+++ /dev/null
-# Sanitize.in for Kerberos V5
-
-# Each directory to survive it's way into a release will need a file
-# like this one called "./.Sanitize". All keyword lines must exist,
-# and must exist in the order specified by this file. Each directory
-# in the tree will be processed, top down, in the following order.
-
-# Hash started lines like this one are comments and will be deleted
-# before anything else is done. Blank lines will also be squashed
-# out.
-
-# The lines between the "Do-first:" line and the "Things-to-keep:"
-# line are executed as a /bin/sh shell script before anything else is
-# done in this
-
-Do-first:
-
-# All files listed between the "Things-to-keep:" line and the
-# "Files-to-sed:" line will be kept. All other files will be removed.
-# Directories listed in this section will have their own Sanitize
-# called. Directories not listed will be removed in their entirety
-# with rm -rf.
-
-Things-to-keep:
-
-.cvsignore
-ChangeLog
-Makefile.in
-configure
-configure.in
-kdb5_create.M
-kdb5_create.c
-
-Things-to-lose:
-
-Do-last:
-
-# End of file.
+++ /dev/null
-Tue May 7 23:04:17 1996 Marc Horowitz <marc@mit.edu>
-
- * kdb5_create.c (add_principal): convert to used new krb5_dbe_*
- tl_data functions.
-
- * configure.in: use USE_KADMSRV_LIBRARY instead of
- USE_KADM_LIBRARY.
-
-Wed Dec 13 03:44:58 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_create.c : Remove mkvno from krb5_db_entry.
-
-Thu Nov 09 17:05:57 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_create.c : Remove krb5_enctype from krb5_string_to_key() args.
-
-Wed Oct 18 14:25:29 1995 <tytso@rsts-11.mit.edu>
-
- * kdb5_create.c (main): Add new option 's' which automatically
- stashes the master key in the key stash file. This
- eliminates the need for the admin to type kdb5_stash right
- after kdb5_create.
-
-Wed Sep 13 19:02:50 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * kdb5_create.c (tgt_keysalt_iterate): Don't bash the master key
- encblock when creating the various TGT keys. Otherwise,
- the keys end up getting encrypted using the wrong
- encryption algorithm. Initialize a new encblock,
- random_encblock, from the master key password.
- (main): Prompt for the master key password ourselves, and
- store it away so that it can be used by tgt_keysalt_iterate.
-
-Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_create.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g
-
-Tue Sep 05 22:10:34 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_create.c : Remove krb5_enctype references, and replace with
- krb5_keytype where appropriate.
-
-Wed Aug 9 18:05:44 EDT 1995 Paul Park (pjpark@mit.edu)
- * kdb5_create.c - Use default key/salt tuple list or one generated from
- reading KDC profile to determine which key types to make for
- the tgt principal.
-
-
-Mon Jul 31 15:45:49 EDT 1995 Paul Park (pjpark@mit.edu)
- * kdb5_create.c - Use new admin string conversion routines.
- * kdb5_create.M - Remove "string representation of integer" for keytype
- and etype.
-
-
-Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_create.c : Use new kdb format.
-
-Mon Jul 17 14:58:00 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add KADM library.
- * kdb5_create.c - Add KDC profile reading/handling as a supplement to
- command line supplied arguments. Change calling sequence to
- krb5_db_fetch_mkey().
-
-
-Fri Jul 7 15:36:00 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Remove all explicit library handling and LDFLAGS.
- * configure.in - Add USE_KDB5_LIBRARY and KRB5_LIBRARIES.
-
-
-Fri Jun 30 14:30:07 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add --with-dbm to select between Berkeley and DBM
- KDC database format.
-
-
-Thu Jun 15 15:29:39 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Change explicit library names to -l<lib> form, and
- change target link line to use $(LD) and associated flags.
- Also, remove DBMLIB, it wasn't used.
- * configure.in - Remove checks for dbm, they are not needed any
- more with the Berkeley database code. Add shared library
- usage check.
-
-Fri Jun 9 18:14:21 1995 <tytso@rsx-11.mit.edu>
-
- * configure.in: Remove standardized set of autoconf macros, which
- are now handled by CONFIG_RULES.
-
-Thu Mar 2 12:18:02 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * Makefile.in (ISODELIB): Remove reference to $(ISODELIB).
-
-Wed Mar 1 11:52:18 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * configure.in: Remove ISODE_INCLUDE, replace check for -lsocket
- and -lnsl with WITH_NETLIB check.
-
-Tue Feb 28 02:05:32 1995 John Gilmore (gnu at toad.com)
-
- * kdb5_create.c: Avoid <krb5/...> and <com_err.h> includes.
-
-Fri Jan 13 15:23:47 1995 Chris Provenzano (proven@mit.edu)
-
- * Added krb5_context to all krb5_routines
-
-Thu Oct 6 23:29:07 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * kdb5_create.c (main): Add a new option so that the master key
- password can be entered on the command line --- for
- testing only; not documented!!
-
-Mon Oct 3 19:10:01 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Use $(srcdir) to find manual page for make install.
-
-Fri Sep 30 22:04:35 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * kdb5_create.c: Add placeholders for magic numbers.
-
-Thu Sep 29 22:19:37 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Relink executable when libraries change.
-
-Tue Jul 19 18:56:59 1994 Tom Yu (tlyu at dragons-lair)
-
- * kdb5_create.c: start kvno and mkno at 1, not 0.
-
-Wed Jun 29 00:19:17 1994 Tom Yu (tlyu at dragons-lair)
-
- * kdb5_create.c: fixed up something that should have been a call
- to init_ets()
-
+++ /dev/null
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
-
-all:: kdb5_create
-
-kdb5_create: kdb5_create.o $(DEPLIBS)
- $(LD) $(LDFLAGS) $(LDARGS) -o kdb5_create kdb5_create.o $(LIBS)
-
-install::
- $(INSTALL_PROGRAM) kdb5_create $(DESTDIR)$(ADMIN_BINDIR)/kdb5_create
- $(INSTALL_DATA) $(srcdir)/kdb5_create.M $(DESTDIR)$(ADMIN_MANDIR)/kdb5_create.8
-
-clean::
- $(RM) kdb5_create kdb5_create.o
-
-
+++ /dev/null
-AC_INIT(kdb5_create.c)
-CONFIG_RULES
-AC_PROG_INSTALL
-USE_KADMSRV_LIBRARY
-USE_KDB5_LIBRARY
-KRB5_LIBRARIES
-V5_USE_SHARED_LIB
-V5_AC_OUTPUT_MAKEFILE
+++ /dev/null
-.\" admin/create/kdb5_create.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KDB5_CREATE 8 "Kerberos Version 5.0" "MIT Project Athena"
-.SH NAME
-kdb5_create \- create a new Kerberos V5 principal database
-.SH SYNOPSIS
-.B kdb5_create
-[
-.B \-r
-.I realm
-] [
-.B \-d
-.I dbname
-] [
-.B \-k
-.I keytype
-] [
-.B \-M
-.I mkeyname
-] [
-.B \-e
-.I enctype
-]
-.br
-.SH DESCRIPTION
-.I kdb5_create
-is used to create an empty Kerberos version 5 principal database.
-The user is prompted for the master password, which will be used to
-generate an encryption key under which all entries are stored (in order
-to provide some security against database theft).
-.PP
-The
-.B \-r
-.I realm
-option specifies the realm for which the database should be created;
-by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.PP
-The
-.B \-d
-.I dbname
-option specifies the name under which the principal database is to be
-created; by default the database is in DEFAULT_DBM_FILE (normally
-/krb5/principal).
-.PP
-The
-.B \-k
-.I keytype
-option specifies the key type of the master key in the database.
-.PP
-The
-.B \-M
-.I mkeyname
-option specifies the principal name for the master key in the database;
-the default is KRB5_KDB_M_NAME (usually "K/M" in the KDC's realm).
-.PP
-The
-.B \-e
-.I enctype
-option specifies the encryption type to be used when placing entries in
-the database.
-keytype.
-.SH SEE ALSO
-krb5(3), krb5kdc(8)
-.SH BUGS
-Doesn't have flexibility about expiration times.
+++ /dev/null
-/*
- * admin/create/kdb5_create.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Generate (from scratch) a Kerberos KDC database.
- */
-
-#include "k5-int.h"
-#include "com_err.h"
-#include "adm.h"
-#include "adm_proto.h"
-#include <stdio.h>
-
-enum ap_op {
- NULL_KEY, /* setup null keys */
- MASTER_KEY, /* use master key as new key */
- TGT_KEY /* special handling for tgt key */
-};
-
-krb5_key_salt_tuple def_kslist = { ENCTYPE_DES_CBC_CRC, KRB5_KDB_SALTTYPE_NORMAL };
-
-struct realm_info {
- krb5_deltat max_life;
- krb5_deltat max_rlife;
- krb5_timestamp expiration;
- krb5_flags flags;
- krb5_encrypt_block *eblock;
- krb5_pointer rseed;
- krb5_int32 nkslist;
- krb5_key_salt_tuple *kslist;
-} rblock = { /* XXX */
- KRB5_KDB_MAX_LIFE,
- KRB5_KDB_MAX_RLIFE,
- KRB5_KDB_EXPIRATION,
- KRB5_KDB_DEF_FLAGS,
- (krb5_encrypt_block *) NULL,
- (krb5_pointer) NULL,
- 1,
- &def_kslist
-};
-
-struct iterate_args {
- krb5_context ctx;
- struct realm_info *rblock;
- krb5_db_entry *dbentp;
-};
-
-static krb5_error_code add_principal
- PROTOTYPE((krb5_context,
- krb5_principal,
- enum ap_op,
- struct realm_info *));
-
-/*
- * Steps in creating a database:
- *
- * 1) use the db calls to open/create a new database
- *
- * 2) get a realm name for the new db
- *
- * 3) get a master password for the new db; convert to an encryption key.
- *
- * 4) create various required entries in the database
- *
- * 5) close & exit
- */
-
-static void
-usage(who, status)
-char *who;
-int status;
-{
- fprintf(stderr, "usage: %s [-d dbpathname] [-r realmname] [-k enctype]\n\
-\t[-M mkeyname]\n",
- who);
- exit(status);
-}
-
-krb5_keyblock master_keyblock;
-krb5_principal master_princ;
-krb5_encrypt_block master_encblock;
-krb5_data master_salt;
-
-krb5_data tgt_princ_entries[] = {
- {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
- {0, 0, 0} };
-
-krb5_data db_creator_entries[] = {
- {0, sizeof("db_creation")-1, "db_creation"} };
-
-/* XXX knows about contents of krb5_principal, and that tgt names
- are of form TGT/REALM@REALM */
-krb5_principal_data tgt_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- tgt_princ_entries, /* krb5_data *data */
- 2, /* int length */
- KRB5_NT_SRV_INST /* int type */
-};
-
-krb5_principal_data db_create_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- db_creator_entries, /* krb5_data *data */
- 1, /* int length */
- KRB5_NT_SRV_INST /* int type */
-};
-
-char *mkey_password = 0;
-
-void
-main(argc, argv)
-int argc;
-char *argv[];
-{
- extern char *optarg;
- int optchar;
-
- krb5_error_code retval;
- char *dbname = (char *) NULL;
- char *realm = 0;
- char *mkey_name = 0;
- char *mkey_fullname;
- char *defrealm;
- char *pw_str = 0;
- char *keyfile = 0;
- int pw_size = 0;
- int enctypedone = 0;
- int do_stash = 0;
- krb5_data pwd;
- krb5_context context;
- krb5_realm_params *rparams;
-
- krb5_init_context(&context);
- krb5_init_ets(context);
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- while ((optchar = getopt(argc, argv, "d:r:k:M:e:P:sf:")) != EOF) {
- switch(optchar) {
- case 'd': /* set db name */
- dbname = optarg;
- break;
- case 'r':
- realm = optarg;
- break;
- case 'k':
- if (!krb5_string_to_enctype(optarg, &master_keyblock.enctype))
- enctypedone++;
- else
- com_err(argv[0], 0, "%s is an invalid enctype", optarg);
- break;
- case 's':
- do_stash++;
- break;
- case 'f':
- keyfile = optarg;
- break;
- case 'M': /* master key name in DB */
- mkey_name = optarg;
- break;
- case 'P': /* Only used for testing!!! */
- mkey_password = optarg;
- break;
- case '?':
- default:
- usage(argv[0], 1);
- /*NOTREACHED*/
- }
- }
-
- /*
- * Attempt to read the KDC profile. If we do, then read appropriate values
- * from it and augment values supplied on the command line.
- */
- if (!(retval = krb5_read_realm_params(context,
- realm,
- (char *) NULL,
- (char *) NULL,
- &rparams))) {
- /* Get the value for the database */
- if (rparams->realm_dbname && !dbname)
- dbname = strdup(rparams->realm_dbname);
-
- /* Get the value for the master key name */
- if (rparams->realm_mkey_name && !mkey_name)
- mkey_name = strdup(rparams->realm_mkey_name);
-
- /* Get the value for the master key type */
- if (rparams->realm_enctype_valid && !enctypedone) {
- master_keyblock.enctype = rparams->realm_enctype;
- enctypedone++;
- }
-
- /* Get the value for maximum ticket lifetime. */
- if (rparams->realm_max_life_valid)
- rblock.max_life = rparams->realm_max_life;
-
- /* Get the value for maximum renewable ticket lifetime. */
- if (rparams->realm_max_rlife_valid)
- rblock.max_rlife = rparams->realm_max_rlife;
-
- /* Get the value for the default principal expiration */
- if (rparams->realm_expiration_valid)
- rblock.expiration = rparams->realm_expiration;
-
- /* Get the value for the default principal flags */
- if (rparams->realm_flags_valid)
- rblock.flags = rparams->realm_flags;
-
- /* Get the value of the supported key/salt pairs */
- if (rparams->realm_num_keysalts) {
- rblock.nkslist = rparams->realm_num_keysalts;
- rblock.kslist = rparams->realm_keysalts;
- rparams->realm_num_keysalts = 0;
- rparams->realm_keysalts = (krb5_key_salt_tuple *) NULL;
- }
-
- /* Get the value for the stash file */
- if (rparams->realm_stash_file && !keyfile)
- keyfile = strdup(rparams->realm_stash_file);
-
- krb5_free_realm_params(context, rparams);
- }
-
- if (!dbname)
- dbname = DEFAULT_KDB_FILE;
-
- if (!enctypedone)
- master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
-
- if (!valid_enctype(master_keyblock.enctype)) {
- char tmp[32];
- if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp)))
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- else
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
- exit(1);
- }
-
- krb5_use_enctype(context, &master_encblock, master_keyblock.enctype);
-
- retval = krb5_db_set_name(context, dbname);
- if (!retval) retval = EEXIST;
-
- if (retval == EEXIST || retval == EACCES || retval == EPERM) {
- /* it exists ! */
- com_err(argv[0], 0, "The database '%s' appears to already exist",
- dbname);
- exit(1);
- }
- if (!realm) {
- if ((retval = krb5_get_default_realm(context, &defrealm))) {
- com_err(argv[0], retval, "while retrieving default realm name");
- exit(1);
- }
- realm = defrealm;
- }
-
- /* assemble & parse the master key name */
-
- if ((retval = krb5_db_setup_mkey_name(context, mkey_name, realm,
- &mkey_fullname, &master_princ))) {
- com_err(argv[0], retval, "while setting up master key name");
- exit(1);
- }
-
- krb5_princ_set_realm_data(context, &db_create_princ, realm);
- krb5_princ_set_realm_length(context, &db_create_princ, strlen(realm));
- krb5_princ_set_realm_data(context, &tgt_princ, realm);
- krb5_princ_set_realm_length(context, &tgt_princ, strlen(realm));
- krb5_princ_component(context, &tgt_princ,1)->data = realm;
- krb5_princ_component(context, &tgt_princ,1)->length = strlen(realm);
-
- printf("Initializing database '%s' for realm '%s',\n\
-master key name '%s'\n",
- dbname, realm, mkey_fullname);
-
- if (!mkey_password) {
- printf("You will be prompted for the database Master Password.\n");
- printf("It is important that you NOT FORGET this password.\n");
- fflush(stdout);
-
- pw_size = 1024;
- pw_str = malloc(pw_size);
-
- retval = krb5_read_password(context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2,
- pw_str, &pw_size);
- if (retval) {
- com_err(argv[0], retval, "while reading master key from keyboard");
- exit(1);
- }
- mkey_password = pw_str;
- }
-
- pwd.data = mkey_password;
- pwd.length = strlen(mkey_password);
- retval = krb5_principal2salt(context, master_princ, &master_salt);
- if (retval) {
- com_err(argv[0], retval, "while calculated master key salt");
- exit(1);
- }
- if (retval = krb5_string_to_key(context, &master_encblock,
- &master_keyblock, &pwd, &master_salt)) {
- com_err(argv[0], retval, "while transforming master key from password");
- exit(1);
- }
-
- if ((retval = krb5_process_key(context, &master_encblock,
- &master_keyblock))) {
- com_err(argv[0], retval, "while processing master key");
- exit(1);
- }
-
- rblock.eblock = &master_encblock;
- if ((retval = krb5_init_random_key(context, &master_encblock,
- &master_keyblock, &rblock.rseed))) {
- com_err(argv[0], retval, "while initializing random key generator");
- (void) krb5_finish_key(context, &master_encblock);
- exit(1);
- }
- if ((retval = krb5_db_create(context, dbname))) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- com_err(argv[0], retval, "while creating database '%s'",
- dbname);
- exit(1);
- }
- if ((retval = krb5_db_set_name(context, dbname))) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- com_err(argv[0], retval, "while setting active database to '%s'",
- dbname);
- exit(1);
- }
- if ((retval = krb5_db_init(context))) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- com_err(argv[0], retval, "while initializing the database '%s'",
- dbname);
- exit(1);
- }
-
- if ((retval = add_principal(context, master_princ, MASTER_KEY, &rblock)) ||
- (retval = add_principal(context, &tgt_princ, TGT_KEY, &rblock))) {
- (void) krb5_db_fini(context);
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- com_err(argv[0], retval, "while adding entries to the database");
- exit(1);
- }
- if (do_stash &&
- ((retval = krb5_db_store_mkey(context, keyfile, master_princ,
- &master_keyblock)))) {
- com_err(argv[0], errno, "while storing key");
- printf("Warning: couldn't stash master key.\n");
- }
- /* clean up */
- (void) krb5_db_fini(context);
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- free(master_keyblock.contents);
- if (pw_str) {
- memset(pw_str, 0, pw_size);
- free(pw_str);
- }
- free(master_salt.data);
- exit(0);
-
-}
-
-static krb5_error_code
-tgt_keysalt_iterate(ksent, ptr)
- krb5_key_salt_tuple *ksent;
- krb5_pointer ptr;
-{
- krb5_context context;
- krb5_error_code kret;
- struct iterate_args *iargs;
- krb5_keyblock random_keyblock, *key;
- krb5_int32 ind;
- krb5_encrypt_block random_encblock;
- krb5_pointer rseed;
- krb5_data pwd;
-
- iargs = (struct iterate_args *) ptr;
- kret = 0;
-
- context = iargs->ctx;
-
- /*
- * Convert the master key password into a key for this particular
- * encryption system.
- */
- krb5_use_enctype(context, &random_encblock, ksent->ks_enctype);
- pwd.data = mkey_password;
- pwd.length = strlen(mkey_password);
- if (kret = krb5_string_to_key(context, &random_encblock, &random_keyblock,
- &pwd, &master_salt))
- return kret;
- if ((kret = krb5_init_random_key(context, &random_encblock,
- &random_keyblock, &rseed)))
- return kret;
-
- if (!(kret = krb5_dbe_create_key_data(iargs->ctx, iargs->dbentp))) {
- ind = iargs->dbentp->n_key_data-1;
- if (!(kret = krb5_random_key(context,
- &random_encblock, rseed,
- &key))) {
- kret = krb5_dbekd_encrypt_key_data(context,
- iargs->rblock->eblock,
- key,
- NULL,
- 1,
- &iargs->dbentp->key_data[ind]);
- krb5_free_keyblock(context, key);
- }
- }
- memset((char *)random_keyblock.contents, 0, random_keyblock.length);
- free(random_keyblock.contents);
- (void) krb5_finish_random_key(context, &random_encblock, &rseed);
- return(kret);
-}
-
-static krb5_error_code
-add_principal(context, princ, op, pblock)
- krb5_context context;
- krb5_principal princ;
- enum ap_op op;
- struct realm_info *pblock;
-{
- krb5_error_code retval;
- krb5_db_entry entry;
-
- krb5_timestamp now;
- struct iterate_args iargs;
-
- int nentries = 1;
-
- memset((char *) &entry, 0, sizeof(entry));
-
- entry.len = KRB5_KDB_V1_BASE_LENGTH;
- entry.attributes = pblock->flags;
- entry.max_life = pblock->max_life;
- entry.max_renewable_life = pblock->max_rlife;
- entry.expiration = pblock->expiration;
-
- if ((retval = krb5_copy_principal(context, princ, &entry.princ)))
- goto error_out;
-
- if ((retval = krb5_timeofday(context, &now)))
- goto error_out;
-
- if ((retval = krb5_dbe_update_mod_princ_data(context, &entry,
- now, &db_create_princ)))
- goto error_out;
-
- switch (op) {
- case MASTER_KEY:
- if ((entry.key_data=(krb5_key_data*)malloc(sizeof(krb5_key_data)))
- == NULL)
- goto error_out;
- memset((char *) entry.key_data, 0, sizeof(krb5_key_data));
- entry.n_key_data = 1;
-
- entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- if ((retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock,
- &master_keyblock, NULL,
- 1, entry.key_data)))
- return retval;
- break;
- case TGT_KEY:
- iargs.ctx = context;
- iargs.rblock = pblock;
- iargs.dbentp = &entry;
- /*
- * Iterate through the key/salt list, ignoring salt types.
- */
- if ((retval = krb5_keysalt_iterate(pblock->kslist,
- pblock->nkslist,
- 1,
- tgt_keysalt_iterate,
- (krb5_pointer) &iargs)))
- return retval;
- break;
- case NULL_KEY:
- return EOPNOTSUPP;
- default:
- break;
- }
-
- retval = krb5_db_put_principal(context, &entry, &nentries);
-
-error_out:;
- krb5_dbe_free_contents(context, &entry);
- return retval;
-}
+++ /dev/null
-# Sanitize.in for Kerberos V5
-
-# Each directory to survive it's way into a release will need a file
-# like this one called "./.Sanitize". All keyword lines must exist,
-# and must exist in the order specified by this file. Each directory
-# in the tree will be processed, top down, in the following order.
-
-# Hash started lines like this one are comments and will be deleted
-# before anything else is done. Blank lines will also be squashed
-# out.
-
-# The lines between the "Do-first:" line and the "Things-to-keep:"
-# line are executed as a /bin/sh shell script before anything else is
-# done in this
-
-Do-first:
-
-# All files listed between the "Things-to-keep:" line and the
-# "Files-to-sed:" line will be kept. All other files will be removed.
-# Directories listed in this section will have their own Sanitize
-# called. Directories not listed will be removed in their entirety
-# with rm -rf.
-
-Things-to-keep:
-
-.cvsignore
-ChangeLog
-Makefile.in
-configure
-configure.in
-kdb5_destroy.M
-kdb5_destroy.c
-
-Things-to-lose:
-
-Do-last:
-
-# End of file.
+++ /dev/null
-
-Fri Jul 7 15:36:45 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Remove all explicit library handling and LDFLAGS.
- * configure.in - Add USE_KDB5_LIBRARY and KRB5_LIBRARIES.
-
-
-Fri Jun 30 14:30:49 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add --with-dbm to select between Berkeley and DBM
- KDC database format.
-
-
-Thu Jun 15 15:31:59 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Change explicit library names to -l<lib> form, and
- change target link line to use $(LD) and associated flags.
- Also, remove DBMLIB, it was not used.
- * configure.in - Remove dbm library checks, these are no longer needed
- with the Berkeley database code. Also, add shared library
- usage check.
-
-
-Tue May 30 14:41:50 EDT 1995 Paul Park (pjpark@mit.edu)
- * kdb5_destroy.c: Remove knowledge of database files. Use kdb5_db_
- destroy to destroy the database.
-
-Thu Mar 2 12:18:36 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * Makefile.in (ISODELIB): Remove reference to $(ISODELIB).
-
-Wed Mar 1 11:52:36 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * configure.in: Remove ISODE_INCLUDE, replace check for -lsocket
- and -lnsl with WITH_NETLIB check.
-
-Tue Feb 28 02:05:53 1995 John Gilmore (gnu at toad.com)
-
- * kdb5_destroy.c: Avoid <krb5/...> and <com_err.h> includes.
-
-Fri Jan 13 15:23:47 1995 Chris Provenzano (proven@mit.edu)
-
- * Added krb5_context to all krb5_routines
-
-Thu Oct 6 23:43:38 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * kdb5_destroy.c (main): Add option to force destruction of a
- database.
-
-Mon Oct 3 19:10:23 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Use $(srcdir) to find manual page for make install.
-
-Thu Sep 29 22:20:25 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Relink executable when libraries change.
-
-Wed Jun 29 00:22:07 1994 Tom Yu (tlyu at dragons-lair)
-
- * kdb5_destroy.c: fix things to call krb5_init_ets
-
+++ /dev/null
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
-
-all:: kdb5_destroy
-
-kdb5_destroy: kdb5_destroy.o $(DEPLIBS)
- $(LD) $(LDFLAGS) $(LDARGS) -o kdb5_destroy kdb5_destroy.o $(LIBS)
-
-install::
- $(INSTALL_PROGRAM) kdb5_destroy ${DESTDIR}$(ADMIN_BINDIR)/kdb5_destroy
- $(INSTALL_DATA) $(srcdir)/kdb5_destroy.M ${DESTDIR}$(ADMIN_MANDIR)/kdb5_destroy.8
-
-clean::
- $(RM) kdb5_destroy kdb5_destroy.o
+++ /dev/null
-AC_INIT(kdb5_destroy.c)
-CONFIG_RULES
-AC_PROG_INSTALL
-USE_KDB5_LIBRARY
-KRB5_LIBRARIES
-V5_USE_SHARED_LIB
-V5_AC_OUTPUT_MAKEFILE
+++ /dev/null
-.\" admin/destroy/kdb5_destroy.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KDB5_DESTROY 8 "Kerberos Version 5.0" "MIT Project Athena"
-.SH NAME
-kdb5_destroy \- destroy a Kerberos principal database
-.SH SYNOPSIS
-.B kdb5_destroy
-[
-.B \-d
-.I dbname
-]
-.br
-.SH DESCRIPTION
-.I kdb5_destroy
-destroys a Kerberos principal database, i.e. all of the data is
-overwritten and then the file is removed.
-The user is prompted to confirm deletion of the database.
-.PP
-The
-.B \-d
-.I dbname
-option specifies the name under which the principal database is
-stored; by default the database is in DEFAULT_DBM_FILE (normally
-/krb5/principal).
-.SH SEE ALSO
-kdb5_create(8)
+++ /dev/null
-/*
- * admin/destroy/kdb5_destroy.c
- *
- * Copyright 1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * kdb_dest(roy): destroy the named database.
- *
- * This version knows about DBM format databases.
