summaryrefslogtreecommitdiffstats
path: root/src/kadmin
Commit message (Collapse)AuthorAgeFilesLines
* krb5_get_error_message cannot return NULL, and returns "Success" onGreg Hudson2010-11-011-24/+4
| | | | | | error code 0. Simplify some overly paranoid code accordingly. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24489 dc483132-0cff-0310-8789-dd5450dbe970
* FILE keytabs have been able to handle write operations since krb5 1.7,Greg Hudson2010-10-261-9/+0
| | | | | | | | | | as an apparently unintended side effect of r20594. Clean up the code by combining the identical resolve functions for FILE and WRFILE, and removing the code to set up a WRFILE default keytab name in kadmin.c. Also fixes a slight display bug; k5test.py needs to be adjusted to expect the correct output. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24487 dc483132-0cff-0310-8789-dd5450dbe970
* Declare kadmin_purgekeysKen Raeburn2010-10-231-0/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24475 dc483132-0cff-0310-8789-dd5450dbe970
* Add a kadm5 RPC for purging old keys from the KDB (e.g., fromTom Yu2010-10-086-9/+128
| | | | | | | | | | | | | | | change_password -keepold), and add a kadmin CLI command for it. Keeping ticket open because an automated test needs to be added. Long-term future work includes start/expire dates on keys, or not-yet-valid flags. ticket: 1219 status: open target_version: 1.9 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
* Propagate modprinc -unlock from master to slave KDCsGreg Hudson2010-10-051-26/+52
| | | | | | | | | | | | Create a new tl-data type to hold the time of the last administrative unlock, and factor it into decisions about account lockout. Since tl-data values are propagated from master to slave, this will cause modprinc -unlock operations to reach slave KDCs on the next propagation. ticket: 6795 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24424 dc483132-0cff-0310-8789-dd5450dbe970
* KDC worker processes featureGreg Hudson2010-09-171-1/+1
| | | | | | | | | | Add support for a krb5kdc -w option which causes the KDC to spawn worker processes which can process requests in parallel. See also: http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC ticket: 6783 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24328 dc483132-0cff-0310-8789-dd5450dbe970
* kdb: store mkey list in context and permit NULL mkey for ↵Sam Hartman2010-09-151-6/+0
| | | | | | | | | | | | | | | | | | | | | | | | kdb_dbe_decrypt_key_data Previously, code needed to run a loop to find the current master key, possibly fetch a new master key list and try finding the master key again around each key decryption. This was not universally done; there are cases where only the current master key was used. In addition, the correct ideom for decrypting key data is too complicated and is potentially unavailable to plugins that do not have access to the master key. Instead, store the master key list in the dal_handle whenever it is fetched and permit a NULL master key for krb5_dbe_decrypt_key_data. * Remove APIs for krb5_db_{get|set}_mkey_list * krb5_db_fetch_mkey_list: memoize master key list in dal_handle * krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later * krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument * change call sites to take advantage ticket: 6778 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24314 dc483132-0cff-0310-8789-dd5450dbe970
* Make dependGreg Hudson2010-09-084-49/+56
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24298 dc483132-0cff-0310-8789-dd5450dbe970
* Remove count parameters from get_principal, put_principal,Greg Hudson2010-07-065-253/+158
| | | | | | | | | | | free_principal, delete_principal, and get_policy. Make get_principal allocate the DB entry container. Fold krb5_db_get_principal_ext into krb5_db_get_principal. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24175 dc483132-0cff-0310-8789-dd5450dbe970
* Remove verify_master_key from the DAL table, as well as its associatedGreg Hudson2010-07-022-14/+5
| | | | | | | | | | | libkdb5 interface. Callers can (and mostly already do) use krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create, tests/verify, and kdb5_util dump to do so. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24166 dc483132-0cff-0310-8789-dd5450dbe970
