Commit Graph

18110 Commits

Author SHA1 Message Date
Radoslav Bodo
f3f06fcba9 kadmin selective prune of historic key for principal 2018-12-31 14:17:10 -06:00
Luke Howard
af0d8ef677 gssapi: support for client keytab in gss_acquire_cred (#383)
For compatibility with MIT Kerberos, support automatic acquisition of initiator
credentials if a client keytab is available. The default path on non-Windows is
/var/heimdal/user/%{euid}/client.keytab, but can be overridden with the
KRB5_CLIENT_KTNAME environment variable or the default_client_keytab_name
configuration option. If a client keytab does not exist, or exists but does not
contain the principal for which initiator credentials are being acquired, the
system keytab is tried.
2018-12-31 18:20:37 +11:00
Luke Howard
58b77bb485 krb5: fix a couple of missing options in verify_krb5_conf 2018-12-31 18:18:08 +11:00
Luke Howard
014f16883c libhcrypto: UI_UTIL_FLAG_VERIFY_SILENT 2018-12-30 15:39:49 -06:00
Luke Howard
7e0ff63b38 gssapi: add OPTSYM for gss_duplicate_cred() (#487)
Allow API-as-SPI mechanisms to provide gss_duplicate_cred(), introduced
in e6d1c108.
2018-12-29 20:22:12 +11:00
Nicolas Williams
e6d1c10808 Rewrite gss_add_cred() (fix #413)
It turns out gss_add_cred() really needed a complete rewrite.  It's much
better to first have a gss_duplicate_cred() (which has been needed for
other reasons anyways), and use that when the input_cred_handle is not
GSS_C_NO_CREDENTIAL and output_cred_handle is not NULL, then mutate that
duplicate credential handle (or the input_cred_handle if
output_cred_handle is NULL).
2018-12-28 19:26:25 -06:00
Jeffrey Altman
134b53ead1 lib/roken: roken_get_shell unreachable code warning
When WIN32 is undefined an unreachable code warning was generated
since "/bin/sh" is returned as the default response.

Change-Id: I757c9d05db62c1d52fee0e510259098d73273a84
2018-12-28 14:31:21 -05:00
Jeffrey Altman
51c2a5831a lib/kadm5: _kadm5_s_init_hooks
prevent leak of configuration strings introduced by
f62b00e33c ("kadm5: improve
kadm5 hook logging (#397)")

Change-Id: I12c028241e6ee0175599b6edc6a334c6efb858d9
2018-12-28 14:26:11 -05:00
Nicolas Williams
b0a357429d Fix warning in lib/gssapi/test_context.c 2018-12-28 01:09:38 -06:00
Nicolas Williams
7c03b981a4 Fix warning in lib/krb5/get_default_principal.c 2018-12-28 01:09:38 -06:00
Nicolas Williams
06773bba48 Fix warning in lib/ipc/tc.c 2018-12-28 01:09:38 -06:00
Nicolas Williams
6df981e048 Fix warning in lib/krb5/test_store.c 2018-12-28 01:09:38 -06:00
Luke Howard
36ad8fa536 krb5: fix pointer indirection error in keyring cache (#166) 2018-12-28 17:54:18 +11:00
Luke Howard
65ed504d21 hcrypto: print failure on password mismatch (#469)
UI_UTIL_read_pw_string(), an interface borrowed from OpenSSL, should report
password verification failure to stderr.
2018-12-27 17:40:57 +11:00
Luke Howard
410d96f480 kadmin: do not assign passwords at realm initialization
Since c6bf100b password quality checks have been moved out of kadmindd and into
libkadm5. This means that all password changes are subject to quality checks,
if enforce_on_admin_set is true (the default). In rare instances it could be
possible for realm initialization to fail because the randomly generated
passwords do not pass the password quality test. Fix this by creating
principals with no password or key, rather than with a random password.

Random *keys* continue to be set immediately after the principal is created,
and before DISALLOW_ALL_TIX is unset, so there should be no functionality or
security implications from this change. It is safe to call a server-side API
such as kadm5_s_create_principal_with_key() as local_flag is asserted to be
true.
2018-12-27 17:11:27 +11:00
Luke Howard
f62b00e33c kadm5: improve kadm5 hook logging (#397)
Centralize logging for kadm5 hook failure, log successful hook loading, better
logging on hook load failures and on platforms that do not support dlopen().
2018-12-27 11:58:26 +11:00
Isaac Boukris
efb111e450 Separate enterprise and canonicalize flags
The meaning of the two is different and we should
not implicitly set both if one was requested (this
aligns the logic with MIT kinit -C/-E options).

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2018-12-26 16:55:13 -06:00
Isaac Boukris
2ee4169dd1 Avoid shadowing KDC returned error code
The referral function does not handle short names,
so avoid falling over it in case capath fails, in
order to preserve the error code returned by the
KDC (it wasn't a problem before the order between
the two functions has changed).

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2018-12-26 16:55:13 -06:00
Jeffrey Altman
434f76bcb7 lib/roken: rk_random_init HAVE_ARC4RANDOM #401
When arc4random() is available, rk_random_init() does not have to
call arc4random_stir().  arc4random_stir() will be called as a result
of the first call to arc4random().

Change-Id: I6f4a3be7c39752746657945ed15896472908f889
2018-12-26 16:49:06 -06:00
Jeffrey Altman
3a52ba6ed0 lib/krb5: send_to_kdc KRB5KDC_ERR_SVC_UNAVAILABLE infinite loop #346
Prior to this change a KDC response of KRB5KDC_ERR_SVC_UNAVAILABLE
would result in the client looping forever.  Setting the action to
KRB5_SENDTO_CONTINUE repeats the current loop without altering the
current state.  Hence the infinite loop.

As of this change, the action is set to KRB5_SENDTO_RESET which
forces the current kdc's response to be cleared and then to retry.
If KRB5KDC_ERR_SVC_UNAVAILABLE continues to be returned, the retry
limit will be reached and the loop will end.

This bug was filed by multiple sources including Samba and ScottUrban
on github.

Change-Id: If1611be0ada3422cefae89541ed3b3df1f6efe29
2018-12-26 17:04:26 -05:00
Jeffrey Altman
60b25dd9c5 lib/ipc: client double close of socket file descriptor #431
When connect() fails in connect_unix() the path_ctx.fd is not
set to -1 after close().  When common_release() is executed due
to the error return from connect_unix() it calls close() a second
time.

There is no need to call close() from connect_unix(). Remove the
duplicate request.

This issue was reported by YASUOKA Masahiko.

Change-Id: I825e274cc7f12e50a8779a2b62ddb756817cdb52
2018-12-26 15:13:28 -05:00
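
Added example, not part of the Heimdal commit or code base: the single-owner close pattern described in the lib/ipc message above, plus a check of why a duplicate close() is dangerous (the descriptor number may already belong to a newer socket). The names demo_ctx, demo_connect and demo_release and the socket path are hypothetical, constructed for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

struct demo_ctx { int fd; };   /* hypothetical stand-in for the client context */

/* Sole owner of the descriptor: closes at most once, then marks it invalid. */
static int demo_release(struct demo_ctx *c)
{
    int closed = (c->fd >= 0 && close(c->fd) == 0);
    c->fd = -1;
    return closed;
}

/* On connect() failure the fd stays in the context for demo_release(). */
static int demo_connect(struct demo_ctx *c, const char *path)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    if ((c->fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return errno;
    return connect(c->fd, (struct sockaddr *)&addr, sizeof(addr)) ? errno : 0;
}

/* Number of successful close() calls after a failed connect and two releases. */
int closes_after_failed_connect(void)
{
    struct demo_ctx c = { -1 };
    if (demo_connect(&c, "/nonexistent/added-example.sock") == 0)
        return -1;             /* constructed path; expected not to exist */
    return demo_release(&c) + demo_release(&c);
}

/* Why a second close() matters: the number may already name another socket. */
int stale_close_hits_new_fd(void)
{
    int stale = socket(AF_UNIX, SOCK_STREAM, 0);
    close(stale);                                  /* first close; value kept */
    int fresh = socket(AF_UNIX, SOCK_STREAM, 0);   /* lowest free number is reused */
    if (fresh != stale) { close(fresh); return 0; }
    close(stale);                                  /* the duplicate close */
    return fcntl(fresh, F_GETFD) == -1 && errno == EBADF;
}

int main(void) { printf("closes=%d stale_hit=%d\n", closes_after_failed_connect(), stale_close_hits_new_fd()); return 0; }
```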
YASUOKA Masahiko
becb0b03ae Deadlock in lib/krb5/mcache.c #432 2018-12-26 12:03:25 -06:00
Jeffrey Altman
63914b95b8 lib/wind: PY3 gen-punycode-examples.py
Update gen-punycode-examples.py for python 3.

gen-punycode-examples.py parses the Sample strings from section 7.1
of rfc3492.txt and generates the punycode_examples.[ch] sources containing
the punycode_examples[].

Python 3 requires that print output be surrounded by parentheses
and the split and join operations have been moved from the "string"
class to built-ins.

This change adds the missing parentheses and switches to the built-in
split and join str operations.

The "string" class is no longer required as an import.

Change-Id: Ic5f341080d2ff2feef692c89e0b28dcbf4e48cb4
2018-12-26 11:51:41 -06:00
Luke Howard
c6bf100b43 kadm5: move password quality checks out of daemons and into libkadm5
Note that this has a slight behavior change to c89d3f3b in order to continue to
allow kadmin in local mode to bypass password quality checks. Password quality
checks are always bypassed if the *client* kadmin principal is kadmin/admin,
i.e. that of the kadmin service itself. This is the case when running kadmin in
local mode. As this is the equivalent of a superuser account, one would
anticipate that deployments would use specific administrator instances for
appropriate ACLs for day-to-day administration; operations by these will be
subject to password quality checks if enforce_on_admin_set is TRUE, or if the
user is changing their own password.
2018-12-26 11:04:05 -06:00
Luke Howard
62c1790bf5 kadm5: pre/post-commit plugin hook for kadm5 update operations (#397)
This change adds plugin support to the kadmin libraries for performing
actions before and after a password change is committed to the KDC database
and after a change is made to the attributes of a principal (specifically,
a change to DISALLOW_ALL_TIX).

This change adds a hook_libraries configuration option to the [kadmin]
section of krb5.conf (or kdc.conf if you use that file) that must be set
to load the module. That configuration option is in the form:

[kadmin]
  hook_libraries = /usr/local/lib/krb5/plugins/kadm5_hook/krb5_sync.so

where the value is the full path to the plugin that you want to load. If
this option is not present, kadmind will not load a plugin and the changes
from the patch will be inactive. If this option is given and the plugin
cannot be loaded, kadmind startup will abort with a (hopefully useful)
error message in syslog.

Any plugin used with this patch must expose a public function named
kadm5_hook_init of type kadm5_hook_init_t that returns a kadm5_hook structure.
See sample_hook.c for an example of this initialization function.

typedef struct kadm5_hook {
    const char *name;
    uint32_t version;
    const char *vendor;
    void (KRB5_CALLCONV *fini)(krb5_context, void *data);

    krb5_error_code (KRB5_CALLCONV *chpass)(krb5_context context,
                                            void *data,
                                            enum kadm5_hook_stage stage,
                                            krb5_error_code code,
                                            krb5_const_principal princ,
                                            uint32_t flags,
                                            size_t n_ks_tuple,
                                            krb5_key_salt_tuple *ks_tuple,
                                            const char *password,
                                            char **error_msg);
    ...
};

where enum kadm5_hook_stage is:

enum kadm5_hook_stage {
    KADM5_HOOK_STAGE_PRECOMMIT,
    KADM5_HOOK_STAGE_POSTCOMMIT
};

init creates a hook context that is passed into all subsequent calls.
chpass is called for password changes, create is called for principal
creation (with the newly-created principal in the kadm5_principal_ent_t
argument), and modify is called when a principal is modified. The purpose of
the remaining functions should be self-explanatory.

returning 0 on success and a Kerberos error code on failure, setting the
Kerberos error message in the provided context. The error code passed in is
valid for post-commit hooks and contains the result of the update operation.

This change is submitted under the following license

Copyright 2012, 2013
The Board of Trustees of the Leland Stanford Junior University

Portions Copyright 2018 AuriStor Inc.

Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.
2018-12-26 11:04:05 -06:00
Luke Howard
c89d3f3b8c kadmin: allow enforcing password quality on admin password change
This patch adds the "enforce_on_admin_set" configuration knob in the
[password_quality] section. When this is enabled, administrative password
changes via the kadmin or kpasswd protocols will be subject to password quality
checks. (An administrative password change is one where the authenticating
principal is different to the principal whose password is being changed.)

Note that kadmin running in local mode (-l) is unaffected by this patch.
2018-12-26 15:38:48 +11:00
Luke Howard
6ce1aa84c5 Remove rk_getpw*_r() functions 2018-12-25 22:11:19 -06:00
Nicolas Williams
3f1451a4c3 Remove get_default_username() 2018-12-25 22:11:19 -06:00
Nicolas Williams
620862049e Use roken_get_*() instead of getpwuid()
Using non-reentrant getpwuid() (or getpwnam(), or getspnam())  can be
dangerous.  We had a report of a login application / PAM that calls
those, and Heimdal, by calling them too, clobbered the cached struct
passwd used by the login app / PAM.
2018-12-25 22:11:19 -06:00
Nicolas Williams
95eb83c424 roken: Add roken_get_username() and friends
We add roken_get_{shell, username, appdatadir, homedir}() functions.  These use
a combination of secure_getenv(), getpwuid_r(), getlogin_r(), or various WIN32
functions to get this information.

Use roken_get_appdatadir() instead of roken_get_homedir() when looking for
dotfiles.
2018-12-25 22:11:19 -06:00
Nicolas Williams
073ffd0423 roken: Make sure we have MAX_PATH 2018-12-25 22:11:19 -06:00
Nicolas Williams
a152c4c808 Remove k_getpwnam() and k_getpwuid() 2018-12-25 22:11:19 -06:00
Nicolas Williams
784637709b Remove unix_verify_user() 2018-12-25 22:11:19 -06:00
Nicolas Williams
8fae8a1826 Remove iruserok() 2018-12-25 22:11:19 -06:00
Nicolas Williams
3b8c762dd0 Remove lib/roken glob()
We no longer use it since removing ftp from appl/.

Note that expansion of ~username/ couldn't have been working because
k_getpwnam() was being called with an unsigned short * that was forcibly
cast to char *, but it really was shorts, not chars...  Anyone who ever
feels like reviving lib/roken/glob.[ch] will want to fix that...
2018-12-25 22:11:19 -06:00
Nicolas Williams
af9e938867 Fix infinite loop in print_units_table() 2018-12-25 22:11:19 -06:00
Nicolas Williams
7138a04690 Fix rk_mkdir() on WIN32 2018-12-25 22:11:19 -06:00
Jeffrey Altman
db859520b4 lib/kadm5: use krb5_enomem() where possible
Change-Id: I487fbc640a8f793f0aa02ef4c94099e09241d616
2018-12-25 16:57:55 -06:00
Jeffrey Altman
50ebc1491a lib/kadm5: improve kadm_c_ error handling
Perform error checking for each function call and consistently return
errors at the point of failure.

Refactor functions to use a common exit path.  Preserve error messages
stored in the kadm5_client_context.context when appropriate.

Change-Id: I7aa04020e4de3454066f0d88ba805fed999dbd1a
2018-12-25 16:57:55 -06:00
Sushant Mathur
622c4ded2f Fixed incorrect NTLM version. It was 00 earlier,
changed it to 0f(15). Also made the reserved field
before it 00 00 00 instead of 0f 00 00.
2018-12-25 10:54:35 -05:00
Andrew Bartlett
785db7b740 Fix -O3 -Werror=unused-result build in dcache.c (#420)
* Fix -O3 -Werror=unused-result build in dcache.c

gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
with -O3 -Werror=unused-result

../lib/krb5/dcache.c:85:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
     asprintf(&path, "%s/primary-XXXXXX", dc->dir);
     ^
../lib/krb5/dcache.c: In function ‘primary_create’:
../lib/krb5/dcache.c:56:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
     asprintf(&primary, "%s/primary", dc->dir);
     ^
../lib/krb5/dcache.c: In function ‘dcc_gen_new’:
../lib/krb5/dcache.c:423:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
     asprintf(&name, ":%s/tktXXXXXX", dc->dir);
     ^
../lib/krb5/dcache.c: In function ‘dcc_resolve’:
../lib/krb5/dcache.c:340:2: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
  asprintf(&dc->name, ":%s/%s", dc->dir, residual);
  ^
../lib/krb5/dcache.c:348:5: error: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Werror=unused-result]
     asprintf(&filename, "FILE%s", dc->name);
     ^
cc1: all warnings being treated as errors

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

* Update dcache.c

When asprintf() fails it is not guaranteed that the output variable will be NULL on all platforms and releases.

* Update dcache.c
2018-12-25 01:29:25 -05:00
Jeffrey Altman
17e8216927 lib/krb5: krcache add_unique_keyring dead code removal
After the for loop 'key' cannot have the value -1.  The loop
must execute at least once resulting either in the function
returning to the caller or the value of 'key' getting set to
a value other than -1.

Change-Id: Idaf65e3cf3d22a27828ad0dd04650a4f54ba94fc
2018-12-25 09:47:35 +11:00
Jeffrey Altman
49dacab0b8 lib/krb5: krcc_remove_cred remove dead code
At the completion of the while loop the value of 'ret' cannot
be zero.  The expected value is KRB5_CC_END.  Any other value
is an error to return to the caller.  If 'ret' is KRB5_CC_END
then return krcc_end_get() result().

Change-Id: Ic2afb5a754e03d521c10a259c53fc70b86b4a132
2018-12-25 09:47:35 +11:00
Luke Howard
6561afff3a hx509: update gen_req.sh for OpenSSL 1.1 (#392)
OpenSSL 1.1 has the pkInitKDC OID built in, which breaks as it was redefined by
openssl.cnf in Heimdal. Try to determine if OpenSSL >= 1.1 and if so, use a
configuration file that omits this OID definition. The implementation is not
robust but as this is simply an example (not run by the test suites), it should
be adequate.
2018-12-24 12:13:29 -06:00
Luke Howard
fb81598d44 krb5: port MIT Linux keyring credentials cache (#166) 2018-12-24 18:17:32 +11:00
David Mulder
f132d2040d solaris 8 sparc defines _LP64 to empty, causing build failure 2018-12-23 20:30:12 -06:00
Luke Howard
572a6fd7ac hx509: fix dependency, hxtool requires ASN.1 headers 2018-12-24 02:25:19 +00:00
Damir Franusic
329918bd67 hcrypto: fix include path 2018-12-24 02:25:08 +00:00
Damir Franusic
872222db35 AC_FIND_FUNC_NO_LIBS should check libtinfo for tgetent 2018-12-24 02:24:22 +00:00
Luke Howard
9763482d9f gssapi: fix pointer type mismatch in NTLM mech 2018-12-23 07:42:16 +00:00