Age | Commit message (Collapse) | Author | Files | Lines |
|
improvements" Project Proposal review.
Introduced plugin_version and removed plugin_id config attr.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24177 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Example of plugin section in krb5.conf after renaming:
PQ_DYN = {
plugin_api = plugin_pwd_qlty
plugin_loader_name = plugin_dyn_loader
plugin_loader_type = dynamic
plugin_name = plugin_pwd_qlty_DYN
plugin_loader_path = /var/tsitkova/Sources/pl/src/plugin_dynamic/libplugin_dynamic.so
plugin_type = service
plugin_id = 33
}
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24155 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24154 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24150 dc483132-0cff-0310-8789-dd5450dbe970
|
|
For the purpose of demonstration, a new plugin pwd_qlty_DYN was created.
The new section in krb5.conf for dynamic plugins looks as follows
plugin_list = PQ_DYN
PQ_DYN = {
plugin_api = plugin_pwd_qlty
plugin_factory_name = plugin_dyn_factory
plugin_factory_type = dynamic
plugin_name = plugin_pwd_qlty_DYN
plugin_factory_path = /var/tsitkova/Sources/pl/src/plugin_dynamic/libplugin_dynamic.so
plugin_id = 33
}
The test appl is server_misc.c.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24149 dc483132-0cff-0310-8789-dd5450dbe970
|
|
based on plugin_id
As a proof of the concept, the password quality validation plugins were considered.
So, the following happens:
In the krb5.conf we indicate that we potentially want two pwd quality plugins: plugin_pwd_qlty_krb (native MIT kerb code extracted from server_mics.c) and plugin_pwd_qlty_X (bogus,as a matter of fact, almost identical to plugin_pwd_qlty_krb impl).
In the caller, i.e. in passwd_check of lib/kadm5/srv/server_misc.c, we call KRB and X impl's and verify the pwd against both of the policies:
plugin_manager_get_service(srv_handle->context->pl_handle, "plugin_pwd_qlty", PWD_QLTY_KRB);
plugin_manager_get_service(srv_handle->context->pl_handle, "plugin_pwd_qlty", PWD_QLTY_X);
(It is proof of the concept.)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24135 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24116 dc483132-0cff-0310-8789-dd5450dbe970
|
|
the old/existing built-in pwd verification functionality. ( for proof of the concept and demonstration purposes)
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24108 dc483132-0cff-0310-8789-dd5450dbe970
|
|
routines in crypto lib to have a krb5_context as an argument. (This is needed to pass ref to pl_handle.) Unfortunately, it is not the case for the current state of crypto lib. Introducing krb5_context is a very invasive change and might be unsuitable for 1.9 release. So, yarrow is moved from plugins to crypto/krb and is treated as built-in functionality again.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24104 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24080 dc483132-0cff-0310-8789-dd5450dbe970
|
|
KDC side works. kinit needs to be linked with old libs to work.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24079 dc483132-0cff-0310-8789-dd5450dbe970
|
|
At the moment we do not have "default" plugin configuration => needed to update come krb5 config files for "make check" tests to work.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@24064 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Also, made path to yaml config file conditional in krb5_libinit.c
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23975 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Example of plugin section in krb5.conf:
[plugins]
plugin_prng = {
plugin_factory_name = plugin_default_factory
plugin_factory_type = static
plugin_name = plugin_yarrow_prng
plugin_type = service
}
plugin_pa = {
plugin_factory_name = plugin_default_factory
plugin_factory_type = static
plugin_name = plugin_encrypted_challenge_pa
plugin_type = service
}
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23974 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23949 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23924 dc483132-0cff-0310-8789-dd5450dbe970
|
|
preauth/encrypted_challenge server side as a new plugin under the new arch.
This commit is for plugin implementation and initialization only. Next step is to invoke the code in kdc.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23923 dc483132-0cff-0310-8789-dd5450dbe970
|
|
is still needed in the appl, e.g. t_prng, where krb5 lib is not initialized).
