From noreply at github.com Wed Sep 4 01:30:49 2019
From: noreply at github.com (Viktor Dukhovni)
Date: Tue, 03 Sep 2019 16:30:49 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 78a1a3: Optional backwards-compatible anon-pkinit behaviour
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal
  Commit: 78a1a3d66a825a84c6b2275b359355557760b542
      https://github.com/heimdal/heimdal/commit/78a1a3d66a825a84c6b2275b359355557760b542
  Author: Viktor Dukhovni
  Date:   2019-09-03 (Tue, 03 Sep 2019)

  Changed paths:
    M kdc/default_config.c
    M kdc/kdc.8
    M kdc/kdc.h
    M kdc/kerberos5.c
    M kdc/pkinit.c
    M kuser/kinit.1
    M kuser/kinit.c
    M lib/krb5/krb5.conf.5
    M lib/krb5/krb5.h
    M lib/krb5/principal.c
    M lib/krb5/ticket.c

  Log Message:
  -----------
  Optional backwards-compatible anon-pkinit behaviour

  * Anonymous pkinit responses from the KDC where the name type is not
    well-known (as issued by 7.5 KDCs and earlier) are accepted by the
    client.  There is no need for the client to strictly enforce the name
    type.

  * With historical_anon_pkinit = true, the kinit(1) client's "--anonymous"
    option only performs anon pkinit, and does not require an '@' prefix for
    the realm argument.

  * With historical_anon_realm = true, the KDC issues anon pkinit tickets
    with the legacy pre-7.0 "real" realm.

From noreply at github.com Thu Sep 5 00:00:17 2019
From: noreply at github.com (Viktor Dukhovni)
Date: Wed, 04 Sep 2019 15:00:17 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] fae8df: Optional backwards-compatible anon-pkinit behaviour
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: fae8df383961a4843a832ec7bf49443be5518202
      https://github.com/heimdal/heimdal/commit/fae8df383961a4843a832ec7bf49443be5518202
  Author: Viktor Dukhovni
  Date:   2019-09-04 (Wed, 04 Sep 2019)

  Changed paths:
    M kdc/default_config.c
    M kdc/kdc.8
    M kdc/kdc.h
    M kdc/kerberos5.c
    M kdc/pkinit.c
    M kuser/kinit.1
    M kuser/kinit.c
    M lib/krb5/krb5.conf.5
    M lib/krb5/krb5.h
    M lib/krb5/principal.c
    M lib/krb5/ticket.c

  Log Message:
  -----------
  Optional backwards-compatible anon-pkinit behaviour

  * Anonymous pkinit responses from the KDC where the name type is not
    well-known (as issued by 7.5 KDCs and earlier) are accepted by the
    client.  There is no need for the client to strictly enforce the name
    type.

  * With historical_anon_pkinit = true, the kinit(1) client's "--anonymous"
    option only performs anon pkinit, and does not require an '@' prefix for
    the realm argument.

  * With historical_anon_realm = true, the KDC issues anon pkinit tickets
    with the legacy pre-7.0 "real" realm.

From noreply at github.com Thu Sep 5 16:53:00 2019
From: noreply at github.com (Nico Williams)
Date: Thu, 05 Sep 2019 07:53:00 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 2709f2: Make gss_store_cred*() work
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 2709f28a1bd8fba02070b8a47f8a049881582cf6
      https://github.com/heimdal/heimdal/commit/2709f28a1bd8fba02070b8a47f8a049881582cf6
  Author: Nicolas Williams
  Date:   2019-09-05 (Thu, 05 Sep 2019)

  Changed paths:
    M lib/gssapi/krb5/store_cred.c
    M lib/gssapi/mech/gss_store_cred.c
    M lib/gssapi/mech/gss_store_cred_into.c

  Log Message:
  -----------
  Make gss_store_cred*() work

  krb5_cc_cache_match() searches all ccache collections for a ccache that
  has credentials for a given principal name.  This includes MEMORY ccaches,
  which means it can find the same ccache as is referenced by a GSS cred
  handle given to gss_store_cred(), which means that gss_store_cred() can
  fail.

  For now we work around this by including a private variant of
  krb5_cc_cache_match() that only searches the default ccache, not all
  collections.

  Eventually we should ensure that krb5_cc_default() also searches all
  collection-type (other than MEMORY) ccaches for a default credential, then
  we can go back to using krb5_cc_cache_match() (though we'll need to make
  sure that MEMORY is searched last or not at all).

From noreply at github.com Sun Sep 15 06:40:47 2019
From: noreply at github.com (Nico Williams)
Date: Sat, 14 Sep 2019 21:40:47 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 7680c9: Don't stutter in send_diffs
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 7680c9204791d78b8d56a4bdcee31207380b3d90
      https://github.com/heimdal/heimdal/commit/7680c9204791d78b8d56a4bdcee31207380b3d90
  Author: Viktor Dukhovni
  Date:   2019-09-14 (Sat, 14 Sep 2019)

  Changed paths:
    M lib/kadm5/ipropd_master.c

  Log Message:
  -----------
  Don't stutter in send_diffs

  When the master sees a burst of updates (perhaps sustained), the slaves'
  "I_HAVE" messages can fall behind the version we've already sent, and the
  unpatched code would retransmit already sent diffs!  This can result in
  substantial amplification (in a local test, 3000 ops turned into 427,000
  ops).  Though the number of *messages* sent was actually somewhat smaller,
  the ever growing message size ultimately leads to failure.

From noreply at github.com Sun Sep 15 06:41:07 2019
From: noreply at github.com (Nico Williams)
Date: Sat, 14 Sep 2019 21:41:07 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] af018a: Don't stutter in send_diffs
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal
  Commit: af018a5aead8b391351ba71bbb85662f780a9a2a
      https://github.com/heimdal/heimdal/commit/af018a5aead8b391351ba71bbb85662f780a9a2a
  Author: Viktor Dukhovni
  Date:   2019-09-14 (Sat, 14 Sep 2019)

  Changed paths:
    M lib/kadm5/ipropd_master.c

  Log Message:
  -----------
  Don't stutter in send_diffs

  When the master sees a burst of updates (perhaps sustained), the slaves'
  "I_HAVE" messages can fall behind the version we've already sent, and the
  unpatched code would retransmit already sent diffs!  This can result in
  substantial amplification (in a local test, 3000 ops turned into 427,000
  ops).  Though the number of *messages* sent was actually somewhat smaller,
  the ever growing message size ultimately leads to failure.

From noreply at github.com Tue Sep 17 00:28:51 2019
From: noreply at github.com (Nico Williams)
Date: Mon, 16 Sep 2019 15:28:51 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 20557e: Don't send diffs to slaves with not yet known version
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 20557e2255c8fed87cf9d296f50008c8f8eff09b
      https://github.com/heimdal/heimdal/commit/20557e2255c8fed87cf9d296f50008c8f8eff09b
  Author: Viktor Dukhovni
  Date:   2019-09-16 (Mon, 16 Sep 2019)

  Changed paths:
    M lib/kadm5/ipropd_master.c

  Log Message:
  -----------
  Don't send diffs to slaves with not yet known version

From noreply at github.com Tue Sep 17 00:29:30 2019
From: noreply at github.com (Nico Williams)
Date: Mon, 16 Sep 2019 15:29:30 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 3adbd8: Don't send diffs to slaves with not yet known version
Message-ID:

  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal
  Commit: 3adbd831c721ec8aba068fcbc9ac2637093dfaf7
      https://github.com/heimdal/heimdal/commit/3adbd831c721ec8aba068fcbc9ac2637093dfaf7
  Author: Viktor Dukhovni
  Date:   2019-09-16 (Mon, 16 Sep 2019)

  Changed paths:
    M lib/kadm5/ipropd_master.c

  Log Message:
  -----------
  Don't send diffs to slaves with not yet known version

  (cherry picked from commit d383fd3b5677ed87090adb5cf68a03c8ea9f29f5)

From noreply at github.com Wed Sep 18 22:20:49 2019
From: noreply at github.com (Roland C. Dowdeswell)
Date: Wed, 18 Sep 2019 13:20:49 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] d6337e: Export krb5_crypto_prfplus() from libkrb5
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: d6337ebdcead7f3ef5df39323924d2026342b59e
      https://github.com/heimdal/heimdal/commit/d6337ebdcead7f3ef5df39323924d2026342b59e
  Author: Roland C. Dowdeswell
  Date:   2019-09-18 (Wed, 18 Sep 2019)

  Changed paths:
    M lib/krb5/crypto.c
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map

  Log Message:
  -----------
  Export krb5_crypto_prfplus() from libkrb5

  Commit: 366b787917f1ba0d5b38b79d4626e83d8b1b8b93
      https://github.com/heimdal/heimdal/commit/366b787917f1ba0d5b38b79d4626e83d8b1b8b93
  Author: Roland C. Dowdeswell
  Date:   2019-09-18 (Wed, 18 Sep 2019)

  Changed paths:
    M kdc/default_config.c
    M kdc/kdc.h
    M kdc/misc.c

  Log Message:
  -----------
  We provide a "derived key" mechanism to allow wildcard princs

  In order to support certain use cases, we implement a mechanism to allow
  wildcard principals to be defined and for the KDC to issue tickets for
  said principals by deriving a key for them from a cluster master entry in
  the HDB.

  The way that this works is we define an entry of the form:

      WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/@REALM

  When reading from the Kerberos DB, if we can't find an entry for what
  looks like a hostbased principal, then we will attempt to search for a
  principal of the above form, chopping name components off the front as we
  search.  If we find an entry, then we derive keys for it by using
  krb5_crypto_prfplus() with the entry's key and the principal name of the
  request.
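The lookup and derivation that the 366b78 log message above describes, modelled in Python as an added example for this page; it is not Heimdal's kdc/misc.c code. Three points the message leaves open are assumptions here: the template's trailing components are taken to be the service name followed by a hostname suffix, so "chopping name components off the front" is read as dropping leading DNS labels, most specific template first; the PRF+ label is taken to be the unparsed requested principal name; and HMAC-SHA-256 stands in for the enctype's RFC 3961 PRF inside PRF+, so the derived bytes are not compatible with what krb5_crypto_prfplus() produces. The HDB dictionary, its entries and the keys in it are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterator, Optional, Tuple

# Constructed stand-in for the Kerberos database (HDB). Real entries carry
# enctype-tagged keys; here every entry is a single raw 32-byte key.
TEMPLATE_PREFIX = ("WELLKNOWN", "DERIVED-KEY", "KRB5-CRYPTO-PRFPLUS")
HDB = {
    # cluster-master entry covering every host under example.com (assumed template shape)
    "WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/host/example.com@EXAMPLE.COM": bytes(range(32)),
    # an ordinary, explicitly provisioned host principal
    "host/static.example.com@EXAMPLE.COM": b"\x11" * 32,
}


def unparse(components: Tuple[str, ...], realm: str) -> str:
    """Render a principal as svc/host@REALM (no quoting of special characters)."""
    return "/".join(components) + "@" + realm


def prfplus(key: bytes, label: bytes, length: int) -> bytes:
    """RFC 6113 PRF+: PRF(K, 0x01 || label) || PRF(K, 0x02 || label) || ..., truncated.

    krb5_crypto_prfplus() iterates the same way but with the enctype's RFC 3961
    PRF; HMAC-SHA-256 stands in for that PRF here (assumption, not byte-compatible).
    """
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + label, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def hostname_suffixes(hostname: str) -> Iterator[str]:
    """a.b.example.com -> a.b.example.com, b.example.com, example.com, com."""
    labels = hostname.split(".")
    for start in range(len(labels)):
        yield ".".join(labels[start:])


def fetch(principal: str) -> Optional[Tuple[bytes, str]]:
    """Look up a principal; on a miss for a host-based name, derive a key from a
    matching template entry. Returns (key, name of the entry it came from) or None."""
    if principal in HDB:
        return HDB[principal], principal          # explicit entries always win
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if len(components) != 2:
        return None                                # only svc/host names are candidates
    service, host = components
    # Assumption: "chopping name components off the front" means dropping
    # leading DNS labels, most specific template first.
    for suffix in hostname_suffixes(host):
        template = unparse(TEMPLATE_PREFIX + (service, suffix), realm)
        if template in HDB:
            # Assumption: the PRF+ label is the unparsed requested principal name.
            key = prfplus(HDB[template], principal.encode("utf-8"), 32)
            return key, template
    return None


if __name__ == "__main__":
    for p in ("host/static.example.com@EXAMPLE.COM",
              "host/node7.example.com@EXAMPLE.COM",
              "host/node7.other.org@EXAMPLE.COM"):
        print(p, "->", fetch(p))
```

Two properties worth keeping in mind when deploying something shaped like this: because derivation is deterministic, whoever holds the cluster-master entry's key can compute the key of every host the template covers, so that entry deserves the protection of the most sensitive host under it; conversely a member host that is only given its own derived key cannot recover the master key or a sibling's key, since PRF+ is one-way in the key.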
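Stepping back to the two lib/kadm5/ipropd_master.c fixes earlier on this page (7680c9/af018a "Don't stutter in send_diffs" and 20557e/3adbd8 "Don't send diffs to slaves with not yet known version"): the following Python model is an added example for this page, not Heimdal's code, and it simulates only the retransmission logic those log messages describe. The field names `acked` and `sent`, the step-based delay of the slave's I_HAVE replies, and the treatment of an unknown version as 0 in the unpatched branch are this model's own assumptions; the ops counts it prints are from the model, not from the local test quoted in the commit message.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SlaveState:
    """What the master knows about one slave (assumed bookkeeping, not Heimdal's struct)."""
    acked: Optional[int] = None     # version from the slave's latest I_HAVE; None until one arrives
    sent: int = 0                   # highest version the master has already written to this slave
    received: List[int] = field(default_factory=lambda: [0])  # received[t]: version the slave holds after step t


def send_diffs(slave: SlaveState, current: int, fixed: bool) -> List[int]:
    """Versions the master sends to `slave` in this round.

    unpatched: resend everything above the acknowledged version, and treat an
               unknown version as 0 (assumed behaviour of the old code).
    fixed:     send nothing until the slave's version is known, and never go
               below what has already been sent.
    """
    if slave.acked is None:
        if fixed:
            return []
        low = 0
    else:
        low = slave.acked
    if fixed:
        low = max(low, slave.sent)
    diffs = list(range(low + 1, current + 1))
    if diffs:
        slave.sent = max(slave.sent, diffs[-1])
    return diffs


def simulate(n_ops: int, ack_lag: int, fixed: bool) -> int:
    """Feed n_ops updates through the master one per step while the slave's
    I_HAVE replies take ack_lag steps to arrive; return the total number of
    log entries put on the wire."""
    if ack_lag < 1:
        raise ValueError("ack_lag must be at least 1")
    slave = SlaveState()
    total = 0
    for step in range(1, n_ops + 1):    # after this step the master log is at version `step`
        known_at = step - ack_lag        # the I_HAVE the master holds now was sent after that step
        slave.acked = slave.received[known_at] if known_at >= 0 else None
        diffs = send_diffs(slave, step, fixed)
        total += len(diffs)
        slave.received.append(max(slave.received[-1], diffs[-1] if diffs else 0))
    return total


if __name__ == "__main__":
    for n, lag in ((10, 2), (3000, 10)):
        print(f"{n} ops, lag {lag}: unpatched sends {simulate(n, lag, False)} entries, "
              f"fixed sends {simulate(n, lag, True)}")
```

In the model the unpatched master sends roughly `lag` entries per step once the slave falls behind, so the amplification factor is the acknowledgement lag itself and grows with it; the fixed master sends each entry exactly once and holds off entirely while the slave's version is still unknown.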
  Compare: https://github.com/heimdal/heimdal/compare/20557e2255c8...366b787917f1

From noreply at github.com Thu Sep 26 06:09:22 2019
From: noreply at github.com (Nico Williams)
Date: Wed, 25 Sep 2019 21:09:22 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 141289: roken: add roken_get_loginname()
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 141289f14b38ee26f52cf8c74cdfd5c9ac488f6b
      https://github.com/heimdal/heimdal/commit/141289f14b38ee26f52cf8c74cdfd5c9ac488f6b
  Author: Nicolas Williams
  Date:   2019-09-25 (Wed, 25 Sep 2019)

  Changed paths:
    M lib/roken/getuserinfo.c
    M lib/roken/roken.h.in
    M lib/roken/test-getuserinfo.c
    M lib/roken/version-script.map

  Log Message:
  -----------
  roken: add roken_get_loginname()

  Commit: 0fdda02b610e06acb40e261d105ef353d537b772
      https://github.com/heimdal/heimdal/commit/0fdda02b610e06acb40e261d105ef353d537b772
  Author: Nicolas Williams
  Date:   2019-09-25 (Wed, 25 Sep 2019)

  Changed paths:
    M lib/krb5/expand_path.c

  Log Message:
  -----------
  Add loginname, ruid, and LOCALSTATEDIR expansions

  %{loginname} is for getlogin_r().

  Now %{username} uses only the $USER and $LOGNAME environment variables (if
  the caller is not set-uid), or if absent or the caller is set-uid, then
  getpwuid_r().

  The intent is to allow kadmin(1) to use the loginname instead of the
  username for the construction of the kadmin client principal name.  This
  is helpful when the user runs kadmin as root via sudo and/or su.

  Commit: d02277b45f0e9721facea3ad74cab0f41535424f
      https://github.com/heimdal/heimdal/commit/d02277b45f0e9721facea3ad74cab0f41535424f
  Author: Nicolas Williams
  Date:   2019-09-25 (Wed, 25 Sep 2019)

  Changed paths:
    M lib/krb5/krb5.conf.5

  Log Message:
  -----------
  List token expansions in krb5.conf.5

  Commit: c9b5a4df906f63b9c12705657112f99b9a7d14df
      https://github.com/heimdal/heimdal/commit/c9b5a4df906f63b9c12705657112f99b9a7d14df
  Author: Nicolas Williams
  Date:   2019-09-25 (Wed, 25 Sep 2019)

  Changed paths:
    M lib/kadm5/init_c.c
    M lib/krb5/get_default_principal.c

  Log Message:
  -----------
  Use roken_get_loginname() when we want getlogin_r()

  Compare: https://github.com/heimdal/heimdal/compare/366b787917f1...c9b5a4df906f

From noreply at github.com Fri Sep 27 02:19:32 2019
From: noreply at github.com (Viktor Dukhovni)
Date: Thu, 26 Sep 2019 17:19:32 -0700
Subject: [Heimdal-source-changes] [heimdal/heimdal] 989422: Install kuserok-plugin.h and update docs
Message-ID:

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: 989422e0fcd8ce07fe16fb78cab4caabe6e5518a
      https://github.com/heimdal/heimdal/commit/989422e0fcd8ce07fe16fb78cab4caabe6e5518a
  Author: Viktor Dukhovni
  Date:   2019-09-26 (Thu, 26 Sep 2019)

  Changed paths:
    M lib/krb5/Makefile.am
    M lib/krb5/krb5-plugin.7

  Log Message:
  -----------
  Install kuserok-plugin.h and update docs

  The header file was not installed, and the manpage had the wrong name for
  the plugin load function: it is "krb5_plugin_kuserok_plugin_load", not
  "kuserok_plugin_load".
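The %{username} versus %{loginname} rules from the lib/krb5/expand_path.c commit above (0fdda02b), modelled in Python as an added example for this page; it is not Heimdal's roken or expand_path C code. The functions `username`, `loginname`, `expand` and `kadmin_client_principal`, the realm EXAMPLE.COM, and the choice to resolve the passwd fallback against the real uid are this example's own assumptions; the environments and passwd map in the test are constructed. The point it shows is why the set-uid check matters: $USER and $LOGNAME are attacker-controlled input to a set-uid binary, while the login name recorded for the session survives sudo/su.

```python
import os
import pwd
import re
from typing import Callable, Mapping, Optional

TOKEN = re.compile(r"%\{(\w+)\}")


def is_setuid(ruid: int, euid: int) -> bool:
    """Treat any real/effective uid mismatch as set-uid (assumption: roken may also look at gids)."""
    return ruid != euid


def username(env: Mapping[str, str], ruid: int, euid: int,
             getpwuid: Callable[[int], str]) -> str:
    """%{username}: $USER or $LOGNAME when the process is not set-uid,
    otherwise (or if both are unset) the passwd name of the real uid."""
    if not is_setuid(ruid, euid):
        for var in ("USER", "LOGNAME"):
            if env.get(var):
                return env[var]
    return getpwuid(ruid)   # assumption: the fallback resolves the real uid


def loginname(getlogin: Callable[[], Optional[str]]) -> Optional[str]:
    """%{loginname}: the getlogin_r() name, i.e. the session's login user,
    which sudo/su do not change. None when no login name is recorded."""
    return getlogin()


def expand(template: str, tokens: Mapping[str, Optional[str]]) -> str:
    """Substitute %{name} tokens; an unknown or unset token is an error
    rather than silently expanding to an empty string."""
    def repl(match: "re.Match[str]") -> str:
        value = tokens.get(match.group(1))
        if value is None:
            raise KeyError("cannot expand %{" + match.group(1) + "}")
        return value
    return TOKEN.sub(repl, template)


def kadmin_client_principal(env: Mapping[str, str], ruid: int, euid: int,
                            getpwuid: Callable[[int], str],
                            getlogin: Callable[[], Optional[str]],
                            realm: str = "EXAMPLE.COM") -> str:
    """Client principal for kadmin(1) (example policy): prefer the login name so
    that `sudo kadmin` yields alice/admin rather than root/admin, and fall back
    to %{username} when no login name is recorded (cron, containers)."""
    tokens = {
        "username": username(env, ruid, euid, getpwuid),
        "loginname": loginname(getlogin),
        "ruid": str(ruid),
    }
    who = "%{loginname}" if tokens["loginname"] else "%{username}"
    return expand(who + "/admin@" + realm, tokens)


def live_getlogin() -> Optional[str]:
    """os.getlogin() wrapper: no controlling terminal or utmp entry means no login name."""
    try:
        return os.getlogin()
    except OSError:
        return None


def live_getpwuid(uid: int) -> str:
    return pwd.getpwuid(uid).pw_name


if __name__ == "__main__":
    print(kadmin_client_principal(os.environ, os.getuid(), os.geteuid(),
                                  live_getpwuid, live_getlogin))
```

Run under `sudo` the live call prints the invoking user's admin principal even though $USER is "root"; run from a set-uid wrapper with a forged $USER it ignores the environment entirely.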