| commit | 366b787917f1ba0d5b38b79d4626e83d8b1b8b93 | |
| author | Roland C. Dowdeswell <roland.dowdeswell@twosigma.com> | |
| Wed, 12 Jun 2019 17:33:10 +0000 (12 18:33 +0100) | ||
| committer | Roland C. Dowdeswell <elric@imrryr.org> | |
| Wed, 18 Sep 2019 20:20:47 +0000 (18 21:20 +0100) | ||
| tree | 4badb0c44d9b74bdb1e3a6487615d4b993893e1f | treesnapshot (tar.gz zip) |
| parent | d6337ebdcead7f3ef5df39323924d2026342b59e | commitdiff |
We provide a "derived key" mechanism to allow wildcard princs
In order to support certain use cases, we implement a mechanism to
allow wildcard principals to be defined and for the KDC to issue
tickets for said principals by deriving a key for them from a
cluster master entry in the HDB.
The way that this works is we defined an entry of the form:
WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/<hostname>@REALM
When reading from the Kerberos DB, if we can't find an entry for
what looks like a hostbased principal, then we will attempt to
search for a principal of the above form chopping name components
off the front as we search.
If we find an entry, then we derive keys for it by using
krb5_crypto_prfplus() with the entry's key and the principal name
of the request.
In order to support certain use cases, we implement a mechanism to
allow wildcard principals to be defined and for the KDC to issue
tickets for said principals by deriving a key for them from a
cluster master entry in the HDB.
The way that this works is we defined an entry of the form:
WELLKNOWN/DERIVED-KEY/KRB5-CRYPTO-PRFPLUS/<hostname>@REALM
When reading from the Kerberos DB, if we can't find an entry for
what looks like a hostbased principal, then we will attempt to
search for a principal of the above form chopping name components
off the front as we search.
If we find an entry, then we derive keys for it by using
krb5_crypto_prfplus() with the entry's key and the principal name
of the request.
| kdc/default_config.c | diffblobblamehistory | |
| kdc/kdc.h | diffblobblamehistory | |
| kdc/misc.c | diffblobblamehistory |