diff options
| author | no author <devnull@mit.edu> | 1996-12-06 14:26:18 +0000 |
|---|---|---|
| committer | no author <devnull@mit.edu> | 1996-12-06 14:26:18 +0000 |
| commit | d8084f6d1d2a9a7ff8834ea931e51ed654bec323 (patch) | |
| tree | e1bf9317be96770bb053173b9d98492422491c02 | |
| parent | 2ac4a834a034a836554037cbc72ae06ecc1bcb75 (diff) | |
| download | krb5-krb5-1.0-freeze2.zip krb5-krb5-1.0-freeze2.tar.gz krb5-krb5-1.0-freeze2.tar.bz2 | |
This commit was manufactured by cvs2svn to create tagkrb5-1.0-freeze2
'V_1_0_FREEZE_2'.
git-svn-id: svn://anonsvn.mit.edu/krb5/tags/V_1_0_FREEZE_2@9622 dc483132-0cff-0310-8789-dd5450dbe970
155 files changed, 2193 insertions, 1179 deletions
@@ -1,51 +1,80 @@ -Beta test distribution READ-ME file. ------------------------------------ + Kerberos Version 5, Release 1.0 -THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + Release Notes -Files are copyright MIT, Cygnus Support, OpenVision, Oracle, Sun Soft, -and others. + The MIT Kerberos Team -The following copyright and permission notice applies to the -OpenVision Kerberos Administration system located in kadmin/create, -kadmin/dbutil, kadmin/server, lib/kadm, and portions of lib/rpc: +Unpacking the Source Distribution +--------------------------------- - Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved - - WARNING: Retrieving the OpenVision Kerberos Administration system - source code, as described below, indicates your acceptance of the - following terms. If you do not agree to the following terms, do not - retrieve the OpenVision Kerberos administration system. - - You may freely use and distribute the Source Code and Object Code - compiled from it, but this Source Code is provided to you "AS IS" - EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR - ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL - OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR - COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY - SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS - AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE - OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR - FOR ANY OTHER REASON. - - OpenVision retains all rights, title, and interest in the donated - Source Code. With respect to OpenVision's copyrights in the donated - Source Code, OpenVision also retains rights to derivative works - of the Source Code whether created by OpenVision or a third party. - - OpenVision Technologies, Inc. has donated this Kerberos - Administration system to MIT for inclusion in the standard - Kerberos 5 distribution. This donation underscores our - commitment to continuing Kerberos technology development - and our gratitude for the valuable work which has been - performed by MIT and the Kerberos community. +The source distribution of Kerberos 5 comes in three gzipped tarfiles, +krb5-1.0.src.tar.gz, krb5-1.0.doc.tar.gz, and krb5-1.0.crypto.tar.gz. +The krb5-1.0.doc.tar.gz contains the doc/ directory and this README +file. The krb5-1.0.src.tar.gz contains the src/ directory and this +README file, except for the crypto library sources, which are in +krb5-1.0.crypto.tar.gz. + +Instruction on how to extract the entire distribution follow. These +directions assume that you want to extract into a directory called +DIST. + +If you have the GNU tar program and gzip installed, you can simply do: + + mkdir DIST + cd DIST + gtar zxpf krb5-1.0.src.tar.gz + gtar zxpf krb5-1.0.crypto.tar.gz + gtar zxpf krb5-1.0.doc.tar.gz +If you don't have GNU tar, you will need to get the FSF gzip +distribution and use gzcat: + mkdir DIST + cd DIST + gzcat krb5-1.0.src.tar.gz | tar xpf - + gzcat krb5-1.0.crypto.tar.gz | tar xpf - + gzcat krb5-1.0.doc.tar.gz | tar xpf - -Now, with that out of the way, let me point you to a few things: +Both of these methods will extract the sources into DIST/krb5-1.0/src +and the documentation into DIST/krb5-1.0/doc. + +Unpacking the Binary Distribution +--------------------------------- + +Binary distributions of Kerberos V5 are provided merely as convenience +to those people who wish to try out Kerberos V5 without needing to do +a full compile of Kerberos. + +MIT and the MIT Kerberos V5 development team make no guarantees that +we will continue to supply binary distributions for future releases of +Kerberos V5, or for any operating system/platform in particular. +These binary distributions have been prepared by members of the MIT +Kerberos V5 development team, or by volunteers who have graciously +agreed to test the pre-release snapshot. Each binary build is PGP +signed by the person who prepared the binary distribution for that +particular platform. + +While the binary distribution is *supposed* to correspond exactly to +the 1.0 Kerberos V5 source release, you have no way of knowing whether +the person who prepared the binary release might have inserted a +trojan horse, or a trapdoor. For all you know, the binary +distribution might be mailing all of your Kerberos keys to +kremvax!boris. (The same is true for the source distribution, but at +least you can audit the code yourself!) + +For this reason, if you are planning on using Kerberos V5 in +production, we strongly suggest that you obtain the source +distribution and compile it from source yourself. + +The binary distributions have been compiled so that they will install +in /usr/local. To install, su to root and and type the command: + + cd /usr/local + gunzip < /tmp/krb5-1.0.<platform>.tar.gz | tar xvf - + + +Building and Installing Kerberos 5 +---------------------------------- The first file you should look at is doc/install.ps; it contains the notes for building and installing Kerberos 5. The info file @@ -58,32 +87,168 @@ which contain the system administrator's guide, and the user's guide, respectively. They are also available as info files kerberos-admin.info and krb5-user.info, respectively. ->> << ->> Please report any problems/bugs/comments to 'krb5-bugs@mit.edu' << ->> << +Reporting Bugs +-------------- + +Please report any problems/bugs/comments using the krb5-send-pr +program. The krb5-send-pr program will be installed in the sbin +directory once you have successfully compiled and installed Kerberos +V5 (or if you have installed one of our binary distributions). + +If you are not able to use krb5-send-pr because you haven't been able +compile and install Kerberos V5 on any platform, you may send mail to +krb5-bugs@mit.edu. + +Notes and Major Changes +----------------------- + +* We are now using the GNATS system to track bug reports for Kerberos +V5. It is therefore helpful for people to use the krb5-send-pr +program when reporting bugs. The old interface of sending mail to +krb5-bugs@mit.edu will still work; however, bug reports sent in this +fashion may experience a delay in being processed. + +* The default keytab name has changed from /etc/v5srvtab to +/etc/krb5.keytab. + +* login.krb5 no longer defaults to getting krb4 tickets. + +* The Windows (win16) DLL, LIBKRB5.DLL, has been renamed to +KRB5_16.DLL. This change was necessary to distinguish it from the +win32 version, which will be named KRB5_32.DLL. Note that the +GSSAPI.DLL file has not been renamed, because this name was specified +in a draft standard for the Windows 16 GSSAPI bindings. (The 32-bit +version of the GSSAPI DLL will be named GSSAPI32.DLL.) + +* The directory structure used for installations has changed. In +particular, files previously located in $prefix/lib/krb5kdc are now +normally located in $sysconfdir/krb5kdc. With the normal configure +options, this means the KDC database goes in /usr/local/var/krb5kdc by +default. If you wish to have the old behavior, then you would use a +configure line like the following: + + configure --prefix=/usr/local --sysconfdir=/usr/local/lib +* kshd has been modified to accept krb4 encrypted rcp connections; for +this to work, the v4rcp program must be in the bin directory. +* The gssrpc library has symbol collisions with the rpc library in +some of the libcs in certain operating systems without shared +libraries, notably some ports of NetBSD and MkLinux. For those +platforms which have rpc in libc and also contain NIS in libc, +compiling with static libraries will not work because of this +conflict. NetBSD users can either upgrade to the current tree, which +includes shared libraries for more ports, choose not to build kadmind +or kadmin, or recompile NetBSD without NIS support. MkLinux users +must either recompile without NIS or not build the administration +system. + +Copyright Notice and Legal Administrivia +---------------------------------------- + +Copyright (C) 1996 by the Massachusetts Institute of Technology. + +All rights reserved. + +Export of this software from the United States of America may require +a specific license from the United States Government. It is the +responsibility of any person or organization contemplating export to +obtain such a license before exporting. + +WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +distribute this software and its documentation for any purpose and +without fee is hereby granted, provided that the above copyright +notice appear in all copies and that both that copyright notice and +this permission notice appear in supporting documentation, and that +the name of M.I.T. not be used in advertising or publicity pertaining +to distribution of the software without specific, written prior +permission. M.I.T. makes no representations about the suitability of +this software for any purpose. It is provided "as is" without express +or implied warranty. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED +WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +Individual source code files are copyright MIT, Cygnus Support, +OpenVision, Oracle, Sun Soft, and others. + +Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, +and Zephyr are trademarks of the Massachusetts Institute of Technology +(MIT). No commercial use of these trademarks may be made without +prior written permission of MIT. + +"Commercial use" means use of a name in a product or other for-profit +manner. It does NOT prevent a commercial firm from referring to the +MIT trademarks in order to convey information (although in doing so, +recognition of their trademark status should be given). + +The following copyright and permission notice applies to the +OpenVision Kerberos Administration system located in kadmin/create, +kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions +of lib/rpc: + + Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved + + WARNING: Retrieving the OpenVision Kerberos Administration system + source code, as described below, indicates your acceptance of the + following terms. If you do not agree to the following terms, do not + retrieve the OpenVision Kerberos administration system. + + You may freely use and distribute the Source Code and Object Code + compiled from it, with or without modification, but this Source + Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, + INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR + FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER + EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY + FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR + CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, + WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE + CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY + OTHER REASON. + + OpenVision retains all copyrights in the donated Source Code. OpenVision + also retains copyright to derivative works of the Source Code, whether + created by OpenVision or by a third party. The OpenVision copyright + notice must be preserved if derivative works are made based on the + donated Source Code. + + OpenVision Technologies, Inc. has donated this Kerberos + Administration system to MIT for inclusion in the standard + Kerberos 5 distribution. This donation underscores our + commitment to continuing Kerberos technology development + and our gratitude for the valuable work which has been + performed by MIT and the Kerberos community. + +Acknowledgements +---------------- Appreciation Time!!!! There are far too many people to try to thank them all; many people have contributed to the development of Kerberos -V5. This is only a partial listing.... +V5. This is only a partial listing.... + +Thanks to Paul Vixie and the Internet Software Consortium for funding +the work of Barry Jaspan. This funding was invaluable for the OV +administration server integration, as well as the 1.0 release +preparation process. Thanks to John Linn, Scott Foote, and all of the folks at OpenVision Technologies, Inc., who donated their administration server for use in the MIT release of Kerberos. -Thanks to Paul Vixie and the Internet Software Consortium for -supporting the OV administration server integration work. - -Thanks to Jeff Bigler, Mark Eichin, Mark Horowitz, Nancy Gilman, Ken +Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken Raeburn, and all of the folks at Cygnus Support, who provided innumerable bug fixes and portability enhancements to the Kerberos V5 -tree. Thanks especially ot Jeff Bigler, for the new user and system +tree. Thanks especially to Jeff Bigler, for the new user and system administrator's documentation. Thanks to Doug Engert from ANL for providing many bug fixes, as well as testing to ensure DCE interoperability. +Thanks to Ken Hornstein at NRL for providing many bug fixes and +suggestions. + Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for their many suggestions and bug fixes. @@ -92,15 +257,3 @@ past and present: Jay Berkenbilt, Richard Basch, John Carr, Don Davis, Nancy Gilman, Sam Hartman, Marc Horowitz, Barry Jaspan, John Kohl, Cliff Neuman, Kevin Mitchell, Paul Park, Ezra Peisach, Chris Provenzano, Jon Rochlis, Jeff Schiller, Harry Tsai, Ted Ts'o, Tom Yu. - -Note: - -Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and -Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No -commercial use of these trademarks may be made without prior written -permission of MIT. - -FYI, "commercial use" means use of a name in a product or other for-profit -manner. It does NOT prevent a commercial firm from referring to the MIT -trademarks in order to convey information (although in doing so, recognition -of their trademark status should be given). diff --git a/doc/ChangeLog b/doc/ChangeLog index 7b3a8bb..ed60433 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,107 @@ +Wed Dec 4 23:47:28 1996 Tom Yu <tlyu@mit.edu> + + * krb425.texinfo (Upgrading Application Servers): v5srvtab -> + krb5.keytab + +Mon Dec 2 13:00:26 1996 Barry Jaspan <bjaspan@mit.edu> + + * build.texinfo (The DejaGnu Tests): info about .k5login for + krb-root tests [krb5-doc/261] + + * install.texinfo (Add Administrators to the Kerberos Database): + note relationship between acl file and admin principals + [krb5-doc/251] + (Edit the Configuration Files): mention the logging stanza here, + too, and tell people to check it when they start the daemons + [krb5-doc/253] + + * build.texinfo (The KADM5 Tests): add section for the kadm5 tests + [krb5-doc/247] + +Fri Nov 29 19:47:38 1996 Tom Yu <tlyu@mit.edu> + + * build.texinfo (Unpacking the Sources): Mention that ./krb5-1.0 + is the default directory that the tarballs will unpack into. + Also, "/u1/krb5" -> "/u1/krb5-1.0". + (osconf.h): Remove reference to DEFAULT_LNAME_FILENAME, as we're + no longer using the aname database code. + (Options to Configure): Add mention of --localstatedir + (Shared Library Support): It's Solaris 2.4/SunOS 5.4, not Solaris + 5.4. + (Solaris 2.X): Shared libs work with gcc. + + * install.texinfo (Mapping Hostnames onto Kerberos Realms): Fix + spacing error. + + * admin.texinfo: Fix up old references to "/krb5". + + * send-pr.texinfo: krb5-send-pr is in PREFIX/sbin, not PREFIX/bin. + + * admin.texinfo: "/lib/krb5kdc" -> "/var/krb5kdc" + + * krb425.texinfo (Upgrading Application Servers): Change flag + "cygnus" to "CYGNUS". + + * install.texinfo (Please Read the Documentation): Change flag + "cygnus" to "CYGNUS". + + * admin.texinfo (domain_realm): Change flag "cygnus" to "CYGNUS". + + * definitions.texinfo: Change /usr/@value{LCPRODUCT} to /usr/local + to sync with default paths. + + * admin.texinfo (domain_realm): Conditionalize "COM" vs "EDU" in + example. + + * install.texinfo (Create Host Keys for the Slave KDCs): Change + -randpass to -randkey. [244] + +Thu Nov 28 18:54:02 1996 Tom Yu <tlyu@mit.edu> + + * krb425.texinfo: Change to use "@chapternewpage odd", also frob + copyright page as per other docs. Also, remove footnote claiming + that "Kerberos V5 is based on the MIT beta7 release". + + * admin.texinfo (capaths): Fix unquoted braces. + (appdefaults): Fix unquoted braces. + +Wed Nov 27 18:27:18 1996 Jeffrey C. G. Bigler <jcb@viola.cygnus.com> + + * Makefile: Added send-pr.texinfo to ADMIN_INCLUDES and + INSTALL_INCLUDES. + + * admin.texinfo: Added chapter on config files. Changed bug + reporting section to include send-pr file. + + * install.texinfo: Changed bug reporting section to include + send-pr file. Added reference to Sysadmin Guide chapter on config + files. + + * send-pr.texinfo: Fixed this up to match our version of + krb5-send-pr. + +Tue Nov 26 18:34:11 1996 Tom Yu <tlyu@mit.edu> + + * install.texinfo: Fix a couple of references to "@value{COMPANY}" + so they don't commit MIT to doing user support; also fixed some + punctuation errors. + +Mon Nov 25 23:39:53 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * copyright.texinfo: Change lib/kadm to lib/kadm5, and add the + kadmin/passwd to the list of directories containing OV + code. + +Sun Nov 24 23:55:52 1996 Ezra Peisach (epeisach@mit.edu) + + * build.texinfo: Remove --with-kdb-db section as it does not + exist. Add --with-tcl info. + +Tue Nov 19 13:42:00 1996 Barry Jaspan <bjaspan@mit.edu> + + * install.texinfo, build.texinfo: misc suggestions from jhawk + [krb5-doc/55] + Fri Nov 15 17:52:39 1996 Jeff Bigler <jcb@viola.cygnus.com> * Makefile (krb425-guide): added section to make krb425 guide. diff --git a/doc/Makefile b/doc/Makefile index 92a3477..1e914a5 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -9,11 +9,11 @@ GZIP=gzip -9 MANPS=./man2ps ADMIN_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \ - glossary.texinfo + glossary.texinfo send-pr.texinfo ADMIN_DEPS=admin.texinfo $(ADMIN_INCLUDES) INSTALL_INCLUDES=definitions.texinfo copyright.texinfo document-list.texinfo \ - build.texinfo bug-report.texinfo + build.texinfo bug-report.texinfo send-pr.texinfo INSTALL_DEPS=install.texinfo $(INSTALL_INCLUDES) USER_GUIDE_INCLUDES=definitions.texinfo copyright.texinfo glossary.texinfo diff --git a/doc/admin.texinfo b/doc/admin.texinfo index cca3e32..9ebf28d 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -15,7 +15,8 @@ @end iftex @include definitions.texinfo -@set EDITION b7-1 +@set EDITION 1.0 +@set UPDATED November 27, 1996 @finalout @c don't print black warning boxes @@ -58,6 +59,7 @@ installation. * Copyright:: * Introduction:: * How Kerberos Works:: +* Configuration Files:: * Administrating Kerberos Database Entries:: * Application Servers:: * Backups of Secure Hosts:: @@ -116,7 +118,7 @@ The appendices include sample configuration files, the list of Kerberos error messages, and a complete list of the time zones understood by @code{kadmin}. -@node How Kerberos Works, Administrating Kerberos Database Entries, Introduction, Top +@node How Kerberos Works, Configuration Files, Introduction, Top @chapter How Kerberos Works This section provides a simplified description of a general user's @@ -329,7 +331,593 @@ Following are definitions of some of the Kerberos terminology. @include glossary.texinfo -@node Administrating Kerberos Database Entries, Application Servers, How Kerberos Works, Top +@node Configuration Files, Administrating Kerberos Database Entries, How Kerberos Works, Top +@chapter Configuration Files + +@menu +* krb5.conf:: +* kdc.conf:: +@end menu + +@node krb5.conf, kdc.conf, Configuration Files, Configuration Files +@section krb5.conf + +The @code{krb5.conf} file contains Kerberos configuration information, +including the locations of KDCs and admin servers for the Kerberos +realms of interest, defaults for the current realm and for Kerberos +applications, and mappings of hostnames onto Kerberos realms. Normally, +you should install your @code{krb5.conf} file in the directory +@code{/etc}. You can override the default location by setting the +environment variable @samp{KRB5_CONFIG}. + +The @code{krb5.conf} file is set up in the style of a Windows INI file. +Sections are headed by the section name, in square brackets. Each +section may contain zero or more relations, of the form: + +@smallexample +foo = bar +@end smallexample + +@noindent +or + +@smallexample +@group +fubar = @{ + foo = bar + baz = quux +@} +@end group +@end smallexample + +The @code{krb5.conf} file may contain any or all of the following seven +sections: + +@table @b +@itemx libdefaults +Contains default values used by the Kerberos V5 library. + +@itemx appdefaults +Contains default values used by Kerberos V5 applications. + +@itemx realms +Contains subsections keyed by Kerberos realm names. Each subsection +describes realm-specific information, including where to find the +Kerberos servers for that realm. + +@itemx domain_realm +Contains relations which map domain names and subdomains onto Kerberos +realm names. This is used by programs to determine what realm a host +should be in, given its fully qualified domain name. + +@itemx logging +Contains relations which determine how Kerberos programs are to perform +logging. + +@itemx capaths +Contains the authentication paths used with direct (nonhierarchical) +cross-realm authentication. Entries in this section are used by the +client to determine the intermediate realms which may be used in +cross-realm authentication. It is also used by the end-service when +checking the transited field for trusted intermediate realms. + +@itemx kdc +For a KDC, may contain the location of the kdc.conf file. +@end table + +@menu +* libdefaults:: +* appdefaults:: +* realms (krb5.conf):: +* domain_realm:: +* logging:: +* capaths:: +* kdc:: +* Sample krb5.conf File:: +@end menu + +@node libdefaults, appdefaults, krb5.conf, krb5.conf +@subsection [libdefaults] + +The @code{libdefaults} section may contain any of the following +relations: + +@table @b +@itemx default_realm +Identifies the default Kerberos realm for the client. Set its value to +your Kerberos realm. + +@itemx default_tgs_enctypes +Identifies the supported list of session key encryption types that +should be returned by the KDC. The list may be delimited with commas or +whitespace. Currently, the only supported encryption type is +"des-cbc-crc". Support for other encryption types is planned in the +future. + +@itemx default_tkt_enctypes +Identifies the supported list of session key encryption +types that should be requested by the client. The format is the same as +for @emph{default_tkt_enctypes}. Again, the only supported encryption +type is "des-cbc-crc". + +@itemx clockskew +Sets the maximum allowable amount of clockskew in seconds that the +library will tolerate before assuming that a Kerberos message is +invalid. The default value is 300 seconds, or five minutes. + +@itemx checksum_type +Used for compatability with DCE security servers which do not support +the default CKSUMTYPE_RSA_MD5 used by this version of Kerberos. A value +of 1 indicates the default checksum type. Use a value of 2 to use the +CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and earlier. + +@itemx ccache_type +Use this parameter on systems which are DCE clients, to specify the type +of cache to be created by kinit, or when forwarded tickets are received. +DCE and Kerberos can share the cache, but some versions of DCE do not +support the default cache as created by this version of Kerberos. Use a +value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. +@end table + +@node appdefaults, realms (krb5.conf), libdefaults, krb5.conf +@subsection [appdefaults] + +Each tag in the [appdefaults] section names a Kerberos V5 application. +The value of the tag is a subsection with relations that define the +default behaviors for that application. + +For example: + +@smallexample +@group +[appdefaults] + kinit = @{ + forwardable = true + @} + telnet = @{ + forward = true + encrypt = true + autologin = true + @} +@end group +@end smallexample + +The list of specifiable options for each application may be found in +that application's man pages. The application defaults specified here +are overridden by those specified in the [realms] section. + +@node realms (krb5.conf), domain_realm, appdefaults, krb5.conf +@subsection [realms] + +Each tag in the [realms] section of the file is the name of a Kerberos +realm. The value of the tag is a subsection with relations that define +the properties of that particular realm. For each realm, the following +tags may be specified in the realm's subsection: + +@table @b +@itemx kdc +The name of a host running a KDC for that realm. An optional port +number (separated from the hostname by a colon) may be included. + +@itemx admin_server +Identifies the host where the administration server is running. +Typically this is the master Kerberos server. + +@itemx application defaults +Application defaults that are specific to a particular realm may be +specified within that realm's tag. Realm-specific application defaults +override the global defaults specified in the [appdefaults] section. +@end table + +@node domain_realm, logging, realms (krb5.conf), krb5.conf +@subsection [domain_realm] + +The [domain_realm] section provides a translation from a domain name or +hostname to a Kerberos realm name. The tag name can be a host name, or +a domain name, where domain names are indicated by a prefix of a period +(@samp{.