From: Greg Hudson Date: Mon, 2 Dec 2024 19:11:38 +0000 (-0500) Subject: Default kdc_tcp_listen to kdc_listen value X-Git-Tag: krb5-1.22-beta1~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9cebfc375e27a060058eba1cff75b9ddafaf3460;p=thirdparty%2Fkrb5.git Default kdc_tcp_listen to kdc_listen value If kdc_tcp_listen is not specified in the realm or in [kdcdefaults], use the same listeners as were given for UDP instead of separately defaulting to port 88. This change makes the kdc_listen and kpasswd_listen more consistent, while still allowing UDP and TCP listening to be separately configured when required for the KDC. ticket: 9152 (new) --- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index f809f77dd5..63bdb8d48c 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -312,10 +312,10 @@ The following tags may be specified in a [realms] subsection: ``/.k5.REALM``, where *REALM* is the Kerberos realm. **kdc_listen** - (Whitespace- or comma-separated list.) Specifies the UDP - listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. - Each entry may be an interface address, a port number, an address - and port number separated by a colon, or a UNIX domain socket + (Whitespace- or comma-separated list.) Specifies the listening + addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each + entry may be an interface address, a port number, an address and + port number separated by a colon, or a UNIX domain socket pathname. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. 
@@ -335,15 +335,10 @@ The following tags may be specified in a [realms] subsection: **kdc_tcp_listen** (Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If no port is specified, - the standard port (88) is used. To disable listening on TCP, set - this relation to the empty string with ``kdc_tcp_listen = ""``. - If the KDC daemon fails to bind to any of the specified addresses, - it will fail to start. The default is to bind to the wildcard - address on the standard port. New in release 1.15. + The syntax is identical to that of **kdc_listen**. To disable + listening on TCP, set this relation to the empty string with + ``kdc_tcp_listen = ""``. The default is to bind to the same + addresses and ports as for UDP. New in release 1.15. **kdc_tcp_ports** (Whitespace- or comma-separated list, deprecated.) Prior to diff --git a/src/include/osconf.hin b/src/include/osconf.hin index c24717be67..c142975356 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -96,8 +96,7 @@ #define DEFAULT_KPASSWD_PORT 464 -#define DEFAULT_KDC_UDP_PORTLIST "88" -#define DEFAULT_KDC_TCP_PORTLIST "88" +#define DEFAULT_KDC_PORTLIST "88" #define DEFAULT_TCP_LISTEN_BACKLOG 5 /* diff --git a/src/kdc/main.c b/src/kdc/main.c index 439565cd51..105276601e 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c 
@@ -197,7 +197,7 @@ combine(const char *val1, const char *val2, char **val_out)
  */
 static krb5_error_code
 init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
-           char *def_mpname, krb5_enctype def_enctype, char *def_udp_listen,
+           char *def_mpname, krb5_enctype def_enctype, char *def_listen,
            char *def_tcp_listen, krb5_boolean def_manual,
            krb5_boolean def_restrict_anon, char **db_args, char *no_referral,
            char *hostbased)
@@ -260,7 +260,7 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
         /* Try the old kdc_ports configuration option. */
         hierarchy[2] = KRB5_CONF_KDC_PORTS;
         if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen))
-            rdp->realm_listen = strdup(def_udp_listen);
+            rdp->realm_listen = strdup(def_listen);
     }
     if (!rdp->realm_listen) {
         kret = ENOMEM;
@@ -272,12 +272,15 @@ init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
         /* Try the old kdc_tcp_ports configuration option. */
         hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
         if (krb5_aprof_get_string(aprof, hierarchy, TRUE,
-                                  &rdp->realm_tcp_listen))
+                                  &rdp->realm_tcp_listen) &&
+            def_tcp_listen != NULL) {
+            /* Copy [kdcdefaults] value if one was given. */
             rdp->realm_tcp_listen = strdup(def_tcp_listen);
-    }
-    if (!rdp->realm_tcp_listen) {
-        kret = ENOMEM;
-        goto whoops;
+            if (rdp->realm_tcp_listen == NULL) {
+                kret = ENOMEM;
+                goto whoops;
+            }
+        }
     }
     /* Handle stash file */
     hierarchy[2] = KRB5_CONF_KEY_STASH_FILE;
@@ -605,7 +608,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
     kdc_realm_t *rdatap = NULL;
     krb5_boolean manual = FALSE;
     krb5_boolean def_restrict_anon;
-    char *def_udp_listen = NULL;
+    char *def_listen = NULL;
     char *def_tcp_listen = NULL;
     krb5_pointer aprof = kcontext->profile;
     const char *hierarchy[3];
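Review bot: In the `@@ -272,12 +272,15 @@` hunk the removed `if (!rdp->realm_tcp_listen)` check made NULL an error, while after the change NULL is a legitimate state meaning "no kdc_tcp_listen relation anywhere", which main() later resolves to realm_listen, yet neither the code here nor (as far as the diff shows) the kdc_realm_t declaration records that new meaning. The new semantics also rest on rdp->realm_tcp_listen already being NULL when both krb5_aprof_get_string() calls fail, i.e. on the struct having been zeroed earlier in init_realm() and on the lookup leaving its output untouched on failure — worth confirming, since a stale non-NULL value would silently be treated as a configured listener list. I would add `/* NULL means no TCP list was configured; main() then reuses realm_listen. */` above the inner `if`, and a matching comment on the realm_tcp_listen field of the realm struct. The enclosing `if` for KRB5_CONF_KDC_TCP_LISTEN opens before this hunk.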
@@ -619,10 +622,10 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
     hierarchy[0] = KRB5_CONF_KDCDEFAULTS;
     hierarchy[1] = KRB5_CONF_KDC_LISTEN;
     hierarchy[2] = NULL;
-    if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) {
+    if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_listen)) {
         hierarchy[1] = KRB5_CONF_KDC_PORTS;
-        if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))
-            def_udp_listen = NULL;
+        if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_listen))
+            def_listen = NULL;
     }
     hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN;
     if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_tcp_listen)) {
@@ -649,16 +652,9 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
     if (krb5_aprof_get_string_all(aprof, hierarchy, &hostbased))
         hostbased = 0;
 
-    if (def_udp_listen == NULL) {
-        def_udp_listen = strdup(DEFAULT_KDC_UDP_PORTLIST);
-        if (def_udp_listen == NULL) {
-            fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
-            exit(1);
-        }
-    }
-    if (def_tcp_listen == NULL) {
-        def_tcp_listen = strdup(DEFAULT_KDC_TCP_PORTLIST);
-        if (def_tcp_listen == NULL) {
+    if (def_listen == NULL) {
+        def_listen = strdup(DEFAULT_KDC_PORTLIST);
+        if (def_listen == NULL) {
             fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
             exit(1);
         }
@@ -693,9 +689,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
             if (!find_realm_data(&shandle, optarg, (krb5_ui_4) strlen(optarg))) {
                 if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
                     retval = init_realm(rdatap, aprof, optarg, mkey_name,
-                                        menctype, def_udp_listen,
-                                        def_tcp_listen, manual,
-                                        def_restrict_anon, db_args,
+                                        menctype, def_listen, def_tcp_listen,
+                                        manual, def_restrict_anon, db_args,
                                         no_referral, hostbased);
                     if (retval) {
                         fprintf(stderr, _("%s: cannot initialize realm %s - "
@@ -769,11 +764,9 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
             pid_file = optarg;
             break;
         case 'p':
-            free(def_udp_listen);
-            free(def_tcp_listen);
-            def_udp_listen = strdup(optarg);
-            def_tcp_listen = strdup(optarg);
-            if (def_udp_listen == NULL || def_tcp_listen == NULL) {
+            free(def_listen);
+            def_listen = strdup(optarg);
+            if (def_listen == NULL) {
                 fprintf(stderr, _(" KDC cannot initialize. Not enough "
                                   "memory\n"));
                 exit(1);
@@ -807,7 +800,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
         }
         if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
             retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype,
-                                def_udp_listen, def_tcp_listen, manual,
+                                def_listen, def_tcp_listen, manual,
                                 def_restrict_anon, db_args, no_referral,
                                 hostbased);
             if (retval) {
@@ -821,8 +814,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv,
         krb5_free_default_realm(kcontext, lrealm);
     }
 
-    if (def_udp_listen)
-        free(def_udp_listen);
+    if (def_listen)
+        free(def_listen);
     if (def_tcp_listen)
         free(def_tcp_listen);
     if (db_args)
@@ -896,6 +889,7 @@ int main(int argc, char **argv)
     krb5_error_code retval;
     krb5_context kcontext;
     kdc_realm_t *realm;
+    const char *tcp_listen;
     verto_ctx *ctx;
     int tcp_listen_backlog;
     int errout = 0;
@@ -972,8 +966,9 @@ int main(int argc, char **argv)
         retval = loop_add_unix_socket(realm->realm_listen);
         if (retval)
             goto net_init_error;
-        retval = loop_add_tcp_address(KRB5_DEFAULT_PORT,
-                                      realm->realm_tcp_listen);
+        tcp_listen = (realm->realm_tcp_listen != NULL) ?
+            realm->realm_tcp_listen : realm->realm_listen;
+        retval = loop_add_tcp_address(KRB5_DEFAULT_PORT, tcp_listen);
         if (retval)
             goto net_init_error;
     }
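Review bot: Under `case 'p':` the TCP default is no longer touched, so a `kdc_tcp_listen` relation in [kdcdefaults] now takes precedence over `-p` for TCP, whereas the removed lines had `-p` replace both lists. If the old precedence is meant to survive, add `free(def_tcp_listen); def_tcp_listen = NULL;` after the new `free(def_listen);` so that TCP falls through to the `-p` value via def_listen; if the new precedence is intended, the `-p` description in the krb5kdc documentation (not part of this diff) should be checked, as I believe it states that `-p` overrides the [kdcdefaults] values. The surrounding getopt switch begins and ends outside this hunk.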
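Review bot: In the `@@ -972,8 +966,9 @@` hunk the fallback hands realm_listen to loop_add_tcp_address(), and this same commit documents that list as possibly containing UNIX domain socket pathnames (the line just above already feeds it to loop_add_unix_socket()); the hunk does not show that loop_add_tcp_address() tolerates such entries, so it is worth confirming it skips them rather than failing the bind and taking `goto net_init_error`. The same question applies to kdc_tcp_listen itself now that the docs describe its syntax as identical to kdc_listen. A short comment above the assignment would also help the reader: `/* Without kdc_tcp_listen, TCP shares the kdc_listen address list. */`. The enclosing loop over realms starts before this hunk.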