From: Andreas Schneider
Date: Fri, 8 Nov 2024 08:57:59 +0000 (+0100)
Subject: Add kadmind support for disabling listening
X-Git-Tag: krb5-1.22-beta1~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cde2b3bbd96d31604392b067e9a047c245c4e314;p=thirdparty%2Fkrb5.git

Add kadmind support for disabling listening

Currently setting kdc_listen or kdc_tcp_listen to the empty string
disables listening for UDP and TCP connections respectively, but
setting kadmind_listen or kpasswd_listen to the empty string listens on
the wildcard address. Make the behavior consistent by changing
loop_add_addresses() to add no listeners when the string contains no
tokens. Remove the conditionals from the KDC code. Document the new
behavior of kadmind_listen and kpasswd_listen, and the existing behavior
of kdc_listen.

[ghudson@mit.edu: simplified loop_add_addresses(); combined several
commits and rewrote commit message]

ticket: 9151 (new)
---
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index d1de933a57..ed07d83b0e 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst
@@ -292,10 +292,12 @@ The following tags may be specified in a [realms] subsection: Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If kadmind fails to bind - to any of the specified addresses, it will fail to start. The - default is to bind to the wildcard address at the port specified - in **kadmind_port**, or the standard kadmin port (749). New in + specified, the wildcard address is used. To disable listening for + kadmin RPC connections, set this relation to the empty string with + ``kadmind_listen = ""``. If kadmind fails to bind to any of the + specified addresses, it will fail to start. The default is to + bind to the wildcard address at the port specified in + **kadmind_port**, or the standard kadmin port (749). New in release 1.15. **kadmind_port** @@ -316,10 +318,11 @@ The following tags may be specified in a [realms] subsection: address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, - the standard port (88) is used. If the KDC daemon fails to bind - to any of the specified addresses, it will fail to start. The - default is to bind to the wildcard address on the standard port. - New in release 1.15. + the standard port (88) is used. To disable listening on UDP, set + this relation to the empty string with ``kdc_listen = ""``. + If the KDC daemon fails to bind to any of the specified addresses, + it will fail to start. The default is to bind to the wildcard + address on the standard port. New in release 1.15. **kdc_ports** (Whitespace- or comma-separated list, deprecated.) Prior to 
@@ -354,10 +357,12 @@ The following tags may be specified in a [realms] subsection: an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard - address is used. If kadmind fails to bind to any of the specified - addresses, it will fail to start. The default is to bind to the - wildcard address at the port specified in **kpasswd_port**, or the - standard kpasswd port (464). New in release 1.15. + address is used. To disable listening for kpasswd requests, set + this relation to the empty string with ``kpasswd_listen = ""``. + If kadmind fails to bind to any of the specified addresses, it + will fail to start. The default is to bind to the wildcard + address at the port specified in **kpasswd_port**, or the standard + kpasswd port (464). New in release 1.15. **kpasswd_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` diff --git a/src/kdc/main.c b/src/kdc/main.c index c5a66ddde8..3698a4b0da 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -965,18 +965,13 @@ int main(int argc, char **argv) /* Add each realm's listener addresses to the loop. */ for (i = 0; i < shandle.kdc_numrealms; i++) { realm = shandle.kdc_realmlist[i]; - if (*realm->realm_listen != '\0') { - retval = loop_add_udp_address(KRB5_DEFAULT_PORT, - realm->realm_listen); - if (retval) - goto net_init_error; - } - if (*realm->realm_tcp_listen != '\0') { - retval = loop_add_tcp_address(KRB5_DEFAULT_PORT, - realm->realm_tcp_listen); - if (retval) - goto net_init_error; - } + retval = loop_add_udp_address(KRB5_DEFAULT_PORT, realm->realm_listen); + if (retval) + goto net_init_error; + retval = loop_add_tcp_address(KRB5_DEFAULT_PORT, + realm->realm_tcp_listen); + if (retval) + goto net_init_error; } if (workers == 0) { diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c index b3da72d3fb..60bd71bae1 100644 
--- a/src/lib/apputils/net-server.c +++ b/src/lib/apputils/net-server.c @@ -391,15 +391,8 @@ loop_add_addresses(const char *addresses, int default_port, goto cleanup; } - /* Start tokenizing the addresses string. If we get NULL the string - * contained no addresses, so add a wildcard address. */ + /* Loop through each address in the string and add it to the loop. */ addr = strtok_r(addresses_copy, ADDRESSES_DELIM, &saveptr); - if (addr == NULL) { - ret = loop_add_address(NULL, default_port, type, rpc_data); - goto cleanup; - } - - /* Loop through each address and add it to the loop. */ for (; addr != NULL; addr = strtok_r(NULL, ADDRESSES_DELIM, &saveptr)) { /* Parse the host string. */ ret = k5_parse_host_string(addr, default_port, &host, &port); @@ -414,6 +407,7 @@ loop_add_addresses(const char *addresses, int default_port, host = NULL; } + ret = 0; cleanup: free(addresses_copy); free(host);
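Review bot: In the kdc_conf.rst hunk for **kadmind_listen** (@@ -292), the new sentence about ``kadmind_listen = ""`` disabling listening sits directly above the unchanged trailer "New in release 1.15", which now reads as if the empty-string form has existed since 1.15. The commit message says the empty string bound the wildcard address until this change, so an administrator running a release before the X-Git-Tag release (krb5-1.22) who copies this setting gets the opposite of what the page promises. Suggest qualifying the new sentence, for example "Setting this relation to the empty string disables listening for kadmin RPC connections (since release 1.22)", and the same for the parallel sentence in the **kpasswd_listen** hunk (@@ -354).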
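Review bot: The **kdc_listen** hunk (@@ -316) documents the empty-string form only for UDP, but the commit message states that kdc_tcp_listen has had the same behaviour all along. Since the commit's purpose is to make the four listen relations consistent, the kdc_tcp_listen entry should get the parallel sentence ("To disable listening on TCP, set this relation to the empty string with ``kdc_tcp_listen = ""``.") in the same change rather than leaving one of the four undocumented.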
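Review bot: In src/kdc/main.c (@@ -965), removing the ``*realm->realm_listen != '\0'`` and ``*realm->realm_tcp_listen != '\0'`` guards makes this loop silently depend on loop_add_addresses() adding nothing for a token-less string; the guards were the only local hint of that contract, so a one-line comment ("an empty listen string adds no listeners") above the two calls would help the next reader. A related observation: with both relations empty a realm now passes this loop with zero listeners and no diagnostic, exactly as before, but with the checks gone there is no obvious place left to add one; logging a warning when a realm ends up with neither a UDP nor a TCP listener would make an accidentally empty kdc.conf value visible at startup instead of at the first failed client request.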
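Review bot: The first net-server.c hunk (@@ -391) changes the contract of loop_add_addresses() for every caller, not only kadmind: a caller whose unset or default value reaches this function as the empty string previously got the wildcard listener from the removed ``loop_add_address(NULL, default_port, type, rpc_data)`` fallback and now gets no listener at all. The commit message asserts that the default for kadmind_listen and kpasswd_listen is still the wildcard address, which is only true if those defaults are materialized as non-empty strings before reaching this function; that code is not in the diff, so please confirm it, and update the comments for loop_add_udp_address() and loop_add_tcp_address() in the header to say that an empty string adds no listeners, since the new comment "Loop through each address in the string and add it to the loop" no longer mentions the zero-token case.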
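Review bot: The added ``ret = 0;`` before ``cleanup:`` in the second net-server.c hunk (@@ -414) is what makes the zero-token case return success, because with no tokens the for loop body never runs and ``ret`` would otherwise keep whatever it held. This is correct only if every failure inside the loop leaves via ``goto cleanup`` rather than ``break``; the hunk's context shows the loop end (``host = NULL; }``) but not the loop's error handling, so it is worth checking that no ``break`` on a failed k5_parse_host_string() or loop_add_address() now falls through to ``ret = 0`` and reports a half-configured listener set as success.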
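As an added example that is not part of this commit or of krb5's own code, the following C program models the tokenizing contract that loop_add_addresses() has after this change: every token becomes one listener, a token with no address part means the wildcard address, and a string with no tokens at all yields zero listeners instead of the wildcard. parse_host_string() is a hypothetical stand-in for k5_parse_host_string() (the real function is not reproduced), EXAMPLE_DELIM and the 749 default are assumptions taken from the documentation text in the diff, and the sample configuration values are constructed.

```c
/* Added example, not krb5 code: a simplified model of how
 * loop_add_addresses() treats a kdc_listen/kadmind_listen/kpasswd_listen
 * value after this change.  parse_host_string() is a hypothetical stand-in
 * for k5_parse_host_string(); EXAMPLE_DELIM and EXAMPLE_DEFAULT_PORT are
 * assumptions drawn from the documentation (whitespace/comma separated,
 * standard kadmin port 749). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_DELIM " \t,"
#define EXAMPLE_DEFAULT_PORT 749
#define MAX_LISTENERS 16

struct listener {
    char host[64];                  /* "" means the wildcard address */
    int port;
};

/* Parse one token: "addr", "port", "addr:port" or "[v6addr]:port".
 * Returns 0 on success, -1 on a malformed token. */
static int parse_host_string(const char *tok, int default_port,
                             char *host, size_t hostlen, int *port)
{
    const char *hstart, *hend, *pstr = NULL, *colon;
    char *end;
    size_t n;
    long v;

    if (tok[0] == '[') {                        /* bracketed IPv6 literal */
        hstart = tok + 1;
        hend = strchr(hstart, ']');
        if (hend == NULL || (hend[1] != ':' && hend[1] != '\0'))
            return -1;
        if (hend[1] == ':')
            pstr = hend + 2;
    } else if (strspn(tok, "0123456789") == strlen(tok)) {
        hstart = hend = tok;                    /* bare port: wildcard addr */
        pstr = tok;
    } else {
        colon = strchr(tok, ':');
        if (colon != NULL && strchr(colon + 1, ':') != NULL)
            return -1;                          /* unbracketed IPv6: reject */
        hstart = tok;
        hend = (colon != NULL) ? colon : tok + strlen(tok);
        pstr = (colon != NULL) ? colon + 1 : NULL;
    }
    n = (size_t)(hend - hstart);
    if (n >= hostlen)
        return -1;
    memcpy(host, hstart, n);
    host[n] = '\0';
    if (pstr == NULL) {
        *port = default_port;
        return 0;
    }
    v = strtol(pstr, &end, 10);
    if (*pstr == '\0' || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* Model of loop_add_addresses(): one listener per token.  A string with no
 * tokens now yields zero listeners (it used to mean the wildcard address).
 * Returns the number of listeners stored in listeners[], or -1 on error. */
static struct listener listeners[MAX_LISTENERS];

static int add_addresses(const char *addresses, int default_port)
{
    const char *p = addresses;
    char tok[128];
    size_t len;
    int count = 0;

    for (;;) {
        p += strspn(p, EXAMPLE_DELIM);          /* skip delimiters */
        if (*p == '\0')
            break;                              /* no (more) tokens */
        len = strcspn(p, EXAMPLE_DELIM);
        if (len >= sizeof(tok) || count >= MAX_LISTENERS)
            return -1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (parse_host_string(tok, default_port, listeners[count].host,
                              sizeof(listeners[count].host),
                              &listeners[count].port) != 0)
            return -1;
        count++;
        p += len;
    }
    return count;
}

int main(void)
{
    /* Constructed sample values of the kind found in kdc.conf [realms]. */
    const char *samples[] = { "", "[::1]:749 10.0.0.1, :750" };
    int i, j, n;

    for (i = 0; i < 2; i++) {
        n = add_addresses(samples[i], EXAMPLE_DEFAULT_PORT);
        printf("\"%s\" -> %d listener(s)\n", samples[i], n);
        for (j = 0; j < n; j++)
            printf("  %s:%d\n", listeners[j].host[0] ? listeners[j].host : "*",
                   listeners[j].port);
    }
    return 0;
}
```

The operational consequence for an administrator is the inversion of the failure direction: before this change an accidentally empty kadmind_listen or kpasswd_listen value exposed the service on the wildcard address, whereas now it produces a daemon that starts but accepts nothing. That is the safer default, but it means a post-start check that the expected ports are actually bound belongs in any deployment procedure that templates these relations.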