disallow requests naming principal as a service

Nicolas Williams Nicolas.Williams at ubsw.com
Fri Mar 22 16:53:00 EST 2002

[Cc'ing krbdev at mit.edu]

Sounds like kdc/kdc_util.c:validate_tgs_req():

  1306      /* Server must be allowed to be a service */
  1307      if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
  1308          *status = "SERVER NOT ALLOWED";
  1309          return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
  1310      }

should be changed to:

  1306      /* Server must be allowed to be a service */
  1307      if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
  1308          isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
  1309          *status = "SERVER NOT ALLOWED";
  1310          return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
  1311      }

so as to match the handling of DUP SKEY:

  1293      /* Server must allow DUP SKEY requests */
  1294      if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
  1295          isflagset(server.attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) {
  1296          *status = "DUP_SKEY DISALLOWED";
  1297          return(KDC_ERR_POLICY);
  1298      }

Someone should file a bug report :)



On Thu, Mar 21, 2002 at 08:19:25PM -0600, Matt Crawford wrote:
> > This is the reason another flag is needed so that a user is allowed as
> > a service, but only via the ENC-TKT-IN-SKEY option, so that you can
> > authenticate to users as a service, but without exposing a 
> > conventional TGS_REP to attack on a user's key.
> It was pointed out to me in private mail (I don't know why, the
> sender isn't usually shy) that DISALLOW_SVR in MIT's KDC does stop
> user-to-user.  Since there already exists a separate
> DISALLOW_DUP_SKEY flag this surprised me, but it seems to be true.
> I suggest that the MIT krb5 has all the flags it needs, it just
> doesn't use them properly.  Still, they probably have to invent a new
> one to avoid breaking some existing deployment somewhere ......
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

More information about the krbdev mailing list