Fix use of enterprise principals with forwarding
This commit is contained in:
parent
0dc40d929f
commit
82cabae196
58
Add-the-client_name-kdcpreauth-callback.patch
Normal file
58
Add-the-client_name-kdcpreauth-callback.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 5d560c28ff46b04013ab64dc51a7d912d38b01de Mon Sep 17 00:00:00 2001
|
||||
From: Matt Rogers <mrogers@redhat.com>
|
||||
Date: Tue, 4 Apr 2017 16:54:56 -0400
|
||||
Subject: [PATCH] Add the client_name() kdcpreauth callback
|
||||
|
||||
Add a kdcpreauth callback to returns the canonicalized client principal.
|
||||
|
||||
ticket: 8570 (new)
|
||||
(cherry picked from commit a84f39ec30f3deeda7836da6e8b3d8dcf7a045b1)
|
||||
---
|
||||
src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
|
||||
src/kdc/kdc_preauth.c | 9 ++++++++-
|
||||
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
|
||||
index 92aa5a5a5..fa4436b83 100644
|
||||
--- a/src/include/krb5/kdcpreauth_plugin.h
|
||||
+++ b/src/include/krb5/kdcpreauth_plugin.h
|
||||
@@ -232,6 +232,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
|
||||
krb5_kdcpreauth_rock rock,
|
||||
krb5_principal princ);
|
||||
|
||||
+ /*
|
||||
+ * Get an alias to the client DB entry principal (possibly canonicalized).
|
||||
+ */
|
||||
+ krb5_principal (*client_name)(krb5_context context,
|
||||
+ krb5_kdcpreauth_rock rock);
|
||||
+
|
||||
/* End of version 4 kdcpreauth callbacks. */
|
||||
|
||||
} *krb5_kdcpreauth_callbacks;
|
||||
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
|
||||
index 0ce79c667..81d0b8cff 100644
|
||||
--- a/src/kdc/kdc_preauth.c
|
||||
+++ b/src/kdc/kdc_preauth.c
|
||||
@@ -591,6 +591,12 @@ match_client(krb5_context context, krb5_kdcpreauth_rock rock,
|
||||
return match;
|
||||
}
|
||||
|
||||
+static krb5_principal
|
||||
+client_name(krb5_context context, krb5_kdcpreauth_rock rock)
|
||||
+{
|
||||
+ return rock->client->princ;
|
||||
+}
|
||||
+
|
||||
static struct krb5_kdcpreauth_callbacks_st callbacks = {
|
||||
4,
|
||||
max_time_skew,
|
||||
@@ -607,7 +613,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
|
||||
add_auth_indicator,
|
||||
get_cookie,
|
||||
set_cookie,
|
||||
- match_client
|
||||
+ match_client,
|
||||
+ client_name
|
||||
};
|
||||
|
||||
static krb5_error_code
|
29
Use-the-canonical-client-principal-name-for-OTP.patch
Normal file
29
Use-the-canonical-client-principal-name-for-OTP.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From ca74a8a49f4a05c0b602c9dc473fd16fe71847fd Mon Sep 17 00:00:00 2001
|
||||
From: Matt Rogers <mrogers@redhat.com>
|
||||
Date: Wed, 5 Apr 2017 16:48:55 -0400
|
||||
Subject: [PATCH] Use the canonical client principal name for OTP
|
||||
|
||||
In the OTP module, when constructing the RADIUS request, use the
|
||||
canonicalized client principal (using the new client_name kdcpreauth
|
||||
callback) instead of the request client principal.
|
||||
|
||||
ticket: 8571 (new)
|
||||
(cherry picked from commit 6411398e35e343cdc4d2d103b079c4d3b9031f7e)
|
||||
---
|
||||
src/plugins/preauth/otp/main.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c
|
||||
index 2649e9a90..a1b681682 100644
|
||||
--- a/src/plugins/preauth/otp/main.c
|
||||
+++ b/src/plugins/preauth/otp/main.c
|
||||
@@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
|
||||
|
||||
/* Send the request. */
|
||||
otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
|
||||
- request->client, config, req, on_response, rs);
|
||||
+ cb->client_name(context, rock), config, req, on_response,
|
||||
+ rs);
|
||||
cb->free_string(context, rock, config);
|
||||
|
||||
k5_free_pa_otp_req(context, req);
|
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.15.1
|
||||
# for prerelease, should be e.g., 0.3.beta2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||
# - The sources below are stored in a lookaside cache. Upload with
|
||||
@ -69,6 +69,8 @@ Patch18: Add-test-cert-generation-to-make-certs.sh.patch
|
||||
Patch19: Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
|
||||
Patch20: Deindent-crypto_retrieve_X509_sans.patch
|
||||
Patch21: Add-certauth-pluggable-interface.patch
|
||||
Patch22: Add-the-client_name-kdcpreauth-callback.patch
|
||||
Patch23: Use-the-canonical-client-principal-name-for-OTP.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -719,6 +721,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Fri Apr 07 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-4
|
||||
- Fix use of enterprise principals with forwarding
|
||||
|
||||
* Wed Mar 22 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-3
|
||||
- Backport certauth plugin and related pkinit changes
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user