path: root/src/lib/kadm5
Age | Commit message | Author | Files | Lines

2010-08-31 | For the password quality interface: | Greg Hudson | 6 files | -11/+18
    * Add a languages argument to the check method to allow localization of error messages (currently no languages are ever passed, though).
    * Add an error code KADM5_PASS_Q_GENERIC.
    * In most built-in modules and the combo module, set an error message with krb5_set_error_message.
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24279 dc483132-0cff-0310-8789-dd5450dbe970

2010-08-28 | Revise the password quality pluggable interface to match the project page: | Greg Hudson | 8 files | -136/+388
    * Modules receive the policy name but not the policy object.
    * Enforcement of password policy is out of the interface's scope.
    * Built-in modules are: empty, dict, hesiod, princ.
    * The consumer API loader takes care of open/close, so there is only a wrapper function for check.
    The project page is at: http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24266 dc483132-0cff-0310-8789-dd5450dbe970

2010-08-26 | Create specific error codes for plugin-related failures, now that we have an expansion error table to hold them in. | Greg Hudson | 2 files | -2/+2
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24260 dc483132-0cff-0310-8789-dd5450dbe970

2010-08-26 | Merge trunk changes from r24202 to r24258 to plugins2 branch | Greg Hudson | 1 file | -1/+1
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24259 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-26 | In the plugins2 branch, untabify new files which accidentally used tabs in indentation. | Greg Hudson | 3 files | -32/+32
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24214 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-26 | In the plugins2 branch, rename "init" to "initvt" in all references to module vtable initializer functions. | Greg Hudson | 5 files | -12/+12
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24213 dc483132-0cff-0310-8789-dd5450dbe970
2010-07-23 | On the plugins2 branch, add a comment to pwqual_dict.c labeling that file as a password quality module. | Greg Hudson | 1 file | -0/+2
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24205 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-22 | Proof of concept code for a candidate plugin framework | Greg Hudson | 10 files | -361/+553
    git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins2@24203 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-08 | Fix a memory leak in libkadm5clnt's get_init_creds() | Greg Hudson | 1 file | -4/+3
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24179 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-08 | Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules should return in-realm aliases. | Greg Hudson | 1 file | -1/+2
    Set it where appropriate, and use it in the LDAP module instead of intuiting the result based on other flags.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24178 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-06 | Remove count parameters from get_principal, put_principal, free_principal, delete_principal, and get_policy. | Greg Hudson | 6 files | -297/+247
    Make get_principal allocate the DB entry container. Fold krb5_db_get_principal_ext into krb5_db_get_principal.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-02 | Remove verify_master_key from the DAL table, as well as its associated libkdb5 interface. | Greg Hudson | 1 file | -12/+0
    Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-02 | Rename krb5_dbekd_encrypt_key_data and krb5_dbekd_decrypt_key_data to just use the krb5_dbe prefix. | Greg Hudson | 2 files | -33/+22
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24164 dc483132-0cff-0310-8789-dd5450dbe970

2010-07-02 | Remove the set_master_key and get_master_key DAL interfaces and their corresponding libkdb5 APIs, as they were not productively used. | Greg Hudson | 1 file | -1/+0
    In kdb5_ldap_util, stop using the realm data's mkey field as a container to communicate the master key to static helper functions, since the field no longer exists.
    ticket: 6749
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24162 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-26 | Make kadmin work over IPv6 | Greg Hudson | 3 files | -27/+65
    Make gssrpc work over IPv6 TCP sockets provided that the client creates and connects/binds the sockets and doesn't query their addresses or use bindresvport(). Make kadmin work within those constraints and handle IPv6. Specific changes:
    * Make svctcp_create() able to extract the port from an IPv6 socket, using a new helper function getport().
    * Make clnttcp_create() handle a null raddr value if *sockp is set.
    * Make kadm5_get_service_name() use getaddrinfo() to canonicalize the admin server name.
    * Make libkadm5clnt's init_any() responsible for connecting its socket using a new helper function connect_to_server(), which uses getaddrinfo instead of gethostbyname. Pass a null address to clnttcp_create().
    * Make libapputil's net-server.c set up IPv6 as well as IPv4 listener ports for RPC connections.
    * Adjust the error code expected in a libkadm5 unit test.
    ticket: 6746
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24147 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-25 | Adjust function names and declarations in libkadm5's client_init.c; in particular, avoid the use of library namespace prefixes for static helper functions. | Greg Hudson | 1 file | -149/+95
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24146 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-25 | Simplify the iprop conditionalization of _kadm5_init_any() | Greg Hudson | 1 file | -25/+19
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24145 dc483132-0cff-0310-8789-dd5450dbe970

