krb5 commit: Allow client canonicalization in non-krbtgt AS-REP

Greg Hudson ghudson at mit.edu
Sun Nov 3 13:56:39 EST 2019


https://github.com/krb5/krb5/commit/c6c19b1d35c6523cb7ed220c1f2e97e12e039293
commit c6c19b1d35c6523cb7ed220c1f2e97e12e039293
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Oct 15 20:41:49 2019 +0300

    Allow client canonicalization in non-krbtgt AS-REP
    
    If a caller makes an AS-REQ with the canonicalize flag set (or with an
    enterprise client principal or the anonymous flag), always allow the
    KDC to change the client principal.  Continue to restrict server name
    changes to requests for TGS principals.
    
    Also remove the conditional for setting canon_ok for fully anonymous
    requests.  Both kinds of anonymous requests change the client
    principal or realm, but neither kind changes the server principal or
    realm, so this logic is no longer needed now that canon_ok only
    applies to server name changes.
    
    [ghudson at mit.edu: clarified commit message; removed anonymous PKINIT
    clause]
    
    ticket: 8843 (new)

 src/lib/krb5/krb/get_in_tkt.c |    9 ++-------
 src/tests/t_kdb.py            |    3 +++
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dcf6663..870df62 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -230,17 +230,12 @@ verify_as_reply(krb5_context            context,
     if (canon_req) {
         canon_ok = IS_TGS_PRINC(request->server) &&
             IS_TGS_PRINC(as_reply->enc_part2->server);
-        if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
-            canon_ok = krb5_principal_compare_any_realm(context,
-                                                        as_reply->client,
-                                                        krb5_anonymous_principal());
-        }
     } else
         canon_ok = 0;
 
     if ((!canon_ok &&
-         (!krb5_principal_compare(context, as_reply->client, request->client) ||
-          !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+         !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))
+        || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client))
         || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
         || (request->nonce != as_reply->enc_part2->nonce)
         /* XXX check for extraneous flags */
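Review bot: The rewritten condition now applies two different guards to two different name checks — `canon_ok` (TGS-only) for the server name and `canon_req` for the client name — and nothing in the hunk says so, which makes the nested `||`/`&&` at the top of the condition hard to audit. A comment above the `if` would carry the rule, e.g. `/* Server name changes are accepted only when both request and reply name a TGS principal (canon_ok); client name changes are accepted whenever canonicalization was requested (canon_req). The client name in as_reply is cleartext, so this relies on the reply having been decrypted with the client's key. */` — the last sentence is an inference from the surrounding code and should be confirmed against the decryption path before the comment is committed. Since `canon_ok` is now only a TGS check, the `} else canon_ok = 0;` could also be folded into a single assignment `canon_ok = canon_req && IS_TGS_PRINC(request->server) && IS_TGS_PRINC(as_reply->enc_part2->server);`, which removes the unbraced `else` that the deletion leaves behind. verify_as_reply begins and ends outside this hunk.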
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a082a5..cc5d2fc 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
 realm.kinit('canon', password('canon'))
 realm.kinit('alias', password('canon'), ['-C'])
 
+# Test client name canonicalization in non-krbtgt AS reply
+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
+
 mark('LDAP password history')
 
 # Test password history.
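Review bot: The added kinit only proves that the AS exchange for a non-krbtgt service with -C succeeds; it does not check that the resulting credentials carry the canonical client name rather than `alias`, so a regression that silently stopped rewriting the client principal would still pass. Following the kinit with a klist assertion such as `realm.klist('canon@' + realm.realm, 'kadmin/changepw@' + realm.realm)` would pin the behavior the commit message describes. Whether `canon` is the canonical form of `alias` is assumed from the principals set up above this hunk and should be checked against the earlier lines of t_kdb.py.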

