krb5.git/src/include/krb5, branch keyring MIT Kerberos patches KDC Audit infrastructure and plugin implementation 2013-10-05T00:25:49+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-07-20T19:47:42+00:00 1003f0173f266a6428ccf2c89976f0029d3ee831 Per project http://k5wiki.kerberos.org/wiki/Projects/Audit The purpose of this project is to create an Audit infrastructure to monitor security related events on the KDC. The following events are targeted in the initial version: - startup and shutdown of the KDC; - AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC request and request ID, KDC reply, primary and derived ticket and their ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and validated, local policy violation and protocol constraints, and KDC status message. Ticket ID is introduced to allow to link tickets to their initial TGT at any stage of the Kerberos exchange. For the purpose of this project it is a private to KDC ticket ID: each successfully created ticket is hashed and recorded into audit log. The administrators can correlate the primary and derived ticket IDs after the fact. Request ID is a randomly generated alpha-numeric string. Using this ID an administrator can easily correlate multiple audit events related to a single request. It should be informative both in cases when the request is sent to multiple KDCs, or to the same KDC multiple times. For the purpose of testing and demo of the Audit, the JSON based modules are implemented: "test" and "simple" audit modules respectively. The file plugins/audit/j_dict.h is a dictionary used in this implememtations. The new Audit system is build-time enabled and run-time pluggable. [kaduk@mit.edu: remove potential KDC crashes, minor reordering] ticket: 7712 target_version: 1.12 
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12
Correct comments in ccselect_plugin.h 2013-09-18T20:27:05+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-09-18T20:18:11+00:00 6d53a8bf53c7380598698c3df98c96ab26db63b0 Some text mistakenly referred to password quality plugin. 
Some text mistakenly referred to password quality plugin.
Add hostrealm pluggable interface definition 2013-08-15T16:27:39+00:00 Greg Hudson ghudson@mit.edu 2013-08-05T18:43:24+00:00 d61fbd85467c71c9bfb185e0e675e1619972bd0b ticket: 7687 (new) 
ticket: 7687 (new)
Add non-JSON APIs for PKINIT responder items 2013-07-17T18:57:12+00:00 Nalin Dahyabhai nalin@redhat.com 2013-07-15T17:37:00+00:00 ce02b69e27bcfa21bcab2ed195dfdbaa8040d773 Add wrappers for the JSON-oriented APIs for PKINIT responder items, modeled after the API we provide for OTP items: * krb5_responder_pkinit_get_challenge() returns the list of identities for which we need PINs * krb5_responder_pkinit_challenge_free() frees the structure that was returned by krb5_responder_pkinit_get_challenge() * krb5_responder_pkinit_set_answer() sets the answer to the PIN for one of the identities [ghudson@mit.edu: style cleanup; added comment pointing to main body of PKINIT module] ticket: 7680 
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:

* krb5_responder_pkinit_get_challenge() returns the list of
  identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
  was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
  one of the identities

[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]

ticket: 7680
Pass PKINIT identity prompts to the responder cb 2013-07-17T18:57:11+00:00 Nalin Dahyabhai nalin@dahyabhai.net 2013-07-15T17:11:00+00:00 e8b63198029c632d097822104d6e17c9a67ef1a5 Use the list of deferred identity prompts and warnings, which we have after calling pkinit_identity_initialize(), to build a list of questions to supply to responder callbacks. Before calling pkinit_identity_prompt() to actually load identities that are protected, save any passwords and PINs which a responder callback may have supplied. Because pkinit_client_prep_questions() can be called multiple times, and we don't want to try to load all of our identities each of those times, take some steps to ensure that we only call pkinit_identity_initialize() and pkinit_identity_prompt() once per request. ticket: 7680 
Use the list of deferred identity prompts and warnings, which we have
after calling pkinit_identity_initialize(), to build a list of questions
to supply to responder callbacks.

Before calling pkinit_identity_prompt() to actually load identities that
are protected, save any passwords and PINs which a responder callback
may have supplied.

Because pkinit_client_prep_questions() can be called multiple times, and
we don't want to try to load all of our identities each of those times,
take some steps to ensure that we only call pkinit_identity_initialize()
and pkinit_identity_prompt() once per request.

ticket: 7680
Clarify krb5_rd_req documentation 2013-05-22T05:55:12+00:00 Greg Hudson ghudson@mit.edu 2013-05-22T05:55:12+00:00 98aa233e18245981b491affe5fa70623cb83b705 For the user-to-user case, document that callers should pass a server principal to krb5_rd_req. For the keytab case, more accurately document which keytab keys are tried against the ticket. ticket: 7641 (new) target_version: 1.11.3 tags: pullup 
For the user-to-user case, document that callers should pass a server
principal to krb5_rd_req.  For the keytab case, more accurately
document which keytab keys are tried against the ticket.

ticket: 7641 (new)
target_version: 1.11.3
tags: pullup
Add kdcpreauth callback to check for client keys 2013-05-03T20:11:28+00:00 Greg Hudson ghudson@mit.edu 2013-04-26T19:50:05+00:00 e50482720a805ecd8c160e4a8f4a846e6327dca2 Add a new have_client_keys callback to the kdcpreauth interface, allowing modules to efficiently check whether the client DB entry has any keys matching the request enctypes. ticket: 7630 
Add a new have_client_keys callback to the kdcpreauth interface,
allowing modules to efficiently check whether the client DB entry has
any keys matching the request enctypes.

ticket: 7630
Add a few comments to `PADATA types` in krb5.hin 2013-04-18T19:27:01+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-04-18T19:21:51+00:00 b67781a8165a55f937dc53e91e28f855b8a6f4b9 Mostly, based on http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml 
Mostly, based on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml
Use macro for IANA assigned PA-AS-CHECKSUM number 2013-04-18T19:03:12+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-04-18T18:56:39+00:00 d7d74867952fdd7335f22981c66a67a61dc6e434 Replace numeric value '132' by the macro KRB5_PADATA_AS_CHECKSUM in preauth plugin. 
Replace numeric value '132' by the macro KRB5_PADATA_AS_CHECKSUM
in preauth plugin.
Add krb5_kt_dup API and use it in two places 2013-04-01T17:25:33+00:00 Greg Hudson ghudson@mit.edu 2013-04-01T17:25:33+00:00 f9c5d2277c23e40b2e929cef6e4654113b66da68 Add an API to duplicate keytab handles, mirroring krb5_cc_dup. Use it to simplify the krb5 GSS acquire_cred code. ticket: 7599 (new) 
Add an API to duplicate keytab handles, mirroring krb5_cc_dup.  Use it
to simplify the krb5 GSS acquire_cred code.

ticket: 7599 (new)