New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kadmin selective prune of historic key for principal #415
kadmin selective prune of historic key for principal #415
Conversation
lib/kadm5/prune_c.c
Outdated
krb5_clear_error_message(context->context); | ||
return ENOMEM; | ||
} | ||
krb5_store_int32(sp, kadm_prune); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Error checking is needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code is copied from other features. i'm willing to work it out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing that out. I'll fix the others, but do please fix this one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remarked as unresolved to keep track of the things i've promissed/asked to fix
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nicowilliams please review commit 0d655f5 and resolve
Oh, I'd completely forgotten, but @vdukhovni wrote a prune history function two years ago. The idea is to delete keys that are too old to be needed for decrypting potentially still-extant tickets. Given that, do we still need pruning by kvno? |
Also, maybe we should make |
this is true, but as I stated in the original PR, there is a problem with that feature. |
@bodik We prune keys on every key change operation, not just
In fact, we prune key history on every |
well might be. but i see the rollover procedure as
|
@bodik You just rotate keys weekly or whatever. Yes, you'll generally have one old keyset you no longer need the KDC to know about. But even then, if you want to prune that keyset, how would you know its kvno? Why not just expose the current prune-old-keys operation and call that? Then the procedure would be:
For non-krbtgt principals we only need their keys for S4U2Proxy, so we can decrypt evidence tickets, but if a realm is not using S4U2Proxy or a service is known to not use it, then we can prune its key history more aggressively, in which case the sequence would be just (1). (In principle even non-krbtgt tickets can be renewable/postdated; in practice no one has nor uses support for that in clients.) Also, while we're here, your sequence has you generate keytab entries locally, then change them on the KDC. Now that Heimdal lets you set new keys without changing the kvno, you could first set them on the KDC, then write them to the keytab, then update the kvno to make the new keyset active. We are missing kadmin command options for this though!! |
See also #480. |
@bodik I'm happy with this PR, but I've requested one change: that
|
We'll integrate this for Heimdal 8. |
@bodik I've pushed some commits to your branch. One merges Another renames all the Another one adds documentation. Please review. We should squash all of these and merge. |
@nicowilliams I've:
once you review the changes I could squash commits and prepare branch for merging |
kadmin/prune.c
Outdated
@@ -0,0 +1,35 @@ | |||
/* | |||
* TODO licence |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, this needs a copyright notice and license. Please pick something friendly to Heimdal, preferably this one:
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
(You can change point 3 to refer to yourself if you wish to retain the copyright.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolved (commit e973b7e)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you! This is now ready. I'll squash and merge next.
@bodik I've pushed to your branch a) a rebase-and-squash, b) one more cleanup commit (just using |
Thanks @bodik! This is a very nice contribution. |
Hello,
please consider and at least comment this PR.
In current implementation (without PR)
the old keys either stays in the database forever or are prunned
automagically based on max_lifetime (based on prune-key-history), but
only on
cpw
, and yet it left the old key in history forever.Rotating krbtgt/ (or other principals) wihtout
--keepold
would disruptrealm operations, eg. long computing grid jobs.
The added functionality:
can be used to prune historic keys from principal
history by selective kvno. The main usecase is rollover krbtgt/ principals
(self and crossrealms).
it should be backward compatible afaik despite new opcode
kadm_ops
struct. During operation a 'modify' type is logged into ipropjournal but data already contains and ipro processes full key history (KEY_TL_DATA),
so even using patched
kadmin --local
on unpatchedkadmind
would workas expected on the slaves.