Commit c86e5b1e authored by Apertis CI

Import Upstream version 1.18.3

parent 0e855793
cd src
autoreconf
./configure --enable-maintainer-mode --with-ldap
./configure --enable-maintainer-mode --with-ldap $CONFIGURE_OPTS
make $MAKEVARS
make check
make distclean
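Review bot: `$CONFIGURE_OPTS` on the new configure line is deliberately left unquoted so that the value set in .travis.yml word-splits into separate arguments; that works for `--with-crypto-impl=openssl`, but a one-line comment in the script saying the variable is a whitespace-separated option list would stop a later cleanup from quoting it and silently turning the openssl job back into the default build.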
......@@ -2,23 +2,21 @@ language: c++
sudo: required
dist: xenial
matrix:
include:
- compiler: clang
env: MAKEVARS=CPPFLAGS=-Werror
- compiler: clang
env:
- MAKEVARS=CPPFLAGS=-Werror
- CONFIGURE_OPTS=--with-crypto-impl=openssl
- compiler: gcc
before_install:
- sudo apt-get update -qq
- sudo apt-get install -y bison dejagnu gettext keyutils ldap-utils libldap2-dev libkeyutils-dev libssl-dev python3-paste slapd tcl-dev tcsh
- mkdir -p cmocka/build
- cd cmocka
- wget https://cmocka.org/files/1.1/cmocka-1.1.1.tar.xz
- tar -xvf cmocka-1.1.1.tar.xz
- cd build
- cmake ../cmocka-1.1.1 -DCMAKE_INSTALL_PREFIX=/usr
- make
- sudo make install
- cd ../..
- sudo apt-get install -y bison dejagnu gettext keyutils ldap-utils libcmocka-dev libldap2-dev libkeyutils-dev libssl-dev python3-kdcproxy python3-pip slapd tcl-dev tcsh
- pip3 install pyrad
script: sh -ex .travis-ci.sh
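Review bot: `pip3 install pyrad` on the last added line installs whatever version is current on PyPI at build time, so the job is not reproducible and its dependency set can change with no commit in this tree; pin it (`pip3 install pyrad==<version>`) or use a distro package as is done for the other test dependencies on the `apt-get install` line. Replacing the `wget` of cmocka-1.1.1.tar.xz with `libcmocka-dev` is an improvement for the same reason: the removed lines never verified a checksum on the downloaded tarball before building and installing it as root.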
Copyright (C) 1985-2019 by the Massachusetts Institute of Technology.
Copyright (C) 1985-2020 by the Massachusetts Institute of Technology.
All rights reserved.
......@@ -38,7 +38,7 @@
{% if logo %}
<p class="logo">
{# Link logo to kerberos.org #}
<a href="http://kerberos.org"> <img class="logo"
<a href="https://kerberos.org"> <img class="logo"
src="{{ pathto('_static/' + logo, 1) }}" alt="Logo" /></a>
</p>
{% endif %}
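Review bot: The `https` change on the logo `<a href>` is correct, and the `img src` is produced by `pathto()` as a relative path, so this template fragment no longer carries any plaintext-HTTP reference.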
......@@ -419,7 +419,7 @@ Options:
Example::
kadmin: addprinc jennifer
WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
No policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:
Re-enter password for principal jennifer@ATHENA.MIT.EDU:
......@@ -569,16 +569,16 @@ Examples::
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [none]
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, des-cbc-crc
Key: vno 1, des-cbc-crc:v4
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha384-192
MKey: vno 1
Attributes:
Policy: [none]
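Review bot: The updated sample output now lists a single `aes256-cts-hmac-sha384-192` key, which matches the DES removal recorded elsewhere in this import, but the unchanged `Last modified:` context line still dates the entry to 1996, well before that enctype existed; refreshing the sample dates while touching these lines would keep the example internally consistent.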
......@@ -74,8 +74,7 @@ OPTIONS
**-nofork**
causes the server to remain in the foreground and remain
associated to the terminal. In normal operation, you should allow
the server to place itself in the background.
associated to the terminal.
**-proponly**
causes the server to only listen and respond to Kerberos replica
......@@ -29,6 +29,9 @@ COMMAND-LINE OPTIONS
.. _kdb5_ldap_util_options:
**-r** *realm*
Specifies the realm to be operated on.
**-D** *user_dn*
Specifies the Distinguished Name (DN) of the user who has
sufficient rights to perform the operation on the LDAP server.
......@@ -38,8 +41,12 @@ COMMAND-LINE OPTIONS
recommended.
**-H** *ldapuri*
Specifies the URI of the LDAP server. It is recommended to use
``ldapi://`` or ``ldaps://`` to connect to the LDAP server.
Specifies the URI of the LDAP server.
By default, kdb5_ldap_util operates on the default realm (as specified
in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP
server in the same manner as :ref:kadmind(8)` would given the
parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`.
.. _kdb5_ldap_util_options_end:
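Review bot: `:ref:kadmind(8)`` on the third added line is missing its opening backtick, so Sphinx will render it as literal text rather than a cross-reference. Separately, the removed sentence recommending `ldapi://` or `ldaps://` was the only place this page told administrators not to send the **-D** bind password over a plaintext `ldap://` connection; since the **-D** description added in the previous hunk still describes a password-bearing bind, that recommendation should be carried into the new paragraph rather than dropped.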
......@@ -58,9 +65,9 @@ create
[**-containerref** *container_reference_dn*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m|-P** *password*\|\ **-sf** *stashfilename*]
[**-s**]
[**-r** *realm*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]
......@@ -92,6 +99,11 @@ Creates realm in directory. Options:
Specifies the version number of the master key in the database;
the default is 1. Note that 0 is not allowed.
**-M** *mkeyname*
Specifies the principal name for the master key in the database.
If not specified, the name is determined by the
**master_key_name** variable in :ref:`kdc.conf(5)`.
**-m**
Specifies that the master database password should be read from
the TTY rather than fetched from a file on the disk.
......@@ -100,9 +112,6 @@ Creates realm in directory. Options:
Specifies the master database password. This option is not
recommended.
**-r** *realm*
Specifies the Kerberos realm of the database.
**-sf** *stashfilename*
Specifies the stash file of the master database password.
......@@ -125,7 +134,7 @@ Creates realm in directory. Options:
Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
-r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
......@@ -144,7 +153,6 @@ modify
[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-r** *realm*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]
......@@ -165,9 +173,6 @@ Modifies the attributes of a realm. Options:
container object in which the principals of a realm will be
created.
**-r** *realm*
Specifies the Kerberos realm of the database.
**-maxtktlife** *max_ticket_life*
(:ref:`getdate` string) Specifies maximum ticket life for
principals in this realm.
......@@ -183,9 +188,8 @@ Modifies the attributes of a realm. Options:
Example::
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify +requires_preauth -r
ATHENA.MIT.EDU
shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify +requires_preauth
Password for "cn=admin,o=org":
shell%
......@@ -196,17 +200,14 @@ view
.. _kdb5_ldap_util_view:
**view** [**-r** *realm*]
**view**
Displays the attributes of a realm. Options:
**-r** *realm*
Specifies the Kerberos realm of the database.
Displays the attributes of a realm.
Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
view -r ATHENA.MIT.EDU
-r ATHENA.MIT.EDU view
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=users,o=org
......@@ -223,20 +224,17 @@ destroy
.. _kdb5_ldap_util_destroy:
**destroy** [**-f**] [**-r** *realm*]
**destroy** [**-f**]
Destroys an existing realm. Options:
**-f**
If specified, will not prompt the user for confirmation.
**-r** *realm*
Specifies the Kerberos realm of the database.
Example::
shell% kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu destroy
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
......@@ -252,7 +250,7 @@ list
**list**
Lists the name of realms.
Lists the names of realms under the container.
Example::
......@@ -308,7 +306,6 @@ create_policy
.. _kdb5_ldap_util_create_policy:
**create_policy**
[**-r** *realm*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]
......@@ -316,9 +313,6 @@ create_policy
Creates a ticket policy in the directory. Options:
**-r** *realm*
Specifies the Kerberos realm of the database.
**-maxtktlife** *max_ticket_life*
(:ref:`getdate` string) Specifies maximum ticket life for
principals.
......@@ -339,7 +333,7 @@ Creates a ticket policy in the directory. Options:
Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
-r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
-maxrenewlife "1 week" -allow_postdated +needchange
-allow_forwardable tktpolicy
Password for "cn=admin,o=org":
......@@ -352,7 +346,6 @@ modify_policy
.. _kdb5_ldap_util_modify_policy:
**modify_policy**
[**-r** *realm*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]
......@@ -364,7 +357,7 @@ Modifies the attributes of a ticket policy. Options are same as for
Example::
kdb5_ldap_util -D cn=admin,o=org -H
ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
ldaps://ldap-server1.mit.edu -r ATHENA.MIT.EDU modify_policy
-maxtktlife "60 minutes" -maxrenewlife "10 hours"
+allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org":
......@@ -377,18 +370,14 @@ view_policy
.. _kdb5_ldap_util_view_policy:
**view_policy**
[**-r** *realm*]
*policy_name*
Displays the attributes of a ticket policy. Options:
*policy_name*
Specifies the name of the ticket policy.
Displays the attributes of the named ticket policy.
Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
view_policy -r ATHENA.MIT.EDU tktpolicy
-r ATHENA.MIT.EDU view_policy tktpolicy
Password for "cn=admin,o=org":
Ticket policy: tktpolicy
Maximum ticket life: 0 days 01:00:00
......@@ -403,15 +392,11 @@ destroy_policy
.. _kdb5_ldap_util_destroy_policy:
**destroy_policy**
[**-r** *realm*]
[**-force**]
*policy_name*
Destroys an existing ticket policy. Options:
**-r** *realm*
Specifies the Kerberos realm of the database.
**-force**
Forces the deletion of the policy object. If not specified, the
user will be prompted for confirmation before deleting the policy.
......@@ -422,7 +407,7 @@ Destroys an existing ticket policy. Options:
Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
destroy_policy -r ATHENA.MIT.EDU tktpolicy
-r ATHENA.MIT.EDU destroy_policy tktpolicy
Password for "cn=admin,o=org":
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? yes
......@@ -436,18 +421,13 @@ list_policy
.. _kdb5_ldap_util_list_policy:
**list_policy**
[**-r** *realm*]
Lists the ticket policies in realm if specified or in the default
realm. Options:
**-r** *realm*
Specifies the Kerberos realm of the database.
Lists ticket policies.
Example::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
list_policy -r ATHENA.MIT.EDU
-r ATHENA.MIT.EDU list_policy
Password for "cn=admin,o=org":
tktpolicy
tmppolicy
......@@ -136,7 +136,7 @@ dump
.. _kdb5_util_dump:
**dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**]
**dump** [**-b7**\|\ **-r13**\|\ **-r18**]
[**-verbose**] [**-mkey_convert**] [**-new_mkey_file**
*mkey_file*] [**-rev**] [**-recurse**] [*filename*
[*principals*...]]
......@@ -151,9 +151,6 @@ load_dump version 7". If filename is not specified, or is the string
load_dump version 4"). This was the dump format produced on
releases prior to 1.2.2.
**-ov**
causes the dump to be in "ovsec_adm_export" format.
**-r13**
causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
......@@ -204,7 +201,7 @@ load
.. _kdb5_util_load:
**load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**]
**load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
[**-verbose**] [**-update**] *filename*
Loads a database dump from the named file into the named database. If
......@@ -222,10 +219,6 @@ Options:
("kdb5_util load_dump version 4"). This was the dump format
produced on releases prior to 1.2.2.
**-ov**
requires the database to be in "ovsec_adm_import" format. Must be
used with the **-update** option.
**-r13**
requires the database to be in Kerberos 5 1.3 format ("kdb5_util
load_dump version 5"). This was the dump format produced on
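Review bot: Dropping **-ov** from both the load synopsis and this option list means an `ovsec_adm_import` dump can no longer be loaded by this release, yet neither the hunk's intro sentence ("Loads a database dump from the named file...") nor the **-update** text says so; add a sentence stating that such dumps must be converted with a release prior to 1.18, consistent with the retiring-des note later in this import, so operators holding legacy dumps do not discover the gap at restore time.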
......@@ -483,17 +476,17 @@ Examples::
$ kdb5_util tabdump -o keyinfo.txt keyinfo
$ cat keyinfo.txt
name keyindex kvno enctype salttype salt
K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
$ sqlite3
sqlite> .mode tabs
sqlite> .import keyinfo.txt keyinfo
sqlite> select * from keyinfo where enctype like 'des-cbc-%';
bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
sqlite> select * from keyinfo where enctype like 'aes256-%';
K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
sqlite> .quit
$ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt
bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1
$ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1
ENVIRONMENT
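Review bot: The new awk output for the aes256 query (`K/M@EXAMPLE.COM 1 1 aes256-cts-hmac-sha384-192 normal -1`) shows keyindex 1, but the keyinfo.txt listing at the top of the hunk gives K/M keyindex 0, so the example output does not match its own input; the sqlite output it replaces had the same mismatch, and this rewrite is the moment to fix it. The field test `$4 ~ /des-cbc-/` is correct for the header order name, keyindex, kvno, enctype.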
......@@ -31,7 +31,9 @@ OPTIONS
-------
The **-r** *realm* option specifies the realm for which the server
should provide service.
should provide service. This option may be specified multiple times
to serve multiple realms. If no **-r** option is given, the default
realm (as specified in :ref:`krb5.conf(5)`) will be served.
The **-d** *dbname* option specifies the name under which the
principal database can be found. This option does not apply to the
......@@ -39,7 +41,7 @@ LDAP database.
The **-k** *keytype* option specifies the key type of the master key
to be entered manually as a password when **-m** is given; the default
is ``des-cbc-crc``.
is |defmkey|.
The **-M** *mkeyname* option specifies the principal name for the
master key in the database (usually ``K/M`` in the KDC's realm).
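Review bot: `|defmkey|` on the added line is a Sphinx substitution; confirm it is defined for this document (rst_epilog in conf.py or an included file), because an undefined substitution produces a build warning and leaves the literal `|defmkey|` text in the generated man page. It should also resolve to a non-DES type, since the replaced default `des-cbc-crc` is no longer supported by this release.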
......@@ -48,9 +50,7 @@ The **-m** option specifies that the master database password should
be fetched from the keyboard rather than from a stash file.
The **-n** option specifies that the KDC does not put itself in the
background and does not disassociate itself from the terminal. In
normal operation, you should always allow the KDC to place itself in
the background.
background and does not disassociate itself from the terminal.
The **-P** *pid_file* option tells the KDC to write its PID into
*pid_file* after it starts up. This can be used to identify whether
......@@ -13,8 +13,8 @@ DESCRIPTION
-----------
The ktutil command invokes a command interface from which an
administrator can read, write, or edit entries in a keytab or Kerberos
V4 srvtab file.
administrator can read, write, or edit entries in a keytab. (Kerberos
V4 srvtab files are no longer supported.)
COMMANDS
......@@ -38,15 +38,6 @@ Read the Kerberos V5 keytab file *keytab* into the current keylist.
Alias: **rkt**
read_st
~~~~~~~
**read_st** *srvtab*
Read the Kerberos V4 srvtab file *srvtab* into the current keylist.
Alias: **rst**
write_kt
~~~~~~~~
......@@ -56,15 +47,6 @@ Write the current keylist into the Kerberos V5 keytab file *keytab*.
Alias: **wkt**
write_st
~~~~~~~~
**write_st** *srvtab*
Write the current keylist into the Kerberos V4 srvtab file *srvtab*.
Alias: **wst**
clear_list
~~~~~~~~~~
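Review bot: Removing `read_st`/`write_st` and their `rst`/`wst` aliases is consistent with the DESCRIPTION change stating that V4 srvtab files are no longer supported; check that ktutil's built-in command help in this import no longer advertises those aliases, otherwise the tool will list commands the manual no longer documents.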
......@@ -5,5 +5,4 @@ Advanced topics
.. toctree::
:maxdepth: 1
ldapbackend.rst
retiring-des.rst
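Review bot: retiring-des.rst is removed from this toctree, yet a later hunk in the same import still edits that file and adds the note that a pre-1.18 release is needed for the migration; unless the file carries an `:orphan:` marker, Sphinx will warn that it is not included in any toctree, and the DES migration guidance becomes unreachable from the advanced-topics index.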
.. _ldap_be_ubuntu:
LDAP backend on Ubuntu 10.4 (lucid)
===================================
Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx)
Prerequisites
-------------
Install the following packages: *slapd, ldap-utils* and *libldap2-dev*
You can install the necessary packages with these commands::
sudo apt-get install slapd
sudo apt-get install ldap-utils
sudo apt-get install libldap2-dev
Extend the user schema using schemas from standart OpenLDAP
distribution: *cosine, mics, nis, inetcomperson* ::
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/mics.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetcomperson.ldif
Building Kerberos from source
-----------------------------
::
./configure --with-ldap
make
sudo make install
Setting up Kerberos
-------------------
Configuration
~~~~~~~~~~~~~
Update kdc.conf with the LDAP back-end information::
[realms]
EXAMPLE.COM = {
database_module = LDAP
}
[dbmodules]
LDAP = {
db_library = kldap
ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
ldap_kdc_dn = cn=admin,dc=example,dc=com
ldap_kadmind_dn = cn=admin,dc=example,dc=com
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
ldap_servers = ldapi:///
}
Schema
~~~~~~
From the source tree copy
``src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema`` into
``/etc/ldap/schema``
Warning: this step should be done after slapd is installed to avoid
problems with slapd installation.
To convert kerberos.schema to run-time configuration (``cn=config``)
do the following:
#. Create a temporary file ``/tmp/schema_convert.conf`` with the
following content::
include /etc/ldap/schema/kerberos.schema
#. Create a temporary directory ``/tmp/krb5_ldif``.
#. Run::
slaptest -f /tmp/schema_convert.conf -F /tmp/krb5_ldif
This should in a new file named
``/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif``.
#. Edit ``/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif`` by
replacing the lines::
dn: cn={0}kerberos
cn: {0}kerberos
with
dn: cn=kerberos,cn=schema,cn=config
cn: kerberos
Also, remove following attribute-value pairs::
structuralObjectClass: olcSchemaConfig
entryUUID: ...
creatorsName: cn=config
createTimestamp: ...
entryCSN: ...
modifiersName: cn=config
modifyTimestamp: ...
#. Load the new schema with ldapadd (with the proper authentication)::
ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
which should result the message ``adding new entry
"cn=kerberos,cn=schema,cn=config"``.
Create Kerberos database
------------------------
Using LDAP administrator credentials, create Kerberos database and
master key stash::
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
Stash the LDAP administrative passwords::
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com
Start :ref:`krb5kdc(8)`::
krb5kdc
To destroy database run::
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f
Useful references
-----------------
* `Kerberos and LDAP <https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html>`_
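Review bot: Several wording errors in the Prerequisites and Schema sections: "standart" should be "standard", "This should in a new file named" is missing "result", and "which should result the message" is missing "in". The schema filenames `mics.ldif` and `inetcomperson.ldif` do not match what OpenLDAP ships (`misc.ldif` and `inetorgperson.ldif`), so two of the four ldapadd commands fail as written. In the kdc.conf sample, `ldap_kdc_dn` and `ldap_kadmind_dn` are both set to `cn=admin,dc=example,dc=com`, the directory root DN whose password is then stashed in `admin.stash`; a worked example should bind the KDC and kadmind as dedicated DNs with access limited to `cn=krbContainer,dc=example,dc=com`, as the kdb5_ldap_util **-D** text ("a user who has sufficient rights") implies.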
......@@ -22,6 +22,11 @@ However, deployments of krb5 using Kerberos databases created with older
versions of krb5 will not necessarily start using strong crypto for
ordinary operation without administrator intervention.
MIT krb5 began flagging deprecated encryption types with release 1.17,
and removed DES (single-DES) support in release 1.18. As a
consequence, a release prior to 1.18 is required to perform these
migrations.
Types of keys
-------------
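Review bot: The added paragraph says a release prior to 1.18 is required for these migrations, but the unchanged sentence above it still tells 1.18 readers that their databases "will not necessarily start using strong crypto ... without administrator intervention" as if the steps below were runnable here; state up front that the procedures in this document must be carried out before upgrading, so an administrator landing on this page after the upgrade is not led through steps the tools on this release no longer support.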
......@@ -60,6 +60,43 @@ To remove a principal from an existing keytab, use the kadmin