Russ Allbery [Wed, 15 Jan 2014 22:31:32 +0000 (14:31 -0800)]
Update to rra-c-util 5.1
* Don't attempt to use Kerberos if no Kerberos error APIs were found.
* Improve error handling in xasprintf and xvasprintf.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
Russ Allbery [Wed, 15 Jan 2014 20:59:08 +0000 (12:59 -0800)]
Map create and reset_passwd quality failures to a generic message
In the Heimdal backend, map password quality errors on account
creation or password reset to a generic error. The kadmin protocol
doesn't have a mechanism for passing back the rich error message from
the password quality check, so all failures use the same error string.
Remap it here, since the error message from Heimdal is of dubious
accuracy. This will only apply to sites that have patched Heimdal to
do password quality checks on administrative operations.
Russ Allbery [Wed, 15 Jan 2014 03:06:22 +0000 (19:06 -0800)]
Add configuration option to set initial password expiration
Add a new per-instance configuration option to set the password
expiration time for newly-created principals. Be aware that this only
controls the initial expiration period. After the first password
change, further expiration periods are normally controlled by the KDC
configuration or policy.
Russ Allbery [Fri, 11 Oct 2013 01:15:39 +0000 (18:15 -0700)]
Stop remapping Heimdal kpasswd error messages
Stop mapping password quality errors in the Heimdal kpasswd backend.
Instead, remove any prefix about an external password quality program
and pass the rest of the error message back to the user.
Russ Allbery [Sat, 5 Oct 2013 23:03:26 +0000 (16:03 -0700)]
Report better error when enabling or disabling unknown principals
Check the existence of the principal before enabling or disabling it
in the Heimdal backend so that nonexistent principals report a clearer
error message instead of an internal error about getAttributes
failure.
Jon Robertson [Wed, 2 Oct 2013 21:37:45 +0000 (14:37 -0700)]
kadmin-backend-heim: Updated string expected in password changing
kpasswd changed some of the output it gives when changing a password, so
that expect was failing to match. Updated to include both new and old
format of the new password verification line.
Russ Allbery [Tue, 13 Aug 2013 22:22:19 +0000 (15:22 -0700)]
Increase kpasswd timeouts and fix Perl warnings
Also increase the timeout after doing the password change from 30
seconds to 60 seconds to reflect delays that we've seen in production.
Fix another Perl warning if the password change times out.
Russ Allbery [Tue, 13 Aug 2013 22:20:10 +0000 (15:20 -0700)]
Use get instead of list when checking for a principal on Heimdal
In the Heimdal backend, use get instead of list to check whether a
given principal already exists. list requires a complete database
traversal and is much more resource-intensive.
Increase timeout on kpasswd initial authentication
Increase the timeout for initial authentication during a kpasswd
password change to ten seconds. The previous timeout of two seconds
was occasionally too short in production. Also fix a Perl warning if
the initial authentication times out.
Fix MIT references in kadmin-backend-heim documentation
Some of the kadmin-backend-heim documentation assumed configuration
for MIT Kerberos, referenced MIT Kerberos flags, or talked about
running an external kadmin binary. Fix all of that, and also clean
up references to Kerberos v5 and be explicit about the KDC
implementation where appropriate.
Change the default principal regex to allow two characters
Change the default allowed principal regex to allow two-character user
principals. This is just a default and can be overridden by setting
the allowed key in the configuration.
Set the disallow-svr flag on all newly-created principals. This
prohibits obtaining service tickets for the principal, which provides
some hardening against brute force attacks. Since the create command
is designed for creation of user principals, not service principals,
and use of service tickets for user principals is quite obscure and
rare in Kerberos, this seems like a better default.
Russ Allbery [Mon, 25 Mar 2013 22:31:19 +0000 (15:31 -0700)]
Fix a segfault in passwd_change on aborted authentication
If one aborts the initial Kerberos authentication, passwd_change
attempted to free a credential cache that was NULL. Set ccache
to NULL until it's reused to avoid that behavior.
Russ Allbery [Mon, 25 Mar 2013 16:33:34 +0000 (09:33 -0700)]
Update to rra-c-util 4.8
* Fix Heimdal libroken probes for old versions of Heimdal.
* Fix Kerberos header probing with non-standard include paths.
* Pass --deps to krb5-config if it is supported.
* Properly find krb5.h on NetBSD systems.
* Fix stripping of -I/usr/include from krb5-config output.
* Avoid using krb5-config if specific Kerberos paths are configured.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
* Replace concat with xasprintf.
* xasprintf is now void and always calls the failure handler on error.
* Improve __attribute__ portability to old GCC or non-GCC compilers.
* Add -D_FORTIFY_SOURCE=2 to make warnings flags.
* Probe for ssize_t and replace it in portable/system.h if not found.
* Include strings.h in portable/system.h if it exists.
* Add a pointer to rra-c-util in all files.
