From b2b4e89cd2d41731ac62df6551b50f935d11d9fb Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Thu, 11 Dec 2003 23:14:06 +0000 Subject: [PATCH] Remove kadmind4 and v5passwdd Per email to kerberos-announce remove kadmind4 and v5passwdd from the distribution. Ticket: new Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15880 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/ChangeLog | 4 + src/kadmin/Makefile.in | 2 +- src/kadmin/configure.in | 10 +- src/kadmin/v4server/ChangeLog | 597 ---------- src/kadmin/v4server/Makefile.in | 33 - src/kadmin/v4server/acl_files.c | 593 ---------- src/kadmin/v4server/acl_files.doc | 107 -- src/kadmin/v4server/admin_server.c | 713 ------------ src/kadmin/v4server/build_pwfile.c | 119 -- src/kadmin/v4server/kadm_funcs.c | 1003 ----------------- src/kadmin/v4server/kadm_ser_wrap.c | 301 ----- src/kadmin/v4server/kadm_server.c | 604 ---------- src/kadmin/v4server/kadm_server.h | 110 -- src/kadmin/v4server/kadm_supp.c | 120 -- src/kadmin/v4server/unit-test/ChangeLog | 97 -- src/kadmin/v4server/unit-test/Makefile.in | 32 - .../v4server/unit-test/config/ChangeLog | 16 - src/kadmin/v4server/unit-test/config/unix.exp | 42 - src/kadmin/v4server/unit-test/getpid.sh | 5 - src/kadmin/v4server/unit-test/lib/helpers.exp | 238 ---- .../unit-test/remove_changepw_perms.sh | 9 - .../unit-test/v4server.0/setup-srvtab.exp | 18 - .../v4server/unit-test/v4server.1/access.exp | 90 -- .../unit-test/v4server.1/change-password.exp | 60 - .../v4server/unit-test/v4server.1/usage.exp | 26 - src/kadmin/v5passwdd/ChangeLog | 193 ---- src/kadmin/v5passwdd/Makefile.in | 93 -- src/kadmin/v5passwdd/adm_conn.c | 768 ------------- src/kadmin/v5passwdd/adm_rw.c | 543 --------- src/kadmin/v5passwdd/kadm5_defs.h | 367 ------ src/kadmin/v5passwdd/kpasswd.c | 599 ---------- src/kadmin/v5passwdd/main.c | 324 ------ src/kadmin/v5passwdd/proto_serv.c | 864 -------------- src/kadmin/v5passwdd/srv_net.c | 867 -------------- src/kadmin/v5passwdd/v5passwd.M | 65 -- 35 files changed, 6 insertions(+), 9626 deletions(-) delete mode 100644 src/kadmin/v4server/ChangeLog delete mode 100644 src/kadmin/v4server/Makefile.in delete mode 100644 src/kadmin/v4server/acl_files.c delete mode 100644 src/kadmin/v4server/acl_files.doc delete mode 100644 src/kadmin/v4server/admin_server.c delete mode 100644 src/kadmin/v4server/build_pwfile.c delete mode 100644 src/kadmin/v4server/kadm_funcs.c delete mode 100644 src/kadmin/v4server/kadm_ser_wrap.c delete mode 100644 src/kadmin/v4server/kadm_server.c delete mode 100644 src/kadmin/v4server/kadm_server.h delete mode 100644 src/kadmin/v4server/kadm_supp.c delete mode 100644 src/kadmin/v4server/unit-test/ChangeLog delete mode 100644 src/kadmin/v4server/unit-test/Makefile.in delete mode 100644 src/kadmin/v4server/unit-test/config/ChangeLog delete mode 100644 src/kadmin/v4server/unit-test/config/unix.exp delete mode 100644 src/kadmin/v4server/unit-test/getpid.sh delete mode 100644 src/kadmin/v4server/unit-test/lib/helpers.exp delete mode 100644 src/kadmin/v4server/unit-test/remove_changepw_perms.sh delete mode 100644 src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp delete mode 100644 src/kadmin/v4server/unit-test/v4server.1/access.exp delete mode 100644 src/kadmin/v4server/unit-test/v4server.1/change-password.exp delete mode 100644 src/kadmin/v4server/unit-test/v4server.1/usage.exp delete mode 100644 src/kadmin/v5passwdd/ChangeLog delete mode 100644 src/kadmin/v5passwdd/Makefile.in delete mode 100644 src/kadmin/v5passwdd/adm_conn.c delete mode 100644 src/kadmin/v5passwdd/adm_rw.c delete mode 100644 src/kadmin/v5passwdd/kadm5_defs.h delete mode 100644 src/kadmin/v5passwdd/kpasswd.c delete mode 100644 src/kadmin/v5passwdd/main.c delete mode 100644 src/kadmin/v5passwdd/proto_serv.c delete mode 100644 src/kadmin/v5passwdd/srv_net.c delete mode 100644 src/kadmin/v5passwdd/v5passwd.M diff --git a/src/kadmin/ChangeLog b/src/kadmin/ChangeLog index bd82399af..fc365f64a 100644 --- a/src/kadmin/ChangeLog +++ b/src/kadmin/ChangeLog @@ -1,3 +1,7 @@ +2003-12-11 Sam Hartman + + * configure.in (DO_ALL): Don't build v4server on v5passwdd + 2003-08-29 Ken Raeburn * configure.in: Call KRB5_AC_NEED_DAEMON instead of checking diff --git a/src/kadmin/Makefile.in b/src/kadmin/Makefile.in index b16a10074..1eae3be20 100644 --- a/src/kadmin/Makefile.in +++ b/src/kadmin/Makefile.in @@ -2,7 +2,7 @@ thisconfigdir=. myfulldir=kadmin mydir=. BUILDTOP=$(REL).. -LOCAL_SUBDIRS = cli dbutil passwd ktutil server @V4SERVER@ v5passwdd testing +LOCAL_SUBDIRS = cli dbutil passwd ktutil server @ testing all:: diff --git a/src/kadmin/configure.in b/src/kadmin/configure.in index 914129182..11f4a9e70 100644 --- a/src/kadmin/configure.in +++ b/src/kadmin/configure.in @@ -59,15 +59,7 @@ if test "$TCL_LIBS" != "" ; then DO_ALL=tcl fi AC_SUBST(DO_ALL) -dnl See if we should build v4server -if test -z "$KRB4_LIB"; then -V4SERVER="" -else -V4SERVER=v4server -fi -AC_SUBST(V4SERVER) -dnl KRB5_BUILD_PROGRAM dnl K5_GEN_FILE(testing/scripts/env-setup.sh:testing/scripts/env-setup.shin) -V5_AC_OUTPUT_MAKEFILE(. cli dbutil passwd passwd/unit-test ktutil server v4server v4server/unit-test v5passwdd testing testing/scripts testing/util) +V5_AC_OUTPUT_MAKEFILE(. cli dbutil passwd passwd/unit-test ktutil server testing testing/scripts testing/util) diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog deleted file mode 100644 index ff3de2fed..000000000 --- a/src/kadmin/v4server/ChangeLog +++ /dev/null @@ -1,597 +0,0 @@ -2003-02-08 Tom Yu - - * admin_server.c (kadm_listen): Zero sa_flags to avoid wonkiness. - -2003-01-09 Ken Raeburn - - * admin_server.c (kadm_listen): Use socklen_t when passing address - to socket functions. - -2003-01-07 Ken Raeburn - - * Makefile.ov: Deleted. - -2003-01-05 Sam Hartman - - * admin_server.c (kadm_listen): Remove declaration of errno - - * acl_files.c: Remove declaration of errno - -2002-11-26 Tom Yu - - * Makefile.in (OBJS): Remove kadm_stream.o and kadm_err.o. Also, - remove references to kadm_err.et. - - * kadm_err.et: Remove. It lives in lib/krb4 now. - - * kadm_server.h: Remove some prototypes that were moved to - kadm.h. - - * kadm_stream.c: Remove. It lives in lib/krb4 now. - -2002-11-01 Tom Yu - - * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002 - buffer overflow. - -2002-08-29 Ken Raeburn - - * Makefile.in: Revert $(S)=>/ change, for Windows support. - -2002-08-23 Ken Raeburn - - * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. - -2002-08-13 Tom Yu - - * acl_files.c (canon;): Properly handle appending of the local - realm, which was botched due to a buffer-overflow patch. - -2001-11-19 Ezra Peisach - - * kadm_server.h: Update prototype for convert_kadm5_to_kadm. - - * admin_server.c (process_client): Do not assign negative value to - unsigned variable. - (convert_kadm5_to_kadm): Return krb5_int32 instead of krb5_ui_4 to - be compatible with error codes. - -2001-07-09 Ezra Peisach - - * admin_server.c: Provide prototype for do_child and declare static. - -2001-07-01 Ezra Peisach - - * kadm_server.h: Add prototypes for missing acl_ functions. - - * admin_server.c, kadm_func.c: Declare functions static that are - local to file. - - * acl_files.c: Include kadm_server.h for prototypes. Flush out - static prototype for acl_abort. - - * kadm_supp.c: Include kadm_server.h for prototypes. - -2001-06-21 Ezra Peisach - - * kadm_supp.c (prin_vals): Pass time_t * to localtime instead of - long *. - -2001-06-18 Ezra Peisach - - * kadm_funcs.c: Cast argument to isalnum()/isdigit() to int. - - * acl_files.c (nuke_whitespace): Cast argument to isspace() to int. - -2001-06-11 Ezra Peisach - - * kadm_supp.c: Include string.h for strncpy() prototype. - -2001-06-08 Ezra Peisach - - * kadm_ser_wrap.c: Argument to quad_cksum is C_Block * - not C_Block. - (kadm_ser_init): Declare as returning int. - -2001-06-07 Ezra Peisach - - * acl_files.c, admin_server.c, kadm_funcs.c, kadm_ser_wrap.c: - Explicitly declare function return types and cleanup assignments - in conditionals. - - * kadm_server.c: Include kadm_server.h and cleanup assignments in - conditionals. - - * kadm_server.h: Include kadm5/admin.h, kadm.h, krb_db.h for - structure defintions so that many prototypes may be added to this - file. - - * kadm_stream.c: Include kadm_server.h for prototypes. Explicitly - declare functions as ints. - (stream_to_vals) Assumption made that pointer to long the same - size as krb5_ui_4 fixed. - - * kadm_supp.c: Include sys/param.h early so that MAXHOSTNAMELEN is - not defined by kadm.h and later redefined. In prin_vals(), - key_high and key_low elements of the Kadm_vals structure are longs - - use an appropriate format to printf. - -2001-06-04 Ezra Peisach - - * kadm_ser_wrap.c, kadm_server.c: Cleanup assignments in conditionals. - -2000-10-23 Tom Yu - - * kadm_ser_wrap.c (kadm_ser_in): Update call to mk_priv(). - -2000-10-10 Tom Yu - - * kadm_funcs.c: Call life_to_time() and time_to_life() as - appropriate. - -2000-07-03 Ezra Peisach - - * Makefile.in: kadmin4d depends on the kdb5 lib. - -2000-05-23 Ken Raeburn - - * admin_server.c (main, case 'r'): Reject realm name that's too - long. - - * acl_files.c (acl_load): Return error if name too long. - - * kadm_err.et (KADM_REALM_TOO_LONG): New error code. - * kadm_ser_wrap.c (kadm_ser_init): Return it instead of truncating - a too-long realm name. - -2000-05-23 Nalin Dahyabhai - - * acl_files.c (acl_canonicalize_principal): If the principal name - would be too long, return a zero-length string to mark it as invalid. - (acl_load): Don't add the principal to the hash if it's invalid. - (acl_add): Don't check the principal if it's invalid. - (acl_delete): Don't try to delete the principal if it's invalid. - - * kadm_ser_wrap.c (kadm_ser_init): Truncate "server_parm.krbrlm" - if "realm" is too long. - -2000-05-23 Tom Yu - - * kadm_server.c (kadm_ser_cpw): Add new arg to call to - chpass_principal_util(). - -1999-10-26 Wilfredo Sanchez - - * Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES, - LOCAL_INCLUDES such that one can override CFLAGS from the command - line without losing CPP search patchs and defines. Some associated - Makefile cleanup. - -Tue Jan 12 18:26:48 1999 Tom Yu - - * Makefile.in (CFLAGS): PW_CHECK functionality now in DEFS. - -1998-11-13 Theodore Ts'o - - * Makefile.in: Set the myfulldir and mydir variables (which are - relative to buildtop and thisconfigdir, respectively.) - -1998-10-27 Marc Horowitz - - * admin_server.c, kadm_funcs.c, kadm_ser_wrap.c, kadm_server.h: - convert to new crypto api - -Fri Jul 31 18:17:16 1998 Tom Yu - - * kadm_ser_wrap.c (kadm_ser_init): Remove references to - master_encblock, as it's no longer needed in the new crypto API, - adjusting kdb calls accordingly. Also punt calls to use_enctype, - process_key, etc. - - * admin_server.c (clear_secrets): Remove references to - master_encblock, due to new crypto API. - -Mon Jul 20 11:20:32 1998 Ezra Peisach - - * acl_files.c: Include stdlib.h if present. - -Thu Jul 9 21:52:41 1998 Tom Yu - - * kadm_server.c (kadm_ser_cpw): Re-enable "old-style" password - changing. Yes, it's potentially a problem due to lack of quality - checking, but we'll live with that because we can use - key-hash-based checks too. - -Wed Jul 8 01:32:52 1998 Theodore Y. Ts'o - - * kadm_ser_wrap.c (kadm_ser_init): Use krb5_425_conv_principal - instead of krb5_build_principal to create the changepw - sprinc principal. - -Fri Jul 3 18:17:48 1998 Theodore Y. Ts'o - - * Makefile.in (build_pwfile): Add rule to build the build_pwfile - program. - - * kadm_server.c (kadm_ser_cpw): Put the call to the - kadm_approve_pw in the common code, so it's executed even - if KADM5 is defined. Add appropriate syslogs to the - change password processing. - - * kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do - the NDBM-based dictionary check. Build kadmind4 using - the make option PW_CHECK=-DNDBM_PW_CHECK if this feature - is desired. - -1998-05-08 Theodore Ts'o - - * kadm_server.c (krb_log): Print the year using 4 digit to avoid - Y2K issues. - -1998-05-06 Theodore Ts'o - - * admin_server.c (argv): POSIX states that getopt returns -1 - when it is done parsing options, not EOF. - -Fri Feb 27 23:32:38 1998 Theodore Ts'o - - * Makefile.in: Changed thisconfigdir to point at the kadmin - directory, since we've moved all of the configure.in - tests to the toplevel kadmin configure.in - -Wed Feb 18 16:00:59 1998 Tom Yu - - * Makefile.in: Remove trailing slash from thisconfigdir. Fix up - BUILDTOP for new conventions. - -Mon Feb 2 17:02:29 1998 Theodore Ts'o - - * Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile - -Thu Oct 23 13:07:01 1997 Ezra Peisach - - * kadm_server.h: Declare kadm_context as extern so it will not be - multiply defined in all source files. - -Wed Aug 6 20:27:27 1997 Tom Yu - - * Makefile.in: Add support for compiling with Hesiod. - -Fri Jul 25 15:49:58 1997 Tom Yu - - * kadm_funcs.c: Remove mention of dbm for now. It should probably - be added back later to deal with dbm-hashed passwd files. - -Tue Jul 1 02:38:50 1997 Tom Yu - - * kadm_funcs.c, kadm_server.c, kadm_ser_wrap.c: Reenable mod and - check_pw. - - * kadm_funcs.c, kadm_server.c, kadm_ser_wrap.c: Reenable get and - add. - -Wed Jun 18 18:38:45 1997 Tom Yu - - * kadm_funcs.c (kadm_chg_srvtab): Remove extraneous macros that - were elaborate contortions to avoid using goto. - -Mon May 26 22:44:21 1997 Tom Yu - - * Makefile.in (OBJS): Build kadm_funcs.c again. - - * kadm_funcs.c: Re-enable kadm_chg_srvtab() and update it to use - the new kadm5 interface. - - * kadm_ser_wrap.c: Re-enable kadm_ser_stab(). - - * kadm_server.c: Re-enable kadm_ser_stab(). - -Tue May 13 20:21:21 1997 Tom Yu - - * Makefile.in: - * admin_server.c: - * kadm_server.c: - * kadm_ser_wrap.c: Convert to use new kadm5 API; this still needs - work to remove references to krb5_db and to regain full v4 kadmind - functionality (or as much as is possible). - -Tue Feb 18 09:59:59 1997 Ezra Peisach - - * acl_files.c: Do not declare malloc() or calloc() if stdlib.h exists. - -Thu Feb 6 14:49:45 1997 Tom Yu - - * Makefile.in (LOCALINCLUDE): Repair lack of -I. and -I$(srcdir) - -Tue Feb 4 21:23:16 1997 Tom Yu - - * Makefile.in: - * configure.in: Update to new program build procedure. - -Fri Nov 22 15:49:27 1996 unknown - - * kadm_ser_wrap.c (endif ): use sizeof instead of h_length to - determine number of bytes of addr to copy from DNS response - [krb5-misc/211] - -Wed Nov 13 19:24:00 1996 Tom Yu - - * Makefile.in (clean): Remove kadm_err.h and kadm_err.c. - -Fri Nov 8 17:27:20 1996 Theodore Ts'o - - * admin_server.c (argv): Check the error return from - krb5_init_context(), and print an error message if - necessary. - -Mon Oct 21 17:20:32 1996 Barry Jaspan - - * admin_server.c: use params.admin_keytab instead of a hard-coded - value [krb5-admin/30] - -Thu Sep 26 17:54:33 1996 Barry Jaspan - - * admin_server.c (process_client): allow keytab to be specified on - command line; default is still wrong - -Mon Sep 23 15:36:41 1996 Barry Jaspan - - * configure.in: add unit-test subdir - -Wed Jul 31 17:53:45 1996 Tom Yu - - * kadm_ser_wrap.c: Remove #include , - because k5-int.h already grabs it if NEED_SOCKETS is - defined. - - * admin_server.c: Remove #include because k5-int.h - already grabs it if NEED_SOCKETS is defined. - -Thu Jul 18 19:46:49 1996 Marc Horowitz - - * configure.in: removed ET_RULES, replaced with AC_PROG_AWK - -Tue Jul 9 17:18:56 1996 Marc Horowitz - - * kadm_stream.c: rename HAS_STDLIB_H to HAVE_STDLIB_H to conform - to the autoconf convention - * configure.in: the old configure.in seemed to be written for some - other directory. Now it's right. - * admin_server.c, kadm_ser_wrap.c, kadm_server.c: renamed - to - * Makefile.in: complete rewrite. - -Thu Mar 21 20:33:43 1996 Richard Basch - - * kadm_funcs.c: new principals were being created with two keys, - one of which the key_data_ver=0 and had no valid data. - -Tue Mar 19 19:42:37 1996 Richard Basch - - * kadm_funcs.c: - changed all references of des-cbc-md5 to des-cbc-crc - fixed uninitialized variable - set kvno modulo 256 in database - -Wed Feb 21 23:34:31 1996 Richard Basch - - * kadm_funcs.c: Initialize the length element of the krb5_db_entry - structure in kadm_princ2entry (add_entry was failing). - -Wed Dec 13 03:51:53 1995 Chris Provenzano (proven@mit.edu) - - * kadm_funcs.c : Remove mkvno for krb5_db_entry - -Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu) - - * admin_server.c, kadm_funcs.c kadm_ser_wrap.c : - s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g - -Tue Sep 05 22:10:34 1995 Chris Provenzano (proven@mit.edu) - - * admin_server.c, kadm_funcs.c, kadm_ser_wrap.c : Remove krb5_enctype - references, and replace with krb5_keytype where appropriate. - -Tue Aug 15 14:31:37 EDT 1995 Paul Park (pjpark@mit.edu) - * admin_server,kadm_funcs,kadm_ser_wrap.c - Replace kadm_find_keytype() - with krb5_dbe_find_keytype(). - - -Thu Aug 10 14:48:26 EDT 1995 Paul Park (pjpark@mit.edu) - * kadm_funcs.c - Add kadm_find_keytype() to find a particular key/salt - pair. Use this to find keys instead of assuming that the - right one's in the first slot. - Fix transposed arguments to strncpy(). - Handle mod_princ_data stuff. - Supply saltblock to encrypt_key_data(). - * admin_server, kadm_ser_wrap.c - Use kadm_find_keytype() to find keys. - - -Mon Aug 7 13:30:46 EDT 1995 Paul Park (pjpark@mit.edu) - * admin_server,kadm_funcs,kadm_ser_wrap.c - Brute force substitutions - to get this to compile. - - -Mon Jul 17 15:12:30 EDT 1995 Paul Park (pjpark@mit.edu) - * kadm_ser_wrap.c - Add NULL stash file argument to krb5_db_fetch_mkey. - - -Fri Jul 7 16:05:11 EDT 1995 Paul Park (pjpark@mit.edu) - * Makefile.in - Remove all explicit library handling and LDFLAGS. - * configure.in - Add USE_ and KRB5_LIBRARIES. - - -Tue Jun 27 16:05:27 EDT 1995 Paul Park (pjpark@mit.edu) - * acl_files.c - Change check for return value from fputs(3) from NULL - to EOF. That's what's returned on error. - * admin_server.c - Cast 4th argument of setsockopt(2) to be const char * - * kadm_funcs.c - Cast argument to ctime(3) - * kadm_server.c - Cast first argument to strcpy(3) and strcat(3). - -Tue Jun 20 14:44:54 1995 Tom Yu (tlyu@dragons-lair) - - * configure.in: add tests for TIME_WITH_SYS_TIME and sys/time.h - -Thu Jun 15 17:52:29 EDT 1995 Paul Park (pjpark@mit.edu) - * Makefile.in - Change explicit library names to -l form, and - change target link line to use $(LD) and associated flags. - Also, for K4, use KRB4_LIB and KRB4_CRYPTO_LIB, these were - split out. - * configure.in - Add shared library usage check. - -Fri Jun 9 19:07:25 1995 - - * configure.in: Remove standardized set of autoconf macros, which - are now handled by CONFIG_RULES. - -Fri Jun 9 06:49:36 1995 Ezra Peisach - - * kadm_stream.c (vts_long, stv_long): Change u_long to krb5_ui_4 - - * kadm_server.c (kadm_ser_ckpw): Change u_long to krb5_ui_4 - - * kadm_ser_wrap.c (errpkt, kadm_ser_in): Change u_long to krb5_ui_4 - - * kadm_funcs.c (kadm_add_entry): Change u_long to krb5_ui_4 - - * admin_server.c (process_client): Change u_long to krb5_ui_4 - -Sat May 20 22:33:58 1995 Ezra Peisach - - * kadm_stream.c: Based on presence of stdlib.h, include or declare - malloc. - - * configure.in: Check for stdlib.h - -Sun May 7 13:49:54 1995 Ezra Peisach - - * admin_server.c: Avoid warning of redeclaring POSIX_SIGNALS if - already defined. - -Sat Apr 29 00:34:01 1995 Theodore Y. Ts'o - - * admin_server.c (kadm_listen): Use Posix sigaction() instead of - signal() to set signal handlers. This allows us not to - worry about System V signal semantics. Make the code use - POSIX_SIGNALS by default. - -Fri Apr 28 18:08:05 1995 Mark Eichin - - * Makefile.in (KLIB): put KRB4_LIB inside KLIB. - -Thu Apr 27 13:53:41 1995 Mark Eichin - - * Makefile.in (v4kadmind): use KRB4_LIB directly. - -Thu Apr 20 23:21:42 1995 Theodore Y. Ts'o (tytso@dcl) - - * kadm_funcs.c: Don't #include , since that's - automatically included by k5-config.h - -Thu Apr 20 15:26:48 1995 Ezra Peisach (epeisach@kangaroo.mit.edu) - - * kadm_server.c (kadm_ser_cpw, kadm_ser_ckpw): krb_int32 should be - krb5_int32. - - * acl_files.c: Declare acl_abort as static at top of file. - -Sun Apr 16 19:10:17 1995 Mark Eichin - - * kadm_server.c (kadm_ser_cpw, kadm_ser_ckpw): use krb_int32, not - long, for network 4 byte quantities. Should get rid of the - use of memcpy at some point. - -Sat Mar 25 16:59:55 1995 Mark Eichin - - * kadm_funcs.c (kadm_entry2princ): pass kadm_context in to - krb5_524_conv_principal. - -Tue Mar 14 16:45:18 1995 - - * Makefile.in: Don't link in the V4 DES library; use the des425 - library to avoid linking the DES code in twice. - -Thu Mar 2 12:25:13 1995 Theodore Y. Ts'o - - * Makefile.in (ISODELIB): Remove reference to $(ISODELIB). - -Wed Mar 1 16:30:08 1995 Theodore Y. Ts'o - - * kadm_server.c: Remove declataions of malloc(); should be done by - header files. - - * configure.in: Remove ISODE_INCLUDE, replace check for -lsocket - and -lnsl with WITH_NETLIB check. - -Tue Feb 28 02:24:56 1995 John Gilmore (gnu at toad.com) - - * admin_server.c, kadm_server.c, kadm-server.h: Avoid - includes. - -Tue Feb 7 16:42:54 1995 Mark Eichin - - * kadm_funcs.c (kadm_del_entry): fixed call to db_delete_principal. - -Wed Jan 25 18:42:42 1995 Mark Eichin (eichin@tweedledumber.cygnus.com) - - * kadm_server.h (DEL_ACL_FILE): new define, acl file for V4 delete - function. - * kadm_server.c (kadm_ser_add): new function, wrapper for V4 delete. - * kadm_funcs.c (check_access): declare int; add DEL. - (kadm_del_entry): new function, V4 delete from CNS. - (failadd): fix spelling error in log entry. - -Mon Dec 12 13:21:48 1994 Mark Eichin (eichin@cygnus.com) - - * kadm_funcs.c (kadm_entry2princ, kadm_princ2entry, - kadm_chg_srvtab): V4 and V5 max_life are in *different units* so - use the 60*5 conversion factor. - -Fri Nov 18 15:51:11 1994 Theodore Y. Ts'o (tytso@dcl) - - * kadm_funcs.c (kadm_add_entry, kadm_mod_entry, kadm_change): Add - magic numbers of keyblock structre. - -Fri Nov 18 01:11:58 1994 Mark Eichin - - * configure.in: use CHECK_SIGNALS instead of expansion (from - epeisach). - -Wed Oct 19 18:53:45 1994 Theodore Y. Ts'o (tytso@dcl) - - * kadm_ser_wrap.c (kadm_ser_init): Use krb5_use_cstype() to - initialize the master_encblock structure. - -Thu Sep 29 22:41:20 1994 Theodore Y. Ts'o (tytso@dcl) - - * Makefile.in: relink executable if libraries change - -Thu Sep 15 10:53:37 1994 Theodore Y. Ts'o (tytso@dcl) - - * admin_server.c (close_syslog, byebye): Move these two functions - before main(), so that they get declared properly. Otherwise - suncc will refuse to compile the file. - - * kadm_funcs.c (kadm_add_entry, kadm_mod_entry, kadm_change, - kadm_chg_srvtab): use krb5_timeofday instead of time(0). - -Thu Aug 4 16:37:33 1994 Tom Yu (tlyu@dragons-lair) - - * admin_server.c: pick up (needed to get FD_SET, - etc.) - -Sat Jul 16 09:21:22 1994 Tom Yu (tlyu at dragons-lair) - - * Makefile.in: no longer trying to install v4kadmind as krb5kdc - :-) - * configure.in: another try at making dbm libs dtrt - -Wed Jun 29 00:24:28 1994 Tom Yu (tlyu at dragons-lair) - - * admin_server.c: fixed calls that should have invoked - krb5_init_ets - -Sat Jun 25 09:07:48 1994 Tom Yu (tlyu at dragons-lair) - - * kadm_ser_wrap.c: fixed lack of a terminal 0 in a call to - krb5_build_principal - diff --git a/src/kadmin/v4server/Makefile.in b/src/kadmin/v4server/Makefile.in deleted file mode 100644 index e6120d102..000000000 --- a/src/kadmin/v4server/Makefile.in +++ /dev/null @@ -1,33 +0,0 @@ -thisconfigdir=./.. -myfulldir=kadmin/v4server -mydir=v4server -BUILDTOP=$(REL)..$(S).. -DEFINES = -DKADM5 -DNEED_SOCKETS @HESIOD_DEFS@ -PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) -PROG_RPATH=$(KRB5_LIBDIR) -LOCAL_SUBDIRS = unit-test - -HESIOD_LIBS=@HESIOD_LIBS@ - -LOCALINCLUDES = $(KRB4_INCLUDES) -I. -I$(srcdir) - -PROG = kadmind4 -OBJS = kadm_server.o admin_server.o kadm_ser_wrap.o \ - kadm_funcs.o kadm_supp.o acl_files.o - -all:: $(PROG) - -$(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(KDB5_DEPLIBS) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(KDB5_LIBS) \ - $(KRB4COMPAT_LIBS) $(HESIOD_LIBS) - -build_pwfile: build_pwfile.o $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o build_pwfile build_pwfile.o $(DB_LIB) \ - $(KRB4COMPAT_LIBS) $(HESIOD_LIBS) - -install:: - $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(SERVER_BINDIR)/$(PROG) - -clean:: - $(RM) $(PROG) $(OBJS) build_pwfile build_pwfile.o - $(RM) kadm_err.h kadm_err.c diff --git a/src/kadmin/v4server/acl_files.c b/src/kadmin/v4server/acl_files.c deleted file mode 100644 index 1df4d3039..000000000 --- a/src/kadmin/v4server/acl_files.c +++ /dev/null @@ -1,593 +0,0 @@ -/* - * kadmin/v4server/acl_files.c - * - * Copyright 1987,1989 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - */ - - -/*** Routines for manipulating access control list files ***/ - -#include -#include -#ifdef HAVE_STDLIB_H -#include -#endif -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include -#include -#include -#include -#include -#include "krb.h" -#include "kadm_server.h" - -#ifndef KRB_REALM -#define KRB_REALM "ATHENA.MIT.EDU" -#endif - -/* "aname.inst@realm" */ -#define MAX_PRINCIPAL_SIZE (ANAME_SZ + INST_SZ + REALM_SZ + 3) -#define INST_SEP '.' -#define REALM_SEP '@' - -#define LINESIZE 2048 /* Maximum line length in an acl file */ - -#define NEW_FILE "%s.~NEWACL~" /* Format for name of altered acl file */ -#define WAIT_TIME 300 /* Maximum time allowed write acl file */ - -#define CACHED_ACLS 8 /* How many acls to cache */ - /* Each acl costs 1 open file descriptor */ -#define ACL_LEN 16 /* Twice a reasonable acl length */ - -#define MAX(a,b) (((a)>(b))?(a):(b)) -#define MIN(a,b) (((a)<(b))?(a):(b)) - -#define COR(a,b) ((a!=NULL)?(a):(b)) - - -#ifndef HAVE_STDLIB_H -extern char *malloc(), *calloc(); -#endif - -extern time_t time(); - -static int acl_abort(char *, FILE *); - -/* Canonicalize a principal name */ -/* If instance is missing, it becomes "" */ -/* If realm is missing, it becomes the local realm */ -/* Canonicalized form is put in canon, which must be big enough to hold - MAX_PRINCIPAL_SIZE characters */ -void acl_canonicalize_principal(principal, canon) -char *principal; -char *canon; -{ - char *dot, *atsign, *end, *canon_save = canon; - char realm[REALM_SZ]; - int len; - - dot = strchr(principal, INST_SEP); - atsign = strchr(principal, REALM_SEP); - - /* Maybe we're done already */ - if(dot != NULL && atsign != NULL) { - if(dot < atsign) { - /* It's for real */ - /* Copy into canon */ - strncpy(canon, principal, MAX_PRINCIPAL_SIZE); - canon[MAX_PRINCIPAL_SIZE-1] = '\0'; - return; - } else { - /* Nope, it's part of the realm */ - dot = NULL; - } - } - - /* No such luck */ - end = principal + strlen(principal); - - /* Get the principal name */ - len = MIN(ANAME_SZ, COR(dot, COR(atsign, end)) - principal); - if(canon + len < canon_save + MAX_PRINCIPAL_SIZE) { - strncpy(canon, principal, len); - canon += len; - } else { - strcpy(canon, ""); - return; - } - - /* Add INST_SEP */ - if(canon + 1 < canon_save + MAX_PRINCIPAL_SIZE) { - *canon++ = INST_SEP; - } else { - strcpy(canon, ""); - return; - } - - /* Get the instance, if it exists */ - if(dot != NULL) { - ++dot; - len = MIN(INST_SZ, COR(atsign, end) - dot); - if(canon + len < canon_save + MAX_PRINCIPAL_SIZE) { - strncpy(canon, dot, len); - canon += len; - } else { - strcpy(canon, ""); - return; - } - } - - /* Add REALM_SEP */ - *canon++ = REALM_SEP; - - /* Get the realm, if it exists */ - /* Otherwise, default to local realm */ - if(atsign != NULL) { - ++atsign; - len = MIN(REALM_SZ, end - atsign); - if(canon + len + 1 < canon_save + MAX_PRINCIPAL_SIZE) { - strncpy(canon, atsign, len); - canon += len; - *canon++ = '\0'; - } else { - strcpy(canon, ""); - return; - } - } else if(krb_get_lrealm(realm, 1) != KSUCCESS) { - if(canon + strlen(KRB_REALM) < canon_save + MAX_PRINCIPAL_SIZE) { - strcpy(canon, KRB_REALM); - } else { - strcpy(canon, ""); - return; - } - } else { - if (canon + strlen(realm) < canon_save + MAX_PRINCIPAL_SIZE) { - strcpy(canon, realm); - } else { - strcpy(canon, ""); - return; - } - } -} - -/* Get a lock to modify acl_file */ -/* Return new FILE pointer */ -/* or NULL if file cannot be modified */ -/* REQUIRES WRITE PERMISSION TO CONTAINING DIRECTORY */ -static FILE *acl_lock_file(acl_file) -char *acl_file; -{ - struct stat s; - char new[LINESIZE]; - int nfd; - FILE *nf; - int mode; - - if(stat(acl_file, &s) < 0) return(NULL); - mode = s.st_mode; - sprintf(new, NEW_FILE, acl_file); - for(;;) { - /* Open the new file */ - if((nfd = open(new, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0) { - if(errno == EEXIST) { - /* Maybe somebody got here already, maybe it's just old */ - if(stat(new, &s) < 0) return(NULL); - if(time(0) - s.st_ctime > WAIT_TIME) { - /* File is stale, kill it */ - unlink(new); - continue; - } else { - /* Wait and try again */ - sleep(1); - continue; - } - } else { - /* Some other error, we lose */ - return(NULL); - } - } - - /* If we got to here, the lock file is ours and ok */ - /* Reopen it under stdio */ - if((nf = fdopen(nfd, "w")) == NULL) { - /* Oops, clean up */ - unlink(new); - } - return(nf); - } -} - -/* Commit changes to acl_file written onto FILE *f */ -/* Returns zero if successful */ -/* Returns > 0 if lock was broken */ -/* Returns < 0 if some other error occurs */ -/* Closes f */ -static int acl_commit(acl_file, f) -char *acl_file; -FILE *f; -{ - char new[LINESIZE]; - int ret; - struct stat s; - - sprintf(new, NEW_FILE, acl_file); - if(fflush(f) < 0 - || fstat(fileno(f), &s) < 0 - || s.st_nlink == 0) { - acl_abort(acl_file, f); - return(-1); - } - - ret = rename(new, acl_file); - fclose(f); - return(ret); -} - -/* Abort changes to acl_file written onto FILE *f */ -/* Returns 0 if successful, < 0 otherwise */ -/* Closes f */ -static int acl_abort(acl_file, f) -char *acl_file; -FILE *f; -{ - char new[LINESIZE]; - int ret; - struct stat s; - - /* make sure we aren't nuking someone else's file */ - if(fstat(fileno(f), &s) < 0 - || s.st_nlink == 0) { - fclose(f); - return(-1); - } else { - sprintf(new, NEW_FILE, acl_file); - ret = unlink(new); - fclose(f); - return(ret); - } -} - -/* Initialize an acl_file */ -/* Creates the file with permissions perm if it does not exist */ -/* Erases it if it does */ -/* Returns return value of acl_commit */ -int acl_initialize(acl_file, perm) -char *acl_file; -int perm; -{ - FILE *new; - int