+2003-12-11 Sam Hartman <hartmans@mit.edu>
+
+ * configure.in (DO_ALL): Don't build v4server on v5passwdd
+
2003-08-29 Ken Raeburn <raeburn@mit.edu>
* configure.in: Call KRB5_AC_NEED_DAEMON instead of checking
myfulldir=kadmin
mydir=.
BUILDTOP=$(REL)..
-LOCAL_SUBDIRS = cli dbutil passwd ktutil server @V4SERVER@ v5passwdd testing
+LOCAL_SUBDIRS = cli dbutil passwd ktutil server @ testing
all::
DO_ALL=tcl
fi
AC_SUBST(DO_ALL)
-dnl See if we should build v4server
-if test -z "$KRB4_LIB"; then
-V4SERVER=""
-else
-V4SERVER=v4server
-fi
-AC_SUBST(V4SERVER)
-dnl
KRB5_BUILD_PROGRAM
dnl
K5_GEN_FILE(testing/scripts/env-setup.sh:testing/scripts/env-setup.shin)
-V5_AC_OUTPUT_MAKEFILE(. cli dbutil passwd passwd/unit-test ktutil server v4server v4server/unit-test v5passwdd testing testing/scripts testing/util)
+V5_AC_OUTPUT_MAKEFILE(. cli dbutil passwd passwd/unit-test ktutil server testing testing/scripts testing/util)
+++ /dev/null
-2003-02-08 Tom Yu <tlyu@mit.edu>
-
- * admin_server.c (kadm_listen): Zero sa_flags to avoid wonkiness.
-
-2003-01-09 Ken Raeburn <raeburn@mit.edu>
-
- * admin_server.c (kadm_listen): Use socklen_t when passing address
- to socket functions.
-
-2003-01-07 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.ov: Deleted.
-
-2003-01-05 Sam Hartman <hartmans@mit.edu>
-
- * admin_server.c (kadm_listen): Remove declaration of errno
-
- * acl_files.c: Remove declaration of errno
-
-2002-11-26 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in (OBJS): Remove kadm_stream.o and kadm_err.o. Also,
- remove references to kadm_err.et.
-
- * kadm_err.et: Remove. It lives in lib/krb4 now.
-
- * kadm_server.h: Remove some prototypes that were moved to
- kadm.h.
-
- * kadm_stream.c: Remove. It lives in lib/krb4 now.
-
-2002-11-01 Tom Yu <tlyu@mit.edu>
-
- * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
- buffer overflow.
-
-2002-08-29 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in: Revert $(S)=>/ change, for Windows support.
-
-2002-08-23 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
-
-2002-08-13 Tom Yu <tlyu@mit.edu>
-
- * acl_files.c (canon;): Properly handle appending of the local
- realm, which was botched due to a buffer-overflow patch.
-
-2001-11-19 Ezra Peisach <epeisach@mit.edu>
-
- * kadm_server.h: Update prototype for convert_kadm5_to_kadm.
-
- * admin_server.c (process_client): Do not assign negative value to
- unsigned variable.
- (convert_kadm5_to_kadm): Return krb5_int32 instead of krb5_ui_4 to
- be compatible with error codes.
-
-2001-07-09 Ezra Peisach <epeisach@mit.edu>
-
- * admin_server.c: Provide prototype for do_child and declare static.
-
-2001-07-01 Ezra Peisach <epeisach@mit.edu>
-
- * kadm_server.h: Add prototypes for missing acl_ functions.
-
- * admin_server.c, kadm_func.c: Declare functions static that are
- local to file.
-
- * acl_files.c: Include kadm_server.h for prototypes. Flush out
- static prototype for acl_abort.
-
- * kadm_supp.c: Include kadm_server.h for prototypes.
-
-2001-06-21 Ezra Peisach <epeisach@mit.edu>
-
- * kadm_supp.c (prin_vals): Pass time_t * to localtime instead of
- long *.
-
-2001-06-18 Ezra Peisach <epeisach@mit.edu>
-
- * kadm_funcs.c: Cast argument to isalnum()/isdigit() to int.
-
- * acl_files.c (nuke_whitespace): Cast argument to isspace() to int.
-
-2001-06-11 Ezra Peisach <epeisach@rna.mit.edu>
-
- * kadm_supp.c: Include string.h for strncpy() prototype.
-
-2001-06-08 Ezra Peisach <epeisach@mit.edu>
-
- * kadm_ser_wrap.c: Argument to quad_cksum is C_Block * - not C_Block.
- (kadm_ser_init): Declare as returning int.
-
-2001-06-07 Ezra Peisach <epeisach@mit.edu>
-
- * acl_files.c, admin_server.c, kadm_funcs.c, kadm_ser_wrap.c:
- Explicitly declare function return types and cleanup assignments
- in conditionals.
-
- * kadm_server.c: Include kadm_server.h and cleanup assignments in
- conditionals.
-
- * kadm_server.h: Include kadm5/admin.h, kadm.h, krb_db.h for
- structure defintions so that many prototypes may be added to this
- file.
-
- * kadm_stream.c: Include kadm_server.h for prototypes. Explicitly
- declare functions as ints.
- (stream_to_vals) Assumption made that pointer to long the same
- size as krb5_ui_4 fixed.
-
- * kadm_supp.c: Include sys/param.h early so that MAXHOSTNAMELEN is
- not defined by kadm.h and later redefined. In prin_vals(),
- key_high and key_low elements of the Kadm_vals structure are longs
- - use an appropriate format to printf.
-
-2001-06-04 Ezra Peisach <epeisach@rna.mit.edu>
-
- * kadm_ser_wrap.c, kadm_server.c: Cleanup assignments in conditionals.
-
-2000-10-23 Tom Yu <tlyu@mit.edu>
-
- * kadm_ser_wrap.c (kadm_ser_in): Update call to mk_priv().
-
-2000-10-10 Tom Yu <tlyu@mit.edu>
-
- * kadm_funcs.c: Call life_to_time() and time_to_life() as
- appropriate.
-
-2000-07-03 Ezra Peisach <epeisach@mit.edu>
-
- * Makefile.in: kadmin4d depends on the kdb5 lib.
-
-2000-05-23 Ken Raeburn <raeburn@mit.edu>
-
- * admin_server.c (main, case 'r'): Reject realm name that's too
- long.
-
- * acl_files.c (acl_load): Return error if name too long.
-
- * kadm_err.et (KADM_REALM_TOO_LONG): New error code.
- * kadm_ser_wrap.c (kadm_ser_init): Return it instead of truncating
- a too-long realm name.
-
-2000-05-23 Nalin Dahyabhai <nalin@redhat.com>
-
- * acl_files.c (acl_canonicalize_principal): If the principal name
- would be too long, return a zero-length string to mark it as invalid.
- (acl_load): Don't add the principal to the hash if it's invalid.
- (acl_add): Don't check the principal if it's invalid.
- (acl_delete): Don't try to delete the principal if it's invalid.
-
- * kadm_ser_wrap.c (kadm_ser_init): Truncate "server_parm.krbrlm"
- if "realm" is too long.
-
-2000-05-23 Tom Yu <tlyu@mit.edu>
-
- * kadm_server.c (kadm_ser_cpw): Add new arg to call to
- chpass_principal_util().
-
-1999-10-26 Wilfredo Sanchez <tritan@mit.edu>
-
- * Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
- LOCAL_INCLUDES such that one can override CFLAGS from the command
- line without losing CPP search patchs and defines. Some associated
- Makefile cleanup.
-
-Tue Jan 12 18:26:48 1999 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in (CFLAGS): PW_CHECK functionality now in DEFS.
-
-1998-11-13 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Set the myfulldir and mydir variables (which are
- relative to buildtop and thisconfigdir, respectively.)
-
-1998-10-27 Marc Horowitz <marc@mit.edu>
-
- * admin_server.c, kadm_funcs.c, kadm_ser_wrap.c, kadm_server.h:
- convert to new crypto api
-
-Fri Jul 31 18:17:16 1998 Tom Yu <tlyu@mit.edu>
-
- * kadm_ser_wrap.c (kadm_ser_init): Remove references to
- master_encblock, as it's no longer needed in the new crypto API,
- adjusting kdb calls accordingly. Also punt calls to use_enctype,
- process_key, etc.
-
- * admin_server.c (clear_secrets): Remove references to
- master_encblock, due to new crypto API.
-
-Mon Jul 20 11:20:32 1998 Ezra Peisach <epeisach@mit.edu>
-
- * acl_files.c: Include stdlib.h if present.
-
-Thu Jul 9 21:52:41 1998 Tom Yu <tlyu@mit.edu>
-
- * kadm_server.c (kadm_ser_cpw): Re-enable "old-style" password
- changing. Yes, it's potentially a problem due to lack of quality
- checking, but we'll live with that because we can use
- key-hash-based checks too.
-
-Wed Jul 8 01:32:52 1998 Theodore Y. Ts'o <tytso@mit.edu>
-
- * kadm_ser_wrap.c (kadm_ser_init): Use krb5_425_conv_principal
- instead of krb5_build_principal to create the changepw
- sprinc principal.
-
-Fri Jul 3 18:17:48 1998 Theodore Y. Ts'o <tytso@mit.edu>
-
- * Makefile.in (build_pwfile): Add rule to build the build_pwfile
- program.
-
- * kadm_server.c (kadm_ser_cpw): Put the call to the
- kadm_approve_pw in the common code, so it's executed even
- if KADM5 is defined. Add appropriate syslogs to the
- change password processing.
-
- * kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do
- the NDBM-based dictionary check. Build kadmind4 using
- the make option PW_CHECK=-DNDBM_PW_CHECK if this feature
- is desired.
-
-1998-05-08 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * kadm_server.c (krb_log): Print the year using 4 digit to avoid
- Y2K issues.
-
-1998-05-06 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * admin_server.c (argv): POSIX states that getopt returns -1
- when it is done parsing options, not EOF.
-
-Fri Feb 27 23:32:38 1998 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Changed thisconfigdir to point at the kadmin
- directory, since we've moved all of the configure.in
- tests to the toplevel kadmin configure.in
-
-Wed Feb 18 16:00:59 1998 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in: Remove trailing slash from thisconfigdir. Fix up
- BUILDTOP for new conventions.
-
-Mon Feb 2 17:02:29 1998 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile
-
-Thu Oct 23 13:07:01 1997 Ezra Peisach <epeisach@mit.edu>
-
- * kadm_server.h: Declare kadm_context as extern so it will not be
- multiply defined in all source files.
-
-Wed Aug 6 20:27:27 1997 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in: Add support for compiling with Hesiod.
-
-Fri Jul 25 15:49:58 1997 Tom Yu <tlyu@mit.edu>
-
- * kadm_funcs.c: Remove mention of dbm for now. It should probably
- be added back later to deal with dbm-hashed passwd files.
-
-Tue Jul 1 02:38:50 1997 Tom Yu <tlyu@mit.edu>
-
- * kadm_funcs.c, kadm_server.c, kadm_ser_wrap.c: Reenable mod and
- check_pw.
-
- * kadm_funcs.c, kadm_server.c, kadm_ser_wrap.c: Reenable get and
- add.
-
-Wed Jun 18 18:38:45 1997 Tom Yu <tlyu@mit.edu>
-
- * kadm_funcs.c (kadm_chg_srvtab): Remove extraneous macros that
- were elaborate contortions to avoid using goto.
-
-Mon May 26 22:44:21 1997 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in (OBJS): Build kadm_funcs.c again.
-
- * kadm_funcs.c: Re-enable kadm_chg_srvtab() and update it to use
- the new kadm5 interface.
-
- * kadm_ser_wrap.c: Re-enable kadm_ser_stab().
-
- * kadm_server.c: Re-enable kadm_ser_stab().
-
-Tue May 13 20:21:21 1997 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in:
- * admin_server.c:
- * kadm_server.c:
- * kadm_ser_wrap.c: Convert to use new kadm5 API; this still needs
- work to remove references to krb5_db and to regain full v4 kadmind
- functionality (or as much as is possible).
-
-Tue Feb 18 09:59:59 1997 Ezra Peisach <epeisach@mit.edu>
-
- * acl_files.c: Do not declare malloc() or calloc() if stdlib.h exists.
-
-Thu Feb 6 14:49:45 1997 Tom Yu <tlyu@voltage-multiplier.mit.edu>
-
- * Makefile.in (LOCALINCLUDE): Repair lack of -I. and -I$(srcdir)
-
-Tue Feb 4 21:23:16 1997 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in:
- * configure.in: Update to new program build procedure.
-
-Fri Nov 22 15:49:27 1996 unknown <bjaspan@mit.edu>
-
- * kadm_ser_wrap.c (endif ): use sizeof instead of h_length to
- determine number of bytes of addr to copy from DNS response
- [krb5-misc/211]
-
-Wed Nov 13 19:24:00 1996 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in (clean): Remove kadm_err.h and kadm_err.c.
-
-Fri Nov 8 17:27:20 1996 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * admin_server.c (argv): Check the error return from
- krb5_init_context(), and print an error message if
- necessary.
-
-Mon Oct 21 17:20:32 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * admin_server.c: use params.admin_keytab instead of a hard-coded
- value [krb5-admin/30]
-
-Thu Sep 26 17:54:33 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * admin_server.c (process_client): allow keytab to be specified on
- command line; default is still wrong
-
-Mon Sep 23 15:36:41 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * configure.in: add unit-test subdir
-
-Wed Jul 31 17:53:45 1996 Tom Yu <tlyu@mit.edu>
-
- * kadm_ser_wrap.c: Remove #include <sys/socket.h>, <netdb.h>
- because k5-int.h already grabs it if NEED_SOCKETS is
- defined.
-
- * admin_server.c: Remove #include <sys/socket.h> because k5-int.h
- already grabs it if NEED_SOCKETS is defined.
-
-Thu Jul 18 19:46:49 1996 Marc Horowitz <marc@mit.edu>
-
- * configure.in: removed ET_RULES, replaced with AC_PROG_AWK
-
-Tue Jul 9 17:18:56 1996 Marc Horowitz <marc@mit.edu>
-
- * kadm_stream.c: rename HAS_STDLIB_H to HAVE_STDLIB_H to conform
- to the autoconf convention
- * configure.in: the old configure.in seemed to be written for some
- other directory. Now it's right.
- * admin_server.c, kadm_ser_wrap.c, kadm_server.c: renamed
- <ovsec_admin/foo.h> to <kadm5/foo.h>
- * Makefile.in: complete rewrite.
-
-Thu Mar 21 20:33:43 1996 Richard Basch <basch@lehman.com>
-
- * kadm_funcs.c: new principals were being created with two keys,
- one of which the key_data_ver=0 and had no valid data.
-
-Tue Mar 19 19:42:37 1996 Richard Basch <basch@lehman.com>
-
- * kadm_funcs.c:
- changed all references of des-cbc-md5 to des-cbc-crc
- fixed uninitialized variable
- set kvno modulo 256 in database
-
-Wed Feb 21 23:34:31 1996 Richard Basch <basch@lehman.com>
-
- * kadm_funcs.c: Initialize the length element of the krb5_db_entry
- structure in kadm_princ2entry (add_entry was failing).
-
-Wed Dec 13 03:51:53 1995 Chris Provenzano (proven@mit.edu)
-
- * kadm_funcs.c : Remove mkvno for krb5_db_entry
-
-Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu)
-
- * admin_server.c, kadm_funcs.c kadm_ser_wrap.c :
- s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g
-
-Tue Sep 05 22:10:34 1995 Chris Provenzano (proven@mit.edu)
-
- * admin_server.c, kadm_funcs.c, kadm_ser_wrap.c : Remove krb5_enctype
- references, and replace with krb5_keytype where appropriate.
-
-Tue Aug 15 14:31:37 EDT 1995 Paul Park (pjpark@mit.edu)
- * admin_server,kadm_funcs,kadm_ser_wrap.c - Replace kadm_find_keytype()
- with krb5_dbe_find_keytype().
-
-
-Thu Aug 10 14:48:26 EDT 1995 Paul Park (pjpark@mit.edu)
- * kadm_funcs.c - Add kadm_find_keytype() to find a particular key/salt
- pair. Use this to find keys instead of assuming that the
- right one's in the first slot.
- Fix transposed arguments to strncpy().
- Handle mod_princ_data stuff.
- Supply saltblock to encrypt_key_data().
- * admin_server, kadm_ser_wrap.c - Use kadm_find_keytype() to find keys.
-
-
-Mon Aug 7 13:30:46 EDT 1995 Paul Park (pjpark@mit.edu)
- * admin_server,kadm_funcs,kadm_ser_wrap.c - Brute force substitutions
- to get this to compile.
-
-
-Mon Jul 17 15:12:30 EDT 1995 Paul Park (pjpark@mit.edu)
- * kadm_ser_wrap.c - Add NULL stash file argument to krb5_db_fetch_mkey.
-
-
-Fri Jul 7 16:05:11 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Remove all explicit library handling and LDFLAGS.
- * configure.in - Add USE_<mumble> and KRB5_LIBRARIES.
-
-
-Tue Jun 27 16:05:27 EDT 1995 Paul Park (pjpark@mit.edu)
- * acl_files.c - Change check for return value from fputs(3) from NULL
- to EOF. That's what's returned on error.
- * admin_server.c - Cast 4th argument of setsockopt(2) to be const char *
- * kadm_funcs.c - Cast argument to ctime(3)
- * kadm_server.c - Cast first argument to strcpy(3) and strcat(3).
-
-Tue Jun 20 14:44:54 1995 Tom Yu (tlyu@dragons-lair)
-
- * configure.in: add tests for TIME_WITH_SYS_TIME and sys/time.h
-
-Thu Jun 15 17:52:29 EDT 1995 Paul Park (pjpark@mit.edu)
- * Makefile.in - Change explicit library names to -l<lib> form, and
- change target link line to use $(LD) and associated flags.
- Also, for K4, use KRB4_LIB and KRB4_CRYPTO_LIB, these were
- split out.
- * configure.in - Add shared library usage check.
-
-Fri Jun 9 19:07:25 1995 <tytso@rsx-11.mit.edu>
-
- * configure.in: Remove standardized set of autoconf macros, which
- are now handled by CONFIG_RULES.
-
-Fri Jun 9 06:49:36 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kadm_stream.c (vts_long, stv_long): Change u_long to krb5_ui_4
-
- * kadm_server.c (kadm_ser_ckpw): Change u_long to krb5_ui_4
-
- * kadm_ser_wrap.c (errpkt, kadm_ser_in): Change u_long to krb5_ui_4
-
- * kadm_funcs.c (kadm_add_entry): Change u_long to krb5_ui_4
-
- * admin_server.c (process_client): Change u_long to krb5_ui_4
-
-Sat May 20 22:33:58 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * kadm_stream.c: Based on presence of stdlib.h, include or declare
- malloc.
-
- * configure.in: Check for stdlib.h
-
-Sun May 7 13:49:54 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * admin_server.c: Avoid warning of redeclaring POSIX_SIGNALS if
- already defined.
-
-Sat Apr 29 00:34:01 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * admin_server.c (kadm_listen): Use Posix sigaction() instead of
- signal() to set signal handlers. This allows us not to
- worry about System V signal semantics. Make the code use
- POSIX_SIGNALS by default.
-
-Fri Apr 28 18:08:05 1995 Mark Eichin <eichin@cygnus.com>
-
- * Makefile.in (KLIB): put KRB4_LIB inside KLIB.
-
-Thu Apr 27 13:53:41 1995 Mark Eichin <eichin@cygnus.com>
-
- * Makefile.in (v4kadmind): use KRB4_LIB directly.
-
-Thu Apr 20 23:21:42 1995 Theodore Y. Ts'o (tytso@dcl)
-
- * kadm_funcs.c: Don't #include <ndbm.h>, since that's
- automatically included by k5-config.h
-
-Thu Apr 20 15:26:48 1995 Ezra Peisach (epeisach@kangaroo.mit.edu)
-
- * kadm_server.c (kadm_ser_cpw, kadm_ser_ckpw): krb_int32 should be
- krb5_int32.
-
- * acl_files.c: Declare acl_abort as static at top of file.
-
-Sun Apr 16 19:10:17 1995 Mark Eichin <eichin@cygnus.com>
-
- * kadm_server.c (kadm_ser_cpw, kadm_ser_ckpw): use krb_int32, not
- long, for network 4 byte quantities. Should get rid of the
- use of memcpy at some point.
-
-Sat Mar 25 16:59:55 1995 Mark Eichin <eichin@cygnus.com>
-
- * kadm_funcs.c (kadm_entry2princ): pass kadm_context in to
- krb5_524_conv_principal.
-
-Tue Mar 14 16:45:18 1995 <tytso@rsx-11.mit.edu>
-
- * Makefile.in: Don't link in the V4 DES library; use the des425
- library to avoid linking the DES code in twice.
-
-Thu Mar 2 12:25:13 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * Makefile.in (ISODELIB): Remove reference to $(ISODELIB).
-
-Wed Mar 1 16:30:08 1995 Theodore Y. Ts'o <tytso@dcl>
-
- * kadm_server.c: Remove declataions of malloc(); should be done by
- header files.
-
- * configure.in: Remove ISODE_INCLUDE, replace check for -lsocket
- and -lnsl with WITH_NETLIB check.
-
-Tue Feb 28 02:24:56 1995 John Gilmore (gnu at toad.com)
-
- * admin_server.c, kadm_server.c, kadm-server.h: Avoid
- <krb5/...> includes.
-
-Tue Feb 7 16:42:54 1995 Mark Eichin <eichin@cygnus.com>
-
- * kadm_funcs.c (kadm_del_entry): fixed call to db_delete_principal.
-
-Wed Jan 25 18:42:42 1995 Mark Eichin (eichin@tweedledumber.cygnus.com)
-
- * kadm_server.h (DEL_ACL_FILE): new define, acl file for V4 delete
- function.
- * kadm_server.c (kadm_ser_add): new function, wrapper for V4 delete.
- * kadm_funcs.c (check_access): declare int; add DEL.
- (kadm_del_entry): new function, V4 delete from CNS.
- (failadd): fix spelling error in log entry.
-
-Mon Dec 12 13:21:48 1994 Mark Eichin (eichin@cygnus.com)
-
- * kadm_funcs.c (kadm_entry2princ, kadm_princ2entry,
- kadm_chg_srvtab): V4 and V5 max_life are in *different units* so
- use the 60*5 conversion factor.
-
-Fri Nov 18 15:51:11 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * kadm_funcs.c (kadm_add_entry, kadm_mod_entry, kadm_change): Add
- magic numbers of keyblock structre.
-
-Fri Nov 18 01:11:58 1994 Mark Eichin <eichin@cygnus.com>
-
- * configure.in: use CHECK_SIGNALS instead of expansion (from
- epeisach).
-
-Wed Oct 19 18:53:45 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * kadm_ser_wrap.c (kadm_ser_init): Use krb5_use_cstype() to
- initialize the master_encblock structure.
-
-Thu Sep 29 22:41:20 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * Makefile.in: relink executable if libraries change
-
-Thu Sep 15 10:53:37 1994 Theodore Y. Ts'o (tytso@dcl)
-
- * admin_server.c (close_syslog, byebye): Move these two functions
- before main(), so that they get declared properly. Otherwise
- suncc will refuse to compile the file.
-
- * kadm_funcs.c (kadm_add_entry, kadm_mod_entry, kadm_change,
- kadm_chg_srvtab): use krb5_timeofday instead of time(0).
-
-Thu Aug 4 16:37:33 1994 Tom Yu (tlyu@dragons-lair)
-
- * admin_server.c: pick up <sys/time.h> (needed to get FD_SET,
- etc.)
-
-Sat Jul 16 09:21:22 1994 Tom Yu (tlyu at dragons-lair)
-
- * Makefile.in: no longer trying to install v4kadmind as krb5kdc
- :-)
- * configure.in: another try at making dbm libs dtrt
-
-Wed Jun 29 00:24:28 1994 Tom Yu (tlyu at dragons-lair)
-
- * admin_server.c: fixed calls that should have invoked
- krb5_init_ets
-
-Sat Jun 25 09:07:48 1994 Tom Yu (tlyu at dragons-lair)
-
- * kadm_ser_wrap.c: fixed lack of a terminal 0 in a call to
- krb5_build_principal
-
+++ /dev/null
-thisconfigdir=./..
-myfulldir=kadmin/v4server
-mydir=v4server
-BUILDTOP=$(REL)..$(S)..
-DEFINES = -DKADM5 -DNEED_SOCKETS @HESIOD_DEFS@
-PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
-PROG_RPATH=$(KRB5_LIBDIR)
-LOCAL_SUBDIRS = unit-test
-
-HESIOD_LIBS=@HESIOD_LIBS@
-
-LOCALINCLUDES = $(KRB4_INCLUDES) -I. -I$(srcdir)
-
-PROG = kadmind4
-OBJS = kadm_server.o admin_server.o kadm_ser_wrap.o \
- kadm_funcs.o kadm_supp.o acl_files.o
-
-all:: $(PROG)
-
-$(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(KDB5_DEPLIBS) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(KDB5_LIBS) \
- $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
-
-build_pwfile: build_pwfile.o $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o build_pwfile build_pwfile.o $(DB_LIB) \
- $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
-
-install::
- $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG)
-
-clean::
- $(RM) $(PROG) $(OBJS) build_pwfile build_pwfile.o
- $(RM) kadm_err.h kadm_err.c
+++ /dev/null
-/*
- * kadmin/v4server/acl_files.c
- *
- * Copyright 1987,1989 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- */
-
-
-/*** Routines for manipulating access control list files ***/
-
-#include <stdio.h>
-#include <string.h>
-#ifdef HAVE_STDLIB_H
-#include <stdlib.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <sys/types.h>
-#include <sys/file.h>
-#include <sys/stat.h>
-#include <errno.h>
-#include <ctype.h>
-#include <fcntl.h>
-#include "krb.h"
-#include "kadm_server.h"
-
-#ifndef KRB_REALM
-#define KRB_REALM "ATHENA.MIT.EDU"
-#endif
-
-/* "aname.inst@realm" */
-#define MAX_PRINCIPAL_SIZE (ANAME_SZ + INST_SZ + REALM_SZ + 3)
-#define INST_SEP '.'
-#define REALM_SEP '@'
-
-#define LINESIZE 2048 /* Maximum line length in an acl file */
-
-#define NEW_FILE "%s.~NEWACL~" /* Format for name of altered acl file */
-#define WAIT_TIME 300 /* Maximum time allowed write acl file */
-
-#define CACHED_ACLS 8 /* How many acls to cache */
- /* Each acl costs 1 open file descriptor */
-#define ACL_LEN 16 /* Twice a reasonable acl length */
-
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#define MIN(a,b) (((a)<(b))?(a):(b))
-
-#define COR(a,b) ((a!=NULL)?(a):(b))
-
-
-#ifndef HAVE_STDLIB_H
-extern char *malloc(), *calloc();
-#endif
-
-extern time_t time();
-
-static int acl_abort(char *, FILE *);
-
-/* Canonicalize a principal name */
-/* If instance is missing, it becomes "" */
-/* If realm is missing, it becomes the local realm */
-/* Canonicalized form is put in canon, which must be big enough to hold
- MAX_PRINCIPAL_SIZE characters */
-void acl_canonicalize_principal(principal, canon)
-char *principal;
-char *canon;
-{
- char *dot, *atsign, *end, *canon_save = canon;
- char realm[REALM_SZ];
- int len;
-
- dot = strchr(principal, INST_SEP);
- atsign = strchr(principal, REALM_SEP);
-
- /* Maybe we're done already */
- if(dot != NULL && atsign != NULL) {
- if(dot < atsign) {
- /* It's for real */
- /* Copy into canon */
- strncpy(canon, principal, MAX_PRINCIPAL_SIZE);
- canon[MAX_PRINCIPAL_SIZE-1] = '\0';
- return;
- } else {
- /* Nope, it's part of the realm */
- dot = NULL;
- }
- }
-
- /* No such luck */
- end = principal + strlen(principal);
-
- /* Get the principal name */
- len = MIN(ANAME_SZ, COR(dot, COR(atsign, end)) - principal);
- if(canon + len < canon_save + MAX_PRINCIPAL_SIZE) {
- strncpy(canon, principal, len);
- canon += len;
- } else {
- strcpy(canon, "");
- return;
- }
-
- /* Add INST_SEP */
- if(canon + 1 < canon_save + MAX_PRINCIPAL_SIZE) {
- *canon++ = INST_SEP;
- } else {
- strcpy(canon, "");
- return;
- }
-
- /* Get the instance, if it exists */
- if(dot != NULL) {
- ++dot;
- len = MIN(INST_SZ, COR(atsign, end) - dot);
- if(canon + len < canon_save + MAX_PRINCIPAL_SIZE) {
- strncpy(canon, dot, len);
- canon += len;
- } else {
- strcpy(canon, "");
- return;
- }
- }
-
- /* Add REALM_SEP */
- *canon++ = REALM_SEP;
-
- /* Get the realm, if it exists */
- /* Otherwise, default to local realm */
- if(atsign != NULL) {
- ++atsign;
- len = MIN(REALM_SZ, end - atsign);
- if(canon + len + 1 < canon_save + MAX_PRINCIPAL_SIZE) {
- strncpy(canon, atsign, len);
- canon += len;
- *canon++ = '\0';
- } else {
- strcpy(canon, "");
- return;
- }
- } else if(krb_get_lrealm(realm, 1) != KSUCCESS) {
- if(canon + strlen(KRB_REALM) < canon_save + MAX_PRINCIPAL_SIZE) {
- strcpy(canon, KRB_REALM);
- } else {
- strcpy(canon, "");
- return;
- }
- } else {
- if (canon + strlen(realm) < canon_save + MAX_PRINCIPAL_SIZE) {
- strcpy(canon, realm);
- } else {
- strcpy(canon, "");
- return;
- }
- }
-}
-
-/* Get a lock to modify acl_file */
-/* Return new FILE pointer */
-/* or NULL if file cannot be modified */
-/* REQUIRES WRITE PERMISSION TO CONTAINING DIRECTORY */
-static FILE *acl_lock_file(acl_file)
-char *acl_file;
-{
- struct stat s;
- char new[LINESIZE];
- int nfd;
- FILE *nf;
- int mode;
-
- if(stat(acl_file, &s) < 0) return(NULL);
- mode = s.st_mode;
- sprintf(new, NEW_FILE, acl_file);
- for(;;) {
- /* Open the new file */
- if((nfd = open(new, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0) {
- if(errno == EEXIST) {
- /* Maybe somebody got here already, maybe it's just old */
- if(stat(new, &s) < 0) return(NULL);
- if(time(0) - s.st_ctime > WAIT_TIME) {
- /* File is stale, kill it */
- unlink(new);
- continue;
- } else {
- /* Wait and try again */
- sleep(1);
- continue;
- }
- } else {
- /* Some other error, we lose */
- return(NULL);
- }
- }
-
- /* If we got to here, the lock file is ours and ok */
- /* Reopen it under stdio */
- if((nf = fdopen(nfd, "w")) == NULL) {
- /* Oops, clean up */
- unlink(new);
- }
- return(nf);
- }
-}
-
-/* Commit changes to acl_file written onto FILE *f */
-/* Returns zero if successful */
-/* Returns > 0 if lock was broken */
-/* Returns < 0 if some other error occurs */
-/* Closes f */
-static int acl_commit(acl_file, f)
-char *acl_file;
-FILE *f;
-{
- char new[LINESIZE];
- int ret;
- struct stat s;
-
- sprintf(new, NEW_FILE, acl_file);
- if(fflush(f) < 0
- || fstat(fileno(f), &s) < 0
- || s.st_nlink == 0) {
- acl_abort(acl_file, f);
- return(-1);
- }
-
- ret = rename(new, acl_file);
- fclose(f);
- return(ret);
-}
-
-/* Abort changes to acl_file written onto FILE *f */
-/* Returns 0 if successful, < 0 otherwise */
-/* Closes f */
-static int acl_abort(acl_file, f)
-char *acl_file;
-FILE *f;
-{
- char new[LINESIZE];
- int ret;
- struct stat s;
-
- /* make sure we aren't nuking someone else's file */
- if(fstat(fileno(f), &s) < 0
- || s.st_nlink == 0) {
- fclose(f);
- return(-1);
- } else {
- sprintf(new, NEW_FILE, acl_file);
- ret = unlink(new);
- fclose(f);
- return(ret);
- }
-}
-
-/* Initialize an acl_file */
-/* Creates the file with permissions perm if it does not exist */
-/* Erases it if it does */
-/* Returns return value of acl_commit */
-int acl_initialize(acl_file, perm)
-char *acl_file;
-int perm;
-{
- FILE *new;
- int fd;
-
- /* Check if the file exists already */
- if((new = acl_lock_file(acl_file)) != NULL) {
- return(acl_commit(acl_file, new));
- } else {
- /* File must be readable and writable by owner */
- if((fd = open(acl_file, O_CREAT|O_EXCL, perm|0600)) < 0) {
- return(-1);
- } else {
- close(fd);
- return(0);
- }
- }
-}
-
-/* Eliminate all whitespace character in buf */
-/* Modifies its argument */
-static void nuke_whitespace(buf)
-char *buf;
-{
- register char *pin, *pout;
-
- for(pin = pout = buf; *pin != '\0'; pin++)
- if(!isspace((int) *pin)) *pout++ = *pin;
- *pout = '\0'; /* Terminate the string */
-}
-
-/* Hash table stuff */
-
-struct hashtbl {
- int size; /* Max number of entries */
- int entries; /* Actual number of entries */
- char **tbl; /* Pointer to start of table */
-};
-
-/* Make an empty hash table of size s */
-static struct hashtbl *make_hash(size)
-int size;
-{
- struct hashtbl *h;
-
- if(size < 1) size = 1;
- h = (struct hashtbl *) malloc(sizeof(struct hashtbl));
- h->size = size;
- h->entries = 0;
- h->tbl = (char **) calloc(size, sizeof(char *));
- return(h);
-}
-
-/* Destroy a hash table */
-static void destroy_hash(h)
-struct hashtbl *h;
-{
- int i;
-
- for(i = 0; i < h->size; i++) {
- if(h->tbl[i] != NULL) free(h->tbl[i]);
- }
- free(h->tbl);
- free(h);
-}
-
-/* Compute hash value for a string */
-static unsigned hashval(s)
-register char *s;
-{
- register unsigned hv;
-
- for(hv = 0; *s != '\0'; s++) {
- hv ^= ((hv << 3) ^ *s);
- }
- return(hv);
-}
-
-/* Add an element to a hash table */
-static void add_hash(h, el)
-struct hashtbl *h;
-char *el;
-{
- unsigned hv;
- char *s;
- char **old;
- int i;
-
- /* Make space if it isn't there already */
- if(h->entries + 1 > (h->size >> 1)) {
- old = h->tbl;
- h->tbl = (char **) calloc(h->size << 1, sizeof(char *));
- for(i = 0; i < h->size; i++) {
- if(old[i] != NULL) {
- hv = hashval(old[i]) % (h->size << 1);
- while(h->tbl[hv] != NULL) hv = (hv+1) % (h->size << 1);
- h->tbl[hv] = old[i];
- }
- }
- h->size = h->size << 1;
- free(old);
- }
-
- hv = hashval(el) % h->size;
- while(h->tbl[hv] != NULL && strcmp(h->tbl[hv], el)) hv = (hv+1) % h->size;
- s = (char *) malloc(strlen(el)+1);
- strcpy(s, el);
- h->tbl[hv] = s;
- h->entries++;
-}
-
-/* Returns nonzero if el is in h */
-static int check_hash(h, el)
-struct hashtbl *h;
-char *el;
-{
- unsigned hv;
-
- for(hv = hashval(el) % h->size;
- h->tbl[hv] != NULL;
- hv = (hv + 1) % h->size) {
- if(!strcmp(h->tbl[hv], el)) return(1);
- }
- return(0);
-}
-
-struct acl {
- char filename[LINESIZE]; /* Name of acl file */
- int fd; /* File descriptor for acl file */
- struct stat status; /* File status at last read */
- struct hashtbl *acl; /* Acl entries */
-};
-
-static struct acl acl_cache[CACHED_ACLS];
-
-static int acl_cache_count = 0;
-static int acl_cache_next = 0;
-
-/* Returns < 0 if unsuccessful in loading acl */
-/* Returns index into acl_cache otherwise */
-/* Note that if acl is already loaded, this is just a lookup */
-static int acl_load(name)
-char *name;
-{
- int i;
- FILE *f;
- struct stat s;
- char buf[MAX_PRINCIPAL_SIZE];
- char canon[MAX_PRINCIPAL_SIZE];
-
- /* See if it's there already */
- for(i = 0; i < acl_cache_count; i++) {
- if(!strcmp(acl_cache[i].filename, name)
- && acl_cache[i].fd >= 0) goto got_it;
- }
-
- /* It isn't, load it in */
- /* maybe there's still room */
- if(acl_cache_count < CACHED_ACLS) {
- i = acl_cache_count++;
- } else {
- /* No room, clean one out */
- i = acl_cache_next;
- acl_cache_next = (acl_cache_next + 1) % CACHED_ACLS;
- close(acl_cache[i].fd);
- if(acl_cache[i].acl) {
- destroy_hash(acl_cache[i].acl);
- acl_cache[i].acl = (struct hashtbl *) 0;
- }
- }
-
- /* Set up the acl */
- if (strlen (name) >= sizeof (acl_cache[i].filename) - 1) {
- return -1;
- }
- strncpy(acl_cache[i].filename, name, sizeof(acl_cache[i].filename) - 1);
- acl_cache[i].filename[sizeof(acl_cache[i].filename) - 1] = '\0';
- if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
- /* Force reload */
- acl_cache[i].acl = (struct hashtbl *) 0;
-
- got_it:
- /*
- * See if the stat matches
- *
- * Use stat(), not fstat(), as the file may have been re-created by
- * acl_add or acl_delete. If this happens, the old inode will have
- * no changes in the mod-time and the following test will fail.
- */
- if(stat(acl_cache[i].filename, &s) < 0) return(-1);
- if(acl_cache[i].acl == (struct hashtbl *) 0
- || s.st_nlink != acl_cache[i].status.st_nlink
- || s.st_mtime != acl_cache[i].status.st_mtime
- || s.st_ctime != acl_cache[i].status.st_ctime) {
- /* Gotta reload */
- if(acl_cache[i].fd >= 0) close(acl_cache[i].fd);
- if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
- if((f = fdopen(acl_cache[i].fd, "r")) == NULL) return(-1);
- if(acl_cache[i].acl) destroy_hash(acl_cache[i].acl);
- acl_cache[i].acl = make_hash(ACL_LEN);
- while(fgets(buf, sizeof(buf), f) != NULL) {
- nuke_whitespace(buf);
- acl_canonicalize_principal(buf, canon);
- if(strlen(canon) > 0) {
- add_hash(acl_cache[i].acl, canon);
- }
- }
- fclose(f);
- acl_cache[i].status = s;
- }
- return(i);
-}
-
-/* Returns nonzero if it can be determined that acl contains principal */
-/* Principal is not canonicalized, and no wildcarding is done */
-int
-acl_exact_match(acl, principal)
-char *acl;
-char *principal;
-{
- int idx;
-
- return((idx = acl_load(acl)) >= 0
- && check_hash(acl_cache[idx].acl, principal));
-}
-
-/* Returns nonzero if it can be determined that acl contains principal */
-/* Recognizes wildcards in acl of the form
- name.*@realm, *.*@realm, and *.*@* */
-int
-acl_check(acl, principal)
-char *acl;
-char *principal;
-{
- char buf[MAX_PRINCIPAL_SIZE];
- char canon[MAX_PRINCIPAL_SIZE];
- char *realm, *tmp;
-
- acl_canonicalize_principal(principal, canon);
-
- /* Is it an invalid principal name? */
- if(strlen(canon) == 0) return(0);
-
- /* Is it there? */
- if(acl_exact_match(acl, canon)) return(1);
-
- /* Try the wildcards */
- realm = strchr(canon, REALM_SEP);
- tmp = strchr(canon, INST_SEP);
- *tmp = '\0'; /* Chuck the instance */
-
- sprintf(buf, "%s.*%s", canon, realm);
- if(acl_exact_match(acl, buf)) return(1);
-
- sprintf(buf, "*.*%s", realm);
- if(acl_exact_match(acl, buf) || acl_exact_match(acl, "*.*@*")) return(1);
-
- return(0);
-}
-
-/* Adds principal to acl */
-/* Wildcards are interpreted literally */
-int
-acl_add(acl, principal)
-char *acl;
-char *principal;
-{
- int idx;
- int i;
- FILE *new;
- char canon[MAX_PRINCIPAL_SIZE];
-
- acl_canonicalize_principal(principal, canon);
-
- /* Is it an invalid principal name? */
- if(strlen(canon) == 0) return(-1);
-
- if((new = acl_lock_file(acl)) == NULL) return(-1);
- if((acl_exact_match(acl, canon))
- || (idx = acl_load(acl)) < 0) {
- acl_abort(acl, new);
- return(-1);
- }
- /* It isn't there yet, copy the file and put it in */
- for(i = 0; i < acl_cache[idx].acl->size; i++) {
- if(acl_cache[idx].acl->tbl[i] != NULL) {
- if(fputs(acl_cache[idx].acl->tbl[i], new) == EOF
- || putc('\n', new) != '\n') {
- acl_abort(acl, new);
- return(-1);
- }
- }
- }
- fputs(canon, new);
- putc('\n', new);
- return(acl_commit(acl, new));
-}
-
-/* Removes principal from acl */
-/* Wildcards are interpreted literally */
-int
-acl_delete(acl, principal)
-char *acl;
-char *principal;
-{
- int idx;
- int i;
- FILE *new;
- char canon[MAX_PRINCIPAL_SIZE];
-
- acl_canonicalize_principal(principal, canon);
-
- /* Is it an invalid principal name? */
- if(strlen(canon) == 0) return(-1);
-
- if((new = acl_lock_file(acl)) == NULL) return(-1);
- if((!acl_exact_match(acl, canon))
- || (idx = acl_load(acl)) < 0) {
- acl_abort(acl, new);
- return(-1);
- }
- /* It isn't there yet, copy the file and put it in */
- for(i = 0; i < acl_cache[idx].acl->size; i++) {
- if(acl_cache[idx].acl->tbl[i] != NULL
- && strcmp(acl_cache[idx].acl->tbl[i], canon)) {
- fputs(acl_cache[idx].acl->tbl[i], new);
- putc('\n', new);
- }
- }
- return(acl_commit(acl, new));
-}
+++ /dev/null
-PROTOTYPE ACL LIBRARY
-
-Introduction
-
-An access control list (ACL) is a list of principals, where each
-principal is is represented by a text string which cannot contain
-whitespace. The library allows application programs to refer to named
-access control lists to test membership and to atomically add and
-delete principals using a natural and intuitive interface. At
-present, the names of access control lists are required to be Unix
-filenames, and refer to human-readable Unix files; in the future, when
-a networked ACL server is implemented, the names may refer to a
-different namespace specific to the ACL service.
-
-
-Usage
-
-cc <files> -lacl -lkrb.
-
-
-
-Principal Names
-
-Principal names have the form
-
-<name>[.<instance>][@<realm>]
-
-e.g.
-
-asp
-asp.root
-asp@ATHENA.MIT.EDU
-asp.@ATHENA.MIT.EDU
-asp.root@ATHENA.MIT.EDU
-
-It is possible for principals to be underspecified. If instance is
-missing, it is assumed to be "". If realm is missing, it is assumed
-to be local_realm. The canonical form contains all of name, instance,
-and realm; the acl_add and acl_delete routines will always
-leave the file in that form. Note that the canonical form of
-asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU.
-
-
-Routines
-
-acl_canonicalize_principal(principal, buf)
-char *principal;
-char *buf; /*RETVAL*/
-
-Store the canonical form of principal in buf. Buf must contain enough
-space to store a principal, given the limits on the sizes of name,
-instance, and realm specified in /usr/include/krb.h.
-
-acl_check(acl, principal)
-char *acl;
-char *principal;
-
-Returns nonzero if principal appears in acl. Returns 0 if principal
-does not appear in acl, or if an error occurs. Canonicalizes
-principal before checking, and allows the ACL to contain wildcards.
-
-acl_exact_match(acl, principal)
-char *acl;
-char *principal;
-
-Like acl_check, but does no canonicalization or wildcarding.
-
-acl_add(acl, principal)
-char *acl;
-char *principal;
-
-Atomically adds principal to acl. Returns 0 if successful, nonzero
-otherwise. It is considered a failure if principal is already in acl.
-This routine will canonicalize principal, but will treat wildcards
-literally.
-
-acl_delete(acl, principal)
-char *acl;
-char *principal;
-
-Atomically deletes principal from acl. Returns 0 if successful,
-nonzero otherwise. It is consider a failure if principal is not
-already in acl. This routine will canonicalize principal, but will
-treat wildcards literally.
-
-acl_initialize(acl, mode)
-char *acl;
-int mode;
-
-Initialize acl. If acl file does not exist, creates it with mode
-mode. If acl exists, removes all members. Returns 0 if successful,
-nonzero otherwise. WARNING: Mode argument is likely to change with
-the eventual introduction of an ACL service.
-
-
-Known problems
-
-In the presence of concurrency, there is a very small chance that
-acl_add or acl_delete could report success even though it would have
-had no effect. This is a necessary side effect of using lock files
-for concurrency control rather than flock(2), which is not supported
-by NFS.
-
-The current implementation caches ACLs in memory in a hash-table
-format for increased efficiency in checking membership; one effect of
-the caching scheme is that one file descriptor will be kept open for
-each ACL cached, up to a maximum of 8.
+++ /dev/null
-/*
- * kadmin/v4server/admin_server.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Top-level loop of the kerberos Administration server
- */
-
-#include <mit-copyright.h>
-/*
- admin_server.c
- this holds the main loop and initialization and cleanup code for the server
-*/
-
-#ifdef _AIX
-#include <sys/select.h>
-#endif
-
-/* define it for now */
-#ifndef POSIX_SIGNALS
-#define POSIX_SIGNALS
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <signal.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifndef POSIX_SIGNALS
-#ifndef sigmask
-#define sigmask(m) (1 <<((m)-1))
-#endif
-#endif /* POSIX_SIGNALS */
-#include <sys/wait.h>
-#include <errno.h>
-#include <sys/time.h>
-#include <syslog.h>
-
-#ifdef KADM5
-#include <kadm5/admin.h>
-void *kadm5_handle;
-kadm5_config_params paramsin, paramsout;
-#endif
-
-#include "k5-int.h"
-#include <kadm.h>
-#include <kadm_err.h>
-#include <krb_db.h>
-#include "com_err.h"
-#include "kadm_server.h"
-
-#ifdef POSIX_SIGTYPE
-#define SIGNAL_RETURN return
-#else
-#define SIGNAL_RETURN return(0)
-#endif
-
-/* Almost all procs and such need this, so it is global */
-admin_params prm; /* The command line parameters struct */
-
-char prog[32]; /* WHY IS THIS NEEDED??????? */
-char *progname = prog;
-char *acldir = DEFAULT_ACL_DIR;
-char krbrlm[REALM_SZ];
-extern Kadm_Server server_parm;
-krb5_context kadm_context;
-int debug;
-
-static void cleanexit(int);
-static int kadm_listen(void);
-static void process_client(int, struct sockaddr_in *);
-static void kill_children(void);
-static krb5_sigtype do_child(int);
-
-
-/* close the system log file */
-static void close_syslog()
-{
- syslog(LOG_INFO, "Shutting down V4 admin server");
-}
-
-static void byebye() /* say goodnight gracie */
-{
- printf("Admin Server (kadm server) has completed operation.\n");
-}
-
-/*
-** Main does the logical thing, it sets up the database and RPC interface,
-** as well as handling the creation and maintenance of the syslog file...
-*/
-int
-main(argc, argv) /* admin_server main routine */
-int argc;
-char *argv[];
-{
- int errval;
- int c;
- char *lrealm;
- extern char *optarg;
- extern int fascist_cpw;
- krb5_error_code retval;
-
-#ifdef KADM5
- memset(¶msin, 0, sizeof(paramsin));
-#endif
-
- retval = krb5_init_context(&kadm_context);
- if (retval) {
- com_err(argv[0], retval, "while initializing krb5");
- exit(1);
- }
- initialize_kadm_error_table();
- prog[sizeof(prog)-1]='\0'; /* Terminate... */
- (void) strncpy(prog, argv[0], sizeof(prog)-1);
-
- /* initialize the admin_params structure */
- prm.sysfile = KADM_SYSLOG; /* default file name */
- prm.inter = 1;
-
- memset(krbrlm, 0, sizeof(krbrlm));
-
- fascist_cpw = 1; /* by default, enable fascist mode */
- while ((c = getopt(argc, argv, "Df:hnd:a:r:FNk:")) != -1)
- switch(c) {
- case 'D':
- debug++;
- break;
- case 'f': /* Syslog file name change */
- prm.sysfile = optarg;
- break;
- case 'n':
- prm.inter = 0;
- break;
- case 'a': /* new acl directory */
- acldir = optarg;
- break;
- case 'd':
-#ifdef KADM5
- paramsin.dbname = optarg;
- paramsin.mask |= KADM5_CONFIG_DBNAME;
-#else
- if (errval = krb5_db_set_name(kadm_context, optarg)) {
- com_err(argv[0], errval, "while setting dbname");
- exit(1);
- }
-#endif
- break;
- case 'F':
- fascist_cpw++;
- break;
- case 'N':
- fascist_cpw = 0;
- break;
- case 'r':
- if (strlen (optarg) + 1 > REALM_SZ) {
- com_err(argv[0], 0, "realm name `%s' too long", optarg);
- exit(1);
- }
- (void) strncpy(krbrlm, optarg, sizeof(krbrlm) - 1);
- break;
- case 'k':
-#ifdef KADM5
- paramsin.admin_keytab = optarg;
- paramsin.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
-#endif
- break;
- case 'h': /* get help on using admin_server */
- default:
- printf("Usage: admin_server [-h] [-n] [-F] [-N] [-r realm] [-d dbname] [-f filename] [-a acldir]\n");
- exit(-1); /* failure */
- }
-
- if (krbrlm[0] == 0) {
- errval = krb5_get_default_realm(kadm_context, &lrealm);
- if (errval) {
- com_err(argv[0], errval, "while attempting to get local realm");
- exit(1);
- }
- (void) strncpy(krbrlm, lrealm, sizeof(krbrlm) - 1);
- }
-
-#ifdef KADM5
- paramsin.realm = krbrlm;
- paramsin.mask |= KADM5_CONFIG_REALM;
-
- errval = kadm5_get_config_params(kadm_context, NULL, NULL,
- ¶msin, ¶msout);
- if (errval) {
- com_err(argv[0], errval, "while retrieving kadm5 params");
- exit(1);
- }
-
- errval = krb5_db_set_name(kadm_context, paramsout.dbname);
- if (errval) {
- com_err(argv[0], errval, "while setting dbname");
- exit(1);
- }
-#endif /* KADM5 */
-
- printf("KADM Server %s initializing\n",KADM_VERSTR);
- printf("Please do not use 'kill -9' to kill this job, use a\n");
- printf("regular kill instead\n\n");
-
-#ifdef KADM5
- printf("KADM Server starting in the KADM5 mode (%sprocess id %ld).\n",
- debug ? "" : "parent ", (long) getpid());
-#else
- printf("KADM Server starting in %s mode for the purposes for password changing\n\n", fascist_cpw ? "fascist" : "NON-FASCIST");
-#endif
-
- openlog(argv[0], LOG_CONS|LOG_NDELAY|LOG_PID, LOG_LOCAL6); /* XXX */
- syslog(LOG_INFO, "V4 admin server starting");
-
- errval = krb5_db_init(kadm_context); /* Open the Kerberos database */
- if (errval) {
- fprintf(stderr, "error: krb5_db_init() failed");
- close_syslog();
- byebye();
- exit(1);
- }
-
- errval = krb5_db_set_lockmode(kadm_context, TRUE);
- if (errval) {
- com_err(argv[0], errval, "while setting db to nonblocking");
- close_syslog();
- krb5_db_fini(kadm_context);
- byebye();
- exit(1);
- }
- /* set up the server_parm struct */
- if ((errval = kadm_ser_init(prm.inter, krbrlm
-#ifdef KADM5
- , ¶msout
-#endif
- ))==KADM_SUCCESS) {
- krb5_db_fini(kadm_context); /* Close the Kerberos database--
- will re-open later */
- errval = kadm_listen(); /* listen for calls to server from
- clients */
- }
- if (errval != KADM_SUCCESS) {
- fprintf(stderr,"error: %s\n",error_message(errval));
- krb5_db_fini(kadm_context); /* Close if error */
- }
- close_syslog(); /* Close syslog file, print
- closing note */
- byebye(); /* Say bye bye on the terminal
- in use */
- return 0;
-} /* procedure main */
-
-
-static void clear_secrets()
-{
- memset((char *)server_parm.master_keyblock.contents, 0,
- server_parm.master_keyblock.length);
- server_parm.mkvno = 0L;
- return;
-}
-
-static int exit_now = 0;
-
-static krb5_sigtype
-doexit(sig)
- int sig;
-{
- exit_now = 1;
- SIGNAL_RETURN;
-}
-
-unsigned pidarraysize = 0;
-int *pidarray = (int *)0;
-int unknown_child = 0;
-
-/*
-kadm_listen
-listen on the admin servers port for a request
-*/
-static int
-kadm_listen()
-{
- int found;
- int admin_fd;
- int peer_fd;
- fd_set mask, readfds;
- struct sockaddr_in peer;
- socklen_t addrlen;
- int pid;
-#ifdef POSIX_SIGNALS
- struct sigaction new_act;
-
- new_act.sa_handler = doexit;
- new_act.sa_flags = 0;
- sigemptyset(&new_act.sa_mask);
- sigaction(SIGINT, &new_act, 0);
- sigaction(SIGTERM, &new_act, 0);
- sigaction(SIGHUP, &new_act, 0);
- sigaction(SIGQUIT, &new_act, 0);
- sigaction(SIGALRM, &new_act, 0);
- new_act.sa_handler = SIG_IGN;
- sigaction(SIGPIPE, &new_act, 0);
- new_act.sa_handler = do_child;
- sigaction(SIGCHLD, &new_act, 0);
-#else
- signal(SIGINT, doexit);
- signal(SIGTERM, doexit);
- signal(SIGHUP, doexit);
- signal(SIGQUIT, doexit);
- signal(SIGPIPE, SIG_IGN); /* get errors on write() */
- signal(SIGALRM, doexit);
- signal(SIGCHLD, do_child);
-#endif
-
- if ((admin_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
- return KADM_NO_SOCK;
- if (debug) {
- int one = 1;
- if (setsockopt(admin_fd, SOL_SOCKET, SO_REUSEADDR, &one,
- sizeof(int)) < 0) {
- syslog(LOG_ERR, "setsockopt: %m");
- return KADM_NO_BIND;
- }
- }
- if (bind(admin_fd, (struct sockaddr *)&server_parm.admin_addr,
- sizeof(struct sockaddr_in)) < 0) {
- syslog(LOG_ERR, "bind: %m");
- return KADM_NO_BIND;
- }
- (void) listen(admin_fd, 1);
- FD_ZERO(&mask);
- FD_SET(admin_fd, &mask);
-
- for (;;) { /* loop nearly forever */
- if (exit_now) {
- clear_secrets();
- kill_children();
- return(0);
- }
- readfds = mask;
- if ((found = select(admin_fd+1,&readfds,(fd_set *)0,
- (fd_set *)0, (struct timeval *)0)) == 0)
- continue; /* no things read */
- if (found < 0) {
- if (errno != EINTR)
- syslog(LOG_ERR, "select: %s", error_message(errno));
- continue;
- }
- if (FD_ISSET(admin_fd, &readfds)) {
- /* accept the conn */
- addrlen = sizeof(peer);
- if ((peer_fd = accept(admin_fd, (struct sockaddr *)&peer,
- &addrlen)) < 0) {
- syslog(LOG_ERR, "accept: %s", error_message(errno));
- continue;
- }
-
- if (debug) {
- process_client(peer_fd, &peer);
- } else if ((pid = fork())) {
- /* parent */
- if (pid < 0) {
- syslog(LOG_ERR, "fork: %s", error_message(errno));
- (void) close(peer_fd);
- continue;
- }
- /* fork succeeded: keep tabs on child */
- (void) close(peer_fd);
- if (unknown_child != pid) {
- if (pidarray) {
- pidarray = (int *)realloc((char *)pidarray,
- (++pidarraysize * sizeof(int)));
- pidarray[pidarraysize-1] = pid;
- } else {
- pidarray = (int *)malloc((pidarraysize = 1) * sizeof(int));
- pidarray[0] = pid;
- }
- } /* End if unknown_child != pid.*/
- } else {
- /* child */
- (void) close(admin_fd);
- process_client(peer_fd, &peer);
- }
- } else {
- syslog(LOG_ERR, "something else woke me up!");
- return(0);
- }
- }
- /*NOTREACHED*/
-}
-
-static void process_client(fd, who)
- int fd;
- struct sockaddr_in *who;
-{
- u_char *dat;
- int dat_len;
- u_short dlen;
- int retval;
- int on = 1;
- int nentries = 1;
- krb5_db_entry sprinc_entries;
- krb5_boolean more;
- krb5_keyblock cpw_skey;
- krb5_key_data *kdatap;
- int status;
-
-#ifdef KADM5
- char *service_name;
-
- service_name = (char *) malloc(strlen(server_parm.sname) +
- strlen(server_parm.sinst) +
- strlen(server_parm.krbrlm) + 3);
- if (service_name == NULL) {
- syslog(LOG_ERR, "error: out of memory allocating service name");
- cleanexit(1);
- }
- sprintf(service_name, "%s@%s", KADM5_ADMIN_SERVICE, paramsin.realm);
-
- retval = kadm5_init_with_skey(service_name,
- paramsout.admin_keytab,
- KADM5_ADMIN_SERVICE,
- ¶msin,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- &kadm5_handle);
- if (retval) {
- syslog(LOG_ERR, "error: kadm5_init failed: %s",
- error_message(retval));
- cleanexit(1);
- }
- free(service_name);
-
- retval = krb5_db_set_name(kadm_context, paramsout.dbname);
- if (retval) {
- syslog(LOG_ERR, "%s while setting dbname", error_message(retval));
- cleanexit(1);
- }
-#endif
-
-#ifndef NOENCRYPTION
- /* Must do it here, since this is after the fork() call */
- des_init_random_number_generator(server_parm.master_keyblock.contents);
-#endif /* NOENCRYPTION */
-
- if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE,
- (const char *) &on, sizeof(on)) < 0)
- syslog(LOG_ERR, "setsockopt keepalive: %d", errno);
-
- server_parm.recv_addr = *who;
-
- retval = krb5_db_init(kadm_context);
- if (retval) { /* Open as client */
- syslog(LOG_ERR, "can't open krb db: %s", error_message(retval));
- cleanexit(1);
- }
- /* need to set service key to changepw.KRB_MASTER */
-
- status = krb5_db_get_principal(kadm_context, server_parm.sprinc,
- &sprinc_entries,
- &nentries, &more);
- /* ugh... clean this up later */
- if (status == KRB5_KDB_DB_INUSE) {
- /* db locked */
- krb5_ui_4 retcode;
- char *pdat;
-
- dat_len = KADM_VERSIZE + sizeof(krb5_ui_4);
- dat = (u_char *) malloc((unsigned)dat_len);
- pdat = (char *) dat;
- retcode = htonl((krb5_ui_4) KADM_DB_INUSE);
- (void) strncpy(pdat, KADM_ULOSE, KADM_VERSIZE);
- memcpy(&pdat[KADM_VERSIZE], (char *)&retcode, sizeof(krb5_ui_4));
- goto out;
- } else if (!nentries) {
- syslog(LOG_ERR, "no service %s.%s", server_parm.sname, server_parm.sinst);
- cleanexit(2);
- } else if (status) {
- syslog(LOG_ERR, error_message(status));
- cleanexit(2);
- }
-
- status = krb5_dbe_find_enctype(kadm_context,
- &sprinc_entries,
- ENCTYPE_DES_CBC_MD5,
- -1,
- -1,
- &kdatap);
- if (status) {
- syslog(LOG_ERR, "find enctype failed: %s", error_message(status));
- cleanexit(1);
- }
-
- status = krb5_dbekd_decrypt_key_data(kadm_context,
- &server_parm.master_keyblock,
- kdatap,
- &cpw_skey,
- (krb5_keysalt *) NULL);
- if (status) {
- syslog(LOG_ERR, "decrypt_key failed: %s", error_message(status));
- cleanexit(1);
- }
- /* if error, will show up when rd_req fails */
- (void) krb_set_key((char *)cpw_skey.contents, 0);
- while (1) {
- if ((retval = krb_net_read(fd, (char *)&dlen, sizeof(u_short))) !=
- sizeof(u_short)) {
- if (retval < 0)
- syslog(LOG_ERR, "dlen read: %s", error_message(errno));
- else if (retval)
- syslog(LOG_ERR, "short dlen read: %d", retval);
- (void) close(fd);
-#ifdef KADM5
- (void) kadm5_destroy(kadm5_handle);
-#endif
- cleanexit(retval ? 3 : 0);
- }
- if (exit_now) {
- cleanexit(0);
- }
- dat_len = (int) ntohs(dlen);
- dat = (u_char *) malloc((unsigned)dat_len);
- if (!dat) {
- syslog(LOG_ERR, "malloc: No memory");
- (void) close(fd);
- cleanexit(4);
- }
- if ((retval = krb_net_read(fd, (char *)dat, dat_len)) != dat_len) {
- if (retval < 0)
- syslog(LOG_ERR, "data read: %s", error_message(errno));
- else
- syslog(LOG_ERR, "short read: %d vs. %d", dat_len, retval);
- (void) close(fd);
- cleanexit(5);
- }
- if (exit_now) {
- cleanexit(0);
- }
- if ((retval = kadm_ser_in(&dat,&dat_len)) != KADM_SUCCESS)
- syslog(LOG_ERR, "processing request: %s", error_message(retval));
-
- /* kadm_ser_in did the processing and returned stuff in
- dat & dat_len , return the appropriate data */
-
- out:
- dlen = (u_short) dat_len;
-
- if (dat_len != (int)dlen) {
- clear_secrets();
- abort(); /* XXX */
- }
- dlen = htons(dlen);
-
- if (krb_net_write(fd, (char *)&dlen, sizeof(u_short)) < 0) {
- syslog(LOG_ERR, "writing dlen to client: %s", error_message(errno));
- (void) close(fd);
- cleanexit(6);
- }
-
- if (krb_net_write(fd, (char *)dat, dat_len) < 0) {
- syslog(LOG_ERR, "writing to client: %s", error_message(errno));
- (void) close(fd);
- cleanexit(7);
- }
- free((char *)dat);
- }
- /*NOTREACHED*/
-}
-
-static krb5_sigtype
-do_child(sig)
- int sig;
-{
- /* SIGCHLD brings us here */
- int pid;
- register int i, j;
-
-#ifdef WAIT_USES_INT
- int status;
-#else
- union wait status;
-#endif
-
- pid = wait(&status);
-
- for (i = 0; i < pidarraysize; i++)
- if (pidarray[i] == pid) {
- /* found it */
- for (j = i; j < pidarraysize-1; j++)
- /* copy others down */
- pidarray[j] = pidarray[j+1];
- pidarraysize--;
-#ifdef WAIT_USES_INT
- if (WIFEXITED(status) || WIFSIGNALED(status))
- if (WTERMSIG(status) || WEXITSTATUS(status))
- syslog(LOG_ERR, "child %d: termsig %d, retcode %d", pid,
- WTERMSIG(status), WEXITSTATUS(status));
-
-#else
- if (status.w_retcode || status.w_coredump || status.w_termsig)
- syslog(LOG_ERR, "child %d: termsig %d, coredump %d, retcode %d",
- pid, status.w_termsig, status.w_coredump, status.w_retcode);
-
-#endif
- SIGNAL_RETURN;
- }
- unknown_child = pid;
-#ifdef WAIT_USES_INT
- syslog(LOG_ERR, "child %d not in list: termsig %d, retcode %d", pid,
- WTERMSIG(status), WEXITSTATUS(status));
-
-#else
- syslog(LOG_ERR, "child %d not in list: termsig %d, coredump %d, retcode %d",
- pid, status.w_termsig, status.w_coredump, status.w_retcode);
-
-#endif
- SIGNAL_RETURN;
-}
-
-static
-void cleanexit(val)
- int val;
-{
- krb5_db_fini(kadm_context);
- clear_secrets();
- exit(val);
-}
-
-static void
-kill_children()
-{
- register int i;
-#ifdef POSIX_SIGNALS
- sigset_t oldmask, igmask;
-#else
- int osigmask;
-#endif
-
-#ifdef POSIX_SIGNALS
- sigemptyset(&igmask);
- sigaddset(&igmask, SIGCHLD);
- sigprocmask(SIG_BLOCK, &igmask, &oldmask);
-#else
- osigmask = sigblock(sigmask(SIGCHLD));
-#endif
-
- for (i = 0; i < pidarraysize; i++) {
- kill(pidarray[i], SIGINT);
- syslog(LOG_ERR, "killing child %d", pidarray[i]);
- }
-#ifdef POSIX_SIGNALS
- sigprocmask(SIG_SETMASK, &oldmask, (sigset_t*)0);
-#else
- sigsetmask(osigmask);
-#endif
- return;
-}
-
-#ifdef KADM5
-krb5_int32 convert_kadm5_to_kadm(val)
- krb5_int32 val;
-{
- switch (val) {
- case KADM5_AUTH_GET:
- case KADM5_AUTH_ADD:
- case KADM5_AUTH_MODIFY:
- case KADM5_AUTH_DELETE:
- case KADM5_AUTH_INSUFFICIENT:
- case KADM5_AUTH_LIST:
- case KADM5_AUTH_CHANGEPW:
- return KADM_UNAUTH;
- case KADM5_BAD_DB:
- return KADM_UK_RERROR;
- case KADM5_DUP:
- case KADM5_POLICY_REF:
- return KADM_INUSE;
- case KADM5_RPC_ERROR:
- return KADM_NO_CONN;
- case KADM5_NO_SRV:
- return KADM_NO_HOST;
- case KADM5_UNK_PRINC:
- case KADM5_UNK_POLICY:
- return KADM_NOENTRY;
- case KADM5_PASS_Q_TOOSHORT:
- case KADM5_PASS_Q_CLASS:
- case KADM5_PASS_Q_DICT:
- case KADM5_PASS_REUSE:
- case KADM5_PASS_TOOSOON:
- case CHPASS_UTIL_PASSWORD_TOO_SOON:
- return KADM_INSECURE_PW;
- case KADM5_BAD_PASSWORD:
- return KADM_NO_CRED;
- case KADM5_PROTECT_PRINCIPAL:
- return KADM_NO_OPCODE;
- case KADM5_NOT_INIT:
- case KADM5_BAD_HIST_KEY:
- case KADM5_BAD_MASK:
- case KADM5_BAD_CLASS:
- case KADM5_BAD_LENGTH:
- case KADM5_BAD_POLICY:
- case KADM5_BAD_PRINCIPAL:
- case KADM5_BAD_AUX_ATTR:
- case KADM5_BAD_HISTORY:
- case KADM5_BAD_MIN_PASS_LIFE:
- return -1;
- }
- return val;
-}
-#endif
+++ /dev/null
-#define NDBM
-/*
- * build_pwfile.c --- build a table of bad passwords, keyed by their
- * des equivalents.
- *
- * Written by Theodore Ts'o
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- */
-
-#ifndef lint
-static char rcsid_build_pwfile_c[] =
-"$Id$";
-#endif lint
-
-#include <mit-copyright.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-
-#ifdef NDBM
-#include <ndbm.h>
-#else /*NDBM*/
-#include <dbm.h>
-#endif /*NDBM*/
-
-#include <kadm.h>
-#include <kadm_err.h>
-#include <krb_db.h>
-#include "kadm_server.h"
-
-/* Macros to convert ndbm names to dbm names.
- * Note that dbm_nextkey() cannot be simply converted using a macro, since
- * it is invoked giving the database, and nextkey() needs the previous key.
- *
- * Instead, all routines call "dbm_next" instead.
- */
-#ifndef NDBM
-typedef char DBM;
-#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
-#define dbm_fetch(db, key) fetch(key)
-#define dbm_store(db, key, content, flag) store(key, content)
-#define dbm_firstkey(db) firstkey()
-#define dbm_next(db,key) nextkey(key)
-#define dbm_close(db) dbmclose()
-#else
-#define dbm_next(db,key) dbm_nextkey(db)
-#endif
-
-main(argc, argv)
- int argc;
- char **argv;
-{
- DBM *pwfile;
- FILE *f;
- datum passwd, entry;
- des_cblock key;
- char word[1024];
- int len, filenum, i;
- int wptr;
-
- if (argc != 2) {
- fprintf(stderr,"%s: Usage: %s filename\n", argv[0], argv[0]);
- exit(1);
- }
- if (!(f = fopen(argv[1], "r"))) {
- perror(argv[1]);
- exit(1);
- }
- pwfile = dbm_open(PW_CHECK_FILE, O_RDWR|O_CREAT, 0644);
- if (!pwfile) {
- fprintf(stderr, "Couldn't open %s for writing.\n",
- PW_CHECK_FILE);
- perror("dbm_open");
- exit(1);
- }
- filenum = 0;
- do {
- filenum++;
- passwd.dptr = (char *) &filenum;
- passwd.dsize = sizeof(filenum);
- entry.dptr = argv[1];
- entry.dsize = strlen(argv[1])+1;
- } while (dbm_store(pwfile, passwd, entry, DBM_INSERT));
- i = 0;
- while (!feof(f)) {
- i++;
- wptr = (filenum << 24) + i;
- fgets(word, sizeof(word), f);
- len = strlen(word);
- if (len > 0 && word[len-1] == '\n')
- word[--len] = '\0';
-#ifdef NOENCRYPTION
- bzero((char *) key, sizeof(des_cblock));
- key[0] = (unsigned char) 1;
-#else
- (void) des_string_to_key(word, key);
-#endif
-
- passwd.dptr = (char *) key;
- passwd.dsize = 8;
- entry.dptr = (char *) &wptr;
-#ifdef notdef
- entry.dsize = sizeof(wptr);
-#else
- entry.dsize = 0;
-#endif
- dbm_store(pwfile, passwd, entry, DBM_REPLACE);
- }
- dbm_close(pwfile);
- exit(0);
-}
-
-
-
+++ /dev/null
-/*
- * kadmin/v4server/kadm_funcs.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Kerberos administration server-side database manipulation routines
- */
-
-
-#include <mit-copyright.h>
-/*
-kadm_funcs.c
-the actual database manipulation code
-*/
-
-#include <stdio.h>
-#include <string.h>
-#include <sys/param.h>
-#ifdef NDBM_PW_CHECK
-#include <ndbm.h>
-#endif
-#include <ctype.h>
-#include <pwd.h>
-#include <sys/file.h>
-#include <kadm.h>
-#include <kadm_err.h>
-#include <krb_db.h>
-#include <syslog.h>
-#include <fcntl.h>
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#ifdef TIME_WITH_SYS_TIME
-#include <time.h>
-#endif
-#else
-#include <time.h>
-#endif
-
-#include "kadm_server.h"
-
-extern Kadm_Server server_parm;
-
-#include <kadm5/admin.h>
-extern void *kadm5_handle;
-
-/* Generate dummy password. Yes, it's gross. */
-static char *dummypw()
-{
- static char dummybuf[256];
- int i;
-
- if (dummybuf[0] == 0)
- for (i = 0; i < 256; i++)
- dummybuf[i] = (i + 1) % 256;
- return dummybuf;
-}
-
-/*
- * kadm_entry2princ:
- *
- * Convert a kadm5_principal_ent_t to a Principal. Assumes that princ
- * is already allocated.