Russ Allbery [Tue, 12 Mar 2013 02:30:02 +0000 (19:30 -0700)]
Exit with non-zero status if check_passwd fails
Exit with a non-zero status if the check_passwd command rejects the
password. Previously, an error would be reported but the backend
would always report a successful zero status if the password could be
checked, even if it was rejected.
Russ Allbery [Tue, 12 Mar 2013 02:19:50 +0000 (19:19 -0700)]
In Heimdal version, do password strength check with IPC::Run
Something about the workaround code to suppress the stderr result
from Heimdal's libraries causes STDERR handling to get messed up
in Perl. Since the password strength checking program returns its
error on stderr, this is a problem. IPC::Run works properly and is
much more succinct, so switch to it.
Russ Allbery [Mon, 25 Feb 2013 04:23:30 +0000 (20:23 -0800)]
Further Heimdal error handling fixes
Clean up error reporting in the Heimdal version of kadmin-backend.
Use the correct (rather than the documented) way to tell
Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
functions uniformly use the same standard error formatting and exit
status for kadmin failures.
Also suppress the standard error output from the Heimdal library since
Heimdal::Kadm5 does not.
Russ Allbery [Fri, 22 Feb 2013 02:21:38 +0000 (18:21 -0800)]
Retry connecting to Heimdal if the first try fails
In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
may not be fully appropriate for other sites. Even on a successful
reconnect, this will cause some errors to be sent to standard error
due to the behavior of Heimdal::Kadm5.
Russ Allbery [Thu, 9 Jun 2011 21:33:44 +0000 (14:33 -0700)]
Update to rra-c-util 3.6
* Check for krb5-config in /usr/kerberos/bin as well as user's PATH.
* Add replacement for krb5_appdefault_* functions for AIX Kerberos.
* Fix broken GCC attribute markers.
* Fix Kerberos library probing without transitive shared libraries.
* Suppress warnings when probing for AIX-only Kerberos headers.
* Support Heimdal GSS-API on OpenBSD without a separate libroken.
* Update GCC warning flags for GCC 4.6.1.
Russ Allbery [Wed, 8 Jun 2011 20:26:04 +0000 (13:26 -0700)]
Add support for separate password change blacklist
Add support for a separate blacklist of principals whose passwords
cannot be changed with reset_passwd but who do not themselves have the
ability to reset passwords.
Russ Allbery [Thu, 6 Jan 2011 20:20:50 +0000 (12:20 -0800)]
Correctly handle incorrect password errors from Heimdal
Properly handle incorrect password errors from Heimdal's kpasswd.
Previously, if change_passwd failed because the original password was
incorrect, kadmin-remctl would output a confusing Expect error.
Jon Robertson [Thu, 5 Aug 2010 04:21:39 +0000 (21:21 -0700)]
Fixed to kadmin_create default attributes in kadmin-backend-heim
The code for creating a Kerberos principal was trying to get the default
set of attributes and then modify them before fully creating the account,
in order to properly create a disabled account. However, the default
attributes seem to not be created until the principal is fully created,
so we actually lose the default attributes by doing so. As a fix, hand
the routine our own default set of attributes. This isn't optimal, but
it's better than nothing.
* Restore default settings after probing for GSS-API libraries.
* Support the *BSD build of Heimdal in the Kerberos probes.
* Fix krb5_free_error_message replacement for older Kerberos libraries.
The MIT implementation of check_expires was calling str2time twice.
Also update the documentation to reflect that the second argument to
check_expires is optional and "now" is a valid expiration time.
Jon Robertson [Fri, 11 Jun 2010 07:28:19 +0000 (00:28 -0700)]
kadmin-backend: Fixed expiration time output
When expiration time was not set but password expiration time was, and
the soonest time of the two was requested, nothing was returned. Fixed
this to return the password expiration time.
Jon Robertson [Wed, 26 May 2010 18:14:08 +0000 (11:14 -0700)]
Added more support for account and password expiration
* Fixed bugs in the existing expiration command for Heimdal, and added
it to the help command for both MIT and Heimdal.
* Added pwexpiration command that works like the expiration command, but
for password expiration.
* Added check_expire command that will return expiration times in GMT
for either account or password expiration.
The commands have been tested against Heimdal, though not yet against MIT.
Russ Allbery [Sun, 16 May 2010 19:17:36 +0000 (12:17 -0700)]
Improve principal creation attributes for Heimdal
In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or
KADM5_POLICY_CLR as attributes when creating a new principal. These
are not valid attribute values and end up setting or clearing large
numbers of other attributes.
In the Heimdal backend, don't unconditionally set the preauth required
attribute on newly created principals. This should be handled using
the "default" principal in Heimdal to configure the desired default
principal lifetime and attributes.
