From: Sarah Day Date: Wed, 23 Dec 2015 20:01:44 +0000 (-0500) Subject: Allow user to restrict KDC to specific addresses X-Git-Tag: krb5-1.15-beta1~152 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f53d6cfb2cdc2e666a3fd2fe4f3ef21aa8258ae;p=thirdparty%2Fkrb5.git Allow user to restrict KDC to specific addresses krb5kdc has always only supported binding to the wildcard addresses. Add two configuration options to allow specifying the address/port that krb5kdc listens on for UDP and TCP connections. [ghudson@mit.edu: edited documentation; preserved kdc_ports = "" behavior; made kdc_ports and kdc_tcp_ports continue to work in kdcdefaults section] ticket: 1093 --- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 9974626034..1a4c1813cb 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -49,7 +49,9 @@ subsection does not contain a relation for the tag. See the :ref:`kdc_realms` section for the definitions of these relations. * **host_based_services** +* **kdc_listen** * **kdc_ports** +* **kdc_tcp_listen** * **kdc_tcp_ports** * **no_host_referral** * **restrict_anonymous_to_tgt** 
@@ -271,21 +273,44 @@ The following tags may be specified in a [realms] subsection: stored (via kdb5_util stash). The default is |kdcdir|\ ``/.k5.REALM``, where *REALM* is the Kerberos realm. +**kdc_listen** + (Whitespace- or comma-separated list.) Specifies the UDP + listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. + Each entry may be an interface address, a port number, or an + address and port number separated by a colon. If the address + contains colons, enclose it in square brackets. If no address is + specified, the wildcard address is used. If no port is specified, + the standard port (88) is used. If the KDC daemon fails to bind + to any of the specified addresses, it will fail to start. The + default is to bind to the wildcard address on the standard port. + New in release 1.15. + **kdc_ports** - (Whitespace- or comma-separated list.) Lists the ports on which - the Kerberos server should listen for UDP requests, as a - comma-separated list of integers. The default value is - ``88,750``, which are the assigned Kerberos port and the port - historically used by Kerberos V4. + (Whitespace- or comma-separated list, deprecated.) Prior to + release 1.15, this relation lists the ports for the + :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In + release 1.15 and later, it has the same meaning as **kdc_listen** + if that relation is not defined. + +**kdc_tcp_listen** + (Whitespace- or comma-separated list.) Specifies the TCP + listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. + Each entry may be an interface address, a port number, or an + address and port number separated by a colon. If the address + contains colons, enclose it in square brackets. If no address is + specified, the wildcard address is used. If no port is specified, + the standard port (88) is used. To disable listening on TCP, set + this relation to the empty string with ``kdc_tcp_listen = ""``. 
+ If the KDC daemon fails to bind to any of the specified addresses, + it will fail to start. The default is to bind to the wildcard + address on the standard port. New in release 1.15. **kdc_tcp_ports** - (Whitespace- or comma-separated list.) Lists the ports on which - the Kerberos server should listen for TCP connections, as a - comma-separated list of integers. To disable listening on TCP, - set this relation to the empty string with ``kdc_tcp_ports = ""``. - If this relation is not specified, the default is to listen on TCP - port 88 (the standard port). Prior to release 1.13, the default - was not to listen for TCP connections at all. + (Whitespace- or comma-separated list, deprecated.) Prior to + release 1.15, this relation lists the ports for the + :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In + release 1.15 and later, it has the same meaning as + **kdc_tcp_listen** if that relation is not defined. **kpasswd_listen** (Comma-separated list.) Specifies the kpasswd listening addresses @@ -853,8 +878,8 @@ Sample kdc.conf File Here's an example of a kdc.conf file:: [kdcdefaults] - kdc_ports = 88 - + kdc_listen = 88 + kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst index 1d8c4bc02a..b160932ee1 100644 --- a/doc/admin/install_kdc.rst +++ b/doc/admin/install_kdc.rst @@ -108,7 +108,8 @@ and location, and logging. An example kdc.conf file:: [kdcdefaults] - kdc_ports = 88 + kdc_listen = 88 + kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst index 8ef1a689d2..deb2d1e61a 100644 --- a/doc/admin/pkinit.rst +++ b/doc/admin/pkinit.rst @@ -186,7 +186,7 @@ appropriate pathname):: Because of the larger size of requests and responses using PKINIT, you may also need to allow TCP access to the KDC:: - kdc_tcp_ports = 88 + kdc_tcp_listen = 88 Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration changes. 
diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf index e7ef0f93d1..bc5076d53a 100644 --- a/src/config-files/kdc.conf +++ b/src/config-files/kdc.conf @@ -1,12 +1,14 @@ [kdcdefaults] - kdc_ports = 88 + kdc_listen = 88 + kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { database_name = /usr/local/var/krb5kdc/principal acl_file = /usr/local/var/krb5kdc/kadm5.acl key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU - kdc_ports = 88 + kdc_listen = 88 + kdc_tcp_listen = 88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s } diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 8c2fa43d25..0ed8b70c82 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -233,10 +233,12 @@ typedef unsigned char u_char; #define KRB5_CONF_KDC "kdc" #define KRB5_CONF_KDCDEFAULTS "kdcdefaults" #define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options" +#define KRB5_CONF_KDC_LISTEN "kdc_listen" #define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size" #define KRB5_CONF_KDC_PORTS "kdc_ports" #define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type" #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports" +#define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen" #define KRB5_CONF_KDC_TIMESYNC "kdc_timesync" #define KRB5_CONF_KEY_STASH_FILE "key_stash_file" #define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen" diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto index 95a40fc8ac..61283ac775 100644 --- a/src/kadmin/testing/proto/kdc.conf.proto +++ b/src/kadmin/testing/proto/kdc.conf.proto @@ -1,6 +1,6 @@ [kdcdefaults] - kdc_ports = 1750 - kdc_tcp_ports = 1750 + kdc_listen = 1750 + kdc_tcp_listen = 1750 [realms] __REALM__ = { diff --git a/src/kdc/main.c b/src/kdc/main.c index 3e9893149c..a6ca9d8bca 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c 
@@ -1,7 +1,8 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* kdc/main.c - Main procedure body for the KDC server process */ /* - * Copyright 1990,2001,2008,2009 by the Massachusetts Institute of Technology. + * Copyright 1990,2001,2008,2009,2016 by the Massachusetts Institute of + * Technology. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -145,10 +146,10 @@ finish_realm(kdc_realm_t *rdp) free(rdp->realm_mpname); if (rdp->realm_stash) free(rdp->realm_stash); - if (rdp->realm_ports) - free(rdp->realm_ports); - if (rdp->realm_tcp_ports) - free(rdp->realm_tcp_ports); + if (rdp->realm_listen) + free(rdp->realm_listen); + if (rdp->realm_tcp_listen) + free(rdp->realm_tcp_listen); if (rdp->realm_keytab) krb5_kt_close(rdp->realm_context, rdp->realm_keytab); if (rdp->realm_hostbased) @@ -199,11 +200,12 @@ combine(const char *val1, const char *val2, char **val_out) * After we're complete here, the essence of the realm is embodied in the * realm data and we should be all set to begin operation for that realm. */ -static krb5_error_code -init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname, - krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports, - krb5_boolean def_manual, krb5_boolean def_restrict_anon, - char **db_args, char *no_referral, char *hostbased) +static krb5_error_code +init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm, + char *def_mpname, krb5_enctype def_enctype, char *def_udp_listen, + char *def_tcp_listen, krb5_boolean def_manual, + krb5_boolean def_restrict_anon, char **db_args, char *no_referral, + char *hostbased) { krb5_error_code kret; krb5_boolean manual; 
@@ -245,18 +247,28 @@ init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname, goto whoops; } - /* Handle KDC ports */ - hierarchy[2] = KRB5_CONF_KDC_PORTS; - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_ports)) - rdp->realm_ports = strdup(def_udp_ports); - if (!rdp->realm_ports) { + /* Handle KDC addresses/ports */ + hierarchy[2] = KRB5_CONF_KDC_LISTEN; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen)) { + /* Try the old kdc_ports configuration option. */ + hierarchy[2] = KRB5_CONF_KDC_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen)) + rdp->realm_listen = strdup(def_udp_listen); + } + if (!rdp->realm_listen) { kret = ENOMEM; goto whoops; } - hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS; - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_tcp_ports)) - rdp->realm_tcp_ports = strdup(def_tcp_ports); - if (!rdp->realm_tcp_ports) { + hierarchy[2] = KRB5_CONF_KDC_TCP_LISTEN; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, + &rdp->realm_tcp_listen)) { + /* Try the old kdc_tcp_ports configuration option. */ + hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, + &rdp->realm_tcp_listen)) + rdp->realm_tcp_listen = strdup(def_tcp_listen); + } + if (!rdp->realm_tcp_listen) { kret = ENOMEM; goto whoops; } @@ -613,8 +625,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) kdc_realm_t *rdatap = NULL; krb5_boolean manual = FALSE; krb5_boolean def_restrict_anon; - char *default_udp_ports = 0; - char *default_tcp_ports = 0; + char *def_udp_listen = NULL; + char *def_tcp_listen = NULL; krb5_pointer aprof = NULL; const char *hierarchy[3]; char *no_referral = NULL; 
@@ -626,13 +638,19 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) { hierarchy[0] = KRB5_CONF_KDCDEFAULTS; - hierarchy[1] = KRB5_CONF_KDC_PORTS; + hierarchy[1] = KRB5_CONF_KDC_LISTEN; hierarchy[2] = (char *) NULL; - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports)) - default_udp_ports = 0; - hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS; - if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports)) - default_tcp_ports = 0; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) { + hierarchy[1] = KRB5_CONF_KDC_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) + def_udp_listen = NULL; + } + hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_tcp_listen)) { + hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS; + if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) + def_tcp_listen = NULL; + } hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE; if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size)) max_dgram_reply_size = MAX_DGRAM_SIZE; @@ -647,16 +665,16 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) hostbased = 0; } - if (default_udp_ports == 0) { - default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST); - if (default_udp_ports == 0) { + if (def_udp_listen == NULL) { + def_udp_listen = strdup(DEFAULT_KDC_UDP_PORTLIST); + if (def_udp_listen == NULL) { fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n")); exit(1); } } - if (default_tcp_ports == 0) { - default_tcp_ports = strdup(DEFAULT_KDC_TCP_PORTLIST); - if (default_tcp_ports == 0) { + if (def_tcp_listen == NULL) { + def_tcp_listen = strdup(DEFAULT_KDC_TCP_PORTLIST); + if (def_tcp_listen == NULL) { fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n")); exit(1); } 
@@ -691,8 +709,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) if (!find_realm_data(&shandle, optarg, (krb5_ui_4) strlen(optarg))) { if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { retval = init_realm(rdatap, aprof, optarg, mkey_name, - menctype, default_udp_ports, - default_tcp_ports, manual, + menctype, def_udp_listen, + def_tcp_listen, manual, def_restrict_anon, db_args, no_referral, hostbased); if (retval) { @@ -767,10 +785,10 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) pid_file = optarg; break; case 'p': - if (default_udp_ports) - free(default_udp_ports); - default_udp_ports = strdup(optarg); - if (!default_udp_ports) { + if (def_udp_listen) + free(def_udp_listen); + def_udp_listen = strdup(optarg); + if (!def_udp_listen) { fprintf(stderr, _(" KDC cannot initialize. Not enough " "memory\n")); exit(1); @@ -809,7 +827,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) } if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype, - default_udp_ports, default_tcp_ports, manual, + def_udp_listen, def_tcp_listen, manual, def_restrict_anon, db_args, no_referral, hostbased); if (retval) { @@ -823,10 +841,10 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) krb5_free_default_realm(kcontext, lrealm); } - if (default_udp_ports) - free(default_udp_ports); - if (default_tcp_ports) - free(default_tcp_ports); + if (def_udp_listen) + free(def_udp_listen); + if (def_tcp_listen) + free(def_tcp_listen); if (db_args) free(db_args); if (db_name) @@ -898,6 +916,7 @@ int main(int argc, char **argv) { krb5_error_code retval; krb5_context kcontext; + kdc_realm_t *realm; verto_ctx *ctx; int errout = 0; int i; 
@@ -967,33 +986,18 @@ int main(int argc, char **argv) return 1; } - /* Handle each realm's ports */ - for (i=0; i< shandle.kdc_numrealms; i++) { - char *cp = shandle.kdc_realmlist[i]->realm_ports; - int port; - while (cp && *cp) { - if (*cp == ',' || isspace((int) *cp)) { - cp++; - continue; - } - port = strtol(cp, &cp, 10); - if (cp == 0) - break; - retval = loop_add_udp_address(port, NULL); + /* Add each realm's listener addresses to the loop. */ + for (i = 0; i < shandle.kdc_numrealms; i++) { + realm = shandle.kdc_realmlist[i]; + if (*realm->realm_listen != '\0') { + retval = loop_add_udp_address(KRB5_DEFAULT_PORT, + realm->realm_listen); if (retval) goto net_init_error; } - - cp = shandle.kdc_realmlist[i]->realm_tcp_ports; - while (cp && *cp) { - if (*cp == ',' || isspace((int) *cp)) { - cp++; - continue; - } - port = strtol(cp, &cp, 10); - if (cp == 0) - break; - retval = loop_add_tcp_address(port, NULL); + if (*realm->realm_tcp_listen != '\0') { + retval = loop_add_tcp_address(KRB5_DEFAULT_PORT, + realm->realm_tcp_listen); if (retval) goto net_init_error; } diff --git a/src/kdc/realm_data.h b/src/kdc/realm_data.h index 79ac1e1866..859daf1591 100644 --- a/src/kdc/realm_data.h +++ b/src/kdc/realm_data.h @@ -64,8 +64,8 @@ typedef struct __kdc_realm_data { /* * Other per-realm data. */ - char *realm_ports; /* Per-realm KDC UDP port */ - char *realm_tcp_ports; /* Per-realm KDC TCP port */ + char *realm_listen; /* Per-realm KDC UDP listen */ + char *realm_tcp_listen; /* Per-realm KDC TCP listen */ /* * Per-realm parameters. */ diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index dbab0e8699..69fde60c82 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -96,8 +96,12 @@ subsection does not contain a relation for the tag. See the .IP \(bu 2 \fBhost_based_services\fP .IP \(bu 2 +\fBkdc_listen\fP +.IP \(bu 2 \fBkdc_ports\fP .IP \(bu 2 +\fBkdc_tcp_listen\fP +.IP \(bu 2 \fBkdc_tcp_ports\fP .IP \(bu 2 \fBno_host_referral\fP 
@@ -329,21 +333,44 @@ assigned port for kadmind is 749, which is used by default. (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. .TP +.B \fBkdc_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the UDP +listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If no port is specified, +the standard port (88) is used. If the KDC daemon fails to bind +to any of the specified addresses, it will fail to start. The +default is to bind to the wildcard address on the standard port. +New in release 1.15. +.TP .B \fBkdc_ports\fP -(Whitespace\- or comma\-separated list.) Lists the ports on which -the Kerberos server should listen for UDP requests, as a -comma\-separated list of integers. The default value is -\fB88,750\fP, which are the assigned Kerberos port and the port -historically used by Kerberos V4. +(Whitespace\- or comma\-separated list, deprecated.) Prior to +release 1.15, this relation lists the ports for the +\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +release 1.15 and later, it has the same meaning as \fBkdc_listen\fP +if that relation is not defined. +.TP +.B \fBkdc_tcp_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the TCP +listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If no port is specified, +the standard port (88) is used. 
To disable listening on TCP, set +this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&. +If the KDC daemon fails to bind to any of the specified addresses, +it will fail to start. The default is to bind to the wildcard +address on the standard port. New in release 1.15. .TP .B \fBkdc_tcp_ports\fP -(Whitespace\- or comma\-separated list.) Lists the ports on which -the Kerberos server should listen for TCP connections, as a -comma\-separated list of integers. To disable listening on TCP, -set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&. -If this relation is not specified, the default is to listen on TCP -port 88 (the standard port). Prior to release 1.13, the default -was not to listen for TCP connections at all. +(Whitespace\- or comma\-separated list, deprecated.) Prior to +release 1.15, this relation lists the ports for the +\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +release 1.15 and later, it has the same meaning as +\fBkdc_tcp_listen\fP if that relation is not defined. .TP .B \fBkpasswd_listen\fP (Comma\-separated list.) Specifies the kpasswd listening addresses @@ -1096,8 +1123,8 @@ Here\(aqs an example of a kdc.conf file: .nf .ft C [kdcdefaults] - kdc_ports = 88 - + kdc_listen = 88 + kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index c16354818d..1db70fb56a 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp 
@@ -782,8 +782,8 @@ proc setup_kerberos_files { } { || $last_passname_conf != $multipass_name } { set conffile [open $tmppwd/kdc.conf w] puts $conffile "\[kdcdefaults\]" - puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" - puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" + puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" + puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" puts $conffile "" puts $conffile "\[realms\]" puts $conffile " $REALMNAME = \{" @@ -803,11 +803,11 @@ proc setup_kerberos_files { } { puts $conffile " supported_enctypes = $supported_enctypes" } if { $mode == "tcp" } { - puts $conffile " kdc_ports = [expr 3 + $portbase]" - puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]" + puts $conffile " kdc_listen = [expr 3 + $portbase]" + puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]" } else { - puts $conffile " kdc_ports = [expr 1 + $portbase]" - puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]" + puts $conffile " kdc_listen = [expr 1 + $portbase]" + puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]" } puts $conffile " default_principal_expiration = 2037.12.31.23.59.59" puts $conffile " default_principal_flags = -postdateable forwardable" @@ -830,8 +830,8 @@ proc setup_kerberos_files { } { || $last_passname_conf != $multipass_name } { set conffile [open $tmppwd/slave.conf w] puts $conffile "\[kdcdefaults\]" - puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" - puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" + puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" + puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" puts $conffile "" puts $conffile "\[realms\]" puts $conffile " $REALMNAME = \{" 
@@ -851,11 +851,11 @@ proc setup_kerberos_files { } { puts $conffile " supported_enctypes = $supported_enctypes" } if { $mode == "tcp" } { - puts $conffile " kdc_ports = [expr 3 + $portbase]" - puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]" + puts $conffile " kdc_listen = [expr 3 + $portbase]" + puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]" } else { - puts $conffile " kdc_ports = [expr 1 + $portbase]" - puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]" + puts $conffile " kdc_listen = [expr 1 + $portbase]" + puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]" } puts $conffile " default_principal_expiration = 2037.12.31.23.59.59" puts $conffile " default_principal_flags = -postdateable forwardable" diff --git a/src/util/k5test.py b/src/util/k5test.py index 89271fc764..e90c2f36a0 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py @@ -1134,8 +1134,8 @@ _default_kdc_conf = { 'dictfile': '$testdir/dictfile', 'kadmind_port': '$port1', 'kpasswd_port': '$port2', - 'kdc_ports': '$port0', - 'kdc_tcp_ports': '$port0'}}, + 'kdc_listen': '$port0', + 'kdc_tcp_listen': '$port0'}}, 'dbmodules': { 'db_module_dir': '$plugins/kdb', 'db': {'db_library': 'db2', 'database_name' : '$testdir/db'}},
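Review bot: In the doc/admin/conf_files/kdc_conf.rst hunk at @@ -271,21 +273,44, the rewritten **kdc_tcp_ports** entry says the relation lists ports "to listen on for UDP requests". That wording looks copied from the kdc_ports entry and should read TCP. The same sentence is repeated in the src/man/kdc.conf.man hunk. Two smaller points in the same hunk. The new kdc_ports text drops the old statement that the default was 88,750, while main.c still falls back to DEFAULT_KDC_UDP_PORTLIST, whose value this patch does not show, so please confirm that the documented default of "the standard port" matches the code. Also, "fails to bind to any of the specified addresses" can be read as either one failure or all failing; "if any bind fails" or "if every bind fails" would remove the doubt for an administrator who is relying on this option to keep the KDC off an interface.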
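Review bot: In the src/include/k5-int.h hunk, KRB5_CONF_KDC_TCP_LISTEN is added after KRB5_CONF_KDC_TCP_PORTS, which breaks the alphabetical order the surrounding KRB5_CONF_ definitions follow (KRB5_CONF_KDC_LISTEN was placed correctly above KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE). Move the new define to sit between KRB5_CONF_KDC_REQ_CHECKSUM_TYPE and KRB5_CONF_KDC_TCP_PORTS.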
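Review bot: In the src/kdc/main.c hunk at @@ -199,11 +200,12, the re-wrapped init_realm() prototype now declares the first parameter as "kdc_realm_t * rdp", with a space after the asterisk, where the removed line and finish_realm(kdc_realm_t *rdp) in the same file use "kdc_realm_t *rdp". The hunk also removes and re-adds "static krb5_error_code" with no visible difference, which suggests a whitespace-only change crept in. Only the two parameter names need to change here; keeping the original wrapping and pointer style would make this hunk a two-token diff.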
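Review bot: In initialize_realms() in src/kdc/main.c (hunk @@ -626,13 +638,19), the legacy fallback for KRB5_CONF_KDC_TCP_PORTS reads into the wrong variable: the inner call is krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen), but the surrounding block is setting def_tcp_listen. With only kdc_tcp_ports set in [kdcdefaults], the TCP value overwrites def_udp_listen (leaking whatever string kdc_listen or kdc_ports put there), and def_tcp_listen stays NULL, so the later "if (def_tcp_listen == NULL)" block replaces it with DEFAULT_KDC_TCP_PORTLIST. The visible consequence is that a deployment with kdc_tcp_ports = "" in [kdcdefaults] would get an empty UDP default and the compiled-in TCP default instead of TCP being disabled, which contradicts the commit message's statement that kdc_tcp_ports continues to work in the kdcdefaults section. Pass &def_tcp_listen in the inner call. The per-realm fallback in init_realm() (hunk @@ -245,18 +247,28) uses &rdp->realm_tcp_listen in both calls and does not have this problem.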
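Review bot: The test changes in src/tests/dejagnu/config/default.exp, src/util/k5test.py and src/kadmin/testing/proto/kdc.conf.proto only rename kdc_ports and kdc_tcp_ports to the new relations and keep port-only values, so nothing in this patch exercises what the change adds. There is no case with an address or address:port entry, no bracketed IPv6 entry, no kdc_tcp_listen = "" case, and no configuration that still uses the deprecated kdc_ports or kdc_tcp_ports names. A test that sets only kdc_tcp_ports in [kdcdefaults] and checks which sockets the KDC opens would cover the compatibility path that the commit message says was preserved, and a test that binds to a single loopback address and confirms the wildcard is not bound would cover the feature itself.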