Skip Menu |
 

To: kerberos@mit.edu
From: Adam Megacz <megacz@cs.berkeley.edu>
Subject: Re: Reading kerberos-adm from DNS: when will MIT-krb support this?
Date: Sat, 15 Mar 2008 19:36:02 -0700
Download (untitled) / with headers
text/plain 2.3KiB

Ken Raeburn <raeburn@mit.edu> writes:
Show quoted text
>> I believe the future has already arrived. Current MIT code should
>> be capable of finding and using records like this:
>>
>> spam% dig _kerberos-adm._tcp.umich.edu srv
>
> This is used for the password-changing service, but unfortunately the
> RPC code used for the kadmin program still looks up admin_server, and
> uses the first IP address found when looking up that hostname. No
> DNS, one hostname, one address, no service-location plugin support,
> no IPv6. These do need to be fixed....

This should help.

- a


diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index bb87f88..48b1792 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
params.admin_server = strdup(params_in->admin_server);
if (params.admin_server)
params.mask |= KADM5_CONFIG_ADMIN_SERVER;
- } else if (aprofile &&
- !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
- params.admin_server = svalue;
- params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ } else if (aprofile) {
+ if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+ params.admin_server = svalue;
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ } else {
+ struct addrlist addrlist;
+ int i;
+ krb5_data drealm;
+ drealm.data = (void*)params.realm;
+ drealm.length = strlen(params.realm);
+ if (!krb5int_locate_server(context, &drealm, &addrlist, 0,
+ "admin_server", "_kerberos-adm", 1,
+ DEFAULT_KPASSWD_PORT, 0, 0)) {
+ for (i=0;i<addrlist.naddrs;i++ ) {
+ struct addrinfo *a = addrlist.addrs[i];
+ if (a->ai_family == AF_INET) {
+ params.admin_server = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr));
+ params.kadmind_port = ntohs(sa2sin (a->ai_addr)->sin_port);
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ params.mask |= KADM5_CONFIG_KADMIND_PORT;
+ break;
+ }
+ }
+ }
+ }
}
if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
char *p;

Show quoted text
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Date: Mon, 17 Mar 2008 09:39:50 -0400 (EDT)
To: rt@krbdev.mit.edu
From: adam@megacz.com
Subject: Re: [krbdev.mit.edu #5916] AutoReply: Re: Reading kerberos-adm from DNS: when will MIT-krb support this?
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.5KiB
Hi, I've never sent a message to you before, so my spam filter trapped
your email. If you're really a human being and not an evil spammer,
please click the link below or paste it into a web browser; doing so will
add you to my list of non-spammers (so you won't get this email in the future)
and it will move your message from my spam folder to my incoming mail folder.

Thanks!

- Adam

http://www.megacz.com:8025/whitelist/xrt-5916-26183.5.2518976017344%40krbdev.mit.edu.txt


About this message:

NOTE: SPAMCOP DOES NOT CONSIDER THIS TO BE SPAM; see this:

http://www.spamcop.net/fom-serve/cache/369.html

and examine the "x-originally-received" header on this message
for the required "chain of custody" information.

Only one of these challenge messages is ever generated in response to
a given inbound SMTP connection; it cannot be used to amplify spam
attacks, and in fact actually retards them while also stripping the
advertisement they were meant to convey.

Only one delivery attempt for this challenge is ever made, and it is made
DURING the SMTP delivery of the message being challenged (that is,
between C:DATA and S:250); the deliverer of the possibly-spam message
must remain SMTP connected to my server during the entire process or else
the delivery will immediately abort. These challenge messages are NEVER,
EVER queued for multiple delivery attempts

For more information, please see:

http://www.templetons.com/brad/spam/crgood.html
Date: Mon, 17 Mar 2008 09:40:44 -0400 (EDT)
To: rt-comment@krbdev.mit.edu
From: adam@megacz.com
Subject: Re: Re: [krbdev.mit.edu #5916] AutoReply: Re: Reading kerberos-adm from DNS: when will MIT-krb support this?
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.5KiB
Hi, I've never sent a message to you before, so my spam filter trapped
your email. If you're really a human being and not an evil spammer,
please click the link below or paste it into a web browser; doing so will
add you to my list of non-spammers (so you won't get this email in the future)
and it will move your message from my spam folder to my incoming mail folder.

Thanks!

