ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT

From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC
checksums.  If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer.  This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
--------

Use MIT Kerberos 1.21+ facility to hint about proper enctype for
cross-realm TGT.

Fixes: https://pagure.io/freeipa/issue/9124

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Alexander Bokovoy 2023-05-24 12:35:54 +03:00 committed by Florence Blanc-Renaud
parent 105b03370c
commit e00f457f75


@ -117,6 +117,12 @@ static char *std_principal_obj_classes[] = {
#define OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME "optional_pac_tkt_chksum" #define OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME "optional_pac_tkt_chksum"
#ifndef KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE
#define OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME "pac_privsvr_enctype"
#else
#define OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE
#endif
static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le, static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
char *attrname, char *attrname,
krb5_tl_data **result, int *num) krb5_tl_data **result, int *num)
@ -1767,6 +1773,16 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
if (kerr) if (kerr)
return kerr; return kerr;
/* for trusted AD forests we currently must use SHA-1-based
* encryption types. For details, see
* https://github.com/krb5/krb5/commit/5af907156f8f502bbe268f0c62274f88a61261e4
*/
if (!is_local_tgs_princ) {
kerr = krb5_dbe_set_string(kcontext, *entry,
OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME,
"aes256-sha1");
}
/* PAC ticket signature should be optional for foreign realms, and local /* PAC ticket signature should be optional for foreign realms, and local
* realm if not supported by all servers * realm if not supported by all servers
*/ */
@ -2892,19 +2908,25 @@ remove_virtual_str_attrs(krb5_context kcontext, krb5_db_entry *entry)
{ {
char *str_attr_val; char *str_attr_val;
krb5_error_code kerr; krb5_error_code kerr;
const char *str_attrs[] = {
OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME,
OPT_PAC_PRIVSVR_CHKSUM_STR_ATTR_NAME,
NULL};
kerr = krb5_dbe_get_string(kcontext, entry, for(int i = 0; str_attrs[i] != NULL; i++) {
OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME, kerr = krb5_dbe_get_string(kcontext, entry,
&str_attr_val); str_attrs[i],
if (kerr) &str_attr_val);
return kerr; if (kerr)
return kerr;
if (str_attr_val) if (str_attr_val)
kerr = krb5_dbe_set_string(kcontext, entry, kerr = krb5_dbe_set_string(kcontext, entry,
OPT_PAC_TKT_CHKSUM_STR_ATTR_NAME, str_attrs[i],
NULL); NULL);
krb5_dbe_free_string(kcontext, str_attr_val); krb5_dbe_free_string(kcontext, str_attr_val);
}
return kerr; return kerr;
} }
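Review bot: The result of krb5_dbe_set_string in the new `!is_local_tgs_princ` branch of ipadb_get_principal is stored in kerr but never tested, even though the call immediately above it returns on error; a failure to attach the enctype hint is silently dropped (and presumably masked by whatever assigns kerr next), so the entry is returned without the hint the commit is meant to add. Add `if (kerr) return kerr;` after the call to match the surrounding style; ipadb_get_principal begins and ends outside the hunk. The same masking appears in the new loop in remove_virtual_str_attrs: an error from krb5_dbe_set_string on the first attribute is overwritten by krb5_dbe_get_string on the next iteration, so the attribute can be left in the entry while the function reports success, and a `if (kerr) return kerr;` after krb5_dbe_free_string would surface it. Minor: `for(int i = 0; ...)` should be `for (int i = 0; ...)` to match the spacing used elsewhere in the hunk.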