summaryrefslogtreecommitdiffstats
path: root/src/kadmin/server
diff options
context:
space:
mode:
authorTheodore Tso <tytso@mit.edu>1992-09-29 14:51:34 +0000
committerTheodore Tso <tytso@mit.edu>1992-09-29 14:51:34 +0000
commitd4e95b17ce5d033759cb529f0cada608982ef5c8 (patch)
tree0182c5c657e0df883466a0aa593788829919b39b /src/kadmin/server
parentd96ae575ff8eef11fe1dfb3bffdede9d31cb5e57 (diff)
downloadkrb5-d4e95b17ce5d033759cb529f0cada608982ef5c8.tar.gz
krb5-d4e95b17ce5d033759cb529f0cada608982ef5c8.tar.xz
krb5-d4e95b17ce5d033759cb529f0cada608982ef5c8.zip
*** empty log message ***
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2444 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/server')
-rw-r--r--src/kadmin/server/Imakefile58
-rw-r--r--src/kadmin/server/adm_adm_func.c873
-rw-r--r--src/kadmin/server/adm_check.c144
-rw-r--r--src/kadmin/server/adm_extern.c65
-rw-r--r--src/kadmin/server/adm_extern.h82
-rw-r--r--src/kadmin/server/adm_fmt_inq.c218
-rw-r--r--src/kadmin/server/adm_funcs.c599
-rw-r--r--src/kadmin/server/adm_kadmin.c371
-rw-r--r--src/kadmin/server/adm_kpasswd.c122
-rw-r--r--src/kadmin/server/adm_listen.c164
-rw-r--r--src/kadmin/server/adm_nego.c339
-rw-r--r--src/kadmin/server/adm_network.c286
-rw-r--r--src/kadmin/server/adm_parse.c270
-rw-r--r--src/kadmin/server/adm_process.c454
-rw-r--r--src/kadmin/server/adm_server.c480
-rw-r--r--src/kadmin/server/adm_server.h43
-rw-r--r--src/kadmin/server/adm_v4_pwd.c437
-rw-r--r--src/kadmin/server/kadmind.M0
18 files changed, 5005 insertions, 0 deletions
diff --git a/src/kadmin/server/Imakefile b/src/kadmin/server/Imakefile
new file mode 100644
index 000000000..24d646528
--- /dev/null
+++ b/src/kadmin/server/Imakefile
@@ -0,0 +1,58 @@
+# $Source$
+# $Author$
+# $Header$
+#
+# Copyright 1989 by the Massachusetts Institute of Technology.
+#
+# For copying and distribution information,
+# please see the file <mit-copyright.h>.
+#
+# Imakefile for Kerberos admin server library.
+
+#ifdef Krb4KDCCompat
+K4LIB=-l$(KRB425LIB) -l$(DES425LIB)
+#else
+K4LIB=
+#endif
+
+SRCS = \
+ adm_server.c \
+ adm_parse.c \
+ adm_network.c \
+ adm_listen.c \
+ adm_process.c \
+ adm_nego.c \
+ adm_kpasswd.c \
+ adm_kadmin.c \
+ adm_fmt_inq.c \
+ adm_adm_func.c \
+ adm_funcs.c \
+ adm_check.c \
+ adm_extern.c
+
+OBJS = \
+ adm_server.o \
+ adm_parse.o \
+ adm_network.o \
+ adm_listen.o \
+ adm_process.o \
+ adm_nego.o \
+ adm_kpasswd.o \
+ adm_kadmin.o \
+ adm_fmt_inq.o \
+ adm_adm_func.o \
+ adm_funcs.o \
+ adm_check.o \
+ adm_extern.o
+
+ErrorTableObjectRule()
+
+all:: kadmind
+
+NormalProgramTarget(kadmind,$(OBJS),$(KDBDEPLIB) $(DEPKLIB), \
+ $(KDBLIB) $(K4LIB) $(KLIB) ,)
+Krb5InstallServerProgram(kadmind)
+
+clean::
+
+DependTarget()
diff --git a/src/kadmin/server/adm_adm_func.c b/src/kadmin/server/adm_adm_func.c
new file mode 100644
index 000000000..f694741e4
--- /dev/null
+++ b/src/kadmin/server/adm_adm_func.c
@@ -0,0 +1,873 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * Modify the Kerberos Database
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_adm_func[] =
+ "$Id$";
+#endif /* !lint & !SABER */
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <com_err.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/kdb.h>
+#include <krb5/kdb_dbm.h>
+
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+#ifdef SANDIA
+extern int classification;
+#endif
+
+krb5_error_code
+ adm_build_key (newprinc, client_creds, new_passwd, oper_type, entry)
+krb5_principal newprinc;
+krb5_ticket *client_creds;
+char *new_passwd;
+int oper_type;
+krb5_db_entry entry;
+{
+ krb5_data outbuf;
+ int retval;
+#if defined(MACH_PASS) || defined(SANDIA)
+ char *tmp_phrase;
+ char *tmp_passwd;
+ int pwd_length, phrase_length;
+#endif
+
+#if defined(MACH_PASS) || defined(SANDIA)
+
+ if ((tmp_passwd = (char *) calloc (1, 120)) == (char *) 0) {
+ com_err("adm_build_key", ENOMEM, "for tmp_passwd");
+ return(3); /* No Memory */
+ }
+
+ if ((tmp_phrase = (char *) calloc (1, 120)) == (char *) 0) {
+ free(tmp_passwd);
+ com_err("adm_build_key", ENOMEM, "for tmp_phrase");
+ return(3); /* No Memory */
+ }
+
+ if (retval = get_pwd_and_phrase("adm_build_key", &tmp_passwd,
+ &tmp_phrase)) {
+ free(tmp_passwd);
+ free(tmp_phrase);
+ return(4); /* Unable to get Password */
+ }
+
+ if ((outbuf.data = (char *) calloc (1, strlen(tmp_passwd) + 1)) ==
+ (char *) 0) {
+ com_err("adm_build_key", ENOMEM, "for outbuf.data");
+ free(tmp_passwd);
+ free(tmp_phrase);
+ return(3); /* No Memory */
+ }
+
+ outbuf.length = strlen(tmp_passwd);
+ (void) memcpy(outbuf.data, tmp_passwd, strlen(tmp_passwd));
+
+#else
+
+ if ((outbuf.data = (char *) calloc (1, 3)) ==
+ (char *) 0) {
+ com_err("adm_build_key", ENOMEM, "for outbuf.data");
+ return(3); /* No Memory */
+ }
+
+ outbuf.data[0] = KADMIN;
+ outbuf.data[1] = oper_type;
+ outbuf.data[2] = KADMGOOD;
+ outbuf.length = 3;
+
+ if (oper_type == CHGOPER || oper_type == CH4OPER) {
+ outbuf.data[3] = entry.salt_type;
+ outbuf.length = 4;
+ }
+
+#endif
+
+ /* Encrypt Password and Phrase */
+ if (retval = krb5_mk_priv(&outbuf,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ com_err("adm_build_key", retval, "during mk_priv");
+#if defined(MACH_PASS) || defined(SANDIA)
+ free(tmp_passwd);
+ free(tmp_phrase);
+#endif
+ free(outbuf.data);
+ return(5); /* Protocol Failure */
+ }
+
+#if defined(MACH_PASS) || defined(SANDIA)
+ (void) memcpy(new_passwd, tmp_passwd, strlen(tmp_passwd));
+ new_passwd[strlen(tmp_passwd)] = '\0';
+
+ free(tmp_phrase);
+ free(tmp_passwd);
+#endif
+ free(outbuf.data);
+
+ /* Send private message to Client */
+ if (krb5_write_message(&client_server_info.client_socket, &msg_data)){
+ com_err("adm_build_key", 0, "Error Performing Password Write");
+ return(5); /* Protocol Failure */
+ }
+
+ free(msg_data.data);
+
+ /* Read Client Response */
+ if (krb5_read_message(&client_server_info.client_socket, &inbuf)){
+ syslog(LOG_ERR | LOG_INFO, "Error Performing Password Read");
+ return(5); /* Protocol Failure */
+ }
+
+ /* Decrypt Client Response */
+ if (retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ recv_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ syslog(LOG_ERR | LOG_INFO, "adm_build_key krb5_rd_priv error");
+ free(inbuf.data);
+ return(5); /* Protocol Failure */
+ }
+ free(inbuf.data);
+
+#if !defined(MACH_PASS) && !defined(SANDIA)
+ memcpy(new_passwd, msg_data.data, msg_data.length);
+#endif
+
+ free(msg_data.data);
+ return(0);
+}
+
+/* kadmin change password request */
+krb5_error_code
+ adm_change_pwd(prog, customer_name, client_creds, salttype)
+char *prog;
+char *customer_name;
+krb5_ticket *client_creds;
+int salttype;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+
+ krb5_error_code retval;
+ krb5_principal newprinc;
+ char *composite_name;
+ char *new_passwd;
+ int oper_type;
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Password Change Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ syslog(LOG_ERR | LOG_INFO, "parse failure while parsing '%s'",
+ customer_name);
+ return(5); /* Protocol Failure */
+ }
+
+ if (!(adm_princ_exists("adm_change_pwd", newprinc,
+ &entry, &nprincs))) {
+ com_err("adm_change_pwd", 0, "Principal does not exist!");
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(1); /* Principal Unknown */
+ }
+
+ if ((new_passwd = (char *) calloc (1, ADM_MAX_PW_LENGTH+1)) == (char *) 0) {
+ com_err("adm_change_pwd", ENOMEM, "while allocating new_passwd!");
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(3); /* No Memory */
+ }
+
+ oper_type = (salttype == KRB5_KDB_SALTTYPE_NORMAL) ? CHGOPER : CH4OPER;
+
+ if (retval = adm_build_key(newprinc,
+ client_creds,
+ new_passwd,
+ oper_type,
+ entry)) {
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ free(new_passwd);
+ return(retval);
+ }
+
+ retval = krb5_unparse_name(newprinc, &composite_name);
+
+ entry.salt_type = (krb5_int32) salttype;
+
+ if (retval = adm_enter_pwd_key("adm_change_pwd",
+ composite_name,
+ newprinc,
+ newprinc,
+ 1, /* chg_entry */
+ salttype,
+ new_passwd,
+ &entry)) retval = 8;
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ free(composite_name);
+
+ (void) memset(new_passwd, 0, strlen(new_passwd));
+ free(new_passwd);
+ return(0);
+}
+
+/* kadmin add new random key function */
+krb5_error_code
+ adm_change_pwd_rnd(cmdname, customer_name, client_creds)
+char *cmdname;
+char *customer_name;
+krb5_ticket *client_creds;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+ krb5_error_code retval;
+ krb5_principal newprinc;
+
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Addition Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ com_err("adm_change_pwd_rnd", retval, "while parsing '%s'", customer_name);
+ return(5); /* Protocol Failure */
+ }
+#ifdef SANDIA
+ if (!(newprinc[2])) {
+ if (retval = check_security(newprinc, classification)) {
+ krb5_free_principal(newprinc);
+ syslog(LOG_ERR, "Principal (%s) - Incorrect Classification level",
+ customer_name);
+ return(6);
+ }
+ }
+#endif
+ if (!(adm_princ_exists("adm_change_pwd_rnd", newprinc,
+ &entry, &nprincs))) {
+ com_err("adm_change_pwd_rnd", 0, "Principal does not exist!");
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(1); /* Principal Unknown */
+ }
+
+ if (retval = adm_enter_rnd_pwd_key("adm_change_pwd_rnd",
+ newprinc,
+ 1, /* change existing entry */
+ &entry))
+ retval = 8;
+
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(retval);
+}
+
+/* kadmin add new key function */
+krb5_error_code
+ adm_add_new_key(cmdname, customer_name, client_creds, salttype)
+char *cmdname;
+char *customer_name;
+krb5_ticket *client_creds;
+int salttype;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+
+ krb5_error_code retval;
+ krb5_principal newprinc;
+ char *new_passwd;
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Addition Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ com_err("adm_add_new_key", retval, "while parsing '%s'", customer_name);
+ return(5); /* Protocol Failure */
+ }
+#ifdef SANDIA
+ if (!(newprinc[2])) {
+ if (retval = check_security(newprinc, classification)) {
+ krb5_free_principal(newprinc);
+ syslog(LOG_ERR, "Principal (%s) - Incorrect Classification level",
+ customer_name);
+ return(6);
+ }
+ }
+#endif
+ if (adm_princ_exists("adm_add_new_key", newprinc, &entry, &nprincs)) {
+ com_err("adm_add_new_key", 0,
+ "principal '%s' already exists", customer_name);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(2); /* Principal Already Exists */
+ }
+
+ if ((new_passwd = (char *) calloc (1, 255)) == (char *) 0) {
+ com_err("adm_add_new_key", ENOMEM, "for new_passwd");
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(3); /* No Memory */
+ }
+
+ if (retval = adm_build_key(newprinc,
+ client_creds,
+ new_passwd,
+ ADDOPER,
+ entry)) {
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ free(new_passwd);
+ return(retval);
+ }
+
+ if (retval = adm_enter_pwd_key( "adm_add_new_key",
+ customer_name,
+ newprinc,
+ newprinc,
+ 0, /* new_entry */
+ salttype,
+ new_passwd,
+ &entry))
+ retval = 8;
+ (void) memset(new_passwd, 0, strlen(new_passwd));
+ free(new_passwd);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(retval);
+}
+
+/* kadmin add new random key function */
+krb5_error_code
+ adm_add_new_key_rnd(cmdname, customer_name, client_creds)
+char *cmdname;
+char *customer_name;
+krb5_ticket *client_creds;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+ krb5_error_code retval;
+ krb5_principal newprinc;
+
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Addition Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ com_err("adm_add_new_key_rnd", retval, "while parsing '%s'", customer_name);
+ return(5); /* Protocol Failure */
+ }
+#ifdef SANDIA
+ if (!(newprinc[2])) {
+ if (retval = check_security(newprinc, classification)) {
+ krb5_free_principal(newprinc);
+ syslog(LOG_ERR, "Principal (%s) - Incorrect Classification level",
+ customer_name);
+ return(6);
+ }
+ }
+#endif
+ if (adm_princ_exists("adm_add_new_key_rnd", newprinc, &entry, &nprincs)) {
+ com_err("adm_add_new_key_rnd", 0,
+ "principal '%s' already exists", customer_name);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(2); /* Principal Already Exists */
+ }
+
+ if (retval = adm_enter_rnd_pwd_key("adm_add_new_key_rnd",
+ newprinc,
+ 0, /* new entry */
+ &entry))
+ retval = 8;
+
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(retval);
+}
+
+/* kadmin delete old key function */
+krb5_error_code
+ adm_del_old_key(cmdname, customer_name)
+char *cmdname;
+char *customer_name;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+
+ krb5_error_code retval;
+ krb5_principal newprinc;
+ int one = 1;
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Deletion Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ com_err("adm_del_old_key", retval, "while parsing '%s'", customer_name);
+ return(5); /* Protocol Failure */
+ }
+
+ if (!adm_princ_exists("adm_del_old_key", newprinc,
+ &entry, &nprincs)) {
+ com_err("adm_del_old_key", 0, "principal '%s' is not in the database",
+ customer_name);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(1);
+ }
+
+ if (retval = krb5_db_delete_principal(newprinc, &one)) {
+ com_err("adm_del_old_key", retval,
+ "while deleting '%s'", customer_name);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(8);
+ } else if (one != 1) {
+ com_err("adm_del_old_key", 0,
+ "no principal deleted - unknown error");
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(8);
+ }
+
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(0);
+}
+
+/* kadmin modify existing Principal function */
+krb5_error_code
+ adm_mod_old_key(cmdname, customer_name, client_creds)
+char *cmdname;
+char *customer_name;
+krb5_ticket *client_creds;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+ extern int errno;
+
+ krb5_error_code retval;
+ krb5_principal newprinc;
+
