authorIsaac Boukris <iboukris@gmail.com>2018-10-05 14:43:51 +0300
committerGreg Hudson <ghudson@mit.edu>2018-10-12 14:25:39 -0400
commit586e901145c2b874828748610bf95aa32b281fc4 (patch)
treea3e31b0bbcd467c0412230eab2fdef0459bf109a
parentbce3da1bc392cf5e8a4ca709f8eb1cfde974e36e (diff)
Add more constraints to S4U2Self processing
Of the eight possible combinations of local or cross TGT, local or non-local user, and local server or referral, four are valid. The previous commit rejects two of the invalid cases (local TGT and referral, with local or non-local user). Document the four valid cases and reject the remaining two invalid combinations. [ghudson@mit.edu: rewrote commit message; added comment documenting valid combinations; adjusted style and comments] ticket: 8748 (new)
-rw-r--r--src/kdc/kdc_util.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index d1c81a5..dfeaf7e 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1546,6 +1546,19 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
return KRB5KDC_ERR_BADOPTION;
}
+ /*
+ * Valid S4U2Self requests can occur in the following combinations:
+ *
+ * (1) local TGT, local user, local server
+ * (2) cross TGT, local user, issuing referral
+ * (3) cross TGT, non-local user, issuing referral
+ * (4) cross TGT, non-local user, local server
+ *
+ * The first case is for a single-realm S4U2Self scenario; the second,
+ * third, and fourth cases are for the initial, intermediate (if any), and
+ * final cross-realm requests in a multi-realm scenario.
+ */
+
is_local_tgt = !is_cross_tgs_principal(header_srv_princ);
if (is_local_tgt && issuing_referral) {
/* The requesting server appears to no longer exist, and we found
@@ -1562,6 +1575,13 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
krb5_db_entry no_server;
krb5_pa_data **e_data = NULL;
+ if (!is_local_tgt && !issuing_referral) {
+ /* A local server should not need a cross-realm TGT to impersonate
+ * a local principal. */
+ *status = "NOT_CROSS_REALM_REQUEST";
+ return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */
+ }
+
code = krb5_db_get_principal(kdc_context,
(*s4u_x509_user)->user_id.user,
KRB5_KDB_FLAG_INCLUDE_PAC, &princ);
@@ -1584,6 +1604,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
}
*princ_ptr = princ;
+ } else if (is_local_tgt) {
+ /*
+ * The server is asking to impersonate a principal from another realm,
+ * using a local TGT. It should instead ask that principal's realm and
+ * follow referrals back to us.
+ */
+ *status = "S4U2SELF_CLIENT_NOT_OURS";
+ return KRB5KDC_ERR_POLICY; /* match Windows error */
}
return 0;