Age | Commit message | Author | Files | Lines |

(cherry picked from commit 35cd8db0f6627324b3b3a31f29b34774f649263b)
In database.rst, describe a couple of krbtgt rollover issues and how
to avoid them.
(cherry picked from commit 56d05e87858b672591c1e6b7869cb08e8b1e0d59)
ticket: 8524
version_fixed: 1.14.5
With permission from Danilo Almeida, change the license on
autolock.hxx to the 2-clause BSD license used by MIT krb5.
(cherry picked from commit 90bfe396781c3b2a427c95dd2e58a234027ff269)
ticket: 8520
version_fixed: 1.14.5
Describe the principal selection behavior of kinit when the principal
argument is absent.
(cherry picked from commit 9896d4ffecb69f0262375b2f0db5b275a5e25de9)
ticket: 8403
version_fixed: 1.14.5
(cherry picked from commit f619c2621443d9463898c434828dc67e587c2afd)
ticket: 8500
version_fixed: 1.14.5
In the k5srvutil man page, do not give the impression that arbitrary
new keys can be added to the keytab (requested by Dan Gillmor), since
only the new keys randomly generated by the KDC via 'k5srvutil change'
can be added to the keytab. Reiterate the importance of running
k5srvutil delold after running k5srvutil change in the description of
k5srvutil change, as well as in the description of k5srvutil delold
itself.
In install_kdc.rst, mention using a separate keytab file when
generating a keytab on a KDC for use on another host.
[ghudson@mit.edu: squashed two commits, condensed commit message]
(cherry picked from commit b1e655b38b60a05d4d2e4e0d4aedb7a9c36ab93b)
ticket: 8500
version_fixed: 1.14.5
The libss parser will consume paired double quotes, but within
a double-quoted region, repeated double quotes will be treated
as an escape and passed through as a single double quote.
(The new kadmin(1) parser in 1.14 that lets commands be specified
on the command line without -q does not go through the libss parser,
so standard shell methods for escaping quotes function as usual.)
(cherry picked from commit 3e319b1f93f75a3bab86425221f2bcbf5603f3f9)
ticket: 8469
version_fixed: 1.14.4
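The quoting rule described in this commit, as an added example that is not libss's or krb5's own code: a small Python re-implementation of the tokenizer behaviour as the commit states it (paired double quotes delimit a region in which whitespace is literal, a doubled quote inside the region yields one literal quote, and the token continues after the closing quote). It lets you check what a `kadmin -q` request string will actually deliver as a password before sending it. Raising an error on an unterminated quote is an assumption of this example, not something the commit states.

```python
from typing import List, Optional


def ss_split(request: str) -> List[str]:
    """Split a request string following the libss quoting rule as described.

    - Unquoted whitespace separates tokens.
    - A double quote opens a quoted region in which whitespace is literal.
    - Inside a quoted region, "" is an escape for a single literal ".
    - Any other double quote closes the region; the token continues.
    Re-implementation of the described rule, not libss code.
    """
    tokens: List[str] = []
    cur: List[str] = []
    in_token = False
    quoted = False
    i, n = 0, len(request)
    while i < n:
        ch = request[i]
        if quoted:
            if ch == '"':
                if i + 1 < n and request[i + 1] == '"':
                    cur.append('"')          # "" inside quotes -> literal "
                    i += 2
                    continue
                quoted = False               # closing quote; token continues
            else:
                cur.append(ch)
            i += 1
            continue
        if ch.isspace():
            if in_token:
                tokens.append("".join(cur))
                cur = []
                in_token = False
        elif ch == '"':
            quoted = True
            in_token = True
        else:
            cur.append(ch)
            in_token = True
        i += 1
    if quoted:
        # Assumption of this example: an unterminated region is an error.
        raise ValueError("unbalanced double quote in request")
    if in_token:
        tokens.append("".join(cur))
    return tokens


def kadmin_q_password(request: str) -> Optional[str]:
    """Return the -pw argument a 'kadmin -q' request string would deliver."""
    toks = ss_split(request)
    for i, t in enumerate(toks):
        if t == "-pw" and i + 1 < len(toks):
            return toks[i + 1]
    return None


if __name__ == "__main__":
    # Constructed request string, as it would be passed to kadmin -q.
    req = 'addprinc -pw "pa ss""word" alice@EXAMPLE.COM'
    print(ss_split(req))           # ['addprinc', '-pw', 'pa ss"word', 'alice@EXAMPLE.COM']
    print(kadmin_q_password(req))  # pa ss"word
```

From a shell, the shell's own quoting is applied first, so the request above would be typed as `kadmin -q 'addprinc -pw "pa ss""word" alice@EXAMPLE.COM'`; as the commit notes, the 1.14 command-line form without `-q` bypasses this parser entirely.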
kdb5_util dump -recurse hasn't behaved as documented since krb5-1.5,
when the DAL was integrated. Restoring it is a nontrivial amount of
work, so just document it for now.
(cherry picked from commit eb8dc865efec4938d74a7955fdcd02bbee4c22b9)
ticket: 8470
version_fixed: 1.14.4
The KDC now needs write access to the LDAP KDB, unless password
lockout and tracking of the last successful authentication time are
disabled. Update the example LDAP access control configuration in
conf_ldap.rst to reflect this, add a note that only read access is
required if lockout is disabled, and add a section to lockout.rst
calling out the need for write access. Reported by Will Fiveash.
[ci skip]
(cherry picked from commit c6550832235c63ccfaceb61864e887a675b02619)
ticket: 8452
version_fixed: 1.14.3
[ci skip]
(cherry picked from commit 8b5259b9d17a441a6914e141862c3fa29c234c3d)
ticket: 8417
version_fixed: 1.14.3
The key length and count of principal components are 16-bit fields.
(cherry picked from commit 841cabb2bd0275f0aad739fc03aaa2b66a617f68)
ticket: 8385
version_fixed: 1.14.2
status: resolved
tags: -pullup
Update copyright years to 2016 where appropriate.
ticket: 8243
In kdcpreauth.rst, describe the set_cookie and get_cookie callbacks
and explain how to generate a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
for multi-round-trip mechanisms. Add a new file formats/cookie.rst
documenting the secure cookie format.
ticket: 8233
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Based on a patch by Nathaniel McCallum.
ticket: 8233 (new)
This commit permits the external use of the RFC 6113 PRF+ function.
It also adds a function to derive a key from an input key and string
using PRF+.
[ghudson@mit.edu: adjust style; avoid new C99isms; use string2data(),
empty_data(), and alloc_data() where appropriate; add some explanatory
comments; edit docstrings and commit message]
ticket: 8228 (new)
To better support integration with FreeIPA, allow authentication
indicators to be specified in the "otp" string attribute, overriding
any indicators in the token type.
ticket: 8157
Add a new file auth_indicator.rst to the admin guide. Also document
the pkinit_indicator and OTP indicator profile variables, the
require_auth string attribute, and the add_auth_indicator kdcpreauth
callback. Add references to the new public constants in
appdev/refs/macros/index.rst.
ticket: 8157
In krb5_conf.rst, document that KRB5_CONFIG can contain directory
names.
ticket: 8030
In env_variables.rst and krb5_conf.rst, document that KRB5_CONFIG can
contain multiple colon-separated pathnames.
ticket: 8031 (new)
target_version: 1.13.3
tags: pullup
Bump the minor version of the kadm5_hook interface to 2 and add a
rename method. Invoke the rename method in kadm5_rename_principal()
like we do for other libkadm5srv operations.
Partly based on a patch from John Hascall.
ticket: 8171
This file is out of date, and we now use the wiki for the kind of
material it covers. Most of the information here is covered at
http://k5wiki.kerberos.org/wiki/Committer_resources
Fix typos, remove excess header underlines, and remove trailing
whitespace.
[ghudson@mit.edu: squashed several commits, summarized commit
messages]
ticket: 8170 (new)
target_version: 1.13.2
Heimdal and Shishi support a 32-bit kvno at the end of a keytab entry,
overriding the 8-bit version if present. Implement this in the FILE
keytab type and document it in keytab_file_format.rst.
ticket: 7532
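The optional trailing 32-bit kvno described in this commit, together with the two 16-bit field widths noted in the earlier commit for ticket 8385 (key length and count of principal components), as an added example that is not krb5's own code: a Python reader for the version 0x0502 FILE keytab layout, run over a keytab constructed inline. Following the commit's wording, a 32-bit kvno that is present overrides the 8-bit one; negative entry sizes are treated as deleted entries to skip. The principals, timestamps and key bytes in the sample are made up.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int, end: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string (16-bit length + data) within [off, end)."""
    if off + 2 > end:
        raise ValueError("truncated counted string")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > end:
        raise ValueError("counted string runs past entry")
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (0x0502) FILE keytab; all integers are big-endian."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated entry size")
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted entry: skip |size| bytes
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("entry runs past end of file")
        (ncomp,) = struct.unpack_from(">H", data, off)   # 16-bit component count
        off += 2
        realm, off = _counted(data, off, end)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off, end)
            comps.append(c.decode())
        if off + 9 > end:
            raise ValueError("truncated name_type/timestamp/vno8")
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        if off + 2 > end:
            raise ValueError("truncated enctype")
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off, end)               # 16-bit key length
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def _entry(principal, name_type, timestamp, kvno, enctype, key, vno32=None):
    """Encode one entry; the 8-bit field carries only the low byte of kvno."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if vno32 is not None:
        body += struct.pack(">I", vno32)
    return struct.pack(">i", len(body)) + body


# Constructed keytab (made-up names and key bytes): a kvno-300 aes256 key,
# whose kvno does not fit the 8-bit field, a deleted 8-byte entry, and a
# plain kvno-3 aes128 key with no trailing 32-bit field.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("host/kdc.example.com@EXAMPLE.COM", 1, 1470000000, 300, 18,
             bytes(range(32)), vno32=300)
    + struct.pack(">i", -8) + b"\x00" * 8
    + _entry("ldap/kdc.example.com@EXAMPLE.COM", 1, 1470000000, 3, 17,
             bytes(range(16)))
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
```

Without the trailing field, the first entry would read back as kvno 44 (300 mod 256), which is exactly the mismatch a server sees when a principal has been rekeyed more than 255 times and the keytab was written by a tool that only emits vno8.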
If kpropd is asked to run just once, don't exit after starting a full
resync; we want to wait for the fullprop child to process the request,
and then request incremental updates afterwards. Also don't exit from
do_standalone() in the fullprop child, in case multiple full resyncs
are required to get the database up to date.
Document the -t flag in kpropd.rst.
ticket: 8161
kadm5.acl entries can include restrictions which can force flag values
on or off. These flag values are parsed with krb5_string_to_flags(),
which means the flag names are the ones for default_principal_flags,
not the ones for kadmin addprinc/modprinc.
ticket: 8155
target_version: 1.13.2
tags: pullup
Add a new "formats" section to the RST documentation and populate it
with documentation of the credential cache and keytab file formats.
ticket: 8149 (new)
target_version: 1.13.2
tags: pullup
Add support for a command and arguments to be specified on the kadmin
command line, with script-friendly behavior. kadmin_startup() now
yields either a request string or a request argv array, and sets
script_mode in the argv array case. Informational messages now go
through info() and are suppressed if script_mode is set. Prompts and
warning messages are also suppressed in script mode. Error messages
indicating a failure now go through error() and set exit_status if
script_mode is set. The extended com_err() hook is always installed
so that com_err messages go through error() and set exit_status.
getopt() is now invoked with a leading '+' to suppress Gnu getopt
argument reordering behavior, so that invokers don't need to pass "--"
to prevent query options from being treated as kadmin options.
Non-Gnu getopt implementations should harmlessly treat '+' as a valid
flag option, which has no effect as it will reach the same default
label in the switch statement.
ticket: 7991
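The argument-reordering problem this commit addresses, as an added example that is not kadmin's code: Python's `getopt.getopt` stops at the first non-option, like getopt with a leading `+`, while `getopt.gnu_getopt` permutes argv the way GNU getopt does by default. The option string is a made-up subset of kadmin's real options (`-r realm`, `-p principal`, `-k`, `-q query`) used only for illustration; the invocation is constructed.

```python
import getopt
from typing import Dict, List, Tuple

# Illustrative subset of kadmin's option letters (assumption for this
# example, not kadmin's actual option string).
KADMIN_OPTS = "r:p:kq:"


def split_posix(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """'+'/POSIX behaviour: parsing stops at the first non-option, so the
    command word and everything after it reach the query untouched."""
    opts, rest = getopt.getopt(argv, KADMIN_OPTS)
    return dict(opts), rest


def split_permuting(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """GNU permuting behaviour: options anywhere in argv are collected, so
    the query's own '-pw' is read as kadmin's '-p' with argument 'w'."""
    opts, rest = getopt.gnu_getopt(argv, KADMIN_OPTS)
    return dict(opts), rest


if __name__ == "__main__":
    # Constructed: kadmin -r EXAMPLE.COM addprinc -pw hunter2 alice
    argv = ["-r", "EXAMPLE.COM", "addprinc", "-pw", "hunter2", "alice"]
    print(split_posix(argv))
    # ({'-r': 'EXAMPLE.COM'}, ['addprinc', '-pw', 'hunter2', 'alice'])
    print(split_permuting(argv))
    # ({'-r': 'EXAMPLE.COM', '-p': 'w'}, ['addprinc', 'hunter2', 'alice'])
```

With permutation, the password `hunter2` is handed to the query as the principal name and the intended `-pw` is lost; the pre-1.14 workaround was to insert `--` before the command word, which both parsers honour.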
Add support for multi-hop preauth mechs.
In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.
Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional
expression.
[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]
ticket: 8063 (new)
Support the err_fmt relation in [libdefaults] which allows custom
error message formatting.
[ghudson@mit.edu: maintain alphabetical order in documentation and
reword docs; simplify err_fmt_fmt; expand commit message]
ticket: 8047 (new)
Add four new public APIs for wrapping error messages:
krb5_prepend_error_message, krb5_vprepend_error_message,
krb5_wrap_error_message, and krb5_vwrap_error_message. The first two
functions are from Heimdal and allow a prefix to be added to the
existing message for a code. The latter two functions also allow the
code to be changed.
[ghudson@mit.edu: rename krb5_prepend_error_message2 to
krb5_wrap_error_message; clarify doxygen comments and put them in the
proper form; implement krb5_prepend_error_message in terms of
krb5_wrap_error_message; fix leak and null context handling in
krb5_wrap_error_message; rewrite commit message]
ticket: 8046 (new)
ksu -D does not work in the default build, so we should not document
it. Remove any mention of it from the usage message and from ksu.rst.
[ghudson@mit.edu: edited commit message; omit change to generated man
page]
ticket: 8048 (new)
Use modern enctypes for values of master_key_type and
supported_enctypes in the example kdc.conf in kdc_conf.rst.
ticket: 8035 (new)
target_version: 1.13.1
tags: pullup
Add text clarifying our unusual packaging of the PGP signature inside
a tar file.
ticket: 7927
target_version: 1.13
tags: pullup
Modern OpenAFS releases support using encryption stronger than single
DES with Kerberos. Update the documentation accordingly.
ticket: 7761
target_version: 1.13
tags: pullup
Update documentation to reflect the change in the default KDC TCP
listener behavior, new in 1.13.
ticket: 6731
target_version: 1.13
tags: pullup
KDC and application server checks on ticket start and expiration times
are subject to clock skew tolerance. Document this grace period.
[tlyu@mit.edu: edit commit message, adjust wording to conform to
existing style, document start time clock skew]
ticket: 8008 (new)
target_version: 1.13
tags: pullup
The KCM RPC definitions are copyright KTH/Apple, since it is present
for interoperability with OS X.
Add MS-KKDCP client copyright; alas, it does not match the existing
Red Hat copyrights, since the new code is a 2-clause BSD license, and
there was only a 3-clause Red Hat copyright block present already.
The actual Sphinx output for NOTICE would adjust the wrapping and
indentation of some existing content, but those changes were removed
by hand, so this commit only reflects new added content.
ticket: 8006
tags: pullup
target_version: 1.13
ticket: 7977
To reduce the number of steps in the deployment of iprop, create the
kiprop/hostname principal for the master KDC during KDB creation.
Adjust tests to match the new behavior.
[ghudson@mit.edu: clarified commit message; avoided applying kadmin
flags/lifetime to kiprop principal]
ticket: 7979 (new)
Document the new KCM ccache type in ccache_def.rst. Document the
kcm_socket and kcm_mach_service variables in krb5_conf.rst.
ticket: 7964
Commit 15b7e405ff7b62ab96af45999d1350455948e602 contained an
indentation error which broke the doc build. Fix it.
ticket: 7944
Document the LDAP SASL profile tags and DB options. For consistency,
also condense the kdc.conf documentation for the two bind DN variables
into one entry.
ticket: 7944
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level. Get rid
of the workaround wherever we use it.
ticket: 7954 (new)
target_version: 1.12.2
tags: pullup
Document DB options in the kadmin/kadmin.local man page, in their own
section. Refer to that section from the documentation of the -x
parameter of each other command which supports DB options. Add
documentation for the "dbname" DB2 option.
ticket: 7946 (new)
target_version: 1.12.2
tags: pullup
Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.
While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.
ticket: 7939