- */
-
-#include "k5-int.h"
-#include <stdio.h>
-#include "com_err.h"
-
-extern int errno;
-
-char *yes = "yes\n"; /* \n to compare against result of
- fgets */
-
-static void
-usage(who, status)
- char *who;
- int status;
-{
- fprintf(stderr, "usage: %s [-d dbpathname]\n", who);
- exit(status);
-}
-
-void
-main(argc, argv)
- int argc;
- char *argv[];
-{
- extern char *optarg;
- int optchar;
- char *dbname = DEFAULT_KDB_FILE;
- char buf[5];
- char dbfilename[MAXPATHLEN];
- krb5_error_code retval;
- krb5_context context;
- int force = 0;
-
- krb5_init_context(&context);
- krb5_init_ets(context);
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- while ((optchar = getopt(argc, argv, "d:f")) != EOF) {
- switch(optchar) {
- case 'd': /* set db name */
- dbname = optarg;
- break;
- case 'f':
- force++;
- break;
- case '?':
- default:
- usage(argv[0], 1);
- /*NOTREACHED*/
- }
- }
- if (!force) {
- printf("Deleting KDC database stored in '%s', are you sure?\n", dbname);
- printf("(type 'yes' to confirm)? ");
- if (fgets(buf, sizeof(buf), stdin) == NULL)
- exit(1);
- if (strcmp(buf, yes))
- exit(1);
- printf("OK, deleting database '%s'...\n", dbname);
- }
-
- if (retval = krb5_db_set_name(context, dbname)) {
- com_err(argv[0], retval, "'%s'",dbname);
- exit(1);
- }
- if (retval = kdb5_db_destroy(context, dbname)) {
- com_err(argv[0], retval, "deleting database '%s'",dbname);
- exit(1);
- }
-
- printf("** Database '%s' destroyed.\n", dbname);
- exit(0);
-}
+++ /dev/null
-# Sanitize.in for Kerberos V5
-
-# Each directory to survive it's way into a release will need a file
-# like this one called "./.Sanitize". All keyword lines must exist,
-# and must exist in the order specified by this file. Each directory
-# in the tree will be processed, top down, in the following order.
-
-# Hash started lines like this one are comments and will be deleted
-# before anything else is done. Blank lines will also be squashed
-# out.
-
-# The lines between the "Do-first:" line and the "Things-to-keep:"
-# line are executed as a /bin/sh shell script before anything else is
-# done in this
-
-Do-first:
-
-# All files listed between the "Things-to-keep:" line and the
-# "Files-to-sed:" line will be kept. All other files will be removed.
-# Directories listed in this section will have their own Sanitize
-# called. Directories not listed will be removed in their entirety
-# with rm -rf.
-
-Things-to-keep:
-
-.cvsignore
-ChangeLog
-Makefile.in
-configure
-configure.in
-cpw.c
-dump.c
-dumpv4.c
-kdb5_ed_ct.ct
-kdb5_edit.M
-kdb5_edit.c
-kdb5_edit.h
-loadv4.c
-ss_wrapper.c
-tcl_wrapper.c
-util.c
-
-Things-to-lose:
-
-Do-last:
-
-# End of file.
+++ /dev/null
-Mon Jul 29 23:44:20 1996 Samuel D Hartman (hartmans@vorlon)
-
- * configure.in: Use *all* the appropriate libraries.
-
-Thu Jul 25 12:10:20 1996 Theodore Y. Ts'o <tytso@mit.edu>
-
- * dumpv4.c (v4_print_time): Declare function as returning void
-
-Thu Jun 13 21:41:42 1996 Tom Yu <tlyu@voltage-multiplier.mit.edu>
-
- * configure.in: remove ref to SS_RULES
-
-Sun Jun 9 22:04:50 1996 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * util.c (strstr): Replace crusty OS specific ifdef with configure
- generated one.
-
- * configure.in: Change AC_HAVE_FUNCS to AC_CHECK_FUNCS (newer
- naming convention). Check for strstr.
-
-Sat Jun 8 09:54:38 1996 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * configure.in: Remove kdb4 library usage.
-
- * dumpv4.c (handle_one_key): Remove the temporary --with-kdb4
- support.
-
-Sun May 12 00:27:44 1996 Marc Horowitz <marc@mit.edu>
-
- * loadv4.c (enter_in_v5_db, add_principal), kdb5_edit.c
- (create_db_entry, modent), dumpv4.c (dump_v4_iterator), dump.c
- (dump_k5beta_iterator, process_k5beta_record): convert to use new
- krb5_dbe_* tl_data functions.
-
- * cpw.c (enter_pwd_key): krb5_dbe_cpw() takes a kvno now.
-
-Tue May 7 23:16:57 1996 Marc Horowitz <marc@mit.edu>
-
- * configure.in: USE_KADM_LIBRARY replaced by USE_KADMSRV_LIBRARY
-
-Thu May 2 22:16:01 1996 Ken Raeburn <raeburn@cygnus.com>
-
- * ss_wrapper.c (main): Make sci_idx a global. This makes certain
- Cygnus customizations simpler.
-
- * dump.c (restore_dump): If header indicates a beta-5 dump,
- process it.
-
-Thu Apr 11 19:32:36 1996 Richard Basch <basch@lehman.com>
-
- * kdb5_edit.c (extract_v4_srvtab): Use the matching key_data's kvno;
- don't assume that key_data[0]'s kvno is necessarily the matching
- key_data's kvno.
-
-Wed Apr 10 19:17:58 1996 Richard Basch <basch@lehman.com>
-
- * kdb5_edit.c (extract_v4_srvtab): Translate the principal name to
- the common V4 name.
-
-Tue Mar 19 18:00:58 1996 Richard Basch <basch@lehman.com>
-
- * kdb5_edit.c (extract_v4_srvtab): do not test to make sure we
- fetched a key of enctype 1 (des-cbc-crc), since we may have gotten
- another des key from the database, which is just as useful in a
- v4 srvtab
-
- * dumpv4.c (dump_v4_iterator): use krb5_524_conv_principal to do the
- v5 to v4 principal translation, instead of having yet another
- hard-coded table.
-
-Wed Mar 6 16:17:20 1996 Richard Basch <basch@lehman.com>
-
- * dumpv4.c: The V4 master key & schedule was never initialized,
- so the dump created by dump_v4db was garbage. Read the V4
- master key from /.k or prompt for the V4 master key password.
- If there is no V4-salt key in the database, but there is a DES
- key, include it in the V4 dump, in case it is merely a random
- service key for which there is no associated password.
- Skip over K/M in the V5 database (use the entered V4 master key).
- Both krbtgt and afs keys often have domain-qualifed instances.
-
-Tue Mar 5 12:18:22 1996 Richard Basch <basch@lehman.com>
-
- * dump.c: POSIX locking requires that the file be opened read-write.
-
-Mon Feb 26 22:42:09 1996 Mark Eichin <eichin@cygnus.com>
-
- * kdb5_edit.c: new command line option -f stashfile.
- * kdb5_edit.M: document stashfile option.
-
-Mon Feb 26 22:13:45 1996 Mark Eichin <eichin@cygnus.com>
-
- * dump.c (process_k5beta_record): since V4 salt type has no data
- either, only set key_data_ver to 1 for data_type 0 with 0-length
- salt. Also, don't include alternate key if akey has all-zero type
- and length in both fields.
-
-Sat Feb 24 04:02:18 1996 Mark W. Eichin <eichin@cygnus.com>
-
- * dump.c (process_k5beta_record): encrypted keys used to have 4
- byte lengths in MSB order, need to convert to 2 byte LSB order
- lengths before storing. Handle primary key and alternate key.
-
-Fri Feb 23 18:44:10 1996 Mark Eichin <eichin@cygnus.com>
-
- * kdb5_edit.c (kdb5_edit_Init): set manual_mkey for testing with -P
-
-Wed Feb 14 09:52:18 1996 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kdb5_edit.c (enter_master_key, set_dbname_help): If master key
- enctype is unknown, set to DEFAULT_KDC_ENCTYPE.
-
-Tue Feb 13 16:08:07 1996 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kdb5_edit.c (extract_v4_srvtab): krb5_dbekd_decrypt_key_data
- takes krb5_key_data *, not **.
-
-Tue Jan 30 18:28:57 1996 Mark Eichin <eichin@cygnus.com>
-
- * dump.c (load_db): dbrenerr_fmt prints "from" first, so pass it
- to fprintf correctly.
-
-Sun Jan 28 14:31:47 1996 Mark Eichin <eichin@cygnus.com>
-
- * dump.c (process_k5_record): t2..t9 is only 8 vars, not 9.
-
-Thu Jan 25 16:07:42 1996 Sam Hartman <hartmans@tertius.mit.edu>
-
- * kdb5_edit.c (extract_srvtab): Extract *all* the keys in a
- dbentry, not the first one.
- (extract_v4_srvtab): Attempt to find the right v4 keys.
-
-Wed Jan 24 18:48:38 1996 Tom Yu <tlyu@dragons-lair.MIT.EDU>
-
- * Makefile.in: Remove spurious @DEFS@
-
-
-Wed Dec 13 03:44:58 1995 Chris Provenzano (proven@mit.edu)
-
- * dump.c, dumpv4.c, kdb5_edit.c, loadv4.c :
- Remove mkvno from krb5_db_entry.
-
-Sun Dec 10 11:07:51 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kdb5_edit.M: Document that modent exists
-
- * kdb5_edit.c (modent): Add usage as suggested by jhawk@mit.edu.
-
-Thu Nov 09 17:05:57 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_edit.c : Remove krb5_enctype from krb5_string_to_key() args.
-
-Fri Oct 27 13:37:04 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * dump.c (process_k5_record): Fix off by one in malloc.
-
-Mon Oct 9 16:35:19 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kdb5_edit.c (extract_v4_srvtab): Extract a one byte version
- number for v4 srvtabs (from warlord).
-
-Thu Oct 5 10:35:35 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * cpw.c: Declare std_ks_tuple as extern.
- * kdb5_edit.h: Remove std_ks_tuple declaration as not all sources
- include adm.h for structures
-
-Tue Oct 3 23:10:57 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * cpw.c (enter_rnd_key, enter_pwd_key):
- * kdb5_edit.c (kdb5_edit_Init): Use the kdc.conf file to determine
- the default list of keysalt tuples to be used. This is
- stored in std_ks_tuple, and is used by cpw.c for random
- keys and when a list of keysalts is not specified.
-
-Mon Sep 18 03:59:47 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kdb5_edit.c (show_principal): Show key version and last password
- change.
-
- * cpw.c: Fix typo in below change in which list was terminated
- after third entry. (extra } removed)
-
-Fri Sep 15 14:21:25 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * cpw.c: Add DES_CBC_MD5 and DES_CBC_CRC with the V4 salt as
- default key/salt tuples to be added. (Once proven's DES_*
- folding code is implemented, we can shorten this list.)
- Eventually, this list should be read in from kdc.conf.
-
-Thu Sep 7 20:41:24 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * loadv4.c (load_v4db): Provide a dummy routine if krb4
- compatibility is not compiled in.
-
-Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu)
-
- * cpw.c, dump.c, dumpv4.c, kdb5_edit.c, loadv4.c :
- s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g
-
-Tue Sep 05 22:10:34 1995 Chris Provenzano (proven@mit.edu)
-
- * cpw.c, dump.c, dumpv4.c, kdb5_edit.c, loadv4.c : Remove krb5_enctype
- references, and replace with krb5_keytype where appropriate.
-
-Fri Aug 25 17:37:33 EDT 1995 Paul Park (pjpark@mit.edu)
- * dumpv4.c - Fix handle_keys(). It was trying to recreate work that
- has already been done.
- * Makefile.in, .Sanitize, loadv4.c, kdb5_ed_ct.ct - Add lddb4, the
- command to load a v4 dump file. This is basically, kdb5_
- convert reconstituted to fit within the framework of kdb5_edit.
-
-Thu Aug 24 19:28:39 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * .Sanitize: Update file list
-
-Mon Aug 21 16:45:39 EDT 1995 Paul Park (pjpark@mit.edu)
- * dump.c - Completely rework this logic to support old (e.g. Beta 5
- and previous) dump format and new dump format using the same
- commands. This is differentiated by using the "-old" command
- qualifier.
-
- * kdb5_edit.M - Add description of -R and -s. Remove "ascii represen-
- tation of a decimal number". Remove "Bugs".
-
-Fri Aug 18 17:06:06 EDT 1995 Paul Park (pjpark@mit.edu)
-
- * ss_wrapper.c - Change sense of fgets() check so scripts work.
-
-
-Tue Aug 15 14:22:50 EDT 1995 Paul Park (pjpark@mit.edu)
-
- * kdb5_edit.c, ss_wrapper.c, cpw.c, kdb5_edit.h - Add support for
- -s scriptfile and fix up assorted gcc -Wall complaints.
-
-
-Mon Aug 7 17:32:31 EDT 1995 Paul Park (pjpark@mit.edu)
- * cpw.c - Use krb5_string_to_keysalts() to generate a list of unique
- key/salt pairs supplied in argv.
-
-
-Mon Aug 07 11:16:03 1995 Chris Provenzano (proven@mit.edu)
-
- * cpw.c : Uses new kdb change password routines for ank, ark, cpw,
- and crk. Also remove v4 variants of ank and cpw.
- * krb5_edit.c : Deleted old variants of rotuines now in cpw.c
- * kdb5_ed_ct.ct, kdb5_edit.M, tcl_wrapper.c:
- Removed references to v4 variants of ank and cpw.
- * kdb5_edit.h (enter_pwd_key()) : Removed proto, it's nolonger
- necessary as it's a static routine in cpw.c
-
-Thu Aug 03 12:13:50 1995 Chris Provenzano (proven@mit.edu)
-
- * cpw.c : New change password code for kdb5_edit.
- * dumpv4.c : Get it to compile with new kdb format.
-
-Mon Jul 31 15:47:30 EDT 1995 Paul Park (pjpark@mit.edu)
- * kdb5_edit.c - Use libkadm string conversion routines. These are
- shared by all utilities.
- * Makefile.in - Remove getdate.y.
- * configure.in - Remove getdate.y dependency checks.
- * getdate.y - Sayonara.
-
-
-Thu Jul 27 15:01:01 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add --with-dbm and check for already checking for dbm.
-
-
-Thu Jul 27 02:59:05 1995 Chris Provenzano (proven@mit.edu)
-
- * dump.c kdb5_edit.c kdb5_edit.h util.c : Use new kdb format.
-
-Mon Jul 17 15:00:08 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add KADM library.
- * dumpv4.c - Change calling sequence to krb5_db_fetch_mkey().
- * kdb5_edit.c - Change calling sequence to krb5_db_fetch_mkey() which
- uses the stash file. Add KDC profile reading/handling as a
- supplement to command line supplied arguments.
-
-
-Wed Jul 12 12:01:04 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Temporarily add --with-kdb4 option. Default is without
- kdb4. Without kdb4 enables a define. With kdb4 uses -lkdb4 and
- -l[n]dbm libraries.
- * dumpv4.c - Conditionalize references to kdb4 routines with
- KDB4_DISABLE. Replace two required routines:
- kdb_encrypt_key -> pcbc_encrypt
- kdb_get_master_key -> des_read_password/printf/key_sched
-
-
-Fri Jul 7 15:38:00 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Remove all explicit library handling and LDFLAGS.
- * configure.in - Add USE_<mumble> and KRB5_LIBRARIES.
-
-
-Thu Jun 15 15:34:59 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Change explicit library names to -l<lib> form, and
- change target link line to use $(LD) and associated flags.
- Also, for K4, use KRB4_LIB and KRB4_CRYPTO_LIB, these wer
- split out.
- * configure.in - Add shared library usage check.
-
-Fri Jun 9 18:14:43 1995 <tytso@rsx-11.mit.edu>
-
- * configure.in: Remove standardized set of autoconf macros, which
- are now handled by CONFIG_RULES.
-
- * dumpv4.c: Change name of controlling #ifdef to be
- KRB5_KRB4_COMPAT instead of KRB4.
-
-Sun May 21 14:20:32 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * dumpv4.c: Include k5-int.h before krb.h so that PROTOTYPE is not
- redefined.
-
-Sun May 7 13:46:30 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * configure.in: Add AC_HEADER_STDC to define STDC_HEADERS for
- getdate.y.
-
-Mon May 1 13:36:41 1995 Theodore Y. Ts'o (tytso@dcl)
-
- * kdb5_edit.c (kdb5_edit_Init): Check the return code from
- kdb5_init_context().
-
-Fri Apr 28 18:04:26 1995 Mark Eichin <eichin@cygnus.com>
-
- * Makefile.in (LOCAL_LIBRARIES): put KRB4_LIB inside KLIB, and put
- KDB4_LIB ahead of them both.
-
-Thu Apr 27 13:47:23 1995 Mark Eichin <eichin@cygnus.com>
-
- * Makefile.in (LOCAL_LIBRARIES): use KRB4_LIB and KDB4_LIB
- directly.
- * configure.in: just use WITH_KRB4.
-
-Wed Apr 19 13:59:47 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kdb5_edit.c (kdb5_edit_Init): If a default realm is specified
- (with -r), use krb5_set_default_realm so that created keys
- will have the correct realm.
-
-Thu Mar 23 23:28:26 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * kdb5_edit.c (show_principal, parse_princ_args): Add
- "support_desmd5" flag.
-
-Tue Mar 14 16:29:05 1995 <tytso@rsx-11.mit.edu>
-
- * ss_wrapper.c (main): Set the return code from ss_execute_line(),
- so that appropriate error checking is done.
-
-Thu Mar 2 12:18:57 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * Makefile.in (ISODELIB): Remove reference to $(ISODELIB).
-
-Wed Mar 1 11:53:02 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * configure.in: Remove ISODE_INCLUDE, replace check for -lsocket
- and -lnsl with WITH_NETLIB check.
-
-Tue Feb 28 02:06:26 1995 John Gilmore (gnu at toad.com)
-
- * dump.c, dumpv4.c, kdb5_edit.c, ss_wrapper.c, tcl_wrapper.c,
- util.c: Avoid <krb5/...> includes.
-
-Thu Feb 23 19:52:35 1995 Mark Eichin (eichin@cygnus.com)
-
- * kdb5_edit.c: add struct timeb and sys/timeb includes from
- getdate.y.
- (ftime): new function, in case we don't HAVE_FTIME.
-
-Tue Feb 14 17:55:47 1995 Tom Yu (tlyu@dragons-lair)
-
- * kdb5_edit.c: add modent
- * getdate.y: import get_date
- * kdbt_ed_ct.ct: add modent
- * configure.in:
- * Makefile.in: support for getdate.y
-
-Wed Feb 8 20:08:36 1995 Tom Yu (tlyu@dragons-lair)
-
- * kdb5_edit.c (show_principal): make sane and print all useful
- fields
-
-Wed Jan 25 16:54:40 1995 Chris Provenzano (proven@mit.edu)
-
- * Removed all narrow types and references to wide.h and narrow.h
-
-Fri Jan 13 15:23:47 1995 Chris Provenzano (proven@mit.edu)
-
- * Added krb5_context to all krb5_routines
-
-Mon Dec 19 18:04:11 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * configure.in:
- * Makefile.in:
- * dumpv4.c (dump_v4db): Do the right thing if we are compiling
- without V4 support. (The dump_v4db command is disabled.)
-
-Wed Dec 7 00:07:46 1994 <tytso@rsx-11.mit.edu>
-
- * dumpv4.c (v4_print_time): gmtime expects a pointer to a time_t,
- not a long. On most systems these are the same, on
- others....
-
-Wed Nov 16 01:03:42 1994 Mark Eichin (eichin@cygnus.com)
-
- * dumpv4.c: new file. New command dump_v4db which creates a v4
- slave dump out of a v5 database, leaving out any keys which aren't
- using v4 salt, and any keys that aren't for the current
- realm. Reencrypts using v4 master key, synthesizes arbitrary
- master key version number.
- * configure.in: use WITH_KRB4 for dump support.
- * kdb5_ed_ct.ct: add new dump_v4 command.
- * Makefile.in: link in dumpv4.
-
-Fri Oct 14 23:31:49 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * dump.c (load_db): When scanning a database entry, read
- fail_auth_count into a temporary integer variable, and
- then copy that into entry.fail_auth_count, which is a
- char.
-
-Fri Oct 7 00:01:40 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * kdb5_edit.c (kdb5_edit_Init): Don't let errors in
- set_dbname_help initially cause the exit status to be set.
- Commands like load_db don't need a valid database to be
- opened.
-
- * ss_wrapper.c (main): Clear code before ss_execute_line, since
- ss_execute_line doesn't set code to 0 if there are no
- problems.
-
- * kdb5_edit.c (kdb5_edit_Init): Add a new option so that the
- master key password can be entered on the command line ---
- for testing only; not documented!!
-
-Mon Oct 3 19:10:47 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Use $(srcdir) to find manual page for make install.
-
-Thu Sep 29 15:52:22 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * dump.c (update_ok_file): Make sure mod time on the dump_ok file
- is updated. (Some systems don't update the mod-time when
- a file is opened for writing.)
-
- * Makefile.in: Relink executable when libraries change.
-
- * kdb5_edit.c (show_principal): Pass variable with correct type to
- ctime().
-
- * tcl_wrapper.c (doquit):
- ss_wrapper.c (main):
- kdb5_edit.c:
- dump.c: Exit with a non-zero exit status if there was an error
- in a executed command.
-
-Thu Sep 15 11:00:30 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * dump.c (load_db): Fix error string on failed fopen. ("for
- writing" -> "for reading")
-
-
+++ /dev/null
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
-
-all::
-
-LOCALINCLUDE=-I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV
-
-OBJS= kdb5_edit.o \
- kdb5_ed_ct.o \
- cpw.o \
- util.o \
- dump.o \
- dumpv4.o \
- loadv4.o \
- ss_wrapper.o \
- $(LIBOBJS)
-
-SRCS= $(srcdir)/kdb5_edit.c \
- $(srcdir)/kdb5_ed_ct.c \
- $(srcdir)/cpw.c \
- $(srcdir)/util.c \
- $(srcdir)/dump.c \
- $(srcdir)/ss_wrapper.c \
- $(srcdir)/dumpv4.c \
- $(srcdir)/loadv4.c
-
-all:: kdb5_edit
-
-kdb5_edit: kdb5_edit.o $(DEPLIBS) $(OBJS)
- $(LD) $(LDFLAGS) $(LDARGS) -o kdb5_edit $(OBJS) $(LIBS)
-
-install::
- $(INSTALL_PROGRAM) kdb5_edit ${DESTDIR}$(ADMIN_BINDIR)/kdb5_edit
- $(INSTALL_DATA) $(srcdir)/kdb5_edit.M ${DESTDIR}$(ADMIN_MANDIR)/kdb5_edit.8
-
-# needed until we run makedepend
-kdb5_ed_ct.c: kdb5_ed_ct.ct
-
-kdb5_ed_ct.o: kdb5_ed_ct.c
-
-clean::
- $(RM) kdb5_ed_ct.c
-
-depend:: kdb5_ed_ct.c
-
-clean::
- $(RM) kdb5_edit
+++ /dev/null
-AC_INIT(kdb5_edit.c)
-CONFIG_RULES
-AC_PROG_INSTALL
-AC_PROG_YACC
-AC_CONST
-AC_HEADER_STDC
-AC_CHECK_FUNCS(getcwd strstr)
-USE_KADMSRV_LIBRARY
-USE_KDB5_LIBRARY
-USE_KRB4_LIBRARY
-USE_SS_LIBRARY
-USE_DYN_LIBRARY
-USE_GSSRPC_LIBRARY
-USE_GSSAPI_LIBRARY
-KRB5_LIBRARIES
-V5_USE_SHARED_LIB
-V5_AC_OUTPUT_MAKEFILE
+++ /dev/null
-/*
- * admin/edit/cpw.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Change passwords for a KDC db entry.
- */
-
-#include "k5-int.h"
-#include "com_err.h"
-#include "adm.h"
-#include "adm_proto.h"
-#include <stdio.h>
-#include <time.h>
-
-#include "kdb5_edit.h"
-
-extern char *Err_no_master_msg;
-extern char *Err_no_database;
-extern char *current_dbname;
-
-extern krb5_key_salt_tuple *std_ks_tuple;
-extern int std_ks_tuple_count;
-
-/*
- * I can't figure out any way for this not to be global, given how ss
- * works.
- */
-extern int exit_status;
-extern krb5_context edit_context;
-extern krb5_keyblock master_keyblock;
-extern krb5_principal master_princ;
-extern krb5_db_entry master_entry;
-extern krb5_encrypt_block master_encblock;
-extern int valid_master_key;
-extern char *krb5_default_pwd_prompt1, *krb5_default_pwd_prompt2;
-extern krb5_boolean dbactive;
-extern FILE *scriptfile;
-
-static void
-enter_rnd_key(argc, argv, entry)
- int argc;
- char ** argv;
- krb5_db_entry * entry;
-{
- krb5_error_code retval;
- int nprincs = 1;
-
- if ((retval = krb5_dbe_crk(edit_context, &master_encblock,
- std_ks_tuple,
- std_ks_tuple_count, entry))) {
- com_err(argv[0], retval, "while generating random key");
- krb5_db_free_principal(edit_context, entry, nprincs);
- exit_status++;
- return;
- }
-
- if ((retval = krb5_db_put_principal(edit_context, entry, &nprincs))) {
- com_err(argv[0], retval, "while storing entry for '%s'\n", argv[1]);
- krb5_db_free_principal(edit_context, entry, nprincs);
- exit_status++;
- return;
- }
-
- krb5_db_free_principal(edit_context, entry, nprincs);
-
- if (nprincs != 1) {
- com_err(argv[0], 0, "entry not stored in database (unknown failure)");
- exit_status++;
- }
-
-}
-
-static int
-pre_key(argc, argv, newprinc, entry)
- int argc;
- char ** argv;
- krb5_principal * newprinc;
- krb5_db_entry * entry;
-{
- krb5_boolean more;
- krb5_error_code retval;
- int nprincs = 1;
-
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- } else if (!valid_master_key) {
- com_err(argv[0], 0, Err_no_master_msg);
- } else if ((retval = krb5_parse_name(edit_context,
- argv[argc-1],
- newprinc))) {
- com_err(argv[0], retval, "while parsing '%s'", argv[argc-1]);
- } else if ((retval = krb5_db_get_principal(edit_context, *newprinc, entry,
- &nprincs, &more))) {
- com_err(argv[0],retval,"while trying to get principal's db entry");
- } else if ((nprincs > 1) || (more)) {
- krb5_db_free_principal(edit_context, entry, nprincs);
- krb5_free_principal(edit_context, *newprinc);
- } else if (nprincs)
- return(1);
- else
- return(0);
- return(-1);
-}
-
-void add_rnd_key(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_error_code retval;
- krb5_principal newprinc;
- krb5_db_entry entry;
-
- if (argc < 2) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s principal", argv[0]);
- exit_status++;
- return;
- }
- switch (pre_key(argc, argv, &newprinc, &entry)) {
- case 0:
- if ((retval = create_db_entry(newprinc, &entry))) {
- com_err(argv[0], retval, "While creating new db entry.");
- exit_status++;
- return;
- }
- krb5_free_principal(edit_context, newprinc);
- enter_rnd_key(argc, argv, &entry);
- return;
- case 1:
- com_err(argv[0], 0, "Principal '%s' already exists.", argv[1]);
- krb5_db_free_principal(edit_context, &entry, 1);
- krb5_free_principal(edit_context, newprinc);
- default:
- exit_status++;
- break;
- }
-}
-
-void change_rnd_key(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_principal newprinc;
- krb5_db_entry entry;
-
- if (argc < 2) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s principal", argv[0]);
- exit_status++;
- return;
- }
- switch (pre_key(argc, argv, &newprinc, &entry)) {
- case 1:
- krb5_free_principal(edit_context, newprinc);
- enter_rnd_key(argc, argv, &entry);
- break;
- case 0:
- com_err(argv[0], 0, "No principal '%s' exists", argv[1]);
- default:
- exit_status++;
- break;
- }
-}
-
-void
-enter_pwd_key(cmdname, princ, ks_tuple, ks_tuple_count, entry)
- char * cmdname;
- char * princ;
- krb5_key_salt_tuple * ks_tuple;
- int ks_tuple_count;
- krb5_db_entry * entry;
-{
- char password[KRB5_ADM_MAX_PASSWORD_LEN];
- int pwsize = KRB5_ADM_MAX_PASSWORD_LEN;
- krb5_error_code retval;
- int one = 1;
-
- /* Prompt for password only if interactive */
- if (!scriptfile) {
- if ((retval = krb5_read_password(edit_context,
- krb5_default_pwd_prompt1,
- krb5_default_pwd_prompt2,
- password, &pwsize))) {
- com_err(cmdname, retval, "while reading password for '%s'", princ);
- goto errout;
- }
- }
- else {
- if (!fgets(password, pwsize, scriptfile)) {
- com_err(cmdname, errno, "while reading password for '%s'", princ);
- retval = errno;
- goto errout;
- }
- else {
- pwsize = strlen(password);
- if (password[pwsize-1] == '\n') {
- password[pwsize-1] = '\0';
- pwsize--;
- }
- }
- }
-
- if (ks_tuple_count == 0) {
- ks_tuple_count = std_ks_tuple_count;
- ks_tuple = std_ks_tuple;
- }
- if ((retval = krb5_dbe_cpw(edit_context, &master_encblock, ks_tuple,
- ks_tuple_count, password, 0, entry))) {
- com_err(cmdname, retval, "while storing entry for '%s'\n", princ);
- memset(password, 0, sizeof(password)); /* erase it */
- krb5_dbe_free_contents(edit_context, entry);
- goto errout;
- }
- memset(password, 0, sizeof(password)); /* erase it */
-
- /* Write the entry back out and we're done */
- if ((retval = krb5_db_put_principal(edit_context, entry, &one))) {
- com_err(cmdname, retval, "while storing entry for '%s'\n", princ);
- }
-
- if (one != 1) {
- com_err(cmdname, 0, "entry not stored in database (unknown failure)");
- exit_status++;
- }
-
-errout:;
- krb5_db_free_principal(edit_context, entry, one);
- if (retval)
- exit_status++;
- return;
-}
-
-void change_pwd_key(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_key_salt_tuple * ks_tuple = NULL;
- krb5_int32 n_ks_tuple = 0;
- krb5_principal newprinc;
- krb5_db_entry entry;
-
- int i;
-
- if (argc < 2) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s [<key_type[:<salt_type>]>] principal",
- argv[0]);
- exit_status++;
- return;
- }
-
- for (i = 1; i < (argc - 1); i++) {
- if (krb5_string_to_keysalts(argv[i],
- "",
- ":",
- 0,
- &ks_tuple,
- &n_ks_tuple)) {
- com_err(argv[0], 0, "Unrecognized key/salt type %s", argv[i]);
- exit_status++;
- return;
- }
- }
-
- switch (pre_key(argc, argv, &newprinc, &entry)) {
- case 1:
- /* Done with principal */
- krb5_free_principal(edit_context, newprinc);
- enter_pwd_key(argv[0], argv[i], ks_tuple, n_ks_tuple, &entry);
- break;
- case 0:
- com_err(argv[0], 0, "No principal '%s' exists", argv[i]);
- default:
- exit_status++;
- break;
- }
-
- if (ks_tuple) {
- free(ks_tuple);
- }
-}
-
-void add_new_key(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_error_code retval;
- krb5_principal newprinc;
- krb5_db_entry entry;
-
- if (argc < 2) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s [<key_type[:<salt_type>]>] principal",
- argv[0]);
- exit_status++;
- return;
- }
- switch (pre_key(argc, argv, &newprinc, &entry)) {
- case 0:
- if ((retval = create_db_entry(newprinc, &entry))) {
- com_err(argv[0], retval, "While creating new db entry.");
- exit_status++;
- return;
- }
- enter_pwd_key(argv[0], argv[argc - 1], NULL, 0, &entry);
- krb5_free_principal(edit_context, newprinc);
- return;
- case 1:
- com_err(argv[0], 0, "Principal '%s' already exists.", argv[argc - 1]);
- krb5_db_free_principal(edit_context, &entry, 1);
- krb5_free_principal(edit_context, newprinc);
- default:
- exit_status++;
- break;
- }
-}
-
+++ /dev/null
-/*
- * admin/edit/dump.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Dump a KDC database
- */
-
-#include "k5-int.h"
-#include "com_err.h"
-#include <stdio.h>
-#include "kdb5_edit.h"
-#if HAVE_REGEX_H
-#include <regex.h>
-#endif /* HAVE_REGEX_H */
-
-/*
- * Use compile(3) if no regcomp present.
