Patch to ignore service principals when accepting connexions.
Roland C. Dowdeswell
elric at imrryr.org
Wed Aug 25 21:18:42 EDT 2010
On Wed, Aug 25, 2010 at 08:48:36PM -0400, Sam Hartman wrote:
>
> How far along would a patch that simply made krb5_rd_req not care about
> the second component (hostname) of a principal go to address your needs?
> Do you need cases where the realm mismatches or where the application
> asked for nfs and you really want imap?
This would solve all of the issues that I have.
A bit more complicated to code but the following patch seems to
have the desired behaviour. It would be a bit more optimal if it
also convinced gss_acquire_cred() to not use forward and reverse
lookups to populate the server field with an instance that will be
later ignored as this provides an unnecessary point of failure,
but this should suffice for my needs:
Index: include/k5-int.h
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/include/k5-int.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 k5-int.h
--- include/k5-int.h 26 Sep 2006 20:29:10 -0000 1.1.1.2
+++ include/k5-int.h 26 Aug 2010 01:08:23 -0000
@@ -508,6 +508,8 @@
void krb5_os_free_context (krb5_context);
+int krb5_os_check_service_principal (krb5_context);
+
/* This function is needed by KfM's KerberosPreferences API
* because it needs to be able to specify "secure" */
krb5_error_code os_get_default_config_files
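Review bot: the prototype added here, `+int krb5_os_check_service_principal (krb5_context);`, does not match the function the rest of the patch defines and calls, `krb5_os_check_service_instance` (init_os_ctx.c and init_ctx.c), so the call site has no declaration and the declared name has no definition. Rename it and carry the calling convention used by the definition: `int KRB5_CALLCONV krb5_os_check_service_instance (krb5_context);`.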
@@ -1057,6 +1059,7 @@
#define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
+#define KRB5_LIBOPT_IGNORE_SERVICE_INST 0x0002
/* internal message representations */
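Review bot: nothing in the posted diff reads KRB5_LIBOPT_IGNORE_SERVICE_INST; it is only set in init_ctx.c, so the krb5_rd_req change that actually relaxes the instance check (the one proposed in the quoted message) is missing from this patch and should be included. The new libdefaults key and environment variable also need a sentence in the krb5.conf documentation, since they weaken which acceptor names are accepted.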
Index: lib/krb5/krb/init_ctx.c
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/lib/krb5/krb/init_ctx.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 init_ctx.c
--- lib/krb5/krb/init_ctx.c 28 Mar 2005 21:43:36 -0000 1.1.1.1
+++ lib/krb5/krb/init_ctx.c 26 Aug 2010 01:08:11 -0000
@@ -209,7 +209,32 @@
profile_get_integer(ctx->profile, "libdefaults",
"kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
&tmp);
- ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+ ctx->library_options |= tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+
+ /*
+ * KRB5_LIBOPT_IGNORE_SERVICE_INST may be reset by
+ * krb5_os_init_context() and hence this must precede it.
+ * We set the default value to -1 so that we can distinguish
+ * between true, false and undefined.
+ */
+ profile_get_boolean(ctx->profile, "libdefaults",
+ "check-service-instance", 0,
+ -1, &tmp);
+ if (tmp == 1)
+ ctx->library_options &= ~KRB5_LIBOPT_IGNORE_SERVICE_INST;
+ if (tmp == 0)
+ ctx->library_options |= KRB5_LIBOPT_IGNORE_SERVICE_INST;
+
+ switch (krb5_os_check_service_instance(ctx)) {
+ case 1:
+ ctx->library_options &= ~KRB5_LIBOPT_IGNORE_SERVICE_INST;
+ break;
+ case 0:
+ ctx->library_options |= KRB5_LIBOPT_IGNORE_SERVICE_INST;
+ break;
+ default:
+ break;
+ }
/*
* We use a default file credentials cache of 3. See
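Review bot: changing `ctx->library_options = tmp ? ...` to `|=` only works if library_options was already zeroed before this point; the line it replaces was the first assignment, so either confirm the context is allocated zero-filled or add an explicit `ctx->library_options = 0;` ahead of it. The comment saying the flag "may be reset by krb5_os_init_context() and hence this must precede it" no longer describes the code, since the override is done inline by the switch on krb5_os_check_service_instance(). Minor: `check-service-instance` breaks the underscore convention of the neighbouring libdefaults key `kdc_timesync`; `check_service_instance` would be consistent.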
Index: lib/krb5/os/init_os_ctx.c
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/lib/krb5/os/init_os_ctx.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 init_os_ctx.c
--- lib/krb5/os/init_os_ctx.c 16 Aug 2005 19:51:59 -0000 1.1.1.2
+++ lib/krb5/os/init_os_ctx.c 26 Aug 2010 01:14:21 -0000
@@ -375,6 +375,26 @@
return retval;
}
+int KRB5_CALLCONV
+krb5_os_check_service_instance (krb5_context ctx)
+{
+#ifndef _WIN32
+ char *check_server;
+
+ check_server = getenv("KRB5_CHECK_SERVICE_INSTANCE");
+ if (check_server) {
+ if (!strcmp(check_server, "0") ||
+ !strcasecmp(check_server, "false"))
+ return 0;
+ if (!strcmp(check_server, "1") ||
+ !strcasecmp(check_server, "true"))
+ return 1;
+ }
+#endif /* _WIN32 */
+
+ return -1;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_profile (krb5_context ctx, profile_t *profile)
{
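Review bot: getenv("KRB5_CHECK_SERVICE_INSTANCE") is consulted unconditionally and, given the order in init_ctx.c, overrides an explicit check-service-instance setting in krb5.conf, so anyone able to set the environment of a process using this library can switch off the instance check for it. The library already has a "secure" mode for suppressing environment-derived configuration (the os_get_default_config_files comment in the first hunk refers to it); this function should take that flag and return -1 when it is set, or at least only honour the variable when it tightens the check ("1"/"true"). Minor: the closing comment should read `#endif /* !_WIN32 */` to match the `#ifndef`.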
--
Roland Dowdeswell http://Imrryr.ORG/~elric/