* Makefile.in:
authorTom Yu <tlyu@mit.edu>
Wed, 14 May 1997 00:24:07 +0000 (00:24 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 14 May 1997 00:24:07 +0000 (00:24 +0000)
* admin_server.c:
* kadm_server.c:
* kadm_ser_wrap.c: Convert to use new kadm5 API; this still needs
work to remove references to krb5_db and to regain full v4 kadmind
functionality (or as much as is possible).

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10086 dc483132-0cff-0310-8789-dd5450dbe970

src/kadmin/v4server/ChangeLog
src/kadmin/v4server/Makefile.in
src/kadmin/v4server/admin_server.c
src/kadmin/v4server/kadm_ser_wrap.c
src/kadmin/v4server/kadm_server.c

index bceda42aa17b34e7ab73a3cb1f95b370a6260475..36683c131fdfd4e0dc34d8188db8c48f323ef00c 100644 (file)
@@ -1,3 +1,12 @@
+Tue May 13 20:21:21 1997  Tom Yu  <tlyu@mit.edu>
+
+       * Makefile.in:
+       * admin_server.c:
+       * kadm_server.c:
+       * kadm_ser_wrap.c: Convert to use new kadm5 API; this still needs
+       work to remove references to krb5_db and to regain full v4 kadmind
+       functionality (or as much as is possible).
+
 Tue Feb 18 09:59:59 1997  Ezra Peisach  <epeisach@mit.edu>
 
        * acl_files.c: Do not declare malloc() or calloc() if stdlib.h exists.
index ae99b3573f1439e5e423272b070620f9e54b7e6c..6ebb497179a151d9875aaf1b347542a5496ba06c 100644 (file)
@@ -1,5 +1,5 @@
 CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) \
-       -DOVSEC_KADM -DUSE_KADM5_API_VERSION=1 -DNEED_SOCKETS
+       -DKADM5 -DNEED_SOCKETS
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 PROG_RPATH=$(KRB5_LIBDIR)
 
index ac4530359335623b681d1187a20c759be4f744f1..8dc97b90c6e773602c12d3fad656c1f1de1921fb 100644 (file)
 #include <sys/time.h>
 #include <syslog.h>
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
 #include <kadm5/admin.h>
-void *ovsec_handle;
-kadm5_config_params params;
+void *kadm5_handle;
+kadm5_config_params paramsin, paramsout;
 #endif
 
 #include "k5-int.h"
@@ -97,8 +97,8 @@ char *argv[];
     extern int fascist_cpw;
     krb5_error_code retval;
     
-#ifdef OVSEC_KADM
-    memset(&params, 0, sizeof(params));
+#ifdef KADM5
+    memset(&paramsin, 0, sizeof(paramsin));
 #endif
 
     retval = krb5_init_context(&kadm_context);
@@ -132,9 +132,9 @@ char *argv[];
            acldir = optarg;
            break;
        case 'd':
-#ifdef OVSEC_KADM
-           params.dbname = optarg;
-           params.mask |= KADM5_CONFIG_DBNAME;
+#ifdef KADM5
+           paramsin.dbname = optarg;
+           paramsin.mask |= KADM5_CONFIG_DBNAME;
 #else
            if (errval = krb5_db_set_name(kadm_context, optarg)) {
                com_err(argv[0], errval, "while setting dbname");
@@ -152,9 +152,9 @@ char *argv[];
            (void) strncpy(krbrlm, optarg, sizeof(krbrlm) - 1);
            break;
         case 'k':
-#ifdef OVSEC_KADM
-           params.admin_keytab = optarg;
-           params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+#ifdef KADM5
+           paramsin.admin_keytab = optarg;
+           paramsin.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
 #endif
            break;
         case 'h':                      /* get help on using admin_server */
@@ -171,27 +171,27 @@ char *argv[];
        (void) strncpy(krbrlm, lrealm, sizeof(krbrlm) - 1);
     }
 
-#ifdef OVSEC_KADM
-    params.realm = krbrlm;
-    params.mask |= KADM5_CONFIG_REALM;
+#ifdef KADM5
+    paramsin.realm = krbrlm;
+    paramsin.mask |= KADM5_CONFIG_REALM;
 
     if (errval = kadm5_get_config_params(kadm_context, NULL, NULL,
-                                        &params, &params)) {
+                                        &paramsin, &paramsout)) {
         com_err(argv[0], errval, "while retrieving kadm5 params");
         exit(1);
     }
-    if (errval = krb5_db_set_name(kadm_context, params.dbname)) {
+    if (errval = krb5_db_set_name(kadm_context, paramsout.dbname)) {
         com_err(argv[0], errval, "while setting dbname");
         exit(1);
     }
-#endif /* OVSEC_KADM */
+#endif /* KADM5 */
 
     printf("KADM Server %s initializing\n",KADM_VERSTR);
     printf("Please do not use 'kill -9' to kill this job, use a\n");
     printf("regular kill instead\n\n");
 
-#ifdef OVSEC_KADM
-    printf("KADM Server starting in the OVSEC_KADM mode (%sprocess id %d).\n",
+#ifdef KADM5
+    printf("KADM Server starting in the KADM5 mode (%sprocess id %d).\n",
           debug ? "" : "parent ", getpid());
 #else
     printf("KADM Server starting in %s mode for the purposes for password changing\n\n", fascist_cpw ? "fascist" : "NON-FASCIST");
@@ -216,8 +216,8 @@ char *argv[];
     }
     /* set up the server_parm struct */
     if ((errval = kadm_ser_init(prm.inter, krbrlm
-#ifdef OVSEC_KADM
-                               , &params
+#ifdef KADM5
+                               , &paramsout
 #endif
                                ))==KADM_SUCCESS) {
        krb5_db_fini(kadm_context);     /* Close the Kerberos database--
@@ -395,7 +395,7 @@ void process_client(fd, who)
     krb5_key_data *kdatap;
     int status;
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
     char *service_name;
 
     service_name = (char *) malloc(strlen(server_parm.sname) +
@@ -405,23 +405,22 @@ void process_client(fd, who)
         syslog(LOG_ERR, "error: out of memory allocating service name");
         cleanexit(1);
     }
-    sprintf(service_name, "%s/%s@%s", server_parm.sname,
-           server_parm.sinst, server_parm.krbrlm);
-
-    retval = ovsec_kadm_init_with_skey(service_name,
-                                      params.admin_keytab,
-                                      OVSEC_KADM_ADMIN_SERVICE, krbrlm,
-                                      OVSEC_KADM_STRUCT_VERSION,
-                                      OVSEC_KADM_API_VERSION_1,
-                                      &ovsec_handle); 
+    sprintf(service_name, "%s@%s", KADM5_ADMIN_SERVICE, paramsin.realm);
+
+    retval = kadm5_init_with_skey(service_name,
+                                 paramsout.admin_keytab,
+                                 KADM5_ADMIN_SERVICE,
+                                 &paramsin,
+                                 KADM5_STRUCT_VERSION,
+                                 KADM5_API_VERSION_2,
+                                 &kadm5_handle);
     if (retval) {
-        syslog(LOG_ERR, "error: ovsec_kadm_init failed: %s",
+        syslog(LOG_ERR, "error: kadm5_init failed: %s",
                 error_message(retval));
         cleanexit(1);
     }
     free(service_name);
-
-    if (retval = krb5_db_set_name(kadm_context, params.dbname)) {
+    if (retval = krb5_db_set_name(kadm_context, paramsout.dbname)) {
         syslog(LOG_ERR, "%s while setting dbname", error_message(retval));
         cleanexit(1);
     }
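Review bot: The `sprintf` into `service_name` now formats `KADM5_ADMIN_SERVICE` and `paramsin.realm`, but the `malloc` that sizes the buffer starts in the previous hunk and is not touched by this commit. Its one visible line still begins with `strlen(server_parm.sname)`, so the size appears to be derived from the old `%s/%s@%s` operands rather than from the strings written here. If the new string is ever longer than the old one, this unbounded `sprintf` writes past the heap buffer. The allocation should be computed from the same operands, for example `service_name = malloc(strlen(KADM5_ADMIN_SERVICE) + strlen(paramsin.realm) + 2);` (one byte for `@`, one for the terminator). The rest of the allocation expression and the start of `process_client` are outside this hunk, so confirm against the full file.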
@@ -498,8 +497,8 @@ void process_client(fd, who)
            else if (retval)
                syslog(LOG_ERR, "short dlen read: %d", retval);
            (void) close(fd);
-#ifdef OVSEC_KADM
-           (void) ovsec_kadm_destroy(ovsec_handle);
+#ifdef KADM5
+           (void) kadm5_destroy(kadm5_handle);
 #endif
            cleanexit(retval ? 3 : 0);
        }
@@ -642,8 +641,8 @@ kill_children()
     return;
 }
 
-#ifdef OVSEC_KADM
-krb5_ui_4 convert_ovsec_to_kadm(val)
+#ifdef KADM5
+krb5_ui_4 convert_kadm5_to_kadm(val)
    krb5_ui_4 val;
 {
      switch (val) {
index 7ea289f2414f66146d64d7b4641c90ac8e8d9019..b2e62dc6392ade6d3d3e893382d9f99454fc3b22 100644 (file)
@@ -28,9 +28,8 @@ unwraps wrapped packets and calls the appropriate server subroutine
 #include <krb_err.h>
 #include <syslog.h>
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
 #include <kadm5/admin.h>
-extern void *ovsec_handle;
 #endif
 
 Kadm_Server server_parm;
@@ -39,7 +38,7 @@ Kadm_Server server_parm;
 kadm_ser_init
 set up the server_parm structure
 */
-#ifdef OVSEC_KADM
+#ifdef KADM5
 kadm_ser_init(inter, realm, params)
     int inter;                 /* interactive or from file */
     char realm[];
@@ -87,7 +86,7 @@ kadm_ser_init(inter, realm)
     /* setting up the database */
     mkey_name = KRB5_KDB_M_NAME;
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
     server_parm.master_keyblock.enctype = params->enctype;
     krb5_use_enctype(kadm_context, &server_parm.master_encblock, 
                     server_parm.master_keyblock.enctype);
@@ -108,7 +107,7 @@ kadm_ser_init(inter, realm)
     krb5_db_fetch_mkey(kadm_context, server_parm.master_princ,
                       &server_parm.master_encblock,
                       (inter == 1), FALSE,
-#ifdef OVSEC_KADM
+#ifdef KADM5
                       params->stash_file,
 #else
                       (char *) NULL,
@@ -240,7 +239,7 @@ int *dat_len;
        retval = kadm_ser_cpw(msg_st.app_data+1,(int) msg_st.app_length,&ad,
                              &retdat, &retlen);
        break;
-#ifndef OVSEC_KADM
+#ifndef KADM5
     case ADD_ENT:
        retval = kadm_ser_add(msg_st.app_data+1,(int) msg_st.app_length,&ad,
                              &retdat, &retlen);
@@ -265,7 +264,7 @@ int *dat_len;
        retval = kadm_ser_stab(msg_st.app_data+1,(int) msg_st.app_length,&ad,
                               &retdat, &retlen);
        break;
-#endif /* OVSEC_KADM */
+#endif /* KADM5 */
     default:
        clr_cli_secrets();
        errpkt(dat, dat_len, KADM_NO_OPCODE);
index 81e43f128f177072b6f47ac97c52258dbc4841f4..8a11b07546891071c68f99232a9e4aad57afb5d0 100644 (file)
 #include <time.h>
 #endif
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
 #include <com_err.h>
 #include <kadm5/admin.h>
 #include <kadm5/chpass_util_strings.h>
 #include <krb5/kdb.h>
-extern void *ovsec_handle;
+extern void *kadm5_handle;
 #endif
 
 #include <kadm.h>
@@ -39,10 +39,10 @@ extern void *ovsec_handle;
 extern krb5_context kadm_context;
 int fascist_cpw = 0;           /* Be fascist about insecure passwords? */
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
 char pw_required[] = "The version of kpasswd that you are using is not compatible with the\nOpenV*Secure V4 Administration Server.  Please contact your security\nadministrator.\n\n";
 
-#else /* !OVSEC_KADM */
+#else /* !KADM5 */
  
 char bad_pw_err[] =
        "\007\007\007ERROR: Insecure password not accepted.  Please choose another.\n\n";
@@ -56,7 +56,7 @@ char check_pw_msg[] =
 char pw_blurb[] =
 "A good password is something which is easy for you to remember, but that\npeople who know you won't easily guess; so don't use your name, or your\ndog's name, or a word from the dictionary.  Passwords should be at least\n6 characters long, and may contain UPPER- and lower-case letters,\nnumbers, or punctuation.  A good password can be:\n\n   -- some initials, like \"GykoR-66\" for \"Get your kicks on Rte 66.\"\n   -- an easily pronounced nonsense word, like \"slaRooBey\" or \"krang-its\"\n   -- a mis-spelled phrase, like \"2HotPeetzas\" or \"ItzAGurl\"\n\nPlease Note: It is important that you do not tell ANYONE your password,\nincluding your friends, or even people from Athena or Information\nSystems.  Remember, *YOU* are assumed to be responsible for anything\ndone using your password.\n";
 
-#endif /* OVSEC_KADM */
+#endif /* KADM5 */
 
 /* from V4 month_sname.c --  was not part of API */
 /*
@@ -143,9 +143,9 @@ int *outlen;
     int status, stvlen = 0;
     int        retval;
     extern int kadm_approve_pw();
-#ifdef OVSEC_KADM
-    ovsec_kadm_principal_ent_t princ_ent;
-    ovsec_kadm_policy_ent_t pol_ent;
+#ifdef KADM5
+    kadm5_principal_ent_rec princ_ent;
+    kadm5_policy_ent_rec pol_ent;
     krb5_principal user_princ;
     char msg_ret[1024], *time_string, *ptr;
     const char *msg_ptr;
@@ -172,7 +172,7 @@ int *outlen;
     memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4);
     memcpy((char *)newkey, (char *)&keylow, 4);
 
-#ifdef OVSEC_KADM
+#ifdef KADM5
     /* we don't use the client-provided key itself */
     keylow = keyhigh = 0;
     memset(newkey, 0, sizeof(newkey));
@@ -204,8 +204,10 @@ int *outlen;
         goto send_response;
     }
 
-    retval = ovsec_kadm_get_principal(ovsec_handle, user_princ,
-                                     &princ_ent);
+    /* Use the default mask for now. */
+    retval = kadm5_get_principal(kadm5_handle, user_princ,
+                                &princ_ent,
+                                KADM5_PRINCIPAL_NORMAL_MASK);
     if (retval != 0) {
         msg_ptr = error_message(retval);
         goto send_response;
@@ -213,32 +215,32 @@ int *outlen;
 
     /*
      * This daemon necessarily has the modify privilege, so
-     * ovsec_kadm_chpass_principal will allow it to violate the
+     * kadm5_chpass_principal will allow it to violate the
      * policy's minimum lifetime.  Since that's A Bad Thing, we need
      * to enforce it ourselves.  Unfortunately, this means we are
      * duplicating code from both ovsec_adm_server and
-     * ovsec_kadm_chpass_util().
+     * kadm5_chpass_util().
      */
-    if (princ_ent->aux_attributes & OVSEC_KADM_POLICY) {
-        retval = ovsec_kadm_get_policy(ovsec_handle,
-                                       princ_ent->policy,
-                                       &pol_ent);
+    if (princ_ent.aux_attributes & KADM5_POLICY) {
+        retval = kadm5_get_policy(kadm5_handle,
+                                  princ_ent.policy,
+                                  &pol_ent);
         if (retval != 0) {
-             (void) ovsec_kadm_free_principal_ent(ovsec_handle, princ_ent);
+             (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent);
              msg_ptr = error_message(retval);
              goto send_response;
         }
 
         /* make "now" a boolean, true == too soon */
-        now = ((now - princ_ent->last_pwd_change) < pol_ent->pw_min_life);
+        now = ((now - princ_ent.last_pwd_change) < pol_ent.pw_min_life);
 
-        (void) ovsec_kadm_free_policy_ent(ovsec_handle, pol_ent);
+        (void) kadm5_free_policy_ent(kadm5_handle, &pol_ent);
         
-        if(now && !(princ_ent->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
-             (void) ovsec_kadm_free_principal_ent(ovsec_handle, princ_ent);
+        if(now && !(princ_ent.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
+             (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent);
              retval = CHPASS_UTIL_PASSWORD_TOO_SOON;
 
-             until = princ_ent->last_pwd_change + pol_ent->pw_min_life;
+             until = princ_ent.last_pwd_change + pol_ent.pw_min_life;
              time_string = ctime(&until);
                                  
              if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
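Review bot: In the too-soon branch, `until = princ_ent.last_pwd_change + pol_ent.pw_min_life;` reads both records after they have been passed to `kadm5_free_policy_ent` and `kadm5_free_principal_ent`. Now that the entries are stack records, this is only correct if those free routines release the contained allocations and leave the scalar fields untouched, which is not visible here. Computing the value first removes that dependency: place `until = princ_ent.last_pwd_change + pol_ent.pw_min_life;` directly after the `now = ...` line, before either free call. The block comment above still names `ovsec_adm_server`, and the mechanically renamed `kadm5_chpass_util()` should be checked against the real function name. The enclosing function begins and ends outside this hunk.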
@@ -252,16 +254,16 @@ int *outlen;
         }
     }
 
-    (void) ovsec_kadm_free_principal_ent(ovsec_handle, princ_ent);
+    (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent);
 
-    retval = ovsec_kadm_chpass_principal_util(ovsec_handle, user_princ,
-                                             pword, NULL, msg_ret);
+    retval = kadm5_chpass_principal_util(kadm5_handle, user_princ,
+                                        pword, NULL, msg_ret);
     msg_ptr = msg_ret;
     (void) krb5_free_principal(kadm_context, user_princ);
 
 send_response:
 
-    retval = convert_ovsec_to_kadm(retval);
+    retval = convert_kadm5_to_kadm(retval);
 
     if (retval) {
         /* don't send message on success because kpasswd.v4 will */
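Review bot: The call `kadm5_chpass_principal_util(kadm5_handle, user_princ, pword, NULL, msg_ret)` passes `msg_ret` with no length, and an earlier hunk of this function declares it as `char msg_ret[1024]` on the stack. The bound on what the library writes is therefore an undocumented convention of the callee. A comment at the call would record that, for example `/* msg_ret is 1024 bytes; kadm5_chpass_principal_util gets no length and must not write more */`. The declaration should also be checked against the library's own limit when either side changes. The function's start and end are outside this hunk.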
@@ -277,7 +279,7 @@ send_response:
         krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
                 ad->pname, ad->pinst, ad->prealm);
     }
-#else /* OVSEC_KADM */
+#else /* KADM5 */
     if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
                        newkey, no_pword ? 0 : pword)) {
            if (retval == KADM_PW_MISMATCH) {
@@ -323,12 +325,12 @@ send_response:
     retval = kadm_change(ad->pname, ad->pinst, ad->prealm, newkey);
     keylow = keyhigh = 0;
     memset(newkey, 0, sizeof(newkey));
-#endif /* OVSEC_KADM */
+#endif /* KADM5 */
     
     return retval;
 }
 
-#ifndef OVSEC_KADM
+#ifndef KADM5
 /*
 kadm_ser_add - the server side of the add_entry routine
   recieves    : KTEXT, {values}
@@ -568,4 +570,4 @@ int *outlen;
       return status;
   }
 }
-#endif /* !OVSEC_KADM */
+#endif /* !KADM5 */