- */
-#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXP_H)
-#define INIT char *sp = instring;
-#define GETC() (*sp++)
-#define PEEKC() (*sp)
-#define UNGETC(c) (--sp)
-#define RETURN(c) return(c)
-#define ERROR(c)
-#define RE_BUF_SIZE 1024
-#include <regexp.h>
-#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H */
-
-struct dump_args {
- char *programname;
- FILE *ofile;
- krb5_context kcontext;
- char **names;
- int nnames;
- int verbose;
-};
-
-/* External data */
-extern char *current_dbname;
-extern krb5_boolean dbactive;
-extern int exit_status;
-extern krb5_context edit_context;
-
-/* Strings */
-
-static const char k5beta_dump_header[] = "kdb5_edit load_dump version 2.0\n";
-static const char k5_dump_header[] = "kdb5_edit load_dump version 3.0\n";
-
-static const char null_mprinc_name[] = "kdb5_dump@MISSING";
-
-/* Message strings */
-static const char regex_err[] = "%s: regular expression error - %s\n";
-static const char regex_merr[] = "%s: regular expression match error - %s\n";
-static const char pname_unp_err[] = "%s: cannot unparse principal name (%s)\n";
-static const char mname_unp_err[] = "%s: cannot unparse modifier name (%s)\n";
-static const char nokeys_err[] = "%s: cannot find any standard key for %s\n";
-static const char sdump_tl_inc_err[] = "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n";
-static const char stand_fmt_name[] = "Kerberos version 5";
-static const char old_fmt_name[] = "Kerberos version 5 old format";
-static const char ofopen_error[] = "%s: cannot open %s for writing (%s)\n";
-static const char oflock_error[] = "%s: cannot lock %s (%s)\n";
-static const char dumprec_err[] = "%s: error performing %s dump (%s)\n";
-static const char dumphdr_err[] = "%s: error dumping %s header (%s)\n";
-static const char trash_end_fmt[] = "%s(%d): ignoring trash at end of line: ";
-static const char read_name_string[] = "name string";
-static const char read_key_type[] = "key type";
-static const char read_key_data[] = "key data";
-static const char read_pr_data1[] = "first set of principal attributes";
-static const char read_mod_name[] = "modifier name";
-static const char read_pr_data2[] = "second set of principal attributes";
-static const char read_salt_data[] = "salt data";
-static const char read_akey_type[] = "alternate key type";
-static const char read_akey_data[] = "alternate key data";
-static const char read_asalt_type[] = "alternate salt type";
-static const char read_asalt_data[] = "alternate salt data";
-static const char read_exp_data[] = "expansion data";
-static const char store_err_fmt[] = "%s(%d): cannot store %s(%s)\n";
-static const char add_princ_fmt[] = "%s\n";
-static const char parse_err_fmt[] = "%s(%d): cannot parse %s (%s)\n";
-static const char read_err_fmt[] = "%s(%d): cannot read %s\n";
-static const char no_mem_fmt[] = "%s(%d): no memory for buffers\n";
-static const char rhead_err_fmt[] = "%s(%d): cannot match size tokens\n";
-static const char err_line_fmt[] = "%s: error processing line %d of %s\n";
-static const char head_bad_fmt[] = "%s: dump header bad in %s\n";
-static const char read_bytecnt[] = "record byte count";
-static const char read_encdata[] = "encoded data";
-static const char n_name_unp_fmt[] = "%s(%s): cannot unparse name\n";
-static const char n_dec_cont_fmt[] = "%s(%s): cannot decode contents\n";
-static const char read_nint_data[] = "principal static attributes";
-static const char read_tcontents[] = "tagged data contents";
-static const char read_ttypelen[] = "tagged data type and length";
-static const char read_kcontents[] = "key data contents";
-static const char read_ktypelen[] = "key data type and length";
-static const char read_econtents[] = "extra data contents";
-static const char k5beta_fmt_name[] = "Kerberos version 5 old format";
-static const char standard_fmt_name[] = "Kerberos version 5 format";
-static const char lusage_err_fmt[] = "%s: usage is %s [%s] [%s] [%s] filename dbname\n";
-static const char no_name_mem_fmt[] = "%s: cannot get memory for temporary name\n";
-static const char ctx_err_fmt[] = "%s: cannot initialize Kerberos context\n";
-static const char stdin_name[] = "standard input";
-static const char restfail_fmt[] = "%s: %s restore failed\n";
-static const char close_err_fmt[] = "%s: cannot close database (%s)\n";
-static const char dbinit_err_fmt[] = "%s: cannot initialize database (%s)\n";
-static const char dbname_err_fmt[] = "%s: cannot set database name to %s (%s)\n";
-static const char dbdelerr_fmt[] = "%s: cannot delete bad database %s (%s)\n";
-static const char dbrenerr_fmt[] = "%s: cannot rename database %s to %s (%s)\n";
-static const char dbcreaterr_fmt[] = "%s: cannot create database %s (%s)\n";
-static const char dfile_err_fmt[] = "%s: cannot open %s (%s)\n";
-
-static const char oldoption[] = "-old";
-static const char verboseoption[] = "-verbose";
-static const char updateoption[] = "-update";
-static const char dump_tmptrail[] = "~";
-\f
-/*
- * Update the "ok" file.
- */
-void update_ok_file (file_name)
- char *file_name;
-{
- /* handle slave locking/failure stuff */
- char *file_ok;
- int fd;
- static char ok[]=".dump_ok";
-
- if ((file_ok = (char *)malloc(strlen(file_name) + strlen(ok) + 1))
- == NULL) {
- com_err(progname, ENOMEM,
- "while allocating filename for update_ok_file");
- exit_status++;
- return;
- }
- strcpy(file_ok, file_name);
- strcat(file_ok, ok);
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
- com_err(progname, errno, "while creating 'ok' file, '%s'",
- file_ok);
- exit_status++;
- free(file_ok);
- return;
- }
- if (write(fd, "", 1) != 1) {
- com_err(progname, errno, "while writing to 'ok' file, '%s'",
- file_ok);
- exit_status++;
- free(file_ok);
- return;
- }
-
- free(file_ok);
- close(fd);
- return;
-}
-\f
-/*
- * name_matches() - See if a principal name matches a regular expression
- * or string.
- */
-static int
-name_matches(name, arglist)
- char *name;
- struct dump_args *arglist;
-{
-#if HAVE_REGCOMP
- regex_t match_exp;
- regmatch_t match_match;
- int match_error;
- char match_errmsg[BUFSIZ];
- size_t errmsg_size;
-#elif HAVE_REGEXP_H
- char regexp_buffer[RE_BUF_SIZE];
-#elif HAVE_RE_COMP
- extern char *re_comp();
- char *re_result;
-#endif /* HAVE_RE_COMP */
- int i, match;
-
- /*
- * Plow, brute force, through the list of names/regular expressions.
- */
- match = (arglist->nnames) ? 0 : 1;
- for (i=0; i<arglist->nnames; i++) {
-#if HAVE_REGCOMP
- /*
- * Compile the regular expression.
- */
- if (match_error = regcomp(&match_exp,
- arglist->names[i],
- REG_EXTENDED)) {
- errmsg_size = regerror(match_error,
- &match_exp,
- match_errmsg,
- sizeof(match_errmsg));
- fprintf(stderr, regex_err, arglist->programname, match_errmsg);
- break;
- }
- /*
- * See if we have a match.
- */
- if (match_error = regexec(&match_exp, name, 1, &match_match, 0)) {
- if (match_error != REG_NOMATCH) {
- errmsg_size = regerror(match_error,
- &match_exp,
- match_errmsg,
- sizeof(match_errmsg));
- fprintf(stderr, regex_merr,
- arglist->programname, match_errmsg);
- break;
- }
- }
- else {
- /*
- * We have a match. See if it matches the whole
- * name.
- */
- if ((match_match.rm_so == 0) &&
- (match_match.rm_eo == strlen(name)))
- match = 1;
- }
- regfree(&match_exp);
-#elif HAVE_REGEXP_H
- /*
- * Compile the regular expression.
- */
- compile(arglist->names[i],
- regexp_buffer,
- ®exp_buffer[RE_BUF_SIZE],
- '\0');
- if (step(name, regexp_buffer)) {
- if ((loc1 == name) &&
- (loc2 == &name[strlen(name)]))
- match = 1;
- }
-#elif HAVE_RE_COMP
- /*
- * Compile the regular expression.
- */
- if (re_result = re_comp(arglist->names[i])) {
- fprintf(stderr, regex_err, arglist->programname, re_result);
- break;
- }
- if (re_exec(name))
- match = 1;
-#else /* HAVE_RE_COMP */
- /*
- * If no regular expression support, then just compare the strings.
- */
- if (!strcmp(arglist->names[i], name))
- match = 1;
-#endif /* HAVE_REGCOMP */
- if (match)
- break;
- }
- return(match);
-}
-\f
-static krb5_error_code
-find_enctype(dbentp, enctype, salttype, kentp)
- krb5_db_entry *dbentp;
- krb5_enctype enctype;
- krb5_int32 salttype;
- krb5_key_data **kentp;
-{
- int i;
- int maxkvno;
- krb5_key_data *datap;
-
- maxkvno = -1;
- datap = (krb5_key_data *) NULL;
- for (i=0; i<dbentp->n_key_data; i++) {
- if ((dbentp->key_data[i].key_data_type[0] == enctype) &&
- ((dbentp->key_data[i].key_data_type[1] == salttype) ||
- (salttype < 0))) {
- maxkvno = dbentp->key_data[i].key_data_kvno;
- datap = &dbentp->key_data[i];
- }
- }
- if (maxkvno >= 0) {
- *kentp = datap;
- return(0);
- }
- return(ENOENT);
-}
-\f
-/*
- * dump_k5beta_header() - Make a dump header that is recognizable by Kerberos
- * Version 5 Beta 5 and previous releases.
- */
-static krb5_error_code
-dump_k5beta_header(arglist)
- struct dump_args *arglist;
-{
- /* The old header consists of the leading string */
- fprintf(arglist->ofile, k5beta_dump_header);
- return(0);
-}
-\f
-/*
- * dump_k5beta_iterator() - Dump an entry in a format that is usable
- * by Kerberos Version 5 Beta 5 and previous
- * releases.
- */
-static krb5_error_code
-dump_k5beta_iterator(ptr, entry)
- krb5_pointer ptr;
- krb5_db_entry *entry;
-{
- krb5_error_code retval;
- struct dump_args *arg;
- char *name, *mod_name;
- krb5_principal mod_princ;
- krb5_tl_data *pwchg;
- krb5_key_data *pkey, *akey, nullkey;
- krb5_timestamp mod_date, last_pwd_change;
- int i;
-
- /* Initialize */
- arg = (struct dump_args *) ptr;
- name = (char *) NULL;
- mod_name = (char *) NULL;
- memset(&nullkey, 0, sizeof(nullkey));
-
- /*
- * Flatten the principal name.
- */
- if ((retval = krb5_unparse_name(arg->kcontext,
- entry->princ,
- &name))) {
- fprintf(stderr, pname_unp_err,
- arg->programname, error_message(retval));
- return(retval);
- }
- /*
- * If we don't have any match strings, or if our name matches, then
- * proceed with the dump, otherwise, just forget about it.
- */
- if (!arg->nnames || name_matches(name, arg)) {
- /*
- * Deserialize the modifier record.
- */
- mod_name = (char *) NULL;
- mod_princ = NULL;
- last_pwd_change = mod_date = 0;
- pkey = akey = (krb5_key_data *) NULL;
- if (!(retval = krb5_dbe_lookup_mod_princ_data(arg->kcontext,
- entry,
- &mod_date,
- &mod_princ))) {
- if (mod_princ) {
- /*
- * Flatten the modifier name.
- */
- if ((retval = krb5_unparse_name(arg->kcontext,
- mod_princ,
- &mod_name)))
- fprintf(stderr, mname_unp_err, arg->programname,
- error_message(retval));
- krb5_free_principal(arg->kcontext, mod_princ);
- }
- }
- if (!mod_name)
- mod_name = strdup(null_mprinc_name);
-
- /*
- * Find the last password change record and set it straight.
- */
- if (retval =
- krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry,
- &last_pwd_change)) {
- fprintf(stderr, nokeys_err, arg->programname, name);
- krb5_xfree(mod_name);
- krb5_xfree(name);
- return(retval);
- }
-
- /*
- * Find the 'primary' key and the 'alternate' key.
- */
- if ((retval = find_enctype(entry,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_NORMAL,
- &pkey)) &&
- (retval = find_enctype(entry,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4,
- &akey))) {
- fprintf(stderr, nokeys_err, arg->programname, name);
- krb5_xfree(mod_name);
- krb5_xfree(name);
- return(retval);
- }
-
- /* If we only have one type, then ship it out as the primary. */
- if (!pkey && akey) {
- pkey = akey;
- akey = &nullkey;
- }
- else {
- if (!akey)
- akey = &nullkey;
- }
-
- /*
- * First put out strings representing the length of the variable
- * length data in this record, then the name and the primary key type.
- */
- fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%s\t%d\t", strlen(name),
- strlen(mod_name),
- (krb5_int32) pkey->key_data_length[0],
- (krb5_int32) akey->key_data_length[0],
- (krb5_int32) pkey->key_data_length[1],
- (krb5_int32) akey->key_data_length[1],
- name,
- (krb5_int32) pkey->key_data_type[0]);
- for (i=0; i<pkey->key_data_length[0]; i++) {
- fprintf(arg->ofile, "%02x", pkey->key_data_contents[0][i]);
- }
- /*
- * Second, print out strings representing the standard integer
- * data in this record.
- */
- fprintf(arg->ofile,
- "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%s\t%u\t%u\t%u\t",
- (krb5_int32) pkey->key_data_kvno,
- entry->max_life, entry->max_renewable_life,
- 1 /* Fake mkvno */, entry->expiration, entry->pw_expiration,
- last_pwd_change, entry->last_success, entry->last_failed,
- entry->fail_auth_count, mod_name, mod_date,
- entry->attributes, pkey->key_data_type[1]);
-
- /* Pound out the salt data, if present. */
- for (i=0; i<pkey->key_data_length[1]; i++) {
- fprintf(arg->ofile, "%02x", pkey->key_data_contents[1][i]);
- }
- /* Pound out the alternate key type and contents */
- fprintf(arg->ofile, "\t%u\t", akey->key_data_type[0]);
- for (i=0; i<akey->key_data_length[0]; i++) {
- fprintf(arg->ofile, "%02x", akey->key_data_contents[0][i]);
- }
- /* Pound out the alternate salt type and contents */
- fprintf(arg->ofile, "\t%u\t", akey->key_data_type[1]);
- for (i=0; i<akey->key_data_length[1]; i++) {
- fprintf(arg->ofile, "%02x", akey->key_data_contents[1][i]);
- }
- /* Pound out the expansion data. (is null) */
- for (i=0; i < 8; i++) {
- fprintf(arg->ofile, "\t%u", 0);
- }
- fprintf(arg->ofile, ";\n");
- /* If we're blabbing, do it */
- if (arg->verbose)
- fprintf(stderr, "%s\n", name);
- krb5_xfree(mod_name);
- }
- krb5_xfree(name);
- return(0);
-}
-\f
-/*
- * dump_standard_header() - Output the standard dump header.
- */
-static krb5_error_code
-dump_standard_header(arglist)
- struct dump_args *arglist;
-{
- /* The standard header consists of the leading string */
- fprintf(arglist->ofile, k5_dump_header);
- return(0);
-}
-\f
-/*
- * dump_standard_iterator() - Output a dump record in standard format.
- */
-static krb5_error_code
-dump_standard_iterator(ptr, entry)
- krb5_pointer ptr;
- krb5_db_entry *entry;
-{
- krb5_error_code retval;
- struct dump_args *arg;
- char *name;
- krb5_tl_data *tlp;
- krb5_key_data *kdata;
- int counter, i, j;
-
- /* Initialize */
- arg = (struct dump_args *) ptr;
- name = (char *) NULL;
-
- /*
- * Flatten the principal name.
- */
- if ((retval = krb5_unparse_name(arg->kcontext,
- entry->princ,
- &name))) {
- fprintf(stderr, pname_unp_err,
- arg->programname, error_message(retval));
- return(retval);
- }
- /*
- * If we don't have any match strings, or if our name matches, then
- * proceed with the dump, otherwise, just forget about it.
- */
- if (!arg->nnames || name_matches(name, arg)) {
- /*
- * We'd like to just blast out the contents as they would appear in
- * the database so that we can just suck it back in, but it doesn't
- * lend itself to easy editing.
- */
-
- /*
- * The dump format is as follows:
- * len strlen(name) n_tl_data n_key_data e_length
- * name
- * attributes max_life max_renewable_life expiration
- * pw_expiration last_success last_failed fail_auth_count
- * n_tl_data*[type length <contents>]
- * n_key_data*[ver kvno ver*(type length <contents>)]
- * <e_data>
- * Fields which are not encapsulated by angle-brackets are to appear
- * verbatim. Bracketed fields absence is indicated by a -1 in its
- * place
- */
-
- /*
- * Make sure that the tagged list is reasonably correct.
- */
- counter = 0;
- for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next)
- counter++;
- if (counter == entry->n_tl_data) {
- /* Pound out header */
- fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%s\t",
- (int) entry->len,
- strlen(name),
- (int) entry->n_tl_data,
- (int) entry->n_key_data,
- (int) entry->e_length,
- name);
- fprintf(arg->ofile, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
- entry->attributes,
- entry->max_life,
- entry->max_renewable_life,
- entry->expiration,
- entry->pw_expiration,
- entry->last_success,
- entry->last_failed,
- entry->fail_auth_count);
- /* Pound out tagged data. */
- for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) {
- fprintf(arg->ofile, "%d\t%d\t",
- (int) tlp->tl_data_type,
- (int) tlp->tl_data_length);
- if (tlp->tl_data_length)
- for (i=0; i<tlp->tl_data_length; i++)
- fprintf(arg->ofile, "%02x", tlp->tl_data_contents[i]);
- else
- fprintf(arg->ofile, "%d", -1);
- fprintf(arg->ofile, "\t");
- }
-
- /* Pound out key data */
- for (counter=0; counter<entry->n_key_data; counter++) {
- kdata = &entry->key_data[counter];
- fprintf(arg->ofile, "%d\t%d\t",
- (int) kdata->key_data_ver,
- (int) kdata->key_data_kvno);
- for (i=0; i<kdata->key_data_ver; i++) {
- fprintf(arg->ofile, "%d\t%d\t",
- kdata->key_data_type[i],
- kdata->key_data_length[i]);
- if (kdata->key_data_length[i])
- for (j=0; j<kdata->key_data_length[i]; j++)
- fprintf(arg->ofile, "%02x",
- kdata->key_data_contents[i][j]);
- else
- fprintf(arg->ofile, "%d", -1);
- fprintf(arg->ofile, "\t");
- }
- }
-
- /* Pound out extra data */
- if (entry->e_length)
- for (i=0; i<entry->e_length; i++)
- fprintf(arg->ofile, "%02x", entry->e_data[i]);
- else
- fprintf(arg->ofile, "%d", -1);
-
- /* Print trailer */
- fprintf(arg->ofile, ";\n");
-
- if (arg->verbose)
- fprintf(stderr, "%s\n", name);
- }
- else {
- fprintf(stderr, sdump_tl_inc_err,
- arg->programname, name, counter, (int) entry->n_tl_data);
- retval = EINVAL;
- }
- }
- krb5_xfree(name);
- return(retval);
-}
-\f
-/*
- * usage is:
- * dump_db [-old] [-verbose] [filename [principals...]]
- */
-void
-dump_db(argc, argv)
- int argc;
- char **argv;
-{
- FILE *f;
- struct dump_args arglist;
- int error;
- char *programname;
- char *ofile;
- krb5_error_code kret;
- krb5_error_code (*dump_iterator) PROTOTYPE((krb5_pointer,
- krb5_db_entry *));
- krb5_error_code (*dump_header) PROTOTYPE((struct dump_args *));
- const char * dump_name;
- int aindex;
- krb5_boolean locked;
-
- /*
- * Parse the arguments.
- */
- programname = argv[0];
- if (strrchr(programname, (int) '/'))
- programname = strrchr(argv[0], (int) '/') + 1;
- ofile = (char *) NULL;
- error = 0;
- dump_iterator = dump_standard_iterator;
- dump_header = dump_standard_header;
- dump_name = stand_fmt_name;
- arglist.verbose = 0;
-
- /*
- * Parse the qualifiers.
- */
- for (aindex = 1; aindex < argc; aindex++) {
- if (!strcmp(argv[aindex], oldoption)) {
- dump_iterator = dump_k5beta_iterator;
- dump_header = dump_k5beta_header;
- dump_name = old_fmt_name;
- }
- else if (!strcmp(argv[aindex], verboseoption)) {
- arglist.verbose++;
- }
- else
- break;
- }
-
- arglist.names = (char **) NULL;
- arglist.nnames = 0;
- if (aindex < argc) {
- ofile = argv[aindex];
- aindex++;
- if (aindex < argc) {
- arglist.names = &argv[aindex];
- arglist.nnames = argc - aindex;
- }
- }
-
- /*
- * Attempt to open the database.
- */
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
-
- kret = 0;
- locked = 0;
- if (ofile) {
- /*
- * Make sure that we don't open and truncate on the fopen,
- * since that may hose an on-going kprop process.
- *
- * We could also control this by opening for read and
- * write, doing an flock with LOCK_EX, and then
- * truncating the file once we have gotten the lock,
- * but that would involve more OS dependencies than I
- * want to get into.
- */
- unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
- fprintf(stderr, ofopen_error,
- programname, ofile, error_message(errno));
- exit_status++;
- }
- if ((kret = krb5_lock_file(edit_context,
- fileno(f),
- KRB5_LOCKMODE_EXCLUSIVE))) {
- fprintf(stderr, oflock_error,
- programname, ofile, error_message(kret));
- exit_status++;
- }
- else
- locked = 1;
- } else {
- f = stdout;
- }
- if (f && !(kret)) {
- arglist.programname = programname;
- arglist.ofile = f;
- arglist.kcontext = edit_context;
- if (!(kret = (*dump_header)(&arglist))) {
- if ((kret = krb5_db_iterate(edit_context,
- dump_iterator,
- (krb5_pointer) &arglist))) {
- fprintf(stderr, dumprec_err,
- programname, dump_name, error_message(kret));
- exit_status++;
- }
- }
- else {
- fprintf(stderr, dumphdr_err,
- programname, dump_name, error_message(kret));
- exit_status++;
- }
- if (ofile && !exit_status) {
- fclose(f);
- update_ok_file(ofile);
- }
- }
- if (locked)
- (void) krb5_lock_file(edit_context, fileno(f), KRB5_LOCKMODE_UNLOCK);
-}
-\f
-/*
- * Read a string of bytes while counting the number of lines passed.
- */
-static int
-read_string(f, buf, len, lp)
- FILE *f;
- char *buf;
- int len;
- int *lp;
-{
- int c;
- int i, retval;
-
- retval = 0;
- for (i=0; i<len; i++) {
- c = (char) fgetc(f);
- if (c < 0) {
- retval = 1;
- break;
- }
- if (c == '\n')
- (*lp)++;
- buf[i] = (char) c;
- }
- buf[len] = '\0';
- return(retval);
-}
-
-/*
- * Read a string of two character representations of bytes.
- */
-static int
-read_octet_string(f, buf, len)
- FILE *f;
- krb5_octet *buf;
- int len;
-{
- int c;
- int i, retval;
-
- retval = 0;
- for (i=0; i<len; i++) {
- if (fscanf(f, "%02x", &c) != 1) {
- retval = 1;
- break;
- }
- buf[i] = (krb5_octet) c;
- }
- return(retval);
-}
-
-/*
- * Find the end of an old format record.
- */
-static void
-find_record_end(f, fn, lineno)
- FILE *f;
- char *fn;
- int lineno;
-{
- int ch;
-
- if (((ch = fgetc(f)) != ';') || ((ch = fgetc(f)) != '\n')) {
- fprintf(stderr, trash_end_fmt, fn, lineno);
- while (ch != '\n') {
- putc(ch, stderr);
- ch = fgetc(f);
- }
- putc(ch, stderr);
- }
-}
-
-#if 0
-/*
- * update_tl_data() - Generate the tl_data entries.
