[Freeipa-devel] [freeipa PR#5744][opened] WIP: Convert HMAC to EVP interface

2021-04-29 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5744
Author: simo5
 Title: #5744: WIP: Convert HMAC to EVP interface
Action: opened

PR body:
"""
I haven't even compiled this yet, but I thought it would be better to post it 
than forget it in my branch

@abbra  @tiran  let me know if you'd like this contribution in this form and I 
will go through the paces of testing with openssl3. Or we can simply leave it 
here until we have an OS that carries openssl3 we can run tests against.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5744/head:pr5744
git checkout pr5744
From bd3d3cc2d8a1c454b727ad237296006835b33e15 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 29 Apr 2021 16:09:49 -0400
Subject: [PATCH] Convert HMAC to EVP interface

Signed-off-by: Simo Sorce 
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 59 -
 1 file changed, 58 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 894786e87d4..56fb9d45578 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -47,12 +47,20 @@
 #include 
 #include 
 #include 
-#include 
 
+#if OPENSSL_VERSION_NUMBER < 0x3000L
+#include 
 struct digest_buffer {
 unsigned char buf[EVP_MAX_MD_SIZE];
 unsigned int len;
 };
+#else
+#include 
+struct digest_buffer {
+unsigned char buf[EVP_MAX_MD_SIZE];
+size_t len;
+};
+#endif
 
 static const struct {
 const char *algo;
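Review bot: the guard `#if OPENSSL_VERSION_NUMBER < 0x3000L` never selects the legacy branch: OpenSSL encodes 3.0.0 as `0x30000000L` (1.1.1 is already `0x1010100fL`), so `0x3000L` is below every real version number and the EVP_MAC code would be compiled against OpenSSL 1.x as well, where it cannot build. Use `0x30000000L` here and in the matching guard around `hmac()` below. Since the two `digest_buffer` definitions differ only in the type of `len` (`unsigned int` for the HMAC API, `size_t` for `EVP_MAC_final`), a single struct with a conditional typedef for that field would avoid duplicating the declaration.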
@@ -65,6 +73,7 @@ static const struct {
 { }
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x3000L
 static bool hmac(const struct hotp_token_key *key, const char *sn_mech,
  uint64_t counter, struct digest_buffer *out)
 {
@@ -85,6 +94,54 @@ static bool hmac(const struct hotp_token_key *key, const char *sn_mech,
 
 return true;
 }
+#else
+static bool hmac(const struct hotp_token_key *key, const char *sn_mech,
+ uint64_t counter, struct digest_buffer *out)
+{
+unsigned char in[sizeof(uint64_t)];
+EVP_MAC_CTX *ctx = NULL;
+EVP_MAC *mac = NULL;
+bool ret = false;
+OSSL_PARAM params[] = {
+OSSL_PARAM_utf8_string("digest", sn_mech, strlen(sn_mech)),
+OSSL_PARAM_END
+};
+int status;
+
+mac = EVP_MAC_fetch(NULL, "hmac", NULL);
+if (mac == NULL) {
+goto done;
+}
+
+ctx = EVP_MAC_CTX_new(mac);
+if (ctx == NULL) {
+goto done;
+}
+
+status = EVP_MAC_init(ctx, (void *)key->bytes, key->len, params);
+if (status == 0) {
+goto done;
+}
+
+memcpy(in, &counter, sizeof(uint64_t));
+
+status = EVP_MAC_update(ctx, in, sizeof(in));
+if (status == 0) {
+goto done;
+}
+
+status = EVP_MAC_final(ctx, out->buf, &out->len, EVP_MAX_MD_SIZE);
+if (status == 0) {
+goto done;
+}
+
+ret = true;
+
+done:
+EVP_MAC_CTX_free(ctx);
+EVP_MAC_free(mac);
+}
+#endif
 
 /*
  * An implementation of HOTP (RFC 4226).
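Review bot: the new `hmac()` body never returns a value: after the `done:` label it frees `ctx` and `mac` and falls off the end, so `ret` is computed but never returned and the caller of a `bool` function reads an indeterminate value (undefined behaviour, and a hard error under `-Werror=return-type`). Add `return ret;` as the last statement. Two smaller points: `OSSL_PARAM_utf8_string()` takes a non-const `char *` buffer, so passing `sn_mech` (`const char *`) discards a qualifier and will warn; and `memcpy(in, &counter, sizeof(uint64_t))` copies the counter in host byte order whereas RFC 4226 (referenced just below) hashes it as an 8-byte big-endian value, so please confirm the caller already byte-swaps, since the legacy body's handling of `in` is outside this hunk.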
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-devel] [freeipa PR#3672][opened] Make sure to have storage space for tag

2019-09-16 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/3672
Author: simo5
 Title: #3672: Make sure to have storage space for tag
Action: opened

PR body:
"""
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be stored in whatever
memory location is pointed by the stack at that time causing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is the kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3672/head:pr3672
git checkout pr3672
From 94f4819cc6ea1ebe167c1c68ed25e82a7dbb33fe Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 16 Sep 2019 11:12:25 -0400
Subject: [PATCH] Make sure to have storage space for tag

ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be stored in whatever
memory location is pointed by the stack at that time causing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is the kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce 
---
 util/ipa_krb5.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
index a27cd4a4e5..c09c3daa50 100644
--- a/util/ipa_krb5.c
+++ b/util/ipa_krb5.c
@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
 retag = ber_peek_tag(be, &setlen);
 if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
 /* not supported yet, skip */
-retag = ber_scanf(be, "t[x]}");
+retag = ber_scanf(be, "t[x]}", &tag);
 } else {
 retag = ber_scanf(be, "}");
 }
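Review bot: the fix is right: lber's `t` conversion writes the peeked tag through a `ber_tag_t *`, so the old call with no argument made `ber_scanf()` read a missing vararg and write through whatever happened to be on the stack, which is a stack memory write and not merely a crash. Two things the hunk does not show and that should be checked: that `tag` is declared as `ber_tag_t` in `ber_decode_krb5_key_data()` (a smaller variable would corrupt the adjacent stack slot in the same way), and, since the value is deliberately discarded on this "not supported yet" path, a `(void)tag;` or a short comment so a later cleanup does not drop the variable as unused. The `retag` result of this call is not checked within the hunk either, unlike `ber_peek_tag()` above it; if that happens after the `else`, fine.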
___


[Freeipa-devel] [freeipa PR#892][opened] Always check peer has keys before connecting

2017-06-23 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/892
Author: simo5
 Title: #892: Always check peer has keys before connecting
Action: opened

PR body:
"""
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/892/head:pr892
git checkout pr892
From 923d928fa0aa1b9a1b0ee096e0a7063755a1c4ab Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 23 Jun 2017 04:48:41 -0400
Subject: [PATCH] Always check peer has keys before connecting

When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

Ticket #6838

Signed-off-by: Simo Sorce 
---
 ipaserver/install/custodiainstance.py | 20 
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 390576bc0c..bc3cea7063 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -13,7 +13,6 @@
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
-import functools
 import shutil
 import os
 import stat
@@ -31,13 +30,6 @@ def __init__(self, host_name=None, realm=None):
 self.ldap_uri = None
 self.fqdn = host_name
 self.realm = realm
-self.__CustodiaClient = functools.partial(
-CustodiaClient,
-client_service='host@%s' % self.fqdn,
-keyfile=self.server_keys,
-keytab=paths.KRB5_KEYTAB,
-realm=realm,
-)
 
 def __config_file(self):
 template_file = os.path.basename(self.config_file) + '.template'
@@ -144,6 +136,14 @@ def __wait_keys(self, host, timeout=300):
 raise RuntimeError("Timed out trying to obtain keys.")
 time.sleep(1)
 
+def __CustodiaClient(self, server):
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(server)
+
+return CustodiaClient('host@%s' % self.fqdn, self.server_keys,
+  paths.KRB5_KEYTAB, server, realm=self.realm)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
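Review bot: in the new `__CustodiaClient()` the arguments are passed positionally (`'host@%s' % self.fqdn, self.server_keys, paths.KRB5_KEYTAB, server`) where the removed `functools.partial` used keywords (`client_service=`, `keyfile=`, `keytab=`, `realm=`), so the call now depends on the parameter order of `CustodiaClient.__init__`, which this diff does not show; keep the keywords so the refactor is behaviour-preserving by inspection. Moving `self.__wait_keys(server)` into the helper is the point of the change and is fine, but it means every client creation, including the DM-password path the PR body mentions, can now block for up to the 300 s default of `__wait_keys()` and raise `RuntimeError` on timeout, where previously only `__get_keys()` could; callers on that path should expect the exception.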
@@ -151,10 +151,6 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
-# Before we attempt to fetch keys from this host, make sure our public
-# keys have been replicated there.
-self.__wait_keys(ca_host)
-
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
___


[Freeipa-devel] [freeipa PR#890][opened] Make sure we check ccaches in all rpcserver paths

2017-06-22 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/890
Author: simo5
 Title: #890: Make sure we check ccaches in all rpcserver paths
Action: opened

PR body:
"""
We need to verify the ccache is available in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.

Signed-off-by: Simo Sorce 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/890/head:pr890
git checkout pr890
From 0c2d59507917884b6351bdcc36e8694037efe0aa Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 22 Jun 2017 10:57:25 -0400
Subject: [PATCH] Make sure we check ccaches in all rpcserver paths

We need to verify the ccache is available in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.

Signed-off-by: Simo Sorce 
---
 ipaserver/rpcserver.py | 72 +++---
 1 file changed, 39 insertions(+), 33 deletions(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 2990df2598..9efe3c1f4b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -592,6 +592,41 @@ class KerberosSession(HTTP_Status):
 needing this do not share a common base class.
 '''
 
+def need_login(self, start_response):
+status = '401 Unauthorized'
+headers = []
+response = b''
+
+self.debug('%s need login', status)
+
+start_response(status, headers)
+return [response]
+
+def get_environ_creds(self, environ):
+# If we have a ccache ...
+ccache_name = environ.get('KRB5CCNAME')
+if ccache_name is None:
+self.debug('no ccache, need login')
+return
+
+# ... make sure we have a name ...
+principal = environ.get('GSS_NAME')
+if principal is None:
+self.debug('no Principal Name, need login')
+return
+
+# ... and use it to resolve the ccache name (Issue: 6972 )
+gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+
+# Fail if Kerberos credentials are expired or missing
+creds = get_credentials_if_valid(name=gss_name,
+ ccache_name=ccache_name)
+if not creds:
+self.debug('ccache expired or invalid, deleting session, need login')
+return
+
+return ccache_name
+
 
 def finalize_kerberos_acquisition(self, who, ccache_name, environ, start_response, headers=None):
 if headers is None:
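Review bot: `get_environ_creds()` logs "ccache expired or invalid, deleting session, need login" but deletes nothing; it only returns `None`. Either reword the message or have the caller actually discard the session, otherwise the log records a cleanup that never happens (the code this replaces carried the same stale wording and a "destroy it" comment with no code behind it). Style: the failure branches use a bare `return` while the success path is `return ccache_name`; `return None` reads clearer. Also, the new method leaves two blank lines (one `+`, one context) before `finalize_kerberos_acquisition()`, which pycodestyle flags as E303 inside a class body.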
@@ -754,43 +789,15 @@ def __init__(self, api):
 def _on_finalize(self):
 super(jsonserver_session, self)._on_finalize()
 
-def need_login(self, start_response):
-status = '401 Unauthorized'
-headers = []
-response = b''
-
-self.debug('jsonserver_session: %s need login', status)
-
-start_response(status, headers)
-return [response]
-
 def __call__(self, environ, start_response):
 '''
 '''
 
 self.debug('WSGI jsonserver_session.__call__:')
 
-ccache_name = environ.get('KRB5CCNAME')
-
 # Redirect to login if no Kerberos credentials
+ccache_name = self.get_environ_creds(environ)
 if ccache_name is None:
-self.debug('no ccache, need login')
-return self.need_login(start_response)
-
-# If we have a ccache, make sure we have a GSS_NAME and use
-# it to resolve the ccache name (Issue: 6972 )
-principal = environ.get('GSS_NAME')
-if principal is None:
-self.debug('no GSS Name, need login')
-return self.need_login(start_response)
-gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
-
-# Redirect to login if Kerberos credentials are expired
-creds = get_credentials_if_valid(name=gss_name,
- ccache_name=ccache_name)
-if not creds:
-self.debug('ccache expired, deleting session, need login')
-# The request is finished with the ccache, destroy it.
 return self.need_login(start_response)
 
 # Store the ccache name in the per-thread context
@@ -828,11 +835,10 @@ def _on_finalize(self):
 def __call__(self, environ, start_response):
 self.debug('WSGI KerberosLogin.__call__:')
 
-# Get the ccache created by mod_auth_gssapi
-user_ccache_name=environ.get('KRB5CCNAME')
+# Redirect to login if no Kerberos credentials
+user_ccache_name = self.get_environ_creds(environ)
 if user_ccache_name is None:
-return self.internal_error(environ, start_response,
-
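Review bot: this hunk is cut off in the archive after the removed `return self.internal_error(environ, start_response,` line, so the replacement for that branch is not visible. As far as it is shown, `KerberosLogin.__call__` switches from treating a missing `KRB5CCNAME` as an internal error to going through `get_environ_creds()`, which also rejects an expired or name-mismatched ccache; make sure the new branch answers with `need_login()` (the 401 defined in the first hunk) rather than `internal_error()`, since an expired ccache on the login endpoint is an expected client condition, not a server fault.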

[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients

2017-06-07 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/855
Title: #855: Prevent issues with older clients

simo5 commented:
"""
Ok I added it to pylint_plugins, hopefully it is addressed fully now

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/855#issuecomment-306767611
___


[Freeipa-devel] [freeipa PR#855][synchronized] Prevent issues with older clients

2017-06-07 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/855
Author: simo5
 Title: #855: Prevent issues with older clients
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/855/head:pr855
git checkout pr855
From 03cbfdbbfb429e0c8cdc20630a5d8c2c1bc126dd Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 5 Jun 2017 09:50:22 -0400
Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce 
---
 ipalib/constants.py | 1 +
 ipalib/install/kinit.py | 5 -
 ipaserver/rpcserver.py  | 3 ++-
 pylint_plugins.py   | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 5279b64789..ab466bab7f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -155,6 +155,7 @@
 ('session_auth_duration', '20 minutes'),
 # How a session expiration is computed, see SessionManager.set_session_expiration_time()
 ('session_duration_type', 'inactivity_timeout'),
+('kinit_lifetime', None),
 
 # Debugging:
 ('verbose', 0),
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f103e..91ea5132aa 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 
 def kinit_password(principal, password, ccache_name, config=None,
armor_ccache_name=None, canonicalize=False,
-   enterprise=False):
+   enterprise=False, lifetime=None):
 """
 perform interactive kinit as principal using password. If using FAST for
 web-based authentication, use armor_ccache_path to specify http service
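Review bot: the docstring directly under the new signature describes `armor_ccache_path` but not the added `lifetime` parameter. Document that it is forwarded unchanged as `kinit -l <lifetime>` and therefore must use kinit's duration syntax (as the commit message says), and that `None` leaves the krb5.conf/KDC default in place.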
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
   % armor_ccache_name)
 args.extend(['-T', armor_ccache_name])
 
+if lifetime:
+args.extend(['-l', lifetime])
+
 if canonicalize:
 root_logger.debug("Requesting principal canonicalization")
 args.append('-C')
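Review bot: the other optional branches in this function log what they add (`root_logger.debug("Requesting principal canonicalization")` right below); the new `if lifetime:` branch appends `-l` silently, and nothing validates the string before it reaches kinit, so a malformed `kinit_lifetime` in default.conf surfaces only as a kinit failure with no hint of the cause. Add a debug line with the requested lifetime. Note also that the truthiness test means an explicit empty string disables the option, which is probably intended but worth a comment.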
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f286148b..2990df2598 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name):
 password,
 ccache_name,
 armor_ccache_name=armor_path,
-enterprise=True)
+enterprise=True,
+lifetime=self.api.env.kinit_lifetime)
 
 if armor_path:
 self.debug('Cleanup the armor ccache')
diff --git a/pylint_plugins.py b/pylint_plugins.py
index b17e7db81a..ecc24775b1 100644
--- a/pylint_plugins.py
+++ b/pylint_plugins.py
@@ -69,6 +69,7 @@ def fake_class(name_or_class_obj, members=()):
 'realm',
 'session_auth_duration',
 'session_duration_type',
+'kinit_lifetime',
 ]}
 
 # this is due ipaserver.rpcserver.KerberosSession where api is undefined

From 0dae4bd957da05b874c98e5a78db3757170dc6de Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 6 Jun 2017 09:04:58 -0400
Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients

Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce 
---
 install/conf/ipa.conf | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index a7ca5ce715..01bf9a4f97 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 27 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -77,7 +77,9 @@ WSGIScriptReloading Off
   Session On
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
-  SessionMaxAge 1800
+  # Uncomment the following to have shorter sessions, but beware this may break
+  # old IPA client tols that incorrectly parse cookies.
+  # SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
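Review bot: "tols" in the added comment should be "tools". On the substance: commenting out `SessionMaxAge 1800` removes the 30-minute server-side cap and leaves session length bounded only by the ticket lifetime, which the PR body puts at 24h by default; since the intended replacement knob is `kinit_lifetime` (and it only caps password logins, not HTTP Negotiate users), say so in the comment, so an admin reading ipa.conf learns where the cap moved rather than only that this line breaks old clients.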
___


[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients

2017-06-07 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/855
Title: #855: Prevent issues with older clients

simo5 commented:
"""
Changed to use the correct bug number:
https://pagure.io/freeipa/issue/7001
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/855#issuecomment-306741024
___


[Freeipa-devel] [freeipa PR#855][synchronized] Prevent issues with older clients

2017-06-07 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/855
Author: simo5
 Title: #855: Prevent issues with older clients
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/855/head:pr855
git checkout pr855
From 0dfb66a8269baaf6b8fd18ba149dd1e2fa812a7b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 5 Jun 2017 09:50:22 -0400
Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce 
---
 ipalib/constants.py | 1 +
 ipalib/install/kinit.py | 5 -
 ipaserver/rpcserver.py  | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 5279b64789..ab466bab7f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -155,6 +155,7 @@
 ('session_auth_duration', '20 minutes'),
 # How a session expiration is computed, see SessionManager.set_session_expiration_time()
 ('session_duration_type', 'inactivity_timeout'),
+('kinit_lifetime', None),
 
 # Debugging:
 ('verbose', 0),
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f103e..91ea5132aa 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 
 def kinit_password(principal, password, ccache_name, config=None,
armor_ccache_name=None, canonicalize=False,
-   enterprise=False):
+   enterprise=False, lifetime=None):
 """
 perform interactive kinit as principal using password. If using FAST for
 web-based authentication, use armor_ccache_path to specify http service
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
   % armor_ccache_name)
 args.extend(['-T', armor_ccache_name])
 
+if lifetime:
+args.extend(['-l', lifetime])
+
 if canonicalize:
 root_logger.debug("Requesting principal canonicalization")
 args.append('-C')
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f286148b..2990df2598 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name):
 password,
 ccache_name,
 armor_ccache_name=armor_path,
-enterprise=True)
+enterprise=True,
+lifetime=self.api.env.kinit_lifetime)
 
 if armor_path:
 self.debug('Cleanup the armor ccache')
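Review bot: `self.api.env.kinit_lifetime` is read here, but this revision only adds the `('kinit_lifetime', None)` default in `ipalib/constants.py`; the `pylint_plugins.py` fake `env` member list is not updated, so pylint will report the attribute as undefined on this line. The later push of this PR adds `'kinit_lifetime'` to that list.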

From 4111ddd88173bce8811a165c2eca94c9e49e079e Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 6 Jun 2017 09:04:58 -0400
Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients

Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce 
---
 install/conf/ipa.conf | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index a7ca5ce715..01bf9a4f97 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 27 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -77,7 +77,9 @@ WSGIScriptReloading Off
   Session On
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
-  SessionMaxAge 1800
+  # Uncomment the following to have shorter sessions, but beware this may break
+  # old IPA client tols that incorrectly parse cookies.
+  # SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
___


[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients

2017-06-06 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/855
Title: #855: Prevent issues with older clients

simo5 commented:
"""
I thought just defining it as None in the constants was enough ?
We do not want to set a kinit_lifetime entry in defaults.conf, I am ok with the 
default being None for now I think.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/855#issuecomment-306616228
___


[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients

2017-06-06 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/855
Title: #855: Prevent issues with older clients

simo5 commented:
"""
In my test setup I verified the cookie does not have the MaxAge setting, and 
that kinit_lifetime properly causes the session to expire after the lifetime 
indicated.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/855#issuecomment-306539239
___


[Freeipa-devel] [freeipa PR#855][comment] Prevent issues with older clients

2017-06-06 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/855
Title: #855: Prevent issues with older clients

simo5 commented:
"""
Fixes https://pagure.io/freeipa/issue/6774
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/855#issuecomment-306538965
___


[Freeipa-devel] [freeipa PR#855][opened] Prevent issues with older clients

2017-06-06 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/855
Author: simo5
 Title: #855: Prevent issues with older clients
Action: opened

PR body:
"""
Older clients have issues parsing cookies, and cannot handle well the MaxAge 
setting.
So the first patch is about removing it.

Unfortunately this means cookies will be valid for the duration of the 
authentication ticket which is set to 24h by default.
This is a bit high, so the second patch adds the ability to set the 
"kinit_lifetime" in /etc/api/default.conf so that users authenticating using 
username/password can have their tickets (and therefore their session) hard 
capped at whatever lifetime is set there.

Users that use HTTP negotiate can control their session duration by getting 
shorter lived tickets via kinit.

In all cases users can click on the logout button to blow away credentials.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/855/head:pr855
git checkout pr855
From f0a57d5b9b17331d4bf277ff28718b42c66460b9 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 5 Jun 2017 09:50:22 -0400
Subject: [PATCH 1/2] Add code to be able to set default kinit lifetime

This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/6774

Signed-off-by: Simo Sorce 
---
 ipalib/constants.py | 1 +
 ipalib/install/kinit.py | 5 -
 ipaserver/rpcserver.py  | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 5279b64789..ab466bab7f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -155,6 +155,7 @@
 ('session_auth_duration', '20 minutes'),
 # How a session expiration is computed, see SessionManager.set_session_expiration_time()
 ('session_duration_type', 'inactivity_timeout'),
+('kinit_lifetime', None),
 
 # Debugging:
 ('verbose', 0),
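Review bot: the new `('kinit_lifetime', None)` entry is the only one in this block without a comment; its neighbours (`session_auth_duration`, `session_duration_type`) each explain their format. Add one saying the value is a kinit `-l` duration string and that `None` means no `-l` is passed, since the commit message is currently the only place the format is described.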
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 73471f103e..91ea5132aa 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -63,7 +63,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 
 def kinit_password(principal, password, ccache_name, config=None,
armor_ccache_name=None, canonicalize=False,
-   enterprise=False):
+   enterprise=False, lifetime=None):
 """
 perform interactive kinit as principal using password. If using FAST for
 web-based authentication, use armor_ccache_path to specify http service
@@ -76,6 +76,9 @@ def kinit_password(principal, password, ccache_name, config=None,
   % armor_ccache_name)
 args.extend(['-T', armor_ccache_name])
 
+if lifetime:
+args.extend(['-l', lifetime])
+
 if canonicalize:
 root_logger.debug("Requesting principal canonicalization")
 args.append('-C')
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 32f286148b..2990df2598 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -969,7 +969,8 @@ def kinit(self, principal, password, ccache_name):
 password,
 ccache_name,
 armor_ccache_name=armor_path,
-enterprise=True)
+enterprise=True,
+lifetime=self.api.env.kinit_lifetime)
 
 if armor_path:
 self.debug('Cleanup the armor ccache')

From 969ed06cec5aa8efe8164899fbb73ff26f96b944 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 6 Jun 2017 09:04:58 -0400
Subject: [PATCH 2/2] Revert setting sessionMaxAge for old clients

Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/6774

Signed-off-by: Simo Sorce 
---
 install/conf/ipa.conf | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index a7ca5ce715..01bf9a4f97 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 26 - DO NOT REMOVE THIS LINE
+# VERSION 27 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -77,7 +77,9 @@ WSGIScriptReloading Off
   Session On
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
-  SessionMaxAge 1800
+  # Uncomment the following to have shorter sessions, but beware this may break
+  # old IPA client tols that incorrectly parse cookies.
+  # SessionMaxAge 1800
   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 
   GssapiImpersonate On
___


[Freeipa-devel] [freeipa PR#851][+ack] ipa-kdb: add pkinit authentication indicator in case of a successful certauth

2017-06-05 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/851
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth

Label: +ack
___


[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using

2017-05-25 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using

simo5 commented:
"""
So I am for the very localized change still (to be clear)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/812#issuecomment-304009517
___


[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using

2017-05-25 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of using

simo5 commented:
"""
Ok one thing was in the back of my mind and came up now, we need to keep in 
mind that krbprincipalname can be multivalued. It won't affect this case (I 
think) but if we are going to expose some new attribute we need to make sure 
users of the API are not tricked into thinking it is always the service's unique 
name (that's what krbCanonicalName is for).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/812#issuecomment-304009324
___


[Freeipa-devel] [freeipa PR#812][comment] Refactoring cert-find to use API call directly instead of using

2017-05-24 Thread simo5 via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: Refactoring cert-find to use API call directly instead of using

simo5 commented:
"""
Won't this cause it to not find certificates associated to users ?
Currently that works, this change is not replicating the same functionality of 
the original code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/812#issuecomment-303821229
___


[Freeipa-devel] [freeipa PR#805][synchronized] Fix rare race condition with missing ccache file

2017-05-24 Thread simo5 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/805
Author: simo5
 Title: #805: Fix rare race condition with missing ccache file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/805/head:pr805
git checkout pr805
From 6ba2d059ae7fb13cec40581a69eddbd995bf9bf7 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 22 May 2017 10:56:41 -0400
Subject: [PATCH] Fix rare race condition with missing ccache file

In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.

This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce 
---
 ipaserver/rpcserver.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4cde2815a0..32f286148b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response):
 self.debug('no ccache, need login')
 return self.need_login(start_response)
 
+# If we have a ccache, make sure we have a GSS_NAME and use
+# it to resolve the ccache name (Issue: 6972 )
+principal = environ.get('GSS_NAME')
+if principal is None:
+self.debug('no GSS Name, need login')
+return self.need_login(start_response)
+gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+
 # Redirect to login if Kerberos credentials are expired
-creds = get_credentials_if_valid(ccache_name=ccache_name)
+creds = get_credentials_if_valid(name=gss_name,
+ ccache_name=ccache_name)
 if not creds:
 self.debug('ccache expired, deleting session, need login')
 # The request is finished with the ccache, destroy it.
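Review bot: the new `if principal is None:` branch returns `self.need_login(start_response)` without the teardown that the `ccache expired` branch right below it performs (`# The request is finished with the ccache, destroy it.`), so when a ccache name was found but `GSS_NAME` is absent from the environment the existing ccache and session are left in place. Either say in the comment that this is intentional (mirroring the `no ccache, need login` branch above) or route this case through the same cleanup. Separately, `gssapi.Name(...)` and the new `name=` keyword passed to `get_credentials_if_valid` depend on an import and a helper signature that are outside this hunk; worth confirming both already exist in `ipaserver/rpcserver.py` before merging.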


[Freeipa-devel] [freeipa PR#805][synchronized] Fix rare race condition with missing ccache file

2017-05-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/805
Author: simo5
 Title: #805: Fix rare race condition with missing ccache file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/805/head:pr805
git checkout pr805
From 9abfd06c430e6ffdffd6a8044c80a8b05d349509 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 22 May 2017 10:56:41 -0400
Subject: [PATCH] Fix rare race condition with missing ccache file

In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.

This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce 
---
 ipaserver/rpcserver.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4cde2815a0..32f286148b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response):
 self.debug('no ccache, need login')
 return self.need_login(start_response)
 
+# If we have a ccache, make sure we have a GSS_NAME and use
+# it to resolve the ccache name (Issue: 6972 )
+principal = environ.get('GSS_NAME')
+if principal is None:
+self.debug('no GSS Name, need login')
+return self.need_login(start_response)
+gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+
 # Redirect to login if Kerberos credentials are expired
-creds = get_credentials_if_valid(ccache_name=ccache_name)
+creds = get_credentials_if_valid(name=gss_name,
+ ccache_name=ccache_name)
 if not creds:
 self.debug('ccache expired, deleting session, need login')
 # The request is finished with the ccache, destroy it.
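Review bot: `gssapi.Name(principal, gssapi.NameType.kerberos_principal)` is built directly from the request environment with no `try`/`except` around it; if importing a malformed principal string raises, the request fails with a server error instead of falling through to `need_login` like the `principal is None` case above it. Consider catching the GSSAPI error there and treating it as "need login" too. Minor: the comment `(Issue: 6972 )` has a stray space before the closing parenthesis.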


[Freeipa-devel] [freeipa PR#805][opened] Fix rare race condition with missing ccache file

2017-05-22 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/805
Author: simo5
 Title: #805: Fix rare race condition with missing ccache file
Action: opened

PR body:
"""
In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.

This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/805/head:pr805
git checkout pr805
From 4c92d47012bf6a24b2e0fb64e1c2374463bc79a6 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 22 May 2017 10:56:41 -0400
Subject: [PATCH] Fix rare race condition with missing ccache file

In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.

This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce 
---
 ipaserver/rpcserver.py | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4cde2815a0..89f8e9d286 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -777,8 +777,17 @@ def __call__(self, environ, start_response):
 self.debug('no ccache, need login')
 return self.need_login(start_response)
 
+# If we have a ccache, make sure we have a GSS_NAME and use
+# it to resolve the ccache name (Issue:  )
+principal = environ.get('GSS_NAME')
+if principal is None:
+self.debug('no GSS Name, need login')
+return self.need_login(start_response)
+gss_name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
+
 # Redirect to login if Kerberos credentials are expired
-creds = get_credentials_if_valid(ccache_name=ccache_name)
+creds = get_credentials_if_valid(name=gss_name,
+ ccache_name=ccache_name)
 if not creds:
 self.debug('ccache expired, deleting session, need login')
 # The request is finished with the ccache, destroy it.
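Review bot: the comment on the second added line reads `(Issue:  )` with the ticket number missing, while the commit message carries `Ticket: #6972`; fill the placeholder in (`(Issue: 6972)`) so the reference in the code matches the commit it belongs to.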
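The race the PR#805 commit message describes (ccache file gone, mod_auth_gssapi cookie still valid, credential lookup quietly falling back to the keytab) is easier to see in a small model than in the diff alone. The following is an added illustration written for this archive page, not FreeIPA code and not Simo's patch: `CredentialStore`, `acquire`, `check_session_before`, `check_session_after` and the `KRB5CCNAME` environment key are all invented stand-ins for the GSSAPI lookup `rpcserver.py` performs, and the sample principals are constructed. The only page-derived facts it encodes are that a missing ccache can make the lookup source credentials from the keytab, and that pinning the expected GSS name prevents that.

```python
"""Toy model of the ccache race and the GSS-name pinning fix (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Creds:
    principal: str
    source: str  # "ccache" or "keytab"


class CredentialStore:
    """Constructed stand-in for the host's credential sources (hypothetical)."""

    def __init__(self, keytab_principal: str):
        # The keytab on an IPA server holds the HTTP service key, among others.
        self.keytab_principal = keytab_principal
        self.ccaches = {}

    def write_ccache(self, ccache_name: str, principal: str) -> None:
        self.ccaches[ccache_name] = Creds(principal, "ccache")

    def delete_ccache(self, ccache_name: str) -> None:
        self.ccaches.pop(ccache_name, None)

    def acquire(self, ccache_name: str, name: Optional[str] = None) -> Optional[Creds]:
        """Model of credential acquisition: use the named ccache if it exists,
        otherwise fall back to the default (keytab) credentials, which is the
        behaviour the commit message warns about. Pinning `name` rejects any
        credential whose principal does not match, so the fallback cannot be
        mistaken for the user's session."""
        creds = self.ccaches.get(ccache_name)
        if creds is None:
            creds = Creds(self.keytab_principal, "keytab")
        if name is not None and creds.principal != name:
            return None
        return creds


def check_session_before(store: CredentialStore, environ: dict) -> Tuple[str, Optional[Creds]]:
    """Pre-fix flow: only the ccache name is consulted (assumed env key)."""
    ccache = environ.get("KRB5CCNAME")
    if ccache is None:
        return ("need_login", None)
    creds = store.acquire(ccache)
    if creds is None:
        return ("need_login", None)
    return ("ok", creds)


def check_session_after(store: CredentialStore, environ: dict) -> Tuple[str, Optional[Creds]]:
    """Post-fix flow: require GSS_NAME and pin it during acquisition."""
    ccache = environ.get("KRB5CCNAME")
    if ccache is None:
        return ("need_login", None)
    principal = environ.get("GSS_NAME")
    if principal is None:
        return ("need_login", None)
    creds = store.acquire(ccache, name=principal)
    if creds is None:
        return ("need_login", None)
    return ("ok", creds)


def demo():
    """Run both flows on a healthy session, then again after the ccache vanishes."""
    store = CredentialStore(keytab_principal="HTTP/ipa.example.test@EXAMPLE.TEST")
    # Constructed request environment as mod_auth_gssapi would populate it.
    environ = {
        "KRB5CCNAME": "FILE:/run/ipa/ccaches/alice",
        "GSS_NAME": "alice@EXAMPLE.TEST",
    }
    store.write_ccache(environ["KRB5CCNAME"], "alice@EXAMPLE.TEST")
    healthy = (check_session_before(store, environ), check_session_after(store, environ))

    # The race: the ccache file disappears while the cookie is still valid.
    store.delete_ccache(environ["KRB5CCNAME"])
    raced = (check_session_before(store, environ), check_session_after(store, environ))
    return healthy, raced


if __name__ == "__main__":
    healthy, raced = demo()
    print("healthy:", healthy)
    print("raced:  ", raced)
```

On the healthy session both flows return the user's ccache credentials. Once the ccache is gone, the pre-fix flow still reports `ok`, but the credentials it hands back belong to `HTTP/...` from the keytab, which is exactly the confusion the patch closes; the post-fix flow, with the name pinned, returns `need_login` instead.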


[Freeipa-devel] [freeipa PR#804][+ack] krb5: make sure KDC certificate is readable

2017-05-22 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/804
Title: #804: krb5: make sure KDC certificate is readable

Label: +ack