From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001 From: Julien Rische Date: Tue, 1 Feb 2022 16:43:09 +0100 Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users Since 5d51ae5, principal keys were dropped in case user auth indicator was not including password. Thereafter, the key removal behavior was removed by 15ff9c8 in the context of the kdcpolicy plugin introduction. Support for hardened pre-auth methods (FAST and SPAKE) was added in d057040, and the removal of principal keys was restored afterwards by f0d12b7, but not taking the new hardened auth indicator into account. Fixes: https://pagure.io/freeipa/issue/9065 Related to: https://pagure.io/freeipa/issue/8001 Signed-off-by: Julien Rische Reviewed-By: Alexander Bokovoy Reviewed-By: Francisco Trivino --- daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index 15f3df4fee8bdfadf60a4b1d9a5115407d1bb294..0d0d3748ce63a8252e84220d036140818ffdfb6e 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, &res_key_data, &result, &mkvno); switch (ret) { case 0: - /* Only set a principal's key if password auth can be used. Otherwise - * the KDC would add pre-authentication methods to the NEEDED_PREAUTH - * reply for AS-REQs which indicate the password authentication is - * available. This might confuse applications like e.g. SSSD which try - * to determine suitable authentication methods and corresponding - * prompts with the help of MIT Kerberos' responder interface which - * acts on the returned pre-authentication methods. A typical example - * is enforced OTP authentication where of course keys are available - * for the first factor but password authentication should not be - * advertised by the KDC. */ - if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) { + /* Only set a principal's key if password or hardened auth can be used. + * Otherwise the KDC would add pre-authentication methods to the + * NEEDED_PREAUTH reply for AS-REQs which indicate the password + * authentication is available. This might confuse applications like + * e.g. SSSD which try to determine suitable authentication methods and + * corresponding prompts with the help of MIT Kerberos' responder + * interface which acts on the returned pre-authentication methods. A + * typical example is enforced OTP authentication where of course keys + * are available for the first factor but password authentication + * should not be advertised by the KDC. */ + if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) && + (ua != IPADB_USER_AUTH_NONE)) { /* This is the same behavior as ENOENT below. */ ipa_krb5_free_key_data(res_key_data, result); break; -- 2.34.1