diff options
Diffstat (limited to 'doc/pdf')
| -rw-r--r-- | doc/pdf/admin.pdf | bin | 742854 -> 748562 bytes | |||
| -rw-r--r-- | doc/pdf/admin.tex | 163 | ||||
| -rw-r--r-- | doc/pdf/appdev.pdf | bin | 1445440 -> 1452407 bytes | |||
| -rw-r--r-- | doc/pdf/appdev.tex | 98 | ||||
| -rw-r--r-- | doc/pdf/basic.pdf | bin | 138064 -> 138061 bytes | |||
| -rw-r--r-- | doc/pdf/basic.tex | 4 | ||||
| -rw-r--r-- | doc/pdf/build.pdf | bin | 153561 -> 153476 bytes | |||
| -rw-r--r-- | doc/pdf/build.tex | 6 | ||||
| -rw-r--r-- | doc/pdf/plugindev.pdf | bin | 140040 -> 145446 bytes | |||
| -rw-r--r-- | doc/pdf/plugindev.tex | 85 | ||||
| -rw-r--r-- | doc/pdf/user.pdf | bin | 200228 -> 200216 bytes | |||
| -rw-r--r-- | doc/pdf/user.tex | 2 |
12 files changed, 308 insertions, 50 deletions
diff --git a/doc/pdf/admin.pdf b/doc/pdf/admin.pdf Binary files differindex 5e55aece3f2b..7811bec8d037 100644 --- a/doc/pdf/admin.pdf +++ b/doc/pdf/admin.pdf diff --git a/doc/pdf/admin.tex b/doc/pdf/admin.tex index 1cf190826169..62ce0e0358b8 100644 --- a/doc/pdf/admin.tex +++ b/doc/pdf/admin.tex @@ -15,7 +15,7 @@ \title{Kerberos Administration Guide} \date{ } -\release{1.15.1} +\release{1.16} \author{MIT} \newcommand{\sphinxlogo}{} \renewcommand{\releasename}{Release} @@ -939,9 +939,10 @@ includedir DIRNAME directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ''.conf'' are also included. Included -profile files are syntactically independent of their parents, so each -included file must begin with a section header. +1.15, files with names ending in ''.conf'' are also included, unless the +name begins with ''.''. Included profile files are syntactically +independent of their parents, so each included file must begin with a +section header. The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the @@ -1075,7 +1076,7 @@ the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the accepted values for this tag. -The default value is \code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types +The default value is \code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly removed from this list if the value of \textbf{allow\_weak\_crypto} is false. @@ -1089,7 +1090,7 @@ Identifies the supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for default\_tgs\_enctypes. The default value for this tag is -\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly +\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly removed from this list if the value of \textbf{allow\_weak\_crypto} is false. @@ -1171,7 +1172,7 @@ For security reasons, .k5login files must be owned by the local user or by root. \item[{\textbf{kcm\_mach\_service}}] \leavevmode -On OS X only, determines the name of the bootstrap service used to +On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is \code{-}, Mach RPC will not be used to contact the KCM daemon. The default value is \code{org.h5l.kcm}. @@ -1263,7 +1264,7 @@ used across NATs. The default value is true. \item[{\textbf{permitted\_enctypes}}] \leavevmode Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is -\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly +\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly removed from this list if the value of \textbf{allow\_weak\_crypto} is false. @@ -1699,6 +1700,10 @@ client principal Uses the service realm to guess an appropriate cache from the collection +\item[{\textbf{hostname}}] \leavevmode +If the service principal is host-based, uses the service hostname +to guess an appropriate cache from the collection + \end{description} @@ -1731,6 +1736,26 @@ principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. + + +\subparagraph{kadm5\_auth interface} +\label{admin/conf_files/krb5_conf:kadm5-auth-interface}\label{admin/conf_files/krb5_conf:kadm5-auth} +The kadm5\_auth section (introduced in release 1.16) controls modules +for the kadmin authorization interface, which determines whether a +client principal is allowed to perform a kadmin operation. The +following built-in modules exist for this interface: +\begin{description} +\item[{\textbf{acl}}] \leavevmode +This module reads the {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} file, and authorizes +operations which are allowed