+ krb5_data outbuf;
+ char tempstr[20];
+
+ int one = 1;
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Modification Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ com_err("adm_mod_old_key", retval, "while parsing '%s'", customer_name);
+ return(5); /* Protocol Failure */
+ }
+
+ for ( ; ; ) {
+
+ if (!adm_princ_exists("adm_mod_old_key", newprinc,
+ &entry, &nprincs)) {
+ com_err("adm_mod_old_key", 0,
+ "principal '%s' is not in the database",
+ customer_name);
+ krb5_free_principal(newprinc);
+ return(1);
+ }
+
+ /* Send Acknowledgement */
+ if ((outbuf.data = (char *) calloc (1, 255)) == (char *) 0) {
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ com_err("adm_mod_old_key", ENOMEM, "for outbuf.data");
+ return(3); /* No Memory */
+ }
+
+ outbuf.length = 3;
+ outbuf.data[0] = KADMIND;
+ outbuf.data[1] = MODOPER;
+ outbuf.data[2] = SENDDATA3;
+
+ if (retval = krb5_mk_priv(&outbuf,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ com_err("adm_mod_old_key", retval, "during mk_priv");
+ free(outbuf.data);
+ return(5); /* Protocol Failure */
+ }
+ free(outbuf.data);
+
+ if (krb5_write_message(&client_server_info.client_socket, &msg_data)){
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ com_err("adm_mod_old_key", 0,
+ "Error Performing Modification Write");
+ return(5); /* Protocol Failure */
+ }
+ free(msg_data.data);
+
+ /* Read Client Response */
+ if (krb5_read_message(&client_server_info.client_socket, &inbuf)){
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ com_err("adm_mod_old_key", errno,
+ "Error Performing Modification Read");
+ return(5); /* Protocol Failure */
+ }
+
+ /* Decrypt Client Response */
+ if (retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ recv_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ com_err("adm_mod_old_key", retval, "krb5_rd_priv error %s",
+ error_message(retval));
+ free(inbuf.data);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(5); /* Protocol Failure */
+ }
+
+ free(inbuf.data);
+
+ if (msg_data.data[1] == KADMGOOD) break;
+
+ /* Decode Message - Modify Database */
+ if (msg_data.data[2] != SENDDATA3) {
+ free(msg_data.data);
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(5); /* Protocol Failure */
+ }
+#ifdef SANDIA
+ if (msg_data.data[3] == KMODFCNT) {
+ (void) memcpy(tempstr, (char *) msg_data.data + 4,
+ msg_data.length - 4);
+ entry.fail_auth_count = atoi(tempstr);
+ }
+#endif
+ if (msg_data.data[3] == KMODVNO) {
+ (void) memcpy(tempstr, (char *) msg_data.data + 4,
+ msg_data.length - 4);
+ entry.kvno = atoi(tempstr);
+ }
+
+ if (msg_data.data[3] == KMODATTR) {
+ if (msg_data.data[4] == ATTRPOST)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_POSTDATED;
+ if (msg_data.data[4] == ATTRNOPOST)
+ entry.attributes |= KRB5_KDB_DISALLOW_POSTDATED;
+ if (msg_data.data[4] == ATTRFOR)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
+ if (msg_data.data[4] == ATTRNOFOR)
+ entry.attributes |= KRB5_KDB_DISALLOW_FORWARDABLE;
+ if (msg_data.data[4] == ATTRTGT)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_TGT_BASED;
+ if (msg_data.data[4] == ATTRNOTGT)
+ entry.attributes |= KRB5_KDB_DISALLOW_TGT_BASED;
+ if (msg_data.data[4] == ATTRREN)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_RENEWABLE;
+ if (msg_data.data[4] == ATTRNOREN)
+ entry.attributes |= KRB5_KDB_DISALLOW_RENEWABLE;
+ if (msg_data.data[4] == ATTRPROXY)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
+ if (msg_data.data[4] == ATTRNOPROXY)
+ entry.attributes |= KRB5_KDB_DISALLOW_PROXIABLE;
+ if (msg_data.data[4] == ATTRDSKEY)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_DUP_SKEY;
+ if (msg_data.data[4] == ATTRNODSKEY)
+ entry.attributes |= KRB5_KDB_DISALLOW_DUP_SKEY;
+ if (msg_data.data[4] == ATTRLOCK)
+ entry.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ if (msg_data.data[4] == ATTRUNLOCK)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_ALL_TIX;
+ if (msg_data.data[4] == ATTRNOSVR)
+ entry.attributes |= KRB5_KDB_DISALLOW_SVR;
+ if (msg_data.data[4] == ATTRSVR)
+ entry.attributes &= ~KRB5_KDB_DISALLOW_SVR;
+#ifdef SANDIA
+ if (msg_data.data[4] == ATTRPRE)
+ entry.attributes &= ~KRB5_KDB_REQUIRES_PRE_AUTH;
+ if (msg_data.data[4] == ATTRNOPRE)
+ entry.attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+ if (msg_data.data[4] == ATTRPWOK)
+ entry.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+ if (msg_data.data[4] == ATTRPWCHG)
+ entry.attributes |= KRB5_KDB_REQUIRES_PWCHANGE;
+ if (msg_data.data[4] == ATTRSID)
+ entry.attributes &= ~KRB5_KDB_REQUIRES_SECUREID;
+ if (msg_data.data[4] == ATTRNOSID)
+ entry.attributes |= KRB5_KDB_REQUIRES_SECUREID;
+#endif
+ }
+
+ free(msg_data.data);
+ entry.mod_name = client_server_info.client;
+ if (retval = krb5_timeofday(&entry.mod_date)) {
+ com_err("adm_mod_old_key", retval, "while fetching date");
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ return(5); /* Protocol Failure */
+ }
+
+ retval = krb5_db_put_principal(&entry, &one);
+ one = 1;
+ } /* for */
+
+ krb5_db_free_principal(&entry, nprincs);
+ krb5_free_principal(newprinc);
+
+ /* Read Client Response */
+ if (krb5_read_message(&client_server_info.client_socket, &inbuf)){
+ com_err("adm_mod_old_key", errno, "Error Performing Read");
+ return(5); /* Protocol Failure */
+ }
+
+ /* Decrypt Client Response */
+ if (retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ recv_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ com_err("adm_mod_old_key", retval, "krb5_rd_priv error %s",
+ error_message(retval));
+ free(inbuf.data);
+ return(5); /* Protocol Failure */
+ }
+
+ free(msg_data.data);
+ free(inbuf.data);
+
+ return(0);
+}
+
+/* kadmin inquire existing Principal function */
+krb5_error_code
+ adm_inq_old_key(cmdname, customer_name, client_creds)
+char *cmdname;
+char *customer_name;
+krb5_ticket *client_creds;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+
+ krb5_data outbuf;
+ krb5_error_code retval;
+ krb5_principal newprinc;
+ char *fullname;
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Remote Administrative Inquiry Request for %s by %s",
+ customer_name, client_server_info.name_of_client);
+
+ if (retval = krb5_parse_name(customer_name, &newprinc)) {
+ com_err("adm_inq_old_key", retval, "while parsing '%s'", customer_name);
+ return(5); /* Protocol Failure */
+ }
+
+ if (retval = krb5_unparse_name(newprinc, &fullname)) {
+ krb5_free_principal(newprinc);
+ com_err("adm_inq_old_key", retval, "while unparsing");
+ return(5); /* Protocol Failure */
+ }
+
+ if (!adm_princ_exists("adm_inq_old_key", newprinc,
+ &entry, &nprincs)) {
+ krb5_free_principal(newprinc);
+ free(fullname);
+ com_err("adm_inq_old_key", 0, "principal '%s' is not in the database",
+ customer_name);
+ return(1);
+ }
+
+ if ((outbuf.data = (char *) calloc (1, 2048)) == (char *) 0) {
+ krb5_db_free_principal(&entry, nprincs);
+ krb5_free_principal(newprinc);
+ free(fullname);
+ com_err("adm_inq_old_key", ENOMEM, "for outbuf.data");
+ return(3); /* No Memory */
+ }
+
+ /* Format Inquiry Data */
+ if ((retval = adm_fmt_prt(&entry, fullname, outbuf.data))) {
+ krb5_db_free_principal(&entry, nprincs);
+ krb5_free_principal(newprinc);
+ free(fullname);
+ com_err("adm_inq_old_key", 0, "Unable to Format Inquiry Data");
+ }
+ outbuf.length = strlen(outbuf.data);
+ krb5_db_free_principal(&entry, nprincs);
+ krb5_free_principal(newprinc);
+ free(fullname);
+
+ /* Encrypt Inquiry Data */
+ if (retval = krb5_mk_priv(&outbuf,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ com_err("adm_inq_old_key", retval, "during mk_priv");
+ free(outbuf.data);
+ return(5); /* Protocol Failure */
+ }
+
+ /* Send Inquiry Information */
+ if (krb5_write_message(&client_server_info.client_socket, &msg_data)){
+ com_err("adm_inq_old_key", 0, "Error Performing Write");
+ return(5); /* Protocol Failure */
+ }
+
+ free(msg_data.data);
+
+ /* Read Client Response */
+ if (krb5_read_message(&client_server_info.client_socket, &inbuf)){
+ com_err("adm_inq_old_key", errno, "Error Performing Read");
+ syslog(LOG_ERR, "adm_inq sock %d", client_server_info.client_socket);
+ return(5); /* Protocol Failure */
+ }
+
+ /* Decrypt Client Response */
+ if (retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ recv_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ com_err("adm_inq_old_key", retval, "krb5_rd_priv error %s",
+ error_message(retval));
+ free(inbuf.data);
+ return(5); /* Protocol Failure */
+ }
+
+ free(msg_data.data);
+ free(inbuf.data);
+ return(retval);
+}
+
+#ifdef SANDIA
+krb5_error_code
+ check_security(princ, class)
+krb5_principal princ;
+int class;
+{
+ char *input_name;
+
+ if ((input_name = (char *) calloc (1, 255)) == 0) {
+ com_err("check_security",
+ ENOMEM, "while allocating memory for class check");
+ return(3);
+ }
+
+ memcpy((char *) input_name, princ->data[0].data, princ->data[0].length);
+
+ if (class) {
+ /* Must be Classified Principal */
+ if (strlen(input_name) == 8) {
+ if (!(strcmp(&input_name[7], "s") == 0) &&
+ !(strcmp(&input_name[7], "c") == 0)) {
+ free(input_name);
+ return(6);
+ }
+ } else {
+ if (!((strncmp(&input_name[strlen(input_name) - 2],
+ "_s", 2) == 0) ||
+ (strncmp(&input_name[strlen(input_name) - 2], "_c", 2) == 0))) {
+ free(input_name);
+ return(6);
+ }
+ }
+ } else {
+ /* Must be Unclassified Principal */
+ if ((strlen(input_name) >= 8) ||
+ ((strncmp(&input_name[strlen(input_name) - 2], "_s", 2) == 0) ||
+ (strncmp(&input_name[strlen(input_name) - 2], "_c", 2) == 0))) {
+ free(input_name);
+ return(6);
+ }
+ }
+
+ free(input_name);
+ return(0);
+}
+#endif
diff --git a/src/kadmin/server/adm_check.c b/src/kadmin/server/adm_check.c
new file mode 100644
index 000000000..2cef9757b
--- /dev/null
+++ b/src/kadmin/server/adm_check.c
@@ -0,0 +1,144 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_check[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <sys/types.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <com_err.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/adm_defs.h>
+#include <krb5/adm_err.h>
+#include "adm_extern.h"
+
+krb5_error_code
+adm_check_acl(name_of_client, acl_type)
+char *name_of_client;
+char *acl_type;
+{
+ FILE *acl_file;
+ char input_string[255];
+ char admin_name[255];
+#define num_of_privs 5
+ char priv[num_of_privs];
+ extern char *acl_file_name;
+ char *lcl_acl_file;
+ int i, j;
+
+ if ((lcl_acl_file = (char *) calloc(1, 80)) == (char *) 0) {
+ com_err("adm_check_acl", ENOMEM, "allocating acl file name");
+ return(KADM_ENOMEM); /* No Memory */
+ }
+
+ (void) sprintf(lcl_acl_file, "%s", acl_file_name);
+
+ if ((acl_file = fopen(lcl_acl_file, "r")) == NULL) {
+ syslog(LOG_ERR, "Cannot open acl file (%s)", acl_file_name);
+ free(lcl_acl_file);
+ return(KADM_EPERM);
+ }
+
+ for ( ;; ) {
+
+ if ((fgets(input_string, sizeof(input_string), acl_file)) == NULL) {
+ syslog(LOG_ERR, "Administrator (%s) not in ACL file (%s)",
+ name_of_client, lcl_acl_file);
+ break; /* Not Found */
+ }
+
+ if (input_string[0] == '#') continue;
+
+ i = 0;
+ while (!isspace(input_string[i]) && i < strlen(input_string)) {
+ admin_name[i] = input_string[i];
+ i++;
+ }
+
+ while (isspace(input_string[i]) && i < strlen(input_string)) {
+ i++;
+ }
+
+ priv[0] = priv[1] = priv[2] = priv[3] = priv[4] = '\0';
+
+ j = 0;
+ while ((i < strlen(input_string)) && (j < num_of_privs) &&
+ (!isspace(input_string[i]))) {
+ priv[j] = input_string[i];
+ i++; j++;
+ }
+
+ if (priv[0] == '*') {
+ priv[0] = 'a'; /* Add Priv */
+ priv[1] = 'c'; /* Changepw Priv */
+ priv[2] = 'd'; /* Delete Priv */
+ priv[3] = 'i'; /* Inquire Priv */
+ priv[4] = 'm'; /* Modify Priv */
+ }
+
+ if (!strncmp(admin_name, name_of_client,
+ strlen(name_of_client))) {
+ switch(acl_type[0]) {
+ case 'a':
+ case 'c':
+ case 'd':
+ case 'i':
+ case 'm':
+ for (i = 0; i < num_of_privs; i++) {
+ if (priv[i] == acl_type[0]) {
+ fclose(acl_file);
+ free(lcl_acl_file);
+ return(0); /* Found */
+ }
+ }
+ break;
+
+ default:
+ break;
+ }
+ }
+ }
+
+ fclose(acl_file);
+ free(lcl_acl_file);
+ return(KADM_EPERM);
+}
diff --git a/src/kadmin/server/adm_extern.c b/src/kadmin/server/adm_extern.c
new file mode 100644
index 000000000..d544ce719
--- /dev/null
+++ b/src/kadmin/server/adm_extern.c
@@ -0,0 +1,65 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * allocations of adm_extern stuff
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_extern_c[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/copyright.h>
+
+#include <krb5/krb5.h>
+#include <krb5/kdb.h>
+#include <krb5/kdb_dbm.h>
+
+/* real declarations of KDC's externs */
+krb5_encrypt_block master_encblock;
+krb5_keyblock master_keyblock;
+krb5_principal master_princ;
+
+volatile int signal_requests_exit = 0; /* gets set when signal hits */
+
+char *dbm_db_name = DEFAULT_DBM_FILE;
+
+krb5_keyblock tgs_key;
+krb5_kvno tgs_kvno;
+
+krb5_data inbuf;
+krb5_data msg_data;
+
+int send_seqno;
+int recv_seqno;
+
+/*
+static krb5_data tgs_name = {sizeof(TGTNAME)-1, TGTNAME};
+krb5_data *tgs_server[4] = {0, &tgs_name, 0, 0};
+*/
+
+krb5_principal tgs_server;
diff --git a/src/kadmin/server/adm_extern.h b/src/kadmin/server/adm_extern.h
new file mode 100644
index 000000000..9095bdf5e
--- /dev/null
+++ b/src/kadmin/server/adm_extern.h
@@ -0,0 +1,82 @@
+/*
+ * $Source$
+ * $Author$
+ * $Id$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * <<< Description >>>
+ */
+
+#include <krb5/copyright.h>
+
+#ifndef __ADM_EXTERN__
+#define __ADM_EXTERN__
+
+typedef struct {
+ /* Client Info */
+ struct sockaddr_in client_name;
+ krb5_address client_addr;
+ krb5_principal client;
+ char *name_of_client;
+ /* Server Info */
+ struct sockaddr_in server_name;
+ krb5_address server_addr;
+ krb5_principal server;
+ char *name_of_service;
+ /* Miscellaneous */
+ int server_socket;
+ int client_socket;
+} global_client_server_info;
+
