path: root/src/tests
Commit message | Author | Age | Files | Lines
...
* Regression tests for CVE-2012-1014, CVE-2012-1015 | Tom Yu | 2012-08-07 | 3 | -0/+71
  ticket: 7231 (new)
  target_version: 1.10.3
  tags: pullup
* Policy extensions + new policy: allowed ks types | Nicolas Williams | 2012-07-30 | 4 | -1/+111
  This simply adds KADM5_API_VERSION_4 and various fields to the policy structures:
  - attributes (policy-ish principal attributes)
  - max_life (max ticket life)
  - max_renewable_life (max ticket renewable life)
  - allowed_keysalts (allowed key/salt types)
  - TL data (future policy extensions)
  Of these only allowed_keysalts is currently implemented.
  Some refactoring of TL data handling is also done.
  ticket: 7223 (new)
* Add default_ccache_name profile variable | Greg Hudson | 2012-07-24 | 1 | -0/+11
  Like default_keytab_name and default_client_keytab_name, default_ccache_name is subject to parameter expansion.
  ticket: 7220 (new)
* Rename tests/t_cccol.py to t_ccache.py | Greg Hudson | 2012-07-24 | 3 | -12/+11
  Generalize the ccache collection tests in t_cccol.py to multiple kinds of ccache tests, and rename it to avoid confusion with the lower-level lib/krb5/ccache/t_cccol.py. Move a test from t_general.py into t_ccache.py.
* Add token expansion for keytab names | Greg Hudson | 2012-07-24 | 1 | -0/+16
  Make the default_keytab_name and default_client_keytab_name variables subject to parameter expansion.
  ticket: 7219 (new)
* Add basic test for credstore extensions | Simo Sorce | 2012-07-20 | 3 | -3/+175
* Add kinit/klist -i options to use client keytab | Greg Hudson | 2012-07-16 | 1 | -0/+8
  In combination with -k, -i will cause kinit or klist to use the default client keytab instead of the default acceptor keytab. This gives an easy way to figure out what default client keytab name is in use and to get credentials using it.
  ticket: 7216 (new)
* Always recreate acl files during dejagnu tests | Tom Yu | 2012-07-11 | 2 | -11/+7
  The dejagnu tests create some persistent acl files containing hostname-derived principal names. These can get out of date if the host has changed names since the last time the dejagnu tests were run, causing failures (notably in iprop.exp). To avoid this problem, change the dejagnu tests to always create new acl files for each test run.
  ticket: 7200 (new)
  tags: pullup
  target_version: 1.10.3
* Automatically create DIR ccache directories | Greg Hudson | 2012-07-11 | 2 | -2/+0
  If the directory for a DIR ccache doesn't exist yet, try to create it (but not its parents) with mode 700. Exercise this in test scripts by not pre-creating directories.
  ticket: 7196 (new)
* Enable all localizations in main functions | Ben Kaduk | 2012-07-06 | 2 | -4/+5
  Bite the bullet and pass LC_ALL to setlocale() instead of just LC_MESSAGES. Calls to setlocale() itself were introduced in fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but only for LC_MESSAGES since only localized strings were needed and that was the most conservative option. However, klist, kadmin, and kinit (and perhaps others) would benefit from localized formats for times (i.e., LC_TIME). If potentially localized data is being sent on the wire, that is a bug that should be fixed. No such bugs are found with the current test suite, so we are comfortable enabling LC_ALL at this time.
  ticket: 7192
* Pass empty string instead of NULL to printf-like | Ben Kaduk | 2012-07-03 | 1 | -1/+1
* Remove unused variable | Ben Kaduk | 2012-07-03 | 1 | -2/+0
* Minor cleanups relating to size_t being unsigned | Ben Kaduk | 2012-07-03 | 1 | -1/+1
  In order to use -1 as a sentinel value, we should explicitly cast to make it clear what we are doing. It might be better to use a less convoluted sentinel value such as SIZE_T_MAX, though. Additionally, since size_t is unsigned and at least as wide as an int, a loop with int index variable that compares against a size_t for its termination check could become an infinite loop. Make the loop index size_t for consistency.