Make check works until it reaches ./t_gssapi.py
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23915 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23904 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23903 dc483132-0cff-0310-8789-dd5450dbe970
|
|
This design provides the following advantages:
1. Simple and clear additions of new plugin APIs and new implementations of the existing plugins
2. Handle both static and dynamic plugins
3. Handle two types of plugins: Listener and Service
4. Uniform way to supply parameters for plugin configuration
5. Possible versioning of configuration
6. Potentially, configuration file may contain hash values for the library validity verification
7. Tables of functions are created during make.
It was tested by implementing yarrow as PRNG plugin. (There is also a bogus plugin_prng_os implementation which uses system rand calls just for the demonstration purpose)
t_prng and all other tests in crypto_tests work (need to run "make check" from crypto_tests dir)
This particular version suggests using plugin configuration file in yaml format. It can be alternated by hardcoded or any other configuration.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23902 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23889 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23887 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23881 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23874 dc483132-0cff-0310-8789-dd5450dbe970
|
|
indentation caused by an #ifdef HAVE_LSTAT block.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23870 dc483132-0cff-0310-8789-dd5450dbe970
|
|
containing programs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23858 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5_init_creds_step() is taken from Heimdal, which sets *flags to 1
for "continue" and 0 for "stop". Unfortunately, we got it backwards
in 1.8; fix it for 1.8.1.
ticket: 6693
tags: pullup
target_version: 1.8.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23844 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23838 dc483132-0cff-0310-8789-dd5450dbe970
|
|
to make it easier to distinguish them from cur_tgt and nxt_tgt. Make
similar name changes to lst_kdc and kdc_list, as well as the function
find_nxt_kdc().
No functional changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23837 dc483132-0cff-0310-8789-dd5450dbe970
|
|
making it clearer that control drops through if one of the first
couple of steps fails.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23836 dc483132-0cff-0310-8789-dd5450dbe970
|
|
gss_import_sec_context in some error paths.
ticket: 6678
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23834 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The SPNEGO implementation in krb5-1.7 and later could crash due to
assertion failure when receiving some sorts of invalid GSS-API tokens.
ticket: 6690
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23832 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23831 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Move krb5_typed_data to krb5.hin from k5-int-pkinit.h because
krb5int_fast_process_error was assuming that it was safe to cast it to
krb5_pa_data. It's not safe to do the cast on 64-bit MacOSX because
krb5.hin uses #pragma pack on that platform.
ticket: 6689
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23829 dc483132-0cff-0310-8789-dd5450dbe970
|
|
KRB5_AUTHDATA_SIGNTICKET, originally a Heimdal authorization data
type, was used to implement PAC-less constrained delegation in krb5
1.8. Unfortunately, it was found that Microsoft was using 142 for
other purposes, which could result in a ticket issued by an MIT or
Heimdal KDC being rejected by a Windows Server 2008 R2 application
server. Because KRB5_AUTHDATA_SIGNTICKET is only used to communicate
among a realm's KDCs, it is relatively easy to change the number, so
MIT and Heimdal are both migrating to a new number. This change will
cause a transitional interoperability issue when a realm mixes MIT
krb5 1.8 (or Heimdal 1.3.1) KDCs with MIT krb5 1.8.1 (or Heimdal
1.3.2) KDCs, but only for constrained delegation evidence tickets.
ticket: 6687
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23821 dc483132-0cff-0310-8789-dd5450dbe970
|
|
r16656, #2656). Based on a patch from nalin@redhat.com.
ticket: 6680
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23820 dc483132-0cff-0310-8789-dd5450dbe970
|
|
username in the case where the ccache doesn't exist.
ticket: 6683
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23819 dc483132-0cff-0310-8789-dd5450dbe970
|
|
declaration.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23818 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23817 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23816 dc483132-0cff-0310-8789-dd5450dbe970
|
|
dereference options if it's NULL.
ticket: 6681
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23815 dc483132-0cff-0310-8789-dd5450dbe970
|
|
a patch from Jeff Blaine <jblaine@kickflop.net>.
ticket: 6684
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23814 dc483132-0cff-0310-8789-dd5450dbe970
|
|
versions of Python. (python --version was added in 2.5.)
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23813 dc483132-0cff-0310-8789-dd5450dbe970
|
|
k5test in Python 2.3 or below.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23812 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Re-integrates the forked versions of network.c in kdc and
kadmin/server. Server-specific initialization and SIGHUP-reset code
is moved into other source files; the more generic network-servicing
code is merged and moved into apputils library already used by both
programs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Handle NT_SRV_INST in service principal cross-realm referrals, as
Windows apparently uses that instead of NT_SRV_HST for at least some
service principals.
ticket: 6685
target_version: 1.8.1
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23810 dc483132-0cff-0310-8789-dd5450dbe970
|
|
without first running "make install".
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23805 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Create kadmin/history lazily when we need it (i.e. when a password is
changed on a principal with a policy) instead of whenever we open the
database. Allows kadmin.local to be used as a read-only tool on non-
kadmin-conformant database back ends such as the Samba bridge.
ticket: 6679
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970
|
|
config attributes "default" and "logging"
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970
|