Commit Graph

5483 Commits

Author SHA1 Message Date
Roland C. Dowdeswell
c76e30e90c Document that log level 7 is for tracing. 2019-12-05 00:05:56 -05:00
Roland C. Dowdeswell
fb9a78223c We stop strnvisx(3)ing logs to FILE: by default.
Our logging framework used to strnvisx(3) each and every line
iff it is written to a FILE.  This is often unhelpful because
the line usually contains a number of elements that have already
been quoted and it makes the logs much more difficult to read in
this case.  An example if krb5_unparse_name() which will already
quote most characters that one cares about.

We change the behaviour to simply drop unprintable characters
rather than encoding them.  We thus rely on the rest of the
code to properly encode data elements written into the logs.
2019-12-05 00:05:56 -05:00
Nicolas Williams
575c67806b Add bx509d 2019-12-04 21:34:44 -06:00
Roland C. Dowdeswell
62d13ebf28 lib/krb5/kx509.c: fix memory leak in an error case. 2019-11-26 13:38:17 -06:00
Roland C. Dowdeswell
8ee86db261 Add enforce_ok_as_delegate setting
If this flag is set to true, then GSSAPI credential delegation will
be disabled when the "ok-as-delegate" flag is not set in the service
ticket.
2019-11-20 18:18:57 -05:00
Roland C. Dowdeswell
b5449e6c97 disable test_cc on Windows 2019-11-20 18:14:44 -05:00
Roland C. Dowdeswell
69dd82d33e Stop stuttering in libkrb5-exports.def.in 2019-11-20 18:14:44 -05:00
Nicolas Williams
ba5bb07495 krb5: disable automatic kx509 by default 2019-11-13 18:42:28 -06:00
Roland C. Dowdeswell
84ffa22c93 Add an "EFILE:" target for logging.
This target will write to a file IFF it exists.
2019-11-10 17:47:36 -05:00
Roland C. Dowdeswell
e44c680d8e Make logging path definitions subject to token expansion. 2019-11-10 17:47:36 -05:00
Roland C. Dowdeswell
0c869176f4 Define a token expansion for %{strftime:<string>}. 2019-11-10 17:47:36 -05:00
Nicolas Williams
94bf464f8d krb5: Add krb5_ticket_get_times() 2019-11-02 18:49:42 -05:00
Nicolas Williams
7dc134e410 krb5: Move krb5_plugin_load_t typedef to header 2019-11-02 18:49:42 -05:00
Roland C. Dowdeswell
ba65039586 Lightly document derived key namespaces 2019-10-30 16:31:51 -05:00
Viktor Dukhovni
5bbe7c8dc6 Implement forwarding of leaf TGTs to selected realms.
Refactor and enhance TGT forwarding to allow forwarding of leaf
(destination) TGTs for selected destination realms.

Enhance kinit(1) to renew non-origin realm tickets

Document delegate-destination-tgt

Use the newly implemented _krb5_mk_1cred().
2019-10-30 16:20:58 -05:00
Roland C. Dowdeswell
d81118cc1f Implement krb5_mk_{1,n}cred 2019-10-30 16:20:58 -05:00
Roland C. Dowdeswell
c7d4682aed Define log levels in docs and change default to 0-3.
We define the meaning of the various log levels in the man page
for krb5_openlog(3).  If logging configured and levels are not
specified, we change the default levels to 0-3 which should exclude
debugging messages which are generally only desired in exceptional
circumstances.

We also go through the KDC and adjust the levels to be appropriate.
2019-10-21 13:43:01 +01:00
Nicolas Williams
dfada0ccad kx509: Add CSR support
This commit adds support for proof of posession to the kx509 protocol by
using PKCS#10 CSRs.

This allows conveyance of extReq CSR attributes requesting desired
Certificate Extensions.
2019-10-09 20:53:30 -05:00
Nicolas Williams
6f9eb81243 krb5: copy AD from auth_context to Authenticator
If the caller provides authz data in the auth context, then we should
copy it to the Authenticator when making an AP-REQ!
2019-10-08 22:20:40 -05:00
Nicolas Williams
6a7e7eace6 Add kx509 client and revamp kx509 service
This commit adds support for kx509 in libkrb5, and revamps the KDC's
kx509 service (fixing bugs, adding features).

Of note is that kx509 is attempted optimistically by the client, with
the certificate and private key stored in the ccache, and optionally in
an external PEM or DER file.

