kadmin.8: Document the new dump -f flagCommit 5000d023a446 added a new flag to the dump option.This patch documents this new flag.This is a content change.MFC after: 3 daysFixes: 5000d023a44
kadmin.8: Document the new dump -f flagCommit 5000d023a446 added a new flag to the dump option.This patch documents this new flag.This is a content change.MFC after: 3 daysFixes: 5000d023a446 ("heimdal-kadmin: Add support for the -f dump option")
show more ...
heimdal-kadmin: Add support for the -f dump optionThe "-f" dump option allows a dump of the HeimdalKDC in a format that the MIT kdb5_util command canload into a MIT KDC's database.This makes tra
heimdal-kadmin: Add support for the -f dump optionThe "-f" dump option allows a dump of the HeimdalKDC in a format that the MIT kdb5_util command canload into a MIT KDC's database.This makes transitioning from the Heimdal KDC tothe current MIT one feasible without having tore-create the KDC database from scratch.glebius@ did the initial work, cherry picking thesecommits from the Heimdal sources on github and then doingextensive merge conflict resolution and other fixes sothat it would build.Heimdal commit fca5399 authored by Nico Williams:Initial commit for second approach for multiple kvno. NOT TESTED!Heimdal commit 57f1545 authored by Nico Williams:Add support for writing to KDB and dumping HDB to MIT KDB dump format Before this change Heimdal could read KDBs. Now it can write to them too. Heimdal can now also dump HDBs (including KDBs) in MIT format, which can then be imported with kdb5_util load. This is intended to help in migrations from MIT to Heimdal by allowing migrations from Heimdal to MIT so that it is possible to rollback from Heimdal to MIT should there be any issues. The idea is to allow a) running Heimdal kdc/kadmind with a KDB, or b) running Heimdal with an HDB converted from a KDB and then rollback by dumping the HDB and loading a KDB. Note that not all TL data types are supported, only two: last password change and modify-by. This is the minimum necessary. PKINIT users may need to add support for KRB5_TL_USER_CERTIFICATE, and for databases with K/M history we may need to add KRB5_TL_MKVNO support.This resulted in a Heimdal kadmin that would dumpthe KDC database in MIT format. However, therewere issues when this dump was loaded into thecurrent MIT KDC in FreeBSD current/15.0.The changes I did to make the dump more useful are listed below:When "-f MIT" is used for "kadmin -l dump" it writesthe dump out in MIT format. This dump format is understoodby the MIT kdb5_util command. The patch modifies the aboveso that the MIT KDC's master key keytab file can be providedas the argument to "-f" so that the principals are re-encrypted init. This allows any principal with at least one strong encryptiontype key to work without needing a change_password.The strong encryption types supported by the Heimdal KDC are:aes256-cts-hmac-sha1-96aes128-cts-hmac-sha1-96The issues my changes address are:- If there are weak encryption keys in a principal's entry, MIT's kadmin.local will report that the principcal's entry is incomplete or corrupted.- The keys are encrypted in Heimdal's master key. The "-d" option can be used on the "kadmin -l dump" to de-encrypt them, but the passwords will not work on the current MIT KDC.To try and deal with the above issues, this patch modied the above to:- Does not dump the weak keys.- Re-encrypts the strong keys in MIT's master key if the argument to "-f" is actually a filename which holds the MIT KDC's master key keytab and not "MIT".- For principals that only have weak keys, it generates a fake strong key. This key will not work on the MIT KDC, but the principal entry will work once a change_password is done to it.- It always generates a "modified_by" entry, faking one if not already present in the Heimdal KDC database. This was necessary, since the MIT kadmin will report that the principal entry is "incomplete or corrupted" without one.It also fixed a problem where "get principal" no longerworked after the initial patch was applied.A man page update will be done as a separate commit.I believe this commit is acceptable since the Heimdalsources are now essentially deprecated in favor of theMIT sources and that this new "-f" patch simplifiesthe transition to the MIT KDC.Discussed with: glebius, cyMFC after: 3 days
heimdal: Properly ix bus fault when zero-length request receivedZero length client requests result in a bus fault when attempting tofree malloc()ed pointers within the requests softc. Return an er
heimdal: Properly ix bus fault when zero-length request receivedZero length client requests result in a bus fault when attempting tofree malloc()ed pointers within the requests softc. Return an errorwhen the request is zero length.This properly fixes PR/268062 without regressions.PR: 268062Reported by: Robert Morris <rtm@lcs.mit.edu>MFC after: 3 days
heimdal: Add additional checks for bad kadmind inputCheck return codes for bad input.MFC after: 3 days
heimdal: Add missing kadmind error checksInspired by: Heimdal commmit 1b213c1082be4ef5a1c23928d614c762f837dbe7MFC after: 3 days
