| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice. This can cause some confusing and possibly problematic
behavior.
Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".
Reported independently by Denis Vlasenko and Fredrik Tolf.
ticket: 3277
tags: pullup
target_version: 1.12.2
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
|
|
|
|
|
|
|
| |
Remove the GNATS-based krb5-send-pr script and replace it with a
script that instructs users to send email.
ticket: 7840 (new)
|
|
|
|
|
|
|
|
|
|
|
| |
Since we explicitly specify the ELF object format when building
iaesx86.s or iaesx64.s, we need to restrict it to operating systems we
know to be ELF platforms. Otherwise we can break the build on OS X,
which uses the Mach-O object format.
ticket: 7812
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
| |
libkrad relies on verto_set_flags, which was added to libverto in
release 0.2.4. Make sure the system libverto has this function before
choosing it over the built-in version.
ticket: 7808 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
| |
This configure option hasn't done anything since 1.8, so don't mention
it in configure --help or the documentation. The disable_last_success
and disable_lockout DB options are now used to turn it off.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove tests/mkeystash_compat and tests/mk_migr. These are superseded
by t_mkey.py, with two exceptions:
tests/mk_migr included tests for password history across master key
rollovers. Historical keys are encrypted in the kadmin/history key
(which is accessed like any other key), so there isn't a specific need
to test this unless we implement #1221.
tests/mk_migr had provisions for testing master key rollover with the
LDAP KDB module. All master key logic used in the LDAP KDB module is
shared with the DB2 module in lib/kdb, so there is no specific need to
test this combination.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the hostrealm interface, a harness to call
the realm mapping functions and display their results, and a Python
script to exercise the functionality of the interface and each module
(except the dns module, which we cannot easily test since it relies on
TXT records in the public DNS).
ticket: 7687
|
|
|
|
|
|
|
|
|
|
| |
This plugin implements the proposal for providing OTP support by
proxying requests to RADIUS. Details can be found inside the
provided documentation as well as on the project page.
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS
ticket: 7678
|
|
|
|
|
|
|
|
| |
The new library libkrad provides code for the parsing of RADIUS packets
as well as client implementation based around libverto. This library
should be considered unstable.
ticket: 7678 (new)
|
|
|
|
|
|
|
|
|
|
| |
Create a test module for the pwqual interface, and script to exercise
the built-in and test modules through kadmin.local. Also create a
test harness to display the order of pwqual modules for the current
configuration, and use it to test the plugin module ordering
guarantees.
ticket: 7665
|
|
|
|
|
|
|
|
|
|
| |
AC_MSG_RESULT is to print result after AC_MSG_CHECKING.
AC_MSG_NOTICE is to deliver message to user.
So use AC_MSG_NOTICE for --with options.
Remove overquoting too.
ticket: 7648
|
|
|
|
|
|
|
| |
If yasm and cpuid.h are present on a Linux i686 or x64 system, compile
the modified Intel AES-NI assembly sources. In the builtin AES enc
provider, check at runtime whether the CPU supports AES-NI
instructions and use the assembly functions if so.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The AUTH_GSSAPI flavor of rpc authentication uses IP address channel
bindings. These are broken over UDP, because svcudp_recv() fails to
get the destination address of incoming packets (it tries to use the
recvmsg() msg_name field to get the destination IP address, which
instead gets the source address; see ticket #5540).
There is no simple or comprehensive way to fix this; using IP_PKTINFO
is a fair amount of code and only works on some platforms. It's also
not very important--nobody should be using AUTH_GSSAPI except perhaps
for compatibility with really old kadmin, and kadmin only runs over
TCP. Since the gssrpc tests are closely wedded to AUTH_GSSAPI, the
simplest fix is to only run the TCP pass.
|
|
|
|
| |
ticket: 7620
|
|
|
|
|
|
|
|
| |
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
|
|
|
|
|
|
|
|
|
| |
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
|
|
|
|
|
|
|
|
|
|
|
| |
Add seven data files for pkg-config, corresponding to the five modules
supported by krb5-config. For krb5 and krb5-gssapi, we also provide
mit- versions for callers desiring to distinguish between our
implementation and Heimdal's.
Based on a patch from Stef Walter <stefw@gnome.org>.
ticket: 7529 (new)
|
|
|
|
|
|
| |
In preparation for adding a bunch of pkg-config data files, move
krb5-config into a new source tree subdirectory containing tools we
provide as outputs to other build systems.
|
|
|
|
| |
grep -q isn't as portable as we would like, so don't use it.
|
|
|
|
|
|
|
| |
We generate man pages from RST sources now; they are checked into
the tree in src/man/.
The gen-manpages directory is no longer needed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The upstream libverto depends on dynamic loading and in particular on
dladdr(), which is not universal. To avoid this dependency, stub out
support for module loading (by replacing module.c) and instead
integrate the k5ev module directly into the bundled verto library.