- Adam

http://www.megacz.com:8025/whitelist/xrt-5916-26184.6.86270769200704%40krbdev.mit.edu.txt


About this message:

NOTE: SPAMCOP DOES NOT CONSIDER THIS TO BE SPAM; see this:

http://www.spamcop.net/fom-serve/cache/369.html

and examine the "x-originally-received" header on this message
for the required "chain of custody" information.

Only one of these challenge messages is ever generated in response to
a given inbound SMTP connection; it cannot be used to amplify spam
attacks, and in fact actually retards them while also stripping the
advertisement they were meant to convey.

Only one delivery attempt for this challenge is ever made, and it is made
DURING the SMTP delivery of the message being challenged (that is,
between C:DATA and S:250); the deliverer of the possibly-spam message
must remain SMTP connected to my server during the entire process or else
the delivery will immediately abort. These challenge messages are NEVER,
EVER queued for multiple delivery attempts

For more information, please see:

http://www.templetons.com/brad/spam/crgood.html
From: Adam Megacz <megacz@cs.berkeley.edu>
To: jaltman@secure-endpoints.com
Subject: patch inclusion status?
Date: Thu, 19 Jun 2008 15:22:59 -0700
CC: krb5-bugs@mit.edu

Regarding this patch:

http://mailman.mit.edu/pipermail/kerberos/2008-March/013327.html

Jeffrey Altman <jaltman@secure-endpoints.com> writes:
Show quoted text
> Adam Megacz wrote:
>> Hi, would it be possible for the Kerberos maintainers to consider the
>> patch below for inclusion in the main libkadm5 distribution?
>>
>> - a
> Adam:
>
> I already forwarded your patch to krb5-bugs@mit.edu on your behalf.

Is there any way I can track the status of this matter? The patch
does not seem to have been applied to the development tree (I checked
the snapshot two days ago).

If the patch needs to be revised, I would be happy to do so. It would
be nice to see it included in the next release, unless there is some
objection to it.

Thank you!

- a
From: Adam Megacz <megacz@cs.berkeley.edu>
Subject: Re: Reading kerberos-adm from DNS (PATCH)
Date: Sat, 20 Jun 2009 10:37:21 -0700
CC: krb5-bugs@mit.edu, krbdev@mit.edu, kerberos@mit.edu
Download (untitled) / with headers
text/plain 3.7KiB
The following message is a courtesy copy of an article
that has been posted to gmane.comp.encryption.kerberos.general,gmane.comp.encryption.kerberos.devel as well.


It seems that this patch didn't wind up in the recent kerberos
release. Do you think somebody could review it for inclusion soon, so
that it has a chance of making it into the next release? If any
changes need to be made, please let me know and I will make them.

Thanks!

