diff options
| author | Simo Sorce <simo@redhat.com> | 2016-12-02 06:48:35 -0500 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2017-02-14 17:36:58 -0500 |
| commit | 399ab5b87a6d983bd5e3882d0660b81942c184e4 (patch) | |
| tree | ff3f12613b239b28b0dfa32fa536a1bb86147ed3 /ipalib | |
| parent | 09886c1e89532a64c4f1e5b5a68135390113f5b3 (diff) | |
| download | freeipa-399ab5b87a6d983bd5e3882d0660b81942c184e4.tar.gz freeipa-399ab5b87a6d983bd5e3882d0660b81942c184e4.tar.xz freeipa-399ab5b87a6d983bd5e3882d0660b81942c184e4.zip | |
Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/constants.py | 3 | ||||
| -rw-r--r-- | ipalib/install/kinit.py | 30 |
2 files changed, 32 insertions, 1 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py index 81643da1b..c67340751 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -276,3 +276,6 @@ RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' # regexp definitions PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$' + +# Kerberos Anonymous principal name +ANON_USER = 'WELLKNOWN/ANONYMOUS' diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 2c59b5e13..1e4d1a82f 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -7,6 +7,7 @@ import time import gssapi +from ipalib.constants import ANON_USER from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import run @@ -61,7 +62,6 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): else: os.environ.pop('KRB5_CONFIG', None) - def kinit_password(principal, password, ccache_name, config=None, armor_ccache_name=None, canonicalize=False, enterprise=False): @@ -95,3 +95,31 @@ def kinit_password(principal, password, ccache_name, config=None, capture_error=True) if result.returncode: raise RuntimeError(result.error_output) + + +def kinit_armor(ccache_name): + """ + perform kinit to obtain anonymous ticket to be used as armor for FAST. + """ + root_logger.debug("Initializing anonymous ccache") + + env = {'LC_ALL': 'C'} + # try with the keytab first and then again fallback to try with pkinit in + # case someone decided it is fun to remove Anonymous keys from the entry + # or in future pkinit enabled principal enforce the use of pkinit + try: + # Gssapi does not understand anonymous cred use kinit command instead + args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB, + ANON_USER, '-c', ccache_name] + run(args, env=env, raiseonerr=True, capture_error=True) + return + except Exception as e: + root_logger.debug("Failed to init Anonymous keytab: %s", e, + exc_info=True) + + root_logger.debug("Fallback to slower Anonymous PKINIT") + args = [paths.KINIT, '-n', '-c', ccache_name] + + # this workaround enables us to capture stderr and put it + # into the raised exception in case of unsuccessful authentication + run(args, env=env, raiseonerr=True, capture_error=True) |