- */
-static krb5_error_code
-kadm_entry2princ(entry, princ)
- kadm5_principal_ent_t entry;
- Principal *princ;
-{
- char realm[REALM_SZ + 1]; /* dummy values only */
- krb5_error_code retval;
- int i;
-
- /* NOTE: does not convert the key */
- memset(princ, 0, sizeof (*princ));
- retval = krb5_524_conv_principal(kadm_context, entry->principal,
- princ->name, princ->instance, realm);
- if (retval)
- return retval;
- princ->exp_date = entry->pw_expiration;
- strncpy(princ->exp_date_txt,
- ctime((const time_t *) &entry->pw_expiration), DATE_SZ);
- princ->attributes = entry->attributes;
- princ->max_life = krb_time_to_life(0, entry->max_life);
- princ->kdc_key_ver = 1; /* entry->mkvno .... WTF??? --tlyu */
- for (i = 0; i < entry->n_key_data; i++) {
- /* XXX This assumes knowledge of the internals of krb5_key_data */
- if (entry->key_data[i].key_data_type[0] == ENCTYPE_DES_CBC_CRC &&
- entry->key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_V4) {
- princ->key_version = entry->key_data[i].key_data_kvno;
- break;
- }
- }
-
- retval = krb5_524_conv_principal(kadm_context, entry->mod_name,
- princ->mod_name, princ->mod_instance,
- realm);
- if (retval)
- return retval;
-
- princ->mod_date = entry->mod_date;
- strncpy(princ->mod_date_txt,
- ctime((const time_t *) &entry->mod_date),
- DATE_SZ);
-
- return 0;
-}
-
-static int check_access(pname, pinst, prealm, acltype)
- char *pname;
- char *pinst;
- char *prealm;
- enum acl_types acltype;
-{
- char checkname[MAX_K_NAME_SZ];
- char filename[MAXPATHLEN];
- extern char *acldir;
-
- (void) sprintf(checkname, "%s.%s@%s", pname, pinst, prealm);
-
- switch (acltype) {
- case ADDACL:
- (void) sprintf(filename, "%s%s", acldir, ADD_ACL_FILE);
- break;
- case GETACL:
- (void) sprintf(filename, "%s%s", acldir, GET_ACL_FILE);
- break;
- case MODACL:
- (void) sprintf(filename, "%s%s", acldir, MOD_ACL_FILE);
- break;
- case DELACL:
- (void) sprintf(filename, "%s%s", acldir, DEL_ACL_FILE);
- break;
- case STABACL:
- (void) sprintf(filename, "%s%s", acldir, STAB_ACL_FILE);
- break;
- }
- return(acl_check(filename, checkname));
-}
-
-static int wildcard(str)
-char *str;
-{
- if (!strcmp(str, WILDCARD_STR))
- return(1);
- return(0);
-}
-
-krb5_error_code
-kadm_add_entry (rname, rinstance, rrealm, valsin, valsout)
- char *rname; /* requestors name */
- char *rinstance; /* requestors instance */
- char *rrealm; /* requestors realm */
- Kadm_vals *valsin;
- Kadm_vals *valsout;
-{
- Principal data_i, data_o; /* temporary principal */
- u_char flags[4];
- krb5_error_code retval;
- kadm5_principal_ent_rec newentry, tmpentry;
- krb5_keyblock newpw;
- long mask = 0;
-
- if (!check_access(rname, rinstance, rrealm, ADDACL)) {
- syslog(LOG_WARNING,
- "WARNING: '%s.%s@%s' tried to add an entry for '%s.%s'",
- rname, rinstance, rrealm, valsin->name, valsin->instance);
- return KADM_UNAUTH;
- }
-
- /* Need to check here for "legal" name and instance */
- if (wildcard(valsin->name) || wildcard(valsin->instance)) {
- retval = KADM_ILL_WILDCARD;
- goto err;
- }
-
- syslog(LOG_INFO, "request to add an entry for '%s.%s' from '%s.%s@%s'",
- valsin->name, valsin->instance, rname, rinstance, rrealm);
-
- kadm_vals_to_prin(valsin->fields, &data_i, valsin);
- (void) strncpy(data_i.name, valsin->name, ANAME_SZ);
- (void) strncpy(data_i.instance, valsin->instance, INST_SZ);
-
- memset(&newentry, 0, sizeof (newentry));
- retval = krb5_425_conv_principal(kadm_context,
- data_i.name, data_i.instance,
- server_parm.krbrlm,
- &newentry.principal);
- if (retval)
- goto err_newentry;
-
- if (IS_FIELD(KADM_EXPDATE,valsin->fields)) {
- newentry.princ_expire_time = data_i.exp_date;
- mask |= KADM5_PRINC_EXPIRE_TIME;
- }
-
- if (IS_FIELD(KADM_MAXLIFE,valsin->fields)) {
- newentry.max_life = krb_life_to_time(0, data_i.max_life);
- mask |= KADM5_MAX_LIFE;
- }
-
- /* Create with ticket issuing disabled. */
- newentry.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
- mask |= KADM5_PRINCIPAL|KADM5_ATTRIBUTES;
- retval = kadm5_get_principal(kadm5_handle, newentry.principal,
- &tmpentry, KADM5_PRINCIPAL_NORMAL_MASK);
- switch (retval) {
- case KADM5_UNK_PRINC:
- break;
- case 0:
- kadm5_free_principal_ent(kadm5_handle, &tmpentry);
- retval = KADM_INUSE;
- default:
- goto err_newentry;
- break;
- }
-
- retval = kadm5_create_principal(kadm5_handle, &newentry,
- mask, dummypw());
- if (retval)
- goto err_newentry;
-
- newpw.magic = KV5M_KEYBLOCK;
- if ((newpw.contents = (krb5_octet *)malloc(8)) == NULL) {
- retval = KADM_NOMEM;
- goto err_newentry;
- }
-
- data_i.key_low = ntohl(data_i.key_low);
- data_i.key_high = ntohl(data_i.key_high);
- memcpy(newpw.contents, &data_i.key_low, 4);
- memcpy((char *)(((krb5_int32 *) newpw.contents) + 1), &data_i.key_high, 4);
- newpw.length = 8;
- newpw.enctype = ENCTYPE_DES_CBC_CRC;
-
- retval = kadm5_setv4key_principal(kadm5_handle,
- newentry.principal, &newpw);
- memset((char *)newpw.contents, 0, newpw.length);
- free(newpw.contents);
- if (retval)
- goto err_newentry;
-
- newentry.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX;
- retval = kadm5_modify_principal(kadm5_handle, &newentry,
- KADM5_ATTRIBUTES);
- if (retval)
- goto err_newentry;
-
- retval = kadm5_get_principal(kadm5_handle, newentry.principal,
- &tmpentry, KADM5_PRINCIPAL_NORMAL_MASK);
- kadm5_free_principal_ent(kadm5_handle, &newentry);
- if (retval)
- goto err;
-
- kadm_entry2princ(&tmpentry, &data_o);
- kadm5_free_principal_ent(kadm5_handle, &tmpentry);
- memset((char *)flags, 0, sizeof(flags));
- SET_FIELD(KADM_NAME,flags);
- SET_FIELD(KADM_INST,flags);
- SET_FIELD(KADM_EXPDATE,flags);
- SET_FIELD(KADM_ATTR,flags);
- SET_FIELD(KADM_MAXLIFE,flags);
- kadm_prin_to_vals(flags, valsout, &data_o);
- syslog(LOG_INFO, "'%s.%s' added.", valsin->name, valsin->instance);
- return KADM_DATA; /* Set all the appropriate fields */
-
-err_newentry:
- kadm5_free_principal_ent(kadm5_handle, &newentry);
-err:
- syslog(LOG_ERR, "FAILED adding '%s.%s' (%s)",
- valsin->name, valsin->instance, error_message(retval));
- return retval;
-}
-
-#ifndef KADM5
-#define faildel(code) { (void) syslog(LOG_ERR, "FAILED deleting '%s.%s' (%s)", valsin->name, valsin->instance, error_message(code)); return code; }
-
-krb5_error_code
-kadm_del_entry (rname, rinstance, rrealm, valsin, valsout)
-char *rname; /* requestors name */
-char *rinstance; /* requestors instance */
-char *rrealm; /* requestors realm */
-Kadm_vals *valsin;
-Kadm_vals *valsout;
-{
- int numfound; /* check how many we get written */
- krb5_boolean more; /* pointer to more grabbed records */
- Principal data_i, data_o; /* temporary principal */
- u_char flags[4];
- krb5_db_entry entry, odata;
- krb5_error_code retval;
- krb5_principal inprinc;
-
- if (!check_access(rname, rinstance, rrealm, DELACL)) {
- (void) syslog(LOG_WARNING, "WARNING: '%s.%s@%s' tried to delete an entry for '%s.%s'",
- rname, rinstance, rrealm, valsin->name, valsin->instance);
- return KADM_UNAUTH;
- }
-
- /* Need to check here for "legal" name and instance */
- if (wildcard(valsin->name) || wildcard(valsin->instance)) {
- faildel(KADM_ILL_WILDCARD);
- }
-
- syslog(LOG_INFO, "request to delete an entry for '%s.%s' from '%s.%s@%s'",
- valsin->name, valsin->instance, rname, rinstance, rrealm);
-
- retval = krb5_425_conv_principal(kadm_context, valsin->name,
- valsin->instance,
- server_parm.krbrlm, &inprinc);
- if (retval)
- faildel(retval);
-
- numfound = 1;
- retval = krb5_db_get_principal(kadm_context, inprinc, &entry, &numfound,
- &more);
-
- if (retval) {
- krb5_db_free_principal(kadm_context, &entry, numfound);
- faildel(retval);
- } else if (!numfound || more) {
- faildel(KADM_NOENTRY);
- }
-
- retval = krb5_db_delete_principal(kadm_context, inprinc, &numfound);
- if (retval) {
- krb5_db_free_principal(kadm_context, &entry, numfound);
- faildel(retval);
- }
- if (!numfound) {
- krb5_db_free_principal(kadm_context, &entry, numfound);
- faildel(KADM_UK_SERROR);
- } else {
- if (retval) {
- faildel(retval);
- } else if (numfound != 1 || more) {
- krb5_db_free_principal(kadm_context, &entry, numfound);
- faildel(KADM_UK_RERROR);
- }
- kadm_entry2princ(&entry, &data_o);
- krb5_db_free_principal(kadm_context, &entry, numfound);
- memset((char *)flags, 0, sizeof(flags));
- SET_FIELD(KADM_NAME,flags);
- SET_FIELD(KADM_INST,flags);
- SET_FIELD(KADM_EXPDATE,flags);
- SET_FIELD(KADM_ATTR,flags);
- SET_FIELD(KADM_MAXLIFE,flags);
- kadm_prin_to_vals(flags, valsout, &data_o);
- syslog(LOG_INFO, "'%s.%s' deleted.", valsin->name, valsin->instance);
- return KADM_DATA; /* Set all the appropriate fields */
- }
-}
-#undef faildel
-
-#endif /* !KADM5 */
-
-krb5_error_code
-kadm_get_entry (rname, rinstance, rrealm, valsin, flags, valsout)
- char *rname; /* requestors name */
- char *rinstance; /* requestors instance */
- char *rrealm; /* requestors realm */
- Kadm_vals *valsin; /* what they wannt to get */
- u_char *flags; /* which fields we want */
- Kadm_vals *valsout; /* what data is there */
-{
- Principal data_o; /* Data object to hold Principal */
- krb5_principal inprinc;
- krb5_error_code retval;
- kadm5_principal_ent_rec ent;
-
- if (!check_access(rname, rinstance, rrealm, GETACL)) {
- syslog(LOG_WARNING, "WARNING: '%s.%s@%s' tried to get '%s.%s's entry",
- rname, rinstance, rrealm, valsin->name, valsin->instance);
- return KADM_UNAUTH;
- }
-
- if (wildcard(valsin->name) || wildcard(valsin->instance)) {
- retval = KADM_ILL_WILDCARD;
- goto err;
- }
-
- syslog(LOG_INFO, "retrieve '%s.%s's entry for '%s.%s@%s'",
- valsin->name, valsin->instance, rname, rinstance, rrealm);
-
- retval = krb5_425_conv_principal(kadm_context, valsin->name,
- valsin->instance,
- server_parm.krbrlm, &inprinc);
- if (retval)
- goto err_princ;
-
- retval = kadm5_get_principal(kadm5_handle, inprinc, &ent,
- KADM5_PRINCIPAL_NORMAL_MASK);
- krb5_free_principal(kadm_context, inprinc);
- switch (retval) {
- case KADM5_UNK_PRINC:
- retval = KADM_NOENTRY;
- goto err_princ;
- default:
- goto err_princ;
- case 0:
- break;
- }
- retval = kadm_entry2princ(&ent, &data_o);
- kadm5_free_principal_ent(kadm5_handle, &ent);
- if (retval) {
- goto err_princ;
- }
- kadm_prin_to_vals(flags, valsout, &data_o);
- syslog(LOG_INFO, "'%s.%s' retrieved.", valsin->name, valsin->instance);
- return KADM_DATA; /* Set all the appropriate fields */
-err_princ:
- krb5_free_principal(kadm_context, inprinc);
-err:
- syslog(LOG_ERR, "FAILED retrieving '%s.%s' (%s)",
- valsin->name, valsin->instance, error_message(retval));
- return retval;
-}
-
-
-krb5_error_code
-kadm_mod_entry (rname, rinstance, rrealm, valsin1, valsin2, valsout)
- char *rname; /* requestors name */
- char *rinstance; /* requestors instance */
- char *rrealm; /* requestors realm */
- Kadm_vals *valsin1, *valsin2; /* holds the parameters being
- passed in */
- Kadm_vals *valsout; /* the actual record which is returned */
-{
- Principal data_o, temp_key;
- u_char fields[4];
- krb5_keyblock newpw;
- krb5_error_code retval;
- krb5_principal theprinc;
- kadm5_principal_ent_rec entry;
- long mask = 0;
-
- if (wildcard(valsin1->name) || wildcard(valsin1->instance)) {
- retval = KADM_ILL_WILDCARD;
- goto err;
- }
-
- if (!check_access(rname, rinstance, rrealm, MODACL)) {
- syslog(LOG_WARNING, "WARNING: '%s.%s@%s' tried to change '%s.%s's entry",
- rname, rinstance, rrealm, valsin1->name, valsin1->instance);
- return KADM_UNAUTH;
- }
-
- syslog(LOG_INFO, "request to modify '%s.%s's entry from '%s.%s@%s' ",
- valsin1->name, valsin1->instance, rname, rinstance, rrealm);
- retval = krb5_425_conv_principal(kadm_context,
- valsin1->name, valsin1->instance,
- server_parm.krbrlm, &theprinc);
- if (retval)
- goto err;
- retval = kadm5_get_principal(kadm5_handle, theprinc, &entry,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (retval)
- goto err_princ;
-
- kadm_vals_to_prin(valsin2->fields, &temp_key, valsin2);
-
- if (IS_FIELD(KADM_EXPDATE,valsin2->fields)) {
- entry.princ_expire_time = temp_key.exp_date;
- mask |= KADM5_PRINC_EXPIRE_TIME;
- }
-
- if (IS_FIELD(KADM_MAXLIFE,valsin2->fields)) {
- entry.max_life = krb_life_to_time(0, temp_key.max_life);
- mask |= KADM5_MAX_LIFE;
- }
-
- retval = kadm5_modify_principal(kadm5_handle, &entry, mask);
- if (retval)
- goto err_entry;
-
- if (IS_FIELD(KADM_DESKEY,valsin2->fields)) {
- if ((newpw.contents = (krb5_octet *)malloc(8)) == NULL) {
- retval = KADM_NOMEM;
- goto err_entry;
- }
- newpw.magic = KV5M_KEYBLOCK;
- newpw.length = 8;
- newpw.enctype = ENCTYPE_DES_CBC_CRC;
- temp_key.key_low = ntohl(temp_key.key_low);
- temp_key.key_high = ntohl(temp_key.key_high);
- memcpy(newpw.contents, &temp_key.key_low, 4);
- memcpy(newpw.contents + 4, &temp_key.key_high, 4);
- memset((char *)&temp_key, 0, sizeof(temp_key));
-
- retval = kadm5_setv4key_principal(kadm5_handle, entry.principal,
- &newpw);
- krb5_free_keyblock_contents(kadm_context, &newpw);
- if (retval)
- goto err_entry;
- }
-
- kadm5_free_principal_ent(kadm5_handle, &entry);
-
- retval = kadm5_get_principal(kadm5_handle, theprinc, &entry,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (retval)
- goto err_princ;
-
- retval = kadm_entry2princ(&entry, &data_o);
- kadm5_free_principal_ent(kadm5_handle, &entry);
- krb5_free_principal(kadm_context, theprinc);
- if (retval)
- goto err;
-
- memset((char *) fields, 0, sizeof(fields));
- SET_FIELD(KADM_NAME,fields);
- SET_FIELD(KADM_INST,fields);
- SET_FIELD(KADM_EXPDATE,fields);
- SET_FIELD(KADM_ATTR,fields);
- SET_FIELD(KADM_MAXLIFE,fields);
- kadm_prin_to_vals(fields, valsout, &data_o);
- syslog(LOG_INFO, "'%s.%s' modified.", valsin1->name, valsin1->instance);
- return KADM_DATA; /* Set all the appropriate fields */
-
-err_entry:
- kadm5_free_principal_ent(kadm5_handle, &entry);
-err_princ:
- krb5_free_principal(kadm_context, theprinc);
-err:
- syslog(LOG_ERR, "FAILED modifying '%s.%s' (%s)",
- valsin1->name, valsin1->instance, error_message(retval));
- return retval;
-}
-
-#ifndef KADM5
-#define failchange(code) { syslog(LOG_ERR, "FAILED changing key for '%s.%s@%s' (%s)", rname, rinstance, rrealm, error_message(code)); return code; }
-
-krb5_error_code
-kadm_change (rname, rinstance, rrealm, newpw)
-char *rname;
-char *rinstance;
-char *rrealm;
-des_cblock newpw;
-{
- int numfound;
- krb5_boolean more;
- krb5_principal rprinc;
- krb5_error_code retval;
- krb5_keyblock localpw;
- krb5_db_entry odata;
- krb5_key_data *pkey;
- krb5_keysalt sblock;
-
- if (strcmp(server_parm.krbrlm, rrealm)) {
- syslog(LOG_ERR, "change key request from wrong realm, '%s.%s@%s'!\n",
- rname, rinstance, rrealm);
- return(KADM_WRONG_REALM);
- }
-
- if (wildcard(rname) || wildcard(rinstance)) {
- failchange(KADM_ILL_WILDCARD);
- }
- syslog(LOG_INFO, "'%s.%s@%s' wants to change its password",
- rname, rinstance, rrealm);
- retval = krb5_425_conv_principal(kadm_context, rname, rinstance,
- server_parm.krbrlm, &rprinc);
- if (retval)
- failchange(retval);
- if ((localpw.contents = (krb5_octet *)malloc(8)) == NULL)
- failchange(KADM_NOMEM);
- memcpy(localpw.contents, newpw, 8);
- localpw.magic = KV5M_KEYBLOCK;
- localpw.enctype = ENCTYPE_DES_CBC_CRC;
- localpw.length = 8;
- numfound = 1;
- retval = krb5_db_get_principal(kadm_context, rprinc, &odata,
- &numfound, &more);
- krb5_free_principal(kadm_context, rprinc);
- if (retval) {
- memset(localpw.contents, 0, localpw.length);
- free(localpw.contents);
- failchange(retval);
- } else if (numfound == 1) {
- if (retval = krb5_dbe_find_enctype(kadm_context,
- &odata,
- ENCTYPE_DES_CBC_CRC,
- KRB5_KDB_SALTTYPE_V4,
- -1,
- &pkey)) {
- failchange(retval);
- }
- pkey->key_data_kvno++;
- pkey->key_data_kvno %= 256;
- numfound = 1;
- sblock.type = KRB5_KDB_SALTTYPE_V4;
- sblock.data.length = 0;
- sblock.data.data = (char *) NULL;
- retval = krb5_dbekd_encrypt_key_data(kadm_context,
- /* XXX but I'm ifdef'd out here,
- so I can't really test this. */
- &server_parm.master_encblock,
- &localpw,
- &sblock,
- (int) pkey->key_data_kvno,
- pkey);
- memset(localpw.contents, 0, localpw.length);
- free(localpw.contents);
- if (retval) {
- failchange(retval);
- }
- retval = krb5_db_put_principal(kadm_context, &odata, &numfound);
- krb5_db_free_principal(kadm_context, &odata, 1);
- if (retval) {
- failchange(retval);
- } else if (more) {
- failchange(KADM_UK_SERROR);
- } else {
- syslog(LOG_INFO,
- "'%s.%s@%s' password changed.", rname, rinstance, rrealm);
- return KADM_SUCCESS;
- }
- }
- else {
- failchange(KADM_NOENTRY);
- }
-}
-#undef failchange
-#endif /* !KADM5 */
-
-static int
-check_pw(newpw, checkstr)
- des_cblock newpw;
- char *checkstr;
-{
-#ifdef NOENCRYPTION
- return 0;
-#else /* !NOENCRYPTION */
- des_cblock checkdes;
-
- (void) des_string_to_key(checkstr, checkdes);
- return(!memcmp(checkdes, newpw, sizeof(des_cblock)));
-#endif /* NOENCRYPTION */
-}
-
-static char *reverse(str)
- char *str;
-{
- static char newstr[80];
- char *p, *q;
- int i;
-
- i = strlen(str);
- if (i >= sizeof(newstr))
- i = sizeof(newstr)-1;
- p = str+i-1;
- q = newstr;
- q[i]='\0';
- for(; i > 0; i--)
- *q++ = *p--;
-
- return(newstr);
-}
-
-static int lower(str)
- char *str;
-{
- register char *cp;
- int effect=0;
-
- for (cp = str; *cp; cp++) {
- if (isupper((int) *cp)) {
- *cp = tolower((int) *cp);
- effect++;
- }
- }
- return(effect);
-}
-
-static int
-des_check_gecos(gecos, newpw)
- char *gecos;
- des_cblock newpw;
-{
- char *cp, *ncp, *tcp;
-
- for (cp = gecos; *cp; ) {
- /* Skip past punctuation */
- for (; *cp; cp++)
- if (isalnum((int) *cp))
- break;
- /* Skip to the end of the word */
- for (ncp = cp; *ncp; ncp++)
- if (!isalnum((int) *ncp) && *ncp != '\'')
- break;
- /* Delimit end of word */
- if (*ncp)
- *ncp++ = '\0';
- /* Check word to see if it's the password */
- if (*cp) {
- if (check_pw(newpw, cp))
- return(KADM_INSECURE_PW);
- tcp = reverse(cp);
- if (check_pw(newpw, tcp))
- return(KADM_INSECURE_PW);
- if (lower(cp)) {
- if (check_pw(newpw, cp))
- return(KADM_INSECURE_PW);
- tcp = reverse(cp);
- if (check_pw(newpw, tcp))
- return(KADM_INSECURE_PW);
- }
- cp = ncp;
- } else
- break;
- }
- return(0);
-}
-
-static int
-str_check_gecos(gecos, pwstr)
- char *gecos;
- char *pwstr;
-{
- char *cp, *ncp, *tcp;
-
- for (cp = gecos; *cp; ) {
- /* Skip past punctuation */
- for (; *cp; cp++)
- if (isalnum((int) *cp))
- break;
- /* Skip to the end of the word */
- for (ncp = cp; *ncp; ncp++)
- if (!isalnum((int) *ncp) && *ncp != '\'')
- break;
- /* Delimit end of word */
- if (*ncp)
- *ncp++ = '\0';
- /* Check word to see if it's the password */
- if (*cp) {
- if (!strcasecmp(pwstr, cp))
- return(KADM_INSECURE_PW);
- tcp = reverse(cp);
- if (!strcasecmp(pwstr, tcp))
- return(KADM_INSECURE_PW);
- cp = ncp;
- } else
- break;
- }
- return(0);
-}
-
-
-krb5_error_code
-kadm_approve_pw(rname, rinstance, rrealm, newpw, pwstring)
-char *rname;
-char *rinstance;
-char *rrealm;
-des_cblock newpw;
-char *pwstring;
-{
- int retval;
-#if NDBM_PW_CHECK
- static DBM *pwfile = NULL;
- datum passwd, entry;
-#endif
- struct passwd *ent;
-#ifdef HESIOD
- extern struct passwd *hes_getpwnam();
-#endif
-
- if (pwstring && !check_pw(newpw, pwstring))
- /*
- * Someone's trying to toy with us....
- */
- return(KADM_PW_MISMATCH);
- if (pwstring && (strlen(pwstring) < 5))
- return(KADM_INSECURE_PW);
-#if NDBM_PW_CHECK
- if (!pwfile) {
- pwfile = dbm_open(PW_CHECK_FILE, O_RDONLY, 0644);
- }
- if (pwfile) {
- passwd.dptr = (char *) newpw;
- passwd.dsize = 8;
- entry = dbm_fetch(pwfile, passwd);
- if (entry.dptr)
- return(KADM_INSECURE_PW);
- }
-#endif
- if (check_pw(newpw, rname) || check_pw(newpw, reverse(rname)))
- return(KADM_INSECURE_PW);
-#ifdef HESIOD
- ent = hes_getpwnam(rname);
-#else
- ent = getpwnam(rname);
-#endif
- if (ent && ent->pw_gecos) {
- if (pwstring)
- retval = str_check_gecos(ent->pw_gecos, pwstring);
- else
- retval = des_check_gecos(ent->pw_gecos, newpw);
- if (retval)
- return(retval);
- }
- return(0);
-}
-
-/*
- * This routine checks to see if a principal should be considered an
- * allowable service name which can be changed by kadm_change_srvtab.
- *
- * We do this check by using the ACL library. This makes the
- * (relatively) reasonable assumption that both the name and the
- * instance will not contain '.' or '@'.
- */
-static int kadm_check_srvtab(name, instance)
- char *name;
- char *instance;
-{
- char filename[MAXPATHLEN];
- extern char *acldir;
-
- (void) sprintf(filename, "%s%s", acldir, STAB_SERVICES_FILE);
- if (!acl_check(filename, name))
- return(KADM_NOT_SERV_PRINC);
-
- (void) sprintf(filename, "%s%s", acldir, STAB_HOSTS_FILE);
- if (acl_check(filename, instance))
- return(KADM_NOT_SERV_PRINC);
- return 0;
-}
-
-/*
- * This works around a bug in kadm5, since kadm5_free_key_data() is
- * actually not implemented. It abuses the knowledge that it's safe
- * to call free() on the keyblocks allocated by
- * kadm5_randkey_principal().
- */
-static void free_keyblocks(context, keyblocks, nkeys)
- krb5_context context;
- krb5_keyblock *keyblocks;
- int nkeys;
-{
- int i;
- for (i = 0; i < nkeys; i++) {
- krb5_free_keyblock_contents(context, &keyblocks[i]);
- }
- free(keyblocks);
-}
-
-/*
- * Routine to allow some people to change the key of a srvtab
- * principal to a random key, which the admin server will return to
- * the client.
- */
-krb5_error_code
-kadm_chg_srvtab(rname, rinstance, rrealm, values)
- char *rname; /* requestors name */
- char *rinstance; /* requestors instance */
- char *rrealm; /* requestors realm */
- Kadm_vals *values;
-{
- int isnew;
- krb5_principal inprinc;
- krb5_error_code retval;
- krb5_keyblock *keyblocks;
- int nkeys, i;
- kadm5_principal_ent_rec princ_ent;
-
- memset(&princ_ent, 0, sizeof (princ_ent)); /* XXX */
-
- if (!check_access(rname, rinstance, rrealm, STABACL)) {
- retval = (krb5_error_code) KADM_UNAUTH;
- goto err;
- }
- if (wildcard(rname) || wildcard(rinstance)) {
- retval = (krb5_error_code) KADM_ILL_WILDCARD;
- goto err;
- }
- retval = (krb5_error_code) kadm_check_srvtab(values->name,
- values->instance);
- if (retval)
- goto err;
-
- retval = krb5_425_conv_principal(kadm_context, values->name,
- values->instance,
- server_parm.krbrlm, &inprinc);
- if (retval)
- goto err;
- /*
- * OK, get the entry, and create it if it doesn't exist.
- */
- retval = kadm5_get_principal(kadm5_handle, inprinc, &princ_ent,
- KADM5_PRINCIPAL_NORMAL_MASK);
- switch (retval) {
- case KADM5_UNK_PRINC:
- isnew = 1;
- retval = krb5_copy_principal(kadm_context, inprinc,
- &princ_ent.principal);
- if (retval)
- goto err_princ;
-
- princ_ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
-
- retval = kadm5_create_principal(kadm5_handle, &princ_ent,
- KADM5_PRINCIPAL|KADM5_ATTRIBUTES,
- dummypw());
- if (retval)
- goto err_princ_ent;
- break;
- case 0:
- isnew = 0;
- break;
- default:
- goto err_princ;
- break;
- }
-
- /* randomize */
- retval = kadm5_randkey_principal(kadm5_handle, inprinc,
- &keyblocks, &nkeys);
- if (retval) {
- if (isnew)
- goto err_princ_ent;
- else
- goto err_princ;
- }
-
- if (isnew) {
- /* Allow tickets now, if we just created this principal. */
- princ_ent.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX;
- retval = kadm5_modify_principal(kadm5_handle, &princ_ent,
- KADM5_ATTRIBUTES);
- kadm5_free_principal_ent(kadm5_handle, &princ_ent);
- if (retval)
- goto err_princ;
- }
-
- for (i = 0; i < nkeys; i++) {
- /*
- * XXX kadm5_randkey_principal() doesn't actually generate
- * multiple keys for the DES_CBC_* enctypes; rather it makes
- * them all DES_CBC_CRC, thus preventing a service from using
- * DES_CBC_MD5, or something.
- */
- if (keyblocks[i].enctype == ENCTYPE_DES_CBC_CRC)
- break;
- }
- if (i == nkeys) {
- krb5_free_principal(kadm_context, inprinc);
- free_keyblocks(kadm_context, keyblocks, nkeys);
- syslog(LOG_ERR, "change_srvtab: DES_CBC_CRC key not found");
- return(KADM_NOENTRY); /* XXX not quite accurate */
- }
- if (keyblocks[i].length != 8) {
- krb5_free_principal(kadm_context, inprinc);
- free_keyblocks(kadm_context, keyblocks, nkeys);
- syslog(LOG_ERR, "change_srvtab: bad length for DES_CBC_CRC key");
- return(KADM_NOENTRY); /* XXX not quite accruate */
- }
-
- /*
- * Set up return values.
- */
- memcpy((char *)&values->key_low, keyblocks[i].contents, 4);
- memcpy((char *)&values->key_high, keyblocks[i].contents + 4, 4);
- values->key_low = htonl(values->key_low);
- values->key_high = htonl(values->key_high);
- free_keyblocks(kadm_context, keyblocks, nkeys);
- retval = kadm5_get_principal(kadm5_handle, inprinc, &princ_ent,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (retval)
- goto err_princ;
-
- values->exp_date = princ_ent.princ_expire_time;
- values->max_life = princ_ent.kvno; /* XXX kludge for backwards compat */
- memset(values->fields, 0, sizeof(values->fields));
- SET_FIELD(KADM_NAME, values->fields);
- SET_FIELD(KADM_INST, values->fields);
- SET_FIELD(KADM_EXPDATE, values->fields);
-#if 0
- SET_FIELD(KADM_ATTR, values->fields); /* XXX should we be doing this? */
-#endif
- SET_FIELD(KADM_MAXLIFE, values->fields);
- SET_FIELD(KADM_DESKEY, values->fields);
-
- kadm5_free_principal_ent(kadm5_handle, &princ_ent);
- krb5_free_principal(kadm_context, inprinc);
-
- syslog(LOG_INFO, "change_srvtab: service '%s.%s' %s by %s.%s@%s.",
- values->name, values->instance,
- isnew ? "created" : "changed",
- rname, rinstance, rrealm);
- return KADM_DATA;
-
-err_princ_ent:
- kadm5_free_principal_ent(kadm5_handle, &princ_ent);
-err_princ:
- krb5_free_principal(kadm_context, inprinc);
-err:
- syslog(LOG_ERR,
- "change_srvtab: FAILED changing '%s.%s' by '%s.%s@%s' (%s)",
- values->name, values->instance,
- rname, rinstance, rrealm, error_message(retval));
- return retval;
-}
+++ /dev/null
-/*
- * kadmin/v4server/kadm_ser_wrap.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Kerberos administration server-side support functions
- */
-
-
-#include <mit-copyright.h>
-/*
-kadm_ser_wrap.c
-unwraps wrapped packets and calls the appropriate server subroutine
-*/
-
-#include <stdio.h>
-#include <string.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <sys/types.h>
-#include "kadm_server.h"
-#include <kadm.h>
-#include <kadm_err.h>
-#include <krb_err.h>
-#include <syslog.h>
-
-#ifdef KADM5
-#include <kadm5/admin.h>
-#endif
-
-Kadm_Server server_parm;
-
-/*
-kadm_ser_init
-set up the server_parm structure
-*/
-#ifdef KADM5
-int
-kadm_ser_init(inter, realm, params)
- int inter; /* interactive or from file */
- char realm[];
- kadm5_config_params *params;
-#else
-int
-kadm_ser_init(inter, realm)
- int inter; /* interactive or from file */
- char realm[];
-#endif
-{
- struct servent *sep;
- struct hostent *hp;
- char hostname[MAXHOSTNAMELEN];
- char *mkey_name;
- krb5_error_code retval;
- int numfound = 1;
- krb5_boolean more;
- krb5_db_entry master_entry;
- krb5_key_data *kdatap;
-
- if (gethostname(hostname, sizeof(hostname)))
- return KADM_NO_HOSTNAME;
-
- (void) strcpy(server_parm.sname, PWSERV_NAME);
- (void) strcpy(server_parm.sinst, KRB_MASTER);
- if (strlen (realm) > REALM_SZ)
- return KADM_REALM_TOO_LONG;
- (void) strncpy(server_parm.krbrlm, realm, sizeof(server_parm.krbrlm)-1);
- server_parm.krbrlm[sizeof(server_parm.krbrlm) - 1] = '\0';
-
- if (krb5_425_conv_principal(kadm_context, server_parm.sname,
- server_parm.sinst, server_parm.krbrlm,
- &server_parm.sprinc))
- return KADM_NO_MAST;
- server_parm.admin_fd = -1;
- /* setting up the addrs */
- if ((sep = getservbyname(KADM_SNAME, "tcp")) == NULL)
- return KADM_NO_SERV;
- memset((char *)&server_parm.admin_addr, 0,sizeof(server_parm.admin_addr));
- server_parm.admin_addr.sin_family = AF_INET;
- if ((hp = gethostbyname(hostname)) == NULL)
- return KADM_NO_HOSTNAME;
- memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr,
- sizeof(server_parm.admin_addr.sin_addr.s_addr));
- server_parm.admin_addr.sin_port = sep->s_port;
- /* setting up the database */
- mkey_name = KRB5_KDB_M_NAME;
-
- server_parm.master_keyblock.enctype = params->enctype;
-
- retval = krb5_db_setup_mkey_name(kadm_context, mkey_name, realm,
- (char **) 0,
- &server_parm.master_princ);
- if (retval)
- return KADM_NO_MAST;
- krb5_db_fetch_mkey(kadm_context, server_parm.master_princ,
- server_parm.master_keyblock.enctype,
- (inter == 1), FALSE,
- params->stash_file,
- NULL,
- &server_parm.master_keyblock);
- if (retval)
- return KADM_NO_MAST;
- retval = krb5_db_verify_master_key(kadm_context, server_parm.master_princ,
- &server_parm.master_keyblock);
- if (retval)
- return KADM_NO_VERI;
- retval = krb5_db_get_principal(kadm_context, server_parm.master_princ,
- &master_entry, &numfound, &more);
- if (retval || more || !numfound)
- return KADM_NO_VERI;
-
- retval = krb5_dbe_find_enctype(kadm_context,
- &master_entry,
- -1, -1, -1,
- &kdatap);
- if (retval)
- return KRB5_PROG_KEYTYPE_NOSUPP;
- server_parm.max_life = master_entry.max_life;
- server_parm.max_rlife = master_entry.max_renewable_life;
- server_parm.expiration = master_entry.expiration;
- server_parm.mkvno = kdatap->key_data_kvno;
- /* don't set flags, as master has some extra restrictions
- (??? quoted from kdb_edit.c) */
- krb5_db_free_principal(kadm_context, &master_entry, numfound);
- return KADM_SUCCESS;
-}
-
-
-static void errpkt(dat, dat_len, code)
-u_char **dat;
-int *dat_len;
-int code;
-{
- krb5_ui_4 retcode;
- char *pdat;
-
- free((char *)*dat); /* free up req */
- *dat_len = KADM_VERSIZE + sizeof(krb5_ui_4);
- *dat = (u_char *) malloc((unsigned)*dat_len);
- if (!(*dat)) {
- syslog(LOG_ERR, "malloc(%d) returned null while in errpkt!", *dat_len);
- abort();
- }
- pdat = (char *) *dat;
- retcode = htonl((krb5_ui_4) code);
- (void) strncpy(pdat, KADM_ULOSE, KADM_VERSIZE);
- memcpy(&pdat[KADM_VERSIZE], (char *)&retcode, sizeof(krb5_ui_4));
- return;
-}
-
-/*
-kadm_ser_in
-unwrap the data stored in dat, process, and return it.
