summaryrefslogtreecommitdiffstats
path: root/src/kadmin
Commit message (Collapse)AuthorAgeFilesLines
* Fix edge-case bugs in kdb5_util loadGreg Hudson2012-07-312-16/+25
| | | | | | | | | | | * fscanf field widths must be less than the buffer size, not equal to it. * Check for negative values of lengths we're going to allocate. * Eliminate a warning in the comparison of the regexp end offset. * process_r1_8 policy doesn't actually ignore additional values, so get rid of the comment and inequality test suggesting that it does. ticket: 7224 (new)
* Revert an out-of-scope change in policy extensionsGreg Hudson2012-07-311-1/+1
|
* Policy extensions + new policy: allowed ks typesNicolas Williams2012-07-306-85/+314
| | | | | | | | | | | | | | | | | This simply adds KADM5_API_VERSION_4 and various fields to the policy structures: - attributes (policy-ish principal attributes) - max_life (max ticket life) - max_renewable_life (max ticket renewable life) - allowed_keysalts (allowed key/salt types) - TL data (future policy extensions) Of these only allowed_keysalts is currently implemented. Some refactoring of TL data handling is also done. ticket: 7223 (new)
* Fix ugly ladder in src/kadmin/cli/kadmin.cNicolas Williams2012-07-301-144/+112
|
* De-indent process_k5beta6_record()Nicolas Williams2012-07-301-247/+210
|
* Allow using locales when gettext is absentBen Kaduk2012-07-064-0/+4
| | | | | | | | | | | Previously, if configure did not detect dgettext(), we disabled anything that smelled like localization, inadvertently including setlocale(). Now that we use setlocale(LC_ALL, ""), we have localized dates available as well as messages, so we should not disable calls to setlocale() any more. Since the routines from locale.h are only used in a relatively small number of places, just include the header directly in those files and remove it from k5-platform.h.
* Enable all localizations in main functionsBen Kaduk2012-07-065-6/+7
| | | | | | | | | | | | | | | Bite the bullet and pass LC_ALL to setlocale() instead of just LC_MESSAGES. Calls to setlocale() itself were introduced in fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but only for LC_MESSAGES since only localized strings were needed and that was the most conservative option. However, klist, kadmin, and kinit (and perhaps others) would benefit from localized formats for times (i.e., LC_TIME). If potentially localized data is being sent on the wire, that is a bug that should be fixed. No such bugs are found with the current test suite, so we are comfortable enabling LC_ALL at this time. ticket: 7192
* Add krb5_kt_client_default APIGreg Hudson2012-07-022-0/+2
| | | | | | | | | | | | | | | | The default client keytab is intended to be used to automatically acquire initial credentials for client applications. The current hardcoded default is a placeholder, and will likely change before 1.11. Add test framework settings to ensure that a system default client keytab doesn't interfere with tests, and to allow tests to be written to deliberately use the default client keytab. Add documentation about keytabs to the concepts section of the RST docs, and describe the default client keytab there. ticket: 7188 (new)
* Remove orphaned KfM codeGreg Hudson2012-06-211-14/+0
|
* Remove orphaned Apple PKINIT supportGreg Hudson2012-04-261-65/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
* Only store master mey list in DAL handleGreg Hudson2012-03-216-32/+26
| | | | | | | | | | | | | | r24314 (#6778) created a hybrid owernship model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash <will.fiveash@oracle.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
* Remove admin_keytab references in code and docsGreg Hudson2012-03-044-33/+1
| | | | | | | | | The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
* Require IPv6 supportKen Raeburn2012-02-281-2/+0
| | | | | | | | | | | | | | The configure-time options to enable and disable IPv6 support have been deprecated for some time, but the checks for OS support were kept. This removes those checks, and unconditionally compiles in the IPv6 support. There was a configure-time test to see if the macro INET6 needed to be defined in order to enable (visibility of) OS support for IPv6, which was needed on an IRIX system we tested with. That check is retained, but the revised code is untested on IRIX. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25719 dc483132-0cff-0310-8789-dd5450dbe970
* Access controls for string RPCs [CVE-2012-1012]Greg Hudson2012-02-211-8/+11
| | | | | | | | | | | | | | | | | | In the kadmin protocol, make the access controls for get_strings/set_string mirror those of get_principal/modify_principal. Previously, anyone with global list privileges could get or modify string attributes on any principal. The impact of this depends on how generous the kadmind acl is with list permission and whether string attributes are used in a deployment (nothing in the core code uses them yet). CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C ticket: 7093 target_version: 1.10.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