according to the rules in the file. + +\item[{\textbf{self}}] \leavevmode +This module authorizes self-service operations including password +changes, creation of new random keys, fetching the client's +principal record or string attributes, and fetching the policy +record associated with the client principal. + +\end{description} \phantomsection\label{admin/conf_files/krb5_conf:clpreauth} \subparagraph{clpreauth and kdcpreauth interfaces} @@ -1812,6 +1837,32 @@ principal name maps to the local account name. \end{description} +\subparagraph{certauth interface} +\label{admin/conf_files/krb5_conf:certauth}\label{admin/conf_files/krb5_conf:certauth-interface} +The certauth section (introduced in release 1.16) controls modules for +the certificate authorization interface, which determines whether a +certificate is allowed to preauthenticate a user via PKINIT. The +following built-in modules exist for this interface: +\begin{description} +\item[{\textbf{pkinit\_san}}] \leavevmode +This module authorizes the certificate if it contains a PKINIT +Subject Alternative Name for the requested client principal, or a +Microsoft UPN SAN matching the principal if \textbf{pkinit\_allow\_upn} +is set to true for the realm. + +\item[{\textbf{pkinit\_eku}}] \leavevmode +This module rejects the certificate if it does not contain an +Extended Key Usage attribute consistent with the +\textbf{pkinit\_eku\_checking} value for the realm. + +\item[{\textbf{dbmatch}}] \leavevmode +This module authorizes or rejects the certificate according to +whether it matches the \textbf{pkinit\_cert\_match} string attribute on +the client principal, if that attribute is present. + +\end{description} + + \subsubsection{PKINIT options} \label{admin/conf_files/krb5_conf:pkinit-options} \begin{notice}{note}{Note:} @@ -2345,9 +2396,10 @@ The following tags may be specified in a {[}realms{]} subsection: \item[{\textbf{acl\_file}}] \leavevmode (String.) Location of the access control list file that {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} uses to determine which principals are allowed -which permissions on the Kerberos database. The default value is -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. For more information on Kerberos ACL -file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. +which permissions on the Kerberos database. To operate without an +ACL file, set this relation to the empty string with \code{acl\_file = +""}. The default value is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. For more +information on Kerberos ACL file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. \item[{\textbf{database\_module}}] \leavevmode (String.) This relation indicates the name of the configuration @@ -2459,6 +2511,11 @@ per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. +\item[{\textbf{encrypted\_challenge\_indicator}}] \leavevmode +(String.) Specifies the authentication indicator value that the KDC +asserts into tickets obtained using FAST encrypted challenge +pre-authentication. New in 1.16. + \item[{\textbf{host\_based\_services}}] \leavevmode (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is @@ -3073,9 +3130,6 @@ Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) -\item[{\textbf{pkinit\_kdc\_ocsp}}] \leavevmode -Specifies the location of the KDC's OCSP. - \item[{\textbf{pkinit\_pool}}] \leavevmode Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's @@ -3203,7 +3257,7 @@ The triple DES family: des3-cbc-sha1 \hline aes & -The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 +The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 \\ \hline rc4 @@ -3523,16 +3577,17 @@ joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU \PYGZsh{} line 3 sms@ATHENA.MIT.EDU x * \PYGZhy{}maxlife 9h \PYGZhy{}postdateable \PYGZsh{} line 6 \end{Verbatim} -(line 1) Any principal in the \code{ATHENA.MIT.EDU} realm with -an \code{admin} instance has all administrative privileges. +(line 1) Any principal in the \code{ATHENA.MIT.EDU} realm with an +\code{admin} instance has all administrative privileges except extracting +keys. -(lines 1-3) The user \code{joeadmin} has all permissions with his -\code{admin} instance, \code{joeadmin/admin@ATHENA.MIT.EDU} (matches