ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT
From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089 -------- The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes. -------- Use MIT Kerberos 1.21+ facility to hint about proper enctype for cross-realm TGT. Fixes: https://pagure.io/freeipa/issue/9124 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
105b03370c
commit
e00f457f75
@ -117,6 +117,12 @@ static char *std_principal_obj_classes[] = {
|
||||
|
||||
#define OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME "optional_pac_tkt_chksum"
|
||||
|
||||
#ifndef KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE
|
||||
#define OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME "pac_privsvr_enctype"
|
||||
#else
|
||||
#define OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE
|
||||
#endif
|
||||
|
||||
static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
|
||||
char *attrname,
|
||||
krb5_tl_data **result, int *num)
|
||||
@ -1767,6 +1773,16 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
|
||||
if (kerr)
|
||||
return kerr;
|
||||
|
||||
/* for trusted AD forests we currently must use SHA-1-based
|
||||
* encryption types. For details, see
|
||||
* https://github.com/krb5/krb5/commit/5af907156f8f502bbe268f0c62274f88a61261e4
|
||||
*/
|
||||
if (!is_local_tgs_princ) {
|
||||
kerr = krb5_dbe_set_string(kcontext, *entry,
|
||||
OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME,
|
||||
"aes256-sha1");
|
||||
}
|
||||
|
||||
/* PAC ticket signature should be optional for foreign realms, and local
|
||||
* realm if not supported by all servers
|
||||
*/
|
||||
@ -2892,19 +2908,25 @@ remove_virtual_str_attrs(krb5_context kcontext, krb5_db_entry *entry)
|
||||
{
|
||||
char *str_attr_val;
|
||||
krb5_error_code kerr;
|
||||
const char *str_attrs[] = {
|
||||
OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME,
|
||||
OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME,
|
||||
NULL};
|
||||
|
||||
kerr = krb5_dbe_get_string(kcontext, entry,
|
||||
OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME,
|
||||
&str_attr_val);
|
||||
if (kerr)
|
||||
return kerr;
|
||||
for(int i = 0; str_attrs[i] != NULL; i++) {
|
||||
kerr = krb5_dbe_get_string(kcontext, entry,
|
||||
str_attrs[i],
|
||||
&str_attr_val);
|
||||
if (kerr)
|
||||
return kerr;
|
||||
|
||||
if (str_attr_val)
|
||||
kerr = krb5_dbe_set_string(kcontext, entry,
|
||||
OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME,
|
||||
NULL);
|
||||
if (str_attr_val)
|
||||
kerr = krb5_dbe_set_string(kcontext, entry,
|
||||
str_attrs[i],
|
||||
NULL);
|
||||
|
||||
krb5_dbe_free_string(kcontext, str_attr_val);
|
||||
krb5_dbe_free_string(kcontext, str_attr_val);
|
||||
}
|
||||
return kerr;
|
||||
}
|
||||
|
||||
|
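Review bot: In the new loop of remove_virtual_str_attrs a failure of krb5_dbe_set_string is silently masked: kerr is only checked after krb5_dbe_get_string, so an error clearing the first attribute is overwritten by the next iteration's successful get and the function returns 0 while the attribute is still set; the string is also not freed on that path if the check were added before the free. Move the check after the release, i.e. keep `krb5_dbe_free_string(kcontext, str_attr_val);` and follow it with `if (kerr) return kerr;` inside the loop. In the ipadb_get_principal hunk the comment says "trusted AD forests" but the condition `if (!is_local_tgs_princ)` appears to hint aes256-sha1 for every cross-realm TGT principal, including non-AD trusts, which restricts the privsvr checksum key even where a sha2 enctype would be accepted; if that is intended, say so in the comment, and the kerr from that krb5_dbe_set_string is not checked within the hunk (the function continues outside it).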