STABLE12-kaserver-disable-krb4-crossrealm-20030317

to deal with the krb4 security advisory

====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================

to deal with krb4 security advisory
type mismatch for krb4_cross pointed out by Jack Neely <slack@quackmaster.net>


(cherry picked from commit 1312d1179d)
This commit is contained in:
Derrick Brashear 2003-03-19 12:52:36 +00:00
parent 567b277d77
commit 3941397640
4 changed files with 15 additions and 0 deletions


@ -1707,6 +1707,11 @@ static afs_int32 GetTicket (version, call, kvno, authDomain, aticket,
if (import && (celllen == 0)) {code = KABADTICKET; goto abort;}
if (export && (celllen == 0)) strcpy (cell, lrealm);
if (!krb4_cross && celllen && strcmp(lrealm, cell) != 0) {
code = KABADUSER;
goto abort;
}
des_ecb_encrypt (atimes->SeqBody, &times, schedule, DECRYPT);
times.start = ntohl(times.start);
times.end = ntohl(times.end);
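Review bot: The new realm check at line 27 is skipped whenever celllen is 0, yet only the export path (line 26) actually sets cell to lrealm in that case; if a ticket that is neither import nor export can reach this point with an empty cell name, it would bypass the cross-realm rejection entirely. If that combination cannot occur here, the guard deserves a comment saying so, e.g. `/* celllen == 0 means the local realm: import was rejected above, export copied lrealm into cell */`. The check also returns KABADUSER with no trace of the rejected realm, so unless the abort label (outside this hunk) logs it, an operator cannot tell cross-realm rejections from ordinary bad-user failures. GetTicket starts and ends outside the hunk.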


@ -56,6 +56,8 @@ struct kadstats dynamic_statistics;
struct ubik_dbase *KA_dbase;
afs_int32 myHost = 0;
afs_int32 verbose_track = 1;
afs_int32 krb4_cross = 0;
struct afsconf_dir *KA_conf; /* for getting cell info */
extern afs_int32 ubik_lastYesTime;
@ -194,6 +196,7 @@ main (argc, argv)
usage:
printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
"[-localfiles <lclpath>] [-minhours <n>] [-servers <serverlist>] "
"[-crossrealm]"
/*" [-enable_peer_stats] [-enable_process_stats] " */
"[-help]\n");
exit(1);
@ -251,6 +254,7 @@ main (argc, argv)
else if (IsArg("-clear")) level = rxkad_clear;
else if (IsArg("-sorry")) level = rxkad_clear;
else if (IsArg("-debug")) verbose_track = 0;
else if (IsArg("-crossrealm")) krb4_cross = 1;
else if (IsArg("-minhours")) {
MinHours = atoi(argv[++a]);
}
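Review bot: `krb4_cross` at line 41 is the switch the new realm checks in GetTicket and UDP_GetTicket key off, but nothing documents that the default 0 rejects krb4 cross-realm tickets and that `-crossrealm` re-enables the behaviour this commit restricts. Suggest `afs_int32 krb4_cross = 0; /* 0 = reject krb4 cross-realm tickets (default); -crossrealm sets it to 1 */`, with the same comment on the extern declaration added in the header hunk. The usage text at line 48 could likewise say what the option does, e.g. `"[-crossrealm (permit krb4 cross-realm tickets)]"`, so an administrator does not enable it without knowing what it reopens. main starts and ends outside the hunk.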


@ -179,6 +179,7 @@ extern int kaux_islocked(
u_int locktime
);
extern afs_int32 krb4_cross;
#define LOCKPW


@ -462,6 +462,11 @@ afs_int32 UDP_GetTicket (ksoc, pkt, kvno, authDomain, ticket, ticketLen, auth, a
cell[MAXKTCREALMLEN-1] = 0;
};
if (!krb4_cross && strcmp(lrealm, cell) != 0) {
code = KERB_ERR_PRINCIPAL_UNKNOWN;
goto abort;
}
if (krb_udp_debug) {
printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",
name, inst, cell);
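Review bot: Rejected cross-realm requests never reach the existing debug trace, because the new check at line 74 jumps to abort before the `if (krb_udp_debug)` printf at line 78, so an operator who enables krb_udp_debug to investigate the advisory-related rejections sees nothing for them unless the abort path (outside this hunk) logs separately. Either place the new block after the debug printf, or trace inside it: `if (krb_udp_debug) printf("UGetTicket: rejecting cross-realm ticket for realm '%s'\n", cell);`. Note also that this check, unlike the one in GetTicket, has no celllen guard, which is fine only if the block ending at line 73 always leaves cell holding a realm name. UDP_GetTicket starts and ends outside the hunk.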