authorNalin Dahyabhai <nalin@redhat.com>2011-02-09 15:25:17 -0500
committerNalin Dahyabhai <nalin@redhat.com>2011-02-09 15:25:17 -0500
commit08f510b3798ad91a2562d60dc173b08c91cb4f65 (patch)
treee4fe4e5c059a96b9f8fd3ccca8e9967c3d6cc3a9
parent62cb58fe6fd594e356532f7af11ddc2043c96ec2 (diff)
- krb5kdc init script: prototype some changes to do a quick spot-checkkrb5-1.9-5.fc15
of the TGS and kadmind keys and warn if there aren't any non-weak keys on file for them (to flush out parts of #651466)
-rw-r--r--kdb_check_weak.c183
-rw-r--r--krb5.spec18
-rwxr-xr-xkrb5kdc.init10
3 files changed, 210 insertions, 1 deletions
diff --git a/kdb_check_weak.c b/kdb_check_weak.c
new file mode 100644
index 0000000..a175bbd
--- /dev/null
+++ b/kdb_check_weak.c
@@ -0,0 +1,183 @@
+/*
+ Copyright 2011 Red Hat, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ * Neither the name of Red Hat, Inc., nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Walk the list of supplied principal names (or fragments of principal names)
+ * and check if the latest kvno on file for that principal has any "strong"
+ * keys. If not, warn in various ways depending on how we were invoked. */
+
+#include <sys/types.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <kdb.h>
+
+int
+main(int argc, char **argv)
+{
+ char name[256], ename[256], *realm = NULL, *defrealm, *unparsed;
+ krb5_context ctx;
+ krb5_principal princ;
+ krb5_error_code err;
+ krb5_db_entry *entry;
+ krb5_key_data *kd;
+ int problems = 0, c, i, j, verbose = 0, strong, kvno, problems_only = 0;
+
+ while ((c = getopt(argc, argv, "pr:v")) != -1) {
+ switch (c) {
+ case 'p':
+ problems_only++;
+ break;
+ case 'r':
+ realm = optarg;
+ break;
+ case 'v':
+ verbose++;
+ break;
+ default:
+ printf("kdb_check_weak: check if a principal's keys "
+ "are all of types not allowed when\n"
+ " allow_weak_crypto is not "
+ "set\n");
+ printf("%s: [-p | -v [-v [-v]]] [-r REALM] principal [...]\n",
+ strchr(argv[0], '/') ?
+ strrchr(argv[0], '/') + 1 :
+ argv[0]);
+ return -1;
+ break;
+ }
+ }
+
+ /* Start up for the default (or specified) realm. */
+ ctx = NULL;
+ if ((err = krb5_init_context(&ctx)) != 0) {
+ fprintf(stderr, "Error initializing Kerberos: %s.\n",
+ error_message(err));
+ return -1;
+ }
+ if (realm != NULL) {
+ if ((err = krb5_set_default_realm(ctx, realm)) != 0) {
+ fprintf(stderr, "Error setting default realm: %s.\n",
+ error_message(err));
+ return -1;
+ }
+ }
+ defrealm = NULL;
+ if ((err = krb5_get_default_realm(ctx, &defrealm)) != 0) {
+ fprintf(stderr, "Error getting default realm: %s.\n",
+ error_message(err));
+ return -1;
+ }
+ if ((err = krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RO)) != 0) {
+ if (verbose) {
+ fprintf(stderr, "Error opening database: %s.\n",
+ error_message(err));
+ }
+ return -1;
+ }
+ for (i = optind; i < argc; i++) {
+ /* Look up the principal. */
+ princ = NULL;
+ if ((strlen(argv[i]) > 0) &&
+ ((argv[i][strlen(argv[i]) - 1] == '/') ||
+ (argv[i][strlen(argv[i]) - 1] == '@'))) {
+ snprintf(name, sizeof(name), "%s%s", argv[i], defrealm);
+ } else {
+ snprintf(name, sizeof(name), "%s", argv[i]);
+ }
+ if (krb5_parse_name(ctx, name, &princ) != 0) {
+ fprintf(stderr, "Error parsing name \"%s\".\n",
+ argv[i]);
+ continue;
+ }
+ entry = NULL;
+ if ((err = krb5_db_get_principal(ctx, princ, 0, &entry)) != 0) {
+ if (verbose) {
+ fprintf(stderr, "Error looking up entry: %s.\n",
+ error_message(err));
+ }
+ continue;
+ }
+ unparsed = NULL;
+ if ((err = krb5_unparse_name(ctx, entry->princ,
+ &unparsed)) != 0) {
+ unparsed = name;
+ }
+ kvno = -1;
+ strong = 0;
+ for (j = 0; j < entry->n_key_data; j++) {
+ kd = &entry->key_data[j];
+ /* Reset the count if we find a newer key version. */
+ if (kd->key_data_kvno > kvno) {
+ kvno = kd->key_data_kvno;
+ strong = 0;
+ }
+ /* Print the types of keys we find if asked to. */
+ if (verbose >= 3) {
+ krb5_enctype_to_name(kd->key_data_type[0],
+ FALSE,
+ ename, sizeof(ename));
+ printf("%s: v%d %s: %s\n",
+ unparsed, kd->key_data_kvno, ename,
+ krb5int_c_weak_enctype(kd->key_data_type[0]) ?
+ "weak" : "strong");
+ }
+ if (!krb5int_c_weak_enctype(kd->key_data_type[0])) {
+ strong++;
+ }
+ }
+ /* We need to have seen some strong keys. */
+ if (strong) {
+ /* Say we're okay unless we're asked to stay quiet. */
+ if (verbose >= 2) {
+ printf("%s: OK\n", unparsed);
+ }
+ } else {
+ /* Say we're not okay unless we're asked to stay quiet.
+ * */
+ if (verbose) {
+ printf("%s: needs to be rekeyed\n", unparsed);
+ } else {
+ if (problems_only) {
+ printf("%s%s", problems ? " " : "",
+ unparsed);
+ }
+ }
+ /* Note that there's a problem entry. */
+ problems++;
+ }
+ krb5_db_free_principal(ctx, entry);
+ if (unparsed != name) {
+ krb5_free_unparsed_name(ctx, unparsed);
+ }
+ }
+
+ return problems;
+}
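Review bot: The `strong` counter in main()'s key loop is not limited to the newest kvno: the reset fires only when a higher kvno appears, and `strong++` then runs for every non-weak key, including keys whose `key_data_kvno` is lower than the current `kvno`. If `entry->key_data` lists the newest version first (nothing in the loop establishes an order), a strong key retained from an older kvno makes the principal report OK although its current keys are all weak, which is the case the header comment says the tool should catch. Counting only matching versions closes this: `if (kd->key_data_kvno == kvno && !krb5int_c_weak_enctype(kd->key_data_type[0])) strong++;`. Separately, the result of `krb5_enctype_to_name()` is not checked before `ename` is printed at `verbose >= 3`, so setting `ename[0] = '\0';` ahead of the call would avoid printing an uninitialised buffer.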
diff --git a/krb5.spec b/krb5.spec
index 6e8017f..5d63110 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.9
-Release: 4%{?dist}
+Release: 5%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -30,6 +30,7 @@ Source31: kerberos-adm.portreserve
Source32: krb5_prop.portreserve
Source33: krb5kdc.logrotate
Source34: kadmind.logrotate
+Source35: kdb_check_weak.c
Patch5: krb5-1.8-ksu-access.patch
Patch6: krb5-1.9-ksu-path.patch
@@ -282,6 +283,12 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
make %{?_smp_mflags}
popd
+# A sanity checker for upgrades.
+%{__cc} -o kdb_check_weak \
+ -I src/include `./src/krb5-config --cflags kdb` \
+ %{SOURCE35} \
+ -L src/lib `./src/krb5-config --libs kdb`
+
# Run the test suite. We can't actually do this in the build system.
: make -C src check TMPDIR=%{_tmppath}
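Review bot: The `%{__cc}` line that builds kdb_check_weak passes only the include path and the `krb5-config` output, so the helper is compiled without the distribution's optimisation and hardening flags that the rest of the package presumably receives through its configure step (not visible in this hunk). Since the init script runs this binary as root against the KDC database, it should be built like the other binaries, e.g. `%{__cc} %{optflags} -o kdb_check_weak \`. The helper also calls `krb5int_c_weak_enctype`, which by its name looks like a library-internal symbol, so a comment above the build step noting that dependency would help whoever rebases the package.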
@@ -381,6 +388,9 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do
popd
done
+# A sanity checker for upgrades.
+install -m 755 kdb_check_weak $RPM_BUILD_ROOT/%{_libdir}/krb5/
+
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
@@ -511,6 +521,7 @@ exit 0
%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl
%dir %{_libdir}/krb5
+%{_libdir}/krb5/kdb_check_weak
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
@@ -637,6 +648,11 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Wed Feb 9 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-5
+- krb5kdc init script: prototype some changes to do a quick spot-check
+ of the TGS and kadmind keys and warn if there aren't any non-weak keys
+ on file for them (to flush out parts of #651466)
+
* Tue Feb 8 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-4
- add upstream patches to fix standalone kpropd exiting if the per-client
child process exits with an error (MITKRB5-SA-2011-001), a hang or crash
diff --git a/krb5kdc.init b/krb5kdc.init
index 363695d..c765790 100755
--- a/krb5kdc.init
+++ b/krb5kdc.init
@@ -36,10 +36,20 @@ RETVAL=0
prog="Kerberos 5 KDC"
krb5kdc=/usr/sbin/krb5kdc
pidfile=/var/run/krb5kdc.pid
+PATH=/usr/lib64/krb5:/usr/lib/krb5:"$PATH"
# Shell functions to cut down on useless shell instances.
start() {
[ -x $krb5kdc ] || exit 5
+ # check that some of the basic principal names don't only have weak
+ # keys available. if they do, warn that they should be changed to
+ # get some keys for stronger ciphers added
+ if ! is_false "$KRB5CHECKWEAK" ; then
+ localhost=`hostname`
+ for principal in `kdb_check_weak -p "krbtgt/${KRB5REALM:+${KRB5REALM}@${KRB5REALM}}" "kadmin/admin${KRB5REALM:+@${KRB5REALM}}" "kadmin/changepw${KRB5REALM:+@${KRB5REALM}}" "kadmin/$localhost${KRB5REALM:+@${KRB5REALM}}"` ; do
+ echo -n "Keys for $principal should be changed to include keys for non-weak ciphers." ; warning ; echo ""
+ done
+ fi
echo -n $"Starting $prog: "
# tell portreserve to release the kerberos-iv port
[ -x /sbin/portrelease ] && /sbin/portrelease kerberos-iv &>/dev/null || :
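Review bot: The new `PATH=/usr/lib64/krb5:/usr/lib/krb5:"$PATH"` assignment puts the helper directories ahead of the system directories for every command this script runs as root, not just for `kdb_check_weak`. Appending keeps the lookup of `hostname` and the other commands unchanged, `PATH="$PATH":/usr/lib64/krb5:/usr/lib/krb5`, or the helper can be invoked by absolute path. In start(), `hostname` may return a short name, so the `kadmin/$localhost` check can miss the host-specific principal if it is stored under the fully qualified name; that is worth a comment next to `localhost=`. start() continues past the end of the hunk.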