Greg Hudson [Thu, 3 May 2012 15:15:51 +0000 (15:15 +0000)]
In sn2princ, getaddrinfo without AI_ADDRCONFIG
When canonicalizing a principal, use AI_CANONNAME alone in the hint
flags for getaddrinfo, for two reasons. First, it works around a gnu
libc bug where getaddrinfo does a PTR lookup for the canonical name
(we tried to work around this in r24977 bug the addition of
AI_ADDRCONFIG caused the same problem as the use of AF_INET). Second,
an IPv4-only host should be able create a principal for an IPv6-only
host even if it can't contact the host.
This does result in extra AAAA queries in the common case (IPv4-only
host contacting IPv4-only service), which is unfortunate. But we need
to leave that optimization up to the platform at this point.
Turn the last two entries of the pa_types table into helper functions
which we invoke before the loop. Then, get rid of the part of the
loop which consults the pa_types table.
Tom Yu [Fri, 27 Apr 2012 22:40:21 +0000 (22:40 +0000)]
Use correct name-type in TGS-REQs for 2008R2 RODCs
Correctly set the name-type for the TGS principals to KRB5_NT_SRV_INST
in TGS-REQs. (Previously, only AS-REQs had the name-type set in this
way.) Windows Server 2008 R2 read-only domain controllers (RODCs)
insist on having the correct name-type for the TGS principal in
TGS-REQs as well as AS-REQs, at least for the TGT-forwarding case.
Thanks to Sebastian Galiano for reporting this bug and helping with
testing.
The addition of afs3-salt processing in get_etype_info made it overly
large, so split out the pw-salt/afs3-salt processing into a separate
function. Also fix two dumb bugs.
In krb5_init_creds_ctx and krb5_clpreauth_rock_st, use a boolean to
track whether we're still using the default salt instead of
overloading salt.length. In preauth2.c, process afs3 salt values like
we would in krb5int_des_string_to_key, and set an s2kparams indicator
instead of overloading salt.length. Also use an s2kparams indicator
in kdb_cpw.c's add_key_pwd. Remove the s2k code to handle overloaded
salt lengths, except for a sanity check.
Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
throw away the length and use strcspn in krb5int_des_string_to_key,
which isn't safe if the value is unterminated.
Add a method to the securid_sam2 plugin, built with alternate
compile-time flags, which supplies a plain-text challenge to the
client to be used as the OTP value. This lets us manually exercise
the SAM-2 client code and a little bit of the KDC code.
securid_make_sam_challenge_2_and_cksum is moved into the method-
independent code and renamed. get_securid_edata_2 has its sc2b
parameter removed as it was not used by the caller.
Although the kadmin client never generates a KADM5_POLICY_CLR mask bit
with addprinc, the bit will be set if a kadm5.acl line imposes the
-clearpolicy restriction. Relax the sanity checking in
kadm5_create_principal_3 to allow KADM5_POLICY_CLR as long as
KADM5_POLICY is not also set.
Add K5Realm.prep_kadmin() to create a ccache and K5Realm.run_kadmin()
to run a kadmin query using it. Modify t_stringattr.py to use these
helpers instead of its own.
Initialize use_count fields in krb5_preauth_request_context_init,
which is invoked before each AS request. Previously they were
initialized only in krb5_init_preauth_context, which is only invoked
once per krb5 library context.
Move some tests out of the multipass_realms loop since they aren't
enctype-dependent. Fix the success message not to mention kvno
wrapping. Don't start kadmind in the multipass_realms loop since we
don't use it.
A database created prior to 1.3 will have multiple password history
keys, and kadmin prior to 1.8 won't necessarily choose the first one.
So if there are multiple keys, we have to try them all. If none of
the keys can decrypt a password history entry, don't fail the password
change operation; it's not worth it without positive evidence of
password reuse.
Use krb5_init_creds_set_keytab in krb5_get_init_creds_keytab, so that
processing added to the former will be used by the latter. This is
slightly awkward because of the way we do the use_master fallback, in
that we have to duplicate some of krb5int_get_init_creds.
Create a test script for keytab-related tests. Move the kvno wrapping
test there from t_general.py, and augment it to better match what's in
standalone.exp. Add tests for kinit with keytab, including kinit with
the most-preferred enctype missing from the keytab (which currently
fails).