line -1). He has no permissions at all with his null instance, -\code{joeadmin@ATHENA.MIT.EDU} (matches line 2). His \code{root} and other -non-\code{admin}, non-null instances (e.g., \code{extra} or \code{dbadmin}) have -inquire permissions with any principal that has the instance \code{root} -(matches line 3). +(lines 1-3) The user \code{joeadmin} has all permissions except +extracting keys with his \code{admin} instance, +\code{joeadmin/admin@ATHENA.MIT.EDU} (matches line 1). He has no +permissions at all with his null instance, \code{joeadmin@ATHENA.MIT.EDU} +(matches line 2). His \code{root} and other non-\code{admin}, non-null +instances (e.g., \code{extra} or \code{dbadmin}) have inquire permissions +with any principal that has the instance \code{root} (matches line 3). (line 4) Any \code{root} principal in \code{ATHENA.MIT.EDU} can inquire or change the password of their null instance, but not any other @@ -3546,9 +3601,22 @@ permission can only be granted globally, not to specific target principals. (line 6) Finally, the Service Management System principal -\code{sms@ATHENA.MIT.EDU} has all permissions, but any principal that it -creates or modifies will not be able to get postdateable tickets or -tickets with a life of longer than 9 hours. +\code{sms@ATHENA.MIT.EDU} has all permissions except extracting keys, but +any principal that it creates or modifies will not be able to get +postdateable tickets or tickets with a life of longer than 9 hours. + + +\subsubsection{MODULE BEHAVIOR} +\label{admin/conf_files/kadm5_acl:module-behavior} +The ACL file can coexist with other authorization modules in release +1.16 and later, as configured in the {\hyperref[admin/conf_files/krb5_conf:kadm5-auth]{\emph{kadm5\_auth interface}}} section of +{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. The ACL file will positively authorize +operations according to the rules above, but will never +authoritatively deny an operation, so other modules can authorize +operations in addition to those authorized by the ACL file. + +To operate without an ACL file, set the \emph{acl\_file} variable in +{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} to the empty string with \code{acl\_file = ""}. \subsubsection{SEE ALSO} @@ -3787,7 +3855,7 @@ convey more information about a realm's KDCs with a single query. The client performs a query for the following URI records: \begin{itemize} \item {} -\code{\_kerberos.REALM} for fiding KDCs. +\code{\_kerberos.REALM} for finding KDCs. \item {} \code{\_kerberos-adm.REALM} for finding kadmin services. @@ -7002,6 +7070,29 @@ time as follows: kadmin \PYGZhy{}q \PYGZsq{}add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME\PYGZsq{} \end{Verbatim} +By default, the KDC requires PKINIT client certificates to have the +standard Extended Key Usage and Subject Alternative Name attributes +for PKINIT. Starting in release 1.16, it is possible to authorize +client certificates based on the subject or other criteria instead of +the standard PKINIT Subject Alternative Name, by setting the +\textbf{pkinit\_cert\_match} string attribute on each client principal entry. +For example: + +\begin{Verbatim}[commandchars=\\\{\}] +kadmin set\PYGZus{}string user@REALM pkinit\PYGZus{}cert\PYGZus{}match \PYGZdq{}\PYGZlt{}SUBJECT\PYGZgt{}CN=user@REALM\PYGZdl{}\PYGZdq{} +\end{Verbatim} + +The \textbf{pkinit\_cert\_match} string attribute follows the syntax used by +the {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} \textbf{pkinit\_cert\_match} relation. To allow the +use of non-PKINIT client certificates, it will also be necessary to +disable key usage checking using the \textbf{pkinit\_eku\_checking} relation; +for example: + +\begin{Verbatim}[commandchars=\\\{\}] +[kdcdefaults] + pkinit\PYGZus{}eku\PYGZus{}checking = none +\end{Verbatim} + \section{Configuring the clients} \label{admin/pkinit:configuring-the-clients} @@ -8328,6 +8419,13 @@ Enables One Time Passwords (OTP) preauthentication for a client \emph{principal}. The \emph{value} is a JSON string representing an array of objects, each having optional \code{type} and \code{username} fields. +\item[{\textbf{pkinit\_cert\_match}}] \leavevmode +Specifies a matching expression