A patch to support S4U2proxy in db2 module

Weijun Wang weijun.wang at oracle.com
Tue Jul 3 05:11:26 EDT 2012


Hi All

I'm playing with MIT krb5's S4U2proxy feature, but the db2 backend does 
not implement the check_allowed_to_delegate callback.

Here is a patch for it. It makes use of the "allowed_to_delegate_to" 
string attribute. The value can be either "*", "s1", or "s1 s2".

I haven't written a lot of C code in the past few years, so there might 
be some coding errors.

Thanks
Weijun
-------------- next part --------------
# HG changeset patch
# Parent a3ee99c1bcbf2ec16494bd01a1b428faeef0e063

diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -180,6 +180,13 @@
             krb5_timestamp authtime, krb5_error_code error_code),
            (kcontext, request, client, server, authtime, error_code));
 
+WRAP_K (krb5_db2_check_allowed_to_delegate,
+        (krb5_context kcontext,
+         krb5_const_principal client,
+         const krb5_db_entry *server,
+         krb5_const_principal proxy),
+        (kcontext, client, server, proxy));
+
 static krb5_error_code
 hack_init (void)
 {
@@ -235,5 +242,6 @@
     /* check_policy_as */               wrap_krb5_db2_check_policy_as,
     0,
     /* audit_as_req */                  wrap_krb5_db2_audit_as_req,
-    0, 0
+    0,
+    /* check_allowed_to_delegate */     wrap_krb5_db2_check_allowed_to_delegate
 };
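Review bot: The new vtable entry is added positionally, so it relies on `check_allowed_to_delegate` being exactly the slot after the one left as `0`; if the kdb_vftabl layout differs from that assumption the pointer lands in a different callback slot and would be invoked through the wrong signature. A designated initializer, `.check_allowed_to_delegate = wrap_krb5_db2_check_allowed_to_delegate,` pins it to the named field regardless of order, assuming the rest of the table can tolerate mixing it with the existing positional entries. The start of the initializer is outside the hunk.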
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -1425,3 +1425,54 @@
 {
     (void) krb5_db2_lockout_audit(kcontext, client, authtime, error_code);
 }
+
+/*
+ * Use the "allowed_to_delegate_to" string attribute to determine when
+ * S4U2proxy can be performed. The value should take the form of
+ *
+ *     proxy1 proxy2...
+ *
+ * proxy1 (and proxy2...) can also be * to match all princpals. It
+ * MUST NOT include the realm name.
+ */
+krb5_error_code
+krb5_db2_check_allowed_to_delegate(krb5_context kcontext,
+                                   krb5_const_principal client,
+                                   const krb5_db_entry *server,
+                                   krb5_const_principal proxy)
+{
+    char *proxy_name = NULL;
+    char *conf = NULL;
+    krb5_error_code retval;;
+
+    if (retval = krb5_unparse_name_flags(kcontext, proxy,
+            KRB5_PRINCIPAL_UNPARSE_SHORT, &proxy_name)) {
+        goto cleanup;
+    }
+
+    if (retval = krb5_dbe_get_string(kcontext, server,
+            "allowed_to_delegate_to", &conf)) {
+        goto cleanup;
+    }
+
+    retval = KRB5KDC_ERR_POLICY;
+    if (conf != NULL) {
+        char *name_r;
+        char *name = strtok_r(conf, " ", &name_r);
+        while (name != NULL) {
+            if (!strcmp(name, "*") || !strcmp(name, proxy_name)) {
+                retval = 0;
+                goto cleanup;
+            }
+            name = strtok_r(NULL, ",;", &name_r);
+        }
+    }
+
+cleanup:
+    if (conf)
+        krb5_dbe_free_string(kcontext, conf);
+    if (proxy_name)
+        krb5_free_unparsed_name(kcontext, proxy_name);
+
+    return retval;
+}
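Review bot: The delimiter set changes between the first `strtok_r` call and the one in the loop — the first splits on `" "`, the continuation on `",;"` — so for a value such as `s1 s2 s3` the second call returns `s2 s3` as a single token and `s3` can never match; use the same delimiter on both calls, `name = strtok_r(NULL, " ", &name_r);`, which is also the space-separated form the header comment documents. The two `if (retval = ...)` conditions would be clearer and warning-free as `if ((retval = ...) != 0)`, and `krb5_error_code retval;;` has a stray semicolon. Since KRB5_PRINCIPAL_UNPARSE_SHORT omits the realm only when it is the local default realm, the comment's "MUST NOT include the realm name" holds for proxies in the default realm, while a proxy in another realm would match only with its realm spelled out or via `*`; stating that in the comment (which also misspells "princpals") would save an administrator a surprise. The `client` parameter is unused, which is fine if the contract only consults the server entry's attribute, but a `(void)client;` or a one-line comment would make that deliberate.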
diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h
--- a/src/plugins/kdb/db2/kdb_db2.h
+++ b/src/plugins/kdb/db2/kdb_db2.h
@@ -142,4 +142,9 @@
                       krb5_db_entry *client, krb5_db_entry *server,
                       krb5_timestamp authtime, krb5_error_code error_code);
 
+krb5_error_code
+krb5_db2_check_allowed_to_delegate(krb5_context kcontext,
+                                  krb5_const_principal client,
+                                  const krb5_db_entry *server,
+                                  krb5_const_principal proxy);
 #endif /* KRB5_KDB_DB2_H */

