author | Sam Hartman <hartmans@mit.edu> | 2009-12-28 17:15:30 +0000 |
committer | Sam Hartman <hartmans@mit.edu> | 2009-12-28 17:15:30 +0000 |
commit | ec49e6e673ab229462ef18aa2986167eaa643643 (patch) | |
tree | 625dba55e939a0073cf69f7b79c8c0010df991eb /src/lib/kadm5 | |
parent | c5479d0c5b29430a49cf3683513c1223a173ac4e (diff) | |
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Merge remote branch 'anonymous' into trunk
Conflicts:
src/lib/krb5/krb/gic_opt.c
ticket: 6607
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5')
-rw-r--r-- | src/lib/kadm5/admin.h | 7 | ||||
-rw-r--r-- | src/lib/kadm5/clnt/client_init.c | 60 | ||||
-rw-r--r-- | src/lib/kadm5/clnt/libkadm5clnt.exports | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/libkadm5srv.exports | 1 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_init.c | 13 |
5 files changed, 60 insertions, 22 deletions
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index 4196a19..8fad111 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -338,6 +338,13 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, krb5_ui_4 api_version, char **db_args, void **server_handle); +kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle); kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name, char *pass, diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index 95c4954..82033e9 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c @@ -59,7 +59,7 @@ #define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX" -enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS }; +enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS , INIT_ANONYMOUS}; static kadm5_ret_t _kadm5_init_any(krb5_context context, char *client_name, @@ -129,6 +129,19 @@ kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name, api_version, db_args, server_handle); } +kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) +{ + return _kadm5_init_any(context, client_name, INIT_ANONYMOUS, NULL, NULL, + service_name, params, struct_version, + api_version, db_args, server_handle); +} + kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, char *service_name, kadm5_config_params *params, 
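Review bot: The new kadm5_init_anonymous prototype in admin.h gives library users no hint of what client_name means when no credentials for it are ever obtained, and the header is the only place most callers read. The implementations in client_init.c and server_init.c both still pass client_name through to _kadm5_init_any and kadm5_init, so its role is real but unstated. A comment above the declaration such as `/* Like kadm5_init, but authenticates anonymously; client_name is passed through to the handle and no credentials for it are acquired (confirm against _kadm5_init_any). */` would cover it; the parenthetical hedge belongs there until the server-side role is confirmed.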
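Review bot: The changed enumerator line `enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS , INIT_ANONYMOUS};` has a stray space before the comma and none before the closing brace, unlike the line it replaces. It should read `enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };`.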
@@ -343,7 +356,8 @@ static kadm5_ret_t _kadm5_init_any(krb5_context context, char *client_name, * The RPC connection is open; establish the GSS-API * authentication context. */ - code = kadm5_setup_gss(handle, params_in, client_name, full_svcname); + code = kadm5_setup_gss(handle, params_in, (init_type == INIT_CREDS)?client_name:NULL, + full_svcname); if (code) goto error; @@ -490,7 +504,7 @@ kadm5_get_init_creds(kadm5_server_handle_t handle, full_svcname, full_svcname_len); if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || code == KRB5_CC_NOTFOUND) && svcname_in == NULL) { - /* Retry with old host-independent service princpal. */ + /* Retry with old host-independent service principal. */ code = kadm5_gic_iter(handle, init_type, ccache, client, pass, KADM5_ADMIN_SERVICE, realm, @@ -525,7 +539,7 @@ kadm5_gic_iter(kadm5_server_handle_t handle, kadm5_ret_t code; krb5_context ctx; krb5_keytab kt; - krb5_get_init_creds_opt opt; + krb5_get_init_creds_opt *opt = NULL; krb5_creds mcreds, outcreds; int n; 
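Review bot: The new argument `(init_type == INIT_CREDS)?client_name:NULL` hands kadm5_setup_gss a NULL name not only for INIT_ANONYMOUS but also for INIT_PASS and INIT_SKEY, which previously always received client_name, and the commit does not say whether that widening is intended. If only the anonymous case should drop the name, `init_type == INIT_ANONYMOUS ? NULL : client_name` says so; if every freshly acquired credential is meant to use the ccache's default principal, a comment on the line, e.g. `/* Only INIT_CREDS trusts client_name; otherwise let GSS pick the ccache default principal, which for anonymous init presumably differs from it. */`, should record that decision. The ternary also wants spaces around `?` and `:` to match the surrounding code. _kadm5_init_any begins and ends outside this hunk.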
@@ -540,29 +554,32 @@ kadm5_gic_iter(kadm5_server_handle_t handle, if (realm) { n = snprintf(full_svcname, full_svcname_len, "%s@%s", svcname, realm); - if (n < 0 || n >= full_svcname_len) + if (n < 0 || n >= (int) full_svcname_len) goto error; } else { /* krb5_princ_realm(client) is not null terminated */ n = snprintf(full_svcname, full_svcname_len, "%s@%.*s", svcname, krb5_princ_realm(ctx, client)->length, krb5_princ_realm(ctx, client)->data); - if (n < 0 || n >= full_svcname_len) + if (n < 0 || n >= (int) full_svcname_len) goto error; } /* Credentials for kadmin don't need to be forwardable or proxiable. */ if (init_type != INIT_CREDS) { - krb5_get_init_creds_opt_init(&opt); - krb5_get_init_creds_opt_set_forwardable(&opt, 0); - krb5_get_init_creds_opt_set_proxiable(&opt, 0); + code = krb5_get_init_creds_opt_alloc(ctx, &opt); + krb5_get_init_creds_opt_set_forwardable(opt, 0); + krb5_get_init_creds_opt_set_proxiable(opt, 0); + krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache); + if (init_type == INIT_ANONYMOUS) + krb5_get_init_creds_opt_set_anonymous(opt, 1); } - if (init_type == INIT_PASS) { + if (init_type == INIT_PASS || init_type == INIT_ANONYMOUS) { code = krb5_get_init_creds_password(ctx, &outcreds, client, pass, krb5_prompter_posix, NULL, 0, - full_svcname, &opt); + full_svcname, opt); if (code) goto error; } else if (init_type == INIT_SKEY) { @@ -572,7 +589,7 @@ kadm5_gic_iter(kadm5_server_handle_t handle, goto error; } code = krb5_get_init_creds_keytab(ctx, &outcreds, client, kt, - 0, full_svcname, &opt); + 0, full_svcname, opt); if (pass) krb5_kt_close(ctx, kt); if (code) @@ -588,14 +605,10 @@ kadm5_gic_iter(kadm5_server_handle_t handle, if (code) goto error; } - if (init_type != INIT_CREDS) { - /* Caller has initialized ccache. */ - code = krb5_cc_store_cred(ctx, ccache, &outcreds); - if (code) - goto error; - } error: krb5_free_cred_contents(ctx, &outcreds); + if (opt) + krb5_get_init_creds_opt_free(ctx, opt); return code; } 
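Review bot: The result of `code = krb5_get_init_creds_opt_alloc(ctx, &opt);` is stored but never tested, so on allocation failure the very next line, `krb5_get_init_creds_opt_set_forwardable(opt, 0)`, dereferences a NULL `opt`; add `if (code) goto error;` right after the alloc, which the `error:` path already tolerates since it frees `opt` only when non-NULL. `krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache)` also returns a krb5_error_code that is dropped here and deserves the same check. Because the explicit `krb5_cc_store_cred` is removed in the later hunk at @@ -588, a comment on the set_out_ccache line, `/* Creds are written to ccache by the gic library via out_ccache; no explicit store below. */`, would explain why that store disappeared. kadm5_gic_iter begins before this hunk, so whether `outcreds` is zeroed before the snprintf early exits reach `krb5_free_cred_contents` cannot be confirmed from here.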
@@ -644,10 +657,13 @@ kadm5_setup_gss(kadm5_server_handle_t handle, goto error; } - buf.value = client_name; - buf.length = strlen((char *)buf.value) + 1; - gssstat = gss_import_name(&minor_stat, &buf, - (gss_OID) gss_nt_krb5_name, &gss_client); + if (client_name) { + buf.value = client_name; + buf.length = strlen((char *)buf.value) + 1; + gssstat = gss_import_name(&minor_stat, &buf, + (gss_OID) gss_nt_krb5_name, &gss_client); + } else gss_client = GSS_C_NO_NAME; + if (gssstat != GSS_S_COMPLETE) { code = KADM5_GSS_ERROR; goto error; diff --git a/src/lib/kadm5/clnt/libkadm5clnt.exports b/src/lib/kadm5/clnt/libkadm5clnt.exports index 6174847..5e81580 100644 --- a/src/lib/kadm5/clnt/libkadm5clnt.exports +++ b/src/lib/kadm5/clnt/libkadm5clnt.exports @@ -24,6 +24,7 @@ kadm5_get_principal kadm5_get_principals kadm5_get_privs kadm5_init +kadm5_init_anonymous kadm5_init_krb5_context kadm5_init_with_creds kadm5_init_with_password diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports index 35745be..d8d3b22 100644 --- a/src/lib/kadm5/srv/libkadm5srv.exports +++ b/src/lib/kadm5/srv/libkadm5srv.exports @@ -40,6 +40,7 @@ kadm5_get_principal_keys kadm5_get_principals kadm5_get_privs kadm5_init +kadm5_init_anonymous kadm5_init_krb5_context kadm5_init_with_creds kadm5_init_with_password diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c index ed71cbf..557ef0a 100644 --- a/src/lib/kadm5/srv/server_init.c +++ b/src/lib/kadm5/srv/server_init.c 
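Review bot: In the new `} else gss_client = GSS_C_NO_NAME;` branch `gssstat` is not assigned, yet the `if (gssstat != GSS_S_COMPLETE)` test that follows still reads it, so the check now depends on whatever value an earlier GSS call left behind (presumably GSS_S_COMPLETE, since the function would otherwise have jumped to error already, but that is not visible in the hunk). Set it explicitly and brace the branch like the neighbouring if bodies: `} else { gss_client = GSS_C_NO_NAME; gssstat = GSS_S_COMPLETE; }`, or move the status test inside the `if (client_name)` block. kadm5_setup_gss begins and ends outside this hunk.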
@@ -104,6 +104,19 @@ kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name, server_handle); } +kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name, + char *service_name, + kadm5_config_params *params, + krb5_ui_4 struct_version, + krb5_ui_4 api_version, + char **db_args, + void **server_handle) +{ + return kadm5_init(context, client_name, NULL, service_name, params, + struct_version, api_version, db_args, + server_handle); +} + kadm5_ret_t kadm5_init_with_creds(krb5_context context, char *client_name, krb5_ccache ccache, |
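Review bot: `kadm5_init_anonymous` in server_init.c is a plain forwarder to `kadm5_init` with a NULL password, and nothing records why that is the correct server-side counterpart of the client's anonymous init. A comment above it, `/* The server library performs no client authentication, so an anonymous init is simply kadm5_init with no password. */`, would stop a reader hunting for an anonymous credential path here; that kadm5_init in this library does no authentication is inferred from the forwarding, not shown in the hunk, so confirm before wording it as fact.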