add possible to set rules on what enctypes to use based on glob matching on principal
@@ -469,6 +469,39 @@ out:
|
||||
return (rc);
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
|
||||
static char **
|
||||
glob_rules_keys(krb5_context context, krb5_const_principal principal)
|
||||
{
|
||||
const krb5_config_binding *list;
|
||||
krb5_principal pattern;
|
||||
krb5_error_code ret;
|
||||
|
||||
list = krb5_config_get_list(context, NULL, "kadmin",
|
||||
"default_key_rules", NULL);
|
||||
if (list == NULL)
|
||||
return NULL;
|
||||
|
||||
while (list) {
|
||||
if (list->type == krb5_config_string) {
|
||||
ret = krb5_parse_name(context, list->name, &pattern);
|
||||
if (ret == 0) {
|
||||
ret = krb5_principal_match(context, principal, pattern);
|
||||
krb5_free_principal(context, pattern);
|
||||
if (ret) {
|
||||
return krb5_config_get_strings(context, list,
|
||||
list->name, NULL);
|
||||
}
|
||||
}
|
||||
}
|
||||
list = list->next;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Generate the `key_set' from the [kadmin]default_keys statement. If
|
||||
* `no_salt' is set, salt is not important (and will not be set) since
|
||||
@@ -498,6 +531,9 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
|
||||
return ret;
|
||||
|
||||
ktypes = ks_tuple_strs;
|
||||
if (ktypes == NULL) {
|
||||
ktypes = glob_rules_keys(context, principal);
|
||||
}
|
||||
if (ktypes == NULL) {
|
||||
config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
|
||||
"default_keys", NULL);
|
||||
|
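Review bot: The list returned by glob_rules_keys() in the second hunk is stored only in ktypes, while the default_keys path stores its allocation in config_ktypes, so if the cleanup later in hdb_generate_key_set (outside this hunk) frees only config_ktypes, the rule-derived list that krb5_config_get_strings() allocated leaks on every call that matches a rule; storing it the same way, `config_ktypes = glob_rules_keys(context, principal);` followed by `ktypes = config_ktypes;`, keeps a single owner for both sources. In glob_rules_keys() (first hunk), a rule whose pattern fails krb5_parse_name() (ret != 0) is skipped with no diagnostic, so a typo in a default_key_rules entry silently falls back to [kadmin]default_keys and may select different, possibly weaker, enctypes than the operator intended; the parse failure should at least be logged, and the empty comment block above the function could state the precedence that the man page does not, e.g. `/* Rules are tried in config order; the first pattern that matches wins. Unparsable patterns are skipped. */`. hdb_generate_key_set's body starts and ends outside the hunk.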
@@ -614,13 +614,20 @@ The Kerberos 5 salt
|
||||
The Kerberos 4 salt
|
||||
.Va des:pw-salt:
|
||||
.El
|
||||
.It Li default_key_rules = Va {
|
||||
.Bl -tag -width "xxx" -offset indent
|
||||
.It Va globing-rule Li = Va keytypes...
|
||||
a globbing rule to matching a principal, and when true, use the
|
||||
keytypes as specified the same format as [kadmin]default_keys .
|
||||
.El
|
||||
.It Li }
|
||||
.El
|
||||
.It Li use_v4_salt = Va BOOL
|
||||
When true, this is the same as
|
||||
.Pp
|
||||
.Va default_keys = Va des3:pw-salt Va v4
|
||||
.Pp
|
||||
and is only left for backwards compatibility.
|
||||
.El
|
||||
.It Li [password_quality]
|
||||
Check the Password quality assurance in the info documentation for
|
||||
more information.
|
||||
@@ -666,6 +673,10 @@ configuration file for Kerberos 5.
|
||||
kdc = FILE:/var/heimdal/kdc.log
|
||||
kdc = SYSLOG:INFO
|
||||
default = SYSLOG:INFO:USER
|
||||
[kadmin]
|
||||
default_key_rules = {
|
||||
*/ppp@* = arcfour-hmac-md5:pw-salt
|
||||
}
|
||||
.Ed
|
||||
.Sh DIAGNOSTICS
|
||||
Since
|
||||
|