Russ Allbery [Fri, 26 Mar 2010 06:09:45 +0000 (23:09 -0700)]
Replace checking with policy for kadmin-backend
kadmin-backend for an MIT Kerberos server no longer has the boolean
checking configuration parameter, which said whether to do password
checking. Instead, there is a new policy configuration parameter
which, if set, sets that password policy for newly created accounts.
To duplicate the previous behavior when checking was true, set policy
to "standard".
Garrett Wollman [Fri, 26 Mar 2010 04:17:06 +0000 (21:17 -0700)]
Add expiration command and kadmin extra options
Add an expiration command to the MIT Kerberos interface that sets the
expiration time for a principal. Add an extra_options configuration
parameter that adds extra options to the kadmin create command for that
principal.
Russ Allbery [Tue, 16 Feb 2010 18:10:52 +0000 (10:10 -0800)]
Map all external check errors to the same generic kpasswd error
For the Heimdal version of kadmin-backend, map all errors from the
external password check program except for password too short errors
to the same generic kpasswd string, maintaining our interface for AS
systems even if Cracklib provides specific errors.
Russ Allbery [Tue, 16 Feb 2010 18:00:48 +0000 (10:00 -0800)]
Do password strength checking for create and reset_passwd
For the Heimdal version of kadmin-backend, do password strength checking
and report a proper error in both create and reset_passwd. Previously,
a failure of strength checking would cause a silent failure to create a
principal.
Jon Robertson [Tue, 16 Feb 2010 17:52:24 +0000 (09:52 -0800)]
Added translation of MIT kpasswd errors to Heimdal
For downstream apps that currently expect the change_passwd errors to be
specific strings, we translate known error cases from Heimdal kpasswd to
the matching error cases from MIT kpasswd.
Russ Allbery [Thu, 11 Feb 2010 04:55:46 +0000 (20:55 -0800)]
Use external program password checking in kadmin-backend-heim
Use the Heimdal external program API for password strength checking in
kadmin-backend-heim and check password strength on create if strength
checking is enabled for that instance, since the Heimdal kadmin API
doesn't enforce password strength on passwords changed by
administrators.
Russ Allbery [Wed, 10 Feb 2010 23:06:08 +0000 (15:06 -0800)]
Cast result_string in ksetpass for Heimdal
The Heimdal krb5_set_password_using_ccache function returns krb5_data
structs and on Heimdal the data element is a void *. Cast it to a
char * for our diagnostic output.
Russ Allbery [Wed, 10 Feb 2010 23:03:58 +0000 (15:03 -0800)]
Rewrite the error handling in ksetpass and passwd_change
Take advantage of the new portability layer and use die/warn and
die_krb5/warn_krb5 where appropriate. Use xmalloc and concat functions
where appropriate. Use the Kerberos portability layer to avoid calling
deprecated functions on Heimdal.
Jon Robertson [Wed, 10 Feb 2010 16:44:31 +0000 (08:44 -0800)]
Multiple output and production readiness fixes
* Changed formatting of Expect statements for kpasswd to use Heimdal
kpasswd.
* Removed testing line that was specifying realm.
* Fixed date output for the examine command.
* Fixed days output for the examine command when only one day.
* Fixed output for the examine command when principal does not exist.
* Fixed bug in kadmin_reset with sending instance rather than principal to
be reset.
Jon Robertson [Tue, 26 Jan 2010 00:45:13 +0000 (16:45 -0800)]
Added ability to ignore enable for locked accounts
Added a new configuration option for each instance type, locked. This is
an array containing a command and all arguments to it, which is used to
determine if a principal is marked to not be re-enabled via kadmin-backend.
If no command is set, none is checked. The command is given the instance
name, and if the command returns 0, then the instance is locked and may
not be re-enabled via this interface. This is done to support accounts
that may be locked for policy reasons, where we must go through extra steps
befor re-enabling the command.
Jon Robertson [Wed, 13 Jan 2010 20:26:58 +0000 (12:26 -0800)]
Added translator of Heimdal output to MIT get output
Heimdal uses a different syntax for the output of its get command than
MIT's getprinc. The output from the examine command was originally based
upon the Heimdal::Kadm5 'dump' command, which models its output off of
Heimdal's get command. Because downstream apps might be taking the output
of kadmin-backend examine, we replicate the Heimdal::Kadm5 code to
construct the get output here, but modelled to replicate MIT instead. In
the long term, we would love to verify and have any applications using
the output fixed so that we aren't taking the arbitrary workaround.
Jon Robertson [Thu, 10 Dec 2009 18:58:55 +0000 (10:58 -0800)]
Added version of kadmin-backend for Heimdal
kadmin-backend-heim will use Heimdal::Kadm5 to operate on a Heimdal KDC
as kadmin-backend works on an MIT KDC. All functions are the same, and
it is identical from a use standpoint. The longer-term plan will merge
the two back together and let kadmin-backend choose whether to use Heimdal
or MIT based on a config file value, but that is waiting on some discovery
first.
projects / kerberos / kadmin-remctl.git / log