components/krb5/patches/029-kadmin_disable_anonymity.patch
changeset 5490 9bf0bc57423a
child 5969 96bac9fbcfbd
5489:a5031bb8b66d 5490:9bf0bc57423a
       
     1 #
       
     2 # Temporarily disable anonymity in kadmin (kadmin -n).
       
     3 #
       
     4 # This feature currently doesn't work with Solaris rpcsec_gss.
       
     5 # Fails in gss_acquire_cred, because desired_name
       
     6 # WELLKNOWN/[email protected] != WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
       
     7 #
       
     8 # The patch removes -n option from kadmin and its man pages and
       
     9 # skips kadmin tests in t_pkinit.py.
       
    10 #
       
    11 # Support can be added later, if there is demand for it.
       
    12 # This fix would need to either call gss_acquire_cred with empty desired name
       
    13 # or disregard realm when matching desired name.
       
    14 # Either way, rpcsec.so code would need to be adjusted too to accommodate this
       
    15 # change.
       
    16 #
       
    17 # This patch is Solaris specific and not intented for upstream contribution.
       
    18 # Patch source: in-house
       
    19 #
       
    20 diff -pur old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c
       
    21 --- old/src/kadmin/cli/kadmin.c	2015-02-11 19:16:43.000000000 -0800
       
    22 +++ new/src/kadmin/cli/kadmin.c	2015-03-05 07:53:41.131383214 -0800
       
    23 @@ -282,7 +282,7 @@ kadmin_startup(int argc, char *argv[])
       
    24      }
       
    25  
       
    26      while ((optchar = getopt(argc, argv,
       
    27 -                             "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) {
       
    28 +                             "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
       
    29          switch (optchar) {
       
    30          case 'x':
       
    31              db_args_size++;
       
    32 diff -pur old/src/man/kadmin.man new/src/man/kadmin.man
       
    33 --- old/src/man/kadmin.man	2015-02-11 19:16:43.000000000 -0800
       
    34 +++ new/src/man/kadmin.man	2015-03-05 07:59:17.166151676 -0800
       
    35 @@ -37,7 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2
       
    36  [\fB\-r\fP \fIrealm\fP]
       
    37  [\fB\-p\fP \fIprincipal\fP]
       
    38  [\fB\-q\fP \fIquery\fP]
       
    39 -[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
       
    40 +[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]]
       
    41  [\fB\-w\fP \fIpassword\fP]
       
    42  [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
       
    43  .sp
       
    44 @@ -97,21 +97,6 @@ a password.  In this case, the default p
       
    45  Use \fIkeytab\fP to decrypt the KDC response.  This can only be used
       
    46  with the \fB\-k\fP option.
       
    47  .TP
       
    48 -.B \fB\-n\fP
       
    49 -Requests anonymous processing.  Two types of anonymous principals
       
    50 -are supported.  For fully anonymous Kerberos, configure PKINIT on
       
    51 -the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
       
    52 -\fIkrb5.conf(5)\fP\&.  Then use the \fB\-n\fP option with a principal
       
    53 -of the form \fB@REALM\fP (an empty principal name followed by the
       
    54 -at\-sign and a realm name).  If permitted by the KDC, an anonymous
       
    55 -ticket will be returned.  A second form of anonymous tickets is
       
    56 -supported; these realm\-exposed tickets hide the identity of the
       
    57 -client but not the client\(aqs realm.  For this mode, use \fBkinit
       
    58 -\-n\fP with a normal principal name.  If supported by the KDC, the
       
    59 -principal (but not realm) will be replaced by the anonymous
       
    60 -principal.  As of release 1.8, the MIT Kerberos KDC only supports
       
    61 -fully anonymous operation.
       
    62 -.TP
       
    63  .B \fB\-c\fP \fIcredentials_cache\fP
       
    64  Use \fIcredentials_cache\fP as the credentials cache.  The
       
    65  cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
       
    66 diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py
       
    67 --- old/src/tests/t_pkinit.py	2015-02-11 19:16:43.000000000 -0800
       
    68 +++ new/src/tests/t_pkinit.py	2015-03-05 09:09:09.690228292 -0800
       
    69 @@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/ANONYMOUS@WELLKNO
       
    70  realm.run([kvno, realm.host_princ])
       
    71  
       
    72  # Test anonymous kadmin.
       
    73 -f = open(os.path.join(realm.testdir, 'acl'), 'a')
       
    74 -f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
       
    75 -f.close()
       
    76 -realm.start_kadmind()
       
    77 -out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
       
    78 -if 'created.' not in out:
       
    79 -    fail('Could not create principal with anonymous kadmin')
       
    80 -out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
       
    81 -if "Operation requires ``get'' privilege" not in out:
       
    82 -    fail('Anonymous kadmin has too much privilege')
       
    83 -realm.stop_kadmind()
       
    84 +sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n");
       
    85 +#f = open(os.path.join(realm.testdir, 'acl'), 'a')
       
    86 +#f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *')
       
    87 +#f.close()
       
    88 +#realm.start_kadmind()
       
    89 +#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd'])
       
    90 +#if 'created.' not in out:
       
    91 +#    fail('Could not create principal with anonymous kadmin')
       
    92 +#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd'])
       
    93 +#if "Operation requires ``get'' privilege" not in out:
       
    94 +#    fail('Anonymous kadmin has too much privilege')
       
    95 +#realm.stop_kadmind()
       
    96  
       
    97  # Test with anonymous restricted; FAST should work but kvno should fail.
       
    98  r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf)