From c57484fe932ab4fb2d75186d7fbf2a1723d220b6 Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Mon, 6 Jun 2022 16:55:51 +0200 Subject: [PATCH 1/4] [#2247] Added a note against client-keytab --- doc/sphinx/arm/ext-gss-tsig.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 6126e32f30..28a9fd9ed4 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst @@ -804,6 +804,17 @@ The server map parameters are described below: - ``comment`` is allowed but currently ignored. +.. note:: + + Even when the client keytab can be specified either in the configuration + or the environment variable, leaving the library acquiring and caching + client credentials, to use cached client credentials is far better. + + For instance only the read access right is needed to use the cache, + to fetch credentials and update the cache requires the write access + right too. + + GSS-TSIG Automatic Key Removal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- GitLab From 4c638170d4ab993dc8ef65da0ceadf8f998273d7 Mon Sep 17 00:00:00 2001 From: Tomek Mrugalski Date: Fri, 24 Jun 2022 10:22:34 +0200 Subject: [PATCH 2/4] [#2247] Rephrased text --- doc/sphinx/arm/ext-gss-tsig.rst | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index 28a9fd9ed4..f415b64a0d 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst 
@@ -806,13 +806,17 @@ The server map parameters are described below: .. note:: - Even when the client keytab can be specified either in the configuration - or the environment variable, leaving the library acquiring and caching - client credentials, to use cached client credentials is far better. - - For instance only the read access right is needed to use the cache, - to fetch credentials and update the cache requires the write access - right too. + Generally it is not recommended to specify both the client keytab (``client-keytab``) + and the credentials cache (``credentials-cache``), although this may + differ between Kerberos implementations. The client keytab is just for + the client key and is typically used to specify the key explicitly in more + static manner, while the credentials cache can be used to store multiple + credentials and can be dynamically updated by the Keberos library. As such, + the credentials-cache is more flexible and thus the recommended alternative. + + Also note that only the read access right is needed to use the cache. + Fetching credentials and updating the cache requires the write access + right. GSS-TSIG Automatic Key Removal -- GitLab From ad90c809cec91bae7ef87b0c93772124a22df407 Mon Sep 17 00:00:00 2001 From: Tomek Mrugalski Date: Fri, 24 Jun 2022 10:29:47 +0200 Subject: [PATCH 3/4] [#2247] gss-tsig example configs updated --- doc/examples/ddns/gss-tsig.json | 13 ++++++++++--- doc/sphinx/arm/ext-gss-tsig.rst | 12 +++++++++--- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/doc/examples/ddns/gss-tsig.json b/doc/examples/ddns/gss-tsig.json index 0cc324df74..e98a2ef667 100644 --- a/doc/examples/ddns/gss-tsig.json +++ b/doc/examples/ddns/gss-tsig.json @@ -56,7 +56,7 @@ ] }, - // Need to add gss-tsig hook here + // The GSS-TSIG hook is loaded and its configuration is specified here. "hooks-libraries": [ { "library": "/opt/lib/libddns_gss_tsig.so", 
@@ -69,8 +69,15 @@ "server-principal": "DNS/server.example.org@EXAMPLE.ORG", "client-principal": "DHCP/admin.example.org@EXAMPLE.ORG", - "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only - "credentials-cache": "FILE:/etc/ccache", // toplevel only + + // client-keytab and credentials-cache can both be used to + // store client keys. As credentials cache is more flexible, + // it is recommended to use it. Typically, using both at the + // same time may cause problems. + // + // "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only + "credentials-cache": "FILE:/etc/ccache", // toplevel only + "tkey-lifetime": 3600, // 1 hour "rekey-interval": 2700, // 45 minutes "retry-interval": 120, // 2 minutes diff --git a/doc/sphinx/arm/ext-gss-tsig.rst b/doc/sphinx/arm/ext-gss-tsig.rst index f415b64a0d..b0012c2193 100644 --- a/doc/sphinx/arm/ext-gss-tsig.rst +++ b/doc/sphinx/arm/ext-gss-tsig.rst @@ -466,7 +466,7 @@ An excerpt from a D2 server configuration is provided below; more examples are a .. code-block:: javascript :linenos: - :emphasize-lines: 57-107 + :emphasize-lines: 57-113 { @@ -525,7 +525,7 @@ An excerpt from a D2 server configuration is provided below; more examples are a ] }, - // Need to add gss-tsig hook here + // The GSS-TSIG hook is loaded and its configuration is specified here. "hooks-libraries": [ { "library": "/opt/lib/libddns_gss_tsig.so", 
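Review bot: The new comment above `"credentials-cache"` says both options "store client keys", which contradicts the explanation this same series adds to ext-gss-tsig.rst: the keytab holds the client key, while the credentials cache holds credentials that the Kerberos library obtains and updates, so they are not two stores of the same thing. I would reword the opening to `// client-keytab holds the client key; credentials-cache holds the credentials obtained with it` and replace the doubly hedged `Typically, using both at the same time may cause problems.` with the rst note's wording, that configuring both is not recommended although this differs between Kerberos implementations. Because the rst note states that using the cache needs only read access while fetching credentials and updating it needs write access, the example should also say who keeps `FILE:/etc/ccache` populated once `client-keytab` is commented out — presumably an external kinit-style process if D2 is granted read-only access, though the hook's behaviour is not shown in this patch. Both files carry secrets (the keytab a long-term key, the cache live credentials), so a one-line reminder to restrict their permissions to the D2 user would fit next to the `// toplevel only` markers. The enclosing parameters object starts before this hunk.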
@@ -538,7 +538,13 @@ An excerpt from a D2 server configuration is provided below; more examples are a "server-principal": "DNS/server.example.org@EXAMPLE.ORG", "client-principal": "DHCP/admin.example.org@EXAMPLE.ORG", - "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only + + // client-keytab and credentials-cache can both be used to + // store client keys. As credentials cache is more flexible, + // it is recommended to use it. Typically, using both at the + // same time may cause problems. + // + // "client-keytab": "FILE:/etc/dhcp.keytab", // toplevel only "credentials-cache": "FILE:/etc/ccache", // toplevel only "tkey-lifetime": 3600, // 1 hour "rekey-interval": 2700, // 45 minutes -- GitLab From be8abc94ba1113308b8e542f56419c2cb82e2180 Mon Sep 17 00:00:00 2001 From: Tomek Mrugalski Date: Fri, 24 Jun 2022 10:31:13 +0200 Subject: [PATCH 4/4] [#2247] ChangeLog updated --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index a5a5e5741a..f4a602919b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2030. [doc] fdupont,tomek + GSS-TSIG examples updated. The recommendation to not use + client-keytab and credentials-cache at the same time added. + (Gitlab #2247) + 2029. [bug] fdupont The check of the subnet id in configuration is stricter: values outside the 0..4294967295 are rejected. Note that -- GitLab