* In kadmin_getprivs replace the non-existing "GET" privilege by "INQUIRE". Zhanna Tsitkov2012-02-151-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25702 dc483132-0cff-0310-8789-dd5450dbe970
* install sphinx-generated manpagesTom Yu2012-01-094-0/+8
| | | | | | | | | | | | | | | | | Install sphinx-generated manpages. Original nroff manpages remain for reference until proofreading is complete. Modify doc/rst_source/conf.py to better deal with shadow manpages -- sphinx will now build k5login.5 instead of .k5login.5, and kadmin.1 instead of both kadmin.1 and kadmin.local.8. Proofreaders should ensure that the original nroff manpages (and associated Makefile rules) are deleted once their reST format equivalents have been proofread. ticket: 7064 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970
* Fix failure interval of 0 in LDAP lockout codeGreg Hudson2011-11-201-2/+3
| | | | | | | | | | | | | | | | A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528. ticket: 7021 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-151-1/+1
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
* Fix month/year units in getdateGreg Hudson2011-11-061-1/+2
| | | | | | | | | | | | | getdate strings like "1 month" or "next year" would fail some of the time, depending on the value of stack garbage, because DSTcorrect() doesn't set *error on success and RelativeMonth() doesn't initialize error. Make DSTcorrect() responsible for setting *error in all cases. ticket: 7003 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25444 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of fake-installGreg Hudson2011-11-043-4/+2
| | | | | | | | | Instead, use $(BUILDTOP)/plugins as the plugin base for tests. For each real plugin module, create a link in the parent directory if we're doing a shared-library build--so built KDB modules can be found in plugins/kdb, preauth modules in plugins/preauth, etc.. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25436 dc483132-0cff-0310-8789-dd5450dbe970
* Exit on error in kadmind kprop childGreg Hudson2011-11-041-2/+2
| | | | | | | | | | | | When we fork from kadmind to dump the database and kprop to an iprop slave, if we encounter an error in the child process we should exit rather than returning to the main loop. ticket: 7000 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25433 dc483132-0cff-0310-8789-dd5450dbe970
* Make reindentTom Yu2011-10-171-1/+1
| | | | | | | Also fix pkinit_crypto_nss.c struct initializers and add parens to a ternary operator in do_as_req.c for better indentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25362 dc483132-0cff-0310-8789-dd5450dbe970
* Allow password changes over NATsGreg Hudson2011-10-151-23/+8
| | | | | | | | | | | | In the kpasswd server code, don't set a remote address in the auth context before calling krb5_rd_priv, since the kpasswd protocol is well-protected against reflection attacks. This allows password changes to work in cases where a NAT has changed the client IP address as it is seen by the server. ticket: 6979 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25356 dc483132-0cff-0310-8789-dd5450dbe970
* make dependTom Yu2011-10-141-7/+8
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25344 dc483132-0cff-0310-8789-dd5450dbe970
* Make dispatch() respond via a callbackGreg Hudson2011-10-031-17/+10
| | | | | | From npmccallum@redhat.com with changes. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25291 dc483132-0cff-0310-8789-dd5450dbe970
* Man page spelling corrections from ville.skytta@iki.fiGreg Hudson2011-10-023-13/+13
| | | | | | ticket: 6968 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25290 dc483132-0cff-0310-8789-dd5450dbe970
* Add kadmin functionality for string attributesGreg Hudson2011-09-217-1/+288
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25215 dc483132-0cff-0310-8789-dd5450dbe970
* Split signal setup into loop_setup_signals()Greg Hudson2011-09-141-1/+13
| | | | | | | In the KDC, set up signals in the worker process child after forking from the monitor process. From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25176 dc483132-0cff-0310-8789-dd5450dbe970
* Fix verto.h dependencies for system libvertoGreg Hudson2011-09-091-53/+51
| | | | | | | | When we have conditionally built bundled source, we need logic in depfix.pl and variables in pre.in to avoid depending on the bundled verto.h in generated dependencies. Add that logic for verto. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25170 dc483132-0cff-0310-8789-dd5450dbe970
* Instead of passing a 0 to add_new_mkey for kvno and leavingKen Raeburn2011-09-051-1/+3
| | | | | | | | | | new_mkey_kvno (used when stashing) uninitialized, use get_next_kvno to set the latter to the only non-zero value that add_new_mkey will accept. ticket: 6617 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25148 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent per krb5-batch-reindent.el.Ken Raeburn2011-09-042-10/+11
