[36146] in Kerberos


Re: Problems parsing old krbPrincipalKey attributes from LDAP backend

daemon@ATHENA.MIT.EDU (Frank Steinberg)
Mon May 26 06:49:45 2014

Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Frank Steinberg <steinberg@ibr.cs.tu-bs.de>
In-Reply-To: <53815FFC.5070704@mit.edu>
Date: Mon, 26 May 2014 12:45:27 +0200
Message-Id: <FE970282-CA96-48E6-9CA4-9A8E740F7CFE@ibr.cs.tu-bs.de>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============1487081852=="
Errors-To: kerberos-bounces@mit.edu


--===============1487081852==
Content-Type: multipart/signed;
	boundary="Apple-Mail=_2B8F946E-2CBB-4A2D-8C04-BFCEC221A565";
	protocol="application/pgp-signature"; micalg=pgp-sha512


--Apple-Mail=_2B8F946E-2CBB-4A2D-8C04-BFCEC221A565
Content-Type: multipart/mixed;
	boundary="Apple-Mail=_20BF05D0-D545-48EF-93CB-27A989C8ACA6"


--Apple-Mail=_20BF05D0-D545-48EF-93CB-27A989C8ACA6
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii


Am 25.05.2014 um 05:14 schrieb Greg Hudson <ghudson@MIT.EDU>:

> If you decide to go with patching the KDC, the candidate fixes are here:
> 
> https://github.com/krb5/krb5/pull/129
> 
> These changes should get pushed to master within a week or so, and
> will eventually make their way into 1.12 and probably 1.11 patch releases.

I took some time to find a Python ASN.1 decoder/encoder and came up with
the following Python script. It should convert the key data so that a
KrbSalt containing only type == 0 is added wherever one is missing.
It seemed to work for me on two test cases; however, I have not yet applied
it to our whole user database. If you have any comments, please let me know.


--Apple-Mail=_20BF05D0-D545-48EF-93CB-27A989C8ACA6
Content-Disposition: attachment;
	filename=kdb_ldap_fixkeys.py
Content-Type: text/x-python-script; x-unix-mode=0755;
	name="kdb_ldap_fixkeys.py"
Content-Transfer-Encoding: 7bit

#!/usr/bin/python
#
# kdb_ldap_fixkeys.py - emit LDIF change records to fix krbPrincipalKey attributes in LDAP for use with MIT Kerberos 1.11+
#
# Copyright (c) 2014 Frank Steinberg, TU Braunschweig.
#
# see also:
#  http://krbdev.mit.edu/rt/Ticket/Display.html?id=7918
#  http://krbdev.mit.edu/rt/Ticket/Display.html?id=7919
#


import sys
import ldap
import getopt
from base64 import b64encode
from pyasn1.codec.ber import encoder, decoder
from pyasn1.type.univ import Sequence, SequenceOf, Integer, OctetString
from pyasn1.type.namedtype import NamedType, NamedTypes, OptionalNamedType
from pyasn1.type.tag import Tag, tagClassContext, tagFormatSimple



# KrbKeySet ::= SEQUENCE {
# attribute-major-vno       [0] UInt16,
# attribute-minor-vno       [1] UInt16,
# kvno                      [2] UInt32,
# mkvno                     [3] UInt32 OPTIONAL,
# keys                      [4] SEQUENCE OF KrbKey,
# ...
# }
#
# KrbKey ::= SEQUENCE {
# salt      [0] KrbSalt OPTIONAL,
# key       [1] EncryptionKey,
# s2kparams [2] OCTET STRING OPTIONAL,
#  ...
# }
#
# KrbSalt ::= SEQUENCE {
# type      [0] Int32,
# salt      [1] OCTET STRING OPTIONAL
# }
#
# EncryptionKey ::= SEQUENCE {
# keytype   [0] Int32,
# keyvalue  [1] OCTET STRING
# }

class UInt16(Integer):
    """UInt16 from the krbPrincipalKey schema; a plain Integer, no range constraint is enforced here."""

class UInt32(Integer):
    """UInt32 from the krbPrincipalKey schema; a plain Integer, no range constraint is enforced here."""

class Int32(Integer):
    """Int32 from the krbPrincipalKey schema; a plain Integer, no range constraint is enforced here."""

class EncryptionKey(Sequence):
    """EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }.

    Both members carry explicit context-specific tags, matching the schema
    comment above.
    """
    componentType = NamedTypes(
        NamedType('keytype',
                  Int32().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 0))),
        NamedType('keyvalue',
                  OctetString().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 1))),
    )

class KrbSalt(Sequence):
    """KrbSalt ::= SEQUENCE { type [0] Int32, salt [1] OCTET STRING OPTIONAL }.

    The script below adds instances holding only ``type`` to keys that lack a
    salt entirely.
    """
    componentType = NamedTypes(
        NamedType('type',
                  Int32().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 0))),
        OptionalNamedType('salt',
                          OctetString().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 1))),
    )

class KrbKey(Sequence):
    """KrbKey ::= SEQUENCE { salt [0] KrbSalt OPTIONAL, key [1] EncryptionKey, s2kparams [2] OCTET STRING OPTIONAL }.

    Component position 0 is the optional salt the fix-up script tests for.
    """
    componentType = NamedTypes(
        OptionalNamedType('salt',
                          KrbSalt().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 0))),
        NamedType('key',
                  EncryptionKey().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 1))),
        OptionalNamedType('s2kparams',
                          OctetString().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 2))),
    )

class KrbKeySet(Sequence):
    """KrbKeySet: the structure decoded from a krbPrincipalKey attribute value.

    attribute-major-vno [0] UInt16, attribute-minor-vno [1] UInt16,
    kvno [2] UInt32, mkvno [3] UInt32 OPTIONAL, keys [4] SEQUENCE OF KrbKey.
    """
    componentType = NamedTypes(
        NamedType('attribute_major_vno',
                  UInt16().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 0))),
        NamedType('attribute_minor_vno',
                  UInt16().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 1))),
        NamedType('kvno',
                  UInt32().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 2))),
        OptionalNamedType('mkvno',
                          UInt32().subtype(explicitTag=Tag(tagClassContext, tagFormatSimple, 3))),
        NamedType('keys',
                  SequenceOf(componentType=KrbKey()).subtype(
                      explicitTag=Tag(tagClassContext, tagFormatSimple, 4))),
    )



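def usage():
    """Print the command-line synopsis to stdout.

    Lists every option the getopt spec below accepts (-h, -D, -w, -H, -b)
    and the single positional LDAP search filter the script requires; the
    original message omitted -b and the filter argument.
    """
    print("kdb5_ldap_fixkeys [-h] [-D user_dn [-w passwd]] [-H ldapuri] [-b base_dn] ldap_filter")
    return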



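try:
    opts, args = getopt.getopt(sys.argv[1:], "hD:w:H:b:",
                               ["help", "binddn=", "password=", "ldapuri=", "base="])
except getopt.GetoptError as err:
    # Diagnostics go to stderr so stdout stays a clean LDIF stream.
    sys.stderr.write("%s\n" % err)
    usage()
    sys.exit(2)

binddn = ""
password = ""
base = ""
ldapuri = "ldapi:///"

for o, a in opts:
    if o in ("-h", "--help"):
        usage()
        sys.exit()
    elif o in ("-D", "--binddn"):
        binddn = a
    elif o in ("-w", "--password"):
        # NOTE: a password passed on the command line is visible to other
        # local users in the process list for as long as the script runs.
        password = a
    elif o in ("-H", "--ldapuri"):
        ldapuri = a
    elif o in ("-b", "--base"):
        base = a
    else:
        # getopt only returns options from the spec above, so reaching this
        # branch is a programming error; fail loudly instead of asserting.
        sys.exit("unhandled option %s" % o)

# Validate the positional argument before opening a connection.
if len(args) != 1:
    usage()
    sys.exit(2)

ldap_filter = args[0]


def _context_tag(number):
    """Return the explicit context-specific tag [number] used by the schema above."""
    return Tag(tagClassContext, tagFormatSimple, number)


def _empty_salt():
    """Build a KrbSalt { type 0 } carrying the [0] tag KrbKey expects for its salt."""
    salt = KrbSalt(tagSet=KrbSalt.tagSet.tagExplicitly(_context_tag(0)))
    salt.setComponentByName(
        "type", Int32(tagSet=Int32.tagSet.tagExplicitly(_context_tag(0)), value=0))
    return salt


def fix_keyset(der):
    """Add an empty KrbSalt to every KrbKey in one krbPrincipalKey value that lacks one.

    Args:
        der: the raw attribute value as read from the directory.

    Returns:
        (count, value): the number of keys patched and the re-encoded
        KrbKeySet; when count is 0 the input value is returned unchanged.

    Raises:
        whatever pyasn1 raises if the value does not decode as a KrbKeySet.
    """
    keyset = decoder.decode(der, asn1Spec=KrbKeySet())[0]
    count = 0
    for key in keyset.getComponentByPosition(4):  # 'keys'
        # pyasn1 0.1.x reads an unset OPTIONAL component back as None; newer
        # releases instantiate it instead -- TODO confirm before upgrading.
        if key.getComponentByPosition(0) is None:  # 'salt'
            key.setComponentByName("salt", _empty_salt())
            count += 1
    if count == 0:
        return 0, der
    return count, encoder.encode(keyset)


def emit_modify(dn, old_values, new_values):
    """Print one LDIF 'replace' change record for dn to stdout.

    The original values are echoed as LDIF comments so the change can be
    reviewed, and reverted by hand, before it is applied.  The record
    carries the stored key blobs, so the generated LDIF needs the same
    protection as the directory data it was read from.
    """
    print("dn: %s" % dn)
    print("changetype: modify")
    print("replace: krbPrincipalKey")
    for value in old_values:
        # .decode() keeps the output a text line on both Python 2 and 3.
        print("# krbPrincipalKey:: %s" % b64encode(value).decode("ascii"))
    for value in new_values:
        print("krbPrincipalKey:: %s" % b64encode(value).decode("ascii"))
    print("-\n")


try:
    conn = ldap.initialize(ldapuri)
    # simple_bind_s waits for the bind result, so a failed bind is reported
    # here instead of surfacing -- or going unnoticed -- at the first search.
    conn.simple_bind_s(binddn, password)
except ldap.LDAPError as error_message:
    sys.stderr.write("bind to %s failed: %s\n" % (ldapuri, error_message))
    sys.exit(1)

try:
    results = conn.search_s(base, ldap.SCOPE_SUBTREE, ldap_filter, ["krbPrincipalKey"])
    for dn, entry in results:
        values = entry.get("krbPrincipalKey", [])
        if not values:
            print("# No krbPrincipalKey attribute for %s" % dn)
            continue
        # Every value is fixed and re-emitted: 'replace' drops any value that
        # is not listed, so handling only the first one would lose the rest.
        patched = 0
        new_values = []
        for value in values:
            count, new_value = fix_keyset(value)
            patched += count
            new_values.append(new_value)
        if patched:
            print("# Adding empty KrbSalt on %d KrbKeys for %s" % (patched, dn))
            emit_modify(dn, values, new_values)
        else:
            print("# The krbPrincipalKey attribute for %s seems to be ok" % dn)
except ldap.LDAPError as error_message:
    sys.stderr.write("search failed: %s\n" % error_message)
    sys.exit(1)
finally:
    # Best-effort cleanup; a failed unbind must not mask the real outcome.
    try:
        conn.unbind_s()
    except ldap.LDAPError:
        pass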


--Apple-Mail=_20BF05D0-D545-48EF-93CB-27A989C8ACA6
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii



--Apple-Mail=_20BF05D0-D545-48EF-93CB-27A989C8ACA6--

--Apple-Mail=_2B8F946E-2CBB-4A2D-8C04-BFCEC221A565
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJTgxtIAAoJELceje+Z7H2LjqoIAL6w4B8XUDfmlzWXTpaChKgZ
zUlPgGXMmN4My66HYI1ABAwlUL09WPpneToHQHN3Pw7xyCAKD41Hl4mGDfR7KTlV
jeexv7FWumdF1cgHZUY2UpVG/R27Mc9yVcG73Vg4YI/AITMy62zTgKzvuVLv9CQ+
0p5GmOOwO5IAPrlcm798I5s46o+BldsQAvel3f7IeypgPEevh7MLE5bPd9HRxC3n
T9l4UUIOFamgGjj80wqnc71I49za0GRuH/Df+qdJ33KNQ7JBPrXZyvAjN7c0cmvX
/LQAhv7EedfOilHOgHzCC/IKqxgJENiscYUTVplkJ8v2nH2/YMdMP9/PpQNrq74=
=65jq
-----END PGP SIGNATURE-----

--Apple-Mail=_2B8F946E-2CBB-4A2D-8C04-BFCEC221A565--

--===============1487081852==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--===============1487081852==--