fd; - - /* Check if the file exists already */ - if((new = acl_lock_file(acl_file)) != NULL) { - return(acl_commit(acl_file, new)); - } else { - /* File must be readable and writable by owner */ - if((fd = open(acl_file, O_CREAT|O_EXCL, perm|0600)) < 0) { - return(-1); - } else { - close(fd); - return(0); - } - } -} - -/* Eliminate all whitespace character in buf */ -/* Modifies its argument */ -static void nuke_whitespace(buf) -char *buf; -{ - register char *pin, *pout; - - for(pin = pout = buf; *pin != '\0'; pin++) - if(!isspace((int) *pin)) *pout++ = *pin; - *pout = '\0'; /* Terminate the string */ -} - -/* Hash table stuff */ - -struct hashtbl { - int size; /* Max number of entries */ - int entries; /* Actual number of entries */ - char **tbl; /* Pointer to start of table */ -}; - -/* Make an empty hash table of size s */ -static struct hashtbl *make_hash(size) -int size; -{ - struct hashtbl *h; - - if(size < 1) size = 1; - h = (struct hashtbl *) malloc(sizeof(struct hashtbl)); - h->size = size; - h->entries = 0; - h->tbl = (char **) calloc(size, sizeof(char *)); - return(h); -} - -/* Destroy a hash table */ -static void destroy_hash(h) -struct hashtbl *h; -{ - int i; - - for(i = 0; i < h->size; i++) { - if(h->tbl[i] != NULL) free(h->tbl[i]); - } - free(h->tbl); - free(h); -} - -/* Compute hash value for a string */ -static unsigned hashval(s) -register char *s; -{ - register unsigned hv; - - for(hv = 0; *s != '\0'; s++) { - hv ^= ((hv << 3) ^ *s); - } - return(hv); -} - -/* Add an element to a hash table */ -static void add_hash(h, el) -struct hashtbl *h; -char *el; -{ - unsigned hv; - char *s; - char **old; - int i; - - /* Make space if it isn't there already */ - if(h->entries + 1 > (h->size >> 1)) { - old = h->tbl; - h->tbl = (char **) calloc(h->size << 1, sizeof(char *)); - for(i = 0; i < h->size; i++) { - if(old[i] != NULL) { - hv = hashval(old[i]) % (h->size << 1); - while(h->tbl[hv] != NULL) hv = (hv+1) % (h->size << 1); - h->tbl[hv] = old[i]; - } - } - h->size = h->size << 1; - free(old); - } - - hv = hashval(el) % h->size; - while(h->tbl[hv] != NULL && strcmp(h->tbl[hv], el)) hv = (hv+1) % h->size; - s = (char *) malloc(strlen(el)+1); - strcpy(s, el); - h->tbl[hv] = s; - h->entries++; -} - -/* Returns nonzero if el is in h */ -static int check_hash(h, el) -struct hashtbl *h; -char *el; -{ - unsigned hv; - - for(hv = hashval(el) % h->size; - h->tbl[hv] != NULL; - hv = (hv + 1) % h->size) { - if(!strcmp(h->tbl[hv], el)) return(1); - } - return(0); -} - -struct acl { - char filename[LINESIZE]; /* Name of acl file */ - int fd; /* File descriptor for acl file */ - struct stat status; /* File status at last read */ - struct hashtbl *acl; /* Acl entries */ -}; - -static struct acl acl_cache[CACHED_ACLS]; - -static int acl_cache_count = 0; -static int acl_cache_next = 0; - -/* Returns < 0 if unsuccessful in loading acl */ -/* Returns index into acl_cache otherwise */ -/* Note that if acl is already loaded, this is just a lookup */ -static int acl_load(name) -char *name; -{ - int i; - FILE *f; - struct stat s; - char buf[MAX_PRINCIPAL_SIZE]; - char canon[MAX_PRINCIPAL_SIZE]; - - /* See if it's there already */ - for(i = 0; i < acl_cache_count; i++) { - if(!strcmp(acl_cache[i].filename, name) - && acl_cache[i].fd >= 0) goto got_it; - } - - /* It isn't, load it in */ - /* maybe there's still room */ - if(acl_cache_count < CACHED_ACLS) { - i = acl_cache_count++; - } else { - /* No room, clean one out */ - i = acl_cache_next; - acl_cache_next = (acl_cache_next + 1) % CACHED_ACLS; - close(acl_cache[i].fd); - if(acl_cache[i].acl) { - destroy_hash(acl_cache[i].acl); - acl_cache[i].acl = (struct hashtbl *) 0; - } - } - - /* Set up the acl */ - if (strlen (name) >= sizeof (acl_cache[i].filename) - 1) { - return -1; - } - strncpy(acl_cache[i].filename, name, sizeof(acl_cache[i].filename) - 1); - acl_cache[i].filename[sizeof(acl_cache[i].filename) - 1] = '\0'; - if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1); - /* Force reload */ - acl_cache[i].acl = (struct hashtbl *) 0; - - got_it: - /* - * See if the stat matches - * - * Use stat(), not fstat(), as the file may have been re-created by - * acl_add or acl_delete. If this happens, the old inode will have - * no changes in the mod-time and the following test will fail. - */ - if(stat(acl_cache[i].filename, &s) < 0) return(-1); - if(acl_cache[i].acl == (struct hashtbl *) 0 - || s.st_nlink != acl_cache[i].status.st_nlink - || s.st_mtime != acl_cache[i].status.st_mtime - || s.st_ctime != acl_cache[i].status.st_ctime) { - /* Gotta reload */ - if(acl_cache[i].fd >= 0) close(acl_cache[i].fd); - if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1); - if((f = fdopen(acl_cache[i].fd, "r")) == NULL) return(-1); - if(acl_cache[i].acl) destroy_hash(acl_cache[i].acl); - acl_cache[i].acl = make_hash(ACL_LEN); - while(fgets(buf, sizeof(buf), f) != NULL) { - nuke_whitespace(buf); - acl_canonicalize_principal(buf, canon); - if(strlen(canon) > 0) { - add_hash(acl_cache[i].acl, canon); - } - } - fclose(f); - acl_cache[i].status = s; - } - return(i); -} - -/* Returns nonzero if it can be determined that acl contains principal */ -/* Principal is not canonicalized, and no wildcarding is done */ -int -acl_exact_match(acl, principal) -char *acl; -char *principal; -{ - int idx; - - return((idx = acl_load(acl)) >= 0 - && check_hash(acl_cache[idx].acl, principal)); -} - -/* Returns nonzero if it can be determined that acl contains principal */ -/* Recognizes wildcards in acl of the form - name.*@realm, *.*@realm, and *.*@* */ -int -acl_check(acl, principal) -char *acl; -char *principal; -{ - char buf[MAX_PRINCIPAL_SIZE]; - char canon[MAX_PRINCIPAL_SIZE]; - char *realm, *tmp; - - acl_canonicalize_principal(principal, canon); - - /* Is it an invalid principal name? */ - if(strlen(canon) == 0) return(0); - - /* Is it there? */ - if(acl_exact_match(acl, canon)) return(1); - - /* Try the wildcards */ - realm = strchr(canon, REALM_SEP); - tmp = strchr(canon, INST_SEP); - *tmp = '\0'; /* Chuck the instance */ - - sprintf(buf, "%s.*%s", canon, realm); - if(acl_exact_match(acl, buf)) return(1); - - sprintf(buf, "*.*%s", realm); - if(acl_exact_match(acl, buf) || acl_exact_match(acl, "*.*@*")) return(1); - - return(0); -} - -/* Adds principal to acl */ -/* Wildcards are interpreted literally */ -int -acl_add(acl, principal) -char *acl; -char *principal; -{ - int idx; - int i; - FILE *new; - char canon[MAX_PRINCIPAL_SIZE]; - - acl_canonicalize_principal(principal, canon); - - /* Is it an invalid principal name? */ - if(strlen(canon) == 0) return(-1); - - if((new = acl_lock_file(acl)) == NULL) return(-1); - if((acl_exact_match(acl, canon)) - || (idx = acl_load(acl)) < 0) { - acl_abort(acl, new); - return(-1); - } - /* It isn't there yet, copy the file and put it in */ - for(i = 0; i < acl_cache[idx].acl->size; i++) { - if(acl_cache[idx].acl->tbl[i] != NULL) { - if(fputs(acl_cache[idx].acl->tbl[i], new) == EOF - || putc('\n', new) != '\n') { - acl_abort(acl, new); - return(-1); - } - } - } - fputs(canon, new); - putc('\n', new); - return(acl_commit(acl, new)); -} - -/* Removes principal from acl */ -/* Wildcards are interpreted literally */ -int -acl_delete(acl, principal) -char *acl; -char *principal; -{ - int idx; - int i; - FILE *new; - char canon[MAX_PRINCIPAL_SIZE]; - - acl_canonicalize_principal(principal, canon); - - /* Is it an invalid principal name? */ - if(strlen(canon) == 0) return(-1); - - if((new = acl_lock_file(acl)) == NULL) return(-1); - if((!acl_exact_match(acl, canon)) - || (idx = acl_load(acl)) < 0) { - acl_abort(acl, new); - return(-1); - } - /* It isn't there yet, copy the file and put it in */ - for(i = 0; i < acl_cache[idx].acl->size; i++) { - if(acl_cache[idx].acl->tbl[i] != NULL - && strcmp(acl_cache[idx].acl->tbl[i], canon)) { - fputs(acl_cache[idx].acl->tbl[i], new); - putc('\n', new); - } - } - return(acl_commit(acl, new)); -} diff --git a/src/kadmin/v4server/acl_files.doc b/src/kadmin/v4server/acl_files.doc deleted file mode 100644 index 78c448a6d..000000000 --- a/src/kadmin/v4server/acl_files.doc +++ /dev/null @@ -1,107 +0,0 @@ -PROTOTYPE ACL LIBRARY - -Introduction - -An access control list (ACL) is a list of principals, where each -principal is is represented by a text string which cannot contain -whitespace. The library allows application programs to refer to named -access control lists to test membership and to atomically add and -delete principals using a natural and intuitive interface. At -present, the names of access control lists are required to be Unix -filenames, and refer to human-readable Unix files; in the future, when -a networked ACL server is implemented, the names may refer to a -different namespace specific to the ACL service. - - -Usage - -cc -lacl -lkrb. - - - -Principal Names - -Principal names have the form - -[.][@] - -e.g. - -asp -asp.root -asp@ATHENA.MIT.EDU -asp.@ATHENA.MIT.EDU -asp.root@ATHENA.MIT.EDU - -It is possible for principals to be underspecified. If instance is -missing, it is assumed to be "". If realm is missing, it is assumed -to be local_realm. The canonical form contains all of name, instance, -and realm; the acl_add and acl_delete routines will always -leave the file in that form. Note that the canonical form of -asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU. - - -Routines - -acl_canonicalize_principal(principal, buf) -char *principal; -char *buf; /*RETVAL*/ - -Store the canonical form of principal in buf. Buf must contain enough -space to store a principal, given the limits on the sizes of name, -instance, and realm specified in /usr/include/krb.h. - -acl_check(acl, principal) -char *acl; -char *principal; - -Returns nonzero if principal appears in acl. Returns 0 if principal -does not appear in acl, or if an error occurs. Canonicalizes -principal before checking, and allows the ACL to contain wildcards. - -acl_exact_match(acl, principal) -char *acl; -char *principal; - -Like acl_check, but does no canonicalization or wildcarding. - -acl_add(acl, principal) -char *acl; -char *principal; - -Atomically adds principal to acl. Returns 0 if successful, nonzero -otherwise. It is considered a failure if principal is already in acl. -This routine will canonicalize principal, but will treat wildcards -literally. - -acl_delete(acl, principal) -char *acl; -char *principal; - -Atomically deletes principal from acl. Returns 0 if successful, -nonzero otherwise. It is consider a failure if principal is not -already in acl. This routine will canonicalize principal, but will -treat wildcards literally. - -acl_initialize(acl, mode) -char *acl; -int mode; - -Initialize acl. If acl file does not exist, creates it with mode -mode. If acl exists, removes all members. Returns 0 if successful, -nonzero otherwise. WARNING: Mode argument is likely to change with -the eventual introduction of an ACL service. - - -Known problems - -In the presence of concurrency, there is a very small chance that -acl_add or acl_delete could report success even though it would have -had no effect. This is a necessary side effect of using lock files -for concurrency control rather than flock(2), which is not supported -by NFS. - -The current implementation caches ACLs in memory in a hash-table -format for increased efficiency in checking membership; one effect of -the caching scheme is that one file descriptor will be kept open for -each ACL cached, up to a maximum of 8. diff --git a/src/kadmin/v4server/admin_server.c b/src/kadmin/v4server/admin_server.c deleted file mode 100644 index fd5361b19..000000000 --- a/src/kadmin/v4server/admin_server.c +++ /dev/null @@ -1,713 +0,0 @@ -/* - * kadmin/v4server/admin_server.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Top-level loop of the kerberos Administration server - */ - -#include -/* - admin_server.c - this holds the main loop and initialization and cleanup code for the server -*/ - -#ifdef _AIX -#include -#endif - -/* define it for now */ -#ifndef POSIX_SIGNALS -#define POSIX_SIGNALS -#endif - -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#ifndef POSIX_SIGNALS -#ifndef sigmask -#define sigmask(m) (1 <<((m)-1)) -#endif -#endif /* POSIX_SIGNALS */ -#include -#include -#include -#include - -#ifdef KADM5 -#include -void *kadm5_handle; -kadm5_config_params paramsin, paramsout; -#endif - -#include "k5-int.h" -#include -#include -#include -#include "com_err.h" -#include "kadm_server.h" - -#ifdef POSIX_SIGTYPE -#define SIGNAL_RETURN return -#else -#define SIGNAL_RETURN return(0) -#endif - -/* Almost all procs and such need this, so it is global */ -admin_params prm; /* The command line parameters struct */ - -char prog[32]; /* WHY IS THIS NEEDED??????? */ -char *progname = prog; -char *acldir = DEFAULT_ACL_DIR; -char krbrlm[REALM_SZ]; -extern Kadm_Server server_parm; -krb5_context kadm_context; -int debug; - -static void cleanexit(int); -static int kadm_listen(void); -static void process_client(int, struct sockaddr_in *); -static void kill_children(void); -static krb5_sigtype do_child(int); - - -/* close the system log file */ -static void close_syslog() -{ - syslog(LOG_INFO, "Shutting down V4 admin server"); -} - -static void byebye() /* say goodnight gracie */ -{ - printf("Admin Server (kadm server) has completed operation.\n"); -} - -/* -** Main does the logical thing, it sets up the database and RPC interface, -** as well as handling the creation and maintenance of the syslog file... -*/ -int -main(argc, argv) /* admin_server main routine */ -int argc; -char *argv[]; -{ - int errval; - int c; - char *lrealm; - extern char *optarg; - extern int fascist_cpw; - krb5_error_code retval; - -#ifdef KADM5 - memset(¶msin, 0, sizeof(paramsin)); -#endif - - retval = krb5_init_context(&kadm_context); - if (retval) { - com_err(argv[0], retval, "while initializing krb5"); - exit(1); - } - initialize_kadm_error_table(); - prog[sizeof(prog)-1]='\0'; /* Terminate... */ - (void) strncpy(prog, argv[0], sizeof(prog)-1); - - /* initialize the admin_params structure */ - prm.sysfile = KADM_SYSLOG; /* default file name */ - prm.inter = 1; - - memset(krbrlm, 0, sizeof(krbrlm)); - - fascist_cpw = 1; /* by default, enable fascist mode */ - while ((c = getopt(argc, argv, "Df:hnd:a:r:FNk:")) != -1) - switch(c) { - case 'D': - debug++; - break; - case 'f': /* Syslog file name change */ - prm.sysfile = optarg; - break; - case 'n': - prm.inter = 0; - break; - case 'a': /* new acl directory */ - acldir = optarg; - break; - case 'd': -#ifdef KADM5 - paramsin.dbname = optarg; - paramsin.mask |= KADM5_CONFIG_DBNAME; -#else - if (errval = krb5_db_set_name(kadm_context, optarg)) { - com_err(argv[0], errval, "while setting dbname"); - exit(1); - } -#endif - break; - case 'F': - fascist_cpw++; - break; - case 'N': - fascist_cpw = 0; - break; - case 'r': - if (strlen (optarg) + 1 > REALM_SZ) { - com_err(argv[0], 0, "realm name `%s' too long", optarg); - exit(1); - } - (void) strncpy(krbrlm, optarg, sizeof(krbrlm) - 1); - break; - case 'k': -#ifdef KADM5 - paramsin.admin_keytab = optarg; - paramsin.mask |= KADM5_CONFIG_ADMIN_KEYTAB; -#endif - break; - case 'h': /* get help on using admin_server */ - default: - printf("Usage: admin_server [-h] [-n] [-F] [-N] [-r realm] [-d dbname] [-f filename] [-a acldir]\n"); - exit(-1); /* failure */ - } - - if (krbrlm[0] == 0) { - errval = krb5_get_default_realm(kadm_context, &lrealm); - if (errval) { - com_err(argv[0], errval, "while attempting to get local realm"); - exit(1); - } - (void) strncpy(krbrlm, lrealm, sizeof(krbrlm) - 1); - } - -#ifdef KADM5 - paramsin.realm = krbrlm; - paramsin.mask |= KADM5_CONFIG_REALM; - - errval = kadm5_get_config_params(kadm_context, NULL, NULL, - ¶msin, ¶msout); - if (errval) { - com_err(argv[0], errval, "while retrieving kadm5 params"); - exit(1); - } - - errval = krb5_db_set_name(kadm_context, paramsout.dbname); - if (errval) { - com_err(argv[0], errval, "while setting dbname"); - exit(1); - } -#endif /* KADM5 */ - - printf("KADM Server %s initializing\n",KADM_VERSTR); - printf("Please do not use 'kill -9' to kill this job, use a\n"); - printf("regular kill instead\n\n"); - -#ifdef KADM5 - printf("KADM Server starting in the KADM5 mode (%sprocess id %ld).\n", - debug ? "" : "parent ", (long) getpid()); -#else - printf("KADM Server starting in %s mode for the purposes for password changing\n\n", fascist_cpw ? "fascist" : "NON-FASCIST"); -#endif - - openlog(argv[0], LOG_CONS|LOG_NDELAY|LOG_PID, LOG_LOCAL6); /* XXX */ - syslog(LOG_INFO, "V4 admin server starting"); - - errval = krb5_db_init(kadm_context); /* Open the Kerberos database */ - if (errval) { - fprintf(stderr, "error: krb5_db_init() failed"); - close_syslog(); - byebye(); - exit(1); - } - - errval = krb5_db_set_lockmode(kadm_context, TRUE); - if (errval) { - com_err(argv[0], errval, "while setting db to nonblocking"); - close_syslog(); - krb5_db_fini(kadm_context); - byebye(); - exit(1); - } - /* set up the server_parm struct */ - if ((errval = kadm_ser_init(prm.inter, krbrlm -#ifdef KADM5 - , ¶msout -#endif - ))==KADM_SUCCESS) { - krb5_db_fini(kadm_context); /* Close the Kerberos database-- - will re-open later */ - errval = kadm_listen(); /* listen for calls to server from - clients */ - } - if (errval != KADM_SUCCESS) { - fprintf(stderr,"error: %s\n",error_message(errval)); - krb5_db_fini(kadm_context); /* Close if error */ - } - close_syslog(); /* Close syslog file, print - closing note */ - byebye(); /* Say bye bye on the terminal - in use */ - return 0; -} /* procedure main */ - - -static void clear_secrets() -{ - memset((char *)server_parm.master_keyblock.contents, 0, - server_parm.master_keyblock.length); - server_parm.mkvno = 0L; - return; -} - -static int exit_now = 0; - -static krb5_sigtype -doexit(sig) - int sig; -{ - exit_now = 1; - SIGNAL_RETURN; -} - -unsigned pidarraysize = 0; -int *pidarray = (int *)0; -int unknown_child = 0; - -/* -kadm_listen -listen on the admin servers port for a request -*/ -static int -kadm_listen() -{ - int found; - int admin_fd; - int peer_fd; - fd_set mask, readfds; - struct sockaddr_in peer; - socklen_t addrlen; - int pid; -#ifdef POSIX_SIGNALS - struct sigaction new_act; - - new_act.sa_handler = doexit; - new_act.sa_flags = 0; - sigemptyset(&new_act.sa_mask); - sigaction(SIGINT, &new_act, 0); - sigaction(SIGTERM, &new_act, 0); - sigaction(SIGHUP, &new_act, 0); - sigaction(SIGQUIT, &new_act, 0); - sigaction(SIGALRM, &new_act, 0); - new_act.sa_handler = SIG_IGN; - sigaction(SIGPIPE, &new_act, 0); - new_act.sa_handler = do_child; - sigaction(SIGCHLD, &new_act, 0); -#else - signal(SIGINT, doexit); - signal(SIGTERM, doexit); - signal(SIGHUP, doexit); - signal(SIGQUIT, doexit); - signal(SIGPIPE, SIG_IGN); /* get errors on write() */ - signal(SIGALRM, doexit); - signal(SIGCHLD, do_child); -#endif - - if ((admin_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) - return KADM_NO_SOCK; - if (debug) { - int one = 1; - if (setsockopt(admin_fd, SOL_SOCKET, SO_REUSEADDR, &one, - sizeof(int)) < 0) { - syslog(LOG_ERR, "setsockopt: %m"); - return KADM_NO_BIND; - } - } - if (bind(admin_fd, (struct sockaddr *)&server_parm.admin_addr, - sizeof(struct sockaddr_in)) < 0) { - syslog(LOG_ERR, "bind: %m"); - return KADM_NO_BIND; - } - (void) listen(admin_fd, 1); - FD_ZERO(&mask); - FD_SET(admin_fd, &mask); - - for (;;) { /* loop nearly forever */ - if (exit_now) { - clear_secrets(); - kill_children(); - return(0); - } - readfds = mask; - if ((found = select(admin_fd+1,&readfds,(fd_set *)0, - (fd_set *)0, (struct timeval *)0)) == 0) - continue; /* no things read */ - if (found < 0) { - if (errno != EINTR) - syslog(LOG_ERR, "select: %s", error_message(errno)); - continue; - } - if (FD_ISSET(admin_fd, &readfds)) { - /* accept the conn */ - addrlen = sizeof(peer); - if ((peer_fd = accept(admin_fd, (struct sockaddr *)&peer, - &addrlen)) < 0) { - syslog(LOG_ERR, "accept: %s", error_message(errno)); - continue; - } - - if (debug) { - process_client(peer_fd, &peer); - } else if ((pid = fork())) { - /* parent */ - if (pid < 0) { - syslog(LOG_ERR, "fork: %s", error_message(errno)); - (void) close(peer_fd); - continue; - } - /* fork succeeded: keep tabs on child */ - (void) close(peer_fd); - if (unknown_child != pid) { - if (pidarray) { - pidarray = (int *)realloc((char *)pidarray, - (++pidarraysize * sizeof(int))); - pidarray[pidarraysize-1] = pid; - } else { - pidarray = (int *)malloc((pidarraysize = 1) * sizeof(int)); - pidarray[0] = pid; - } - } /* End if unknown_child != pid.*/ - } else { - /* child */ - (void) close(admin_fd); - process_client(peer_fd, &peer); - } - } else { - syslog(LOG_ERR, "something else woke me up!"); - return(0); - } - } - /*NOTREACHED*/ -} - -static void process_client(fd, who) - int fd; - struct sockaddr_in *who; -{ - u_char *dat; - int dat_len; - u_short dlen; - int retval; - int on = 1; - int nentries = 1; - krb5_db_entry sprinc_entries; - krb5_boolean more; - krb5_keyblock cpw_skey; - krb5_key_data *kdatap; - int status; - -#ifdef KADM5 - char *service_name; - - service_name = (char *) malloc(strlen(server_parm.sname) + - strlen(server_parm.sinst) + - strlen(server_parm.krbrlm) + 3); - if (service_name == NULL) { - syslog(LOG_ERR, "error: out of memory allocating service name"); - cleanexit(1); - } - sprintf(service_name, "%s@%s", KADM5_ADMIN_SERVICE, paramsin.realm); - - retval = kadm5_init_with_skey(service_name, - paramsout.admin_keytab, - KADM5_ADMIN_SERVICE, - ¶msin, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - &kadm5_handle); - if (retval) { - syslog(LOG_ERR, "error: kadm5_init failed: %s", - error_message(retval)); - cleanexit(1); - } - free(service_name); - - retval = krb5_db_set_name(kadm_context, paramsout.dbname); - if (retval) { - syslog(LOG_ERR, "%s while setting dbname", error_message(retval)); - cleanexit(1); - } -#endif - -#ifndef NOENCRYPTION - /* Must do it here, since this is after the fork() call */ - des_init_random_number_generator(server_parm.master_keyblock.contents); -#endif /* NOENCRYPTION */ - - if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, - (const char *) &on, sizeof(on)) < 0) - syslog(LOG_ERR, "setsockopt keepalive: %d", errno); - - server_parm.recv_addr = *who; - - retval = krb5_db_init(kadm_context); - if (retval) { /* Open as client */ - syslog(LOG_ERR, "can't open krb db: %s", error_message(retval)); - cleanexit(1); - } - /* need to set service key to changepw.KRB_MASTER */ - - status = krb5_db_get_principal(kadm_context, server_parm.sprinc, - &sprinc_entries, - &nentries, &more); - /* ugh... clean this up later */ - if (status == KRB5_KDB_DB_INUSE) { - /* db locked */ - krb5_ui_4 retcode; - char *pdat; - - dat_len = KADM_VERSIZE + sizeof(krb5_ui_4); - dat = (u_char *) malloc((unsigned)dat_len); - pdat = (char *) dat; - retcode = htonl((krb5_ui_4) KADM_DB_INUSE); - (void) strncpy(pdat, KADM_ULOSE, KADM_VERSIZE); - memcpy(&pdat[KADM_VERSIZE], (char *)&retcode, sizeof(krb5_ui_4)); - goto out; - } else if (!nentries) { - syslog(LOG_ERR, "no service %s.%s", server_parm.sname, server_parm.sinst); - cleanexit(2); - } else if (status) { - syslog(LOG_ERR, error_message(status)); - cleanexit(2); - } - - status = krb5_dbe_find_enctype(kadm_context, - &sprinc_entries, - ENCTYPE_DES_CBC_MD5, - -1, - -1, - &kdatap); - if (status) { - syslog(LOG_ERR, "find enctype failed: %s", error_message(status)); - cleanexit(1); - } - - status = krb5_dbekd_decrypt_key_data(kadm_context, - &server_parm.master_keyblock, - kdatap, - &cpw_skey, - (krb5_keysalt *) NULL); - if (status) { - syslog(LOG_ERR, "decrypt_key failed: %s", error_message(status)); - cleanexit(1); - } - /* if error, will show up when rd_req fails */ - (void) krb_set_key((char *)cpw_skey.contents, 0); - while (1) { - if ((retval = krb_net_read(fd, (char *)&dlen, sizeof(u_short))) != - sizeof(u_short)) { - if (retval < 0) - syslog(LOG_ERR, "dlen read: %s", error_message(errno)); - else if (retval) - syslog(LOG_ERR, "short dlen read: %d", retval); - (void) close(fd); -#ifdef KADM5 - (void) kadm5_destroy(kadm5_handle); -#endif - cleanexit(retval ? 3 : 0); - } - if (exit_now) { - cleanexit(0); - } - dat_len = (int) ntohs(dlen); - dat = (u_char *) malloc((unsigned)dat_len); - if (!dat) { - syslog(LOG_ERR, "malloc: No memory"); - (void) close(fd); - cleanexit(4); - } - if ((retval = krb_net_read(fd, (char *)dat, dat_len)) != dat_len) { - if (retval < 0) - syslog(LOG_ERR, "data read: %s", error_message(errno)); - else - syslog(LOG_ERR, "short read: %d vs. %d", dat_len, retval); - (void) close(fd); - cleanexit(5); - } - if (exit_now) { - cleanexit(0); - } - if ((retval = kadm_ser_in(&dat,&dat_len)) != KADM_SUCCESS) - syslog(LOG_ERR, "processing request: %s", error_message(retval)); - - /* kadm_ser_in did the processing and returned stuff in - dat & dat_len , return the appropriate data */ - - out: - dlen = (u_short) dat_len; - - if (dat_len != (int)dlen) { - clear_secrets(); - abort(); /* XXX */ - } - dlen = htons(dlen); - - if (krb_net_write(fd, (char *)&dlen, sizeof(u_short)) < 0) { - syslog(LOG_ERR, "writing dlen to client: %s", error_message(errno)); - (void) close(fd); - cleanexit(6); - } - - if (krb_net_write(fd, (char *)dat, dat_len) < 0) { - syslog(LOG_ERR, "writing to client: %s", error_message(errno)); - (void) close(fd); - cleanexit(7); - } - free((char *)dat); - } - /*NOTREACHED*/ -} - -static krb5_sigtype -do_child(sig) - int sig; -{ - /* SIGCHLD brings us here */ - int pid; - register int i, j; - -#ifdef WAIT_USES_INT - int status; -#else - union wait status; -#endif - - pid = wait(&status); - - for (i = 0; i < pidarraysize; i++) - if (pidarray[i] == pid) { - /* found it */ - for (j = i; j < pidarraysize-1; j++) - /* copy others down */ - pidarray[j] = pidarray[j+1]; - pidarraysize--; -#ifdef WAIT_USES_INT - if (WIFEXITED(status) || WIFSIGNALED(status)) - if (WTERMSIG(status) || WEXITSTATUS(status)) - syslog(LOG_ERR, "child %d: termsig %d, retcode %d", pid, - WTERMSIG(status), WEXITSTATUS(status)); - -#else - if (status.w_retcode || status.w_coredump || status.w_termsig) - syslog(LOG_ERR, "child %d: termsig %d, coredump %d, retcode %d", - pid, status.w_termsig, status.w_coredump, status.w_retcode); - -#endif - SIGNAL_RETURN; - } - unknown_child = pid; -#ifdef WAIT_USES_INT - syslog(LOG_ERR, "child %d not in list: termsig %d, retcode %d", pid, - WTERMSIG(status), WEXITSTATUS(status)); - -#else - syslog(LOG_ERR, "child %d not in list: termsig %d, coredump %d, retcode %d", - pid, status.w_termsig, status.w_coredump, status.w_retcode); - -#endif - SIGNAL_RETURN; -} - -static -void cleanexit(val) - int val; -{ - krb5_db_fini(kadm_context); - clear_secrets(); - exit(val); -} - -static void -kill_children() -{ - register int i; -#ifdef POSIX_SIGNALS - sigset_t oldmask, igmask; -#else - int osigmask; -#endif - -#ifdef POSIX_SIGNALS - sigemptyset(&igmask); - sigaddset(&igmask, SIGCHLD); - sigprocmask(SIG_BLOCK, &igmask, &oldmask); -#else - osigmask = sigblock(sigmask(SIGCHLD)); -#endif - - for (i = 0; i < pidarraysize; i++) { - kill(pidarray[i], SIGINT); - syslog(LOG_ERR, "killing child %d", pidarray[i]); - } -#ifdef POSIX_SIGNALS - sigprocmask(SIG_SETMASK, &oldmask, (sigset_t*)0); -#else - sigsetmask(osigmask); -#endif - return; -} - -#ifdef KADM5 -krb5_int32 convert_kadm5_to_kadm(val) - krb5_int32 val; -{ - switch (val) { - case KADM5_AUTH_GET: - case KADM5_AUTH_ADD: - case KADM5_AUTH_MODIFY: - case KADM5_AUTH_DELETE: - case KADM5_AUTH_INSUFFICIENT: - case KADM5_AUTH_LIST: - case KADM5_AUTH_CHANGEPW: - return KADM_UNAUTH; - case KADM5_BAD_DB: - return KADM_UK_RERROR; - case KADM5_DUP: - case KADM5_POLICY_REF: - return KADM_INUSE; - case KADM5_RPC_ERROR: - return KADM_NO_CONN; - case KADM5_NO_SRV: - return KADM_NO_HOST; - case KADM5_UNK_PRINC: - case KADM5_UNK_POLICY: - return KADM_NOENTRY; - case KADM5_PASS_Q_TOOSHORT: - case KADM5_PASS_Q_CLASS: - case KADM5_PASS_Q_DICT: - case KADM5_PASS_REUSE: - case KADM5_PASS_TOOSOON: - case CHPASS_UTIL_PASSWORD_TOO_SOON: - return KADM_INSECURE_PW; - case KADM5_BAD_PASSWORD: - return KADM_NO_CRED; - case KADM5_PROTECT_PRINCIPAL: - return KADM_NO_OPCODE; - case KADM5_NOT_INIT: - case KADM5_BAD_HIST_KEY: - case KADM5_BAD_MASK: - case KADM5_BAD_CLASS: - case KADM5_BAD_LENGTH: - case KADM5_BAD_POLICY: - case KADM5_BAD_PRINCIPAL: - case KADM5_BAD_AUX_ATTR: - case KADM5_BAD_HISTORY: - case KADM5_BAD_MIN_PASS_LIFE: - return -1; - } - return val; -} -#endif diff --git a/src/kadmin/v4server/build_pwfile.c b/src/kadmin/v4server/build_pwfile.c deleted file mode 100644 index 9cede78cc..000000000 --- a/src/kadmin/v4server/build_pwfile.c +++ /dev/null @@ -1,119 +0,0 @@ -#define NDBM -/* - * build_pwfile.c --- build a table of bad passwords, keyed by their - * des equivalents. - * - * Written by Theodore Ts'o - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -#ifndef lint -static char rcsid_build_pwfile_c[] = -"$Id$"; -#endif lint - -#include -#include -#include -#include -#include - -#ifdef NDBM -#include -#else /*NDBM*/ -#include -#endif /*NDBM*/ - -#include -#include -#include -#include "kadm_server.h" - -/* Macros to convert ndbm names to dbm names. - * Note that dbm_nextkey() cannot be simply converted using a macro, since - * it is invoked giving the database, and nextkey() needs the previous key. - * - * Instead, all routines call "dbm_next" instead. - */ -#ifndef NDBM -typedef char DBM; -#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0)) -#define dbm_fetch(db, key) fetch(key) -#define dbm_store(db, key, content, flag) store(key, content) -#define dbm_firstkey(db) firstkey() -#define dbm_next(db,key) nextkey(key) -#define dbm_close(db) dbmclose() -#else -#define dbm_next(db,key) dbm_nextkey(db) -#endif - -main(argc, argv) - int argc; - char **argv; -{ - DBM *pwfile; - FILE *f; - datum passwd, entry; - des_cblock key; - char word[1024]; - int len, filenum, i; - int wptr; - - if (argc != 2) { - fprintf(stderr,"%s: Usage: %s filename\n", argv[0], argv[0]); - exit(1); - } - if (!(f = fopen(argv[1], "r"))) { - perror(argv[1]); - exit(1); - } - pwfile = dbm_open(PW_CHECK_FILE, O_RDWR|O_CREAT, 0644); - if (!pwfile) { - fprintf(stderr, "Couldn't open %s for writing.