diff --git a/lib/hdb/keys.c b/lib/hdb/keys.c
index 3c99c15a9..a82407ad8 100644
--- a/lib/hdb/keys.c
+++ b/lib/hdb/keys.c
@@ -469,6 +469,39 @@ out:
 return (rc);
 }
+/*
+ *
+ */
+
+static char **
+glob_rules_keys(krb5_context context, krb5_const_principal principal)
+{
+ const krb5_config_binding *list;
+ krb5_principal pattern;
+ krb5_error_code ret;
+
+ list = krb5_config_get_list(context, NULL, "kadmin",
+ "default_key_rules", NULL);
+ if (list == NULL)
+ return NULL;
+
+ while (list) {
+ if (list->type == krb5_config_string) {
+ ret = krb5_parse_name(context, list->name, &pattern);
+ if (ret == 0) {
+ ret = krb5_principal_match(context, principal, pattern);
+ krb5_free_principal(context, pattern);
+ if (ret) {
+ return krb5_config_get_strings(context, list,
+ list->name, NULL);
+ }
+ }
+ }
+ list = list->next;
+ }
+ return NULL;
+}
+
 /*
 * Generate the `key_set' from the [kadmin]default_keys statement. If
 * `no_salt' is set, salt is not important (and will not be set) since
@@ -498,6 +531,9 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
 return ret;
 ktypes = ks_tuple_strs;
+ if (ktypes == NULL) {
+ ktypes = glob_rules_keys(context, principal);
+ }
 if (ktypes == NULL) {
 config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
 "default_keys", NULL);
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 1c76d973c..7398deaf1 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
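Review bot: The comment block added above `glob_rules_keys` is empty, so the function's contract goes undocumented; I would fill it with: it walks `[kadmin]default_key_rules` in configuration order, returns the `krb5_config_get_strings` result for the first rule whose glob matches `principal` (allocated, to be released with `krb5_config_free_strings`), and returns NULL when the section is absent or nothing matches. The same comment should state that a rule whose pattern fails `krb5_parse_name` is skipped with no diagnostic, which means a typo in a rule silently drops the principal to the `default_keys` fallback — emitting a `krb5_warnx` at that `ret != 0` point would make such a misconfiguration visible instead of weakening keys quietly. Minor style point: `ret` is declared `krb5_error_code` but also receives the `krb5_boolean` from `krb5_principal_match`; a separate `krb5_boolean match` would read more honestly.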
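Review bot: The list returned by `glob_rules_keys` is heap-allocated by `krb5_config_get_strings`, yet the new lines store it only in `ktypes`, unlike the `default_keys` branch just below which records its allocation in `config_ktypes`; if the cleanup at the end of `hdb_generate_key_set` frees only `config_ktypes` (the function's end lies outside this hunk, so this is inferred), every call that hits a matching rule leaks the strings. Routing the result through the same variable, `config_ktypes = ktypes = glob_rules_keys(context, principal);`, would put it on the existing release path without changing the fallback logic. The function's signature is also outside the hunk.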
@@ -614,13 +614,20 @@ The Kerberos 5 salt
 The Kerberos 4 salt
 .Va des:pw-salt:
 .El
+.It Li default_key_rules = Va {
+.Bl -tag -width "xxx" -offset indent
+.It Va globing-rule Li = Va keytypes...
+a globbing rule to matching a principal, and when true, use the
+keytypes as specified the same format as [kadmin]default_keys .
+.El
+.It Li }
+.El
 .It Li use_v4_salt = Va BOOL
 When true, this is the same as
 .Pp
 .Va default_keys = Va des3:pw-salt Va v4
 .Pp
 and is only left for backwards compatibility.
-.El
 .It Li [password_quality]
 Check the Password quality assurance in the info documentation for more
 information.
@@ -666,6 +673,10 @@ configuration file for Kerberos 5.
 kdc = FILE:/var/heimdal/kdc.log
 kdc = SYSLOG:INFO
 default = SYSLOG:INFO:USER
+[kadmin]
+ default_key_rules = {
+ */ppp@* = arcfour-hmac-md5:pw-salt
+ }
 .Ed
 .Sh DIAGNOSTICS
 Since
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 4624e9bbd..f54e669fe 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -158,6 +158,9 @@ ${kadmin} add -p foo --use-defaults remove@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
+${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
+${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
+${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
 ${kadmin} add -p foo --use-defaults ${ps} || exit 1
 ${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
 ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
@@ -233,6 +236,22 @@ for a in ${enctype_sans_des3} ; do
 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
 done
+echo "checking globbing keys rules"
+${kadmin} get foo/des3-only@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
+if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then
+ echo "des3 only is not only des3: $enctypes"
+ exit 1
+fi
+
+${kadmin} get foo/aes-only@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
+if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then
+ echo "aes only is not only aes: $enctypes"
+ exit 1
+fi
+
+
 echo foo > ${objdir}/foopassword
 echo Starting kdc ; > messages.log
diff --git a/tests/kdc/krb5.conf.in b/tests/kdc/krb5.conf.in
index 50920659b..c7895c56c 100644
--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -113,6 +113,10 @@
 [kadmin]
 save-password = true
+ default_key_rules = {
+ */des3-only@* = des3-cbc-sha1:pw-salt
+ */aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+ }
 @dk@
 [capaths]
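Review bot: `bar/des3-only@${R}` is created in the earlier hunk of this file but never inspected here, so the block does not demonstrate that the `*/des3-only@*` glob matches a second first-component; a third `get`/compare for that principal would close the gap. No principal matching neither rule is checked in this block either, so the fall-through to `default_keys` is covered only implicitly by the rest of the script — a comment saying so, or one explicit check, would make the intent clear. Style: the five chained `sed` invocations are repeated verbatim for both principals; a small shell function wrapping `grep Keytypes: | sed -e ... -e ...` would remove the duplication and make the next rule cheaper to add.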