krb5: Remove dummy key from keytab (#285)

# Description

Fixes #283.

Author: nightkr

CHANGELOG.md

@@ -11,8 +11,10 @@ All notable changes to this project will be documented in this file.
 ### Changed
 
 - `operator-rs` `0.27.1` -> `0.41.0` ([#275]).
+- Removed dummy key from generated Kerberos keytab ([#285]).
 
 [#275]: https://github.com/stackabletech/secret-operator/pull/275
+[#285]: https://github.com/stackabletech/secret-operator/pull/285
 
 ## [23.4.0] - 2023-04-17
 

default.nix

@@ -15,7 +15,12 @@
       };
       krb5-sys = attrs: {
         nativeBuildInputs = [ pkgs.pkg-config ];
-        buildInputs = [ (pkgs.enableDebugging pkgs.krb5) ];
+        buildInputs = [ pkgs.krb5 ];
+        LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
+        BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang.cc.lib}/lib/clang/${pkgs.lib.getVersion pkgs.clang.cc}/include";
+      };
+      libgssapi-sys = attrs: {
+        buildInputs = [ pkgs.krb5 ];
         LIBCLANG_PATH = "${pkgs.libclang.lib}/lib";
         BINDGEN_EXTRA_CLANG_ARGS = "-I${pkgs.glibc.dev}/include -I${pkgs.clang.cc.lib}/lib/clang/${pkgs.lib.getVersion pkgs.clang.cc}/include";
       };

rust/krb5-provision-keytab/src/main.rs

@@ -56,8 +56,10 @@ enum Error {
         source: kadm5::Error,
         principal: String,
     },
-    #[snafu(display("failed to add dummy key keytab"))]
+    #[snafu(display("failed to add dummy key to keytab"))]
     AddDummyToKeytab { source: krb5::Error },
+    #[snafu(display("failed to remove dummy key from keytab"))]
+    RemoveDummyFromKeytab { source: krb5::Error },
 }
 
 enum AdminConnection<'a> {
@@ -116,15 +118,20 @@ async fn run() -> Result<Response, Error> {
         .context(ParsePrincipalSnafu {
             principal: dummy_principal_name,
         })?;
+    let dummy_kvno = 0;
     kt.add(
         &dummy_principal,
-        0,
+        dummy_kvno,
         // keyblock len must be >0, or kt.add() will always fail
         &Keyblock::new(&krb, 0, 1)
             .context(AddDummyToKeytabSnafu)?
             .as_ref(),
     )
     .context(AddDummyToKeytabSnafu)?;
+    // Remove dummy key once we have forced the keytab to be created,
+    // to avoid tools trying to use it to authenticate
+    kt.remove(&dummy_principal, dummy_kvno)
+        .context(RemoveDummyFromKeytabSnafu)?;
 
     for princ_req in req.principals {
         let princ = krb

rust/krb5/src/lib.rs

@@ -413,6 +413,23 @@ impl<'a> Keytab<'a> {
             )
         }
     }
+
+    /// Remove the specified key from the keytab.
+    pub fn remove(
+        &mut self,
+        principal: &Principal,
+        kvno: krb5_sys::krb5_kvno,
+    ) -> Result<(), Error> {
+        unsafe {
+            let mut entry: krb5_sys::krb5_keytab_entry = std::mem::zeroed();
+            entry.principal = principal.raw;
+            entry.vno = kvno;
+            Error::from_call_result(
+                Some(self.ctx),
+                krb5_sys::krb5_kt_remove_entry(self.ctx.raw, self.raw, &mut entry),
+            )
+        }
+    }
 }
 impl Drop for Keytab<'_> {
     fn drop(&mut self) {