[Heimdal-source-changes] [heimdal/heimdal] b365c2: Do not set anonymous flag in S4U2Proxy request

Jeffrey Altman noreply at github.com
Tue Jun 4 04:31:41 CEST 2019


  Branch: refs/heads/jaltman/7.7-cherry-picks
  Home:   https://github.com/heimdal/heimdal
  Commit: b365c208bdb8bf7352e1fad3ed2917956706f87d
      https://github.com/heimdal/heimdal/commit/b365c208bdb8bf7352e1fad3ed2917956706f87d
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2019-06-03 (Mon, 03 Jun 2019)

  Changed paths:
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  Do not set anonymous flag in S4U2Proxy request

It is not specified in MS-SFU, Apple dropped it as well and
it now breaks master branch.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
(cherry picked from commit ea7615ade3af28843f358e715703226b760db73b)


  Commit: bd632a28e5257eabf527979c9b2f2a58201b316c
      https://github.com/heimdal/heimdal/commit/bd632a28e5257eabf527979c9b2f2a58201b316c
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-06-03 (Mon, 03 Jun 2019)

  Changed paths:
    M kdc/kerberos5.c
    M lib/asn1/krb5.asn1
    M lib/krb5/get_cred.c

  Log Message:
  -----------
  krb5: rename constrained-delegation to cname-in-addl-tkt

For consistency with [MS-SFU] rename the constrained-delegation KDC option to
cname-in-addl-tkt (client name in additional ticket).

(cherry picked from commit cf940e15f4eac71d7b739bbb6672d7be9f9b98cb)


  Commit: 976294e0ee64ac2ce9a76fe1ce63c8ae69336363
      https://github.com/heimdal/heimdal/commit/976294e0ee64ac2ce9a76fe1ce63c8ae69336363
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-06-03 (Mon, 03 Jun 2019)

  Changed paths:
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: check for cname-in-addl-tkt flag in constrained delegation

Before accepting an additional ticket for use with constrained delegation,
verify the cname-in-addl-tkt flag was set. If not, ignore the request.

(cherry picked from commit 7381a280c82e29d7c56fad938175e70b7ef85a9f)


  Commit: 0bf6a9ce9875a89ddbe0d94c6e5e7100cb152a90
      https://github.com/heimdal/heimdal/commit/0bf6a9ce9875a89ddbe0d94c6e5e7100cb152a90
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-06-03 (Mon, 03 Jun 2019)

  Changed paths:
    M kdc/kerberos5.c
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: refactor anonymous checks in KDC

_kdc_is_anon_request() is only used by the AS, so make it static.

Centralize anonymous policy checks shared between AS and TGS into a shared
function, _kdc_check_anon_policy().

When issuing an anonymous ticket, set the ticket flag early and test that
rather than re-testing the request.

(cherry picked from commit 27c6cf7a9f26883eee0b17b36dd58a52d2ca3d98)


  Commit: fe34442dd65e664f0952e5f495c05c2c0c7134fb
      https://github.com/heimdal/heimdal/commit/fe34442dd65e664f0952e5f495c05c2c0c7134fb
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-06-03 (Mon, 03 Jun 2019)

  Changed paths:
    M kdc/kerberos5.c
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: don't misidentify constrained delegation requests as anonymous

Earlier (pre-7.6) Heimdal clients would send both the request-anonymous and
cname-in-addl-tkt flags for constrained delegation requests. A true anonymous
TGS request will only have the former flag set. Do not treat TGS requests with
both flags set as anonymous requests.

(cherry picked from commit cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c)


  Commit: 38120019a95ace55c92d8ba463d0e7d59c2dc59f
      https://github.com/heimdal/heimdal/commit/38120019a95ace55c92d8ba463d0e7d59c2dc59f
  Author: Jeffrey Altman <jaltman at secure-endpoints.com>
  Date:   2019-06-03 (Mon, 03 Jun 2019)

  Changed paths:
    M kdc/kerberos5.c
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: history of request_anonymous vs cname-in-addl-tkt confusion

Drafts 0 through 10 of the Kerberos anonymity internet draft,
https://tools.ietf.org/html/draft-ietf-krb-wg-anon, specified the
TicketFlags.anonymous flag as bit 14 and the KDCOptions.anonymous
flag as bit 14.  These were changed to bit 16 by MIT after it was
discovered that Microsoft used KDCOptions bit 14 for S4U2Proxy
cname-in-addl-tkt.

(Feb 2007) Heimdal added constrained delegation support prior to
1.0 but named the KDCOptions flag constrained_delegation instead of
cname-in-addl-tkt as per MS-SFU.  It also assigned bit 16 instead
of bit 14.  Perhaps this was done in the hope that the conflict
with Microsoft would be resolved in favor of the IETF internet
draft instead of the proprietary protocol extension.

adf912182266321b754ed1cb5a705ba2103e139a ("Add PA-ClientCanonicalized
and friends.") introduced the KDCOptions.constrained_delegation flag
as bit 16.

(June 2007) In order to make Heimdal's constrained delegation work
with Microsoft's implementation Heimdal began to set both KDCOptions
bits 14 and 16 when requesting constrained delegation.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if
KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the
anonymous and constrained_delegation TicketFlags when issuing a
S4U2Proxy request.

(June 2010) MIT reassigned the KDCOption.anonymous and
TicketFlags.anonymous flags to bit 16.  draft-ietf-krb-anon-11
was published with this change.

(July 2014) After the release of Heimdal 1.5.0 and prior to 1.5.1
it was noticed that Heimdal's anonymous TGT support did not
interoperate with MIT.

86554f5a7f81da1efa2849fa6961ca71ad3b8e90 ("Use correct value for
anonymous flags") swapped the bit assignments for request_anonymous
and constrained_delegation but failed to remove the setting of
KDCOptions bit 16 ("anonymous") when requesting constrained
delegation.

(May 2019) Prior to the 7.6 release many corrections to Heimdal's
anonymity support were introduced to bring it into compliance
with RFC8062.  This included support for requesting anonymous
tickets via the TGS service.  Because not all KDCs can satisfy
anonymous requests the client must verify if the response was
anonymized.  This check wasn't added until after 7.6 was
released.

014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC
supports anonymous if requested").

The combination of setting KDCOption.anonymous when requesting
constrained delegation and the anonymized ticket validation
broke S4U2Proxy requests to Windows KDCs.  Windows KDCs ignore
the KDCOption.anonymous flag when processing a TGS request
with KDCOption.cname-in-addl-tkt set.

ea7615ade3af28843f358e715703226b760db73b ("Do not set
anonymous flag in S4U2Proxy request") removed the behavior
of setting the KDCOption.anonymous flag that should have
been removed in July 2014.

(June 2019) The Heimdal KDC includes fallback logic to handle
Heimdal clients from 1.0 to 1.5.0, inclusive, that set the
KDCOptions.anonymous flag as bit 14.  Prior to the 7.7 release
this logic only handled AS requests but failed to handle the
constrained delegation request case where both bits 14 and 16
were set in the TGS request.

cdd0b70d37d87026e8618ff44b8d636c0bf9cb6c ("kdc: don't misidentify
constrained delegation requests as anonymous") added the TGS
request validation to distinguish anonymous requests from
constrained delegation requests.

This change documents the history in the commit message and
updates some in-tree comments.

Change-Id: I625cd012e2e6c263c71948c6021cc2fad4d2e53a
(cherry picked from commit 4331f4c7d4679762cd3d68ba6262745d9b122674)
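As an added illustration (model code written for this note, not Heimdal's KDC code), the request classification that the commit history above describes, using the bit numbers it gives: bit 14 is cname-in-addl-tkt, bit 16 is request-anonymous, an AS-REQ with only bit 14 is the pre-1.5.1 Heimdal anonymous fallback, and a TGS-REQ with both bits is constrained delegation from a pre-7.6 client rather than an anonymous request. The ASN.1 BIT STRING bit numbering is RFC 4120's; the helper and enum names are my own.

```c
#include <stdbool.h>
#include <stdint.h>

/* KDCOptions is an ASN.1 BIT STRING: bit 0 is the MSB of the first octet. */
#define KDC_OPT_BIT(n) (1u << (31 - (n)))
/* Bit numbers as given in the commit history above. */
#define KDC_OPT_CNAME_IN_ADDL_TKT KDC_OPT_BIT(14)  /* MS-SFU S4U2Proxy */
#define KDC_OPT_REQUEST_ANONYMOUS KDC_OPT_BIT(16)  /* RFC 8062 */

/* Assemble the 32 option bits from the four content octets of the
 * BIT STRING (the leading unused-bits octet has already been stripped). */
uint32_t kdc_options_from_octets(const uint8_t o[4])
{
    return ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) |
           ((uint32_t)o[2] << 8) | (uint32_t)o[3];
}

enum req_kind { REQ_AS, REQ_TGS };
enum req_class {
    CLASS_ORDINARY,
    CLASS_ANONYMOUS,
    CLASS_CONSTRAINED_DELEGATION,
    CLASS_LEGACY_ANONYMOUS_AS  /* Heimdal 1.0-1.5.0 client using bit 14 */
};

/* Model of the classification rules in the commit messages above
 * (hypothetical helper, not Heimdal's _kdc_check_anon_policy()). */
enum req_class classify(enum req_kind kind, uint32_t opts, bool has_addl_ticket)
{
    bool bit14 = (opts & KDC_OPT_CNAME_IN_ADDL_TKT) != 0;
    bool bit16 = (opts & KDC_OPT_REQUEST_ANONYMOUS) != 0;

    if (kind == REQ_AS) {
        /* An AS-REQ carries no additional ticket, so bit 14 can only be an
         * old client's anonymous flag: the fallback the KDC keeps for them. */
        if (bit16) return CLASS_ANONYMOUS;
        return bit14 ? CLASS_LEGACY_ANONYMOUS_AS : CLASS_ORDINARY;
    }
    /* TGS-REQ: an additional ticket counts as constrained delegation only
     * when cname-in-addl-tkt is set (7381a28); a request with both bits 14
     * and 16 is delegation from a pre-7.6 client, never anonymous (cdd0b70). */
    if (bit14 && has_addl_ticket) return CLASS_CONSTRAINED_DELEGATION;
    if (bit16 && !bit14) return CLASS_ANONYMOUS;
    return CLASS_ORDINARY;
}
```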


Compare: https://github.com/heimdal/heimdal/compare/b365c208bdb8%5E...38120019a95a