\n", - PW_CHECK_FILE); - perror("dbm_open"); - exit(1); - } - filenum = 0; - do { - filenum++; - passwd.dptr = (char *) &filenum; - passwd.dsize = sizeof(filenum); - entry.dptr = argv[1]; - entry.dsize = strlen(argv[1])+1; - } while (dbm_store(pwfile, passwd, entry, DBM_INSERT)); - i = 0; - while (!feof(f)) { - i++; - wptr = (filenum << 24) + i; - fgets(word, sizeof(word), f); - len = strlen(word); - if (len > 0 && word[len-1] == '\n') - word[--len] = '\0'; -#ifdef NOENCRYPTION - bzero((char *) key, sizeof(des_cblock)); - key[0] = (unsigned char) 1; -#else - (void) des_string_to_key(word, key); -#endif - - passwd.dptr = (char *) key; - passwd.dsize = 8; - entry.dptr = (char *) &wptr; -#ifdef notdef - entry.dsize = sizeof(wptr); -#else - entry.dsize = 0; -#endif - dbm_store(pwfile, passwd, entry, DBM_REPLACE); - } - dbm_close(pwfile); - exit(0); -} - - - diff --git a/src/kadmin/v4server/kadm_funcs.c b/src/kadmin/v4server/kadm_funcs.c deleted file mode 100644 index 46e4dd7d6..000000000 --- a/src/kadmin/v4server/kadm_funcs.c +++ /dev/null @@ -1,1003 +0,0 @@ -/* - * kadmin/v4server/kadm_funcs.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Kerberos administration server-side database manipulation routines - */ - - -#include -/* -kadm_funcs.c -the actual database manipulation code -*/ - -#include -#include -#include -#ifdef NDBM_PW_CHECK -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_SYS_TIME_H -#include -#ifdef TIME_WITH_SYS_TIME -#include -#endif -#else -#include -#endif - -#include "kadm_server.h" - -extern Kadm_Server server_parm; - -#include -extern void *kadm5_handle; - -/* Generate dummy password. Yes, it's gross. */ -static char *dummypw() -{ - static char dummybuf[256]; - int i; - - if (dummybuf[0] == 0) - for (i = 0; i < 256; i++) - dummybuf[i] = (i + 1) % 256; - return dummybuf; -} - -/* - * kadm_entry2princ: - * - * Convert a kadm5_principal_ent_t to a Principal. Assumes that princ - * is already allocated. - */ -static krb5_error_code -kadm_entry2princ(entry, princ) - kadm5_principal_ent_t entry; - Principal *princ; -{ - char realm[REALM_SZ + 1]; /* dummy values only */ - krb5_error_code retval; - int i; - - /* NOTE: does not convert the key */ - memset(princ, 0, sizeof (*princ)); - retval = krb5_524_conv_principal(kadm_context, entry->principal, - princ->name, princ->instance, realm); - if (retval) - return retval; - princ->exp_date = entry->pw_expiration; - strncpy(princ->exp_date_txt, - ctime((const time_t *) &entry->pw_expiration), DATE_SZ); - princ->attributes = entry->attributes; - princ->max_life = krb_time_to_life(0, entry->max_life); - princ->kdc_key_ver = 1; /* entry->mkvno .... WTF??? --tlyu */ - for (i = 0; i < entry->n_key_data; i++) { - /* XXX This assumes knowledge of the internals of krb5_key_data */ - if (entry->key_data[i].key_data_type[0] == ENCTYPE_DES_CBC_CRC && - entry->key_data[i].key_data_type[1] == KRB5_KDB_SALTTYPE_V4) { - princ->key_version = entry->key_data[i].key_data_kvno; - break; - } - } - - retval = krb5_524_conv_principal(kadm_context, entry->mod_name, - princ->mod_name, princ->mod_instance, - realm); - if (retval) - return retval; - - princ->mod_date = entry->mod_date; - strncpy(princ->mod_date_txt, - ctime((const time_t *) &entry->mod_date), - DATE_SZ); - - return 0; -} - -static int check_access(pname, pinst, prealm, acltype) - char *pname; - char *pinst; - char *prealm; - enum acl_types acltype; -{ - char checkname[MAX_K_NAME_SZ]; - char filename[MAXPATHLEN]; - extern char *acldir; - - (void) sprintf(checkname, "%s.%s@%s", pname, pinst, prealm); - - switch (acltype) { - case ADDACL: - (void) sprintf(filename, "%s%s", acldir, ADD_ACL_FILE); - break; - case GETACL: - (void) sprintf(filename, "%s%s", acldir, GET_ACL_FILE); - break; - case MODACL: - (void) sprintf(filename, "%s%s", acldir, MOD_ACL_FILE); - break; - case DELACL: - (void) sprintf(filename, "%s%s", acldir, DEL_ACL_FILE); - break; - case STABACL: - (void) sprintf(filename, "%s%s", acldir, STAB_ACL_FILE); - break; - } - return(acl_check(filename, checkname)); -} - -static int wildcard(str) -char *str; -{ - if (!strcmp(str, WILDCARD_STR)) - return(1); - return(0); -} - -krb5_error_code -kadm_add_entry (rname, rinstance, rrealm, valsin, valsout) - char *rname; /* requestors name */ - char *rinstance; /* requestors instance */ - char *rrealm; /* requestors realm */ - Kadm_vals *valsin; - Kadm_vals *valsout; -{ - Principal data_i, data_o; /* temporary principal */ - u_char flags[4]; - krb5_error_code retval; - kadm5_principal_ent_rec newentry, tmpentry; - krb5_keyblock newpw; - long mask = 0; - - if (!check_access(rname, rinstance, rrealm, ADDACL)) { - syslog(LOG_WARNING, - "WARNING: '%s.%s@%s' tried to add an entry for '%s.%s'", - rname, rinstance, rrealm, valsin->name, valsin->instance); - return KADM_UNAUTH; - } - - /* Need to check here for "legal" name and instance */ - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - retval = KADM_ILL_WILDCARD; - goto err; - } - - syslog(LOG_INFO, "request to add an entry for '%s.%s' from '%s.%s@%s'", - valsin->name, valsin->instance, rname, rinstance, rrealm); - - kadm_vals_to_prin(valsin->fields, &data_i, valsin); - (void) strncpy(data_i.name, valsin->name, ANAME_SZ); - (void) strncpy(data_i.instance, valsin->instance, INST_SZ); - - memset(&newentry, 0, sizeof (newentry)); - retval = krb5_425_conv_principal(kadm_context, - data_i.name, data_i.instance, - server_parm.krbrlm, - &newentry.principal); - if (retval) - goto err_newentry; - - if (IS_FIELD(KADM_EXPDATE,valsin->fields)) { - newentry.princ_expire_time = data_i.exp_date; - mask |= KADM5_PRINC_EXPIRE_TIME; - } - - if (IS_FIELD(KADM_MAXLIFE,valsin->fields)) { - newentry.max_life = krb_life_to_time(0, data_i.max_life); - mask |= KADM5_MAX_LIFE; - } - - /* Create with ticket issuing disabled. */ - newentry.attributes = KRB5_KDB_DISALLOW_ALL_TIX; - mask |= KADM5_PRINCIPAL|KADM5_ATTRIBUTES; - retval = kadm5_get_principal(kadm5_handle, newentry.principal, - &tmpentry, KADM5_PRINCIPAL_NORMAL_MASK); - switch (retval) { - case KADM5_UNK_PRINC: - break; - case 0: - kadm5_free_principal_ent(kadm5_handle, &tmpentry); - retval = KADM_INUSE; - default: - goto err_newentry; - break; - } - - retval = kadm5_create_principal(kadm5_handle, &newentry, - mask, dummypw()); - if (retval) - goto err_newentry; - - newpw.magic = KV5M_KEYBLOCK; - if ((newpw.contents = (krb5_octet *)malloc(8)) == NULL) { - retval = KADM_NOMEM; - goto err_newentry; - } - - data_i.key_low = ntohl(data_i.key_low); - data_i.key_high = ntohl(data_i.key_high); - memcpy(newpw.contents, &data_i.key_low, 4); - memcpy((char *)(((krb5_int32 *) newpw.contents) + 1), &data_i.key_high, 4); - newpw.length = 8; - newpw.enctype = ENCTYPE_DES_CBC_CRC; - - retval = kadm5_setv4key_principal(kadm5_handle, - newentry.principal, &newpw); - memset((char *)newpw.contents, 0, newpw.length); - free(newpw.contents); - if (retval) - goto err_newentry; - - newentry.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; - retval = kadm5_modify_principal(kadm5_handle, &newentry, - KADM5_ATTRIBUTES); - if (retval) - goto err_newentry; - - retval = kadm5_get_principal(kadm5_handle, newentry.principal, - &tmpentry, KADM5_PRINCIPAL_NORMAL_MASK); - kadm5_free_principal_ent(kadm5_handle, &newentry); - if (retval) - goto err; - - kadm_entry2princ(&tmpentry, &data_o); - kadm5_free_principal_ent(kadm5_handle, &tmpentry); - memset((char *)flags, 0, sizeof(flags)); - SET_FIELD(KADM_NAME,flags); - SET_FIELD(KADM_INST,flags); - SET_FIELD(KADM_EXPDATE,flags); - SET_FIELD(KADM_ATTR,flags); - SET_FIELD(KADM_MAXLIFE,flags); - kadm_prin_to_vals(flags, valsout, &data_o); - syslog(LOG_INFO, "'%s.%s' added.", valsin->name, valsin->instance); - return KADM_DATA; /* Set all the appropriate fields */ - -err_newentry: - kadm5_free_principal_ent(kadm5_handle, &newentry); -err: - syslog(LOG_ERR, "FAILED adding '%s.%s' (%s)", - valsin->name, valsin->instance, error_message(retval)); - return retval; -} - -#ifndef KADM5 -#define faildel(code) { (void) syslog(LOG_ERR, "FAILED deleting '%s.%s' (%s)", valsin->name, valsin->instance, error_message(code)); return code; } - -krb5_error_code -kadm_del_entry (rname, rinstance, rrealm, valsin, valsout) -char *rname; /* requestors name */ -char *rinstance; /* requestors instance */ -char *rrealm; /* requestors realm */ -Kadm_vals *valsin; -Kadm_vals *valsout; -{ - int numfound; /* check how many we get written */ - krb5_boolean more; /* pointer to more grabbed records */ - Principal data_i, data_o; /* temporary principal */ - u_char flags[4]; - krb5_db_entry entry, odata; - krb5_error_code retval; - krb5_principal inprinc; - - if (!check_access(rname, rinstance, rrealm, DELACL)) { - (void) syslog(LOG_WARNING, "WARNING: '%s.%s@%s' tried to delete an entry for '%s.%s'", - rname, rinstance, rrealm, valsin->name, valsin->instance); - return KADM_UNAUTH; - } - - /* Need to check here for "legal" name and instance */ - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - faildel(KADM_ILL_WILDCARD); - } - - syslog(LOG_INFO, "request to delete an entry for '%s.%s' from '%s.%s@%s'", - valsin->name, valsin->instance, rname, rinstance, rrealm); - - retval = krb5_425_conv_principal(kadm_context, valsin->name, - valsin->instance, - server_parm.krbrlm, &inprinc); - if (retval) - faildel(retval); - - numfound = 1; - retval = krb5_db_get_principal(kadm_context, inprinc, &entry, &numfound, - &more); - - if (retval) { - krb5_db_free_principal(kadm_context, &entry, numfound); - faildel(retval); - } else if (!numfound || more) { - faildel(KADM_NOENTRY); - } - - retval = krb5_db_delete_principal(kadm_context, inprinc, &numfound); - if (retval) { - krb5_db_free_principal(kadm_context, &entry, numfound); - faildel(retval); - } - if (!numfound) { - krb5_db_free_principal(kadm_context, &entry, numfound); - faildel(KADM_UK_SERROR); - } else { - if (retval) { - faildel(retval); - } else if (numfound != 1 || more) { - krb5_db_free_principal(kadm_context, &entry, numfound); - faildel(KADM_UK_RERROR); - } - kadm_entry2princ(&entry, &data_o); - krb5_db_free_principal(kadm_context, &entry, numfound); - memset((char *)flags, 0, sizeof(flags)); - SET_FIELD(KADM_NAME,flags); - SET_FIELD(KADM_INST,flags); - SET_FIELD(KADM_EXPDATE,flags); - SET_FIELD(KADM_ATTR,flags); - SET_FIELD(KADM_MAXLIFE,flags); - kadm_prin_to_vals(flags, valsout, &data_o); - syslog(LOG_INFO, "'%s.%s' deleted.", valsin->name, valsin->instance); - return KADM_DATA; /* Set all the appropriate fields */ - } -} -#undef faildel - -#endif /* !KADM5 */ - -krb5_error_code -kadm_get_entry (rname, rinstance, rrealm, valsin, flags, valsout) - char *rname; /* requestors name */ - char *rinstance; /* requestors instance */ - char *rrealm; /* requestors realm */ - Kadm_vals *valsin; /* what they wannt to get */ - u_char *flags; /* which fields we want */ - Kadm_vals *valsout; /* what data is there */ -{ - Principal data_o; /* Data object to hold Principal */ - krb5_principal inprinc; - krb5_error_code retval; - kadm5_principal_ent_rec ent; - - if (!check_access(rname, rinstance, rrealm, GETACL)) { - syslog(LOG_WARNING, "WARNING: '%s.%s@%s' tried to get '%s.%s's entry", - rname, rinstance, rrealm, valsin->name, valsin->instance); - return KADM_UNAUTH; - } - - if (wildcard(valsin->name) || wildcard(valsin->instance)) { - retval = KADM_ILL_WILDCARD; - goto err; - } - - syslog(LOG_INFO, "retrieve '%s.%s's entry for '%s.%s@%s'", - valsin->name, valsin->instance, rname, rinstance, rrealm); - - retval = krb5_425_conv_principal(kadm_context, valsin->name, - valsin->instance, - server_parm.krbrlm, &inprinc); - if (retval) - goto err_princ; - - retval = kadm5_get_principal(kadm5_handle, inprinc, &ent, - KADM5_PRINCIPAL_NORMAL_MASK); - krb5_free_principal(kadm_context, inprinc); - switch (retval) { - case KADM5_UNK_PRINC: - retval = KADM_NOENTRY; - goto err_princ; - default: - goto err_princ; - case 0: - break; - } - retval = kadm_entry2princ(&ent, &data_o); - kadm5_free_principal_ent(kadm5_handle, &ent); - if (retval) { - goto err_princ; - } - kadm_prin_to_vals(flags, valsout, &data_o); - syslog(LOG_INFO, "'%s.%s' retrieved.", valsin->name, valsin->instance); - return KADM_DATA; /* Set all the appropriate fields */ -err_princ: - krb5_free_principal(kadm_context, inprinc); -err: - syslog(LOG_ERR, "FAILED retrieving '%s.%s' (%s)", - valsin->name, valsin->instance, error_message(retval)); - return retval; -} - - -krb5_error_code -kadm_mod_entry (rname, rinstance, rrealm, valsin1, valsin2, valsout) - char *rname; /* requestors name */ - char *rinstance; /* requestors instance */ - char *rrealm; /* requestors realm */ - Kadm_vals *valsin1, *valsin2; /* holds the parameters being - passed in */ - Kadm_vals *valsout; /* the actual record which is returned */ -{ - Principal data_o, temp_key; - u_char fields[4]; - krb5_keyblock newpw; - krb5_error_code retval; - krb5_principal theprinc; - kadm5_principal_ent_rec entry; - long mask = 0; - - if (wildcard(valsin1->name) || wildcard(valsin1->instance)) { - retval = KADM_ILL_WILDCARD; - goto err; - } - - if (!check_access(rname, rinstance, rrealm, MODACL)) { - syslog(LOG_WARNING, "WARNING: '%s.%s@%s' tried to change '%s.%s's entry", - rname, rinstance, rrealm, valsin1->name, valsin1->instance); - return KADM_UNAUTH; - } - - syslog(LOG_INFO, "request to modify '%s.%s's entry from '%s.%s@%s' ", - valsin1->name, valsin1->instance, rname, rinstance, rrealm); - retval = krb5_425_conv_principal(kadm_context, - valsin1->name, valsin1->instance, - server_parm.krbrlm, &theprinc); - if (retval) - goto err; - retval = kadm5_get_principal(kadm5_handle, theprinc, &entry, - KADM5_PRINCIPAL_NORMAL_MASK); - if (retval) - goto err_princ; - - kadm_vals_to_prin(valsin2->fields, &temp_key, valsin2); - - if (IS_FIELD(KADM_EXPDATE,valsin2->fields)) { - entry.princ_expire_time = temp_key.exp_date; - mask |= KADM5_PRINC_EXPIRE_TIME; - } - - if (IS_FIELD(KADM_MAXLIFE,valsin2->fields)) { - entry.max_life = krb_life_to_time(0, temp_key.max_life); - mask |= KADM5_MAX_LIFE; - } - - retval = kadm5_modify_principal(kadm5_handle, &entry, mask); - if (retval) - goto err_entry; - - if (IS_FIELD(KADM_DESKEY,valsin2->fields)) { - if ((newpw.contents = (krb5_octet *)malloc(8)) == NULL) { - retval = KADM_NOMEM; - goto err_entry; - } - newpw.magic = KV5M_KEYBLOCK; - newpw.length = 8; - newpw.enctype = ENCTYPE_DES_CBC_CRC; - temp_key.key_low = ntohl(temp_key.key_low); - temp_key.key_high = ntohl(temp_key.key_high); - memcpy(newpw.contents, &temp_key.key_low, 4); - memcpy(newpw.contents + 4, &temp_key.key_high, 4); - memset((char *)&temp_key, 0, sizeof(temp_key)); - - retval = kadm5_setv4key_principal(kadm5_handle, entry.principal, - &newpw); - krb5_free_keyblock_contents(kadm_context, &newpw); - if (retval) - goto err_entry; - } - - kadm5_free_principal_ent(kadm5_handle, &entry); - - retval = kadm5_get_principal(kadm5_handle, theprinc, &entry, - KADM5_PRINCIPAL_NORMAL_MASK); - if (retval) - goto err_princ; - - retval = kadm_entry2princ(&entry, &data_o); - kadm5_free_principal_ent(kadm5_handle, &entry); - krb5_free_principal(kadm_context, theprinc); - if (retval) - goto err; - - memset((char *) fields, 0, sizeof(fields)); - SET_FIELD(KADM_NAME,fields); - SET_FIELD(KADM_INST,fields); - SET_FIELD(KADM_EXPDATE,fields); - SET_FIELD(KADM_ATTR,fields); - SET_FIELD(KADM_MAXLIFE,fields); - kadm_prin_to_vals(fields, valsout, &data_o); - syslog(LOG_INFO, "'%s.%s' modified.", valsin1->name, valsin1->instance); - return KADM_DATA; /* Set all the appropriate fields */ - -err_entry: - kadm5_free_principal_ent(kadm5_handle, &entry); -err_princ: - krb5_free_principal(kadm_context, theprinc); -err: - syslog(LOG_ERR, "FAILED modifying '%s.%s' (%s)", - valsin1->name, valsin1->instance, error_message(retval)); - return retval; -} - -#ifndef KADM5 -#define failchange(code) { syslog(LOG_ERR, "FAILED changing key for '%s.%s@%s' (%s)", rname, rinstance, rrealm, error_message(code)); return code; } - -krb5_error_code -kadm_change (rname, rinstance, rrealm, newpw) -char *rname; -char *rinstance; -char *rrealm; -des_cblock newpw; -{ - int numfound; - krb5_boolean more; - krb5_principal rprinc; - krb5_error_code retval; - krb5_keyblock localpw; - krb5_db_entry odata; - krb5_key_data *pkey; - krb5_keysalt sblock; - - if (strcmp(server_parm.krbrlm, rrealm)) { - syslog(LOG_ERR, "change key request from wrong realm, '%s.%s@%s'!\n", - rname, rinstance, rrealm); - return(KADM_WRONG_REALM); - } - - if (wildcard(rname) || wildcard(rinstance)) { - failchange(KADM_ILL_WILDCARD); - } - syslog(LOG_INFO, "'%s.%s@%s' wants to change its password", - rname, rinstance, rrealm); - retval = krb5_425_conv_principal(kadm_context, rname, rinstance, - server_parm.krbrlm, &rprinc); - if (retval) - failchange(retval); - if ((localpw.contents = (krb5_octet *)malloc(8)) == NULL) - failchange(KADM_NOMEM); - memcpy(localpw.contents, newpw, 8); - localpw.magic = KV5M_KEYBLOCK; - localpw.enctype = ENCTYPE_DES_CBC_CRC; - localpw.length = 8; - numfound = 1; - retval = krb5_db_get_principal(kadm_context, rprinc, &odata, - &numfound, &more); - krb5_free_principal(kadm_context, rprinc); - if (retval) { - memset(localpw.contents, 0, localpw.length); - free(localpw.contents); - failchange(retval); - } else if (numfound == 1) { - if (retval = krb5_dbe_find_enctype(kadm_context, - &odata, - ENCTYPE_DES_CBC_CRC, - KRB5_KDB_SALTTYPE_V4, - -1, - &pkey)) { - failchange(retval); - } - pkey->key_data_kvno++; - pkey->key_data_kvno %= 256; - numfound = 1; - sblock.type = KRB5_KDB_SALTTYPE_V4; - sblock.data.length = 0; - sblock.data.data = (char *) NULL; - retval = krb5_dbekd_encrypt_key_data(kadm_context, - /* XXX but I'm ifdef'd out here, - so I can't really test this. */ - &server_parm.master_encblock, - &localpw, - &sblock, - (int) pkey->key_data_kvno, - pkey); - memset(localpw.contents, 0, localpw.length); - free(localpw.contents); - if (retval) { - failchange(retval); - } - retval = krb5_db_put_principal(kadm_context, &odata, &numfound); - krb5_db_free_principal(kadm_context, &odata, 1); - if (retval) { - failchange(retval); - } else if (more) { - failchange(KADM_UK_SERROR); - } else { - syslog(LOG_INFO, - "'%s.%s@%s' password changed.", rname, rinstance, rrealm); - return KADM_SUCCESS; - } - } - else { - failchange(KADM_NOENTRY); - } -} -#undef failchange -#endif /* !KADM5 */ - -static int -check_pw(newpw, checkstr) - des_cblock newpw; - char *checkstr; -{ -#ifdef NOENCRYPTION - return 0; -#else /* !NOENCRYPTION */ - des_cblock checkdes; - - (void) des_string_to_key(checkstr, checkdes); - return(!memcmp(checkdes, newpw, sizeof(des_cblock))); -#endif /* NOENCRYPTION */ -} - -static char *reverse(str) - char *str; -{ - static char newstr[80]; - char *p, *q; - int i; - - i = strlen(str); - if (i >= sizeof(newstr)) - i = sizeof(newstr)-1; - p = str+i-1; - q = newstr; - q[i]='\0'; - for(; i > 0; i--) - *q++ = *p--; - - return(newstr); -} - -static int lower(str) - char *str; -{ - register char *cp; - int effect=0; - - for (cp = str; *cp; cp++) { - if (isupper((int) *cp)) { - *cp = tolower((int) *cp); - effect++; - } - } - return(effect); -} - -static int -des_check_gecos(gecos, newpw) - char *gecos; - des_cblock newpw; -{ - char *cp, *ncp, *tcp; - - for (cp = gecos; *cp; ) { - /* Skip past punctuation */ - for (; *cp; cp++) - if (isalnum((int) *cp)) - break; - /* Skip to the end of the word */ - for (ncp = cp; *ncp; ncp++) - if (!isalnum((int) *ncp) && *ncp != '\'') - break; - /* Delimit end of word */ - if (*ncp) - *ncp++ = '\0'; - /* Check word to see if it's the password */ - if (*cp) { - if (check_pw(newpw, cp)) - return(KADM_INSECURE_PW); - tcp = reverse(cp); - if (check_pw(newpw, tcp)) - return(KADM_INSECURE_PW); - if (lower(cp)) { - if (check_pw(newpw, cp)) - return(KADM_INSECURE_PW); - tcp = reverse(cp); - if (check_pw(newpw, tcp)) - return(KADM_INSECURE_PW); - } - cp = ncp; - } else - break; - } - return(0); -} - -static int -str_check_gecos(gecos, pwstr) - char *gecos; - char *pwstr; -{ - char *cp, *ncp, *tcp; - - for (cp = gecos; *cp; ) { - /* Skip past punctuation */ - for (; *cp; cp++) - if (isalnum((int) *cp)) - break; - /* Skip to the end of the word */ - for (ncp = cp; *ncp; ncp++) - if (!isalnum((int) *ncp) && *ncp != '\'') - break; - /* Delimit end of word */ - if (*ncp) - *ncp++ = '\0'; - /* Check word to see if it's the password */ - if (*cp) { - if (!strcasecmp(pwstr, cp)) - return(KADM_INSECURE_PW); - tcp = reverse(cp); - if (!strcasecmp(pwstr, tcp)) - return(KADM_INSECURE_PW); - cp = ncp; - } else - break; - } - return(0); -} - - -krb5_error_code -kadm_approve_pw(rname, rinstance, rrealm, newpw, pwstring) -char *rname; -char *rinstance; -char *rrealm; -des_cblock newpw; -char *pwstring; -{ - int retval; -#if NDBM_PW_CHECK - static DBM *pwfile = NULL; - datum passwd, entry; -#endif - struct passwd *ent; -#ifdef HESIOD - extern struct passwd *hes_getpwnam(); -#endif - - if (pwstring && !check_pw(newpw, pwstring)) - /* - * Someone's trying to toy with us.... - */ - return(KADM_PW_MISMATCH); - if (pwstring && (strlen(pwstring) < 5)) - return(KADM_INSECURE_PW); -#if NDBM_PW_CHECK - if (!pwfile) { - pwfile = dbm_open(PW_CHECK_FILE, O_RDONLY, 0644); - } - if (pwfile) { - passwd.dptr = (char *) newpw; - passwd.dsize = 8; - entry = dbm_fetch(pwfile, passwd); - if (entry.dptr) - return(KADM_INSECURE_PW); - } -#endif - if (check_pw(newpw, rname) || check_pw(newpw, reverse(rname))) - return(KADM_INSECURE_PW); -#ifdef HESIOD - ent = hes_getpwnam(rname); -#else - ent = getpwnam(rname); -#endif - if (ent && ent->pw_gecos) { - if (pwstring) - retval = str_check_gecos(ent->pw_gecos, pwstring); - else - retval = des_check_gecos(ent->pw_gecos, newpw); - if (retval) - return(retval); - } - return(0); -} - -/* - * This routine checks to see if a principal should be considered an - * allowable service name which can be changed by kadm_change_srvtab. - * - * We do this check by using the ACL library. This makes the - * (relatively) reasonable assumption that both the name and the - * instance will not contain '.' or '@'. - */ -static int kadm_check_srvtab(name, instance) - char *name; - char *instance; -{ - char filename[MAXPATHLEN]; - extern char *acldir; - - (void) sprintf(filename, "%s%s", acldir, STAB_SERVICES_FILE); - if (!acl_check(filename, name)) - return(KADM_NOT_SERV_PRINC); - - (void) sprintf(filename, "%s%s", acldir, STAB_HOSTS_FILE); - if (acl_check(filename, instance)) - return(KADM_NOT_SERV_PRINC); - return 0; -} - -/* - * This works around a bug in kadm5, since kadm5_free_key_data() is - * actually not implemented. It abuses the knowledge that it's safe - * to call free() on the keyblocks allocated by - * kadm5_randkey_principal(). - */ -static void free_keyblocks(context, keyblocks, nkeys) - krb5_context context; - krb5_keyblock *keyblocks; - int nkeys; -{ - int i; - for (i = 0; i < nkeys; i++) { - krb5_free_keyblock_contents(context, &keyblocks[i]); - } - free(keyblocks); -} - -/* - * Routine to allow some people to change the key of a srvtab - * principal to a random key, which the admin server will return to - * the client. - */ -krb5_error_code -kadm_chg_srvtab(rname, rinstance, rrealm, values) - char *rname; /* requestors name */ - char *rinstance; /* requestors instance */ - char *rrealm; /* requestors realm */ - Kadm_vals *values; -{ - int isnew; - krb5_principal inprinc; - krb5_error_code retval; - krb5_keyblock *keyblocks; - int nkeys, i; - kadm5_principal_ent_rec princ_ent; - - memset(&princ_ent, 0, sizeof (princ_ent)); /* XXX */ - - if (!check_access(rname, rinstance, rrealm, STABACL)) { - retval = (krb5_error_code) KADM_UNAUTH; - goto err; - } - if (wildcard(rname) || wildcard(rinstance)) { - retval = (krb5_error_code) KADM_ILL_WILDCARD; - goto err; - } - retval = (krb5_error_code) kadm_check_srvtab(values->name, - values->instance); - if (retval) - goto err; - - retval = krb5_425_conv_principal(kadm_context, values->name, - values->instance, - server_parm.krbrlm, &inprinc); - if (retval) - goto err; - /* - * OK, get the entry, and create it if it doesn't exist. - */ - retval = kadm5_get_principal(kadm5_handle, inprinc, &princ_ent, - KADM5_PRINCIPAL_NORMAL_MASK); - switch (retval) { - case KADM5_UNK_PRINC: - isnew = 1; - retval = krb5_copy_principal(kadm_context, inprinc, - &princ_ent.principal); - if (retval) - goto err_princ; - - princ_ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX; - - retval = kadm5_create_principal(kadm5_handle, &princ_ent, - KADM5_PRINCIPAL|KADM5_ATTRIBUTES, - dummypw()); - if (retval) - goto err_princ_ent; - break; - case 0: - isnew = 0; - break; - default: - goto err_princ; - break; - } - - /* randomize */ - retval = kadm5_randkey_principal(kadm5_handle, inprinc, - &keyblocks, &nkeys); - if (retval) { - if (isnew) - goto err_princ_ent; - else - goto err_princ; - } - - if (isnew) { - /* Allow tickets now, if we just created this principal. */ - princ_ent.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; - retval = kadm5_modify_principal(kadm5_handle, &princ_ent, - KADM5_ATTRIBUTES); - kadm5_free_principal_ent(kadm5_handle, &princ_ent); - if (retval) - goto err_princ; - } - - for (i = 0; i < nkeys; i++) { - /* - * XXX kadm5_randkey_principal() doesn't actually generate - * multiple keys for the DES_CBC_* enctypes; rather it makes - * them all DES_CBC_CRC, thus preventing a service from using - * DES_CBC_MD5, or something. - */ - if (keyblocks[i].enctype == ENCTYPE_DES_CBC_CRC) - break; - } - if (i == nkeys) { - krb5_free_principal(kadm_context, inprinc); - free_keyblocks(kadm_context, keyblocks, nkeys); - syslog(LOG_ERR, "change_srvtab: DES_CBC_CRC key not found"); - return(KADM_NOENTRY); /* XXX not quite accurate */ - } - if (keyblocks[i].length != 8) { - krb5_free_principal(kadm_context, inprinc); - free_keyblocks(kadm_context, keyblocks, nkeys); - syslog(LOG_ERR, "change_srvtab: bad length for DES_CBC_CRC key"); - return(KADM_NOENTRY); /* XXX not quite accruate */ - } - - /* - * Set up return values. - */ - memcpy((char *)&values->key_low, keyblocks[i].contents, 4); - memcpy((char *)&values->key_high, keyblocks[i].contents + 4, 4); - values->key_low = htonl(values->key_low); - values->key_high = htonl(values->key_high); - free_keyblocks(kadm_context, keyblocks, nkeys); - retval = kadm5_get_principal(kadm5_handle, inprinc, &princ_ent, - KADM5_PRINCIPAL_NORMAL_MASK); - if (retval) - goto err_princ; - - values->exp_date = princ_ent.princ_expire_time; - values->max_life = princ_ent.kvno; /* XXX kludge for backwards compat */ - memset(values->fields, 0, sizeof(values->fields)); - SET_FIELD(KADM_NAME, values->fields); - SET_FIELD(KADM_INST, values->fields); - SET_FIELD(KADM_EXPDATE, values->fields); -#if 0 - SET_FIELD(KADM_ATTR, values->fields); /* XXX should we be doing this? */ -#endif - SET_FIELD(KADM_MAXLIFE, values->fields); - SET_FIELD(KADM_DESKEY, values->fields); - - kadm5_free_principal_ent(kadm5_handle, &princ_ent); - krb5_free_principal(kadm_context, inprinc); - - syslog(LOG_INFO, "change_srvtab: service '%s.%s' %s by %s.%s@%s.", - values->name, values->instance, - isnew ? "created" : "changed", - rname, rinstance, rrealm); - return KADM_DATA; - -err_princ_ent: - kadm5_free_principal_ent(kadm5_handle, &princ_ent); -err_princ: - krb5_free_principal(kadm_context, inprinc); -err: - syslog(LOG_ERR, - "change_srvtab: FAILED changing '%s.%s' by '%s.%s@%s' (%s)", - values->name, values->instance, - rname, rinstance, rrealm, error_message(retval)); - return retval; -} diff --git a/src/kadmin/v4server/kadm_ser_wrap.c b/src/kadmin/v4server/kadm_ser_wrap.c deleted file mode 100644 index e7914f1d2..000000000 --- a/src/kadmin/v4server/kadm_ser_wrap.c +++ /dev/null @@ -1,301 +0,0 @@ -/* - * kadmin/v4server/kadm_ser_wrap.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Kerberos administration server-side support functions - */ - - -#include -/* -kadm_ser_wrap.c -unwraps wrapped packets and calls the appropriate server subroutine -*/ - -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include "kadm_server.h" -#include -#include -#include -#include - -#ifdef KADM5 -#include -#endif - -Kadm_Server server_parm; - -/* -kadm_ser_init -set up the server_parm structure -*/ -#ifdef KADM5 -int -kadm_ser_init(inter, realm, params) - int inter; /* interactive or from file */ - char realm[]; - kadm5_config_params *params; -#else -int -kadm_ser_init(inter, realm) - int inter; /* interactive or from file */ - char realm[]; -#endif -{ - struct servent *sep; - struct hostent *hp; - char hostname[MAXHOSTNAMELEN]; - char *mkey_name; - krb5_error_code retval; - int numfound = 1; - krb5_boolean more; - krb5_db_entry master_entry; - krb5_key_data *kdatap; - - if (gethostname(hostname, sizeof(hostname))) - return KADM_NO_HOSTNAME; - - (void) strcpy(server_parm.sname, PWSERV_NAME); - (void) strcpy(server_parm.sinst, KRB_MASTER); - if (strlen (realm) > REALM_SZ) - return KADM_REALM_TOO_LONG; - (void) strncpy(server_parm.krbrlm, realm, sizeof(server_parm.krbrlm)-1); - server_parm.krbrlm[sizeof(server_parm.krbrlm) - 1] = '\0'; - - if (krb5_425_conv_principal(kadm_context, server_parm.sname, - server_parm.sinst, server_parm.krbrlm, - &server_parm.sprinc)) - return KADM_NO_MAST; - server_parm.admin_fd = -1; - /* setting up the addrs */ - if ((sep = getservbyname(KADM_SNAME, "tcp")) == NULL) - return KADM_NO_SERV; - memset((char *)&server_parm.admin_addr, 0,sizeof(server_parm.admin_addr)); - server_parm.admin_addr.sin_family = AF_INET; - if ((hp = gethostbyname(hostname)) == NULL) - return KADM_NO_HOSTNAME; - memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr, - sizeof(server_parm.admin_addr.sin_addr.s_addr)); - server_parm.admin_addr.sin_port = sep->s_port; - /* setting up the database */ - mkey_name = KRB5_KDB_M_NAME; - - server_parm.master_keyblock.enctype = params->enctype; - - retval = krb5_db_setup_mkey_name(kadm_context, mkey_name, realm, - (char **) 0, - &server_parm.master_princ); - if (retval) - return KADM_NO_MAST; - krb5_db_fetch_mkey(kadm_context, server_parm.master_princ, - server_parm.master_keyblock.enctype, - (inter == 1), FALSE, - params->stash_file, - NULL, - &server_parm.master_keyblock); - if (retval) - return KADM_NO_MAST; - retval = krb5_db_verify_master_key(kadm_context, server_parm.master_princ, - &server_parm.master_keyblock); - if (retval) - return KADM_NO_VERI; - retval = krb5_db_get_principal(kadm_context, server_parm.master_princ, - &master_entry, &numfound, &more); - if (retval || more || !numfound) - return KADM_NO_VERI; - - retval = krb5_dbe_find_enctype(kadm_context, - &master_entry, - -1, -1, -1, - &kdatap); - if (retval) - return KRB5_PROG_KEYTYPE_NOSUPP; - server_parm.max_life = master_entry.max_life; - server_parm.max_rlife = master_entry.max_renewable_life; - server_parm.expiration = master_entry.expiration; - server_parm.mkvno = kdatap->key_data_kvno; - /* don't set flags, as master has some extra restrictions - (??? quoted from kdb_edit.c) */ - krb5_db_free_principal(kadm_context, &master_entry, numfound); - return KADM_SUCCESS; -} - - -static void errpkt(dat, dat_len, code) -u_char **dat; -int *dat_len; -int code; -{ - krb5_ui_4 retcode; - char *pdat; - - free((char *)*dat); /* free up req */ - *dat_len = KADM_VERSIZE + sizeof(krb5_ui_4); - *dat = (u_char *) malloc((unsigned)*dat_len); - if (!