Commit Graph

57 Commits

Author SHA1 Message Date
Julien Rische
4a61184da6
kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
  this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
  global one, use flags from the global ticket policy if they are set.
  Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
  flags.

However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.

This was causing multiple issues, which are mitigated by the new
approach:

Now flags from each level are combined together. There flags like
+requires_preauth which are set systematically by the KDB diver, as
well as -allow_tix which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.

In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).

Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa serivce-mod", or using kadmin's "modprinc".

It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.

When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), all the system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.

This fixes CVE-2024-3183

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
Rob Crittenden
99ea326b1c ipa_pwd: Remove unnecessary conditional
It is already confirmed that item_data is not NULL so there
is no need to check it again.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 10:01:28 +01:00
Slava Aseev
4c0398433e ipa-kdb: handle dates up to 2106-02-07 06:28:16
krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.

This commit:
  - adds some helper functions for working with krb5_timestamp as
    unsigned (actually copied from
    https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
  - replaces operations with krb5_timestamp's by these new functions

Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2020-12-18 20:38:40 +02:00
Alexander Bokovoy
d81df964c2 util: Fix client-only build
Commit 26b9a69784 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-18 16:23:05 +02:00
Fraser Tweedale
3f59118ffc ipa_sam: do not modify static buffer holding fqdn
ipa_sam was modifying the buffer returned by ipa_gethostfqdn().
Subsequent calls to ipa_gethostfqdn() returned the corrupt data,
causing other operations to fail.

Update ipa_sam to copy the string and modify the copy.  Also
document this characteristic of ipa_gethostfqdn() and explain that
callers must not modify the returned data.

Part of: https://pagure.io/freeipa/issue/8501

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
727a2ffb93 Easier to use ipa_gethostfqdn()
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.

Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().

Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Rob Crittenden
46d0096218 Add a unit test for libpwquality-based password policy
- with all policies disabled passwords are not evaluated
- the pwpolicy minimum overrides the existing IPA minimum
- max character repeats
- max character sequences (12345)
- palindrome
- dictionary check
- user name in the password check

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
c4cca53e88 Extend password policy to evaluate passwords using libpwpolicy
Enable checking:

maxrepeat - reject passwrods which contain more than N consecutive
            characters.
maxsequence - rejected passwords which contain character sequences
              (abcde).
dictcheck - check passwords using cracklib
usercheck - check whether the password contains the user name.

The class checking provided by libpwpolicy is not used because this
overlaps with the existing IPA checking. This includes the options
dcredit, ucredit, lcredit, ocredit, minclass and maxclassrepeat.

The pwquality min length is fixed at 6 so if there is a conflict between
the system policy and pwquality log that length is enforced at 6.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
3fc2eda4e1 Require libpwolicy and configure it in the build system
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Peter Keresztes Schmidt
68af4f39c1 util: replace NSS usage with OpenSSL
Fixes: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 12:54:19 +03:00
Peter Keresztes Schmidt
f2d854886f util: add unit test for pw hashing
Related: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 12:54:19 +03:00
Alexander Bokovoy
dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
Christian Heimes
e107b8e4fe Print LDAP diagnostic messages on error
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-17 15:47:00 +01:00
Alexander Bokovoy
e9dd757763 covscan: free ucs2-encoded password copy when generating NTLM hash
On successful code path we leak internal copy of the ucs2-encoded
password.

Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-29 11:14:18 +01:00
Simo Sorce
4abd2f76d7 Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.

Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.

But we need to handle this for future proofing.

Fixes #8071

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-26 11:33:48 +01:00
Robbie Harwood
9414b038e7 Log INFO message when LDAP connection fails on startup
Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-05 14:53:55 -04:00
Christian Heimes
93fb037d84 Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
  Samba's ZERO_STRUCT() macro, see
  https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
  http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
  see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
  instead of generic __typeof__().

Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-02-07 12:33:45 +01:00
Alexander Bokovoy
de8f969f2d
Move fips_enabled to a common library to share across different plugins
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2018-08-13 14:42:16 +02:00
Thomas Woerner
f3faecbbb4 Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)
The second argument was not used, but the first one was used twice.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-20 12:53:38 -04:00
Christian Heimes
829998b19b Apply sane LDAP settings to C code
Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-05-29 15:30:37 +02:00
Christian Heimes
2828a2b92b C compilation fixes and hardening
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 10:38:01 +01:00
Christian Heimes
20c1eb9844 Add missing include of stdint.h for uint8_t
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-22 15:48:36 +01:00
Lukas Slebodnik
41d7ae54fa ipa_pwd: remove unnecessary dependency on dirsrv plugins
"dirsrv/slapi-plugin.h" is unnecessary for build of ipa_pwd.
This patch allow us to move DIRSRV to daemon only dependencies

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-22 15:48:36 +01:00
Petr Spacek
b0cb6afa23 Build: transform util directory to libutil convenience library
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Simo Sorce
e2c2d5967d Add compatibility function for older libkrb5
Before krb5 1.13 the krb5_salttype_to_string() function was returning
incorrect names (display names of some kind instead of the names
used by the rest of the library to map saltname to the salt type
integer number).
This patch adds a function that checks at runtime if we have a working
function and uses a fallback map updated to the salt types known up
to 1.12, this allows us to use the library provided function in
following releases where new salt types may emerge.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Milan Kubik <mkubik@redhat.com>
2015-05-30 12:24:15 -04:00
Simo Sorce
d5b6c83601 Detect default encsalts kadmin password change
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).

This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.

Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.

