Re: [openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos
On Tue, 9 Sep 2014, Rich Salz via RT wrote: Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for integration after 1.0.2 commit f4f79df1a2e1d295e93afe68691499ec034b76ad Author: Richard Silverman r...@qoxp.net Date: Tue Sep 9 12:37:27 2014 -0400 RT2962: add -keytab and -krb5svc flags. Add -keytab and -krb5svc flags to s_client and s_server. I (rsalz) also updated the documentation. Thanks! (And I like your GIT pocket guide :) Glad to hear it. :) -- Richard __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos
On Tue, 9 Sep 2014, Rich Salz via RT wrote: Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for integration after 1.0.2 commit f4f79df1a2e1d295e93afe68691499ec034b76ad Author: Richard Silverman r...@qoxp.net Date: Tue Sep 9 12:37:27 2014 -0400 RT2962: add -keytab and -krb5svc flags. Add -keytab and -krb5svc flags to s_client and s_server. I (rsalz) also updated the documentation. Thanks! (And I like your GIT pocket guide :) Glad to hear it. :) -- Richard __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [patch] openssl s_{client,server} improvements for Kerberos (fwd)
Hello, A patch I submitted has been sitting in RT for several months now with no action: http://rt.openssl.org/Ticket/Display.html?id=2962 Is there anything else I should do to get this looked at? Thanks, -- Richard E. Silverman __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos
Hello, The openssl s_server command hard-codes a specific Kerberos keytab filename, /etc/krb5.keytab. This causes difficulties for two reasons: 1) Although it is common, this may not in fact be the default keytab as that is configurable in MIT Kerberos at both compile and run times (the [libdefaults] default_keytab_name parameter). 2) Users do not generally have access to the system keytab, meaning in practice only root can use s_server with Kerberos. I have added a s_server -keytab filename option to set the keytab location, and the default is now to not set the keytab at all. This uses the *correct* default keytab (as supplied by the Kerberos library), and also allows the user to transparently override it by setting KRB5_KTNAME. I have also added an option -krb5svc service name to both s_client and s_server to select a service other than host, since an unprivileged user will not normally be given the keys to the host principal, but rather an application-specific one or a test principal created for this purpose (e.g. test/host@REALM). I'm attaching a patch against openssl-1.0.1c. Thanks, -- Richard E. Silverman
diff --git a/apps/s_client.c b/apps/s_client.c
index fc806eb6..ddc9c857 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -209,6 +209,10 @@ static int c_showcerts=0;
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+#endif
+
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
@@ -346,6 +350,9 @@ static void sc_usage(void)
 BIO_printf(bio_err, 'prot' defines which one to assume. Currently,\n);
 BIO_printf(bio_err, only \smtp\, \pop3\, \imap\, \ftp\ and \xmpp\\n);
 BIO_printf(bio_err, are supported.\n);
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, -krb5svc arg - Kerberos service name\n);
+#endif
 #ifndef OPENSSL_NO_ENGINE
 BIO_printf(bio_err, -engine id- Initialise and use the specified engine\n);
 #endif
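Review bot: The new usage line in sc_usage names the option but not what the client does when it is omitted, which is exactly what the patch description turns on: without -krb5svc the handshake is bound to the `host` service principal. Stating the default in the text saves an operator from guessing, e.g. `BIO_printf(bio_err," -krb5svc arg - Kerberos service name (default: host)\n");`. The same applies to the two `-krb5svc` and `-keytab` lines added to sv_usage in the s_server.c hunk at @@ -502, where the keytab line could read `- Kerberos keytab filename (default: library default, honours KRB5_KTNAME)`, since the description says the hard-coded /etc/krb5.keytab is gone in favour of the library's choice. The body of sc_usage starts and ends outside this hunk, and the forwarded copy of the same patch later on the page needs no separate note.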
@@ -896,6 +903,13 @@ int MAIN(int argc, char **argv)
 else if (strcmp(*argv,-nbio) == 0)
 { c_nbio=1; }
 #endif
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv,-krb5svc) == 0)
+ {
+ if (--argc 1) goto bad;
+ krb5svc= *(++argv);
+ }
+#endif
 else if (strcmp(*argv,-starttls) == 0)
 {
 if (--argc 1) goto bad;
@@ -1241,6 +1255,8 @@ bad:
 {
 SSL_set0_kssl_ctx(con, kctx);
 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+ if (krb5svc != NULL)
+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
 }
 #endif /* OPENSSL_NO_KRB5 */
 /* SSL_set_cipher_list(con,RC4-MD5); */
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b3704..6316fe3a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -265,6 +265,10 @@ static int accept_socket= -1;
 extern int verify_depth, verify_return_error;
 static char *cipher=NULL;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+static char *keytab=NULL;
+#endif
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
@@ -502,6 +506,10 @@ static void sv_usage(void)
 BIO_printf(bio_err, -serverpref - Use server's cipher preferences\n);
 BIO_printf(bio_err, -quiet- No server output\n);
 BIO_printf(bio_err, -no_tmp_rsa - Do not generate a tmp RSA key\n);
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, -krb5svc arg - Kerberos service name\n);
+ BIO_printf(bio_err, -keytab arg - Kerberos keytab filename\n);
+#endif
 #ifndef OPENSSL_NO_PSK
 BIO_printf(bio_err, -psk_hint arg - PSK identity hint to use\n);
 BIO_printf(bio_err, -psk arg - PSK in hex (without 0x)\n);
@@ -1113,6 +1121,18 @@ int MAIN(int argc, char *argv[])
 if (--argc 1) goto bad;
 cipher= *(++argv);
 }
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv,-krb5svc) == 0)
+ {
+ if (--argc 1) goto bad;
+ krb5svc= *(++argv);
+ }
+ else if (strcmp(*argv,-keytab) == 0)
+ {
+ if (--argc 1) goto bad;
+ keytab= *(++argv);
+ }
+#endif
 else if (strcmp(*argv,-CAfile) == 0)
 {
 if (--argc 1) goto bad;
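Review bot: In the s_client.c hunk at @@ -1241 the added `kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);` discards its return value, so if storing the service name fails the client silently proceeds with the default `host` service instead of the principal the user asked for with -krb5svc, and nothing in the hunk reports that. The existing KSSL_SERVER call just above has the same gap, but the new line is the one that decides which principal the handshake is bound to, so it is worth checking here, e.g. `if (kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc) != KSSL_CTX_OK) goto end;` after printing a message to bio_err, assuming the KSSL_CTX_OK/KSSL_CTX_ERR convention of kssl.c and MAIN's usual `end:` exit apply here. The enclosing MAIN body begins and continues well outside the hunk; the hunk is reposted verbatim in the forwarded copy later on the page and needs no second note.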
@@ -1989,8 +2009,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 if ((kctx = kssl_ctx_new()) !=
[patch] openssl s_{client,server} improvements for Kerberos (fwd)
[I sent this to r...@openssl.org, but it did not appear to go into RT and there is a warning that the request tracker is currently under installation/test, features may change and malfunctions may occur, so I'm sending to openssl-dev directly as well.] Hello, The openssl s_server command hard-codes a specific Kerberos keytab filename, /etc/krb5.keytab. This causes difficulties for two reasons: 1) Although it is common, this may not in fact be the default keytab as that is configurable in MIT Kerberos at both compile and run times (the [libdefaults] default_keytab_name parameter). 2) Users do not generally have access to the system keytab, meaning in practice only root can use s_server with Kerberos. I have added a s_server -keytab filename option to set the keytab location, and the default is now to not set the keytab at all. This uses the *correct* default keytab (as supplied by the Kerberos library), and also allows the user to transparently override it by setting KRB5_KTNAME. I have also added an option -krb5svc service name to both s_client and s_server to select a service other than host, since an unprivileged user will not normally be given the keys to the host principal, but rather an application-specific one or a test principal created for this purpose (e.g. test/host@REALM). I'm attaching a patch against openssl-1.0.1c. Thanks, -- Richard E. Silverman
diff --git a/apps/s_client.c b/apps/s_client.c
index fc806eb6..ddc9c857 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -209,6 +209,10 @@ static int c_showcerts=0;
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+#endif
+
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
@@ -346,6 +350,9 @@ static void sc_usage(void)
 BIO_printf(bio_err, 'prot' defines which one to assume. Currently,\n);
 BIO_printf(bio_err, only \smtp\, \pop3\, \imap\, \ftp\ and \xmpp\\n);
 BIO_printf(bio_err, are supported.\n);
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, -krb5svc arg - Kerberos service name\n);
+#endif
 #ifndef OPENSSL_NO_ENGINE
 BIO_printf(bio_err, -engine id- Initialise and use the specified engine\n);
 #endif
@@ -896,6 +903,13 @@ int MAIN(int argc, char **argv)
 else if (strcmp(*argv,-nbio) == 0)
 { c_nbio=1; }
 #endif
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv,-krb5svc) == 0)
+ {
+ if (--argc 1) goto bad;
+ krb5svc= *(++argv);
+ }
+#endif
 else if (strcmp(*argv,-starttls) == 0)
 {
 if (--argc 1) goto bad;
@@ -1241,6 +1255,8 @@ bad:
 {
 SSL_set0_kssl_ctx(con, kctx);
 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+ if (krb5svc != NULL)
+ kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
 }
 #endif /* OPENSSL_NO_KRB5 */
 /* SSL_set_cipher_list(con,RC4-MD5); */
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b3704..6316fe3a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -265,6 +265,10 @@ static int accept_socket= -1;
 extern int verify_depth, verify_return_error;
 static char *cipher=NULL;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+static char *keytab=NULL;
+#endif
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
@@ -502,6 +506,10 @@ static void sv_usage(void)
 BIO_printf(bio_err, -serverpref - Use server's cipher preferences\n);
 BIO_printf(bio_err, -quiet- No server output\n);
 BIO_printf(bio_err, -no_tmp_rsa - Do not generate a tmp RSA key\n);
+#ifndef OPENSSL_NO_KRB5
+ BIO_printf(bio_err, -krb5svc arg - Kerberos service name\n);
+ BIO_printf(bio_err, -keytab arg - Kerberos keytab filename\n);
+#endif
 #ifndef OPENSSL_NO_PSK
 BIO_printf(bio_err, -psk_hint arg - PSK identity hint to use\n);
 BIO_printf(bio_err, -psk arg - PSK in hex (without 0x)\n);
@@ -1113,6 +1121,18 @@ int MAIN(int argc, char *argv[])
 if (--argc 1) goto bad;
 cipher= *(++argv);
 }
+#ifndef OPENSSL_NO_KRB5
+ else if (strcmp(*argv,-krb5svc) == 0)
+ {
+ if (--argc 1) goto bad;
+ krb5svc= *(++argv);
+ }
+ else if (strcmp(*argv,-keytab) == 0)
+ {
+ if (--argc 1) goto bad;
+ keytab= *(++argv);
+ }
+#endif