205 lines
8.8 KiB
Diff
205 lines
8.8 KiB
Diff
From f44ef4893050e673f495444c27a19525813f75a8 Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Mon, 11 Jun 2018 13:53:27 -0400
|
|
Subject: [PATCH] Add flag to disable encrypted timestamp on client
|
|
|
|
ticket: 8655
|
|
(cherry picked from commit 4ad376134b8d456392edbac7a7d351e6c7a7f0e7)
|
|
---
|
|
doc/admin/conf_files/krb5_conf.rst | 10 ++++++++++
|
|
doc/admin/spake.rst | 8 ++++++++
|
|
src/include/k5-int.h | 1 +
|
|
src/include/k5-trace.h | 2 ++
|
|
src/lib/krb5/krb/get_in_tkt.c | 23 +++++++++++++++++++++++
|
|
src/lib/krb5/krb/init_creds_ctx.h | 1 +
|
|
src/lib/krb5/krb/preauth_encts.c | 14 +++++++++++++-
|
|
src/tests/t_referral.py | 13 +++++++++++++
|
|
8 files changed, 71 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
|
index ce545492d..eb5c29e5d 100644
|
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
|
@@ -475,6 +475,16 @@ following tags may be specified in the realm's subsection:
|
|
(for example, when converting ``rcmd.hostname`` to
|
|
``host/hostname.domain``).
|
|
|
|
+**disable_encrypted_timestamp**
|
|
+ If this flag is true, the client will not perform encrypted
|
|
+ timestamp preauthentication if requested by the KDC. Setting this
|
|
+ flag can help to prevent dictionary attacks by active attackers,
|
|
+ if the realm's KDCs support SPAKE preauthentication or if initial
|
|
+ authentication always uses another mechanism or always uses FAST.
|
|
+ This flag persists across client referrals during initial
|
|
+ authentication. This flag does not prevent the KDC from offering
|
|
+ encrypted timestamp. New in release 1.17.
|
|
+
|
|
**http_anchors**
|
|
When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag
|
|
can be used to specify the location of the CA certificate which should be
|
|
diff --git a/doc/admin/spake.rst b/doc/admin/spake.rst
|
|
index b65c694aa..4f6eeaf53 100644
|
|
--- a/doc/admin/spake.rst
|
|
+++ b/doc/admin/spake.rst
|
|
@@ -30,6 +30,14 @@ principal entries, as you would for any preauthentication mechanism::
|
|
Clients which do not implement SPAKE preauthentication will fall back
|
|
to encrypted timestamp.
|
|
|
|
+An active attacker can force a fallback to encrypted timestamp by
|
|
+modifying the initial KDC response, defeating the protection against
|
|
+dictionary attacks. To prevent this fallback on clients which do
|
|
+implement SPAKE preauthentication, set the
|
|
+**disable_encrypted_timestamp** variable to ``true`` in the
|
|
+:ref:`realms` subsection for realms whose KDCs offer SPAKE
|
|
+preauthentication.
|
|
+
|
|
By default, SPAKE preauthentication requires an extra network round
|
|
trip to the KDC during initial authentication. If most of the clients
|
|
in a realm support SPAKE, this extra round trip can be eliminated
|
|
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
|
index 86b53c76b..e4a9a1412 100644
|
|
--- a/src/include/k5-int.h
|
|
+++ b/src/include/k5-int.h
|
|
@@ -204,6 +204,7 @@ typedef unsigned char u_char;
|
|
#define KRB5_CONF_DES_CRC_SESSION_SUPPORTED "des_crc_session_supported"
|
|
#define KRB5_CONF_DICT_FILE "dict_file"
|
|
#define KRB5_CONF_DISABLE "disable"
|
|
+#define KRB5_CONF_DISABLE_ENCRYPTED_TIMESTAMP "disable_encrypted_timestamp"
|
|
#define KRB5_CONF_DISABLE_LAST_SUCCESS "disable_last_success"
|
|
#define KRB5_CONF_DISABLE_LOCKOUT "disable_lockout"
|
|
#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME "dns_canonicalize_hostname"
|
|
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
|
|
index 5f7eb9517..0854974dc 100644
|
|
--- a/src/include/k5-trace.h
|
|
+++ b/src/include/k5-trace.h
|
|
@@ -299,6 +299,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
|
|
#define TRACE_PREAUTH_ENC_TS(c, sec, usec, plain, enc) \
|
|
TRACE(c, "Encrypted timestamp (for {long}.{int}): plain {hexdata}, " \
|
|
"encrypted {hexdata}", (long) sec, (int) usec, plain, enc)
|
|
+#define TRACE_PREAUTH_ENC_TS_DISABLED(c) \
|
|
+ TRACE(c, "Ignoring encrypted timestamp because it is disabled")
|
|
#define TRACE_PREAUTH_ETYPE_INFO(c, etype, salt, s2kparams) \
|
|
TRACE(c, "Selected etype info: etype {etype}, salt \"{data}\", " \
|
|
"params \"{data}\"", etype, salt, s2kparams)
|
|
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
index c026bbc6d..79dede2c6 100644
|
|
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
@@ -801,6 +801,24 @@ read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx)
