krb5 commit: Don't create hostbased principals in new KDBs
Greg Hudson
ghudson at mit.edu
Tue Aug 4 17:58:42 EDT 2020
https://github.com/krb5/krb5/commit/ac2b693d0ec464e0bcda4953acd79f201169f396
commit ac2b693d0ec464e0bcda4953acd79f201169f396
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jul 30 12:14:27 2020 -0400
Don't create hostbased principals in new KDBs
Unix-like platforms do not provide a simple method to find the
fully-qualified local hostname as the machine is expected to appear to
other hosts. Canonicalizing the gethostname() result with
getaddrinfo() usually works, but potentially uses DNS. Now that
dns_canonicalize_hostname=true is no longer the default, KDB creation
would generally create the wrong host-based principals.
kadmin/hostname is unnecessary because the client software can also
use kadmin/admin, and kiprop/hostname is one of several principals
that must be created for incremental propagation.
ticket: 8935 (new)
src/kadmin/dbutil/kadm5_create.c | 52 ++-------------------
src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c | 35 +--------------
src/tests/dejagnu/krb-standalone/kadmin.exp | 7 ++-
src/tests/t_iprop.py | 1 +
src/tests/t_kadmin_acl.py | 1 +
5 files changed, 12 insertions(+), 84 deletions(-)
diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c
index 4f254a3..42b45aa 100644
--- a/src/kadmin/dbutil/kadm5_create.c
+++ b/src/kadmin/dbutil/kadm5_create.c
@@ -139,60 +139,18 @@ int kadm5_create_magic_princs(kadm5_config_params *params,
static int add_admin_princs(void *handle, krb5_context context, char *realm)
{
krb5_error_code ret = 0;
- char *service_name = 0, *kiprop_name = 0, *canonhost = 0;
- char localname[MAXHOSTNAMELEN];
-
- if (gethostname(localname, MAXHOSTNAMELEN)) {
- ret = errno;
- perror("gethostname");
- goto clean_and_exit;
- }
- ret = krb5_expand_hostname(context, localname, &canonhost);
- if (ret) {
- com_err(progname, ret, _("while canonicalizing local hostname"));
- goto clean_and_exit;
- }
- if (asprintf(&service_name, "kadmin/%s", canonhost) < 0) {
- ret = ENOMEM;
- fprintf(stderr, _("Out of memory\n"));
- goto clean_and_exit;
- }
- if (asprintf(&kiprop_name, "kiprop/%s", canonhost) < 0) {
- ret = ENOMEM;
- fprintf(stderr, _("Out of memory\n"));
- goto clean_and_exit;
- }
-
- if ((ret = add_admin_princ(handle, context,
- service_name, realm,
- KRB5_KDB_DISALLOW_TGT_BASED |
- KRB5_KDB_LOCKDOWN_KEYS,
- ADMIN_LIFETIME)))
- goto clean_and_exit;
if ((ret = add_admin_princ(handle, context,
KADM5_ADMIN_SERVICE, realm,
KRB5_KDB_DISALLOW_TGT_BASED |
KRB5_KDB_LOCKDOWN_KEYS,
ADMIN_LIFETIME)))
- goto clean_and_exit;
-
- if ((ret = add_admin_princ(handle, context,
- KADM5_CHANGEPW_SERVICE, realm,
- KRB5_KDB_DISALLOW_TGT_BASED |
- KRB5_KDB_PWCHANGE_SERVICE |
- KRB5_KDB_LOCKDOWN_KEYS,
- CHANGEPW_LIFETIME)))
- goto clean_and_exit;
-
- ret = add_admin_princ(handle, context, kiprop_name, realm, 0, 0);
-
-clean_and_exit:
- krb5_free_string(context, canonhost);
- free(service_name);
- free(kiprop_name);
+ return ret;
- return ret;
+ return add_admin_princ(handle, context, KADM5_CHANGEPW_SERVICE, realm,
+ KRB5_KDB_DISALLOW_TGT_BASED |
+ KRB5_KDB_PWCHANGE_SERVICE | KRB5_KDB_LOCKDOWN_KEYS,
+ CHANGEPW_LIFETIME);
}
/*
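Review bot: The rewritten add_admin_princs body keeps the assignment-in-condition form `if ((ret = add_admin_princ(handle, context, KADM5_ADMIN_SERVICE, ...))) return ret;` for the first call while the second is a bare `return add_admin_princ(...)`, and `krb5_error_code ret = 0;` now exists only to be overwritten. Writing the first call as `ret = add_admin_princ(...); if (ret) return ret;` would match the `ret = ...; if (ret) return ret;` shape the kdb5_ldap_realm.c hunk of this same commit uses. Since database creation no longer provisions kadmin/<hostname> or kiprop/<hostname>, the comment above add_admin_princs (outside this hunk) should be checked for a stale mention of them. Any administrator documentation that lists the principals created by kdb5_util create, in particular the incremental-propagation setup steps, also needs to say that kiprop/<hostname> must now be added explicitly, as the two Python tests in this commit do; the diffstat shows no documentation file changed.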
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
index c21d199..ae1afd4 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c
@@ -307,29 +307,6 @@ create_fixed_special(krb5_context context, struct realm_info *rinfo,
}
-/* Create a special principal using one specified component and the
- * canonicalized local hostname. */
-static krb5_error_code
-create_hostbased_special(krb5_context context, struct realm_info *rinfo,
- krb5_keyblock *mkey, const char *comp1)
-{
- krb5_error_code ret;
- krb5_principal princ = NULL;
-
- ret = krb5_sname_to_principal(context, NULL, comp1, KRB5_NT_SRV_HST,
- &princ);
- if (ret)
- goto cleanup;
- ret = krb5_set_principal_realm(context, princ, global_params.realm);
- if (ret)
- goto cleanup;
- ret = kdb_ldap_create_principal(context, princ, TGT_KEY, rinfo, mkey);
-
-cleanup:
- krb5_free_principal(context, princ);
- return ret;
-}
-
/* Create all special principals for the realm. */
static krb5_error_code
create_special_princs(krb5_context context, krb5_principal master_princ,
@@ -360,22 +337,12 @@ create_special_princs(krb5_context context, krb5_principal master_princ,
if (ret)
return ret;
- /* Create kadmin/admin and kadmin/<hostname>. */
+ /* Create kadmin/admin. */
rblock.max_life = ADMIN_LIFETIME;
rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED;
ret = create_fixed_special(context, &rblock, mkey, "kadmin", "admin");
if (ret)
return ret;
- ret = create_hostbased_special(context, &rblock, mkey, "kadmin");
- if (ret)
- return ret;
-
- /* Create kiprop/<hostname>. */
- rblock.max_life = global_params.max_life;
- rblock.flags = 0;
- ret = create_hostbased_special(context, &rblock, mkey, "kiprop");
- if (ret)
- return ret;
/* Create kadmin/changepw. */
rblock.max_life = CHANGEPW_LIFETIME;
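Review bot: Removing the kiprop block also removes the `rblock.flags = 0;` reset that previously sat between the kadmin/admin section and the kadmin/changepw section, so rblock.flags now carries KRB5_KDB_DISALLOW_TGT_BASED from the kadmin/admin block into the changepw block that begins on the last line of this hunk. That is only a problem if the changepw section, which continues outside the hunk, updates the field with `|=` or leaves it unset rather than assigning it outright; please confirm it does a full assignment (the flag set kadm5_create.c uses for the same principal is `KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE | KRB5_KDB_LOCKDOWN_KEYS`). max_life is not affected, since the changepw section reassigns it on the visible line. create_special_princs starts and ends outside this hunk.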
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 36a3452..fa50a61 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -1098,10 +1098,11 @@ proc kadmin_test { } {
return
}
- # test fallback to kadmin/admin
- if {![kadmin_delete_locked_down kadmin/$hostname] \
+ # test fallback to kadmin/hostname
+ if {![kadmin_add_rnd kadmin/$hostname] \
+ || ![kadmin_delete_locked_down kadmin/admin] \
|| ![kadmin_list] \
- || ![kadmin_add_rnd kadmin/$hostname -allow_tgs_req] \
+ || ![kadmin_add_rnd kadmin/admin -allow_tgs_req] \
|| ![kadmin_list]} {
return
}
diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py
index 371f3a2..3bb0fd2 100755
--- a/src/tests/t_iprop.py
+++ b/src/tests/t_iprop.py
@@ -188,6 +188,7 @@ for realm in multidb_realms(kdc_conf=conf, create_user=False,
# Create the principal used to authenticate kpropd to kadmind.
kiprop_princ = 'kiprop/' + hostname
+ realm.addprinc(kiprop_princ)
realm.extract_keytab(kiprop_princ, realm.keytab)
# Create the initial replica databases.
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 16faf0a..31a7fb8 100755
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -331,6 +331,7 @@ realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
# Test authentication to kadmin/hostname.
mark('authentication to kadmin/hostname')
kadmin_hostname = 'kadmin/' + hostname
+realm.addprinc(kadmin_hostname)
realm.run([kadminl, 'delprinc', 'kadmin/admin'])
msgs = ('Getting initial credentials for user/admin at KRBTEST.COM',
'Setting initial creds service to kadmin/admin',