Don't create hostbased principals in new KDBs
Unix-like platforms do not provide a simple method to find the
fully-qualified local hostname as the machine is expected to appear to
other hosts.  Canonicalizing the gethostname() result with
getaddrinfo() usually works, but potentially uses DNS.  Now that
dns_canonicalize_hostname=true is no longer the default, KDB creation
would generally create the wrong host-based principals.

kadmin/hostname is unnecessary because the client software can also
use kadmin/admin, and kiprop/hostname is one of several principals
that must be created for incremental propagation.

ticket: 8935 (new)
greghudson committed Aug 4, 2020
1 parent 1d282ba commit ac2b693
Showing 5 changed files with 12 additions and 84 deletions.
52 changes: 5 additions & 47 deletions src/kadmin/dbutil/kadm5_create.c
Expand Up @@ -139,60 +139,18 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
char *service_name = 0, *kiprop_name = 0, *canonhost = 0;
char localname[MAXHOSTNAMELEN];

if (gethostname(localname, MAXHOSTNAMELEN)) {
ret = errno;
perror("gethostname");
goto clean_and_exit;
}
ret = krb5_expand_hostname(context, localname, &canonhost);
if (ret) {
com_err(progname, ret, _("while canonicalizing local hostname"));
goto clean_and_exit;
}
if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
ret = ENOMEM;
fprintf(stderr, _("Out of memory\n"));
goto clean_and_exit;
}
if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
ret = ENOMEM;
fprintf(stderr, _("Out of memory\n"));
goto clean_and_exit;
}

if ((ret = add_admin_princ(handle, context,
service_name, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_LOCKDOWN_KEYS,
ADMIN_LIFETIME)))
goto clean_and_exit;

if ((ret = add_admin_princ(handle, context,
KADM5_ADMIN_SERVICE, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_LOCKDOWN_KEYS,
ADMIN_LIFETIME)))
goto clean_and_exit;

if ((ret = add_admin_princ(handle, context,
KADM5_CHANGEPW_SERVICE, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_PWCHANGE_SERVICE |
KRB5_KDB_LOCKDOWN_KEYS,
CHANGEPW_LIFETIME)))
goto clean_and_exit;

ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);

clean_and_exit:
krb5_free_string(context, canonhost);
free(service_name);
free(kiprop_name);
return ret;

return ret;
return add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_PWCHANGE_SERVICE | KRB5_KDB_LOCKDOWN_KEYS,
CHANGEPW_LIFETIME);
}

/*
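Review bot: After this change add_admin_princs creates only kadmin/admin and kadmin/changepw, but nothing in the function says that kadmin/<host> and kiprop/<host> were dropped on purpose, and an administrator reading the code will look for them. A comment above the definition would settle it: `/* Create kadmin/admin and kadmin/changepw.  Host-based principals (kadmin/<host>, kiprop/<host>) are deliberately not created: the canonical local hostname cannot be determined reliably without DNS, and kiprop/<host> is added by the administrator when setting up incremental propagation. */`, which is the rationale the commit message gives. Separately, since the new body appears to return on the first failure (`return ret;`) and otherwise returns the second add_admin_princ call directly, the `= 0` initializer on `krb5_error_code ret` looks redundant, though the exact new control flow is not fully recoverable from the rendered hunk.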
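--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -307,29 +307,6 @@ create_fixed_special(krb5_context context, struct realm_info *rinfo,
 
 }
 
-/* Create a special principal using one specified component and the
- * canonicalized local hostname. */
-static krb5_error_code
-create_hostbased_special(krb5_context context, struct realm_info *rinfo,
-krb5_keyblock *mkey, const char *comp1)
-{
-krb5_error_code ret;
-krb5_principal princ = NULL;
-
-ret = krb5_sname_to_principal(context, NULL, comp1, KRB5_NT_SRV_HST,
-&princ);
-if (ret)
-goto cleanup;
-ret = krb5_set_principal_realm(context, princ, global_params.realm);
-if (ret)
-goto cleanup;
-ret = kdb_ldap_create_principal(context, princ, TGT_KEY, rinfo, mkey);
-
-cleanup:
-krb5_free_principal(context, princ);
-return ret;
-}
-
 /* Create all special principals for the realm. */
 static krb5_error_code
 create_special_princs(krb5_context context, krb5_principal master_princ,
@@ -360,20 +337,10 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
 if (ret)
 return ret;
 
-/* Create kadmin/admin and kadmin/<hostname>. */
+/* Create kadmin/admin. */
 rblock.max_life = ADMIN_LIFETIME;
 rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
 ret = create_fixed_special(context, &rblock, mkey, "kadmin", "admin");
 if (ret)
 return ret;
-ret = create_hostbased_special(context, &rblock, mkey, "kadmin");
-if (ret)
-return ret;
-
-/* Create kiprop/<hostname>. */
-rblock.max_life = global_params.max_life;
-rblock.flags = 0;
-ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
-if (ret)
-return ret;
 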
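Review bot: The comment `/* Create all special principals for the realm. */` above create_special_princs, kept as context in the first hunk, is no longer accurate now that the kadmin/<host> and kiprop/<host> principals formerly produced by the removed create_hostbased_special are not part of the set; suggest `/* Create the fixed special principals for the realm.  Host-based principals such as kiprop/<host> are not created here; the administrator adds them when needed. */`. In the second hunk the deleted kiprop block was the code that reset rblock.max_life and rblock.flags after the kadmin/admin entry, and create_special_princs continues past the end of the hunk, so whatever is created next now sees rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED unless it reassigns the fields itself — worth confirming on the lines that follow.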
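--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -1098,10 +1098,11 @@ proc kadmin_test { } {
 return
 }
 
-# test fallback to kadmin/admin
-if {![kadmin_delete_locked_down kadmin/$hostname] \
+# test fallback to kadmin/hostname
+if {![kadmin_add_rnd kadmin/$hostname] \
+|| ![kadmin_delete_locked_down kadmin/admin] \
 || ![kadmin_list] \
-|| ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \
+|| ![kadmin_add_rnd kadmin/admin -allow_tgs_req] \
 || ![kadmin_list]} {
 return
 }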
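Review bot: The rewritten block creates kadmin/$hostname with kadmin_add_rnd and never removes it, so the principal now outlives this test with whatever attributes kadmin_add_rnd applies — presumably without the TGS-based restriction, since only the re-added kadmin/admin gets `-allow_tgs_req` — whereas the old block re-created kadmin/$hostname with that restriction and left the database as the KDB had set it up. If later checks in kadmin_test depend on the principal set, delete kadmin/$hostname at the end of the block, or add a comment after the closing brace such as `# kadmin/$hostname is intentionally left in the database` so the leftover is explicit. The proc kadmin_test continues outside the hunk.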
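--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -188,6 +188,7 @@ def check_ulog(num, first, last, entries, env=None):
 
 # Create the principal used to authenticate kpropd to kadmind.
 kiprop_princ = 'kiprop/' + hostname
+realm.addprinc(kiprop_princ)
 realm.extract_keytab(kiprop_princ, realm.keytab)
 
 # Create the initial replica databases.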
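--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -331,6 +331,7 @@ def kadmin_as(client, query, **kwargs):
 # Test authentication to kadmin/hostname.
 mark('authentication to kadmin/hostname')
 kadmin_hostname = 'kadmin/' + hostname
+realm.addprinc(kadmin_hostname)
 realm.run([kadminl, 'delprinc', 'kadmin/admin'])
 msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
 'Setting initial creds service to kadmin/admin',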