|
|
free(tmp);
|
|
}
|
|
|
|
+/* Return true if encrypted timestamp is disabled for realm. */
|
|
+static krb5_boolean
|
|
+encts_disabled(profile_t profile, const krb5_data *realm)
|
|
+{
|
|
+ krb5_error_code ret;
|
|
+ char *realmstr;
|
|
+ int bval;
|
|
+
|
|
+ realmstr = k5memdup0(realm->data, realm->length, &ret);
|
|
+ if (realmstr == NULL)
|
|
+ return FALSE;
|
|
+ ret = profile_get_boolean(profile, KRB5_CONF_REALMS, realmstr,
|
|
+ KRB5_CONF_DISABLE_ENCRYPTED_TIMESTAMP, FALSE,
|
|
+ &bval);
|
|
+ free(realmstr);
|
|
+ return (ret == 0) ? bval : FALSE;
|
|
+}
|
|
+
|
|
/**
|
|
* Throw away any pre-authentication realm state and begin with a
|
|
* unauthenticated or optimistically authenticated request. If fast_upgrade is
|
|
@@ -842,6 +860,11 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
|
|
goto cleanup;
|
|
}
|
|
|
|
+ /* Never set encts_disabled back to false, so it can't be circumvented with
|
|
+ * client realm referrals. */
|
|
+ if (encts_disabled(context->profile, &ctx->request->client->realm))
|
|
+ ctx->encts_disabled = TRUE;
|
|
+
|
|
krb5_free_principal(context, ctx->request->server);
|
|
ctx->request->server = NULL;
|
|
|
|
diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
|
|
index 7ba61e17c..7a6219b1c 100644
|
|
--- a/src/lib/krb5/krb/init_creds_ctx.h
|
|
+++ b/src/lib/krb5/krb/init_creds_ctx.h
|
|
@@ -61,6 +61,7 @@ struct _krb5_init_creds_context {
|
|
krb5_boolean info_pa_permitted;
|
|
krb5_boolean restarted;
|
|
krb5_boolean fallback_disabled;
|
|
+ krb5_boolean encts_disabled;
|
|
struct krb5_responder_context_st rctx;
|
|
krb5_preauthtype selected_preauth_type;
|
|
krb5_preauthtype allowed_preauth_type;
|
|
diff --git a/src/lib/krb5/krb/preauth_encts.c b/src/lib/krb5/krb/preauth_encts.c
|
|
index 45bf9da92..345701984 100644
|
|
--- a/src/lib/krb5/krb/preauth_encts.c
|
|
+++ b/src/lib/krb5/krb/preauth_encts.c
|
|
@@ -28,6 +28,7 @@
|
|
#include <k5-int.h>
|
|
#include <krb5/clpreauth_plugin.h>
|
|
#include "int-proto.h"
|
|
+#include "init_creds_ctx.h"
|
|
|
|
static krb5_error_code
|
|
encts_prep_questions(krb5_context context, krb5_clpreauth_moddata moddata,
|
|
@@ -38,7 +39,10 @@ encts_prep_questions(krb5_context context, krb5_clpreauth_moddata moddata,
|
|
krb5_data *encoded_previous_request,
|
|
krb5_pa_data *pa_data)
|
|
{
|
|
- cb->need_as_key(context, rock);
|
|
+ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
|
|
+
|
|
+ if (!ctx->encts_disabled)
|
|
+ cb->need_as_key(context, rock);
|
|
return 0;
|
|
}
|
|
|
|
@@ -51,6 +55,7 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata,
|
|
krb5_prompter_fct prompter, void *prompter_data,
|
|
krb5_pa_data ***out_padata)
|
|
{
|
|
+ krb5_init_creds_context ctx = (krb5_init_creds_context)rock;
|
|
krb5_error_code ret;
|
|
krb5_pa_enc_ts pa_enc;
|
|
krb5_data *ts = NULL, *enc_ts = NULL;
|
|
@@ -60,6 +65,13 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata,
|
|
|
|
enc_data.ciphertext = empty_data();
|
|
|
|
+ if (ctx->encts_disabled) {
|
|
+ TRACE_PREAUTH_ENC_TS_DISABLED(context);
|
|
+ k5_setmsg(context, KRB5_PREAUTH_FAILED,
|
|
+ _("Encrypted timestamp is disabled"));
|
|
+ return KRB5_PREAUTH_FAILED;
|
|
+ }
|
|
+
|
|
ret = cb->get_as_key(context, rock, &as_key);
|
|
if (ret)
|
|
goto cleanup;
|
|
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
|
|
index 98fdf2925..e12fdc2e9 100755
|
|
--- a/src/tests/t_referral.py
|
|
+++ b/src/tests/t_referral.py
|
|
@@ -126,4 +126,17 @@ r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
|
|
r1.kinit('abc@XYZ', 'pw', ['-E'])
|
|
r1.klist('abc\@XYZ@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
|
|
|
|
+# Test that disable_encrypted_timestamp persists across client
|
|
+# referrals. (This test relies on SPAKE not being enabled by default
|
|
+# on the KDC.)
|
|
+r2.run([kadminl, 'modprinc', '+preauth', 'user'])
|
|
+msgs = ('Encrypted timestamp (for ')
|
|
+r1.kinit('user', password('user'), ['-C'], expected_trace=msgs)
|
|
+dconf = {'realms': {'$realm': {'disable_encrypted_timestamp': 'true'}}}
|
|
+denv = r1.special_env('disable_encts', False, krb5_conf=dconf)
|
|
+msgs = ('Ignoring encrypted timestamp because it is disabled',
|
|
+ '/Encrypted timestamp is disabled')
|
|
+r1.kinit('user', None, ['-C'], env=denv, expected_code=1, expected_trace=msgs,
|
|
+ expected_msg='Encrypted timestamp is disabled')
|
|
+
|
|
success('KDC host referral tests')
|