We provide a "derived key" mechanism to allow wildcard princs
In order to support certain use cases, we implement a mechanism that allows wildcard principals to be defined and lets the KDC issue tickets for those principals by deriving a key for them from a cluster master entry in the HDB. This works as follows: we define an entry of the form WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/<hostname>@REALM. When reading from the Kerberos DB, if we cannot find an entry for what looks like a host-based principal, we attempt to search for a principal of the above form, chopping name components off the front as we search. If we find an entry, we derive keys for it by using krb5_crypto_prfplus() with the entry's key and the principal name of the request.
This commit is contained in:

committed by
Roland C. Dowdeswell

parent
d6337ebdce
commit
366b787917
@@ -68,6 +68,8 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->db = NULL;
c->num_db = 0;
c->logf = NULL;
c->enable_derived_keys = FALSE;
c->derived_keys_ndots = 2;
c->num_kdc_processes =
krb5_config_get_int_default(context, NULL, c->num_kdc_processes,
@@ -261,6 +263,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
0,
"kdc", "pkinit_dh_min_bits", NULL);
c->enable_derived_keys =
krb5_config_get_bool_default(context, NULL, c->enable_derived_keys,
"kdc", "enable_derived_keys", NULL);
c->derived_keys_ndots =
krb5_config_get_int_default(context, NULL, c->derived_keys_ndots,
"kdc", "derived_keys_ndots", NULL);
*config = c;
return 0;
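Review bot: The value read into `c->derived_keys_ndots` from `[kdc] derived_keys_ndots` is stored with no range check, so a zero or negative setting leaves krb5_kdc_get_config unvalidated and reaches whatever consumes it. From the description this knob appears to bound how many leading name components the derived-key lookup may strip before giving up; if the lookup honours a very small value, one WELLKNOWN/DERIVED-KEY entry placed high in the name hierarchy could derive keys for every host beneath it, so the lower bound is worth enforcing here rather than trusting the lookup code, which is not in this hunk. A guard such as `if (c->derived_keys_ndots < 1) c->derived_keys_ndots = 1;` with the comment `/* keep at least one domain label: lower values would let a single derived-key entry cover an entire top-level domain */` — or a logged hard failure, if the project prefers rejecting bad configuration — would make the invariant explicit, and the meaning of the default set at the first hunk's `c->derived_keys_ndots = 2;` should be documented next to it. The feature itself defaults to `enable_derived_keys = FALSE`, which is the right default for an opt-in key-derivation path.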