-*/
-int
-kadm_ser_in(dat,dat_len)
-u_char **dat;
-int *dat_len;
-{
- u_char *in_st; /* pointer into the sent packet */
- int in_len,retc; /* where in packet we are, for
- returns */
- krb5_ui_4 r_len; /* length of the actual packet */
- KTEXT_ST authent; /* the authenticator */
- AUTH_DAT ad; /* who is this, klink */
- krb5_ui_4 ncksum; /* checksum of encrypted data */
- des_key_schedule sess_sched; /* our schedule */
- MSG_DAT msg_st;
- u_char *retdat, *tmpdat;
- int retval, retlen;
-
- if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
- || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
- errpkt(dat, dat_len, KADM_BAD_VER);
- return KADM_BAD_VER;
- }
- in_len = KADM_VERSIZE;
- /* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
- || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
- || (*dat_len - r_len - KADM_VERSIZE -
- sizeof(krb5_ui_4) > sizeof(authent.dat))) {
- errpkt(dat, dat_len, KADM_LENGTH_ERROR);
- return KADM_LENGTH_ERROR;
- }
-
- in_len += retc;
- authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
- memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
- authent.mbz = 0;
- /* service key should be set before here */
- retc = krb_rd_req(&authent, server_parm.sname, server_parm.sinst,
- server_parm.recv_addr.sin_addr.s_addr, &ad, (char *)0);
- if (retc)
- {
- errpkt(dat, dat_len,retc + krb_err_base);
- return retc + krb_err_base;
- }
-
-#define clr_cli_secrets() {memset((char *)sess_sched, 0, sizeof(sess_sched)); memset((char *)ad.session, 0, sizeof(ad.session));}
-
- in_st = *dat + *dat_len - r_len;
-#ifdef NOENCRYPTION
- ncksum = 0;
-#else
- ncksum = quad_cksum(in_st, (krb5_ui_4 *)0, (long) r_len, 0, &ad.session);
-#endif
- if (ncksum!=ad.checksum) { /* yow, are we correct yet */
- clr_cli_secrets();
- errpkt(dat, dat_len,KADM_BAD_CHK);
- return KADM_BAD_CHK;
- }
-#ifdef NOENCRYPTION
- memset(sess_sched, 0, sizeof(sess_sched));
-#else
- des_key_sched(ad.session, sess_sched);
-#endif
-
- retc = (int) krb_rd_priv(in_st, r_len, sess_sched, &ad.session,
- &server_parm.recv_addr,
- &server_parm.admin_addr, &msg_st);
- if (retc) {
- clr_cli_secrets();
- errpkt(dat, dat_len,retc + krb_err_base);
- return retc + krb_err_base;
- }
- switch (msg_st.app_data[0]) {
- case CHANGE_PW:
- retval = kadm_ser_cpw(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
- case ADD_ENT:
- retval = kadm_ser_add(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
- case MOD_ENT:
- retval = kadm_ser_mod(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
- case CHECK_PW:
- retval = kadm_ser_ckpw(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
-#ifndef KADM5
- case DEL_ENT:
- retval = kadm_ser_del(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
-#endif /* KADM5 */
- case GET_ENT:
- retval = kadm_ser_get(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
- case CHG_STAB:
- retval = kadm_ser_stab(msg_st.app_data+1,(int) msg_st.app_length,&ad,
- &retdat, &retlen);
- break;
- default:
- clr_cli_secrets();
- errpkt(dat, dat_len, KADM_NO_OPCODE);
- return KADM_NO_OPCODE;
- }
- /* Now seal the response back into a priv msg */
- free((char *)*dat);
- tmpdat = (u_char *) malloc((unsigned)(retlen + KADM_VERSIZE +
- sizeof(krb5_ui_4)));
- if (!tmpdat) {
- clr_cli_secrets();
- syslog(LOG_ERR, "malloc(%d) returned null while in kadm_ser_in!",
- retlen + KADM_VERSIZE + sizeof(krb5_ui_4));
- errpkt(dat, dat_len, KADM_NOMEM);
- return KADM_NOMEM;
- }
- (void) strncpy((char *)tmpdat, KADM_VERSTR, KADM_VERSIZE);
- retval = htonl((krb5_ui_4)retval);
- memcpy((char *)tmpdat + KADM_VERSIZE, (char *)&retval, sizeof(krb5_ui_4));
- if (retlen) {
- memcpy((char *)tmpdat + KADM_VERSIZE + sizeof(krb5_ui_4), (char *)retdat,
- retlen);
- free((char *)retdat);
- }
- /* slop for mk_priv stuff */
- *dat = (u_char *) malloc((unsigned) (retlen + KADM_VERSIZE +
- sizeof(krb5_ui_4) + 200));
- if ((*dat_len = krb_mk_priv(tmpdat, *dat,
- (u_long) (retlen + KADM_VERSIZE +
- sizeof(krb5_ui_4)),
- sess_sched,
- &ad.session, &server_parm.admin_addr,
- &server_parm.recv_addr)) < 0) {
- clr_cli_secrets();
- errpkt(dat, dat_len, KADM_NO_ENCRYPT);
- return KADM_NO_ENCRYPT;
- }
- clr_cli_secrets();
- return KADM_SUCCESS;
-}
+++ /dev/null
-/*
- * kadmin/v4server/kadm_server.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Kerberos administration server-side subroutines
- */
-
-
-#include <mit-copyright.h>
-
-#include "k5-int.h"
-
-#include <stdio.h>
-#include <string.h>
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#ifdef TIME_WITH_SYS_TIME
-#include <time.h>
-#endif
-#else
-#include <time.h>
-#endif
-#include <syslog.h>
-
-#ifdef KADM5
-#include <com_err.h>
-#include <kadm5/admin.h>
-#include <kadm5/chpass_util_strings.h>
-#include <krb5/kdb.h>
-extern void *kadm5_handle;
-#endif
-
-#include <kadm.h>
-#include <kadm_err.h>
-#include "kadm_server.h"
-
-extern krb5_context kadm_context;
-int fascist_cpw = 0; /* Be fascist about insecure passwords? */
-
-char pw_required[] = "The version of kpasswd that you are using is not compatible with the\nOpenV*Secure V4 Administration Server. Please contact your security\nadministrator.\n\n";
-
-char bad_pw_err[] =
- "\007\007\007ERROR: Insecure password not accepted. Please choose another.\n\n";
-
-char bad_pw_warn[] =
- "\007\007\007WARNING: You have chosen an insecure password. You may wish to\nchoose a better password.\n\n";
-
-char check_pw_msg[] =
- "You have entered an insecure password. You should choose another.\n\n";
-
-char pw_blurb[] =
-"A good password is something which is easy for you to remember, but that\npeople who know you won't easily guess; so don't use your name, or your\ndog's name, or a word from the dictionary. Passwords should be at least\n6 characters long, and may contain UPPER- and lower-case letters,\nnumbers, or punctuation. A good password can be:\n\n -- some initials, like \"GykoR-66\" for \"Get your kicks on Rte 66.\"\n -- an easily pronounced nonsense word, like \"slaRooBey\" or \"krang-its\"\n -- a mis-spelled phrase, like \"2HotPeetzas\" or \"ItzAGurl\"\n\nPlease Note: It is important that you do not tell ANYONE your password,\nincluding your friends, or even people from Athena or Information\nSystems. Remember, *YOU* are assumed to be responsible for anything\ndone using your password.\n";
-
-/* from V4 month_sname.c -- was not part of API */
-/*
- * Given an integer 1-12, month_sname() returns a string
- * containing the first three letters of the corresponding
- * month. Returns 0 if the argument is out of range.
- */
-
-static char *month_sname(n)
- int n;
-{
- static char *name[] = {
- "Jan","Feb","Mar","Apr","May","Jun",
- "Jul","Aug","Sep","Oct","Nov","Dec"
- };
- return((n < 1 || n > 12) ? 0 : name [n-1]);
-}
-
-/* from V4 log.c -- was not part of API */
-
-/*
- * krb_log() is used to add entries to the logfile (see krb_set_logfile()
- * below). Note that it is probably not portable since it makes
- * assumptions about what the compiler will do when it is called
- * with less than the correct number of arguments which is the
- * way it is usually called.
- *
- * The log entry consists of a timestamp and the given arguments
- * printed according to the given "format".
- *
- * The log file is opened and closed for each log entry.
- *
- * The return value is undefined.
- */
-
-/* static char *log_name = KRBLOG; */
-/* KRBLOG is in the V4 klog.h but may not correspond to anything installed. */
-static char *log_name = KADM_SYSLOG;
-
-static void krb_log(format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0)
- char *format;
- char *a1,*a2,*a3,*a4,*a5,*a6,*a7,*a8,*a9,*a0;
-{
- FILE *logfile;
- time_t now;
- struct tm *tm;
-
- if ((logfile = fopen(log_name,"a")) == NULL)
- return;
-
- (void) time(&now);
- tm = localtime(&now);
-
- fprintf(logfile,"%2d-%s-%d %02d:%02d:%02d ",tm->tm_mday,
- month_sname(tm->tm_mon + 1),1900+tm->tm_year,
- tm->tm_hour, tm->tm_min, tm->tm_sec);
- fprintf(logfile,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0);
- fprintf(logfile,"\n");
- (void) fclose(logfile);
- return;
-}
-
-
-/*
-kadm_ser_cpw - the server side of the change_password routine
- recieves : KTEXT, {key}
- returns : CKSUM, RETCODE
- acl : caller can change only own password
-
-Replaces the password (i.e. des key) of the caller with that specified in key.
-Returns no actual data from the master server, since this is called by a user
-*/
-int
-kadm_ser_cpw(dat, len, ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- krb5_int32 keylow, keyhigh;
- char pword[MAX_KPW_LEN];
- int no_pword = 0;
- des_cblock newkey;
- int status, stvlen = 0;
- int retval;
- extern int kadm_approve_pw();
-#ifdef KADM5
- kadm5_principal_ent_rec princ_ent;
- kadm5_policy_ent_rec pol_ent;
- krb5_principal user_princ;
- char msg_ret[1024], *time_string, *ptr;
- const char *msg_ptr;
- krb5_int32 now;
- time_t until;
- krb5_keyblock newkb;
-#endif
-
- /* take key off the stream, and change the database */
-
- if ((status = stv_long(dat, &keyhigh, 0, len)) < 0)
- return(KADM_LENGTH_ERROR);
- stvlen += status;
- if ((status = stv_long(dat, &keylow, stvlen, len)) < 0)
- return(KADM_LENGTH_ERROR);
- stvlen += status;
- if ((stvlen = stv_string(dat, pword, stvlen, sizeof(pword), len)) < 0) {
- no_pword++;
- pword[0]='\0';
- }
- stvlen += status;
-
- keylow = ntohl(keylow);
- keyhigh = ntohl(keyhigh);
- memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4);
- memcpy((char *)newkey, (char *)&keylow, 4);
-
- retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
- newkey, no_pword ? 0 : pword);
- if (retval) {
- if (retval == KADM_PW_MISMATCH) {
- /*
- * Very strange!!! This means that the cleartext
- * password which was sent and the DES cblock
- * didn't match!
- */
- syslog(LOG_ERR, "'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
- ad->pname, ad->pinst, ad->prealm);
- return(retval);
- }
- if (fascist_cpw) {
- *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
- *datout = (u_char *) malloc(*outlen);
- if (*datout) {
- strcpy((char *) *datout, bad_pw_err);
- strcat((char *) *datout, pw_blurb);
- } else
- *outlen = 0;
- syslog(LOG_ERR, "'%s.%s@%s' tried to use an insecure password in changepw",
- ad->pname, ad->pinst, ad->prealm);
-#ifdef notdef
- /* For debugging only, probably a bad idea */
- if (!no_pword)
- (void) krb_log("The password was %s\n", pword);
-#endif
- return(retval);
- } else {
- *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
- *datout = (u_char *) malloc(*outlen);
- if (*datout) {
- strcpy((char *) *datout, bad_pw_warn);
- strcat((char *) *datout, pw_blurb);
- } else
- *outlen = 0;
- syslog(LOG_ERR, "'%s.%s@%s' used an insecure password in changepw",
- ad->pname, ad->pinst, ad->prealm);
- }
- } else {
- *datout = 0;
- *outlen = 0;
- }
-
-#ifdef KADM5
- if (no_pword)
- syslog(LOG_WARNING,
- "Old-style change password request from '%s.%s@%s'!",
- ad->pname, ad->pinst, ad->prealm);
- else {
- /*
- * We don't use the client-provided key itself, if there is a
- * password provided.
- */
- keylow = keyhigh = 0;
- memset(newkey, 0, sizeof(newkey));
- }
-
- syslog(LOG_INFO, "'%s.%s@%s' wants to change its password",
- ad->pname, ad->pinst, ad->prealm);
- if ((krb5_425_conv_principal(kadm_context, ad->pname,
- *ad->pinst ? ad->pinst : 0,
- ad->prealm, &user_princ))) {
- /* this should never happen */
- memset(newkey, 0, sizeof(newkey));
- return KADM_NOENTRY;
- }
-
- *outlen = 0;
-
- retval = krb5_timeofday(kadm_context, &now);
- if (retval) {
- msg_ptr = error_message(retval);
- goto send_response;
- }
-
- /* Use the default mask for now. */
- retval = kadm5_get_principal(kadm5_handle, user_princ,
- &princ_ent,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (retval != 0) {
- msg_ptr = error_message(retval);
- goto send_response;
- }
-
- /*
- * This daemon necessarily has the modify privilege, so
- * kadm5_chpass_principal will allow it to violate the
- * policy's minimum lifetime. Since that's A Bad Thing, we need
- * to enforce it ourselves. Unfortunately, this means we are
- * duplicating code from both ovsec_adm_server and
- * kadm5_chpass_util().
- */
- if (princ_ent.aux_attributes & KADM5_POLICY) {
- retval = kadm5_get_policy(kadm5_handle,
- princ_ent.policy,
- &pol_ent);
- if (retval != 0) {
- (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent);
- msg_ptr = error_message(retval);
- goto send_response;
- }
-
- /* make "now" a boolean, true == too soon */
- now = ((now - princ_ent.last_pwd_change) < pol_ent.pw_min_life);
-
- (void) kadm5_free_policy_ent(kadm5_handle, &pol_ent);
-
- if(now && !(princ_ent.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent);
- retval = CHPASS_UTIL_PASSWORD_TOO_SOON;
-
- until = princ_ent.last_pwd_change + pol_ent.pw_min_life;
- time_string = ctime(&until);
-
- if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
- *ptr = '\0';
-
- sprintf(msg_ret, error_message(CHPASS_UTIL_PASSWORD_TOO_SOON),
- time_string);
- msg_ptr = msg_ret;
-
- goto send_response;
- }
- }
-
- (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent);
-
- if (no_pword) {
- newkb.magic = KV5M_KEYBLOCK;
- if ((newkb.contents = (krb5_octet *)malloc(8)) == NULL) {
- retval = KADM_NOMEM;
- goto send_response;
- }
- newkb.length = 8;
- newkb.enctype = ENCTYPE_DES_CBC_CRC;
- memcpy((char *)newkb.contents, newkey, 8);
- retval = kadm5_setv4key_principal(kadm5_handle, user_princ,
- &newkb);
- memset(newkb.contents, 0, 8);
- *msg_ret = '\0';
- } else {
- retval = kadm5_chpass_principal_util(kadm5_handle, user_princ,
- pword, NULL, msg_ret,
- sizeof(msg_ret));
- msg_ptr = msg_ret;
- }
- (void) krb5_free_principal(kadm_context, user_princ);
-
-send_response:
-
- memset(newkey, 0, sizeof(newkey));
- retval = convert_kadm5_to_kadm(retval);
-
- if (retval) {
- /* don't send message on success because kpasswd.v4 will */
- /* print "password changed" too */
- *outlen = strlen(msg_ptr)+2;
- *datout = (u_char *) malloc(*outlen);
- if (*datout) {
- strcpy(*datout, msg_ptr);
- strcat(*datout, "\n");
- } else
- *outlen = 0;
- } else {
- syslog(LOG_INFO,
- "'%s.%s@%s' password changed.",
- ad->pname, ad->pinst, ad->prealm);
- }
- if (retval == KADM_INSECURE_PW) {
- syslog(LOG_ERR,
- "'%s.%s@%s' tried to use an insecure password in changepw",
- ad->pname, ad->pinst, ad->prealm);
- }
-#else /* KADM5 */
- retval = kadm_change(ad->pname, ad->pinst, ad->prealm, newkey);
- keylow = keyhigh = 0;
- memset(newkey, 0, sizeof(newkey));
-#endif /* KADM5 */
-
- return retval;
-}
-
-/*
-kadm_ser_add - the server side of the add_entry routine
- recieves : KTEXT, {values}
- returns : CKSUM, RETCODE, {values}
- acl : su, sms (as alloc)
-
-Adds and entry containing values to the database
-returns the values of the entry, so if you leave certain fields blank you will
- be able to determine the default values they are set to
-*/
-int
-kadm_ser_add(dat,len,ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- Kadm_vals values, retvals;
- int status;
-
- if ((status = stream_to_vals(dat, &values, len)) < 0)
- return(KADM_LENGTH_ERROR);
- if ((status = kadm_add_entry(ad->pname, ad->pinst, ad->prealm,
- &values, &retvals)) == KADM_DATA) {
- *outlen = vals_to_stream(&retvals,datout);
- retvals.key_low = retvals.key_high = 0;
- return KADM_SUCCESS;
- } else {
- *outlen = 0;
- return status;
- }
-}
-
-#ifndef KADM5
-/*
-kadm_ser_del - the server side of the del_entry routine
- recieves : KTEXT, {values}
- returns : CKSUM, RETCODE, {values}
- acl : su, sms (as alloc)
-
-Deletes an entry containing values to the database
-returns the values of the entry, so if you leave certain fields blank you will
- be able to determine the default values they are set to
-*/
-kadm_ser_del(dat,len,ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- Kadm_vals values, retvals;
- int status;
-
- if ((status = stream_to_vals(dat, &values, len)) < 0)
- return(KADM_LENGTH_ERROR);
- if ((status = kadm_del_entry(ad->pname, ad->pinst, ad->prealm,
- &values, &retvals)) == KADM_DATA) {
- *outlen = vals_to_stream(&retvals,datout);
- retvals.key_low = retvals.key_high = 0;
- return KADM_SUCCESS;
- } else {
- *outlen = 0;
- return status;
- }
-}
-
-#endif /* !KADM5 */
-
-/*
-kadm_ser_mod - the server side of the mod_entry routine
- recieves : KTEXT, {values, values}
- returns : CKSUM, RETCODE, {values}
- acl : su, sms (as register or dealloc)
-
-Modifies all entries corresponding to the first values so they match the
- second values.
-returns the values for the changed entries
-*/
-int
-kadm_ser_mod(dat,len,ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- Kadm_vals vals1, vals2, retvals;
- int wh;
- int status;
-
- if ((wh = stream_to_vals(dat, &vals1, len)) < 0)
- return KADM_LENGTH_ERROR;
- if ((status = stream_to_vals(dat+wh,&vals2, len-wh)) < 0)
- return KADM_LENGTH_ERROR;
- if ((status = kadm_mod_entry(ad->pname, ad->pinst, ad->prealm, &vals1,
- &vals2, &retvals)) == KADM_DATA) {
- *outlen = vals_to_stream(&retvals,datout);
- retvals.key_low = retvals.key_high = 0;
- return KADM_SUCCESS;
- } else {
- *outlen = 0;
- return status;
- }
-}
-
-/*
-kadm_ser_get
- recieves : KTEXT, {values, flags}
- returns : CKSUM, RETCODE, {count, values, values, values}
- acl : su
-
-gets the fields requested by flags from all entries matching values
-returns this data for each matching recipient, after a count of how many such
- matches there were
-*/
-int
-kadm_ser_get(dat,len,ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- Kadm_vals values, retvals;
- u_char fl[FLDSZ];
- int loop,wh;
- int status;
-
- if ((wh = stream_to_vals(dat, &values, len)) < 0)
- return KADM_LENGTH_ERROR;
- if (wh + FLDSZ > len)
- return KADM_LENGTH_ERROR;
- for (loop=FLDSZ-1; loop>=0; loop--)
- fl[loop] = dat[wh++];
- if ((status = kadm_get_entry(ad->pname, ad->pinst, ad->prealm,
- &values, fl, &retvals)) == KADM_DATA) {
- *outlen = vals_to_stream(&retvals,datout);
- retvals.key_low = retvals.key_high = 0;
- return KADM_SUCCESS;
- } else {
- *outlen = 0;
- return status;
- }
-}
-
-/*
-kadm_ser_ckpw - the server side of the check_password routine
- recieves : KTEXT, {key}
- returns : CKSUM, RETCODE
- acl : none
-
-Checks to see if the des key passed from the caller is a "secure" password.
-*/
-int
-kadm_ser_ckpw(dat, len, ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- krb5_ui_4 keylow, keyhigh;
- char pword[MAX_KPW_LEN];
- int no_pword = 0;
- des_cblock newkey;
- int stvlen = 0,status;
- int retval;
- extern int kadm_approve_pw();
-
- /* take key off the stream, and check it */
-
- if ((status = stv_long(dat, &keyhigh, 0, len)) < 0)
- return(KADM_LENGTH_ERROR);
- stvlen += status;
- if ((status = stv_long(dat, &keylow, stvlen, len)) < 0)
- return(KADM_LENGTH_ERROR);
- stvlen += status;
- if ((status = stv_string(dat, pword, stvlen, sizeof(pword), len)) < 0) {
- no_pword++;
- pword[0]='\0';
- }
- stvlen += status;
-
- keylow = ntohl(keylow);
- keyhigh = ntohl(keyhigh);
- memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4);
- memcpy((char *)newkey, (char *)&keylow, 4);
- keylow = keyhigh = 0;
- retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm, newkey,
- no_pword ? 0 : pword);
- memset(newkey, 0, sizeof(newkey));
- if (retval) {
- *outlen = strlen(check_pw_msg)+strlen(pw_blurb)+1;
- *datout = (u_char *) malloc(*outlen);
- if (*datout) {
- strcpy((char *) *datout, check_pw_msg);
- strcat((char *) *datout, pw_blurb);
- } else
- *outlen = 0;
- (void) krb_log("'%s.%s@%s' sent an insecure password to be checked",
- ad->pname, ad->pinst, ad->prealm);
- return(retval);
- } else {
- *datout = 0;
- *outlen = 0;
- (void) krb_log("'%s.%s@%s' sent a secure password to be checked",
- ad->pname, ad->pinst, ad->prealm);
- }
- return(0);
-}
-
-/*
-kadm_ser_stab - the server side of the change_srvtab routine
- recieves : KTEXT, {values}
- returns : CKSUM, RETCODE, {values}
- acl : su, sms (as register or dealloc)
-
-Creates or modifies the specified service principal to have a random
-key, which is sent back to the client. The key version is returned in
-the max_life field of the values structure. It's a hack, but it's a
-backwards compatible hack....
-*/
-int
-kadm_ser_stab(dat, len, ad, datout, outlen)
-u_char *dat;
-int len;
-AUTH_DAT *ad;
-u_char **datout;
-int *outlen;
-{
- Kadm_vals values;
- int status;
-
- if ((status = stream_to_vals(dat, &values, len)) < 0)
- return KADM_LENGTH_ERROR;
- status = kadm_chg_srvtab(ad->pname, ad->pinst, ad->prealm, &values);
- if (status == KADM_DATA) {
- *outlen = vals_to_stream(&values,datout);
- values.key_low = values.key_high = 0;
- return KADM_SUCCESS;
- } else {
- *outlen = 0;
- return status;
- }
-}
+++ /dev/null
-/*
- * kadmin/v4server/kadm_server.h
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Definitions for Kerberos administration server & client
- */
-
-#ifndef KADM_SERVER_DEFS
-#define KADM_SERVER_DEFS
-
-#include <mit-copyright.h>
-/*
- * kadm_server.h
- * Header file for the fourth attempt at an admin server
- * Doug Church, December 28, 1989, MIT Project Athena
- * ps. Yes that means this code belongs to athena etc...
- * as part of our ongoing attempt to copyright all greek names
- */
-
-#include <sys/types.h>
-#include <krb.h>
-#include <des.h>
-#include "k5-int.h"
-#ifdef KADM5
-#include <kadm5/admin.h>
-#endif
-#include "kadm.h"
-#include "krb_db.h"
-
-typedef struct {
- struct sockaddr_in admin_addr;
- struct sockaddr_in recv_addr;
- int recv_addr_len;
- int admin_fd; /* our link to clients */
- char sname[ANAME_SZ];
- char sinst[INST_SZ];
- char krbrlm[REALM_SZ];
- krb5_principal sprinc;
- krb5_principal master_princ;
- krb5_keyblock master_keyblock;
- krb5_deltat max_life;
- krb5_deltat max_rlife;
- krb5_timestamp expiration;
- krb5_flags flags;
- krb5_kvno mkvno;
-} Kadm_Server;
-
-#define ADD_ACL_FILE "/v4acl.add"
-#define GET_ACL_FILE "/v4acl.get"
-#define MOD_ACL_FILE "/v4acl.mod"
-#define DEL_ACL_FILE "/v4acl.del"
-#define STAB_ACL_FILE "/v4acl.srvtab"
-#define STAB_SERVICES_FILE "/v4stab_services"
-#define STAB_HOSTS_FILE "/v4stab_bad_hosts"
-
-extern krb5_context kadm_context;
-
-/* kadm_ser_wrap.c */
-#ifdef KADM5
-extern int kadm_ser_init(int, char *, kadm5_config_params *);
-#else
-extern int kadm_ser_init(int, char *);
-#endif
-extern int kadm_ser_in(u_char **, int *);
-
-/* kadm_server.c */
-int kadm_ser_cpw(u_char *, int, AUTH_DAT *, u_char **, int *);
-int kadm_ser_add(u_char *, int, AUTH_DAT *, u_char **, int *);
-int kadm_ser_del(u_char *, int, AUTH_DAT *, u_char **, int *);
-int kadm_ser_mod(u_char *, int, AUTH_DAT *, u_char **, int *);
-int kadm_ser_get(u_char *, int, AUTH_DAT *, u_char **, int *);
-int kadm_ser_ckpw(u_char *, int, AUTH_DAT *, u_char **, int *);
-int kadm_ser_stab(u_char *, int, AUTH_DAT *, u_char **, int *);
-
-/* kadm_funcs.c */
-krb5_error_code kadm_add_entry(char *, char *, char *,
- Kadm_vals *, Kadm_vals *);
-krb5_error_code kadm_del_entry(char *, char *, char *,
- Kadm_vals *, Kadm_vals *);
-krb5_error_code kadm_get_entry(char *, char *, char *,
- Kadm_vals *, u_char *, Kadm_vals *);
-krb5_error_code kadm_mod_entry(char *, char *, char *,
- Kadm_vals *, Kadm_vals *, Kadm_vals *);
-krb5_error_code kadm_change (char *, char *, char *, des_cblock);
-krb5_error_code kadm_approve_pw(char *, char *, char *, des_cblock, char *);
-krb5_error_code kadm_chg_srvtab(char *, char *, char *, Kadm_vals *);
-
-/* kadm_supp.c */
-void prin_vals(Kadm_vals *);
-void kadm_prin_to_vals(u_char *, Kadm_vals *, Principal *);
-void kadm_vals_to_prin(u_char *, Principal *, Kadm_vals *);
-
-/* acl_files.c */
-int acl_add(char *, char *);
-int acl_delete(char *, char *);
-int acl_check(char *, char *);
-void acl_canonicalize_principal(char *, char *);
-int acl_exact_match(char *, char *);
-int acl_initialize(char *, int);
-
-/* admin_server.c */
-#ifdef KADM5
-krb5_int32 convert_kadm5_to_kadm(krb5_int32);
-#endif
-
-#endif /* KADM_SERVER_DEFS */
+++ /dev/null
-/*
- * kadmin/v4server/kadm_supp.c
- *
- * Copyright 1988 by the Massachusetts Institute of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * Support functions for Kerberos administration server & clients
- */
-
-
-#include <mit-copyright.h>
-#include <stdio.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <sys/param.h>
-#include <string.h>
-
-/*
- kadm_supp.c
- this holds the support routines for the kerberos administration server
-
- error: prints out a kadm error message, returns
- fatal: prints out a kadm fatal error message, exits
- prin_vals: prints out data associated with a Principal in the vals
- structure
-*/
-
-#include "kadm.h"
-#include "krb_db.h"
-#include "kadm_server.h"
-
-/*
-prin_vals:
- recieves : a vals structure
-*/
-void prin_vals(vals)
-Kadm_vals *vals;
-{
- time_t t = vals->exp_date;
- printf("Info in Database for %s.%s:\n", vals->name, vals->instance);
- printf(" Max Life: %d Exp Date: %s\n",vals->max_life,
- asctime(localtime(&t)));
- printf(" Attribs: %.2x key: %ld %ld\n",vals->attributes,
- vals->key_low, vals->key_high);
-}
-
-#ifdef notdef
-nierror(s)
-int s;
-{
- extern char *error_message();
- printf("Kerberos admin server loses..... %s\n",error_message(s));
- return(s);
-}
-#endif
-
-/* kadm_prin_to_vals takes a fields arguments, a Kadm_vals and a Principal,
- it copies the fields in Principal specified by fields into Kadm_vals,
- i.e from old to new */
-
-void
-kadm_prin_to_vals(fields, new, old)
-u_char fields[FLDSZ];
-Kadm_vals *new;
-Principal *old;
-{
- memset((char *)new, 0, sizeof(*new));
- if (IS_FIELD(KADM_NAME,fields)) {
- (void) strncpy(new->name, old->name, ANAME_SZ);
- SET_FIELD(KADM_NAME, new->fields);
- }
- if (IS_FIELD(KADM_INST,fields)) {
- (void) strncpy(new->instance, old->instance, INST_SZ);
- SET_FIELD(KADM_INST, new->fields);
- }
- if (IS_FIELD(KADM_EXPDATE,fields)) {
- new->exp_date = old->exp_date;
- SET_FIELD(KADM_EXPDATE, new->fields);
- }
- if (IS_FIELD(KADM_ATTR,fields)) {
- new->attributes = old->attributes;
- SET_FIELD(KADM_MAXLIFE, new->fields);
- }
- if (IS_FIELD(KADM_MAXLIFE,fields)) {
- new->max_life = old->max_life;
- SET_FIELD(KADM_MAXLIFE, new->fields);
- }
- if (IS_FIELD(KADM_DESKEY,fields)) {
- new->key_low = old->key_low;
- new->key_high = old->key_high;
- SET_FIELD(KADM_DESKEY, new->fields);
- }
-}
-
-void
-kadm_vals_to_prin(fields, new, old)
-u_char fields[FLDSZ];
-Principal *new;
-Kadm_vals *old;
-{
-
- memset((char *)new, 0, sizeof(*new));
- if (IS_FIELD(KADM_NAME,fields))
- (void) strncpy(new->name, old->name, ANAME_SZ);
- if (IS_FIELD(KADM_INST,fields))
- (void) strncpy(new->instance, old->instance, INST_SZ);
- if (IS_FIELD(KADM_EXPDATE,fields))
- new->exp_date = old->exp_date;
- if (IS_FIELD(KADM_ATTR,fields))
- new->attributes = old->attributes;
- if (IS_FIELD(KADM_MAXLIFE,fields))
- new->max_life = old->max_life;
- if (IS_FIELD(KADM_DESKEY,fields)) {
- new->key_low = old->key_low;
- new->key_high = old->key_high;
- }
-}
+++ /dev/null
-2003-01-07 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.ov: Deleted.
-
-2002-08-29 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in: Revert $(S)=>/ change, for Windows support.
-
-2002-08-23 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
-
-1999-08-31 Ken Raeburn <raeburn@mit.edu>
-
- * lib/helpers.exp (unexpire): Move expiration date ahead a few
- decades.
-
- * Makefile.in (check- check-ok): Disable tests until the tests get
- updated for non-OVSEC mode, etc.
-
-1998-11-13 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Set the myfulldir and mydir variables (which are
- relative to buildtop and thisconfigdir, respectively.)
-
-Tue Mar 3 10:30:11 1998 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * Makefile.in (check): Use the variable DO_V4_TEST to distinguish
- from the other kadmin testing.
-
-Fri Feb 27 23:32:38 1998 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Changed thisconfigdir to point at the kadmin
- directory, since we've moved all of the configure.in
- tests to the toplevel kadmin configure.in
-
-Wed Feb 18 16:01:35 1998 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in: Remove trailing slash from thisconfigdir. Fix up
- BUILDTOP for new conventions.
-
-Mon Feb 2 17:02:29 1998 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile
-
-Sat Feb 22 15:12:17 1997 Ezra Peisach <epeisach@mit.edu>
-
- * configure.in: Do not run test suite unless Athena compatibility
- is specified as well as tcl, Perl, runtest.
-
- * Makefile.in (check): Do not run tests unless really setup to do so.
-
-Mon Nov 11 20:51:58 1996 Tom Yu <tlyu@mit.edu>
-
- * configure.in: Add AC_CANONICAL_HOST to deal with new pre.in.
-
-Mon Oct 21 17:19:41 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * v4server.0/setup-srvtab.exp: use KRB5_KTNAME instead of
- ovsec_adm.srvtab explicitly
-
- * lib/helpers.exp: don't specify -k ovsec_adm.srvtab on the
- command line, since kadmind4 now uses the config param value
- [krb5-admin/30]
-
- * v4server.1/access.exp: start kadmin by cd'ing to the directory
- first, so ps can find the process
-
-Thu Sep 26 17:52:21 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * Makefile.in, remove_changepw_perms.sh, lib/helpers.exp,
- vrserver.0/setup-srvtab.exp, v4server.1/access.exp: use $K5ROOT
- instead of /krb5
-
-Mon Sep 23 15:34:56 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * adapt to krb5 build system: create Makefile.in, configure.in,
- update paths in unix.exp, move helpers.exp to lib
-
-Tue Aug 20 13:33:29 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * Makefile.ov, helpers.exp, v4server.1/change-password.exp: use
- kadmin.local instead of kdb5_edit
-
-Mon Jul 15 17:15:51 1996 Marc Horowitz <marc@mit.edu>
-
- * helpers.exp (exp_prog): the check for non-newline-terminated
- stdout was causing failures where there weren't any. Barry
- doesn't remember why this was here to begin with.
- * Makefile.ov (unit-test-body), helpers.exp: some versions of
- runtest do not like digits in command-line variable names.
- * Makefile.ov (unit-test-body), helpers.exp: ovsec_v4adm_server
- renamed to kadmind4
- * getpid.sh: grep out any programs with expect or kadmind4 in
- their names.
-
-
+++ /dev/null
-thisconfigdir=./../..
-myfulldir=kadmin/v4server/unit-test
-mydir=v4server/unit-test
-BUILDTOP=$(REL)..$(S)..$(S)..
-#
-# $Id$
-#
-
-check:: check-@DO_V4_TEST@
-
-# When the tests get updated, nuke this and delete "-not" from the next two.
-check- check-ok::
- @echo "+++"
- @echo "+++ WARNING: kadmin/v4server unit tests out of date; not run."
- @echo "+++"
-
-check--not::
- @echo "+++"
- @echo "+++ WARNING: kadmin/v4server unit tests not run."
- @echo "+++ Either Athena compatibility, tcl, runtest, or Perl is unavailable."
- @echo "+++"
-
-check-ok-not unit-test:: unit-test-setup unit-test-body unit-test-cleanup
-
-unit-test-setup::
- $(ENV_SETUP) $(START_SERVERS_LOCAL) -v4files -kdcport 750 -keysalt des-cbc-crc:v4
-
-unit-test-body::
- $(ENV_SETUP) $(RUNTEST) VFOURSERVER=../kadmind4 --tool v4server
-
-unit-test-cleanup::
- $(ENV_SETUP) $(STOP_SERVERS_LOCAL) -v4files
+++ /dev/null
-Mon Oct 21 17:20:04 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * unix.exp: specify kadmind's path and name separately, to make it
- easy to cd to the path before exec'ing
-
-Tue Aug 20 13:34:07 1996 Barry Jaspan <bjaspan@mit.edu>
-
- * unix.exp: use kadmin.local instead of kdb5_edit
-
-Mon Jul 15 17:18:56 1996 Marc Horowitz <marc@mit.edu>
-
- * unix.exp: some versions of runtest do not like digits in
- command-line variable names. ovsec_edit_keytab renamed to
- kadm5_keytab
-
-
+++ /dev/null
-global env
-
-set kill /bin/kill
-
-if {[file exists /bin/sleep]} {
- set sleep /bin/sleep
-} else {
- set sleep /usr/bin/sleep
-}
-
-set kpasswd_v4 /usr/athena/bin/kpasswd
-set ovpasswd $env(TOP)/kpasswd/kpasswd
-set kadmin_local $env(TOP)/cli/kadmin.local
-set remove_changepw_perms $srcdir/remove_changepw_perms.sh
-set getpid $srcdir/getpid.sh
-set ovsec_adm_server_path $env(TOP)/server
-set ovsec_adm_server_name ./kadmind
-set ovsec_edit_keytab $env(TOP)/keytab/kadm5_keytab
-set hostname [exec hostname]
-
-# change-password.exp sends ^C to kpasswd to kill it; on HP-UX the
-# default intr character is DEL, and setting it on all platforms
-# won't hurt
-set stty_init "intr \\^c"
-
-if {[info commands exp_version] != {}} {
- set exp_version_4 [regexp {^4} [exp_version]]
-} else {
- set exp_version_4 [regexp {^4} [expect_version]]
-}
-
-# Backward compatibility until we're using expect 5 everywhere
-if {$exp_version_4} {
- global wait_error_index wait_errno_index wait_status_index
- set wait_error_index 0
- set wait_errno_index 1
- set wait_status_index 1
-} else {
- set wait_error_index 2
- set wait_errno_index 3
- set wait_status_index 3
-}
+++ /dev/null
-#!/bin/sh
-
-# tcl sucks big fat hairy rocks
-
-$PS_ALL | awk "/$1/"' && !/awk/ && !/getpid/ && !/expect/ && !/kadmind4/ { print $2 }'
+++ /dev/null
-proc server_pids { } {
- global env
-
- return [eval [concat exec $env(PS_ALL) | \
- awk {{/kadmind4/ && !/awk/ && !/expect/ {printf("%d ", $2)}}}]]
-}
-
-proc server_exit { name status } {
- global wait_error_index wait_errno_index wait_status_index
- global server_id
- global kill
-
- verbose "$name: stopping V4 kpasswd server." 1
-
- # We can't know whether the process exists or not, so we have
- # to ignore errors. XXX will close ever time out?
