authorSimo Sorce <ssorce@redhat.com>2008-04-08 18:02:42 -0400
committerSimo Sorce <ssorce@redhat.com>2008-04-08 18:02:42 -0400
commit70d3717e8bd8e71641a04471cd49cd75fbe465a1 (patch)
tree5fe686dcd770e54826f77bb04b97d1bf9e52bebc /ipa-client
parentc45d58cc3fddf67bd787549aecc5741cdb35cc8a (diff)
Add --permitted-enctypes command and add it to the man page too
Diffstat (limited to 'ipa-client')
-rw-r--r--ipa-client/ipa-getkeytab.c39
-rw-r--r--ipa-client/man/ipa-getkeytab.121
2 files changed, 52 insertions, 8 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 8e02a4316..28859a7f6 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -450,12 +450,14 @@ int main(int argc, char *argv[])
static const char *keytab = NULL;
static const char *enctypes_string = NULL;
int quiet = 0;
+ int permitted_enctypes = 0;
struct poptOption options[] = {
{ "server", 's', POPT_ARG_STRING, &server, 0, "Contact this specific KDC Server", "Server Name" },
{ "principal", 'p', POPT_ARG_STRING, &principal, 0, "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", "Kerberos Service Principal Name" },
{ "keytab", 'k', POPT_ARG_STRING, &keytab, 0, "File were to store the keytab information", "Keytab File Name" },
{ "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0, "Encryption types to request", "Comma separated encription types list" },
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Print as little as possible", "Output only on errors"},
+ { "permitted-enctypes", 0, POPT_ARG_NONE, &permitted_enctypes, 0, "Show the list of permitted encryption types and exit", "Permitted Encryption Types"},
{ NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL }
};
poptContext pc;
@@ -473,23 +475,44 @@ int main(int argc, char *argv[])
int kvno;
int i, ret;
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ fprintf(stderr, "Kerberos context initialization failed\n");
+ exit(1);
+ }
+
pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
ret = poptGetNextOpt(pc);
- if (ret != -1 || !server || !principal || !keytab) {
+ if (ret == -1 && permitted_enctypes &&
+ !(server || principal || keytab || quiet)) {
+ char enc[79]; /* fit std terminal or truncate */
+
+ krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
+ if (krberr) {
+ fprintf(stderr, "No system preferred enctypes ?!\n");
+ exit(1);
+ }
+ fprintf(stdout, "Supported encryption types:\n");
+ for (i = 0; ktypes[i]; i++) {
+ krberr = krb5_enctype_to_string(ktypes[i], enc, 79);
+ if (krberr) {
+ fprintf(stderr, "Warning: failed to convert type (#%d)\n", i);
+ continue;
+ }
+ fprintf(stdout, "%s\n", enc);
+ }
+ exit (0);
+ }
+
+ if (ret != -1 || !server || !principal || !keytab || permitted_enctypes) {
if (!quiet) {
poptPrintUsage(pc, stderr, 0);
}
- exit(1);
+ exit(2);
}
ret = asprintf(&ktname, "WRFILE:%s", keytab);
if (ret == -1) {
- exit(2);
- }
-
- krberr = krb5_init_context(&krbctx);
- if (krberr) {
- fprintf(stderr, "Kerberos context initialization failed\n");
exit(3);
}
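Review bot: The new early-exit test `!(server || principal || keytab || quiet)` leaves `enctypes_string` out, so `--permitted-enctypes -e <list>` prints the list and exits 0 with `-e` silently ignored, while `--permitted-enctypes -q` falls through to the usage branch, where `quiet` suppresses the usage text and the tool exits 2 with no output at all. I would test `!(server || principal || keytab || enctypes_string)` instead and treat `-q` as harmless on this path. In the loop, pass `sizeof(enc)` to `krb5_enctype_to_string` rather than repeating the literal `79`, and print `ktypes[i]` instead of the index `i` in the warning so the enctype that failed to convert can be identified. The heading `Supported encryption types:` labels what the local Kerberos library permits, which presumably follows the client configuration rather than what the KDC will accept; a short comment above that `fprintf` saying so would prevent the output being read as a server-side guarantee. main's body starts and ends outside this hunk.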
diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1
index 29710918a..90fba04d4 100644
--- a/ipa-client/man/ipa-getkeytab.1
+++ b/ipa-client/man/ipa-getkeytab.1
@@ -62,10 +62,31 @@ created if not existing).
\fB\-e encryption-types\fR
The list of encryption types to use to generate keys.
ipa-getkeytab will use local client defaults if not provided.
+Valid values depend on the kerberos library version and configuration.
+Common values are:
+aes256-cts
+aes128-cts
+des3-hmac-sha1
+arcfour-hmac
+des-hmac-sha1
+des-cbc-md5
+des-cbc-crc
\fB\-q\fR
Keep quiet.
+\fB\--permitted-enctypes\fR
+This options returns a description of the permitted encryption types, like this:
+Supported encryption types:
+AES-256 CTS mode with 96-bit SHA-1 HMAC
+AES-128 CTS mode with 96-bit SHA-1 HMAC
+Triple DES cbc mode with HMAC/sha1
+ArcFour with HMAC/md5
+DES cbc mode with CRC-32
+DES cbc mode with RSA-MD5
+DES cbc mode with RSA-MD4
+
+
.SH "EXAMPLES"
Add and retrieve a keytab for the ldap service principal on