+/* various externs for KDC */
+extern krb5_encrypt_block master_encblock;
+extern krb5_keyblock master_keyblock;
+extern krb5_principal master_princ;
+
+extern volatile int signal_requests_exit;
+extern char *dbm_db_name;
+
+extern krb5_keyblock tgs_key;
+extern krb5_kvno tgs_kvno;
+extern krb5_principal tgs_server;
+
+extern global_client_server_info client_server_info;
+extern char *adm5_tcp_portname;
+extern int adm5_tcp_port_fd;
+
+extern unsigned pidarraysize;
+extern int *pidarray;
+
+extern char *adm5_ver_str;
+extern int adm5_ver_len;
+
+extern int send_seqno;
+extern int recv_seqno;
+
+extern int exit_now;
+
+extern krb5_data inbuf;
+extern krb5_data msg_data;
+
+#endif /* __ADM_EXTERN__ */
diff --git a/src/kadmin/server/adm_fmt_inq.c b/src/kadmin/server/adm_fmt_inq.c
new file mode 100644
index 000000000..b563ec4b1
--- /dev/null
+++ b/src/kadmin/server/adm_fmt_inq.c
@@ -0,0 +1,218 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * Administrative Display Routine
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_fmt_inq[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/kdb.h>
+#include <krb5/kdb_dbm.h>
+
+#include <com_err.h>
+#include <stdio.h>
+
+#if defined (unicos61) || (defined(mips) && defined(SYSTYPE_BSD43)) || defined(sysvimp)
+#include <time.h>
+#else
+#include <sys/time.h>
+#endif /* unicos61 */
+#if defined(aux20)
+#include <time.h>
+#endif /* aux20 */
+
+#define REALM_SEP '@'
+#define REALM_SEP_STR "@"
+
+krb5_error_code
+adm_print_attributes(ret_data, attribs)
+char *ret_data;
+krb5_flags attribs;
+{
+ char *my_data;
+
+ if ((my_data = (char *) calloc (1,255)) == (char *) 0) {
+ com_err("adm_print_attributes", ENOMEM, "");
+ }
+
+ sprintf(my_data, "Principal Attributes (PA): ");
+ if (attribs & KRB5_KDB_DISALLOW_POSTDATED)
+ strcat(my_data, "NOPOST ");
+ else
+ strcat(my_data, "POST ");
+ if (attribs & KRB5_KDB_DISALLOW_FORWARDABLE)
+ strcat(my_data, "NOFOR ");
+ else
+ strcat(my_data, "FOR ");
+ if (attribs & KRB5_KDB_DISALLOW_TGT_BASED)
+ strcat(my_data, "NOTGT ");
+ else
+ strcat(my_data, "TGT ");
+ if (attribs & KRB5_KDB_DISALLOW_RENEWABLE)
+ strcat(my_data, "NOREN ");
+ else
+ strcat(my_data, "REN ");
+ if (attribs & KRB5_KDB_DISALLOW_PROXIABLE)
+ strcat(my_data, "NOPROXY\n");
+ else
+ strcat(my_data, "PROXY\n");
+ strcat(my_data, " ");
+ if (attribs & KRB5_KDB_DISALLOW_DUP_SKEY)
+ strcat(my_data, "NODUPSKEY ");
+ else
+ strcat(my_data, "DUPSKEY ");
+ if (attribs & KRB5_KDB_DISALLOW_ALL_TIX)
+ strcat(my_data, "LOCKED ");
+ else
+ strcat(my_data, "UNLOCKED ");
+ if (attribs & KRB5_KDB_DISALLOW_SVR)
+ strcat(my_data, "NOSVR\n");
+ else
+ strcat(my_data, "SVR\n");
+
+#ifdef SANDIA
+ strcat(my_data, " ");
+ if (attribs & KRB5_KDB_REQUIRES_PRE_AUTH)
+ strcat(my_data, "PREAUTH ");
+ else
+ strcat(my_data, "NOPREAUTH ");
+ if (attribs & KRB5_KDB_REQUIRES_PWCHANGE)
+ strcat(my_data, "PWCHG ");
+ else
+ strcat(my_data, "PWOK ");
+ if (attribs & KRB5_KDB_REQUIRES_HW_AUTH)
+ strcat(my_data, "SID\n");
+ else
+ strcat(my_data, "NOSID\n");
+#endif
+ (void) strcat(ret_data, my_data);
+ free(my_data);
+ return(0);
+}
+
+krb5_error_code
+adm_print_exp_time(ret_data, time_input)
+char *ret_data;
+krb5_timestamp *time_input;
+{
+ char *my_data;
+ struct tm *exp_time;
+
+ if ((my_data = (char *) calloc (1,255)) == (char *) 0) {
+ com_err("adm_print_attributes", ENOMEM, "");
+ }
+
+ exp_time = localtime((time_t *) time_input);
+ sprintf(my_data,
+ "Principal Expiration Date (PED): %02d%02d/%02d/%02d:%02d:%02d:%02d\n",
+ (exp_time->tm_year >= 100) ? 20 : 19,
+ (exp_time->tm_year >= 100) ? exp_time->tm_year - 100 : exp_time->tm_year,
+ exp_time->tm_mon + 1,
+ exp_time->tm_mday,
+ exp_time->tm_hour,
+ exp_time->tm_min,
+ exp_time->tm_sec);
+ (void) strcat(ret_data, my_data);
+ free(my_data);
+ return(0);
+}
+
+krb5_error_code
+adm_fmt_prt(entry, Principal_name, ret_data)
+krb5_db_entry *entry;
+char *Principal_name;
+char *ret_data;
+{
+ struct tm *mod_time;
+#ifdef SANDIA
+ krb5_error_code retval;
+ struct tm *exp_time;
+ int pwd_expire;
+ krb5_timestamp now;
+#endif
+
+ char *my_data;
+ char thisline[80];
+
+ if ((my_data = (char *) calloc (1, 2048)) == (char *) 0) {
+ com_err("adm_print_attributes", ENOMEM, "");
+ }
+
+ (void) sprintf(my_data, "\n\nPrincipal: %s\n\n", Principal_name);
+ sprintf(thisline,
+ "Maximum Ticket Lifetime (MTL) = %d (seconds)\n", entry->max_life);
+ strcat(my_data, thisline);
+ sprintf(thisline, "Maximum Renewal Lifetime (MRL) = %d (seconds)\n",
+ entry->max_renewable_life);
+ strcat(my_data, thisline);
+ sprintf(thisline, "Principal Key Version (PKV) = %d\n", entry->kvno);
+ strcat(my_data, thisline);
+ (void) adm_print_exp_time(my_data, &entry->expiration);
+ mod_time = localtime((time_t *) &entry->mod_date);
+ sprintf(thisline,
+ "Last Modification Date (LMD): %02d%02d/%02d/%02d:%02d:%02d:%02d\n",
+ (mod_time->tm_year >= 100) ? 20 : 19,
+ (mod_time->tm_year >= 100) ? mod_time->tm_year - 100 : mod_time->tm_year,
+ mod_time->tm_mon + 1,
+ mod_time->tm_mday,
+ mod_time->tm_hour,
+ mod_time->tm_min,
+ mod_time->tm_sec);
+ strcat(my_data, thisline);
+ (void) adm_print_attributes(my_data, entry->attributes);
+ switch (entry->salt_type & 0xff) {
+ case 0 : strcat(my_data,
+ "Principal Salt Type (PST) = Version 5 Normal\n");
+ break;
+ case 1 : strcat(my_data, "Principal Salt Type (PST) = Version 4\n");
+ break;
+ case 2 : strcat(my_data, "Principal Salt Type (PST) = NOREALM\n");
+ break;
+ case 3 : strcat(my_data, "Principal Salt Type (PST) = ONLYREALM\n");
+ break;
+ case 4 : strcat(my_data, "Principal Salt Type (PST) = Special\n");
+ break;
+ }
+#ifdef SANDIA
+ sprintf(thisline,
+ "Invalid Authentication Count (FCNT) = %d\n", entry->fail_auth_count);
+ strcat(my_data, thisline);
+ retval = krb5_timeofday(&now);
+ pwd_expire = (now - entry->last_pwd_change) / 86400;
+ sprintf(thisline, "Password Age is %d Days\n", pwd_expire);
+ strcat(my_data, thisline);
+#endif
+ (void) strcat(ret_data, my_data);
+ free(my_data);
+ return(0);
+}
diff --git a/src/kadmin/server/adm_funcs.c b/src/kadmin/server/adm_funcs.c
new file mode 100644
index 000000000..b40a46938
--- /dev/null
+++ b/src/kadmin/server/adm_funcs.c
@@ -0,0 +1,599 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * Modify the Kerberos Database
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_funcs[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <com_err.h>
+#include <sys/types.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/kdb.h>
+#include <krb5/kdb_dbm.h>
+#include <krb5/asn1.h>
+
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+#include <krb5/adm_err.h>
+#include <krb5/errors.h>
+#include <krb5/kdb5_err.h>
+#include <krb5/krb5_err.h>
+
+struct saltblock {
+ int salttype;
+ krb5_data saltdata;
+};
+
+extern krb5_encrypt_block master_encblock;
+extern krb5_keyblock master_keyblock;
+
+#define norealm_salt(princ, retdata) krb5_principal2salt(&(princ)[1], retdata)
+
+struct mblock {
+ krb5_deltat max_life;
+ krb5_deltat max_rlife;
+ krb5_timestamp expiration;
+ krb5_flags flags;
+ krb5_kvno mkvno;
+} mblock = { /* XXX */
+ KRB5_KDB_MAX_LIFE,
+ KRB5_KDB_MAX_RLIFE,
+ KRB5_KDB_EXPIRATION,
+ KRB5_KDB_DEF_FLAGS,
+ 0
+};
+
+typedef unsigned char des_cblock[8];
+
+ /* krb5_kvno may be narrow */
+#include <krb5/widen.h>
+
+krb5_error_code adm_get_rnd_key PROTOTYPE((char *,
+ krb5_ticket *,
+ krb5_authenticator *,
+ krb5_principal,
+ int,
+ krb5_db_entry *));
+
+krb5_error_code adm_modify_kdb PROTOTYPE((char const *,
+ char const *,
+ krb5_const_principal,
+ const krb5_keyblock *,
+ const krb5_keyblock *,
+ int,
+ struct saltblock *,
+ struct saltblock *,
+ krb5_db_entry *));
+
+krb5_error_code adm_enter_pwd_key PROTOTYPE((char *,
+ char *,
+ krb5_const_principal,
+ krb5_const_principal,
+ int,
+ int,
+ char *,
+ krb5_db_entry *));
+
+krb5_error_code adm_negotiate_key PROTOTYPE((char const *,
+ krb5_ticket *,
+ char *));
+
+#include <krb5/narrow.h>
+
+
+krb5_kvno
+adm_princ_exists(cmdname, principal, entry, nprincs)
+char *cmdname;
+krb5_principal principal;
+krb5_db_entry *entry;
+int *nprincs;
+{
+ krb5_boolean more;
+ krb5_error_code retval;
+
+ if (retval = krb5_db_get_principal(principal, entry, nprincs, &more)) {
+ com_err("adm_princ_exists", retval,
+ "while attempting to verify principal's existence");
+ return(0);
+ }
+
+ if (! *nprincs) return(0);
+
+ return(*nprincs);
+}
+
+krb5_error_code
+adm_modify_kdb(DECLARG(char const *, cmdname),
+ DECLARG(char const *, newprinc),
+ DECLARG(krb5_const_principal, principal),
+ DECLARG(const krb5_keyblock *, key),
+ DECLARG(const krb5_keyblock *, alt_key),
+ DECLARG(int, req_type),
+ DECLARG(struct saltblock *, salt),
+ DECLARG(struct saltblock *, altsalt),
+ DECLARG(krb5_db_entry *, entry))
+OLDDECLARG(char const *, cmdname)
+OLDDECLARG(char const *, newprinc)
+OLDDECLARG(krb5_const_principal, principal)
+OLDDECLARG(const krb5_keyblock *, key)
+OLDDECLARG(const krb5_keyblock *, alt_key)
+OLDDECLARG(int, req_type)
+OLDDECLARG(struct saltblock *, salt)
+OLDDECLARG(struct saltblock *, altsalt)
+OLDDECLARG(krb5_db_entry *, entry)
+
+{
+ krb5_error_code retval;
+ int one = 1;
+
+ krb5_kvno KDB5_VERSION_NUM = 1;
+ krb5_deltat KDB5_MAX_TKT_LIFE = KRB5_KDB_MAX_LIFE;
+ krb5_deltat KDB5_MAX_REN_LIFE = KRB5_KDB_MAX_RLIFE;
+ krb5_timestamp KDB5_EXP_DATE = KRB5_KDB_EXPIRATION;
+ extern krb5_flags NEW_ATTRIBUTES;
+
+ if (key && key->length) {
+ retval = krb5_kdb_encrypt_key(&master_encblock,
+ key,
+ &entry->key);
+ if (retval) {
+ com_err("adm_modify_kdb", retval,
+ "while encrypting key for '%s'", newprinc);
+ return(KADM_NO_ENCRYPT);
+ }
+ }
+
+ if (alt_key && alt_key->length) {
+ retval = krb5_kdb_encrypt_key(&master_encblock,
+ alt_key,
+ &entry->alt_key);
+ if (retval) {
+ com_err("adm_modify_kdb", retval,
+ "while encrypting alt_key for '%s'", newprinc);
+ return(KADM_NO_ENCRYPT);
+ }
+ }
+
+ if (!req_type) { /* New entry - initialize */
+ memset((char *) &entry, 0, sizeof(entry));
+ entry->principal = (krb5_principal) principal;
+ entry->kvno = KDB5_VERSION_NUM;
+ entry->max_life = KDB5_MAX_TKT_LIFE;
+ entry->max_renewable_life = KDB5_MAX_REN_LIFE;
+ entry->mkvno = mblock.mkvno;
+ entry->expiration = KDB5_EXP_DATE;
+ entry->mod_name = master_princ;
+ } else { /* Modify existing entry */
+ entry->kvno++;
+#ifdef SANDIA
+ entry->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+#endif
+ entry->mod_name = (krb5_principal) principal;
+ }
+
+ if (retval = krb5_timeofday(&entry->mod_date)) {
+ com_err("adm_modify_kdb", retval, "while fetching date");
+ memset((char *) entry->key.contents, 0, entry->key.length);
+ memset((char *) entry->alt_key.contents, 0, entry->alt_key.length);
+ if (entry->key.contents)
+ xfree(entry->key.contents);
+ if (entry->alt_key.contents)
+ xfree(entry->alt_key.contents);
+ return(KRB_ERR_GENERIC);
+ }
+
+ if (!req_type) {
+ if (salt->salttype == KRB5_KDB_SALTTYPE_V4) {
+ entry->attributes = (KRB5_KDB_DISALLOW_DUP_SKEY | NEW_ATTRIBUTES)
+#ifdef SANDIA
+ & ~KRB5_KDB_REQUIRES_PRE_AUTH & ~KRB5_KDB_REQUIRES_HW_AUTH
+#endif
+ ;
+ } else {
+ entry->attributes = NEW_ATTRIBUTES;
+ }
+
+#ifdef SANDIA
+ entry->last_pwd_change = entry->mod_date;
+ entry->last_success = entry->mod_date;
+ entry->fail_auth_count = 0;
+#endif
+
+ if (salt) {
+ entry->salt_type = salt->salttype;
+ entry->salt_length = salt->saltdata.length;
+ entry->salt = (krb5_octet *) salt->saltdata.data;
+ } else {
+ entry->salt_type = KRB5_KDB_SALTTYPE_NORMAL;
+ entry->salt_length = 0;
+ entry->salt = 0;
+ }
+
+ /* Set up version 4 alt key and alt salt info.....*/
+ if (altsalt) {
+ entry->alt_salt_type = altsalt->salttype;
+ entry->alt_salt_length = altsalt->saltdata.length;
+ entry->alt_salt = (krb5_octet *) altsalt->saltdata.data;
+ } else {
+ entry->alt_salt_type = KRB5_KDB_SALTTYPE_NORMAL;
+ entry->alt_salt_length = 0;
+ entry->alt_salt = 0;
+ }
+ } else {
+ if (retval = krb5_timeofday(&entry->last_pwd_change)) {
+ com_err("adm_modify_kdb", retval, "while fetching date");
+ memset((char *) entry->key.contents, 0, entry->key.length);
+ memset((char *) entry->alt_key.contents, 0, entry->alt_key.length);
+ if (entry->key.contents)
+ xfree(entry->key.contents);
+ if (entry->alt_key.contents)
+ xfree(entry->alt_key.contents);
+ return(5);
+ }
+ }
+
+ retval = krb5_db_put_principal(entry, &one);
+
+ memset((char *) entry->key.contents, 0, entry->key.length);
+ if (entry->key.contents)
+ xfree(entry->key.contents);
+
+ memset((char *) entry->alt_key.contents, 0, entry->alt_key.length);
+ if (entry->alt_key.contents)
+ xfree(entry->alt_key.contents);
+
+ if (retval) {
+ com_err("adm_modify_kdb", retval,
+ "while storing entry for '%s'\n", newprinc);
+ return(kdb5_err_base + retval);
+ }
+
+ if (one != 1)
+ com_err("adm_modify_kdb", 0, "entry not stored in database (unknown failure)");
+ return(0);
+}
+
+krb5_error_code
+adm_enter_pwd_key(DECLARG(char *, cmdname),
+ DECLARG(char *, newprinc),
+ DECLARG(krb5_const_principal, princ),
+ DECLARG(krb5_const_principal, string_princ),
+ DECLARG(int, req_type),
+ DECLARG(int, salttype),
+ DECLARG(char *, new_password),
+ DECLARG(krb5_db_entry *, entry))
+OLDDECLARG(char *, cmdname)
+OLDDECLARG(char *, newprinc)
+OLDDECLARG(krb5_const_principal, princ)
+OLDDECLARG(krb5_const_principal, string_princ)
+OLDDECLARG(int, req_type)
+OLDDECLARG(int, salttype)
+OLDDECLARG(char *, new_password)
+OLDDECLARG(krb5_db_entry *, entry)
+{
+ krb5_error_code retval;
+ krb5_keyblock tempkey;
+ krb5_data pwd;
+ struct saltblock salt;
+ struct saltblock altsalt;
+ krb5_keyblock alttempkey;
+ krb5_octet v4_keyptr[8];
+
+ pwd.data = new_password;
+ pwd.length = strlen((char *) new_password);
+
+ salt.salttype = salttype;
+
+ switch (salttype) {
+ case KRB5_KDB_SALTTYPE_NORMAL:
+ if (retval = krb5_principal2salt(string_princ, &salt.saltdata)) {
+ com_err("adm_enter_pwd_key", retval,