- catch {close $server_id}
- set pids [server_pids]
- if {$pids != {}} {
- verbose "server_exit killing process(es) $pids"
- catch {exec $kill $pids}
- } else {
- verbose "server_exit: couldn't find running server(s) to kill"
- }
-
- # wait hangs on AIX if the process was killed; since status == -1
- # in that case, solve the problem by not waiting; the zombies will
- # be cleaned up when the test finishes
- if {$status == -1} {
- return 1
- }
-
- set ret [wait -i $server_id]
- verbose "% Exit $ret" 2
-
- if {[lindex $ret $wait_error_index] == -1} {
- fail "$name: wait returned error [lindex $ret $wait_errno_index]"
- return 0
- } else {
- if { [lindex $ret $wait_status_index] == $status ||
- (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
- pass "$name"
- } else {
- fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
- return 0
- }
- }
-
- return 1
-}
-
-proc myfail { msg } {
- global mytest_status
- fail "$msg"
- set mytest_status 1
-}
-
-proc server_start { name cmdline should_listen args } {
- global spawn_id server_id env
- global VFOURSERVER
- global mytest_status
- global sleep hostname
-
- set max_tries 60
-
- verbose "$name: starting V4 kpasswd server." 1
-
- for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} {
- if {$num_tries} {
- exec $sleep 5
- verbose "Couldn't connect to V4 kpasswd server; retrying ($num_tries so far)."
- }
-
- spawn $VFOURSERVER $cmdline
- set server_id $spawn_id
-
- foreach test $args {
- set mytest_status 0
- uplevel 1 "expect {
- -i $server_id
- $test
- timeout { myfail \"$name: timeout\" }
- eof { myfail \"$name: eof while expecting string\" }
- }"
-
- if {$mytest_status == 1} {
- return 0
- }
- }
-
- set pids [server_pids]
-
- if {$should_listen} {
- exec $sleep 1
- set save_spawn_id $spawn_id
- spawn telnet $hostname kerberos_master
- expect {
- {Connection refused} {
- close -i $save_spawn_id
- wait -i $save_spawn_id
- close
- wait
- continue
- }
- {Connected} {
- send "\1dclose\n"
- close
- wait
- set spawn_id $save_spawn_id
- break
- }
- default {
- close -i $save_spawn_id
- wait -i $save_spawn_id
- catch {close}
- wait
- continue
- }
- }
- } else {
- break
- }
- }
-
- if {$pids == {}} {
- # Try twice to find the server processes. Not sure why,
- # but there seems to be some sort of race condition in the OS.
-
- verbose "server_start: couldn't find server process(es) -- trying again"
- exec $sleep 1
- set pids [server_pids]
- }
-
- if {$num_tries > $max_tries} {
- myfail "$name: couldn't connect to V4 kpasswd server"
- return 0
- } else {
- if {$pids != {}} {
- verbose "server_start: server process ID(s) is/are $pids"
- }
- pass "$name"
- return 1
- }
-}
-
-proc exp_prog { name prog cmdline status args } {
- global spawn_id spawn_pid
- global mytest_status
- global wait_error_index wait_errno_index wait_status_index
-
- verbose "$name: spawning $prog $cmdline" 1
-
- set spawn_pid [eval "spawn $prog $cmdline"]
-
- # at the end, eof is success
-
-# lappend args { eof { if {[regexp "\[\r\n\]$" $expect_out(buffer)] == 0} { myfail "final status message not newline-terminated" } } }
- lappend args { eof {} }
-
- foreach test $args {
- set mytest_status 0
- uplevel 1 "expect {
- $test
- timeout { close; myfail \"$name: timeout\" }
- eof { myfail \"$name: eof while expecting string\" }
- }"
-
- if {$mytest_status == 1} { return 0 }
- }
-
- # at this point, the id is closed and we can wait on it.
-
- set ret [wait]
- verbose "% Exit $ret" 2
-
- if {$status == -1} { return 1 }
-
- if {[lindex $ret $wait_error_index] == -1} {
- fail "$name: wait returned error [lindex $ret $wait_errno_index]"
- } else {
- if { [lindex $ret $wait_status_index] == $status ||
- (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } {
- pass "$name"
- } else {
- fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status"
- }
- }
-
- return 1
-}
-
-proc fix_salt { name fullname oldpw newpw } {
- global kadmin_local
-
- exp_prog "$name: kadmin.local" $kadmin_local "" 0 {
- "kadmin.local:" { send "cpw $fullname\n" }
- } {
- "Enter password for principal \"$fullname\":" {
- send "$newpw\n"
- }
- } {
- "Re-enter password for principal \"$fullname\":" {
- send "$newpw\n"
- }
- } {
- # if we get cannot reuse pw, the salt is already right
- -re "Password .* changed." { send "quit\n" }
- -re "Cannot reuse password" { send "quit\n" }
- }
-}
-
-proc unexpire { name fullname } {
- global kadmin_local
-
- # While we're at it, make sure they aren't expired.
- exp_prog "$name: kadmin.local" $kadmin_local "" 0 {
- "kadmin.local:" {
- send "modprinc -expire \"May 6, 2029\" $fullname\n"
- }
- } {
- -re "Principal .* modified." { send "quit\n" }
- }
-}
-
-proc kpasswd_v4 { name fullname status oldpw newpw args } {
- global kpasswd_v4 s
-
- eval [concat {
- exp_prog $name $kpasswd_v4 "-u $fullname" $status {
- -re "Old password for $fullname:" { send "$oldpw\n" }
- } {
- -re "New Password for $fullname:" { send "$newpw\n" }
- } {
- -re "Verifying, please re-enter New Password for $fullname:"
- { send "$newpw\n" }
- }
- } $args]
-}
+++ /dev/null
-#!/bin/sh
-
-# tcl sucks big fat hairy rocks
-
-ed $K5ROOT/ovsec_adm.acl <<EOF >/dev/null 2>&1
-g/changepw\/kerberos/s/^/#/
-w
-q
-EOF
+++ /dev/null
-load_lib "helpers.exp"
-
-set timeout 10
-
-exp_prog "setup" $kadmin_local "" 0 {
- "kadmin.local:" { send "ank -randkey changepw/kerberos\n" }
-} {
- "created" {}
- "already exists" {}
-} {
- "kadmin.local:" {
- send "ktadd -k $env(KRB5_KTNAME) changepw/kerberos\n"
- }
-} {
- -re "Entry for principal changepw/kerberos .* added to keytab" {
- send "quit\n"
- }
-}
+++ /dev/null
-load_lib "helpers.exp"
-
-set timeout 30
-
-# Setup: make sure the principals we will use have V4 salt
-fix_salt "A.setup" testuser notathena notathena
-unexpire "A.setup" testuser
-unexpire "A.setup" changepw/kerberos
-
-proc kill_admin_server {} {
- global env kill getpid
-
- set pid [exec $getpid kadmind]
- if {$pid != ""} {
- exec $kill $pid
- }
-}
-
-proc start_admin_server {} {
- global ovsec_adm_server_path ovsec_adm_server_name sleep env
-
- set max_tries 60
-
- for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} {
- if {$num_tries} {
- exec $sleep 5
- verbose "$ovsec_adm_server couldn't bind; retrying ($num_tries so far)"
- }
- if {[catch "system {cd $ovsec_adm_server_path; exec $ovsec_adm_server_name}" msg]} {
- if {[regexp {Address already in use} $msg]} {
- continue
- }
- fail "starting $ovsec_adm_server_name: $msg"
- }
- return
- }
- fail "starting $ovsec_adm_server_name: $msg"
-}
-
-proc remove_changepw_perms {} {
- global remove_changepw_perms
-
- exec $remove_changepw_perms
-}
-
-proc set_changepw_perms { perms } {
- global env
-
- remove_changepw_perms
-
- exec echo "changepw/kerberos@SECURE-TEST.OV.COM $perms" \
- >> $env(K5ROOT)/ovsec_adm.acl
-}
-
-# start off with a dead admin server
-kill_admin_server
-
-set_changepw_perms "i"
-start_admin_server
-server_start A.1 "-n" 1 {
- "KADM Server starting in the OVSEC_KADM mode" {}
-}
-kpasswd_v4 A.1 testuser 2 notathena foobar {
- "Operation requires ``change-password'' privilege" {}
-} {
- "$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {}
-} {
- "Password NOT changed." {}
-}
-server_exit A.1 -1
-kill_admin_server
-
-set_changepw_perms "c"
-start_admin_server
-server_start A.2 "-n" 1 {
- "KADM Server starting in the OVSEC_KADM mode" {}
-}
-kpasswd_v4 A.2 testuser 2 notathena foobar {
- "Operation requires ``get'' privilege" {}
-} {
- "$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {}
-} {
- "Password NOT changed." {}
-}
-server_exit A.2 -1
-kill_admin_server
-
-set_changepw_perms "ci"
-
-start_admin_server
+++ /dev/null
-load_lib "helpers.exp"
-
-set timeout 30
-
-spawn stty -a
-expect { eof {} }
-wait
-
-# Setup: make sure the principals we will use have V4 salt
-fix_salt "CPW.setup" testuser notathena notathena
-fix_salt "CPW.setup" pol1 pol111111 pol111111
-fix_salt "CPW.setup" pol2 pol222222 pol222222
-unexpire "CPW.setup" testuser
-unexpire "CPW.setup" pol1
-unexpire "CPW.setup" pol2
-unexpire "CPW.setup" changepw/kerberos
-
-server_start "CPW.all" "-n" 1 {
- "KADM Server starting in the OVSEC_KADM mode" {}
-}
-
-kpasswd_v4 CPW.1 testuser 0 notathena foobar { "Password changed." {} }
-kpasswd_v4 CPW.1 testuser 0 foobar notathena { "Password changed." {} }
-
-kpasswd_v4 CPW.3 pol1 -1 pol111111 foo {
- "New password is too short." {}
-} {
- "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
-}
-
-kpasswd_v4 CPW.4 pol1 -1 pol111111 foooooooo {
- "New password does not have enough character classes." {}
-} {
- "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
-}
-
-kpasswd_v4 CPW.5 pol1 -1 pol111111 Abyssinia {
- "New password was found in a dictionary" {}
-} {
- "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
-}
-
-kpasswd_v4 CPW.6.setup pol1 0 pol111111 polAAAAAA { "Password changed." {} }
-kpasswd_v4 CPW.6 pol1 -1 polAAAAAA pol111111 {
- "New password was used previously." {}
-} {
- "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
-}
-
-# We used to use kdb5_edit, which reset last_pwd_change. Now we used
-# kadmin.local, which doesn't, so we have to wait out the min life.
-exec $sleep 30
-kpasswd_v4 CPW.7.setup pol2 0 pol222222 polBBBBBB { "Password changed." {} }
-kpasswd_v4 CPW.7 pol2 -1 polBBBBBB pol222222 {
- "Password cannot be changed because it was changed too recently." {}
-} {
- "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
-}
-
-server_exit "CPW.all" -1
+++ /dev/null
-load_lib "helpers.exp"
-
-set timeout 10
-
-server_start "U.1: -h" "-h" 0 {
- -re {Usage: .*} {}
-} {
- eof {}
-}
-server_exit "U.1: -h" 255
-
-server_start "U.4: -n" "-n" 1 {
- "Enter KDC database master key:" {
- myfail "unexpected password prompt"
- }
- "KADM Server starting in the OVSEC_KADM mode" {}
-}
-
-server_exit "U.4: -n" -1
-
-server_start "U.5: no -n" "" 1 {
- "KADM Server starting in the OVSEC_KADM mode" {}
-} {
- "Enter KDC database master key:" { send "mrroot\n" }
-}
-server_exit "U.5: no -n" -1
+++ /dev/null
-2003-08-29 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in (SERV_OBJS): Use @LIBOBJS@.
-
-2003-01-09 Ken Raeburn <raeburn@mit.edu>
-
- * adm_conn.c (kadm_contact_server): Use socklen_t when passing
- address to socket functions.
-
-2002-11-05 Tom Yu <tlyu@mit.edu>
-
- * kpasswd.c (kpwd_change_prompt_1, kpwd_change_prompt_2)
- (kpwd_old_password_prompt, kpwd_old_pwd_name_fmt): Remove trailing
- colon, as new implementation of krb5_read_password() appends it.
-
-2002-08-29 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in: Revert $(S)=>/ change, for Windows support.
-
-2002-08-23 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in: Change $(S)=>/ and $(U)=>.. globally.
-
-2002-06-19 Ezra Peisach <epeisach@bu.edu>
-
- * srv_net.c: Conditionalize debugging variables inside DEBUG
- conditional.
-
- * kpasswd.c (main): Conditionalize local variables inside
- definition of LANGUAGES_SUPPORTED to avoid a variable being set
- with out use warning.
-
-2001-10-09 Ken Raeburn <raeburn@mit.edu>
-
- * adm_conn.c, adm_rw.c, kadm5_defs.h: Make prototypes
- unconditional.
-
-2001-10-05 Ken Raeburn <raeburn@mit.edu>
-
- * adm_conn.c: Drop _MSDOS support.
-
-2001-09-01 Ken Raeburn <raeburn@mit.edu>
-
- * Makefile.in (COMMON_SRCS, SERV_SRCS, CLI_SRCS): All live in
- srcdir.
-
-2001-06-22 Ezra Peisach <epeisach@mit.edu>
-
- * adm_conn.c (kadm_get_ccache): Cast return from getpid() to int
- to match format.
-
-2001-06-21 Ken Raeburn <raeburn@mit.edu>
-
- * adm_conn.c, kpasswd.c, srv_net.c: Changed various char string
- variables into macros, for better format/argument checking under
- gcc.
-
- * main.c (pwd_change): Use strncpy instead of sprintf to copy
- error message text into buffer. Use goto rather than repeated
- code.
- (main): Use %lx for params.mask. Make debug_level volatile.
-
- * srv_net.c (net_find_slave): Initialize "found".
- (net_dispatch): Make "kret" volatile, so longjmp won't clobber
- it.
- (net_slaves_active): Variable deleted.
-
-2001-06-21 Ezra Peisach <epeisach@mit.edu>
-
- * main.c: Add prototype for daemon if needed.
-
-Mon Feb 26 15:22:44 2001 Ezra Peisach <epeisach@mit.edu>
-
- *adm_conn.c, adm_rw.c, kadm5_defs.h, kpasswd.c, main.c,
- proto_serv.c, srv_net.c: Warnings cleanup including assignments in
- conditionals, shadowed variables, unused variables, prototypes.
-
-2000-10-17 Ezra Peisach <epeisach@mit.edu>
-
- * adm_conn.c, kpasswd.c: Argument to krb5_read_password
- takes an unsigned int.
-
- * kadm5_defs.h, main.c (pwd_change): Argument err_str_len changed
- to unsigned int. (Argument to kadm5_chpass_principal_util()).
-
-2000-07-03 Ezra Peisach <epeisach@mit.edu>
-
- * Makefile.in: v5passwd does not depend on the kadm5
- libraries. This is the older protocol.
-
-2000-05-24 Ken Raeburn <raeburn@mit.edu>
- Ezra Peisach <epeisach@mit.edu>
-
- * proto_serv.c (proto_serv): Don't overflow err_str. Pass data
- pointer and not a krb5_data to sprintf. Remove unused variable
- adm_errmsg. Remove unused label done. Declare variable
- mime_setting only if MIME_SUPPORTED is defined. Make variables
- db_opened and kret volatile.
- (proto_fmt_reply_msg): Unused variable deleted.
-
-2000-05-23 Tom Yu <tlyu@mit.edu>
-
- * kadm5_defs.h: Add argument for length of error string.
-
- * main.c (pwd_change): Add argument for length of error string.
-
- * proto_serv.c (proto_serv): Fix up call to pwd_change().
-
-2000-02-28 Ezra Peisach <epeisach@mit.edu>
-
- * proto_serv.c (proto_serv): For error return,strdup the returned
- value from error_message to maintain its const status.
-
-1999-10-26 Wilfredo Sanchez <tritan@mit.edu>
-
- * Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
- LOCAL_INCLUDES such that one can override CFLAGS from the command
- line without losing CPP search patchs and defines. Some associated
- Makefile cleanup.
-
-Tue May 11 11:39:36 1999 Ezra Peisach <epeisach@mit.edu>
-
- * main.c: Remove include of gssapi_krb5.h - no longer needed.
-
-1998-11-13 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Set the myfulldir and mydir variables (which are
- relative to buildtop and thisconfigdir, respectively.)
-
-1998-05-06 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * kpasswd.c (main): POSIX states that getopt returns -1
- when it is done parsing options, not EOF.
-
-Fri Feb 27 23:32:38 1998 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Changed thisconfigdir to point at the kadmin
- directory, since we've moved all of the configure.in
- tests to the toplevel kadmin configure.in
-
-Wed Feb 18 16:02:27 1998 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in: Remove trailing slash from thisconfigdir. Fix up
- BUILDTOP for new conventions. Fix up usage of $(C).
-
-Mon Feb 2 17:02:29 1998 Theodore Ts'o <tytso@rsts-11.mit.edu>
-
- * Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile
-
-Thu Sep 25 21:17:00 1997 Tom Yu <tlyu@mit.edu>
-
- * srv_net.c (net_init): Replace KRB5_USE_INET with something more
- sane.
-
- * adm_conn.c (kadm_contact_server): Replace KRB5_USE_INET with
- something more sane.
-
-Thu Sep 18 17:54:40 1997 Tom Yu <tlyu@mit.edu>
-
- * kpasswd.c: Replace USE_STRING_H with something more sane.
-
-Thu Feb 6 00:28:54 1997 Richard Basch <basch@lehman.com>
-
- * adm_conn.c adm_rw.c:
- Replace the INTERFACE keyword with KRB5_CALLCONV
-
-Tue Feb 4 21:28:57 1997 Tom Yu <tlyu@mit.edu>
-
- * Makefile.in:
- * configure.in: Update to new program build procedcure.
-
-Thu Oct 31 11:20:22 1996 Ezra Peisach <epeisach@mit.edu>
-
- * main.c (main): Add -T keyfile and -D debug_level
- options. [krb5-admin/42]
-
-Tue Sep 10 14:37:23 1996 Tom Yu <tlyu@mit.edu>
-
- * v5passwd.M: remove extra args to .TH
-
-Sun Aug 18 18:29:39 1996 Ezra Peisach <epeisach@kangaroo.mit.edu>
-
- * Makefile.in: Compile v5passwd - the old passwd changing client.
-
- * adm_conn.c, kpasswd.c, v5passwd.M: Added the pieces required to
- build a v5b6 simple password changing client.
-
-Thu Jul 25 17:01:32 1996 Marc Horowitz <marc@mit.edu>
-
- * Makefile.in, configure.in, adm_rw.c, kadm5_defs.h, main.c,
- proto_serv.c, srv_net.c: combined pieces of the old v5server and
- kadm libraries with calls to the new kadm5srv library to produce a
- daemon which handles the v5b6 "simple" password changing protocol.
+++ /dev/null
-thisconfigdir=./..
-myfulldir=kadmin/v5passwdd
-mydir=v5passwdd
-BUILDTOP=$(REL)..$(S)..
-PROG_LIBPATH=-L$(TOPLIBD)
-PROG_RPATH=$(KRB5_LIBDIR)
-
-COMMON_SRCS = $(srcdir)/adm_rw.c
-COMMON_OBJS = adm_rw.o
-SERV_SRCS = $(srcdir)/main.c $(srcdir)/srv_net.c $(srcdir)/proto_serv.c
-SERV_OBJS = main.o srv_net.o proto_serv.o @LIBOBJS@
-CLI_SRCS = $(srcdir)/kpasswd.c $(srcdir)/adm_conn.c
-CLI_OBJS = kpasswd.o adm_conn.o
-
-SRCS=$(SERV_SRCS) $(COMMON_SRCS) $(CLI_SRCS)
-OBJS=$(SERV_OBJS) $(COMMON_OBJS) $(CLI_OBJS)
-
-SERV = v5passwdd
-CLI = v5passwd
-
-all:: $(SERV) $(CLI)
-
-$(SERV): $(SERV_OBJS) $(COMMON_OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $(SERV) $(SERV_OBJS) $(COMMON_OBJS) \
- $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
-
-
-$(CLI): $(CLI_OBJS) $(COMMON_OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $(CLI) $(CLI_OBJS) $(COMMON_OBJS) \
- $(KRB5_BASE_LIBS)
-
-install::
- for f in v5passwd; do \
- $(INSTALL_PROGRAM) $$f \
- $(DESTDIR)$(CLIENT_BINDIR)$(S)`echo $$f|sed '$(transform)'`; \
- $(INSTALL_DATA) $(srcdir)$(S)$$f.M \
- ${DESTDIR}$(CLIENT_MANDIR)$(S)`echo $$f|sed '$(transform)'`.1; \
- done
- for f in v5passwdd; do \
- $(INSTALL_PROGRAM) $$f \
- $(DESTDIR)$(SERVER_BINDIR)$(S)`echo $$f|sed '$(transform)'`; \
- done
-
-clean::
- $(RM) $(SERV) $(CLI)
-
-# +++ Dependency line eater +++
-#
-# Makefile dependencies follow. This must be the last section in
-# the Makefile.in file
-#
-$(OUTPRE)main.$(OBJEXT): main.c $(SRCTOP)/include/syslog.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/kadm5/admin.h \
- $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \
- $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \
- $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \
- $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \
- $(BUILDTOP)/include/gssrpc/svc.h $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \
- $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \
- $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h \
- kadm5_defs.h
-$(OUTPRE)srv_net.$(OBJEXT): srv_net.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h
-$(OUTPRE)proto_serv.$(OBJEXT): proto_serv.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h \
- $(SRCTOP)/include/krb5/adm_proto.h
-$(OUTPRE)adm_rw.$(OBJEXT): adm_rw.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_proto.h
-$(OUTPRE)kpasswd.$(OBJEXT): kpasswd.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_defs.h \
- $(SRCTOP)/include/krb5/adm.h $(SRCTOP)/include/krb5/adm_proto.h
-$(OUTPRE)adm_conn.$(OBJEXT): adm_conn.c $(SRCTOP)/include/k5-int.h \
- $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \
- $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \
- $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
- $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm.h \
- $(SRCTOP)/include/krb5/adm_proto.h
-
+++ /dev/null
-/*
- * lib/kadm/adm_conn.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-/*
- * Routines to contact an administrative protocol server.
- */
-#define NEED_SOCKETS
-#define NEED_LOWLEVEL_IO
-#include "k5-int.h"
-#include "adm.h"
-#include "adm_proto.h"
-
-#if HAVE_PWD_H
-#include <pwd.h>
-#endif /* HAVE_PWD_H */
-
-/* Default ticket life is 10 minutes */
-#define KADM_DEFAULT_LIFETIME (10*60)
-
-/*
- * Strings
- */
-#define kadm_cache_name_fmt "FILE:/tmp/tkt_kadm_%d"
-
-/*
- * Prototypes for local functions
- */
-static krb5_error_code kadm_get_ccache
- (krb5_context,
- char *,
- char *,
- krb5_ccache *,
- krb5_principal *);
-static krb5_error_code kadm_get_creds
- (krb5_context,
- krb5_ccache ,
- krb5_principal,
- krb5_creds *,
- const char *,
- char *,
- krb5_timestamp);
-static krb5_error_code kadm_contact_server
- (krb5_context,
- krb5_data *,
- int *,
- krb5_address **,
- krb5_address **);
-static krb5_error_code kadm_get_auth
- (krb5_context,
- krb5_auth_context *,
- krb5_address *,
- krb5_address *);
-\f
-/*
- * kadm_get_ccache() - Initialze a credentials cache.
- *
- * Cleanup after success by calling krb5_cc_destroy() and krb5_free_principal()
- * Allocates new ccache and client.
- */
-static krb5_error_code
-kadm_get_ccache(kcontext, user, ccname, ccache, client)
- krb5_context kcontext;
- char *user;
- char *ccname;
- krb5_ccache *ccache;
- krb5_principal *client;
-{
- krb5_error_code kret;
- char *name;
- int did_malloc = 0;
- char new_cache[MAXPATHLEN];
- krb5_principal tprinc;
-
- /* Initialize. */
- *client = (krb5_principal) NULL;
- tprinc = (krb5_principal) NULL;
-
- /*
- * If a name specified, then use that one, else get it from our
- * current uid.
- */
- if (user) {
- name = user;
- }
- else {
-#if HAVE_PWD_H
- struct passwd *pw;
-
- pw = getpwuid(getuid());
- if (pw) {
- name = (char *) malloc(strlen(pw->pw_name)+1);
- did_malloc = 1;
- strcpy(name, pw->pw_name);
- }
- else {
- kret = errno;
- goto cleanup;
- }
-#else /* HAVE_PWD_H */
- kret = ENOENT;
- goto cleanup;
-#endif /* HAVE_PWD_H */
- }
-
- /* Parse the name and form our principal */
- kret = krb5_parse_name(kcontext, name, client);
- if (kret)
- goto cleanup;
-
- if (!ccname) {
-#if defined(_WIN32)
- strcpy (new_cache, "FILE:");
- GetTempFileName (0, "tkt", 0, new_cache+5);
-#else
-#ifdef _MACINTOSH
- (void) sprintf(new_cache, "STDIO:admcc");
-#else
- (void) sprintf(new_cache, kadm_cache_name_fmt, (int) getpid());
-#endif /* _MACINTOSH */
-#endif /* _WIN32 */
- }
- else
- sprintf(new_cache, "FILE:%s", ccname);
-
- /*
- * We only need to resolve the credentials cache if one hasn't
- * been supplied to us.
- */
- if (!(*ccache) && (kret = krb5_cc_resolve(kcontext, new_cache, ccache)))
- goto cleanup;
-
- /* XXX assumes a file ccache */
- if ((kret = krb5_cc_get_principal(kcontext, *ccache, &tprinc)) ==
- KRB5_FCC_NOFILE)
- kret = krb5_cc_initialize(kcontext, *ccache, *client);
-
-
- cleanup:
- if (did_malloc)
- free(name);
-
- if (tprinc)
- krb5_free_principal(kcontext, tprinc);
-
- if (kret) {
- if (*client)
- krb5_free_principal(kcontext, *client);
- }
-
- return(kret);
-}
-\f
-/*
- * kadm_get_creds() - Get initial credentials.
- *
- * Cleanup after success by calling krb5_free_principal().
- * Allocates new principal for creds->server.
- */
-static krb5_error_code
-kadm_get_creds(kcontext, ccache, client, creds, prompt, oldpw, tlife)
- krb5_context kcontext;
- krb5_ccache ccache;
- krb5_principal client;
- krb5_creds *creds;
- const char *prompt;
- char *oldpw;
- krb5_timestamp tlife;
-{
- char *client_name;
- krb5_error_code kret;
- krb5_address **my_addresses;
- unsigned int old_pwsize;
- krb5_creds tcreds;
-
- /* Initialize */
- my_addresses = (krb5_address **) NULL;
- client_name = (char *) NULL;
-
- /* Get the string form for our principal */
- kret = krb5_unparse_name(kcontext, client, &client_name);
- if (kret)
- return(kret);
-
- kret = krb5_os_localaddr(kcontext, &my_addresses);
- if (kret)
- goto cleanup;
-
- creds->client = client;
- /*
- * Build server principal name:
- * "changepw" is service
- * realm name is instance
- * realm name is realm name
- */
- kret = krb5_build_principal_ext(kcontext,
- &creds->server,
- client->realm.length,
- client->realm.data,
- strlen(KRB5_ADM_SERVICE_INSTANCE),
- KRB5_ADM_SERVICE_INSTANCE,
- client->realm.length,
- client->realm.data,
- 0);
- if (kret)
- goto cleanup;
-
- /* Attempt to retrieve an appropriate entry from the credentials cache. */
- if ((kret = krb5_cc_retrieve_cred(kcontext,
- ccache,
- KRB5_TC_MATCH_SRV_NAMEONLY,
- creds,
- &tcreds))
- == KRB5_CC_NOTFOUND) {
- krb5_timestamp jetzt;
-
- if (prompt != (char *) NULL) {
- /* Read the password */
- old_pwsize = KRB5_ADM_MAX_PASSWORD_LEN;
- kret = krb5_read_password(kcontext, prompt, (char *) NULL,
- oldpw, &old_pwsize);
- if (kret)
- goto cleanup;
- }
-
- kret = krb5_timeofday(kcontext, &jetzt);
- if (kret)
- goto cleanup;
-
- if (tlife > 0)
- creds->times.endtime = jetzt + tlife;
- else
- creds->times.endtime = jetzt + KADM_DEFAULT_LIFETIME;
-
- /* Get our initial ticket */
- kret = krb5_get_in_tkt_with_password(kcontext,
- 0,
- my_addresses,
- NULL,
- NULL,
- oldpw,
- ccache,
- creds,
- 0);
- }
- else {
- krb5_principal sclient, sserver;
-
- if (!kret) {
- /*
- * We found the credentials cache entry - copy it out.
- *
- * We'd like to just blast tcreds on top of creds, but we cannot.
- * other logic uses the client data, and rather than going and
- * chasing all that logic down, might as well pretend that we just
- * filled in all the other muck.
- */
- sclient = creds->client;
- sserver = creds->server;
- memcpy((char *) creds, (char *) &tcreds, sizeof(tcreds));
- if (creds->client)
- krb5_free_principal(kcontext, creds->client);
- if (creds->server)
- krb5_free_principal(kcontext, creds->server);
- creds->client = sclient;
- creds->server = sserver;
- }
- }
-
- cleanup:
- if (kret) {
- if (creds->server) {
- krb5_free_principal(kcontext, creds->server);
- creds->server = 0;
- }
- }
- if (my_addresses)
- krb5_free_addresses(kcontext, my_addresses);
- if (client_name)
- krb5_xfree(client_name);
- return(kret);
-}
-\f
-/*
- * kadm_contact_server() - Establish a connection to the server.
- *
- * Cleanup after success by calling close() and free().
- * Opens/connects socket *sockp. Allocates address storage for local/remote.
- */
-static krb5_error_code
-kadm_contact_server(kcontext, realmp, sockp, local, remote)
- krb5_context kcontext;
- krb5_data *realmp;
- int *sockp;
- krb5_address **local;
- krb5_address **remote;
-{
- struct hostent *remote_host;
- struct servent *service;
- char **hostlist;
- int i, count;
-
- krb5_error_code kret;
-
- struct sockaddr_in in_local;
- struct sockaddr_in in_remote;
- socklen_t addr_len;
-
- const char *realm_admin_names[4];
- char *realm_name;
- krb5_boolean found;
-
- /* Initialize */
- hostlist = (char **) NULL;
- *sockp = -1;
- realm_name = (char *) NULL;
-
- /*
- * XXX - only know ADDRTYPE_INET.
- */
-#ifdef HAVE_NETINET_IN_H
- *local = (krb5_address *) malloc(sizeof(krb5_address));
- *remote = (krb5_address *) malloc(sizeof(krb5_address));
- realm_name = (char *) malloc((size_t) realmp->length + 1);
- if ((*local == (krb5_address *) NULL) ||
- (*remote == (krb5_address *) NULL) ||
- (realm_name == (char *) NULL)) {
- kret = ENOMEM;
- goto cleanup;
- }
- (*local)->addrtype = (*remote)->addrtype = ADDRTYPE_INET;
- (*local)->length = (*remote)->length = sizeof(struct in_addr);
- (*local)->contents = (krb5_octet *) malloc(sizeof(struct in_addr));
- (*remote)->contents = (krb5_octet *) malloc(sizeof(struct in_addr));
- if (((*local)->contents == NULL) || ((*remote)->contents == NULL)) {
- kret = ENOMEM;
- goto cleanup;
- }
-
- /*
- * First attempt to find addresses from our config file, if we cannot
- * find an entry, then try getservbyname().
- */
- found = 0;
-#ifndef OLD_CONFIG_FILES
- strncpy(realm_name, realmp->data, (size_t) realmp->length);
- realm_name[realmp->length] = '\0';
- realm_admin_names[0] = "realms";
- realm_admin_names[1] = realm_name;
- realm_admin_names[2] = "admin_server";
- realm_admin_names[3] = (char *) NULL;
- if (!(kret = profile_get_values(kcontext->profile,
- realm_admin_names,
- &hostlist))) {
- int hi;
- char *cport;
- char *cp;
- krb5_int32 pport;
-
- for (hi = 0; hostlist[hi]; hi++) {
- /*
- * This knows a little too much about the format of profile
- * entries. Shouldn't it just be some sort of tuple?
- *
- * The form is assumed to be:
- * admin_server = <hostname>[:<portname>[<whitespace>]]
- */
- cport = (char *) NULL;
- pport = (u_short) KRB5_ADM_DEFAULT_PORT;
- cp = strchr(hostlist[hi], ' ');
- if (cp)
- *cp = '\0';
- cp = strchr(hostlist[hi], '\t');
- if (cp)
- *cp = '\0';
- cport = strchr(hostlist[hi], ':');
- if (cport) {
- *cport = '\0';
- cport++;
-
- pport = atoi (cport);
- if (pport == 0) {
- kret = KRB5_CONFIG_BADFORMAT;
- goto cleanup;
- }
- }
-
- /*
- * Now that we have a host name, get the host entry.
- */
- remote_host = gethostbyname(hostlist[hi]);
- if (remote_host == (struct hostent *) NULL) {
- kret = KRB5_CONFIG_BADFORMAT;
- goto cleanup;
- }
-
- /*
- * Fill in our address values.
- */
- in_remote.sin_family = remote_host->h_addrtype;
- (void) memcpy((char *) &in_remote.sin_addr,
- (char *) remote_host->h_addr,
- sizeof(in_remote.sin_addr));
- in_remote.sin_port = htons((u_short) pport);
-
- /* Open a tcp socket */
- *sockp = (int) socket(PF_INET, SOCK_STREAM, 0);
- if (*sockp < 0) {
- kret = SOCKET_ERRNO;
- goto cleanup;
- }
- else kret = 0;
-
- /* Attempt to connect to the remote address. */
- if (connect(*sockp,
- (struct sockaddr *) &in_remote,
- sizeof(in_remote)) < 0) {
- /* Failed, go to next address */
- kret = SOCKET_ERRNO;
- closesocket((SOCKET)*sockp);
- *sockp = -1;
- continue;
- }
-
- /* Find out local address */
- addr_len = sizeof(in_local);
- if (getsockname((SOCKET) *sockp,
- (struct sockaddr *) &in_local,
- &addr_len) < 0) {
- /* Couldn't get our local address? */
- kret = SOCKET_ERRNO;
- goto cleanup;
- }
- else {
- /* Connection established. */
- memcpy((char *) (*remote)->contents,
- (char *) &in_remote.sin_addr,
- sizeof(struct in_addr));
- memcpy((char *) (*local)->contents,
- (char *) &in_local.sin_addr,
- sizeof(struct in_addr));
- found = 1;
- break;
- }
- }
- if (!found) {
- krb5_xfree(hostlist);
- hostlist = (char **) NULL;
- }
- }
-#endif /* OLD_CONFIG_FILES */
- if (!found) {
- /*
- * Use the old way of finding our administrative server.
- *
- * This consists of looking up an entry in /etc/services and if
- * we don't find it, then we are just out of luck. Then, we use
- * that port number along with the address of the kdc.
