.\" Copyright (c) 2020 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" 3. Neither the name of the Institute nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .Dd January 2, 2020 .Dt HTTPKADMIND 8 .Os HEIMDAL .Sh NAME .Nm httpkadmind .Nd HTTP HDB Administration Interface .Sh SYNOPSIS .Nm .Op Fl h | Fl Fl help .Op Fl Fl version .Op Fl H Ar HOSTNAME .Op Fl d | Fl Fl daemon .Op Fl Fl daemon-child .Op Fl Fl reverse-proxied .Op Fl p Ar port number (default: 443) .Op Fl Fl allow-GET .Op Fl Fl no-allow-GET .Op Fl Fl GET-with-csrf-token .Op Fl Fl csrf-header= Ns Ar HEADER-NAME .Op Fl Fl temp-dir= Ns Ar DIRECTORY .Op Fl Fl cert=HX509-STORE .Op Fl Fl private-key=HX509-STORE .Op Fl T | Fl Fl token-authentication-type=Negotiate|Bearer .Op Fl Fl realm=REALM .Op Fl Fl read-only .Op Fl l | Fl Fl local .Op Fl Fl local-read-only .Op Fl Fl hdb=HDB .Op Fl Fl stash-file=FILENAME .Op Fl Fl primary-server-uri=URI .Op Fl Fl read-only-admin-server=HOSTNAME[:PORT] .Op Fl Fl writable-admin-server=HOSTNAME[:PORT] .Op Fl Fl kadmin-client-name=PRINCIPAL .Op Fl Fl kadmin-client-keytab=KEYTAB .Op Fl t | Fl Fl thread-per-client .Oo Fl v \*(Ba Xo .Fl Fl verbose= Ns Ar run verbosely .Xc .Oc .Sh DESCRIPTION Serves the following resources over HTTP: .Ar /get-keys and .Ar /get-config . .Pp The .Ar /get-keys end-point allows callers to get a principal's keys in .Dq keytab format for named principals, possibly performing write operations such as creating a non-existent principal, or rotating its keys, if requested. Note that this end-point can cause KDC HDB principal entries to be modified or created incidental to fetching the principal's keys. The use of the HTTP POST method is required when this end-point writes to the KDC's HDB. See below. .Pp The .Ar /get-config end-point allows callers to get .Nm krb5.conf contents for a given principal. .Pp This service can run against a local HDB, or against a remote HDB via the .Nm kadmind(8) protocol. Read operations are always allowed, but write operations can be preformed either against writable .Nm kadmind(8) server(s) or redirected to another .Nm httpkadmind(8). .Pp The .Ar /get-config end-point accepts a single query parameter: .Bl -tag -width Ds -offset indent .It Ar princ=PRINCIPAL . .El .Sh HTTP APIS All HTTP APIs served by this program accept POSTs, with all request parameters given as either URI query parameters, and/or as form data in the POST request body, in either .Ar application/x-www-form-urlencoded or .Ar multipart/formdata . If GETs are enabled, then request parameters must be supplied as URI query parameters. .Pp Note that requests that cause changes to the HDB must always be done via POST, never GET. .Pp URI query parameters must be of the form .Ar param0=value¶m1=value... Some parameters can be given multiple values -- see the descriptions of the end-points. .Sh CROSS-SITE REQUEST FORGERY PROTECTION .Em None of the resources service by this service are intended to be executed by web pages. .Pp Most of the resources provided by this service are .Dq safe in the sense that they do not change server-side state besides logging, and in that they are idempotent, but they are only safe to execute .Em if and only if the requesting party is trusted to see the response. Since none of these resources are intended to be used from web pages, it is important that web pages not be able to execute them .Em and observe the responses. .Pp Some of the resources provided by this service do change server-side state, specifically principal entries in the KDC's HDB. Those always require the use of POST, not GET. .Pp In a web browser context, pages from other origins will be able to attempt requests to this service, but should never be able to see the responses because browsers normally wouldn't allow that. Nonetheless, anti cross site request forgery (CSRF) protection may be desirable. .Pp This service provides the following CSRF protection features: .Bl -tag -width Ds -offset indent .It requests are rejected if they have a .Dq Referer (except the