Add a clpreauth callback which gets the time of day using an offset
determined by the preauth-required error, and use it in encrypted
timestamp and encrypted challenge. This timestamp is not necessarily
authenticated, but the security consequences for those preauth mechs
are minor (and can be mitigated by turning off kdc_timesync on
clients).
When decoding an AS-REP enc part, we should accept app tags 26 (the
bogus one we generate) and 25 (the correct value). We were accepting
26 and 24. Bug report and fix by stefw@gnome.org.
When we check for password reuse, only compare keys with the most
recent kvno against history entries, or else we will always fail with
-keepold.
This bug primarily affects rollover of cross-realm TGT principals,
which typically use password-derived keys and may have an associated
password policy such as "default".
Bug report and candidate fix (taken with a slight modification) by
Nicolas Williams.
Active Directory always issues cross-realm tickets without a kvno,
which we see as kvno 0. When we see that, try the highest kvno (as we
already do) and then a few preceding kvnos so that key rollover of the
AD->MIT cross TGT can work.
Add new helpers kdc_rd_ap_req, which takes the place of a couple of
steps from kdc_process_tgs_req, and find_server_key, which takes the
place of some of the end steps of kdc_get_server_key.
Code changes by Nicolas Williams. Test cases by me.
Greg Hudson [Sat, 31 Mar 2012 00:38:20 +0000 (00:38 +0000)]
Fix data handling in rd_req_decoded_opt
We shouldn't peer at trans->tr_contents.data[0] if
trans->tr_contents.length is 0, even if the data field is non-null.
Harmless as long as the ASN.1 decoder uses null data fields for empty
krb5_data values, but still wrong.
Greg Hudson [Wed, 28 Mar 2012 21:11:06 +0000 (21:11 +0000)]
Add doc target with configured path substitutions
Add a new target "substhtml" in src/doc to create HTML documentation
with configured paths, suitable for installation by an OS package.
The build target generates a file named paths.py containing the
directory substitutions, copies it into the rst_composite directory,
and instructs conf.py to use it with the "pathsubs" tag.
Greg Hudson [Wed, 28 Mar 2012 21:11:01 +0000 (21:11 +0000)]
Use reference substitutions for paths in docs
For the default doc build (used for the web site and release tarball),
substitute path variables with links to the paths table in
mitK5defaults.rst, using symbolic names for the link text.
The substitution of kdcdir for man pages is slightly altered as a
side-effect of this commit. Regenerate the man pages to match. The
rendered man pages are unchanged.
Greg Hudson [Wed, 28 Mar 2012 02:03:33 +0000 (02:03 +0000)]
Automate RST HTML generation with doxygen info
In src/doc/Makefile.in, create an "rsthtml" target for generating
release tarball/web site HTML docs in doc/rst_html. For now,
eliminate support for the bridge to the Doxygen HTML output; just
generate XML output with Doxygen and convert it to RST format.
Greg Hudson [Tue, 27 Mar 2012 02:32:48 +0000 (02:32 +0000)]
Fix up krb5.hin Doxygen markup somewhat
* Put everything in an enclosing group, so it gets captured even
without EXTRACT_ALL.
* Make sure there's documentation for all constants referenced by
other markup.
* Fix references to the PAC constants.
Greg Hudson [Sat, 24 Mar 2012 14:29:44 +0000 (14:29 +0000)]
Remove krb5-send-pr man page
The license on the krb5-send-pr man page was incompatible with the
rest of our documentation, and the content is questionably up to date
(krb5-send-pr still exists, but we don't use GNATS any more, and
free-form mail to krb5-bugs is equally acceptable at this point). Get
rid of it for now.
Greg Hudson [Fri, 23 Mar 2012 16:27:05 +0000 (16:27 +0000)]
Install path-substituted man pages
Introduce src/doc/Makefile.in, which will eventually subsume
doc/Makefile (but will still pull sources from doc). In the rstman
target there, create man pages with symbolic path references (like
@SBINDIR@). In man/Makefile.in, substitute the path references with
the configured paths before installing.
Man pages generated from RST source are now checked into the source
tree under the name filename.man. This lets us use a single implicit
.man.sub rule for the path substitutions.
Greg Hudson [Thu, 22 Mar 2012 14:07:44 +0000 (14:07 +0000)]
Suppress some gcc uninitialized variable warnings
ticket: 7107
gcc 4.6.2 reportedly finds some spurious maybe-uninitialized warnings.
