Ticket History #8479: Resource Based Constrained Delegation support

Isaac Boukris has implemented client and KDC support, which is at or near completion.

The client must send a PA-PAC-OPTIONS pa-data item with the bit set for RBCD support.  If the KDC responds to an S4U2Proxy request with a referral, the client must follow the referral path to the destination realm twice, once to get a cross-TGT with its own authdata and once to get a cross-TGT with the impersonated client's authdata.  The client must then make an S4U2Proxy request to the destination realm with the second cross-TGT as the evidence ticket.  This is described in [MS-SFU] 3.1.5.2.2.

The KDC needs a new DAL method to authorize S4U2Proxy requests at the target principal entry (with the intermediate service name as a parameter).  We will call this method allowed_to_delegate_from().  The KDC also needs a way to read the client name out of the PAC for the final S4U2Proxy request.  This will be implemented via a second new DAL method get_authdata_info(); this method can also return an opaque representation of the PAC (or other authorization data) for consumption by sign_authdata() and allowed_to_delegate_from(), to avoid repeat parsing.
 

Move S4U2Proxy client code to s4u_creds.c

Add an internal libkrb5 interface k5_get_proxy_cred_from_kdc(), which
implements S4U2Proxy requests synchronously. Call it from
krb5_get_credentials() if constrained delegation is requested.

[ghudson@mit.edu: rewrote commit message; made style changes]

https://github.com/krb5/krb5/commit/2b29619aa27c2e63fea80cac60b5607a3fce972f
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 2b29619aa27c2e63fea80cac60b5607a3fce972f
Branch: master
src/lib/krb5/krb/get_creds.c | 28 +++-------
src/lib/krb5/krb/int-proto.h | 10 +++
src/lib/krb5/krb/s4u_creds.c | 130 ++++++++++++++++++++++++++++++++++++++++--
3 files changed, 143 insertions(+), 25 deletions(-)

S4U2Proxy evidence tickets needn't be forwardable

With the introduction of resource-based constrained delegation, the
absence of the forwardable flag no longer implies that a ticket cannot
be used for constrained delegation requests.

Instead, we should check in the PAC to see if the user is marked as
sensitive, and error out in that case rather than making a failed
request. But we don't always have access to the PAC and we currently
do not have the code to retrieve this attribute from the PAC.

Since krb5_get_credentials_for_proxy() no longer needs to look at the
decrypted ticket, change kvno to not require a keytab for constrained
delegation.

[ghudson@mit.edu: made minor style changes and commit message edits;
updated documentation]

https://github.com/krb5/krb5/commit/e131d339b81a22bfc91ab96990c3be9e7779200e
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e131d339b81a22bfc91ab96990c3be9e7779200e
Branch: master
doc/appdev/gssapi.rst | 35 ++++++++++---------------
src/clients/kvno/kvno.c | 40 ++++++++++++++---------------
src/lib/gssapi/krb5/accept_sec_context.c | 3 +-
src/lib/gssapi/krb5/init_sec_context.c | 1 -
src/lib/gssapi/krb5/s4u_gss_glue.c | 14 ++--------
src/lib/krb5/krb/s4u_creds.c | 16 +++--------
src/tests/gssapi/t_s4u.py | 25 ++++++++----------
7 files changed, 53 insertions(+), 81 deletions(-)

Add KDC support for RBCD requests

Add two new KDB methods to support resource-based constrained
delegation. The get_authdata_info method extracts the client
principal for the authdata (necessary for cross-realm RBCD requests as
the evidence ticket is a cross-realm TGT with the requested client's
authdata), and also returns an opaque pointer for consumption by other
KDB methods. The allowed_to_delegate_from method performs a
constrained delegation policy check on the principal entry of the
target principal.

Add the server principal and abstract authdata representation to the
sign_authdata method. Also pass the second ticket server as
header_server since we pass the authorization data from the second
ticket, and pass the impersonated client (if it is in the local realm)
as client instead of the impersonator.

Add core KDC code for RBCD requests. For local RBCD requests
(impersonator and target in the same realm), KDC handling is similar
to existing constrained delegation support. The evidence ticket is
not required to be forwardable, and allowed_to_delegate_from is used
in preference to check_allowed_to_delegate.

For cross-realm RBCD requests, the KDC could be in the impersonator
realm, the target realm, or in a transit realm between the two. In
the transit realm case, the request looks like a regular cross-realm
request for a krbtgt service except for the information in the PAC, so
this case is handled by the KDB module sign_authdata() method.

[ghudson@mit.edu: made style and documentation edits; edited commit
message]

https://github.com/krb5/krb5/commit/d47f7dba3779c9e36e1dedaac830dac1dd248fb3
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: d47f7dba3779c9e36e1dedaac830dac1dd248fb3
Branch: master
src/include/kdb.h | 106 +++++++++++++++++++++++++++++++---
src/kdc/do_as_req.c | 2 +-
src/kdc/do_tgs_req.c | 118 +++++++++++++++++++++++---------------
src/kdc/kdc_authdata.c | 33 +++++------
src/kdc/kdc_preauth.c | 6 ++
src/kdc/kdc_util.c | 112 +++++++++++++++++++++++++++++++++++--
src/kdc/kdc_util.h | 15 +++++-
src/lib/kdb/kdb5.c | 77 +++++++++++++++++++++++--
src/lib/kdb/libkdb5.exports | 3 +
src/plugins/kdb/test/kdb_test.c | 5 +-
10 files changed, 387 insertions(+), 90 deletions(-)

Fix doc build

Commit c426ef2ca2ba45dbf96f5380cf7d153ec0679424 added
KRB5_PADATA_PAC_OPTIONS to krb5.hin, but did not put it in an API
index, causing a documentation build failure. Add it now.

https://github.com/krb5/krb5/commit/7ae4e8882458336fbe50d0e722ec9d5e3e338c63
Author: Greg Hudson <ghudson@mit.edu>
Commit: 7ae4e8882458336fbe50d0e722ec9d5e3e338c63
Branch: master
doc/appdev/refs/macros/index.rst | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)