From: Sarah Day Date: Wed, 23 Dec 2015 17:11:34 +0000 (-0500) Subject: Allow user to restrict kadmind bind addresses X-Git-Tag: krb5-1.15-beta1~153 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00;p=thirdparty%2Fkrb5.git Allow user to restrict kadmind bind addresses kadmind has always only supported binding to the wildcard addresses. Add three configuration options to allow specifying the address/port that kadmind listens on for kpasswd, kadmin, and iprop connections. [ghudson@mit.edu: edited documentation; minimized changes to setup_loop(); added iprop_listen] ticket: 1093 --- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index b88ce79b57..9974626034 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst 
@@ -210,10 +210,26 @@ The following tags may be specified in a [realms] subsection: new updates from the master. The default value is ``2m`` (that is, two minutes). +**iprop_listen** + (Whitespace- or comma-separated list.) Specifies the iprop RPC + listening addresses and/or ports for the :ref:`kadmind(8)` daemon. + Each entry may be an interface address, a port number, or an + address and port number separated by a colon. If the address + contains colons, enclose it in square brackets. If no address is + specified, the wildcard address is used. If kadmind fails to bind + to any of the specified addresses, it will fail to start. The + default (when **iprop_enable** is true) is to bind to the wildcard + address at the port specified in **iprop_port**. New in release + 1.15. + **iprop_port** (Port number.) Specifies the port number to be used for - incremental propagation. This is required in both master and - slave configuration files. + incremental propagation. When **iprop_enable** is true, this + relation is required in the slave configuration file, and this + relation or **iprop_listen** is required in the master + configuration file, as there is no default port number. Port + numbers specified in **iprop_listen** entries will override this + port number for the :ref:`kadmind(8)` daemon. **iprop_resync_timeout** (Delta time string.) Specifies the amount of time to wait for a 
@@ -232,10 +248,23 @@ The following tags may be specified in a [realms] subsection: **database_name** is used. Determination of the **iprop_logfile** default value will not use values from the [dbmodules] section.) +**kadmind_listen** + (Whitespace- or comma-separated list.) Specifies the kadmin RPC + listening addresses and/or ports for the :ref:`kadmind(8)` daemon. + Each entry may be an interface address, a port number, or an + address and port number separated by a colon. If the address + contains colons, enclose it in square brackets. If no address is + specified, the wildcard address is used. If kadmind fails to bind + to any of the specified addresses, it will fail to start. The + default is to bind to the wildcard address at the port specified + in **kadmind_port**, or the standard kadmin port (749). New in + release 1.15. + **kadmind_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` - daemon is to listen for this realm. The assigned port for kadmind - is 749, which is used by default. + daemon is to listen for this realm. Port numbers specified in + **kadmind_listen** entries will override this port number. The + assigned port for kadmind is 749, which is used by default. **key_stash_file** (String.) Specifies the location where the master key has been 
@@ -258,6 +287,24 @@ The following tags may be specified in a [realms] subsection: port 88 (the standard port). Prior to release 1.13, the default was not to listen for TCP connections at all. +**kpasswd_listen** + (Comma-separated list.) Specifies the kpasswd listening addresses + and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be + an interface address, a port number, or an address and port number + separated by a colon. If the address contains colons, enclose it + in square brackets. If no address is specified, the wildcard + address is used. If kadmind fails to bind to any of the specified + addresses, it will fail to start. The default is to bind to the + wildcard address at the port specified in **kpasswd_port**, or the + standard kpasswd port (464). New in release 1.15. + +**kpasswd_port** + (Port number.) Specifies the port on which the :ref:`kadmind(8)` + daemon is to listen for password change requests for this realm. + Port numbers specified in **kpasswd_listen** entries will override + this port number. The assigned port for password change requests + is 464, which is used by default. + **master_key_name** (String.) Specifies the name of the principal associated with the master key. The default is ``K/M``. diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 1cda50db45..8c2fa43d25 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -218,6 +218,7 @@ typedef unsigned char u_char; #define KRB5_CONF_HTTP_ANCHORS "http_anchors" #define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME "ignore_acceptor_hostname" #define KRB5_CONF_IPROP_ENABLE "iprop_enable" +#define KRB5_CONF_IPROP_LISTEN "iprop_listen" #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile" #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize" #define KRB5_CONF_IPROP_PORT "iprop_port" 
@@ -225,6 +226,7 @@ typedef unsigned char u_char; #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" #define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative" #define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory" +#define KRB5_CONF_KADMIND_LISTEN "kadmind_listen" #define KRB5_CONF_KADMIND_PORT "kadmind_port" #define KRB5_CONF_KCM_MACH_SERVICE "kcm_mach_service" #define KRB5_CONF_KCM_SOCKET "kcm_socket" @@ -237,6 +239,7 @@ typedef unsigned char u_char; #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports" #define KRB5_CONF_KDC_TIMESYNC "kdc_timesync" #define KRB5_CONF_KEY_STASH_FILE "key_stash_file" +#define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen" #define KRB5_CONF_KPASSWD_PORT "kpasswd_port" #define KRB5_CONF_KPASSWD_SERVER "kpasswd_server" #define KRB5_CONF_KRB524_SERVER "krb524_server" diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index a6e07c020c..89bf4e6980 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -150,20 +150,24 @@ setup_loop(int proponly, verto_ctx **ctx_out) if (ret) return ret; if (!proponly) { - ret = loop_add_udp_address(handle->params.kpasswd_port, NULL); + ret = loop_add_udp_address(handle->params.kpasswd_port, + handle->params.kpasswd_listen); if (ret) return ret; - ret = loop_add_tcp_address(handle->params.kpasswd_port, NULL); + ret = loop_add_tcp_address(handle->params.kpasswd_port, + handle->params.kpasswd_listen); if (ret) return ret; - ret = loop_add_rpc_service(handle->params.kadmind_port, NULL, KADM, - KADMVERS, kadm_1); + ret = loop_add_rpc_service(handle->params.kadmind_port, + handle->params.kadmind_listen, + KADM, KADMVERS, kadm_1); if (ret) return ret; } #ifndef DISABLE_IPROP if (handle->params.iprop_enabled) { - ret = loop_add_rpc_service(handle->params.iprop_port, NULL, + ret = loop_add_rpc_service(handle->params.iprop_port, + handle->params.iprop_listen, KRB5_IPROP_PROG, KRB5_IPROP_VERS, krb5_iprop_prog_1); if (ret) 
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index 14e4865209..b765148b36 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -145,7 +145,7 @@ typedef long kadm5_ret_t; #define KADM5_CONFIG_ENCTYPE 0x00000200 #define KADM5_CONFIG_ADBNAME 0x00000400 #define KADM5_CONFIG_ADB_LOCKFILE 0x00000800 -/*#define KADM5_CONFIG_PROFILE 0x00001000*/ +#define KADM5_CONFIG_KADMIND_LISTEN 0x00001000 #define KADM5_CONFIG_ACL_FILE 0x00002000 #define KADM5_CONFIG_KADMIND_PORT 0x00004000 #define KADM5_CONFIG_ENCTYPES 0x00008000 @@ -156,9 +156,7 @@ typedef long kadm5_ret_t; #define KADM5_CONFIG_OLD_AUTH_GSSAPI 0x00100000 #define KADM5_CONFIG_NO_AUTH 0x00200000 #define KADM5_CONFIG_AUTH_NOFALLBACK 0x00400000 -#ifdef notyet /* Novell */ -#define KADM5_CONFIG_KPASSWD_SERVER 0x00800000 -#endif +#define KADM5_CONFIG_KPASSWD_LISTEN 0x00800000 #define KADM5_CONFIG_IPROP_ENABLED 0x01000000 #define KADM5_CONFIG_ULOG_SIZE 0x02000000 #define KADM5_CONFIG_POLL_TIME 0x04000000 @@ -166,6 +164,7 @@ typedef long kadm5_ret_t; #define KADM5_CONFIG_IPROP_PORT 0x10000000 #define KADM5_CONFIG_KVNO 0x20000000 #define KADM5_CONFIG_IPROP_RESYNC_TIMEOUT 0x40000000 +#define KADM5_CONFIG_IPROP_LISTEN 0x80000000 /* * permission bits */ @@ -277,6 +276,9 @@ typedef struct _kadm5_config_params { /* char * iprop_server;*/ int iprop_port; int iprop_resync_timeout; + char * kadmind_listen; + char * kpasswd_listen; + char * iprop_listen; } kadm5_config_params; typedef struct _kadm5_key_data { diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index a157093109..34f8c5661d 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c 
@@ -591,6 +591,14 @@ krb5_error_code kadm5_get_config_params(krb5_context context, GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE, NULL); + /* Get the kadmind listen addresses. */ + GET_STRING_PARAM(kadmind_listen, KADM5_CONFIG_KADMIND_LISTEN, + KRB5_CONF_KADMIND_LISTEN, NULL); + GET_STRING_PARAM(kpasswd_listen, KADM5_CONFIG_KPASSWD_LISTEN, + KRB5_CONF_KPASSWD_LISTEN, NULL); + GET_STRING_PARAM(iprop_listen, KADM5_CONFIG_IPROP_LISTEN, + KRB5_CONF_IPROP_LISTEN, NULL); + #define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ get_port_param(¶ms.FIELD, params_in->FIELD, \ ¶ms.mask, params_in->mask, BIT, \ diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index 04e309453d..dbab0e8699 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man 
@@ -269,10 +269,26 @@ Prior to release 1.11, the maximum value was 2500. new updates from the master. The default value is \fB2m\fP (that is, two minutes). .TP +.B \fBiprop_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the iprop RPC +listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If kadmind fails to bind +to any of the specified addresses, it will fail to start. The +default (when \fBiprop_enable\fP is true) is to bind to the wildcard +address at the port specified in \fBiprop_port\fP\&. New in release +1.15. +.TP .B \fBiprop_port\fP (Port number.) Specifies the port number to be used for -incremental propagation. This is required in both master and -slave configuration files. +incremental propagation. When \fBiprop_enable\fP is true, this +relation is required in the slave configuration file, and this +relation or \fBiprop_listen\fP is required in the master +configuration file, as there is no default port number. Port +numbers specified in \fBiprop_listen\fP entries will override this +port number for the \fIkadmind(8)\fP daemon. .TP .B \fBiprop_resync_timeout\fP (Delta time string.) Specifies the amount of time to wait for a 
@@ -291,10 +307,23 @@ back end is being used, or the file name is specified in the \fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP default value will not use values from the [dbmodules] section.) .TP +.B \fBkadmind_listen\fP +(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC +listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +Each entry may be an interface address, a port number, or an +address and port number separated by a colon. If the address +contains colons, enclose it in square brackets. If no address is +specified, the wildcard address is used. If kadmind fails to bind +to any of the specified addresses, it will fail to start. The +default is to bind to the wildcard address at the port specified +in \fBkadmind_port\fP, or the standard kadmin port (749). New in +release 1.15. +.TP .B \fBkadmind_port\fP (Port number.) Specifies the port on which the \fIkadmind(8)\fP -daemon is to listen for this realm. The assigned port for kadmind -is 749, which is used by default. +daemon is to listen for this realm. Port numbers specified in +\fBkadmind_listen\fP entries will override this port number. The +assigned port for kadmind is 749, which is used by default. .TP .B \fBkey_stash_file\fP (String.) Specifies the location where the master key has been 
@@ -316,6 +345,24 @@ If this relation is not specified, the default is to listen on TCP port 88 (the standard port). Prior to release 1.13, the default was not to listen for TCP connections at all. .TP +.B \fBkpasswd_listen\fP +(Comma\-separated list.) Specifies the kpasswd listening addresses +and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be +an interface address, a port number, or an address and port number +separated by a colon. If the address contains colons, enclose it +in square brackets. If no address is specified, the wildcard +address is used. If kadmind fails to bind to any of the specified +addresses, it will fail to start. The default is to bind to the +wildcard address at the port specified in \fBkpasswd_port\fP, or the +standard kpasswd port (464). New in release 1.15. +.TP +.B \fBkpasswd_port\fP +(Port number.) Specifies the port on which the \fIkadmind(8)\fP +daemon is to listen for password change requests for this realm. +Port numbers specified in \fBkpasswd_listen\fP entries will override +this port number. The assigned port for password change requests +is 464, which is used by default. +.TP .B \fBmaster_key_name\fP (String.) Specifies the name of the principal associated with the master key. The default is \fBK/M\fP\&. @@ -546,8 +593,8 @@ modules. The value should be an absolute path. .SS [logging] .sp The [logging] section indicates how \fIkrb5kdc(8)\fP and -\fIkadmind(8)\fP perform logging. The keys in this section are -daemon names, which may be one of: +\fIkadmind(8)\fP perform logging. It may contain the following +relations: .INDENT 0.0 .TP .B \fBadmin_server\fP 
@@ -559,9 +606,16 @@ Specifies how \fIkrb5kdc(8)\fP performs logging. .B \fBdefault\fP Specifies how either daemon performs logging in the absence of relations specific to the daemon. +.TP +.B \fBdebug\fP +(Boolean value.) Specifies whether debugging messages are +included in log outputs other than SYSLOG. Debugging messages are +always included in the system log output because syslog performs +its own priority filtering. The default value is false. New in +release 1.15. .UNINDENT .sp -Values are of the following forms: +Logging specifications may have the following forms: .INDENT 0.0 .TP .B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
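Review bot: the kpasswd_listen entry in the kdc_conf.rst hunk at @@ -258 (and its kdc.conf.man copy at @@ -316) is labelled "(Comma-separated list.)" while the iprop_listen and kadmind_listen entries added in the same patch say "(Whitespace- or comma-separated list.)". Unless the kpasswd list is parsed differently from the other two, the wording should match; suggest "(Whitespace- or comma-separated list.)" in the rst and regenerating the man page. It would also help to state in kpasswd_listen that each entry opens both a UDP and a TCP listener, since setup_loop() passes handle->params.kpasswd_listen to both loop_add_udp_address() and loop_add_tcp_address().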
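Review bot: in the ovsec_kadmd.c setup_loop() hunk the iprop branch still passes handle->params.iprop_port as the port argument next to handle->params.iprop_listen, yet the iprop_port documentation in this patch says the master may supply either iprop_port or iprop_listen "as there is no default port number". Confirm what loop_add_rpc_service() does when iprop_port is unset and an iprop_listen entry carries only an address, and that whatever startup check previously required iprop_port on the master now accepts iprop_listen instead; neither is visible in this diff.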
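Review bot: in the admin.h hunk KADM5_CONFIG_IPROP_LISTEN takes 0x80000000, the last free bit of the 32-bit config mask, so the next config flag will need a wider mask type or a second mask word; and if the mask field is a signed type on a platform where it is 32 bits wide, this unsigned literal becomes negative when stored, so mask checks must stay bitwise tests rather than comparisons. Reusing 0x00001000 (formerly the commented-out KADM5_CONFIG_PROFILE) and 0x00800000 (formerly the "#ifdef notyet" KADM5_CONFIG_KPASSWD_SERVER) is fine since neither was live, but a short comment noting the reuse would help anyone grepping older code.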
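Review bot: the alt_prof.c hunk allocates kadmind_listen, kpasswd_listen and iprop_listen through GET_STRING_PARAM with a NULL default, but the patch shows no matching change to kadm5_free_config_params() or to any routine that copies kadm5_config_params. Check that the three new strings are freed (and duplicated) there, otherwise each configuration load leaks them.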
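Review bot: the kdc.conf.man hunks at @@ -546 and @@ -559 reword the [logging] introduction and document a new "debug" relation, neither of which relates to kadmind bind addresses or is mentioned in the commit message. If the man page is being regenerated and picked up an earlier rst change for "debug", say so in the commit message; otherwise these two hunks belong in their own commit.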