[PATCH] bug fixes for gss code in audisp-remote

DJ Delorie dj at redhat.com
Fri Sep 12 16:46:32 UTC 2008


* use an in-process (MEMORY:) credential cache instead of a predictable file under /tmp, to avoid file-based attacks
* client principal name is configurable
* updated documentation and sample config file

diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.c trunk/audisp/plugins/remote/audisp-remote.c
--- pristine/audisp/plugins/remote/audisp-remote.c	2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.c	2008-09-12 12:30:18.000000000 -0400
@@ -455,7 +455,7 @@
 		return -1; }
 
 #define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
-#define CCACHE_NAME "FILE:/tmp/audisp-remote.ccache"
+#define CCACHE_NAME "MEMORY:audisp-remote"
 
 /* Each time we connect to the server, we negotiate a set of
    credentials and a security context.  To do this, we need our own
@@ -487,6 +487,8 @@
 	krb5_creds my_creds;
         krb5_get_init_creds_opt options;
 	krb5_keytab keytab = NULL;
+	const char *krb_client_name;
+	char host_name[255];
 
 	token_ptr = GSS_C_NO_BUFFER;
 	*gss_context = GSS_C_NO_CONTEXT;
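Review bot: `char host_name[255];` is an unexplained magic size; gethostname() is bounded by `HOST_NAME_MAX` from <limits.h> (plus one for the terminator), and POSIX does not promise a NUL terminator when the name is truncated, so the buffer should be declared `char host_name[HOST_NAME_MAX + 1];` and explicitly terminated after the call with `host_name[sizeof host_name - 1] = '\0';`. HOST_NAME_MAX may need a feature-test macro depending on the include lines, which are not visible here. The enclosing function's signature and the gethostname() call itself are outside this hunk.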
@@ -498,12 +500,20 @@
 	   /etc/krb5.conf (or wherever)  */
 	krberr = krb5_get_default_realm (kcontext, &realm_name);
 	KCHECK (krberr, "krb5_get_default_realm");
-	syslog (LOG_ERR, "kerberos principal: auditd/remote@%s\n", realm_name);
 
+	krb_client_name = config.krb_client_name ? config.krb_client_name : "auditd";
+	if (gethostname(host_name, sizeof(host_name)) != 0) {
+		syslog (LOG_ERR, "gethostname: host name longer than %d characters?",
+			sizeof (host_name));
+		return -1;
+	}
+
+	syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
+		krb_client_name, host_name, realm_name);
 	/* Encode our own "name" as auditd/remote at EXAMPLE.COM.  */
 	krberr = krb5_build_principal (kcontext, &audit_princ,
 				       strlen(realm_name), realm_name,
-				       "auditd", "remote", NULL);
+				       krb_client_name, host_name, NULL);
 	KCHECK (krberr, "krb5_build_principal");
 
 	/* Locate our machine's key table, where our private key is
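Review bot: The principal built by `krb5_build_principal(..., krb_client_name, host_name, NULL)` uses the raw gethostname() result, which is the kernel nodename and on many hosts a short name rather than the fully qualified domain name the man page in this patch promises (`auditd/host14.example.com@EXAMPLE.COM`), so the name will not match the keytab entry and the later init-creds call will fail on such hosts. Kerberos already has a canonicalizing helper for this: replace the gethostname()/build_principal pair with `krberr = krb5_sname_to_principal(kcontext, NULL, krb_client_name, KRB5_NT_SRV_HST, &audit_princ);`, which resolves the local host name according to krb5.conf, leaving `host_name` needed only for the log line if at all. Two smaller points: the syslog `gethostname: host name longer than %d characters?` passes a `size_t` (sizeof) to `%d` and should use `%zu`, and the comment `/* Encode our own "name" as auditd/remote at EXAMPLE.COM.  */` is now stale and should read `/* Encode our own name as <krb_client_name>/<hostname>@<default realm>. */`. The enclosing function begins and ends outside this hunk.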
Only in trunk/audisp/plugins/remote: audisp-remote.c.mine
Only in trunk/audisp/plugins/remote: audisp-remote.c.r87
Only in trunk/audisp/plugins/remote: audisp-remote.c.r94
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf trunk/audisp/plugins/remote/audisp-remote.conf
--- pristine/audisp/plugins/remote/audisp-remote.conf	2008-08-29 11:53:55.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf	2008-09-12 12:38:30.000000000 -0400
@@ -21,3 +21,6 @@
 remote_ending_action = suspend
 generic_error_action = syslog
 generic_warning_action = syslog
+
+# gss_principal = something at EXAMPLE.COM
+# krb_client_name = auditd
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/audisp-remote.conf.5 trunk/audisp/plugins/remote/audisp-remote.conf.5
--- pristine/audisp/plugins/remote/audisp-remote.conf.5	2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/audisp-remote.conf.5	2008-09-12 12:37:18.000000000 -0400
@@ -125,16 +125,23 @@
 .I gss_principal
 If specified, GSS (via Kerberos) will be used to encrypt the
 connection to the server.  The client and server will use the
-specified principal to negotiate the encryption.  The client will
-use a key named like
-.I auditd/remote at EXAMPLE.COM
-stored in
-.I /etc/audisp/audisp-remote.key
-to authenticate itself.  The format for the
+specified principal to negotiate the encryption.  The format for the
 .I gss_principal
 is like somename at EXAMPLE.COM, see the auditd.conf man page for
 details.  Note that encryption can only be used with managed
 connections, not plain ASCII.
+.TP
+.I krb_client_name
+This specifies the name portion of the client's own principal.  If
+unspecified, the default is "auditd".  The remainder of the principal
+will consist of the host's fully qualified domain name and the default
+Kerberos realm, like this:
+.I auditd/host14.example.com at EXAMPLE.COM
+(assuming you gave "auditd" as the krb_client_name).  The key for this
+principal must be stored in
+.I /etc/audisp/audisp-remote.key
+on the client machine.
+
 
 .SH "NOTES"
 Specifying a local port may make it difficult to restart the audit
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.c trunk/audisp/plugins/remote/remote-config.c
--- pristine/audisp/plugins/remote/remote-config.c	2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.c	2008-09-12 12:37:27.000000000 -0400
@@ -77,6 +77,8 @@
 #ifdef USE_GSSAPI
 static int gss_principal_parser(struct nv_pair *nv, int line, 
 		remote_conf_t *config);
+static int krb_client_name_parser(struct nv_pair *nv, int line, 
+		remote_conf_t *config);
 #endif
 static int network_retry_time_parser(struct nv_pair *nv, int line, 
 		remote_conf_t *config);
@@ -111,6 +113,7 @@
   {"heartbeat_timeout",      heartbeat_timeout_parser,          0 },
 #ifdef USE_GSSAPI
   {"gss_principal",          gss_principal_parser,              0 },
+  {"krb_client_name",         krb_client_name_parser,             0 },
 #endif
   {"network_failure_action", network_failure_action_parser,	0 },
   {"disk_low_action",        disk_low_action_parser,		0 },
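Review bot: The new row `{"krb_client_name",         krb_client_name_parser,             0 },` is padded one column wider than its neighbours in the parser table. Align it with the `gss_principal` row directly above so the table's columns stay lined up.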
@@ -174,6 +177,7 @@
 	config->heartbeat_timeout = 0;
 #ifdef USE_GSSAPI
 	config->gss_principal = NULL;
+	config->krb_client_name = NULL;
 #endif
 
 #define IA(x,f) config->x##_action = f; config->x##_exe = NULL
@@ -589,6 +593,9 @@
 {
 	const char *ptr = nv->value;
 
+	if (config->gss_principal)
+		free ((char *)config->gss_principal);
+
 	if (strcmp (ptr, "none") == 0) {
 		config->gss_principal = NULL;
 	} else {
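Review bot: After `free ((char *)config->gss_principal);` the field is left dangling until the branch below reassigns it; that is only safe because both branches store a new value, and the strdup in the else branch sits between this hunk and the next, so if its result can be NULL the field should be reset (`config->gss_principal = NULL;`) right after the free rather than relying on the later store. The `(char *)` cast exists only because a heap-owned string is declared `const char *` in remote_conf_t; declaring it `char *` would remove the cast and make the ownership explicit. The function's signature is outside this hunk.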
@@ -596,6 +603,18 @@
 	}
 	return 0;
 }
+
+static int krb_client_name_parser(struct nv_pair *nv, int line,
+	remote_conf_t *config)
+{
+	const char *ptr = nv->value;
+
+	if (config->krb_client_name)
+		free ((char *)config->krb_client_name);
+
+	config->krb_client_name = strdup(ptr);
+	return 0;
+}
 #endif
 
 /*
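Review bot: `config->krb_client_name = strdup(ptr);` is stored unchecked and an empty value is accepted: if strdup fails the field stays NULL and the caller silently falls back to the built-in `auditd` default, and an empty string yields a principal whose first component is empty. Reject both before returning success, e.g. `if (*ptr == '\0' || config->krb_client_name == NULL) { /* report with line, using this file's usual error reporting */ return 1; }`, assuming a non-zero return is how the other parsers in this file signal a parse error (their bodies are not in this hunk). The `line` parameter is otherwise unused here, which is presumably what it is for.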
diff -x .svn -U 3 -r pristine/audisp/plugins/remote/remote-config.h trunk/audisp/plugins/remote/remote-config.h
--- pristine/audisp/plugins/remote/remote-config.h	2008-09-12 10:49:20.000000000 -0400
+++ trunk/audisp/plugins/remote/remote-config.h	2008-09-12 12:08:16.000000000 -0400
@@ -45,6 +45,7 @@
 	unsigned int heartbeat_timeout;
 #ifdef USE_GSSAPI
 	const char *gss_principal;
+	const char *krb_client_name;
 #endif
 
 	failure_action_t network_failure_action;



