Initial import of KTH eBones. This has been cleaned up to only include

the "core" Kerberos functionality. The rest of the userland will get their
own changes later.

1 files changed, 845 insertions, 0 deletions

diff --git a/crypto/kerberosIV/kadmin/kadmin.c b/crypto/kerberosIV/kadmin/kadmin.c
new file mode 100644
index 0000000..f117b6b
--- /dev/null
+++ b/crypto/kerberosIV/kadmin/kadmin.c
@@ -0,0 +1,845 @@
+/* 
+  Copyright (C) 1989 by the Massachusetts Institute of Technology
+
+   Export of this software from the United States of America is assumed
+   to require a specific license from the United States Government.
+   It is the responsibility of any person or organization contemplating
+   export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of M.I.T. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission.  M.I.T. makes no representations about the suitability of
+this software for any purpose.  It is provided "as is" without express
+or implied warranty.
+
+  */
+
+/*
+ * Kerberos database administrator's tool.  
+ * 
+ * The default behavior of kadmin is if the -m option is given 
+ * on the commandline, multiple requests are allowed to be given
+ * with one entry of the admin password (until the tickets expire).
+ */
+
+#include "kadm_locl.h"
+
+RCSID("$Id: kadmin.c,v 1.48 1997/05/13 09:43:06 bg Exp $");
+
+static void change_password(int argc, char **argv);
+static void change_key(int argc, char **argv);
+static void change_admin_password(int argc, char **argv);
+static void add_new_key(int argc, char **argv);
+static void del_entry(int argc, char **argv);
+static void get_entry(int argc, char **argv);
+static void mod_entry(int argc, char **argv);
+static void help(int argc, char **argv);
+static void clean_up_cmd(int argc, char **argv);
+static void quit_cmd(int argc, char **argv);
+
+static SL_cmd cmds[] = {
+  {"change_password", change_password, "Change a user's password"},
+  {"cpw"},
+  {"passwd"},
+  {"change_key", change_key, "Change a user's password as a DES binary key"},
+  {"ckey"},
+  {"change_admin_password", change_admin_password,
+   "Change your admin password"},
+  {"cap"},
+  {"add_new_key", add_new_key, "Add new user to kerberos database"},
+  {"ank"},
+  {"del_entry", del_entry, "Delete entry from database"},
+  {"del"},
+  {"delete"},
+  {"get_entry", get_entry, "Get entry from kerberos database"},
+  {"mod_entry", mod_entry, "Modify entry in kerberos database"},
+  {"destroy_tickets", clean_up_cmd, "Destroy admin tickets"},
+  {"exit", quit_cmd, "Exit program"},
+  {"quit"},
+  {"help", help, "Help"},
+  {"?"},
+  {NULL}
+};
+
+#define BAD_PW 1
+#define GOOD_PW 0
+#define FUDGE_VALUE 15		/* for ticket expiration time */
+#define PE_NO 0
+#define PE_YES 1
+#define PE_UNSURE 2
+
+/* for get_password, whether it should do the swapping...necessary for
+   using vals structure, unnecessary for change_pw requests */
+#define DONTSWAP 0
+#define SWAP 1
+
+static krb_principal pr;
+static char default_realm[REALM_SZ]; /* default kerberos realm */
+static char krbrlm[REALM_SZ];	/* current realm being administered */
+static int multiple = 0;	/* Allow multiple requests per ticket */
+
+#ifdef NOENCRYPTION
+#define read_long_pw_string placebo_read_pw_string
+#else
+#define read_long_pw_string des_read_pw_string
+#endif
+
+static void
+get_maxlife(Kadm_vals *vals)
+{
+    char buff[BUFSIZ];
+    time_t life;
+    int l;
+
+    do {
+	printf("Maximum ticket lifetime?  (%d)  [%s]  ",
+ 	     vals->max_life, krb_life_to_atime(vals->max_life));
+	fflush(stdout);
+	if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') {
