[krbdev.mit.edu #5596] patch for providing a way to set the ok-as-delegate flag
The RT System itself via RT
rt-comment at krbdev.mit.edu
Tue Jul 17 15:00:21 EDT 2007
Date: Tue, 17 Jul 2007 12:23:46 -0400
Message-Id: <200707171623.l6HGNkxS006274 at rapier.boston.redhat.com>
To: krb5-bugs at mit.edu
Subject: patch to allow setting ok-as-delegate flag in database
From: nalin at redhat.com
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: patch for providing a way to set the ok-as-delegate flag
>Severity: non-critical
>Priority: low
>Category: krb5-admin
>Class: change-request
>Release: 1.6.1
>Environment:
System: Linux rapier.boston.redhat.com 2.6.21-1.3230.fc8 #1 SMP Wed Jun 20 15:59:23 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Currently, the KDC doesn't issue credentials with the ok-as-delegate
flag set, and the realm database doesn't have a means of indicating
to the KDC that it should.
>Fix:
Here's a patch which allows me to set the flag with kadmin, store it as
an attribute bit in the KDB database, and get credentials with the bit
set from the KDC, which I think is all that's required here. There's
no logic added to the client libraries to actually *do* anything with
that bit, though, because that'd be more complicated.
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo (revision 19714)
+++ doc/admin.texinfo (working copy)
@@ -2758,6 +2758,13 @@
@samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears
this flag.
+ at itemx @{-|+@}ok_as_delegate
+ at code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
+this flag.
+
@itemx @{-|+@}allow_svr
@code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.
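Review bot: the new entry says clients may treat the flag as a hint that credentials "can and should be delegated", which overstates it; RFC 4120 describes OK-AS-DELEGATE as a realm-policy hint that the service is a suitable recipient of delegation, and whether to delegate remains the client's own policy decision, so "can be delegated" (dropping "and should") is the accurate wording. It would also help to say explicitly that the attribute is read from the service principal's record, not the client's, so it is set on service principals. While this file is being touched, the context line two lines above still spells @samp{KRB5_KDB_REQURES_HW_AUTH} (missing an I).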
Index: src/include/kdb.h
===================================================================
--- src/include/kdb.h (revision 19714)
+++ src/include/kdb.h (working copy)
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
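Review bot: KRB5_KDB_OK_AS_DELEGATE 0x00010000 is the first attribute bit above the low 16 bits; before merging, confirm that every path that stores or serialises the attributes word (the DB2 record encoding, the LDAP backend's attribute mapping and the kdb5_util dump/load text format) carries the full 32-bit value, otherwise a dump/load round trip or propagation to an older KDC would silently drop the flag. A short comment beside the define naming the ticket flag it drives (TKT_FLG_OK_AS_DELEGATE) would help the next reader connect the two.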
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c (revision 19714)
+++ src/kdc/do_tgs_req.c (working copy)
@@ -533,6 +533,10 @@
goto cleanup;
}
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
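Review bot: the block only ever sets TKT_FLG_OK_AS_DELEGATE and never clears it, so correctness depends on enc_tkt_reply.flags not already carrying the bit from earlier in this function (for instance if flags were copied over from the header ticket). An explicit else branch, `clearflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);`, makes the result depend only on the target service's attributes, which is the intent. Note also that `server` here can be a cross-realm krbtgt principal, so +ok_as_delegate on such an entry marks tickets for that foreign realm as delegation-ok; that consequence deserves a sentence in the admin documentation. Since this block is identical to the one in do_as_req.c, a small shared helper would keep the two from drifting.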
Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c (revision 19714)
+++ src/kdc/do_as_req.c (working copy) @@ -257,6 +257,10 @@ enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Check the preauthentication if it is there.
*/
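Review bot: in the AS path `server` is the principal the initial ticket is issued for, normally krbtgt/REALM, so this block only has an effect when an administrator sets +ok_as_delegate on the krbtgt principal or on a service requested directly in an AS-REQ; the documentation should say what the attribute means on krbtgt, because that is not the case the man page text describes. As in the do_tgs_req.c hunk, clearing the flag in the else case avoids inheriting a stale bit, and the two identical blocks are a candidate for one helper.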
Index: src/kadmin/cli/kadmin.c
===================================================================
--- src/kadmin/cli/kadmin.c (revision 19714)
+++ src/kadmin/cli/kadmin.c (working copy)
@@ -65,7 +65,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
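Review bot: the new row {"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0} is consistent: "ok_as_delegate" is 14 characters, and the length column must match exactly because the lookup compares lengths before names, so a miscount would make the option silently unrecognised rather than fail at compile time. The final 0 means +ok_as_delegate sets the bit, matching the documentation, whereas allow_svr uses 1 because its underlying bit is DISALLOW_SVR and -allow_svr is the spelling that sets it. The change to the support_desmd5 line is only the added trailing comma.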
@@ -85,6 +86,7 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE", /* 0x00010000 */
};
char *getenv();
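Review bot: prflags is indexed by bit position, so "OK_AS_DELEGATE" has to be entry 16, directly after "NEW_PRINC" (0x00008000); the hunk keeps that ordering and the /* 0x00010000 */ comment agrees with kdb.h. Check that the code printing these names (the Attributes: line of getprinc) iterates over the array length rather than a hard-coded count of 16 entries, or the new name will never be displayed.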
@@ -1101,6 +1103,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
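Review bot: the added "\t\tok_as_delegate\n" literal is concatenated onto the preceding string (no comma), which matches the line after it but not the comma-separated lines above it; make sure the surrounding fprintf format expects exactly this number of arguments, since an extra or missing comma here changes the argument count without a compiler diagnostic. The same text is added twice, here and in the second usage hunk below; the two copies should stay in sync or be shared.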
@@ -1117,6 +1120,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
Index: src/kadmin/cli/kadmin.M
===================================================================
--- src/kadmin/cli/kadmin.M (revision 19714)
+++ src/kadmin/cli/kadmin.M (working copy)
@@ -327,6 +327,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
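Review bot: same wording point as the texinfo entry: "can and should be delegated" claims more than the flag means. RFC 4120 presents OK-AS-DELEGATE as a hint that realm policy considers the service a suitable recipient of delegation, and the client still applies its own policy, so "can be delegated" is the accurate phrasing. The man page entry otherwise mirrors the texinfo one; keep the two in step if either is reworded.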
Index: src/lib/kadm5/str_conv.c
===================================================================
--- src/lib/kadm5/str_conv.c (revision 19714)
+++ src/lib/kadm5/str_conv.c (working copy)
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
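Review bot: the new row { KRB5_KDB_OK_AS_DELEGATE, 1, ... } puts 1 in the second column like the REQUIRES_PRE_AUTH and REQUIRES_HW_AUTH rows and unlike the DISALLOW_* rows, which is right because the bit is positive and +ok-as-delegate should set it. Note that this table spells the flag "ok-as-delegate" with hyphens while kadmin.c's table spells it "ok_as_delegate" with underscores; that split already exists for the other flags, but the new spelling should be added wherever the str_conv names are documented. The output string "OK as Delegate" will appear in listings produced through krb5_flags_to_string, so any tool that matches those listings against fixed strings needs to learn it.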
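As an added example, not part of the submitted patch or of the MIT krb5 tree, the following Python models the path the report describes end to end: the kadmin {+|-}name flag argument updating a principal's attribute word (including the inverted allow_svr case from the kadmin.c table), the rule the patch adds to the KDC (a ticket for a service whose record carries KRB5_KDB_OK_AS_DELEGATE gets TKT_FLG_OK_AS_DELEGATE), and decoding the resulting ticket flag word into the letters klist -f prints. The value of KRB5_KDB_OK_AS_DELEGATE is copied from the kdb.h hunk; the other attribute bits, the TKT_FLG_* values and the klist letter order are assumptions taken from MIT krb5's kdb.h, krb5.h and klist.c and should be checked against your tree. One deliberate difference from the posted patch: the model clears the OK-AS-DELEGATE bit when the service lacks the attribute, so the outcome depends on the target service alone.

```python
"""Added example: not part of the submitted patch or of the MIT krb5 tree.

KRB5_KDB_OK_AS_DELEGATE is copied from the kdb.h hunk in the report.  The
remaining attribute bits, the TKT_FLG_* values and the klist letter order are
assumed from MIT krb5's kdb.h, krb5.h and klist.c; verify them against your tree.
"""

# Principal attribute bits stored in the KDB (kdb.h).
KRB5_KDB_DISALLOW_SVR = 0x00001000       # assumed from kdb.h
KRB5_KDB_PWCHANGE_SERVICE = 0x00002000   # as in the kdb.h hunk
KRB5_KDB_SUPPORT_DESMD5 = 0x00004000     # as in the kdb.h hunk
KRB5_KDB_OK_AS_DELEGATE = 0x00010000     # the bit the patch adds

# Subset of kadmin.c's flag table as name -> (bit, minus_sets).  minus_sets=1
# means the "-name" spelling SETS the bit (used for DISALLOW_* bits such as
# allow_svr); minus_sets=0 means "+name" sets it, as for ok_as_delegate.
KADMIN_FLAGS = {
    "allow_svr": (KRB5_KDB_DISALLOW_SVR, 1),
    "password_changing_service": (KRB5_KDB_PWCHANGE_SERVICE, 0),
    "support_desmd5": (KRB5_KDB_SUPPORT_DESMD5, 0),
    "ok_as_delegate": (KRB5_KDB_OK_AS_DELEGATE, 0),
}


def apply_kadmin_flag_args(attributes, args):
    """Apply arguments such as ["+ok_as_delegate", "-allow_svr"] to an
    attribute word and return the new word.  Names without a sign, or not in
    the table, are rejected rather than ignored."""
    for arg in args:
        if len(arg) < 2 or arg[0] not in "+-":
            raise ValueError("flag must be spelled +name or -name: %r" % (arg,))
        if arg[1:] not in KADMIN_FLAGS:
            raise ValueError("unknown flag: %r" % (arg,))
        bit, minus_sets = KADMIN_FLAGS[arg[1:]]
        # The sign sets the bit exactly when it is the table's "setting" sign.
        if (arg[0] == "-") == bool(minus_sets):
            attributes |= bit
        else:
            attributes &= ~bit
    return attributes


# Ticket flag bits in the 32-bit flags word (assumed from krb5.h).  RFC 4120
# numbers flags from the most significant bit, so OK-AS-DELEGATE, bit 13,
# is 1 << 18.
TKT_FLG_FORWARDABLE = 0x40000000
TKT_FLG_FORWARDED = 0x20000000
TKT_FLG_PROXIABLE = 0x10000000
TKT_FLG_PROXY = 0x08000000
TKT_FLG_MAY_POSTDATE = 0x04000000
TKT_FLG_POSTDATED = 0x02000000
TKT_FLG_INVALID = 0x01000000
TKT_FLG_RENEWABLE = 0x00800000
TKT_FLG_INITIAL = 0x00400000
TKT_FLG_PRE_AUTH = 0x00200000
TKT_FLG_HW_AUTH = 0x00100000
TKT_FLG_TRANSIT_POLICY_CHECKED = 0x00080000
TKT_FLG_OK_AS_DELEGATE = 0x00040000
TKT_FLG_ANONYMOUS = 0x00020000


def issue_ticket_flags(server_attributes, flags):
    """The rule the patch adds to do_as_req.c and do_tgs_req.c.  `flags` is
    the flag word the KDC has already derived from the request and realm
    policy; OK-AS-DELEGATE is OR'ed in only when the *service* principal's
    record carries KRB5_KDB_OK_AS_DELEGATE.  Unlike the posted patch, the bit
    is cleared otherwise, so a stale bit cannot be inherited."""
    if server_attributes & KRB5_KDB_OK_AS_DELEGATE:
        return flags | TKT_FLG_OK_AS_DELEGATE
    return flags & ~TKT_FLG_OK_AS_DELEGATE


# (bit, letter) in the order `klist -f` prints them (assumed from klist.c).
KLIST_LETTERS = [
    (TKT_FLG_FORWARDABLE, "F"), (TKT_FLG_FORWARDED, "f"),
    (TKT_FLG_PROXIABLE, "P"), (TKT_FLG_PROXY, "p"),
    (TKT_FLG_MAY_POSTDATE, "D"), (TKT_FLG_POSTDATED, "d"),
    (TKT_FLG_INVALID, "i"), (TKT_FLG_RENEWABLE, "R"),
    (TKT_FLG_INITIAL, "I"), (TKT_FLG_HW_AUTH, "H"),
    (TKT_FLG_PRE_AUTH, "A"), (TKT_FLG_TRANSIT_POLICY_CHECKED, "T"),
    (TKT_FLG_OK_AS_DELEGATE, "O"), (TKT_FLG_ANONYMOUS, "a"),
]


def klist_flag_string(flags):
    """Render a ticket flag word as klist -f does, e.g. 0x40840000 -> "FRO"."""
    return "".join(letter for bit, letter in KLIST_LETTERS if flags & bit)


def ok_as_delegate(flags):
    """What a client would consult before deciding to delegate: the flag is a
    realm-policy hint, not an instruction, so the client's own policy still applies."""
    return bool(flags & TKT_FLG_OK_AS_DELEGATE)


if __name__ == "__main__":
    # Constructed walk-through: an admin marks a service, the KDC issues a ticket.
    attrs = apply_kadmin_flag_args(0, ["+ok_as_delegate"])
    requested = TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE
    issued = issue_ticket_flags(attrs, requested)
    print("attributes=%#010x flags=%#010x klist=%s delegate_hint=%s"
          % (attrs, issued, klist_flag_string(issued), ok_as_delegate(issued)))
```

Run it directly to see the constructed walk-through; the kadmin table lookup is the part worth reading closely, because the sign that sets a bit depends on whether the underlying KDB bit is an allow-style or a disallow-style bit.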