author | Tom Yu <tlyu@mit.edu> | 2002-08-15 20:48:24 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2002-08-15 20:48:24 +0000 |
commit | 39cbdfcf334c5d19be70a2ce5e8d7b5c392e5d3f (patch) | |
tree | 3a546d03b6132c2b13f32cf2f10cfbf251647486 /src/kdc/kerberos_v4.c | |
parent | bf87ad4667a914122f2eaa5de924a4daa80f7af8 (diff) | |
* kerberos_v4.c: For consistency, check for both DISALLOW_ALL_TIX
and DISALLOW_SVR when looking up services.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14726 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kerberos_v4.c')
-rw-r--r-- | src/kdc/kerberos_v4.c | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index cf9fa9feec..a1f2714948 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -156,7 +156,7 @@ static int set_tgtkey (char *, krb5_kvno);
 #define V4_KDB_REQUIRES_PREAUTH 0x1
 #define V4_KDB_DISALLOW_ALL_TIX 0x2
 #define V4_KDB_REQUIRES_PWCHANGE 0x4
-
+#define V4_KDB_DISALLOW_SVR 0x8
 /* v4 compatibitly mode switch */
 #define KDC_V4_NONE 0 /* Don't even respond to packets */
@@ -547,6 +547,9 @@ kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno,
 if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
 principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
 }
+ if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
+ principal->attributes |= V4_KDB_DISALLOW_SVR;
+ }
 if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
 principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
 }
@@ -1121,6 +1124,13 @@ check_princ(p_name, instance, lifetime, p, k5key, issrv, k5life)
 return KERB_ERR_NAME_EXP;
 }
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
+ "\"%s\" \"%s\"", p_name, instance);
+ /* Not sure of a better error to return */
+ return KERB_ERR_NAME_EXP;
+ }
+
 /*
 * Does the principal require preauthentication?
 */
@@ -1181,6 +1191,19 @@ set_tgtkey(r, kvno)
 if (n == 0)
 return (KFAILURE);
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
+ lt = klog(L_ERR_SEXP,
+ "V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
 if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
 krb_set_key_krb5(kdc_context, &k5key);
 strncpy(lastrealm, r, sizeof(lastrealm) - 1); |
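Review bot: In the `kerb_get_principal` hunk the V4_KDB_DISALLOW_SVR bit is set only when `issrv` is non-zero, while the new tests in `check_princ` and `set_tgtkey` read the bit unconditionally, so both denials silently depend on every service lookup passing a non-zero `issrv`. The calls that supply `issrv` are outside the hunks shown, so this cannot be confirmed from the diff. A comment above the new `if` would record the contract, for example `/* DISALLOW_SVR is mapped only for service lookups; callers must pass issrv != 0 or the later checks never fire. */`. The body of `kerb_get_principal` starts and ends outside the hunk.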
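Review bot: The new DISALLOW_SVR branch in `check_princ` returns `KERB_ERR_NAME_EXP`, the same code returned by the branch immediately above it, so the reply alone cannot distinguish a policy denial from the preceding failure; the `klog` text is the only record that tells them apart. The existing comment admits the code is a stand-in but does not say why it is acceptable. I would expand it to `/* V4 has no "service disallowed" error; reuse NAME_EXP and rely on the "V5 DISALLOW_SVR set" log line to identify the cause. */` so that anyone triaging KDC logs knows which message to look for. `check_princ` begins and ends outside the hunk.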
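Review bot: The two new denials in `set_tgtkey` sit after the `n == 0` test, so they run only when the krbtgt entry is actually looked up. The trailing context (`strncpy(lastrealm, r, ...)`) suggests the realm is remembered after a successful lookup; if the function returns early for a remembered realm (that part is outside the hunk), a DISALLOW_ALL_TIX or DISALLOW_SVR flag set on krbtgt afterwards would not take effect until the remembered key is replaced. Worth confirming, and if so documenting next to the checks with something like `/* Evaluated on a fresh lookup only; a cached TGT key is not re-validated. */`. As a smaller style point, the two branches differ only in their log text and could share the `krb5_free_keyblock_contents` / `return KFAILURE` tail.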