+	    clearerr(stdin);
+	    return;
+	}
+	life = krb_atime_to_life(buff);
+    } while (life <= 0);
+
+    l = strlen(buff);
+    if (buff[l-2] == 'm')
+	life = krb_time_to_life(0L, life*60);
+    if (buff[l-2] == 'h')
+	life = krb_time_to_life(0L, life*60*60);
+
+    vals->max_life = life;
+    SET_FIELD(KADM_MAXLIFE,vals->fields);
+}
+
+static void
+get_attr(Kadm_vals *vals)
+{
+    char buff[BUFSIZ], *out;
+    int attr;
+
+    do {
+	printf("Attributes?  [0x%.2x]  ", vals->attributes);
+	fflush(stdout);
+	if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') {
+	    clearerr(stdin);
+	    return;
+	}
+        attr = strtol(buff, &out, 0);
+	if (attr == 0 && out == buff)
+	  attr = -1;
+    } while (attr < 0 || attr > 0xffff);
+
+    vals->attributes = attr;
+    SET_FIELD(KADM_ATTR,vals->fields);
+}
+
+static void
+get_expdate(Kadm_vals *vals)
+{
+    char buff[BUFSIZ];
+    struct tm edate;
+
+    memset(&edate, 0, sizeof(edate));
+    do {
+        printf("Expiration date (enter yyyy-mm-dd) ?  [%.24s]  ",
+             asctime(k_localtime(&vals->exp_date)));
+        fflush(stdout);
+        if (fgets(buff, sizeof(buff), stdin) == NULL || *buff == '\n') {
+            clearerr(stdin);
+            return;
+        }
+        if (sscanf(buff, "%d-%d-%d",
+                   &edate.tm_year, &edate.tm_mon, &edate.tm_mday) == 3) {
+            edate.tm_mon--;     /* January is 0, not 1 */
+            edate.tm_hour = 23; /* nearly midnight at the end of the */
+            edate.tm_min = 59;  /* specified day */
+        }
+    } while (krb_check_tm (edate));
+
+    edate.tm_year -= 1900;
+    vals->exp_date = tm2time (edate, 1);
+    SET_FIELD(KADM_EXPDATE,vals->fields);
+}
+
+static int
+princ_exists(char *name, char *instance, char *realm)
+{
+    int status;
+
+    status = krb_get_pw_in_tkt(name, instance, realm,
+			       KRB_TICKET_GRANTING_TICKET,
+			       realm, 1, "");
+
+    if ((status == KSUCCESS) || (status == INTK_BADPW))
+	return(PE_YES);
+    else if (status == KDC_PR_UNKNOWN)
+	return(PE_NO);
+    else
+	return(PE_UNSURE);
+}
+
+static int
+get_password(u_int32_t *low, u_int32_t *high, char *prompt, int byteswap)
+{
+    char new_passwd[MAX_KPW_LEN];	/* new password */
+    des_cblock newkey;
+
+    if (read_long_pw_string(new_passwd, sizeof(new_passwd)-1, prompt, 1))
+    	return(BAD_PW);
+    if (strlen(new_passwd) == 0) {
+    	printf("Using random password.\n");
+#ifdef NOENCRYPTION
+	memset(newkey, 0, sizeof(newkey));
+#else
+	des_new_random_key(&newkey);
+#endif
+    } else {
+#ifdef NOENCRYPTION
+      memset(newkey, 0, sizeof(newkey));
+#else
+      des_string_to_key(new_passwd, &newkey);
+#endif
+      memset(new_passwd, 0, sizeof(new_passwd));
+    }
+
+    memcpy(low, newkey, 4);
+    memcpy(high, ((char *)newkey) + 4, 4);
+
+    memset(newkey, 0, sizeof(newkey));
+
+#ifdef NOENCRYPTION
+    *low = 1;
+#endif
+
+    if (byteswap != DONTSWAP) {
+	*low = htonl(*low);
+	*high = htonl(*high);
+    }
+    return(GOOD_PW);
+}
+
+static int
+get_admin_password(void)
+{
+    int status;
+    char admin_passwd[MAX_KPW_LEN];	/* Admin's password */
+    int ticket_life = 1;	/* minimum ticket lifetime */
+    CREDENTIALS c;
+
+    if (multiple) {
+	/* If admin tickets exist and are valid, just exit. */
+	memset(&c, 0, sizeof(c));
+	if (krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c) == KSUCCESS)
+	    /* 
+	     * If time is less than lifetime - FUDGE_VALUE after issue date,
+	     * tickets will probably last long enough for the next 
+	     * transaction.