- */
-static krb5_error_code
-update_tl_data(kcontext, dbentp, mod_name, mod_date, last_pwd_change)
- krb5_context kcontext;
- krb5_db_entry *dbentp;
- krb5_principal mod_name;
- krb5_timestamp mod_date;
- krb5_timestamp last_pwd_change;
-{
- krb5_error_code kret;
-
- kret = 0 ;
-
- /*
- * Handle modification principal.
- */
- if (mod_name) {
- krb5_tl_mod_princ mprinc;
-
- memset(&mprinc, 0, sizeof(mprinc));
- if (!(kret = krb5_copy_principal(kcontext,
- mod_name,
- &mprinc.mod_princ))) {
- mprinc.mod_date = mod_date;
- kret = krb5_dbe_encode_mod_princ_data(kcontext,
- &mprinc,
- dbentp);
- }
- if (mprinc.mod_princ)
- krb5_free_principal(kcontext, mprinc.mod_princ);
- }
-
- /*
- * Handle last password change.
- */
- if (!kret) {
- krb5_tl_data *pwchg;
- krb5_boolean linked;
-
- /* Find a previously existing entry */
- for (pwchg = dbentp->tl_data;
- (pwchg) && (pwchg->tl_data_type != KRB5_TL_LAST_PWD_CHANGE);
- pwchg = pwchg->tl_data_next);
-
- /* Check to see if we found one. */
- linked = 0;
- if (!pwchg) {
- /* No, allocate a new one */
- if ((pwchg = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
- memset(pwchg, 0, sizeof(krb5_tl_data));
- if (!(pwchg->tl_data_contents =
- (krb5_octet *) malloc(sizeof(krb5_timestamp)))) {
- free(pwchg);
- pwchg = (krb5_tl_data *) NULL;
- }
- else {
- pwchg->tl_data_type = KRB5_TL_LAST_PWD_CHANGE;
- pwchg->tl_data_length =
- (krb5_int16) sizeof(krb5_timestamp);
- }
- }
- }
- else
- linked = 1;
-
- /* Do we have an entry? */
- if (pwchg && pwchg->tl_data_contents) {
- /* Encode it */
- krb5_kdb_encode_int32(last_pwd_change, pwchg->tl_data_contents);
- /* Link it in if necessary */
- if (!linked) {
- pwchg->tl_data_next = dbentp->tl_data;
- dbentp->tl_data = pwchg;
- dbentp->n_tl_data++;
- }
- }
- else
- kret = ENOMEM;
- }
-
- return(kret);
-}
-#endif
-
-/*
- * process_k5beta_record() - Handle a dump record in old format.
- *
- * Returns -1 for end of file, 0 for success and 1 for failure.
- */
-static int
-process_k5beta_record(fname, kcontext, filep, verbose, linenop)
- char *fname;
- krb5_context kcontext;
- FILE *filep;
- int verbose;
- int *linenop;
-{
- int nmatched;
- int retval;
- krb5_db_entry dbent;
- int name_len, mod_name_len, key_len;
- int alt_key_len, salt_len, alt_salt_len;
- char *name;
- char *mod_name;
- int tmpint1, tmpint2, tmpint3;
- int error;
- const char *try2read;
- int i;
- krb5_key_data *pkey, *akey;
- krb5_timestamp last_pwd_change, mod_date;
- krb5_principal mod_princ;
- krb5_error_code kret;
-
- try2read = (char *) NULL;
- (*linenop)++;
- retval = 1;
- memset((char *)&dbent, 0, sizeof(dbent));
-
- /* Make sure we've got key_data entries */
- if (krb5_dbe_create_key_data(kcontext, &dbent) ||
- krb5_dbe_create_key_data(kcontext, &dbent)) {
- krb5_db_free_principal(kcontext, &dbent, 1);
- return(1);
- }
- pkey = &dbent.key_data[0];
- akey = &dbent.key_data[1];
-
- /*
- * Match the sizes. 6 tokens to match.
- */
- nmatched = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t",
- &name_len, &mod_name_len, &key_len,
- &alt_key_len, &salt_len, &alt_salt_len);
- if (nmatched == 6) {
- pkey->key_data_length[0] = key_len;
- akey->key_data_length[0] = alt_key_len;
- pkey->key_data_length[1] = salt_len;
- akey->key_data_length[1] = alt_salt_len;
- name = (char *) NULL;
- mod_name = (char *) NULL;
- /*
- * Get the memory for the variable length fields.
- */
- if ((name = (char *) malloc((size_t) (name_len + 1))) &&
- (mod_name = (char *) malloc((size_t) (mod_name_len + 1))) &&
- (!key_len ||
- (pkey->key_data_contents[0] =
- (krb5_octet *) malloc((size_t) (key_len + 1)))) &&
- (!alt_key_len ||
- (akey->key_data_contents[0] =
- (krb5_octet *) malloc((size_t) (alt_key_len + 1)))) &&
- (!salt_len ||
- (pkey->key_data_contents[1] =
- (krb5_octet *) malloc((size_t) (salt_len + 1)))) &&
- (!alt_salt_len ||
- (akey->key_data_contents[1] =
- (krb5_octet *) malloc((size_t) (alt_salt_len + 1))))
- ) {
- error = 0;
-
- /* Read the principal name */
- if (read_string(filep, name, name_len, linenop)) {
- try2read = read_name_string;
- error++;
- }
- /* Read the key type */
- if (!error && (fscanf(filep, "\t%d\t", &tmpint1) != 1)) {
- try2read = read_key_type;
- error++;
- }
- pkey->key_data_type[0] = tmpint1;
- /* Read the old format key */
- if (!error && read_octet_string(filep,
- pkey->key_data_contents[0],
- pkey->key_data_length[0])) {
- try2read = read_key_data;
- error++;
- }
- /* convert to a new format key */
- /* the encrypted version is stored as the unencrypted key length
- (4 bytes, MSB first) followed by the encrypted key. */
- if ((pkey->key_data_length[0] > 4)
- && (pkey->key_data_contents[0][0] == 0)
- && (pkey->key_data_contents[0][1] == 0)) {
- /* this really does look like an old key, so drop and swap */
- /* the *new* length is 2 bytes, LSB first, sigh. */
- size_t shortlen = pkey->key_data_length[0]-4+2;
- char *shortcopy = (krb5_octet *) malloc(shortlen);
- char *origdata = pkey->key_data_contents[0];
- shortcopy[0] = origdata[3];
- shortcopy[1] = origdata[2];
- memcpy(shortcopy+2,origdata+4,shortlen-2);
- free(origdata);
- pkey->key_data_length[0] = shortlen;
- pkey->key_data_contents[0] = shortcopy;
- }
-
- /* Read principal attributes */
- if (!error && (fscanf(filep,
- "\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t%u\t",
- &tmpint1, &dbent.max_life,
- &dbent.max_renewable_life,
- &tmpint2, &dbent.expiration,
- &dbent.pw_expiration, &last_pwd_change,
- &dbent.last_success, &dbent.last_failed,
- &tmpint3) != 10)) {
- try2read = read_pr_data1;
- error++;
- }
- pkey->key_data_kvno = tmpint1;
- dbent.fail_auth_count = tmpint3;
- /* Read modifier name */
- if (!error && read_string(filep,
- mod_name,
- mod_name_len,
- linenop)) {
- try2read = read_mod_name;
- error++;
- }
- /* Read second set of attributes */
- if (!error && (fscanf(filep, "\t%u\t%u\t%u\t",
- &mod_date, &dbent.attributes,
- &tmpint1) != 3)) {
- try2read = read_pr_data2;
- error++;
- }
- pkey->key_data_type[1] = tmpint1;
- /* Read salt data */
- if (!error && read_octet_string(filep,
- pkey->key_data_contents[1],
- pkey->key_data_length[1])) {
- try2read = read_salt_data;
- error++;
- }
- /* Read alternate key type */
- if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
- try2read = read_akey_type;
- error++;
- }
- akey->key_data_type[0] = tmpint1;
- /* Read alternate key */
- if (!error && read_octet_string(filep,
- akey->key_data_contents[0],
- akey->key_data_length[0])) {
- try2read = read_akey_data;
- error++;
- }
-
- /* convert to a new format key */
- /* the encrypted version is stored as the unencrypted key length
- (4 bytes, MSB first) followed by the encrypted key. */
- if ((akey->key_data_length[0] > 4)
- && (akey->key_data_contents[0][0] == 0)
- && (akey->key_data_contents[0][1] == 0)) {
- /* this really does look like an old key, so drop and swap */
- /* the *new* length is 2 bytes, LSB first, sigh. */
- size_t shortlen = akey->key_data_length[0]-4+2;
- char *shortcopy = (krb5_octet *) malloc(shortlen);
- char *origdata = akey->key_data_contents[0];
- shortcopy[0] = origdata[3];
- shortcopy[1] = origdata[2];
- memcpy(shortcopy+2,origdata+4,shortlen-2);
- free(origdata);
- akey->key_data_length[0] = shortlen;
- akey->key_data_contents[0] = shortcopy;
- }
-
- /* Read alternate salt type */
- if (!error && (fscanf(filep, "\t%u\t", &tmpint1) != 1)) {
- try2read = read_asalt_type;
- error++;
- }
- akey->key_data_type[1] = tmpint1;
- /* Read alternate salt data */
- if (!error && read_octet_string(filep,
- akey->key_data_contents[1],
- akey->key_data_length[1])) {
- try2read = read_asalt_data;
- error++;
- }
- /* Read expansion data - discard it */
- if (!error) {
- for (i=0; i<8; i++) {
- if (fscanf(filep, "\t%u", &tmpint1) != 1) {
- try2read = read_exp_data;
- error++;
- break;
- }
- }
- if (!error)
- find_record_end(filep, fname, *linenop);
- }
-
- /*
- * If no error, then we're done reading. Now parse the names
- * and store the database dbent.
- */
- if (!error) {
- if (!(kret = krb5_parse_name(kcontext,
- name,
- &dbent.princ))) {
- if (!(kret = krb5_parse_name(kcontext,
- mod_name,
- &mod_princ))) {
- if (!(kret =
- krb5_dbe_update_mod_princ_data(kcontext,
- &dbent,
- mod_date,
- mod_princ)) &&
- !(kret =
- krb5_dbe_update_last_pwd_change(kcontext,
- &dbent,
- last_pwd_change))) {
- int one = 1;
-
- dbent.len = KRB5_KDB_V1_BASE_LENGTH;
- pkey->key_data_ver = (pkey->key_data_type[1] || pkey->key_data_length[1]) ?
- 2 : 1;
- akey->key_data_ver = (akey->key_data_type[1] || akey->key_data_length[1]) ?
- 2 : 1;
- if ((pkey->key_data_type[0] ==
- akey->key_data_type[0]) &&
- (pkey->key_data_type[1] ==
- akey->key_data_type[1]))
- dbent.n_key_data--;
- else if ((akey->key_data_type[0] == 0)
- && (akey->key_data_length[0] == 0)
- && (akey->key_data_type[1] == 0)
- && (akey->key_data_length[1] == 0))
- dbent.n_key_data--;
- if ((kret = krb5_db_put_principal(kcontext,
- &dbent,
- &one)) ||
- (one != 1)) {
- fprintf(stderr, store_err_fmt,
- fname, *linenop, name,
- error_message(kret));
- error++;
- }
- else {
- if (verbose)
- fprintf(stderr, add_princ_fmt, name);
- retval = 0;
- }
- dbent.n_key_data = 2;
- }
- krb5_free_principal(kcontext, mod_princ);
- }
- else {
- fprintf(stderr, parse_err_fmt,
- fname, *linenop, mod_name,
- error_message(kret));
- error++;
- }
- }
- else {
- fprintf(stderr, parse_err_fmt,
- fname, *linenop, name, error_message(kret));
- error++;
- }
- }
- else {
- fprintf(stderr, read_err_fmt, fname, *linenop, try2read);
- }
- }
- else {
- fprintf(stderr, no_mem_fmt, fname, *linenop);
- }
-
- krb5_db_free_principal(kcontext, &dbent, 1);
- if (mod_name)
- free(mod_name);
- if (name)
- free(name);
- }
- else {
- if (nmatched != EOF)
- fprintf(stderr, rhead_err_fmt, fname, *linenop);
- else
- retval = -1;
- }
- return(retval);
-}
-\f
-/*
- * process_k5_record() - Handle a dump record in new format.
- *
- * Returns -1 for end of file, 0 for success and 1 for failure.
- */
-static int
-process_k5_record(fname, kcontext, filep, verbose, linenop)
- char *fname;
- krb5_context kcontext;
- FILE *filep;
- int verbose;
- int *linenop;
-{
- int retval;
- krb5_db_entry dbentry;
- krb5_int32 t1, t2, t3, t4, t5, t6, t7, t8, t9;
- int nread;
- int error;
- int i, j, one;
- char *name;
- krb5_key_data *kp, *kdatap;
- krb5_tl_data **tlp, *tl;
- krb5_octet *op;
- krb5_error_code kret;
- const char *try2read;
-
- try2read = (char *) NULL;
- memset((char *) &dbentry, 0, sizeof(dbentry));
- (*linenop)++;
- retval = 1;
- name = (char *) NULL;
- kp = (krb5_key_data *) NULL;
- op = (krb5_octet *) NULL;
- error = 0;
- kret = 0;
- nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t", &t1, &t2, &t3, &t4, &t5);
- if (nread == 5) {
- /* Get memory for flattened principal name */
- if (!(name = (char *) malloc((size_t) t2 + 1)))
- error++;
-
- /* Get memory for and form tagged data linked list */
- tlp = &dbentry.tl_data;
- for (i=0; i<t3; i++) {
- if ((*tlp = (krb5_tl_data *) malloc(sizeof(krb5_tl_data)))) {
- memset(*tlp, 0, sizeof(krb5_tl_data));
- tlp = &((*tlp)->tl_data_next);
- dbentry.n_tl_data++;
- }
- else {
- error++;
- break;
- }
- }
-
- /* Get memory for key list */
- if (t4 && !(kp = (krb5_key_data *) malloc((size_t)
- (t4*sizeof(krb5_key_data)))))
- error++;
-
- /* Get memory for extra data */
- if (t5 && !(op = (krb5_octet *) malloc((size_t) t5)))
- error++;
-
- if (!error) {
- dbentry.len = t1;
- dbentry.n_key_data = t4;
- dbentry.e_length = t5;
- if (kp) {
- memset(kp, 0, (size_t) (t4*sizeof(krb5_key_data)));
- dbentry.key_data = kp;
- kp = (krb5_key_data *) NULL;
- }
- if (op) {
- memset(op, 0, (size_t) t5);
- dbentry.e_data = op;
- op = (krb5_octet *) NULL;
- }
-
- /* Read in and parse the principal name */
- if (!read_string(filep, name, t2, linenop) &&
- !(kret = krb5_parse_name(kcontext, name, &dbentry.princ))) {
-
- /* Get the fixed principal attributes */
- nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",
- &t2, &t3, &t4, &t5, &t6, &t7, &t8, &t9);
- if (nread == 8) {
- dbentry.attributes = (krb5_flags) t2;
- dbentry.max_life = (krb5_deltat) t3;
- dbentry.max_renewable_life = (krb5_deltat) t4;
- dbentry.expiration = (krb5_timestamp) t5;
- dbentry.pw_expiration = (krb5_timestamp) t6;
- dbentry.last_success = (krb5_timestamp) t7;
- dbentry.last_failed = (krb5_timestamp) t8;
- dbentry.fail_auth_count = (krb5_kvno) t9;
- } else {
- try2read = read_nint_data;
- error++;
- }
-
- /* Get the tagged data */
- if (!error && dbentry.n_tl_data) {
- for (tl = dbentry.tl_data; tl; tl = tl->tl_data_next) {
- nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
- if (nread == 2) {
- tl->tl_data_type = (krb5_int16) t1;
- tl->tl_data_length = (krb5_int16) t2;
- if (tl->tl_data_length) {
- if (!(tl->tl_data_contents =
- (krb5_octet *) malloc((size_t) t2+1)) ||
- read_octet_string(filep,
- tl->tl_data_contents,
- t2)) {
- try2read = read_tcontents;
- error++;
- break;
- }
- }
- else {
- /* Should be a null field */
- nread = fscanf(filep, "%d", &t9);
- if ((nread != 1) || (t9 != -1)) {
- error++;
- try2read = read_tcontents;
- break;
- }
- }
- }
- else {
- try2read = read_ttypelen;
- error++;
- break;
- }
- }
- }
-
- /* Get the key data */
- if (!error && dbentry.n_key_data) {
- for (i=0; !error && (i<dbentry.n_key_data); i++) {
- kdatap = &dbentry.key_data[i];
- nread = fscanf(filep, "%d\t%d\t", &t1, &t2);
- if (nread == 2) {
- kdatap->key_data_ver = (krb5_int16) t1;
- kdatap->key_data_kvno = (krb5_int16) t2;
-
- for (j=0; j<t1; j++) {
- nread = fscanf(filep, "%d\t%d\t", &t3, &t4);
- if (nread == 2) {
- kdatap->key_data_type[j] = t3;
- kdatap->key_data_length[j] = t4;
- if (t4) {
- if (!(kdatap->key_data_contents[j] =
- (krb5_octet *)
- malloc((size_t) t4+1)) ||
- read_octet_string(filep,
- kdatap->key_data_contents[j],
- t4)) {
- try2read = read_kcontents;
- error++;
- break;
- }
- }
- else {
- /* Should be a null field */
- nread = fscanf(filep, "%d", &t9);
- if ((nread != 1) || (t9 != -1)) {
- error++;
- try2read = read_kcontents;
- break;
- }
- }
- }
- else {
- try2read = read_ktypelen;
- error++;
- break;
- }
- }
- }
- }
- }
-
- /* Get the extra data */
- if (!error && dbentry.e_length) {
- if (read_octet_string(filep,
- dbentry.e_data,
- (int) dbentry.e_length)) {
- try2read = read_econtents;
- error++;
- }
- }
- else {
- nread = fscanf(filep, "%d", &t9);
- if ((nread != 1) || (t9 != -1)) {
- error++;
- try2read = read_econtents;
- }
- }
-
- /* Finally, find the end of the record. */
- if (!error)
- find_record_end(filep, fname, *linenop);
-
- /*
- * We have either read in all the data or choked.
- */
- if (!error) {
- one = 1;
- if ((kret = krb5_db_put_principal(kcontext,
- &dbentry,
- &one))) {
- fprintf(stderr, store_err_fmt,
- fname, *linenop,
- name, error_message(kret));
- }
- else {
- if (verbose)
- fprintf(stderr, add_princ_fmt, name);
- retval = 0;
- }
- }
- else {
- fprintf(stderr, read_err_fmt, fname, *linenop, try2read);
- }
- }
- else {
- if (kret)
- fprintf(stderr, parse_err_fmt,
- fname, *linenop, name, error_message(kret));
- else
- fprintf(stderr, no_mem_fmt, fname, *linenop);
- }
- }
- else {
- fprintf(stderr, rhead_err_fmt, fname, *linenop);
- }
-
- if (op)
- free(op);
- if (kp)
- free(kp);
- if (name)
- free(name);
- krb5_db_free_principal(kcontext, &dbentry, 1);
- }
- else {
- if (nread == EOF)
- retval = -1;
- }
- return(retval);
-}
-\f
-/*
- * restore_k5beta_compat() - Restore the database from a K5 Beta
- * format dump file.
- */
-static int
-restore_k5beta_compat(programname, kcontext, dumpfile, f, verbose)
- const char *programname;
- krb5_context kcontext;
- const char *dumpfile;
- FILE *f;
- int verbose;
-{
- int error;
- int lineno;
- char buf[2*sizeof(k5beta_dump_header)];
-
- /*
- * Get/check the header.
- */
- error = 0;
- fgets(buf, sizeof(buf), f);
- if (!strcmp(buf, k5beta_dump_header)) {
- lineno = 1;
- /*
- * Process the records.
- */
- while (!(error = process_k5beta_record(dumpfile,
- kcontext,
- f,
- verbose,
- &lineno)))
- ;
- if (error != -1)
- fprintf(stderr, err_line_fmt, programname, lineno, dumpfile);
- else
- error = 0;
-
- /*
- * Close the input file.
- */
- if (f != stdin)
- fclose(f);
- }
- else {
- fprintf(stderr, head_bad_fmt, programname, dumpfile);
- error++;
- }
- return(error);
-}
-\f
-/*
- * restore_dump() - Restore the database from a standard dump file.
- */
-static int
-restore_dump(programname, kcontext, dumpfile, f, verbose)
- const char *programname;
- krb5_context kcontext;
- const char *dumpfile;
- FILE *f;
- int verbose;
-{
- int error;
- int lineno;
- char buf[2*sizeof(k5_dump_header)];
-
- /*
- * Get/check the header.
- */
- error = 0;
- fgets(buf, sizeof(buf), f);
- if (!strcmp(buf, k5_dump_header)) {
- lineno = 1;
- /*
- * Process the records.
- */
- while (!(error = process_k5_record(dumpfile,
- kcontext,
- f,
- verbose,
- &lineno)))
- ;
- if (error != -1)
- fprintf(stderr, err_line_fmt, programname, lineno, dumpfile);
- else
- error = 0;
-
- /*
- * Close the input file.
- */
- if (f != stdin)
- fclose(f);
- }
- else if (!strcmp (buf, k5beta_dump_header)) {
- lineno = 1;
- /*
- * Process the records.
- */
- while (!(error = process_k5beta_record(dumpfile,
- kcontext,
- f,
- verbose,
- &lineno)))
- ;
- if (error != -1)
- fprintf(stderr, err_line_fmt, programname, lineno, dumpfile);
- else
- error = 0;
-
- /*
- * Close the input file.
- */
- if (f != stdin)
- fclose(f);
- }
- else {
- fprintf(stderr, head_bad_fmt, programname, dumpfile);
- error++;
- }
- return(error);
-}
-\f
-/*
- * Usage is
- * load_db [-old] [-verbose] [-update] filename dbname
- */
-void
-load_db(argc, argv)
- int argc;
- char **argv;
-{
- krb5_error_code kret;
- krb5_context kcontext;
- FILE *f;
- extern char *optarg;
- extern int optind;
- const char *programname;
- const char *dumpfile;
- char *dbname;
- char *dbname_tmp;
- int (*restore_function) PROTOTYPE((const char *,
- krb5_context,
- const char *,
- FILE *,
- int));
- const char * restore_name;
- int update, verbose;
- int aindex;
-
- /*
- * Parse the arguments.
- */
- programname = argv[0];
- if (strrchr(programname, (int) '/'))
- programname = strrchr(argv[0], (int) '/') + 1;
- dumpfile = (char *) NULL;
- dbname = (char *) NULL;
- restore_function = restore_dump;
- restore_name = standard_fmt_name;
- update = 0;
- verbose = 0;
- exit_status = 0;
- dbname_tmp = (char *) NULL;
- for (aindex = 1; aindex < argc; aindex++) {
- if (!strcmp(argv[aindex], oldoption)) {
- restore_function = restore_k5beta_compat;
- restore_name = k5beta_fmt_name;
- }
- else if (!strcmp(argv[aindex], verboseoption)) {
- verbose = 1;
- }
- else if (!strcmp(argv[aindex], updateoption)) {
- update = 1;
- }
- else
- break;
- }
- if ((argc - aindex) != 2) {
- fprintf(stderr, lusage_err_fmt, argv[0], argv[0],
- oldoption, verboseoption, updateoption);
- exit_status++;
- return;
- }
-
- dumpfile = argv[aindex];
- dbname = argv[aindex+1];
- if (!(dbname_tmp = (char *) malloc(strlen(dbname)+
- strlen(dump_tmptrail)+1))) {
- fprintf(stderr, no_name_mem_fmt, argv[0]);
- exit_status++;
- return;
- }
- strcpy(dbname_tmp, dbname);
- strcat(dbname_tmp, dump_tmptrail);
-
- /*
- * Initialize the Kerberos context and error tables.
- */
- if ((kret = krb5_init_context(&kcontext))) {
- fprintf(stderr, ctx_err_fmt, programname);
- free(dbname_tmp);
- exit_status++;
- return;
- }
- krb5_init_ets(kcontext);
-
- /*
- * Open the dumpfile
- */
- if (dumpfile) {
- if ((f = fopen(dumpfile, "r+"))) {
- kret = krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_SHARED);
- }
- }
- else {
- f = stdin;
- }
- if (f && !kret) {
- /*
- * Create the new database if not an update restoration.
- */
- if (update || !(kret = krb5_db_create(kcontext, dbname_tmp))) {
- /*
- * Point ourselves at it.
- */
- if (!(kret = krb5_db_set_name(kcontext,
- (update) ? dbname : dbname_tmp))) {
- /*
- * Initialize the database.
- */
- if (!(kret = krb5_db_init(kcontext))) {
- if ((*restore_function)(programname,
- kcontext,
- (dumpfile) ? dumpfile : stdin_name,
- f,
- verbose)) {
- fprintf(stderr, restfail_fmt,
- programname, restore_name);
- exit_status++;
- }
- if ((kret = krb5_db_fini(kcontext))) {
- fprintf(stderr, close_err_fmt,
- programname, error_message(kret));
- exit_status++;
- }
- }
- else {
- fprintf(stderr, dbinit_err_fmt,
- programname, error_message(kret));
- exit_status++;
- }
- }
- else {
- fprintf(stderr, dbname_err_fmt,
- programname,
- (update) ? dbname : dbname_tmp, error_message(kret));
- exit_status++;
- }
- /*
- * If there was an error and this is not an update, then
- * destroy the database.
- */
- if (!update) {
- if (exit_status) {
- if ((kret = kdb5_db_destroy(kcontext, dbname))) {
- fprintf(stderr, dbdelerr_fmt,
- programname, dbname_tmp, error_message(kret));
- exit_status++;
- }
- }
- else {
- if ((kret = krb5_db_rename(kcontext,
- dbname_tmp,
- dbname))) {
- fprintf(stderr, dbrenerr_fmt,
- programname, dbname_tmp, dbname,
- error_message(kret));
- exit_status++;
- }
- }
- }
- }
- else {
- fprintf(stderr, dbcreaterr_fmt,
- programname, dbname, error_message(kret));
- exit_status++;
- }
- if (dumpfile) {
- (void) krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_UNLOCK);
- fclose(f);
- }
- }
- else {
- fprintf(stderr, dfile_err_fmt, dumpfile, error_message(errno));
- exit_status++;
- }
- free(dbname_tmp);
- krb5_free_context(kcontext);
-}
+++ /dev/null
-/*
- * admin/edit/dumpv4.c
- *
- * Copyright 1990,1991, 1994 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Dump a KDC database into a V4 slave dump.