Fixes https://fedorahosted.org/freeipa/ticket/4914

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
2015-05-27 09:45:56 -04:00
Simo Sorce
8b199b813d Stop including the DES algorythm from openssl.
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:27:22 +01:00
Simo Sorce
d762f61d25 Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:25:54 +01:00
Martin Babinsky
98b1690a0e ipa-kdb: unexpected error code in 'ipa_kdb_audit_as_req' triggers a message
This patch is related this defect reported by covscan on FreeIPA master:

"""
Error: DEADCODE (CWE-561):
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition "error_code !=
-1765328353L", taking false branch. Now the value of "error_code" is equal to
-1765328353.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42: cond_const: Condition
"error_code != -1765328360L", taking false branch. Now the value of
"error_code" is equal to -1765328360.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:42:
cond_const: Condition "error_code != 0", taking false branch. Now the value of
"error_code" is equal to 0.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
intervals: When switching on "error_code", the value of "error_code" must be
in one of the following intervals: {[-1765328360,-1765328360],
[-1765328353,-1765328353], [0,0]}.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:71:
dead_error_condition: The switch value "error_code" cannot reach the default
case.
/daemons/ipa-kdb/ipa_kdb_audit_as.c:123: dead_error_begin: Execution
cannot reach this statement: "default:".
"""

This patch is a part of series related to
https://fedorahosted.org/freeipa/ticket/4795.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-01-30 11:02:16 +01:00
Jan Cholasta
66a42e67f3 Fix unchecked return value in krb5 common utils
https://fedorahosted.org/freeipa/ticket/4713

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-11-25 08:23:24 +00:00
Simo Sorce
c6afc489a1 Add asn1c generated code for keytab controls
Instead of manually encoding controls, use an actual asn1 compiler.
The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code
is committed to the tree and built into a static library that is linked
to the code that uses it.

The first module implements the GetKeytabControl control.

Related:
https://fedorahosted.org/freeipa/ticket/4718
https://fedorahosted.org/freeipa/ticket/4728

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-11-20 10:52:13 -05:00
Simo Sorce
f352702d67 ipa-getkeytab: Add support for get_keytab extop
This new extended operation is tried by default and then the code falls
back to the old method if it fails. The new method allows for server
side password generation as well as retrieval of existing credentials
w/o causing regeneration of keys on the server.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Simo Sorce
88bcf5899c keytabs: Expose and modify key encoding function
Make it available outside of the encoding.c file for use in a follow-up
patch. Add option to not pass a password and generate a random key
instead.

Related:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Nathaniel McCallum
b769d1c186 Add support to ipa-kdb for keyless principals
https://fedorahosted.org/freeipa/ticket/3779

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-19 10:15:36 +01:00
Lukas Slebodnik
a4faa2f444 BUILD: Fix portability of NSS in file ipa_pwd.c
Tested-by: Timo Aaltonen <tjaalton@ubuntu.com>
2014-01-28 16:35:34 +01:00
Sumit Bose
d876a22732 Remove generation and handling of LM hashes
https://fedorahosted.org/freeipa/ticket/3795
2013-11-01 09:28:35 +01:00
Martin Kosek
827ea50566 ipa-kdb: read SID blacklist from LDAP
SIDs in incoming MS-PAC were checked and filtered with a fixed list of
well-known SIDs. Allow reading the SID blacklist from LDAP
(ipaNTSIDBlacklistIncoming and ipaNTSIDBlacklistOutgoing) and add the list
to mspac adtrust structure. Use the hardcoded SID list only if the LDAP
SID list is not configured.

LIMITATION: SID blacklist list is not used yet.

https://fedorahosted.org/freeipa/ticket/3289
2013-02-12 10:37:47 +01:00
Tomas Babej
0e8a329048 Prevent integer overflow when setting krbPasswordExpiration
Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
2013-02-08 15:54:21 +01:00
Sumit Bose
973aad9db3 Make encode_ntlm_keys() public 2012-09-06 09:24:58 +02:00
Simo Sorce
505bc85ec3 Move code into common krb5 utils
This moves the decoding function that reads the keys from the ber format
into a structure in the common krb5 util code right below the function
that encodes the same data structure into a ber format.
This way the 2 functions are in the same place and can be both used by
all ia components.
2012-07-30 10:31:47 -04:00
Sumit Bose
ee936431c8 Move some krb5 keys related functions from ipa-client to util 2012-06-11 12:04:05 +02:00
Rob Crittenden
35f44a1aeb Dereference pointer when comparing password history in qsort compare.
The man page for qsort(3) says that the comparison function is called
with pointers to pointers to char but memcmp(3) wants a pointer to void
so we need to cast and dereference.

Without this the qsort() call wasn't properly sorting the elements so
a random password was being removed rather than the oldest when the
list overflowed.

https://fedorahosted.org/freeipa/ticket/2613
2012-04-10 18:33:04 +02:00
Simo Sorce
651f932473 ipa-kdb: add AS auditing support
Fixes: https://fedorahosted.org/freeipa/ticket/2334
2012-02-14 18:03:45 -05:00
Martin Kosek
f2cc9c8d33 Improve password change error message
User always receives the same error message if he changes his password
via "ipa passwd" command and the new password fails configured
password policy. He then has to investigate on his own the actual
reason why was the policy violated. This patch improves our SLAPI PWD
plugins to provide a better error message explaining the violation
reason.

https://fedorahosted.org/freeipa/ticket/2067
2012-02-03 17:21:33 +01:00
Simo Sorce
a9e4316d5a Add missing copyright header 2011-11-17 16:15:24 -05:00
Simo Sorce
c8aec450be Fix CID 11021: Resource leak
https://fedorahosted.org/freeipa/ticket/2037
2011-11-07 11:13:55 -05:00
Simo Sorce
08137836a3 Amend #2038 fix
The math was unsafe, thanks to Nalin for spotting it.
2011-11-05 19:05:08 -04:00