[patch] openssl s_{client,server} improvements for Kerberos (fwd)

2013-01-18 Thread Richard Silverman


[I sent this to r...@openssl.org, but it did not appear to go into RT and
there is a warning that the request tracker is "currently under
installation/test, features may change and malfunctions may occur," so I'm
sending to openssl-dev directly as well.]

Hello,

The "openssl s_server" command hard-codes a specific Kerberos keytab
filename, "/etc/krb5.keytab". This causes difficulties for two reasons:

1) Although it is common, this may not in fact be the default keytab
   as that is configurable in MIT Kerberos at both compile and run times
   (the [libdefaults] default_keytab_name parameter).

2) Users do not generally have access to the system keytab, meaning in
   practice only root can use s_server with Kerberos.

I have added a "s_server -keytab " option to set the keytab
location, and the default is now to not set the keytab at all. This uses
the *correct* default keytab (as supplied by the Kerberos library), and
also allows the user to transparently override it by setting KRB5_KTNAME.

I have also added an option "-krb5svc " to both s_client and
s_server to select a service other than "host", since an unprivileged user
will not normally be given the keys to the host principal, but rather an
application-specific one or a test principal created for this purpose
(e.g. test/host@REALM).

I'm attaching a patch against openssl-1.0.1c.

Thanks,

--
  Richard E. Silverman

diff --git a/apps/s_client.c b/apps/s_client.c
index fc806eb6..ddc9c857 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -209,6 +209,10 @@ static int c_showcerts=0;
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
 
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+#endif
+
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
@@ -346,6 +350,9 @@ static void sc_usage(void)
BIO_printf(bio_err," 'prot' defines which one to 
assume.  Currently,\n");
BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", 
\"ftp\" and \"xmpp\"\n");
BIO_printf(bio_err," are supported.\n");
+#ifndef OPENSSL_NO_KRB5
+   BIO_printf(bio_err," -krb5svc arg  - Kerberos service name\n");
+#endif
 #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine id- Initialise and use the specified 
engine\n");
 #endif
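Review bot: the new `-krb5svc arg` help line is the only documentation the option gets; the diff touches apps/s_client.c and apps/s_server.c but not the corresponding man pages under doc/apps, so the option is discoverable only from `-help`. Please add the option to the s_client and s_server pages, and since the cover letter says the service defaults to "host", say so in the usage text as well, e.g. `-krb5svc arg  - Kerberos service name (default \"host\")`.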
@@ -896,6 +903,13 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-nbio") == 0)
{ c_nbio=1; }
 #endif
+#ifndef OPENSSL_NO_KRB5
+   else if (strcmp(*argv,"-krb5svc") == 0)
+   {
+   if (--argc < 1) goto bad;
+   krb5svc= *(++argv);
+   }
+#endif
else if (strcmp(*argv,"-starttls") == 0)
{
if (--argc < 1) goto bad;
@@ -1241,6 +1255,8 @@ bad:
 {
SSL_set0_kssl_ctx(con, kctx);
 kssl_ctx_setstring(kctx, KSSL_SERVER, host);
+   if (krb5svc != NULL)
+   kssl_ctx_setstring(kctx, KSSL_SERVICE, 
krb5svc);
}
 #endif /* OPENSSL_NO_KRB5  */
 /* SSL_set_cipher_list(con,"RC4-MD5"); */
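Review bot: the return value of `kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc)` is discarded, as it already is for the `KSSL_SERVER` call directly above it, so if the call fails the handshake silently goes ahead with the default service name instead of the one the user asked for on the command line. Rather than extending that pattern with a second unchecked call, consider testing the result and taking the existing error path (`goto end`) when it fails, for both calls.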
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b3704..6316fe3a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -265,6 +265,10 @@ static int accept_socket= -1;
 extern int verify_depth, verify_return_error;
 
 static char *cipher=NULL;
+#ifndef OPENSSL_NO_KRB5
+static char *krb5svc=NULL;
+static char *keytab=NULL;
+#endif
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
@@ -502,6 +506,10 @@ static void sv_usage(void)
BIO_printf(bio_err," -serverpref   - Use server's cipher 
preferences\n");
BIO_printf(bio_err," -quiet- No server output\n");
BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
+#ifndef OPENSSL_NO_KRB5
+   BIO_printf(bio_err," -krb5svc arg  - Kerberos service name\n");
+   BIO_printf(bio_err," -keytab arg   - Kerberos keytab filename\n");
+#endif
 #ifndef OPENSSL_NO_PSK
BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
BIO_printf(bio_err," -psk arg  - PSK in hex (without 0x)\n");
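Review bot: the `-keytab arg` help text says nothing about what happens when the option is omitted, yet that is the behaviour change described in the cover letter (the hard-coded "/etc/krb5.keytab" is dropped and the Kerberos library's own default keytab is used, so KRB5_KTNAME is honoured). Users who relied on the old fixed path will want to see that in `-help`, e.g. `-keytab arg   - Kerberos keytab file (default: library default, KRB5_KTNAME)`.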
@@ -1113,6 +1121,18 @@ int MAIN(int argc, char *argv[])
if (--argc < 1) goto bad;
cipher= *(++argv);
}
+#ifndef OPENSSL_NO_KRB5
+   else if (strcmp(*argv,"-krb5svc") == 0)
+   {
+   if (--argc < 1) goto bad;
+   krb5svc= *(++argv);
+   }
+   else if (strcmp(*argv,"-keytab") == 0)
+   {
+   if (--argc < 1) goto bad;
+   keytab= *(++argv);
+  
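Review bot: the hunk is cut off right after `keytab= *(++argv);`, without even the closing brace of the `-keytab` branch, so the part of the change that consumes the new `keytab` variable (removing the hard-coded "/etc/krb5.keytab" and setting `KSSL_KEYTAB` only when `-keytab` was given) is not in the posted diff. The cover letter's claim that the library default keytab is used when the option is absent therefore cannot be checked against the patch as posted; please repost the complete apps/s_server.c hunk.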

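The keytab-resolution order that the cover letter relies on, as an added example that is not part of the submitted patch or of OpenSSL: a POSIX shell function that mimics how MIT Kerberos chooses the default keytab (the KRB5_KTNAME environment variable first, then `default_keytab_name` from the `[libdefaults]` section of krb5.conf, then the compiled-in default, assumed here to be `FILE:/etc/krb5.keytab`). Run against a constructed krb5.conf, it shows that a program which hard-codes "/etc/krb5.keytab" can end up reading a different keytab from the one the library itself would open. The function and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the patch: model MIT Kerberos's choice of the
# default keytab so the effect of a hard-coded path can be seen.
# Precedence, highest first:
#   1. the KRB5_KTNAME environment variable
#   2. default_keytab_name in the [libdefaults] section of krb5.conf
#   3. the compiled-in default (assumed here to be FILE:/etc/krb5.keytab)

COMPILED_IN_DEFAULT="FILE:/etc/krb5.keytab"   # assumption, see above

# resolve_keytab KRB5_CONF_PATH
# Prints the keytab name the library would use.  KRB5_KTNAME is read from
# the environment, so callers can test the override by setting it.
resolve_keytab() {
    conf="$1"
    if [ -n "${KRB5_KTNAME:-}" ]; then
        printf '%s\n' "$KRB5_KTNAME"
        return 0
    fi
    if [ -r "$conf" ]; then
        # Only a default_keytab_name inside [libdefaults] counts; the same key
        # in another section (e.g. inside a [realms] block) is ignored.
        val=$(awk '
            /^[[:space:]]*\[/ { in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
            in_ld && /^[[:space:]]*default_keytab_name[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
            }
        ' "$conf")
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    fi
    printf '%s\n' "$COMPILED_IN_DEFAULT"
}

# Demonstration on a constructed krb5.conf (temporary file, removed afterwards).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/var/lib/app/app.keytab
EOF
echo "site default:    $(resolve_keytab "$demo_conf")"
echo "KRB5_KTNAME set: $(KRB5_KTNAME=FILE:/home/user/test.keytab; export KRB5_KTNAME; resolve_keytab "$demo_conf")"
echo "no krb5.conf:    $(resolve_keytab /nonexistent/krb5.conf)"
rm -f "$demo_conf"
```

The three printed lines correspond to the three cases in the cover letter: a site that has moved its keytab via `default_keytab_name`, an unprivileged user pointing KRB5_KTNAME at a keytab they can read, and a host with no override at all, which is the only case where "/etc/krb5.keytab" is actually right. One caveat the model does not reproduce: MIT Kerberos ignores KRB5_KTNAME when the process runs setuid, so the override only helps ordinary, non-privileged invocations such as a user running s_server.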
Re: [patch] openssl s_{client,server} improvements for Kerberos (fwd)

2013-04-15 Thread Richard Silverman

Hello,

A patch I submitted has been sitting in RT for several months now with no action:

http://rt.openssl.org/Ticket/Display.html?id=2962

Is there anything else I should do to get this looked at?

Thanks,

--
  Richard E. Silverman
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org