- */
-
-#ifdef KRB5_KRB4_COMPAT
-
-#include "k5-int.h"
-#include "com_err.h"
-
-#include <des.h>
-#include <krb.h>
-#include <krb_db.h>
-/* MKEYFILE is now defined in kdc.h */
-#include <kdc.h>
-
-#include <stdio.h>
-#include "kdb5_edit.h"
-
-struct dump_record {
- char *comerr_name;
- FILE *f;
- krb5_encrypt_block *v5master;
- C_Block v4_master_key;
- Key_schedule v4_master_key_schedule;
- long master_key_version;
- char *realm;
-};
-
-extern krb5_encrypt_block master_encblock;
-extern krb5_keyblock master_keyblock;
-extern char *cur_realm;
-extern krb5_principal master_princ;
-extern krb5_boolean dbactive;
-extern int exit_status;
-extern krb5_context edit_context;
-
-void update_ok_file();
-
-#define ANAME_SZ 40
-#define INST_SZ 40
-
-static char *v4_mkeyfile = "/.k";
-
-static int
-v4init(arg, manual)
- struct dump_record *arg;
- int manual;
-{
- int fd;
- int ok = 0;
-
- if (!manual) {
- fd = open(v4_mkeyfile, O_RDONLY, 0600);
- if (fd >= 0) {
- if (read(fd,arg->v4_master_key,sizeof(C_Block)) == sizeof(C_Block))
- ok = 1;
- close(fd);
- }
- }
- if (!ok) {
- des_read_password(arg->v4_master_key, "V4 Kerberos master key: ", 1);
- printf("\n");
- }
- arg->master_key_version = 1;
- key_sched(arg->v4_master_key, arg->v4_master_key_schedule);
-
- return 0;
-}
-
-void v4_print_time(file, timeval)
- FILE *file;
- unsigned long timeval;
-{
- struct tm *tm;
- struct tm *gmtime();
- tm = gmtime((time_t *)&timeval);
- fprintf(file, " %04d%02d%02d%02d%02d",
- tm->tm_year < 1900 ? tm->tm_year + 1900: tm->tm_year,
- tm->tm_mon + 1,
- tm->tm_mday,
- tm->tm_hour,
- tm->tm_min);
-}
-
-
-
-krb5_error_code
-dump_v4_iterator(ptr, entry)
- krb5_pointer ptr;
- krb5_db_entry *entry;
-{
- struct dump_record *arg = (struct dump_record *) ptr;
- krb5_principal mod_princ;
- krb5_timestamp mod_time;
- krb5_error_code retval;
- int i, max_kvno, ok_key;
-
- struct v4princ {
- char name[ANAME_SZ+1];
- char instance[INST_SZ+1];
- char realm[REALM_SZ+1];
- int max_life;
- int kdc_key_ver, key_version, attributes;
- char mod_name[ANAME_SZ+1];
- char mod_instance[INST_SZ+1];
- char mod_realm[REALM_SZ+1];
- } v4princ, *principal;
- des_cblock v4key;
-
- principal = &v4princ;
-
- if (strcmp(krb5_princ_realm(edit_context, entry->princ)->data, arg->realm))
- /* skip this because it's a key for a different realm, probably
- * a paired krbtgt key */
- return 0;
-
- retval = krb5_524_conv_principal(edit_context, entry->princ,
- principal->name, principal->instance,
- principal->realm);
- if (retval)
- /* Skip invalid V4 principals */
- return 0;
-
- if (!strcmp(principal->name, "K") && !strcmp(principal->instance, "M"))
- /* The V4 master key is handled specially */
- return 0;
-
- if (! principal->name[0])
- return 0;
- if (! principal->instance[0])
- strcpy(principal->instance, "*");
-
- /* Now move to mod princ */
- if (retval = krb5_dbe_lookup_mod_princ_data(edit_context,entry,
- &mod_time, &mod_princ)){
- com_err(arg->comerr_name, retval, "while unparsing db entry");
- exit_status++;
- return retval;
- }
- retval = krb5_524_conv_principal(edit_context, mod_princ,
- principal->mod_name, principal->mod_instance,
- principal->mod_realm);
- if (retval) {
- /* Invalid V4 mod principal */
- principal->mod_name[0] = '\0';
- principal->mod_instance[0] = '\0';
- }
-
- if (! principal->mod_name[0])
- strcpy(principal->mod_name, "*");
- if (! principal->mod_instance[0])
- strcpy(principal->mod_instance, "*");
-
- /* OK deal with the key now. */
- for (max_kvno = i = 0; i < entry->n_key_data; i++) {
- if (max_kvno < entry->key_data[i].key_data_kvno) {
- max_kvno = entry->key_data[i].key_data_kvno;
- ok_key = i;
- }
- }
-
- i = ok_key;
- while (ok_key < entry->n_key_data) {
- if (max_kvno == entry->key_data[ok_key].key_data_kvno) {
- if (entry->key_data[ok_key].key_data_type[1]
- == KRB5_KDB_SALTTYPE_V4) {
- goto found_one;
- }
- }
- ok_key++;
- }
-
- /* See if there are any DES keys that may be suitable */
- ok_key = i;
- while (ok_key < entry->n_key_data) {
- if (max_kvno == entry->key_data[ok_key].key_data_kvno) {
- krb5_enctype enctype = entry->key_data[ok_key].key_data_type[0];
- if ((enctype == ENCTYPE_DES_CBC_CRC) ||
- (enctype == ENCTYPE_DES_CBC_MD5) ||
- (enctype == ENCTYPE_DES_CBC_RAW))
- goto found_one;
- }
- ok_key++;
- }
- /* skip this because it's a new style key and we can't help it */
- return 0;
-
-found_one:;
- principal->key_version = max_kvno;
- if ((principal->max_life = entry->max_life / (60 * 5)) > 255)
- principal->max_life = 255;
- principal->kdc_key_ver = arg->master_key_version;
- principal->attributes = 0; /* ??? not preserved either */
-
- fprintf(arg->f, "%s %s %d %d %d %d ",
- principal->name,
- principal->instance,
- principal->max_life,
- principal->kdc_key_ver,
- principal->key_version,
- principal->attributes);
-
- handle_one_key(arg, arg->v5master, &entry->key_data[ok_key], v4key);
-
- for (i = 0; i < 8; i++) {
- fprintf(arg->f, "%02x", ((unsigned char*)v4key)[i]);
- if (i == 3) fputc(' ', arg->f);
- }
-
- v4_print_time(arg->f, entry->expiration);
- v4_print_time(arg->f, mod_time);
-
- fprintf(arg->f, " %s %s\n", principal->mod_name, principal->mod_instance);
- return 0;
-}
-
-/*ARGSUSED*/
-void dump_v4db(argc, argv)
- int argc;
- char **argv;
-{
- FILE *f;
- struct dump_record arg;
-
- if (argc > 2) {
- com_err(argv[0], 0, "Usage: %s filename", argv[0]);
- exit_status++;
- return;
- }
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
- if (argc == 2) {
- /*
- * Make sure that we don't open and truncate on the fopen,
- * since that may hose an on-going kprop process.
- *
- * We could also control this by opening for read and
- * write, doing an flock with LOCK_EX, and then
- * truncating the file once we have gotten the lock,
- * but that would involve more OS dependancies than I
- * want to get into.
- */
- unlink(argv[1]);
- if (!(f = fopen(argv[1], "w"))) {
- com_err(argv[0], errno,
- "While opening file %s for writing", argv[1]);
- exit_status++;
- return;
- }
- } else {
- f = stdout;
- }
-
- arg.comerr_name = argv[0];
- arg.f = f;
- v4init(&arg, 0);
- handle_keys(&arg);
-
- /* special handling for K.M since it isn't preserved */
- {
- des_cblock v4key;
- int i;
-
- /* assume:
- max lifetime (255)
- key version == 1 (actually, should be whatever the v5 one is)
- master key version == key version
- args == 0 (none are preserved)
- expiration date is the default 2000
- last mod time is near zero (arbitrarily.)
- creator is db_creation *
- */
-
- fprintf(f,"K M 255 1 1 0 ");
-
- pcbc_encrypt((C_Block *) arg.v4_master_key,
- (C_Block *) v4key,
- (long) sizeof(C_Block),
- arg.v4_master_key_schedule,
- (C_Block *) arg.v4_master_key,
- ENCRYPT);
-
- for (i=0; i<8; i++) {
- fprintf(f, "%02x", ((unsigned char*)v4key)[i]);
- if (i == 3) fputc(' ', f);
- }
- fprintf(f," 200001010459 197001020000 db_creation *\n");
- }
-
- (void) krb5_db_iterate(edit_context, dump_v4_iterator,
- (krb5_pointer) &arg);
- if (argc == 2)
- fclose(f);
- if (argv[1])
- update_ok_file(argv[1]);
-}
-
-int handle_keys(arg)
- struct dump_record *arg;
-{
- krb5_error_code retval;
- char *defrealm;
- char *mkey_name = 0;
- char *mkey_fullname;
- krb5_principal master_princ;
-
- if (retval = krb5_get_default_realm(edit_context, &defrealm)) {
- com_err(arg->comerr_name, retval,
- "while retrieving default realm name");
- exit(1);
- }
- arg->realm = defrealm;
-
- /* assemble & parse the master key name */
-
- if (retval = krb5_db_setup_mkey_name(edit_context, mkey_name, arg->realm,
- &mkey_fullname, &master_princ)) {
- com_err(arg->comerr_name, retval, "while setting up master key name");
- exit(1);
- }
-
- krb5_use_enctype(edit_context, &master_encblock, DEFAULT_KDC_ENCTYPE);
- if (retval = krb5_db_fetch_mkey(edit_context, master_princ,
- &master_encblock, 0,
- 0, (char *) NULL, 0, &master_keyblock)) {
- com_err(arg->comerr_name, retval, "while reading master key");
- exit(1);
- }
- if (retval = krb5_process_key(edit_context, &master_encblock,
- &master_keyblock)) {
- com_err(arg->comerr_name, retval, "while processing master key");
- exit(1);
- }
- arg->v5master = &master_encblock;
- return(0);
-}
-
-handle_one_key(arg, v5master, v5key, v4key)
- struct dump_record *arg;
- krb5_encrypt_block *v5master;
- krb5_key_data *v5key;
- des_cblock v4key;
-{
- krb5_error_code retval;
-
- krb5_keyblock v4v5key;
- krb5_keyblock v5plainkey;
- /* v4key is the actual v4 key from the file. */
-
- if (retval = krb5_dbekd_decrypt_key_data(edit_context, v5master, v5key,
- &v5plainkey, NULL))
- return retval;
-
- /* v4v5key.contents = (krb5_octet *)v4key; */
- /* v4v5key.enctype = ENCTYPE_DES; */
- /* v4v5key.length = sizeof(v4key); */
-
- memcpy(v4key, v5plainkey.contents, sizeof(des_cblock));
- pcbc_encrypt((C_Block *) v4key,
- (C_Block *) v4key,
- (long) sizeof(C_Block),
- arg->v4_master_key_schedule,
- (C_Block *) arg->v4_master_key,
- ENCRYPT);
- return 0;
-}
-
-#else /* KRB5_KRB4_COMPAT */
-void dump_v4db(argc, argv)
- int argc;
- char **argv;
-{
- printf("This version of krb5_edit does not support the V4 dump command.\n");
-}
-#endif /* KRB5_KRB4_COMPAT */
+++ /dev/null
-# admin/edit/kdb5_ed_ct.ct
-#
-# Copyright 1990 by the Massachusetts Institute of Technology.
-# All Rights Reserved.
-#
-# Export of this software from the United States of America may
-# require a specific license from the United States Government.
-# It is the responsibility of any person or organization contemplating
-# export to obtain such a license before exporting.
-#
-# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-# distribute this software and its documentation for any purpose and
-# without fee is hereby granted, provided that the above copyright
-# notice appear in all copies and that both that copyright notice and
-# this permission notice appear in supporting documentation, and that
-# the name of M.I.T. not be used in advertising or publicity pertaining
-# to distribution of the software without specific, written prior
-# permission. M.I.T. makes no representations about the suitability of
-# this software for any purpose. It is provided "as is" without express
-# or implied warranty.
-#
-#
-# Command table for Kerberos administration edit
-#
-
-command_table kdb5_edit_cmds;
-
-request show_principal, "Show the Kerberos database entry for a principal",
- show_principal, show;
-
-request add_new_key, "Add new entry to Kerberos database (prompting for password)",
- add_new_key, ank;
-
-request change_pwd_key, "Change key of an entry in the Kerberos database (prompting for password)",
- change_pwd_key, cpw;
-
-request add_rnd_key, "Add new entry to Kerberos database, using a random key",
- add_rnd_key, ark;
-
-request change_rnd_key, "Change key of an entry in the Kerberos database (select a new random key)",
- change_rnd_key, crk;
-
-request delete_entry, "Delete an entry from the database",
- delete_entry, delent, del;
-
-request extract_srvtab, "Extract service key table",
- extract_srvtab, xst, ex_st;
-
-request extract_v4_srvtab, "Extract service key table",
- extract_v4_srvtab, xst4;
-
-request modent, "Modify entry",
- modify_entry, modent;
-
-request list_db, "List database entries",
- list_db, ldb;
-
-request dump_db, "Dump database entries to a file",
- dump_db, ddb;
-
-request dump_v4db, "Dump database entries to a V4 slave dump file",
- dump_v4db, d4db;
-
-request load_db, "Load database entries from a file",
- load_db, lddb;
-
-request load_v4db, "Load database entries from a V4 slave dump file",
- load_v4db, lddb4;
-
-request set_dbname, "Change database name",
- set_dbname, sdbn;
-
-request enter_master_key, "Enter the master key for a database",
- enter_master_key, emk;
-
-request change_working_dir, "Change working directory",
- change_working_directory, cwd, cd;
-
-request print_working_dir, "Print working directory",
- print_working_directory, pwd;
-
-# list_requests is generic -- unrelated to Kerberos
-request ss_list_requests, "List available requests.",
- list_requests, lr, "?";
-
-request ss_quit, "Exit program.",
- quit, exit, q;
-
-end;
+++ /dev/null
-.\" admin/edit/kdb5_edit.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KDB5_EDIT 8 "Kerberos Version 5.0" "MIT Project Athena"
-.SH NAME
-kdb5_edit \- edit a Kerberos V5 principal database
-.SH SYNOPSIS
-.B kdb5_edit
-[
-.B \-r
-.I realm
-] [
-.B \-d
-.I dbname
-] [
-.B \-k
-.I keytype
-] [
-.B \-M
-.I mkeyname
-] [
-.B \-e
-.I enctype
-] [
-.B \-m
-] [
-.B \-R
-.I command
-] [
-.B \-s
-.I script
-] [
-.B \-f
-.I stashfile
-]
-.br
-.SH DESCRIPTION
-.I kdb5_edit
-allows an administrator to add, delete, and edit entries in a Kerberos
-version 5 principal database.
-After themaster key is verified, commands are to
-.I kdb5_edit
-are issued using one of three mechanisms. If a single command is supplied
-using the
-.B \-R
-.I command
-argument, then that single command is processed and execution ceases. If a
-script file is provided using the
-.B \-s
-.I script
-argument, then commands are read from this file until either an error occurs
-or an end of file is detected. Finally, if neither a command or a script is
-specified, the invoker is placed into a shell-like command loop, from which
-[s]he may issue commands to modify the
-database.
-.PP
-The
-.B \-r
-.I realm
-option specifies the realm of the database;
-by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.PP
-The
-.B \-d
-.I dbname
-option specifies the name under which the principal database is stored;
-by default the database is in DEFAULT_DBM_FILE (defined in <krb5/osconf.h>).
-.PP
-The
-.B \-k
-.I keytype
-option specifies the key type of the master key in the database; the default is
-the string representation of DEFAULT_KDC_KEYTYPE (defined in <krb5/osconf.h>).
-.PP
-The
-.B \-f
-.I stashfile
-option specifies the filename of the stashed V5 master key. The default is
-defined as DEFAULT_KEYFILE_STUB in <krb5/osconf.h> and is
-typically $(prefix)/lib/krb5kdc/.k5.REALMNAME. (In previous
-releases, this would have been /.k5.REALMNAME.)
-.PP
-The
-.B \-M
-.I mkeyname
-option specifies the principal name for the master key in the database;
-the default is KRB5_KDB_M_NAME (defined in <krb5/kdb.h>).
-.PP
-The
-.B \-e
-.I enctype
-option specifies the encryption type to be used when placing entries in
-the database; the default is the string representation of DEFAULT_KDC_ETYPE
-(defined in <krb5/osconf.h>).
-.PP
-The
-.B \-m
-option specifies that the master database password should be fetched
-from the keyboard rather than from a file on disk.
-.SH AVAILABLE COMMANDS
-
-The following is a list of commands and their aliases that the system
-administrator may use to manipulate the database:
-
-.IP add_new_key,ank
-Add new entry to Kerberos database (prompting for password)
-
-.IP change_pwd_key,cpw
-Change key of an entry in the Kerberos database (prompting for password)
-
-.IP add_rnd_key,ark
-Add new entry to Kerberos database, using a random key
-
-.IP change_rnd_key,crk
-Change key of an entry in the Kerberos database (select a new random key)
-
-.IP delete_entry,delent,del
-Delete an entry from the database
-
-.IP extract_srvtab,xst,ex_st
-Extract service key table
-
-.IP extract_v4_srvtab,xst4
-Extract service key table
-
-.IP modify_entry,modent
-Modify entry
-
-.IP list_db,ldb
-List database entries
-
-.IP dump_db,ddb
-Dump database entries to a file
-
-.IP load_db,lddb
-Load database entries from a file
-
-.IP set_dbname,sdbn
-Change database name
-
-.IP enter_master_key,emk
-Enter the master key for a database
-
-.IP change_working_directory,cwd,cd
-Change working directory
-
-.IP print_working_direcotry,pwd
-Print working directory
-
-.IP list_requests,lr,?
-List available requests.
-
-.IP quit,exit,q
-Exit program.
-
-.SH SEE ALSO
-krb5(3), krb5kdc(8), ss(3)
-.SH BUGS
-
+++ /dev/null
-/*
- * admin/edit/kdb5_edit.c
- *
- * (C) Copyright 1990,1991, 1996 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Edit a KDC database.
- */
-
-#include "k5-int.h"
-#include "com_err.h"
-#include "adm.h"
-#include "adm_proto.h"
-#include <stdio.h>
-#include <time.h>
-#include "kdb5_edit.h"
-
-struct mblock mblock = { /* XXX */
- KRB5_KDB_MAX_LIFE,
- KRB5_KDB_MAX_RLIFE,
- KRB5_KDB_EXPIRATION,
- KRB5_KDB_DEF_FLAGS,
- 0
-};
-
-krb5_key_salt_tuple ks_tuple_default[] = {{ ENCTYPE_DES_CBC_CRC, 0 }};
-
-krb5_key_salt_tuple *std_ks_tuple = ks_tuple_default;
-int std_ks_tuple_count = 1;
-
-char *Err_no_master_msg = "Master key not entered!\n";
-char *Err_no_database = "Database not currently opened!\n";
-char *current_dbname = NULL;
-
-/*
- * XXX Ick, ick, ick. These global variables shouldn't be global....
- */
-static char search_name[40];
-static int num_name_tokens;
-static char search_instance[40];
-static int num_instance_tokens;
-static int must_be_first[2];
-static char *mkey_password = 0;
-static char *stash_file = (char *) NULL;
-
-/*
- * I can't figure out any way for this not to be global, given how ss
- * works.
- */
-
-int exit_status = 0;
-
-krb5_context edit_context;
-
-/*
- * Script input, specified by -s.
- */
-FILE *scriptfile = (FILE *) NULL;
-
-static void
-usage(who, status)
- char *who;
- int status;
-{
- fprintf(stderr,
- "usage: %s [-d dbpathname] [-r realmname] [-R request ]\n",
- who);
- fprintf(stderr, "\t [-k enctype] [-M mkeyname] [-f stashfile]\n");
- exit(status);
-}
-
-krb5_keyblock master_keyblock;
-krb5_principal master_princ;
-krb5_db_entry master_entry;
-krb5_encrypt_block master_encblock;
-krb5_pointer master_random;
-int valid_master_key = 0;
-
-extern char *krb5_default_pwd_prompt1, *krb5_default_pwd_prompt2;
-
-char *progname;
-char *cur_realm = 0;
-char *mkey_name = 0;
-krb5_boolean manual_mkey = FALSE;
-krb5_boolean dbactive = FALSE;
-
-char *kdb5_edit_Init(argc, argv)
- int argc;
- char *argv[];
-{
- extern char *optarg;
- int optchar;
-
- krb5_error_code retval;
- char *dbname = (char *) NULL;
- char *defrealm;
- int enctypedone = 0;
- extern krb5_kt_ops krb5_ktf_writable_ops;
- char *request = NULL;
- krb5_realm_params *rparams;
-
- retval = krb5_init_context(&edit_context);
- if (retval) {
- fprintf(stderr, "krb5_init_context failed with error #%ld\n",
- (long) retval);
- exit(1);
- }
- krb5_init_ets(edit_context);
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- progname = argv[0];
-
- while ((optchar = getopt(argc, argv, "P:d:r:R:k:M:e:ms:f:")) != EOF) {
- switch(optchar) {
- case 'P': /* Only used for testing!!! */
- mkey_password = optarg;
- manual_mkey = TRUE;
- break;
- case 'd': /* set db name */
- dbname = optarg;
- break;
- case 'r':
- if (cur_realm)
- free(cur_realm);
- cur_realm = malloc(strlen(optarg)+1);
- if (!cur_realm) {
- com_err(argv[0], 0, "Insufficient memory to proceed");
- exit(1);
- }
- (void) strcpy(cur_realm, optarg);
- break;
- case 'R':
- request = optarg;
- break;
- case 'k':
- if (!krb5_string_to_enctype(optarg, &master_keyblock.enctype))
- enctypedone++;
- else
- com_err(argv[0], 0, "%s is an invalid enctype", optarg);
- break;
- case 'M': /* master key name in DB */
- mkey_name = optarg;
- break;
- case 'm':
- manual_mkey = TRUE;
- break;
- case 's':
- /* Open the script file */
- if (!(scriptfile = fopen(optarg, "r"))) {
- com_err(argv[0], errno, "while opening script file %s",
- optarg);
- exit(1);
- }
- break;
- case 'f':
- stash_file = optarg;
- break;
- case '?':
- default:
- usage(progname, 1);
- /*NOTREACHED*/
- }
- }
-
- /*
- * Attempt to read the KDC profile. If we do, then read appropriate values
- * from it and augment values supplied on the command line.
