diff options
author | Hans Insulander <hin@cvs.openbsd.org> | 2001-06-22 21:17:30 +0000 |
---|---|---|
committer | Hans Insulander <hin@cvs.openbsd.org> | 2001-06-22 21:17:30 +0000 |
commit | f308dc91979036b1d3abdba87a42a94d39246374 (patch) | |
tree | 68992ac682cfaf8fdccd08805b804ed261b37859 | |
parent | 6b96aa9137652188a7e2cab902c921b3efb4bbbe (diff) |
Import of heimdal-0.3f
Lots of changes, highlights include:
* change default keytab to ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab,
the new keytab type that tries both of these in order (SRVTAB is
also an alias for krb4:)
* improve error reporting and error handling (error messages should
be more detailed and more useful)
* the API is closer to what MIT krb5 is using
* more compatible with windows 2000
* removed some memory leaks
* bug fixes
-rw-r--r-- | kerberosV/src/doc/ack.texi | 4 | ||||
-rw-r--r-- | kerberosV/src/doc/heimdal.info | 430 | ||||
-rw-r--r-- | kerberosV/src/doc/kerberos4.texi | 4 | ||||
-rw-r--r-- | kerberosV/src/doc/migration.texi | 4 | ||||
-rw-r--r-- | kerberosV/src/doc/misc.texi | 8 | ||||
-rw-r--r-- | kerberosV/src/doc/win2k.texi | 4 |
6 files changed, 366 insertions, 88 deletions
diff --git a/kerberosV/src/doc/ack.texi b/kerberosV/src/doc/ack.texi index a5f90c1656f..61b6bb5f9b8 100644 --- a/kerberosV/src/doc/ack.texi +++ b/kerberosV/src/doc/ack.texi @@ -1,6 +1,6 @@ -@c $KTH: ack.texi,v 1.13 2001/01/30 01:57:31 assar Exp $ +@c $KTH: ack.texi,v 1.14 2001/02/24 05:09:23 assar Exp $ -@node Acknowledgments, , Windows 2000 compatability, Top +@node Acknowledgments, , Migration, Top @comment node-name, next, previous, up @appendix Acknowledgments diff --git a/kerberosV/src/doc/heimdal.info b/kerberosV/src/doc/heimdal.info index 1058dc99dfd..2a4be24d75c 100644 --- a/kerberosV/src/doc/heimdal.info +++ b/kerberosV/src/doc/heimdal.info @@ -21,6 +21,7 @@ Heimdal * Things in search for a better place:: * Kerberos 4 issues:: * Windows 2000 compatability:: +* Programming with Kerberos:: * Migration:: * Acknowledgments:: @@ -808,8 +809,16 @@ A working solution would be to hook up a machine with a real operating system to the console of the Cisco and then use it as a backwards terminal server. +Making things work on Transarc AFS +================================== + +How to get a KeyFile +-------------------- + +`ktutil -k AFSKEYFILE:KeyFile get afs@MY.REALM' + -File: heimdal.info, Node: Kerberos 4 issues, Next: Migration, Prev: Things in search for a better place, Up: Top +File: heimdal.info, Node: Kerberos 4 issues, Next: Windows 2000 compatability, Prev: Things in search for a better place, Up: Top Kerberos 4 issues ***************** @@ -1042,53 +1051,7 @@ A program that does this is `krb-forward' (<ftp://ftp.stacken.kth.se/pub/projekts/krb-forward>). -File: heimdal.info, Node: Migration, Next: Windows 2000 compatability, Prev: Kerberos 4 issues, Up: Top - -Migration -********* - -General issues -============== - -When migrating from a Kerberos 4 KDC. - -Order in what to do things: -=========================== - - * Convert the database, check all principals that hprop complains - about. - - `hprop -n --source=<NNN>| hpropd -n' - - Replace <NNN> with whatever source you have, like krb4-db or - krb4-dump. - - * Run a Kerberos 5 slave for a while. - - * Figure out if it does everything you want it to. - - Make sure that all things that you use works for you. - - * Let a small number of controlled users use Kerberos 5 tools. - - Find a sample population of your users and check what programs - they use, you can also check the kdc-log to check what ticket are - checked out. - - * Burn the bridge and change the master. - - * Let all users use the Kerberos 5 tools by default. - - * Turn off services that do not need