krb5.git/src/include, branch keyring MIT Kerberos patches Make set_cloexec_fd return void 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:11:40+00:00 4547a1078afdeeb781307cf4a125baccf2edab02 We never check its return value (causing clang to emit warnings), and its use is primarily in cases where we should continue processing in the event of failure. Just ignore errors from the underlying fcntl() call (if present) and treat this operation as best-effort. The #if 0 code should probably be removed. 
We never check its return value (causing clang to emit warnings),
and its use is primarily in cases where we should continue processing
in the event of failure.  Just ignore errors from the underlying
fcntl() call (if present) and treat this operation as best-effort.

The #if 0 code should probably be removed.
KDC Audit infrastructure and plugin implementation 2013-10-05T00:25:49+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-07-20T19:47:42+00:00 1003f0173f266a6428ccf2c89976f0029d3ee831 Per project http://k5wiki.kerberos.org/wiki/Projects/Audit The purpose of this project is to create an Audit infrastructure to monitor security related events on the KDC. The following events are targeted in the initial version: - startup and shutdown of the KDC; - AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC request and request ID, KDC reply, primary and derived ticket and their ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and validated, local policy violation and protocol constraints, and KDC status message. Ticket ID is introduced to allow to link tickets to their initial TGT at any stage of the Kerberos exchange. For the purpose of this project it is a private to KDC ticket ID: each successfully created ticket is hashed and recorded into audit log. The administrators can correlate the primary and derived ticket IDs after the fact. Request ID is a randomly generated alpha-numeric string. Using this ID an administrator can easily correlate multiple audit events related to a single request. It should be informative both in cases when the request is sent to multiple KDCs, or to the same KDC multiple times. For the purpose of testing and demo of the Audit, the JSON based modules are implemented: "test" and "simple" audit modules respectively. The file plugins/audit/j_dict.h is a dictionary used in this implememtations. The new Audit system is build-time enabled and run-time pluggable. [kaduk@mit.edu: remove potential KDC crashes, minor reordering] ticket: 7712 target_version: 1.12 
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit

The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.

The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges.  This includes client address and port, KDC
  request and request ID, KDC reply, primary and derived ticket and their
  ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
  validated, local policy violation and protocol constraints, and KDC status
  message.

Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.

Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.

For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.

The new Audit system is build-time enabled and run-time pluggable.

[kaduk@mit.edu: remove potential KDC crashes, minor reordering]

ticket: 7712
target_version: 1.12
Add an internal constant-time comparison function 2013-10-03T19:26:00+00:00 Greg Hudson ghudson@mit.edu 2013-10-02T21:55:28+00:00 ac7d07c2cc54e9f07fe81ac4c50bcc80ecc7ac54 k5_bcmp acts similarly to the deprecated Unix bcmp() function, returning zero if two memory regions are equal and nonzero if they are not. It is implemented such that it should take the same amount of time regardless of how many bytes are equal within the memory regions. 
k5_bcmp acts similarly to the deprecated Unix bcmp() function,
returning zero if two memory regions are equal and nonzero if they are
not.  It is implemented such that it should take the same amount of
time regardless of how many bytes are equal within the memory regions.
Support authoritative KDB check_transited methods 2013-09-25T14:49:56+00:00 Greg Hudson ghudson@mit.edu 2013-09-25T14:40:23+00:00 0406cd81ef9d18cd505fffabba3ac78901dc797d In kdc_check_transited_list, consult the KDB module first. If it succeeds, treat this as authoritative and do not use the core transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to fall back to core mechanisms. ticket: 7709 
In kdc_check_transited_list, consult the KDB module first.  If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms.  Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.

ticket: 7709
Factor out krb5int_random_string() routine 2013-09-24T17:02:57+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-09-24T14:13:26+00:00 ee61e4adf18c6f032b7ab2fa790fb261cfc4105c Make krb5int_random_string() function available outside ccache code. Move it into a separate file under lib/krb5/krb hierarchy. 
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
Err codes in KRB_ERROR protocol messages are < 128 2013-09-23T16:06:47+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-09-19T17:11:15+00:00 58ea3bdbfe6330225a2d58dfb00ccf1ad70617fe If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC. This fix is to correct the previous behavior with [0,128] range. For more information see krb5_err.et 
If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see  krb5_err.et
Correct comments in ccselect_plugin.h 2013-09-18T20:27:05+00:00 Zhanna Tsitkov tsitkova@mit.edu 2013-09-18T20:18:11+00:00 6d53a8bf53c7380598698c3df98c96ab26db63b0 Some text mistakenly referred to password quality plugin. 
Some text mistakenly referred to password quality plugin.
Add a flag to prevent all host canonicalization 2013-09-06T05:02:28+00:00 Greg Hudson ghudson@mit.edu 2013-09-05T22:30:02+00:00 60edb321af64081e3eb597da0256faf117c9c441 If dns_canonicalize_hostname is set to false in [libdefaults], krb5_sname_to_principal will not canonicalize the hostname using either forward or reverse lookups. ticket: 7703 (new) 
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.

ticket: 7703 (new)
Fix FAST critical option bit checking 2013-09-03T23:13:51+00:00 Greg Hudson ghudson@mit.edu 2013-08-31T15:46:58+00:00 95b03a6fef4b86d1f8fac0a6ef92e86d836e261f The FAST option bits 0-15 are intended to be critical--if they are present and a KDC does not support them, the KDC is supposed to fail the request. Because of an incorrect constant, we were erroneously recognizing bits 24-31 as critical. Fix the constant. ticket: 7701 (new) 
The FAST option bits 0-15 are intended to be critical--if they are
present and a KDC does not support them, the KDC is supposed to fail
the request.  Because of an incorrect constant, we were erroneously
recognizing bits 24-31 as critical.  Fix the constant.

ticket: 7701 (new)
Support FAST hide-client-names option 2013-09-03T23:13:50+00:00 Greg Hudson ghudson@mit.edu 2013-08-31T15:45:48+00:00 0ebf39d8787b04b524967cdd48f1f1bcaf6bf8f9 In the KDC, if we see the hide-client-names option, identify the client as the anonymous principal in KDC-REP and KRB-ERROR responses. The actual client name is present in encrypted FAST elements. ticket: 7700 (new) 
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.

ticket: 7700 (new)