krb5 commit: Limit matching of user-to-user ccache credentials

Greg Hudson ghudson at mit.edu
Mon Aug 27 18:19:31 EDT 2018


https://github.com/krb5/krb5/commit/77ee8336c3f4d39d12146d8a631f9abd595d4cbb
commit 77ee8336c3f4d39d12146d8a631f9abd595d4cbb
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Aug 3 00:36:10 2018 -0400

    Limit matching of user-to-user ccache credentials
    
    In krb5int_cc_creds_match_request(), do not yield a user-to-user
    credential if the caller is not looking for one; it would not be
    useful when a normal service ticket (encrypted in the service key) is
    required.  Reported by Todd Lubin.
    
    ticket: 8718

 src/lib/krb5/ccache/cc_retr.c |    5 +++++
 src/tests/t_u2u.py            |    8 ++++++++
 2 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index e8a20fe..c835129 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -164,6 +164,11 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
 krb5_boolean
 krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
 {
+    /* Only match a user-to-user credential if explicitly asked for, since the
+     * ticket won't work as a regular service ticket. */
+    if (! set(KRB5_TC_MATCH_IS_SKEY) && creds->is_skey)
+        return FALSE;
+
     if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
           srvname_match(context, mcreds, creds)) ||
          standard_fields_match(context, mcreds, creds))
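Review bot: The new guard at the top of krb5int_cc_creds_match_request only handles the case where KRB5_TC_MATCH_IS_SKEY is absent; a caller that does set the flag still needs mcreds->is_skey to be compared against creds->is_skey, which presumably happens in the is_skey check later in this function (outside the hunk), so the flag alone does not mean "give me a u2u ticket". The comment would be clearer if it said so, e.g. `/* A u2u (session-key-encrypted) ticket is returned only to callers that pass KRB5_TC_MATCH_IS_SKEY; the is_skey value itself is compared with the other matched fields below. */`. Because the guard precedes both the KRB5_TC_MATCH_SRV_NAMEONLY branch and standard_fields_match(), it applies to every match mode, which is the intended effect. The function body continues past the end of this hunk.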
diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py
index 8905dc2..1ca6ac8 100644
--- a/src/tests/t_u2u.py
+++ b/src/tests/t_u2u.py
@@ -21,7 +21,15 @@ realm.run([kvno, 'alice'], expected_code=1,
 realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')
 realm.run([kadminl, 'modprinc', '+allow_svr', 'alice'])
 
+# Verify that normal lookups ignore the user-to-user ticket.
+realm.run([kvno, 'alice'], expected_msg='kvno = 1')
+out = realm.run([klist])
+if out.count('alice at KRBTEST.COM') != 2:
+    fail('expected two alice tickets after regular kvno')
+
 # Try u2u against the client user.
 realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
 
 realm.run([klist])
+
+success('user-to-user tests')
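Review bot: The `out.count(...)` check relies on the server principal string appearing exactly once per ticket in klist's default listing; that holds here, but it would also count a hit in the "Default principal" line if the cache belonged to alice, so a comment explaining why exactly two is expected would help: `# The u2u ticket (kvno 0) and the regular ticket just fetched (kvno 1) share the server name, so klist lists it twice; the kvno check above is what proves the regular lookup did not reuse the u2u ticket.`. The archive renders the principal as 'alice at KRBTEST.COM', which is presumably the list's address obfuscation of 'alice@KRBTEST.COM' in the real file. The `kvno = 1` expectation also assumes alice's key has not been changed earlier in the script, which the visible lines do not show.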

