Apply by doing:
cd /usr/src
patch -p0 < 026_kerberos.patch
And then rebuild and install the Kerberos 5 KDC:
cd kerberosV/lib/roken
make obj
make cleandir
make depend
make
cd ../../libexec/kdc
make obj
make cleandir
make depend
make
make install
Index: kerberosV/src/kdc/524.c
===================================================================
RCS file: /cvs/src/kerberosV/src/kdc/524.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- kerberosV/src/kdc/524.c 6 Feb 2002 08:54:50 -0000 1.1.1.3
+++ kerberosV/src/kdc/524.c 22 Mar 2003 06:57:21 -0000 1.1.1.3.2.1
@@ -251,6 +251,14 @@
 free_EncTicketPart(&et);
 goto out;
 }
+ if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+ kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+ t->realm);
+ free_EncTicketPart(&et);
+ ret = KRB5KDC_ERR_POLICY;
+ goto out;
+ }
+
 ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf), &et, &t->sname, &len);
 free_EncTicketPart(&et);
Index: kerberosV/src/kdc/config.c
===================================================================
RCS file: /cvs/src/kerberosV/src/kdc/config.c,v
retrieving revision 1.1.1.3
retrieving revision 1.1.1.3.2.1
diff -u -r1.1.1.3 -r1.1.1.3.2.1
--- kerberosV/src/kdc/config.c 6 Feb 2002 08:54:50 -0000 1.1.1.3
+++ kerberosV/src/kdc/config.c 22 Mar 2003 06:57:21 -0000 1.1.1.3.2.1
@@ -67,6 +67,7 @@
 char *v4_realm;
 int enable_v4 = -1;
 int enable_524 = -1;
+int enable_v4_cross_realm = -1;
 int enable_kaserver = -1;
 #endif
@@ -100,6 +101,10 @@
 { "524", 0, arg_negative_flag, &enable_524, "don't respond to 524 requests" },
+ { "kerberos4-cross-realm", 0, arg_flag,
+ &enable_v4_cross_realm,
+ "respond to kerberos 4 requests from foreign realms"
+ },
 { "v4-realm", 'r', arg_string, &v4_realm, "realm to serve v4-requests for"
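Review bot: In the 524.c hunk the new guard `if (!enable_v4_cross_realm && ...)` treats every non-zero value as "enabled", and config.c initialises the flag to the sentinel `-1`, so any path that reaches this test before the sentinel has been resolved would skip the realm comparison and fail open. Whether such a path exists is not visible here, but testing for the enabled state keeps the default deny: `if (enable_v4_cross_realm <= 0 && strcmp(et.crealm, t->realm) != 0) {`. The same guard appears in the kerberos4.c hunk (`strcmp(realm, v4_realm)`) and would take the same change. The enclosing function starts and ends outside the hunk.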
@@ -301,6 +306,12 @@
 if(enable_v4 == -1) enable_v4 = krb5_config_get_bool_default(context, cf, TRUE, "kdc", "enable-kerberos4", NULL);
+ if(enable_v4_cross_realm == -1)
+ enable_v4_cross_realm =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE, "kdc",
+ "enable-kerberos4-cross-realm",
+ NULL);
 if(enable_524 == -1) enable_524 = krb5_config_get_bool_default(context, cf, enable_v4, "kdc", "enable-524", NULL);
@@ -325,8 +336,11 @@
 "kdc", "v4-realm", NULL);
- if(p)
+ if(p != NULL) {
 v4_realm = strdup(p);
+ if (v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ }
 }
 if (enable_kaserver == -1) enable_kaserver = krb5_config_get_bool_default(context, cf, FALSE,
@@ -355,6 +369,8 @@
 #ifdef KRB4
 if(v4_realm == NULL){
 v4_realm = malloc(40); /* REALM_SZ */
+ if (v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
 krb_get_lrealm(v4_realm, 1);
 }
 #endif
Index: kerberosV/src/kdc/kdc.8
===================================================================
RCS file: /cvs/src/kerberosV/src/kdc/kdc.8,v
retrieving revision 1.2
retrieving revision 1.2.4.1
diff -u -r1.2 -r1.2.4.1
--- kerberosV/src/kdc/kdc.8 25 Jun 2001 04:43:37 -0000 1.2
+++ kerberosV/src/kdc/kdc.8 22 Mar 2003 06:57:21 -0000 1.2.4.1
@@ -1,4 +1,4 @@
-.\" $KTH: kdc.8,v 1.13 2001/06/08 21:35:32 joda Exp $
+.\" $Id: kdc.8,v 1.2.4.1 2003/03/22 06:57:21 miod Exp $
 .\"
 .Dd July 27, 1997
 .Dt KDC 8
@@ -19,6 +19,7 @@
 .Fl -v4-realm= Ns Ar string
 .Xc
 .Oc
+.Op Fl -kerberos4-cross-realm
 .Op Fl K | Fl -no-kaserver
 .Op Fl r Ar realm
 .Op Fl -v4-realm= Ns Ar realm
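Review bot: In config.c (hunk at -301) the added lookup passes `NULL` as the second argument to `krb5_config_get_bool_default`, while the `enable-kerberos4` and `enable-524` lookups on either side of it pass `cf`. If `cf` is the KDC's own configuration, as the neighbouring calls suggest, an `enable-kerberos4-cross-realm` entry placed there next to the other `kdc` options may not be consulted; that fails closed (default `FALSE`) but leaves the operator with a setting that silently has no effect. Either pass `cf` like the other calls, `krb5_config_get_bool_default(context, cf, FALSE, "kdc", "enable-kerberos4-cross-realm", NULL);`, or add a comment saying why this one option is read from a different source. The function body starts and ends outside the hunk.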
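Review bot: In config.c (hunk at -355) the result of `krb_get_lrealm(v4_realm, 1)` is still ignored after the added allocation check, so if the lookup fails `v4_realm` may be left holding whatever the fresh `malloc(40)` buffer contained. That matters more with this patch, because kerberos4.c now makes a policy decision on `strcmp(realm, v4_realm)`. Suggest `if (krb_get_lrealm(v4_realm, 1) != KSUCCESS) krb5_errx(context, 1, "no local krb4 realm");` (message wording is only a suggestion); whether krb_get_lrealm terminates the buffer on failure is not visible here. The literal 40 would also read better as the `REALM_SZ` constant the comment already names.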
@@ -56,6 +57,12 @@
 .Xc
 Gives an upper limit on the size of the requests that the kdc is willing to handle.
+.It Xo
+.Fl -kerberos4-cross-realm
+.Xc
+respond to kerberos 4 requests from foreign realms.
+This is a known security hole and should not be enabled unless you
+understand the consequences and are willing to live with them.
 .It Xo
 .Fl H Ns ,
 .Fl -enable-http
Index: kerberosV/src/kdc/kdc_locl.h
===================================================================
RCS file: /cvs/src/kerberosV/src/kdc/kdc_locl.h,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -u -r1.3 -r1.3.2.1
--- kerberosV/src/kdc/kdc_locl.h 6 Feb 2002 09:10:02 -0000 1.3
+++ kerberosV/src/kdc/kdc_locl.h 22 Mar 2003 06:57:21 -0000 1.3.2.1
@@ -67,6 +67,7 @@
 extern char *v4_realm;
 extern int enable_v4;
 extern int enable_524;
+extern int enable_v4_cross_realm;
 extern krb5_boolean enable_kaserver;
 #endif
Index: kerberosV/src/kdc/kerberos4.c
===================================================================
RCS file: /cvs/src/kerberosV/src/kdc/kerberos4.c,v
retrieving revision 1.1.1.2
retrieving revision 1.1.1.2.2.1
diff -u -r1.1.1.2 -r1.1.1.2.2.1
--- kerberosV/src/kdc/kerberos4.c 6 Feb 2002 08:54:52 -0000 1.1.1.2
+++ kerberosV/src/kdc/kerberos4.c 22 Mar 2003 06:57:21 -0000 1.1.1.2.2.1
@@ -430,6 +430,13 @@
 goto out2;
 }
+ if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
+ kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
+ make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't hop realms");
+ goto out2;
+ }
+
 if(strcmp(sname, "changepw") == 0){
 kdc_log(0, "Bad request for changepw ticket");
 make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
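Review bot: The denial message in the kerberos4.c hunk is spelled `"krb4 Cross-realm %s -> %s disabled"`, while the 524.c hunk logs `"524 cross-realm %s -> %s disabled"`, so a single case-sensitive log match on the phrase will miss one of the two refusal paths. Suggest lower-casing it to match, `kdc_log(0, "krb4 cross-realm %s -> %s disabled", realm, v4_realm);`. `realm` appears to come from the request (its origin is outside the hunk), so anything that parses or alerts on these lines should treat that field as untrusted text. The enclosing block starts and ends outside the hunk.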