Commit 892a8f2d authored by Russ Allbery

Cleanup of MIT Kerberos 1.9 support

Do some code and syntax cleanup, update NEWS and README, rename the
file to match the current naming convention, and fix the prototype
of the external function we provide.
parent 46c1a4a2
The krb5-sync package as a whole is:
Copyright 2006, 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr.
University. All rights reserved.
Copyright 2006, 2007, 2008, 2010, 2011 The Board of Trustees of the
Leland Stanford Junior University. All rights reserved.
and covered under the following license:
......@@ -28,8 +28,9 @@ files.
Collected copyright notices for the entire package:
Copyright 2009 Russ Allbery <rra@stanford.edu>
Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
Board of Trustees, Leland Stanford Jr. University
Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011
The Board of Trustees of the Leland Stanford Junior University
Copyright 2010 The Massachusetts Institute of Technology
Copyright (c) 2004, 2005, 2006, 2007, 2008, 2009
by Internet Systems Consortium, Inc. ("ISC")
Copyright (c) 1991, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
......
......@@ -30,7 +30,7 @@ moduledir = $(libdir)/kadmind
# Rules for building the password synchronization plugin.
module_LTLIBRARIES = plugin/passwd_update.la
plugin_passwd_update_la_SOURCES = plugin/ad.c plugin/api.c plugin/error.c \
plugin/internal.h plugin/heimdal.c plugin/kadm5_hook.c plugin/queue.c
plugin/internal.h plugin/heimdal.c plugin/mit.c plugin/queue.c
plugin_passwd_update_la_LDFLAGS = -module -avoid-version $(KRB5_LDFLAGS)
plugin_passwd_update_la_LIBADD = portable/libportable.la $(KRB5_LIBS)
......
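Review bot: plugin/heimdal.c and plugin/mit.c are now both compiled into the single passwd_update.la, so each has to be wrapped entirely in its own header-availability guard or a build against one KDC will fail on the other's types; mit.c is guarded by HAVE_KRB5_KADM5_HOOK_PLUGIN_H, so confirm heimdal.c carries the equivalent guard, and consider a one-line comment above module_LTLIBRARIES saying the two backends are selected at preprocessing time rather than by Automake conditionals.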
......@@ -2,6 +2,10 @@
krb5-sync 2.2 (unreleased)
Add support for the new libkadm5 hooks provided by MIT Kerberos 1.9.
With that version and later, no patch to MIT Kerberos is required to
use this code. Thanks to Sam Hartman for the patch.
Current MIT Kerberos calls the password change hook with a NULL
password in the -randkey case, which neither the module nor the patch
were prepared to handle. Pass a password of NULL and a length of 0
......
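Review bot: "Current MIT Kerberos" in the second entry will age badly; name the version (1.9, the one the first entry introduces support for) so the note stays accurate once later releases change the -randkey behaviour. Also "neither the module nor the patch were prepared" should read "was prepared".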
......@@ -3,9 +3,10 @@
Maintained by Russ Allbery <rra@stanford.edu>
Copyright 2006, 2007, 2010 Board of Trustees, Leland Stanford
Jr. University. Originally developed by Derrick Brashear and Ken
Hornstein of Sine Nomine Associates, on behalf of Stanford University.
Copyright 2006, 2007, 2010, 2011 The Board of Trustees of the Leland
Stanford Junior University. Originally developed by Derrick Brashear
and Ken Hornstein of Sine Nomine Associates, on behalf of Stanford
University.
This software is distributed under a BSD-style license. Please see the
file LICENSE in the distribution for more information.
......@@ -37,11 +38,12 @@ DESCRIPTION
This toolkit consists of three basic pieces:
* Patches to MIT Kerberos and Heimdal to add a plugin system for
password changes and account status updates. These patches add hooks
that are run prior to a password change, after a password change, and
after a change to an account's flags. The code in libkadm5srv is
independent of what that plugin might do.
* Patches to MIT Kerberos (prior to 1.9; 1.9 and later do not require
patching) and Heimdal to add a plugin system for password changes and
account status updates. These patches add hooks that are run prior
to a password change, after a password change, and after a change to
an account's flags. The code in libkadm5srv is independent of what
that plugin might do.
* A plugin that uses that system to push password changes and selected
account flag changes to Active Directory. This is done using a
......@@ -67,27 +69,28 @@ DESCRIPTION
Currently, only one Active Directory realm is supported for updates.
Be aware that, due to the structure of the MIT Kerberos libkadm5srv
code, the pre-commit hook and hence password propagation to Active
Directory will happen before the password is checked for reuse. This
means that the password may be changed in Active Directory but then
rejected by the local KDC if it is present in the account's password
history. If you remember only one password in the password history,
this will be harmless, since it will only mean the Active Directory
password will be reset to the existing password. If, however, you store
multiple passwords in the password history, the passwords could end up
being desynchronized. This will hopefully be fixed in a later version
of the libkadm5srv patch.
code, the patch for versions prior to 1.9 runs the pre-commit hook and
hence password propagation to Active Directory before the password is
checked for reuse. This means that the password may be changed in
Active Directory but then rejected by the local KDC if it is present in
the account's password history. If you remember only one password in
the password history, this will be harmless, since it will only mean the
Active Directory password will be reset to the existing password. If,
however, you store multiple passwords in the password history, the
passwords could end up being desynchronized. This should be fixed in
MIT Kerberos 1.9.
REQUIREMENTS
The utilities provided in this package will work without any
modifications to your KDC or kadmind, but to use this entire system, you
will have to apply the patch in the patches directory to MIT Kerberos or
Heimdal and rebuild. Due to how kadmind is constructed, the changes are
actually in the libkadm5srv library, not the kadmind binary, so you'll
need to install the modified libraries. It is my hope that eventually
an interface like this will be incorporated into the MIT Kerberos and
Heimdal distributions and patching will not be necessary.
will either need MIT Kerberos 1.9 or later or apply the patch in the
patches directory to MIT Kerberos or Heimdal and rebuild. Due to how
kadmind is constructed, the changes are actually in the libkadm5srv
library, not the kadmind binary, so you'll need to install the modified
libraries. It is my hope that eventually an interface like this will be
incorporated into the Heimdal distribution as well and patching will not
be necessary.
To build the account status update code, you will need OpenLDAP
installed. To authenticate to Active Directory, you will also need
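Review bot: "This should be fixed in MIT Kerberos 1.9" leaves the reader unsure whether the 1.9 pre-commit hook runs after the password-history check; state the ordering definitively if it has been verified, and say it is unverified otherwise, because the desynchronization risk described in that paragraph depends entirely on it. The REQUIREMENTS paragraph has the same scoping problem in the other direction: "so you'll need to install the modified libraries" still reads as if it applies to 1.9 too, but it only applies to patched builds; with 1.9 the plugin is a dynamically loaded module (installed to moduledir in the Makefile), not a replaced libkadm5srv.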
......@@ -108,10 +111,10 @@ REQUIREMENTS
INSTALLATION
First, patch MIT Kerberos or Heimdal with the patch provided in the
patches directory and install the new libkadm5srv or libkadm5srv_mit
library. See patches/README for more information about the patch. If
you're using a different version of MIT Kerberos, you may need to adjust
the patch accordingly.
patches directory if necessary and install the new libkadm5srv or
libkadm5srv_mit library. See patches/README for more information about
the patch. If you're using a different version of MIT Kerberos, you may
need to adjust the patch accordingly.
Then, you can build and install the plugin and command-line utilities
with the standard commands:
......
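Review bot: inserting "if necessary" still leaves the sentence telling 1.9 users to "install the new libkadm5srv or libkadm5srv_mit library" and to adjust the patch; split this into two cases (pre-1.9 MIT or Heimdal: patch and install the library; MIT 1.9 and later: nothing to patch) and, for the 1.9 case, say how kadmind is pointed at the module, including the module name, which MIT's plugin loader derives from the exported kadm5_hook_krb5_sync_initvt symbol as "krb5_sync" and which the reader cannot otherwise discover from the README.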
......@@ -50,8 +50,8 @@ config_string(krb5_context ctx, const char *opt, char **result)
/*
* Initialize the module. This consists solely of loading our configuration
* options from krb5.conf into a newly allocated struct stored in the second
* argument to this function. Returns 0 on success, non-zero on failre. This
* function returns failure only if it could not allocate memory.
* argument to this function. Returns 0 on success, non-zero on failure.
* This function returns failure only if it could not allocate memory.
*/
int
pwupdate_init(krb5_context ctx, void **data)
......
/*
* MIt kadm5_hook API
* MIT kadm5_hook shared module API.
*
* This is the glue required to connect kadmin hook module to the
* API for the krb5-sync module. It is based on the kadm5_hook
* interface released with MIT Kerberos 1.9 which was based on a
* preliminary proposal for
* the Heimdal hook API.
* This is the glue required to connect an MIT Kerberos kadmin hook module to
* the API for the krb5-sync module. It is based on the kadm5_hook interface
* released with MIT Kerberos 1.9, which was based on a preliminary proposal
* for the Heimdal hook API.
*
* Written by Russ Allbery <rra@stanford.edu> and updated by Sam
* Hartman <hartmans@painless-security.com>
* Copyright 2010 Board of Trustees, Leland Stanford Jr. University
* copyright 2010, the Massachusetts Institute of Technology
* Written by Russ Allbery <rra@stanford.edu>
* and updated by Sam Hartman <hartmans@painless-security.com>
* Copyright 2010, 2011
* The Board of Trustees of the Leland Stanford Junior University
* Copyright 2010 The Massachusetts Institute of Technology
*
* See LICENSE for licensing terms.
*/
......@@ -18,18 +18,30 @@
#include <config.h>
#include <portable/system.h>
/*
* Skip this entire file if the relevant MIT Kerberos header isn't available,
* since without that header we don't have the data types that we need.
*/
#ifdef HAVE_KRB5_KADM5_HOOK_PLUGIN_H
#include <errno.h>
#include <kadm5/admin.h>
#ifdef HAVE_KADM5_KADM5_ERR_H
# include <kadm5/kadm5_err.h>
#endif
#include <krb5.h>
#ifdef HAVE_KRB5_KADM5_HOOK_PLUGIN_H
#include <krb5/kadm5_hook_plugin.h>
#include <plugin/internal.h>
#include <util/macros.h>
/*
* The public function that the MIT kadm5 library looks for. It contains the
* module name, so it can't be prototyped by the MIT headers.
*/
krb5_error_code kadm5_hook_krb5_sync_initvt(krb5_context, int, int,
krb5_plugin_vtable);
/*
* Initialize the plugin. Calls the pwupdate_init() function and returns the
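Review bot: the comment on the prototype should spell out that the middle component of kadm5_hook_krb5_sync_initvt is the module name MIT's plugin loader matches against the name configured for kadmind, so the symbol must not be renamed along with the file (now mit.c) and must stay non-static; it is the only exported symbol in this file, and a stray rename would leave kadmind unable to find the module with no compile-time error.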
......@@ -47,7 +59,7 @@ init(krb5_context ctx, kadm5_hook_modinfo **data)
/*
* Shut down the object, freeing any internal resources.
* Shut down the plugin, freeing any internal resources.
*/
static void
fini(krb5_context ctx UNUSED, kadm5_hook_modinfo *data)
......@@ -61,10 +73,8 @@ fini(krb5_context ctx UNUSED, kadm5_hook_modinfo *data)
*/
static kadm5_ret_t
chpass(krb5_context ctx, kadm5_hook_modinfo *data, int stage,
krb5_principal princ,
krb5_boolean keepoldUNUSED,
int n_ks_tuple UNUSED,
krb5_key_salt_tuple *ks_tuple UNUSED,
krb5_principal princ, krb5_boolean keepold UNUSED,
int n_ks_tuple UNUSED, krb5_key_salt_tuple *ks_tuple UNUSED,
const char *password)
{
char error[BUFSIZ];
......@@ -96,30 +106,11 @@ chpass(krb5_context ctx, kadm5_hook_modinfo *data, int stage,
*/
static kadm5_ret_t
create(krb5_context ctx, kadm5_hook_modinfo *data, int stage,
kadm5_principal_ent_t entry, long mask UNUSED,
int n_ks_tuple UNUSED,
krb5_key_salt_tuple *ks_tuple UNUSED,
const char *password)
kadm5_principal_ent_t entry, long mask UNUSED, int n_ks_tuple UNUSED,
krb5_key_salt_tuple *ks_tuple UNUSED, const char *password)
{
char error[BUFSIZ];
size_t length;
int status = 0;
length = strlen(password);
if (stage == KADM5_HOOK_STAGE_PRECOMMIT)
status = pwupdate_precommit_password(data, entry->principal, password,
length, error, sizeof(error));
else if (stage == KADM5_HOOK_STAGE_POSTCOMMIT)
status = pwupdate_postcommit_password(data, entry->principal,
password, length, error,
sizeof(error));
if (status == 0)
return 0;
else {
krb5_set_error_message(ctx, KADM5_FAILURE,
"cannot synchronize password: %s", error);
return KADM5_FAILURE;
}
return chpass(ctx, data, stage, entry->principal, false, n_ks_tuple,
ks_tuple, password);
}
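Review bot: the removed body called strlen(password) unconditionally, which dereferences the NULL password the NEWS entry says kadmind passes for -randkey; delegating to chpass() only fixes that if chpass's body (outside this hunk) tests password for NULL before taking its length, so confirm that, and that pwupdate_precommit_password and pwupdate_postcommit_password accept a NULL password with length 0. Also, `false` here relies on stdbool.h arriving via portable/system.h, since mit.c does not include it directly.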
......@@ -152,13 +143,13 @@ modify(krb5_context ctx, kadm5_hook_modinfo *data, int stage,
return 0;
}
krb5_error_code
kadm5_hook_test_initvt(krb5_context context, int maj_ver, int min_ver,
krb5_plugin_vtable vtable);
/*
* The public interface called by the kadmin hook code in MIT Kerberos.
*/
krb5_error_code
kadm5_hook_krb5_sync_initvt(krb5_context context, int maj_ver, int min_ver,
krb5_plugin_vtable vtable)
kadm5_hook_krb5_sync_initvt(krb5_context ctx UNUSED, int maj_ver,
int min_ver UNUSED, krb5_plugin_vtable vtable)
{
kadm5_hook_vftable_1 *vt = (kadm5_hook_vftable_1 *) vtable;
if (maj_ver != 1)
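Review bot: dropping the stray kadm5_hook_test_initvt prototype is right, since it declared a symbol this file never defines. Marking min_ver UNUSED is fine while only the maj_ver == 1 vtable is supported, but add a one-line comment saying the module fills kadm5_hook_vftable_1 regardless of min_ver, so a later reader does not take the unused parameter for a missed version check.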
......@@ -173,5 +164,4 @@ kadm5_hook_krb5_sync_initvt(krb5_context context, int maj_ver, int min_ver,
return 0;
}
#endif /*KADM5_HOOK_PLUGIN_H*/
#endif /* HAVE_KRB5_KADM5_HOOK_PLUGIN_H */