* Add client keytab initiation support | Greg Hudson | 2012-07-02 | 5 | -2/+292
  Support acquiring GSSAPI krb5 credentials by fetching initial credentials using the client keytab. Credentials obtained this way will be stored in the default ccache or collection, and will be refreshed when they are halfway to expiring.
  ticket: 7189 (new)
* Add krb5_kt_client_default API | Greg Hudson | 2012-07-02 | 1 | -2/+14
  The default client keytab is intended to be used to automatically acquire initial credentials for client applications. The current hardcoded default is a placeholder, and will likely change before 1.11. Add test framework settings to ensure that a system default client keytab doesn't interfere with tests, and to allow tests to be written to deliberately use the default client keytab. Add documentation about keytabs to the concepts section of the RST docs, and describe the default client keytab there.
  ticket: 7188 (new)
* Try harder to make keytab-based AS requests work | Greg Hudson | 2012-07-01 | 1 | -3/+4
  When making a keytab-based AS request, a client has to choose between sending its reply key enctype preference list (the enctypes it has in the keytab) and its session key enctype preference list (all of the enctypes it supports). Heimdal and MIT krb5 1.11 clients send the reply key preference list. If this list doesn't overlap with the server principal keys (say, because the krbtgt principal has only a DES key), then the AS request will fail. Try to make this work by making the KDC optimistically pick the first permitted enctype in the request as the session key, even though it can't be certain that other KDCs in the realm support that enctype. Make sure to exercise this case in t_keytab.py by doing a multipass keytab kinit test.
  ticket: 7190 (new)
* Restore some spaces in trval | Tom Yu | 2012-06-25 | 4 | -790/+790
  This is a cosmetic change to reintroduce some space characters that cff6ea939f061d17a5742a04b8eeb2905c1813dc removed, e.g. between the tag and the length or short value.
* Eliminate trailing whitespace in trval output | Greg Hudson | 2012-06-22 | 5 | -1254/+1259
  Modify the trval output slightly so that the reference trval output files don't contain trailing whitespace, to make them friendlier to our git hooks. (The pkinit and ldap trval reference files now contain a leading blank line, which isn't very elegant, but avoiding that requires too much Makefile.in complexity.) Also correct a typo.
* Fail from gss_acquire_cred if we have no creds | Greg Hudson | 2012-06-15 | 1 | -0/+7
  If a caller tries to acquire krb5 initiator creds with no desired name and we have no credentials in the cache collection, fail from gss_acquire_cred instead of deferring until gss_init_sec_context.
  ticket: 7160
* Add control over session key enctype negotiation | Nicolas Williams | 2012-06-06 | 2 | -0/+84
  Adds a principal string attribute named "session_enctypes" which can specify what enctypes the principal supports for session keys. (For what it's worth, this actually allows one to list des-cbc-md5 as a supported session key enctype, though obviously this hardly matters now.) Add a [realms] section parameter for specifying whether to assume that principals (which lack the session_enctypes attribute) support des-cbc-crc for session keys. This allows those who still need to use allow_weak_crypto=true, for whatever reason, to start reducing the number of tickets issued with des-cbc-crc session keys to clients which still give des-cbc-crc preference in their default_tgs_enctypes list.
  [ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored test script; documented session_enctypes attribute]
* Fail from gss_acquire_cred if we have no keytab | Greg Hudson | 2012-06-03 | 1 | -0/+7
  If a caller tries to acquire krb5 acceptor creds with no desired name and we have no keytab keys, fail from gss_acquire_cred instead of deferring until gss_accept_sec_context.
  ticket: 7159 (new)
* Omit start time in common AS requests | Greg Hudson | 2012-05-11 | 1 | -10/+24
  MIT and Heimdal KDCs ignore the start time for non-postdated ticket requests, but AD yields an error if the start time is in the KDC's future, defeating the kdc_timesync option. Omit the start time if the caller did not specify a start time offset. This change reenables the client check for too much clock skew in the KDC reply in the non-timesync configuration. That check had been unintentionally suppressed since the introduction of the get_init_creds interfaces. Adjust the t_skew test script to expect the new error behavior. Code changes from stefw@gnome.org with slight modifications.
  ticket: 7130
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25864 dc483132-0cff-0310-8789-dd5450dbe970
* Add API to interpret changepw result strings | Greg Hudson | 2012-05-09 | 2 | -4/+186
  Active Directory returns structured policy information in the nominally UTF-8 result string field of a password change reply. Add a new API krb5_chpw_message() to convert a result string into a displayable message, interpreting policy information if present. Patch from stefw@gnome.org with changes.
  ticket: 7128
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25857 dc483132-0cff-0310-8789-dd5450dbe970
* Add kadmin ACL enforcement tests | Greg Hudson | 2012-04-26 | 2 | -0/+351
  Add a Python script to test the enforcement of kadm5.acl specifications, including wildcards and restrictions.
  ticket: 7097
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25828 dc483132-0cff-0310-8789-dd5450dbe970
* Add k5test.py helpers for running kadmin | Greg Hudson | 2012-04-26 | 1 | -11/+7
  Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin() to run a kadmin query using it. Modify t_stringattr.py to use these helpers instead of its own.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25826 dc483132-0cff-0310-8789-dd5450dbe970
* Flip the default of start_kadmind in k5test.py | Greg Hudson | 2012-04-26 | 14 | -29/+24
  Very few Python tests need kadmind, so it makes more sense to have to turn it on than to have to turn it off.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25825 dc483132-0cff-0310-8789-dd5450dbe970
* Add KRB5_TRACE test case | Greg Hudson | 2012-04-24 | 1 | -1/+19
  In t_general.py, run kinit with KRB5_TRACE enabled and make sure we see some basic strings in the resulting file.