experimental /get-negotiate-token end-point) .It the service can be configured to require a header that would make the request not Dq simple .It GETs can be disabled (see options), thus requiring POSTs .It GETs can be required to have a CSRF token (see below) .It POSTs can be required to have a CSRF token .El .Pp The experimental .Ar /get-negotiate-token end-point, however, always accepts .Dq Referer requests. .Pp To obtain a CSRF token, first execute the request without the CSRF token, and the resulting error response will include a .Ar X-CSRF-Token response header. .Pp To execute a request with a CSRF token, first obtain a CSRF token as described above, then copy the token to the request as the value of the request's .Ar X-CSRF-Token header. .Pp The key for keying the CSRF token HMAC is that of the first current key for the .Sq WELLKNOWN/CSRFTOKEN principal for the realm being used. Every realm served by this service must have this principal. .Sh GETTING KEYTABS The .Ar /get-keys end-point accepts various parameters: .Bl -tag -width Ds -offset indent .It Ar spn=PRINCIPAL Names the host-based service principal whose keys to get. May be given multiple times, and all named principal's keys will be fetched. .It Ar dNSName=HOSTNAME Names the host-based service principal's hostname whose keys to get. May be given multiple times, and all named principal's keys will be fetched. .It Ar service=SERVICE Hostnames given with .Ar dNSName=HOSTNAME will be qualified with this service name to form a host-based service principal. May be given multiple times, in which case the cartesian product of .Ar dNSName=HOSTNAME ad .Ar service=SERVICE will be used. Defaults to .Ar HTTP . .It realm=REALM Must be present if the .Nm httpkadmind daemon's default realm is not desired. .It Ar enctypes=ENCTYPE,... A comma-separated list of enctypes that the principal is expected to support (used for Kerberos Ticket session key negotiation). Defaults to the .Ar supported_enctypes configured in .Nm krb5.conf(5) . .It Ar materialize=true If the named principal(s) is (are) virtual, this will cause it (them) to be materialized as a concrete principal. (Currently not supported.) .It Ar create=true If the named principal(s) does not (do not) exist, this will cause it (them) to be created. The default attributes for new principals created this way will be taken (except for the disabled attribute) from any containing virtual host-based service principal namespace that include a leading .Sq . in the hostname component, or from .Nm krb5.conf(5) (see the CONFIGURATION section). .It Ar rotate=true This will cause the keys of concrete principals to be rotated. .It Ar revoke=true This will cause old keys of concrete principals to be deleted if their keys are being rotated. This means that extant service tickets with those principals as the target will not be able to be decrypted by the caller as it will not have the necessary keys. .El .Pp The HTTP .Nm Cache-Control header will be set on .Nm get-keys responses to .Dq Nm no-store , and the .Nm max-age cache control parameter will be set to the least number of seconds until before any of the requested principal's keys could change. For virtual principals this will be either the time left until a quarter of the rotation period before the next rotation, or the time left until a quarter of the rotation period after the next rotation. For concrete principals this will be the time left to the first such principal's password expiration, or, if none of them have a configured password expiration time, then half of the .Nm new_service_key_delay configured in the .Nm [hdb] section of the .Nm krb5.conf(5) file. .Pp Authorization is handled via the same mechanism as in .Nm bx509d(8) which was originally intended to authorize certification requests (CSRs). Authorization for extracting keys is specified like for .Nm bx509d(8) , but using .Nm [ext_keytab] as the .Nm krb5.conf(5) section. Clients with host-based principals for the .Dq host service can create and extract keys