hdb: consolidate preauth audit event types

Instead of having distinct preauth success/failure events for different
mechanisms, have a single event; the mechanism can be disambiguated by querying
the HDB_REQUEST_KV_PA_NAME key.

Note: there is still an explicit event for long-term key-based success/failure
in order to help the backend implement lockout.

Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
than in each mechanism. Success is still audited in the mechanism to allow
client pre-authentication success to be noted even if something subsequent
(e.g. encoding a reply, memory allocation) fails. The generic catch-all for
success remains.
Luke Howard
2022-01-05 09:42:03 +11:00
parent 68c4fd6572
commit 06f8985c55
2 changed files with 16 additions and 27 deletions


@@ -91,16 +91,11 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_AUTH_EVENT_CLIENT_UNKNOWN 2 /* client unknown */
#define HDB_AUTH_EVENT_CLIENT_LOCKED_OUT 3 /* client locked out */
#define HDB_AUTH_EVENT_CLIENT_TIME_SKEW 4 /* client time skew */
#define HDB_AUTH_EVENT_LTK_PREAUTH_FAILED 5 /* long term key preauth failed */
#define HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED 6 /* long term key preauth succeeded */
#define HDB_AUTH_EVENT_PKINIT_SUCCEEDED 7 /* PKINIT preauth succeeded */
#define HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED 8 /* PKINIT cert not authorized */
#define HDB_AUTH_EVENT_PKINIT_FAILED 9 /* PKINIT preauth succeeded */
#define HDB_AUTH_EVENT_GSS_PA_SUCCEEDED 10 /* GSS preauth succeeded */
#define HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED 11 /* GSS preauth mapping failed */
#define HDB_AUTH_EVENT_GSS_PA_FAILED 12 /* GSS preauth failed */
#define HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED 13 /* unknown preauth failed */
#define HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED 14 /* unknown preauth succeeded */
#define HDB_AUTH_EVENT_WRONG_LONG_TERM_KEY 5 /* PA failed to validate long term key */
#define HDB_AUTH_EVENT_VALIDATED_LONG_TERM_KEY 6 /* PA validated long term key */
#define HDB_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED 7 /* couldn't map GSS/PKINIT name to principal */
#define HDB_AUTH_EVENT_PREAUTH_FAILED 8 /* generic PA failure */
#define HDB_AUTH_EVENT_PREAUTH_SUCCEEDED 9 /* generic (non-long term key) PA success */
/*
* Audit keys to be queried using heim_audit_getkv(). There are other keys
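Review bot: the replacement definitions at the end of this hunk reuse the numeric values 5 through 9 for events with different meanings from the removed ones (for example, 7 was HDB_AUTH_EVENT_PKINIT_SUCCEEDED and is now HDB_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED), so a backend compiled against the previous hdb.h would silently misinterpret events it receives; if out-of-tree backends consume this header, either continue numbering from 15 or state the ABI break explicitly in the commit message. The comments on HDB_AUTH_EVENT_PREAUTH_FAILED and HDB_AUTH_EVENT_PREAUTH_SUCCEEDED should also name the disambiguation key the commit message relies on, e.g. `/* generic PA failure; mechanism available via HDB_REQUEST_KV_PA_NAME */`, since that is the only way a backend can now tell PKINIT, GSS and other mechanisms apart.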