On 10/09/2012 12:28 PM, Sumit Bose wrote:
On Tue, Oct 09, 2012 at 11:38:57AM +0200, Ondrej Kos wrote:
https://fedorahosted.org/sssd/ticket/1499

Adds a log message about not finding an appropriate entry in the keytab and using
the last keytab entry when validation is enabled.

Adds more information about validation to the manpage.

Patch is attached.

O.
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech

phone: +420-532-294-558
cell:  +420-736-417-909
ext:   82-62558
loc:   1/5C Brno 1 office
irc:   okos @ #brno

diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index f4fd1cb73941e23d8e39d234bf8fd2ae8ae54554..a67e4215f7e897afb37708695e56459cfa968f25 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -231,7 +231,12 @@
                      <term>krb5_validate (boolean)</term>
                      <listitem>
                          <para>
-                            Verify with the help of krb5_keytab that the TGT 
obtained has not been spoofed.
+                            Verify with the help of krb5_keytab that the TGT
+                            obtained has not been spoofed. If there's no entry 
with
+                            corresponding realm found in keytab, the last one 
is used.
+                            This can be utilized to achieve validation in 
enviroments
+                            with cross-realm trust by placing appropriate 
keytab entry
+                            as the last one.

For completeness I would add that the first entry with a matching realm
is taken. This might be important to know because pam_krb5 uses a more
elaborate scheme. For a future version we might want to add an option to
switch to the scheme used by pam_krb5.

bye,
Sumit
I forgot this one. Updated.

                          </para>
                          <para>
                              Default: false
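Review bot: "enviroments" in the added line "This can be utilized to achieve validation in enviroments" is misspelled; it should read "environments". In the same paragraph, "If there's no entry with corresponding realm found in keytab" is manpage prose and reads better as "If no entry with the corresponding realm is found in the keytab".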
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b2d5bdaeb9d4b1ac8de12055a4d6bb5a7f48a7f1..ff6a30147bb9d7edac7bab364d5d9004451f6ffb 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
      krb5_keytab_entry entry;
      krb5_verify_init_creds_opt opt;
      krb5_principal validation_princ = NULL;
+    bool entry_found = false;

      memset(&keytab, 0, sizeof(keytab));
      kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
@@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
          if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
              DEBUG(SSSDBG_TRACE_INTERNAL,
                    ("Found keytab entry with the realm of the credential.\n"));
+            entry_found = true;
              break;
          }
      }

+    if (!entry_found) {
+        DEBUG(SSSDBG_TRACE_INTERNAL,
+                ("Keytab entry with the realm of the credential not found "
+                 "in keytab. Using the last entry.\n"));
+    }
+
      /* Close the keytab here.  Even though we're using cursors, the file
       * handle is stored in the krb5_keytab structure, and it gets
       * overwritten when the verify_init_creds() call below creates its own
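Review bot: the new "Using the last entry" message in the `if (!entry_found)` block is logged at SSSDBG_TRACE_INTERNAL, the same level as the routine "Found keytab entry with the realm of the credential" trace just above it. Falling back to an entry from a different realm changes what the TGT is actually verified against, so an admin debugging a cross-realm validation failure will want to see it without full tracing; consider a more visible level such as SSSDBG_CONF_SETTINGS for the fallback message.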

Just a nitpick: entry_found is a bit misleading, because we always find
an entry, at least the last one. E.g. realm_entry_found would be more
precise.

bye,
Sumit
Not a problem, it didn't cross my mind.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel


New patch attached.

O.


From d089e81ec725ff8168229f898f0a9a8dfe0d96dc Mon Sep 17 00:00:00 2001
From: Ondrej Kos <o...@redhat.com>
Date: Tue, 9 Oct 2012 11:34:56 +0200
Subject: [PATCH] Add more info about ticket validation

https://fedorahosted.org/sssd/ticket/1499

Adds a log message about not finding an appropriate entry in the keytab and using
the last keytab entry when validation is enabled.

Adds more information about validation to the manpage.
---
 src/man/sssd-krb5.5.xml         | 9 ++++++++-
 src/providers/krb5/krb5_child.c | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index f4fd1cb73941e23d8e39d234bf8fd2ae8ae54554..4d5062ba450203ba6c8722e8b178d7a3a7f5a70b 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -231,7 +231,14 @@
                     <term>krb5_validate (boolean)</term>
                     <listitem>
                         <para>
-                            Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
+                            Verify with the help of krb5_keytab that the TGT
+                            obtained has not been spoofed. The keytab is checked for
+                            entries from top to bottom, and the first entry with matching
+                            realm is used for validation. If there's no entry with
+                            corresponding realm found in the keytab, the last one is used.
+                            This can be utilized to achieve validation in enviroments
+                            with cross-realm trust by placing appropriate keytab entry
+                            as the last one or the only one.
                         </para>
                         <para>
                             Default: false
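Review bot: "enviroments" is still misspelled in the rewritten paragraph ("validation in enviroments with cross-realm trust"); it should be "environments". Two smaller wording points in the same hunk: "If there's no entry with corresponding realm found in the keytab" reads better as "If no entry with the corresponding realm is found in the keytab", and "by placing appropriate keytab entry" wants an article, "by placing the appropriate keytab entry".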
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index b2d5bdaeb9d4b1ac8de12055a4d6bb5a7f48a7f1..00da7ea35f503256ca1b750f9b94e3eccfbdbb96 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
     krb5_keytab_entry entry;
     krb5_verify_init_creds_opt opt;
     krb5_principal validation_princ = NULL;
+    bool realm_entry_found = false;
 
     memset(&keytab, 0, sizeof(keytab));
     kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
@@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
         if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
             DEBUG(SSSDBG_TRACE_INTERNAL,
                   ("Found keytab entry with the realm of the credential.\n"));
+            realm_entry_found = true;
             break;
         }
     }
 
+    if (!realm_entry_found) {
+        DEBUG(SSSDBG_TRACE_INTERNAL,
+                ("Keytab entry with the realm of the credential not found "
+                 "in keytab. Using the last entry.\n"));
+    }
+
     /* Close the keytab here.  Even though we're using cursors, the file
      * handle is stored in the krb5_keytab structure, and it gets
      * overwritten when the verify_init_creds() call below creates its own
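Review bot: the "Using the last entry" message assumes the loop above assigned validation_princ at least once. validation_princ is initialised to NULL in the previous hunk, so with an empty keytab the loop body never runs, realm_entry_found stays false and this message claims a last entry that does not exist. Worth confirming that an earlier check already rejects an empty keytab before this point, or else logging that case separately instead of "Using the last entry".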
-- 
1.7.11.4

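The selection rule the manpage paragraph describes (the keytab is walked top to bottom, the first entry whose realm matches the credential's realm is used, otherwise the last entry) as an added, self-contained example; this is not SSSD's code. The realm names, principals and keytab order are constructed for the example, and the realm comparison is done on the text after the last "@" of a principal string rather than with krb5_realm_compare() on parsed principals.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not SSSD code: a model of the keytab walk that the
 * krb5_validate manpage text describes. A principal is treated as a plain
 * "name@REALM" string and its realm is whatever follows the last '@'
 * (assumption: no escaped '@' inside the name component).
 */
static const char *principal_realm(const char *princ)
{
    const char *at = strrchr(princ, '@');

    return (at != NULL && at[1] != '\0') ? at + 1 : NULL;
}

/*
 * Pick the keytab entry validation would use for a credential from
 * cred_realm. entries[] holds principal names in keytab order, as
 * "klist -k" lists them. Returns the index of the first entry whose realm
 * equals cred_realm; if none matches, the index of the last entry; -1 for
 * an empty keytab. When realm_matched is non-NULL it reports whether the
 * result came from a realm match (true) or from the last-entry fallback.
 */
int select_validation_entry(const char *const entries[], size_t count,
                            const char *cred_realm, bool *realm_matched)
{
    size_t i;

    if (realm_matched != NULL) {
        *realm_matched = false;
    }
    if (count == 0) {
        return -1;
    }

    for (i = 0; i < count; i++) {
        const char *realm = principal_realm(entries[i]);

        /* First entry carrying the credential's realm wins. */
        if (realm != NULL && strcmp(realm, cred_realm) == 0) {
            if (realm_matched != NULL) {
                *realm_matched = true;
            }
            return (int)i;
        }
    }

    /* No entry for the credential's realm: fall back to the last one. */
    return (int)(count - 1);
}

/* True when validation for cred_realm would rely on the last-entry fallback. */
bool validation_uses_fallback(const char *const entries[], size_t count,
                              const char *cred_realm)
{
    bool matched = false;

    return select_validation_entry(entries, count, cred_realm, &matched) >= 0
           && !matched;
}

/*
 * Constructed keytab listing (invented realms and principals) for a
 * workstation in CLIENT.EXAMPLE that also accepts logins from the trusted
 * realm CORP.EXAMPLE. The host's own principal is deliberately last so it
 * is the fallback for users from any other trusted realm.
 */
const char *const example_keytab[] = {
    "nfs/ws01.client.example@CLIENT.EXAMPLE",
    "host/ws01.client.example@CORP.EXAMPLE",
    "host/ws01.client.example@CLIENT.EXAMPLE",
};
const size_t example_keytab_len =
    sizeof(example_keytab) / sizeof(example_keytab[0]);

int main(void)
{
    const char *realms[] = { "CLIENT.EXAMPLE", "CORP.EXAMPLE", "PARTNER.EXAMPLE" };
    size_t i;

    for (i = 0; i < sizeof(realms) / sizeof(realms[0]); i++) {
        bool matched;
        int idx = select_validation_entry(example_keytab, example_keytab_len,
                                          realms[i], &matched);

        printf("credential realm %-16s -> entry %d (%s), %s\n", realms[i], idx,
               example_keytab[idx],
               matched ? "realm match" : "last-entry fallback");
    }
    return 0;
}
```

Compile with any C99 compiler and run it; to check a real host, replace the constructed array with the principals from `klist -k` in the order shown there. Note what the run shows for CLIENT.EXAMPLE: the nfs/ entry is chosen, not host/, because the first entry with a matching realm is taken, which is the point Sumit raises above; and a PARTNER.EXAMPLE credential lands on the host's own principal only because that entry was placed last.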