From 61f3943f9fc237936ed9fd098edcd8dcc43b8da7 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 6 May 2020 16:03:13 -0400
Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
|
As there was no initial ticket exchange from the client for an
S4U2Self request, the auth indicator check is inapplicable (and would
always fail if any auth indicators are required).
|
ticket: 8902 (new)
(cherry picked from commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465)
(cherry picked from commit 442f1fa5b2e4034954a51048414cc0863b914379)
---
src/kdc/do_tgs_req.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
|
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
|
|
10fa70 |
index 241f34e2a..463a9c0dd 100644
|
|
|
10fa70 |
--- a/src/kdc/do_tgs_req.c
|
|
|
10fa70 |
+++ b/src/kdc/do_tgs_req.c
|
|
|
10fa70 |
@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
|
|
|
10fa70 |
}
|
|
|
10fa70 |
authtime = subject_tkt->times.authtime;
|
|
|
10fa70 |
|
|
|
10fa70 |
- /* Extract auth indicators from the subject ticket, except for S4U2Self
|
|
|
10fa70 |
- * requests (where the client didn't authenticate). */
|
|
|
10fa70 |
+ /* Extract and check auth indicators from the subject ticket, except for
|
|
|
10fa70 |
+ * S4U2Self requests (where the client didn't authenticate). */
|
|
|
10fa70 |
if (s4u_x509_user == NULL) {
|
|
|
10fa70 |
errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
|
|
|
10fa70 |
&local_tgt_key, &auth_indicators);
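Review bot: The rewritten comment on the `+` lines says the check is skipped for S4U2Self but not what that means for the server's policy, which is the security-relevant consequence a maintainer reading this branch needs. I would extend it to `/* ... S4U2Self requests (where the client didn't authenticate): the issued ticket carries no indicators and the server's require_auth list is not enforced on this path. */`. The body of process_tgs_req starts and ends outside this hunk, so where `auth_indicators` is initialised for the S4U2Self case is not visible here.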
|
|
|
10fa70 |
@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
|
|
|
10fa70 |
status = "GET_AUTH_INDICATORS";
|
|
|
10fa70 |
goto cleanup;
|
|
|
10fa70 |
}
|
|
|
10fa70 |
- }
|
|
|
10fa70 |
|
|
|
10fa70 |
- errcode = check_indicators(kdc_context, server, auth_indicators);
|
|
|
10fa70 |
- if (errcode) {
|
|
|
10fa70 |
- status = "HIGHER_AUTHENTICATION_REQUIRED";
|
|
|
10fa70 |
- goto cleanup;
|
|
|
10fa70 |
+ errcode = check_indicators(kdc_context, server, auth_indicators);
|
|
|
10fa70 |
+ if (errcode) {
|
|
|
10fa70 |
+ status = "HIGHER_AUTHENTICATION_REQUIRED";
|
|
|
10fa70 |
+ goto cleanup;
|
|
|
10fa70 |
+ }
|
|
|
10fa70 |
}
|
|
|
10fa70 |
|
|
|
10fa70 |
if (is_referral)
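Review bot: Moving `check_indicators` inside the `s4u_x509_user == NULL` block means an S4U2Self request for a service that has a `require_auth` setting is now granted without any indicator enforcement and without the `HIGHER_AUTHENTICATION_REQUIRED` status ever being logged for that path, which matches the commit message but is an observable policy change that deserves a note at the point of use. I would add, just before the closing `}` of the new block, `/* S4U2Self path skipped: no pre-auth occurred, so require_auth cannot be applied here. */` so an operator auditing indicator enforcement understands why these requests never produce that log line. On the S4U2Self path `auth_indicators` is left at whatever value it had before this hunk; presumably it is initialised to NULL earlier in process_tgs_req and later consumers tolerate that, but the function's start and end are outside the hunk so this cannot be confirmed from here.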
|