+ "while converting principal to salt for '%s'", newprinc);
+ return(KRB_ERR_GENERIC);
+ }
+
+ altsalt.salttype = KRB5_KDB_SALTTYPE_V4;
+ altsalt.saltdata.data = 0;
+ altsalt.saltdata.length = 0;
+ break;
+
+ case KRB5_KDB_SALTTYPE_V4:
+ salt.saltdata.data = 0;
+ salt.saltdata.length = 0;
+ if (retval = krb5_principal2salt(string_princ, &altsalt.saltdata)) {
+ com_err("adm_enter_pwd_key", retval,
+ "while converting principal to altsalt for '%s'", newprinc);
+ return(KRB_ERR_GENERIC);
+ }
+
+ altsalt.salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ break;
+
+ case KRB5_KDB_SALTTYPE_NOREALM:
+ if (retval = norealm_salt(string_princ, &salt.saltdata)) {
+ com_err("adm_enter_pwd_key", retval,
+ "while converting principal to salt for '%s'", newprinc);
+ return(KRB_ERR_GENERIC);
+ }
+
+ altsalt.salttype = KRB5_KDB_SALTTYPE_V4;
+ altsalt.saltdata.data = 0;
+ altsalt.saltdata.length = 0;
+ break;
+
+ case KRB5_KDB_SALTTYPE_ONLYREALM:
+ {
+ krb5_data *foo;
+ if (retval = krb5_copy_data(krb5_princ_realm(string_princ),
+ &foo)) {
+ com_err("adm_enter_pwd_key", retval,
+ "while converting principal to salt for '%s'", newprinc);
+ return(KRB_ERR_GENERIC);
+ }
+
+ salt.saltdata = *foo;
+ xfree(foo);
+ altsalt.salttype = KRB5_KDB_SALTTYPE_V4;
+ altsalt.saltdata.data = 0;
+ altsalt.saltdata.length = 0;
+ break;
+ }
+
+ default:
+ com_err("adm_enter_pwd_key", 0,
+ "Don't know how to enter salt type %d", salttype);
+ return(KRB_ERR_GENERIC);
+ }
+
+ if (retval = krb5_string_to_key(&master_encblock,
+ master_keyblock.keytype,
+ &tempkey,
+ &pwd,
+ &salt.saltdata)) {
+ com_err("adm_enter_pwd_key", retval,
+ "while converting password to alt_key for '%s'", newprinc);
+ memset((char *) new_password, 0, sizeof(new_password)); /* erase it */
+ xfree(salt.saltdata.data);
+ return(retval);
+ }
+
+ if (retval = krb5_string_to_key(&master_encblock,
+ master_keyblock.keytype,
+ &alttempkey,
+ &pwd,
+ &altsalt.saltdata)) {
+ com_err("adm_enter_pwd_key", retval,
+ "while converting password to alt_key for '%s'", newprinc);
+ xfree(salt.saltdata.data);
+ free(entry->alt_key.contents);
+ memset((char *) new_password, 0, sizeof(new_password)); /* erase it */
+ return(retval);
+ }
+
+ memset((char *) new_password, 0, sizeof(new_password)); /* erase it */
+
+ retval = adm_modify_kdb("adm_enter_pwd_key",
+ newprinc,
+ princ,
+ &tempkey,
+ &alttempkey,
+ req_type,
+ &salt,
+ &altsalt,
+ entry);
+
+ memset((char *) tempkey.contents, 0, tempkey.length);
+ memset((char *) alttempkey.contents, 0, alttempkey.length);
+ if (entry->alt_key.contents)
+ free(entry->alt_key.contents);
+ return(retval);
+}
+
+krb5_error_code
+adm5_change(prog, newprinc, client_creds)
+char *prog;
+krb5_principal newprinc;
+krb5_ticket *client_creds;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+
+ krb5_error_code retval;
+ char *composite_name;
+ char new_passwd[ADM_MAX_PW_LENGTH + 1];
+
+ if (!(adm_princ_exists("adm5_change", newprinc,
+ &entry, &nprincs))) {
+ com_err("adm5_change", 0, "No principal exists!");
+ krb5_free_principal(newprinc);
+ return(1);
+ }
+
+ memset((char *) new_passwd, 0, ADM_MAX_PW_LENGTH + 1);
+
+ /* Negotiate for New Key */
+ if (retval = adm_negotiate_key("adm5_change", client_creds,
+ new_passwd)) {
+ krb5_db_free_principal(&entry, nprincs);
+ krb5_free_principal(newprinc);
+ return(1);
+ }
+
+ retval = krb5_unparse_name(newprinc, &composite_name);
+
+ if (entry.salt_type == KRB5_KDB_SALTTYPE_V4) {
+ entry.salt_type = KRB5_KDB_SALTTYPE_NORMAL;
+ entry.alt_salt_type = KRB5_KDB_SALTTYPE_V4;
+ com_err("adm5_change", 0, "Converting v4user to v5user");
+ }
+
+ retval = adm_enter_pwd_key("adm5_change",
+ composite_name,
+ newprinc,
+ newprinc,
+ 1, /* change */
+ KRB5_KDB_SALTTYPE_NORMAL,
+ new_passwd,
+ &entry);
+ (void) memset(new_passwd, 0, strlen(new_passwd));
+ krb5_free_principal(newprinc);
+ krb5_db_free_principal(&entry, nprincs);
+ free(composite_name);
+ return(retval);
+}
+
+#ifdef SANDIA
+krb5_error_code
+adm5_create_rnd(prog, change_princ, client_auth_data, client_creds)
+char *prog;
+krb5_principal change_princ;
+krb5_authenticator *client_auth_data;
+krb5_ticket *client_creds;
+{
+ krb5_db_entry entry;
+ int nprincs = 1;
+
+ krb5_error_code retval;
+
+ if (!(adm_princ_exists("adm5_create_rnd",
+ change_princ,
+ &entry,
+ &nprincs))) {
+ com_err("adm5_create_rnd", 0, "No principal exists!");
+ krb5_free_principal(change_princ);
+ return(1);
+ }
+
+ if (retval = adm_get_rnd_key("adm5_create_rnd",
+ client_creds,
+ client_auth_data,
+ change_princ,
+ 1, /* change */
+ &entry)) {
+ krb5_db_free_principal(&entry, nprincs);
+ krb5_free_principal(change_princ);
+ return(retval);
+ }
+
+ krb5_free_principal(change_princ);
+ krb5_db_free_principal(&entry, nprincs);
+ return(0);
+}
+#endif
+#define MAXMSGSZ 255
+
+krb5_error_code
+adm_enter_rnd_pwd_key(DECLARG(char *, cmdname),
+ DECLARG(krb5_principal, change_princ),
+ DECLARG(int, req_type),
+ DECLARG(krb5_db_entry *, entry))
+OLDDECLARG(char *, cmdname)
+OLDDECLARG(krb5_principal, change_princ)
+OLDDECLARG(int, req_type)
+OLDDECLARG(krb5_db_entry *, entry)
+{
+ krb5_error_code retval;
+ krb5_keyblock *tempkey;
+ krb5_pointer master_random;
+ int salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ struct saltblock salt;
+ char *principal_name;
+
+ salt.salttype = salttype;
+ entry->salt_type = salttype;
+
+ if (retval = krb5_init_random_key(&master_encblock,
+ &master_keyblock,
+ &master_random)) {
+ com_err("adm_enter_rnd_pwd_key", 0, "Unable to Initialize Random Key");
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)master_keyblock.contents, 0, master_keyblock.length);
+ xfree(master_keyblock.contents);
+ goto finish;
+ }
+
+ /* Get Random Key */
+ if (retval = krb5_random_key(&master_encblock,
+ master_random,
+ &tempkey)) {
+ com_err("adm_enter_rnd_pwd_key", 0, "Unable to Obtain Random Key");
+ goto finish;
+ }
+
+ /* Tie the Random Key to the Principal */
+ if (retval = krb5_principal2salt(change_princ, &salt.saltdata)) {
+ com_err("adm_enter_rnd_pwd_key", 0, "Principal2salt Failure");
+ goto finish;
+ }
+
+ retval = krb5_unparse_name(change_princ, &principal_name);
+ if (retval)
+ return retval;
+
+ /* Modify Database */
+ retval = adm_modify_kdb("adm_enter_rnd_pwd_key",
+ principal_name,
+ change_princ,
+ tempkey,
+ tempkey,
+ req_type,
+ &salt,
+ &salt,
+ entry);
+ free(principal_name);
+
+ if (retval) {
+ com_err("adm_enter_rnd_pwd_key", 0, "Database Modification Failure");
+ retval = 2;
+ goto finish;
+ }
+
+ finish:
+
+ if(retval) {
+ memset((char *) tempkey->contents, 0, tempkey->length);
+ return(retval);
+ }
+
+ memset((char *) tempkey->contents, 0, tempkey->length);
+
+ return(0);
+}
diff --git a/src/kadmin/server/adm_kadmin.c b/src/kadmin/server/adm_kadmin.c
new file mode 100644
index 000000000..abf38cad6
--- /dev/null
+++ b/src/kadmin/server/adm_kadmin.c
@@ -0,0 +1,371 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ */
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_kadmin[] =
+"$Header$";
+#endif /* lint */
+
+/*
+ adm_kadmin.c
+*/
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <com_err.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/kdb.h>
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+krb5_error_code
+adm5_kadmin(prog, client_auth_data, client_creds, retbuf, otype)
+char *prog;
+krb5_authenticator *client_auth_data;
+krb5_ticket *client_creds;
+char *retbuf; /* Allocated in Calling Routine */
+int *otype;
+{
+ krb5_error_code retval;
+ kadmin_requests request_type;
+ krb5_data msg_data, outbuf, inbuf;
+
+ char *customer_name;
+ char *completion_msg;
+ int length_of_name;
+
+ int salttype;
+
+ outbuf.data = retbuf; /* Do NOT free outbuf.data */
+
+ for ( ; ; ) { /* Use "return", "break", or "goto"
+ to exit for loop */
+
+ /* Encode Acknowledgement Message */
+ retbuf[0] = KADMIND;
+ retbuf[1] = KADMSAG;
+ retbuf[2] = SENDDATA2;
+ outbuf.length = 3;
+
+ retval = krb5_mk_priv(&outbuf,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data);
+ if (retval ) {
+ syslog(LOG_ERR,
+ "adm5_kadmin - Error Performing Acknowledgement mk_priv");
+ return(5); /* Protocol Failure */
+ }
+
+ /* Send Acknowledgement Reply to Client */
+ if (retval = krb5_write_message(&client_server_info.client_socket,
+ &msg_data)){
+ syslog(LOG_ERR,
+ "adm5_kadmin - Error Performing Acknowledgement Write: %s",
+ error_message(retval));
+ return(5); /* Protocol Failure */
+ }
+ free(msg_data.data);
+
+ /* Read Username */
+ if (krb5_read_message(&client_server_info.client_socket, &inbuf)){
+ syslog(LOG_ERR | LOG_INFO, "Error Performing Username Read");
+ return(5); /* Protocol Failure */
+ }
+
+ /* Decrypt Client Response */
+ if ((retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ recv_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data))) {
+ free(inbuf.data);
+ syslog(LOG_ERR | LOG_INFO, "Error decoding Username - rd_priv");
+ return(5); /* Protocol Failure */
+ }
+ free(inbuf.data);
+
+ request_type.appl_code = msg_data.data[0];
+ request_type.oper_code = msg_data.data[1];
+ if (msg_data.data[2] != SENDDATA2) {
+ syslog(LOG_ERR | LOG_INFO,
+ "Invalid Protocol String - Response not SENDDATA2");
+ free(msg_data.data);
+ return(5); /* Protocol Failure */
+ }
+
+ length_of_name = msg_data.length - 3;
+
+ if (request_type.oper_code == COMPLETE) {
+ *otype = 0;
+ free(msg_data.data);
+ retval = 0;
+ goto finish_req;
+ }
+
+ if (!length_of_name) {
+ syslog(LOG_ERR,
+ "adm5_kadmin error: Invalid KADMIN request - No Customer");
+ free(msg_data.data);
+ return(5); /* Protocol Error */
+ }
+
+ if ((customer_name = (char *) calloc(1, length_of_name + 1)) ==
+ (char *) 0) {
+ syslog(LOG_ERR, "adm5_kadmin error: No Memory for Customer Name");
+ free(msg_data.data);
+ return(3); /* No Memory */
+ }
+
+ (void) memcpy(customer_name, (char *) msg_data.data + 3,
+ length_of_name);
+ customer_name[length_of_name] = '\0';
+
+ free(msg_data.data);
+
+ if ((completion_msg = (char *) calloc (1,512)) == (char *) 0) {
+ syslog(LOG_ERR, "adm5_kadmin - No Memory for completion_msg");
+ free(customer_name);
+ return(3); /* No Memory */
+ }
+
+ switch(request_type.oper_code) {
+ case ADDOPER:
+ /* Check for Add Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "a")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 1;
+ salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ retval = adm_add_new_key("adm5_kadmin", customer_name,
+ client_creds, salttype);
+ goto process_retval;
+
+ case CHGOPER:
+ /* Check for Password Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "c")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 2;
+ salttype = KRB5_KDB_SALTTYPE_NORMAL;
+ retval = adm_change_pwd("adm5_kadmin", customer_name,
+ client_creds, salttype);
+ goto process_retval;
+
+ case ADROPER:
+ /* Check for Add Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "a")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 3;
+ retval = adm_add_new_key_rnd("adm5_kadmin", customer_name,
+ client_creds);
+ goto process_retval;
+
+ case CHROPER:
+ /* Check for Password Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "c")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 4;
+ retval = adm_change_pwd_rnd("adm5_kadmin", customer_name,
+ client_creds);
+ goto process_retval;
+
+ case DELOPER:
+ /* Check for Delete Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "d")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 5;
+ retval = adm_del_old_key("adm5_kadmin", customer_name);
+ goto process_retval;
+
+ case MODOPER:
+ /* Check for Modify Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "m")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 6;
+ retval = adm_mod_old_key("adm5_kadmin", customer_name,
+ client_creds);
+ goto process_retval;
+
+ case INQOPER:
+ /* Check for Inquiry Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "i")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 7;
+ retval = adm_inq_old_key("adm5_kadmin", customer_name,
+ client_creds);
+ goto process_retval;
+
+ case AD4OPER:
+ /* Check for Add Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "a")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 8;
+ salttype = KRB5_KDB_SALTTYPE_V4;
+ retval = adm_add_new_key("adm5_kadmin", customer_name,
+ client_creds, salttype);
+ goto process_retval;
+
+ case CH4OPER:
+ /* Check for Password Privilege */
+ if (retval = adm_check_acl(client_server_info.name_of_client,
+ "c")) {
+ retval = 7;
+ goto process_retval;
+ }
+ *otype = 9;
+ salttype = KRB5_KDB_SALTTYPE_V4;
+ retval = adm_change_pwd("adm5_kadmin", customer_name,
+ client_creds, salttype);
+ goto process_retval;
+
+ default:
+ retbuf[0] = KADMIN;
+ retbuf[1] = KUNKNOWNOPER;
+ retbuf[2] = '\0';
+ sprintf(completion_msg, "%s %s from %s FAILED",
+ "kadmin",
+ "Unknown or Non-Implemented Operation Type!",
+ inet_ntoa(client_server_info.client_name.sin_addr));
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ free(completion_msg);
+ retval = 255;
+ goto send_last;
+ } /* switch (request_type.oper_code) */
+
+process_retval:
+ switch (retval) {
+ case 0:
+ retbuf[0] = KADMIN;
+ retbuf[1] = request_type.oper_code;
+ retbuf[2] = KADMGOOD;
+ retbuf[3] = '\0';
+ goto send_last;
+
+ case 1: /* Principal Unknown */
+ case 2: /* Principal Already Exists */
+ case 3: /* ENOMEM */
+ case 4: /* Password Failure */
+ case 5: /* Protocol Failure */
+ case 6: /* Security Failure */
+ case 7: /* Admin Client Not in ACL List */
+ case 8: /* Database Update Failure */
+ retbuf[0] = KADMIN;
+ retbuf[1] = request_type.oper_code;
+ retbuf[2] = KADMBAD;
+ retbuf[3] = '\0';
+ sprintf((char *)retbuf +3, "%s",
+ kadmind_kadmin_response[retval]);
+ sprintf(completion_msg,
+ "%s %s from %s FAILED - %s",
+ "kadmin",
+ oper_type[request_type.oper_code],
+ inet_ntoa(client_server_info.client_name.sin_addr),
+ kadmind_kadmin_response[retval]);