- */
- if (!(retval = krb5_read_realm_params(edit_context,
- cur_realm,
- (char *) NULL,
- (char *) NULL,
- &rparams))) {
- /* Get the value for the database */
- if (rparams->realm_dbname && !dbname)
- dbname = strdup(rparams->realm_dbname);
-
- /* Get the value for the master key name */
- if (rparams->realm_mkey_name && !mkey_name)
- mkey_name = strdup(rparams->realm_mkey_name);
-
- /* Get the value for the master key type */
- if (rparams->realm_enctype_valid && !enctypedone) {
- master_keyblock.enctype = rparams->realm_enctype;
- enctypedone++;
- }
-
- /* Get the value for the stashfile */
- if (rparams->realm_stash_file)
- stash_file = strdup(rparams->realm_stash_file);
-
- /* Get the value for maximum ticket lifetime. */
- if (rparams->realm_max_life_valid)
- mblock.max_life = rparams->realm_max_life;
-
- /* Get the value for maximum renewable ticket lifetime. */
- if (rparams->realm_max_rlife_valid)
- mblock.max_rlife = rparams->realm_max_rlife;
-
- /* Get the value for the default principal expiration */
- if (rparams->realm_expiration_valid)
- mblock.expiration = rparams->realm_expiration;
-
- /* Get the value for the default principal flags */
- if (rparams->realm_flags_valid)
- mblock.flags = rparams->realm_flags;
-
- /* Get the value of the supported key/salt pairs */
- if (rparams->realm_num_keysalts) {
- std_ks_tuple_count = rparams->realm_num_keysalts;
- std_ks_tuple = rparams->realm_keysalts;
- rparams->realm_num_keysalts = 0;
- rparams->realm_keysalts = (krb5_key_salt_tuple *) NULL;
- }
-
-
- krb5_free_realm_params(edit_context, rparams);
- }
-
- /* Dump creates files which should not be world-readable. It is easiest
- to do a single umask call here; any shells run by the ss command
- interface will have umask = 77 but that is not a serious problem. */
- (void) umask(077);
-
- if ((retval = krb5_kt_register(edit_context, &krb5_ktf_writable_ops))) {
- com_err(progname, retval,
- "while registering writable key table functions");
- exit(1);
- }
-
- /* Handle defaults */
- if (!dbname)
- dbname = DEFAULT_KDB_FILE;
-
- if (!enctypedone) {
- if (manual_mkey)
- master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- else
- master_keyblock.enctype = ENCTYPE_UNKNOWN;
- }
-
- if (master_keyblock.enctype != ENCTYPE_UNKNOWN) {
- if (!valid_enctype(master_keyblock.enctype)) {
- char tmp[32];
- if (krb5_enctype_to_string(master_keyblock.enctype,
- tmp, sizeof(tmp)))
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- else
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
- exit(1);
- }
- krb5_use_enctype(edit_context, &master_encblock,
- master_keyblock.enctype);
- }
-
- if (cur_realm) {
- if ((retval = krb5_set_default_realm(edit_context, cur_realm))) {
- com_err(progname, retval, "while setting default realm name");
- exit(1);
- }
- } else {
- if ((retval = krb5_get_default_realm(edit_context, &defrealm))) {
- com_err(progname, retval, "while retrieving default realm name");
- exit(1);
- }
- cur_realm = malloc(strlen(defrealm)+1);
- if (!cur_realm) {
- com_err(argv[0], 0, "Insufficient memory to proceed");
- exit(1);
- }
- (void) strcpy(cur_realm, defrealm);
- }
-
- (void) set_dbname_help(progname, dbname);
- exit_status = 0; /* It's OK if we get errors in set_dbname_help */
- return request;
-}
-
-
-#define NO_PRINC ((krb5_kvno)-1)
-
-krb5_kvno
-princ_exists(pname, principal)
- char *pname;
- krb5_principal principal;
-{
- int i, nprincs = 1;
- krb5_db_entry entry;
- krb5_boolean more;
- krb5_error_code retval;
- krb5_kvno vno = 0;
-
- if ((retval = krb5_db_get_principal(edit_context, principal, &entry,
- &nprincs, &more))) {
- com_err(pname, retval,
- "while attempting to verify principal's existence");
- exit_status++;
- return 0;
- }
- if (!nprincs)
- return NO_PRINC;
- for (i = 0; i < entry.n_key_data; i++)
- if (vno < entry.key_data[i].key_data_kvno)
- vno = entry.key_data[i].key_data_kvno;
- krb5_db_free_principal(edit_context, &entry, nprincs);
- return(vno);
-}
-
-int create_db_entry(principal, newentry)
- krb5_principal principal;
- krb5_db_entry * newentry;
-{
- krb5_timestamp now;
- int retval;
-
- memset(newentry, 0, sizeof(krb5_db_entry));
-
- newentry->len = KRB5_KDB_V1_BASE_LENGTH;
- newentry->attributes = mblock.flags;
- newentry->max_life = mblock.max_life;
- newentry->max_renewable_life = mblock.max_rlife;
- newentry->expiration = mblock.expiration;
-
- if ((retval = krb5_copy_principal(edit_context, principal,
- &newentry->princ)))
- return retval;
-
- if ((retval = krb5_timeofday(edit_context, &now)))
- goto create_db_entry_error;
-
- retval = krb5_dbe_update_mod_princ_data(edit_context, newentry, now,
- master_princ);
- if (!retval)
- return 0;
-
-create_db_entry_error:
- krb5_dbe_free_contents(edit_context, newentry);
- exit_status++;
- return retval;
-}
-
-void
-set_dbname(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_error_code retval;
-
- if (argc < 3) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s dbpathname realmname", argv[0]);
- exit_status++;
- return;
- }
- if (dbactive) {
- if ((retval = krb5_db_fini(edit_context)) && retval!= KRB5_KDB_DBNOTINITED) {
- com_err(argv[0], retval, "while closing previous database");
- exit_status++;
- return;
- }
- if (valid_master_key) {
- (void) krb5_finish_key(edit_context, &master_encblock);
- (void) krb5_finish_random_key(edit_context, &master_encblock,
- &master_random);
- memset((char *)master_keyblock.contents, 0,
- master_keyblock.length);
- krb5_xfree(master_keyblock.contents);
- master_keyblock.contents = NULL;
- valid_master_key = 0;
- }
- krb5_free_principal(edit_context, master_princ);
- dbactive = FALSE;
- }
- if (cur_realm)
- free(cur_realm);
- cur_realm = malloc(strlen(argv[2])+1);
- if (!cur_realm) {
- (void)quit();
- exit(1); /* XXX */
- }
- (void) strcpy(cur_realm, argv[2]);
- (void) set_dbname_help(argv[0], argv[1]);
- return;
-}
-
-int
-set_dbname_help(pname, dbname)
- char *pname;
- char *dbname;
-{
- krb5_error_code retval;
- int nentries, i;
- krb5_boolean more;
- krb5_data scratch, pwd;
-
- if (current_dbname)
- free(current_dbname);
- if (!(current_dbname = malloc(strlen(dbname)+1))) {
- com_err(pname, 0, "Out of memory while trying to store dbname");
- exit(1);
- }
- strcpy(current_dbname, dbname);
- if ((retval = krb5_db_set_name(edit_context, current_dbname))) {
- com_err(pname, retval, "while setting active database to '%s'",
- dbname);
- exit_status++;
- return(1);
- }
- if ((retval = krb5_db_init(edit_context))) {
- com_err(pname, retval, "while initializing database");
- exit_status++;
- return(1);
- }
-
- /* assemble & parse the master key name */
-
- if ((retval = krb5_db_setup_mkey_name(edit_context, mkey_name, cur_realm,
- 0, &master_princ))) {
- com_err(pname, retval, "while setting up master key name");
- exit_status++;
- return(1);
- }
- nentries = 1;
- if ((retval = krb5_db_get_principal(edit_context, master_princ,
- &master_entry, &nentries, &more))) {
- com_err(pname, retval, "while retrieving master entry");
- exit_status++;
- (void) krb5_db_fini(edit_context);
- return(1);
- } else if (more) {
- com_err(pname, KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "while retrieving master entry");
- exit_status++;
- (void) krb5_db_fini(edit_context);
- return(1);
- } else if (!nentries) {
- com_err(pname, KRB5_KDB_NOENTRY, "while retrieving master entry");
- exit_status++;
- (void) krb5_db_fini(edit_context);
- return(1);
- }
-#ifdef notdef
- mblock.max_life = master_entry.max_life;
- mblock.max_rlife = master_entry.max_renewable_life;
- mblock.expiration = master_entry.expiration;
-#endif /* notdef */
- /* don't set flags, master has some extra restrictions */
- for (mblock.mkvno = 1, i = 0; i < master_entry.n_key_data; i++)
- if (mblock.mkvno < master_entry.key_data[i].key_data_kvno)
- mblock.mkvno = master_entry.key_data[i].key_data_kvno;
-
- krb5_db_free_principal(edit_context, &master_entry, nentries);
- if (mkey_password) {
- pwd.data = mkey_password;
- pwd.length = strlen(mkey_password);
- retval = krb5_principal2salt(edit_context, master_princ, &scratch);
- if (retval) {
- com_err(pname, retval, "while calculated master key salt");
- return(1);
- }
-
- /* If no encryption type is set, use the default */
- if (master_keyblock.enctype == ENCTYPE_UNKNOWN) {
- master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- if (!valid_enctype(master_keyblock.enctype)) {
- char tmp[32];
- if (krb5_enctype_to_string(master_keyblock.enctype,
- tmp, sizeof(tmp)))
- com_err(pname, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- else
- com_err(pname, KRB5_PROG_KEYTYPE_NOSUPP, tmp);
- exit(1);
- }
- krb5_use_enctype(edit_context, &master_encblock,
- master_keyblock.enctype);
- }
-
- retval = krb5_string_to_key(edit_context, &master_encblock,
- &master_keyblock, &pwd, &scratch);
- if (retval) {
- com_err(pname, retval,
- "while transforming master key from password");
- return(1);
- }
- free(scratch.data);
- mkey_password = 0;
- } else if ((retval = krb5_db_fetch_mkey(edit_context, master_princ,
- &master_encblock, manual_mkey,
- FALSE, stash_file,
- 0, &master_keyblock))) {
- com_err(pname, retval, "while reading master key");
- com_err(pname, 0, "Warning: proceeding without master key");
- exit_status++;
- valid_master_key = 0;
- dbactive = TRUE;
- return(0);
- }
- valid_master_key = 1;
- if ((retval = krb5_db_verify_master_key(edit_context, master_princ,
- &master_keyblock,&master_encblock))
- ) {
- com_err(pname, retval, "while verifying master key");
- exit_status++;
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- krb5_xfree(master_keyblock.contents);
- valid_master_key = 0;
- dbactive = TRUE;
- return(1);
- }
- if ((retval = krb5_process_key(edit_context, &master_encblock,
- &master_keyblock))) {
- com_err(pname, retval, "while processing master key");
- exit_status++;
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- krb5_xfree(master_keyblock.contents);
- valid_master_key = 0;
- dbactive = TRUE;
- return(1);
- }
- if ((retval = krb5_init_random_key(edit_context, &master_encblock,
- &master_keyblock,
- &master_random))) {
- com_err(pname, retval, "while initializing random key generator");
- exit_status++;
- (void) krb5_finish_key(edit_context, &master_encblock);
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- krb5_xfree(master_keyblock.contents);
- valid_master_key = 0;
- dbactive = TRUE;
- return(1);
- }
- dbactive = TRUE;
- return 0;
-}
-
-void enter_master_key(argc, argv)
- int argc;
- char *argv[];
-{
- char *pname = argv[0];
- krb5_error_code retval;
-
- if (!dbactive) {
- com_err(pname, 0, Err_no_database);
- exit_status++;
- return;
- }
- if (valid_master_key) {
- (void) krb5_finish_key(edit_context, &master_encblock);
- (void) krb5_finish_random_key(edit_context, &master_encblock,
- &master_random);
- memset((char *)master_keyblock.contents, 0,
- master_keyblock.length);
- krb5_xfree(master_keyblock.contents);
- master_keyblock.contents = NULL;
- valid_master_key = 0;
- }
-
- if (master_keyblock.enctype == ENCTYPE_UNKNOWN) {
- master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
- if (!valid_enctype(master_keyblock.enctype)) {
- char tmp[32];
- if (krb5_enctype_to_string(master_keyblock.enctype,
- tmp, sizeof(tmp)))
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- else
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
- exit(1);
- }
- krb5_use_enctype(edit_context, &master_encblock,
- master_keyblock.enctype);
- }
-
- if ((retval = krb5_db_fetch_mkey(edit_context, master_princ,
- &master_encblock,
- TRUE, FALSE, (char *) NULL,
- 0, &master_keyblock))) {
- com_err(pname, retval, "while reading master key");
- exit_status++;
- return;
- }
- if ((retval = krb5_db_verify_master_key(edit_context, master_princ,
- &master_keyblock,
- &master_encblock))) {
- com_err(pname, retval, "while verifying master key");
- exit_status++;
- return;
- }
- if ((retval = krb5_process_key(edit_context, &master_encblock,
- &master_keyblock))) {
- com_err(pname, retval, "while processing master key");
- exit_status++;
- return;
- }
- if ((retval = krb5_init_random_key(edit_context, &master_encblock,
- &master_keyblock,
- &master_random))) {
- com_err(pname, retval, "while initializing random key generator");
- exit_status++;
- (void) krb5_finish_key(edit_context, &master_encblock);
- return;
- }
- valid_master_key = 1;
- return;
-}
-
-
-extern krb5_kt_ops krb5_ktf_writable_ops;
-
-/* this brings in only the writable keytab version, replacing ktdir.c */
-static krb5_kt_ops *krb5_kt_dir_array[] = {
- &krb5_ktf_writable_ops,
- 0
-};
-
-krb5_kt_ops **krb5_kt_directory = krb5_kt_dir_array;
-
-void extract_srvtab(argc, argv)
- int argc;
- char *argv[];
-{
- char ktname[MAXPATHLEN+sizeof("WRFILE:")+1];
- krb5_keytab ktid;
- krb5_error_code retval;
- krb5_principal princ;
- krb5_db_entry dbentry;
- char *pname;
- register int i;
- int nentries;
- krb5_boolean more;
- krb5_keytab_entry newentry;
-
- if (argc < 3) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s instance name [name ...]", argv[0]);
- exit_status++;
- return;
- }
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
- if (!valid_master_key) {
- com_err(argv[0], 0, Err_no_master_msg);
- exit_status++;
- return;
- }
-
- memset(ktname, 0, sizeof(ktname));
- strcpy(ktname, "WRFILE:");
- if (strlen(argv[1])+sizeof("WRFILE:")+sizeof("-new-srvtab") >= sizeof(ktname)) {
- com_err(argv[0], 0,
- "Instance name '%s' is too long to form a filename", argv[1]);
- com_err(argv[0], 0, "using 'foobar' instead.");
- strcat(ktname, "foobar");
- } else
- strcat(ktname, argv[1]);
-
- strcat(ktname, "-new-srvtab");
- if ((retval = krb5_kt_resolve(edit_context, ktname, &ktid))) {
- com_err(argv[0], retval, "while resolving keytab name '%s'", ktname);
- exit_status++;
- return;
- }
-
- for (i = 2; i < argc; i++) {
- /* iterate over the names */
-int keynum;
- pname = malloc(strlen(argv[1])+strlen(argv[i])+strlen(cur_realm)+3);
- if (!pname) {
- com_err(argv[0], ENOMEM,
- "while preparing to extract key for %s/%s",
- argv[i], argv[1]);
- exit_status++;
- continue;
- }
- strcpy(pname, argv[i]);
- strcat(pname, "/");
- strcat(pname, argv[1]);
- if (!strchr(argv[1], REALM_SEP)) {
- strcat(pname, REALM_SEP_STR);
- strcat(pname, cur_realm);
- }
-
- if ((retval = krb5_parse_name(edit_context, pname, &princ))) {
- com_err(argv[0], retval, "while parsing %s", pname);
- exit_status++;
- free(pname);
- continue;
- }
- nentries = 1;
- if ((retval = krb5_db_get_principal(edit_context, princ, &dbentry,
- &nentries, &more))) {
- com_err(argv[0], retval, "while retrieving %s", pname);
- exit_status++;
- goto cleanmost;
- } else if (more) {
- com_err(argv[0], KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "while retrieving %s", pname);
- exit_status++;
- if (nentries)
- krb5_db_free_principal(edit_context, &dbentry, nentries);
- goto cleanmost;
- } else if (!nentries) {
- com_err(argv[0], KRB5_KDB_NOENTRY, "while retrieving %s", pname);
- exit_status++;
- goto cleanmost;
- }
-for (keynum = 0; keynum < dbentry.n_key_data; keynum++) {
-
- if ((retval = krb5_dbekd_decrypt_key_data(edit_context,
- &master_encblock,
- &dbentry.key_data[keynum],
- &newentry.key, NULL))) {
- com_err(argv[0], retval, "while decrypting key for '%s'", pname);
- exit_status++;
- goto cleanall;
- }
- newentry.principal = princ;
- newentry.vno = dbentry.key_data[keynum].key_data_kvno;
- if ((retval = krb5_kt_add_entry(edit_context, ktid, &newentry))) {
- com_err(argv[0], retval, "while adding key to keytab '%s'",
- ktname);
- exit_status++;
- } else
- printf("'%s' added to keytab '%s'\n",
- pname, ktname);
- memset((char *)newentry.key.contents, 0, newentry.key.length);
- krb5_xfree(newentry.key.contents);
- }
- cleanall:
- krb5_db_free_principal(edit_context, &dbentry, nentries);
- cleanmost:
- free(pname);
- krb5_free_principal(edit_context, princ);
- }
- if ((retval = krb5_kt_close(edit_context, ktid))) {
- com_err(argv[0], retval, "while closing keytab");
- exit_status++;
- }
- return;
-}
-
-void extract_v4_srvtab(argc, argv)
- int argc;
- char *argv[];
-{
- char ktname[MAXPATHLEN+1];
- FILE *fout;
- krb5_error_code retval;
- krb5_principal princ;
- krb5_db_entry dbentry;
- char *pname;
- register int i;
- int nentries;
- krb5_boolean more;
- krb5_keyblock key;
- char v4_name[65];
- char v4_inst[65];
- char v4_realm[65];
-
- if (argc < 3) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s instance name [name ...]", argv[0]);
- exit_status++;
- return;
- }
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
- if (!valid_master_key) {
- com_err(argv[0], 0, Err_no_master_msg);
- exit_status++;
- return;
- }
-
- memset(ktname, 0, sizeof(ktname));
- if (strlen(argv[1])+sizeof("-new-v4-srvtab") >= sizeof(ktname)) {
- com_err(argv[0], 0,
- "Instance name '%s' is too long to form a filename", argv[1]);
- com_err(argv[0], 0, "using 'foobar' instead.");
- strcat(ktname, "foobar");
- } else
- strcat(ktname, argv[1]);
-
- strcat(ktname, "-new-v4-srvtab");
- if ((fout = fopen(ktname, "w")) == NULL) {
- com_err(argv[0], 0, "Couldn't create file '%s'.\n", ktname);
- exit_status++;
- return;
- }
- for (i = 2; i < argc; i++) {
- unsigned char kvno;
- krb5_key_data *pkey;
-
- /* iterate over the names */
- pname = malloc(strlen(argv[1])+strlen(argv[i])+strlen(cur_realm)+3);
- if (!pname) {
- com_err(argv[0], ENOMEM,
- "while preparing to extract key for %s/%s",
- argv[i], argv[1]);
- exit_status++;
- continue;
- }
- strcpy(pname, argv[i]);
- strcat(pname, "/");
- strcat(pname, argv[1]);
- if (!strchr(argv[1], REALM_SEP)) {
- strcat(pname, REALM_SEP_STR);
- strcat(pname, cur_realm);
- }
-
- if ((retval = krb5_parse_name(edit_context, pname, &princ))) {
- com_err(argv[0], retval, "while parsing %s", pname);
- exit_status++;
- free(pname);
- continue;
- }
- nentries = 1;
- if ((retval = krb5_db_get_principal(edit_context, princ, &dbentry,
- &nentries, &more))) {
- com_err(argv[0], retval, "while retrieving %s", pname);
- exit_status++;
- goto cleanmost;
- } else if (more) {
- com_err(argv[0], KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE,
- "while retrieving %s", pname);
- exit_status++;
- if (nentries)
- krb5_db_free_principal(edit_context, &dbentry, nentries);
- goto cleanmost;
- } else if (!nentries) {
- com_err(argv[0], KRB5_KDB_NOENTRY, "while retrieving %s", pname);
- exit_status++;
- goto cleanmost;
- }
-
- retval = krb5_524_conv_principal(edit_context, princ,
- v4_name, v4_inst, v4_realm);
- if (retval) {
- com_err(argv[0], retval, "while translating principal");
- exit_status++;
- goto cleanmost;
- }
-
- if (krb5_dbe_find_enctype(edit_context,
- &dbentry,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4,
- -1,
- &pkey) &&
- (retval = krb5_dbe_find_enctype(edit_context,
- &dbentry,
- ENCTYPE_DES_CBC_CRC,
- -1,
- -1,
- &pkey)))
- {
- com_err(argv[0], retval, "while retrieving %s", pname);
- exit_status++;
- goto cleanmost;
- }
-
- if ((retval = krb5_dbekd_decrypt_key_data(edit_context,
- &master_encblock,
- pkey,
- &key, NULL))) {
- com_err(argv[0], retval, "while decrypting key for '%s'", pname);
- exit_status++;
- goto cleanall;
- }
-
- fwrite(v4_name, strlen(v4_name) + 1, 1, fout); /* p.name */
- fwrite(v4_inst, strlen(v4_inst) + 1, 1, fout); /* p.instance */
- fwrite(v4_realm, strlen(v4_realm) + 1, 1, fout); /* p.realm */
-
- kvno = (unsigned char) pkey->key_data_kvno;
- fwrite((char *)&kvno, sizeof(kvno), 1, fout);
- fwrite((char *)key.contents, 8, 1, fout);
- printf("'%s' added to V4 srvtab '%s'\n", pname, ktname);
- memset((char *)key.contents, 0, key.length);
- krb5_xfree(key.contents);
- cleanall:
- krb5_db_free_principal(edit_context, &dbentry, nentries);
- cleanmost:
- krb5_free_principal(edit_context, princ);
- free(pname);
- }
- fclose(fout);
- return;
-}
-
-int
-check_print(chk_entry)
- krb5_db_entry *chk_entry;
-{
- int names = 0;
- int instances = 1;
- int check1, check2;
-
- /* Print All Records */
- if ((num_name_tokens == 0) && (num_instance_tokens == 0)) return(1);
-
- if ((num_name_tokens > 0) && (num_instance_tokens == 0))
- return(check_for_match(search_name, must_be_first[0], chk_entry,
- num_name_tokens, names));
-
- if ((krb5_princ_size(edit_context, chk_entry->princ) > 1) &&
- (num_name_tokens == 0) &&
- (num_instance_tokens > 0))
- return(check_for_match(search_instance, must_be_first[1], chk_entry,
- num_instance_tokens, instances));
-
- if ((krb5_princ_size(edit_context, chk_entry->princ) > 1) &&
- (num_name_tokens > 0) &&
- (num_instance_tokens > 0)) {
- check1 = check_for_match(search_name, must_be_first[0], chk_entry,
- num_name_tokens, names);
- check2 = check_for_match(search_instance, must_be_first[1], chk_entry,
- num_instance_tokens, instances);
- if (check1 && check2) return(1);
- }
- return(0);
-}
-
-struct list_iterator_struct {
- char *cmdname;
- int verbose;
-};
-
-krb5_error_code
-list_iterator(ptr, entry)
- krb5_pointer ptr;
- krb5_db_entry *entry;
-{
- krb5_error_code retval;
- struct list_iterator_struct *lis = (struct list_iterator_struct *)ptr;
- char *name;
-
- if ((retval = krb5_unparse_name(edit_context, entry->princ, &name))) {
- com_err(lis->cmdname, retval, "while unparsing principal");
- exit_status++;
- return retval;
- }
- if (check_print(entry)) {
- printf("entry: %s\n", name);
- }
- free(name);
- return 0;
-}
-
-/*ARGSUSED*/
-void list_db(argc, argv)
- int argc;
- char *argv[];
-{
- struct list_iterator_struct lis;
- char *argbuf;
- char *p;
-
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
-
- if (!valid_master_key) {
- com_err(argv[0], 0, Err_no_master_msg);
- exit_status++;
- return;
- }
- lis.cmdname = argv[0];
- lis.verbose = 0;
-
- if (argc > 2) {
- if (!strcmp(argv[1], "-v")) {
- lis.verbose = 1;
- argc--;
- argv++;
- }
- }
-
- if (argc > 2) {
- printf("Usage: ldb [-v] {name/instance}\n");
- printf(" name and instance may contain \"*\" wildcards\n");
- return;
- }
-
- num_name_tokens = 0;
- num_instance_tokens = 0;
- if (argc == 2) {
- argbuf = argv[1];
- p = strchr(argbuf, '/');
- if (p) {
- *p++ = '\0';
- parse_token(p, &must_be_first[1],
- &num_instance_tokens, search_instance);
- }
- parse_token(argbuf, &must_be_first[0],
- &num_name_tokens, search_name);
- }
- (void) krb5_db_iterate(edit_context, list_iterator, argv[0]);
-}
-
-void delete_entry(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_error_code retval;
- krb5_principal newprinc;
- char yesno[80];
- int one = 1;
-
- if (argc < 2) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s principal", argv[0]);
- exit_status++;
- return;
- }
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
- if (!valid_master_key) {
- com_err(argv[0], 0, Err_no_master_msg);
- exit_status++;
- return;
- }
- if ((retval = krb5_parse_name(edit_context, argv[1], &newprinc))) {
- com_err(argv[0], retval, "while parsing '%s'", argv[1]);
- exit_status++;
- return;
- }
- if (princ_exists(argv[0], newprinc) == NO_PRINC) {
- com_err(argv[0], 0, "principal '%s' is not in the database", argv[1]);
- krb5_free_principal(edit_context, newprinc);
- exit_status++;
- return;
- }
- if (!scriptfile) {
- /* Only confirm if we're interactive */
- printf("Are you sure you want to delete '%s'?\nType 'yes' to confirm:",
- argv[1]);
- if ((fgets(yesno, sizeof(yesno), stdin) == NULL) ||
- strcmp(yesno, "yes\n")) {
- printf("NOT removing '%s'\n", argv[1]);
- krb5_free_principal(edit_context, newprinc);
- return;
- }
- printf("OK, deleting '%s'\n", argv[1]);
- }
- if ((retval = krb5_db_delete_principal(edit_context, newprinc, &one))) {
- com_err(argv[0], retval, "while deleting '%s'", argv[1]);
- exit_status++;
- } else if (one != 1) {
- com_err(argv[0], 0, "no principal deleted? unknown error");
- exit_status++;
- }
-#ifdef __STDC__
- printf("\a\a\aWARNING: Be sure to take '%s' off all access control lists\n\tbefore reallocating the name\n", argv[1]);
-#else
- printf("\007\007\007WARNING: Be sure to take '%s' off all access control lists\n\tbefore reallocating the name\n", argv[1]);
-#endif
-
- krb5_free_principal(edit_context, newprinc);
- return;
-}
-
-static char *
-strdur(deltat)
- krb5_deltat deltat;
-{
- static char deltat_buffer[128];
-
- (void) krb5_deltat_to_string(deltat, deltat_buffer, sizeof(deltat_buffer));
- return(deltat_buffer);
-}
-
-/*
- * XXX Still under construction....
- */
-void show_principal(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_principal princ;
- int nprincs = 1;
- krb5_db_entry entry;
- krb5_boolean more;
- krb5_error_code retval;
- char *pr_name = 0;
- char buffer[256];
- int i;
-
- if (argc < 2) {
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s principal", argv[0]);
- exit_status++;
- return;
- }
- if (!dbactive) {
- com_err(argv[0], 0, Err_no_database);
- exit_status++;
- return;
- }
- if (!valid_master_key) {
- com_err(argv[0], 0, Err_no_master_msg);
- exit_status++;
- return;
- }
- if ((retval = krb5_parse_name(edit_context, argv[1], &princ))) {
- com_err(argv[0], retval, "while parsing '%s'", argv[1]);
- exit_status++;
- return;
- }
-
- if ((retval = krb5_db_get_principal(edit_context,princ,&entry,
- &nprincs,&more))) {
- com_err(argv[0], retval,
- "while trying to get principal's database entry");
- exit_status++;
- goto errout;
- }
-
- if (!nprincs) {
- com_err(argv[0], 0, "Principal %s not found.", argv[1]);
- exit_status++;
- goto errout;
- }
-
- if ((retval = krb5_unparse_name(edit_context, entry.princ, &pr_name))) {
- com_err(argv[0], retval, "while unparsing principal");
- exit_status++;
- goto errout;
- }
-
- printf("Name: %s\n", pr_name);
- printf("Maximum life: %s\n", strdur(entry.max_life));
- printf("Maximum renewable life: %s\n", strdur(entry.max_renewable_life));
- (void) krb5_timestamp_to_string(entry.expiration, buffer, sizeof(buffer));
- printf("Expiration: %s\n", buffer);
- (void) krb5_timestamp_to_string(entry.pw_expiration,
- buffer, sizeof(buffer));
- printf("Password expiration: %s\n", buffer);
-/* (void) krb5_timestamp_to_string(entry.last_pw_change,
- buffer, sizeof(buffer)); */
-/* printf("Last password change: %s\n", buffer); */
- (void) krb5_timestamp_to_string(entry.last_success,
- buffer, sizeof(buffer));
- printf("Last successful password: %s\n", buffer);
- (void) krb5_timestamp_to_string(entry.last_failed,
- buffer, sizeof(buffer));
- printf("Last failed password attempt: %s\n", buffer);
- printf("Failed password attempts: %d\n", entry.fail_auth_count);
-/* tmp_date = (time_t) entry.mod_date; */
-/* printf("Last modified by %s on %s", pr_mod, ctime(&tmp_date)); */
- (void) krb5_flags_to_string(entry.attributes, ", ",
- buffer, sizeof(buffer));
- printf("Attributes: %s\n", buffer);
-
- printf("Number of keys: %d\n", entry.n_key_data);
- for (i = 0; i < entry.n_key_data; i++) {
- char enctype[64], salttype[32];
- krb5_keyblock key;
- krb5_keysalt salt;
-
- if ((retval = krb5_dbekd_decrypt_key_data(edit_context,
- &master_encblock,
- &entry.key_data[i],
- &key, &salt))) {
- com_err(argv[0], retval, "while reading key information");
- continue;
- }
-
- /* Paranoia... */
- memset((char *)key.contents, 0, key.length);
- krb5_xfree(key.contents);
-
- if (krb5_enctype_to_string(key.enctype, enctype, sizeof(enctype)))
- sprintf(enctype, "<Encryption type 0x%x>", key.enctype);
- if (krb5_salttype_to_string(salt.type, salttype, sizeof(salttype)))
- sprintf(salttype, "<Salt type 0x%x>", salt.type);
-
- printf("Key: Version %d, Type %s/%s\n",
- entry.key_data[i].key_data_kvno, enctype, salttype);
- }
-
-errout:
- krb5_free_principal(edit_context, princ);
- if (nprincs)
- krb5_db_free_principal(edit_context, &entry, nprincs);
-}
-
-int parse_princ_args(argc, argv, entry, pass, randkey, caller)
- int argc;
- char *argv[];
- krb5_db_entry *entry;
- char **pass;
- int *randkey;
- char *caller;
-{
- int i, attrib_set;
- krb5_timestamp date;
- krb5_error_code retval;
-
- *pass = NULL;
- *randkey = 0;
- for (i = 1; i < argc - 1; i++) {
- attrib_set = 0;
-/*
- if (strlen(argv[i]) == 5 &&
- !strcmp("-kvno", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- entry->kvno = atoi(argv[i]);
- continue;
- }
- }
-*/
- if (strlen(argv[i]) == 8 &&
- !strcmp("-maxlife", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- (void) krb5_string_to_deltat(argv[i], &entry->max_life);
- continue;
- }
- }
- if (strlen(argv[i]) == 7 &&
- !strcmp("-expire", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- (void) krb5_string_to_timestamp(argv[i], &date);
- entry->expiration = date == (time_t) -1 ? 0 : date;
- continue;
- }
- }
- if (strlen(argv[i]) == 9 &&
- !strcmp("-pwexpire", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- (void) krb5_string_to_timestamp(argv[i], &date);
- entry->pw_expiration = date == (time_t) -1 ? 0 : date;
- continue;
- }
- }
- if (strlen(argv[i]) == 3 &&
- !strcmp("-pw", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- *pass = argv[i];
- continue;
- }
- }
- if (strlen(argv[i]) == 8 &&
- !strcmp("-randkey", argv[i])) {
- ++*randkey;
- continue;
- }
- if (!krb5_string_to_flags(argv[i], "+", "-", &entry->attributes))
- attrib_set++;
- if (!attrib_set)
- return -1; /* nothing was parsed */
- }
- if (i != argc - 1) {
- fprintf(stderr, "%s: parser lost count!\n", caller);
- return -1;
- }
- retval = krb5_parse_name(edit_context, argv[i], &entry->princ);
- if (retval) {
- com_err(caller, retval, "while parsing principal");
- return -1;
- }
- return 0;
-}
-
-void modent(argc, argv)
- int argc;
- char *argv[];
-{
- krb5_db_entry entry, oldentry;
- krb5_timestamp now;
- krb5_principal kprinc;
- krb5_error_code retval;
- krb5_boolean more;
- char *pass, *canon;
- int one = 1, nprincs = 1, randkey = 0;
-
- if (argc < 3) {
- char arg[30];
- int i;
-
- com_err(argv[0], 0, "Too few arguments");
- com_err(argv[0], 0, "Usage: %s [ -maxlife maxticketlifetime ]", argv[0]);
- com_err(argv[0], 0, " [ -expire expiredate ]");
- com_err(argv[0], 0, " [ -pwexpire pwexpiredate ]");
- com_err(argv[0], 0, " [ -pw password ]");
- com_err(argv[0], 0, " [ -randkey ]");
- i=0;
- while (!(retval = krb5_input_flag_to_string(i, arg, sizeof(arg)))) {
- com_err(argv[0], 0, " [ +%-13s | -%-13s ]", arg, arg);
- i++;
- }
- com_err(argv[0], 0, " principal");
-
- exit_status++;
- return;
- }
-
- retval = krb5_parse_name(edit_context, argv[argc - 1], &kprinc);
- if (retval) {
- com_err("modify_principal", retval, "while parsing principal");
- return;
- }
- retval = krb5_unparse_name(edit_context, kprinc, &canon);
- if (retval) {
- com_err("modify_principal", retval,
- "while canonicalizing principal");
- krb5_free_principal(edit_context, kprinc);
- return;
- }
- retval = krb5_db_get_principal(edit_context, kprinc, &oldentry,
- &nprincs, &more);
- krb5_free_principal(edit_context, kprinc);
- if (retval) {
- com_err("modify_entry", retval, "while getting \"%s\".",
- canon);
- free(canon);
- return;
- }
- if (!nprincs) {
- com_err(argv[0], 0, "No principal \"%s\" exists", canon);
- exit_status++;
- free(canon);
- return;
- }
- memcpy((krb5_pointer) &entry, (krb5_pointer) &oldentry,
- sizeof (krb5_db_entry));
- retval = parse_princ_args(argc, argv,
- &entry, &pass, &randkey,
- "modify_principal");
- if (retval) {
- fprintf(stderr, "modify_principal: bad arguments\n");
- krb5_free_principal(edit_context, entry.princ);
- free(canon);
- return;
- }
- if (randkey) {
- fprintf(stderr, "modify_principal: -randkey not allowed\n");
- krb5_free_principal(edit_context, entry.princ);
- free(canon);
- return;
- }
- if ((retval = krb5_timeofday(edit_context, &now))) {
- com_err(argv[0], retval, "while getting current time");
- krb5_free_principal(edit_context, entry.princ);
- exit_status++;
- free(canon);
- return;
- }
- if ((retval=krb5_dbe_update_mod_princ_data(edit_context,
- &entry, now, master_princ))) {
- com_err(argv[0], retval, "while setting mod_princ_data");
- krb5_free_principal(edit_context, entry.princ);
- exit_status++;
- free(canon);
- return;
- }
- retval = krb5_db_put_principal(edit_context, &entry, &one);
- krb5_free_principal(edit_context, entry.princ);
- if (retval) {
- com_err("modify_principal", retval,
- "while modifying \"%s\".", canon);
- free(canon);
- return;
- }
- if (one != 1) {
- com_err(argv[0], 0, "entry not stored in database (unknown failure)");
- exit_status++;
- }
- printf("Principal \"%s\" modified.\n", canon);
- free(canon);
-}
-
-#ifdef HAVE_GETCWD
-#define getwd(x) getcwd(x,MAXPATHLEN)
-#endif
-
-void change_working_dir(argc, argv)
- int argc;
- char **argv;
-{
- if (argc != 2) {
- com_err(argv[0], 0, "Usage: %s directory", argv[0]);
- exit_status++;
- return;
- }
- if (chdir(argv[1])) {
- com_err(argv[0], errno,
- "Couldn't change directory to %s", argv[1]);
- exit_status++;
- }
-}
-
-void print_working_dir(argc, argv)
- int argc;
- char **argv;
-{
- char buf[MAXPATHLEN];
-
- if (!getwd(buf)) {
- com_err(argv[0], 0, "Couldn't get working directory: %s",
- buf);
- exit_status++;
- return;
- }
- puts(buf);
-}
-
-#ifdef HAVE_GETCWD
-#undef getwd
-#endif
-
-int
-quit()
-{
- krb5_error_code retval;
- static krb5_boolean finished = 0;
-
- if (finished)
- return 0;
- if (valid_master_key) {
- (void) krb5_finish_key(edit_context, &master_encblock);
- (void) krb5_finish_random_key(edit_context, &master_encblock,
- &master_random);
- }
- retval = krb5_db_fini(edit_context);
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- finished = TRUE;
- if (retval && retval != KRB5_KDB_DBNOTINITED) {
- com_err(progname, retval, "while closing database");
- exit_status++;
- return 1;
- }
- return 0;
-}
+++ /dev/null
-/*
- * admin/edit/kdb5_edit.h
- *
- * Copyright 1992 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-#define REALM_SEP '@'
-#define REALM_SEP_STR "@"
-
-extern char *progname;
-extern char *Err_no_database;
-
-struct mblock {
- krb5_deltat max_life;
- krb5_deltat max_rlife;
- krb5_timestamp expiration;
- krb5_flags flags;
- krb5_kvno mkvno;
-};
-
-void add_key
- PROTOTYPE((char const *, char const *,
- krb5_const_principal, const krb5_keyblock *,
- krb5_kvno, krb5_keysalt *));
-int set_dbname_help
- PROTOTYPE((char *, char *));
-
-char *kdb5_edit_Init PROTOTYPE((int, char **));
-
-int quit();
-
-int check_for_match
- PROTOTYPE((char *, int, krb5_db_entry *, int, int));
-
-void parse_token
- PROTOTYPE((char *, int *, int *, char *));
-
-int create_db_entry
- PROTOTYPE((krb5_principal, krb5_db_entry *));
+++ /dev/null
-/*
- * admin/edit/loadv4.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Generate (from scratch) a Kerberos V5 KDC database, filling it in with the
- * entries from a V4 database.
