|
1 # |
|
2 # Temporarily disable anonymity in kadmin (kadmin -n). |
|
3 # |
|
4 # This feature currently doesn't work with Solaris rpcsec_gss. |
|
5 # Fails in gss_acquire_cred, because desired_name |
|
6 # WELLKNOWN/[email protected] != WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS |
|
7 # |
|
8 # The patch removes -n option from kadmin and its man pages and |
|
9 # skips kadmin tests in t_pkinit.py. |
|
10 # |
|
11 # Support can be added later, if there is demand for it. |
|
12 # This fix would need to either call gss_acquire_cred with empty desired name |
|
13 # or disregard realm when matching desired name. |
|
14 # Either way, rpcsec.so code would need to be adjusted too to accommodate this |
|
15 # change. |
|
16 # |
|
17 # This patch is Solaris specific and not intended for upstream contribution. |
|
18 # Patch source: in-house |
|
19 # |
|
20 diff -pur old/src/kadmin/cli/kadmin.c new/src/kadmin/cli/kadmin.c |
|
21 --- old/src/kadmin/cli/kadmin.c 2015-02-11 19:16:43.000000000 -0800 |
|
22 +++ new/src/kadmin/cli/kadmin.c 2015-03-05 07:53:41.131383214 -0800 |
|
23 @@ -282,7 +282,7 @@ kadmin_startup(int argc, char *argv[]) |
|
24 } |
|
25 |
|
26 while ((optchar = getopt(argc, argv, |
|
27 - "x:r:p:knq:w:d:s:mc:t:e:ON")) != EOF) { |
|
28 + "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) { |
|
29 switch (optchar) { |
|
30 case 'x': |
|
31 db_args_size++; |
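Review bot: Dropping `n` from the getopt optstring makes `kadmin -n` fail as an unknown option, but the `case 'n':` arm of this switch and whatever anonymous-credential setup it enables are presumably still compiled in (they are outside the hunk), leaving unreachable code that a later merge could silently re-enable. I would remove or `#ifdef` that arm in the same patch and leave a marker at the optstring so the omission reads as deliberate: `/* -n (anonymous kadmin) removed: fails in gss_acquire_cred with Solaris rpcsec_gss */`. If kadmin's usage() text still advertises `-n`, it should be updated alongside the man page. kadmin_startup continues outside the hunk.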
|
32 diff -pur old/src/man/kadmin.man new/src/man/kadmin.man |
|
33 --- old/src/man/kadmin.man 2015-02-11 19:16:43.000000000 -0800 |
|
34 +++ new/src/man/kadmin.man 2015-03-05 07:59:17.166151676 -0800 |
|
35 @@ -37,7 +37,7 @@ level margin: \\n[rst2man-indent\\n[rst2 |
|
36 [\fB\-r\fP \fIrealm\fP] |
|
37 [\fB\-p\fP \fIprincipal\fP] |
|
38 [\fB\-q\fP \fIquery\fP] |
|
39 -[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP] |
|
40 +[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]] |
|
41 [\fB\-w\fP \fIpassword\fP] |
|
42 [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]] |
|
43 .sp |
|
44 @@ -97,21 +97,6 @@ a password. In this case, the default p |
|
45 Use \fIkeytab\fP to decrypt the KDC response. This can only be used |
|
46 with the \fB\-k\fP option. |
|
47 .TP |
|
48 -.B \fB\-n\fP |
|
49 -Requests anonymous processing. Two types of anonymous principals |
|
50 -are supported. For fully anonymous Kerberos, configure PKINIT on |
|
51 -the KDC and configure \fBpkinit_anchors\fP in the client\(aqs |
|
52 -\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal |
|
53 -of the form \fB@REALM\fP (an empty principal name followed by the |
|
54 -at\-sign and a realm name). If permitted by the KDC, an anonymous |
|
55 -ticket will be returned. A second form of anonymous tickets is |
|
56 -supported; these realm\-exposed tickets hide the identity of the |
|
57 -client but not the client\(aqs realm. For this mode, use \fBkinit |
|
58 -\-n\fP with a normal principal name. If supported by the KDC, the |
|
59 -principal (but not realm) will be replaced by the anonymous |
|
60 -principal. As of release 1.8, the MIT Kerberos KDC only supports |
|
61 -fully anonymous operation. |
|
62 -.TP |
|
63 .B \fB\-c\fP \fIcredentials_cache\fP |
|
64 Use \fIcredentials_cache\fP as the credentials cache. The |
|
65 cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP |
|
66 diff -pur old/src/tests/t_pkinit.py new/src/tests/t_pkinit.py |
|
67 --- old/src/tests/t_pkinit.py 2015-02-11 19:16:43.000000000 -0800 |
|
68 +++ new/src/tests/t_pkinit.py 2015-03-05 09:09:09.690228292 -0800 |
|
69 @@ -72,17 +72,18 @@ realm.klist('WELLKNOWN/ANONYMOUS@WELLKNO |
|
70 realm.run([kvno, realm.host_princ]) |
|
71 |
|
72 # Test anonymous kadmin. |
|
73 -f = open(os.path.join(realm.testdir, 'acl'), 'a') |
|
74 -f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') |
|
75 -f.close() |
|
76 -realm.start_kadmind() |
|
77 -out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) |
|
78 -if 'created.' not in out: |
|
79 - fail('Could not create principal with anonymous kadmin') |
|
80 -out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) |
|
81 -if "Operation requires ``get'' privilege" not in out: |
|
82 - fail('Anonymous kadmin has too much privilege') |
|
83 -realm.stop_kadmind() |
|
84 +sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n"); |
|
85 +#f = open(os.path.join(realm.testdir, 'acl'), 'a') |
|
86 +#f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') |
|
87 +#f.close() |
|
88 +#realm.start_kadmind() |
|
89 +#out = realm.run([kadmin, '-n', '-q', 'addprinc -pw test testadd']) |
|
90 +#if 'created.' not in out: |
|
91 +# fail('Could not create principal with anonymous kadmin') |
|
92 +#out = realm.run([kadmin, '-n', '-q', 'getprinc testadd']) |
|
93 +#if "Operation requires ``get'' privilege" not in out: |
|
94 +# fail('Anonymous kadmin has too much privilege') |
|
95 +#realm.stop_kadmind() |
|
96 |
|
97 # Test with anonymous restricted; FAST should work but kvno should fail. |
|
98 r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf) |
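Review bot: The replacement keeps the whole anonymous-kadmin test as commented-out code, which will rot and hides the fact that the privilege check (`getprinc` must be refused with only the `a` ACL bit) is no longer exercised in this build. I would delete the commented lines and leave a short comment instead, e.g. `# Anonymous kadmin (-n) is removed in this build (Solaris rpcsec_gss); the anonymous-kadmin ACL test is intentionally skipped.`, and drop the trailing semicolon on the write: `sys.stderr.write("Anonymous pkinit support in kadmin disabled, skipping...\n")`. Note that `sys` must already be in scope in this script (it is not imported in the hunk), presumably via the test harness import; if the harness offers a skip helper, reporting through it would be cleaner than a raw stderr write.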