+	     */
+	    if (time(0) < (c.issue_date + (5 * 60 * c.lifetime) - FUDGE_VALUE))
+		return(KADM_SUCCESS);
+	ticket_life = DEFAULT_TKT_LIFE;
+    }
+    
+    if (princ_exists(pr.name, pr.instance, pr.realm) != PE_NO) {
+        char prompt[256];
+	snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&pr));
+	if (read_long_pw_string(admin_passwd,
+				sizeof(admin_passwd)-1,
+				prompt, 0)) {
+	    warnx ("Error reading admin password.");
+	    goto bad;
+	}
+	status = krb_get_pw_in_tkt(pr.name, pr.instance, pr.realm,
+				   PWSERV_NAME, KADM_SINST,
+				   ticket_life, admin_passwd);
+	memset(admin_passwd, 0, sizeof(admin_passwd));
+
+	/* Initialize non shared random sequence from session key. */
+	memset(&c, 0, sizeof(c));
+	krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c);
+	des_init_random_number_generator(&c.session);
+    }
+    else
+	status = KDC_PR_UNKNOWN;
+
+    switch(status) {
+    case GT_PW_OK:
+	return(GOOD_PW);
+    case KDC_PR_UNKNOWN:
+	printf("Principal %s does not exist.\n", krb_unparse_name(&pr));
+	goto bad;
+    case GT_PW_BADPW:
+	printf("Incorrect admin password.\n");
+	goto bad;
+    default:
+	com_err("kadmin", status+krb_err_base,
+		"while getting password tickets");
+	goto bad;
+    }
+    
+ bad:
+    memset(admin_passwd, 0, sizeof(admin_passwd));
+    dest_tkt();
+    return(BAD_PW);
+}
+
+static void
+usage(void)
+{
+    fprintf (stderr, "Usage: kadmin [[-u|-p] admin_name] [-r default_realm]"
+	     " [-m]\n"
+	     "   -m allows multiple admin requests to be "
+	     "serviced with one entry of admin\n"	     
+	     "   password.\n");
+    exit (1);
+}
+
+/* GLOBAL */
+static void
+clean_up()
+{
+    dest_tkt();
+}
+
+static void
+clean_up_cmd (int argc, char **argv)
+{
+    clean_up();
+}
+
+/* GLOBAL */
+static void 
+quit()
+{
+    printf("Cleaning up and exiting.\n");
+    clean_up();
+    exit(0);
+}
+
+static void
+quit_cmd (int argc, char **argv)
+{
+    quit();
+}
+
+static void
+do_init(int argc, char **argv)
+{
+    int c;
+    int tflag = 0;
+    char tktstring[MaxPathLen];
+    int k_errno;
+    
+    set_progname (argv[0]);
+
+    memset(&pr, 0, sizeof(pr));
+    if (krb_get_default_principal(pr.name, pr.instance, default_realm) < 0)
+	errx (1, "I could not even guess who you might be");
+    while ((c = getopt(argc, argv, "p:u:r:mt")) != EOF) 
+	switch (c) {
+	case 'p':
+	case 'u':
+	    if((k_errno = krb_parse_name(optarg, &pr)) != KSUCCESS)
+		errx (1, "%s", krb_get_err_text(k_errno));
+	    break;
+	case 'r':
+	    memset(default_realm, 0, sizeof(default_realm));
+	    strncpy(default_realm, optarg, sizeof(default_realm) - 1);
+	    break;
+	case 'm':
+	    multiple++;
+	    break;
+	case 't':
+	    tflag++;
+	    break;
+	default:
+	    usage();
+	    break;
+	}
+    if (optind < argc)
+	usage();
+    strcpy(krbrlm, default_realm);
+