- */
-
-#ifdef KRB5_KRB4_COMPAT
-
-#include <des.h>
-#include <krb.h>
-#include <krb_db.h>
-/* MKEYFILE is now defined in kdc.h */
-#include <kdc.h>
-
-static C_Block master_key;
-static Key_schedule master_key_schedule;
-static long master_key_version;
-
-static char *v4_mkeyfile = "/.k";
-
-#include "k5-int.h"
-#include "com_err.h"
-#include "adm.h"
-#include "adm_proto.h"
-#include <stdio.h>
-
-#include <netinet/in.h> /* ntohl */
-
-#define PROGNAME argv[0]
-
-enum ap_op {
- NULL_KEY, /* setup null keys */
- MASTER_KEY, /* use master key as new key */
- RANDOM_KEY /* choose a random key */
-};
-
-struct realm_info {
- krb5_deltat max_life;
- krb5_deltat max_rlife;
- krb5_timestamp expiration;
- krb5_flags flags;
- krb5_encrypt_block *eblock;
- krb5_pointer rseed;
-};
-
-static struct realm_info rblock = { /* XXX */
- KRB5_KDB_MAX_LIFE,
- KRB5_KDB_MAX_RLIFE,
- KRB5_KDB_EXPIRATION,
- KRB5_KDB_DEF_FLAGS,
- 0
-};
-
-static int verbose = 0;
-
-static krb5_error_code add_principal
- PROTOTYPE((krb5_context,
- krb5_principal,
- enum ap_op,
- struct realm_info *));
-
-static int v4init PROTOTYPE((char *, char *, int, char *));
-static krb5_error_code enter_in_v5_db PROTOTYPE((krb5_context,
- char *, Principal *));
-static krb5_error_code process_v4_dump PROTOTYPE((krb5_context, char *,
- char *));
-static krb5_error_code fixup_database PROTOTYPE((krb5_context, char *));
-
-static int create_local_tgt = 0;
-
-static void
-usage(who, status)
-char *who;
-int status;
-{
- fprintf(stderr, "usage: %s [-d v5dbpathname] [-t] [-n] [-r realmname] [-K] [-k enctype]\n\
-\t[-M mkeyname] -f inputfile\n",
- who);
- return;
-}
-
-static krb5_keyblock master_keyblock;
-static krb5_principal master_princ;
-static krb5_encrypt_block master_encblock;
-
-static krb5_data tgt_princ_entries[] = {
- {0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME},
- {0, 0, 0} };
-
-static krb5_data db_creator_entries[] = {
- {0, sizeof("db_creation")-1, "db_creation"} };
-
-/* XXX knows about contents of krb5_principal, and that tgt names
- are of form TGT/REALM@REALM */
-static krb5_principal_data tgt_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- tgt_princ_entries, /* krb5_data *data */
- 2, /* int length */
- KRB5_NT_SRV_INST /* int type */
-};
-
-static krb5_principal_data db_create_princ = {
- 0, /* magic number */
- {0, 0, 0}, /* krb5_data realm */
- db_creator_entries, /* krb5_data *data */
- 1, /* int length */
- KRB5_NT_SRV_INST /* int type */
-};
-
-
-void
-load_v4db(argc, argv)
-int argc;
-char *argv[];
-{
- krb5_error_code retval;
- /* The kdb library will default to this, but it is convenient to
- make it explicit (error reporting and temporary filename generation
- use it). */
- char *dbname = DEFAULT_KDB_FILE;
- char *v4dbname = 0;
- char *v4dumpfile = 0;
- char *realm = 0;
- char *mkey_name = 0;
- char *mkey_fullname;
- char *defrealm;
- int enctypedone = 0;
- int v4manual = 0;
- int read_mkey = 0;
- int tempdb = 0;
- char *tempdbname;
- krb5_context context;
- char *stash_file = (char *) NULL;
- krb5_realm_params *rparams;
- int persist, op_ind;
-
- krb5_init_context(&context);
-
- krb5_init_ets(context);
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- persist = 1;
- op_ind = 1;
- while (persist && (op_ind < argc)) {
- if (!strcmp(argv[op_ind], "-d") && ((argc - op_ind) >= 2)) {
- dbname = argv[op_ind+1];
- op_ind++;
- }
- else if (!strcmp(argv[op_ind], "-T")) {
- create_local_tgt = 1;
- }
- else if (!strcmp(argv[op_ind], "-t")) {
- tempdb = 1;
- }
- else if (!strcmp(argv[op_ind], "-r") && ((argc - op_ind) >= 2)) {
- realm = argv[op_ind+1];
- op_ind++;
- }
- else if (!strcmp(argv[op_ind], "-K")) {
- read_mkey = 1;
- }
- else if (!strcmp(argv[op_ind], "-v")) {
- verbose = 1;
- }
- else if (!strcmp(argv[op_ind], "-k") && ((argc - op_ind) >= 2)) {
- if (!krb5_string_to_enctype(argv[op_ind+1],
- &master_keyblock.enctype))
- enctypedone++;
- else
- com_err(argv[0], 0, "%s is an invalid enctype",
- argv[op_ind+1]);
- op_ind++;
- }
- else if (!strcmp(argv[op_ind], "-M") && ((argc - op_ind) >= 2)) {
- mkey_name = argv[op_ind+1];
- op_ind++;
- }
- else if (!strcmp(argv[op_ind], "-n")) {
- v4manual++;
- }
- else if (!strcmp(argv[op_ind], "-f") && ((argc - op_ind) >= 2)) {
- if (v4dbname) {
- usage(PROGNAME, 1);
- return;
- }
- v4dumpfile = argv[op_ind+1];
- op_ind++;
- }
- else
- persist = 0;
- op_ind++;
- }
-
- /*
- * Attempt to read the KDC profile. If we do, then read appropriate values
- * from it and augment values supplied on the command line.
- */
- if (!(retval = krb5_read_realm_params(context,
- realm,
- (char *) NULL,
- (char *) NULL,
- &rparams))) {
- /* Get the value for the database */
- if (rparams->realm_dbname && !dbname)
- dbname = strdup(rparams->realm_dbname);
-
- /* Get the value for the master key name */
- if (rparams->realm_mkey_name && !mkey_name)
- mkey_name = strdup(rparams->realm_mkey_name);
-
- /* Get the value for the master key type */
- if (rparams->realm_enctype_valid && !enctypedone) {
- master_keyblock.enctype = rparams->realm_enctype;
- enctypedone++;
- }
-
- /* Get the value for the stashfile */
- if (rparams->realm_stash_file)
- stash_file = strdup(rparams->realm_stash_file);
-
- /* Get the value for maximum ticket lifetime. */
- if (rparams->realm_max_life_valid)
- rblock.max_life = rparams->realm_max_life;
-
- /* Get the value for maximum renewable ticket lifetime. */
- if (rparams->realm_max_rlife_valid)
- rblock.max_rlife = rparams->realm_max_rlife;
-
- /* Get the value for the default principal expiration */
- if (rparams->realm_expiration_valid)
- rblock.expiration = rparams->realm_expiration;
-
- /* Get the value for the default principal flags */
- if (rparams->realm_flags_valid)
- rblock.flags = rparams->realm_flags;
-
- krb5_free_realm_params(context, rparams);
- }
-
- if (!v4dumpfile) {
- usage(PROGNAME, 1);
- return;
- }
-
- if (!enctypedone)
- master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
-
- if (!valid_enctype(master_keyblock.enctype)) {
- com_err(PROGNAME, KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- return;
- }
-
- krb5_use_enctype(context, &master_encblock, master_keyblock.enctype);
-
- /* If the user has not requested locking, don't modify an existing database. */
- if (! tempdb) {
- retval = krb5_db_set_name(context, dbname);
- if (retval != ENOENT) {
- fprintf(stderr,
- "%s: The v5 database appears to already exist.\n",
- PROGNAME);
- return;
- }
- tempdbname = dbname;
- } else {
- int dbnamelen = strlen(dbname);
- tempdbname = malloc(dbnamelen + 2);
- if (tempdbname == 0) {
- com_err(PROGNAME, ENOMEM, "allocating temporary filename");
- return;
- }
- strcpy(tempdbname, dbname);
- tempdbname[dbnamelen] = '~';
- tempdbname[dbnamelen+1] = 0;
- (void) kdb5_db_destroy(context, tempdbname);
- }
-
-
- if (!realm) {
- if (retval = krb5_get_default_realm(context, &defrealm)) {
- com_err(PROGNAME, retval, "while retrieving default realm name");
- return;
- }
- realm = defrealm;
- }
-
- /* assemble & parse the master key name */
-
- if (retval = krb5_db_setup_mkey_name(context, mkey_name, realm,
- &mkey_fullname, &master_princ)) {
- com_err(PROGNAME, retval, "while setting up master key name");
- return;
- }
-
- krb5_princ_set_realm_data(context, &db_create_princ, realm);
- krb5_princ_set_realm_length(context, &db_create_princ, strlen(realm));
- krb5_princ_set_realm_data(context, &tgt_princ, realm);
- krb5_princ_set_realm_length(context, &tgt_princ, strlen(realm));
- krb5_princ_component(context, &tgt_princ,1)->data = realm;
- krb5_princ_component(context, &tgt_princ,1)->length = strlen(realm);
-
- printf("Initializing database '%s' for realm '%s',\n\
-master key name '%s'\n",
- dbname, realm, mkey_fullname);
-
- if (read_mkey) {
- puts("You will be prompted for the version 5 database Master Password.");
- puts("It is important that you NOT FORGET this password.");
- fflush(stdout);
- }
-
- if (retval = krb5_db_fetch_mkey(context, master_princ, &master_encblock,
- read_mkey, read_mkey, stash_file, 0,
- &master_keyblock)) {
- com_err(PROGNAME, retval, "while reading master key");
- return;
- }
- if (retval = krb5_process_key(context, &master_encblock, &master_keyblock)) {
- com_err(PROGNAME, retval, "while processing master key");
- return;
- }
-
- rblock.eblock = &master_encblock;
- if (retval = krb5_init_random_key(context, &master_encblock,
- &master_keyblock, &rblock.rseed)) {
- com_err(PROGNAME, retval, "while initializing random key generator");
- (void) krb5_finish_key(context, &master_encblock);
- return;
- }
- if (retval = krb5_db_create(context, tempdbname)) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- (void) krb5_dbm_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while creating %sdatabase '%s'",
- tempdb ? "temporary " : "", tempdbname);
- return;
- }
- if (retval = krb5_db_set_name(context, tempdbname)) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- (void) krb5_dbm_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while setting active database to '%s'",
- tempdbname);
- return;
- }
- if (v4init(PROGNAME, v4dbname, v4manual, v4dumpfile)) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- (void) krb5_dbm_db_destroy(context, tempdbname);
- return;
- }
- if ((retval = krb5_db_init(context)) ||
- (retval = krb5_dbm_db_open_database(context))) {
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- (void) krb5_dbm_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while initializing the database '%s'",
- tempdbname);
- return;
- }
-
- if (retval = add_principal(context, master_princ, MASTER_KEY, &rblock)) {
- (void) krb5_db_fini(context);
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- (void) krb5_dbm_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while adding K/M to the database");
- return;
- }
-
- if (create_local_tgt &&
- (retval = add_principal(context, &tgt_princ, RANDOM_KEY, &rblock))) {
- (void) krb5_db_fini(context);
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- (void) krb5_dbm_db_destroy(context, tempdbname);
- com_err(PROGNAME, retval, "while adding TGT service to the database");
- return;
- }
-
- retval = process_v4_dump(context, v4dumpfile, realm);
- putchar('\n');
- if (retval)
- com_err(PROGNAME, retval, "while translating entries to the database");
- else {
- retval = fixup_database(context, realm);
- }
-
- /* clean up; rename temporary database if there were no errors */
- if (retval == 0) {
- if (retval = krb5_db_fini (context))
- com_err(PROGNAME, retval, "while shutting down database");
- else if (tempdb && (retval = krb5_dbm_db_rename(context, tempdbname,
- dbname)))
- com_err(PROGNAME, retval, "while renaming temporary database");
- } else {
- (void) krb5_db_fini (context);
- if (tempdb)
- (void) krb5_dbm_db_destroy (context, tempdbname);
- }
- (void) krb5_finish_key(context, &master_encblock);
- (void) krb5_finish_random_key(context, &master_encblock, &rblock.rseed);
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- krb5_free_context(context);
- return;
-}
-
-static int
-v4init(pname, name, manual, dumpfile)
-char *pname, *name;
-int manual;
-char *dumpfile;
-{
- int fd;
- int ok = 0;
-
- if (!manual) {
- fd = open(v4_mkeyfile, O_RDONLY, 0600);
- if (fd >= 0) {
- if (read(fd, master_key, sizeof(master_key)) == sizeof(master_key))
- ok = 1;
- close(fd);
- }
- }
- if (!ok) {
- des_read_password(master_key, "V4 Kerberos master key: ", 0);
- printf("\n");
- }
- key_sched(master_key, master_key_schedule);
- return 0;
-}
-
-static krb5_error_code
-enter_in_v5_db(context, realm, princ)
-krb5_context context;
-char *realm;
-Principal *princ;
-{
- krb5_db_entry entry;
- krb5_error_code retval;
- krb5_keyblock v4v5key;
- int nentries = 1;
- des_cblock v4key;
- char *name;
- krb5_timestamp mod_time;
- krb5_principal mod_princ;
- krb5_keysalt keysalt;
-
- /* don't convert local TGT if we created a TGT already.... */
- if (create_local_tgt && !strcmp(princ->name, "krbtgt") &&
- !strcmp(princ->instance, realm)) {
- if (verbose)
- printf("\nignoring local TGT: '%s.%s' ...",
- princ->name, princ->instance);
- return 0;
- }
- if (!strcmp(princ->name, KERB_M_NAME) &&
- !strcmp(princ->instance, KERB_M_INST)) {
- des_cblock key_from_db;
- int val;
-
- /* here's our chance to verify the master key */
- /*
- * use the master key to decrypt the key in the db, had better
- * be the same!
- */
- memcpy(key_from_db, (char *)&princ->key_low, 4);
- memcpy(((char *) key_from_db) + 4, (char *)&princ->key_high, 4);
- pcbc_encrypt((C_Block *) &key_from_db,
- (C_Block *) &key_from_db,
- (long) sizeof(C_Block),
- master_key_schedule,
- (C_Block *) master_key,
- DECRYPT);
- val = memcmp((char *) master_key, (char *) key_from_db,
- sizeof(master_key));
- memset((char *)key_from_db, 0, sizeof(key_from_db));
- if (val) {
- return KRB5_KDB_BADMASTERKEY;
- }
- if (verbose)
- printf("\nignoring '%s.%s' ...", princ->name, princ->instance);
- return 0;
- }
- memset((char *) &entry, 0, sizeof(entry));
- if (retval = krb5_425_conv_principal(context, princ->name, princ->instance,
- realm, &entry.princ))
- return retval;
- if (verbose) {
- if (retval = krb5_unparse_name(context, entry.princ, &name))
- name = strdup("<not unparsable name!>");
- if (verbose)
- printf("\ntranslating %s...", name);
- free(name);
- }
-
- if (retval = krb5_build_principal(context, &mod_princ,
- strlen(realm),
- realm, princ->mod_name,
- princ->mod_instance[0] ? princ->mod_instance : 0,
- 0)) {
- krb5_free_principal(context, entry.princ);
- return retval;
- }
- mod_time = princ->mod_date;
-
- entry.max_life = princ->max_life * 60 * 5;
- entry.max_renewable_life = rblock.max_rlife;
- entry.len = KRB5_KDB_V1_BASE_LENGTH;
- entry.expiration = princ->exp_date;
- entry.attributes = rblock.flags; /* XXX is there a way to convert
- the old attrs? */
-
- memcpy((char *)v4key, (char *)&(princ->key_low), 4);
- memcpy((char *) (((char *) v4key) + 4), (char *)&(princ->key_high), 4);
- pcbc_encrypt((C_Block *) &v4key,
- (C_Block *) &v4key,
- (long) sizeof(C_Block),
- master_key_schedule,
- (C_Block *) master_key,
- DECRYPT);
-
- v4v5key.magic = KV5M_KEYBLOCK;
- v4v5key.contents = (krb5_octet *)v4key;
- v4v5key.enctype = ENCTYPE_DES_CBC_CRC;
- v4v5key.length = sizeof(v4key);
-
- retval = krb5_dbe_create_key_data(context, &entry);
- if (retval) {
- krb5_free_principal(context, entry.princ);
- krb5_free_principal(context, mod_princ);
- return retval;
- }
-
- keysalt.type = KRB5_KDB_SALTTYPE_V4;
- keysalt.data.length = 0;
- keysalt.data.data = (char *) NULL;
- retval = krb5_dbekd_encrypt_key_data(context, rblock.eblock,
- &v4v5key, &keysalt,
- princ->key_version,
- &entry.key_data[0]);
- if (!retval)
- retval = krb5_dbe_update_mod_princ_data(context, &entry,
- mod_time, mod_princ);
- if (retval) {
- krb5_db_free_principal(context, &entry, 1);
- krb5_free_principal(context, mod_princ);
- return retval;
- }
- memset((char *)v4key, 0, sizeof(v4key));
-
- retval = krb5_db_put_principal(context, &entry, &nentries);
-
- if (!retval && !strcmp(princ->name, "krbtgt") &&
- strcmp(princ->instance, realm) && princ->instance[0]) {
- krb5_free_principal(context, entry.princ);
- if (retval = krb5_build_principal(context, &entry.princ,
- strlen(princ->instance),
- princ->instance,
- "krbtgt", realm, 0))
- return retval;
- retval = krb5_db_put_principal(context, &entry, &nentries);
- }
-
- krb5_db_free_principal(context, &entry, 1);
- krb5_free_principal(context, mod_princ);
-
- return retval;
-}
-
-static krb5_error_code
-add_principal(context, princ, op, pblock)
-krb5_context context;
-krb5_principal princ;
-enum ap_op op;
-struct realm_info *pblock;
-{
- krb5_db_entry entry;
- krb5_error_code retval;
- krb5_keyblock *rkey;
- int nentries = 1;
- krb5_timestamp mod_time;
- krb5_principal mod_princ;
-
- memset((char *) &entry, 0, sizeof(entry));
- if (retval = krb5_copy_principal(context, princ, &entry.princ))
- return(retval);
- entry.max_life = pblock->max_life;
- entry.max_renewable_life = pblock->max_rlife;
- entry.len = KRB5_KDB_V1_BASE_LENGTH;
- entry.expiration = pblock->expiration;
-
- if ((retval = krb5_timeofday(context, &mod_time))) {
- krb5_db_free_principal(context, &entry, 1);
- return retval;
- }
- entry.attributes = pblock->flags;
-
- if (retval = krb5_dbe_create_key_data(context, &entry)) {
- krb5_db_free_principal(context, &entry, 1);
- return(retval);
- }
-
- switch (op) {
- case MASTER_KEY:
- entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- if (retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock,
- &master_keyblock,
- (krb5_keysalt *) NULL, 1,
- &entry.key_data[0])) {
- krb5_db_free_principal(context, &entry, 1);
- return retval;
- }
- break;
- case RANDOM_KEY:
- if (retval = krb5_random_key(context, pblock->eblock, pblock->rseed,
- &rkey)) {
- krb5_db_free_principal(context, &entry, 1);
- return retval;
- }
- if (retval = krb5_dbekd_encrypt_key_data(context, pblock->eblock,
- rkey,
- (krb5_keysalt *) NULL, 1,
- &entry.key_data[0])) {
- krb5_db_free_principal(context, &entry, 1);
- return(retval);
- }
- krb5_free_keyblock(context, rkey);
- break;
- case NULL_KEY:
- return EOPNOTSUPP;
- default:
- break;
- }
-
- retval = krb5_dbe_update_mod_princ_data(context, &entry,
- mod_time, &db_create_princ);
- if (!retval)
- retval = krb5_db_put_principal(context, &entry, &nentries);
- krb5_db_free_principal(context, &entry, 1);
- return retval;
-}
-
-/*
- * Convert a struct tm * to a UNIX time.