- */
- if ((service = getservbyname(KRB5_ADM_SERVICE_NAME, "tcp")) == NULL) {
- kret = ENOENT;
- goto cleanup;
- }
- in_remote.sin_port = service->s_port;
-
- kret = krb5_get_krbhst(kcontext, realmp, &hostlist);
- if (kret)
- goto cleanup;
-
- /* Now count the number of hosts in the realm */
- count = 0;
- for (i=0; hostlist[i]; i++)
- count++;
- if (count == 0) {
- kret = ENOENT; /* something better? */
- goto cleanup;
- }
-
- /* Now find an available host */
- for (i=0; hostlist[i]; i++) {
- remote_host = gethostbyname(hostlist[i]);
- if (remote_host != (struct hostent *) NULL) {
- in_remote.sin_family = remote_host->h_addrtype;
- (void) memcpy((char *) &in_remote.sin_addr,
- (char *) remote_host->h_addr,
- sizeof(in_remote.sin_addr));
-
- /* Open a tcp socket */
- *sockp = (int) socket(PF_INET, SOCK_STREAM, 0);
- if (*sockp < 0) {
- kret = SOCKET_ERRNO;
- goto cleanup;
- }
- else kret = 0;
-
- if (connect(*sockp,
- (struct sockaddr *) &in_remote,
- sizeof(in_remote)) < 0) {
- kret = SOCKET_ERRNO;
- closesocket((SOCKET)*sockp);
- *sockp = -1;
- continue;
- }
-
- /* Find out local address */
- addr_len = sizeof(in_local);
- if (getsockname((SOCKET)*sockp,
- (struct sockaddr *) &in_local,
- &addr_len) < 0) {
- kret = SOCKET_ERRNO;
- goto cleanup;
- }
- else {
- memcpy((char *) (*remote)->contents,
- (char *) &in_remote.sin_addr,
- sizeof(struct in_addr));
-
- memcpy((char *) (*local)->contents,
- (char *) &in_local.sin_addr,
- sizeof(struct in_addr));
- found = 1;
- break;
- }
- }
- }
- if (!found)
- kret = KRB5_SERVICE_UNKNOWN;
- }
-#else /* HAVE_NETINET_IN_H */
- kret = ENOENT;
-#endif /* HAVE_NETINET_IN_H */
-
- cleanup:
- if (kret) {
- if (*sockp >= 0)
- closesocket((SOCKET)*sockp);
- if (*local && (*local)->contents)
- free((*local)->contents);
- if (*remote && (*remote)->contents)
- free((*remote)->contents);
- if (*local) {
- memset((char *) (*local), 0, sizeof(krb5_address));
- free(*local);
- *local = (krb5_address *) NULL;
- }
- if (*remote) {
- memset((char *) (*remote), 0, sizeof(krb5_address));
- free(*remote);
- *remote = (krb5_address *) NULL;
- }
- }
- if (realm_name)
- free(realm_name);
- if (hostlist)
- krb5_xfree(hostlist);
- return(kret);
-}
-\f
-/*
- * kadm_get_auth() - Get authorization context.
- *
- * Cleanup after success by calling krb5_xfree().
- * New krb5_auth_context allocated in *ctxp
- */
-static krb5_error_code
-kadm_get_auth(kcontext, ctxp, local, remote)
- krb5_context kcontext;
- krb5_auth_context *ctxp;
- krb5_address *local;
- krb5_address *remote;
-{
- krb5_auth_con_init(kcontext, ctxp);
- krb5_auth_con_setflags(kcontext, *ctxp,
- KRB5_AUTH_CONTEXT_RET_SEQUENCE|
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- krb5_auth_con_setaddrs(kcontext, *ctxp, local, remote);
- return(0);
-}
-\f
-/*
- * krb5_adm_connect() - Establish the connection to the service.
- *
- * If *ccachep is not null, then that ccache is used to establish the identity
- * of the caller. (Argument list is ugly, I know)
- *
- * Errors are not reported by this routine.
- * Cleanup after successful invocation must:
- * destroy/close ccache.
- * free auth_context
- * close socket.
- */
-krb5_error_code KRB5_CALLCONV
-krb5_adm_connect(kcontext, user, prompt, opassword, sockp, ctxp,
- ccachep, ccname, tlife)
- krb5_context kcontext; /* Context handle (In ) */
- char *user; /* User specified (In ) */
- const char *prompt; /* Old password prompt (In ) */
- char *opassword; /* Old Password (I/O) */
- int *sockp; /* Socket for conn. (Out) */
- krb5_auth_context *ctxp; /* Auth context (Out) */
- krb5_ccache *ccachep; /* Credentials cache (I/O) */
- char *ccname; /* Cred cache name (In ) */
- krb5_timestamp tlife; /* Ticket lifetime (In ) */
-{
- krb5_error_code kret;
- krb5_principal client;
- krb5_creds creds;
- krb5_data server_realm;
- krb5_data request_data, suppl_data;
- krb5_data response_data;
- krb5_address *local_addr;
- krb5_address *remote_addr;
- krb5_boolean ccache_supplied;
-
- char *server;
-
- /* Initialize */
- memset((char *) &creds, 0, sizeof(krb5_creds));
- server = (char *) NULL;
- *sockp = -1;
- local_addr = remote_addr = (krb5_address *) NULL;
- client = (krb5_principal) NULL;
- *ctxp = (krb5_auth_context) NULL;
- ccache_supplied = (*ccachep != (krb5_ccache) NULL);
-
- /*
- * Find the appropriate credentials cache and set up our identity.
- */
- kret = kadm_get_ccache(kcontext, user, ccname, ccachep, &client);
- if (kret)
- goto cleanup;
-
- /*
- * Get initial credentials.
- */
- kret = kadm_get_creds(kcontext, *ccachep, client, &creds,
- prompt, opassword, tlife);
- if (kret)
- goto cleanup;
-
- /*
- * Establish connection to server.
- */
- if ((server_realm.data = (char *) malloc(client->realm.length+1)) ==
- (char *) NULL)
- goto cleanup;
-
- server_realm.length = client->realm.length;
- memcpy(server_realm.data, client->realm.data, server_realm.length);
- server_realm.data[server_realm.length] = '\0';
-
- kret = kadm_contact_server(kcontext, &server_realm, sockp,
- &local_addr, &remote_addr);
- if (kret)
- goto cleanup;
-
- /*
- * Obtain our authorization context
- */
- kret = kadm_get_auth(kcontext, ctxp, local_addr, remote_addr);
- if (kret)
- goto cleanup;
-
- /*
- * Format, then send the KRB_AP_REQ
- */
- suppl_data.data = NULL;
- suppl_data.length = 0;
-
- kret = krb5_mk_req_extended(kcontext, ctxp, AP_OPTS_MUTUAL_REQUIRED,
- &suppl_data, &creds, &request_data);
- if (kret)
- goto cleanup;
-
- kret = krb5_write_message(kcontext, sockp, &request_data);
- if (kret)
- goto cleanup;
-
- /*
- * Now read back the response.
- */
- kret = krb5_read_message(kcontext, sockp, &response_data);
- if (kret) {
- goto cleanup;
- }
- else {
- krb5_ap_rep_enc_part *reply = NULL;
-
- kret = krb5_rd_rep(kcontext, *ctxp, &response_data, &reply);
- if (reply)
- krb5_free_ap_rep_enc_part(kcontext, reply);
- }
- cleanup:
- if (server)
- free(server);
- if (kret) {
- if (*ctxp) {
- krb5_xfree(*ctxp);
- *ctxp = (krb5_auth_context) NULL;
- }
- if (*sockp >= 0) {
- closesocket((SOCKET)*sockp);
- *sockp = -1;
- }
- if (local_addr && local_addr->contents)
- free(local_addr->contents);
- if (remote_addr && remote_addr->contents)
- free(remote_addr->contents);
- if (local_addr)
- free(local_addr);
- if (remote_addr)
- free(remote_addr);
- if (creds.server)
- krb5_free_principal(kcontext, creds.server);
- if (client)
- krb5_free_principal(kcontext, client);
- if (*ccachep && !ccache_supplied) {
- krb5_cc_destroy(kcontext, *ccachep);
- *ccachep = (krb5_ccache) NULL;
- }
- }
- return(kret);
-
-}
-\f
-/*
- * krb5_adm_disconnect() - Disconnect from the administrative service.
- *
- * If ccache is supplied, then it is destroyed. Otherwise, the ccache is
- * the caller's responsibility to close.
- */
-void KRB5_CALLCONV
-krb5_adm_disconnect(kcontext, socketp, auth_context, ccache)
- krb5_context kcontext;
- int *socketp;
- krb5_auth_context auth_context;
- krb5_ccache ccache;
-{
- if (ccache)
- krb5_cc_destroy(kcontext, ccache);
- if (auth_context)
- krb5_xfree(auth_context);
- if (*socketp >= 0)
- closesocket((SOCKET)*socketp);
-}
-
+++ /dev/null
-/*
- * lib/kadm/adm_rw.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * Routines to engage in the administrative (password changing) protocol.
- */
-#define NEED_SOCKETS
-#include "k5-int.h"
-#include "adm_proto.h"
-
-/*
- * Local prototypes (needed or else the PC will pass fail).
- */
-static void kadm_copyin_int32 (char *, krb5_int32 *);
-static void kadm_copyout_int32 (krb5_int32, char *);
-
-/*
- * Routines to [de]serialize integers.
- *
- * kadm_copyin_int32 - Move a 32-bit integer fron network byte order to
- * host byte order.
- * kadm_copyout_int32 - Move a 32-bit integer from host byte order to
- * network byte order.
- */
-static void
-kadm_copyin_int32(cp, ip)
- char *cp;
- krb5_int32 *ip;
-{
- *ip = (((krb5_int32) ((unsigned char) cp[0]) << 24) +
- ((krb5_int32) ((unsigned char) cp[1]) << 16) +
- ((krb5_int32) ((unsigned char) cp[2]) << 8) +
- ((krb5_int32) ((unsigned char) cp[3])));
-}
-
-static void
-kadm_copyout_int32(outint, cp)
- krb5_int32 outint;
- char *cp;
-{
- cp[0] = (char) ((outint >> 24) & 0xff);
- cp[1] = (char) ((outint >> 16) & 0xff);
- cp[2] = (char) ((outint >> 8) & 0xff);
- cp[3] = (char) (outint & 0xff);
-}
-\f
-/*
- * krb5_free_adm_data() - Free data blocks allocated by read_adm... routines.
- */
-void KRB5_CALLCONV
-krb5_free_adm_data(kcontext, ncomp, datap)
- krb5_context kcontext;
- krb5_int32 ncomp;
- krb5_data *datap;
-{
- int i;
-
- if (datap) {
- for (i=0; i<ncomp; i++)
- if (datap[i].data && (datap[i].length > 0))
- krb5_xfree(datap[i].data);
-
- krb5_xfree(datap);
- }
-}
-\f
-/*
- * krb5_send_adm_cmd() - Send an administrative command.
- *
- * Send a list of data in a KRB_PRIV message. Data takes the format:
- * nargs (4 octets in network order)
- * arg size 1 (4 octets in network order)
- * arg data 1 ("arg size 1" octets)
- * .
- * .
- * .
- */
-krb5_error_code KRB5_CALLCONV
-krb5_send_adm_cmd(kcontext, sock, ctx, nargs, arglist)
- krb5_context kcontext; /* Context handle (In ) */
- krb5_pointer sock; /* Socket to write to (In ) */
- krb5_auth_context ctx; /* Auth context (In ) */
- krb5_int32 nargs; /* Number of arguments (In ) */
- krb5_data *arglist; /* Components to write (In ) */
-{
- size_t writebufsize;
- int i;
- char *writebuf;
- krb5_error_code ret;
- krb5_int32 ac_flags;
-
- /*
- * First check that our auth context has the right flags in it.
- */
- ret = krb5_auth_con_getflags(kcontext, ctx, &ac_flags);
- if (ret)
- return(ret);
-
- if ((ac_flags & (KRB5_AUTH_CONTEXT_RET_SEQUENCE|
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)) !=
- (KRB5_AUTH_CONTEXT_RET_SEQUENCE|KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
- /* XXX - need a better error */
- return(KRB5KRB_AP_ERR_MSG_TYPE);
- }
-
- ret = 0;
- /* Calculate write buffer size */
- writebufsize = sizeof(krb5_int32);
- for (i=0; i<nargs; i++) {
- writebufsize += sizeof(krb5_int32); /* for argument size */
- writebufsize += arglist[i].length; /* for actual arg */
- }
-
- writebuf = (char *) malloc(writebufsize);
- if (writebuf != NULL) {
- char *curr;
- krb5_data write_data, out_data;
- krb5_replay_data replay_data;
-
- /* Serialize into write buffer - first number of arguments */
- curr = writebuf;
- kadm_copyout_int32(nargs, curr);
- curr += sizeof(krb5_int32);
-
- /* Then the arguments */
- for (i=0; i<nargs; i++) {
- kadm_copyout_int32(arglist[i].length, curr);
- curr += sizeof(krb5_int32);
- memcpy(curr, arglist[i].data, arglist[i].length);
- curr += arglist[i].length;
- }
-
- /* Set up the message */
- write_data.length = writebufsize;
- write_data.data = writebuf;
-
- /* Generate the message */
- ret = krb5_mk_priv(kcontext, ctx, &write_data,
- &out_data, &replay_data);
- if (!ret) {
- /* Write the message */
- ret = krb5_write_message(kcontext, sock, &out_data);
- krb5_free_data_contents(kcontext, &out_data);
- if (ret)
- goto cleanup;
- }
-
- cleanup:
- /* Paranoia */
- memset(writebuf, 0, writebufsize);
- free(writebuf);
- }
- else {
- /* error */
- ret = ENOMEM;
- }
- return(ret);
-}
-\f
-/*
- * krb5_send_adm_reply() - Send an administrative reply.
- *
- * Send a reply in a KRB_PRIV message. Data takes the format:
- * status (4 octets in network order)
- * ncomps (4 octets in network order)
- * comp size 1 (4 octets in network order)
- * comp data 1 ("comp size 1" octets)
- * .
- * .
- * .
- */
-krb5_error_code
-krb5_send_adm_reply(kcontext, sock, ctx, cmd_stat, ncomps, complist)
- krb5_context kcontext; /* Context handle (In ) */
- krb5_pointer sock; /* Socket to write to (In ) */
- krb5_auth_context ctx; /* Auth context (In ) */
- krb5_int32 cmd_stat; /* Command status (In ) */
- krb5_int32 ncomps; /* Number of arguments (In ) */
- krb5_data *complist; /* Components to write (In ) */
-{
- size_t writebufsize;
- int i;
- char *writebuf;
- krb5_error_code ret;
- krb5_int32 ac_flags;
-
- /*
- * First check that our auth context has the right flags in it.
- */
- ret = krb5_auth_con_getflags(kcontext, ctx, &ac_flags);
- if (ret)
- return(ret);
-
- if ((ac_flags & (KRB5_AUTH_CONTEXT_RET_SEQUENCE|
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)) !=
- (KRB5_AUTH_CONTEXT_RET_SEQUENCE|KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
- /* XXX - need a better error */
- return(KRB5KRB_AP_ERR_MSG_TYPE);
- }
-
- ret = 0;
- /* Calculate write buffer size */
- writebufsize = 2 * sizeof(krb5_int32);
- for (i=0; i<ncomps; i++) {
- writebufsize += sizeof(krb5_int32); /* for argument size */
- writebufsize += complist[i].length; /* for actual arg */
- }
-
- writebuf = (char *) malloc(writebufsize);
- if (writebuf != NULL) {
- char *curr;
- krb5_data write_data, out_data;
- krb5_replay_data replay_data;
-
- /* Serialize into write buffer - first command status */
- curr = writebuf;
- kadm_copyout_int32(cmd_stat, curr);
- curr += sizeof(krb5_int32);
-
- /* Now number of reply components */
- kadm_copyout_int32(ncomps, curr);
- curr += sizeof(krb5_int32);
-
- /* Then the arguments */
- for (i=0; i<ncomps; i++) {
- kadm_copyout_int32(complist[i].length, curr);
- curr += sizeof(krb5_int32);
- memcpy(curr, complist[i].data, complist[i].length);
- curr += complist[i].length;
- }
-
- /* Set up the message */
- write_data.length = writebufsize;
- write_data.data = writebuf;
-
- /* Generate the message */
- ret = krb5_mk_priv(kcontext, ctx, &write_data, &out_data,
- &replay_data);
- if (!ret) {
- /* Write the message */
- ret = krb5_write_message(kcontext, sock, &out_data);
- krb5_free_data_contents(kcontext, &out_data);
- if (ret)
- goto cleanup;
- }
-
- cleanup:
- /* Paranoia */
- memset(writebuf, 0, writebufsize);
- free(writebuf);
- }
- else {
- /* error */
- ret = ENOMEM;
- }
- return(ret);
-}
-\f
-/*
- * krb5_read_adm_cmd() - Read an administrative protocol command.
- *
- * Read an administrative command from the socket. Expect data in the
- * same format as send_adm_cmd shoots them out in.
- *
- * It is the caller's responsibility to free the memory allocated for
- * the read in argument list.
- */
-krb5_error_code
-krb5_read_adm_cmd(kcontext, sock, ctx, nargs, arglist)
- krb5_context kcontext; /* Context handle (In ) */
- krb5_pointer sock; /* Socket to read from (In ) */
- krb5_auth_context ctx; /* Auth context (In ) */
- krb5_int32 *nargs; /* Number of arguments (Out) */
- krb5_data **arglist; /* List of arguments (Out) */
-{
- krb5_data read_data;
- krb5_error_code ret;
- krb5_data msg_data;
- krb5_replay_data replay_data;
- krb5_int32 ac_flags;
- krb5_int32 len32;
-
- /*
- * First check that our auth context has the right flags in it.
- */
- ret = krb5_auth_con_getflags(kcontext, ctx, &ac_flags);
- if (ret)
- return(ret);
-
- if ((ac_flags & (KRB5_AUTH_CONTEXT_RET_SEQUENCE|
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)) !=
- (KRB5_AUTH_CONTEXT_RET_SEQUENCE|KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
- /* XXX - need a better error */
- return(KRB5KRB_AP_ERR_MSG_TYPE);
- }
-
- if (!(ret = krb5_read_message(kcontext, sock, &read_data))) {
- if (!(ret = krb5_rd_priv(kcontext,
- ctx,
- &read_data,
- &msg_data,
- &replay_data))) {
- char *curr;
- int replyok;
- int i;
-
- replyok = 0;
- /* We'd better have at least one reply component */
- if (msg_data.length >= sizeof(krb5_int32)) {
- curr = msg_data.data;
- kadm_copyin_int32(curr, nargs);
- curr += sizeof(krb5_int32);
-
- /* Are there any components to copy? */
- if (*nargs > 0) {
-
- /* Get the memory for the list */
- *arglist = (krb5_data *)
- malloc((size_t) (*nargs) * sizeof(krb5_data));
- if (*arglist != NULL) {
- krb5_data *xarglist;
-
- xarglist = *arglist;
- memset((char *) (xarglist), 0,
- (size_t) (*nargs) * sizeof(krb5_data));
-
- replyok = 1;
- /* Copy out each list entry */
- for (i=0; i<*nargs; i++) {
-
- /* First get the length of the reply component */
- if (curr + sizeof(krb5_int32) - msg_data.data <=
- msg_data.length) {
-
- kadm_copyin_int32(curr, &len32);
- xarglist[i].length = (int) len32;
- curr += sizeof(krb5_int32);
-
- /* Then get the memory for the actual data */
- if ((curr + xarglist[i].length -
- msg_data.data <= msg_data.length) &&
- (xarglist[i].data = (char *)
- malloc(xarglist[i].length+1))) {
-
- /* Then copy it out */
- memcpy(xarglist[i].data,
- curr,
- xarglist[i].length);
- curr += xarglist[i].length;
-
- /* Null terminate for convenience */
- xarglist[i].data[xarglist[i].length]
- = '\0';
- }
- else {
- /* Not enough remaining data. */
- replyok = 0;
- break;
- }
- }
- else {
- /* Not enough remaining data */
- replyok = 0;
- break;
- }
- }
- if (!replyok)
- krb5_free_adm_data(kcontext, *nargs, *arglist);
- }
- }
- else {
- if (*nargs == 0) {
- *arglist = (krb5_data *) NULL;
- replyok = 1;
- }
- }
- }
- if (!replyok) {
- ret = KRB5KRB_AP_ERR_MSG_TYPE; /* syntax error */
- }
- memset(msg_data.data, 0, msg_data.length);
- krb5_xfree(msg_data.data);
- }
- krb5_xfree(read_data.data);
- }
- return(ret);
-}
-\f
-/*
- * krb5_read_adm_reply() - Read an administrative protocol response.
- *
- * Expect to read them out in the same format as send_adm_reply shoots them
- * in.
- *
- * It is the caller's responsibility to free the memory allocated for
- * the read in component list.
- */
-krb5_error_code KRB5_CALLCONV
-krb5_read_adm_reply(kcontext, sock, ctx, cmd_stat, ncomps, complist)
- krb5_context kcontext; /* Context handle (In ) */
- krb5_pointer sock; /* Socket to read from (In ) */
- krb5_auth_context ctx; /* Auth context (In ) */
- krb5_int32 *cmd_stat; /* Command status (Out) */
- krb5_int32 *ncomps; /* # of reply components(Out) */
- krb5_data **complist; /* List of components (Out) */
-{
- krb5_data read_data;
- krb5_error_code ret;
- krb5_data msg_data;
- krb5_replay_data replay_data;
- krb5_int32 ac_flags;
- krb5_int32 len32;
-
- /*
- * First check that our auth context has the right flags in it.
- */
- ret = krb5_auth_con_getflags(kcontext, ctx, &ac_flags);
- if (ret)
- return(ret);
-
- if ((ac_flags & (KRB5_AUTH_CONTEXT_RET_SEQUENCE|
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)) !=
- (KRB5_AUTH_CONTEXT_RET_SEQUENCE|KRB5_AUTH_CONTEXT_DO_SEQUENCE)) {
- /* XXX - need a better error */
- return(KRB5KRB_AP_ERR_MSG_TYPE);
- }
-
- if (!(ret = krb5_read_message(kcontext, sock, &read_data))) {
- if (!(ret = krb5_rd_priv(kcontext,
- ctx,
- &read_data,
- &msg_data,
- &replay_data))) {
- char *curr;
- int replyok;
- int i;
-
- replyok = 0;
- /* We'd better have at least two reply components */
- if (msg_data.length >= (2*sizeof(krb5_int32))) {
- curr = msg_data.data;
- kadm_copyin_int32(curr, cmd_stat);
- curr += sizeof(krb5_int32);
- kadm_copyin_int32(curr, ncomps);
- curr += sizeof(krb5_int32);
-
- /* Are there any components to copy? */
- if (*ncomps > 0) {
-
- /* Get the memory for the list */
- *complist = (krb5_data *)
- malloc((size_t) ((*ncomps) * sizeof(krb5_data)));
- if (*complist) {
- krb5_data *xcomplist;
-
- xcomplist = *complist;
- memset((char *) (xcomplist), 0,
- (size_t) ((*ncomps) * sizeof(krb5_data)));
-
- replyok = 1;
- /* Copy out each list entry */
- for (i=0; i<*ncomps; i++) {
-
- /* First get the length of the reply component */
- if (curr + sizeof(krb5_int32) - msg_data.data <=
- msg_data.length) {
- kadm_copyin_int32(curr, &len32);
- xcomplist[i].length = (int) len32;
- curr += sizeof(krb5_int32);
-
- /* Then get the memory for the actual data */
- if ((curr + xcomplist[i].length -
- msg_data.data <= msg_data.length) &&
- (xcomplist[i].data = (char *)
- malloc(xcomplist[i].length+1))) {
-
- /* Then copy it out */
- memcpy(xcomplist[i].data,
- curr,
- xcomplist[i].length);
- curr += xcomplist[i].length;
-
- /* Null terminate for convenience */
- xcomplist[i].data[xcomplist[i].length]
- = '\0';
- }
- else {
- /* Not enough remaining data. */
- replyok = 0;
- break;
- }
- }
- else {
- /* Not enough remaining data */
- replyok = 0;
- break;
- }
- }
- if (!replyok)
- krb5_free_adm_data(kcontext, *ncomps, *complist);
- }
- }
- else {
- if (*ncomps == 0) {
- *complist = (krb5_data *) NULL;
- replyok = 1;
- }
- }
- }
- if (!replyok) {
- ret = KRB5KRB_AP_ERR_MSG_TYPE; /* syntax error */
- }
- memset(msg_data.data, 0, msg_data.length);
- krb5_xfree(msg_data.data);
- }
- krb5_xfree(read_data.data);
- }
- return(ret);
-}
+++ /dev/null
-/*
- * kadmin/v5server/kadm5_defs.h
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * kadmind5
- * Version 5 administrative daemon.
- */
-#ifndef KADM5_DEFS_H__
-#define KADM5_DEFS_H__
-
-/*
- * Debug definitions.
- */
-#define DEBUG_SPROC 1
-#define DEBUG_OPERATION 2
-#define DEBUG_HOST 4
-#define DEBUG_REALM 8
-#define DEBUG_REQUESTS 16
-#define DEBUG_ACL 32
-#define DEBUG_PROTO 64
-#define DEBUG_CALLS 128
-#define DEBUG_NOSLAVES 256
-#ifdef DEBUG
-#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al
-#else /* DEBUG */
-#define DPRINT(l1, cl, al)
-#endif /* DEBUG */
-#define DLOG(l1, cl, msg) if ((cl & l1) != 0) \
- com_err(programname, 0, msg)
-
-/*
- * Access control bits.
- */
-#define ACL_ADD_PRINCIPAL 1
-#define ACL_DELETE_PRINCIPAL 2
-#define ACL_MODIFY_PRINCIPAL 4
-#define ACL_CHANGEPW 8
-#define ACL_CHANGE_OWN_PW 16
-#define ACL_INQUIRE 32
-#define ACL_EXTRACT 64
-#define ACL_RENAME_PRINCIPAL (ACL_ADD_PRINCIPAL+ACL_DELETE_PRINCIPAL)
-
-#define ACL_PRINCIPAL_MASK (ACL_ADD_PRINCIPAL|ACL_DELETE_PRINCIPAL|\
- ACL_MODIFY_PRINCIPAL)
-#define ACL_PASSWD_MASK (ACL_CHANGEPW|ACL_CHANGE_OWN_PW)
-#define ACL_ALL_MASK (ACL_ADD_PRINCIPAL | \
- ACL_DELETE_PRINCIPAL | \
- ACL_MODIFY_PRINCIPAL | \
- ACL_CHANGEPW | \
- ACL_CHANGE_OWN_PW | \
- ACL_INQUIRE | \
- ACL_EXTRACT)
-/*
- * Subcodes.
- */
-#define KADM_BAD_ARGS 10
-#define KADM_BAD_CMD 11
-#define KADM_NO_CMD 12
-#define KADM_BAD_PRINC 20
-#define KADM_PWD_TOO_SHORT 21
-#define KADM_PWD_WEAK 22
-#define KADM_NOT_ALLOWED 100
-
-/*
- * Reply status values.
- */
-#define KRB5_ADM_SUCCESS 0
-#define KRB5_ADM_CMD_UNKNOWN 1
-#define KRB5_ADM_PW_UNACCEPT 2
-#define KRB5_ADM_BAD_PW 3
-#define KRB5_ADM_NOT_IN_TKT 4
-#define KRB5_ADM_CANT_CHANGE 5
-#define KRB5_ADM_LANG_NOT_SUPPORTED 6
-
-#define KRB5_ADM_P_ALREADY_EXISTS 64
-#define KRB5_ADM_P_DOES_NOT_EXIST 65
-#define KRB5_ADM_NOT_AUTHORIZED 66
-#define KRB5_ADM_BAD_OPTION 67
-#define KRB5_ADM_VALUE_REQUIRED 68
-#define KRB5_ADM_SYSTEM_ERROR 69
-#define KRB5_ADM_KEY_DOES_NOT_EXIST 70
-#define KRB5_ADM_KEY_ALREADY_EXISTS 71
-#define KRB5_ADM_BAD_DESKEY 72
-
-/*
- * Inter-module function prototypes
- */
-
-krb5_keytab key_keytab_id (void);
-krb5_error_code key_open_db (krb5_context);
-krb5_error_code key_close_db (krb5_context);
-
-#if 0
-/* srv_key.c */
-krb5_error_code key_init
- (krb5_context,
- int,
- int,
- char *,
- int,
- char *,
- char *,
- char *,
- char *,
- krb5_int32,
- krb5_key_salt_tuple *);
-void key_finish
- (krb5_context,
- int);
-krb5_error_code key_string_to_keys
- (krb5_context,
- krb5_db_entry *,
- krb5_data *,
- krb5_int32,
- krb5_key_salt_tuple *,
- krb5_int32 *,
- krb5_key_data **);
-krb5_error_code key_random_key
- (krb5_context,
- krb5_db_entry *,
- krb5_int32 *,
- krb5_key_data **);
-krb5_error_code key_encrypt_keys
- (krb5_context,
- krb5_db_entry *,
- krb5_int32 *,
- krb5_key_data *,
- krb5_key_data **);
-krb5_error_code key_decrypt_keys
- (krb5_context,
- krb5_db_entry *,
- krb5_int32 *,
- krb5_key_data *,
- krb5_key_data **);
-krb5_boolean key_pwd_is_weak
- (krb5_context,
- krb5_db_entry *,
- krb5_data *);
-krb5_db_entry *key_master_entry();
-char *key_master_realm();
-krb5_keyblock *key_admin_key();
-krb5_encrypt_block *key_master_encblock();
-void key_free_key_data (krb5_key_data *,
- krb5_int32);
-krb5_error_code key_dbent_to_keysalts
- (krb5_db_entry *,
- krb5_int32 *,
- krb5_key_salt_tuple **);
-krb5_error_code key_update_tl_attrs
- (krb5_context,
- krb5_db_entry *,
- krb5_principal,
- krb5_boolean);
-
-/* srv_acl.c */
-krb5_error_code acl_init
- (krb5_context,
- int,
- char *);
-void acl_finish
- (krb5_context,
- int);
-krb5_boolean acl_op_permitted
- (krb5_context,
- krb5_principal,
- krb5_int32,
- char *);
-
-#endif
-
-/* srv_output.c */
-krb5_error_code output_init
- (krb5_context,
- int,
- char *,
- krb5_boolean);
-void output_finish
- (krb5_context,
- int);
-krb5_boolean output_lang_supported
- (char *);
-char *output_krb5_errmsg
- (char *,
- krb5_boolean,
- krb5_int32);
-char *output_adm_error
- (char *,
- krb5_boolean,
- krb5_int32,
- krb5_int32,
- krb5_int32,
- krb5_data *);
-
-/* srv_net.c */
-krb5_error_code net_init
- (krb5_context,
- char *,
- int,
- krb5_int32);
-void net_finish
- (krb5_context,
- int);
-krb5_error_code net_dispatch
- (krb5_context, int);
-krb5_principal net_server_princ (void);
-
-/* proto_serv.c */
-krb5_error_code proto_init
- (krb5_context,
- int,
- int);
-void proto_finish
- (krb5_context,
- int);
-krb5_error_code proto_serv
- (krb5_context,
- krb5_int32,
- int,
- void *,
- void *);
-
-krb5_int32 passwd_change
- (krb5_context,
- int,
- krb5_auth_context,
- krb5_ticket *,
- krb5_data *,
- krb5_data *,
- krb5_int32 *);
-
-krb5_int32 pwd_change
- (krb5_context,
- int,
- krb5_auth_context,
- krb5_ticket *,
- krb5_data *,
- krb5_data *,
- char [],
- unsigned int);
-
-#if 0
-
-/* passwd.c */
-krb5_int32 passwd_check
- (krb5_context,
- int,
- krb5_auth_context,
- krb5_ticket *,
- krb5_data *,
- krb5_int32 *);
-krb5_int32 passwd_change
- (krb5_context,
- int,
- krb5_auth_context,
- krb5_ticket *,
- krb5_data *,
- krb5_data *,
- krb5_int32 *);
-krb5_boolean passwd_check_npass_ok
- (krb5_context,
- int,
- krb5_principal,
- krb5_db_entry *,
- krb5_data *,
- krb5_int32 *);
-krb5_boolean passwd_check_opass_ok
- (krb5_context,
- int,
- krb5_principal,
- krb5_db_entry *,
- krb5_data *);
-
-/* admin.c */
-krb5_error_code admin_add_principal
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_int32,
- krb5_data *);
-krb5_error_code admin_delete_principal
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_data *);
-krb5_error_code admin_rename_principal
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_data *,
- krb5_data *);
-krb5_error_code admin_modify_principal
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_int32,
- krb5_data *);
-krb5_error_code admin_change_opw
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_data *,
- krb5_data *);
-krb5_error_code admin_change_orandpw
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_data *);
-krb5_error_code admin_inquire
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_data *,
- krb5_int32 *,
- krb5_data **);
-krb5_error_code admin_extract_key
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_data *,
- krb5_data *,
- krb5_int32 *,
- krb5_data **);
-krb5_error_code admin_add_key
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_int32,
- krb5_data *);
-krb5_error_code admin_delete_key
- (krb5_context,
- int,
- krb5_ticket *,
- krb5_int32,
- krb5_data *);
-void admin_init (krb5_deltat,
- krb5_deltat,
- krb5_boolean,
- krb5_timestamp,
- krb5_boolean,
- krb5_flags);
-#endif
-
-#endif /* KADM5_DEFS_H__ */
+++ /dev/null
-/*
- * kadmin/kpasswd/kpasswd.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * kpasswd
- * change your password with Version 5 Kerberos using the new password
- * changing protocol.
- */
-\f
-/*
- * Include files.
- */
-#include "k5-int.h"
-#include "adm_defs.h"
-#include "adm.h"
-#include "krb5/adm_proto.h"
-
-#ifdef HAVE_STRING_H
-#include <string.h>
-#else /* HAVE_STRING_H */
-#include <strings.h>
-#endif /* HAVE_STRING_H */
-
-\f
-/*
- * Local definitions.
- */
-#define KPWD_MAX_TRIES 4
-\f
-/*
- * Local data.
- */
-#define kpwd_serror_head "server"
-#define kpwd_change_prompt_1 " Enter new password"
-#define kpwd_change_prompt_2 "Re-enter new password"
-#define kpwd_old_password_prompt " Enter old password"
-#define kpwd_old_pwd_name_fmt "Enter old password for %s"
-
-#ifdef LANGUAGES_SUPPORTED
-#define kpwd_usage_error_fmt "%s: usage is %s [-u user] [-l language]\n"
-#define kpwd_getoptstring "l:u:"
-#else /* LANGUAGES_SUPPORTED */
-#define kpwd_usage_error_fmt "%s: usage is %s [-u user]\n"
-#define kpwd_getoptstring "u:"
-#endif /* LANGUAGES_SUPPORTED */
-#define kpwd_extra_args "extra arguments"
-#if 0
-#define kpwd_bad_option_fmt "%s: unrecognized option -%c.\n"
-#endif
-#define kpwd_no_memory_fmt "%s: not enough resources to allocate %d bytes for %s.\n"
-#define kpwd_bad_client_fmt "%s: %s%s%s %s not recognized by the server.\n"
-#define kpwd_no_server_fmt "%s: cannot find server for %s.\n"
-#define kpwd_incorrect_fmt "%s: incorrect password\n"
-#define kpwd_cant_connect_fmt "%s: cannot contact server (%s).\n"
-#define kpwd_proto_error_fmt "%s: protocol error during %s request (%s).\n"
-#define kpwd_pwproto_unsupp_fmt "%s: %s request not supported by server.\n"
-#define kpwd_pwproto_error "%s: server error (%s) during %s request.\n"
-#define kpwd_pwd_unacceptable "%s: your new password is unacceptable to the server, %s.\n"
-#define kpwd_read_pass_error "%s: error (%s) reading passwords.\n"
-
-static const char *kpwd_password_text = "passwords";
-#if 0
-static const char *kpwd_realm_text = "realm name";
-#endif
-static const char *kpwd_args_text = "arguments";
-
-static const char *kpwd_try_again_text = "try again";
-static const char *kpwd_seeyalater_text = "password not changed";
-
-#if 0
-static const char *kpwd_mime_text = "MIME-enable";
-static const char *kpwd_language_text = "set language";
-#endif
-static const char *kpwd_check_pwd_text = "check password";
-static const char *kpwd_change_pwd_text = "change password";
-static const char *kpwd_quit_text = "quit";
-
-static const char *kpwd_you = "you";
-static const char *kpwd_is_second = "are";
-static const char *kpwd_is_third = "is";
-static const char *kpwd_quote = "'";
-static const char *kpwd_null = "";
-
-static const char *kpwd_this_realm = "this realm";
-
-static const char *kpwd_replies[] = {
- "Operation successful", /* KRB5_ADM_SUCCESS */
- "Command not recognized", /* KRB5_ADM_CMD_UNKNOWN */
- "Password unacceptable to server", /* KRB5_ADM_PW_UNACCEPT */
- "Old password incorrect", /* KRB5_ADM_BAD_PW */
- "Invalid ticket (TKT_FLAG_INITIAL not set)",/* KRB5_ADM_NOT_IN_TKT */
- "Server refused password change", /* KRB5_ADM_CANT_CHANGE */
- "Language not supported", /* KRB5_ADM_LANG_NOT_SUPPORTED */
-};
-static const char *kpwd_replies_unknown = "UNKNOWN ERROR";
-\f
-static void
-usage(invocation, more_info)
- char *invocation;
- char *more_info;
-{
- if (more_info)
- fprintf(stderr, "%s: %s\n", invocation, more_info);
- fprintf(stderr, kpwd_usage_error_fmt, invocation, invocation);
-}
-
-static const char *
-kpwd_reply_to_string(status)
- krb5_int32 status;
-{
- int idx;
- const char *rval;
-
- switch (status) {
- case KRB5_ADM_SUCCESS:
- case KRB5_ADM_CMD_UNKNOWN:
- case KRB5_ADM_PW_UNACCEPT:
- case KRB5_ADM_BAD_PW:
- case KRB5_ADM_NOT_IN_TKT:
- case KRB5_ADM_CANT_CHANGE:
- case KRB5_ADM_LANG_NOT_SUPPORTED:
- idx = (int) status;
- rval = kpwd_replies[idx];
- break;
- default:
- rval = kpwd_replies_unknown;
- break;
- }
- return(rval);
-}
-
-static void
-kpwd_print_sreply(progname, ncomps, complist)
- char *progname;
- krb5_int32 ncomps;
- krb5_data *complist;
-{
- krb5_int32 i;
- /*
- * If language/mime suporrt enabled, need to have mime-decoder here.
