package checker
import (
"time"
sdk "git.happydns.org/checker-sdk-go/checker"
)
// Version is the checker version reported in CheckerDefinition.Version.
// Overridden at link time by the binary/plugin entrypoints.
// The default "built-in" is what gets reported when nothing overrides it.
var Version = "built-in"
// Definition describes the Kerberos checker to the host: its identity, the
// service type it applies to, the options it accepts, its rules and its
// scheduling bounds.
//
// A fresh CheckerDefinition is built on every call; the receiver is not read.
func (p *kerberosProvider) Definition() *sdk.CheckerDefinition {
	// Per-run options. Only "realm" is required; "principal" and "password"
	// switch the run from anonymous probes to an authenticated round-trip
	// (per their descriptions).
	runOpts := []sdk.CheckerOptionDocumentation{
		{
			Id:          "realm",
			Type:        "string",
			Label:       "Kerberos realm",
			Placeholder: "EXAMPLE.COM",
			AutoFill:    sdk.AutoFillDomainName,
			Required:    true,
			Description: "DNS domain advertising the realm (the realm name itself is derived in uppercase).",
		},
		{
			Id:          "principal",
			Type:        "string",
			Label:       "Principal (optional)",
			Placeholder: "user@EXAMPLE.COM",
			Description: "Supply to run an authenticated round-trip. Leave blank for anonymous probes only.",
		},
		// The only option flagged Secret. The "never stored" wording in the
		// description is a promise this definition cannot enforce.
		// NOTE(review): confirm the probe path neither logs nor persists it,
		// and that the host treats Secret fields as redacted.
		{
			Id:          "password",
			Type:        "string",
			Label:       "Password (optional)",
			Secret:      true,
			Description: "Password for the principal above. Used once per run; never stored by the checker.",
		},
		// Default is the empty string; the description says an empty value
		// falls back to krbtgt. That fallback is not implemented here.
		{
			Id:          "targetService",
			Type:        "string",
			Label:       "Service to request (TGS)",
			Placeholder: "host/host.example.com",
			Default:     "",
			Description: "SPN requested via TGS-REQ once a TGT is acquired. Defaults to krbtgt (realm self-test).",
		},
	}

	// Administrator-level options.
	// NOTE(review): the numeric defaults are Go ints; values decoded from
	// JSON usually arrive as float64, so confirm the option readers accept both.
	adminOpts := []sdk.CheckerOptionDocumentation{
		{
			Id:      "timeout",
			Type:    "number",
			Label:   "Per-probe timeout (seconds)",
			Default: 5,
		},
		// Enabled by default: realms advertising only DES/RC4 are reported
		// as CRIT (per the description).
		{
			Id:          "requireStrongEnctypes",
			Type:        "bool",
			Label:       "Require strong enctypes",
			Default:     true,
			Description: "Flag realms that only advertise DES/RC4 as CRIT.",
		},
		{
			Id:          "maxClockSkew",
			Type:        "number",
			Label:       "Max tolerated clock skew (seconds)",
			Default:     300,
			Description: "Default Kerberos tolerance is 300s; tighter values surface drift earlier.",
		},
	}

	return &sdk.CheckerDefinition{
		ID:      "kerberos",
		Name:    "Kerberos Realm Tester",
		Version: Version,
		// Offered only on services of type abstract.Kerberos.
		Availability: sdk.CheckerAvailability{
			ApplyToService:  true,
			LimitToServices: []string{"abstract.Kerberos"},
		},
		HasHTMLReport:   true,
		ObservationKeys: []sdk.ObservationKey{ObservationKeyKerberos},
		Options: sdk.CheckerOptionsDocumentation{
			RunOpts:   runOpts,
			AdminOpts: adminOpts,
		},
		Rules: Rules(),
		// Scheduling bounds: 5 minutes to 7 days, 24 hours by default.
		// NOTE(review): with principal/password set, each scheduled run would
		// attempt an authentication; a stale password then produces repeated
		// failed logins, so weigh Min against the KDC's lockout policy.
		Interval: &sdk.CheckIntervalSpec{
			Min:     5 * time.Minute,
			Max:     7 * 24 * time.Hour,
			Default: 24 * time.Hour,
		},
	}
}