Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

KRB: do not set keytab by default.

Browse source 
Only enable decryption if a user purposefully sets a keytab.
This commit is contained in:
Johanna Amann 2018-06-01 12:46:26 -07:00
parent 8bb76cd3c1
commit 327acf6555
5 changed files with 26 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
scripts/base/init-bare.bro
View file

@ -4245,7 +4245,8 @@ export {
module KRB; module KRB;
export { export {
const keytab = "/etc/krb5.keytab" &redef; ## Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
const keytab = "" &redef;
## KDC Options. See :rfc:`4120` ## KDC Options. See :rfc:`4120`
type KRB::KDC_Options: record { type KRB::KDC_Options: record {
## The ticket to be issued should have its forwardable flag set. ## The ticket to be issued should have its forwardable flag set.

3
src/analyzer/protocol/krb/KRB.cc
View file

@ -13,6 +13,9 @@ KRB_Analyzer::KRB_Analyzer(Connection* conn)
interp = new binpac::KRB::KRB_Conn(this); interp = new binpac::KRB::KRB_Conn(this);
#ifdef USE_KRB5 #ifdef USE_KRB5
if ( BifConst::KRB::keytab->Len() == 0 )
return; // no keytab set
const char* keytab_filename = BifConst::KRB::keytab->CheckString(); const char* keytab_filename = BifConst::KRB::keytab->CheckString();
if ( access(keytab_filename, R_OK) != 0 ) if ( access(keytab_filename, R_OK) != 0 )
{ {

0
testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr Normal file
View file

1
testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout Normal file
View file

@ -0,0 +1 @@
F

20
testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test Normal file
View file

@ -0,0 +1,20 @@
# This test verifies that without a keytab file no entries are
# created and no errors happen.
#
# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
#
# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
# @TEST-EXEC: btest-diff .stderr
global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
event bro_init() &priority=5{
Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
}
event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){
print ticket?$authenticationinfo;
}