* Rename krb5_dbekd_encrypt_key_data and krb5_dbekd_decrypt_key_data toGreg Hudson2010-07-023-31/+22
| | | | | | | | | just use the krb5_dbe prefix. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24164 dc483132-0cff-0310-8789-dd5450dbe970
* Remove the set_master_key and get_master_key DAL interfaces and theirGreg Hudson2010-07-022-8/+2
| | | | | | | | | | | | corresponding libkdb5 APIs, as they were not productively used. In kdb5_ldap_util, stop using the realm data's mkey field as a container to communicate the master key to static helper functions, since the field no longer exists. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24162 dc483132-0cff-0310-8789-dd5450dbe970
* Make kadmin work over IPv6Greg Hudson2010-06-261-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Make gssrpc work over IPv6 TCP sockets provided that the client creates and connects/binds the sockets and doesn't query their addresses or use bindresvport(). Make kadmin work within those constraints and handle IPv6. Specific changes: * Make svctcp_create() able to extract the port from an IPv6 socket, using a new helper function getport(). * Make clnttcp_create() handle a null raddr value if *sockp is set. * Make kadm5_get_service_name() use getaddrinfo() to canonicalize the admin server name. * Make libkadm5clnt's init_any() responsible for connecting its socket using a new helper function connect_to_server(), which uses getaddrinfo instead of gethostbyname. Pass a null address to clnttcp_create(). * Make libapputil's net-server.c set up IPv6 as well as IPv4 listener ports for RPC connections. * Adjust the error code expected in a libkadm5 unit test. ticket: 6746 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24147 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some dead code in kdb5_stash() left behind by r24142Greg Hudson2010-06-221-9/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24144 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate a bunch of duplicated code in kdb5_stash() by usingGreg Hudson2010-06-211-41/+3
| | | | | | util_context. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24142 dc483132-0cff-0310-8789-dd5450dbe970
* kdb5_stash() contains its own kdb5_db_open() call (because it doesn'tGreg Hudson2010-06-211-1/+1
| | | | | | | | | | | | | use util_context for some reason), which didn't work with the LDAP back end because LDAP doesn't recognize KRB5_KDB_SRV_TYPE_OTHER. As a minimal fix, change that to KRB5_KDB_SRV_TYPE_ADMIN to be consistent with open_db_and_mkey()--see also r18736. ticket: 6345 target_version: 1.8.3 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24141 dc483132-0cff-0310-8789-dd5450dbe970
* kadmin ktadd may display wrong name of default keytabGreg Hudson2010-06-082-4/+7
| | | | | | | | | | | | | | kadmin's ktadd (and ktrem) displays WRFILE:/etc/krb5.keytab whenever it uses the default keytab, even if the default has been overridden (e.g. by KRB5_KTNAME). Use krb5_kt_get_name to get the correct name of the default cache instead of displaying the string we think was used to open it. ticket: 6740 target_version: 1.8.2 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24123 dc483132-0cff-0310-8789-dd5450dbe970
* When we display enctypes, display the input name rather than theGreg Hudson2010-06-085-8/+9
| | | | | | | | | description. Affects klist -e, kdb5_util list_mkeys, kdb5_util stash (error message), kadmin getprinc, kadmin ktadd, and ktutil list -e. ticket: 5014 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24122 dc483132-0cff-0310-8789-dd5450dbe970
* make dependGreg Hudson2010-06-074-77/+87
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24119 dc483132-0cff-0310-8789-dd5450dbe970
* Remove a non-functional and unnecessary check in kdb5_util'sGreg Hudson2010-05-211-2/+0
| | | | | | | master_key_convert(). (key_data->key_data_length is an array, so its address is never null.) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24085 dc483132-0cff-0310-8789-dd5450dbe970
* Fix an error case in kdb_util's dump.c where the dump file handle wasGreg Hudson2010-05-211-0/+1
| | | | | | leaked. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24084 dc483132-0cff-0310-8789-dd5450dbe970
* Remove an unneeded conditional in the cleanup for kadmin's keytabGreg Hudson2010-05-211-5/+3
| | | | | | add_principal(), squashing a false-positive memory leak from Coverity. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24083 dc483132-0cff-0310-8789-dd5450dbe970
