| author | Greg Hudson <ghudson@mit.edu> | 2010-12-01 20:01:46 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-12-01 20:01:46 +0000 |
| commit | 9479352bf9c570659ebdc40561ac81a7eb292b08 (patch) | |
| tree | 3a4fc5078619402e8aba1386d2a99f58a207efc2 /src/lib | |
| parent | cdd631f3ec5c02f9c2983f459f944577a5a0c3e2 (diff) | |
Implement restrict_anonymous_to_tgt realm flag
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
ticket: 6829
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/kadm5/admin.h | 2 | ||||
| -rw-r--r-- | src/lib/kadm5/alt_prof.c | 6 |
2 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 99837033b..8b59c6b5b 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -291,6 +291,7 @@ typedef struct __krb5_realm_params {
 krb5_flags realm_flags;
 krb5_key_salt_tuple *realm_keysalts;
 unsigned int realm_reject_bad_transit:1;
+ unsigned int realm_restrict_anon:1;
 unsigned int realm_kadmind_port_valid:1;
 unsigned int realm_enctype_valid:1;
 unsigned int realm_max_life_valid:1;
@@ -298,6 +299,7 @@ typedef struct __krb5_realm_params {
 unsigned int realm_expiration_valid:1;
 unsigned int realm_flags_valid:1;
 unsigned int realm_reject_bad_transit_valid:1;
+ unsigned int realm_restrict_anon_valid:1;
 krb5_int32 realm_num_keysalts;
 } krb5_realm_params;
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index 6a7965512..cdd732113 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -1058,6 +1058,12 @@ krb5_read_realm_params(kcontext, realm, rparamp)
 rparams->realm_reject_bad_transit_valid = 1;
 }
+ hierarchy[2] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT;
+ if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+ rparams->realm_restrict_anon = bvalue;
+ rparams->realm_restrict_anon_valid = 1;
+ }
+
 hierarchy[2] = KRB5_CONF_NO_HOST_REFERRAL;
 if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls))
 rparams->realm_no_host_referral = no_refrls;
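Review bot: The new `realm_restrict_anon` bit in the first admin.h hunk carries no comment, and unlike the neighbouring flags its name does not say what is being restricted; since this bit decides which principals an anonymous client may obtain tickets for, a one-line comment on the field would help readers of the header: `unsigned int realm_restrict_anon:1; /* anonymous principals may only request the local TGT */`. The `realm_restrict_anon_valid` bit added in the second hunk follows the surrounding `_valid` convention (set when the option was present in the profile) and would benefit from the same treatment. Placing the new bit between `realm_reject_bad_transit` and the `_valid` run shifts the bit position of every later member, which is a silent layout change for anything outside the tree compiled against the old `krb5_realm_params`; this looks like it is only filled and consumed in-process via `krb5_read_realm_params`, so that may be acceptable, but it deserves a conscious decision. The `__krb5_realm_params` typedef starts and ends outside both hunks.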
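Review bot: The alt_prof.c block does not say what happens when `restrict_anonymous_to_tgt` is absent from the profile: `krb5_aprof_get_boolean` then returns non-zero, `realm_restrict_anon` is never assigned and `realm_restrict_anon_valid` stays clear, so the effective default is decided by whatever consumes `krb5_realm_params` (the KDC, presumably), and a reader of this function cannot tell whether the absent-option case is permissive. Because this flag limits what anonymous principals can request, that hand-off deserves a comment above the new `hierarchy[2] = ...` line, e.g. `/* Absent from the profile: leave _valid clear so the caller applies its own default. */`. The block otherwise mirrors the `reject_bad_transit` lookup immediately above it, and the third argument `TRUE` appears to be the same use-last-value selector that lookup passes, though that call sits outside the hunk. `krb5_read_realm_params` begins and ends outside the hunk.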
