author | Greg Hudson <ghudson@mit.edu> | 2013-07-09 10:58:49 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-07-15 12:31:38 -0400 |
commit | 57d0b4b300e43722ae9f080fbf132edeb3834323 (patch) | |
tree | e7d31391c1f241f1685abbb945c85f3c215659ff /src/kadmin | |
parent | d9457b501cbab535e5968dbdf195ca334b9fa555 (diff) | |
Add kadmin support for principals without keys
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal. The KDC was modified by #7630 to support principals
without keys.
ticket: 7679 (new)
Diffstat (limited to 'src/kadmin')
-rw-r--r-- | src/kadmin/cli/kadmin.c | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 6f6a8ba464..b2b464b058 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -940,8 +940,8 @@ unlock_princ(kadm5_principal_ent_t princ, long *mask, const char *caller)
 static int
 kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
                         long *mask, char **pass, krb5_boolean *randkey,
-                        krb5_key_salt_tuple **ks_tuple, int *n_ks_tuple,
-                        char *caller)
+                        krb5_boolean *nokey, krb5_key_salt_tuple **ks_tuple,
+                        int *n_ks_tuple, char *caller)
 {
     int i, attrib_set;
     size_t j;
@@ -955,6 +955,7 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
     *ks_tuple = NULL;
     time(&now);
     *randkey = FALSE;
+    *nokey = FALSE;
     for (i = 1; i < argc - 1; i++) {
         attrib_set = 0;
         if (!strcmp("-x",argv[i])) {
@@ -1048,6 +1049,10 @@ kadmin_parse_princ_args(int argc, char *argv[], kadm5_principal_ent_t oprinc,
             *randkey = TRUE;
             continue;
         }
+        if (!strcmp("-nokey", argv[i])) {
+            *nokey = TRUE;
+            continue;
+        }
         if (!strcmp("-unlock", argv[i])) {
             unlock_princ(oprinc, mask, caller);
             continue;
@@ -1104,9 +1109,9 @@ kadmin_addprinc_usage()
     fprintf(stderr, _("usage: add_principal [options] principal\n"));
     fprintf(stderr, _("\toptions are:\n"));
     fprintf(stderr,
-            _("\t\t[-x db_princ_args]* [-expire expdate] "
+            _("\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] "
              "[-pwexpire pwexpdate] [-maxlife maxtixlife]\n"
-             "\t\t[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey]\n"
+             "\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n"
              "\t\t[-pw password] [-maxrenewlife maxrenewlife]\n"
              "\t\t[-e keysaltlist]\n\t\t[{+|-}attribute]\n")
     );
@@ -1170,7 +1175,7 @@ kadmin_addprinc(int argc, char *argv[])
 {
     kadm5_principal_ent_rec princ;
     long mask;
-    krb5_boolean randkey = FALSE, old_style_randkey = FALSE;
+    krb5_boolean randkey = FALSE, nokey = FALSE, old_style_randkey = FALSE;
     int n_ks_tuple;
     krb5_key_salt_tuple *ks_tuple = NULL;
     char *pass, *canon = NULL;
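Review bot: The new `-nokey` branch in kadmin_parse_princ_args is the only place the option is recognized, yet nothing at the parse site says what a keyless principal is or that only add_principal honours it (modify_principal rejects the flag later in this same commit), so the next reader has to chase ticket 7630 to find out. I would add above the strcmp: `/* -nokey: create the principal with no key data at all; needs a KDC with keyless-principal support (#7630) and is only accepted by add_principal. */`. The usage text in the same commit advertises `[-randkey|-nokey]` as alternatives, but this parser records both flags independently, so any mutual exclusion has to be enforced by the caller rather than here. kadmin_parse_princ_args begins before this hunk and continues past it.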
@@ -1183,7 +1188,8 @@ kadmin_addprinc(int argc, char *argv[]) princ.attributes = 0; if (kadmin_parse_princ_args(argc, argv, &princ, &mask, &pass, &randkey, - &ks_tuple, &n_ks_tuple, "add_principal")) { + &nokey, &ks_tuple, &n_ks_tuple, + "add_principal")) { kadmin_addprinc_usage(); goto cleanup; } @@ -1214,7 +1220,10 @@ kadmin_addprinc(int argc, char *argv[]) /* Don't send KADM5_POLICY_CLR to the server. */ mask &= ~KADM5_POLICY_CLR; - if (randkey) { + if (nokey) { + pass = NULL; + mask |= KADM5_KEY_DATA; + } else if (randkey) { pass = NULL; } else if (pass == NULL) { unsigned int sz = sizeof(newpw) - 1; @@ -1245,6 +1254,11 @@ kadmin_addprinc(int argc, char *argv[]) retval = create_princ(&princ, mask, n_ks_tuple, ks_tuple, pass); old_style_randkey = 1; } + if (retval == KADM5_BAD_MASK && nokey) { + fprintf(stderr, _("Admin server does not support -nokey while " + "creating \"%s\"\n"), canon); + goto cleanup; + } if (retval) { com_err("add_principal", retval, "while creating \"%s\".", canon); goto cleanup; @@ -1283,7 +1297,7 @@ kadmin_modprinc(int argc, char *argv[]) long mask; krb5_error_code retval; char *pass, *canon = NULL; - krb5_boolean randkey = FALSE; + krb5_boolean randkey = FALSE, nokey = FALSE; int n_ks_tuple = 0; krb5_key_salt_tuple *ks_tuple = NULL; @@ -1316,10 +1330,10 @@ kadmin_modprinc(int argc, char *argv[]) kadm5_free_principal_ent(handle, &oldprinc); retval = kadmin_parse_princ_args(argc, argv, &princ, &mask, - &pass, &randkey, + &pass, &randkey, &nokey, &ks_tuple, &n_ks_tuple, "modify_principal"); - if (retval || ks_tuple != NULL || randkey || pass) { + if (retval || ks_tuple != NULL || randkey || nokey || pass) { kadmin_modprinc_usage(); goto cleanup; } 
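Review bot: The new `if (nokey)` branch in kadmin_addprinc sets `pass = NULL` unconditionally, so `addprinc -nokey -pw secret` or `addprinc -nokey -randkey` silently discards the other option instead of failing, even though the usage text in this same commit presents `[-randkey|-nokey]` as alternatives; unless a check I cannot see earlier in the function already rejects the combination, the exclusion should be enforced before the mask is built. I would refuse a mixed invocation explicitly and print the usage, as below; the KADM5_BAD_MASK fallback further down already gives a clear message for an admin server that predates keyless principals and needs no change. kadmin_addprinc starts before these hunks and continues past them.
```c
    /* … unchanged: mask &= ~KADM5_POLICY_CLR; … */
    /* -nokey cannot be combined with -randkey or -pw: refuse rather than
     * silently dropping a password the operator supplied. */
    if (nokey && (randkey || pass != NULL)) {
        fprintf(stderr, _("add_principal: -nokey is mutually exclusive with "
                          "-randkey and -pw\n"));
        kadmin_addprinc_usage();
        goto cleanup;
    }
    if (nokey) {
    /* … unchanged: pass = NULL; mask |= KADM5_KEY_DATA; and the remaining branches … */
```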
@@ -1801,13 +1815,15 @@ kadmin_purgekeys(int argc, char *argv[]) if (argc == 4 && strcmp(argv[1], "-keepkvno") == 0) { keepkvno = atoi(argv[2]); pname = argv[3]; - } - if (argc == 2) { + } else if (argc == 3 && strcmp(argv[1], "-all") == 0) { + keepkvno = KRB5_INT32_MAX; + pname = argv[2]; + } else if (argc == 2) { pname = argv[1]; } if (pname == NULL) { - fprintf(stderr, _("usage: purgekeys [-keepkvno oldest_kvno_to_keep] " - "principal\n")); + fprintf(stderr, _("usage: purgekeys " + "[-all|-keepkvno oldest_kvno_to_keep] principal\n")); return; } @@ -1830,7 +1846,10 @@ kadmin_purgekeys(int argc, char *argv[]) goto cleanup; } - printf(_("Old keys for principal \"%s\" purged.\n"), canon); + if (keepkvno == KRB5_INT32_MAX) + printf(_("All keys for principal \"%s\" removed.\n"), canon); + else + printf(_("Old keys for principal \"%s\" purged.\n"), canon); cleanup: krb5_free_principal(context, princ); free(canon); |
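Review bot: `purgekeys -all` reuses `KRB5_INT32_MAX` as both the keepkvno sent to the server and the flag that selects the "All keys ... removed" message, so `-keepkvno 2147483647` also prints that message, and — if the server drops only keys whose kvno is below keepkvno, which I cannot confirm from this hunk — a key whose kvno is at or above that value would survive an `-all` request (kvnos are unsigned, keepkvno is an int). A separate `krb5_boolean all = FALSE;` set in the `-all` branch and tested at the printf keeps the UI decision out of the protocol value, and a comment at the assignment, `/* Largest keepkvno the kadm5 API carries; the server is expected to purge every key below it. */`, records the assumption for whoever touches the server side. Since this irreversibly removes every key, the success message might also warn that the principal presumably can no longer authenticate with a password or keytab. kadmin_purgekeys starts before the first hunk and its closing brace lies past the last one.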