You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
50 lines
1.9 KiB
50 lines
1.9 KiB
From f7b6d43533d1d9ec3960e3d7f375995896768aef Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Wed, 6 May 2020 16:03:13 -0400
|
|
Subject: [PATCH] Omit KDC indicator check for S4U2Self requests
|
|
|
|
As there was no initial ticket exchange from the client for an
|
|
S4U2Self request, the auth indicator check is inapplicable (and would
|
|
always fail if any auth indicators are required).
|
|
|
|
ticket: 8902 (new)
|
|
(cherry picked from commit 183631fbf72351c2d5fc7d60b2d9fc4d09fe7465)
|
|
(cherry picked from commit 442f1fa5b2e4034954a51048414cc0863b914379)
|
|
---
|
|
src/kdc/do_tgs_req.c | 14 +++++++-------
|
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
|
index 241f34e2a..463a9c0dd 100644
|
|
--- a/src/kdc/do_tgs_req.c
|
|
+++ b/src/kdc/do_tgs_req.c
|
|
@@ -392,8 +392,8 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
|
|
}
|
|
authtime = subject_tkt->times.authtime;
|
|
|
|
- /* Extract auth indicators from the subject ticket, except for S4U2Self
|
|
- * requests (where the client didn't authenticate). */
|
|
+ /* Extract and check auth indicators from the subject ticket, except for
|
|
+ * S4U2Self requests (where the client didn't authenticate). */
|
|
if (s4u_x509_user == NULL) {
|
|
errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
|
|
&local_tgt_key, &auth_indicators);
|
|
@@ -401,12 +401,12 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
|
|
status = "GET_AUTH_INDICATORS";
|
|
goto cleanup;
|
|
}
|
|
- }
|
|
|
|
- errcode = check_indicators(kdc_context, server, auth_indicators);
|
|
- if (errcode) {
|
|
- status = "HIGHER_AUTHENTICATION_REQUIRED";
|
|
- goto cleanup;
|
|
+ errcode = check_indicators(kdc_context, server, auth_indicators);
|
|
+ if (errcode) {
|
|
+ status = "HIGHER_AUTHENTICATION_REQUIRED";
|
|
+ goto cleanup;
|
|
+ }
|
|
}
|
|
|
|
if (is_referral)
|