Kerberos 4 authentication. - - Things that might be hard to get away is old programs with support - for Kerberos 4. Example applications are old Eudora installations - using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in - the Heimdal kdc. - - - -File: heimdal.info, Node: Windows 2000 compatability, Next: Acknowledgments, Prev: Migration, Up: Top +File: heimdal.info, Node: Windows 2000 compatability, Next: Programming with Kerberos, Prev: Kerberos 4 issues, Up: Top Windows 2000 compatability ************************** @@ -1364,7 +1327,312 @@ Other useful programs include these: * pwdump2 <http://www.webspan.net/~tas/pwdump2/> -File: heimdal.info, Node: Acknowledgments, Prev: Windows 2000 compatability, Up: Top +File: heimdal.info, Node: Programming with Kerberos, Next: Migration, Prev: Windows 2000 compatability, Up: Top + +Programming with Kerberos +************************* + +First you need to know how the Kerberos model works, go read the +introduction text (*note What is Kerberos?::). + +* Menu: + +* Kerberos 5 API Overview:: +* Walkthru a sample Kerberos 5 client:: +* Validating a password in a server application:: + + +File: heimdal.info, Node: Kerberos 5 API Overview, Next: Walkthru a sample Kerberos 5 client, Prev: Programming with Kerberos, Up: Programming with Kerberos + +Kerberos 5 API Overview +======================= + +Most functions are documenteded in manual pages. This overview only +tries to point to where to look for a specific function. + +Kerberos context +---------------- + +A kerberos context (`krb5_context') holds all per thread state. All +global variables that are context specific are stored in this struture, +including default encryption types, credential-cache (ticket file), and +default realms. + +See the manual pages for `krb5_context(3)' and `krb5_init_context(3)'. + +Kerberos authenication context +------------------------------ + +Kerberos authentication context (`krb5_auth_context') holds all context +related to an authenticated connection, in a similar way to the +kerberos context that holds the context for the thread or process. + +The `krb5_auth_context' is used by various functions that are directly +related to authentication between the server/client. Example of data +that this structure contains are various flags, addresses of client and +server, port numbers, keyblocks (and subkeys), sequence numbers, replay +cache, and checksum types. + +See the manual page for `krb5_auth_context(3)'. + +Keytab managment +---------------- + +A keytab is a storage for locally stored keys. Heimdal includes keytab +support for Kerberos 5 keytabs, Kerberos 4 srvtab, AFS-KeyFile's, and +for storing keys in memory. + +See also manual page for `krb5_keytab(3)' + + +File: heimdal.info, Node: Walkthru a sample Kerberos 5 client, Next: Validating a password in a server application, Prev: Kerberos 5 API Overview, Up: Programming with Kerberos + +Walkthru a sample Kerberos 5 client +=================================== + +This example contains parts of a sample TCP Kerberos 5 clients, if you +want a real working client, please look in `appl/test' directory in the +Heimdal distribution. + +All Kerberos error-codes that are returned from kerberos functions in +this program are passed to `krb5_err', that will print a descriptive +text of the error code and exit. Graphical programs can convert +error-code to a humal readable error-string with the +`krb5_get_err_text(3)' function. + +Note that you should not use any Kerberos function before +`krb5_init_context()' have completed successfully. That is the reson +`err()' is used when `krb5_init_context()' fails. + +First the client needs to call `krb5_init_context' to initialize the +Kerberos 5 library. This is