From mboxrd@z Thu Jan 1 00:00:00 1970
From: DJ Delorie
Subject: [PATCH] bug fixes for gss code in audisp-remote
Date: Fri, 12 Sep 2008 12:46:32 -0400
Message-ID: <200809121646.m8CGkWvl002664@greed.delorie.com>
Return-path:
Received: from greed.delorie.com (vpn-12-95.rdu.redhat.com [10.11.12.95]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m8CGkWC5016805 for ; Fri, 12 Sep 2008 12:46:44 -0400
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com
* use memory cache for credentials to avoid file-based attack
* client principal name is configurable
* updated documentation and sample config file
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.c trunk/audisp/plugins/remote/audisp-remote.c
--- pristine/audisp/plugins/remote/audisp-remote.c 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.c 2008-09-12 12:30:18.000000000 -0400
@@ -455,7 +455,7 @@
return -1;
}
#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
-#define CCACHE_NAME "FILE:/tmp/audisp-remote.ccache"
+#define CCACHE_NAME "MEMORY:audisp-remote"
/* Each time we connect to the server, we negotiate a set of credentials and a security context. To do this, we need our own
@@ -487,6 +487,8 @@
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_keytab keytab = NULL;
+ const char *krb_client_name;
+ char host_name[255];
token_ptr = GSS_C_NO_BUFFER;
*gss_context = GSS_C_NO_CONTEXT;
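Review bot: The new `CCACHE_NAME` value carries no explanation of why the credential cache left the filesystem, which is the security-relevant part of this commit; a later reader of audisp-remote.c sees only a string. Suggest a comment above the define, e.g. `/* MEMORY: keeps the ticket cache inside this process rather than at a predictable, shared path under /tmp, so other local users cannot read or replace it. */`. If the consequence — credentials are re-obtained from the keytab on every start because nothing persists — is intended, the comment should say that too.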
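Review bot: `char host_name[255];` is sized by a magic number rather than the limit gethostname() is defined against; `char host_name[HOST_NAME_MAX + 1];` (from <limits.h>, with a fallback to `sysconf(_SC_HOST_NAME_MAX)` or a local define on platforms that do not provide the constant) states the intent. POSIX leaves it unspecified whether a truncated result is NUL-terminated, so the call in the next hunk should also force termination, `host_name[sizeof host_name - 1] = '\0';`, before the buffer is logged and handed to krb5_build_principal. The enclosing function starts before this hunk and continues after it.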
@@ -498,12 +500,20 @@
/etc/krb5.conf (or wherever) */
krberr = krb5_get_default_realm (kcontext, &realm_name);
KCHECK (krberr, "krb5_get_default_realm");
- syslog (LOG_ERR, "kerberos principal: auditd/remote@%s\n", realm_name);
+ krb_client_name = config.krb_client_name ? config.krb_client_name : "auditd";
+ if (gethostname(host_name, sizeof(host_name)) != 0) {
+ syslog (LOG_ERR, "gethostname: host name longer than %d characters?",
+ sizeof (host_name));
+ return -1;
+ }
+
+ syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
+ krb_client_name, host_name, realm_name);
/* Encode our own "name" as auditd/remote@EXAMPLE.COM. */
krberr = krb5_build_principal (kcontext, &audit_princ, strlen(realm_name), realm_name,
- "auditd", "remote", NULL);
+ krb_client_name, host_name, NULL);
KCHECK (krberr, "krb5_build_principal");
/* Locate our machine's key table, where our private key is
Only in trunk/audisp/plugins/remote: audisp-remote.c.mine
Only in trunk/audisp/plugins/remote: audisp-remote.c.r87
Only in trunk/audisp/plugins/remote: audisp-remote.c.r94
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf trunk/audisp/plugins/remote/audisp-remote.conf
--- pristine/audisp/plugins/remote/audisp-remote.conf 2008-08-29 11:53:55.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf 2008-09-12 12:38:30.000000000 -0400
@@ -21,3 +21,6 @@
remote_ending_action = suspend
generic_error_action = syslog
generic_warning_action = syslog
+
+# gss_principal = something@EXAMPLE.COM
+# krb_client_name = auditd
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf.5 trunk/audisp/plugins/remote/audisp-remote.conf.5
--- pristine/audisp/plugins/remote/audisp-remote.conf.5 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf.5 2008-09-12 12:37:18.000000000 -0400
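Review bot: The error path added after gethostname() passes a `size_t` (`sizeof (host_name)`) to a `%d` conversion, which is undefined behaviour and a -Wformat warning; since the call can also fail for reasons other than length, report the actual cause instead of guessing: `syslog (LOG_ERR, "gethostname failed: %s", strerror(errno));`. The context comment `/* Encode our own "name" as auditd/remote@EXAMPLE.COM. */` is now stale — the principal built below is `<krb_client_name>/<hostname>@REALM` — and should be updated to say so. The man page hunk in this patch promises the host's fully qualified domain name, but gethostname() returns the kernel's configured hostname, which may be a short name; either the documentation should describe what is actually used or the name should be canonicalised (for example via getaddrinfo with AI_CANONNAME) before krb5_build_principal. The enclosing function starts before this hunk and continues after it.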
@@ -125,16 +125,23 @@
.I gss_principal
If specified, GSS (via Kerberos) will be used to encrypt the connection to the server. The client and server will use the
-specified principal to negotiate the encryption. The client will
-use a key named like
-.I auditd/remote@EXAMPLE.COM
-stored in
-.I /etc/audisp/audisp-remote.key
-to authenticate itself. The format for the
+specified principal to negotiate the encryption. The format for the
.I gss_principal
is like somename@EXAMPLE.COM, see the auditd.conf man page for details. Note that encryption can only be used with managed connections, not plain ASCII.
+.TP
+.I krb_client_name
+This specifies the name portion of the client's own principal. If
+unspecified, the default is "auditd". The remainder of the principal
+will consist of the host's fully qualified domain name and the default
+Kerberos realm, like this:
+.I auditd/host14.example.com@EXAMPLE.COM
+(assuming you gave "auditd" as the krb_client_name). The key for this
+principal must be stored in
+.I /etc/audisp/audisp-remote.key
+on the client machine.
+
.SH "NOTES"
Specifying a local port may make it difficult to restart the audit
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.c trunk/audisp/plugins/remote/remote-config.c
--- pristine/audisp/plugins/remote/remote-config.c 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.c 2008-09-12 12:37:27.000000000 -0400
@@ -77,6 +77,8 @@
#ifdef USE_GSSAPI
static int gss_principal_parser(struct nv_pair *nv, int line, remote_conf_t *config);
+static int krb_client_name_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config);
#endif
static int network_retry_time_parser(struct nv_pair *nv, int line, remote_conf_t *config);
@@ -111,6 +113,7 @@
{"heartbeat_timeout", heartbeat_timeout_parser, 0 },
#ifdef USE_GSSAPI
{"gss_principal", gss_principal_parser, 0 },
+ {"krb_client_name", krb_client_name_parser, 0 },
#endif
{"network_failure_action", network_failure_action_parser, 0 },
{"disk_low_action", disk_low_action_parser, 0 },
@@ -174,6 +177,7 @@
config->heartbeat_timeout = 0;
#ifdef USE_GSSAPI
config->gss_principal = NULL;
+ config->krb_client_name = NULL;
#endif
#define IA(x,f) config->x##_action = f; config->x##_exe = NULL
@@ -589,6 +593,9 @@
{
const char *ptr = nv->value;
+ if (config->gss_principal)
+ free ((char *)config->gss_principal);
+
if (strcmp (ptr, "none") == 0) {
config->gss_principal = NULL;
} else {
@@ -596,6 +603,18 @@
}
return 0;
}
+
+static int krb_client_name_parser(struct nv_pair *nv, int line,
+ remote_conf_t *config)
+{
+ const char *ptr = nv->value;
+
+ if (config->krb_client_name)
+ free ((char *)config->krb_client_name);
+
+ config->krb_client_name = strdup(ptr);
+ return 0;
+}
#endif
/*
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.h trunk/audisp/plugins/remote/remote-config.h
--- pristine/audisp/plugins/remote/remote-config.h 2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.h 2008-09-12 12:08:16.000000000 -0400
@@ -45,6 +45,7 @@
unsigned int heartbeat_timeout;
#ifdef USE_GSSAPI
const char *gss_principal;
+ const char *krb_client_name;
#endif
failure_action_t network_failure_action;
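Review bot: In `gss_principal_parser`, after `free ((char *)config->gss_principal);` the field still holds the freed pointer until the else branch (outside this hunk) reassigns it; if that branch's copy can fail without storing anything, a later re-parse of the configuration would free the same pointer twice. Setting `config->gss_principal = NULL;` immediately after the free closes that window for one line. The same free-then-reassign pattern in `krb_client_name_parser` below is safe only because `strdup` is assigned unconditionally; the enclosing function here starts and ends outside the hunk.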
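Review bot: `krb_client_name_parser` accepts any value and never checks `strdup`: an empty string is stored and later becomes an empty first component of the client principal, and on allocation failure the field silently becomes NULL, which audisp-remote.c then reads as "use the default" with nothing logged. The unused `line` parameter suggests the error-reporting path the file's other parsers have is missing here; a version that rejects an empty value and reports allocation failure is sketched below, using whatever return value and logging the sibling parsers use on bad input. Whatever routine releases `gss_principal` when the configuration is freed (not in this diff) also needs to free `krb_client_name`.
```c
static int krb_client_name_parser(struct nv_pair *nv, int line,
		remote_conf_t *config)
{
	const char *ptr = nv->value;

	/* An empty name would yield a principal with an empty first component. */
	if (ptr == NULL || *ptr == '\0') {
		/* report the bad value at `line` the way the other parsers do - confirm convention */
		return 1;
	}

	if (config->krb_client_name)
		free ((char *)config->krb_client_name);

	config->krb_client_name = strdup(ptr);
	if (config->krb_client_name == NULL) {
		/* report allocation failure at `line` the way the other parsers do */
		return 1;
	}
	return 0;
}
```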