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ free(completion_msg);
+ goto send_last;
+
+ default:
+ retbuf[0] = KADMIN;
+ retbuf[1] = request_type.oper_code;
+ retbuf[2] = KUNKNOWNERR;
+ retbuf[3] = '\0';
+ sprintf(completion_msg, "%s %s from %s FAILED",
+ "ksrvutil",
+ oper_type[1],
+ inet_ntoa( client_server_info.client_name.sin_addr));
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ retval = 255;
+ goto send_last;
+ } /* switch(retval) */
+
+send_last:
+ free(customer_name);
+ free(completion_msg);
+ outbuf.data = retbuf;
+ outbuf.length = strlen(retbuf) + 1;
+
+ /* Send Completion Message */
+ if (retval = krb5_mk_priv(&outbuf,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ syslog(LOG_ERR, "adm5_kadmin - Error Performing Final mk_priv");
+ return(1);
+ }
+
+ /* Send Final Reply to Client */
+ if (retval = krb5_write_message(&client_server_info.client_socket,
+ &msg_data)){
+ syslog(LOG_ERR, "adm5_kadmin - Error Performing Final Write: %s",
+ error_message(retval));
+ return(1);
+ }
+ free(msg_data.data);
+ } /* for */
+
+finish_req:
+ return(retval);
+}
diff --git a/src/kadmin/server/adm_kpasswd.c b/src/kadmin/server/adm_kpasswd.c
new file mode 100644
index 000000000..f01475fc4
--- /dev/null
+++ b/src/kadmin/server/adm_kpasswd.c
@@ -0,0 +1,122 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ */
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_kpasswd[] =
+"$Header$";
+#endif /* lint */
+
+/*
+ adm_kpasswd.c
+*/
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <com_err.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/kdb.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+extern krb5_encrypt_block master_encblock;
+extern krb5_keyblock master_keyblock;
+
+struct cpw_keyproc_arg {
+ krb5_keyblock *key;
+};
+
+krb5_error_code
+adm5_kpasswd(prog, request_type, client_creds, retbuf, otype)
+char *prog;
+kadmin_requests *request_type;
+krb5_ticket *client_creds;
+char *retbuf;
+int *otype;
+{
+ char completion_msg[520];
+ krb5_error_code retval;
+
+ switch (request_type->oper_code) {
+ case CHGOPER:
+ *otype = 3;
+ syslog(LOG_AUTH | LOG_INFO,
+ "adm_kpasswd: kpasswd change received");
+ retval = adm5_change("adm5_kpasswd",
+ client_server_info.client,
+ client_creds);
+
+ switch(retval) {
+ case 0:
+ retbuf[0] = KPASSWD;
+ retbuf[1] = CHGOPER;
+ retbuf[2] = KPASSGOOD;
+ retbuf[3] = '\0';
+ break;
+
+ case 1:
+ retbuf[0] = KPASSWD;
+ retbuf[1] = CHGOPER;
+ retbuf[2] = KPASSBAD;
+ retbuf[3] = '\0';
+ sprintf((char *)retbuf +3, "%s",
+ kadmind_kpasswd_response[retval]);
+ sprintf(completion_msg,
+ "kpasswd change from %s FAILED: %s",
+ inet_ntoa(client_server_info.client_name.sin_addr),
+ kadmind_kpasswd_response[retval]);
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ goto finish;
+
+ default:
+ retbuf[0] = KPASSWD;
+ retbuf[1] = CHGOPER;
+ retbuf[2] = KUNKNOWNERR;
+ retbuf[3] = '\0';
+ sprintf(completion_msg, "kpasswd change from %s FAILED",
+ inet_ntoa(client_server_info.client_name.sin_addr));
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ retval = 255;
+ goto finish;
+ } /* switch (retval) */
+ break;
+
+ default:
+ retbuf[0] = KPASSWD;
+ retbuf[1] = KUNKNOWNOPER;
+ retbuf[2] = '\0';
+ sprintf(completion_msg, "kpasswd %s from %s FAILED",
+ "Unknown or Non-Implemented Operation Type!",
+ inet_ntoa(client_server_info.client_name.sin_addr ));
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ retval = 255;
+ goto finish;
+ } /* switch (request_type->oper_code) */
+
+finish:
+ return(retval);
+}
diff --git a/src/kadmin/server/adm_listen.c b/src/kadmin/server/adm_listen.c
new file mode 100644
index 000000000..abedc1d79
--- /dev/null
+++ b/src/kadmin/server/adm_listen.c
@@ -0,0 +1,164 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Network Listen Loop for the Kerberos Version 5 Administration server
+ */
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_listen[] =
+"$Header$";
+#endif /* lint */
+
+/*
+ adm_listen.c
+*/
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <signal.h>
+#include <com_err.h>
+
+#ifndef sigmask
+#define sigmask(m) (1 <<((m)-1))
+#endif
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+void
+kill_children()
+{
+ register int i;
+ int osigmask;
+
+ osigmask = sigblock(sigmask(SIGCHLD));
+
+ for (i = 0; i < pidarraysize; i++) {
+ kill(pidarray[i], SIGINT);
+ syslog(LOG_AUTH | LOG_INFO, "Killing Admin Child %d", pidarray[i]);
+ }
+
+ sigsetmask(osigmask);
+ return;
+}
+
+/*
+adm5_listen_and_process - listen on the admin servers port for a request
+*/
+adm5_listen_and_process(prog)
+const char *prog;
+{
+ extern int errno;
+ int found;
+ fd_set mask, readfds;
+ int addrlen;
+ krb5_error_code process_client();
+ krb5_error_code retval;
+ void kill_children();
+ int pid;
+
+ (void) listen(client_server_info.server_socket, 1);
+
+ FD_ZERO(&mask);
+ FD_SET(client_server_info.server_socket, &mask);
+
+ for (;;) { /* loop nearly forever */
+ if (exit_now) {
+ kill_children();
+ return(0);
+ }
+
+ readfds = mask;
+ if ((found = select(client_server_info.server_socket + 1,
+ &readfds,
+ (fd_set *)0,
+ (fd_set *)0,
+ (struct timeval *)0)) == 0)
+ continue; /* no things read */
+
+ if (found < 0) {
+ if (errno != EINTR)
+ syslog(LOG_AUTH | LOG_INFO,
+ "%s: select: %s", "adm5_listen_and_process",
+ error_message(errno));
+ continue;
+ }
+
+ if (FD_ISSET(client_server_info.server_socket, &readfds)) {
+ /* accept the conn */
+ addrlen = sizeof(client_server_info.client_name);
+ if ((client_server_info.client_socket =
+ accept(client_server_info.server_socket,
+ (struct sockaddr *) &client_server_info.client_name,
+ &addrlen)) < 0) {
+ syslog(LOG_AUTH | LOG_INFO, "%s: accept: %s",
+ "adm5_listen_and_process",
+ error_message(errno));
+ continue;
+ }
+#ifndef DEBUG
+ /* if you want a sep daemon for each server */
+ if (!(pid = fork())) {
+ /* child */
+ (void) close(client_server_info.server_socket);
+
+ retval = process_client("adm5_listen_and_process");
+ exit(retval);
+ } else {
+ /* parent */
+ if (pid < 0) {
+ syslog(LOG_AUTH | LOG_INFO, "%s: fork: %s",
+ "adm5_listen_and_process",
+ error_message(errno));
+ (void) close(client_server_info.client_socket);
+ continue;
+ }
+
+ /* fork succeded: keep tabs on child */
+
+ (void) close(client_server_info.client_socket);
+ if (pidarray) {
+ pidarray = (int *) realloc((char *)pidarray,
+ (++pidarraysize) * sizeof(int));
+ pidarray[pidarraysize - 1] = pid;
+ } else {
+ pidarraysize = 1;
+ pidarray =
+ (int *) malloc(pidarraysize *sizeof(int));
+ pidarray[0] = pid;
+ }
+ }
+#else
+ /* do stuff */
+
+ retval = process_client("adm5_listen_and_process");
+ exit(retval);
+#endif /* DEBUG */
+ } else {
+ syslog(LOG_AUTH | LOG_INFO, "%s: something else woke me up!",
+ "adm5_listen_and_process");
+ return(0);
+ }
+ }
+}
diff --git a/src/kadmin/server/adm_nego.c b/src/kadmin/server/adm_nego.c
new file mode 100644
index 000000000..124372032
--- /dev/null
+++ b/src/kadmin/server/adm_nego.c
@@ -0,0 +1,339 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * Modify the Kerberos Database
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_nego[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <com_err.h>
+#include <sys/types.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <stdio.h>
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/asn1.h>
+
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+krb5_error_code
+adm_negotiate_key(DECLARG(char const *, prog),
+ DECLARG(krb5_ticket *, client_creds),
+ DECLARG(char *, new_passwd))
+OLDDECLARG(char const *, prog)
+OLDDECLARG(krb5_ticket *, client_creds)
+OLDDECLARG(char *, new_passwd)
+
+{
+ krb5_data msg_data, inbuf;
+ krb5_error_code retval;
+#if defined(MACH_PASS) || defined(SANDIA) /* Machine-generated passwords. */
+ krb5_pwd_data *pwd_data;
+ krb5_pwd_data encodable_data;
+ krb5_data *encoded_pw_string;
+ passwd_phrase_element **next_passwd_phrase_element;
+ char *tmp_passwd, *tmp_phrase;
+ krb5_authenticator *client_auth_data;
+ int count, i, j, k;
+ int legit_passwd = 0;
+#endif
+ extern int errno;
+
+#if defined(MACH_PASS) || defined(SANDIA) /* Machine-generated passwords. */
+
+#define clear_encodable_data() \
+{ encodable_data.sequence_count = 0; \
+ encodable_data.element = 0; \
+}
+
+#define free_seq_list() \
+{ free(encodable_data.element); \
+}
+
+#define free_pwd_and_phrase_structures() \
+{ next_passwd_phrase_element = encodable_data.element; \
+ for (k = 0; \
+ *next_passwd_phrase_element != 0 && k < encodable_data.sequence_count; \
+ k++) { \
+ free(*next_passwd_phrase_element); \
+ *next_passwd_phrase_element = 0; \
+ next_passwd_phrase_element++; } \
+}
+
+#define free_passwds() \
+{ next_passwd_phrase_element = encodable_data.element; \
+ for (k = 0; \
+ *next_passwd_phrase_element != 0 && k < encodable_data.sequence_count; \
+ k++) { \
+ memset((char *) (*next_passwd_phrase_element)->passwd->data, \
+ 0, (*next_passwd_phrase_element)->passwd->length); \
+ free((*next_passwd_phrase_element)->passwd->data); \
+ next_passwd_phrase_element++; } \
+}
+
+#define free_phrases() \
+{ next_passwd_phrase_element = encodable_data.element; \
+ for (k = 0; \
+ *next_passwd_phrase_element != 0 && k < encodable_data.sequence_count; \
+ k++) { \
+ memset((char *) (*next_passwd_phrase_element)->phrase->data, \
+ 0, (*next_passwd_phrase_element)->phrase->length); \
+ free((*next_passwd_phrase_element)->phrase->data); \
+ next_passwd_phrase_element++; } \
+}
+
+ encodable_data.sequence_count =
+ ADM_MAX_PW_CHOICES * ADM_MAX_PW_ITERATIONS;
+
+ /* Allocate List of Password and Phrase Addresses Pointers */
+ if ((encodable_data.element = (passwd_phrase_element **) calloc(
+ encodable_data.sequence_count + 1,
+ sizeof(passwd_phrase_element *))) ==
+ (passwd_phrase_element **) 0) {
+ clear_encodable_data();
+ com_err("adm_negotiate_key", 0,
+ "No Memory for Password and Phrase List");
+ return(1);
+ }
+
+ next_passwd_phrase_element = encodable_data.element;
+
+ /* Allow for ADM_MAX_PW_ITERATIONS Sets of Five Passwords/Phrases */
+ for ( i = 0; i < ADM_MAX_PW_ITERATIONS; i++) {
+ if ( i == ADM_MAX_PW_ITERATIONS ) {
+ com_err("adm_negotiate_key", 0,
+ "Excessive Password List Requests");
+ return(1);
+ }
+
+ /* Allocate passwd_phrase_element structures */
+ for (j = 0; j < ADM_MAX_PW_CHOICES; j++) {
+ if ((*next_passwd_phrase_element =
+ (passwd_phrase_element *) calloc(1,
+ sizeof(passwd_phrase_element))) ==
+ (passwd_phrase_element *) 0) {
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", 0,
+ "No Memory for Additional Password and Phrase Structures");
+ return(1);
+ }
+
+ if ((retval = get_pwd_and_phrase("adm_negotiate_key",
+ &tmp_passwd, &tmp_phrase))) {
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", 0, "Unable to get_pwd_and_phrase");
+ return(1);
+ }
+
+ if (((*next_passwd_phrase_element)->passwd =
+ (krb5_data *) calloc(1,
+ sizeof(krb5_data))) == (krb5_data *) 0) {
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", 0,
+ "No Memory for Additional Password and Phrase Structures");
+ return(1);
+ }
+
+ if (((*next_passwd_phrase_element)->passwd->data =
+ (char *) calloc (1,
+ strlen(tmp_passwd))) == (char *) 0) {
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", ENOMEM,
+ "for Additional Passwords");
+ }
+
+ strcpy((*next_passwd_phrase_element)->passwd->data, tmp_passwd);
+ (*next_passwd_phrase_element)->passwd->length = strlen(tmp_passwd);
+
+ if (((*next_passwd_phrase_element)->phrase =
+ (krb5_data *) calloc(1,
+ sizeof(krb5_data))) == (krb5_data *) 0) {
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", 0,
+ "No Memory for Additional Password and Phrase Structures");
+ return(1);
+ }
+
+ if (((*next_passwd_phrase_element)->phrase->data =
+ (char *) calloc (1,
+ strlen(tmp_phrase))) == (char *) 0) {
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", ENOMEM,
+ "for Additional Passwords");
+ }
+
+ strcpy((*next_passwd_phrase_element)->phrase->data, tmp_phrase);
+ (*next_passwd_phrase_element)->phrase->length = strlen(tmp_phrase);
+
+ free(tmp_passwd);
+ free(tmp_phrase);
+
+ next_passwd_phrase_element++;
+ }
+ } /* for i <= KADM_MAX_PW_CHOICES */
+
+ /* Asn.1 Encode the Passwords and Phrases */
+ if ((retval = encode_krb5_pwd_data(&encodable_data,
+ &encoded_pw_string))) {
+ com_err("adm_negotiate_key", 0,
+ "Unable to encode Password and Phrase Data");
+ return(1);
+ }
+
+ /* Free Phrases But Hold onto Passwds for Awhile*/
+ free_phrases();
+
+ /* Encrypt Password/Phrases Encoding */
+ retval = krb5_mk_priv(encoded_pw_string,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data);
+ if (retval ) {
+ free_passwds();
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", retval, "during mk_priv");
+ return(1);
+ }
+
+ /* Send Encrypted/Encoded Passwords and Phrases to Client */
+ if (krb5_write_message(&client_server_info.client_socket, &msg_data)){
+ free(msg_data.data);
+ free_passwds();
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+ com_err("adm_negotiate_key", 0, "Error Performing Password Write");
+ return(1);
+ }
+ free(msg_data.data);
+
+#endif /* MACH_PASS - Machine-gen. passwords */
+ /* Read Client Response */
+ if (krb5_read_message(&client_server_info.client_socket, &inbuf)){
+#if defined(MACH_PASS) || defined(SANDIA)
+ free_passwds();
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+#endif
+ com_err("adm_negotiate_key", errno, "Error Performing Password Read");
+ return(1);
+ }
+
+ /* Decrypt Client Response */
+ if ((retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ recv_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data))) {
+ free(inbuf.data);
+#if defined(MACH_PASS) || defined(SANDIA)
+ free_passwds();
+ free_pwd_and_phrase_structures();
+ free_seq_list();
+ clear_encodable_data();
+#endif
+ com_err("adm_negotiate_key", retval, "krb5_rd_priv error %s",
+ error_message(retval));
+ return(1);
+ }
+ free(inbuf.data);
+
