From 15da0d16e99f5c6956f1ed687cc3cffdade83cb5 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 31 Mar 2017 14:14:11 +0200 Subject: [PATCH] Use only anonymous PKINIT to fetch armor ccache Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy Reviewed-By: Jan Cholasta Reviewed-By: Martin Basti Reviewed-By: Simo Sorce --- ipalib/install/kinit.py | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 1e4d1a82fdefe968db13c3847b9b37b3b3f75d6f..fb6caee4d6b5fef27b53753b21ad83572da31ac4 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -7,7 +7,6 @@ import time import gssapi -from ipalib.constants import ANON_USER from ipaplatform.paths import paths from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import run @@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None, raise RuntimeError(result.error_output) -def kinit_armor(ccache_name): +def kinit_armor(ccache_name, pkinit_anchor=None): """ - perform kinit to obtain anonymous ticket to be used as armor for FAST. + perform anonymous pkinit to obtain anonymous ticket to be used as armor + for FAST. + + :param ccache_name: location of the armor ccache + :param pkinit_anchor: if not None, the location of PKINIT anchor file to + use. Otherwise the value from Kerberos client library configuration is + used + + :raises: CalledProcessError if the anonymous PKINIT fails """ root_logger.debug("Initializing anonymous ccache") env = {'LC_ALL': 'C'} - # try with the keytab first and then again fallback to try with pkinit in - # case someone decided it is fun to remove Anonymous keys from the entry - # or in future pkinit enabled principal enforce the use of pkinit - try: - # Gssapi does not understand anonymous cred use kinit command instead - args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB, - ANON_USER, '-c', ccache_name] - run(args, env=env, raiseonerr=True, capture_error=True) - return - except Exception as e: - root_logger.debug("Failed to init Anonymous keytab: %s", e, - exc_info=True) - - root_logger.debug("Fallback to slower Anonymous PKINIT") args = [paths.KINIT, '-n', '-c', ccache_name] + if pkinit_anchor is not None: + args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)]) + # this workaround enables us to capture stderr and put it # into the raised exception in case of unsuccessful authentication run(args, env=env, raiseonerr=True, capture_error=True) -- 2.12.2