Exposing authentication indicators through libkrb5
Greg Hudson
ghudson at mit.edu
Mon Feb 22 18:48:53 EST 2016
On 02/22/2016 06:06 PM, Matt Rogers wrote:
> After looking at it more my concern is that leading up to calling the verify
> function (in rd_req_decoded_opt()) the key provided could be a subkey or a
> service key from the keytab, and we need to make sure we're only using the
> service key to check the svc-verifier, without unnecessary trips to the keytab.
The keyblock we pass to krb5int_authdata_verify() is &decrypt_key, which
is always the key used to decrypt the ticket. Perhaps the presence of
the user-to-user case is confusing because of the way it pulls a
keyblock from the auth context, but it's still setting decrypt_key to
the ticket encryption key.
> I submitted PR #410 for two public API functions. They will first be needed
> for a check_policy_tgs KDB method, but then also for the authdata plugin.
> Thanks again.
I'm not sure it's feasible to do auth indicator verification inside
check_policy_tgs, and these APIs don't seem to be applicable to that
task. The KDC needs to use the KDC verifier to verify the CAMMAC, not
the service verifier, and check_policy_tgs does not receive either the
ticket decryption key or the service-realm local TGT entry.
Nathaniel brought this part of things up on IRC. I gave an alternative
suggestion then, but I'm not sure it was read since I sent it late in
the day. See the last two things here:
http://colabti.org/irclogger/irclogger_log/krbdev?date=2016-02-10
More information about the krbdev
mailing list