e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From c90ba9478b663bd5bcac9bb3af4272ee1406816b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:46:19 +0200
Subject: [PATCH] ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.
Add detection of special principals to avoid these situations and always
allow password or hardened for services.
Special handling is needed for the following principals:
- krbtgt/.. -- TGT service principals
- K/M -- master key principal
- kadmin/changepw -- service for changing passwords
- kadmin/kadmin -- kadmin service principal
- kadmin/history -- key used to encrypt history
Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++-----
1 file changed, 54 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
|
index 06d511c762006f6a1e6e7a0ec663bc059489cf64..dbb98dba6d6d273e86e39e8ca8b8877d13f4299b 100644
|
|
--- a/daemons/ipa-kdb/ipa_kdb.c
|
|
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
|
@@ -26,6 +26,7 @@
|
|
#include "ipa_kdb.h"
|
|
#include "ipa_krb5.h"
|
|
#include "ipa_hostname.h"
|
|
+#include <kadm5/admin.h>
|
|
|
|
#define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
|
|
|
|
@@ -207,6 +208,19 @@ static const struct {
|
|
{ "idp", IPADB_USER_AUTH_IDP },
|
|
{ "passkey", IPADB_USER_AUTH_PASSKEY },
|
|
{ }
|
|
+},
|
|
+ objclass_table[] = {
|
|
+ { "ipaservice", IPADB_USER_AUTH_PASSWORD },
|
|
+ { "ipahost", IPADB_USER_AUTH_PASSWORD },
|
|
+ { }
|
|
+},
|
|
+ princname_table[] = {
|
|
+ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD },
|
|
+ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD },
|
|
+ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD },
|
|
+ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD },
|
|
+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD },
|
|
+ { }
|
|
};
|
|
|
|
void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
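Review bot: The new objclass_table and princname_table initializers carry no comment saying why these entries are given IPADB_USER_AUTH_PASSWORD implicitly, and the KRB5_/KADM5_ macros hide which literal principal names end up being matched, so a reader of this file has to go to the commit message for both. I would add above `princname_table[] = {` a comment such as `/* Special principals that must always be allowed password/hardened auth: krbtgt (TGS), K/M (master key), kadmin services (admin, changepw, history) */`, and above `objclass_table[] = {` a note that IPA services and hosts use keytabs and therefore get password auth by object class. The commit message lists "kadmin/kadmin", whereas KADM5_ADMIN_SERVICE in MIT's kadm5/admin.h expands, to my knowledge, to "kadmin/admin"; spelling the literals out in the comment would remove that ambiguity. The anonymous struct this initializer list belongs to begins before the hunk.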
|
|
@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le,
|
|
|
|
*userauth = IPADB_USER_AUTH_NONE;
|
|
vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE);
|
|
- if (!vals)
|
|
- return;
|
|
-
|
|
- for (i = 0; vals[i]; i++) {
|
|
- for (j = 0; userauth_table[j].name; j++) {
|
|
- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
|
|
- *userauth |= userauth_table[j].flag;
|
|
- break;
|
|
+ if (!vals) {
|
|
+ /* if there is no explicit ipaUserAuthType set, use objectclass */
|
|
+ vals = ldap_get_values_len(lcontext, le, "objectclass");
|
|
+ if (!vals)
|
|
+ return;
|
|
+
|
|
+ for (i = 0; vals[i]; i++) {
|
|
+ for (j = 0; objclass_table[j].name; j++) {
|
|
+ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) {
|
|
+ *userauth |= objclass_table[j].flag;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ } else {
|
|
+ for (i = 0; vals[i]; i++) {
|
|
+ for (j = 0; userauth_table[j].name; j++) {
|
|
+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) {
|
|
+ *userauth |= userauth_table[j].flag;
|
|
+ break;
|
|
+ }
|
|
}
|
|
}
|
|
}
|
|
+
|
|
+ /* If neither ipaUserAuthType nor objectClass were definitive,
|
|
+ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */
|
|
+ if (*userauth == IPADB_USER_AUTH_NONE) {
|
|
+ ldap_value_free_len(vals);
|
|
+ vals = ldap_get_values_len(lcontext, le, "krbprincipalname");
|
|
+ if (!vals)
|
|
+ return;
|
|
+ for (i = 0; vals[i]; i++) {
|
|
+ for (j = 0; princname_table[j].name; j++) {
|
|
+ if (strncmp(vals[i]->bv_val, princname_table[j].name,
|
|
+ strlen(princname_table[j].name)) == 0) {
|
|
+ *userauth |= princname_table[j].flag;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ }
|
|
/* If password auth is enabled, enable hardened policy too. */
|
|
if (*userauth & IPADB_USER_AUTH_PASSWORD) {
|
|
*userauth |= IPADB_USER_AUTH_HARDENED;
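Review bot: The krbprincipalname match on the `strncmp(vals[i]->bv_val, princname_table[j].name, strlen(princname_table[j].name)) == 0` lines is a pure prefix test, so any principal whose name merely begins with one of the table entries (a user named `krbtgtx`, constructed example) would be granted IPADB_USER_AUTH_PASSWORD and, via the block that follows, IPADB_USER_AUTH_HARDENED, which as far as this hunk shows is exactly what the commit means to reserve for the special principals. Because this branch runs only when neither ipaUserAuthType nor objectClass produced a value, ordinary user entries are presumably the ones that reach it, so the match should stop at a principal-component boundary: `size_t len = strlen(princname_table[j].name);` followed by `if (strncmp(vals[i]->bv_val, princname_table[j].name, len) == 0 && (vals[i]->bv_val[len] == '/' || vals[i]->bv_val[len] == '@' || vals[i]->bv_val[len] == '\0'))`. The comment above this block names only krbtgt/ and K/M although the table also covers the kadmin service principals; I would amend it to `check the krbPrincipalName for krbtgt/, K/M and the kadmin service principals`. ipadb_parse_user_auth begins before this hunk and its body, where vals is presumably released, continues past it.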
|
|
--
2.43.0