diff options
| author | Sam Hartman <hartmans@mit.edu> | 2003-03-17 01:03:11 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2003-03-17 01:03:11 +0000 |
| commit | eeefea9966e50bf16af6e2df9e8b74d892598bef (patch) | |
| tree | a90a9b3603e6fec48c0b7febcb26e0c83e01752f /src/krb524 | |
| parent | 1b190c9ac0a47f4dbd8db4a2e191758fc8d030f7 (diff) | |
| download | krb5-eeefea9966e50bf16af6e2df9e8b74d892598bef.tar.gz krb5-eeefea9966e50bf16af6e2df9e8b74d892598bef.tar.xz krb5-eeefea9966e50bf16af6e2df9e8b74d892598bef.zip | |
Disable krb4 cross-realm in krb524d and krb5kdc. Provide an option to
reenable (-X) which prints a warning that you are creating a security
hole.
Remove support for generating krb4 tickets encrypted using 3DES
service keys as it is insecure. They are still accepted however.
The KDc is much more strict about accepting only tickets that it would
have issued in the current configuration. In particular if the KDC
would choose some enctype for writing a TGT, other enctypes will not
be accepted when using a TGT.
Ticket: 1385
Target_Version: 1.3
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15286 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/krb524')
| -rw-r--r-- | src/krb524/ChangeLog | 8 | ||||
| -rw-r--r-- | src/krb524/cnv_tkt_skey.c | 20 | ||||
| -rw-r--r-- | src/krb524/krb524d.c | 36 |
3 files changed, 30 insertions, 34 deletions
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index 2a7b6cc54..ba03cc0da 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,11 @@ +2003-03-16 Sam Hartman <hartmans@mit.edu> + + * krb524d.c (handle_classic_v4): Do not support 3des enctypes as + they are insecure. Also, by default do not allow krb4 + cross-realm. + + * cnv_tkt_skey.c (krb524_convert_tkt_skey): Don't support 3des tickets + 2003-03-12 Ken Raeburn <raeburn@mit.edu> * cnv_tkt_skey.c (krb524_convert_tkt_skey): Extract source IP diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c index 595a1d392..3730ce43c 100644 --- a/src/krb524/cnv_tkt_skey.c +++ b/src/krb524/cnv_tkt_skey.c @@ -184,26 +184,8 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, sname, sinst, v4_skey->contents); - } else { - /* Force enctype to be raw if using DES3. */ - if (v4_skey->enctype == ENCTYPE_DES3_CBC_SHA1 || - v4_skey->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1) - v4_skey->enctype = ENCTYPE_DES3_CBC_RAW; - ret = krb524int_krb_cr_tkt_krb5(v4tkt, - 0, /* flags */ - pname, - pinst, - prealm, - sinp->sin_addr.s_addr, - (char *) v5etkt->session->contents, - lifetime, - /* issue_data */ - server_time, - sname, - sinst, - v4_skey); } - + else abort(); krb5_free_enc_tkt_part(context, v5etkt); v5tkt->enc_part2 = NULL; if (ret == KSUCCESS) diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index 4995b515f..0dce9cbc9 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c @@ -76,6 +76,7 @@ static int debug = 0; void *handle = NULL; int use_keytab, use_master; +int allow_v4_crossrealm = 0; char *keytab = NULL; krb5_keytab kt; @@ -137,7 +138,10 @@ int main(argc, argv) config_params.mask = 0; while (argc) { - if (strncmp(*argv, "-k", 2) == 0) + if (strncmp(*argv, "-X", 2) == 0) { + allow_v4_crossrealm = 1; + } + else if (strncmp(*argv, "-k", 2) == 0) use_keytab = 1; else if (strncmp(*argv, "-m", 2) == 0) use_master = 1; @@ -524,19 +528,7 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, &v5_service_key, NULL))) goto error; - if ((ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES3_CBC_RAW, - 0, /* highest kvno */ - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_LOCAL_DES3_HMAC_SHA1, - 0, - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES3_CBC_SHA1, - 0, - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, + if ( (ret = lookup_service_key(context, v5tkt->server, ENCTYPE_DES_CBC_CRC, 0, &v4_service_key, v4kvno))) @@ -544,8 +536,19 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, if (debug) printf("service key retrieved\n"); + if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) { + goto error; + } - ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, + if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server, + v5tkt->enc_part2->client))) { +ret = KRB5KDC_ERR_POLICY ; + goto error; + } + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + v5tkt->enc_part2= NULL; + + ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, &v4_service_key, (struct sockaddr_in *)saddr); if (ret) @@ -561,6 +564,9 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, printf("v4 credentials encoded\n"); error: + if (v5tkt->enc_part2) + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + if(v5_service_key.contents) krb5_free_keyblock_contents(context, &v5_service_key); if (v4_service_key.contents) |