that defines the certificate +attributes required for the client certificate used by the +principal during PKINIT authentication. The matching expression +is in the same format as those used by the \textbf{pkinit\_cert\_match} +option in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. (New in release 1.16.) + \end{description} This command requires the \textbf{modify} privilege. @@ -9992,6 +10090,7 @@ Specifies the location of the keytab file. {[}\textbf{-F} \emph{principal\_database}{]} {[}\textbf{-p} \emph{kdb5\_util\_prog}{]} {[}\textbf{-P} \emph{port}{]} +{[}\textbf{--pid-file}=\emph{pid\_file}{]} {[}\textbf{-d}{]} {[}\textbf{-t}{]} @@ -10081,6 +10180,10 @@ is only useful in combination with the \textbf{-S} option. Allows the user to specify the path to the kpropd.acl file; by default the path used is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kpropd.acl}. +\item[{\textbf{--pid-file}=\emph{pid\_file}}] \leavevmode +In standalone mode, write the process ID of the daemon into +\emph{pid\_file}. + \end{description} @@ -10299,7 +10402,7 @@ Alias: \textbf{delent} \label{admin/admin_commands/ktutil:add-entry}\begin{quote} \textbf{add\_entry} \{\textbf{-key}\textbar{}\textbf{-password}\} \textbf{-p} \emph{principal} -\textbf{-k} \emph{kvno} \textbf{-e} \emph{enctype} +\textbf{-k} \emph{kvno} \textbf{-e} \emph{enctype} {[}\textbf{-s} \emph{salt}{]} \end{quote} Add \emph{principal} to keylist using key or password. @@ -10623,7 +10726,7 @@ Default {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{keysalt list}} \hline Permitted enctypes & -\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4} +\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4} & \\ \hline KDC default port diff --git a/doc/pdf/appdev.pdf b/doc/pdf/appdev.pdf Binary files differindex 58b6eab4334c..75ddae5f75e7 100644 --- a/doc/pdf/appdev.pdf +++ b/doc/pdf/appdev.pdf diff --git a/doc/pdf/appdev.tex b/doc/pdf/appdev.tex index 947b8106d84e..9d49457ffce0 100644 --- a/doc/pdf/appdev.tex +++ b/doc/pdf/appdev.tex @@ -15,7 +15,7 @@ \title{Kerberos Application Developer Guide} \date{ } -\release{1.15.1} +\release{1.16} \author{MIT} \newcommand{\sphinxlogo}{} \renewcommand{\releasename}{Release} @@ -443,6 +443,27 @@ issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service. +If an application needs to find out whether a credential it holds is a +proxy credential and the name of the intermediate service, it can +query the credential with the \textbf{GSS\_KRB5\_GET\_CRED\_IMPERSONATOR} OID +(new in release 1.16, declared in \code{\textless{}gssapi/gssapi\_krb5.h\textgreater{}}) using +the gss\_inquire\_cred\_by\_oid extension (declared in +\code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}): + +\begin{Verbatim}[commandchars=\\\{\}] +OM\PYGZus{}uint32 gss\PYGZus{}inquire\PYGZus{}cred\PYGZus{}by\PYGZus{}oid(OM\PYGZus{}uint32 *minor\PYGZus{}status, + const gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t cred\PYGZus{}handle, + gss\PYGZus{}OID desired\PYGZus{}object, + gss\PYGZus{}buffer\PYGZus{}set\PYGZus{}t *data\PYGZus{}set); +\end{Verbatim} + +If the call succeeds and \emph{cred\_handle} is a proxy credential, +\emph{data\_set} will be set to a single-element buffer set containing the +unparsed principal name of the intermediate service. If \emph{cred\_handle} +is not a proxy credential, \emph{data\_set} will be set to an empty buffer +set. If the library does not support the query, +gss\_inquire\_cred\_by\_oid will return \textbf{GSS\_S\_UNAVAILABLE}. + \section{AEAD message wrapping} \label{appdev/gssapi:aead-message-wrapping} @@ -763,6 +784,37 @@ if (GSS\PYGZus{}ERROR(major)) \end{Verbatim} +\chapter{Year 2038 considerations for uses of krb5\_timestamp} +\label{appdev/y2038::doc}\label{appdev/y2038:year-2038-considerations-for-uses-of-krb5-timestamp} +POSIX time values, which measure the number of seconds since January 1 +1970, will exceed the maximum value representable in a signed 32-bit +integer in January 2038. This documentation describes considerations +for consumers of the MIT krb5 libraries. + +Applications or libraries which use libkrb5 and consume the timestamps +included in credentials or other structures make use of the +{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{\code{krb5\_timestamp}}} type. For historical reasons, krb5\_timestamp +is a signed 32-bit integer, even on platforms where a larger type is +natively used to represent time values. To behave properly for time +values after January 2038, calling code should cast krb5\_timestamp +values to uint32\_t, and then to time\_t: + +\begin{Verbatim}[commandchars=\\\{\}] +(time\PYGZus{}t)(uint32\PYGZus{}t)timestamp +\end{Verbatim} + +Used in this way, krb5\_timestamp values can represent time values up +until February 2106, provided that the platform uses a 64-bit or +larger time\_t type. This usage will also remain safe if a later +version of MIT krb5 changes krb5\_timestamp to an unsigned 32-bit +integer. + +The GSSAPI only uses representations of time intervals, not absolute +times. Callers of the GSSAPI should require no changes to behave +correctly after January 2038, provided that they use MIT krb5 release +1.16 or later. + + \chapter{Differences between Heimdal and MIT Kerberos API} \label{appdev/h5l_mit_apidiff:differences-between-heimdal-and-mit-kerberos-api}\label{appdev/h5l_mit_apidiff::doc} \begin{tabulary}{\linewidth}{|l|l|} @@ -1832,7 +1884,7 @@ This function frees a \emph{context} that was created by {\hyperref[appdev/refs/ \label{appdev/refs/api/krb5_fwd_tgt_creds:krb5-fwd-tgt-creds-get-a-forwarded-tgt-and-format-a-krb-cred-message}\label{appdev/refs/api/krb5_fwd_tgt_creds::doc}\index{krb5\_fwd\_tgt\_creds (C function)} \begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_fwd\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, char *\emph{ rhost}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cc}, int\emph{ forwardable}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\phantomsection\label{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_fwd\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const char *\emph{ rhost}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cc}, int\emph{ forwardable}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} \end{fulllineitems} \begin{quote}\begin{description} @@ -7274,6 +7326,10 @@ Create a context structure, optionally using a specified profile and initializat \textbf{{[}in{]}} \textbf{ctx} - Initial credentials context \end{description}\end{quote} +\begin{quote} + +\emph{context} must be the same as the one passed to {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} for this initial credentials context. +\end{quote} \subsubsection{krb5\_init\_creds\_get - Acquire credentials using an initial credentials context.} @@ -7300,6 +7356,10 @@ Create a context structure, optionally using a specified profile and initializat \end{description}\end{quote} This function synchronously obtains credentials using a context created by {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} . On successful return, the credentials can be retrieved with {\hyperref[appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds]{\code{krb5\_init\_creds\_get\_creds()}}} . +\begin{quote} + +\emph{context} must be the same as the one passed to {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} for this initial credentials context. +\end{quote} \subsubsection{krb5\_init\_creds\_get\_creds - Retrieve acquired credentials from an initial credentials context.} @@ -7419,6 +7479,8 @@ The initial credentials context must have completed obtaining credentials via ei This function creates a new context for acquiring initial credentials. Use {\hyperref[appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free]{\code{krb5\_init\_creds\_free()}}} to free \emph{ctx} when it is no longer needed. +Any subsequent calls to {\hyperref[appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step]{\code{krb5\_init\_creds\_step()}}} , {\hyperref[appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get]{\code{krb5\_init\_creds\_get()}}} , or {\hyperref[appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free]{\code{krb5\_init\_creds\_free()}}} for this initial credentials context must use the same \emph{context} argument as the one passed to this function. + \subsubsection{krb5\_init\_creds\_set\_keytab - Specify a keytab to use for acquiring initial credentials.