Patch to ignore service principals when accepting connexions.

Roland C. Dowdeswell elric at imrryr.org
Thu Aug 26 16:36:24 EDT 2010


On Thu, Aug 26, 2010 at 12:00:27PM -0400, Greg Hudson wrote:
>

> On Wed, 2010-08-25 at 21:40 -0400, Roland C. Dowdeswell wrote:
> > Is my proposed name ``check-service-instance'' reasonable or should
> > we settle on another name?
> 
> How about "ignore-server-hostname"?  Your patch, incidentally, only
> seemed to include configuration logic, not the actual implementation of
> the flag (looking at
> http://mailman.mit.edu/pipermail/krbdev/2010-August/009353.html)

Right, sorry about that.  I used the same CVS diff to pick the list of
files from my prior patch---and the actual logic moved from rd_req.c
to rd_req_dec.c.

Here's the full patch that I intended to send.

It appears that there may be a use case for

	ignore-server-realm: just ignore the realm, and
	ignore-server-principal: ignore the entire principal.

I can code those up as well, if they seem to be a good idea.


Index: include/k5-int.h
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/include/k5-int.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 k5-int.h
--- include/k5-int.h	26 Sep 2006 20:29:10 -0000	1.1.1.2
+++ include/k5-int.h	26 Aug 2010 01:20:16 -0000
@@ -508,6 +508,8 @@
 
 void krb5_os_free_context (krb5_context);
 
+int krb5_os_check_service_instance (krb5_context);
+
 /* This function is needed by KfM's KerberosPreferences API 
  * because it needs to be able to specify "secure" */
 krb5_error_code os_get_default_config_files 
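Review bot: The prototype added here omits `KRB5_CALLCONV`, while the definition in lib/krb5/os/init_os_ctx.c is written `int KRB5_CALLCONV krb5_os_check_service_instance (krb5_context ctx)`. On a platform where that macro expands to a calling-convention keyword, the declaration and definition would disagree. Declaring it as `int KRB5_CALLCONV krb5_os_check_service_instance (krb5_context);` keeps them in step. A short comment on the tri-state result would also help, e.g. `/* 1 = check instance, 0 = ignore instance, -1 = not set in the environment */`, because callers must not treat -1 as false.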
@@ -1057,6 +1059,7 @@
 
 
 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
+#define KRB5_LIBOPT_IGNORE_SERVICE_INST	0x0002
 
 /* internal message representations */
 
Index: lib/krb5/krb/init_ctx.c
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/lib/krb5/krb/init_ctx.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 init_ctx.c
--- lib/krb5/krb/init_ctx.c	28 Mar 2005 21:43:36 -0000	1.1.1.1
+++ lib/krb5/krb/init_ctx.c	26 Aug 2010 01:08:11 -0000
@@ -209,7 +209,32 @@
 	profile_get_integer(ctx->profile, "libdefaults",
 			    "kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
 			    &tmp);
-	ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+	ctx->library_options |= tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+
+	/*
+	 * KRB5_LIBOPT_IGNORE_SERVICE_INST may be reset by
+	 * krb5_os_init_context() and hence this must precede it.
+	 * We set the default value to -1 so that we can distinguish
+	 * between true, false and undefined.
+	 */
+	profile_get_boolean(ctx->profile, "libdefaults",
+			    "check-service-instance", 0,
+			    -1, &tmp);
+	if (tmp == 1)
+		ctx->library_options &= ~KRB5_LIBOPT_IGNORE_SERVICE_INST;
+	if (tmp == 0)
+		ctx->library_options |= KRB5_LIBOPT_IGNORE_SERVICE_INST;
+
+	switch (krb5_os_check_service_instance(ctx)) {
+	case 1:
+		ctx->library_options &= ~KRB5_LIBOPT_IGNORE_SERVICE_INST;
+		break;
+	case 0:
+		ctx->library_options |= KRB5_LIBOPT_IGNORE_SERVICE_INST;
+		break;
+	default:
+		break;
+	}
 
 	/*
 	 * We use a default file credentials cache of 3.  See
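Review bot: The new `profile_get_boolean()` call reuses `tmp` from the `kdc_timesync` lookup and ignores its return value. If the call fails without storing a result (for example on an unparsable value, which should be confirmed against the profile library), `tmp` still holds the timesync setting. A leftover 0 would then set `KRB5_LIBOPT_IGNORE_SERVICE_INST` and silently relax the acceptor's principal check. Fail closed by resetting the variable and honouring the error, e.g. `tmp = -1;` before the call and `if (profile_get_boolean(...) != 0) tmp = -1;`. Changing `=` to `|=` for `KRB5_LIBOPT_SYNC_KDCTIME` also relies on `library_options` being zero on entry, which this hunk does not show. The comment names `krb5_os_init_context()` although the code below calls `krb5_os_check_service_instance()`; it should say that the environment setting overrides the profile setting.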
Index: lib/krb5/krb/rd_req_dec.c
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/lib/krb5/krb/rd_req_dec.c,v
retrieving revision 1.3
diff -u -r1.3 rd_req_dec.c
--- lib/krb5/krb/rd_req_dec.c	16 Apr 2007 02:40:21 -0000	1.3
+++ lib/krb5/krb/rd_req_dec.c	26 Aug 2010 01:12:39 -0000
@@ -93,8 +93,22 @@
     krb5_timestamp 	  currenttime;
     int			  check_addrs = 0;
 
-    if (server && !krb5_principal_compare(context, server, req->ticket->server))
-	return KRB5KRB_AP_WRONG_PRINC;
+    if (server) {
+	if (!krb5_realm_compare(context, server, req->ticket->server))
+	    return KRB5KRB_AP_WRONG_PRINC;
+
+	if (context->library_options & KRB5_LIBOPT_IGNORE_SERVICE_INST) {
+	    krb5_data *s, *t;
+
+	    s = krb5_princ_component(context, server, 0);
+	    t = krb5_princ_component(context, server, 0);
+	    if (s->length != t->length || memcmp(s->data, t->data, s->length))
+		return KRB5KRB_AP_WRONG_PRINC;
+	} else {
+	    if (!krb5_principal_compare(context, server, req->ticket->server))
+		return KRB5KRB_AP_WRONG_PRINC;
+	}
+    }
 
     /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
        do we need special processing here ?	*/
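Review bot: In the `KRB5_LIBOPT_IGNORE_SERVICE_INST` branch both `s` and `t` are taken from `server`, so the length/`memcmp` test compares the acceptor's name with itself and can never fail. With the option on, only the realm is checked and the ticket's service name is not compared at all, which is wider than the "ignore the instance" behaviour described. The second lookup should read `t = krb5_princ_component(context, req->ticket->server, 0);`. Neither pointer is checked before it is dereferenced; if `krb5_princ_component` can return NULL for a principal with no components (worth confirming in this tree), guard with `if (s == NULL || t == NULL || s->length != t->length || memcmp(s->data, t->data, s->length))`. The enclosing function starts and ends outside this hunk.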
Index: lib/krb5/os/init_os_ctx.c
===================================================================
RCS file: /ms/.dev/kerberos/mitkrb5/CVS/mitkrb5-1.4/mitkrb5/src/lib/krb5/os/init_os_ctx.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 init_os_ctx.c
--- lib/krb5/os/init_os_ctx.c	16 Aug 2005 19:51:59 -0000	1.1.1.2
+++ lib/krb5/os/init_os_ctx.c	26 Aug 2010 01:14:21 -0000
@@ -375,6 +375,26 @@
 	return retval;
 }
 
+int KRB5_CALLCONV
+krb5_os_check_service_instance (krb5_context ctx)
+{
+#ifndef _WIN32
+	char *check_server;
+
+	check_server = getenv("KRB5_CHECK_SERVICE_INSTANCE");
+	if (check_server) {
+		if (!strcmp(check_server, "0") ||
+		    !strcasecmp(check_server, "false"))
+			return 0;
+		if (!strcmp(check_server, "1") ||
+		    !strcasecmp(check_server, "true"))
+			return 1;
+	}
+#endif /* _WIN32 */
+
+	return -1;
+}
+
 krb5_error_code KRB5_CALLCONV
 krb5_get_profile (krb5_context ctx, profile_t *profile)
 {
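Review bot: `krb5_os_check_service_instance()` lets the `KRB5_CHECK_SERVICE_INSTANCE` environment variable turn off part of the acceptor's principal check, and it reads the variable unconditionally; `ctx` is never used. Per the init_ctx.c hunk, the result overrides the profile setting, so a process whose environment is not fully controlled by the service operator can have the check relaxed without any configuration change. If this tree's context carries the secure-profile flag set by `krb5_init_secure_context()`, return early in that mode, e.g. `if (ctx->profile_secure) return -1;` (field name to be confirmed), before calling `getenv()`. Values other than 0/1/true/false fall through to -1 silently. A header comment stating the return contract and that the environment takes precedence over `[libdefaults]` would make the behaviour auditable.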


--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/


