diff --git a/Dockerfile b/Dockerfile
index 99555e6..7b0d9bd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ WORKDIR /src
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
-RUN CGO_ENABLED=0 go build -ldflags "-X main.Version=${CHECKER_VERSION}" -o /checker-kerberos .
+RUN CGO_ENABLED=0 go build -tags standalone -ldflags "-X main.Version=${CHECKER_VERSION}" -o /checker-kerberos .
 FROM scratch
 COPY --from=builder /checker-kerberos /checker-kerberos
diff --git a/Makefile b/Makefile
index fb74a58..1d83007 100644
--- a/Makefile
+++ b/Makefile
@@ -6,12 +6,12 @@ CHECKER_SOURCES := main.go $(wildcard checker/*.go)
 GO_LDFLAGS := -X main.Version=$(CHECKER_VERSION)
-.PHONY: all plugin docker clean
+.PHONY: all plugin docker test clean
 all: $(CHECKER_NAME)
 $(CHECKER_NAME): $(CHECKER_SOURCES)
- go build -ldflags "$(GO_LDFLAGS)" -o $@ .
+ go build -tags standalone -ldflags "$(GO_LDFLAGS)" -o $@ .
 plugin: $(CHECKER_NAME).so
@@ -21,5 +21,8 @@ $(CHECKER_NAME).so: $(CHECKER_SOURCES) $(wildcard plugin/*.go)
 docker:
 docker build --build-arg CHECKER_VERSION=$(CHECKER_VERSION) -t $(CHECKER_IMAGE) .
+test:
+ go test -tags standalone ./...
+
 clean:
 rm -f $(CHECKER_NAME) $(CHECKER_NAME).so
diff --git a/README.md b/README.md
index 4c64a87..52a2e91 100644
--- a/README.md
+++ b/README.md
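Review bot: The build tag is now spelled out literally in the `$(CHECKER_NAME)` recipe, again in the new `test` target further down, and a third time in the Dockerfile, so the three invocations will drift independently the next time a tag is added or renamed. Hoist it into a variable next to `GO_LDFLAGS`, e.g. `GO_TAGS := standalone` and `go build -tags $(GO_TAGS) -ldflags "$(GO_LDFLAGS)" -o $@ .`, and reference the same variable from the test target. The `$(CHECKER_NAME).so` recipe is outside this hunk, so whether the plugin build intentionally stays tag-less cannot be confirmed here; a one-line comment on the variable, `# standalone gates interactive.go; the plugin .so is built without it`, would make that contract explicit.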
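Review bot: `go test -tags standalone ./...` compiles and tests only the standalone configuration, so the tag-less package that goes into the plugin `.so` is never built by `make test`, and a change that breaks compilation there (a symbol referenced from the now-gated interactive.go, for instance) would pass CI. A tag-less compile in the same recipe catches that cheaply: `go vet ./...` on a second line, or `go build ./... && go test -tags standalone ./...`. If any test in the checker package depends on interactive.go, it needs the same `//go:build standalone` constraint or the tag-less step will fail to compile it; that cannot be verified from this diff.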
@@ -4,13 +4,13 @@ happyDomain checker that audits a Kerberos realm from its DNS records. Starting from the realm name (or from the SRV records grouped under the `abstract.Kerberos` service), the checker performs a series of
-**anonymous probes** — and an optional **authenticated round-trip** when
-credentials are supplied — to give a complete picture of the realm's
+**anonymous probes**, and an optional **authenticated round-trip** when
+credentials are supplied, to give a complete picture of the realm's
 availability and security posture.
 ## What gets checked
-- SRV layout — `_kerberos._tcp.`, `_kerberos._udp.`,
+- SRV layout, `_kerberos._tcp.`, `_kerberos._udp.`,
 `_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`, `_kpasswd._udp.`.
 - Forward resolution of every SRV target (A + AAAA).
diff --git a/checker/collect.go b/checker/collect.go
index e13804b..2b5bf64 100644
--- a/checker/collect.go
+++ b/checker/collect.go
@@ -377,7 +377,7 @@ func buildProbeASReq(realm string) (messages.ASReq, error) {
 // parseASResponse inspects the raw KDC reply and fills the ASProbeResult.
 // Expected replies: KRB-ERROR (PREAUTH_REQUIRED / C_PRINCIPAL_UNKNOWN) or,
-// less commonly, an AS-REP (principal exists and doesn't require preauth —
+// less commonly, an AS-REP (principal exists and doesn't require preauth .
 // AS-REP roasting territory).
 func parseASResponse(raw []byte, out *ASProbeResult) {
 // Try KRB-ERROR first.
@@ -400,7 +400,7 @@ func parseASResponse(raw []byte, out *ASProbeResult) {
 return
 }
- // Try AS-REP. If this succeeds, preauth wasn't required — surface it.
+ // Try AS-REP. If this succeeds, preauth wasn't required, surface it.
 var asRep messages.ASRep
 if err := asRep.Unmarshal(raw); err == nil {
 out.PrincipalFound = true
diff --git a/checker/interactive.go b/checker/interactive.go
index 504d9e5..42a4cf1 100644
--- a/checker/interactive.go
+++ b/checker/interactive.go
@@ -1,3 +1,5 @@
+//go:build standalone
+
 package checker
 import (
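Review bot: The em dash on the added doc-comment line was replaced with a stray ` .`, so the parenthetical now reads `doesn't require preauth . AS-REP roasting territory)` and no longer parses as a sentence. A colon keeps the intended meaning: `// less commonly, an AS-REP (principal exists and doesn't require preauth:`. This comment documents the one reply that report.go later flags as AS-REP roastable, so it is worth keeping precise; the second hunk of this file has the same pattern (`preauth wasn't required, surface it`), where a semicolon reads better than the comma splice.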
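Review bot: The new `//go:build standalone` constraint carries no explanation of why this file is excluded from the default (plugin) build, and nothing in the hunk says what the file provides, so a reader of the Makefile's `plugin` target has to guess at the split. A short comment after the blank line that follows the constraint, e.g. `// Compiled only into the standalone binary; the plugin build (no tag) must not depend on anything declared here.`, records the contract where the compiler enforces it. If, as the file name suggests, this is where credentials are prompted for on a terminal, stating that the plugin path never reads credentials interactively would also make the SDK-side data flow obvious; the file body is outside this hunk, so that is an inference to confirm.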
diff --git a/checker/report.go b/checker/report.go
index 35db28d..0ff01be 100644
--- a/checker/report.go
+++ b/checker/report.go
@@ -257,7 +257,7 @@ then rekey principals with kadmin -q "cpw -randkey principal" or eq
 })
 }
- // AS-REP without preauth — AS-REP roasting.
+ // AS-REP without preauth, AS-REP roasting.
 if r.AS.Attempted && r.AS.PrincipalFound && !r.AS.PreauthReq {
 out = append(out, remediation{
 Title: "Enable pre-authentication",
diff --git a/go.mod b/go.mod
index c2a4640..392087b 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module git.happydns.org/checker-kerberos
 go 1.25.0
 require (
- git.happydns.org/checker-sdk-go v1.2.0
+ git.happydns.org/checker-sdk-go v1.3.0
 github.com/jcmturner/gofork v1.7.6
 github.com/jcmturner/gokrb5/v8 v8.4.4
 )
diff --git a/go.sum b/go.sum
index c652fb7..e2b9a0d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-git.happydns.org/checker-sdk-go v1.2.0 h1:v4MpKAz0W3PwP+bxx3pya8w893sVH5xTD1of1cc0TV8=
-git.happydns.org/checker-sdk-go v1.2.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
+git.happydns.org/checker-sdk-go v1.3.0 h1:FG2kIhlJCzI0m35EhxSgn4UWc9M4ha6aZTeoChu4l7A=
+git.happydns.org/checker-sdk-go v1.3.0/go.mod h1:aNAcfYFfbhvH9kJhE0Njp5GX0dQbxdRB0rJ0KvSC5nI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/main.go b/main.go
index 846c077..6037bfb 100644
--- a/main.go
+++ b/main.go
@@ -5,7 +5,7 @@ import (
 "log"
 kerberos "git.happydns.org/checker-kerberos/checker"
- sdk "git.happydns.org/checker-sdk-go/checker"
+ "git.happydns.org/checker-sdk-go/checker/server"
 )
 // Version is the standalone binary's version. It defaults to "custom-build"
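Review bot: The reworded comment on the added line, `// AS-REP without preauth, AS-REP roasting.`, is now a comma splice that reads like a two-item list rather than a cause and its consequence; `// AS-REP returned without pre-authentication: the principal is AS-REP-roastable.` states what the guard below tests and why it is remediated. The `if` condition and the enclosing function continue outside this hunk.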
@@ -21,8 +21,8 @@ func main() {
 kerberos.Version = Version
- server := sdk.NewServer(kerberos.Provider())
- if err := server.ListenAndServe(*listenAddr); err != nil {
+ srv := server.New(kerberos.Provider())
+ if err := srv.ListenAndServe(*listenAddr); err != nil {
 log.Fatalf("server error: %v", err)
 }
 }
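Review bot: `srv.ListenAndServe(*listenAddr)` is still wrapped in `log.Fatalf`, so the process only ever exits on a listener error or a signal, and in the `scratch` image from this change the binary is PID 1 receiving SIGTERM directly with no shutdown hook. If the value returned by `server.New` exposes a `Shutdown(ctx)` (not visible here; confirm against checker-sdk-go v1.3.0), catching SIGINT/SIGTERM with `signal.NotifyContext` and calling it would let in-flight probes drain instead of being cut mid-connection. The `listenAddr` flag is declared outside this hunk, so its default bind address (loopback versus all interfaces) cannot be reviewed from the diff; worth a glance now that the listener is the SDK's rather than a local one. `main` starts before the hunk.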