Fix MIT references in kadmin-backend-heim documentation
Some of the kadmin-backend-heim documentation assumed configuration
for MIT Kerberos, referenced MIT Kerberos flags, or talked about
running an external kadmin binary. Fix all of that, and also clean
up references to Kerberos v5 and be explicit about the KDC
implementation where appropriate.
Change the default principal regex to allow two characters
Change the default allowed principal regex to allow two-character user
principals. This is just a default and can be overridden by setting
the allowed key in the configuration.
Set the disallow-svr flag on all newly-created principals. This
prohibits obtaining service tickets for the principal, which provides
some hardening against brute force attacks. Since the create command
is designed for creation of user principals, not service principals,
and use of service tickets for user principals is quite obscure and
rare in Kerberos, this seems like a better default.
Russ Allbery [Mon, 25 Mar 2013 22:31:19 +0000 (15:31 -0700)]
Fix a segfault in passwd_change on aborted authentication
If one aborts the initial Kerberos authentication, passwd_change
attempted to free a credential cache that was NULL. Set ccache
to NULL until it's reused to avoid that behavior.
Russ Allbery [Mon, 25 Mar 2013 17:55:17 +0000 (10:55 -0700)]
Use dh-autoreconf with --as-needed
* Use dh-autoreconf to rebuild the Autotools build system, and link with
--as-needed to remove the additional unnecessarily library
dependencies for the client.
Russ Allbery [Mon, 25 Mar 2013 17:38:09 +0000 (10:38 -0700)]
Move single-debian-patch to local-options
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages I build and
NMUs get regular version-numbered patches.
Russ Allbery [Mon, 25 Mar 2013 16:33:34 +0000 (09:33 -0700)]
Update to rra-c-util 4.8
* Fix Heimdal libroken probes for old versions of Heimdal.
* Fix Kerberos header probing with non-standard include paths.
* Pass --deps to krb5-config if it is supported.
* Properly find krb5.h on NetBSD systems.
* Fix stripping of -I/usr/include from krb5-config output.
* Avoid using krb5-config if specific Kerberos paths are configured.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
* Replace concat with xasprintf.
* xasprintf is now void and always calls the failure handler on error.
* Improve __attribute__ portability to old GCC or non-GCC compilers.
* Add -D_FORTIFY_SOURCE=2 to make warnings flags.
* Probe for ssize_t and replace it in portable/system.h if not found.
* Include strings.h in portable/system.h if it exists.
* Add a pointer to rra-c-util in all files.
Russ Allbery [Tue, 12 Mar 2013 02:30:02 +0000 (19:30 -0700)]
Exit with non-zero status if check_passwd fails
Exit with a non-zero status if the check_passwd command rejects the
password. Previously, an error would be reported but the backend
would always report a successful zero status if the password could be
checked, even if it was rejected.
Russ Allbery [Tue, 12 Mar 2013 02:19:50 +0000 (19:19 -0700)]
In Heimdal version, do password strength check with IPC::Run
Something about the workaround code to suppress the stderr result
from Heimdal's libraries causes STDERR handling to get messed up
in Perl. Since the password strength checking program returns its
error on stderr, this is a problem. IPC::Run works properly and is
much more succinct, so switch to it.
Russ Allbery [Mon, 25 Feb 2013 04:23:30 +0000 (20:23 -0800)]
Further Heimdal error handling fixes
Clean up error reporting in the Heimdal version of kadmin-backend.
Use the correct (rather than the documented) way to tell
Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
functions uniformly use the same standard error formatting and exit
status for kadmin failures.
Also suppress the standard error output from the Heimdal library since
Heimdal::Kadm5 does not.
Russ Allbery [Fri, 22 Feb 2013 02:21:38 +0000 (18:21 -0800)]
Retry connecting to Heimdal if the first try fails
In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
may not be fully appropriate for other sites. Even on a successful
reconnect, this will cause some errors to be sent to standard error
due to the behavior of Heimdal::Kadm5.