NOTE: We do not optimistically use kx509 in krb5_cc_store_cred() if the
      ccache is a MEMORY ccache so we don't generate a key when
      accepting a GSS context with a delegated credential.

kx509 protocol issues to be fixed in an upcoming commit:

 - no proof of possession (this is mostly not too bad, but we'll want to
   fix it by using CSRs)
 - no algorithm agility (only plain RSA is supported)
 - very limited (no way to request any options in regards to the
   requested cert)
 - error codes are not very useful

Things we're adding in this commit:

 - libkrb5 kx509 client
 - automatic kx509 usage hooked in via krb5_cc_store_cred() of start TGT
 - per-realm templates on the KDC side
 - per-realm issuer certificates
 - send error messages on the KDC side
   (this is essential to avoid client-side timeouts on error)
 - authenticate as many error messages
 - add a protocol probe feature so we can avoid generating a
   keypair if the service is not enabled
   (once we add support for ECC algorithms we won't need this
    anymore; the issue is that RSA keygen is slow)
 - support for different types of client principals, not just username:

    - host-based service and domain-based service, each with its own
      template set per-{realm, service} or per-service

   (the idea is to support issuance of server certificates too, not
    just client/user certs)
 - more complete support for SAN types
 - tests (including that PKINIT->kx509->PKINIT works, which makes it
   possible to have "delegation" of PKIX credentials by just delegating
   Kerberos credentials)
 - document the protocol in lib/krb5/kx509.c

Future work:

 - add option for longer-ticket-lifetime service certs
 - add support for ECDSA, and some day for ed25519 and ed448
 - reuse private key when running kinit
   (this will require rethinking how we trigger optimistic kx509
    usage)
 - HDB lookup for:
    - optional revocation check (not strictly necessary)
    - adding to certificates those SANs listed in HDB
       - hostname aliases (dNSName SANs)
       - rfc822Name (email)
       - XMPP SANs
       - id-pkinit-san (a user could have aliases too)
 - support username wild-card A RRs, ala OSKT/krb5_admin
    i.e., if a host/f.q.d.n principal asks for a certificate for
    some service at some-label.f.q.d.n, then issue it
   (this is not needed at OSKT sites because OSKT already
    supports keying such service principals, which means kx509
    will issue certificates for them, however, it would be nice
    to be able to have this independent of OSKT)
   (a better way to do this would be to integrate more of OSKT
    into Heimdal proper)
 - a kx509 command, or heimtools kx509 subcommand for explicitly
   attempting use of the kx509 protocol (as opposed to implicit, as is
   done in kinit via krb5_cc_store_cred() magic right now)

Issues:

 - optimistically trying kx509 on start realm TGT store -> timeout issues!
    - newer KDCs will return errors because of this commit; older ones
      will not, which causes timouts
    - need a separate timeout setting for kx509 for optimistic case
    - need a [realm] config item and DNS SRV RR lookup for whether a
      realm is expected to support kx509 service
2019-10-08 21:26:50 -05:00
Nicolas Williams
78cb995e6e krb5: add missing export 2019-10-08 20:58:04 -05:00
Nicolas Williams
098f6480e4 krb5: Fix spurious error (debug) msg in keytab 2019-10-07 21:32:00 -05:00
Viktor Dukhovni
6f2b52bc97 Expose new Heimdal 8 KRB5_PLUGIN_COMMON_SPI_VERSION macro 2019-10-07 20:17:59 -04:00
Nicolas Williams
afaaf3d89d Add krb5_cc_configured_default_name()
Refactor krb5_cc_set_default_name() by splitting out the part that looks
for a configured default ccache name.  This will allow one to check if a
given ccache is a default ccache for a process ignoring KRB5CCNAME,
which might prove useful in the kx509 client.
2019-10-03 13:09:18 -05:00
Nicolas Williams
941dfd95a3 pkinit: fix leak in client 2019-10-03 13:09:18 -05:00
Nicolas Williams
37b55e1fdb pkinit: fix memory leak in libkrb5 2019-10-03 13:09:18 -05:00
Nicolas Williams
fe5c0a907c unparse_principal: reject embedded NULs 2019-10-03 13:09:18 -05:00
Nicolas Williams
621c68abea Improve krb5_cc_remove_cred() test 2019-10-03 13:09:18 -05:00
Nicolas Williams
e163bfd81b Make ccache init atomic 2019-10-03 13:09:18 -05:00
Nicolas Williams
ec84667763 Fix krb5_cc_move() issues
Move init/copy/destroy fallback sequence from fcc_move() to
krb5_cc_move().

Make sure all backends's move() method calls krb5_cc_destroy() on the
source on success (and only on success).

In text_cc make sure that we can find in the destination the cred
stored into the source.
2019-10-03 13:09:18 -05:00
Nicolas Williams
cf16e60f3b Fix off by one in KEYRING krcc_remove_cred() 2019-10-03 13:09:18 -05:00
Nicolas Williams
5e270a8914 Fix missing error checking in lib/krb5/pkinit.c 2019-10-03 13:09:18 -05:00
Nicolas Williams
338d47120b Fix Appveyor Windows build 2019-10-03 13:09:18 -05:00
Viktor Dukhovni
989422e0fc Install kuserok-plugin.h and update docs
The header file was not installed, and the manpage had the wrong
name for the plugin load function, it is "krb5_plugin_kuserok_plugin_load",
not "kuserok_plugin_load".
2019-09-26 20:18:00 -04:00
Nicolas Williams
c9b5a4df90 Use roken_get_loginname() when we want getlogin_r() 2019-09-25 23:09:20 -05:00
Nicolas Williams
d02277b45f List token expansions in krb5.conf.5 2019-09-25 23:09:20 -05:00
Nicolas Williams
0fdda02b61 Add loginname, ruid, and LOCALSTATEDIR expansions
%{loginname} is for getlogin_r().

