Diffstat (limited to 'crypto/heimdal/kadmin')
-rw-r--r-- | crypto/heimdal/kadmin/ChangeLog | 38 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/Makefile.in | 19 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/ank.c | 11 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/init.c | 27 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/kadm_conn.c | 2 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/kadmin.8 | 45 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/kadmin.c | 4 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/kadmind.8 | 39 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/kadmind.c | 2 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/mod.c | 6 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/server.c | 40 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/util.c | 5 | ||||
-rw-r--r-- | crypto/heimdal/kadmin/version4.c | 33 |
13 files changed, 200 insertions, 71 deletions
diff --git a/crypto/heimdal/kadmin/ChangeLog b/crypto/heimdal/kadmin/ChangeLog index a457753..093835e 100644 --- a/crypto/heimdal/kadmin/ChangeLog +++ b/crypto/heimdal/kadmin/ChangeLog @@ -1,6 +1,42 @@ +2003-04-14 Love Hörquist Åstrand <lha@it.su.se> + + * util.c: cast argument to tolower to unsigned char, from + Christian Biere <christianbiere@gmx.de> via NetBSD + +2003-04-06 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.8: s/kerberos/Kerberos/ + +2003-03-31 Love Hörquist Åstrand <lha@it.su.se> + + * kadmin.8: initialises -> initializes, from Perry E. Metzger" + <perry@piermont.com> + + * kadmin.c: principal, not pricipal. From Thomas Klausner + <wiz@netbsd.org> + +2003-02-04 Love Hörquist Åstrand <lha@it.su.se> + + * kadmind.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + + * kadmin.8: spelling, from jmc <jmc@prioris.mini.pw.edu.pl> + +2003-01-29 Love Hörquist Åstrand <lha@it.su.se> + + * server.c (kadmind_dispatch): kadm_chpass: require the password + to pass the password quality check in case the user changes the + user's own password kadm_chpass_with_key: disallow the user to + change it own password to a key, since that password might violate + the password quality check. + +2002-10-23 Assar Westerlund <assar@kth.se> + + * version4.c (decode_packet): check the length of the version + string and that rlen has a reasonable value + 2002-10-21 Johan Danielsson <joda@pdc.kth.se> - * version4.c: pull up 1.27; check size of rlen + * version4.c: check size of rlen 2002-09-10 Johan Danielsson <joda@pdc.kth.se> diff --git a/crypto/heimdal/kadmin/Makefile.in b/crypto/heimdal/kadmin/Makefile.in index d2578f5..4739519 100644 --- a/crypto/heimdal/kadmin/Makefile.in +++ b/crypto/heimdal/kadmin/Makefile.in @@ -18,7 +18,7 @@ # $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $ -# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $ +# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $ SHELL = @SHELL@ srcdir = @srcdir@ 
@@ -114,6 +114,7 @@ LIB_roken = @LIB_roken@ LIB_security = @LIB_security@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ NROFF = @NROFF@ @@ -192,7 +193,7 @@ LIB_readline = @LIB_readline@ NROFF_MAN = groff -mandoc -Tascii -@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) +LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) @KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ @KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la @@ -345,10 +346,10 @@ all: all-am .SUFFIXES: .SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj -$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4) cd $(top_srcdir) && \ $(AUTOMAKE) --foreign kadmin/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status +Makefile: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.in $(top_builddir)/config.status cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe) libexecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) install-libexecPROGRAMS: $(libexec_PROGRAMS) @@ -595,7 +596,9 @@ info: info-am info-am: -install-data-am: install-data-local install-man +install-data-am: install-man + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-exec-am: install-libexecPROGRAMS install-sbinPROGRAMS @$(NORMAL_INSTALL) 
@@ -626,8 +629,8 @@ uninstall-man: uninstall-man8 clean-noinstPROGRAMS clean-sbinPROGRAMS distclean \ distclean-compile distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am info info-am install \ - install-am install-data install-data-am install-data-local \ - install-exec install-exec-am install-info install-info-am \ + install-am install-data install-data-am install-exec \ + install-exec-am install-info install-info-am \ install-libexecPROGRAMS install-man install-man8 \ install-sbinPROGRAMS install-strip installcheck installcheck-am \ installdirs maintainer-clean maintainer-clean-generic \ @@ -760,7 +763,7 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans install-cat-mans: $(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) -install-data-local: install-cat-mans +install-data-hook: install-cat-mans .et.h: $(COMPILE_ET) $< diff --git a/crypto/heimdal/kadmin/ank.c b/crypto/heimdal/kadmin/ank.c index 0dfdfad..a166fb2 100644 --- a/crypto/heimdal/kadmin/ank.c +++ b/crypto/heimdal/kadmin/ank.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$Id: ank.c,v 1.23 2002/06/07 19:05:38 nectar Exp $"); +RCSID("$Id: ank.c,v 1.25 2002/12/03 14:11:24 joda Exp $"); /* * fetch the default principal corresponding to `princ' @@ -112,7 +112,8 @@ add_one_principal (const char *name, if(use_defaults) set_defaults(&princ, &mask, default_ent, default_mask); else - edit_entry(&princ, &mask, default_ent, default_mask); + if(edit_entry(&princ, &mask, default_ent, default_mask)) + goto out; if(rand_key || key_data) { princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; mask |= KADM5_ATTRIBUTES; 
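Review bot: The new `goto out` after a failed edit_entry jumps to a label that is outside this hunk, so it is not visible here whether that path releases `princ` (and `default_ent`) through kadm5_free_principal_ent before returning; worth confirming, since the entry is already partially populated at that point. The same pattern is introduced in mod.c (mod_entry), where the added `out:` label is visible and sits directly before kadm5_free_principal_ent, which is the expected shape. In both files an aborted edit returns 0 with no diagnostic; a one-line `krb5_warnx(context, "%s: edit aborted, nothing changed", name);` before the jump would tell the user that no principal was created or modified. add_one_principal starts and ends outside the hunk.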
@@ -136,8 +137,10 @@ add_one_principal (const char *name, } ret = kadm5_create_principal(kadm_handle, &princ, mask, password); - if(ret) + if(ret) { krb5_warn(context, ret, "kadm5_create_principal"); + goto out; + } if(rand_key) { krb5_keyblock *new_keys; int n_keys, i; diff --git a/crypto/heimdal/kadmin/init.c b/crypto/heimdal/kadmin/init.c index 2391a08..587458b 100644 --- a/crypto/heimdal/kadmin/init.c +++ b/crypto/heimdal/kadmin/init.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "kadmin_locl.h" #include <kadm5/private.h> -RCSID("$Id: init.c,v 1.27 2000/09/10 19:20:16 joda Exp $"); +RCSID("$Id: init.c,v 1.29 2002/12/03 14:08:17 joda Exp $"); static kadm5_ret_t create_random_entry(krb5_principal princ, @@ -90,6 +90,7 @@ static struct getargs args[] = { "realm max ticket lifetime" }, { "realm-max-renewable-life", 0, arg_string, NULL, "realm max renewable lifetime" }, + { "help", 'h', arg_flag, NULL }, }; static int num_args = sizeof(args) / sizeof(args[0]); @@ -107,14 +108,16 @@ init(int argc, char **argv) int i; char *realm_max_life = NULL; char *realm_max_rlife = NULL; + int help_flag = 0; HDB *db; int optind = 0; krb5_deltat max_life, max_rlife; args[0].value = &realm_max_life; args[1].value = &realm_max_rlife; + args[2].value = &help_flag; - if(getarg(args, num_args, argc, argv, &optind)) { + if(getarg(args, num_args, argc, argv, &optind) || help_flag) { usage(); return 0; } 
@@ -150,16 +153,24 @@ init(int argc, char **argv) const char *realm = argv[i]; /* Create `krbtgt/REALM' */ - krb5_make_principal(context, &princ, realm, - KRB5_TGS_NAME, realm, NULL); + ret = krb5_make_principal(context, &princ, realm, + KRB5_TGS_NAME, realm, NULL); + if(ret) + return 0; if (realm_max_life == NULL) { max_life = 0; - edit_deltat ("Realm max ticket life", &max_life, NULL, 0); + if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) { + krb5_free_principal(context, princ); + return 0; + } } if (realm_max_rlife == NULL) { max_rlife = 0; - edit_deltat("Realm max renewable ticket life", &max_rlife, - NULL, 0); + if(edit_deltat("Realm max renewable ticket life", &max_rlife, + NULL, 0)) { + krb5_free_principal(context, princ); + return 0; + } } create_random_entry(princ, max_life, max_rlife, 0); krb5_free_principal(context, princ); diff --git a/crypto/heimdal/kadmin/kadm_conn.c b/crypto/heimdal/kadmin/kadm_conn.c index f2b54de..ae44c43 100644 --- a/crypto/heimdal/kadmin/kadm_conn.c +++ b/crypto/heimdal/kadmin/kadm_conn.c @@ -36,7 +36,7 @@ #include <sys/wait.h> #endif -RCSID("$Id: kadm_conn.c,v 1.13.6.1 2002/10/21 14:53:39 joda Exp $"); +RCSID("$Id: kadm_conn.c,v 1.14 2002/10/21 13:21:24 joda Exp $"); struct kadm_port { char *port; diff --git a/crypto/heimdal/kadmin/kadmin.8 b/crypto/heimdal/kadmin/kadmin.8 index 66880f3..cf7ebe8 100644 --- a/crypto/heimdal/kadmin/kadmin.8 +++ b/crypto/heimdal/kadmin/kadmin.8 
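Review bot: The new `if(ret) return 0;` after krb5_make_principal exits silently, whereas the other failures in this file are reported; `if(ret) { krb5_warn(context, ret, "krb5_make_principal"); return 0; }` keeps the error style consistent and tells the operator why no realm entries were created. The three new early returns also leave the realm loop without reaching whatever follows it — `HDB *db` is declared in the previous hunk, and if the database is opened before this loop these paths would return with it still open; the start and end of init() are outside the hunk, so this needs checking against the surrounding code. Returning 0 on these paths reports success to the command shell for an aborted initialisation, which matches the existing usage() path but is worth a comment.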
@@ -1,4 +1,35 @@
-.\" $Id: kadmin.8,v 1.7 2002/08/20 17:07:11 joda Exp $
+.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $
 .\"
 .Dd September 10, 2000
 .Dt KADMIN 8
@@ -43,7 +74,7 @@ .Sh DESCRIPTION The .Nm -program is used to make modification to the Kerberos database, either remotely via the +program is used to make modifications to the Kerberos database, either remotely via the .Xr kadmind 8 daemon, or locally (with the .Fl l @@ -60,7 +91,7 @@ principal to authenticate as .Fl K Ar string , .Fl -keytab= Ns Ar string .Xc -keytab for authentication pricipal +keytab for authentication principal .It Xo .Fl c Ar file , .Fl -config-file= Ns Ar file @@ -145,7 +176,7 @@ removes a principal .Ar principal enctypes... .Pp .Bd -ragged -offset indent -removes some enctypes from a principal, this can be useful the service +removes some enctypes from a principal. This can be useful the service belonging to the principal is known to not handle certain enctypes .Ed .Pp @@ -198,12 +229,12 @@ modifies certain attributes of a principal .Nm privileges .Pp .Bd -ragged -offset indent -lists the operations you are allowd to perform +lists the operations you are allowed to perform .Ed .Pp .Ed .Pp -When running in local mode, the following commands can also be used. +When running in local mode, the following commands can also be used: .Bd -ragged -offset indent .Nm dump .Op Fl d | Fl -decrypt @@ -221,7 +252,7 @@ form to the specified file, or standard out .Ar realm .Pp .Bd -ragged -offset indent -initialises the Kerberos database with entries for a new realm, it's +initializes the Kerberos database with entries for a new realm. It's possible to have more than one realm served by one server .Ed .Pp diff --git a/crypto/heimdal/kadmin/kadmin.c b/crypto/heimdal/kadmin/kadmin.c index ff2eec9..9438587 100644 --- a/crypto/heimdal/kadmin/kadmin.c +++ b/crypto/heimdal/kadmin/kadmin.c @@ -34,7 +34,7 @@ #include "kadmin_locl.h" #include <sl.h> -RCSID("$Id: kadmin.c,v 1.41 2001/08/10 08:06:13 joda Exp $"); +RCSID("$Id: kadmin.c,v 1.42 2003/03/31 10:20:19 lha Exp $"); static char *config_file; static char *keyfile; 
@@ -51,7 +51,7 @@ static struct getargs args[] = { { "principal", 'p', arg_string, &client_name, "principal to authenticate as" }, { "keytab", 'K', arg_string, &keytab, - "keytab for authentication pricipal" }, + "keytab for authentication principal" }, { "config-file", 'c', arg_string, &config_file, "location of config file", "file" diff --git a/crypto/heimdal/kadmin/kadmind.8 b/crypto/heimdal/kadmin/kadmind.8 index ac1fcd2..5663225 100644 --- a/crypto/heimdal/kadmin/kadmind.8 +++ b/crypto/heimdal/kadmin/kadmind.8 
@@ -1,11 +1,42 @@
-.\" $Id: kadmind.8,v 1.10.2.1 2002/10/21 14:53:39 joda Exp $
+.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\" +.\" $Id: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $ .\" .Dd March 5, 2002 .Dt KADMIND 8 .Os HEIMDAL .Sh NAME .Nm kadmind -.Nd "server for administrative access to kerberos database" +.Nd "server for administrative access to Kerberos database" .Sh SYNOPSIS .Nm .Oo Fl c Ar file \*(Ba Xo @@ -51,7 +82,7 @@ daemon is responsible for the Kerberos 5 password changing protocol .Xr kpasswd 1 ) . .Pp -This daemon should only be run on ther master server, and not on any +This daemon should only be run on the master server, and not on any slaves. .Pp Principals are always allowed to change their own password and list @@ -118,7 +149,7 @@ enable debugging .Fl p Ar port , .Fl -ports= Ns Ar port .Xc -ports to listen to. By default, if run as a daemon, it listen to ports +ports to listen to. By default, if run as a daemon, it listens to ports 749, and 751 (if Kerberos 4 support is built and enabled), but you can add any number of ports with this option. The port string is a whitespace separated list of port specifications, with the special diff --git a/crypto/heimdal/kadmin/kadmind.c b/crypto/heimdal/kadmin/kadmind.c index 5ef6349..2998ee6 100644 --- a/crypto/heimdal/kadmin/kadmind.c +++ b/crypto/heimdal/kadmin/kadmind.c @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$Id: kadmind.c,v 1.27.6.1 2002/10/21 14:53:39 joda Exp $"); +RCSID("$Id: kadmind.c,v 1.28 2002/10/21 13:21:24 joda Exp $"); static char *check_library = NULL; static char *check_function = NULL; diff --git a/crypto/heimdal/kadmin/mod.c b/crypto/heimdal/kadmin/mod.c index 1ea9c86..0e9cd08 100644 --- a/crypto/heimdal/kadmin/mod.c +++ b/crypto/heimdal/kadmin/mod.c @@ -33,7 +33,7 @@ #include "kadmin_locl.h" -RCSID("$Id: mod.c,v 1.10 2000/07/11 14:34:56 joda Exp $"); +RCSID("$Id: mod.c,v 1.11 2002/12/03 14:12:30 joda Exp $"); static int parse_args (krb5_context context, kadm5_principal_ent_t ent, int argc, char **argv, int *optind, char *name, 
@@ -136,7 +136,8 @@ mod_entry(int argc, char **argv) printf ("no such principal: %s\n", argv[0]); return 0; } - edit_entry(&princ, &mask, NULL, 0); + if(edit_entry(&princ, &mask, NULL, 0)) + goto out; } else { princ.principal = princ_ent; } @@ -144,6 +145,7 @@ mod_entry(int argc, char **argv) ret = kadm5_modify_principal(kadm_handle, &princ, mask); if(ret) krb5_warn(context, ret, "kadm5_modify_principal"); + out: kadm5_free_principal_ent(kadm_handle, &princ); return 0; } diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c index 82050bb..adaf6cf 100644 --- a/crypto/heimdal/kadmin/server.c +++ b/crypto/heimdal/kadmin/server.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "kadmin_locl.h" #include <krb5-private.h> -RCSID("$Id: server.c,v 1.36.2.1 2002/10/21 14:53:39 joda Exp $"); +RCSID("$Id: server.c,v 1.38 2003/01/29 12:33:05 lha Exp $"); static kadm5_ret_t kadmind_dispatch(void *kadm_handle, krb5_boolean initial, 
@@ -217,19 +217,36 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, /* * The change is allowed if at least one of: - * a) it's for the principal him/herself and this was an initial ticket + + * a) it's for the principal him/herself and this was an + * initial ticket, but then, check with the password quality + * function. * b) the user is on the CPW ACL. */ if (initial && krb5_principal_compare (context->context, context->caller, princ)) - ret = 0; - else + { + krb5_data pwd_data; + const char *pwd_reason; + + pwd_data.data = password; + pwd_data.length = strlen(password); + + pwd_reason = kadm5_check_password_quality (context->context, + princ, &pwd_data); + if (pwd_reason != NULL) + ret = KADM5_PASS_Q_DICT; + else + ret = 0; + } else ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); if(ret) { krb5_free_principal(context->context, princ); + memset(password, 0, strlen(password)); + free(password); goto fail; } ret = kadm5_chpass_principal(kadm_handle, princ, password); @@ -286,18 +303,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, krb5_warnx(context->context, "%s: %s %s", client, op, name); /* - * The change is allowed if at least one of: - * a) it's for the principal him/herself and this was an initial ticket - * b) the user is on the CPW ACL. + * The change is only allowed if the user is on the CPW ACL, + * this it to force password quality check on the user. */ - if (initial - && krb5_principal_compare (context->context, context->caller, - princ)) - ret = 0; - else - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); - + ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); if(ret) { int16_t dummy = n_key_data; diff --git a/crypto/heimdal/kadmin/util.c b/crypto/heimdal/kadmin/util.c index f1b9764..b25bf2a 100644 --- a/crypto/heimdal/kadmin/util.c +++ b/crypto/heimdal/kadmin/util.c 
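Review bot: In the new password-quality branch the reason string returned by kadm5_check_password_quality is discarded: `pwd_reason` is only compared with NULL and the caller gets the generic KADM5_PASS_Q_DICT whatever the actual complaint was, so a rejected self-service change leaves no trace in the server log. Logging it next to the existing per-operation warning, e.g. `krb5_warnx(context->context, "%s: %s %s: %s", client, op, name, pwd_reason);`, would make policy rejections diagnosable; the second hunk shows `client`, `op` and `name` are in scope in kadmind_dispatch, but whether they are set at this point of the switch is outside the hunk. The added `memset(password, 0, strlen(password)); free(password);` is the right idea for the ACL/quality failure path, but a plain memset immediately before free() may be elided by the optimizer; an explicit-zeroing helper (explicit_bzero or memset_s where available) is the safer call. In the second hunk the rewritten comment reads `this it to force` and should read `this is to force`. kadmind_dispatch starts and ends outside both hunks.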
@@ -34,7 +34,7 @@ #include "kadmin_locl.h" #include <parse_units.h> -RCSID("$Id: util.c,v 1.37 2002/06/07 18:28:46 joda Exp $"); +RCSID("$Id: util.c,v 1.39 2003/04/14 11:55:27 lha Exp $"); /* * util.c - functions for parsing, unparsing, and editing different @@ -556,6 +556,7 @@ get_response(const char *prompt, const char *def, char *buf, size_t len) osig = signal(SIGINT, interrupt); if(setjmp(jmpbuf)) { signal(SIGINT, osig); + printf("\n"); return 1; } @@ -586,7 +587,7 @@ hex2n (char c) static char hexdigits[] = "0123456789abcdef"; const char *p; - p = strchr (hexdigits, tolower((int)c)); + p = strchr (hexdigits, tolower((unsigned char)c)); if (p == NULL) return -1; else diff --git a/crypto/heimdal/kadmin/version4.c b/crypto/heimdal/kadmin/version4.c index 466ec3a..80bf927 100644 --- a/crypto/heimdal/kadmin/version4.c +++ b/crypto/heimdal/kadmin/version4.c @@ -41,7 +41,7 @@ #include <krb_err.h> #include <kadm_err.h> -RCSID("$Id: version4.c,v 1.26.2.1 2002/10/21 14:52:59 joda Exp $"); +RCSID("$Id: version4.c,v 1.29 2002/10/29 10:33:23 joda Exp $"); #define KADM_NO_OPCODE -1 #define KADM_NO_ENCRYPT -2 @@ -51,7 +51,7 @@ RCSID("$Id: version4.c,v 1.26.2.1 2002/10/21 14:52:59 joda Exp $"); */ static void -make_you_loose_packet(int code, krb5_data *reply) +make_you_lose_packet(int code, krb5_data *reply) { krb5_data_alloc(reply, KADM_VERSIZE + 4); memcpy(reply->data, KADM_ULOSE, KADM_VERSIZE); @@ -812,9 +812,9 @@ decode_packet(krb5_context context, char *client_str; krb5_keytab_entry entry; - if(message.length < KADM_VERSIZE + if(message.length < KADM_VERSIZE + 4 || strncmp(msg, KADM_VERSTR, KADM_VERSIZE) != 0) { - make_you_loose_packet (KADM_BAD_VER, reply); + make_you_lose_packet (KADM_BAD_VER, reply); return; } 
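Review bot: The cast to unsigned char fixes the tolower() argument, but the rewritten line still matches the terminator: `strchr(hexdigits, '\0')` returns a pointer to the trailing NUL of `hexdigits`, so hex2n('\0') does not take the `p == NULL` branch and falls into the else branch outside the hunk instead of reporting -1. A guard before the lookup, `if (c == '\0') return -1;`, closes that, which matters if a caller walks a hex string two characters at a time and can reach the terminator on odd-length input. hex2n's body continues past the hunk.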
@@ -823,9 +823,10 @@ decode_packet(krb5_context context, memset(&authent, 0, sizeof(authent)); authent.length = message.length - rlen - KADM_VERSIZE - 4; - if(authent.length >= MAX_KTXT_LEN) { + if(rlen > message.length - KADM_VERSIZE - 4 + || authent.length > MAX_KTXT_LEN) { krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen); - make_you_loose_packet (KADM_LENGTH_ERROR, reply); + make_you_lose_packet (KADM_LENGTH_ERROR, reply); return; } @@ -840,7 +841,7 @@ decode_packet(krb5_context context, "changepw", "kerberos", NULL); if (ret) { krb5_warn (context, ret, "krb5_make_principal"); - make_you_loose_packet (KADM_NOMEM, reply); + make_you_lose_packet (KADM_NOMEM, reply); return; } ret = krb5_kt_get_entry (context, keytab, principal, 0, @@ -848,7 +849,7 @@ decode_packet(krb5_context context, krb5_kt_close (context, keytab); if (ret) { krb5_free_principal(context, principal); - make_you_loose_packet (KADM_NO_AUTH, reply); + make_you_lose_packet (KADM_NO_AUTH, reply); return; } ret = krb5_copy_keyblock (context, &entry.keyblock,& key); @@ -856,10 +857,10 @@ decode_packet(krb5_context context, krb5_free_principal(context, principal); if(ret) { if(ret == KRB5_KT_NOTFOUND) - make_you_loose_packet(KADM_NO_AUTH, reply); + make_you_lose_packet(KADM_NO_AUTH, reply); else /* XXX */ - make_you_loose_packet(KADM_NO_AUTH, reply); + make_you_lose_packet(KADM_NO_AUTH, reply); krb5_warn(context, ret, "krb5_kt_read_service_key"); return; } @@ -875,7 +876,7 @@ decode_packet(krb5_context context, client_addr->sin_addr.s_addr, &ad, NULL); if(ret) { - make_you_loose_packet(ERROR_TABLE_BASE_krb + ret, reply); + make_you_lose_packet(ERROR_TABLE_BASE_krb + ret, reply); krb5_warnx(context, "krb_rd_req: %d", ret); return; } @@ -884,7 +885,7 @@ decode_packet(krb5_context context, &client); if (ret) { krb5_warnx (context, "krb5_425_conv_principal: %d", ret); - make_you_loose_packet (KADM_NOMEM, reply); + make_you_lose_packet (KADM_NOMEM, reply); return; } 
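Review bot: In the `@@ -823` hunk `authent.length` is still computed from `rlen` on the line before the new bound check, so for an oversized `rlen` the subtraction wraps before the `rlen > message.length - KADM_VERSIZE - 4` test rejects the packet; this is harmless because the `||` short-circuits on the first clause and the lengths appear to be unsigned (the `%lu` cast suggests so), but moving the assignment below the `if` would make the validation order obvious. The comparison was also loosened from `>=` to `> MAX_KTXT_LEN`, which is only safe if the `authent.dat` buffer holds exactly MAX_KTXT_LEN bytes; worth confirming against the krb4 KTEXT_ST definition, since the copy into it is outside the hunk. The `KADM_VERSIZE + 4` minimum added in the `@@ -812` hunk is what keeps that subtraction from underflowing, so the two checks belong together if this code is touched again. decode_packet starts and ends outside the hunk.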
@@ -898,21 +899,21 @@ decode_packet(krb5_context context, &kadm_handle); if (ret) { krb5_warn (context, ret, "kadm5_init_with_password_ctx"); - make_you_loose_packet (KADM_NOMEM, reply); + make_you_lose_packet (KADM_NOMEM, reply); goto out; } checksum = des_quad_cksum((void *)(msg + off), NULL, rlen, 0, &ad.session); if(checksum != ad.checksum) { krb5_warnx(context, "decode_packet: bad checksum"); - make_you_loose_packet (KADM_BAD_CHK, reply); + make_you_lose_packet (KADM_BAD_CHK, reply); goto out; } des_set_key(&ad.session, schedule); ret = krb_rd_priv(msg + off, rlen, schedule, &ad.session, client_addr, admin_addr, &msg_dat); if (ret) { - make_you_loose_packet (ERROR_TABLE_BASE_krb + ret, reply); + make_you_lose_packet (ERROR_TABLE_BASE_krb + ret, reply); krb5_warnx(context, "krb_rd_priv: %d", ret); goto out; } @@ -931,7 +932,7 @@ decode_packet(krb5_context context, schedule, &ad.session, admin_addr, client_addr); if((ssize_t)reply->length < 0) { - make_you_loose_packet(KADM_NO_ENCRYPT, reply); + make_you_lose_packet(KADM_NO_ENCRYPT, reply); goto out; } } |