} \label{appdev/refs/api/krb5_init_creds_set_keytab:krb5-init-creds-set-keytab-specify-a-keytab-to-use-for-acquiring-initial-credentials}\label{appdev/refs/api/krb5_init_creds_set_keytab::doc}\index{krb5\_init\_creds\_set\_keytab (C function)} @@ -7501,7 +7563,7 @@ This function supplies a password to be used to construct the client key for an \end{description}\end{quote} -This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \emph{service} is parsed as a principal name; any realm part is ignored. +Thisfunction supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \emph{service} is parsed as a principal name; any realm part is ignored. \subsubsection{krb5\_init\_creds\_step - Get the next KDC request for acquiring initial credentials.} @@ -7540,6 +7602,10 @@ This function constructs the next KDC request in an initial credential exchange, If more requests are needed, \emph{flags} will be set to {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and the next request will be placed in \emph{out} . If no more requests are needed, \emph{flags} will not contain {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and \emph{out} will be empty. If this function returns \textbf{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed. +\begin{quote} + +\emph{context} must be the same as the one passed to {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} for this initial credentials context. +\end{quote} \subsubsection{krb5\_init\_keyblock - Initialize an empty krb5\_keyblock .} @@ -8194,7 +8260,7 @@ Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents \label{appdev/refs/api/krb5_mk_req:krb5-mk-req-create-a-krb-ap-req-message}\label{appdev/refs/api/krb5_mk_req::doc}\index{krb5\_mk\_req (C function)} \begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, char *\emph{ service}, char *\emph{ hostname}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} +\phantomsection\label{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, const char *\emph{ service}, const char *\emph{ hostname}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} \end{fulllineitems} \begin{quote}\begin{description} @@ -8616,7 +8682,7 @@ This function validates \emph{pac} against the supplied \emph{server} , \emph{pr If successful, \emph{pac} is marked as verified. \begin{notice}{note}{Note:} -A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified. +A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified. \end{notice} @@ -11882,8 +11948,8 @@ DEPRECATED Replaced by krb5\_auth\_con\_getsendsubkey() . DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey() . -\subsubsection{krb5\_auth\_con\_initivector} -\label{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector}\label{appdev/refs/api/krb5_auth_con_initivector::doc}\index{krb5\_auth\_con\_initivector (C function)} +\subsubsection{krb5\_auth\_con\_initivector - Cause an auth context to use cipher state.} +\label{appdev/refs/api/krb5_auth_con_initivector::doc}\label{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector-cause-an-auth-context-to-use-cipher-state}\index{krb5\_auth\_con\_initivector (C function)} \begin{fulllineitems} \phantomsection\label{appdev/refs/api/krb5_auth_con_initivector:c.krb5_auth_con_initivector}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_initivector}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}}{} @@ -11891,15 +11957,21 @@ DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey() . \begin{quote}\begin{description} \item[{param}] \leavevmode -\textbf{context} +\textbf{{[}in{]}} \textbf{context} - Library context -\textbf{auth\_context} +\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context \end{description}\end{quote} +\begin{quote}\begin{description} +\item[{retval}] \leavevmode\begin{itemize} +\item {} +0 Success; otherwise - Kerberos error codes -DEPRECATED Not replaced. +\end{itemize} -RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API. +\end{description}\end{quote} + +Prepare \emph{auth\_context} to use cipher state when {\hyperref[appdev/refs/api/krb5_mk_priv:c.krb5_mk_priv]{\code{krb5\_mk\_priv()}}} or {\hyperref[appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv]{\code{krb5\_rd\_priv()}}} encrypt or decrypt