2010-06-07 | make depend | Greg Hudson | 4 files | -44/+45
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-18 | When parsing a KDC or admin server string, allow the name or address to be enclosed in brackets so that IPv6 addresses can be represented. | Greg Hudson | 1 file | -7/+32
    (IPv6 addresses contain colons, which look like port separators.)
    ticket: 6562
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-18 | Improve the error message from kadmin when hostname resolution fails for the admin server. | Greg Hudson | 3 files | -4/+7
    (The extended message won't be displayed by kadmin currently; that's a separate issue.)
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24054 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-04 | Remove some unused fields from kadm5_config_params. Bump the client and server sonames. | Greg Hudson | 4 files | -10/+2
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23969 dc483132-0cff-0310-8789-dd5450dbe970

2010-05-04 | Eliminate the unused realm_dbname field from krb5_realm_params | Greg Hudson | 2 files | -6/+1
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970

2010-03-11 | Lazy history key creation | Greg Hudson | 2 files | -60/+37
    Create kadmin/history lazily when we need it (i.e. when a password is changed on a principal with a policy) instead of whenever we open the database. Allows kadmin.local to be used as a read-only tool on non-kadmin-conformant database back ends such as the Samba bridge.
    ticket: 6679
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23799 dc483132-0cff-0310-8789-dd5450dbe970

2010-03-10 | Use KRB5_CONF_ macros instead of strings in the source file for profile config attributes "default" and "logging" | Zhanna Tsitkov | 1 file | -3/+3
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23798 dc483132-0cff-0310-8789-dd5450dbe970

2010-02-28 | Remove some more test suite cruft: | Greg Hudson | 1 file | -7/+2
    * localhostname from get_hostname was unused.
    * database_name is no longer used except (misleadingly) in kdb5_util output.
    * admin_database_name and admin_database_lockfile are no longer used.
    * default_domain is only used for v4->v5 principal conversion, which isn't tested.
    * libkadm5's init-v2.exp had a copy of get_hostname; domain and localhostname from it were unused.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23759 dc483132-0cff-0310-8789-dd5450dbe970

2010-02-24 | Two problems in kadm5_get_principal mask handling | Greg Hudson | 1 file | -6/+8
    KADM5_MOD_NAME was being applied to entry->principal instead of entry->mod_name. KADM5_MKVNO was not being applied to entry->mkvno. Patch from Marcus Watts <mdw@umich.edu>.
    ticket: 6668
    target_version: 1.8
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23749 dc483132-0cff-0310-8789-dd5450dbe970

2010-02-11 | Minimal support for updating history key | Greg Hudson | 5 files | -131/+113
    Add minimal support for re-randomizing the history key:
    * cpw -randkey kadmin/history now works, but creates only one key.
    * cpw -randkey -keepold kadmin/history still fails.
    * libkadm5 no longer caches the history key. Performance impact is minimal since password changes are not common.
    * randkey no longer checks the newly randomized key against old keys, and the disabled code to do so in setkey/setv4key is gone, so now only kadm5_chpass_principal_3 accesses the password history.
    ticket: 6660
    target_version: 1.8
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970

2010-01-28 | Handle migration from pre-1.7 databases with master key kvno != 1 | Greg Hudson | 1 file | -1/+2
    krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no explicit tl_data. We've seen at least one pre-1.7 KDB with a master kvno of 0, violating this assumption. Fix this as follows:
    * krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists.
    * A new function krb5_dbe_get_mkvno translates this 0 value to the minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno cannot do this as it doesn't take the mkey_list as a parameter.)
    * Call sites to krb5_dbe_lookup_mkvno are converted to krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable to store 0 if the mkvno is unknown.
    ticket: 6650
    target_version: 1.7.1
    tags: pullup
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23676 dc483132-0cff-0310-8789-dd5450dbe970

2010-01-19 | Change basename of libkadm5 libraries to avoid Heimdal conflict | Greg Hudson | 4 files | -2/+12
    ticket: 6644
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23662 dc483132-0cff-0310-8789-dd5450dbe970

2010-01-14 | Make history key exempt from permitted_enctypes | Greg Hudson | 1 file | -7/+7
    In kdb_init_hist, just use the first key entry in the kadmin/history entry. This makes the history key work even if the enctype is disallowed by allow_weak_crypto=false or other configuration.
    ticket: 6640
    tags: pullup
    target_version: 1.8
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23657 dc483132-0cff-0310-8789-dd5450dbe970

