A new attribute named KRB5_KDC_LOCKDOWN_KEYS can be set on principals.
This flag prevents keys for the principal from being extracted or set
to a known value by the kadmin protocol. Principals with this flag
cannot be deleted or renamed, and cannot have keys set by setkey or
chpass. chrand operations are allowed, but keys are not returned.
This attribute can be set via the modify operation but cannot be
reset; an authorization error is resturned if an attempt to reset it
is performed.
When creating a KDB, set the lockdown flag on the krbtgt and kadmin
principals.
[ghudson@mit.edu: squash with t_kadmin_acl.py commit; condense commit
message]
ticket: 8365 (new)
#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
+#define KRB5_KDB_LOCKDOWN_KEYS 0x00800000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
"\t\trequires_hwauth needchange allow_svr "
"password_changing_service\n"
"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+ "\t\tlockdown_keys\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database "
"specific arguments.\n"
"\t\t\tLook at each database documentation for supported "
"\t\trequires_hwauth needchange allow_svr "
"password_changing_service\n"
"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+ "\t\tlockdown_keys\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database "
"specific arguments.\n"
"\t\t\tLook at each database documentation for supported "
if ((ret = add_admin_princ(handle, context,
service_name, realm,
- KRB5_KDB_DISALLOW_TGT_BASED,
+ KRB5_KDB_DISALLOW_TGT_BASED |
+ KRB5_KDB_LOCKDOWN_KEYS,
ADMIN_LIFETIME)))
goto clean_and_exit;
if ((ret = add_admin_princ(handle, context,
KADM5_ADMIN_SERVICE, realm,
- KRB5_KDB_DISALLOW_TGT_BASED,
+ KRB5_KDB_DISALLOW_TGT_BASED |
+ KRB5_KDB_LOCKDOWN_KEYS,
ADMIN_LIFETIME)))
goto clean_and_exit;
if ((ret = add_admin_princ(handle, context,
KADM5_CHANGEPW_SERVICE, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
- KRB5_KDB_PWCHANGE_SERVICE,
+ KRB5_KDB_PWCHANGE_SERVICE |
+ KRB5_KDB_LOCKDOWN_KEYS,
CHANGEPW_LIFETIME)))
goto clean_and_exit;
entry->mask = (KADM5_KEY_DATA | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |
KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_TL_DATA |
KADM5_PRINC_EXPIRE_TIME);
+ entry->attributes |= KRB5_KDB_LOCKDOWN_KEYS;
retval = krb5_db_put_principal(context, entry);
return &ret;
}
+/* Return KADM5_PROTECT_KEYS if KRB5_KDB_LOCKDOWN_KEYS is set for princ. */
+static kadm5_ret_t
+check_lockdown_keys(kadm5_server_handle_t handle, krb5_principal princ)
+{
+ kadm5_principal_ent_rec rec;
+ kadm5_ret_t ret;
+
+ ret = kadm5_get_principal(handle, princ, &rec, KADM5_ATTRIBUTES);
+ if (ret)
+ return ret;
+ ret = (rec.attributes & KRB5_KDB_LOCKDOWN_KEYS) ? KADM5_PROTECT_KEYS : 0;
+ kadm5_free_principal_ent(handle, &rec);
+ return ret;
+}
+
generic_ret *
delete_principal_2_svc(dprinc_arg *arg, struct svc_req *rqstp)
{
log_unauth("kadm5_delete_principal", prime_arg,
&client_name, &service_name, rqstp);
} else {
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_delete_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_DELETE;
+ }
+ }
+
+ if (ret.code == KADM5_OK)
ret.code = kadm5_delete_principal((void *)handle, arg->princ);
+ if (ret.code != KADM5_AUTH_DELETE) {
if( ret.code != 0 )
errmsg = krb5_get_error_message(handle->context, ret.code);
ret.code = KADM5_AUTH_MODIFY;
log_unauth("kadm5_modify_principal", prime_arg,
&client_name, &service_name, rqstp);
- } else {
+ } else if ((arg->mask & KADM5_ATTRIBUTES) &&
+ (!(arg->rec.attributes & KRB5_KDB_LOCKDOWN_KEYS))) {
+ ret.code = check_lockdown_keys(handle, arg->rec.principal);
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_modify_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_MODIFY;
+ }
+ }
+
+ if (ret.code == KADM5_OK) {
ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
arg->mask);
if( ret.code != 0 )
else
ret.code = KADM5_AUTH_ADD;
}
+ if (ret.code == KADM5_OK) {
+ ret.code = check_lockdown_keys(handle, arg->src);
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_rename_principal", prime_arg1, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_DELETE;
+ }
+ }
} else
ret.code = KADM5_AUTH_INSUFFICIENT;
if (ret.code != KADM5_OK) {
goto exit_func;
}
