[SERVER-43163] Add keytab checks Created: 04/Sep/19  Updated: 29/Oct/23  Resolved: 22/Nov/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.3.3

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Adam Cooper (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: Security 2019-10-21, Security 2019-11-04, Security 2019-11-18, Security 2019-12-02
Participants:

Description

Check that the keytab exists if it is a file-based keytab, and warn the user if it does not - https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_kt_have_content.html

Iterate through all keytab entries:
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_kt_client_default.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_kt_start_seq_get.html
Server: check for principals with the prefix mongodb whose host component does not match this server's DNS name
Client: check that the user specified as the user name is the one listed in the keytab
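
One way to run the server and client checks above over a keytab's contents, as an added example that is not part of this ticket or of the MongoDB change: rather than calling the krb5 API linked above, it parses the MIT keytab file format (version 0x0502) directly in Python and inspects the principals. The sample keytab, the realm EXAMPLE.COM, the host names and the function names are constructed for this example.

```python
import struct
def _octets(buf, off):
    """Read a uint16-length-prefixed string (realm or principal component)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse MIT keytab (format 0x0502) bytes into a list of {principal, components, kvno}."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size < 0:                      # negative size marks a deleted entry: skip the hole
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp)
        vno8, klen = struct.unpack_from(">BxxH", data, off + 8)   # after name type and timestamp
        off += 13 + klen                  # skip enctype and key material; only principals matter
        kvno = (end - off >= 4 and struct.unpack_from(">I", data, off)[0]) or vno8  # optional vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "components": comps, "kvno": kvno})
        off = end
    return entries

def server_keytab_warnings(entries, fqdn, service="mongodb"):
    """Server check: service entries whose host component is not this server's DNS name."""
    return [f"keytab entry {e['principal']} does not match host {fqdn}" for e in entries
            if len(e["components"]) == 2 and e["components"][0] == service
            and e["components"][1].lower() != fqdn.lower()]

def client_user_in_keytab(entries, user):
    """Client check: the configured user (with or without @REALM) has an entry in the keytab."""
    return any(user in (e["principal"], e["principal"].rsplit("@", 1)[0]) for e in entries)

def _entry(realm, comps, kvno, key):
    """One entry of the constructed sample keytab (dummy key bytes, enctype 18 = aes256-cts)."""
    pack = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(comps)) + pack(realm) + b"".join(map(pack, comps))
            + struct.pack(">IIBHH", 1, 1567555200, kvno & 0xFF, 18, len(key)) + key + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02" + _entry("EXAMPLE.COM", ["mongodb", "db1.example.com"], 3, b"\x00" * 32)
                 + _entry("EXAMPLE.COM", ["mongodb", "db2.example.com"], 3, b"\x11" * 32)
                 + _entry("EXAMPLE.COM", ["appuser"], 1, b"\x22" * 32))
```

Running `server_keytab_warnings(parse_keytab(SAMPLE_KEYTAB), "db1.example.com")` flags the db2 service entry, which is the kind of mismatch the server-side check is meant to surface at startup.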

Optional:

  • Report the current active contexts with "klist -Al"
  • If "KRB5_CONFIG" is defined, get the krb5.conf contents
  • If "KRB5_TRACE" is defined, get the ktrace.log contents
  • If "KRB5_KTNAME" is defined, get the keytab entries with "ktutil -k $KRB5_KTNAME list"
  • If "KRB5_CLIENT_KTNAME" is defined, get the keytab entries with "ktutil -k $KRB5_CLIENT_KTNAME list"


Comments
Comment by Githook User [ 22/Nov/19 ]

Author: Adam Cooper <adam.cooper@mongodb.com> (username: super-cooper)

Message: SERVER-43163 Add keytab checks
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/2d26640453e3c03037848230c61e61740a0a36be

Generated at Thu Feb 08 05:02:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.