krb5 commit: Allow user to restrict kadmind bind addresses
Greg Hudson
ghudson at mit.edu
Mon Jul 18 11:34:20 EDT 2016
https://github.com/krb5/krb5/commit/aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00
commit aa91cb5dbbd4356c7a9069f4f52a10f70d91bc00
Author: Sarah Day <sarahday at mit.edu>
Date: Wed Dec 23 12:11:34 2015 -0500
Allow user to restrict kadmind bind addresses
kadmind has always only supported binding to the wildcard addresses.
Add three configuration options to allow specifying the address/port
that kadmind listens on for kpasswd, kadmin, and iprop connections.
[ghudson at mit.edu: edited documentation; minimized changes to
setup_loop(); added iprop_listen]
ticket: 1093
doc/admin/conf_files/kdc_conf.rst | 55 +++++++++++++++++++++++++++--
src/include/k5-int.h | 3 ++
src/kadmin/server/ovsec_kadmd.c | 14 +++++---
src/lib/kadm5/admin.h | 10 +++--
src/lib/kadm5/alt_prof.c | 8 ++++
src/man/kdc.conf.man | 68 +++++++++++++++++++++++++++++++++----
6 files changed, 138 insertions(+), 20 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index b88ce79..9974626 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -210,10 +210,26 @@ The following tags may be specified in a [realms] subsection:
new updates from the master. The default value is ``2m`` (that
is, two minutes).
+**iprop_listen**
+ (Whitespace- or comma-separated list.) Specifies the iprop RPC
+ listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If kadmind fails to bind
+ to any of the specified addresses, it will fail to start. The
+ default (when **iprop_enable** is true) is to bind to the wildcard
+ address at the port specified in **iprop_port**. New in release
+ 1.15.
+
**iprop_port**
(Port number.) Specifies the port number to be used for
- incremental propagation. This is required in both master and
- slave configuration files.
+ incremental propagation. When **iprop_enable** is true, this
+ relation is required in the slave configuration file, and this
+ relation or **iprop_listen** is required in the master
+ configuration file, as there is no default port number. Port
+ numbers specified in **iprop_listen** entries will override this
+ port number for the :ref:`kadmind(8)` daemon.
**iprop_resync_timeout**
(Delta time string.) Specifies the amount of time to wait for a
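Review bot: the iprop_listen text allows an entry that is an address with no port, while the iprop_port text says there is no default port number and that iprop_listen alone satisfies the master-side requirement; nothing here says what port an address-only iprop_listen entry binds to when iprop_port is unset. Either state that address-only entries still require iprop_port (and have kadmind refuse to start otherwise), or document the port that is actually used in that case. The "fails to bind ... will fail to start" wording is the right fail-closed behaviour for an admin listener and should stay.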
@@ -232,10 +248,23 @@ The following tags may be specified in a [realms] subsection:
**database_name** is used. Determination of the **iprop_logfile**
default value will not use values from the [dbmodules] section.)
+**kadmind_listen**
+ (Whitespace- or comma-separated list.) Specifies the kadmin RPC
+ listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If kadmind fails to bind
+ to any of the specified addresses, it will fail to start. The
+ default is to bind to the wildcard address at the port specified
+ in **kadmind_port**, or the standard kadmin port (749). New in
+ release 1.15.
+
**kadmind_port**
(Port number.) Specifies the port on which the :ref:`kadmind(8)`
- daemon is to listen for this realm. The assigned port for kadmind
- is 749, which is used by default.
+ daemon is to listen for this realm. Port numbers specified in
+ **kadmind_listen** entries will override this port number. The
+ assigned port for kadmind is 749, which is used by default.
**key_stash_file**
(String.) Specifies the location where the master key has been
@@ -258,6 +287,24 @@ The following tags may be specified in a [realms] subsection:
port 88 (the standard port). Prior to release 1.13, the default
was not to listen for TCP connections at all.
+**kpasswd_listen**
+ (Comma-separated list.) Specifies the kpasswd listening addresses
+ and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be
+ an interface address, a port number, or an address and port number
+ separated by a colon. If the address contains colons, enclose it
+ in square brackets. If no address is specified, the wildcard
+ address is used. If kadmind fails to bind to any of the specified
+ addresses, it will fail to start. The default is to bind to the
+ wildcard address at the port specified in **kpasswd_port**, or the
+ standard kpasswd port (464). New in release 1.15.
+
+**kpasswd_port**
+ (Port number.) Specifies the port on which the :ref:`kadmind(8)`
+ daemon is to listen for password change requests for this realm.
+ Port numbers specified in **kpasswd_listen** entries will override
+ this port number. The assigned port for password change requests
+ is 464, which is used by default.
+
**master_key_name**
(String.) Specifies the name of the principal associated with the
master key. The default is ``K/M``.
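Review bot: kpasswd_listen is documented as "(Comma-separated list.)" whereas iprop_listen and kadmind_listen in the same file say "(Whitespace- or comma-separated list.)"; the three values are plain strings handed to loop_add_udp_address(), loop_add_tcp_address() and loop_add_rpc_service() in setup_loop(), so unless those callees really parse separators differently, the kpasswd entry should read the same as the other two. It would also help operators to state that a single kpasswd_listen list governs both the UDP and the TCP kpasswd listeners (setup_loop() passes it to both), while kadmind_listen and iprop_listen apply only to the RPC service, so the two kpasswd sockets cannot be bound to different addresses.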
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 1cda50d..8c2fa43 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -218,6 +218,7 @@ typedef unsigned char u_char;
#define KRB5_CONF_HTTP_ANCHORS "http_anchors"
#define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME "ignore_acceptor_hostname"
#define KRB5_CONF_IPROP_ENABLE "iprop_enable"
+#define KRB5_CONF_IPROP_LISTEN "iprop_listen"
#define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
#define KRB5_CONF_IPROP_PORT "iprop_port"
@@ -225,6 +226,7 @@ typedef unsigned char u_char;
#define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
#define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative"
#define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory"
+#define KRB5_CONF_KADMIND_LISTEN "kadmind_listen"
#define KRB5_CONF_KADMIND_PORT "kadmind_port"
#define KRB5_CONF_KCM_MACH_SERVICE "kcm_mach_service"
#define KRB5_CONF_KCM_SOCKET "kcm_socket"
@@ -237,6 +239,7 @@ typedef unsigned char u_char;
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
+#define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen"
#define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
#define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
#define KRB5_CONF_KRB524_SERVER "krb524_server"
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index a6e07c0..89bf4e6 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -150,20 +150,24 @@ setup_loop(int proponly, verto_ctx **ctx_out)
if (ret)
return ret;
if (!proponly) {
- ret = loop_add_udp_address(handle->params.kpasswd_port, NULL);
+ ret = loop_add_udp_address(handle->params.kpasswd_port,
+ handle->params.kpasswd_listen);
if (ret)
return ret;
- ret = loop_add_tcp_address(handle->params.kpasswd_port, NULL);
+ ret = loop_add_tcp_address(handle->params.kpasswd_port,
+ handle->params.kpasswd_listen);
if (ret)
return ret;
- ret = loop_add_rpc_service(handle->params.kadmind_port, NULL, KADM,
- KADMVERS, kadm_1);
+ ret = loop_add_rpc_service(handle->params.kadmind_port,
+ handle->params.kadmind_listen,
+ KADM, KADMVERS, kadm_1);
if (ret)
return ret;
}
#ifndef DISABLE_IPROP
if (handle->params.iprop_enabled) {
- ret = loop_add_rpc_service(handle->params.iprop_port, NULL,
+ ret = loop_add_rpc_service(handle->params.iprop_port,
+ handle->params.iprop_listen,
KRB5_IPROP_PROG, KRB5_IPROP_VERS,
krb5_iprop_prog_1);
if (ret)
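Review bot: each listen string defaults to NULL (the GET_STRING_PARAM calls in alt_prof.c use NULL as the default), exactly what was passed as a literal before, so this hunk is behaviour-neutral for existing configurations. The one thing to confirm is that loop_add_udp_address(), loop_add_tcp_address() and loop_add_rpc_service() return an error, rather than log and continue, when one entry of a multi-entry list fails to bind: the new documentation promises that kadmind fails to start in that case, and the `if (ret) return ret;` checks here only keep that promise if the callees report the failure.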
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 14e4865..b765148 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -145,7 +145,7 @@ typedef long kadm5_ret_t;
#define KADM5_CONFIG_ENCTYPE 0x00000200
#define KADM5_CONFIG_ADBNAME 0x00000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x00000800
-/*#define KADM5_CONFIG_PROFILE 0x00001000*/
+#define KADM5_CONFIG_KADMIND_LISTEN 0x00001000
#define KADM5_CONFIG_ACL_FILE 0x00002000
#define KADM5_CONFIG_KADMIND_PORT 0x00004000
#define KADM5_CONFIG_ENCTYPES 0x00008000
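Review bot: 0x00001000 was the commented-out KADM5_CONFIG_PROFILE and becomes KADM5_CONFIG_KADMIND_LISTEN. Since admin.h is the installed kadm5 API header, these mask bits are visible to out-of-tree callers; reusing a bit that was never live is safe, but the same reasoning should be spelled out for the 0x00800000 reuse in the next hunk, which removes a name (KADM5_CONFIG_KPASSWD_SERVER) that was only ever under `#ifdef notyet`.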
@@ -156,9 +156,7 @@ typedef long kadm5_ret_t;
#define KADM5_CONFIG_OLD_AUTH_GSSAPI 0x00100000
#define KADM5_CONFIG_NO_AUTH 0x00200000
#define KADM5_CONFIG_AUTH_NOFALLBACK 0x00400000
-#ifdef notyet /* Novell */
-#define KADM5_CONFIG_KPASSWD_SERVER 0x00800000
-#endif
+#define KADM5_CONFIG_KPASSWD_LISTEN 0x00800000
#define KADM5_CONFIG_IPROP_ENABLED 0x01000000
#define KADM5_CONFIG_ULOG_SIZE 0x02000000
#define KADM5_CONFIG_POLL_TIME 0x04000000
@@ -166,6 +164,7 @@ typedef long kadm5_ret_t;
#define KADM5_CONFIG_IPROP_PORT 0x10000000
#define KADM5_CONFIG_KVNO 0x20000000
#define KADM5_CONFIG_IPROP_RESYNC_TIMEOUT 0x40000000
+#define KADM5_CONFIG_IPROP_LISTEN 0x80000000
/*
* permission bits
*/
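Review bot: 0x80000000 is the last free bit of a 32-bit mask, so KADM5_CONFIG_IPROP_LISTEN exhausts the KADM5_CONFIG_* space. If the `mask` member of kadm5_config_params is a signed `long`, on ILP32 platforms this constant also lands on the sign bit; bitwise tests such as `mask & KADM5_CONFIG_IPROP_LISTEN` still work, but anything that orders or prints mask values as signed will misbehave. A comment here saying the 32-bit space is now full and that the next option needs a second mask field would save the next contributor a surprise.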
@@ -277,6 +276,9 @@ typedef struct _kadm5_config_params {
/* char * iprop_server;*/
int iprop_port;
int iprop_resync_timeout;
+ char * kadmind_listen;
+ char * kpasswd_listen;
+ char * iprop_listen;
} kadm5_config_params;
typedef struct _kadm5_key_data {
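Review bot: adding three `char *` members grows sizeof(kadm5_config_params), a struct that callers allocate themselves and hand to kadm5_get_config_params() to fill; a caller built against the previous admin.h passes a struct three pointers too small and the library now writes past its end. Appending at the end is the right placement, but this is an ABI change for the kadm5 libraries and needs the library version bumped, or a note explaining why the struct is already treated as version-specific.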
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index a157093..34f8c56 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -591,6 +591,14 @@ krb5_error_code kadm5_get_config_params(krb5_context context,
GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, KRB5_CONF_DICT_FILE,
NULL);
+ /* Get the kadmind listen addresses. */
+ GET_STRING_PARAM(kadmind_listen, KADM5_CONFIG_KADMIND_LISTEN,
+ KRB5_CONF_KADMIND_LISTEN, NULL);
+ GET_STRING_PARAM(kpasswd_listen, KADM5_CONFIG_KPASSWD_LISTEN,
+ KRB5_CONF_KPASSWD_LISTEN, NULL);
+ GET_STRING_PARAM(iprop_listen, KADM5_CONFIG_IPROP_LISTEN,
+ KRB5_CONF_IPROP_LISTEN, NULL);
+
#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
get_port_param(¶ms.FIELD, params_in->FIELD, \
¶ms.mask, params_in->mask, BIT, \
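Review bot: nothing in this diff frees the new strings. The diffstat shows all eight alt_prof.c insertions are the GET_STRING_PARAM calls in this hunk, so if kadm5_free_config_params() lives in this file it has not been taught to release kadmind_listen, kpasswd_listen and iprop_listen, and every profile read leaks them; add matching free() calls. Also, the comment "Get the kadmind listen addresses." covers three relations, two of which (kpasswd_listen, iprop_listen) are not the kadmin RPC listener; something like "Get the listen address lists for the kpasswd, kadmin and iprop services." is more accurate.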
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index 04e3094..dbab0e8 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -269,10 +269,26 @@ Prior to release 1.11, the maximum value was 2500.
new updates from the master. The default value is \fB2m\fP (that
is, two minutes).
.TP
+.B \fBiprop_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the iprop RPC
+listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default (when \fBiprop_enable\fP is true) is to bind to the wildcard
+address at the port specified in \fBiprop_port\fP\&. New in release
+1.15.
+.TP
.B \fBiprop_port\fP
(Port number.) Specifies the port number to be used for
-incremental propagation. This is required in both master and
-slave configuration files.
+incremental propagation. When \fBiprop_enable\fP is true, this
+relation is required in the slave configuration file, and this
+relation or \fBiprop_listen\fP is required in the master
+configuration file, as there is no default port number. Port
+numbers specified in \fBiprop_listen\fP entries will override this
+port number for the \fIkadmind(8)\fP daemon.
.TP
.B \fBiprop_resync_timeout\fP
(Delta time string.) Specifies the amount of time to wait for a
@@ -291,10 +307,23 @@ back end is being used, or the file name is specified in the
\fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP
default value will not use values from the [dbmodules] section.)
.TP
+.B \fBkadmind_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the kadmin RPC
+listening addresses and/or ports for the \fIkadmind(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If kadmind fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address at the port specified
+in \fBkadmind_port\fP, or the standard kadmin port (749). New in
+release 1.15.
+.TP
.B \fBkadmind_port\fP
(Port number.) Specifies the port on which the \fIkadmind(8)\fP
-daemon is to listen for this realm. The assigned port for kadmind
-is 749, which is used by default.
+daemon is to listen for this realm. Port numbers specified in
+\fBkadmind_listen\fP entries will override this port number. The
+assigned port for kadmind is 749, which is used by default.
.TP
.B \fBkey_stash_file\fP
(String.) Specifies the location where the master key has been
@@ -316,6 +345,24 @@ If this relation is not specified, the default is to listen on TCP
port 88 (the standard port). Prior to release 1.13, the default
was not to listen for TCP connections at all.
.TP
+.B \fBkpasswd_listen\fP
+(Comma\-separated list.) Specifies the kpasswd listening addresses
+and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be
+an interface address, a port number, or an address and port number
+separated by a colon. If the address contains colons, enclose it
+in square brackets. If no address is specified, the wildcard
+address is used. If kadmind fails to bind to any of the specified
+addresses, it will fail to start. The default is to bind to the
+wildcard address at the port specified in \fBkpasswd_port\fP, or the
+standard kpasswd port (464). New in release 1.15.
+.TP
+.B \fBkpasswd_port\fP
+(Port number.) Specifies the port on which the \fIkadmind(8)\fP
+daemon is to listen for password change requests for this realm.
+Port numbers specified in \fBkpasswd_listen\fP entries will override
+this port number. The assigned port for password change requests
+is 464, which is used by default.
+.TP
.B \fBmaster_key_name\fP
(String.) Specifies the name of the principal associated with the
master key. The default is \fBK/M\fP\&.
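Review bot: kdc.conf.man is generated from kdc_conf.rst, and this hunk carries over the same "(Comma-separated list.)" wording for kpasswd_listen that disagrees with the "(Whitespace- or comma-separated list.)" used for iprop_listen and kadmind_listen above. Fix it in the rst and regenerate rather than editing the man page by hand, so the two stay in sync.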
@@ -546,8 +593,8 @@ modules. The value should be an absolute path.
.SS [logging]
.sp
The [logging] section indicates how \fIkrb5kdc(8)\fP and
-\fIkadmind(8)\fP perform logging. The keys in this section are
-daemon names, which may be one of:
+\fIkadmind(8)\fP perform logging. It may contain the following
+relations:
.INDENT 0.0
.TP
.B \fBadmin_server\fP
@@ -559,9 +606,16 @@ Specifies how \fIkrb5kdc(8)\fP performs logging.
.B \fBdefault\fP
Specifies how either daemon performs logging in the absence of
relations specific to the daemon.
+.TP
+.B \fBdebug\fP
+(Boolean value.) Specifies whether debugging messages are
+included in log outputs other than SYSLOG. Debugging messages are
+always included in the system log output because syslog performs
+its own priority filtering. The default value is false. New in
+release 1.15.
.UNINDENT
.sp
-Values are of the following forms:
+Logging specifications may have the following forms:
.INDENT 0.0
.TP
.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP
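Review bot: the [logging] wording change in the previous hunk and the new `debug` relation in this one are not described by the commit message and have no counterpart in the doc/admin/conf_files/kdc_conf.rst portion of this diff, which touches only the three listen options; the man page was evidently regenerated with other pending documentation changes mixed in. Either drop these two hunks from this commit or land the corresponding rst change alongside them, otherwise a later regeneration will silently revert the `debug` text.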
More information about the cvs-krb5
mailing list