}). The value of the relation is the Kerberos realm name for +that particular host or domain. Host names and domain names should be +in lower case. + +If no translation entry applies, the host's realm is considered to be +the hostname's domain portion converted to upper case. For example, the +following [domain_realm] section: + +@smallexample +@group +[domain_realm] + @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + crash.@value{PRIMARYDOMAIN} = TEST.@value{PRIMARYREALM} + @value{SECONDDOMAIN} = @value{SECONDREALM} +@end group +@end smallexample + +@noindent +maps crash.@value{PRIMARYDOMAIN} into the TEST.@value{PRIMARYREALM} +realm. All other hosts in the @value{PRIMARYDOMAIN} domain will map by +default to the @value{PRIMARYREALM} realm, and all hosts in the +@value{SECONDDOMAIN} domain will map by default into the +@value{SECONDREALM} realm. Note the entries for the hosts +@value{PRIMARYDOMAIN} and @value{SECONDDOMAIN}. Without these entries, +@ifset CYGNUS +these hosts would be mapped into the Kerberos realms @samp{COM} and +@end ifset +@ifclear CYGNUS +these hosts would be mapped into the Kerberos realms @samp{EDU} and +@end ifclear +@samp{ORG}, respectively. + +@node logging, capaths, domain_realm, krb5.conf +@subsection [logging] +The [logging] section indicates how a particular entity is to perform +its logging. The relations in this section assign one or more values to +the entity name. Currently, the following entities are used: + +@table @b +@itemx kdc +These entries specify how the KDC is to perform its logging. + +@itemx admin_server +These entries specify how the administrative server +is to perform its logging. + +@itemx default +These entries specify how to perform logging in the +absence of explicit specifications otherwise. +@end table + +Values are of the following forms: + +@table @b +@itemx FILE=<filename> + +@itemx FILE:<filename> +This value causes the entity's logging messages to go to the specified +file. If the @samp{=} form is used, the file is overwritten. If the +@samp{:} form is used, the file is appended to. + +@itemx STDERR +This value causes the entity's logging messages to go to its standard +error stream. + +@itemx CONSOLE +This value causes the entity's logging messages to go to the console, if +the system supports it. + +@itemx DEVICE=<devicename> +This causes the entity's logging messages to go to the specified device. + +@itemx SYSLOG[:<severity>[:<facility>]] +This causes the entity's logging messages to go to the system log. + +The @dfn{severity} argument specifies the default severity of system log +messages. This may be any of the following severities supported by the +@code{syslog(3)} call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT, +LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG. +For example, a value of @samp{CRIT} would specify LOG_CRIT severity. + +The facility argument specifies the facility under which the messages +are logged. This may be any of the following facilities supported by +the syslog(3) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL, +LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and +LOG_LOCAL0 through LOG_LOCAL7. + +If no severity is specified, the default is ERR. If no facility is +specified, the default is AUTH. +@end table + +In the following example, the logging messages from the KDC will go to +the console and to the system log under the facility LOG_DAEMON with +default severity of LOG_INFO; and the logging messages from the +administrative server will be appended to the file /var/adm/kadmin.log +and sent to the device /dev/tty04. + +@smallexample +@group +[logging] + kdc = CONSOLE + kdc = SYSLOG:INFO:DAEMON + admin_server = FILE:/var/adm/kadmin.log + admin_server = DEVICE=/dev/tty04 +@end group +@end smallexample + +@node capaths, kdc, logging, krb5.conf +@subsection [capaths] + +In order to perform direct (non-hierarchical) cross-realm +authentication, a database is needed to construct the authentication +paths between the realms. This section defines that database. + +A client will use this section to find the authentication path between +its realm and the realm of the server. The server will use this section +to verify the authentication path used be the client, by checking the +transited field of the received ticket. + +There is a tag for each participating realm, and each tag has subtags +for each of the realms. The value of the subtags is an intermediate +realm which may participate in the cross-realm authentication. The +subtags may be repeated if there is more then one intermediate realm. A +value of "." means that the two realms share keys directly, and no +intermediate realms should be allowd to participate. + +There are n**2 possible entries in this table, but only those entries +which will be needed on the client or the server need to be present. +The client needs a tag for its local realm, with subtags for all the +realms of servers it will need to authenticate with. A server needs a +tag for each realm of the clients it will serve. + +For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET +realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV +which will authenticate with NERSC.GOV but not PNL.GOV. The [capath] +section for ANL.GOV systems would look like this: + +@smallexample +@group +[capaths] + ANL.GOV = @{ + TEST.ANL.GOV = . + PNL.GOV = ES.NET + NERSC.GOV = ES.NET + ES.NET = . + @} + TEST.ANL.GOV = @{ + ANL.GOV = . + @} + PNL.GOV = @{ + ANL.GOV = ES.NET + @} + NERSC.GOV = @{ + ANL.GOV = ES.NET + @} + ES.NET = @{ + ANL.GOV = . + @} +@end group +@end smallexample + +The [capath] section of the configuration file used on NERSC.GOV systems +would look like this: + +@smallexample +@group +[capaths] + NERSC.GOV = @{ + ANL.GOV = ES.NET + TEST.ANL.GOV = ES.NET + TEST.ANL.GOV = ANL.GOV + PNL.GOV = ES.NET + ES.NET = . + @} + ANL.GOV = @{ + NERSC.GOV = ES.NET + @} + PNL.GOV = @{ + NERSC.GOV = ES.NET + @} + ES.NET = @{ + NERSC.GOV = . + @} + TEST.ANL.GOV = @{ + NERSC.GOV = ANL.GOV + NERSC.GOV = ES.NET + @} +@end group +@end smallexample + +In the above examples, the ordering is not important, except when the +same subtag name is used more then once. The client will use this to +determing the path. (It is not important to the server, since the +transited field is not sorted.) + +This feature is not currently supported by DCE. DCE security servers +can be used with Kerberized clients and servers, but versions prior to +DCE 1.1 did not fill in the transited field, and should be used with +caution. + +@node kdc, Sample krb5.conf File, capaths, krb5.conf +@subsection [kdc] + +The [kdc] section is used to define configuration information necessary +for a KDC to find the KDC configuration file (@code{kdc.conf}) if it is +not in the default location. The only tag used in this section would be +@samp{profile}, which would be set to the location of the KDC +configuration file. + +@node Sample krb5.conf File, , kdc, krb5.conf +@subsection Sample krb5.conf File + +Here is an example of a generic @code{krb5.conf} file: + +@smallexample +@group +[libdefaults] + ticket_lifetime = 600 + default_realm = @value{PRIMARYREALM} + default_tkt_enctypes = des-cbc-crc + default_tgs_enctypes = des-cbc-crc + +[realms] + @value{PRIMARYREALM} = @{ + kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} + kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN} + admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN} + default_domain = @value{PRIMARYDOMAIN} + @} + @value{SECONDREALM} = @{ + kdc = @value{KDCSERVER}.@value{SECONDDOMAIN} + kdc = @value{KDCSLAVE1}.@value{SECONDDOMAIN} + admin_server = @value{KDCSERVER}.@value{SECONDDOMAIN} + @} + +[domain_realm] + @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} + +@end group +@end smallexample + +@iftex +@vfill +@end iftex + +@node kdc.conf, , krb5.conf, Configuration Files +@section kdc.conf + +The @code{kdc.conf} file contains KDC configuration information, +including defaults used when issuing Kerberos tickets. Normally, you +should install your @code{kdc.conf} file in the directory +@code{@value{ROOTDIR}/var/krb5kdc}. You can override the default +location by setting the environment variable @samp{KRB5_KDC_PROFILE}. + +The @code{kdc.conf} file is set up in the same format as the +@code{krb5.conf} file. (@xref{krb5.conf}.) The @code{kdc.conf} file +may contain any or all of the following three sections: + +@table @b +@itemx kdcdefaults +Contains default values for overall behavior of the KDC. + +@itemx realms +Contains subsections keyed by Kerberos realm names. Each subsection +describes realm-specific information, including where to find the +Kerberos servers for that realm. + +@itemx logging +Contains relations which determine how Kerberos programs are to perform +logging. +@end table + +@menu +* kdcdefaults:: +* realms (kdc.conf):: +* Sample kdc.conf File:: +@end menu + +@node kdcdefaults, realms (kdc.conf), kdc.conf, kdc.conf +@subsection [kdcdefaults] + +The following relation is defined in the [kdcdefaults] section: + +@table @b +@itemx kdc_ports +This relation lists the ports on which the Kerberos server should listen +by default. This list is a comma separated list of integers. If this +relation is not specified, the compiled-in default is usually port 88 +(the assigned Kerberos port) and port 750 (the port used by Kerberos +V4). +@end table + +@node realms (kdc.conf), Sample kdc.conf File, kdcdefaults, kdc.conf +@subsection [realms] + +Each tag in the [realms] section of the file names a Kerberos realm. +The value of the tag is a subsection where the relations in that +subsection define KDC parameters for that particular realm. + +For each realm, the following tags may be specified in the [realms] +subsection: + +@table @b +@itemx acl_file +(String.) Location of the access control list (acl) file that kadmin +uses to determine which principals are allowed which permissions on the +database. The default is @code{@value{ROOTDIR}/var/krb5kdc/kadm5.acl}. + +@itemx admin_keytab +(String.) Location of the keytab file that kadmin uses to authenticate +to the database. The default is +@code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}. + +@itemx database_name +(String.) Location of the Kerberos database for this realm. The +default is @code{@value{ROOTDIR}/var/krb5kdc/principal}. + +@itemx default_principal_expiration +(Absolute time string.) Specifies the default expiration date of +principals created in this realm. + +@itemx default_principal_flags +(Flag string.) Specifies the default attributes of principals created +in this realm. + +@itemx dict_file +(String.) Location of the dictionary file containing strings that are +not allowed as passwords. The default is +@code{@value{ROOTDIR}/var/krb5kdc/kadm5.dict}. + +@itemx encryption_type +(Encryption type string.) Specifies the encryption type used for this +realm. Only "des-cbc-crc" is supported at this time. + +@itemx kadmind_port +(Port number.) Specifies the port that the kadmind daemon is to listen +for this realm. The assigned port for kadmind is 749. + +@itemx key_stash_file +(String.) Specifies the location where the master key has been stored +(via @code{kdb5_util stash}). The default is +@code{@value{ROOTDIR}/var/krb5kdc/.k5.@i{REALM}}, where @i{REALM} is the +Kerberos realm. + +@itemx kdc_ports +(String.) Specifies the list of ports that the KDC is to listen to for +this realm. By default, the value of kdc_ports as specified in the +[kdcdefaults] section is used. + +@itemx master_key_name +(String.) Specifies the name of the master key. + +@itemx master_key_type +(Key type string.) Specifies the master key's key type. Only +"des-cbc-crc" is supported at this time. + +@itemx max_life +(Delta time string.) Specifes the maximum time period for which a +ticket may be valid in this realm. + +@itemx max_renewable_life +(Delta time string.) Specifies the maximum time period during which a +valid ticket may be renewed in this realm. + +@itemx profile +(String.) Location of the Kerberos V5 configuration file, if different +from the default (@code{/etc/krb5.conf}). + +@itemx supported_enctypes +List of key:salt strings. Specifies the default key/salt combinations +of principals for this realm. Since only the encryption type +"des-cbc-crc" is supported, you should set this tag to +@samp{des-cbc-crc:normal}. +@end table + +@node Sample kdc.conf File, , realms (kdc.conf), kdc.conf +@subsection Sample kdc.conf File + +Here's an example of a @code{kdc.conf} file: + +@smallexample +@group +[kdcdefaults] + kdc_ports = 88 + +[realms] + @value{PRIMARYREALM} = @{ + kadmind_port = 749 + max_life = 10h 0m 0s + max_renewable_life = 7d 0h 0m 0s + master_key_type = des-cbc-crc + supported_enctypes = des-cbc-crc:normal + @} + +[logging] + kdc = FILE:@value{ROOTDIR}/var/krb5kdc/kdc.log + admin_server = FILE:@value{ROOTDIR}/var/krb5kdc/kadmin.log + +@end group +@end smallexample + +@node Administrating Kerberos Database Entries, Application Servers, Configuration Files, Top @chapter Administrating the Kerberos Database Your Kerberos database contains all of your realm's Kerberos principals, @@ -1312,8 +1900,8 @@ example: @smallexample @group @b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} create -s -@b{kdb5_util: No such file or directory while setting active database to '/krb5/principal' -Initializing database '@value{ROOTDIR}/lib/krb5kdc/principal' for +@b{kdb5_util: No such file or directory while setting active database to '@value{ROOTDIR}/var/krb5kdc/principal' +Initializing database '@value{ROOTDIR}/var/krb5kdc/principal' for @result{} realm '@value{PRIMARYREALM}', master key name 'K/M@@@value{PRIMARYREALM}' You will be prompted for the database Master Password. @@ -1418,10 +2006,10 @@ kadmin:} @smallexample @group -@b{kadmin:} ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw +@b{kadmin:} ktadd -k @value{ROOTDIR}/var/krb5kdc/kadmind.keytab kadmin/admin kadmin/changepw @b{kadmin: Entry for principal kadmin/admin@@@value{PRIMARYREALM} with kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. + WRFILE:@value{ROOTDIR}/var/krb5kdc/kadmind.keytab. kadmin:} @end group @end smallexample @@ -1466,9 +2054,9 @@ For example: @smallexample @group -@b{kadmin:} ktremove -k /krb5/kadmind.keytab kadmin/admin +@b{kadmin:} ktremove -k @value{ROOTDIR}/var/krb5kdc/kadmind.keytab kadmin/admin @b{kadmin: Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/krb5/kadmind.keytab. + from keytab WRFILE:@value{ROOTDIR}/var/krb5kdc/kadmind.keytab. kadmin:} @end group @end smallexample @@ -1677,174 +2265,17 @@ Database from a Dump File}.) @node Bug Reporting, Appendix, Backups of Secure Hosts, Top @chapter Bug Reporting -In any complex software, there will be bugs. Please send bug reports or -other problems you may uncover to the e-mail address -@b{krb5-bugs@@mit.edu}. Please mention which version of the Kerberos V5 -distribution you are using, and whether you have made any private -changes. Bug reports that include proposed fixes are especially -welcome. If you do include fixes, please send them using either context -diffs or unified diffs (using @samp{diff -c} or @samp{diff -u}, -respectively). +@include send-pr.texinfo @node Appendix, , Bug Reporting, Top @appendix Appendix @menu -* Files:: -* krb5.conf:: -* kdc.conf:: * Errors:: * kadmin Time Zones:: @end menu -@node Files, krb5.conf, Appendix, Appendix -@appendixsec Files - -@node krb5.conf, kdc.conf, Files, Appendix -@appendixsec krb5.conf - -Normally, you should install your @code{krb5.conf} file in the directory -@code{/etc}. However, note that you can override this default through -the environment variable @samp{KRB5_CONFIG}. - -Here is an example of a generic @code{krb5.conf} file: - -@smallexample -@group -[libdefaults] - ticket_lifetime = 600 - default_realm = @value{PRIMARYREALM} - default_tkt_enctypes = des-cbc-crc - default_tgs_enctypes = des-cbc-crc - -[realms] - @value{PRIMARYREALM} = @{ - kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88 - kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88 - kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88 - admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749 - default_domain = @value{PRIMARYDOMAIN} - @} - @} - -[domain_realm] - .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM} - @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} - -[logging] - kdc = FILE:/dev/ttyp9 - admin_server = FILE:/dev/ttyp9 - default = FILE:/dev/ttyp9 -@end group -@end smallexample - -@iftex -@vfill -@end iftex -@page - -Here is an example of a more extensive @code{krb5.conf} file, which -includes a second Kerberos realm and authentication to Kerberos V4 as -well as V5 KDCs in the realm @code{@value{PRIMARYREALM}}: - -@smallexample -@group -[libdefaults] - ticket_lifetime = 600 - default_realm = @value{PRIMARYREALM} - default_tkt_enctypes = des-cbc-crc - default_tgs_enctypes = des-cbc-crc - krb4_srvtab = /etc/srvtab - krb4_config = /usr/krb4/lib/krb.conf - krb4_realms = /usr/krb4/lib/krb.realms - -[realms] - @value{PRIMARYREALM} = @{ - kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88 - kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88 - kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88 - admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749 - default_domain = @value{PRIMARYDOMAIN} - v4_instance_convert = @{ - bleep = @value{PRIMARYDOMAIN} - @} - @} - @value{SECONDREALM} = @{ - kdc = @value{KDCSERVER}.@value{SECONDDOMAIN} - kdc = @value{KDCSLAVE1}.@value{SECONDDOMAIN} - admin_server = @value{KDCSERVER}.@value{SECONDDOMAIN} - @} - -[domain_realm] - .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM} - @value{PRIMARYDOMAIN} = @value{PRIMARYREALM} - .@value{SECONDDOMAIN} = @value{SECONDREALM} - @value{SECONDDOMAIN} = @value{SECONDREALM} -@end group -@end smallexample - -For the KDCs, add a section onto the end of the @code{krb5.conf} file -telling where the @code{kdc.conf} file is located, as in the following -example: - -@smallexample -@group -[kdc] - profile = @value{ROOTDIR}/lib/krb5kdc/kdc.conf - -[logging] - admin_server = FILE:@value{ROOTDIR}/lib/krb5kdc/kadmind.log - kdc = FILE:@value{ROOTDIR}/lib/krb5kdc/kdc.log - default = CONSOLE -@end group -@end smallexample - -@iftex -@vfill -@end iftex -@page - -@node kdc.conf, Errors, krb5.conf, Appendix -@appendixsec kdc.conf - -Normally, you should install your @code{kdc.conf} file in the directory -@code{@value{ROOTDIR}/lib/krb5kdc}. However, note that you can override -this default by a pointer in the KDC's @code{krb5.conf} file, or through -the environment variable @samp{KRB5_KDC_PROFILE}. - -Here's an example of a @code{kdc.conf} file: - -@smallexample -@group -[kdcdefaults] - kdc_ports = 88,750 - -[realms] - @value{PRIMARYREALM} = @{ - profile = /etc/krb5.conf - database_name = @value{ROOTDIR}/lib/krb5kdc/principal - admin_database_name = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5 - admin_database_lockfile = @value{ROOTDIR}/lib/krb5kdc/principal.kadm5.lock - admin_keytab = @value{ROOTDIR}/lib/krb5kdc/kadm5.keytab - acl_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.acl - dict_file = @value{ROOTDIR}/lib/krb5kdc/kadm5.dict - key_stash_file = @value{ROOTDIR}/lib/krb5kdc/.k5.@value{PRIMARYREALM} - kadmind_port = 749 - max_life = 10h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = des-cbc-crc - supported_enctypes = des-cbc-crc:normal - @} -@end group -@end smallexample - -To add Kerberos V4 support, change the @code{supported_enctypes} line to: - -@smallexample - supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 -@end smallexample - -@node Errors, kadmin Time Zones, kdc.conf, Appendix +@node Errors, kadmin Time Zones, Appendix, Appendix @appendixsec Kerberos Error Messages @menu diff --git a/doc/build.texinfo b/doc/build.texinfo index 5852c06..366233d 100644 --- a/doc/build.texinfo +++ b/doc/build.texinfo @@ -37,14 +37,18 @@ link tree for your build tree. The first step in each of these build procedures is to unpack the source distribution. The Kerberos V5 distribution comes in two compressed tar -files. The first file, which is generally named @file{krb5.src.tar.gz}, -contains the sources for all of Kerberos except for the crypto library, -which is found in the file @file{krb5.crypto.tar.gz}. +files. The first file, which is generally named +@file{krb5-1.0.src.tar.gz}, contains the sources for all of Kerberos +except for the crypto library, which is found in the file +@file{krb5-1.0.crypto.tar.gz}. Both files should be unpacked in the same directory, such as -@file{/u1/krb5}. (In the rest of this document, we will assume that you -have chosen to unpack the Kerberos V5 source distribution in this -directory.) +@file{/u1/krb5-1.0}. (In the rest of this document, we will assume that +you have chosen to unpack the Kerberos V5 source distribution in this +directory. Note that the tarfiles will by default all unpack into the +@file{./krb5-1.0} directory, so that if your current directory is +@file{/u1} when you unpack the tarfiles, you will get +@file{/u1/krb5-1.0/src}, etc.) @node Doing the Build, Testing the Build, Unpacking the Sources, Building Kerberos V5 @@ -73,7 +77,7 @@ use the following abbreviated procedure. @enumerate @item - @code{cd /u1/krb5/src} + @code{cd /u1/krb5-1.0/src} @item @code{./configure} @item @@ -96,9 +100,9 @@ you might use the following procedure: @enumerate @item -@code{mkdir /u1/krb5/pmax} +@code{mkdir /u1/krb5-1.0/pmax} @item - @code{cd /u1/krb5/pmax} + @code{cd /u1/krb5-1.0/pmax} @item @code{../src/configure} @item @@ -118,11 +122,11 @@ you might use the following procedure: @enumerate @item - @code{mkdir /u1/krb5/solaris} + @code{mkdir /u1/krb5-1.0/solaris} @item - @code{cd /u1/krb5/solaris} + @code{cd /u1/krb5-1.0/solaris} @item - @code{/u1/krb5/src/util/lndir `pwd`/../src} + @code{/u1/krb5-1.0/src/util/lndir `pwd`/../src} @item @code{./configure} @item @@ -148,9 +152,10 @@ building Kerberos; see @ref{Doing the Build}.): @menu * The DejaGnu Tests:: +* The KADM5 Tests:: @end menu -@node The DejaGnu Tests, , Testing the Build, Testing the Build +@node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build @subsection The DejaGnu Tests Some of the built-in regression tests are setup to use the DejaGnu @@ -158,24 +163,52 @@ framework for running tests. These tests tend to be more comprehensive than the normal built-in tests as they setup test servers and test client/server activities. -DejaGnu may be found wherever GNU software is archived. +DejaGnu may be found wherever GNU software is archived. -Most of the tests are setup to run as a non-privledged user. There are -two series of tests (@samp{rlogind} and @samp{telnetd}) which require -the ability to @samp{rlogin} as root to the local machine. Admittedly, -this does require the use of a @file{.rhosts} file or some other -authenticated means. @footnote{If you are fortunate enough to have a -previous version of Kerberos V5 or V4 installed, and the Kerberos rlogin -is first in your path, you can setup @file{.k5login} or @file{.klogin} -respectively to allow you access.} +Most of the tests are setup to run as a non-privledged user. For some +of the krb-root tests to work properly, either (a) the user running the +tests must not have a .k5login file in the home directory or (b) the +.k5login file must contain an entry for @code{<username>@@KRBTEST.COM}. +There are two series of tests (@samp{rlogind} and @samp{telnetd}) which +require the ability to @samp{rlogin} as root to the local +machine. Admittedly, this does require the use of a @file{.rhosts} file +or some authenticated means. @footnote{If you are fortunate enough to +have a previous version of Kerberos V5 or V4 installed, and the Kerberos +rlogin is first in your path, you can setup @file{.k5login} or +@file{.klogin} respectively to allow you access.