only needed once per thread in the program. +If the function returns a non-zero value it indicates that either the +Kerberos implemtation is failing or its disabled on this host. + + #include <krb5.h> + + int + main(int argc, char **argv) + { + krb5_context context; + + if (krb5_context(&context)) + errx (1, "krb5_context"); + +Now the client wants to connect to the host at the other end. The +preferred way of doing this is using `getaddrinfo(3)' (for operating +system that have this function implemented), since getaddrinfo is +neutral to the address type and can use any protocol that is available. + + struct addrinfo *ai, *a; + struct addrinfo hints; + int error; + + memset (&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_protocol = IPPROTO_TCP; + + error = getaddrinfo (hostname, "pop3", &hints, &ai); + if (error) + errx (1, "%s: %s", hostname, gai_strerror(error)); + + for (a = ai; a != NULL; a = a->ai_next) { + int s; + + s = socket (a->ai_family, a->ai_socktype, a->ai_protocol); + if (s < 0) + continue; + if (connect (s, a->ai_addr, a->ai_addrlen) < 0) { + warn ("connect(%s)", hostname); + close (s); + continue; + } + freeaddrinfo (ai); + ai = NULL; + } + if (ai) { + freeaddrinfo (ai); + errx ("failed to contact %s", hostname); + } + +Before authenticating, an authentication context needs to be created. +This context keeps all information for one (to be) authenticated +connection (see `krb5_auth_context(3)'). + + status = krb5_auth_con_init (context, &auth_context); + if (status) + krb5_err (context, 1, status, "krb5_auth_con_init"); + +For setting the address in the authentication there is a help function +`krb5_auth_con_setaddrs_from_fd' that does everthing that is needed +when given a connected file descriptor to the socket. + + status = krb5_auth_con_setaddrs_from_fd (context, + auth_context, + &sock); + if (status) + krb5_err (context, 1, status, + "krb5_auth_con_setaddrs_from_fd"); + +The next step is to build a server principal for the service we want to +connect to. (See also `krb5_sname_to_principal(3)'.) + + status = krb5_sname_to_principal (context, + hostname, + service, + KRB5_NT_SRV_HST, + &server); + if (status) + krb5_err (context, 1, status, "krb5_sname_to_principal"); + +The client principal is not passed to `krb5_sendauth(3)' function, this +causes the `krb5_sendauth' function to try to figure it out itself. + +The server program is using the function `krb5_recvauth(3)' to receive +the Kerberos 5 authenticator. + +In this case, mutual authenication will be tried. That means that the +server will authenticate to the client. Using mutual authenication is +good since it enables the user to verify that they are talking to the +right server (a server that knows the key). + +If you are using a non-blocking socket you will need to do all work of +`krb5_sendauth' yourself. Basically you need to send over the +authenticator from `krb5_mk_req(3)' and, in case of mutual +authentication, verifying the result from the server with +`krb5_rd_rep(3)'. + + status = krb5_sendauth (context, + &auth_context, + &sock, + VERSION, + NULL, + server, + AP_OPTS_MUTUAL_REQUIRED, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_sendauth"); + +Once authentication has been performed, it is time to send some data. +First we create a krb5_data structure, then we sign it with +`krb5_mk_safe(3)' using the `auth_context' that contains the +session-key that was exchanged in the +`krb5_sendauth(3)'/`krb5_recvauth(3)' authentication sequence. + + data.data = "hej"; + data.length = 3; + + krb5_data_zero (&packet); + + status = krb5_mk_safe (context, + auth_context, + &data, + &packet, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_mk_safe"); + +And send it over the network. + + len = packet.length; + net_len = htonl(len); + + if (krb5_net_write (context, &sock, &net_len, 4) != 4) + err (1, "krb5_net_write"); + if (krb5_net_write (context, &sock, packet.data, len) != len) + err (1, "krb5_net_write"); + +To send encrypted (and signed) data `krb5_mk_priv(3)' should be used +instead. `krb5_mk_priv(3)' works the same way as `krb5_mk_safe(3)', +with the exception that it encrypts the data in addition to signing it. + + data.data = "hemligt"; + data.length = 7; + + krb5_data_free (&packet); + + status = krb5_mk_priv (context, + auth_context, + &data, + &packet, + NULL); + if (status) + krb5_err (context, 1, status, "krb5_mk_priv"); + +And send it over the network. + + len = packet.length; + net_len = htonl(len); + + if (krb5_net_write (context, &sock, &net_len, 4) != 4) + err (1, "krb5_net_write"); + if (krb5_net_write (context, &sock, packet.data, len) != len) + err (1, "krb5_net_write"); + +The server is using `krb5_rd_safe(3)' and `krb5_rd_priv(3)' to verify +the signature and decrypt the packet. + + +File: heimdal.info, Node: Validating a password in a server application, Prev: Walkthru a sample Kerberos 5 client, Up: Programming with Kerberos + +Validating a password in an application +======================================= + +See the manual page for `krb5_verify_user(3)'. + + +File: heimdal.info, Node: Migration, Next: Acknowledgments, Prev: Programming with Kerberos, Up: Top + +Migration +********* + +General issues +============== + +When migrating from a Kerberos 4 KDC. + +Order in what to do things: +=========================== + + * Convert the database, check all principals that hprop complains + about. + + `hprop -n --source=<NNN>| hpropd -n' + + Replace <NNN> with whatever source you have, like krb4-db or + krb4-dump. + + * Run a Kerberos 5 slave for a while. + + * Figure out if it does everything you want it to. + + Make sure that all things that you use works for you. + + * Let a small number of controlled users use Kerberos 5 tools. + + Find a sample population of your users and check what programs + they use, you can also check the kdc-log to check what ticket are + checked out. + + * Burn the bridge and change the master. + + * Let all users use the Kerberos 5 tools by default. + + * Turn off services that do not need Kerberos 4 authentication. + + Things that might be hard to get away is old programs with support + for Kerberos 4. Example applications are old Eudora installations + using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in + the Heimdal kdc. + + + +File: heimdal.info, Node: Acknowledgments, Prev: Migration, Up: Top Acknowledgments *************** @@ -1447,35 +1715,39 @@ All bugs were introduced by ourselves. Tag Table: Node: Top210 -Node: Introduction535 -Node: What is Kerberos?3177 -Node: Building and Installing8251 -Node: Setting up a realm11985 -Node: Configuration file12646 -Node: Creating the database15336 -Node: keytabs17839 -Node: Remote administration18673 -Node: Password changing20427 -Node: Testing clients and servers22234 -Node: Slave Servers22554 -Node: Incremental propagation24186 -Node: Salting26714 -Node: Things in search for a better place28103 -Node: Kerberos 4 issues30825 -Node: Principal conversion issues31327 -Ref: Principal conversion issues-Footnote-133550 -Ref: Principal conversion issues-Footnote-233618 -Node: Converting a version 4 database33671 -Node: kaserver38671 -Node: Migration40409 -Node: Windows 2000 compatability41666 -Node: Configuring Windows 2000 to use a Heimdal KDC42834 -Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC44586 -Node: Create account mappings47066 -Node: Encryption types47656 -Node: Authorization data48397 -Node: Quirks of Windows 2000 KDC49541 -Node: Useful links