From krb5-bugs-incoming-bounces@PCH.MIT.EDU Tue Jul 17 15:00:15 2007
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.12.9) with ESMTP
id l6HJ0FHW022702; Tue, 17 Jul 2007 15:00:15 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l6HJ09cN006344;
Tue, 17 Jul 2007 15:00:09 -0400
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id l6HGNunr004112
for <krb5-bugs-incoming@PCH.mit.edu>; Tue, 17 Jul 2007 12:23:56 -0400
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223])
by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id
l6HGNp47012748
for <krb5-bugs@mit.edu>; Tue, 17 Jul 2007 12:23:51 -0400 (EDT)
Received: from mx1.redhat.com (mx1.redhat.com [66.187.233.31])
by mit.edu (Spam Firewall) with ESMTP id 564293DAFF5
for <krb5-bugs@mit.edu>; Tue, 17 Jul 2007 12:23:48 -0400 (EDT)
Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com
[172.16.52.254])
by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l6HGNlhb001828
for <krb5-bugs@mit.edu>; Tue, 17 Jul 2007 12:23:47 -0400
Received: from rapier.boston.redhat.com (rapier.boston.redhat.com
[172.16.80.53])
by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l6HGNk03019623
for <krb5-bugs@mit.edu>; Tue, 17 Jul 2007 12:23:47 -0400
Received: from rapier.boston.redhat.com (localhost.localdomain [127.0.0.1])
by rapier.boston.redhat.com (8.14.1/8.14.0) with ESMTP id
l6HGNkTY006275
for <krb5-bugs@mit.edu>; Tue, 17 Jul 2007 12:23:46 -0400
Received: (from nalin@localhost)
by rapier.boston.redhat.com (8.14.1/8.14.1/Submit) id l6HGNkxS006274;
Tue, 17 Jul 2007 12:23:46 -0400
Date: Tue, 17 Jul 2007 12:23:46 -0400
Message-Id: <200707171623.l6HGNkxS006274@rapier.boston.redhat.com>
To: krb5-bugs@mit.edu
Subject: patch to allow setting ok-as-delegate flag in database
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 17 Jul 2007 15:00:08 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: nalin@redhat.com
Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU
Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: patch for providing a way to set the ok-as-delegate flag
>Severity: non-critical
>Priority: low
>Category: krb5-admin
>Class: change-request
>Release: 1.6.1
>Environment:
System: Linux rapier.boston.redhat.com 2.6.21-1.3230.fc8 #1 SMP Wed Jun 20 15:59:23 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Currently, the KDC doesn't issue credentials with the ok-as-delegate
flag set, and the realm database doesn't have a means of indicating
to the KDC that it should.
>Fix:
Here's a patch which allows me to set the flag with kadmin, store it as
an attribute bit in the KDB database, and get credentials with the bit
set from the KDC, which I think is all that's required here. There's
no logic added to the client libraries to actually *do* anything with
that bit, though, because that'd be more complicated.
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo (revision 19714)
+++ doc/admin.texinfo (working copy)
@@ -2758,6 +2758,13 @@
@samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears
this flag.
+@itemx @{-|+@}ok_as_delegate
+@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
+this flag.
+
@itemx @{-|+@}allow_svr
@code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.
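Review bot: "credentials can and should be delegated" in the new @itemx entry overstates what the flag means. RFC 4120 section 5.3 defines OK-AS-DELEGATE as a statement of realm policy that the server named in the ticket is a suitable recipient of delegated credentials; whether to delegate remains the client's decision. Suggest: "which clients may take as a statement of realm policy that the service is a suitable recipient of delegated credentials." Since the patch adds no client-side handling of the bit (see the description above), say that here as well so administrators do not expect delegation behaviour to change. The neighbouring context line carries a pre-existing typo, @samp{KRB5_KDB_REQURES_HW_AUTH}, which should read KRB5_KDB_REQUIRES_HW_AUTH and could be fixed while this section is being touched.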
Index: src/include/kdb.h
===================================================================
--- src/include/kdb.h (revision 19714)
+++ src/include/kdb.h (working copy)
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
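Review bot: 0x00010000 is the next free attribute bit and is persisted in every principal entry, so the value has to be treated as fixed once it ships; a dump taken from a patched KDC will carry the bit into any unpatched KDC or kadmind that loads it, where the KDC ignores it and kadmin's prflags[] (which prints names by bit position) prints no name for it. Add a comment beside the define saying which ticket flag it maps to (TKT_FLG_OK_AS_DELEGATE), and note that a new attribute bit has to be added in three places that must stay in step: this header, prflags[] in kadmin.c, and the table in str_conv.c.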
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c (revision 19714)
+++ src/kdc/do_tgs_req.c (working copy)
@@ -533,6 +533,10 @@
goto cleanup;
}
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
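Review bot: the flag is only ever set here, never cleared. If enc_tkt_reply.flags can already contain TKT_FLG_OK_AS_DELEGATE at this point, for instance when it was copied from the header ticket for a renewal or validation request, a ticket issued while the attribute was on keeps the flag on every renewal after an administrator runs modprinc -ok_as_delegate. Suggest an else branch, `else enc_tkt_reply.flags &= ~TKT_FLG_OK_AS_DELEGATE;`, so the database is the only source of truth for the bit on each TGS reply.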
Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c (revision 19714)
+++ src/kdc/do_as_req.c (working copy) @@ -257,6 +257,10 @@ enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Check the preauthentication if it is there.
*/
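Review bot: these three lines duplicate the do_tgs_req.c hunk verbatim; both paths must agree on how database attributes turn into ticket flags, so put the mapping in one shared helper rather than two copies that can drift. Also worth a sentence in the admin documentation: in the AS path `server` is normally the realm's own krbtgt principal, so +ok_as_delegate on krbtgt/REALM marks every initial TGT as OK-AS-DELEGATE, which is probably not what an administrator who only meant to mark a host principal expects.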
Index: src/kadmin/cli/kadmin.c
===================================================================
--- src/kadmin/cli/kadmin.c (revision 19714)
+++ src/kadmin/cli/kadmin.c (working copy)
@@ -65,7 +65,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -85,6 +86,7 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE", /* 0x00010000 */
};
char *getenv();
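Review bot: prflags[] is indexed by bit position, so this entry prints correctly only because it sits at index 16, directly after NEW_PRINC (0x00008000). Check that the loop in get_principal which walks this array bounds itself with sizeof(prflags)/sizeof(prflags[0]) rather than a literal count; otherwise the attribute is stored but never displayed, and the only visible effect of +ok_as_delegate would be the ticket flag itself.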
@@ -1101,6 +1103,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
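Review bot: ok_as_delegate lands on a line by itself after the four-per-line groups; cosmetic only, but either append it to the requires_hwauth line or start a full new row, and keep the addprinc and modprinc usage strings identical (they are now, which is good).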
@@ -1117,6 +1120,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
Index: src/kadmin/cli/kadmin.M
===================================================================
--- src/kadmin/cli/kadmin.M (revision 19714)
+++ src/kadmin/cli/kadmin.M (working copy)
@@ -327,6 +327,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
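Review bot: same overstatement as in admin.texinfo ("can and should be delegated"); align the wording with RFC 4120 section 5.3, under which OK-AS-DELEGATE is a realm-policy statement that the server is a suitable delegation target, and add that no client in this tree acts on the bit yet. The .TP block itself follows the neighbouring entries' macro usage (.B for the +/- forms, .SM for the constant) correctly.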
Index: src/lib/kadm5/str_conv.c
===================================================================
--- src/lib/kadm5/str_conv.c (revision 19714)
+++ src/lib/kadm5/str_conv.c (working copy)
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
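Review bot: the string form here is "ok-as-delegate" (hyphens, matching "allow-tickets" and the other names in this file) while kadmin accepts "ok_as_delegate" (underscores). That follows the existing convention for every flag, but since this one is new, state in the documentation which spelling applies where, or administrators will try one where the other is expected.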
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
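The description and fix above explain the mechanism in two steps: kadmin stores OK_AS_DELEGATE as an attribute bit on the service principal, and the KDC copies that bit into TKT_FLG_OK_AS_DELEGATE on every ticket it issues for that server. The C program below is an added example, not code from the patch or from MIT krb5: it models that mapping together with the two places an administrator would see the result (the Attributes: line of kadmin's getprinc and the flag letters of klist -f), so the behaviour can be checked without a KDC. It assumes the TKT_FLG_* values from krb5.h and the KDB attribute values other than 0x00010000, none of which the page shows, and it deliberately clears the ticket flag when the attribute is absent, which the posted patch does not do.

```c
/*
 * Added example, not part of the patch above or of MIT krb5: a stand-alone
 * model of the attribute-to-ticket-flag mapping the patch introduces.
 *
 * Assumptions: the KRB5_KDB_* values are the attribute bits from kdb.h (the
 * OK_AS_DELEGATE value is the one the patch adds; the others are not shown on
 * the page); the TKT_FLG_* values are the ticket-flag bits from krb5.h; the
 * one-letter codes follow the convention of "klist -f", where 'O' stands for
 * OK-AS-DELEGATE.  isflagset()/setflag() imitate the KDC's macros.
 */
#include <stdio.h>
#include <string.h>

/* Principal attribute bits stored in the KDB (kdb.h). */
#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
#define KRB5_KDB_DISALLOW_SVR      0x00001000
#define KRB5_KDB_NEW_PRINC         0x00008000
#define KRB5_KDB_OK_AS_DELEGATE    0x00010000   /* added by the patch */

/* Ticket flag bits (krb5.h), only those this example needs. */
#define TKT_FLG_FORWARDABLE    0x40000000
#define TKT_FLG_RENEWABLE      0x00800000
#define TKT_FLG_INITIAL        0x00400000
#define TKT_FLG_PRE_AUTH       0x00200000
#define TKT_FLG_OK_AS_DELEGATE 0x00040000

#define isflagset(field, bit) (((field) & (bit)) != 0)
#define setflag(field, bit)   ((field) |= (bit))
#define clearflag(field, bit) ((field) &= ~(bit))

/*
 * What the do_as_req.c / do_tgs_req.c hunks do, with one difference: the
 * patch only sets the flag, this version also clears it when the attribute
 * is absent, so a flag inherited from an older ticket (e.g. on renewal) does
 * not outlive an administrator's "modprinc -ok_as_delegate".
 */
unsigned long apply_ok_as_delegate(unsigned long server_attrs,
                                   unsigned long tkt_flags)
{
    if (isflagset(server_attrs, KRB5_KDB_OK_AS_DELEGATE))
        setflag(tkt_flags, TKT_FLG_OK_AS_DELEGATE);
    else
        clearflag(tkt_flags, TKT_FLG_OK_AS_DELEGATE);
    return tkt_flags;
}

/* Name table in bit order, like prflags[] in the kadmin.c hunk. */
static const struct { unsigned long bit; const char *name; } kdb_attr_names[] = {
    { KRB5_KDB_REQUIRES_PRE_AUTH, "REQUIRES_PRE_AUTH" },
    { KRB5_KDB_DISALLOW_SVR,      "DISALLOW_SVR" },
    { KRB5_KDB_NEW_PRINC,         "NEW_PRINC" },
    { KRB5_KDB_OK_AS_DELEGATE,    "OK_AS_DELEGATE" },
};

/*
 * Render an attribute mask the way "getprinc" prints its Attributes: line.
 * Returns the number of names written, or -1 if buf was too small.
 */
int format_kdb_attrs(unsigned long attrs, char *buf, size_t buflen)
{
    size_t i, used = 0;
    int n = 0;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < sizeof(kdb_attr_names) / sizeof(kdb_attr_names[0]); i++) {
        int w;
        if (!isflagset(attrs, kdb_attr_names[i].bit))
            continue;
        w = snprintf(buf + used, buflen - used, "%s%s",
                     n ? " " : "", kdb_attr_names[i].name);
        if (w < 0 || (size_t)w >= buflen - used)
            return -1;
        used += (size_t)w;
        n++;
    }
    return n;
}

/* klist -f style letters for the ticket flags this example knows about. */
void ticket_flag_letters(unsigned long tkt_flags, char out[8])
{
    size_t n = 0;
    if (isflagset(tkt_flags, TKT_FLG_FORWARDABLE))    out[n++] = 'F';
    if (isflagset(tkt_flags, TKT_FLG_RENEWABLE))      out[n++] = 'R';
    if (isflagset(tkt_flags, TKT_FLG_INITIAL))        out[n++] = 'I';
    if (isflagset(tkt_flags, TKT_FLG_PRE_AUTH))       out[n++] = 'A';
    if (isflagset(tkt_flags, TKT_FLG_OK_AS_DELEGATE)) out[n++] = 'O';
    out[n] = '\0';
}

int main(void)
{
    /* Constructed sample principals: a host service with +ok_as_delegate
     * and one without.  Base flags are what a typical TGS reply carries. */
    unsigned long host_attrs  = KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_OK_AS_DELEGATE;
    unsigned long other_attrs = KRB5_KDB_REQUIRES_PRE_AUTH;
    unsigned long base = TKT_FLG_FORWARDABLE | TKT_FLG_RENEWABLE | TKT_FLG_PRE_AUTH;
    char attrs[128], letters[8];

    format_kdb_attrs(host_attrs, attrs, sizeof attrs);
    printf("Attributes: %s\n", attrs);

    ticket_flag_letters(apply_ok_as_delegate(host_attrs, base), letters);
    printf("ticket for +ok_as_delegate service: %s\n", letters);

    /* Renewal of a ticket that already carried 'O' after the attribute was
     * removed: the patch as posted would keep the flag, this model drops it. */
    ticket_flag_letters(apply_ok_as_delegate(other_attrs, base | TKT_FLG_OK_AS_DELEGATE),
                        letters);
    printf("renewal after -ok_as_delegate:      %s\n", letters);
    return 0;
}
```

Build with `cc -o okdelegate okdelegate.c` and run it. Against a real realm running the patched KDC, the equivalent check is `kadmin.local -q 'modprinc +ok_as_delegate host/x'`, then `kvno host/x` and `klist -f`, looking for an O in the flags column of the host/x entry.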