auth/kerberos: add remove_instance_name config (hashicorp#16594) (has…

…hicorp#16597)

* auth/kerberos: add remove_instance_name config

* Update website

* Fix doc

* Fix doc

* changelog

changelog/16594.txt

@@ -0,0 +1,5 @@
+```release-note:improvement
+auth/kerberos: add `remove_instance_name` parameter to the login CLI and the 
+Kerberos config in Vault. This removes any instance names found in the keytab 
+service principal name.
+```

go.mod

@@ -100,7 +100,7 @@ require (
 	github.com/hashicorp/vault-plugin-auth-cf v0.12.0
 	github.com/hashicorp/vault-plugin-auth-gcp v0.13.2
 	github.com/hashicorp/vault-plugin-auth-jwt v0.13.0
-	github.com/hashicorp/vault-plugin-auth-kerberos v0.7.0
+	github.com/hashicorp/vault-plugin-auth-kerberos v0.7.1
 	github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0
 	github.com/hashicorp/vault-plugin-auth-oci v0.11.0
 	github.com/hashicorp/vault-plugin-database-couchbase v0.7.0

go.sum

@@ -980,8 +980,8 @@ github.com/hashicorp/vault-plugin-auth-gcp v0.13.2 h1:rv8gBKYzFz9BD9pFRyrmfi46Bu
 github.com/hashicorp/vault-plugin-auth-gcp v0.13.2/go.mod h1:tHtTF/qQmrRrY5DEOxWxoW/y5Wk9VoHsBOC339RO3d8=
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0 h1:BeMC4ZnP8iwRgL8vInEvCICA6e+iiDtkmOdNYKg3aGQ=
 github.com/hashicorp/vault-plugin-auth-jwt v0.13.0/go.mod h1:+WL5kaq/0L5OROsA31X15U8yTIX4GTEv1rTLA9d15eo=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.7.0 h1:6iQIiF4usqBwXZmab3rpq/dMIw+np+DFbIBxC3r6Ybw=
-github.com/hashicorp/vault-plugin-auth-kerberos v0.7.0/go.mod h1:eqjae8tMBpAWgJNk1NjV/vtJYXQRZnYudUkBFowz3bY=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.7.1 h1:H4MmfNqpxpa4vHMdfckx9KzEEPC+9+APHpDF1pBy61g=
+github.com/hashicorp/vault-plugin-auth-kerberos v0.7.1/go.mod h1:eqjae8tMBpAWgJNk1NjV/vtJYXQRZnYudUkBFowz3bY=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0 h1:pONFgWz9hbcS1wFxPtQJYj9Mt/nzPVX1kw1DGv+92Ww=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.13.0/go.mod h1:/hQF30guXWLcIUiTYsXoQ0dUTHspo0q30nLBr1RE+Lw=
 github.com/hashicorp/vault-plugin-auth-oci v0.11.0 h1:DrdccnGU8O28I1MIs21zmbYM2Nta7RLOAzozvDSX9h0=

website/content/api-docs/auth/kerberos.mdx

@@ -35,6 +35,10 @@ for verifying inbound SPNEGO tokens.
 - `service_account` `(string: <required>)` – The service account associated
   with both the keytab entry and an LDAP service account created for Vault. Ex.:
   `"vault_svc"`.
+- `remove_instance_name` - Removes any instance names from a Kerberos service
+  principal name when parsing the keytab file. For example when this is set to true,
+  if a keytab has the service principal name `foo/localhost@example.com`, Vault
+  will strip the service principal name to just be `foo@example.com`. 
 
 ### Sample Request
 
@@ -51,7 +55,8 @@ $ curl \
 ```json
 {
   "keytab": "BQIAAAA6AAEACk1BVFJJWC5MQU4ACXZhdWx0X3N2YwAAAAFdzZSjAgAXABDwhEyRR9nRqkpP8KTn2A83AAAAAg==",
-  "service_account": "vault_svc"
+  "remove_instance_name": false,
+  "service_account": "vault_svc",
 }
 ```
 
@@ -80,6 +85,7 @@ $ curl \
   "warnings": null,
   "wrap_info": null,
   "data": {
+    "remove_instance_name": false,
     "service_account": "vault_svc"
   },
   "lease_duration": 0,

website/content/docs/auth/kerberos.mdx

@@ -164,6 +164,10 @@ $ vault login -method=kerberos \
   It includes a mechanism for tunneling pre-authentication exchanges using armoured
   KDC messages. FAST provides increased resistance to passive password guessing attacks.
   Some common Kerberos implementations do not support FAST negotiation.
+- `remove_instance_name` removes any instance names from a Kerberos service 
+  principal name when parsing the keytab file. For example when this is set to true, 
+  if a keytab has the service principal name `foo/localhost@example.com`, the CLI 
+  will strip the service principal name to just be `foo@example.com`.
 
 ## Troubleshooting