when reading about the Windows 200050782 -Node: Acknowledgments52610 +Node: Introduction565 +Node: What is Kerberos?3207 +Node: Building and Installing8281 +Node: Setting up a realm12015 +Node: Configuration file12676 +Node: Creating the database15366 +Node: keytabs17869 +Node: Remote administration18703 +Node: Password changing20457 +Node: Testing clients and servers22264 +Node: Slave Servers22584 +Node: Incremental propagation24216 +Node: Salting26744 +Node: Things in search for a better place28133 +Node: Kerberos 4 issues31018 +Node: Principal conversion issues31537 +Ref: Principal conversion issues-Footnote-133760 +Ref: Principal conversion issues-Footnote-233828 +Node: Converting a version 4 database33881 +Node: kaserver38881 +Node: Windows 2000 compatability40619 +Node: Configuring Windows 2000 to use a Heimdal KDC41805 +Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC43557 +Node: Create account mappings46037 +Node: Encryption types46627 +Node: Authorization data47368 +Node: Quirks of Windows 2000 KDC48512 +Node: Useful links when reading about the Windows 200049753 +Node: Programming with Kerberos51581 +Node: Kerberos 5 API Overview51994 +Node: Walkthru a sample Kerberos 5 client53546 +Node: Validating a password in a server application61362 +Node: Migration61643 +Node: Acknowledgments62897 End Tag Table diff --git a/kerberosV/src/doc/kerberos4.texi b/kerberosV/src/doc/kerberos4.texi index 6fd3bd0f111..09a587b7923 100644 --- a/kerberosV/src/doc/kerberos4.texi +++ b/kerberosV/src/doc/kerberos4.texi @@ -1,6 +1,6 @@ -@c $KTH: kerberos4.texi,v 1.12 2001/01/30 17:07:03 assar Exp $ +@c $KTH: kerberos4.texi,v 1.13 2001/02/24 05:09:24 assar Exp $ -@node Kerberos 4 issues, Migration, Things in search for a better place, Top +@node Kerberos 4 issues, Windows 2000 compatability, Things in search for a better place, Top @comment node-name, next, previous, up @chapter Kerberos 4 issues diff --git a/kerberosV/src/doc/migration.texi b/kerberosV/src/doc/migration.texi index cd58f35a615..e4ed01eac3c 100644 --- a/kerberosV/src/doc/migration.texi +++ b/kerberosV/src/doc/migration.texi @@ -1,6 +1,6 @@ -@c $KTH: migration.texi,v 1.2 2001/01/28 22:03:36 assar Exp $ +@c $KTH: migration.texi,v 1.3 2001/02/24 05:09:24 assar Exp $ -@node Migration, Windows 2000 compatability, Kerberos 4 issues, Top +@node Migration, Acknowledgments, Programming with Kerberos, Top @chapter Migration @section General issues diff --git a/kerberosV/src/doc/misc.texi b/kerberosV/src/doc/misc.texi index e130cd89103..e772c4e9855 100644 --- a/kerberosV/src/doc/misc.texi +++ b/kerberosV/src/doc/misc.texi @@ -1,4 +1,4 @@ -@c $KTH: misc.texi,v 1.5 2001/01/28 22:11:23 assar Exp $ +@c $KTH: misc.texi,v 1.6 2001/02/24 05:09:24 assar Exp $ @node Things in search for a better place, Kerberos 4 issues, Setting up a realm, Top @chapter Things in search for a better place @@ -56,3 +56,9 @@ protocol. A working solution would be to hook up a machine with a real operating system to the console of the Cisco and then use it as a backwards terminal server. + +@section Making things work on Transarc AFS + +@subsection How to get a KeyFile + +@file{ktutil -k AFSKEYFILE:KeyFile get afs@@MY.REALM} diff --git a/kerberosV/src/doc/win2k.texi b/kerberosV/src/doc/win2k.texi index 803259dd67c..e1325c6c1d0 100644 --- a/kerberosV/src/doc/win2k.texi +++ b/kerberosV/src/doc/win2k.texi @@ -1,6 +1,6 @@ -@c $KTH: win2k.texi,v 1.12 2001/01/28 22:10:35 assar Exp $ +@c $KTH: win2k.texi,v 1.13 2001/02/24 05:09:24 assar Exp $ -@node Windows 2000 compatability, Acknowledgments, Migration, Top +@node Windows 2000 compatability, Programming with Kerberos, Kerberos 4 issues, Top @comment node-name, next, previous, up @chapter Windows 2000 compatability |