(*dat)) { - syslog(LOG_ERR, "malloc(%d) returned null while in errpkt!", *dat_len); - abort(); - } - pdat = (char *) *dat; - retcode = htonl((krb5_ui_4) code); - (void) strncpy(pdat, KADM_ULOSE, KADM_VERSIZE); - memcpy(&pdat[KADM_VERSIZE], (char *)&retcode, sizeof(krb5_ui_4)); - return; -} - -/* -kadm_ser_in -unwrap the data stored in dat, process, and return it. -*/ -int -kadm_ser_in(dat,dat_len) -u_char **dat; -int *dat_len; -{ - u_char *in_st; /* pointer into the sent packet */ - int in_len,retc; /* where in packet we are, for - returns */ - krb5_ui_4 r_len; /* length of the actual packet */ - KTEXT_ST authent; /* the authenticator */ - AUTH_DAT ad; /* who is this, klink */ - krb5_ui_4 ncksum; /* checksum of encrypted data */ - des_key_schedule sess_sched; /* our schedule */ - MSG_DAT msg_st; - u_char *retdat, *tmpdat; - int retval, retlen; - - if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)) - || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) { - errpkt(dat, dat_len, KADM_BAD_VER); - return KADM_BAD_VER; - } - in_len = KADM_VERSIZE; - /* get the length */ - if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0 - || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4)) - || (*dat_len - r_len - KADM_VERSIZE - - sizeof(krb5_ui_4) > sizeof(authent.dat))) { - errpkt(dat, dat_len, KADM_LENGTH_ERROR); - return KADM_LENGTH_ERROR; - } - - in_len += retc; - authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4); - memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length); - authent.mbz = 0; - /* service key should be set before here */ - retc = krb_rd_req(&authent, server_parm.sname, server_parm.sinst, - server_parm.recv_addr.sin_addr.s_addr, &ad, (char *)0); - if (retc) - { - errpkt(dat, dat_len,retc + krb_err_base); - return retc + krb_err_base; - } - -#define clr_cli_secrets() {memset((char *)sess_sched, 0, sizeof(sess_sched)); memset((char *)ad.session, 0, sizeof(ad.session));} - - in_st = *dat + *dat_len - r_len; -#ifdef NOENCRYPTION - ncksum = 0; -#else - ncksum = quad_cksum(in_st, (krb5_ui_4 *)0, (long) r_len, 0, &ad.session); -#endif - if (ncksum!=ad.checksum) { /* yow, are we correct yet */ - clr_cli_secrets(); - errpkt(dat, dat_len,KADM_BAD_CHK); - return KADM_BAD_CHK; - } -#ifdef NOENCRYPTION - memset(sess_sched, 0, sizeof(sess_sched)); -#else - des_key_sched(ad.session, sess_sched); -#endif - - retc = (int) krb_rd_priv(in_st, r_len, sess_sched, &ad.session, - &server_parm.recv_addr, - &server_parm.admin_addr, &msg_st); - if (retc) { - clr_cli_secrets(); - errpkt(dat, dat_len,retc + krb_err_base); - return retc + krb_err_base; - } - switch (msg_st.app_data[0]) { - case CHANGE_PW: - retval = kadm_ser_cpw(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; - case ADD_ENT: - retval = kadm_ser_add(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; - case MOD_ENT: - retval = kadm_ser_mod(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; - case CHECK_PW: - retval = kadm_ser_ckpw(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; -#ifndef KADM5 - case DEL_ENT: - retval = kadm_ser_del(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; -#endif /* KADM5 */ - case GET_ENT: - retval = kadm_ser_get(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; - case CHG_STAB: - retval = kadm_ser_stab(msg_st.app_data+1,(int) msg_st.app_length,&ad, - &retdat, &retlen); - break; - default: - clr_cli_secrets(); - errpkt(dat, dat_len, KADM_NO_OPCODE); - return KADM_NO_OPCODE; - } - /* Now seal the response back into a priv msg */ - free((char *)*dat); - tmpdat = (u_char *) malloc((unsigned)(retlen + KADM_VERSIZE + - sizeof(krb5_ui_4))); - if (!tmpdat) { - clr_cli_secrets(); - syslog(LOG_ERR, "malloc(%d) returned null while in kadm_ser_in!", - retlen + KADM_VERSIZE + sizeof(krb5_ui_4)); - errpkt(dat, dat_len, KADM_NOMEM); - return KADM_NOMEM; - } - (void) strncpy((char *)tmpdat, KADM_VERSTR, KADM_VERSIZE); - retval = htonl((krb5_ui_4)retval); - memcpy((char *)tmpdat + KADM_VERSIZE, (char *)&retval, sizeof(krb5_ui_4)); - if (retlen) { - memcpy((char *)tmpdat + KADM_VERSIZE + sizeof(krb5_ui_4), (char *)retdat, - retlen); - free((char *)retdat); - } - /* slop for mk_priv stuff */ - *dat = (u_char *) malloc((unsigned) (retlen + KADM_VERSIZE + - sizeof(krb5_ui_4) + 200)); - if ((*dat_len = krb_mk_priv(tmpdat, *dat, - (u_long) (retlen + KADM_VERSIZE + - sizeof(krb5_ui_4)), - sess_sched, - &ad.session, &server_parm.admin_addr, - &server_parm.recv_addr)) < 0) { - clr_cli_secrets(); - errpkt(dat, dat_len, KADM_NO_ENCRYPT); - return KADM_NO_ENCRYPT; - } - clr_cli_secrets(); - return KADM_SUCCESS; -} diff --git a/src/kadmin/v4server/kadm_server.c b/src/kadmin/v4server/kadm_server.c deleted file mode 100644 index 48e8d7311..000000000 --- a/src/kadmin/v4server/kadm_server.c +++ /dev/null @@ -1,604 +0,0 @@ -/* - * kadmin/v4server/kadm_server.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Kerberos administration server-side subroutines - */ - - -#include - -#include "k5-int.h" - -#include -#include -#ifdef HAVE_SYS_TIME_H -#include -#ifdef TIME_WITH_SYS_TIME -#include -#endif -#else -#include -#endif -#include - -#ifdef KADM5 -#include -#include -#include -#include -extern void *kadm5_handle; -#endif - -#include -#include -#include "kadm_server.h" - -extern krb5_context kadm_context; -int fascist_cpw = 0; /* Be fascist about insecure passwords? */ - -char pw_required[] = "The version of kpasswd that you are using is not compatible with the\nOpenV*Secure V4 Administration Server. Please contact your security\nadministrator.\n\n"; - -char bad_pw_err[] = - "\007\007\007ERROR: Insecure password not accepted. Please choose another.\n\n"; - -char bad_pw_warn[] = - "\007\007\007WARNING: You have chosen an insecure password. You may wish to\nchoose a better password.\n\n"; - -char check_pw_msg[] = - "You have entered an insecure password. You should choose another.\n\n"; - -char pw_blurb[] = -"A good password is something which is easy for you to remember, but that\npeople who know you won't easily guess; so don't use your name, or your\ndog's name, or a word from the dictionary. Passwords should be at least\n6 characters long, and may contain UPPER- and lower-case letters,\nnumbers, or punctuation. A good password can be:\n\n -- some initials, like \"GykoR-66\" for \"Get your kicks on Rte 66.\"\n -- an easily pronounced nonsense word, like \"slaRooBey\" or \"krang-its\"\n -- a mis-spelled phrase, like \"2HotPeetzas\" or \"ItzAGurl\"\n\nPlease Note: It is important that you do not tell ANYONE your password,\nincluding your friends, or even people from Athena or Information\nSystems. Remember, *YOU* are assumed to be responsible for anything\ndone using your password.\n"; - -/* from V4 month_sname.c -- was not part of API */ -/* - * Given an integer 1-12, month_sname() returns a string - * containing the first three letters of the corresponding - * month. Returns 0 if the argument is out of range. - */ - -static char *month_sname(n) - int n; -{ - static char *name[] = { - "Jan","Feb","Mar","Apr","May","Jun", - "Jul","Aug","Sep","Oct","Nov","Dec" - }; - return((n < 1 || n > 12) ? 0 : name [n-1]); -} - -/* from V4 log.c -- was not part of API */ - -/* - * krb_log() is used to add entries to the logfile (see krb_set_logfile() - * below). Note that it is probably not portable since it makes - * assumptions about what the compiler will do when it is called - * with less than the correct number of arguments which is the - * way it is usually called. - * - * The log entry consists of a timestamp and the given arguments - * printed according to the given "format". - * - * The log file is opened and closed for each log entry. - * - * The return value is undefined. - */ - -/* static char *log_name = KRBLOG; */ -/* KRBLOG is in the V4 klog.h but may not correspond to anything installed. */ -static char *log_name = KADM_SYSLOG; - -static void krb_log(format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0) - char *format; - char *a1,*a2,*a3,*a4,*a5,*a6,*a7,*a8,*a9,*a0; -{ - FILE *logfile; - time_t now; - struct tm *tm; - - if ((logfile = fopen(log_name,"a")) == NULL) - return; - - (void) time(&now); - tm = localtime(&now); - - fprintf(logfile,"%2d-%s-%d %02d:%02d:%02d ",tm->tm_mday, - month_sname(tm->tm_mon + 1),1900+tm->tm_year, - tm->tm_hour, tm->tm_min, tm->tm_sec); - fprintf(logfile,format,a1,a2,a3,a4,a5,a6,a7,a8,a9,a0); - fprintf(logfile,"\n"); - (void) fclose(logfile); - return; -} - - -/* -kadm_ser_cpw - the server side of the change_password routine - recieves : KTEXT, {key} - returns : CKSUM, RETCODE - acl : caller can change only own password - -Replaces the password (i.e. des key) of the caller with that specified in key. -Returns no actual data from the master server, since this is called by a user -*/ -int -kadm_ser_cpw(dat, len, ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - krb5_int32 keylow, keyhigh; - char pword[MAX_KPW_LEN]; - int no_pword = 0; - des_cblock newkey; - int status, stvlen = 0; - int retval; - extern int kadm_approve_pw(); -#ifdef KADM5 - kadm5_principal_ent_rec princ_ent; - kadm5_policy_ent_rec pol_ent; - krb5_principal user_princ; - char msg_ret[1024], *time_string, *ptr; - const char *msg_ptr; - krb5_int32 now; - time_t until; - krb5_keyblock newkb; -#endif - - /* take key off the stream, and change the database */ - - if ((status = stv_long(dat, &keyhigh, 0, len)) < 0) - return(KADM_LENGTH_ERROR); - stvlen += status; - if ((status = stv_long(dat, &keylow, stvlen, len)) < 0) - return(KADM_LENGTH_ERROR); - stvlen += status; - if ((stvlen = stv_string(dat, pword, stvlen, sizeof(pword), len)) < 0) { - no_pword++; - pword[0]='\0'; - } - stvlen += status; - - keylow = ntohl(keylow); - keyhigh = ntohl(keyhigh); - memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4); - memcpy((char *)newkey, (char *)&keylow, 4); - - retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm, - newkey, no_pword ? 0 : pword); - if (retval) { - if (retval == KADM_PW_MISMATCH) { - /* - * Very strange!!! This means that the cleartext - * password which was sent and the DES cblock - * didn't match! - */ - syslog(LOG_ERR, "'%s.%s@%s' sent a password string which didn't match with the DES key?!?", - ad->pname, ad->pinst, ad->prealm); - return(retval); - } - if (fascist_cpw) { - *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1; - *datout = (u_char *) malloc(*outlen); - if (*datout) { - strcpy((char *) *datout, bad_pw_err); - strcat((char *) *datout, pw_blurb); - } else - *outlen = 0; - syslog(LOG_ERR, "'%s.%s@%s' tried to use an insecure password in changepw", - ad->pname, ad->pinst, ad->prealm); -#ifdef notdef - /* For debugging only, probably a bad idea */ - if (!no_pword) - (void) krb_log("The password was %s\n", pword); -#endif - return(retval); - } else { - *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1; - *datout = (u_char *) malloc(*outlen); - if (*datout) { - strcpy((char *) *datout, bad_pw_warn); - strcat((char *) *datout, pw_blurb); - } else - *outlen = 0; - syslog(LOG_ERR, "'%s.%s@%s' used an insecure password in changepw", - ad->pname, ad->pinst, ad->prealm); - } - } else { - *datout = 0; - *outlen = 0; - } - -#ifdef KADM5 - if (no_pword) - syslog(LOG_WARNING, - "Old-style change password request from '%s.%s@%s'!", - ad->pname, ad->pinst, ad->prealm); - else { - /* - * We don't use the client-provided key itself, if there is a - * password provided. - */ - keylow = keyhigh = 0; - memset(newkey, 0, sizeof(newkey)); - } - - syslog(LOG_INFO, "'%s.%s@%s' wants to change its password", - ad->pname, ad->pinst, ad->prealm); - if ((krb5_425_conv_principal(kadm_context, ad->pname, - *ad->pinst ? ad->pinst : 0, - ad->prealm, &user_princ))) { - /* this should never happen */ - memset(newkey, 0, sizeof(newkey)); - return KADM_NOENTRY; - } - - *outlen = 0; - - retval = krb5_timeofday(kadm_context, &now); - if (retval) { - msg_ptr = error_message(retval); - goto send_response; - } - - /* Use the default mask for now. */ - retval = kadm5_get_principal(kadm5_handle, user_princ, - &princ_ent, - KADM5_PRINCIPAL_NORMAL_MASK); - if (retval != 0) { - msg_ptr = error_message(retval); - goto send_response; - } - - /* - * This daemon necessarily has the modify privilege, so - * kadm5_chpass_principal will allow it to violate the - * policy's minimum lifetime. Since that's A Bad Thing, we need - * to enforce it ourselves. Unfortunately, this means we are - * duplicating code from both ovsec_adm_server and - * kadm5_chpass_util(). - */ - if (princ_ent.aux_attributes & KADM5_POLICY) { - retval = kadm5_get_policy(kadm5_handle, - princ_ent.policy, - &pol_ent); - if (retval != 0) { - (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent); - msg_ptr = error_message(retval); - goto send_response; - } - - /* make "now" a boolean, true == too soon */ - now = ((now - princ_ent.last_pwd_change) < pol_ent.pw_min_life); - - (void) kadm5_free_policy_ent(kadm5_handle, &pol_ent); - - if(now && !(princ_ent.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent); - retval = CHPASS_UTIL_PASSWORD_TOO_SOON; - - until = princ_ent.last_pwd_change + pol_ent.pw_min_life; - time_string = ctime(&until); - - if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') - *ptr = '\0'; - - sprintf(msg_ret, error_message(CHPASS_UTIL_PASSWORD_TOO_SOON), - time_string); - msg_ptr = msg_ret; - - goto send_response; - } - } - - (void) kadm5_free_principal_ent(kadm5_handle, &princ_ent); - - if (no_pword) { - newkb.magic = KV5M_KEYBLOCK; - if ((newkb.contents = (krb5_octet *)malloc(8)) == NULL) { - retval = KADM_NOMEM; - goto send_response; - } - newkb.length = 8; - newkb.enctype = ENCTYPE_DES_CBC_CRC; - memcpy((char *)newkb.contents, newkey, 8); - retval = kadm5_setv4key_principal(kadm5_handle, user_princ, - &newkb); - memset(newkb.contents, 0, 8); - *msg_ret = '\0'; - } else { - retval = kadm5_chpass_principal_util(kadm5_handle, user_princ, - pword, NULL, msg_ret, - sizeof(msg_ret)); - msg_ptr = msg_ret; - } - (void) krb5_free_principal(kadm_context, user_princ); - -send_response: - - memset(newkey, 0, sizeof(newkey)); - retval = convert_kadm5_to_kadm(retval); - - if (retval) { - /* don't send message on success because kpasswd.v4 will */ - /* print "password changed" too */ - *outlen = strlen(msg_ptr)+2; - *datout = (u_char *) malloc(*outlen); - if (*datout) { - strcpy(*datout, msg_ptr); - strcat(*datout, "\n"); - } else - *outlen = 0; - } else { - syslog(LOG_INFO, - "'%s.%s@%s' password changed.", - ad->pname, ad->pinst, ad->prealm); - } - if (retval == KADM_INSECURE_PW) { - syslog(LOG_ERR, - "'%s.%s@%s' tried to use an insecure password in changepw", - ad->pname, ad->pinst, ad->prealm); - } -#else /* KADM5 */ - retval = kadm_change(ad->pname, ad->pinst, ad->prealm, newkey); - keylow = keyhigh = 0; - memset(newkey, 0, sizeof(newkey)); -#endif /* KADM5 */ - - return retval; -} - -/* -kadm_ser_add - the server side of the add_entry routine - recieves : KTEXT, {values} - returns : CKSUM, RETCODE, {values} - acl : su, sms (as alloc) - -Adds and entry containing values to the database -returns the values of the entry, so if you leave certain fields blank you will - be able to determine the default values they are set to -*/ -int -kadm_ser_add(dat,len,ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - Kadm_vals values, retvals; - int status; - - if ((status = stream_to_vals(dat, &values, len)) < 0) - return(KADM_LENGTH_ERROR); - if ((status = kadm_add_entry(ad->pname, ad->pinst, ad->prealm, - &values, &retvals)) == KADM_DATA) { - *outlen = vals_to_stream(&retvals,datout); - retvals.key_low = retvals.key_high = 0; - return KADM_SUCCESS; - } else { - *outlen = 0; - return status; - } -} - -#ifndef KADM5 -/* -kadm_ser_del - the server side of the del_entry routine - recieves : KTEXT, {values} - returns : CKSUM, RETCODE, {values} - acl : su, sms (as alloc) - -Deletes an entry containing values to the database -returns the values of the entry, so if you leave certain fields blank you will - be able to determine the default values they are set to -*/ -kadm_ser_del(dat,len,ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - Kadm_vals values, retvals; - int status; - - if ((status = stream_to_vals(dat, &values, len)) < 0) - return(KADM_LENGTH_ERROR); - if ((status = kadm_del_entry(ad->pname, ad->pinst, ad->prealm, - &values, &retvals)) == KADM_DATA) { - *outlen = vals_to_stream(&retvals,datout); - retvals.key_low = retvals.key_high = 0; - return KADM_SUCCESS; - } else { - *outlen = 0; - return status; - } -} - -#endif /* !KADM5 */ - -/* -kadm_ser_mod - the server side of the mod_entry routine - recieves : KTEXT, {values, values} - returns : CKSUM, RETCODE, {values} - acl : su, sms (as register or dealloc) - -Modifies all entries corresponding to the first values so they match the - second values. -returns the values for the changed entries -*/ -int -kadm_ser_mod(dat,len,ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - Kadm_vals vals1, vals2, retvals; - int wh; - int status; - - if ((wh = stream_to_vals(dat, &vals1, len)) < 0) - return KADM_LENGTH_ERROR; - if ((status = stream_to_vals(dat+wh,&vals2, len-wh)) < 0) - return KADM_LENGTH_ERROR; - if ((status = kadm_mod_entry(ad->pname, ad->pinst, ad->prealm, &vals1, - &vals2, &retvals)) == KADM_DATA) { - *outlen = vals_to_stream(&retvals,datout); - retvals.key_low = retvals.key_high = 0; - return KADM_SUCCESS; - } else { - *outlen = 0; - return status; - } -} - -/* -kadm_ser_get - recieves : KTEXT, {values, flags} - returns : CKSUM, RETCODE, {count, values, values, values} - acl : su - -gets the fields requested by flags from all entries matching values -returns this data for each matching recipient, after a count of how many such - matches there were -*/ -int -kadm_ser_get(dat,len,ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - Kadm_vals values, retvals; - u_char fl[FLDSZ]; - int loop,wh; - int status; - - if ((wh = stream_to_vals(dat, &values, len)) < 0) - return KADM_LENGTH_ERROR; - if (wh + FLDSZ > len) - return KADM_LENGTH_ERROR; - for (loop=FLDSZ-1; loop>=0; loop--) - fl[loop] = dat[wh++]; - if ((status = kadm_get_entry(ad->pname, ad->pinst, ad->prealm, - &values, fl, &retvals)) == KADM_DATA) { - *outlen = vals_to_stream(&retvals,datout); - retvals.key_low = retvals.key_high = 0; - return KADM_SUCCESS; - } else { - *outlen = 0; - return status; - } -} - -/* -kadm_ser_ckpw - the server side of the check_password routine - recieves : KTEXT, {key} - returns : CKSUM, RETCODE - acl : none - -Checks to see if the des key passed from the caller is a "secure" password. -*/ -int -kadm_ser_ckpw(dat, len, ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - krb5_ui_4 keylow, keyhigh; - char pword[MAX_KPW_LEN]; - int no_pword = 0; - des_cblock newkey; - int stvlen = 0,status; - int retval; - extern int kadm_approve_pw(); - - /* take key off the stream, and check it */ - - if ((status = stv_long(dat, &keyhigh, 0, len)) < 0) - return(KADM_LENGTH_ERROR); - stvlen += status; - if ((status = stv_long(dat, &keylow, stvlen, len)) < 0) - return(KADM_LENGTH_ERROR); - stvlen += status; - if ((status = stv_string(dat, pword, stvlen, sizeof(pword), len)) < 0) { - no_pword++; - pword[0]='\0'; - } - stvlen += status; - - keylow = ntohl(keylow); - keyhigh = ntohl(keyhigh); - memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4); - memcpy((char *)newkey, (char *)&keylow, 4); - keylow = keyhigh = 0; - retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm, newkey, - no_pword ? 0 : pword); - memset(newkey, 0, sizeof(newkey)); - if (retval) { - *outlen = strlen(check_pw_msg)+strlen(pw_blurb)+1; - *datout = (u_char *) malloc(*outlen); - if (*datout) { - strcpy((char *) *datout, check_pw_msg); - strcat((char *) *datout, pw_blurb); - } else - *outlen = 0; - (void) krb_log("'%s.%s@%s' sent an insecure password to be checked", - ad->pname, ad->pinst, ad->prealm); - return(retval); - } else { - *datout = 0; - *outlen = 0; - (void) krb_log("'%s.%s@%s' sent a secure password to be checked", - ad->pname, ad->pinst, ad->prealm); - } - return(0); -} - -/* -kadm_ser_stab - the server side of the change_srvtab routine - recieves : KTEXT, {values} - returns : CKSUM, RETCODE, {values} - acl : su, sms (as register or dealloc) - -Creates or modifies the specified service principal to have a random -key, which is sent back to the client. The key version is returned in -the max_life field of the values structure. It's a hack, but it's a -backwards compatible hack.... -*/ -int -kadm_ser_stab(dat, len, ad, datout, outlen) -u_char *dat; -int len; -AUTH_DAT *ad; -u_char **datout; -int *outlen; -{ - Kadm_vals values; - int status; - - if ((status = stream_to_vals(dat, &values, len)) < 0) - return KADM_LENGTH_ERROR; - status = kadm_chg_srvtab(ad->pname, ad->pinst, ad->prealm, &values); - if (status == KADM_DATA) { - *outlen = vals_to_stream(&values,datout); - values.key_low = values.key_high = 0; - return KADM_SUCCESS; - } else { - *outlen = 0; - return status; - } -} diff --git a/src/kadmin/v4server/kadm_server.h b/src/kadmin/v4server/kadm_server.h deleted file mode 100644 index 6578716d0..000000000 --- a/src/kadmin/v4server/kadm_server.h +++ /dev/null @@ -1,110 +0,0 @@ -/* - * kadmin/v4server/kadm_server.h - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Definitions for Kerberos administration server & client - */ - -#ifndef KADM_SERVER_DEFS -#define KADM_SERVER_DEFS - -#include -/* - * kadm_server.h - * Header file for the fourth attempt at an admin server - * Doug Church, December 28, 1989, MIT Project Athena - * ps. Yes that means this code belongs to athena etc... - * as part of our ongoing attempt to copyright all greek names - */ - -#include -#include -#include -#include "k5-int.h" -#ifdef KADM5 -#include -#endif -#include "kadm.h" -#include "krb_db.h" - -typedef struct { - struct sockaddr_in admin_addr; - struct sockaddr_in recv_addr; - int recv_addr_len; - int admin_fd; /* our link to clients */ - char sname[ANAME_SZ]; - char sinst[INST_SZ]; - char krbrlm[REALM_SZ]; - krb5_principal sprinc; - krb5_principal master_princ; - krb5_keyblock master_keyblock; - krb5_deltat max_life; - krb5_deltat max_rlife; - krb5_timestamp expiration; - krb5_flags flags; - krb5_kvno mkvno; -} Kadm_Server; - -#define ADD_ACL_FILE "/v4acl.add" -#define GET_ACL_FILE "/v4acl.get" -#define MOD_ACL_FILE "/v4acl.mod" -#define DEL_ACL_FILE "/v4acl.del" -#define STAB_ACL_FILE "/v4acl.srvtab" -#define STAB_SERVICES_FILE "/v4stab_services" -#define STAB_HOSTS_FILE "/v4stab_bad_hosts" - -extern krb5_context kadm_context; - -/* kadm_ser_wrap.c */ -#ifdef KADM5 -extern int kadm_ser_init(int, char *, kadm5_config_params *); -#else -extern int kadm_ser_init(int, char *); -#endif -extern int kadm_ser_in(u_char **, int *); - -/* kadm_server.c */ -int kadm_ser_cpw(u_char *, int, AUTH_DAT *, u_char **, int *); -int kadm_ser_add(u_char *, int, AUTH_DAT *, u_char **, int *); -int kadm_ser_del(u_char *, int, AUTH_DAT *, u_char **, int *); -int kadm_ser_mod(u_char *, int, AUTH_DAT *, u_char **, int *); -int kadm_ser_get(u_char *, int, AUTH_DAT *, u_char **, int *); -int kadm_ser_ckpw(u_char *, int, AUTH_DAT *, u_char **, int *); -int kadm_ser_stab(u_char *, int, AUTH_DAT *, u_char **, int *); - -/* kadm_funcs.c */ -krb5_error_code kadm_add_entry(char *, char *, char *, - Kadm_vals *, Kadm_vals *); -krb5_error_code kadm_del_entry(char *, char *, char *, - Kadm_vals *, Kadm_vals *); -krb5_error_code kadm_get_entry(char *, char *, char *, - Kadm_vals *, u_char *, Kadm_vals *); -krb5_error_code kadm_mod_entry(char *, char *, char *, - Kadm_vals *, Kadm_vals *, Kadm_vals *); -krb5_error_code kadm_change (char *, char *, char *, des_cblock); -krb5_error_code kadm_approve_pw(char *, char *, char *, des_cblock, char *); -krb5_error_code kadm_chg_srvtab(char *, char *, char *, Kadm_vals *); - -/* kadm_supp.c */ -void prin_vals(Kadm_vals *); -void kadm_prin_to_vals(u_char *, Kadm_vals *, Principal *); -void kadm_vals_to_prin(u_char *, Principal *, Kadm_vals *); - -/* acl_files.c */ -int acl_add(char *, char *); -int acl_delete(char *, char *); -int acl_check(char *, char *); -void acl_canonicalize_principal(char *, char *); -int acl_exact_match(char *, char *); -int acl_initialize(char *, int); - -/* admin_server.c */ -#ifdef KADM5 -krb5_int32 convert_kadm5_to_kadm(krb5_int32); -#endif - -#endif /* KADM_SERVER_DEFS */ diff --git a/src/kadmin/v4server/kadm_supp.c b/src/kadmin/v4server/kadm_supp.c deleted file mode 100644 index 040d9fdf9..000000000 --- a/src/kadmin/v4server/kadm_supp.c +++ /dev/null @@ -1,120 +0,0 @@ -/* - * kadmin/v4server/kadm_supp.c - * - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Support functions for Kerberos administration server & clients - */ - - -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include - -/* - kadm_supp.c - this holds the support routines for the kerberos administration server - - error: prints out a kadm error message, returns - fatal: prints out a kadm fatal error message, exits - prin_vals: prints out data associated with a Principal in the vals - structure -*/ - -#include "kadm.h" -#include "krb_db.h" -#include "kadm_server.h" - -/* -prin_vals: - recieves : a vals structure -*/ -void prin_vals(vals) -Kadm_vals *vals; -{ - time_t t = vals->exp_date; - printf("Info in Database for %s.%s:\n", vals->name, vals->instance); - printf(" Max Life: %d Exp Date: %s\n",vals->max_life, - asctime(localtime(&t))); - printf(" Attribs: %.2x key: %ld %ld\n",vals->attributes, - vals->key_low, vals->key_high); -} - -#ifdef notdef -nierror(s) -int s; -{ - extern char *error_message(); - printf("Kerberos admin server loses..... %s\n",error_message(s)); - return(s); -} -#endif - -/* kadm_prin_to_vals takes a fields arguments, a Kadm_vals and a Principal, - it copies the fields in Principal specified by fields into Kadm_vals, - i.e from old to new */ - -void -kadm_prin_to_vals(fields, new, old) -u_char fields[FLDSZ]; -Kadm_vals *new; -Principal *old; -{ - memset((char *)new, 0, sizeof(*new)); - if (IS_FIELD(KADM_NAME,fields)) { - (void) strncpy(new->name, old->name, ANAME_SZ); - SET_FIELD(KADM_NAME, new->fields); - } - if (IS_FIELD(KADM_INST,fields)) { - (void) strncpy(new->instance, old->instance, INST_SZ); - SET_FIELD(KADM_INST, new->fields); - } - if (IS_FIELD(KADM_EXPDATE,fields)) { - new->exp_date = old->exp_date; - SET_FIELD(KADM_EXPDATE, new->fields); - } - if (IS_FIELD(KADM_ATTR,fields)) { - new->attributes = old->attributes; - SET_FIELD(KADM_MAXLIFE, new->fields); - } - if (IS_FIELD(KADM_MAXLIFE,fields)) { - new->max_life = old->max_life; - SET_FIELD(KADM_MAXLIFE, new->fields); - } - if (IS_FIELD(KADM_DESKEY,fields)) { - new->key_low = old->key_low; - new->key_high = old->key_high; - SET_FIELD(KADM_DESKEY, new->fields); - } -} - -void -kadm_vals_to_prin(fields, new, old) -u_char fields[FLDSZ]; -Principal *new; -Kadm_vals *old; -{ - - memset((char *)new, 0, sizeof(*new)); - if (IS_FIELD(KADM_NAME,fields)) - (void) strncpy(new->name, old->name, ANAME_SZ); - if (IS_FIELD(KADM_INST,fields)) - (void) strncpy(new->instance, old->instance, INST_SZ); - if (IS_FIELD(KADM_EXPDATE,fields)) - new->exp_date = old->exp_date; - if (IS_FIELD(KADM_ATTR,fields)) - new->attributes = old->attributes; - if (IS_FIELD(KADM_MAXLIFE,fields)) - new->max_life = old->max_life; - if (IS_FIELD(KADM_DESKEY,fields)) { - new->key_low = old->key_low; - new->key_high = old->key_high; - } -} diff --git a/src/kadmin/v4server/unit-test/ChangeLog b/src/kadmin/v4server/unit-test/ChangeLog deleted file mode 100644 index 326a077fe..000000000 --- a/src/kadmin/v4server/unit-test/ChangeLog +++ /dev/null @@ -1,97 +0,0 @@ -2003-01-07 Ken Raeburn - - * Makefile.ov: Deleted. - -2002-08-29 Ken Raeburn - - * Makefile.in: Revert $(S)=>/ change, for Windows support. - -2002-08-23 Ken Raeburn - - * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. - -1999-08-31 Ken Raeburn - - * lib/helpers.exp (unexpire): Move expiration date ahead a few - decades. - - * Makefile.in (check- check-ok): Disable tests until the tests get - updated for non-OVSEC mode, etc. - -1998-11-13 Theodore Ts'o - - * Makefile.in: Set the myfulldir and mydir variables (which are - relative to buildtop and thisconfigdir, respectively.) - -Tue Mar 3 10:30:11 1998 Ezra Peisach - - * Makefile.in (check): Use the variable DO_V4_TEST to distinguish - from the other kadmin testing. - -Fri Feb 27 23:32:38 1998 Theodore Ts'o - - * Makefile.in: Changed thisconfigdir to point at the kadmin - directory, since we've moved all of the configure.in - tests to the toplevel kadmin configure.in - -Wed Feb 18 16:01:35 1998 Tom Yu - - * Makefile.in: Remove trailing slash from thisconfigdir. Fix up - BUILDTOP for new conventions. - -Mon Feb 2 17:02:29 1998 Theodore Ts'o - - * Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile - -Sat Feb 22 15:12:17 1997 Ezra Peisach - - * configure.in: Do not run test suite unless Athena compatibility - is specified as well as tcl, Perl, runtest. - - * Makefile.in (check): Do not run tests unless really setup to do so. - -Mon Nov 11 20:51:58 1996 Tom Yu - - * configure.in: Add AC_CANONICAL_HOST to deal with new pre.in. - -Mon Oct 21 17:19:41 1996 Barry Jaspan - - * v4server.0/setup-srvtab.exp: use KRB5_KTNAME instead of - ovsec_adm.srvtab explicitly - - * lib/helpers.exp: don't specify -k ovsec_adm.srvtab on the - command line, since kadmind4 now uses the config param value - [krb5-admin/30] - - * v4server.1/access.exp: start kadmin by cd'ing to the directory - first, so ps can find the process - -Thu Sep 26 17:52:21 1996 Barry Jaspan - - * Makefile.in, remove_changepw_perms.sh, lib/helpers.exp, - vrserver.0/setup-srvtab.exp, v4server.1/access.exp: use $K5ROOT - instead of /krb5 - -Mon Sep 23 15:34:56 1996 Barry Jaspan - - * adapt to krb5 build system: create Makefile.in, configure.in, - update paths in unix.exp, move helpers.exp to lib - -Tue Aug 20 13:33:29 1996 Barry Jaspan - - * Makefile.ov, helpers.exp, v4server.1/change-password.exp: use - kadmin.local instead of kdb5_edit - -Mon Jul 15 17:15:51 1996 Marc Horowitz - - * helpers.exp (exp_prog): the check for non-newline-terminated - stdout was causing failures where there weren't any. Barry - doesn't remember why this was here to begin with. - * Makefile.ov (unit-test-body), helpers.exp: some versions of - runtest do not like digits in command-line variable names. - * Makefile.ov (unit-test-body), helpers.exp: ovsec_v4adm_server - renamed to kadmind4 - * getpid.sh: grep out any programs with expect or kadmind4 in - their names. - - diff --git a/src/kadmin/v4server/unit-test/Makefile.in b/src/kadmin/v4server/unit-test/Makefile.in deleted file mode 100644 index a746dadda..000000000 --- a/src/kadmin/v4server/unit-test/Makefile.in +++ /dev/null @@ -1,32 +0,0 @@ -thisconfigdir=./../.. -myfulldir=kadmin/v4server/unit-test -mydir=v4server/unit-test -BUILDTOP=$(REL)..