From 1fb026105ef397612a504722b2bcac29fbc69676 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 11:54:04 +0200
Subject: [PATCH] ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched independently of the user authentication types via certmap
plugin in KDC.
Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 436ee0e62665594062e7be37e5b7925f76e921a0..2802221c79fe63ab4bd33bfbe4859517f3d91ec5 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]);
} else if (strcmp(auth_indicator, "pkinit") == 0) {
valid_auth_indicators++;
- if (!(ua & IPADB_USER_AUTH_PKINIT)) {
- *status = "PKINIT pre-authentication not allowed for this user.";
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
- }
+ /* allow PKINIT unconditionally -- it has passed already at this
+ * point so some certificate was useful, only apply the limits */
pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]);
} else if (strcmp(auth_indicator, "hardened") == 0) {
valid_auth_indicators++;
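Review bot: The new comment at `/* allow PKINIT unconditionally -- ...` explains why the `ua & IPADB_USER_AUTH_PKINIT` check was dropped but not what enforcement remains, so a later maintainer cannot tell from this branch whether the user's auth-type mask is still meant to gate PKINIT or whether its absence here is a regression to put back. The `ua` mask is still consulted by the sibling branches (the removed line shows it is available in this function), and this branch is now the one place it is deliberately ignored, which deserves saying explicitly with the reason and the tracking reference. Suggested wording: `/* PKINIT is intentionally not gated by the user's auth-type mask (ua): the client certificate was already validated and mapped by the KDC certmap plugin before this policy runs (see freeipa issue 9485); only the PKINIT ticket-policy limits are applied here. */`. ipa_kdcpolicy_check_as begins and ends outside the hunk.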
--
2.43.0