krb5 commit: Add kadmind support for disabling listening
ghudson at mit.edu
Wed Nov 27 17:50:16 EST 2024
https://github.com/krb5/krb5/commit/cde2b3bbd96d31604392b067e9a047c245c4e314
commit cde2b3bbd96d31604392b067e9a047c245c4e314
Author: Andreas Schneider <asn at samba.org>
Date: Fri Nov 8 09:57:59 2024 +0100
Add kadmind support for disabling listening
Currently setting kdc_listen or kdc_tcp_listen to the empty string
disables listening for UDP and TCP connections respectively, but
setting kadmind_listen or kpasswd_listen to the empty string listens
on the wildcard address. Make the behavior consistent by changing
loop_add_addresses() to add no listeners when the string contains no
tokens. Remove the conditionals from the KDC code.
Document the new behavior of kadmind_listen and kpasswd_listen, and
the existing behavior of kdc_listen.
[ghudson at mit.edu: simplified loop_add_addresses(); combined several
commits and rewrote commit message]
ticket: 9151 (new)
doc/admin/conf_files/kdc_conf.rst | 29 +++++++++++++++++------------
src/kdc/main.c | 19 +++++++------------
src/lib/apputils/net-server.c | 10 ++--------
3 files changed, 26 insertions(+), 32 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index d1de933a5..ed07d83b0 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -292,10 +292,12 @@ The following tags may be specified in a [realms] subsection:
Each entry may be an interface address, a port number, or an
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
- specified, the wildcard address is used. If kadmind fails to bind
- to any of the specified addresses, it will fail to start. The
- default is to bind to the wildcard address at the port specified
- in **kadmind_port**, or the standard kadmin port (749). New in
+ specified, the wildcard address is used. To disable listening for
+ kadmin RPC connections, set this relation to the empty string with
+ ``kadmind_listen = ""``. If kadmind fails to bind to any of the
+ specified addresses, it will fail to start. The default is to
+ bind to the wildcard address at the port specified in
+ **kadmind_port**, or the standard kadmin port (749). New in
release 1.15.
**kadmind_port**
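Review bot: the closing sentence "New in release 1.15." now sits directly after the new empty-string instruction and reads as if disabling has been possible since 1.15, whereas the commit message states that an empty kadmind_listen bound the wildcard address until this change. Give the empty-string form its own version note (e.g. "Setting this relation to the empty string to disable listening is new in release <the release this ships in>") or reword so the 1.15 note unambiguously refers only to the relation itself.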
@@ -316,10 +318,11 @@ The following tags may be specified in a [realms] subsection:
address and port number separated by a colon. If the address
contains colons, enclose it in square brackets. If no address is
specified, the wildcard address is used. If no port is specified,
- the standard port (88) is used. If the KDC daemon fails to bind
- to any of the specified addresses, it will fail to start. The
- default is to bind to the wildcard address on the standard port.
- New in release 1.15.
+ the standard port (88) is used. To disable listening on UDP, set
+ this relation to the empty string with ``kdc_listen = ""``.
+ If the KDC daemon fails to bind to any of the specified addresses,
+ it will fail to start. The default is to bind to the wildcard
+ address on the standard port. New in release 1.15.
**kdc_ports**
(Whitespace- or comma-separated list, deprecated.) Prior to
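Review bot: this entry documents ``kdc_listen = ""`` as disabling UDP, but the patch does not touch the kdc_tcp_listen entry even though the commit message says an empty kdc_tcp_listen already disables TCP listening. Unless that entry already says so, add the parallel sentence there ("To disable listening on TCP, set this relation to the empty string with ``kdc_tcp_listen = ""``.") so both relations are documented the same way.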
@@ -354,10 +357,12 @@ The following tags may be specified in a [realms] subsection:
an interface address, a port number, or an address and port number
separated by a colon. If the address contains colons, enclose it
in square brackets. If no address is specified, the wildcard
- address is used. If kadmind fails to bind to any of the specified
- addresses, it will fail to start. The default is to bind to the
- wildcard address at the port specified in **kpasswd_port**, or the
- standard kpasswd port (464). New in release 1.15.
+ address is used. To disable listening for kpasswd requests, set
+ this relation to the empty string with ``kpasswd_listen = ""``.
+ If kadmind fails to bind to any of the specified addresses, it
+ will fail to start. The default is to bind to the wildcard
+ address at the port specified in **kpasswd_port**, or the standard
+ kpasswd port (464). New in release 1.15.
**kpasswd_port**
(Port number.) Specifies the port on which the :ref:`kadmind(8)`
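Review bot: now that both kadmind_listen and kpasswd_listen can be empty, the text does not say what kadmind does when it has nothing to bind. The "fails to bind ... will fail to start" sentence does not cover this case, and the patch does not show whether kadmind then starts with no listening sockets or refuses to start. Whichever it is, state it here in one sentence (e.g. "If both this relation and **kadmind_listen** are empty, kadmind starts without any network listeners."), since an administrator using the empty string for one relation needs to know the empty pair is accepted rather than rejected.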
diff --git a/src/kdc/main.c b/src/kdc/main.c
index c5a66ddde..3698a4b0d 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -965,18 +965,13 @@ int main(int argc, char **argv)
/* Add each realm's listener addresses to the loop. */
for (i = 0; i < shandle.kdc_numrealms; i++) {
realm = shandle.kdc_realmlist[i];
- if (*realm->realm_listen != '\0') {
- retval = loop_add_udp_address(KRB5_DEFAULT_PORT,
- realm->realm_listen);
- if (retval)
- goto net_init_error;
- }
- if (*realm->realm_tcp_listen != '\0') {
- retval = loop_add_tcp_address(KRB5_DEFAULT_PORT,
- realm->realm_tcp_listen);
- if (retval)
- goto net_init_error;
- }
+ retval = loop_add_udp_address(KRB5_DEFAULT_PORT, realm->realm_listen);
+ if (retval)
+ goto net_init_error;
+ retval = loop_add_tcp_address(KRB5_DEFAULT_PORT,
+ realm->realm_tcp_listen);
+ if (retval)
+ goto net_init_error;
}
if (workers == 0) {
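Review bot: with the ``'\0'`` guards removed, both calls now hand realm->realm_listen and realm->realm_tcp_listen straight to loop_add_addresses(), which copies the string before tokenizing; this is correct only while realm setup always leaves both fields non-NULL (the old code dereferenced them too, so the invariant already existed, but it is now enforced one layer further away). A one-line comment above the loop stating that both fields are always non-NULL strings, possibly empty, would make the dependency explicit for the next reader.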
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index b3da72d3f..60bd71bae 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -391,15 +391,8 @@ loop_add_addresses(const char *addresses, int default_port,
goto cleanup;
}
- /* Start tokenizing the addresses string. If we get NULL the string
- * contained no addresses, so add a wildcard address. */
+ /* Loop through each address in the string and add it to the loop. */
addr = strtok_r(addresses_copy, ADDRESSES_DELIM, &saveptr);
- if (addr == NULL) {
- ret = loop_add_address(NULL, default_port, type, rpc_data);
- goto cleanup;
- }
-
- /* Loop through each address and add it to the loop. */
for (; addr != NULL; addr = strtok_r(NULL, ADDRESSES_DELIM, &saveptr)) {
/* Parse the host string. */
ret = k5_parse_host_string(addr, default_port, &host, &port);
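Review bot: dropping the ``addr == NULL`` branch changes the meaning of an empty or all-delimiter ``addresses`` argument for every caller of loop_add_addresses(), not only the ones touched in this patch: a caller that passed "" expecting the wildcard fallback now gets no listener and a success return. Confirm the remaining callers (the kadmind_listen and kpasswd_listen paths in kadmind and the two KDC calls in main.c) all supply the non-empty defaults the documentation describes, and add to the function's header comment that an empty string adds no listeners.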
@@ -414,6 +407,7 @@ loop_add_addresses(const char *addresses, int default_port,
host = NULL;
}
+ ret = 0;
cleanup:
free(addresses_copy);
free(host);
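Review bot: ``ret = 0;`` after the loop is needed now that the function can fall through with zero iterations (ret would otherwise carry whatever the earlier allocation check left in it), but it also means every failure inside the loop must leave via ``goto cleanup`` rather than ``break``. The visible lines show the k5_parse_host_string() result going into ``ret`` at the top of the loop body; please confirm that each error path in the body jumps to cleanup, otherwise the new assignment masks the error and the server starts with fewer listeners than configured while reporting success.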