ACL support in KDC management of AS_REQ and TGS_REQ

Matthieu Hautreux matthieu.hautreux at gmail.com
Wed Nov 30 18:01:04 EST 2011 

Hi,

looking at a way to filter incoming requests on a KDC based on IP
source addrs, we worked on a patch to add a new ACL mechanism to
allow/deny particular requests on the KDC side.

The main goal was to enforce that AS_REQ where only possible from a
subset of nodes instead of the whole infrastructure. The ACL concept
was then extended to the TGS_REQ, as it was not really difficult to
add that feature once the initial logic is added.

I am wondering if it is something that could be useful for other users
of MIT kerberos. You will find enclosed a preliminar version for
krb5-1.9.1. As well as a few notes below explaining the way it works.
Let me know if it is something that you would be interested to add in
a future version of the product. I would try in that case to work to
provide something including docs and regression tests. (I based the
acl file parsing logic on the one used for kadmin.acl)

Regards,
Matthieu

Notes :

The KDC acl support is configured using a kdc_acl pragma in the
kdcdefaults section ok kdc.conf pointing to the ACL file :

[root at leaf ~]# grep -B 4 kdc_acl /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 kdc_acl = /var/kerberos/krb5kdc/kdc.acl
[root at leaf ~]#

The KDC acl file enables to filter AS and TGS request to only serves a subset
of the incoming requests. The format of the ACL file is the following :

* For AS_REQ filtering :

AS_REQ: allow|deny regexp1 from regexp2

	where regexp1 correspond to the list of principals and regexp2 to the
	list of source IP addresses of requests that will match the rule.

* For TGS_REQ filtering :

TGS_REQ: allow|deny regexp1 from regexp2 for regexp3

	where regexp1 correspond to the list of target principals, regexp2 to
	the list of source IP addresses and regexp3 to the client principal of
	requests that will match the rule.

Here is an example of a configuration file :
#-------------
AS_REQ: allow ^(host/.*@EXAMPLE.ORG|admin/.*@EXAMPLE.ORG)$ \
	from ^(192\.168\.0\.1)|(192\.168\.0\.2)$

AS_REQ: allow ^hautreux at EXAMPLE\.ORG$ \
	from ^(10\.0\.0\.1)$

AS_REQ: deny * from *

TGS_REQ: deny ^(admin/.*@EXAMPLE.ORG)$ \
	 from ^(10\.0\.0\.1)$ \
	 for ^hautreux at EXAMPLE\.ORG$

TGS_REQ: allow * from * for *
#-------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.9.1-kdc_acl.patch
Type: text/x-patch
Size: 21238 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20111201/0c5178e1/attachment.bin

More information about the krbdev mailing list