Re: [SSSD] [PATCH] Validate Kerberos cerdentials with local keytab
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/19/2009 09:22 AM, Stephen Gallagher wrote: On 11/19/2009 07:58 AM, Sumit Bose wrote: On Wed, Nov 18, 2009 at 05:13:30PM -0500, Stephen Gallagher wrote: On 11/13/2009 09:29 AM, Sumit Bose wrote: On Thu, Nov 12, 2009 at 01:46:39PM -0500, Stephen Gallagher wrote: On 11/12/2009 06:46 AM, Sumit Bose wrote: Hi, this patch add the possibility to validate the credentials obtained from a Kerberos server with a local keytab. The boolean option krb5_validate switches the validation on and off. It is disabled by default in the kerberos provider and enabled by default in the IPA provider. Typically root privileges are needed to read a keytab. As a consequence if validation is enabled the privileges cannot be drop before starting krb5_child, but only after reading the keytab. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel Nack. In the sssd-ipa manpage, I think we should change the please note to Please note that this default differs from the traditional kerberos provider backend. I think that referring to the underlying Kerberos provider makes it unclear. done In create_send_buffer(), you assign buf-size based on sizeof(int), but you're using uint32_t for the actual data. This is a waste of memory on 64-bit integer systems, and a serious error on a 16-bit integer system. (Not that we ever expect to support such a system) If you're copying in a 32-bit number, please guarantee that the space is allocated for a 32-bit number. done Please add a comment in fork_child() stating why the value of KRB5_VALIDATE dictates whether to assume the user's identity. done I think this is a serious error: you're only validating against the first entry in the keytab. It's possible for a keytab to have many different principals, as well as multiple enctypes for the same principal. We need to iterate through all keytab entries and test first for the principal we need to validate against and not fail until all enctypes for the sought-after principal have been tried. ok, I look for the first key with a matching realm or try the last one in the keytab file. get_and_save_tgt(): Again a comment would be nice around become_user() noting that it was being done here after being deferred from earlier so that we can validate the TGT. done General question: if we're moving where become_user() is called, will this affect our SELinux policy? I think it will not affect the policy, because the krb5_child inherits the SELinux labels from the parent, but I will check with Dan. bye, Sumit Nack. If you're adding new options to the SSSDConfig API, please run the SSSDConfigTest.py in-tree. You need to update its expected results here because you've set an explicit default. Sorry, I didn't realised that I need to add the options more that once. New version attached. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel Ack. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel Pushed to master. ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAksGwfYACgkQeiVVYja6o6OthQCeO1EI9auKVS5aCUcszPKDm9Gj 4y8AoISY/i8hIhz950WyAWBG6hOsNLtH =86oi -END PGP SIGNATURE- ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
Re: [SSSD] [PATCH] Validate Kerberos cerdentials with local keytab
On Thu, Nov 12, 2009 at 01:46:39PM -0500, Stephen Gallagher wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/12/2009 06:46 AM, Sumit Bose wrote: Hi, this patch add the possibility to validate the credentials obtained from a Kerberos server with a local keytab. The boolean option krb5_validate switches the validation on and off. It is disabled by default in the kerberos provider and enabled by default in the IPA provider. Typically root privileges are needed to read a keytab. As a consequence if validation is enabled the privileges cannot be drop before starting krb5_child, but only after reading the keytab. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel Nack. In the sssd-ipa manpage, I think we should change the please note to Please note that this default differs from the traditional kerberos provider backend. I think that referring to the underlying Kerberos provider makes it unclear. done In create_send_buffer(), you assign buf-size based on sizeof(int), but you're using uint32_t for the actual data. This is a waste of memory on 64-bit integer systems, and a serious error on a 16-bit integer system. (Not that we ever expect to support such a system) If you're copying in a 32-bit number, please guarantee that the space is allocated for a 32-bit number. done Please add a comment in fork_child() stating why the value of KRB5_VALIDATE dictates whether to assume the user's identity. done I think this is a serious error: you're only validating against the