From: Peter van Dijk
Date: Fri, 25 Mar 2022 13:16:19 +0000 (+0100)
Subject: spelling, review comments
X-Git-Tag: rec-4.8.0-alpha1~31^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e8d94f1d2b1973ed11869f807e6f5197154a443;p=thirdparty%2Fpdns.git

spelling, review comments
---

diff --git a/docs/domainmetadata.rst b/docs/domainmetadata.rst
index a021fa6ea4..970db65ec4 100644
--- a/docs/domainmetadata.rst
+++ b/docs/domainmetadata.rst
@@ -112,6 +112,13 @@ Use this named TSIG key to retrieve this zone from its master, see :ref:`tsig-pr
 GSS-ALLOW-AXFR-PRINCIPAL
 ------------------------
+.. versionchanged:: 4.3.1
+
+   GSS support was removed
+
+.. versionchanged:: 4.7.0
+
+   GSS support was added back
 Allow this GSS principal to perform AXFR retrieval. Most commonly it is ``host/something@REALM``, ``DNS/something@REALM`` or ``user@REALM``.
diff --git a/docs/settings.rst b/docs/settings.rst
index 5395308559..96362b0788 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -661,7 +661,7 @@ Enables EDNS subnet processing, for backends that support it.
 - Boolean
 - Default: no
-Enable the accepting of GSS-TSIG signed messages.
+Enable accepting GSS-TSIG signed messages.
 In addition to this setting, see :doc:`tsig`.
 .. _setting-enable-lua-records:
diff --git a/docs/tsig.rst b/docs/tsig.rst
index c68c16e695..dd04c11f3a 100644
--- a/docs/tsig.rst
+++ b/docs/tsig.rst
@@ -130,15 +130,12 @@ Prerequisites
 ~~~~~~~~~~~~~
 - Working Kerberos environment. Please refer to your Kerberos vendor documentation on how to set it up.
-- Accepting Principal (of the form ``DNS/your.dns.server.name@REALM``) in either per-user keytab or
-  system keytab, where ``your.dns.server.name`` must match the nameserver name in the SOA record of the zone. If a user keytab is used, specify it using the ``KRB5_KTNAME`` environment variable when starting up PDNS server,
-  which must be able to read the keytab file.
+- Service Principal(s) (of the form ``DNS/your.dns.server.name@REALM``) in either per-user keytab or system keytab, where ``your.dns.server.name`` must match the nameserver name in the SOA record of the zone.
+  If a user keytab is used, specify it using the ``KRB5_KTNAME`` environment variable when starting up PDNS server, which must be able to read the keytab file.
-In particular, if something does not work, read logs and ensure that
-your kerberos environment is ok before filing an issue. Most common
-problems are time synchronization or changes done to the principal.
+In particular, if something does not work, read logs and ensure that your kerberos environment is ok before filing an issue.
+Most common problems are time synchronization or changes done to the principal.
 Setting up
 ~~~~~~~~~~
@@ -146,10 +143,8 @@ Setting up
 To allow AXFR / DNS update to work, you need to set :ref:`setting-enable-gss-tsig` and configure ``GSS-ACCEPTOR-PRINCIPAL`` in :doc:`domainmetadata`. This will define the principal that is used to accept any GSS context requests for names in the specified domain. This *must* match to a principal in the keytab used by PDNS Server.
-Next you need to define one or more ``GSS-ALLOW-AXFR-PRINCIPAL`` entries for AXFR,
-or ``TSIG-ALLOW-DNSUPDATE`` entries for DNS update.
+Next you need to define one or more ``GSS-ALLOW-AXFR-PRINCIPAL`` entries for AXFR, or ``TSIG-ALLOW-DNSUPDATE`` entries for DNS update.
 These must be set to the exact initiator (client) principal names you intend to allow either AXFR or DNS update. No wildcards accepted.
-If a Lua update policy is defined (see :doc:`dnsupdate`) no ``TSIG-ALLOW-DNSUPDATE`` entries are needed,
-as the Lua policy defines which principals can update which records.
+If a Lua update policy is defined (see :doc:`dnsupdate`) no ``TSIG-ALLOW-DNSUPDATE`` entries are needed, as the Lua policy defines which principals can update which records.
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 4712a8ec88..d0dd5e341a 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -233,8 +233,8 @@ pdns_server_SOURCES = \
 	ednscookies.cc ednscookies.hh \
 	ednsoptions.cc ednsoptions.hh \
 	ednssubnet.cc ednssubnet.hh \
+	gss_context.cc gss_context.hh \
 	histogram.hh \
-	gss_context.cc gss_context.hh \
 	iputils.cc iputils.hh \
 	ixfr.cc ixfr.hh \
 	json.cc json.hh \
diff --git a/pdns/gss_context.cc b/pdns/gss_context.cc
index cbd3265ee5..1c23371001 100644
--- a/pdns/gss_context.cc
+++ b/pdns/gss_context.cc
@@ -52,6 +52,8 @@ GssContextError GssContext::getError() { return GSS_CONTEXT_UNSUPPORTED; }
 #include "lock.hh"
+#define TSIG_GSS_EXPIRE_INTERVAL 60
+
 class GssCredential : boost::noncopyable
 {
 public:
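Review bot: The new `#define TSIG_GSS_EXPIRE_INTERVAL 60` duplicates a literal this file also carries in GssCredential's initializer `time_t d_expires{time(nullptr) + 60};` (a line touched further down in this commit), so the two values can drift apart; a typed constant reachable from both would keep them in step. The file already uses brace initializers and `nullptr`, so `static constexpr time_t TSIG_GSS_EXPIRE_INTERVAL = 60;` is available instead of a macro and gives the value a type and a scope. A one-line comment saying what the interval governs would also help, since the name alone does not say whether it is a credential lifetime or the period between sweeps (its use in expire() below suggests the latter).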
@@ -77,12 +79,12 @@ public:
   ~GssCredential()
   {
-    OM_uint32 tmp_maj __attribute__((unused)), tmp_min __attribute__((unused));
+    OM_uint32 tmp_min __attribute__((unused));
     if (d_cred != GSS_C_NO_CREDENTIAL) {
-      tmp_maj = gss_release_cred(&tmp_min, &d_cred);
+      (void)gss_release_cred(&tmp_min, &d_cred);
     }
     if (d_name != GSS_C_NO_NAME) {
-      tmp_maj = gss_release_name(&tmp_min, &d_name);
+      (void)gss_release_name(&tmp_min, &d_name);
     }
   };
@@ -96,12 +98,12 @@ public:
   bool renew()
   {
-    OM_uint32 time_rec, tmp_maj __attribute__((unused)), tmp_min __attribute__((unused));
+    OM_uint32 time_rec, tmp_maj, tmp_min __attribute__((unused));
     tmp_maj = gss_acquire_cred(&tmp_min, d_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, d_usage, &d_cred, nullptr, &time_rec);
     if (tmp_maj != GSS_S_COMPLETE) {
       d_valid = false;
-      tmp_maj = gss_release_name(&tmp_min, &d_name);
+      (void)gss_release_name(&tmp_min, &d_name);
       d_name = GSS_C_NO_NAME;
       return false;
     }
@@ -126,7 +128,7 @@ public:
   gss_cred_usage_t d_usage;
   gss_name_t d_name{GSS_C_NO_NAME};
   gss_cred_id_t d_cred{GSS_C_NO_CREDENTIAL};
-  time_t d_expires{time(nullptr) + 60}; // partly initialized wil be cleaned up
+  time_t d_expires{time(nullptr) + 60}; // partly initialized will be cleaned up
   bool d_valid{false};
 }; // GssCredential
@@ -136,18 +138,12 @@ static LockGuarded cred) :
-    d_cred(cred)
+  GssSecContext(std::shared_ptr cred)
   {
     if (!cred->valid()) {
       throw PDNSException("Invalid credential " + cred->d_nameS);
     }
     d_cred = cred;
-    d_state = GssStateInitial;
-    d_ctx = GSS_C_NO_CONTEXT;
-    d_expires = 0;
-    d_peer_name = GSS_C_NO_NAME;
-    d_type = GSS_CONTEXT_NONE;
   }
@@ -173,7 +169,7 @@ public:
     GssStateNegotiate,
     GssStateComplete,
     GssStateError
-  } d_state;
+  } d_state{GssStateInitial};
 }; // GssSecContext
 static LockGuarded>> s_gss_sec_context;
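Review bot: On a failed gss_acquire_cred, renew() releases d_name and sets it to GSS_C_NO_NAME but leaves the object alive with d_valid == false; if renew() is ever invoked again on that object (the callers are not in this hunk), the next gss_acquire_cred would be handed GSS_C_NO_NAME, which in GSS-API asks for the default credential rather than the configured principal. A guard at the top, `if (d_name == GSS_C_NO_NAME) { d_valid = false; return false; }`, makes a second attempt fail closed instead of silently binding to whatever the process default is. Dropping `__attribute__((unused))` from tmp_maj is right since it is tested on the next line; time_rec is presumably consumed after the hunk, which continues past the last line shown. renew() starts inside the hunk but ends outside it.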
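Review bot: The constructor body now relies on default member initializers for the five members it stopped assigning, but only `d_state{GssStateInitial}` is added by this commit (in the hunk further down); d_ctx, d_expires, d_peer_name and d_type are not visible here, so please confirm each already has an in-class initializer, otherwise an indeterminate raw gss_ctx_id_t or gss_name_t is handed to whatever the destructor (not shown) releases. The validity check dereferences `cred` before anything rules out a null shared_ptr; if callers can pass one, `if (!cred || !cred->valid())` closes that. Since the parameter is taken by value, `d_cred = std::move(cred);` after the check avoids a refcount copy. The enclosing class GssSecContext starts and ends outside this hunk.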
@@ -196,7 +192,7 @@ static void expire()
 {
   static time_t s_last_expired;
   time_t now = time(nullptr);
-  if (now - s_last_expired < 60) {
+  if (now - s_last_expired < TSIG_GSS_EXPIRE_INTERVAL) {
     return;
   }
   s_last_expired = now;
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index e29a27e06b..3692857e85 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -697,7 +697,7 @@ int PacketHandler::processUpdate(DNSPacket& p) {
   }
   if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
-    GssName inputname(p.d_peer_principal); // match against principal since GSS
+    GssName inputname(p.d_peer_principal); // match against principal since GSS requires that
     for(const auto& key: tsigKeys) {
       if (inputname.match(key)) {
         validKey = true;
@@ -706,7 +706,7 @@ int PacketHandler::processUpdate(DNSPacket& p) {
     }
   } else {
     for(const auto& key: tsigKeys) {
-      if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the names of the ky match with the domain given. THis is valid.
+      if (inputkey == DNSName(key)) { // because checkForCorrectTSIG has already been performed earlier on, if the name of the key matches with the domain given it is valid.
         validKey=true;
         break;
       }
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 37fc3ffb8e..81fb0097f2 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -650,7 +650,7 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q,
   if(haveTSIGDetails && !tsigkeyname.empty()) {
     string tsig64;
-    DNSName algorithm=trc.d_algoName; // FIXME400: check
+    DNSName algorithm=trc.d_algoName;
     if (algorithm == DNSName("hmac-md5.sig-alg.reg.int"))
       algorithm = DNSName("hmac-md5");
     if (algorithm != DNSName("gss-tsig")) {
diff --git a/pdns/tkey.cc b/pdns/tkey.cc
index 5d4bdc3481..143ff69ae9 100644
--- a/pdns/tkey.cc
+++ b/pdns/tkey.cc
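Review bot: `static time_t s_last_expired` is read and written with no synchronization, while the containers this function sweeps are declared `LockGuarded` elsewhere in this diff (see `s_gss_sec_context`), which suggests expire() can be reached from more than one thread; if it can, the throttle is a data race and two threads may both pass the check and sweep concurrently. `static std::atomic<time_t> s_last_expired{0};` (or taking the timestamp under one of the existing locks) fixes that without changing the interval logic. A backwards wall-clock step makes `now - s_last_expired` negative and suppresses the sweep until the clock catches up, which is acceptable for a throttle but worth a one-line comment. expire() continues past the end of the hunk.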
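Review bot: Removing `// FIXME400: check` leaves no record of what was to be checked; `algorithm` is copied from the client's own TSIG record (`trc.d_algoName`) and, judging by the `gss-tsig` branch that follows, appears to drive how the outgoing AXFR is signed, so a reader will want to know where the request's algorithm was already validated against the stored key. If that happens in the earlier TSIG verification of the request (as the checkForCorrectTSIG comment in rfc2136handler.cc suggests for updates), a short comment such as `// d_algoName was already verified against the key when the request's TSIG was checked` records it; if it does not, the old FIXME was still warranted. doAXFR starts and ends outside the hunk.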
@@ -6,9 +6,11 @@
 #include "auth-main.hh"
 void PacketHandler::tkeyHandler(const DNSPacket& p, std::unique_ptr& r) {
-#if 0
-  auto [i,a,s] = GssContext::getCounts();
-  cerr << "#init_creds: " << i << " #accept_creds: " << a << " #secctxs: " << s << endl;
+#ifdef ENABLE_GSS_TSIG
+  if (g_doGssTSIG) {
+    auto [i,a,s] = GssContext::getCounts();
+    g_log << Logger::Debug << "GSS #init_creds: " << i << " #accept_creds: " << a << " #secctxs: " << s << endl;
+  }
 #endif
   TKEYRecordContent tkey_in;
diff --git a/regression-tests.auth-py/kerberos-client/init-keytab.sh b/regression-tests.auth-py/kerberos-client/init-keytab.sh
index ad4f331806..b3a68f9b37 100755
--- a/regression-tests.auth-py/kerberos-client/init-keytab.sh
+++ b/regression-tests.auth-py/kerberos-client/init-keytab.sh
@@ -1,5 +1,5 @@
 echo commands to run:
-echo Passwords enterd shoudl match those in kerberos-server setup script
+echo Passwords entered should match those in the kerberos-server setup script
 echo rm -f kt.keytab
 echo ktutil
 echo add_entry -password -p testuser1@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
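Review bot: `GssContext::getCounts()` now runs on every TKEY request whenever GSS-TSIG is enabled, before the logger decides whether a Debug line is emitted at all; the counters it reports live behind `LockGuarded` containers elsewhere in this diff, so this presumably takes those locks on the request path only to build a message that is dropped at the default log level. Gating the block on the configured log level (whatever accessor Logger exposes for it), or reporting the counts from the periodic expire() sweep instead, keeps that work off the hot path. tkeyHandler continues past the end of the hunk.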