[krbdev.mit.edu #8365] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Feb 19 15:47:01 EST 2016
Add the ability to lock down principal keys
A new attribute named KRB5_KDC_LOCKDOWN_KEYS can be set on principals.
This flag prevents keys for the principal from being extracted or set
to a known value by the kadmin protocol. Principals with this flag
cannot be deleted or renamed, and cannot have keys set by setkey or
chpass. chrand operations are allowed, but keys are not returned.
This attribute can be set via the modify operation but cannot be
reset; an authorization error is resturned if an attempt to reset it
is performed.
When creating a KDB, set the lockdown flag on the krbtgt and kadmin
principals.
[ghudson at mit.edu: squash with t_kadmin_acl.py commit; condense commit
message]
https://github.com/krb5/krb5/commit/534db9834d6a77dc5e948e12844e72ba4e971e8c
Author: Simo Sorce <simo at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 534db9834d6a77dc5e948e12844e72ba4e971e8c
Branch: master
src/include/kdb.h | 1 +
src/kadmin/cli/kadmin.c | 2 +
src/kadmin/dbutil/kadm5_create.c | 9 +-
src/kadmin/dbutil/kdb5_create.c | 1 +
src/kadmin/server/server_stubs.c | 137 +++++++++++++++++++++++++--
src/lib/kadm5/kadm_err.et | 1 +
src/lib/kadm5/str_conv.c | 2 +
src/tests/dejagnu/krb-standalone/kadmin.exp | 96 ++++++++++++++++++-
src/tests/t_kadmin_acl.py | 40 ++++++++
src/util/princflags.py | 3 +
10 files changed, 281 insertions(+), 11 deletions(-)
More information about the krb5-bugs
mailing list