From 05b3b6a305ddbb56cc53bbeadf5866db4d785f49 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Tue, 2 Mar 2021 15:09:26 +0100 Subject: [PATCH] auth/cephx: ignore CEPH_ENTITY_TYPE_AUTH in requested keys When handling CEPHX_GET_AUTH_SESSION_KEY requests from nautilus+ clients, ignore CEPH_ENTITY_TYPE_AUTH in CephXAuthenticate::other_keys. Similarly, when handling CEPHX_GET_PRINCIPAL_SESSION_KEY requests, ignore CEPH_ENTITY_TYPE_AUTH in CephXServiceTicketRequest::keys. These fields are intended for requesting service tickets, the auth ticket (which is really a ticket granting ticket) must not be shared this way. Otherwise we end up sharing an auth ticket that a) isn't encrypted with the old session key even if needed (should_enc_ticket == true) and b) has the wrong validity, namely auth_service_ticket_ttl instead of auth_mon_ticket_ttl. In the CEPHX_GET_AUTH_SESSION_KEY case, this undue ticket immediately supersedes the actual auth ticket already encoded in the same reply (the reply frame ends up containing two auth tickets). Signed-off-by: Ilya Dryomov (cherry picked from commit 05772ab6127bdd9ed2f63fceef840f197ecd9ea8)
---
 src/auth/cephx/CephxServiceHandler.cc | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/auth/cephx/CephxServiceHandler.cc b/src/auth/cephx/CephxServiceHandler.cc
index cb5f9a796bcda..82c964e47fa02 100644
--- a/src/auth/cephx/CephxServiceHandler.cc
+++ b/src/auth/cephx/CephxServiceHandler.cc
@@ -273,11 +273,14 @@ int CephxServiceHandler::handle_request(
 }
 }
 encode(cbl, *result_bl);
- // provite all of the other tickets at the same time
+ // provide requested service tickets at the same time
 vector info_vec;
 for (uint32_t service_id = 1; service_id <= req.other_keys;
 service_id <<= 1) {
- if (req.other_keys & service_id) {
+ // skip CEPH_ENTITY_TYPE_AUTH: auth ticket is already encoded
+ // (possibly encrypted with the old session key)
+ if ((req.other_keys & service_id) &&
+ service_id != CEPH_ENTITY_TYPE_AUTH) {
 ldout(cct, 10) << " adding key for service "
 << ceph_entity_type_name(service_id) << dendl;
 CephXSessionAuthInfo svc_info;
@@ -337,7 +340,10 @@ int CephxServiceHandler::handle_request(
 int service_err = 0;
 for (uint32_t service_id = 1; service_id <= ticket_req.keys;
 service_id <<= 1) {
- if (ticket_req.keys & service_id) {
+ // skip CEPH_ENTITY_TYPE_AUTH: auth ticket must be obtained with
+ // CEPHX_GET_AUTH_SESSION_KEY
+ if ((ticket_req.keys & service_id) &&
+ service_id != CEPH_ENTITY_TYPE_AUTH) {
 ldout(cct, 10) << " adding key for service "
 << ceph_entity_type_name(service_id) << dendl;
 CephXSessionAuthInfo info;
--
2.39.5
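Review bot: The added `service_id != CEPH_ENTITY_TYPE_AUTH` test narrows which bits are honoured, but the enclosing loop still terminates only through `service_id <= req.other_keys`; if `other_keys` is a 32-bit field (its declaration is not in the hunk), a request with bit 31 set lets `service_id <<= 1` wrap to 0, after which `0 <= req.other_keys` stays true and the loop never exits. Changing the loop condition to `service_id != 0 && service_id <= req.other_keys;` (or masking the request down to the known CEPH_ENTITY_TYPE_* bits before the loop) closes that independently of this patch, and the `ticket_req.keys` loop in the second hunk has the same shape. A requested AUTH bit is now dropped silently; a line next to the existing "adding key" output, such as `ldout(cct, 10) << " ignoring request for auth ticket" << dendl;`, would keep such requests visible when auditing client behaviour. handle_request begins and ends outside both hunks.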