author | assar <assar@FreeBSD.org> | 2001-06-21 02:12:07 +0000 |
---|---|---|
committer | assar <assar@FreeBSD.org> | 2001-06-21 02:12:07 +0000 |
commit | 0c8fa354358381b3f1b92598e7f1b46f8cf744cc (patch) | |
tree | ed28ffb73cc0ae48a9892dab3f10b09bc36436d5 /crypto/heimdal/kdc | |
parent | 06c859ecf534f468a52f24a3eb14409d73a4907c (diff) | |
import of heimdal 0.3f
Diffstat (limited to 'crypto/heimdal/kdc')
-rw-r--r-- | crypto/heimdal/kdc/524.c | 4 | ||||
-rw-r--r-- | crypto/heimdal/kdc/Makefile.in | 16 | ||||
-rw-r--r-- | crypto/heimdal/kdc/config.c | 15 | ||||
-rw-r--r-- | crypto/heimdal/kdc/connect.c | 24 | ||||
-rw-r--r-- | crypto/heimdal/kdc/headers.h | 6 | ||||
-rw-r--r-- | crypto/heimdal/kdc/hprop.8 | 20 | ||||
-rw-r--r-- | crypto/heimdal/kdc/hprop.c | 12 | ||||
-rw-r--r-- | crypto/heimdal/kdc/hprop.cat8 | 103 | ||||
-rw-r--r-- | crypto/heimdal/kdc/hpropd.8 | 8 | ||||
-rw-r--r-- | crypto/heimdal/kdc/hpropd.c | 4 | ||||
-rw-r--r-- | crypto/heimdal/kdc/hpropd.cat8 | 43 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kaserver.c | 33 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kdc.8 | 11 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kdc.cat8 | 118 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kerberos5.c | 134 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kstash.8 | 8 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kstash.cat8 | 34 | ||||
-rw-r--r-- | crypto/heimdal/kdc/main.c | 4 | ||||
-rw-r--r-- | crypto/heimdal/kdc/string2key.8 | 14 | ||||
-rw-r--r-- | crypto/heimdal/kdc/string2key.cat8 | 42 |
20 files changed, 553 insertions, 100 deletions
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c index df70988..ebe747f 100644 --- a/crypto/heimdal/kdc/524.c +++ b/crypto/heimdal/kdc/524.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: 524.c,v 1.19 2001/01/30 01:44:07 assar Exp $"); +RCSID("$Id: 524.c,v 1.20 2001/05/14 06:17:47 assar Exp $"); #ifdef KRB4 @@ -136,7 +136,7 @@ set_address (EncTicketPart *et, if (v4_addr == NULL) return ENOMEM; - ret = krb5_sockaddr2address(addr, v4_addr); + ret = krb5_sockaddr2address(context, addr, v4_addr); if(ret) { free (v4_addr); kdc_log(0, "Failed to convert address (%s)", from); diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in index d5c394d..90d7e04 100644 --- a/crypto/heimdal/kdc/Makefile.in +++ b/crypto/heimdal/kdc/Makefile.in @@ -1,6 +1,7 @@ -# Makefile.in generated automatically by automake 1.4a from Makefile.am +# Makefile.in generated automatically by automake 1.4b from Makefile.am -# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc. +# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000 +# Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -119,7 +120,7 @@ install_sh = @install_sh@ # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ -# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $ +# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $ AUTOMAKE_OPTIONS = foreign no-dependencies @@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii @KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la +@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la + CHECK_LOCAL = $(PROGRAMS) bin_PROGRAMS = string2key 
@@ -317,7 +320,7 @@ OBJECTS = $(am_hprop_OBJECTS) $(am_hpropd_OBJECTS) $(am_kdc_OBJECTS) $(am_kstash all: all-redirect .SUFFIXES: -.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x +.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common cd $(top_srcdir) && $(AUTOMAKE) --foreign kdc/Makefile @@ -522,6 +525,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \ || etags $(ETAGS_ARGS) $$tags $$unique $(LISP) +GTAGS: + here=`CDPATH=: && cd $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $$here + mostlyclean-tags: clean-tags: diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c index 0621db1..78f75d3 100644 --- a/crypto/heimdal/kdc/config.c +++ b/crypto/heimdal/kdc/config.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,7 +35,7 @@ #include <getarg.h> #include <parse_bytes.h> -RCSID("$Id: config.c,v 1.33 2000/09/10 19:27:17 joda Exp $"); +RCSID("$Id: config.c,v 1.36 2001/05/17 07:13:43 joda Exp $"); static char *config_file; /* location of kdc config file */ @@ -250,7 +250,7 @@ configure(int argc, char **argv) if(config_file == NULL) config_file = _PATH_KDC_CONF; - if(krb5_config_parse_file(config_file, &cf)) + if(krb5_config_parse_file(context, config_file, &cf)) cf = NULL; get_dbinfo(cf); @@ -286,6 +286,7 @@ configure(int argc, char **argv) for (i = 0; i < addresses_str.num_strings; ++i) add_one_address (addresses_str.strings[i], i == 0); + free_getarg_strings (&addresses_str); } else { char **foo = krb5_config_get_strings (context, cf, "kdc", "addresses", NULL); 
@@ -310,11 +311,11 @@ configure(int argc, char **argv) enable_http = krb5_config_get_bool(context, cf, "kdc", "enable-http", NULL); check_ticket_addresses = - krb5_config_get_bool(context, cf, "kdc", - "check-ticket-addresses", NULL); + krb5_config_get_bool_default(context, cf, TRUE, "kdc", + "check-ticket-addresses", NULL); allow_null_ticket_addresses = - krb5_config_get_bool(context, cf, "kdc", - "allow-null-ticket-addresses", NULL); + krb5_config_get_bool_default(context, cf, TRUE, "kdc", + "allow-null-ticket-addresses", NULL); allow_anonymous = krb5_config_get_bool(context, cf, "kdc", diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c index 4533cea..7f13310 100644 --- a/crypto/heimdal/kdc/connect.c +++ b/crypto/heimdal/kdc/connect.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: connect.c,v 1.80 2000/10/08 21:36:29 assar Exp $"); +RCSID("$Id: connect.c,v 1.82 2001/05/14 06:18:11 assar Exp $"); /* * a tuple describing on what to listen @@ -242,7 +242,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port) init_descr (d); - ret = krb5_addr2sockaddr (a, sa, &sa_size, port); + ret = krb5_addr2sockaddr (context, a, sa, &sa_size, port); if (ret) { krb5_warn(context, ret, "krb5_addr2sockaddr"); close(d->s); @@ -401,7 +401,7 @@ static void addr_to_string(struct sockaddr *addr, size_t addr_len, char *str, size_t len) { krb5_address a; - krb5_sockaddr2address(addr, &a); + krb5_sockaddr2address(context, addr, &a); if(krb5_print_address(&a, str, len, &len) == 0) { krb5_free_address(context, &a); return; 
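Review bot: In the `configure` hunk of config.c, `check-ticket-addresses` and `allow-null-ticket-addresses` now fall back to TRUE when the key is absent, but the kdc.cat8 page added by this same commit still says "The default is FALSE" for check-ticket-addresses. An operator relying on the manual would misjudge whether TGS requests are address-checked, so the man page text should be brought in line with the code. With both defaults TRUE, `check_addresses` in kerberos5.c returns `allow_null_ticket_addresses` for a ticket that carries no addresses, so the check only constrains tickets that do carry them. A comment here would make that explicit, for example `/* default: verify ticket addresses, but accept tickets that carry none */`. The body of configure continues outside the hunk.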
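Review bot: In the `addr_to_string` hunk of connect.c, the result of `krb5_sockaddr2address(context, addr, &a)` is still discarded, so a failed conversion hands an uninitialised `a` to `krb5_print_address` and then to `krb5_free_address`. The other call sites touched by this commit (`set_address`, `check_addresses`) do test the return value. Guarding the print-and-free path with `if (krb5_sockaddr2address(context, addr, &a) == 0) { ... }` would let a failure fall through to whatever fallback follows. That fallback is outside the hunk, so confirm it copes with an unconverted address.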
@@ -462,7 +462,7 @@ handle_udp(struct descr *d) buf = malloc(max_request); if(buf == NULL){ - kdc_log(0, "Failed to allocate %u bytes", max_request); + kdc_log(0, "Failed to allocate %lu bytes", (unsigned long)max_request); return; } @@ -556,14 +556,15 @@ grow_descr (struct descr *d, size_t n) d->size += max(1024, d->len + n); if (d->size >= max_request) { - kdc_log(0, "Request exceeds max request size (%u bytes).", - d->size); + kdc_log(0, "Request exceeds max request size (%lu bytes).", + (unsigned long)d->size); clear_descr(d); return -1; } tmp = realloc (d->buf, d->size); if (tmp == NULL) { - kdc_log(0, "Failed to re-allocate %u bytes.", d->size); + kdc_log(0, "Failed to re-allocate %lu bytes.", + (unsigned long)d->size); clear_descr(d); return -1; } @@ -632,7 +633,8 @@ handle_http_tcp (struct descr *d) } data = malloc(strlen(t)); if (data == NULL) { - kdc_log(0, "Failed to allocate %u bytes", strlen(t)); + kdc_log(0, "Failed to allocate %lu bytes", + (unsigned long)strlen(t)); return -1; } if(*t == '/') @@ -750,8 +752,8 @@ loop(void) if(d[i].s >= 0){ if(d[i].type == SOCK_STREAM && d[i].timeout && d[i].timeout < time(NULL)) { - kdc_log(1, "TCP-connection from %s expired after %u bytes", - d[i].addr_string, d[i].len); + kdc_log(1, "TCP-connection from %s expired after %lu bytes", + d[i].addr_string, (unsigned long)d[i].len); clear_descr(&d[i]); continue; } diff --git a/crypto/heimdal/kdc/headers.h b/crypto/heimdal/kdc/headers.h index c4c8b5e..24442db 100644 --- a/crypto/heimdal/kdc/headers.h +++ b/crypto/heimdal/kdc/headers.h @@ -32,7 +32,7 @@ */ /* - * $Id: headers.h,v 1.10 2000/08/04 11:21:38 joda Exp $ + * $Id: headers.h,v 1.11 2001/02/15 04:20:53 assar Exp $ */ #ifndef __HEADERS_H__ @@ -82,7 +82,11 @@ #include <getarg.h> #include <base64.h> #include <parse_units.h> +#ifdef HAVE_OPENSSL_DES_H +#include <openssl/des.h> +#else #include <des.h> +#endif #include <krb5.h> #include <krb5_locl.h> #include <hdb.h> 
diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8 index b1e1cd9..ae8ee85 100644 --- a/crypto/heimdal/kdc/hprop.8 +++ b/crypto/heimdal/kdc/hprop.8 @@ -1,4 +1,4 @@ -.\" $Id: hprop.8,v 1.8 2001/01/30 04:18:41 assar Exp $ +.\" $Id: hprop.8,v 1.10 2001/06/08 21:35:31 joda Exp $ .\" .Dd June 19, 2000 .Dt HPROP 8 @@ -9,27 +9,33 @@ .Sh SYNOPSIS .Nm .Oo Fl m Ar file \*(Ba Xo -.Fl -master-key= Ns Pa file Oc +.Fl -master-key= Ns Pa file .Xc +.Oc .Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Pa file Oc +.Fl -database= Ns Pa file .Xc +.Oc .Op Fl -source= Ns Ar heimdal|mit-dump|krb4-db|krb4-dump .Op Fl 4 | Fl -v4-db .Op Fl K | Fl -ka-db .Oo Fl c Ar cell \*(Ba Xo -.Fl -cell= Ns Ar cell Oc +.Fl -cell= Ns Ar cell .Xc +.Oc .Op Fl S | Fl -kaspecials .Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string Oc +.Fl -v4-realm= Ns Ar string .Xc +.Oc .Oo Fl k Ar keytab \*(Ba Xo -.Fl -keytab= Ns Ar keytab Oc +.Fl -keytab= Ns Ar keytab .Xc +.Oc .Oo Fl R Ar string \*(Ba Xo -.Fl -v5-realm= Ns Ar string Oc +.Fl -v5-realm= Ns Ar string .Xc +.Oc .Op Fl D | Fl -decrypt .Op Fl E | Fl -encrypt .Op Fl n | Fl -stdout diff --git a/crypto/heimdal/kdc/hprop.c b/crypto/heimdal/kdc/hprop.c index 8ce9f10..b5d1743 100644 --- a/crypto/heimdal/kdc/hprop.c +++ b/crypto/heimdal/kdc/hprop.c @@ -33,7 +33,7 @@ #include "hprop.h" -RCSID("$Id: hprop.c,v 1.60 2001/02/05 03:40:00 assar Exp $"); +RCSID("$Id: hprop.c,v 1.62 2001/02/20 01:44:50 assar Exp $"); static int version_flag; static int help_flag; 
@@ -457,11 +457,11 @@ ka_dump(struct prop_data *pd, const char *file, const char *cell) krb5_err(pd->context, 1, errno, "open(%s)", file); read_block(pd->context, fd, 0, &header, sizeof(header)); if(header.version1 != header.version2) - krb5_errx(pd->context, 1, "Version mismatch in header: %d/%d", - ntohl(header.version1), ntohl(header.version2)); + krb5_errx(pd->context, 1, "Version mismatch in header: %ld/%ld", + (long)ntohl(header.version1), (long)ntohl(header.version2)); if(ntohl(header.version1) != 5) - krb5_errx(pd->context, 1, "Unknown database version %d (expected 5)", - ntohl(header.version1)); + krb5_errx(pd->context, 1, "Unknown database version %ld (expected 5)", + (long)ntohl(header.version1)); for(i = 0; i < ntohl(header.hashsize); i++){ int32_t pos = ntohl(header.hash[i]); while(pos){ @@ -787,7 +787,7 @@ main(int argc, char **argv) int type = 0; - set_progname(argv[0]); + setprogname(argv[0]); if(getarg(args, num_args, argc, argv, &optind)) usage(1); diff --git a/crypto/heimdal/kdc/hprop.cat8 b/crypto/heimdal/kdc/hprop.cat8 new file mode 100644 index 0000000..f6c70b4 --- /dev/null +++ b/crypto/heimdal/kdc/hprop.cat8 
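Review bot: In the `ka_dump` hunk, `ntohl(header.hashsize)` comes straight from the file header and bounds the loop that reads `header.hash[i]`, with no check visible against the number of elements in `hash`. The header structure is declared outside the hunk, so this is inferred, but a truncated or corrupt kaserver database could drive the index past the array. If `hash` is a fixed-size array, a guard before the loop would close this: `if (ntohl(header.hashsize) > sizeof(header.hash)/sizeof(header.hash[0])) krb5_errx(pd->context, 1, "Bad hash size in header");`. The function begins and ends outside the hunk.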
@@ -0,0 +1,103 @@ + +HPROP(8) UNIX System Manager's Manual HPROP(8) + +NNAAMMEE + hhpprroopp - propagate the KDC database + +SSYYNNOOPPSSIISS + hhpprroopp [--mm _f_i_l_e | ----mmaasstteerr--kkeeyy==_f_i_l_e] [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] + [----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_r_b_4_-_d_u_m_p] [--44 | ----vv44--ddbb] [--KK | + ----kkaa--ddbb] [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--SS | ----kkaassppeecciiaallss] [--rr _s_t_r_i_n_g | + ----vv44--rreeaallmm==_s_t_r_i_n_g] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--RR _s_t_r_i_n_g | + ----vv55--rreeaallmm==_s_t_r_i_n_g] [--DD | ----ddeeccrryypptt] [--EE | ----eennccrryypptt] [--nn | ----ssttddoouutt] [--vv + | ----vveerrbboossee] [----vveerrssiioonn] [--hh | ----hheellpp] _h_o_s_t[:_p_o_r_t] _._._. + +DDEESSCCRRIIPPTTIIOONN + hhpprroopp takes a principal database in a specified format and converts it + into a stream of Heimdal database records. This stream can either be + written to standard out, or (more commonly) be propagated to a hpropd(8) + server running on a different machine. + + If propagating, it connects to all _h_o_s_t_s specified on the command by + opening a TCP connection to port 754 (service hprop) and sends the + database in encrypted form. + + Supported options: + + --mm _f_i_l_e, ----mmaasstteerr--kkeeyy==_f_i_l_e + Where to find the master key to encrypt or decrypt keys with. + + --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e + The database to be propagated. + + ----ssoouurrccee==_h_e_i_m_d_a_l_|_m_i_t_-_d_u_m_p_|_k_r_b_4_-_d_b_|_k_r_b_4_-_d_u_m_p + Specifies the type of the source database. 
Alternatives include: + + heimdal a Heimdal database + + mit-dump a MIT Kerberos 5 dump file + + krb4-db a Kerberos 4 database + + krb4-dump a Kerberos 4 dump file + + kaserver a Transarc kaserver database + + --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b + The keytab to use for fetching the key to be used for authenti- + cating to the propagation daemon(s). The key _k_a_d_m_i_n_/_h_p_r_o_p is used + from this keytab. The default is to fetch the key from the KDC + database. + + --RR _s_t_r_i_n_g, ----vv55--rreeaallmm==_s_t_r_i_n_g + Local realm override. + + --DD, ----ddeeccrryypptt + The encryption keys in the database can either be in clear, or + encrypted with a master key. This option thansmits the database + with unencrypted keys. + + --EE, ----eennccrryypptt + This option thansmits the database with encrypted keys. + + --nn, ----ssttddoouutt + Dump the database on stdout, in a format that can be fed to + hpropd. + + The following options are only valid if hhpprroopp is compiled with support + for Kerberos 4 (kaserver). + + --rr _s_t_r_i_n_g, ----vv44--rreeaallmm==_s_t_r_i_n_g + v4 realm to use + + --cc _c_e_l_l, ----cceellll==_c_e_l_l + The AFS cell name, used if reading a kaserver database. + + --SS, ----kkaassppeecciiaallss + Also dump the principals marked as special in the kaserver + database. + + --44, ----vv44--ddbb + Deprecated, identical to `--source=krb4-db'. + + --KK, ----kkaa--ddbb + Deprecated, identical to `--source=kaserver'. + +EEXXAAMMPPLLEESS + The following will propagate a database to another machine (which should + run hpropd(8):) + + $ hprop slave-1 slave-2 + + Copy a Kerberos 4 database to a Kerberos 5 slave: + + $ hprop --source=krb4-db -E krb5-slave + + Convert a Kerberos 4 dump-file for use with a Heimdal KDC: + + $ hprop -n --source=krb4-dump -d /var/kerberos/principal.dump -E | hpropd -n + +SSEEEE AALLSSOO + hpropd(8) + + HEIMDAL June 19, 2000 2 
diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8 index 35e416f..dd26547 100644 --- a/crypto/heimdal/kdc/hpropd.8 +++ b/crypto/heimdal/kdc/hpropd.8 @@ -1,4 +1,4 @@ -.\" $Id: hpropd.8,v 1.5 2000/11/12 15:37:33 joda Exp $ +.\" $Id: hpropd.8,v 1.7 2001/06/08 21:35:32 joda Exp $ .\" .Dd August 27, 1997 .Dt HPROPD 8 @@ -9,14 +9,16 @@ .Sh SYNOPSIS .Nm .Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Ar file Oc +.Fl -database= Ns Ar file .Xc +.Oc .Op Fl n | Fl -stdin .Op Fl -print .Op Fl i | Fl -no-inetd .Oo Fl k Ar keytab \*(Ba Xo -.Fl -keytab= Ns Ar keytab Oc +.Fl -keytab= Ns Ar keytab .Xc +.Oc .Op Fl 4 | Fl -v4dump .Sh DESCRIPTION .Nm diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c index 2cfdd15..da5498b 100644 --- a/crypto/heimdal/kdc/hpropd.c +++ b/crypto/heimdal/kdc/hpropd.c @@ -33,7 +33,7 @@ #include "hprop.h" -RCSID("$Id: hpropd.c,v 1.31 2001/01/25 12:37:39 assar Exp $"); +RCSID("$Id: hpropd.c,v 1.32 2001/02/20 01:44:50 assar Exp $"); #ifdef KRB4 static des_cblock mkey4; @@ -213,7 +213,7 @@ main(int argc, char **argv) int fd_out = -1; #endif - set_progname(argv[0]); + setprogname(argv[0]); ret = krb5_init_context(&context); if(ret) diff --git a/crypto/heimdal/kdc/hpropd.cat8 b/crypto/heimdal/kdc/hpropd.cat8 new file mode 100644 index 0000000..5218e6d --- /dev/null +++ b/crypto/heimdal/kdc/hpropd.cat8 
@@ -0,0 +1,43 @@ + +HPROPD(8) UNIX System Manager's Manual HPROPD(8) + +NNAAMMEE + hhpprrooppdd - receive a propagated database + +SSYYNNOOPPSSIISS + hhpprrooppdd [--dd _f_i_l_e | ----ddaattaabbaassee==_f_i_l_e] [--nn | ----ssttddiinn] [----pprriinntt] [--ii | + ----nnoo--iinneettdd] [--kk _k_e_y_t_a_b | ----kkeeyyttaabb==_k_e_y_t_a_b] [--44 | ----vv44dduummpp] + +DDEESSCCRRIIPPTTIIOONN + hhpprrooppdd receives databases sent by hhpprroopp. and writes it as a local + database. + + By default, hhpprrooppdd expects to be started from iinneettdd if stdin is a socket + and expects to receive the dumped database over stdin otherwise. If the + database is sent over the network, it is authenticated and encrypted. + Only connections from kadmin/hprop are accepted. + + Options supported: + + --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e + database + + --nn, ----ssttddiinn + read from stdin + + ----pprriinntt + print dump to stdout + + --ii, ----nnoo--iinneettdd + Not started from inetd + + --kk _k_e_y_t_a_b, ----kkeeyyttaabb==_k_e_y_t_a_b + keytab to use for authentication + + --44, ----vv44dduummpp + create v4 type DB + +SSEEEE AALLSSOO + hprop(8) + + HEIMDAL August 27, 1997 1 diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c index 175ddb6..5920895 100644 --- a/crypto/heimdal/kdc/kaserver.c +++ b/crypto/heimdal/kdc/kaserver.c @@ -33,11 +33,10 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c,v 1.15 2001/01/28 21:51:05 assar Exp $"); +RCSID("$Id: kaserver.c,v 1.16 2001/02/05 10:49:43 assar Exp $"); #ifdef KASERVER -#include "kerberos4.h" #include <rx.h> #define KA_AUTHENTICATION_SERVICE 731 
@@ -406,10 +405,10 @@ do_authenticate (struct rx_header *hdr, snprintf (client_name, sizeof(client_name), "%s.%s@%s", name, instance, v4_realm); - client_entry = db_fetch4 (name, instance, v4_realm); - if (client_entry == NULL) { - kdc_log(0, "Client not found in database: %s", - client_name); + ret = db_fetch4 (name, instance, v4_realm, &client_entry); + if (ret) { + kdc_log(0, "Client not found in database: %s: %s", + client_name, krb5_get_err_text(context, ret)); make_error_reply (hdr, KANOENT, reply); goto out; } @@ -417,9 +416,10 @@ do_authenticate (struct rx_header *hdr, snprintf (server_name, sizeof(server_name), "%s.%s@%s", "krbtgt", v4_realm, v4_realm); - server_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm); - if (server_entry == NULL) { - kdc_log(0, "Server not found in database: %s", server_name); + ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &server_entry); + if (ret) { + kdc_log(0, "Server not found in database: %s: %s", + server_name, krb5_get_err_text(context, ret)); make_error_reply (hdr, KANOENT, reply); goto out; } @@ -599,9 +599,10 @@ do_getticket (struct rx_header *hdr, snprintf (server_name, sizeof(server_name), "%s.%s@%s", name, instance, v4_realm); - server_entry = db_fetch4 (name, instance, v4_realm); - if (server_entry == NULL) { - kdc_log(0, "Server not found in database: %s", server_name); + ret = db_fetch4 (name, instance, v4_realm, &server_entry); + if (ret) { + kdc_log(0, "Server not found in database: %s: %s", + server_name, krb5_get_err_text(context, ret)); make_error_reply (hdr, KANOENT, reply); goto out; } 
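Review bot: Every non-zero return from `db_fetch4` in `do_authenticate` and `do_getticket` is answered with `KANOENT`, in these three hunks and in the krbtgt lookup at -614. A database or allocation failure is therefore reported to the client as a missing entry, and only the log line carries the real cause. If the kaserver protocol has a more general failure code, map non-"not found" errors to it; otherwise a short comment such as `/* any lookup failure is reported as KANOENT */` would record that this is deliberate. Also confirm that `client_entry`, `server_entry` and `krbtgt_entry` are initialised to NULL before these calls. With the new out-parameter form a failed fetch may leave them unset, and the cleanup at `out` is outside the hunks.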
@@ -614,10 +615,10 @@ do_getticket (struct rx_header *hdr, goto out; } - krbtgt_entry = db_fetch4 ("krbtgt", v4_realm, v4_realm); - if (krbtgt_entry == NULL) { - kdc_log(0, "Server not found in database: %s.%s@%s", - "krbtgt", v4_realm, v4_realm); + ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry); + if (ret) { + kdc_log(0, "Server not found in database: %s.%s@%s: %s", + "krbtgt", v4_realm, v4_realm, krb5_get_err_text(context, ret)); make_error_reply (hdr, KANOENT, reply); goto out; } diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8 index 1687dcd..8437c63 100644 --- a/crypto/heimdal/kdc/kdc.8 +++ b/crypto/heimdal/kdc/kdc.8 @@ -1,4 +1,4 @@ -.\" $Id: kdc.8,v 1.11 2001/01/26 22:46:28 assar Exp $ +.\" $Id: kdc.8,v 1.13 2001/06/08 21:35:32 joda Exp $ .\" .Dd July 27, 1997 .Dt KDC 8 @@ -9,20 +9,23 @@ .Sh SYNOPSIS .Nm .Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file Oc +.Fl -config-file= Ns Ar file .Xc +.Oc .Op Fl p | Fl -no-require-preauth .Op Fl -max-request= Ns Ar size .Op Fl H | Fl -enable-http .Oo Fl r Ar string \*(Ba Xo -.Fl -v4-realm= Ns Ar string Oc +.Fl -v4-realm= Ns Ar string .Xc +.Oc .Op Fl K | Fl -no-kaserver .Op Fl r Ar realm .Op Fl -v4-realm= Ns Ar realm .Oo Fl P Ar string \*(Ba Xo -.Fl -ports= Ns Ar string Oc +.Fl -ports= Ns Ar string .Xc +.Oc .Op Fl -addresses= Ns Ar list of addresses .Sh DESCRIPTION .Nm diff --git a/crypto/heimdal/kdc/kdc.cat8 b/crypto/heimdal/kdc/kdc.cat8 new file mode 100644 index 0000000..234b76d --- /dev/null +++ b/crypto/heimdal/kdc/kdc.cat8 
@@ -0,0 +1,118 @@ + +KDC(8) UNIX System Manager's Manual KDC(8) + +NNAAMMEE + kkddcc - Kerberos 5 server + +SSYYNNOOPPSSIISS + kkddcc [--cc _f_i_l_e | ----ccoonnffiigg--ffiillee==_f_i_l_e] [--pp | ----nnoo--rreeqquuiirree--pprreeaauutthh] + [----mmaaxx--rreeqquueesstt==_s_i_z_e] [--HH | ----eennaabbllee--hhttttpp] [--rr _s_t_r_i_n_g | ----vv44--rreeaallmm==_s_t_r_i_n_g] + [--KK | ----nnoo--kkaasseerrvveerr] [--rr _r_e_a_l_m] [----vv44--rreeaallmm==_r_e_a_l_m] [--PP _s_t_r_i_n_g | + ----ppoorrttss==_s_t_r_i_n_g] [----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s] + +DDEESSCCRRIIPPTTIIOONN + kkddcc serves requests for tickets. When it starts, it first checks the + flags passed, any options that are not specified with a command line flag + is taken from a config file, or from a default compiled-in value. + + Options supported: + + --cc _f_i_l_e + + ----ccoonnffiigg--ffiillee==_f_i_l_e + Specifies the location of the config file, the default is + _/_v_a_r_/_h_e_i_m_d_a_l_/_k_d_c_._c_o_n_f. This is the only value that can't be spec- + ified in the config file. + + --pp + + ----nnoo--rreeqquuiirree--pprreeaauutthh + Turn off the requirement for pre-autentication in the initial AS- + REQ for all principals. The use of pre-authentication makes it + more difficult to do offline password attacks. You might want to + turn it off if you have clients that doesn't do pre-authentica- + tion. Since the version 4 protocol doesn't support any pre-au- + thentication, so serving version 4 clients is just about the same + as not requiring pre-athentication. The default is to require + pre-authentication. Adding the require-preauth per principal is a + more flexible way of handling this. + + ----mmaaxx--rreeqquueesstt==_s_i_z_e + Gives an upper limit on the size of the requests that the kdc is + willing to handle. + + --HH, ----eennaabbllee--hhttttpp + Makes the kdc listen on port 80 and handle requests encapsulated + in HTTP. 
+ + --KK, ----nnoo--kkaasseerrvveerr + Disables kaserver emulation (in case it's compiled in). + + --rr _r_e_a_l_m + + ----vv44--rreeaallmm==_r_e_a_l_m + What realm this server should act as when dealing with version 4 + requests. The database can contain any number of realms, but + since the version 4 protocol doesn't contain a realm for the + server, it must be explicitly specified. The default is whatever + is returned by kkrrbb__ggeett__llrreeaallmm(). This option is only availabe if + the KDC has been compiled with version 4 support. + + --PP _s_t_r_i_n_g, ----ppoorrttss==_s_t_r_i_n_g + Specifies the set of ports the KDC should listen on. It is given + as a white-space separated list of services or port numbers. + + ----aaddddrreesssseess==_l_i_s_t _o_f _a_d_d_r_e_s_s_e_s + The list of addresses to listen for requests on. By default, the + kdc will listen on all the locally configured addresses. If only + a subset is desired, or the automatic detection fails, this op- + tion might be used. + + All activities , are logged to one or more destinations, see + krb5.conf(5), and krb5_openlog(3). The entity used for logging is kkddcc. + +CCOONNFFIIGGUURRAATTIIOONN FFIILLEE + The configuration file has the same syntax as the _k_r_b_5_._c_o_n_f file (you can + actually put the configuration in _/_e_t_c_/_k_r_b_5_._c_o_n_f, and then start the KDC + with ----ccoonnffiigg--ffiillee==_/_e_t_c_/_k_r_b_5_._c_o_n_f). All options should be in a section + called ``kdc''. All the command-line options can preferably be added in + the configuration file. The only difference is the pre-authentication + flag, that has to be specified as: + + require-preauth = no + + (in fact you can specify the option as ----rreeqquuiirree--pprreeaauutthh==nnoo). + + And there are some configuration options which do not have command-line + equivalents: + + check-ticket-addresses = _b_o_o_l_e_a_n + Check the addresses in the ticket when processing TGS re- + quests. The default is FALSE. 
+ + allow-null-ticket-addresses = _b_o_o_l_e_a_n + Permit tickets with no addresses. This option is only rele- + vant when check-ticket-addresses is TRUE. + + allow-anonymous = _b_o_o_l_e_a_n + Permit anonymous tickets with no addresses. + + encode_as_rep_as_tgs_rep = _b_o_o_l_e_a_n + Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE + code. The Heimdal clients allow both. + + kdc_warn_pwexpire = _t_i_m_e + How long before password/principal expiration the KDC should + start sending out warning messages. + + An example of a config file: + + [kdc] + require-preauth = no + v4-realm = FOO.SE + key-file = /key-file + +SSEEEE AALLSSOO + kinit(1) + + HEIMDAL July 27, 1997 2 diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c index 90cc49e..e540b12 100644 --- a/crypto/heimdal/kdc/kerberos5.c +++ b/crypto/heimdal/kdc/kerberos5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c,v 1.123 2001/01/30 01:44:08 assar Exp $"); +RCSID("$Id: kerberos5.c,v 1.133 2001/05/22 20:16:22 assar Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -415,7 +415,7 @@ check_addresses(HostAddresses *addresses, const struct sockaddr *from) if(addresses == NULL) return allow_null_ticket_addresses; - ret = krb5_sockaddr2address (from, &addr); + ret = krb5_sockaddr2address (context, from, &addr); if(ret) return FALSE; @@ -630,7 +630,8 @@ as_rep(KDC_REQ *req, &foo_data, client_princ, server_princ, - 0, + NULL, + NULL, reply); free(buf); kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); 
@@ -804,17 +805,17 @@ as_rep(KDC_REQ *req, if (client->pw_end && (kdc_warn_pwexpire == 0 || kdc_time + kdc_warn_pwexpire <= *client->pw_end)) { - ek.last_req.val[ek.last_req.len].lr_type = 6; + ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME; ek.last_req.val[ek.last_req.len].lr_value = *client->pw_end; ++ek.last_req.len; } if (client->valid_end) { - ek.last_req.val[ek.last_req.len].lr_type = 7; + ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME; ek.last_req.val[ek.last_req.len].lr_value = *client->valid_end; ++ek.last_req.len; } if (ek.last_req.len == 0) { - ek.last_req.val[ek.last_req.len].lr_type = 0; + ek.last_req.val[ek.last_req.len].lr_type = LR_NONE; ek.last_req.val[ek.last_req.len].lr_value = 0; ++ek.last_req.len; } @@ -862,7 +863,8 @@ out: NULL, client_princ, server_princ, - 0, + NULL, + NULL, reply); ret = 0; } @@ -978,7 +980,9 @@ check_tgs_flags(KDC_REQ_BODY *b, EncTicketPart *tgt, EncTicketPart *et) old_life -= *tgt->starttime; else old_life -= tgt->authtime; - et->endtime = min(*et->renew_till, *et->starttime + old_life); + et->endtime = *et->starttime + old_life; + if (et->renew_till != NULL) + et->endtime = min(*et->renew_till, et->endtime); } /* checks for excess flags */ @@ -1006,7 +1010,8 @@ fix_transited_encoding(TransitedEncoding *tr, tr->tr_type); return KRB5KDC_ERR_TRTYPE_NOSUPP; } - ret = krb5_domain_x500_decode(tr->contents, + ret = krb5_domain_x500_decode(context, + tr->contents, &realms, &num_realms, client_realm, @@ -1285,10 +1290,15 @@ out: return ret; } +/* + * return the realm of a krbtgt-ticket or NULL + */ + static Realm -is_krbtgt(PrincipalName *p) +get_krbtgt_realm(const PrincipalName *p) { - if(p->name_string.len == 2 && strcmp(p->name_string.val[0], "krbtgt") == 0) + if(p->name_string.len == 2 + && strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0) return p->name_string.val[1]; else return NULL; 
@@ -1307,12 +1317,25 @@ find_rpath(Realm r) } +static krb5_boolean +need_referral(krb5_principal server, krb5_realm **realms) +{ + if(server->name.name_type != KRB5_NT_SRV_INST || + server->name.name_string.len != 2) + return FALSE; + + return krb5_get_host_realm_int(context, server->name.name_string.val[1], + FALSE, realms) == 0; +} + static krb5_error_code tgs_rep2(KDC_REQ_BODY *b, PA_DATA *tgs_req, krb5_data *reply, const char *from, - struct sockaddr *from_addr) + const struct sockaddr *from_addr, + time_t **csec, + int **cusec) { krb5_ap_req ap_req; krb5_error_code ret; @@ -1332,6 +1355,9 @@ tgs_rep2(KDC_REQ_BODY *b, krb5_principal sp = NULL; AuthorizationData *auth_data = NULL; + *csec = NULL; + *cusec = NULL; + memset(&ap_req, 0, sizeof(ap_req)); ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req); if(ret){ @@ -1340,7 +1366,7 @@ tgs_rep2(KDC_REQ_BODY *b, goto out2; } - if(!is_krbtgt(&ap_req.ticket.sname)){ + if(!get_krbtgt_realm(&ap_req.ticket.sname)){ /* XXX check for ticket.sname == req.sname */ kdc_log(0, "PA-DATA is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; /* ? */ @@ -1409,6 +1435,29 @@ tgs_rep2(KDC_REQ_BODY *b, goto out2; } + { + krb5_authenticator auth; + + ret = krb5_auth_getauthenticator(context, ac, &auth); + if (ret == 0) { + *csec = malloc(sizeof(**csec)); + if (*csec == NULL) { + krb5_free_authenticator(context, &auth); + kdc_log(0, "malloc failed"); + goto out2; + } + **csec = auth->ctime; + *cusec = malloc(sizeof(**cusec)); + if (*cusec == NULL) { + krb5_free_authenticator(context, &auth); + kdc_log(0, "malloc failed"); + goto out2; + } + **csec = auth->cusec; + krb5_free_authenticator(context, &auth); + } + } + cetype = ap_req.authenticator.etype; tgt = &ticket->ticket; 
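Review bot: The second store in the authenticator block added to `tgs_rep2` writes to the wrong target: `**csec = auth->cusec;` overwrites the seconds value just saved and leaves the freshly allocated `*cusec` uninitialised. It should read `**cusec = auth->cusec;`. Both malloc-failure branches also `goto out2` while `ret` is still 0 from `krb5_auth_getauthenticator`, so the function returns success without building any reply. Add `ret = ENOMEM;` before each of those jumps. The body of tgs_rep2 continues outside the hunk.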
@@ -1506,7 +1555,7 @@ tgs_rep2(KDC_REQ_BODY *b, goto out; } t = &b->additional_tickets->val[0]; - if(!is_krbtgt(&t->sname)){ + if(!get_krbtgt_realm(&t->sname)){ kdc_log(0, "Additional ticket is not a ticket-granting ticket"); ret = KRB5KDC_ERR_POLICY; goto out2; @@ -1548,18 +1597,36 @@ tgs_rep2(KDC_REQ_BODY *b, if(ret){ Realm req_rlm, new_rlm; - if(loop++ < 2 && (req_rlm = is_krbtgt(&sp->name))){ - new_rlm = find_rpath(req_rlm); - if(new_rlm) { - kdc_log(5, "krbtgt for realm %s not found, trying %s", - req_rlm, new_rlm); + krb5_realm *realms; + + if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { + if(loop++ < 2) { + new_rlm = find_rpath(req_rlm); + if(new_rlm) { + kdc_log(5, "krbtgt for realm %s not found, trying %s", + req_rlm, new_rlm); + krb5_free_principal(context, sp); + free(spn); + krb5_make_principal(context, &sp, r, + KRB5_TGS_NAME, new_rlm, NULL); + krb5_unparse_name(context, sp, &spn); + goto server_lookup; + } + } + } else if(need_referral(sp, &realms)) { + if (strcmp(realms[0], sp->realm) != 0) { + kdc_log(5, "returning a referral to realm %s for " + "server %s that was not found", + realms[0], spn); krb5_free_principal(context, sp); free(spn); - krb5_make_principal(context, &sp, r, - "krbtgt", new_rlm, NULL); - krb5_unparse_name(context, sp, &spn); + krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, + realms[0], NULL); + krb5_unparse_name(context, sp, &spn); + krb5_free_host_realm(context, realms); goto server_lookup; } + krb5_free_host_realm(context, realms); } kdc_log(0, "Server not found in database: %s: %s", spn, krb5_get_err_text(context, ret)); @@ -1624,15 +1691,21 @@ tgs_rep2(KDC_REQ_BODY *b, free_ent(client); } out2: - if(ret) + if(ret) { krb5_mk_error(context, ret, e_text, NULL, cp, sp, - 0, + NULL, + NULL, reply); + free(*csec); + free(*cusec); + *csec = NULL; + *cusec = NULL; + } krb5_free_principal(context, cp); krb5_free_principal(context, sp); if (ticket) { @@ -1647,6 +1720,7 @@ out2: if(krbtgt) free_ent(krbtgt); + return ret; } 
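Review bot: In the new referral branch of `tgs_rep2`, `sp` and `spn` are freed and then rebuilt with `krb5_make_principal` and `krb5_unparse_name`, and both return values are ignored. If either call fails, `goto server_lookup` and the later `krb5_free_principal(context, sp)` at `out2` may act on stale pointers; whether these calls reset their outputs on failure is not visible here. The krbtgt retry branch just above has the same pattern. Adding `sp = NULL; spn = NULL;` after the two frees, and taking the existing not-found error path when either call returns non-zero, would make the failure case safe. `realms[0]` is also passed to `strcmp` without a NULL check, which relies on `krb5_get_host_realm_int` never returning an empty list on success.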
@@ -1660,6 +1734,8 @@ tgs_rep(KDC_REQ *req,
 krb5_error_code ret;
 int i = 0;
 PA_DATA *tgs_req = NULL;
+ time_t *csec = NULL;
+ int *cusec = NULL;
 if(req->padata == NULL){
 ret = KRB5KDC_ERR_PREAUTH_REQUIRED; /* XXX ??? */
@@ -1675,7 +1751,8 @@ tgs_rep(KDC_REQ *req,
 kdc_log(0, "TGS-REQ from %s without PA-TGS-REQ", from);
 goto out;
 }
- ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr);
+ ret = tgs_rep2(&req->req_body, tgs_req, data, from, from_addr,
+ &csec, &cusec);
 out:
 if(ret && data->data == NULL){
 krb5_mk_error(context,
@@ -1684,8 +1761,11 @@ out:
 NULL,
 NULL,
 NULL,
- 0,
+ csec,
+ cusec,
 data);
 }
+ free(csec);
+ free(cusec);
 return 0;
 }
diff --git a/crypto/heimdal/kdc/kstash.8 b/crypto/heimdal/kdc/kstash.8
index a9d34c3..afbad1e 100644
--- a/crypto/heimdal/kdc/kstash.8
+++ b/crypto/heimdal/kdc/kstash.8
@@ -1,4 +1,4 @@
-.\" $Id: kstash.8,v 1.3 2000/09/01 16:37:52 joda Exp $
+.\" $Id: kstash.8,v 1.5 2001/06/08 21:35:32 joda Exp $
 .\"
 .Dd September 1, 2000
 .Dt KSTASH 8
@@ -9,11 +9,13 @@
 .Sh SYNOPSIS
 .Nm
 .Oo Fl e Ar string \*(Ba Xo
-.Fl -enctype= Ns Ar string Oc
+.Fl -enctype= Ns Ar string
 .Xc
+.Oc
 .Oo Fl k Ar file \*(Ba Xo
-.Fl -key-file= Ns Ar file Oc
+.Fl -key-file= Ns Ar file
 .Xc
+.Oc
 .Op Fl -convert-file
 .Op Fl -master-key-fd= Ns Ar fd
 .Op Fl h | Fl -help
diff --git a/crypto/heimdal/kdc/kstash.cat8 b/crypto/heimdal/kdc/kstash.cat8
new file mode 100644
index 0000000..7dd2c7a
--- /dev/null
+++ b/crypto/heimdal/kdc/kstash.cat8
@@ -0,0 +1,34 @@ + +KSTASH(8) UNIX System Manager's Manual KSTASH(8) + +NNAAMMEE + kkssttaasshh - store the KDC master password in a file + +SSYYNNOOPPSSIISS + kkssttaasshh [--ee _s_t_r_i_n_g | ----eennccttyyppee==_s_t_r_i_n_g] [--kk _f_i_l_e | ----kkeeyy--ffiillee==_f_i_l_e] + [----ccoonnvveerrtt--ffiillee] [----mmaasstteerr--kkeeyy--ffdd==_f_d] [--hh | ----hheellpp] [----vveerrssiioonn] + +DDEESSCCRRIIPPTTIIOONN + kkssttaasshh reads the Kerberos master key and stores it in a file that will be + used by the KDC. + + Supported options: + + --ee _s_t_r_i_n_g, ----eennccttyyppee==_s_t_r_i_n_g + the encryption type to use, defaults to DES3-CBC-SHA1 + + --kk _f_i_l_e, ----kkeeyy--ffiillee==_f_i_l_e + the name of the master key file + + ----ccoonnvveerrtt--ffiillee + don't ask for a new master key, just read an old master key file, + and writes it back in the new keyfile format + + ----mmaasstteerr--kkeeyy--ffdd==_f_d + filedescriptor to read passphrase from, if not specified the + passphrase will be read from the terminal + +SSEEEE AALLSSOO + kdc(8) + + HEIMDAL September 1, 2000 1 diff --git a/crypto/heimdal/kdc/main.c b/crypto/heimdal/kdc/main.c index a14ae84..146bd91 100644 --- a/crypto/heimdal/kdc/main.c +++ b/crypto/heimdal/kdc/main.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: main.c,v 1.24 2000/12/31 07:46:14 assar Exp $"); +RCSID("$Id: main.c,v 1.25 2001/02/20 01:44:50 assar Exp $"); sig_atomic_t exit_flag = 0; krb5_context context; @@ -48,7 +48,7 @@ int main(int argc, char **argv) { krb5_error_code ret; - set_progname(argv[0]); + setprogname(argv[0]); ret = krb5_init_context(&context); if (ret) diff --git a/crypto/heimdal/kdc/string2key.8 b/crypto/heimdal/kdc/string2key.8 index b286733..50d7c29 100644 --- a/crypto/heimdal/kdc/string2key.8 +++ b/crypto/heimdal/kdc/string2key.8 @@ -1,4 +1,4 @@ -.\" $Id: string2key.8,v 1.2 2000/03/04 14:02:55 assar Exp $ +.\" $Id: string2key.8,v 1.4 2001/06/08 21:35:32 joda Exp $ .\" .Dd March 4, 2000 .Dt STRING2KEY 8 
@@ -12,17 +12,21 @@ .Op Fl 4 | Fl -version4 .Op Fl a | Fl -afs .Oo Fl c Ar cell \*(Ba Xo -.Fl -cell= Ns Ar cell Oc +.Fl -cell= Ns Ar cell .Xc +.Oc .Oo Fl w Ar password \*(Ba Xo -.Fl -password= Ns Ar password Oc +.Fl -password= Ns Ar password .Xc +.Oc .Oo Fl p Ar principal \*(Ba Xo -.Fl -principal= Ns Ar principal Oc +.Fl -principal= Ns Ar principal .Xc +.Oc .Oo Fl k Ar string \*(Ba Xo -.Fl -keytype= Ns Ar string Oc +.Fl -keytype= Ns Ar string .Xc +.Oc .Ar password .Sh DESCRIPTION .Nm diff --git a/crypto/heimdal/kdc/string2key.cat8 b/crypto/heimdal/kdc/string2key.cat8 new file mode 100644 index 0000000..d70e150 --- /dev/null +++ b/crypto/heimdal/kdc/string2key.cat8 @@ -0,0 +1,42 @@ + +STRING2KEY(8) UNIX System Manager's Manual STRING2KEY(8) + +NNAAMMEE + ssttrriinngg22kkeeyy - map a password into a key + +SSYYNNOOPPSSIISS + ssttrriinngg22kkeeyy [--55 | ----vveerrssiioonn55] [--44 | ----vveerrssiioonn44] [--aa | ----aaffss] [--cc _c_e_l_l | + ----cceellll==_c_e_l_l] [--ww _p_a_s_s_w_o_r_d | ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d] [--pp _p_r_i_n_c_i_p_a_l | + ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l] [--kk _s_t_r_i_n_g | ----kkeeyyttyyppee==_s_t_r_i_n_g] _p_a_s_s_w_o_r_d + +DDEESSCCRRIIPPTTIIOONN + ssttrriinngg22kkeeyy performs the string-to-key function. This is useful when you + want to handle the raw key instead of the password. Supported options: + + --55, ----vveerrssiioonn55 + Output Kerberos v5 string-to-key + + --44, ----vveerrssiioonn44 + Output Kerberos v4 string-to-key + + --aa, ----aaffss + Output AFS string-to-key + + --cc _c_e_l_l, ----cceellll==_c_e_l_l + AFS cell to use + + --ww _p_a_s_s_w_o_r_d, ----ppaasssswwoorrdd==_p_a_s_s_w_o_r_d + Password to use + + --pp _p_r_i_n_c_i_p_a_l, ----pprriinncciippaall==_p_r_i_n_c_i_p_a_l + Kerberos v5 principal to use + + --kk _s_t_r_i_n_g, ----kkeeyyttyyppee==_s_t_r_i_n_g + Keytype + + ----vveerrssiioonn + print version + + ----hheellpp + + HEIMDAL March 4, 2000 1 |