} If you cannot obtain root access to your machine, all the other tests will still run. Note however, with DejaGnu 1.2, the "untested testcases" will cause the testsuite to exit with a non-zero exit status which @samp{make} will consider a failure of the testing process. Do not worry about this, as these tests are the last run when @samp{make check} is -executed from the top level of the build tree. - +executed from the top level of the build tree. This problem does not +exist with DejaGnu 1.3. + +@node The KADM5 Tests, , The DejaGnu Tests, Testing the Build +@subsection The KADM5 Tests + +Regression tests for the KADM5 system, including the GSS-RPC, KADM5 +client and server libraries, and kpasswd, are also included in this +release. Each set of KADM5 tests is contained in a sub-directory called +@code{unit-test} directly below the system being tested. For example, +lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all +based on DejaGnu (but they are not actually called part of "The DejaGnu +tests," whose naming predates the inclusion of the KADM5 system). In +addition, they require the Tool Command Language (TCL) header files and +libraries to be available during compilation and some of the tests also +require Perl in order to operate. If all of these resources are not +available during configuration, the KADM5 tests will not run. The TCL +installation directory can be specified with the @code{--with-tcl} +configure option (see @xref{Options to Configure}). The runtest and +perl programs must be in the current execution path. + +If you install DejaGnu, TCL, or Perl after configuring and building +Kerberos and then want to run the KADM5 tests, you will need to +re-configure the tree and run @code{make} at the top level again to make +sure all the proper programs are built. To save time, you actually only +need to reconfigure and build in the directories src/kadmin/testing, +src/lib/rpc, src/lib/kadm5, and src/kpasswd. @node Options to Configure, osconf.h, Testing the Build, Building Kerberos V5 @section Options to Configure @@ -203,6 +236,13 @@ desire a different location use this option. This option allows one to separate the architecture independent programs from the configuration files and manual pages. +@item --localstatedir=DIR + +This option sets the directory for locally modifiable single-machine +data. In Kerberos, this mostly is useful for setting a location for the +KDC data files, as they will be installed in LOCALSTATEDIR/krb5kdc, +which is by default PREFIX/var/krb5kdc. + @item --with-cc=COMPILER Use @code{COMPILER} as the C compiler. @@ -239,10 +279,11 @@ builtin Kerberos V4 library. @item --with-krb4=KRB4DIR -This option enables Kerberos V4 backwards compatibility. The directory -specified by @code{KRB4DIR} specifies where the V4 header files should -be found (@file{/KRB4DIR/include}) as well as where the V4 Kerberos -library should be found (@file{/KRB4DIR/lib}). +This option enables Kerberos V4 backwards compatibility using a +pre-existing Kerberos V4 installation. The directory specified by +@code{KRB4DIR} specifies where the V4 header files should be found +(@file{/KRB4DIR/include}) as well as where the V4 Kerberos library +should be found (@file{/KRB4DIR/lib}). @item --without-krb4 @@ -280,22 +321,12 @@ you're using slave servers!!! It also causes the database to be modified (and thus needing to be locked) frequently. Please note that the implementors do not regularly test this feature. -@item --with-kdb-db=database - -The configuration process will try to determine a working set of -libraries required to implement the Kerberos database. Configure will -look for interfaces that use or emulate a @samp{ndbm} or @samp{dbm} -library. Failing that, a build in copy of the Berkeley DB code will be -used. You may decide to compile a different interface than the default -by specifying one of "ndbm", "dbm", or "db". +@item --with-tcl=TCLPATH -An important note on platforms where the @samp{ndbm} implementation is -based on @sc{GDBM} (such as the Linux Slackware distribution). @sc{GDBM} -has its own built in file locking which prevents simultaneous access to -the database from two separate processes in which one wants to modify -the database while the otherone only wants to read. (i.e. the KDC and -administrative servers). In this case, you will need to specify the use -of the Berkeley DB. +Some of the unit-tests in the build tree rely upon using a program in +Tcl. The directory specified by @code{TCLPATH} specifies where the Tcl +header file (@file{/TCLPATH/include/tcl.h} as well as where the Tcl +library should be found (@file{/TCLPATH/lib}). @end table @@ -330,11 +361,6 @@ realms, their KDCs, etc. The profile file format is no longer the same format as Kerberos V4's @file{krb.conf} file. -@item DEFAULT_LNAME_FILENAME - -The pathname to the database that maps authentication names to local -account names. See kdb5_anadd(8). - @item DEFAULT_KEYTAB_NAME The type and pathname to the default server keytab file (the equivalent @@ -371,7 +397,7 @@ of the libraries may be installed on the same system and continue to work. Currently the supported platforms are: NetBSD 1.0A, AIX 3.2.5, AIX 4.1, -Solaris 5.3, Alpha OSF/1 >= 2.1, HP-UX >= 9.X. +Solaris 2.4 (aka SunOS 5.4), Alpha OSF/1 >= 2.1, HP-UX >= 9.X. To enable shared libraries on the above platforms, run the configure script with the option @samp{--enable-shared}. @@ -503,10 +529,6 @@ LD_LIBRARY_PATH environment variable when you compile it. Alternatively you can use the @code{-i} option to @samp{cc}, by using the specifying @code{--with-ccopts=-i} option to @samp{configure}. -Shared library support only works when using the Sunsoft C compiler. We -are currently using version 3.0.1. (The latest GCC may work; this -needs to be tested.) - @node SGI Irix 5.X, Ultrix 4.2/3, Solaris 2.X, OS Incompatibilities @subsection SGI Irix 5.X @@ -581,7 +603,7 @@ that you have made a change that will require that all the @code{--force} option: @example -% cd /u1/krb5/src +% cd /u1/krb5-1.0/src % ./util/reconf --force @end example @@ -601,7 +623,7 @@ Then follow the instructions for building packaged source trees (above). To install the binaries into a binary tree, do: @example -% cd /u1/krb5/src +% cd /u1/krb5-1.0/src % make all % make install DESTDIR=somewhere-else @end example diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo index a91a9ad..04601e2 100644 --- a/doc/copyright.texinfo +++ b/doc/copyright.texinfo @@ -23,9 +23,9 @@ It is provided ``as is'' without express or implied warranty. @vskip 12pt @end iftex -The following copyright and permission notice applies to the -OpenVision Kerberos Administration system located in kadmin/create, -kadmin/dbutil, kadmin/server, lib/kadm, and portions of lib/rpc: +The following copyright and permission notice applies to the OpenVision +Kerberos Administration system located in kadmin/create, kadmin/dbutil, +kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc: @quotation Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved @@ -36,20 +36,22 @@ terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code -compiled from it, but this Source Code is provided to you "AS IS" -EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES -OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER -WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE -ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT -OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR -CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT -LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE -FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON. +compiled from it, with or without modification, but this Source Code is +provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT +LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A +PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. +IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, +LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR +FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS +AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE +OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR +ANY OTHER REASON. -OpenVision retains all rights, title, and interest in the donated Source -Code. With respect to OpenVision's copyrights in the donated Source -Code, OpenVision also retains rights to derivative works of the Source -Code whether created by OpenVision or a third party. +OpenVision retains all copyrights in the donated Source Code. OpenVision +also retains copyright to derivative works of the Source Code, whether +created by OpenVision or by a third party. The OpenVision copyright +notice must be preserved if derivative works are made based on the +donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo index 93cc3b9..19b2b0f 100644 --- a/doc/definitions.texinfo +++ b/doc/definitions.texinfo @@ -23,8 +23,8 @@ @set PREVRELEASE beta 7 @set INSTALLDIR /usr/@value{LCPRODUCT} @set PREVINSTALLDIR @value{INSTALLDIR} -@set ROOTDIR /usr/@value{LCPRODUCT} -@set BINDIR /usr/@value{LCPRODUCT}/bin +@set ROOTDIR /usr/local +@set BINDIR /usr/local/bin @set SECONDDOMAIN fubar.org @set SECONDREALM FUBAR.ORG @set UPDATED @today diff --git a/doc/install.texinfo b/doc/install.texinfo index 216abf9..1945cc0 100644 --- a/doc/install.texinfo +++ b/doc/install.texinfo @@ -123,10 +123,17 @@ installation procedure is somewhat involved, and requires forethought and planning. @value{COMPANY} has attempted to make this @value{PRODUCT} Installation Guide as concise as possible, rather than making it an exhaustive description of the details of Kerberos. +@ifset CYGNUS Consequently, everything in this guide appears because @value{COMPANY} believes that it is important. Please read and follow these instructions carefully, and if there is anything you do not understand or are not sure of, please don't hesitate to call us. +@end ifset +@ifclear CYGNUS +Consequently, everything in this guide appears because @value{COMPANY} +believes that it is important. Please read and follow these +instructions carefully. +@end ifclear @node Overview of This Guide, , Please Read the Documentation, Introduction @section Overview of This Guide @@ -237,6 +244,12 @@ hostname-by-hostname basis. Since greater specificity takes precedence, you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. +The @value{PRODUCT} System Administrator's Guide contains a thorough +description of the parts of the @code{krb5.conf} file and what may be +specified in each. A sample @code{krb5.conf} file appears in +@ref{krb5.conf}. You should be able to use this file, substituting the +relevant information for your Kerberos instllation for the samples. + @node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions @section Ports for the KDC and Admin Services @@ -271,9 +284,10 @@ Have at least one slave KDC as a backup, for when the master KDC is down, is being upgraded, or is otherwise unavailable. @item -If your network is split such that a network outage is likely to cause -some segment or segments of the network to become cut off or isolated, -have a slave KDC accessible to each segment. +If your network is split such that a network outage is likely to cause a +network partition (some segment or segments of the network to become cut +off or isolated from other segments), have a slave KDC accessible to +each segment. @item If possible, have at least one slave KDC in a different building from @@ -304,7 +318,7 @@ effect. If the propagation time is longer than this maximum reasonable time (@i{e.g.,} you have a particularly large database, you have a lot of -slaves, and/or you experience frequent network delays), you may wish to +slaves, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the master KDC propagate the database to one set of slaves, and then have each of these slaves propagate the database @@ -359,12 +373,12 @@ regular intervals. All database changes (such as password changes) are made on the master KDC. Slave KDCs provide Kerberos ticket-granting services, but not database -access. This allows clients to continue to obtain tickets when the -master KDC is unavailable. +administration. This allows clients to continue to obtain tickets when +the master KDC is unavailable. -@value{COMPANY}'s recommends that you install all of your KDCs to be -able to function as either the master or one of the slaves. This will -enable you to easily switch your master KDC with one of the slaves if +@value{COMPANY} recommends that you install all of your KDCs to be able +to function as either the master or one of the slaves. This will enable +you to easily switch your master KDC with one of the slaves if necessary. (@xref{Switching Master and Slave KDCs}.) This installation procedure is based on that recommendation. @@ -401,9 +415,20 @@ Modify the configuration files, @code{/etc/krb5.conf} (@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf} (@pxref{kdc.conf}) to reflect the correct information (such as the hostnames and realm name) for your realm. @value{COMPANY} recommends -that you keep @code{krb5.conf} in @code{/etc}. The @code{krb5.conf} -file may contain a pointer to @code{kdc.conf}, which you need to change -if you want to move @code{kdc.conf} to another location. +that you keep @code{krb5.conf} in @code{/etc}. + +Among the settings in your @code{/etc/krb5.conf} file, be sure to create +a @code{[logging]} stanza so that the KDC and kadmind will generate +logging output. For example: + +@smallexample +@group +[logging] + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmin.log + default = FILE:/var/log/krb5lib.log +@end group +@end smallexample @node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC @subsubsection Create the Database @@ -430,11 +455,10 @@ words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your username in any form (@i{e.g.}, forward, backward, repeated twice, @i{etc.}), and any of the sample keys that appear in this manual. One example of a key which -would be good if it did not appear in this manual is ``MITiys4K5!'', -which represents the sentence ``@value{COMPANY} is your source for -Kerberos 5!'' (It's the first letter of each word, substituting the -numeral ``4'' for the word ``for'', and includes the punctuation mark at -the end.) +might be good if it did not appear in this manual is ``MITiys4K5!'', +which represents the sentence ``MIT is your source for Kerberos 5!'' +(It's the first letter of each word, substituting the numeral ``4'' for +the word ``for'', and includes the punctuation mark at the end.) The following is an example of how to create a Kerberos database and stash file on the master KDC, using the @code{kdb5_util} command. (The @@ -554,7 +578,10 @@ instance ``root'', you would add the following line to the acl file: Next you need to add administrative principals to the Kerberos database. (You must add at least one now.) To do this, use @code{kadmin.local} -@emph{on the master KDC}, as in the following example: +@emph{on the master KDC}. The administrative principals you create +should be the ones you added to the ACL file (see @xref{Add +Administrators to the Acl File}). In the following example, the +administration principal @code{admin/admin} is created: @smallexample @group @@ -575,6 +602,8 @@ kadmin.local:} @end group @end smallexample + + @node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC @subsubsection Create a kadmind Keytab @@ -628,6 +657,21 @@ these daemons to start up automatically at boot time, you can add them to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to have a stash file in order to do this. +You can verify that they started properly by checking for their startup +messages in the logging locations you defined in @code{/etc/krb5.conf} +(see @xref{Edit the Configuration Files}). For example: + +@smallexample +@b{shell%} tail /var/log/krb5kdc.log +Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation +@b{shell%} tail /var/log/kadmin.log +Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting +@end smallexample + +Any errors the daemons encounter while starting will also be listed in +the logging output. + + @node Install the Slave KDCs, Back on the Master KDC, Install the Master KDC, Installing KDCs @subsection Install the Slave KDCs @@ -657,15 +701,15 @@ named @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} and @smallexample @group @b{shell%} @value{ROOTDIR}/sbin/kadmin -@b{kadmin:} addprinc -randpass host/@value{KDCSERVER}.@value{PRIMARYDOMAIN} +@b{kadmin:} addprinc -randkey host/@value{KDCSERVER}.@value{PRIMARYDOMAIN} @b{WARNING: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; defaulting to no policy. Principal "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created. -kadmin:} addprinc -randpass host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} +kadmin:} addprinc -randkey host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @b{WARNING: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; defaulting to no policy. Principal "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.} -@b{kadmin:} addprinc -randpass host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN} +@b{kadmin:} addprinc -randkey host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN} @b{WARNING: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}"; defaulting to no policy. Principal "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created. @@ -758,8 +802,8 @@ KDC: kerberos 88/udp kdc # Kerberos authentication (udp) kerberos 88/tcp kdc # Kerberos authentication (tcp) krb5_prop 754/tcp # Kerberos slave propagation -kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp) -kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp) +kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp) +kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp) eklogin 2105/tcp # Kerberos encrypted rlogin @end group @end smallexample @@ -1350,7 +1394,8 @@ terminology. @node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top @chapter Bug Reports for @value{PRODUCT} -@include bug-report.texinfo + +@include send-pr.texinfo @node Files, , Bug Reports for Kerberos V5, Top @appendix Files diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo index 2ff2b3e..c24fe7c 100644 --- a/doc/krb425.texinfo +++ b/doc/krb425.texinfo @@ -5,9 +5,9 @@ @c guide @setfilename Kerberos-V4-to-V5.info @settitle Upgrading to Kerberos V5 from Kerberos V4 -@c @setchapternewpage odd @c chapter begins on next odd page -@setchapternewpage on @c chapter begins on next page -@smallbook @c Format for 7" X 9.25" paper +@setchapternewpage odd @c chapter begins on next odd page +@c @setchapternewpage on @c chapter begins on next page +@c @smallbook @c Format for 7" X 9.25" paper @c %**end of header @paragraphindent 0 @@ -34,15 +34,13 @@ @include copyright.texinfo @end titlepage -@node Top, Introduction, (dir), (dir) +@node Top, Copyright, (dir), (dir) @ifinfo This document describes how to convert to @value{PRODUCT} from Kerberos V4. -@include copyright.texinfo -@end ifinfo - @menu +* Copyright:: * Introduction:: * Configuration Files:: * Upgrading KDCs:: @@ -51,7 +49,13 @@ This document describes how to convert to @value{PRODUCT} from Kerberos V4. * Firewall Considerations:: @end menu -@node Introduction, Configuration Files, Top, Top +@node Copyright, Introduction, Top, Top +@unnumbered Copyright +@include copyright.texinfo + +@end ifinfo + +@node Introduction, Configuration Files, Copyright, Top @chapter Introduction As with most software upgrades, @value{PRODUCT} is generally backward @@ -266,6 +270,7 @@ telnet stream tcp nowait root @end group @end smallexample +@ifset CYGNUS @strong{N.B.}: As noted in the @value{PRODUCT} Installation Guide, if you have some clients running older versions of Kerberos V5 (beta 6@footnote{@value{PRODUCT} is based on the MIT beta 7 release.} or @@ -273,6 +278,15 @@ earlier), checksums were done differently in those versions, which will cause authentication to fail. To get around this problem, have the @code{klogind} and @code{kshd} daemons ignore checksums, by replacing each @code{-c} flag above with @code{-i}. +@end ifset +@ifclear CYGNUS +@strong{N.B.}: As noted in the @value{PRODUCT} Installation Guide, if +you have some clients running older versions of Kerberos V5 (beta 6 or +earlier), checksums were done differently in those versions, which will +cause authentication to fail. To get around this problem, have the +@code{klogind} and @code{kshd} daemons ignore checksums, by replacing +each @code{-c} flag above with @code{-i}. +@end ifclear For an @emph{insecure} server, make the changes described in the @value{PRODUCT} Installation Guide. @@ -288,7 +302,7 @@ follows: @group @b{#} @value{ROOTDIR}/sbin/ktutil @b{ktutil:} rst /etc/krb-srvtab -@b{ktutil:} wkt /etc/v5srvtab +@b{ktutil:} wkt /etc/krb5.keytab @b{ktutil:} q @b{#} @end group diff --git a/doc/krb5-protocol/krb5.constants b/doc/krb5-protocol/krb5.constants index ed70559..e7cc5b8 100644 --- a/doc/krb5-protocol/krb5.constants +++ b/doc/krb5-protocol/krb5.constants @@ -13,6 +13,8 @@ des-cbc-md4 2 8 0 8 des-cbc-md5 3 8 0 8 <reserved> 4 des3-cbc-md5 5 8 0 8 +<reserved> 6 +des3-cbc-sha1 7 8 0 8 <reserved> 0x8003 -------------------------------+-------------------+------------- @@ -26,7 +28,10 @@ des-mac-k 5 8 rsa-md4-des-k 6 16 rsa-md5 7 16 rsa-md5-des 8 24 -rsa-md5-des3 9 24 +<reserved> 9 +<reserved> 10 +nist-sha1 11 20 +hmac-sha1-des3 12 20 -------------------------------+----------------- padata type |padata-type value @@ -42,6 +47,8 @@ PA-OSF-DCE 8 PA-CYBERSAFE-SECUREID 9 PA-AFS3-SALT 10 PA-ETYPE-INFO 11 +PAM-SAM-CHALLENGE 12 +PAM-SAM-RESPONSE 13 -------------------------------+------------- authorization data type |ad-type value @@ -120,6 +127,7 @@ KDC_ERR_KEY_EXPIRED 23 Password has expired - change to reset KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authentication required* KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match +KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid diff --git a/doc/send-pr.texinfo b/doc/send-pr.texinfo index 628b141..f4980a4 100644 --- a/doc/send-pr.texinfo +++ b/doc/send-pr.texinfo @@ -1,82 +1,63 @@ -If you have problems installing @value{PRODUCT}, please use the -@code{send-pr} program to fill out a Problem Report. +In any complex software, there will be bugs. If you have successfully +built and installed @value{PRODUCT}, please use the +@code{krb5-send-pr} program to fill out a Problem Report. -The @code{send-pr} program is installed in the directory -@code{@value{ROOTDIR}/bin}. - -@need 1100 -Before using @code{send-pr} for the first time, you need to install your -customer support ID into the program, by typing the command: - -@smallexample -@b{shell%} install-sid @i{customerID} -@end smallexample - -@noindent replacing @i{customerID} with your customer ID, which your -sales representative will supply. - -The @code{send-pr} program enters the problem report into our Problem -Report Management System (PRMS), which automatically assigns it to the -engineer best able to help you with problems in the assigned category. -The engineer will work with you via email, telephone, or both, and all -email related to this Problem Report will be tracked by PRMS for future -reference. If the engineer does not reply to you after a certain time, -a reminder is automatically generated. If you need to talk to someone -else in our organization about the problem (@i{e.g.}, if the engineer -gets hit by a truck), we can find out what the current state is through -the PR number. @value{COMPANY} uses PRMS for almost all of the real -problems we handle. - -The @code{send-pr} program will try to intelligently fill in as many -fields as it can. You need to choose the @dfn{category}, @dfn{class}, -@dfn{severity}, and @dfn{priority} of the problem, as well as giving us -as much information as you can about its exact nature. +Bug reports that include proposed fixes are especially welcome. If you +do include fixes, please send them using either context diffs or unified +diffs (using @samp{diff -c} or @samp{diff -u}, respectively). + +The @code{krb5-send-pr} program is installed in the directory +@code{@value{ROOTDIR}/sbin}. + +The @code{krb5-send-pr} program enters the problem report into our +Problem Report Management System (PRMS), which automatically assigns it +to the engineer best able to help you with problems in the assigned +category. The engineer will work with you via email, telephone, or +both, and all email related to this Problem Report will be tracked by +PRMS for future reference. If you need to talk to someone else in our +organization about the problem (@i{e.g.