+    if (kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm) != KADM_SUCCESS)
+	*krbrlm = '\0';
+    if (pr.realm[0] == '\0')
+	strcpy (pr.realm, krbrlm);
+    if (pr.instance[0] == '\0')
+	strcpy(pr.instance, "admin");
+    
+    if (!tflag) {
+	snprintf(tktstring, sizeof(tktstring), TKT_ROOT "_adm_%d",(int)getpid());
+	krb_set_tkt_string(tktstring);
+    }
+    
+}
+
+int
+main(int argc, char **argv)
+{
+    do_init(argc, argv);
+
+    printf("Welcome to the Kerberos Administration Program, version 2\n");
+    printf("Type \"help\" if you need it.\n");
+    sl_loop (cmds, "kadmin: ");
+    printf("\n");
+    quit();
+    exit(0);
+}
+
+static int
+setvals(Kadm_vals *vals, char *string)
+{
+    char realm[REALM_SZ];
+    int status = KADM_SUCCESS;
+
+    memset(vals, 0, sizeof(*vals));
+    memset(realm, 0, sizeof(realm));
+
+    SET_FIELD(KADM_NAME,vals->fields);
+    SET_FIELD(KADM_INST,vals->fields);
+    if ((status = kname_parse(vals->name, vals->instance, realm, string))) {
+	printf("kerberos error: %s\n", krb_get_err_text(status));
+	return status;
+    }
+    if (!realm[0])
+	strcpy(realm, default_realm);
+    if (strcmp(realm, krbrlm)) {
+	strcpy(krbrlm, realm);
+	if ((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm)) 
+	    != KADM_SUCCESS)
+	    printf("kadm error for realm %s: %s\n", 
+		   krbrlm, error_message(status));
+    }
+    if (status) 
+	return 1;
+    else
+	return KADM_SUCCESS;
+}    
+
+static void 
+change_password(int argc, char **argv)
+{
+    Kadm_vals old, new;
+    int status;
+    char pw_prompt[BUFSIZ];
+
+    if (argc != 2) {
+	printf("Usage: change_password loginname\n");
+	return;
+    }
+
+    if (setvals(&old, argv[1]) != KADM_SUCCESS)
+	return;
+
+    new = old;
+
+    SET_FIELD(KADM_DESKEY,new.fields);
+
+    if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+        if (get_admin_password() != GOOD_PW)
+	    return;
+
+	/* get the new password */
+	snprintf(pw_prompt, sizeof(pw_prompt), "New password for %s:", argv[1]);
+	
+	if (get_password(&new.key_low, &new.key_high,
+			 pw_prompt, SWAP) == GOOD_PW) {
+	    status = kadm_mod(&old, &new);
+	    if (status == KADM_SUCCESS) {
+		printf("Password changed for %s.\n", argv[1]);
+	    } else {
+		printf("kadmin: %s\nwhile changing password for %s",
+		       error_message(status), argv[1]);
+	    }
+	} else
+	    printf("Error reading password; password unchanged\n");
+	memset(&new, 0, sizeof(new));
+	if (!multiple)
+	    clean_up();
+    }
+    else 
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (old.name, old.instance, krbrlm));
+    return;
+}
+
+static int
+getkey(unsigned char *k)
+{
+    int i, c;
+    for (i = 0; i < 8; i++)
+	{
+	    c = getchar();
+	    if (c == EOF)
+		return 0;
+	    else if (c == '\\')
+		{
+		    int oct = -1;
+		    scanf("%03o", &oct);
+		    if (oct < 0 || oct > 255)
+			return 0;
+		    k[i] = oct;
+		}
+	    else if (!isalpha(c))
