authorGreg Hudson <ghudson@mit.edu>2010-12-01 20:01:46 +0000
committerGreg Hudson <ghudson@mit.edu>2010-12-01 20:01:46 +0000
commit9479352bf9c570659ebdc40561ac81a7eb292b08 (patch)
tree3a4fc5078619402e8aba1386d2a99f58a207efc2 /src/include
parentcdd631f3ec5c02f9c2983f459f944577a5a0c3e2 (diff)
Implement restrict_anonymous_to_tgt realm flag
Implement a new realm flag to reject ticket requests from anonymous principals to any principal other than the local TGT. This allows FAST to be deployed using anonymous tickets as armor in realms where the set of authenticatable users must be constrained. ticket: 6829 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/adm.h2
-rw-r--r--src/include/k5-int.h1
2 files changed, 3 insertions, 0 deletions
diff --git a/src/include/adm.h b/src/include/adm.h
index 68f3c7a89..c23cd89e3 100644
--- a/src/include/adm.h
+++ b/src/include/adm.h
@@ -210,6 +210,7 @@ typedef struct __krb5_realm_params {
krb5_flags realm_flags;
krb5_key_salt_tuple *realm_keysalts;
unsigned int realm_reject_bad_transit:1;
+ unsigned int realm_restrict_anon:1;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
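Review bot: The new `realm_restrict_anon` bit has no comment saying what it restricts, or that it is presumably meaningful only when `realm_restrict_anon_valid` (added in the next hunk of adm.h) is set. Because this flag gates an access policy, the struct should state the default: if an unset valid bit is treated as "no restriction", the behaviour is fail-open, and that is worth confirming against the code that reads it, which is not shown here. I would add `/* Reject anonymous-principal requests for anything but the local TGT; read only if realm_restrict_anon_valid is set. */` above the field. Inserting the bit in the middle of the bit-field run also shifts the flags that follow it, so any code including adm.h must be rebuilt against the new layout. The struct definition begins before this hunk.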
@@ -217,6 +218,7 @@ typedef struct __krb5_realm_params {
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
unsigned int realm_reject_bad_transit_valid:1;
+ unsigned int realm_restrict_anon_valid:1;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
#endif /* KRB5_ADM_H__ */
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 9a81d3bbc..ac46b4600 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -263,6 +263,7 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
+#define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt"
#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"