- */
- if (ncomps > 0) {
- fprintf(stderr, "%s - %s: %s\n", progname, kpwd_serror_head,
- complist[0].data);
- for (i=1; i<ncomps; i++)
- fprintf(stderr, "\t%s\n", complist[i].data);
- }
-}
-\f
-int
-main(argc, argv)
- int argc;
- char *argv[];
-{
- int option;
- extern int optind;
- extern char *optarg;
- int error;
-
- char *name;
-#ifdef LANGUAGES_SUPPORTED
- int mflag;
- int lflag;
-#endif
- char *language;
-
- krb5_error_code kret;
- krb5_context kcontext;
- krb5_auth_context auth_context;
- krb5_ccache ccache;
- char *opassword;
- char *npassword;
- char *opwd_prompt;
-
- int conn_socket = -1;
-
- int npass_tries;
- int send_quit;
-
- /*
- * Initialize.
- */
- language = name = opwd_prompt = (char *) NULL;
- error = 0;
-#ifdef LANGUAGES_SUPPORTED
- mflag = lflag = 0;
-#endif
- send_quit = 0;
- ccache = (krb5_ccache) NULL;
-
- /*
- * Usage is:
- * kpasswd [-u user] [-l language]
- */
- while ((option = getopt(argc, argv, kpwd_getoptstring)) != -1) {
- switch (option) {
- case 'u':
- if ((name = (char *) malloc(strlen(optarg)+1)) == NULL) {
- fprintf(stderr, kpwd_no_memory_fmt, argv[0],
- strlen(optarg)+1, kpwd_args_text);
- error = ENOMEM;
- break;
- }
- strcpy(name, optarg);
- break;
-#ifdef LANGUAGES_SUPPORTED
- case 'l':
- lflag++;
- mflag++;
- if ((language = (char *) malloc(strlen(optarg)+1)) == NULL) {
- fprintf(stderr, kpwd_no_memory_fmt, argv[0],
- strlen(optarg)+1, kpwd_args_text);
- error = ENOMEM;
- break;
- }
- strcpy(language, optarg);
- break;
-#endif /* LANGUAGES_SUPPORTED */
- default:
- error++;
- break;
- }
- if (error)
- break;
- }
- if (error || ((argc - optind) > 0)) {
- usage(argv[0], (error) ? (char *) NULL: kpwd_extra_args);
- error++;
- if (name)
- free(name);
- if (language)
- free(language);
- return(error);
- }
-
- /*
- * Initialize Kerberos
- */
- kret = krb5_init_context(&kcontext);
- if (kret) {
- com_err(argv[0], kret, "while initializing krb5");
- exit(1);
- }
-
- /* Get space for passwords */
- if (
- ((npassword = (char *) malloc(KRB5_ADM_MAX_PASSWORD_LEN))
- == (char *) NULL) ||
- ((opassword = (char *) malloc(KRB5_ADM_MAX_PASSWORD_LEN))
- == (char *) NULL))
- {
- fprintf(stderr, kpwd_no_memory_fmt, argv[0], KRB5_ADM_MAX_PASSWORD_LEN,
- kpwd_password_text);
- if (npassword)
- free(npassword);
- krb5_free_context(kcontext);
- return(ENOMEM);
- }
-
- /* From now on, all error legs via 'goto cleanup' */
-
- if (name) {
- size_t prompt_len;
-
- prompt_len = strlen(kpwd_old_pwd_name_fmt) - 2 + strlen(name) + 1;
- opwd_prompt = (char *) malloc(prompt_len);
- if (opwd_prompt)
- sprintf(opwd_prompt, kpwd_old_pwd_name_fmt, name);
- }
- /*
- * Establish the connection.
- */
- kret = krb5_adm_connect(kcontext, name,
- (opwd_prompt) ?
- opwd_prompt : kpwd_old_password_prompt,
- opassword, &conn_socket, &auth_context,
- &ccache, (char *) NULL, 0);
- if (kret) {
- switch (kret) {
- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
- fprintf(stderr, kpwd_bad_client_fmt, argv[0],
- (name) ? kpwd_quote : kpwd_null,
- (name) ? name : kpwd_you,
- (name) ? kpwd_quote : kpwd_null,
- (name) ? kpwd_is_third : kpwd_is_second);
- break;
- case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
- fprintf(stderr, kpwd_no_server_fmt, argv[0],
- (name) ? name : kpwd_this_realm);
- break;
- case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- fprintf(stderr, kpwd_incorrect_fmt, argv[0]);
- break;
- default:
- fprintf(stderr, kpwd_cant_connect_fmt, argv[0],
- error_message(kret));
- break;
- }
- goto cleanup;
- }
-
- if (opwd_prompt)
- free(opwd_prompt);
- send_quit = 1;
-
-#ifdef LANGUAGES_SUPPORTED
- /*
- * We have the connection - see if we have to send some precursory data.
- */
- if (mflag) {
- /*
- * Need to engage in protocol for MIME setting
- */
- krb5_data mime_data;
- krb5_int32 mime_status;
- krb5_int32 mime_ncomps;
- krb5_data *mime_reply;
-
- mime_data.data = KRB5_ADM_MIME_CMD;
- mime_data.length = strlen(mime_data.data);
- if ((kret = krb5_send_adm_cmd(kcontext,
- &conn_socket,
- auth_context,
- 1,
- &mime_data)) ||
- (kret = krb5_read_adm_reply(kcontext,
- &conn_socket,
- auth_context,
- &mime_status,
- &mime_ncomps,
- &mime_reply))) {
- fprintf(stderr, kpwd_proto_error_fmt, argv[0], kpwd_mime_text,
- error_message(kret));
- send_quit = 0;
- goto cleanup;
- }
- switch (mime_status) {
- case KRB5_ADM_SUCCESS:
- break;
- case KRB5_ADM_CMD_UNKNOWN:
- fprintf(stderr, kpwd_pwproto_unsupp_fmt, argv[0], kpwd_mime_text);
- if (mime_ncomps > 0)
- kpwd_print_sreply(argv[0], mime_ncomps, mime_reply);
- break;
- default:
- fprintf(stderr, kpwd_pwproto_error, argv[0],
- kpwd_reply_to_string(mime_status), kpwd_mime_text);
- if (mime_ncomps > 0)
- kpwd_print_sreply(argv[0], mime_ncomps, mime_reply);
- goto cleanup;
- }
- krb5_free_adm_data(kcontext, mime_ncomps, mime_reply);
- }
- if (lflag && language) {
- /*
- * Need to engage in protocol for language setting
- */
- krb5_data lang_data[2];
- krb5_int32 lang_status;
- krb5_int32 lang_ncomps;
- krb5_data *lang_reply;
-
- lang_data[0].data = KRB5_ADM_LANGUAGE_CMD;
- lang_data[0].length = strlen(lang_data[0].data);
- lang_data[1].data = language;
- lang_data[1].length = strlen(language);
- if ((kret = krb5_send_adm_cmd(kcontext,
- &conn_socket,
- auth_context,
- 2,
- lang_data)) ||
- (kret = krb5_read_adm_reply(kcontext,
- &conn_socket,
- auth_context,
- &lang_status,
- &lang_ncomps,
- &lang_reply))) {
- fprintf(stderr, kpwd_proto_error_fmt, argv[0], kpwd_language_text,
- error_message(kret));
- send_quit = 0;
- goto cleanup;
- }
- switch (lang_status) {
- case KRB5_ADM_SUCCESS:
- break;
- case KRB5_ADM_CMD_UNKNOWN:
- fprintf(stderr, kpwd_pwproto_unsupp_fmt, argv[0],
- kpwd_language_text);
- if (lang_ncomps > 0)
- kpwd_print_sreply(argv[0], lang_ncomps, lang_reply);
- break;
- default:
- fprintf(stderr, kpwd_pwproto_error, argv[0],
- kpwd_reply_to_string(lang_status), kpwd_language_text);
- if (lang_ncomps > 0)
- kpwd_print_sreply(argv[0], lang_ncomps, lang_reply);
- goto cleanup;
- }
- krb5_free_adm_data(kcontext, lang_ncomps, lang_reply);
- }
-#endif /* LANGUAGES_SUPPORTED */
-
- /* Now - Actually change the password. */
- for (npass_tries = 1; npass_tries <= KPWD_MAX_TRIES; npass_tries++) {
- unsigned int npass_len;
-
- npass_len = KRB5_ADM_MAX_PASSWORD_LEN;
- if (!(kret = krb5_read_password(kcontext,
- kpwd_change_prompt_1,
- kpwd_change_prompt_2,
- npassword,
- &npass_len))) {
- krb5_data check_data[2];
- krb5_int32 check_status;
- krb5_int32 check_ncomps;
- krb5_data *check_reply;
- krb5_data set_data[3];
- krb5_int32 set_status;
- krb5_int32 set_ncomps;
- krb5_data *set_reply;
-
- check_data[0].data = KRB5_ADM_CHECKPW_CMD;
- check_data[0].length = strlen(check_data[0].data);
- check_data[1].data = npassword;
- check_data[1].length = npass_len;
- if ((kret = krb5_send_adm_cmd(kcontext,
- &conn_socket,
- auth_context,
- 2,
- check_data)) ||
- (kret = krb5_read_adm_reply(kcontext,
- &conn_socket,
- auth_context,
- &check_status,
- &check_ncomps,
- &check_reply))) {
- fprintf(stderr, kpwd_proto_error_fmt, argv[0],
- kpwd_check_pwd_text, error_message(kret));
- send_quit = 0;
- error++;
- break;
- }
- if ((check_status != KRB5_ADM_SUCCESS) &&
- (check_status != KRB5_ADM_PW_UNACCEPT)) {
- error++;
- fprintf(stderr, kpwd_pwproto_error, argv[0],
- kpwd_reply_to_string(check_status),
- kpwd_check_pwd_text);
- if (check_ncomps > 0)
- kpwd_print_sreply(argv[0], check_ncomps, check_reply);
- }
-
- if (check_status == KRB5_ADM_PW_UNACCEPT) {
- fprintf(stderr, kpwd_pwd_unacceptable, argv[0],
- (npass_tries < KPWD_MAX_TRIES) ?
- kpwd_try_again_text : kpwd_seeyalater_text);
- if (check_ncomps > 0)
- kpwd_print_sreply(argv[0], check_ncomps, check_reply);
- if (npass_tries == KPWD_MAX_TRIES)
- kret = check_status;
- continue;
- }
- krb5_free_adm_data(kcontext, check_ncomps, check_reply);
- if (error)
- break;
-
- /* Now actually change the password */
- set_data[0].data = KRB5_ADM_CHANGEPW_CMD;
- set_data[0].length = strlen(set_data[0].data);
- set_data[1].data = opassword;
- set_data[1].length = strlen(opassword);
- set_data[2].data = npassword;
- set_data[2].length = npass_len;
- if ((kret = krb5_send_adm_cmd(kcontext,
- &conn_socket,
- auth_context,
- 3,
- set_data)) ||
- (kret = krb5_read_adm_reply(kcontext,
- &conn_socket,
- auth_context,
- &set_status,
- &set_ncomps,
- &set_reply))) {
- fprintf(stderr, kpwd_proto_error_fmt, argv[0],
- kpwd_change_pwd_text, error_message(kret));
- send_quit = 0;
- error++;
- break;
- }
- if (set_status != KRB5_ADM_SUCCESS) {
- fprintf(stderr, kpwd_pwproto_error, argv[0],
- kpwd_reply_to_string(set_status),
- kpwd_change_pwd_text);
- if (set_ncomps > 0)
- kpwd_print_sreply(argv[0], set_ncomps, set_reply);
- error++;
- }
- krb5_free_adm_data(kcontext, set_ncomps, set_reply);
- break;
- }
- else {
- fprintf(stderr, kpwd_read_pass_error, argv[0],
- error_message(kret));
- error++;
- break;
- }
- }
-
- cleanup:
- if (kret)
- error = kret;
- if (language)
- free(language);
- if (name)
- free(name);
-
- /* Clear and free password storage */
- if (opassword) {
- memset(opassword, 0, KRB5_ADM_MAX_PASSWORD_LEN);
- free(opassword);
- }
- if (npassword) {
- memset(npassword, 0, KRB5_ADM_MAX_PASSWORD_LEN);
- free(npassword);
- }
-
- if (send_quit) {
- /*
- * Need to send quit command.
- */
- krb5_data quit_data;
- krb5_int32 quit_status;
- krb5_int32 quit_ncomps;
- krb5_data *quit_reply;
-
- quit_data.data = KRB5_ADM_QUIT_CMD;
- quit_data.length = strlen(quit_data.data);
- if ((kret = krb5_send_adm_cmd(kcontext,
- &conn_socket,
- auth_context,
- 1,
- &quit_data)) ||
- (kret = krb5_read_adm_reply(kcontext,
- &conn_socket,
- auth_context,
- &quit_status,
- &quit_ncomps,
- &quit_reply))) {
- fprintf(stderr, kpwd_proto_error_fmt, argv[0], kpwd_quit_text,
- error_message(kret));
- goto done;
- }
- switch (quit_status) {
- case KRB5_ADM_SUCCESS:
- break;
- case KRB5_ADM_CMD_UNKNOWN:
- fprintf(stderr, kpwd_pwproto_unsupp_fmt, argv[0], kpwd_quit_text);
- if (quit_ncomps > 0)
- kpwd_print_sreply(argv[0], quit_ncomps, quit_reply);
- break;
- default:
- fprintf(stderr, kpwd_pwproto_error, argv[0],
- kpwd_reply_to_string(quit_status), kpwd_quit_text);
- if (quit_ncomps > 0)
- kpwd_print_sreply(argv[0], quit_ncomps, quit_reply);
- }
- krb5_free_adm_data(kcontext, quit_ncomps, quit_reply);
- }
-
- done:
- krb5_adm_disconnect(kcontext, &conn_socket, auth_context, ccache);
- krb5_free_context(kcontext);
- return(error);
-}
+++ /dev/null
-#include <stdio.h>
-#include <signal.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <string.h>
-#include <setjmp.h>
-
-#include <krb5.h>
-#include <kadm5/admin.h>
-#include <krb5/adm_proto.h>
-#include "kadm5_defs.h"
-
-#if defined(NEED_DAEMON_PROTO)
-extern int daemon(int, int);
-#endif
-
-static krb5_keytab keytab;
-char *programname;
-kadm5_config_params params;
-void *global_server_handle;
-#if POSIX_SETJMP
-static sigjmp_buf terminal_jmp;
-#else /* POSIX_SETJMP */
-static jmp_buf terminal_jmp;
-#endif /* POSIX_SETJMP */
-
-krb5_keytab key_keytab_id()
-{
- return(keytab);
-}
-
-static krb5_sigtype
-unhandled_signal(signo)
- int signo;
-{
-#if POSIX_SETJMP
- siglongjmp(terminal_jmp, signo);
-#else /* POSIX_SETJMP */
- longjmp(terminal_jmp, signo);
-#endif /* POSIX_SETJMP */
- /* NOTREACHED */
-}
-
-static void usage()
-{
- fprintf(stderr, "Usage: kadmind [-r realm] [-m] [-nofork] "
- "[-D debuglevel] [-T keytable] [-port port-number]\n");
- exit(1);
-}
-
-int main(int argc, char *argv[])
-{
- int ret;
- volatile int nofork;
- int timeout = -1;
- krb5_error_code code;
- volatile int debug_level = 0;
-#if POSIX_SIGNALS
- struct sigaction s_action;
-#endif /* POSIX_SIGNALS */
- krb5_context context;
-
- programname = argv[0];
-
- nofork = 0;
-
- memset((char *) ¶ms, 0, sizeof(params));
-
- argc--; argv++;
- while (argc) {
- if (strcmp(*argv, "-r") == 0) {
- argc--; argv++;
- if (!argc)
- usage();
- params.realm = *argv;
- params.mask |= KADM5_CONFIG_REALM;
- argc--; argv++;
- continue;
- } else if (strcmp(*argv, "-m") == 0) {
- params.mkey_from_kbd = 1;
- params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
- } else if (strcmp(*argv, "-nofork") == 0) {
- nofork = 1;
- } else if(strcmp(*argv, "-port") == 0) {
- argc--; argv++;
- if(!argc)
- usage();
- params.kadmind_port = atoi(*argv);
- params.mask |= KADM5_CONFIG_KADMIND_PORT;
- } else if (strcmp(*argv, "-T") == 0) {
- argc--; argv++;
- if (!argc)
- usage();
- params.admin_keytab = *argv;
- params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
- argc--; argv++;
- continue;
- } else if (strcmp(*argv, "-D") == 0) {
- if (!argc)
- usage();
- argc--; argv++;
- debug_level = atoi(*argv);
- } else
- break;
- argc--; argv++;
- }
-
- if (argc != 0)
- usage();
-
- ret = krb5_init_context(&context);
- if (ret) {
- fprintf(stderr, "%s: %s while initializing context, aborting\n",
- programname, error_message(ret));
- exit(1);
- }
-
- krb5_klog_init(context, "admin_server", programname, 1);
-
- ret = kadm5_get_config_params(context, NULL, NULL, ¶ms,
- ¶ms);
- if (ret) {
- krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting\n",
- programname, error_message(ret));
- fprintf(stderr, "%s: %s while initializing, aborting\n",
- programname, error_message(ret));
- krb5_klog_close(context);
- exit(1);
- }
-
-#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE | \
- KADM5_CONFIG_ADMIN_KEYTAB)
-
- if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) {
- krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values "
- "(%x) while initializing, aborting\n", programname,
- (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
- fprintf(stderr, "%s: Missing required configuration values "
- "(%lx) while initializing, aborting\n", programname,
- (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS);
- krb5_klog_close(context);
- exit(1);
- }
-
- if ((code = krb5_kt_resolve(context, params.admin_keytab, &keytab))) {
- fprintf(stderr, "%s: cannot resolve keytab %s (%s).\n",
- programname, params.admin_keytab, error_message(code));
- exit(1);
- }
-
- if (!nofork &&
- daemon(0, ((params.mask&KADM5_CONFIG_MKEY_FROM_KBD)?
- params.mkey_from_kbd:0))) {
- fprintf(stderr, "%s: cannot spawn and detach.\n", argv[0]);
- perror(argv[0]);
- return(2);
- }
-
-#if POSIX_SIGNALS
- (void) sigemptyset(&s_action.sa_mask);
- s_action.sa_flags = 0;
- s_action.sa_handler = unhandled_signal;
- (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGALRM, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL);
-#else /* POSIX_SIGNALS */
- signal(SIGINT, unhandled_signal);
- signal(SIGTERM, unhandled_signal);
- signal(SIGHUP, unhandled_signal);
- signal(SIGQUIT, unhandled_signal);
- signal(SIGPIPE, unhandled_signal);
- signal(SIGALRM, unhandled_signal);
- signal(SIGCHLD, unhandled_signal);
-#endif /* POSIX_SIGNALS */
-
- krb5_klog_syslog(LOG_INFO, "starting");
-
- code = net_init(context, params.realm, debug_level,
- (params.mask&KADM5_CONFIG_KADMIND_PORT)?
- params.kadmind_port:0);
- if (code) {
- krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network",
- programname, error_message(code));
- fprintf(stderr, "%s: %s while initializing network\n",
- programname, error_message(code));
-
- exit(1);
- }
-
- code = proto_init(context, debug_level, timeout);
- if (code) {
- krb5_klog_syslog(LOG_ERR, "%s: %s while initializing proto",
- programname, error_message(code));
- fprintf(stderr, "%s: %s while initializing proto\n",
- programname, error_message(code));
- }
-
- if (
-#if POSIX_SETJMP
- sigsetjmp(terminal_jmp, 1) == 0
-#else /* POSIX_SETJMP */
- setjmp(terminal_jmp) == 0
-#endif /* POSIX_SETJMP */
- )
- {
- code = net_dispatch(context, !nofork);
- if (code) {
- krb5_klog_syslog(LOG_ERR, "%s: %s while dispatching requests",
- programname, error_message(code));
- fprintf(stderr, "%s: %s while dispatching requests\n",
- programname, error_message(code));
-
- exit(1);
- }
- }
-
- net_finish(context, debug_level);
-
- krb5_klog_syslog(LOG_INFO, "finished, exiting");
- krb5_klog_close(context);
- exit(2);
-}
-
-krb5_error_code key_open_db(krb5_context context)
-{
- return(kadm5_init("kadmind", NULL,
- NULL, ¶ms,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- &global_server_handle));
-}
-
-krb5_error_code key_close_db(krb5_context context)
-{
- kadm5_destroy(global_server_handle);
- return(0);
-}
-
-krb5_int32
-pwd_change(kcontext, debug_level, auth_context, ticket,
- olddata, newdata, err_str, err_str_len)
- krb5_context kcontext;
- int debug_level;
- krb5_auth_context auth_context;
- krb5_ticket *ticket;
- krb5_data *olddata;
- krb5_data *newdata;
- char err_str[];
- unsigned int err_str_len;
-{
- kadm5_ret_t ret;
- krb5_int32 now;
- kadm5_policy_ent_rec pol;
- kadm5_principal_ent_rec princ;
- krb5_principal principal;
-
- /* Make sure the ticket is initial, otherwise don't trust it */
- if ((ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) {
- return(KRB5_ADM_NOT_IN_TKT);
- }
-
- /* a principal can always change its own password, so there's no
- acl check to do here */
-
- principal = ticket->enc_part2->client;
-
- /* check to see if the min_time has passed. this is stolen
- from chpass_principal_wrapper */
-
- ret = krb5_timeofday(kcontext, &now);
- if (ret) {
- /* XXX - The only caller is known to use a 1K buffer. */
- system_error:
- strncpy(err_str, error_message(ret), 1024);
- return(KRB5_ADM_SYSTEM_ERROR);
- }
-
- if((ret = kadm5_get_principal(global_server_handle, principal,
- &princ,
- KADM5_PRINCIPAL_NORMAL_MASK)) !=
- KADM5_OK) {
- goto system_error;
- }
- if(princ.aux_attributes & KADM5_POLICY) {
- if((ret=kadm5_get_policy(global_server_handle,
- princ.policy, &pol)) != KADM5_OK) {
- (void) kadm5_free_principal_ent(global_server_handle, &princ);
- goto system_error;
- }
- if((now - princ.last_pwd_change) < pol.pw_min_life &&
- !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- (void) kadm5_free_policy_ent(global_server_handle, &pol);
- (void) kadm5_free_principal_ent(global_server_handle, &princ);
- /* XXX - The only caller is known to use a 1K buffer. */
- strncpy(err_str, error_message(ret), 1024);
- return(KRB5_ADM_PW_UNACCEPT);
- }
-
- ret = kadm5_free_policy_ent(global_server_handle, &pol);
- if (ret) {
- (void) kadm5_free_principal_ent(global_server_handle, &princ);
- goto system_error;
- }
- }
-
- ret = kadm5_free_principal_ent(global_server_handle, &princ);
- if (ret) {
- goto system_error;
- }
-
- /* ok, it's not too early to change the password. change it. */
-
- ret = kadm5_chpass_principal_util(global_server_handle,
- principal, newdata->data,
- NULL, err_str, err_str_len);
- if (ret)
- return(KRB5_ADM_PW_UNACCEPT);
-
- return(KRB5_ADM_SUCCESS);
-}
+++ /dev/null
-/*
- * kadmin/v5server/proto_serv.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * proto_serv.c - Engage in protocol. This module reflects the connection
- * protocol as implemented in lib/krb5/os/adm_conn.c. Any changes
- * in one module must be reflected in the other.
- */
-#define NEED_SOCKETS
-#include "k5-int.h"
-#include <signal.h>
-#include "com_err.h"
-#include "kadm5_defs.h"
-#include "adm.h"
-#include "adm_proto.h"
-#include <setjmp.h>
-
-static const char *proto_addrs_msg = "\004%d: cannot get memory for addresses";
-static const char *proto_rcache_msg = "\004%d: cannot get replay cache";
-static const char *proto_ap_req_msg = "\004%d: error reading AP_REQ message";
-static const char *proto_auth_con_msg = "\004%d: cannot get authorization context";
-static const char *proto_rd_req_msg = "\004%d: cannot decode AP_REQ message";
-static const char *proto_mk_rep_msg = "\004%d: cannot generate AP_REP message";
-static const char *proto_wr_rep_msg = "\004%d: cannot write AP_REP message";
-static const char *proto_conn_abort_msg = "\007%d: connection destroyed by client";
-static const char *proto_seq_err_msg = "\004%d: protocol sequence violation";
-static const char *proto_rd_cmd_msg = "\004%d: cannot read administrative protocol command";
-static const char *proto_db_open_msg = "\004%d: cannot open database";
-static const char *proto_db_close_msg = "\004%d: cannot close database";
-static const char *proto_wr_reply_msg = "\004%d: cannot write administrative protocol reply";
-extern char *programname;
-
-static int proto_proto_timeout = -1;
-static int proto_debug_level = 0;
-#if POSIX_SETJMP
-static sigjmp_buf timeout_jmp;
-#else /* POSIX_SETJMP */
-static jmp_buf timeout_jmp;
-#endif /* POSIX_SETJMP */
-
-static krb5_sigtype
-proto_alarmclock(signo)
- int signo;
-{
-#if POSIX_SETJMP
- siglongjmp(timeout_jmp, 1);
-#else /* POSIX_SETJMP */
- longjmp(timeout_jmp, 1);
-#endif /* POSIX_SETJMP */
- /* NOTREACHED */
-}
-
-krb5_error_code
-proto_init(kcontext, debug_level, timeo)
- krb5_context kcontext;
- int debug_level;
- int timeo;
-{
- krb5_error_code kret;
-
- proto_debug_level = debug_level;
- DPRINT(DEBUG_CALLS, proto_debug_level,
- ("* proto_init(timeo=%d)\n", timeo));
- kret = 0;
- proto_proto_timeout = timeo;
- DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_init() = %d\n", kret));
- return(kret);
-}
-
-void
-proto_finish(kcontext, debug_level)
- krb5_context kcontext;
- int debug_level;
-{
- DPRINT(DEBUG_CALLS, proto_debug_level, ("* proto_finish()\n"));
- DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_finish()\n"));
-}
-
-krb5_error_code
-proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
- krb5_context kcontext;
- krb5_int32 my_id;
- int cl_sock;
- void *sv_p;
- void *cl_p;
-{
- volatile krb5_error_code kret;
- struct sockaddr_in *cl_addr;
- struct sockaddr_in *sv_addr;
-
- krb5_data in_data;
- krb5_data out_data;
- krb5_rcache rcache;
- krb5_auth_context auth_context;
- krb5_flags ap_options;
- krb5_ticket *ticket;
- krb5_address *local;
- krb5_address *remote;
-
-#if POSIX_SIGNALS
- struct sigaction s_action;
-#endif /* POSIX_SIGNALS */
-
- char *curr_lang = (char *) NULL;
-#ifdef MIME_SUPPORTED
- krb5_boolean mime_setting = 0;
-#endif
-
- krb5_int32 num_args;
- krb5_data *arglist;
-
- volatile krb5_boolean db_opened;
-
- cl_addr = (struct sockaddr_in *) cl_p;
- sv_addr = (struct sockaddr_in *) sv_p;
- DPRINT(DEBUG_CALLS, proto_debug_level,
- ("* proto_serv(id=%d, sock=%d, local=%x, remote=%x)\n",
- my_id, cl_sock,
- ntohl(sv_addr->sin_addr.s_addr),
- ntohl(cl_addr->sin_addr.s_addr)));
-
- /* Initialize */
- memset((char *) &in_data, 0, sizeof(in_data));
- memset((char *) &out_data, 0, sizeof(out_data));
- num_args = 0;
- local = (krb5_address *) NULL;
- remote = (krb5_address *) NULL;
- ticket = (krb5_ticket *) NULL;
- rcache = (krb5_rcache) NULL;
-#if POSIX_SIGNALS
- (void) sigemptyset(&s_action.sa_mask);
- s_action.sa_flags = 0;
-#endif /* POSIX_SIGNALS */
- db_opened = 0;
-
- /* Get memory for addresses */
- local = (krb5_address *) malloc(sizeof(krb5_address));
- remote = (krb5_address *) malloc(sizeof(krb5_address));
- if (!local || !remote) {
- kret = ENOMEM;
- com_err(programname, kret, proto_addrs_msg, my_id);
- goto cleanup;
- }
-
- local->contents = (krb5_octet *) malloc(sizeof(struct in_addr));
- remote->contents = (krb5_octet *) malloc(sizeof(struct in_addr));
- if (!local->contents || !remote->contents) {
- kret = ENOMEM;
- com_err(programname, kret, proto_addrs_msg, my_id);
- goto cleanup;
- }
-
- /*
- * First setup the replay cache.
- */
- kret = krb5_get_server_rcache(kcontext,
- krb5_princ_component(kcontext,
- net_server_princ(),
- 0),
- &rcache);
- if (kret) {
- com_err(programname, kret, proto_rcache_msg, my_id);
- goto cleanup;
- }
-
- /* Initialize the auth context */
- kret = krb5_auth_con_init(kcontext, &auth_context);
- if (kret) {
- com_err(programname, kret, proto_auth_con_msg, my_id);
- goto cleanup;
- }
-
- krb5_auth_con_setrcache(kcontext, auth_context, rcache);
-
- /*
- * Set up addresses.
- */
- local->addrtype = remote->addrtype = ADDRTYPE_INET;
- local->length = remote->length = sizeof(struct in_addr);
- memcpy((char *) local->contents,
- (char *) &sv_addr->sin_addr,
- sizeof(struct in_addr));
- memcpy((char *) remote->contents,
- (char *) &cl_addr->sin_addr,
- sizeof(struct in_addr));
- krb5_auth_con_setflags(kcontext, auth_context,
- KRB5_AUTH_CONTEXT_RET_SEQUENCE|
- KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- krb5_auth_con_setaddrs(kcontext, auth_context, local, remote);
-
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:read message(local=%x, remote=%x)\n",
- my_id,
- ntohl(sv_addr->sin_addr.s_addr),
- ntohl(cl_addr->sin_addr.s_addr)));
- /* Now, read in the AP_REQ message and decode it. */
- kret = krb5_read_message(kcontext, (krb5_pointer) &cl_sock, &in_data);
- if (kret) {
- com_err(programname, kret, proto_ap_req_msg, my_id);
- goto cleanup;
- }
-
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:parse message(%d bytes)\n", my_id, in_data.length));
-
- /* Parse the AP_REQ message */
- kret = krb5_rd_req(kcontext, &auth_context, &in_data,
- net_server_princ(), key_keytab_id(),
- &ap_options, &ticket);
- if (kret) {
- com_err(programname, kret, proto_rd_req_msg, my_id);
- goto err_reply;
- }
-
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:check AP_REQ(options are %x)\n", my_id, ap_options));
- /* Check our options */
- if ((ap_options & AP_OPTS_MUTUAL_REQUIRED) == 0) {
- kret = KRB5KRB_AP_ERR_MSG_TYPE;
- goto err_reply;
- }
-
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:make AP_REP\n", my_id));
- kret = krb5_mk_rep(kcontext, auth_context, &out_data);
- if (kret) {
- com_err(programname, kret, proto_mk_rep_msg, my_id);
- goto cleanup;
- }
-
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:write AP_REP(%d bytes)\n", my_id, out_data.length));
- kret = krb5_write_message(kcontext, (krb5_pointer) &cl_sock,
- &out_data);
- if (kret) {
- com_err(programname, kret, proto_wr_rep_msg, my_id);
- goto cleanup;
- }
-
- /*
- * Initialization is now complete.
- *
- * If enabled, the protocol times out after proto_proto_timeout seconds.
- */
- if (
-#if POSIX_SETJMP
- sigsetjmp(timeout_jmp, 1) == 0
-#else /* POSIX_SETJMP */
- setjmp(timeout_jmp) == 0
-#endif /* POSIX_SETJMP */
- ) {
- if (proto_proto_timeout > 0) {
-#if POSIX_SIGNALS
- s_action.sa_handler = proto_alarmclock;
- (void) sigaction(SIGALRM, &s_action, (struct sigaction *) NULL);
-#else /* POSIX_SIGNALS */
- signal(SIGALRM, proto_alarmclock);
-#endif /* POSIX_SIGNALS */
- }
- /*
- * Loop forever - or until somebody puts us out of our misery.
- */
- while (1) {
- krb5_int32 cmd_error;
- /* If this size changed, change the sprintf below */
- char err_str[1024];
- krb5_int32 cmd_repl_ncomps;
- krb5_data *cmd_repl_complist;
- int do_quit;
-
- /*
- * Read a command and figure out what to do.
- */
- if (proto_proto_timeout > 0)
- alarm((unsigned) proto_proto_timeout);
- num_args = 0;
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:waiting for command\n", my_id));
- kret = krb5_read_adm_cmd(kcontext,
- (krb5_pointer) &cl_sock,
- auth_context,
- &num_args,
- &arglist);
- if (proto_proto_timeout > 0)
- alarm(0);
- if (kret) {
- /*
- * It's OK to have connections abort here.
- */
- if (kret == ECONNABORTED) {
- com_err(programname, kret, proto_conn_abort_msg, my_id);
- kret = 0;
- }
- else if (kret == KRB5KRB_AP_ERR_BADORDER) {
- com_err(programname, kret, proto_seq_err_msg, my_id);
- kret = 0;
- }
- else
- com_err(programname, kret, proto_rd_cmd_msg, my_id);
- goto cleanup;
- }
-
- cmd_error = KRB5_ADM_SUCCESS;
- do_quit = 0;
-
- /*
- * First open the database. We only have it open for the
- * lifetime of a command so that we are sure to close it after
- * performing an update. This also reduces the likelihood
- * that somebody'll have stale data lying around since we're
- * most likely going to change something here.
- */
- if ((kret = key_open_db(kcontext))) {
- com_err(programname, kret, proto_db_open_msg, my_id);
- goto cleanup;
- }
- else
- db_opened = 1;
-
- /*
- * Now check our arguments.