+#if defined(MACH_PASS) || defined(SANDIA) /* Machine-generated passwords */
+ legit_passwd = 0;
+ next_passwd_phrase_element = encodable_data.element;
+ /* Compare Response with Acceptable Passwords */
+ for (j = 0;
+ j < ADM_MAX_PW_CHOICES * ADM_MAX_PW_ITERATIONS;
+ j++) {
+ if ((retval = memcmp(msg_data.data,
+ (*next_passwd_phrase_element)->passwd->data,
+ strlen((*next_passwd_phrase_element)->passwd->data))) == 0) {
+ legit_passwd++;
+ break; /* Exit Loop - Match Found */
+ }
+ next_passwd_phrase_element++;
+ }
+ /* Now Free Passwds */
+ free_passwds();
+
+ /* free password_and_phrase structures */
+ free_pwd_and_phrase_structures();
+
+ /* free passwd_phrase_element list */
+ free_seq_list();
+
+ /* clear krb5_pwd_data */
+ clear_encodable_data();
+
+ if (!(legit_passwd)) {
+ com_err("adm_negotiate_key", 0, "Invalid Password Entered");
+ return(1);
+ }
+#endif
+ strncpy(new_passwd, msg_data.data, msg_data.length);
+ free(msg_data.data);
+
+ return(0);
+}
+
diff --git a/src/kadmin/server/adm_network.c b/src/kadmin/server/adm_network.c
new file mode 100644
index 000000000..a7de9f2eb
--- /dev/null
+++ b/src/kadmin/server/adm_network.c
@@ -0,0 +1,286 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Network Initialization/Shutdown Component of the
+ * Version 5 Administration network
+ */
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_network[] =
+"$Header$";
+#endif /* lint */
+
+/*
+ * adm_network.c
+ */
+
+#include <stdio.h>
+#include <com_err.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/param.h>
+#include <signal.h>
+
+#ifndef sigmask
+#define sigmask(m) (1 <<((m)-1))
+#endif
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+#include <netdb.h>
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+extern int errno;
+
+krb5_error_code
+closedown_network(prog)
+const char *prog;
+{
+ if (client_server_info.server_socket == -1) return(1);
+
+ (void) close(client_server_info.server_socket);
+ client_server_info.server_socket = -1;
+ return(0);
+}
+
+krb5_sigtype
+doexit()
+{
+ exit_now = 1;
+#if defined (POSIX) || defined(SYSV) || defined(sun) && !defined(sysvimp) || defined(ultrix) || (defined(mips) && defined(SYSTYPE_BSD43)) || defined(convex)
+ return;
+#else /* !POSIX */
+ return(0);
+#endif /* POSIX */
+}
+
+/*
+ * SIGCHLD brings us here
+ */
+krb5_sigtype
+do_child()
+{
+ /*
+ * <sys/param.h> has been included, so BSD will be defined on
+ * BSD systems
+ */
+#if BSD > 0 && BSD <= 43
+#ifndef WEXITSTATUS
+#define WEXITSTATUS(w) (w).w_retcode
+#define WTERMSIG(w) (w).w_termsig
+#endif
+ union wait status;
+#else
+ int status;
+#endif
+ int pid, i, j;
+
+ pid = wait(&status);
+ if (pid < 0) {
+#ifdef SYSV
+ signal(SIGCHLD, do_child);
+#endif
+#if defined (POSIX) || defined(SYSV) || defined(sun) && !defined(sysvimp) || defined(ultrix) || (defined(mips) && defined(SYSTYPE_BSD43)) || defined(convex)
+ return;
+#else /* !POSIX */
+ return(0);
+#endif /* POSIX */
+ }
+
+ for (i = 0; i < pidarraysize; i++)
+ if (pidarray[i] == pid) {
+ /* found it */
+ for (j = i; j < pidarraysize-1; j++)
+ /* copy others down */
+ pidarray[j] = pidarray[j+1];
+ pidarraysize--;
+ if ( !WIFEXITED(status) ) {
+ com_err("adm_network", 0, "child %d: termsig %d",
+ pid, WTERMSIG(status) );
+ com_err("adm_network", 0, "retcode %d",
+ WEXITSTATUS(status));
+ }
+
+#ifdef SYSV
+ signal(SIGCHLD, do_child);
+#endif
+
+#if defined (POSIX) || defined(SYSV) || defined(sun) && !defined(sysvimp) || defined(ultrix) || (defined(mips) && defined(SYSTYPE_BSD43)) || defined(convex)
+ return;
+#else /* !POSIX */
+ return(0);
+#endif /* POSIX */
+ }
+#ifdef SYSV
+ signal(SIGCHLD, do_child);
+#endif
+
+ com_err("adm_network", 0,
+ "child %d not in list: termsig %d, retcode %d", pid,
+ WTERMSIG(status), WEXITSTATUS(status));
+
+#if defined (POSIX) || defined(SYSV) || defined(sun) && !defined(sysvimp) || defined(ultrix) || (defined(mips) && defined(SYSTYPE_BSD43)) || defined(convex)
+ return;
+#else /* !POSIX */
+ return(0);
+#endif /* POSIX */
+}
+
+krb5_error_code
+setup_network(prog)
+const char *prog;
+{
+ krb5_error_code retval;
+ char server_host_name[MAXHOSTNAMELEN];
+ char *lrealm;
+ krb5_sigtype doexit(), do_child();
+ struct servent *service_servent;
+ struct hostent *service_hostent;
+
+ signal(SIGINT, doexit);
+ signal(SIGTERM, doexit);
+ signal(SIGHUP, doexit);
+ signal(SIGQUIT, doexit);
+ signal(SIGPIPE, SIG_IGN); /* get errors on write() */
+ signal(SIGALRM, doexit);
+ signal(SIGCHLD, do_child);
+
+ client_server_info.name_of_service = malloc(768);
+ if (!client_server_info.name_of_service) {
+ com_err("setup_network", 0,
+ "adm_network: No Memory for name_of_service");
+ return ENOMEM;
+ }
+
+
+ if (retval = krb5_get_default_realm(&lrealm)) {
+ free(client_server_info.name_of_service);
+ com_err( "setup_network", 0,
+ "adm_network: Unable to get Default Realm");
+ return retval;
+ }
+
+ (void) sprintf(client_server_info.name_of_service, "%s%s%s%s%s",
+ CPWNAME, "/", lrealm, "", "");
+ free(lrealm);
+
+#ifdef DEBUG
+ fprintf(stderr, "client_server_info.name_of_service = %s\n",
+ client_server_info.name_of_service);
+#endif /* DEBUG */
+
+ if ((retval = krb5_parse_name(client_server_info.name_of_service,
+ &client_server_info.server))) {
+ free(client_server_info.name_of_service);
+ com_err( "setup_network", retval,
+ "adm_network: Unable to Parse Server Name");
+ return retval;
+ }
+
+ if (gethostname(server_host_name, sizeof(server_host_name))) {
+ retval = errno;
+ krb5_free_principal(client_server_info.server);
+ free(client_server_info.name_of_service);
+ com_err( "setup_network", retval,
+ "adm_network: Unable to Identify Who I am");
+ return retval;
+ }
+
+ service_hostent = gethostbyname(server_host_name);
+ if (!service_hostent) {
+ retval = errno;
+ free(client_server_info.name_of_service);
+ com_err("setup_network", retval, "adm_network: Failed gethostname");
+ return retval;
+ }
+
+#ifdef DEBUG
+ fprintf(stderr, "Official host name = %s\n", service_hostent->h_name);
+#endif /* DEBUG */
+
+ client_server_info.server_name.sin_family = AF_INET;
+
+#ifdef unicos61
+ memcpy((char *) &client_server_info.server_name.sin_addr,
+ (char *) service_hostent->h_addr, service_hostent->h_length);
+#else
+ memcpy((char *) &client_server_info.server_name.sin_addr.s_addr,
+ (char *) service_hostent->h_addr, service_hostent->h_length);
+#endif /* unicos61 */
+
+ client_server_info.server_socket = -1;
+
+#ifdef DEBUG
+ fprintf(stderr, "adm5_tcp_portname = %s\n", adm5_tcp_portname);
+#endif /* DEBUG */
+
+ service_servent = getservbyname(adm5_tcp_portname, "tcp");
+
+ if (!service_servent) {
+ krb5_free_principal(client_server_info.server);
+ free(client_server_info.name_of_service);
+ com_err("setup_network", 0, "adm_network: %s/tcp service unknown",
+ adm5_tcp_portname);
+ return(1);
+ }
+
+#ifdef DEBUG
+ fprintf(stderr, "Official service name = %s\n", service_servent->s_name);
+#endif /* DEBUG */
+
+ client_server_info.server_name.sin_port = service_servent->s_port;
+
+ if ((client_server_info.server_socket =
+ socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+ retval = errno;
+ krb5_free_principal(client_server_info.server);
+ free(client_server_info.name_of_service);
+ com_err("setup_network", retval,
+ "adm_network: Cannot create server socket.");
+ return(1);
+ }
+
+#ifdef DEBUG
+ fprintf(stderr, "Socket File Descriptor = %d\n",
+ client_server_info.server_socket);
+ fprintf(stderr, "sin_family = %d\n",
+ client_server_info.server_name.sin_family);
+ fprintf(stderr, "sin_port = %d\n",
+ client_server_info.server_name.sin_port);
+ fprintf(stderr, "in_addr.s_addr = %s\n",
+ inet_ntoa( client_server_info.server_name.sin_addr ));
+#endif /* DEBUG */
+
+ if (bind(client_server_info.server_socket,
+ &client_server_info.server_name,
+ sizeof(client_server_info.server_name)) < 0) {
+ retval = errno;
+ krb5_free_principal(client_server_info.server);
+ free(client_server_info.name_of_service);
+ com_err("setup_network", retval,
+ "adm_network: Cannot bind server socket.");
+ return(1);
+ }
+
+ return(0);
+}
diff --git a/src/kadmin/server/adm_parse.c b/src/kadmin/server/adm_parse.c
new file mode 100644
index 000000000..eb284c78f
--- /dev/null
+++ b/src/kadmin/server/adm_parse.c
@@ -0,0 +1,270 @@
+#ifdef SANDIA
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * Edit a KDC database.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_parse[] =
+"$Id$";
+#endif /* !lint & !SABER */
+
+#include <syslog.h>
+#include <stdio.h>
+
+#if defined (unicos61) || (defined(mips) && defined(SYSTYPE_BSD43)) || defined(sysvimp)
+#include <time.h>
+#else
+#include <sys/time.h>
+#endif /* unicos61 */
+#if defined(aux20)
+#include <time.h>
+#endif /* aux20 */
+
+#include <krb5/krb5.h>
+#include <krb5/kdb.h>
+#include <krb5/kdb_dbm.h>
+
+void
+kadmin_parse_and_set(input_string)
+char *input_string;
+{
+ extern int classification;
+ extern krb5_kvno KDB5_VERSION_NUM;
+ extern krb5_deltat KDB5_MAX_TKT_LIFE;
+ extern krb5_deltat KDB5_MAX_REN_LIFE;
+ extern krb5_timestamp KDB5_EXP_DATE;
+ extern krb5_flags NEW_ATTRIBUTES;
+
+ int num_args;
+ char parameter[40];
+ char first_token[40];
+ char second_token[40];
+
+ int bypass = 0;
+
+ struct tm exp_date;
+ long todays_date;
+ int year;
+ int month;
+ int mday;
+
+ first_token[0] = second_token[0] = '\0';
+ num_args = sscanf(input_string, "%s %s %s", parameter,
+ first_token, second_token);
+
+ if (strcmp(parameter, "BYPASS") == 0) {
+ bypass++;
+ syslog(LOG_ERR,
+ "CAUTION: Classified and Unclassified Principals will be allowed");
+ return;
+ }
+
+ if (strcmp(parameter, "CLASSIFICATION") == 0) {
+ if (strcmp(first_token, "CLASS") == 0) {
+ classification = 1;
+ if (bypass) classification = 0;
+ }
+ return;
+ }
+
+ if (strcmp(parameter, "VERSION_NUM") == 0) {
+ if (num_args < 2) {
+ KDB5_VERSION_NUM = 1;
+ } else {
+ KDB5_VERSION_NUM = atoi(first_token);
+ }
+ return;
+ }
+
+ if (strcmp(parameter, "MAX_TKT_LIFE") == 0) {
+ if (num_args < 2) {
+ KDB5_MAX_TKT_LIFE = KRB5_KDB_MAX_LIFE;
+ } else {
+ switch (second_token[0]) {
+ case 's':
+ KDB5_MAX_TKT_LIFE = atoi(first_token);
+ break;
+ case 'm':
+ KDB5_MAX_TKT_LIFE = atoi(first_token) * 60;
+ break;
+ case 'h':
+ KDB5_MAX_TKT_LIFE = atoi(first_token) * 3600;
+ break;
+ case 'd':
+ KDB5_MAX_TKT_LIFE = atoi(first_token) * 86400;
+ break;
+ case 'w':
+ KDB5_MAX_TKT_LIFE = atoi(first_token) * 604800;
+ break;
+ case 'M': /* 30 days */
+ KDB5_MAX_TKT_LIFE = atoi(first_token) * 18144000;
+ break;
+ case 'y': /* 365 days */
+ KDB5_MAX_TKT_LIFE = atoi(first_token) * 220752000;
+ break;
+ case 'e': /* eternity */
+ KDB5_MAX_TKT_LIFE = 2145830400;
+ break;
+ default:
+ break;
+ }
+ }
+ return;
+ }
+
+ if (strcmp(parameter, "MAX_REN_LIFE") == 0) {
+ if (num_args < 2) {
+ KDB5_MAX_REN_LIFE = KRB5_KDB_MAX_RLIFE;
+ } else {
+ switch (second_token[0]) {
+ case 's':
+ KDB5_MAX_REN_LIFE = atoi(first_token);
+ break;
+ case 'm':
+ KDB5_MAX_REN_LIFE = atoi(first_token) * 60;
+ break;
+ case 'h':
+ KDB5_MAX_REN_LIFE = atoi(first_token) * 3600;
+ break;
+ case 'd':
+ KDB5_MAX_REN_LIFE = atoi(first_token) * 86400;
+ break;
+ case 'w':
+ KDB5_MAX_REN_LIFE = atoi(first_token) * 604800;
+ break;
+ case 'M': /* 30 days */
+ KDB5_MAX_REN_LIFE = atoi(first_token) * 18144000;
+ break;
+ case 'y': /* 365 days */
+ KDB5_MAX_REN_LIFE = atoi(first_token) * 220752000;
+ break;
+ case 'e': /* eternity */
+ KDB5_MAX_REN_LIFE = 2145830400;
+ break;
+ default:
+ break;
+ }
+ }
+ return;
+ }
+
+
+ if (strcmp(parameter, "SET_EXP_DATE") == 0) {
+ (void) time(&todays_date);
+ switch (first_token[0]) {
+ case 'e': /* eternity */
+ KDB5_EXP_DATE = 2145830400;
+ year = 2037;
+ month = 12;
+ mday = 30;
+ sprintf(first_token, "%s", "eternity");
+ break;
+ case 'y': /* yesterday */
+ KDB5_EXP_DATE = todays_date - 86400;
+ year = 1970;
+ month = 01;
+ mday = 01;
+ sprintf(first_token, "%s", "yesterday");
+ break;
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '9':
+ sscanf(first_token, "%d/%d/%d", &year, &month, &mday);
+ year = (year > 1900) ? year - 1900 : year;
+ year = (year > 137) ? year - 100 : year;
+ year = (year > 137) ? 137 : year;
+ exp_date.tm_year =
+ ((year >= 00 && year < 38) ||
+ (year >= 70 && year <= 138)) ? year : 137;
+ exp_date.tm_mon =
+ (month >= 1 &&
+ month <= 12) ? month - 1 : 0;
+ exp_date.tm_mday =
+ (mday >= 1 &&
+ mday <= 31) ? mday : 1;
+ exp_date.tm_hour = 0;
+ exp_date.tm_min = 1;
+ exp_date.tm_sec = 0;
+ KDB5_EXP_DATE = convert_tm_to_sec(&exp_date);
+ break;
+ default:
+ KDB5_EXP_DATE = KRB5_KDB_EXPIRATION;
+ sprintf(first_token, "%s", "Default KDB Expiration");
+ break;
+ }
+ if (year < 1900) year += 1900;
+ if (year < 1938) year += 100;
+ return;
+ }
+
+ if (strcmp(parameter, "SET_PWCHG") == 0) {
+ if (num_args < 2) {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES | KRB5_KDB_REQUIRES_PWCHANGE;
+ } else {
+ if (first_token[0] == 'y' || first_token[0] == 'Y') {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES | KRB5_KDB_REQUIRES_PWCHANGE;
+ } else {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES & ~KRB5_KDB_REQUIRES_PWCHANGE;
+ KDB5_VERSION_NUM = 1;
+ }
+ }
+ return;
+ }
+
+ if (strcmp(parameter, "SET_PREAUTH") == 0) {
+ if (num_args < 2) {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES | KRB5_KDB_REQUIRES_PRE_AUTH;
+ } else {
+ if (first_token[0] == 'y' || first_token[0] == 'Y') {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES | KRB5_KDB_REQUIRES_PRE_AUTH;
+ } else {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES & ~KRB5_KDB_REQUIRES_PRE_AUTH;
+ }
+ }
+ return;
+ }
+
+ if (strcmp(parameter, "SET_SECUREID") == 0) {
+ if (num_args < 2) {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES | KRB5_KDB_REQUIRES_HW_AUTH |
+ KRB5_KDB_REQUIRES_PRE_AUTH;
+ } else {
+ if (first_token[0] == 'y' || first_token[0] == 'Y') {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES | KRB5_KDB_REQUIRES_HW_AUTH |