}, if the engineer gets hit by a +truck), we can find out what the current state is through the PR number. + +The @code{krb5-send-pr} program will try to intelligently fill in as +many fields as it can. You need to choose the @dfn{category}, +@dfn{class}, @dfn{severity}, and @dfn{priority} of the problem, as well +as giving us as much information as you can about its exact nature. @need 1000 The PR @b{category} will be one of: @smallexample @group -kerberos kerbnet doc help-request -info-request install query-pr id-request -send-pr +krb5-admin krb5-appl krb5-build krb5-clients +krb5-doc krb5-kdc krb5-libs krb5-misc +pty telnet test @end group @end smallexample -In general, if specific knowledge about Kerberos is requried to answer a -PR, use the @i{kerberos} or @i{doc} categories. The @i{install} -category is for problems retrieving the code off the media (@i{e.g.}, -the data on a tape seems to be corrupted.) Questions about the -installation procedures described in this document would fall under the -category @i{kerberos}. The @i{help-request} and @i{info-request} -categories are for general questions about your contract, or other -issues not necessarily related to @value{PRODUCT}. Use @i{query-pr} to -receive a current copy of your Problem Report, @i{id-request} if you -need a customer ID, and @i{send-pr} if you're having trouble using -send-pr. If your question is related to @value{PRODUCT} and you're not -sure what the most appropriate category should be, use @i{kerberos}. -The engineer can change the category if necessary. +@noindent +Choose the category that best describes the area under which your +problem falls. The @b{class} can be @dfn{sw-bug}, @dfn{doc-bug}, @dfn{change-request}, -or @dfn{support}. The first two are exactly as their names imply. The -@i{change-request} class is to inform us of changes, such as new email -addresses or new contact information. The @i{support} class is intended -for general questions about using the @value{PRODUCT} clients or -libraries. +or @dfn{support}. The first two are exactly as their names imply. Use +@i{change-request} when the software is behaving according to +specifications, but you want to request changes in some feature or +behavior. The @i{support} class is intended for more general questions +about building or using @value{PRODUCT}. The @b{severity} of the problem indicates the problem's impact on the -usability of the @value{PRODUCT} software package. If a problem is -@dfn{critical}, that means the product, component or concept is -completely non-operational, or some essential functionality is missing, -and no workaround is known. A @dfn{serious} problem is one in which the -product, component or concept is not working properly or significant -functionality is missing. Problems that would otherwise be considered -@i{critical} are rated @i{serious} when a workaround is known. A -@dfn{non-critical} problem is one that is indeed a problem, but one that -is having a minimal affect on your ability to use @value{PRODUCT}. -@i{E.g.}, The product, component or concept is working in general, but -lacks features, has irritating behavior, does something wrong, or -doesn't match its documentation. The default severity is @i{serious}. +usability of @value{PRODUCT}. If a problem is @dfn{critical}, that +means the product, component or concept is completely non-operational, +or some essential functionality is missing, and no workaround is known. +A @dfn{serious} problem is one in which the product, component or +concept is not working properly or significant functionality is missing. +Problems that would otherwise be considered @i{critical} are rated +@i{serious} when a workaround is known. A @dfn{non-critical} problem is +one that is indeed a problem, but one that is having a minimal affect on +your ability to use @value{PRODUCT}. @i{E.g.}, The product, component +or concept is working in general, but lacks features, has irritating +behavior, does something wrong, or doesn't match its documentation. The +default severity is @i{serious}. The @b{priority} indicates how urgent this particular problem is in relation to your work. Note that low priority does not imply low @@ -94,10 +75,8 @@ you are faced with a hard deadline. Conversely, a serious problem might have a low priority if the feature it is disabling is one that you do not need. -The @b{release} is as labeled on the software that was shipped. -@i{e.g.}, @code{kerbnet-@value{RELEASE}}. It is important that you tell -us which release you are using, and whether or not you have made any -private changes. +It is important that you fill in the @i{release} field and tell us +what changes you have made, if any. Bug reports that include proposed fixes are especially welcome. If you include proposed fixes, please send them using either context diffs @@ -113,50 +92,35 @@ look like this: @smallexample @group -To: bugs@@cygnus.com -Subject: "KDC reply did not match expectations" error -From: joe.smith@@toasters.com -Reply-To: joe.smith@@toasters.com -X-send-pr-version: 3.97-96q1 - ->Submitter-Id: toastersinc ->Confidential: yes ->Originator: Joe Smith (+1 415 903 1400) ->Organization: ------ -Joe Smith joe.smith@@toasters.com -Toasters, Inc. - ``The best UI in the world'' +To: krb5-bugs@@mit.edu +Subject: misspelled "Kerberos" in title of installation guide +From: jcb +Reply-To: jcb +Cc: +X-send-pr-version: 3.99 ->Synopsis: "KDC reply did not match expectations" error message + +>Submitter-Id: mit +>Originator: Jeffrey C. Gilman Bigler +>Organization: +mit +>Confidential: no +>Synopsis: Misspelled "Kerberos" in title of installation guide >Severity: non-critical >Priority: low ->Category: kerberos ->Class: sw-bug ->Release: kerbnet-1.0 +>Category: krb5-doc +>Class: doc-bug +>Release: 1.0-development >Environment: -NetBSD viola 1.1 NetBSD 1.1 (ATHENAADP) #0: Tue May 21 00:31:42 EDT 1996 -i386 -System: Intel P166 -Architecture: NetBSD - + <machine, os, target, libraries (multiple lines)> +System: ULTRIX imbrium 4.2 0 RISC +Machine: mips >Description: - <description of problem goes here> - Getting "KDC reply did not match expectations" message. This - does not seem to be affecting anything else. - + Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide" >How-To-Repeat: - <A code sample is worth a thousand words.> - <If the Problem Report is marked ``Confidential: yes'',> - <it will not be available to anyone but our engineers,> - <please contact us if you are concerned about sensitive source> - <code.> - It happens when I type kinit. - + N/A >Fix: - <If you have already found a correct way to stop this problem,> - <please let us know!> - None. Sorry. + Correct the spelling. @end group @end smallexample @@ -164,40 +128,7 @@ Architecture: NetBSD @vfill @end iftex -@page -If the @code{send-pr} program does not work for you, you can use the -following template instead: - -@smallexample -@group -To: bugs@@cygnus.com -Subject: -From: -Reply-To: -X-send-pr-version: none (typed manually) - ->Submitter-Id: ->Originator: ->Organization: - <organization of PR author (multiple lines)> ->Confidential: <[ yes | no ] (one line)> ->Synopsis: <synopsis of the problem (one line)> ->Severity: <[ non-critical | serious | critical ] (one line)> ->Priority: <[ low | medium | high ] (one line)> ->Category: <name of the product (one line)> ->Class: <[ sw-bug | doc-bug | change-request | support ] (one line)> ->Release: cns-9?q? ->Environment: - <machine, os, target, libraries (multiple lines)> -System: -Architecture: - - ->Description: - <precise description of the problem (multiple lines)> ->How-To-Repeat: - <code/input/activities to reproduce the problem (multiple lines)> ->Fix: - <how to correct or work around the problem, if known (multiple lines)> -@end group -@end smallexample +If the @code{krb5-send-pr} program does not work for you, or if you did +not get far enough in the process to have an installed and working +@code{krb5-send-pr}, you can generate your own form, using the above as +an example. diff --git a/src/ChangeLog b/src/ChangeLog index f89bb96..aadb2fd 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,23 @@ +Mon Nov 25 19:42:53 1996 Tom Yu <tlyu@mit.edu> + + * Makefile.in: Comment out distclean and realclean so no one will + be tempted to use them. [PR 222] + +Fri Nov 22 23:51:07 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * Makefile.in: All changes for the Macintosh port. Translate '%' + characters in Macfile.tmpl to '/' characters. Include the + mac/SAP directory in the kerbsrc.mac.tar tarball. Rename + the kerbsrc.tar tarball to kerbsrc.mac.tar, so that the + target name in the Makefile matches the taget which is + actually generated. Use mac/mkbindirs.sh to build the + binary hierarchy for the Macintosh build process. + +Wed Nov 20 13:28:00 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * Makefile.in (awk-windows-mac): Copy gssapi.hin to gssapi.h to + make Win16 build work. + Thu Nov 7 23:55:02 1996 Tom Yu <tlyu@voltage-multiplier.mit.edu> * aclocal.m4 (LinkFileDir, LinkFile): AC_REQUIRE the AC_LN_S macro diff --git a/src/Makefile.in b/src/Makefile.in index 738aa40..810ba1e 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -63,11 +63,14 @@ clean-unix:: mostlyclean: clean -distclean: clean - rm -f Makefile config.status - -realclean: distclean - rm -f TAGS +# This doesn't work; if you think you need it, you should use a +# separate build directory. +# +# distclean: clean +# rm -f Makefile config.status +# +# realclean: distclean +# rm -f TAGS dist: $(DISTFILES) echo cpio-`sed -e '/version_string/!d' \ @@ -220,7 +223,7 @@ FILES= ./* \ WINFILES= windows/* windows/cns/* windows/wintel/* windows/gss/* MACFILES= mac/* mac/kconfig/* mac/libraries/* mac/telnet-k5-auth/* \ - mac/gss-sample/* config/* include/* include/krb5/* \ + mac/gss-sample/* mac/SAP/* config/* include/* include/krb5/* \ include/krb5/asn.1/* include/krb5/stock/* include/sys/* \ ./patchlevel.h @@ -235,7 +238,8 @@ CLEANUP= util/profile/profile.h util/profile/prof_err.[ch] \ include/adm_err.h include/profile.h include/krb5.h \ include/krb5/osconf.h \ lib/gssapi/generic/gssapi_err_generic.[ch] \ - lib/gssapi/krb5/gssapi_err_krb5.[ch] winfile.list macfile.list + lib/gssapi/krb5/gssapi_err_krb5.[ch] winfile.list macfile.list \ + lib/gssapi/generic/gssapi.h kerbsrc.win: kerbsrc.zip @@ -299,13 +303,22 @@ Macfile: macfile.list Makefile.sav -e 's/^/:bin:PPC:/' macsrcsk5` >> Macfile echo INCLUDES = `sed -n -e 's/\(.*:\)[^:]*\.h$$/-i \1/p' macfile.maclist | sort -u` >> Macfile echo "" >> Macfile - tr '/:\\' ':\304\266'< mac/Makefile.tmpl >> Macfile + tr '%/:\\' '/:\304\266'< mac/Makefile.tmpl >> Macfile + +mac-bin-dirs: + rm -rf bin + mkdir bin bin/68K bin/CFM-68K bin/PPC + sh mac/mkbindirs.sh bin/68K $(MAC_SUBDIRS) + sh mac/mkbindirs.sh bin/CFM-68K $(MAC_SUBDIRS) + sh mac/mkbindirs.sh bin/PPC $(MAC_SUBDIRS) -kerbsrc.mac: awk-windows-mac macfile.list Macfile +kerbsrc.mac.tar: awk-windows-mac macfile.list Macfile cp mac/libraries/autoconf.h include/autoconf.h mv Macfile Makefile - tar cvf kerbsrc.tar Makefile include/autoconf.h `cat macfile.list` + tar cvf kerbsrc.mac.tar Makefile include/autoconf.h bin \ + `cat macfile.list` rm -f $(CLEANUP) + rm -rf bin rm -f include/autoconf.h Makefile macsrc* macfile.maclist mv Makefile.sav Makefile @@ -343,3 +356,4 @@ awk-windows-mac: cat $(PR)/profile.hin $(PR)prof_err.h > $(PR)profile.h cp $(PR)profile.h include/profile.h cp $(INC)/krb5/stock/osconf.h $(INC)/krb5 + cp $(GG)gssapi.hin $(GG)gssapi.h diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index f9aa5ad..a0f9faf 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,30 @@ +Fri Dec 6 00:53:08 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * v4rcp.c: Extend the platform-specific braindamage so that + FreeBSD works. This whole file is eventually going to + need serious rototilling to make it even vaguely correct. + [PR #284] + +Fri Dec 6 00:02:25 1996 Tom Yu <tlyu@mit.edu> + + * loginpaths.h: Add catch-all entries for LPATH and RPATH in case + we run across something that we haven't hardcoded paths for + yet. [267] + +Thu Dec 5 21:58:28 1996 Tom Yu <tlyu@mit.edu> + + * login.M: v5srvtab -> krb5.keytab [279] + +Sun Nov 24 23:35:22 1996 Ezra Peisach <epeisach@mit.edu> + + * login.c (try_afscall): Change to take pointer to function + instead of only calling setpag(). [krb5-appl/190] + +Fri Nov 22 15:46:46 1996 unknown <bjaspan@mit.edu> + + * kcmd.c (kcmd): use sizeof instead of h_length to determine + number of bytes of addr to copy from DNS response [krb5-misc/211] + Thu Nov 14 14:30:28 1996 Barry Jaspan <bjaspan@mit.edu> * krcp.c: don't print our own error message if kcmd returns -1 (it diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c index 4b66c37..6f45835 100644 --- a/src/appl/bsd/kcmd.c +++ b/src/appl/bsd/kcmd.c @@ -180,7 +180,7 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, return (-1); } sin.sin_family = hp->h_addrtype; - memcpy((caddr_t)&sin.sin_addr,hp->h_addr, hp->h_length); + memcpy((caddr_t)&sin.sin_addr,hp->h_addr, sizeof(sin.sin_addr)); sin.sin_port = rport; if (connect(s, (struct sockaddr *)&sin, sizeof (sin)) >= 0) break; @@ -200,7 +200,7 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm, perror(0); hp->h_addr_list++; memcpy((caddr_t)&sin.sin_addr,hp->h_addr_list[0], - hp->h_length); + sizeof(sin.sin_addr)); fprintf(stderr, "Trying %s...\n", inet_ntoa(sin.sin_addr)); continue; diff --git a/src/appl/bsd/login.M b/src/appl/bsd/login.M index 0603d16..f48fd0c 100644 --- a/src/appl/bsd/login.M +++ b/src/appl/bsd/login.M @@ -25,7 +25,7 @@ possible.) It will also attempt to run .I aklog to get \fIAFS\fP tokens for the user. The version 5 tickets will be tested against a local -.I v5srvtab +.I krb5.keytab if it is available, in order to verify the tickets, before letting the user in. However, if the password matches the entry in \fI/etc/passwd\fP the user will be unconditionally allowed (permitting diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c index 7542a23..0404549 100644 --- a/src/appl/bsd/login.c +++ b/src/appl/bsd/login.c @@ -1023,7 +1023,8 @@ static sigtype sigsys () siglongjmp(setpag_buf, 1); } -static int try_afscall () +static int try_afscall (scall) + int (*scall)(); { handler sa, osa; volatile int retval = 0; @@ -1032,7 +1033,7 @@ static int try_afscall () handler_init (sa, sigsys); handler_swap (SIGSYS, sa, osa); if (sigsetjmp(setpag_buf, 1) == 0) { - setpag (); + (*scall)(); retval = 1; } handler_set (SIGSYS, osa); diff --git a/src/appl/bsd/loginpaths.h b/src/appl/bsd/loginpaths.h index 2f2de0b..99d28b0 100644 --- a/src/appl/bsd/loginpaths.h +++ b/src/appl/bsd/loginpaths.h @@ -94,3 +94,13 @@ #define RPATH "/usr/bin:/bin" #endif #endif + +/* catch-all entries for operating systems we haven't looked up + hardcoded paths for */ +#ifndef LPATH +#define LPATH "/usr/bin:/bin" +#endif + +#ifndef RPATH +#define RPATH "/usr/bin:/bin" +#endif diff --git a/src/appl/bsd/v4rcp.c b/src/appl/bsd/v4rcp.c index 0a1ad33..56db95c 100644 --- a/src/appl/bsd/v4rcp.c +++ b/src/appl/bsd/v4rcp.c @@ -310,7 +310,8 @@ void lostconn(); int lostconn(); #endif int errno; -#ifndef __NetBSD__ +/* Kludge!!!! */ +#if (!defined(__NetBSD__) && !defined(__FreeBSD__)) extern char *sys_errlist[]; #endif int iamremote, targetshouldbedirectory; diff --git a/src/appl/gss-sample/ChangeLog b/src/appl/gss-sample/ChangeLog index 5da0236..110e722 100644 --- a/src/appl/gss-sample/ChangeLog +++ b/src/appl/gss-sample/ChangeLog @@ -1,3 +1,9 @@ +Fri Nov 22 15:48:02 1996 unknown <bjaspan@mit.edu> + + * gss-client.c (connect_to_server): use sizeof instead of h_length + to determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + Sun Oct 27 22:04:59 1996 Ezra Peisach <epeisach@mit.edu> * configure.in: Add USE_GSSAPI_LIBRARY diff --git a/src/appl/gss-sample/gss-client.c b/src/appl/gss-sample/gss-client.c index 170bc63..b91ea87 100644 --- a/src/appl/gss-sample/gss-client.c +++ b/src/appl/gss-sample/gss-client.c @@ -79,7 +79,7 @@ int connect_to_server(host, port) } saddr.sin_family = hp->h_addrtype; - memcpy((char *)&saddr.sin_addr, hp->h_addr, hp->h_length); + memcpy((char *)&saddr.sin_addr, hp->h_addr, sizeof(saddr.sin_addr)); saddr.sin_port = htons(port); if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { diff --git a/src/appl/gssftp/ftp/ChangeLog b/src/appl/gssftp/ftp/ChangeLog index 9224e5d..c1531a2 100644 --- a/src/appl/gssftp/ftp/ChangeLog +++ b/src/appl/gssftp/ftp/ChangeLog @@ -1,3 +1,8 @@ +Fri Nov 22 15:48:19 1996 unknown <bjaspan@mit.edu> + + * ftp.c (hookup): use sizeof instead of h_length to determine + number of bytes of addr to copy from DNS response [krb5-misc/211] + Fri Sep 27 16:05:09 1996 Tom Yu <tlyu@mit.edu> * cmds.c (setpeer): Apply jik's fix so "-n" actually works as diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c index fb6a563..0641416 100644 --- a/src/appl/gssftp/ftp/ftp.c +++ b/src/appl/gssftp/ftp/ftp.c @@ -155,7 +155,7 @@ hookup(host, port) } hisctladdr.sin_family = hp->h_addrtype; memcpy((caddr_t)&hisctladdr.sin_addr, hp->h_addr_list[0], - hp->h_length); + sizeof(hisctladdr.sin_addr)); (void) strncpy(hostnamebuf, hp->h_name, sizeof(hostnamebuf)); } hostname = hostnamebuf; @@ -177,7 +177,8 @@ hookup(host, port) perror((char *) 0); hp->h_addr_list++; memcpy((caddr_t)&hisctladdr.sin_addr, - hp->h_addr_list[0], hp->h_length); + hp->h_addr_list[0], + sizeof(hisctladdr.sin_addr)); fprintf(stdout, "Trying %s...\n", inet_ntoa(hisctladdr.sin_addr)); (void) close(s); diff --git a/src/appl/popper/Imakefile b/src/appl/popper/Imakefile deleted file mode 100644 index d46dc30..0000000 --- a/src/appl/popper/Imakefile +++ /dev/null @@ -1,93 +0,0 @@ -# $Source$ -# $Author$ -# $Id$ -# -# Copyright 1991 by the Massachusetts Institute of Technology. -# All Rights Reserved. -# -# Export of this software from the United States of America may -# require a specific license from the United States Government. -# It is the responsibility of any person or organization contemplating -# export to obtain such a license before exporting. -# -# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -# distribute this software and its documentation for any purpose and -# without fee is hereby granted, provided that the above copyright -# notice appear in all copies and that both that copyright notice and -# this permission notice appear in supporting documentation, and that -# the name of M.I.T. not be used in advertising or publicity pertaining -# to distribution of the software without specific, written prior -# permission. M.I.T. makes no representations about the suitability of -# this software for any purpose. It is provided "as is" without express -# or implied warranty. -# -# - -# Options are: -# BIND43 - If you are using BSD 4.3 domain -# name service. -# DEBUG - Include the debugging code. Note: You -# still have to use the -d or -t flag to -# enable debugging. -# HAVE_VSPRINTF - If the vsprintf functions are -# available -# on your system. -# SYSLOG42 - For BSD 4.2 syslog (default is BSD 4.3 -# syslog). -# STRNCASECMP - If you do not have strncasecmp() -# KERBEROS - If you want authentication vis Kerberos -# (tom) -# KERBEROS_PASSWD_HACK - Use popper as passwd server -# NOSTATUS - Don't create a Mail(1)-like -# Status: header - -#if defined(OS_BSD_RENO) || defined(OS_Ultrix) || defined(OS_SunOS4) || defined(OS_BSD) -BINDDEF=-DBIND43 -#else -/* assume it's not there; not really critical since we are using Kerberos to - beef up the normal IP-address checking stuff */ -BINDDEF= -#endif - -#if 0 - -/* Zephyr stuff not needed yet, since spop isn't done yet. */ -DEFINES = -DHAVE_VSPRINTF -DKERBEROS -DKRB5 -DNOSTATUS -DDEBUG $(BINDDEF) $(ZEPHDEFS) -LOCAL_LIBRARIES = $(ZEPHLIBS) $(KLIB) -DEP_LIBS= $(ZEPHDEPLIB) $(DEPKLIB) - -#else - -DEFINES = -DHAVE_VSPRINTF -DKERBEROS -DKRB5 -DNOSTATUS -DDEBUG $(BINDDEF) -LOCAL_LIBRARIES = $(KLIB) -DEP_LIBS= $(DEPKLIB) - -#endif -OBJS = pop_dele.o pop_dropcopy.o pop_dropinfo.o \ - pop_get_command.o pop_get_subcommand.o pop_init.o \ - pop_last.o pop_list.o pop_log.o pop_lower.o \ - pop_msg.o pop_parse.o pop_pass.o pop_quit.o \ - pop_rset.o pop_send.o pop_stat.o pop_updt.o \ - pop_user.o pop_xtnd.o pop_xmit.o popper.o -SRCS = pop_dele.c pop_dropcopy.c pop_dropinfo.c \ - pop_get_command.c pop_get_subcommand.c pop_init.c \ - pop_last.c pop_list.c pop_log.c pop_lower.c \ - pop_msg.c pop_parse.c pop_pass.c pop_quit.c \ - pop_rset.c pop_send.c pop_stat.c pop_updt.c \ - pop_user.c pop_xtnd.c pop_xmit.c popper.c $(SPOP_SRCS) -#if 0 -SPOP_OBJS = pop_enter.o -SPOP_SRCS = pop_enter.c -#endif - -all:: popper - -NormalProgramTarget(popper,$(OBJS),$(DEP_LIBS),$(LOCAL_LIBRARIES),) -Krb5InstallServerProgram(popper) - -#if 0 -NormalProgramTarget(spop,$(SPOP_OBJS),$(DEP_LIBS),$(LOCAL_LIBRARIES),) -Krb5InstallServerProgram(spop) -#endif - -DependTarget() diff --git a/src/appl/sample/sserver/ChangeLog b/src/appl/sample/sserver/ChangeLog index ba1d297..be41b71 100644 --- a/src/appl/sample/sserver/ChangeLog +++ b/src/appl/sample/sserver/ChangeLog @@ -1,3 +1,10 @@ +Thu Dec 5 19:44:05 1996 Tom Yu <tlyu@mit.edu> + + * sserver.M: remove ref's to "/krb5" [PR 279] + + * sserver.M: v5srvtab -> krb5.keytab; also kdb5_edit -> kadmin [PR + 279] + Thu Nov 7 15:24:43 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * sserver.c (main): Check the error return from diff --git a/src/appl/sample/sserver/sserver.M b/src/appl/sample/sserver/sserver.M index f0ea721..e879067 100644 --- a/src/appl/sample/sserver/sserver.M +++ b/src/appl/sample/sserver/sserver.M @@ -44,9 +44,8 @@ The service name used by \fIsserver\fP and \fIsclient\fP is \fBsample\fP. Hence, \fIsserver\fP will require that there be a keytab entry for the service "sample/hostname.domain.name@REALM.NAME". This keytab is generated using the -.IR krb5_edit(8) -program. The keytab file is installed in whatever -directory is defined by V5Srvtabdir (usually /etc) as "v5srvtab". +.IR kadmin(8) +program. The keytab file is usually installed as "/etc/krb5.keytab". .PP The .B \-S @@ -57,7 +56,7 @@ option allows for a different keytab than the default. using a line in /etc/inetd.conf that looks like this: .PP -sample stream tcp nowait root /krb5/sbin/sserver sserver +sample stream tcp nowait root /usr/local/sbin/sserver sserver .