diff options
author | rbasch <probe@tardis.internal.bright-prospects.com> | 2014-06-03 18:44:17 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2014-06-10 23:54:41 -0400 |
commit | f07516a9f65207b1fb2f9f07b1ec7d3caa51c6be (patch) | |
tree | 77b8040d28b8829058ac6760d81b27706c52f085 /src/kdc | |
parent | 41d38531043b99e8daa334f2b6ddf376adf1e878 (diff) | |
download | krb5-f07516a9f65207b1fb2f9f07b1ec7d3caa51c6be.zip krb5-f07516a9f65207b1fb2f9f07b1ec7d3caa51c6be.tar.gz krb5-f07516a9f65207b1fb2f9f07b1ec7d3caa51c6be.tar.bz2 |
In KDC, log client principal in bad header ticket
Fix KDC logging to include client principal in TGS_REQ logging even
during error conditions such as "Ticket expired". As long as the
TGS_REQ can be decrypted and the client principal is available, it
should be included in the log, regardless of other errors which might
be detected.
krb5_rd_req_decoded and krb5_rd_req_decoded_anyflag (not public
interfaces) now leave the decrypted ticket in req->ticket->enc_part2
on success or failure, if the ticket was successfully decrypted. This
does not affect the behavior of krb5_rd_req.
[ghudson@mit.edu: removed extraneous change, added commit message
summary and description of internal API change, fixed possible memory
leak, removed comment and #if 0 code block of purely historical
interest]
ticket: 7910
Diffstat (limited to 'src/kdc')
-rw-r--r-- | src/kdc/kdc_util.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 98e1937..cd276e4 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -363,6 +363,10 @@ cleanup: * * This function also implements key rollover support for kvno 0 cross-realm * TGTs issued by AD. + * + * If the ticket was successfully decrypted, it will be returned in *ticket + * even if we return an error because the ticket was invalid (e.g. if it was + * expired). */ static krb5_error_code @@ -371,12 +375,14 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm, krb5_db_entry **server, krb5_keyblock **tgskey, krb5_ticket **ticket) { - krb5_error_code retval; + krb5_error_code retval, ret2; krb5_enctype search_enctype = apreq->ticket->enc_part.enctype; krb5_boolean match_enctype = 1; krb5_kvno kvno; size_t tries = 3; + *ticket = NULL; + /* * When we issue tickets we use the first key in the principals' highest * kvno keyset. For non-cross-realm krbtgt principals we want to only @@ -413,7 +419,17 @@ kdc_rd_ap_req(kdc_realm_t *kdc_active_realm, retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, apreq->ticket->server, kdc_active_realm->realm_keytab, - NULL, ticket); + NULL, NULL); + + /* If the ticket was decrypted, save it even if it didn't validate, and + * don't try any more keys. */ + if (apreq->ticket->enc_part2 != NULL) { + ret2 = krb5_copy_ticket(kdc_context, apreq->ticket, ticket); + if (!retval) + retval = ret2; + break; + } + } while (retval && apreq->ticket->enc_part.kvno == 0 && kvno-- > 1 && --tries > 0); |