Russ Allbery [Wed, 15 Jan 2014 22:51:55 +0000 (14:51 -0800)]
Support signature verification and xz in watch
* Add necessary keyring and watch configuration for uscan to verify
PGP signatures on new upstream releases.
* Prefer xz compression in the watch configuration.
Russ Allbery [Fri, 11 Oct 2013 01:15:39 +0000 (18:15 -0700)]
Stop remapping Heimdal kpasswd error messages
Stop mapping password quality errors in the Heimdal kpasswd backend.
Instead, remove any prefix about an external password quality program
and pass the rest of the error message back to the user.
Russ Allbery [Sat, 5 Oct 2013 23:03:26 +0000 (16:03 -0700)]
Report better error when enabling or disabling unknown principals
Check the existence of the principal before enabling or disabling it
in the Heimdal backend so that nonexistent principals report a clearer
error message instead of an internal error about getAttributes
failure.
Jon Robertson [Wed, 2 Oct 2013 21:37:45 +0000 (14:37 -0700)]
kadmin-backend-heim: Updated string expected in password changing
kpasswd changed some of the output it gives when changing a password, so
that expect was failing to match. Updated to include both new and old
format of the new password verification line.
Russ Allbery [Tue, 13 Aug 2013 22:22:19 +0000 (15:22 -0700)]
Increase kpasswd timeouts and fix Perl warnings
Also increase the timeout after doing the password change from 30
seconds to 60 seconds to reflect delays that we've seen in production.
Fix another Perl warning if the password change times out.
Russ Allbery [Tue, 13 Aug 2013 22:20:10 +0000 (15:20 -0700)]
Use get instead of list when checking for a principal on Heimdal
In the Heimdal backend, use get instead of list to check whether a
given principal already exists. list requires a complete database
traversal and is much more resource-intensive.
Increase timeout on kpasswd initial authentication
Increase the timeout for initial authentication during a kpasswd
password change to ten seconds. The previous timeout of two seconds
was occasionally too short in production. Also fix a Perl warning if
the initial authentication times out.
Increase timeout on kpasswd initial authentication
Increase the timeout for initial authentication during a kpasswd
password change to ten seconds. The previous timeout of two seconds
was occasionally too short in production. Also fix a Perl warning if
the initial authentication times out.
Fix MIT references in kadmin-backend-heim documentation
Some of the kadmin-backend-heim documentation assumed configuration
for MIT Kerberos, referenced MIT Kerberos flags, or talked about
running an external kadmin binary. Fix all of that, and also clean
up references to Kerberos v5 and be explicit about the KDC
implementation where appropriate.
Change the default principal regex to allow two characters
Change the default allowed principal regex to allow two-character user
principals. This is just a default and can be overridden by setting
the allowed key in the configuration.
Set the disallow-svr flag on all newly-created principals. This
prohibits obtaining service tickets for the principal, which provides
some hardening against brute force attacks. Since the create command
is designed for creation of user principals, not service principals,
and use of service tickets for user principals is quite obscure and
rare in Kerberos, this seems like a better default.
Russ Allbery [Mon, 25 Mar 2013 22:31:19 +0000 (15:31 -0700)]
Fix a segfault in passwd_change on aborted authentication
If one aborts the initial Kerberos authentication, passwd_change
attempted to free a credential cache that was NULL. Set ccache
to NULL until it's reused to avoid that behavior.
Russ Allbery [Mon, 25 Mar 2013 17:55:17 +0000 (10:55 -0700)]
Use dh-autoreconf with --as-needed
* Use dh-autoreconf to rebuild the Autotools build system, and link with
--as-needed to remove the additional unnecessarily library
dependencies for the client.
Russ Allbery [Mon, 25 Mar 2013 17:38:09 +0000 (10:38 -0700)]
Move single-debian-patch to local-options
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages I build and
NMUs get regular version-numbered patches.
Russ Allbery [Mon, 25 Mar 2013 16:33:34 +0000 (09:33 -0700)]
Update to rra-c-util 4.8
* Fix Heimdal libroken probes for old versions of Heimdal.
* Fix Kerberos header probing with non-standard include paths.
* Pass --deps to krb5-config if it is supported.
* Properly find krb5.h on NetBSD systems.
* Fix stripping of -I/usr/include from krb5-config output.
* Avoid using krb5-config if specific Kerberos paths are configured.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
* Replace concat with xasprintf.
* xasprintf is now void and always calls the failure handler on error.
* Improve __attribute__ portability to old GCC or non-GCC compilers.
* Add -D_FORTIFY_SOURCE=2 to make warnings flags.