2010-01-08 | Restore interoperability with 1.6 addprinc -randkey | Greg Hudson | 1 file | -0/+28
    The arcfour string-to-key operation in krb5 1.7 (or later) disagrees with the dummy password used by the addprinc -randkey operation in krb5 1.6's kadmin client, because it's not valid UTF-8. Recognize the 1.6 dummy password and use a random password instead.
    ticket: 6626
    tags: pullup
    target_version: 1.8
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23610 dc483132-0cff-0310-8789-dd5450dbe970

2010-01-07 | When retrieving the kadmin/history key, accept any enctype, as the current master key enctype may not match the one the KDB was created with. | Greg Hudson | 1 file | -2/+2
    ticket: 6546
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23607 dc483132-0cff-0310-8789-dd5450dbe970

2009-12-29 | MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals | Tom Yu | 1 file | -0/+3
    On certain error conditions, prep_reprocess_req() calls kdc_err() with a null pointer as the format string, causing a null dereference and denial of service. Legitimate protocol requests can trigger this problem.
    ticket: 6608
    tags: pullup
    target_version: 1.7.1
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23533 dc483132-0cff-0310-8789-dd5450dbe970

2009-12-28 | Whitespace fixes for new anonymous support | Greg Hudson | 1 file | -2/+3
    ticket: 6607
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970

2009-12-28 | Anonymous support for Kerberos | Sam Hartman | 5 files | -22/+60
    This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication.
    * Introduce kinit -n
    * Introduce kadmin -n
    * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
    * No longer generate ad-initial-verified-cas in pkinit
    * Fix pkinit interactions with non-TGT authentication
    Merge remote branch 'anonymous' into trunk
    Conflicts: src/lib/krb5/krb/gic_opt.c
    ticket: 6607
    Tags: enhancement
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-23 | Check return value of gethostname in krb5_klog_init | Greg Hudson | 1 file | -2/+5
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23313 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-22 | Consolidate Makefile variables now that we have only a single global configure script: | Greg Hudson | 8 files | -273/+271
    $(SRCTOP) --> $(top_srcdir)
    $(srcdir)/$(thisconfigdir) --> $(top_srcdir)
    $(thisconfigdir) --> $(BUILDTOP)
    $(myfulldir) --> $(mydir)
    ticket: 6583
    status: open
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-22 | In _kadm5_init_any on error - if we created a cache entry, destroy it (parallel to kadm5_destroy code). | Ezra Peisach | 1 file | -0/+8
    Also - free config_params.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23300 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-22 | Clean up some memory leaks by releasing context | Ezra Peisach | 2 files | -1/+5
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23299 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-21 | Memory leak in _kadm5_init_any introduced with ipropd | Ezra Peisach | 1 file | -0/+2
    Fix minor memory leak introduced by the ipropd integration.
    ticket: 6582
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23296 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-20 | Correct argument to kadm5_get_principal is a pointer to a struct - not a pointer to a pointer.... | Ezra Peisach | 1 file | -2/+6
    Does not really matter as the field is not used - this test program expects a failure. Clean up memory leaks by freeing principal and releasing context.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23295 dc483132-0cff-0310-8789-dd5450dbe970
2009-11-20 | The size of kadm5_server_handle_rec differs between the client and server code. | Ezra Peisach | 2 files | -4/+11
    Valgrind picked up on access past end of allocated structure. Include proper internal header in client/server test.
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23294 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-18 | minor reindent | Zhanna Tsitkov | 1 file | -24/+16
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23286 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-04 | Reindent and manually restore some BSD-style files that were previously incorrectly marked as krb5-style. | Tom Yu | 5 files | -256/+259
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23126 dc483132-0cff-0310-8789-dd5450dbe970

2009-11-03 | Reindent after making fixes for emacs-23 | Tom Yu | 1 file | -2/+2
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23123 dc483132-0cff-0310-8789-dd5450dbe970

2009-10-31 | make mark-cstyle | Tom Yu | 37 files | -5953/+5972
    make reindent
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970

2009-10-29 | Rename api.3 to api.current in the libkadm5 unit tests. This way the main body of tests won't have to be moved every time the current API version of libkadm5 changes. | Greg Hudson | 17 files | -0/+0
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23087 dc483132-0cff-0310-8789-dd5450dbe970

2009-10-27 | Heimdal DB bridge plugin for KDC back end | Greg Hudson | 1 file | -1/+3
    Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin.
    ticket: 6578
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23073 dc483132-0cff-0310-8789-dd5450dbe970

2009-10-26 | Remove the libkadm5 api.2 unit tests which don't pertain to the cpol, mpol, or gpol operations. | Greg Hudson | 14 files | -6600/+0
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23043 dc483132-0cff-0310-8789-dd5450dbe970

2009-10-25 | Account lockout | Greg Hudson | 35 files | -36/+8672
    Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure.
    ticket: 6577
    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970