Allow the KDB to see and modify auth indicators #965
Merged
I guess kdb_test plugin minor version should be set to 0.
simo5
approved these changes
Aug 8, 2019
LGTM
I added a test case and corrected the test KDB module's minor version. Alexander said he would attempt an experiment using FreeIPA and Samba, so I will likely wait for that before merging.
frozencemetery
approved these changes
Aug 8, 2019
greghudson
pushed a commit
to iboukris/krb5
that referenced
this pull request
Aug 14, 2019
Add two new KDB methods to support resource-based constrained delegation. The get_authdata_info method extracts the client principal for the authdata (necessary for cross-realm RBCD requests as the evidence ticket is a cross-realm TGT with the client's authdata), and also returns an opaque pointer for consumption by other KDB methods. The allowed_to_delegate_from method performs a constrained delegation policy check on the principal entry of the target principal.

Add the server principal and abstract authdata representation to the sign_authdata method. (XXX the DAL major version and KDB API version need to be bumped; this will be handled in the merge with PR krb5#965.)

Add core KDC code for RBCD requests. For local RBCD requests (impersonator and target in the same realm), KDC handling is similar to existing constrained delegation support. The evidence ticket is not required to be forwardable, and allowed_to_delegate_from is used in preference to check_allowed_to_delegate.

For cross-realm RBCD requests, the KDC could be in the impersonator realm, the target realm, or in a transit realm between the two. In the transit realm case, the request looks like a regular cross-realm request for a krbtgt service except for the information in the PAC, so this case is handled by the KDB module sign_authdata() method.

[ghudson@mit.edu: made style and documentation edits, and edited commit message]
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 15, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 15, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 15, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 15, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 18, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 18, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 20, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 22, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 24, 2019
Amend the sign_authdata method signature to include a modifiable auth_indicators array. Bump the DAL major version and the libkdb5 soname. Add a test case using the test KDB module. ticket: 8823 (new)
greghudson
force-pushed
the
kdb-authind
branch
from
August 27, 2019 00:20
2d75f2b
to
7196c03
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 27, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 27, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 27, 2019
iboukris
added a commit
to iboukris/krb5
that referenced
this pull request
Aug 27, 2019
Amend the sign_authdata method signature to include a modifiable
auth_indicators array. Bump the DAL major version and the libkdb5
soname.
[This overlaps with PR #912 which also adds a parameter to sign_authdata, but the merge should be straightforward. I will likely want to add a test case by having the test KDB module do something to the auth indicators in its sign_authdata method before merging, but this should be enough to get feedback from Samba developers.]
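The modifiable auth_indicators list that this PR passes into sign_authdata is a NULL-terminated array the KDB module may extend. The following C sketch is an added illustration, not krb5 project code: it shows a module hook adding a database-sourced indicator exactly once and growing the array safely. `ind_data` is an assumed stand-in for `krb5_data`, and the indicator values "pkinit" and "db-mfa" are constructed sample values.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data (assumed shape: length + data) so this builds
 * without libkrb5. */
typedef struct { unsigned int length; char *data; } ind_data;

/* Entries in a NULL-terminated indicator list; a NULL list is empty. */
static size_t authind_count(ind_data **list)
{
    size_t n = 0;
    while (list != NULL && list[n] != NULL)
        n++;
    return n;
}

/* Mock of a KDB module's sign_authdata hook using the modifiable list: add
 * a database-sourced indicator, growing the NULL-terminated array in place.
 * Returns 1 if added, 0 if already present, -1 on allocation failure; the
 * caller's list stays valid in every case. */
static int authind_add_once(ind_data ***listp, const char *ind)
{
    size_t i, n = authind_count(*listp), len = strlen(ind);
    ind_data **grown, *entry;
    for (i = 0; i < n; i++) {
        if ((*listp)[i]->length == len &&
            memcmp((*listp)[i]->data, ind, len) == 0)
            return 0;                        /* no duplicate indicator */
    }
    entry = malloc(sizeof(*entry));
    if (entry == NULL)
        return -1;
    entry->length = (unsigned int)len;
    entry->data = malloc(len + 1);
    grown = (entry->data == NULL) ? NULL
          : realloc(*listp, (n + 2) * sizeof(*grown)); /* new slot + NULL */
    if (grown == NULL) {
        free(entry->data);
        free(entry);
        return -1;
    }
    memcpy(entry->data, ind, len + 1);
    grown[n] = entry;
    grown[n + 1] = NULL;
    *listp = grown;
    return 1;
}

/* Release a list built by authind_add_once. */
static void authind_free(ind_data **list)
{
    size_t i;
    for (i = 0; list != NULL && list[i] != NULL; i++) {
        free(list[i]->data);
        free(list[i]);
    }
    free(list);
}

/* Scenario: one preauth-supplied indicator, then the hook runs twice with
 * its own indicator.  Returns the final count (2) or -1 on any failure. */
static int demo_run(void)
{
    ind_data **list = NULL;
    int count = -1;
    if (authind_add_once(&list, "pkinit") == 1 &&   /* constructed value */
        authind_add_once(&list, "db-mfa") == 1 &&   /* constructed value */
        authind_add_once(&list, "db-mfa") == 0)     /* second call: no-op */
        count = (int)authind_count(list);
    authind_free(list);
    return count;
}
```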