latchset / kdcproxy Goto Github PK
View Code? Open in Web Editor NEWA kerberos KDC HTTP/HTTPS proxy WSGI module
License: MIT License
A kerberos KDC HTTP/HTTPS proxy WSGI module
License: MIT License
There is a typo around line 194 of kdcproxy/init.py:
logging.warning("Conection broken while writing (%s)", e)
In init.py, call uses socket.getaddrinfo with no specified socket type to get a list of socket addresses to try. Empirically on my system, this results in SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW addresses. Nothing in the code appears to filter out the SOCK_RAW addresses; I think it should use only SOCK_STREAM or SOCK_DGRAM addresses as UDP and TCP are the only transports over which the Kerberos protocol is defined.
Hello,
is it possible to inspect the KRB ticket request and allow only configured ticket request? E.g.
Thanks in advance
The sending loop in call uses a timeout of 10 seconds for TCP socket addresses, before a successful connection. If a KDC completely fails to respond to packets, the code will wait ten seconds before trying UDP, and then two more seconds before trying another KDC.
In our Active Directory environment UDP is not used, infact the KDC answers with:
Received error from KDC: -1765328332/Antwort für UDP zu groß, erneuter Versuch mit TCP
Therefore, all servers are set to: [libdefaults]/udp_preference_limit = 1
.
kdcproxy.conf
is:
[global]
configs = mit
and krb5 .conf
on the server where the KDC Proxy is running:
[libdefaults]
default_realm = AD001.SIEMENS.NET
forwardable = true
canonicalize = true
dns_lookup_kdc = true
dns_uri_lookup = false
rdns = false
udp_preference_limit = 1
[domain_realm]
...
webtest pulls in a lot of dependencies. For Fedora testing, make webtest optional and skip KDCProxyWSGITests
tests when the package is not available.
See https://src.fedoraproject.org/rpms/python-kdcproxy/pull-request/3
kdcproxy has no test cases for AS-REQ with anon pkinit and pkinit. FreeIPA 4.5 will use anon PKINIT to establish a FAST channel for OTP.
=================================== FAILURES ===================================
________________________ KDCProxyCodecTests.test_asreq _________________________
self = <tests.KDCProxyCodecTests testMethod=test_asreq>
def test_asreq(self):
> outer = self.assert_decode(self.asreq1, codec.ASProxyRequest)
tests.py:202:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests.py:196: in assert_decode
der = encoder.encode(inner)
/usr/lib/python2.7/site-packages/pyasn1/codec/der/encoder.py:56: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/cer/encoder.py:203: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:483: in __call__
self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:61: in encode
encodeFun, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:99: in encodeValue
return encodeFun(value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty), True, True
/usr/lib/python2.7/site-packages/pyasn1/codec/der/encoder.py:56: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/cer/encoder.py:203: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:483: in __call__
self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:61: in encode
encodeFun, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/cer/encoder.py:151: in encodeValue
substrate = encodeFun(value[idx], defMode, maxChunkSize, namedTypes[idx].isOptional) + substrate
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = NamedTypes(), idx = 3
def __getitem__(self, idx):
try:
> return self.__namedTypes[idx]
E IndexError: tuple index out of range
/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py:152: IndexError
________________________ KDCProxyCodecTests.test_tgsreq ________________________
self = <tests.KDCProxyCodecTests testMethod=test_tgsreq>
def test_tgsreq(self):
> outer = self.assert_decode(self.tgsreq, codec.TGSProxyRequest)
tests.py:208:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests.py:196: in assert_decode
der = encoder.encode(inner)
/usr/lib/python2.7/site-packages/pyasn1/codec/der/encoder.py:56: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/cer/encoder.py:203: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:483: in __call__
self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:61: in encode
encodeFun, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:99: in encodeValue
return encodeFun(value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty), True, True
/usr/lib/python2.7/site-packages/pyasn1/codec/der/encoder.py:56: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/cer/encoder.py:203: in __call__
return encoder.Encoder.__call__(self, value, defMode, maxChunkSize, ifNotEmpty)
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:483: in __call__
self, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/ber/encoder.py:61: in encode
encodeFun, value, defMode, maxChunkSize, ifNotEmpty=ifNotEmpty
/usr/lib/python2.7/site-packages/pyasn1/codec/cer/encoder.py:151: in encodeValue
substrate = encodeFun(value[idx], defMode, maxChunkSize, namedTypes[idx].isOptional) + substrate
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = NamedTypes(), idx = 3
def __getitem__(self, idx):
try:
> return self.__namedTypes[idx]
E IndexError: tuple index out of range
/usr/lib/python2.7/site-packages/pyasn1/type/namedtype.py:152: IndexError
Currently, the location of the kdcproxy.conf is hard-coded, which is making it harder to integrate into a reasonably well isolated test setup under pythonpaste.
The Kerberos libraries themselves will look at a configuration named by $KRB5_CONFIG, if it's set, in preference to the hard-coded default location. Something akin to this would probably work here, as I don't expect people to randomly be setting, say, KDCPROXY_CONFIG in the environment when launching a proper copy of httpd. An optional initialization parameter would work just as well for my use case, though.
When running kdcproxy in mod_wsgi, it is unclear from which
component error messages come from. For example:
mod_wsgi.c(): [client WARNING:root:Connection broken while writing (...)
It was discovered that python-kdcproxy did not reject overly large POST
requests in the recommend default configuration, allocating arbitrary amounts of memory, eventually triggering the OOM killer, leading to a denial of service.
