1109919 – Backport https support into libkrb5

Bug 1109919 - Backport https support into libkrb5

Summary: Backport https support into libkrb5

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	Patrik Kis
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-16 15:45 UTC by Nalin Dahyabhai
Modified:	2015-03-05 10:00 UTC (History)
CC List:	4 users (show)
Fixed In Version:	krb5-1.12.2-7.el7
Doc Type:	Enhancement
Doc Text:	Feature: Support for contacting KDCs and kpasswd servers via HTTPS proxies which implement the KKDCP protocol has been backported. Reason: The Kerberos client libraries could not communicate with KDCs or kpasswd servers in environments where realm services were only accessible via a KKDCP proxy. Result: When a realm's configuration specifies a realm's KDC's or kpasswd server's location in the form of an HTTPS URI, the Kerberos client library will now use KKDCP to communicate with the server.
Clone Of:
Environment:
Last Closed:	2015-03-05 10:00:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0439	0	normal	SHIPPED_LIVE	Moderate: krb5 security, bug fix and enhancement update	2015-03-05 14:38:14 UTC

Description Nalin Dahyabhai 2014-06-16 15:45:28 UTC

Description of problem:
We'd like for Kerberos clients to be able to access KDCs and password changing services over https proxies, via the [MS-KKDCP] support that's planned for krb5 1.13.  If we don't end up jumping to that in the next update, we're going to want to backport it.

Version-Release number of selected component (if applicable):
krb5-1.11.3-49.el7

How reproducible:
Always

Steps to Reproduce:
1. Stand up a Windows Server with the KDC Proxy Service running, or a web server with python kdcproxy.
2. Configure /etc/krb5.conf with 'kdc' and 'kpasswd_server' entries only in the form of https URLs and with the server's CA as a trusted anchor, either in the default locations or via explicit configuration.
3. Attempt each of 'kinit' (AS request), 'kvno' (TGS request), and 'kpasswd' (kpasswd request).

Actual results:
Each fails because the library doesn't know how to even parse HTTPS URLs, much less use them.

Expected results:
Each should succeed.

Comment 5 errata-xmlrpc 2015-03-05 10:00:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html

Note You need to log in before you can comment on or make changes to this bug.