- if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_chpass_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+ } else if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
FALSE, 0, NULL, arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
goto exit_func;
}
- if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_chpass_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_CHANGEPW;
+ }
+ } else if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) {
ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
arg->keepold,
arg->n_ks_tuple,
goto exit_func;
}
- if (!(CHANGEPW_SERVICE(rqstp)) &&
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_setv4key_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+ } else if (!(CHANGEPW_SERVICE(rqstp)) &&
kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
goto exit_func;
}
- if (!(CHANGEPW_SERVICE(rqstp)) &&
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_setkey_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+ } else if (!(CHANGEPW_SERVICE(rqstp)) &&
kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
goto exit_func;
}
- if (!(CHANGEPW_SERVICE(rqstp)) &&
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_setkey_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+ } else if (!(CHANGEPW_SERVICE(rqstp)) &&
kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
goto exit_func;
}
- if (!(CHANGEPW_SERVICE(rqstp)) &&
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_setkey_principal", prime_arg, &client_name,
+ &service_name, rqstp);
+ ret.code = KADM5_AUTH_SETKEY;
+ }
+ } else if (!(CHANGEPW_SERVICE(rqstp)) &&
kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_SETKEY,
arg->princ, NULL)) {
ret.code = kadm5_setkey_principal_4((void *)handle, arg->princ,
return &ret;
}
+/* Empty out *keys/*nkeys if princ is protected with the lockdown attribute, or
+ * if we fail to check. */
+static kadm5_ret_t
+chrand_check_lockdown(kadm5_server_handle_t handle, krb5_principal princ,
+ krb5_keyblock **keys, int *nkeys)
+{
+ kadm5_ret_t ret;
+ int i;
+
+ ret = check_lockdown_keys(handle, princ);
+ if (!ret)
+ return 0;
+
+ for (i = 0; i < *nkeys; i++)
+ krb5_free_keyblock_contents(handle->context, &((*keys)[i]));
+ free(*keys);
+ *keys = NULL;
+ *nkeys = 0;
+ return (ret == KADM5_PROTECT_KEYS) ? KADM5_OK : ret;
+}
+
chrand_ret *
chrand_principal_2_svc(chrand_arg *arg, struct svc_req *rqstp)
{
}
if(ret.code == KADM5_OK) {
+ ret.code = chrand_check_lockdown(handle, arg->princ, &k, &nkeys);
ret.keys = k;
ret.n_keys = nkeys;
}
}
if(ret.code == KADM5_OK) {
+ ret.code = chrand_check_lockdown(handle, arg->princ, &k, &nkeys);
ret.keys = k;
ret.n_keys = nkeys;
}
ret.code = KADM5_AUTH_EXTRACT;
}
+ if (ret.code == KADM5_OK) {
+ ret.code = check_lockdown_keys(handle, arg->princ);
+ if (ret.code != KADM5_OK) {
+ kadm5_free_kadm5_key_data(handle->context, ret.n_key_data,
+ ret.key_data);
+ ret.key_data = NULL;
+ ret.n_key_data = 0;
+ }
+ if (ret.code == KADM5_PROTECT_KEYS) {
+ log_unauth("kadm5_get_principal_keys", prime_arg,
+ &client_name, &service_name, rqstp);
+ ret.code = KADM5_AUTH_EXTRACT;
+ }
+ }
+
if (ret.code != KADM5_AUTH_EXTRACT) {
if (ret.code != 0)
errmsg = krb5_get_error_message(handle->context, ret.code);
error_code KADM5_BAD_KEYSALTS, "Invalid key/salt tuples"
error_code KADM5_SETKEY_BAD_KVNO, "Invalid multiple or duplicate kvnos in setkey operation"
error_code KADM5_AUTH_EXTRACT, "Operation requires ``extract-keys'' privilege"
+error_code KADM5_PROTECT_KEYS, "Principal keys are locked down"
end
{"ok_as_delegate", KRB5_KDB_OK_AS_DELEGATE, 0},
{"ok_to_auth_as_delegate", KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0},
{"no_auth_data_required", KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0},
+ {"lockdown_keys", KRB5_KDB_LOCKDOWN_KEYS, 0},
};
#define NFTBL (sizeof(ftbl) / sizeof(ftbl[0]))
"OK_AS_DELEGATE", /* 0x00100000 */
"OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
"NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
+ "LOCKDOWN_KEYS", /* 0x00800000 */
};
#define NOUTFLAGS (sizeof(outflags) / sizeof(outflags[0]))
}
}
+#++
+# kadmin_delete - Test delete principal function of kadmin.
+#
+# Deletes principal $pname. Returns 1 on success.
