author | Mark Murray <markm@FreeBSD.org> | 2000-02-24 11:19:29 +0000 |
---|---|---|
committer | Mark Murray <markm@FreeBSD.org> | 2000-02-24 11:19:29 +0000 |
commit | 283d988c23f8139afa6b31adef1909ddb9d0e4df (patch) | |
tree | c822a9ebecac015f7f6b7d1422b50d0c490791e7 /crypto/heimdal/kdc | |
parent | 13e3f4d6d9d9c48a270a1a18a92e57a56f0a7059 (diff) | |
Vendor import of Heimdal 0.2o (tag vendor/heimdal/0.2o)
Notes
Notes:
svn path=/vendor-crypto/heimdal/dist/; revision=57419
svn path=/vendor-crypto/heimdal/0.2o/; revision=57421; tag=vendor/heimdal/0.2o
Diffstat (limited to 'crypto/heimdal/kdc')
-rw-r--r-- | crypto/heimdal/kdc/config.c | 76 | ||||
-rw-r--r-- | crypto/heimdal/kdc/connect.c | 74 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kaserver.c | 6 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kdc.8 | 63 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kdc_locl.h | 7 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kerberos4.c | 6 |
6 files changed, 175 insertions, 57 deletions
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c index ba76432c2331..3db71732d423 100644 --- a/crypto/heimdal/kdc/config.c +++ b/crypto/heimdal/kdc/config.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,24 +35,33 @@ #include <getarg.h> #include <parse_bytes.h> -RCSID("$Id: config.c,v 1.28 1999/12/02 17:04:58 joda Exp $"); +RCSID("$Id: config.c,v 1.30 2000/02/11 17:47:19 assar Exp $"); + +static char *config_file; /* location of kdc config file */ + +int require_preauth = -1; /* 1 == require preauth for all principals */ + +size_t max_request; /* maximal size of a request */ + +static char *max_request_str; /* `max_request' as a string */ + +time_t kdc_warn_pwexpire; /* time before expiration to print a warning */ -static char *config_file; -int require_preauth = -1; -char *keyfile; -static char *max_request_str; -size_t max_request; -time_t kdc_warn_pwexpire; struct dbinfo *databases; HDB **db; int num_db; + char *port_str; + int enable_http = -1; krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ krb5_boolean check_ticket_addresses; krb5_boolean allow_null_ticket_addresses; +static struct getarg_strings addresses_str; /* addresses to listen on */ +krb5_addresses explicit_addresses; + #ifdef KRB4 char *v4_realm; #endif @@ -73,10 +82,6 @@ static struct getargs args[] = { "don't require pa-data in as-reqs" }, { - "key-file", 'k', arg_string, &keyfile, - "location of master key file", "file" - }, - { "max-request", 0, arg_string, &max_request, "max size for a kdc-request", "size" }, 
@@ -102,6 +107,8 @@ static struct getargs args[] = { { "ports", 'P', arg_string, &port_str, "ports to listen to" }, + { "addresses", 0, arg_strings, &addresses_str, + "addresses to listen on", "list of addresses" }, { "help", 'h', arg_flag, &help_flag }, { "version", 'v', arg_flag, &version_flag } }; @@ -190,6 +197,22 @@ get_dbinfo(krb5_config_section *cf) } } +static void +add_one_address (const char *str, int first) +{ + krb5_error_code ret; + krb5_addresses tmp; + + ret = krb5_parse_address (context, str, &tmp); + if (ret) + krb5_err (context, 1, ret, "parse_address `%s'", str); + if (first) + krb5_copy_addresses(context, &tmp, &explicit_addresses); + else + krb5_append_addresses(context, &explicit_addresses, &tmp); + krb5_free_addresses (context, &tmp); +} + void configure(int argc, char **argv) { @@ -221,16 +244,6 @@ configure(int argc, char **argv) if(krb5_config_parse_file(config_file, &cf)) cf = NULL; - if(keyfile == NULL){ - p = krb5_config_get_string (context, cf, - "kdc", - "key-file", - NULL); - if(p) - keyfile = strdup(p); - } - - get_dbinfo(cf); if(max_request_str){ @@ -256,6 +269,25 @@ configure(int argc, char **argv) if (p != NULL) port_str = strdup(p); } + + explicit_addresses.len = 0; + + if (addresses_str.num_strings) { + int i; + + for (i = 0; i < addresses_str.num_strings; ++i) + add_one_address (addresses_str.strings[i], i == 0); + } else { + char **foo = krb5_config_get_strings (context, cf, + "kdc", "addresses", NULL); + + if (foo != NULL) { + add_one_address (*foo++, TRUE); + while (*foo) + add_one_address (*foo++, FALSE); + } + } + if(enable_http == -1) enable_http = krb5_config_get_bool(context, cf, "kdc", "enable-http", NULL); diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c index 62b5bea7d874..a1bbdcbd0892 100644 --- a/crypto/heimdal/kdc/connect.c +++ b/crypto/heimdal/kdc/connect.c 
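Review bot: In add_one_address the return codes of krb5_copy_addresses and krb5_append_addresses are discarded, while the krb5_parse_address failure just above it is fatal. If the copy of the first address fails, explicit_addresses.len presumably stays 0, and init_sockets in connect.c then falls back to krb5_get_all_server_addrs, i.e. the KDC silently listens on every local address although --addresses was given to restrict it. Treat both calls the same way as the parse: `ret = first ? krb5_copy_addresses(context, &tmp, &explicit_addresses) : krb5_append_addresses(context, &explicit_addresses, &tmp); if (ret) krb5_err(context, 1, ret, "copy/append addresses");`. In configure the array returned by krb5_config_get_strings is walked with `*foo++`, so its base pointer is lost and the array is never released; indexing it instead (`for (i = 0; foo[i] != NULL; ++i) add_one_address(foo[i], i == 0);`, with an `int i` declared in that branch) keeps `foo` intact so it can be handed to krb5_config_free_strings afterwards, if this tree provides it. configure's body continues outside the hunk.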
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,11 @@ #include "kdc_locl.h" -RCSID("$Id: connect.c,v 1.68 1999/12/02 17:04:58 joda Exp $"); +RCSID("$Id: connect.c,v 1.69 2000/02/11 17:45:45 assar Exp $"); + +/* + * a tuple describing on what to listen + */ struct port_desc{ int family; @@ -41,9 +45,15 @@ struct port_desc{ int port; }; +/* the current ones */ + static struct port_desc *ports; static int num_ports; +/* + * add `family, port, protocol' to the list with duplicate suppresion. + */ + static void add_port(int family, int port, const char *protocol) { @@ -63,12 +73,19 @@ add_port(int family, int port, const char *protocol) return; } ports = realloc(ports, (num_ports + 1) * sizeof(*ports)); + if (ports == NULL) + krb5_err (context, 1, errno, "realloc"); ports[num_ports].family = family; ports[num_ports].type = type; ports[num_ports].port = port; num_ports++; } +/* + * add a triple but with service -> port lookup + * (this prints warnings for stuff that does not exist) + */ + static void add_port_service(int family, const char *service, int port, const char *protocol) @@ -77,6 +94,11 @@ add_port_service(int family, const char *service, int port, add_port (family, port, protocol); } +/* + * add the port with service -> port lookup or string -> number + * (no warning is printed) + */ + static void add_port_string (int family, const char *port_str, const char *protocol) { @@ -96,6 +118,10 @@ add_port_string (int family, const char *port_str, const char *protocol) add_port (family, port, protocol); } +/* + * add the standard collection of ports for `family' + */ + static void add_standard_ports (int family) { 
@@ -113,6 +139,12 @@ add_standard_ports (int family) #endif } +/* + * parse the set of space-delimited ports in `str' and add them. + * "+" => all the standard ones + * otherwise it's port|service[/protocol] + */ + static void parse_ports(const char *str) { @@ -150,6 +182,10 @@ parse_ports(const char *str) free (str_copy); } +/* + * every socket we listen on + */ + struct descr { int s; int type; @@ -176,7 +212,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port) ret = krb5_addr2sockaddr (a, sa, &sa_size, port); if (ret) { - krb5_warn(context, ret, "krb5_anyaddr"); + krb5_warn(context, ret, "krb5_addr2sockaddr"); close(d->s); d->s = -1; return; @@ -200,14 +236,23 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port) d->type = type; if(bind(d->s, sa, sa_size) < 0){ - krb5_warn(context, errno, "bind(%d)", ntohs(port)); + char a_str[256]; + size_t len; + + krb5_print_address (a, a_str, sizeof(a_str), &len); + krb5_warn(context, errno, "bind %s/%d", a_str, ntohs(port)); close(d->s); d->s = -1; return; } if(type == SOCK_STREAM && listen(d->s, SOMAXCONN) < 0){ - krb5_warn(context, errno, "listen"); + char a_str[256]; + size_t len; + + krb5_print_address (a, a_str, sizeof(a_str), &len); + krb5_warn(context, errno, "listen %s/%d", a_str, ntohs(port)); close(d->s); + d->s = -1; return; } } @@ -226,9 +271,13 @@ init_sockets(struct descr **desc) int num = 0; krb5_addresses addresses; - ret = krb5_get_all_server_addrs (context, &addresses); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); + if (explicit_addresses.len) { + addresses = explicit_addresses; + } else { + ret = krb5_get_all_server_addrs (context, &addresses); + if (ret) + krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); + } parse_ports(port_str); d = malloc(addresses.len * num_ports * sizeof(*d)); if (d == NULL) 
@@ -262,7 +311,11 @@ init_sockets(struct descr **desc) return num; } - +/* + * handle the request in `buf, len', from `addr' (or `from' as a string), + * sending a reply in `reply'. + */ + static int process_request(unsigned char *buf, size_t len, @@ -711,7 +764,8 @@ loop(void) case 0: break; case -1: - krb5_warn(context, errno, "select"); + if (errno != EINTR) + krb5_warn(context, errno, "select"); break; default: for(i = 0; i < ndescr; i++) diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c index dc155faa95ec..64121eb06154 100644 --- a/crypto/heimdal/kdc/kaserver.c +++ b/crypto/heimdal/kdc/kaserver.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c,v 1.9 1999/12/02 17:04:59 joda Exp $"); +RCSID("$Id: kaserver.c,v 1.10 2000/02/13 19:21:22 assar Exp $"); #ifdef KASERVER @@ -468,7 +468,7 @@ do_authenticate (struct rx_header *hdr, create_reply_ticket (hdr, skey, name, instance, v4_realm, - addr, life, client_entry->kvno, + addr, life, server_entry->kvno, max_seq_len, "krbtgt", v4_realm, chal + 1, "tgsT", diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8 index 89251118c3cf..181a3cea15a7 100644 --- a/crypto/heimdal/kdc/kdc.8 +++ b/crypto/heimdal/kdc/kdc.8 @@ -1,4 +1,4 @@ -.\" $Id: kdc.8,v 1.3 1997/08/09 00:20:38 joda Exp $ +.\" $Id: kdc.8,v 1.5 2000/02/13 21:04:32 assar Exp $ .\" .Dd July 27, 1997 .Dt KDC 8 
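Review bot: `addresses = explicit_addresses;` in init_sockets is a shallow struct copy of the global, so if init_sockets releases `addresses` after the socket loop the way the krb5_get_all_server_addrs branch requires (that part of the function is outside the hunk), the storage behind explicit_addresses is freed while the global still points at it. Copying instead, `ret = krb5_copy_addresses(context, &explicit_addresses, &addresses); if (ret) krb5_err(context, 1, ret, "krb5_copy_addresses");`, gives both branches the same ownership and lets the existing cleanup stay as it is. In the new bind and listen diagnostics the result of krb5_print_address is ignored, so on failure a_str may be handed to krb5_warn uninitialized; initialising it (`char a_str[256] = "?";`) or checking the return value avoids printing stack garbage into the log. init_socket's body continues outside the hunk.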
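Review bot: The kvno passed to create_reply_ticket now comes from server_entry rather than client_entry, and nothing at the call site says why, so a reader comparing it with the client-keyed paths could revert it. Since the ticket is being issued for `"krbtgt", v4_realm` (visible in the same call), a one-line comment on the changed argument, `/* ticket is issued for krbtgt, so stamp it with the server's kvno, not the client's */`, would pin the intent; how create_reply_ticket consumes kvno is outside the hunk, so confirm the wording against it. do_authenticate's body lies outside the hunk.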
@@ -11,12 +11,16 @@ Kerberos 5 server .Nm .Op Fl c Ar file .Op Fl -config-file= Ns Ar file -.Op Fl k Ar file -.Op Fl -key-file= Ns Ar file -.Op Fl p -.Op Fl -no-require-preauth +.Op Fl p | Fl -no-require-preauth +.Op Fl -max-request= Ns Ar size +.Op Fl H | Fl -enable-http +.Op Fl K | Fl -no-kaserver .Op Fl r Ar realm .Op Fl -v4-realm= Ns Ar realm +.Oo Fl P Ar string \*(Ba Xo +.Fl -ports= Ns Ar string Oc +.Xc +.Op Fl -addresses= Ns Ar list of addresses .Sh DESCRIPTION .Nm 
@@ -31,21 +35,32 @@ Options supported: Specifies the location of the config file, the default is .Pa /var/heimdal/kdc.conf . This is the only value that can't be specified in the config file. -.It Fl k Ar file -.It Fl -key-file= Ns Ar file -The location of the master-key file. All keys in the database is -encrypted with this master key. The use of a master key is currently -optional, so there is no default. -.Em "Don't specify a master key file if your database is not encrypted." .It Fl p .It Fl -no-require-preauth -Turn off the requirement for pre-autentication in the initial -AS-REQ. The use of pre-authentication makes it more difficult to do -offline password attacks. You might want to turn it off if you have -clients that doesn't do pre-authentication. Since the version 4 -protocol doesn't support any pre-authentication, so serving version 4 -clients is just about the same as not requiring pre-athentication. The -default is to require pre-authentication. +Turn off the requirement for pre-autentication in the initial AS-REQ +for all principals. The use of pre-authentication makes it more +difficult to do offline password attacks. You might want to turn it +off if you have clients that doesn't do pre-authentication. Since the +version 4 protocol doesn't support any pre-authentication, so serving +version 4 clients is just about the same as not requiring +pre-athentication. The default is to require +pre-authentication. Adding the require-preauth per principal is a more +flexible way of handling this. +.It Xo +.Fl -max-request= Ns Ar size +.Xc +Gives an upper limit on the size of the requests that the kdc is +willing to handle. +.It Xo +.Fl H Ns , +.Fl -enable-http +.Xc +Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. +.It Xo +.Fl K Ns , +.Fl -no-kaserver +.Xc +Disables kaserver emulation (in case it's compiled in). .It Fl r Ar realm .It Fl -v4-realm= Ns Ar realm What realm this server should act as when dealing with version 4 
@@ -55,6 +70,18 @@ explicitly specified. The default is whatever is returned by .Fn krb_get_lrealm . This option is only availabe if the KDC has been compiled with version 4 support. +.It Xo +.Fl P Ar string Ns , +.Fl -ports= Ns Ar string +.Xc +Specifies the set of ports the KDC should listen on. It is given as a +white-space separated list of services or port numbers. +.It Xo +.Fl -addresses= Ns Ar list of addresses +.Xc +The list of addresses to listen for requests on. By default, the kdc +will listen on all the locally configured addresses. If only a subset +is desired, or the automatic detection fails, this option might be used. .El .Pp All activities , are logged to one or more destinations, see diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h index 727557693090..c703030cb041 100644 --- a/crypto/heimdal/kdc/kdc_locl.h +++ b/crypto/heimdal/kdc/kdc_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ /* - * $Id: kdc_locl.h,v 1.39 1999/12/02 17:04:59 joda Exp $ + * $Id: kdc_locl.h,v 1.40 2000/02/11 17:46:29 assar Exp $ */ #ifndef __KDC_LOCL_H__ @@ -44,7 +44,6 @@ extern krb5_context context; extern int require_preauth; extern sig_atomic_t exit_flag; -extern char *keyfile; extern size_t max_request; extern time_t kdc_warn_pwexpire; extern struct dbinfo { @@ -56,6 +55,8 @@ extern struct dbinfo { extern HDB **db; extern int num_db; extern char *port_str; +extern krb5_addresses explicit_addresses; + extern int enable_http; extern krb5_boolean encode_as_rep_as_tgs_rep; extern krb5_boolean check_ticket_addresses; diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c index 29e28b3efb75..23d59dd5e147 100644 --- a/crypto/heimdal/kdc/kerberos4.c +++ b/crypto/heimdal/kdc/kerberos4.c 
@@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos4.c,v 1.26 2000/02/02 01:26:41 assar Exp $"); +RCSID("$Id: kerberos4.c,v 1.27 2000/02/13 19:27:36 assar Exp $"); #ifdef KRB4 @@ -307,6 +307,10 @@ do_version4(unsigned char *buf, } if(tgt->kvno != kvno){ + kdc_log(0, "tgs-req with old kvno %d (current %d) for " + "krbtgt.%s@%s", kvno, tgt->kvno, realm, v4_realm); + make_err_reply(reply, KDC_AUTH_EXP, + "old krbtgt kvno used"); goto out2; } |
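Review bot: The new kdc_log call prints `realm` with %s; where `realm` is set is above the hunk, but in a v4 TGS handler it is likely taken from the unauthenticated request, so a peer controls part of the log line unless kdc_log strips control characters itself. If it does not, log the realm through whatever quoting the other request-derived strings in this file use, or bound it (`"krbtgt.%.*s@%s"` with an explicit length) so a crafted realm cannot inject line breaks into the KDC log. A short comment on the make_err_reply line, e.g. `/* stale krbtgt kvno: answer as expired credentials instead of dropping the request */`, would also record why KDC_AUTH_EXP was chosen over a silent goto. do_version4's body continues outside the hunk.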