From 4dcdbec0055ceebb6cfe64f82f1d4edc9e21e210 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Wed, 22 Sep 2004 16:07:40 +0000 Subject: [PATCH] STABLE14-kfw-hklm-registry-fix-20040922 Fix the registry query in afskfw.lib to read the HKLM machine value even if the HKCU key is present. Update text in the install notes to better describe the krb524 issues (cherry picked from commit d69e6641e5fc423b41fcfc9345a6f917ec958f37) --- doc/txt/winnotes/afs-changes-since-1.2.txt | 5 ++++ doc/txt/winnotes/afs-install-notes.txt | 28 +++++++++++++++++++ src/WINNT/afsd/afskfw.c | 32 +++++++++++++++------- 3 files changed, 55 insertions(+), 10 deletions(-) diff --git a/doc/txt/winnotes/afs-changes-since-1.2.txt b/doc/txt/winnotes/afs-changes-since-1.2.txt index 17738ed8dd..a864e197bf 100644 --- a/doc/txt/winnotes/afs-changes-since-1.2.txt +++ b/doc/txt/winnotes/afs-changes-since-1.2.txt @@ -1,4 +1,9 @@ Since 1.3.71: + * Fix bug in loading of registry value HKLM\SOFTWARE\OpenAFS\Client + "EnableKFW". This value will not be read if the key + HKCU\SOFTWARE\OpenAFS\Client exists; even if the "EnableKFW" + value under that key does not. + * provide mechanisms to force the use of krb524d for Kerberos 5 ticket to AFS token conversion. For afslogon.dll and afscreds.exe there is a new registry value "Use524" and for aklog.exe a new diff --git a/doc/txt/winnotes/afs-install-notes.txt b/doc/txt/winnotes/afs-install-notes.txt index 9265625e53..28b8ebd37f 100644 --- a/doc/txt/winnotes/afs-install-notes.txt +++ b/doc/txt/winnotes/afs-install-notes.txt @@ -352,6 +352,34 @@ or fs.exe. During installation this group is created and the current contents of the Administrators group is copied. +26. Some organizations which have AFS cell names and Kerberos realm names +which differ by more then just lower and upper case rely on a modification +to krb524d which maps a Kerberos 5 ticket from realm FOO to a Kerberos 4 +ticket in realm BAR. This allows user@FOO to appear to be user@bar for +the purposes of accessing the AFS cell. As of OpenAFS 1.2.8, support was +added to allow the immediate use of Kerberos 5 tickets as AFS (2b) tokens. +This is the first building block necessary to break away from the +limitations of Kerberos 4 with AFS. By using Kerberos 5 directly we +avoid the security holes inherent in Kerberos 4 cross-realm. We also +gain access to cryptographically stronger algorithms for authentication +and encryption. + +Another reason for using Kerberos 5 directly is because the krb524 service +runs on a port (4444) which has become increasingly blocked by ISPs. The +port was used to spread a worm which attacked Microsoft Windows in the +summer of 2003. When the port is blocked users find that they are unable +to authenticate. + +Replacing the Kerberos 4 ticket with a Kerberos 5 ticket is a win in all +situations except when the cell name does not match the realm name and +the principal names placed into the ACLs are not the principal names from +the Kerberos 5 ticket. To support this transition, OpenAFS for Windows +in 1.3.72 adds a new registry value to force the use of krb524d. However, +the availability of this option should only be used by individuals until +such time as their organizations can provide a more permanent solution. + + + ------------------------------------------------------------------------ Reporting Bugs: diff --git a/src/WINNT/afsd/afskfw.c b/src/WINNT/afsd/afskfw.c index dce6739a56..823c60cf19 100644 --- a/src/WINNT/afsd/afskfw.c +++ b/src/WINNT/afsd/afskfw.c @@ -453,19 +453,25 @@ KFW_use_krb524(void) code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName, 0, KEY_QUERY_VALUE, &parmKey); - if (code != ERROR_SUCCESS) - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, - 0, KEY_QUERY_VALUE, &parmKey); if (code == ERROR_SUCCESS) { len = sizeof(use524); code = RegQueryValueEx(parmKey, "Use524", NULL, NULL, (BYTE *) &use524, &len); if (code != ERROR_SUCCESS) { - use524 = 0; + RegCloseKey(parmKey); + + code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, + 0, KEY_QUERY_VALUE, &parmKey); + if (code == ERROR_SUCCESS) { + len = sizeof(use524); + code = RegQueryValueEx(parmKey, "Use524", NULL, NULL, + (BYTE *) &use524, &len); + if (code != ERROR_SUCCESS) + use524 = 0; + } } RegCloseKey (parmKey); } - return use524; } @@ -478,19 +484,25 @@ KFW_is_available(void) code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName, 0, KEY_QUERY_VALUE, &parmKey); - if (code != ERROR_SUCCESS) - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, - 0, KEY_QUERY_VALUE, &parmKey); if (code == ERROR_SUCCESS) { len = sizeof(enableKFW); code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL, (BYTE *) &enableKFW, &len); if (code != ERROR_SUCCESS) { - enableKFW = 1; + RegCloseKey(parmKey); + + code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, + 0, KEY_QUERY_VALUE, &parmKey); + if (code == ERROR_SUCCESS) { + len = sizeof(enableKFW); + code = RegQueryValueEx(parmKey, "EnableKFW", NULL, NULL, + (BYTE *) &enableKFW, &len); + if (code != ERROR_SUCCESS) + enableKFW = 1; + } } RegCloseKey (parmKey); } - if ( !enableKFW ) return FALSE;