We provide a "derived key" mechanism to allow wildcard princs

In order to support certain use cases, we implement a mechanism to
allow wildcard principals to be defined and for the KDC to issue
tickets for said principals by deriving a key for them from a
cluster master entry in the HDB.

The way that this works is we define an entry of the form:

	WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/<hostname>@REALM

When reading from the Kerberos DB, if we can't find an entry for
what looks like a hostbased principal, then we will attempt to
search for a principal of the above form chopping name components
off the front as we search.

If we find an entry, then we derive keys for it by using
krb5_crypto_prfplus() with the entry's key and the principal name
of the request.
Roland C. Dowdeswell
2019-06-12 18:33:10 +01:00
committed by Roland C. Dowdeswell
parent d6337ebdce
commit 366b787917
3 changed files with 187 additions and 10 deletions
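The lookup and derivation described in the commit message, as an added illustration that is not Heimdal's code: the entry-name prefix comes from the message, while the minimum-dots bound (assumed here to be what `derived_keys_ndots` configures), the order of candidates (full hostname first) and the HMAC stand-in for `krb5_crypto_prfplus()` are assumptions.

```python
import hashlib
import hmac

# Prefix of the cluster master entry named in the commit message.
PREFIX = "WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/"


def candidate_names(principal, ndots):
    """Return the derived-key entry names to try for 'service/host@REALM'.

    Hostname labels are chopped off the front one at a time.  ndots is the
    minimum number of dots a candidate hostname must keep (assumed meaning of
    the derived_keys_ndots setting); candidates below it are not tried.
    """
    name, realm = principal.rsplit("@", 1)
    if "/" not in name:          # not host-based: nothing to derive from
        return []
    _service, host = name.split("/", 1)
    labels = host.split(".")
    out = []
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand.count(".") < ndots:
            break
        out.append(f"{PREFIX}{cand}@{realm}")
    return out


def find_derived_entry(hdb, principal, ndots):
    """Direct lookup first; on a miss, walk the candidate list in order."""
    if principal in hdb:
        return principal, hdb[principal]
    for cand in candidate_names(principal, ndots):
        if cand in hdb:
            return cand, hdb[cand]
    return None


def derive_key(master_key, principal):
    """Stand-in KDF: HMAC-SHA256(master, principal).  Kerberos uses
    krb5_crypto_prfplus() here; this is only a deterministic placeholder."""
    return hmac.new(master_key, principal.encode(), hashlib.sha256).digest()


# Constructed sample HDB: one cluster master entry for example.com.
SAMPLE_HDB = {PREFIX + "example.com@EXAMPLE.COM": b"\x01" * 32}

if __name__ == "__main__":
    hit = find_derived_entry(SAMPLE_HDB, "host/a.b.example.com@EXAMPLE.COM", 1)
    print(hit[0], derive_key(hit[1], "host/a.b.example.com@EXAMPLE.COM").hex())
```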


@@ -96,6 +96,9 @@ typedef struct krb5_kdc_configuration {
const char *kx509_template;
const char *kx509_ca;
krb5_boolean enable_derived_keys;
int derived_keys_ndots;
} krb5_kdc_configuration;
struct krb5_kdc_service {
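Review bot: the two new fields added to `krb5_kdc_configuration` (`krb5_boolean enable_derived_keys;` and `int derived_keys_ndots;`) carry no comment, so a reader of the header cannot tell what `derived_keys_ndots` bounds: whether it is the minimum number of dots a candidate hostname must keep as the search chops components off the front, or the maximum number that may be removed, and which value (0? -1?) means no limit. Suggest a one-line comment on each field stating its meaning and default, e.g. `int derived_keys_ndots; /* minimum dots a derived-key hostname must keep */`, since misreading this bound decides which cluster master entry can mint keys for a given host.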