From 1312d1179d4a97e9c62eb26ef55f60007cd35872 Mon Sep 17 00:00:00 2001
From: Derrick Brashear
Date: Tue, 18 Mar 2003 23:47:51 +0000
Subject: [PATCH] kaserver-disable-krb4-crossrealm-20030317

to deal with krb4 security advisory

====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================

to deal with krb4 security advisory

type mismatch for krb4_cross pointed out by Jack Neely
---
 src/kauth/kaprocs.c | 5 +++++
 src/kauth/kaserver.c | 4 ++++
 src/kauth/kaserver.h | 1 +
 src/kauth/krb_udp.c | 5 +++++
 4 files changed, 15 insertions(+)

diff --git a/src/kauth/kaprocs.c b/src/kauth/kaprocs.c
index 2b557fdcf..b20d5a994 100644
--- a/src/kauth/kaprocs.c
+++ b/src/kauth/kaprocs.c
@@ -1707,6 +1707,11 @@ static afs_int32 GetTicket (version, call, kvno, authDomain, aticket,
     if (import && (celllen == 0)) {code = KABADTICKET; goto abort;}
     if (export && (celllen == 0)) strcpy (cell, lrealm);
 
+    if (!krb4_cross && celllen && strcmp(lrealm, cell) != 0) {
+        code = KABADUSER;
+        goto abort;
+    }
+
     des_ecb_encrypt (atimes->SeqBody, ×, schedule, DECRYPT);
     times.start = ntohl(times.start);
     times.end = ntohl(times.end);
diff --git a/src/kauth/kaserver.c b/src/kauth/kaserver.c
index d2345f398..b58c33aae 100644
--- a/src/kauth/kaserver.c
+++ b/src/kauth/kaserver.c
@@ -56,6 +56,8 @@ struct kadstats dynamic_statistics;
 struct ubik_dbase *KA_dbase;
 afs_int32 myHost = 0;
 afs_int32 verbose_track = 1;
+afs_int32 krb4_cross = 0;
+
 struct afsconf_dir *KA_conf; /* for getting cell info */
 
 extern afs_int32 ubik_lastYesTime;
@@ -193,6 +195,7 @@ main (argc, argv)
   usage:
     printf("Usage: kaserver [-noAuth] [-fastKeys] [-database ] "
            "[-localfiles ] [-minhours ] [-servers ] "
+           "[-crossrealm]"
            /*" [-enable_peer_stats] [-enable_process_stats] " */
            "[-help]\n");
     exit(1);
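Review bot: The new cross-realm rejection in GetTicket is skipped when `celllen` is zero, so a ticket whose realm field is empty is treated as local; that matches the `import`/`export` handling just above it, but the check this commit adds to UDP_GetTicket in krb_udp.c compares unconditionally, so the two entry points apply slightly different rules to the same class of ticket. Whether an empty realm can reach this point with neither `import` nor `export` set is not visible in the hunk, so this may be harmless, but the two sites should state the same rule. The block also deserves a comment saying why it exists and that it fails closed, e.g. `/* Refuse krb4 cross-realm tickets unless -crossrealm was given (krb4 cross-realm advisory); fail closed. */`. GetTicket begins and ends outside this hunk.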
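Review bot: The added usage literal `"[-crossrealm]"` has no trailing space, and the literal after it is commented out, so the concatenated message prints `[-servers ] [-crossrealm][-help]`; change the added line to `"[-crossrealm] "` so it matches the surrounding literals, each of which ends in a space. main begins and ends outside this hunk.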
@@ -250,6 +253,7 @@ main (argc, argv)
     else if (IsArg("-clear")) level = rxkad_clear;
     else if (IsArg("-sorry")) level = rxkad_clear;
     else if (IsArg("-debug")) verbose_track = 0;
+    else if (IsArg("-crossrealm")) krb4_cross = 1;
     else if (IsArg("-minhours")) {
         MinHours = atoi(argv[++a]);
     }
diff --git a/src/kauth/kaserver.h b/src/kauth/kaserver.h
index dfc0e3415..ef7580545 100644
--- a/src/kauth/kaserver.h
+++ b/src/kauth/kaserver.h
@@ -179,6 +179,7 @@ extern int kaux_islocked(
 u_int locktime );
+extern afs_int32 krb4_cross;
 #define LOCKPW
diff --git a/src/kauth/krb_udp.c b/src/kauth/krb_udp.c
index d31e7e416..a259a41d1 100644
--- a/src/kauth/krb_udp.c
+++ b/src/kauth/krb_udp.c
@@ -462,6 +462,11 @@ afs_int32 UDP_GetTicket (ksoc, pkt, kvno, authDomain, ticket, ticketLen, auth, a
         cell[MAXKTCREALMLEN-1] = 0;
     };
 
+    if (!krb4_cross && strcmp(lrealm, cell) != 0) {
+        code = KERB_ERR_PRINCIPAL_UNKNOWN;
+        goto abort;
+    }
+
     if (krb_udp_debug) {
         printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",
                 name, inst, cell);
-- 
2.39.5
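Review bot: `-crossrealm` re-enables acceptance of tickets from any foreign krb4 realm — the condition the advisory named in the commit message is about — yet nothing in the option parsing records that the server started in that mode, so an operator reading the server's output cannot tell a hardened kaserver from one running with the flag. A one-line startup message once argument parsing is done, e.g. `if (krb4_cross) printf("kaserver: accepting krb4 cross-realm tickets (-crossrealm)\n");`, would make the weakened configuration visible; kaserver.c already reports through printf. main begins and ends outside this hunk.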
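Review bot: The check added to UDP_GetTicket compares `cell` against `lrealm` unconditionally, unlike the matching check in kaprocs.c, which only compares when the ticket carried a realm (`celllen`); if `cell` can still be empty at this point, the request is rejected with KERB_ERR_PRINCIPAL_UNKNOWN where the RPC path would accept it as local. Failing closed is the right direction, but it should be deliberate: either confirm that `cell` is defaulted to `lrealm` earlier in the function (not visible in the hunk) or mirror the kaprocs.c guard so both paths agree. A comment such as `/* Refuse krb4 cross-realm tickets unless -crossrealm was given; fail closed. */` would tie the block to the advisory for the next reader. UDP_GetTicket begins and ends outside this hunk.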