oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
27,948 Commits 4 Branches 2 Tags
1d07f0835181eaa83859e5ae40928e71c77b81da
Commit Graph

67 Commits

Author SHA1 Message Date
Jeffrey Altman 34bf7ae162 kadmind: don't send bogus keys to ext_keytab et al 
The Heimdal kadmind sends bogus keys when the client has 'get'
but not 'get-keys' permission.  For some kadmin commands this is
dangerous.  For example, ext_keytab could happily write bogus
keys to a keytab when real keys are expected, causing eventual
breakage.  Sending bogus keys is important for the kadmin get
command: so it can list the keysets that a principal has.

This patch implements a heuristic detection of kadmin get vs.
ext_keytab, add_enctype, del_enctype, and check commands.  If the
client principal lacks 'get-keys' permission, then the server
will fail requests that appear to be from those kadmin commands,
but will continue to serve bogus keys to kadmin get commands.

Thanks to Nico Williams for the idea behind this implementation.
 2015-03-16 11:03:58 -05:00
Jeffrey Altman 6043cc8c88 kadmind: check for KADM5_PRIV_GET when op GET 
When performing a permission check for a GET operation the
KADM5_PRIV_GET_KEYS privilege should not be assumed to be a pure
superset of KADM5_PRIV_GET.  If the "get" permission is denied the
user cannot get an entry with or without key data.
 2015-03-16 10:47:16 -05:00
Love Hörnquist Åstrand 63672067ea add nob for [kadmin]allow_self_change_password 2011-07-30 12:34:40 -07:00
Nicolas Williams 11c54cd6c8 Protect against negative n_ks_tuple values and against randkey returning negative n_keys 2011-07-24 11:08:58 -05:00
Nicolas Williams 0d90e0c4d0 Complete --keepold support and fix crasher in kadmin cpw -r --keepold. 2011-07-22 16:07:06 -05:00
Nicolas Williams 2510d2d8fc Oops, reverse sense of get-keys check... 2011-07-22 16:07:06 -05:00
Nicolas Williams f15745c60c Forgot to save edits to kadmin/server.c to use the new get-keys authorization. 2011-07-22 16:07:06 -05:00
Nicolas Williams e8e314bbb1 Beginning of another new kadm5 function. Need to switch branches for a bit. 2011-07-22 16:04:52 -05:00
Nicolas Williams 6e04b05e9d Initial support for kadm5_randkey_principal_3(), needed by krb5_admin. 
NOT TESTED YET.
 2011-07-22 16:04:52 -05:00
Love Hörnquist Åstrand 277bec06e7 simplify error printing, context contains error 2011-06-14 07:11:43 -07:00
Love Hornquist Astrand f5f9014c90 Warning fixes from Christos Zoulas 
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
 2011-04-29 20:25:05 -07:00
Love Hornquist Astrand 433b1d5073 drop RCSID 2010-03-16 12:52:58 -07:00
Love Hornquist Astrand be73fa4687 use krb5_socket_t 2009-12-23 14:12:38 +01:00
Asanka Herath a1942c1bad Use SOCKET data type instead of ints for sockets in kadmin 
Also use the new mini_inetd() API
 2009-11-24 10:17:51 -08:00
Love Hornquist Astrand 57faf165a0 [HEIMDAL-646] malloc(0) checks for AIX 2009-10-11 18:03:22 -07:00
Love Hornquist Astrand 8490e8fd34 make compile 2009-07-30 13:04:30 +02:00
Love Hornquist Astrand 3af78ea3fb out of memory [CID-63] 2009-07-30 12:53:50 +02:00
Love Hornquist Astrand 330fd7645d Always ask for principal (KADM5_PRINCIPAL) 
The protocol for "get principal" does not support not sending
principal, so when the caller doesn't add KADM5_PRINCIPAL to the mask,
lets add it for them.

Reported by Henry.B.Hotz@jpl.nasa.gov in [HEIMDAL-588]
 2009-07-19 21:01:20 -07:00
Love Hörnquist Åstrand e147d3fba4 use kadm5_s_init_with_password_ctx 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24548 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-30 16:48:46 +00:00
Love Hörnquist Åstrand 8d16bb0b68 add support for add,get,delete,chrand for the MIT kadmin protocol 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24240 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2009-01-11 21:42:02 +00:00
Love Hörnquist Åstrand 6937d41a02 remove trailing whitespace 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand e172367898 switch to utf8 encoding of all files 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand 9056a3263a revert previous 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17611 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2006-06-02 22:10:21 +00:00
Love Hörnquist Åstrand d782cd55c5 Less shadowing. 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17609 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2006-06-01 21:04:42 +00:00
Love Hörnquist Åstrand 59fa02a897 (kadm_get_privs): one less "pointer targets in passing argument differ 
in signedness" warning.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17511 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2006-05-08 13:40:58 +00:00
Love Hörnquist Åstrand 2a6831b56c (kadmind_dispatch): case kadm_rename, free princ2 on acl check failure. 
Coverity, NetBSD CID#1911