data. \subsubsection{krb5\_build\_principal\_va} @@ -15186,6 +15258,10 @@ Latest time at which renewal of ticket can be valid. \end{fulllineitems} +Represents a timestamp in seconds since the POSIX epoch. + +This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32\_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time\_t. + \paragraph{Declaration} \label{appdev/refs/types/krb5_timestamp:declaration} diff --git a/doc/pdf/basic.pdf b/doc/pdf/basic.pdf Binary files differindex 65aa43c9fe4f..c2128707986c 100644 --- a/doc/pdf/basic.pdf +++ b/doc/pdf/basic.pdf diff --git a/doc/pdf/basic.tex b/doc/pdf/basic.tex index d13762e98d6d..aaffd29f368f 100644 --- a/doc/pdf/basic.tex +++ b/doc/pdf/basic.tex @@ -15,7 +15,7 @@ \title{Kerberos Concepts} \date{ } -\release{1.15.1} +\release{1.16} \author{MIT} \newcommand{\sphinxlogo}{} \renewcommand{\releasename}{Release} @@ -188,7 +188,7 @@ where \emph{uid} is the effective user ID of the running process. KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate -with the KCM daemon implemented by Heimdal. OS X 10.7 and higher +with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the \textbf{KCM} cache type is used as the default cache on that platform in a default build. diff --git a/doc/pdf/build.pdf b/doc/pdf/build.pdf Binary files differindex 4313a70dca43..beb6800c4d51 100644 --- a/doc/pdf/build.pdf +++ b/doc/pdf/build.pdf diff --git a/doc/pdf/build.tex b/doc/pdf/build.tex index 43c9d606edb1..a7036e38b711 100644 --- a/doc/pdf/build.tex +++ b/doc/pdf/build.tex @@ -15,7 +15,7 @@ \title{Building MIT Kerberos} \date{ } -\release{1.15.1} +\release{1.16} \author{MIT} \newcommand{\sphinxlogo}{} \renewcommand{\releasename}{Release} @@ -888,10 +888,6 @@ Use specified PRNG algorithm. For example, to use the OS native prng specify \code{-{-}with-prng-alg=os}. The default is \code{fortuna}. (See \emph{mitK5features}) -\item[{\textbf{-}\textbf{-with-pkinit-crypto-impl=}\emph{IMPL}}] \leavevmode -Use the specified pkinit crypto implementation \emph{IMPL}. -Defaults to using OpenSSL. - \item[{\textbf{-}\textbf{-without-libedit}}] \leavevmode Do not compile and link against libedit. Some utilities will no longer offer command history or completion in interactive mode if diff --git a/doc/pdf/plugindev.pdf b/doc/pdf/plugindev.pdf Binary files differindex 12756fcca9b4..8ade8c1052cf 100644 --- a/doc/pdf/plugindev.pdf +++ b/doc/pdf/plugindev.pdf diff --git a/doc/pdf/plugindev.tex b/doc/pdf/plugindev.tex index 4e3b805923ac..474b00c80cbf 100644 --- a/doc/pdf/plugindev.tex +++ b/doc/pdf/plugindev.tex @@ -15,7 +15,7 @@ \title{Kerberos Plugin Module Developer Guide} \date{ } -\release{1.15.1} +\release{1.16} \author{MIT} \newcommand{\sphinxlogo}{} \renewcommand{\releasename}{Release} @@ -451,6 +451,40 @@ interface (which is explicitly unstable), it may not remain as stable across versions as other public pluggable interfaces. +\section{kadmin authorization interface (kadm5\_auth)} +\label{plugindev/kadm5_auth:kadm5-auth-plugin}\label{plugindev/kadm5_auth:kadmin-authorization-interface-kadm5-auth}\label{plugindev/kadm5_auth::doc} +The kadm5\_auth interface (new in release 1.16) allows modules to +determine whether a client principal is authorized to perform an +operation in the kadmin protocol, and to apply restrictions to +principal operations. For a detailed description of the kadm5\_auth +interface, see the header file \code{\textless{}krb5/kadm5\_auth\_plugin.h\textgreater{}}. + +A module can create and destroy per-process state objects by +implementing the \textbf{init} and \textbf{fini} methods. State objects have +the type kadm5\_auth\_modinfo, which is an abstract pointer type. A +module should typically cast this to an internal type for the state +object. + +The kadm5\_auth interface has one method for each kadmin operation, +with parameters specific to the operation. Each method can return +either 0 to authorize access, KRB5\_PLUGIN\_NO\_HANDLE to defer the +decision to other modules, or another error (canonically EPERM) to +authoritatively deny access. Access is granted if at least one module +grants access and no module authoritatively denies access. + +The \textbf{addprinc} and \textbf{modprinc} methods can also impose restrictions +on the