| author | Sam Hartman <hartmans@mit.edu> | 2009-12-28 17:15:30 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2009-12-28 17:15:30 +0000 |
| commit | ec49e6e673ab229462ef18aa2986167eaa643643 (patch) | |
| tree | 625dba55e939a0073cf69f7b79c8c0010df991eb /src/kdc | |
| parent | c5479d0c5b29430a49cf3683513c1223a173ac4e (diff) | |
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Merge remote branch 'anonymous' into trunk
Conflicts:
src/lib/krb5/krb/gic_opt.c
ticket: 6607
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
| -rw-r--r-- | src/kdc/do_as_req.c | 18 | ||||
| -rw-r--r-- | src/kdc/do_tgs_req.c | 3 | ||||
| -rw-r--r-- | src/kdc/kdc_authdata.c | 8 | ||||
| -rw-r--r-- | src/kdc/kdc_preauth.c | 9 |
4 files changed, 32 insertions, 6 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23f1ddcb8..58da726cb 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -389,6 +389,24 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     enc_tkt_reply.caddrs = request->addresses;
     enc_tkt_reply.authorization_data = 0;
 
+    /* If anonymous requests are being used, adjust the realm of the client principal*/
+    if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
+        if (!krb5_principal_compare_any_realm(kdc_context, request->client,
+                                              krb5_anonymous_principal())) {
+            errcode = KRB5KDC_ERR_BADOPTION;
+            status = "Anonymous requested but anonymous principal not used.";
+            goto errout;
+        }
+        setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
+        krb5_free_principal(kdc_context, request->client);
+        errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
+                                      &request->client);
+        if (errcode) {
+            status = "Copying anonymous principal";
+            goto errout;
+        }
+        enc_tkt_reply.client = request->client;
+    }
     /*
      * Check the preauthentication if it is there.
      */
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 75d413250..4a778f412 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -593,7 +593,8 @@ tgt_again:
     } else {
         enc_tkt_reply.times.renew_till = 0;
     }
-
+    if (isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
+        setflag(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
     /*
      * Set authtime to be the same as header or evidence ticket's
      */
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 03bfe29c4..882167443 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -128,6 +128,7 @@ typedef struct _krb5_authdata_systems {
     int type;
 #define AUTHDATA_FLAG_CRITICAL 0x1
 #define AUTHDATA_FLAG_PRE_PLUGIN 0x2
+#define AUTHDATA_FLAG_ANONYMOUS 0x4 /*Use this plugin even for anonymous tickets*/
     int flags;
     void *plugin_context;
     init_proc init;
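Review bot: `krb5_free_principal(kdc_context, request->client)` leaves request->client pointing at freed memory until the following krb5_copy_principal succeeds, and on its failure branch the stale pointer is still inside the request when `goto errout` runs; unless krb5_copy_principal is guaranteed to reset *outprinc on failure, and if errout releases the request (that code is outside the hunk, so I cannot confirm), this is a double free. Either clear it right away, `krb5_free_principal(kdc_context, request->client); request->client = NULL;`, or copy into a temporary first and free the original only once the copy exists. process_as_req continues on both sides of this hunk.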
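Review bot: The anonymous flag is only inherited from the header ticket; a TGS-REQ that sets KDC_OPT_REQUEST_ANONYMOUS on a non-anonymous TGT is neither honored nor rejected by anything in this hunk, whereas the AS path answers the same situation with KRB5KDC_ERR_BADOPTION. If the rest of the TGS handler (outside the hunk) does not treat that option either, add a comment stating the decision, e.g. `/* A ticket issued from an anonymous TGT is itself anonymous; KDC_OPT_REQUEST_ANONYMOUS on a non-anonymous TGT is not supported here. */`, or reject the option explicitly so the behaviour is not silent. The enclosing function starts and ends outside the hunk.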
@@ -143,7 +144,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
         /* Propagate client-submitted authdata */
         "tgs_req",
         AUTHDATA_SYSTEM_V2,
-        AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN,
+        AUTHDATA_FLAG_CRITICAL | AUTHDATA_FLAG_PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS,
         NULL,
         NULL,
         NULL,
@@ -153,7 +154,7 @@ static krb5_authdata_systems static_authdata_systems[] = {
         /* Propagate TGT authdata */
         "tgt",
         AUTHDATA_SYSTEM_V2,
-        AUTHDATA_FLAG_CRITICAL,
+        AUTHDATA_FLAG_CRITICAL|AUTHDATA_FLAG_ANONYMOUS,
         NULL,
         NULL,
         NULL,
@@ -765,6 +766,9 @@ handle_authdata (krb5_context context,
     for (i = 0; i < n_authdata_systems; i++) {
         const krb5_authdata_systems *asys = &authdata_systems[i];
 
+        if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) &&
+            !isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS))
+            continue;
         switch (asys->type) {
         case AUTHDATA_SYSTEM_V0:
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 2262c8956..d14b18333 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1275,6 +1275,7 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
     krb5_pa_data ** send_pa_list;
     krb5_pa_data ** send_pa;
     krb5_pa_data * pa = 0;
+    krb5_pa_data null_item;
     krb5_preauth_systems * ap;
     int * pa_order;
     int * pa_type;
@@ -1308,7 +1309,8 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
         return retval;
     }
     key_modified = FALSE;
-
+    null_item.contents = NULL;
+    null_item.length = NULL;
     send_pa = send_pa_list;
     *send_pa = 0;
 
@@ -1330,7 +1332,8 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
             continue;
         if (find_pa_context(ap, *padata_context, &pa_context))
             continue;
-        pa = 0;
+        pa = &null_item;
+        null_item.pa_type = ap->type;
         if (request->padata) {
             for (padata = request->padata; *padata; padata++) {
                 if ((*padata)->pa_type == ap->type) {
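Review bot: The new gate in handle_authdata's loop skips every authdata system lacking AUTHDATA_FLAG_ANONYMOUS on an anonymous ticket, including systems flagged AUTHDATA_FLAG_CRITICAL, so a critical system is silently dropped rather than failing the request. If that is intended (an anonymous ticket must carry no identity-bound authdata, and only systems that opt in run), the one-word comment on the -128 define does not say so; put it on the `continue`, e.g. `/* Anonymous tickets carry no identity-bound authdata; only systems that opt in via AUTHDATA_FLAG_ANONYMOUS run. */`. The only opt-ins in this diff are the `tgs_req` and `tgt` propagation entries at -143 and -153, which is consistent with that reading. On those two lines `PRE_PLUGIN|AUTHDATA_FLAG_ANONYMOUS` and `CRITICAL|AUTHDATA_FLAG_ANONYMOUS` also break the spacing the existing `CRITICAL | PRE_PLUGIN` uses.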
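Review bot: `null_item.length = NULL;` in the -1308 hunk assigns a null pointer constant to a length field; it should read `null_item.length = 0;` (compilers warn on this, and some reject it when NULL is `(void *)0`). null_item is declared without an initializer at -1275 and only contents, length and pa_type are ever set, so any other field of krb5_pa_data is indeterminate when callbacks receive it via `pa`; a zeroing initialization at the declaration, `memset(&null_item, 0, sizeof null_item);` or an empty-braces initializer, closes that. return_padata begins before and continues after these hunks.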
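Review bot: Replacing `pa = 0` with `pa = &null_item` in the -1330 hunk changes the contract every return_padata callback sees: a system with no matching client padata now gets a non-NULL krb5_pa_data whose contents is NULL instead of a NULL pointer. Only return_sam_data is adapted in this diff (the -1900 hunk); any other callback in this file or in loadable preauth plugins that still tests `in_padata == NULL` will now treat the empty item as real padata, so they need the same audit. A comment at the assignment would spare the next reader that surprise, e.g. `/* Hand callbacks an empty item (contents == NULL) instead of NULL, presumably so a system can emit padata even when the client sent none. */`.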
@@ -1900,7 +1903,7 @@ return_sam_data(krb5_context context, krb5_pa_data *in_padata,
     krb5_sam_response *sr = 0;
     krb5_predicted_sam_response *psr = 0;
 
-    if (in_padata == 0)
+    if (in_padata->contents == 0)
         return 0;
 
     /* |
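Review bot: `if (in_padata->contents == 0)` dereferences in_padata unconditionally, so return_sam_data now crashes on a NULL argument where it previously returned 0; within this diff return_padata always passes &null_item, but other callers of this function are not visible here. Keeping both checks costs nothing, `if (in_padata == NULL || in_padata->contents == NULL) return 0;`. return_sam_data continues outside the hunk.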