heimdal: Fix NULL dereference when mangled realm messageFix a NULL dereference in _kadm5_s_init_context() when the clientsends a mangled realm message.PR: 267912Reported by: Robert Morris <rtm
heimdal: Fix NULL dereference when mangled realm messageFix a NULL dereference in _kadm5_s_init_context() when the clientsends a mangled realm message.PR: 267912Reported by: Robert Morris <rtm@lcs.mit.edu>MFC after: 3 days
heimdal: Fix multiple security vulnerabilitiesThe following issues are patched: - CVE-2022-42898 PAC parse integer overflows - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and
heimdal: Fix multiple security vulnerabilitiesThe following issues are patched: - CVE-2022-42898 PAC parse integer overflows - CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour - CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors - CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common Vulnerability Scoring System (CVSS) v3, as we believe it should be possible to get an RCE on a KDC, which means that credentials can be compromised that can be used to impersonate anyone in a realm or forest of realms. Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free function on the decoded structure upon decode error. This is known to impact the Heimdal KDC, leading to an invalid free() of an address partly or wholly under the control of the attacker, in turn leading to a potential remote code execution (RCE) vulnerability. This error affects the DER codec for all extensible CHOICE types used in Heimdal, though not all cases will be exploitable. We have not completed a thorough analysis of all the Heimdal components affected, thus the Kerberos client, the X.509 library, and other parts, may be affected as well. This bug has been in Heimdal's ASN.1 compiler since 2005, but it may only affect Heimdal 1.6 and up. It was first reported by Douglas Bagnall, though it had been found independently by the Heimdal maintainers via fuzzing a few weeks earlier. While no zero-day exploit is known, such an exploit will likely be available soon after public disclosure. - CVE-2019-14870: Validate client attributes in protocol-transition - CVE-2019-14870: Apply forwardable policy in protocol-transition - CVE-2019-14870: Always lookup impersonate client in DBSponsored by: so (philip)Obtained from: so (philip)Tested by: philip, cyMFC after: immediately
- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for
- Update FreeBSD Heimdal distribution to version 1.5.1. This also brings several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for a particular service. o kf(1) securily forwards ticket to another host through an authenticated and encrypted stream. o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now. o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM. o hxtool(1) is a certificate management tool to use with PKINIT. o string2key(1) maps a password into key. o kdigest(8) is a userland tool to access the KDC's digest interface. o kimpersonate(8) creates a "fake" ticket for a service. We also now install manpages for some lirbaries that were not installed before, libheimntlm and libhx509.- The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5.- Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf.- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next.- Heimdal's KDC now require sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well.- This is not a latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
Fix conflicts after heimdal-1.1 import and add build infrastructure. Importall non-style changes made by heimdal to our own libgssapi.
This commit was generated by cvs2svn to compensate for changes in r178825,which included commits to RCS files with non-trunk default branches.
Vendor import of Heimdal 1.1
Vendor import of Heimdal 0.6.3.
This commit was generated by cvs2svn to compensate for changes in r142403,which included commits to RCS files with non-trunk default branches.
Clean up the Heimdal vendor branch by removing files not included inany import for several years.If memory serves, this wasSuggested by: ruan awfully long time ago-- sorry for the delay!
Resolve conflicts after import of Heimdal 0.6.1.
Vendor import of Heimdal 0.6.1.
This commit was generated by cvs2svn to compensate for changes in r127808,which included commits to RCS files with non-trunk default branches.
Vendor import of Heimdal 0.6.
This commit was generated by cvs2svn to compensate for changes in r120945,which included commits to RCS files with non-trunk default branches.
Import of Heimdal 0.5.1.Approved by: re
This commit was generated by cvs2svn to compensate for changes in r107207,which included commits to RCS files with non-trunk default branches.
import 1.27 to fix buffer overflow:check size of rlenObtained from: Heimdal CVS
This commit was generated by cvs2svn to compensate for changes in r105672,which included commits to RCS files with non-trunk default branches.
Resolve conflicts.
Import of Heimdal Kerberos from KTH repository circa 2002/09/16.
12