krb5.git/src/kadmin/cli, branch proxymech Unnamed repository; edit this file 'description' to name the repository. Policy extensions + new policy: allowed ks types 2012-07-30T23:11:28+00:00 Nicolas Williams nico@cryptonector.com 2012-07-18T21:27:35+00:00 5829ca2b348974e52a67b553afc7f7491007c33a This simply adds KADM5_API_VERSION_4 and various fields to the policy structures: - attributes (policy-ish principal attributes) - max_life (max ticket life) - max_renewable_life (max ticket renewable life) - allowed_keysalts (allowed key/salt types) - TL data (future policy extensions) Of these only allowed_keysalts is currently implemented. Some refactoring of TL data handling is also done. ticket: 7223 (new) 
This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:

 - attributes         (policy-ish principal attributes)
 - max_life           (max ticket life)
 - max_renewable_life (max ticket renewable life)
 - allowed_keysalts   (allowed key/salt types)
 - TL data            (future policy extensions)

Of these only allowed_keysalts is currently implemented.

Some refactoring of TL data handling is also done.

ticket: 7223 (new)
Fix ugly ladder in src/kadmin/cli/kadmin.c 2012-07-30T22:38:57+00:00 Nicolas Williams nico@cryptonector.com 2012-07-19T03:55:22+00:00 796366a03ea170efb937913acae36a2083a5329e 






Allow using locales when gettext is absent
2012-07-06T20:34:28+00:00

Ben Kaduk
kaduk@mit.edu

2012-07-06T19:45:20+00:00

7afeca0d0f821e12298d6987a9d1cd65be7539b0

Previously, if configure did not detect dgettext(), we disabled
anything that smelled like localization, inadvertently including
setlocale().  Now that we use setlocale(LC_ALL, ""), we have
localized dates available as well as messages, so we should not
disable calls to setlocale() any more.
Since the routines from locale.h are only used in a relatively
small number of places, just include the header directly in those
files and remove it from k5-platform.h.





Previously, if configure did not detect dgettext(), we disabled
anything that smelled like localization, inadvertently including
setlocale().  Now that we use setlocale(LC_ALL, ""), we have
localized dates available as well as messages, so we should not
disable calls to setlocale() any more.
Since the routines from locale.h are only used in a relatively
small number of places, just include the header directly in those
files and remove it from k5-platform.h.







Enable all localizations in main functions
2012-07-06T18:06:12+00:00

Ben Kaduk
kaduk@mit.edu

2012-07-05T18:56:50+00:00

75c7c600b49a7f1d5cf95260fc073cb4ba5929cd

Bite the bullet and pass LC_ALL to setlocale() instead of just
LC_MESSAGES.  Calls to setlocale() itself were introduced in
fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but
only for LC_MESSAGES since only localized strings were needed
and that was the most conservative option.
However, klist, kadmin, and kinit (and perhaps others) would benefit
from localized formats for times (i.e., LC_TIME).  If potentially
localized data is being sent on the wire, that is a bug that should
be fixed.  No such bugs are found with the current test suite, so we
are comfortable enabling LC_ALL at this time.

ticket: 7192





Bite the bullet and pass LC_ALL to setlocale() instead of just
LC_MESSAGES.  Calls to setlocale() itself were introduced in
fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but
only for LC_MESSAGES since only localized strings were needed
and that was the most conservative option.
However, klist, kadmin, and kinit (and perhaps others) would benefit
from localized formats for times (i.e., LC_TIME).  If potentially
localized data is being sent on the wire, that is a bug that should
be fixed.  No such bugs are found with the current test suite, so we
are comfortable enabling LC_ALL at this time.

ticket: 7192







Remove orphaned KfM code
2012-06-21T20:53:43+00:00

Greg Hudson
ghudson@mit.edu

2012-06-21T20:53:43+00:00

f22b98916070be6b3778888df1e65ced07c47131












Remove orphaned Apple PKINIT support
2012-04-26T21:46:57+00:00

Greg Hudson
ghudson@mit.edu

2012-04-26T21:46:57+00:00

7150b8eab9fb4bf643dd1a7ac4f5be3ca455dfcb

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970





git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970







In kadmin_getprivs replace the non-existing "GET" privilege by "INQUIRE". 
2012-02-15T18:55:16+00:00

Zhanna Tsitkov
tsitkova@mit.edu

2012-02-15T18:55:16+00:00

822d8b73fd19bd2647c8d0aaba21a2b961f3d40b

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25702 dc483132-0cff-0310-8789-dd5450dbe970





git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25702 dc483132-0cff-0310-8789-dd5450dbe970







install sphinx-generated manpages
2012-01-09T20:13:10+00:00

Tom Yu
tlyu@mit.edu

2012-01-09T20:13:10+00:00

bde5e9efadbdf0fb0b2d1dd16efcb83e82e433e4

Install sphinx-generated manpages.  Original nroff manpages remain for
reference until proofreading is complete.  Modify
doc/rst_source/conf.py to better deal with shadow manpages -- sphinx
will now build k5login.5 instead of .k5login.5, and kadmin.1 instead
of both kadmin.1 and kadmin.local.8.

Proofreaders should ensure that the original nroff manpages (and
associated Makefile rules) are deleted once their reST format
equivalents have been proofread.

ticket: 7064
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970





Install sphinx-generated manpages.  Original nroff manpages remain for
reference until proofreading is complete.  Modify
doc/rst_source/conf.py to better deal with shadow manpages -- sphinx
will now build k5login.5 instead of .k5login.5, and kadmin.1 instead
of both kadmin.1 and kadmin.local.8.

Proofreaders should ensure that the original nroff manpages (and
associated Makefile rules) are deleted once their reST format
equivalents have been proofread.

ticket: 7064
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970







Fix failure interval of 0 in LDAP lockout code
2011-11-20T05:19:45+00:00

Greg Hudson
ghudson@mit.edu

2011-11-20T05:19:45+00:00

4a84d4137426d0951d5565adef30efebab719d23

A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit).  It should be treated as forever, as in
the DB2 back end.

This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.

ticket: 7021
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970





A failure count interval of 0 caused krb5_ldap_lockout_check_policy to
pass the lockout check (but didn't cause a reset of the failure count
in krb5_ldap_lockout_audit).  It should be treated as forever, as in
the DB2 back end.

This bug is the previously unknown cause of the assertion failure
fixed in CVE-2011-1528.

ticket: 7021
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970







Fix month/year units in getdate
2011-11-06T04:32:34+00:00

Greg Hudson
ghudson@mit.edu

2011-11-06T04:32:34+00:00

e10f243be294ba9b3ba4b39a1a6bdf4bbbaf0fcf

getdate strings like "1 month" or "next year" would fail some of the
time, depending on the value of stack garbage, because DSTcorrect()
doesn't set *error on success and RelativeMonth() doesn't initialize
error.  Make DSTcorrect() responsible for setting *error in all cases.

ticket: 7003
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25444 dc483132-0cff-0310-8789-dd5450dbe970





getdate strings like "1 month" or "next year" would fail some of the
time, depending on the value of stack garbage, because DSTcorrect()
doesn't set *error on success and RelativeMonth() doesn't initialize
error.  Make DSTcorrect() responsible for setting *error in all cases.

ticket: 7003
target_version: 1.10
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25444 dc483132-0cff-0310-8789-dd5450dbe970