$(S)..$(S).. -# -# $Id$ -# - -check:: check-@DO_V4_TEST@ - -# When the tests get updated, nuke this and delete "-not" from the next two. -check- check-ok:: - @echo "+++" - @echo "+++ WARNING: kadmin/v4server unit tests out of date; not run." - @echo "+++" - -check--not:: - @echo "+++" - @echo "+++ WARNING: kadmin/v4server unit tests not run." - @echo "+++ Either Athena compatibility, tcl, runtest, or Perl is unavailable." - @echo "+++" - -check-ok-not unit-test:: unit-test-setup unit-test-body unit-test-cleanup - -unit-test-setup:: - $(ENV_SETUP) $(START_SERVERS_LOCAL) -v4files -kdcport 750 -keysalt des-cbc-crc:v4 - -unit-test-body:: - $(ENV_SETUP) $(RUNTEST) VFOURSERVER=../kadmind4 --tool v4server - -unit-test-cleanup:: - $(ENV_SETUP) $(STOP_SERVERS_LOCAL) -v4files diff --git a/src/kadmin/v4server/unit-test/config/ChangeLog b/src/kadmin/v4server/unit-test/config/ChangeLog deleted file mode 100644 index 663822373..000000000 --- a/src/kadmin/v4server/unit-test/config/ChangeLog +++ /dev/null @@ -1,16 +0,0 @@ -Mon Oct 21 17:20:04 1996 Barry Jaspan - - * unix.exp: specify kadmind's path and name separately, to make it - easy to cd to the path before exec'ing - -Tue Aug 20 13:34:07 1996 Barry Jaspan - - * unix.exp: use kadmin.local instead of kdb5_edit - -Mon Jul 15 17:18:56 1996 Marc Horowitz - - * unix.exp: some versions of runtest do not like digits in - command-line variable names. ovsec_edit_keytab renamed to - kadm5_keytab - - diff --git a/src/kadmin/v4server/unit-test/config/unix.exp b/src/kadmin/v4server/unit-test/config/unix.exp deleted file mode 100644 index 5a8a477e9..000000000 --- a/src/kadmin/v4server/unit-test/config/unix.exp +++ /dev/null @@ -1,42 +0,0 @@ -global env - -set kill /bin/kill - -if {[file exists /bin/sleep]} { - set sleep /bin/sleep -} else { - set sleep /usr/bin/sleep -} - -set kpasswd_v4 /usr/athena/bin/kpasswd -set ovpasswd $env(TOP)/kpasswd/kpasswd -set kadmin_local $env(TOP)/cli/kadmin.local -set remove_changepw_perms $srcdir/remove_changepw_perms.sh -set getpid $srcdir/getpid.sh -set ovsec_adm_server_path $env(TOP)/server -set ovsec_adm_server_name ./kadmind -set ovsec_edit_keytab $env(TOP)/keytab/kadm5_keytab -set hostname [exec hostname] - -# change-password.exp sends ^C to kpasswd to kill it; on HP-UX the -# default intr character is DEL, and setting it on all platforms -# won't hurt -set stty_init "intr \\^c" - -if {[info commands exp_version] != {}} { - set exp_version_4 [regexp {^4} [exp_version]] -} else { - set exp_version_4 [regexp {^4} [expect_version]] -} - -# Backward compatibility until we're using expect 5 everywhere -if {$exp_version_4} { - global wait_error_index wait_errno_index wait_status_index - set wait_error_index 0 - set wait_errno_index 1 - set wait_status_index 1 -} else { - set wait_error_index 2 - set wait_errno_index 3 - set wait_status_index 3 -} diff --git a/src/kadmin/v4server/unit-test/getpid.sh b/src/kadmin/v4server/unit-test/getpid.sh deleted file mode 100644 index 5c1b1a690..000000000 --- a/src/kadmin/v4server/unit-test/getpid.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -# tcl sucks big fat hairy rocks - -$PS_ALL | awk "/$1/"' && !/awk/ && !/getpid/ && !/expect/ && !/kadmind4/ { print $2 }' diff --git a/src/kadmin/v4server/unit-test/lib/helpers.exp b/src/kadmin/v4server/unit-test/lib/helpers.exp deleted file mode 100644 index a3087dc14..000000000 --- a/src/kadmin/v4server/unit-test/lib/helpers.exp +++ /dev/null @@ -1,238 +0,0 @@ -proc server_pids { } { - global env - - return [eval [concat exec $env(PS_ALL) | \ - awk {{/kadmind4/ && !/awk/ && !/expect/ {printf("%d ", $2)}}}]] -} - -proc server_exit { name status } { - global wait_error_index wait_errno_index wait_status_index - global server_id - global kill - - verbose "$name: stopping V4 kpasswd server." 1 - - # We can't know whether the process exists or not, so we have - # to ignore errors. XXX will close ever time out? - catch {close $server_id} - set pids [server_pids] - if {$pids != {}} { - verbose "server_exit killing process(es) $pids" - catch {exec $kill $pids} - } else { - verbose "server_exit: couldn't find running server(s) to kill" - } - - # wait hangs on AIX if the process was killed; since status == -1 - # in that case, solve the problem by not waiting; the zombies will - # be cleaned up when the test finishes - if {$status == -1} { - return 1 - } - - set ret [wait -i $server_id] - verbose "% Exit $ret" 2 - - if {[lindex $ret $wait_error_index] == -1} { - fail "$name: wait returned error [lindex $ret $wait_errno_index]" - return 0 - } else { - if { [lindex $ret $wait_status_index] == $status || - (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } { - pass "$name" - } else { - fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status" - return 0 - } - } - - return 1 -} - -proc myfail { msg } { - global mytest_status - fail "$msg" - set mytest_status 1 -} - -proc server_start { name cmdline should_listen args } { - global spawn_id server_id env - global VFOURSERVER - global mytest_status - global sleep hostname - - set max_tries 60 - - verbose "$name: starting V4 kpasswd server." 1 - - for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} { - if {$num_tries} { - exec $sleep 5 - verbose "Couldn't connect to V4 kpasswd server; retrying ($num_tries so far)." - } - - spawn $VFOURSERVER $cmdline - set server_id $spawn_id - - foreach test $args { - set mytest_status 0 - uplevel 1 "expect { - -i $server_id - $test - timeout { myfail \"$name: timeout\" } - eof { myfail \"$name: eof while expecting string\" } - }" - - if {$mytest_status == 1} { - return 0 - } - } - - set pids [server_pids] - - if {$should_listen} { - exec $sleep 1 - set save_spawn_id $spawn_id - spawn telnet $hostname kerberos_master - expect { - {Connection refused} { - close -i $save_spawn_id - wait -i $save_spawn_id - close - wait - continue - } - {Connected} { - send "close\n" - close - wait - set spawn_id $save_spawn_id - break - } - default { - close -i $save_spawn_id - wait -i $save_spawn_id - catch {close} - wait - continue - } - } - } else { - break - } - } - - if {$pids == {}} { - # Try twice to find the server processes. Not sure why, - # but there seems to be some sort of race condition in the OS. - - verbose "server_start: couldn't find server process(es) -- trying again" - exec $sleep 1 - set pids [server_pids] - } - - if {$num_tries > $max_tries} { - myfail "$name: couldn't connect to V4 kpasswd server" - return 0 - } else { - if {$pids != {}} { - verbose "server_start: server process ID(s) is/are $pids" - } - pass "$name" - return 1 - } -} - -proc exp_prog { name prog cmdline status args } { - global spawn_id spawn_pid - global mytest_status - global wait_error_index wait_errno_index wait_status_index - - verbose "$name: spawning $prog $cmdline" 1 - - set spawn_pid [eval "spawn $prog $cmdline"] - - # at the end, eof is success - -# lappend args { eof { if {[regexp "\[\r\n\]$" $expect_out(buffer)] == 0} { myfail "final status message not newline-terminated" } } } - lappend args { eof {} } - - foreach test $args { - set mytest_status 0 - uplevel 1 "expect { - $test - timeout { close; myfail \"$name: timeout\" } - eof { myfail \"$name: eof while expecting string\" } - }" - - if {$mytest_status == 1} { return 0 } - } - - # at this point, the id is closed and we can wait on it. - - set ret [wait] - verbose "% Exit $ret" 2 - - if {$status == -1} { return 1 } - - if {[lindex $ret $wait_error_index] == -1} { - fail "$name: wait returned error [lindex $ret $wait_errno_index]" - } else { - if { [lindex $ret $wait_status_index] == $status || - (($status<0) && ([lindex $ret $wait_status_index] == ($status+256))) } { - pass "$name" - } else { - fail "$name: unexpected return status [lindex $ret $wait_status_index], should be $status" - } - } - - return 1 -} - -proc fix_salt { name fullname oldpw newpw } { - global kadmin_local - - exp_prog "$name: kadmin.local" $kadmin_local "" 0 { - "kadmin.local:" { send "cpw $fullname\n" } - } { - "Enter password for principal \"$fullname\":" { - send "$newpw\n" - } - } { - "Re-enter password for principal \"$fullname\":" { - send "$newpw\n" - } - } { - # if we get cannot reuse pw, the salt is already right - -re "Password .* changed." { send "quit\n" } - -re "Cannot reuse password" { send "quit\n" } - } -} - -proc unexpire { name fullname } { - global kadmin_local - - # While we're at it, make sure they aren't expired. - exp_prog "$name: kadmin.local" $kadmin_local "" 0 { - "kadmin.local:" { - send "modprinc -expire \"May 6, 2029\" $fullname\n" - } - } { - -re "Principal .* modified." { send "quit\n" } - } -} - -proc kpasswd_v4 { name fullname status oldpw newpw args } { - global kpasswd_v4 s - - eval [concat { - exp_prog $name $kpasswd_v4 "-u $fullname" $status { - -re "Old password for $fullname:" { send "$oldpw\n" } - } { - -re "New Password for $fullname:" { send "$newpw\n" } - } { - -re "Verifying, please re-enter New Password for $fullname:" - { send "$newpw\n" } - } - } $args] -} diff --git a/src/kadmin/v4server/unit-test/remove_changepw_perms.sh b/src/kadmin/v4server/unit-test/remove_changepw_perms.sh deleted file mode 100644 index 226931801..000000000 --- a/src/kadmin/v4server/unit-test/remove_changepw_perms.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -# tcl sucks big fat hairy rocks - -ed $K5ROOT/ovsec_adm.acl </dev/null 2>&1 -g/changepw\/kerberos/s/^/#/ -w -q -EOF diff --git a/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp b/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp deleted file mode 100644 index f74e8f214..000000000 --- a/src/kadmin/v4server/unit-test/v4server.0/setup-srvtab.exp +++ /dev/null @@ -1,18 +0,0 @@ -load_lib "helpers.exp" - -set timeout 10 - -exp_prog "setup" $kadmin_local "" 0 { - "kadmin.local:" { send "ank -randkey changepw/kerberos\n" } -} { - "created" {} - "already exists" {} -} { - "kadmin.local:" { - send "ktadd -k $env(KRB5_KTNAME) changepw/kerberos\n" - } -} { - -re "Entry for principal changepw/kerberos .* added to keytab" { - send "quit\n" - } -} diff --git a/src/kadmin/v4server/unit-test/v4server.1/access.exp b/src/kadmin/v4server/unit-test/v4server.1/access.exp deleted file mode 100644 index 57ec5040b..000000000 --- a/src/kadmin/v4server/unit-test/v4server.1/access.exp +++ /dev/null @@ -1,90 +0,0 @@ -load_lib "helpers.exp" - -set timeout 30 - -# Setup: make sure the principals we will use have V4 salt -fix_salt "A.setup" testuser notathena notathena -unexpire "A.setup" testuser -unexpire "A.setup" changepw/kerberos - -proc kill_admin_server {} { - global env kill getpid - - set pid [exec $getpid kadmind] - if {$pid != ""} { - exec $kill $pid - } -} - -proc start_admin_server {} { - global ovsec_adm_server_path ovsec_adm_server_name sleep env - - set max_tries 60 - - for {set num_tries 0} {$num_tries <= $max_tries} {incr num_tries} { - if {$num_tries} { - exec $sleep 5 - verbose "$ovsec_adm_server couldn't bind; retrying ($num_tries so far)" - } - if {[catch "system {cd $ovsec_adm_server_path; exec $ovsec_adm_server_name}" msg]} { - if {[regexp {Address already in use} $msg]} { - continue - } - fail "starting $ovsec_adm_server_name: $msg" - } - return - } - fail "starting $ovsec_adm_server_name: $msg" -} - -proc remove_changepw_perms {} { - global remove_changepw_perms - - exec $remove_changepw_perms -} - -proc set_changepw_perms { perms } { - global env - - remove_changepw_perms - - exec echo "changepw/kerberos@SECURE-TEST.OV.COM $perms" \ - >> $env(K5ROOT)/ovsec_adm.acl -} - -# start off with a dead admin server -kill_admin_server - -set_changepw_perms "i" -start_admin_server -server_start A.1 "-n" 1 { - "KADM Server starting in the OVSEC_KADM mode" {} -} -kpasswd_v4 A.1 testuser 2 notathena foobar { - "Operation requires ``change-password'' privilege" {} -} { - "$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {} -} { - "Password NOT changed." {} -} -server_exit A.1 -1 -kill_admin_server - -set_changepw_perms "c" -start_admin_server -server_start A.2 "-n" 1 { - "KADM Server starting in the OVSEC_KADM mode" {} -} -kpasswd_v4 A.2 testuser 2 notathena foobar { - "Operation requires ``get'' privilege" {} -} { - "$kpasswd_v4: Insufficient access to perform requested operation while attempting to change password." {} -} { - "Password NOT changed." {} -} -server_exit A.2 -1 -kill_admin_server - -set_changepw_perms "ci" - -start_admin_server diff --git a/src/kadmin/v4server/unit-test/v4server.1/change-password.exp b/src/kadmin/v4server/unit-test/v4server.1/change-password.exp deleted file mode 100644 index cc8e08406..000000000 --- a/src/kadmin/v4server/unit-test/v4server.1/change-password.exp +++ /dev/null @@ -1,60 +0,0 @@ -load_lib "helpers.exp" - -set timeout 30 - -spawn stty -a -expect { eof {} } -wait - -# Setup: make sure the principals we will use have V4 salt -fix_salt "CPW.setup" testuser notathena notathena -fix_salt "CPW.setup" pol1 pol111111 pol111111 -fix_salt "CPW.setup" pol2 pol222222 pol222222 -unexpire "CPW.setup" testuser -unexpire "CPW.setup" pol1 -unexpire "CPW.setup" pol2 -unexpire "CPW.setup" changepw/kerberos - -server_start "CPW.all" "-n" 1 { - "KADM Server starting in the OVSEC_KADM mode" {} -} - -kpasswd_v4 CPW.1 testuser 0 notathena foobar { "Password changed." {} } -kpasswd_v4 CPW.1 testuser 0 foobar notathena { "Password changed." {} } - -kpasswd_v4 CPW.3 pol1 -1 pol111111 foo { - "New password is too short." {} -} { - "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break } -} - -kpasswd_v4 CPW.4 pol1 -1 pol111111 foooooooo { - "New password does not have enough character classes." {} -} { - "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break } -} - -kpasswd_v4 CPW.5 pol1 -1 pol111111 Abyssinia { - "New password was found in a dictionary" {} -} { - "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break } -} - -kpasswd_v4 CPW.6.setup pol1 0 pol111111 polAAAAAA { "Password changed." {} } -kpasswd_v4 CPW.6 pol1 -1 polAAAAAA pol111111 { - "New password was used previously." {} -} { - "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break } -} - -# We used to use kdb5_edit, which reset last_pwd_change. Now we used -# kadmin.local, which doesn't, so we have to wait out the min life. -exec $sleep 30 -kpasswd_v4 CPW.7.setup pol2 0 pol222222 polBBBBBB { "Password changed." {} } -kpasswd_v4 CPW.7 pol2 -1 polBBBBBB pol222222 { - "Password cannot be changed because it was changed too recently." {} -} { - "$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break } -} - -server_exit "CPW.all" -1 diff --git a/src/kadmin/v4server/unit-test/v4server.1/usage.exp b/src/kadmin/v4server/unit-test/v4server.1/usage.exp deleted file mode 100644 index 4d292067a..000000000 --- a/src/kadmin/v4server/unit-test/v4server.1/usage.exp +++ /dev/null @@ -1,26 +0,0 @@ -load_lib "helpers.exp" - -set timeout 10 - -server_start "U.1: -h" "-h" 0 { - -re {Usage: .*} {} -} { - eof {} -} -server_exit "U.1: -h" 255 - -server_start "U.4: -n" "-n" 1 { - "Enter KDC database master key:" { - myfail "unexpected password prompt" - } - "KADM Server starting in the OVSEC_KADM mode" {} -} - -server_exit "U.4: -n" -1 - -server_start "U.5: no -n" "" 1 { - "KADM Server starting in the OVSEC_KADM mode" {} -} { - "Enter KDC database master key:" { send "mrroot\n" } -} -server_exit "U.5: no -n" -1 diff --git a/src/kadmin/v5passwdd/ChangeLog b/src/kadmin/v5passwdd/ChangeLog deleted file mode 100644 index dc3a7b010..000000000 --- a/src/kadmin/v5passwdd/ChangeLog +++ /dev/null @@ -1,193 +0,0 @@ -2003-08-29 Ken Raeburn - - * Makefile.in (SERV_OBJS): Use @LIBOBJS@. - -2003-01-09 Ken Raeburn - - * adm_conn.c (kadm_contact_server): Use socklen_t when passing - address to socket functions. - -2002-11-05 Tom Yu - - * kpasswd.c (kpwd_change_prompt_1, kpwd_change_prompt_2) - (kpwd_old_password_prompt, kpwd_old_pwd_name_fmt): Remove trailing - colon, as new implementation of krb5_read_password() appends it. - -2002-08-29 Ken Raeburn - - * Makefile.in: Revert $(S)=>/ change, for Windows support. - -2002-08-23 Ken Raeburn - - * Makefile.in: Change $(S)=>/ and $(U)=>.. globally. - -2002-06-19 Ezra Peisach - - * srv_net.c: Conditionalize debugging variables inside DEBUG - conditional. - - * kpasswd.c (main): Conditionalize local variables inside - definition of LANGUAGES_SUPPORTED to avoid a variable being set - with out use warning. - -2001-10-09 Ken Raeburn - - * adm_conn.c, adm_rw.c, kadm5_defs.h: Make prototypes - unconditional. - -2001-10-05 Ken Raeburn - - * adm_conn.c: Drop _MSDOS support. - -2001-09-01 Ken Raeburn - - * Makefile.in (COMMON_SRCS, SERV_SRCS, CLI_SRCS): All live in - srcdir. - -2001-06-22 Ezra Peisach - - * adm_conn.c (kadm_get_ccache): Cast return from getpid() to int - to match format. - -2001-06-21 Ken Raeburn - - * adm_conn.c, kpasswd.c, srv_net.c: Changed various char string - variables into macros, for better format/argument checking under - gcc. - - * main.c (pwd_change): Use strncpy instead of sprintf to copy - error message text into buffer. Use goto rather than repeated - code. - (main): Use %lx for params.mask. Make debug_level volatile. - - * srv_net.c (net_find_slave): Initialize "found". - (net_dispatch): Make "kret" volatile, so longjmp won't clobber - it. - (net_slaves_active): Variable deleted. - -2001-06-21 Ezra Peisach - - * main.c: Add prototype for daemon if needed. - -Mon Feb 26 15:22:44 2001 Ezra Peisach - - *adm_conn.c, adm_rw.c, kadm5_defs.h, kpasswd.c, main.c, - proto_serv.c, srv_net.c: Warnings cleanup including assignments in - conditionals, shadowed variables, unused variables, prototypes. - -2000-10-17 Ezra Peisach - - * adm_conn.c, kpasswd.c: Argument to krb5_read_password - takes an unsigned int. - - * kadm5_defs.h, main.c (pwd_change): Argument err_str_len changed - to unsigned int. (Argument to kadm5_chpass_principal_util()). - -2000-07-03 Ezra Peisach - - * Makefile.in: v5passwd does not depend on the kadm5 - libraries. This is the older protocol. - -2000-05-24 Ken Raeburn - Ezra Peisach - - * proto_serv.c (proto_serv): Don't overflow err_str. Pass data - pointer and not a krb5_data to sprintf. Remove unused variable - adm_errmsg. Remove unused label done. Declare variable - mime_setting only if MIME_SUPPORTED is defined. Make variables - db_opened and kret volatile. - (proto_fmt_reply_msg): Unused variable deleted. - -2000-05-23 Tom Yu - - * kadm5_defs.h: Add argument for length of error string. - - * main.c (pwd_change): Add argument for length of error string. - - * proto_serv.c (proto_serv): Fix up call to pwd_change(). - -2000-02-28 Ezra Peisach - - * proto_serv.c (proto_serv): For error return,strdup the returned - value from error_message to maintain its const status. - -1999-10-26 Wilfredo Sanchez - - * Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES, - LOCAL_INCLUDES such that one can override CFLAGS from the command - line without losing CPP search patchs and defines. Some associated - Makefile cleanup. - -Tue May 11 11:39:36 1999 Ezra Peisach - - * main.c: Remove include of gssapi_krb5.h - no longer needed. - -1998-11-13 Theodore Ts'o - - * Makefile.in: Set the myfulldir and mydir variables (which are - relative to buildtop and thisconfigdir, respectively.) - -1998-05-06 Theodore Ts'o - - * kpasswd.c (main): POSIX states that getopt returns -1 - when it is done parsing options, not EOF. - -Fri Feb 27 23:32:38 1998 Theodore Ts'o - - * Makefile.in: Changed thisconfigdir to point at the kadmin - directory, since we've moved all of the configure.in - tests to the toplevel kadmin configure.in - -Wed Feb 18 16:02:27 1998 Tom Yu - - * Makefile.in: Remove trailing slash from thisconfigdir. Fix up - BUILDTOP for new conventions. Fix up usage of $(C). - -Mon Feb 2 17:02:29 1998 Theodore Ts'o - - * Makefile.in: Define BUILDTOP and thisconfigdir in the Makefile - -Thu Sep 25 21:17:00 1997 Tom Yu - - * srv_net.c (net_init): Replace KRB5_USE_INET with something more - sane. - - * adm_conn.c (kadm_contact_server): Replace KRB5_USE_INET with - something more sane. - -Thu Sep 18 17:54:40 1997 Tom Yu - - * kpasswd.c: Replace USE_STRING_H with something more sane. - -Thu Feb 6 00:28:54 1997 Richard Basch - - * adm_conn.c adm_rw.c: - Replace the INTERFACE keyword with KRB5_CALLCONV - -Tue Feb 4 21:28:57 1997 Tom Yu - - * Makefile.in: - * configure.in: Update to new program build procedcure. - -Thu Oct 31 11:20:22 1996 Ezra Peisach - - * main.c (main): Add -T keyfile and -D debug_level - options. [krb5-admin/42] - -Tue Sep 10 14:37:23 1996 Tom Yu - - * v5passwd.M: remove extra args to .TH - -Sun Aug 18 18:29:39 1996 Ezra Peisach - - * Makefile.in: Compile v5passwd - the old passwd changing client. - - * adm_conn.c, kpasswd.c, v5passwd.M: Added the pieces required to - build a v5b6 simple password changing client. - -Thu Jul 25 17:01:32 1996 Marc Horowitz - - * Makefile.in, configure.in, adm_rw.c, kadm5_defs.h, main.c, - proto_serv.c, srv_net.c: combined pieces of the old v5server and - kadm libraries with calls to the new kadm5srv library to produce a - daemon which handles the v5b6 "simple" password changing protocol. diff --git a/src/kadmin/v5passwdd/Makefile.in b/src/kadmin/v5passwdd/Makefile.in deleted file mode 100644 index c9c7672f8..000000000 --- a/src/kadmin/v5passwdd/Makefile.in +++ /dev/null @@ -1,93 +0,0 @@ -thisconfigdir=./.. -myfulldir=kadmin/v5passwdd -mydir=v5passwdd -BUILDTOP=$(REL)..$(S).. -PROG_LIBPATH=-L$(TOPLIBD) -PROG_RPATH=$(KRB5_LIBDIR) - -COMMON_SRCS = $(srcdir)/adm_rw.c -COMMON_OBJS = adm_rw.o -SERV_SRCS = $(srcdir)/main.c $(srcdir)/srv_net.c $(srcdir)/proto_serv.c -SERV_OBJS = main.o srv_net.o proto_serv.o @LIBOBJS@ -CLI_SRCS = $(srcdir)/kpasswd.c $(srcdir)/adm_conn.c -CLI_OBJS = kpasswd.o adm_conn.o - -SRCS=$(SERV_SRCS) $(COMMON_SRCS) $(CLI_SRCS) -OBJS=$(SERV_OBJS) $(COMMON_OBJS) $(CLI_OBJS) - -SERV = v5passwdd -CLI = v5passwd - -all:: $(SERV) $(CLI) - -$(SERV): $(SERV_OBJS) $(COMMON_OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $(SERV) $(SERV_OBJS) $(COMMON_OBJS) \ - $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) - - -$(CLI): $(CLI_OBJS) $(COMMON_OBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o $(CLI) $(CLI_OBJS) $(COMMON_OBJS) \ - $(KRB5_BASE_LIBS) - -install:: - for f in v5passwd; do \ - $(INSTALL_PROGRAM) $$f \ - $(DESTDIR)$(CLIENT_BINDIR)$(S)`echo $$f|sed '$(transform)'`; \ - $(INSTALL_DATA) $(srcdir)$(S)$$f.M \ - ${DESTDIR}$(CLIENT_MANDIR)$(S)`echo $$f|sed '$(transform)'`.1; \ - done - for f in v5passwdd; do \ - $(INSTALL_PROGRAM) $$f \ - $(DESTDIR)$(SERVER_BINDIR)$(S)`echo $$f|sed '$(transform)'`; \ - done - -clean:: - $(RM) $(SERV) $(CLI) - -# +++ Dependency line eater +++ -# -# Makefile dependencies follow. This must be the last section in -# the Makefile.in file -# -$(OUTPRE)main.$(OBJEXT): main.c $(SRCTOP)/include/syslog.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/gssrpc/rpc.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/gssrpc/xdr.h $(BUILDTOP)/include/gssrpc/auth.h \ - $(BUILDTOP)/include/gssrpc/clnt.h $(BUILDTOP)/include/gssrpc/rpc_msg.h \ - $(BUILDTOP)/include/gssrpc/auth_unix.h $(BUILDTOP)/include/gssrpc/svc_auth.h \ - $(BUILDTOP)/include/gssrpc/svc.h $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/profile.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h $(SRCTOP)/include/krb5/kdb.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/adb_err.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(SRCTOP)/include/krb5/adm_proto.h \ - kadm5_defs.h -$(OUTPRE)srv_net.$(OBJEXT): srv_net.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h -$(OUTPRE)proto_serv.$(OBJEXT): proto_serv.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h kadm5_defs.h $(SRCTOP)/include/krb5/adm.h \ - $(SRCTOP)/include/krb5/adm_proto.h -$(OUTPRE)adm_rw.$(OBJEXT): adm_rw.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_proto.h -$(OUTPRE)kpasswd.$(OBJEXT): kpasswd.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm_defs.h \ - $(SRCTOP)/include/krb5/adm.h $(SRCTOP)/include/krb5/adm_proto.h -$(OUTPRE)adm_conn.$(OBJEXT): adm_conn.c $(SRCTOP)/include/k5-int.h \ - $(BUILDTOP)/include/krb5/osconf.h $(BUILDTOP)/include/krb5/autoconf.h \ - $(BUILDTOP)/include/krb5.h $(COM_ERR_DEPS) $(BUILDTOP)/include/profile.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(SRCTOP)/include/krb5/kdb.h $(SRCTOP)/include/krb5/adm.h \ - $(SRCTOP)/include/krb5/adm_proto.h - diff --git a/src/kadmin/v5passwdd/adm_conn.c b/src/kadmin/v5passwdd/adm_conn.c deleted file mode 100644 index 17028c738..000000000 --- a/src/kadmin/v5passwdd/adm_conn.c +++ /dev/null @@ -1,768 +0,0 @@ -/* - * lib/kadm/adm_conn.c - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ -/* - * Routines to contact an administrative protocol server. - */ -#define NEED_SOCKETS -#define NEED_LOWLEVEL_IO -#include "k5-int.h" -#include "adm.h" -#include "adm_proto.h" - -#if HAVE_PWD_H -#include -#endif /* HAVE_PWD_H */ - -/* Default ticket life is 10 minutes */ -#define KADM_DEFAULT_LIFETIME (10*60) - -/* - * Strings - */ -#define kadm_cache_name_fmt "FILE:/tmp/tkt_kadm_%d" - -/* - * Prototypes for local functions - */ -static krb5_error_code kadm_get_ccache - (krb5_context, - char *, - char *, - krb5_ccache *, - krb5_principal *); -static krb5_error_code kadm_get_creds - (krb5_context, - krb5_ccache , - krb5_principal, - krb5_creds *, - const char *, - char *, - krb5_timestamp); -static krb5_error_code kadm_contact_server - (krb5_context, - krb5_data *, - int *, - krb5_address **, - krb5_address **); -static krb5_error_code kadm_get_auth - (krb5_context, - krb5_auth_context *, - krb5_address *, - krb5_address *); - -/* - * kadm_get_ccache() - Initialze a credentials cache. - * - * Cleanup after success by calling krb5_cc_destroy() and krb5_free_principal() - * Allocates new ccache and client. - */ -static krb5_error_code -kadm_get_ccache(kcontext, user, ccname, ccache, client) - krb5_context kcontext; - char *user; - char *ccname; - krb5_ccache *ccache; - krb5_principal *client; -{ - krb5_error_code kret; - char *name; - int did_malloc = 0; - char new_cache[MAXPATHLEN]; - krb5_principal tprinc; - - /* Initialize. */ - *client = (krb5_principal) NULL; - tprinc = (krb5_principal) NULL; - - /* - * If a name specified, then use that one, else get it from our - * current uid. - */ - if (user) { - name = user; - } - else { -#if HAVE_PWD_H - struct passwd *pw; - - pw = getpwuid(getuid()); - if (pw) { - name = (char *) malloc(strlen(pw->pw_name)+1); - did_malloc = 1; - strcpy(name, pw->pw_name); - } - else { - kret = errno; - goto cleanup; - } -#else /* HAVE_PWD_H */ - kret = ENOENT; - goto cleanup; -#endif /* HAVE_PWD_H */ - } - - /* Parse the name and form our principal */ - kret = krb5_parse_name(kcontext, name, client); - if (kret) - goto cleanup; - - if (!ccname) { -#if defined(_WIN32) - strcpy (new_cache, "FILE:"); - GetTempFileName (0, "tkt", 0, new_cache+5); -#else -#ifdef _MACINTOSH - (void) sprintf(new_cache, "STDIO:admcc"); -#else - (void) sprintf(new_cache, kadm_cache_name_fmt, (int) getpid()); -#endif /* _MACINTOSH */ -#endif /* _WIN32 */ - } - else - sprintf(new_cache, "FILE:%s", ccname); - - /* - * We only need to resolve the credentials cache if one hasn't - * been supplied to us. - */ - if (!(*ccache) && (kret = krb5_cc_resolve(kcontext, new_cache, ccache))) - goto cleanup; - - /* XXX assumes a file ccache */ - if ((kret = krb5_cc_get_principal(kcontext, *ccache, &tprinc)) == - KRB5_FCC_NOFILE) - kret = krb5_cc_initialize(kcontext, *ccache, *client); - - - cleanup: - if (did_malloc) - free(name); - - if (tprinc) - krb5_free_principal(kcontext, tprinc); - - if (kret) { - if (*client) - krb5_free_principal(kcontext, *client); - } - - return(kret); -} - -/* - * kadm_get_creds() - Get initial credentials. - * - * Cleanup after success by calling krb5_free_principal(). - * Allocates new principal for creds->server. - */ -static krb5_error_code -kadm_get_creds(kcontext, ccache, client, creds, prompt, oldpw, tlife) - krb5_context kcontext; - krb5_ccache ccache; - krb5_principal client; - krb5_creds *creds; - const char *prompt; - char *oldpw; - krb5_timestamp tlife; -{ - char *client_name; - krb5_error_code kret; - krb5_address **my_addresses; - unsigned int old_pwsize; - krb5_creds tcreds; - - /* Initialize */ - my_addresses = (krb5_address **) NULL; - client_name = (char *) NULL; - - /* Get the string form for our principal */ - kret = krb5_unparse_name(kcontext, client, &client_name); - if (kret) - return(kret); - - kret = krb5_os_localaddr(kcontext, &my_addresses); - if (kret) - goto cleanup; - - creds->client = client; - /* - * Build server principal name: - * "changepw" is service - * realm name is instance - * realm name is realm name - */ - kret = krb5_build_principal_ext(kcontext, - &creds->server, - client->realm.length, - client->realm.data, - strlen(KRB5_ADM_SERVICE_INSTANCE), - KRB5_ADM_SERVICE_INSTANCE, - client->realm.length, - client->realm.data, - 0); - if (kret) - goto cleanup; - - /* Attempt to retrieve an appropriate entry from the credentials cache. */ - if ((kret = krb5_cc_retrieve_cred(kcontext, - ccache, - KRB5_TC_MATCH_SRV_NAMEONLY, - creds, - &tcreds)) - == KRB5_CC_NOTFOUND) { - krb5_timestamp jetzt; - - if (prompt != (char *) NULL) { - /* Read the password */ - old_pwsize = KRB5_ADM_MAX_PASSWORD_LEN; - kret = krb5_read_password(kcontext, prompt, (char *) NULL, - oldpw, &old_pwsize); - if (kret) - goto cleanup; - } - - kret = krb5_timeofday(kcontext, &jetzt); - if (kret) - goto cleanup; - - if (tlife > 0) - creds->times.endtime = jetzt + tlife; - else - creds->times.endtime = jetzt + KADM_DEFAULT_LIFETIME; - - /* Get our initial ticket */ - kret = krb5_get_in_tkt_with_password(kcontext, - 0, - my_addresses, - NULL, - NULL, - oldpw, - ccache, - creds, - 0); - } - else { - krb5_principal sclient, sserver; - - if (!kret) { - /* - * We found the credentials cache entry - copy it out. - * - * We'd like to just blast tcreds on top of creds, but we cannot. - * other logic uses the client data, and rather than going and - * chasing all that logic down, might as well pretend that we just - * filled in all the other muck. - */ - sclient = creds->client; - sserver = creds->server; - memcpy((char *) creds, (char *) &tcreds, sizeof(tcreds)); - if (creds->client) - krb5_free_principal(kcontext, creds->client); - if (creds->server) - krb5_free_principal(kcontext, creds->server); - creds->client = sclient; - creds->server = sserver; - } - } - - cleanup: - if (kret) { - if (creds->server) { - krb5_free_principal(kcontext, creds->server); - creds->server = 0; - } - } - if (my_addresses) - krb5_free_addresses(kcontext, my_addresses); - if (client_name) - krb5_xfree(client_name); - return(kret); -} - -/* - * kadm_contact_server() - Establish a connection to the server. - * - * Cleanup after success by calling close() and free(). - * Opens/connects socket *sockp. Allocates address storage for local/remote. - */ -static krb5_error_code -kadm_contact_server(kcontext, realmp, sockp, local, remote) - krb5_context kcontext; - krb5_data *realmp; - int *sockp; - krb5_address **local; - krb5_address **remote; -{ - struct hostent *remote_host; - struct servent *service; - char **hostlist; - int i, count; - - krb5_error_code kret; - - struct sockaddr_in in_local; - struct sockaddr_in in_remote; - socklen_t addr_len; - - const char *realm_admin_names[4]; - char *realm_name; - krb5_boolean found; - - /* Initialize */ - hostlist = (char **) NULL; - *sockp = -1; - realm_name = (char *) NULL; - - /* - * XXX - only know ADDRTYPE_INET. - */ -#ifdef HAVE_NETINET_IN_H - *local = (krb5_address *) malloc(sizeof(krb5_address)); - *remote = (krb5_address *) malloc(sizeof(krb5_address)); - realm_name = (char *) malloc((size_t) realmp->length + 1); - if ((*local == (krb5_address *) NULL) || - (*remote == (krb5_address *) NULL) || - (realm_name == (char *) NULL)) { - kret = ENOMEM; - goto cleanup; - } - (*local)->addrtype = (*remote)->addrtype = ADDRTYPE_INET; - (*local)->length = (*remote)->length = sizeof(struct in_addr); - (*local)->contents = (krb5_octet *) malloc(sizeof(struct in_addr)); - (*remote)->contents = (krb5_octet *) malloc(sizeof(struct in_addr)); - if (((*local)->contents == NULL) || ((*remote)->contents == NULL)) { - kret = ENOMEM; - goto cleanup; - } - - /* - * First attempt to find addresses from our config file, if we cannot - * find an entry, then try getservbyname(). - */ - found = 0; -#ifndef OLD_CONFIG_FILES - strncpy(realm_name, realmp->data, (size_t) realmp->length); - realm_name[realmp->length] = '\0'; - realm_admin_names[0] = "realms"; - realm_admin_names[1] = realm_name; - realm_admin_names[2] = "admin_server"; - realm_admin_names[3] = (char *) NULL; - if (!