+		return 0;
+	    else
+		k[i] = c;
+	}
+    c = getchar();
+    if (c != '\n')
+	return 0;
+    return 1;			/* Success */
+}
+
+static void
+printkey(unsigned char *tkey)
+{
+    int j;
+    for(j = 0; j < 8; j++)
+	if(tkey[j] != '\\' && isalpha(tkey[j]) != 0)
+	    printf("%c", tkey[j]);
+	else
+	    printf("\\%03o",(unsigned char)tkey[j]);
+    printf("\n");
+}
+
+static void 
+change_key(int argc, char **argv)
+{
+    Kadm_vals old, new;
+    unsigned char newkey[8];
+    int status;
+
+    if (argc != 2) {
+	printf("Usage: change_key principal-name\n");
+	return;
+    }
+
+    if (setvals(&old, argv[1]) != KADM_SUCCESS)
+	return;
+
+    new = old;
+
+    SET_FIELD(KADM_DESKEY,new.fields);
+
+    if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+        if (get_admin_password() != GOOD_PW)
+	    return;
+
+	/* get the new password */
+	printf("New DES key for %s: ", argv[1]);
+	
+	if (getkey(newkey)) {
+	    memcpy(&new.key_low, newkey, 4);
+	    memcpy(&new.key_high, ((char *)newkey) + 4, 4);
+	    printf("Entered key for %s: ", argv[1]);
+	    printkey(newkey);
+	    memset(newkey, 0, sizeof(newkey));
+
+	    status = kadm_mod(&old, &new);
+	    if (status == KADM_SUCCESS) {
+		printf("Key changed for %s.\n", argv[1]);
+	    } else {
+		printf("kadmin: %s\nwhile changing key for %s",
+		       error_message(status), argv[1]);
+	    }
+	} else
+	    printf("Error reading key; key unchanged\n");
+	memset(&new, 0, sizeof(new));
+	if (!multiple)
+	    clean_up();
+    }
+    else 
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (old.name, old.instance, krbrlm));
+    return;
+}
+
+static void 
+change_admin_password(int argc, char **argv)
+{
+    des_cblock newkey;
+    int status;
+    char pword[MAX_KPW_LEN];
+    char *pw_msg;
+
+    if (argc != 1) {
+	printf("Usage: change_admin_password\n");
+	return;
+    }
+    if (get_pw_new_pwd(pword, sizeof(pword), &pr, 1) == 0) {
+	 des_string_to_key(pword, &newkey);
+	 status = kadm_change_pw_plain(newkey, pword, &pw_msg);
+	 if(status == KADM_INSECURE_PW)
+	      printf("Insecure password: %s\n", pw_msg);
+	 else if (status == KADM_SUCCESS)
+	      printf("Admin password changed\n");
+	 else
+	      printf("kadm error: %s\n",error_message(status));
+	 memset(newkey, 0, sizeof(newkey));
+	 memset(pword, 0, sizeof(pword));
+    }
+    if (!multiple)
+	clean_up();
+    return;
+}
+
+static void 
+add_new_key(int argc, char **argv)
+{
+    Kadm_vals new;
+    char pw_prompt[BUFSIZ];
+    int status;
+
+    if (argc != 2) {
+	printf("Usage: add_new_key user_name.\n");
+	return;
+    }
+    if (setvals(&new, argv[1]) != KADM_SUCCESS)
+	return;
+
+    SET_FIELD(KADM_EXPDATE,new.fields);
+    SET_FIELD(KADM_ATTR,new.fields);
+    SET_FIELD(KADM_MAXLIFE,new.fields);
+    SET_FIELD(KADM_DESKEY,new.fields);
+
+    if (princ_exists(new.name, new.instance, krbrlm) != PE_YES) {
