[Heimdal-source-changes] [heimdal/heimdal] a1c742: kdc: handle kdc_options bit 14 confusion

Jeffrey Altman noreply at github.com
Sat Jun 1 23:21:09 CEST 2019


  Branch: refs/heads/jaltman/kdc-anon-request-confusion
  Home:   https://github.com/heimdal/heimdal
  Commit: a1c742040dcaceef9298d95b3f6f4e1ddb946a2c
      https://github.com/heimdal/heimdal/commit/a1c742040dcaceef9298d95b3f6f4e1ddb946a2c
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2019-06-01 (Sat, 01 Jun 2019)

  Changed paths:
    M kdc/kerberos5.c

  Log Message:
  -----------
  kdc: handle kdc_options bit 14 confusion

Drafts 0 through 10 of the Kerberos anonymity draft specified the
TicketFlags.anonymous flag as bit 14.  This was changed to bit 16
after it was discovered that Microsoft used bit 14 for S4U2Proxy.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if
KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the
anonymous and constrained_delegation TicketFlags when issuing an
S4U2Proxy request.  The setting of the anonymous TicketFlag was
removed by ea7615ade3af28843f358e715703226b760db73b ("Do not set
anonymous flag in S4U2Proxy request").

014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC
supports anonymous if requested") introduced a client side check
to ensure that an anonymous request is responded to with an
anonymized ticket.  The combination of setting the anonymous
TicketFlag and the anonymized ticket validation broke S4U2Proxy
requests to Windows KDCs because they ignore the anonymous TicketFlag
when constrained_delegation is requested.

The Heimdal KDC includes fallback logic to handle Heimdal clients
that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request().
However, it failed to adjust the kdc_options flags when it
determined that the request came from an old Heimdal client.

This change clears the constrained_delegation flag and sets the
request_anonymous flag when an old Heimdal client is detected.
It also clears the request_anonymous flag if both bit 14 and 16
are set.

Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9
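
The flag normalisation described in the log message, as an added sketch that is not part of the commit and is not Heimdal's code. The names `toy_req` and `toy_normalize_anon` are hypothetical, and the old-client test (bit 14 set with no additional ticket) and the order of the two rules are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Kerberos flag bits are numbered from the most significant bit of a 32-bit word. */
#define KDC_OPT_BIT(n) (UINT32_C(1) << (31 - (n)))
#define OPT_CONSTRAINED_DELEGATION KDC_OPT_BIT(14) /* also "anonymous" in drafts 0-10 */
#define OPT_REQUEST_ANONYMOUS      KDC_OPT_BIT(16) /* "anonymous" after the change */

/* Hypothetical stand-in for the parts of a KDC request this logic reads. */
struct toy_req {
    uint32_t kdc_options;
    int n_additional_tickets;
};

/*
 * Normalise kdc_options in place and return 1 if the request is anonymous.
 * Assumption: bit 14 without an additional ticket marks an old client,
 * because an S4U2Proxy request carries an additional ticket.
 */
int toy_normalize_anon(struct toy_req *r)
{
    const uint32_t both = OPT_CONSTRAINED_DELEGATION | OPT_REQUEST_ANONYMOUS;

    if ((r->kdc_options & both) == both) {
        /* Bits 14 and 16 both set: clear request_anonymous. */
        r->kdc_options &= ~OPT_REQUEST_ANONYMOUS;
        return 0;
    }
    if ((r->kdc_options & OPT_CONSTRAINED_DELEGATION) &&
        r->n_additional_tickets == 0) {
        /* Old client: clear bit 14 and set bit 16 so later code sees one meaning. */
        r->kdc_options &= ~OPT_CONSTRAINED_DELEGATION;
        r->kdc_options |= OPT_REQUEST_ANONYMOUS;
        return 1;
    }
    return (r->kdc_options & OPT_REQUEST_ANONYMOUS) != 0;
}

int main(void)
{
    struct toy_req old = { OPT_CONSTRAINED_DELEGATION, 0 }; /* constructed sample */
    int anon = toy_normalize_anon(&old);

    printf("anon=%d options=0x%08x\n", anon, (unsigned)old.kdc_options);
    return 0;
}
```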



