From krb5-bugs-incoming-bounces@PCH.MIT.EDU Tue Jul 17 15:00:15 2007 Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.12.9) with ESMTP id l6HJ0FHW022702; Tue, 17 Jul 2007 15:00:15 -0400 (EDT) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l6HJ09cN006344; Tue, 17 Jul 2007 15:00:09 -0400 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l6HGNunr004112 for ; Tue, 17 Jul 2007 12:23:56 -0400 Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id l6HGNp47012748 for ; Tue, 17 Jul 2007 12:23:51 -0400 (EDT) Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31]) by mit.edu (Spam Firewall) with ESMTP id 564293DAFF5 for ; Tue, 17 Jul 2007 12:23:48 -0400 (EDT) Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l6HGNlhb001828 for ; Tue, 17 Jul 2007 12:23:47 -0400 Received: from rapier.boston.redhat.com (rapier.boston.redhat.com [172.16.80.53]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l6HGNk03019623 for ; Tue, 17 Jul 2007 12:23:47 -0400 Received: from rapier.boston.redhat.com (localhost.localdomain [127.0.0.1]) by rapier.boston.redhat.com (8.14.1/8.14.0) with ESMTP id l6HGNkTY006275 for ; Tue, 17 Jul 2007 12:23:46 -0400 Received: (from nalin@localhost) by rapier.boston.redhat.com (8.14.1/8.14.1/Submit) id l6HGNkxS006274; Tue, 17 Jul 2007 12:23:46 -0400 Date: Tue, 17 Jul 2007 12:23:46 -0400 Message-Id: <200707171623.l6HGNkxS006274@rapier.boston.redhat.com> To: krb5-bugs@mit.edu Subject: patch to allow setting ok-as-delegate flag in database 
From: nalin@redhat.com X-send-pr-version: 3.99 X-Spam-Score: 0.55 X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 X-Mailman-Approved-At: Tue, 17 Jul 2007 15:00:08 -0400 X-BeenThere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Reply-To: nalin@redhat.com Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU >Submitter-Id: net >Originator: >Organization: >Confidential: no >Synopsis: patch for providing a way to set the ok-as-delegate flag >Severity: non-critical >Priority: low >Category: krb5-admin >Class: change-request >Release: 1.6.1 >Environment: System: Linux rapier.boston.redhat.com 2.6.21-1.3230.fc8 #1 SMP Wed Jun 20 15:59:23 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux Architecture: x86_64 >Description: Currently, the KDC doesn't issue credentials with the ok-as-delegate flag set, and the realm database doesn't have a means of indicating to the KDC that it should. >Fix: Here's a patch which allows me to set the flag with kadmin, store it as an attribute bit in the KDB database, and get credentials with the bit set from the KDC, which I think is all that's required here. There's no logic added to the client libraries to actually *do* anything with that bit, though, because that'd be more complicated. Index: doc/admin.texinfo =================================================================== --- doc/admin.texinfo (revision 19714) +++ doc/admin.texinfo (working copy) 
@@ -2758,6 +2758,13 @@ @samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears this flag. +@itemx @{-|+@}ok_as_delegate +@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use +with this principal as the service, which clients may use as a hint that +credentials can and should be delegated when authenticating to the service. +(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears +this flag. + @itemx @{-|+@}allow_svr @code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag. Index: src/include/kdb.h =================================================================== --- src/include/kdb.h (revision 19714) +++ src/include/kdb.h (working copy) @@ -79,6 +79,7 @@ #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 #define KRB5_KDB_NEW_PRINC 0x00008000 +#define KRB5_KDB_OK_AS_DELEGATE 0x00010000 /* Creation flags */ #define KRB5_KDB_CREATE_BTREE 0x00000001 Index: src/kdc/do_tgs_req.c =================================================================== --- src/kdc/do_tgs_req.c (revision 19714) +++ src/kdc/do_tgs_req.c (working copy) @@ -533,6 +533,10 @@ goto cleanup; } + if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) { + setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); + } + ticket_reply.enc_part2 = &enc_tkt_reply; /* Index: src/kdc/do_as_req.c =================================================================== --- src/kdc/do_as_req.c (revision 19714) +++ src/kdc/do_as_req.c (working copy) 
@@ -257,6 +257,10 @@ enc_tkt_reply.caddrs = request->addresses; enc_tkt_reply.authorization_data = 0; + if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) { + setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); + } + /* * Check the preauthentication if it is there. */ Index: src/kadmin/cli/kadmin.c =================================================================== --- src/kadmin/cli/kadmin.c (revision 19714) +++ src/kadmin/cli/kadmin.c (working copy) @@ -65,7 +65,8 @@ {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0}, {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1}, {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 } +{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, +{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 } }; static char *prflags[] = { @@ -85,6 +86,7 @@ "PWCHANGE_SERVICE", /* 0x00002000 */ "SUPPORT_DESMD5", /* 0x00004000 */ "NEW_PRINC", /* 0x00008000 */ + "OK_AS_DELEGATE", /* 0x00010000 */ }; char *getenv(); @@ -1101,6 +1103,7 @@ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n"); } 
@@ -1117,6 +1120,7 @@ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n" ); Index: src/kadmin/cli/kadmin.M =================================================================== --- src/kadmin/cli/kadmin.M (revision 19714) +++ src/kadmin/cli/kadmin.M (working copy) @@ -327,6 +327,16 @@ .B -requires_hwauth clears this flag. .TP +{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP +.B +ok_as_delegate +sets the OK-AS-DELEGATE flag on tickets issued for use with this principal +as the service, which clients may use as a hint that credentials can and +should be delegated when authenticating to the service. (Sets the +.SM KRB5_KDB_OK_AS_DELEGATE +flag.) +.B -ok_as_delegate +clears this flag. +.TP {\fB\-\fP|\fB+\fP}\fBallow_svr\fP .B -allow_svr prohibits the issuance of service tickets for this principal. (Sets the Index: src/lib/kadm5/str_conv.c =================================================================== --- src/lib/kadm5/str_conv.c (revision 19714) +++ src/lib/kadm5/str_conv.c (working copy) @@ -73,6 +73,7 @@ static const char flags_tickets_in[] = "allow-tickets"; static const char flags_preauth_in[] = "preauth"; static const char flags_hwauth_in[] = "hwauth"; +static const char flags_ok_as_delegate_in[] = "ok-as-delegate"; static const char flags_pwchange_in[] = "pwchange"; static const char flags_service_in[] = "service"; static const char flags_pwsvc_in[] = "pwservice"; 
@@ -86,6 +87,7 @@ static const char flags_tickets_out[] = "All Tickets Disallowed"; static const char flags_preauth_out[] = "Preauthorization required"; static const char flags_hwauth_out[] = "HW Authorization required"; +static const char flags_ok_as_delegate_out[] = "OK as Delegate"; static const char flags_pwchange_out[] = "Password Change required"; static const char flags_service_out[] = "Service Disabled"; static const char flags_pwsvc_out[] = "Password Changing Service"; @@ -109,6 +111,7 @@ { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out }, { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out }, { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out }, +{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out }, { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out}, { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out }, { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
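Review bot: in the doc/admin.texinfo hunk the unchanged context line directly above the new @itemx reads @samp{KRB5_KDB_REQURES_HW_AUTH}, a pre-existing typo for KRB5_KDB_REQUIRES_HW_AUTH (the str_conv.c hunk spells the constant correctly); since this hunk already touches the adjacent text, fixing it in the same change would be cheap. The new entry itself is consistent with the kadmin.M wording and with the trailing 0 in the kadmin.c flag-table entry, so "+ok_as_delegate" sets the bit and "-ok_as_delegate" clears it in both the docs and the code.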
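Review bot: in the src/include/kdb.h hunk, KRB5_KDB_OK_AS_DELEGATE 0x00010000 becomes a persistent value in every principal entry's attributes field (the description says the flag is stored as an attribute bit in the KDB), so once shipped it cannot be renumbered without a dump/load conversion; a comment beside the define stating that the bit is stored on disk would help, and before committing it is worth confirming that no other backend, dump format or kadm5 consumer already assigns meaning to bit 16, because an older kadmin or kdb5_util will simply treat it as an unknown bit.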
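Review bot: the src/kdc/do_tgs_req.c hunk keys the new TKT_FLG_OK_AS_DELEGATE purely on server.attributes with no special-casing of the service, so an administrator who sets +ok_as_delegate on a krbtgt/OTHER.REALM entry will also get cross-realm TGTs marked OK-AS-DELEGATE; that matches the cross-realm use RFC 4120 gives the flag, but it is a stronger statement than for an ordinary service principal and deserves a sentence in the admin.texinfo and kadmin.M text so the behaviour is not a surprise.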
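Review bot: the src/kdc/do_as_req.c hunk adds the same four-line isflagset/setflag block verbatim that the do_tgs_req.c hunk adds; a small shared helper (or one routine that maps the server entry's attributes onto enc_tkt_reply.flags for both paths) would keep the AS and TGS behaviour from drifting when the next attribute-derived ticket flag is added. Placement is fine: it sits with the other enc_tkt_reply assignments (caddrs, authorization_data) and a failed preauthentication check below it does not issue the ticket.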
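Review bot: in the src/kadmin/cli/kadmin.c prflags hunk the array is indexed by bit position, which the /* 0x... */ comments track, so the new "OK_AS_DELEGATE" string prints correctly only because 0x00010000 immediately follows NEW_PRINC at 0x00008000; if the constant in kdb.h is ever moved to a higher bit, placeholder entries would be needed here or get_principal output would label the wrong bit. A comment on the define in kdb.h pointing back at this table would make that coupling visible to the next person who adds a flag.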
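Review bot: in the src/lib/kadm5/str_conv.c table hunk the new row { KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out } is inserted between the REQUIRES_HW_AUTH and REQUIRES_PWCHANGE rows, and the matching _in/_out string declarations in the two earlier hunks are placed the same way; if that table is meant to follow bit order, a 0x00010000 entry belongs after PWCHANGE_SERVICE rather than between 0x100 and 0x200. The sense field of 1 is consistent with the preauth and hwauth rows, so "ok-as-delegate" will be parsed and printed with the same polarity as those flags.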