From 551c4b42142e8de63ade61d58649149855cf32bf Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 29 Apr 2022 12:18:37 +1200
Subject: [PATCH] third_party/heimdal: Enforce hardware authentication for accounts requiring it

Signed-off-by: Joseph Sutton
---
 kdc/kerberos5.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index d5ed939945..0f62e7fb42 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -990,6 +990,7 @@ struct kdc_patypes {
 #define PA_SYNTHETIC_OK 4
 #define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */
 #define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */
+#define PA_HARDWARE_AUTH 32 /* PA mech uses hardware authentication */
 krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa);
 krb5_error_code (*finalize_pac)(astgs_request_t r);
 void (*cleanup)(astgs_request_t r);
@@ -999,11 +1000,11 @@ static const struct kdc_patypes pat[] = {
 #ifdef PKINIT
 {
 KRB5_PADATA_PK_AS_REQ, "PK-INIT(ietf)",
- PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY,
+ PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY | PA_HARDWARE_AUTH,
 pa_pkinit_validate, NULL, NULL
 },
 {
- KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE | PA_REPLACE_REPLY_KEY,
+ KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE | PA_REPLACE_REPLY_KEY | PA_HARDWARE_AUTH,
 pa_pkinit_validate, NULL, NULL
 },
 {
@@ -2245,6 +2246,13 @@ _kdc_as_rep(astgs_request_t r)
 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 goto out;
 }
+ if (r->client->flags.require_hwauth &&
+ !(pat[n].flags & PA_HARDWARE_AUTH)) {
+ kdc_log(r->context, config, 4, "Hardware authentication required for %s", r->cname);
+
+ ret = KRB5KDC_ERR_POLICY;
+ goto out;
+ }
 kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s", pat[n].name);
 ret = pat[n].validate(r, pa);
-- 
2.39.1
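Review bot: The new `require_hwauth` rejection in the `_kdc_as_rep` hunk runs before the `kdc_audit_addkv(... "pa" ...)` call that follows it, so the audit record for a refused request never names the pre-authentication mechanism the client offered and the only trace is the level-4 `kdc_log` line; recording the mechanism before bailing out, e.g. `kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s", pat[n].name);` placed ahead of the new `if`, lets an operator distinguish a misconfigured client from a non-hardware logon attempt against an account that requires hardware authentication. The check also appears to sit inside the per-mechanism loop over `pat`, so it only covers requests carrying a pa-data the KDC recognises; a request from such an account with no pre-authentication at all is decided by code after this hunk, which should be confirmed to refuse it rather than continue on a non-hardware path. The first hunk tags both PKINIT entries as `PA_HARDWARE_AUTH` unconditionally, which treats any PKINIT credential, including a software-stored certificate, as satisfying the policy; the define's comment could record that assumption, e.g. `/* PA mech satisfies require_hwauth; PKINIT is assumed to be smart-card backed */`. `_kdc_as_rep` begins and continues outside the hunk.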