* Probe for ssize_t and replace it in portable/system.h if not found.
* Include strings.h in portable/system.h if it exists.
* Add a pointer to rra-c-util in all files.
Russ Allbery [Tue, 12 Mar 2013 02:30:02 +0000 (19:30 -0700)]
Exit with non-zero status if check_passwd fails
Exit with a non-zero status if the check_passwd command rejects the
password. Previously, an error would be reported but the backend
would always report a successful zero status if the password could be
checked, even if it was rejected.
Russ Allbery [Tue, 12 Mar 2013 02:19:50 +0000 (19:19 -0700)]
In Heimdal version, do password strength check with IPC::Run
Something about the workaround code to suppress the stderr result
from Heimdal's libraries causes STDERR handling to get messed up
in Perl. Since the password strength checking program returns its
error on stderr, this is a problem. IPC::Run works properly and is
much more succinct, so switch to it.
Russ Allbery [Mon, 25 Feb 2013 04:23:30 +0000 (20:23 -0800)]
Further Heimdal error handling fixes
Clean up error reporting in the Heimdal version of kadmin-backend.
Use the correct (rather than the documented) way to tell
Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
functions uniformly use the same standard error formatting and exit
status for kadmin failures.
Also suppress the standard error output from the Heimdal library since
Heimdal::Kadm5 does not.
Russ Allbery [Fri, 22 Feb 2013 02:21:38 +0000 (18:21 -0800)]
Retry connecting to Heimdal if the first try fails
In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
may not be fully appropriate for other sites. Even on a successful
reconnect, this will cause some errors to be sent to standard error
due to the behavior of Heimdal::Kadm5.
Russ Allbery [Thu, 9 Jun 2011 21:33:44 +0000 (14:33 -0700)]
Update to rra-c-util 3.6
* Check for krb5-config in /usr/kerberos/bin as well as user's PATH.
* Add replacement for krb5_appdefault_* functions for AIX Kerberos.
* Fix broken GCC attribute markers.
* Fix Kerberos library probing without transitive shared libraries.
* Suppress warnings when probing for AIX-only Kerberos headers.
* Support Heimdal GSS-API on OpenBSD without a separate libroken.
* Update GCC warning flags for GCC 4.6.1.
Russ Allbery [Wed, 8 Jun 2011 20:26:04 +0000 (13:26 -0700)]
Add support for separate password change blacklist
Add support for a separate blacklist of principals whose passwords
cannot be changed with reset_passwd but who do not themselves have the
ability to reset passwords.
Russ Allbery [Thu, 6 Jan 2011 20:20:50 +0000 (12:20 -0800)]
Correctly handle incorrect password errors from Heimdal
Properly handle incorrect password errors from Heimdal's kpasswd.
Previously, if change_passwd failed because the original password was
incorrect, kadmin-remctl would output a confusing Expect error.
Jon Robertson [Thu, 5 Aug 2010 04:21:39 +0000 (21:21 -0700)]
Fixed to kadmin_create default attributes in kadmin-backend-heim
The code for creating a Kerberos principal was trying to get the default
set of attributes and then modify them before fully creating the account,
in order to properly create a disabled account. However, the default
attributes seem to not be created until the principal is fully created,
so we actually lose the default attributes by doing so. As a fix, hand
the routine our own default set of attributes. This isn't optimal, but
it's better than nothing.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
include a custom patch header explaining that it is a rollup of any
fixes cherry-picked from upstream and breaking those patches out
separately would be work for no gain.
* Restore default settings after probing for GSS-API libraries.
* Support the *BSD build of Heimdal in the Kerberos probes.
* Fix krb5_free_error_message replacement for older Kerberos libraries.
The MIT implementation of check_expires was calling str2time twice.
Also update the documentation to reflect that the second argument to
check_expires is optional and "now" is a valid expiration time.
Jon Robertson [Fri, 11 Jun 2010 07:28:19 +0000 (00:28 -0700)]
kadmin-backend: Fixed expiration time output
When expiration time was not set but password expiration time was, and
the soonest time of the two was requested, nothing was returned. Fixed
this to return the password expiration time.
Jon Robertson [Wed, 26 May 2010 18:14:08 +0000 (11:14 -0700)]
Added more support for account and password expiration
* Fixed bugs in the existing expiration command for Heimdal, and added
it to the help command for both MIT and Heimdal.
* Added pwexpiration command that works like the expiration command, but
for password expiration.
* Added check_expire command that will return expiration times in GMT
for either account or password expiration.
The commands have been tested against Heimdal, though not yet against MIT.