- a

Ken Raeburn <raeburn@mit.edu> writes:
Show quoted text
> Sure. :)
> At first glance it looks good, but I want to have a closer look
> before committing it (unless someone else gets to it first). Thanks
> for sending it in!
>
> Adam Megacz <megacz@cs.berkeley.edu> writes:
> > Hi, would it be possible for the Kerberos maintainers to consider the
> > patch below for inclusion in the main libkadm5 distribution?
> >
> > - a
> >
> > Adam Megacz <megacz@cs.berkeley.edu> writes:
> >> Ken Raeburn <raeburn@mit.edu> writes:
> >>>> I believe the future has already arrived. Current MIT code should
> >>>> be capable of finding and using records like this:
> >>>>
> >>>> spam% dig _kerberos-adm._tcp.umich.edu srv
> >>>
> >>> This is used for the password-changing service, but unfortunately the
> >>> RPC code used for the kadmin program still looks up admin_server, and
> >>> uses the first IP address found when looking up that hostname. No
> >>> DNS, one hostname, one address, no service-location plugin support,
> >>> no IPv6. These do need to be fixed....
> >>
> >> This should help.
> >>
> >> - a
> >>
> >>
> >> diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
> >> index bb87f88..48b1792 100644
> >> --- a/src/lib/kadm5/alt_prof.c
> >> +++ b/src/lib/kadm5/alt_prof.c
> >> @@ -416,10 +416,31 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
> >> params.admin_server = strdup(params_in->admin_server);
> >> if (params.admin_server)
> >> params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> - } else if (aprofile &&
> >> - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
> >> - params.admin_server = svalue;
> >> - params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> + } else if (aprofile) {
> >> + if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
> >> + params.admin_server = svalue;
> >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> + } else {
> >> + struct addrlist addrlist;
> >> + int i;
> >> + krb5_data drealm;
> >> + drealm.data = (void*)params.realm;
> >> + drealm.length = strlen(params.realm);
> >> + if (!krb5int_locate_server(context, &drealm, &addrlist, 0,
> >> + "admin_server", "_kerberos-adm", 1,
> >> + DEFAULT_KPASSWD_PORT, 0, 0)) {
> >> + for (i=0;i<addrlist.naddrs;i++ ) {
> >> + struct addrinfo *a = addrlist.addrs[i];
> >> + if (a->ai_family == AF_INET) {
> >> + params.admin_server = strdup(inet_ntoa(sa2sin(a->ai_addr)->sin_addr));
> >> + params.kadmind_port = ntohs(sa2sin (a->ai_addr)->sin_port);
> >> + params.mask |= KADM5_CONFIG_ADMIN_SERVER;
> >> + params.mask |= KADM5_CONFIG_KADMIND_PORT;
> >> + break;
> >> + }
> >> + }
> >> + }
> >> + }
> >> }
> >> if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
> >> char *p;
> >>
> >> ________________________________________________
> >> Kerberos mailing list Kerberos@mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >
> > --
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
> --
>
From: Ken Raeburn <raeburn@MIT.EDU>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6516] Re: Reading kerberos-adm from DNS (PATCH)
Date: Fri, 26 Jun 2009 19:00:57 -0400
RT-Send-Cc:
Download (untitled) / with headers
text/plain 3.6KiB
On Jun 21, 2009, at 13:42, megacz@cs.berkeley.edu via RT wrote:
Show quoted text
> It seems that this patch didn't wind up in the recent kerberos
> release. Do you think somebody could review it for inclusion soon, so
> that it has a chance of making it into the next release? If any
> changes need to be made, please let me know and I will make them.

Hi, Adam. I'm sorry it took so long to get back to this one. I've
looked at the patch in more detail, and see some problems in using it
with the current code:

First, a minor point, the source code you're patching has changed.
There are now a macro and helper function used to fetch a string
parameter from either the command-line data or supplied profile. That
change probably doesn't need to be undone, it merely means the patch
doesn't apply trivially.

Second, also a minor point, locate_server is going to check the
profile referenced in the context. It should use a subset of the
config files supplied in the profile argument passed in, and in the
same order, so it shouldn't get wrong results if the profile search
has already failed, but it is doing redundant work. That could be
worked around a couple of ways -- supply an explicit profile to
locate_server through yet another argument, or have it skip the use of
the profile if the relevant string argument is instead a null
pointer. I haven't checked to see if that will do something
reasonable when invoking service-location plugins though, and that
should be supported here as well. (Using locate_server will get that
support, so it is the right way to go.) If it turns out to be
difficult or ugly, we can probably just live with the redundant checks
for now and not worry about it; locating the kadmin server is rarely
something performance-critical.

Third, more serious: One of the changes in the kadmin code in recent
years was to add support for using kadmin/serverhostname as an
alternative service principal name. Logically, we should probably use
the name presented in the SRV record, rather than having to go look
the address up again in DNS. (Currently kadm5_get_admin_service_name
does use DNS to get the canonical name, but we should keep that
mistake localized to one place where we can fix it later when we've
got solid name canonicalization support, and we should use the same
process for getting the principal name whether we got the host name
from the config file or from DNS. And, the CNAME processing done by
gethostbyname is not necessarily going to give the same result that
gethostbyaddr/getnameinfo will return for an address.)

This may get messier to fix than the others... I think we want all of
the mechanisms that can be used to get a server address, including
plugins (and the sample Python plugin) to supply a host name, probably
in addition to the address, not instead of it. This will probably
mean changing some of the internal interfaces. I'm uncertain whether
that interface should permit a null pointer or empty string, and what
that should mean -- should the library look up the address to get a
name, or should it not fall back to host-based principal naming for
that case? And a smart plugin could know that for the KDC case we
don't care about the host name, and omit it. (Should it return a
service principal name instead/too?)

Fourth, and related to ticket #5890, kadm5_get_admin_service_name will
need tweaking for the DNS SRV usage, too; might as well fix the
various problems at once. (Or fix 5890 first, designing the changes
with the future SRV support in mind.)

Ken

--
Ken Raeburn / raeburn@mit.edu / no longer at MIT Kerberos Consortium