- */
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:parse command\n", my_id));
- cmd_repl_ncomps = 0;
- cmd_repl_complist = (krb5_data *) NULL;
- if (num_args > 0) {
- if (!strcasecmp(arglist[0].data, KRB5_ADM_QUIT_CMD)) {
- /*
- * QUIT command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:QUIT command\n", my_id));
- /* QUIT takes no arguments */
- if (num_args == 1) {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:QUIT command syntax OK\n", my_id));
- do_quit = 1;
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:QUIT command syntax BAD\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- strcpy(err_str,
- "Bad argument list format for quit command.");
- }
- }
- else if (!strcasecmp(arglist[0].data, KRB5_ADM_CHECKPW_CMD)) {
- /*
- * CHECKPW command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHECKPW command\n", my_id));
- if (num_args == 2) {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHECKPW command syntax OK\n", my_id));
- cmd_error = 0;
- err_str[0] = '\0';
-#if 0
- cmd_error = pwd_check(kcontext,
- proto_debug_level,
- auth_context,
- ticket,
- &arglist[1],
- &err_str);
-#endif
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHECKPW command syntax BAD\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
-
- strcpy(err_str,
- "Bad argument list format for checkpw command.");
- }
- }
- else if (!strcasecmp(arglist[0].data, KRB5_ADM_CHANGEPW_CMD)) {
- /*
- * CHANGEPW command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGEPW command\n", my_id));
- if (num_args == 3) {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGEPW command syntax OK\n", my_id));
- cmd_error = pwd_change(kcontext,
- proto_debug_level,
- auth_context,
- ticket,
- &arglist[1],
- &arglist[2],
- err_str,
- sizeof(err_str));
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGEPW command syntax BAD\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- strcpy(err_str,
- "Bad argument list format for changepw command.");
- }
- }
-#if 0
-#ifdef MOTD_SUPPORTED
- else if (!strcasecmp(arglist[0].data, KRB5_ADM_MOTD_CMD)) {
- /*
- * MOTD command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MOTD command\n", my_id));
- if (num_args <= 2) {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MOTD command syntax OK\n", my_id));
- printf("@@@ motd command ");
- if (num_args == 2)
- printf("context is %s", arglist[2].data);
- printf("\n");
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MOTD command syntax BAD\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
-#endif /* MOTD_SUPPORTED */
-#ifdef MIME_SUPPORTED
- else if (!strcasecmp(arglist[0].data, KRB5_ADM_MIME_CMD)) {
- /*
- * MIME command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MIME command\n", my_id));
- if (num_args == 1) {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MIME command syntax OK\n", my_id));
- mime_setting = 1;
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MIME command syntax BAD\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
-#endif /* MIME_SUPPORTED */
-#ifdef LANGUAGES_SUPPORTED
- else if (!strcasecmp(arglist[0].data, KRB5_ADM_LANGUAGE_CMD)) {
- /*
- * LANGUAGE command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:LANGUAGE command\n", my_id));
- if (num_args == 2) {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:LANGUAGE command syntax OK\n", my_id));
- if (output_lang_supported(arglist[1].data)) {
- if (curr_lang)
- free(curr_lang);
- curr_lang = (char *)
- malloc(strlen(arglist[1].data));
- if (curr_lang)
- strcpy(curr_lang, arglist[1].data);
- }
- else
- cmd_error = KRB5_ADM_LANG_NOT_SUPPORTED;
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:LANGUAGE command syntax BAD\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
-#endif /* LANGUAGES_SUPPORTED */
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_ADD_PRINC_CMD)) {
- /*
- * ADD PRINCIPAL command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:ADD PRINCIPAL command\n", my_id));
- /* At least one argument */
- if (num_args > 1) {
- cmd_error = admin_add_principal(kcontext,
- proto_debug_level,
- ticket,
- num_args-1,
- &arglist[1]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:ADD PRINCIPAL command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_DEL_PRINC_CMD)) {
- /*
- * DELETE PRINCIPAL command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:DELETE PRINCIPAL command\n", my_id));
- /* Only one argument */
- if (num_args == 2) {
- cmd_error = admin_delete_principal(kcontext,
- proto_debug_level,
- ticket,
- &arglist[1]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:DELETE PRINCIPAL command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_REN_PRINC_CMD)) {
- /*
- * RENAME PRINCIPAL command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:RENAME PRINCIPAL command\n", my_id));
- /* Two arguments */
- if (num_args == 3) {
- cmd_error = admin_rename_principal(kcontext,
- proto_debug_level,
- ticket,
- &arglist[1],
- &arglist[2]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:RENAME PRINCIPAL command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_MOD_PRINC_CMD)) {
- /*
- * MODIFY PRINCIPAL command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MODIFY PRINCIPAL command\n", my_id));
- /* At least one argument */
- if (num_args > 1) {
- cmd_error = admin_modify_principal(kcontext,
- proto_debug_level,
- ticket,
- num_args-1,
- &arglist[1]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:MODIFY PRINCIPAL command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_CHG_OPW_CMD)) {
- /*
- * CHANGE OTHER'S PASSWORD command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGE OTHER'S PASSWORD command\n", my_id));
- /* Two arguments */
- if (num_args == 3) {
- cmd_error = admin_change_opwd(kcontext,
- proto_debug_level,
- ticket,
- &arglist[1],
- &arglist[2]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGE OTHER'S PASSWORD command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_CHG_ORPW_CMD)) {
- /*
- * CHANGE OTHER'S RANDOM PASSWORD command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGE OTHER'S RANDOM PASSWORD command\n", my_id));
- /* One argument */
- if (num_args == 2) {
- cmd_error = admin_change_orandpwd(kcontext,
- proto_debug_level,
- ticket,
- &arglist[1]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:CHANGE OTHER'S RANDOM PASSWORD command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_INQ_PRINC_CMD)) {
- /*
- * INQUIRE PRINCIPAL command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:INQUIRE PRINCIPAL command\n", my_id));
- /* One argument */
- if (num_args == 2) {
- cmd_error = admin_inquire(kcontext,
- proto_debug_level,
- ticket,
- &arglist[1],
- &cmd_repl_ncomps,
- &cmd_repl_complist);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:INQUIRE PRINCIPAL command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_EXT_KEY_CMD)) {
- /*
- * EXTRACT KEY command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:EXTRACT KEY command\n", my_id));
- /* Two arguments */
- if (num_args == 3) {
- cmd_error = admin_extract_key(kcontext,
- proto_debug_level,
- ticket,
- &arglist[1],
- &arglist[2],
- &cmd_repl_ncomps,
- &cmd_repl_complist);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:EXTRACT KEY command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_ADD_KEY_CMD)) {
- /*
- * ADD KEY command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:ADD KEY command\n", my_id));
- /* Must have at least three arguments */
- if (num_args > 3) {
- cmd_error = admin_add_key(kcontext,
- proto_debug_level,
- ticket,
- num_args-1,
- &arglist[1]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:ADD KEY command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
- else if (!strcasecmp(arglist[0].data,
- KRB5_ADM_DEL_KEY_CMD)) {
- /*
- * DELETE KEY command handling here.
- */
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:DELETE KEY command\n", my_id));
- /* At least three arguments */
- if (num_args > 3) {
- cmd_error = admin_delete_key(kcontext,
- proto_debug_level,
- ticket,
- num_args-1,
- &arglist[1]);
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:DELETE KEY command syntax BAD\n",
- my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- err_aux = KADM_BAD_ARGS;
- }
- }
-#endif /* 0 */
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:UNKNOWN command %s\n", my_id,
- arglist[0].data));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- sprintf(err_str, "Command %-.900s not supported", arglist[0].data); /* XXX Knows size of err_str. */
- }
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level,
- ("> %d:NO command!\n", my_id));
- cmd_error = KRB5_ADM_CMD_UNKNOWN;
- strcpy(err_str, "No command in message.");
- }
-
- /*
- * Close the database.
- */
- if ((kret = key_close_db(kcontext))) {
- com_err(programname, kret, proto_db_close_msg, my_id);
- goto cleanup;
- }
- else
- db_opened = 0;
-
- /*
- * Now make the reply.
- */
- DPRINT(DEBUG_PROTO, proto_debug_level,
- ("= %d:sending reply(stat=%d)\n", my_id, cmd_error));
- if (cmd_error == KRB5_ADM_SUCCESS) {
- kret = krb5_send_adm_reply(kcontext,
- (krb5_pointer) &cl_sock,
- auth_context,
- cmd_error,
- cmd_repl_ncomps,
- cmd_repl_complist);
- if (kret) {
- com_err(programname, kret, proto_wr_reply_msg, my_id);
- goto cleanup;
- }
- }
- else {
- krb5_data reply_comps;
-
- reply_comps.data = err_str;
- reply_comps.length = strlen(err_str);
- kret = krb5_send_adm_reply(kcontext,
- (krb5_pointer) &cl_sock,
- auth_context,
- cmd_error,
- 1,
- &reply_comps);
- if (kret) {
- com_err(programname, kret, proto_wr_reply_msg, my_id);
- goto cleanup;
- }
- }
- if (cmd_repl_ncomps > 0)
- krb5_free_adm_data(kcontext,
- cmd_repl_ncomps,
- cmd_repl_complist);
-
- if (do_quit)
- break;
- krb5_free_adm_data(kcontext, num_args, arglist);
- }
- }
- else {
- DPRINT(DEBUG_REQUESTS, proto_debug_level, ("connection timed out"));
- }
-
-
- err_reply:
- if (kret) {
- krb5_error_code er_kret;
- krb5_error errbuf;
- char *errmsg;
- krb5_data errout;
-
- memset((char *) &errbuf, 0, sizeof(errbuf));
- krb5_us_timeofday(kcontext, &errbuf.stime, &errbuf.susec);
- errbuf.server = net_server_princ();
- errbuf.error = kret - ERROR_TABLE_BASE_krb5;
- if (errbuf.error > 127)
- errbuf.error = KRB5KRB_ERR_GENERIC;
- /* Format the error message in our language */
- errmsg = strdup(error_message(kret));
- errbuf.text.length = strlen(errmsg);
- errbuf.text.data = errmsg;
- er_kret = krb5_mk_error(kcontext, &errbuf, &errout);
- if (!er_kret)
- krb5_write_message(kcontext, (krb5_pointer) &cl_sock, &errout);
- if(errmsg) free(errmsg);
- free(errbuf.text.data);
- krb5_free_data_contents(kcontext, &errout);
- }
-
- cleanup:
- /* If the alarm was set, make sure it's cancelled */
- if (proto_proto_timeout > 0)
- alarm(0);
- if (ticket)
- krb5_free_ticket(kcontext, ticket);
- /*
- * Don't need to close the replay cache because it's attached to the
- * auth context.
- */
- if (auth_context)
- krb5_auth_con_free(kcontext, auth_context);
- if (curr_lang)
- free(curr_lang);
- if (num_args)
- krb5_free_adm_data(kcontext, num_args, arglist);
- if (in_data.data)
- krb5_free_data_contents(kcontext, &in_data);
- if (out_data.data)
- krb5_free_data_contents(kcontext, &out_data);
- if (local && local->contents)
- free(local->contents);
- if (remote && remote->contents)
- free(remote->contents);
- if (local)
- free(local);
- if (remote)
- free(remote);
- if (db_opened)
- key_close_db(kcontext);
- close(cl_sock);
-
- DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_serv() = %d\n", kret));
- return(kret);
-}
+++ /dev/null
-/*
- * kadmin/v5server/srv_net.c
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. Furthermore if you modify this software you must label
- * your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
- * M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- */
-
-/*
- * srv_net.c - handle networking functions of the administrative server.
- */
-#include <errno.h>
-#include <setjmp.h>
-#include <sys/wait.h>
-#include <signal.h>
-#ifdef USE_PTHREADS
-#include <pthread.h>
-#endif /* USE_PTHREADS */
-
-#define NEED_SOCKETS
-#include "k5-int.h"
-#include "com_err.h"
-#include "kadm5_defs.h"
-#include "adm.h"
-
-#if HAVE_SYS_SELECT_H
-#include <sys/select.h>
-#endif
-
-/* linux doesn't have SOMAXCONN */
-#ifndef SOMAXCONN
-#define SOMAXCONN 5
-#endif
-
-/*
- * This module can use the pthreads library. To do so, define USE_PTHREADS.
- * You'll need to find out what else pthreads requires (e.g. -lmach -lc_r
- * under OSF/1).
- */
-#ifdef USE_PTHREADS
-#define net_slave_type pthread_t *
-#ifndef MAX_SLAVES
-#define MAX_SLAVES 2*SOMAXCONN
-#endif /* MAX_SLAVES */
-#else /* USE_PTHREADS */
-#define net_slave_type pid_t
-#ifndef MAX_SLAVES
-#define MAX_SLAVES 2*SOMAXCONN
-#endif /* MAX_SLAVES */
-#endif /* USE_PTHREADS */
-#define NET_SLAVE_FULL_SLEEP 2 /* seconds */
-
-/*
- * Slave information storage.
- */
-typedef struct _net_slave_info {
- int sl_inuse;
- net_slave_type sl_id;
- krb5_context sl_context;
- int sl_socket;
- struct sockaddr_in sl_local_addr; /* local address */
- struct sockaddr_in sl_remote_addr; /* remote address */
-} net_slave_info;
-
-/*
- * Error messages.
- */
-#define net_waiterr_msg "\004child wait failed - cannot reap children"
-#if 0
-#define net_def_realm_fmt "%s: cannot get default realm (%s).\n"
-#endif
-#define net_no_mem_fmt "%s: cannot get memory.\n"
-#define net_parse_srv_fmt "%s: cannot parse server name %s (%s).\n"
-#define net_no_hostname_fmt "%s: cannot get our host name (%s).\n"
-#define net_no_hostent_fmt "%s: cannot get our host entry (%s).\n"
-#define net_no_servent_fmt "%s: cannot get service entry for %s (%s).\n"
-#define net_sockerr_fmt "%s: cannot open network socket (%s).\n"
-#define net_soerr_fmt "%s: cannot set socket options (%s).\n"
-#define net_binderr_fmt "%s: cannot bind to network address (%s).\n"
-
-#define net_select_fmt "\004select failed"
-#define net_cl_disp_fmt "\004client dispatch failed"
-#define net_not_ready_fmt "\004select error - no socket to read"
-#define net_dispatch_msg "network dispatch"
-
-#ifdef DEBUG
-static int net_debug_level = 0;
-#endif
-
-static char *net_service_name = (char *) NULL;
-static int net_service_princ_init = 0;
-static krb5_principal net_service_principal = (krb5_principal) NULL;
-#if 0
-static int net_server_addr_init = 0;
-#endif
-static struct sockaddr_in net_server_addr;
-static int net_listen_socket = -1;
-static int net_max_slaves = 0;
-static net_slave_info *net_slave_table = (net_slave_info *) NULL;
-
-#if POSIX_SETJMP
-static sigjmp_buf shutdown_jmp;
-#else /* POSIX_SETJMP */
-static jmp_buf shutdown_jmp;
-#endif /* POSIX_SETJMP */
-
-extern char *programname;
-\f
-/*
- * net_find_free_entry() - Find a free entry in the slave table.
- */
-static net_slave_info *
-net_find_free_entry()
-{
- int i, found;
-
- /* Find a table entry */
- while (1) {
- found = 0;
- for (i=0; i<net_max_slaves; i++) {
- if (!net_slave_table[i].sl_inuse) {
- net_slave_table[i].sl_inuse = 1;
- found = 1;
- break;
- }
- }
- if (found)
- break;
- sleep(NET_SLAVE_FULL_SLEEP);
- }
- return(&net_slave_table[i]);
-}
-\f
-/*
- * net_find_slave() - Find a slave entry by its identity.
- */
-static net_slave_info *
-net_find_slave(id)
- net_slave_type id;
-{
- int i, found = 0;
-
- for (i=0; i<net_max_slaves; i++) {
- if (net_slave_table[i].sl_inuse &&
- (net_slave_table[i].sl_id == id)) {
- found = 1;
- break;
- }
- }
- if (found)
- return(&net_slave_table[i]);
- else
- return((net_slave_info *) NULL);
-}
-
-/*
- * net_free_slave_entry() - Mark an entry as free.
- */
-static void
-net_free_slave_entry(entp)
- net_slave_info *entp;
-{
- entp->sl_inuse = 0;
-}
-\f
-/*
- * net_shutdown() - Destroy all slaves on signal reception
- */
-static krb5_sigtype
-net_shutdown(signo)
- int signo;
-{
- int i;
-
- /* Loop through all slaves */
- for (i=0; i<net_max_slaves; i++) {
- if (net_slave_table[i].sl_inuse){
-#ifdef DEBUG
- /* If not us (see net_dispatch_client) */
- if (net_slave_table[i].sl_id != (net_slave_type) getpid()) {
-#endif /* DEBUG */
-#if USE_PTHREADS
- pthread_cancel(*net_slave_table[i].sl_id);
-#else /* USE_PTHREADS */
- kill(net_slave_table[i].sl_id, SIGKILL);
-#endif /* USE_PTHREADS */
-#ifdef DEBUG
- }
-#endif /* DEBUG */
- }
- }
- sleep(5); /* to allow children to die and be reaped */
-#if POSIX_SETJMP
- siglongjmp(shutdown_jmp, 1);
-#else /* POSIX_SETJMP */
- longjmp(shutdown_jmp, 1);
-#endif /* POSIX_SETJMP */
- /* NOTREACHED */
-}
-\f
-#if !USE_PTHREADS
-/*
- * net_reaper() - Child process termination handler.
- */
-static krb5_sigtype
-net_reaper(signo)
- int signo;
-{
-#ifdef WAIT_USES_INT
- int child_exit;
-#else /* WAIT_USES_INT */
- union wait child_exit;
-#endif /* WAIT_USES_INT */
- pid_t deadmeat;
- net_slave_info *slent;
-
- /* Reap everybody we can */
- while (
- (
-#ifdef HAVE_WAITPID
- deadmeat = waitpid((pid_t) -1, &child_exit, WNOHANG)
-#else /* HAVE_WAITPID */
- deadmeat = wait3(&child_exit, WNOHANG, (struct rusage *) NULL)
-#endif /* HAVE_WAITPID */
- ) > 0) {
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| process %d finished with %d\n", deadmeat, child_exit));
- slent = net_find_slave(deadmeat);
- if (slent) {
- net_free_slave_entry(slent);
- }
- else {
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| cannot find slave entry for %d\n", deadmeat));
- }
- }
- if ((deadmeat == -1) && (errno != ECHILD))
- com_err(programname, errno, net_waiterr_msg);
-}
-#endif /* USE_PTHREADS */
-\f
-#if USE_PTHREADS
-/*
- * net_slave_proto() - pthread main routine.
- */
-static krb5_error_code
-net_slave_proto(stent)
- net_slave_info *stent;
-{
- krb5_error_code kret;
-
- DPRINT(DEBUG_CALLS, net_debug_level,
- ("* net_slave_proto()\n"));
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| thread %d starting\n", stent->sl_id));
- kret = proto_serv(stent->sl_context,
- (krb5_int32) stent->sl_id,
- stent->sl_socket,
- &stent->sl_local_addr,
- &stent->sl_remote_addr);
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| thread %d finished with %d\n", stent->sl_id, kret));
- DPRINT(DEBUG_CALLS, net_debug_level,
- ("* net_slave_proto() = %d\n", kret));
- net_free_slave_entry(stent);
- return(kret);
-}
-#endif /* USE_PTHREADS */
-\f
-/*
- * net_dispatch_client() - Handle client dispatch.
- */
-static krb5_error_code
-net_dispatch_client(kcontext, listen_sock, conn_sock, client_addr)
- krb5_context kcontext;
- int listen_sock;
- int conn_sock;
- struct sockaddr_in *client_addr;
-{
- krb5_error_code kret;
- net_slave_info *slent;
-
- DPRINT(DEBUG_CALLS, net_debug_level,
- ("* net_dispatch_client(listen=%d)\n", listen_sock));
- kret = 0;
-
- /* Find a free entry */
- slent = net_find_free_entry();
-
- /* Initialize the slave entry */
- slent->sl_context = kcontext;
- slent->sl_socket = conn_sock;
- memcpy((char *) &slent->sl_remote_addr,
- (char *) client_addr,
- sizeof(struct sockaddr_in));
- memcpy((char *) &slent->sl_local_addr,
- (char *) &net_server_addr,
- sizeof(struct sockaddr_in));
-
-#ifdef DEBUG
- if ((net_debug_level & DEBUG_NOSLAVES) == 0) {
-#endif /* DEBUG */
- /* Do a real slave creation */
-#if USE_PTHREADS
- if (!slent->sl_id)
- slent->sl_id = (pthread_t *) malloc(sizeof(pthread_t));
- if (slent->sl_id == (pthread_t *) NULL) {
- kret = ENOMEM;
- goto done;
- }
- if (kret = pthread_create(slent->sl_id,
- pthread_attr_default,
- (pthread_startroutine_t) net_slave_proto,
- (pthread_addr_t) slent)) {
- kret = errno;
- goto done;
- }
- if (pthread_detach(slent->sl_id)) {
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| (%d) child thread %d detach failed (%d)\n",
- getpid(), slent->sl_id, errno));
- }
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| (%d) created child thread %d\n",
- getpid(), slent->sl_id));
-#else /* USE_PTHREADS */
- slent->sl_id = fork();
- if (slent->sl_id < 0) {
- kret = errno;
- slent->sl_inuse = 0;
- goto done;
- }
-
- if (slent->sl_id > 0) {
- /* parent */
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| (%d) created child process %d\n",
- getpid(), slent->sl_id));
- close(conn_sock);
- kret = 0;
- goto done;
- }
- else {
-#if POSIX_SIGNALS
- struct sigaction s_action;
-#endif /* POSIX_SIGNALS */
-
- /* child */
-#if POSIX_SIGNALS
- (void) sigemptyset(&s_action.sa_mask);
- s_action.sa_flags = 0;
- /* Ignore SIGINT, SIGTERM, SIGHUP, SIGQUIT and SIGPIPE */
- s_action.sa_handler = SIG_IGN;
- (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL);
- (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
- /* Restore to default SIGCHLD */
- s_action.sa_handler = SIG_DFL;
- (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL);
-#else /* POSIX_SIGNALS */
- signal(SIGINT, SIG_IGN); /* Ignore SIGINT */
- signal(SIGTERM, SIG_IGN); /* Ignore SIGTERM */
- signal(SIGHUP, SIG_IGN); /* Ignore SIGHUP */
- signal(SIGQUIT, SIG_IGN); /* Ignore SIGQUIT */
- signal(SIGPIPE, SIG_IGN); /* Ignore SIGPIPE */
- signal(SIGCHLD, SIG_DFL); /* restore SIGCHLD handling */
-#endif /* POSIX_SIGNALS */
- close(listen_sock);
- slent->sl_id = getpid();
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| process %d starting\n", slent->sl_id));
- kret = proto_serv(slent->sl_context,
- (krb5_int32) slent->sl_id,
- slent->sl_socket,
- &slent->sl_local_addr,
- &slent->sl_remote_addr);
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| process %d exiting with %d\n", getpid(), kret));
- exit(kret);
- }
-#endif /* USE_PTHREADS */
-#ifdef DEBUG
- }
- else {
- net_slave_info *sl1;
-#if POSIX_SIGNALS
- struct sigaction s_action;
-#endif /* POSIX_SIGNALS */
-
- /*
- * Ignore SIGPIPE.
- */
-#if POSIX_SIGNALS
- (void) sigemptyset(&s_action.sa_mask);
- s_action.sa_flags = 0;
- s_action.sa_handler = SIG_IGN;
- (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL);
-#else /* POSIX_SIGNALS */
- signal(SIGPIPE, SIG_IGN); /* Ignore SIGPIPE */
-#endif /* POSIX_SIGNALS */
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| (%d) not doing child creation\n", getpid()));
- slent->sl_id = (net_slave_type) getpid();
- kret = proto_serv(slent->sl_context,
- (krb5_int32) slent->sl_id,
- slent->sl_socket,
- &slent->sl_local_addr,
- &slent->sl_remote_addr);
- sl1 = net_find_slave(slent->sl_id);
- if (sl1)
- net_free_slave_entry(sl1);
- DPRINT(DEBUG_SPROC, net_debug_level,
- ("| (%d) returned with %d\n", getpid(), kret));
- kret = 0;
- }
-#endif /* DEBUG */
- done:
- DPRINT(DEBUG_CALLS, net_debug_level,
- ("X net_dispatch_client() = %d\n", kret));
- return(kret);
-}
-\f
-/*
- * net_init() - Initialize network context.
- */
-krb5_error_code
-net_init(kcontext, realm, debug_level, port)
- krb5_context kcontext;
- char * realm;
- int debug_level;
- krb5_int32 port;
-{
- krb5_error_code kret;
- char our_host_name[MAXHOSTNAMELEN];
- struct hostent *our_hostent;
- struct servent *our_servent;
-
-#ifdef DEBUG
- net_debug_level = debug_level;
-#endif
- DPRINT(DEBUG_CALLS, net_debug_level, ("* net_init(port=%d)\n", port));
-
- /* Allocate the slave table */
- net_slave_table = (net_slave_info *)
- malloc((size_t) (MAX_SLAVES * sizeof(net_slave_info)));
- /* Make our service name */
- net_service_name = (char *) malloc(strlen(realm) +
- strlen(KRB5_ADM_SERVICE_INSTANCE) + 2);
- if ((net_service_name == (char *) NULL) ||
- (net_slave_table == (net_slave_info *) NULL)) {
- kret = ENOMEM;
- fprintf(stderr, net_no_mem_fmt, programname);
- goto done;
- }
- (void) sprintf(net_service_name, "%s%s%s",
- KRB5_ADM_SERVICE_INSTANCE, "/", realm);
- memset((char *) net_slave_table, 0,
- (size_t) (MAX_SLAVES * sizeof(net_slave_info)));
- net_max_slaves = MAX_SLAVES;
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- name of service is %s\n", net_service_name));
-
- /* Now formulate the principal name */
- kret = krb5_parse_name(kcontext, net_service_name, &net_service_principal);
- if (kret) {
- fprintf(stderr, net_parse_srv_fmt, programname, net_service_name,
- error_message(kret));
- goto done;
- }
- net_service_princ_init = 1;
-
-#ifdef HAVE_NETINET_IN_H
- /* Now get our host name/entry */
- if (gethostname(our_host_name, sizeof(our_host_name))) {
- kret = errno;
- fprintf(stderr, net_no_hostname_fmt, programname, error_message(kret));
- goto done;
- }
- if (!(our_hostent = gethostbyname(our_host_name))) {
- kret = KRB5_ERR_BAD_HOSTNAME; /* perhaps put h_errno in the msg */
- fprintf(stderr, net_no_hostent_fmt, programname, error_message(kret));
- goto done;
- }
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- name of host is %s\n", our_hostent->h_name));
-
- /* Now initialize our network address */
- net_server_addr.sin_family = AF_INET;
- memcpy((char *) &net_server_addr.sin_addr,
- (char *) our_hostent->h_addr,
- sizeof(net_server_addr.sin_addr));
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- address of host is %x\n",
- ntohl(net_server_addr.sin_addr.s_addr)));
-
- /*
- * Fill in the port address.
- * If the port is supplied by the invoker, then use that one.
- * If not, then try the profile, and if all fails, then use the service
- * entry.
- */
- if (port > 0) {
- net_server_addr.sin_port = htons(port);
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- service name (%s) is on port %d from options\n",
- KRB5_ADM_SERVICE_NAME,
- ntohs(net_server_addr.sin_port)));
- }
- else {
- char **admin_hostlist;
- const char *realm_admin_names[4]; /* XXX */
- krb5_boolean found;
-
- /*
- * Try to get the service entry out of the profile.
- */
- admin_hostlist = (char **) NULL;
- realm_admin_names[0] = "realms";
- realm_admin_names[1] = realm;
- realm_admin_names[2] = "admin_server";
- realm_admin_names[3] = (char *) NULL;
- found = 0;
-#ifndef OLD_CONFIG_FILES
- if (!(kret = profile_get_values(kcontext->profile,
- realm_admin_names,
- &admin_hostlist))) {
- int hi;
- char *cport;
- char *cp;
- krb5_int32 pport;
- int ai;
-
- cport = (char *) NULL;
- pport = KRB5_ADM_DEFAULT_PORT;
- for (hi=0; admin_hostlist[hi]; hi++) {
- /*
- * This knows a little too much about the format of profile
- * entries. Shouldn't it just be some sort of tuple?
- *
- * The form is assumed to be:
- * admin_server = <hostname>[:<portname>[<whitespace>]]
- */
- cp = strchr(admin_hostlist[hi], ' ');
- if (cp)
- *cp = '\0';
- cp = strchr(admin_hostlist[hi], '\t');
- if (cp)
- *cp = '\0';
- cport = strchr(admin_hostlist[hi], ':');
- if (cport) {
- *cport = '\0';
- cport++;
- if (sscanf(cport, "%d", &pport) != 1) {
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- profile entry for %s has bad port %s\n",
- admin_hostlist[hi],
- cport));
- pport = KRB5_ADM_DEFAULT_PORT;
- }
- }
- /*
- * We've stripped away the crud. Now check to see if the
- * profile entry matches our hostname. If so, then this
- * is the one to use. Additionally, check the host alias
- * list.
- */
- if (!strcmp(admin_hostlist[hi], our_hostent->h_name)) {
- net_server_addr.sin_port = ntohs((u_short) pport);
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- service name (%s) is on port %d from profile\n",
- KRB5_ADM_SERVICE_NAME,
- pport));
- found = 1;
- }
- else {
- for (ai=0; our_hostent->h_aliases[ai]; ai++) {
- if (!strcmp(admin_hostlist[hi],
- our_hostent->h_aliases[ai])) {
- net_server_addr.sin_port = ntohs(pport);
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- service name (%s) is on port %d from profile and alias\n",
- KRB5_ADM_SERVICE_NAME,
- pport));
- found = 1;
- break;
- }
- }
- }
- }
- krb5_xfree(admin_hostlist);
- }
-#endif /* OLD_CONFIG_FILES */
-
- /*
- * If we didn't find an entry in the profile, then as a last gasp
- * effort, attempt to find it in /etc/services.
- */
- if (!found) {
- /* Get the service entry out of /etc/services */
- if (!(our_servent = getservbyname(KRB5_ADM_SERVICE_NAME, "tcp"))) {
- kret = errno;
- fprintf(stderr, net_no_servent_fmt, programname,
- KRB5_ADM_SERVICE_NAME, error_message(kret));
- goto done;
- }
- net_server_addr.sin_port = our_servent->s_port;
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- service name (%s) is on port %d from services\n",
- our_servent->s_name,
- ntohs(our_servent->s_port)));
- }
- }
-#if 0
- net_server_addr_init = 1;
-#endif
-
- /* Now open the listen socket */
- net_listen_socket = socket(AF_INET, SOCK_STREAM, 0);
- if (net_listen_socket < 0) {
- kret = errno;
- fprintf(stderr, net_sockerr_fmt, programname, error_message(kret));
- goto done;
- }
-
- /* If we have a non-default port number, then allow reuse of address */
- if (net_server_addr.sin_port != htons(KRB5_ADM_DEFAULT_PORT)) {
- int allowed;
-
- allowed = 1;
- if (setsockopt(net_listen_socket,
- SOL_SOCKET,
- SO_REUSEADDR,
- (char *) &allowed,
- sizeof(allowed)) < 0) {
- kret = errno;
- fprintf(stderr, net_soerr_fmt, programname, error_message(kret));
- goto done;
- }
- }
-
- /* Bind socket */
- if (bind(net_listen_socket,
- (struct sockaddr *) &net_server_addr,
- sizeof(net_server_addr)) < 0) {
- kret = errno;
- fprintf(stderr, net_binderr_fmt, programname, error_message(kret));
- goto done;
- }
- else {
- DPRINT(DEBUG_HOST, net_debug_level,
- ("- bound socket %d on port\n", net_listen_socket));
- kret = 0;
- }
-#else /* HAVE_NETINET_IN_H */
- /* Don't know how to do anything else. */
- kret = ENOENT;
-#endif /* HAVE_NETINET_IN_H */
-
- done:
- DPRINT(DEBUG_CALLS, net_debug_level, ("X net_init() = %d\n", kret));
- return(kret);
-}
-\f
-/*
- * net_finish() - Finish network context.
- */
-void
-net_finish(kcontext, debug_level)
- krb5_context kcontext;
- int debug_level;
-{
- DPRINT(DEBUG_CALLS, net_debug_level, ("* net_finish()\n"));
- if (net_max_slaves) {
- net_max_slaves = 0;
- free(net_slave_table);
- }
- if (net_listen_socket >= 0)
- close(net_listen_socket);
- if (net_service_princ_init)
- krb5_free_principal(kcontext, net_service_principal);
- if (net_service_name)
- free(net_service_name);
- DPRINT(DEBUG_CALLS, net_debug_level, ("X net_finish()\n"));
-}
-\f
-/*
- * net_dispatch() - Listen and dispatch request.
- *
- * Loop forever selecting on the listen socket. When an incoming connection
- * comes in, dispatch to net_client_connect().
- */
-krb5_error_code
-net_dispatch(kcontext, detached)
- krb5_context kcontext;
- int detached;
-{
- volatile krb5_error_code kret;
- fd_set mask, readfds;
- int nready;
-#if POSIX_SIGNALS
- struct sigaction s_action;
-#endif /* POSIX_SIGNALS */
-
- DPRINT(DEBUG_CALLS, net_debug_level, ("* net_dispatch()\n"));
-
- kret = 0;
-
- /* Set up the fdset mask */
- FD_ZERO(&mask);
- FD_SET(net_listen_socket, &mask);
-
-#if POSIX_SIGNALS
- (void) sigemptyset(&s_action.sa_mask);
- s_action.sa_flags = 0;
- s_action.sa_handler = net_shutdown;
- (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL);
-#ifdef DEBUG
- (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL);
-#endif /* DEBUG */
- if (!detached)
- (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL);
-#else /* POSIX_SIGNALS */
- /*
- * SIGTERM (or SIGINT, if debug, or SIGHUP if not detached) shuts us down.
- */
- signal(SIGTERM, net_shutdown);
-#ifdef DEBUG
- signal(SIGINT, net_shutdown);
-#endif /* DEBUG */
- if (!detached)
- signal(SIGHUP, net_shutdown);
-#endif /* POSIX_SIGNALS */
-
-#if !USE_PTHREADS
-#if POSIX_SIGNALS
- s_action.sa_handler = net_reaper;
- (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL);
-#else /* POSIX_SIGNALS */
- /*
- * SIGCHILD indicates end of child process life.
- */
- signal(SIGCHLD, net_reaper);
-#endif /* POSIX_SIGNALS */
-#endif /* !USE_PTHREADS */
-
- /* Receive connections on the socket */
- DPRINT(DEBUG_OPERATION, net_debug_level, ("+ listening on socket\n"));
- if (
-#if POSIX_SETJMP
- sigsetjmp(shutdown_jmp, 1) == 0
-#else /* POSIX_SETJMP */
- setjmp(shutdown_jmp) == 0
-#endif /* POSIX_SETJMP */
- ) {
- if (listen(net_listen_socket, SOMAXCONN) < 0)
- kret = errno;
- }
- else
- kret = EINTR;
- DPRINT(DEBUG_OPERATION, net_debug_level, ("+ listen done\n"));
-
- while (kret == 0) {
- /*
- * Prepare to catch signals.
- */
- if (
-#if POSIX_SETJMP
- sigsetjmp(shutdown_jmp, 1) == 0
-#else /* POSIX_SETJMP */
- setjmp(shutdown_jmp) == 0
-#endif /* POSIX_SETJMP */
- ) {
- readfds = mask;
- DPRINT(DEBUG_OPERATION, net_debug_level, ("+ doing select\n"));
- if ((nready = select(net_listen_socket+1,
- &readfds,
- (fd_set *) NULL,
- (fd_set *) NULL,
- (struct timeval *) NULL)) == 0) {
- DPRINT(DEBUG_OPERATION, net_debug_level, ("+ nobody ready\n"));
- continue; /* Nobody ready */
- }
-
- if ((nready < 0) && (errno != EINTR)) {
- com_err(net_dispatch_msg, errno, net_select_fmt);
- continue;
- }
-
- if (FD_ISSET(net_listen_socket, &readfds)) {
- struct sockaddr_in client_addr;
- int addrlen;
- int conn_sock;
-
- addrlen = sizeof(client_addr);
- DPRINT(DEBUG_OPERATION, net_debug_level,
- ("+ accept connection\n"));
- while (((conn_sock = accept(net_listen_socket,
- (struct sockaddr *) &client_addr,
- &addrlen)) < 0) &&
- (errno == EINTR));
-
- if (conn_sock < 0) {
- kret = errno;
- break;
- }
- DPRINT(DEBUG_OPERATION, net_debug_level,
- ("+ accepted connection\n"));
- kret = net_dispatch_client(kcontext,
- net_listen_socket,
- conn_sock,
- &client_addr);
- if (kret) {
- com_err(net_dispatch_msg, kret, net_cl_disp_fmt);
- continue;
- }
- DPRINT(DEBUG_OPERATION, net_debug_level,
- ("+ dispatch done\n"));
- }
- else {
- com_err(net_dispatch_msg, 0, net_not_ready_fmt);
- kret = EIO;
- }
- }
- else {
- DPRINT(DEBUG_OPERATION, net_debug_level,
- ("+ dispatch interrupted by SIGTERM\n"));
- kret = 0;
- break;
- }
- }
-
- DPRINT(DEBUG_CALLS, net_debug_level, ("X net_dispatch() = %d\n", kret));
- return(kret);
-}
-\f
-/*
- * Return our service principal.
- */
-krb5_principal
-net_server_princ()
-{
- if (net_service_princ_init)
- return(net_service_principal);
- else
- return((krb5_principal) NULL);
-}
+++ /dev/null
-.\" kadmin/v5passwdd/v5passwd.M
-.\"
-.\" Copyright 1995 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. Furthermore if you modify this software you must label
-.\" your software as modified software and not distribute it in such a
-.\" fashion that it might be confused with the original M.I.T. software.
-.\" M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.\"
-.TH V5PASSWD 1
-.SH NAME
-v5passwd \- change a user's Kerberos password
-.SH SYNOPSIS
-.B v5passwd
-[
-.B \-u
-.IR username[/instance][@realm]
-]
-.SH DESCRIPTION
-The
-.I v5passwd
-command is used to change a Kerberos principal's password using the
-older administrative protocol.
-
-If the
-.I \-u
-option is specified, a partially or fully qualified Kerberos principal may
-be supplied. Otherwise, the principal name is derived from the identity
-of the user invoking the
-.I v5passwd
-command.
-
-.PP
-The
-.I v5passwd
-command prompts for the current Kerberos password, which is verified by the
-Kerberos server. If the old password is correct, the user is prompted twice
-for the new password. Success or failure is indicated by messages printed
-out by
-.I v5passwd.
-
-
-.SH FILES
-.TP 2i
-/tmp/tkt_kpw_[uid]
-the temporary credentials cache ([uid] is the decimal UID of the user) for
-the lifetime of the password changing operation.
-.SH SEE ALSO
-kadmin(8), kadmind(8), v5passwdd(8)
-.SH BUGS
projects / krb5.git / commitdiff