for their own service name, but otherwise a number of service names are denied: .Bl -tag -width Ds -offset indent .It Dq host .It Dq root .It Dq exceed .El as well as all the service names for Heimdal-specific services: .Bl -tag -width Ds -offset indent .It Dq krbtgt .It Dq iprop .It Dq kadmin .It Dq hprop .It Dq WELLKNOWN .It Dq K .El .Pp Supported options: .Bl -tag -width Ds -offset indent .It Xo .Fl h , .Fl Fl help .Xc Print usage message. .It Xo .Fl Fl version .Xc Print version. .It Xo .Fl H Ar HOSTNAME .Xc Expected audience(s) of bearer tokens (i.e., acceptor name). .It Xo .Fl d , .Fl Fl daemon .Xc Detach from TTY and run in the background. .It Xo .Fl Fl reverse-proxied .Xc Serves HTTP instead of HTTPS, accepting only looped-back connections. .It Xo .Fl p Ar port number (default: 443) .Xc PORT .It Xo .Fl Fl allow-GET .Xc If given, then HTTP GET will be allowed for the various end-points other than .Ar /health . Otherwise only HEAD and POST will be allowed. By default GETs are allowed, but this will change soon. .It Xo .Fl Fl no-allow-GET .Xc If given then HTTP GETs will be rejected for the various end-points other than .Ar /health . .It Xo .Fl Fl csrf-protection-type= Ns Ar CSRF-PROTECTION-TYPE .Xc Possible values of .Ar CSRF-PROTECTION-TYPE are .Bl -bullet -compact -offset indent .It .Li GET-with-header .It .Li GET-with-token .It .Li POST-with-header .It .Li POST-with-token .El This may be given multiple times. The default is to require CSRF tokens for POST requests, and to require neither a non-simple header nor a CSRF token for GET requests. .Pp See .Sx CROSS-SITE REQUEST FORGERY PROTECTION . .It Xo .Fl Fl csrf-header= Ns Ar HEADER-NAME .Xc If given, then all requests other than to the .Ar /health service must have the given request .Ar HEADER-NAME set (the value is irrelevant). .It Xo .Fl Fl temp-dir= Ns Ar DIRECTORY .Xc Directory for temp files. If not specified then a temporary directory will be made. .It Xo .Fl Fl cert= Ns Ar HX509-STORE .Xc Certificate file path (PEM) for HTTPS service. May contain private key as well. .It Xo .Fl Fl private-key= Ns Ar HX509-STORE .Xc Private key file path (PEM), if the private key is not stored along with the certificiate. .It Xo .Fl T Ar HTTP-AUTH-TYPE, .Fl Fl token-authentication-type= Ns Ar HTTP-AUTH-TYPE .Xc HTTP bearer token authentication type(s) supported (may be given more than once). For example, .Ar Negotiate or .Ar Bearer (JWT). .It Xo .Fl t , .Fl Fl thread-per-client .Xc Uses a thread per-client instead of as many threads as there are CPUs. .It Xo .Fl Fl realm= Ns Ar REALM .Xc The realm to serve, if not the default realm. Note that clients can request keys for principals in other realms, and .Nm httpkadmind will attempt to satisfy those requests too. .It Xo .Fl Fl read-only .Xc Do not perform write operations. Write operations will either fail or if a primary .Nm httpkadmind URI is configured, then they will be redirected there. .It Xo .Fl Fl local .Xc Use a local HDB, at least for read operations, and, if .Fl Fl local-read-only is not given, then also write operations. .It Xo .Fl Fl local-read-only .Xc Do not perform writes on a local HDB. Either redirect write operations if a primary .Nm httpkadmind URI is configured, or use a writable remote .Nm kadmind server. .It Xo .Fl Fl hdb=HDB .Xc A local HDB to serve. Note that this can be obtained from the .Nm krb5.conf . .It Xo .Fl Fl stash-file=FILENAME .Xc A stash file containing a master key for a local HDB. Note that this can be obtained from the .Nm krb5.conf . .It Xo .Fl Fl primary-server-uri=URI .Xc The URL of an httpkadmind to which to redirect write operations. .It Xo .Fl Fl read-only-admin-server=HOSTNAME[:PORT] .Xc The hostname (and possibly port number) of a .Nm kadmind(8) service to use for read-only operations. Recall that the .Nm kadmind(8) service's principal name is .Ar kadmin/admin . The .Ar HOSTNAME given here can be a name that resolves to the IP addresses of all the .Nm kadmind(8) services for the .Ar REALM . If not specified, but