The header file was not installed, and the manpage had the wrong
name for the plugin load function, it is "krb5_plugin_kuserok_plugin_load",
not "kuserok_plugin_load".
%{loginname} is for getlogin_r().
Now %{username} uses only the $USER and $LOGNAME environment variables
(if the caller is not set-uid), or if absent or the caller is set-uid,
then getpwuid_r().
The intent is to allow kadmin(1) to use the loginname instead of the
username for the construction of the kadmin client principal name. This
is helpful when the user runs kadmin as root via sudo and/or su.
* Anonymous pkinit responses from the KDC where the name
type is not well-known (as issued by 7.5 KDCs and earlier)
are accepted by the client. There is no need for the client
to strictly enforce the name type.
* With historical_anon_pkinit = true, the kinit(1) client's
"--anonymous" option only performs anon pkinit, and does
not require an '@' prefix for the realm argument.
* With historical_anon_realm = true, the KDC issues anon
pkinit tickets with the legacy pre-7.0 "real" realm.
The Microsoft compiler cannot handle multiple const modifiers
for the same type. It is also unhappy with the output pointer
parameter being declared const.
This change introduces new typedefs and cast of the dlsym() return
type to prevent warnings.
Change-Id: Ia92645efab8d2ec6745339a6f47c690782ae730a
Rename common_plugin_ftable to krb5_plugin_common_ftable.
Create lib/krb5/common_plugin.h to include the structure and typedef.
The common_plugin.h header is now included by ccache_plugin.h
along with a prototype for the required ccache_ops_plugin_load()
function.
Change-Id: I2b27d6d0f5cf0544482c3f01784fef945e12e8d8
As with the krb5plugin_an2ln_ftable_desc, krb5plugin_db_ftable_desc,
and krb5plugin_kuserok_ftable_desc the function pointers in
common_plugin_ftable_desc must be annotated with KRB5_LIB_CALL.
Change-Id: Ia7ea78743ee9eb8c7f6b648063852ca91a360d2c
Only fallback to loading the plugin function table directly if
if the initialization function is not exported. Failing a
consistency check should not permit falling back to a potentially
incompatible function table.
Change-Id: Ic753ed9a090aef6073853f7309f0f8f0f29d0aa9
even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Commit bdcd7d2f moved the KRB5_ANON_MATCH_xxx preprocessor symbols to krb5.h,
but did not remove the originals from krb5_locl.h. This commit removes them.
The combination of 8740528b24
("Windows-compatible sentinel socket type and value") and
d497d7e4a7 ("krb5_sendto_kdc:
failover for multiple AAAA/A RRs on one domain") broke
all the send to kdc loop on Windows. rk_socket_t is
a HANDLE and rk_INVALID_SOCKET is the max value. Therefore,
no valid socket will be larger and all communications
will fail.
Change-Id: I3464f78d67b19f14050ad7a01738fb32bac99385
_krb5_principal_is_anonymous() is used outside lib/krb5 and
therefore it needs to be properly exported and its flag macros
need to be in a public header: krb5.h not krb5_locl.h.
Including krb5_locl.h from within kuser_locl.h for instance
results in build failures on Solaris.
This change renames the function and makes it part of the public
api.
Change-Id: I130d1698b10bdbd150b95e8c7d32dfc362889ce6
RFC8062 Section 7 requires verification of the PA-PKINIT-KX key excahnge
when anonymous PKINIT is used. Failure to do so can permit an active
attacker to become a man-in-the-middle.
Introduced by a1ef548600. First tagged
release Heimdal 1.4.0.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)
Change-Id: I6cc1c0c24985936468af08693839ac6c3edda133
Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
Approved-by: Jeffrey Altman <jaltman@auritor.com>
We found that the libraries behaviour when dealing with domains with
more than one entry in them is slightly suboptimal. The situation
was
kdc1 IN A 1.2.3.4
kdc1 IN AAAA ff02::1
I.e. a single hostmame with both IPv6 and IPv4 addresses. When we
run krb5_sendto_kdc on a box with only IPv4 addresses, there is a
3s delay before it fails back to the IPv4 address. This is because
the library sets the 2nd address on each hostname to be 3s in the
future and each additional one another 3s.
We change wait_response() s.t. if one is able to make progress, we
iterate over the list of hosts and move them all 1s forward. We
also modify submit_request() to skip hosts if host_connect() fails.
Add macros to give symbolic names to the flags which can be passed to
krb5_get_init_creds_opt_set_pkinit(). Reserve flags for BTMM and not validating
KDC anchors.
Add _krb5_principal_is_anonymous() private API for checking if a principal is
anonymous or not. The third argument determines whether to match authenticated
anonymous, unauthenticated anonymous, or both types of principal.
We choose a semantic for the file offset during truncate operations
which is to leave the offset as is unless it is off the end of the
file in which case we pull it back in to the end. We update fd and
stdio handling to match the {,e}mem behaviour.
On 32-bit Windows Intel builds the __cdecl and __stdcall calling
conventions are different so labeling the functions that are
exported or assigned to function pointers matters.
Change-Id: I03b6f34baeb9ffb2e683fd979f12f27a5078a4da
Heimdal declares functions that never return as non-void. Suppress
the following warnings now that functions are labeled 'noreturn'.
4646 - function declared with __declspec(noreturn) has non-void return type
4716 - 'function' must return a value
Change-Id: Id85cc435e99688bae7326a723a5a80d828859bf2
The 'plugin_prefix' variable was declared 'const' which generates
a warning because the C string is freed.
This change removes the 'const' designation.
Change-Id: I6f3838d6dbf1bb496f286c96aea96bae8948930d
Refactor plugin framework to use a single list of loaded plugins; add a new
plugin API where DSOs export a load function that can declare dependencies and
export multiple plugins; refactor kadm5 hook API to use krb5 plugin framework.
More information in krb5-plugin(7).
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
For compatibility with MIT Kerberos, support automatic acquisition of initiator
credentials if a client keytab is available. The default path on non-Windows is
/var/heimdal/user/%{euid}/client.keytab, but can be overriden with the
KRB5_CLIENT_KTNAME environment variable or the default_client_keytab_name
configuration option. If a client keytab does not exist, or exists but does not
contain the principal for which initiator credentials are being acquired, the
system keytab is tried.