first entry in the keytab. It's possible for a keytab to have many different principals, as well as multiple enctypes for the same principal. We need to iterate through all keytab entries and test first for the principal we need to validate against and not fail until all enctypes for the sought-after principal have been tried. ok, I look for the first key with a matching realm or try the last one in the keytab file. get_and_save_tgt(): Again a comment would be nice around become_user() noting that it was being done here after being deferred from earlier so that we can validate the TGT. done General question: if we're moving where become_user() is called, will this affect our SELinux policy? I think it will not affect the policy, because the krb5_child inherits the SELinux labels from the parent, but I will check with Dan. bye, Sumit - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkr8WAoACgkQeiVVYja6o6OG+ACeL0nd8tqxwtNKqER/ukPkJc7l nHYAnAmH383bqT9y6HioBTWTh1ZQ+IQX =DYJU -END PGP SIGNATURE- ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel From 65e1945014b49e776c61f7fea866c596318949ab Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 11 Nov 2009 14:16:41 +0100 Subject: [PATCH] Validate Kerberos credentials with local keytab --- server/Makefile.am |3 + server/config/SSSDConfig.py |2 + server/config/SSSDConfigTest.py |2 + server/config/etc/sssd.api.d/sssd-krb5.conf |4 +- server/external/krb5.m4 |3 +- server/man/sssd-ipa.5.xml | 17 +++ server/man/sssd-krb5.5.xml | 25 + server/providers/ipa/ipa_common.c |2 + server/providers/krb5/krb5_auth.c | 74 +++--- server/providers/krb5/krb5_become_user.c| 61 +++ server/providers/krb5/krb5_child.c | 148 ++- server/providers/krb5/krb5_common.c |2 + server/providers/krb5/krb5_common.h |2 + server/providers/krb5/krb5_utils.h |2 + server/util/sss_krb5.c | 16 +++- server/util/sss_krb5.h |2 + 16 files changed, 322 insertions(+), 43 deletions(-) create mode 100644 server/providers/krb5/krb5_become_user.c diff --git a/server/Makefile.am b/server/Makefile.am index 08c0295..6dfc2ae 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -564,6 +564,7 @@ libsss_proxy_la_LDFLAGS = \ libsss_krb5_la_SOURCES = \ providers/krb5/krb5_utils.c \ +providers/krb5/krb5_become_user.c \ providers/krb5/krb5_auth.c \ providers/krb5/krb5_common.c \ providers/krb5/krb5_init.c @@ -591,6 +592,7 @@ libsss_ipa_la_SOURCES = \ util/sss_ldap.c \ util/sss_krb5.c \ providers/krb5/krb5_utils.c \ +providers/krb5/krb5_become_user.c \
Re: [SSSD] [PATCH] Validate Kerberos cerdentials with local keytab
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/12/2009 06:46 AM, Sumit Bose wrote: Hi, this patch add the possibility to validate the credentials obtained from a Kerberos server with a local keytab. The boolean option krb5_validate switches the validation on and off. It is disabled by default in the kerberos provider and enabled by default in the IPA provider. Typically root privileges are needed to read a keytab. As a consequence if validation is enabled the privileges cannot be drop before starting krb5_child, but only after reading the keytab. bye, Sumit ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel Nack. In the sssd-ipa manpage, I think we should change the please note to Please note that this default differs from the traditional kerberos provider backend. I think that referring to the underlying Kerberos provider makes it unclear. In create_send_buffer(), you assign buf-size based on sizeof(int), but you're using uint32_t for the actual data. This is a waste of memory on 64-bit integer systems, and a serious error on a 16-bit integer system. (Not that we ever expect to support such a system) If you're copying in a 32-bit number, please guarantee that the space is allocated for a 32-bit number. Please add a comment in fork_child() stating why the value of KRB5_VALIDATE dictates whether to assume the user's identity. I think this is a serious error: you're only validating against the first entry in the keytab. It's possible for a keytab to have many different principals, as well as multiple enctypes for the same principal. We need to iterate through all keytab entries and test first for the principal we need to validate against and not fail until all enctypes for the sought-after principal have been tried. get_and_save_tgt(): Again a comment would be nice around become_user() noting that it was being done here after being deferred from earlier so that we can validate the TGT. General question: if we're moving where become_user() is called, will this affect our SELinux policy? - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkr8WAoACgkQeiVVYja6o6OG+ACeL0nd8tqxwtNKqER/ukPkJc7l nHYAnAmH383bqT9y6HioBTWTh1ZQ+IQX =DYJU -END PGP SIGNATURE- ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel