654 Commits

Author SHA1 Message Date
Minsoo Choo
aff90c322e Fix spelling 2024-06-16 23:30:48 -04:00
Nicolas Williams
7812c17f95 doc: Document KRB5CCNAME and KRB5_KTNAME 2023-05-26 13:24:06 -05:00
Nicolas Williams
8423016920 doc: Fix dvi/pdf/ps build 2022-12-19 17:54:11 -06:00
Sergei Trofimovich
254e40294e doc: add dependency on vars.texi
Noticed missing target directory dependency as a build failure in
`make --shuffle` mode (added in https://savannah.gnu.org/bugs/index.php?62100):

    Making all in doc
    make[1]: Entering directory '/build/heimdal/doc'
      MAKEINFO hx509.info
    hx509.texi:15: @include: could not find vars.texi
    hx509.texi:31: warning: undefined flag: PACKAGE_VERSION
    hx509.texi:186: warning: undefined flag: PACKAGE_VERSION
    make[1]: *** [Makefile:622: hx509.info] Error 1 shuffle=1656683556

The change moves vars.texi to BUILT_SOURCES to guarantee its
presence when .info files start the build.
2022-09-16 16:13:50 -04:00
Nicolas Williams
c667c28f61 doc: Revert part of 0878a568f9 for Texinfo 5.1
0878a568f9 fixed a warning from Texinfo 6.7:

    doc/whatis.texi:33: warning: redefining Texinfo language command: @sub

but the fix makes the doc build fail w/ Texinfo 5.1.

There may still be other problems when using Texinfo 5.1.
2022-03-23 15:13:36 -05:00
Nicolas Williams
aa04fb0fbe doc: Document principal aliasing in Texinfo docs 2022-03-17 20:43:32 -05:00
Nicolas Williams
f072249d26 doc: Delete doc/kerberos4.texi 2022-03-16 18:24:25 -05:00
Nicolas Williams
a460911b03 doc: Document namespaces and synthetic principals 2022-03-16 17:50:33 -05:00
Nicolas Williams
0878a568f9 doc: Fix Texinfo docs; remove krb4 references 2022-03-16 17:50:33 -05:00
Luke Howard
fe71574be3 doc: add draft-perez-krb-wg-gss-preauth-03.txt
draft-perez-krb-wg-gss-preauth-03.txt documents the version of GSS-API
pre-authentication implemented by Heimdal at the point of this commit.
2021-09-23 19:16:35 +10:00
Luke Howard
be9f26e064 doc: use top-level Wiki URL
Top-level Wiki URL at https://github.com/heimdal/heimdal/wiki is a better
starting point for build instructions.
2021-09-08 12:25:37 +10:00
Luke Howard
686e7905c7 doc: update build instructions URL
h5l.org no longer exists, update build instructions to point to GitHub Wiki

Closes: #773
2021-09-08 12:22:25 +10:00
Luke Howard
49f3f5bd99 kdc: support for GSS-API pre-authentication
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.

More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
2021-08-12 17:37:01 +10:00
Luke Howard
6e3bc8341c doc: make intermediate Windows help directory
The hx509 and heimdal subdirectories are required to exist before
Windows help compilation can proceed.
2021-08-12 16:33:51 +10:00
Nicolas Williams
7f0349e1fb asn1: Import ASN.1 modules from RFCs 4043 and 4108
In preparation for adding support for TPM attestations as an authentication
method in bx509d for a host trust bootstrap mechanism based on TPMs and their
endorsement keys and endorsement key certificates.

The plan is to add support to libhx509 and hxtool for PermanentIdentifier
(RFC4043) and HardwareModuleName (RFC4108) SANs, and then to add a query
parameter to bx509d for passing an attestation and a proof-of-possession
(either CMS or CSR), and add an authorizer plugin call for authorizing a device
manufacturer and serial number to hostname.  Support for TPMs w/o endorsement
key certificates should also be possible based on a digest of the endorsement
key as the "serial number".
2020-12-16 15:11:51 -06:00
Luke Howard
65d7f35047 doc: update to draft-howard-gss-sanon-13.txt 2020-04-27 22:38:19 +10:00
Luke Howard
4a7eb74374 gss: SAnon - the Simple Anonymous GSS-API mechanism
Add support for SAnon, a simple key agreement protocol that provides no
authentication of initiator or acceptor using x25519 ECDH key exchange.
See doc/standardization/draft-howard-gss-sanon-xx.txt for a protocol
description.
2020-04-25 23:19:30 -05:00
Luke Howard
4fb6a6adc9 gss: port NegoEx implementation from MIT
An implementation of draft-zhu-negoex-04 for MIT Kerberos was developed in
2011. This has been recently integrated, with many fixes from Greg Hudson. This
commit ports it to Heimdal. The implementation has been interoperability tested
with MIT Kerberos and Windows, using the GSS EAP mechanism developed as part of
the Moonshot project.