* In getdate.y, remove an error check from r19656 which couldn't everGreg Hudson2010-05-211-2/+0
| | | | | | trigger (Convert() does not use an error parameter). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24082 dc483132-0cff-0310-8789-dd5450dbe970
* Use ANSI-style function definitions in our copy of getdate.yGreg Hudson2010-05-211-37/+11
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24081 dc483132-0cff-0310-8789-dd5450dbe970
* Get rid of some kdb5_util load code which is no longer useful afterGreg Hudson2010-05-041-32/+1
| | | | | | the introduction of the DAL. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23971 dc483132-0cff-0310-8789-dd5450dbe970
* Remove some unused format string definitions from kdb5_util's dump.cGreg Hudson2010-05-041-14/+0
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23970 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate some uses of variables as format strings. Based on a patchGreg Hudson2010-05-031-1/+1
| | | | | | | | from Guillaume Rousse <Guillaume.Rousse@inria.fr>. ticket: 6714 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23963 dc483132-0cff-0310-8789-dd5450dbe970
* Eliminate the use of variables for format strings in kdb5_util. ManyGreg Hudson2010-05-038-140/+8
| | | | | | | | | | | were unused, and localization will probably be done through _() macros, not collecting all the strings together. Elminates a number of format-security static analysis defects. ticket: 6714 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23962 dc483132-0cff-0310-8789-dd5450dbe970
* Always pass -W option to kdb5_util create in testingKen Raeburn2010-03-271-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23838 dc483132-0cff-0310-8789-dd5450dbe970
* Merge users/raeburn/branches/network-mergeKen Raeburn2010-03-177-2147/+146
| | | | | | | | | | Re-integrates the forked versions of network.c in kdc and kadmin/server. Server-specific initialization and SIGHUP-reset code is moved into other source files; the more generic network-servicing code is merged and moved into apputils library already used by both programs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
* Fix minor error-handling bug in r23676Greg Hudson2010-01-311-1/+1
| | | | | | ticket: 6650 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23679 dc483132-0cff-0310-8789-dd5450dbe970
* Handle migration from pre-1.7 databases with master key kvno != 1Greg Hudson2010-01-281-2/+8
| | | | | | | | | | | | | | | | | | | | krb5_dbe_lookup_mkvno assumes an mkvno of 1 for entries with no explicit tl_data. We've seen at least one pre-1.7 KDB with a master kvno of 0, violating this assumption. Fix this as follows: * krb5_dbe_lookup_mkvno outputs 0 instead of 1 if no tl_data exists. * A new function krb5_dbe_get_mkvno translates this 0 value to the minimum version number in the mkey_list. (krb5_dbe_lookup_mkvno cannot do this as it doesn't take the mkey_list as a parameter.) * Call sites to krb5_dbe_lookup_mkvno are converted to krb5_dbe_get_mkvno, except for an LDAP case where it is acceptable to store 0 if the mkvno is unknown. ticket: 6650 target_version: 1.7.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23676 dc483132-0cff-0310-8789-dd5450dbe970
* disable weak crypto by defaultTom Yu2010-01-051-1/+0
| | | | | | | | | Set allow_weak_crypto=false by default. Set default master key enctype to sha256. Adjust test suite to compensate. ticket: 6621 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23586 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous documentationSam Hartman2010-01-041-1/+20
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23583 dc483132-0cff-0310-8789-dd5450dbe970
* Initialize variables in case of error path winds up freeing stack garbageEzra Peisach2010-01-031-2/+2
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23571 dc483132-0cff-0310-8789-dd5450dbe970
* Some unsigned/signed warning cleanupEzra Peisach2010-01-032-2/+4
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23568 dc483132-0cff-0310-8789-dd5450dbe970
* Unsigned/signed cleanupEzra Peisach2010-01-011-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23561 dc483132-0cff-0310-8789-dd5450dbe970
* Add a new -P option to krb5kdc and kadmind which, if given, specifiesRuss Allbery2010-01-012-0/+59
