On 10/09/2012 12:28 PM, Sumit Bose wrote:
On Tue, Oct 09, 2012 at 11:38:57AM +0200, Ondrej Kos wrote:
>
> https://fedorahosted.org/sssd/ticket/1499
>
> Adds log message about not finding appropriate entry in keytab and using
> the last keytab entry when validation is enabled.
>
> Adds more information about validation into manpage.
>
> Patch is attached.
>
> O.
> --
> Ondrej Kos
> Associate Software Engineer
> Identity Management
> Red Hat Czech
>
> phone: +420-532-294-558
> cell: +420-736-417-909
> ext: 82-62558
> loc: 1/5C Brno 1 office
> irc: okos @ #brno
> diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
> index
f4fd1cb73941e23d8e39d234bf8fd2ae8ae54554..a67e4215f7e897afb37708695e56459cfa968f25 100644
> --- a/src/man/sssd-krb5.5.xml
> +++ b/src/man/sssd-krb5.5.xml
> @@ -231,7 +231,12 @@
> <term>krb5_validate (boolean)</term>
> <listitem>
> <para>
> - Verify with the help of krb5_keytab that the TGT
obtained has not been spoofed.
> + Verify with the help of krb5_keytab that the TGT
> + obtained has not been spoofed. If there's no entry
with
> + corresponding realm found in keytab, the last one is
used.
> + This can be utilized to achieve validation in
enviroments
> + with cross-realm trust by placing appropriate keytab
entry
> + as the last one.
For completeness I would add that the first entry with a matching realm
is taken. This might be important to know because pam_krb5 uses a more
elaborate scheme. For a future version we might want to add an option to
switch to the scheme used by pam_krb5.
bye,
Sumit
I forgot this one. Updated.
> </para>
> <para>
> Default: false
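Review bot: the added manpage text in this hunk misspells "enviroments" (should be "environments"), and while rewording it, state the selection rule the thread settles on explicitly: the first keytab entry whose realm matches the credential's realm is used, and only when none matches does the last entry serve as the fallback, e.g. "If no entry for the realm of the credential is found in the keytab, the last entry is used." The sentence "If there's no entry with corresponding realm found in keytab" also reads awkwardly and drops the article before "keytab".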
> diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
> index
b2d5bdaeb9d4b1ac8de12055a4d6bb5a7f48a7f1..ff6a30147bb9d7edac7bab364d5d9004451f6ffb 100644
> --- a/src/providers/krb5/krb5_child.c
> +++ b/src/providers/krb5/krb5_child.c
> @@ -696,6 +696,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
> krb5_keytab_entry entry;
> krb5_verify_init_creds_opt opt;
> krb5_principal validation_princ = NULL;
> + bool entry_found = false;
>
> memset(&keytab, 0, sizeof(keytab));
> kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
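Review bot: the new flag `bool entry_found = false;` is named misleadingly, as the review already points out: the loop always ends up with some entry (at worst the last one), so what the flag really records is whether an entry with the credential's realm was found; `realm_entry_found` matches what it tracks and makes the later `if (!entry_found)` test read correctly.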
> @@ -736,10 +737,17 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
> if (krb5_realm_compare(kr->ctx, validation_princ, kr->princ)) {
> DEBUG(SSSDBG_TRACE_INTERNAL,
> ("Found keytab entry with the realm of the
credential.\n"));
> + entry_found = true;
> break;
> }
> }
>
> + if (!entry_found) {
> + DEBUG(SSSDBG_TRACE_INTERNAL,
> + ("Keytab entry with the realm of the credential not found
"
> + "in keytab. Using the last entry.\n"));
> + }
> +
> /* Close the keytab here. Even though we're using cursors, the file
> * handle is stored in the krb5_keytab structure, and it gets
> * overwritten when the verify_init_creds() call below creates its own
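Review bot: the fallback message in this hunk is logged at SSSDBG_TRACE_INTERNAL, which is easy to miss when an administrator is trying to work out why validation used an unexpected key; since validating against the last keytab entry (possibly a key of a different realm) is exactly the situation the manpage change documents, consider a more visible level and include the credential's realm in the text, e.g. "Keytab entry with the realm of the credential (%s) not found in keytab. Using the last entry.", so the log line says which realm had no matching entry. The flag tested in `if (!entry_found)` should be renamed together with its declaration.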
just a nitpick. entry_found is a bit misleading, because we always find
an entry, at least the last one. e.g. realm_entry_found would be more
precise.
bye,
Sumit
Not a problem, didn't cross my mind.
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
New patch attached.
O.
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
phone: +420-532-294-558
cell: +420-736-417-909
ext: 82-62558
loc: 1/5C Brno 1 office
irc: okos @ #brno
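As an added example (not SSSD's code and not the patch under review), the following stand-alone C program models the selection rule the thread describes: the first keytab entry whose realm matches the credential's realm is used, and if no entry matches, the last entry in the keytab is used. Keytab entries are modelled as constructed "name@REALM" principal strings instead of krb5_keytab_entry structures read through a cursor; the function names select_validation_entry, principal_realm, sample_pick and sample_realm_matched and the sample keytab contents are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SSSD's code. Models the keytab entry selection described
 * in the thread: the first entry whose realm matches the credential's realm is
 * used; if no entry matches, the last entry in the keytab is used. Entries are
 * constructed "name@REALM" principal strings rather than krb5_keytab_entry
 * structures read through a keytab cursor. */

/* Return the realm part of "name@REALM", or NULL if the string has none. */
static const char *principal_realm(const char *princ)
{
    const char *at = strrchr(princ, '@');
    return (at != NULL && at[1] != '\0') ? at + 1 : NULL;
}

/* Pick the index of the keytab entry to validate against. Returns -1 for an
 * empty keytab. *realm_entry_found (the name suggested in the review) is set
 * only when an entry with the credential's realm was actually found. */
int select_validation_entry(const char *const *entries, size_t count,
                            const char *cred_realm, bool *realm_entry_found)
{
    *realm_entry_found = false;
    if (count == 0) {
        return -1;
    }
    for (size_t i = 0; i < count; i++) {
        const char *realm = principal_realm(entries[i]);
        if (realm != NULL && strcmp(realm, cred_realm) == 0) {
            *realm_entry_found = true;   /* first matching realm wins */
            return (int)i;
        }
    }
    /* No entry carries the credential's realm: fall back to the last entry. */
    return (int)(count - 1);
}

/* Constructed keytab: two local-realm keys, then a cross-realm key placed
 * last so that it is the fallback, as the manpage text recommends. */
static const char *const sample_keytab[] = {
    "host/client.example.com@EXAMPLE.COM",
    "nfs/client.example.com@EXAMPLE.COM",
    "host/client.example.com@TRUSTED.ORG",
};
static const size_t sample_keytab_len =
    sizeof(sample_keytab) / sizeof(sample_keytab[0]);

/* Wrappers over the sample keytab: chosen index, and whether the realm matched. */
int sample_pick(const char *cred_realm)
{
    bool found;
    return select_validation_entry(sample_keytab, sample_keytab_len,
                                   cred_realm, &found);
}

bool sample_realm_matched(const char *cred_realm)
{
    bool found;
    select_validation_entry(sample_keytab, sample_keytab_len, cred_realm, &found);
    return found;
}

int main(void)
{
    const char *realms[] = { "EXAMPLE.COM", "TRUSTED.ORG", "OTHER.NET" };
    for (size_t i = 0; i < sizeof(realms) / sizeof(realms[0]); i++) {
        int idx = sample_pick(realms[i]);
        printf("credential realm %-12s -> entry %d (%s)%s\n", realms[i], idx,
               sample_keytab[idx],
               sample_realm_matched(realms[i]) ? "" : "  [fallback: no realm match]");
    }
    return 0;
}
```

Running it shows why the ordering advice in the manpage text matters: a credential from EXAMPLE.COM or TRUSTED.ORG is validated with the first key of its own realm, while a credential from any realm absent from the keytab (OTHER.NET here) is silently validated with whatever key happens to be last. That fallback is what makes cross-realm validation work when the trusted realm's key is placed last, and it is also why the log message in the patch deserves to be noticed when the last entry is not the one an administrator expected.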