Subject: KDC should not fail requests due to forwardable/proxiable option
If the client requests forwardable or proxiable tickets and the client or
server DB entry has disallow-forwardable or disallow-proxiable set, we
fail the request. It would be more helpful to just issue a ticket
without the forwardable/proxiable ticket flag set, as Heimdal and Active
Directory do.
I misread the Heimdal code. Its KDC behavior matches our current
behavior of rejecting requests based on an unfulfillable forwardable or
proxiable option.
[ghudson - Tue Mar 4 11:48:56 2014]:

> I misread the Heimdal code. Its KDC behavior matches our current
> behavior of rejecting requests based on an unfulfillable forwardable or
> proxiable option.

Do we have confirmation that Windows issues tickets with the policy-denied flags cleared rather
than rejecting the request? Also, the RFCs do not appear to require the KDC to reject the
request if it can't fulfill the options.
[tlyu - Thu Mar 27 17:07:28 2014]:
> Do we have confirmation that Windows issues tickets with the policy-
> denied flags cleared rather than rejecting the request?

That's my memory from the last interop event. I don't have a written
reference.
[ghudson - Thu Mar 27 21:03:07 2014]:

> [tlyu - Thu Mar 27 17:07:28 2014]:
> > Do we have confirmation that Windows issues tickets with the policy-
> > denied flags cleared rather than rejecting the request?
>
> That's my memory from the last interop event. I don't have a written
> reference.


Silently declining to fulfill requested options like this might allow us to forgo the weird hack with
validate_forwardable() in kdc_util.c.
After talking with Simo yesterday, I'm no longer convinced that Active
Directory has the specific behavior of silently not setting the
forwardable flag. Simo's recollection was that (1) the conformance test
was just authenticating against a specific service principal, possibly
kadmin/admin, with the forwardable flag set, and (2) the conformance
test wasn't necessarily checking that it got a non-forwardable ticket,
just that it got a ticket at all. After hearing that, I'm no longer
sure whether Active Directory even has an equivalent of
DISALLOW_FORWARDABLE.

(We don't appear to set DISALLOW_FORWARDABLE on any principals when a
KDB is created, but maybe IPA does?)

So, ignore any language in the original ticket description about
behavior differences. The reasons to do this would be (1) it is an
arguably friendlier behavior which is allowed by RFC 4120 and is
consistent with how the KDC handles other request options such as
lifetimes, and (2) it gets rid of the validate_forwardable hack in the
KDC code.

This is not a high-priority issue since DISALLOW_FORWARDABLE is probably
not often used.
From: Russ Allbery <eagle@eyrie.org>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #7871] KDC should not fail requests due to forwardable/proxiable option
Date: Wed, 02 Apr 2014 13:36:50 -0700
RT-Send-Cc:
"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

> This is not a high-priority issue since DISALLOW_FORWARDABLE is probably
> not often used.

FWIW, we use it heavily for privileged principals, and have struggled with
this for years in various ways.

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
Ticket 8761 provides additional motivation for this change.
From: ghudson@mit.edu
Subject: git commit

Clear forwardable flag instead of denying request

If the client requests a forwardable or proxiable ticket and the
option cannot be honored by policy, issue a non-forwardable or
non-proxiable ticket rather than denying the request.

Add a test script for testing KDC request options and populate it with
tests for the forwardable and proxiable flags.

https://github.com/krb5/krb5/commit/08e948cce2c79a3604066fcf7a64fc527456f83d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 08e948cce2c79a3604066fcf7a64fc527456f83d
Branch: master
src/kdc/do_as_req.c | 19 ++------
src/kdc/do_tgs_req.c | 58 +++++---------------------
src/kdc/kdc_util.c | 82 +++++++++++++++++++++----------------
src/kdc/kdc_util.h | 9 ++--
src/kdc/tgs_policy.c | 8 +---
src/tests/Makefile.in | 1 +
src/tests/gcred.c | 28 +++++++++----
src/tests/t_kdcoptions.py | 100 +++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 190 insertions(+), 115 deletions(-)
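
The following is an added example, not part of the ticket or of the krb5 commit: a small C model of the two behaviours discussed in this thread, rejecting a request whose forwardable/proxiable option is denied by the client or server DB entry versus issuing the ticket with only the denied flag cleared. All identifiers and numeric values in it (`model_issue`, `denied_flags`, the `OPT_`/`FLG_`/`ATTR_` constants) are assumptions of the example and do not reproduce the KDC's code.

```c
#include <stdint.h>
#include <stdio.h>

/* Local constants for this model; the names and values are assumptions of
 * the example and are not taken from the ticket or the commit. */
#define OPT_FORWARDABLE       0x40000000u /* requested KDC option */
#define OPT_PROXIABLE         0x10000000u
#define FLG_FORWARDABLE       0x40000000u /* flag set in the issued ticket */
#define FLG_PROXIABLE         0x10000000u
#define ATTR_NO_FORWARDABLE   0x00000002u /* disallow-forwardable DB attribute */
#define ATTR_NO_PROXIABLE     0x00000010u /* disallow-proxiable DB attribute */
#define MODEL_ERR_POLICY      12          /* policy rejection (RFC 4120 code) */

enum model_mode { MODE_REJECT, MODE_CLEAR }; /* before / after the commit */
struct model_result { int error; uint32_t ticket_flags; };

/* Ticket flags that policy forbids: either DB entry can veto a flag. */
static uint32_t denied_flags(uint32_t client_attrs, uint32_t server_attrs)
{
    uint32_t attrs = client_attrs | server_attrs, denied = 0;
    if (attrs & ATTR_NO_FORWARDABLE) denied |= FLG_FORWARDABLE;
    if (attrs & ATTR_NO_PROXIABLE) denied |= FLG_PROXIABLE;
    return denied;
}

/* Decide the outcome of a request carrying kdc_options. */
static struct model_result model_issue(enum model_mode mode, uint32_t kdc_options,
                                       uint32_t client_attrs, uint32_t server_attrs)
{
    struct model_result r = { 0, 0 };
    uint32_t wanted = 0, denied = denied_flags(client_attrs, server_attrs);
    if (kdc_options & OPT_FORWARDABLE) wanted |= FLG_FORWARDABLE;
    if (kdc_options & OPT_PROXIABLE) wanted |= FLG_PROXIABLE;
    if (mode == MODE_REJECT && (wanted & denied)) {
        r.error = MODEL_ERR_POLICY;     /* old behaviour: whole request fails */
        return r;
    }
    r.ticket_flags = wanted & ~denied;  /* new behaviour: drop denied flags only */
    return r;
}

int main(void)
{
    uint32_t opts = OPT_FORWARDABLE | OPT_PROXIABLE;
    struct model_result a = model_issue(MODE_REJECT, opts, ATTR_NO_FORWARDABLE, 0);
    struct model_result b = model_issue(MODE_CLEAR, opts, ATTR_NO_FORWARDABLE, 0);
    printf("reject mode: error=%d flags=0x%08x\n", a.error, (unsigned)a.ticket_flags);
    printf("clear mode:  error=%d flags=0x%08x\n", b.error, (unsigned)b.ticket_flags);
    return 0;
}
```

In the clear mode a successful reply no longer implies that the requested flag was granted, so a caller that depends on forwarding has to check the flags of the issued ticket.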