Possible mitigation:
Add “LimitRequestBody 100000” to the stanza, like this:
<Location "/KdcProxy">
Satisfy Any
Order Deny,Allow
Allow from all
WSGIProcessGroup kdcproxy
WSGIApplicationGroup kdcproxy
LimitRequestBody 100000
</Location>
This has been assigned CVE-2015-5159. Red Hat flaw bug: https://bugzilla.redhat.com/show_bug.cgi?id=1245200
I don't have permission to upload 0.3.3 on PyPI. You can use https://pypi.python.org/pypi/twine to upload the kdcproxy-0.3.3.tar.gz
and kdcproxy-0.3.3-py2.py3-none-any.whl
files from https://github.com/latchset/kdcproxy/releases/tag/v0.3.3
As the title says, if the kdcproxy perform health check, then it can act as a HA/fault tolerance mechanism at application layer, which I think is what kerberos currently leak of (I think kerberos only has a replica mechanism, but leak of loadblance/HA capability)
https://github.com/latchset/kdcproxy/blob/master/README says I have to see two POST requests in the log of the HTTP server, but I see only one. Is the information with 2x POST still current?
The KDC proxy protocol document requires DER encoding of the ASN.1 values. codec.py imports encoder and decoder from pyasn1.codec.ber, so it may be encoding values in ways that aren't DER-compliant.
In
kdcproxy/kdcproxy/config/mit.py
Lines 236 to 238 in 4bf6163
the property dns_fallback
is used, but the krb5.conf
reference doc does not even mention it: https://web.mit.edu/kerberos/krb5-1.17/doc/admin/conf_files/krb5_conf.html
I assume you trying to mimic:
It deserves at least a comment in the code.
Hello,
I'm trying to use kdcproxy
installed via apt
on Ubuntu 22.04.4 LTS to use with macOS and iOS endpoints using what Apple call the Kerberos SSO Extension
According to their documentation, KKDCP is supported and I can indeed get both macOS and iOS client trying to talk with kdcproxy, however on the kdcproxy side, it fail with an Invalid request length
error and 400 code.
Here is a sample content body from an intercepted POST
request from an iOS client:
3081f8a081e00481dd6a81da3081d7a103020105a20302010aa30e300c300aa10402020095a2020400a481ba3081b7a00703050050810000a131302fa003020101a12830261b2430613834336339372d353134312d343336662d626335662d623932363864643537643964a2131b1150523330382e4252415641532e54454348a3263024a003020102a11d301b1b066b72627467741b1150523330382e4252415641532e54454348a511180f32303234303332303036333531355aa611180f32303234303431383230333531355aa706020411cfde1aa80e300c020112020111020110020117a1131b1150523330382e4252415641532e54454348
This content however seems correctly decoded by http://ldh.org/asn1.html but I'm not expert in ASN.1.
Is there a config issue on my side? A bug on kdcproxy? Something else?
Hi folks,
I came across this package in my search to find a solution to my problem.
However Im having issues trying to get it to work.
my problem is that I have a client machine that cant see our domain controllers
so Im trying to set up kdcproxy on a machine that can see the controllers that can
be seen from the client machine.
Ive installed both from git and installing from the python-kdcproxy package on both ubuntu (16.04) and centos (7) machines.
Everything installs fine, apache has a config file for redirecting /kdcproxy to the python code, I get a response back from trying to connect to the server:
curl --cacert cert_file https://apache_server/kdcproxy
Method not allowed (GET).
Im not sure if that is the expected return though.
a kinit does different things then your example:
env KRB5_TRACE=/dev/stdout kinit user
[18780] 1526486985.326854: Getting initial credentials for user@domain
[18780] 1526486985.327033: Sending request (189 bytes) to domain
[18780] 1526486985.327066: Resolving hostname apache_server
[18780] 1526486985.327707: Terminating TCP connection to https ip:port
kinit: Cannot contact any KDC for realm 'domain' while getting initial credentials
(hostname/usernames/ip address/domains/etc have been changed to protect the guilty)
on the "apache_server" machine all kerberos related operations work fine, its /etc/krb5.conf file
is set up nicely.
on the machine trying to use the proxy the /etc/krb5.conf file is
...
[realms]
domain = {
http_anchors = FILE:cert_file
kdc = https://apache_server:port/kdcproxy
kpasswd_server = https://apache_server:port/kdcproxy
}
But any attempts on the client machine to ssh into it using krb5 passwords fail.
I can see incoming traffic on apache_server:port from the client machine request but there is never
any traffic outbound to the domain controllers.
there are no error messages nor any messages of any kind in the /var/log/httpd/* files
when an ssh attempt is made on the client.
Startup messages from httpd are there and look fine.
oh and the /etc/kdcproxy file on the apache_server machine has gone through various
forms none of which are any better then any other. but its was things like:
[global]
configs = mit
[domain]
kerberos = kerberos://domaincontroller
kerberos = kerberos+tcp://domaincontroller
similarly with kpasswd, with and without ports (88/464)
Im at a loss as to why I cant get things to work.
Thoughts?
thanks.
steve
libkrb5 does it on its own normally and is influenced by locator plugins. kdcproxy should just follow suite.
PyCA cryptography 1.8 has dropped pyasn1 and uses asn1crypto. The decision was made because the library is faster. We should consider to either replace our ASN.1 parsing with asn1crypto or support both libraries. This would allow us to drop dependency on pyasn1 and pyasn1_modules in FreeIPA stack.
On two occasions I wrote retval
instead of restype
. The problem is harmless (NULL return), but still wrong.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.