From: Derrick Brashear
Date: Wed, 19 Mar 2003 12:52:36 +0000 (+0000)
Subject: STABLE12-kaserver-disable-krb4-crossrealm-20030317
X-Git-Tag: openafs-stable-1_2_9~28
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=3941397640061207c404b5c3bc07bd2d8267f690;p=packages%2Fo%2Fopenafs.git
STABLE12-kaserver-disable-krb4-crossrealm-20030317
to deal with krb4 security advisory
====================
This delta was composed from multiple commits as part of the CVS->Git migration. The checkin message with each commit was inconsistent. The following are the additional commit messages.
====================
to deal with krb4 security advisory
type mismatch for krb4_cross pointed out by Jack Neely
(cherry picked from commit 1312d1179d4a97e9c62eb26ef55f60007cd35872)
---
diff --git a/src/kauth/kaprocs.c b/src/kauth/kaprocs.c
index 2b557fdcf..b20d5a994 100644
--- a/src/kauth/kaprocs.c
+++ b/src/kauth/kaprocs.c
@@ -1707,6 +1707,11 @@ static afs_int32 GetTicket (version, call, kvno, authDomain, aticket,
 if (import && (celllen == 0)) {code = KABADTICKET; goto abort;}
 if (export && (celllen == 0)) strcpy (cell, lrealm);
 
+ if (!krb4_cross && celllen && strcmp(lrealm, cell) != 0) {
+ code = KABADUSER;
+ goto abort;
+ }
+
 des_ecb_encrypt (atimes->SeqBody, ×, schedule, DECRYPT);
 times.start = ntohl(times.start);
 times.end = ntohl(times.end);
diff --git a/src/kauth/kaserver.c b/src/kauth/kaserver.c
index 74ea4ff00..eeefa2199 100644
--- a/src/kauth/kaserver.c
+++ b/src/kauth/kaserver.c
@@ -56,6 +56,8 @@ struct kadstats dynamic_statistics;
 struct ubik_dbase *KA_dbase;
 afs_int32 myHost = 0;
 afs_int32 verbose_track = 1;
+afs_int32 krb4_cross = 0;
+
 struct afsconf_dir *KA_conf; /* for getting cell info */
 
 extern afs_int32 ubik_lastYesTime;
@@ -194,6 +196,7 @@ main (argc, argv)
 usage:
 printf("Usage: kaserver [-noAuth] [-fastKeys] [-database ] "
 "[-localfiles ] [-minhours ] [-servers ] "
+ "[-crossrealm]"
 /*" [-enable_peer_stats] [-enable_process_stats] " */
 "[-help]\n");
 exit(1);
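Review bot: The new realm check in GetTicket is skipped whenever `celllen` is zero, so a ticket that names no realm and is neither `import` nor `export` is never compared against `lrealm`; whether `cell` holds a usable value on that path is decided by code before the hunk, outside this view. If the intent is that only an explicitly foreign realm is refused, say so in a comment above the new `if`, e.g. `/* Without -crossrealm, refuse tickets from any realm but our own; an empty realm on the export path was already set to lrealm above. */`. The sibling check added in krb_udp.c has no `celllen` guard, so the two entry points accept slightly different inputs; worth confirming that difference is deliberate. The `×` on the `des_ecb_encrypt` context line appears to be the page's rendering of `&times`, not the code. GetTicket's body continues outside the hunk.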
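Review bot: The added usage literal `"[-crossrealm]"` has no trailing space, while the neighbouring option literals in this printf end with one, so the printed usage runs `[-servers ...] [-crossrealm][-help]` together; change it to `"[-crossrealm] "`. Nothing a user sees explains what the option does; a short comment next to the `-crossrealm` branch in main's argument parsing (`/* accept krb4 tickets issued by realms other than the local one */`) or a line in the kaserver man page would help. main's body continues outside the hunk.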
@@ -251,6 +254,7 @@ main (argc, argv)
 else if (IsArg("-clear")) level = rxkad_clear;
 else if (IsArg("-sorry")) level = rxkad_clear;
 else if (IsArg("-debug")) verbose_track = 0;
+ else if (IsArg("-crossrealm")) krb4_cross = 1;
 else if (IsArg("-minhours")) {
 MinHours = atoi(argv[++a]);
 }
diff --git a/src/kauth/kaserver.h b/src/kauth/kaserver.h
index dfc0e3415..ef7580545 100644
--- a/src/kauth/kaserver.h
+++ b/src/kauth/kaserver.h
@@ -179,6 +179,7 @@ extern int kaux_islocked(
 u_int locktime
 );
+extern afs_int32 krb4_cross;
 #define LOCKPW
diff --git a/src/kauth/krb_udp.c b/src/kauth/krb_udp.c
index 137cd7dd1..6f3ba8ff7 100644
--- a/src/kauth/krb_udp.c
+++ b/src/kauth/krb_udp.c
@@ -462,6 +462,11 @@ afs_int32 UDP_GetTicket (ksoc, pkt, kvno, authDomain, ticket, ticketLen, auth, a
 cell[MAXKTCREALMLEN-1] = 0;
 };
 
+ if (!krb4_cross && strcmp(lrealm, cell) != 0) {
+ code = KERB_ERR_PRINCIPAL_UNKNOWN;
+ goto abort;
+ }
+
 if (krb_udp_debug) {
 printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",
 name, inst, cell);
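Review bot: The new `extern afs_int32 krb4_cross;` in kaserver.h is the only place the other translation units learn about this flag, and it carries no comment on what the value means or who sets it. Suggest `extern afs_int32 krb4_cross;	/* nonzero: honour krb4 tickets from realms other than the local one (kaserver -crossrealm); the default 0 refuses them */`, matching the `= 0` initialiser in kaserver.c.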
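Review bot: The cross-realm check in UDP_GetTicket compares `cell` with `lrealm` unconditionally, whereas the equivalent check added to GetTicket in kaprocs.c runs only when `celllen` is non-zero; if `cell` can be empty at this point (how it is filled comes from lines before the hunk) an empty realm is refused here but tolerated in kaprocs.c, and that asymmetry should be either documented or removed. The check itself deserves a comment above the `if`, e.g. `/* Without -crossrealm, only tickets issued by our own realm are honoured. */`. The stray `};` on the context line just above the insertion is pre-existing but could be tidied in the same change. UDP_GetTicket's body continues outside the hunk.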