The SPNEGO code was also updated to import the state machine from Apple which
improves mechListMIC processing and avoids discarding initial context tokens
generated during mechanism probing, that can be used for optimistic tokens.

Finally, to aid in testing, the GSS-API mechanism glue configuration file can
be changed using the environment variable GSS_MECH_CONFIG. This environment
variable name, along with the format of the configuration file, is compatible
with MIT (although it would be difficult for a single mechanism binary to
support both implementations).
2020-02-04 17:28:35 +11:00
Nicolas Williams
027941b858 Document Heimdal's PKIX, kx509, bx509
This reverts commit 5c25450e50.
2020-01-02 23:50:59 -06:00
Nicolas Williams
5c25450e50 Revert docs changes for bx509 for now 2019-12-10 14:10:53 -06:00
Nicolas Williams
575c67806b Add bx509d 2019-12-04 21:34:44 -06:00
Nicolas Williams
6a7e7eace6 Add kx509 client and revamp kx509 service
This commit adds support for kx509 in libkrb5, and revamps the KDC's
kx509 service (fixing bugs, adding features).

Of note is that kx509 is attempted optimistically by the client, with
the certificate and private key stored in the ccache, and optionally in
an external PEM or DER file.

NOTE: We do not optimistically use kx509 in krb5_cc_store_cred() if the
      ccache is a MEMORY ccache so we don't generate a key when
      accepting a GSS context with a delegated credential.

kx509 protocol issues to be fixed in an upcoming commit:

 - no proof of possession (this is mostly not too bad, but we'll want to
   fix it by using CSRs)
 - no algorithm agility (only plain RSA is supported)
 - very limited (no way to request any options in regards to the
   requested cert)
 - error codes are not very useful

Things we're adding in this commit:

 - libkrb5 kx509 client
 - automatic kx509 usage hooked in via krb5_cc_store_cred() of start TGT
 - per-realm templates on the KDC side
 - per-realm issuer certificates
 - send error messages on the KDC side
   (this is essential to avoid client-side timeouts on error)
 - authenticate as many error messages
 - add a protocol probe feature so we can avoid generating a
   keypair if the service is not enabled
   (once we add support for ECC algorithms we won't need this
    anymore; the issue is that RSA keygen is slow)
 - support for different types of client principals, not just username:

    - host-based service and domain-based service, each with its own
      template set per-{realm, service} or per-service

   (the idea is to support issuance of server certificates too, not
    just client/user certs)
 - more complete support for SAN types
 - tests (including that PKINIT->kx509->PKINIT works, which makes it
   possible to have "delegation" of PKIX credentials by just delegating
   Kerberos credentials)
 - document the protocol in lib/krb5/kx509.c

Future work:

 - add option for longer-ticket-lifetime service certs
 - add support for ECDSA, and some day for ed25519 and ed448
 - reuse private key when running kinit
   (this will require rethinking how we trigger optimistic kx509
    usage)
 - HDB lookup for:
    - optional revocation check (not strictly necessary)
    - adding to certificates those SANs listed in HDB
       - hostname aliases (dNSName SANs)
       - rfc822Name (email)
       - XMPP SANs
       - id-pkinit-san (a user could have aliases too)
 - support username wild-card A RRs, ala OSKT/krb5_admin
    i.e., if a host/f.q.d.n principal asks for a certificate for
    some service at some-label.f.q.d.n, then issue it
   (this is not needed at OSKT sites because OSKT already
    supports keying such service principals, which means kx509
    will issue certificates for them, however, it would be nice
    to be able to have this independent of OSKT)
   (a better way to do this would be to integrate more of OSKT
    into Heimdal proper)
 - a kx509 command, or heimtools kx509 subcommand for explicitly
   attempting use of the kx509 protocol (as opposed to implicit, as is
   done in kinit via krb5_cc_store_cred() magic right now)

Issues:

 - optimistically trying kx509 on start realm TGT store -> timeout issues!
    - newer KDCs will return errors because of this commit; older ones
      will not, which causes timeouts
    - need a separate timeout setting for kx509 for optimistic case
    - need a [realm] config item and DNS SRV RR lookup for whether a
      realm is expected to support kx509 service
2019-10-08 21:26:50 -05:00
Luke Howard
c6bf100b43 kadm5: move password quality checks out of daemons and into libkadm5
Note that this has a slight behavior change to c89d3f3b in order to continue
to allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.
2018-12-26 11:04:05 -06:00
Luke Howard
c89d3f3b8c kadmin: allow enforcing password quality on admin password change
This patch adds the "enforce_on_admin_set" configuration knob in the
[password_quality] section. When this is enabled, administrative password
changes via the kadmin or kpasswd protocols will be subject to password quality
checks. (An administrative password change is one where the authenticating
principal is different to the principal whose password is being changed.)