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: @@ -66,7 +65,7 @@ sample 13135/tcp .PP When using \fIsclient,\fP you will first have to have an entry in the Kerberos database, by using -.IR kdb5_edit(8), +.IR kadmin(8), and then you have to get Kerberos tickets, by using .IR kinit(8). @@ -109,10 +108,10 @@ didn't restart \fIinetd\fP after editing inetd.conf. .PP 4) \fIsclient\fP returns the error: .PP -/krb5/bin/sclient: Server not found in Kerberos database while using sendauth +sclient: Server not found in Kerberos database while using sendauth .PP This means that the "sample/hostname@LOCAL.REALM" service was not -defined in the Kerberos database; it should be created using \fIkdb5_edit,\fP +defined in the Kerberos database; it should be created using \fIkadmin,\fP and a keytab file needs to be generated to make the key for that service principal available for \fIssclient\fP. .PP diff --git a/src/appl/simple/client/ChangeLog b/src/appl/simple/client/ChangeLog index 275d42b..db1136c 100644 --- a/src/appl/simple/client/ChangeLog +++ b/src/appl/simple/client/ChangeLog @@ -1,3 +1,8 @@ +Fri Nov 22 15:48:30 1996 unknown <bjaspan@mit.edu> + + * sim_client.c (main): use sizeof instead of h_length to determine + number of bytes of addr to copy from DNS response [krb5-misc/211] + Thu Nov 7 15:26:10 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * sim_client.c (main): Check the error return from diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c index 9def260..a573dfa 100644 --- a/src/appl/simple/client/sim_client.c +++ b/src/appl/simple/client/sim_client.c @@ -163,7 +163,7 @@ main(argc, argv) /* Set server's address */ (void) memset((char *)&s_sock, 0, sizeof(s_sock)); - memcpy((char *)&s_sock.sin_addr, host->h_addr, host->h_length); + memcpy((char *)&s_sock.sin_addr, host->h_addr, sizeof(s_sock.sin_addr)); #ifdef DEBUG printf("s_sock.sin_addr is %s\n", inet_ntoa(s_sock.sin_addr)); #endif @@ -198,7 +198,7 @@ main(argc, argv) fprintf(stderr, "%s: unknown host\n", hostname); exit(1); } - memcpy((char *)&c_sock.sin_addr, host->h_addr, host->h_length); + memcpy((char *)&c_sock.sin_addr, host->h_addr, sizeof(c_sock.sin_addr)); #endif diff --git a/src/appl/simple/server/ChangeLog b/src/appl/simple/server/ChangeLog index 58042da..6e30ce4 100644 --- a/src/appl/simple/server/ChangeLog +++ b/src/appl/simple/server/ChangeLog @@ -1,3 +1,8 @@ +Fri Nov 22 15:48:42 1996 unknown <bjaspan@mit.edu> + + * sim_server.c (argv): use sizeof instead of h_length to determine + number of bytes of addr to copy from DNS response [krb5-misc/211] + Thu Nov 7 15:26:44 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * sim_server.c (argv): Check the error return from diff --git a/src/appl/simple/server/sim_server.c b/src/appl/simple/server/sim_server.c index 551a4f3..255d786 100644 --- a/src/appl/simple/server/sim_server.c +++ b/src/appl/simple/server/sim_server.c @@ -151,7 +151,7 @@ char *argv[]; fprintf(stderr, "%s: host unknown\n", full_hname); exit(1); } - memcpy((char *)&s_sock.sin_addr, host->h_addr, host->h_length); + memcpy((char *)&s_sock.sin_addr, host->h_addr, sizeof(s_sock.sin_addr)); /* Open socket */ if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { diff --git a/src/appl/telnet/telnet/ChangeLog b/src/appl/telnet/telnet/ChangeLog index 8080dba..f58e895 100644 --- a/src/appl/telnet/telnet/ChangeLog +++ b/src/appl/telnet/telnet/ChangeLog @@ -1,3 +1,25 @@ +Tue Nov 26 20:41:31 1996 Tom Yu <tlyu@voltage-multiplier.mit.edu> + + * configure.in: Check for apra/inet.h + + * commands.c: Remove explicit declaration of inet_addr, and + declare INADDR_NONE to be 0xffffffff again, but mask off the lower + 32 bits while doing the compare. + +Sat Nov 23 00:33:58 1996 Sam Hartman <hartmans@mit.edu> + + * commands.c (tn): Patch from mycroft@mit.edu for Alpha NetBSD. + Comparing to -1 is not 64-bit clean. + [233] + (INADDR_NONE): Mycroft suggests using -1 not 0xffffffff if I have + to define it ourselves. [233] + + Fri Nov 22 15:48:57 1996 unknown <bjaspan@mit.edu> + + * commands.c (sourceroute): use sizeof instead of h_length to + determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + Thu Nov 14 14:25:51 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * sys_bsd.c(intr): Added checks to intr_waiting and intr_happened diff --git a/src/appl/telnet/telnet/commands.c b/src/appl/telnet/telnet/commands.c index cfd975e..0b42efe 100644 --- a/src/appl/telnet/telnet/commands.c +++ b/src/appl/telnet/telnet/commands.c @@ -44,6 +44,9 @@ #endif /* defined(unix) */ #include <sys/socket.h> #include <netinet/in.h> +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif /* HAVE_ARPA_INET_H */ #ifdef CRAY #include <fcntl.h> #endif /* CRAY */ @@ -89,6 +92,9 @@ #ifndef MAXDNAME #define MAXDNAME 256 /*per the rfc*/ #endif +#ifndef INADDR_NONE +#define INADDR_NONE 0xffffffff +#endif #if defined(IPPROTO_IP) && defined(IP_TOS) int tos = -1; @@ -2352,8 +2358,6 @@ ayt_status() } #endif -unsigned long inet_addr(); - int tn(argc, argv) int argc; @@ -2443,10 +2447,10 @@ tn(argc, argv) } else { #endif temp = inet_addr(hostp); - if (temp != (unsigned long) -1) { + if (temp & 0xffffffff != INADDR_NONE) { sin.sin_addr.s_addr = temp; sin.sin_family = AF_INET; - (void) strcpy(_hostname, hostp); + (void) strcpy(_hostname, hostp); hostname = _hostname; } else { host = gethostbyname(hostp); @@ -2454,9 +2458,10 @@ tn(argc, argv) sin.sin_family = host->h_addrtype; #if defined(h_addr) /* In 4.3, this is a #define */ memcpy((caddr_t)&sin.sin_addr, - host->h_addr_list[0], host->h_length); + host->h_addr_list[0], sizeof(sin.sin_addr)); #else /* defined(h_addr) */ - memcpy((caddr_t)&sin.sin_addr, host->h_addr, host->h_length); + memcpy((caddr_t)&sin.sin_addr, host->h_addr, + sizeof(sin.sin_addr)); #endif /* defined(h_addr) */ strncpy(_hostname, host->h_name, sizeof(_hostname)); _hostname[sizeof(_hostname)-1] = '\0'; @@ -2546,9 +2551,9 @@ tn(argc, argv) perror((char *)0); host->h_addr_list++; memcpy((caddr_t)&sin.sin_addr, - host->h_addr_list[0], host->h_length); + host->h_addr_list[0], sizeof(sin.sin_addr)); memcpy((caddr_t)&hostaddr, - host->h_addr_list[0], host->h_length); + host->h_addr_list[0], sizeof(sin.sin_addr)); (void) NetClose(net); continue; } @@ -3055,9 +3060,10 @@ sourceroute(arg, cpp, lenp) } else if (host = gethostbyname(cp)) { #if defined(h_addr) memcpy((caddr_t)&sin_addr, - host->h_addr_list[0], host->h_length); + host->h_addr_list[0], sizeof(sin_addr)); #else - memcpy((caddr_t)&sin_addr, host->h_addr, host->h_length); + memcpy((caddr_t)&sin_addr, host->h_addr, + sizeof(sin_addr)); #endif } else { *cpp = cp; diff --git a/src/appl/telnet/telnet/configure.in b/src/appl/telnet/telnet/configure.in index 619153f..3d08e2f 100644 --- a/src/appl/telnet/telnet/configure.in +++ b/src/appl/telnet/telnet/configure.in @@ -3,7 +3,7 @@ CONFIG_RULES AC_PROG_INSTALL AC_VFORK AC_CHECK_HEADERS(string.h arpa/nameser.h) -AC_HAVE_HEADERS(unistd.h sys/select.h stdlib.h) +AC_HAVE_HEADERS(unistd.h sys/select.h stdlib.h arpa/inet.h) AC_CHECK_LIB(termcap,main,AC_DEFINE(TERMCAP) LIBS="$LIBS -ltermcap", AC_CHECK_LIB(curses,setupterm,LIBS="$LIBS -lcurses") diff --git a/src/appl/user_user/ChangeLog b/src/appl/user_user/ChangeLog index 62651d0..e005075 100644 --- a/src/appl/user_user/ChangeLog +++ b/src/appl/user_user/ChangeLog @@ -1,3 +1,8 @@ +Fri Nov 22 15:49:09 1996 unknown <bjaspan@mit.edu> + + * client.c (argv): use sizeof instead of h_length to determine + number of bytes of addr to copy from DNS response [krb5-misc/211] + Thu Nov 7 15:36:15 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * client.c (argv): diff --git a/src/appl/user_user/client.c b/src/appl/user_user/client.c index 4bee708..2cf85ae 100644 --- a/src/appl/user_user/client.c +++ b/src/appl/user_user/client.c @@ -128,7 +128,8 @@ char *argv[]; fprintf (stderr, "uu-client: unable to connect to \"%s\"\n", hname); return 5; } - memcpy ((char *)&serv_net_addr.sin_addr, host->h_addr_list[i++], host->h_length); + memcpy ((char *)&serv_net_addr.sin_addr, host->h_addr_list[i++], + sizeof(serv_net_addr.sin_addr)); if (connect(s, (struct sockaddr *)&serv_net_addr, sizeof (serv_net_addr)) == 0) break; com_err ("uu-client", errno, "connecting to \"%s\" (%s).", diff --git a/src/clients/kinit/ChangeLog b/src/clients/kinit/ChangeLog index c3bbbeb..f3d8f2d 100644 --- a/src/clients/kinit/ChangeLog +++ b/src/clients/kinit/ChangeLog @@ -1,3 +1,7 @@ +Thu Dec 5 21:59:08 1996 Tom Yu <tlyu@mit.edu> + + * kinit.M: v5srvtab -> krb5.keytab [279] + Wed Nov 6 09:31:35 1996 Theodore Y. Ts'o <tytso@mit.edu> * kinit.c (main): Check the return code from krb5_init_context, diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M index 86465b9..6681967 100644 --- a/src/clients/kinit/kinit.M +++ b/src/clients/kinit/kinit.M @@ -130,7 +130,7 @@ Location of the credentials (ticket) cache. /tmp/krb5cc_[uid] default credentials cache ([uid] is the decimal UID of the user). .TP -/etc/v5srvtab +/etc/krb5.keytab default location for the local host's .B keytab file. diff --git a/src/clients/klist/ChangeLog b/src/clients/klist/ChangeLog index 8b0051b..f72ff09 100644 --- a/src/clients/klist/ChangeLog +++ b/src/clients/klist/ChangeLog @@ -1,3 +1,7 @@ +Thu Dec 5 21:59:34 1996 Tom Yu <tlyu@mit.edu> + + * klist.M: v5srvtab -> krb5.keytab [279] + Wed Nov 6 12:02:59 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * klist.c (main): Check the error return from krb5_init_context(), diff --git a/src/clients/klist/klist.M b/src/clients/klist/klist.M index acf80ab..99b42b9 100644 --- a/src/clients/klist/klist.M +++ b/src/clients/klist/klist.M @@ -107,7 +107,7 @@ Location of the credentials (ticket) cache. default location of the credentials cache ([uid] is the decimal UID of the user). .TP -/etc/v5srvtab +/etc/krb5.keytab default location of the .B keytab file. diff --git a/src/config-files/ChangeLog b/src/config-files/ChangeLog index 26edc44..fd73b3e 100644 --- a/src/config-files/ChangeLog +++ b/src/config-files/ChangeLog @@ -1,3 +1,8 @@ +Tue Nov 26 19:24:34 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * kdc.conf: Fixed paths to use the GNU standard conventions. + [PR#246] + Thu Nov 14 23:08:37 1996 Tom Yu <tlyu@mit.edu> * krb5.conf.M: Note change in default_keytab_name. diff --git a/src/config-files/kdc.conf b/src/config-files/kdc.conf index c985669..cf8cbe1 100644 --- a/src/config-files/kdc.conf +++ b/src/config-files/kdc.conf @@ -3,10 +3,10 @@ [realms] ATHENA.MIT.EDU = { - database_name = /usr/local/lib/krb5kdc/principal - admin_keytab = FILE:/usr/local/lib/krb5kdc/kadm5.keytab - acl_file = /usr/local/lib/krb5kdc/kadm5.acl - key_stash_file = /usr/local/lib/krb5kdc/.k5stash + database_name = /usr/local/var/krb5kdc/principal + admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab + acl_file = /usr/local/var/krb5kdc/kadm5.acl + key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s diff --git a/src/include/ChangeLog b/src/include/ChangeLog index 3a2976d..8ff29d5 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,8 @@ +Sat Nov 23 00:16:46 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * k5-int.h: Remove DES3 and SHA support, since what's there isn't + fully correct. [PR#231] + Wed Nov 13 14:28:08 1996 Tom Yu <tlyu@mit.edu> * k5-int.h, krb5.hin: Revert kt_default_name changes. diff --git a/src/include/k5-int.h b/src/include/k5-int.h index f6f30ef..02cb5c2 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -145,12 +145,12 @@ #define PROVIDE_DES_CBC_CRC #define PROVIDE_DES_CBC_RAW #define PROVIDE_DES_CBC_CKSUM -#define PROVIDE_DES3_CBC_SHA -#define PROVIDE_DES3_CBC_RAW +/* #define PROVIDE_DES3_CBC_SHA */ +/* #define PROVIDE_DES3_CBC_RAW */ #define PROVIDE_CRC32 #define PROVIDE_RSA_MD4 #define PROVIDE_RSA_MD5 -#define PROVIDE_NIST_SHA +/* #define PROVIDE_NIST_SHA */ #ifndef _SIZE_T_DEFINED typedef unsigned int size_t; diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog index 7475525..694a618 100644 --- a/src/include/kerberosIV/ChangeLog +++ b/src/include/kerberosIV/ChangeLog @@ -1,3 +1,7 @@ +Fri Nov 22 11:34:46 1996 Sam Hartman <hartmans@mit.edu> + + * Makefile.in: Install krb_err.h [218] + Thu Oct 31 17:27:08 1996 Sam Hartman <hartmans@mit.edu> * Makefile.in (install): Start installing headers again [36] diff --git a/src/include/kerberosIV/Makefile.in b/src/include/kerberosIV/Makefile.in index 669e341..0e4705f 100644 --- a/src/include/kerberosIV/Makefile.in +++ b/src/include/kerberosIV/Makefile.in @@ -1,4 +1,5 @@ -KRB4_HEADERS=krb.h des.h kadm.h mit-copyright.h +KRB4_HEADERS=krb.h des.h kadm.h mit-copyright.h \ + krb_err.h all:: diff --git a/src/include/krb5/k5-config.h b/src/include/krb5/k5-config.h deleted file mode 100644 index 9d2ec6c..0000000 --- a/src/include/krb5/k5-config.h +++ /dev/null @@ -1,311 +0,0 @@ -/* - * Copyright 1990,1991,1994,1995 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * Configuration definition file. - */ - - -#ifndef KRB5_CONFIG__ -#define KRB5_CONFIG__ - -#ifdef _MSDOS -/* - * Machine-type definitions: PC Clone 386 running Microloss Windows - */ - -/* Kerberos Windows initialization file */ -#define KERBEROS_INI "kerberos.ini" -#define INI_FILES "Files" -#define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */ -#define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */ - -#define KRB5_DBM_COMPAT__ /* Don't load dbm.h */ -#define KRB5_KDB5__ /* Don't load kdb.h */ -#define KRB5_KDB5_DBM__ /* Don't load kdb_dbm.h */ - -#define BITS16 -#define SIZEOF_INT 2 -#define SIZEOF_SHORT 2 -#define SIZEOF_LONG 4 -#define MAXHOSTNAMELEN 512 -#define MAXPATHLEN 256 /* Also for Windows temp files */ - -#define KRB5_USE_INET -#define MSDOS_FILESYSTEM -#define USE_STRING_H -#define HAVE_SRAND -#define HAVE_ERRNO -#define HAS_STRDUP -#define NO_USERID -#define NOFCHMOD -#define NOCHMOD -#define NO_PASSWORD -#define WM_KERBEROS5_CHANGED "Kerberos5 Changed" - -#define HAS_ANSI_VOLATILE -#define HAS_VOID_TYPE -#define KRB5_PROVIDE_PROTOTYPES -#define HAVE_STDARG_H -#define HAVE_SYS_TYPES_H - -#ifndef _SIZE_T_DEFINED -typedef unsigned int size_t; -#define _SIZE_T_DEFINED -#endif - -#ifndef KRB5_SYSTYPES__ -#define KRB5_SYSTYPES__ -#include <sys/types.h> -typedef unsigned long u_long; /* Not part of sys/types.h on the pc */ -typedef unsigned int u_int; -typedef unsigned short u_short; -typedef unsigned char u_char; -#endif /* KRB5_SYSTYPES__ */ - -#ifndef INTERFACE -#define INTERFACE __far __export __pascal -#define INTERFACE_C __far __export __cdecl -#endif - -/* - * The following defines are needed to make <windows.h> work - * in stdc mode (/Za flag). Winsock.h needs <windows.h>. - */ -#define FAR _far -#define NEAR _near -#define _far __far -#define _near __near -#define _pascal __pascal -#define _cdecl __cdecl -#define _huge __huge - -#ifdef NEED_WINDOWS -#include <windows.h> -#endif - -#ifdef NEED_LOWLEVEL_IO -/* Ugly. Microsoft, in stdc mode, doesn't support the low-level i/o - * routines directly. Rather, they only export the _<function> version. - * The following defines works around this problem. - */ -#include <sys\types.h> -#include <sys\stat.h> -#include <fcntl.h> -#include <io.h> -#include <process.h> -#define O_RDONLY _O_RDONLY -#define O_WRONLY _O_WRONLY -#define O_RDWR _O_RDWR -#define O_APPEND _O_APPEND -#define O_CREAT _O_CREAT -#define O_TRUNC _O_TRUNC -#define O_EXCL _O_EXCL -#define O_TEXT _O_TEXT -#define O_BINARY _O_BINARY -#define O_NOINHERIT _O_NOINHERIT -#define stat _stat -#define unlink _unlink -#define lseek _lseek -#define write _write -#define open _open -#define close _close -#define read _read -#define fstat _fstat -#define mktemp _mktemp -#define dup _dup - -#define getpid _getpid -#endif - -#ifdef NEED_SYSERROR -/* Only needed by util/et/error_message.c but let's keep the source clean */ -#define sys_nerr _sys_nerr -#define sys_errlist _sys_errlist -#endif - -/* XXX these should be parameterized soon... */ -#define PROVIDE_DES_CBC_MD5 -#define PROVIDE_DES_CBC_CRC -#define PROVIDE_RAW_DES_CBC -#define PROVIDE_CRC32 -#define PROVIDE_DES_CBC_CKSUM -#define PROVIDE_RSA_MD4 -#define PROVIDE_RSA_MD5 -#define DEFAULT_PWD_STRING1 "Enter password:" -#define DEFAULT_PWD_STRING2 "Re-enter password for verification:" - -/* Functions with slightly different names on the PC -*/ -#define strcasecmp _stricmp -#define strdup _strdup -#define off_t _off_t - -#else /* Rest of include file is for non-Microloss-Windows */ - -#if defined(_MACINTOSH) -#include <stddef.h> - -typedef struct { - int dummy; -} datum; - -#include <stddef.h> - -#ifdef NEED_LOWLEVEL_IO -#include <fcntl.h> -#endif - -#ifndef _MWERKS -/* there is no <stat.h> for mpw */ -typedef unsigned long mode_t; -typedef unsigned long ino_t; -typedef unsigned long dev_t; -typedef short nlink_t; -typedef unsigned long uid_t; -typedef unsigned long gid_t; -typedef long off_t; -struct stat -{ - mode_t st_mode; /* File mode; see #define's below */ - ino_t st_ino; /* File serial number */ - dev_t st_dev; /* ID of device containing this file */ - nlink_t st_nlink; /* Number of links */ - uid_t st_uid; /* User ID of the file's owner */ - gid_t st_gid; /* Group ID of the file's group */ - dev_t st_rdev; /* Device type */ - off_t st_size; /* File size in bytes */ - unsigned long st_atime; /* Time of last access */ - unsigned long st_mtime; /* Time of last data modification */ - unsigned long st_ctime; /* Time of last file status change */ - long st_blksize; /* Optimal blocksize */ - long st_blocks; /* blocks allocated for file */ -}; - -int stat(const char *path, struct stat *buf); -int fstat(int fildes, struct stat *buf); - -#endif /* _MWERKS */ - -#define EFBIG 1000 - -#define NOFCHMOD 1 -#define NOCHMOD 1 -#define _MACSOCKAPI_ - -#define THREEPARAMOPEN(x,y,z) open(x,y) -#define MAXPATHLEN 255 - -/* protocol families same as address families */ -#define PF_INET AF_INET - -/* XXX these should be parameterized soon... */ -#define PROVIDE_DES_CBC_MD5 -#define PROVIDE_DES_CBC_CRC -#define PROVIDE_RAW_DES_CBC -#define PROVIDE_CRC32 -#define PROVIDE_DES_CBC_CKSUM -#define PROVIDE_RSA_MD4 -#define PROVIDE_RSA_MD5 - -#else /* _MACINTOSH */ -#define THREEPARAMOPEN(x,y,z) open(x,y,z) -#endif /* _MACINTOSH */ - -#ifndef KRB5_AUTOCONF__ -#define KRB5_AUTOCONF__ -#include "autoconf.h" -#endif - -#ifndef KRB5_SYSTYPES__ -#define KRB5_SYSTYPES__ - -#ifdef HAVE_SYS_TYPES_H /* From autoconf.h */ -#include <sys/types.h> -#else /* HAVE_SYS_TYPES_H */ -typedef unsigned long u_long; -typedef unsigned int u_int; -typedef unsigned short u_short; -typedef unsigned char u_char; -#endif /* HAVE_SYS_TYPES_H */ -#endif /* KRB5_SYSTYPES__ */ - -#ifdef SYSV -/* Change srandom and random to use rand and srand */ -/* Taken from the Sandia changes. XXX We should really just include */ -/* srandom and random into Kerberos release, since rand() is a really */ -/* bad random number generator.... [tytso:19920616.2231EDT] */ -#define random() rand() -#define srandom(a) srand(a) -#ifndef unicos61 -#define utimes(a,b) utime(a,b) -#endif /* unicos61 */ -#endif /* SYSV */ - -/* XXX these should be parameterized soon... */ -#define PROVIDE_DES_CBC_MD5 -#define PROVIDE_DES_CBC_CRC -#define PROVIDE_RAW_DES_CBC -#define PROVIDE_CRC32 -#define PROVIDE_DES_CBC_CKSUM -#define PROVIDE_RSA_MD4 -#define PROVIDE_RSA_MD5 - -#define DEFAULT_PWD_STRING1 "Enter password:" -#define DEFAULT_PWD_STRING2 "Re-enter password for verification:" - -#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ -#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ -#define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */ - -/* - * For paranoid DOE types that don't want to give helpful error - * messages to the client....er, attacker - */ -#undef KRBCONF_VAGUE_ERRORS - -/* - * Define this if you want the KDC to modify the Kerberos database; - * this allows the last request information to be updated, as well as - * the failure count information. - * - * Note that this doesn't work if you're using slave servers!!! It - * also causes the database to be modified (and thus need to be - * locked) frequently. - */ -#undef KRBCONF_KDC_MODIFIES_KDB - -/* - * Windows requires a different api interface to each function. Here - * just define it as NULL. - */ -#define INTERFACE -#define INTERFACE_C -#define FAR -#define NEAR -#ifndef O_BINARY -#define O_BINARY 0 -#endif - -#ifndef HAS_LABS -#define labs(x) abs(x) -#endif - -#endif /* _MSDOS */ -#endif /* KRB5_CONFIG__ */ diff --git a/src/kadmin.v4/server/ChangeLog b/src/kadmin.v4/server/ChangeLog index 1bb368a..b411bb8 100644 --- a/src/kadmin.v4/server/ChangeLog +++ b/src/kadmin.v4/server/ChangeLog @@ -1,3 +1,9 @@ +Fri Nov 22 15:49:35 1996 unknown <bjaspan@mit.edu> + + * kadm_ser_wrap.c (kadm_ser_init): use sizeof instead of h_length + to determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + Thu Jun 13 22:09:02 1996 Tom Yu <tlyu@voltage-multiplier.mit.edu> * configure.in: remove ref to ET_RULES diff --git a/src/kadmin.v4/server/kadm_ser_wrap.c b/src/kadmin.v4/server/kadm_ser_wrap.c index 7c373b3..bc8f0b5 100644 --- a/src/kadmin.v4/server/kadm_ser_wrap.c +++ b/src/kadmin.v4/server/kadm_ser_wrap.c @@ -72,7 +72,7 @@ kadm_ser_init(inter, realm) if ((hp = gethostbyname(hostname)) == NULL) return KADM_NO_HOSTNAME; memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr, - hp->h_length); + sizeof(server_parm.admin_addr.sin_addr.s_addr)); server_parm.admin_addr.sin_port = sep->s_port; /* setting up the database */ mkey_name = KRB5_KDB_M_NAME; diff --git a/src/kadmin/cli/ChangeLog b/src/kadmin/cli/ChangeLog index d06ca6e..bcdb670 100644 --- a/src/kadmin/cli/ChangeLog +++ b/src/kadmin/cli/ChangeLog @@ -1,3 +1,13 @@ +Thu Dec 5 19:30:22 1996 Tom Yu <tlyu@mit.edu> + + * kadmin.M: Missed a ref to /krb5. [279] + + * kadmin.M: Change example to no longer use /krb5. [PR 279] + + * kadmin.M: v5srvtab -> krb5.keytab [PR 279] + + * kadmin.c (DEFAULT_KEYTAB): v5srvtab -> krb5.keytab [PR 278] + Wed Nov 13 14:29:02 1996 Tom Yu <tlyu@mit.edu> * Makefile.in (clean-unix): Remove getdate.c and kadmin_ct.c. diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M index f0f8913..a74874f 100644 --- a/src/kadmin/cli/kadmin.M +++ b/src/kadmin/cli/kadmin.M @@ -676,7 +676,7 @@ is added, ignoring multiple keys with the same encryption type but different salt types. If the .B \-k argument is not specified, the default keytab -.I /etc/v5srvtab +.I /etc/krb5.keytab is used. If the .B \-q option is specified, less verbose status information is displayed. @@ -695,13 +695,10 @@ command. .RS .TP EXAMPLE: -kadmin: ktadd -k /krb5/kadmind.keytab kadmin/admin kadmin/changepw -Entry for principal kadmin/admin@ATHENA.MIT.EDU with +kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. -Entry for principal kadmin/changepw@ATHENA.MIT.EDU - with kvno 3, encryption type DES-CBC-CRC added to keytab - WRFILE:/krb5/kadmind.keytab. + WRFILE:/tmp/foo-new-keytab kadmin: .RE .fi @@ -716,7 +713,7 @@ parsed as an integer, and all entries whose kvno match that integer are removed. If the .B \-k argument is not specifeid, the default keytab -.I /etc/v5srvtab +.I /etc/krb5.keytab is used. If the .B \-q option is specified, less verbose status information is displayed. @@ -725,9 +722,9 @@ option is specified, less verbose status information is displayed. .RS .TP EXAMPLE: -kadmin: ktremove -k /krb5/kadmind.keytab kadmin/admin +kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/krb5/kadmind.keytab. + from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. kadmin: .RE .fi diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index d8011f8..9c57c86 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -421,7 +421,7 @@ char *kadmin_startup(argc, argv) exit(1); } { -#define DEFAULT_KEYTAB "WRFILE:/etc/v5srvtab" +#define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab" /* XXX krb5_defkeyname is an internal library global and should go away */ extern char *krb5_defkeyname; diff --git a/src/kadmin/passwd/ChangeLog b/src/kadmin/passwd/ChangeLog index 5b50393..2436ec6 100644 --- a/src/kadmin/passwd/ChangeLog +++ b/src/kadmin/passwd/ChangeLog @@ -1,3 +1,23 @@ +Wed Nov 27 13:50:03 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * configure.in: Link against kdb5 explicitly on all systems except + BSD systems, due to hairy shared library issues. [PR#257] + n.b., this is only a short-term fix for the 1.0 release. + The correct long-term fix is to not require kadm5 clients + to need to link against libkdb5 at all. + +Fri Nov 22 18:42:02 1996 Sam Hartman <hartmans@planet-zorp.MIT.EDU> + + * configure.in: Do not link against kdb5 because this causes + NetBSD getpwuid to fail. [228] + + * kpasswd.c (kpasswd): Remove cast from uid_t to int. [228] + +Wed Nov 20 16:00:49 1996 Barry Jaspan <bjaspan@mit.edu> + + * unit-test/Makefile.in (unit-test-): warn more loudly about unrun + tests + Wed Nov 13 19:23:15 1996 Tom Yu <tlyu@mit.edu> * unit-test/Makefile.in (clean): Remove logfiles. diff --git a/src/kadmin/passwd/configure.in b/src/kadmin/passwd/configure.in index 2331e44..874f338 100644 --- a/src/kadmin/passwd/configure.in +++ b/src/kadmin/passwd/configure.in @@ -7,8 +7,28 @@ AC_PROG_AWK USE_KADMCLNT_LIBRARY USE_GSSAPI_LIBRARY USE_GSSRPC_LIBRARY -USE_KDB5_LIBRARY USE_DYN_LIBRARY + +dnl +dnl The following is a kludge to get around a shared library problem +dnl for NetBSD and Linux. We have to include -lkdb5 under Linux, and +dnl we can't include -lkdb5 under NetBSD, due to various breakages in +dnl each system's shared library implementation +dnl +AC_MSG_CHECKING([for build host]) +AC_CACHE_VAL(krb5_cv_host, [export CC +AC_CANONICAL_HOST +krb5_cv_host=$host]) +AC_MSG_RESULT($krb5_cv_host) +case $krb5_cv_host in +*-*-*bsd*) + echo "Skipping USE KDB5 LIBRARY on BSD to avoid libdb incompatibilites" + ;; +*) + USE_KDB5_LIBRARY + ;; +esac + KRB5_LIBRARIES V5_USE_SHARED_LIB V5_AC_OUTPUT_MAKEFILE diff --git a/src/kadmin/passwd/kpasswd.c b/src/kadmin/passwd/kpasswd.c index e425280..48cb4cc 100644 --- a/src/kadmin/passwd/kpasswd.c +++ b/src/kadmin/passwd/kpasswd.c @@ -137,7 +137,7 @@ kpasswd(context, argc, argv) /* if either krb5_cc failed check the passwd file */ if (code != 0) { - pw = getpwuid((int) getuid()); + pw = getpwuid( getuid()); if (pw == NULL) { com_err(whoami, 0, string_text(KPW_STR_NOT_IN_PASSWD_FILE)); return(MISC_EXIT_STATUS); diff --git a/src/kadmin/passwd/unit-test/Makefile.in b/src/kadmin/passwd/unit-test/Makefile.in index f2192df..8ffc57f 100644 --- a/src/kadmin/passwd/unit-test/Makefile.in +++ b/src/kadmin/passwd/unit-test/Makefile.in @@ -1,8 +1,10 @@ check unit-test:: unit-test-@DO_TEST@ unit-test-: - @echo "The kpasswd tests require Perl, Tcl, and runtest" - @echo "No tests run here" + @echo "+++" + @echo "+++ WARNING: kpasswd unit tests not run." + @echo "+++ Either tcl, runtest, or Perl is unavailable." + @echo "+++" unit-test-ok:: unit-test-setup unit-test-body unit-test-cleanup diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog index 6092176..9d031cb 100644 --- a/src/kadmin/server/ChangeLog +++ b/src/kadmin/server/ChangeLog @@ -1,3 +1,7 @@ +Tue Nov 19 16:48:50 1996 Barry Jaspan <bjaspan@mit.edu> + + * ovsec_kadmd.c: don't syslog \n's + Wed Nov 13 14:29:34 1996 Tom Yu <tlyu@mit.edu> * ovsec_kadmd.c (main): Note that krb5_defkeyname is an internal diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index 21514ac..bd31a0b 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -183,7 +183,7 @@ int main(int argc, char *argv[]) if (ret = kadm5_get_config_params(context, NULL, NULL, ¶ms, ¶ms)) { - krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting\n", + krb5_klog_syslog(LOG_ERR, "%s: %s while initializing, aborting", whoami, error_message(ret)); fprintf(stderr, "%s: %s while initializing, aborting\n", whoami, error_message(ret)); @@ -197,7 +197,7 @@ int main(int argc, char *argv[]) if ((params.mask & REQUIRED_PARAMS) != REQUIRED_PARAMS) { krb5_klog_syslog(LOG_ERR, "%s: Missing required configuration values " - "while initializing, aborting\n", whoami, + "while initializing, aborting", whoami, (params.mask & REQUIRED_PARAMS) ^ REQUIRED_PARAMS); fprintf(stderr, "%s: Missing required configuration values " "(%x) while initializing, aborting\n", whoami, @@ -724,7 +724,7 @@ void log_badauth(OM_uint32 major, OM_uint32 minor, krb5_klog_syslog(LOG_NOTICE, "Authentication attempt failed: %s, GSS-API " "error strings are:", a); log_badauth_display_status(" ", major, minor); - krb5_klog_syslog(LOG_NOTICE, " GSS-API error strings complete.