authorRobbie Harwood <rharwood@redhat.com>2017-04-07 16:12:58 +0000
committerRobbie Harwood <rharwood@redhat.com>2017-04-07 16:13:00 +0000
commit82cabae196eae2e7937264e0357d287ddd301e4f (patch)
tree3edefd0613922a4d1aa52cd4bb459d6d8526b6d4
parent0dc40d929f05d1372bdb642edfee725e1cc40853 (diff)
Fix use of enterprise principals with forwarding
-rw-r--r--Add-the-client_name-kdcpreauth-callback.patch58
-rw-r--r--Use-the-canonical-client-principal-name-for-OTP.patch29
-rw-r--r--krb5.spec7
3 files changed, 93 insertions, 1 deletions
diff --git a/Add-the-client_name-kdcpreauth-callback.patch b/Add-the-client_name-kdcpreauth-callback.patch
new file mode 100644
index 0000000..96ae084
--- /dev/null
+++ b/Add-the-client_name-kdcpreauth-callback.patch
@@ -0,0 +1,58 @@
+From 5d560c28ff46b04013ab64dc51a7d912d38b01de Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Tue, 4 Apr 2017 16:54:56 -0400
+Subject: [PATCH] Add the client_name() kdcpreauth callback
+
+Add a kdcpreauth callback to returns the canonicalized client principal.
+
+ticket: 8570 (new)
+(cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
+---
+ src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
+ src/kdc/kdc_preauth.c | 9 ++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
+index 92aa5a5a5..fa4436b83 100644
+--- a/src/include/krb5/kdcpreauth_plugin.h
++++ b/src/include/krb5/kdcpreauth_plugin.h
+@@ -232,6 +232,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
+ krb5_kdcpreauth_rock rock,
+ krb5_principal princ);
+
++ /*
++ * Get an alias to the client DB entry principal (possibly canonicalized).
++ */
++ krb5_principal (*client_name)(krb5_context context,
++ krb5_kdcpreauth_rock rock);
++
+ /* End of version 4 kdcpreauth callbacks. */
+
+ } *krb5_kdcpreauth_callbacks;
+diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
+index 0ce79c667..81d0b8cff 100644
+--- a/src/kdc/kdc_preauth.c
++++ b/src/kdc/kdc_preauth.c
+@@ -591,6 +591,12 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
+ return match;
+ }
+
++static krb5_principal
++client_name(krb5_context context, krb5_kdcpreauth_rock rock)
++{
++ return rock->client->princ;
++}
++
+ static struct krb5_kdcpreauth_callbacks_st callbacks = {
+ 4,
+ max_time_skew,
+@@ -607,7 +613,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
+ add_auth_indicator,
+ get_cookie,
+ set_cookie,
+- match_client
++ match_client,
++ client_name
+ };
+
+ static krb5_error_code
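Review bot: The new `client_name` member is appended to `krb5_kdcpreauth_callbacks_st` inside the version-4 section (the `/* End of version 4 kdcpreauth callbacks. */` marker and the `4,` initializer in kdc_preauth.c are unchanged), so a module cannot use `cb->vers` to tell whether the callback exists, and a module built against these headers but loaded into a KDC with the unpatched 1.15.1 struct would read past the end of the callbacks struct when it calls `cb->client_name`. That is safe for this package because the only caller is the OTP patch shipped in the same commit, but a line in the header comment such as `/* Added to version 4 after the 1.15.1 release; only KDCs carrying this patch provide it. */` would warn anyone backporting one half. Separately, `client_name()` dereferences `rock->client` with no check; the neighbouring `match_client` presumably relies on the same invariant that a client DB entry has been looked up before any preauth module runs, so documenting it with `/* rock->client is set before preauth methods are invoked. */` would make the assumption visible. The struct initializer and match_client begin outside the lines shown in this hunk.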
diff --git a/Use-the-canonical-client-principal-name-for-OTP.patch b/Use-the-canonical-client-principal-name-for-OTP.patch
new file mode 100644
index 0000000..1cc6163
--- /dev/null
+++ b/Use-the-canonical-client-principal-name-for-OTP.patch
@@ -0,0 +1,29 @@
+From ca74a8a49f4a05c0b602c9dc473fd16fe71847fd Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Wed, 5 Apr 2017 16:48:55 -0400
+Subject: [PATCH] Use the canonical client principal name for OTP
+
+In the OTP module, when constructing the RADIUS request, use the
+canonicalized client principal (using the new client_name kdcpreauth
+callback) instead of the request client principal.
+
+ticket: 8571 (new)
+(cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
+---
+ src/plugins/preauth/otp/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
+index 2649e9a90..a1b681682 100644
+--- a/src/plugins/preauth/otp/main.c
++++ b/src/plugins/preauth/otp/main.c
+@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+
+ /* Send the request. */
+ otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
+- request->client, config, req, on_response, rs);
++ cb->client_name(context, rock), config, req, on_response,
++ rs);
+ cb->free_string(context, rock, config);
+
+ k5_free_pa_otp_req(context, req);
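Review bot: The RADIUS identity now comes from `cb->client_name(context, rock)` (the client DB entry principal) rather than `request->client`, which changes the User-Name the RADIUS server sees for aliased or enterprise-named clients, and the `/* Send the request. */` comment above the call should record that, e.g. `/* Send the request, naming the client by its canonical DB principal so aliases and enterprise names map to one RADIUS identity. */`. The call also uses `cb->client_name` without consulting `cb->vers`; that is fine here because the KDC patch in this same commit always provides it, but a short comment stating the dependency would help anyone rebasing only one of the two patches. otp_verify starts before this hunk.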
diff --git a/krb5.spec b/krb5.spec
index 79824bd..1b43117 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5
Version: 1.15.1
# for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 3%{?dist}
+Release: 4%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@@ -69,6 +69,8 @@ Patch18: Add-test-cert-generation-to-make-certs.sh.patch
Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
Patch20: Deindent-crypto_retrieve_X509_sans.patch
Patch21: Add-certauth-pluggable-interface.patch
+Patch22: Add-the-client_name-kdcpreauth-callback.patch
+Patch23: Use-the-canonical-client-principal-name-for-OTP.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
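Review bot: Patch22 and Patch23 are declared here, but nothing in the visible hunks applies them; if %prep uses explicit `%patchN -p1` lines rather than `%autosetup`, matching `%patch22 -p1` and `%patch23 -p1` lines are needed or the patches will be listed but never applied. The %prep section is outside the diff, so this may already be handled by an automatic macro.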
@@ -719,6 +721,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
+* Fri Apr 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-4
+- Fix use of enterprise principals with forwarding
+
* Wed Mar 22 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-3
- Backport certauth plugin and related pkinit changes