
Re: Extract Keytab permissions



Cool.  Thanks!

;-)

On Mar 15, 2005, at 2:14 PM, Love Hörnquist Åstrand wrote:

>
> "Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>
>> I'm having difficulty disentangling the permissions structure for
>> kadmin[d].  Mostly it's pretty straightforward.  One permission from
>> kadmind.acl maps to one admin command.
>>
>> What I don't understand is ext_keytab.  I don't see how that command
>> is  protected, or what permission it uses.
>>
>> What I'd like to do is specify an "admin" account that's allowed to
>> get  expiration dates and maybe enctypes for everybody, but can't
>> extract a  keytab for (and impersonate) anybody.  In other terms:  the
>> metadata is  OK, but the keys aren't.
>
> I've got a patch that I've been meaning to integrate any month now.  It
> adds a new keyword "key" to the ACL table.
>
> Love
>
>
>
>
> kadmin_priv_key.patch: XXX generated, not yet submitted
>
> Patches to kadmind and to the kadm5 library to introduce a new flag bit
> (KADM5_ZERO_KEYS) for the mask argument to kadm5_get_principal, and a
> new kadmind ACL privilege bit (KADM5_PRIV_KEY, written "get").  When
> specified, the new flag bit changes the behaviour of the KADM5_KEY_DATA
> bit, such that the actual key values returned are all zeroes.  When the
> new flag bit is not specified, real key data is returned, but only to
> clients which have the new ACL bit.  Other clients get an error.  This
> change is known to interact correctly with kadmin, adm, and Jeeves.
>
>
>
> Index: kadmin/server.c
> ===================================================================
> RCS file: /usr0/cvs/heimdal/kadmin/server.c,v
> retrieving revision 1.1.1.1
> retrieving revision 1.1.1.1.4.2
> diff -u -r1.1.1.1 -r1.1.1.1.4.2
> --- kadmin/server.c	6 Oct 2003 22:13:48 -0000	1.1.1.1
> +++ kadmin/server.c	5 Nov 2003 17:36:21 -0000	1.1.1.1.4.2
> @@ -77,6 +77,13 @@
>  	if(ret){
>  	    krb5_free_principal(context->context, princ);
>  	    goto fail;
> +	}
> +	if ((mask & KADM5_KEY_DATA) && !(mask & KADM5_ZERO_KEYS)) {
> +	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_KEY,  
> princ);
> +	    if(ret){
> +		krb5_free_principal(context->context, princ);
> +		goto fail;
> +	    }
>  	}
>  	ret = kadm5_get_principal(kadm_handle, princ, &ent, mask);
>  	krb5_storage_free(sp);
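Review bot: the new check at `if ((mask & KADM5_KEY_DATA) && !(mask & KADM5_ZERO_KEYS))` fails closed in the right direction: `mask` is client-supplied, but setting KADM5_ZERO_KEYS can only downgrade the reply to zeroed keys, and leaving it unset while asking for KADM5_KEY_DATA forces the KADM5_PRIV_KEY check, so no client obtains real key bytes without the new ACL bit. Two things to confirm before merging: that _kadm5_acl_check_permission maps the new KADM5_PRIV_KEY bit to a sensible error for the client (it is a bit the function has not seen before), and, as a style point, that `if ((mask & ...` follows the `if(ret)` spacing of the surrounding lines.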
> Index: lib/kadm5/admin.h
> ===================================================================
> RCS file: /usr0/cvs/heimdal/lib/kadm5/admin.h,v
> retrieving revision 1.1.1.1
> retrieving revision 1.1.1.1.4.1
> diff -u -r1.1.1.1 -r1.1.1.1.4.1
> --- lib/kadm5/admin.h	6 Oct 2003 22:13:48 -0000	1.1.1.1
> +++ lib/kadm5/admin.h	31 Oct 2003 15:45:59 -0000	1.1.1.1.4.1
> @@ -84,6 +84,7 @@
>  #define KADM5_FAIL_AUTH_COUNT	0x010000
>  #define KADM5_KEY_DATA		0x020000
>  #define KADM5_TL_DATA		0x040000
> +#define KADM5_ZERO_KEYS		0x40000000
>
>  #define KADM5_PRINCIPAL_NORMAL_MASK (~(KADM5_KEY_DATA |  
> KADM5_TL_DATA))
>
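Review bot: KADM5_ZERO_KEYS (0x40000000) is a request modifier rather than a principal attribute, yet it shares the `mask` namespace with KADM5_KEY_DATA and is passed straight through to kadm5_get_principal; add a comment in admin.h saying so, and confirm that no existing KADM5_* mask bit or consumer of KADM5_PRINCIPAL_NORMAL_MASK already gives bit 30 a meaning, since this hunk only shows the bits up to 0x040000.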
> @@ -178,6 +179,7 @@
>  #define KADM5_PRIV_DELETE	(1 << 3)
>  #define KADM5_PRIV_LIST		(1 << 4)
>  #define KADM5_PRIV_CPW		(1 << 5)
> +#define KADM5_PRIV_KEY		(1 << 6)
>  #define KADM5_PRIV_ALL		(KADM5_PRIV_GET | KADM5_PRIV_ADD |  
> KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST |  
> KADM5_PRIV_CPW)
>
>  typedef struct {
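Review bot: KADM5_PRIV_KEY is deliberately left out of KADM5_PRIV_ALL, so an ACL entry of "all" does not grant key extraction. That is the right least-privilege default and exactly the split the question at the top of the thread asks for, but it contradicts what the name "all" suggests, so it should be stated in a comment next to KADM5_PRIV_ALL and in the kadmind ACL documentation.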
> Index: lib/kadm5/acl.c
> ===================================================================
> RCS file: /usr0/cvs/heimdal/lib/kadm5/acl.c,v
> retrieving revision 1.1.1.1
> retrieving revision 1.1.1.1.4.1
> diff -u -r1.1.1.1 -r1.1.1.1.4.1
> --- lib/kadm5/acl.c	6 Oct 2003 22:13:48 -0000	1.1.1.1
> +++ lib/kadm5/acl.c	31 Oct 2003 15:45:59 -0000	1.1.1.1.4.1
> @@ -44,6 +44,7 @@
>      { "modify",		KADM5_PRIV_MODIFY },
>      { "add",		KADM5_PRIV_ADD },
>      { "get", 		KADM5_PRIV_GET },
> +    { "key", 		KADM5_PRIV_KEY },
>      { NULL }
>  };
>
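Review bot: the keyword added to the table is "key", but the patch description above says the privilege is written "get"; "get" is already taken by KADM5_PRIV_GET on the line above, so the description (and any ACL documentation derived from it) should be corrected to "key" before this is merged.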
> @@ -157,7 +158,7 @@
>      ret = krb5_principal_compare(context->context, context->caller,  
> princ);
>      krb5_free_principal(context->context, princ);
>      if(ret != 0) {
> -	context->acl_flags = KADM5_PRIV_ALL;
> +	context->acl_flags = KADM5_PRIV_ALL|KADM5_PRIV_KEY;
>  	return 0;
>      }
>
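Review bot: this branch is the self-access case (krb5_principal_compare returns non-zero when caller and target match), and after this patch it is the only place KADM5_PRIV_KEY is granted implicitly, since KADM5_PRIV_ALL no longer covers it. Letting a principal read its own key material is consistent with the previous behaviour (for password-derived keys it learns nothing it could not derive itself), but `context->acl_flags = KADM5_PRIV_ALL|KADM5_PRIV_KEY;` deserves a comment saying the inclusion is intentional.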
> Index: lib/kadm5/get_s.c
> ===================================================================
> RCS file: /usr0/cvs/heimdal/lib/kadm5/get_s.c,v
> retrieving revision 1.1.1.1
> retrieving revision 1.1.1.1.4.1
> diff -u -r1.1.1.1 -r1.1.1.1.4.1
> --- lib/kadm5/get_s.c	6 Oct 2003 22:13:48 -0000	1.1.1.1
> +++ lib/kadm5/get_s.c	31 Oct 2003 15:45:59 -0000	1.1.1.1.4.1
> @@ -158,8 +158,11 @@
>  		ret = ENOMEM;
>  		break;
>  	    }
> -	    memcpy(kd->key_data_contents[0], key->key.keyvalue.data,
> -		   kd->key_data_length[0]);
> +	    if (mask & KADM5_ZERO_KEYS)
> +		memset(kd->key_data_contents[0], 0, kd->key_data_length[0]);
> +	    else
> +		memcpy(kd->key_data_contents[0], key->key.keyvalue.data,
> +		       kd->key_data_length[0]);
>  	    /* setup salt */
>  	    if(key->salt)
>  		sp = &key->salt->salt;
>
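Review bot: only the key value (`kd->key_data_contents[0]`) is blanked; the length, and the salt set up just below, are still returned, which is the "metadata OK, keys not" behaviour the thread wants, but it should be spelled out in the KADM5_ZERO_KEYS documentation so callers do not assume the whole key_data entry is scrubbed. Also, because the zeroing lives in the library rather than in kadmind, it applies to local callers too, while the ACL enforcement added in server.c only protects the remote path.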
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
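As an added example (not code from the thread or from Heimdal), a stand-alone C model of the three pieces the patch combines: the acl.c keyword table, the server.c permission decision, and the get_s.c zeroing. The KADM5_KEY_DATA, KADM5_ZERO_KEYS and KADM5_PRIV_KEY values are the patch's; KADM5_PRIV_GET's value and the preceding GET check are assumptions.

```c
/* Added example (not Heimdal code): stand-alone model of the ACL / mask
 * interaction the patch introduces. KEY_DATA, ZERO_KEYS and PRIV_KEY values
 * come from the patch; KADM5_PRIV_GET's value is assumed. */
#include <stdint.h>
#include <string.h>
#define KADM5_KEY_DATA   0x020000    /* client asks for key data */
#define KADM5_ZERO_KEYS  0x40000000  /* ...but accepts all-zero key values */
#define KADM5_PRIV_GET   (1 << 0)    /* assumed value, not in the hunk */
#define KADM5_PRIV_KEY   (1 << 6)    /* new ACL bit, keyword "key" */

/* Parse a comma-separated privilege list via a keyword table like acl.c's. */
unsigned acl_flags_from_string(const char *s)
{
    static const struct { const char *name; unsigned flag; } tbl[] = {
        { "get", KADM5_PRIV_GET }, { "key", KADM5_PRIV_KEY }, { NULL, 0 } };
    unsigned flags = 0;
    while (*s) {
        size_t n = strcspn(s, ",");                 /* keyword length */
        for (int i = 0; tbl[i].name; i++)
            if (strlen(tbl[i].name) == n && strncmp(s, tbl[i].name, n) == 0)
                flags |= tbl[i].flag;
        s += n + (s[n] == ',');                     /* step past separator */
    }
    return flags;
}

/* Mirror of the server.c check (preceding GET check assumed): 0 = allowed,
 * -1 = denied. ZERO_KEYS in the client-controlled mask only narrows the reply. */
int check_get_request(unsigned acl_flags, unsigned mask)
{
    if (!(acl_flags & KADM5_PRIV_GET))
        return -1;
    if ((mask & KADM5_KEY_DATA) && !(mask & KADM5_ZERO_KEYS) &&
        !(acl_flags & KADM5_PRIV_KEY))
        return -1;
    return 0;
}

/* Mirror of the get_s.c change on a constructed 4-byte key: the reply keeps
 * its length (so enctype and length stay visible); returns 1 if zeroed. */
int sample_key_zeroed(unsigned mask)
{
    static const uint8_t real[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    uint8_t out[4];
    if (mask & KADM5_ZERO_KEYS)
        memset(out, 0, sizeof out);
    else
        memcpy(out, real, sizeof out);
    return (out[0] | out[1] | out[2] | out[3]) == 0;
}
```

The same mask value drives both decisions: a client without the "key" privilege must set KADM5_ZERO_KEYS to get a reply at all, and that reply carries zeroed key bytes.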