Russ Allbery [Thu, 9 Jun 2011 21:33:44 +0000 (14:33 -0700)]
Update to rra-c-util 3.6
* Check for krb5-config in /usr/kerberos/bin as well as user's PATH.
* Add replacement for krb5_appdefault_* functions for AIX Kerberos.
* Fix broken GCC attribute markers.
* Fix Kerberos library probing without transitive shared libraries.
* Suppress warnings when probing for AIX-only Kerberos headers.
* Support Heimdal GSS-API on OpenBSD without a separate libroken.
* Update GCC warning flags for GCC 4.6.1.
Russ Allbery [Wed, 8 Jun 2011 20:26:04 +0000 (13:26 -0700)]
Add support for separate password change blacklist
Add support for a separate blacklist of principals whose passwords
cannot be changed with reset_passwd but who do not themselves have the
ability to reset passwords.
Russ Allbery [Thu, 6 Jan 2011 20:20:50 +0000 (12:20 -0800)]
Correctly handle incorrect password errors from Heimdal
Properly handle incorrect password errors from Heimdal's kpasswd.
Previously, if change_passwd failed because the original password was
incorrect, kadmin-remctl would output a confusing Expect error.
Jon Robertson [Thu, 5 Aug 2010 04:21:39 +0000 (21:21 -0700)]
Fixed to kadmin_create default attributes in kadmin-backend-heim
The code for creating a Kerberos principal was trying to get the default
set of attributes and then modify them before fully creating the account,
in order to properly create a disabled account. However, the default
attributes seem to not be created until the principal is fully created,
so we actually lose the default attributes by doing so. As a fix, hand
the routine our own default set of attributes. This isn't optimal, but
it's better than nothing.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
include a custom patch header explaining that it is a rollup of any
fixes cherry-picked from upstream and breaking those patches out
separately would be work for no gain.
* Restore default settings after probing for GSS-API libraries.
* Support the *BSD build of Heimdal in the Kerberos probes.
* Fix krb5_free_error_message replacement for older Kerberos libraries.
The MIT implementation of check_expires was calling str2time twice.
Also update the documentation to reflect that the second argument to
check_expires is optional and "now" is a valid expiration time.
Jon Robertson [Fri, 11 Jun 2010 07:28:19 +0000 (00:28 -0700)]
kadmin-backend: Fixed expiration time output
When expiration time was not set but password expiration time was, and
the soonest time of the two was requested, nothing was returned. Fixed
this to return the password expiration time.
Jon Robertson [Wed, 26 May 2010 18:14:08 +0000 (11:14 -0700)]
Added more support for account and password expiration
* Fixed bugs in the existing expiration command for Heimdal, and added
it to the help command for both MIT and Heimdal.
* Added pwexpiration command that works like the expiration command, but
for password expiration.
* Added check_expire command that will return expiration times in GMT
for either account or password expiration.
The commands have been tested against Heimdal, though not yet against MIT.
Russ Allbery [Sun, 16 May 2010 19:17:36 +0000 (12:17 -0700)]
Improve principal creation attributes for Heimdal
In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or
KADM5_POLICY_CLR as attributes when creating a new principal. These
are not valid attribute values and end up setting or clearing large
numbers of other attributes.
In the Heimdal backend, don't unconditionally set the preauth required
attribute on newly created principals. This should be handled using
the "default" principal in Heimdal to configure the desired default
principal lifetime and attributes.
Russ Allbery [Fri, 26 Mar 2010 06:09:45 +0000 (23:09 -0700)]
Replace checking with policy for kadmin-backend
kadmin-backend for an MIT Kerberos server no longer has the boolean
checking configuration parameter, which said whether to do password
checking. Instead, there is a new policy configuration parameter
which, if set, sets that password policy for newly created accounts.
To duplicate the previous behavior when checking was true, set policy
to "standard".
Garrett Wollman [Fri, 26 Mar 2010 04:17:06 +0000 (21:17 -0700)]
Add expiration command and kadmin extra options
Add an expiration command to the MIT Kerberos interface that sets the
expiration time for a principal. Add an extra_options configuration
parameter that adds extra options to the kadmin create command for that
principal.