| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.
ticket: 7190
|
| |
|
|
|
|
|
|
|
| |
Support acquiring GSSAPI krb5 credentials by fetching initial
credentials using the client keytab. Credentials obtained this way
will be stored in the default ccache or collection, and will be
refreshed when they are halfway to expiring.
ticket: 7189 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default client keytab is intended to be used to automatically
acquire initial credentials for client applications. The current
hardcoded default is a placeholder, and will likely change before
1.11.
Add test framework settings to ensure that a system default client
keytab doesn't interfere with tests, and to allow tests to be written
to deliberately use the default client keytab.
Add documentation about keytabs to the concepts section of the RST
docs, and describe the default client keytab there.
ticket: 7188 (new)
|
| |
|
|
|
|
|
|
|
|
| |
In the regular krb5 code path, only get a default krb5 cred for the
initial token, since we don't need the cred for mutual_auth anyway.
In the IAKERB mechanism, cache the default cred in iakerb_ctx_id_rec
so we don't have to construct it again for each token. Also, get an
IAKERB default cred, not a regular krb5 cred (a bug which is harmless
now, but becomes more of a problem with keytab initiation changes).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.
Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.
Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.
ticket: 7190 (new)
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The tgt_expire field is used to store non-TGT expiry times in a couple
of cases: when the ccache has no TGT, and after we've obtained a cred
for the target service. Rename it to just "expire" to be less
misleading.
|
| |
|
|
|
| |
Avoid rereading the ccache in order to find the impersonator config
entry. Instead, check each entry as we scan through the first time.
|
| |
|
|
|
| |
The password is always zero-terminated, so we can store it as a char *
instead of a krb5_data.
|
| |
|
|
|
|
| |
This is a cosmetic change to reintroduce some space characters that
cff6ea939f061d17a5742a04b8eeb2905c1813dc removed, e.g. between the tag
and the length or short value.
|
| |
|
|
|
|
|
|
|
|
| |
If read_primary_file() fails with an error other than ENOENT, abort
cache resolution rather than dereferencing a null pointer. Reported
by Oliver Loch.
ticket: 7185
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
|
|
| |
Modify the trval output slightly so that the reference trval output
files don't containing trailing whitespace, to make them friendlier to
our git hooks. (The pkinit and ldap trval reference files now contain
a leading blank line, which isn't very elegant, but avoiding that
requires too much Makefile.in complexity.) Also correct a typo.
|
| |
|
|
|
|
| |
struct acquire_cred_args was used purely to pass arguments to
acquire_cred (a static function), and had no advantages for that
purpose over positional arguments.
|
| |
|
|
|
|
|
| |
krb5_is_config_principal should be invoked on creds.server, not
creds.client.
ticket: 7173
|
| |
|
|
|
|
|
|
| |
Add a preprocessor constant LOOKASIDE_MAX_SIZE (defaulting to 10MB)
which limits the total size of the lookaside cache entries. Purge
stale entries in kdc_insert_lookaside instead of kdc_check_lookaside,
and when doing so, continue purging non-stale entries until the total
cache size (including the new entry) is within the size constraint.
|
| |
|
|
|
| |
Use krb5_data structures instead of pointers in the entry structure,
reducing the number of memory allocations.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Code changes suggested by nalin@redhat.com.
ticket: 7183
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Also, in klist, use the appropriate libkrb5 free functions for
krb5_cc_get_full_name and krb5_unparse_name_results. Reported by
Kevin Wasserman.
ticket: 7179
|
| | |
|
| |
|
|
|
|
|
|
| |
If a caller tries to acquire krb5 initiator creds with no desired name
and we have no credentials in the cache collection, fail from
gss_acquire_cred intead of deferring until gss_init_sec_context.
ticket: 7160
|
| |
|
|
|
|
|
| |
Add a new API to determine whether any krb5 credentials are available
in the ccache collection. Add tests to t_cccol.py.
ticket: 7173 (new)
|
| |
|
|
|
| |
krb5int_cc_os_default_name has been unused since #6955 removed the
call to it in cccursor.c. Get rid of it.
|
| |
|
|
|
|
|
| |
The default realm could be leaked if the principal had the wrong
number of components. Reported by Russ Allbery.
ticket: 7161
|
| |
|
|
|
|
|
|
| |
The big_endian flag in krb5_gss_ctx_id_rec is there for
interoperability with a really ancient implementation which we believe
is no longer in use. Get rid of it and the code to handle it.
