Re: [openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos

2014-09-10 Thread Richard Silverman

On Tue, 9 Sep 2014, Rich Salz via RT wrote:


Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for
integration after 1.0.2

commit f4f79df1a2e1d295e93afe68691499ec034b76ad
Author: Richard Silverman r...@qoxp.net
Date: Tue Sep 9 12:37:27 2014 -0400

RT2962: add -keytab and -krb5svc flags.

Add -keytab and -krb5svc flags to s_client and s_server.

I (rsalz) also updated the documentation.


Thanks!


(And I like your GIT pocket guide :)


Glad to hear it. :)

--
  Richard


Re: [openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos

2014-09-09 Thread Richard Silverman via RT
On Tue, 9 Sep 2014, Rich Salz via RT wrote:

 Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for
 integration after 1.0.2

 commit f4f79df1a2e1d295e93afe68691499ec034b76ad
 Author: Richard Silverman r...@qoxp.net
 Date: Tue Sep 9 12:37:27 2014 -0400

 RT2962: add -keytab and -krb5svc flags.

 Add -keytab and -krb5svc flags to s_client and s_server.

 I (rsalz) also updated the documentation.

Thanks!

 (And I like your GIT pocket guide :)

Glad to hear it. :)

-- 
   Richard




Re: [patch] openssl s_{client,server} improvements for Kerberos (fwd)

2013-04-15 Thread Richard Silverman

Hello,

A patch I submitted has been sitting in RT for several months now with no 
action:

http://rt.openssl.org/Ticket/Display.html?id=2962

Is there anything else I should do to get this looked at?

Thanks,

--
  Richard E. Silverman


[openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos

2013-01-19 Thread Richard Silverman via RT

Hello,

The openssl s_server command hard-codes a specific Kerberos keytab
filename, /etc/krb5.keytab. This causes difficulties for two reasons:

1) Although it is common, this may not in fact be the default keytab
as that is configurable in MIT Kerberos at both compile and run times
(the [libdefaults] default_keytab_name parameter).

2) Users do not generally have access to the system keytab, meaning in
practice only root can use s_server with Kerberos.

I have added an s_server -keytab filename option to set the keytab
location, and the default is now to not set the keytab at all. This uses
the *correct* default keytab (as supplied by the Kerberos library), and
also allows the user to transparently override it by setting KRB5_KTNAME.

I have also added an option -krb5svc service name to both s_client and
s_server to select a service other than host, since an unprivileged user
will not normally be given the keys to the host principal, but rather an
application-specific one or a test principal created for this purpose
(e.g. test/host@REALM).

I'm attaching a patch against openssl-1.0.1c.

Thanks,

-- 
   Richard E. Silverman
diff --git a/apps/s_client.c b/apps/s_client.c
index fc806eb6..ddc9c857 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -209,6 +209,10 @@ static int c_showcerts=0;
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
 
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+#endif
+
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
@@ -346,6 +350,9 @@ static void sc_usage(void)
BIO_printf(bio_err, 'prot' defines which one to 
assume.  Currently,\n);
BIO_printf(bio_err, only \smtp\, \pop3\, \imap\, 
\ftp\ and \xmpp\\n);
BIO_printf(bio_err, are supported.\n);
+#ifndef OPENSSL_NO_KRB5
+   BIO_printf(bio_err, -krb5svc arg  - Kerberos service name\n);
+#endif
 #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, -engine id- Initialise and use the specified 
engine\n);
 #endif
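Review bot: The new usage lines at the top of this hunk (and the matching -krb5svc/-keytab lines in the s_server sv_usage hunk, plus both repeats in the second copy of the patch) do not say what happens when the option is omitted, which is the whole point of the change according to the cover letter. A user of -krb5svc needs to know the default service is host, and a user of -keytab needs to know that omitting it now defers to the Kerberos library's default keytab (and therefore KRB5_KTNAME), since that decides which principal's keys the server will authenticate with. Suggested text: `-krb5svc arg  - Kerberos service name (default: host)` and `-keytab arg   - Kerberos keytab file (default: library default, honours KRB5_KTNAME)`. sc_usage begins before this hunk.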
@@ -896,6 +903,13 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,-nbio) == 0)
{ c_nbio=1; }
 #endif
+#ifndef OPENSSL_NO_KRB5
+   else if (strcmp(*argv,-krb5svc) == 0)
+   {
+   if (--argc  1) goto bad;
+   krb5svc= *(++argv);
+   }
+#endif
else if (strcmp(*argv,-starttls) == 0)
{
if (--argc  1) goto bad;
@@ -1241,6 +1255,8 @@ bad:
 {
SSL_set0_kssl_ctx(con, kctx);
 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+   if (krb5svc != NULL)
+   kssl_ctx_setstring(kctx, KSSL_SERVICE, 
krb5svc);
}
 #endif /* OPENSSL_NO_KRB5  */
 /* SSL_set_cipher_list(con,RC4-MD5); */
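Review bot: The added kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc) call ignores its return value, so if setting the service fails the client keeps the library default and requests a ticket for a principal the user did not ask for, and the eventual Kerberos failure will not point at the cause. The pre-existing KSSL_SERVER call has the same weakness, but the new one is the one that turns an explicit user request into a silent no-op. As far as I recall kssl_ctx_setstring copies the string and reports KSSL_CTX_ERR when that fails; something like `if (kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc) != KSSL_CTX_OK) { BIO_printf(bio_err, "unable to set Kerberos service name\n"); goto end; }` would surface it the way other setup failures in MAIN are handled. The same applies to the repeated hunk in the second copy of the patch; MAIN starts and ends outside this hunk.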
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b3704..6316fe3a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -265,6 +265,10 @@ static int accept_socket= -1;
 extern int verify_depth, verify_return_error;
 
 static char *cipher=NULL;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+static char *keytab=NULL;
+#endif
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
@@ -502,6 +506,10 @@ static void sv_usage(void)
BIO_printf(bio_err, -serverpref   - Use server's cipher 
preferences\n);
BIO_printf(bio_err, -quiet- No server output\n);
BIO_printf(bio_err, -no_tmp_rsa   - Do not generate a tmp RSA key\n);
+#ifndef OPENSSL_NO_KRB5
+   BIO_printf(bio_err, -krb5svc arg  - Kerberos service name\n);
+   BIO_printf(bio_err, -keytab arg   - Kerberos keytab filename\n);
+#endif
 #ifndef OPENSSL_NO_PSK
BIO_printf(bio_err, -psk_hint arg - PSK identity hint to use\n);
BIO_printf(bio_err, -psk arg  - PSK in hex (without 0x)\n);
@@ -1113,6 +1121,18 @@ int MAIN(int argc, char *argv[])
if (--argc  1) goto bad;
cipher= *(++argv);
}
+#ifndef OPENSSL_NO_KRB5
+   else if (strcmp(*argv,-krb5svc) == 0)
+   {
+   if (--argc  1) goto bad;
+   krb5svc= *(++argv);
+   }
+   else if (strcmp(*argv,-keytab) == 0)
+   {
+   if (--argc  1) goto bad;
+   keytab= *(++argv);
+   }
+#endif
else if (strcmp(*argv,-CAfile) == 0)
{
if (--argc  1) goto bad;
@@ -1989,8 +2009,10 @@ static int sv_body(char *hostname, int s, unsigned char 
*context)
if ((kctx = kssl_ctx_new()) != 

[patch] openssl s_{client,server} improvements for Kerberos (fwd)

2013-01-18 Thread Richard Silverman


[I sent this to r...@openssl.org, but it did not appear to go into RT and
there is a warning that the request tracker is currently under
installation/test, features may change and malfunctions may occur, so I'm
sending to openssl-dev directly as well.]

Hello,

The openssl s_server command hard-codes a specific Kerberos keytab
filename, /etc/krb5.keytab. This causes difficulties for two reasons:

1) Although it is common, this may not in fact be the default keytab
   as that is configurable in MIT Kerberos at both compile and run times
   (the [libdefaults] default_keytab_name parameter).

2) Users do not generally have access to the system keytab, meaning in
   practice only root can use s_server with Kerberos.

I have added an s_server -keytab filename option to set the keytab
location, and the default is now to not set the keytab at all. This uses
the *correct* default keytab (as supplied by the Kerberos library), and
also allows the user to transparently override it by setting KRB5_KTNAME.

I have also added an option -krb5svc service name to both s_client and
s_server to select a service other than host, since an unprivileged user
will not normally be given the keys to the host principal, but rather an
application-specific one or a test principal created for this purpose
(e.g. test/host@REALM).

I'm attaching a patch against openssl-1.0.1c.

Thanks,

--
  Richard E. Silverman
diff --git a/apps/s_client.c b/apps/s_client.c
index fc806eb6..ddc9c857 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -209,6 +209,10 @@ static int c_showcerts=0;
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
 
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+#endif
+
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
@@ -346,6 +350,9 @@ static void sc_usage(void)
BIO_printf(bio_err, 'prot' defines which one to 
assume.  Currently,\n);
BIO_printf(bio_err, only \smtp\, \pop3\, \imap\, 
\ftp\ and \xmpp\\n);
BIO_printf(bio_err, are supported.\n);
+#ifndef OPENSSL_NO_KRB5
+   BIO_printf(bio_err, -krb5svc arg  - Kerberos service name\n);
+#endif
 #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err, -engine id- Initialise and use the specified 
engine\n);
 #endif
@@ -896,6 +903,13 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,-nbio) == 0)
{ c_nbio=1; }
 #endif
+#ifndef OPENSSL_NO_KRB5
+   else if (strcmp(*argv,-krb5svc) == 0)
+   {
+   if (--argc  1) goto bad;
+   krb5svc= *(++argv);
+   }
+#endif
else if (strcmp(*argv,-starttls) == 0)
{
if (--argc  1) goto bad;
@@ -1241,6 +1255,8 @@ bad:
 {
SSL_set0_kssl_ctx(con, kctx);
 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+   if (krb5svc != NULL)
+   kssl_ctx_setstring(kctx, KSSL_SERVICE, 
krb5svc);
}
 #endif /* OPENSSL_NO_KRB5  */
 /* SSL_set_cipher_list(con,RC4-MD5); */
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b3704..6316fe3a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -265,6 +265,10 @@ static int accept_socket= -1;
 extern int verify_depth, verify_return_error;
 
 static char *cipher=NULL;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+static char *keytab=NULL;
+#endif
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
@@ -502,6 +506,10 @@ static void sv_usage(void)
BIO_printf(bio_err, -serverpref   - Use server's cipher 
preferences\n);
BIO_printf(bio_err, -quiet- No server output\n);
BIO_printf(bio_err, -no_tmp_rsa   - Do not generate a tmp RSA key\n);
+#ifndef OPENSSL_NO_KRB5
+   BIO_printf(bio_err, -krb5svc arg  - Kerberos service name\n);
+   BIO_printf(bio_err, -keytab arg   - Kerberos keytab filename\n);
+#endif
 #ifndef OPENSSL_NO_PSK
BIO_printf(bio_err, -psk_hint arg - PSK identity hint to use\n);
BIO_printf(bio_err, -psk arg  - PSK in hex (without 0x)\n);
@@ -1113,6 +1121,18 @@ int MAIN(int argc, char *argv[])
if (--argc  1) goto bad;
cipher= *(++argv);
}
+#ifndef OPENSSL_NO_KRB5
+   else if (strcmp(*argv,-krb5svc) == 0)
+   {
+   if (--argc  1) goto bad;
+   krb5svc= *(++argv);
+   }
+   else if (strcmp(*argv,-keytab) == 0)
+   {
+   if (--argc  1) goto bad;
+   keytab= *(++argv);
+   }
+#endif