This has most of the features needed to act as a kinit that uses GSS
APIs, specifically gss_acquire_cred_from() and gss_store_cred_into2().
It's missing some functionality, such as being able to drive prompts
from AS responses (if we add minor status codes for representing KDC
pre-auth proposals, then we do drive prompts, but we would have to
encode a lot of mechanism-specific knowledge into gsstool).
The point of this commit is to explore:
- GSS functionality for kinit-like actions
- credential store key/value pairs supported by the mechanisms
- document the credential store key/value pairs (in gsstool.1)
that might lead to further enhancements. But gsstool acquire-cred
is quite functional at this point!

We do a small amount of MIT interop testing in tests/kdc/check-fast.in,
which tests some MIT clients against Heimdal KDCs. This commit adds
more testing via tests/kdc/check-mit-kdc.in, wherein we set up and run
an MIT Kerberos realm and KDCs and test Heimdal clients against it.
- `test_section "..."` replaces `echo "Now we're testing ..."`
- `test_run ...` replaces `... || { ...; eval "testsfailed"; }`
- `test_run not ...` replaces `... && { ...; eval "testsfailed"; }`
`test_section` saves the output of the program and shows it only in the
case of failures.
`test_run` arranges to exit with non-zero status if a test fails.
Use `set -e` to force early exit. Conversely use `set +e` to continue
running the remaining tests when one fails -- this will be very useful
in reducing the number of CI test runs (e.g., GitHub Actions), thus
saving time and money.
This is Claude-generated code, guided by me, with minor corrections.

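One way to implement `test_section` / `test_run` helpers with the behaviour the message above describes. This is an added illustration, not Heimdal's own tests/ code; the `testsfailed`, `section_log` and `test_finish` names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Heimdal's own test code): minimal test_section /
# test_run helpers.  testsfailed, section_log and test_finish are names
# assumed for this illustration only.

testsfailed=0
section_name=""
section_log=""

# test_section "name": begin a named section; program output from its
# tests goes to a temp file that is shown only when a test fails.
test_section() {
    section_name=$1
    if [ -n "$section_log" ]; then rm -f "$section_log"; fi
    section_log=$(mktemp)
}

# test_run [not] cmd args...: run cmd with stdout/stderr captured in the
# section log.  "not" inverts the expectation.  On a mismatch the log is
# dumped, testsfailed is bumped and the function returns 1, so under
# "set -e" the script stops at once and under "set +e" it carries on.
test_run() {
    expect=0
    if [ "$1" = not ]; then expect=1; shift; fi
    [ -n "$section_log" ] || test_section "(no section)"
    if "$@" >>"$section_log" 2>&1; then status=0; else status=1; fi
    if [ "$status" -ne "$expect" ]; then
        echo "FAIL in section '$section_name': $*" >&2
        cat "$section_log" >&2
        testsfailed=$((testsfailed + 1))
        return 1
    fi
    return 0
}

# test_finish: remove the log and return non-zero if any test_run failed,
# so it can be the script's last command and set the exit status.
test_finish() {
    rm -f "$section_log"
    [ "$testsfailed" -eq 0 ]
}

# Constructed demo: one direct and one inverted check, both passing.
test_section "constructed demo"
test_run true
test_run not false
```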
We must switch to OpenSSL 3.x, and getting lib/hcrypto to provide
OpenSSL 3.x APIs is too large an undertaking. Plus the hcrypto backend
is not safe, not secure (probably has timing leaks galore), and no one
has the resources to make it a world-class crypto library, so it just
has to go.

There were cases where we weren't negotiating SANON where we should
have. But we really don't want to overdo it. In particular we really
never ever want a user with expired or absent Kerberos credentials (say)
to accidentally negotiate SANON as that will then lead to authorization
errors down the line, and those would be hard to diagnose as they would
be masking the real issue (expired or absent credentials).
So basically either the user passes GSS_C_ANON_FLAG or (and/or) they
call gss_set_neg_mechs() to explicitly request SANON.
Partly authored by me, partly authored by Claude with heavy human
guidance, and reviewed by me.