ticket: 7166 (new)
|
| |
|
|
| |
The etypes list was never freed. Also use k5_etypes_contains.
|
| |
|
|
|
|
|
| |
Rename krb5int_count_etypes and krb5int_copy_etypes to have k5_
prefixes, and make them available outside of libkrb5 (but not part of
the public API). Add k5_etypes_contains to search an etype list, and
use it in krb5_is_permitted_enctype.
|
| |
|
|
|
| |
It's an internal function (not in krb5.h or the libkrb5 export list)
and nothing uses it.
|
| |
|
|
|
|
|
|
| |
#7125 took out the copy of the krb5_verify_init_creds server argument
but left in the corresponding free, so it was freeing a caller-owned
principal. Reported by Russ Allbery.
ticket: 7162
|
| |
|
|
|
|
| |
Attempt to choose tracing inputs in t_trace.c which will produce
consistent output across platforms and logins. Re-enable the
comparison against the reference file.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
| |
|
|
|
|
|
| |
Allow --debug to be used for commands which start daemons, to make it
easier to debug startup issues. After debugging a daemon, the script
will exit, since the daemon won't be running after the debugging
session is over.
|
| |
|
|
|
|
|
|
|
|
| |
r25844 (#7124) stopped using AI_ADDRCONFIG when canonicalizing
hostnames in sn2princ. So we need to also stop using it in k5test.c's
_get_hostname() or we could come up with a different result on a
system where forward and reverse resolution via IPv4 and IPv6 produce
different results. That in turn causes a t_gssapi.py test (the one
using the un-canonicalized hostname) to fail, because libkrb5 looks
for a different host principal than k5test.py put in the keytab.
|
| | |
|
| |
|
|
|
|
| |
The t_trace output isn't consistent from run to run. To fix "make
check", disable the comparison against the reference file until we can
make the output consistent.
|
| |
|
|
|
|
|
| |
Only use common denominator Bourne shell syntax for exporting
environment variables. Don't rely on /dev/stdout working. Compare
the output with a reference file to detect changes, instead of just
sending it to stdout.
|
| |
|
|
| |
ticket: 7150
|
| |
|
|
|
|
|
|
| |
If a caller tries to acquire krb5 acceptor creds with no desired name
and we have no keytab keys, fail from gss_acquire_cred instead of
deferring until gss_accept_sec_context.
ticket: 7159 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
If we can't acquire creds for any mech in gss_acquire_cred, return the
status of the first mech instead of the last mech, as it's more useful
in the typical case (where the first mech is krb5 and the last mech is
SPNEGO). This error reporting is not ideal when the user was
expecting to use some mech other than krb5, but it's about as good as
things were prior to #6894.
ticket: 6973
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add the krb5_kt_have_content API from Heimdal, which can be used to
test whether a keytab exists and contains entries. Add tests to
t_keytab.c.
There is a deviation from Heimdal in the function signature.
Heimdal's signature returns a krb5_boolean at the moment, because the
Heimdal implementation actually returns a krb5_error_code. These are
generally the same type anyway (int).
ticket: 7158 (new)
|
| |
|
|
|
|
|
| |
When checking for specific error codes, using CHECK() meant that we
wouldn't properly fail if we got error code 0. Define and use a
CHECK_ERR() to test for a specific error code, and define CHECK() in
terms of it.
|
| |
|
|
|
|
|
|
|
|
|
| |
In r21879, when we converted to using KRB5_CONF macros for profile
variable names, we made a typo in krb5_get_tgs_ktypes and erroneously
started using default_tkt_enctypes instead of default_tgs_enctypes for
TGS requests. Fix the typo and return to the documented behavior.
ticket: 7155
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
|
| |
Add a hash table to kdc/replay.c for fast lookup of incoming packets.
Continue to keep a time-ordered linked list of all entries for fast
expiry of stale entries. The preprocessor constant
LOOKASIDE_HASH_SIZE can be used to change the size of the hash table.
|
| |
|
|
|
| |
queue.h implements various types of linked lists as cpp macros,
without needing any library support.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name"). Only clients authorized to create principals can trigger the
bug. Fix the bug by testing for a null password in check_1_6_dummy.
CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C
[ghudson@mit.edu: Minor style change and commit message]
ticket: 7152
target_version: 1.10.2
tags: pullup
|