- */
-
-
-#define daysinyear(y) (((y) % 4) ? 365 : (((y) % 100) ? 366 : (((y) % 400) ? 365 : 366)))
-
-#define SECSPERDAY 24*60*60
-#define SECSPERHOUR 60*60
-#define SECSPERMIN 60
-
-static int cumdays[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334,
- 365};
-
-static int leapyear[] = {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
-static int nonleapyear[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
-
-static long
-maketime(tp, local)
-register struct tm *tp;
-int local;
-{
- register long retval;
- int foo;
- int *marray;
-
- if (tp->tm_mon < 0 || tp->tm_mon > 11 ||
- tp->tm_hour < 0 || tp->tm_hour > 23 ||
- tp->tm_min < 0 || tp->tm_min > 59 ||
- tp->tm_sec < 0 || tp->tm_sec > 59) /* out of range */
- return 0;
-
- retval = 0;
- if (tp->tm_year < 1900)
- foo = tp->tm_year + 1900;
- else
- foo = tp->tm_year;
-
- if (foo < 1901 || foo > 2038) /* year is too small/large */
- return 0;
-
- if (daysinyear(foo) == 366) {
- if (tp->tm_mon > 1)
- retval+= SECSPERDAY; /* add leap day */
- marray = leapyear;
- } else
- marray = nonleapyear;
-
- if (tp->tm_mday < 0 || tp->tm_mday > marray[tp->tm_mon])
- return 0; /* out of range */
-
- while (--foo >= 1970)
- retval += daysinyear(foo) * SECSPERDAY;
-
- retval += cumdays[tp->tm_mon] * SECSPERDAY;
- retval += (tp->tm_mday-1) * SECSPERDAY;
- retval += tp->tm_hour * SECSPERHOUR + tp->tm_min * SECSPERMIN + tp->tm_sec;
-
- if (local) {
- /* need to use local time, so we retrieve timezone info */
- struct timezone tz;
- struct timeval tv;
- if (gettimeofday(&tv, &tz) < 0) {
- /* some error--give up? */
- return(retval);
- }
- retval += tz.tz_minuteswest * SECSPERMIN;
- }
- return(retval);
-}
-
-static long
-time_explode(cp)
-register char *cp;
-{
- char wbuf[5];
- struct tm tp;
- int local;
-
- memset((char *)&tp, 0, sizeof(tp));
-
- if (strlen(cp) > 10) { /* new format */
- (void) strncpy(wbuf, cp, 4);
- wbuf[4] = 0;
- tp.tm_year = atoi(wbuf);
- cp += 4; /* step over the year */
- local = 0; /* GMT */
- } else { /* old format: local time,
- year is 2 digits, assuming 19xx */
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- wbuf[2] = 0;
- tp.tm_year = 1900 + atoi(wbuf);
- local = 1; /* local */
- }
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- wbuf[2] = 0;
- tp.tm_mon = atoi(wbuf)-1;
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_mday = atoi(wbuf);
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_hour = atoi(wbuf);
-
- wbuf[0] = *cp++;
- wbuf[1] = *cp++;
- tp.tm_min = atoi(wbuf);
-
-
- return(maketime(&tp, local));
-}
-
-static krb5_error_code
-process_v4_dump(context, dumpfile, realm)
-krb5_context context;
-char *dumpfile;
-char *realm;
-{
- krb5_error_code retval;
- FILE *input_file;
- Principal aprinc;
- char exp_date_str[50];
- char mod_date_str[50];
- int temp1, temp2, temp3;
- long time_explode();
-
- input_file = fopen(dumpfile, "r");
- if (!input_file)
- return errno;
-
- for (;;) { /* explicit break on eof from fscanf */
- int nread;
-
- memset((char *)&aprinc, 0, sizeof(aprinc));
- nread = fscanf(input_file,
- "%s %s %d %d %d %hd %x %x %s %s %s %s\n",
- aprinc.name,
- aprinc.instance,
- &temp1,
- &temp2,
- &temp3,
- &aprinc.attributes,
- &aprinc.key_low,
- &aprinc.key_high,
- exp_date_str,
- mod_date_str,
- aprinc.mod_name,
- aprinc.mod_instance);
- if (nread != 12) {
- retval = nread == EOF ? 0 : KRB5_KDB_DB_CORRUPT;
- break;
- }
- aprinc.key_low = ntohl (aprinc.key_low);
- aprinc.key_high = ntohl (aprinc.key_high);
- aprinc.max_life = (unsigned char) temp1;
- aprinc.kdc_key_ver = (unsigned char) temp2;
- aprinc.key_version = (unsigned char) temp3;
- aprinc.exp_date = time_explode(exp_date_str);
- aprinc.mod_date = time_explode(mod_date_str);
- if (aprinc.instance[0] == '*')
- aprinc.instance[0] = '\0';
- if (aprinc.mod_name[0] == '*')
- aprinc.mod_name[0] = '\0';
- if (aprinc.mod_instance[0] == '*')
- aprinc.mod_instance[0] = '\0';
- if (retval = enter_in_v5_db(context, realm, &aprinc))
- break;
- }
- (void) fclose(input_file);
- return retval;
-}
-
-static krb5_error_code fixup_database(context, realm)
- krb5_context context;
- char * realm;
-{
- krb5_db_entry entry;
- krb5_error_code retval;
- int nprincs;
- krb5_boolean more;
-
- nprincs = 1;
- if (retval = krb5_db_get_principal(context, &tgt_princ, &entry,
- &nprincs, &more))
- return retval;
-
- if (nprincs == 0)
- return 0;
-
- entry.attributes |= KRB5_KDB_SUPPORT_DESMD5;
-
- retval = krb5_db_put_principal(context, &entry, &nprincs);
-
- if (nprincs)
- krb5_db_free_principal(context, &entry, nprincs);
-
- return retval;
-}
-
-#else /* KRB5_KRB4_COMPAT */
-void
-load_v4db(argc, argv)
- int argc;
- char *argv[];
-{
- printf("This version of krb5_edit does not support the V4 load command.\n");
-}
-#endif /* KRB5_KRB4_COMPAT */
+++ /dev/null
-/*
- * admin/edit/ss_wrapper.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * ss wrapper for kdb5_edit
- */
-
-#include "k5-int.h"
-#include "kdb5_edit.h"
-#include <ss/ss.h>
-#include <stdio.h>
-
-extern ss_request_table kdb5_edit_cmds;
-extern int exit_status;
-extern FILE *scriptfile;
-
-int sci_idx;
-
-int main(argc, argv)
- int argc;
- char *argv[];
-{
- char *request;
- krb5_error_code retval;
- int code = 0;
-
- request = kdb5_edit_Init(argc, argv);
- sci_idx = ss_create_invocation("kdb5_edit", "5.0", (char *) NULL,
- &kdb5_edit_cmds, &retval);
- if (retval) {
- ss_perror(sci_idx, retval, "creating invocation");
- exit(1);
- }
-
- if (request) {
- code = ss_execute_line(sci_idx, request, &code);
- if (code != 0) {
- ss_perror(sci_idx, code, request);
- exit_status++;
- }
- } else if (scriptfile) {
- char *command;
- int nread;
-
- /* Get a buffer */
- if ((command = (char *) malloc(BUFSIZ))) {
- /* Process commands from the script until end-of-file or error */
- while (!feof(scriptfile) &&
- (fgets(command, BUFSIZ, scriptfile))) {
-
- /* Strip trailing newline */
- if (command[strlen(command)-1] == '\n')
- command[strlen(command)-1] = '\0';
-
- /* Execute the command */
- code = ss_execute_line(sci_idx, command, &code);
- if (code != 0) {
- ss_perror(sci_idx, code, command);
- exit_status++;
- break;
- }
- }
- free(command);
- }
- } else
- ss_listen(sci_idx, &retval);
- return quit() ? 1 : exit_status;
-}
+++ /dev/null
-/*
- * admin/edit/tcl_wrapper.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Tcl wrapper for kdb5_edit
- */
-
-#include "k5-int.h"
-#include "kdb5_edit.h"
-#include <tcl.h>
-
-#define CMDDECL(x) int x(clientData, interp, argc, argv)\
- ClientData clientData;\
- Tcl_Interp * interp;\
- int argc;\
- char ** argv;
-#define CMDPROTO(x) int x PROTOTYPE((ClientData, Tcl_Interp,\
- int, char **))
-#define MKCMD(name,cmd) Tcl_CreateCommand(interp, name, cmd,\
- (ClientData)NULL,\
- (Tcl_CmdDeleteProc *)NULL)
-
-extern int main();
-int *tclDummyMainPtr = (int *) main; /* force ld to suck in main()
- from libtcl.a */
-extern Tcl_Interp *interp; /* XXX yes, this is gross,
- but we do need it for some things */
-extern int exit_status;
-
-void show_principal PROTOTYPE((int, char **));
-void add_new_key PROTOTYPE((int, char **));
-void change_pwd_key PROTOTYPE((int, char **));
-void add_rnd_key PROTOTYPE((int, char **));
-void change_rnd_key PROTOTYPE((int, char **));
-void delete_entry PROTOTYPE((int, char **));
-void extract_srvtab PROTOTYPE((krb5_context, int, char **));
-void extract_v4_srvtab PROTOTYPE((int, char **));
-void list_db PROTOTYPE((int, char **));
-void dump_db PROTOTYPE((int, char **));
-void load_db PROTOTYPE((int, char **));
-void set_dbname PROTOTYPE((krb5_context, int, char **));
-void enter_master_key PROTOTYPE((krb5_context, int, char **));
-
-/*
- * this is mostly stolen from tcl_ExitCmd()
- * we need to do a few extra things, though...
- */
-int doquit(clientData, interp, argc, argv)
- ClientData clientData;
- Tcl_Interp *interp;
- int argc;
- char *argv[];
-{
- int value;
-
- if ((argc != 1) && (argc != 2)) {
- Tcl_AppendResult(interp, "wrong # args: should be \"", argv[0],
- " ?returnCode?\"", (char *) NULL);
- return TCL_ERROR;
- }
- if (argc == 1) {
- exit(quit() ? 1 : exit_status);
- }
- if (Tcl_GetInt(interp, argv[1], &value) != TCL_OK) {
- return TCL_ERROR;
- }
- (void)quit();
- exit(value);
- /*NOTREACHED*/
- return TCL_OK; /* Better not ever reach this! */
-}
-
-int list_requests(clientData, interp, argc, argv)
- ClientData clientData;
- Tcl_Interp *interp;
- int argc;
- char *argv[];
-{
- Tcl_SetResult(interp, "show_principal, show: Show the Kerberos database entry for a principal\nadd_new_key, ank: Add new entry to the Kerberos database (prompting for password\nchange_pwd_key, cpw: Change key of an entry in the Kerberos database (prompting for password)\nadd_rnd_key, ark: Add new entry to Kerberos database, using a random key\nchange_rnd_key, crk: Change key of an entry in the Kerberos database (select a random key)\ndelete_entry, delent: Delete an entry from the database\nextract_srvtab, xst, ex_st: Extract service key table\nextract_v4_srvtab, xst4: Extract service key table\nlist_db, ldb: List database entries\nset_dbname, sdbn: Change database name\nenter_master_key, emk: Enter the master key for a database\nchange_working_directory, cwd, cd: Change working directory\nprint_working_directory, pwd: Print working directory\nlist_requests, lr: List available requests\nquit, exit: Exit program", TCL_STATIC);
- return TCL_OK;
-}
-
-int wrapper(func, interp, argc, argv)
- void (*func)();
- Tcl_Interp *interp;
- int argc;
- char *argv[];
-{
- (*func)(argc, argv);
- return TCL_OK;
-}
-
-int Tcl_AppInit(interp)
- Tcl_Interp *interp;
-{
- int argc;
- char **argv, **mostly_argv;
- char *interp_argv, *interp_argv0, *request;
- Tcl_CmdInfo cmdInfo;
-
- if (Tcl_Init(interp) == TCL_ERROR)
- return TCL_ERROR;
- /*
- * the following is, admittedly, sorta gross, but the only way
- * to grab the original argc, argv once the interpreter is running
- */
- interp_argv = Tcl_GetVar(interp, "argv", 0);
- if (interp_argv == NULL)
- return TCL_ERROR;
- else if (Tcl_SplitList(interp, interp_argv,
- &argc, &mostly_argv) != TCL_OK)
- return TCL_ERROR;
- interp_argv0 = Tcl_GetVar(interp, "argv0", 0);
- if (interp_argv0 == NULL)
- return TCL_ERROR;
- if ((argv = (char **)malloc((argc + 1) * sizeof (char *))) == NULL)
- return TCL_ERROR;
- argv[0] = interp_argv0;
- memcpy(argv + 1, mostly_argv, argc++ * sizeof (char *));
- /*
- * set up a prompt
- */
- if (Tcl_SetVar(interp, "tcl_prompt1",
- "puts -nonewline \"kdb5_edit: \"", 0) == NULL)
- return TCL_ERROR;
- /*
- * we don't want arbitrary programs to get exec'd by accident
- */
- if (Tcl_SetVar(interp, "auto_noexec", "{}", 0) == NULL)
- return TCL_ERROR;
- request = kdb5_edit_Init(argc, argv);
- Tcl_CallWhenDeleted(interp, doquit,
- (ClientData)0);
- Tcl_CreateCommand(interp, "quit", doquit,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "exit", doquit,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "list_requests", list_requests,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "lr", list_requests,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- if (Tcl_GetCommandInfo(interp, "cd", &cmdInfo)) {
- Tcl_CreateCommand(interp, "cwd", cmdInfo.proc,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "change_working_directory", cmdInfo.proc,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- }
- if (Tcl_GetCommandInfo(interp, "pwd", &cmdInfo)) {
- Tcl_CreateCommand(interp, "print_working_directory", cmdInfo.proc,
- (ClientData)0,
- (Tcl_CmdDeleteProc *)0);
- }
- Tcl_CreateCommand(interp, "show_principal", wrapper, show_principal,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "show", wrapper, show_principal,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "add_new_key", wrapper, add_new_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "ank", wrapper, add_new_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "change_pwd_key", wrapper, change_pwd_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "cpw", wrapper, change_pwd_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "add_rnd_key", wrapper, add_rnd_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "ark", wrapper, add_rnd_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "change_rnd_key", wrapper, change_rnd_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "crk", wrapper, change_rnd_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "delete_entry", wrapper, delete_entry,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "delent", wrapper, delete_entry,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "extract_srvtab", wrapper, extract_srvtab,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "xst", wrapper, extract_srvtab,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "ex_st", wrapper, extract_srvtab,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "extract_v4_srvtab", wrapper, extract_v4_srvtab,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "xv4st", wrapper, extract_v4_srvtab,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "list_db", wrapper, list_db,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "ldb", wrapper, list_db,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "dump_db", wrapper, dump_db,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "ddb", wrapper, dump_db,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "load_db", wrapper, load_db,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "lddb", wrapper, load_db,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "set_dbname", wrapper, set_dbname,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "sdbn", wrapper, set_dbname,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "enter_master_key", wrapper, enter_master_key,
- (Tcl_CmdDeleteProc *)0);
- Tcl_CreateCommand(interp, "emk", wrapper, enter_master_key,
- (Tcl_CmdDeleteProc *)0);
- if (request && (Tcl_Eval(interp, request) == TCL_ERROR))
- return TCL_ERROR;
- return TCL_OK;
-}
+++ /dev/null
-/*
- * admin/edit/util.c
- *
- * Copyright 1992 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- * Utilities for kdb5_edit.
- *
- * Some routines derived from code contributed by the Sandia National
- * Laboratories. Sandia National Laboratories also makes no
- * representations about the suitability of the modifications, or
- * additions to this software for any purpose. It is provided "as is"
- * without express or implied warranty.
- *
- */
-
-#include "k5-int.h"
-#include "./kdb5_edit.h"
-
-#if !defined(HAVE_STRSTR)
-char *
-strstr(s1, s2)
-char *s1;
-char *s2;
-{
- int s2len;
- int i;
- char *temp_ptr;
-
- temp_ptr = s1;
- for ( i = 0; i < strlen(s1); i++) {
- if (memcmp(temp_ptr, s2, strlen(s2)) == 0) return(temp_ptr);
- temp_ptr += 1;
- }
- return ((char *) 0);
-}
-#endif /* sysvimp */
-
-void
-parse_token(token_in, must_be_first_char, num_tokens, tokens_out)
-char *token_in;
-int *must_be_first_char;
-int *num_tokens;
-char *tokens_out;
-{
- int i, j;
- int token_count = 0;
-
- i = 0;
- j = 0;
-
- /* Eliminate Up Front Asterisks */
- *must_be_first_char = 1;
- for (i = 0; token_in[i] == '*'; i++) {
- *must_be_first_char = 0;
- }
-
- if (i == strlen(token_in)) {
- *num_tokens = 0;
- return;
- }
-
- /* Fill first token_out */
- token_count++;
- while ((token_in[i] != '*') && (token_in[i] != '\0')) {
- tokens_out[j] = token_in[i];
- j++;
- i++;
- }
-
- if (i == strlen(token_in)) {
- tokens_out[j] = '\0';
- *num_tokens = token_count;
- return;
- }
-
- /* Then All Subsequent Tokens */
- while (i < strlen(token_in)) {
- if (token_in[i] == '*') {
- token_count++;
- tokens_out[j] = '\t';
- } else {
- tokens_out[j] = token_in[i];
- }
- i++;
- j++;
- }
- tokens_out[j] = '\0';
-
- if (tokens_out[j - 1] == '\t') {
- token_count--;
- tokens_out[j - 1] = '\0';
- }
-
- *num_tokens = token_count;
- return;
-}
-
-int
-check_for_match(search_field, must_be_first_character, chk_entry,
- num_tokens, type)
-int must_be_first_character;
-char *search_field;
-krb5_db_entry *chk_entry;
-int num_tokens;
-int type;
-{
- char token1[256];
- char *found1;
- char token2[256];
- char *found2;
- char token3[256];
- char *found3;
- char *local_entry;
-
- local_entry = chk_entry->princ->data[type].data;
-
- token1[0] = token2[0] = token3[0] = '\0';
-
- (void) sscanf(search_field, "%s\t%s\t%s", token1, token2, token3);
-
- found1 = strstr(local_entry, token1);
-
- if (must_be_first_character && (found1 != local_entry)) return(0);
-
- if (found1 && (num_tokens == 1)) return(1);
-
- if (found1 && (num_tokens > 1)) {
- found2 = strstr(local_entry, token2);
- if (found2 && (found2 > found1) && (num_tokens == 2)) return(1);
- }
-
- if ((found2 > found1) && (num_tokens == 3)) {
- found3 = strstr(local_entry, token3);
- if (found3 && (found3 > found2) && (found2 > found1)) return(1);
- }
- return(0);
-}
-
+++ /dev/null
-# Sanitize.in for Kerberos V5
-
-# Each directory to survive it's way into a release will need a file
-# like this one called "./.Sanitize". All keyword lines must exist,
-# and must exist in the order specified by this file. Each directory
-# in the tree will be processed, top down, in the following order.
-
-# Hash started lines like this one are comments and will be deleted
-# before anything else is done. Blank lines will also be squashed
-# out.
-
-# The lines between the "Do-first:" line and the "Things-to-keep:"
-# line are executed as a /bin/sh shell script before anything else is
-# done in this
-
-Do-first:
-
-# All files listed between the "Things-to-keep:" line and the
-# "Files-to-sed:" line will be kept. All other files will be removed.
-# Directories listed in this section will have their own Sanitize
-# called. Directories not listed will be removed in their entirety
-# with rm -rf.
-
-Things-to-keep:
-
-.cvsignore
-ChangeLog
-Makefile.in
-configure
-configure.in
-kdb5_stash.M
-kdb5_stash.c
-
-Things-to-lose:
-
-Do-last:
-
-# End of file.
+++ /dev/null
-Sun May 12 01:16:49 1996 Marc Horowitz <marc@mit.edu>
-
- * configure.in: USE_KADM_LIBRARY replaced by USE_KADMSRV_LIBRARY
-
-Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_stash.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g
-
-Tue Sep 05 22:10:34 1995 Chris Provenzano (proven@mit.edu)
-
- * kdb5_stash.c : Remove krb5_enctype references, and replace with
- krb5_keytype where appropriate.
-
-Mon Aug 21 16:48:01 EDT 1995 Paul Park (pjpark@mit.edu)
- * kdb5_stash.M - Remove "ascii representation of a decimal number".
-
-
-Mon Jul 31 15:49:17 EDT 1995 Paul Park (pjpark@mit.edu)
- * kdb5_stash.c - Use kadm string conversion routines.
-
-
-Mon Jul 17 15:02:29 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add KADM library.
- * kdb5_stash.c - Change calling sequence to krb5_db_fetch_mkey(). Add
- KDC profile reading/handling as a supplement to command line
- arguments.
-
-
-Fri Jul 7 15:38:50 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Remove all explicit library handling and LDFLAGS.
- * configure.in - Add USE_KDB5_LIBRARY and KRB5_LIBRARIES.
-
-
-Fri Jun 30 14:31:23 EDT 1995 Paul Park (pjpark@mit.edu)
- * configure.in - Add --with-dbm to select between Berkeley and DBM
- KDC database format.
-
-
-Thu Jun 15 15:35:39 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Change explicit library names to -l<lib> form, and
- change target link line to use $(LD) and associated flags.
- * configure.in - Add shared library usage check.
-
-Fri Jun 9 18:16:17 1995 <tytso@rsx-11.mit.edu>
-
- * configure.in: Remove standardized set of autoconf macros, which
- are now handled by CONFIG_RULES.
-
-Thu Mar 2 13:03:01 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * Makefile.in (ISODELIB): Remove reference to $(ISODELIB).
-
-Wed Mar 1 11:53:29 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * configure.in: Remove ISODE_INCLUDE, replace check for -lsocket
- and -lnsl with WITH_NETLIB check.
-
-Tue Feb 28 02:08:04 1995 John Gilmore (gnu at toad.com)
-
- * kdb5_stach.c: Avoid <krb5/...> and <com_err.h> includes.
-
-Fri Jan 13 15:23:47 1995 Chris Provenzano (proven@mit.edu)
-
- * Added krb5_context to all krb5_routines
-
-Mon Oct 3 19:11:08 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Use $(srcdir) to find manual page for make install.
-
-Thu Sep 29 22:20:51 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: Relink executable when libraries change.
-
-Wed Jun 29 00:23:09 1994 Tom Yu (tlyu at dragons-lair)
-
- * kdb5_stash.c: fix things that should have been krb5_init_ets
-
+++ /dev/null
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
-
-all:: kdb5_stash
-
-kdb5_stash: kdb5_stash.o $(DEPLIBS)
- $(LD) $(LDFLAGS) $(LDARGS) -o kdb5_stash kdb5_stash.o $(LIBS)
-
-install::
- $(INSTALL_PROGRAM) kdb5_stash ${DESTDIR}$(ADMIN_BINDIR)/kdb5_stash
- $(INSTALL_DATA) $(srcdir)/kdb5_stash.M ${DESTDIR}$(ADMIN_MANDIR)/kdb5_stash.8
-
-clean::
- $(RM) kdb5_stash kdb5_stash.o
+++ /dev/null
-AC_INIT(kdb5_stash.c)
-CONFIG_RULES
-AC_PROG_INSTALL
-USE_KADMSRV_LIBRARY
-USE_KDB5_LIBRARY
-KRB5_LIBRARIES
-V5_USE_SHARED_LIB
-V5_AC_OUTPUT_MAKEFILE
+++ /dev/null
-.\" admin/stash/kdb5_stash.M
-.\"
-.\" Copyright 1990 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH KDB5_STASH 8 "Kerberos Version 5.0" "MIT Project Athena"
-.SH NAME
-kdb5_stash \- store a principal database master key on disk
-.SH SYNOPSIS
-.B kdb5_stash
-[
-.B \-r
-.I realm
-] [
-.B \-d
-.I dbname
-] [
-.B \-k
-.I keytype
-] [
-.B \-M
-.I mkeyname
-] [
-.B \-e
-.I enctype
-] [
-.B \-f
-.I keyfile
-]
-.br
-.SH DESCRIPTION
-.I kdb5_stash
-stores a Kerberos principal database master key in a file;
-this key may subsequently be used for unattended re-start of a Kerberos
-V5 KDC.
-The user is prompted for the master password, which will be verified
-against the database, and then stored in a file.
-.PP
-The
-.B \-r
-.I realm
-option specifies the realm for which the database key should be stored;
-by default the realm returned by
-.IR krb5_default_local_realm (3)
-is used.
-.PP
-The
-.B \-d
-.I dbname
-option specifies the name under which the principal database is
-stored; by default the database is in DEFAULT_DBM_FILE (normally
-/krb5/principal).
-.PP
-The
-.B \-k
-.I keytype
-option specifies the key type of the master key in the database; the default
-is KEYTYPE_DES.
-.PP
-The
-.B \-M
-.I mkeyname
-option specifies the principal name for the master key in the database;
-the default is KRB5_KDB_M_NAME (usually "K/M" in the KDC's realm).
-.PP
-The
-.B \-e
-.I enctype
-option specifies the encryption type used for entries in the database; the
-default is the default encryption type for the master keytype.
-.PP
-The
-.B \-f
-option specifies the file in which the master key should be stored; the
-default is DEFAULT_KEYFILE_STUB ("/.k5." concatenated with the realm name).
-.SH SEE ALSO
-krb5(3), krb5kdc(8), kdb5_create(8)
-.SH BUGS
-Allows an intruder to gain access to the entire database if the security
-of the KDC system is breached.
-
+++ /dev/null
-/*
- * admin/stash/kdb5_stash.c
- *
- * Copyright 1990 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Store the master database key in a file.
- */
-
-#include "k5-int.h"
-#include "com_err.h"
-#include "adm.h"
-#include "adm_proto.h"
-#include <stdio.h>
-
-extern int errno;
-
-krb5_keyblock master_keyblock;
-krb5_principal master_princ;
-krb5_encrypt_block master_encblock;
-
-static void
-usage(who, status)
-char *who;
-int status;
-{
- fprintf(stderr, "usage: %s [-d dbpathname] [-r realmname] [-k enctype]\n\
-\t[-M mkeyname] [-f keyfile]\n",
- who);
- exit(status);
-}
-
-
-void
-main(argc, argv)
-int argc;
-char *argv[];
-{
- extern char *optarg;
- int optchar;
- krb5_error_code retval;
- char *dbname = (char *) NULL;
- char *realm = 0;
- char *mkey_name = 0;
- char *mkey_fullname;
- char *keyfile = 0;
- krb5_context context;
- krb5_realm_params *rparams;
-
- int enctypedone = 0;
-
- if (strrchr(argv[0], '/'))
- argv[0] = strrchr(argv[0], '/')+1;
-
- krb5_init_context(&context);
- krb5_init_ets(context);
-
- while ((optchar = getopt(argc, argv, "d:r:k:M:e:f:")) != EOF) {
- switch(optchar) {
- case 'd': /* set db name */
- dbname = optarg;
- break;
- case 'r':
- realm = optarg;
- break;
- case 'k':
- if (!krb5_string_to_enctype(optarg, &master_keyblock.enctype))
- enctypedone++;
- else
- com_err(argv[0], 0, "%s is an invalid enctype", optarg);
- break;
- case 'M': /* master key name in DB */
- mkey_name = optarg;
- break;
- case 'f':
- keyfile = optarg;
- break;
- case '?':
- default:
- usage(argv[0], 1);
- /*NOTREACHED*/
- }
- }
-
- /*
- * Attempt to read the KDC profile. If we do, then read appropriate values
- * from it and augment values supplied on the command line.
- */
- if (!(retval = krb5_read_realm_params(context,
- realm,
- (char *) NULL,
- (char *) NULL,
- &rparams))) {
- /* Get the value for the database */
- if (rparams->realm_dbname && !dbname)
- dbname = strdup(rparams->realm_dbname);
-
- /* Get the value for the master key name */
- if (rparams->realm_mkey_name && !mkey_name)
- mkey_name = strdup(rparams->realm_mkey_name);
-
- /* Get the value for the master key type */
- if (rparams->realm_enctype_valid && !enctypedone) {
- master_keyblock.enctype = rparams->realm_enctype;
- enctypedone++;
- }
-
- /* Get the value for the stash file */
- if (rparams->realm_stash_file && !keyfile)
- keyfile = strdup(rparams->realm_stash_file);
-
- krb5_free_realm_params(context, rparams);
- }
-
- if (!dbname)
- dbname = DEFAULT_KDB_FILE;
-
- if (!enctypedone)
- master_keyblock.enctype = DEFAULT_KDC_ENCTYPE;
-
- if (!valid_enctype(master_keyblock.enctype)) {
- char tmp[32];
- if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp)))
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP,
- "while setting up enctype %d", master_keyblock.enctype);
- else
- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp);
- exit(1);
- }
-
- krb5_use_enctype(context, &master_encblock, master_keyblock.enctype);
-
- if (retval = krb5_db_set_name(context, dbname)) {
- com_err(argv[0], retval, "while setting active database to '%s'",
- dbname);
- exit(1);
- }
- if (!realm) {
- if (retval = krb5_get_default_realm(context, &realm)) {
- com_err(argv[0], retval, "while retrieving default realm name");
- exit(1);
- }
- }
-
- /* assemble & parse the master key name */
-
- if (retval = krb5_db_setup_mkey_name(context, mkey_name, realm,
- &mkey_fullname, &master_princ)) {
- com_err(argv[0], retval, "while setting up master key name");
- exit(1);
- }
-
- if (retval = krb5_db_init(context)) {
- com_err(argv[0], retval, "while initializing the database '%s'",
- dbname);
- exit(1);
- }
-
- /* TRUE here means read the keyboard, but only once */
- if (retval = krb5_db_fetch_mkey(context, master_princ, &master_encblock,
- TRUE, FALSE, (char *) NULL,
- 0, &master_keyblock)) {
- com_err(argv[0], retval, "while reading master key");
- (void) krb5_db_fini(context);
- exit(1);
- }
- if (retval = krb5_db_verify_master_key(context, master_princ,
- &master_keyblock,&master_encblock)) {
- com_err(argv[0], retval, "while verifying master key");
- (void) krb5_db_fini(context);
- exit(1);
- }
- if (retval = krb5_db_store_mkey(context, keyfile, master_princ,
- &master_keyblock)) {
- com_err(argv[0], errno, "while storing key");
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- (void) krb5_db_fini(context);
- exit(1);
- }
- memset((char *)master_keyblock.contents, 0, master_keyblock.length);
- if (retval = krb5_db_fini(context)) {
- com_err(argv[0], retval, "closing database '%s'", dbname);
- exit(1);
- }
-
- exit(0);
-}
projects / krb5.git / commitdiff