From krb5-bugs-incoming-bounces@mit.edu Mon Jul 19 21:22:31 2004
From: "Moore, Patrick"
To: "'krb5-bugs@mit.edu'"
Date: Thu, 15 Jul 2004 17:26:55 -0600
Subject: KRB5_KDB_DISALLOW_SVR flag prevents User2User authentication

>Submitter-Id: net
>Originator: Pat Moore, pcmoore@sandia.gov
>Organization: Sandia National Laboratories
>Confidential: no
>Synopsis:
KRB5_KDB_DISALLOW_SVR flag unnecessarily prevents User2User authentication
>Severity: non-critical
>Priority: low
>Category: krb5-kdc
>Class: change-request
>Release: krb5-1.3.4
>Environment: N/A
>Description:
Reviving an old issue . . .

With MIT KDC, there is no way to allow user2user authentication unless you also allow conventional service tickets for that user, which some sites consider an unacceptable security risk. A couple of years back, Nico Williams suggested (to the kerbdev list) a potential fix via a simple patch to kdc/kdc_util.c. My fix below is essentially Nico's suggestion.

Note: I know that DCE KDCs allow user2user without allowing conventional service tickets (they use a special flag). I understand that Msoft can allow user2user without allowing conventional service tickets.

>How-To-Repeat:
If you set "+allow svr" and "+allow dup skey", then you can get a user2user ticket for that principal, but unfortunately you can also get a conventional ticket. If you set "-allow svr" and "allow dup skey", you cannot get a user2user ticket for that principal.

>Fix:
Seems sensible that if a principal was set "-allow svr" AND "+allow dup skey" that user2user tickets should work, and conventional service tickets should not work. The patch below would provide that functionality.

*** kdc_util.orig.c Thu Jul 15 13:42:01 2004 --- kdc_util.new.c Thu Jul 15 13:44:51 2004 *************** *** 1271,1277 **** } /* Server must be allowed to be a service */ ! if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) { *status = "SERVER NOT ALLOWED"; return(KDC_ERR_S_PRINCIPAL_UNKNOWN); } --- 1271,1278 ---- } /* Server must be allowed to be a service */ ! if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) && ! !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { *status = "SERVER NOT ALLOWED"; return(KDC_ERR_S_PRINCIPAL_UNKNOWN); }
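Review bot: the new condition in the two `!` lines exempts a DISALLOW_SVR principal purely on the KDC_OPT_ENC_TKT_IN_SKEY option bit of the request; nothing in this hunk ties the exemption to the "+allow dup skey" half of the intended policy or to the additional ticket actually being present, so refusing user2user tickets for a "-allow dup skey" principal still rests on whatever dup-skey check exists elsewhere in kdc_util.c. Please add a one-line comment above the condition stating that dependency, and update the preceding comment, which still reads "/* Server must be allowed to be a service */" with no mention of the user-to-user exception.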
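To make the interaction of the two flags in the Description and How-To-Repeat concrete, here is an added stand-alone C model of the TGS server-policy decision before and after the proposed change; it is not krb5 code, and the flag bit values, the dup-skey status text and the server_policy() helper are assumptions made for this example.

```c
/* Constructed model of the TGS "server must be allowed to be a service"
 * check discussed in this report; it is not krb5 source. The flag values
 * below are assumed for a stand-alone build and stand in for the KDB
 * attribute bits and the KDC request option bit. */
#include <stdint.h>
#include <stdio.h>

#define KRB5_KDB_DISALLOW_DUP_SKEY  0x00000020u   /* "-allow dup skey" (assumed value) */
#define KRB5_KDB_DISALLOW_SVR       0x00001000u   /* "-allow svr"      (assumed value) */
#define KDC_OPT_ENC_TKT_IN_SKEY     0x00000008u   /* user-to-user TGS request (assumed) */
#define KDC_ERR_S_PRINCIPAL_UNKNOWN 7
#define isflagset(flags, bit) (((flags) & (bit)) != 0)

/* Policy decision for a TGS request against a server principal.
 * patched == 0 models the original check: DISALLOW_SVR refuses everything.
 * patched != 0 models the report's change: DISALLOW_SVR is bypassed when the
 * client asked for the ticket to be encrypted in a session key (user2user).
 * The dup-skey check is modelled separately; it is what still refuses
 * user2user tickets for a "-allow dup skey" principal after the change. */
int server_policy(int patched, uint32_t attributes, uint32_t kdc_options,
                  const char **status)
{
    int u2u = isflagset(kdc_options, KDC_OPT_ENC_TKT_IN_SKEY);

    if (isflagset(attributes, KRB5_KDB_DISALLOW_SVR) && !(patched && u2u)) {
        *status = "SERVER NOT ALLOWED";
        return KDC_ERR_S_PRINCIPAL_UNKNOWN;
    }
    if (u2u && isflagset(attributes, KRB5_KDB_DISALLOW_DUP_SKEY)) {
        *status = "DUP SKEY NOT ALLOWED";      /* constructed status text */
        return KDC_ERR_S_PRINCIPAL_UNKNOWN;
    }
    *status = "OK";
    return 0;
}

/* Walk the report's matrix: principal attribute settings (rows) against
 * conventional vs. user2user requests, before and after the change. */
int main(void)
{
    const uint32_t rows[] = { 0, KRB5_KDB_DISALLOW_SVR,
                              KRB5_KDB_DISALLOW_SVR | KRB5_KDB_DISALLOW_DUP_SKEY };
    const char *names[] = { "+svr +dup", "-svr +dup", "-svr -dup" };
    for (int r = 0; r < 3; r++)
        for (int patched = 0; patched < 2; patched++)
            for (uint32_t opt = 0; opt <= KDC_OPT_ENC_TKT_IN_SKEY; opt += KDC_OPT_ENC_TKT_IN_SKEY) {
                const char *status;
                int rc = server_policy(patched, rows[r], opt, &status);
                printf("%-9s %s %-12s -> %d (%s)\n", names[r], patched ? "after " : "before",
                       opt ? "user2user" : "conventional", rc, status);
            }
    return 0;
}
```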