needed, this will be obtained by looking for .Nm readonly_admin_server in .Nm krb5.conf or, if enabled, performing DNS lookups for SRV resource records named .Ar _kerberos-adm-readonly._tcp. . .It Xo .Fl Fl writable-admin-server=HOSTNAME[:PORT] .Xc The hostname (and possibly port number) of a .Nm kadmind(8) service to use for write operations. If not specified, but needed, this will be obtained by looking for .Nm admin_server in .Nm krb5.conf or, if enabled, performing DNS lookups for SRV resource records named .Ar _kerberos-adm._tcp. . .It Xo .Fl Fl kadmin-client-name=PRINCIPAL .Xc The client principal name to use when connecting to a .Nm kadmind(8) server. Defaults to .Ar httpkadmind/admin . .It Xo .Fl Fl kadmin-client-keytab=KEYTAB .Xc The keytab containing keys for the .Ar kadmin-client-name . Note that you may use an .Ar HDB as a keytab as .Ar HDBGET:/var/heimdal/heimdal.db (or whatever the HDB specification is). .It Xo .Fl v , .Fl Fl verbose= Ns Ar run verbosely .Xc verbose .El .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev KRB5_CONFIG The file name of .Pa krb5.conf , the default being .Pa /etc/krb5.conf . .El .Sh FILES .Bl -tag -width Ds .It Pa /etc/krb5.conf .El .Sh CONFIGURATION Authorizer configuration goes in .Br .Ar [ext_keytab] in .Nm krb5.conf(5). For example: .Pp .Bd -literal -offset indent [ext_keytab] simple_csr_authorizer_directory = /etc/krb5/simple_csr_authz ipc_csr_authorizer = { service = UNIX:/var/heimdal/csr_authorizer_sock } .Ed .Pp Configuration parameters specific to .Nm httpkadmind : .Bl -tag -width Ds -offset indent .It csr_authorizer_handles_svc_names = BOOL .It new_hostbased_service_principal_attributes = ... .El .Pp The .Nm [ext_keytab] .Nm get_keys_max_spns = NUMBER parameter can be used to specify a maximum number of principals whose keys can be retrieved in one .Nm GET of the .Nm /get-keys end-point. Defaults to 400. .Pp The .Nm [ext_keytab] .Nm new_hostbased_service_principal_attributes parameter may be used instead of virtual host-based service namespace principals to specify the attributes of new principals created by .Nm httpkadmind , and its value is a hive with a service name then a hostname or namespace, and whose value is a set of attributes as given in the .Nm kadmin(1) modify command. For example: .Bd -literal -offset indent [ext_keytab] new_hostbased_service_principal_attributes = { host = { a-particular-hostname.test.h5l.se = ok-as-delegate .prod.test.h5l.se = ok-as-delegate } } .Ed .Pp which means that .Dq host/a-particular-hostname.test.h5l.se , if created via .Nm httpkadmind , will be allowed to get delegated credentials (ticket forwarding), and that hostnames matching the glob pattern .Dq host/*.prod.test.h5l.se , if created via .Nm httpkadmind , will also allowed to get delegated credentials. All host-based service principals created via .Nm httpkadmind not matchining any .Nm new_hostbased_service_principal_attributes service namespaces will have the empty attribute set. .Sh EXAMPLES To start .Nm httpkadmind on a primary KDC: .Pp .Ar $ httpkadmind -d --cert=PEM-FILE:/etc/httpkadmind.pem \\ .Br --local -T Negotiate .Pp To start .Nm httpkadmind on a secondary KDC, using redirects for write operations: .Pp .Ar $ httpkadmind -d --cert=PEM-FILE:/etc/httpkadmind.pem \\ .Br --local-read-only -T Negotiate \\ .Br --primary-server-uri=https://the-primary-server.fqdn/ .Pp To start .Nm httpkadmind on a secondary KDC, proxying kadmin to perform writes at the primary KDC, using DNS to discover the kadmin server: .Pp .Ar $ httpkadmind -d --cert=PEM-FILE:/etc/httpkadmind.pem \\ .Br --local-read-only -T Negotiate \\ .Br --kadmin-client-keytab=FILE:/etc/krb5.keytab .Pp To start .Nm httpkadmind on a non-KDC: .Pp .Ar $ httpkadmind -d --cert=PEM-FILE:/etc/httpkadmind.pem \\ .Br -T Negotiate --kadmin-client-keytab=FILE:/etc/krb5.keytab .Pp .Sh DIAGNOSTICS See logging section of .Nm krb5.conf.5 .Sh SEE ALSO .Xr bx509d 8 , .Xr kadmin 1 , .Xr kadmind 8 , .Xr krb5.conf 5 . .\".Sh STANDARDS .\".Sh HISTORY .\".Sh AUTHORS .\".Sh BUGS