This appears to be the minimum needed to be able to set the OK-AS-DELEGATE
flag on an entry using kadmin, and to have the flag propagate back to clients
from the KDC. Note: this affects the KDB storage format, so this MUST NOT be
used until it's in upstream's tree.
Index: doc/admin.texinfo
|
||
|
===================================================================
|
||
|
--- doc/admin.texinfo (revision 19683)
|
||
|
+++ doc/admin.texinfo (working copy)
|
||
|
@@ -2758,6 +2758,13 @@
|
||
|
@samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears
|
||
|
this flag.
|
||
|
|
||
|
+@itemx @{-|+@}ok_as_delegate
|
||
|
+@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
|
||
|
+with this principal as the service, which clients may use as a hint that
|
||
|
+credentials can and should be delegated when authenticating to the service.
|
||
|
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
|
||
|
+this flag.
|
||
|
+
|
||
|
@itemx @{-|+@}allow_svr
|
||
|
@code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.
|
||
|
|
||
|
Index: src/include/kdb.h
|
||
|
===================================================================
|
||
|
--- src/include/kdb.h (revision 19683)
|
||
|
+++ src/include/kdb.h (working copy)
|
||
|
@@ -79,6 +79,7 @@
|
||
|
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
|
||
|
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
|
||
|
#define KRB5_KDB_NEW_PRINC 0x00008000
|
||
|
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
|
||
|
|
||
|
/* Creation flags */
|
||
|
#define KRB5_KDB_CREATE_BTREE 0x00000001
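Review bot: The new bit value 0x00010000 is written into each principal's attributes word in the database, so it becomes part of the on-disk KDB format rather than a private constant; the commit message acknowledges this, but nothing in kdb.h says so. If the value is later renumbered to whatever upstream assigns, entries already stored with this bit set would be silently reinterpreted as some other attribute (or lose the flag), so the define should carry the warning itself: `#define KRB5_KDB_OK_AS_DELEGATE 0x00010000 /* stored in KDB attributes; must match upstream's value before any database is written with it */`. It is also worth confirming that no other consumer of the attributes word already claims 0x00010000, since the bit is now exposed through kadmin and str_conv as well.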
|
||
|
Index: src/kdc/do_tgs_req.c
|
||
|
===================================================================
|
||
|
--- src/kdc/do_tgs_req.c (revision 19683)
|
||
|
+++ src/kdc/do_tgs_req.c (working copy)
|
||
|
@@ -533,6 +533,10 @@
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
|
||
|
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
|
||
|
+ }
|
||
|
+
|
||
|
ticket_reply.enc_part2 = &enc_tkt_reply;
|
||
|
|
||
|
/*
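Review bot: The added check only ever sets TKT_FLG_OK_AS_DELEGATE on enc_tkt_reply and never clears it. If enc_tkt_reply.flags is seeded from the incoming ticket's flags on some path of do_tgs_req (the renew/validate handling is outside this hunk, so this is inferred), a service ticket issued while the entry had +ok_as_delegate would keep the flag across renewals after an administrator runs -ok_as_delegate, and clients honouring the hint would keep delegating to that service until the ticket expires. Making the database state authoritative in both directions is a one-line addition after the setflag branch, `else clearflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);`, assuming the clearflag macro is in scope here as setflag and isflagset are. Since enc_tkt_reply is the encrypted part of the issued ticket (line `ticket_reply.enc_part2 = &enc_tkt_reply;`), the KDC is the only party that can set or clear this flag, so this is the right place to enforce it. do_tgs_req starts and ends outside this hunk.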
|
||
|
Index: src/kdc/do_as_req.c
|
||
|
===================================================================
|
||
|
--- src/kdc/do_as_req.c (revision 19683)
|
||
|
+++ src/kdc/do_as_req.c (working copy)
|
||
|
@@ -257,6 +257,10 @@
|
||
|
enc_tkt_reply.caddrs = request->addresses;
|
||
|
enc_tkt_reply.authorization_data = 0;
|
||
|
|
||
|
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
|
||
|
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
|
||
|
+ }
|
||
|
+
|
||
|
/*
|
||
|
* Check the preauthentication if it is there.
|
||
|
*/
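Review bot: In the AS path the `server` whose attributes are consulted is, for an ordinary initial request, the realm's own krbtgt entry rather than an application service, so `+ok_as_delegate` on a krbtgt/* principal ends up on TGTs; the server lookup is outside this hunk, so this is inferred from the AS-REQ flow. The kadmin documentation added alongside describes the flag purely in terms of application services, and a caveat that the flag on a krbtgt entry marks the TGT itself, which clients may interpret differently from a service ticket (commonly, on cross-realm TGTs, as permission to trust the other realm's OK-AS-DELEGATE marks), would help administrators avoid setting it by accident. Suggested wording for admin.texinfo and kadmin.M: `Setting this flag on a krbtgt principal marks the TGT itself rather than an application service; check how your clients interpret OK-AS-DELEGATE on ticket-granting tickets before doing so.` do_as_req starts and ends outside this hunk.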
|
||
|
Index: src/kadmin/cli/kadmin.c
|
||
|
===================================================================
|
||
|
--- src/kadmin/cli/kadmin.c (revision 19683)
|
||
|
+++ src/kadmin/cli/kadmin.c (working copy)
|
||
|
@@ -65,7 +65,8 @@
|
||
|
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
|
||
|
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
|
||
|
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
|
||
|
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
|
||
|
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
|
||
|
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
|
||
|
};
|
||
|
|
||
|
static char *prflags[] = {
|
||
|
@@ -85,6 +86,7 @@
|
||
|
"PWCHANGE_SERVICE", /* 0x00002000 */
|
||
|
"SUPPORT_DESMD5", /* 0x00004000 */
|
||
|
"NEW_PRINC", /* 0x00008000 */
|
||
|
+ "OK_AS_DELEGATE" /* 0x00010000 */
|
||
|
};
|
||
|
|
||
|
char *getenv();
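Review bot: The prflags table is positional, with each entry's index being the bit number as the 0x00002000/0x00004000/0x00008000 comments on the preceding entries show, so `"OK_AS_DELEGATE" /* 0x00010000 */` is only correct while KRB5_KDB_OK_AS_DELEGATE stays at exactly 0x00010000. Given the commit message's own warning that the value must follow upstream, a renumbering would leave this entry printing the wrong name for bit 16 unless someone remembers to insert placeholder entries, and nothing in the array says so. A one-line comment above the array, `/* indexed by bit position: keep in sync with the KRB5_KDB_* values in kdb.h */`, makes the coupling visible; the array's opening line is in the previous hunk, so the comment would go just above it.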
|
||
|
@@ -1101,6 +1103,7 @@
|
||
|
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
|
||
|
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
|
||
|
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
|
||
|
+ "\t\tok_as_delegate\n"
|
||
|
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
|
||
|
"\t\t\tLook at each database documentation for supported arguments\n");
|
||
|
}
|
||
|
@@ -1117,6 +1120,7 @@
|
||
|
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
|
||
|
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
|
||
|
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
|
||
|
+ "\t\tok_as_delegate\n"
|
||
|
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
|
||
|
"\t\t\tLook at each database documentation for supported arguments\n"
|
||
|
);
|
||
|
Index: src/kadmin/cli/kadmin.M
|
||
|
===================================================================
|
||
|
--- src/kadmin/cli/kadmin.M (revision 19683)
|
||
|
+++ src/kadmin/cli/kadmin.M (working copy)
|
||
|
@@ -327,6 +327,16 @@
|
||
|
.B -requires_hwauth
|
||
|
clears this flag.
|
||
|
.TP
|
||
|
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
|
||
|
+.B +ok_as_delegate
|
||
|
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
|
||
|
+as the service, which clients may use as a hint that credentials can and
|
||
|
+should be delegated when authenticating to the service. (Sets the
|
||
|
+.SM KRB5_KDB_OK_AS_DELEGATE
|
||
|
+flag.)
|
||
|
+.B -ok_as_delegate
|
||
|
+clears this flag.
|
||
|
+.TP
|
||
|
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
|
||
|
.B -allow_svr
|
||
|
prohibits the issuance of service tickets for this principal. (Sets the
|
||
|
Index: src/lib/kadm5/str_conv.c
|
||
|
===================================================================
|
||
|
--- src/lib/kadm5/str_conv.c (revision 19683)
|
||
|
+++ src/lib/kadm5/str_conv.c (working copy)
|
||
|
@@ -73,6 +73,7 @@
|
||
|
static const char flags_tickets_in[] = "allow-tickets";
|
||
|
static const char flags_preauth_in[] = "preauth";
|
||
|
static const char flags_hwauth_in[] = "hwauth";
|
||
|
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
|
||
|
static const char flags_pwchange_in[] = "pwchange";
|
||
|
static const char flags_service_in[] = "service";
|
||
|
static const char flags_pwsvc_in[] = "pwservice";
|
||
|
@@ -86,6 +87,7 @@
|
||
|
static const char flags_tickets_out[] = "All Tickets Disallowed";
|
||
|
static const char flags_preauth_out[] = "Preauthorization required";
|
||
|
static const char flags_hwauth_out[] = "HW Authorization required";
|
||
|
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
|
||
|
static const char flags_pwchange_out[] = "Password Change required";
|
||
|
static const char flags_service_out[] = "Service Disabled";
|
||
|
static const char flags_pwsvc_out[] = "Password Changing Service";
|
||
|
@@ -109,6 +111,7 @@
|
||
|
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
|
||
|
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
|
||
|
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
|
||
|
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
|
||
|
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
|
||
|
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
|
||
|
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
|