Note that kadmin running in local mode (-l) is unaffected by this patch.
2018-12-26 15:38:48 +11:00
Matt Selsky
a2822719e6 Fix typos in setup documentation 2018-04-19 15:54:31 -04:00
Viktor Dukhovni
7c18507ccd Avoid make dist fail when doxyout/ does not exist 2017-03-17 12:47:39 -04:00
Nicolas Williams
fe43be8558 Add include/includedir directives for krb5.conf 2017-02-27 18:15:59 -06:00
Nicolas Williams
3e65dfbc32 Fix make dist missing files (#228) 2016-12-15 12:15:56 -06:00
Viktor Dukhovni
3657f23a9e Fix more doxygen bitrot 2016-12-15 04:28:21 -05:00
Nicolas Williams
2cc59accca Lame patch: expect dot and msgen in /usr/bin 2016-12-14 22:05:59 -06:00
Nicolas Williams
171377acd8 Fix lib/base doxygen control 2016-12-14 22:05:58 -06:00
Nicolas Williams
7aabd73f18 Remove doc/manpage noise files 2016-12-14 22:05:58 -06:00
Nicolas Williams
fa2afcc5fc Add #ifndef DOXY guard to generated headers
cf/make-proto.pl copies Doxygen docs to -private and -protos headers.
We need to either extract these from those files but not source files,
or only from source files but not the generated headers.  This commit
does the latter.
2016-12-14 22:05:58 -06:00
Nicolas Williams
5c2a3cb25a Always build hcrypto 2016-04-15 00:16:16 -05:00
Nicolas Williams
a388514712 Windows: fix two-phase commit docs 2016-02-26 12:08:05 -06:00
Nicolas Williams
7eb9b46f5b Document HDB backends 2016-02-26 00:55:33 -06:00
Nicolas Williams
a5f13331af Appveyor: workaround perl texinfo 2016-01-21 12:43:31 -06:00
Love Hörnquist Åstrand
3544bbc0b3 Update ack.texi 2015-10-06 17:26:27 +02:00
Love Hörnquist Åstrand
434020567a Update copyright.texi
Add Timothy
2015-09-28 10:52:47 +02:00
Love Hörnquist Åstrand
7c86e09dd8 Update ack.texi
Add Timothy
2015-09-28 10:50:38 +02:00
Stefan Metzmacher
20da6cad02 doc/standardisation: add rfc6806.txt
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2015-07-31 17:30:23 +12:00
Luke Howard
5023f55208 Add Windows CNG (BCrypt) support to HCrypto EVP API 2015-02-11 16:00:32 +11:00
Jelmer Vernooij
70e43e9808 Fix some typos. 2014-04-25 02:42:17 +02:00
Ken Dreyer
115f88a3e7 more texinfo 5.1 hacks
For hx509.texi, we need the copyright macros for both html and info.
Just remove the "ifhtml" conditionals.

For whatis.texi, texinfo 5.1 inserts the sub{} macro inline with no
newlines, so there are errors about @html not being at the end of a
line, etc.
2013-08-08 21:27:16 -06:00
Daniel Schepler
a1d7f1f3e3 fix for texinfo 5.1
Signed-off-by: Ken Dreyer <ktdreyer@ktdreyer.com>
2013-08-08 21:27:13 -06:00
Harald Barth
7b4b415fa0 spell-and-gram-proxy-certs
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-26 00:06:07 -07:00
Landon Fuller
6fb9bc86b7 Add a configuration option to enable LDAP Start TLS.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:21:15 -07:00
Landon Fuller
64341e9ec6 Document the new hdb-ldap* configuration options.
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-24 16:21:15 -07:00
Love Hornquist Astrand
1846c7a35d make @iftex case work in texinfo-5.1 2013-04-08 10:15:36 -07:00
Eray Aslan
0e0351776a @end should only appear at a line beginning
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2013-04-08 10:15:36 -07:00