+	Kadm_vals vals;
+	u_char fields[4];
+	char n[ANAME_SZ + INST_SZ + 1];
+
+	/* get the admin's password */
+	if (get_admin_password() != GOOD_PW)
+	    return;
+	
+	memset(fields, 0, sizeof(fields));
+	SET_FIELD(KADM_NAME,fields);
+	SET_FIELD(KADM_INST,fields);
+	SET_FIELD(KADM_EXPDATE,fields);
+	SET_FIELD(KADM_ATTR,fields);
+	SET_FIELD(KADM_MAXLIFE,fields);
+	snprintf (n, sizeof(n), "default.%s", new.instance);
+	if (setvals(&vals, n) != KADM_SUCCESS)
+	    return;
+
+	if (kadm_get(&vals, fields) != KADM_SUCCESS) {
+	    if (setvals(&vals, "default") != KADM_SUCCESS)
+		return;
+	    if ((status = kadm_get(&vals, fields)) != KADM_SUCCESS) {
+		printf ("kadm error: %s\n", error_message(status));
+		return;
+	    }
+	}
+
+	if (vals.max_life == 255) /* Defaults not set! */ {
+	      /* This is the default maximum lifetime for new principals. */
+	      if (strcmp(new.instance, "admin") == 0)
+		vals.max_life = 1 + (CLOCK_SKEW/(5*60)); /* 5+5 minutes */
+	      else if (strcmp(new.instance, "root") == 0)
+		vals.max_life = 96;    /* 8 hours */
+	      else if (krb_life_to_time(0, 162) >= 24*60*60)
+		vals.max_life = 162;     /* ca 100 hours */
+	      else
+		vals.max_life = 255;     /* ca 21 hours (maximum) */
+
+	      /* Also fix expiration date. */
+	      if (strcmp(new.name, "rcmd") == 0)
+		vals.exp_date = 1104814999; /* Tue Jan 4 06:03:19 2005 */
+	      else
+		vals.exp_date = time(0) + 2*(365*24*60*60); /* + ca 2 years */
+	}
+
+	new.max_life = vals.max_life;
+	new.exp_date = vals.exp_date;
+	new.attributes = vals.attributes;
+	get_maxlife(&new);
+	get_attr(&new);
+	get_expdate(&new);
+
+	/* get the new password */
+	snprintf(pw_prompt, sizeof(pw_prompt), "Password for %s:", argv[1]);
+	
+	if (get_password(&new.key_low, &new.key_high,
+			 pw_prompt, SWAP) == GOOD_PW) {
+	    status = kadm_add(&new);
+	    if (status == KADM_SUCCESS) {
+		printf("%s added to database.\n", argv[1]);
+	    } else {
+		printf("kadm error: %s\n",error_message(status));
+	    }
+	} else
+	    printf("Error reading password; %s not added\n",argv[1]);
+	memset(&new, 0, sizeof(new));
+	if (!multiple)
+	    clean_up();
+    }
+    else
+	printf("kadmin: Principal already exists.\n");
+    return;
+}
+
+static void 
+del_entry(int argc, char **argv)
+{
+    int status;
+    Kadm_vals vals;
+
+    if (argc != 2) {
+	printf("Usage: del_entry username\n");
+	return;
+    }
+
+    if (setvals(&vals, argv[1]) != KADM_SUCCESS)
+	return;
+
+    if (princ_exists(vals.name, vals.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+	if (get_admin_password() != GOOD_PW)
+	    return;
+	
+	if ((status = kadm_del(&vals)) == KADM_SUCCESS){
+	    printf("%s removed from database.\n", argv[1]);
+	} else {
+	    printf("kadm error: %s\n",error_message(status));
+	}
+	
+	if (!multiple)
+	    clean_up();
+    }
+    else
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (vals.name, vals.instance, krbrlm));
