krb5.git/src/lib/kadm5, branch gss_cs MIT Kerberos patches Fix uninitialized warning in client_init.c 2013-12-21T15:08:06+00:00 Greg Hudson ghudson@mit.edu 2013-12-21T15:08:06+00:00 815565f918f2c64c59561dbe37efc251ddb67c22 ticket: 7800 
ticket: 7800
Allow realm in kadm5_init service names 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T18:33:33+00:00 5341cfde2b3e607e294bb0d057dc3540172a8b1b Previously, if you passed a service name with a realm part to a kadm5_init function, you would get a KRB5_PARSE_MALFORMED error because the code would internally append its own '@realm' suffix before parsing the name. Fix this as follows: Change gic_iter so instead of producing a full service name, it produces a krb5_principal which is taken from the cred it acquires. Pass the client and full service name around as principals, rather than strings, and use the gss_nt_krb5_principal name type to import them in setup_gss(). Don't append a realm to the input service name; instead, pass the input service name directly to the gic functions (which do not need a realm in the service name and will ignore the realm if one is present). For the INIT_CREDS case, parse the input service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the realm. ticket: 7800 
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name.  Fix this as follows:

Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss().  Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present).  For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.

ticket: 7800
Simplify libkadm5 client realm initialization 2013-12-21T05:06:22+00:00 Greg Hudson ghudson@mit.edu 2013-12-19T17:22:47+00:00 33b06596be92f7d8458ac6b136f092e235dec834 The "realm" variable in init_any is used only to fill in the realm of the service principal in gic_iter(). The service principal realm should always be the realm we looked up config parameters for, so we can supply that realm to get_init_creds() unconditionally and eliminate the case where we use the client principal realm. Also get rid of an outdated comment and an #if 0 block we will never need again, and use SNPRINTF_OVERFLOW to check the snprintf result. 
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter().  The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.

Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
Avoid deprecated krb5_get_in_tkt_with_keytab 2013-11-04T18:51:14+00:00 Ben Kaduk kaduk@mit.edu 2012-07-10T14:14:52+00:00 29dee7d2cece615bec4616fa9b727e77210051db The kprop code has been pretty unloved, and uses some routines that are marked as deprecated (which show up as warnings in the build log). Use the documented replacement for krb5_get_in_tkt_with_keytab, krb5_get_init_creds_keytab, instead. As a bonus, there is no longer a side effect of a credentials cache that needs to be destroyed. The also-deprecated function krb5_get_in_tkt_with_skey was backending to it when no keyblock was passed in; we can unroll the call to krb5_get_init_creds_keytab ourselves as the documented workaround. While here, improve style compliance with regards to cleanup. The setkey test just wants to know whether it can use the key it just put into a keytab to get credentials; as such the recommended krb5_get_init_creds_keytab is quite sufficient. While here, use that interface to request the particular enctype as well, reducing the scope of an XXX comment. ticket: 6366 
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.

ticket: 6366
Don't cache active master key list in kadmind 2013-10-25T15:36:11+00:00 Greg Hudson ghudson@mit.edu 2013-10-23T22:56:20+00:00 74c1420ea4dffc1105247e362decf608440751ae "kdb5_util use_mkey" should not require a kadmind restart to take effect. At the cost of fetching the K/M principal once for each key change operation, make kadmind use the current active master key list for each operation. ticket: 7685 target_version: 1.12 tags: pullup 
"kdb5_util use_mkey" should not require a kadmind restart to take
effect.  At the cost of fetching the K/M principal once for each key
change operation, make kadmind use the current active master key list
for each operation.

ticket: 7685
target_version: 1.12
tags: pullup
Add kadmin support for principals without keys 2013-07-15T16:31:38+00:00 Greg Hudson ghudson@mit.edu 2013-07-09T14:58:49+00:00 57d0b4b300e43722ae9f080fbf132edeb3834323 Add kadmin support for "addprinc -nokey", which creates a principal with no keys, and "purgekeys -all", which deletes all keys from a principal. The KDC was modified by #7630 to support principals without keys. ticket: 7679 (new) 
Add kadmin support for "addprinc -nokey", which creates a principal
with no keys, and "purgekeys -all", which deletes all keys from a
principal.  The KDC was modified by #7630 to support principals
without keys.

ticket: 7679 (new)
Avoid allocating zero key_data structures 2013-07-15T16:20:26+00:00 Greg Hudson ghudson@mit.edu 2013-07-15T16:20:26+00:00 d9457b501cbab535e5968dbdf195ca334b9fa555 When we allocate space for an array of key_data structures, make sure we allocate at least one, so we don't spuriously fail on platforms where malloc(0) returns NULL. Where we use malloc, use k5calloc instead. Where we use krb5_db_alloc or realloc, just allocate an extra entry. 
When we allocate space for an array of key_data structures, make sure
we allocate at least one, so we don't spuriously fail on platforms
where malloc(0) returns NULL.  Where we use malloc, use k5calloc
instead.  Where we use krb5_db_alloc or realloc, just allocate an
extra entry.
Use k5calloc instead of k5alloc where appropriate 2013-07-12T00:39:51+00:00 Greg Hudson ghudson@mit.edu 2013-07-12T00:39:51+00:00 443ce5fef316e3dc324fe84557a06b069dbe33f9 Wherever we use k5alloc with a multiplication in the size parameter,, use the new k5calloc helper function instead. 
Wherever we use k5alloc with a multiplication in the size parameter,,
use the new k5calloc helper function instead.
Fix various warnings 2013-06-07T19:19:37+00:00 Greg Hudson ghudson@mit.edu 2013-06-07T19:17:31+00:00 e51c089b745161dd6e1d64998e99d065fc22377e 






Make empty passwords work via init_creds APIs
2013-05-27T16:49:34+00:00

Greg Hudson
ghudson@mit.edu

2013-05-23T19:33:58+00:00

f3458ed803ae97b6c6c7c63baeb82b26c4943d4c

In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password.  This allows empty passwords to work via
the API.

Remove the kadm5 test which explicitly uses an empty password.

Based on a patch from Stef Walter.

ticket: 7642





In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password.  This allows empty passwords to work via
the API.

Remove the kadm5 test which explicitly uses an empty password.

Based on a patch from Stef Walter.

ticket: 7642