From b28b4d09b660a1b00367ad10a8057878208e2f06 Mon Sep 17 00:00:00 2001
From: Ezra Peisach
Date: Sat, 20 May 1995 17:59:18 +0000
Subject: [PATCH] kprop.M and kpropd.M: Document -P (port) option kprop.h: Change path to kdb5_edit to reflect current reality. (should be determined by configure....) kpropd.c: use krb5_int32 for over-the-wire length of database Make -s (srvtab) option work. kprop.c: Add support for keytab and port specification Add call to krb5_auth_setaddrs Use krb5_int32 for OTW db length git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5827 dc483132-0cff-0310-8789-dd5450dbe970
---
src/slave/ChangeLog | 19 +++++++++++++++
src/slave/kprop.M | 14 +++++++++++
src/slave/kprop.c | 59 ++++++++++++++++++++++++++++++++++++---------
src/slave/kprop.h | 2 +-
src/slave/kpropd.M | 12 ++++++++-
src/slave/kpropd.c | 39 ++++++++++++++++++++++++------
6 files changed, 124 insertions(+), 21 deletions(-)
diff --git a/src/slave/ChangeLog b/src/slave/ChangeLog
index 9151a4013..d8650f598 100644
--- a/src/slave/ChangeLog
+++ b/src/slave/ChangeLog
@@ -1,3 +1,22 @@ +Sat May 20 13:46:36 1995 Ezra Peisach + + * kprop.M: Document -P (port) option. + + * kpropd.M: Document -P (port) option. + + * kprop.h: KPROPD_DEFAULT_KDB5_EDIT was pointing to wrong place. + +Mon May 15 13:11:15 1995 Ezra Peisach + + * kpropd.c (recv_database): Use krb5_int32 for over the wire + database length. + (kerberos_authenticate): Make keytab support work + + * kprop.c (PRS): Add support for keytab and port specification. + (xmit_database): Use krb5_int32 for length of database to go over + the wire. + (kerberos_authenticate): Add krb5_auth_setaddrs call + Wed May 03 03:30:51 1995 Chris Provenzano (proven@mit.edu) * kpropd.c: (krb5_recvauth()): No longer needs the rc_type arg.
diff --git a/src/slave/kprop.M b/src/slave/kprop.M
index 23170b8d9..292cc4036 100644
--- a/src/slave/kprop.M
+++ b/src/slave/kprop.M
@@ -33,6 +33,13 @@ kprop \- propagate a Kerberos V5 principal database to a slave server .I file ] [ .B \-d +] [ .B \-P .I port ] [ +] [ .B \-s .I srvtab ] .I slave_host .br
@@ -63,5 +70,12 @@ The option the filename where the dumped principal database file is to be found; by default the dumped database file is KPROP_DEFAULT_FILE (normally /krb5/slave_datatrans). +.PP +The +.B \-P +.I port +option allows one to override the default port to contact the +.I kpropd +server on the remote host. .SH SEE ALSO kpropd(8), kdb5_edit(8), krb5kdc(8)
diff --git a/src/slave/kprop.c b/src/slave/kprop.c
index 880fea6e6..922b19e1f 100644
--- a/src/slave/kprop.c
+++ b/src/slave/kprop.c
@@ -51,9 +51,11 @@ static char *kprop_version = KPROP_PROT_VERSION; char *progname = 0; int debug = 0; +char *srvtab = 0; char *slave_host; char *realm = 0; char *file = KPROP_DEFAULT_FILE; +short port = 0; krb5_principal my_principal; /* The Kerberos principal we'll be */ /* running under, initialized in */
@@ -89,7 +91,7 @@ void update_last_prop_file static void usage() { - fprintf(stderr, "\nUsage: %s [-r realm] [-f file] [-d] slave_host\n\n", + fprintf(stderr, "\nUsage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n\n", progname); exit(1); }
@@ -167,6 +169,24 @@ void PRS(context, argv) case 'd': debug++; break; + case 'P': + if (*word) + port = htons(atoi(word)); + else + port = htons(atoi(*argv++)); + if (!port) + usage(); + word = 0; + break; + case 's': + if (*word) + srvtab = word; + else + srvtab = *argv++; + if (!srvtab) + usage(); + word = 0; + break; default: usage(); }
@@ -192,6 +212,7 @@ void get_tickets(context) struct hostent *hp; krb5_error_code retval; static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; /* * Figure out what tickets we'll be using to send stuff
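Review bot: In the kprop.c globals hunk (@@ -51,9 +51,11), `short port = 0;` is a signed type for a value that PRS stores already converted with htons() and that open_connection later copies into `sin.sin_port`, an unsigned 16-bit field. Any port whose network-order representation has the high bit set is negative in a `short`; the bits survive the copy into `sin_port`, so nothing breaks today, but a comparison or a `%d` print of it will mislead. Declare it `unsigned short port = 0;` so the type matches what it feeds, and give it a one-line comment: `/* -P override, kept in network byte order (htons applied in PRS); 0 = use the krb5_prop service entry */`.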
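Review bot: In the kprop.c PRS hunk (@@ -167,6 +169,24), the new `case 'P'` dereferences a missing argument: when `-P` is the last word on the command line, `*argv++` is NULL and `atoi(NULL)` is reached before the `if (!port) usage();` check runs, whereas the `case 's'` right below tests the pointer before using it. Fetch the value the same way and validate it before converting: `if (!*word && !(word = *argv++))` / `usage();` / `port = htons(atoi(word));`. atoi() also accepts non-numeric and out-of-range input silently — `-P 70000` is truncated by htons() to an unrelated port — so parsing with strtol(), checking the end pointer, and requiring 1..65535 before calling usage() would reject that too. PRS begins and ends outside this hunk.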
@@ -270,8 +291,15 @@ void get_tickets(context) com_err(progname, retval, "While copying client principal"); exit(1); } + if (srvtab) { + if (retval = krb5_kt_resolve(context, srvtab, &keytab)) { + com_err(progname, retval, "while resolving keytab"); + exit(1); + } + } + retval = krb5_get_in_tkt_with_keytab(context, 0, 0, NULL, - NULL, NULL, ccache, &creds, 0); + NULL, keytab, ccache, &creds, 0); if (retval) { com_err(progname, retval, "while getting initial ticket\n"); exit(1);
@@ -306,16 +334,19 @@ open_connection(host, fd, Errmsg) *fd = -1; return(0); } - sp = getservbyname(KPROP_SERVICE, "tcp"); - if (sp == 0) { - (void) strcpy(Errmsg, KPROP_SERVICE); - (void) strcat(Errmsg, "/tcp: unknown service"); - *fd = -1; - return(0); - } sin.sin_family = hp->h_addrtype; memcpy((char *)&sin.sin_addr, hp->h_addr, hp->h_length); - sin.sin_port = sp->s_port; + if(!port) { + sp = getservbyname(KPROP_SERVICE, "tcp"); + if (sp == 0) { + (void) strcpy(Errmsg, KPROP_SERVICE); + (void) strcat(Errmsg, "/tcp: unknown service"); + *fd = -1; + return(0); + } + sin.sin_port = sp->s_port; + } else + sin.sin_port = port; s = socket(AF_INET, SOCK_STREAM, 0); if (s < 0) {
@@ -373,6 +404,12 @@ void kerberos_authenticate(context, auth_context, fd, me, new_creds) krb5_auth_con_setflags(context, *auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); + if (retval = krb5_auth_con_setaddrs(context, *auth_context, &sender_addr, + &receiver_addr)) { + com_err(progname, retval, "in krb5_auth_con_setaddrs"); + exit(1); + } + if (retval = krb5_sendauth(context, auth_context, (void *)&fd, kprop_version, me, creds.server, AP_OPTS_MUTUAL_REQUIRED, NULL, &creds, NULL,
@@ -507,7 +544,7 @@ xmit_database(context, auth_context, my_creds, fd, database_fd, database_size) int database_fd; int database_size; { - int send_size, sent_size, n; + krb5_int32 send_size, sent_size, n; krb5_data inbuf, outbuf; char buf[KPROP_BUFSIZ]; krb5_error_code retval;
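Review bot: In the get_tickets hunk (@@ -270,8 +291,15), the keytab handle returned by `krb5_kt_resolve` is passed to `krb5_get_in_tkt_with_keytab` and then dropped; nothing visible calls `krb5_kt_close`, so the handle and whatever descriptor it holds leak for the rest of the run. After the `if (retval)` block add `if (keytab) krb5_kt_close(context, keytab);`. The leak is bounded because kprop is a one-shot program, but releasing it is cheap and keeps the helper reusable. get_tickets continues outside the hunk, so the close may already exist further down — worth confirming.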
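Review bot: In the open_connection hunk (@@ -306,16 +334,19), `sin.sin_port = port;` is only correct because PRS applied htons() when it parsed -P; nothing at this site says so, and a reader comparing it with the `sp->s_port` branch (also network order) cannot tell whether a conversion is missing. Add `/* port is already in network byte order: PRS applies htons() when parsing -P */` above the assignment. The `strcpy`/`strcat` into `Errmsg` in the re-added `sp == 0` branch are unbounded; both operands are compile-time constants so the write is fixed-size, but `Errmsg`'s size is declared outside the hunk, and a bounded copy would make the limit explicit. The function body runs past the hunk.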
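Review bot: In the kprop.c kerberos_authenticate hunk (@@ -373,6 +404,12), the new `krb5_auth_con_setaddrs` call passes the globals `sender_addr` and `receiver_addr`, but nothing in the hunk shows where they are filled in; if they are still zero when this runs, the addresses carried in the authenticator will not describe the socket and the peer's address check may fail. A comment at the call site would save the next reader the search: `/* sender_addr/receiver_addr must already describe this connection's local and remote ends (set from the connected socket before this is called) */`. The function begins and ends outside the hunk, so the population presumably happens above — worth confirming it runs before this point on every path.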
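Review bot: In the xmit_database hunk (@@ -507,7 +544,7), the locals become `krb5_int32` while the `database_size` parameter two lines above stays `int`, so the on-the-wire length is now a different type from the value it is initialised from; on a platform where int is wider than 32 bits a database larger than 2 GiB would be silently truncated. A guard at the top of the body, `if (database_size < 0 || database_size > 0x7fffffff)` with an error return, plus a comment `/* send_size is the on-the-wire length: krb5_int32, converted with htonl before sending */`, would pin the contract. The send loop that uses send_size is outside the hunk, so I cannot see whether the value is byte-swapped — confirm it is.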
diff --git a/src/slave/kprop.h b/src/slave/kprop.h
index a9f574025..f91fcc1e8 100644
--- a/src/slave/kprop.h
+++ b/src/slave/kprop.h
@@ -30,7 +30,7 @@ #define KPROP_DEFAULT_FILE "/krb5/slave_datatrans" #define KPROPD_DEFAULT_FILE "/krb5/from_master" #define KPROP_CKSUMTYPE CKSUMTYPE_RSA_MD4_DES -#define KPROPD_DEFAULT_KDB5_EDIT "/krb5/bin/kdb5_edit" +#define KPROPD_DEFAULT_KDB5_EDIT "/krb5/admin/kdb5_edit" #define KPROPD_DEFAULT_KRB_DB "/krb5/principal" #define KPROPD_ACL_FILE "/krb5/kpropd.acl"
diff --git a/src/slave/kpropd.M b/src/slave/kpropd.M
index 3f2a8a947..15ff7f91a 100644
--- a/src/slave/kpropd.M
+++ b/src/slave/kpropd.M
@@ -41,7 +41,10 @@ kpropd \- Kerberos V5 slave KDC update server .B \-d ] [ .B \-S -] +] [ +.B \-P +.I port +] .br .SH DESCRIPTION .I kpropd
@@ -115,6 +118,13 @@ option is selected, will not detach itself from the current job and run in the background. Instead, it will run in the foreground and print out debugging messages during the database propagation. +.PP +The +.B \-P +option allows for an alternate port number for +.I kpropd +to listen on. This is only useful if the program is run in standalone +mode. .SH SEE ALSO kprop(8), kdb5_edit(8), krb5kdc(8), inetd(8)
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
index ccd4aff75..6005742f3 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -63,7 +63,7 @@ static char *kprop_version = KPROP_PROT_VERSION; char *progname; int debug = 0; char *srvtab = 0; -int standalone; +int standalone = 0; krb5_principal server; /* This is our server principal name */ krb5_principal client; /* This is who we're talking to */
@@ -78,6 +78,7 @@ char *kerb_database = KPROPD_DEFAULT_KRB_DB; int database_fd; krb5_address sender_addr; krb5_address receiver_addr; +short port = 0; void PRS PROTOTYPE((char**));
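Review bot: In the kpropd.c globals hunk (@@ -78,6 +78,7), `short port = 0;` has the same shape as the kprop.c global: PRS stores an htons()-converted value in it and do_standalone copies it into `sin.sin_port`, an unsigned field, so it should be `unsigned short port = 0;` — any port whose network-order representation has the high bit set is otherwise negative here, harmless for the copy but wrong for comparisons or printing. A comment would also help: `/* -P override in network byte order; 0 means look up the krb5_prop service */`.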
@@ -116,6 +117,7 @@ static void usage() "\nUsage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n", progname); fprintf(stderr, "\t[-F kerberos_db_file ] [-p kdb5_edit_pathname]\n"); + fprintf(stderr, "\t[-P port]\n"); exit(1); }
@@ -145,14 +147,18 @@ void do_standalone() com_err(progname, errno, "while obtaining socket"); exit(1); } - sp = getservbyname(KPROP_SERVICE, "tcp"); - if (sp == NULL) { - com_err(progname, 0, "%s/tcp: unknown service", KPROP_SERVICE); - exit(1); - } memset((char *) &sin,0, sizeof(sin)); + if(!port) { + sp = getservbyname(KPROP_SERVICE, "tcp"); + if (sp == NULL) { + com_err(progname, 0, "%s/tcp: unknown service", KPROP_SERVICE); + exit(1); + } + sin.sin_port = sp->s_port; + } else { + sin.sin_port = port; + } sin.sin_family = AF_INET; - sin.sin_port = sp->s_port; if ((ret = bind(finet, (struct sockaddr *) &sin, sizeof(sin))) < 0) { if (debug) { int on = 1;
@@ -373,6 +379,15 @@ void PRS(argv) usage(); word = 0; break; + case 'P': + if (*word) + port = htons(atoi(word)); + else + port = htons(atoi(*argv++)); + if (!port) + usage(); + word = 0; + break; case 'r': if (*word) realm = word;
@@ -464,6 +479,7 @@ kerberos_authenticate(context, fd, clientp, sin) krb5_ticket * ticket; struct sockaddr_in r_sin; int sin_length; + krb5_keytab keytab = NULL; /* * Set recv_addr and send_addr
@@ -515,8 +531,15 @@ kerberos_authenticate(context, fd, clientp, sin) exit(1); } + if (srvtab) { + if (retval = krb5_kt_resolve(context, srvtab, &keytab)) { + syslog(LOG_ERR, "Error in krb5_kt_resolve: %s", error_message(retval)); + exit(1); + } + } + if (retval = krb5_recvauth(context, &auth_context, (void *) &fd, - kprop_version, server, 0, NULL, &ticket)){ + kprop_version, server, 0, keytab, &ticket)){ syslog(LOG_ERR, "Error in krb5_recvauth: %s", error_message(retval)); exit(1); }
-- 2.26.2
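Review bot: In the do_standalone hunk (@@ -145,14 +147,18), the listening address is never set: `memset` zeroes `sin` and only `sin_port` and `sin_family` are assigned, so the socket binds to INADDR_ANY and kpropd accepts connections on every interface. That is presumably intended, but it should be stated rather than left to the zeroing: `sin.sin_addr.s_addr = INADDR_ANY; /* listen on all interfaces */` after the family assignment. As in kprop.c, `sin.sin_port = port;` relies on PRS having applied htons(), which deserves a one-line comment at the assignment. The bind and its error handling continue outside the hunk.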
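Review bot: In the kpropd.c PRS hunk (@@ -373,6 +379,15), `case 'P'` feeds `*argv++` to `atoi()` without checking for NULL, so `kpropd -P` with no value dereferences the terminating NULL of argv before the `if (!port)` test runs. Replace the four-line if/else with `if (!*word && !(word = *argv++))` / `usage();` / `port = htons(atoi(word));` so the pointer is tested before it is converted. Since kpropd may run as root in standalone mode, also reject out-of-range values instead of letting htons() truncate them: parse with strtol(), check the end pointer, and require 1..65535. PRS begins and ends outside the hunk.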
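Review bot: In the kpropd.c kerberos_authenticate hunk (@@ -515,8 +531,15), the keytab resolved from `srvtab` is handed to `krb5_recvauth` and never released; `krb5_kt_close` is not called on the success path, so the handle and its open descriptor leak for as long as this process lives, bounded only because the hunk's error paths `exit(1)`. Add `if (keytab) krb5_kt_close(context, keytab);` right after the recvauth error check. Passing NULL when `-s` is absent keeps the previous behaviour, which presumably selects the default keytab; a comment saying so would help: `/* keytab == NULL: let krb5_recvauth use the default keytab (no -s given) */`. The function continues outside the hunk.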