author: Greg Hudson <ghudson@mit.edu> 2010-12-01 20:01:46 +0000
committer: Greg Hudson <ghudson@mit.edu> 2010-12-01 20:01:46 +0000
commit: 9479352bf9c570659ebdc40561ac81a7eb292b08 (patch)
tree: 3a4fc5078619402e8aba1386d2a99f58a207efc2 /doc
parent: cdd631f3ec5c02f9c2983f459f944577a5a0c3e2 (diff)
Implement restrict_anonymous_to_tgt realm flag
Implement a new realm flag to reject ticket requests from anonymous principals to any principal other than the local TGT. Allows FAST to be deployed using anonymous tickets as armor in realms where the set of authenticatable users must be constrained.

ticket: 6829
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin.texinfo | 15
1 files changed, 14 insertions, 1 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 5dcc0d374..b6cc8e645 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -1562,7 +1562,11 @@ If you wish to change this (which we do not recommend, because the
current implementation has little protection against denial-of-service
attacks), the standard port number assigned for Kerberos TCP traffic
is port 88.
--@end table
+
+@itemx restrict_anonymous_to_kdc
+This flag determines the default value of restrict_anonymous_to_kdc for
+realms. The default value is @code{false}.
+@end table
@node realms (kdc.conf), pkinit kdc options, kdcdefaults, kdc.conf
@subsection [realms]
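Review bot: The option name in the new [kdcdefaults] entry is inconsistent with the rest of this patch: the hunk adds `@itemx restrict_anonymous_to_kdc` and says it sets the default of restrict_anonymous_to_kdc, while the commit title and the [realms] entry in the next hunk call the flag restrict_anonymous_to_tgt and say its default comes from restrict_anonymous_to_tgt in [kdcdefaults]. Rename the item and its description to the name the KDC actually reads, so administrators do not set a key that is never consulted. It would also help to state the type here, e.g. "A boolean value (@code{true}, @code{false})", as the [realms] entry does.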
@@ -1742,6 +1746,15 @@ software on its application servers updated but another has not.
This option defaults to @code{true}.
+@itemx restrict_anonymous_to_tgt
+A boolean value (@code{true}, @code{false}). If set to @code{true}, the
+KDC will reject ticket requests from anonymous principals to service
+principals other than the realm's ticket-granting service. This option
+allows anonymous PKINIT to be enabled for use as FAST armor tickets
+without allowing anonymous authentication to services. By default, the
+value of restrict_anonymous_to_tgt as specified in the [kdcdefaults]
+section is used.
+
@end table
@node pkinit kdc options, Sample kdc.conf File, realms (kdc.conf), kdc.conf
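Review bot: In the fallback sentence "the value of restrict_anonymous_to_tgt as specified in the [kdcdefaults] section is used", wrap the option name in @code{} as the other option references in this entry are, and consider stating the effective default when neither section sets it (the [kdcdefaults] hunk gives @code{false}), so a reader of this entry alone knows the KDC remains permissive toward anonymous service requests unless the flag is explicitly enabled.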