author | Nalin Dahyabhai <nalin@redhat.com> | 2011-02-09 15:25:17 -0500 |
---|---|---|
committer | Nalin Dahyabhai <nalin@redhat.com> | 2011-02-09 15:25:17 -0500 |
commit | 08f510b3798ad91a2562d60dc173b08c91cb4f65 (patch) | |
tree | e4fe4e5c059a96b9f8fd3ccca8e9967c3d6cc3a9 | |
parent | 62cb58fe6fd594e356532f7af11ddc2043c96ec2 (diff) | |
- krb5kdc init script: prototype some changes to do a quick spot-check [krb5-1.9-5.fc15]
of the TGS and kadmind keys and warn if there aren't any non-weak keys
on file for them (to flush out parts of #651466)
-rw-r--r-- | kdb_check_weak.c | 183 | ||||
-rw-r--r-- | krb5.spec | 18 | ||||
-rwxr-xr-x | krb5kdc.init | 10 |
3 files changed, 210 insertions, 1 deletions
diff --git a/kdb_check_weak.c b/kdb_check_weak.c
new file mode 100644
index 0000000..a175bbd
--- /dev/null
+++ b/kdb_check_weak.c
@@ -0,0 +1,183 @@
+/*
+ Copyright 2011 Red Hat, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ * Neither the name of Red Hat, Inc., nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Walk the list of supplied principal names (or fragments of principal names)
+ * and check if the latest kvno on file for that principal has any "strong"
+ * keys. If not, warn in various ways depending on how we were invoked. */
+
+#include <sys/types.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <kdb.h>
+
+int
+main(int argc, char **argv)
+{
+ char name[256], ename[256], *realm = NULL, *defrealm, *unparsed;
+ krb5_context ctx;
+ krb5_principal princ;
+ krb5_error_code err;
+ krb5_db_entry *entry;
+ krb5_key_data *kd;
+ int problems = 0, c, i, j, verbose = 0, strong, kvno, problems_only = 0;
+
+ while ((c = getopt(argc, argv, "pr:v")) != -1) {
+ switch (c) {
+ case 'p':
+ problems_only++;
+ break;
+ case 'r':
+ realm = optarg;
+ break;
+ case 'v':
+ verbose++;
+ break;
+ default:
+ printf("kdb_check_weak: check if a principal's keys "
+ "are all of types not allowed when\n"
+ " allow_weak_crypto is not "
+ "set\n");
+ printf("%s: [-p | -v [-v [-v]]] [-r REALM] principal [...]\n",
+ strchr(argv[0], '/') ?
+ strrchr(argv[0], '/') + 1 :
+ argv[0]);
+ return -1;
+ break;
+ }
+ }
+
+ /* Start up for the default (or specified) realm. */
+ ctx = NULL;
+ if ((err = krb5_init_context(&ctx)) != 0) {
+ fprintf(stderr, "Error initializing Kerberos: %s.\n",
+ error_message(err));
+ return -1;
+ }
+ if (realm != NULL) {
+ if ((err = krb5_set_default_realm(ctx, realm)) != 0) {
+ fprintf(stderr, "Error setting default realm: %s.\n",
+ error_message(err));
+ return -1;
+ }
+ }
+ defrealm = NULL;
+ if ((err = krb5_get_default_realm(ctx, &defrealm)) != 0) {
+ fprintf(stderr, "Error getting default realm: %s.\n",
+ error_message(err));
+ return -1;
+ }
+ if ((err = krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RO)) != 0) {
+ if (verbose) {
+ fprintf(stderr, "Error opening database: %s.\n",
+ error_message(err));
+ }
+ return -1;
+ }
+ for (i = optind; i < argc; i++) {
+ /* Look up the principal. */
+ princ = NULL;
+ if ((strlen(argv[i]) > 0) &&
+ ((argv[i][strlen(argv[i]) - 1] == '/') ||
+ (argv[i][strlen(argv[i]) - 1] == '@'))) {
+ snprintf(name, sizeof(name), "%s%s", argv[i], defrealm);
+ } else {
+ snprintf(name, sizeof(name), "%s", argv[i]);
+ }
+ if (krb5_parse_name(ctx, name, &princ) != 0) {
+ fprintf(stderr, "Error parsing name \"%s\".\n",
+ argv[i]);
+ continue;
+ }
+ entry = NULL;
+ if ((err = krb5_db_get_principal(ctx, princ, 0, &entry)) != 0) {
+ if (verbose) {
+ fprintf(stderr, "Error looking up entry: %s.\n",
+ error_message(err));
+ }
+ continue;
+ }
+ unparsed = NULL;
+ if ((err = krb5_unparse_name(ctx, entry->princ,
+ &unparsed)) != 0) {
+ unparsed = name;
+ }
+ kvno = -1;
+ strong = 0;
+ for (j = 0; j < entry->n_key_data; j++) {
+ kd = &entry->key_data[j];
+ /* Reset the count if we find a newer key version. */
+ if (kd->key_data_kvno > kvno) {
+ kvno = kd->key_data_kvno;
+ strong = 0;
+ }
+ /* Print the types of keys we find if asked to. */
+ if (verbose >= 3) {
+ krb5_enctype_to_name(kd->key_data_type[0],
+ FALSE,
+ ename, sizeof(ename));
+ printf("%s: v%d %s: %s\n",
+ unparsed, kd->key_data_kvno, ename,
+ krb5int_c_weak_enctype(kd->key_data_type[0]) ?
+ "weak" : "strong");
+ }
+ if (!krb5int_c_weak_enctype(kd->key_data_type[0])) {
+ strong++;
+ }
+ }
+ /* We need to have seen some strong keys. */
+ if (strong) {
+ /* Say we're okay unless we're asked to stay quiet. */
+ if (verbose >= 2) {
+ printf("%s: OK\n", unparsed);
+ }
+ } else {
+ /* Say we're not okay unless we're asked to stay quiet.
+ * */
+ if (verbose) {
+ printf("%s: needs to be rekeyed\n", unparsed);
+ } else {
+ if (problems_only) {
+ printf("%s%s", problems ? " " : "",
+ unparsed);
+ }
+ }
+ /* Note that there's a problem entry. */
+ problems++;
+ }
+ krb5_db_free_principal(ctx, entry);
+ if (unparsed != name) {
+ krb5_free_unparsed_name(ctx, unparsed);
+ }
+ }
+
+ return problems;
+}
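Review bot: The key loop in main() can report a principal as fine when its newest kvno holds only weak keys: `strong` is reset when a higher kvno is seen, but the closing `if (!krb5int_c_weak_enctype(kd->key_data_type[0])) strong++;` also counts keys whose kvno is below the current maximum, so an older strong key stored after the newest ones masks the problem. Counting only keys at the current maximum, `if (kd->key_data_kvno == kvno && !krb5int_c_weak_enctype(kd->key_data_type[0])) strong++;`, matches the header comment's "latest kvno" contract. Separately, a failed `krb5_db_get_principal()` only does `continue` and never touches `problems`, so in `-p` mode an entry that could not be read looks the same as a healthy one; counting it, or at least printing the error without `-v`, would keep the check from failing silently. The return value of `krb5_enctype_to_name()` is also unchecked before `ename` is printed in the `verbose >= 3` branch, so initialising `ename[0] = '\0'` first would avoid printing an unset buffer.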
@@ -6,7 +6,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.9 -Release: 4%{?dist} +Release: 5%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar Source0: krb5-%{version}.tar.gz @@ -30,6 +30,7 @@ Source31: kerberos-adm.portreserve Source32: krb5_prop.portreserve Source33: krb5kdc.logrotate Source34: kadmind.logrotate +Source35: kdb_check_weak.c Patch5: krb5-1.8-ksu-access.patch Patch6: krb5-1.9-ksu-path.patch @@ -282,6 +283,12 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" make %{?_smp_mflags} popd +# A sanity checker for upgrades. +%{__cc} -o kdb_check_weak \ + -I src/include `./src/krb5-config --cflags kdb` \ + %{SOURCE35} \ + -L src/lib `./src/krb5-config --libs kdb` + # Run the test suite. We can't actually do this in the build system. : make -C src check TMPDIR=%{_tmppath} @@ -381,6 +388,9 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do popd done +# A sanity checker for upgrades. +install -m 755 kdb_check_weak $RPM_BUILD_ROOT/%{_libdir}/krb5/ + %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT @@ -511,6 +521,7 @@ exit 0 %config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl %dir %{_libdir}/krb5 +%{_libdir}/krb5/kdb_check_weak %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb %dir %{_libdir}/krb5/plugins/preauth @@ -637,6 +648,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Wed Feb 9 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-5 +- krb5kdc init script: prototype some changes to do a quick spot-check + of the TGS and kadmind keys and warn if there aren't any non-weak keys + on file for them (to flush out parts of #651466) + * Tue Feb 8 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9-4 - add upstream patches to fix standalone kpropd exiting if the per-client child process exits with an error (MITKRB5-SA-2011-001), a hang or crash 
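Review bot: In the build hunk (`@@ -282,6 +283,12 @@`) the helper is compiled by a bare `%{__cc}` command that passes only the `krb5-config --cflags kdb` output, so, unless the flags reach it some other way not visible here, it is built without the distribution's optimisation and hardening flags although it is run from the KDC init script against the KDC database. I would add them explicitly, e.g. `%{__cc} $RPM_OPT_FLAGS -o kdb_check_weak \`. The C source calls `krb5int_c_weak_enctype()`, which by its name looks like a library-internal symbol, so a comment next to `Source35` noting that the helper must be rebuilt together with the libraries it links against would help the next packager.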
diff --git a/krb5kdc.init b/krb5kdc.init index 363695d..c765790 100755 --- a/krb5kdc.init +++ b/krb5kdc.init @@ -36,10 +36,20 @@ RETVAL=0 prog="Kerberos 5 KDC" krb5kdc=/usr/sbin/krb5kdc pidfile=/var/run/krb5kdc.pid +PATH=/usr/lib64/krb5:/usr/lib/krb5:"$PATH" # Shell functions to cut down on useless shell instances. start() { [ -x $krb5kdc ] || exit 5 + # check that some of the basic principal names don't only have weak + # keys available. if they do, warn that they should be changed to + # get some keys for stronger ciphers added + if ! is_false "$KRB5CHECKWEAK" ; then + localhost=`hostname` + for principal in `kdb_check_weak -p "krbtgt/${KRB5REALM:+${KRB5REALM}@${KRB5REALM}}" "kadmin/admin${KRB5REALM:+@${KRB5REALM}}" "kadmin/changepw${KRB5REALM:+@${KRB5REALM}}" "kadmin/$localhost${KRB5REALM:+@${KRB5REALM}}"` ; do + echo -n "Keys for $principal should be changed to include keys for non-weak ciphers." ; warning ; echo "" + done + fi echo -n $"Starting $prog: " # tell portreserve to release the kerberos-iv port [ -x /sbin/portrelease ] && /sbin/portrelease kerberos-iv &>/dev/null || : |
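Review bot: The check added to start() fails open: it acts only on what `kdb_check_weak -p` prints, and the helper prints nothing both when every principal has a strong key and when it could not open the database or find a principal, while its exit status is lost in the backticks. When KRB5REALM is set the principal names are realm-qualified but no `-r` is passed, so the helper presumably still opens the database of the default realm from krb5.conf; adding `${KRB5REALM:+-r "$KRB5REALM"}` to the command would keep the two in step. `PATH=/usr/lib64/krb5:/usr/lib/krb5:"$PATH"` also changes command lookup for everything that follows in the script, so I would instead resolve the helper once to an absolute path, guard the call with `[ -x ... ]`, and add a comment saying that an empty result means "no problem found or check could not run". start() continues past the end of this hunk.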