principal operation by returning a \code{struct +kadm5\_auth\_restrictions} object. The module should also implement +the \textbf{free\_restrictions} method if it dynamically allocates +restrictions objects for principal operations. + +kadm5\_auth modules can optionally inspect principal or policy objects. +To do this, the module must also include \code{\textless{}kadm5/admin.h\textgreater{}} to gain +access to the structure definitions for those objects. As the kadmin +interface is explicitly not as stable as other public interfaces, +modules which do this may not retain compatibility across releases. + + \section{Host-to-realm interface (hostrealm)} \label{plugindev/hostrealm:hostrealm-plugin}\label{plugindev/hostrealm::doc}\label{plugindev/hostrealm:host-to-realm-interface-hostrealm} The host-to-realm interface was first introduced in release 1.12. It @@ -795,6 +829,55 @@ defined in the header file \code{\textless{}krb5/authdata\_plugin.h\textgreater{ installed by the build. +\section{PKINIT certificate authorization interface (certauth)} +\label{plugindev/certauth:certauth-plugin}\label{plugindev/certauth::doc}\label{plugindev/certauth:pkinit-certificate-authorization-interface-certauth} +The certauth interface was first introduced in release 1.16. It +allows customization of the X.509 certificate attribute requirements +placed on certificates used by PKINIT enabled clients. For a detailed +description of the certauth interface, see the header file +\code{\textless{}krb5/certauth\_plugin.h\textgreater{}} + +A certauth module implements the \textbf{authorize} method to determine +whether a client's certificate is authorized to authenticate a client +principal. \textbf{authorize} receives the DER-encoded certificate, the +requested client principal, and a pointer to the client's +krb5\_db\_entry (for modules that link against libkdb5). It returns the +authorization status and optionally outputs a list of authentication +indicator strings to be added to the ticket. A module must use its +own internal or library-provided ASN.1 certificate decoder. + +A module can optionally create and destroy module data with the +\textbf{init} and \textbf{fini} methods. Module data objects last for the +lifetime of the KDC process. + +If a module allocates and returns a list of authentication indicators +from \textbf{authorize}, it must also implement the \textbf{free\_ind} method +to free the list. + + +\section{KDC policy interface (kdcpolicy)} +\label{plugindev/kdcpolicy:kdcpolicy-plugin}\label{plugindev/kdcpolicy::doc}\label{plugindev/kdcpolicy:kdc-policy-interface-kdcpolicy} +The kdcpolicy interface was first introduced in release 1.16. It +allows modules to veto otherwise valid AS and TGS requests or restrict +the lifetime and renew time of the resulting ticket. For a detailed +description of the kdcpolicy interface, see the header file +\code{\textless{}krb5/kdcpolicy\_plugin.h\textgreater{}}. + +The optional \textbf{check\_as} and \textbf{check\_tgs} functions allow the module +to perform access control. Additionally, a module can create and +destroy module data with the \textbf{init} and \textbf{fini} methods. Module +data objects last for the lifetime of the KDC process, and are +provided to all other methods. The data has the type +krb5\_kdcpolicy\_moddata, which should be cast to the appropriate +internal type. + +kdcpolicy modules can optionally inspect principal entries. To do +this, the module must also include \code{\textless{}kdb.h\textgreater{}} to gain access to the +principal entry structure definition. As the KDB interface is +explicitly not as stable as other public interfaces, modules which do +this may not retain compatibility across releases. + + \renewcommand{\indexname}{Index} \printindex diff --git a/doc/pdf/user.pdf b/doc/pdf/user.pdf Binary files differindex ee40d417d3e7..06bec04b3a05 100644 --- a/doc/pdf/user.pdf +++ b/doc/pdf/user.pdf diff --git a/doc/pdf/user.tex b/doc/pdf/user.tex index ffe97ebf4ca3..15bd75167e60 100644 --- a/doc/pdf/user.tex +++ b/doc/pdf/user.tex @@ -15,7 +15,7 @@ \title{Kerberos User Guide} \date{ } -\release{1.15.1} +\release{1.16} \author{MIT} \newcommand{\sphinxlogo}{} \renewcommand{\releasename}{Release} |