Now %{username} uses only the $USER and $LOGNAME environment variables
(if the caller is not set-uid), or if absent or the caller is set-uid,
then getpwuid_r().

The intent is to allow kadmin(1) to use the loginname instead of the
username for the construction of the kadmin client principal name.  This
is helpful when the user runs kadmin as root via sudo and/or su.
2019-09-25 23:09:20 -05:00
Roland C. Dowdeswell
d6337ebdce Export krb5_crypto_prfplus() from libkrb5 2019-09-18 21:20:47 +01:00
Viktor Dukhovni
fae8df3839 Optional backwards-compatible anon-pkinit behaviour
* Anonymous pkinit responses from the KDC where the name
  type is not well-known (as issued by 7.5 KDCs and earlier)
  are accepted by the client.  There is no need for the client
  to strictly enforce the name type.

* With historical_anon_pkinit = true, the kinit(1) client's
  "--anonymous" option only performs anon pkinit, and does
  not require an '@' prefix for the realm argument.

* With historical_anon_realm = true, the KDC issues anon
  pkinit tickets with the legacy pre-7.0 "real" realm.
2019-09-04 18:00:15 -04:00
Nicolas Williams
dd226b6f9a Token "username" should be multi-platform 2019-07-09 12:34:26 -05:00
Nicolas Williams
51aed5d820 krb5_data_copy() should use memcpy() 2019-07-09 12:34:26 -05:00
Nicolas Williams
889617883d Make note in test_cc of how to keyctl new_session 2019-07-09 12:34:26 -05:00
Roland C. Dowdeswell
fcd57af8e1 Implement KRB5_TRACE using existing logging framework 2019-06-16 21:23:51 -04:00
Luke Howard
cf940e15f4 krb5: rename constrained-delegatiom to cname-in-addl-tkt
For consistency with [MS-SFU] rename the constrained-delegation KDC option to
cname-in-addl-tkt (client name in additional ticket).
2019-06-02 14:44:11 +10:00
Isaac Boukris
ea7615ade3 Do not set anonymous flag in S4U2Proxy request
It is not specified in MS-SFU, Apple dropped it as well and
it now breaks master branch.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2019-06-01 11:14:27 -04:00
Jeffrey Altman
b276d139ef lib/krb5: add plugin headers to Makefiles
Change-Id: I6701035da2e7ff3f83feee6cbb4921e5bd5dfd75
2019-05-21 22:20:14 -04:00
Jeffrey Altman
434b34d71c lib/krb5: prevent build failures of krb5_plugin_common on Windows
The Microsoft compiler cannot handle multiple const modifiers
for the same type.    It is also unhappy with the output pointer
parameter being declared const.

This change introduces new typedefs and cast of the dlsym() return
type to prevent warnings.

Change-Id: Ia92645efab8d2ec6745339a6f47c690782ae730a
2019-05-21 22:20:14 -04:00
Jeffrey Altman
ac6fa4cadc lib/krb5: prepare to make common plugins public
Rename common_plugin_ftable to krb5_plugin_common_ftable.

Create lib/krb5/common_plugin.h to include the structure and typedef.

The common_plugin.h header is now included by ccache_plugin.h
along with a prototype for the required ccache_ops_plugin_load()
function.

Change-Id: I2b27d6d0f5cf0544482c3f01784fef945e12e8d8
2019-05-21 22:20:14 -04:00
Jeffrey Altman
df78c88cc0 lib/krb5: common_plugin_ftable_desc funcs KRB5_LIB_CALL
As with the krb5plugin_an2ln_ftable_desc, krb5plugin_db_ftable_desc,
and krb5plugin_kuserok_ftable_desc the function pointers in
common_plugin_ftable_desc must be annotated with KRB5_LIB_CALL.

Change-Id: Ia7ea78743ee9eb8c7f6b648063852ca91a360d2c
2019-05-21 22:20:14 -04:00
Jeffrey Altman
32fe791c2e lib/krb5: common plugin only fallback if load_fn() fails
Only fallback to loading the plugin function table directly if
if the initialization function is not exported.  Failing a
consistency check should not permit falling back to a potentially
incompatible function table.

Change-Id: Ic753ed9a090aef6073853f7309f0f8f0f29d0aa9
2019-05-21 22:20:14 -04:00