This change removes the need to link, include, and invoke libverto
differently depending on whether we're using the bundled library; we
can always just link with -lverto and call verto_default().
bigredbutton: whitespace
ticket: 7351 (new)
|
|
|
|
|
|
|
| |
Change the default client keytab name, if not overridden at build
time, to FILE:$localstatedir/krb5/user/%{euid}/client.keytab.
Introduce a second file from the autoconf archives in order to
recursively expand $localstatedir within configure.in.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to
change the built-in ccache and keytab names.
* Add krb5-config options to display the built-in ccache and keytab
names.
* In the default build, use krb5-config to discover the system's
built-in ccache and keytab names and use them (if not overridden).
This can be controlled with the --with-krb5-config=PATH or
--without-krb5-config configure options.
* Make the built-in ccache name subject to parameter expansion.
ticket: 7221 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce src/doc/Makefile.in, which will eventually subsume
doc/Makefile (but will still pull sources from doc). In the rstman
target there, create man pages with symbolic path references (like
@SBINDIR@). In man/Makefile.in, substitute the path references with
the configured paths before installing.
Man pages generated from RST source are now checked into the source
tree under the name filename.man. This lets us use a single implicit
.man.sub rule for the path substitutions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25786 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
autoconf 2.5x does not define localedir, so we have to detect that and
do it ourselves.
ticket: 7095
target_version: 1.10.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25777 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
ticket: 7074
target_version: 1.10.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25716 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Install sphinx-generated manpages. Original nroff manpages remain for
reference until proofreading is complete. Modify
doc/rst_source/conf.py to better deal with shadow manpages -- sphinx
will now build k5login.5 instead of .k5login.5, and kadmin.1 instead
of both kadmin.1 and kadmin.local.8.
Proofreaders should ensure that the original nroff manpages (and
associated Makefile rules) are deleted once their reST format
equivalents have been proofread.
ticket: 7064
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not add decode tests, because those would trip some bugs in the
decoders, and we can't safely fix some of those bugs without interop
testing. Encode tests are sufficient to detect when we
unintentionally change the output of the encoders.
Fix trval2() not to use the context shortcut on primitive context
tags.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25609 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we're using the system verto and pkg-config isn't found but
libverto is, set VERTO_LIBS to just -lverto as there won't be a k5ev
module.
ticket: 7029
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25493 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
for pkinit. A similar problem exists for crypto_impl and is not
addressed by this patch.
ticket: new Subject: LIBS should not include PKINIT_CRYPTO_IMPL_LIBS tags: pullup target_version: 1.10
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25491 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
From nalin@redhat.com.
ticket: 6999
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25445 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
The presence of dgettext in libc or libintl doesn't imply that msgfmt
is installed, so conditionalize building the po subdir on whether
msgfmt is installed.
ticket: 6997
target_version: 1.10
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25425 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
The configure.in code for the PKINIT NSS back end version check was
copied from the k5crypto NSS back end version check, but from before
r25181 which added AC_LANG_SOURCE wrappers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25360 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Add an implementation of PKINIT using NSS instead of OpenSSL, from
nalin@redhat.com.
ticket: 6975
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25327 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Microsecond accuracy on _WIN32, but only one second accuracy on other,
AFAIK purely hypothetical, platforms that lack native gettimeofday.
Shamelessly cribbed from Heimdal.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25310 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25283 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25274 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
Since it has no external dependencies, split up encrypted preauth into
clpreauth and kdcpreauth chunks and link them directly into the
consumers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
semaphore.h, since the results of the tests are never used.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25182 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
messages. Verified to produce the same configure script (under
autoconf 2.68 on Mac OS X) as before.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25181 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
Give libverto-k5ev a header file. When using the internal verto
library, link against -lverto-k5ev and use verto_default_k5ev()
instead of verto_default(), bypassing the module loading logic and
making static builds possible.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25166 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* "kdestroy -A" destroys all caches in collection.
* "kinit princ" searches the collection for a matching cache and
overwrites it, or creates a new cache in the collection, if the
type of the default cache is collection-enabled. The chosen cache
also becomes the primary cache for the collection.
* "klist -l" lists (in summary form) the caches in the collection.
* "klist -A" lists the content of all of the caches in the collection.
* "kswitch -c cache" (new command) makes cache the primary cache.
* "kswitch -p princ" makes the cache for princ the primary cache.
ticket: 6956
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25157 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25153 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
Add configure and build support for libverto and the libverto-k5ev
module. Fix the version script rules to work for libraries with
hyphens in their names.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25127 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
Also clean the built message catalogs in "make clean".
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25112 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
The configure script was correctly detecting that libedit was absent,
but was setting RL_CFLAGS to garbage in the process.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25036 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
By default, look for libedit (using pkg-config) and use it in libss.
Alternatively, the builder can explicitly ask for GNU Readline, but
using it will break the dejagnu test suite and will also add a GPL
dependency to libss and the programs using it.
ticket: 6931
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25035 dc483132-0cff-0310-8789-dd5450dbe970
|