e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection
- Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit
- Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca'
- Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT
- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
- Resolves: RHEL-21810 ipa-client-install --automount-location does not work
- Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0
- Resolves: RHEL-21812 Backport latest test fixes in ipa
- Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa
- Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing
- Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
42 lines
1.8 KiB
Diff
From 1fb026105ef397612a504722b2bcac29fbc69676 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:54:04 +0200
Subject: [PATCH] ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched independently of the user authentication types via certmap
plugin in KDC.
Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 436ee0e62665594062e7be37e5b7925f76e921a0..2802221c79fe63ab4bd33bfbe4859517f3d91ec5 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
- if (!(ua & IPADB_USER_AUTH_PKINIT)) {
- *status = "PKINIT pre-authentication not allowed for this user.";
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
- }
+ /* allow PKINIT unconditionally -- it has passed already at this
+ * point so some certificate was useful, only apply the limits */
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
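Review bot: the replacement comment in the "pkinit" branch is now the only in-code justification for dropping the per-user `IPADB_USER_AUTH_PKINIT` check, and "it has passed already at this point so some certificate was useful" does not say what was actually verified. Spell out what the commit message says, so nobody later "restores" the check as a regression: the KDC's PKINIT pre-auth and certmap plugin have already validated the client certificate and mapped it to this principal before `ipa_kdcpolicy_check_as` runs, which is why the user's configured auth types are deliberately not consulted here, while the `pol_limits` for `IPADB_USER_AUTH_IDX_PKINIT` still apply. Two smaller points: the deleted lines were the only visible use of `ua` in this branch, so confirm `ua` is still read elsewhere in the function or the compiler will warn about an unused variable; and the "--" inside the C comment reads oddly next to the patch trailer, a plain comma or semicolon would be clearer.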
--
2.43.0