(kret = profile_get_values(kcontext->profile, - realm_admin_names, - &hostlist))) { - int hi; - char *cport; - char *cp; - krb5_int32 pport; - - for (hi = 0; hostlist[hi]; hi++) { - /* - * This knows a little too much about the format of profile - * entries. Shouldn't it just be some sort of tuple? - * - * The form is assumed to be: - * admin_server = [:[]] - */ - cport = (char *) NULL; - pport = (u_short) KRB5_ADM_DEFAULT_PORT; - cp = strchr(hostlist[hi], ' '); - if (cp) - *cp = '\0'; - cp = strchr(hostlist[hi], '\t'); - if (cp) - *cp = '\0'; - cport = strchr(hostlist[hi], ':'); - if (cport) { - *cport = '\0'; - cport++; - - pport = atoi (cport); - if (pport == 0) { - kret = KRB5_CONFIG_BADFORMAT; - goto cleanup; - } - } - - /* - * Now that we have a host name, get the host entry. - */ - remote_host = gethostbyname(hostlist[hi]); - if (remote_host == (struct hostent *) NULL) { - kret = KRB5_CONFIG_BADFORMAT; - goto cleanup; - } - - /* - * Fill in our address values. - */ - in_remote.sin_family = remote_host->h_addrtype; - (void) memcpy((char *) &in_remote.sin_addr, - (char *) remote_host->h_addr, - sizeof(in_remote.sin_addr)); - in_remote.sin_port = htons((u_short) pport); - - /* Open a tcp socket */ - *sockp = (int) socket(PF_INET, SOCK_STREAM, 0); - if (*sockp < 0) { - kret = SOCKET_ERRNO; - goto cleanup; - } - else kret = 0; - - /* Attempt to connect to the remote address. */ - if (connect(*sockp, - (struct sockaddr *) &in_remote, - sizeof(in_remote)) < 0) { - /* Failed, go to next address */ - kret = SOCKET_ERRNO; - closesocket((SOCKET)*sockp); - *sockp = -1; - continue; - } - - /* Find out local address */ - addr_len = sizeof(in_local); - if (getsockname((SOCKET) *sockp, - (struct sockaddr *) &in_local, - &addr_len) < 0) { - /* Couldn't get our local address? */ - kret = SOCKET_ERRNO; - goto cleanup; - } - else { - /* Connection established. */ - memcpy((char *) (*remote)->contents, - (char *) &in_remote.sin_addr, - sizeof(struct in_addr)); - memcpy((char *) (*local)->contents, - (char *) &in_local.sin_addr, - sizeof(struct in_addr)); - found = 1; - break; - } - } - if (!found) { - krb5_xfree(hostlist); - hostlist = (char **) NULL; - } - } -#endif /* OLD_CONFIG_FILES */ - if (!found) { - /* - * Use the old way of finding our administrative server. - * - * This consists of looking up an entry in /etc/services and if - * we don't find it, then we are just out of luck. Then, we use - * that port number along with the address of the kdc. - */ - if ((service = getservbyname(KRB5_ADM_SERVICE_NAME, "tcp")) == NULL) { - kret = ENOENT; - goto cleanup; - } - in_remote.sin_port = service->s_port; - - kret = krb5_get_krbhst(kcontext, realmp, &hostlist); - if (kret) - goto cleanup; - - /* Now count the number of hosts in the realm */ - count = 0; - for (i=0; hostlist[i]; i++) - count++; - if (count == 0) { - kret = ENOENT; /* something better? */ - goto cleanup; - } - - /* Now find an available host */ - for (i=0; hostlist[i]; i++) { - remote_host = gethostbyname(hostlist[i]); - if (remote_host != (struct hostent *) NULL) { - in_remote.sin_family = remote_host->h_addrtype; - (void) memcpy((char *) &in_remote.sin_addr, - (char *) remote_host->h_addr, - sizeof(in_remote.sin_addr)); - - /* Open a tcp socket */ - *sockp = (int) socket(PF_INET, SOCK_STREAM, 0); - if (*sockp < 0) { - kret = SOCKET_ERRNO; - goto cleanup; - } - else kret = 0; - - if (connect(*sockp, - (struct sockaddr *) &in_remote, - sizeof(in_remote)) < 0) { - kret = SOCKET_ERRNO; - closesocket((SOCKET)*sockp); - *sockp = -1; - continue; - } - - /* Find out local address */ - addr_len = sizeof(in_local); - if (getsockname((SOCKET)*sockp, - (struct sockaddr *) &in_local, - &addr_len) < 0) { - kret = SOCKET_ERRNO; - goto cleanup; - } - else { - memcpy((char *) (*remote)->contents, - (char *) &in_remote.sin_addr, - sizeof(struct in_addr)); - - memcpy((char *) (*local)->contents, - (char *) &in_local.sin_addr, - sizeof(struct in_addr)); - found = 1; - break; - } - } - } - if (!found) - kret = KRB5_SERVICE_UNKNOWN; - } -#else /* HAVE_NETINET_IN_H */ - kret = ENOENT; -#endif /* HAVE_NETINET_IN_H */ - - cleanup: - if (kret) { - if (*sockp >= 0) - closesocket((SOCKET)*sockp); - if (*local && (*local)->contents) - free((*local)->contents); - if (*remote && (*remote)->contents) - free((*remote)->contents); - if (*local) { - memset((char *) (*local), 0, sizeof(krb5_address)); - free(*local); - *local = (krb5_address *) NULL; - } - if (*remote) { - memset((char *) (*remote), 0, sizeof(krb5_address)); - free(*remote); - *remote = (krb5_address *) NULL; - } - } - if (realm_name) - free(realm_name); - if (hostlist) - krb5_xfree(hostlist); - return(kret); -} - -/* - * kadm_get_auth() - Get authorization context. - * - * Cleanup after success by calling krb5_xfree(). - * New krb5_auth_context allocated in *ctxp - */ -static krb5_error_code -kadm_get_auth(kcontext, ctxp, local, remote) - krb5_context kcontext; - krb5_auth_context *ctxp; - krb5_address *local; - krb5_address *remote; -{ - krb5_auth_con_init(kcontext, ctxp); - krb5_auth_con_setflags(kcontext, *ctxp, - KRB5_AUTH_CONTEXT_RET_SEQUENCE| - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - krb5_auth_con_setaddrs(kcontext, *ctxp, local, remote); - return(0); -} - -/* - * krb5_adm_connect() - Establish the connection to the service. - * - * If *ccachep is not null, then that ccache is used to establish the identity - * of the caller. (Argument list is ugly, I know) - * - * Errors are not reported by this routine. - * Cleanup after successful invocation must: - * destroy/close ccache. - * free auth_context - * close socket. - */ -krb5_error_code KRB5_CALLCONV -krb5_adm_connect(kcontext, user, prompt, opassword, sockp, ctxp, - ccachep, ccname, tlife) - krb5_context kcontext; /* Context handle (In ) */ - char *user; /* User specified (In ) */ - const char *prompt; /* Old password prompt (In ) */ - char *opassword; /* Old Password (I/O) */ - int *sockp; /* Socket for conn. (Out) */ - krb5_auth_context *ctxp; /* Auth context (Out) */ - krb5_ccache *ccachep; /* Credentials cache (I/O) */ - char *ccname; /* Cred cache name (In ) */ - krb5_timestamp tlife; /* Ticket lifetime (In ) */ -{ - krb5_error_code kret; - krb5_principal client; - krb5_creds creds; - krb5_data server_realm; - krb5_data request_data, suppl_data; - krb5_data response_data; - krb5_address *local_addr; - krb5_address *remote_addr; - krb5_boolean ccache_supplied; - - char *server; - - /* Initialize */ - memset((char *) &creds, 0, sizeof(krb5_creds)); - server = (char *) NULL; - *sockp = -1; - local_addr = remote_addr = (krb5_address *) NULL; - client = (krb5_principal) NULL; - *ctxp = (krb5_auth_context) NULL; - ccache_supplied = (*ccachep != (krb5_ccache) NULL); - - /* - * Find the appropriate credentials cache and set up our identity. - */ - kret = kadm_get_ccache(kcontext, user, ccname, ccachep, &client); - if (kret) - goto cleanup; - - /* - * Get initial credentials. - */ - kret = kadm_get_creds(kcontext, *ccachep, client, &creds, - prompt, opassword, tlife); - if (kret) - goto cleanup; - - /* - * Establish connection to server. - */ - if ((server_realm.data = (char *) malloc(client->realm.length+1)) == - (char *) NULL) - goto cleanup; - - server_realm.length = client->realm.length; - memcpy(server_realm.data, client->realm.data, server_realm.length); - server_realm.data[server_realm.length] = '\0'; - - kret = kadm_contact_server(kcontext, &server_realm, sockp, - &local_addr, &remote_addr); - if (kret) - goto cleanup; - - /* - * Obtain our authorization context - */ - kret = kadm_get_auth(kcontext, ctxp, local_addr, remote_addr); - if (kret) - goto cleanup; - - /* - * Format, then send the KRB_AP_REQ - */ - suppl_data.data = NULL; - suppl_data.length = 0; - - kret = krb5_mk_req_extended(kcontext, ctxp, AP_OPTS_MUTUAL_REQUIRED, - &suppl_data, &creds, &request_data); - if (kret) - goto cleanup; - - kret = krb5_write_message(kcontext, sockp, &request_data); - if (kret) - goto cleanup; - - /* - * Now read back the response. - */ - kret = krb5_read_message(kcontext, sockp, &response_data); - if (kret) { - goto cleanup; - } - else { - krb5_ap_rep_enc_part *reply = NULL; - - kret = krb5_rd_rep(kcontext, *ctxp, &response_data, &reply); - if (reply) - krb5_free_ap_rep_enc_part(kcontext, reply); - } - cleanup: - if (server) - free(server); - if (kret) { - if (*ctxp) { - krb5_xfree(*ctxp); - *ctxp = (krb5_auth_context) NULL; - } - if (*sockp >= 0) { - closesocket((SOCKET)*sockp); - *sockp = -1; - } - if (local_addr && local_addr->contents) - free(local_addr->contents); - if (remote_addr && remote_addr->contents) - free(remote_addr->contents); - if (local_addr) - free(local_addr); - if (remote_addr) - free(remote_addr); - if (creds.server) - krb5_free_principal(kcontext, creds.server); - if (client) - krb5_free_principal(kcontext, client); - if (*ccachep && !ccache_supplied) { - krb5_cc_destroy(kcontext, *ccachep); - *ccachep = (krb5_ccache) NULL; - } - } - return(kret); - -} - -/* - * krb5_adm_disconnect() - Disconnect from the administrative service. - * - * If ccache is supplied, then it is destroyed. Otherwise, the ccache is - * the caller's responsibility to close. - */ -void KRB5_CALLCONV -krb5_adm_disconnect(kcontext, socketp, auth_context, ccache) - krb5_context kcontext; - int *socketp; - krb5_auth_context auth_context; - krb5_ccache ccache; -{ - if (ccache) - krb5_cc_destroy(kcontext, ccache); - if (auth_context) - krb5_xfree(auth_context); - if (*socketp >= 0) - closesocket((SOCKET)*socketp); -} - diff --git a/src/kadmin/v5passwdd/adm_rw.c b/src/kadmin/v5passwdd/adm_rw.c deleted file mode 100644 index 8b5c71a8d..000000000 --- a/src/kadmin/v5passwdd/adm_rw.c +++ /dev/null @@ -1,543 +0,0 @@ -/* - * lib/kadm/adm_rw.c - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * Routines to engage in the administrative (password changing) protocol. - */ -#define NEED_SOCKETS -#include "k5-int.h" -#include "adm_proto.h" - -/* - * Local prototypes (needed or else the PC will pass fail). - */ -static void kadm_copyin_int32 (char *, krb5_int32 *); -static void kadm_copyout_int32 (krb5_int32, char *); - -/* - * Routines to [de]serialize integers. - * - * kadm_copyin_int32 - Move a 32-bit integer fron network byte order to - * host byte order. - * kadm_copyout_int32 - Move a 32-bit integer from host byte order to - * network byte order. - */ -static void -kadm_copyin_int32(cp, ip) - char *cp; - krb5_int32 *ip; -{ - *ip = (((krb5_int32) ((unsigned char) cp[0]) << 24) + - ((krb5_int32) ((unsigned char) cp[1]) << 16) + - ((krb5_int32) ((unsigned char) cp[2]) << 8) + - ((krb5_int32) ((unsigned char) cp[3]))); -} - -static void -kadm_copyout_int32(outint, cp) - krb5_int32 outint; - char *cp; -{ - cp[0] = (char) ((outint >> 24) & 0xff); - cp[1] = (char) ((outint >> 16) & 0xff); - cp[2] = (char) ((outint >> 8) & 0xff); - cp[3] = (char) (outint & 0xff); -} - -/* - * krb5_free_adm_data() - Free data blocks allocated by read_adm... routines. - */ -void KRB5_CALLCONV -krb5_free_adm_data(kcontext, ncomp, datap) - krb5_context kcontext; - krb5_int32 ncomp; - krb5_data *datap; -{ - int i; - - if (datap) { - for (i=0; i 0)) - krb5_xfree(datap[i].data); - - krb5_xfree(datap); - } -} - -/* - * krb5_send_adm_cmd() - Send an administrative command. - * - * Send a list of data in a KRB_PRIV message. Data takes the format: - * nargs (4 octets in network order) - * arg size 1 (4 octets in network order) - * arg data 1 ("arg size 1" octets) - * . - * . - * . - */ -krb5_error_code KRB5_CALLCONV -krb5_send_adm_cmd(kcontext, sock, ctx, nargs, arglist) - krb5_context kcontext; /* Context handle (In ) */ - krb5_pointer sock; /* Socket to write to (In ) */ - krb5_auth_context ctx; /* Auth context (In ) */ - krb5_int32 nargs; /* Number of arguments (In ) */ - krb5_data *arglist; /* Components to write (In ) */ -{ - size_t writebufsize; - int i; - char *writebuf; - krb5_error_code ret; - krb5_int32 ac_flags; - - /* - * First check that our auth context has the right flags in it. - */ - ret = krb5_auth_con_getflags(kcontext, ctx, &ac_flags); - if (ret) - return(ret); - - if ((ac_flags & (KRB5_AUTH_CONTEXT_RET_SEQUENCE| - KRB5_AUTH_CONTEXT_DO_SEQUENCE)) != - (KRB5_AUTH_CONTEXT_RET_SEQUENCE|KRB5_AUTH_CONTEXT_DO_SEQUENCE)) { - /* XXX - need a better error */ - return(KRB5KRB_AP_ERR_MSG_TYPE); - } - - ret = 0; - /* Calculate write buffer size */ - writebufsize = sizeof(krb5_int32); - for (i=0; i= sizeof(krb5_int32)) { - curr = msg_data.data; - kadm_copyin_int32(curr, nargs); - curr += sizeof(krb5_int32); - - /* Are there any components to copy? */ - if (*nargs > 0) { - - /* Get the memory for the list */ - *arglist = (krb5_data *) - malloc((size_t) (*nargs) * sizeof(krb5_data)); - if (*arglist != NULL) { - krb5_data *xarglist; - - xarglist = *arglist; - memset((char *) (xarglist), 0, - (size_t) (*nargs) * sizeof(krb5_data)); - - replyok = 1; - /* Copy out each list entry */ - for (i=0; i<*nargs; i++) { - - /* First get the length of the reply component */ - if (curr + sizeof(krb5_int32) - msg_data.data <= - msg_data.length) { - - kadm_copyin_int32(curr, &len32); - xarglist[i].length = (int) len32; - curr += sizeof(krb5_int32); - - /* Then get the memory for the actual data */ - if ((curr + xarglist[i].length - - msg_data.data <= msg_data.length) && - (xarglist[i].data = (char *) - malloc(xarglist[i].length+1))) { - - /* Then copy it out */ - memcpy(xarglist[i].data, - curr, - xarglist[i].length); - curr += xarglist[i].length; - - /* Null terminate for convenience */ - xarglist[i].data[xarglist[i].length] - = '\0'; - } - else { - /* Not enough remaining data. */ - replyok = 0; - break; - } - } - else { - /* Not enough remaining data */ - replyok = 0; - break; - } - } - if (!replyok) - krb5_free_adm_data(kcontext, *nargs, *arglist); - } - } - else { - if (*nargs == 0) { - *arglist = (krb5_data *) NULL; - replyok = 1; - } - } - } - if (!replyok) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; /* syntax error */ - } - memset(msg_data.data, 0, msg_data.length); - krb5_xfree(msg_data.data); - } - krb5_xfree(read_data.data); - } - return(ret); -} - -/* - * krb5_read_adm_reply() - Read an administrative protocol response. - * - * Expect to read them out in the same format as send_adm_reply shoots them - * in. - * - * It is the caller's responsibility to free the memory allocated for - * the read in component list. - */ -krb5_error_code KRB5_CALLCONV -krb5_read_adm_reply(kcontext, sock, ctx, cmd_stat, ncomps, complist) - krb5_context kcontext; /* Context handle (In ) */ - krb5_pointer sock; /* Socket to read from (In ) */ - krb5_auth_context ctx; /* Auth context (In ) */ - krb5_int32 *cmd_stat; /* Command status (Out) */ - krb5_int32 *ncomps; /* # of reply components(Out) */ - krb5_data **complist; /* List of components (Out) */ -{ - krb5_data read_data; - krb5_error_code ret; - krb5_data msg_data; - krb5_replay_data replay_data; - krb5_int32 ac_flags; - krb5_int32 len32; - - /* - * First check that our auth context has the right flags in it. - */ - ret = krb5_auth_con_getflags(kcontext, ctx, &ac_flags); - if (ret) - return(ret); - - if ((ac_flags & (KRB5_AUTH_CONTEXT_RET_SEQUENCE| - KRB5_AUTH_CONTEXT_DO_SEQUENCE)) != - (KRB5_AUTH_CONTEXT_RET_SEQUENCE|KRB5_AUTH_CONTEXT_DO_SEQUENCE)) { - /* XXX - need a better error */ - return(KRB5KRB_AP_ERR_MSG_TYPE); - } - - if (!(ret = krb5_read_message(kcontext, sock, &read_data))) { - if (!(ret = krb5_rd_priv(kcontext, - ctx, - &read_data, - &msg_data, - &replay_data))) { - char *curr; - int replyok; - int i; - - replyok = 0; - /* We'd better have at least two reply components */ - if (msg_data.length >= (2*sizeof(krb5_int32))) { - curr = msg_data.data; - kadm_copyin_int32(curr, cmd_stat); - curr += sizeof(krb5_int32); - kadm_copyin_int32(curr, ncomps); - curr += sizeof(krb5_int32); - - /* Are there any components to copy? */ - if (*ncomps > 0) { - - /* Get the memory for the list */ - *complist = (krb5_data *) - malloc((size_t) ((*ncomps) * sizeof(krb5_data))); - if (*complist) { - krb5_data *xcomplist; - - xcomplist = *complist; - memset((char *) (xcomplist), 0, - (size_t) ((*ncomps) * sizeof(krb5_data))); - - replyok = 1; - /* Copy out each list entry */ - for (i=0; i<*ncomps; i++) { - - /* First get the length of the reply component */ - if (curr + sizeof(krb5_int32) - msg_data.data <= - msg_data.length) { - kadm_copyin_int32(curr, &len32); - xcomplist[i].length = (int) len32; - curr += sizeof(krb5_int32); - - /* Then get the memory for the actual data */ - if ((curr + xcomplist[i].length - - msg_data.data <= msg_data.length) && - (xcomplist[i].data = (char *) - malloc(xcomplist[i].length+1))) { - - /* Then copy it out */ - memcpy(xcomplist[i].data, - curr, - xcomplist[i].length); - curr += xcomplist[i].length; - - /* Null terminate for convenience */ - xcomplist[i].data[xcomplist[i].length] - = '\0'; - } - else { - /* Not enough remaining data. */ - replyok = 0; - break; - } - } - else { - /* Not enough remaining data */ - replyok = 0; - break; - } - } - if (!replyok) - krb5_free_adm_data(kcontext, *ncomps, *complist); - } - } - else { - if (*ncomps == 0) { - *complist = (krb5_data *) NULL; - replyok = 1; - } - } - } - if (!replyok) { - ret = KRB5KRB_AP_ERR_MSG_TYPE; /* syntax error */ - } - memset(msg_data.data, 0, msg_data.length); - krb5_xfree(msg_data.data); - } - krb5_xfree(read_data.data); - } - return(ret); -} diff --git a/src/kadmin/v5passwdd/kadm5_defs.h b/src/kadmin/v5passwdd/kadm5_defs.h deleted file mode 100644 index 3f587eaf3..000000000 --- a/src/kadmin/v5passwdd/kadm5_defs.h +++ /dev/null @@ -1,367 +0,0 @@ -/* - * kadmin/v5server/kadm5_defs.h - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * kadmind5 - * Version 5 administrative daemon. - */ -#ifndef KADM5_DEFS_H__ -#define KADM5_DEFS_H__ - -/* - * Debug definitions. - */ -#define DEBUG_SPROC 1 -#define DEBUG_OPERATION 2 -#define DEBUG_HOST 4 -#define DEBUG_REALM 8 -#define DEBUG_REQUESTS 16 -#define DEBUG_ACL 32 -#define DEBUG_PROTO 64 -#define DEBUG_CALLS 128 -#define DEBUG_NOSLAVES 256 -#ifdef DEBUG -#define DPRINT(l1, cl, al) if ((cl & l1) != 0) xprintf al -#else /* DEBUG */ -#define DPRINT(l1, cl, al) -#endif /* DEBUG */ -#define DLOG(l1, cl, msg) if ((cl & l1) != 0) \ - com_err(programname, 0, msg) - -/* - * Access control bits. - */ -#define ACL_ADD_PRINCIPAL 1 -#define ACL_DELETE_PRINCIPAL 2 -#define ACL_MODIFY_PRINCIPAL 4 -#define ACL_CHANGEPW 8 -#define ACL_CHANGE_OWN_PW 16 -#define ACL_INQUIRE 32 -#define ACL_EXTRACT 64 -#define ACL_RENAME_PRINCIPAL (ACL_ADD_PRINCIPAL+ACL_DELETE_PRINCIPAL) - -#define ACL_PRINCIPAL_MASK (ACL_ADD_PRINCIPAL|ACL_DELETE_PRINCIPAL|\ - ACL_MODIFY_PRINCIPAL) -#define ACL_PASSWD_MASK (ACL_CHANGEPW|ACL_CHANGE_OWN_PW) -#define ACL_ALL_MASK (ACL_ADD_PRINCIPAL | \ - ACL_DELETE_PRINCIPAL | \ - ACL_MODIFY_PRINCIPAL | \ - ACL_CHANGEPW | \ - ACL_CHANGE_OWN_PW | \ - ACL_INQUIRE | \ - ACL_EXTRACT) -/* - * Subcodes. - */ -#define KADM_BAD_ARGS 10 -#define KADM_BAD_CMD 11 -#define KADM_NO_CMD 12 -#define KADM_BAD_PRINC 20 -#define KADM_PWD_TOO_SHORT 21 -#define KADM_PWD_WEAK 22 -#define KADM_NOT_ALLOWED 100 - -/* - * Reply status values. - */ -#define KRB5_ADM_SUCCESS 0 -#define KRB5_ADM_CMD_UNKNOWN 1 -#define KRB5_ADM_PW_UNACCEPT 2 -#define KRB5_ADM_BAD_PW 3 -#define KRB5_ADM_NOT_IN_TKT 4 -#define KRB5_ADM_CANT_CHANGE 5 -#define KRB5_ADM_LANG_NOT_SUPPORTED 6 - -#define KRB5_ADM_P_ALREADY_EXISTS 64 -#define KRB5_ADM_P_DOES_NOT_EXIST 65 -#define KRB5_ADM_NOT_AUTHORIZED 66 -#define KRB5_ADM_BAD_OPTION 67 -#define KRB5_ADM_VALUE_REQUIRED 68 -#define KRB5_ADM_SYSTEM_ERROR 69 -#define KRB5_ADM_KEY_DOES_NOT_EXIST 70 -#define KRB5_ADM_KEY_ALREADY_EXISTS 71 -#define KRB5_ADM_BAD_DESKEY 72 - -/* - * Inter-module function prototypes - */ - -krb5_keytab key_keytab_id (void); -krb5_error_code key_open_db (krb5_context); -krb5_error_code key_close_db (krb5_context); - -#if 0 -/* srv_key.c */ -krb5_error_code key_init - (krb5_context, - int, - int, - char *, - int, - char *, - char *, - char *, - char *, - krb5_int32, - krb5_key_salt_tuple *); -void key_finish - (krb5_context, - int); -krb5_error_code key_string_to_keys - (krb5_context, - krb5_db_entry *, - krb5_data *, - krb5_int32, - krb5_key_salt_tuple *, - krb5_int32 *, - krb5_key_data **); -krb5_error_code key_random_key - (krb5_context, - krb5_db_entry *, - krb5_int32 *, - krb5_key_data **); -krb5_error_code key_encrypt_keys - (krb5_context, - krb5_db_entry *, - krb5_int32 *, - krb5_key_data *, - krb5_key_data **); -krb5_error_code key_decrypt_keys - (krb5_context, - krb5_db_entry *, - krb5_int32 *, - krb5_key_data *, - krb5_key_data **); -krb5_boolean key_pwd_is_weak - (krb5_context, - krb5_db_entry *, - krb5_data *); -krb5_db_entry *key_master_entry(); -char *key_master_realm(); -krb5_keyblock *key_admin_key(); -krb5_encrypt_block *key_master_encblock(); -void key_free_key_data (krb5_key_data *, - krb5_int32); -krb5_error_code key_dbent_to_keysalts - (krb5_db_entry *, - krb5_int32 *, - krb5_key_salt_tuple **); -krb5_error_code key_update_tl_attrs - (krb5_context, - krb5_db_entry *, - krb5_principal, - krb5_boolean); - -/* srv_acl.c */ -krb5_error_code acl_init - (krb5_context, - int, - char *); -void acl_finish - (krb5_context, - int); -krb5_boolean acl_op_permitted - (krb5_context, - krb5_principal, - krb5_int32, - char *); - -#endif - -/* srv_output.c */ -krb5_error_code output_init - (krb5_context, - int, - char *, - krb5_boolean); -void output_finish - (krb5_context, - int); -krb5_boolean output_lang_supported - (char *); -char *output_krb5_errmsg - (char *, - krb5_boolean, - krb5_int32); -char *output_adm_error - (char *, - krb5_boolean, - krb5_int32, - krb5_int32, - krb5_int32, - krb5_data *); - -/* srv_net.c */ -krb5_error_code net_init - (krb5_context, - char *, - int, - krb5_int32); -void net_finish - (krb5_context, - int); -krb5_error_code net_dispatch - (krb5_context, int); -krb5_principal net_server_princ (void); - -/* proto_serv.c */ -krb5_error_code proto_init - (krb5_context, - int, - int); -void proto_finish - (krb5_context, - int); -krb5_error_code proto_serv - (krb5_context, - krb5_int32, - int, - void *, - void *); - -krb5_int32 passwd_change - (krb5_context, - int, - krb5_auth_context, - krb5_ticket *, - krb5_data *, - krb5_data *, - krb5_int32 *); - -krb5_int32 pwd_change - (krb5_context, - int, - krb5_auth_context, - krb5_ticket *, - krb5_data *, - krb5_data *, - char [], - unsigned int); - -#if 0 - -/* passwd.c */ -krb5_int32 passwd_check - (krb5_context, - int, - krb5_auth_context, - krb5_ticket *, - krb5_data *, - krb5_int32 *); -krb5_int32 passwd_change - (krb5_context, - int, - krb5_auth_context, - krb5_ticket *, - krb5_data *, - krb5_data *, - krb5_int32 *); -krb5_boolean passwd_check_npass_ok - (krb5_context, - int, - krb5_principal, - krb5_db_entry *, - krb5_data *, - krb5_int32 *); -krb5_boolean passwd_check_opass_ok - (krb5_context, - int, - krb5_principal, - krb5_db_entry *, - krb5_data *); - -/* admin.c */ -krb5_error_code admin_add_principal - (krb5_context, - int, - krb5_ticket *, - krb5_int32, - krb5_data *); -krb5_error_code admin_delete_principal - (krb5_context, - int, - krb5_ticket *, - krb5_data *); -krb5_error_code admin_rename_principal - (krb5_context, - int, - krb5_ticket *, - krb5_data *, - krb5_data *); -krb5_error_code admin_modify_principal - (krb5_context, - int, - krb5_ticket *, - krb5_int32, - krb5_data *); -krb5_error_code admin_change_opw - (krb5_context, - int, - krb5_ticket *, - krb5_data *, - krb5_data *); -krb5_error_code admin_change_orandpw - (krb5_context, - int, - krb5_ticket *, - krb5_data *); -krb5_error_code admin_inquire - (krb5_context, - int, - krb5_ticket *, - krb5_data *, - krb5_int32 *, - krb5_data **); -krb5_error_code admin_extract_key - (krb5_context, - int, - krb5_ticket *, - krb5_data *, - krb5_data *, - krb5_int32 *, - krb5_data **); -krb5_error_code admin_add_key - (krb5_context, - int, - krb5_ticket *, - krb5_int32, - krb5_data *); -krb5_error_code admin_delete_key - (krb5_context, - int, - krb5_ticket *, - krb5_int32, - krb5_data *); -void admin_init (krb5_deltat, - krb5_deltat, - krb5_boolean, - krb5_timestamp, - krb5_boolean, - krb5_flags); -#endif - -#endif /* KADM5_DEFS_H__ */ diff --git a/src/kadmin/v5passwdd/kpasswd.c b/src/kadmin/v5passwdd/kpasswd.c deleted file mode 100644 index 9a9318044..000000000 --- a/src/kadmin/v5passwdd/kpasswd.c +++ /dev/null @@ -1,599 +0,0 @@ -/* - * kadmin/kpasswd/kpasswd.c - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * kpasswd - * change your password with Version 5 Kerberos using the new password - * changing protocol. - */ - -/* - * Include files. - */ -#include "k5-int.h" -#include "adm_defs.h" -#include "adm.h" -#include "krb5/adm_proto.h" - -#ifdef HAVE_STRING_H -#include -#else /* HAVE_STRING_H */ -#include -#endif /* HAVE_STRING_H */ - - -/* - * Local definitions. - */ -#define KPWD_MAX_TRIES 4 - -/* - * Local data. - */ -#define kpwd_serror_head "server" -#define kpwd_change_prompt_1 " Enter new password" -#define kpwd_change_prompt_2 "Re-enter new password" -#define kpwd_old_password_prompt " Enter old password" -#define kpwd_old_pwd_name_fmt "Enter old password for %s" - -#ifdef LANGUAGES_SUPPORTED -#define kpwd_usage_error_fmt "%s: usage is %s [-u user] [-l language]\n" -#define kpwd_getoptstring "l:u:" -#else /* LANGUAGES_SUPPORTED */ -#define kpwd_usage_error_fmt "%s: usage is %s [-u user]\n" -#define kpwd_getoptstring "u:" -#endif /* LANGUAGES_SUPPORTED */ -#define kpwd_extra_args "extra arguments" -#if 0 -#define kpwd_bad_option_fmt "%s: unrecognized option -%c.\n" -#endif -#define kpwd_no_memory_fmt "%s: not enough resources to allocate %d bytes for %s.\n" -#define kpwd_bad_client_fmt "%s: %s%s%s %s not recognized by the server.\n" -#define kpwd_no_server_fmt "%s: cannot find server for %s.\n" -#define kpwd_incorrect_fmt "%s: incorrect password\n" -#define kpwd_cant_connect_fmt "%s: cannot contact server (%s).\n" -#define kpwd_proto_error_fmt "%s: protocol error during %s request (%s).\n" -#define kpwd_pwproto_unsupp_fmt "%s: %s request not supported by server.\n" -#define kpwd_pwproto_error "%s: server error (%s) during %s request.\n" -#define kpwd_pwd_unacceptable "%s: your new password is unacceptable to the server, %s.\n" -#define kpwd_read_pass_error "%s: error (%s) reading passwords.