 

Subject: KDC rejects unknown flags
The MIT KDC (as of 1.2.6) rejects AS_REQs with unknown flags. The
specific code is in kdc/kdc_util.c:validate_as_request():


    #define AS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | \
                                KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \
                                KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK)

    [...]
        /*
         * If an illegal option is set, complain.
         */
        if (request->kdc_options & ~(AS_OPTIONS_HANDLED)) {
            *status = "INVALID AS OPTIONS";
            return KDC_ERR_BADOPTION;
        }

Probably the right solution is to remove these fragments.

To: rt@krbdev.mit.edu
RT-Send-CC: lha@stacken.kth.se
Subject: [krbdev.mit.edu #1202] KDC also rejects some valid flags
Date: Thu, 12 Dec 2002 17:22:24 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


Love points out that our KDC also rejects the disabled transited check
option which it does understand.


Fixing this bug should fix that issue as well. I have marked for
inclusion in 1.3.

[hartmans - Thu Dec 12 17:22:45 2002]:

> Love points out that our KDC also rejects the disabled transited check
> option which it does understand.

Yes, that's part of the protection against exploitation of the old
chk_trans.c bug. We shouldn't make the KDC obey this flag
unconditionally without warning admins that they'll need to upgrade
servers that are too old. (Not obeying but not rejecting would probably
be okay.)

To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #1202] KDC rejects unknown flags
From: Sam Hartman <hartmans@mit.edu>
Date: Mon, 16 Dec 2002 14:42:38 -0500
RT-Send-Cc:
>>>>> "Ken" == Ken Raeburn via RT <rt-comment@krbdev.mit.edu> writes:

Ken> [hartmans - Thu Dec 12 17:22:45 2002]:
>> Love points out that our KDC also rejects the disabled
>> transited check option which it does understand.

Ken> Yes, that's part of the protection against exploitation of
Ken> the old chk_trans.c bug. We shouldn't make the KDC obey this
Ken> flag unconditionally without warning admins that they'll need
Ken> to upgrade servers that are too old. (Not obeying but not
Ken> rejecting would probably be okay.)

I think that doing so for 1.3 would be fine, particularly if we get
our act together and document it and publish the CERT advisory.

From: hartmans@mit.edu
Subject: CVS Commit
Provide an explicit list of options not to be allowed in AS requests
rather than disallowing all unknown options.


To generate a diff of this commit:



cvs diff -r5.259 -r5.260 krb5/src/kdc/ChangeLog
cvs diff -r5.108 -r5.109 krb5/src/kdc/kdc_util.c

From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r5.251.2.6 -r5.251.2.7 krb5/src/kdc/ChangeLog
cvs diff -r5.106.2.2 -r5.106.2.3 krb5/src/kdc/kdc_util.c
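
The two validation strategies discussed in this ticket, side by side, as an added example (not the MIT krb5 source and not part of any message above): the allow-list mask quoted in the report versus an explicit deny-list as described in the commit message. The flag values are those assigned in RFC 4120; the deny-list contents, the helper names and the 0x00000100 "unknown" bit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* KDCOptions bits as assigned in RFC 4120. */
#define KDC_OPT_FORWARDABLE             0x40000000u
#define KDC_OPT_FORWARDED               0x20000000u
#define KDC_OPT_PROXIABLE               0x10000000u
#define KDC_OPT_PROXY                   0x08000000u
#define KDC_OPT_ALLOW_POSTDATE          0x04000000u
#define KDC_OPT_POSTDATED               0x02000000u
#define KDC_OPT_RENEWABLE               0x00800000u
#define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020u
#define KDC_OPT_RENEWABLE_OK            0x00000010u
#define KDC_OPT_ENC_TKT_IN_SKEY         0x00000008u
#define KDC_OPT_RENEW                   0x00000002u
#define KDC_OPT_VALIDATE                0x00000001u
#define OPT_UNASSIGNED_EXAMPLE          0x00000100u /* constructed: stands in for an unknown flag */
#define KDC_ERR_BADOPTION               13          /* RFC 4120 error code */

/* Allow-list quoted in the ticket: any bit outside it is rejected. */
#define AS_OPTIONS_HANDLED (KDC_OPT_FORWARDABLE | KDC_OPT_PROXIABLE | \
                            KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \
                            KDC_OPT_RENEWABLE | KDC_OPT_RENEWABLE_OK)
/* Assumed deny-list (TGS-only options); illustrative, not taken from the commit. */
#define AS_OPTIONS_DENIED (KDC_OPT_FORWARDED | KDC_OPT_PROXY | \
                           KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_RENEW | KDC_OPT_VALIDATE)

/* Old behaviour: reject everything not explicitly handled. */
int check_allowlist(uint32_t o) { return (o & ~AS_OPTIONS_HANDLED) ? KDC_ERR_BADOPTION : 0; }
/* New behaviour: reject only options explicitly listed as not allowed. */
int check_denylist(uint32_t o) { return (o & AS_OPTIONS_DENIED) ? KDC_ERR_BADOPTION : 0; }
/* "Not obeying but not rejecting": accepted bits the KDC does not act on are dropped. */
uint32_t effective_options(uint32_t o) { return o & AS_OPTIONS_HANDLED; }

int main(void) {
    const struct { const char *name; uint32_t opts; } cases[] = {
        { "forwardable|renewable",   KDC_OPT_FORWARDABLE | KDC_OPT_RENEWABLE },
        { "forwardable|unknown bit", KDC_OPT_FORWARDABLE | OPT_UNASSIGNED_EXAMPLE },
        { "disable-transited-check", KDC_OPT_DISABLE_TRANSITED_CHECK },
        { "renew (TGS-only)",        KDC_OPT_RENEW },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s allow-list=%2d deny-list=%2d effective=0x%08x\n", cases[i].name,
               check_allowlist(cases[i].opts), check_denylist(cases[i].opts),
               (unsigned)effective_options(cases[i].opts));
    return 0;
}
```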