+#--
+proc kadmin_delete_locked_down { pname } {
+ global REALMNAME
+ global KADMIN
+ global KADMIN_LOCAL
+ global KEY
+ global spawn_id
+ global tmppwd
+
+ #
+ # First test that we fail, then unlock and retry
+ #
+
+ set good 0
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delprinc -force $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin_delete $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin delprinc $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin delprinc $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect -re "assword\[^\r\n\]*: *" {
+ send "adminpass$KEY\r"
+ }
+ expect "delete_principal: Operation requires ``delete'' privilege while deleting principal \"$pname@$REALMNAME\"" { set good 1 }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin delprinc)"
+ catch "close -i $spawn_id"
+ if { $good == 1 } {
+ #
+ # use kadmin.local to remove lockdown.
+ #
+ envstack_push
+ setup_kerberos_env kdc
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
+ expect_after {
+ -i $spawn_id
+ timeout {
+ fail "kadmin delprinc $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin delprinc $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ set good 0
+ expect "kadmin.local: " { send "modprinc -lockdown_keys $pname\r" }
+ expect "Principal \"$pname@$REALMNAME\" modified." { set good 1 }
+ expect "kadmin.local: " { send "quit\r" }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)"
+ catch "close -i $spawn_id"
+ if { $good == 1 } {
+ set good 0
+ if {[kadmin_delete $pname]} { set good 1 }
+ }
+ if { $good == 1 } {
+ pass "kadmin delprinc $pname"
+ return 1
+ }
+ else {
+ fail "kadmin delprinc $pname"
+ return 0
+ }
+ }
+ else {
+ fail "kadmin delprinc $pname"
+ return 0
+ }
+}
+
#++
# kpasswd_cpw - Test password changing using kpasswd.
#
}
# test fallback to kadmin/admin
- if {![kadmin_delete kadmin/$hostname] \
+ if {![kadmin_delete_locked_down kadmin/$hostname] \
|| ![kadmin_list] \
|| ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \
|| ![kadmin_list]} {
#!/usr/bin/python
from k5test import *
+import os
realm = K5Realm(create_host=False, create_user=False)
all_list = make_client('all_list')
all_modify = make_client('all_modify')
all_rename = make_client('all_rename')
+all_wildcard = make_client('all_wildcard')
+all_extract = make_client('all_extract')
some_add = make_client('some_add')
some_changepw = make_client('some_changepw')
some_delete = make_client('some_delete')
all_list l
all_modify im
all_rename ad
+all_wildcard x
+all_extract ie
some_add a selected
some_changepw c selected
some_delete d selected
if 'Maximum renewable life: 0 days 02:00:00' not in out:
fail('restriction (maxrenewlife high)')
+realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys'])
+out = kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'],
+ expected_code=1)
+if 'Operation requires ``extract-keys\'\' privilege' not in out:
+ fail('extractkeys failure (all_wildcard)')
+kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
+realm.kinit('extractkeys', flags=['-k'])
+os.remove(realm.keytab)
+
+kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys'])
+out = kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'],
+ expected_code=1)
+if 'Operation requires ``change-password\'\' privilege' not in out:
+ fail('extractkeys failure (all_changepw)')
+kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys'])
+out = kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'],
+ expected_code=1)
+if 'Operation requires ``extract-keys\'\' privilege' not in out:
+ fail('extractkeys failure (all_extract)')
+out = kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1)
+if 'Operation requires ``delete\'\' privilege' not in out:
+ fail('extractkeys failure (all_delete)')
+out = kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'],
+ expected_code=1)
+if 'Operation requires ``delete\'\' privilege' not in out:
+ fail('extractkeys failure (all_rename)')
+out = kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'],
+ expected_code=1)
+if 'Operation requires ``modify\'\' privilege' not in out:
+ fail('extractkeys failure (all_modify)')
+realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys'])
+kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'])
+realm.kinit('extractkeys', flags=['-k'])
+os.remove(realm.keytab)
+
success('kadmin ACL enforcement')
KRB5_KDB_OK_AS_DELEGATE = 0x00100000
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE = 0x00200000
KRB5_KDB_NO_AUTH_DATA_REQUIRED = 0x00400000
+KRB5_KDB_LOCKDOWN_KEYS = 0x00800000
# Input tables -- list of tuples of the form (name, flag, invert)
("ok_as_delegate", KRB5_KDB_OK_AS_DELEGATE, False),
("ok_to_auth_as_delegate", KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, False),
("no_auth_data_required", KRB5_KDB_NO_AUTH_DATA_REQUIRED, False),
+ ("lockdown_keys", KRB5_KDB_LOCKDOWN_KEYS, False),
]
# Input forms from lib/kadm5/str_conv.c
("md5", KRB5_KDB_SUPPORT_DESMD5, False),
("ok-to-auth-as-delegate", KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, False),
("no-auth-data-required", KRB5_KDB_NO_AUTH_DATA_REQUIRED, False),
+ ("lockdown-keys", KRB5_KDB_LOCKDOWN_KEYS, False),
]
# kdb.h symbol prefix
projects / thirdparty / krb5.git / commitdiff
