krb5 commit: Make it possible to renew aliased service tickets
Greg Hudson
ghudson at MIT.EDU
Thu Aug 29 18:04:01 EDT 2013
https://github.com/krb5/krb5/commit/81ceb5352dd3bc11a546d818107d0c4a896cee44
commit 81ceb5352dd3bc11a546d818107d0c4a896cee44
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Aug 29 11:15:02 2013 -0400
Make it possible to renew aliased service tickets
We always allow aliases in the service principal when processing
AS-REQs and TGS-REQs. If the ticket we issued is presented back to us
in a TGS-REQ as a header ticket for renewal or similar, we should
allow aliases when looking up its key to decode the AP-REQ.
ticket: 7699 (new)
src/kdc/kdc_util.c | 6 +++---
src/tests/t_kdb.py | 8 ++++++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index e61a867..bc638c1 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -389,9 +389,9 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm,
match_enctype = 0;
}
- retval = kdc_get_server_key(kdc_context,
- apreq->ticket, 0, match_enctype, server, NULL,
- NULL);
+ retval = kdc_get_server_key(kdc_context, apreq->ticket,
+ KRB5_KDB_FLAG_ALIAS_OK, match_enctype, server,
+ NULL, NULL);
if (retval)
return retval;
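Review bot: Passing KRB5_KDB_FLAG_ALIAS_OK here means a header ticket whose sname is an alias is now decrypted with the canonical entry's key, so `apreq->ticket->server` and the principal name in the returned `server` entry may legitimately differ from this point on; the rest of kdc_rd_ap_req and its callers lie outside the hunk, so any check there that compares the two (for example, deciding whether the header ticket is a TGT for this realm, or matching a requested sname against it) should be confirmed to tolerate that, since a mismatch that was previously impossible could now reject or misclassify a valid ticket. The reason the lookup is safe to widen is not stated in the code: the commit message notes that the KDC already issues tickets for aliases in AS and TGS processing, so a comment on the call would help, e.g. `/* We issue tickets under alias names, so the header ticket's sname may be an alias; look up its key accordingly. */`. The enclosing function begins before the hunk.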
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a9471f..70fe58a 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -286,6 +286,14 @@ out = realm.run([klist])
if 'tgtalias at KRBTEST.COM\n' not in out:
fail('After fetching tgtalias, klist is missing it')
+# Make sure aliases work in header tickets.
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" user')
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" krbtgt/KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
+realm.run([kvno, 'alias'])
+realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
+realm.klist(realm.user_princ, 'alias at KRBTEST.COM')
+
realm.stop()
# Briefly test dump and load.
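Review bot: The new test only checks the success path of renewing with `-S alias`, and the klist assertion would also be satisfied by any ticket for `alias@KRBTEST.COM` in the cache; it does not confirm that a renewal actually happened. Capturing the ticket's end time from klist before the `kinit -R` and asserting it changed afterward would pin the behavior the commit adds. Note also that `maxrenewlife` is set on `user` and `krbtgt/KRBTEST.COM` but not on the canonical principal that `alias` points to (created earlier in the file); the renewed service ticket's renewable life presumably also depends on that entry, so if the test realm's default is not already sufficient this would fail for an unrelated reason and the limit should be set explicitly there too. The surrounding script continues outside the hunk.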