\n"); + krb5_klog_syslog(LOG_NOTICE, " GSS-API error strings complete."); } void log_badauth_display_status(char *msg, OM_uint32 major, OM_uint32 minor) @@ -752,11 +752,11 @@ void log_badauth_display_status_1(char *m, OM_uint32 code, int type, GSS_C_MECH_CODE, 1); } else krb5_klog_syslog(LOG_ERR, "GSS-API authentication error %s: " - "recursive failure!\n", msg); + "recursive failure!", msg); return; } - krb5_klog_syslog(LOG_NOTICE, "%s %s\n", m, (char *)msg.value); + krb5_klog_syslog(LOG_NOTICE, "%s %s", m, (char *)msg.value); (void) gss_release_buffer(&minor_stat, &msg); if (!msg_ctx) diff --git a/src/kadmin/testing/scripts/ChangeLog b/src/kadmin/testing/scripts/ChangeLog index 852bc20..fd53ba0 100644 --- a/src/kadmin/testing/scripts/ChangeLog +++ b/src/kadmin/testing/scripts/ChangeLog @@ -1,3 +1,7 @@ +Thu Dec 5 19:34:09 1996 Tom Yu <tlyu@mit.edu> + + * save_files.sh (files): Also save /etc/krb5.keytab. [PR 278] + Thu Nov 14 15:28:16 1996 Barry Jaspan <bjaspan@mit.edu> * env-setup.shin, init_db, save_files.sh, start_servers, diff --git a/src/kadmin/testing/scripts/save_files.sh b/src/kadmin/testing/scripts/save_files.sh index 14fe892..7218203 100644 --- a/src/kadmin/testing/scripts/save_files.sh +++ b/src/kadmin/testing/scripts/save_files.sh @@ -15,7 +15,7 @@ done # /.secure/etc/passwd /etc/athena/inetd.conf" files="/etc/krb.conf /etc/krb.realms /etc/athena/krb.conf \ - /etc/athena/krb.realms /etc/v5srvtab" + /etc/athena/krb.realms /etc/v5srvtab /etc/krb5.keytab" name=`basename $0` diff --git a/src/kadmin/testing/util/ChangeLog b/src/kadmin/testing/util/ChangeLog index e324ed6..698414a 100644 --- a/src/kadmin/testing/util/ChangeLog +++ b/src/kadmin/testing/util/ChangeLog @@ -1,3 +1,16 @@ +Fri Dec 6 00:04:10 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * test.c: Change test looking for tcl 7.05 and greater to be tcl + 7.04 and greater, since BSDI ships with tcl 7.04, and + needs this change. [PR#282] + +Thu Dec 5 22:47:27 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * tcl_ovsec_kadm.c: + * tcl_kadm5.c: Remove #include of <malloc.h>, which is not + guaranteed to be there. #include of <stdlib.h> is all you + need for malloc(), per ANSI. [PR#281] + Wed Nov 13 09:55:05 1996 Ezra Peisach <epeisach@mit.edu> * Makefile.in (clean): Remove built programs. diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c index 2aa3663..409f023 100644 --- a/src/kadmin/testing/util/tcl_kadm5.c +++ b/src/kadmin/testing/util/tcl_kadm5.c @@ -4,7 +4,6 @@ #define USE_KADM5_API_VERSION 2 #include <kadm5/admin.h> #include <com_err.h> -#include <malloc.h> #include <k5-int.h> #include <errno.h> #include <stdlib.h> diff --git a/src/kadmin/testing/util/tcl_ovsec_kadm.c b/src/kadmin/testing/util/tcl_ovsec_kadm.c index 0c6aaac..40a854e 100644 --- a/src/kadmin/testing/util/tcl_ovsec_kadm.c +++ b/src/kadmin/testing/util/tcl_ovsec_kadm.c @@ -4,7 +4,6 @@ #define USE_KADM5_API_VERSION 1 #include <kadm5/admin.h> #include <com_err.h> -#include <malloc.h> #include <k5-int.h> #include <errno.h> #include <stdlib.h> diff --git a/src/kadmin/testing/util/test.c b/src/kadmin/testing/util/test.c index 75a0fc2..f9da052 100644 --- a/src/kadmin/testing/util/test.c +++ b/src/kadmin/testing/util/test.c @@ -1,8 +1,8 @@ #include <tcl.h> -#define IS_TCL_7_5 ((TCL_MAJOR_VERSION * 100 + TCL_MINOR_VERSION) >= 705) +#define _TCL_MAIN ((TCL_MAJOR_VERSION * 100 + TCL_MINOR_VERSION) >= 704) -#if IS_TCL_7_5 +#if _TCL_MAIN int main(argc, argv) int argc; /* Number of command-line arguments. */ diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog index 7572a63..2966ad1 100644 --- a/src/kadmin/v4server/ChangeLog +++ b/src/kadmin/v4server/ChangeLog @@ -1,3 +1,9 @@ +Fri Nov 22 15:49:27 1996 unknown <bjaspan@mit.edu> + + * kadm_ser_wrap.c (endif ): use sizeof instead of h_length to + determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + Wed Nov 13 19:24:00 1996 Tom Yu <tlyu@mit.edu> * Makefile.in (clean): Remove kadm_err.h and kadm_err.c. diff --git a/src/kadmin/v4server/kadm_ser_wrap.c b/src/kadmin/v4server/kadm_ser_wrap.c index 3d4c045..7ea289f 100644 --- a/src/kadmin/v4server/kadm_ser_wrap.c +++ b/src/kadmin/v4server/kadm_ser_wrap.c @@ -82,7 +82,7 @@ kadm_ser_init(inter, realm) if ((hp = gethostbyname(hostname)) == NULL) return KADM_NO_HOSTNAME; memcpy((char *) &server_parm.admin_addr.sin_addr.s_addr, hp->h_addr, - hp->h_length); + sizeof(server_parm.admin_addr.sin_addr.s_addr)); server_parm.admin_addr.sin_port = sep->s_port; /* setting up the database */ mkey_name = KRB5_KDB_M_NAME; diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index dd74460..190c4f3 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,21 @@ +Sat Nov 23 17:26:22 1996 Mark Eichin <eichin@kitten.gen.ma.us> + + * [krb5-libs/149] only generate requests that you can actually + handle. + + Tue Sep 3 22:53:56 1996 Mark Eichin <eichin@cygnus.com> + + * kdc_preauth.c (get_preauth_hint_list): detect ap->get_edata + return status and don't pass back hint if it failed. + (get_etype_info): malloc one more word in entry for end marker. + +Wed Nov 20 11:25:05 1996 Barry Jaspan <bjaspan@mit.edu> + + * main.c (initialize_realms): krb5_aprof_init can succeed while + leaving aprof == NULL, but krb5_aprof_finish will fail. This is + just more grossness that needs to be redone when the kdc.conf + interface is reworked. + Thu Nov 7 12:27:21 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * kdc_preauth.c (check_padata): Fixed error handling; in order for diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 0350068..dd8d09b 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -203,8 +203,15 @@ void get_preauth_hint_list(request, client, server, e_data) memset(*pa, 0, sizeof(krb5_pa_data)); (*pa)->magic = KV5M_PA_DATA; (*pa)->pa_type = ap->type; - if (ap->get_edata) - (ap->get_edata)(kdc_context, request, client, server, *pa); + if (ap->get_edata) { + retval = (ap->get_edata)(kdc_context, request, client, server, *pa); + if (retval) { + /* just failed on this type, continue */ + free(*pa); + *pa = 0; + continue; + } + } pa++; } retval = encode_krb5_padata_sequence((const krb5_pa_data **) pa_data, @@ -433,7 +440,7 @@ get_etype_info(context, request, client, server, pa_data) salt.data = 0; - entry = malloc((client->n_key_data * 2) * sizeof(krb5_etype_info_entry *)); + entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *)); if (entry == NULL) return ENOMEM; entry[0] = NULL; diff --git a/src/kdc/main.c b/src/kdc/main.c index dd4ae76..bc7a2fe 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -721,7 +721,9 @@ initialize_realms(kcontext, argc, argv) hierarchy[2] = (char *) NULL; if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_ports)) default_ports = 0; - krb5_aprof_finish(aprof); + /* aprof_init can return 0 with aprof == NULL */ + if (aprof) + krb5_aprof_finish(aprof); } if (default_ports == 0) default_ports = strdup(DEFAULT_KDC_PORTLIST); diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index dbc3c84..7f5856d 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,14 @@ +Thu Dec 5 23:27:00 1996 Tom Yu <tlyu@mit.edu> + + * krb524d.c (main): Ignore SIGHUP for now. [27] + +Thu Dec 5 23:12:29 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * cnv_tkt_skey.c (krb524_convert_tkt_skey): Change the issue time + of the V4 ticket to be the current time (since the + lifetime of the V4 ticket was calculated assuming that the + issue time would be the current time). [PR#283,PR#22] + Mon Nov 11 16:23:32 1996 Mark Eichin <eichin@cygnus.com> * krb524d.c (do_connection): only free v4/v5 keyblock contents and diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c index a7d5e54..19bb386 100644 --- a/src/krb524/cnv_tkt_skey.c +++ b/src/krb524/cnv_tkt_skey.c @@ -161,7 +161,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey) (char *) v5etkt->session->contents, lifetime, /* issue_data */ - v5etkt->times.starttime, + server_time, sname, sinst, v4_skey->contents); diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index 2c4d3f8..7d6e9ba 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c @@ -119,7 +119,7 @@ int main(argc, argv) } signal(SIGINT, request_exit); - signal(SIGHUP, request_exit); + signal(SIGHUP, SIG_IGN); signal(SIGTERM, request_exit); if (use_keytab) diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog index c7e7fb6..791ed2b 100644 --- a/src/lib/ChangeLog +++ b/src/lib/ChangeLog @@ -1,3 +1,15 @@ +Sat Nov 23 00:25:25 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * libkrb5.def: Renamed to krb5_16.def [PR#204] + + * Makefile.in (all-windows): Change name of dll from krb5_16.dll, + which will be the final name of the DLL. [PR#204] + +Wed Nov 20 18:28:47 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * Makefile.in (clean-windows): Change the name of the Windows (16) + dll to be krb516.dll, instead of libkrb5.dll + Fri Jul 12 20:32:29 1996 Theodore Y. Ts'o <tytso@mit.edu> * win_glue.c: Added TIMEBOMB_INFO string which tells the user the diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index f0eaef8..b8cd398 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -19,10 +19,10 @@ clean-unix:: $(RM) $(CLEANLIBS) clean-windows:: - $(RM) libkrb5.dll libkrb5.lib libkrb5.bak libkrb5.map winsock.lib + $(RM) krb5_16.dll krb5_16.lib krb5_16.bak krb5_16.map winsock.lib $(RM) gssapi.dll gssapi.lib gssapi.bak gssapi.map # -# Windows stuff to make libkrb5.dll and libkrb5.lib. Currently it +# Windows stuff to make krb5_16.dll and krb5_16.lib. Currently it # combines crypto, krb5, kadm and the util/et directories. # ALIB = kadm\kadm.lib @@ -34,7 +34,7 @@ PLIB = $(BUILDTOP)\util\profile\profile.lib WLIB = .\winsock.lib LIBS = $(ALIB) $(CLIB) $(KLIB) $(GLIB) $(ETLIB) $(PLIB) $(WLIB) -lib-windows: winsock.lib libkrb5.lib gssapi.lib +lib-windows: winsock.lib krb5_16.lib gssapi.lib gssapi.lib:: gssapi.dll implib /nologo gssapi.lib gssapi.dll @@ -44,13 +44,13 @@ gssapi.dll:: $(GLIB) $(LIBS) gssapi.def win_glue.obj $(LIBS) ldllcew libw oldnames, gssapi.def rc /nologo /p /k gssapi.dll -libkrb5.lib:: libkrb5.dll - implib /nologo libkrb5.lib libkrb5.dll +krb5_16.lib:: krb5_16.dll + implib /nologo krb5_16.lib krb5_16.dll -libkrb5.dll:: $(LIBS) libkrb5.def win_glue.obj - link /co /seg:400 /noe /nod /nol win_glue, libkrb5.dll, libkrb5.map, \ - $(LIBS) ldllcew libw oldnames, libkrb5.def - rc /nologo /p /k libkrb5.dll +krb5_16.dll:: $(LIBS) krb5_16.def win_glue.obj + link /co /seg:400 /noe /nod /nol win_glue, krb5_16.dll, krb5_16.map, \ + $(LIBS) ldllcew libw oldnames, krb5_16.def + rc /nologo /p /k krb5_16.dll sap_glue.obj: win_glue.c $(CC) $(CFLAGS) -DSAP_TIMEBOMB -I$(VERS_DIR) /c \ @@ -83,7 +83,7 @@ all-windows:: @echo Making in lib cd .. -all-windows:: libkrb5.lib gssapi.lib +all-windows:: krb5_16.lib gssapi.lib clean-windows:: @echo Making clean in lib\crypto diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog index 6803199..ecdb1d4 100644 --- a/src/lib/crypto/ChangeLog +++ b/src/lib/crypto/ChangeLog @@ -1,3 +1,17 @@ +Sat Nov 23 00:22:20 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * cryptoconf.c: Also zero out the entries in cryptoconf, to make + sure no one tries to use triple DES and SHA. + +Fri Nov 22 20:49:13 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * configure.in (enableval): Disable triple DES and SHA, since + what's there isn't the final triple DES. [PR#231] + +Mon Nov 18 20:38:24 1996 Ezra Peisach <epeisach@mit.edu> + [krb5-libs/201] + * configure.in: Set shared library version to 1.0. + Thu Jun 6 00:04:38 1996 Theodore Y. Ts'o <tytso@mit.edu> * Makefile.in (all-windows): Don't pass $(LIBCMD) on the command diff --git a/src/lib/crypto/configure.in b/src/lib/crypto/configure.in index 9e04510..53f9fcc 100644 --- a/src/lib/crypto/configure.in +++ b/src/lib/crypto/configure.in @@ -19,17 +19,17 @@ if test "$enableval" = yes; then else AC_MSG_RESULT(Disabling DES_CBC_MD5) fi -AC_ARG_ENABLE([des3-cbc-sha], -[ --enable-des3-cbc-sha enable DES3_CBC_SHA (DEFAULT). - --disable-des3-cbc-sha disable DES3_CBC_SHA.], -, -enableval=yes)dnl -if test "$enableval" = yes; then - AC_MSG_RESULT(Enabling DES3_CBC_SHA) - AC_DEFINE(PROVIDE_DES3_CBC_SHA) -else - AC_MSG_RESULT(Disabling DES3_CBC_SHA) -fi +dnl AC_ARG_ENABLE([des3-cbc-sha], +dnl [ --enable-des3-cbc-sha enable DES3_CBC_SHA (DEFAULT). +dnl --disable-des3-cbc-sha disable DES3_CBC_SHA.], +dnl , +dnl enableval=yes)dnl +dnl if test "$enableval" = yes; then +dnl AC_MSG_RESULT(Enabling DES3_CBC_SHA) +dnl AC_DEFINE(PROVIDE_DES3_CBC_SHA) +dnl else +dnl AC_MSG_RESULT(Disabling DES3_CBC_SHA) +dnl fi AC_ARG_WITH([des-cbc-crc], [ --enable-des-cbc-crc enable DES_CBC_CRC (DEFAULT). --disable-des-cbc-crc disable DES_CBC_CRC.], @@ -52,17 +52,17 @@ if test "$enableval" = yes; then else AC_MSG_RESULT(Disabling DES_CBC_RAW) fi -AC_ARG_WITH([des3-cbc-raw], -[ --enable-des3-cbc-raw enable DES3_CBC_RAW (DEFAULT). - --disable-des3-cbc-raw disable DES3_CBC_RAW.], -, -enableval=yes)dnl -if test "$enableval" = yes; then - AC_MSG_RESULT(Enabling DES3_CBC_RAW) - AC_DEFINE(PROVIDE_DES3_CBC_RAW) -else - AC_MSG_RESULT(Disabling DES3_CBC_RAW) -fi +dnl AC_ARG_WITH([des3-cbc-raw], +dnl [ --enable-des3-cbc-raw enable DES3_CBC_RAW (DEFAULT). +dnl --disable-des3-cbc-raw disable DES3_CBC_RAW.], +dnl , +dnl enableval=yes)dnl +dnl if test "$enableval" = yes; then +dnl AC_MSG_RESULT(Enabling DES3_CBC_RAW) +dnl AC_DEFINE(PROVIDE_DES3_CBC_RAW) +dnl else +dnl AC_MSG_RESULT(Disabling DES3_CBC_RAW) +dnl fi AC_ARG_WITH([des-cbc-cksum], [ --enable-des-cbc-cksum enable DES_CBC_CKSUM (DEFAULT). --disable-des-cbc-cksum disable DES_CBC_CKSUM.], @@ -107,20 +107,20 @@ if test "$enableval" = yes; then else AC_MSG_RESULT(Disabling RSA_MD5) fi -AC_ARG_WITH([nist-sha], -[ --enable-nist-sha enable NIST_SHA (DEFAULT). - --disable-nist-sha disable NIST_SHA.], -, -enableval=yes)dnl -if test "$enableval" = yes; then - AC_MSG_RESULT(Enabling NIST_SHA) - AC_DEFINE(PROVIDE_NIST_SHA) -else - AC_MSG_RESULT(Disabling NIST_SHA) -fi +dnl AC_ARG_WITH([nist-sha], +dnl [ --enable-nist-sha enable NIST_SHA (DEFAULT). +dnl --disable-nist-sha disable NIST_SHA.], +dnl , +dnl enableval=yes)dnl +dnl if test "$enableval" = yes; then +dnl AC_MSG_RESULT(Enabling NIST_SHA) +dnl AC_DEFINE(PROVIDE_NIST_SHA) +dnl else +dnl AC_MSG_RESULT(Disabling NIST_SHA) +dnl fi V5_SHARED_LIB_OBJS SubdirLibraryRule([${OBJS}]) DO_SUBDIRS -V5_MAKE_SHARED_LIB(libcrypto,0.1,.., ./crypto) +V5_MAKE_SHARED_LIB(libcrypto,1.0,.., ./crypto) V5_AC_OUTPUT_MAKEFILE diff --git a/src/lib/crypto/cryptoconf.c b/src/lib/crypto/cryptoconf.c index 768c6cf..62be745 100644 --- a/src/lib/crypto/cryptoconf.c +++ b/src/lib/crypto/cryptoconf.c @@ -53,8 +53,10 @@ #ifdef PROVIDE_NIST_SHA #include "shs.h" -#define SHA_CKENTRY &nist_sha_cksumtable_entry -#define HMAC_SHA_CKENTRY &hmac_sha_cksumtable_entry +/* #define SHA_CKENTRY &nist_sha_cksumtable_entry */ +/* #define HMAC_SHA_CKENTRY &hmac_sha_cksumtable_entry */ +#define SHA_CKENTRY 0 +#define HMAC_SHA_CKENTRY 0 #else #define SHA_CKENTRY 0 #define HMAC_SHA_CKENTRY 0 @@ -109,7 +111,11 @@ #include "des_int.h" #define _DES_DONE__ #endif -#define DES3_CBC_SHA_CSENTRY &krb5_des3_sha_cst_entry +/* Don't try to enable triple DES unless you know what you are doing; */ +/* the current implementation of triple DES is NOT the final and */ +/* correct implementation.!!! */ +/* #define DES3_CBC_SHA_CSENTRY &krb5_des3_sha_cst_entry */ +#define DES3_CBC_SHA_CSENTRY 0 #else #define DES3_CBC_SHA_CSENTRY 0 #endif @@ -119,7 +125,8 @@ #include "des_int.h" #define _DES_DONE__ #endif -#define DES3_CBC_RAW_CSENTRY &krb5_des3_raw_cst_entry +/* #define DES3_CBC_RAW_CSENTRY &krb5_des3_raw_cst_entry */ +#define DES3_CBC_RAW_CSENTRY 0 #else #define DES3_CBC_RAW_CSENTRY 0 #endif diff --git a/src/lib/des425/ChangeLog b/src/lib/des425/ChangeLog index c0c8faa..8b1457e 100644 --- a/src/lib/des425/ChangeLog +++ b/src/lib/des425/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:39:02 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Wed Aug 7 12:50:36 1996 Ezra Peisach <epeisach@mit.edu> * new_rnd_key.c (des_set_sequence_number): Change cast to diff --git a/src/lib/des425/configure.in b/src/lib/des425/configure.in index 08126b0..07072c9 100644 --- a/src/lib/des425/configure.in +++ b/src/lib/des425/configure.in @@ -29,5 +29,5 @@ AC_SUBST(CRYPTO_SH_VERS) KRB5_SH_VERS=$krb5_cv_shlib_version_libkrb5 AC_SUBST(KRB5_SH_VERS) KRB5_RUN_FLAGS -V5_MAKE_SHARED_LIB(libdes425,0.1,.., ./des425) +V5_MAKE_SHARED_LIB(libdes425,1.0,.., ./des425) V5_AC_OUTPUT_MAKEFILE diff --git a/src/lib/gssapi/ChangeLog b/src/lib/gssapi/ChangeLog index 505b5d3..b29cc37 100644 --- a/src/lib/gssapi/ChangeLog +++ b/src/lib/gssapi/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:39:41 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Tue Jul 23 22:50:22 1996 Theodore Y. Ts'o <tytso@mit.edu> * Makefile.in (MAC_SUBDIRS): Remove mechglue from the list of diff --git a/src/lib/gssapi/configure.in b/src/lib/gssapi/configure.in index 164582c..f2bb704 100644 --- a/src/lib/gssapi/configure.in +++ b/src/lib/gssapi/configure.in @@ -7,7 +7,7 @@ AC_PROG_ARCHIVE_ADD AC_PROG_RANLIB AC_PROG_INSTALL DO_SUBDIRS -V5_MAKE_SHARED_LIB(libgssapi_krb5,0.1,.., ./gssapi) +V5_MAKE_SHARED_LIB(libgssapi_krb5,1.0,.., ./gssapi) CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto AC_SUBST(CRYPTO_SH_VERS) COMERR_SH_VERS=$krb5_cv_shlib_version_libcom_err diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog index 9934708..30fd1c3 100644 --- a/src/lib/gssapi/generic/ChangeLog +++ b/src/lib/gssapi/generic/ChangeLog @@ -1,3 +1,12 @@ +Wed Nov 20 13:59:58 1996 Ezra Peisach <epeisach@mit.edu> + + * Makefile.in (install): Install gssapi.h from the build tree. + +Tue Nov 19 16:43:16 1996 Tom Yu <tlyu@mit.edu> + + * Makefile.in (gssapi.h): grep USE_.*_H out from autoconf.h as + well (some stuff was depending on USE_STRING_H). + Mon Nov 18 12:38:34 1996 Tom Yu <tlyu@mit.edu> *gssapi.h: Renamed to gssapi.hin. diff --git a/src/lib/gssapi/generic/Makefile.in b/src/lib/gssapi/generic/Makefile.in index 1e1aa7e..87b414f 100644 --- a/src/lib/gssapi/generic/Makefile.in +++ b/src/lib/gssapi/generic/Makefile.in @@ -37,6 +37,7 @@ gssapi.h: gssapi.hin echo "/* It contains some choice pieces of autoconf.h */" >> $@ grep SIZEOF $(BUILDTOP)/include/krb5/autoconf.h >> $@ grep 'HAVE_.*_H' $(BUILDTOP)/include/krb5/autoconf.h >> $@ + grep 'USE_.*_H' $(BUILDTOP)/include/krb5/autoconf.h >> $@ echo "/* End of gssapi.h prologue. */" cat $(srcdir)/gssapi.hin >> $@ @@ -84,7 +85,8 @@ OBJS = \ $(OBJS): $(HDRS) $(ETHDRS) -EXPORTED_HEADERS= gssapi.h gssapi_generic.h +EXPORTED_HEADERS= gssapi_generic.h +EXPORTED_BUILT_HEADERS= gssapi.h all-unix:: shared $(SRCS) $(ETHDRS) $(OBJS) @@ -116,5 +118,9 @@ install:: do $(INSTALL_DATA) $(srcdir)/$$f \ $(DESTDIR)$(KRB5_INCDIR)/gssapi/$$f ; \ done + @set -x; for f in $(EXPORTED_BUILT_HEADERS) ; \ + do $(INSTALL_DATA) $$f \ + $(DESTDIR)$(KRB5_INCDIR)/gssapi/$$f ; \ + done depend:: $(ETSRCS) diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index fb51f0d..9863207 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,27 @@ +Wed Nov 20 19:55:29 1996 Marc Horowitz <marc@cygnus.com> + + * init_sec_context.c (make_ap_rep, krb5_gss_init_sec_context), + accept_sec_context.c (krb5_gss_accept_sec_context): fix up use of + gss flags. under some circumstances, the context would not have + checked for replay or sequencing, even if those features were + requested. + + * init_sec_context.c (make_ap_req), (krb5_gss_init_sec_context): + If delegation is requested, but forwarding the credentials fails, + instead of aborting the context setup, just don't forward + credentials. + + * gssapiP_krb5.h (krb5_gss_ctx_id_t), ser_sctx.c + (kg_ctx_externalize, kg_ctx_internalize), init_sec_context.c + (krb5_gss_init_sec_context), get_tkt_flags.c + (gss_krb5_get_tkt_flags), accept_sec_context.c + (krb5_gss_accept_sec_context): rename ctx->flags to + ctx->krb_flags, to disambiguate it from ctx->gss_flags + + * accept_sec_context.c (krb5_gss_accept_sec_context): If the subkey + isn't present in the authenticator, then use the session key + instead. + Sat Oct 19 00:38:22 1996 Theodore Y. Ts'o <tytso@mit.edu> * ser_sctx.c (kg_oid_externalize, kg_oid_internalize, diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 2346069..1589835 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -384,8 +384,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, ctx->mech_used = mech_used; ctx->auth_context = auth_context; ctx->initiate = 0; - ctx->gss_flags = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG | - (gss_flags & (GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG)); + ctx->gss_flags = KG_IMPLFLAGS(gss_flags); ctx->seed_init = 0; ctx->big_endian = bigend; @@ -417,6 +416,29 @@ krb5_gss_accept_sec_context(minor_status, context_handle, return(GSS_S_FAILURE); } + /* use the session key if the subkey isn't present */ + + if (ctx->subkey == NULL) { + if ((code = krb5_auth_con_getkey(context, auth_context, + &ctx->subkey))) { + krb5_free_principal(context, ctx->there); + krb5_free_principal(context, ctx->here); + xfree(ctx); + *minor_status = code; + return(GSS_S_FAILURE); + } + } + + if (ctx->subkey == NULL) { + krb5_free_principal(context, ctx->there); + krb5_free_principal(context, ctx->here); + xfree(ctx); + /* this isn't a very good error, but it's not clear to me this + can actually happen */ + *minor_status = KRB5KDC_ERR_NULL_KEY; + return(GSS_S_FAILURE); + } + switch(ctx->subkey->enctype) { case ENCTYPE_DES_CBC_MD5: case ENCTYPE_DES_CBC_CRC: @@ -464,7 +486,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, } ctx->endtime = ticket->enc_part2->times.endtime; - ctx->flags = ticket->enc_part2->flags; + ctx->krb_flags = ticket->enc_part2->flags; krb5_free_ticket(context, ticket); /* Done with ticket */ @@ -487,8 +509,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, } g_order_init(&(ctx->seqstate), ctx->seq_recv, - (gss_flags & GSS_C_REPLAY_FLAG) != 0, - (gss_flags & GSS_C_SEQUENCE_FLAG) != 0); + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); /* at this point, the entire context structure is filled in, so it can be released. */ @@ -545,7 +567,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, *time_rec = ctx->endtime - now; if (ret_flags) - *ret_flags = KG_IMPLFLAGS(gss_flags); + *ret_flags = ctx->gss_flags; ctx->established = 1; diff --git a/src/lib/gssapi/krb5/get_tkt_flags.c b/src/lib/gssapi/krb5/get_tkt_flags.c index 5dd9106..eebf06d 100644 --- a/src/lib/gssapi/krb5/get_tkt_flags.c +++ b/src/lib/gssapi/krb5/get_tkt_flags.c @@ -48,7 +48,7 @@ gss_krb5_get_tkt_flags(minor_status, context_handle, ticket_flags) } if (ticket_flags) - *ticket_flags = ctx->flags; + *ticket_flags = ctx->krb_flags; *minor_status = 0; return(GSS_S_COMPLETE); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index ee327ba..97f2d51 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -113,7 +113,7 @@ typedef struct _krb5_gss_ctx_id_rec { krb5_gss_enc_desc enc; krb5_gss_enc_desc seq; krb5_timestamp endtime; - krb5_flags flags; + krb5_flags krb_flags; krb5_int32 seq_send; krb5_int32 seq_recv; void *seqstate; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 690d5af..3b8935f 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -30,15 +30,15 @@ static krb5_error_code make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, - req_flags, flags, mech_type, token) + req_flags, krb_flags, mech_type, token) krb5_context context; krb5_auth_context * auth_context; krb5_gss_cred_id_t cred; krb5_principal server; krb5_timestamp *endtime; gss_channel_bindings_t chan_bindings; - OM_uint32 req_flags; - krb5_flags *flags; + OM_uint32 *req_flags; + krb5_flags *krb_flags; gss_OID mech_type; gss_buffer_t token; { @@ -74,8 +74,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, /* build the checksum field */ - if(*flags && GSS_C_DELEG_FLAG) { - + if (*req_flags & GSS_C_DELEG_FLAG) { /* first get KRB_CRED message, so we know its length */ /* clear the time check flag that was set in krb5_auth_con_init() */ @@ -83,20 +82,27 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, krb5_auth_con_setflags(context, *auth_context, con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME); - if ((code = krb5_fwd_tgt_creds(context, *auth_context, 0, + code = krb5_fwd_tgt_creds(context, *auth_context, 0, cred->princ, server, cred->ccache, 1, - &credmsg))) - return(code); + &credmsg); /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */ krb5_auth_con_setflags(context, *auth_context, con_flags); - if(credmsg.length+28 > KRB5_INT16_MAX) { - krb5_xfree(credmsg.data); - return(KRB5KRB_ERR_FIELD_TOOLONG); - } + if (code) { + /* don't fail here; just don't accept/do the delegation + request */ + *req_flags &= ~GSS_C_DELEG_FLAG; - checksum_data.length = 28+credmsg.length; + checksum_data.length = 24; + } else { + if (credmsg.length+28 > KRB5_INT16_MAX) { + krb5_xfree(credmsg.data); + return(KRB5KRB_ERR_FIELD_TOOLONG); + } + + checksum_data.length = 28+credmsg.length; + } } else { checksum_data.length = 24; } @@ -115,7 +121,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, TWRITE_INT(ptr, md5.length, 0); TWRITE_STR(ptr, (unsigned char *) md5.contents, md5.length); - TWRITE_INT(ptr, KG_IMPLFLAGS(req_flags), 0); + TWRITE_INT(ptr, *req_flags, 0); /* done with this, free it */ xfree(md5.contents); @@ -151,7 +157,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, mk_req_flags = AP_OPTS_USE_SUBKEY; - if (req_flags & GSS_C_MUTUAL_FLAG) + if (*req_flags & GSS_C_MUTUAL_FLAG) mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED; if ((code = krb5_mk_req_extended(context, auth_context, mk_req_flags, @@ -160,7 +166,7 @@ make_ap_req(context, auth_context, cred, server, endtime, chan_bindings, /* store the interesting stuff from creds and authent */ *endtime = out_creds->times.endtime; - *flags = out_creds->ticket_flags; + *krb_flags = out_creds->ticket_flags; /* build up the token */ @@ -264,15 +270,15 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, err = 0; if (mech_type == GSS_C_NULL_OID) { - mech_type = cred->rfc_mech?gss_mech_krb5:gss_mech_krb5_old; - } else if (g_OID_equal(mech_type, gss_mech_krb5)) { - if (!cred->rfc_mech) - err = 1; - } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { - if (!cred->prerfc_mech) - err = 1; - } else - err = 1; + mech_type = cred->rfc_mech?gss_mech_krb5:gss_mech_krb5_old; + } else if (g_OID_equal(mech_type, gss_mech_krb5)) { + if (!cred->rfc_mech) + err = 1; + } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { + if (!cred->prerfc_mech) + err = 1; + } else + err = 1; if (err) { *minor_status = 0; @@ -318,9 +324,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, ctx->mech_used = mech_type; ctx->auth_context = NULL; ctx->initiate = 1; - ctx->gss_flags = ((req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG)) | - GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG); - ctx->flags = req_flags & GSS_C_DELEG_FLAG; + ctx->gss_flags = KG_IMPLFLAGS(req_flags); ctx->seed_init = 0; ctx->big_endian = 0; /* all initiators do little-endian, as per spec */ ctx->seqstate = 0; @@ -352,7 +356,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, if ((code = make_ap_req(context, &(ctx->auth_context), cred, ctx->there, &ctx->endtime, input_chan_bindings, - req_flags, &ctx->flags, mech_type, &token))) { + &ctx->gss_flags, &ctx->krb_flags, mech_type, + &token))) { krb5_free_principal(context, ctx->here); krb5_free_principal(context, ctx->there); xfree(ctx); @@ -438,7 +443,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, *output_token = token; if (ret_flags) - *ret_flags = KG_IMPLFLAGS(req_flags); + *ret_flags = ctx->gss_flags; if (actual_mech_type) *actual_mech_type = mech_type; @@ -452,8 +457,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, } else { ctx->seq_recv = ctx->seq_send; g_order_init(&(ctx->seqstate), ctx->seq_recv, - (req_flags & GSS_C_REPLAY_FLAG) != 0, - (req_flags & GSS_C_SEQUENCE_FLAG) != 0); + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); ctx->established = 1; /* fall through to GSS_S_COMPLETE */ } @@ -477,7 +482,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, if ((ctx->established) || (((gss_cred_id_t) cred) != claimant_cred_handle) || - ((req_flags & GSS_C_MUTUAL_FLAG) == 0)) { + ((ctx->gss_flags & GSS_C_MUTUAL_FLAG) == 0)) { (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL); /* XXX this minor status is wrong if an arg was changed */ @@ -534,8 +539,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, /* store away the sequence number */ ctx->seq_recv = ap_rep_data->seq_number; g_order_init(&(ctx->seqstate), ctx->seq_recv, - (req_flags & GSS_C_REPLAY_FLAG) != 0, - (req_flags & GSS_C_SEQUENCE_FLAG) !=0); + (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, + (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) !=0); /* free the ap_rep_data */ krb5_free_ap_rep_enc_part(context, ap_rep_data); diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c index 259cce5..22b5c36 100644 --- a/src/lib/gssapi/krb5/ser_sctx.c +++ b/src/lib/gssapi/krb5/ser_sctx.c @@ -515,7 +515,7 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain) &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->endtime, &bp, &remain); - (void) krb5_ser_pack_int32((krb5_int32) ctx->flags, + (void) krb5_ser_pack_int32((krb5_int32) ctx->krb_flags, &bp, &remain); (void) krb5_ser_pack_int32((krb5_int32) ctx->seq_send, &bp, &remain); @@ -632,7 +632,7 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain) (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->endtime = (krb5_timestamp) ibuf; (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ctx->flags = (krb5_flags) ibuf; + ctx->krb_flags = (krb5_flags) ibuf; (void) krb5_ser_unpack_int32(&ctx->seq_send, &bp, &remain); (void) krb5_ser_unpack_int32(&ctx->seq_recv, &bp, &remain); (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); diff --git a/src/lib/gssapi/mechglue/ChangeLog b/src/lib/gssapi/mechglue/ChangeLog index 97558b1..9f8fb1b 100644 --- a/src/lib/gssapi/mechglue/ChangeLog +++ b/src/lib/gssapi/mechglue/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:43:54 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Shared library version number to 1.0. [krb5-libs/201] + Wed Jun 12 00:50:32 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * Makefile.in: Remove include of config/windows.in; that's done diff --git a/src/lib/gssapi/mechglue/configure.in b/src/lib/gssapi/mechglue/configure.in index 73cf30e..bd9b4db 100644 --- a/src/lib/gssapi/mechglue/configure.in +++ b/src/lib/gssapi/mechglue/configure.in @@ -13,7 +13,7 @@ case $host in *-*-aix*) # don't build libgssapi.a on AIX ;; *) - V5_MAKE_SHARED_LIB(libgssapi,0.1,.., ./mechglue) + V5_MAKE_SHARED_LIB(libgssapi,1.0,.., ./mechglue) AppendRule([install:: libgssapi.[$](LIBEXT) [$](INSTALL_DATA) libgssapi.[$](LIBEXT) [$](DESTDIR)[$](KRB5_LIBDIR)[$](S)libgssapi.[$](LIBEXT)]) LinkFileDir([$](TOPLIBD)/libgssapi.[$](LIBEXT),libgssapi.[$](LIBEXT),./gssapi/mechglue) diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog index 9a08922..f3bf0c4 100644 --- a/src/lib/kadm5/srv/ChangeLog +++ b/src/lib/kadm5/srv/ChangeLog @@ -1,3 +1,15 @@ +Tue Nov 26 03:04:04 1996 Sam Hartman <hartmans@mit.edu> + + * server_acl.c (acl_load_acl_file): Fix coredump by allowing + catchall_entry to be null, but do not reference it if it is. + Thanks to marc. [242] + +Mon Nov 25 17:53:20 1996 Barry Jaspan <bjaspan@mit.edu> + + * server_acl.c: set acl_catchall_entry to "" instead of NULL, + since it is presumed to contain something, but we don't want any + default entry [krb5-admin/237] + Wed Nov 13 19:20:36 1996 Tom Yu <tlyu@mit.edu> * Makefile.in (clean-unix): Remove shared/*. diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c index 16a7f4e..3e731fe 100644 --- a/src/lib/kadm5/srv/server_acl.c +++ b/src/lib/kadm5/srv/server_acl.c @@ -276,7 +276,8 @@ char tmpbuf[10]; } else { com_err(acl_acl_file, errno, acl_cantopen_msg); - if (acl_list_head = acl_parse_line(acl_catchall_entry)) { + if (acl_catchall_entry && + (acl_list_head = acl_parse_line(acl_catchall_entry))) { acl_list_tail = acl_list_head; } else { diff --git a/src/lib/kadm5/unit-test/ChangeLog b/src/lib/kadm5/unit-test/ChangeLog index aba10a9..d169ba8 100644 --- a/src/lib/kadm5/unit-test/ChangeLog +++ b/src/lib/kadm5/unit-test/ChangeLog @@ -1,3 +1,7 @@ +Wed Nov 20 15:59:34 1996 Barry Jaspan <bjaspan@mit.edu> + + * Makefile.in (check-): warn more loudly about unrun tests + Mon Nov 11 20:51:27 1996 Tom Yu <tlyu@mit.edu> * configure.in: Add AC_CANONICAL_HOST to deal with new pre.in. diff --git a/src/lib/kadm5/unit-test/Makefile.in b/src/lib/kadm5/unit-test/Makefile.in index 455f428..333c663 100644 --- a/src/lib/kadm5/unit-test/Makefile.in +++ b/src/lib/kadm5/unit-test/Makefile.in @@ -49,7 +49,10 @@ server-iter-test: iter-test.o $(SRVDEPLIBS) check:: check-@DO_TEST@ check-:: - @echo "Either tcl, runtest, or Perl is unavailable. Kadm5 unit tests not run" + @echo "+++" + @echo "+++ WARNING: lib/kadm5 unit tests not run." + @echo "+++ Either tcl, runtest, or Perl is unavailable." + @echo "+++" check-ok unit-test:: unit-test-client unit-test-server diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog index 3f74707..ca9b830 100644 --- a/src/lib/kdb/ChangeLog +++ b/src/lib/kdb/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:40:12 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Tue Nov 12 23:41:55 1996 Mark Eichin <eichin@cygnus.com> * kdb_dbm.c: Ditch DB_OPENCLOSE conditionals, and fix the real diff --git a/src/lib/kdb/configure.in b/src/lib/kdb/configure.in index 75c4e40..8f04d98 100644 --- a/src/lib/kdb/configure.in +++ b/src/lib/kdb/configure.in @@ -20,7 +20,7 @@ KRB5_RUN_FLAGS V5_USE_SHARED_LIB KRB5_LIBRARIES V5_SHARED_LIB_OBJS -V5_MAKE_SHARED_LIB(libkdb5,0.1,.., ./kdb) +V5_MAKE_SHARED_LIB(libkdb5,1.0,.., ./kdb) AppendRule([all-unix:: ../libkdb5.a]) KRB5_SH_VERS=$krb5_cv_shlib_version_libkrb5 AC_SUBST(KRB5_SH_VERS) diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog index 27ab65f..1c7296b 100644 --- a/src/lib/krb4/ChangeLog +++ b/src/lib/krb4/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:40:39 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Thu Nov 7 12:33:06 1996 Theodore Y. Ts'o <tytso@mit.edu> * g_in_tkt.c: diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in index 4e3dd8c..2a4c8b3 100644 --- a/src/lib/krb4/configure.in +++ b/src/lib/krb4/configure.in @@ -44,7 +44,7 @@ AC_HAVE_FUNCS(strsave seteuid setreuid setresuid) AC_PROG_AWK V5_SHARED_LIB_OBJS SubdirLibraryRule([$(OBJS)]) -V5_MAKE_SHARED_LIB(libkrb4,0.1,.., ./krb4) +V5_MAKE_SHARED_LIB(libkrb4,1.0,.., ./krb4) CopyHeader(krb_err.h,$(EHDRDIR)) CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto AC_SUBST(CRYPTO_SH_VERS) diff --git a/src/lib/krb5/ChangeLog b/src/lib/krb5/ChangeLog index 00b17c7..e77f6b9 100644 --- a/src/lib/krb5/ChangeLog +++ b/src/lib/krb5/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:42:39 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Wed Oct 23 01:15:40 1996 Theodore Y. Ts'o <tytso@mit.edu> * configure.in, Makefile.in: Check to see if the -lgen library diff --git a/src/lib/krb5/configure.in b/src/lib/krb5/configure.in index c612ed7..2ac53bd 100644 --- a/src/lib/krb5/configure.in +++ b/src/lib/krb5/configure.in @@ -16,7 +16,7 @@ dnl AC_CHECK_LIB(gen,compile,SHLIB_GEN=-lgen,SHLIB_GEN='') AC_SUBST(SHLIB_GEN) dnl -V5_MAKE_SHARED_LIB(libkrb5,0.1,.., ./krb5) +V5_MAKE_SHARED_LIB(libkrb5,1.0,.., ./krb5) CRYPTO_SH_VERS=$krb5_cv_shlib_version_libcrypto AC_SUBST(CRYPTO_SH_VERS) COMERR_SH_VERS=$krb5_cv_shlib_version_libcom_err diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog index 0b60e42..6eff8a2 100644 --- a/src/lib/krb5/error_tables/ChangeLog +++ b/src/lib/krb5/error_tables/ChangeLog @@ -1,3 +1,7 @@ +Tue Nov 19 17:06:26 1996 Barry Jaspan <bjaspan@mit.edu> + + * krb5_err.et: add KRB5_KT_KVNONOTFOUND [krb5-libs/198] + Wed Nov 6 11:15:32 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * krb5_err.et: Make the KRB5_CONFIG_CANTOPEN and diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et index 06af955..1b42232 100644 --- a/src/lib/krb5/error_tables/krb5_err.et +++ b/src/lib/krb5/error_tables/krb5_err.et @@ -300,5 +300,6 @@ error_code KRB5_CONFIG_NODEFREALM, "Configuration file does not specify default error_code KRB5_SAM_UNSUPPORTED, "Bad SAM flags in obtain_sam_padata" error_code KRB5_KT_NAME_TOOLONG, "Keytab name too long" +error_code KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect" end diff --git a/src/lib/krb5/keytab/file/ChangeLog b/src/lib/krb5/keytab/file/ChangeLog index c37f709..f14e2a0 100644 --- a/src/lib/krb5/keytab/file/ChangeLog +++ b/src/lib/krb5/keytab/file/ChangeLog @@ -1,3 +1,8 @@ +Tue Nov 19 17:06:59 1996 Barry Jaspan <bjaspan@mit.edu> + + * ktf_g_ent.c (krb5_ktfile_get_entry): return KRB5_KT_KVNONOTFOUND + when appropriate [krb5-libs/198] + Wed Jul 24 17:10:11 1996 Theodore Y. Ts'o <tytso@mit.edu> * ktf_g_name.c (krb5_ktfile_get_name): Use the error code diff --git a/src/lib/krb5/keytab/file/ktf_g_ent.c b/src/lib/krb5/keytab/file/ktf_g_ent.c index 4805d5c..e42dcdb 100644 --- a/src/lib/krb5/keytab/file/ktf_g_ent.c +++ b/src/lib/krb5/keytab/file/ktf_g_ent.c @@ -40,6 +40,7 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry) { krb5_keytab_entry cur_entry, new_entry; krb5_error_code kerror = 0; + int found_wrong_kvno = 0; /* Open the keyfile for reading */ if ((kerror = krb5_ktfileint_openr(context, id))) @@ -92,14 +93,21 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry) krb5_kt_free_entry(context, &cur_entry); cur_entry = new_entry; break; - } + } else + found_wrong_kvno++; } } else { krb5_kt_free_entry(context, &new_entry); } } - if (kerror == KRB5_KT_END) - kerror = cur_entry.principal ? 0 : KRB5_KT_NOTFOUND; + if (kerror == KRB5_KT_END) { + if (cur_entry.principal) + kerror = 0; + else if (found_wrong_kvno) + kerror = KRB5_KT_KVNONOTFOUND; + else + kerror = KRB5_KT_NOTFOUND; + } if (kerror) { (void) krb5_ktfileint_close(context, id); krb5_kt_free_entry(context, &cur_entry); diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index c702d0a..18bf885 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,10 @@ +Thu Nov 21 13:54:01 1996 Ezra Peisach <epeisach@mit.edu> + + * recvauth.c (krb5_recvauth): If there is an error, and the server + argument to krb5_recvauth is NULL, create a dummy server + entry for the krb5_error structure so that krb5_mk_error + will not die with missing required fields. [krb5-libs/209] + Wed Nov 13 14:30:47 1996 Tom Yu <tlyu@mit.edu> * init_ctx.c: Revert previous kt_default_name changes. diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c index d6d6772..d5e7b5f 100644 --- a/src/lib/krb5/krb/recvauth.c +++ b/src/lib/krb5/krb/recvauth.c @@ -57,6 +57,7 @@ krb5_recvauth(context, auth_context, krb5_rcache rcache = 0; krb5_octet response; krb5_data null_server; + int need_error_free = 0; /* * Zero out problem variable. If problem is set at the end of @@ -173,7 +174,14 @@ krb5_recvauth(context, auth_context, memset((char *)&error, 0, sizeof(error)); krb5_us_timeofday(context, &error.stime, &error.susec); - error.server = server; + if(server) + error.server = server; + else { + /* If this fails - ie. ENOMEM we are hosed + we cannot even send the error if we wanted to... */ + (void) krb5_parse_name(context, "????", &error.server); + need_error_free = 1; + } error.error = problem - ERROR_TABLE_BASE_krb5; if (error.error > 127) @@ -190,6 +198,9 @@ krb5_recvauth(context, auth_context, goto cleanup; } free(error.text.data); + if(need_error_free) + krb5_free_principal(context, error.server); + } else { outbuf.length = 0; outbuf.data = 0; diff --git a/src/lib/libkrb5.def b/src/lib/krb5_16.def index 9d9d5e5..9d9d5e5 100644 --- a/src/lib/libkrb5.def +++ b/src/lib/krb5_16.def diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index b4e0eb7..38639cb 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,18 @@ +Fri Nov 22 15:50:42 1996 unknown <bjaspan@mit.edu> + + * get_myaddress.c (get_myaddress): use krb5_os_localaddr instead + of ioctl() to get local IP addresses [krb5-libs/227] + + * clnt_generic.c, clnt_simple.c, getrpcport.c: use sizeof instead + of h_length to determine number of bytes of addr to copy from DNS + response [krb5-misc/211] + +Fri Nov 22 11:49:43 1996 Sam Hartman <hartmans@mit.edu> + + * types.hin: Include stdlib.h if found at config time [203] + + * configure.in: Substitute STDLIB_INCLUDE into types.h. [203] + Tue Nov 12 16:27:27 1996 Barry Jaspan <bjaspan@mit.edu> * auth_gssapi.c (auth_gssapi_create): handle channel bindings diff --git a/src/lib/rpc/clnt_generic.c b/src/lib/rpc/clnt_generic.c index f111c2e..9eeabe1 100644 --- a/src/lib/rpc/clnt_generic.c +++ b/src/lib/rpc/clnt_generic.c @@ -73,7 +73,7 @@ clnt_create(hostname, prog, vers, proto) sin.sin_family = h->h_addrtype; sin.sin_port = 0; memset(sin.sin_zero, 0, sizeof(sin.sin_zero)); - memmove((char*)&sin.sin_addr, h->h_addr, h->h_length); + memmove((char*)&sin.sin_addr, h->h_addr, sizeof(sin.sin_addr)); p = getprotobyname(proto); if (p == NULL) { rpc_createerr.cf_stat = RPC_UNKNOWNPROTO; diff --git a/src/lib/rpc/clnt_simple.c b/src/lib/rpc/clnt_simple.c index 0d8f7a4..9b5ba9f 100644 --- a/src/lib/rpc/clnt_simple.c +++ b/src/lib/rpc/clnt_simple.c @@ -88,7 +88,8 @@ callrpc(host, prognum, versnum, procnum, inproc, in, outproc, out) return ((int) RPC_UNKNOWNHOST); timeout.tv_usec = 0; timeout.tv_sec = 5; - memmove((char *)&server_addr.sin_addr, hp->h_addr, hp->h_length); + memmove((char *)&server_addr.sin_addr, hp->h_addr, + sizeof(server_addr.sin_addr)); server_addr.sin_family = AF_INET; server_addr.sin_port = 0; if ((crp->client = clntudp_create(&server_addr, (rpc_u_int32)prognum, diff --git a/src/lib/rpc/configure.in b/src/lib/rpc/configure.in index c221704..dde9d53 100644 --- a/src/lib/rpc/configure.in +++ b/src/lib/rpc/configure.in @@ -6,7 +6,11 @@ AC_PROG_ARCHIVE AC_PROG_ARCHIVE_ADD AC_PROG_RANLIB AC_PROG_INSTALL - +dnl Arrange for types.hin to include stdlib.h +AC_CHECK_HEADER(stdlib.h, [ + STDLIB_INCLUDE="#include <stdlib.h>"], + [STDLIB_INCLUDE=""]) +AC_SUBST(STDLIB_INCLUDE) dnl ### Check where struct rpcent is declared. # # This is necessary to determine: diff --git a/src/lib/rpc/get_myaddress.c b/src/lib/rpc/get_myaddress.c index fa4c54e..7986a38 100644 --- a/src/lib/rpc/get_myaddress.c +++ b/src/lib/rpc/get_myaddress.c @@ -38,6 +38,46 @@ static char sccsid[] = "@(#)get_myaddress.c 1.4 87/08/11 Copyr 1984 Sun Micro"; * Copyright (C) 1984, Sun Microsystems, Inc. */ +#ifdef GSSAPI_KRB5 +#include <rpc/types.h> +#include <rpc/pmap_prot.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <krb5.h> +/* + * don't use gethostbyname, which would invoke yellow pages + */ +get_myaddress(addr) + struct sockaddr_in *addr; +{ + krb5_address **addrs, **a; + int ret; + + /* Hack! krb5_os_localaddr does not use the context arg! */ + if (ret = krb5_os_localaddr(NULL, &addrs)) { + com_err("get_myaddress", ret, "calling krb5_os_localaddr"); + exit(1); + } + a = addrs; + while (*a) { + if ((*a)->addrtype == ADDRTYPE_INET) { + memset(addr, 0, sizeof(*addr)); + addr->sin_family = AF_INET; + addr->sin_port = htons(PMAPPORT); + memcpy(&addr->sin_addr, (*a)->contents, sizeof(addr->sin_addr)); + break; + } + a++; + } + if (*a == NULL) { + com_err("get_myaddress", 0, "no local AF_INET address"); + exit(1); + } + /* Hack! krb5_free_addresses does not use the context arg! */ + krb5_free_addresses(NULL, addrs); +} + +#else /* !GSSAPI_KRB5 */ #include <rpc/types.h> #include <rpc/pmap_prot.h> #include <sys/socket.h> @@ -93,3 +133,4 @@ get_myaddress(addr) } (void) close(s); } +#endif /* !GSSAPI_KRB5 */ diff --git a/src/lib/rpc/getrpcport.c b/src/lib/rpc/getrpcport.c index d209a15..1bc239f 100644 --- a/src/lib/rpc/getrpcport.c +++ b/src/lib/rpc/getrpcport.c @@ -48,7 +48,7 @@ getrpcport(host, prognum, versnum, proto) if ((hp = gethostbyname(host)) == NULL) return (0); - memmove((char *) &addr.sin_addr, hp->h_addr, hp->h_length); + memmove((char *) &addr.sin_addr, hp->h_addr, sizeof(addr.sin_addr)); addr.sin_family = AF_INET; addr.sin_port = 0; return (pmap_getport(&addr, prognum, versnum, proto)); diff --git a/src/lib/rpc/types.hin b/src/lib/rpc/types.hin index 9bd357d..8722759 100644 --- a/src/lib/rpc/types.hin +++ b/src/lib/rpc/types.hin @@ -61,9 +61,7 @@ typedef unsigned long rpc_u_int32; # define NULL 0 #endif -#if defined(__osf__) -#include <stdlib.h> -#endif +@STDLIB_INCLUDE@ #define mem_alloc(bsize) (char *) malloc(bsize) #define mem_free(ptr, bsize) free(ptr) diff --git a/src/lib/rpc/unit-test/ChangeLog b/src/lib/rpc/unit-test/ChangeLog index 05a3de5..0303efb 100644 --- a/src/lib/rpc/unit-test/ChangeLog +++ b/src/lib/rpc/unit-test/ChangeLog @@ -1,3 +1,7 @@ +Wed Nov 20 16:00:21 1996 Barry Jaspan <bjaspan@mit.edu> + + * Makefile.in (unit-test-): warn more loudly about unrun tests + Thu Nov 14 22:27:05 1996 Tom Yu <tlyu@mit.edu> * server.c (main): Add declaration of optind for systems that diff --git a/src/lib/rpc/unit-test/Makefile.in b/src/lib/rpc/unit-test/Makefile.in index 3690dc3..26c10c7 100644 --- a/src/lib/rpc/unit-test/Makefile.in +++ b/src/lib/rpc/unit-test/Makefile.in @@ -29,8 +29,10 @@ client.o server.o: rpc_test.h check unit-test:: unit-test-@DO_TEST@ unit-test-: - @echo "The rpc tests require Perl, Tcl, and runtest" - @echo "No tests run here" + @echo "+++" + @echo "+++ WARNING: lib/rpc unit tests not run." + @echo "+++ Either tcl, runtest, or Perl is unavailable." + @echo "+++" unit-test-ok:: unit-test-setup unit-test-body unit-test-cleanup diff --git a/src/mac/ChangeLog b/src/mac/ChangeLog index 654a0a8..b3be53f 100644 --- a/src/mac/ChangeLog +++ b/src/mac/ChangeLog @@ -1,3 +1,11 @@ +Fri Nov 22 07:54:57 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * Makefile.tmpl: Use '%' in Makefiles where you really want a '/' + character in the mpw Makefile. (Translation in + src/Makefile.in) + + * version.r: Fix typos, and set version resource for 1.0 release. + Fri Nov 8 17:44:10 1996 Theodore Y. Ts'o <tytso@mit.edu> * Makefile.tmpl: Add in version resource diff --git a/src/mac/Makefile.tmpl b/src/mac/Makefile.tmpl index 84ebae4..5a42dd4 100644 --- a/src/mac/Makefile.tmpl +++ b/src/mac/Makefile.tmpl @@ -3,11 +3,11 @@ KH68K = {KH}KerberosHeaders68K KHCFM-68K = {KH}KerberosHeadersCFM-68K KHPPC = {KH}KerberosHeadersPPC -GSSRTLCFM68K = "{MW68KLibraries}ANSI (4i/8d) C.CFM68K.Lib" \ +GSSRTLCFM68K = "{MW68KLibraries}ANSI (4i%8d) C.CFM68K.Lib" \ {MW68KLibraries}SIOUX.CFM68K.Lib \ {MW68KLibraries}InterfaceLib \ {MW68KLibraries}MWCFM68KRuntime.Lib \ - "{MW68KLibraries}MathLibCFM68K (4i/8d).Lib" + "{MW68KLibraries}MathLibCFM68K (4i%8d).Lib" GSSRTLCFMPPC = "{MWPPCLibraries}ANSI C.PPC.Lib" \ {MWPPCLibraries}SIOUX.PPC.Lib {MWPPCLibraries}MWCRuntime.Lib \ @@ -113,7 +113,6 @@ link-68KCFM-SAP : -sym fullpath -map libgss.68K.MAP -o GSSLibrarySAP.68K \ {GSSRTLCFM68K} {GSSOBJS68KCFM-SAP} {GSSOBJS68KCFM} Rez "/mac/SAP/GSSforSAP.r" -a -o GSSLibrarySAP.68K - Rez "/mac/version.r" -a -o GSSLibrarySAP.68K link-PPC-SAP : MWLinkPPC -sharedlibrary -name GSSLibrary -m "" \ @@ -122,7 +121,6 @@ link-PPC-SAP : -sym fullpath -map libgss.PPC.MAP -o GSSLibrarySAP.PPC \ {GSSRTLCFMPPC} {GSSOBJSPPC-SAP} {GSSOBJSPPC} Rez "/mac/SAP/GSSforSAP.r" -a -o GSSLibrarySAP.PPC - Rez "/mac/version.r" -a -o GSSLibrarySAP.PPC link-CFMFAT-SAP : Duplicate -y GSSLibrarySAP.68K GSSLibSAP diff --git a/src/mac/SAP/GSSforSAP.r b/src/mac/SAP/GSSforSAP.r index ca25a83..8910dd7 100644 --- a/src/mac/SAP/GSSforSAP.r +++ b/src/mac/SAP/GSSforSAP.r @@ -1,4 +1,17 @@ +#ifdef mw_rez +#include <SysTypes.r> +#include <Types.r> +#else +#include "SysTypes.r" #include "Types.r" +#endif + +resource 'vers' (1) { + 0x01, 0x00, final, 0x00, + verUS, + "1.0", + "1.0(SAP), Copyright 1996 Massachusetts Institute of Technology" +}; resource 'DITL' (135, nonpurgeable) { { /* array DITLarray: 2 elements */ diff --git a/src/mac/gss-sample/ChangeLog b/src/mac/gss-sample/ChangeLog index 63f0612..9975f8a 100644 --- a/src/mac/gss-sample/ChangeLog +++ b/src/mac/gss-sample/ChangeLog @@ -1,3 +1,10 @@ +Fri Nov 22 15:51:55 1996 unknown <bjaspan@mit.edu> + + * gss-client.c (connect_to_server): use sizeof instead of h_length + to determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + + Thu 26 12:00:00 1995 John Rivlin <jrivlin@fusion.com> * Created GSS Sample program diff --git a/src/mac/gss-sample/gss-client.c b/src/mac/gss-sample/gss-client.c index d7dd26e..b2be7c8 100644 --- a/src/mac/gss-sample/gss-client.c +++ b/src/mac/gss-sample/gss-client.c @@ -336,7 +336,7 @@ SOCKET connect_to_server(char *host, u_short port) } saddr.sin_family = hp->h_addrtype; - memcpy((char *)&saddr.sin_addr, hp->h_addr, hp->h_length); + memcpy((char *)&saddr.sin_addr, hp->h_addr, sizeof(saddr.sin_addr)); saddr.sin_port = htons(port); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == (SOCKET) -1) { diff --git a/src/mac/libraries/ChangeLog b/src/mac/libraries/ChangeLog index 1a8d737..4388c5e 100644 --- a/src/mac/libraries/ChangeLog +++ b/src/mac/libraries/ChangeLog @@ -1,3 +1,9 @@ +Sat Nov 23 00:18:20 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * KerberosHeaders.h: Remove DES3 and SHA support for 1.0, since + what's there isn't the correct final algorithm. (They + will be re-added later.) [PR #231] + Tue Apr 30 14:53:54 1996 <tytso@rsts-11.mit.edu> * KerberosHeaders.h: Removed PROVIDE_SNEFRU (shouldn't be there) diff --git a/src/mac/libraries/KerberosHeaders.h b/src/mac/libraries/KerberosHeaders.h index ac4e62d..a25d001 100644 --- a/src/mac/libraries/KerberosHeaders.h +++ b/src/mac/libraries/KerberosHeaders.h @@ -35,9 +35,9 @@ typedef unsigned int size_t; #define PROVIDE_DES_CBC_CRC #define PROVIDE_DES_CBC_MD5 #define PROVIDE_DES_CBC_RAW -#define PROVIDE_DES3_CBC_MD5 -#define PROVIDE_DES3_CBC_RAW - +/* #define PROVIDE_DES3_CBC_MD5 */ +/* #define PROVIDE_DES3_CBC_RAW */ +/* #define PROVIDE_NIST_SHA */ #define NO_SYS_TYPES_H #define NO_SYS_STAT_H diff --git a/src/mac/mkbindirs.sh b/src/mac/mkbindirs.sh new file mode 100644 index 0000000..cdc2af2 --- /dev/null +++ b/src/mac/mkbindirs.sh @@ -0,0 +1,13 @@ +#!