+    return;
+}
+
+static void 
+get_entry(int argc, char **argv)
+{
+    int status;
+    u_char fields[4];
+    Kadm_vals vals;
+
+    if (argc != 2) {
+	printf("Usage: get_entry username\n");
+	return;
+    }
+
+    memset(fields, 0, sizeof(fields));
+
+    SET_FIELD(KADM_NAME,fields);
+    SET_FIELD(KADM_INST,fields);
+    SET_FIELD(KADM_EXPDATE,fields);
+    SET_FIELD(KADM_ATTR,fields);
+    SET_FIELD(KADM_MAXLIFE,fields);
+#if 0
+    SET_FIELD(KADM_DESKEY,fields); 
+#endif
+
+    if (setvals(&vals, argv[1]) != KADM_SUCCESS)
+	return;
+
+
+    if (princ_exists(vals.name, vals.instance, krbrlm) != PE_NO) {
+	/* get the admin's password */
+	if (get_admin_password() != GOOD_PW)
+	    return;
+	
+	if ((status = kadm_get(&vals, fields)) == KADM_SUCCESS)
+	    prin_vals(&vals);
+	else
+	    printf("kadm error: %s\n",error_message(status));
+	
+	if (!multiple)
+	    clean_up();
+    }
+    else
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (vals.name, vals.instance, krbrlm));
+    return;
+}
+
+static void 
+mod_entry(int argc, char **argv)
+{
+    int status;
+    u_char fields[4];
+    Kadm_vals ovals, nvals;
+
+    if (argc != 2) {
+	printf("Usage: mod_entry username\n");
+	return;
+    }
+
+    memset(fields, 0, sizeof(fields));
+
+    SET_FIELD(KADM_NAME,fields);
+    SET_FIELD(KADM_INST,fields);
+    SET_FIELD(KADM_EXPDATE,fields);
+    SET_FIELD(KADM_ATTR,fields);
+    SET_FIELD(KADM_MAXLIFE,fields);
+
+    if (setvals(&ovals, argv[1]) != KADM_SUCCESS)
+	return;
+
+    nvals = ovals;
+
+    if (princ_exists(ovals.name, ovals.instance, krbrlm) == PE_NO) {
+	printf("kadmin: Principal %s does not exist.\n",
+	       krb_unparse_name_long (ovals.name, ovals.instance, krbrlm));
+	return;
+    }
+
+    /* get the admin's password */
+    if (get_admin_password() != GOOD_PW)
+	return;
+	
+    if ((status = kadm_get(&ovals, fields)) != KADM_SUCCESS) {
+	printf("[ unable to retrieve current settings: %s ]\n",
+	    error_message(status));
+	nvals.max_life = DEFAULT_TKT_LIFE;
+	nvals.exp_date = 0;
+	nvals.attributes = 0;
+    } else {
+	nvals.max_life = ovals.max_life;
+	nvals.exp_date = ovals.exp_date;
+	nvals.attributes = ovals.attributes;
+    }
+
+    get_maxlife(&nvals);
+    get_attr(&nvals);
+    get_expdate(&nvals);
+    
+    if (IS_FIELD(KADM_MAXLIFE, nvals.fields) ||
+	IS_FIELD(KADM_ATTR, nvals.fields) ||
+	IS_FIELD(KADM_EXPDATE, nvals.fields)) {
+	if ((status = kadm_mod(&ovals, &nvals)) != KADM_SUCCESS) {
+	    printf("kadm error: %s\n",error_message(status));
+	    goto out;
+	}
+	if ((status = kadm_get(&ovals, fields)) != KADM_SUCCESS) {
+	    printf("kadm error: %s\n",error_message(status));
+	    goto out;
+	}
+    }
+    prin_vals(&ovals);
+
+out:
+    if (!multiple)
+	clean_up();
+    return;
+}
+
+static void
+help(int argc, char **argv)
+{
+    sl_help (cmds, argc, argv);
+}