\n" - -static const char *kpwd_password_text = "passwords"; -#if 0 -static const char *kpwd_realm_text = "realm name"; -#endif -static const char *kpwd_args_text = "arguments"; - -static const char *kpwd_try_again_text = "try again"; -static const char *kpwd_seeyalater_text = "password not changed"; - -#if 0 -static const char *kpwd_mime_text = "MIME-enable"; -static const char *kpwd_language_text = "set language"; -#endif -static const char *kpwd_check_pwd_text = "check password"; -static const char *kpwd_change_pwd_text = "change password"; -static const char *kpwd_quit_text = "quit"; - -static const char *kpwd_you = "you"; -static const char *kpwd_is_second = "are"; -static const char *kpwd_is_third = "is"; -static const char *kpwd_quote = "'"; -static const char *kpwd_null = ""; - -static const char *kpwd_this_realm = "this realm"; - -static const char *kpwd_replies[] = { - "Operation successful", /* KRB5_ADM_SUCCESS */ - "Command not recognized", /* KRB5_ADM_CMD_UNKNOWN */ - "Password unacceptable to server", /* KRB5_ADM_PW_UNACCEPT */ - "Old password incorrect", /* KRB5_ADM_BAD_PW */ - "Invalid ticket (TKT_FLAG_INITIAL not set)",/* KRB5_ADM_NOT_IN_TKT */ - "Server refused password change", /* KRB5_ADM_CANT_CHANGE */ - "Language not supported", /* KRB5_ADM_LANG_NOT_SUPPORTED */ -}; -static const char *kpwd_replies_unknown = "UNKNOWN ERROR"; - -static void -usage(invocation, more_info) - char *invocation; - char *more_info; -{ - if (more_info) - fprintf(stderr, "%s: %s\n", invocation, more_info); - fprintf(stderr, kpwd_usage_error_fmt, invocation, invocation); -} - -static const char * -kpwd_reply_to_string(status) - krb5_int32 status; -{ - int idx; - const char *rval; - - switch (status) { - case KRB5_ADM_SUCCESS: - case KRB5_ADM_CMD_UNKNOWN: - case KRB5_ADM_PW_UNACCEPT: - case KRB5_ADM_BAD_PW: - case KRB5_ADM_NOT_IN_TKT: - case KRB5_ADM_CANT_CHANGE: - case KRB5_ADM_LANG_NOT_SUPPORTED: - idx = (int) status; - rval = kpwd_replies[idx]; - break; - default: - rval = kpwd_replies_unknown; - break; - } - return(rval); -} - -static void -kpwd_print_sreply(progname, ncomps, complist) - char *progname; - krb5_int32 ncomps; - krb5_data *complist; -{ - krb5_int32 i; - /* - * If language/mime suporrt enabled, need to have mime-decoder here. - */ - if (ncomps > 0) { - fprintf(stderr, "%s - %s: %s\n", progname, kpwd_serror_head, - complist[0].data); - for (i=1; i 0)) { - usage(argv[0], (error) ? (char *) NULL: kpwd_extra_args); - error++; - if (name) - free(name); - if (language) - free(language); - return(error); - } - - /* - * Initialize Kerberos - */ - kret = krb5_init_context(&kcontext); - if (kret) { - com_err(argv[0], kret, "while initializing krb5"); - exit(1); - } - - /* Get space for passwords */ - if ( - ((npassword = (char *) malloc(KRB5_ADM_MAX_PASSWORD_LEN)) - == (char *) NULL) || - ((opassword = (char *) malloc(KRB5_ADM_MAX_PASSWORD_LEN)) - == (char *) NULL)) - { - fprintf(stderr, kpwd_no_memory_fmt, argv[0], KRB5_ADM_MAX_PASSWORD_LEN, - kpwd_password_text); - if (npassword) - free(npassword); - krb5_free_context(kcontext); - return(ENOMEM); - } - - /* From now on, all error legs via 'goto cleanup' */ - - if (name) { - size_t prompt_len; - - prompt_len = strlen(kpwd_old_pwd_name_fmt) - 2 + strlen(name) + 1; - opwd_prompt = (char *) malloc(prompt_len); - if (opwd_prompt) - sprintf(opwd_prompt, kpwd_old_pwd_name_fmt, name); - } - /* - * Establish the connection. - */ - kret = krb5_adm_connect(kcontext, name, - (opwd_prompt) ? - opwd_prompt : kpwd_old_password_prompt, - opassword, &conn_socket, &auth_context, - &ccache, (char *) NULL, 0); - if (kret) { - switch (kret) { - case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: - fprintf(stderr, kpwd_bad_client_fmt, argv[0], - (name) ? kpwd_quote : kpwd_null, - (name) ? name : kpwd_you, - (name) ? kpwd_quote : kpwd_null, - (name) ? kpwd_is_third : kpwd_is_second); - break; - case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: - fprintf(stderr, kpwd_no_server_fmt, argv[0], - (name) ? name : kpwd_this_realm); - break; - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - fprintf(stderr, kpwd_incorrect_fmt, argv[0]); - break; - default: - fprintf(stderr, kpwd_cant_connect_fmt, argv[0], - error_message(kret)); - break; - } - goto cleanup; - } - - if (opwd_prompt) - free(opwd_prompt); - send_quit = 1; - -#ifdef LANGUAGES_SUPPORTED - /* - * We have the connection - see if we have to send some precursory data. - */ - if (mflag) { - /* - * Need to engage in protocol for MIME setting - */ - krb5_data mime_data; - krb5_int32 mime_status; - krb5_int32 mime_ncomps; - krb5_data *mime_reply; - - mime_data.data = KRB5_ADM_MIME_CMD; - mime_data.length = strlen(mime_data.data); - if ((kret = krb5_send_adm_cmd(kcontext, - &conn_socket, - auth_context, - 1, - &mime_data)) || - (kret = krb5_read_adm_reply(kcontext, - &conn_socket, - auth_context, - &mime_status, - &mime_ncomps, - &mime_reply))) { - fprintf(stderr, kpwd_proto_error_fmt, argv[0], kpwd_mime_text, - error_message(kret)); - send_quit = 0; - goto cleanup; - } - switch (mime_status) { - case KRB5_ADM_SUCCESS: - break; - case KRB5_ADM_CMD_UNKNOWN: - fprintf(stderr, kpwd_pwproto_unsupp_fmt, argv[0], kpwd_mime_text); - if (mime_ncomps > 0) - kpwd_print_sreply(argv[0], mime_ncomps, mime_reply); - break; - default: - fprintf(stderr, kpwd_pwproto_error, argv[0], - kpwd_reply_to_string(mime_status), kpwd_mime_text); - if (mime_ncomps > 0) - kpwd_print_sreply(argv[0], mime_ncomps, mime_reply); - goto cleanup; - } - krb5_free_adm_data(kcontext, mime_ncomps, mime_reply); - } - if (lflag && language) { - /* - * Need to engage in protocol for language setting - */ - krb5_data lang_data[2]; - krb5_int32 lang_status; - krb5_int32 lang_ncomps; - krb5_data *lang_reply; - - lang_data[0].data = KRB5_ADM_LANGUAGE_CMD; - lang_data[0].length = strlen(lang_data[0].data); - lang_data[1].data = language; - lang_data[1].length = strlen(language); - if ((kret = krb5_send_adm_cmd(kcontext, - &conn_socket, - auth_context, - 2, - lang_data)) || - (kret = krb5_read_adm_reply(kcontext, - &conn_socket, - auth_context, - &lang_status, - &lang_ncomps, - &lang_reply))) { - fprintf(stderr, kpwd_proto_error_fmt, argv[0], kpwd_language_text, - error_message(kret)); - send_quit = 0; - goto cleanup; - } - switch (lang_status) { - case KRB5_ADM_SUCCESS: - break; - case KRB5_ADM_CMD_UNKNOWN: - fprintf(stderr, kpwd_pwproto_unsupp_fmt, argv[0], - kpwd_language_text); - if (lang_ncomps > 0) - kpwd_print_sreply(argv[0], lang_ncomps, lang_reply); - break; - default: - fprintf(stderr, kpwd_pwproto_error, argv[0], - kpwd_reply_to_string(lang_status), kpwd_language_text); - if (lang_ncomps > 0) - kpwd_print_sreply(argv[0], lang_ncomps, lang_reply); - goto cleanup; - } - krb5_free_adm_data(kcontext, lang_ncomps, lang_reply); - } -#endif /* LANGUAGES_SUPPORTED */ - - /* Now - Actually change the password. */ - for (npass_tries = 1; npass_tries <= KPWD_MAX_TRIES; npass_tries++) { - unsigned int npass_len; - - npass_len = KRB5_ADM_MAX_PASSWORD_LEN; - if (!(kret = krb5_read_password(kcontext, - kpwd_change_prompt_1, - kpwd_change_prompt_2, - npassword, - &npass_len))) { - krb5_data check_data[2]; - krb5_int32 check_status; - krb5_int32 check_ncomps; - krb5_data *check_reply; - krb5_data set_data[3]; - krb5_int32 set_status; - krb5_int32 set_ncomps; - krb5_data *set_reply; - - check_data[0].data = KRB5_ADM_CHECKPW_CMD; - check_data[0].length = strlen(check_data[0].data); - check_data[1].data = npassword; - check_data[1].length = npass_len; - if ((kret = krb5_send_adm_cmd(kcontext, - &conn_socket, - auth_context, - 2, - check_data)) || - (kret = krb5_read_adm_reply(kcontext, - &conn_socket, - auth_context, - &check_status, - &check_ncomps, - &check_reply))) { - fprintf(stderr, kpwd_proto_error_fmt, argv[0], - kpwd_check_pwd_text, error_message(kret)); - send_quit = 0; - error++; - break; - } - if ((check_status != KRB5_ADM_SUCCESS) && - (check_status != KRB5_ADM_PW_UNACCEPT)) { - error++; - fprintf(stderr, kpwd_pwproto_error, argv[0], - kpwd_reply_to_string(check_status), - kpwd_check_pwd_text); - if (check_ncomps > 0) - kpwd_print_sreply(argv[0], check_ncomps, check_reply); - } - - if (check_status == KRB5_ADM_PW_UNACCEPT) { - fprintf(stderr, kpwd_pwd_unacceptable, argv[0], - (npass_tries < KPWD_MAX_TRIES) ? - kpwd_try_again_text : kpwd_seeyalater_text); - if (check_ncomps > 0) - kpwd_print_sreply(argv[0], check_ncomps, check_reply); - if (npass_tries == KPWD_MAX_TRIES) - kret = check_status; - continue; - } - krb5_free_adm_data(kcontext, check_ncomps, check_reply); - if (error) - break; - - /* Now actually change the password */ - set_data[0].data = KRB5_ADM_CHANGEPW_CMD; - set_data[0].length = strlen(set_data[0].data); - set_data[1].data = opassword; - set_data[1].length = strlen(opassword); - set_data[2].data = npassword; - set_data[2].length = npass_len; - if ((kret = krb5_send_adm_cmd(kcontext, - &conn_socket, - auth_context, - 3, - set_data)) || - (kret = krb5_read_adm_reply(kcontext, - &conn_socket, - auth_context, - &set_status, - &set_ncomps, - &set_reply))) { - fprintf(stderr, kpwd_proto_error_fmt, argv[0], - kpwd_change_pwd_text, error_message(kret)); - send_quit = 0; - error++; - break; - } - if (set_status != KRB5_ADM_SUCCESS) { - fprintf(stderr, kpwd_pwproto_error, argv[0], - kpwd_reply_to_string(set_status), - kpwd_change_pwd_text); - if (set_ncomps > 0) - kpwd_print_sreply(argv[0], set_ncomps, set_reply); - error++; - } - krb5_free_adm_data(kcontext, set_ncomps, set_reply); - break; - } - else { - fprintf(stderr, kpwd_read_pass_error, argv[0], - error_message(kret)); - error++; - break; - } - } - - cleanup: - if (kret) - error = kret; - if (language) - free(language); - if (name) - free(name); - - /* Clear and free password storage */ - if (opassword) { - memset(opassword, 0, KRB5_ADM_MAX_PASSWORD_LEN); - free(opassword); - } - if (npassword) { - memset(npassword, 0, KRB5_ADM_MAX_PASSWORD_LEN); - free(npassword); - } - - if (send_quit) { - /* - * Need to send quit command. - */ - krb5_data quit_data; - krb5_int32 quit_status; - krb5_int32 quit_ncomps; - krb5_data *quit_reply; - - quit_data.data = KRB5_ADM_QUIT_CMD; - quit_data.length = strlen(quit_data.data); - if ((kret = krb5_send_adm_cmd(kcontext, - &conn_socket, - auth_context, - 1, - &quit_data)) || - (kret = krb5_read_adm_reply(kcontext, - &conn_socket, - auth_context, - &quit_status, - &quit_ncomps, - &quit_reply))) { - fprintf(stderr, kpwd_proto_error_fmt, argv[0], kpwd_quit_text, - error_message(kret)); - goto done; - } - switch (quit_status) { - case KRB5_ADM_SUCCESS: - break; - case KRB5_ADM_CMD_UNKNOWN: - fprintf(stderr, kpwd_pwproto_unsupp_fmt, argv[0], kpwd_quit_text); - if (quit_ncomps > 0) - kpwd_print_sreply(argv[0], quit_ncomps, quit_reply); - break; - default: - fprintf(stderr, kpwd_pwproto_error, argv[0], - kpwd_reply_to_string(quit_status), kpwd_quit_text); - if (quit_ncomps > 0) - kpwd_print_sreply(argv[0], quit_ncomps, quit_reply); - } - krb5_free_adm_data(kcontext, quit_ncomps, quit_reply); - } - - done: - krb5_adm_disconnect(kcontext, &conn_socket, auth_context, ccache); - krb5_free_context(kcontext); - return(error); -} diff --git a/src/kadmin/v5passwdd/main.c b/src/kadmin/v5passwdd/main.c deleted file mode 100644 index ae6824726..000000000 --- a/src/kadmin/v5passwdd/main.c +++ /dev/null @@ -1,324 +0,0 @@ -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include "kadm5_defs.h" - -#if defined(NEED_DAEMON_PROTO) -extern int daemon(int, int); -#endif - -static krb5_keytab keytab; -char *programname; -kadm5_config_params params; -void *global_server_handle; -#if POSIX_SETJMP -static sigjmp_buf terminal_jmp; -#else /* POSIX_SETJMP */ -static jmp_buf terminal_jmp; -#endif /* POSIX_SETJMP */ - -krb5_keytab key_keytab_id() -{ - return(keytab); -} - -static krb5_sigtype -unhandled_signal(signo) - int signo; -{ -#if POSIX_SETJMP - siglongjmp(terminal_jmp, signo); -#else /* POSIX_SETJMP */ - longjmp(terminal_jmp, signo); -#endif /* POSIX_SETJMP */ - /* NOTREACHED */ -} - -static void usage() -{ - fprintf(stderr, "Usage: kadmind [-r realm] [-m] [-nofork] " - "[-D debuglevel] [-T keytable] [-port port-number]\n"); - exit(1); -} - -int main(int argc, char *argv[]) -{ - int ret; - volatile int nofork; - int timeout = -1; - krb5_error_code code; - volatile int debug_level = 0; -#if POSIX_SIGNALS - struct sigaction s_action; -#endif /* POSIX_SIGNALS */ - krb5_context context; - - programname = argv[0]; - - nofork = 0; - - memset((char *) ¶ms, 0, sizeof(params)); - - argc--; argv++; - while (argc) { - if (strcmp(*argv, "-r") == 0) { - argc--; argv++; - if (!argc) - usage(); - params.realm = *argv; - params.mask |= KADM5_CONFIG_REALM; - argc--; argv++; - continue; - } else if (strcmp(*argv, "-m") == 0) { - params.mkey_from_kbd = 1; - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - } else if (strcmp(*argv, "-nofork") == 0) { - nofork = 1; - } else if(strcmp(*argv, "-port") == 0) { - argc--; argv++; - if(!argc) - usage(); - params.kadmind_port = atoi(*argv); - params.mask |= KADM5_CONFIG_KADMIND_PORT; - } else if (strcmp(*argv, "-T") == 0) { - argc--; argv++; - if (!argc) - usage(); - params.admin_keytab = *argv; - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; - argc--; argv++; - continue; - } else if (strcmp(*argv, "-D") == 0) { - if (!argc) - usage(); - argc--; argv++; - debug_level = atoi(*argv); - } else - break; - argc--; argv++; - } - - if (argc != 0) - usage(); - - ret = krb5_init_context(&context); - if (ret) { - fprintf(stderr, "%s: %s while initializing context, aborting\n", - programname, error_message(ret)); - exit(1); - } - - krb5_klog_init(context, "admin_server", programname, 1); - - ret = kadm5_get_config_params(context, NULL, NULL, ¶ms, - ¶ms); - if (ret) { - krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting\n", - programname, error_message(ret)); - fprintf(stderr, "%s: %s while initializing, aborting\n", - programname, error_message(ret)); - krb5_klog_close(context); - exit(1); - } - -#define REQUIRED_PARAMS (KADM5_CONFIG_REALM | KADM5_CONFIG_ACL_FILE | \ - KADM5_CONFIG_ADMIN_KEYTAB) - - if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { - krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values " - "(%x) while initializing, aborting\n", programname, - (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); - fprintf(stderr, "%s: Missing required configuration values " - "(%lx) while initializing, aborting\n", programname, - (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); - krb5_klog_close(context); - exit(1); - } - - if ((code = krb5_kt_resolve(context, params.admin_keytab, &keytab))) { - fprintf(stderr, "%s: cannot resolve keytab %s (%s).\n", - programname, params.admin_keytab, error_message(code)); - exit(1); - } - - if (!nofork && - daemon(0, ((params.mask&KADM5_CONFIG_MKEY_FROM_KBD)? - params.mkey_from_kbd:0))) { - fprintf(stderr, "%s: cannot spawn and detach.\n", argv[0]); - perror(argv[0]); - return(2); - } - -#if POSIX_SIGNALS - (void) sigemptyset(&s_action.sa_mask); - s_action.sa_flags = 0; - s_action.sa_handler = unhandled_signal; - (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGALRM, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL); -#else /* POSIX_SIGNALS */ - signal(SIGINT, unhandled_signal); - signal(SIGTERM, unhandled_signal); - signal(SIGHUP, unhandled_signal); - signal(SIGQUIT, unhandled_signal); - signal(SIGPIPE, unhandled_signal); - signal(SIGALRM, unhandled_signal); - signal(SIGCHLD, unhandled_signal); -#endif /* POSIX_SIGNALS */ - - krb5_klog_syslog(LOG_INFO, "starting"); - - code = net_init(context, params.realm, debug_level, - (params.mask&KADM5_CONFIG_KADMIND_PORT)? - params.kadmind_port:0); - if (code) { - krb5_klog_syslog(LOG_ERR, "%s: %s while initializing network", - programname, error_message(code)); - fprintf(stderr, "%s: %s while initializing network\n", - programname, error_message(code)); - - exit(1); - } - - code = proto_init(context, debug_level, timeout); - if (code) { - krb5_klog_syslog(LOG_ERR, "%s: %s while initializing proto", - programname, error_message(code)); - fprintf(stderr, "%s: %s while initializing proto\n", - programname, error_message(code)); - } - - if ( -#if POSIX_SETJMP - sigsetjmp(terminal_jmp, 1) == 0 -#else /* POSIX_SETJMP */ - setjmp(terminal_jmp) == 0 -#endif /* POSIX_SETJMP */ - ) - { - code = net_dispatch(context, !nofork); - if (code) { - krb5_klog_syslog(LOG_ERR, "%s: %s while dispatching requests", - programname, error_message(code)); - fprintf(stderr, "%s: %s while dispatching requests\n", - programname, error_message(code)); - - exit(1); - } - } - - net_finish(context, debug_level); - - krb5_klog_syslog(LOG_INFO, "finished, exiting"); - krb5_klog_close(context); - exit(2); -} - -krb5_error_code key_open_db(krb5_context context) -{ - return(kadm5_init("kadmind", NULL, - NULL, ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_2, - &global_server_handle)); -} - -krb5_error_code key_close_db(krb5_context context) -{ - kadm5_destroy(global_server_handle); - return(0); -} - -krb5_int32 -pwd_change(kcontext, debug_level, auth_context, ticket, - olddata, newdata, err_str, err_str_len) - krb5_context kcontext; - int debug_level; - krb5_auth_context auth_context; - krb5_ticket *ticket; - krb5_data *olddata; - krb5_data *newdata; - char err_str[]; - unsigned int err_str_len; -{ - kadm5_ret_t ret; - krb5_int32 now; - kadm5_policy_ent_rec pol; - kadm5_principal_ent_rec princ; - krb5_principal principal; - - /* Make sure the ticket is initial, otherwise don't trust it */ - if ((ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) { - return(KRB5_ADM_NOT_IN_TKT); - } - - /* a principal can always change its own password, so there's no - acl check to do here */ - - principal = ticket->enc_part2->client; - - /* check to see if the min_time has passed. this is stolen - from chpass_principal_wrapper */ - - ret = krb5_timeofday(kcontext, &now); - if (ret) { - /* XXX - The only caller is known to use a 1K buffer. */ - system_error: - strncpy(err_str, error_message(ret), 1024); - return(KRB5_ADM_SYSTEM_ERROR); - } - - if((ret = kadm5_get_principal(global_server_handle, principal, - &princ, - KADM5_PRINCIPAL_NORMAL_MASK)) != - KADM5_OK) { - goto system_error; - } - if(princ.aux_attributes & KADM5_POLICY) { - if((ret=kadm5_get_policy(global_server_handle, - princ.policy, &pol)) != KADM5_OK) { - (void) kadm5_free_principal_ent(global_server_handle, &princ); - goto system_error; - } - if((now - princ.last_pwd_change) < pol.pw_min_life && - !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - (void) kadm5_free_policy_ent(global_server_handle, &pol); - (void) kadm5_free_principal_ent(global_server_handle, &princ); - /* XXX - The only caller is known to use a 1K buffer. */ - strncpy(err_str, error_message(ret), 1024); - return(KRB5_ADM_PW_UNACCEPT); - } - - ret = kadm5_free_policy_ent(global_server_handle, &pol); - if (ret) { - (void) kadm5_free_principal_ent(global_server_handle, &princ); - goto system_error; - } - } - - ret = kadm5_free_principal_ent(global_server_handle, &princ); - if (ret) { - goto system_error; - } - - /* ok, it's not too early to change the password. change it. */ - - ret = kadm5_chpass_principal_util(global_server_handle, - principal, newdata->data, - NULL, err_str, err_str_len); - if (ret) - return(KRB5_ADM_PW_UNACCEPT); - - return(KRB5_ADM_SUCCESS); -} diff --git a/src/kadmin/v5passwdd/proto_serv.c b/src/kadmin/v5passwdd/proto_serv.c deleted file mode 100644 index 013d8fb40..000000000 --- a/src/kadmin/v5passwdd/proto_serv.c +++ /dev/null @@ -1,864 +0,0 @@ -/* - * kadmin/v5server/proto_serv.c - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * proto_serv.c - Engage in protocol. This module reflects the connection - * protocol as implemented in lib/krb5/os/adm_conn.c. Any changes - * in one module must be reflected in the other. - */ -#define NEED_SOCKETS -#include "k5-int.h" -#include -#include "com_err.h" -#include "kadm5_defs.h" -#include "adm.h" -#include "adm_proto.h" -#include - -static const char *proto_addrs_msg = "\004%d: cannot get memory for addresses"; -static const char *proto_rcache_msg = "\004%d: cannot get replay cache"; -static const char *proto_ap_req_msg = "\004%d: error reading AP_REQ message"; -static const char *proto_auth_con_msg = "\004%d: cannot get authorization context"; -static const char *proto_rd_req_msg = "\004%d: cannot decode AP_REQ message"; -static const char *proto_mk_rep_msg = "\004%d: cannot generate AP_REP message"; -static const char *proto_wr_rep_msg = "\004%d: cannot write AP_REP message"; -static const char *proto_conn_abort_msg = "\007%d: connection destroyed by client"; -static const char *proto_seq_err_msg = "\004%d: protocol sequence violation"; -static const char *proto_rd_cmd_msg = "\004%d: cannot read administrative protocol command"; -static const char *proto_db_open_msg = "\004%d: cannot open database"; -static const char *proto_db_close_msg = "\004%d: cannot close database"; -static const char *proto_wr_reply_msg = "\004%d: cannot write administrative protocol reply"; -extern char *programname; - -static int proto_proto_timeout = -1; -static int proto_debug_level = 0; -#if POSIX_SETJMP -static sigjmp_buf timeout_jmp; -#else /* POSIX_SETJMP */ -static jmp_buf timeout_jmp; -#endif /* POSIX_SETJMP */ - -static krb5_sigtype -proto_alarmclock(signo) - int signo; -{ -#if POSIX_SETJMP - siglongjmp(timeout_jmp, 1); -#else /* POSIX_SETJMP */ - longjmp(timeout_jmp, 1); -#endif /* POSIX_SETJMP */ - /* NOTREACHED */ -} - -krb5_error_code -proto_init(kcontext, debug_level, timeo) - krb5_context kcontext; - int debug_level; - int timeo; -{ - krb5_error_code kret; - - proto_debug_level = debug_level; - DPRINT(DEBUG_CALLS, proto_debug_level, - ("* proto_init(timeo=%d)\n", timeo)); - kret = 0; - proto_proto_timeout = timeo; - DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_init() = %d\n", kret)); - return(kret); -} - -void -proto_finish(kcontext, debug_level) - krb5_context kcontext; - int debug_level; -{ - DPRINT(DEBUG_CALLS, proto_debug_level, ("* proto_finish()\n")); - DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_finish()\n")); -} - -krb5_error_code -proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p) - krb5_context kcontext; - krb5_int32 my_id; - int cl_sock; - void *sv_p; - void *cl_p; -{ - volatile krb5_error_code kret; - struct sockaddr_in *cl_addr; - struct sockaddr_in *sv_addr; - - krb5_data in_data; - krb5_data out_data; - krb5_rcache rcache; - krb5_auth_context auth_context; - krb5_flags ap_options; - krb5_ticket *ticket; - krb5_address *local; - krb5_address *remote; - -#if POSIX_SIGNALS - struct sigaction s_action; -#endif /* POSIX_SIGNALS */ - - char *curr_lang = (char *) NULL; -#ifdef MIME_SUPPORTED - krb5_boolean mime_setting = 0; -#endif - - krb5_int32 num_args; - krb5_data *arglist; - - volatile krb5_boolean db_opened; - - cl_addr = (struct sockaddr_in *) cl_p; - sv_addr = (struct sockaddr_in *) sv_p; - DPRINT(DEBUG_CALLS, proto_debug_level, - ("* proto_serv(id=%d, sock=%d, local=%x, remote=%x)\n", - my_id, cl_sock, - ntohl(sv_addr->sin_addr.s_addr), - ntohl(cl_addr->sin_addr.s_addr))); - - /* Initialize */ - memset((char *) &in_data, 0, sizeof(in_data)); - memset((char *) &out_data, 0, sizeof(out_data)); - num_args = 0; - local = (krb5_address *) NULL; - remote = (krb5_address *) NULL; - ticket = (krb5_ticket *) NULL; - rcache = (krb5_rcache) NULL; -#if POSIX_SIGNALS - (void) sigemptyset(&s_action.sa_mask); - s_action.sa_flags = 0; -#endif /* POSIX_SIGNALS */ - db_opened = 0; - - /* Get memory for addresses */ - local = (krb5_address *) malloc(sizeof(krb5_address)); - remote = (krb5_address *) malloc(sizeof(krb5_address)); - if (!local || !remote) { - kret = ENOMEM; - com_err(programname, kret, proto_addrs_msg, my_id); - goto cleanup; - } - - local->contents = (krb5_octet *) malloc(sizeof(struct in_addr)); - remote->contents = (krb5_octet *) malloc(sizeof(struct in_addr)); - if (!local->contents || !remote->contents) { - kret = ENOMEM; - com_err(programname, kret, proto_addrs_msg, my_id); - goto cleanup; - } - - /* - * First setup the replay cache. - */ - kret = krb5_get_server_rcache(kcontext, - krb5_princ_component(kcontext, - net_server_princ(), - 0), - &rcache); - if (kret) { - com_err(programname, kret, proto_rcache_msg, my_id); - goto cleanup; - } - - /* Initialize the auth context */ - kret = krb5_auth_con_init(kcontext, &auth_context); - if (kret) { - com_err(programname, kret, proto_auth_con_msg, my_id); - goto cleanup; - } - - krb5_auth_con_setrcache(kcontext, auth_context, rcache); - - /* - * Set up addresses. - */ - local->addrtype = remote->addrtype = ADDRTYPE_INET; - local->length = remote->length = sizeof(struct in_addr); - memcpy((char *) local->contents, - (char *) &sv_addr->sin_addr, - sizeof(struct in_addr)); - memcpy((char *) remote->contents, - (char *) &cl_addr->sin_addr, - sizeof(struct in_addr)); - krb5_auth_con_setflags(kcontext, auth_context, - KRB5_AUTH_CONTEXT_RET_SEQUENCE| - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - krb5_auth_con_setaddrs(kcontext, auth_context, local, remote); - - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:read message(local=%x, remote=%x)\n", - my_id, - ntohl(sv_addr->sin_addr.s_addr), - ntohl(cl_addr->sin_addr.s_addr))); - /* Now, read in the AP_REQ message and decode it. */ - kret = krb5_read_message(kcontext, (krb5_pointer) &cl_sock, &in_data); - if (kret) { - com_err(programname, kret, proto_ap_req_msg, my_id); - goto cleanup; - } - - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:parse message(%d bytes)\n", my_id, in_data.length)); - - /* Parse the AP_REQ message */ - kret = krb5_rd_req(kcontext, &auth_context, &in_data, - net_server_princ(), key_keytab_id(), - &ap_options, &ticket); - if (kret) { - com_err(programname, kret, proto_rd_req_msg, my_id); - goto err_reply; - } - - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:check AP_REQ(options are %x)\n", my_id, ap_options)); - /* Check our options */ - if ((ap_options & AP_OPTS_MUTUAL_REQUIRED) == 0) { - kret = KRB5KRB_AP_ERR_MSG_TYPE; - goto err_reply; - } - - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:make AP_REP\n", my_id)); - kret = krb5_mk_rep(kcontext, auth_context, &out_data); - if (kret) { - com_err(programname, kret, proto_mk_rep_msg, my_id); - goto cleanup; - } - - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:write AP_REP(%d bytes)\n", my_id, out_data.length)); - kret = krb5_write_message(kcontext, (krb5_pointer) &cl_sock, - &out_data); - if (kret) { - com_err(programname, kret, proto_wr_rep_msg, my_id); - goto cleanup; - } - - /* - * Initialization is now complete. - * - * If enabled, the protocol times out after proto_proto_timeout seconds. - */ - if ( -#if POSIX_SETJMP - sigsetjmp(timeout_jmp, 1) == 0 -#else /* POSIX_SETJMP */ - setjmp(timeout_jmp) == 0 -#endif /* POSIX_SETJMP */ - ) { - if (proto_proto_timeout > 0) { -#if POSIX_SIGNALS - s_action.sa_handler = proto_alarmclock; - (void) sigaction(SIGALRM, &s_action, (struct sigaction *) NULL); -#else /* POSIX_SIGNALS */ - signal(SIGALRM, proto_alarmclock); -#endif /* POSIX_SIGNALS */ - } - /* - * Loop forever - or until somebody puts us out of our misery. - */ - while (1) { - krb5_int32 cmd_error; - /* If this size changed, change the sprintf below */ - char err_str[1024]; - krb5_int32 cmd_repl_ncomps; - krb5_data *cmd_repl_complist; - int do_quit; - - /* - * Read a command and figure out what to do. - */ - if (proto_proto_timeout > 0) - alarm((unsigned) proto_proto_timeout); - num_args = 0; - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:waiting for command\n", my_id)); - kret = krb5_read_adm_cmd(kcontext, - (krb5_pointer) &cl_sock, - auth_context, - &num_args, - &arglist); - if (proto_proto_timeout > 0) - alarm(0); - if (kret) { - /* - * It's OK to have connections abort here. - */ - if (kret == ECONNABORTED) { - com_err(programname, kret, proto_conn_abort_msg, my_id); - kret = 0; - } - else if (kret == KRB5KRB_AP_ERR_BADORDER) { - com_err(programname, kret, proto_seq_err_msg, my_id); - kret = 0; - } - else - com_err(programname, kret, proto_rd_cmd_msg, my_id); - goto cleanup; - } - - cmd_error = KRB5_ADM_SUCCESS; - do_quit = 0; - - /* - * First open the database. We only have it open for the - * lifetime of a command so that we are sure to close it after - * performing an update. This also reduces the likelihood - * that somebody'll have stale data lying around since we're - * most likely going to change something here. - */ - if ((kret = key_open_db(kcontext))) { - com_err(programname, kret, proto_db_open_msg, my_id); - goto cleanup; - } - else - db_opened = 1; - - /* - * Now check our arguments. - */ - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:parse command\n", my_id)); - cmd_repl_ncomps = 0; - cmd_repl_complist = (krb5_data *) NULL; - if (num_args > 0) { - if (!strcasecmp(arglist[0].data, KRB5_ADM_QUIT_CMD)) { - /* - * QUIT command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:QUIT command\n", my_id)); - /* QUIT takes no arguments */ - if (num_args == 1) { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:QUIT command syntax OK\n", my_id)); - do_quit = 1; - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:QUIT command syntax BAD\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - strcpy(err_str, - "Bad argument list format for quit command."); - } - } - else if (!strcasecmp(arglist[0].data, KRB5_ADM_CHECKPW_CMD)) { - /* - * CHECKPW command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHECKPW command\n", my_id)); - if (num_args == 2) { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHECKPW command syntax OK\n", my_id)); - cmd_error = 0; - err_str[0] = '\0'; -#if 0 - cmd_error = pwd_check(kcontext, - proto_debug_level, - auth_context, - ticket, - &arglist[1], - &err_str); -#endif - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHECKPW command syntax BAD\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - - strcpy(err_str, - "Bad argument list format for checkpw command."); - } - } - else if (!strcasecmp(arglist[0].data, KRB5_ADM_CHANGEPW_CMD)) { - /* - * CHANGEPW command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGEPW command\n", my_id)); - if (num_args == 3) { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGEPW command syntax OK\n", my_id)); - cmd_error = pwd_change(kcontext, - proto_debug_level, - auth_context, - ticket, - &arglist[1], - &arglist[2], - err_str, - sizeof(err_str)); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGEPW command syntax BAD\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - strcpy(err_str, - "Bad argument list format for changepw command."); - } - } -#if 0 -#ifdef MOTD_SUPPORTED - else if (!strcasecmp(arglist[0].data, KRB5_ADM_MOTD_CMD)) { - /* - * MOTD command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MOTD command\n", my_id)); - if (num_args <= 2) { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MOTD command syntax OK\n", my_id)); - printf("@@@ motd command "); - if (num_args == 2) - printf("context is %s", arglist[2].data); - printf("\n"); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MOTD command syntax BAD\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } -#endif /* MOTD_SUPPORTED */ -#ifdef MIME_SUPPORTED - else if (!strcasecmp(arglist[0].data, KRB5_ADM_MIME_CMD)) { - /* - * MIME command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MIME command\n", my_id)); - if (num_args == 1) { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MIME command syntax OK\n", my_id)); - mime_setting = 1; - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MIME command syntax BAD\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } -#endif /* MIME_SUPPORTED */ -#ifdef LANGUAGES_SUPPORTED - else if (!strcasecmp(arglist[0].data, KRB5_ADM_LANGUAGE_CMD)) { - /* - * LANGUAGE command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:LANGUAGE command\n", my_id)); - if (num_args == 2) { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:LANGUAGE command syntax OK\n", my_id)); - if (output_lang_supported(arglist[1].data)) { - if (curr_lang) - free(curr_lang); - curr_lang = (char *) - malloc(strlen(arglist[1].data)); - if (curr_lang) - strcpy(curr_lang, arglist[1].data); - } - else - cmd_error = KRB5_ADM_LANG_NOT_SUPPORTED; - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:LANGUAGE command syntax BAD\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } -#endif /* LANGUAGES_SUPPORTED */ - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_ADD_PRINC_CMD)) { - /* - * ADD PRINCIPAL command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:ADD PRINCIPAL command\n", my_id)); - /* At least one argument */ - if (num_args > 1) { - cmd_error = admin_add_principal(kcontext, - proto_debug_level, - ticket, - num_args-1, - &arglist[1]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:ADD PRINCIPAL command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_DEL_PRINC_CMD)) { - /* - * DELETE PRINCIPAL command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:DELETE PRINCIPAL command\n", my_id)); - /* Only one argument */ - if (num_args == 2) { - cmd_error = admin_delete_principal(kcontext, - proto_debug_level, - ticket, - &arglist[1]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:DELETE PRINCIPAL command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_REN_PRINC_CMD)) { - /* - * RENAME PRINCIPAL command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:RENAME PRINCIPAL command\n", my_id)); - /* Two arguments */ - if (num_args == 3) { - cmd_error = admin_rename_principal(kcontext, - proto_debug_level, - ticket, - &arglist[1], - &arglist[2]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:RENAME PRINCIPAL command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_MOD_PRINC_CMD)) { - /* - * MODIFY PRINCIPAL command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MODIFY PRINCIPAL command\n", my_id)); - /* At least one argument */ - if (num_args > 1) { - cmd_error = admin_modify_principal(kcontext, - proto_debug_level, - ticket, - num_args-1, - &arglist[1]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:MODIFY PRINCIPAL command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_CHG_OPW_CMD)) { - /* - * CHANGE OTHER'S PASSWORD command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGE OTHER'S PASSWORD command\n", my_id)); - /* Two arguments */ - if (num_args == 3) { - cmd_error = admin_change_opwd(kcontext, - proto_debug_level, - ticket, - &arglist[1], - &arglist[2]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGE OTHER'S PASSWORD command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_CHG_ORPW_CMD)) { - /* - * CHANGE OTHER'S RANDOM PASSWORD command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGE OTHER'S RANDOM PASSWORD command\n", my_id)); - /* One argument */ - if (num_args == 2) { - cmd_error = admin_change_orandpwd(kcontext, - proto_debug_level, - ticket, - &arglist[1]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:CHANGE OTHER'S RANDOM PASSWORD command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_INQ_PRINC_CMD)) { - /* - * INQUIRE PRINCIPAL command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:INQUIRE PRINCIPAL command\n", my_id)); - /* One argument */ - if (num_args == 2) { - cmd_error = admin_inquire(kcontext, - proto_debug_level, - ticket, - &arglist[1], - &cmd_repl_ncomps, - &cmd_repl_complist); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:INQUIRE PRINCIPAL command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_EXT_KEY_CMD)) { - /* - * EXTRACT KEY command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:EXTRACT KEY command\n", my_id)); - /* Two arguments */ - if (num_args == 3) { - cmd_error = admin_extract_key(kcontext, - proto_debug_level, - ticket, - &arglist[1], - &arglist[2], - &cmd_repl_ncomps, - &cmd_repl_complist); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:EXTRACT KEY command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_ADD_KEY_CMD)) { - /* - * ADD KEY command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:ADD KEY command\n", my_id)); - /* Must have at least three arguments */ - if (num_args > 3) { - cmd_error = admin_add_key(kcontext, - proto_debug_level, - ticket, - num_args-1, - &arglist[1]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:ADD KEY command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } - else if (!strcasecmp(arglist[0].data, - KRB5_ADM_DEL_KEY_CMD)) { - /* - * DELETE KEY command handling here. - */ - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:DELETE KEY command\n", my_id)); - /* At least three arguments */ - if (num_args > 3) { - cmd_error = admin_delete_key(kcontext, - proto_debug_level, - ticket, - num_args-1, - &arglist[1]); - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:DELETE KEY command syntax BAD\n", - my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - err_aux = KADM_BAD_ARGS; - } - } -#endif /* 0 */ - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:UNKNOWN command %s\n", my_id, - arglist[0].data)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - sprintf(err_str, "Command %-.900s not supported", arglist[0].data); /* XXX Knows size of err_str. */ - } - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, - ("> %d:NO command!\n", my_id)); - cmd_error = KRB5_ADM_CMD_UNKNOWN; - strcpy(err_str, "No command in message."); - } - - /* - * Close the database. - */ - if ((kret = key_close_db(kcontext))) { - com_err(programname, kret, proto_db_close_msg, my_id); - goto cleanup; - } - else - db_opened = 0; - - /* - * Now make the reply. - */ - DPRINT(DEBUG_PROTO, proto_debug_level, - ("= %d:sending reply(stat=%d)\n", my_id, cmd_error)); - if (cmd_error == KRB5_ADM_SUCCESS) { - kret = krb5_send_adm_reply(kcontext, - (krb5_pointer) &cl_sock, - auth_context, - cmd_error, - cmd_repl_ncomps, - cmd_repl_complist); - if (kret) { - com_err(programname, kret, proto_wr_reply_msg, my_id); - goto cleanup; - } - } - else { - krb5_data reply_comps; - - reply_comps.data = err_str; - reply_comps.length = strlen(err_str); - kret = krb5_send_adm_reply(kcontext, - (krb5_pointer) &cl_sock, - auth_context, - cmd_error, - 1, - &reply_comps); - if (kret) { - com_err(programname, kret, proto_wr_reply_msg, my_id); - goto cleanup; - } - } - if (cmd_repl_ncomps > 0) - krb5_free_adm_data(kcontext, - cmd_repl_ncomps, - cmd_repl_complist); - - if (do_quit) - break; - krb5_free_adm_data(kcontext, num_args, arglist); - } - } - else { - DPRINT(DEBUG_REQUESTS, proto_debug_level, ("connection timed out")); - } - - - err_reply: - if (kret) { - krb5_error_code er_kret; - krb5_error errbuf; - char *errmsg; - krb5_data errout; - - memset((char *) &errbuf, 0, sizeof(errbuf)); - krb5_us_timeofday(kcontext, &errbuf.stime, &errbuf.susec); - errbuf.server = net_server_princ(); - errbuf.error = kret - ERROR_TABLE_BASE_krb5; - if (errbuf.error > 127) - errbuf.error = KRB5KRB_ERR_GENERIC; - /* Format the error message in our language */ - errmsg = strdup(error_message(kret)); - errbuf.text.length = strlen(errmsg); - errbuf.text.data = errmsg; - er_kret = krb5_mk_error(kcontext, &errbuf, &errout); - if (!er_kret) - krb5_write_message(kcontext, (krb5_pointer) &cl_sock, &errout); - if(errmsg) free(errmsg); - free(errbuf.text.data); - krb5_free_data_contents(kcontext, &errout); - } - - cleanup: - /* If the alarm was set, make sure it's cancelled */ - if (proto_proto_timeout > 0) - alarm(0); - if (ticket) - krb5_free_ticket(kcontext, ticket); - /* - * Don't need to close the replay cache because it's attached to the - * auth context. - */ - if (auth_context) - krb5_auth_con_free(kcontext, auth_context); - if (curr_lang) - free(curr_lang); - if (num_args) - krb5_free_adm_data(kcontext, num_args, arglist); - if (in_data.data) - krb5_free_data_contents(kcontext, &in_data); - if (out_data.data) - krb5_free_data_contents(kcontext, &out_data); - if (local && local->contents) - free(local->contents); - if (remote && remote->contents) - free(remote->contents); - if (local) - free(local); - if (remote) - free(remote); - if (db_opened) - key_close_db(kcontext); - close(cl_sock); - - DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_serv() = %d\n", kret)); - return(kret); -} diff --git a/src/kadmin/v5passwdd/srv_net.c b/src/kadmin/v5passwdd/srv_net.c deleted file mode 100644 index cae81fcf3..000000000 --- a/src/kadmin/v5passwdd/srv_net.c +++ /dev/null @@ -1,867 +0,0 @@ -/* - * kadmin/v5server/srv_net.c - * - * Copyright 1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - */ - -/* - * srv_net.c - handle networking functions of the administrative server. - */ -#include -#include -#include -#include -#ifdef USE_PTHREADS -#include -#endif /* USE_PTHREADS */ - -#define NEED_SOCKETS -#include "k5-int.h" -#include "com_err.h" -#include "kadm5_defs.h" -#include "adm.h" - -#if HAVE_SYS_SELECT_H -#include -#endif - -/* linux doesn't have SOMAXCONN */ -#ifndef SOMAXCONN -#define SOMAXCONN 5 -#endif - -/* - * This module can use the pthreads library. To do so, define USE_PTHREADS. - * You'll need to find out what else pthreads requires (e.g. -lmach -lc_r - * under OSF/1). - */ -#ifdef USE_PTHREADS -#define net_slave_type pthread_t * -#ifndef MAX_SLAVES -#define MAX_SLAVES 2*SOMAXCONN -#endif /* MAX_SLAVES */ -#else /* USE_PTHREADS */ -#define net_slave_type pid_t -#ifndef MAX_SLAVES -#define MAX_SLAVES 2*SOMAXCONN -#endif /* MAX_SLAVES */ -#endif /* USE_PTHREADS */ -#define NET_SLAVE_FULL_SLEEP 2 /* seconds */ - -/* - * Slave information storage. - */ -typedef struct _net_slave_info { - int sl_inuse; - net_slave_type sl_id; - krb5_context sl_context; - int sl_socket; - struct sockaddr_in sl_local_addr; /* local address */ - struct sockaddr_in sl_remote_addr; /* remote address */ -} net_slave_info; - -/* - * Error messages. - */ -#define net_waiterr_msg "\004child wait failed - cannot reap children" -#if 0 -#define net_def_realm_fmt "%s: cannot get default realm (%s).\n" -#endif -#define net_no_mem_fmt "%s: cannot get memory.\n" -#define net_parse_srv_fmt "%s: cannot parse server name %s (%s).\n" -#define net_no_hostname_fmt "%s: cannot get our host name (%s).\n" -#define net_no_hostent_fmt "%s: cannot get our host entry (%s).\n" -#define net_no_servent_fmt "%s: cannot get service entry for %s (%s).\n" -#define net_sockerr_fmt "%s: cannot open network socket (%s).\n" -#define net_soerr_fmt "%s: cannot set socket options (%s).\n" -#define net_binderr_fmt "%s: cannot bind to network address (%s).\n" - -#define net_select_fmt "\004select failed" -#define net_cl_disp_fmt "\004client dispatch failed" -#define net_not_ready_fmt "\004select error - no socket to read" -#define net_dispatch_msg "network dispatch" - -#ifdef DEBUG -static int net_debug_level = 0; -#endif - -static char *net_service_name = (char *) NULL; -static int net_service_princ_init = 0; -static krb5_principal net_service_principal = (krb5_principal) NULL; -#if 0 -static int net_server_addr_init = 0; -#endif -static struct sockaddr_in net_server_addr; -static int net_listen_socket = -1; -static int net_max_slaves = 0; -static net_slave_info *net_slave_table = (net_slave_info *) NULL; - -#if POSIX_SETJMP -static sigjmp_buf shutdown_jmp; -#else /* POSIX_SETJMP */ -static jmp_buf shutdown_jmp; -#endif /* POSIX_SETJMP */ - -extern char *programname; - -/* - * net_find_free_entry() - Find a free entry in the slave table. - */ -static net_slave_info * -net_find_free_entry() -{ - int i, found; - - /* Find a table entry */ - while (1) { - found = 0; - for (i=0; isl_inuse = 0; -} - -/* - * net_shutdown() - Destroy all slaves on signal reception - */ -static krb5_sigtype -net_shutdown(signo) - int signo; -{ - int i; - - /* Loop through all slaves */ - for (i=0; i 0) { - DPRINT(DEBUG_SPROC, net_debug_level, - ("| process %d finished with %d\n", deadmeat, child_exit)); - slent = net_find_slave(deadmeat); - if (slent) { - net_free_slave_entry(slent); - } - else { - DPRINT(DEBUG_SPROC, net_debug_level, - ("| cannot find slave entry for %d\n", deadmeat)); - } - } - if ((deadmeat == -1) && (errno != ECHILD)) - com_err(programname, errno, net_waiterr_msg); -} -#endif /* USE_PTHREADS */ - -#if USE_PTHREADS -/* - * net_slave_proto() - pthread main routine. - */ -static krb5_error_code -net_slave_proto(stent) - net_slave_info *stent; -{ - krb5_error_code kret; - - DPRINT(DEBUG_CALLS, net_debug_level, - ("* net_slave_proto()\n")); - DPRINT(DEBUG_SPROC, net_debug_level, - ("| thread %d starting\n", stent->sl_id)); - kret = proto_serv(stent->sl_context, - (krb5_int32) stent->sl_id, - stent->sl_socket, - &stent->sl_local_addr, - &stent->sl_remote_addr); - DPRINT(DEBUG_SPROC, net_debug_level, - ("| thread %d finished with %d\n", stent->sl_id, kret)); - DPRINT(DEBUG_CALLS, net_debug_level, - ("* net_slave_proto() = %d\n", kret)); - net_free_slave_entry(stent); - return(kret); -} -#endif /* USE_PTHREADS */ - -/* - * net_dispatch_client() - Handle client dispatch. - */ -static krb5_error_code -net_dispatch_client(kcontext, listen_sock, conn_sock, client_addr) - krb5_context kcontext; - int listen_sock; - int conn_sock; - struct sockaddr_in *client_addr; -{ - krb5_error_code kret; - net_slave_info *slent; - - DPRINT(DEBUG_CALLS, net_debug_level, - ("* net_dispatch_client(listen=%d)\n", listen_sock)); - kret = 0; - - /* Find a free entry */ - slent = net_find_free_entry(); - - /* Initialize the slave entry */ - slent->sl_context = kcontext; - slent->sl_socket = conn_sock; - memcpy((char *) &slent->sl_remote_addr, - (char *) client_addr, - sizeof(struct sockaddr_in)); - memcpy((char *) &slent->sl_local_addr, - (char *) &net_server_addr, - sizeof(struct sockaddr_in)); - -#ifdef DEBUG - if ((net_debug_level & DEBUG_NOSLAVES) == 0) { -#endif /* DEBUG */ - /* Do a real slave creation */ -#if USE_PTHREADS - if (!slent->sl_id) - slent->sl_id = (pthread_t *) malloc(sizeof(pthread_t)); - if (slent->sl_id == (pthread_t *) NULL) { - kret = ENOMEM; - goto done; - } - if (kret = pthread_create(slent->sl_id, - pthread_attr_default, - (pthread_startroutine_t) net_slave_proto, - (pthread_addr_t) slent)) { - kret = errno; - goto done; - } - if (pthread_detach(slent->sl_id)) { - DPRINT(DEBUG_SPROC, net_debug_level, - ("| (%d) child thread %d detach failed (%d)\n", - getpid(), slent->sl_id, errno)); - } - DPRINT(DEBUG_SPROC, net_debug_level, - ("| (%d) created child thread %d\n", - getpid(), slent->sl_id)); -#else /* USE_PTHREADS */ - slent->sl_id = fork(); - if (slent->sl_id < 0) { - kret = errno; - slent->sl_inuse = 0; - goto done; - } - - if (slent->sl_id > 0) { - /* parent */ - DPRINT(DEBUG_SPROC, net_debug_level, - ("| (%d) created child process %d\n", - getpid(), slent->sl_id)); - close(conn_sock); - kret = 0; - goto done; - } - else { -#if POSIX_SIGNALS - struct sigaction s_action; -#endif /* POSIX_SIGNALS */ - - /* child */ -#if POSIX_SIGNALS - (void) sigemptyset(&s_action.sa_mask); - s_action.sa_flags = 0; - /* Ignore SIGINT, SIGTERM, SIGHUP, SIGQUIT and SIGPIPE */ - s_action.sa_handler = SIG_IGN; - (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGQUIT, &s_action, (struct sigaction *) NULL); - (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL); - /* Restore to default SIGCHLD */ - s_action.sa_handler = SIG_DFL; - (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL); -#else /* POSIX_SIGNALS */ - signal(SIGINT, SIG_IGN); /* Ignore SIGINT */ - signal(SIGTERM, SIG_IGN); /* Ignore SIGTERM */ - signal(SIGHUP, SIG_IGN); /* Ignore SIGHUP */ - signal(SIGQUIT, SIG_IGN); /* Ignore SIGQUIT */ - signal(SIGPIPE, SIG_IGN); /* Ignore SIGPIPE */ - signal(SIGCHLD, SIG_DFL); /* restore SIGCHLD handling */ -#endif /* POSIX_SIGNALS */ - close(listen_sock); - slent->sl_id = getpid(); - DPRINT(DEBUG_SPROC, net_debug_level, - ("| process %d starting\n", slent->sl_id)); - kret = proto_serv(slent->sl_context, - (krb5_int32) slent->sl_id, - slent->sl_socket, - &slent->sl_local_addr, - &slent->sl_remote_addr); - DPRINT(DEBUG_SPROC, net_debug_level, - ("| process %d exiting with %d\n", getpid(), kret)); - exit(kret); - } -#endif /* USE_PTHREADS */ -#ifdef DEBUG - } - else { - net_slave_info *sl1; -#if POSIX_SIGNALS - struct sigaction s_action; -#endif /* POSIX_SIGNALS */ - - /* - * Ignore SIGPIPE. - */ -#if POSIX_SIGNALS - (void) sigemptyset(&s_action.sa_mask); - s_action.sa_flags = 0; - s_action.sa_handler = SIG_IGN; - (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL); -#else /* POSIX_SIGNALS */ - signal(SIGPIPE, SIG_IGN); /* Ignore SIGPIPE */ -#endif /* POSIX_SIGNALS */ - DPRINT(DEBUG_SPROC, net_debug_level, - ("| (%d) not doing child creation\n", getpid())); - slent->sl_id = (net_slave_type) getpid(); - kret = proto_serv(slent->sl_context, - (krb5_int32) slent->sl_id, - slent->sl_socket, - &slent->sl_local_addr, - &slent->sl_remote_addr); - sl1 = net_find_slave(slent->sl_id); - if (sl1) - net_free_slave_entry(sl1); - DPRINT(DEBUG_SPROC, net_debug_level, - ("| (%d) returned with %d\n", getpid(), kret)); - kret = 0; - } -#endif /* DEBUG */ - done: - DPRINT(DEBUG_CALLS, net_debug_level, - ("X net_dispatch_client() = %d\n", kret)); - return(kret); -} - -/* - * net_init() - Initialize network context. - */ -krb5_error_code -net_init(kcontext, realm, debug_level, port) - krb5_context kcontext; - char * realm; - int debug_level; - krb5_int32 port; -{ - krb5_error_code kret; - char our_host_name[MAXHOSTNAMELEN]; - struct hostent *our_hostent; - struct servent *our_servent; - -#ifdef DEBUG - net_debug_level = debug_level; -#endif - DPRINT(DEBUG_CALLS, net_debug_level, ("* net_init(port=%d)\n", port)); - - /* Allocate the slave table */ - net_slave_table = (net_slave_info *) - malloc((size_t) (MAX_SLAVES * sizeof(net_slave_info))); - /* Make our service name */ - net_service_name = (char *) malloc(strlen(realm) + - strlen(KRB5_ADM_SERVICE_INSTANCE) + 2); - if ((net_service_name == (char *) NULL) || - (net_slave_table == (net_slave_info *) NULL)) { - kret = ENOMEM; - fprintf(stderr, net_no_mem_fmt, programname); - goto done; - } - (void) sprintf(net_service_name, "%s%s%s", - KRB5_ADM_SERVICE_INSTANCE, "/", realm); - memset((char *) net_slave_table, 0, - (size_t) (MAX_SLAVES * sizeof(net_slave_info))); - net_max_slaves = MAX_SLAVES; - DPRINT(DEBUG_HOST, net_debug_level, - ("- name of service is %s\n", net_service_name)); - - /* Now formulate the principal name */ - kret = krb5_parse_name(kcontext, net_service_name, &net_service_principal); - if (kret) { - fprintf(stderr, net_parse_srv_fmt, programname, net_service_name, - error_message(kret)); - goto done; - } - net_service_princ_init = 1; - -#ifdef HAVE_NETINET_IN_H - /* Now get our host name/entry */ - if (gethostname(our_host_name, sizeof(our_host_name))) { - kret = errno; - fprintf(stderr, net_no_hostname_fmt, programname, error_message(kret)); - goto done; - } - if (!(our_hostent = gethostbyname(our_host_name))) { - kret = KRB5_ERR_BAD_HOSTNAME; /* perhaps put h_errno in the msg */ - fprintf(stderr, net_no_hostent_fmt, programname, error_message(kret)); - goto done; - } - DPRINT(DEBUG_HOST, net_debug_level, - ("- name of host is %s\n", our_hostent->h_name)); - - /* Now initialize our network address */ - net_server_addr.sin_family = AF_INET; - memcpy((char *) &net_server_addr.sin_addr, - (char *) our_hostent->h_addr, - sizeof(net_server_addr.sin_addr)); - DPRINT(DEBUG_HOST, net_debug_level, - ("- address of host is %x\n", - ntohl(net_server_addr.sin_addr.s_addr))); - - /* - * Fill in the port address. - * If the port is supplied by the invoker, then use that one. - * If not, then try the profile, and if all fails, then use the service - * entry. - */ - if (port > 0) { - net_server_addr.sin_port = htons(port); - DPRINT(DEBUG_HOST, net_debug_level, - ("- service name (%s) is on port %d from options\n", - KRB5_ADM_SERVICE_NAME, - ntohs(net_server_addr.sin_port))); - } - else { - char **admin_hostlist; - const char *realm_admin_names[4]; /* XXX */ - krb5_boolean found; - - /* - * Try to get the service entry out of the profile. - */ - admin_hostlist = (char **) NULL; - realm_admin_names[0] = "realms"; - realm_admin_names[1] = realm; - realm_admin_names[2] = "admin_server"; - realm_admin_names[3] = (char *) NULL; - found = 0; -#ifndef OLD_CONFIG_FILES - if (!(kret = profile_get_values(kcontext->profile, - realm_admin_names, - &admin_hostlist))) { - int hi; - char *cport; - char *cp; - krb5_int32 pport; - int ai; - - cport = (char *) NULL; - pport = KRB5_ADM_DEFAULT_PORT; - for (hi=0; admin_hostlist[hi]; hi++) { - /* - * This knows a little too much about the format of profile - * entries. Shouldn't it just be some sort of tuple? - * - * The form is assumed to be: - * admin_server = [:[]] - */ - cp = strchr(admin_hostlist[hi], ' '); - if (cp) - *cp = '\0'; - cp = strchr(admin_hostlist[hi], '\t'); - if (cp) - *cp = '\0'; - cport = strchr(admin_hostlist[hi], ':'); - if (cport) { - *cport = '\0'; - cport++; - if (sscanf(cport, "%d", &pport) != 1) { - DPRINT(DEBUG_HOST, net_debug_level, - ("- profile entry for %s has bad port %s\n", - admin_hostlist[hi], - cport)); - pport = KRB5_ADM_DEFAULT_PORT; - } - } - /* - * We've stripped away the crud. Now check to see if the - * profile entry matches our hostname. If so, then this - * is the one to use. Additionally, check the host alias - * list. - */ - if (!strcmp(admin_hostlist[hi], our_hostent->h_name)) { - net_server_addr.sin_port = ntohs((u_short) pport); - DPRINT(DEBUG_HOST, net_debug_level, - ("- service name (%s) is on port %d from profile\n", - KRB5_ADM_SERVICE_NAME, - pport)); - found = 1; - } - else { - for (ai=0; our_hostent->h_aliases[ai]; ai++) { - if (!strcmp(admin_hostlist[hi], - our_hostent->h_aliases[ai])) { - net_server_addr.sin_port = ntohs(pport); - DPRINT(DEBUG_HOST, net_debug_level, - ("- service name (%s) is on port %d from profile and alias\n", - KRB5_ADM_SERVICE_NAME, - pport)); - found = 1; - break; - } - } - } - } - krb5_xfree(admin_hostlist); - } -#endif /* OLD_CONFIG_FILES */ - - /* - * If we didn't find an entry in the profile, then as a last gasp - * effort, attempt to find it in /etc/services. - */ - if (!found) { - /* Get the service entry out of /etc/services */ - if (!(our_servent = getservbyname(KRB5_ADM_SERVICE_NAME, "tcp"))) { - kret = errno; - fprintf(stderr, net_no_servent_fmt, programname, - KRB5_ADM_SERVICE_NAME, error_message(kret)); - goto done; - } - net_server_addr.sin_port = our_servent->s_port; - DPRINT(DEBUG_HOST, net_debug_level, - ("- service name (%s) is on port %d from services\n", - our_servent->s_name, - ntohs(our_servent->s_port))); - } - } -#if 0 - net_server_addr_init = 1; -#endif - - /* Now open the listen socket */ - net_listen_socket = socket(AF_INET, SOCK_STREAM, 0); - if (net_listen_socket < 0) { - kret = errno; - fprintf(stderr, net_sockerr_fmt, programname, error_message(kret)); - goto done; - } - - /* If we have a non-default port number, then allow reuse of address */ - if (net_server_addr.sin_port != htons(KRB5_ADM_DEFAULT_PORT)) { - int allowed; - - allowed = 1; - if (setsockopt(net_listen_socket, - SOL_SOCKET, - SO_REUSEADDR, - (char *) &allowed, - sizeof(allowed)) < 0) { - kret = errno; - fprintf(stderr, net_soerr_fmt, programname, error_message(kret)); - goto done; - } - } - - /* Bind socket */ - if (bind(net_listen_socket, - (struct sockaddr *) &net_server_addr, - sizeof(net_server_addr)) < 0) { - kret = errno; - fprintf(stderr, net_binderr_fmt, programname, error_message(kret)); - goto done; - } - else { - DPRINT(DEBUG_HOST, net_debug_level, - ("- bound socket %d on port\n", net_listen_socket)); - kret = 0; - } -#else /* HAVE_NETINET_IN_H */ - /* Don't know how to do anything else. */ - kret = ENOENT; -#endif /* HAVE_NETINET_IN_H */ - - done: - DPRINT(DEBUG_CALLS, net_debug_level, ("X net_init() = %d\n", kret)); - return(kret); -} - -/* - * net_finish() - Finish network context. - */ -void -net_finish(kcontext, debug_level) - krb5_context kcontext; - int debug_level; -{ - DPRINT(DEBUG_CALLS, net_debug_level, ("* net_finish()\n")); - if (net_max_slaves) { - net_max_slaves = 0; - free(net_slave_table); - } - if (net_listen_socket >= 0) - close(net_listen_socket); - if (net_service_princ_init) - krb5_free_principal(kcontext, net_service_principal); - if (net_service_name) - free(net_service_name); - DPRINT(DEBUG_CALLS, net_debug_level, ("X net_finish()\n")); -} - -/* - * net_dispatch() - Listen and dispatch request. - * - * Loop forever selecting on the listen socket. When an incoming connection - * comes in, dispatch to net_client_connect(). - */ -krb5_error_code -net_dispatch(kcontext, detached) - krb5_context kcontext; - int detached; -{ - volatile krb5_error_code kret; - fd_set mask, readfds; - int nready; -#if POSIX_SIGNALS - struct sigaction s_action; -#endif /* POSIX_SIGNALS */ - - DPRINT(DEBUG_CALLS, net_debug_level, ("* net_dispatch()\n")); - - kret = 0; - - /* Set up the fdset mask */ - FD_ZERO(&mask); - FD_SET(net_listen_socket, &mask); - -#if POSIX_SIGNALS - (void) sigemptyset(&s_action.sa_mask); - s_action.sa_flags = 0; - s_action.sa_handler = net_shutdown; - (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL); -#ifdef DEBUG - (void) sigaction(SIGINT, &s_action, (struct sigaction *) NULL); -#endif /* DEBUG */ - if (!detached) - (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL); -#else /* POSIX_SIGNALS */ - /* - * SIGTERM (or SIGINT, if debug, or SIGHUP if not detached) shuts us down. - */ - signal(SIGTERM, net_shutdown); -#ifdef DEBUG - signal(SIGINT, net_shutdown); -#endif /* DEBUG */ - if (!detached) - signal(SIGHUP, net_shutdown); -#endif /* POSIX_SIGNALS */ - -#if !USE_PTHREADS -#if POSIX_SIGNALS - s_action.sa_handler = net_reaper; - (void) sigaction(SIGCHLD, &s_action, (struct sigaction *) NULL); -#else /* POSIX_SIGNALS */ - /* - * SIGCHILD indicates end of child process life. - */ - signal(SIGCHLD, net_reaper); -#endif /* POSIX_SIGNALS */ -#endif /* !USE_PTHREADS */ - - /* Receive connections on the socket */ - DPRINT(DEBUG_OPERATION, net_debug_level, ("+ listening on socket\n")); - if ( -#if POSIX_SETJMP - sigsetjmp(shutdown_jmp, 1) == 0 -#else /* POSIX_SETJMP */ - setjmp(shutdown_jmp) == 0 -#endif /* POSIX_SETJMP */ - ) { - if (listen(net_listen_socket, SOMAXCONN) < 0) - kret = errno; - } - else - kret = EINTR; - DPRINT(DEBUG_OPERATION, net_debug_level, ("+ listen done\n")); - - while (kret == 0) { - /* - * Prepare to catch signals. - */ - if ( -#if POSIX_SETJMP - sigsetjmp(shutdown_jmp, 1) == 0 -#else /* POSIX_SETJMP */ - setjmp(shutdown_jmp) == 0 -#endif /* POSIX_SETJMP */ - ) { - readfds = mask; - DPRINT(DEBUG_OPERATION, net_debug_level, ("+ doing select\n")); - if ((nready = select(net_listen_socket+1, - &readfds, - (fd_set *) NULL, - (fd_set *) NULL, - (struct timeval *) NULL)) == 0) { - DPRINT(DEBUG_OPERATION, net_debug_level, ("+ nobody ready\n")); - continue; /* Nobody ready */ - } - - if ((nready < 0) && (errno != EINTR)) { - com_err(net_dispatch_msg, errno, net_select_fmt); - continue; - } - - if (FD_ISSET(net_listen_socket, &readfds)) { - struct sockaddr_in client_addr; - int addrlen; - int conn_sock; - - addrlen = sizeof(client_addr); - DPRINT(DEBUG_OPERATION, net_debug_level, - ("+ accept connection\n")); - while (((conn_sock = accept(net_listen_socket, - (struct sockaddr *) &client_addr, - &addrlen)) < 0) && - (errno == EINTR)); - - if (conn_sock < 0) { - kret = errno; - break; - } - DPRINT(DEBUG_OPERATION, net_debug_level, - ("+ accepted connection\n")); - kret = net_dispatch_client(kcontext, - net_listen_socket, - conn_sock, - &client_addr); - if (kret) { - com_err(net_dispatch_msg, kret, net_cl_disp_fmt); - continue; - } - DPRINT(DEBUG_OPERATION, net_debug_level, - ("+ dispatch done\n")); - } - else { - com_err(net_dispatch_msg, 0, net_not_ready_fmt); - kret = EIO; - } - } - else { - DPRINT(DEBUG_OPERATION, net_debug_level, - ("+ dispatch interrupted by SIGTERM\n")); - kret = 0; - break; - } - } - - DPRINT(DEBUG_CALLS, net_debug_level, ("X net_dispatch() = %d\n", kret)); - return(kret); -} - -/* - * Return our service principal. - */ -krb5_principal -net_server_princ() -{ - if (net_service_princ_init) - return(net_service_principal); - else - return((krb5_principal) NULL); -} diff --git a/src/kadmin/v5passwdd/v5passwd.M b/src/kadmin/v5passwdd/v5passwd.M deleted file mode 100644 index bdea7784f..000000000 --- a/src/kadmin/v5passwdd/v5passwd.M +++ /dev/null @@ -1,65 +0,0 @@ -.\" kadmin/v5passwdd/v5passwd.M -.\" -.\" Copyright 1995 by the Massachusetts Institute of Technology. -.\" -.\" Export of this software from the United States of America may -.\" require a specific license from the United States Government. -.\" It is the responsibility of any person or organization contemplating -.\" export to obtain such a license before exporting. -.\" -.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\" distribute this software and its documentation for any purpose and -.\" without fee is hereby granted, provided that the above copyright -.\" notice appear in all copies and that both that copyright notice and -.\" this permission notice appear in supporting documentation, and that -.\" the name of M.I.T. not be used in advertising or publicity pertaining -.\" to distribution of the software without specific, written prior -.\" permission. Furthermore if you modify this software you must label -.\" your software as modified software and not distribute it in such a -.\" fashion that it might be confused with the original M.I.T. software. -.\" M.I.T. makes no representations about the suitability of -.\" this software for any purpose. It is provided "as is" without express -.\" or implied warranty. -.\" -.\" -.TH V5PASSWD 1 -.SH NAME -v5passwd \- change a user's Kerberos password -.SH SYNOPSIS -.B v5passwd -[ -.B \-u -.IR username[/instance][@realm] -] -.SH DESCRIPTION -The -.I v5passwd -command is used to change a Kerberos principal's password using the -older administrative protocol. - -If the -.I \-u -option is specified, a partially or fully qualified Kerberos principal may -be supplied. Otherwise, the principal name is derived from the identity -of the user invoking the -.I v5passwd -command. - -.PP -The -.I v5passwd -command prompts for the current Kerberos password, which is verified by the -Kerberos server. If the old password is correct, the user is prompted twice -for the new password. Success or failure is indicated by messages printed -out by -.I v5passwd. - - -.SH FILES -.TP 2i -/tmp/tkt_kpw_[uid] -the temporary credentials cache ([uid] is the decimal UID of the user) for -the lifetime of the password changing operation. -.SH SEE ALSO -kadmin(8), kadmind(8), v5passwdd(8) -.SH BUGS -- 2.26.2