  ticket: 7113
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25821 dc483132-0cff-0310-8789-dd5450dbe970
* Adjust t_general.py organization | Greg Hudson | 2012-04-24 | 1 | -21/+21
  Move some tests out of the multipass_realms loop since they aren't enctype-dependent. Fix the success message not to mention kvno wrapping. Don't start kadmind in the multipass_realms loop since we don't use it.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25820 dc483132-0cff-0310-8789-dd5450dbe970
* Try all history keys to decrypt password history | Greg Hudson | 2012-04-24 | 3 | -1/+124
  A database created prior to 1.3 will have multiple password history keys, and kadmin prior to 1.8 won't necessarily choose the first one. So if there are multiple keys, we have to try them all. If none of the keys can decrypt a password history entry, don't fail the password change operation; it's not worth it without positive evidence of password reuse.
  ticket: 7099
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25819 dc483132-0cff-0310-8789-dd5450dbe970
* Use etypes from keytab in krb5_gic_keytab | Greg Hudson | 2012-04-19 | 1 | -1/+6
  When getting initial credentials with a keytab, filter the list of request enctypes based on the keys in the keytab. Based on a patch from Stef Walter.
  ticket: 2131
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
* Add keytab kinit test cases | Greg Hudson | 2012-04-19 | 3 | -11/+30
  Create a test script for keytab-related tests. Move the kvno wrapping test there from t_general.py, and augment it to better match what's in standalone.exp. Add tests for kinit with keytab, including kinit with the most-preferred enctype missing from the keytab (which currently fails).
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25815 dc483132-0cff-0310-8789-dd5450dbe970
* Allow preauth mechs to work with clock skew | Greg Hudson | 2012-04-17 | 1 | -3/+9
  Add a clpreauth callback which gets the time of day using an offset determined by the preauth-required error, and use it in encrypted timestamp and encrypted challenge. This timestamp is not necessarily authenticated, but the security consequences for those preauth mechs are minor (and can be mitigated by turning off kdc_timesync on clients). Based on a patch from Stef Walter.
  ticket: 7114
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
* Add clock skew tests | Greg Hudson | 2012-04-17 | 2 | -0/+39
  Add a KDC option (-T) to run with a time offset, and use that to test kdc_timesync behavior.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25807 dc483132-0cff-0310-8789-dd5450dbe970
* Make cross-TGT key rollover work from AD to MIT | Greg Hudson | 2012-04-02 | 1 | -0/+35
  Active Directory always issues cross-realm tickets without a kvno, which we see as kvno 0. When we see that, try the highest kvno (as we already do) and then a few preceding kvnos so that key rollover of the AD->MIT cross TGT can work. Add new helpers kdc_rd_ap_req, which takes the place of a couple of steps from kdc_process_tgs_req, and find_server_key, which takes the place of some of the end steps of kdc_get_server_key. Code changes by Nicolas Williams. Test cases by me.
  ticket: 7109
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25799 dc483132-0cff-0310-8789-dd5450dbe970
* Only store master key list in DAL handle | Greg Hudson | 2012-03-21 | 2 | -8/+2
  r24314 (#6778) created a hybrid ownership model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash <will.fiveash@oracle.com>.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
* Properly decode etype-info2 with no salt | Greg Hudson | 2012-03-08 | 1 | -0/+40
  The data-driven decoder for etype-info2 was neglecting to call init_no_salt() when no salt is present in the encoding. Add in the missing call. Also add decode test cases for etype-info2, which would have caught this if they weren't missing.
