Subject: Authentication indicator support
From: ghudson@mit.edu
Subject: git commit

Add ASN.1 encoder/decoder for UTF-8 strings

Add functions to encode and decode SEQUENCE OF UTF8String into a
null-terminated array of krb5_data pointers. This type is simple
enough that we don't need specific tests for it.

https://github.com/krb5/krb5/commit/d0f63158c3b0e9ebfe76c56136a575b41ec12642
Author: Greg Hudson <ghudson@mit.edu>
Commit: d0f63158c3b0e9ebfe76c56136a575b41ec12642
Branch: master
src/include/k5-int.h | 9 +++++++++
src/lib/krb5/asn.1/asn1_k_encode.c | 4 ++++
src/lib/krb5/krb/kfree.c | 10 ++++++++++
src/lib/krb5/libkrb5.exports | 3 +++
4 files changed, 26 insertions(+), 0 deletions(-)
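The type this commit adds an encoder and decoder for is a DER SEQUENCE OF UTF8String. As an added illustration (not krb5's own asn1_k_encode.c code, which returns krb5_data pointers rather than C strings), here is a bounds-checked decoder for that type with a constructed input in the usage below:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not krb5's own ASN.1 code: decode a DER SEQUENCE OF UTF8String
 * (tag 0x30 wrapping 0x0C items) into a NULL-terminated array of C strings,
 * rejecting truncated, oversized or trailing-garbage encodings. */
/* Read a DER length (short or long form) at in[*pos]; returns -1 if the length
 * is malformed or the content it announces would run past the buffer end. */
static int get_len(const uint8_t *in, size_t n, size_t *pos, size_t *len) {
    if (*pos >= n) return -1;
    uint8_t b = in[(*pos)++];
    if (b < 0x80) {
        *len = b;
    } else {
        size_t cnt = b & 0x7F;
        if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
        *len = 0;
        for (size_t i = 0; i < cnt; i++) *len = (*len << 8) | in[(*pos)++];
    }
    return (*len <= n - *pos) ? 0 : -1;
}
/* Free an array returned by decode_utf8_seq(). */
void free_strs(char **strs) {
    for (size_t i = 0; strs != NULL && strs[i] != NULL; i++) free(strs[i]);
    free(strs);
}
/* Returns the decoded array (empty array for an empty SEQUENCE), or NULL if the
 * input is not a well-formed SEQUENCE OF UTF8String filling the buffer exactly. */
char **decode_utf8_seq(const uint8_t *in, size_t n) {
    size_t pos = 0, body, len, count = 0;
    char **strs = calloc(1, sizeof(*strs)), **tmp;
    if (strs == NULL) return NULL;
    if (n < 2 || in[pos++] != 0x30 || get_len(in, n, &pos, &body) != 0 ||
        pos + body != n) goto fail;
    while (pos < n) {
        if (in[pos++] != 0x0C || get_len(in, n, &pos, &len) != 0) goto fail;
        if ((tmp = realloc(strs, (count + 2) * sizeof(*strs))) == NULL) goto fail;
        strs = tmp;
        if ((strs[count] = malloc(len + 1)) == NULL) goto fail;
        memcpy(strs[count], in + pos, len);
        strs[count][len] = '\0';
        strs[++count] = NULL;
        pos += len;
    }
    return strs;
fail:
    free_strs(strs);
    return NULL;
}
```

A constructed encoding of the two indicator names "otp" and "pkinit" is `30 0d 0c 03 6f 74 70 0c 06 70 6b 69 6e 69 74`; decoding it with one byte cut off, or with an item length that overruns the buffer, returns NULL instead of reading past the end.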
From: ghudson@mit.edu
Subject: git commit

Add constants for CAMMAC and auth-indicator

https://github.com/krb5/krb5/commit/4df561263da85d4683864e24de74df3bee18593e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4df561263da85d4683864e24de74df3bee18593e
Branch: master
src/include/krb5/krb5.hin | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Filter CAMMAC authdata from non-KDC sources

Also filter auth-indicator authdata values which aren't wrapped in
CAMMACs, although we don't normally expect to see those.

https://github.com/krb5/krb5/commit/a19109fffc70cabcabab00d00bf65ea85fd33e1a
Author: Greg Hudson <ghudson@mit.edu>
Commit: a19109fffc70cabcabab00d00bf65ea85fd33e1a
Branch: master
src/kdc/kdc_authdata.c | 2 ++
src/lib/krb5/krb/authdata_dec.c | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add KDC CAMMAC and auth indicator functions

Add KDC utility functions to manipulate CAMMACs and authentication
indicators, to be used in later commits.

https://github.com/krb5/krb5/commit/5b39ea2b4ed54f4f208246b3cb725e7b1113d047
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5b39ea2b4ed54f4f208246b3cb725e7b1113d047
Branch: master
src/kdc/Makefile.in | 4 +
src/kdc/authind.c | 123 ++++++++++++++++++++++++++++++++
src/kdc/cammac.c | 194 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 25 +++++++
4 files changed, 346 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add kdcpreauth callback for auth indicators

Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string. This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.

https://github.com/krb5/krb5/commit/dd95e18f5cfa426db0f265172202debd257f3cdb
Author: Greg Hudson <ghudson@mit.edu>
Commit: dd95e18f5cfa426db0f265172202debd257f3cdb
Branch: master
src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
src/kdc/do_as_req.c | 3 +++
src/kdc/kdc_preauth.c | 10 +++++++++-
src/kdc/kdc_util.h | 1 +
4 files changed, 19 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add authentication indicators in AS-REQs

Add an auth_indicators parameter to handle_authdata(). In
finish_process_as_req(), supply the auth indicators asserted by
preauth modules. In handle_authdata(), wrap any supplied auth
indicators in CAMMAC and IF-RELEVANT containers and include them in
the ticket.

https://github.com/krb5/krb5/commit/7601a1c9e103b148d94974bb2ba0c85969055c65
Author: Greg Hudson <ghudson@mit.edu>
Commit: 7601a1c9e103b148d94974bb2ba0c85969055c65
Branch: master
src/kdc/do_as_req.c | 1 +
src/kdc/do_tgs_req.c | 1 +
src/kdc/kdc_authdata.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 1 +
4 files changed, 53 insertions(+), 0 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Propagate auth indicators in TGS requests

For normal and S4U2Proxy TGS requests (but not S4U2Self requests),
extract indicators from the subject ticket and include them in the
issued ticket.

https://github.com/krb5/krb5/commit/97973cf89cdc18a80c2bf5450caa1548c5be0b7b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 97973cf89cdc18a80c2bf5450caa1548c5be0b7b
Branch: master
src/kdc/do_tgs_req.c | 15 ++++++++++++++-
src/kdc/kdc_authdata.c | 42 ++++++++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 4 ++++
3 files changed, 60 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Enforce auth indicator restrictions in KDC

If the string attribute "require_auth" is set on the server
principal of an AS or TGS request, deny the request unless one of the
named indicators was asserted for the client's initial
authentication.

https://github.com/krb5/krb5/commit/24dc279b9b14fe8d6674fdd2a9210c1e1fb52e37
Author: Greg Hudson <ghudson@mit.edu>
Commit: 24dc279b9b14fe8d6674fdd2a9210c1e1fb52e37
Branch: master
src/include/kdb.h | 1 +
src/kdc/do_as_req.c | 7 +++++++
src/kdc/do_tgs_req.c | 6 ++++++
src/kdc/kdc_util.c | 36 ++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 4 ++++
5 files changed, 54 insertions(+), 0 deletions(-)
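The enforcement rule this commit describes, written out as an added example rather than the KDC's own kdc_util.c code. It assumes the "require_auth" attribute value is a space-separated list of indicator names and that the asserted indicators are available as a NULL-terminated string array; a principal with no attribute is unrestricted, and a restricted principal denies unless some name matches as a whole token:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the KDC's own code.  Assumes "require_auth" holds a
 * space-separated list of indicator names and that asserted is a
 * NULL-terminated array of the indicators recorded for the client's initial
 * authentication.  Returns true if the request should be allowed. */
bool auth_indicators_allow(const char *require_auth, const char *const *asserted) {
    if (require_auth == NULL || *require_auth == '\0')
        return true;                      /* no restriction on this principal */
    const char *p = require_auth;
    while (*p != '\0') {
        while (*p == ' ') p++;            /* tolerate extra spacing */
        if (*p == '\0') break;
        const char *end = strchr(p, ' ');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        for (size_t i = 0; asserted != NULL && asserted[i] != NULL; i++) {
            /* whole-token comparison: "pkinit" must not satisfy "pkinit-hw" */
            if (strlen(asserted[i]) == len && memcmp(asserted[i], p, len) == 0)
                return true;
        }
        p += len;
    }
    return false;                         /* restricted and nothing matched: deny */
}
```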
From: ghudson@mit.edu
Subject: git commit

Test auth indicator functionality

Modify adata.c to handle CAMMAC containers and display auth
indicators. Modify the test preauth module to transmit a list of
indicators (specified by a gic opt) from the clpreauth module to the
kdcpreauth module and assert them to the KDC. Add a new s4u2proxy
test harness in src/tests which can be used to exercise S4U2Proxy
without going through GSSAPI, using a second ccache containing an
existing evidence ticket.

Add tests to t_authdata.py to exercise a variety of ticket issuing
scenarios and verify that the correct auth indicators appear in each
ticket.

https://github.com/krb5/krb5/commit/e64140aba967e3d8a785d4f83b1477ed0bdc85bd
Author: Greg Hudson <ghudson@mit.edu>
Commit: e64140aba967e3d8a785d4f83b1477ed0bdc85bd
Branch: master
.gitignore | 1 +
src/plugins/preauth/test/cltest.c | 66 +++++++++++++++++--
src/plugins/preauth/test/kdctest.c | 29 +++++++--
src/tests/Makefile.in | 11 ++-
src/tests/adata.c | 60 ++++++++++++++++--
src/tests/s4u2proxy.c | 110 +++++++++++++++++++++++++++++++
src/tests/t_authdata.py | 125 ++++++++++++++++++++++++++++++++++++
7 files changed, 381 insertions(+), 21 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add indicator support to OTP

Read an "indicator" profile variable for OTP token types and assert
its values as indicators when that token type is used to authenticate.
Add a test case in t_otp.py for this feature.

https://github.com/krb5/krb5/commit/e6e6e54e89bc9644144436c3f267796ed790f70c
Author: Greg Hudson <ghudson@mit.edu>
Commit: e6e6e54e89bc9644144436c3f267796ed790f70c
Branch: master
src/plugins/preauth/otp/main.c | 13 ++++++++++++-
src/plugins/preauth/otp/otp_state.c | 29 ++++++++++++++++++++++++-----
src/plugins/preauth/otp/otp_state.h | 3 ++-
src/tests/t_otp.py | 7 ++++++-
4 files changed, 44 insertions(+), 8 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Add indicator support to PKINIT

Read a "pkinit_indicator" profile variable for PKINIT realm
configuration and assert its values as indicators when PKINIT is used
to authenticate. Add a test case in t_pkinit.py for this feature.

https://github.com/krb5/krb5/commit/8ca82f0e3059cd8805f4dda388a8aa1d67c80920
Author: Greg Hudson <ghudson@mit.edu>
Commit: 8ca82f0e3059cd8805f4dda388a8aa1d67c80920
Branch: master
src/plugins/preauth/pkinit/pkinit.h | 2 ++
src/plugins/preauth/pkinit/pkinit_srv.c | 18 ++++++++++++++++++
src/tests/t_pkinit.py | 9 ++++++++-
3 files changed, 28 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Document authentication indicators

Add a new file auth_indicator.rst to the admin guide. Also document
the pkinit_indicator and OTP indicator profile variables, the
require_auth string attribute, and the add_auth_indicator kdcpreauth
callback. Add references to the new public constants in
appdev/refs/macros/index.rst.

https://github.com/krb5/krb5/commit/491b012b49ce687ffd4a26f5d0f6114d8411d04d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 491b012b49ce687ffd4a26f5d0f6114d8411d04d
Branch: master
doc/admin/admin_commands/kadmin_local.rst | 6 +++
doc/admin/auth_indicator.rst | 52 +++++++++++++++++++++++++++++
doc/admin/conf_files/kdc_conf.rst | 10 +++++
doc/admin/index.rst | 1 +
doc/appdev/refs/macros/index.rst | 3 ++
doc/plugindev/kdcpreauth.rst | 5 ++-
6 files changed, 76 insertions(+), 1 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Support OTP auth indicators in string attribute

To better support integration with FreeIPA, allow authentication
indicators to be specified in the "otp" string attribute, overriding
any indicators in the token type.

https://github.com/krb5/krb5/commit/bd6a449f6591f75d0db6dbf3fb702268b92d7eb8
Author: Greg Hudson <ghudson@mit.edu>
Commit: bd6a449f6591f75d0db6dbf3fb702268b92d7eb8
Branch: master
doc/admin/auth_indicator.rst | 3 +-
doc/admin/otp.rst | 13 +++++-
src/plugins/preauth/otp/otp_state.c | 73 +++++++++++++++++++++++++++++++++--
src/tests/t_otp.py | 26 ++++++++++--
4 files changed, 103 insertions(+), 12 deletions(-)