From 4b690a692a19460876199f278131bbd8dcc5b3e5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 25 Nov 2011 17:21:04 -0600
Subject: [PATCH] Rename and fix as/tgs-use-strongest-key config parameters

Different ticket session key enctype selection options should distinguish between target principal type (krbtgt vs. not), not between KDC request types.
---
 kdc/default_config.c | 16 ++++++++--------
 kdc/kdc.h | 4 ++--
 kdc/kerberos5.c | 5 ++++-
 kdc/krb5tgs.c | 4 +++-
 lib/krb5/krb5.conf.5 | 27 ++++++++++++++++-----------
 5 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/kdc/default_config.c b/kdc/default_config.c
index 6fbf5fdae..9a33a7f27 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -51,9 +51,9 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->require_preauth = TRUE;
 c->kdc_warn_pwexpire = 0;
 c->encode_as_rep_as_tgs_rep = FALSE;
- c->as_use_strongest_session_key = FALSE;
+ c->tgt_use_strongest_session_key = FALSE;
 c->preauth_use_strongest_session_key = FALSE;
- c->tgs_use_strongest_session_key = FALSE;
+ c->svc_use_strongest_session_key = FALSE;
 c->use_strongest_server_key = TRUE;
 c->check_ticket_addresses = TRUE;
 c->allow_null_ticket_addresses = TRUE;
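Review bot: The compiled-in defaults for `tgt_use_strongest_session_key` and `svc_use_strongest_session_key` (and the context line `preauth_use_strongest_session_key`) are FALSE here, while the krb5.conf.5 hunk in this same commit documents all three as "Defaults to TRUE"; because the next hunk seeds `krb5_config_get_bool_default()` with these values, FALSE is what an operator gets without an explicit setting, so the documentation promises a stronger session key than the KDC actually picks. One side has to change: if FALSE is deliberate for interoperability with older KDCs in the realm (the comment kept in the kerberos5.c hunk points that way), the three man page entries should read "Defaults to FALSE"; if strongest-key selection is the intended default, the initialisers should become `c->tgt_use_strongest_session_key = TRUE;`, `c->svc_use_strongest_session_key = TRUE;` and likewise for preauth. The man page hunk also adds an `enable-kaserver` entry that the commit message does not mention. krb5_kdc_get_config's body continues outside the hunk.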
@@ -120,21 +120,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 }
 #endif
- c->as_use_strongest_session_key =
+ c->tgt_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
- c->as_use_strongest_session_key,
+ c->tgt_use_strongest_session_key,
 "kdc",
- "as-use-strongest-session-key", NULL);
+ "tgt-use-strongest-session-key", NULL);
 c->preauth_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
 c->preauth_use_strongest_session_key,
 "kdc",
 "preauth-use-strongest-session-key", NULL);
- c->tgs_use_strongest_session_key =
+ c->svc_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
- c->tgs_use_strongest_session_key,
+ c->svc_use_strongest_session_key,
 "kdc",
- "tgs-use-strongest-session-key", NULL);
+ "svc-use-strongest-session-key", NULL);
 c->use_strongest_server_key =
 krb5_config_get_bool_default(context, NULL,
 c->use_strongest_server_key,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 9d52fd4c2..ab643ec20 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -59,9 +59,9 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
- krb5_boolean as_use_strongest_session_key;
+ krb5_boolean tgt_use_strongest_session_key;
 krb5_boolean preauth_use_strongest_session_key;
- krb5_boolean tgs_use_strongest_session_key;
+ krb5_boolean svc_use_strongest_session_key;
 krb5_boolean use_strongest_server_key;
 krb5_boolean check_ticket_addresses;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index c13abb7ce..db226bfa7 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
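Review bot: Existing krb5.conf files that set `as-use-strongest-session-key` or `tgs-use-strongest-session-key` are silently ignored once these lookups read only the new names, so a site that had opted into strongest-key selection falls back to the compiled-in default after upgrading, with no diagnostic. The old names do not map exactly onto the new ones (the commit message says the split is now by target principal type rather than request type), so the safest option is to keep the old name as a fallback seed for the closest new option and mention the rename in the man page; logging a warning when an old name is present would also work. A sketch for the tgt option follows, with the svc option handled the same way seeded from `tgs-use-strongest-session-key`. krb5_kdc_get_config starts and ends outside the hunk.
```c
    /* Honour the pre-rename option name as a fallback default. */
    c->tgt_use_strongest_session_key =
	krb5_config_get_bool_default(context, NULL,
				     c->tgt_use_strongest_session_key,
				     "kdc",
				     "as-use-strongest-session-key", NULL);
    c->tgt_use_strongest_session_key =
	krb5_config_get_bool_default(context, NULL,
				     c->tgt_use_strongest_session_key,
				     "kdc",
				     "tgt-use-strongest-session-key", NULL);
    /* … unchanged: preauth-use-strongest-session-key lookup … */
    /* … same two-step fallback for svc, seeded from "tgs-use-strongest-session-key" … */
```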
@@ -1094,7 +1094,10 @@ _kdc_as_rep(krb5_context context,
 * enctype that an older version of a KDC in the same realm can't
 * decrypt.
 */
- ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
+ ret = _kdc_find_etype(context,
+ krb5_principal_is_krbtgt(context, r->server_princ) ?
+ config->tgt_use_strongest_session_key :
+ config->svc_use_strongest_session_key, FALSE,
 client, b->etype.val, b->etype.len, &sessionetype, NULL);
 if (ret) {
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 5bf68cdfd..87e33930b 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -1699,7 +1699,9 @@ server_lookup:
 Key *skey;
 ret = _kdc_find_etype(context,
- config->tgs_use_strongest_session_key, FALSE,
+ krb5_principal_is_krbtgt(context, sp) ?
+ config->tgt_use_strongest_session_key :
+ config->svc_use_strongest_session_key, FALSE,
 server, b->etype.val, b->etype.len, NULL, &skey);
 if(ret) {
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index db16e7d5c..77d7f808a 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
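Review bot: The krbtgt-vs-service selection expression added to the `_kdc_find_etype()` call here is repeated verbatim in the krb5tgs.c hunk below with only the principal variable changed, so any later refinement of the policy has to be made in two places and the two sites can drift. A small helper beside the struct in kdc.h (or a KDC-private header) keeps the rule in one spot and lets both call sites pass a single argument; the kerberos5.c call would become the version below, and the krb5tgs.c one the same with `sp`. Whether `r->server_princ` is guaranteed non-NULL by the time this line runs is not visible in the hunk and is worth confirming, since `krb5_principal_is_krbtgt()` is now evaluated unconditionally on it. _kdc_as_rep and the TGS code after `server_lookup:` both continue outside their hunks.
```c
/* kdc.h: single home for the krbtgt-vs-service session-key policy. */
static inline krb5_boolean
_kdc_use_strongest_session_key(krb5_context context,
			       const krb5_kdc_configuration *config,
			       krb5_const_principal princ)
{
    return krb5_principal_is_krbtgt(context, princ) ?
	config->tgt_use_strongest_session_key :
	config->svc_use_strongest_session_key;
}

/* kerberos5.c, _kdc_as_rep: … unchanged comment above the call … */
    ret = _kdc_find_etype(context,
			  _kdc_use_strongest_session_key(context, config,
							 r->server_princ),
			  FALSE, client, b->etype.val, b->etype.len,
			  &sessionetype, NULL);
```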
@@ -410,19 +410,24 @@ Default is the same as
 .Va enable-kerberos4 .
 .It Li enable-http = Va BOOL
 Should the kdc answer kdc-requests over http.
-.It Li as-use-strongest-session-key = Va BOOL
+.It Li enable-kaserver = Va BOOL
+If this kdc should emulate the AFS kaserver.
+.It Li tgt-use-strongest-session-key = Va BOOL
 If this is TRUE then the KDC will prefer the strongest key from the
-client's AS-REQ enctype list, that is also supported by the KDC and the
-target principal, for the ticket session key. Else it will prefer the
-first key from the client's AS-REQ enctype list that is also supported
-by the KDC and the target principal. Defaults to TRUE.
+client's AS-REQ or TGS-REQ enctype list for the ticket session key that
+is supported by the KDC and the target principal when the target
+principal is a krbtgt principal. Else it will prefer the first key from
+the client's AS-REQ enctype list that is also supported by the KDC and
+the target principal. Defaults to TRUE.
+.It Li svc-use-strongest-session-key = Va BOOL
+Like tgt-use-strongest-session-key, but applies to the session key
+enctype of tickets for services other than krbtgt principals. Defaults
+to TRUE.
 .It Li preauth-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
-pre-authentication). Defaults to TRUE.
-.It Li tgs-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype of tickets issued by the TGS. Defaults to TRUE.
+If TRUE then select the strongest possible enctype from the client's
+AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
+Else pick the first supported enctype from the client's AS-REQ. Defaults
+to TRUE.
 .It Li use-strongest-server-key = Va BOOL
 If TRUE then the KDC picks, for the ticket encrypted part's key, the
 first supported enctype from the target service principal's hdb entry's
-- 
2.11.4.GIT