  ticket: 7100
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25744 dc483132-0cff-0310-8789-dd5450dbe970
* Simplify some ASN.1 array encoder tests | Greg Hudson | 2012-03-08 | 3 | -67/+19
  Use encode_run() for pa_data and etype_info tests.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25743 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unused arg from encode_run in ASN.1 tests | Greg Hudson | 2012-03-08 | 1 | -93/+91
  Reformat call sites according to current coding conventions, since we're touching them all anyway.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25742 dc483132-0cff-0310-8789-dd5450dbe970
* Remove admin_keytab references in code and docs | Greg Hudson | 2012-03-04 | 3 | -3/+0
  The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
* Add test cases for Windows RODC kvno compatibility | Tom Yu | 2012-03-02 | 4 | -0/+26
  ticket: 7092
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25725 dc483132-0cff-0310-8789-dd5450dbe970
* Convert utility functions to new decoder | Greg Hudson | 2012-02-12 | 1 | -4/+14
  Create a special type to plug authdata types from authdata and make krb5int_get_authdata_containee_types use it. Add a test case for it as well. Move krb5_decode_ticket (a trivial wrapper) into asn1_k_encode.c so that krb5_decode.c is empty.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25694 dc483132-0cff-0310-8789-dd5450dbe970
* Data-driven ASN.1 decoder | Greg Hudson | 2012-02-11 | 2 | -4/+2
  Add a general ASN.1 decoder implementation in asn1_encode.c using the same data structures as the encoder (augmented where necessary), and use it to define decoder functions in asn1_k_encode.c. Add a boolean type to atype_info, as it is needed for the pa_pac_req decoder. For the moment, just #if out the old decoder functions; they and their support code can be cleaned up later after a few remaining utility functions are addressed. Changes to encoder and decoder interfaces are minimized, but there are two small ones. ldap_seqof_key_data has a kvno field added, and some of the decoder logic is pushed up into the caller. The safe_with_body decoder now outputs an allocated krb5_data * instead of a krb5_data with aliases into the input buffer.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25693 dc483132-0cff-0310-8789-dd5450dbe970
* Minimize draft9 PKINIT code by removing dead code | Greg Hudson | 2012-02-11 | 6 | -139/+1
  The PKINIT client code doesn't use decode_krb5_pa_pk_as_rep_draft9, which is fortunate because it doesn't work (see issue #7072). Instead, it passes both kinds of PKINIT replies through decode_krb5_pa_pk_as_rep, then decodes the un-enveloped CMS data in alternative 1 (encKeyPack) as either an RFC or draft9 ReplyKeyPack. So, remove the unused broken pa_pk_as_rep_draft9 decoder. For pa_pk_as_req_draft9, we only use two of the fields on encode and only one of those on decode. So, get rid of the unused fields and the krb5_trusted_ca structure, and reduce the encoder and decoder sequences to the minimum necessary fields.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25689 dc483132-0cff-0310-8789-dd5450dbe970
* Add ASN.1 decoder test for krb5_pa_pac_req | Greg Hudson | 2012-02-11 | 1 | -0/+30
  Also, if decode_krb5_ap_rep_enc_part doesn't return the expected error code in krb5_decode_test, exit with nonzero status.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25685 dc483132-0cff-0310-8789-dd5450dbe970
* Fix uninitialized variable warning in trval.c | Greg Hudson | 2012-02-07 | 1 | -1/+1
  gcc -O3 is aggressive enough to detect that do_cons() doesn't always set the value of rlen2, so trval2() gets a maybe-uninitialized warning. Squash it by initializing rlen2.
  ticket: 7088
  target_version: 1.10.1
  tags: pullup
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25679 dc483132-0cff-0310-8789-dd5450dbe970
* Dump attributes differently in t_saslname | Greg Hudson | 2012-02-03 | 1 | -10/+32
  Dump the known attributes only once, before iterating over the mechanisms, and display the short and long desc as well as the names when doing so.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25667 dc483132-0cff-0310-8789-dd5450dbe970
* Add PKINIT decoder tests | Greg Hudson | 2012-01-13 | 4 | -0/+475
  Add tests to krb5_decode_test.c for PKINIT types. Where the decoders do not match the encoders, include comments and hand-generated encodings which work with the decoder. Add a comment to asn1_k_encode.c documenting inconsistencies between the draft 9 PA-PK-AS-REQ spec and our encoder results.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25650 dc483132-0cff-0310-8789-dd5450dbe970
* Fix an allocation size bug in ASN.1 tests | Greg Hudson | 2012-01-10 | 1 | -6/+3
  ktest_make_sample_pa_pk_as_req_draft9 was allocating the wrong size of objects for the trustedCertifiers array. Fix it.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25638 dc483132-0cff-0310-8789-dd5450dbe970
* Remove unneeded kdcRealm field in PKINIT structure | Greg Hudson | 2012-01-08 | 1 | -2/+0
  krb5_pk_authenticator_draft9 had a kdcRealm field which was set by the client code but never encoded or decoded. Remove it. Eliminating this field exposed a bug in auth_pack_draft9_optional; fix that.
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25624 dc483132-0cff-0310-8789-dd5450dbe970
* Fix PKINIT serverDHNonce encoding | Greg Hudson | 2012-01-08 | 2 | -3/+2
  Use an explicit tag for serverDHNonce, as specified in RFC 4556, rather than the implicit tag we historically used. This bug had no practical effect (and creates no interoperability issues) because we never generate a serverDHNonce.
  ticket: 7061
  git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25623 dc483132-0cff-0310-8789-dd5450dbe970