Subject: kadmind does not log IPv6 requests properly
kadmind uses inet_ntoa() on the RPC handle in multiple places to produce
the client address string, which doesn't work for IPv6 requests.

We probably can't use xp_raddr when fixing this, since it is a
sockaddr_in6. Instead we'll need to call getpeername on the socket.

From: ghudson@mit.edu
Subject: git commit

Add new versions of log_badauth gssrpc callbacks

libgssrpc supports two callbacks for gss_accept_sec_context failures
on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are
IPv4-specific. Provide an alternate version which supplies the
transport handle instead of the address, so that we can get the
address via the file descriptor for TCP connections.

https://github.com/krb5/krb5/commit/4c57a429760a3b3aa89938a13708742675f9548b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4c57a429760a3b3aa89938a13708742675f9548b
Branch: master
src/include/gssrpc/auth_gssapi.h | 13 +++++++++++++
src/include/gssrpc/rename.h | 2 ++
src/lib/rpc/libgssrpc.exports | 2 ++
src/lib/rpc/svc_auth_gss.c | 27 +++++++++++++++++++++------
src/lib/rpc/svc_auth_gssapi.c | 26 +++++++++++++++++++++-----
5 files changed, 59 insertions(+), 11 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Correctly log IPv6 addresses in kadmind

Define client_addr() in server_stubs.c and use it consistently in that
file and ipropd_svc.c to get the client address from a transport
handle. In it, call getpeername() on the client socket and use
inet_ntop() on the result, instead of using inet_ntoa() on the IPv4
socket address. Provide a log_badauth2 callback to GSSRPC, so that we
get a transport handle instead of an IPv4 socket address, and use
client_addr() within it instead of inet_ntoa().

https://github.com/krb5/krb5/commit/5384f45e728957da20ecf82d8cf567945a2bbf6e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5384f45e728957da20ecf82d8cf567945a2bbf6e
Branch: master
src/kadmin/server/ipropd_svc.c | 22 +++++++---------------
src/kadmin/server/kadm_rpc_svc.c | 18 ++++++------------
src/kadmin/server/misc.h | 9 +++------
src/kadmin/server/ovsec_kadmd.c | 29 ++++++++++-------------------
src/kadmin/server/server_stubs.c | 30 ++++++++++++++++++++++++------
5 files changed, 50 insertions(+), 58 deletions(-)
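
Added example, not part of the ticket or the krb5 commits: a minimal C sketch of the approach the commit message above describes (getpeername() on the client socket, then inet_ntop() on the result), next to the IPv4-only inet_ntoa() pattern it replaces. The function names and the 2001:db8::1 sample address are hypothetical and constructed for illustration. It assumes the usual Linux/BSD layout in which sin6_flowinfo occupies the bytes where sockaddr_in keeps sin_addr, so the IPv4-only path logs 0.0.0.0 for an IPv6 peer.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Family-aware formatting with inet_ntop(); result lives in a static buffer. */
const char *addr_to_str(const struct sockaddr_storage *ss)
{
    static char buf[INET6_ADDRSTRLEN];
    const void *src = NULL;
    if (ss->ss_family == AF_INET)
        src = &((const struct sockaddr_in *)ss)->sin_addr;
    else if (ss->ss_family == AF_INET6)
        src = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    if (src == NULL || inet_ntop(ss->ss_family, src, buf, sizeof(buf)) == NULL)
        return "(unknown)";
    return buf;
}

/* Peer address of a connected socket, asked of the kernel via getpeername(). */
const char *peer_addr_str(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0)
        return "(unknown)";   /* not a socket, not connected, bad fd */
    return addr_to_str(&ss);
}

/* IPv4-only pattern: view the bytes as sockaddr_in and call inet_ntoa(). */
const char *legacy_addr_str(const struct sockaddr_storage *ss)
{
    struct sockaddr_in sin;
    memcpy(&sin, ss, sizeof(sin));
    return inet_ntoa(sin.sin_addr);
}

/* Constructed sample: an IPv6 peer address as getpeername() would fill it. */
const struct sockaddr_storage *sample_v6(const char *text)
{
    static struct sockaddr_storage ss;
    memset(&ss, 0, sizeof(ss));
    ss.ss_family = AF_INET6;
    inet_pton(AF_INET6, text, &((struct sockaddr_in6 *)&ss)->sin6_addr);
    return &ss;
}

int main(void)
{
    printf("inet_ntoa: %s\n", legacy_addr_str(sample_v6("2001:db8::1")));
    printf("inet_ntop: %s\n", addr_to_str(sample_v6("2001:db8::1")));
}
```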

From: tlyu@mit.edu
Subject: git commit

Add new versions of log_badauth gssrpc callbacks

libgssrpc supports two callbacks for gss_accept_sec_context failures
on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are
IPv4-specific. Provide an alternate version which supplies the
transport handle instead of the address, so that we can get the
address via the file descriptor for TCP connections.

(cherry picked from commit 4c57a429760a3b3aa89938a13708742675f9548b)

https://github.com/krb5/krb5/commit/dca3c14c0b43a4de724e3533ca2f0a909b7c695f
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: dca3c14c0b43a4de724e3533ca2f0a909b7c695f
Branch: krb5-1.12
src/include/gssrpc/auth_gssapi.h | 13 +++++++++++++
src/include/gssrpc/rename.h | 2 ++
src/lib/rpc/libgssrpc.exports | 2 ++
src/lib/rpc/svc_auth_gss.c | 27 +++++++++++++++++++++------
src/lib/rpc/svc_auth_gssapi.c | 26 +++++++++++++++++++++-----
5 files changed, 59 insertions(+), 11 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Correctly log IPv6 addresses in kadmind

Define client_addr() in server_stubs.c and use it consistently in that
file and ipropd_svc.c to get the client address from a transport
handle. In it, call getpeername() on the client socket and use
inet_ntop() on the result, instead of using inet_ntoa() on the IPv4
socket address. Provide a log_badauth2 callback to GSSRPC, so that we
get a transport handle instead of an IPv4 socket address, and use
client_addr() within it instead of inet_ntoa().

(cherry picked from commit 5384f45e728957da20ecf82d8cf567945a2bbf6e)

https://github.com/krb5/krb5/commit/7ce5de08d0273bf70d927f0eb606398a792654a7
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 7ce5de08d0273bf70d927f0eb606398a792654a7
Branch: krb5-1.12
src/kadmin/server/ipropd_svc.c | 22 +++++++---------------
src/kadmin/server/kadm_rpc_svc.c | 18 ++++++------------
src/kadmin/server/misc.h | 9 +++------
src/kadmin/server/ovsec_kadmd.c | 29 ++++++++++-------------------
src/kadmin/server/server_stubs.c | 30 ++++++++++++++++++++++++------
5 files changed, 50 insertions(+), 58 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Bump libgssrpc minor version

Bump minor version for the new log_badauth2 interfaces.

https://github.com/krb5/krb5/commit/af5f5d63efe938c568a33bfb64ba5154982d6fb2
Author: Tom Yu <tlyu@mit.edu>
Commit: af5f5d63efe938c568a33bfb64ba5154982d6fb2
Branch: master
src/lib/rpc/Makefile.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Bump libgssrpc minor version

Bump minor version for the new log_badauth2 interfaces.

(cherry picked from commit af5f5d63efe938c568a33bfb64ba5154982d6fb2)

https://github.com/krb5/krb5/commit/b658f054334cf4f09110f76998ffbea7216eff7a
Author: Tom Yu <tlyu@mit.edu>
Commit: b658f054334cf4f09110f76998ffbea7216eff7a
Branch: krb5-1.12
src/lib/rpc/Makefile.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)