[Freeipa-devel] [freeipa PR#5744][opened] WIP: Convert HMAC to EVP interface
URL: https://github.com/freeipa/freeipa/pull/5744 Author: simo5 Title: #5744: WIP: Convert HMAC to EVP interface Action: opened PR body: """ I haven't even compiled this yet, but I thought it would be better to post it then forget in my branch @abbra @tiran let me know if you'd like this contribution in this form and I will go through the paces of testing with openssl3. Or we can simply leave it here until we have an OS that carries openssl3 we can run tests against. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5744/head:pr5744 git checkout pr5744 From bd3d3cc2d8a1c454b727ad237296006835b33e15 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 29 Apr 2021 16:09:49 -0400 Subject: [PATCH] Convert HMAC to EVP interface Signed-off-by: Simo Sorce --- daemons/ipa-slapi-plugins/libotp/hotp.c | 59 - 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c index 894786e87d4..56fb9d45578 100644 --- a/daemons/ipa-slapi-plugins/libotp/hotp.c +++ b/daemons/ipa-slapi-plugins/libotp/hotp.c @@ -47,12 +47,20 @@ #include #include #include -#include +#if OPENSSL_VERSION_NUMBER < 0x3000L +#include struct digest_buffer { unsigned char buf[EVP_MAX_MD_SIZE]; unsigned int len; }; +#else +#include +struct digest_buffer { +unsigned char buf[EVP_MAX_MD_SIZE]; +size_t len; +}; +#endif static const struct { const char *algo; @@ -65,6 +73,7 @@ static const struct { { } }; +#if OPENSSL_VERSION_NUMBER < 0x3000L static bool hmac(const struct hotp_token_key *key, const char *sn_mech, uint64_t counter, struct digest_buffer *out) { 
@@ -85,6 +94,54 @@ static bool hmac(const struct hotp_token_key *key, const char *sn_mech, return true; } +#else +static bool hmac(const struct hotp_token_key *key, const char *sn_mech, + uint64_t counter, struct digest_buffer *out) +{ +unsigned char in[sizeof(uint64_t)]; +EVP_MAC_CTX *ctx = NULL; +EVP_MAC *mac = NULL; +bool ret = false; +OSSL_PARAM params[] = { +OSSL_PARAM_utf8_string("digest", sn_mech, strlen(sn_mech)), +OSSL_PARAM_END +}; +int status; + +mac = EVP_MAC_fetch(NULL, "hmac", NULL); +if (mac == NULL) { +goto done; +} + +ctx = EVP_MAC_CTX_new(mac); +if (ctx == NULL) { +goto done; +} + +status = EVP_MAC_init(ctx, (void *)key->bytes, key->len, params); +if (status == 0) { +goto done; +} + +memcpy(in, &counter, sizeof(uint64_t)); + +status = EVP_MAC_update(ctx, in, sizeof(in)); +if (status == 0) { +goto done; +} + +status = EVP_MAC_final(ctx, out->buf, &out->len, EVP_MAX_MD_SIZE); +if (status == 0) { +goto done; +} + +ret = true; + +done: +EVP_MAC_CTX_free(ctx); +EVP_MAC_free(mac); +} +#endif /* * An implementation of HOTP (RFC 4226). ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
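Review bot: the OpenSSL 3 `hmac()` in the `#else` branch never returns a value: after `done:` it frees `ctx` and `mac` and falls off the end of a function declared `static bool`, so callers read an indeterminate result; add `return ret;` after `EVP_MAC_free(mac);`. The guard `#if OPENSSL_VERSION_NUMBER < 0x3000L` also looks wrong: OPENSSL_VERSION_NUMBER is encoded as 0xMNNFFPPSL, so 3.0.0 is 0x30000000L and every 1.x release (for example 0x1010100fL for 1.1.1) is already larger than 0x3000L, which means the legacy `HMAC` branch would never be selected; compare against 0x30000000L on both `#if` lines.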
[Freeipa-devel] [freeipa PR#3672][opened] Make sure to have storage space for tag
URL: https://github.com/freeipa/freeipa/pull/3672 Author: simo5 Title: #3672: Make sure to have storage space for tag Action: opened PR body: """ ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at by "t", if that is not provided the pointer will be store in whatever memory location is pointed by the stack at that time causeing a crash. Note that this is effectively unused code because in ipa-kdb the only party that can write a key_data structure to be stored is te kdb_driver itself and we never encode these s2kparam data. But we need to handle this for future proofing. Fixes #8071 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3672/head:pr3672 git checkout pr3672 From 94f4819cc6ea1ebe167c1c68ed25e82a7dbb33fe Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 16 Sep 2019 11:12:25 -0400 Subject: [PATCH] Make sure to have storage space for tag ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at by "t", if that is not provided the pointer will be store in whatever memory location is pointed by the stack at that time causeing a crash. Note that this is effectively unused code because in ipa-kdb the only party that can write a key_data structure to be stored is te kdb_driver itself and we never encode these s2kparam data. But we need to handle this for future proofing. Fixes #8071 Signed-off-by: Simo Sorce --- util/ipa_krb5.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c index a27cd4a4e5..c09c3daa50 100644 --- a/util/ipa_krb5.c +++ b/util/ipa_krb5.c 
@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno, retag = ber_peek_tag(be, &setlen); if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) { /* not supported yet, skip */ -retag = ber_scanf(be, "t[x]}"); +retag = ber_scanf(be, "t[x]}", &tag); } else { retag = ber_scanf(be, "}"); } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
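Review bot: the fix passes `&tag` for the `t` conversion, but the hunk does not show a declaration of `tag`, and the diffstat (1 insertion, 1 deletion) shows none was added; confirm that `ber_decode_krb5_key_data` already declares a `ber_tag_t tag` in scope, otherwise this will not compile or, worse, will reuse a variable meant for another purpose. A small test that feeds an encoding containing the context tag 2 element through this path would also pin down the stack corruption the PR body describes.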
[Freeipa-devel] [freeipa PR#892][opened] Always check peer has keys before connecting
URL: https://github.com/freeipa/freeipa/pull/892 Author: simo5 Title: #892: Always check peer has keys before connecting Action: opened PR body: """ When pulling the DM password we may have the same issues reported in ticket #6838 for CA keys. This commit makes sure we always check the peer has keys before any client operation. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/892/head:pr892 git checkout pr892 From 923d928fa0aa1b9a1b0ee096e0a7063755a1c4ab Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 23 Jun 2017 04:48:41 -0400 Subject: [PATCH] Always check peer has keys before connecting When pulling the DM password we may have the same issues reported in ticket #6838 for CA keys. This commit makes sure we always check the peer has keys before any client operation. Ticket #6838 Signed-off-by: Simo Sorce --- ipaserver/install/custodiainstance.py | 20 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 390576bc0c..bc3cea7063 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -13,7 +13,6 @@ from ipaserver.install import sysupgrade from base64 import b64decode from jwcrypto.common import json_decode -import functools import shutil import os import stat @@ -31,13 +30,6 @@ def __init__(self, host_name=None, realm=None): self.ldap_uri = None self.fqdn = host_name self.realm = realm -self.__CustodiaClient = functools.partial( -CustodiaClient, -client_service='host@%s' % self.fqdn, -keyfile=self.server_keys, -keytab=paths.KRB5_KEYTAB, -realm=realm, -) def __config_file(self): template_file = os.path.basename(self.config_file) + '.template' 
@@ -144,6 +136,14 @@ def __wait_keys(self, host, timeout=300): raise RuntimeError("Timed out trying to obtain keys.") time.sleep(1) +def __CustodiaClient(self, server): +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(server) + +return CustodiaClient('host@%s' % self.fqdn, self.server_keys, + paths.KRB5_KEYTAB, server, realm=self.realm) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -151,10 +151,6 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] -# Before we attempt to fetch keys from this host, make sure our public -# keys have been replicated there. -self.__wait_keys(ca_host) - cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
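Review bot: the new `__CustodiaClient` builds the client with positional arguments (`'host@%s' % self.fqdn, self.server_keys, paths.KRB5_KEYTAB, server`) whereas the removed `functools.partial` passed them as keywords (`client_service=`, `keyfile=`, `keytab=`); keep the keyword form so a change in `CustodiaClient`'s parameter order cannot silently swap the keytab and the key file. Also note that `__wait_keys` is now invoked on every client construction with its default `timeout=300`, so each connection may block up to five minutes before failing; that is presumably intended for the DM-password path the PR body mentions, but it is worth stating in a docstring on `__CustodiaClient`.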
[Freeipa-devel] [freeipa PR#890][opened] Make sure we check ccaches in all rpcserver paths
URL: https://github.com/freeipa/freeipa/pull/890 Author: simo5 Title: #890: Make sure we check ccaches in all rpcserver paths Action: opened PR body: """ We need to verify the ccache is avcailable in all cases or finalize will cause us to acquire creds with the keytab which is not what we want. Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/890/head:pr890 git checkout pr890 From 0c2d59507917884b6351bdcc36e8694037efe0aa Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 22 Jun 2017 10:57:25 -0400 Subject: [PATCH] Make sure we check ccaches in all rpcserver paths We need to verify the ccache is avcailable in all cases or finalize will cause us to acquire creds with the keytab which is not what we want. Signed-off-by: Simo Sorce --- ipaserver/rpcserver.py | 72 +++--- 1 file changed, 39 insertions(+), 33 deletions(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 2990df2598..9efe3c1f4b 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -592,6 +592,41 @@ class KerberosSession(HTTP_Status): needing this do not share a common base class. ''' +def need_login(self, start_response): +status = '401 Unauthorized' +headers = [] +response = b'' + +self.debug('%s need login', status) + +start_response(status, headers) +return [response] + +def get_environ_creds(self, environ): +# If we have a ccache ... +ccache_name = environ.get('KRB5CCNAME') +if ccache_name is None: +self.debug('no ccache, need login') +return + +# ... make sure we have a name ... +principal = environ.get('GSS_NAME') +if principal is None: +self.debug('no Principal Name, need login') +return + +# ... and use it to resolve the ccache name (Issue: 6972 ) +gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) + +# Fail if Kerberos credentials are expired or missing +creds = get_credentials_if_valid(name=gss_name, + ccache_name=ccache_name) +if not creds: +self.debug('ccache expired or invalid, deleting session, need login') +return + +return ccache_name + def finalize_kerberos_acquisition(self, who, ccache_name, environ, start_response, headers=None): if headers is None: 
@@ -754,43 +789,15 @@ def __init__(self, api): def _on_finalize(self): super(jsonserver_session, self)._on_finalize() -def need_login(self, start_response): -status = '401 Unauthorized' -headers = [] -response = b'' - -self.debug('jsonserver_session: %s need login', status) - -start_response(status, headers) -return [response] - def __call__(self, environ, start_response): ''' ''' self.debug('WSGI jsonserver_session.__call__:') -ccache_name = environ.get('KRB5CCNAME') - # Redirect to login if no Kerberos credentials +ccache_name = self.get_environ_creds(environ) if ccache_name is None: -self.debug('no ccache, need login') -return self.need_login(start_response) - -# If we have a ccache, make sure we have a GSS_NAME and use -# it to resolve the ccache name (Issue: 6972 ) -principal = environ.get('GSS_NAME') -if principal is None: -self.debug('no GSS Name, need login') -return self.need_login(start_response) -gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) - -# Redirect to login if Kerberos credentials are expired -creds = get_credentials_if_valid(name=gss_name, - ccache_name=ccache_name) -if not creds: -self.debug('ccache expired, deleting session, need login') -# The request is finished with the ccache, destroy it. return self.need_login(start_response) # Store the ccache name in the per-thread context @@ -828,11 +835,10 @@ def _on_finalize(self): def __call__(self, environ, start_response): self.debug('WSGI KerberosLogin.__call__:') -# Get the ccache created by mod_auth_gssapi -user_ccache_name=environ.get('KRB5CCNAME') +# Redirect to login if no Kerberos credentials +user_ccache_name = self.get_environ_creds(environ) if user_ccache_name is None: -return self.internal_error(environ, start_response, -
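Review bot: in `get_environ_creds` the log line `'ccache expired or invalid, deleting session, need login'` promises a deletion the helper does not perform; it only returns `None`, and the callers then answer with `need_login`. Either reword the message or have the caller destroy the stale ccache. The `KerberosLogin.__call__` hunk also turns a missing `KRB5CCNAME` from `internal_error` into the login path; the removed comment says that ccache is created by mod_auth_gssapi, so its absence on the login endpoint is more likely a misconfiguration than a user without credentials, and it deserves a log line above debug level rather than a silent 401.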
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ Ok I added it to pylint_plugins, hopefully it is addressed fully now """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306767611
[Freeipa-devel] [freeipa PR#855][synchronized] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Author: simo5 Title: #855: Prevent issues with older clients Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/855/head:pr855 git checkout pr855 From 03cbfdbbfb429e0c8cdc20630a5d8c2c1bc126dd Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 5 Jun 2017 09:50:22 -0400 Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit. https://pagure.io/freeipa/issue/7001 Signed-off-by: Simo Sorce --- ipalib/constants.py | 1 + ipalib/install/kinit.py | 5 - ipaserver/rpcserver.py | 3 ++- pylint_plugins.py | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 5279b64789..ab466bab7f 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -155,6 +155,7 @@ ('session_auth_duration', '20 minutes'), # How a session expiration is computed, see SessionManager.set_session_expiration_time() ('session_duration_type', 'inactivity_timeout'), +('kinit_lifetime', None), # Debugging: ('verbose', 0), diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 73471f103e..91ea5132aa 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_password(principal, password, ccache_name, config=None, armor_ccache_name=None, canonicalize=False, - enterprise=False): + enterprise=False, lifetime=None): """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service 
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None, % armor_ccache_name) args.extend(['-T', armor_ccache_name]) +if lifetime: +args.extend(['-l', lifetime]) + if canonicalize: root_logger.debug("Requesting principal canonicalization") args.append('-C') diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 32f286148b..2990df2598 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name): password, ccache_name, armor_ccache_name=armor_path, -enterprise=True) +enterprise=True, +lifetime=self.api.env.kinit_lifetime) if armor_path: self.debug('Cleanup the armor ccache') diff --git a/pylint_plugins.py b/pylint_plugins.py index b17e7db81a..ecc24775b1 100644 --- a/pylint_plugins.py +++ b/pylint_plugins.py @@ -69,6 +69,7 @@ def fake_class(name_or_class_obj, members=()): 'realm', 'session_auth_duration', 'session_duration_type', +'kinit_lifetime', ]} # this is due ipaserver.rpcserver.KerberosSession where api is undefined From 0dae4bd957da05b874c98e5a78db3757170dc6de Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 6 Jun 2017 09:04:58 -0400 Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients Older clients have issues properly parsing cookies and the sessionMaxAge setting is one of those that breaks them. Comment out the setting and add a comment that explains why it is not set by default. https://pagure.io/freeipa/issue/7001 Signed-off-by: Simo Sorce --- install/conf/ipa.conf | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index a7ca5ce715..01bf9a4f97 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 26 - DO NOT REMOVE THIS LINE +# VERSION 27 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # 
@@ -77,7 +77,9 @@ WSGIScriptReloading Off Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION - SessionMaxAge 1800 + # Uncomment the following to have shorter sessions, but beware this may break + # old IPA client tols that incorrectly parse cookies. + # SessionMaxAge 1800 GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiImpersonate On ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
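Review bot: typo in the added `ipa.conf` comment: `client tols` should read `client tools`. In `kinit_password`, `lifetime` is handed straight to kinit as the `-l` argument; since the value comes from `default.conf`, add a short comment at the `('kinit_lifetime', None)` entry in `constants.py` stating that it must use the kinit `-l` lifetime syntax (as the commit message says), so administrators do not have to discover the format from a failed kinit.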
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ Changed to use the correct bug number: https://pagure.io/freeipa/issue/7001 """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306741024
[Freeipa-devel] [freeipa PR#855][synchronized] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Author: simo5 Title: #855: Prevent issues with older clients Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/855/head:pr855 git checkout pr855 From 0dfb66a8269baaf6b8fd18ba149dd1e2fa812a7b Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 5 Jun 2017 09:50:22 -0400 Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit. https://pagure.io/freeipa/issue/7001 Signed-off-by: Simo Sorce --- ipalib/constants.py | 1 + ipalib/install/kinit.py | 5 - ipaserver/rpcserver.py | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 5279b64789..ab466bab7f 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -155,6 +155,7 @@ ('session_auth_duration', '20 minutes'), # How a session expiration is computed, see SessionManager.set_session_expiration_time() ('session_duration_type', 'inactivity_timeout'), +('kinit_lifetime', None), # Debugging: ('verbose', 0), diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 73471f103e..91ea5132aa 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_password(principal, password, ccache_name, config=None, armor_ccache_name=None, canonicalize=False, - enterprise=False): + enterprise=False, lifetime=None): """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service 
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None, % armor_ccache_name) args.extend(['-T', armor_ccache_name]) +if lifetime: +args.extend(['-l', lifetime]) + if canonicalize: root_logger.debug("Requesting principal canonicalization") args.append('-C') diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 32f286148b..2990df2598 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name): password, ccache_name, armor_ccache_name=armor_path, -enterprise=True) +enterprise=True, +lifetime=self.api.env.kinit_lifetime) if armor_path: self.debug('Cleanup the armor ccache') From 4111ddd88173bce8811a165c2eca94c9e49e079e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 6 Jun 2017 09:04:58 -0400 Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients Older clients have issues properly parsing cookies and the sessionMaxAge setting is one of those that breaks them. Comment out the setting and add a comment that explains why it is not set by default. https://pagure.io/freeipa/issue/7001 Signed-off-by: Simo Sorce --- install/conf/ipa.conf | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index a7ca5ce715..01bf9a4f97 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 26 - DO NOT REMOVE THIS LINE +# VERSION 27 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # 
@@ -77,7 +77,9 @@ WSGIScriptReloading Off Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION - SessionMaxAge 1800 + # Uncomment the following to have shorter sessions, but beware this may break + # old IPA client tols that incorrectly parse cookies. + # SessionMaxAge 1800 GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiImpersonate On ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
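Review bot: `rpcserver.py` now reads `self.api.env.kinit_lifetime`, but this push contains no `pylint_plugins.py` hunk registering `'kinit_lifetime'` among the fake env members, so the lint run will flag the attribute as unknown; the later push adds that hunk. The `client tols` typo in the new `ipa.conf` comment is present here as well.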
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ I thought just defining it as None in the constants was enough? We do not want to set a kinit_lifetime entry in defaults.conf, I am ok with the default being None for now I think. """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306616228
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ In my test setup I verified the cookie does not have the MaxAge setting, and that kinit_lifetime properly causes the session to expire after the lifetime indicated. """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306539239
[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Title: #855: Prevent issues with older clients simo5 commented: """ Fixes https://pagure.io/freeipa/issue/6774 """ See the full comment at https://github.com/freeipa/freeipa/pull/855#issuecomment-306538965
[Freeipa-devel] [freeipa PR#855][opened] Prevent issues with older clients
URL: https://github.com/freeipa/freeipa/pull/855 Author: simo5 Title: #855: Prevent issues with older clients Action: opened PR body: """ Older clients have issues parsing cookies, and cannot handle well the MaxAge setting. So the first patch is about removing it. Unfortunately this means cookies will be valid for the duration of the authentication ticket which is set to 24h by default. This is a bit high, so the second patch adds the ability to set the "kinit_lifetime" in /etc/api/default.conf so that users authenticating using username/password can have their tickets (and therefore their session) hard capped at whatever lifetime is set there. Users that use HTTP negotiate can control their session duration by getting shorter lived tickets via kinit. In all cases users can click on the logout button to blow away credentials. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/855/head:pr855 git checkout pr855 From f0a57d5b9b17331d4bf277ff28718b42c66460b9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 5 Jun 2017 09:50:22 -0400 Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime This is done by setting the kinit_lifetime option in default.conf to a value that can be passed in with the -l option syntax of kinit. https://pagure.io/freeipa/issue/6774 Signed-off-by: Simo Sorce --- ipalib/constants.py | 1 + ipalib/install/kinit.py | 5 - ipaserver/rpcserver.py | 3 ++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ipalib/constants.py b/ipalib/constants.py index 5279b64789..ab466bab7f 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -155,6 +155,7 @@ ('session_auth_duration', '20 minutes'), # How a session expiration is computed, see SessionManager.set_session_expiration_time() ('session_duration_type', 'inactivity_timeout'), +('kinit_lifetime', None), # Debugging: ('verbose', 0), 
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py index 73471f103e..91ea5132aa 100644 --- a/ipalib/install/kinit.py +++ b/ipalib/install/kinit.py @@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): def kinit_password(principal, password, ccache_name, config=None, armor_ccache_name=None, canonicalize=False, - enterprise=False): + enterprise=False, lifetime=None): """ perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service @@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None, % armor_ccache_name) args.extend(['-T', armor_ccache_name]) +if lifetime: +args.extend(['-l', lifetime]) + if canonicalize: root_logger.debug("Requesting principal canonicalization") args.append('-C') diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 32f286148b..2990df2598 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name): password, ccache_name, armor_ccache_name=armor_path, -enterprise=True) +enterprise=True, +lifetime=self.api.env.kinit_lifetime) if armor_path: self.debug('Cleanup the armor ccache') From 969ed06cec5aa8efe8164899fbb73ff26f96b944 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 6 Jun 2017 09:04:58 -0400 Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients Older clients have issues properly parsing cookies and the sessionMaxAge setting is one of those that breaks them. Comment out the setting and add a comment that explains why it is not set by default. https://pagure.io/freeipa/issue/6774 Signed-off-by: Simo Sorce --- install/conf/ipa.conf | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index a7ca5ce715..01bf9a4f97 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf 
@@ -1,5 +1,5 @@ # -# VERSION 26 - DO NOT REMOVE THIS LINE +# VERSION 27 - DO NOT REMOVE THIS LINE # # This file may be overwritten on upgrades. # @@ -77,7 +77,9 @@ WSGIScriptReloading Off Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION - SessionMaxAge 1800 + # Uncomment the following to have shorter sessions, but beware this may break + # old IPA client tols that incorrectly parse cookies. + # SessionMaxAge 1800 GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiImpersonate On ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
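Review bot: both commit messages reference https://pagure.io/freeipa/issue/6774, while the author's later comment on this PR says the correct ticket is https://pagure.io/freeipa/issue/7001; make sure the final series carries the right reference. The added `ipa.conf` comment also misspells `tools` as `tols`.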
[Freeipa-devel] [freeipa PR#851][+ack] ipa-kdb: add pkinit authentication indicator in case of a successful certauth
URL: https://github.com/freeipa/freeipa/pull/851 Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth Label: +ack
[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812 Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using simo5 commented: """ So I am for the very localized change still (to be clear) """ See the full comment at https://github.com/freeipa/freeipa/pull/812#issuecomment-304009517
[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812 Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using simo5 commented: """ Ok one thing was in the back of my mind and came up now, we need to keep in mind that krbprincipalname can be multivalued. It won't affect this case (I think) but if we are going to expose some new attribute we need to make sure users of the API are not tricked into thinking it is always the service's unique name (that's what krbCanonicalName is for). """ See the full comment at https://github.com/freeipa/freeipa/pull/812#issuecomment-304009324
[Freeipa-devel] [freeipa PR#812][comment] Refactoring cert-find to use API call directly instead of using
URL: https://github.com/freeipa/freeipa/pull/812 Title: #812: Refactoring cert-find to use API call directly instead of using simo5 commented: """ Won't this cause it to not find certificates associated to users? Currently that works, this change is not replicating the same functionality of the original code. """ See the full comment at https://github.com/freeipa/freeipa/pull/812#issuecomment-303821229
[Freeipa-devel] [freeipa PR#805][synchronized] Fix rare race condition with missing ccache file
URL: https://github.com/freeipa/freeipa/pull/805 Author: simo5 Title: #805: Fix rare race condition with missing ccache file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/805/head:pr805 git checkout pr805 From 6ba2d059ae7fb13cec40581a69eddbd995bf9bf7 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 22 May 2017 10:56:41 -0400 Subject: [PATCH] Fix rare race condition with missing ccache file In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced. Ticket: #6972 Signed-off-by: Simo Sorce --- ipaserver/rpcserver.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 4cde2815a0..32f286148b 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -777,8 +777,17 @@ def __call__(self, environ, start_response): self.debug('no ccache, need login') return self.need_login(start_response) +# If we have a ccache, make sure we have a GSS_NAME and use +# it to resolve the ccache name (Issue: 6972 ) +principal = environ.get('GSS_NAME') +if principal is None: +self.debug('no GSS Name, need login') +return self.need_login(start_response) +gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) + # Redirect to login if Kerberos credentials are expired -creds = get_credentials_if_valid(ccache_name=ccache_name) +creds = get_credentials_if_valid(name=gss_name, + ccache_name=ccache_name) if not creds: self.debug('ccache expired, deleting session, need login') # The request is finished with the ccache, destroy it. ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
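Review bot: the hunk introduces `gssapi.Name(...)` and `gssapi.NameType.kerberos_principal` but adds no import, and the diffstat (10 insertions, 1 deletion) is fully accounted for by this hunk; confirm `gssapi` is already imported in `rpcserver.py`. `gssapi.Name()` can also raise on a malformed principal string; `GSS_NAME` is set by mod_auth_gssapi so this is unlikely, but wrapping the construction in a try/except that returns `need_login` would keep a bad value from turning into a 500.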
[Freeipa-devel] [freeipa PR#805][synchronized] Fix rare race condition with missing ccache file
URL: https://github.com/freeipa/freeipa/pull/805 Author: simo5 Title: #805: Fix rare race condition with missing ccache file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/805/head:pr805 git checkout pr805 From 9abfd06c430e6ffdffd6a8044c80a8b05d349509 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 22 May 2017 10:56:41 -0400 Subject: [PATCH] Fix rare race condition with missing ccache file In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced. Ticket: #6972 Signed-off-by: Simo Sorce --- ipaserver/rpcserver.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 4cde2815a0..32f286148b 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -777,8 +777,17 @@ def __call__(self, environ, start_response): self.debug('no ccache, need login') return self.need_login(start_response) +# If we have a ccache, make sure we have a GSS_NAME and use +# it to resolve the ccache name (Issue: 6972 ) +principal = environ.get('GSS_NAME') +if principal is None: +self.debug('no GSS Name, need login') +return self.need_login(start_response) +gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) + # Redirect to login if Kerberos credentials are expired -creds = get_credentials_if_valid(ccache_name=ccache_name) +creds = get_credentials_if_valid(name=gss_name, + ccache_name=ccache_name) if not creds: self.debug('ccache expired, deleting session, need login') # The request is finished with the ccache, destroy it.
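Review bot: `gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)` is built from the `GSS_NAME` environ value with no error handling, so a value that does not parse as a Kerberos principal would raise out of `__call__` instead of producing the `need_login` response every other bad-state path in this hunk returns. Guarding the construction (and the following `get_credentials_if_valid(name=gss_name, ...)` call) so a failure is logged at debug level and handled like the missing-name case keeps the fallback behaviour uniform. Minor: the comment `(Issue: 6972 )` has a stray space before the closing parenthesis.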
[Freeipa-devel] [freeipa PR#805][opened] Fix rare race condition with missing ccache file
URL: https://github.com/freeipa/freeipa/pull/805 Author: simo5 Title: #805: Fix rare race condition with missing ccache file Action: opened PR body: """ In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced. Ticket: #6972 Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/805/head:pr805 git checkout pr805 From 4c92d47012bf6a24b2e0fb64e1c2374463bc79a6 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 22 May 2017 10:56:41 -0400 Subject: [PATCH] Fix rare race condition with missing ccache file In some circumstances the ccache file may disappear while mod_auth_gssapi still has a valid cookie and the client is performing a json server call. This may lead to credentials getting sourced from the keytab. Make sure we enforce what GSS NAME we want to resolve so HTTP creds are never mistakenly sourced. Ticket: #6972 Signed-off-by: Simo Sorce --- ipaserver/rpcserver.py | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 4cde2815a0..89f8e9d286 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response): self.debug('no ccache, need login') return self.need_login(start_response) +# If we have a ccache, make sure we have a GSS_NAME and use +# it to resolve the ccache name (Issue: ) +principal = environ.get('GSS_NAME') +if principal is None: +self.debug('no GSS Name, need login') +return self.need_login(start_response) +gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) + # Redirect to login if Kerberos credentials are expired -creds = get_credentials_if_valid(ccache_name=ccache_name) +creds = get_credentials_if_valid(name=gss_name, + ccache_name=ccache_name) if not creds: self.debug('ccache expired, deleting session, need login') # The request is finished with the ccache, destroy it.
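Review bot: the added comment reads `(Issue: )` with the ticket number left blank, although the commit message cites `Ticket: #6972`; fill the reference in so the inline comment documents why the principal is pinned before the ccache is resolved. The comment would also read better if it stated the consequence being prevented, namely that resolving the ccache without an expected name can let credentials be sourced from the keytab when the ccache file has gone missing, since that is the actual reason for rejecting a request that has a ccache but no `GSS_NAME`.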
[Freeipa-devel] [freeipa PR#804][+ack] krb5: make sure KDC certificate is readable
URL: https://github.com/freeipa/freeipa/pull/804 Title: #804: krb5: make sure KDC certificate is readable Label: +ack