add possible to set rules on what enctypes to use based on glob matching on principal

lib/hdb/keys.c

@@ -469,6 +469,39 @@ out:
 	return (rc);
 }
 
+/*
+ *
+ */
+
+static char **
+glob_rules_keys(krb5_context context, krb5_const_principal principal)
+{
+    const krb5_config_binding *list;
+    krb5_principal pattern;
+    krb5_error_code ret;
+
+    list = krb5_config_get_list(context, NULL, "kadmin",
+				"default_key_rules", NULL);
+    if (list == NULL)
+	return NULL;
+
+    while (list) {
+	if (list->type == krb5_config_string) {
+	    ret = krb5_parse_name(context, list->name, &pattern);
+	    if (ret == 0) {
+		ret = krb5_principal_match(context, principal, pattern);
+		krb5_free_principal(context, pattern);
+		if (ret) {
+		    return krb5_config_get_strings(context, list, 
+						   list->name, NULL);
+		}
+	    }
+	}
+	list = list->next;
+    }
+    return NULL;    
+}
+
 /*
  * Generate the `key_set' from the [kadmin]default_keys statement. If
  * `no_salt' is set, salt is not important (and will not be set) since
@@ -498,6 +531,9 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
 	    return ret;
 
     ktypes = ks_tuple_strs;
+    if (ktypes == NULL) {
+	ktypes = glob_rules_keys(context, principal);
+    }
     if (ktypes == NULL) {
 	config_ktypes = krb5_config_get_strings(context, NULL, "kadmin",
 						"default_keys", NULL);

lib/krb5/krb5.conf.5

@@ -614,13 +614,20 @@ The Kerberos 5 salt
 The Kerberos 4 salt
 .Va des:pw-salt:
 .El
+.It Li default_key_rules = Va {
+.Bl -tag -width "xxx" -offset indent
+.It Va globing-rule Li = Va keytypes...
+a globbing rule to matching a principal, and when true, use the
+keytypes as specified the same format as [kadmin]default_keys .
+.El
+.It Li }
+.El
 .It Li use_v4_salt = Va BOOL
 When true, this is the same as
 .Pp
 .Va default_keys = Va des3:pw-salt Va v4
 .Pp
 and is only left for backwards compatibility.
-.El
 .It Li [password_quality]
 Check the Password quality assurance in the info documentation for
 more information.
@@ -666,6 +673,10 @@ configuration file for Kerberos 5.
 	kdc = FILE:/var/heimdal/kdc.log
 	kdc = SYSLOG:INFO
 	default = SYSLOG:INFO:USER
+[kadmin]
+	default_key_rules = {
+		*/ppp@* = arcfour-hmac-md5:pw-salt
+	}
 .Ed
 .Sh DIAGNOSTICS
 Since

tests/kdc/check-kdc.in

@@ -158,6 +158,9 @@ ${kadmin} add -p foo --use-defaults remove@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
 ${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
+${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
+${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
+${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
 ${kadmin} add -p foo --use-defaults ${ps} || exit 1
 ${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
 ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
@@ -233,6 +236,22 @@ for a in ${enctype_sans_des3} ; do
    ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
 done
 
+echo "checking globbing keys rules"
+${kadmin} get foo/des3-only@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
+if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then
+    echo "des3 only is not only des3: $enctypes"
+    exit 1
+fi
+
+${kadmin} get foo/aes-only@${R} > tempfile || exit 1
+enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'`
+if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then
+    echo "aes only is not only aes: $enctypes"
+    exit 1
+fi
+
+
 echo foo > ${objdir}/foopassword
 
 echo Starting kdc ; > messages.log

tests/kdc/krb5.conf.in

@@ -113,6 +113,10 @@
 
 [kadmin]
 	save-password = true
+	default_key_rules = {
+		*/des3-only@* = des3-cbc-sha1:pw-salt
+		*/aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+	}
 	@dk@
 
 [capaths]