| commit | 34bf7ae1629eb29a87f45f6e9f4e0e42bc2a1fd2 | |
| author | Jeffrey Altman <jaltman@secure-endpoints.com> | |
| Mon, 16 Mar 2015 16:03:58 +0000 (16 11:03 -0500) | ||
| committer | Nicolas Williams <nico@cryptonector.com> | |
| Mon, 16 Mar 2015 16:03:58 +0000 (16 11:03 -0500) | ||
| tree | 5dc3623b1f7f89104f933c72fddd8d7336071fc2 | treesnapshot (tar.gz zip) |
| parent | 6043cc8c88a7faf20e16176bd9982356fa4b3d24 | commitdiff |
kadmind: don't send bogus keys to ext_keytab et al
The Heimdal kadmind sends bogus keys when the client has 'get'
but not 'get-keys' permission. For some kadmin commands this is
dangerous. For example, ext_keytab could happily write bogus
keys to a keytab when real keys are expected, causing eventual
breakage. Sending bogus keys is important for the kadmin get
command: so it can list the keysets that a principal has.
This patch implements a heuristic detection of kadmin get vs.
ext_keytab, add_enctype, del_enctype, and check commands. If the
client principal lacks 'get-keys' permission, then the server
will fail requests that appear to be from those kadmin commands,
but will continue to serve bogus keys to kadmin get commands.
Thanks to Nico Williams for the idea behind this implementation.
The Heimdal kadmind sends bogus keys when the client has 'get'
but not 'get-keys' permission. For some kadmin commands this is
dangerous. For example, ext_keytab could happily write bogus
keys to a keytab when real keys are expected, causing eventual
breakage. Sending bogus keys is important for the kadmin get
command: so it can list the keysets that a principal has.
This patch implements a heuristic detection of kadmin get vs.
ext_keytab, add_enctype, del_enctype, and check commands. If the
client principal lacks 'get-keys' permission, then the server
will fail requests that appear to be from those kadmin commands,
but will continue to serve bogus keys to kadmin get commands.
Thanks to Nico Williams for the idea behind this implementation.
| kadmin/server.c | diffblobblamehistory |