krb5kdc has always only supported binding to the wildcard addresses.
Add two configuration options to allow specifying the address/port
that krb5kdc listens on for UDP and TCP connections.
[ghudson@mit.edu: edited documentation; preserved kdc_ports = ""
behavior; made kdc_ports and kdc_tcp_ports continue to work in
kdcdefaults section]
ticket: 1093
:ref:`kdc_realms` section for the definitions of these relations.
* **host_based_services**
+* **kdc_listen**
* **kdc_ports**
+* **kdc_tcp_listen**
* **kdc_tcp_ports**
* **no_host_referral**
* **restrict_anonymous_to_tgt**
stored (via kdb5_util stash). The default is |kdcdir|\
``/.k5.REALM``, where *REALM* is the Kerberos realm.
+**kdc_listen**
+ (Whitespace- or comma-separated list.) Specifies the UDP
+ listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If no port is specified,
+ the standard port (88) is used. If the KDC daemon fails to bind
+ to any of the specified addresses, it will fail to start. The
+ default is to bind to the wildcard address on the standard port.
+ New in release 1.15.
+
**kdc_ports**
- (Whitespace- or comma-separated list.) Lists the ports on which
- the Kerberos server should listen for UDP requests, as a
- comma-separated list of integers. The default value is
- ``88,750``, which are the assigned Kerberos port and the port
- historically used by Kerberos V4.
+ (Whitespace- or comma-separated list, deprecated.) Prior to
+ release 1.15, this relation lists the ports for the
+ :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In
+ release 1.15 and later, it has the same meaning as **kdc_listen**
+ if that relation is not defined.
+
+**kdc_tcp_listen**
+ (Whitespace- or comma-separated list.) Specifies the TCP
+ listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If no port is specified,
+ the standard port (88) is used. To disable listening on TCP, set
+ this relation to the empty string with ``kdc_tcp_listen = ""``.
+ If the KDC daemon fails to bind to any of the specified addresses,
+ it will fail to start. The default is to bind to the wildcard
+ address on the standard port. New in release 1.15.
**kdc_tcp_ports**
- (Whitespace- or comma-separated list.) Lists the ports on which
- the Kerberos server should listen for TCP connections, as a
- comma-separated list of integers. To disable listening on TCP,
- set this relation to the empty string with ``kdc_tcp_ports = ""``.
- If this relation is not specified, the default is to listen on TCP
- port 88 (the standard port). Prior to release 1.13, the default
- was not to listen for TCP connections at all.
+ (Whitespace- or comma-separated list, deprecated.) Prior to
+ release 1.15, this relation lists the ports for the
+ :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In
+ release 1.15 and later, it has the same meaning as
+ **kdc_tcp_listen** if that relation is not defined.
**kpasswd_listen**
(Comma-separated list.) Specifies the kpasswd listening addresses
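Review bot: the new **kdc_tcp_ports** text says the relation lists the ports for the daemon "to listen on for UDP requests"; that sentence was copied from **kdc_ports** and should say "TCP connections" for this relation. Two smaller points in the same hunk: "If the KDC daemon fails to bind to any of the specified addresses, it will fail to start" (under both **kdc_listen** and **kdc_tcp_listen**) can be read as "if every bind fails" or "if even one bind fails", and "if it cannot bind to one of the specified addresses" says the intended thing unambiguously; and the removed **kdc_tcp_ports** text recorded that TCP listening was off by default before release 1.13, which is now gone from the document, so consider carrying that history over into **kdc_tcp_listen**.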
Here's an example of a kdc.conf file::
[kdcdefaults]
- kdc_ports = 88
-
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
An example kdc.conf file::
[kdcdefaults]
- kdc_ports = 88
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
Because of the larger size of requests and responses using PKINIT, you
may also need to allow TCP access to the KDC::
- kdc_tcp_ports = 88
+ kdc_tcp_listen = 88
Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration
changes.
[kdcdefaults]
- kdc_ports = 88
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
- kdc_ports = 88
+ kdc_listen = 88
+ kdc_tcp_listen = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
#define KRB5_CONF_KDC "kdc"
#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
+#define KRB5_CONF_KDC_LISTEN "kdc_listen"
#define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
#define KRB5_CONF_KDC_PORTS "kdc_ports"
#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
+#define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
#define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen"
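Review bot: `KRB5_CONF_KDC_TCP_LISTEN` is inserted after `KRB5_CONF_KDC_TCP_PORTS`, which breaks the alphabetical order this block otherwise keeps (compare `KRB5_CONF_KDC_LISTEN`, correctly placed ahead of `KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE`); move the new define one line up so `kdc_tcp_listen` precedes `kdc_tcp_ports`.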
[kdcdefaults]
- kdc_ports = 1750
- kdc_tcp_ports = 1750
+ kdc_listen = 1750
+ kdc_tcp_listen = 1750
[realms]
__REALM__ = {
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* kdc/main.c - Main procedure body for the KDC server process */
/*
- * Copyright 1990,2001,2008,2009 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001,2008,2009,2016 by the Massachusetts Institute of
+ * Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
free(rdp->realm_mpname);
if (rdp->realm_stash)
free(rdp->realm_stash);
- if (rdp->realm_ports)
- free(rdp->realm_ports);
- if (rdp->realm_tcp_ports)
- free(rdp->realm_tcp_ports);
+ if (rdp->realm_listen)
+ free(rdp->realm_listen);
+ if (rdp->realm_tcp_listen)
+ free(rdp->realm_tcp_listen);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_hostbased)
* After we're complete here, the essence of the realm is embodied in the
* realm data and we should be all set to begin operation for that realm.
*/
-static krb5_error_code
-init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname,
- krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports,
- krb5_boolean def_manual, krb5_boolean def_restrict_anon,
- char **db_args, char *no_referral, char *hostbased)
+static krb5_error_code
+init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
+ char *def_mpname, krb5_enctype def_enctype, char *def_udp_listen,
+ char *def_tcp_listen, krb5_boolean def_manual,
+ krb5_boolean def_restrict_anon, char **db_args, char *no_referral,
+ char *hostbased)
{
krb5_error_code kret;
krb5_boolean manual;
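Review bot: the rewritten prototype declares the first parameter as `kdc_realm_t * rdp`, with whitespace on both sides of the `*`, whereas the removed line and the rest of this file use the `kdc_realm_t *rdp` form; keep the existing style, and note that the reflow of the parameter list is otherwise only a rename, so the change would be smaller if the original line breaks were kept.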
goto whoops;
}
- /* Handle KDC ports */
- hierarchy[2] = KRB5_CONF_KDC_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_ports))
- rdp->realm_ports = strdup(def_udp_ports);
- if (!rdp->realm_ports) {
+ /* Handle KDC addresses/ports */
+ hierarchy[2] = KRB5_CONF_KDC_LISTEN;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen)) {
+ /* Try the old kdc_ports configuration option. */
+ hierarchy[2] = KRB5_CONF_KDC_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen))
+ rdp->realm_listen = strdup(def_udp_listen);
+ }
+ if (!rdp->realm_listen) {
kret = ENOMEM;
goto whoops;
}
- hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_tcp_ports))
- rdp->realm_tcp_ports = strdup(def_tcp_ports);
- if (!rdp->realm_tcp_ports) {
+ hierarchy[2] = KRB5_CONF_KDC_TCP_LISTEN;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE,
+ &rdp->realm_tcp_listen)) {
+ /* Try the old kdc_tcp_ports configuration option. */
+ hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE,
+ &rdp->realm_tcp_listen))
+ rdp->realm_tcp_listen = strdup(def_tcp_listen);
+ }
+ if (!rdp->realm_tcp_listen) {
kret = ENOMEM;
goto whoops;
}
kdc_realm_t *rdatap = NULL;
krb5_boolean manual = FALSE;
krb5_boolean def_restrict_anon;
- char *default_udp_ports = 0;
- char *default_tcp_ports = 0;
+ char *def_udp_listen = NULL;
+ char *def_tcp_listen = NULL;
krb5_pointer aprof = NULL;
const char *hierarchy[3];
char *no_referral = NULL;
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
hierarchy[0] = KRB5_CONF_KDCDEFAULTS;
- hierarchy[1] = KRB5_CONF_KDC_PORTS;
+ hierarchy[1] = KRB5_CONF_KDC_LISTEN;
hierarchy[2] = (char *) NULL;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports))
- default_udp_ports = 0;
- hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports))
- default_tcp_ports = 0;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) {
+ hierarchy[1] = KRB5_CONF_KDC_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))
+ def_udp_listen = NULL;
+ }
+ hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_tcp_listen)) {
+ hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))
+ def_tcp_listen = NULL;
+ }
hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE;
if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
max_dgram_reply_size = MAX_DGRAM_SIZE;
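Review bot: the legacy fallback for the TCP default reads into the wrong variable. In the `KRB5_CONF_KDC_TCP_PORTS` branch, `if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))` should pass `&def_tcp_listen`, as the UDP block just above does for its own variable. As written, a `kdc_tcp_ports` setting in [kdcdefaults] overwrites the UDP default (leaking whatever string `def_udp_listen` already held) while `def_tcp_listen` stays NULL and later falls through to `DEFAULT_KDC_TCP_PORTLIST`, so the old option silently stops controlling TCP, which is the opposite of what the commit message promises about keeping `kdc_tcp_ports` working in kdcdefaults.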
hostbased = 0;
}
- if (default_udp_ports == 0) {
- default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST);
- if (default_udp_ports == 0) {
+ if (def_udp_listen == NULL) {
+ def_udp_listen = strdup(DEFAULT_KDC_UDP_PORTLIST);
+ if (def_udp_listen == NULL) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
}
- if (default_tcp_ports == 0) {
- default_tcp_ports = strdup(DEFAULT_KDC_TCP_PORTLIST);
- if (default_tcp_ports == 0) {
+ if (def_tcp_listen == NULL) {
+ def_tcp_listen = strdup(DEFAULT_KDC_TCP_PORTLIST);
+ if (def_tcp_listen == NULL) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
if (!find_realm_data(&shandle, optarg, (krb5_ui_4) strlen(optarg))) {
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
retval = init_realm(rdatap, aprof, optarg, mkey_name,
- menctype, default_udp_ports,
- default_tcp_ports, manual,
+ menctype, def_udp_listen,
+ def_tcp_listen, manual,
def_restrict_anon, db_args,
no_referral, hostbased);
if (retval) {
pid_file = optarg;
break;
case 'p':
- if (default_udp_ports)
- free(default_udp_ports);
- default_udp_ports = strdup(optarg);
- if (!default_udp_ports) {
+ if (def_udp_listen)
+ free(def_udp_listen);
+ def_udp_listen = strdup(optarg);
+ if (!def_udp_listen) {
fprintf(stderr, _(" KDC cannot initialize. Not enough "
"memory\n"));
exit(1);
}
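Review bot: the `-p` option now fills `def_udp_listen`, so its argument is interpreted as a kdc_listen-style list of addresses and/or ports rather than a plain port list, and, as before, it affects only the UDP side. The krb5kdc usage text and man page are not in this diff; they should be updated to describe the new argument syntax.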
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype,
- default_udp_ports, default_tcp_ports, manual,
+ def_udp_listen, def_tcp_listen, manual,
def_restrict_anon, db_args, no_referral,
hostbased);
if (retval) {
krb5_free_default_realm(kcontext, lrealm);
}
- if (default_udp_ports)
- free(default_udp_ports);
- if (default_tcp_ports)
- free(default_tcp_ports);
+ if (def_udp_listen)
+ free(def_udp_listen);
+ if (def_tcp_listen)
+ free(def_tcp_listen);
if (db_args)
free(db_args);
if (db_name)
{
krb5_error_code retval;
krb5_context kcontext;
+ kdc_realm_t *realm;
verto_ctx *ctx;
int errout = 0;
int i;
return 1;
}
- /* Handle each realm's ports */
- for (i=0; i< shandle.kdc_numrealms; i++) {
- char *cp = shandle.kdc_realmlist[i]->realm_ports;
- int port;
- while (cp && *cp) {
- if (*cp == ',' || isspace((int) *cp)) {
- cp++;
- continue;
- }
- port = strtol(cp, &cp, 10);
- if (cp == 0)
- break;
- retval = loop_add_udp_address(port, NULL);
+ /* Add each realm's listener addresses to the loop. */
+ for (i = 0; i < shandle.kdc_numrealms; i++) {
+ realm = shandle.kdc_realmlist[i];
+ if (*realm->realm_listen != '\0') {
+ retval = loop_add_udp_address(KRB5_DEFAULT_PORT,
+ realm->realm_listen);
if (retval)
goto net_init_error;
}
-
- cp = shandle.kdc_realmlist[i]->realm_tcp_ports;
- while (cp && *cp) {
- if (*cp == ',' || isspace((int) *cp)) {
- cp++;
- continue;
- }
- port = strtol(cp, &cp, 10);
- if (cp == 0)
- break;
- retval = loop_add_tcp_address(port, NULL);
+ if (*realm->realm_tcp_listen != '\0') {
+ retval = loop_add_tcp_address(KRB5_DEFAULT_PORT,
+ realm->realm_tcp_listen);
if (retval)
goto net_init_error;
}
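Review bot: the documented guarantee that the KDC refuses to start when it cannot bind to a listed address now rests entirely on the return values of `loop_add_udp_address` and `loop_add_tcp_address`, whose new (default port, address list) form is not part of this diff; `goto net_init_error` is the only failure path here, so it is worth confirming that those functions report bind failures and not just parse errors. Also, because the loop still registers listeners per realm, two realms that inherit the same [kdcdefaults] listen string will request the same addresses twice, so confirm the loop code tolerates or deduplicates repeated addresses.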
/*
* Other per-realm data.
*/
- char *realm_ports; /* Per-realm KDC UDP port */
- char *realm_tcp_ports; /* Per-realm KDC TCP port */
+ char *realm_listen; /* Per-realm KDC UDP listen */
+ char *realm_tcp_listen; /* Per-realm KDC TCP listen */
/*
* Per-realm parameters.
*/
.IP \(bu 2
\fBhost_based_services\fP
.IP \(bu 2
+\fBkdc_listen\fP
+.IP \(bu 2
\fBkdc_ports\fP
.IP \(bu 2
+\fBkdc_tcp_listen\fP
+.IP \(bu 2
\fBkdc_tcp_ports\fP
.IP \(bu 2
\fBno_host_referral\fP
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
+.B \fBkdc_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the UDP
+listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. If the KDC daemon fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address on the standard port.
+New in release 1.15.
+.TP
.B \fBkdc_ports\fP
-(Whitespace\- or comma\-separated list.) Lists the ports on which
-the Kerberos server should listen for UDP requests, as a
-comma\-separated list of integers. The default value is
-\fB88,750\fP, which are the assigned Kerberos port and the port
-historically used by Kerberos V4.
+(Whitespace\- or comma\-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
+if that relation is not defined.
+.TP
+.B \fBkdc_tcp_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the TCP
+listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. To disable listening on TCP, set
+this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&.
+If the KDC daemon fails to bind to any of the specified addresses,
+it will fail to start. The default is to bind to the wildcard
+address on the standard port. New in release 1.15.
.TP
.B \fBkdc_tcp_ports\fP
-(Whitespace\- or comma\-separated list.) Lists the ports on which
-the Kerberos server should listen for TCP connections, as a
-comma\-separated list of integers. To disable listening on TCP,
-set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&.
-If this relation is not specified, the default is to listen on TCP
-port 88 (the standard port). Prior to release 1.13, the default
-was not to listen for TCP connections at all.
+(Whitespace\- or comma\-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as
+\fBkdc_tcp_listen\fP if that relation is not defined.
.TP
.B \fBkpasswd_listen\fP
(Comma\-separated list.) Specifies the kpasswd listening addresses
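Review bot: the same UDP/TCP copy error as in the RST source appears here: under `.B \fBkdc_tcp_ports\fP`, the line `\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In` should refer to TCP connections. Since this man page is generated from kdc_conf.rst, fix the RST and regenerate rather than editing the .man output by hand, or the two will drift apart again.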
.nf
.ft C
[kdcdefaults]
- kdc_ports = 88
-
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
|| $last_passname_conf != $multipass_name } {
set conffile [open $tmppwd/kdc.conf w]
puts $conffile "\[kdcdefaults\]"
- puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
- puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
puts $conffile ""
puts $conffile "\[realms\]"
puts $conffile " $REALMNAME = \{"
puts $conffile " supported_enctypes = $supported_enctypes"
}
if { $mode == "tcp" } {
- puts $conffile " kdc_ports = [expr 3 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 3 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]"
} else {
- puts $conffile " kdc_ports = [expr 1 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 1 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]"
}
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
puts $conffile " default_principal_flags = -postdateable forwardable"
|| $last_passname_conf != $multipass_name } {
set conffile [open $tmppwd/slave.conf w]
puts $conffile "\[kdcdefaults\]"
- puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
- puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
puts $conffile ""
puts $conffile "\[realms\]"
puts $conffile " $REALMNAME = \{"
puts $conffile " supported_enctypes = $supported_enctypes"
}
if { $mode == "tcp" } {
- puts $conffile " kdc_ports = [expr 3 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 3 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]"
} else {
- puts $conffile " kdc_ports = [expr 1 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 1 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]"
}
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
puts $conffile " default_principal_flags = -postdateable forwardable"
'dictfile': '$testdir/dictfile',
'kadmind_port': '$port1',
'kpasswd_port': '$port2',
- 'kdc_ports': '$port0',
- 'kdc_tcp_ports': '$port0'}},
+ 'kdc_listen': '$port0',
+ 'kdc_tcp_listen': '$port0'}},
'dbmodules': {
'db_module_dir': '$plugins/kdb',
'db': {'db_library': 'db2', 'database_name' : '$testdir/db'}},