From 749169930ad76a709d2b056c17edcfc9faa48585 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 31 2020 09:36:23 +0000
Subject: import krb5-1.15.1-46.el7
---
diff --git a/SOURCES/Add-German-translation.patch b/SOURCES/Add-German-translation.patch
index 2b385ac..98c6404 100644
--- a/SOURCES/Add-German-translation.patch
+++ b/SOURCES/Add-German-translation.patch
@@ -1,4 +1,4 @@
-From b02f2560d4610b11738687a23a848b422a9e4083 Mon Sep 17 00:00:00 2001
+From eb32be474036aa25a14aca5f457d09ce1f2804ec Mon Sep 17 00:00:00 2001
 From: Chris Leick
 Date: Wed, 6 Apr 2016 18:14:40 -0400
 Subject: [PATCH] Add German translation
diff --git a/SOURCES/Add-KDC-policy-pluggable-interface.patch b/SOURCES/Add-KDC-policy-pluggable-interface.patch
index 935d588..58f6db8 100644
--- a/SOURCES/Add-KDC-policy-pluggable-interface.patch
+++ b/SOURCES/Add-KDC-policy-pluggable-interface.patch
@@ -1,4 +1,4 @@
-From f12b57979012f93b339982ba335093d7c0d364f7 Mon Sep 17 00:00:00 2001
+From 7ed63b6bdeff7b94775432415682051eca479071 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 27 Jun 2017 17:15:39 -0400
 Subject: [PATCH] Add KDC policy pluggable interface
diff --git a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
index a931833..74af7bd 100644
--- a/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
+++ b/SOURCES/Add-PKINIT-UPN-tests-to-t_pkinit.py.patch
@@ -1,4 +1,4 @@
-From f726fe232a16a51ca277b660c61aa9cfc2f512f1 Mon Sep 17 00:00:00 2001
+From aaa3ceb3c9fa8ff206edcd6d66659c5e69e4811d Mon Sep 17 00:00:00 2001
 From: Matt Rogers
 Date: Fri, 9 Dec 2016 11:43:27 -0500
 Subject: [PATCH] Add PKINIT UPN tests to t_pkinit.py
diff --git a/SOURCES/Add-PKINIT-test-case-for-generic-client-cert.patch b/SOURCES/Add-PKINIT-test-case-for-generic-client-cert.patch
new file mode 100644
index 0000000..7b6928e
--- /dev/null
+++ b/SOURCES/Add-PKINIT-test-case-for-generic-client-cert.patch
@@ -0,0 +1,50 @@ +From 5d072bc7e890e18903a18d22ecda7662db1d603e Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Fri, 25 Aug 2017 12:39:14 -0400 +Subject: [PATCH] Add PKINIT test case for generic client cert + +In t_pkinit.py, add a test case where a client cert with no extensions +is authorized via subject and issuer using a pkinit_cert_match string +attribute. + +ticket: 8562 +(cherry picked from commit 8c5d50888aab554239fd51306e79c5213833c898) +--- + src/tests/t_pkinit.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 5a0624de7..22ab81743 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -26,6 +26,7 @@ user_enc_p12 = os.path.join(certs, 'user-enc.p12') + user_upn_p12 = os.path.join(certs, 'user-upn.p12') + user_upn2_p12 = os.path.join(certs, 'user-upn2.p12') + user_upn3_p12 = os.path.join(certs, 'user-upn3.p12') ++generic_p12 = os.path.join(certs, 'generic.p12') + path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs') + path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc') + +@@ -65,6 +66,7 @@ p12_identity = 'PKCS12:%s' % user_p12 + p12_upn_identity = 'PKCS12:%s' % user_upn_p12 + p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12 + p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12 ++p12_generic_identity = 'PKCS12:%s' % generic_p12 + p12_enc_identity = 'PKCS12:%s' % user_enc_p12 + p11_identity = 'PKCS11:soft-pkcs11.so' + p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:' +@@ -342,6 +344,14 @@ realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_identity], + expected_code=1, expected_msg=msg) + ++# Authorize a client cert with no PKINIT extensions using subject and ++# issuer. (Relies on EKU checking being turned off.) 
++rule = '&&CN=user$O=MIT,' ++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % p12_generic_identity]) ++realm.klist(realm.user_princ) ++ + if not have_soft_pkcs11: + skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found') + diff --git a/SOURCES/Add-a-hash-table-implementation-to-libkrb5support.patch b/SOURCES/Add-a-hash-table-implementation-to-libkrb5support.patch index 21ce64d..9e188fd 100644 --- a/SOURCES/Add-a-hash-table-implementation-to-libkrb5support.patch +++ b/SOURCES/Add-a-hash-table-implementation-to-libkrb5support.patch @@ -1,4 +1,4 @@ -From b3f5d3b0542ae314acfb94e1bc5a8f22201b8ac3 Mon Sep 17 00:00:00 2001 +From 4250a33a40c14325fb6076cded8e88b5a717ed13 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sat, 4 Aug 2018 20:11:09 -0400 Subject: [PATCH] Add a hash table implementation to libkrb5support diff --git a/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch b/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch index a2a3c45..a6c9a83 100644 --- a/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch +++ b/SOURCES/Add-k5_dir_filenames-to-libkrb5support.patch @@ -1,4 +1,4 @@ -From 3c73ffd2ae4237e449808768d76b2869f8dffe8f Mon Sep 17 00:00:00 2001 +From a3f548a88d0bbf16ccc60843fb72e02e32a765f3 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Tue, 5 Jun 2018 14:01:05 -0400 Subject: [PATCH] Add k5_dir_filenames() to libkrb5support diff --git a/SOURCES/Add-k5test-expected_msg-expected_trace.patch b/SOURCES/Add-k5test-expected_msg-expected_trace.patch index 8a0dd37..0ac868b 100644 --- a/SOURCES/Add-k5test-expected_msg-expected_trace.patch +++ b/SOURCES/Add-k5test-expected_msg-expected_trace.patch @@ -1,4 +1,4 @@ -From c099e896f28d8c5ccacc9df086a8f4297c6b484e Mon Sep 17 00:00:00 2001 +From 6ad27ff3bde8911a6f873269a61924937d45cd8c Mon Sep 17 00:00:00 2001 
From: Greg Hudson
 Date: Tue, 17 Jan 2017 11:24:41 -0500
 Subject: [PATCH] Add k5test expected_msg, expected_trace
diff --git a/SOURCES/Add-libkrb5support-hex-functions-and-tests.patch b/SOURCES/Add-libkrb5support-hex-functions-and-tests.patch
index becd51e..0ab3952 100644
--- a/SOURCES/Add-libkrb5support-hex-functions-and-tests.patch
+++ b/SOURCES/Add-libkrb5support-hex-functions-and-tests.patch
@@ -1,4 +1,4 @@
-From 868cbb573b512eac4561046fe7540c37406637fb Mon Sep 17 00:00:00 2001
+From 795c3972220e97bf7bb6557a424c9d246132ac84 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Mon, 19 Feb 2018 00:51:44 -0500
 Subject: [PATCH] Add libkrb5support hex functions and tests
diff --git a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch
index 24ecda3..28d8a50 100644
--- a/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch
+++ b/SOURCES/Add-support-to-query-the-SSF-of-a-GSS-context.patch
@@ -1,4 +1,4 @@
-From 1f7d42707585e552842455857070fff8957fcb7c Mon Sep 17 00:00:00 2001
+From 0bcadcebe22566a3bebd95974603b6b6593a4119 Mon Sep 17 00:00:00 2001
 From: Simo Sorce
 Date: Thu, 30 Mar 2017 11:27:09 -0400
 Subject: [PATCH] Add support to query the SSF of a GSS context
diff --git a/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch b/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch
index 047f011..51d5ee1 100644
--- a/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch
+++ b/SOURCES/Add-test-case-for-PKINIT-DH-renegotiation.patch
@@ -1,4 +1,4 @@
-From c88c2328ed284996a61281ae84dddbdff044e1d5 Mon Sep 17 00:00:00 2001
+From d65bcba04f0051ac3ad74be7415da85b1c80a0ad Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 11 Jan 2017 10:49:30 -0500
 Subject: [PATCH] Add test case for PKINIT DH renegotiation
diff --git a/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch b/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch
index f2c1740..8002723 100644
--- a/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch
+++ b/SOURCES/Add-test-cases-for-preauth-fallback-behavior.patch
@@ -1,4 +1,4 @@
-From 6909a4e3aa5c41cfd896b91cc8f9560481dddfd1 Mon Sep 17 00:00:00 2001
+From e1448b09ac4e94ff8e66a7cf0315841c38c48c37 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Fri, 20 Jan 2017 12:44:12 -0500
 Subject: [PATCH] Add test cases for preauth fallback behavior
diff --git a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch
index f2b1fa8..c44a755 100644
--- a/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch
+++ b/SOURCES/Add-test-cert-generation-to-make-certs.sh.patch
@@ -1,4 +1,4 @@
-From fd8ce9e1ed7a8d6cf5ac7d27d6acf40b0453c45e Mon Sep 17 00:00:00 2001
+From c1bda7ba15f8dcf04b6ca24d9f1c7bcf842e4feb Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 5 Sep 2017 15:54:31 -0400
 Subject: [PATCH] Add test cert generation to make-certs.sh
diff --git a/SOURCES/Add-test-cert-with-no-extensions.patch b/SOURCES/Add-test-cert-with-no-extensions.patch
index da6f8cb..5c5e361 100644
--- a/SOURCES/Add-test-cert-with-no-extensions.patch
+++ b/SOURCES/Add-test-cert-with-no-extensions.patch
@@ -1,4 +1,4 @@
-From dd189f46b9e43392b842c4309c95dc7e71963261 Mon Sep 17 00:00:00 2001
+From 728d567d1c7445e89edad046d8aac5344143d51d Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 5 Oct 2017 12:54:13 -0400
 Subject: [PATCH] Add test cert with no extensions
diff --git a/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch b/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch
index 03d3b3e..dc9ca95 100644
--- a/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch
+++ b/SOURCES/Add-tests-for-per-request-preauth-data-scoping.patch
@@ -1,4 +1,4 @@
-From 996c0089cf2e3240e1b331555897e5bf83b023e7 Mon Sep 17 00:00:00 2001
+From 2d8f53212aec704a60e0a96327d8cfd999306ceb Mon Sep 17 00:00:00 2001
From: Greg Hudson
 Date: Wed, 4 Jan 2017 18:31:15 -0500
 Subject: [PATCH] Add tests for per-request preauth data scoping
diff --git a/SOURCES/Add-the-certauth-dbmatch-module.patch b/SOURCES/Add-the-certauth-dbmatch-module.patch
new file mode 100644
index 0000000..e14b029
--- /dev/null
+++ b/SOURCES/Add-the-certauth-dbmatch-module.patch
@@ -0,0 +1,316 @@ +From fab1e4f8553dcf8a573c41bb8ea93912a622aae0 Mon Sep 17 00:00:00 2001 +From: Matt Rogers +Date: Wed, 15 Mar 2017 19:57:15 -0400 +Subject: [PATCH] Add the certauth dbmatch module + +Add and enable the "dbmatch" builtin module. Add the +pkinit_client_cert_match() and crypto_req_cert_matching_data() helper +functions. Add dbmatch tests to t_pkinit.py. Add documentation to +krb5_conf.rst, pkinit.rst, and kadmin_local.rst. + +[ghudson@mit.edu: simplified code, edited docs] + +ticket: 8562 (new) +(cherry picked from commit 89634ca049e698d7dd2554f5c49bfc499be96188) +--- + doc/admin/admin_commands/kadmin_local.rst | 7 +++ + doc/admin/conf_files/krb5_conf.rst | 5 ++ + doc/admin/pkinit.rst | 20 +++++++ + src/plugins/preauth/pkinit/pkinit.h | 7 +++ + src/plugins/preauth/pkinit/pkinit_crypto.h | 6 ++ + .../preauth/pkinit/pkinit_crypto_openssl.c | 18 ++++++ + src/plugins/preauth/pkinit/pkinit_matching.c | 37 +++++++++++++ + src/plugins/preauth/pkinit/pkinit_srv.c | 55 +++++++++++++++++++ + src/tests/t_pkinit.py | 37 +++++++++++++ + 9 files changed, 192 insertions(+) + +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 0e955faf2..cefe6054b 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -661,6 +661,13 @@ KDC: + *principal*. The *value* is a JSON string representing an array + of objects, each having optional ``type`` and ``username`` fields. + ++**pkinit_cert_match** ++ Specifies a matching expression that defines the certificate ++ attributes required for the client certificate used by the ++ principal during PKINIT authentication. The matching expression ++ is in the same format as those used by the **pkinit_cert_match** ++ option in :ref:`krb5.conf(5)`. (New in release 1.16.) ++ + This command requires the **modify** privilege. 
+ + Alias: **setstr** +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index cc996f11a..d428124c9 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -883,6 +883,11 @@ following built-in modules exist for this interface: + Extended Key Usage attribute consistent with the + **pkinit_eku_checking** value for the realm. + ++**dbmatch** ++ This module authorizes or rejects the certificate according to ++ whether it matches the **pkinit_cert_match** string attribute on ++ the client principal, if that attribute is present. ++ + + PKINIT options + -------------- +diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst +index 460d75d1e..c601c5c9e 100644 +--- a/doc/admin/pkinit.rst ++++ b/doc/admin/pkinit.rst +@@ -223,6 +223,26 @@ time as follows:: + + kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' + ++By default, the KDC requires PKINIT client certificates to have the ++standard Extended Key Usage and Subject Alternative Name attributes ++for PKINIT. Starting in release 1.16, it is possible to authorize ++client certificates based on the subject or other criteria instead of ++the standard PKINIT Subject Alternative Name, by setting the ++**pkinit_cert_match** string attribute on each client principal entry. ++For example:: ++ ++ kadmin set_string user@REALM pkinit_cert_match "CN=user@REALM$" ++ ++The **pkinit_cert_match** string attribute follows the syntax used by ++the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. 
To allow the ++use of non-PKINIT client certificates, it will also be necessary to ++disable key usage checking using the **pkinit_eku_checking** relation; ++for example:: ++ ++ [kdcdefaults] ++ pkinit_eku_checking = none ++ ++ + + Configuring the clients + ----------------------- +diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h +index a49f3078e..430b3f334 100644 +--- a/src/plugins/preauth/pkinit/pkinit.h ++++ b/src/plugins/preauth/pkinit/pkinit.h +@@ -292,6 +292,13 @@ krb5_error_code pkinit_cert_matching + pkinit_identity_crypto_context id_cryptoctx, + krb5_principal princ); + ++krb5_error_code pkinit_client_cert_match ++ (krb5_context context, ++ pkinit_plg_crypto_context plgctx, ++ pkinit_req_crypto_context reqctx, ++ const char *match_rule, ++ krb5_boolean *matched); ++ + /* + * Client's list of identities for which it needs PINs or passwords + */ +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h +index b6e4e0ac3..149923b1d 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto.h ++++ b/src/plugins/preauth/pkinit/pkinit_crypto.h +@@ -637,4 +637,10 @@ krb5_error_code + crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, + uint8_t **der_out, size_t *der_len); + ++krb5_error_code ++crypto_req_cert_matching_data(krb5_context context, ++ pkinit_plg_crypto_context plgctx, ++ pkinit_req_crypto_context reqctx, ++ pkinit_cert_matching_data **md_out); ++ + #endif /* _PKINIT_CRYPTO_H */ +diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +index 3949eb9c2..534161b19 100644 +--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ++++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +@@ -6099,3 +6099,21 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, + *der_len = len; + return 0; + } ++ ++/* ++ * Get the certificate matching data from the request 
certificate. ++ */ ++krb5_error_code ++crypto_req_cert_matching_data(krb5_context context, ++ pkinit_plg_crypto_context plgctx, ++ pkinit_req_crypto_context reqctx, ++ pkinit_cert_matching_data **md_out) ++{ ++ *md_out = NULL; ++ ++ if (reqctx == NULL || reqctx->received_cert == NULL) ++ return ENOENT; ++ ++ return get_matching_data(context, plgctx, reqctx, reqctx->received_cert, ++ md_out); ++} +diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c +index d929fb3c0..c2a4c084d 100644 +--- a/src/plugins/preauth/pkinit/pkinit_matching.c ++++ b/src/plugins/preauth/pkinit/pkinit_matching.c +@@ -724,3 +724,40 @@ cleanup: + crypto_cert_free_matching_data_list(context, matchdata); + return retval; + } ++ ++krb5_error_code ++pkinit_client_cert_match(krb5_context context, ++ pkinit_plg_crypto_context plgctx, ++ pkinit_req_crypto_context reqctx, ++ const char *match_rule, ++ krb5_boolean *matched) ++{ ++ krb5_error_code ret; ++ pkinit_cert_matching_data *md = NULL; ++ rule_component *rc = NULL; ++ int comp_match = 0; ++ rule_set *rs = NULL; ++ ++ *matched = FALSE; ++ ret = parse_rule_set(context, match_rule, &rs); ++ if (ret) ++ goto cleanup; ++ ++ ret = crypto_req_cert_matching_data(context, plgctx, reqctx, &md); ++ if (ret) ++ goto cleanup; ++ ++ for (rc = rs->crs; rc != NULL; rc = rc->next) { ++ comp_match = component_match(context, rc, md); ++ if ((comp_match && rs->relation == relation_or) || ++ (!comp_match && rs->relation == relation_and)) { ++ break; ++ } ++ } ++ *matched = comp_match; ++ ++cleanup: ++ free_rule_set(context, rs); ++ crypto_cert_free_matching_data(context, md); ++ return ret; ++} +diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c +index 42ad45fe4..7d86e597e 100644 +--- a/src/plugins/preauth/pkinit/pkinit_srv.c ++++ b/src/plugins/preauth/pkinit/pkinit_srv.c +@@ -1537,6 +1537,56 @@ certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver, + 
return 0; + } + ++/* ++ * Do certificate auth based on a match expression in the pkinit_cert_match ++ * attribute string. An expression should be in the same form as those used ++ * for the pkinit_cert_match configuration option. ++ */ ++static krb5_error_code ++dbmatch_authorize(krb5_context context, krb5_certauth_moddata moddata, ++ const uint8_t *cert, size_t cert_len, ++ krb5_const_principal princ, const void *opts, ++ const krb5_db_entry *db_entry, char ***authinds_out) ++{ ++ krb5_error_code ret; ++ const struct certauth_req_opts *req_opts = opts; ++ char *pattern; ++ krb5_boolean matched; ++ ++ *authinds_out = NULL; ++ ++ /* Fetch the matching pattern. Pass if it isn't specified. */ ++ ret = req_opts->cb->get_string(context, req_opts->rock, ++ "pkinit_cert_match", &pattern); ++ if (ret) ++ return ret; ++ if (pattern == NULL) ++ return KRB5_PLUGIN_NO_HANDLE; ++ ++ /* Check the certificate against the match expression. */ ++ ret = pkinit_client_cert_match(context, req_opts->plgctx->cryptoctx, ++ req_opts->reqctx->cryptoctx, pattern, ++ &matched); ++ req_opts->cb->free_string(context, req_opts->rock, pattern); ++ if (ret) ++ return ret; ++ return matched ? 
0 : KRB5KDC_ERR_CERTIFICATE_MISMATCH; ++} ++ ++static krb5_error_code ++certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver, ++ krb5_plugin_vtable vtable) ++{ ++ krb5_certauth_vtable vt; ++ ++ if (maj_ver != 1) ++ return KRB5_PLUGIN_VER_NOTSUPP; ++ vt = (krb5_certauth_vtable)vtable; ++ vt->name = "dbmatch"; ++ vt->authorize = dbmatch_authorize; ++ return 0; ++} ++ + static krb5_error_code + load_certauth_plugins(krb5_context context, certauth_handle **handle_out) + { +@@ -1556,6 +1606,11 @@ load_certauth_plugins(krb5_context context, certauth_handle **handle_out) + if (ret) + goto cleanup; + ++ ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH, "dbmatch", ++ certauth_dbmatch_initvt); ++ if (ret) ++ goto cleanup; ++ + ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules); + if (ret) + goto cleanup; +diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py +index 64ff2393a..5a0624de7 100755 +--- a/src/tests/t_pkinit.py ++++ b/src/tests/t_pkinit.py +@@ -305,6 +305,43 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity, + realm.klist(realm.user_princ) + realm.run([kvno, realm.host_princ]) + ++# Match a single rule. ++rule = '^user@KRBTEST.COM$' ++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % p12_identity]) ++realm.klist(realm.user_princ) ++ ++# Match a combined rule (default prefix is &&). ++rule = 'CN=user$digitalSignature,keyEncipherment' ++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % p12_identity]) ++realm.klist(realm.user_princ) ++ ++# Fail an && rule. 
++rule = '&&O=OTHER.COM^user@KRBTEST.COM$' ++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) ++msg = 'kinit: Certificate mismatch while getting initial credentials' ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % p12_identity], ++ expected_code=1, expected_msg=msg) ++ ++# Pass an || rule. ++rule = '||O=KRBTEST.COM^otheruser@KRBTEST.COM$' ++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % p12_identity]) ++realm.klist(realm.user_princ) ++ ++# Fail an || rule. ++rule = '||O=OTHER.COM^otheruser@KRBTEST.COM$' ++realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) ++msg = 'kinit: Certificate mismatch while getting initial credentials' ++realm.kinit(realm.user_princ, ++ flags=['-X', 'X509_user_identity=%s' % p12_identity], ++ expected_code=1, expected_msg=msg) ++ + if not have_soft_pkcs11: + skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found') + diff --git a/SOURCES/Add-the-client_name-kdcpreauth-callback.patch b/SOURCES/Add-the-client_name-kdcpreauth-callback.patch index 9d53313..d9f3412 100644 --- a/SOURCES/Add-the-client_name-kdcpreauth-callback.patch +++ b/SOURCES/Add-the-client_name-kdcpreauth-callback.patch @@ -1,4 +1,4 @@ -From aa153bb60c4fdc05adbc88cca578612fce6c8ce0 Mon Sep 17 00:00:00 2001 +From 810e831592eeed8422197d9c8de237552645412f Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Tue, 4 Apr 2017 16:54:56 -0400 Subject: [PATCH] Add the client_name() kdcpreauth callback diff --git a/SOURCES/Add-timestamp-helper-functions.patch b/SOURCES/Add-timestamp-helper-functions.patch index 5993793..6cf4fa8 100644 --- a/SOURCES/Add-timestamp-helper-functions.patch +++ b/SOURCES/Add-timestamp-helper-functions.patch @@ -1,4 +1,4 @@ -From 6437685130b68670888db1d0551f5464d56c4cec Mon Sep 17 00:00:00 2001 +From 7beabe5cf16644dd0857a5e65fc43470e8b5d852 Mon Sep 17 00:00:00 2001 
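Review bot: The pkinit.rst section of the added patch tells administrators to set `pkinit_eku_checking = none` under `[kdcdefaults]` so that non-PKINIT certificates can be authorized by pkinit_cert_match, but it does not say that this relaxation is realm-wide while the new dbmatch module only constrains principals that carry the attribute (`if (pattern == NULL) return KRB5_PLUGIN_NO_HANDLE;` in dbmatch_authorize). A principal without the attribute is then presumably checked only by the remaining certauth modules, with key usage checking already disabled for it. I would add after the `pkinit_eku_checking = none` example: `Note that disabling key usage checking applies to every principal in the realm; set a pkinit_cert_match attribute on each principal that uses PKINIT so that the dbmatch module constrains all of them.` The same caveat fits the **dbmatch** entry added to krb5_conf.rst in this hunk.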
From: Greg Hudson
 Date: Sat, 22 Apr 2017 09:49:12 -0400
 Subject: [PATCH] Add timestamp helper functions
diff --git a/SOURCES/Add-timestamp-tests.patch b/SOURCES/Add-timestamp-tests.patch
index a203d59..704fed1 100644
--- a/SOURCES/Add-timestamp-tests.patch
+++ b/SOURCES/Add-timestamp-tests.patch
@@ -1,4 +1,4 @@
-From 47999bb8735f653f06e0eb46e7eced600210b9da Mon Sep 17 00:00:00 2001
+From 88c93d33d66abe9811e478fd678ff2e5f38a29aa Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 29 Apr 2017 17:30:36 -0400
 Subject: [PATCH] Add timestamp tests
diff --git a/SOURCES/Add-vector-support-to-k5_sha256.patch b/SOURCES/Add-vector-support-to-k5_sha256.patch
index 9591995..63438d3 100644
--- a/SOURCES/Add-vector-support-to-k5_sha256.patch
+++ b/SOURCES/Add-vector-support-to-k5_sha256.patch
@@ -1,4 +1,4 @@
-From c886bef63a4820d12fbc956f62747840fba8a88e Mon Sep 17 00:00:00 2001
+From d8620f016248a9ee1fbb93aa773eb3952b99fd3d Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 3 Feb 2018 20:53:42 -0500
 Subject: [PATCH] Add vector support to k5_sha256()
diff --git a/SOURCES/Add-y2038-documentation.patch b/SOURCES/Add-y2038-documentation.patch
index fedd583..a7fcce8 100644
--- a/SOURCES/Add-y2038-documentation.patch
+++ b/SOURCES/Add-y2038-documentation.patch
@@ -1,4 +1,4 @@
-From f9702eabc568679f48ea5d0bc7be073582cc52ad Mon Sep 17 00:00:00 2001
+From 087bd1bdff17025af6e5189898209035ec8d75da Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 4 May 2017 17:03:35 -0400
 Subject: [PATCH] Add y2038 documentation
diff --git a/SOURCES/Address-some-optimized-out-memset-calls.patch b/SOURCES/Address-some-optimized-out-memset-calls.patch
new file mode 100644
index 0000000..2c5ddd6
--- /dev/null
+++ b/SOURCES/Address-some-optimized-out-memset-calls.patch
@@ -0,0 +1,96 @@ +From 05dc6552ea0e8f0002d21ca36d7ff47d4c088bd7 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Sun, 30 Dec 2018 16:40:28 -0500 +Subject: [PATCH] Address some optimized-out memset() calls + +Ilja Van Sprundel reported a list of memset() calls which gcc +optimizes out. In krb_auth_su.c, use zap() to clear the password, and +remove two memset() calls when there is no password to clear. In +iakerb.c, remove an unnecessary memset() before setting the only two +fields of the IAKERB header structure. In svr_principal.c, use +krb5_free_key_keyblock_contents() instead of hand-freeing key data. +In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack +shell before returning. + +(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997) +(cherry picked from commit 1dfff7202448a950c9133cdfe43d650092d930fd) +(cherry picked from commit 54348bbfaec50bb72d1625c015f8e5c4cfa59e0d) +--- + src/clients/ksu/krb_auth_su.c | 4 +--- + src/lib/gssapi/krb5/iakerb.c | 1 - + src/lib/kadm5/srv/svr_principal.c | 10 ++-------- + src/lib/krb5/asn.1/asn1_k_encode.c | 1 - + 4 files changed, 3 insertions(+), 13 deletions(-) + +diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c +index 7af48195c..e39685fff 100644 +--- a/src/clients/ksu/krb_auth_su.c ++++ b/src/clients/ksu/krb_auth_su.c +@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password, + if (code ) { + com_err(prog_name, code, _("while reading password for '%s'\n"), + client_name); +- memset(password, 0, sizeof(password)); + return (FALSE); + } + + if ( pwsize == 0) { + fprintf(stderr, _("No password given\n")); + *zero_password = TRUE; +- memset(password, 0, sizeof(password)); + return (FALSE); + } + + code = krb5_get_init_creds_password(context, &creds, client, password, + krb5_prompter_posix, NULL, 0, NULL, + options); +- memset(password, 0, sizeof(password)); ++ zap(password, sizeof(password)); + + + if (code) { +diff --git 
a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c +index bb1072fe4..47c161ec9 100644 +--- a/src/lib/gssapi/krb5/iakerb.c ++++ b/src/lib/gssapi/krb5/iakerb.c +@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx, + /* + * Assemble the IAKERB-HEADER from the realm and cookie + */ +- memset(&iah, 0, sizeof(iah)); + iah.target_realm = *realm; + iah.cookie = cookie; + +diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c +index 64a4a2e97..73733d371 100644 +--- a/src/lib/kadm5/srv/svr_principal.c ++++ b/src/lib/kadm5/srv/svr_principal.c +@@ -2141,14 +2141,8 @@ static int decrypt_key_data(krb5_context context, + ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i], + NULL); + if (ret) { +- for (; i >= 0; i--) { +- if (keys[i].contents) { +- memset (keys[i].contents, 0, keys[i].length); +- free( keys[i].contents ); +- } +- } +- +- memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); ++ for (; i >= 0; i--) ++ krb5_free_keyblock_contents(context, &keys[i]); + free(keys); + return ret; + } +diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c +index 889460989..c4f9aacdf 100644 +--- a/src/lib/krb5/asn.1/asn1_k_encode.c ++++ b/src/lib/krb5/asn.1/asn1_k_encode.c +@@ -532,7 +532,6 @@ decode_kdc_req_body(const taginfo *t, const unsigned char *asn1, size_t len, + if (ret) { + free_kdc_req_body(b); + free(h.server_realm.data); +- memset(&h, 0, sizeof(h)); + return ret; + } + b->server->realm = h.server_realm; diff --git a/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch b/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch index d6e3297..4b787e1 100644 --- a/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch +++ b/SOURCES/Adjust-processing-of-pa_type-ccache-config.patch @@ -1,4 +1,4 @@ -From 5c71088657f56a26f367aeebe905df51b38be434 Mon Sep 17 00:00:00 2001 +From bfeb18163ba1364d37c9179bcf5e9c042c268a8b Mon Sep 17 00:00:00 2001 
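Review bot: In the iakerb.c part of the added patch, dropping `memset(&iah, 0, sizeof(iah))` is only safe while target_realm and cookie remain the only members of the IAKERB header struct; the commit message states that, but nothing in the code now records it, so a later member addition would be encoded uninitialized. I would put a comment where the memset was, `/* Every member of iah is assigned below; initialize any new member here. */`. The krb_auth_su.c part likewise relies on krb5_read_password leaving nothing in `password` on the error and zero-length paths, which is presumably true but deserves a one-line comment at the first early return rather than being implicit. The inner hunks cut both enclosing functions, so their full bodies are not visible here.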
From: Greg Hudson
 Date: Fri, 13 Jan 2017 10:14:36 -0500
 Subject: [PATCH] Adjust processing of pa_type ccache config
diff --git a/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch b/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch
index 41206f7..d9e5c5f 100644
--- a/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch
+++ b/SOURCES/Allow-clock-skew-in-krb5-gss_context_time.patch
@@ -1,4 +1,4 @@
-From 498b43b1a58795773834c1c5bb2b61dd801b9a03 Mon Sep 17 00:00:00 2001
+From 527fafc0e0abf90c1bb3d66c31ea92a96e095f08 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 22 Apr 2017 16:51:23 -0400
 Subject: [PATCH] Allow clock skew in krb5 gss_context_time()
diff --git a/SOURCES/Bring-back-general-kerberos-man-page.patch b/SOURCES/Bring-back-general-kerberos-man-page.patch
new file mode 100644
index 0000000..dcfe5e9
--- /dev/null
+++ b/SOURCES/Bring-back-general-kerberos-man-page.patch
@@ -0,0 +1,468 @@
+From df8c8cc7cd18fa94c920c4763545b6fd93a21fcd Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 9 Oct 2018 17:05:10 -0400
+Subject: [PATCH] Bring back general kerberos man page
+
+Restore the content of kerberos(1) as it stood in
+0f81e372a2830c9170f6e08dfa956841d0ebdfb1. Convert to ReST to match
+the other man pages, and install it as the more appropriate
+kerberos(7).
+
+Build kerberos(7) and check it in to avoid breaking the build.
+
+ticket: 8755 (new)
+tags: pullup
+target_version: 1.16-next
+
+(cherry picked from commit c38197ee9808503f86ccffd4a2bd94389e17df0b)
+---
+ doc/conf.py | 1 +
+ doc/user/user_config/index.rst | 1 +
+ doc/user/user_config/kerberos.rst | 148 ++++++++++++++++++++++++
+ src/Makefile.in | 4 +-
+ src/config/pre.in | 2 +
+ src/man/Makefile.in | 14 ++-
+ src/man/kerberos.man | 180 ++++++++++++++++++++++++++++++
+ 7 files changed, 345 insertions(+), 5 deletions(-)
+ create mode 100644 doc/user/user_config/kerberos.rst
+ create mode 100644 src/man/kerberos.man
+
+diff --git a/doc/conf.py b/doc/conf.py
+index 3ee2df630..68dad781f 100644
+--- a/doc/conf.py
++++ b/doc/conf.py
+@@ -292,6 +292,7 @@ man_pages = [
+ ('user/user_commands/krb5-config', 'krb5-config', u'tool for linking against MIT Kerberos libraries', [u'MIT'], 1),
+ ('user/user_config/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5),
+ ('user/user_config/k5identity', 'k5identity', u'Kerberos V5 client principal selection rules', [u'MIT'], 5),
++ ('user/user_config/kerberos', 'kerberos', u'Overview of using Kerberos', [u'MIT'], 7),
+ ('admin/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8),
+ ('admin/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1),
+ ('admin/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a slave server', [u'MIT'], 8),
+diff --git a/doc/user/user_config/index.rst b/doc/user/user_config/index.rst
+index
6b3d4393b..ad0dc1a72 100644
+--- a/doc/user/user_config/index.rst
++++ b/doc/user/user_config/index.rst
+@@ -8,5 +8,6 @@ been disabled by your host's configuration):
+ .. toctree::
+ :maxdepth: 1
+
++ kerberos.rst
+ k5login.rst
+ k5identity.rst
+diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst
+new file mode 100644
+index 000000000..6c4453b3b
+--- /dev/null
++++ b/doc/user/user_config/kerberos.rst
+@@ -0,0 +1,148 @@
++.. _kerberos(7):
++
++kerberos
++========
++
++DESCRIPTION
++-----------
++
++The Kerberos system authenticates individual users in a network
++environment. After authenticating yourself to Kerberos, you can use
++Kerberos-enabled programs without having to present passwords.
++
++If you enter your username and :ref:`kinit(1)` responds with this
++message:
++
++kinit(v5): Client not found in Kerberos database while getting initial
++credentials
++
++you haven't been registered as a Kerberos user. See your system
++administrator.
++
++A Kerberos name usually contains three parts. The first is the
++**primary**, which is usually a user's or service's name. The second
++is the **instance**, which in the case of a user is usually null.
++Some users may have privileged instances, however, such as ``root`` or
++``admin``. In the case of a service, the instance is the fully
++qualified name of the machine on which it runs; i.e. there can be an
++rlogin service running on the machine ABC, which is different from the
++rlogin service running on the machine XYZ. The third part of a
++Kerberos name is the **realm**. The realm corresponds to the Kerberos
++service providing authentication for the principal.
++
++When writing a Kerberos name, the principal name is separated from the
++instance (if not null) by a slash, and the realm (if not the local
++realm) follows, preceded by an "@" sign.
The following are examples
++of valid Kerberos names::
++
++ david
++ jennifer/admin
++ joeuser@BLEEP.COM
++ cbrown/root@FUBAR.ORG
++
++When you authenticate yourself with Kerberos you get an initial
++Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol
++message that provides authentication.) Kerberos uses this ticket for
++network utilities such as rlogin and rcp. The ticket transactions are
++done transparently, so you don't have to worry about their management.
++
++Note, however, that tickets expire. Privileged tickets, such as those
++with the instance ``root``, expire in a few minutes, while tickets
++that carry more ordinary privileges may be good for several hours or a
++day, depending on the installation's policy. If your login session
++extends beyond the time limit, you will have to re-authenticate
++yourself to Kerberos to get new tickets. Use the :ref:`kinit(1)`
++command to re-authenticate yourself.
++
++If you use the kinit command to get your tickets, make sure you use
++the kdestroy command to destroy your tickets before you end your login
++session. You should put the kdestroy command in your ``.logout`` file
++so that your tickets will be destroyed automatically when you logout.
++For more information about the kinit and kdestroy commands, see the
++:ref:`kinit(1)` and :ref:`kdestroy(1)` manual pages.
++
++Kerberos tickets can be forwarded. In order to forward tickets, you
++must request **forwardable** tickets when you kinit. Once you have
++forwardable tickets, most Kerberos programs have a command line option
++to forward them to the remote host.
++
++ENVIRONMENT VARIABLES
++---------------------
++
++Several environment variables affect the operation of Kerberos-enabled
++programs. These inclide:
++
++**KRB5CCNAME**
++ Specifies the location of the credential cache, in the form
++ *TYPE*:*residual*. If no *type* prefix is present, the **FILE**
++ type is assumed and *residual* is the pathname of the cache file.
++ A collection of multiple caches may be used by specifying the
++ **dir** type and the pathname of a private directory (which must
++ already exist). The default cache file is /tmp/krb5cc_*uid*,
++ where *uid* is the decimal user ID of the user.
++
++**KRB5_KTNAME**
++ Specifies the location of the keytab file, in the form
++ *TYPE*:*residual*. If no *type* is present, the **FILE** type is
++ assumed and *residual* is the pathname of the keytab file. The
++ default keytab file is ``/etc/krb5.keytab``.
++
++**KRB5_CONFIG**
++ Specifies the location of the Kerberos configuration file. The
++ default is ``/etc/krb5.conf``.
++
++**KRB5_KDC_PROFILE**
++ Specifies the location of the KDC configuration file, which
++ contains additional configuration directives for the Key
++ Distribution Center daemon and associated programs. The default
++ is ``/usr/local/var/krb5kdc/kdc.conf``.
++
++**KRB5RCACHETYPE**
++ Specifies the default type of replay cache to use for servers.
++ Valid types include **dfl** for the normal file type and **none**
++ for no replay cache.
++
++**KRB5RCACHEDIR**
++ Specifies the default directory for replay caches used by servers.
++ The default is the value of the **TMPDIR** environment variable,
++ or ``/var/tmp`` if **TMPDIR** is not set.
++
++**KRB5_TRACE**
++ Specifies a filename to write trace log output to. Trace logs can
++ help illuminate decisions made internally by the Kerberos
++ libraries. The default is not to write trace log output anywhere.
++
++Most environment variables are disabled for certain programs, such as
++login system programs and setuid programs, which are designed to be
++secure when run within an untrusted process environment.
++
++SEE ALSO
++--------
++
++:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`,
++:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`,
++:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`,
++:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`
++
++BUGS
++----
++
++AUTHORS
++-------
++
++| Steve Miller, MIT Project Athena/Digital Equipment Corporation
++| Clifford Neuman, MIT Project Athena
++| Greg Hudson, MIT Kerberos Consortium
++
++HISTORY
++-------
++
++The MIT Kerberos 5 implementation was developed at MIT, with
++contributions from many outside parties. It is currently maintained
++by the MIT Kerberos Consortium.
++
++RESTRICTIONS
++------------
++
++Copyright 1985, 1986, 1989-1996, 2002, 2011 Masachusetts Institute of
++Technology
+diff --git a/src/Makefile.in b/src/Makefile.in
+index e47bddcb1..91032361f 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -60,9 +60,9 @@ world:
+ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
+ $(ADMIN_BINDIR) $(SERVER_BINDIR) $(CLIENT_BINDIR) \
+ $(ADMIN_MANDIR) $(SERVER_MANDIR) $(CLIENT_MANDIR) \
+- $(FILE_MANDIR) \
++ $(FILE_MANDIR) $(OVERVIEW_MANDIR) \
+ $(ADMIN_CATDIR) $(SERVER_CATDIR) $(CLIENT_CATDIR) \
+- $(FILE_CATDIR) \
++ $(FILE_CATDIR) $(OVERVIEW_CATDIR) \
+ $(KRB5_LIBDIR) $(KRB5_INCDIR) \
+ $(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \
+ $(KRB5_AD_MODULE_DIR) \
+diff --git a/src/config/pre.in b/src/config/pre.in
+index f23c07d9d..a851c56c7 100644
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -210,6 +210,8 @@ ADMIN_CATDIR = $(KRB5MANROOT)/cat8
+ SERVER_CATDIR = $(KRB5MANROOT)/cat8
+ CLIENT_CATDIR = $(KRB5MANROOT)/cat1
+ FILE_CATDIR = $(KRB5MANROOT)/cat5
++OVERVIEW_MANDIR = $(KRB5MANROOT)/man7
++OVERVIEW_CATDIR = $(KRB5MANROOT)/cat7
+ KRB5_LIBDIR = @libdir@
+ KRB5_INCDIR = @includedir@
+ MODULE_DIR = @libdir@/krb5/plugins
+diff --git a/src/man/Makefile.in b/src/man/Makefile.in
+index 4bc670bad..e3722b1cd 100644
+--- a/src/man/Makefile.in
++++ b/src/man/Makefile.in
+@@
-15,7 +15,7 @@ MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
+ kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
+ kdestroy.sub kinit.sub klist.sub kpasswd.sub kprop.sub kpropd.sub \
+ kproplog.sub krb5.conf.sub krb5-config.sub krb5kdc.sub ksu.sub \
+- kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub
++ kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub kerberos.sub
+
+ docsrc=$(top_srcdir)/../doc
+
+@@ -56,9 +56,11 @@ all: $(MANSUBS)
+ clean:
+ rm -rf $(MANSUBS) rst_man
+
+-install: install-clientman install-fileman install-adminman install-serverman
++install: install-clientman install-fileman install-adminman \
++ install-overviewman install-serverman
+
+-install-catman: install-clientcat install-filecat install-admincat install-servercat
++install-catman: install-clientcat install-filecat install-admincat \
++ install-overviewcat install-servercat
+
+ install-clientman:
+ $(INSTALL_DATA) k5srvutil.sub $(DESTDIR)$(CLIENT_MANDIR)/k5srvutil.1
+@@ -85,6 +87,9 @@ install-fileman:
+ $(INSTALL_DATA) kdc.conf.sub $(DESTDIR)$(FILE_MANDIR)/kdc.conf.5
+ $(INSTALL_DATA) krb5.conf.sub $(DESTDIR)$(FILE_MANDIR)/krb5.conf.5
+
++install-overviewman:
++ $(INSTALL_DATA) kerberos.sub $(DESTDIR)$(OVERVIEW_MANDIR)/kerberos.7
++
+ install-adminman:
+ $(INSTALL_DATA) $(srcdir)/kadmin.local.8 \
+ $(DESTDIR)$(ADMIN_MANDIR)/kadmin.local.8
+@@ -127,6 +132,9 @@ install-filecat:
+ $(GROFF_MAN) kdc.conf.sub > $(DESTDIR)$(FILE_CATDIR)/kdc.conf.5
+ $(GROFF_MAN) krb5.conf.sub > $(DESTDIR)$(FILE_CATDIR)/krb5.conf.5
+
++install-overviewcat:
++ $(GROFF_MAN) kerberos.sub > $(DESTDIR)$(OVERVIEW_CATDIR)/kerberos.7
++
+ install-admincat:
+ ($(RM) $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8; \
+ $(LN_S) $(CLIENT_CATDIR)/kadmin.1 \
+diff --git a/src/man/kerberos.man b/src/man/kerberos.man
+new file mode 100644
+index 000000000..7b2b5d932
+--- /dev/null
++++ b/src/man/kerberos.man
+@@ -0,0 +1,180 @@
++.\" Man page generated from reStructuredText.
++.
++.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos"
++.SH NAME
++kerberos \- Overview of using Kerberos
++.
++.nr rst2man-indent-level 0
++.
++.de1 rstReportMargin
++\\$1 \\n[an-margin]
++level \\n[rst2man-indent-level]
++level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
++-
++\\n[rst2man-indent0]
++\\n[rst2man-indent1]
++\\n[rst2man-indent2]
++..
++.de1 INDENT
++.\" .rstReportMargin pre:
++. RS \\$1
++. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
++. nr rst2man-indent-level +1
++.\" .rstReportMargin post:
++..
++.de UNINDENT
++. RE
++.\" indent \\n[an-margin]
++.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.nr rst2man-indent-level -1
++.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
++.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
++..
++.SH DESCRIPTION
++.sp
++The Kerberos system authenticates individual users in a network
++environment. After authenticating yourself to Kerberos, you can use
++Kerberos\-enabled programs without having to present passwords.
++.sp
++If you enter your username and kinit(1) responds with this
++message:
++.sp
++kinit(v5): Client not found in Kerberos database while getting initial
++credentials
++.sp
++you haven\(aqt been registered as a Kerberos user. See your system
++administrator.
++.sp
++A Kerberos name usually contains three parts. The first is the
++\fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second
++is the \fBinstance\fP, which in the case of a user is usually null.
++Some users may have privileged instances, however, such as \fBroot\fP or
++\fBadmin\fP\&. In the case of a service, the instance is the fully
++qualified name of the machine on which it runs; i.e. there can be an
++rlogin service running on the machine ABC, which is different from the
++rlogin service running on the machine XYZ. The third part of a
++Kerberos name is the \fBrealm\fP\&. The realm corresponds to the Kerberos
++service providing authentication for the principal.
++.sp
++When writing a Kerberos name, the principal name is separated from the
++instance (if not null) by a slash, and the realm (if not the local
++realm) follows, preceded by an "@" sign. The following are examples
++of valid Kerberos names:
++.INDENT 0.0
++.INDENT 3.5
++.sp
++.nf
++.ft C
++david
++jennifer/admin
++joeuser@BLEEP.COM
++cbrown/root@FUBAR.ORG
++.ft P
++.fi
++.UNINDENT
++.UNINDENT
++.sp
++When you authenticate yourself with Kerberos you get an initial
++Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol
++message that provides authentication.) Kerberos uses this ticket for
++network utilities such as rlogin and rcp. The ticket transactions are
++done transparently, so you don\(aqt have to worry about their management.
++.sp
++Note, however, that tickets expire. Privileged tickets, such as those
++with the instance \fBroot\fP, expire in a few minutes, while tickets
++that carry more ordinary privileges may be good for several hours or a
++day, depending on the installation\(aqs policy. If your login session
++extends beyond the time limit, you will have to re\-authenticate
++yourself to Kerberos to get new tickets. Use the kinit(1)
++command to re\-authenticate yourself.
++.sp
++If you use the kinit command to get your tickets, make sure you use
++the kdestroy command to destroy your tickets before you end your login
++session. You should put the kdestroy command in your \fB\&.logout\fP file
++so that your tickets will be destroyed automatically when you logout.
++For more information about the kinit and kdestroy commands, see the
++kinit(1) and kdestroy(1) manual pages.
++.sp
++Kerberos tickets can be forwarded. In order to forward tickets, you
++must request \fBforwardable\fP tickets when you kinit. Once you have
++forwardable tickets, most Kerberos programs have a command line option
++to forward them to the remote host.
++.SH ENVIRONMENT VARIABLES
++.sp
++Several environment variables affect the operation of Kerberos\-enabled
++programs. These inclide:
++.INDENT 0.0
++.TP
++\fBKRB5CCNAME\fP
++Specifies the location of the credential cache, in the form
++\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP
++type is assumed and \fIresidual\fP is the pathname of the cache file.
++A collection of multiple caches may be used by specifying the
++\fBdir\fP type and the pathname of a private directory (which must
++already exist). The default cache file is /tmp/krb5cc_*uid*,
++where \fIuid\fP is the decimal user ID of the user.
++.TP
++\fBKRB5_KTNAME\fP
++Specifies the location of the keytab file, in the form
++\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is
++assumed and \fIresidual\fP is the pathname of the keytab file. The
++default keytab file is \fB/etc/krb5.keytab\fP\&.
++.TP
++\fBKRB5_CONFIG\fP
++Specifies the location of the Kerberos configuration file. The
++default is \fB/etc/krb5.conf\fP\&.
++.TP
++\fBKRB5_KDC_PROFILE\fP
++Specifies the location of the KDC configuration file, which
++contains additional configuration directives for the Key
++Distribution Center daemon and associated programs. The default
++is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&.
++.TP
++\fBKRB5RCACHETYPE\fP
++Specifies the default type of replay cache to use for servers.
++Valid types include \fBdfl\fP for the normal file type and \fBnone\fP
++for no replay cache.
++.TP
++\fBKRB5RCACHEDIR\fP
++Specifies the default directory for replay caches used by servers.
++The default is the value of the \fBTMPDIR\fP environment variable,
++or \fB/var/tmp\fP if \fBTMPDIR\fP is not set.
++.TP
++\fBKRB5_TRACE\fP
++Specifies a filename to write trace log output to. Trace logs can
++help illuminate decisions made internally by the Kerberos
++libraries. The default is not to write trace log output anywhere.
++.UNINDENT
++.sp
++Most environment variables are disabled for certain programs, such as
++login system programs and setuid programs, which are designed to be
++secure when run within an untrusted process environment.
++.SH SEE ALSO
++.sp
++kdestroy(1), kinit(1), klist(1),
++kswitch(1), kpasswd(1), ksu(1),
++krb5.conf(5), kdc.conf(5), kadmin(1),
++kadmind(8), kdb5_util(8), krb5kdc(8)
++.SH BUGS
++.SH AUTHORS
++.nf
++Steve Miller, MIT Project Athena/Digital Equipment Corporation
++Clifford Neuman, MIT Project Athena
++Greg Hudson, MIT Kerberos Consortium
++.fi
++.sp
++.SH HISTORY
++.sp
++The MIT Kerberos 5 implementation was developed at MIT, with
++contributions from many outside parties. It is currently maintained
++by the MIT Kerberos Consortium.
++.SH RESTRICTIONS
++.sp
++Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of
++Technology
++.SH AUTHOR
++MIT
++.SH COPYRIGHT
++1985-2018, MIT
++.\" Generated by docutils manpage writer.
++.
diff --git a/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch b/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch
index b67622d..7da3368 100644
--- a/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch
+++ b/SOURCES/Continue-after-KDC_ERR_PREAUTH_FAILED.patch
@@ -1,4 +1,4 @@
-From 64c15ad2b8f4af57ffd998fc27f3781cc02bff29 Mon Sep 17 00:00:00 2001
+From 75b375abcec69421c430a0241e5c72cafd96cb7f Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 16 Jan 2017 15:09:32 -0500
Subject: [PATCH] Continue after KDC_ERR_PREAUTH_FAILED
diff --git a/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch b/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch
index 6ba7e0e..08ba8cc 100644
--- a/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch
+++ b/SOURCES/Continue-after-KRB5_CC_END-in-KCM-cache-iteration.patch
@@ -1,4 +1,4 @@
-From 0890a832accffe4ddfb882528346b3d9c65b351c Mon Sep 17 00:00:00 2001
+From c66f120e6eba811ba1417ce67b49a01958b1c9d1 Mon Sep 17 00:00:00 2001
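Review bot: In the new kerberos.rst the inline markup `/tmp/krb5cc_*uid*` does not parse as emphasis, because `*` cannot open inline markup directly after `_`, and the checked-in kerberos.man shows the consequence: it carries the literal `/tmp/krb5cc_*uid*` while the very next line correctly renders `where \fIuid\fP`. Write it as `/tmp/krb5cc_\ *uid*` (or the literal ``/tmp/krb5cc_<uid>``) and regenerate kerberos.man, since that file is committed rather than rebuilt. Two typos also ship in the rendered page: `These inclide:` should be `These include:` and `Masachusetts` should be `Massachusetts`. The stated default cache location only holds when krb5.conf does not set `default_ccache_name`; distribution builds that point the default at a KEYRING or DIR collection will not match the text, so a sentence noting that krb5.conf can override this default would keep the page from misleading users (I cannot confirm this package's krb5.conf from the diff).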
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 28 Mar 2018 18:27:06 +0200
Subject: [PATCH] Continue after KRB5_CC_END in KCM cache iteration
diff --git a/SOURCES/Continue-preauth-after-client-side-failures.patch b/SOURCES/Continue-preauth-after-client-side-failures.patch
index 14c069f..c03b071 100644
--- a/SOURCES/Continue-preauth-after-client-side-failures.patch
+++ b/SOURCES/Continue-preauth-after-client-side-failures.patch
@@ -1,4 +1,4 @@
-From 0cd770449a733a8b3a853531a562c91883ccac27 Mon Sep 17 00:00:00 2001
+From d45e1ea83a6ed9eef0e7e6bfe86c8d4995a7402d Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sat, 14 Jan 2017 13:55:22 -0500
Subject: [PATCH] Continue preauth after client-side failures
diff --git a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
index 5b55956..5d28f23 100644
--- a/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
+++ b/SOURCES/Convert-some-pkiDebug-messages-to-TRACE-macros.patch
@@ -1,4 +1,4 @@
-From b4c2212ae7412e21f4965acdb8c10e4a60b65b9b Mon Sep 17 00:00:00 2001
+From 7564be02d140b5caa225679c8f728ee49d9a9e0a Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Wed, 29 Mar 2017 10:35:13 -0400
Subject: [PATCH] Convert some pkiDebug messages to TRACE macros
@@ -15,7 +15,7 @@ ticket: 8568 (new)
5 files changed, 97 insertions(+), 45 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 90c30dbf5..70e230ec2 100644
+index a5b010b26..792a2f771 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2320,7 +2320,6 @@ crypto_check_cert_eku(krb5_context context,
diff --git a/SOURCES/Correct-error-handling-bug-in-prior-commit.patch b/SOURCES/Correct-error-handling-bug-in-prior-commit.patch
index 5039df1..4ae2ec9 100644
--- a/SOURCES/Correct-error-handling-bug-in-prior-commit.patch
+++ b/SOURCES/Correct-error-handling-bug-in-prior-commit.patch
@@ -1,4 +1,4 @@
-From ca3e61600f1400974c63b2abb30b44f0c94d550b Mon Sep 17 00:00:00 2001
+From ce220f7a4c0a6bda0004626d702a2a60dd51e181 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Thu, 23 Mar 2017 13:42:55 -0400
Subject: [PATCH] Correct error handling bug in prior commit
@@ -14,10 +14,10 @@ ticket: 8561
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index a5b010b26..90c30dbf5 100644
+index 534161b19..25bcef292 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-@@ -6196,10 +6196,10 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
+@@ -6089,10 +6089,10 @@ crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx,
if (len <= 0)
return EINVAL;
p = der = malloc(len);
diff --git a/SOURCES/Correct-kpasswd_server-description-in-krb5.conf-5.patch b/SOURCES/Correct-kpasswd_server-description-in-krb5.conf-5.patch
new file mode 100644
index 0000000..2406545
--- /dev/null
+++ b/SOURCES/Correct-kpasswd_server-description-in-krb5.conf-5.patch
@@ -0,0 +1,28 @@
+From fce9cdd8b264343a30b37bea8442da03b258ce45 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Tue, 16 Oct 2018 17:32:29 -0400
+Subject: [PATCH] Correct kpasswd_server description in krb5.conf(5)
+
+ticket: 8754 (new)
+tags: pullup
+target_version: 1.16-next
+
+(cherry picked from commit 762d804701f78fc76f728ec05a205eea6a2b2dd7)
+---
+ doc/admin/conf_files/krb5_conf.rst | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
+index a959e0e60..cc996f11a 100644
+--- a/doc/admin/conf_files/krb5_conf.rst
++++ b/doc/admin/conf_files/krb5_conf.rst
+@@ -496,7 +496,8 @@ following tags may be specified in the realm's subsection:
+
+ **kpasswd_server**
+ Points to the server where all the password changes are performed.
+- If there is no such entry, the port 464 on the **admin_server**
++ If there is no such entry, DNS will be queried (unless forbidden
++ by **dns_lookup_kdc**). Finally, port 464 on the **admin_server**
+ host will be tried.
+
+ **master_kdc**
diff --git a/SOURCES/Document-and-check-init_creds-context-requirement.patch b/SOURCES/Document-and-check-init_creds-context-requirement.patch
index fa99298..53b2b9c 100644
--- a/SOURCES/Document-and-check-init_creds-context-requirement.patch
+++ b/SOURCES/Document-and-check-init_creds-context-requirement.patch
@@ -1,4 +1,4 @@
-From 7a9917db6b72d47cd19fb54dc34fc409353a3ea4 Mon Sep 17 00:00:00 2001
+From 86fd6a4e1a768eff55aa3df6bc5794dfa63b801f Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 9 Jan 2017 11:44:29 -0500
Subject: [PATCH] Document and check init_creds context requirement
diff --git a/SOURCES/Don-t-include-all-MEMORY-ccaches-in-collection.patch b/SOURCES/Don-t-include-all-MEMORY-ccaches-in-collection.patch
index 4adb9e8..284c911 100644
--- a/SOURCES/Don-t-include-all-MEMORY-ccaches-in-collection.patch
+++ b/SOURCES/Don-t-include-all-MEMORY-ccaches-in-collection.patch
@@ -1,4 +1,4 @@
-From 763420ead602d5b17b27f6bad07fdb1cc2f61119 Mon Sep 17 00:00:00 2001
+From 7c50ae9787c2fbfb479fbc513a2aeb2aff039d43 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 1 Aug 2018 15:53:12 -0400
Subject: [PATCH] Don't include all MEMORY ccaches in collection
diff --git a/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch b/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch
index 7370542..19fa3e8 100644
--- a/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch
+++ b/SOURCES/Echo-KDC-cookies-in-preauth-tryagain.patch
@@ -1,4 +1,4 @@
-From 7deb721e6eeb51be30c147240426c19a0c7beede Mon Sep 17 00:00:00 2001
+From 7439bb967c7c7d860bc69b6b4eaa290a7fe7f530 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sat, 21 Jan 2017 13:20:38 -0500
Subject: [PATCH] Echo KDC cookies in preauth tryagain
diff --git a/SOURCES/Exit-with-status-0-from-kadmind.patch b/SOURCES/Exit-with-status-0-from-kadmind.patch
index 9d85255..b2a7317 100644
--- a/SOURCES/Exit-with-status-0-from-kadmind.patch
+++ b/SOURCES/Exit-with-status-0-from-kadmind.patch
@@ -1,4 +1,4 @@
-From f77de343e052ad66324eda13cf8dd9b9e131590c Mon Sep 17 00:00:00 2001
+From 987d80aba6a59dae5242cb544864e23785098106 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Wed, 14 Mar 2018 14:31:22 -0400
Subject: [PATCH] Exit with status 0 from kadmind
diff --git a/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch b/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch
index 552ef19..05b880c 100644
--- a/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch
+++ b/SOURCES/Expose-context-errors-in-pkinit_server_plugin_init.patch
@@ -1,4 +1,4 @@
-From 9c0a06f38189d255575acdae5efb22b76b4c33b3 Mon Sep 17 00:00:00 2001
+From 97a39c0048344c43af4006a4b9e7da609095510d Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Mon, 13 Nov 2017 13:32:37 -0500
Subject: [PATCH] Expose context errors in pkinit_server_plugin_init
diff --git a/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch b/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch
index 99e71aa..da24ba8 100644
--- a/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch
+++ b/SOURCES/Fix-PKINIT-cert-matching-data-construction.patch
@@ -1,4 +1,4 @@
-From 1bde0be47ab0c6f94b474c0a3b1d03ec32db1293 Mon Sep 17 00:00:00 2001
+From 62eb62a3db7d40a44f26c3e563cfa22b1f05d93d Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 17 Oct 2017 18:50:15 -0400
Subject: [PATCH] Fix PKINIT cert matching data construction
@@ -18,7 +18,7 @@ tags: pullup
1 file changed, 25 insertions(+), 42 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index b243dca30..1eb273808 100644
+index f70aab5b3..34ed7afaf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -5052,33 +5052,29 @@ out:
diff --git a/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch b/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch
index 9b84bbb..1d87c25 100644
--- a/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch
+++ b/SOURCES/Fix-bugs-in-kdcpolicy-commit.patch
@@ -1,4 +1,4 @@
-From d59b00fd1fdcc473739f3033c0f67eb402f20d9c Mon Sep 17 00:00:00 2001
+From ffd715b98da026a6a9b3aac48de42e4f19860ce4 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sat, 19 Aug 2017 19:09:24 -0400
Subject: [PATCH] Fix bugs in kdcpolicy commit
diff --git a/SOURCES/Fix-bugs-with-concurrent-use-of-MEMORY-ccaches.patch b/SOURCES/Fix-bugs-with-concurrent-use-of-MEMORY-ccaches.patch
index 26399e2..99e0f7b 100644
--- a/SOURCES/Fix-bugs-with-concurrent-use-of-MEMORY-ccaches.patch
+++ b/SOURCES/Fix-bugs-with-concurrent-use-of-MEMORY-ccaches.patch
@@ -1,4 +1,4 @@
-From c0873e9b9de0570c97e88598f17b72bf51fd7f5d Mon Sep 17 00:00:00 2001
+From 8cb69a3657064ff6bb90a208cfad5fb91e30c307 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sun, 1 Jul 2018 00:12:25 -0400
Subject: [PATCH] Fix bugs with concurrent use of MEMORY ccaches
diff --git a/SOURCES/Fix-certauth-built-in-module-returns.patch b/SOURCES/Fix-certauth-built-in-module-returns.patch
index 72c9efb..6b3adbb 100644
--- a/SOURCES/Fix-certauth-built-in-module-returns.patch
+++ b/SOURCES/Fix-certauth-built-in-module-returns.patch
@@ -1,4 +1,4 @@
-From 41b9111b48e53bf7864ed1f134e0433b070fa900 Mon Sep 17 00:00:00 2001
+From 5fbdf62de3883be137ed9a1a2eff3985e4ca05ae Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Thu, 24 Aug 2017 11:11:46 -0400
Subject: [PATCH] Fix certauth built-in module returns
@@ -25,7 +25,7 @@ ticket: 8561
2 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
-index 70e230ec2..7fa2efd21 100644
+index 792a2f771..85ca8885d 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -2137,7 +2137,6 @@ crypto_retrieve_X509_sans(krb5_context context,
diff --git a/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch b/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch
index 62a0cab..d823a0b 100644
--- a/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch
+++ b/SOURCES/Fix-flaws-in-LDAP-DN-checking.patch
@@ -1,4 +1,4 @@
-From 997e1bbb2ec662357089aa43763e138183860cc3 Mon Sep 17 00:00:00 2001
+From bc1ff677dcb45c59107c39465b032f555e3d99f6 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 12 Jan 2018 11:43:01 -0500
Subject: [PATCH] Fix flaws in LDAP DN checking
diff --git a/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch b/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch
index f05c4ed..792219e 100644
--- a/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch
+++ b/SOURCES/Fix-hex-conversion-of-PKINIT-certid-strings.patch
@@ -1,4 +1,4 @@ -From e427a9c2027446f1d0883ced077caf3515116b10 Mon Sep 17 00:00:00 2001 +From 73c156f998e848c5e383ddd715193d84d95e5c39 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 26 Jan 2018 11:47:50 -0500 Subject: [PATCH] Fix hex conversion of PKINIT certid strings @@ -17,7 +17,7 @@ ticket: 8636 1 file changed, 44 insertions(+), 11 deletions(-) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 7fa2efd21..6a95f8035 100644 +index 85ca8885d..6098acc6a 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -4640,6 +4640,43 @@ reassemble_pkcs11_name(pkinit_identity_opts *idopts) diff --git a/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch b/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch index 236d17a..e11a490 100644 --- a/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch +++ b/SOURCES/Fix-in_clock_skew-and-use-it-in-AS-client-code.patch @@ -1,4 +1,4 @@ -From 7e914206a676fb8f972c8021e97fab86a155488b Mon Sep 17 00:00:00 2001 +From 4d42f950965f16a9eb77444a99abe76a8b4ac12c Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 24 Apr 2017 02:02:36 -0400 Subject: [PATCH] Fix in_clock_skew() and use it in AS client code diff --git a/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch b/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch index 43a0d6d..26ab1d5 100644 --- a/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch +++ b/SOURCES/Fix-make-certs.sh-for-OpenSSL-1.1.patch @@ -1,4 +1,4 @@ -From 7221a9f695016d3e4873bb799f06665ec74387f8 Mon Sep 17 00:00:00 2001 +From 7113cdfa8b06d1f2a9512a1a69c5313a79509298 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 6 Sep 2017 12:56:37 -0400 Subject: [PATCH] Fix make-certs.sh for OpenSSL 1.1 diff --git a/SOURCES/Fix-more-time-manipulations-for-y2038.patch b/SOURCES/Fix-more-time-manipulations-for-y2038.patch index 91af0c8..e796c92 100644 
--- a/SOURCES/Fix-more-time-manipulations-for-y2038.patch
+++ b/SOURCES/Fix-more-time-manipulations-for-y2038.patch
@@ -1,4 +1,4 @@
-From 006c68f6ed266d5ea7a24512349a931f45160cc6 Mon Sep 17 00:00:00 2001
+From 5fd12bd6e550bc178923b25abc30d8f7c250837a Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 17 May 2017 14:52:09 -0400
 Subject: [PATCH] Fix more time manipulations for y2038
diff --git a/SOURCES/Fix-segfault-in-finish_dispatch.patch b/SOURCES/Fix-segfault-in-finish_dispatch.patch
index 85b974e..dc6a7f0 100644
--- a/SOURCES/Fix-segfault-in-finish_dispatch.patch
+++ b/SOURCES/Fix-segfault-in-finish_dispatch.patch
@@ -1,4 +1,4 @@
-From eb58cafce36423ece63a4c1b503a965b38527171 Mon Sep 17 00:00:00 2001
+From 9680ab4bd9f38c67ffeb249cf1572d30a1475d28 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Wed, 18 Apr 2018 14:13:28 -0400
 Subject: [PATCH] Fix segfault in finish_dispatch()
diff --git a/SOURCES/Ignore-dotfiles-in-profile-includedir.patch b/SOURCES/Ignore-dotfiles-in-profile-includedir.patch
index 26401ed..1237061 100644
--- a/SOURCES/Ignore-dotfiles-in-profile-includedir.patch
+++ b/SOURCES/Ignore-dotfiles-in-profile-includedir.patch
@@ -1,4 +1,4 @@
-From f0eae5a57bf6904d9d64abd450f195a7ddfd897f Mon Sep 17 00:00:00 2001
+From df09bfffaf5a8e5a3c646838f7d87b16a2680cfe Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Fri, 24 Mar 2017 11:07:21 -0400
 Subject: [PATCH] Ignore dotfiles in profile includedir
diff --git a/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch b/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
index 53e379a..98c2bcc 100644
--- a/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
+++ b/SOURCES/In-FIPS-mode-add-plaintext-fallback-for-RC4-usages-a.patch
@@ -1,4 +1,4 @@
-From e7266b788278f019ad15d2d2fe518401e98c5645 Mon Sep 17 00:00:00 2001
+From c1f14d371be42cbe851c573d26e425ebecc2ea35 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
 Date: Tue, 31 Jul 2018 13:47:26 -0400
 Subject: [PATCH] In FIPS mode, add plaintext fallback for RC4 usages and taint
diff --git a/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch b/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch
index 9d17ba6..a78f166 100644
--- a/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch
+++ b/SOURCES/Include-preauth-name-in-trace-output-if-possible.patch
@@ -1,4 +1,4 @@
-From 89c5f21992e055955c752aba4a207810aa201e9f Mon Sep 17 00:00:00 2001
+From c9b74036064b7f3aebbd3c482703ce97ff868bb6 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Thu, 15 Mar 2018 14:37:28 -0400
 Subject: [PATCH] Include preauth name in trace output if possible
diff --git a/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch b/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch
index 53ba9ba..71cea7a 100644
--- a/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch
+++ b/SOURCES/Limit-ticket-lifetime-to-2-31-1-seconds.patch
@@ -1,4 +1,4 @@
-From 31d5c854198ed91fc2bd0b9fb87ed0dcd5a40eb6 Mon Sep 17 00:00:00 2001
+From 5802408ab53a524f40f9a83a104f1d5f19ce5db0 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 24 Aug 2017 16:00:33 -0400
 Subject: [PATCH] Limit ticket lifetime to 2^31-1 seconds
diff --git a/SOURCES/Log-when-non-root-ksu-authorization-fails.patch b/SOURCES/Log-when-non-root-ksu-authorization-fails.patch
new file mode 100644
index 0000000..dc631ba
--- /dev/null
+++ b/SOURCES/Log-when-non-root-ksu-authorization-fails.patch
@@ -0,0 +1,35 @@
+From d5f22f9982dca7fa157d1d9b7488a671e0df72b8 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 7 May 2018 16:42:59 -0400
+Subject: [PATCH] Log when non-root ksu authorization fails
+
+If non-root user attempts to ksu but is denied by policy, log to
+syslog at LOG_WARNING in keeping with other failure messages.
+
+ticket: 8270
+(cherry picked from commit 6cfa5c113e981f14f70ccafa20abfa5c46b665ba)
+---
+ src/clients/ksu/main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index cab0c1806..7959a0cba 100644
+--- a/src/clients/ksu/main.c
++++ b/src/clients/ksu/main.c
+@@ -417,6 +417,16 @@ main (argc, argv)
+ if (hp){
+ if (gb_err) fprintf(stderr, "%s", gb_err);
+ fprintf(stderr, _("account %s: authorization failed\n"), target_user);
++
++ if (cmd != NULL) {
++ syslog(LOG_WARNING,
++ "Account %s: authorization for %s for execution of %s failed",
++ target_user, source_user, cmd);
++ } else {
++ syslog(LOG_WARNING, "Account %s: authorization of %s failed",
++ target_user, source_user);
++ }
++
+ exit(1);
+ }
+ 
diff --git a/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch b/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch
index b31a98c..aa7b15d 100644
--- a/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch
+++ b/SOURCES/Make-krb5_preauth_context-a-pointer-type.patch
@@ -1,4 +1,4 @@
-From 676588d0f878a1b235805c9cf3fb28f14d55638a Mon Sep 17 00:00:00 2001
+From 3645da2a06ee69c846823e8335b5fd8a608f059a Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Tue, 20 Dec 2016 15:25:29 -0500
 Subject: [PATCH] Make krb5_preauth_context a pointer type
diff --git a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch
index 83f47ad..486d831 100644
--- a/SOURCES/Make-timestamp-manipulations-y2038-safe.patch
+++ b/SOURCES/Make-timestamp-manipulations-y2038-safe.patch
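Review bot: The two new syslog() calls in the ksu hunk pass `target_user`, `source_user` and `cmd` straight into the log record; the format strings are constant, which is right, but if `cmd` is the caller-supplied command (the hunk does not show where it is set), any control characters or newlines in it reach syslog unfiltered, and on platforms where syslog(3) does not escape them a single denial can be recorded as several lines. Because ksu runs setuid, that is worth flagging for maintainers; a comment such as `/* target_user and cmd are caller-supplied; syslog(3) may pass control characters through unchanged. */` above `if (cmd != NULL) {` would do, and a bounded conversion like `%.*s` would cap the size of one entry. Consider also whether logging `cmd` at all is needed, since the accompanying stderr message deliberately omits it. The enclosing main() starts and ends outside the hunk, so whether `<syslog.h>` is already included cannot be confirmed here.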
@@ -1,4 +1,4 @@
-From 7c671a869d1fc21b5154c035d568d5b5fd940783 Mon Sep 17 00:00:00 2001
+From e7358d93fa1cbe5db52e217d466894b1af96d95c Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 22 Apr 2017 12:52:17 -0400
 Subject: [PATCH] Make timestamp manipulations y2038-safe
diff --git a/SOURCES/Merge-duplicate-subsections-in-profile-library.patch b/SOURCES/Merge-duplicate-subsections-in-profile-library.patch
index 54e2bc4..5acd4ab 100644
--- a/SOURCES/Merge-duplicate-subsections-in-profile-library.patch
+++ b/SOURCES/Merge-duplicate-subsections-in-profile-library.patch
@@ -1,4 +1,4 @@
-From 7e2b7bb44c4996c425a93f6aacf151480cd08595 Mon Sep 17 00:00:00 2001
+From a19917522862f26bc711fd8271940906284ff55d Mon Sep 17 00:00:00 2001
 From: Robbie Harwood
 Date: Tue, 10 Apr 2018 15:55:41 -0400
 Subject: [PATCH] Merge duplicate subsections in profile library
diff --git a/SOURCES/Modernize-kerberos-7.patch b/SOURCES/Modernize-kerberos-7.patch
new file mode 100644
index 0000000..a4c690f
--- /dev/null
+++ b/SOURCES/Modernize-kerberos-7.patch
@@ -0,0 +1,429 @@ +From 2319336ac1f52e56d2549bd83ff40a3e7b2f281a Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 15 Oct 2018 13:20:30 -0400 +Subject: [PATCH] Modernize kerberos(7) + +Update environment variable descriptions, using env_variables.rst as a +guide. Replace the content in env_variables.rst with a pointer to +documentation at kerberos(7) so that we don't break external links and +don't duplicate content. + +Replace references to rlogin. Clarify and modernize other language. + +ticket: 8755 +(cherry picked from commit cdccdefa2d74d3abf5a8ae126e423af9d467d34f) +--- + doc/admin/env_variables.rst | 44 +------------ + doc/user/user_config/kerberos.rst | 106 ++++++++++++++++++------------ + src/man/kerberos.man | 104 +++++++++++++++++------------ + 3 files changed, 128 insertions(+), 126 deletions(-) + +diff --git a/doc/admin/env_variables.rst b/doc/admin/env_variables.rst +index 0c146d3e3..a2d15bea8 100644 +--- a/doc/admin/env_variables.rst ++++ b/doc/admin/env_variables.rst +@@ -1,46 +1,4 @@ + Environment variables + ===================== + +-The following environment variables can be used during runtime: +- +-**KRB5_CONFIG** +- Main Kerberos configuration file. Multiple filenames can be +- specified, separated by a colon; all files which are present will +- be read. (See :ref:`mitK5defaults` for the default path.) +- +-**KRB5_KDC_PROFILE** +- KDC configuration file. (See :ref:`mitK5defaults` for the default +- name.) +- +-**KRB5_KTNAME** +- Default keytab file name. (See :ref:`mitK5defaults` for the +- default name.) +- +-**KRB5_CLIENT_KTNAME** +- Default client keytab file name. (See :ref:`mitK5defaults` for +- the default name.) +- +-**KRB5CCNAME** +- Default name for the credentials cache file, in the form *type*\:\ +- *residual*. The type of the default cache may determine the +- availability of a cache collection. 
For instance, a default cache +- of type ``DIR`` causes caches within the directory to be present +- in the global cache collection. +- +-**KRB5RCACHETYPE** +- Default replay cache type. Defaults to ``dfl``. A value of +- ``none`` disables the replay cache. +- +-**KRB5RCACHEDIR** +- Default replay cache directory. (See :ref:`mitK5defaults` for the +- default location.) +- +-**KPROP_PORT** +- :ref:`kprop(8)` port to use. Defaults to 754. +- +-**KRB5_TRACE** +- Filename for trace-logging output (introduced in release 1.9). +- For example, ``env KRB5_TRACE=/dev/stdout kinit`` would send +- tracing information for kinit to ``/dev/stdout``. Some programs +- may ignore this variable (particularly setuid or login system +- programs). ++This content has moved to :ref:`kerberos(7)`. +diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst +index 6c4453b3b..56412f099 100644 +--- a/doc/user/user_config/kerberos.rst ++++ b/doc/user/user_config/kerberos.rst +@@ -8,12 +8,12 @@ DESCRIPTION + + The Kerberos system authenticates individual users in a network + environment. After authenticating yourself to Kerberos, you can use +-Kerberos-enabled programs without having to present passwords. ++Kerberos-enabled programs without having to present passwords or ++certificates to those programs. + +-If you enter your username and :ref:`kinit(1)` responds with this +-message: ++If you receive the following response from :ref:`kinit(1)`: + +-kinit(v5): Client not found in Kerberos database while getting initial ++kinit: Client not found in Kerberos database while getting initial + credentials + + you haven't been registered as a Kerberos user. See your system +@@ -25,10 +25,13 @@ is the **instance**, which in the case of a user is usually null. + Some users may have privileged instances, however, such as ``root`` or + ``admin``. In the case of a service, the instance is the fully + qualified name of the machine on which it runs; i.e. 
there can be an +-rlogin service running on the machine ABC, which is different from the +-rlogin service running on the machine XYZ. The third part of a +-Kerberos name is the **realm**. The realm corresponds to the Kerberos +-service providing authentication for the principal. ++ssh service running on the machine ABC (ssh/ABC@REALM), which is ++different from the ssh service running on the machine XYZ ++(ssh/XYZ@REALM). The third part of a Kerberos name is the **realm**. ++The realm corresponds to the Kerberos service providing authentication ++for the principal. Realms are conventionally all-uppercase, and often ++match the end of hostnames in the realm (for instance, host01.example.com ++might be in realm EXAMPLE.COM). + + When writing a Kerberos name, the principal name is separated from the + instance (if not null) by a slash, and the realm (if not the local +@@ -43,64 +46,72 @@ of valid Kerberos names:: + When you authenticate yourself with Kerberos you get an initial + Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol + message that provides authentication.) Kerberos uses this ticket for +-network utilities such as rlogin and rcp. The ticket transactions are +-done transparently, so you don't have to worry about their management. ++network utilities such as ssh. The ticket transactions are done ++transparently, so you don't have to worry about their management. + +-Note, however, that tickets expire. Privileged tickets, such as those +-with the instance ``root``, expire in a few minutes, while tickets +-that carry more ordinary privileges may be good for several hours or a +-day, depending on the installation's policy. If your login session +-extends beyond the time limit, you will have to re-authenticate +-yourself to Kerberos to get new tickets. Use the :ref:`kinit(1)` +-command to re-authenticate yourself. ++Note, however, that tickets expire. 
Administrators may configure more ++privileged tickets, such as those with service or instance of ``root`` ++or ``admin``, to expire in a few minutes, while tickets that carry ++more ordinary privileges may be good for several hours or a day. If ++your login session extends beyond the time limit, you will have to ++re-authenticate yourself to Kerberos to get new tickets using the ++:ref:`kinit(1)` command. + +-If you use the kinit command to get your tickets, make sure you use +-the kdestroy command to destroy your tickets before you end your login +-session. You should put the kdestroy command in your ``.logout`` file +-so that your tickets will be destroyed automatically when you logout. +-For more information about the kinit and kdestroy commands, see the +-:ref:`kinit(1)` and :ref:`kdestroy(1)` manual pages. ++Some tickets are **renewable** beyond their initial lifetime. This ++means that ``kinit -R`` can extend their lifetime without requiring ++you to re-authenticate. ++ ++If you wish to delete your local tickets, use the :ref:`kdestroy(1)` ++command. + + Kerberos tickets can be forwarded. In order to forward tickets, you + must request **forwardable** tickets when you kinit. Once you have + forwardable tickets, most Kerberos programs have a command line option +-to forward them to the remote host. ++to forward them to the remote host. This can be useful for, e.g., ++running kinit on your local machine and then sshing into another to do ++work. Note that this should not be done on untrusted machines since ++they will then have your tickets. + + ENVIRONMENT VARIABLES + --------------------- + + Several environment variables affect the operation of Kerberos-enabled +-programs. These inclide: ++programs. These include: + + **KRB5CCNAME** +- Specifies the location of the credential cache, in the form +- *TYPE*:*residual*. If no *type* prefix is present, the **FILE** +- type is assumed and *residual* is the pathname of the cache file. 
+- A collection of multiple caches may be used by specifying the +- **dir** type and the pathname of a private directory (which must +- already exist). The default cache file is /tmp/krb5cc_*uid*, +- where *uid* is the decimal user ID of the user. ++ Default name for the credentials cache file, in the form ++ *TYPE*:*residual*. The type of the default cache may determine ++ the availability of a cache collection. ``FILE`` is not a ++ collection type; ``KEYRING``, ``DIR``, and ``KCM`` are. ++ ++ If not set, the value of **default_ccache_name** from ++ configuration files (see **KRB5_CONFIG**) will be used. If that ++ is also not set, the default *type* is ``FILE``, and the ++ *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the ++ decimal user ID of the user. + + **KRB5_KTNAME** +- Specifies the location of the keytab file, in the form ++ Specifies the location of the default keytab file, in the form + *TYPE*:*residual*. If no *type* is present, the **FILE** type is +- assumed and *residual* is the pathname of the keytab file. The +- default keytab file is ``/etc/krb5.keytab``. ++ assumed and *residual* is the pathname of the keytab file. If ++ unset, |keytab| will be used. + + **KRB5_CONFIG** + Specifies the location of the Kerberos configuration file. The +- default is ``/etc/krb5.conf``. ++ default is |sysconfdir|\ ``/krb5.conf``. Multiple filenames can ++ be specified, separated by a colon; all files which are present ++ will be read. + + **KRB5_KDC_PROFILE** + Specifies the location of the KDC configuration file, which + contains additional configuration directives for the Key + Distribution Center daemon and associated programs. The default +- is ``/usr/local/var/krb5kdc/kdc.conf``. ++ is |kdcdir|\ ``/kdc.conf``. + + **KRB5RCACHETYPE** + Specifies the default type of replay cache to use for servers. +- Valid types include **dfl** for the normal file type and **none** +- for no replay cache. 
++ Valid types include ``dfl`` for the normal file type and ``none`` ++ for no replay cache. The default is ``dfl``. + + **KRB5RCACHEDIR** + Specifies the default directory for replay caches used by servers. +@@ -110,7 +121,17 @@ programs. These inclide: + **KRB5_TRACE** + Specifies a filename to write trace log output to. Trace logs can + help illuminate decisions made internally by the Kerberos +- libraries. The default is not to write trace log output anywhere. ++ libraries. For example, ``env KRB5_TRACE=/dev/stderr kinit`` ++ would send tracing information for :ref:`kinit(1)` to ++ ``/dev/stderr``. The default is not to write trace log output ++ anywhere. ++ ++**KRB5_CLIENT_KTNAME** ++ Default client keytab file name. If unset, |ckeytab| will be ++ used). ++ ++**KPROP_PORT** ++ :ref:`kprop(8)` port to use. Defaults to 754. + + Most environment variables are disabled for certain programs, such as + login system programs and setuid programs, which are designed to be +@@ -133,6 +154,7 @@ AUTHORS + | Steve Miller, MIT Project Athena/Digital Equipment Corporation + | Clifford Neuman, MIT Project Athena + | Greg Hudson, MIT Kerberos Consortium ++| Robbie Harwood, Red Hat, Inc. + + HISTORY + ------- +@@ -144,5 +166,5 @@ by the MIT Kerberos Consortium. + RESTRICTIONS + ------------ + +-Copyright 1985, 1986, 1989-1996, 2002, 2011 Masachusetts Institute of +-Technology ++Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts ++Institute of Technology +diff --git a/src/man/kerberos.man b/src/man/kerberos.man +index 7b2b5d932..026f4604a 100644 +--- a/src/man/kerberos.man ++++ b/src/man/kerberos.man +@@ -34,12 +34,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] + .sp + The Kerberos system authenticates individual users in a network + environment. After authenticating yourself to Kerberos, you can use +-Kerberos\-enabled programs without having to present passwords. 
++Kerberos\-enabled programs without having to present passwords or ++certificates to those programs. + .sp +-If you enter your username and kinit(1) responds with this +-message: ++If you receive the following response from kinit(1): + .sp +-kinit(v5): Client not found in Kerberos database while getting initial ++kinit: Client not found in Kerberos database while getting initial + credentials + .sp + you haven\(aqt been registered as a Kerberos user. See your system +@@ -51,10 +51,13 @@ is the \fBinstance\fP, which in the case of a user is usually null. + Some users may have privileged instances, however, such as \fBroot\fP or + \fBadmin\fP\&. In the case of a service, the instance is the fully + qualified name of the machine on which it runs; i.e. there can be an +-rlogin service running on the machine ABC, which is different from the +-rlogin service running on the machine XYZ. The third part of a +-Kerberos name is the \fBrealm\fP\&. The realm corresponds to the Kerberos +-service providing authentication for the principal. ++ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is ++different from the ssh service running on the machine XYZ ++(\fI\%ssh/XYZ@REALM\fP). The third part of a Kerberos name is the \fBrealm\fP\&. ++The realm corresponds to the Kerberos service providing authentication ++for the principal. Realms are conventionally all\-uppercase, and often ++match the end of hostnames in the realm (for instance, host01.example.com ++might be in realm EXAMPLE.COM). + .sp + When writing a Kerberos name, the principal name is separated from the + instance (if not null) by a slash, and the realm (if not the local +@@ -77,63 +80,71 @@ cbrown/root@FUBAR.ORG + When you authenticate yourself with Kerberos you get an initial + Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol + message that provides authentication.) Kerberos uses this ticket for +-network utilities such as rlogin and rcp. 
The ticket transactions are +-done transparently, so you don\(aqt have to worry about their management. ++network utilities such as ssh. The ticket transactions are done ++transparently, so you don\(aqt have to worry about their management. + .sp +-Note, however, that tickets expire. Privileged tickets, such as those +-with the instance \fBroot\fP, expire in a few minutes, while tickets +-that carry more ordinary privileges may be good for several hours or a +-day, depending on the installation\(aqs policy. If your login session +-extends beyond the time limit, you will have to re\-authenticate +-yourself to Kerberos to get new tickets. Use the kinit(1) +-command to re\-authenticate yourself. ++Note, however, that tickets expire. Administrators may configure more ++privileged tickets, such as those with service or instance of \fBroot\fP ++or \fBadmin\fP, to expire in a few minutes, while tickets that carry ++more ordinary privileges may be good for several hours or a day. If ++your login session extends beyond the time limit, you will have to ++re\-authenticate yourself to Kerberos to get new tickets using the ++kinit(1) command. + .sp +-If you use the kinit command to get your tickets, make sure you use +-the kdestroy command to destroy your tickets before you end your login +-session. You should put the kdestroy command in your \fB\&.logout\fP file +-so that your tickets will be destroyed automatically when you logout. +-For more information about the kinit and kdestroy commands, see the +-kinit(1) and kdestroy(1) manual pages. ++Some tickets are \fBrenewable\fP beyond their initial lifetime. This ++means that \fBkinit \-R\fP can extend their lifetime without requiring ++you to re\-authenticate. ++.sp ++If you wish to delete your local tickets, use the kdestroy(1) ++command. + .sp + Kerberos tickets can be forwarded. In order to forward tickets, you + must request \fBforwardable\fP tickets when you kinit. 
Once you have + forwardable tickets, most Kerberos programs have a command line option +-to forward them to the remote host. ++to forward them to the remote host. This can be useful for, e.g., ++running kinit on your local machine and then sshing into another to do ++work. Note that this should not be done on untrusted machines since ++they will then have your tickets. + .SH ENVIRONMENT VARIABLES + .sp + Several environment variables affect the operation of Kerberos\-enabled +-programs. These inclide: ++programs. These include: + .INDENT 0.0 + .TP + \fBKRB5CCNAME\fP +-Specifies the location of the credential cache, in the form +-\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP +-type is assumed and \fIresidual\fP is the pathname of the cache file. +-A collection of multiple caches may be used by specifying the +-\fBdir\fP type and the pathname of a private directory (which must +-already exist). The default cache file is /tmp/krb5cc_*uid*, +-where \fIuid\fP is the decimal user ID of the user. ++Default name for the credentials cache file, in the form ++\fITYPE\fP:\fIresidual\fP\&. The type of the default cache may determine ++the availability of a cache collection. \fBFILE\fP is not a ++collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are. ++.sp ++If not set, the value of \fBdefault_ccache_name\fP from ++configuration files (see \fBKRB5_CONFIG\fP) will be used. If that ++is also not set, the default \fItype\fP is \fBFILE\fP, and the ++\fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the ++decimal user ID of the user. + .TP + \fBKRB5_KTNAME\fP +-Specifies the location of the keytab file, in the form ++Specifies the location of the default keytab file, in the form + \fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is +-assumed and \fIresidual\fP is the pathname of the keytab file. The +-default keytab file is \fB/etc/krb5.keytab\fP\&. 
++assumed and \fIresidual\fP is the pathname of the keytab file. If ++unset, \fB@KTNAME@\fP will be used. + .TP + \fBKRB5_CONFIG\fP + Specifies the location of the Kerberos configuration file. The +-default is \fB/etc/krb5.conf\fP\&. ++default is \fB@SYSCONFDIR@\fP\fB/krb5.conf\fP\&. Multiple filenames can ++be specified, separated by a colon; all files which are present ++will be read. + .TP + \fBKRB5_KDC_PROFILE\fP + Specifies the location of the KDC configuration file, which + contains additional configuration directives for the Key + Distribution Center daemon and associated programs. The default +-is \fB/usr/local/var/krb5kdc/kdc.conf\fP\&. ++is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&. + .TP + \fBKRB5RCACHETYPE\fP + Specifies the default type of replay cache to use for servers. + Valid types include \fBdfl\fP for the normal file type and \fBnone\fP +-for no replay cache. ++for no replay cache. The default is \fBdfl\fP\&. + .TP + \fBKRB5RCACHEDIR\fP + Specifies the default directory for replay caches used by servers. +@@ -143,7 +154,17 @@ or \fB/var/tmp\fP if \fBTMPDIR\fP is not set. + \fBKRB5_TRACE\fP + Specifies a filename to write trace log output to. Trace logs can + help illuminate decisions made internally by the Kerberos +-libraries. The default is not to write trace log output anywhere. ++libraries. For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP ++would send tracing information for kinit(1) to ++\fB/dev/stderr\fP\&. The default is not to write trace log output ++anywhere. ++.TP ++\fBKRB5_CLIENT_KTNAME\fP ++Default client keytab file name. If unset, \fB@CKTNAME@\fP will be ++used). ++.TP ++\fBKPROP_PORT\fP ++kprop(8) port to use. Defaults to 754. 
+ .UNINDENT + .sp + Most environment variables are disabled for certain programs, such as +@@ -161,6 +182,7 @@ kadmind(8), kdb5_util(8), krb5kdc(8) + Steve Miller, MIT Project Athena/Digital Equipment Corporation + Clifford Neuman, MIT Project Athena + Greg Hudson, MIT Kerberos Consortium ++Robbie Harwood, Red Hat, Inc. + .fi + .sp + .SH HISTORY +@@ -170,8 +192,8 @@ contributions from many outside parties. It is currently maintained + by the MIT Kerberos Consortium. + .SH RESTRICTIONS + .sp +-Copyright 1985, 1986, 1989\-1996, 2002, 2011 Masachusetts Institute of +-Technology ++Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Masachusetts ++Institute of Technology + .SH AUTHOR + MIT + .SH COPYRIGHT diff --git a/SOURCES/Prefer-TCP-to-UDP-for-password-changes.patch b/SOURCES/Prefer-TCP-to-UDP-for-password-changes.patch index 9efa19f..31e62d1 100644 --- a/SOURCES/Prefer-TCP-to-UDP-for-password-changes.patch +++ b/SOURCES/Prefer-TCP-to-UDP-for-password-changes.patch @@ -1,4 +1,4 @@ -From c00a81874675b4c9c1c488863fc2ef780db1834d Mon Sep 17 00:00:00 2001 +From aa346834947ef65c293a29300b0f98b1825d8508 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 8 Oct 2018 16:02:12 -0400 Subject: [PATCH] Prefer TCP to UDP for password changes @@ -12,7 +12,6 @@ this issue. ticket: 7905 (cherry picked from commit d7b3018d338fc9c989c3fa17505870f23c3759a8) -(cherry picked from commit 8afeaa2eecbeae486320947892ace490870fefe8) --- src/lib/krb5/os/changepw.c | 110 ++++++++++++++----------------------- 1 file changed, 42 insertions(+), 68 deletions(-) diff --git a/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch b/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch index 187993d..189845f 100644 --- a/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch +++ b/SOURCES/Preserve-method-data-in-get_in_tkt.c.patch @@ -1,4 +1,4 @@ -From 129e5a5694783bb033532e5933b2eeefabc5a35d Mon Sep 17 00:00:00 2001 +From 5b52d5b4b1e65699dac6a53f0b6dbe545af4f689 Mon Sep 17 00:00:00 2001 
From: Greg Hudson
 Date: Fri, 13 Jan 2017 15:35:48 -0500
 Subject: [PATCH] Preserve method data in get_in_tkt.c
diff --git a/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch b/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch
index 7d73dde..abc663e 100644
--- a/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch
+++ b/SOURCES/Prevent-KDC-unset-status-assertion-failures.patch
@@ -1,4 +1,4 @@
-From 3b2376b47a9f1fc7dfd138d4ecc70e5d8897dc2b Mon Sep 17 00:00:00 2001
+From 3b9e328664c92d95e7e3ec3c14cb6c7cbac4c05d Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Thu, 13 Jul 2017 12:14:20 -0400
 Subject: [PATCH] Prevent KDC unset status assertion failures
diff --git a/SOURCES/Process-profile-includedir-in-sorted-order.patch b/SOURCES/Process-profile-includedir-in-sorted-order.patch
index 05ef4f5..577bfca 100644
--- a/SOURCES/Process-profile-includedir-in-sorted-order.patch
+++ b/SOURCES/Process-profile-includedir-in-sorted-order.patch
@@ -1,4 +1,4 @@
-From bcbc07379fec90a2026d621e864db9a1f2c31e92 Mon Sep 17 00:00:00 2001
+From f1f6eabb88391b796ee0eec1bb5d207002696f3e Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 6 Jun 2018 17:58:41 -0400
 Subject: [PATCH] Process profile includedir in sorted order
diff --git a/SOURCES/Properly-scope-per-request-preauth-data.patch b/SOURCES/Properly-scope-per-request-preauth-data.patch
index 624e6c3..adc77ed 100644
--- a/SOURCES/Properly-scope-per-request-preauth-data.patch
+++ b/SOURCES/Properly-scope-per-request-preauth-data.patch
@@ -1,4 +1,4 @@
-From 44fdcedd2a61cd40fe68aef533c878b5f2f665a8 Mon Sep 17 00:00:00 2001
+From b3472e687181719dec6561c96aca6036b34865a5 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Tue, 20 Dec 2016 16:06:24 -0500
 Subject: [PATCH] Properly scope per-request preauth data
diff --git a/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch b/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch
index af23c82..17bb5e5 100644
--- a/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch
+++ b/SOURCES/Remove-incomplete-PKINIT-OCSP-support.patch @@ -1,4 +1,4 @@ -From 9ff3ed399f9a5bb0c6101a986798d80ecc7a1b92 Mon Sep 17 00:00:00 2001 +From 771f85f6d84f1cce95c5246b700bd950295d8fb3 Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Mon, 31 Jul 2017 16:03:41 -0400 Subject: [PATCH] Remove incomplete PKINIT OCSP support diff --git a/SOURCES/Remove-incorrect-KDC-assertion.patch b/SOURCES/Remove-incorrect-KDC-assertion.patch index ae39781..f4f84c8 100644 --- a/SOURCES/Remove-incorrect-KDC-assertion.patch +++ b/SOURCES/Remove-incorrect-KDC-assertion.patch @@ -1,4 +1,4 @@ -From cf528eaa89db56d5825f2b04e8d46b50bd52bd08 Mon Sep 17 00:00:00 2001 +From ba85fb83677b6e46cf35e090fbb58129adbc048b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 15 Dec 2018 11:56:36 +0200 Subject: [PATCH] Remove incorrect KDC assertion @@ -23,7 +23,6 @@ version_fixed: 1.16.3 (cherry picked from commit 56870f9456da78d77a667dfc03a6d90f948dc3a5) (cherry picked from commit 2a96564f6fd53f2e1e8424d865c02349bfe5b818) -(cherry picked from commit a2749226a5930d15a1e31a4a4f3d9ecfb4cb250e) --- src/kdc/kdc_preauth.c | 1 - src/tests/gssapi/t_s4u.py | 7 +++++++ diff --git a/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch b/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch index 93c0351..572f91e 100644 --- a/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch +++ b/SOURCES/Remove-nodes-option-from-make-certs-scripts.patch @@ -1,4 +1,4 @@ -From 7e7719fcad9c0c5a14b4006989f5481dfbd78c3d Mon Sep 17 00:00:00 2001 +From db667872d9a4103ffc30d4bd570a378a184d7c7f Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 3 May 2018 14:40:45 -0400 Subject: [PATCH] Remove "-nodes" option from make-certs scripts diff --git a/SOURCES/Remove-sent_nontrivial_preauth-field.patch b/SOURCES/Remove-sent_nontrivial_preauth-field.patch index e5b0f89..f210bb9 100644 --- a/SOURCES/Remove-sent_nontrivial_preauth-field.patch +++ b/SOURCES/Remove-sent_nontrivial_preauth-field.patch 
@@ -1,4 +1,4 @@ -From 34acacec560fa0bb1beeaf1f54d50e580747d731 Mon Sep 17 00:00:00 2001 +From fd44fa60948a58634a3757be7c5c52fc671e48c7 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 16 Jan 2017 13:42:18 -0500 Subject: [PATCH] Remove sent_nontrivial_preauth field diff --git a/SOURCES/Return-UPN-SANs-as-strings.patch b/SOURCES/Return-UPN-SANs-as-strings.patch index c11efd0..1823f9e 100644 --- a/SOURCES/Return-UPN-SANs-as-strings.patch +++ b/SOURCES/Return-UPN-SANs-as-strings.patch @@ -1,4 +1,4 @@ -From c7c702a9fee22a0f5173d94d8b1d5c2fac975f5c Mon Sep 17 00:00:00 2001 +From 0f94f224f16f196d8d3fb56cfcf4a65bdd0f20c7 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 22 Mar 2018 20:07:17 -0400 Subject: [PATCH] Return UPN SANs as strings @@ -34,7 +34,7 @@ index c14f4456a..b6e4e0ac3 100644 id-ms-upn-san values found in the certificate are returned */ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index a38738f45..3f106973c 100644 +index cf2f16294..3949eb9c2 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -29,6 +29,7 @@ diff --git a/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch b/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch index 0502aa1..3930589 100644 --- a/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch +++ b/SOURCES/Save-SANs-separately-and-unparse-them-with-NO_REALM.patch @@ -1,4 +1,4 @@ -From 38692624d6e2f23309f6652c98dd04b0af37308c Mon Sep 17 00:00:00 2001 +From c796a84ffa455b60e08508f4b706f7ecae0054de Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Thu, 22 Mar 2018 19:46:22 -0400 Subject: [PATCH] Save SANs separately and unparse them with NO_REALM @@ -26,7 +26,7 @@ index a0176acad..c14f4456a 100644 /* 
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 1eb273808..a38738f45 100644 +index 34ed7afaf..cf2f16294 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -5110,6 +5110,9 @@ crypto_cert_free_matching_data(krb5_context context, diff --git a/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch b/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch index 4804c65..4035c1f 100644 --- a/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch +++ b/SOURCES/Simplify-PKINIT-cert-iteration-and-selection.patch @@ -1,4 +1,4 @@ -From 68c478bbc5a130bf4cc800b856da73b2fd5e83ed Mon Sep 17 00:00:00 2001 +From 5bca501af5e28e0a8f5194088fdaea53f5fa419f Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Tue, 21 Mar 2017 21:24:14 -0400 Subject: [PATCH] Simplify PKINIT cert iteration and selection @@ -124,7 +124,7 @@ index 49b96b8ee..a0176acad 100644 /* * Select the default certificate as "the chosen one" diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c -index 6a95f8035..b243dca30 100644 +index 6098acc6a..f70aab5b3 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -4974,136 +4974,16 @@ cleanup: diff --git a/SOURCES/Simplify-k5_preauth_tryagain.patch b/SOURCES/Simplify-k5_preauth_tryagain.patch index fe716dd..efb91ee 100644 --- a/SOURCES/Simplify-k5_preauth_tryagain.patch +++ b/SOURCES/Simplify-k5_preauth_tryagain.patch @@ -1,4 +1,4 @@ -From 9b525f2406da57eb7a064fc56398a41e2680999a Mon Sep 17 00:00:00 2001 +From e443dfe315a38607e7c9dcba219f73253d17032b Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 13 Jan 2017 20:45:48 -0500 Subject: [PATCH] Simplify k5_preauth_tryagain() 
diff --git a/SOURCES/Track-preauth-failures-instead-of-tries.patch b/SOURCES/Track-preauth-failures-instead-of-tries.patch index 3ef2750..b18ae37 100644 --- a/SOURCES/Track-preauth-failures-instead-of-tries.patch +++ b/SOURCES/Track-preauth-failures-instead-of-tries.patch @@ -1,4 +1,4 @@ -From 4a8e9b806ce2fc1234504498fc54f36dd8b482f8 Mon Sep 17 00:00:00 2001 +From 6a69660d9415bc49948143109759f36b2ad70d1b Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 13 Jan 2017 12:16:04 -0500 Subject: [PATCH] Track preauth failures instead of tries diff --git a/SOURCES/Update-man-pages-to-reference-kerberos-7.patch b/SOURCES/Update-man-pages-to-reference-kerberos-7.patch new file mode 100644 index 0000000..b5cdfe6 --- /dev/null +++ b/SOURCES/Update-man-pages-to-reference-kerberos-7.patch 
@@ -0,0 +1,475 @@ +From 7bcff005db31c62b37ea5c364cd65526cfaecbf1 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 15 Oct 2018 15:19:12 -0400 +Subject: [PATCH] Update man pages to reference kerberos(7) + +Remove broken references to old kerberos(1). Reference kerberos(7) +from all man pages, and create/update their environment section so +that it references kerberos(7). + +ticket: 8755 +(cherry picked from commit 52cbe198d0d6f0085d4653b2f6a1ecc84d139118) +[rharwood@redhat.com: git got weird about fuzz] +--- + doc/admin/admin_commands/k5srvutil.rst | 9 ++++++++- + doc/admin/admin_commands/kadmin_local.rst | 9 ++++++++- + doc/admin/admin_commands/kadmind.rst | 9 ++++++++- + doc/admin/admin_commands/kdb5_ldap_util.rst | 9 ++++++++- + doc/admin/admin_commands/kdb5_util.rst | 9 ++++++++- + doc/admin/admin_commands/kprop.rst | 8 ++++---- + doc/admin/admin_commands/kpropd.rst | 10 +++++++++- + doc/admin/admin_commands/kproplog.rst | 7 +++---- + doc/admin/admin_commands/krb5kdc.rst | 8 +++----- + doc/admin/admin_commands/ktutil.rst | 9 ++++++++- + doc/admin/admin_commands/sserver.rst | 9 ++++++++- + doc/user/user_commands/kdestroy.rst | 13 +++---------- + doc/user/user_commands/kinit.rst | 14 +++----------- + doc/user/user_commands/klist.rst | 13 +++---------- + doc/user/user_commands/kpasswd.rst | 9 ++++++++- + doc/user/user_commands/krb5-config.rst | 2 +- + doc/user/user_commands/ksu.rst | 13 +++++++++++++ + doc/user/user_commands/kswitch.rst | 14 ++++---------- + doc/user/user_commands/kvno.rst | 9 +++------ + doc/user/user_commands/sclient.rst | 8 +++++++- + 20 files changed, 120 insertions(+), 71 deletions(-) + +diff --git a/doc/admin/admin_commands/k5srvutil.rst b/doc/admin/admin_commands/k5srvutil.rst +index b873d9077..79502cf9e 100644 +--- a/doc/admin/admin_commands/k5srvutil.rst ++++ b/doc/admin/admin_commands/k5srvutil.rst +@@ -56,7 +56,14 @@ k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in + place. 
+ + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ + SEE ALSO + -------- + +-:ref:`kadmin(1)`, :ref:`ktutil(1)` ++:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst +index 50c3b99ea..0e955faf2 100644 +--- a/doc/admin/admin_commands/kadmin_local.rst ++++ b/doc/admin/admin_commands/kadmin_local.rst +@@ -989,7 +989,14 @@ The kadmin program was originally written by Tom Yu at MIT, as an + interface to the OpenVision Kerberos administration program. + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ + SEE ALSO + -------- + +-:ref:`kpasswd(1)`, :ref:`kadmind(8)` ++:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst +index f5b7733ea..8bfb48a32 100644 +--- a/doc/admin/admin_commands/kadmind.rst ++++ b/doc/admin/admin_commands/kadmind.rst +@@ -116,8 +116,15 @@ OPTIONS + ` in :ref:`kadmin(1)` for supported arguments. + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ + SEE ALSO + -------- + + :ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, +-:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)` ++:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/kdb5_ldap_util.rst b/doc/admin/admin_commands/kdb5_ldap_util.rst +index cbf313f55..343df4dd9 100644 +--- a/doc/admin/admin_commands/kdb5_ldap_util.rst ++++ b/doc/admin/admin_commands/kdb5_ldap_util.rst +@@ -456,7 +456,14 @@ Example:: + .. _kdb5_ldap_util_list_policy_end: + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. 
++ ++ + SEE ALSO + -------- + +-:ref:`kadmin(1)` ++:ref:`kadmin(1)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst +index 258498f0d..18a3fb627 100644 +--- a/doc/admin/admin_commands/kdb5_util.rst ++++ b/doc/admin/admin_commands/kdb5_util.rst +@@ -491,7 +491,14 @@ Examples:: + bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ + SEE ALSO + -------- + +-:ref:`kadmin(1)` ++:ref:`kadmin(1)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/kprop.rst b/doc/admin/admin_commands/kprop.rst +index 726c8cc2f..0bc353239 100644 +--- a/doc/admin/admin_commands/kprop.rst ++++ b/doc/admin/admin_commands/kprop.rst +@@ -49,12 +49,12 @@ OPTIONS + ENVIRONMENT + ----------- + +-*kprop* uses the following environment variable: +- +-* **KRB5_CONFIG** ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. + + + SEE ALSO + -------- + +-:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` ++:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, ++:ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/kpropd.rst b/doc/admin/admin_commands/kpropd.rst +index 5e01e2f14..36ad3344c 100644 +--- a/doc/admin/admin_commands/kpropd.rst ++++ b/doc/admin/admin_commands/kpropd.rst +@@ -124,7 +124,15 @@ kpropd.acl + will allow Kerberos database propagation via :ref:`kprop(8)`. + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. 
++ ++ + SEE ALSO + -------- + +-:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, inetd(8) ++:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, ++:ref:`kerberos(7)`, inetd(8) +diff --git a/doc/admin/admin_commands/kproplog.rst b/doc/admin/admin_commands/kproplog.rst +index ed906398d..b98e1b29b 100644 +--- a/doc/admin/admin_commands/kproplog.rst ++++ b/doc/admin/admin_commands/kproplog.rst +@@ -74,12 +74,11 @@ OPTIONS + ENVIRONMENT + ----------- + +-kproplog uses the following environment variables: +- +-* **KRB5_KDC_PROFILE** ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. + + + SEE ALSO + -------- + +-:ref:`kpropd(8)` ++:ref:`kpropd(8)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst +index 7ec4ee4d3..4bf9e0150 100644 +--- a/doc/admin/admin_commands/krb5kdc.rst ++++ b/doc/admin/admin_commands/krb5kdc.rst +@@ -110,14 +110,12 @@ description for further details. + ENVIRONMENT + ----------- + +-krb5kdc uses the following environment variables: +- +-* **KRB5_CONFIG** +-* **KRB5_KDC_PROFILE** ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. + + + SEE ALSO + -------- + + :ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, +-:ref:`kdb5_ldap_util(8)` ++:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst +index d55ddc894..5a6fc31a8 100644 +--- a/doc/admin/admin_commands/ktutil.rst ++++ b/doc/admin/admin_commands/ktutil.rst +@@ -127,7 +127,14 @@ EXAMPLE + ktutil: + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. 
++ ++ + SEE ALSO + -------- + +-:ref:`kadmin(1)`, :ref:`kdb5_util(8)` ++:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)` +diff --git a/doc/admin/admin_commands/sserver.rst b/doc/admin/admin_commands/sserver.rst +index b4e464466..a8dcf5d5b 100644 +--- a/doc/admin/admin_commands/sserver.rst ++++ b/doc/admin/admin_commands/sserver.rst +@@ -99,7 +99,14 @@ COMMON ERROR MESSAGES + probably not installed in the proper directory. + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ + SEE ALSO + -------- + +-:ref:`sclient(1)`, services(5), inetd(8) ++:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8) +diff --git a/doc/user/user_commands/kdestroy.rst b/doc/user/user_commands/kdestroy.rst +index b8c67aba4..c69d65667 100644 +--- a/doc/user/user_commands/kdestroy.rst ++++ b/doc/user/user_commands/kdestroy.rst +@@ -53,15 +53,8 @@ when you log out. + ENVIRONMENT + ----------- + +-kdestroy uses the following environment variable: +- +-**KRB5CCNAME** +- Location of the default Kerberos 5 credentials (ticket) cache, in +- the form *type*:*residual*. If no *type* prefix is present, the +- **FILE** type is assumed. The type of the default cache may +- determine the availability of a cache collection; for instance, a +- default cache of type **DIR** causes caches within the directory +- to be present in the collection. ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. 
+ + + FILES +@@ -74,4 +67,4 @@ FILES + SEE ALSO + -------- + +-:ref:`kinit(1)`, :ref:`klist(1)` ++:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` +diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst +index 3f9d5340f..33e6aa64f 100644 +--- a/doc/user/user_commands/kinit.rst ++++ b/doc/user/user_commands/kinit.rst +@@ -197,19 +197,11 @@ OPTIONS + specify use of RSA, rather than the default Diffie-Hellman + protocol + +- + ENVIRONMENT + ----------- + +-kinit uses the following environment variables: +- +-**KRB5CCNAME** +- Location of the default Kerberos 5 credentials cache, in the form +- *type*:*residual*. If no *type* prefix is present, the **FILE** +- type is assumed. The type of the default cache may determine the +- availability of a cache collection; for instance, a default cache +- of type **DIR** causes caches within the directory to be present +- in the collection. ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. + + + FILES +@@ -225,4 +217,4 @@ FILES + SEE ALSO + -------- + +-:ref:`klist(1)`, :ref:`kdestroy(1)`, kerberos(1) ++:ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` +diff --git a/doc/user/user_commands/klist.rst b/doc/user/user_commands/klist.rst +index c24c74132..88e457846 100644 +--- a/doc/user/user_commands/klist.rst ++++ b/doc/user/user_commands/klist.rst +@@ -105,15 +105,8 @@ value is used to locate the default ticket cache. + ENVIRONMENT + ----------- + +-klist uses the following environment variable: +- +-**KRB5CCNAME** +- Location of the default Kerberos 5 credentials (ticket) cache, in +- the form *type*:*residual*. If no *type* prefix is present, the +- **FILE** type is assumed. The type of the default cache may +- determine the availability of a cache collection; for instance, a +- default cache of type **DIR** causes caches within the directory +- to be present in the collection. ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. 
+ + + FILES +@@ -129,4 +122,4 @@ FILES + SEE ALSO + -------- + +-:ref:`kinit(1)`, :ref:`kdestroy(1)` ++:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` +diff --git a/doc/user/user_commands/kpasswd.rst b/doc/user/user_commands/kpasswd.rst +index 1b6463265..0583bbd05 100644 +--- a/doc/user/user_commands/kpasswd.rst ++++ b/doc/user/user_commands/kpasswd.rst +@@ -33,7 +33,14 @@ OPTIONS + identity of the user invoking the kpasswd command. + + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ + SEE ALSO + -------- + +-:ref:`kadmin(1)`, :ref:`kadmind(8)` ++:ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` +diff --git a/doc/user/user_commands/krb5-config.rst b/doc/user/user_commands/krb5-config.rst +index ee0fceaa3..2c09141a1 100644 +--- a/doc/user/user_commands/krb5-config.rst ++++ b/doc/user/user_commands/krb5-config.rst +@@ -80,4 +80,4 @@ the following output:: + SEE ALSO + -------- + +-kerberos(1), cc(1) ++:ref:`kerberos(7)`, cc(1) +diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst +index b2f9121f0..29487a838 100644 +--- a/doc/user/user_commands/ksu.rst ++++ b/doc/user/user_commands/ksu.rst +@@ -385,3 +385,16 @@ AUTHOR OF KSU + ------------- + + GENNADY (ARI) MEDVINSKY ++ ++ ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ ++ ++SEE ALSO ++-------- ++ ++:ref:`kerberos(7)`, :ref:`kinit(1)` +diff --git a/doc/user/user_commands/kswitch.rst b/doc/user/user_commands/kswitch.rst +index 56e5915ac..010332e6a 100644 +--- a/doc/user/user_commands/kswitch.rst ++++ b/doc/user/user_commands/kswitch.rst +@@ -32,15 +32,8 @@ OPTIONS + ENVIRONMENT + ----------- + +-kswitch uses the following environment variables: +- +-**KRB5CCNAME** +- Location of the default Kerberos 5 credentials (ticket) cache, in +- the form *type*:*residual*. If no *type* prefix is present, the +- **FILE** type is assumed. 
The type of the default cache may +- determine the availability of a cache collection; for instance, a +- default cache of type **DIR** causes caches within the directory +- to be present in the collection. ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. + + + FILES +@@ -53,4 +46,5 @@ FILES + SEE ALSO + -------- + +-:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`), kerberos(1) ++:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, ++:ref:`kerberos(7)` +diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst +index 31ca24460..f269fb3f9 100644 +--- a/doc/user/user_commands/kvno.rst ++++ b/doc/user/user_commands/kvno.rst +@@ -63,14 +63,11 @@ OPTIONS + delegation is not requested, the service name must match the + credentials cache client principal. + +- + ENVIRONMENT + ----------- + +-kvno uses the following environment variable: +- +-**KRB5CCNAME** +- Location of the credentials (ticket) cache. ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. + + + FILES +@@ -83,4 +80,4 @@ FILES + SEE ALSO + -------- + +-:ref:`kinit(1)`, :ref:`kdestroy(1)` ++:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` +diff --git a/doc/user/user_commands/sclient.rst b/doc/user/user_commands/sclient.rst +index ebf797253..1e3d38f82 100644 +--- a/doc/user/user_commands/sclient.rst ++++ b/doc/user/user_commands/sclient.rst +@@ -17,8 +17,14 @@ purposes. It contacts a sample server :ref:`sserver(8)` and + authenticates to it using Kerberos version 5 tickets, then displays + the server's response. + ++ENVIRONMENT ++----------- ++ ++See :ref:`kerberos(7)` for a description of Kerberos environment ++variables. ++ + + SEE ALSO + -------- + +-:ref:`kinit(1)`, :ref:`sserver(8)` ++:ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` diff --git a/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch b/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch index 21766ce..1451c55 100644 
--- a/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
+++ b/SOURCES/Use-SHA-256-instead-of-MD5-for-audit-ticket-IDs.patch
@@ -1,4 +1,4 @@
-From ec9660539473b0fe00974b6ef30078e0f3c0041f Mon Sep 17 00:00:00 2001
+From c931cdfaa3539e42cfc57caca6b67fe9a03227e2 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Tue, 10 Jul 2018 16:17:15 -0400
 Subject: [PATCH] Use SHA-256 instead of MD5 for audit ticket IDs
diff --git a/SOURCES/Use-a-hash-table-for-MEMORY-ccache-resolution.patch b/SOURCES/Use-a-hash-table-for-MEMORY-ccache-resolution.patch
index 77ccf6a..fe0a184 100644
--- a/SOURCES/Use-a-hash-table-for-MEMORY-ccache-resolution.patch
+++ b/SOURCES/Use-a-hash-table-for-MEMORY-ccache-resolution.patch
@@ -1,4 +1,4 @@
-From 779a298a583d64cb9a200cc35a4def3a120e03f7 Mon Sep 17 00:00:00 2001
+From 6e29836f794abdd91aa03d334b72b7a7f4800e92 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Sat, 4 Aug 2018 23:55:18 -0400
 Subject: [PATCH] Use a hash table for MEMORY ccache resolution
diff --git a/SOURCES/Use-krb5_timestamp-where-appropriate.patch b/SOURCES/Use-krb5_timestamp-where-appropriate.patch
index a7f2294..96705ed 100644
--- a/SOURCES/Use-krb5_timestamp-where-appropriate.patch
+++ b/SOURCES/Use-krb5_timestamp-where-appropriate.patch
@@ -1,4 +1,4 @@
-From f181bf6ee4ff66489895a8c543521cbec253d1f9 Mon Sep 17 00:00:00 2001
+From 6eda4c6a2cd301418b2efbfd737a86079abb02e9 Mon Sep 17 00:00:00 2001
 From: Greg Hudson
 Date: Wed, 17 May 2017 15:14:15 -0400
 Subject: [PATCH] Use krb5_timestamp where appropriate
diff --git a/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch b/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch
index 6be4cdb..ceedcda 100644
--- a/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch
+++ b/SOURCES/Use-the-canonical-client-principal-name-for-OTP.patch
@@ -1,4 +1,4 @@
-From 685698f8d33810ce085da4d75d1d8febe5323fd3 Mon Sep 17 00:00:00 2001
+From a23d45875c03d6284f6b5b2851d3ecb8d3ec88ce Mon Sep 17 00:00:00 2001
From: Matt Rogers
 Date: Wed, 5 Apr 2017 16:48:55 -0400
 Subject: [PATCH] Use the canonical client principal name for OTP
diff --git a/SOURCES/krb5.conf b/SOURCES/krb5.conf
index c5fa3cf..2356a60 100644
--- a/SOURCES/krb5.conf
+++ b/SOURCES/krb5.conf
@@ -12,7 +12,7 @@ includedir /etc/krb5.conf.d/
 renew_lifetime = 7d
 forwardable = true
 rdns = false
- pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
+ pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 # default_realm = EXAMPLE.COM
 [realms]
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 9378cf8..249e0ca 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -12,7 +12,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
-Release: 37%{?dist}.2
+Release: 46%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
@@ -64,7 +64,6 @@ Patch147: krb5-1.11-kpasswdtest.patch
 Patch148: Improve-PKINIT-UPN-SAN-matching.patch
 Patch149: Deindent-crypto_retrieve_X509_sans.patch
 Patch152: Add-certauth-pluggable-interface.patch
-Patch153: Correct-error-handling-bug-in-prior-commit.patch
 Patch154: Add-the-client_name-kdcpreauth-callback.patch
 Patch155: Use-the-canonical-client-principal-name-for-OTP.patch
 Patch156: Remove-incomplete-PKINIT-OCSP-support.patch
@@ -129,6 +128,15 @@ Patch215: Add-a-hash-table-implementation-to-libkrb5support.patch
 Patch216: Use-a-hash-table-for-MEMORY-ccache-resolution.patch
 Patch217: Remove-incorrect-KDC-assertion.patch
 Patch218: Prefer-TCP-to-UDP-for-password-changes.patch
+Patch219: Bring-back-general-kerberos-man-page.patch
+Patch220: Modernize-kerberos-7.patch
+Patch221: Update-man-pages-to-reference-kerberos-7.patch
+Patch222: Log-when-non-root-ksu-authorization-fails.patch
+Patch223: Correct-kpasswd_server-description-in-krb5.conf-5.patch
+Patch224: Address-some-optimized-out-memset-calls.patch
+Patch225: Add-the-certauth-dbmatch-module.patch
+Patch226: Correct-error-handling-bug-in-prior-commit.patch
+Patch227: Add-PKINIT-test-case-for-generic-client-cert.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -326,7 +334,6 @@ ONLY by kerberos itself. Do not depend on this package.
 %patch148 -p1 -b .Improve-PKINIT-UPN-SAN-matching
 %patch149 -p1 -b .Deindent-crypto_retrieve_X509_sans
 %patch152 -p1 -b .Add-certauth-pluggable-interface
-%patch153 -p1 -b .Correct-error-handling-bug-in-prior-commit
 %patch154 -p1 -b .Add-the-client_name-kdcpreauth-callback
 %patch155 -p1 -b .Use-the-canonical-client-principal-name-for-OTP
 %patch156 -p1 -b .Remove-incomplete-PKINIT-OCSP-support
@@ -391,6 +398,15 @@ ONLY by kerberos itself. Do not depend on this package.
 %patch216 -p1 -b .Use-a-hash-table-for-MEMORY-ccache-resolution
 %patch217 -p1 -b .Remove-incorrect-KDC-assertion
 %patch218 -p1 -b .Prefer-TCP-to-UDP-for-password-changes
+%patch219 -p1 -b .Bring-back-general-kerberos-man-page
+%patch220 -p1 -b .Modernize-kerberos-7
+%patch221 -p1 -b .Update-man-pages-to-reference-kerberos-7
+%patch222 -p1 -b .Log-when-non-root-ksu-authorization-fails
+%patch223 -p1 -b .Correct-kpasswd_server-description-in-krb5.conf-5
+%patch224 -p1 -b .Address-some-optimized-out-memset-calls
+%patch225 -p1 -b .Add-the-certauth-dbmatch-module
+%patch226 -p1 -b .Correct-error-handling-bug-in-prior-commit
+%patch227 -p1 -b .Add-PKINIT-test-case-for-generic-client-cert
 ln NOTICE LICENSE
@@ -837,6 +853,7 @@ exit 0
 /%{_mandir}/man5/k5identity.5*
 /%{_mandir}/man5/k5login.5*
 /%{_mandir}/man5/krb5.conf.5*
+/%{_mandir}/man7/kerberos.7*
 %{_libdir}/libgssapi_krb5.so.*
 %{_libdir}/libgssrpc.so.*
 %{_libdir}/libk5crypto.so.*
@@ -896,13 +913,41 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
-* Thu Jul 25 2019 Robbie Harwood - 1.15.1-37.el_7_7.2
+* Mon Jul 29 2019 Robbie Harwood - 1.15.1-46
+- Add pkinit_cert_match support
+- Resolves: #1656126
+
+* Mon Jul 29 2019 Robbie Harwood - 1.15.1-45
+- Install kerberos(7)
+- Resolves: #1704726
+
+* Mon Jul 29 2019 Robbie Harwood - 1.15.1-44
+- Address some optimized-out memset() calls
+- Resolves: #1663506
+
+* Mon Jul 29 2019 Robbie Harwood - 1.15.1-43
+- Correct kpasswd_server description in krb5.conf(5)
+- Resolves: #1498347
+
+* Mon Jul 29 2019 Robbie Harwood - 1.15.1-42
+- Log when non-root ksu authorization fails
+- Resolves: #1270927
+
+* Mon Jul 29 2019 Robbie Harwood - 1.15.1-41
+- Update man pages to reference kerberos(7)
+- Resolves: #1704726
+
+* Wed Jul 24 2019 Robbie Harwood - 1.15.1-40
 - Prefer TCP to UDP for password changes
-- Resolves: #1732743
+- Resolves: #1637349
-* Thu Jul 25 2019 Robbie Harwood - 1.15.1-37.el7_7.1
+* Mon Jul 22 2019 Robbie Harwood - 1.15.1-39
 - Remove incorrect KDC assertion
-- Resolves: #1732339
+- Resolves: #1673017
+
+* Mon Jul 22 2019 Robbie Harwood - 1.15.1-38
+- Add FILE prefix to pkinit_anchors field
+- Resolves: #1661338
 * Tue Dec 18 2018 Robbie Harwood - 1.15.1-37
 - Bring back builtin crypto (openssl broke too many FIPS setups)
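Review bot: The `FILE:` prefix on `pkinit_anchors` is the form krb5.conf(5) documents, but the value still names the whole system TLS CA bundle, so on a client shipped with this default every CA in `/etc/pki/tls/certs/ca-bundle.crt` is an acceptable issuer for a KDC certificate during PKINIT. That trust decision is invisible to anyone copying the file; a comment on the line would surface it, e.g. `# Every CA in the system TLS bundle is trusted to issue KDC certificates; point this at the realm CA when a private PKI is used.` The section header these keys sit under is outside the hunk, and the collapsed view appears to have lost a blank context line before `[realms]`.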
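Review bot: `Patch226: Correct-error-handling-bug-in-prior-commit.patch` is the same file dropped as Patch153 in the preceding `@@ -64,7 +64,6 @@` hunk, so this appears to be a reorder placing the fix after `Add-the-certauth-dbmatch-module.patch` rather than a new patch, yet nothing in the spec records that the position matters. A comment above the line, `# moved from Patch153 in 1.15.1-46; keep this after Patch225`, would stop a later rebase from restoring the old slot. The `%patch` hunks at `@@ -326,7 +334,6 @@` and `@@ -391,6 +398,15 @@` carry the same reorder and would want the same note.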