From 15da0d16e99f5c6956f1ed687cc3cffdade83cb5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 31 Mar 2017 14:14:11 +0200
Subject: [PATCH] Use only anonymous PKINIT to fetch armor ccache
Since the anonymous principal can only use PKINIT to obtain a credential
cache, it makes no sense to try to use its Kerberos key to establish the
FAST channel.
We should also be able to use custom PKINIT anchor for the armoring.
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
ipalib/install/kinit.py | 30 +++++++++++++-----------------
1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 1e4d1a82fdefe968db13c3847b9b37b3b3f75d6f..fb6caee4d6b5fef27b53753b21ad83572da31ac4 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -7,7 +7,6 @@ import time
|
|
|
483b06 |
|
|
|
483b06 |
import gssapi
|
|
|
483b06 |
|
|
|
483b06 |
-from ipalib.constants import ANON_USER
|
|
|
483b06 |
from ipaplatform.paths import paths
|
|
|
483b06 |
from ipapython.ipa_log_manager import root_logger
|
|
|
483b06 |
from ipapython.ipautil import run
|
|
|
483b06 |
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None,
|
|
|
483b06 |
raise RuntimeError(result.error_output)
|
|
|
483b06 |
|
|
|
483b06 |
|
|
|
483b06 |
-def kinit_armor(ccache_name):
|
|
|
483b06 |
+def kinit_armor(ccache_name, pkinit_anchor=None):
|
|
|
483b06 |
"""
|
|
|
483b06 |
- perform kinit to obtain anonymous ticket to be used as armor for FAST.
|
|
|
483b06 |
+ perform anonymous pkinit to obtain anonymous ticket to be used as armor
|
|
|
483b06 |
+ for FAST.
|
|
|
483b06 |
+
|
|
|
483b06 |
+ :param ccache_name: location of the armor ccache
|
|
|
483b06 |
+ :param pkinit_anchor: if not None, the location of PKINIT anchor file to
|
|
|
483b06 |
+ use. Otherwise the value from Kerberos client library configuration is
|
|
|
483b06 |
+ used
|
|
|
483b06 |
+
|
|
|
483b06 |
+ :raises: CalledProcessError if the anonymous PKINIT fails
|
|
|
483b06 |
"""
|
|
|
483b06 |
root_logger.debug("Initializing anonymous ccache")
|
|
|
483b06 |
|
|
|
483b06 |
env = {'LC_ALL': 'C'}
|
|
|
483b06 |
- # try with the keytab first and then again fallback to try with pkinit in
|
|
|
483b06 |
- # case someone decided it is fun to remove Anonymous keys from the entry
|
|
|
483b06 |
- # or in future pkinit enabled principal enforce the use of pkinit
|
|
|
483b06 |
- try:
|
|
|
483b06 |
- # Gssapi does not understand anonymous cred use kinit command instead
|
|
|
483b06 |
- args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB,
|
|
|
483b06 |
- ANON_USER, '-c', ccache_name]
|
|
|
483b06 |
- run(args, env=env, raiseonerr=True, capture_error=True)
|
|
|
483b06 |
- return
|
|
|
483b06 |
- except Exception as e:
|
|
|
483b06 |
- root_logger.debug("Failed to init Anonymous keytab: %s", e,
|
|
|
483b06 |
- exc_info=True)
|
|
|
483b06 |
-
|
|
|
483b06 |
- root_logger.debug("Fallback to slower Anonymous PKINIT")
|
|
|
483b06 |
args = [paths.KINIT, '-n', '-c', ccache_name]
|
|
|
483b06 |
|
|
|
483b06 |
+ if pkinit_anchor is not None:
|
|
|
483b06 |
+ args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])
|
|
|
483b06 |
+
|
|
|
483b06 |
# this workaround enables us to capture stderr and put it
|
|
|
483b06 |
# into the raised exception in case of unsuccessful authentication
|
|
|
483b06 |
run(args, env=env, raiseonerr=True, capture_error=True)
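Review bot: The new `pkinit_anchor` value is spliced straight into `'X509_anchors=FILE:{}'.format(pkinit_anchor)` with no check that the path exists, so a typo or a missing CA file only surfaces as kinit's stderr text wrapped in the CalledProcessError; a guard before the `args.extend(...)` line, `if pkinit_anchor is not None and not os.path.isfile(pkinit_anchor): raise ValueError('PKINIT anchor file not found: {}'.format(pkinit_anchor))`, fails fast with an actionable message (I cannot see whether `os` is already imported above `import time`; add it if not). Because `run` receives a list there is no shell-quoting risk, but the anchors decide which KDC certificate anonymous PKINIT will accept, so whoever controls that file controls where the armor ticket comes from and, through the FAST armor key, can weaken the password exchange it protects; the docstring should say so, e.g. `Only pass an anchor path the caller trusts (root-owned, not user-writable): it defines which KDC certificate is accepted for the armor ticket.` If I recall correctly, MIT's `X509_anchors` syntax treats a comma as a separator between certificate and key files, so a path containing a comma would be misparsed — worth a comment if such paths are possible. kinit_armor appears to end with the `run()` call on the last line of the hunk, though the file continues past it.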
--
2.12.2