/bin/sh +# +# This shell script creates the Macintosh binary hierarchies. + +topbin=$1 +shift + +for DIR do + mkdir $topbin/$DIR + for SDIR in `sed -n -e 's/MAC_SUBDIRS.*=//p' $DIR/Makefile.in`; do + /bin/sh mac/mkbindirs.sh $topbin $DIR/$SDIR; + done +done diff --git a/src/mac/version.r b/src/mac/version.r index 85ece85..a83d10f 100644 --- a/src/mac/version.r +++ b/src/mac/version.r @@ -1,9 +1,14 @@ +#ifdef mw_rez #include <SysTypes.r> #include <Types.r> +#else +#include "SysTypes.r" +#include "Types.r" +#endif resource 'vers' (1) { - 0x00, 0x07, beta, 0x01, - verUS - "Beta 7 Build 1", - "Beta 7 Build 1, Copyright 1996 Massachusetts Institute of Technology" + 0x01, 0x00, final, 0x00, + verUS, + "1.0", + "1.0, Copyright 1996 Massachusetts Institute of Technology" }; diff --git a/src/patchlevel.h b/src/patchlevel.h index ab2b4e2..45d84f1 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -1,2 +1,3 @@ -#define KRB5_MAJOR_RELEASE BETA_7 +#define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 0 +#define KRB5_PATCHLEVEL 0 diff --git a/src/slave/ChangeLog b/src/slave/ChangeLog index 60673e1..acaeb8a 100644 --- a/src/slave/ChangeLog +++ b/src/slave/ChangeLog @@ -1,3 +1,20 @@ +Thu Dec 5 21:15:27 1996 Tom Yu <tlyu@mit.edu> + + * kslave_update: Update script for new filename conventions. [PR + 280] + + * kprop.M: Update outdated references to kdb5_edit and /krb5 [PR + 279] + + * kpropd.M: Update outdated references to kdb5_edit and /krb5 [PR + 279] + +Fri Nov 22 15:52:07 1996 unknown <bjaspan@mit.edu> + + * kprop.c (open_connection): use sizeof instead of h_length to + determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + Thu Nov 7 15:18:01 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * kprop.c (main): diff --git a/src/slave/kprop.M b/src/slave/kprop.M index 7a25db6..a0b5ac8 100644 --- a/src/slave/kprop.M +++ b/src/slave/kprop.M @@ -35,8 +35,8 @@ Kerberos server to a slave Kerberos server, which is specfied by .IR slave_host . This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created -by kdb5_edit, and is normally KPROP_DEFAULT_FILE -(/krb5/slave_datatrans). +by kdb5_util, and is normally KPROP_DEFAULT_FILE +(/usr/local/var/krb5kdc/slave_datatrans). .SH OPTIONS .TP \fB\-r\fP \fIrealm\fP @@ -48,7 +48,7 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be found; by default the dumped database file is KPROP_DEFAULT_FILE -(normally /krb5/slave_datatrans). +(normally /usr/local/var/krb5kdc/slave_datatrans). .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the @@ -61,4 +61,4 @@ prints debugging information. \fB\-s\fP \fIkeytab\fP specifies the location of the keytab file. .SH SEE ALSO -kpropd(8), kdb5_edit(8), krb5kdc(8) +kpropd(8), kdb5_util(8), krb5kdc(8) diff --git a/src/slave/kprop.c b/src/slave/kprop.c index 3c48481..0ddcc2f 100644 --- a/src/slave/kprop.c +++ b/src/slave/kprop.c @@ -324,7 +324,7 @@ open_connection(host, fd, Errmsg) return(0); } sin.sin_family = hp->h_addrtype; - memcpy((char *)&sin.sin_addr, hp->h_addr, hp->h_length); + memcpy((char *)&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr)); if(!port) { sp = getservbyname(KPROP_SERVICE, "tcp"); if (sp == 0) { diff --git a/src/slave/kpropd.M b/src/slave/kpropd.M index 3228ed9..e037a11 100644 --- a/src/slave/kpropd.M +++ b/src/slave/kpropd.M @@ -35,7 +35,7 @@ kpropd \- Kerberos V5 slave KDC update server .I principal_database ] [ .B \-p -.I kdb5_edit_prog +.I kdb5_util_prog ] [ .B \-d ] [ @@ -52,7 +52,7 @@ is the server which accepts connections from the program. .I kpropd accepts the dumped KDC database and places it in a file, and then runs -.IR kdb5_edit (8) +.IR kdb5_util (8) to load the dumped database into the active database which is used by .IR krb5kdc (8). Thus, the master Kerberos server can use @@ -66,7 +66,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: -kprop stream tcp nowait root /krb5/bin/kpropd kpropd +kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd However, kpropd can also run as a standalone deamon, if the .B \-S @@ -84,13 +84,13 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is KPROPD_DEFAULT_FILE -(normally /krb5/from_master). +(normally /usr/local/var/krb5kdc/from_master). .TP .B \-p allows the user to specify the pathname to the -.IR kdb5_edit (8) -program; by default the pathname used is KPROPD_DEFAULT_KDB5_EDIT -(normally /krb5/bin/kdb5_edit). +.IR kdb5_util (8) +program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL +(normally /usr/local/sbin/kdb5_util). .TP .B \-S turn on standalone mode. Normally, kpropd is invoked out of @@ -124,4 +124,4 @@ Access file for Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO -kprop(8), kdb5_edit(8), krb5kdc(8), inetd(8) +kprop(8), kdb5_util(8), krb5kdc(8), inetd(8) diff --git a/src/slave/kslave_update b/src/slave/kslave_update index d6207de..a4da274 100644 --- a/src/slave/kslave_update +++ b/src/slave/kslave_update @@ -1,16 +1,16 @@ #!/bin/sh # -# Propagate if database (principal.pag) has been modified since last dump +# Propagate if database (principal.db) has been modified since last dump # (dumpfile.dump_ok) or if database has been dumped since last successful # propagation (dumpfile.<slave machine>.last_prop) -KDB_DIR=/krb5 +KDB_DIR=/usr/local/var/krb5kdc -KDB_FILE=$KDB_DIR/principal.page +KDB_FILE=$KDB_DIR/principal.db DUMPFILE=$KDB_DIR/slave_datatrans -KDB5_EDIT=/krb5/sbin/kdb5_edit -KPROP=/krb5/sbin/kprop - +KDB5_UTIL=/usr/local/sbin/kdb5_util +KPROP=/usr/local/sbin/kprop + SLAVE=$1 if [ -z "${SLAVE}" ] then @@ -23,7 +23,7 @@ if [ "`ls -t $DUMPFILE.dump_ok $KDB_FILE | sed -n 1p`" = "$KDB_FILE" -o \ then date - $KDB5_EDIT -R "ddb $DUMPFILE" >/dev/null + $KDB5_EDIT dump $DUMPFILE > /dev/null $KPROP -d -f $DUMPFILE ${SLAVE} rm $DUMPFILE diff --git a/src/tests/dejagnu/ChangeLog b/src/tests/dejagnu/ChangeLog index 52b0d0d..619475c 100644 --- a/src/tests/dejagnu/ChangeLog +++ b/src/tests/dejagnu/ChangeLog @@ -1,3 +1,7 @@ +Wed Nov 20 16:01:34 1996 Barry Jaspan <bjaspan@mit.edu> + + * Makefile.in (check-): warn more loudly about unrun tests + Mon Oct 7 15:46:47 1996 Ezra Peisach <epeisach@kangaroo.mit.edu> * Makefile.in (HAVE_RUNTEST): Renamed from RUNTEST as diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/dejagnu/Makefile.in index bab9ca7..50b97e7 100644 --- a/src/tests/dejagnu/Makefile.in +++ b/src/tests/dejagnu/Makefile.in @@ -7,7 +7,10 @@ all install:: check:: check-$(HAVE_RUNTEST) check-:: - @echo "Dejagnu is not installed on this system. No tests run." + @echo "+++" + @echo "+++ WARNING: tests/dejagnu tests not run." + @echo "+++ runtest is unavailable." + @echo "+++" check-runtest:: t_inetd site.exp $(HAVE_RUNTEST) --tool krb --srcdir $(srcdir) $(RUNTESTFLAGS) diff --git a/src/tests/dejagnu/config/ChangeLog b/src/tests/dejagnu/config/ChangeLog index 5416b6a..a037337 100644 --- a/src/tests/dejagnu/config/ChangeLog +++ b/src/tests/dejagnu/config/ChangeLog @@ -1,3 +1,14 @@ +Mon Nov 25 14:23:06 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * defualt.exp: Ezra's fix so that the dejagnu tests don't bomb out + if KRB5_KTNAME is set for some reason. + +Tue Nov 19 15:13:30 1996 Tom Yu <tlyu@mit.edu> + + * default.exp (check_k5login): Check for principal + $env(USER)@$REALMNAME rather than simply $env(USER), so that + kuser_ok dtrt, hopefully. + Mon Nov 11 20:52:27 1996 Mark Eichin <eichin@cygnus.com> * dejagnu: set env(TERM) dumb, find ktutil diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index 4e3ebeb..9e728ca 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -134,6 +134,7 @@ if ![info exists SHELL_PROMPT] { proc check_k5login { testname } { global env + global REALMNAME if ![file exists ~/.k5login] { return 1 @@ -141,7 +142,7 @@ proc check_k5login { testname } { set file [open ~/.k5login r] while { [gets $file principal] != -1 } { - if { $principal == $env(USER) } { + if { $principal == "$env(USER)@$REALMNAME" } { close $file return 1 } @@ -760,6 +761,7 @@ proc start_kerberos_daemons { standalone } { global kadmind_pid global kadmind_spawn_id global tmppwd + global env if ![setup_kerberos_db 0] { return 0 @@ -818,6 +820,17 @@ proc start_kerberos_daemons { standalone } { # Give the kerberos daemon a few seconds to get set up. sleep 2 + + # + # Save setting of KRB5_KTNAME. We do not want to override kdc.conf + # file during kadmind startup. (this is in case user has KRB5_KTNAME + # set before starting make check) + # + if [info exists env(KRB5_KTNAME)] { + set start_save_ktname $env(KRB5_KTNAME) + } + catch "unset env(KRB5_KTNAME)" + if ![file exists $kadmind_lfile] then { catch [touch $kadmind_lfile] sleep 1 @@ -841,10 +854,20 @@ proc start_kerberos_daemons { standalone } { if {$count >= $retry} { fail "kadmin5 (starting)" + if [info exists start_save_ktname] { + set env(KRB5_KTNAME) $start_save_ktname + unset start_save_ktname + } stop_kerberos_daemons return 0 } + # Restore KRB5_KTNAME + if [info exists start_save_ktname] { + set env(KRB5_KTNAME) $start_save_ktname + unset start_save_ktname + } + switch -regexp [tail1 $kadmind_lfile] { "cannot initialize network" { fail "kadmind (network init)" diff --git a/src/tests/misc/test_getsockname.c b/src/tests/misc/test_getsockname.c index 12efa06..b4f6cb4 100644 --- a/src/tests/misc/test_getsockname.c +++ b/src/tests/misc/test_getsockname.c @@ -46,7 +46,7 @@ main(argc, argv) /* Set server's address */ (void) memset((char *)&s_sock, 0, sizeof(s_sock)); - memcpy((char *)&s_sock.sin_addr, host->h_addr, host->h_length); + memcpy((char *)&s_sock.sin_addr, host->h_addr, sizeof(s_sock.sin_addr)); #ifdef DEBUG printf("s_sock.sin_addr is %s\n", inet_ntoa(s_sock.sin_addr)); #endif diff --git a/src/util/ChangeLog b/src/util/ChangeLog index 9a3cb27..4c5f1c6 100644 --- a/src/util/ChangeLog +++ b/src/util/ChangeLog @@ -1,3 +1,12 @@ +Mon Nov 25 21:00:24 1996 Tom Yu <tlyu@mit.edu> + + * mkrel: Add support for --srconly, --doconly, --nocheckout, + --repository, etc. They do the obvious things. + +Fri Nov 22 11:08:16 1996 Sam Hartman <hartmans@tertius.mit.edu> + + * makeshlib.sh (VERSION): Fix SunOS shared libs [226] + Tue Nov 12 17:32:08 1996 Barry Jaspan <bjaspan@mit.edu> * send-pr/send-pr.sh (MAIL_AGENT): change "[-x" to "[ -x" diff --git a/src/util/db2/obj/ChangeLog b/src/util/db2/obj/ChangeLog index d2c8bb8..6f09fcd 100644 --- a/src/util/db2/obj/ChangeLog +++ b/src/util/db2/obj/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 25 16:20:35 1996 Sam Hartman <hartmans@mit.edu> + + * Makefile.in (check): Remove install rule to fix pmake problem. [236] + Wed Sep 11 18:55:38 1996 Tom Yu <tlyu@mit.edu> * Makefile.in (memmove.o): add -DMEMMOVE to compile as memmove diff --git a/src/util/db2/obj/Makefile.in b/src/util/db2/obj/Makefile.in index 4445e37..0c022e2 100644 --- a/src/util/db2/obj/Makefile.in +++ b/src/util/db2/obj/Makefile.in @@ -56,10 +56,6 @@ check:: dbtest TMPDIR=$(TMPDIR) $(FCTSH) $(top_srcdir)/test/run.test install:: - cp $(LIBDB) $(libdir) - $(RANLIB) $(libdir)/$(LIBDB) - cp $(top_srcdir)/include/db.h $(includedir) - cp ../db-config.h $(includedir) clean:: rm -f $(ALL_OBJS) $(LIBDB) \ diff --git a/src/util/et/ChangeLog b/src/util/et/ChangeLog index 38d80eb..227dc7c 100644 --- a/src/util/et/ChangeLog +++ b/src/util/et/ChangeLog @@ -1,3 +1,7 @@ +Mon Nov 18 20:37:19 1996 Ezra Peisach <epeisach@mit.edu> + + * configure.in: Set shared library version to 1.0. [krb5-libs/201] + Wed Nov 13 19:19:08 1996 Tom Yu <tlyu@mit.edu> * Makefile.in (clean-unix): Remove shared/*. diff --git a/src/util/et/configure.in b/src/util/et/configure.in index 7b0cf00..15fd8d8 100644 --- a/src/util/et/configure.in +++ b/src/util/et/configure.in @@ -25,5 +25,5 @@ AC_HEADER_STDARG AC_HAVE_HEADERS(stdlib.h) CopySrcHeader(com_err.h,$(BUILDTOP)/include) V5_SHARED_LIB_OBJS -V5_MAKE_SHARED_LIB(libcom_err,0.1,[$](TOPLIBD), ../util/et) +V5_MAKE_SHARED_LIB(libcom_err,1.0,[$](TOPLIBD), ../util/et) V5_AC_OUTPUT_MAKEFILE diff --git a/src/util/makeshlib.sh b/src/util/makeshlib.sh index 74c73b7..a8afb3b 100644 --- a/src/util/makeshlib.sh +++ b/src/util/makeshlib.sh @@ -96,15 +96,16 @@ mips-sni-sysv4) optflags="" if test "$HAVE_GCC"x = "x" ; then - optflags="-h $library" + optflags="" + CC=ld else # XXX assumes that we're either using # recent gld (binutils 2.7?) or else using native ld - optflags="-Wl,-h -Wl,$library" + optflags="" fi echo ld -dp -assert pure-text $ldflags -o $library $optflags $FILES $libdirfl - ld -dp -assert pure-text $ldflags -o $library $optflags $FILES $libdirfl +ld -dp -assert pure-text $ldflags -o $library $optflags $FILES $libdirfl stat=$? ;; *-*-aix*) diff --git a/src/util/mkrel b/src/util/mkrel index 20b61a3..d072dfc 100644 --- a/src/util/mkrel +++ b/src/util/mkrel @@ -1,12 +1,25 @@ #!/bin/sh -: ${repository=/afs/athena.mit.edu/astaff/project/krbdev/.cvsroot} -case $# in -2);; -*) - echo "usage: $0 release-tag release-dir" +repository=/afs/athena.mit.edu/astaff/project/krbdev/.cvsroot +dodoc=t +dosrc=t +checkout=t +while test $# -gt 2; do + case $1 in + --srconly) + dodoc=nil;; + --doconly) + dosrc=nil;; + --repository) + shift; repository=$1;; + --nocheckout) + checkout=nil;; + esac + shift +done +if test $# -lt 2; then + echo "usage: $0 [opts] release-tag release-dir" exit 1 - ;; -esac +fi reltag=$1 reldir=$2 @@ -24,37 +37,48 @@ if test ! -d $reldir; then fi echo "Checking out krb5 with tag $reltag into directory $reldir..." -(cd $reldir; cvs -q -d $repository export -r$reltag krb5) +if test $checkout = t; then + (cd $reldir; cvs -q -d $repository export -r$reltag krb5) +fi -echo "Building autoconf..." -(cd $reldir/src/util/autoconf - M4=gm4 ./configure - make) +if test $dosrc = t; then + echo "Building autoconf..." + (cd $reldir/src/util/autoconf + M4=gm4 ./configure + make) -echo "Creating configure scripts..." -(cd $reldir/src; util/reconf) + echo "Creating configure scripts..." + (cd $reldir/src; util/reconf) -echo "Cleaning src/util/autoconf..." -(cd $reldir/src/util/autoconf; make distclean) + echo "Cleaning src/util/autoconf..." + (cd $reldir/src/util/autoconf; make distclean) +fi echo "Nuking unneeded files..." find $reldir \( -name TODO -o -name todo -o -name .cvsignore \ -o -name BADSYMS -o -name .Sanitize \) -print \ | xargs rm -f -echo "Building doc..." -(cd $reldir/doc; make) +if test $dodoc = t; then + echo "Building doc..." + (cd $reldir/doc; make) +fi echo "Generating tarfiles..." -gtar --exclude $reldir/src/lib/crypto \ - --exclude $reldir/src/lib/des425 \ - -zcf ${reldir}.src.tar.gz $reldir +if test $dosrc = t; then + gtar --exclude $reldir/src/lib/crypto \ + --exclude $reldir/src/lib/des425 \ + --exclude $reldir/doc \ + -zcf ${reldir}.src.tar.gz $reldir -gtar zcf ${reldir}.crypto.tar.gz \ - $reldir/src/lib/crypto \ - $reldir/src/lib/des425 + gtar zcf ${reldir}.crypto.tar.gz \ + $reldir/src/lib/crypto \ + $reldir/src/lib/des425 +fi -gtar zcf ${reldir}.doc.tar.gz $reldir/doc $reldir/README +if test $dodoc = t; then + gtar zcf ${reldir}.doc.tar.gz $reldir/doc $reldir/README +fi ls -l ${reldir}.*.tar.gz diff --git a/src/util/pty/ChangeLog b/src/util/pty/ChangeLog index 8816ca8..6482c6c 100644 --- a/src/util/pty/ChangeLog +++ b/src/util/pty/ChangeLog @@ -1,3 +1,13 @@ +Thu Dec 5 22:43:35 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * update_utmp.c (pty_update_utmp): Apply platform specific patch + so that HPUX works. (Kludge for 1.0 release) [PR#40] + +Fri Nov 22 11:52:52 1996 Sam Hartman <hartmans@mit.edu> + + * configure.in : Make sure time_t is define [203] + * update_wtmp.c (ptyint_update_wtmp): Use time_t for call to time(2). [203] + Fri Nov 15 08:33:54 1996 Ezra Peisach <epeisach@mit.edu> * update_utmp.c (pty_update_utmp): Handle case where utmp uses diff --git a/src/util/pty/configure.in b/src/util/pty/configure.in index 2394deb..3c6386a 100644 --- a/src/util/pty/configure.in +++ b/src/util/pty/configure.in @@ -50,6 +50,7 @@ dnl AC_SUBST(LOGINLIBS) dnl AC_TYPE_MODE_T +AC_CHECK_TYPE(time_t, int) AC_FUNC_CHECK(strsave,AC_DEFINE(HAS_STRSAVE)) AC_HAVE_FUNCS(getutent setreuid gettosbyname setsid ttyname line_push ptsname grantpt openpty logwtmp getutmpx) AC_CHECK_HEADERS(unistd.h stdlib.h string.h utmpx.h utmp.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h) diff --git a/src/util/pty/update_utmp.c b/src/util/pty/update_utmp.c index 9effab1..3b1f741 100644 --- a/src/util/pty/update_utmp.c +++ b/src/util/pty/update_utmp.c @@ -138,8 +138,14 @@ long pty_update_utmp (process_type, pid, username, line, host, flags) #ifdef UT_EXIT_STRUCTURE_DIFFER utx.ut_exit.ut_exit = ent.ut_exit.e_exit; #else +/* KLUDGE for now; eventually this will be a feature test... See PR#[40] */ +#ifdef __hpux + utx.ut_exit.__e_termination = ent.ut_exit.e_termination; + utx.ut_exit.__e_exit = ent.ut_exit.e_exit; +#else utx.ut_exit = ent.ut_exit; #endif +#endif utx.ut_tv.tv_sec = ent.ut_time; utx.ut_tv.tv_usec = 0; #endif diff --git a/src/util/pty/update_wtmp.c b/src/util/pty/update_wtmp.c index c2f9461..7f68902 100644 --- a/src/util/pty/update_wtmp.c +++ b/src/util/pty/update_wtmp.c @@ -40,6 +40,7 @@ long ptyint_update_wtmp (ent , host, user) struct utmp ut; struct stat statb; int fd; + time_t uttime; #ifdef HAVE_UPDWTMPX struct utmpx utx; @@ -71,7 +72,8 @@ long ptyint_update_wtmp (ent , host, user) #ifndef NO_UT_HOST (void)strncpy(ut.ut_host, ent->ut_host, sizeof(ut.ut_host)); #endif - (void)time(&ut.ut_time); + (void)time(&uttime); + ut.ut_time = uttime; #if defined(HAVE_GETUTENT) && defined(USER_PROCESS) if (ent->ut_name) { if (!ut.ut_pid) diff --git a/src/util/send-pr/Makefile.in b/src/util/send-pr/Makefile.in index 0c71461..f3887da 100644 --- a/src/util/send-pr/Makefile.in +++ b/src/util/send-pr/Makefile.in @@ -24,21 +24,21 @@ install-sid: install-sid.sh sed -e 's,@ADMIN_BINDIR@,$(ADMIN_BINDIR),g' $(srcdir)/install-sid.sh > install-sid install:: all - if [ -d $(prefix) ]; then true ; else mkdir $(prefix) ; fi - if [ -d $(ADMIN_BINDIR) ]; then true ; else mkdir $(ADMIN_BINDIR) ; fi - cp send-pr $(ADMIN_BINDIR)/$(sendprname) - chmod 755 $(ADMIN_BINDIR)/$(sendprname) - cp install-sid $(ADMIN_BINDIR) - chmod 755 $(ADMIN_BINDIR)/install-sid - if [ -d $(datadir) ] ; then true ; else mkdir $(datadir) ; fi - if [ -d $(datadir)/gnats ] ; then true ; else mkdir $(datadir)/gnats ; fi - cp $(srcdir)/categories $(datadir)/gnats/mit - chmod 644 $(datadir)/gnats/mit - -parent=`echo $(man1dir)|sed -e 's@/[^/]*$$@@'`; \ + if [ -d $(DESTDIR)$(prefix) ]; then true ; else mkdir $(DESTDIR)$(prefix) ; fi + if [ -d $(DESTDIR)$(ADMIN_BINDIR) ]; then true ; else mkdir $(DESTDIR)$(ADMIN_BINDIR) ; fi + cp send-pr $(DESTDIR)$(ADMIN_BINDIR)/$(sendprname) + chmod 755 $(DESTDIR)$(ADMIN_BINDIR)/$(sendprname) + cp install-sid $(DESTDIR)$(ADMIN_BINDIR) + chmod 755 $(DESTDIR)$(ADMIN_BINDIR)/install-sid + if [ -d $(DESTDIR)$(datadir) ] ; then true ; else mkdir $(DESTDIR)$(datadir) ; fi + if [ -d $(DESTDIR)$(datadir)/gnats ] ; then true ; else mkdir $(DESTDIR)$(datadir)/gnats ; fi + cp $(srcdir)/categories $(DESTDIR)$(datadir)/gnats/mit + chmod 644 $(DESTDIR)$(datadir)/gnats/mit + -parent=`echo $(DESTDIR)$(man1dir)|sed -e 's@/[^/]*$$@@'`; \ if [ -d $$parent ] ; then true ; else mkdir $$parent ; fi - if [ -d $(man1dir) ] ; then true ; else mkdir $(man1dir) ; fi - cp $(srcdir)/send-pr.1 $(man1dir)/$(sendprname).1 - chmod 644 $(man1dir)/$(sendprname).1 + if [ -d $(DESTDIR)$(man1dir) ] ; then true ; else mkdir $(DESTDIR)$(man1dir) ; fi + cp $(srcdir)/send-pr.1 $(DESTDIR)$(man1dir)/$(sendprname).1 + chmod 644 $(DESTDIR)$(man1dir)/$(sendprname).1 clean:: rm -f install-sid send-pr send-pr.el* diff --git a/src/util/send-pr/send-pr.sh b/src/util/send-pr/send-pr.sh index 96a9c24..7514462 100644 --- a/src/util/send-pr/send-pr.sh +++ b/src/util/send-pr/send-pr.sh @@ -31,7 +31,7 @@ SUBMITTER=@SUBMITTER@ GNATS_ROOT= # The default mail address for PR submissions. -GNATS_ADDR=krb5-bugs@mit.edu +GNATS_ADDR=bugs # Where the gnats category tree lives. DATADIR=@DATADIR@ @@ -55,17 +55,17 @@ GNATS_SITE=mit # What mailer to use. This must come after the config file, since it is # host-dependent. -MAIL_AGENT="/usr/sbin/sendmail -oi -t" -if [ ! -x `echo $MAIL_AGENT|sed 's/ .*//'` ] ; then - ( [ -x /usr/lib/sendmail ] && MAIL_AGENT="/usr/lib/sendmail -oi -t" ) || \ - ( [ -x /usr/sbin/sendmail ] && MAIL_AGENT="/usr/sbin/sendmail -oi -t " ) || \ +MAIL_AGENT="/usr/lib/sendmail -oi -t" +if [ ! -r `echo $MAIL_AGENT|sed 's/ .*//'` ] ; then + ( [ -r /usr/lib/sendmail ] && MAIL_AGENT="/usr/lib/sendmail -oi -t" ) || \ + ( [ -r /usr/sbin/sendmail ] && MAIL_AGENT="/usr/sbin/sendmail -oi -t " ) || \ MAIL_AGENT="sendmail -oi -t " fi # How to read the passwd database. PASSWD="cat /etc/passwd" -ECHON=bsd +ECHON=sysv if [ $ECHON = bsd ] ; then ECHON1="echo -n" diff --git a/src/windows/cns/ChangeLog b/src/windows/cns/ChangeLog index 3ca9e96..6526c65 100644 --- a/src/windows/cns/ChangeLog +++ b/src/windows/cns/ChangeLog @@ -1,3 +1,11 @@ +Sat Nov 23 00:26:44 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * Makefile.in (KLIB): Change krb516.dll to krb5_16.dll. [PR#204] + +Wed Nov 20 18:32:06 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * Makefile.in (KLIB): Change libkrb5.dll to be krb516.dll + Wed Jun 12 00:20:08 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * makefile: Renamed to Makefile.in, so that we can do WIN16/WIN32 diff --git a/src/windows/cns/Makefile.in b/src/windows/cns/Makefile.in index 3fae32b..6ef265c 100644 --- a/src/windows/cns/Makefile.in +++ b/src/windows/cns/Makefile.in @@ -23,7 +23,7 @@ XOBJS = !if $(KVERSION) == 5 BUILDTOP =..\.. LIBDIR = $(BUILDTOP)\lib -KLIB = $(LIBDIR)\libkrb5.lib +KLIB = $(LIBDIR)\krb5_16.lib WLIB = $(LIBDIR)\winsock.lib INCLUDES = /I$(BUILDTOP)\include /I$(BUILDTOP)\include\krb5 XOBJS = kpasswd.obj diff --git a/src/windows/gss/ChangeLog b/src/windows/gss/ChangeLog index 5681c50..b2fa4d7 100644 --- a/src/windows/gss/ChangeLog +++ b/src/windows/gss/ChangeLog @@ -1,7 +1,13 @@ +Fri Nov 22 15:52:55 1996 unknown <bjaspan@mit.edu> + + * gss-client.c (connect_to_server): use sizeof instead of h_length + to determine number of bytes of addr to copy from DNS response + [krb5-misc/211] + Tue Oct 29 10:17:25 1996 Theodore Y. Ts'o <tytso@mit.edu> * gss-client.c (client_establish_context): Fix typo; service_name - really should be nt_service_name. + really should be nt_service_name. Thu Jul 25 02:16:56 1996 Theodore Y. Ts'o <tytso@mit.edu> diff --git a/src/windows/gss/gss-client.c b/src/windows/gss/gss-client.c index 0a98774..d5e8972 100644 --- a/src/windows/gss/gss-client.c +++ b/src/windows/gss/gss-client.c @@ -154,7 +154,7 @@ connect_to_server (char *host, u_short port) } saddr.sin_family = hp->h_addrtype; - memcpy((char *)&saddr.sin_addr, hp->h_addr, hp->h_length); + memcpy((char *)&saddr.sin_addr, hp->h_addr, sizeof(saddr.sin_addr)); saddr.sin_port = htons(port); if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { diff --git a/src/windows/wintel/ChangeLog b/src/windows/wintel/ChangeLog index 521c68f..ea8b75f 100644 --- a/src/windows/wintel/ChangeLog +++ b/src/windows/wintel/ChangeLog @@ -1,3 +1,11 @@ +Sat Nov 23 00:27:45 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> + + * Makefile.in (KLIB): Change krb516.dll to krb5_16.dll. [PR#204] + +Wed Nov 20 18:32:26 1996 Theodore Y. Ts'o <tytso@mit.edu> + + * Makefile.in (KLIB): Change libkrb5.dll to be krb516.dll + Wed Jun 12 00:22:02 1996 Theodore Ts'o <tytso@rsts-11.mit.edu> * makefile: Renamed to Makefile.in, so that we can do WIN16/WIN32 diff --git a/src/windows/wintel/Makefile.in b/src/windows/wintel/Makefile.in index 7134945..5f49bcf 100644 --- a/src/windows/wintel/Makefile.in +++ b/src/windows/wintel/Makefile.in @@ -24,7 +24,7 @@ XOBJS = !if $(KVERSION) == 5 BUILDTOP =..\.. LIBDIR = $(BUILDTOP)\lib -KLIB = $(LIBDIR)\libkrb5.lib +KLIB = $(LIBDIR)\krb5_16.lib WLIB = $(LIBDIR)\winsock.lib INCLUDES = /I$(BUILDTOP)\include /I$(BUILDTOP)\include\krb5 \ /I$(BUILDTOP)\lib\crypto\des |