authorGreg Hudson <ghudson@mit.edu>2009-09-24 16:48:57 +0000
committerGreg Hudson <ghudson@mit.edu>2009-09-24 16:48:57 +0000
commit324ba91fc437b8e40ff82e710a724963051f8b5f (patch)
treea8e5a053f9b86510f0fab5bbac1f63935d1a946f /src
parent98d32ede13a18c26eaf6667800f7c499ecbf4a20 (diff)
Update the kadmin client code to most current coding practices
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22785 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kadmin/cli/kadmin.c2244
-rw-r--r--src/kadmin/cli/keytab.c770
-rw-r--r--src/kadmin/cli/ss_wrapper.c23
-rw-r--r--src/tests/dejagnu/krb-standalone/kadmin.exp4
4 files changed, 1410 insertions, 1631 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 6f8c04b..ad9f6bc 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1994, 2008 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -52,58 +53,57 @@
/* special struct to convert flag names for principals
to actual krb5_flags for a principal */
struct pflag {
- char *flagname; /* name of flag as typed to CLI */
- int flaglen; /* length of string (not counting -,+) */
- krb5_flags theflag; /* actual principal flag to set/clear */
- int set; /* 0 means clear, 1 means set (on '-') */
+ char *flagname; /* name of flag as typed to CLI */
+ size_t flaglen; /* length of string (not counting -,+) */
+ krb5_flags theflag; /* actual principal flag to set/clear */
+ int set; /* 0 means clear, 1 means set (on '-') */
};
static struct pflag flags[] = {
-{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1},
-{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1},
-{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1},
-{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1},
-{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1},
-{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1},
-{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1},
-{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0},
-{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0},
-{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
-{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
-{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
-{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 },
-{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 },
-{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0},
+{"allow_postdated", 15, KRB5_KDB_DISALLOW_POSTDATED, 1 },
+{"allow_forwardable", 17, KRB5_KDB_DISALLOW_FORWARDABLE, 1 },
+{"allow_tgs_req", 13, KRB5_KDB_DISALLOW_TGT_BASED, 1 },
+{"allow_renewable", 15, KRB5_KDB_DISALLOW_RENEWABLE, 1 },
+{"allow_proxiable", 15, KRB5_KDB_DISALLOW_PROXIABLE, 1 },
+{"allow_dup_skey", 14, KRB5_KDB_DISALLOW_DUP_SKEY, 1 },
+{"allow_tix", 9, KRB5_KDB_DISALLOW_ALL_TIX, 1 },
+{"requires_preauth", 16, KRB5_KDB_REQUIRES_PRE_AUTH, 0 },
+{"requires_hwauth", 15, KRB5_KDB_REQUIRES_HW_AUTH, 0 },
+{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0 },
+{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1 },
+{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 },
+{"ok_to_auth_as_delegate", 22, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, 0 },
+{"no_auth_data_required", 21, KRB5_KDB_NO_AUTH_DATA_REQUIRED, 0 },
};
static char *prflags[] = {
- "DISALLOW_POSTDATED", /* 0x00000001 */
- "DISALLOW_FORWARDABLE", /* 0x00000002 */
- "DISALLOW_TGT_BASED", /* 0x00000004 */
- "DISALLOW_RENEWABLE", /* 0x00000008 */
- "DISALLOW_PROXIABLE", /* 0x00000010 */
- "DISALLOW_DUP_SKEY", /* 0x00000020 */
- "DISALLOW_ALL_TIX", /* 0x00000040 */
- "REQUIRES_PRE_AUTH", /* 0x00000080 */
- "REQUIRES_HW_AUTH", /* 0x00000100 */
- "REQUIRES_PWCHANGE", /* 0x00000200 */
- "UNKNOWN_0x00000400", /* 0x00000400 */
- "UNKNOWN_0x00000800", /* 0x00000800 */
- "DISALLOW_SVR", /* 0x00001000 */
- "PWCHANGE_SERVICE", /* 0x00002000 */
- "SUPPORT_DESMD5", /* 0x00004000 */
- "NEW_PRINC", /* 0x00008000 */
- "UNKNOWN_0x00010000", /* 0x00010000 */
- "UNKNOWN_0x00020000", /* 0x00020000 */
- "UNKNOWN_0x00040000", /* 0x00040000 */
- "UNKNOWN_0x00080000", /* 0x00080000 */
- "OK_AS_DELEGATE", /* 0x00100000 */
- "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
- "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
+ "DISALLOW_POSTDATED", /* 0x00000001 */
+ "DISALLOW_FORWARDABLE", /* 0x00000002 */
+ "DISALLOW_TGT_BASED", /* 0x00000004 */
+ "DISALLOW_RENEWABLE", /* 0x00000008 */
+ "DISALLOW_PROXIABLE", /* 0x00000010 */
+ "DISALLOW_DUP_SKEY", /* 0x00000020 */
+ "DISALLOW_ALL_TIX", /* 0x00000040 */
+ "REQUIRES_PRE_AUTH", /* 0x00000080 */
+ "REQUIRES_HW_AUTH", /* 0x00000100 */
+ "REQUIRES_PWCHANGE", /* 0x00000200 */
+ "UNKNOWN_0x00000400", /* 0x00000400 */
+ "UNKNOWN_0x00000800", /* 0x00000800 */
+ "DISALLOW_SVR", /* 0x00001000 */
+ "PWCHANGE_SERVICE", /* 0x00002000 */
+ "SUPPORT_DESMD5", /* 0x00004000 */
+ "NEW_PRINC", /* 0x00008000 */
+ "UNKNOWN_0x00010000", /* 0x00010000 */
+ "UNKNOWN_0x00020000", /* 0x00020000 */
+ "UNKNOWN_0x00040000", /* 0x00040000 */
+ "UNKNOWN_0x00080000", /* 0x00080000 */
+ "OK_AS_DELEGATE", /* 0x00100000 */
+ "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */
+ "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */
};
-char *getenv();
int exit_status = 0;
char *def_realm = NULL;
char *whoami = NULL;
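Review bot: The `flaglen` values in `flags[]` (L62–L77) remain hand-maintained literals that must equal `strlen(flagname)`, and changing the field to `size_t` does not remove that hazard; a stale length would presumably break whatever prefix comparison uses it elsewhere in the file. Since the table is `static` and the names are literals, each entry could use `sizeof("allow_postdated") - 1` (or the comparison site could call `strlen(flags[i].flagname)`) so the length cannot drift from the name. Failing that, a one-line comment on the struct, `/* flaglen must equal strlen(flagname); keep the table in sync */`, would at least make the invariant explicit.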
@@ -114,29 +114,30 @@ char *ccache_name = NULL;
int locked = 0;
-static void usage()
+static void
+usage()
{
fprintf(stderr,
- "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
- "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n"
- "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
- "where,\n\t[-x db_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n",
- whoami);
+ "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n"
+ "\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]\n"
+ "\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n"
+ "where,\n\t[-x db_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n",
+ whoami);
exit(1);
}
-static char *strdur(duration)
- time_t duration;
+static char *
+strdur(time_t duration)
{
static char out[50];
int neg, days, hours, minutes, seconds;
if (duration < 0) {
- duration *= -1;
- neg = 1;
+ duration *= -1;
+ neg = 1;
} else
- neg = 0;
+ neg = 0;
days = duration / (24 * 3600);
duration %= 24 * 3600;
hours = duration / 3600;
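Review bot: `usage()` at L135 is left with an empty parameter list, which in C is an old-style declaration rather than a prototype; since the commit's purpose is to modernize declarations, `usage(void)` (and likewise `quit(void)` later in the file) would complete that. The usage text at L144–L148 also omits the `-w password`, `-O` and `-N` options that the getopt string `"x:r:p:kq:w:d:s:mc:t:e:ON"` in this file accepts, so a reader of the message cannot learn that a password may be supplied on the command line. Adding `[-w password]` to the clnt args line, with a note that a password given that way is visible to other users in the process list, would document both the option and its caveat.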
@@ -145,13 +146,13 @@ static char *strdur(duration)
duration %= 60;
seconds = duration;
snprintf(out, sizeof(out), "%s%d %s %02d:%02d:%02d", neg ? "-" : "",
- days, days == 1 ? "day" : "days",
- hours, minutes, seconds);
+ days, days == 1 ? "day" : "days",
+ hours, minutes, seconds);
return out;
}
-static char *strdate(when)
- krb5_timestamp when;
+static char *
+strdate(krb5_timestamp when)
{
struct tm *tm;
static char out[40];
@@ -165,9 +166,7 @@ static char *strdate(when)
/* this is a wrapper to go around krb5_parse_principal so we can set
the default realm up properly */
static krb5_error_code
-kadmin_parse_name(name, principal)
- char *name;
- krb5_principal *principal;
+kadmin_parse_name(char *name, krb5_principal *principal)
{
char *cp, *fullname;
krb5_error_code retval;
@@ -176,63 +175,64 @@ kadmin_parse_name(name, principal)
/* assumes def_realm is initialized! */
cp = strchr(name, '@');
while (cp) {
- if (cp - name && *(cp - 1) != '\\')
- break;
- else
- cp = strchr(cp + 1, '@');
+ if (cp - name && *(cp - 1) != '\\')
+ break;
+ else
+ cp = strchr(cp + 1, '@');
}
if (cp == NULL)
- result = asprintf(&fullname, "%s@%s", name, def_realm);
+ result = asprintf(&fullname, "%s@%s", name, def_realm);
else
- result = asprintf(&fullname, "%s", name);
+ result = asprintf(&fullname, "%s", name);
if (result < 0)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_parse_name(context, fullname, principal);
free(fullname);
return retval;
}
-static void extended_com_err_fn (const char *myprog, errcode_t code,
- const char *fmt, va_list args)
+static void
+extended_com_err_fn(const char *myprog, errcode_t code,
+ const char *fmt, va_list args)
{
+ const char *emsg;
+
if (code) {
- const char *emsg;
- emsg = krb5_get_error_message (context, code);
- fprintf (stderr, "%s: %s ", myprog, emsg);
- krb5_free_error_message (context, emsg);
+ emsg = krb5_get_error_message(context, code);
+ fprintf(stderr, "%s: %s ", myprog, emsg);
+ krb5_free_error_message(context, emsg);
} else {
- fprintf (stderr, "%s: ", myprog);
+ fprintf(stderr, "%s: ", myprog);
}
- vfprintf (stderr, fmt, args);
- fprintf (stderr, "\n");
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
}
/* Create a principal using the oldest appropriate kadm5 API. */
static krb5_error_code
create_princ(kadm5_principal_ent_rec *princ, long mask, int n_ks,
- krb5_key_salt_tuple *ks, char *pass)
+ krb5_key_salt_tuple *ks, char *pass)
{
if (ks)
- return kadm5_create_principal_3(handle, princ, mask, n_ks, ks, pass);
+ return kadm5_create_principal_3(handle, princ, mask, n_ks, ks, pass);
else
- return kadm5_create_principal(handle, princ, mask, pass);
+ return kadm5_create_principal(handle, princ, mask, pass);
}
/* Randomize a principal's password using the oldest appropriate kadm5 API. */
static krb5_error_code
randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
- krb5_key_salt_tuple *ks)
+ krb5_key_salt_tuple *ks)
{
if (keepold || ks) {
- return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks,
- NULL, NULL);
+ return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks,
+ NULL, NULL);
} else
- return kadm5_randkey_principal(handle, princ, NULL, NULL);
+ return kadm5_randkey_principal(handle, princ, NULL, NULL);
}
-char *kadmin_startup(argc, argv)
- int argc;
- char *argv[];
+char *
+kadmin_startup(int argc, char *argv[])
{
extern char *optarg;
char *princstr = NULL, *keytab_name = NULL, *query = NULL;
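Review bot: The escaped-`@` scan in `kadmin_parse_name` at L206 keeps `cp - name && *(cp - 1) != '\\'` while the identical scan later in this commit is rewritten as `realm > canon && ...` with the `else` dropped; the two should read the same, `if (cp > name && *(cp - 1) != '\\')` followed by an unconditional `cp = strchr(cp + 1, '@');`. The inline `/* assumes def_realm is initialized! */` would serve better as a header comment on the function stating that a `name` with no unescaped `@` gets `def_realm` appended, that `ENOMEM` is returned when the formatted name cannot be allocated, and that the caller owns `*principal` on success. `kadmin_startup` begins at L281 and its body continues past the end of this hunk.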
@@ -247,155 +247,141 @@ char *kadmin_startup(argc, argv)
char **db_args = NULL;
int db_args_size = 0;
char *db_name = NULL;
- char *svcname;
+ char *svcname, *realm;
memset(&params, 0, sizeof(params));
#if defined(USE_KIM)
/* Turn off all password prompting from the KLL */
- retval = kim_library_set_allow_automatic_prompting (0);
+ retval = kim_library_set_allow_automatic_prompting(0);
if (retval) {
- com_err(whoami, retval,
+ com_err(whoami, retval,
"while calling kim_library_set_allow_automatic_prompting()");
- exit(1);
+ exit(1);
}
#endif
- if (strcmp (whoami, "kadmin.local") == 0)
- set_com_err_hook(extended_com_err_fn);
+ if (strcmp(whoami, "kadmin.local") == 0)
+ set_com_err_hook(extended_com_err_fn);
retval = kadm5_init_krb5_context(&context);
if (retval) {
- com_err(whoami, retval, "while initializing krb5 library");
- exit(1);
+ com_err(whoami, retval, "while initializing krb5 library");
+ exit(1);
}
while ((optchar = getopt(argc, argv, "x:r:p:kq:w:d:s:mc:t:e:ON")) != EOF) {
- switch (optchar) {
- case 'x':
- db_args_size++;
- {
- char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1));
- if (temp == NULL) {
- fprintf(stderr,"%s: Cannot initialize. Not enough memory\n",
- argv[0]);
- exit(1);
- }
-
- db_args = temp;
- }
- db_args[db_args_size-1] = optarg;
- db_args[db_args_size] = NULL;
- break;
-
- case 'r':
- def_realm = optarg;
- break;
- case 'p':
- princstr = optarg;
- break;
- case 'c':
- ccache_name = optarg;
- break;
- case 'k':
- use_keytab++;
- break;
- case 't':
- keytab_name = optarg;
- break;
- case 'w':
- password = optarg;
- break;
- case 'q':
- query = optarg;
- break;
- case 'd':
- /* now db_name is not a seperate argument. It has to be passed as part of the db_args */
- if (db_name)
- free(db_name);
- asprintf(&db_name, "dbname=%s", optarg);
-
- db_args_size++;
- {
- char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
- if (temp == NULL) {
- fprintf(stderr,
- "%s: Cannot initialize. Not enough memory\n",
- argv[0]);
- exit(1);
- }
-
- db_args = temp;
- }
- db_args[db_args_size-1] = db_name;
- db_args[db_args_size] = NULL;
- break;
- case 's':
- params.admin_server = optarg;
- params.mask |= KADM5_CONFIG_ADMIN_SERVER;
- break;
- case 'm':
- params.mkey_from_kbd = 1;
- params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
- break;
- case 'e':
- retval = krb5_string_to_keysalts(optarg,
- ", \t",
- ":.-",
- 0,
- &params.keysalts,
- &params.num_keysalts);
- if (retval) {
- com_err(whoami, retval, "while parsing keysalts %s", optarg);
- exit(1);
- }
- params.mask |= KADM5_CONFIG_ENCTYPES;
- break;
- case 'O':
- params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI;
- break;
- case 'N':
- params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK;
- break;
- default:
- usage();
- }
+ switch (optchar) {
+ case 'x':
+ db_args_size++;
+ db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
+ if (db_args == NULL) {
+ fprintf(stderr, "%s: Cannot initialize. Not enough memory\n",
+ argv[0]);
+ exit(1);
+ }
+ db_args[db_args_size - 1] = optarg;
+ db_args[db_args_size] = NULL;
+ break;
+
+ case 'r':
+ def_realm = optarg;
+ break;
+ case 'p':
+ princstr = optarg;
+ break;
+ case 'c':
+ ccache_name = optarg;
+ break;
+ case 'k':
+ use_keytab++;
+ break;
+ case 't':
+ keytab_name = optarg;
+ break;
+ case 'w':
+ password = optarg;
+ break;
+ case 'q':
+ query = optarg;
+ break;
+ case 'd':
+ /* db_name has to be passed as part of the db_args. */
+ free(db_name);
+ asprintf(&db_name, "dbname=%s", optarg);
+
+ db_args_size++;
+ db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
+ if (db_args == NULL) {
+ fprintf(stderr, "%s: Cannot initialize. Not enough memory\n",
+ argv[0]);
+ exit(1);
+ }
+ db_args[db_args_size - 1] = db_name;
+ db_args[db_args_size] = NULL;
+ break;
+ case 's':
+ params.admin_server = optarg;
+ params.mask |= KADM5_CONFIG_ADMIN_SERVER;
+ break;
+ case 'm':
+ params.mkey_from_kbd = 1;
+ params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+ break;
+ case 'e':
+ retval = krb5_string_to_keysalts(optarg, ", \t", ":.-", 0,
+ &params.keysalts,
+ &params.num_keysalts);
+ if (retval) {
+ com_err(whoami, retval, "while parsing keysalts %s", optarg);
+ exit(1);
+ }
+ params.mask |= KADM5_CONFIG_ENCTYPES;
+ break;
+ case 'O':
+ params.mask |= KADM5_CONFIG_OLD_AUTH_GSSAPI;
+ break;
+ case 'N':
+ params.mask |= KADM5_CONFIG_AUTH_NOFALLBACK;
+ break;
+ default:
+ usage();
+ }
}
if ((ccache_name && use_keytab) ||
- (keytab_name && !use_keytab))
- usage();
+ (keytab_name && !use_keytab))
+ usage();
if (def_realm == NULL && krb5_get_default_realm(context, &def_realm)) {
- if (freeprinc)
- free(princstr);
- fprintf(stderr, "%s: unable to get default realm\n", whoami);
- exit(1);
+ fprintf(stderr, "%s: unable to get default realm\n", whoami);
+ exit(1);
}
params.mask |= KADM5_CONFIG_REALM;
params.realm = def_realm;
if (params.mask & KADM5_CONFIG_OLD_AUTH_GSSAPI)
- svcname = KADM5_ADMIN_SERVICE;
+ svcname = KADM5_ADMIN_SERVICE;
else
- svcname = NULL;
+ svcname = NULL;
/*
* Set cc to an open credentials cache, either specified by the -c
* argument or the default.
*/
if (ccache_name == NULL) {
- if ((retval = krb5_cc_default(context, &cc))) {
- com_err(whoami, retval,
- "while opening default credentials cache");
- exit(1);
- }
+ retval = krb5_cc_default(context, &cc);
+ if (retval) {
+ com_err(whoami, retval, "while opening default credentials cache");
+ exit(1);
+ }
} else {
- if ((retval = krb5_cc_resolve(context, ccache_name, &cc))) {
- com_err(whoami, retval,
- "while opening credentials cache %s", ccache_name);
- exit(1);
- }
+ retval = krb5_cc_resolve(context, ccache_name, &cc);
+ if (retval) {
+ com_err(whoami, retval, "while opening credentials cache %s",
+ ccache_name);
+ exit(1);
+ }
}
/*
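Review bot: `free(db_name)` at L441 frees a string that an earlier `db_args` slot still points at when `-d` is given more than once, so the array later handed to `kadm5_init_*` contains a dangling pointer; the old `if (db_name) free(db_name)` had the same flaw and the commit only drops the guard. The `asprintf` on the next line is also unchecked, so on failure an indeterminate `db_name` is stored into `db_args`. Remembering the index of the dbname entry and overwriting it on a repeated `-d` fixes both, with `int db_name_idx = -1;` declared beside `db_name` at L288. The unchecked `db_args = realloc(db_args, …)` pattern at L408 and L445 is acceptable only because the failure path exits; if that ever changes it should go back to a temporary.
```c
    char *db_name = NULL;
    int db_name_idx = -1;   /* db_args slot holding db_name, -1 if none yet */
    /* … unchanged: remaining declarations and option loop up to case 'd' … */
        case 'd':
            /* db_name has to be passed as part of the db_args.  A repeated -d
             * replaces the earlier entry instead of freeing a string that
             * db_args still references. */
            if (db_name_idx < 0) {
                db_args_size++;
                db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
                if (db_args == NULL) {
                    fprintf(stderr, "%s: Cannot initialize. Not enough memory\n",
                            argv[0]);
                    exit(1);
                }
                db_name_idx = db_args_size - 1;
                db_args[db_args_size] = NULL;
            }
            free(db_name);
            if (asprintf(&db_name, "dbname=%s", optarg) < 0) {
                fprintf(stderr, "%s: out of memory\n", whoami);
                exit(1);
            }
            db_args[db_name_idx] = db_name;
            break;
        /* … unchanged: remaining cases … */
```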
@@ -410,93 +396,85 @@ char *kadmin_startup(argc, argv)
*/
if (princstr == NULL) {
- if (ccache_name != NULL &&
- !krb5_cc_get_principal(context, cc, &princ)) {
- if ((retval = krb5_unparse_name(context, princ, &princstr))) {
- com_err(whoami, retval,
- "while canonicalizing principal name");
- krb5_free_principal(context, princ);
- exit(1);
- }
- krb5_free_principal(context, princ);
- freeprinc++;
- } else if (use_keytab != 0) {
- if ((retval = krb5_sname_to_principal(context, NULL,
- "host",
- KRB5_NT_SRV_HST,
- &princ))) {
- com_err(whoami, retval,
- "creating host service principal");
- exit(1);
- }
- if ((retval = krb5_unparse_name(context, princ, &princstr))) {
- com_err(whoami, retval,
- "while canonicalizing principal name");
- krb5_free_principal(context, princ);
- exit(1);
- }
- krb5_free_principal(context, princ);
- freeprinc++;
- } else if (!krb5_cc_get_principal(context, cc, &princ)) {
- char *realm = NULL;
- if (krb5_unparse_name(context, princ, &canon)) {
- fprintf(stderr,
- "%s: unable to canonicalize principal\n", whoami);
- krb5_free_principal(context, princ);
- exit(1);
- }
- /* strip out realm of principal if it's there */
- realm = strchr(canon, '@');
- while (realm) {
- if (realm - canon && *(realm - 1) != '\\')
- break;
- else
- realm = strchr(realm+1, '@');
- }
- if (realm)
- *realm++ = '\0';
- cp = strchr(canon, '/');
- while (cp) {
- if (cp - canon && *(cp - 1) != '\\')
- break;
- else
- cp = strchr(cp+1, '/');
- }
- if (cp != NULL)
- *cp = '\0';
- if (asprintf(&princstr, "%s/admin%s%s", canon,
- (realm) ? "@" : "",
- (realm) ? realm : "") < 0) {
- fprintf(stderr, "%s: out of memory\n", whoami);
- exit(1);
- }
- free(canon);
- krb5_free_principal(context, princ);
- freeprinc++;
- } else if ((luser = getenv("USER"))) {
- if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) {
- fprintf(stderr, "%s: out of memory\n", whoami);
- exit(1);
- }
- freeprinc++;
- } else if ((pw = getpwuid(getuid()))) {
- if (asprintf(&princstr, "%s/admin@%s", pw->pw_name,
- def_realm) < 0) {
- fprintf(stderr, "%s: out of memory\n", whoami);
- exit(1);
- }
- freeprinc++;
- } else {
- fprintf(stderr, "%s: unable to figure out a principal name\n",
- whoami);
- exit(1);
- }
+ if (ccache_name != NULL &&
+ !krb5_cc_get_principal(context, cc, &princ)) {
+ retval = krb5_unparse_name(context, princ, &princstr);
+ if (retval) {
+ com_err(whoami, retval, "while canonicalizing principal name");
+ exit(1);
+ }
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if (use_keytab != 0) {
+ retval = krb5_sname_to_principal(context, NULL, "host",
+ KRB5_NT_SRV_HST, &princ);
+ if (retval) {
+ com_err(whoami, retval, "creating host service principal");
+ exit(1);
+ }
+ retval = krb5_unparse_name(context, princ, &princstr);
+ if (retval) {
+ com_err(whoami, retval, "while canonicalizing principal name");
+ exit(1);
+ }
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if (!krb5_cc_get_principal(context, cc, &princ)) {
+ if (krb5_unparse_name(context, princ, &canon)) {
+ fprintf(stderr, "%s: unable to canonicalize principal\n",
+ whoami);
+ exit(1);
+ }
+ /* Strip out realm of principal if it's there. */
+ realm = strchr(canon, '@');
+ while (realm) {
+ if (realm > canon && *(realm - 1) != '\\')
+ break;
+ realm = strchr(realm + 1, '@');
+ }
+ if (realm)
+ *realm++ = '\0';
+ cp = strchr(canon, '/');
+ while (cp) {
+ if (cp > canon && *(cp - 1) != '\\')
+ break;
+ cp = strchr(cp + 1, '/');
+ }
+ if (cp != NULL)
+ *cp = '\0';
+ if (asprintf(&princstr, "%s/admin%s%s", canon,
+ (realm) ? "@" : "",
+ (realm) ? realm : "") < 0) {
+ fprintf(stderr, "%s: out of memory\n", whoami);
+ exit(1);
+ }
+ free(canon);
+ krb5_free_principal(context, princ);
+ freeprinc++;
+ } else if ((luser = getenv("USER"))) {
+ if (asprintf(&princstr, "%s/admin@%s", luser, def_realm) < 0) {
+ fprintf(stderr, "%s: out of memory\n", whoami);
+ exit(1);
+ }
+ freeprinc++;
+ } else if ((pw = getpwuid(getuid()))) {
+ if (asprintf(&princstr, "%s/admin@%s", pw->pw_name,
+ def_realm) < 0) {
+ fprintf(stderr, "%s: out of memory\n", whoami);
+ exit(1);
+ }
+ freeprinc++;
+ } else {
+ fprintf(stderr, "%s: unable to figure out a principal name\n",
+ whoami);
+ exit(1);
+ }
}
retval = krb5_klog_init(context, "admin_server", whoami, 0);
if (retval) {
- com_err(whoami, retval, "while setting up logging");
- exit(1);
+ com_err(whoami, retval, "while setting up logging");
+ exit(1);
}
/*
@@ -504,97 +482,83 @@ char *kadmin_startup(argc, argv)
* use it. Otherwise, use/prompt for the password.
*/
if (ccache_name) {
- printf("Authenticating as principal %s with existing credentials.\n",
- princstr);
- retval = kadm5_init_with_creds(context, princstr, cc,
- svcname,
- &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- db_args,
- &handle);
+ printf("Authenticating as principal %s with existing credentials.\n",
+ princstr);
+ retval = kadm5_init_with_creds(context, princstr, cc, svcname, &params,
+ KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2, db_args, &handle);
} else if (use_keytab) {
- if (keytab_name)
- printf("Authenticating as principal %s with keytab %s.\n",
- princstr, keytab_name);
- else
- printf("Authenticating as principal %s with default keytab.\n",
- princstr);
- retval = kadm5_init_with_skey(context, princstr, keytab_name,
- svcname,
- &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- db_args,
- &handle);
+ if (keytab_name)
+ printf("Authenticating as principal %s with keytab %s.\n",
+ princstr, keytab_name);
+ else
+ printf("Authenticating as principal %s with default keytab.\n",
+ princstr);
+ retval = kadm5_init_with_skey(context, princstr, keytab_name, svcname,
+ &params, KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2, db_args, &handle);
} else {
- printf("Authenticating as principal %s with password.\n",
- princstr);
- retval = kadm5_init_with_password(context, princstr, password,
- svcname,
- &params,
- KADM5_STRUCT_VERSION,
- KADM5_API_VERSION_2,
- db_args,
- &handle);
+ printf("Authenticating as principal %s with password.\n",
+ princstr);
+ retval = kadm5_init_with_password(context, princstr, password, svcname,
+ &params, KADM5_STRUCT_VERSION,
+ KADM5_API_VERSION_2, db_args,
+ &handle);
}
if (retval) {
- com_err(whoami, retval, "while initializing %s interface", whoami);
- if (retval == KADM5_BAD_CLIENT_PARAMS ||
- retval == KADM5_BAD_SERVER_PARAMS)
- usage();
- exit(1);
+ com_err(whoami, retval, "while initializing %s interface", whoami);
+ if (retval == KADM5_BAD_CLIENT_PARAMS ||
+ retval == KADM5_BAD_SERVER_PARAMS)
+ usage();
+ exit(1);
}
if (freeprinc)
- free(princstr);
-
- if (db_name)
- free(db_name), db_name=NULL;
+ free(princstr);
- if (db_args)
- free(db_args), db_args=NULL;
+ free(db_name);
+ free(db_args);
- if ((retval = krb5_cc_close(context, cc))) {
- com_err(whoami, retval, "while closing ccache %s",
- ccache_name);
- exit(1);
+ retval = krb5_cc_close(context, cc);
+ if (retval) {
+ com_err(whoami, retval, "while closing ccache %s", ccache_name);
+ exit(1);
}
/* register the WRFILE keytab type and set it as the default */
{
#define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab"
- /* XXX krb5_defkeyname is an internal library global and
- should go away */
- extern char *krb5_defkeyname;
- krb5_defkeyname = DEFAULT_KEYTAB;
+ /* XXX krb5_defkeyname is an internal library global and
+ should go away */
+ extern char *krb5_defkeyname;
+ krb5_defkeyname = DEFAULT_KEYTAB;
}
- if ((retval = kadm5_init_iprop(handle, 0)) != 0) {
- com_err(whoami, retval, _("while mapping update log"));
- exit(1);
+ retval = kadm5_init_iprop(handle, 0);
+ if (retval) {
+ com_err(whoami, retval, _("while mapping update log"));
+ exit(1);
}
return query;
}
-int quit()
+int
+quit()
{
kadm5_ret_t retval;
if (locked) {
- retval = kadm5_unlock(handle);
- if (retval) {
- com_err("quit", retval, "while unlocking locked database");
- return 1;
- }
- locked = 0;
+ retval = kadm5_unlock(handle);
+ if (retval) {
+ com_err("quit", retval, "while unlocking locked database");
+ return 1;
+ }
+ locked = 0;
}
kadm5_destroy(handle);
- if (ccache_name != NULL) {
- fprintf(stderr,
- "\n\a\a\aAdministration credentials NOT DESTROYED.\n");
- }
+ if (ccache_name != NULL)
+ fprintf(stderr, "\n\a\a\aAdministration credentials NOT DESTROYED.\n");
/* insert more random cleanup here */
krb5_klog_close(context);
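Review bot: The error message at L784, `com_err(whoami, retval, "while closing ccache %s", ccache_name)`, passes `ccache_name` to `%s` although it is `NULL` whenever the default cache was opened (the `ccache_name == NULL` branch earlier in this function), which is undefined behavior for printf-style formatting. A guard such as `ccache_name != NULL ? ccache_name : "(default)"` keeps the message well-formed in both cases. `quit()` at L811 also keeps an empty parameter list; `quit(void)` would match the prototype style the commit is introducing.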
@@ -602,321 +566,259 @@ int quit()
return 0;
}
-void kadmin_lock(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_lock(int argc, char *argv[])
{
kadm5_ret_t retval;
if (locked)
- return;
+ return;
retval = kadm5_lock(handle);
if (retval) {
- com_err("lock", retval, "");
- return;
+ com_err("lock", retval, "");
+ return;
}
locked = 1;
}
-void kadmin_unlock(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_unlock(int argc, char *argv[])
{
kadm5_ret_t retval;
if (!locked)
- return;
+ return;
retval = kadm5_unlock(handle);
if (retval) {
- com_err("unlock", retval, "");
- return;
+ com_err("unlock", retval, "");
+ return;
}
locked = 0;
}
-void kadmin_delprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_delprinc(int argc, char *argv[])
{
kadm5_ret_t retval;
- krb5_principal princ;
- char *canon;
+ krb5_principal princ = NULL;
+ char *canon = NULL;
char reply[5];
if (! (argc == 2 ||
- (argc == 3 && !strcmp("-force", argv[1])))) {
- fprintf(stderr, "usage: delete_principal [-force] principal\n");
- return;
+ (argc == 3 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "usage: delete_principal [-force] principal\n");
+ return;
}
retval = kadmin_parse_name(argv[argc - 1], &princ);
if (retval) {
- com_err("delete_principal", retval, "while parsing principal name");
- return;
+ com_err("delete_principal", retval, "while parsing principal name");
+ return;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("delete_principal", retval,
- "while canonicalizing principal");
- krb5_free_principal(context, princ);
- return;
+ com_err("delete_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
if (argc == 2) {
- printf("Are you sure you want to delete the principal \"%s\"? (yes/no): ", canon);
- fgets(reply, sizeof (reply), stdin);
- if (strcmp("yes\n", reply)) {
- fprintf(stderr, "Principal \"%s\" not deleted\n", canon);
- free(canon);
- krb5_free_principal(context, princ);
- return;
- }
+ printf("Are you sure you want to delete the principal \"%s\"? "
+ "(yes/no): ", canon);
+ fgets(reply, sizeof (reply), stdin);
+ if (strcmp("yes\n", reply)) {
+ fprintf(stderr, "Principal \"%s\" not deleted\n", canon);
+ goto cleanup;
+ }
}
retval = kadm5_delete_principal(handle, princ);
- krb5_free_principal(context, princ);
if (retval) {
- com_err("delete_principal", retval,
- "while deleting principal \"%s\"", canon);
- free(canon);
- return;
+ com_err("delete_principal", retval,
+ "while deleting principal \"%s\"", canon);
+ goto cleanup;
}
- printf("Principal \"%s\" deleted.\nMake sure that you have removed this principal from all ACLs before reusing.\n", canon);
+ printf("Principal \"%s\" deleted.\nMake sure that you have removed this "
+ "principal from all ACLs before reusing.\n", canon);
+
+cleanup:
+ krb5_free_principal(context, princ);
free(canon);
- return;
}
-void kadmin_cpw(argc, argv)
- int argc;
- char *argv[];
+static void
+cpw_usage(const char *str)
+{
+ if (str)
+ fprintf(stderr, "%s\n", str);
+ fprintf(stderr, "usage: change_password [-randkey] [-keepold] "
+ "[-e keysaltlist] [-pw password] principal\n");
+}
+
+void
+kadmin_cpw(int argc, char *argv[])
{
kadm5_ret_t retval;
static char newpw[1024];
static char prompt1[1024], prompt2[1024];
- char *canon;
- char *pwarg = NULL;
+ char *canon = NULL, *pwarg = NULL;
int n_ks_tuple = 0, randkey = 0;
krb5_boolean keepold = FALSE;
krb5_key_salt_tuple *ks_tuple = NULL;
- krb5_principal princ;
+ krb5_principal princ = NULL;
char **db_args = NULL;
int db_args_size = 0;
-
if (argc < 2) {
- goto usage;
+ cpw_usage(NULL);
+ return;
}
for (argv++, argc--; argc > 1; argc--, argv++) {
- if (!strcmp("-x", *argv)) {
- argc--;
- if (argc < 1) {
- fprintf(stderr, "change_password: missing db argument\n");
- goto usage;
- }
- db_args_size++;
- {
- char **temp = realloc(db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
- if (temp == NULL) {
- fprintf(stderr,"change_password: Not enough memory\n");
- free(db_args), db_args = NULL;
- exit(1);
- }
-
- db_args = temp;
- }
- db_args[db_args_size-1] = *++argv;
- db_args[db_args_size] = NULL;
- continue;
- }
- if (!strcmp("-pw", *argv)) {
- argc--;
- if (argc < 1) {
- fprintf(stderr, "change_password: missing password arg\n");
- goto usage;
- }
- pwarg = *++argv;
- continue;
- }
- if (!strcmp("-randkey", *argv)) {
- randkey++;
- continue;
- }
- if (!strcmp("-keepold", *argv)) {
- keepold = TRUE;
- continue;
- }
- if (!strcmp("-e", *argv)) {
- argc--;
- if (argc < 1) {
- fprintf(stderr,
- "change_password: missing keysaltlist arg\n");
- goto usage;
- }
- retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
- &ks_tuple, &n_ks_tuple);
- if (retval) {
- com_err("change_password", retval,
- "while parsing keysalts %s", *argv);
- return;
- }
- continue;
- }
- goto usage;
+ if (!strcmp("-x", *argv)) {
+ argc--;
+ if (argc < 1) {
+ cpw_usage("change_password: missing db argument");
+ goto cleanup;
+ }
+ db_args_size++;
+ db_args = realloc(db_args, sizeof(char*) * (db_args_size + 1));
+ if (db_args == NULL) {
+ fprintf(stderr, "change_password: Not enough memory\n");
+ exit(1);
+ }
+ db_args[db_args_size - 1] = *++argv;
+ db_args[db_args_size] = NULL;
+ } else if (!strcmp("-pw", *argv)) {
+ argc--;
+ if (argc < 1) {
+ cpw_usage("change_password: missing password arg");
+ goto cleanup;
+ }
+ pwarg = *++argv;
+ } else if (!strcmp("-randkey", *argv)) {
+ randkey++;
+ } else if (!strcmp("-keepold", *argv)) {
+ keepold = TRUE;
+ } else if (!strcmp("-e", *argv)) {
+ argc--;
+ if (argc < 1) {
+ cpw_usage("change_password: missing keysaltlist arg");
+ goto cleanup;
+ }
+ retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
+ &ks_tuple, &n_ks_tuple);
+ if (retval) {
+ com_err("change_password", retval,
+ "while parsing keysalts %s", *argv);
+ goto cleanup;
+ }
+ } else {
+ cpw_usage(NULL);
+ goto cleanup;
+ }
}
if (*argv == NULL) {
- com_err("change_password", 0, "missing principal name");
- goto usage;
+ com_err("change_password", 0, "missing principal name");
+ cpw_usage(NULL);
+ goto cleanup;
}
retval = kadmin_parse_name(*argv, &princ);
if (retval) {
- com_err("change_password", retval, "while parsing principal name");
- if (ks_tuple != NULL)
- free(ks_tuple);
- if (db_args) free(db_args);
- return;
+ com_err("change_password", retval, "while parsing principal name");
+ goto cleanup;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("change_password", retval, "while canonicalizing principal");
- krb5_free_principal(context, princ);
- if (ks_tuple != NULL)
- free(ks_tuple);
- if (db_args) free(db_args);
- return;
+ com_err("change_password", retval, "while canonicalizing principal");
+ goto cleanup;
}
if (pwarg != NULL) {
- if (keepold || ks_tuple != NULL) {
- retval = kadm5_chpass_principal_3(handle, princ, keepold,
- n_ks_tuple, ks_tuple, pwarg);
- if (ks_tuple != NULL)
- free(ks_tuple);
- } else {
- retval = kadm5_chpass_principal(handle, princ, pwarg);
- }
- krb5_free_principal(context, princ);
- if (retval) {
- com_err("change_password", retval,
- "while changing password for \"%s\".", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- }
- printf("Password for \"%s\" changed.\n", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
+ if (keepold || ks_tuple != NULL) {
+ retval = kadm5_chpass_principal_3(handle, princ, keepold,
+ n_ks_tuple, ks_tuple, pwarg);
+ } else {
+ retval = kadm5_chpass_principal(handle, princ, pwarg);
+ }
+ if (retval) {
+ com_err("change_password", retval,
+ "while changing password for \"%s\".", canon);
+ goto cleanup;
+ }
+ printf("Password for \"%s\" changed.\n", canon);
} else if (randkey) {
- retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple);
- if (ks_tuple != NULL)
- free(ks_tuple);
- krb5_free_principal(context, princ);
- if (retval) {
- com_err("change_password", retval,
- "while randomizing key for \"%s\".", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- }
- printf("Key for \"%s\" randomized.\n", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- } else if (argc == 1) {
- unsigned int i = sizeof (newpw) - 1;
-
- snprintf(prompt1, sizeof(prompt1),
- "Enter password for principal \"%.900s\"",
- *argv);
- snprintf(prompt2, sizeof(prompt2),
- "Re-enter password for principal \"%.900s\"",
- *argv);
- retval = krb5_read_password(context, prompt1, prompt2,
- newpw, &i);
- if (retval) {
- com_err("change_password", retval,
- "while reading password for \"%s\".", canon);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- krb5_free_principal(context, princ);
- if (db_args) free(db_args);
- return;
- }
- if (keepold || ks_tuple != NULL) {
- retval = kadm5_chpass_principal_3(handle, princ, keepold,
- n_ks_tuple, ks_tuple,
- newpw);
- if (ks_tuple != NULL)
- free(ks_tuple);
- } else {
- retval = kadm5_chpass_principal(handle, princ, newpw);
- }
- krb5_free_principal(context, princ);
- memset(newpw, 0, sizeof (newpw));
- if (retval) {
- com_err("change_password", retval,
- "while changing password for \"%s\".", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
- }
- printf("Password for \"%s\" changed.\n", canon);
- free(canon);
- if (db_args) free(db_args);
- return;
+ retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple);
+ if (retval) {
+ com_err("change_password", retval,
+ "while randomizing key for \"%s\".", canon);
+ goto cleanup;
+ }
+ printf("Key for \"%s\" randomized.\n", canon);
} else {
- free(canon);
- krb5_free_principal(context, princ);
- usage:
- if (db_args) free(db_args);
- if (ks_tuple != NULL)
- free(ks_tuple);
- fprintf(stderr,
- "usage: change_password [-randkey] [-keepold] "
- "[-e keysaltlist] [-pw password] "
- "principal\n");
- return;
+ unsigned int i = sizeof (newpw) - 1;
+
+ snprintf(prompt1, sizeof(prompt1),
+ "Enter password for principal \"%s\"", canon);
+ snprintf(prompt2, sizeof(prompt2),
+ "Re-enter password for principal \"%s\"", canon);
+ retval = krb5_read_password(context, prompt1, prompt2,
+ newpw, &i);
+ if (retval) {
+ com_err("change_password", retval,
+ "while reading password for \"%s\".", canon);
+ goto cleanup;
+ }
+ if (keepold || ks_tuple != NULL) {
+ retval = kadm5_chpass_principal_3(handle, princ, keepold,
+ n_ks_tuple, ks_tuple,
+ newpw);
+ } else {
+ retval = kadm5_chpass_principal(handle, princ, newpw);
+ }
+ memset(newpw, 0, sizeof (newpw));
+ if (retval) {
+ com_err("change_password", retval,
+ "while changing password for \"%s\".", canon);
+ goto cleanup;
+ }
+ printf("Password for \"%s\" changed.\n", canon);
}
+cleanup:
+ free(canon);
+ free(db_args);
+ krb5_free_principal(context, princ);
+ free(ks_tuple);
}
static void
kadmin_free_tl_data(kadm5_principal_ent_t princ)
{
- krb5_tl_data *tl_data = princ->tl_data;
- int n_tl_data = princ->n_tl_data;
+ krb5_tl_data *tl_data = princ->tl_data, *next;
+ int n_tl_data = princ->n_tl_data;
int i;
princ->n_tl_data = 0;
- princ->tl_data = NULL;
+ princ->tl_data = NULL;
for (i = 0; tl_data && (i < n_tl_data); i++) {
- krb5_tl_data *next = tl_data->tl_data_next;
- if (tl_data->tl_data_contents)
- free(tl_data->tl_data_contents);
- free(tl_data);
- tl_data = next;
+ next = tl_data->tl_data_next;
+ free(tl_data->tl_data_contents);
+ free(tl_data);
+ tl_data = next;
}
}
+/*
+ * Parse addprinc or modprinc arguments. Some output fields may be
+ * filled in on error.
+ */
#define KRB5_TL_DB_ARGS 0x7fff
static int
-kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
- ks_tuple, n_ks_tuple,
+kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
+ long *mask, char **pass, krb5_boolean *randkey,
+ krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple,
#if APPLE_PKINIT
- cert_hash,
+ char **cert_hash,
#endif /* APPLE_PKINIT */
- caller)
- int argc;
- char *argv[];
- kadm5_principal_ent_t oprinc;
- long *mask;
- char **pass;
- krb5_boolean *randkey;
- krb5_key_salt_tuple **ks_tuple;
- int *n_ks_tuple;
-#if APPLE_PKINIT
- char **cert_hash;
-#endif /* APPLE_PKINIT */
- char *caller;
+ char *caller)
{
- int i, j, attrib_set;
+ int i, attrib_set;
+ size_t j;
time_t date;
time_t now;
krb5_error_code retval;
@@ -932,239 +834,229 @@ kadmin_parse_princ_args(argc, argv, oprinc, mask, pass, randkey,
time(&now);
*randkey = FALSE;
for (i = 1; i < argc - 1; i++) {
- attrib_set = 0;
- if (strlen(argv[i]) == 2 &&
- !strcmp("-x",argv[i])) {
- if (++i > argc - 2)
- return -1;
-
- tl_data = malloc(sizeof(krb5_tl_data));
- if (tl_data == NULL) {
- fprintf(stderr, "Not enough memory\n");
- return ENOMEM;
- }
-
- memset(tl_data, 0, sizeof(krb5_tl_data));
- tl_data->tl_data_type = KRB5_TL_DB_ARGS;
- tl_data->tl_data_length = strlen(argv[i])+1;
- tl_data->tl_data_contents = strdup(argv[i]);
-
- if (tail) {
- tail->tl_data_next = tl_data;
- } else {
- oprinc->tl_data = tl_data;
- }
- tail = tl_data;
- oprinc->n_tl_data++;
-
- if (tl_data->tl_data_contents == NULL) {
- fprintf(stderr, "Not enough memory\n");
- return ENOMEM;
- }
- *mask |= KADM5_TL_DATA;
- continue;
- }
- if (strlen(argv[i]) == 7 &&
- !strcmp("-expire", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->princ_expire_time = date;
- *mask |= KADM5_PRINC_EXPIRE_TIME;
- continue;
- }
- }
- if (strlen(argv[i]) == 9 &&
- !strcmp("-pwexpire", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->pw_expiration = date;
- *mask |= KADM5_PW_EXPIRATION;
- continue;
- }
- }
- if (strlen(argv[i]) == 8 &&
- !strcmp("-maxlife", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->max_life = date - now;
- *mask |= KADM5_MAX_LIFE;
- continue;
- }
- }
- if (strlen(argv[i]) == 13 &&
- !strcmp("-maxrenewlife", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- oprinc->max_renewable_life = date - now;
- *mask |= KADM5_MAX_RLIFE;
- continue;
- }
- }
- if (strlen(argv[i]) == 5 &&
- !strcmp("-kvno", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- oprinc->kvno = atoi(argv[i]);
- *mask |= KADM5_KVNO;
- continue;
- }
- }
- if (strlen(argv[i]) == 7 &&
- !strcmp("-policy", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- oprinc->policy = argv[i];
- *mask |= KADM5_POLICY;
- continue;
- }
- }
- if (strlen(argv[i]) == 12 &&
- !strcmp("-clearpolicy", argv[i])) {
- oprinc->policy = NULL;
- *mask |= KADM5_POLICY_CLR;
- continue;
- }
- if (strlen(argv[i]) == 3 &&
- !strcmp("-pw", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- *pass = argv[i];
- continue;
- }
- }
- if (strlen(argv[i]) == 8 &&
- !strcmp("-randkey", argv[i])) {
- *randkey = TRUE;
- continue;
- }
+ attrib_set = 0;
+ if (strlen(argv[i]) == 2 && !strcmp("-x",argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+
+ tl_data = malloc(sizeof(krb5_tl_data));
+ if (tl_data == NULL) {
+ fprintf(stderr, "Not enough memory\n");
+ exit(1);
+ }
+
+ memset(tl_data, 0, sizeof(krb5_tl_data));
+ tl_data->tl_data_type = KRB5_TL_DB_ARGS;
+ tl_data->tl_data_length = strlen(argv[i])+1;
+ tl_data->tl_data_contents = (krb5_octet *) strdup(argv[i]);
+
+ if (tail) {
+ tail->tl_data_next = tl_data;
+ } else {
+ oprinc->tl_data = tl_data;
+ }
+ tail = tl_data;
+ oprinc->n_tl_data++;
+
+ if (tl_data->tl_data_contents == NULL) {
+ fprintf(stderr, "Not enough memory\n");
+ exit(1);
+ }
+ *mask |= KADM5_TL_DATA;
+ continue;
+ }
+ if (strlen(argv[i]) == 7 && !strcmp("-expire", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->princ_expire_time = date;
+ *mask |= KADM5_PRINC_EXPIRE_TIME;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 9 && !strcmp("-pwexpire", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->pw_expiration = date;
+ *mask |= KADM5_PW_EXPIRATION;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 8 && !strcmp("-maxlife", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->max_life = date - now;
+ *mask |= KADM5_MAX_LIFE;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 13 && !strcmp("-maxrenewlife", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ oprinc->max_renewable_life = date - now;
+ *mask |= KADM5_MAX_RLIFE;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 5 && !strcmp("-kvno", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ oprinc->kvno = atoi(argv[i]);
+ *mask |= KADM5_KVNO;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 7 && !strcmp("-policy", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ oprinc->policy = argv[i];
+ *mask |= KADM5_POLICY;
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 12 && !strcmp("-clearpolicy", argv[i])) {
+ oprinc->policy = NULL;
+ *mask |= KADM5_POLICY_CLR;
+ continue;
+ }
+ if (strlen(argv[i]) == 3 && !strcmp("-pw", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ *pass = argv[i];
+ continue;
+ }
+ }
+ if (strlen(argv[i]) == 8 && !strcmp("-randkey", argv[i])) {
+ *randkey = TRUE;
+ continue;
+ }
#if APPLE_PKINIT
- if (strlen(argv[i]) == 9 &&
- !strcmp("-certhash", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- *cert_hash = argv[i];
- continue;
- }
- }
+ if (strlen(argv[i]) == 9 && !strcmp("-certhash", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ *cert_hash = argv[i];
+ continue;
+ }
+ }
#endif /* APPLE_PKINIT */
- if (!strcmp("-e", argv[i])) {
- if (++i > argc - 2)
- return -1;
- else {
- retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0,
- ks_tuple, n_ks_tuple);
- if (retval) {
- com_err(caller, retval,
- "while parsing keysalts %s", argv[i]);
- return -1;
- }
- }
- continue;
- }
- for (j = 0; j < sizeof (flags) / sizeof (struct pflag); j++) {
- if (strlen(argv[i]) == flags[j].flaglen + 1 &&
- !strcmp(flags[j].flagname,
- &argv[i][1] /* strip off leading + or - */)) {
- if ((flags[j].set && argv[i][0] == '-') ||
- (!flags[j].set && argv[i][0] == '+')) {
- oprinc->attributes |= flags[j].theflag;
- *mask |= KADM5_ATTRIBUTES;
- attrib_set++;
- break;
- } else if ((flags[j].set && argv[i][0] == '+') ||
- (!flags[j].set && argv[i][0] == '-')) {
- oprinc->attributes &= ~flags[j].theflag;
- *mask |= KADM5_ATTRIBUTES;
- attrib_set++;
- break;
- } else {
- return -1;
- }
- }
- }
- if (!attrib_set)
- return -1; /* nothing was parsed */
- }
- if (i != argc - 1) {
- return -1;
+ if (!strcmp("-e", argv[i])) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ retval = krb5_string_to_keysalts(argv[i], ", \t", ":.-", 0,
+ ks_tuple, n_ks_tuple);
+ if (retval) {
+ com_err(caller, retval,
+ "while parsing keysalts %s", argv[i]);
+ return -1;
+ }
+ }
+ continue;
+ }
+ for (j = 0; j < sizeof(flags) / sizeof(struct pflag); j++) {
+ if (strlen(argv[i]) == flags[j].flaglen + 1 &&
+ !strcmp(flags[j].flagname,
+ &argv[i][1] /* strip off leading + or - */)) {
+ if ((flags[j].set && argv[i][0] == '-') ||
+ (!flags[j].set && argv[i][0] == '+')) {
+ oprinc->attributes |= flags[j].theflag;
+ *mask |= KADM5_ATTRIBUTES;
+ attrib_set++;
+ break;
+ } else if ((flags[j].set && argv[i][0] == '+') ||
+ (!flags[j].set && argv[i][0] == '-')) {
+ oprinc->attributes &= ~flags[j].theflag;
+ *mask |= KADM5_ATTRIBUTES;
+ attrib_set++;
+ break;
+ } else {
+ return -1;
+ }
+ }
+ }
+ if (!attrib_set)
+ return -1; /* nothing was parsed */
}
+ if (i != argc - 1)
+ return -1;
retval = kadmin_parse_name(argv[i], &oprinc->principal);
if (retval) {
- com_err(caller, retval, "while parsing principal");
- return -1;
+ com_err(caller, retval, "while parsing principal");
+ return -1;
}
return 0;
}
static void
-kadmin_addprinc_usage(func)
- char *func;
+kadmin_addprinc_usage()
{
- fprintf(stderr, "usage: %s [options] principal\n", func);
+ fprintf(stderr, "usage: add_principal [options] principal\n");
fprintf(stderr, "\toptions are:\n");
- fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n\t\t[-pw password] [-maxrenewlife maxrenewlife]\n\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n"
+ fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] "
+ "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n"
+ "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n"
+ "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
+ "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n"
#if APPLE_PKINIT
"\t\t[-certhash hash_string]\n"
#endif /* APPLE_PKINIT */
);
fprintf(stderr, "\tattributes are:\n");
fprintf(stderr, "%s%s%s",
- "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
- "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
- "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
- "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
- "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n");
+ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
+ "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
+ "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+ "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n");
}
static void
-kadmin_modprinc_usage(func)
- char *func;
+kadmin_modprinc_usage()
{
- fprintf(stderr, "usage: %s [options] principal\n", func);
+ fprintf(stderr, "usage: modify_principal [options] principal\n");
fprintf(stderr, "\toptions are:\n");
fprintf(stderr, "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]\n\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n\t\t[-maxrenewlife maxrenewlife] [{+|-}attribute]\n");
fprintf(stderr, "\tattributes are:\n");
fprintf(stderr, "%s%s%s",
- "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
- "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
- "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
- "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
- "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
- "\t\t\tLook at each database documentation for supported arguments\n"
- );
+ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
+ "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
+ "\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n"
+ "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
+ "\t\t\tLook at each database documentation for supported arguments\n"
+ );
}
/* Create a dummy password for old-style (pre-1.8) randkey creation. */
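Review bot: `-kvno` still converts its argument with `atoi` at the line `oprinc->kvno = atoi(argv[i]);`, so `-kvno abc` or `-kvno 5x` silently sets the key version to 0 or 5 instead of being rejected, while the date options in the same loop fail loudly on malformed input. The function already returns -1 for bad arguments, so parse with strtoul and check the end pointer: `char *end; oprinc->kvno = strtoul(argv[i], &end, 10);` followed by `if (end == argv[i] || *end != '\0') return -1;`. The `-minlength`/`-minclasses` atoi calls in kadmin_parse_policy_args further down the diff have the same weakness. kadmin_parse_princ_args begins in the previous hunk, and the initialization of its output parameters (`*pass`, `*ks_tuple`, `*n_ks_tuple`) is not visible here, so the callers' reliance on them is taken on trust.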
@@ -1176,21 +1068,20 @@ prepare_dummy_password(char *buf, size_t sz)
/* Must try to pass any password policy in place, and be valid UTF-8. */
strlcpy(buf, "6F a[", sz);
for (i = strlen(buf); i < sz - 1; i++)
- buf[i] = 'a' + (i % 26);
+ buf[i] = 'a' + (i % 26);
buf[sz - 1] = '\0';
}
-void kadmin_addprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_addprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec princ;
kadm5_policy_ent_rec defpol;
long mask;
krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
int n_ks_tuple;
- krb5_key_salt_tuple *ks_tuple;
- char *pass, *canon;
+ krb5_key_salt_tuple *ks_tuple = NULL;
+ char *pass, *canon = NULL;
krb5_error_code retval;
char newpw[1024], dummybuf[256];
static char prompt1[1024], prompt2[1024];
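Review bot: `n_ks_tuple` is declared without an initializer at `int n_ks_tuple;` while `ks_tuple` beside it is now initialized to NULL and kadmin_modprinc already has `int n_ks_tuple = 0;`. If kadmin_parse_princ_args stores to `*n_ks_tuple` unconditionally before any of its early returns (that part of the parser is not visible in this diff) the omission is harmless; if it only does so when `-e` is given, the count reaches create_princ and randkey_princ uninitialized. Making it consistent with modprinc costs nothing: `int n_ks_tuple = 0;`. The hunk cuts prepare_dummy_password, whose body starts above it, and the declaration list of kadmin_addprinc continues below it.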
@@ -1202,35 +1093,28 @@ void kadmin_addprinc(argc, argv)
memset(&princ, 0, sizeof(princ));
princ.attributes = 0;
- if (kadmin_parse_princ_args(argc, argv,
- &princ, &mask, &pass, &randkey,
- &ks_tuple, &n_ks_tuple,
+ if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey,
+ &ks_tuple, &n_ks_tuple,
#if APPLE_PKINIT
&cert_hash,
#endif /* APPLE_PKINIT */
- "add_principal")) {
- kadmin_addprinc_usage("add_principal");
- kadmin_free_tl_data(&princ); /* need to free ks_tuple also??? */
- return;
+ "add_principal")) {
+ kadmin_addprinc_usage();
+ goto cleanup;
}
#if APPLE_PKINIT
if(cert_hash != NULL) {
- fprintf(stderr,
+ fprintf(stderr,
"add_principal: -certhash not allowed; use modify_principal\n");
- return;
+ goto cleanup;
}
#endif /* APPLE_PKINIT */
retval = krb5_unparse_name(context, princ.principal, &canon);
if (retval) {
- com_err("add_principal",
- retval, "while canonicalizing principal");
- krb5_free_principal(context, princ.principal);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
+ com_err("add_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
/*
@@ -1239,124 +1123,98 @@ void kadmin_addprinc(argc, argv)
* -clearpolicy was specified, then KADM5_POLICY_CLR should be
* unset, since it is never valid for kadm5_create_principal.
*/
- if ((! (mask & KADM5_POLICY)) &&
- (! (mask & KADM5_POLICY_CLR))) {
- if (! kadm5_get_policy(handle, "default", &defpol)) {
- fprintf(stderr,
- "NOTICE: no policy specified for %s; assigning \"default\"\n",
- canon);
- princ.policy = "default";
- mask |= KADM5_POLICY;
- (void) kadm5_free_policy_ent(handle, &defpol);
- } else
- fprintf(stderr,
- "WARNING: no policy specified for %s; defaulting to no policy\n",
- canon);
+ if (!(mask & KADM5_POLICY) && !(mask & KADM5_POLICY_CLR)) {
+ if (!kadm5_get_policy(handle, "default", &defpol)) {
+ fprintf(stderr, "NOTICE: no policy specified for %s; "
+ "assigning \"default\"\n", canon);
+ princ.policy = "default";
+ mask |= KADM5_POLICY;
+ kadm5_free_policy_ent(handle, &defpol);
+ } else
+ fprintf(stderr, "WARNING: no policy specified for %s; "
+ "defaulting to no policy\n", canon);
}
mask &= ~KADM5_POLICY_CLR;
if (randkey) {
- pass = NULL;
+ pass = NULL;
} else if (pass == NULL) {
- unsigned int sz = sizeof (newpw) - 1;
-
- snprintf(prompt1, sizeof(prompt1),
- "Enter password for principal \"%.900s\"",
- canon);
- snprintf(prompt2, sizeof(prompt2),
- "Re-enter password for principal \"%.900s\"",
- canon);
- retval = krb5_read_password(context, prompt1, prompt2,
- newpw, &sz);
- if (retval) {
- com_err("add_principal", retval,
- "while reading password for \"%s\".", canon);
- free(canon);
- krb5_free_principal(context, princ.principal);
- kadmin_free_tl_data(&princ);
- return;
- }
- pass = newpw;
+ unsigned int sz = sizeof(newpw) - 1;
+
+ snprintf(prompt1, sizeof(prompt1),
+ "Enter password for principal \"%s\"", canon);
+ snprintf(prompt2, sizeof(prompt2),
+ "Re-enter password for principal \"%s\"", canon);
+ retval = krb5_read_password(context, prompt1, prompt2, newpw, &sz);
+ if (retval) {
+ com_err("add_principal", retval,
+ "while reading password for \"%s\".", canon);
+ goto cleanup;
+ }
+ pass = newpw;
}
mask |= KADM5_PRINCIPAL;
retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass);
if (retval == EINVAL && randkey) {
- /*
- * The server doesn't support randkey creation. Create the principal
- * with a dummy password and disallow tickets.
- */
- prepare_dummy_password(dummybuf, sizeof(dummybuf));
- princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
- mask |= KADM5_ATTRIBUTES;
- pass = dummybuf;
- retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass);
- old_style_randkey = 1;
+ /*
+ * The server doesn't support randkey creation. Create the principal
+ * with a dummy password and disallow tickets.
+ */
+ prepare_dummy_password(dummybuf, sizeof(dummybuf));
+ princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ mask |= KADM5_ATTRIBUTES;
+ pass = dummybuf;
+ retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass);
+ old_style_randkey = 1;
}
if (retval) {
- com_err("add_principal", retval, "while creating \"%s\".",
- canon);
- krb5_free_principal(context, princ.principal);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
+ com_err("add_principal", retval, "while creating \"%s\".", canon);
+ goto cleanup;
}
if (old_style_randkey) {
- /* Randomize the password and re-enable tickets. */
- retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple);
- if (retval) {
- com_err("add_principal", retval,
- "while randomizing key for \"%s\".", canon);
- krb5_free_principal(context, princ.principal);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
- }
- princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */
- mask = KADM5_ATTRIBUTES;
- retval = kadm5_modify_principal(handle, &princ, mask);
- if (retval) {
- com_err("add_principal", retval,
- "while clearing DISALLOW_ALL_TIX for \"%s\".", canon);
- krb5_free_principal(context, princ.principal);
- free(canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
- kadmin_free_tl_data(&princ);
- return;
- }
+ /* Randomize the password and re-enable tickets. */
+ retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple);
+ if (retval) {
+ com_err("add_principal", retval,
+ "while randomizing key for \"%s\".", canon);
+ goto cleanup;
+ }
+ princ.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX; /* clear notix */
+ mask = KADM5_ATTRIBUTES;
+ retval = kadm5_modify_principal(handle, &princ, mask);
+ if (retval) {
+ com_err("add_principal", retval,
+ "while clearing DISALLOW_ALL_TIX for \"%s\".", canon);
+ goto cleanup;
+ }
}
- krb5_free_principal(context, princ.principal);
printf("Principal \"%s\" created.\n", canon);
- if (ks_tuple != NULL)
- free(ks_tuple);
+
+cleanup:
+ krb5_free_principal(context, princ.principal);
+ free(ks_tuple);
free(canon);
kadmin_free_tl_data(&princ);
-
}
-void kadmin_modprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_modprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec princ, oldprinc;
- krb5_principal kprinc;
+ krb5_principal kprinc = NULL;
long mask;
krb5_error_code retval;
- char *pass, *canon;
+ char *pass, *canon = NULL;
krb5_boolean randkey = FALSE;
int n_ks_tuple = 0;
- krb5_key_salt_tuple *ks_tuple;
+ krb5_key_salt_tuple *ks_tuple = NULL;
#if APPLE_PKINIT
char *cert_hash = NULL;
#endif /* APPLE_PKINIT */
if (argc < 2) {
- kadmin_modprinc_usage("modify_principal");
- return;
+ kadmin_modprinc_usage();
+ return;
}
memset(&oldprinc, 0, sizeof(oldprinc));
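Review bot: kadmin_addprinc reads the new password into the stack buffer `newpw` through krb5_read_password but never clears it, so the cleartext remains on the stack after the principal is created; the change_password path in this same commit does `memset(newpw, 0, sizeof (newpw));` immediately after its kadm5 call. With the single `cleanup:` label introduced here, add the same wipe there, e.g. `memset(newpw, 0, sizeof(newpw));` before `krb5_free_principal(context, princ.principal);`, so every exit path (prompt error, create failure, old-style randkey fallback) clears it; if the tree has an explicit-zeroing helper that the optimizer cannot elide, prefer it over plain memset. Note also that when the old-style randkey fallback's randkey_princ call fails, the principal has already been created with the deterministic dummy password and DISALLOW_ALL_TIX set; the error message could say that the principal exists but is disabled, so the admin knows to fix it rather than re-run add_principal. The cleanup label is at the end of this hunk, so the change is local.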
@@ -1364,77 +1222,44 @@ void kadmin_modprinc(argc, argv)
retval = kadmin_parse_name(argv[argc - 1], &kprinc);
if (retval) {
- com_err("modify_principal", retval, "while parsing principal");
- return;
+ com_err("modify_principal", retval, "while parsing principal");
+ return;
}
retval = krb5_unparse_name(context, kprinc, &canon);
if (retval) {
- com_err("modify_principal", retval,
- "while canonicalizing principal");
- krb5_free_principal(context, kprinc);
- return;
+ com_err("modify_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
retval = kadm5_get_principal(handle, kprinc, &oldprinc,
- KADM5_PRINCIPAL_NORMAL_MASK);
+ KADM5_PRINCIPAL_NORMAL_MASK);
if (retval) {
- com_err("modify_principal", retval, "while getting \"%s\".",
- canon);
- krb5_free_principal(context, kprinc);
- free(canon);
- return;
+ com_err("modify_principal", retval, "while getting \"%s\".", canon);
+ goto cleanup;
}
princ.attributes = oldprinc.attributes;
kadm5_free_principal_ent(handle, &oldprinc);
retval = kadmin_parse_princ_args(argc, argv,
- &princ, &mask,
- &pass, &randkey,
- &ks_tuple, &n_ks_tuple,
+ &princ, &mask,
+ &pass, &randkey,
+ &ks_tuple, &n_ks_tuple,
#if APPLE_PKINIT
&cert_hash,
#endif /* APPLE_PKINIT */
- "modify_principal");
- if (ks_tuple != NULL) {
- free(ks_tuple);
- kadmin_modprinc_usage("modify_principal");
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */
- return;
- }
- if (retval) {
- kadmin_modprinc_usage("modify_principal");
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ); /* Apple had this commented out. Why? */
- return;
- }
- if (randkey) {
- fprintf(stderr, "modify_principal: -randkey not allowed\n");
- krb5_free_principal(context, princ.principal);
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ);
- return;
- }
- if (pass) {
- fprintf(stderr,
- "modify_principal: -pw not allowed; use change_password\n");
- krb5_free_principal(context, princ.principal);
- free(canon);
- krb5_free_principal(context, kprinc);
- kadmin_free_tl_data(&princ);
- return;
+ "modify_principal");
+ if (retval || ks_tuple != NULL || randkey || pass) {
+ kadmin_modprinc_usage();
+ goto cleanup;
}
#if APPLE_PKINIT
if (cert_hash) {
- /*
+ /*
* Use something other than the 1st preferred enctype here for fallback
* to pwd authentication
*/
krb5_key_salt_tuple key_salt = {ENCTYPE_ARCFOUR_HMAC, KRB5_KDB_SALTTYPE_CERTHASH};
krb5_keyblock keyblock;
kadm5_ret_t kadmin_rtn;
-
+
keyblock.magic = KV5M_KEYBLOCK;
keyblock.enctype = ENCTYPE_ARCFOUR_HMAC;
keyblock.length = strlen(cert_hash);
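Review bot: the combined test `if (retval || ks_tuple != NULL || randkey || pass)` drops the specific diagnostics the old code printed for `-randkey` and `-pw` ("-pw not allowed; use change_password"), so an admin who types `modify_principal -pw x foo` now gets only the generic usage text, which does not list `-pw` at all, and has no hint why the command was refused. Keep the usage text for a genuine parse error and restore targeted messages for the options the parser accepts but modify_principal disallows; `-e` deserves one too, since the old code also treated it as a bare usage error. This keeps a misuse that would have changed keys distinguishable from a typo. The function's cleanup label is below this hunk.
```c
    if (retval) {
        kadmin_modprinc_usage();
        goto cleanup;
    }
    if (randkey) {
        fprintf(stderr, "modify_principal: -randkey not allowed\n");
        goto cleanup;
    }
    if (pass) {
        fprintf(stderr,
                "modify_principal: -pw not allowed; use change_password\n");
        goto cleanup;
    }
    if (ks_tuple != NULL) {
        fprintf(stderr,
                "modify_principal: -e not allowed; use change_password\n");
        goto cleanup;
    }
    /* … unchanged: APPLE_PKINIT certhash handling and kadm5_modify_principal call … */
```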
@@ -1447,275 +1272,250 @@ void kadmin_modprinc(argc, argv)
com_err("modify_principal", kadmin_rtn,
"while adding certhash for \"%s\".", canon);
printf("realm %s data %s\n", (char *)kprinc->realm.data, (char *)kprinc->data->data);
- free(canon);
- krb5_free_principal(context, princ.principal);
- krb5_free_principal(context, kprinc);
- return;
+ goto cleanup;
}
retval = 0;
}
#endif /* APPLE_PKINIT */
if (mask) {
- /* skip this if all we're doing is setting certhash */
- retval = kadm5_modify_principal(handle, &princ, mask);
+ /* Skip this if all we're doing is setting certhash. */
+ retval = kadm5_modify_principal(handle, &princ, mask);
}
- krb5_free_principal(context, kprinc);
- krb5_free_principal(context, princ.principal);
if (retval) {
- com_err("modify_principal", retval,
- "while modifying \"%s\".", canon);
- free(canon);
- kadmin_free_tl_data(&princ);
- return;
+ com_err("modify_principal", retval, "while modifying \"%s\".", canon);
+ goto cleanup;
}
printf("Principal \"%s\" modified.\n", canon);
+cleanup:
+ krb5_free_principal(context, kprinc);
+ krb5_free_principal(context, princ.principal);
kadmin_free_tl_data(&princ);
free(canon);
+ free(ks_tuple);
}
-void kadmin_getprinc(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getprinc(int argc, char *argv[])
{
kadm5_principal_ent_rec dprinc;
- krb5_principal princ;
+ krb5_principal princ = NULL;
krb5_error_code retval;
- char *canon, *modcanon;
+ char *canon = NULL, *modcanon = NULL;
int i;
+ size_t j;
- if (! (argc == 2 ||
- (argc == 3 && !strcmp("-terse", argv[1])))) {
- fprintf(stderr, "usage: get_principal [-terse] principal\n");
- return;
+ if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) {
+ fprintf(stderr, "usage: get_principal [-terse] principal\n");
+ return;
}
-
memset(&dprinc, 0, sizeof(dprinc));
- memset(&princ, 0, sizeof(princ));
retval = kadmin_parse_name(argv[argc - 1], &princ);
if (retval) {
- com_err("get_principal", retval, "while parsing principal");
- return;
+ com_err("get_principal", retval, "while parsing principal");
+ return;
}
retval = krb5_unparse_name(context, princ, &canon);
if (retval) {
- com_err("get_principal", retval, "while canonicalizing principal");
- krb5_free_principal(context, princ);
- return;
+ com_err("get_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
retval = kadm5_get_principal(handle, princ, &dprinc,
- KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
- krb5_free_principal(context, princ);
+ KADM5_PRINCIPAL_NORMAL_MASK | KADM5_KEY_DATA);
if (retval) {
- com_err("get_principal", retval, "while retrieving \"%s\".", canon);
- free(canon);
- return;
+ com_err("get_principal", retval, "while retrieving \"%s\".", canon);
+ goto cleanup;
}
- free(canon);
- canon = NULL;
retval = krb5_unparse_name(context, dprinc.principal, &canon);
if (retval) {
- com_err("get_principal", retval, "while canonicalizing principal");
- kadm5_free_principal_ent(handle, &dprinc);
- return;
+ com_err("get_principal", retval, "while canonicalizing principal");
+ goto cleanup;
}
retval = krb5_unparse_name(context, dprinc.mod_name, &modcanon);
if (retval) {
- com_err("get_principal", retval, "while unparsing modname");
- kadm5_free_principal_ent(handle, &dprinc);
- free(canon);
- return;
+ com_err("get_principal", retval, "while unparsing modname");
+ goto cleanup;
}
if (argc == 2) {
- printf("Principal: %s\n", canon);
- printf("Expiration date: %s\n", dprinc.princ_expire_time ?
- strdate(dprinc.princ_expire_time) : "[never]");
- printf("Last password change: %s\n", dprinc.last_pwd_change ?
- strdate(dprinc.last_pwd_change) : "[never]");
- printf("Password expiration date: %s\n",
- dprinc.pw_expiration ?
- strdate(dprinc.pw_expiration) : "[none]");
- printf("Maximum ticket life: %s\n", strdur(dprinc.max_life));
- printf("Maximum renewable life: %s\n", strdur(dprinc.max_renewable_life));
- printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon);
- printf("Last successful authentication: %s\n",
- dprinc.last_success ? strdate(dprinc.last_success) :
- "[never]");
- printf("Last failed authentication: %s\n",
- dprinc.last_failed ? strdate(dprinc.last_failed) :
- "[never]");
- printf("Failed password attempts: %d\n",
- dprinc.fail_auth_count);
- printf("Number of keys: %d\n", dprinc.n_key_data);
- for (i = 0; i < dprinc.n_key_data; i++) {
- krb5_key_data *key_data = &dprinc.key_data[i];
- char enctype[BUFSIZ], salttype[BUFSIZ];
-
- if (krb5_enctype_to_string(key_data->key_data_type[0],
- enctype, sizeof(enctype)))
- snprintf(enctype, sizeof(enctype), "<Encryption type 0x%x>",
- key_data->key_data_type[0]);
- printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype);
- if (key_data->key_data_ver > 1) {
- if (krb5_salttype_to_string(key_data->key_data_type[1],
- salttype, sizeof(salttype)))
- snprintf(salttype, sizeof(salttype), "<Salt type 0x%x>",
- key_data->key_data_type[1]);
- printf("%s\n", salttype);
- } else
- printf("no salt\n");
- }
- printf("MKey: vno %d\n",
- dprinc.mkvno);
-
- printf("Attributes:");
- for (i = 0; i < sizeof (prflags) / sizeof (char *); i++) {
- if (dprinc.attributes & (krb5_flags) 1 << i)
- printf(" %s", prflags[i]);
- }
- printf("\n");
- printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]");
+ printf("Principal: %s\n", canon);
+ printf("Expiration date: %s\n", dprinc.princ_expire_time ?
+ strdate(dprinc.princ_expire_time) : "[never]");
+ printf("Last password change: %s\n", dprinc.last_pwd_change ?
+ strdate(dprinc.last_pwd_change) : "[never]");
+ printf("Password expiration date: %s\n",
+ dprinc.pw_expiration ?
+ strdate(dprinc.pw_expiration) : "[none]");
+ printf("Maximum ticket life: %s\n", strdur(dprinc.max_life));
+ printf("Maximum renewable life: %s\n",
+ strdur(dprinc.max_renewable_life));
+ printf("Last modified: %s (%s)\n", strdate(dprinc.mod_date), modcanon);
+ printf("Last successful authentication: %s\n",
+ dprinc.last_success ? strdate(dprinc.last_success) :
+ "[never]");
+ printf("Last failed authentication: %s\n",
+ dprinc.last_failed ? strdate(dprinc.last_failed) :
+ "[never]");
+ printf("Failed password attempts: %d\n",
+ dprinc.fail_auth_count);
+ printf("Number of keys: %d\n", dprinc.n_key_data);
+ for (i = 0; i < dprinc.n_key_data; i++) {
+ krb5_key_data *key_data = &dprinc.key_data[i];
+ char enctype[BUFSIZ], salttype[BUFSIZ];
+
+ if (krb5_enctype_to_string(key_data->key_data_type[0],
+ enctype, sizeof(enctype)))
+ snprintf(enctype, sizeof(enctype), "<Encryption type 0x%x>",
+ key_data->key_data_type[0]);
+ printf("Key: vno %d, %s, ", key_data->key_data_kvno, enctype);
+ if (key_data->key_data_ver > 1) {
+ if (krb5_salttype_to_string(key_data->key_data_type[1],
+ salttype, sizeof(salttype)))
+ snprintf(salttype, sizeof(salttype), "<Salt type 0x%x>",
+ key_data->key_data_type[1]);
+ printf("%s\n", salttype);
+ } else
+ printf("no salt\n");
+ }
+ printf("MKey: vno %d\n",
+ dprinc.mkvno);
+
+ printf("Attributes:");
+ for (j = 0; j < sizeof(prflags) / sizeof(char *); j++) {
+ if (dprinc.attributes & (krb5_flags) 1 << j)
+ printf(" %s", prflags[j]);
+ }
+ printf("\n");
+ printf("Policy: %s\n", dprinc.policy ? dprinc.policy : "[none]");
} else {
- printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
- "\t%d\t%d\t%d\t%d\t%d",
- canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
- dprinc.pw_expiration, dprinc.max_life, modcanon,
- dprinc.mod_date, dprinc.attributes, dprinc.kvno,
- dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]",
- dprinc.max_renewable_life, dprinc.last_success,
- dprinc.last_failed, dprinc.fail_auth_count,
- dprinc.n_key_data);
- for (i = 0; i < dprinc.n_key_data; i++)
- printf("\t%d\t%d\t%d\t%d",
- dprinc.key_data[i].key_data_ver,
- dprinc.key_data[i].key_data_kvno,
- dprinc.key_data[i].key_data_type[0],
- dprinc.key_data[i].key_data_type[1]);
- printf("\n");
- }
- free(modcanon);
+ printf("\"%s\"\t%d\t%d\t%d\t%d\t\"%s\"\t%d\t%d\t%d\t%d\t\"%s\""
+ "\t%d\t%d\t%d\t%d\t%d",
+ canon, dprinc.princ_expire_time, dprinc.last_pwd_change,
+ dprinc.pw_expiration, dprinc.max_life, modcanon,
+ dprinc.mod_date, dprinc.attributes, dprinc.kvno,
+ dprinc.mkvno, dprinc.policy ? dprinc.policy : "[none]",
+ dprinc.max_renewable_life, dprinc.last_success,
+ dprinc.last_failed, dprinc.fail_auth_count,
+ dprinc.n_key_data);
+ for (i = 0; i < dprinc.n_key_data; i++)
+ printf("\t%d\t%d\t%d\t%d",
+ dprinc.key_data[i].key_data_ver,
+ dprinc.key_data[i].key_data_kvno,
+ dprinc.key_data[i].key_data_type[0],
+ dprinc.key_data[i].key_data_type[1]);
+ printf("\n");
+ }
+cleanup:
+ krb5_free_principal(context, princ);
kadm5_free_principal_ent(handle, &dprinc);
+ free(modcanon);
free(canon);
}
-void kadmin_getprincs(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getprincs(int argc, char *argv[])
{
krb5_error_code retval;
char *expr, **names;
int i, count;
expr = NULL;
- if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
- fprintf(stderr, "usage: get_principals [expression]\n");
- return;
+ if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) {
+ fprintf(stderr, "usage: get_principals [expression]\n");
+ return;
}
retval = kadm5_get_principals(handle, expr, &names, &count);
if (retval) {
- com_err("get_principals", retval, "while retrieving list.");
- return;
+ com_err("get_principals", retval, "while retrieving list.");
+ return;
}
for (i = 0; i < count; i++)
- printf("%s\n", names[i]);
+ printf("%s\n", names[i]);
kadm5_free_name_list(handle, names, count);
}
static int
-kadmin_parse_policy_args(argc, argv, policy, mask, caller)
- int argc;
- char *argv[];
- kadm5_policy_ent_t policy;
- long *mask;
- char *caller;
+kadmin_parse_policy_args(int argc, char *argv[], kadm5_policy_ent_t policy,
+ long *mask, char *caller)
{
int i;
- time_t now;
- time_t date;
+ time_t now, date;
time(&now);
*mask = 0;
for (i = 1; i < argc - 1; i++) {
- if (strlen(argv[i]) == 8 &&
- !strcmp(argv[i], "-maxlife")) {
- if (++i > argc -2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- policy->pw_max_life = date - now;
- *mask |= KADM5_PW_MAX_LIFE;
- continue;
- }
- } else if (strlen(argv[i]) == 8 &&
- !strcmp(argv[i], "-minlife")) {
- if (++i > argc - 2)
- return -1;
- else {
- date = get_date(argv[i]);
- if (date == (time_t)-1) {
- fprintf(stderr, "Invalid date specification \"%s\".\n",
- argv[i]);
- return -1;
- }
- policy->pw_min_life = date - now;
- *mask |= KADM5_PW_MIN_LIFE;
- continue;
- }
- } else if (strlen(argv[i]) == 10 &&
- !strcmp(argv[i], "-minlength")) {
- if (++i > argc - 2)
- return -1;
- else {
- policy->pw_min_length = atoi(argv[i]);
- *mask |= KADM5_PW_MIN_LENGTH;
- continue;
- }
- } else if (strlen(argv[i]) == 11 &&
- !strcmp(argv[i], "-minclasses")) {
- if (++i > argc - 2)
- return -1;
- else {
- policy->pw_min_classes = atoi(argv[i]);
- *mask |= KADM5_PW_MIN_CLASSES;
- continue;
- }
- } else if (strlen(argv[i]) == 8 &&
- !strcmp(argv[i], "-history")) {
- if (++i > argc - 2)
- return -1;
- else {
- policy->pw_history_num = atoi(argv[i]);
- *mask |= KADM5_PW_HISTORY_NUM;
- continue;
- }
- } else
- return -1;
+ if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-maxlife")) {
+ if (++i > argc -2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ policy->pw_max_life = date - now;
+ *mask |= KADM5_PW_MAX_LIFE;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-minlife")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ date = get_date(argv[i]);
+ if (date == (time_t)-1) {
+ fprintf(stderr, "Invalid date specification \"%s\".\n",
+ argv[i]);
+ return -1;
+ }
+ policy->pw_min_life = date - now;
+ *mask |= KADM5_PW_MIN_LIFE;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 10 && !strcmp(argv[i], "-minlength")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_min_length = atoi(argv[i]);
+ *mask |= KADM5_PW_MIN_LENGTH;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 11 && !strcmp(argv[i], "-minclasses")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_min_classes = atoi(argv[i]);
+ *mask |= KADM5_PW_MIN_CLASSES;
+ continue;
+ }
+ } else if (strlen(argv[i]) == 8 && !strcmp(argv[i], "-history")) {
+ if (++i > argc - 2)
+ return -1;
+ else {
+ policy->pw_history_num = atoi(argv[i]);
+ *mask |= KADM5_PW_HISTORY_NUM;
+ continue;
+ }
+ } else
+ return -1;
}
if (i != argc -1) {
- fprintf(stderr, "%s: parser lost count!\n", caller);
- return -1;
+ fprintf(stderr, "%s: parser lost count!\n", caller);
+ return -1;
} else
- return 0;
+ return 0;
}
static void
-kadmin_addmodpol_usage(func)
- char *func;
+kadmin_addmodpol_usage(char *func)
{
fprintf(stderr, "usage; %s [options] policy\n", func);
fprintf(stderr, "\toptions are:\n");
fprintf(stderr, "\t\t[-maxlife time] [-minlife time] [-minlength length]\n\t\t[-minclasses number] [-history number]\n");
}
-void kadmin_addpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_addpol(int argc, char *argv[])
{
krb5_error_code retval;
long mask;
@@ -1723,24 +1523,20 @@ void kadmin_addpol(argc, argv)
memset(&policy, 0, sizeof(policy));
if (kadmin_parse_policy_args(argc, argv, &policy, &mask, "add_policy")) {
- kadmin_addmodpol_usage("add_policy");
- return;
- } else {
- policy.policy = argv[argc - 1];
- mask |= KADM5_POLICY;
- retval = kadm5_create_policy(handle, &policy, mask);
- if (retval) {
- com_err("add_policy", retval, "while creating policy \"%s\".",
- policy.policy);
- return;
- }
- }
- return;
+ kadmin_addmodpol_usage("add_policy");
+ return;
+ }
+ policy.policy = argv[argc - 1];
+ mask |= KADM5_POLICY;
+ retval = kadm5_create_policy(handle, &policy, mask);
+ if (retval) {
+ com_err("add_policy", retval, "while creating policy \"%s\".",
+ policy.policy);
+ }
}
-void kadmin_modpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_modpol(int argc, char *argv[])
{
krb5_error_code retval;
long mask;
@@ -1748,133 +1544,121 @@ void kadmin_modpol(argc, argv)
memset(&policy, 0, sizeof(policy));
if (kadmin_parse_policy_args(argc, argv, &policy, &mask,
- "modify_policy")) {
- kadmin_addmodpol_usage("modify_policy");
- return;
- } else {
- policy.policy = argv[argc - 1];
- retval = kadm5_modify_policy(handle, &policy, mask);
- if (retval) {
- com_err("modify_policy", retval, "while modifying policy \"%s\".",
- policy.policy);
- return;
- }
- }
- return;
+ "modify_policy")) {
+ kadmin_addmodpol_usage("modify_policy");
+ return;
+ }
+ policy.policy = argv[argc - 1];
+ retval = kadm5_modify_policy(handle, &policy, mask);
+ if (retval) {
+ com_err("modify_policy", retval, "while modifying policy \"%s\".",
+ policy.policy);
+ }
}
-void kadmin_delpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_delpol(int argc, char *argv[])
{
krb5_error_code retval;
char reply[5];
- if (! (argc == 2 ||
- (argc == 3 && !strcmp("-force", argv[1])))) {
- fprintf(stderr, "usage: delete_policy [-force] policy\n");
- return;
+ if (!(argc == 2 || (argc == 3 && !strcmp("-force", argv[1])))) {
+ fprintf(stderr, "usage: delete_policy [-force] policy\n");
+ return;
}
if (argc == 2) {
- printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ", argv[1]);
- fgets(reply, sizeof (reply), stdin);
- if (strcmp("yes\n", reply)) {
- fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]);
- return;
- }
+ printf("Are you sure you want to delete the policy \"%s\"? (yes/no): ",
+ argv[1]);
+ fgets(reply, sizeof(reply), stdin);
+ if (strcmp("yes\n", reply)) {
+ fprintf(stderr, "Policy \"%s\" not deleted.\n", argv[1]);
+ return;
+ }
}
retval = kadm5_delete_policy(handle, argv[argc - 1]);
if (retval) {
- com_err("delete_policy:", retval, "while deleting policy \"%s\"",
- argv[argc - 1]);
- return;
+ com_err("delete_policy:", retval, "while deleting policy \"%s\"",
+ argv[argc - 1]);
}
- return;
}
-void kadmin_getpol(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getpol(int argc, char *argv[])
{
krb5_error_code retval;
kadm5_policy_ent_rec policy;
- if (! (argc == 2 ||
- (argc == 3 && !strcmp("-terse", argv[1])))) {
- fprintf(stderr, "usage: get_policy [-terse] policy\n");
- return;
+ if (!(argc == 2 || (argc == 3 && !strcmp("-terse", argv[1])))) {
+ fprintf(stderr, "usage: get_policy [-terse] policy\n");
+ return;
}
retval = kadm5_get_policy(handle, argv[argc - 1], &policy);
if (retval) {
- com_err("get_policy", retval, "while retrieving policy \"%s\".",
- argv[argc - 1]);
- return;
+ com_err("get_policy", retval, "while retrieving policy \"%s\".",
+ argv[argc - 1]);
+ return;
}
if (argc == 2) {
- printf("Policy: %s\n", policy.policy);
- printf("Maximum password life: %ld\n", policy.pw_max_life);
- printf("Minimum password life: %ld\n", policy.pw_min_life);
- printf("Minimum password length: %ld\n", policy.pw_min_length);
- printf("Minimum number of password character classes: %ld\n",
- policy.pw_min_classes);
- printf("Number of old keys kept: %ld\n", policy.pw_history_num);
- printf("Reference count: %ld\n", policy.policy_refcnt);
+ printf("Policy: %s\n", policy.policy);
+ printf("Maximum password life: %ld\n", policy.pw_max_life);
+ printf("Minimum password life: %ld\n", policy.pw_min_life);
+ printf("Minimum password length: %ld\n", policy.pw_min_length);
+ printf("Minimum number of password character classes: %ld\n",
+ policy.pw_min_classes);
+ printf("Number of old keys kept: %ld\n", policy.pw_history_num);
+ printf("Reference count: %ld\n", policy.policy_refcnt);
} else {
- printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
- policy.policy, policy.pw_max_life, policy.pw_min_life,
- policy.pw_min_length, policy.pw_min_classes,
- policy.pw_history_num, policy.policy_refcnt);
+ printf("\"%s\"\t%ld\t%ld\t%ld\t%ld\t%ld\t%ld\n",
+ policy.policy, policy.pw_max_life, policy.pw_min_life,
+ policy.pw_min_length, policy.pw_min_classes,
+ policy.pw_history_num, policy.policy_refcnt);
}
kadm5_free_policy_ent(handle, &policy);
- return;
}
-void kadmin_getpols(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getpols(int argc, char *argv[])
{
krb5_error_code retval;
char *expr, **names;
int i, count;
expr = NULL;
- if (! (argc == 1 || (argc == 2 && (expr = argv[1])))) {
- fprintf(stderr, "usage: get_policies [expression]\n");
- return;
+ if (!(argc == 1 || (argc == 2 && (expr = argv[1])))) {
+ fprintf(stderr, "usage: get_policies [expression]\n");
+ return;
}
retval = kadm5_get_policies(handle, expr, &names, &count);
if (retval) {
- com_err("get_policies", retval, "while retrieving list.");
- return;
+ com_err("get_policies", retval, "while retrieving list.");
+ return;
}
for (i = 0; i < count; i++)
- printf("%s\n", names[i]);
+ printf("%s\n", names[i]);
kadm5_free_name_list(handle, names, count);
}
-void kadmin_getprivs(argc, argv)
- int argc;
- char *argv[];
+void
+kadmin_getprivs(int argc, char *argv[])
{
static char *privs[] = {"GET", "ADD", "MODIFY", "DELETE"};
krb5_error_code retval;
- int i;
+ size_t i;
long plist;
if (argc != 1) {
- fprintf(stderr, "usage: get_privs\n");
- return;
+ fprintf(stderr, "usage: get_privs\n");
+ return;
}
retval = kadm5_get_privs(handle, &plist);
if (retval) {
- com_err("get_privs", retval, "while retrieving privileges");
- return;
+ com_err("get_privs", retval, "while retrieving privileges");
+ return;
}
printf("current privileges:");
for (i = 0; i < sizeof (privs) / sizeof (char *); i++) {
- if (plist & 1 << i)
- printf(" %s", privs[i]);
+ if (plist & 1 << i)
+ printf(" %s", privs[i]);
}
printf("\n");
- return;
}
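Review bot: The return value of `fgets()` at the delete_policy confirmation prompt in kadmin_delpol is still unchecked, so on EOF or a read error `reply` is never written and `strcmp("yes\n", reply)` compares against an uninitialized five-byte buffer. The line should read `if (fgets(reply, sizeof(reply), stdin) == NULL || strcmp("yes\n", reply) != 0) {` so that a missing answer counts as a refusal, and `char reply[5] = "";` would make the fallback deterministic. Because `reply` holds exactly "yes\n", any longer answer is rejected and the rest of the line remains buffered on stdin; a short comment to that effect above the prompt would save the next reader a puzzle.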
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
index 5fb5613..643e91d 100644
--- a/src/kadmin/cli/keytab.c
+++ b/src/kadmin/cli/keytab.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved.
*
@@ -7,14 +8,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -25,7 +26,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -45,12 +46,12 @@ static char *rcsid = "$Header$";
#include <adm_proto.h>
#include "kadmin.h"
-static int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
- krb5_boolean keepold,
- int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
- char *princ_str);
-static int remove_principal(char *keytab_str, krb5_keytab keytab, char
- *princ_str, char *kvno_str);
+static void add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+ krb5_boolean keepold,
+ int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
+ char *princ_str);
+static void remove_principal(char *keytab_str, krb5_keytab keytab,
+ char *princ_str, char *kvno_str);
static char *etype_string(krb5_enctype enctype);
static int quiet;
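Review bot: The prototype for remove_principal becomes `static void` here, but its definition in the `@@ -59,417 +60,411 @@` hunk below is written as plain `void remove_principal(...)` and still ends every error path with `return code;` and the tail with `return 1;` / `return 0;`, which is a constraint violation in a void function and will at least draw a compiler diagnostic. Either those lines become bare `return;` (the callers in kadmin_keytab_remove already discard the status, and the failure is reported on stderr) or the prototype stays `static int`. Dropping `static` from the definition is harmless because the earlier static declaration fixes internal linkage, but writing it on both, as add_principal does, would be consistent.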
@@ -59,417 +60,411 @@ static int quiet;
static int norandkey;
#endif
-static void add_usage()
+static void
+add_usage()
{
#ifdef KADMIN_LOCAL
- fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n");
+ fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]\n");
#else
- fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n");
+ fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]\n");
#endif
}
-
-static void rem_usage()
+
+static void
+rem_usage()
{
- fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n");
+ fprintf(stderr, "Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n");
}
-static int process_keytab(krb5_context my_context, char **keytab_str,
- krb5_keytab *keytab)
+static int
+process_keytab(krb5_context my_context, char **keytab_str,
+ krb5_keytab *keytab)
{
- int code;
-
- if (*keytab_str == NULL) {
- /* XXX krb5_defkeyname is an internal library global and
- should go away */
- if (! (*keytab_str = strdup(krb5_defkeyname))) {
- com_err(whoami, ENOMEM, "while creating keytab name");
- return 1;
- }
- code = krb5_kt_default(my_context, keytab);
- if (code != 0) {
- com_err(whoami, code, "while opening default keytab");
- free(*keytab_str);
- return 1;
- }
- } else {
- if (strchr(*keytab_str, ':') != NULL) {
- *keytab_str = strdup(*keytab_str);
- if (*keytab_str == NULL) {
- com_err(whoami, ENOMEM, "while creating keytab name");
- return 1;
- }
- } else {
- if (asprintf(keytab_str, "WRFILE:%s", *keytab_str) < 0) {
- *keytab_str = NULL;
- com_err(whoami, ENOMEM, "while creating keytab name");
- return 1;
- }
- }
-
- code = krb5_kt_resolve(my_context, *keytab_str, keytab);
- if (code != 0) {
- com_err(whoami, code, "while resolving keytab %s", *keytab_str);
- free(keytab_str);
- return 1;
- }
- }
-
- return 0;
+ int code;
+ char *name = *keytab_str;
+
+ if (name == NULL) {
+ /* XXX krb5_defkeyname is an internal library global and
+ should go away */
+ name = strdup(krb5_defkeyname);
+ if (!name) {
+ com_err(whoami, ENOMEM, "while creating keytab name");
+ return 1;
+ }
+ code = krb5_kt_default(my_context, keytab);
+ if (code != 0) {
+ com_err(whoami, code, "while opening default keytab");
+ free(name);
+ return 1;
+ }
+ } else {
+ if (strchr(name, ':') != NULL)
+ name = strdup(name);
+ else if (asprintf(keytab_str, "WRFILE:%s", name) < 0)
+ name = NULL;
+ if (name == NULL) {
+ com_err(whoami, ENOMEM, "while creating keytab name");
+ return 1;
+ }
+
+ code = krb5_kt_resolve(my_context, name, keytab);
+ if (code != 0) {
+ com_err(whoami, code, "while resolving keytab %s", name);
+ free(name);
+ return 1;
+ }
+ }
+
+ *keytab_str = name;
+ return 0;
}
-
-void kadmin_keytab_add(int argc, char **argv)
+void
+kadmin_keytab_add(int argc, char **argv)
{
- krb5_keytab keytab = 0;
- char *keytab_str = NULL, **princs;
- int code, num, i;
- krb5_error_code retval;
- int n_ks_tuple = 0;
- krb5_boolean keepold = FALSE;
- krb5_key_salt_tuple *ks_tuple = NULL;
-
- argc--; argv++;
- quiet = 0;
+ krb5_keytab keytab = 0;
+ char *keytab_str = NULL, **princs;
+ int code, num, i;
+ krb5_error_code retval;
+ int n_ks_tuple = 0;
+ krb5_boolean keepold = FALSE;
+ krb5_key_salt_tuple *ks_tuple = NULL;
+
+ argc--; argv++;
+ quiet = 0;
#ifdef KADMIN_LOCAL
- norandkey = 0;
+ norandkey = 0;
#endif
- while (argc) {
- if (strncmp(*argv, "-k", 2) == 0) {
- argc--; argv++;
- if (!argc || keytab_str) {
- add_usage();
- return;
- }
- keytab_str = *argv;
- } else if (strcmp(*argv, "-q") == 0) {
- quiet++;
+ while (argc) {
+ if (strncmp(*argv, "-k", 2) == 0) {
+ argc--; argv++;
+ if (!argc || keytab_str) {
+ add_usage();
+ return;
+ }
+ keytab_str = *argv;
+ } else if (strcmp(*argv, "-q") == 0) {
+ quiet++;
#ifdef KADMIN_LOCAL
} else if (strcmp(*argv, "-norandkey") == 0) {
- norandkey++;
+ norandkey++;
#endif
- } else if (strcmp(*argv, "-e") == 0) {
- argc--;
- if (argc < 1) {
- add_usage();
- return;
- }
- retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
- &ks_tuple, &n_ks_tuple);
- if (retval) {
- com_err("ktadd", retval, "while parsing keysalts %s",
- *argv);
-
- return;
- }
- } else
- break;
- argc--; argv++;
- }
-
- if (argc == 0) {
- add_usage();
- return;
- }
+ } else if (strcmp(*argv, "-e") == 0) {
+ argc--;
+ if (argc < 1) {
+ add_usage();
+ return;
+ }
+ retval = krb5_string_to_keysalts(*++argv, ", \t", ":.-", 0,
+ &ks_tuple, &n_ks_tuple);
+ if (retval) {
+ com_err("ktadd", retval, "while parsing keysalts %s",
+ *argv);
+
+ return;
+ }
+ } else
+ break;
+ argc--; argv++;
+ }
+
+ if (argc == 0) {
+ add_usage();
+ return;
+ }
#ifdef KADMIN_LOCAL
- if (norandkey && ks_tuple) {
- fprintf(stderr, "cannot specify keysaltlist when not changing key\n");
- return;
- }
+ if (norandkey && ks_tuple) {
+ fprintf(stderr, "cannot specify keysaltlist when not changing key\n");
+ return;
+ }
#endif
- if (process_keytab(context, &keytab_str, &keytab))
- return;
-
- while (*argv) {
- if (strcmp(*argv, "-glob") == 0) {
- if (*++argv == NULL) {
- add_usage();
- break;
- }
-
- code = kadm5_get_principals(handle, *argv, &princs, &num);
- if (code) {
- com_err(whoami, code, "while expanding expression \"%s\".",
- *argv);
- argv++;
- continue;
- }
-
- for (i = 0; i < num; i++)
- (void) add_principal(handle, keytab_str, keytab,
- keepold, n_ks_tuple, ks_tuple,
- princs[i]);
- kadm5_free_name_list(handle, princs, num);
- } else
- (void) add_principal(handle, keytab_str, keytab,
- keepold, n_ks_tuple, ks_tuple,
- *argv);
- argv++;
- }
-
- code = krb5_kt_close(context, keytab);
- if (code != 0)
- com_err(whoami, code, "while closing keytab");
-
- free(keytab_str);
+ if (process_keytab(context, &keytab_str, &keytab))
+ return;
+
+ while (*argv) {
+ if (strcmp(*argv, "-glob") == 0) {
+ if (*++argv == NULL) {
+ add_usage();
+ break;
+ }
+
+ code = kadm5_get_principals(handle, *argv, &princs, &num);
+ if (code) {
+ com_err(whoami, code, "while expanding expression \"%s\".",
+ *argv);
+ argv++;
+ continue;
+ }
+
+ for (i = 0; i < num; i++)
+ add_principal(handle, keytab_str, keytab, keepold,
+ n_ks_tuple, ks_tuple, princs[i]);
+ kadm5_free_name_list(handle, princs, num);
+ } else {
+ add_principal(handle, keytab_str, keytab, keepold,
+ n_ks_tuple, ks_tuple, *argv);
+ argv++;
+ }
+ }
+
+ code = krb5_kt_close(context, keytab);
+ if (code != 0)
+ com_err(whoami, code, "while closing keytab");
+
+ free(keytab_str);
}
-void kadmin_keytab_remove(int argc, char **argv)
+void
+kadmin_keytab_remove(int argc, char **argv)
{
- krb5_keytab keytab = 0;
- char *keytab_str = NULL;
- int code;
-
- argc--; argv++;
- quiet = 0;
- while (argc) {
- if (strncmp(*argv, "-k", 2) == 0) {
- argc--; argv++;
- if (!argc || keytab_str) {
- rem_usage();
- return;
- }
- keytab_str = *argv;
- } else if (strcmp(*argv, "-q") == 0) {
- quiet++;
- } else
- break;
- argc--; argv++;
- }
-
- if (argc != 1 && argc != 2) {
- rem_usage();
- return;
- }
- if (process_keytab(context, &keytab_str, &keytab))
- return;
-
- (void) remove_principal(keytab_str, keytab, argv[0], argv[1]);
-
- code = krb5_kt_close(context, keytab);
- if (code != 0)
- com_err(whoami, code, "while closing keytab");
-
- free(keytab_str);
+ krb5_keytab keytab = 0;
+ char *keytab_str = NULL;
+ int code;
+
+ argc--; argv++;
+ quiet = 0;
+ while (argc) {
+ if (strncmp(*argv, "-k", 2) == 0) {
+ argc--; argv++;
+ if (!argc || keytab_str) {
+ rem_usage();
+ return;
+ }
+ keytab_str = *argv;
+ } else if (strcmp(*argv, "-q") == 0) {
+ quiet++;
+ } else
+ break;
+ argc--; argv++;
+ }
+
+ if (argc != 1 && argc != 2) {
+ rem_usage();
+ return;
+ }
+ if (process_keytab(context, &keytab_str, &keytab))
+ return;
+
+ remove_principal(keytab_str, keytab, argv[0], argv[1]);
+
+ code = krb5_kt_close(context, keytab);
+ if (code != 0)
+ com_err(whoami, code, "while closing keytab");
+
+ free(keytab_str);
}
-static
-int add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
- krb5_boolean keepold, int n_ks_tuple,
- krb5_key_salt_tuple *ks_tuple,
- char *princ_str)
+static void
+add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
+ krb5_boolean keepold, int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple, char *princ_str)
{
- kadm5_principal_ent_rec princ_rec;
- krb5_principal princ;
- krb5_keytab_entry new_entry;
- krb5_keyblock *keys;
- int code, nkeys, i;
+ kadm5_principal_ent_rec princ_rec;
+ krb5_principal princ = NULL;
+ krb5_keytab_entry new_entry;
+ krb5_keyblock *keys;
+ int code, nkeys, i;
- (void) memset(&princ_rec, 0, sizeof(princ_rec));
+ memset(&princ_rec, 0, sizeof(princ_rec));
- princ = NULL;
- keys = NULL;
- nkeys = 0;
+ princ = NULL;
+ keys = NULL;
+ nkeys = 0;
- code = krb5_parse_name(context, princ_str, &princ);
- if (code != 0) {
- com_err(whoami, code, "while parsing -add principal name %s",
- princ_str);
- goto cleanup;
- }
+ code = krb5_parse_name(context, princ_str, &princ);
+ if (code != 0) {
+ com_err(whoami, code, "while parsing -add principal name %s",
+ princ_str);
+ goto cleanup;
+ }
#ifdef KADMIN_LOCAL
- if (norandkey)
- code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
- else
+ if (norandkey)
+ code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
+ else
#endif
- if (keepold || ks_tuple != NULL) {
- code = kadm5_randkey_principal_3(lhandle, princ,
- keepold, n_ks_tuple, ks_tuple,
- &keys, &nkeys);
- } else {
- code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys);
- }
- if (code != 0) {
- if (code == KADM5_UNK_PRINC) {
- fprintf(stderr, "%s: Principal %s does not exist.\n",
- whoami, princ_str);
- } else
- com_err(whoami, code, "while changing %s's key",
- princ_str);
- goto cleanup;
- }
-
- code = kadm5_get_principal(lhandle, princ, &princ_rec,
- KADM5_PRINCIPAL_NORMAL_MASK);
- if (code != 0) {
- com_err(whoami, code, "while retrieving principal");
- goto cleanup;
- }
-
- for (i = 0; i < nkeys; i++) {
- memset(&new_entry, 0, sizeof(new_entry));
- new_entry.principal = princ;
- new_entry.key = keys[i];
- new_entry.vno = princ_rec.kvno;
-
- code = krb5_kt_add_entry(context, keytab, &new_entry);
- if (code != 0) {
- com_err(whoami, code, "while adding key to keytab");
- (void) kadm5_free_principal_ent(lhandle, &princ_rec);
- goto cleanup;
- }
-
- if (!quiet)
- printf("Entry for principal %s with kvno %d, "
- "encryption type %s added to keytab %s.\n",
- princ_str, princ_rec.kvno,
- etype_string(keys[i].enctype), keytab_str);
- }
-
- code = kadm5_free_principal_ent(lhandle, &princ_rec);
- if (code != 0) {
- com_err(whoami, code, "while freeing principal entry");
- goto cleanup;
- }
+ if (keepold || ks_tuple != NULL) {
+ code = kadm5_randkey_principal_3(lhandle, princ, keepold,
+ n_ks_tuple, ks_tuple, &keys, &nkeys);
+ } else
+ code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys);
+ if (code != 0) {
+ if (code == KADM5_UNK_PRINC) {
+ fprintf(stderr, "%s: Principal %s does not exist.\n",
+ whoami, princ_str);
+ } else
+ com_err(whoami, code, "while changing %s's key", princ_str);
+ goto cleanup;
+ }
+
+ code = kadm5_get_principal(lhandle, princ, &princ_rec,
+ KADM5_PRINCIPAL_NORMAL_MASK);
+ if (code != 0) {
+ com_err(whoami, code, "while retrieving principal");
+ goto cleanup;
+ }
+
+ for (i = 0; i < nkeys; i++) {
+ memset(&new_entry, 0, sizeof(new_entry));
+ new_entry.principal = princ;
+ new_entry.key = keys[i];
+ new_entry.vno = princ_rec.kvno;
+
+ code = krb5_kt_add_entry(context, keytab, &new_entry);
+ if (code != 0) {
+ com_err(whoami, code, "while adding key to keytab");
+ kadm5_free_principal_ent(lhandle, &princ_rec);
+ goto cleanup;
+ }
+
+ if (!quiet) {
+ printf("Entry for principal %s with kvno %d, "
+ "encryption type %s added to keytab %s.\n",
+ princ_str, princ_rec.kvno,
+ etype_string(keys[i].enctype), keytab_str);
+ }
+ }
+
+ code = kadm5_free_principal_ent(lhandle, &princ_rec);
+ if (code != 0) {
+ com_err(whoami, code, "while freeing principal entry");
+ goto cleanup;
+ }
cleanup:
- if (nkeys) {
- for (i = 0; i < nkeys; i++)
- krb5_free_keyblock_contents(context, &keys[i]);
- free(keys);
- }
- if (princ)
- krb5_free_principal(context, princ);
-
- return code;
+ if (nkeys) {
+ for (i = 0; i < nkeys; i++)
+ krb5_free_keyblock_contents(context, &keys[i]);
+ free(keys);
+ }
+ krb5_free_principal(context, princ);
}
-int remove_principal(char *keytab_str, krb5_keytab keytab, char
- *princ_str, char *kvno_str)
+void
+remove_principal(char *keytab_str, krb5_keytab keytab,
+ char *princ_str, char *kvno_str)
{
- krb5_principal princ;
- krb5_keytab_entry entry;
- krb5_kt_cursor cursor;
- enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
- int code, did_something;
- krb5_kvno kvno;
-
- code = krb5_parse_name(context, princ_str, &princ);
- if (code != 0) {
- com_err(whoami, code, "while parsing principal name %s",
- princ_str);
- return code;
- }
-
- mode = UNDEF;
- if (kvno_str == NULL) {
- mode = HIGH;
- kvno = 0;
- } else if (strcmp(kvno_str, "all") == 0) {
- mode = ALL;
- kvno = 0;
- } else if (strcmp(kvno_str, "old") == 0) {
- mode = OLD;
- kvno = 0;
- } else {
- mode = SPEC;
- kvno = atoi(kvno_str);
- }
-
- /* kvno is set to specified value for SPEC, 0 otherwise */
- code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry);
- if (code != 0) {
- if (code == ENOENT) {
- fprintf(stderr, "%s: Keytab %s does not exist.\n",
- whoami, keytab_str);
- } else if (code == KRB5_KT_NOTFOUND) {
- if (mode != SPEC)
- fprintf(stderr, "%s: No entry for principal "
- "%s exists in keytab %s\n",
- whoami, princ_str, keytab_str);
- else
- fprintf(stderr, "%s: No entry for principal "
- "%s with kvno %d exists in keytab "
- "%s.\n", whoami, princ_str, kvno,
- keytab_str);
- } else {
- com_err(whoami, code, "while retrieving highest kvno "
- "from keytab");
- }
- return code;
- }
-
- /* set kvno to spec'ed value for SPEC, highest kvno otherwise */
- kvno = entry.vno;
- krb5_kt_free_entry(context, &entry);
-
- code = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (code != 0) {
- com_err(whoami, code, "while starting keytab scan");
- return code;
- }
-
- did_something = 0;
- while ((code = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
- if (krb5_principal_compare(context, princ, entry.principal) &&
- ((mode == ALL) ||
- (mode == SPEC && entry.vno == kvno) ||
- (mode == OLD && entry.vno != kvno) ||
- (mode == HIGH && entry.vno == kvno))) {
-
- /*
- * Ack! What a kludge... the scanning functions lock
- * the keytab so entries cannot be removed while they
- * are operating.
- */
- code = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (code != 0) {
- com_err(whoami, code, "while temporarily ending "
- "keytab scan");
- return code;
- }
- code = krb5_kt_remove_entry(context, keytab, &entry);
- if (code != 0) {
- com_err(whoami, code, "while deleting entry from keytab");
- return code;
- }
- code = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (code != 0) {
- com_err(whoami, code, "while restarting keytab scan");
- return code;
- }
-
- did_something++;
- if (!quiet)
- printf("Entry for principal %s with kvno %d "
- "removed from keytab %s.\n",
- princ_str, entry.vno, keytab_str);
- }
- krb5_kt_free_entry(context, &entry);
- }
- if (code && code != KRB5_KT_END) {
- com_err(whoami, code, "while scanning keytab");
- return code;
- }
- if ((code = krb5_kt_end_seq_get(context, keytab, &cursor))) {
- com_err(whoami, code, "while ending keytab scan");
- return code;
- }
-
- /*
- * If !did_someting then mode must be OLD or we would have
- * already returned with an error. But check it anyway just to
- * prevent unexpected error messages...
- */
- if (!did_something && mode == OLD) {
- fprintf(stderr, "%s: There is only one entry for principal "
- "%s in keytab %s\n", whoami, princ_str, keytab_str);
- return 1;
- }
-
- return 0;
+ krb5_principal princ;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ enum { UNDEF, SPEC, HIGH, ALL, OLD } mode;
+ int code, did_something;
+ krb5_kvno kvno;
+
+ code = krb5_parse_name(context, princ_str, &princ);
+ if (code != 0) {
+ com_err(whoami, code, "while parsing principal name %s", princ_str);
+ return code;
+ }
+
+ mode = UNDEF;
+ if (kvno_str == NULL) {
+ mode = HIGH;
+ kvno = 0;
+ } else if (strcmp(kvno_str, "all") == 0) {
+ mode = ALL;
+ kvno = 0;
+ } else if (strcmp(kvno_str, "old") == 0) {
+ mode = OLD;
+ kvno = 0;
+ } else {
+ mode = SPEC;
+ kvno = atoi(kvno_str);
+ }
+
+ /* kvno is set to specified value for SPEC, 0 otherwise */
+ code = krb5_kt_get_entry(context, keytab, princ, kvno, 0, &entry);
+ if (code != 0) {
+ if (code == ENOENT) {
+ fprintf(stderr, "%s: Keytab %s does not exist.\n",
+ whoami, keytab_str);
+ } else if (code == KRB5_KT_NOTFOUND) {
+ if (mode != SPEC) {
+ fprintf(stderr, "%s: No entry for principal "
+ "%s exists in keytab %s\n",
+ whoami, princ_str, keytab_str);
+ } else {
+ fprintf(stderr, "%s: No entry for principal "
+ "%s with kvno %d exists in keytab "
+ "%s.\n", whoami, princ_str, kvno, keytab_str);
+ }
+ } else
+ com_err(whoami, code, "while retrieving highest kvno from keytab");
+ return code;
+ }
+
+ /* set kvno to spec'ed value for SPEC, highest kvno otherwise */
+ kvno = entry.vno;
+ krb5_kt_free_entry(context, &entry);
+
+ code = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ com_err(whoami, code, "while starting keytab scan");
+ return code;
+ }
+
+ did_something = 0;
+ while ((code = krb5_kt_next_entry(context, keytab, &entry,
+ &cursor)) == 0) {
+ if (krb5_principal_compare(context, princ, entry.principal) &&
+ ((mode == ALL) ||
+ (mode == SPEC && entry.vno == kvno) ||
+ (mode == OLD && entry.vno != kvno) ||
+ (mode == HIGH && entry.vno == kvno))) {
+
+ /*
+ * Ack! What a kludge... the scanning functions lock
+ * the keytab so entries cannot be removed while they
+ * are operating.
+ */
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ com_err(whoami, code, "while temporarily ending keytab scan");
+ return code;
+ }
+ code = krb5_kt_remove_entry(context, keytab, &entry);
+ if (code != 0) {
+ com_err(whoami, code, "while deleting entry from keytab");
+ return code;
+ }
+ code = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ com_err(whoami, code, "while restarting keytab scan");
+ return code;
+ }
+
+ did_something++;
+ if (!quiet)
+ printf("Entry for principal %s with kvno %d "
+ "removed from keytab %s.\n",
+ princ_str, entry.vno, keytab_str);
+ }
+ krb5_kt_free_entry(context, &entry);
+ }
+ if (code && code != KRB5_KT_END) {
+ com_err(whoami, code, "while scanning keytab");
+ return code;
+ }
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code) {
+ com_err(whoami, code, "while ending keytab scan");
+ return code;
+ }
+
+ /*
+ * If !did_someting then mode must be OLD or we would have
+ * already returned with an error. But check it anyway just to
+ * prevent unexpected error messages...
+ */
+ if (!did_something && mode == OLD) {
+ fprintf(stderr, "%s: There is only one entry for principal "
+ "%s in keytab %s\n", whoami, princ_str, keytab_str);
+ return 1;
+ }
+
+ return 0;
}
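Review bot: In process_keytab the `WRFILE:` branch is broken by the new `name` local: `asprintf(keytab_str, "WRFILE:%s", name)` stores the prefixed string into `*keytab_str` while `name` still points at the caller's unprefixed argument, so `krb5_kt_resolve` is called with the bare path, the final `*keytab_str = name;` then overwrites and leaks the allocated string, and the `free(keytab_str)` in kadmin_keytab_add and kadmin_keytab_remove ends up freeing the argv string. The line should be `else if (asprintf(&name, "WRFILE:%s", name) < 0)` so that `name` carries the heap string through resolve and back to the caller on every path. The `strchr(name, ':')` branch is correct as written, and the switch from `free(keytab_str)` to `free(name)` inside the function is an improvement this commit already makes.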
/*
@@ -477,14 +472,15 @@ int remove_principal(char *keytab_str, krb5_keytab keytab, char
* encryption type. XXX copied from klist.c; this should be a
* library function, or perhaps just #defines
*/
-static char *etype_string(enctype)
- krb5_enctype enctype;
+static char *
+etype_string(krb5_enctype enctype)
{
static char buf[100];
krb5_error_code ret;
- if ((ret = krb5_enctype_to_string(enctype, buf, sizeof(buf))))
- snprintf(buf, sizeof(buf), "etype %d", enctype);
+ ret = krb5_enctype_to_string(enctype, buf, sizeof(buf));
+ if (ret)
+ snprintf(buf, sizeof(buf), "etype %d", enctype);
return buf;
}
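Review bot: etype_string returns a pointer to the function-static `buf`, so every call overwrites the previous result and the function is not reentrant; the header comment above the definition only mentions the klist.c duplication and says nothing about this. Suggest adding, directly above the signature, `/* Returns a pointer to a static buffer: the result is invalidated by the next call and the function is not thread-safe. */`, and, if callers permit, changing the return type to `const char *` so the shared buffer cannot be written through the returned pointer. The comment block this hunk starts in begins above the hunk.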
diff --git a/src/kadmin/cli/ss_wrapper.c b/src/kadmin/cli/ss_wrapper.c
index f73ba82..93cf1dc 100644
--- a/src/kadmin/cli/ss_wrapper.c
+++ b/src/kadmin/cli/ss_wrapper.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
* Copyright 1994 by the Massachusetts Institute of Technology.
* All Rights Reserved.
@@ -35,9 +36,8 @@ extern ss_request_table kadmin_cmds;
extern int exit_status;
extern char *whoami;
-int main(argc, argv)
- int argc;
- char *argv[];
+int
+main(int argc, char *argv[])
{
char *request;
krb5_error_code retval;
@@ -46,18 +46,17 @@ int main(argc, argv)
whoami = ((whoami = strrchr(argv[0], '/')) ? whoami+1 : argv[0]);
request = kadmin_startup(argc, argv);
- sci_idx = ss_create_invocation(whoami, "5.0", (char *) NULL,
- &kadmin_cmds, &retval);
+ sci_idx = ss_create_invocation(whoami, "5.0", NULL, &kadmin_cmds, &retval);
if (retval) {
- ss_perror(sci_idx, retval, "creating invocation");
- exit(1);
+ ss_perror(sci_idx, retval, "creating invocation");
+ exit(1);
}
if (request) {
- code = ss_execute_line(sci_idx, request);
- if (code != 0) {
- ss_perror(sci_idx, code, request);
- exit_status++;
- }
+ code = ss_execute_line(sci_idx, request);
+ if (code != 0) {
+ ss_perror(sci_idx, code, request);
+ exit_status++;
+ }
} else
retval = ss_listen(sci_idx);
return quit() ? 1 : exit_status;
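Review bot: The value returned by `ss_listen` on the `else` branch is stored in `retval` but never examined, so a failure to enter the interactive command loop is reported through `return quit() ? 1 : exit_status;` exactly like a clean session. Either treat it like the other ss_ calls in this block — `retval = ss_listen(sci_idx); if (retval) { ss_perror(sci_idx, retval, "listening for commands"); exit_status++; }` — or drop the assignment so the discard is visibly intentional. The behaviour predates this commit, but the hunk already rewrites this block, so it is the natural place to fix it; main() begins in the preceding hunk.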
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 3ec5103..1eac9e3 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -269,8 +269,8 @@ proc kadmin_cpw { pname password } {
send "adminpass$KEY\r"
}
- expect "Enter password for principal \"$pname\":" { send "$password\r" }
- expect "Re-enter password for principal \"$pname\":" { send "$password\r" }
+ expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }
+ expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" }
# When in doubt, jam one of these in there.
expect "\r"
expect "Password for \"$pname@$REALMNAME\" changed."