Commit Graph

24 Commits

Author SHA1 Message Date
Simo Sorce
f352702d67 ipa-getkeytab: Add support for get_keytab extop
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
88bcf5899c keytabs: Expose and modify key encoding function
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Nathaniel McCallum
b769d1c186 Add support to ipa-kdb for keyless principals
https://fedorahosted.org/freeipa/ticket/3779

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-19 10:15:36 +01:00
Lukas Slebodnik
a4faa2f444 BUILD: Fix portability of NSS in file ipa_pwd.c
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
2014-01-28 16:35:34 +01:00
Sumit Bose
d876a22732 Remove generation and handling of LM hashes
https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:28:35 +01:00
Martin Kosek
827ea50566 ipa-kdb: read SID blacklist from LDAP
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: SID blacklist list is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:47 +01:00
Tomas Babej
0e8a329048 Prevent integer overflow when setting krbPasswordExpiration
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
2013-02-08 15:54:21 +01:00
Sumit Bose
973aad9db3 Make encode_ntlm_keys() public 2012-09-06 09:24:58 +02:00
Simo Sorce
505bc85ec3 Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
2012-07-30 10:31:47 -04:00
Sumit Bose
ee936431c8 Move some krb5 keys related functions from ipa-client to util 2012-06-11 12:04:05 +02:00
Rob Crittenden
35f44a1aeb Dereference pointer when comparing password history in qsort compare.
The man page for qsort(3) says that the comparison function is called
with pointers to pointers to char but memcmp(3) wants a pointer to void
so we need to cast and dereference.

Without this the qsort() call wasn't properly sorting the elements so
a random password was being removed rather than the oldest when the
list overflowed.

https://fedorahosted.org/freeipa/ticket/2613
2012-04-10 18:33:04 +02:00
Simo Sorce
651f932473 ipa-kdb: add AS auditing support
Fixes: https://fedorahosted.org/freeipa/ticket/2334
2012-02-14 18:03:45 -05:00
Martin Kosek
f2cc9c8d33 Improve password change error message
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067
2012-02-03 17:21:33 +01:00
Simo Sorce
a9e4316d5a Add missing copyright header 2011-11-17 16:15:24 -05:00
Simo Sorce
c8aec450be Fix CID 11021: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
08137836a3 Amend #2038 fix
The math was unsafe, thanks to Nalin for spotting it.
2011-11-05 19:05:08 -04:00
Simo Sorce
f7938a1773 Modify random salt creation for interoperability
See:
https://fedorahosted.org/freeipa/ticket/2038
2011-11-04 11:10:56 +01:00
Simo Sorce
a1637d47c0 util: add password policy manipulation functions 2011-08-26 08:24:49 -04:00
Simo Sorce
452fcdccdc ipa-kdb: implement change_pwd function 2011-08-26 08:24:49 -04:00
Simo Sorce
7d41e7b4d4 ipa-pwd-extop: make encsalt parsing function common
It is going to be used by the ipa-kdb module too.
2011-08-26 08:24:49 -04:00
Simo Sorce
eed401306c ipa-pwd-extop: Move encoding in common too
Also to be used by ipa-kdb
2011-08-26 08:24:49 -04:00
Simo Sorce
4928229093 ipa-pwd-extop: Move encryption of keys in common
This way we can reuse the same code from ipa-kdb later
2011-08-26 08:24:49 -04:00
Jakub Hrozek
3b7a86024b Use internal implementation of internal Kerberos functions
Don't use KRB5_PRIVATE.

The patch implements and uses the following krb5 functions that are
otherwise private in recent MIT Kerberos releases:
 * krb5_principal2salt_norealm
 * krb5_free_ktypes

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2010-11-22 16:01:35 -05:00