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17014 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2006-04-07 22:00:57 +00:00
Love Hörnquist Åstrand 8acefbf5a0 Update (c). 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15905 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2005-08-11 17:12:13 +00:00
Love Hörnquist Åstrand e478a72278 Avoid shadowing exp(). 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15893 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2005-08-11 13:53:24 +00:00
Johan Danielsson 2450e7b7f8 nuke kerberos 4 kadmin goo 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13845 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2004-05-13 17:46:20 +00:00
Love Hörnquist Åstrand 84a8e5c39a (kadmind_dispatch): kadm_chpass: require the password to pass the 
password quality check in case the user changes the user's own password
kadm_chpass_with_key: disallow the user to change it own password to a
key, since that password might violate the password quality check.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11626 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2003-01-29 12:33:05 +00:00
Johan Danielsson fed79b33b9 add option to disable kerberos 4 kadmin 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11489 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2002-10-21 13:21:24 +00:00
Johan Danielsson 120c4c61a0 constify match_appl_version() 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11437 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2002-09-10 19:23:28 +00:00
Jacques A. Vidrine 1d61dd312f While decoding arguments for kadm_chpass_with_key, sanity check the 
number of keys given: must be non-negative, small enough that it is
not truncated when stuffed into an int16_t for kadm5_free_key_data,
and small enough to avoid integer overflow when calculating the memory
required for the keys themselves.

XXX Why does kadm5_free_key_data use int16_t?


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11415 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2002-09-09 14:40:08 +00:00
Johan Danielsson 4fa94362ee fix for storage change 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11021 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2002-05-24 15:23:43 +00:00
Johan Danielsson e18c7ab0f7 typo 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10387 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2001-07-23 13:46:47 +00:00
Assar Westerlund 9fcec97d9e (kadmind_loop): send in keytab to v4 handling function 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9065 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-09-19 12:46:01 +00:00
Assar Westerlund f46be87764 (handle_v5): do not try to perform stupid stunts when printing errors 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9014 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-08-27 05:48:18 +00:00
Assar Westerlund ef5c76e232 (handle_v5): accept any kadmin/admin@* principal as the server 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8973 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-08-18 05:18:34 +00:00
Johan Danielsson be27bbbffe (v5_loop): check for termination 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8740 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-07-21 23:29:24 +00:00
Johan Danielsson be4807afef use krb5_read_priv_message; (v5_loop): check for EOF 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8736 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-07-21 23:12:25 +00:00
Johan Danielsson eb685752f6 (v5_loop): use krb5_{read,write}_priv_message 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8686 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-07-17 16:12:00 +00:00
Assar Westerlund ad081120c4 adapt to new acl stuff 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8352 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-06-07 11:14:44 +00:00
Assar Westerlund 91b6bc6386 (kadmind_dispatch): add kadm_chpass_with_key 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8054 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-03-23 22:54:53 +00:00
Assar Westerlund da845c115c check initial flag in ticket and allow users to change their own 
password if it's set


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7708 ec53bebd-3082-4978-b11e-865c3cabbd6b
 2000-01-02 03:58:45 +00:00
Johan Danielsson c5b916ca6f remove advertising clause 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7464 ec53bebd-3082-4978-b11e-865c3cabbd6b
 1999-12-02 17:05:13 +00:00
Assar Westerlund a2fc2d4b7c initial ? 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7382 ec53bebd-3082-4978-b11e-865c3cabbd6b
 1999-11-13 20:33:41 +00:00
Johan Danielsson 30fffdb6bd cope with old clients 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7337 ec53bebd-3082-4978-b11e-865c3cabbd6b
 1999-11-09 18:05:02 +00:00
Johan Danielsson ff4739d93c (handle_v5): give more informative message if KRB5_KT_NOTFOUND 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6885 ec53bebd-3082-4978-b11e-865c3cabbd6b
 1999-08-27 09:23:26 +00:00
Assar Westerlund ab1f32ffef (v5_loop): use correct error code 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6864 ec53bebd-3082-4978-b11e-865c3cabbd6b
 1999-08-24 23:27:10 +00:00
Assar Westerlund 07da4391d7 (v5_loop, kadmind_loop): more error checking and more correct error 
messages


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6826 ec53bebd-3082-4978-b11e-865c3cabbd6b
 1999-08-16 12:45:03 +00:00