krb5 commit: Allow user to restrict KDC to specific addresses
Greg Hudson
ghudson at mit.edu
Mon Jul 18 11:34:20 EDT 2016
https://github.com/krb5/krb5/commit/5f53d6cfb2cdc2e666a3fd2fe4f3ef21aa8258ae
commit 5f53d6cfb2cdc2e666a3fd2fe4f3ef21aa8258ae
Author: Sarah Day <sarahday at mit.edu>
Date: Wed Dec 23 15:01:44 2015 -0500

Allow user to restrict KDC to specific addresses

krb5kdc has always only supported binding to the wildcard addresses.
Add two configuration options to allow specifying the address/port
that krb5kdc listens on for UDP and TCP connections.

[ghudson at mit.edu: edited documentation; preserved kdc_ports = ""
behavior; made kdc_ports and kdc_tcp_ports continue to work in
kdcdefaults section]

ticket: 1093

doc/admin/conf_files/kdc_conf.rst | 53 +++++++++---
doc/admin/install_kdc.rst | 3 +-
doc/admin/pkinit.rst | 2 +-
src/config-files/kdc.conf | 6 +-
src/include/k5-int.h | 2 +
src/kadmin/testing/proto/kdc.conf.proto | 4 +-
src/kdc/main.c | 140 ++++++++++++++++---------------
src/kdc/realm_data.h | 4 +-
src/man/kdc.conf.man | 55 +++++++++---
src/tests/dejagnu/config/default.exp | 24 +++---
src/util/k5test.py | 4 +-
11 files changed, 179 insertions(+), 118 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 9974626..1a4c181 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -49,7 +49,9 @@ subsection does not contain a relation for the tag. See the
:ref:`kdc_realms` section for the definitions of these relations.
* **host_based_services**
+* **kdc_listen**
* **kdc_ports**
+* **kdc_tcp_listen**
* **kdc_tcp_ports**
* **no_host_referral**
* **restrict_anonymous_to_tgt**
@@ -271,21 +273,44 @@ The following tags may be specified in a [realms] subsection:
stored (via kdb5_util stash). The default is |kdcdir|\
``/.k5.REALM``, where *REALM* is the Kerberos realm.
+**kdc_listen**
+ (Whitespace- or comma-separated list.) Specifies the UDP
+ listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If no port is specified,
+ the standard port (88) is used. If the KDC daemon fails to bind
+ to any of the specified addresses, it will fail to start. The
+ default is to bind to the wildcard address on the standard port.
+ New in release 1.15.
+
**kdc_ports**
- (Whitespace- or comma-separated list.) Lists the ports on which
- the Kerberos server should listen for UDP requests, as a
- comma-separated list of integers. The default value is
- ``88,750``, which are the assigned Kerberos port and the port
- historically used by Kerberos V4.
+ (Whitespace- or comma-separated list, deprecated.) Prior to
+ release 1.15, this relation lists the ports for the
+ :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In
+ release 1.15 and later, it has the same meaning as **kdc_listen**
+ if that relation is not defined.
+
+**kdc_tcp_listen**
+ (Whitespace- or comma-separated list.) Specifies the TCP
+ listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
+ Each entry may be an interface address, a port number, or an
+ address and port number separated by a colon. If the address
+ contains colons, enclose it in square brackets. If no address is
+ specified, the wildcard address is used. If no port is specified,
+ the standard port (88) is used. To disable listening on TCP, set
+ this relation to the empty string with ``kdc_tcp_listen = ""``.
+ If the KDC daemon fails to bind to any of the specified addresses,
+ it will fail to start. The default is to bind to the wildcard
+ address on the standard port. New in release 1.15.
**kdc_tcp_ports**
- (Whitespace- or comma-separated list.) Lists the ports on which
- the Kerberos server should listen for TCP connections, as a
- comma-separated list of integers. To disable listening on TCP,
- set this relation to the empty string with ``kdc_tcp_ports = ""``.
- If this relation is not specified, the default is to listen on TCP
- port 88 (the standard port). Prior to release 1.13, the default
- was not to listen for TCP connections at all.
+ (Whitespace- or comma-separated list, deprecated.) Prior to
+ release 1.15, this relation lists the ports for the
+ :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In
+ release 1.15 and later, it has the same meaning as
+ **kdc_tcp_listen** if that relation is not defined.
**kpasswd_listen**
(Comma-separated list.) Specifies the kpasswd listening addresses
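Review bot: the rewritten **kdc_tcp_ports** entry says the relation listed ports "to listen on for UDP requests"; this is the TCP relation, so the sentence copied from **kdc_ports** should read "for TCP connections". The rewrite also drops the sentence that the default before release 1.13 was not to listen on TCP at all, which is still useful to administrators reading older configurations; consider keeping it under **kdc_tcp_listen**.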
@@ -853,8 +878,8 @@ Sample kdc.conf File
Here's an example of a kdc.conf file::
[kdcdefaults]
- kdc_ports = 88
-
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst
index 1d8c4bc..b160932 100644
--- a/doc/admin/install_kdc.rst
+++ b/doc/admin/install_kdc.rst
@@ -108,7 +108,8 @@ and location, and logging.
An example kdc.conf file::
[kdcdefaults]
- kdc_ports = 88
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst
index 8ef1a68..deb2d1e 100644
--- a/doc/admin/pkinit.rst
+++ b/doc/admin/pkinit.rst
@@ -186,7 +186,7 @@ appropriate pathname)::
Because of the larger size of requests and responses using PKINIT, you
may also need to allow TCP access to the KDC::
- kdc_tcp_ports = 88
+ kdc_tcp_listen = 88
Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration
changes.
diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf
index e7ef0f9..bc5076d 100644
--- a/src/config-files/kdc.conf
+++ b/src/config-files/kdc.conf
@@ -1,12 +1,14 @@
[kdcdefaults]
- kdc_ports = 88
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
database_name = /usr/local/var/krb5kdc/principal
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
- kdc_ports = 88
+ kdc_listen = 88
+ kdc_tcp_listen = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 8c2fa43..0ed8b70 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -233,10 +233,12 @@ typedef unsigned char u_char;
#define KRB5_CONF_KDC "kdc"
#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
+#define KRB5_CONF_KDC_LISTEN "kdc_listen"
#define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
#define KRB5_CONF_KDC_PORTS "kdc_ports"
#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
+#define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
#define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen"
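Review bot: KRB5_CONF_KDC_TCP_LISTEN is inserted after KRB5_CONF_KDC_TCP_PORTS, which breaks the alphabetical order the surrounding defines follow (KRB5_CONF_KDC_LISTEN was placed correctly). Move it above KRB5_CONF_KDC_TCP_PORTS.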
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 95a40fc..61283ac 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -1,6 +1,6 @@
[kdcdefaults]
- kdc_ports = 1750
- kdc_tcp_ports = 1750
+ kdc_listen = 1750
+ kdc_tcp_listen = 1750
[realms]
__REALM__ = {
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 3e98931..a6ca9d8 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -1,7 +1,8 @@
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* kdc/main.c - Main procedure body for the KDC server process */
/*
- * Copyright 1990,2001,2008,2009 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001,2008,2009,2016 by the Massachusetts Institute of
+ * Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -145,10 +146,10 @@ finish_realm(kdc_realm_t *rdp)
free(rdp->realm_mpname);
if (rdp->realm_stash)
free(rdp->realm_stash);
- if (rdp->realm_ports)
- free(rdp->realm_ports);
- if (rdp->realm_tcp_ports)
- free(rdp->realm_tcp_ports);
+ if (rdp->realm_listen)
+ free(rdp->realm_listen);
+ if (rdp->realm_tcp_listen)
+ free(rdp->realm_tcp_listen);
if (rdp->realm_keytab)
krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
if (rdp->realm_hostbased)
@@ -199,11 +200,12 @@ combine(const char *val1, const char *val2, char **val_out)
* After we're complete here, the essence of the realm is embodied in the
* realm data and we should be all set to begin operation for that realm.
*/
-static krb5_error_code
-init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname,
- krb5_enctype def_enctype, char *def_udp_ports, char *def_tcp_ports,
- krb5_boolean def_manual, krb5_boolean def_restrict_anon,
- char **db_args, char *no_referral, char *hostbased)
+static krb5_error_code
+init_realm(kdc_realm_t * rdp, krb5_pointer aprof, char *realm,
+ char *def_mpname, krb5_enctype def_enctype, char *def_udp_listen,
+ char *def_tcp_listen, krb5_boolean def_manual,
+ krb5_boolean def_restrict_anon, char **db_args, char *no_referral,
+ char *hostbased)
{
krb5_error_code kret;
krb5_boolean manual;
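Review bot: style, in the reflowed init_realm() prototype: "kdc_realm_t * rdp" has a space after the asterisk, unlike "finish_realm(kdc_realm_t *rdp)" shown in the previous hunk header; write it as "kdc_realm_t *rdp". The "static krb5_error_code" line is also removed and re-added with no visible difference, which suggests a whitespace-only change (likely trailing whitespace) that should be dropped from the patch.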
@@ -245,18 +247,28 @@ init_realm(kdc_realm_t *rdp, krb5_pointer aprof, char *realm, char *def_mpname,
goto whoops;
}
- /* Handle KDC ports */
- hierarchy[2] = KRB5_CONF_KDC_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_ports))
- rdp->realm_ports = strdup(def_udp_ports);
- if (!rdp->realm_ports) {
+ /* Handle KDC addresses/ports */
+ hierarchy[2] = KRB5_CONF_KDC_LISTEN;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen)) {
+ /* Try the old kdc_ports configuration option. */
+ hierarchy[2] = KRB5_CONF_KDC_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_listen))
+ rdp->realm_listen = strdup(def_udp_listen);
+ }
+ if (!rdp->realm_listen) {
kret = ENOMEM;
goto whoops;
}
- hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &rdp->realm_tcp_ports))
- rdp->realm_tcp_ports = strdup(def_tcp_ports);
- if (!rdp->realm_tcp_ports) {
+ hierarchy[2] = KRB5_CONF_KDC_TCP_LISTEN;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE,
+ &rdp->realm_tcp_listen)) {
+ /* Try the old kdc_tcp_ports configuration option. */
+ hierarchy[2] = KRB5_CONF_KDC_TCP_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE,
+ &rdp->realm_tcp_listen))
+ rdp->realm_tcp_listen = strdup(def_tcp_listen);
+ }
+ if (!rdp->realm_tcp_listen) {
kret = ENOMEM;
goto whoops;
}
@@ -613,8 +625,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
kdc_realm_t *rdatap = NULL;
krb5_boolean manual = FALSE;
krb5_boolean def_restrict_anon;
- char *default_udp_ports = 0;
- char *default_tcp_ports = 0;
+ char *def_udp_listen = NULL;
+ char *def_tcp_listen = NULL;
krb5_pointer aprof = NULL;
const char *hierarchy[3];
char *no_referral = NULL;
@@ -626,13 +638,19 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
hierarchy[0] = KRB5_CONF_KDCDEFAULTS;
- hierarchy[1] = KRB5_CONF_KDC_PORTS;
+ hierarchy[1] = KRB5_CONF_KDC_LISTEN;
hierarchy[2] = (char *) NULL;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports))
- default_udp_ports = 0;
- hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
- if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports))
- default_tcp_ports = 0;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen)) {
+ hierarchy[1] = KRB5_CONF_KDC_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))
+ def_udp_listen = NULL;
+ }
+ hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_tcp_listen)) {
+ hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
+ if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_udp_listen))
+ def_tcp_listen = NULL;
+ }
hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE;
if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
max_dgram_reply_size = MAX_DGRAM_SIZE;
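Review bot: logic error in the kdc_tcp_ports fallback: the inner lookup under KRB5_CONF_KDC_TCP_PORTS stores into &def_udp_listen, not &def_tcp_listen. As written, a kdc_tcp_ports value in [kdcdefaults] overwrites the UDP default already read just above (leaking that string) and never reaches def_tcp_listen, so the deprecated TCP relation is not honored here and the UDP listeners can silently end up on the TCP port list. On lookup failure the code then sets def_tcp_listen = NULL, which shows the intended target. Change the call to "krb5_aprof_get_string(aprof, hierarchy, TRUE, &def_tcp_listen)".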
@@ -647,16 +665,16 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
hostbased = 0;
}
- if (default_udp_ports == 0) {
- default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST);
- if (default_udp_ports == 0) {
+ if (def_udp_listen == NULL) {
+ def_udp_listen = strdup(DEFAULT_KDC_UDP_PORTLIST);
+ if (def_udp_listen == NULL) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
}
- if (default_tcp_ports == 0) {
- default_tcp_ports = strdup(DEFAULT_KDC_TCP_PORTLIST);
- if (default_tcp_ports == 0) {
+ if (def_tcp_listen == NULL) {
+ def_tcp_listen = strdup(DEFAULT_KDC_TCP_PORTLIST);
+ if (def_tcp_listen == NULL) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
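Review bot: the fallback still copies DEFAULT_KDC_UDP_PORTLIST and DEFAULT_KDC_TCP_PORTLIST, and no hunk in this patch changes those macros, while the kdc_conf.rst change removes the documented "88,750" default and states that the default is the wildcard address on the standard port. Confirm the macro values match the new documentation, or update one side. Since these strings now feed an address/port listener specification, a rename away from "PORTLIST" would also keep the names accurate.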
@@ -691,8 +709,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
if (!find_realm_data(&shandle, optarg, (krb5_ui_4) strlen(optarg))) {
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
retval = init_realm(rdatap, aprof, optarg, mkey_name,
- menctype, default_udp_ports,
- default_tcp_ports, manual,
+ menctype, def_udp_listen,
+ def_tcp_listen, manual,
def_restrict_anon, db_args,
no_referral, hostbased);
if (retval) {
@@ -767,10 +785,10 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
pid_file = optarg;
break;
case 'p':
- if (default_udp_ports)
- free(default_udp_ports);
- default_udp_ports = strdup(optarg);
- if (!default_udp_ports) {
+ if (def_udp_listen)
+ free(def_udp_listen);
+ def_udp_listen = strdup(optarg);
+ if (!def_udp_listen) {
fprintf(stderr, _(" KDC cannot initialize. Not enough "
"memory\n"));
exit(1);
@@ -809,7 +827,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
}
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
retval = init_realm(rdatap, aprof, lrealm, mkey_name, menctype,
- default_udp_ports, default_tcp_ports, manual,
+ def_udp_listen, def_tcp_listen, manual,
def_restrict_anon, db_args, no_referral,
hostbased);
if (retval) {
@@ -823,10 +841,10 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
krb5_free_default_realm(kcontext, lrealm);
}
- if (default_udp_ports)
- free(default_udp_ports);
- if (default_tcp_ports)
- free(default_tcp_ports);
+ if (def_udp_listen)
+ free(def_udp_listen);
+ if (def_tcp_listen)
+ free(def_tcp_listen);
if (db_args)
free(db_args);
if (db_name)
@@ -898,6 +916,7 @@ int main(int argc, char **argv)
{
krb5_error_code retval;
krb5_context kcontext;
+ kdc_realm_t *realm;
verto_ctx *ctx;
int errout = 0;
int i;
@@ -967,33 +986,18 @@ int main(int argc, char **argv)
return 1;
}
- /* Handle each realm's ports */
- for (i=0; i< shandle.kdc_numrealms; i++) {
- char *cp = shandle.kdc_realmlist[i]->realm_ports;
- int port;
- while (cp && *cp) {
- if (*cp == ',' || isspace((int) *cp)) {
- cp++;
- continue;
- }
- port = strtol(cp, &cp, 10);
- if (cp == 0)
- break;
- retval = loop_add_udp_address(port, NULL);
+ /* Add each realm's listener addresses to the loop. */
+ for (i = 0; i < shandle.kdc_numrealms; i++) {
+ realm = shandle.kdc_realmlist[i];
+ if (*realm->realm_listen != '\0') {
+ retval = loop_add_udp_address(KRB5_DEFAULT_PORT,
+ realm->realm_listen);
if (retval)
goto net_init_error;
}
-
- cp = shandle.kdc_realmlist[i]->realm_tcp_ports;
- while (cp && *cp) {
- if (*cp == ',' || isspace((int) *cp)) {
- cp++;
- continue;
- }
- port = strtol(cp, &cp, 10);
- if (cp == 0)
- break;
- retval = loop_add_tcp_address(port, NULL);
+ if (*realm->realm_tcp_listen != '\0') {
+ retval = loop_add_tcp_address(KRB5_DEFAULT_PORT,
+ realm->realm_tcp_listen);
if (retval)
goto net_init_error;
}
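Review bot: in the per-realm loop, an empty realm_listen skips the UDP listener exactly as an empty realm_tcp_listen skips TCP, but the documentation in this patch only describes kdc_tcp_listen = "" as a way to disable listening. Document the kdc_listen = "" case as well, so an administrator does not end up with a KDC that accepts no UDP requests without realizing it. The entry parsing that used to live here (the strtol loop) is now delegated entirely to loop_add_udp_address() and loop_add_tcp_address(); a short comment stating that those functions parse the whitespace- or comma-separated list would help the next reader.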
diff --git a/src/kdc/realm_data.h b/src/kdc/realm_data.h
index 79ac1e1..859daf1 100644
--- a/src/kdc/realm_data.h
+++ b/src/kdc/realm_data.h
@@ -64,8 +64,8 @@ typedef struct __kdc_realm_data {
/*
* Other per-realm data.
*/
- char *realm_ports; /* Per-realm KDC UDP port */
- char *realm_tcp_ports; /* Per-realm KDC TCP port */
+ char *realm_listen; /* Per-realm KDC UDP listen */
+ char *realm_tcp_listen; /* Per-realm KDC TCP listen */
/*
* Per-realm parameters.
*/
diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man
index dbab0e8..69fde60 100644
--- a/src/man/kdc.conf.man
+++ b/src/man/kdc.conf.man
@@ -96,8 +96,12 @@ subsection does not contain a relation for the tag. See the
.IP \(bu 2
\fBhost_based_services\fP
.IP \(bu 2
+\fBkdc_listen\fP
+.IP \(bu 2
\fBkdc_ports\fP
.IP \(bu 2
+\fBkdc_tcp_listen\fP
+.IP \(bu 2
\fBkdc_tcp_ports\fP
.IP \(bu 2
\fBno_host_referral\fP
@@ -329,21 +333,44 @@ assigned port for kadmind is 749, which is used by default.
(String.) Specifies the location where the master key has been
stored (via kdb5_util stash). The default is \fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm.
.TP
+.B \fBkdc_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the UDP
+listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. If the KDC daemon fails to bind
+to any of the specified addresses, it will fail to start. The
+default is to bind to the wildcard address on the standard port.
+New in release 1.15.
+.TP
.B \fBkdc_ports\fP
-(Whitespace\- or comma\-separated list.) Lists the ports on which
-the Kerberos server should listen for UDP requests, as a
-comma\-separated list of integers. The default value is
-\fB88,750\fP, which are the assigned Kerberos port and the port
-historically used by Kerberos V4.
+(Whitespace\- or comma\-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as \fBkdc_listen\fP
+if that relation is not defined.
+.TP
+.B \fBkdc_tcp_listen\fP
+(Whitespace\- or comma\-separated list.) Specifies the TCP
+listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon.
+Each entry may be an interface address, a port number, or an
+address and port number separated by a colon. If the address
+contains colons, enclose it in square brackets. If no address is
+specified, the wildcard address is used. If no port is specified,
+the standard port (88) is used. To disable listening on TCP, set
+this relation to the empty string with \fBkdc_tcp_listen = ""\fP\&.
+If the KDC daemon fails to bind to any of the specified addresses,
+it will fail to start. The default is to bind to the wildcard
+address on the standard port. New in release 1.15.
.TP
.B \fBkdc_tcp_ports\fP
-(Whitespace\- or comma\-separated list.) Lists the ports on which
-the Kerberos server should listen for TCP connections, as a
-comma\-separated list of integers. To disable listening on TCP,
-set this relation to the empty string with \fBkdc_tcp_ports = ""\fP\&.
-If this relation is not specified, the default is to listen on TCP
-port 88 (the standard port). Prior to release 1.13, the default
-was not to listen for TCP connections at all.
+(Whitespace\- or comma\-separated list, deprecated.) Prior to
+release 1.15, this relation lists the ports for the
+\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In
+release 1.15 and later, it has the same meaning as
+\fBkdc_tcp_listen\fP if that relation is not defined.
.TP
.B \fBkpasswd_listen\fP
(Comma\-separated list.) Specifies the kpasswd listening addresses
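Review bot: the \fBkdc_tcp_ports\fP entry repeats "to listen on for UDP requests"; it should say TCP. This text mirrors doc/admin/conf_files/kdc_conf.rst, so fix the wording in both places.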
@@ -1096,8 +1123,8 @@ Here\(aqs an example of a kdc.conf file:
.nf
.ft C
[kdcdefaults]
- kdc_ports = 88
-
+ kdc_listen = 88
+ kdc_tcp_listen = 88
[realms]
ATHENA.MIT.EDU = {
kadmind_port = 749
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index c163548..1db70fb 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -782,8 +782,8 @@ proc setup_kerberos_files { } {
|| $last_passname_conf != $multipass_name } {
set conffile [open $tmppwd/kdc.conf w]
puts $conffile "\[kdcdefaults\]"
- puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
- puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
puts $conffile ""
puts $conffile "\[realms\]"
puts $conffile " $REALMNAME = \{"
@@ -803,11 +803,11 @@ proc setup_kerberos_files { } {
puts $conffile " supported_enctypes = $supported_enctypes"
}
if { $mode == "tcp" } {
- puts $conffile " kdc_ports = [expr 3 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 3 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]"
} else {
- puts $conffile " kdc_ports = [expr 1 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 1 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]"
}
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
puts $conffile " default_principal_flags = -postdateable forwardable"
@@ -830,8 +830,8 @@ proc setup_kerberos_files { } {
|| $last_passname_conf != $multipass_name } {
set conffile [open $tmppwd/slave.conf w]
puts $conffile "\[kdcdefaults\]"
- puts $conffile " kdc_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
- puts $conffile " kdc_tcp_ports = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
+ puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]"
puts $conffile ""
puts $conffile "\[realms\]"
puts $conffile " $REALMNAME = \{"
@@ -851,11 +851,11 @@ proc setup_kerberos_files { } {
puts $conffile " supported_enctypes = $supported_enctypes"
}
if { $mode == "tcp" } {
- puts $conffile " kdc_ports = [expr 3 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 1 + $portbase],[expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 3 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 1 + $portbase],[expr 3 + $portbase]"
} else {
- puts $conffile " kdc_ports = [expr 1 + $portbase]"
- puts $conffile " kdc_tcp_ports = [expr 3 + $portbase]"
+ puts $conffile " kdc_listen = [expr 1 + $portbase]"
+ puts $conffile " kdc_tcp_listen = [expr 3 + $portbase]"
}
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
puts $conffile " default_principal_flags = -postdateable forwardable"
diff --git a/src/util/k5test.py b/src/util/k5test.py
index 89271fc..e90c2f3 100644
--- a/src/util/k5test.py
+++ b/src/util/k5test.py
@@ -1134,8 +1134,8 @@ _default_kdc_conf = {
'dictfile': '$testdir/dictfile',
'kadmind_port': '$port1',
'kpasswd_port': '$port2',
- 'kdc_ports': '$port0',
- 'kdc_tcp_ports': '$port0'}},
+ 'kdc_listen': '$port0',
+ 'kdc_tcp_listen': '$port0'}},
'dbmodules': {
'db_module_dir': '$plugins/kdb',
'db': {'db_library': 'db2', 'database_name' : '$testdir/db'}},
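Review bot: missing test coverage: the changes here and in default.exp only rename the relations and keep bare port values such as '$port0'. Nothing in the patch exercises an address or address:port entry, a bracketed address containing colons, or the documented behavior that krb5kdc fails to start when it cannot bind to a specified address. Add at least one test that binds the KDC to a specific address, and one that sets kdc_tcp_ports in [kdcdefaults] without kdc_tcp_listen to cover the deprecated fallback path.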