[krbdev.mit.edu #8479] git commit

Greg Hudson via RT rt at KRBDEV-PROD-APP-1.mit.edu
Mon Sep 9 10:33:38 EDT 2019


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479 >


Add KDC support for RBCD requests

Add two new KDB methods to support resource-based constrained
delegation.  The get_authdata_info method extracts the client
principal for the authdata (necessary for cross-realm RBCD requests as
the evidence ticket is a cross-realm TGT with the requested client's
authdata), and also returns an opaque pointer for consumption by other
KDB methods.  The allowed_to_delegate_from method performs a
constrained delegation policy check on the principal entry of the
target principal.

Add the server principal and abstract authdata representation to the
sign_authdata method.  Also pass the second ticket server as
header_server since we pass the authorization data from the second
ticket, and pass the impersonated client (if it is in the local realm)
as client instead of the impersonator.

Add core KDC code for RBCD requests.  For local RBCD requests
(impersonator and target in the same realm), KDC handling is similar
to existing constrained delegation support.  The evidence ticket is
not required to be forwardable, and allowed_to_delegate_from is used
in preference to check_allowed_to_delegate.

For cross-realm RBCD requests, the KDC could be in the impersonator
realm, the target realm, or in a transit realm between the two.  In
the transit realm case, the request looks like a regular cross-realm
request for a krbtgt service except for the information in the PAC, so
this case is handled by the KDB module sign_authdata() method.

[ghudson at mit.edu: made style and documentation edits; edited commit
message]

https://github.com/krb5/krb5/commit/d47f7dba3779c9e36e1dedaac830dac1dd248fb3
Author: Isaac Boukris <iboukris at gmail.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: d47f7dba3779c9e36e1dedaac830dac1dd248fb3
Branch: master
 src/include/kdb.h               |  106 +++++++++++++++++++++++++++++++---
 src/kdc/do_as_req.c             |    2 +-
 src/kdc/do_tgs_req.c            |  118 +++++++++++++++++++++++---------------
 src/kdc/kdc_authdata.c          |   33 +++++------
 src/kdc/kdc_preauth.c           |    6 ++
 src/kdc/kdc_util.c              |  112 +++++++++++++++++++++++++++++++++++--
 src/kdc/kdc_util.h              |   15 +++++-
 src/lib/kdb/kdb5.c              |   77 +++++++++++++++++++++++--
 src/lib/kdb/libkdb5.exports     |    3 +
 src/plugins/kdb/test/kdb_test.c |    5 +-
 10 files changed, 387 insertions(+), 90 deletions(-)
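As an added illustration that is not part of this commit or of krb5, the following C program models the two delegation policy checks the commit message describes: an RBCD check on the target's entry (which does not require a forwardable evidence ticket and is consulted first) and the classic check on the impersonator's entry as the fallback, plus the distinction that for a cross-realm TGT used as evidence the impersonated client is taken from the ticket's authdata rather than its cname. Every type, function and sample principal here (`princ_entry`, `check_s4u2proxy`, `impersonated_client`, the `example.com` names) is hypothetical and constructed; none of it is the KDB interface or KDC code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model for illustration only; not the krb5 KDB/KDC API. */
#define TKT_FLG_FORWARDABLE 0x1u
#define MAX_ACL 4

struct ticket {
    const char *client;          /* cname of the evidence (second) ticket */
    const char *server;          /* sname of the evidence ticket */
    unsigned int flags;
    const char *authdata_client; /* client named in the ticket's authdata, or NULL */
};

struct princ_entry {
    const char *name;
    /* classic constrained delegation: targets this service may delegate to */
    const char *allowed_to_delegate[MAX_ACL];
    /* RBCD: services this principal allows to delegate to it */
    const char *allowed_from[MAX_ACL];
};

enum s4u_result {
    S4U_ALLOW_RBCD,           /* target's allowed_from list names the impersonator */
    S4U_ALLOW_CLASSIC,        /* impersonator's allowed_to_delegate list names the target */
    S4U_DENY_NOT_FORWARDABLE, /* classic path needs a forwardable evidence ticket */
    S4U_DENY_POLICY           /* neither policy permits the delegation */
};

static bool in_acl(const char *const acl[MAX_ACL], const char *name)
{
    for (size_t i = 0; i < MAX_ACL && acl[i] != NULL; i++)
        if (strcmp(acl[i], name) == 0)
            return true;
    return false;
}

/* Model of a TGT test: this toy does not distinguish realms, it only looks
 * at the service name prefix. */
static bool is_tgt(const struct ticket *t)
{
    return strncmp(t->server, "krbtgt/", 7) == 0;
}

/* Stand-in for the get_authdata_info idea: when the evidence is a TGT with
 * authdata, the impersonated client comes from the authdata, not the cname. */
const char *impersonated_client(const struct ticket *evidence)
{
    if (is_tgt(evidence) && evidence->authdata_client != NULL)
        return evidence->authdata_client;
    return evidence->client;
}

/* RBCD policy on the target entry is consulted first and does not require a
 * forwardable evidence ticket; the classic check is the fallback and does. */
enum s4u_result check_s4u2proxy(const struct princ_entry *impersonator,
                                const struct princ_entry *target,
                                const struct ticket *evidence)
{
    if (in_acl(target->allowed_from, impersonator->name))
        return S4U_ALLOW_RBCD;
    if (!(evidence->flags & TKT_FLG_FORWARDABLE))
        return S4U_DENY_NOT_FORWARDABLE;
    if (in_acl(impersonator->allowed_to_delegate, target->name))
        return S4U_ALLOW_CLASSIC;
    return S4U_DENY_POLICY;
}

/* Constructed sample entries (not real data). */
const struct princ_entry sample_web = {
    "HTTP/web.example.com@EXAMPLE.COM",
    { "cifs/files.example.com@EXAMPLE.COM", NULL },   /* classic: may delegate to files */
    { NULL }
};
const struct princ_entry sample_files = {
    "cifs/files.example.com@EXAMPLE.COM", { NULL }, { NULL }
};
const struct princ_entry sample_db = {
    "sql/db.example.com@EXAMPLE.COM",
    { NULL },
    { "HTTP/web.example.com@EXAMPLE.COM", NULL }      /* RBCD: web may delegate here */
};

int main(void)
{
    struct ticket ev = { "alice@EXAMPLE.COM", sample_web.name, 0, NULL };
    printf("web -> db (non-forwardable evidence): result %d\n",
           (int)check_s4u2proxy(&sample_web, &sample_db, &ev));
    printf("web -> files (non-forwardable evidence): result %d\n",
           (int)check_s4u2proxy(&sample_web, &sample_files, &ev));
    return 0;
}
```

Running it shows the asymmetry the message spells out: the same non-forwardable evidence ticket is accepted for the RBCD-configured target and rejected for the classic-only target until the ticket is forwardable.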