1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
--- openafs/src/kauth/kaprocs.c 6 Sep 2002 02:44:03 -0000 1.12
+++ openafs/src/kauth/kaprocs.c 18 Mar 2003 03:56:18 -0000 1.13
@@ -1706,6 +1706,11 @@
celllen = strlen (cell);
if (import && (celllen == 0)) {code = KABADTICKET; goto abort;}
if (export && (celllen == 0)) strcpy (cell, lrealm);
+
+ if (!krb4_cross && celllen && strcmp(lrealm, cell) != 0) {
+ code = KABADUSER;
+ goto abort;
+ }
des_ecb_encrypt (atimes->SeqBody, ×, schedule, DECRYPT);
times.start = ntohl(times.start);
--- openafs/src/kauth/kaserver.c 21 Aug 2002 18:13:22 -0000 1.13
+++ openafs/src/kauth/kaserver.c 18 Mar 2003 03:56:18 -0000 1.14
@@ -56,6 +56,8 @@
struct ubik_dbase *KA_dbase;
afs_int32 myHost = 0;
afs_int32 verbose_track = 1;
+afs_int32 krb4_cross = 0;
+
struct afsconf_dir *KA_conf; /* for getting cell info */
extern afs_int32 ubik_lastYesTime;
@@ -193,6 +195,7 @@
usage:
printf("Usage: kaserver [-noAuth] [-fastKeys] [-database <dbpath>] "
"[-localfiles <lclpath>] [-minhours <n>] [-servers <serverlist>] "
+ "[-crossrealm]"
/*" [-enable_peer_stats] [-enable_process_stats] " */
"[-help]\n");
exit(1);
@@ -250,6 +253,7 @@
else if (IsArg("-clear")) level = rxkad_clear;
else if (IsArg("-sorry")) level = rxkad_clear;
else if (IsArg("-debug")) verbose_track = 0;
+ else if (IsArg("-crossrealm")) krb4_cross = 1;
else if (IsArg("-minhours")) {
MinHours = atoi(argv[++a]);
}
--- openafs/src/kauth/kaserver.h 4 Nov 2000 10:04:39 -0000 1.2
+++ openafs/src/kauth/kaserver.h 18 Mar 2003 23:47:51 -0000 1.4
@@ -179,6 +179,7 @@
u_int locktime
);
+extern afs_int32 krb4_cross;
#define LOCKPW
--- openafs/src/kauth/krb_udp.c 22 Aug 2002 18:45:16 -0000 1.20
+++ openafs/src/kauth/krb_udp.c 18 Mar 2003 03:56:18 -0000 1.21
@@ -461,6 +461,11 @@
strncpy (cell, lrealm, MAXKTCREALMLEN-1);
cell[MAXKTCREALMLEN-1] = 0;
};
+
+ if (!krb4_cross && strcmp(lrealm, cell) != 0) {
+ code = KERB_ERR_PRINCIPAL_UNKNOWN;
+ goto abort;
+ }
if (krb_udp_debug) {
printf ("UGetTicket: got ticket from '%s'.'%s'@'%s'\n",
|