Refresh manually acquired creds from client keytab
This commit is contained in:
Robbie Harwood
parent
812c07a94f
commit
f6c62d5e63
78
Refresh-manually-acquired-creds-from-client-keytab.patch
Normal file
78
Refresh-manually-acquired-creds-from-client-keytab.patch
Normal file
@ -0,0 +1,78 @@
|
||||
From e67aca9a77d78efa798237b43e177caf9e79f64a Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Wed, 26 Feb 2020 18:27:17 -0500
|
||||
Subject: [PATCH] Refresh manually acquired creds from client keytab
|
||||
|
||||
If a client keytab is present but credentials are acquired manually,
|
||||
the credentials would not be refreshed because no refresh_time config
|
||||
var is set in the cache. Change kg_cred_time_to_refresh() to attempt
|
||||
a refresh from the client keytab on any credentials which will expire
|
||||
in the next 30 seconds.
|
||||
|
||||
[ghudson@mit.edu: adjused code and added test case]
|
||||
|
||||
ticket: 7976
|
||||
(cherry picked from commit 729896467e3c77904666019d6cbbda583ae49b95)
|
||||
---
|
||||
src/lib/gssapi/krb5/acquire_cred.c | 14 +++++++++++---
|
||||
src/tests/gssapi/t_client_keytab.py | 18 ++++++++++++++++++
|
||||
2 files changed, 29 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
index acc1868f8..4062f4741 100644
|
||||
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
||||
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
||||
@@ -557,15 +557,23 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
|
||||
krb5_boolean
|
||||
kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
|
||||
{
|
||||
- krb5_timestamp now;
|
||||
+ krb5_timestamp now, soon;
|
||||
|
||||
if (krb5_timeofday(context, &now))
|
||||
return FALSE;
|
||||
+ soon = ts_incr(now, 30);
|
||||
if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
|
||||
- set_refresh_time(context, cred->ccache,
|
||||
- ts_incr(cred->refresh_time, 30));
|
||||
+ set_refresh_time(context, cred->ccache, soon);
|
||||
return TRUE;
|
||||
}
|
||||
+
|
||||
+ /* If the creds will expire soon, try to refresh even if they weren't
|
||||
+ * acquired with a client keytab. */
|
||||
+ if (ts_after(soon, cred->expire)) {
|
||||
+ set_refresh_time(context, cred->ccache, soon);
|
||||
+ return TRUE;
|
||||
+ }
|
||||
+
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
|
||||
index e474a27c7..7847b3ecd 100755
|
||||
--- a/src/tests/gssapi/t_client_keytab.py
|
||||
+++ b/src/tests/gssapi/t_client_keytab.py
|
||||
@@ -124,4 +124,22 @@ realm.kinit(realm.user_princ, password('user'))
|
||||
realm.run(['./t_ccselect', phost], env=bad_cktname,
|
||||
expected_msg=realm.user_princ)
|
||||
|
||||
+mark('refresh of manually acquired creds')
|
||||
+
|
||||
+# Test 17: no name/ccache specified, manually acquired creds which
|
||||
+# will expire soon. Verify that creds are refreshed using the current
|
||||
+# client name, with refresh_time set in the refreshed ccache.
|
||||
+realm.kinit('bob', password('bob'), ['-l', '15s'])
|
||||
+realm.run(['./t_ccselect', phost], expected_msg='bob')
|
||||
+realm.run([klist, '-C'], expected_msg='refresh_time = ')
|
||||
+
|
||||
+# Test 18: no name/ccache specified, manually acquired creds with a
|
||||
+# client principal not present in the client keytab. A refresh is
|
||||
+# attempted but fails, and an expired ticket error results.
|
||||
+realm.kinit(realm.admin_princ, password('admin'), ['-l', '-1s'])
|
||||
+msgs = ('Getting initial credentials for user/admin@KRBTEST.COM',
|
||||
+ '/Matching credential not found')
|
||||
+realm.run(['./t_ccselect', phost], expected_code=1,
|
||||
+ expected_msg='Ticket expired', expected_trace=msgs)
|
||||
+
|
||||
success('Client keytab tests')
|
||||
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.18
|
||||
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
|
||||
# rharwood has trust path to signing key and verifies on check-in
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
|
||||
@ -53,6 +53,7 @@ Patch7: downstream-FIPS-with-PRNG-and-RADIUS-and-MD4.patch
|
||||
Patch8: Fix-AS-REQ-checking-of-KDB-modified-indicators.patch
|
||||
Patch9: Allow-certauth-modules-to-set-hw-authent-flag.patch
|
||||
Patch10: Allow-deletion-of-require_auth-with-LDAP-KDB.patch
|
||||
Patch11: Refresh-manually-acquired-creds-from-client-keytab.patch
|
||||
|
||||
License: MIT
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
@ -626,6 +627,9 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Tue Mar 03 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-5
|
||||
- Refresh manually acquired creds from client keytab
|
||||
|
||||
* Fri Feb 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18-4
|
||||
- Allow deletion of require_auth with LDAP KDB
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user