From: Evgeny Sinelnikov <sin@altlinux.org>
To: ALT Linux Team development discussions <devel@lists.altlinux.org>
Subject: Re: [devel] Update to krb5-1.15.1
Date: Tue, 12 Sep 2017 17:39:50 +0400
Message-ID: <CAK42-GrKA6-uE-U3xuwvie=pwMvh65yMgK9L8qv-LV409qV7og@mail.gmail.com>
In-Reply-To: <CAG0OwAErhkWL6yLsJVTtdUyBG_E8ktSj=rrmZpE+mnKaqGAvAQ@mail.gmail.com>

Hello,

I noticed a whole series of new patches and have not yet figured out which of them we need.

fedora-Add-KDC-policy-pluggable-interface/fedora-Add-KDC-policy-pluggable-interface.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Add-timestamp-helper-functions.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Add-timestamp-tests.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Add-y2038-documentation.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Allow-clock-skew-in-krb5-gss_context_time.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Fix-bugs-in-kdcpolicy-commit.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Fix-in_clock_skew-and-use-it-in-AS-client-code.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Make-timestamp-manipulations-y2038-safe.patch
fedora-Add-KDC-policy-pluggable-interface/fedora-Use-krb5_timestamp-where-appropriate.patch
Make-certauth-eku-module-restrictive-only/fedora-Add-hostname-based-ccselect-module.patch
Make-certauth-eku-module-restrictive-only/fedora-Add-PKINIT-test-case-for-generic-client-cert.patch
Make-certauth-eku-module-restrictive-only/fedora-Add-test-cert-with-no-extensions.patch
Make-certauth-eku-module-restrictive-only/fedora-Convert-some-pkiDebug-messages-to-TRACE-macros.patch
Make-certauth-eku-module-restrictive-only/fedora-Fix-certauth-built-in-module-returns.patch
fedora-Add-support-to-query-the-SSF-of-a-GSS-context.patch
fedora-Preserve-GSS-context-on-init-accept-failure.patch
fedora-Prevent-KDC-unset-status-assertion-failures.patch
fedora-Remove-incomplete-PKINIT-OCSP-support.patch

They include a fix for CVE-2017-11368, which by all appearances does not affect us (I have not yet looked into this), and the KDC policy pluggable interface, which it is unclear whether we need. It will have to keep being pulled from the upstream git and the Fedora patches.

2017-08-22 10:59 GMT+04:00 Alexander Bokovoy <ab@altlinux.org>:
> On Tue, Aug 22, 2017 at 9:18 AM, Evgeny Sinelnikov <sin@altlinux.org> wrote:
>> On 21 August 2017 at 8:53, Alexander Bokovoy <ab@altlinux.org> wrote:
>>> 2017-08-21 0:27 GMT+03:00 Evgeny Sinelnikov <sin@altlinux.org>:
>>>
>>>>> Can you add a dump of the environments before this test is executed?
>>>>
>>>> I have a chroot in hasher available. I can. But what is an "environment dump" and
>>>> how do I get it?
>>> r1.env and r2.env in t_ccselect.py, they are ordinary hashes.
>>> import pprint
>>> pprint.pprint(r1.env)
>>>
>>
>> I made the following change:
>>
>> [builder@localhost gssapi]$ diff -u t_ccselect.py.orig t_ccselect.py
>> --- t_ccselect.py.orig 2017-08-22 06:05:19.511969086 +0000
>> +++ t_ccselect.py 2017-08-22 06:06:31.236771746 +0000
>> @@ -23,6 +23,7 @@
>>  # or implied warranty.
>>
>>  from k5test import *
>> +import pprint
>>
>>  # Create two independent realms (no cross-realm TGTs).
>>  r1 = K5Realm(create_user=False)
>> @@ -49,6 +50,9 @@
>>  # .k5identity rules since it has unknown type.
>>  refserver = 'p:host/' + hostname + '@'
>>
>> +pprint.pprint(r1.env)
>> +pprint.pprint(r2.env)
>> +
>>  # Verify that we can't get initiator creds with no credentials in the
>>  # collection.
>>  r1.run(['./t_ccselect', host1, '-'], expected_code=1,
>> @@ -86,6 +90,9 @@
>>  r1.kinit(alice, password('alice'))
>>  r2.kinit(zaphod, password('zaphod'))
>>
>> +pprint.pprint(r1.env)
>> +pprint.pprint(r2.env)
>> +
>>  # Check that we can find a cache for a specified client principal.
>>  output = r1.run(['./t_ccselect', host1, 'p:' + alice])
>>  if output != (alice + '\n'):
>>
>>
>> I print the envs twice:
>> - before the test starts (1 for r1, 2 for r2)
>> - right after kinit (3 for r1, 4 for r2)
> Thanks. I will talk to Robbie (the krb5 maintainer in Fedora) today.

I still have not understood how this was all resolved. The question was originally put like this:

>> When working with a ccache collection, the code uses the realm that is
>> specified in the principal name. If it is absent there, the one
>> specified as the default in krb5.conf is applied.
>>
>> Further, if krb5.conf has dns_canonicalize_hostname=true, then
>> localhost will be resolved via getaddrinfo() and turn into
>> localhost.localdomain.
>> Since the realm is not specified and there is no direct match in the
>> domain_realm section of krb5.conf, the default realm is used.

Although in the code it is set like this:

    retval = get_boolean(ctx, KRB5_CONF_DNS_CANONICALIZE_HOSTNAME, 1, &tmp);
    if (retval)
        goto cleanup;
    ctx->dns_canonicalize_hostname = tmp;

That is, dns_canonicalize_hostname=true turns out to be the default.

As I understand it, in Fedora the issue was resolved like this:

commit ccd78d8ee908015ca558e7428c27151cb1af5579
Author: Robbie Harwood <rharwood@redhat.com>
Date:   Wed Aug 2 17:02:46 2017 +0000

    Disable dns_canonicalize_hostname. This may break some setups.

diff --git a/krb5.conf b/krb5.conf
index cf23f53..a588211 100644
--- a/krb5.conf
+++ b/krb5.conf
@@ -8,6 +8,7 @@ includedir /etc/krb5.conf.d/
  admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
+ dns_canonicalize_hostname = false
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
diff --git a/krb5.spec b/krb5.spec
index 1db9bdb..122aacf 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
 # for prerelease, should be e.g., 0.3.beta2%{?dist}
-Release: 19%{?dist}
+Release: 20%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 #   http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache.  Upload with
@@ -520,13 +520,12 @@ rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
 %post libs -p /sbin/ldconfig

-%triggerun libs -- krb5-libs < 1.15.1-5
-# Previously, there was logic to make this conditional in order to
-# (effectively) allow for multiple triggers.  However, RPM doesn't keep the
-# database consistent during upgrades.
-#
-# When a second trigger is needed, this will be made unconditional.
+%triggerun libs -- krb5-libs < 1.15.1-20
+if ! grep -q 'dns_canonicalize_hostname' /etc/krb5.conf ; then
+    sed -i 's/\[libdefaults\]/\[libdefaults\]\n dns_canonicalize_hostname = false/' /etc/krb5.conf
+fi
+# Correct trigger would be krb5-libs < 1.15.1-5
 if ! grep -q 'includedir /etc/krb5.conf.d' /etc/krb5.conf ; then
     sed -i '1i # To opt out of the system crypto-policies configuration of krb5, remove the\n# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.\nincludedir /etc/krb5.conf.d/\n' /etc/krb5.conf
 fi
@@ -737,6 +736,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Wed Aug 02 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-20
+- Disable dns_canonicalize_hostname.  This may break some setups.
+
 * Wed Aug 02 2017 Robbie Harwood <rharwood@redhat.com> - 1.15.1-19
 - Re-enable test suite on ppc64le (no other changes)

-- 
Sin (Sinelnikov Evgeny)
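Review bot: the two `+pprint.pprint(r1.env)` / `+pprint.pprint(r2.env)` pairs in the t_ccselect.py hunks `@@ -49,6 +50,9 @@` and `@@ -86,6 +90,9 @@` emit four unlabelled dictionaries that look alike, so whoever reads the output has to count dumps to know which is r1 before the test and which is r2 after kinit. Prefix each with a tag, e.g. `print('r1.env before test:')`, or print only the keys whose values differ between the two dumps, and keep the whole thing out of anything that gets committed; it is a debugging aid, not part of the test.

Review bot: in the krb5.conf hunk `@@ -8,6 +8,7 @@`, the added `+ dns_canonicalize_hostname = false` is the safer setting (with canonicalization on, the client lets the DNS answer decide which service principal it requests a ticket for), but the commit message only says "This may break some setups" without saying which. A short comment above the line, naming that hosts addressed by short names or aliases now need an explicit domain_realm entry or a fully qualified name, would save the next reader a trip to the documentation.

Review bot: in the krb5.spec hunk `@@ -520,13 +520,12 @@`, the guard `if ! grep -q 'dns_canonicalize_hostname' /etc/krb5.conf` also matches a commented-out or explicitly enabled occurrence, so an administrator's `# dns_canonicalize_hostname = true` note or an intentional `= true` is treated as "already handled", while a file with no `[libdefaults]` header passes the grep and is then left unchanged by the `sed`. Restrict the match to an uncommented key inside `[libdefaults]` and handle the missing-section case, and say in the changelog that the trigger edits an administrator-owned /etc/krb5.conf. The added `# Correct trigger would be krb5-libs < 1.15.1-5` acknowledges that the includedir block now re-runs for every upgrade from anything below 1.15.1-20; its own grep keeps it idempotent, but the widened bound deserves a sentence in place of the comment block that was removed.

Review bot: the changelog hunk `@@ -737,6 +736,9 @@` repeats the commit subject only; since the user-visible surprise of this release is the in-place edit of /etc/krb5.conf by the %triggerun script, the entry should mention that edit and the new default so that it shows up in `rpm -q --changelog`.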
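As an added example (not code from the thread or from the Fedora spec), here is a section-aware version of the trigger's check: it ignores commented-out lines, looks only inside [libdefaults], handles a file with no such section, and assumes the krb5.conf path is passed as its single argument.

```shell
#!/bin/sh
# Added example, not code from the thread or the Fedora spec: a
# section-aware replacement for the spec's `grep -q` / `sed` pair.
# Assumption: the krb5.conf path is the single argument of each function.

# Classify a krb5.conf: "set" if [libdefaults] already carries an active
# dns_canonicalize_hostname, "section" if the section exists without it,
# "none" if there is no [libdefaults] section at all.
krb5_dns_canon_state() {
    awk '
        /^[[:space:]]*[#;]/ { next }                 # comment line: ignore
        /^[[:space:]]*\[/ {                          # section header
            in_ld = ($0 ~ /^[[:space:]]*\[libdefaults\][[:space:]]*$/)
            if (in_ld) seen = 1
            next
        }
        in_ld && /^[[:space:]]*dns_canonicalize_hostname[[:space:]]*=/ { found = 1 }
        END {
            s = found ? "set" : (seen ? "section" : "none")
            print s
        }
    ' "$1"
}

# Disable DNS canonicalization unless an uncommented setting already exists
# in [libdefaults]; an explicit administrator value is never overwritten.
ensure_dns_canon_disabled() {
    conf=$1
    case $(krb5_dns_canon_state "$conf") in
    set)
        ;;                                           # admin already decided
    section)
        # insert once, directly after the [libdefaults] header
        awk '{ print }
             !done && /^[[:space:]]*\[libdefaults\][[:space:]]*$/ {
                 print "    dns_canonicalize_hostname = false"; done = 1
             }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        ;;
    none)
        # no section at all: append one
        printf '\n[libdefaults]\n    dns_canonicalize_hostname = false\n' >> "$conf"
        ;;
    esac
}
```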