From 15da0d16e99f5c6956f1ed687cc3cffdade83cb5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 31 Mar 2017 14:14:11 +0200
Subject: [PATCH] Use only anonymous PKINIT to fetch armor ccache
Since the anonymous principal can only use PKINIT to fetch credential
cache, it makes no sense to try to use its Kerberos key to establish
FAST channel.
We should also be able to use custom PKINIT anchor for the armoring.
https://pagure.io/freeipa/issue/6830
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 ipalib/install/kinit.py | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 1e4d1a82fdefe968db13c3847b9b37b3b3f75d6f..fb6caee4d6b5fef27b53753b21ad83572da31ac4 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -7,7 +7,6 @@ import time
 
 import gssapi
 
-from ipalib.constants import ANON_USER
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import run
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None,
         raise RuntimeError(result.error_output)
 
 
-def kinit_armor(ccache_name):
+def kinit_armor(ccache_name, pkinit_anchor=None):
     """
-    perform kinit to obtain anonymous ticket to be used as armor for FAST.
+    perform anonymous pkinit to obtain anonymous ticket to be used as armor
+    for FAST.
+
+    :param ccache_name: location of the armor ccache
+    :param pkinit_anchor: if not None, the location of PKINIT anchor file to
+        use. Otherwise the value from Kerberos client library configuration is
+        used
+
+    :raises: CalledProcessError if the anonymous PKINIT fails
     """
     root_logger.debug("Initializing anonymous ccache")
 
     env = {'LC_ALL': 'C'}
-    # try with the keytab first and then again fallback to try with pkinit in
-    # case someone decided it is fun to remove Anonymous keys from the entry
-    # or in future pkinit enabled principal enforce the use of pkinit
-    try:
-        # Gssapi does not understand anonymous cred use kinit command instead
-        args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB,
-                ANON_USER, '-c', ccache_name]
-        run(args, env=env, raiseonerr=True, capture_error=True)
-        return
-    except Exception as e:
-        root_logger.debug("Failed to init Anonymous keytab: %s", e,
-                          exc_info=True)
-
-    root_logger.debug("Fallback to slower Anonymous PKINIT")
     args = [paths.KINIT, '-n', '-c', ccache_name]
 
+    if pkinit_anchor is not None:
+        args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])
+
     # this workaround enables us to capture stderr and put it
     # into the raised exception in case of unsuccessful authentication
     run(args, env=env, raiseonerr=True, capture_error=True)
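Review bot: The new `:param pkinit_anchor:` text says where the file comes from but not what it controls: the `-X X509_anchors=FILE:...` argument built at the `args.extend` line selects the CA certificates the KDC's PKINIT certificate is validated against, so passing the wrong file weakens or breaks the armor exchange rather than merely failing. I would extend the parameter description with `Must hold the CA certificate(s) trusted to sign the KDC certificate; whether it replaces or supplements the pkinit_anchors configured in krb5.conf depends on the kinit in use — confirm before relying on it.` Separately, the documented `:raises: CalledProcessError` diverges from kinit_password just above, which converts the same kind of failure into `raise RuntimeError(result.error_output)`; a caller catching one will miss the other, so either state the difference in the docstring or normalise the two. kinit_armor's body may continue past the hunk's last line, which is not visible here.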
-- 
2.12.2