Last week I committed changes to the HDB backend interface that add
extensibility for new data types. This change had been waiting on
the new ASN.1 compiler to be committed. Two new features are
implemented on top of it: storing the password in the HDB (turned
off by default) and storing the password change time.
The hprop protocol, iprop protocol, kadmin protocol, and the dump file
format have changed to support storing the associated data. Most of
these changes are pretty simple; the one possible exception is the
handling of data that is unknown to older code, i.e. forward compatibility.
The extension modifies the HDB entry to include the following new
field.

    hdb_entry ::= SEQUENCE {
        [...]
        extensions[13] HDB-extensions OPTIONAL
    }
where the extensions are a list of HDB-extension:

    HDB-extensions ::= SEQUENCE OF HDB-extension
Now we come to the interesting part, the type data itself.

    HDB-extension ::= SEQUENCE {
        mandatory[0] BOOLEAN,
        data[1] CHOICE {
            [...]
            password[5] HDB-Ext-Password,
            last-pw-change[7] KerberosTime,
            ...
        },
        ...
    }
The extensibility is done in ASN.1, and the ASN.1 compiler has been tweaked to
store unknown branches of a CHOICE in a separate entry in the union, the
unknown type. This, together with the requirement that the first tag of each CHOICE
branch is unique, is used to handle HDB extension entries that
the current code base is unaware of. Another critical component is the
mandatory flag: it makes sure the KDC doesn't use an HDB entry carrying
an extension that somehow restricts the principal for general use.
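To make the forward-compatibility rule concrete, here is an added example (not Heimdal's code; a hand-written minimal DER reader/writer assuming explicit context tags and short-form lengths) that decodes a constructed HDB-extensions value, keeps an unknown CHOICE branch as opaque bytes so it survives a round trip, and applies the mandatory-flag check a KDC would make:

```python
# Hypothetical model of the HDB-extension handling described above.
def tlv(tag, content):
    assert len(content) < 128            # short-form DER lengths suffice here
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

KNOWN_BRANCHES = {0xA5: "password", 0xA7: "last-pw-change"}   # [5], [7]

def decode_extension(der):
    """Decode one HDB-extension; an unknown CHOICE branch is kept raw."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30                                        # SEQUENCE
    t0, mand_body, pos = read_tlv(body, 0)                    # mandatory[0]
    assert t0 == 0xA0
    mandatory = read_tlv(mand_body, 0)[1] != b"\x00"
    t1, choice_body, _ = read_tlv(body, pos)                  # data[1] CHOICE
    assert t1 == 0xA1
    branch_tag, value, _ = read_tlv(choice_body, 0)
    if branch_tag in KNOWN_BRANCHES:
        return {"mandatory": mandatory, "type": KNOWN_BRANCHES[branch_tag], "value": value}
    return {"mandatory": mandatory, "type": "unknown", "raw": choice_body}

def decode_extensions(der):
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30                                        # SEQUENCE OF
    exts, pos = [], 0
    while pos < len(body):
        _, _, end = read_tlv(body, pos)
        exts.append(decode_extension(body[pos:end]))
        pos = end
    return exts

def encode_extension(ext):
    mand = tlv(0xA0, tlv(0x01, b"\xff" if ext["mandatory"] else b"\x00"))
    if ext["type"] == "unknown":
        return tlv(0x30, mand + tlv(0xA1, ext["raw"]))        # re-emit untouched
    branch = {v: k for k, v in KNOWN_BRANCHES.items()}[ext["type"]]
    return tlv(0x30, mand + tlv(0xA1, tlv(branch, ext["value"])))

def encode_extensions(exts):
    return tlv(0x30, b"".join(encode_extension(e) for e in exts))

def kdc_may_use(exts):
    """A KDC must refuse an entry whose unknown extension is flagged mandatory."""
    return not any(e["type"] == "unknown" and e["mandatory"] for e in exts)

# Constructed sample: a known last-pw-change[7] (optional) and a made-up
# branch [9] that this code does not understand, flagged mandatory.
EXT_KNOWN = tlv(0x30, tlv(0xA0, tlv(0x01, b"\x00")) +
              tlv(0xA1, tlv(0xA7, tlv(0x18, b"20060101000000Z"))))
EXT_UNKNOWN = tlv(0x30, tlv(0xA0, tlv(0x01, b"\xff")) +
                tlv(0xA1, tlv(0xA9, tlv(0x04, b"future"))))
SAMPLE = tlv(0x30, EXT_KNOWN + EXT_UNKNOWN)
```

A dump or hprop pass would call decode_extensions and encode_extensions and preserve the [9] branch byte for byte, while kdc_may_use rejects the same entry.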
I'm not sure whether I missed my chance to add generic support for wrapping
the data in the master key. This is used by the password backend, but the
question is whether other extensions will need it too. Right now an unknown
extension only supports the mandatory flag. I'll have to make up my
mind about this before the 0.8 release.
I'm looking forward to adding PK-INIT ACLs, a credential delegation ACL,
and many other new features using HDB extensions. It's a very nice
feature; let's hope it grows more gracefully into the future than the last
format did.
The next changes to the HDB layer will be either adding the external
pointer that Andrew Bartlett is asking for, or writing a privilege
separation layer to more tightly control the long-term key material, like
principal keys and PK-INIT private keys. I've not given much thought
to the PK-INIT case since it requires some cooperation from the CMS
layer.
This all needs to wait; I will start looking at the GSS-API patches I
have lying around: DCE-RPC support, mech-glue and user2user Kerberos
GSS-API.
But with all those changes in, it is time for a 0.8 release; there are enough
new features. No need to rewrite the whole world before a release.