| | | | | | | Some minor reformatting added in places to avoid exceeding 80 columns. Used Emacs 22.1 built-in C mode. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25144 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of variables triggering gcc's "defined but not used"Ken Raeburn2011-09-041-4/+0
| | | | | | complaints, almost entirely "rcsid" variables. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25141 dc483132-0cff-0310-8789-dd5450dbe970
* make dependKen Raeburn2011-09-041-37/+41
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25137 dc483132-0cff-0310-8789-dd5450dbe970
* Migrate net-server loop to use libvertoGreg Hudson2011-09-022-100/+33
| | | | | | From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25132 dc483132-0cff-0310-8789-dd5450dbe970
* Remove vestigial reset_db() in kadmindGreg Hudson2011-09-021-34/+1
| | | | | | From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25131 dc483132-0cff-0310-8789-dd5450dbe970
* Remove ancient Purify support in kadmindGreg Hudson2011-09-021-67/+0
| | | | | | From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25130 dc483132-0cff-0310-8789-dd5450dbe970
* Don't bother logging SIGPIPE in kadmindGreg Hudson2011-09-021-19/+2
| | | | | | From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25129 dc483132-0cff-0310-8789-dd5450dbe970
* Add a loop_ prefix to net-server.c functionsGreg Hudson2011-09-021-7/+7
| | | | | | From npmccallum@redhat.com. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25128 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an unused variableEzra Peisach2011-08-191-1/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25104 dc483132-0cff-0310-8789-dd5450dbe970
* Define KRB5_TL_DB_ARGS unconditionally in kdb.hGreg Hudson2011-07-261-1/+0
| | | | | | | | | Due to an apparent merge bug, KRB5_TL_DB_ARGS was defined in a SECURID conditional block, and several source files worked around the problem by defining the constant themselves or defining SECURID. Move the definition and remove the workarounds. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25055 dc483132-0cff-0310-8789-dd5450dbe970
* Fix process list spew in verbose kadmin testsGreg Hudson2011-07-181-2/+2
| | | | | | | Set PS_PID to "ps uwwp" so we display only the process we're trying to point out, and not the whole process table. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25021 dc483132-0cff-0310-8789-dd5450dbe970
* make dependEzra Peisach2011-07-012-1/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25007 dc483132-0cff-0310-8789-dd5450dbe970
* Fix a minor memory leak in kadminGreg Hudson2011-06-231-10/+11
| | | | | | | | | kadmin_getprinc() was using the variable "canon" for two purposes. After r22785, canon wasn't freed between constructions, so the first value was leaked. Fix by using separate variables for separate strings. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24987 dc483132-0cff-0310-8789-dd5450dbe970
* Use AI_ADDRCONFIG for more efficient getaddrinfoGreg Hudson2011-06-231-1/+1
| | | | | | | | | | | | | | | Add AI_ADDRCONFIG to the hint flags for every invocation of getaddrinfo which wasn't already using it. This is often the default behavior when no hints are specified, but we tend to specify hints a lot, so we have to say it ourselves. AI_ADDRCONFIG causes AAAA lookups to be skipped if the system has no public IPv6 interface addresses, usually saving a couple of DNS queries per getaddrinfo call and allowing DNS caching to be much more effective without the need for negative caching. ticket: 6923 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24978 dc483132-0cff-0310-8789-dd5450dbe970
* Handle invalid intervals in lockout-related kadmin parametersGreg Hudson2011-06-101-8/+18
| | | | | | ticket: 6911 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24966 dc483132-0cff-0310-8789-dd5450dbe970
* Set LC_MESSAGES to "C" in tests which run commandsGreg Hudson2011-06-101-0/+3
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24964 dc483132-0cff-0310-8789-dd5450dbe970
* Add setlocale() calls to main functionsGreg Hudson2011-06-104-0/+4
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24963 dc483132-0cff-0310-8789-dd5450dbe970
* Mark up strings for translationGreg Hudson2011-06-1017-684/+737
| | | | | | ticket: 6918 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
* Document the lockout-related options in kadmin (modprinc -unlock andGreg Hudson2011-05-161-0/+21
| | | | | | | | | | addpol/modpol -maxfailure, -failurecountinterval, and -lockoutduration), in the man page and in admin.texinfo. Based on text submitted by shawn.emery@oracle.com. ticket: 6910 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24932 dc483132-0cff-0310-8789-dd5450dbe970
* In kadmin, try using get_date() for lockout-related duration inputs toGreg Hudson2011-05-161-6/+17
| | | | | | | | | | | modpol and addpol, but still allow bare numbers of seconds since that's what we took in 1.8 and 1.9. Use strdur() to display lockout-related durations in getpol. Reported by shawn.emery@oracle.com. ticket: 6911 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24931 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-01-07 09:57:47 +0000