+ KRB5_KDB_REQUIRES_PRE_AUTH;
+ } else {
+ NEW_ATTRIBUTES = NEW_ATTRIBUTES & ~KRB5_KDB_REQUIRES_HW_AUTH;
+ }
+ }
+ return;
+ }
+}
+#endif
diff --git a/src/kadmin/server/adm_process.c b/src/kadmin/server/adm_process.c
new file mode 100644
index 000000000..0e3d0d478
--- /dev/null
+++ b/src/kadmin/server/adm_process.c
@@ -0,0 +1,454 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ */
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_process[] =
+"$Header$";
+#endif /* lint */
+
+/*
+ adm_process.c
+*/
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <sys/wait.h>
+#include <stdio.h>
+#include <com_err.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/kdb.h>
+#include <krb5/adm_defs.h>
+#include "adm_extern.h"
+
+extern krb5_encrypt_block master_encblock;
+extern krb5_keyblock master_keyblock;
+
+struct cpw_keyproc_arg {
+ krb5_keyblock *key;
+};
+
+static krb5_error_code
+cpw_keyproc(DECLARG(krb5_pointer, keyprocarg),
+ DECLARG(krb5_principal, server),
+ DECLARG(krb5_kvno, key_vno),
+ DECLARG(krb5_keyblock **, key))
+OLDDECLARG(krb5_pointer, keyprocarg)
+OLDDECLARG(krb5_principal, server)
+OLDDECLARG(krb5_kvno, key_vno)
+OLDDECLARG(krb5_keyblock **, key)
+{
+ krb5_error_code retval;
+ krb5_db_entry cpw_entry;
+ krb5_principal cpw_krb;
+ krb5_keyblock *realkey;
+
+ struct cpw_keyproc_arg *arg;
+
+ krb5_boolean more;
+
+ int nprincs = 1;
+
+ arg = ( struct cpw_keyproc_arg *) keyprocarg;
+
+ if (arg->key) {
+ *key = arg->key;
+ } else {
+ if (retval = krb5_parse_name(client_server_info.name_of_service,
+ &cpw_krb)) {
+ syslog(LOG_ERR,
+ "cpw_keyproc %d while attempting to parse \"%s\"",
+ client_server_info.name_of_service, retval);
+ return(0);
+ }
+
+ if (retval = krb5_db_get_principal(cpw_krb, &cpw_entry,
+ &nprincs, &more)) {
+ syslog(LOG_ERR,
+ "cpw_keyproc %d while extracting %s entry",
+ client_server_info.name_of_service, retval);
+ return(0);
+ }
+
+ if (!nprincs) return(0);
+
+ if ((realkey = (krb5_keyblock *) calloc (1,
+ sizeof(krb5_keyblock))) == (krb5_keyblock * ) 0) {
+ krb5_db_free_principal(&cpw_entry, nprincs);
+ syslog(LOG_ERR, "cpw_keyproc: No Memory for server key");
+ close(client_server_info.client_socket);
+ return(0);
+ }
+
+ /* Extract the real kadmin/<realm> keyblock */
+ if (retval = krb5_kdb_decrypt_key(
+ &master_encblock,
+ &cpw_entry.key,
+ realkey)) {
+ krb5_db_free_principal(&cpw_entry, nprincs);
+ free(realkey);
+ syslog(LOG_ERR,
+ "cpw_keyproc: Cannot extract %s from master key",
+ client_server_info.name_of_service);
+ exit(0);
+ }
+
+ *key = realkey;
+ }
+
+ return(0);
+}
+
+krb5_error_code
+process_client(prog)
+char *prog;
+{
+ krb5_error_code retval;
+
+ struct cpw_keyproc_arg cpw_key;
+
+ int on = 1;
+ krb5_db_entry server_entry;
+
+ krb5_ticket *client_creds;
+ krb5_authenticator *client_auth_data;
+ char retbuf[512];
+
+ krb5_data final_msg;
+ char completion_msg[520];
+ kadmin_requests request_type;
+
+ int number_of_entries;
+ krb5_boolean more;
+ int namelen;
+
+ char *req_type = "";
+ int otype;
+
+ u_short data_len;
+ krb5_data outbuf;
+ krb5_data inbuf, msg_data;
+ extern int errno;
+
+ krb5_timestamp adm_time;
+
+ outbuf.data = retbuf;
+ if (setsockopt(client_server_info.client_socket,
+ SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) {
+ syslog(LOG_ERR, "adm_process: setsockopt keepalive: %d", errno);
+ }
+
+ /* V4 kpasswd Protocol Hack */
+ /* Read Length of Data */
+ retval = krb5_net_read(client_server_info.client_socket,
+ (char *) &data_len, 2);
+ if (retval < 0) {
+ syslog(LOG_ERR, "kadmind error: net_read Length Failure");
+ (void) sprintf(retbuf, "kadmind error during net_read for Length\n");
+ exit(0);
+ }
+
+ if (retval = krb5_db_init()) { /* Open as client */
+ syslog(LOG_ERR, "adm_process: Can't Open Database");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+/* Get Server Credentials for Mutual Authentication and Private
+ * Messages Note: Here client is the kadmin/<realm> server
+ */
+ number_of_entries = 1;
+ if ((retval = krb5_db_get_principal(client_server_info.server,
+ &server_entry,
+ &number_of_entries,
+ &more))) {
+ syslog(LOG_ERR,
+ "kadmind error: krb5_db_get_principal error: %d", retval);
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ if (more) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ syslog(LOG_ERR, "kadmind error: kadmin/<realm> service not unique");
+ exit(1);
+ }
+
+ if (number_of_entries != 1) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ syslog(LOG_ERR, "kadmind error: kadmin/<realm> service UNKNOWN");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ if ((cpw_key.key = (krb5_keyblock *) calloc (1,
+ sizeof(krb5_keyblock))) == (krb5_keyblock *) 0) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ syslog(LOG_ERR,
+ "kadmind error: No Memory for server key");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ /* Extract the real kadmin/<realm> keyblock */
+ if (retval = krb5_kdb_decrypt_key(
+ &master_encblock,
+ &server_entry.key,
+ (krb5_keyblock *) cpw_key.key)) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ free(cpw_key.key);
+ syslog(LOG_ERR,
+ "kadmind error: Cannot extract kadmin/<realm> from master key");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+/*
+ * To verify authenticity, we need to know the address of the
+ * client.
+ */
+
+ namelen = sizeof(client_server_info.client_addr);
+ if (getpeername(client_server_info.client_socket,
+ (struct sockaddr *) &client_server_info.client_addr,
+ &namelen) < 0) {
+ syslog(LOG_ERR, "kadmind error: Unable to Obtain Client Name.");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ /* we use mutual authentication */
+ client_server_info.client_addr.addrtype =
+ client_server_info.client_name.sin_family;
+ client_server_info.client_addr.length = SIZEOF_INADDR;
+ client_server_info.client_addr.contents =
+ (krb5_octet *) &client_server_info.client_name.sin_addr;
+
+ client_server_info.server_addr.addrtype =
+ client_server_info.server_name.sin_family;
+ client_server_info.server_addr.length = SIZEOF_INADDR;
+ client_server_info.server_addr.contents =
+ (krb5_octet *) &client_server_info.server_name.sin_addr;
+
+ krb5_init_ets();
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Request for Administrative Service Received from %s - Authenticating.",
+ inet_ntoa( client_server_info.client_name.sin_addr ));
+
+ if ((retval = krb5_recvauth(
+ (krb5_pointer) &client_server_info.client_socket,
+ ADM5_CPW_VERSION,
+ client_server_info.server,
+ &client_server_info.client_addr,
+ 0,
+ cpw_keyproc,
+ (krb5_pointer) &cpw_key,
+ 0,
+ &send_seqno,
+ &client_server_info.client,
+ &client_creds,
+ &client_auth_data
+ ))) {
+ syslog(LOG_ERR, "kadmind error: %s during recvauth\n",
+ error_message(retval));
+ (void) sprintf(retbuf, "kadmind error during recvauth: %s\n",
+ error_message(retval));
+ } else {
+ /* Check if ticket was issued using password (and not tgt)
+ within the last 5 minutes */
+
+ if (!(client_creds->enc_part2->flags & TKT_FLG_INITIAL)) {
+ syslog(LOG_ERR,
+ "Client ticket not initial");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ if (retval = krb5_timeofday(&adm_time)) {
+ syslog(LOG_ERR,
+ "Can't get time of day");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ if ((client_creds->enc_part2->times.authtime - adm_time) > 60*5) {
+ syslog(LOG_ERR,
+ "Client ticket not recent");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ recv_seqno = client_auth_data->seq_number;
+
+ if ((client_server_info.name_of_client =
+ (char *) calloc (1, 3 * 255)) == (char *) 0) {
+ syslog(LOG_ERR, "kadmind error: No Memory for name_of_client");
+ close(client_server_info.client_socket);
+ exit(0);
+ }
+
+ if ((retval = krb5_unparse_name(client_server_info.client,
+ &client_server_info.name_of_client))) {
+ syslog(LOG_ERR, "kadmind error: unparse failed.",
+ error_message(retval));
+ goto finish;
+ }
+
+ syslog(LOG_AUTH | LOG_INFO,
+ "Request for Administrative Service Received from %s at %s.",
+ client_server_info.name_of_client,
+ inet_ntoa( client_server_info.client_name.sin_addr ));
+
+ /* compose the reply */
+ outbuf.data[0] = KADMIND;
+ outbuf.data[1] = KADMSAG;
+ outbuf.length = 2;
+ }
+
+ /* write back the response */
+ if ((retval = krb5_write_message(&client_server_info.client_socket,
+ &outbuf))){
+ syslog(LOG_ERR, "kadmind error: Write Message Failure: %s",
+ error_message(retval));
+ retval = 1;
+ goto finish;
+ }
+
+ /* Ok Now let's get the first private message and respond */
+ if (retval = krb5_read_message(&client_server_info.client_socket,
+ &inbuf)){
+ syslog(LOG_ERR, "kadmind error: read First Message Failure: %s",
+ error_message(retval));
+ retval = 1;
+ goto finish;
+ }
+
+ if ((retval = krb5_rd_priv(&inbuf,
+ client_creds->enc_part2->session,
+ &client_server_info.client_addr,
+ &client_server_info.server_addr,
+ client_auth_data->seq_number,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data))) {
+ syslog(LOG_ERR, "kadmind error: rd_priv:%s\n", error_message(retval));
+ goto finish;
+ }
+ free(inbuf.data);
+
+ request_type.appl_code = msg_data.data[0];
+ request_type.oper_code = msg_data.data[1];
+
+ free(msg_data.data);
+
+ switch (request_type.appl_code) {
+ case KPASSWD:
+ req_type = "kpasswd";
+ if (retval = adm5_kpasswd("process_client", &request_type,
+ client_creds, retbuf, &otype)) {
+ goto finish;
+ }
+ break;
+
+ case KADMIN:
+ req_type = "kadmin";
+ if (retval = adm5_kadmin("process_client", client_auth_data,
+ client_creds, retbuf, &otype)) {
+ goto finish;
+ }
+ retbuf[0] = KADMIN;
+ retbuf[2] = KADMGOOD;
+ retbuf[3] = '\0';
+ otype = 0;
+ break;
+
+ default:
+ retbuf[0] = KUNKNOWNAPPL;
+ retbuf[1] = '\0';
+ sprintf(completion_msg, "%s from %s (%02x) FAILED",
+ "Unknown Application Type!",
+ inet_ntoa(client_server_info.client_name.sin_addr),
+ request_type.appl_code);
+ /* Service Not Supported */
+ retval = 255;
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ goto finish;
+ } /* switch(request_type.appl_code) */
+
+ if ((final_msg.data = (char *) calloc(1,10)) == (char *) 0) {
+ syslog(LOG_ERR | LOG_INFO, "no Memory while allocating final_msg.data");
+ return ENOMEM;
+ }
+ final_msg.data = retbuf;
+ final_msg.length = strlen(retbuf) + 1;
+
+ /* Send Completion Message */
+ if (retval = krb5_mk_priv(&final_msg,
+ ETYPE_DES_CBC_CRC,
+ client_creds->enc_part2->session,
+ &client_server_info.server_addr,
+ &client_server_info.client_addr,
+ send_seqno,
+ KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
+ 0,
+ 0,
+ &msg_data)) {
+ syslog(LOG_ERR, "kadmind error Error Performing Final mk_priv");
+ free(final_msg.data);
+ goto finish;
+ }
+ free(final_msg.data);
+
+ /* Send Final Reply to Client */
+ if (retval = krb5_write_message(&client_server_info.client_socket,
+ &msg_data)){
+ syslog(LOG_ERR, "Error Performing Final Write: %s",
+ error_message(retval));
+ retval = 1;
+ goto finish;
+ }
+ free(msg_data.data);
+
+finish:
+
+ if (retval) {
+ free (client_server_info.name_of_client);
+ close(client_server_info.client_socket);
+ exit(1);
+ }
+
+ sprintf(completion_msg,
+ "%s %s for %s at %s - Completed Successfully",
+ req_type,
+ oper_type[otype],
+ client_server_info.name_of_client,
+ inet_ntoa( client_server_info.client_name.sin_addr ));
+ syslog(LOG_AUTH | LOG_INFO, completion_msg);
+ free (client_server_info.name_of_client);
+ close(client_server_info.client_socket);
+ return 0;
+}
diff --git a/src/kadmin/server/adm_server.c b/src/kadmin/server/adm_server.c
new file mode 100644
index 000000000..c61a8dad4
--- /dev/null
+++ b/src/kadmin/server/adm_server.c
@@ -0,0 +1,480 @@
+/*
+ * $Source$
+ * $Author$
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ *
+ * Top-level loop of the Kerberos Version 5 Administration server
+ */
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#if !defined(lint) && !defined(SABER)
+static char rcsid_adm_server_c[] =
+"$Header$";
+#endif /* lint */
+
+/*
+ adm_server.c
+ this holds the main loop and initialization and cleanup code for the server
+*/
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <syslog.h>
+#include <string.h>
+#include <com_err.h>
+
+#include <signal.h>
+#ifndef sigmask
+#define sigmask(m) (1 <<((m)-1))
+#endif
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#ifndef hpux
+#include <arpa/inet.h>
+#endif
+
+#ifndef __STDC__
+#include <varargs.h>
+#endif
+
+#include <krb5/krb5.h>
+#include <krb5/kdb.h>
+#include <krb5/dbm.h>
+#include <krb5/ext-proto.h>
+#include <krb5/los-proto.h>
+#include <krb5/mit-des.h>
+#include <krb5/kdb_dbm.h>
+
+#include <krb5/adm_defs.h>
+#include "adm_server.h"
+#include "adm_extern.h"
+
+global_client_server_info client_server_info;
+
+#ifdef SANDIA
+int classification; /* default = Unclassified */
+#endif
+
+krb5_flags NEW_ATTRIBUTES;
+
+cleanexit(val)
+ int val;
+{
+ (void) krb5_db_fini();
+ exit(val);
+}
+
+krb5_error_code
+closedown_db()
+{
+ krb5_error_code retval;
+
+ /* clean up master key stuff */
+ retval = krb5_finish_key(&master_encblock);
+
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ memset((char *)tgs_key.contents, 0, tgs_key.length);
+
+ /* close database */
+ if (retval) {
+ (void) krb5_db_fini();
+ return(retval);
+ } else
+ return(krb5_db_fini());
+}
+
+void
+usage(name)
+char *name;
+{
+ fprintf(stderr, "Usage: %s\t[-a aclfile] [-d dbname] [-k masterkeytype]",
+ name);
+ fprintf(stderr, "\n\t[-h] [-m] [-M masterkeyname] [-r realm]\n");
+ return;
+}
+
+krb5_error_code
+process_args(argc, argv)
+int argc;
+char **argv;
+{
+ krb5_error_code retval;
+ int c;
+ krb5_boolean manual = FALSE;
+ int keytypedone = 0;
+ char *db_realm = 0;
+ char *mkey_name = 0;
+ char *local_realm;
+ krb5_enctype etype;
+
+#ifdef SANDIA
+ char input_string[80];
+ FILE *startup_file;
+#endif
+
+ extern char *optarg;
+
+#ifdef SANDIA
+ classification = 0;
