ae77177087
several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for a particular service. o kf(1) securily forwards ticket to another host through an authenticated and encrypted stream. o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now. o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM. o hxtool(1) is a certificate management tool to use with PKINIT. o string2key(1) maps a password into key. o kdigest(8) is a userland tool to access the KDC's digest interface. o kimpersonate(8) creates a "fake" ticket for a service. We also now install manpages for some lirbaries that were not installed before, libheimntlm and libhx509. - The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5. - Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf. - libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next. - Heimdal's KDC now require sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well. - This is not a latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
140 lines
3.8 KiB
Groff
140 lines
3.8 KiB
Groff
-- $Id$
|
|
HDB DEFINITIONS ::=
|
|
BEGIN
|
|
|
|
IMPORTS EncryptionKey, KerberosTime, Principal FROM krb5;
|
|
|
|
HDB_DB_FORMAT INTEGER ::= 2 -- format of database,
|
|
-- update when making changes
|
|
|
|
-- these must have the same value as the pa-* counterparts
|
|
hdb-pw-salt INTEGER ::= 3
|
|
hdb-afs3-salt INTEGER ::= 10
|
|
|
|
Salt ::= SEQUENCE {
|
|
type[0] INTEGER (0..4294967295),
|
|
salt[1] OCTET STRING,
|
|
opaque[2] OCTET STRING OPTIONAL
|
|
}
|
|
|
|
Key ::= SEQUENCE {
|
|
mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
|
|
key[1] EncryptionKey,
|
|
salt[2] Salt OPTIONAL
|
|
}
|
|
|
|
Event ::= SEQUENCE {
|
|
time[0] KerberosTime,
|
|
principal[1] Principal OPTIONAL
|
|
}
|
|
|
|
HDBFlags ::= BIT STRING {
|
|
initial(0), -- require as-req
|
|
forwardable(1), -- may issue forwardable
|
|
proxiable(2), -- may issue proxiable
|
|
renewable(3), -- may issue renewable
|
|
postdate(4), -- may issue postdatable
|
|
server(5), -- may be server
|
|
client(6), -- may be client
|
|
invalid(7), -- entry is invalid
|
|
require-preauth(8), -- must use preauth
|
|
change-pw(9), -- change password service
|
|
require-hwauth(10), -- must use hwauth
|
|
ok-as-delegate(11), -- as in TicketFlags
|
|
user-to-user(12), -- may use user-to-user auth
|
|
immutable(13), -- may not be deleted
|
|
trusted-for-delegation(14), -- Trusted to print forwardabled tickets
|
|
allow-kerberos4(15), -- Allow Kerberos 4 requests
|
|
allow-digest(16), -- Allow digest requests
|
|
locked-out(17) -- Account is locked out,
|
|
-- authentication will be denied
|
|
}
|
|
|
|
GENERATION ::= SEQUENCE {
|
|
time[0] KerberosTime, -- timestamp
|
|
usec[1] INTEGER (0..4294967295), -- microseconds
|
|
gen[2] INTEGER (0..4294967295) -- generation number
|
|
}
|
|
|
|
HDB-Ext-PKINIT-acl ::= SEQUENCE OF SEQUENCE {
|
|
subject[0] UTF8String,
|
|
issuer[1] UTF8String OPTIONAL,
|
|
anchor[2] UTF8String OPTIONAL
|
|
}
|
|
|
|
HDB-Ext-PKINIT-hash ::= SEQUENCE OF SEQUENCE {
|
|
digest-type[0] OBJECT IDENTIFIER,
|
|
digest[1] OCTET STRING
|
|
}
|
|
|
|
HDB-Ext-PKINIT-cert ::= SEQUENCE OF SEQUENCE {
|
|
cert[0] OCTET STRING
|
|
}
|
|
|
|
HDB-Ext-Constrained-delegation-acl ::= SEQUENCE OF Principal
|
|
|
|
-- hdb-ext-referrals ::= PA-SERVER-REFERRAL-DATA
|
|
|
|
HDB-Ext-Lan-Manager-OWF ::= OCTET STRING
|
|
|
|
HDB-Ext-Password ::= SEQUENCE {
|
|
mkvno[0] INTEGER (0..4294967295) OPTIONAL, -- master key version number
|
|
password OCTET STRING
|
|
}
|
|
|
|
HDB-Ext-Aliases ::= SEQUENCE {
|
|
case-insensitive[0] BOOLEAN, -- case insensitive name allowed
|
|
aliases[1] SEQUENCE OF Principal -- all names, inc primary
|
|
}
|
|
|
|
|
|
HDB-extension ::= SEQUENCE {
|
|
mandatory[0] BOOLEAN, -- kdc MUST understand this extension,
|
|
-- if not the whole entry must
|
|
-- be rejected
|
|
data[1] CHOICE {
|
|
pkinit-acl[0] HDB-Ext-PKINIT-acl,
|
|
pkinit-cert-hash[1] HDB-Ext-PKINIT-hash,
|
|
allowed-to-delegate-to[2] HDB-Ext-Constrained-delegation-acl,
|
|
-- referral-info[3] HDB-Ext-Referrals,
|
|
lm-owf[4] HDB-Ext-Lan-Manager-OWF,
|
|
password[5] HDB-Ext-Password,
|
|
aliases[6] HDB-Ext-Aliases,
|
|
last-pw-change[7] KerberosTime,
|
|
pkinit-cert[8] HDB-Ext-PKINIT-cert,
|
|
...
|
|
},
|
|
...
|
|
}
|
|
|
|
HDB-extensions ::= SEQUENCE OF HDB-extension
|
|
|
|
hdb_keyset ::= SEQUENCE {
|
|
kvno[1] INTEGER (0..4294967295),
|
|
keys[0] SEQUENCE OF Key
|
|
}
|
|
|
|
hdb_entry ::= SEQUENCE {
|
|
principal[0] Principal OPTIONAL, -- this is optional only
|
|
-- for compatibility with libkrb5
|
|
kvno[1] INTEGER (0..4294967295),
|
|
keys[2] SEQUENCE OF Key,
|
|
created-by[3] Event,
|
|
modified-by[4] Event OPTIONAL,
|
|
valid-start[5] KerberosTime OPTIONAL,
|
|
valid-end[6] KerberosTime OPTIONAL,
|
|
pw-end[7] KerberosTime OPTIONAL,
|
|
max-life[8] INTEGER (0..4294967295) OPTIONAL,
|
|
max-renew[9] INTEGER (0..4294967295) OPTIONAL,
|
|
flags[10] HDBFlags,
|
|
etypes[11] SEQUENCE OF INTEGER (0..4294967295) OPTIONAL,
|
|
generation[12] GENERATION OPTIONAL,
|
|
extensions[13] HDB-extensions OPTIONAL
|
|
}
|
|
|
|
hdb_entry_alias ::= [APPLICATION 0] SEQUENCE {
|
|
principal[0] Principal OPTIONAL
|
|
}
|
|
|
|
END
|