| | | | | | | | | the path to which to write the PID file of the daemon after it finishes initializing. Ticket: 6618 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23560 dc483132-0cff-0310-8789-dd5450dbe970
* Fix spelling and hyphen errors in man pagesRuss Allbery2009-12-311-3/+3
| | | | | | | | | | | Fix spelling errors in man pages detected by Debian's Lintian program. Also escape some -'s that are intended to be literal ASCII dashes and not Unicode hyphens so that groff won't change them into true hyphens. ticket: 6616 component: krb5-doc git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23554 dc483132-0cff-0310-8789-dd5450dbe970
* Whitespace fixes for new anonymous supportGreg Hudson2009-12-281-7/+8
| | | | | | ticket: 6607 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23528 dc483132-0cff-0310-8789-dd5450dbe970
* Anonymous support for KerberosSam Hartman2009-12-281-4/+15
| | | | | | | | | | | | | | | | | | | | | | This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
* Reformat new commentsKen Raeburn2009-12-031-14/+20
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23441 dc483132-0cff-0310-8789-dd5450dbe970
* fix slow behavior on Mac OS X with link-local addressesKen Raeburn2009-12-031-10/+48
| | | | | | | | | | | | | | | | | | | | | | | | | When using my previous patch, if a local hostname like "foobar.local" is looked up, you may get back a link-local IPv6 address. However, the KDC seems to be unable to respond from that address, resulting in a ~1s delay for each KDC exchange while waiting for the client to fail over to another address (in my case, another IPv6 address). Create a new object for holding whatever auxiliary information might be needed to properly transmit the response to the client. Currently, that only means the interface index number under IPv6. Fill it in on receipt, always; copy it back to the pktinfo structure when transmitting, ONLY if the local source address is link-local. If an error occurs while transmitting the reply, print both the remote destination address and the local source address. Use getnameinfo instead of inet_ntop. Apply the same changes to kadmind, to keep the versions of network.c more or less in sync. ticket: 6591 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23440 dc483132-0cff-0310-8789-dd5450dbe970
* allow testing even if name->addr->name mapping doesn't workKen Raeburn2009-12-032-5/+4
| | | | | | | | | | | | | | | Many of the tests are set up to fail if the local hostname can't be mapped to an address and back to a name again. If the name results in an address, and we can get a fully-qualified name or something that looks like it, though, we should be able to just go ahead and run some tests. This is also closer to the current behavior of sname_to_principal when reverse DNS is enabled. ticket: 6590 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23439 dc483132-0cff-0310-8789-dd5450dbe970
* Consolidate Makefile variables now that we have only a single globalGreg Hudson2009-11-2214-289/+276
| | | | | | | | | | | | | configure script: $(SRCTOP) --> $(top_srcdir) $(srcdir)/$(thisconfigdir) --> $(top_srcdir) $(thisconfigdir) --> $(BUILDTOP) $(myfulldir) --> $(mydir) ticket: 6583 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23308 dc483132-0cff-0310-8789-dd5450dbe970
* Use "unsigned short" instead of "u_short" in argument to SET macro;Ken Raeburn2009-11-041-8/+13
| | | | | | | | | the Emacs cc-mode indentation code seems to get confused by the one-word case. Reindent. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23129 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent and manually restore some BSD-style files that wereTom Yu2009-11-043-1/+4
| | | | | | previously incorrectly marked as krb5-style. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23126 dc483132-0cff-0310-8789-dd5450dbe970
* Reindent after making fixes for emacs-23Tom Yu2009-11-034-8/+8
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23123 dc483132-0cff-0310-8789-dd5450dbe970
* make mark-cstyleTom Yu2009-10-3133-8481/+8492
| | | | | | make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
* Fix printf argument type mismatches related to pw_max_fail inGreg Hudson2009-10-261-4/+5
| | | | | | kadmin.c. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23044 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-03-04 09:45:35 +0000