freeipa

Clone
Source Code
GIT

fdc42f7 kdb: apply combinatorial logic for ticket flags

4 files Authored by jrische 18 days ago, Committed by antorres 18 days ago,
raw patch tree parent
4 files changed. 365 lines added. 53 lines removed.
daemons/ipa-kdb/ipa_kdb.h
file modified
+43 -0
daemons/ipa-kdb/ipa_kdb_principals.c
file modified
+300 -53
util/ipa_krb5.c
file modified
+18 -0
util/ipa_krb5.h
file modified
+4 -0 
    kdb: apply combinatorial logic for ticket flags
    
    The initial design for ticket flags was implementing this logic:
    * If a ticket policy is defined for the principal entry, use flags from
      this policy if they are set. Otherwise, use default ticket flags.
    * If no ticket policy is defined for the principal entry, but there is a
      global one, use flags from the global ticket policy if they are set.
      Otherwise, use default ticket flags.
    * If no policy (principal nor global) is defined, use default ticket
      flags.
    
    However, this logic was broken by a1165ffb which introduced creation of
    a principal-level ticket policy in case the ticket flag set is modified.
    This was typically the case for the -allow_tix flag, which was set
    virtually by the KDB driver when a user was locked until they initialize
    their password on first kinit pre-authentication.
    
    This was causing multiple issues, which are mitigated by the new
    approach:
    
    Now flags from each level are combined together. There flags like
    +requires_preauth which are set systematically by the KDB diver, as
    well as -allow_tix which is set based on the value of "nsAccountLock".
    This commit also adds the implicit -allow_svr ticket flag for user
    principals to protect users against Kerberoast-type attacks. None of
    these flags are stored in the LDAP database, they are hard-coded in the
    KDB driver.
    
    In addition to these "virtual" ticket flags, flags from both global and
    principal ticket policies are applied (if these policies exist).
    
    Principal ticket policies are not supported for hosts and services, but
    this is only an HTTP API limitation. The "krbTicketPolicyAux" object
    class is supported for all account types. This is required for ticket
    flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
    host-mod" and "ipa serivce-mod", or using kadmin's "modprinc".
    
    It is possible to ignore flags from the global ticket policy or default
    flags like -allow_svr for a user principal by setting the
    "final_user_tkt_flags" string attribute to "true" in kadmin. In this
    case, any ticket flag can be configured in the principal ticket policy,
    except requires_preauth and allow_tix.
    
    When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
    argument), all the system described above is disabled and ticket flags
    are written in the principal ticket policy as they are provided. This is
    required to initialize the Kerberos LDAP container during IPA server
    installation.
    
    This fixes CVE-2024-3183
    
    Signed-off-by: Julien Rische <jrische@redhat.com>
file modified
+43 -0
file modified
+300 -53
file modified
+18 -0
file modified
+4 -0
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.