authorGreg Hudson <ghudson@mit.edu>2023-03-21 00:51:17 -0400
committerGreg Hudson <ghudson@mit.edu>2023-03-27 14:25:56 -0400
commit5af907156f8f502bbe268f0c62274f88a61261e4 (patch)
tree4890644bc0e69a304eb80cf5559695d51b1ef1d8 /src/tests/t_authdata.py
parent654f257b8843e3d85e368d8816511d99a8bab987 (diff)
Add pac_privsvr_enctype string attribute
The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes. As a workaround, add a string attribute which can force the privsvr key to use a specified enctype using key derivation when issuing tickets to that principal. This attribute can be set on cross-realm TGT entries when the target realm uses Active Directory and the local TGT uses an aes-sha2 primary key. ticket: 9089 (new)
Diffstat (limited to 'src/tests/t_authdata.py')
-rw-r--r--src/tests/t_authdata.py19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py
index 6a5af71..bde1c36 100644
--- a/src/tests/t_authdata.py
+++ b/src/tests/t_authdata.py
@@ -1,9 +1,10 @@
from k5test import *
-# Load the sample KDC authdata module.
+# Load the sample KDC authdata module. Allow renewable tickets.
greet_path = os.path.join(buildtop, 'plugins', 'authdata', 'greet_server',
'greet_server.so')
-conf = {'plugins': {'kdcauthdata': {'module': 'greet:' + greet_path}}}
+conf = {'realms': {'$realm': {'max_life': '20h', 'max_renewable_life': '20h'}},
+ 'plugins': {'kdcauthdata': {'module': 'greet:' + greet_path}}}
realm = K5Realm(krb5_conf=conf)
# With no requested authdata, we expect to see PAC (128) in an
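Review bot: The new comment above greet_path says renewable tickets are allowed but not why, and the `'max_life': '20h'` entry added alongside `max_renewable_life` is not explained at all; the only consumer visible in this commit is the pac_privsvr_enctype test further down, which renews a service ticket with `-r 1h` and then `-R`. Suggest `# Load the sample KDC authdata module.  Allow renewable tickets so the pac_privsvr_enctype test below can renew a service ticket.` and a short why-comment on the max_life entry if it is needed for that test. Whether max_life has to change at all is not evident from this hunk; if it only mirrors max_renewable_life, say so, since a reader may otherwise assume the larger lifetime is required for the PAC checks.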
@@ -49,6 +50,20 @@ out = realm.run(['./adata', 'krbtgt/XREALM', '-3', 'test'])
if '128:' not in out or '^-42: Hello' not in out or ' -3: test' not in out:
fail('expected authdata not seen for cross-realm TGT request')
+mark('pac_privsvr_enctype')
+# Change the privsvr enctype and make sure we can still verify the PAC
+# on a service ticket in a TGS request.
+realm.run([kadminl, 'setstr', realm.host_princ,
+ 'pac_privsvr_enctype', 'aes128-sha1'])
+realm.kinit(realm.user_princ, password('user'),
+ ['-S', realm.host_princ, '-r', '1h'])
+realm.kinit(realm.user_princ, None, ['-S', realm.host_princ, '-R'])
+# Remove the attribute and make sure the previously-issued service
+# ticket PAC no longer verifies.
+realm.run([kadminl, 'delstr', realm.host_princ, 'pac_privsvr_enctype'])
+realm.kinit(realm.user_princ, None, ['-S', realm.host_princ, '-R'],
+ expected_code=1, expected_msg='Message stream modified')
+
realm.stop()
if not pkinit_enabled: