1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
From 6fad7d45701234c8e81300d50dd5b8037d846d11 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 Feb 2019 23:59:59 -0800
Subject: [PATCH] Ignore password attributes for S4U2Self requests
For consistency with Windows KDCs, allow protocol transition to work
even if the password has expired or needs changing.
Also, when looking up an enterprise principal with an AS request,
treat ERR_KEY_EXP as confirmation that the client is present in the
realm.
[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
commit message]
ticket: 8763 (new)
tags: pullup
target_version: 1.17
Upsteam-Status: Backport [https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086]
CVE: CVE-2018-20217
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
---
src/kdc/kdc_util.c | 5 +++++
src/lib/krb5/krb/s4u_creds.c | 2 +-
src/tests/gssapi/t_s4u.py | 8 ++++++++
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 754570c..034c979 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
memset(&no_server, 0, sizeof(no_server));
+ /* Ignore password expiration and needchange attributes (as Windows
+ * does), since S4U2Self is not password authentication. */
+ princ->pw_expiration = 0;
+ clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
+
code = validate_as_request(kdc_active_realm, request, *princ,
no_server, kdc_time, status, &e_data);
if (code) {
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 91c02aa..2037984 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context,
code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
opts, krb5_get_as_key_noop, &userid, &use_master,
NULL);
- if (code == 0 || code == KRB5_PREAUTH_FAILED) {
+ if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
*canon_user = userid.user;
userid.user = NULL;
code = 0;
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 3da6544..ba0469e 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -20,6 +20,14 @@ pservice2 = 'p:' + service2
# Get forwardable creds for service1 in the default cache.
realm.kinit(service1, None, ['-f', '-k'])
+# Try S4U2Self for user with a restricted password.
+realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-needchange',
+ '-pwexpire', '1/1/2000', realm.user_princ])
+realm.run(['./t_s4u', 'e:user', '-'])
+realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
+
# Try krb5 -> S4U2Proxy with forwardable user creds. This should fail
# at the S4U2Proxy step since the DB2 back end currently has no
# support for allowing it.
--
2.17.1
|
