From cad699a8f011de08925bd969bcb7a35c43e25d77 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Sat, 1 Jun 2019 16:40:51 -0400
Subject: [PATCH] kdc: handle kdc_options bit 14 confusion

Drafts 0 through 10 of the Kerberos anonymity draft specified the TicketFlags.anonymous flag as bit 14. This was changed to bit 16 after it was discovered that Microsoft used bit 14 for S4U2Proxy.

d5bb7a7c566841d52662b230248f06522bfa64ad ("(krb5_get_creds): if KRB5_GC_CONSTRAINED_DELEGATION is set, set both") set both the anonymous and constrained_delegation TicketFlags when issuing a S4U2Proxy request. The setting of the anonymous TicketFlag was removed by ea7615ade3af28843f358e715703226b760db73b ("Do not set anonymous flag in S4U2Proxy request").

014e318d6bdefd8ecfcb99ca9928921f6a49d721 ("krb5: check KDC supports anonymous if requested") introduced a client side check to ensure that an anonymous request is responded to with an anonymized ticket.

The combination of setting the anonymous TicketFlag and the anonymized ticket validation broke S4U2Proxy requests to Windows KDCs because they ignore the anonymous TicketFlag when constrained_delegation is requested.

The Heimdal KDC includes fallback logic to handle Heimdal clients that set the anonymous TicketFlag as bit 14 in _kdc_is_anon_request(). However, it failed to adjust the kdc_options flags when it determined that the request came from an old Heimdal client.

This change clears the constrained_delegation flag and sets the request_anonymous flag when an old Heimdal client is detected. It also clears the request_anonymous flag if both bit 14 and 16 are set.

Change-Id: If57b6f9fe95fdba0109c4450dba5548b4ae6eba9
---
 kdc/kerberos5.c | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 1b0d0f8df0..5f675b1244 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2434,10 +2434,27 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context, krb5_boolean _kdc_is_anon_request(const KDC_REQ_BODY *b) { - /* some versions of heimdal use bit 14 instead of 16 for - request_anonymous, as indicated in the anonymous draft prior to - version 11. Bit 14 is assigned to S4U2Proxy, but all S4U2Proxy - requests will have a second ticket; don't consider those anonymous */ - return (b->kdc_options.request_anonymous || - (b->kdc_options.constrained_delegation && !b->additional_tickets)); + if (b->kdc_options.constrained_delegation) { + if (!b->additional_tickets) { + /* + * some versions of heimdal use bit 14 instead of 16 for + * request_anonymous, as indicated in the anonymous draft prior + * to version 11. Bit 14 is assigned to S4U2Proxy, but all + * S4U2Proxy requests will have a second ticket. Use the missing + * second ticket as an indicator that this is a pre-draft 11 + * client. */ + b->kdc_options.constrained_delegation = 0; + b->kdc_options.request_anonymous = 1; + } + else if (b->request_anonymous) { + /* + * Heimdal versions between 1.0 and 7.6 set the anonymous_request + * bit (16) in addition to constrained_delegation (14) when + * requesting S4U2Proxy. The Windows KDC ignores the + * anonymous_request bit when satisfying a S4U2Proxy request. + */ + b->kdc_options.request_anonymous = 0; + } + } + return b->kdc_options.request_anonymous; }
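Review bot: The new branches write through the `const KDC_REQ_BODY *b` parameter (`b->kdc_options.constrained_delegation = 0;`, `b->kdc_options.request_anonymous = 1;`, `b->kdc_options.request_anonymous = 0;`), which a C compiler rejects as assignment to a member of a read-only object; either drop the `const` from the signature and audit the callers that pass const bodies, or move this normalization out of the predicate into the request-preprocessing path so `_kdc_is_anon_request()` keeps answering a question without side effects. The second branch also tests `b->request_anonymous` while every other reference in the hunk uses `b->kdc_options.request_anonymous`; the flag lives inside `kdc_options`, so that condition should read `else if (b->kdc_options.request_anonymous)`. Two smaller points: the comment on that branch calls the bit `anonymous_request` although the field is `request_anonymous`, and since the function now rewrites the caller's `kdc_options` in place, a sentence in the function comment saying the body is normalized here (and that every later consumer of these flags relies on this call having run first) would spare the next reader a surprise.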