Diffstat (limited to 'crypto/heimdal/kadmin')
29 files changed, 3239 insertions, 1221 deletions
diff --git a/crypto/heimdal/kadmin/ChangeLog b/crypto/heimdal/kadmin/ChangeLog index 8bfbeed..ef1d458 100644 --- a/crypto/heimdal/kadmin/ChangeLog +++ b/crypto/heimdal/kadmin/ChangeLog 
@@ -1,9 +1,399 @@ +2007-12-09 Love Hörnquist Åstrand <lha@it.su.se> + + * kadmin.c: Use hdb_db_dir(). + + * kadmind.c: Use hdb_db_dir(). + +2007-07-26 Love Hörnquist Åstrand <lha@it.su.se> + + * util.c: Clear error string, just to be sure. + +2007-05-10 Love Hörnquist Åstrand <lha@it.su.se> + + * kadmin-commands.in: modify --pkinit-acl + + * mod.c: add pk-init command + +2007-02-22 Love Hörnquist Åstrand <lha@it.su.se> + + * kadmin.8: document kadmin add_enctype functionallity. + + * Makefile.am: Add new command, add_enctype. + + * kadmin-commands.in: Add new command, add_enctype. + + * add_enctype.c: Add support for adding a random key enctype to a + principal. + +2007-02-17 Love Hörnquist Åstrand <lha@it.su.se> + + * mod.c: add setting and displaying aliases + + * get.c: add setting and displaying aliases + + * kadmin-commands.in: add setting and displaying aliases + +2006-12-22 Love Hörnquist Åstrand <lha@it.su.se> + + * util.c: Make str2time_t parser more robust. + + * Makefile.am: Add test_util test program. + + * test_util.c: Test str2time_t parser. + +2006-12-05 Love Hörnquist Åstrand <lha@it.su.se> + + * add-random-users.c: Use strcspn to remove \n from fgets + result. Prompted by change by Ray Lai of OpenBSD via Björn + Sandell. + +2006-10-22 Love Hörnquist Åstrand <lha@it.su.se> + + * mod.c: Try to not leak memory. + + * check.c: Try to not leak memory. + +2006-10-07 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: split build files into dist_ and noinst_ SOURCES + +2006-08-28 Love Hörnquist Åstrand <lha@it.su.se> + + * kadmin.c (help): use sl_slc_help(). + +2006-08-24 Love Hörnquist Åstrand <lha@it.su.se> + + * util.c: Add KRB5_KDB_ALLOW_DIGEST + +2006-07-14 Love Hörnquist Åstrand <lha@it.su.se> + + * get.c (format_field): optionally print issuer and anchor. + +2006-06-21 Love Hörnquist Åstrand <lha@it.su.se> + + * check.c: Check if afs@REALM and afs/cellname@REALM both exists. 
+ +2006-06-14 Love Hörnquist Åstrand <lha@it.su.se> + + * util.c (kdb_attrs): Add KRB5_KDB_ALLOW_KERBEROS4 + +2006-06-07 Love Hörnquist Åstrand <lha@it.su.se> + + * mod.c (do_mod_entry): Add setting 1 delegation entry + +2006-06-01 Love Hörnquist Åstrand <lha@it.su.se> + + * server.c: Less shadowing. + +2006-05-13 Love Hörnquist Åstrand <lha@it.su.se> + + * Makefile.am: kadmin_SOURCES += add check.c + + * kadmin_locl.h: Avoid shadowing. + + * kadmin.8: Document the new check command. + + * kadmin-commands.in: Add check command + + * check.c: Check database for strange configurations on default + principals. + +2006-05-08 Love Hörnquist Åstrand <lha@it.su.se> + + * server.c (kadm_get_privs): one less "pointer targets in passing + argument differ in signedness" warning. + +2006-05-05 Love Hörnquist Åstrand <lha@it.su.se> + + * dump-format.txt: Moved to info documentation. + + * Rename u_intXX_t to uintXX_t + +2006-05-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kadmin.8: spelling, update .Dd + +2006-04-12 Love Hörnquist Åstrand <lha@it.su.se> + + * add-random-users.c: Catch empty file case. From Tobias + Stoeckmann. + +2006-04-07 Love Hörnquist Åstrand <lha@it.su.se> + + * random_password.c (generate_password): memory leak in error + condition case From Coverity NetBSD CID#1887 + +2006-02-19 Love Hörnquist Åstrand <lha@it.su.se> + + * cpw.c (cpw_entry): make sure ret have a defined value + + * del.c (del_entry): make sure ret have a defined value + + * mod.c: Return error code so that toplevel function can catch + them. + +2006-01-25 Love Hörnquist Åstrand <lha@it.su.se> + + * cpw.c (cpw_entry): return 1 on failure. + + * rename.c (rename_entry): return 1 on failure. + + * del.c (del_entry): return 1 on failure. + + * ank.c (add_new_key): return 1 on failure. + + * get.c: Add printing of pkinit-acls. Don't print password by + default. Return 1 on failure processing any of the principals. 
+ + * util.c (foreach_principal): If any of calls to `func' failes, + the first error is returned when all principals are processed. + +2005-12-01 Love Hörnquist Åstrand <lha@it.su.se> + + * kadmin-commands.in: Add ank as an alias to add, it lost in + transition to slc, from Måns Nilsson. + +2005-09-14 Love Hörquist Åstrand <lha@it.su.se> + + * dump-format.txt: Add extensions, fill in missing fields. + +2005-09-08 Love Hörquist Åstrand <lha@it.su.se> + + * init.c (create_random_entry): create principal with random + password even though its disabled. From Andrew Bartlet + <abartlet@samba.org> + +2005-09-01 Love Hörquist Åstrand <lha@it.su.se> + + * kadm_conn.c: Use socket_set_reuseaddr and socket_set_ipv6only. + +2005-08-11 Love Hörquist Åstrand <lha@it.su.se> + + * get.c: Remove structure that is never used (sneaked in the large + TL_DATA patch). + + * kadmin-commands.in: Rename password-quality to + verify-password-quality. + + * get.c: Indent. + + * server.c: Avoid shadowing exp(). + + * load.c: Parse extensions. + + * kadmin_locl.h: Include <hex.h>. + + * get.c: Extend struct field_name to have a subvalue and a + extra_mask. Use that to implement printing of KADM5_TL_DATA + options and fix a dependency bug (keys needed principal to print + the salting). + +2005-07-08 Love Hörquist Åstrand <lha@it.su.se> + + * lower amount of shadow and const warnings + +2005-06-07 David Love <fx@gnu.org> + + * dump-format.txt: Clarify, spelling and add examples. + +2005-05-30 Love Hörquist Åstrand <lha@it.su.se> + + * util.c (kdb_attrs): add ok-as-delegate + + * get.c (getit): init data.mask to 0. Problem found by Andrew + Bartlett <abartlet@samba.org> + +2005-05-09 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.c (main): catch -2 as EOF + +2005-05-03 Dave Love <d.love@dl.ac.uk> + + * init.c (init): Don't disable forwardable for kadmin/changepw. + +2005-05-02 Dave Love <d.love@dl.ac.uk> + + * kadmin.c (help): Don't use non-constant initializer for `fake'. 
+ +2005-04-20 Love Hörquist Åstrand <lha@it.su.se> + + * util.c (foreach_principal): initialize ret to make sure it have + a value + +2005-04-04 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.c: add verifier libraries with + kadm5_add_passwd_quality_verifier + + * kadmin.c: add verifier libraries with + kadm5_add_passwd_quality_verifier + + * load.c: max-life and max-renew is of unsigned int in asn1 + compiler, use that for the parser too + +2005-03-26 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.8: List of attributes, from James F. Hranicky + <jfh@cise.ufl.edu> + +2005-01-19 Love Hörquist Åstrand <lha@it.su.se> + + * dump.c (dump): handle errors + +2005-01-08 Love Hörquist Åstrand <lha@it.su.se> + + * dump-format.txt: text dump format + +2004-12-08 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.8: use keeps around options, from OpenBSD + + * kadmin.8: use keeps around options, "improve" spelling, from + openbsd + +2004-11-01 Love Hörquist Åstrand <lha@it.su.se> + + * get.c (getit): always free columns + + * ank.c (add_one_principal): catch error from + UI_UTIL_read_pw_string + +2004-10-31 Love Hörquist Åstrand <lha@it.su.se> + + * del_enctype.c (del_enctype): fix off-by-one error in del_enctype + 
From: <ragge@ludd.luth.se> + +2004-08-13 Love Hörquist Åstrand <lha@it.su.se> + + * get.c: print keytypes on long format + +2004-07-06 Love Hörquist Åstrand <lha@it.su.se> + + * get.c (format_field): allow mod_name to be optional + + * ext.c (do_ext_keytab): if there isn't any keydata, try using + kadm5_randkey_principal + +2004-07-02 Love Hörquist Åstrand <lha@it.su.se> + + * load.c: make merge/load work again + + * del.c: fix usage string + + * ank.c: fix slc lossage + +2004-06-28 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.c: use kadm5_ad_init_with_password_ctx + +2004-06-27 Johan Danielsson <joda@pdc.kth.se> + + * kadmin.8: document get -o and stash + + * get.c: implement output column selection, similar to ps -o + + * kadmin-commands.in: make get -l the default again, and add + column selection flag; sync list with get + +2004-06-24 Johan Danielsson <joda@pdc.kth.se> + + * kadmin-commands.in: mod needs default kvno of -1 + +2004-06-21 Johan Danielsson <joda@pdc.kth.se> + + * kadmin: convert to use slc; also add stash subcommand + +2004-06-15 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.c (main): keytab mode requires principal name + +2004-06-12 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.c: drop keyfile, not used, found by + Elrond <elrond@samba-tng.org> + + * kadmin.c: if keyfile is set, pass in to libkadm5 bug pointed out + by Elrond <elrond@samba-tng.org> + +2004-05-31 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.c: add --ad flag, XXX rewrite the init kadm5 interface + +2004-05-13 Johan Danielsson <joda@pdc.kth.se> + + * nuke kerberos 4 kadmin goo + +2004-05-07 Johan Danielsson <joda@pdc.kth.se> + + * util.c (str2time_t): fix end-of-day logic, from Duncan + McEwan/Mark Davies. 
+ 2004-04-29 Love Hörquist Åstrand <lha@it.su.se> - * version4.c: 1.30: (handle_v4): make sure length is longer then - 2, Pointed out by Evgeny Demidov <demidov@gleg.net> + * version4.c (handle_v4): make sure length is longer then 2, + Pointed out by Evgeny Demidov <demidov@gleg.net> + + * kadmind.c: make kerberos4 support default turned off + +2004-03-24 Johan Danielsson <joda@pdc.kth.se> + + * kadmin.8: update manpage + + * mod.c: allow wildcarding principals, and make parameters a work + same as if prompted + +2004-03-08 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.8: document password-quality + + * kadmin_locl.h: add prototype for password_quality + + * kadmin.c: add password-quality/pwq command + + * Makefile.am: kadmin_SOURCES += pw_quality.c + + * pw_quality.c: test run the password quality function + +2004-03-07 Love Hörquist Åstrand <lha@it.su.se> + + * ank.c (add_one_principal): even though the principal is disabled + (creation of random key/keydata), create it with a random password - * kadmind.c: 1.31: make kerberos4 support default turned off +2003-12-07 Love Hörquist Åstrand <lha@it.su.se> + + * init.c (create_random_entry): print error message on failure + + * ank.c (add_one_principal): pass right argument to + kadm5_free_principal_ent From Panasas, Inc + +2003-11-18 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.c (main): move opening the logfile to after reading + kdc.conf move the loading of hdb keytab ops closer to where its + used From: Jeffrey Hutzelman <jhutz@cmu.edu> + +2003-10-04 Love Hörquist Åstrand <lha@it.su.se> + + * util.c (str2time_t): allow whitespace between date and time + 
From: Bob Beck <beck@cvs.openbsd.org> and adharw@yahoo.com + +2003-09-03 Love Hörquist Åstrand <lha@it.su.se> + + * ank.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + + * cpw.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ + +2003-08-21 Love Hörquist Åstrand <lha@it.su.se> + + * get.c (print_entry_terse): handle error when unparsing name + +2003-08-18 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.c (main): use krb5_prepend_config_files_default, now all + options in kdc.conf is parsed, not just [kdc]key-file= + + * kadmin.c (main): use krb5_prepend_config_files_default, now all + options in kdc.conf is parsed, not just [kdc]key-file= 2003-04-14 Love Hörquist Åstrand <lha@it.su.se> @@ -36,6 +426,25 @@ change it own password to a key, since that password might violate the password quality check. +2002-12-03 Johan Danielsson <joda@pdc.kth.se> + + * util.c (get_response): print a newline if interrupted + + * mod.c (mod_entry): check return value from edit_entry + + * ank.c (add_one_principal): check return value from edit_entry + + * ank.c (add_one_principal): don't continue if create_principal + fails + + * init.c: check return value from edit_deltat + + * init.c: add --help + +2002-10-29 Johan Danielsson <joda@pdc.kth.se> + + * version4.c: speling (from Tomas Olsson) + 2002-10-23 Assar Westerlund <assar@kth.se> * version4.c (decode_packet): check the length of the version diff --git a/crypto/heimdal/kadmin/Makefile.am b/crypto/heimdal/kadmin/Makefile.am index 3e9e406..323439a 100644 --- a/crypto/heimdal/kadmin/Makefile.am +++ b/crypto/heimdal/kadmin/Makefile.am 
@@ -1,19 +1,23 @@ -# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $ +# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $ include $(top_srcdir)/Makefile.am.common -INCLUDES += $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 +AM_CPPFLAGS += $(INCLUDE_readline) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5 sbin_PROGRAMS = kadmin libexec_PROGRAMS = kadmind +SLC = $(top_builddir)/lib/sl/slc + man_MANS = kadmin.8 kadmind.8 noinst_PROGRAMS = add_random_users -kadmin_SOURCES = \ +dist_kadmin_SOURCES = \ ank.c \ + add_enctype.c \ + check.c \ cpw.c \ del.c \ del_enctype.c \ @@ -25,14 +29,22 @@ kadmin_SOURCES = \ load.c \ mod.c \ rename.c \ + stash.c \ util.c \ + pw_quality.c \ random_password.c \ kadmin_locl.h -if KRB4 -KRB4LIB = $(LIB_krb4) -version4_c = version4.c -endif +nodist_kadmin_SOURCES = \ + kadmin-commands.c \ + kadmin-commands.h + +$(kadmin_OBJECTS): kadmin-commands.h + +CLEANFILES = kadmin-commands.h kadmin-commands.c + +kadmin-commands.c kadmin-commands.h: kadmin-commands.in + $(SLC) $(srcdir)/kadmin-commands.in kadmind_SOURCES = \ kadmind.c \ @@ -41,20 +53,24 @@ kadmind_SOURCES = \ $(version4_c) \ kadm_conn.c -EXTRA_kadmind_SOURCES = version4.c - add_random_users_SOURCES = add-random-users.c +test_util_SOURCES = test_util.c util.c + +TESTS = test_util + +check_PROGRAMS = $(TESTS) + LDADD_common = \ $(top_builddir)/lib/hdb/libhdb.la \ $(LIB_openldap) \ $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) \ $(DBLIB) -kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \ +kadmind_LDADD = $(top_builddir)/lib/kadm5/libkadm5srv.la \ $(LDADD_common) \ $(LIB_pidfile) \ $(LIB_dlopen) @@ -72,3 +88,7 @@ add_random_users_LDADD = \ $(top_builddir)/lib/kadm5/libkadm5srv.la \ $(LDADD_common) \ $(LIB_dlopen) + +test_util_LDADD = $(kadmin_LDADD) + +EXTRA_DIST = $(man_MANS) kadmin-commands.in 
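Review bot: The `$(version4_c) \` entry that survives as context inside `kadmind_SOURCES` (third hunk, `@@ -41,20 +53,24 @@`) now names a variable nothing defines, because the second hunk deletes the `if KRB4` block that set `version4_c = version4.c` and the third hunk deletes `EXTRA_kadmind_SOURCES = version4.c`. Automake expands the undefined variable to nothing, so version4.c is silently dropped from the build and the distribution, which is presumably intended given the ChangeLog entries that turn Kerberos 4 support off, but the dangling reference reads as if the v4 handler were still conditionally compiled. Drop the line `	$(version4_c) \` from `kadmind_SOURCES` so the source list only names files that actually exist in this Makefile. It is also worth confirming that kadmind.c no longer refers to the version4.c entry points outside an `#ifdef KRB4`, since any remaining reference would now surface as a link error rather than a configure-time choice.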
diff --git a/crypto/heimdal/kadmin/Makefile.in b/crypto/heimdal/kadmin/Makefile.in index 19d7215..746cb48 100644 --- a/crypto/heimdal/kadmin/Makefile.in +++ b/crypto/heimdal/kadmin/Makefile.in @@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.8.3 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -14,23 +14,17 @@ @SET_MAKE@ -# $Id: Makefile.am,v 1.34 2001/08/28 08:31:26 assar Exp $ +# $Id: Makefile.am 20466 2007-04-20 08:29:05Z lha $ -# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ +# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $ -# $Id: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $ +# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $ -SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) - -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = .. am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c @@ -42,6 +36,7 @@ POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : +build_triplet = @build@ host_triplet = @host@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ $(top_srcdir)/Makefile.am.common \ 
@@ -49,19 +44,19 @@ DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ sbin_PROGRAMS = kadmin$(EXEEXT) libexec_PROGRAMS = kadmind$(EXEEXT) noinst_PROGRAMS = add_random_users$(EXEEXT) +TESTS = test_util$(EXEEXT) +check_PROGRAMS = $(am__EXEEXT_1) subdir = kadmin ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ - $(top_srcdir)/cf/auth-modules.m4 \ + $(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \ $(top_srcdir)/cf/broken-getaddrinfo.m4 \ - $(top_srcdir)/cf/broken-getnameinfo.m4 \ $(top_srcdir)/cf/broken-glob.m4 \ $(top_srcdir)/cf/broken-realloc.m4 \ $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ $(top_srcdir)/cf/capabilities.m4 \ $(top_srcdir)/cf/check-compile-et.m4 \ - $(top_srcdir)/cf/check-declaration.m4 \ $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ $(top_srcdir)/cf/check-man.m4 \ $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ @@ -74,6 +69,7 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ $(top_srcdir)/cf/find-func-no-libs2.m4 \ $(top_srcdir)/cf/find-func.m4 \ $(top_srcdir)/cf/find-if-not-broken.m4 \ + $(top_srcdir)/cf/framework-security.m4 \ $(top_srcdir)/cf/have-struct-field.m4 \ $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ $(top_srcdir)/cf/krb-bigendian.m4 \ 
@@ -82,19 +78,25 @@ am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ $(top_srcdir)/cf/krb-readline.m4 \ $(top_srcdir)/cf/krb-struct-spwd.m4 \ $(top_srcdir)/cf/krb-struct-winsize.m4 \ - $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \ - $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \ - $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \ - $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \ - $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \ - $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \ - $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in + $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \ + $(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \ + $(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \ + $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \ + $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \ + $(top_srcdir)/cf/roken-frag.m4 \ + $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \ + $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \ + $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \ + $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \ + $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/include/config.h CONFIG_CLEAN_FILES = -am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" +am__EXEEXT_1 = test_util$(EXEEXT) +am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man8dir)" libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(libexec_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS) 
@@ -109,54 +111,55 @@ add_random_users_DEPENDENCIES = \ $(top_builddir)/lib/kadm5/libkadm5clnt.la \ $(top_builddir)/lib/kadm5/libkadm5srv.la $(am__DEPENDENCIES_2) \ $(am__DEPENDENCIES_1) -am_kadmin_OBJECTS = ank.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \ +dist_kadmin_OBJECTS = ank.$(OBJEXT) add_enctype.$(OBJEXT) \ + check.$(OBJEXT) cpw.$(OBJEXT) del.$(OBJEXT) \ del_enctype.$(OBJEXT) dump.$(OBJEXT) ext.$(OBJEXT) \ get.$(OBJEXT) init.$(OBJEXT) kadmin.$(OBJEXT) load.$(OBJEXT) \ - mod.$(OBJEXT) rename.$(OBJEXT) util.$(OBJEXT) \ - random_password.$(OBJEXT) -kadmin_OBJECTS = $(am_kadmin_OBJECTS) + mod.$(OBJEXT) rename.$(OBJEXT) stash.$(OBJEXT) util.$(OBJEXT) \ + pw_quality.$(OBJEXT) random_password.$(OBJEXT) +nodist_kadmin_OBJECTS = kadmin-commands.$(OBJEXT) +kadmin_OBJECTS = $(dist_kadmin_OBJECTS) $(nodist_kadmin_OBJECTS) kadmin_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5clnt.la \ $(top_builddir)/lib/kadm5/libkadm5srv.la \ $(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) -am__kadmind_SOURCES_DIST = kadmind.c server.c kadmin_locl.h version4.c \ - kadm_conn.c -@KRB4_TRUE@am__objects_1 = version4.$(OBJEXT) am_kadmind_OBJECTS = kadmind.$(OBJEXT) server.$(OBJEXT) \ - $(am__objects_1) kadm_conn.$(OBJEXT) + kadm_conn.$(OBJEXT) kadmind_OBJECTS = $(am_kadmind_OBJECTS) -@KRB4_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1) -kadmind_DEPENDENCIES = $(am__DEPENDENCIES_3) \ - $(top_builddir)/lib/kadm5/libkadm5srv.la $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. 
-I$(srcdir) -I$(top_builddir)/include +kadmind_DEPENDENCIES = $(top_builddir)/lib/kadm5/libkadm5srv.la \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) +am_test_util_OBJECTS = test_util.$(OBJEXT) util.$(OBJEXT) +test_util_OBJECTS = $(am_test_util_OBJECTS) +am__DEPENDENCIES_3 = $(top_builddir)/lib/kadm5/libkadm5clnt.la \ + $(top_builddir)/lib/kadm5/libkadm5srv.la \ + $(top_builddir)/lib/sl/libsl.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) +test_util_DEPENDENCIES = $(am__DEPENDENCIES_3) +DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@ depcomp = am__depfiles_maybe = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \ - $(kadmind_SOURCES) $(EXTRA_kadmind_SOURCES) -DIST_SOURCES = $(add_random_users_SOURCES) $(kadmin_SOURCES) \ - $(am__kadmind_SOURCES_DIST) $(EXTRA_kadmind_SOURCES) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(add_random_users_SOURCES) $(dist_kadmin_SOURCES) \ + $(nodist_kadmin_SOURCES) $(kadmind_SOURCES) \ + $(test_util_SOURCES) +DIST_SOURCES = $(add_random_users_SOURCES) $(dist_kadmin_SOURCES) \ + $(kadmind_SOURCES) $(test_util_SOURCES) man8dir = $(mandir)/man8 MANS = $(man_MANS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ -AIX4_FALSE = @AIX4_FALSE@ -AIX4_TRUE = 
@AIX4_TRUE@ -AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@ -AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@ AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ -AIX_FALSE = @AIX_FALSE@ -AIX_TRUE = @AIX_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ @@ -166,8 +169,6 @@ AWK = @AWK@ CANONICAL_HOST = @CANONICAL_HOST@ CATMAN = @CATMAN@ CATMANEXT = @CATMANEXT@ -CATMAN_FALSE = @CATMAN_FALSE@ -CATMAN_TRUE = @CATMAN_TRUE@ CC = @CC@ CFLAGS = @CFLAGS@ COMPILE_ET = @COMPILE_ET@ @@ -178,11 +179,10 @@ CXXCPP = @CXXCPP@ CXXFLAGS = @CXXFLAGS@ CYGPATH_W = @CYGPATH_W@ DBLIB = @DBLIB@ -DCE_FALSE = @DCE_FALSE@ -DCE_TRUE = @DCE_TRUE@ DEFS = @DEFS@ DIR_com_err = @DIR_com_err@ -DIR_des = @DIR_des@ +DIR_hcrypto = @DIR_hcrypto@ +DIR_hdbdir = @DIR_hdbdir@ DIR_roken = @DIR_roken@ ECHO = @ECHO@ ECHO_C = @ECHO_C@ 
@@ -190,42 +190,27 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ -EXTRA_LIB45 = @EXTRA_LIB45@ F77 = @F77@ FFLAGS = @FFLAGS@ +GREP = @GREP@ GROFF = @GROFF@ -HAVE_DB1_FALSE = @HAVE_DB1_FALSE@ -HAVE_DB1_TRUE = @HAVE_DB1_TRUE@ -HAVE_DB3_FALSE = @HAVE_DB3_FALSE@ -HAVE_DB3_TRUE = @HAVE_DB3_TRUE@ -HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@ -HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@ -HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@ -HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@ -HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@ -HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@ -HAVE_X_FALSE = @HAVE_X_FALSE@ -HAVE_X_TRUE = @HAVE_X_TRUE@ INCLUDES_roken = @INCLUDES_roken@ -INCLUDE_des = @INCLUDE_des@ +INCLUDE_hcrypto = @INCLUDE_hcrypto@ INCLUDE_hesiod = @INCLUDE_hesiod@ INCLUDE_krb4 = @INCLUDE_krb4@ INCLUDE_openldap = @INCLUDE_openldap@ INCLUDE_readline = @INCLUDE_readline@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -IRIX_FALSE = @IRIX_FALSE@ -IRIX_TRUE = @IRIX_TRUE@ -KRB4_FALSE = @KRB4_FALSE@ -KRB4_TRUE = @KRB4_TRUE@ -KRB5_FALSE = @KRB5_FALSE@ -KRB5_TRUE = @KRB5_TRUE@ LDFLAGS = @LDFLAGS@ +LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@ LEX = @LEX@ LEXLIB = @LEXLIB@ LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBADD_roken = @LIBADD_roken@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ @@ -243,12 +228,9 @@ LIB_crypt = @LIB_crypt@ LIB_db_create = @LIB_db_create@ LIB_dbm_firstkey = @LIB_dbm_firstkey@ LIB_dbopen = @LIB_dbopen@ -LIB_des = @LIB_des@ -LIB_des_a = @LIB_des_a@ -LIB_des_appl = @LIB_des_appl@ -LIB_des_so = @LIB_des_so@ LIB_dlopen = @LIB_dlopen@ LIB_dn_expand = @LIB_dn_expand@ +LIB_door_create = @LIB_door_create@ LIB_el_init = @LIB_el_init@ LIB_freeaddrinfo = @LIB_freeaddrinfo@ LIB_gai_strerror = @LIB_gai_strerror@ 
@@ -258,15 +240,14 @@ LIB_gethostbyname2 = @LIB_gethostbyname2@ LIB_getnameinfo = @LIB_getnameinfo@ LIB_getpwnam_r = @LIB_getpwnam_r@ LIB_getsockopt = @LIB_getsockopt@ +LIB_hcrypto = @LIB_hcrypto@ +LIB_hcrypto_a = @LIB_hcrypto_a@ +LIB_hcrypto_appl = @LIB_hcrypto_appl@ +LIB_hcrypto_so = @LIB_hcrypto_so@ LIB_hesiod = @LIB_hesiod@ LIB_hstrerror = @LIB_hstrerror@ LIB_kdb = @LIB_kdb@ LIB_krb4 = @LIB_krb4@ -LIB_krb_disable_debug = @LIB_krb_disable_debug@ -LIB_krb_enable_debug = @LIB_krb_enable_debug@ -LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@ -LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@ -LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@ LIB_loadquery = @LIB_loadquery@ LIB_logout = @LIB_logout@ LIB_logwtmp = @LIB_logwtmp@ @@ -275,6 +256,7 @@ LIB_openpty = @LIB_openpty@ LIB_otp = @LIB_otp@ LIB_pidfile = @LIB_pidfile@ LIB_readline = @LIB_readline@ +LIB_res_ndestroy = @LIB_res_ndestroy@ LIB_res_nsearch = @LIB_res_nsearch@ LIB_res_search = @LIB_res_search@ LIB_roken = @LIB_roken@ @@ -286,15 +268,10 @@ LIB_tgetent = @LIB_tgetent@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAINT = @MAINT@ -MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ -MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ MAKEINFO = @MAKEINFO@ -NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ -NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ +MKDIR_P = @MKDIR_P@ NROFF = @NROFF@ OBJEXT = @OBJEXT@ -OTP_FALSE = @OTP_FALSE@ -OTP_TRUE = @OTP_TRUE@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ 
@@ -302,74 +279,80 @@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PTHREADS_CFLAGS = @PTHREADS_CFLAGS@ +PTHREADS_LIBS = @PTHREADS_LIBS@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +VERSIONING = @VERSIONING@ VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ WFLAGS = @WFLAGS@ WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ +XMKMF = @XMKMF@ X_CFLAGS = @X_CFLAGS@ X_EXTRA_LIBS = @X_EXTRA_LIBS@ X_LIBS = @X_LIBS@ X_PRE_LIBS = @X_PRE_LIBS@ YACC = @YACC@ -ac_ct_AR = @ac_ct_AR@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_CXX = @ac_ct_CXX@ ac_ct_F77 = @ac_ct_F77@ -ac_ct_RANLIB = @ac_ct_RANLIB@ -ac_ct_STRIP = @ac_ct_STRIP@ am__leading_dot = @am__leading_dot@ +am__tar = @am__tar@ +am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ datadir = @datadir@ -do_roken_rename_FALSE = @do_roken_rename_FALSE@ -do_roken_rename_TRUE = @do_roken_rename_TRUE@ +datarootdir = @datarootdir@ +docdir = @docdir@ dpagaix_cflags = @dpagaix_cflags@ dpagaix_ldadd = @dpagaix_ldadd@ dpagaix_ldflags = @dpagaix_ldflags@ -el_compat_FALSE = @el_compat_FALSE@ -el_compat_TRUE = @el_compat_TRUE@ +dvidir = @dvidir@ exec_prefix = @exec_prefix@ -have_err_h_FALSE = @have_err_h_FALSE@ -have_err_h_TRUE = @have_err_h_TRUE@ -have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@ -have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@ -have_glob_h_FALSE = @have_glob_h_FALSE@ -have_glob_h_TRUE = @have_glob_h_TRUE@ -have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@ -have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@ -have_vis_h_FALSE = @have_vis_h_FALSE@ -have_vis_h_TRUE = @have_vis_h_TRUE@ host = @host@ host_alias = 
@host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ +htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ +localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ +psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ -SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 -INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_readline) $(INCLUDE_krb4) $(INCLUDE_des) -I$(srcdir)/../lib/krb5 +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 +AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) \ + $(INCLUDE_readline) $(INCLUDE_hcrypto) -I$(srcdir)/../lib/krb5 @do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME AM_CFLAGS = $(WFLAGS) CP = cp @@ -386,10 +369,14 @@ LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) @KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la @KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la +@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la @DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la +SLC = $(top_builddir)/lib/sl/slc man_MANS = kadmin.8 kadmind.8 -kadmin_SOURCES = \ +dist_kadmin_SOURCES = \ ank.c \ + add_enctype.c \ + check.c \ cpw.c \ del.c \ del_enctype.c \ @@ -401,12 +388,17 @@ kadmin_SOURCES = \ load.c \ mod.c \ rename.c \ + stash.c \ util.c \ + pw_quality.c \ random_password.c \ kadmin_locl.h -@KRB4_TRUE@KRB4LIB = $(LIB_krb4) -@KRB4_TRUE@version4_c = version4.c +nodist_kadmin_SOURCES = \ + kadmin-commands.c \ + kadmin-commands.h + +CLEANFILES = kadmin-commands.h kadmin-commands.c kadmind_SOURCES = \ kadmind.c \ server.c \ 
@@ -414,18 +406,18 @@ kadmind_SOURCES = \ $(version4_c) \ kadm_conn.c -EXTRA_kadmind_SOURCES = version4.c add_random_users_SOURCES = add-random-users.c +test_util_SOURCES = test_util.c util.c LDADD_common = \ $(top_builddir)/lib/hdb/libhdb.la \ $(LIB_openldap) \ $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_des) \ + $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(LIB_roken) \ $(DBLIB) -kadmind_LDADD = $(KRB4LIB) $(top_builddir)/lib/kadm5/libkadm5srv.la \ +kadmind_LDADD = $(top_builddir)/lib/kadm5/libkadm5srv.la \ $(LDADD_common) \ $(LIB_pidfile) \ $(LIB_dlopen) @@ -444,10 +436,12 @@ add_random_users_LDADD = \ $(LDADD_common) \ $(LIB_dlopen) +test_util_LDADD = $(kadmin_LDADD) +EXTRA_DIST = $(man_MANS) kadmin-commands.in all: all-am .SUFFIXES: -.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj +.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ @@ -477,9 +471,16 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done install-libexecPROGRAMS: $(libexec_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(libexecdir)" || $(mkdir_p) "$(DESTDIR)$(libexecdir)" + test -z "$(libexecdir)" || $(MKDIR_P) "$(DESTDIR)$(libexecdir)" @list='$(libexec_PROGRAMS)'; for p in $$list; do \ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ if test -f $$p \ 
@@ -514,7 +515,7 @@ clean-noinstPROGRAMS: done install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)" + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" @list='$(sbin_PROGRAMS)'; for p in $$list; do \ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ if test -f $$p \ @@ -542,13 +543,16 @@ clean-sbinPROGRAMS: done add_random_users$(EXEEXT): $(add_random_users_OBJECTS) $(add_random_users_DEPENDENCIES) @rm -f add_random_users$(EXEEXT) - $(LINK) $(add_random_users_LDFLAGS) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS) + $(LINK) $(add_random_users_OBJECTS) $(add_random_users_LDADD) $(LIBS) kadmin$(EXEEXT): $(kadmin_OBJECTS) $(kadmin_DEPENDENCIES) @rm -f kadmin$(EXEEXT) - $(LINK) $(kadmin_LDFLAGS) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS) + $(LINK) $(kadmin_OBJECTS) $(kadmin_LDADD) $(LIBS) kadmind$(EXEEXT): $(kadmind_OBJECTS) $(kadmind_DEPENDENCIES) @rm -f kadmind$(EXEEXT) - $(LINK) $(kadmind_LDFLAGS) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS) + $(LINK) $(kadmind_OBJECTS) $(kadmind_LDADD) $(LIBS) +test_util$(EXEEXT): $(test_util_OBJECTS) $(test_util_DEPENDENCIES) + @rm -f test_util$(EXEEXT) + $(LINK) $(test_util_OBJECTS) $(test_util_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -570,13 +574,9 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: install-man8: $(man8_MANS) $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ for i in $$l2; do \ 
@@ -640,9 +640,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ done | \ $(AWK) ' { files[$$0] = 1; } \ END { for (i in files) print i; }'`; \ - test -z "$(ETAGS_ARGS)$$tags$$unique" \ - || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) 
@@ -666,24 +668,95 @@ GTAGS: distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -distdir: $(DISTFILES) - $(mkdir_p) $(distdir)/.. $(distdir)/../cf - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? 
-ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ else \ - dir=''; \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ 
if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ fi; \ @@ -698,12 +771,13 @@ distdir: $(DISTFILES) top_distdir="$(top_distdir)" distdir="$(distdir)" \ dist-hook check-am: all-am - $(MAKE) $(AM_MAKEFLAGS) check-local + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local check: check-am all-am: Makefile $(PROGRAMS) $(MANS) all-local installdirs: for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am @@ -722,22 +796,24 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: - -rm -f $(CONFIG_CLEAN_FILES) + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS clean-sbinPROGRAMS mostlyclean-am +clean-am: clean-checkPROGRAMS clean-generic clean-libexecPROGRAMS \ + clean-libtool clean-noinstPROGRAMS clean-sbinPROGRAMS \ + mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags + distclean-tags dvi: dvi-am 
@@ -753,14 +829,22 @@ install-data-am: install-man @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-am + install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-exec-hook +install-html: install-html-am + install-info: install-info-am install-man: install-man8 +install-pdf: install-pdf-am + +install-ps: install-ps-am + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -780,24 +864,31 @@ ps: ps-am ps-am: -uninstall-am: uninstall-info-am uninstall-libexecPROGRAMS \ - uninstall-man uninstall-sbinPROGRAMS +uninstall-am: uninstall-libexecPROGRAMS uninstall-man \ + uninstall-sbinPROGRAMS + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook uninstall-man: uninstall-man8 -.PHONY: CTAGS GTAGS all all-am all-local check check-am check-local \ - clean clean-generic clean-libexecPROGRAMS clean-libtool \ - clean-noinstPROGRAMS clean-sbinPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-libexecPROGRAMS install-man install-man8 \ - install-sbinPROGRAMS install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ +.MAKE: install-am install-data-am install-exec-am install-strip \ + uninstall-am + +.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ + check-local clean clean-checkPROGRAMS clean-generic \ + clean-libexecPROGRAMS clean-libtool clean-noinstPROGRAMS \ + clean-sbinPROGRAMS ctags dist-hook distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-data-hook install-dvi \ + install-dvi-am install-exec install-exec-am install-exec-hook \ + install-html install-html-am install-info install-info-am \ + install-libexecPROGRAMS install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile 
mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-hook \ uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \ uninstall-sbinPROGRAMS @@ -814,8 +905,8 @@ install-suid-programs: install-exec-hook: install-suid-programs -install-build-headers:: $(include_HEADERS) $(build_HEADERZ) - @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ +install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) + @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ for f in $$foo; do \ f=`basename $$f`; \ if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ @@ -825,19 +916,31 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ) echo " $(CP) $$file $(buildinclude)/$$f"; \ $(CP) $$file $(buildinclude)/$$f; \ fi ; \ + done ; \ + foo='$(nobase_include_HEADERS)'; \ + for f in $$foo; do \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + $(mkdir_p) $(buildinclude)/`dirname $$f` ; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ + fi ; \ done all-local: install-build-headers check-local:: - @if test '$(CHECK_LOCAL)'; then \ + @if test '$(CHECK_LOCAL)' = "no-check-local"; then \ + foo=''; elif test '$(CHECK_LOCAL)'; then \ foo='$(CHECK_LOCAL)'; else \ foo='$(PROGRAMS)'; fi; \ if test "$$foo"; then \ failed=0; all=0; \ for i in $$foo; do \ all=`expr $$all + 1`; \ - if ./$$i --version > /dev/null 2>&1; then \ + if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \ echo "PASS: $$i"; \ else \ echo "FAIL: $$i"; \ @@ -853,7 +956,7 @@ check-local:: echo "$$dashes"; \ echo "$$banner"; \ echo "$$dashes"; \ - test "$$failed" -eq 0; \ + test "$$failed" -eq 0 || exit 1; \ fi .x.c: 
@@ -923,14 +1026,44 @@ dist-cat8-mans: dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans install-cat-mans: - $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) + $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) + +uninstall-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) install-data-hook: install-cat-mans +uninstall-hook: uninstall-cat-mans .et.h: $(COMPILE_ET) $< .et.c: $(COMPILE_ET) $< + +# +# Useful target for debugging +# + +check-valgrind: + tobjdir=`cd $(top_builddir) && pwd` ; \ + tsrcdir=`cd $(top_srcdir) && pwd` ; \ + env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check + +# +# Target to please samba build farm, builds distfiles in-tree. +# Will break when automake changes... +# + +distdir-in-tree: $(DISTFILES) $(INFO_DEPS) + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" != .; then \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \ + fi ; \ + done + +$(kadmin_OBJECTS): kadmin-commands.h + +kadmin-commands.c kadmin-commands.h: kadmin-commands.in + $(SLC) $(srcdir)/kadmin-commands.in # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/crypto/heimdal/kadmin/add-random-users.c b/crypto/heimdal/kadmin/add-random-users.c index ebd1149..b797143 100644 --- a/crypto/heimdal/kadmin/add-random-users.c 
+++ b/crypto/heimdal/kadmin/add-random-users.c @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$Id: add-random-users.c,v 1.6 2001/09/20 09:17:33 assar Exp $"); +RCSID("$Id: add-random-users.c 19213 2006-12-04 23:36:36Z lha $"); #define WORDS_FILENAME "/usr/share/dict/words" @@ -57,8 +57,7 @@ read_words (const char *filename, char ***ret_w) while (fgets (buf, sizeof(buf), f) != NULL) { size_t len; - if (buf[strlen (buf) - 1] == '\n') - buf[strlen (buf) - 1] = '\0'; + buf[strcspn(buf, "\r\n")] = '\0'; if (n >= alloc) { alloc = max(alloc + 16, alloc * 2); w = erealloc (w, alloc * sizeof(char **)); @@ -72,6 +71,8 @@ read_words (const char *filename, char ***ret_w) w[n++] = wptr; wptr += len + 1; } + if (n == 0) + errx(1, "%s is an empty file, no words to try", filename); *ret_w = w; return n; } @@ -156,12 +157,12 @@ usage (int ret) int main(int argc, char **argv) { - int optind = 0; + int optidx = 0; int n = NUSERS; const char *filename = WORDS_FILENAME; setprogname(argv[0]); - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) usage (0); @@ -170,8 +171,8 @@ main(int argc, char **argv) return 0; } srand (0); - argc -= optind; - argv += optind; + argc -= optidx; + argv += optidx; if (argc > 0) { if (argc > 1) diff --git a/crypto/heimdal/kadmin/add_enctype.c b/crypto/heimdal/kadmin/add_enctype.c new file mode 100644 index 0000000..65337e6 --- /dev/null +++ b/crypto/heimdal/kadmin/add_enctype.c 
@@ -0,0 +1,164 @@ +/* + * Copyright (c) 1999-2006 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kadmin_locl.h" +#include "kadmin-commands.h" + +RCSID("$Id: add_enctype.c 20287 2007-02-22 03:12:30Z lha $"); + +/* + * del_enctype principal enctypes... 
+ */ + +int +add_enctype(struct add_enctype_options*opt, int argc, char **argv) +{ + kadm5_principal_ent_rec princ; + krb5_principal princ_ent = NULL; + krb5_error_code ret; + const char *princ_name; + int i, j; + krb5_key_data *new_key_data; + int n_etypes; + krb5_enctype *etypes; + + if (!opt->random_key_flag) { + krb5_warnx (context, "only random key is supported now"); + return 0; + } + + memset (&princ, 0, sizeof(princ)); + princ_name = argv[0]; + n_etypes = argc - 1; + etypes = malloc (n_etypes * sizeof(*etypes)); + if (etypes == NULL) { + krb5_warnx (context, "out of memory"); + return 0; + } + argv++; + for (i = 0; i < n_etypes; ++i) { + ret = krb5_string_to_enctype (context, argv[i], &etypes[i]); + if (ret) { + krb5_warnx (context, "bad enctype \"%s\"", argv[i]); + goto out2; + } + } + + ret = krb5_parse_name(context, princ_name, &princ_ent); + if (ret) { + krb5_warn (context, ret, "krb5_parse_name %s", princ_name); + goto out2; + } + + ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, + KADM5_PRINCIPAL | KADM5_KEY_DATA); + if (ret) { + krb5_free_principal (context, princ_ent); + krb5_warnx (context, "no such principal: %s", princ_name); + goto out2; + } + + new_key_data = malloc((princ.n_key_data + n_etypes) + * sizeof(*new_key_data)); + if (new_key_data == NULL) { + krb5_warnx (context, "out of memory"); + goto out; + } + + for (i = 0; i < princ.n_key_data; ++i) { + krb5_key_data *key = &princ.key_data[i]; + + for (j = 0; j < n_etypes; ++j) { + if (etypes[j] == key->key_data_type[0]) { + krb5_warnx(context, "enctype %d already exists", + (int)etypes[j]); + goto out; + } + } + new_key_data[i] = *key; + } + + for (i = 0; i < n_etypes; ++i) { + int n = princ.n_key_data + i; + krb5_keyblock keyblock; + + memset(&new_key_data[n], 0, sizeof(new_key_data[n])); + new_key_data[n].key_data_ver = 2; + new_key_data[n].key_data_kvno = 0; + + ret = krb5_generate_random_keyblock (context, etypes[i], &keyblock); + if (ret) { + krb5_warnx(context, "genernate 
enctype %d failed", (int)etypes[i]); + while (--i >= 0) + free(new_key_data[--n].key_data_contents[0]); + goto out; + } + + /* key */ + new_key_data[n].key_data_type[0] = etypes[i]; + new_key_data[n].key_data_contents[0] = malloc(keyblock.keyvalue.length); + if (new_key_data[n].key_data_contents[0] == NULL) { + ret = ENOMEM; + krb5_warn(context, ret, "out of memory"); + while (--i >= 0) + free(new_key_data[--n].key_data_contents[0]); + goto out; + } + new_key_data[n].key_data_length[0] = keyblock.keyvalue.length; + memcpy(new_key_data[n].key_data_contents[0], + keyblock.keyvalue.data, + keyblock.keyvalue.length); + krb5_free_keyblock_contents(context, &keyblock); + + /* salt */ + new_key_data[n].key_data_type[1] = KRB5_PW_SALT; + new_key_data[n].key_data_length[1] = 0; + new_key_data[n].key_data_contents[1] = NULL; + + } + + free (princ.key_data); + princ.n_key_data += n_etypes; + princ.key_data = new_key_data; + new_key_data = NULL; + + ret = kadm5_modify_principal (kadm_handle, &princ, KADM5_KEY_DATA); + if (ret) + krb5_warn(context, ret, "kadm5_modify_principal"); +out: + krb5_free_principal (context, princ_ent); + kadm5_free_principal_ent(kadm_handle, &princ); +out2: + free (etypes); + return ret != 0; +} diff --git a/crypto/heimdal/kadmin/ank.c b/crypto/heimdal/kadmin/ank.c index a166fb2..7e7cfa8 100644 --- a/crypto/heimdal/kadmin/ank.c +++ b/crypto/heimdal/kadmin/ank.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,8 +32,9 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" -RCSID("$Id: ank.c,v 1.25 2002/12/03 14:11:24 joda Exp $"); +RCSID("$Id: ank.c 16658 2006-01-25 12:29:46Z lha $"); /* * fetch the default principal corresponding to `princ' 
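Review bot: The `goto out` after "enctype %d already exists" and the one after the failed `malloc` of `new_key_data` leave `ret` at the 0 returned by the preceding `kadm5_get_principal`, so `return ret != 0` reports success for a command that changed nothing; set `ret = EEXIST;` and `ret = ENOMEM;` before those jumps. Those two paths, and the unwind loops after a failed `krb5_generate_random_keyblock` or key-buffer `malloc`, also leak the `new_key_data` array itself; `free(new_key_data);` under `out:` is safe because the success path sets it to NULL first and the entries it shallow-copies stay owned by `princ.key_data`. `princ_name = argv[0]` and `n_etypes = argc - 1` are evaluated before any check that a principal and at least one enctype were supplied, so unless the command table enforces that, an `if (argc < 2)` guard returning 1 belongs at the top (a negative `n_etypes` would otherwise feed a huge size to malloc). The header comment reads `del_enctype principal enctypes...` and should say `add_enctype principal enctypes...`, and "genernate" in the warning is a typo for "generate". Since `key_data_contents[0]` holds freshly generated key material, the unwind loops should clear each buffer before `free()` instead of leaving raw keys in released heap.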
@@ -117,7 +118,7 @@ add_one_principal (const char *name, if(rand_key || key_data) { princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; mask |= KADM5_ATTRIBUTES; - strlcpy (pwbuf, "hemlig", sizeof(pwbuf)); + random_password (pwbuf, sizeof(pwbuf)); password = pwbuf; } else if (rand_password) { random_password (pwbuf, sizeof(pwbuf)); @@ -129,10 +130,13 @@ add_one_principal (const char *name, krb5_unparse_name(context, princ_ent, &princ_name); asprintf (&prompt, "%s's Password: ", princ_name); free (princ_name); - ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1); + ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1); free (prompt); - if (ret) + if (ret) { + krb5_set_error_string(context, "failed to verify password"); + ret = KRB5_LIBOS_BADPWDMATCH; goto out; + } password = pwbuf; } @@ -176,14 +180,14 @@ add_one_principal (const char *name, char *princ_name; krb5_unparse_name(context, princ_ent, &princ_name); - printf ("added %s with password `%s'\n", princ_name, password); + printf ("added %s with password \"%s\"\n", princ_name, password); free (princ_name); } out: if (princ_ent) krb5_free_principal (context, princ_ent); if(default_ent) - kadm5_free_principal_ent (context, default_ent); + kadm5_free_principal_ent (kadm_handle, default_ent); if (password != NULL) memset (password, 0, strlen(password)); return ret; 
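Review bot: The final `memset (password, 0, strlen(password));` is the last access to that buffer before `return ret`, so the compiler may drop it as a dead store and the password can remain in memory; a clearing call the optimizer cannot elide (memset_s if the build provides it, or a volatile byte loop) is the usual fix. When `password` refers to the caller's `opt->password_string` rather than the local `pwbuf`, this also clears the option value in place, which would leave an empty password for the second principal in add_new_key's loop — how the parameter is bound is not visible here, so please confirm. The enclosing add_one_principal begins outside the hunk.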
@@ -197,112 +201,58 @@ out: * the ank command */ -static struct getargs args[] = { - { "random-key", 'r', arg_flag, NULL, "set random key" }, - { "random-password", 0, arg_flag, NULL, "set random password" }, - { "password", 'p', arg_string, NULL, "princial's password" }, - { "key", 0, arg_string, NULL, "DES-key in hex" }, - { "max-ticket-life", 0, arg_string, NULL, "max ticket lifetime", - "lifetime"}, - { "max-renewable-life", 0, arg_string, NULL, - "max renewable lifetime", "lifetime" }, - { "attributes", 0, arg_string, NULL, "principal attributes", - "attributes"}, - { "expiration-time",0, arg_string, NULL, "expiration time", - "time"}, - { "pw-expiration-time", 0, arg_string, NULL, - "password expiration time", "time"}, - { "use-defaults", 0, arg_flag, NULL, "use default values" } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage (args, num_args, "add", "principal..."); -} - /* * Parse arguments and add all the principals. */ int -add_new_key(int argc, char **argv) +add_new_key(struct add_options *opt, int argc, char **argv) { - char *password = NULL; - char *key = NULL; - int random_key = 0; - int random_password = 0; - int optind = 0; - krb5_error_code ret; - char *max_ticket_life = NULL; - char *max_renewable_life = NULL; - char *attributes = NULL; - char *expiration = NULL; - char *pw_expiration = NULL; - int use_defaults = 0; + krb5_error_code ret = 0; int i; int num; krb5_key_data key_data[3]; krb5_key_data *kdp = NULL; - args[0].value = &random_key; - args[1].value = &random_password; - args[2].value = &password; - args[3].value = &key; - args[4].value = &max_ticket_life; - args[5].value = &max_renewable_life; - args[6].value = &attributes; - args[7].value = &expiration; - args[8].value = &pw_expiration; - args[9].value = &use_defaults; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage (); - return 0; - } - if(optind == argc) { - usage (); - return 0; - } - num = 0; - if (random_key) 
+ if (opt->random_key_flag) ++num; - if (random_password) + if (opt->random_password_flag) ++num; - if (password) + if (opt->password_string) ++num; - if (key) + if (opt->key_string) ++num; if (num > 1) { - printf ("give only one of " + fprintf (stderr, "give only one of " "--random-key, --random-password, --password, --key\n"); - return 0; + return 1; } - if (key) { + if (opt->key_string) { const char *error; - if (parse_des_key (key, key_data, &error)) { - printf ("failed parsing key `%s': %s\n", key, error); - return 0; + if (parse_des_key (opt->key_string, key_data, &error)) { + fprintf (stderr, "failed parsing key \"%s\": %s\n", + opt->key_string, error); + return 1; } kdp = key_data; } - for (i = optind; i < argc; ++i) { - ret = add_one_principal (argv[i], random_key, random_password, - use_defaults, - password, + for(i = 0; i < argc; i++) { + ret = add_one_principal (argv[i], + opt->random_key_flag, + opt->random_password_flag, + opt->use_defaults_flag, + opt->password_string, kdp, - max_ticket_life, - max_renewable_life, - attributes, - expiration, - pw_expiration); + opt->max_ticket_life_string, + opt->max_renewable_life_string, + opt->attributes_string, + opt->expiration_time_string, + opt->pw_expiration_time_string); if (ret) { krb5_warn (context, ret, "adding %s", argv[i]); break; @@ -312,5 +262,5 @@ add_new_key(int argc, char **argv) int16_t dummy = 3; kadm5_free_key_data (kadm_handle, &dummy, key_data); } - return 0; + return ret != 0; } diff --git a/crypto/heimdal/kadmin/check.c b/crypto/heimdal/kadmin/check.c new file mode 100644 index 0000000..bd4f270 --- /dev/null +++ b/crypto/heimdal/kadmin/check.c 
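Review bot: The comment above `add_new_key` still reads "Parse arguments and add all the principals." although the function no longer parses arguments and the loop stops at the first principal that fails; a comment stating the contract, `/* Add each principal in argv; stops at the first failure and returns 1, 0 when all were added. */`, would match the `return ret != 0` in the closing hunk. The two `fprintf (stderr, ...)` diagnostics sit beside the `krb5_warn (context, ret, "adding %s", argv[i])` used in the loop; routing them through `krb5_warnx(context, ...)` keeps error output consistent within the command. If the command table does not require at least one principal, a call with `argc == 0` returns 0 having added nothing.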
@@ -0,0 +1,238 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +/* + * Check database for strange configurations on default principals + */ + +#include "kadmin_locl.h" +#include "kadmin-commands.h" + +RCSID("$Id: check.c 20962 2007-06-07 05:09:24Z lha $"); + +static int +get_check_entry(const char *name, kadm5_principal_ent_rec *ent) +{ + krb5_error_code ret; + krb5_principal principal; + + ret = krb5_parse_name(context, name, &principal); + if (ret) { + krb5_warn(context, ret, "krb5_unparse_name: %s", name); + return 1; + } + + memset(ent, 0, sizeof(*ent)); + ret = kadm5_get_principal(kadm_handle, principal, ent, 0); + krb5_free_principal(context, principal); + if(ret) + return 1; + + return 0; +} + + +static int +do_check_entry(krb5_principal principal, void *data) +{ + krb5_error_code ret; + kadm5_principal_ent_rec princ; + char *name; + int i; + + ret = krb5_unparse_name(context, principal, &name); + if (ret) + return 1; + + memset (&princ, 0, sizeof(princ)); + ret = kadm5_get_principal(kadm_handle, principal, &princ, + KADM5_PRINCIPAL | KADM5_KEY_DATA); + if(ret) { + krb5_warn(context, ret, "Failed to get principal: %s", name); + free(name); + return 0; + } + + for (i = 0; i < princ.n_key_data; i++) { + size_t keysize; + ret = krb5_enctype_keysize(context, + princ.key_data[i].key_data_type[0], + &keysize); + if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) { + krb5_warnx(context, + "Principal %s enctype %d, wrong length: %lu\n", + name, princ.key_data[i].key_data_type[0], + (unsigned long)princ.key_data[i].key_data_length); + } + } + + free(name); + kadm5_free_principal_ent(kadm_handle, &princ); + + return 0; +} + +int +check(void *opt, int argc, char **argv) +{ + kadm5_principal_ent_rec ent; + krb5_error_code ret; + char *realm = NULL, *p, *p2; + int found; + + if (argc == 0) { + ret = krb5_get_default_realm(context, &realm); + if (ret) { + krb5_warn(context, ret, "krb5_get_default_realm"); + goto fail; + } + } else { + realm = strdup(argv[0]); + if (realm == NULL) { + krb5_warnx(context, 
"malloc"); + goto fail; + } + } + + /* + * Check krbtgt/REALM@REALM + * + * For now, just check existance + */ + + if (asprintf(&p, "%s/%s@%s", KRB5_TGS_NAME, realm, realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + if (ret) { + printf("%s doesn't exist, are you sure %s is a realm in your database", + p, realm); + free(p); + goto fail; + } + free(p); + + kadm5_free_principal_ent(kadm_handle, &ent); + + /* + * Check kadmin/admin@REALM + */ + + if (asprintf(&p, "kadmin/admin@%s", realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + if (ret) { + printf("%s doesn't exist, " + "there is no way to do remote administration", p); + free(p); + goto fail; + } + free(p); + + kadm5_free_principal_ent(kadm_handle, &ent); + + /* + * Check kadmin/changepw@REALM + */ + + if (asprintf(&p, "kadmin/changepw@%s", realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + if (ret) { + printf("%s doesn't exist, " + "there is no way to do change password", p); + free(p); + goto fail; + } + free(p); + + kadm5_free_principal_ent(kadm_handle, &ent); + + /* + * Check for duplicate afs keys + */ + + p2 = strdup(realm); + if (p2 == NULL) { + krb5_warn(context, errno, "malloc"); + free(p); + goto fail; + } + strlwr(p2); + + if (asprintf(&p, "afs/%s@%s", p2, realm) == -1) { + krb5_warn(context, errno, "asprintf"); + free(p2); + goto fail; + } + free(p2); + + ret = get_check_entry(p, &ent); + free(p); + if (ret == 0) { + kadm5_free_principal_ent(kadm_handle, &ent); + found = 1; + } else + found = 0; + + if (asprintf(&p, "afs@%s", realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + free(p); + if (ret == 0) { + kadm5_free_principal_ent(kadm_handle, &ent); + if (found) { + krb5_warnx(context, "afs@REALM and afs/cellname@REALM both exists"); + goto fail; + } + } + + 
foreach_principal("*", do_check_entry, "check", NULL); + + free(realm); + return 0; +fail: + free(realm); + return 1; +} diff --git a/crypto/heimdal/kadmin/cpw.c b/crypto/heimdal/kadmin/cpw.c index 50c1cb2..c5fa9ed 100644 --- a/crypto/heimdal/kadmin/cpw.c +++ b/crypto/heimdal/kadmin/cpw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,8 +32,9 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" -RCSID("$Id: cpw.c,v 1.13 2001/08/10 08:05:35 joda Exp $"); +RCSID("$Id: cpw.c 16755 2006-02-18 23:30:32Z lha $"); struct cpw_entry_data { int random_key; @@ -42,21 +43,6 @@ struct cpw_entry_data { krb5_key_data *key_data; }; -static struct getargs args[] = { - { "random-key", 'r', arg_flag, NULL, "set random key" }, - { "random-password", 0, arg_flag, NULL, "set random password" }, - { "password", 'p', arg_string, NULL, "princial's password" }, - { "key", 0, arg_string, NULL, "DES key in hex" } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage(args, num_args, "passwd", "principal..."); -} - static int set_random_key (krb5_principal principal) { @@ -87,7 +73,7 @@ set_random_password (krb5_principal principal) krb5_unparse_name(context, principal, &princ_name); - printf ("%s's password set to `%s'\n", princ_name, pw); + printf ("%s's password set to \"%s\"\n", princ_name, pw); free (princ_name); } memset (pw, 0, sizeof(pw)); @@ -107,7 +93,7 @@ set_password (krb5_principal principal, char *password) krb5_unparse_name(context, principal, &princ_name); asprintf(&prompt, "%s's Password: ", princ_name); free (princ_name); - ret = des_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1); + ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1); free (prompt); if(ret){ return 0; /* XXX error code? */ 
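Review bot: On the `p2 = strdup(realm)` failure path the `free(p);` double-frees `p`, which was already released by the `free(p);` that closes the kadmin/changepw check just above; that `free(p)` should be dropped from the branch. In do_check_entry the warning passes `(unsigned long)princ.key_data[i].key_data_length`, the array rather than an element, so `%lu` prints a pointer value instead of the key length; it should be `(unsigned long)princ.key_data[i].key_data_length[0]`, matching the comparison two lines earlier. get_check_entry's failure message names `krb5_unparse_name` although the call that failed is `krb5_parse_name`. The result of `foreach_principal("*", do_check_entry, "check", NULL)` is discarded, so an enumeration failure still yields exit status 0, and the three `printf("... doesn't exist ...")` diagnostics lack a trailing newline. do_check_entry also stays silent when `krb5_enctype_keysize` itself fails, i.e. a stored enctype the library does not know, which is arguably worth its own warning in a consistency check.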
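Review bot: A failed `UI_UTIL_read_pw_string` in set_password still ends in `return 0; /* XXX error code? */`, so an interrupted prompt or mismatched entries is reported as success to the caller. The change to add_one_principal in ank.c in this same commit resolves the identical situation with `krb5_set_error_string(context, "failed to verify password"); return KRB5_LIBOS_BADPWDMATCH;`, and the same two lines here would make the two commands consistent and retire the XXX comment, assuming set_password returns a krb5_error_code as `return 0` suggests. The unchecked `asprintf(&prompt, ...)` just above leaves `prompt` indeterminate on allocation failure before it is handed to the prompt routine; `if (asprintf(&prompt, ...) == -1) return ENOMEM;`, the pattern check.c uses, would close that. set_password's body continues outside the hunk.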
@@ -146,32 +132,19 @@ do_cpw_entry(krb5_principal principal, void *data) } int -cpw_entry(int argc, char **argv) +cpw_entry(struct passwd_options *opt, int argc, char **argv) { - krb5_error_code ret; + krb5_error_code ret = 0; int i; - int optind = 0; struct cpw_entry_data data; int num; - char *key_string; krb5_key_data key_data[3]; - data.random_key = 0; - data.random_password = 0; - data.password = NULL; + data.random_key = opt->random_key_flag; + data.random_password = opt->random_password_flag; + data.password = opt->password_string; data.key_data = NULL; - key_string = NULL; - - args[0].value = &data.random_key; - args[1].value = &data.random_password; - args[2].value = &data.password; - args[3].value = &key_string; - if(getarg(args, num_args, argc, argv, &optind)){ - usage(); - return 0; - } - num = 0; if (data.random_key) ++num; @@ -179,28 +152,26 @@ cpw_entry(int argc, char **argv) ++num; if (data.password) ++num; - if (key_string) + if (opt->key_string) ++num; if (num > 1) { - printf ("give only one of " + fprintf (stderr, "give only one of " "--random-key, --random-password, --password, --key\n"); - return 0; + return 1; } - if (key_string) { + if (opt->key_string) { const char *error; - if (parse_des_key (key_string, key_data, &error)) { - printf ("failed parsing key `%s': %s\n", key_string, error); - return 0; + if (parse_des_key (opt->key_string, key_data, &error)) { + fprintf (stderr, "failed parsing key \"%s\": %s\n", + opt->key_string, error); + return 1; } data.key_data = key_data; } - argc -= optind; - argv += optind; - for(i = 0; i < argc; i++) ret = foreach_principal(argv[i], do_cpw_entry, "cpw", &data); @@ -209,5 +180,5 @@ cpw_entry(int argc, char **argv) kadm5_free_key_data (kadm_handle, &dummy, key_data); } - return 0; + return ret != 0; } diff --git a/crypto/heimdal/kadmin/del.c b/crypto/heimdal/kadmin/del.c index 1697656..a7db479 100644 --- a/crypto/heimdal/kadmin/del.c +++ b/crypto/heimdal/kadmin/del.c 
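Review bot: In the principal loop at the end of the `@@ -179` hunk, `ret = foreach_principal(...)` is overwritten on every iteration, so with several principals a failure on any but the last is lost and `return ret != 0` in the `@@ -209` hunk reports success. del.c and ext.c in this same change stop at the first error; this loop should match them: `for(i = 0; i < argc; i++) { ret = foreach_principal(argv[i], do_cpw_entry, "cpw", &data); if (ret) break; }`. cpw_entry's body continues between the hunks and after the last one.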
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,8 +32,9 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" -RCSID("$Id: del.c,v 1.6 2001/05/07 05:30:50 assar Exp $"); +RCSID("$Id: del.c 16754 2006-02-18 23:29:43Z lha $"); static int do_del_entry(krb5_principal principal, void *data) @@ -41,40 +42,16 @@ do_del_entry(krb5_principal principal, void *data) return kadm5_delete_principal(kadm_handle, principal); } -static struct getargs args[] = { - { "help", 'h', arg_flag, NULL } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage (args, num_args, "delete", "principal..."); -} - - int -del_entry(int argc, char **argv) +del_entry(void *opt, int argc, char **argv) { - int optind = 0; - int help_flag = 0; - int i; - krb5_error_code ret; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage (); - return 0; - } - if(optind == argc || help_flag) { - usage (); - return 0; - } + krb5_error_code ret = 0; - for(i = 1; i < argc; i++) + for(i = 0; i < argc; i++) { ret = foreach_principal(argv[i], do_del_entry, "del", NULL); - return 0; + if (ret) + break; + } + return ret != 0; } diff --git a/crypto/heimdal/kadmin/del_enctype.c b/crypto/heimdal/kadmin/del_enctype.c index 985cc84..26921f2 100644 --- a/crypto/heimdal/kadmin/del_enctype.c +++ b/crypto/heimdal/kadmin/del_enctype.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2001 Kungliga Tekniska Högskolan + * Copyright (c) 1999-2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -32,32 +32,17 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" -RCSID("$Id: del_enctype.c,v 1.7 2001/04/19 07:26:52 joda Exp $"); +RCSID("$Id: del_enctype.c 16658 2006-01-25 12:29:46Z lha $"); /* * del_enctype principal enctypes... */ -static struct getargs args[] = { - { "help", 'h', arg_flag, NULL } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage (args, num_args, "del_enctype", "principal enctypes..."); -} - - int -del_enctype(int argc, char **argv) +del_enctype(void *opt, int argc, char **argv) { - int optind = 0; - int help_flag = 0; - kadm5_principal_ent_rec princ; krb5_principal princ_ent = NULL; krb5_error_code ret; @@ -67,29 +52,19 @@ del_enctype(int argc, char **argv) int n_etypes; krb5_enctype *etypes; - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage (); - return 0; - } - if(argc - optind < 2 || help_flag) { - usage (); - return 0; - } - memset (&princ, 0, sizeof(princ)); - princ_name = argv[1]; - n_etypes = argc - 2; + princ_name = argv[0]; + n_etypes = argc - 1; etypes = malloc (n_etypes * sizeof(*etypes)); if (etypes == NULL) { krb5_warnx (context, "out of memory"); return 0; } + argv++; for (i = 0; i < n_etypes; ++i) { - ret = krb5_string_to_enctype (context, argv[i + 2], &etypes[i]); + ret = krb5_string_to_enctype (context, argv[i], &etypes[i]); if (ret) { - krb5_warnx (context, "bad enctype `%s'", argv[i + 2]); + krb5_warnx (context, "bad enctype \"%s\"", argv[i]); goto out2; } } @@ -144,5 +119,5 @@ out: kadm5_free_principal_ent(kadm_handle, &princ); out2: free (etypes); - return 0; + return ret != 0; } diff --git a/crypto/heimdal/kadmin/dump.c b/crypto/heimdal/kadmin/dump.c index a57309c..97ec667 100644 --- a/crypto/heimdal/kadmin/dump.c +++ b/crypto/heimdal/kadmin/dump.c 
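Review bot: The removed `argc - optind < 2` check has no replacement in `del_enctype`, so `princ_name = argv[0]; n_etypes = argc - 1;` is reached with no arguments, where `argv[0]` is read past the argument list and `n_etypes` becomes -1, which `malloc (n_etypes * sizeof(*etypes))` converts to a huge size; unless the generated command table enforces a minimum argument count (not visible here), a guard such as `if (argc < 2) { krb5_warnx(context, "del_enctype: principal and at least one enctype required"); return 1; }` belongs at the top. The out-of-memory path still does `return 0` while the function's other exits were changed to `return ret != 0` in the `@@ -144` hunk, so an allocation failure reports success; make it `return 1`. del_enctype's body continues between and after the hunks.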
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,49 +32,48 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" #include <kadm5/private.h> -RCSID("$Id: dump.c,v 1.26 1999/12/02 17:04:58 joda Exp $"); +RCSID("$Id: dump.c 14518 2005-01-19 17:09:56Z lha $"); + +extern int local_flag; int -dump(int argc, char **argv) +dump(struct dump_options *opt, int argc, char **argv) { krb5_error_code ret; FILE *f; - HDB *db = _kadm5_s_get_db(kadm_handle); - int decrypt = 0; - int optind = 0; - - struct getargs args[] = { - { "decrypt", 'd', arg_flag, NULL, "decrypt keys" } - }; - args[0].value = &decrypt; - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) { - arg_printusage(args, sizeof(args) / sizeof(args[0]), "kadmin dump", - "[dump-file]"); + HDB *db = NULL; + + if(!local_flag) { + krb5_warnx(context, "dump is only available in local (-l) mode"); return 0; } - argc -= optind; - argv += optind; - if(argc < 1) + db = _kadm5_s_get_db(kadm_handle); + + if(argc == 0) f = stdout; else f = fopen(argv[0], "w"); - ret = db->open(context, db, O_RDONLY, 0600); - if(ret){ + if(f == NULL) { + krb5_warn(context, errno, "open: %s", argv[0]); + goto out; + } + ret = db->hdb_open(context, db, O_RDONLY, 0600); + if(ret) { krb5_warn(context, ret, "hdb_open"); - if(f != stdout) - fclose(f); - return 0; + goto out; } - hdb_foreach(context, db, decrypt ? HDB_F_DECRYPT : 0, hdb_print_entry, f); + hdb_foreach(context, db, opt->decrypt_flag ? HDB_F_DECRYPT : 0, + hdb_print_entry, f); - if(f != stdout) + db->hdb_close(context, db); +out: + if(f && f != stdout) fclose(f); - db->close(context, db); return 0; } diff --git a/crypto/heimdal/kadmin/ext.c b/crypto/heimdal/kadmin/ext.c index c945fea..f80272f 100644 --- a/crypto/heimdal/kadmin/ext.c +++ b/crypto/heimdal/kadmin/ext.c 
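Review bot: `f = fopen(argv[0], "w")` creates the dump file with whatever the process umask allows, yet what `hdb_print_entry` writes into it is the principal database including key material, in the clear when `--decrypt` is given; the file should be created owner-only, e.g. `int fd = open(argv[0], O_WRONLY | O_CREAT | O_TRUNC, 0600);` followed by `f = fd < 0 ? NULL : fdopen(fd, "w");`. The result of `hdb_foreach` is discarded and `fclose` on a write stream is unchecked, so a truncated dump is indistinguishable from a complete one. Every error path in `dump` also still returns 0, while the other commands in this change return 1 on failure.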
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -32,85 +32,108 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" -RCSID("$Id: ext.c,v 1.8 2002/02/11 14:29:52 joda Exp $"); +RCSID("$Id: ext.c 16658 2006-01-25 12:29:46Z lha $"); struct ext_keytab_data { krb5_keytab keytab; }; -static struct getargs args[] = { - { "keytab", 'k', arg_string, NULL, "keytab to use" }, -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage(args, num_args, "ext", "principal..."); -} - static int do_ext_keytab(krb5_principal principal, void *data) { krb5_error_code ret; - int i; kadm5_principal_ent_rec princ; struct ext_keytab_data *e = data; - + krb5_keytab_entry *keys = NULL; + krb5_keyblock *k = NULL; + int i, n_k; + ret = kadm5_get_principal(kadm_handle, principal, &princ, KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA); if(ret) return ret; - for(i = 0; i < princ.n_key_data; i++){ - krb5_keytab_entry key; - krb5_key_data *k = &princ.key_data[i]; - key.principal = princ.principal; - key.vno = k->key_data_kvno; - key.keyblock.keytype = k->key_data_type[0]; - key.keyblock.keyvalue.length = k->key_data_length[0]; - key.keyblock.keyvalue.data = k->key_data_contents[0]; - key.timestamp = time(NULL); - ret = krb5_kt_add_entry(context, e->keytab, &key); + + if (princ.n_key_data) { + keys = malloc(sizeof(*keys) * princ.n_key_data); + if (keys == NULL) { + kadm5_free_principal_ent(kadm_handle, &princ); + krb5_clear_error_string(context); + return ENOMEM; + } + for (i = 0; i < princ.n_key_data; i++) { + krb5_key_data *kd = &princ.key_data[i]; + + keys[i].principal = princ.principal; + keys[i].vno = kd->key_data_kvno; + keys[i].keyblock.keytype = kd->key_data_type[0]; + keys[i].keyblock.keyvalue.length = kd->key_data_length[0]; + keys[i].keyblock.keyvalue.data = kd->key_data_contents[0]; + keys[i].timestamp = time(NULL); + } + + n_k = princ.n_key_data; + } else { + ret = kadm5_randkey_principal(kadm_handle, principal, &k, &n_k); + if (ret) { + kadm5_free_principal_ent(kadm_handle, 
&princ); + return ret; + } + keys = malloc(sizeof(*keys) * n_k); + if (keys == NULL) { + kadm5_free_principal_ent(kadm_handle, &princ); + krb5_clear_error_string(context); + return ENOMEM; + } + for (i = 0; i < n_k; i++) { + keys[i].principal = principal; + keys[i].vno = princ.kvno + 1; /* XXX get entry again */ + keys[i].keyblock = k[i]; + keys[i].timestamp = time(NULL); + } + } + + for(i = 0; i < n_k; i++) { + ret = krb5_kt_add_entry(context, e->keytab, &keys[i]); if(ret) - krb5_warn(context, ret, "krb5_kt_add_entry"); + krb5_warn(context, ret, "krb5_kt_add_entry(%d)", i); } + + if (k) { + memset(k, 0, n_k * sizeof(*k)); + free(k); + } + if (keys) + free(keys); kadm5_free_principal_ent(kadm_handle, &princ); return 0; } int -ext_keytab(int argc, char **argv) +ext_keytab(struct ext_keytab_options *opt, int argc, char **argv) { krb5_error_code ret; int i; - int optind = 0; - char *keytab = NULL; struct ext_keytab_data data; - - args[0].value = &keytab; - if(getarg(args, num_args, argc, argv, &optind)){ - usage(); - return 0; - } - if (keytab == NULL) + + if (opt->keytab_string == NULL) ret = krb5_kt_default(context, &data.keytab); else - ret = krb5_kt_resolve(context, keytab, &data.keytab); + ret = krb5_kt_resolve(context, opt->keytab_string, &data.keytab); if(ret){ krb5_warn(context, ret, "krb5_kt_resolve"); - return 0; + return 1; } - argc -= optind; - argv += optind; - - for(i = 0; i < argc; i++) - foreach_principal(argv[i], do_ext_keytab, "ext", &data); + for(i = 0; i < argc; i++) { + ret = foreach_principal(argv[i], do_ext_keytab, "ext", &data); + if (ret) + break; + } krb5_kt_close(context, data.keytab); - return 0; + return ret != 0; } diff --git a/crypto/heimdal/kadmin/get.c b/crypto/heimdal/kadmin/get.c index 30eea9d..6e09f91 100644 --- a/crypto/heimdal/kadmin/get.c +++ b/crypto/heimdal/kadmin/get.c 
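Review bot: When a principal has no keys, the new else-branch in `do_ext_keytab` calls `kadm5_randkey_principal`, which changes the principal's keys in the database as a side effect of extracting a keytab, and the entries are then written with a guessed `vno = princ.kvno + 1` (the `/* XXX get entry again */` admits the kvno may not match what the KDC stores). That deserves a comment above the branch, e.g. `/* No keys yet: randomize the principal's key (this modifies the database) and export that */`, and ideally a re-read of the entry for the real kvno. The cleanup `memset(k, 0, n_k * sizeof(*k)); free(k);` only zeroes the keyblock structs, not the key bytes their `keyvalue.data` points to, which are neither wiped nor freed; init.c in this same change does it right with `for (i = 0; i < n_k; i++) krb5_free_keyblock_contents(context, &k[i]);` before `free(k)`. A failing `krb5_kt_add_entry` is only warned about and the function still returns 0, so `ext` exits successfully with an incomplete keytab.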
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -32,74 +32,77 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" #include <parse_units.h> +#include <rtbl.h> -RCSID("$Id: get.c,v 1.13 2001/05/07 05:31:43 assar Exp $"); +RCSID("$Id: get.c 21745 2007-07-31 16:11:25Z lha $"); -struct get_entry_data { - void (*header)(void); - void (*format)(kadm5_principal_ent_t); +static struct field_name { + const char *fieldname; + unsigned int fieldvalue; + unsigned int subvalue; + uint32_t extra_mask; + const char *default_header; + const char *def_longheader; + unsigned int flags; +} field_names[] = { + { "principal", KADM5_PRINCIPAL, 0, 0, "Principal", "Principal", 0 }, + { "princ_expire_time", KADM5_PRINC_EXPIRE_TIME, 0, 0, "Expiration", "Principal expires", 0 }, + { "pw_expiration", KADM5_PW_EXPIRATION, 0, 0, "PW-exp", "Password expires", 0 }, + { "last_pwd_change", KADM5_LAST_PWD_CHANGE, 0, 0, "PW-change", "Last password change", 0 }, + { "max_life", KADM5_MAX_LIFE, 0, 0, "Max life", "Max ticket life", 0 }, + { "max_rlife", KADM5_MAX_RLIFE, 0, 0, "Max renew", "Max renewable life", 0 }, + { "mod_time", KADM5_MOD_TIME, 0, 0, "Mod time", "Last modified", 0 }, + { "mod_name", KADM5_MOD_NAME, 0, 0, "Modifier", "Modifier", 0 }, + { "attributes", KADM5_ATTRIBUTES, 0, 0, "Attributes", "Attributes", 0 }, + { "kvno", KADM5_KVNO, 0, 0, "Kvno", "Kvno", RTBL_ALIGN_RIGHT }, + { "mkvno", KADM5_MKVNO, 0, 0, "Mkvno", "Mkvno", RTBL_ALIGN_RIGHT }, + { "last_success", KADM5_LAST_SUCCESS, 0, 0, "Last login", "Last successful login", 0 }, + { "last_failed", KADM5_LAST_FAILED, 0, 0, "Last fail", "Last failed login", 0 }, + { "fail_auth_count", KADM5_FAIL_AUTH_COUNT, 0, 0, "Fail count", "Failed login count", RTBL_ALIGN_RIGHT }, + { "policy", KADM5_POLICY, 0, 0, "Policy", "Policy", 0 }, + { "keytypes", KADM5_KEY_DATA, 0, KADM5_PRINCIPAL, "Keytypes", "Keytypes", 0 }, + { "password", KADM5_TL_DATA, KRB5_TL_PASSWORD, KADM5_KEY_DATA, "Password", "Password", 0 }, + { "pkinit-acl", KADM5_TL_DATA, KRB5_TL_PKINIT_ACL, 0, "PK-INIT ACL", 
"PK-INIT ACL", 0 }, + { "aliases", KADM5_TL_DATA, KRB5_TL_ALIASES, 0, "Aliases", "Aliases", 0 }, + { NULL } }; -static void -print_entry_terse(kadm5_principal_ent_t princ) -{ - char *p; - krb5_unparse_name(context, princ->principal, &p); - printf(" %s\n", p); - free(p); -} - -static void -print_header_short(void) -{ - printf("%-20s ", "Principal"); - - printf("%-10s ", "Expires"); - - printf("%-10s ", "PW-exp"); - - printf("%-10s ", "PW-change"); - - printf("%-9s ", "Max life"); +struct field_info { + struct field_name *ff; + char *header; + struct field_info *next; +}; - printf("%-9s ", "Max renew"); - - printf("\n"); -} +struct get_entry_data { + void (*format)(struct get_entry_data*, kadm5_principal_ent_t); + rtbl_t table; + uint32_t mask; + uint32_t extra_mask; + struct field_info *chead, **ctail; +}; -static void -print_entry_short(kadm5_principal_ent_t princ) +static int +add_column(struct get_entry_data *data, struct field_name *ff, const char *header) { - char buf[1024]; - - krb5_unparse_name_fixed_short(context, princ->principal, buf, sizeof(buf)); - printf("%-20s ", buf); - - time_t2str(princ->princ_expire_time, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - time_t2str(princ->pw_expiration, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - time_t2str(princ->last_pwd_change, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - deltat2str(princ->max_life, buf, sizeof(buf)); - printf("%-9s ", buf); - - deltat2str(princ->max_renewable_life, buf, sizeof(buf)); - printf("%-9s ", buf); - -#if 0 - time_t2str(princ->mod_date, buf, sizeof(buf), 0); - printf("%-10s ", buf); - - krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf)); - printf("%-24s", buf); -#endif - - printf("\n"); + struct field_info *f = malloc(sizeof(*f)); + if (f == NULL) + return ENOMEM; + f->ff = ff; + if(header) + f->header = strdup(header); + else + f->header = NULL; + f->next = NULL; + *data->ctail = f; + data->ctail = &f->next; + data->mask |= ff->fieldvalue; + 
data->extra_mask |= ff->extra_mask;
+ if(data->table != NULL)
+ rtbl_add_column_by_id(data->table, ff->fieldvalue,
+ header ? header : ff->default_header, ff->flags);
+ return 0;
+ }
 /*
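Review bot: In `add_column`, `f->header = strdup(header)` is unchecked: on allocation failure the column silently ends up with a NULL header, and `print_entry_long` later falls back to `f->ff->def_longheader`, so a user-supplied header disappears instead of the command failing; check it like the `malloc` above it: `if (header && f->header == NULL) { free(f); return ENOMEM; }`. The ENOMEM that `add_column` does return is in turn dropped by its caller `setup_columns` in the `@@ -207` hunk (`add_column(data, f, header);` with the result discarded), so neither failure is ever reported.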
@@ -118,83 +121,244 @@ cmp_salt (const krb5_salt *salt, const krb5_key_data *k) } static void -print_entry_long(kadm5_principal_ent_t princ) +format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len) { - char buf[1024]; - int i; - krb5_salt def_salt; + krb5_error_code ret; + char *s; + + ret = krb5_enctype_to_string (context, + k->key_data_type[0], + &s); + if (ret) + asprintf (&s, "unknown(%d)", k->key_data_type[0]); + strlcpy(buf, s, buf_len); + free(s); + + strlcat(buf, "(", buf_len); + + ret = krb5_salttype_to_string (context, + k->key_data_type[0], + k->key_data_type[1], + &s); + if (ret) + asprintf (&s, "unknown(%d)", k->key_data_type[1]); + strlcat(buf, s, buf_len); + free(s); + + if (cmp_salt(def_salt, k) == 0) + s = strdup(""); + else if(k->key_data_length[1] == 0) + s = strdup("()"); + else + asprintf (&s, "(%.*s)", k->key_data_length[1], + (char *)k->key_data_contents[1]); + strlcat(buf, s, buf_len); + free(s); + + strlcat(buf, ")", buf_len); +} + +static void +format_field(kadm5_principal_ent_t princ, unsigned int field, + unsigned int subfield, char *buf, size_t buf_len, int condensed) +{ + switch(field) { + case KADM5_PRINCIPAL: + if(condensed) + krb5_unparse_name_fixed_short(context, princ->principal, buf, buf_len); + else + krb5_unparse_name_fixed(context, princ->principal, buf, buf_len); + break; - krb5_unparse_name_fixed(context, princ->principal, buf, sizeof(buf)); - printf("%24s: %s\n", "Principal", buf); - time_t2str(princ->princ_expire_time, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Principal expires", buf); + case KADM5_PRINC_EXPIRE_TIME: + time_t2str(princ->princ_expire_time, buf, buf_len, !condensed); + break; - time_t2str(princ->pw_expiration, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Password expires", buf); + case KADM5_PW_EXPIRATION: + time_t2str(princ->pw_expiration, buf, buf_len, !condensed); + break; - time_t2str(princ->last_pwd_change, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last password 
change", buf); - - deltat2str(princ->max_life, buf, sizeof(buf)); - printf("%24s: %s\n", "Max ticket life", buf); - - deltat2str(princ->max_renewable_life, buf, sizeof(buf)); - printf("%24s: %s\n", "Max renewable life", buf); - printf("%24s: %d\n", "Kvno", princ->kvno); - printf("%24s: %d\n", "Mkvno", princ->mkvno); - printf("%24s: %s\n", "Policy", princ->policy ? princ->policy : "none"); - time_t2str(princ->last_success, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last successful login", buf); - time_t2str(princ->last_failed, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last failed login", buf); - printf("%24s: %d\n", "Failed login count", princ->fail_auth_count); - time_t2str(princ->mod_date, buf, sizeof(buf), 1); - printf("%24s: %s\n", "Last modified", buf); - if(princ->mod_name != NULL) { - krb5_unparse_name_fixed(context, princ->mod_name, buf, sizeof(buf)); - printf("%24s: %s\n", "Modifier", buf); - } - attributes2str (princ->attributes, buf, sizeof(buf)); - printf("%24s: %s\n", "Attributes", buf); - - printf("%24s: ", "Keytypes(salttype[(salt-value)])"); - - krb5_get_pw_salt (context, princ->principal, &def_salt); - - for (i = 0; i < princ->n_key_data; ++i) { - krb5_key_data *k = &princ->key_data[i]; - krb5_error_code ret; - char *e_string, *s_string, *salt; - - ret = krb5_enctype_to_string (context, - k->key_data_type[0], - &e_string); - if (ret) - asprintf (&e_string, "unknown(%d)", k->key_data_type[0]); - - ret = krb5_salttype_to_string (context, - k->key_data_type[0], - k->key_data_type[1], - &s_string); - if (ret) - asprintf (&s_string, "unknown(%d)", k->key_data_type[1]); - - if (cmp_salt(&def_salt, k) == 0) - salt = strdup(""); - else if(k->key_data_length[1] == 0) - salt = strdup("()"); + case KADM5_LAST_PWD_CHANGE: + time_t2str(princ->last_pwd_change, buf, buf_len, !condensed); + break; + + case KADM5_MAX_LIFE: + deltat2str(princ->max_life, buf, buf_len); + break; + + case KADM5_MAX_RLIFE: + deltat2str(princ->max_renewable_life, buf, buf_len); + 
break; + + case KADM5_MOD_TIME: + time_t2str(princ->mod_date, buf, buf_len, !condensed); + break; + + case KADM5_MOD_NAME: + if (princ->mod_name == NULL) + strlcpy(buf, "unknown", buf_len); + else if(condensed) + krb5_unparse_name_fixed_short(context, princ->mod_name, buf, buf_len); + else + krb5_unparse_name_fixed(context, princ->mod_name, buf, buf_len); + break; + case KADM5_ATTRIBUTES: + attributes2str (princ->attributes, buf, buf_len); + break; + case KADM5_KVNO: + snprintf(buf, buf_len, "%d", princ->kvno); + break; + case KADM5_MKVNO: + snprintf(buf, buf_len, "%d", princ->mkvno); + break; + case KADM5_LAST_SUCCESS: + time_t2str(princ->last_success, buf, buf_len, !condensed); + break; + case KADM5_LAST_FAILED: + time_t2str(princ->last_failed, buf, buf_len, !condensed); + break; + case KADM5_FAIL_AUTH_COUNT: + snprintf(buf, buf_len, "%d", princ->fail_auth_count); + break; + case KADM5_POLICY: + if(princ->policy != NULL) + strlcpy(buf, princ->policy, buf_len); else - asprintf (&salt, "(%.*s)", k->key_data_length[1], - (char *)k->key_data_contents[1]); + strlcpy(buf, "none", buf_len); + break; + case KADM5_KEY_DATA:{ + krb5_salt def_salt; + int i; + char buf2[1024]; + krb5_get_pw_salt (context, princ->principal, &def_salt); + + *buf = '\0'; + for (i = 0; i < princ->n_key_data; ++i) { + format_keytype(&princ->key_data[i], &def_salt, buf2, sizeof(buf2)); + if(i > 0) + strlcat(buf, ", ", buf_len); + strlcat(buf, buf2, buf_len); + } + krb5_free_salt (context, def_salt); + break; + } + case KADM5_TL_DATA: { + krb5_tl_data *tl; + for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next) + if (tl->tl_data_type == subfield) + break; + if (tl == NULL) { + strlcpy(buf, "", buf_len); + break; + } + + switch (subfield) { + case KRB5_TL_PASSWORD: + snprintf(buf, buf_len, "\"%.*s\"", + (int)tl->tl_data_length, + (const char *)tl->tl_data_contents); + break; + case KRB5_TL_PKINIT_ACL: { + HDB_Ext_PKINIT_acl acl; + size_t size; + int i, ret; - printf ("%s%s(%s%s)", (i != 0) ? 
", " : "", e_string, s_string, salt); - free (e_string); - free (s_string); - free (salt); + ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents, + tl->tl_data_length, + &acl, + &size); + if (ret) { + snprintf(buf, buf_len, "failed to decode ACL"); + break; + } + + buf[0] = '\0'; + for (i = 0; i < acl.len; i++) { + strlcat(buf, "subject: ", buf_len); + strlcat(buf, acl.val[i].subject, buf_len); + if (acl.val[i].issuer) { + strlcat(buf, " issuer:", buf_len); + strlcat(buf, *acl.val[i].issuer, buf_len); + } + if (acl.val[i].anchor) { + strlcat(buf, " anchor:", buf_len); + strlcat(buf, *acl.val[i].anchor, buf_len); + } + if (i + 1 < acl.len) + strlcat(buf, ", ", buf_len); + } + free_HDB_Ext_PKINIT_acl(&acl); + break; + } + case KRB5_TL_ALIASES: { + HDB_Ext_Aliases alias; + size_t size; + int i, ret; + + ret = decode_HDB_Ext_Aliases(tl->tl_data_contents, + tl->tl_data_length, + &alias, + &size); + if (ret) { + snprintf(buf, buf_len, "failed to decode alias"); + break; + } + buf[0] = '\0'; + for (i = 0; i < alias.aliases.len; i++) { + char *p; + ret = krb5_unparse_name(context, &alias.aliases.val[i], &p); + if (ret) + break; + if (i < 0) + strlcat(buf, " ", buf_len); + strlcat(buf, p, buf_len); + free(p); + } + free_HDB_Ext_Aliases(&alias); + break; + } + default: + snprintf(buf, buf_len, "unknown type %d", subfield); + break; + } + break; + } + default: + strlcpy(buf, "<unknown>", buf_len); + break; } - krb5_free_salt (context, def_salt); - printf("\n\n"); +} + +static void +print_entry_short(struct get_entry_data *data, kadm5_principal_ent_t princ) +{ + char buf[1024]; + struct field_info *f; + + for(f = data->chead; f != NULL; f = f->next) { + format_field(princ, f->ff->fieldvalue, f->ff->subvalue, buf, sizeof(buf), 1); + rtbl_add_column_entry_by_id(data->table, f->ff->fieldvalue, buf); + } +} + +static void +print_entry_long(struct get_entry_data *data, kadm5_principal_ent_t princ) +{ + char buf[1024]; + struct field_info *f; + int width = 0; + + for(f = 
data->chead; f != NULL; f = f->next) {
+ int w = strlen(f->header ? f->header : f->ff->def_longheader);
+ if(w > width)
+ width = w;
+ }
+ for(f = data->chead; f != NULL; f = f->next) {
+ format_field(princ, f->ff->fieldvalue, f->ff->subvalue, buf, sizeof(buf), 0);
+ printf("%*s: %s\n", width, f->header ? f->header : f->ff->def_longheader, buf);
+ }
+ printf("\n");
 }
 static int
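Review bot: In the `KRB5_TL_ALIASES` case of `format_field`, `if (i < 0) strlcat(buf, " ", buf_len);` can never be true inside a loop that starts at 0, so the aliases are concatenated without any separator; the condition should be `if (i > 0)`. In `format_keytype` the `asprintf(&s, "unknown(%d)", ...)` fallbacks are unchecked, so on allocation failure `s` is indeterminate when passed to `strlcpy`/`strlcat`; check the return and substitute a constant string. The `password` column prints the `KRB5_TL_PASSWORD` extension verbatim, which appears to be the stored password in clear; a comment on that case, e.g. `/* Emits the stored cleartext password; never part of a default column set */`, would keep it from being added to a default column list by accident.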
@@ -207,84 +371,128 @@ do_get_entry(krb5_principal principal, void *data) memset(&princ, 0, sizeof(princ)); ret = kadm5_get_principal(kadm_handle, principal, &princ, - KADM5_PRINCIPAL_NORMAL_MASK|KADM5_KEY_DATA); + e->mask | e->extra_mask); if(ret) return ret; else { - if(e->header) { - (*e->header)(); - e->header = NULL; /* XXX only once */ - } - (e->format)(&princ); + (e->format)(e, &princ); kadm5_free_principal_ent(kadm_handle, &princ); } return 0; } +static void +free_columns(struct get_entry_data *data) +{ + struct field_info *f, *next; + for(f = data->chead; f != NULL; f = next) { + free(f->header); + next = f->next; + free(f); + } + data->chead = NULL; + data->ctail = &data->chead; +} + +static int +setup_columns(struct get_entry_data *data, const char *column_info) +{ + char buf[1024], *q; + char *field, *header; + struct field_name *f; + + while(strsep_copy(&column_info, ",", buf, sizeof(buf)) != -1) { + q = buf; + field = strsep(&q, "="); + header = strsep(&q, "="); + for(f = field_names; f->fieldname != NULL; f++) { + if(strcasecmp(field, f->fieldname) == 0) { + add_column(data, f, header); + break; + } + } + if(f->fieldname == NULL) { + krb5_warnx(context, "unknown field name \"%s\"", field); + free_columns(data); + return -1; + } + } + return 0; +} + +#define DEFAULT_COLUMNS_SHORT "principal,princ_expire_time,pw_expiration,last_pwd_change,max_life,max_rlife" +#define DEFAULT_COLUMNS_LONG "principal,princ_expire_time,pw_expiration,last_pwd_change,max_life,max_rlife,kvno,mkvno,last_success,last_failed,fail_auth_count,mod_time,mod_name,attributes,keytypes,pkinit-acl,aliases" +#define DEFAULT_COLUMNS_TERSE "principal=" + static int -getit(const char *name, int terse_flag, int argc, char **argv) +getit(struct get_options *opt, const char *name, int argc, char **argv) { int i; krb5_error_code ret; struct get_entry_data data; - struct getargs args[] = { - { "long", 'l', arg_flag, NULL, "long format" }, - { "short", 's', arg_flag, NULL, "short format" }, - { 
"terse", 't', arg_flag, NULL, "terse format" }, - }; - int num_args = sizeof(args) / sizeof(args[0]); - int optind = 0; - int long_flag = -1; - int short_flag = -1; - args[0].value = &long_flag; - args[1].value = &short_flag; - args[2].value = &terse_flag; - - if(getarg(args, num_args, argc, argv, &optind)) - goto usage; - if(optind == argc) - goto usage; - - if(long_flag == -1 && (short_flag == 1 || terse_flag == 1)) - long_flag = 0; - if(short_flag == -1 && (long_flag == 1 || terse_flag == 1)) - short_flag = 0; - if(terse_flag == -1 && (long_flag == 1 || short_flag == 1)) - terse_flag = 0; - if(long_flag == 0 && short_flag == 0 && terse_flag == 0) - short_flag = 1; - - if(long_flag) { - data.format = print_entry_long; - data.header = NULL; - } else if(short_flag){ - data.format = print_entry_short; - data.header = print_header_short; - } else if(terse_flag) { - data.format = print_entry_terse; - data.header = NULL; - } + if(opt->long_flag == -1 && (opt->short_flag == 1 || opt->terse_flag == 1)) + opt->long_flag = 0; + if(opt->short_flag == -1 && (opt->long_flag == 1 || opt->terse_flag == 1)) + opt->short_flag = 0; + if(opt->terse_flag == -1 && (opt->long_flag == 1 || opt->short_flag == 1)) + opt->terse_flag = 0; + if(opt->long_flag == 0 && opt->short_flag == 0 && opt->terse_flag == 0) + opt->short_flag = 1; - argc -= optind; - argv += optind; + data.table = NULL; + data.chead = NULL; + data.ctail = &data.chead; + data.mask = 0; + data.extra_mask = 0; + if(opt->short_flag || opt->terse_flag) { + data.table = rtbl_create(); + rtbl_set_separator(data.table, " "); + data.format = print_entry_short; + } else + data.format = print_entry_long; + if(opt->column_info_string == NULL) { + if(opt->long_flag) + ret = setup_columns(&data, DEFAULT_COLUMNS_LONG); + else if(opt->short_flag) + ret = setup_columns(&data, DEFAULT_COLUMNS_SHORT); + else { + ret = setup_columns(&data, DEFAULT_COLUMNS_TERSE); + rtbl_set_flags(data.table, RTBL_HEADER_STYLE_NONE); + } + } else + ret = 
setup_columns(&data, opt->column_info_string); + + if(ret != 0) { + if(data.table != NULL) + rtbl_destroy(data.table); + return 0; + } + for(i = 0; i < argc; i++) ret = foreach_principal(argv[i], do_get_entry, "get", &data); - return 0; -usage: - arg_printusage (args, num_args, name, "principal..."); - return 0; + + if(data.table != NULL) { + rtbl_format(data.table, stdout); + rtbl_destroy(data.table); + } + free_columns(&data); + return ret != 0; } int -get_entry(int argc, char **argv) +get_entry(struct get_options *opt, int argc, char **argv) { - return getit("get", 0, argc, argv); + return getit(opt, "get", argc, argv); } int -list_princs(int argc, char **argv) +list_princs(struct list_options *opt, int argc, char **argv) { - return getit("list", 1, argc, argv); + if(sizeof(struct get_options) != sizeof(struct list_options)) { + krb5_warnx(context, "programmer error: sizeof(struct get_options) != sizeof(struct list_options)"); + return 0; + } + return getit((struct get_options*)opt, "list", argc, argv); } diff --git a/crypto/heimdal/kadmin/init.c b/crypto/heimdal/kadmin/init.c index 587458b..8b512f9 100644 --- a/crypto/heimdal/kadmin/init.c +++ b/crypto/heimdal/kadmin/init.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
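Review bot: `list_princs` reinterprets a `struct list_options *` as `struct get_options *` guarded only by a `sizeof` comparison; equal size does not imply the same member order or types, so the cast is only safe if the two structs are generated identically (not visible here) — a comment stating that invariant, e.g. `/* list_options must be layout-identical to get_options; both are generated from kadmin-commands.in */`, or copying the three flags and the column string explicitly, would make the assumption checkable. In `getit`, `ret = foreach_principal(...)` in the loop is overwritten per principal so only the last principal's result reaches `return ret != 0`, and the `setup_columns` failure path returns 0 after a warning; del.c and ext.c in this change break on the first error and return 1. `setup_columns` also discards the ENOMEM returned by `add_column`.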
@@ -32,21 +32,34 @@
 */
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
 #include <kadm5/private.h>
-RCSID("$Id: init.c,v 1.29 2002/12/03 14:08:17 joda Exp $");
+RCSID("$Id: init.c 17447 2006-05-05 10:52:01Z lha $");
 static kadm5_ret_t
 create_random_entry(krb5_principal princ,
 unsigned max_life,
 unsigned max_rlife,
- u_int32_t attributes)
+ uint32_t attributes)
 {
 kadm5_principal_ent_rec ent;
 kadm5_ret_t ret;
 int mask = 0;
 krb5_keyblock *keys;
 int n_keys, i;
+ char *name;
+ const char *password;
+ char pwbuf[512];
+
+ random_password(pwbuf, sizeof(pwbuf));
+ password = pwbuf;
+
+ ret = krb5_unparse_name(context, princ, &name);
+ if (ret) {
+ krb5_warn(context, ret, "failed to unparse principal name");
+ return ret;
+ }
 memset(&ent, 0, sizeof(ent));
 ent.principal = princ;
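Review bot: `pwbuf[512]` receives the random password used as the initial principal password, and nothing in `create_random_entry` clears it before returning (the `out:` path in the following hunk only frees `name`); since `kadm5_randkey_principal` supersedes it immediately the exposure is small, but a wipe before each return would close it, and it must be one the compiler cannot drop as a dead store — a plain `memset` right before `return` may be eliminated. In the following hunk the warning after `kadm5_create_principal` says `randkey failed` although that call is the create, and the one after `kadm5_randkey_principal` has `create_random_entry*%s)` with `*` where `(` was meant. The body of create_random_entry continues past this hunk.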
@@ -62,93 +75,85 @@ create_random_entry(krb5_principal princ, ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX; mask |= KADM5_ATTRIBUTES; - ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig"); - if(ret) - return ret; + /* Create the entry with a random password */ + ret = kadm5_create_principal(kadm_handle, &ent, mask, password); + if(ret) { + krb5_warn(context, ret, "create_random_entry(%s): randkey failed", + name); + goto out; + } + + /* Replace the string2key based keys with real random bytes */ ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys); - if(ret) - return ret; + if(ret) { + krb5_warn(context, ret, "create_random_entry*%s): randkey failed", + name); + goto out; + } for(i = 0; i < n_keys; i++) krb5_free_keyblock_contents(context, &keys[i]); free(keys); ret = kadm5_get_principal(kadm_handle, princ, &ent, KADM5_PRINCIPAL | KADM5_ATTRIBUTES); - if(ret) - return ret; + if(ret) { + krb5_warn(context, ret, "create_random_entry(%s): " + "unable to get principal", name); + goto out; + } ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); ent.kvno = 1; ret = kadm5_modify_principal(kadm_handle, &ent, KADM5_ATTRIBUTES|KADM5_KVNO); kadm5_free_principal_ent (kadm_handle, &ent); - if(ret) - return ret; - return 0; + if(ret) { + krb5_warn(context, ret, "create_random_entry(%s): " + "unable to modify principal", name); + goto out; + } + out: + free(name); + return ret; } -static struct getargs args[] = { - { "realm-max-ticket-life", 0, arg_string, NULL, - "realm max ticket lifetime" }, - { "realm-max-renewable-life", 0, arg_string, NULL, - "realm max renewable lifetime" }, - { "help", 'h', arg_flag, NULL }, -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(void) -{ - arg_printusage (args, num_args, "init", "realm..."); -} +extern int local_flag; int -init(int argc, char **argv) +init(struct init_options *opt, int argc, char **argv) { kadm5_ret_t ret; int i; - char *realm_max_life = NULL; - char 
*realm_max_rlife = NULL; - int help_flag = 0; HDB *db; - int optind = 0; krb5_deltat max_life, max_rlife; - args[0].value = &realm_max_life; - args[1].value = &realm_max_rlife; - args[2].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind) || help_flag) { - usage(); - return 0; - } - - if(argc - optind < 1) { - usage(); + if(!local_flag) { + krb5_warnx(context, "init is only available in local (-l) mode"); return 0; } - if (realm_max_life) { - if (str2deltat (realm_max_life, &max_life) != 0) { - krb5_warnx (context, "unable to parse `%s'", realm_max_life); + if (opt->realm_max_ticket_life_string) { + if (str2deltat (opt->realm_max_ticket_life_string, &max_life) != 0) { + krb5_warnx (context, "unable to parse \"%s\"", + opt->realm_max_ticket_life_string); return 0; } } - if (realm_max_rlife) { - if (str2deltat (realm_max_rlife, &max_rlife) != 0) { - krb5_warnx (context, "unable to parse `%s'", realm_max_rlife); + if (opt->realm_max_renewable_life_string) { + if (str2deltat (opt->realm_max_renewable_life_string, &max_rlife) != 0) { + krb5_warnx (context, "unable to parse \"%s\"", + opt->realm_max_renewable_life_string); return 0; } } db = _kadm5_s_get_db(kadm_handle); - ret = db->open(context, db, O_RDWR | O_CREAT, 0600); + ret = db->hdb_open(context, db, O_RDWR | O_CREAT, 0600); if(ret){ krb5_warn(context, ret, "hdb_open"); return 0; } - db->close(context, db); - for(i = optind; i < argc; i++){ + db->hdb_close(context, db); + for(i = 0; i < argc; i++){ krb5_principal princ; const char *realm = argv[i]; 
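Review bot: The warning emitted when kadm5_create_principal() fails says "randkey failed", and the warning after kadm5_randkey_principal() has a typo in the function name (`create_random_entry*%s)`), so a failing init will point the operator at the wrong call. Suggested: `krb5_warn(context, ret, "create_random_entry(%s): create failed", name);` for the first and `"create_random_entry(%s): randkey failed"` for the second. Separately, `extern int local_flag;` is declared directly in init.c rather than in the shared header, so the definition in kadmin.c is never type-checked against this use; declaring it in kadmin_locl.h would be safer. create_random_entry() starts before this hunk and init() continues past it.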
@@ -157,14 +162,14 @@ init(int argc, char **argv) KRB5_TGS_NAME, realm, NULL); if(ret) return 0; - if (realm_max_life == NULL) { + if (opt->realm_max_ticket_life_string == NULL) { max_life = 0; if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) { krb5_free_principal(context, princ); return 0; } } - if (realm_max_rlife == NULL) { + if (opt->realm_max_renewable_life_string == NULL) { max_rlife = 0; if(edit_deltat("Realm max renewable ticket life", &max_rlife, NULL, 0)) { @@ -178,11 +183,16 @@ init(int argc, char **argv) /* Create `kadmin/changepw' */ krb5_make_principal(context, &princ, realm, "kadmin", "changepw", NULL); + /* + * The Windows XP (at least) password changing protocol + * request the `kadmin/changepw' ticket with `renewable_ok, + * renewable, forwardable' and so fails if we disallow + * forwardable here. + */ create_random_entry(princ, 5*60, 5*60, KRB5_KDB_DISALLOW_TGT_BASED| KRB5_KDB_PWCHANGE_SERVICE| KRB5_KDB_DISALLOW_POSTDATED| - KRB5_KDB_DISALLOW_FORWARDABLE| KRB5_KDB_DISALLOW_RENEWABLE| KRB5_KDB_DISALLOW_PROXIABLE| KRB5_KDB_REQUIRES_PRE_AUTH); diff --git a/crypto/heimdal/kadmin/kadm_conn.c b/crypto/heimdal/kadmin/kadm_conn.c index ae44c43..f2a0828 100644 --- a/crypto/heimdal/kadmin/kadm_conn.c +++ b/crypto/heimdal/kadmin/kadm_conn.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -36,7 +36,7 @@ #include <sys/wait.h> #endif -RCSID("$Id: kadm_conn.c,v 1.14 2002/10/21 13:21:24 joda Exp $"); +RCSID("$Id: kadm_conn.c 16007 2005-09-01 18:49:57Z lha $"); struct kadm_port { char *port; 
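Review bot: The new comment above the `kadmin/changepw` entry explains why KRB5_KDB_DISALLOW_FORWARDABLE is dropped but not why doing so is acceptable, which is what anyone auditing this flag set will want to know. The entry still carries KRB5_KDB_DISALLOW_TGT_BASED and a five-minute lifetime, which appears to bound what a forwardable ticket for this service can be used for; if that reasoning is confirmed, extend the comment with something like `/* DISALLOW_TGT_BASED and the 5 minute lifetime still apply, so the ticket can only be obtained with initial credentials. */`. init() starts and ends outside this hunk.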
@@ -62,16 +62,10 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port) kadm_ports = p; } -extern int do_kerberos4; - static void add_standard_ports (krb5_context context) { add_kadm_port(context, "kerberos-adm", 749); -#ifdef KRB4 - if(do_kerberos4) - add_kadm_port(context, "kerberos-master", 751); -#endif } /* @@ -261,17 +255,15 @@ start_server(krb5_context context) } socks = tmp; for(ap = ai; ap; ap = ap->ai_next) { - int one = 1; int s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol); if(s < 0) { krb5_warn(context, errno, "socket"); continue; } -#if defined(SO_REUSEADDR) && defined(HAVE_SETSOCKOPT) - if(setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&one, - sizeof(one)) < 0) - krb5_warn(context, errno, "setsockopt"); -#endif + + socket_set_reuseaddr(s, 1); + socket_set_ipv6only(s, 1); + if (bind (s, ap->ai_addr, ap->ai_addrlen) < 0) { krb5_warn(context, errno, "bind"); close(s); diff --git a/crypto/heimdal/kadmin/kadmin-commands.in b/crypto/heimdal/kadmin/kadmin-commands.in new file mode 100644 index 0000000..019b99c --- /dev/null +++ b/crypto/heimdal/kadmin/kadmin-commands.in 
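Review bot: The replacement calls `socket_set_reuseaddr(s, 1)` and `socket_set_ipv6only(s, 1)` discard their results, whereas the removed code warned when setsockopt() failed, so a listener that silently loses SO_REUSEADDR (and then fails to bind on restart) becomes harder to diagnose. If these helpers return the setsockopt() status, keep the old diagnostic: `if (socket_set_reuseaddr(s, 1) < 0) krb5_warn(context, errno, "setsockopt(SO_REUSEADDR)");`. socket_set_ipv6only() is also applied to every address family; presumably the helper is a no-op for non-AF_INET6 sockets, but that is worth confirming. start_server() starts and ends outside this hunk.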
@@ -0,0 +1,420 @@ +/* + * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ +/* $Id: kadmin-commands.in 21969 2007-10-18 18:51:11Z lha $ */ + +command = { + name = "stash" + name = "kstash" + option = { + long = "enctype" + short = "e" + type = "string" + help = "encryption type" + default = "des3-cbc-sha1" + } + option = { + long = "key-file" + short = "k" + type = "string" + argument = "file" + help = "master key file" + } + option = { + long = "convert-file" + type = "flag" + help = "just convert keyfile to new format" + } + option = { + long = "master-key-fd" + type = "integer" + argument = "fd" + help = "filedescriptor to read passphrase from" + default = "-1" + } + help = "Writes the Kerberos master key to a file used by the KDC. \nLocal (-l) mode only." +} +command = { + name = "dump" + option = { + long = "decrypt" + short = "d" + type = "flag" + help = "decrypt keys" + } + argument = "[dump-file]" + min_args = "0" + max_args = "1" + help = "Dumps the database in a human readable format to the specified file, \nor the standard out. Local (-l) mode only." +} + +command = { + name = "init" + option = { + long = "realm-max-ticket-life" + type = "string" + help = "realm max ticket lifetime" + } + option = { + long = "realm-max-renewable-life" + type = "string" + help = "realm max renewable lifetime" + } + argument = "realm..." + min_args = "1" + help = "Initializes the default principals for a realm. Creates the database\nif necessary. Local (-l) mode only." +} +command = { + name = "load" + argument = "file" + min_args = "1" + max_args = "1" + help = "Loads a previously dumped file. Local (-l) mode only." +} +command = { + name = "merge" + argument = "file" + min_args = "1" + max_args = "1" + help = "Merges the contents of a dump file into the database. Local (-l) mode only." 
+} +command = { + name = "add" + name = "ank" + name = "add_new_key" + function = "add_new_key" + option = { + long = "random-key" + short = "r" + type = "flag" + help = "set random key" + } + option = { + long = "random-password" + type = "flag" + help = "set random password" + } + option = { + long = "password" + short = "p" + type = "string" + help = "principal's password" + } + option = { + long = "key" + type = "string" + help = "DES-key in hex" + } + option = { + long = "max-ticket-life" + type = "string" + argument ="lifetime" + help = "max ticket lifetime" + } + option = { + long = "max-renewable-life" + type = "string" + argument = "lifetime" + help = "max renewable life" + } + option = { + long = "attributes" + type = "string" + argument = "attributes" + help = "principal attributes" + } + option = { + long = "expiration-time" + type = "string" + argument = "time" + help = "principal expiration time" + } + option = { + long = "pw-expiration-time" + type = "string" + argument = "time" + help = "password expiration time" + } + option = { + long = "use-defaults" + type = "flag" + help = "use default values" + } + argument = "principal..." + min_args = "1" + help = "Adds a principal to the database." +} +command = { + name = "passwd" + name = "cpw" + name = "change_password" + function = "cpw_entry" + option = { + long = "random-key" + short = "r" + type = "flag" + help = "set random key" + } + option = { + long = "random-password" + type = "flag" + help = "set random password" + } + option = { + long = "password" + short = "p" + type = "string" + help = "princial's password" + } + option = { + long = "key" + type = "string" + help = "DES key in hex" + } + argument = "principal..." + min_args = "1" + help = "Changes the password of one or more principals matching the expressions." +} +command = { + name = "delete" + name = "del" + name = "del_entry" + function = "del_entry" + argument = "principal..." 
+ min_args = "1" + help = "Deletes all principals matching the expressions." +} +command = { + name = "del_enctype" + argument = "principal enctype..." + min_args = "2" + help = "Delete all the mentioned enctypes for principal." +} +command = { + name = "add_enctype" + option = { + long = "random-key" + short = "r" + type = "flag" + help = "set random key" + } + argument = "principal enctype..." + min_args = "2" + help = "Add new enctypes for principal." +} +command = { + name = "ext_keytab" + option = { + long = "keytab" + short = "k" + type = "string" + help = "keytab to use" + } + argument = "principal..." + min_args = "1" + help = "Extracts the keys of all principals matching the expressions, and stores them in a keytab." +} +command = { + name = "get" + name = "get_entry" + function = "get_entry" + /* XXX sync options with "list" */ + option = { + long = "long" + short = "l" + type = "flag" + help = "long format" + default = "-1" + } + option = { + long = "short" + short = "s" + type = "flag" + help = "short format" + } + option = { + long = "terse" + short = "t" + type = "flag" + help = "terse format" + } + option = { + long = "column-info" + short = "o" + type = "string" + help = "columns to print for short output" + } + argument = "principal..." + min_args = "1" + help = "Shows information about principals matching the expressions." +} +command = { + name = "rename" + function = "rename_entry" + argument = "from to" + min_args = "2" + max_args = "2" + help = "Renames a principal." 
+} +command = { + name = "modify" + function = "mod_entry" + option = { + long = "max-ticket-life" + type = "string" + argument ="lifetime" + help = "max ticket lifetime" + } + option = { + long = "max-renewable-life" + type = "string" + argument = "lifetime" + help = "max renewable life" + } + option = { + long = "attributes" + short = "a" + type = "string" + argument = "attributes" + help = "principal attributes" + } + option = { + long = "expiration-time" + type = "string" + argument = "time" + help = "principal expiration time" + } + option = { + long = "pw-expiration-time" + type = "string" + argument = "time" + help = "password expiration time" + } + option = { + long = "kvno" + type = "integer" + help = "key version number" + default = "-1" + } + option = { + long = "constrained-delegation" + type = "strings" + argument = "principal" + help = "allowed target principals" + } + option = { + long = "alias" + type = "strings" + argument = "principal" + help = "aliases" + } + option = { + long = "pkinit-acl" + type = "strings" + argument = "subject dn" + help = "aliases" + } + argument = "principal" + min_args = "1" + max_args = "1" + help = "Modifies some attributes of the specified principal." +} +command = { + name = "privileges" + name = "privs" + function = "get_privs" + help = "Shows which operations you are allowed to perform." +} +command = { + name = "list" + function = "list_princs" + /* XXX sync options with "get" */ + option = { + long = "long" + short = "l" + type = "flag" + help = "long format" + } + option = { + long = "short" + short = "s" + type = "flag" + help = "short format" + } + option = { + long = "terse" + short = "t" + type = "flag" + help = "terse format" + default = "-1" + } + option = { + long = "column-info" + short = "o" + type = "string" + help = "columns to print for short output" + } + argument = "principal..." + min_args = "1" + help = "Lists principals in a terse format. Equivalent to \"get -t\"." 
+} +command = { + name = "verify-password-quality" + name = "pwq" + function = "password_quality" + argument = "principal password" + min_args = "2" + max_args = "2" + help = "Try run the password quality function locally (not doing RPC out to server)." +} +command = { + name = "check" + function = "check" + argument = "[realm]" + min_args = "0" + max_args = "1" + help = "Check the realm (if not given, the default realm) for configuration errors." +} +command = { + name = "help" + name = "?" + argument = "[command]" + min_args = "0" + max_args = "1" + help = "Help! I need somebody." +} +command = { + name = "exit" + name = "quit" + function = "exit_kadmin" + help = "Quits." +} diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8 index cf7ebe8..06fe3d0 100644 --- a/crypto/heimdal/kadmin/kadmin.8 +++ b/crypto/heimdal/kadmin/kadmin.8 
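Review bot: The help text for the new `pkinit-acl` option of `modify` reads "aliases", copied from the `alias` option just above it, so the generated usage for `modify` will describe the PKINIT ACL incorrectly; it should read something like `help = "pkinit acl entries"`. In the same file, the `passwd` command's `--password` help has a typo (`princial's password`). Since this file is the source of the user-visible usage text, both are worth fixing before the generated header is regenerated.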
@@ -1,37 +1,37 @@ -.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $Id: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $ +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.Dd September 10, 2000 +.\" $Id: kadmin.8 21739 2007-07-31 15:55:32Z lha $ +.\" +.Dd Feb 22, 2007 .Dt KADMIN 8 .Os HEIMDAL .Sh NAME @@ -39,6 +39,7 @@ .Nd Kerberos administration utility .Sh SYNOPSIS .Nm +.Bk -words .Oo Fl p Ar string \*(Ba Xo .Fl -principal= Ns Ar string .Xc 
@@ -71,6 +72,7 @@ .Op Fl h | Fl -help .Op Fl v | Fl -version .Op Ar command +.Ek .Sh DESCRIPTION The .Nm @@ -128,7 +130,18 @@ If no .Ar command is given on the command line, .Nm -will prompt for commands to process. Commands include: +will prompt for commands to process. Some of the commands that take +one or more principals as argument +.Ns ( Nm delete , +.Nm ext_keytab , +.Nm get , +.Nm modify , +and +.Nm passwd ) +will accept a glob style wildcard, and perform the operation on all +matching principals. +.Pp +Commands include: .\" not using a list here, since groff apparently gets confused .\" with nested Xo/Xc .Bd -ragged -offset indent @@ -148,36 +161,33 @@ will prompt for commands to process. Commands include: .Ar principal... .Pp .Bd -ragged -offset indent -creates a new principal +Adds a new principal to the database. The options not passed on the +command line will be promped for. .Ed .Pp -.Nm passwd +.Nm add_enctype .Op Fl r | Fl -random-key -.Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc -.Op Fl -key= Ns Ar string -.Ar principal... +.Ar principal enctypes... .Pp .Bd -ragged -offset indent -changes the password of an existing principal +Adds a new encryption type to the principal, only random key are +supported. .Ed .Pp .Nm delete .Ar principal... .Pp .Bd -ragged -offset indent -removes a principal +Removes a principal. .Ed .Pp .Nm del_enctype .Ar principal enctypes... .Pp .Bd -ragged -offset indent -removes some enctypes from a principal. This can be useful the service -belonging to the principal is known to not handle certain enctypes +Removes some enctypes from a principal; this can be useful if the +service belonging to the principal is known to not handle certain +enctypes. .Ed .Pp .Nm ext_keytab 
@@ -188,26 +198,49 @@ belonging to the principal is known to not handle certain enctypes .Ar principal... .Pp .Bd -ragged -offset indent -creates a keytab with the keys of the specified principals +Creates a keytab with the keys of the specified principals. .Ed .Pp .Nm get .Op Fl l | Fl -long .Op Fl s | Fl -short .Op Fl t | Fl -terse -.Ar expression... +.Op Fl o Ar string | Fl -column-info= Ns Ar string +.Ar principal... .Pp .Bd -ragged -offset indent -lists the principals that match the expressions (which are shell glob -like), long format gives more information, and terse just prints the -names -.Ed +Lists the matching principals, short prints the result as a table, +while long format produces a more verbose output. Which columns to +print can be selected with the +.Fl o +option. The argument is a comma separated list of column names +optionally appended with an equal sign +.Pq Sq = +and a column header. Which columns are printed by default differ +slightly between short and long output. .Pp -.Nm rename -.Ar from to +The default terse output format is similar to +.Fl s o Ar principal= , +just printing the names of matched principals. .Pp -.Bd -ragged -offset indent -renames a principal +Possible column names include: +.Li principal , +.Li princ_expire_time , +.Li pw_expiration , +.Li last_pwd_change , +.Li max_life , +.Li max_rlife , +.Li mod_time , +.Li mod_name , +.Li attributes , +.Li kvno , +.Li mkvno , +.Li last_success , +.Li last_failed , +.Li fail_auth_count , +.Li policy , +and +.Li keytypes . .Ed .Pp .Nm modify 
@@ -220,16 +253,91 @@ renames a principal .Op Fl -expiration-time= Ns Ar time .Op Fl -pw-expiration-time= Ns Ar time .Op Fl -kvno= Ns Ar number +.Ar principal... +.Pp +.Bd -ragged -offset indent +Modifies certain attributes of a principal. If run without command +line options, you will be prompted. With command line options, it will +only change the ones specified. +.Pp +Possible attributes are: +.Li new-princ , +.Li support-desmd5 , +.Li pwchange-service , +.Li disallow-svr , +.Li requires-pw-change , +.Li requires-hw-auth , +.Li requires-pre-auth , +.Li disallow-all-tix , +.Li disallow-dup-skey , +.Li disallow-proxiable , +.Li disallow-renewable , +.Li disallow-tgt-based , +.Li disallow-forwardable , +.Li disallow-postdated +.Pp +Attributes may be negated with a "-", e.g., +.Pp +kadmin -l modify -a -disallow-proxiable user +.Ed +.Pp +.Nm passwd +.Op Fl r | Fl -random-key +.Op Fl -random-password +.Oo Fl p Ar string \*(Ba Xo +.Fl -password= Ns Ar string +.Xc +.Oc +.Op Fl -key= Ns Ar string +.Ar principal... +.Pp +.Bd -ragged -offset indent +Changes the password of an existing principal. +.Ed +.Pp +.Nm password-quality .Ar principal +.Ar password .Pp .Bd -ragged -offset indent -modifies certain attributes of a principal +Run the password quality check function locally. +You can run this on the host that is configured to run the kadmind +process to verify that your configuration file is correct. +The verification is done locally, if kadmin is run in remote mode, +no rpc call is done to the server. .Ed .Pp .Nm privileges .Pp .Bd -ragged -offset indent -lists the operations you are allowed to perform +Lists the operations you are allowed to perform. These include +.Li add , +.Li add_enctype , +.Li change-password , +.Li delete , +.Li del_enctype , +.Li get , +.Li list , +and +.Li modify . +.Ed +.Pp +.Nm rename +.Ar from to +.Pp +.Bd -ragged -offset indent +Renames a principal. 
This is normally transparent, but since keys are +salted with the principal name, they will have a non-standard salt, +and clients which are unable to cope with this will fail. Kerberos 4 +suffers from this. +.Ed +.Pp +.Nm check +.Op Ar realm +.Pp +.Bd -ragged -offset indent +Check database for strange configurations on important principals. If +no realm is given, the default realm is used. .Ed .Pp .Ed @@ -241,9 +349,12 @@ When running in local mode, the following commands can also be used: .Op Ar dump-file .Pp .Bd -ragged -offset indent -writes the database in +Writes the database in .Dq human readable -form to the specified file, or standard out +form to the specified file, or standard out. If the database is +encrypted, the dump will also have encrypted keys, unless +.Fl -decrypt +is used. .Ed .Pp .Nm init @@ -252,24 +363,41 @@ form to the specified file, or standard out .Ar realm .Pp .Bd -ragged -offset indent -initializes the Kerberos database with entries for a new realm. It's -possible to have more than one realm served by one server +Initializes the Kerberos database with entries for a new realm. It's +possible to have more than one realm served by one server. .Ed .Pp .Nm load .Ar file .Pp .Bd -ragged -offset indent -reads a previously dumped database, and re-creates that database from scratch +Reads a previously dumped database, and re-creates that database from +scratch. .Ed .Pp .Nm merge .Ar file .Pp .Bd -ragged -offset indent -similar to -.Nm list -but just modifies the database with the entries in the dump file +Similar to +.Nm load +but just modifies the database with the entries in the dump file. +.Ed +.Pp +.Nm stash +.Oo Fl e Ar enctype \*(Ba Xo +.Fl -enctype= Ns Ar enctype +.Xc +.Oc +.Oo Fl k Ar keyfile \*(Ba Xo +.Fl -key-file= Ns Ar keyfile +.Xc +.Oc +.Op Fl -convert-file +.Op Fl -master-key-fd= Ns Ar fd +.Pp +.Bd -ragged -offset indent +Writes the Kerberos master key to a file used by the KDC. .Ed .Pp .Ed 
diff --git a/crypto/heimdal/kadmin/kadmin.c b/crypto/heimdal/kadmin/kadmin.c index 9438587..da9b894 100644 --- a/crypto/heimdal/kadmin/kadmin.c +++ b/crypto/heimdal/kadmin/kadmin.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,13 +32,15 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" #include <sl.h> -RCSID("$Id: kadmin.c,v 1.42 2003/03/31 10:20:19 lha Exp $"); +RCSID("$Id: kadmin.c 22253 2007-12-09 06:00:00Z lha $"); static char *config_file; static char *keyfile; -static int local_flag; +int local_flag; +static int ad_flag; static int help_flag; static int version_flag; static char *realm; @@ -46,6 +48,9 @@ static char *admin_server; static int server_port = 0; static char *client_name; static char *keytab; +static char *check_library = NULL; +static char *check_function = NULL; +static getarg_strings policy_libraries = { 0, NULL }; static struct getargs args[] = { { "principal", 'p', arg_string, &client_name, @@ -72,6 +77,15 @@ static struct getargs args[] = { "server-port", 's', arg_integer, &server_port, "port to use", "port number" }, + { "ad", 0, arg_flag, &ad_flag, "active directory admin mode" }, +#ifdef HAVE_DLOPEN + { "check-library", 0, arg_string, &check_library, + "library to load password check function from", "library" }, + { "check-function", 0, arg_string, &check_function, + "password check function to load", "function" }, + { "policy-libraries", 0, arg_strings, &policy_libraries, + "password check function to load", "function" }, +#endif { "local", 'l', arg_flag, &local_flag, "local admin mode" }, { "help", 'h', arg_flag, &help_flag }, { "version", 'v', arg_flag, &version_flag } 
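Review bot: The new `policy-libraries` getargs entry reuses the help strings of `check-function` ("password check function to load", "function"), so `kadmin --help` will describe a list of libraries as a single function; suggested `{ "policy-libraries", 0, arg_strings, &policy_libraries, "password policy libraries to load", "library" },`. The `--ad` entry's help "active directory admin mode" could also mention that it requires `-p`/`--principal`, since main() (in a later hunk) refuses to start in that mode without a client name.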
@@ -79,100 +93,24 @@ static struct getargs args[] = { static int num_args = sizeof(args) / sizeof(args[0]); -static SL_cmd commands[] = { - /* commands that are only available with `-l' */ - { - "dump", dump, "dump [file]", - "Dumps the database in a human readable format to the\n" - "specified file, or the standard out." - }, - { - "load", load, "load file", - "Loads a previously dumped file." - }, - { - "merge", merge, "merge file" , - "Merges the contents of a dump file into the database." - }, - { - "init", init, "init realm...", - "Initializes the default principals for a realm.\n" - "Creates the database if necessary." - }, - /* common commands */ - { - "add", add_new_key, "add principal" , - "Adds a principal to the database." - }, - { "add_new_key"}, - { "ank"}, - { - "passwd", cpw_entry, "passwd expression..." , - "Changes the password of one or more principals\n" - "matching the expressions." - }, - { "change_password"}, - { "cpw"}, - { - "delete", del_entry, "delete expression...", - "Deletes all principals matching the expressions." - }, - { "del_entry" }, - { "del" }, - { - "del_enctype", del_enctype, "del_enctype principal enctype...", - "Delete all the mentioned enctypes for principal." - }, - { - "ext_keytab", ext_keytab, "ext_keytab expression...", - "Extracts the keys of all principals matching the expressions,\n" - "and stores them in a keytab." - }, - { - "get", get_entry, "get expression...", - "Shows information about principals matching the expressions." - }, - { "get_entry" }, - { - "rename", rename_entry, "rename source target", - "Renames `source' to `target'." - }, - { - "modify", mod_entry, "modify principal", - "Modifies some attributes of the specified principal." - }, - { - "privileges", get_privs, "privileges", - "Shows which kinds of operations you are allowed to perform." - }, - { "privs" }, - { - "list", list_princs, "list expression...", - "Lists principals in a terse format. The same as `get -t'." 
- }, - { "help", help, "help"}, - { "?"}, - { "exit", exit_kadmin, "exit"}, - { "quit" }, - { NULL} -}; krb5_context context; void *kadm_handle; -static SL_cmd *actual_cmds; - int -help(int argc, char **argv) +help(void *opt, int argc, char **argv) { - sl_help(actual_cmds, argc, argv); + sl_slc_help(commands, argc, argv); return 0; } +static int exit_seen = 0; + int -exit_kadmin (int argc, char **argv) +exit_kadmin (void *opt, int argc, char **argv) { - return 1; + exit_seen = 1; + return 0; } static void @@ -183,30 +121,12 @@ usage(int ret) } int -get_privs(int argc, char **argv) +get_privs(void *opt, int argc, char **argv) { - u_int32_t privs; + uint32_t privs; char str[128]; kadm5_ret_t ret; - int help_flag = 0; - struct getargs args[] = { - { "help", 'h', arg_flag, NULL } - }; - int num_args = sizeof(args) / sizeof(args[0]); - int optind = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - arg_printusage (args, num_args, "privileges", NULL); - return 0; - } - if(help_flag) { - arg_printusage (args, num_args, "privileges", NULL); - return 0; - } - ret = kadm5_get_privs(kadm_handle, &privs); if(ret) krb5_warn(context, ret, "kadm5_get_privs"); @@ -221,9 +141,10 @@ int main(int argc, char **argv) { krb5_error_code ret; - krb5_config_section *cf = NULL; + char **files; kadm5_config_params conf; - int optind = 0; + int optidx = 0; + int exit_status = 0; setprogname(argv[0]); @@ -231,7 +152,7 @@ main(int argc, char **argv) if (ret) errx (1, "krb5_init_context failed: %d", ret); - if(getarg(args, num_args, argc, argv, &optind)) + if(getarg(args, num_args, argc, argv, &optidx)) usage(1); if (help_flag) 
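Review bot: `exit_seen` is a new file-scope flag with no comment saying who reads it; exit_kadmin() used to signal termination through its return value (`return 1`) and now returns 0 like every other command, so a reader cannot tell from this hunk how the command loop stops. Presumably main() (outside this hunk) checks it after each command; a comment such as `/* set by exit_kadmin(); the command loop in main() stops once this is non-zero */` above the definition would make the contract explicit. The `opt` parameter of help() and exit_kadmin() is unused, which the generated dispatch table presumably requires; a `(void)opt;` or a short comment would show that is intentional.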
@@ -242,20 +163,24 @@ main(int argc, char **argv)
 exit(0);
 }
- argc -= optind;
- argv += optind;
-
- if (config_file == NULL)
- config_file = HDB_DB_DIR "/kdc.conf";
+ argc -= optidx;
+ argv += optidx;
- if(krb5_config_parse_file(context, config_file, &cf) == 0) {
- const char *p = krb5_config_get_string (context, cf,
- "kdc", "key-file", NULL);
- if (p)
- keyfile = strdup(p);
+ if (config_file == NULL) {
+ asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+ if (config_file == NULL)
+ errx(1, "out of memory");
 }
- krb5_clear_error_string (context);
+ ret = krb5_prepend_config_files_default(config_file, &files);
+ if (ret)
+ krb5_err(context, 1, ret, "getting configuration files");
+
+ ret = krb5_set_config_files(context, files);
+ krb5_free_config_files(files);
+ if(ret)
+ krb5_err(context, 1, ret, "reading configuration files");
+
 memset(&conf, 0, sizeof(conf));
 if(realm) {
 krb5_set_default_realm(context, realm); /* XXX should be fixed
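Review bot: The allocation-failure test after `asprintf(&config_file, ...)` looks at the pointer rather than the return value, and asprintf only guarantees a -1 return on failure — on glibc the pointer is then unspecified — so an out-of-memory condition can slip past into `krb5_prepend_config_files_default`. Test the return as well: `if (asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)) == -1 || config_file == NULL)` covers both the glibc and the BSD behaviour. The same pattern is added to kadmind.c's main in this commit (hunk `@@ -126,29 +113,51 @@`). main's body starts before and continues after this hunk.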
@@ -274,31 +199,58 @@ main(int argc, char **argv) conf.mask |= KADM5_CONFIG_KADMIND_PORT; } - if(local_flag){ + if (keyfile) { + conf.stash_file = keyfile; + conf.mask |= KADM5_CONFIG_STASH_FILE; + } + + if(local_flag) { + int i; + + kadm5_setup_passwd_quality_check (context, + check_library, check_function); + + for (i = 0; i < policy_libraries.num_strings; i++) { + ret = kadm5_add_passwd_quality_verifier(context, + policy_libraries.strings[i]); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + } + ret = kadm5_add_passwd_quality_verifier(context, NULL); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + ret = kadm5_s_init_with_password_ctx(context, KADM5_ADMIN_SERVICE, NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); - actual_cmds = commands; + } else if (ad_flag) { + if (client_name == NULL) + krb5_errx(context, 1, "keytab mode require principal name"); + ret = kadm5_ad_init_with_password_ctx(context, + client_name, + NULL, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, + &kadm_handle); } else if (keytab) { + if (client_name == NULL) + krb5_errx(context, 1, "keytab mode require principal name"); ret = kadm5_c_init_with_skey_ctx(context, client_name, keytab, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); - actual_cmds = commands + 4; /* XXX */ - } else { + } else ret = kadm5_c_init_with_password_ctx(context, client_name, NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); - actual_cmds = commands + 4; /* XXX */ - } if(ret) krb5_err(context, 1, ret, "kadm5_init_with_password"); 
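Review bot: The new `ad_flag` branch reports `"keytab mode require principal name"` although it is the AD-password path, not the keytab one — the string is a copy of the one in the keytab branch below it; `krb5_errx(context, 1, "ad mode requires principal name");` says what actually happened. The single failure message `"kadm5_init_with_password"` after the chain is now also printed when the AD and skey initialisers fail, so it misleads on those paths; a neutral `"kadm5 init"` or one message per branch would help. The password-quality verifier loop added here is the same code added to kadmind.c's main in this commit; a small shared helper would keep the two from drifting. main's body starts before and continues after this hunk.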
@@ -309,14 +261,24 @@ main(int argc, char **argv) each function, f.i `get' might be interruptable, but not `create' */ if (argc != 0) { - ret = sl_command (actual_cmds, argc, argv); + ret = sl_command (commands, argc, argv); if(ret == -1) krb5_warnx (context, "unrecognized command: %s", argv[0]); - } else - ret = sl_loop (actual_cmds, "kadmin> ") != 0; + else if (ret == -2) + ret = 0; + if(ret != 0) + exit_status = 1; + } else { + while(!exit_seen) { + ret = sl_command_loop(commands, "kadmin> ", NULL); + if (ret == -2) + exit_seen = 1; + else if (ret != 0) + exit_status = 1; + } + } kadm5_destroy(kadm_handle); - krb5_config_file_free (context, cf); krb5_free_context(context); - return ret; + return exit_status; } diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8 index 5663225..4715da9 100644 --- a/crypto/heimdal/kadmin/kadmind.8 +++ b/crypto/heimdal/kadmin/kadmind.8 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $ +.\" $Id: kadmind.8 14370 2004-12-08 17:20:21Z lha $ .\" -.Dd March 5, 2002 +.Dd December 8, 2004 .Dt KADMIND 8 .Os HEIMDAL .Sh NAME @@ -39,6 +39,7 @@ .Nd "server for administrative access to Kerberos database" .Sh SYNOPSIS .Nm +.Bk -words .Oo Fl c Ar file \*(Ba Xo .Fl -config-file= Ns Ar file .Xc @@ -57,7 +58,7 @@ .Fl -ports= Ns Ar port .Xc .Oc -.Op Fl -no-kerberos4 +.Ek .Sh DESCRIPTION .Nm listens for requests for changes to the Kerberos database and performs 
@@ -71,11 +72,7 @@ option causes .Nm to accept exactly one connection, which is useful for debugging. .Pp -If built with krb4 support, it implements both the Heimdal Kerberos 5 -administrative protocol and the Kerberos 4 protocol. Password changes -via the Kerberos 4 protocol are also performed by -.Nm kadmind , -but the +The .Xr kpasswdd 8 daemon is responsible for the Kerberos 5 password changing protocol (used by @@ -149,17 +146,12 @@ enable debugging .Fl p Ar port , .Fl -ports= Ns Ar port .Xc -ports to listen to. By default, if run as a daemon, it listens to ports -749, and 751 (if Kerberos 4 support is built and enabled), but you can -add any number of ports with this option. The port string is a -whitespace separated list of port specifications, with the special -string +ports to listen to. By default, if run as a daemon, it listens to port +749, but you can add any number of ports with this option. The port +string is a whitespace separated list of port specifications, with the +special string .Dq + -representing the default set of ports. -.It Fl -no-kerberos4 -make -.Nm -ignore Kerberos 4 kadmin requests. +representing the default port. .El .\".Sh ENVIRONMENT .Sh FILES diff --git a/crypto/heimdal/kadmin/kadmind.c b/crypto/heimdal/kadmin/kadmind.c index 7c52637..4d1c2ec 100644 --- a/crypto/heimdal/kadmin/kadmind.c +++ b/crypto/heimdal/kadmin/kadmind.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -33,21 +33,18 @@ #include "kadmin_locl.h" -RCSID("$Id: kadmind.c,v 1.28.2.1 2004/04/29 12:30:32 lha Exp $"); +RCSID("$Id: kadmind.c 22250 2007-12-09 05:57:31Z lha $"); static char *check_library = NULL; static char *check_function = NULL; +static getarg_strings policy_libraries = { 0, NULL }; static char *config_file; -static char *keyfile; static char *keytab_str = "HDB:"; static int help_flag; static int version_flag; static int debug_flag; static char *port_str; char *realm; -#ifdef KRB4 -int do_kerberos4 = 0; -#endif static struct getargs args[] = { { @@ -55,10 +52,6 @@ static struct getargs args[] = { "location of config file", "file" }, { - "key-file", 'k', arg_string, &keyfile, - "location of master key file", "file" - }, - { "keytab", 0, arg_string, &keytab_str, "what keytab to use", "keytab" }, @@ -70,15 +63,12 @@ static struct getargs args[] = { "library to load password check function from", "library" }, { "check-function", 0, arg_string, &check_function, "password check function to load", "function" }, + { "policy-libraries", 0, arg_strings, &policy_libraries, + "password check function to load", "function" }, #endif { "debug", 'd', arg_flag, &debug_flag, "enable debugging" }, -#ifdef KRB4 - { "kerberos4", 0, arg_flag, &do_kerberos4, - "don't respond to kerberos 4 requests" - }, -#endif { "ports", 'p', arg_string, &port_str, "ports to listen to", "port" }, { "help", 'h', arg_flag, &help_flag }, @@ -100,10 +90,10 @@ int main(int argc, char **argv) { krb5_error_code ret; - krb5_config_section *cf; - int optind = 0; - int e; - krb5_log_facility *logf; + char **files; + int optidx = 0; + int e, i; + krb5_log_facility *logfacility; krb5_keytab keytab; setprogname(argv[0]); 
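Review bot: The new `policy-libraries` getargs entry reuses the `check-function` help strings (`"password check function to load", "function"`), so `--help` describes the option wrongly and names its argument "function" rather than a library; `"password policy libraries to load", "library"` matches what main does with `policy_libraries.strings[i]`. As an `arg_strings` option it can be given more than once, and none of the kadmind.8 hunks in this commit mention the option at all. The `#ifdef` block enclosing these entries opens outside the hunk.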
@@ -112,11 +102,8 @@ main(int argc, char **argv)
 if (ret)
 errx (1, "krb5_init_context failed: %d", ret);
- ret = krb5_openlog(context, "kadmind", &logf);
- ret = krb5_set_warn_dest(context, logf);
-
- while((e = getarg(args, num_args, argc, argv, &optind)))
- warnx("error at argument `%s'", argv[optind]);
+ while((e = getarg(args, num_args, argc, argv, &optidx)))
+ warnx("error at argument `%s'", argv[optidx]);
 if (help_flag)
 usage (0);
@@ -126,29 +113,51 @@ main(int argc, char **argv) exit(0); } - argc -= optind; - argv += optind; + argc -= optidx; + argv += optidx; + + if (config_file == NULL) { + asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)); + if (config_file == NULL) + errx(1, "out of memory"); + } + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if(ret) + krb5_err(context, 1, ret, "reading configuration files"); + + ret = krb5_openlog(context, "kadmind", &logfacility); + if (ret) + krb5_err(context, 1, ret, "krb5_openlog"); + ret = krb5_set_warn_dest(context, logfacility); + if (ret) + krb5_err(context, 1, ret, "krb5_set_warn_dest"); ret = krb5_kt_register(context, &hdb_kt_ops); if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); - if (config_file == NULL) - config_file = HDB_DB_DIR "/kdc.conf"; - - if(krb5_config_parse_file(context, config_file, &cf) == 0) { - const char *p = krb5_config_get_string (context, cf, - "kdc", "key-file", NULL); - if (p) - keyfile = strdup(p); - } - ret = krb5_kt_resolve(context, keytab_str, &keytab); if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); kadm5_setup_passwd_quality_check (context, check_library, check_function); + for (i = 0; i < policy_libraries.num_strings; i++) { + ret = kadm5_add_passwd_quality_verifier(context, + policy_libraries.strings[i]); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + } + ret = kadm5_add_passwd_quality_verifier(context, NULL); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + { int fd = 0; struct sockaddr_storage __ss; diff --git a/crypto/heimdal/kadmin/load.c b/crypto/heimdal/kadmin/load.c index 3635023..30e6d93 100644 --- a/crypto/heimdal/kadmin/load.c +++ b/crypto/heimdal/kadmin/load.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,9 +32,10 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" #include <kadm5/private.h> -RCSID("$Id: load.c,v 1.44 2002/09/04 20:44:35 joda Exp $"); +RCSID("$Id: load.c 16658 2006-01-25 12:29:46Z lha $"); struct entry { char *principal; @@ -48,6 +49,7 @@ struct entry { char *pw_end; char *flags; char *generation; + char *extensions; }; static char * @@ -116,7 +118,7 @@ parse_time_string_alloc (time_t **t, const char *s) */ static int -parse_integer(unsigned *u, const char *s) +parse_integer(unsigned int *u, const char *s) { if(strcmp(s, "-") == 0) return 0; @@ -126,9 +128,9 @@ parse_integer(unsigned *u, const char *s) } static int -parse_integer_alloc (int **u, const char *s) +parse_integer_alloc (unsigned int **u, const char *s) { - unsigned tmp; + unsigned int tmp; int ret; *u = NULL; @@ -274,7 +276,7 @@ static int parse_hdbflags2int(HDBFlags *f, const char *s) { int ret; - unsigned tmp; + unsigned int tmp; ret = parse_integer (&tmp, s); if (ret == 1) 
@@ -308,6 +310,49 @@ parse_generation(char *str, GENERATION **gen)
 return 0;
 }
+static int
+parse_extensions(char *str, HDB_extensions **e)
+{
+ char *p;
+ int ret;
+
+ if(strcmp(str, "-") == 0 || *str == '\0') {
+ *e = NULL;
+ return 0;
+ }
+ *e = calloc(1, sizeof(**e));
+
+ p = strsep(&str, ":");
+
+ while (p) {
+ HDB_extension ext;
+ ssize_t len;
+ void *d;
+
+ len = strlen(p);
+ d = malloc(len);
+
+ len = hex_decode(p, d, len);
+ if (len < 0)
+ return -1;
+
+ ret = decode_HDB_extension(d, len, &ext, NULL);
+ free(d);
+ if (ret)
+ return -1;
+ d = realloc((*e)->val, ((*e)->len + 1) * sizeof((*e)->val[0]));
+ if (d == NULL)
+ abort();
+ (*e)->val = d;
+ (*e)->val[(*e)->len] = ext;
+ (*e)->len++;
+
+ p = strsep(&str, ":");
+ }
+
+ return 0;
+}
+
 /*
 * Parse the dump file in `filename' and create the database (merging
@@ -315,7 +360,7 @@ parse_generation(char *str, GENERATION **gen)
 */
 static int
-doit(const char *filename, int merge)
+doit(const char *filename, int mergep)
 {
 krb5_error_code ret;
 FILE *f;
@@ -324,7 +369,7 @@ doit(const char *filename, int merge)
 int line;
 int flags = O_RDWR;
 struct entry e;
- hdb_entry ent;
+ hdb_entry_ex ent;
 HDB *db = _kadm5_s_get_db(kadm_handle);
 f = fopen(filename, "r");
@@ -339,9 +384,9 @@ doit(const char *filename, int merge)
 return 1;
 }
- if(!merge)
+ if(!mergep)
 flags |= O_CREAT | O_TRUNC;
- ret = db->open(context, db, flags, 0600);
+ ret = db->hdb_open(context, db, flags, 0600);
 if(ret){
 krb5_warn(context, ret, "hdb_open");
 fclose(f);
@@ -352,7 +397,12 @@ doit(const char *filename, int merge)
 while(fgets(s, sizeof(s), f) != NULL) {
 ret = 0;
 line++;
- e.principal = s;
+
+ p = s;
+ while (isspace((unsigned char)*p))
+ p++;
+
+ e.principal = p;
 for(p = s; *p; p++){
 if(*p == '\\')
 p++;
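Review bot: parse_extensions under-checks and leaks on its error paths: `*e = calloc(1, sizeof(**e))` and `d = malloc(len)` are used without a NULL test, and when `hex_decode` fails the function returns -1 without freeing `d`. An empty field between two `:` separators also yields `malloc(0)`, whose result may legitimately be NULL. The input is a dump file supplied by an administrator, so this is a robustness problem in the loader rather than an exposure, but it should fail cleanly instead of dereferencing NULL. Whether the caller releases a partially filled `*e` after a -1 is outside this hunk — the callers in doit use hdb_free_entry, which presumably covers `extensions`; worth confirming.
```c
    *e = calloc(1, sizeof(**e));
    if (*e == NULL)
	return -1;

    p = strsep(&str, ":");

    while (p) {
	HDB_extension ext;
	ssize_t len;
	void *d;

	len = strlen(p);
	d = malloc(len + 1);	/* +1: never malloc(0) on an empty field */
	if (d == NULL)
	    return -1;

	len = hex_decode(p, d, len);
	if (len < 0) {
	    free(d);
	    return -1;
	}

	/* … unchanged: decode_HDB_extension, append to (*e)->val, next strsep … */
```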
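Review bot: `e.principal = p` now points past the leading blanks, but the scan on the following context line still restarts at the beginning of the buffer (`for(p = s; *p; p++){`), so the whitespace that was just skipped is scanned again; if the loop body, which continues outside the hunk, stops at the first whitespace character, a dump line with leading blanks is cut at `s` rather than at the end of the principal and every later field is mis-split. `for(; *p; p++){` continues from where the skip left off. doit's body starts before and continues after this hunk.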
@@ -393,8 +443,11 @@ doit(const char *filename, int merge) e.generation = p; p = skip_next(p); + e.extensions = p; + p = skip_next(p); + memset(&ent, 0, sizeof(ent)); - ret = krb5_parse_name(context, e.principal, &ent.principal); + ret = krb5_parse_name(context, e.principal, &ent.entry.principal); if(ret) { fprintf(stderr, "%s:%d:%s (%s)\n", filename, 
@@ -404,137 +457,113 @@ doit(const char *filename, int merge) continue; } - if (parse_keys(&ent, e.key)) { + if (parse_keys(&ent.entry, e.key)) { fprintf (stderr, "%s:%d:error parsing keys (%s)\n", filename, line, e.key); hdb_free_entry (context, &ent); continue; } - if (parse_event(&ent.created_by, e.created) == -1) { + if (parse_event(&ent.entry.created_by, e.created) == -1) { fprintf (stderr, "%s:%d:error parsing created event (%s)\n", filename, line, e.created); hdb_free_entry (context, &ent); continue; } - if (parse_event_alloc (&ent.modified_by, e.modified) == -1) { + if (parse_event_alloc (&ent.entry.modified_by, e.modified) == -1) { fprintf (stderr, "%s:%d:error parsing event (%s)\n", filename, line, e.modified); hdb_free_entry (context, &ent); continue; } - if (parse_time_string_alloc (&ent.valid_start, e.valid_start) == -1) { + if (parse_time_string_alloc (&ent.entry.valid_start, e.valid_start) == -1) { fprintf (stderr, "%s:%d:error parsing time (%s)\n", filename, line, e.valid_start); hdb_free_entry (context, &ent); continue; } - if (parse_time_string_alloc (&ent.valid_end, e.valid_end) == -1) { + if (parse_time_string_alloc (&ent.entry.valid_end, e.valid_end) == -1) { fprintf (stderr, "%s:%d:error parsing time (%s)\n", filename, line, e.valid_end); hdb_free_entry (context, &ent); continue; } - if (parse_time_string_alloc (&ent.pw_end, e.pw_end) == -1) { + if (parse_time_string_alloc (&ent.entry.pw_end, e.pw_end) == -1) { fprintf (stderr, "%s:%d:error parsing time (%s)\n", filename, line, e.pw_end); hdb_free_entry (context, &ent); continue; } - if (parse_integer_alloc (&ent.max_life, e.max_life) == -1) { + if (parse_integer_alloc (&ent.entry.max_life, e.max_life) == -1) { fprintf (stderr, "%s:%d:error parsing lifetime (%s)\n", filename, line, e.max_life); hdb_free_entry (context, &ent); continue; } - if (parse_integer_alloc (&ent.max_renew, e.max_renew) == -1) { + if (parse_integer_alloc (&ent.entry.max_renew, e.max_renew) == -1) { fprintf (stderr, 
"%s:%d:error parsing lifetime (%s)\n", filename, line, e.max_renew); hdb_free_entry (context, &ent); continue; } - if (parse_hdbflags2int (&ent.flags, e.flags) != 1) { + if (parse_hdbflags2int (&ent.entry.flags, e.flags) != 1) { fprintf (stderr, "%s:%d:error parsing flags (%s)\n", filename, line, e.flags); hdb_free_entry (context, &ent); continue; } - if(parse_generation(e.generation, &ent.generation) == -1) { + if(parse_generation(e.generation, &ent.entry.generation) == -1) { fprintf (stderr, "%s:%d:error parsing generation (%s)\n", filename, line, e.generation); hdb_free_entry (context, &ent); continue; } - ret = db->store(context, db, HDB_F_REPLACE, &ent); + if(parse_extensions(e.extensions, &ent.entry.extensions) == -1) { + fprintf (stderr, "%s:%d:error parsing extension (%s)\n", + filename, line, e.extensions); + hdb_free_entry (context, &ent); + continue; + } + + ret = db->hdb_store(context, db, HDB_F_REPLACE, &ent); hdb_free_entry (context, &ent); if (ret) { krb5_warn(context, ret, "db_store"); break; } } - db->close(context, db); + db->hdb_close(context, db); fclose(f); return ret != 0; } -static struct getargs args[] = { - { "help", 'h', arg_flag, NULL } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(const char *name) -{ - arg_printusage (args, num_args, name, "file"); -} - - +extern int local_flag; -int -load(int argc, char **argv) +static int +loadit(int mergep, const char *name, int argc, char **argv) { - int optind = 0; - int help_flag = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage ("load"); - return 0; - } - if(argc - optind != 1 || help_flag) { - usage ("load"); + if(!local_flag) { + krb5_warnx(context, "%s is only available in local (-l) mode", name); return 0; } - doit(argv[optind], 0); - return 0; + return doit(argv[0], mergep); } - + int -merge(int argc, char **argv) +load(void *opt, int argc, char **argv) { - int optind = 0; - int help_flag = 0; - - 
args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage ("merge"); - return 0; - } - if(argc - optind != 1 || help_flag) { - usage ("merge"); - return 0; - } - - doit(argv[optind], 1); - return 0; + return loadit(0, "load", argc, argv); +} + +int +merge(void *opt, int argc, char **argv) +{ + return loadit(1, "merge", argc, argv); } diff --git a/crypto/heimdal/kadmin/mod.c b/crypto/heimdal/kadmin/mod.c index 0e9cd08..f5f9e04 100644 --- a/crypto/heimdal/kadmin/mod.c +++ b/crypto/heimdal/kadmin/mod.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
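Review bot: The local-mode refusal in `loadit` returns 0 after `krb5_warnx(context, "%s is only available in local (-l) mode", name)`, so a scripted `kadmin load` or `merge` in remote mode exits successfully although nothing was loaded; `return 1;` there would match the non-zero returns this commit introduces elsewhere. `extern int local_flag;` is declared mid-file between doit and loadit rather than in kadmin_locl.h next to the other globals kadmin.c shares (presumably `context` and `kadm_handle` are declared there); a mid-file extern is easy to miss when the definition changes. `loadit` also reads `argv[0]` without an argc check, which the generated command table presumably guarantees but this hunk does not show. doit's body starts before this hunk.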
@@ -32,120 +32,230 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" -RCSID("$Id: mod.c,v 1.11 2002/12/03 14:12:30 joda Exp $"); +RCSID("$Id: mod.c 21968 2007-10-18 18:50:33Z lha $"); -static int parse_args (krb5_context context, kadm5_principal_ent_t ent, - int argc, char **argv, int *optind, char *name, - int *mask); +static void +add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data) +{ + krb5_tl_data *tl, **ptl; -static int -parse_args(krb5_context context, kadm5_principal_ent_t ent, - int argc, char **argv, int *optind, char *name, - int *mask) + tl = ecalloc(1, sizeof(*tl)); + tl->tl_data_next = NULL; + tl->tl_data_type = KRB5_TL_EXTENSION; + tl->tl_data_length = data->length; + tl->tl_data_contents = data->data; + + princ->n_tl_data++; + ptl = &princ->tl_data; + while (*ptl != NULL) + ptl = &(*ptl)->tl_data_next; + *ptl = tl; + + return; +} + +static void +add_constrained_delegation(krb5_context context, + kadm5_principal_ent_rec *princ, + struct getarg_strings *strings) { - char *attr_str = NULL; - char *max_life_str = NULL; - char *max_rlife_str = NULL; - char *expiration_str = NULL; - char *pw_expiration_str = NULL; - int new_kvno = -1; - int ret, i; - - struct getargs args[] = { - {"attributes", 'a', arg_string, NULL, "Attributies", - "attributes"}, - {"max-ticket-life", 0, arg_string, NULL, "max ticket lifetime", - "lifetime"}, - {"max-renewable-life", 0, arg_string, NULL, - "max renewable lifetime", "lifetime" }, - {"expiration-time", 0, arg_string, - NULL, "Expiration time", "time"}, - {"pw-expiration-time", 0, arg_string, - NULL, "Password expiration time", "time"}, - {"kvno", 0, arg_integer, - NULL, "Key version number", "number"}, - }; - - i = 0; - args[i++].value = &attr_str; - args[i++].value = &max_life_str; - args[i++].value = &max_rlife_str; - args[i++].value = &expiration_str; - args[i++].value = &pw_expiration_str; - args[i++].value = &new_kvno; - - *optind = 0; /* XXX */ - - if(getarg(args, sizeof(args) / 
sizeof(args[0]), - argc, argv, optind)){ - arg_printusage(args, - sizeof(args) / sizeof(args[0]), - name ? name : "", - "principal"); - return -1; + krb5_error_code ret; + HDB_extension ext; + krb5_data buf; + size_t size; + + memset(&ext, 0, sizeof(ext)); + ext.mandatory = FALSE; + ext.data.element = choice_HDB_extension_data_allowed_to_delegate_to; + + if (strings->num_strings == 1 && strings->strings[0][0] == '\0') { + ext.data.u.allowed_to_delegate_to.val = NULL; + ext.data.u.allowed_to_delegate_to.len = 0; + } else { + krb5_principal p; + int i; + + ext.data.u.allowed_to_delegate_to.val = + calloc(strings->num_strings, + sizeof(ext.data.u.allowed_to_delegate_to.val[0])); + ext.data.u.allowed_to_delegate_to.len = strings->num_strings; + + for (i = 0; i < strings->num_strings; i++) { + ret = krb5_parse_name(context, strings->strings[i], &p); + ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]); + krb5_free_principal(context, p); + } } - - ret = set_entry(context, ent, mask, max_life_str, max_rlife_str, - expiration_str, pw_expiration_str, attr_str); + + ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, + &ext, &size, ret); + free_HDB_extension(&ext); if (ret) - return ret; + abort(); + if (buf.length != size) + abort(); - if(new_kvno != -1) { - ent->kvno = new_kvno; - *mask |= KADM5_KVNO; - } - return 0; + add_tl(princ, KRB5_TL_EXTENSION, &buf); } -int -mod_entry(int argc, char **argv) +static void +add_aliases(krb5_context context, kadm5_principal_ent_rec *princ, + struct getarg_strings *strings) { - kadm5_principal_ent_rec princ; - int mask = 0; krb5_error_code ret; - krb5_principal princ_ent = NULL; - int optind; + HDB_extension ext; + krb5_data buf; + krb5_principal p; + size_t size; + int i; + + memset(&ext, 0, sizeof(ext)); + ext.mandatory = FALSE; + ext.data.element = choice_HDB_extension_data_aliases; + ext.data.u.aliases.case_insensitive = 0; - memset (&princ, 0, sizeof(princ)); + if (strings->num_strings == 1 && 
strings->strings[0][0] == '\0') { + ext.data.u.aliases.aliases.val = NULL; + ext.data.u.aliases.aliases.len = 0; + } else { + ext.data.u.aliases.aliases.val = + calloc(strings->num_strings, + sizeof(ext.data.u.aliases.aliases.val[0])); + ext.data.u.aliases.aliases.len = strings->num_strings; + + for (i = 0; i < strings->num_strings; i++) { + ret = krb5_parse_name(context, strings->strings[i], &p); + ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]); + krb5_free_principal(context, p); + } + } - ret = parse_args (context, &princ, argc, argv, - &optind, "mod", &mask); + ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, + &ext, &size, ret); + free_HDB_extension(&ext); if (ret) - return 0; + abort(); + if (buf.length != size) + abort(); + + add_tl(princ, KRB5_TL_EXTENSION, &buf); +} - argc -= optind; - argv += optind; +static void +add_pkinit_acl(krb5_context context, kadm5_principal_ent_rec *princ, + struct getarg_strings *strings) +{ + krb5_error_code ret; + HDB_extension ext; + krb5_data buf; + size_t size; + int i; - if (argc != 1) { - printf ("Usage: mod [options] principal\n"); - return 0; - } + memset(&ext, 0, sizeof(ext)); + ext.mandatory = FALSE; + ext.data.element = choice_HDB_extension_data_pkinit_acl; + ext.data.u.aliases.case_insensitive = 0; - krb5_parse_name(context, argv[0], &princ_ent); - - if (mask == 0) { - memset(&princ, 0, sizeof(princ)); - ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, - KADM5_PRINCIPAL | KADM5_ATTRIBUTES | - KADM5_MAX_LIFE | KADM5_MAX_RLIFE | - KADM5_PRINC_EXPIRE_TIME | - KADM5_PW_EXPIRATION); - krb5_free_principal (context, princ_ent); - if (ret) { - printf ("no such principal: %s\n", argv[0]); - return 0; - } - if(edit_entry(&princ, &mask, NULL, 0)) - goto out; + if (strings->num_strings == 1 && strings->strings[0][0] == '\0') { + ext.data.u.pkinit_acl.val = NULL; + ext.data.u.pkinit_acl.len = 0; } else { - princ.principal = princ_ent; + ext.data.u.pkinit_acl.val = + calloc(strings->num_strings, + 
sizeof(ext.data.u.pkinit_acl.val[0])); + ext.data.u.pkinit_acl.len = strings->num_strings; + + for (i = 0; i < strings->num_strings; i++) { + ext.data.u.pkinit_acl.val[i].subject = estrdup(strings->strings[i]); + } } - ret = kadm5_modify_principal(kadm_handle, &princ, mask); - if(ret) - krb5_warn(context, ret, "kadm5_modify_principal"); - out: + ASN1_MALLOC_ENCODE(HDB_extension, buf.data, buf.length, + &ext, &size, ret); + free_HDB_extension(&ext); + if (ret) + abort(); + if (buf.length != size) + abort(); + + add_tl(princ, KRB5_TL_EXTENSION, &buf); +} + +static int +do_mod_entry(krb5_principal principal, void *data) +{ + krb5_error_code ret; + kadm5_principal_ent_rec princ; + int mask = 0; + struct modify_options *e = data; + + memset (&princ, 0, sizeof(princ)); + ret = kadm5_get_principal(kadm_handle, principal, &princ, + KADM5_PRINCIPAL | KADM5_ATTRIBUTES | + KADM5_MAX_LIFE | KADM5_MAX_RLIFE | + KADM5_PRINC_EXPIRE_TIME | + KADM5_PW_EXPIRATION); + if(ret) + return ret; + + if(e->max_ticket_life_string || + e->max_renewable_life_string || + e->expiration_time_string || + e->pw_expiration_time_string || + e->attributes_string || + e->kvno_integer != -1 || + e->constrained_delegation_strings.num_strings || + e->alias_strings.num_strings || + e->pkinit_acl_strings.num_strings) { + ret = set_entry(context, &princ, &mask, + e->max_ticket_life_string, + e->max_renewable_life_string, + e->expiration_time_string, + e->pw_expiration_time_string, + e->attributes_string); + if(e->kvno_integer != -1) { + princ.kvno = e->kvno_integer; + mask |= KADM5_KVNO; + } + if (e->constrained_delegation_strings.num_strings) { + add_constrained_delegation(context, &princ, + &e->constrained_delegation_strings); + mask |= KADM5_TL_DATA; + } + if (e->alias_strings.num_strings) { + add_aliases(context, &princ, &e->alias_strings); + mask |= KADM5_TL_DATA; + } + if (e->pkinit_acl_strings.num_strings) { + add_pkinit_acl(context, &princ, &e->pkinit_acl_strings); + mask |= KADM5_TL_DATA; + } + + } 
else + ret = edit_entry(&princ, &mask, NULL, 0); + if(ret == 0) { + ret = kadm5_modify_principal(kadm_handle, &princ, mask); + if(ret) + krb5_warn(context, ret, "kadm5_modify_principal"); + } + kadm5_free_principal_ent(kadm_handle, &princ); - return 0; + return ret; } + +int +mod_entry(struct modify_options *opt, int argc, char **argv) +{ + krb5_error_code ret = 0; + int i; + + for(i = 0; i < argc; i++) { + ret = foreach_principal(argv[i], do_mod_entry, "mod", opt); + if (ret) + break; + } + return ret != 0; +} + diff --git a/crypto/heimdal/kadmin/pw_quality.c b/crypto/heimdal/kadmin/pw_quality.c new file mode 100644 index 0000000..8d1e9cc --- /dev/null +++ b/crypto/heimdal/kadmin/pw_quality.c 
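Review bot: In add_constrained_delegation and add_aliases the return of `krb5_parse_name` is overwritten on the next line and `p` is handed to `copy_Principal` and `krb5_free_principal` regardless, so a malformed name on the kadmin command line leaves `p` NULL or unset (depending on krb5_parse_name's failure behaviour) and the client crashes instead of reporting the error; check it: `if (ret) krb5_err(context, 1, ret, "krb5_parse_name(%s)", strings->strings[i]);` is in keeping with the `abort()` these helpers already use on encode failure. add_pkinit_acl sets `ext.data.u.aliases.case_insensitive = 0;` after selecting `choice_HDB_extension_data_pkinit_acl` — a copy-paste write through the wrong union member that should be dropped. add_tl takes a `type` parameter but stores `KRB5_TL_EXTENSION` unconditionally; `tl->tl_data_type = type;` makes the parameter meaningful. The `calloc` results in all three helpers are used unchecked.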
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadmin_locl.h"
+#include "kadmin-commands.h"
+
+RCSID("$Id: pw_quality.c 14026 2004-07-05 11:41:22Z joda $");
+
+int
+password_quality(void *opt, int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_principal principal;
+ krb5_data pw_data;
+ const char *s;
+
+ ret = krb5_parse_name(context, argv[0], &principal);
+ if(ret){
+ krb5_warn(context, ret, "krb5_parse_name(%s)", argv[0]);
+ return 0;
+ }
+ pw_data.data = argv[1];
+ pw_data.length = strlen(argv[1]);
+
+ s = kadm5_check_password_quality (context, principal, &pw_data);
+ if (s)
+ krb5_warnx(context, "kadm5_check_password_quality: %s", s);
+
+ krb5_free_principal(context, principal);
+
+ return 0;
+}
diff --git a/crypto/heimdal/kadmin/random_password.c b/crypto/heimdal/kadmin/random_password.c
index 92fb2fc..d56dd94 100644
--- a/crypto/heimdal/kadmin/random_password.c
+++ b/crypto/heimdal/kadmin/random_password.c
@@ -33,7 +33,7 @@
 #include "kadmin_locl.h"
-RCSID("$Id: random_password.c,v 1.4 2001/02/15 04:20:53 assar Exp $");
+RCSID("$Id: random_password.c 21745 2007-07-31 16:11:25Z lha $");
 /* This file defines some a function that generates a random password,
 that can be used when creating a large amount of principals (such
@@ -123,7 +123,11 @@ generate_password(char **pw, int num_classes, ...)
 unsigned char rbuf[8]; /* random buffer */
 int rleft = 0;
+ *pw = NULL;
+ classes = malloc(num_classes * sizeof(*classes));
+ if(classes == NULL)
+ return;
 va_start(ap, num_classes);
 len = 0;
 for(i = 0; i < num_classes; i++){
@@ -134,8 +138,10 @@ generate_password(char **pw, int num_classes, ...)
 }
 va_end(ap);
 *pw = malloc(len + 1);
- if(*pw == NULL)
+ if(*pw == NULL) {
+ free(classes);
 return;
+ }
 for(i = 0; i < len; i++) {
 int j;
 int x = RND(rbuf, sizeof(rbuf), &rleft) % (len - i);
diff --git a/crypto/heimdal/kadmin/rename.c b/crypto/heimdal/kadmin/rename.c
index ac5f4d6..9309db5 100644
--- a/crypto/heimdal/kadmin/rename.c
+++ b/crypto/heimdal/kadmin/rename.c
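Review bot: password_quality returns 0 on the `krb5_parse_name` failure path, so the exit status cannot tell a bad principal from a completed check — rename_entry in this same commit was changed to `return ret != 0;` in the equivalent branch, and this new file should do the same. `argv[0]` and `argv[1]` are read without an argc check, which the generated command table presumably guarantees; that is not visible here. The candidate password arrives on the command line, so it is visible to other local users in the process list and is kept in shell history; kadmin.8 (not part of this hunk) should say so, or the command should be able to prompt for it.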
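Review bot: `free(classes)` is now done on the `*pw == NULL` path, but this commit turns `classes` into a heap allocation and the hunk does not show a matching free after the generation loop on the success path — confirm one exists, since generate_password's body continues outside the hunk. `malloc(num_classes * sizeof(*classes))` also has no guard against `num_classes <= 0`; the callers presumably pass small literal counts, but a check before the multiply keeps the function total.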
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -32,57 +32,32 @@
 */
 #include "kadmin_locl.h"
+#include "kadmin-commands.h"
-RCSID("$Id: rename.c,v 1.4 2001/05/04 13:07:03 joda Exp $");
-
-static struct getargs args[] = {
- { "help", 'h', arg_flag, NULL }
-};
-
-static int num_args = sizeof(args) / sizeof(args[0]);
-
-static void
-usage(void)
-{
- arg_printusage (args, num_args, "rename", "from to");
-}
+RCSID("$Id: rename.c 17007 2006-04-07 13:11:24Z lha $");
 int
-rename_entry(int argc, char **argv)
+rename_entry(void *opt, int argc, char **argv)
 {
- int optind = 0;
- int help_flag = 0;
-
 krb5_error_code ret;
 krb5_principal princ1, princ2;
- args[0].value = &help_flag;
-
- if(getarg(args, num_args, argc, argv, &optind)) {
- usage ();
- return 0;
- }
- if(argc - optind != 2 || help_flag) {
- usage ();
- return 0;
- }
-
- ret = krb5_parse_name(context, argv[1], &princ1);
+ ret = krb5_parse_name(context, argv[0], &princ1);
 if(ret){
- krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
- return 0;
+ krb5_warn(context, ret, "krb5_parse_name(%s)", argv[0]);
+ return ret != 0;
 }
- ret = krb5_parse_name(context, argv[2], &princ2);
+ ret = krb5_parse_name(context, argv[1], &princ2);
 if(ret){
- krb5_free_principal(context, princ2);
- krb5_warn(context, ret, "krb5_parse_name(%s)", argv[2]);
- return 0;
+ krb5_free_principal(context, princ1);
+ krb5_warn(context, ret, "krb5_parse_name(%s)", argv[1]);
+ return ret != 0;
 }
 ret = kadm5_rename_principal(kadm_handle, princ1, princ2);
 if(ret)
 krb5_warn(context, ret, "rename");
 krb5_free_principal(context, princ1);
 krb5_free_principal(context, princ2);
- return 0;
+ return ret != 0;
 }
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
index adaf6cf..07dd9a5 100644
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <krb5-private.h>
-RCSID("$Id: server.c,v 1.38 2003/01/29 12:33:05 lha Exp $");
+RCSID("$Id: server.c 17611 2006-06-02 22:10:21Z lha $");
 static kadm5_ret_t
 kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
@@ -47,7 +47,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 char *op = "";
 krb5_principal princ, princ2;
 kadm5_principal_ent_rec ent;
- char *password, *exp;
+ char *password, *expression;
 krb5_keyblock *new_keys;
 int n_keys;
 char **princs;
@@ -192,6 +192,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 princ);
 if(ret){
 krb5_free_principal(context->context, princ);
+ krb5_free_principal(context->context, princ2);
 goto fail;
 }
 ret = kadm5_rename_principal(kadm_handle, princ, princ2);
@@ -370,12 +371,13 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 break;
 }
 case kadm_get_privs:{
- ret = kadm5_get_privs(kadm_handle, &mask);
+ uint32_t privs;
+ ret = kadm5_get_privs(kadm_handle, &privs);
 krb5_storage_free(sp);
 sp = krb5_storage_emem();
 krb5_store_int32(sp, ret);
 if(ret == 0)
- krb5_store_int32(sp, mask);
+ krb5_store_uint32(sp, privs);
 break;
 }
 case kadm_get_princs:{
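Review bot: In the kadm_get_privs arm the result of `sp = krb5_storage_emem();` is still passed unchecked to `krb5_store_int32(sp, ret)` and the new `krb5_store_uint32(sp, privs)`; if the allocation fails the dispatcher dereferences NULL. The same pattern appears in the neighbouring arms, so the real fix is file-wide, but while this arm is being touched I would add `if(sp == NULL) { ret = ENOMEM; goto fail; }` after the emem call, assuming the `fail:` path (outside the hunk) tolerates a NULL sp. The return values of the two store calls are also dropped, so a failed store of `privs` would be sent as a successful reply; at minimum the store of the reply body should be checked. kadmind_dispatch begins and ends outside this hunk.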
@@ -384,19 +386,20 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 if(ret)
 goto fail;
 if(tmp){
- ret = krb5_ret_string(sp, &exp);
+ ret = krb5_ret_string(sp, &expression);
 if(ret)
 goto fail;
 }else
- exp = NULL;
- krb5_warnx(context->context, "%s: %s %s", client, op, exp ? exp : "*");
+ expression = NULL;
+ krb5_warnx(context->context, "%s: %s %s", client, op,
+ expression ? expression : "*");
 ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
 if(ret){
- free(exp);
+ free(expression);
 goto fail;
 }
- ret = kadm5_get_principals(kadm_handle, exp, &princs, &n_princs);
- free(exp);
+ ret = kadm5_get_principals(kadm_handle, expression, &princs, &n_princs);
+ free(expression);
 krb5_storage_free(sp);
 sp = krb5_storage_emem();
 krb5_store_int32(sp, ret);
@@ -542,8 +545,6 @@ handle_v5(krb5_context context,
 v5_loop (context, ac, initial, kadm_handle, fd);
 }
-extern int do_kerberos4;
-
 krb5_error_code
 kadmind_loop(krb5_context context,
 krb5_auth_context ac,
@@ -560,16 +561,15 @@ kadmind_loop(krb5_context context,
 if(n < 0)
 krb5_err(context, 1, errno, "read");
 _krb5_get_int(tmp, &len, 4);
+ /* this v4 test could probably also go away */
 if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') {
- len >>= 16;
-#ifdef KRB4
- if(do_kerberos4)
- handle_v4(context, keytab, len, fd);
- else
- krb5_errx(context, 1, "version 4 kadmin is disabled");
-#else
+ unsigned char v4reply[] = {
+ 0x00, 0x0c,
+ 'K', 'Y', 'O', 'U', 'L', 'O', 'S', 'E',
+ 0x95, 0xb7, 0xa7, 0x08 /* KADM_BAD_VER */
+ };
+ krb5_net_write(context, &fd, v4reply, sizeof(v4reply));
 krb5_errx(context, 1, "packet appears to be version 4");
-#endif
 } else {
 handle_v5(context, ac, keytab, len, fd);
 }
diff --git a/crypto/heimdal/kadmin/stash.c b/crypto/heimdal/kadmin/stash.c
new file mode 100644
index 0000000..d5b65ee
--- /dev/null
+++ b/crypto/heimdal/kadmin/stash.c
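Review bot: In the kadm_get_princs arm the client-supplied `expression` is written to the log by `krb5_warnx(context->context, "%s: %s %s", client, op, expression ? expression : "*")` before `_kadm5_acl_check_permission` runs, so a caller who is not even allowed to list principals controls a string that goes straight into the daemon's log. Nothing in the hunk bounds the length of what `krb5_ret_string` returns or excludes control characters, so embedded newlines can forge log records and an oversized expression inflates the log; I would either move the log line after the ACL check or sanitise the string first, for example by replacing bytes below 0x20 before logging. Where the `krb5_warnx` output ends up is configured outside this hunk, so the severity depends on whether it reaches syslog. kadmind_dispatch begins and ends outside this hunk.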
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadmin_locl.h"
+#include "kadmin-commands.h"
+
+RCSID("$Id: stash.c 22251 2007-12-09 05:58:43Z lha $");
+
+extern int local_flag;
+
+int
+stash(struct stash_options *opt, int argc, char **argv)
+{
+ char buf[1024];
+ krb5_error_code ret;
+ krb5_enctype enctype;
+ hdb_master_key mkey;
+
+ if(!local_flag) {
+ krb5_warnx(context, "stash is only available in local (-l) mode");
+ return 0;
+ }
+
+ ret = krb5_string_to_enctype(context, opt->enctype_string, &enctype);
+ if(ret) {
+ krb5_warn(context, ret, "%s", opt->enctype_string);
+ return 0;
+ }
+
+ if(opt->key_file_string == NULL) {
+ asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
+ if (opt->key_file_string == NULL)
+ errx(1, "out of memory");
+ }
+
+ ret = hdb_read_master_key(context, opt->key_file_string, &mkey);
+ if(ret && ret != ENOENT) {
+ krb5_warn(context, ret, "reading master key from %s",
+ opt->key_file_string);
+ return 0;
+ }
+
+ if (opt->convert_file_flag) {
+ if (ret)
+ krb5_warn(context, ret, "reading master key from %s",
+ opt->key_file_string);
+ return 0;
+ } else {
+ krb5_keyblock key;
+ krb5_salt salt;
+ salt.salttype = KRB5_PW_SALT;
+ /* XXX better value?
*/
+ salt.saltvalue.data = NULL;
+ salt.saltvalue.length = 0;
+ if(opt->master_key_fd_integer != -1) {
+ ssize_t n;
+ n = read(opt->master_key_fd_integer, buf, sizeof(buf));
+ if(n == 0)
+ krb5_warnx(context, "end of file reading passphrase");
+ else if(n < 0)
+ krb5_warn(context, errno, "reading passphrase");
+ buf[n] = '\0';
+ buf[strcspn(buf, "\r\n")] = '\0';
+ } else {
+ if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1)) {
+ hdb_free_master_key(context, mkey);
+ return 0;
+ }
+ }
+ ret = krb5_string_to_key_salt(context, enctype, buf, salt, &key);
+ ret = hdb_add_master_key(context, &key, &mkey);
+ krb5_free_keyblock_contents(context, &key);
+ }
+
+ {
+ char *new, *old;
+ asprintf(&old, "%s.old", opt->key_file_string);
+ asprintf(&new, "%s.new", opt->key_file_string);
+ if(old == NULL || new == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ if(unlink(new) < 0 && errno != ENOENT) {
+ ret = errno;
+ goto out;
+ }
+ krb5_warnx(context, "writing key to \"%s\"", opt->key_file_string);
+ ret = hdb_write_master_key(context, new, mkey);
+ if(ret)
+ unlink(new);
+ else {
+ unlink(old);
+ if(link(opt->key_file_string, old) < 0 && errno != ENOENT) {
+ ret = errno;
+ unlink(new);
+ } else if(rename(new, opt->key_file_string) < 0) {
+ ret = errno;
+ }
+ }
+ out:
+ free(old);
+ free(new);
+ if(ret)
+ krb5_warn(context, errno, "writing master key file");
+ }
+
+ hdb_free_master_key(context, mkey);
+ return 0;
+}
diff --git a/crypto/heimdal/kadmin/test_util.c b/crypto/heimdal/kadmin/test_util.c
new file mode 100644
index 0000000..0f59f60
--- /dev/null
+++ b/crypto/heimdal/kadmin/test_util.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+
+#include "kadmin_locl.h"
+
+RCSID("$Id: test_util.c 19486 2006-12-22 17:25:59Z lha $");
+
+krb5_context context;
+void *kadm_handle;
+
+struct {
+ const char *str;
+ int ret;
+ time_t t;
+} ts[] = {
+ { "2006-12-22 18:09:00", 0, 1166810940 },
+ { "2006-12-22", 0, 1166831999 },
+ { "2006-12-22 23:59:59", 0, 1166831999 }
+};
+
+static int
+test_time(void)
+{
+ int i, errors = 0;
+
+ for (i = 0; i < sizeof(ts)/sizeof(ts[0]); i++) {
+ time_t t;
+ int ret;
+
+ ret = str2time_t (ts[i].str, &t);
+ if (ret != ts[i].ret) {
+ printf("%d: %d is wrong ret\n", i, ret);
+ errors++;
+ }
+ else if (t != ts[i].t) {
+ printf("%d: %d is wrong time\n", i, (int)t);
+ errors++;
+ }
+ }
+
+ return errors;
+}
+
+
+int
+main(int argc, char **argv)
+{
+ krb5_error_code ret;
+
+ setprogname(argv[0]);
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ ret = 0;
+ ret += test_time();
+
+ krb5_free_context(context);
+
+ return ret;
+}
+
diff --git a/crypto/heimdal/kadmin/util.c b/crypto/heimdal/kadmin/util.c
index b25bf2a..3c12dcb 100644
--- a/crypto/heimdal/kadmin/util.c
+++ b/crypto/heimdal/kadmin/util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -34,7 +34,7 @@
 #include "kadmin_locl.h"
 #include <parse_units.h>
-RCSID("$Id: util.c,v 1.39 2003/04/14 11:55:27 lha Exp $");
+RCSID("$Id: util.c 21745 2007-07-31 16:11:25Z lha $");
 /*
 * util.c - functions for parsing, unparsing, and editing different
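Review bot: test_time only feeds str2time_t inputs that it accepts, so the new test cannot catch the failure modes this same commit's util.c change is concerned with; the table should also hold a rejected input and the `never` sentinel, both of which the visible str2time_t code handles explicitly (`if (p == NULL) return -1;` for an unparsable date and `*t = 0` for `never`). Adding `{ "never", 0, 0 },` and `{ "not a date", -1, 0 },` to `ts[]` covers those paths, and a case such as `{ "2006-12-22 25:99:99", -1, 0 }` would currently fail, which is exactly the question the XXX comment in the util.c hunk leaves open about malformed time-of-day strings. The expected epoch values are correct for UTC, so the test depends on `tm2time(tm, 0)` being timezone-independent; a one-line comment above `ts[]` saying so would spare the next reader the arithmetic, and `ts` can be `static const` since nothing writes it.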
@@ -49,6 +49,10 @@ get_response(const char *prompt, const char *def, char *buf, size_t len);
 */
 struct units kdb_attrs[] = {
+ { "allow-digest", KRB5_KDB_ALLOW_DIGEST },
+ { "allow-kerberos4", KRB5_KDB_ALLOW_KERBEROS4 },
+ { "trusted-for-delegation", KRB5_KDB_TRUSTED_FOR_DELEGATION },
+ { "ok-as-delegate", KRB5_KDB_OK_AS_DELEGATE },
 { "new-princ", KRB5_KDB_NEW_PRINC },
 { "support-desmd5", KRB5_KDB_SUPPORT_DESMD5 },
 { "pwchange-service", KRB5_KDB_PWCHANGE_SERVICE },
@@ -114,7 +118,7 @@ parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit)
 } else if(*resp == '?') {
 print_flags_table (kdb_attrs, stderr);
 } else {
- fprintf (stderr, "Unable to parse '%s'\n", resp);
+ fprintf (stderr, "Unable to parse \"%s\"\n", resp);
 }
 return -1;
 }
@@ -178,6 +182,7 @@ str2time_t (const char *str, time_t *t)
 struct tm tm, tm2;
 memset (&tm, 0, sizeof (tm));
+ memset (&tm2, 0, sizeof (tm2));
 if(strcasecmp(str, "never") == 0) {
 *t = 0;
@@ -194,15 +199,20 @@ str2time_t (const char *str, time_t *t)
 if (p == NULL)
 return -1;
- /* Do it on the end of the day */
- tm2.tm_hour = 23;
- tm2.tm_min = 59;
- tm2.tm_sec = 59;
+ while(isspace((unsigned char)*p))
+ p++;
- if(strptime (p, "%H:%M:%S", &tm2) != NULL) {
+ /* XXX this is really a bit optimistic, we should really complain
+ if there was a problem parsing the time */
+ if(p[0] != '\0' && strptime (p, "%H:%M:%S", &tm2) != NULL) {
 tm.tm_hour = tm2.tm_hour;
 tm.tm_min = tm2.tm_min;
 tm.tm_sec = tm2.tm_sec;
+ } else {
+ /* Do it on the end of the day */
+ tm.tm_hour = 23;
+ tm.tm_min = 59;
+ tm.tm_sec = 59;
 }
 *t = tm2time (tm, 0);
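Review bot: str2time_t still accepts a malformed time-of-day silently: when `p` is non-empty but `strptime (p, "%H:%M:%S", &tm2)` fails, the new `else` branch substitutes 23:59:59, so a typo such as `2006-12-22 18.09.00` given as an expiration or password-end time becomes the end of that day instead of an error, and even a successful parse ignores trailing garbage because strptime's return pointer is discarded. The hunk's own XXX comment concedes this; since the date part already returns -1 when its parse fails, the time part should do the same rather than widen an account's validity window. str2time_t starts before this hunk and the `tm2time` call is its last visible line, so the handling of `never` and of the date parse is only partly in view.
```c
    if(p[0] != '\0') {
	const char *end = strptime (p, "%H:%M:%S", &tm2);
	/* an unparsable or partially parsed time is an error, not
	   an implicit end-of-day */
	while(end != NULL && isspace((unsigned char)*end))
	    end++;
	if(end == NULL || *end != '\0')
	    return -1;
	tm.tm_hour = tm2.tm_hour;
	tm.tm_min = tm2.tm_min;
	tm.tm_sec = tm2.tm_sec;
    } else {
	/* … unchanged: end-of-day default … */
    }
```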
@@ -223,11 +233,10 @@ parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit)
 if(mask)
 *mask |= bit;
 return 0;
- } else if(*resp == '?') {
- printf ("Print date on format YYYY-mm-dd [hh:mm:ss]\n");
- } else {
- fprintf (stderr, "Unable to parse time '%s'\n", resp);
- }
+ }
+ if(*resp != '?')
+ fprintf (stderr, "Unable to parse time \"%s\"\n", resp);
+ fprintf (stderr, "Print date on format YYYY-mm-dd [hh:mm:ss]\n");
 return -1;
 }
@@ -313,7 +322,7 @@ parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit)
 } else if(*resp == '?') {
 print_time_table (stderr);
 } else {
- fprintf (stderr, "Unable to parse time '%s'\n", resp);
+ fprintf (stderr, "Unable to parse time \"%s\"\n", resp);
 }
 return -1;
 }
@@ -482,9 +491,13 @@ is_expression(const char *string)
 return 0;
 }
-/* loop over all principals matching exp */
+/*
+ * Loop over all principals matching exp. If any of calls to `func'
+ * failes, the first error is returned when all principals are
+ * processed.
+ */
 int
-foreach_principal(const char *exp,
+foreach_principal(const char *exp_str,
 int (*func)(krb5_principal, void*),
 const char *funcname,
 void *data)
@@ -492,15 +505,15 @@ foreach_principal(const char *exp,
 char **princs;
 int num_princs;
 int i;
- krb5_error_code ret;
+ krb5_error_code saved_ret = 0, ret = 0;
 krb5_principal princ_ent;
 int is_expr;
 /* if this isn't an expression, there is no point in wading
 through the whole database looking for matches */
- is_expr = is_expression(exp);
+ is_expr = is_expression(exp_str);
 if(is_expr)
- ret = kadm5_get_principals(kadm_handle, exp, &princs, &num_princs);
+ ret = kadm5_get_principals(kadm_handle, exp_str, &princs, &num_princs);
 if(!is_expr || ret == KADM5_AUTH_LIST) {
 /* we might be able to perform the requested opreration even
 if we're not allowed to list principals */
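Review bot: The new header comment on foreach_principal has a typo (`failes`), the clause "If any of calls to `func'" is ungrammatical, and it still speaks of "matching exp" although the parameter is renamed to `exp_str` in the same hunk. I would write it as `Loop over every principal matching exp_str and call func on each. A failing func does not stop the loop; after all principals are processed the first non-zero result from func is returned.` The typo `opreration` in the retained context comment could be fixed at the same time since the hunk already touches the lines around it.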
@@ -508,7 +521,7 @@ foreach_principal(const char *exp,
 princs = malloc(sizeof(*princs));
 if(princs == NULL)
 return ENOMEM;
- princs[0] = strdup(exp);
+ princs[0] = strdup(exp_str);
 if(princs[0] == NULL){
 free(princs);
 return ENOMEM;
@@ -524,12 +537,18 @@ foreach_principal(const char *exp,
 continue;
 }
 ret = (*func)(princ_ent, data);
- if(ret)
+ if(ret) {
+ krb5_clear_error_string(context);
 krb5_warn(context, ret, "%s %s", funcname, princs[i]);
+ if (saved_ret == 0)
+ saved_ret = ret;
+ }
 krb5_free_principal(context, princ_ent);
 }
+ if (ret == 0 && saved_ret != 0)
+ ret = saved_ret;
 kadm5_free_name_list(kadm_handle, princs, &num_princs);
- return 0;
+ return ret;
 }
 /*
@@ -556,11 +575,11 @@ get_response(const char *prompt, const char *def, char *buf, size_t len)
 osig = signal(SIGINT, interrupt);
 if(setjmp(jmpbuf)) {
 signal(SIGINT, osig);
- printf("\n");
+ fprintf(stderr, "\n");
 return 1;
 }
- printf("%s [%s]:", prompt, def);
+ fprintf(stderr, "%s [%s]:", prompt, def);
 if(fgets(buf, len, stdin) == NULL) {
 int save_errno = errno;
 if(ferror(stdin))
@@ -601,14 +620,14 @@ hex2n (char c)
 int
 parse_des_key (const char *key_string, krb5_key_data *key_data,
- const char **err)
+ const char **error)
 {
 const char *p = key_string;
 unsigned char bits[8];
 int i;
 if (strlen (key_string) != 16) {
- *err = "bad length, should be 16 for DES key";
+ *error = "bad length, should be 16 for DES key";
 return 1;
 }
 for (i = 0; i < 8; ++i) {
@@ -617,7 +636,7 @@ parse_des_key (const char *key_string, krb5_key_data *key_data,
 d1 = hex2n(p[2 * i]);
 d2 = hex2n(p[2 * i + 1]);
 if (d1 < 0 || d2 < 0) {
- *err = "non-hex character";
+ *error = "non-hex character";
 return 1;
 }
 bits[i] = (d1 << 4) | d2;
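Review bot: The header comment added in the previous hunk promises that "the first error is returned", but the new epilogue `if (ret == 0 && saved_ret != 0) ret = saved_ret;` returns the last error whenever the final iteration fails, because `ret` still holds that iteration's result; `saved_ret` is already 0 when nothing failed, so the epilogue can simply be `ret = saved_ret;`. The new `krb5_clear_error_string(context)` runs after `func` has returned, so any detailed message `func` attached to the context is thrown away just before `krb5_warn` would have printed it; if the intent is only to avoid a stale message from an earlier call, move the clear to just before `ret = (*func)(princ_ent, data);`. foreach_principal begins outside this hunk, and the `continue` at the top of the loop body suggests a krb5_parse_name failure is not recorded in `saved_ret` at all, so if it should count as an error the `if(ret)` branch before the `continue` needs the same `saved_ret` bookkeeping.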
@@ -629,6 +648,10 @@ parse_des_key (const char *key_string, krb5_key_data *key_data,
 key_data[i].key_data_type[0] = ETYPE_DES_CBC_CRC;
 key_data[i].key_data_length[0] = 8;
 key_data[i].key_data_contents[0] = malloc(8);
+ if (key_data[i].key_data_contents[0] == NULL) {
+ *error = "malloc";
+ return ENOMEM;
+ }
 memcpy (key_data[i].key_data_contents[0], bits, 8);
 /* salt */
 key_data[i].key_data_type[1] = KRB5_PW_SALT; |
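Review bot: The new NULL check in parse_des_key returns as soon as one `malloc(8)` fails, but the `key_data[i]` indexing suggests this sits inside a loop that has already filled `key_data_contents[0]` for earlier `i`, and those buffers are neither freed nor signalled to the caller as partially initialised; the loop itself is outside the hunk. If that reading is right, release the earlier entries before returning, or document on the function that after a non-zero return the caller must free whatever `key_data` slots were populated. The other failure paths in this function `return 1` while this one returns `ENOMEM`, so a caller comparing against 1 would miss it; pick one convention, and `*error = "malloc"` would be more useful to an operator as `*error = "out of memory"`.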