From 1fb026105ef397612a504722b2bcac29fbc69676 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 24 Nov 2023 11:54:04 +0200
Subject: [PATCH] ipa-kdb: when applying ticket policy, do not deny PKINIT

PKINIT differs from other pre-authentication methods by the fact that it can be matched indepedently of the user authentication types via certmap plugin in KDC. Since PKINIT is a strong authentication method, allow its authentication indicator and only apply the ticket policy.

Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy
Reviewed-By: Francisco Trivino
---
 daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 436ee0e62665594062e7be37e5b7925f76e921a0..2802221c79fe63ab4bd33bfbe4859517f3d91ec5 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
 pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
 } else if (strcmp(auth_indicator, "pkinit") == 0) {
 valid_auth_indicators++;
- if (!(ua & IPADB_USER_AUTH_PKINIT)) {
- *status = "PKINIT pre-authentication not allowed for this user.";
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
- }
+ /* allow PKINIT unconditionally -- it has passed already at this
+ * point so some certificate was useful, only apply the limits */
 pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
 } else if (strcmp(auth_indicator, "hardened") == 0) {
 valid_auth_indicators++;
-- 
2.43.0
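Review bot: The new comment on the `+` lines understates the policy consequence of dropping the `ua & IPADB_USER_AUTH_PKINIT` check: after this hunk a principal whose configured authentication types exclude PKINIT is still issued a ticket whenever the `pkinit` indicator is present, so the per-user auth-type setting no longer restricts PKINIT at the AS stage, and a maintainer reading "allow PKINIT unconditionally" should be told that directly. Suggest replacing the two comment lines with `/* Do not gate PKINIT on the user's auth types: which certificates map to this principal is decided by the KDC certmap matching, not by ua; only the PKINIT ticket limits are applied here. */`. The justification "it has passed already ... so some certificate was useful" is an assumption that the `pkinit` indicator is only ever set by the KDC's own PKINIT pre-authentication and cannot arrive from elsewhere; this function does not verify that, so the comment should state it as the trust boundary it relies on rather than as a fact established here. If the commit intends the user's PKINIT auth-type bit to keep any meaning, the code should say where it is still enforced, since this branch no longer reads it. ipa_kdcpolicy_check_as starts and ends outside the hunk.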