krb5 commit: Allow u2u requests when -allow_svr is set
Greg Hudson
ghudson at mit.edu
Mon Jul 30 11:00:43 EDT 2018
https://github.com/krb5/krb5/commit/23dc2efc6419c7abbac183a46ed89a16be33a48a
commit 23dc2efc6419c7abbac183a46ed89a16be33a48a
Author: Chris Hecker <checker at d6.com>
Date: Wed Jul 25 00:57:23 2018 -0500
Allow u2u requests when -allow_svr is set
If KRB5_KDB_DISALLOW_SVR is set on the server principal, still allow
user-to-user tickets to be issued unless KRB5_KDB_DISALLOW_DUP_SKEY is
also set. This change makes the KDC_ERR_MUST_USE_USER2USER error
message more appropriate.
ticket: 2641
[ghudson at mit.edu: added test case; updated documentation based on
suggestions by Patrick Moore; edited commit message]
doc/admin/admin_commands/kadmin_local.rst | 9 ++++++---
doc/admin/conf_files/kdc_conf.rst | 9 +++++----
src/appl/user_user/t_user2user.py | 6 ++++++
src/kdc/tgs_policy.c | 3 ++-
4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 9b5ccf4..0321202 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -297,8 +297,9 @@ Options:
{-\|+}\ **allow_dup_skey**
**-allow_dup_skey** disables user-to-user authentication for this
- principal by prohibiting this principal from obtaining a session
- key for another user. **+allow_dup_skey** clears this flag.
+ principal by prohibiting others from obtaining a service ticket
+ encrypted in this principal's TGT session key.
+ **+allow_dup_skey** clears this flag.
{-\|+}\ **requires_preauth**
**+requires_preauth** requires this principal to preauthenticate
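Review bot: The rewritten clause now states the mechanism precisely (others cannot obtain a service ticket encrypted in this principal's TGT session key), but the opening "disables user-to-user authentication for this principal" still reads as if the principal is barred from user-to-user authentication in both roles. Since the new text only describes the principal acting as the u2u server, consider making that explicit, e.g. "prevents this principal from being the server in user-to-user authentication by prohibiting others from obtaining ...".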
@@ -325,7 +326,9 @@ Options:
{-\|+}\ **allow_svr**
**-allow_svr** prohibits the issuance of service tickets for this
- principal. **+allow_svr** clears this flag.
+ principal. In release 1.17 and later, user-to-user service
+ tickets are still allowed unless the **-allow_dup_skey** flag is
+ also set. **+allow_svr** clears this flag.
{-\|+}\ **allow_tgs_req**
**-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
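Review bot: The "In release 1.17 and later" qualifier is the right way to document the behaviour change; the same rule is phrased in kdc_conf.rst below as "allowed if the dup-skey flag is set", which is the inverse formulation of "unless -allow_dup_skey is also set" here. Both are consistent, but a reader of only this page does not learn that **-allow_dup_skey** corresponds to the **dup-skey** realm flag, so a brief cross-reference in one of the two files would help.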
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index ea185ae..227c76d 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -134,9 +134,8 @@ The following tags may be specified in a [realms] subsection:
the principal within this realm.
**dup-skey**
- Enabling this flag allows the principal to obtain a session
- key for another user, permitting user-to-user authentication
- for this principal.
+ Enabling this flag allows the KDC to issue user-to-user
+ service tickets for this principal.
**forwardable**
Enabling this flag allows the principal to obtain forwardable
@@ -193,7 +192,9 @@ The following tags may be specified in a [realms] subsection:
**service**
Enabling this flag allows the the KDC to issue service tickets
- for this principal.
+ for this principal. In release 1.17 and later, user-to-user
+ service tickets are still allowed if the **dup-skey** flag is
+ set.
**tgt-based**
Enabling this flag allows a principal to obtain tickets based
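Review bot: The unchanged context line "allows the the KDC to issue service tickets" has a doubled "the"; since this paragraph is being edited in this hunk anyway, fold that typo fix into the same change.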
diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py
index 2c054f1..0d50d66 100755
--- a/src/appl/user_user/t_user2user.py
+++ b/src/appl/user_user/t_user2user.py
@@ -4,6 +4,12 @@ from k5test import *
debug_compiled=1
for realm in multipass_realms():
+ # Verify that -allow_svr denies regular TGS requests, but allows
+ # user-to-user TGS requests.
+ realm.run([kadminl, 'modprinc', '-allow_svr', realm.user_princ])
+ realm.run([kvno, realm.user_princ], expected_code=1,
+ expected_msg='Server principal valid for user2user only')
+
if debug_compiled == 0:
realm.start_in_inetd(['./uuserver', 'uuserver'], port=9999)
else:
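Review bot: The added block only asserts the negative case (a plain kvno against the -allow_svr principal fails with the user2user message); the positive case, that a u2u TGS request for the same principal still succeeds, is covered only implicitly because the flag is never cleared and the uuserver exchange later in the loop uses realm.user_princ as the server. A one-line comment saying the flag is intentionally left set so the rest of the loop exercises the u2u path would make that dependency visible, and would stop someone from "cleaning up" with +allow_svr and silently losing the coverage. Note also that expected_msg matches the client's rendering of KDC_ERR_MUST_USE_USER2USER rather than the KDC-side status string, so any change to that client message text will break this test.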
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index 4c08e44..907fcd3 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -146,7 +146,8 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server,
*status = "SERVER LOCKED OUT";
return KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
- if (server.attributes & KRB5_KDB_DISALLOW_SVR) {
+ if ((server.attributes & KRB5_KDB_DISALLOW_SVR) &&
+ !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) {
*status = "SERVER NOT ALLOWED";
return KDC_ERR_MUST_USE_USER2USER;
}
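Review bot: The new condition exempts KDC_OPT_ENC_TKT_IN_SKEY requests from the DISALLOW_SVR check, but nothing in this hunk enforces the "unless KRB5_KDB_DISALLOW_DUP_SKEY is also set" rule stated in the commit message; confirm that the existing user-to-user path already rejects the request when that attribute is set on the server principal, and add a comment here pointing at where that happens so the two checks are not read as independent. Separately, *status = "SERVER NOT ALLOWED" is now reached only for non-u2u requests against a principal that may still be valid for u2u, so the KDC log line no longer matches the KDC_ERR_MUST_USE_USER2USER it returns; a more specific status such as "SERVER REQUIRES USER2USER" would keep the log consistent with the error code.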