krb5 commit: Add more constraints to S4U2Self processing
Greg Hudson
ghudson at mit.edu
Fri Oct 12 21:58:11 EDT 2018
https://github.com/krb5/krb5/commit/586e901145c2b874828748610bf95aa32b281fc4
commit 586e901145c2b874828748610bf95aa32b281fc4
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Oct 5 14:43:51 2018 +0300
Add more constraints to S4U2Self processing
Of the eight possible combinations of local or cross TGT, local or
non-local user, and local server or referral, four are valid. The
previous commit rejects two of the invalid cases (local TGT and
referral, with local or non-local user). Document the four valid
cases and reject the remaining two invalid combinations.
[ghudson at mit.edu: rewrote commit message; added comment documenting
valid combinations; adjusted style and comments]
ticket: 8748 (new)
src/kdc/kdc_util.c | 28 ++++++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d1c81a5..dfeaf7e 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1546,6 +1546,19 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
return KRB5KDC_ERR_BADOPTION;
}
+ /*
+ * Valid S4U2Self requests can occur in the following combinations:
+ *
+ * (1) local TGT, local user, local server
+ * (2) cross TGT, local user, issuing referral
+ * (3) cross TGT, non-local user, issuing referral
+ * (4) cross TGT, non-local user, local server
+ *
+ * The first case is for a single-realm S4U2Self scenario; the second,
+ * third, and fourth cases are for the initial, intermediate (if any), and
+ * final cross-realm requests in a multi-realm scenario.
+ */
+
is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
if (is_local_tgt && issuing_referral) {
/* The requesting server appears to no longer exist, and we found
@@ -1562,6 +1575,13 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
krb5_db_entry no_server;
krb5_pa_data **e_data = NULL;
+ if (!is_local_tgt && !issuing_referral) {
+ /* A local server should not need a cross-realm TGT to impersonate
+ * a local principal. */
+ *status = "NOT_CROSS_REALM_REQUEST";
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
+ }
+
code = krb5_db_get_principal(kdc_context,
(*s4u_x509_user)->user_id.user,
KRB5_KDB_FLAG_INCLUDE_PAC, &princ);
@@ -1584,6 +1604,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
}
*princ_ptr = princ;
+ } else if (is_local_tgt) {
+ /*
+ * The server is asking to impersonate a principal from another realm,
+ * using a local TGT. It should instead ask that principal's realm and
+ * follow referrals back to us.
+ */
+ *status = "S4U2SELF_CLIENT_NOT_OURS";
+ return KRB5KDC_ERR_POLICY; /* match Windows error */
}
return 0;
More information about the cvs-krb5
mailing list