Date: Wed, 25 Sep 2013 13:05:30 +0200
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: Wrong order in kdc_check_transited_list()
Hi,

I think there is an issue in kdc_check_transited_list(). Currently the
capaths from krb5.conf are checked first and then a method from a KDB
plugin is called, if defined.

If the request comes from a realm which is not in the same DNS hierarchy
and krb5.conf does not contain any capaths I would expect that the
method from the KDB plugin will be called. But currently it is skipped
because krb5_check_transited_list() will return an error. If no
capaths are available a tree derived from the DNS hierarchy
(rtree_hier_tree) will be used and this will always fail if the request
is not coming from the same hierarchy.

As a result the method from the KDB plugin will never be called and
defining capaths in krb5.conf is always necessary and cannot be replaced
by a KDB plugin.

bye,
Sumit
I have a patch in review for this and expect to push it later today.

This will be a semantic change to check_transited_realms; a module will
have to return KRB5_PLUGIN_NO_HANDLE to invoke the core transited-
checking rules instead of just returning 0. I think that's okay since
the KDB interface is still private and the check_transited_realms method
is still pretty obscure within that interface.
Date: Wed, 25 Sep 2013 17:17:57 +0200
From: Sumit Bose <sbose@redhat.com>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #7709] Wrong order in kdc_check_transited_list()
RT-Send-Cc:
On Wed, Sep 25, 2013 at 10:45:22AM -0400, Greg Hudson via RT wrote:
> I have a patch in review for this and expect to push it later today.
>
> This will be a semantic change to check_transited_realms; a module will
> have to return KRB5_PLUGIN_NO_HANDLE to invoke the core transited-
> checking rules instead of just returning 0. I think that's okay since
> the KDB interface is still private and the check_transited_realms method
> is still pretty obscure within that interface.
>

I wonder if this can be improved by checking if the two realms are in
the same hierarchy first and calling the core functionality for this
first. If they are not in a hierarchy the module will be called and if
KRB5_PLUGIN_NO_HANDLE is returned the capaths based transited checking
will be called.

This would have the advantage that the module only has to handle the
non-hierarchical case and the [capaths] section only has to define the
non-hierarchical cases, because, if I see it correctly, if [capaths] are
defined in krb5.conf the hierarchical relationships must be defined in
the [capaths] as well.

bye,
Sumit
It's intentional that [capaths] can override the assumption of
hierarchical relationships. We would not want to change that.
Date: Wed, 25 Sep 2013 18:05:13 +0200
From: Sumit Bose <sbose@redhat.com>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #7709] Wrong order in kdc_check_transited_list()
RT-Send-Cc:
On Wed, Sep 25, 2013 at 11:57:58AM -0400, Greg Hudson via RT wrote:
> It's intentional that [capaths] can override the assumption of
> hierarchical relationships. We would not want to change that.

Thank you for the clarification.

bye,
Sumit
From: ghudson@mit.edu
Subject: git commit

Support authoritative KDB check_transited methods

In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.

https://github.com/krb5/krb5/commit/0406cd81ef9d18cd505fffabba3ac78901dc797d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0406cd81ef9d18cd505fffabba3ac78901dc797d
Branch: master
src/include/kdb.h | 5 +++--
src/kdc/kdc_util.c | 14 ++++++--------
2 files changed, 9 insertions(+), 10 deletions(-)
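As an added illustration, not code from this thread or from MIT krb5, the C program below models the two dispatch orders discussed above: the order Sumit reports (core [capaths]/hierarchy rules first, module afterwards) and the order the commit message describes (module first, authoritative on success, KRB5_PLUGIN_NO_HANDLE falling back to the core mechanisms). Everything in it is a simplified construction for the model: the hierarchy rule, the per-pair [capaths] handling, the realm names, the numeric status values (only the KRB5_PLUGIN_NO_HANDLE name comes from the thread), the mock module with its federation list, and the assumption that under the old order a module which passes control back leaves the core verdict standing. A module_calls counter makes the reported symptom visible: with the old order the module is never consulted once the core rules reject a path between realms in different hierarchies.

```c
#include <stdio.h>
#include <string.h>

/* Model status codes; the KRB5_PLUGIN_NO_HANDLE name is from the thread, the values are constructed. */
#define OK 0
#define KRB5_PLUGIN_NO_HANDLE 1
#define TRANSITED_REJECTED 2

/* Longest dotted suffix of realm that is also a dotted suffix of other
 * (their common ancestor realm), or NULL when the realms share none. */
static const char *common_ancestor(const char *realm, const char *other)
{
    size_t olen = strlen(other);
    const char *p = realm;
    for (;;) {
        size_t plen = strlen(p);
        if (plen <= olen && strcmp(other + olen - plen, p) == 0 &&
            (plen == olen || other[olen - plen - 1] == '.'))
            return p;
        if ((p = strchr(p, '.')) == NULL)
            return NULL;
        p++;
    }
}

/* True when anc is realm itself or one of its ancestors. */
#define IS_ANCESTOR(anc, realm) (common_ancestor((anc), (realm)) == (anc))

/* Model of the hierarchy rule (rtree_hier_tree): each intermediate realm must lie on the
 * walk client -> common ancestor -> server; realms in different hierarchies share none. */
static int hier_check(const char *trans, const char *client, const char *server)
{
    const char *anc = common_ancestor(client, server);
    char buf[256], *r;
    snprintf(buf, sizeof buf, "%s", trans);
    for (r = strtok(buf, ","); r != NULL; r = strtok(NULL, ","))
        if (anc == NULL || !IS_ANCESTOR(anc, r) ||
            !(IS_ANCESTOR(r, client) || IS_ANCESTOR(r, server)))
            return TRANSITED_REJECTED;
    return OK;
}

/* Core mechanisms: a [capaths] entry for the pair, when present, is the only
 * accepted path (it overrides the hierarchy assumption); else the hierarchy. */
static int core_check(const char *trans, const char *client, const char *server, const char *capath)
{
    if (capath != NULL)
        return strcmp(trans, capath) == 0 ? OK : TRANSITED_REJECTED;
    return hier_check(trans, client, server);
}

/* Constructed stand-in for a KDB module's check_transited_realms method: it rules only on
 * paths made entirely of its two federation realms and otherwise passes control back. */
static int module_calls;   /* how often the module was consulted */
static const char *const federation[] = { "ALPHA.TEST", "BRAVO.EXAMPLE" };
static int module_check(const char *trans)
{
    char buf[256], *r;
    int entries = 0;
    module_calls++;
    snprintf(buf, sizeof buf, "%s", trans);
    for (r = strtok(buf, ","); r != NULL; r = strtok(NULL, ",")) {
        if (strcmp(r, federation[0]) != 0 && strcmp(r, federation[1]) != 0)
            return KRB5_PLUGIN_NO_HANDLE;
        entries++;
    }
    return entries > 0 ? OK : KRB5_PLUGIN_NO_HANDLE;
}

/* Order from the bug report: core rules first, so a core rejection ends the check before the
 * module runs. (Model assumption: a module that passes control back keeps the core verdict.) */
static int check_before_fix(const char *trans, const char *client, const char *server, const char *capath)
{
    int ret = core_check(trans, client, server, capath);
    if (ret != OK)
        return ret;
    ret = module_check(trans);
    return ret == KRB5_PLUGIN_NO_HANDLE ? OK : ret;
}

/* Order after the commit: module first and authoritative on success;
 * KRB5_PLUGIN_NO_HANDLE falls back to the core mechanisms. */
static int check_after_fix(const char *trans, const char *client, const char *server, const char *capath)
{
    int ret = module_check(trans);
    return ret == KRB5_PLUGIN_NO_HANDLE ? core_check(trans, client, server, capath) : ret;
}

int main(void)
{
    /* Constructed scenario from the report: different hierarchies, no [capaths] entry. */
    const char *c = "ENG.ALPHA.TEST", *s = "WEB.BRAVO.EXAMPLE";
    const char *path = "ALPHA.TEST,BRAVO.EXAMPLE";
    int before = check_before_fix(path, c, s, NULL), calls_before = module_calls;
    int after = check_after_fix(path, c, s, NULL), calls_after = module_calls - calls_before;
    printf("before fix: status %d, module consulted %d time(s)\n", before, calls_before);
    printf("after fix:  status %d, module consulted %d time(s)\n", after, calls_after);
    return 0;
}
```

Built with any C99 compiler, the first line reports a rejection with the module consulted zero times and the second an acceptance after one consultation. The reversed order also makes a module's acceptance authoritative even where the core rules would reject, which is the semantic change Greg points out: a module that wants the core rules applied must now return KRB5_PLUGIN_NO_HANDLE rather than 0.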