Suppress them. Patch from Eray Aslan with some adjustment.
Greg Hudson [Wed, 21 Mar 2012 16:57:05 +0000 (16:57 +0000)]
Only store master mey list in DAL handle
r24314 (#6778) created a hybrid owernship model for the master key
list, with one virtual copy stored in the DAL handle and one provided
to the caller of krb5_db_fetch_mkey_list. Replace this with a model
where only the DAL handle owns the list, and a caller can get access
to an alias pointer with a new function krb5_db_mkey_list_alias().
Functions which previously accepted the master key list as an input
parameter now expect to find it in the DAL handle.
Greg Hudson [Fri, 16 Mar 2012 13:57:50 +0000 (13:57 +0000)]
Move privileges section in database admin docs
The "Privileges" section in the RST database administration
documentation was tucked away in the middle of a section on principal
operations. Move it out and put it between policy operations and
kdb5_util operations, without changing its content.
(We may want to replace this whole section with a reference to the
appropriate part of the kadmind man page, but that requires a bit of
reconciliation since the kadmind man page doesn't document
restrictions yet.)
Greg Hudson [Fri, 16 Mar 2012 13:57:05 +0000 (13:57 +0000)]
Revise RST install guide client configuration
Stop recommending login.krb5. Remove outdated OSX instructions.
Don't suggest modifying /etc/services as we don't rely on it any more
(and it's generally already done by the OS these days). Add new
guidance for krb5.conf settings.
Greg Hudson [Wed, 14 Mar 2012 21:06:01 +0000 (21:06 +0000)]
Add plugin configuration documentation
In the RST admin guide, add a page for host configuration, and include
a subsection on registering, enabling, and disabling plugin modules.
For now, do not cover the private KDB and authdata plugin interfaces.
Greg Hudson [Wed, 14 Mar 2012 19:55:49 +0000 (19:55 +0000)]
Add config file section in RST user guide
Move the .k5identity and .k5login man pages to a separate section from
user commands. Also, kadmin.local and k5srvutil are not user-oriented
commands, so don't link to them in the user_commands index.
Greg Hudson [Wed, 14 Mar 2012 19:55:44 +0000 (19:55 +0000)]
Remove user_appl section in RST docs
The user_appl directory contained documentation for krb5_appl programs
which have largely been subsumed by ssh, for ksu (essentially
duplicating the ksu man page), and for ssh (a stub). Get rid of the
whole thing for now; we can add an ssh section back into the user
guide when we have more written about it.
Greg Hudson [Mon, 12 Mar 2012 20:24:45 +0000 (20:24 +0000)]
Edit RST admin guide for clarity and accuracy
Some more notable changes include:
* plugin development is a top-level guide, so remove the advanced
topic page in the admin guide.
* Remove krb5-appl references in firewall configuration section.
* Remove dns.rst since it was only referenced from a man page (which
doesn't work) and just contained a pair of links, one of which was
to the immediately preceding section.
* Don't document TXT record support as if it were supported in the
default build. It can be documented in an appendix.
* A couple of troubleshooting segments gave very
specifically-applicable advice based on general error messages, or
described problems which were fixed several releases ago.
Greg Hudson [Thu, 8 Mar 2012 22:38:58 +0000 (22:38 +0000)]
Add pluggable interface RST documentation
Create a new top-level section for plugin module developers. Document
the general conventions for pluggable interfaces and an overview of
each existing interface (except for GSSAPI mechanisms).
Since we're not currently generating doxygen markup for plugin
interface headers, refer to header files for detail-level
documentation for now.
Greg Hudson [Thu, 8 Mar 2012 00:37:47 +0000 (00:37 +0000)]
Properly decode etype-info2 with no salt
The data-driven decoder for etype-info2 was neglecting to call
init_no_salt() when no salt is present in the encoding. Add in the
missing call. Also add decode test cases for etype-info2, which would
have caught this if they weren't missing.
Greg Hudson [Wed, 7 Mar 2012 18:02:29 +0000 (18:02 +0000)]
Document KDC settings in kdc.conf manual
Move the documentation for the [logging], [dbdefaults], and
[dbmodules] sections and the database_module tag in kdc.conf rather
than krb5.conf, now that (as of r18009, aka #3761, which went into
krb5 1.5) KDC settings can be placed in either file.
projects / thirdparty / krb5.git / log
