GSS-ALLOW-AXFR-PRINCIPAL
------------------------
+.. versionchanged:: 4.3.1
+
+ GSS support was removed
+
+.. versionchanged:: 4.7.0
+
+ GSS support was added back
Allow this GSS principal to perform AXFR retrieval. Most commonly it is
``host/something@REALM``, ``DNS/something@REALM`` or ``user@REALM``.
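Review bot: the two versionchanged entries record that GSS support was removed in 4.3.1 and added back in 4.7.0, but not how a server in between treats an existing GSS-ALLOW-AXFR-PRINCIPAL entry (ignored, or rejected at load time); one sentence on that saves operators a surprise on upgrade. The two note bodies also lack terminal punctuation, unlike the description that follows them.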
- Boolean
- Default: no
-Enable the accepting of GSS-TSIG signed messages.
+Enable accepting GSS-TSIG signed messages.
In addition to this setting, see :doc:`tsig`.
.. _setting-enable-lua-records:
~~~~~~~~~~~~~
- Working Kerberos environment. Please refer to your Kerberos vendor documentation on how to set it up.
-- Accepting Principal (of the form ``DNS/your.dns.server.name@REALM``) in either per-user keytab or
- system keytab, where ``your.dns.server.name`` must match the nameserver name in the SOA record of the zone.
- If a user keytab is used, specify it using the ``KRB5_KTNAME`` environment variable when starting up PDNS server,
- which must be able to read the keytab file.
+- Service Principal(s) (of the form ``DNS/your.dns.server.name@REALM``) in either per-user keytab or system keytab, where ``your.dns.server.name`` must match the nameserver name in the SOA record of the zone.
+ If a user keytab is used, specify it using the ``KRB5_KTNAME`` environment variable when starting up PDNS server, which must be able to read the keytab file.
-In particular, if something does not work, read logs and ensure that
-your kerberos environment is ok before filing an issue. Most common
-problems are time synchronization or changes done to the principal.
+In particular, if something does not work, read logs and ensure that your kerberos environment is ok before filing an issue.
+Most common problems are time synchronization or changes done to the principal.
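Review bot: the reflowed sentence keeps lowercase "kerberos" in "ensure that your kerberos environment is ok", while the list item above writes "Kerberos"; and in the keytab item "when starting up PDNS server, which must be able to read the keytab file" the "which" reads as referring to the environment variable rather than the server process. Suggest "ensure that your Kerberos environment is OK" and "specify it using the ``KRB5_KTNAME`` environment variable when starting the PDNS server; the server process must be able to read the keytab file."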
Setting up
~~~~~~~~~~
To allow AXFR / DNS update to work, you need to set :ref:`setting-enable-gss-tsig` and configure ``GSS-ACCEPTOR-PRINCIPAL`` in :doc:`domainmetadata`.
This will define the principal that is used to accept any GSS context requests for names in the specified domain.
This *must* match to a principal in the keytab used by PDNS Server.
-Next you need to define one or more ``GSS-ALLOW-AXFR-PRINCIPAL`` entries for AXFR,
-or ``TSIG-ALLOW-DNSUPDATE`` entries for DNS update.
+Next you need to define one or more ``GSS-ALLOW-AXFR-PRINCIPAL`` entries for AXFR, or ``TSIG-ALLOW-DNSUPDATE`` entries for DNS update.
These must be set to the exact initiator (client) principal names you intend to allow either AXFR or DNS update.
No wildcards accepted.
-If a Lua update policy is defined (see :doc:`dnsupdate`) no ``TSIG-ALLOW-DNSUPDATE`` entries are needed,
-as the Lua policy defines which principals can update which records.
+If a Lua update policy is defined (see :doc:`dnsupdate`) no ``TSIG-ALLOW-DNSUPDATE`` entries are needed, as the Lua policy defines which principals can update which records.
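Review bot: "This *must* match to a principal in the keytab" should read "match a principal", and "you intend to allow either AXFR or DNS update" reads better as "you intend to allow to perform either AXFR or DNS update". "No wildcards accepted." is the security-relevant statement of this paragraph and is rightly its own sentence; it would help to add whether the comparison covers the full initiator principal including the realm, since the match loop later in this patch only shows the call to GssName::match and not what it compares.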
ednscookies.cc ednscookies.hh \
ednsoptions.cc ednsoptions.hh \
ednssubnet.cc ednssubnet.hh \
+ gss_context.cc gss_context.hh \
histogram.hh \
- gss_context.cc gss_context.hh \
iputils.cc iputils.hh \
ixfr.cc ixfr.hh \
json.cc json.hh \
#include "lock.hh"
+#define TSIG_GSS_EXPIRE_INTERVAL 60
+
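Review bot: TSIG_GSS_EXPIRE_INTERVAL is introduced as a preprocessor macro in a C++ file that already relies on in-class member initializers; a `static constexpr time_t` at namespace scope gives the same constant with a type and a scope, and will not leak into every translation unit if the definition ever moves to gss_context.hh.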
class GssCredential : boost::noncopyable
{
public:
~GssCredential()
{
- OM_uint32 tmp_maj __attribute__((unused)), tmp_min __attribute__((unused));
+ OM_uint32 tmp_min __attribute__((unused));
if (d_cred != GSS_C_NO_CREDENTIAL) {
- tmp_maj = gss_release_cred(&tmp_min, &d_cred);
+ (void)gss_release_cred(&tmp_min, &d_cred);
}
if (d_name != GSS_C_NO_NAME) {
- tmp_maj = gss_release_name(&tmp_min, &d_name);
+ (void)gss_release_name(&tmp_min, &d_name);
}
};
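Review bot: `tmp_min __attribute__((unused))` is kept although `&tmp_min` is passed to both release calls, so the attribute is now misleading rather than necessary; drop it, as was done for tmp_maj once its assignment went away. The stray `;` after the destructor body on the closing line is pre-existing but could go in the same touch.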
bool renew()
{
- OM_uint32 time_rec, tmp_maj __attribute__((unused)), tmp_min __attribute__((unused));
+ OM_uint32 time_rec, tmp_maj, tmp_min __attribute__((unused));
tmp_maj = gss_acquire_cred(&tmp_min, d_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, d_usage, &d_cred, nullptr, &time_rec);
if (tmp_maj != GSS_S_COMPLETE) {
d_valid = false;
- tmp_maj = gss_release_name(&tmp_min, &d_name);
+ (void)gss_release_name(&tmp_min, &d_name);
d_name = GSS_C_NO_NAME;
return false;
}
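Review bot: when gss_acquire_cred fails, renew() only clears d_valid and releases the name; nothing is logged, yet the documentation in this same patch tells operators to "read logs and ensure that your kerberos environment is ok" when things do not work. Logging the major and minor status (via gss_display_status on tmp_maj and tmp_min) together with d_nameS here would make keytab and principal problems diagnosable from the log alone. The `__attribute__((unused))` on tmp_min is again misleading, since its address is passed to every call.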
gss_cred_usage_t d_usage;
gss_name_t d_name{GSS_C_NO_NAME};
gss_cred_id_t d_cred{GSS_C_NO_CREDENTIAL};
- time_t d_expires{time(nullptr) + 60}; // partly initialized wil be cleaned up
+ time_t d_expires{time(nullptr) + 60}; // partly initialized will be cleaned up
bool d_valid{false};
}; // GssCredential
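Review bot: `d_expires{time(nullptr) + 60}` still hard-codes the 60 seconds that the new TSIG_GSS_EXPIRE_INTERVAL macro introduced above gives a name to; use the macro here so the credential lifetime and the expiry sweep cannot drift apart when one of them is tuned. The "wil" to "will" comment fix is fine.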
class GssSecContext : boost::noncopyable
{
public:
- GssSecContext(std::shared_ptr<GssCredential> cred) :
- d_cred(cred)
+ GssSecContext(std::shared_ptr<GssCredential> cred)
{
if (!cred->valid()) {
throw PDNSException("Invalid credential " + cred->d_nameS);
}
d_cred = cred;
- d_state = GssStateInitial;
- d_ctx = GSS_C_NO_CONTEXT;
- d_expires = 0;
- d_peer_name = GSS_C_NO_NAME;
- d_type = GSS_CONTEXT_NONE;
}
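Review bot: dropping `d_cred(cred)` from the initializer list in favour of `d_cred = cred;` after the check adds a second shared_ptr copy (the by-value parameter plus the assignment); `d_cred = std::move(cred);` after the validity check avoids it while keeping the ordering this change wants, namely that an invalid credential is rejected before the member is set. With the constructor throwing either way, the object is never observable with an invalid d_cred, so the move is purely a cost saving.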
~GssSecContext()
GssStateNegotiate,
GssStateComplete,
GssStateError
- } d_state;
+ } d_state{GssStateInitial};
}; // GssSecContext
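Review bot: d_state now gets an in-class initializer, but the constructor assignments for d_ctx, d_expires, d_peer_name and d_type were removed in the hunk above and no in-class initializers for them are visible in this diff; please confirm they carry `{GSS_C_NO_CONTEXT}`, `{0}`, `{GSS_C_NO_NAME}` and `{GSS_CONTEXT_NONE}` defaults, otherwise a context built through this constructor starts with indeterminate handles and the destructor's release calls would act on garbage.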
static LockGuarded<std::unordered_map<DNSName, std::shared_ptr<GssSecContext>>> s_gss_sec_context;
{
static time_t s_last_expired;
time_t now = time(nullptr);
- if (now - s_last_expired < 60) {
+ if (now - s_last_expired < TSIG_GSS_EXPIRE_INTERVAL) {
return;
}
s_last_expired = now;
}
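Review bot: s_last_expired is a plain function-local static that is read and then written without synchronization, while s_gss_sec_context declared just above is LockGuarded, which shows this code is expected to run concurrently; if the expiry routine can be entered from more than one receiver thread, the check-then-assign on s_last_expired is a data race. Make it `static std::atomic<time_t>` or perform the timestamp check only after taking the s_gss_sec_context lock.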
if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
- GssName inputname(p.d_peer_principal); // match against principal since GSS
+ GssName inputname(p.d_peer_principal); // match against principal since GSS requires that
for(const auto& key: tsigKeys) {
if (inputname.match(key)) {
validKey = true;
}
} else {
for(const auto& key: tsigKeys) {
- if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
+ if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid.
validKey=true;
break;
}
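Review bot: in the GSS branch the loop sets validKey = true but never breaks, whereas the non-GSS branch below breaks on the first match; add the break for consistency and so the reader does not wonder whether a later non-matching key is meant to override an earlier match. The rewritten comment on the non-GSS branch fixes "ky" and "THis" but remains one very long line; splitting it across two comment lines keeps it readable.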
if(haveTSIGDetails && !tsigkeyname.empty()) {
string tsig64;
- DNSName algorithm=trc.d_algoName; // FIXME400: check
+ DNSName algorithm=trc.d_algoName;
if (algorithm == DNSName("hmac-md5.sig-alg.reg.int"))
algorithm = DNSName("hmac-md5");
if (algorithm != DNSName("gss-tsig")) {
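Review bot: the `// FIXME400: check` marker is removed without any accompanying change to the algorithm handling, so the diff reads as if the concern was resolved; if the check was reviewed and found unnecessary, say so in the commit message, otherwise keep the marker so the open question is not lost.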
#include "auth-main.hh"
void PacketHandler::tkeyHandler(const DNSPacket& p, std::unique_ptr<DNSPacket>& r) {
-#if 0
- auto [i,a,s] = GssContext::getCounts();
- cerr << "#init_creds: " << i << " #accept_creds: " << a << " #secctxs: " << s << endl;
+#ifdef ENABLE_GSS_TSIG
+ if (g_doGssTSIG) {
+ auto [i,a,s] = GssContext::getCounts();
+ g_log << Logger::Debug << "GSS #init_creds: " << i << " #accept_creds: " << a << " #secctxs: " << s << endl;
+ }
#endif
TKEYRecordContent tkey_in;
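Review bot: GssContext::getCounts() is now called on every TKEY query whenever g_doGssTSIG is set, before the Debug line is built; if getCounts() takes the locks around the credential and context maps, that cost is paid even when the logger filters Debug messages out. Consider checking the configured log level first, or keeping the counters as atomics so getCounts() is lock-free. Replacing the `#if 0` cerr dump with a build-guarded g_log line is otherwise the right move.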
echo commands to run:
-echo Passwords enterd shoudl match those in kerberos-server setup script
+echo Passwords entered should match those in the kerberos-server setup script
echo rm -f kt.keytab
echo ktutil
echo add_entry -password -p testuser1@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
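Review bot: the keytab entries are added with a fixed key version (`-k 1`); if the principal has been re-keyed on the KDC, the kvno differs and GSS context establishment fails with a key-version mismatch, which is exactly the "changes done to the principal" failure the documentation in this patch warns about. State in the echoed instructions that the kvno must match what the KDC holds for the principal, or have the script echo a `kvno` lookup before the add_entry lines.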