+
+ if ((startup_file =
+ fopen(DEFAULT_KDCPARM_NAME, "r")) == (FILE *) 0) {
+ syslog(LOG_ERR,
+ "Cannot open parameter file (%s) - Using default parameters",
+ DEFAULT_KDCPARM_NAME);
+ syslog(LOG_ERR, "Only Unclassified Principals will be allowed");
+ } else {
+ for ( ;; ) {
+ if ((fgets(input_string, sizeof(input_string), startup_file)) == NULL)
+ break;
+ kadmin_parse_and_set(input_string);
+ }
+ fclose(startup_file);
+ }
+#endif
+ while ((c = getopt(argc, argv, "hmMa:d:k:r:")) != EOF) {
+ switch(c) {
+ case 'a': /* new acl directory */
+ acl_file_name = optarg;
+ break;
+
+ case 'd':
+ /* put code to deal with alt database place */
+ dbm_db_name = optarg;
+ if (retval = krb5_dbm_db_set_name(dbm_db_name)) {
+ fprintf(stderr, "opening database %s: %s",
+ dbm_db_name, error_message(retval));
+ exit(1);
+ }
+ break;
+
+ case 'k': /* keytype for master key */
+ master_keyblock.keytype = atoi(optarg);
+ keytypedone++;
+ break;
+
+ case 'm': /* manual type-in of master key */
+ manual = TRUE;
+ break;
+
+ case 'M': /* master key name in DB */
+ mkey_name = optarg;
+ break;
+
+ case 'r':
+ db_realm = optarg;
+ break;
+
+ case 'h': /* get help on using adm_server */
+ default:
+ usage(argv[0]);
+ exit(1); /* Failure - Exit */
+ }
+
+ }
+
+ if (!db_realm) {
+ /* no realm specified, use default realm */
+ if (retval = krb5_get_default_realm(&local_realm)) {
+ com_err(argv[0], retval,
+ "while attempting to retrieve default realm");
+ exit(1);
+ }
+ db_realm = local_realm;
+ }
+
+ if (!mkey_name) {
+ mkey_name = KRB5_KDB_M_NAME;
+ }
+
+ if (!keytypedone) {
+ master_keyblock.keytype = KEYTYPE_DES;
+ }
+
+ /* assemble & parse the master key name */
+ if (retval = krb5_db_setup_mkey_name(mkey_name,
+ db_realm,
+ (char **) 0,
+ &master_princ)) {
+ com_err(argv[0], retval, "while setting up master key name");
+ exit(1);
+ }
+
+ master_encblock.crypto_entry = &mit_des_cryptosystem_entry;
+
+ if (retval = krb5_db_fetch_mkey(
+ master_princ,
+ &master_encblock,
+ manual,
+ FALSE, /* only read it once, if at all */
+ 0, /* No salt supplied */
+ &master_keyblock)) {
+ com_err(argv[0], retval, "while fetching master key");
+ exit(1);
+ }
+
+ /* initialize random key generators */
+ for (etype = 0; etype <= krb5_max_cryptosystem; etype++) {
+ if (krb5_csarray[etype]) {
+ if (retval = (*krb5_csarray[etype]->system->
+ init_random_key)(&master_keyblock,
+ &krb5_csarray[etype]->random_sequence)) {
+ com_err(argv[0], retval,
+ "while setting up random key generator for etype %d--etype disabled",
+ etype);
+ krb5_csarray[etype] = 0;
+ }
+ }
+ }
+
+ return(0);
+}
+
+krb5_error_code
+init_db(dbname, masterkeyname, masterkeyblock)
+char *dbname;
+krb5_principal masterkeyname;
+krb5_keyblock *masterkeyblock;
+
+{
+ krb5_error_code retval;
+
+ krb5_db_entry server_entry;
+ krb5_boolean more;
+ int number_of_entries;
+ char tgs_name[255];
+
+ /* set db name if appropriate */
+ if (dbname && (retval = krb5_db_set_name(dbname)))
+ return(retval);
+
+ /* initialize database */
+ if (retval = krb5_db_init())
+ return(retval);
+
+ if (retval = krb5_db_verify_master_key(masterkeyname,
+ masterkeyblock,
+ &master_encblock)) {
+ master_encblock.crypto_entry = 0;
+ return(retval);
+ }
+
+ /* do any necessary key pre-processing */
+ if (retval = krb5_process_key(&master_encblock, masterkeyblock)) {
+ master_encblock.crypto_entry = 0;
+ (void) krb5_db_fini();
+ return(retval);
+ }
+
+/*
+ fetch the TGS key, and hold onto it; this is an efficiency hack
+ the master key name here is from the master_princ global,
+ so we can safely share its substructure
+ */
+ strcpy(tgs_name, TGTNAME);
+ strcat(tgs_name, "/");
+ strcat(tgs_name, masterkeyname->realm.data);
+ krb5_parse_name(tgs_name, &tgs_server);
+
+ tgs_server->type = KRB5_NT_SRV_INST;
+
+ number_of_entries = 1;
+ if (retval = krb5_db_get_principal(
+ tgs_server,
+ &server_entry,
+ &number_of_entries,
+ &more)) {
+ return(retval);
+ }
+
+ if (more) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ (void) krb5_db_fini();
+ return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE);
+ } else if (number_of_entries != 1) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ (void) krb5_db_fini();
+ return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN);
+ }
+
+/*
+ convert server.key into a real key
+ (it may be encrypted in the database)
+ */
+ if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server_entry.key, &tgs_key)) {
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ (void) krb5_finish_key(&master_encblock);
+ memset((char *)&master_encblock, 0, sizeof(master_encblock));
+ (void) krb5_db_fini();
+ return(retval);
+ }
+
+ tgs_kvno = server_entry.kvno;
+ krb5_db_free_principal(&server_entry, number_of_entries);
+ return(0);
+}
+
+krb5_sigtype
+request_exit()
+{
+ signal_requests_exit = 1;
+ return;
+}
+
+void
+setup_signal_handlers()
+{
+ krb5_sigtype request_exit();
+
+ (void)signal(SIGINT, request_exit);
+ (void)signal(SIGHUP, request_exit);
+ (void)signal(SIGTERM, request_exit);
+ return;
+}
+
+static void
+kdc_com_err_proc(whoami, code, format, pvar)
+ const char *whoami;
+ long code;
+ const char *format;
+ va_list pvar;
+{
+#ifndef __STDC__
+ extern int vfprintf();
+#endif
+
+ if (whoami) {
+ fputs(whoami, stderr);
+ fputs(": ", stderr);
+ }
+
+ if (code) {
+ fputs(error_message(code), stderr);
+ fputs(" ", stderr);
+ }
+
+ if (format) {
+ vfprintf (stderr, format, pvar);
+ }
+
+ putc('\n', stderr);
+ /* should do this only on a tty in raw mode */
+ putc('\r', stderr);
+ fflush(stderr);
+
+ if (format) {
+ /* now need to frob the format a bit... */
+ if (code) {
+ char *nfmt;
+ nfmt = (char *) malloc(
+ strlen(format)+strlen(error_message(code))+2);
+ strcpy(nfmt, error_message(code));
+ strcat(nfmt, " ");
+ strcat(nfmt, format);
+ vsyslog(LOG_ERR, nfmt, pvar);
+ } else {
+ vsyslog(LOG_ERR, format, pvar);
+ }
+ } else {
+ if (code) {
+ syslog(LOG_ERR, "%s", error_message(code));
+ }
+ }
+ return;
+}
+
+void
+setup_com_err()
+{
+ initialize_krb5_error_table();
+ initialize_kdb5_error_table();
+ initialize_isod_error_table();
+
+ (void) set_com_err_hook(kdc_com_err_proc);
+ return;
+}
+
+/*
+** Main does the logical thing, it sets up the database and RPC interface,
+** as well as handling the creation and maintenance of the syslog file...
+*/
+main(argc, argv) /* adm_server main routine */
+int argc;
+char **argv;
+{
+ krb5_error_code retval;
+ int errout = 0;
+
+ adm5_ver_len = ADM5_VERSIZE;
+
+ /* Get the Name of this program (adm_server) for Error Messages */
+ if (strrchr(argv[0], '/'))
+ argv[0] = (char *)strrchr(argv[0], '/') + 1;
+
+ setup_com_err();
+
+ /* Use Syslog for Messages */
+#ifndef LOG_AUTH /* 4.2 syslog */
+#define LOG_AUTH 0
+ openlog(argv[0], LOG_CONS|LOG_NDELAY|LOG_PID, LOG_LOCAL6);
+#else
+ openlog(argv[0], LOG_AUTH|LOG_CONS|LOG_NDELAY|LOG_PID, LOG_LOCAL6);
+#endif /* LOG_AUTH */
+
+ process_args(argc, argv); /* includes reading master key */
+
+ setup_signal_handlers();
+
+ if (retval = init_db(dbm_db_name,
+ master_princ,
+ &master_keyblock)) {
+ com_err(argv[0], retval, "while initializing database");
+ exit(1);
+ }
+
+ if (retval = setup_network(argv[0])) {
+ exit(1);
+ }
+
+ syslog(LOG_AUTH | LOG_INFO, "Admin Server Commencing Operation");
+
+ if (retval = adm5_listen_and_process(argv[0])){
+ krb5_free_principal(client_server_info.server);
+ com_err(argv[0], retval, "while processing network requests");
+ errout++;
+ }
+
+ free(client_server_info.name_of_service);
+ krb5_free_principal(client_server_info.server);
+
+shutdown:
+ if (errout = closedown_network(argv[0])) {
+ com_err(argv[0], retval, "while shutting down network");
+ retval = retval + errout;
+ }
+
+ if (errout = closedown_db()) {
+ com_err(argv[0], retval, "while closing database");
+ retval = retval + errout;
+ }
+
+ syslog(LOG_AUTH | LOG_INFO, "Admin Server Shutting Down");
+
+ printf("Admin Server (kadmind) has completed operation.\n");
+
+ exit(retval);
+}
diff --git a/src/kadmin/server/adm_server.h b/src/kadmin/server/adm_server.h
new file mode 100644
index 000000000..d5b600a59
--- /dev/null
+++ b/src/kadmin/server/adm_server.h
@@ -0,0 +1,43 @@
+/*
+ * $Source$
+ * $Author$
+ * $Id$
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ *
+ * <<< Description >>>
+ */
+
+char prog[32];
+char *progname = prog;
+char *acl_file_name = DEFAULT_ACL_NAME;
+char *adm5_ver_str = ADM5_VERSTR;
+int adm5_ver_len;
+
+char *adm5_tcp_portname = ADM5_PORTNAME;
+int adm5_tcp_port_fd = -1;
+
+unsigned pidarraysize = 0;
+int *pidarray = (int *) 0;
+
+int exit_now = 0;
diff --git a/src/kadmin/server/adm_v4_pwd.c b/src/kadmin/server/adm_v4_pwd.c
new file mode 100644
index 000000000..65ccefe5c
--- /dev/null
+++ b/src/kadmin/server/adm_v4_pwd.c
@@ -0,0 +1,437 @@
+
+/*
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
+ * any purpose. It is provided "as is" without express or implied warranty.
+ */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+#include <syslog.h>
+#include <stdio.h>
+
+#define MAX_KTXT_LEN 1250
+#define ANAME_SZ 40
+#define INST_SZ 40
+#define REALM_SZ 40
+#define DATE_SZ 26
+
+typedef unsigned char des_cblock[8]; /* crypto-block size */
+#define C_Block des_cblock
+typedef struct des_ks_struct { des_cblock _; } des_key_schedule[16];
+#define Key_schedule des_key_schedule
+
+int des_debug = 0;
+
+struct ktext {
+ int length; /* Length of the text */
+ unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
+ unsigned long mbz; /* zero to catch runaway strings */
+};
+
+typedef struct ktext *KTEXT;
+typedef struct ktext KTEXT_ST;
+
+struct auth_dat {
+ unsigned char k_flags; /* Flags from ticket */
+ char pname[ANAME_SZ]; /* Principal's name */
+ char pinst[INST_SZ]; /* His Instance */
+ char prealm[REALM_SZ]; /* His Realm */
+ unsigned long checksum; /* Data checksum (opt) */
+ C_Block session; /* Session Key */
+ int life; /* Life of ticket */
+ unsigned long time_sec; /* Time ticket issued */
+ unsigned long address; /* Address in ticket */
+ KTEXT_ST reply; /* Auth reply (opt) */
+};
+
+typedef struct auth_dat AUTH_DAT;
+
+#define KADM_VERSTR "SKADM.m1"
+#define KADM_VERSIZE strlen(KADM_VERSTR)
+
+struct msg_dat {
+ unsigned char *app_data; /* pointer to appl data */
+ unsigned long app_length; /* length of appl data */
+ unsigned long hash; /* hash to lookup replay */
+ int swap; /* swap bytes? */
+ long time_sec; /* msg timestamp seconds */
+ unsigned char time_5ms; /* msg timestamp 5ms units */
+};
+
+typedef struct msg_dat MSG_DAT;
+
+typedef struct {
+ char name[ANAME_SZ];
+ char instance[INST_SZ];
+
+ unsigned long key_low;
+ unsigned long key_high;
+ unsigned long exp_date;
+ char exp_date_txt[DATE_SZ];
+ unsigned long mod_date;
+ char mod_date_txt[DATE_SZ];
+ unsigned short attributes;
+ unsigned char max_life;
+ unsigned char kdc_key_ver;
+ unsigned char key_version;
+
+ char mod_name[ANAME_SZ];
+ char mod_instance[INST_SZ];
+ char *old;
+} V4_Principal;
+
+ /* V5 Definitions */
+#include <krb5/adm_defs.h>
+#include <krb5/krb5.h>
+#include <krb5/osconf.h>
+#include <krb5/kdb.h>
+#include <krb5/kdb_dbm.h>
+#include <krb5/encryption.h>
+#include <krb5/mit-des.h>
+
+#include "adm_extern.h"
+
+struct saltblock {
+ int salttype;
+ krb5_data saltdata;
+};
+
+struct cpw_keyproc_arg {
+ krb5_keyblock *key;
+};
+
+/*
+process_v4_kpasswd
+unwrap the data stored in dat, process, and return it.
+ */
+process_v4_kpasswd(dat, dat_len, cpw_key)
+u_char **dat;
+int *dat_len;
+struct cpw_keyproc_arg *cpw_key;
+
+{
+ u_char *in_st; /* pointer into the sent packet */
+ int in_len,retc; /* where in packet we are, for
+ returns */
+ u_long r_len; /* length of the actual packet */
+ KTEXT_ST authent; /* the authenticator */
+ AUTH_DAT ad; /* who is this, klink */
+ u_long ncksum; /* checksum of encrypted data */
+ des_key_schedule sess_sched; /* our schedule */
+ MSG_DAT msg_st;
+ u_char *retdat, *tmpdat;
+ int retval, retlen;
+ u_short dlen;
+ extern int errno;
+
+ if (strncmp(KADM_VERSTR, (char *) *dat, KADM_VERSIZE)) {
+ syslog(LOG_ERR, "process_v4_kpasswd: Bad Version String");
+ return(1);
+ }
+
+ in_len = KADM_VERSIZE;
+ /* get the length */
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0) {
+ syslog(LOG_AUTH | LOG_INFO, "process_v4_kpasswd: Bad Length");
+ return(1);
+ }
+
+ in_len += retc;
+ authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_long);
+ memcpy((char *) authent.dat, (char *) (*dat) + in_len, authent.length);
+ authent.mbz = 0;
+
+ if (retval = krb_set_key(cpw_key->key->contents, 0) != 0) {
+ syslog(LOG_ERR, "process_v4_kpasswd: Bad set_key Request");
+ return(1);
+ }
+
+ /* service key should be set before here */
+ if (retc = krb4_rd_req(&authent,
+ CPWNAME,
+ client_server_info.server->realm.data,
+ client_server_info.client_name.sin_addr.s_addr,
+ &ad,
+ (char *) 0)) {
+ syslog(LOG_AUTH | LOG_INFO, "process_v4_kpasswd: Bad Read Request");
+ return(1);
+ }
+
+#define clr_cli_secrets() \
+{ \
+ memset((char *) sess_sched, 0, sizeof(sess_sched)); \
+ memset((char *) ad.session, 0, sizeof(ad.session)); \
+}
+
+ in_st = *dat + *dat_len - r_len;
+ ncksum = des_quad_cksum(in_st, (u_long *) 0, (long) r_len, 0, ad.session);
+ if (ncksum!=ad.checksum) { /* yow, are we correct yet */
+ clr_cli_secrets();
+ syslog(LOG_ERR, "process_v4_kpasswd: Invalid Checksum");
+ return(1);
+ }
+
+ des_key_sched(ad.session, sess_sched);
+
+ if (retc = (int) krb4_rd_priv(in_st,
+ r_len,
+ sess_sched,
+ ad.session,
+ &client_server_info.client_name,
+ &client_server_info.server_name,
+ &msg_st)) {
+ syslog(LOG_ERR, "process_v4_kpasswd: Bad Read Private Code = %d",
+ retc);
+ clr_cli_secrets();
+ return(1);
+ }
+
+ if (msg_st.app_data[0] != 2) { /* Only Valid Request is CHANGE_PW = 2 */
+ syslog(LOG_ERR, "process_v4_kpasswd: Invalid V4 Request");
+ clr_cli_secrets();
+ return(1);
+ }
+
+ retval = adm_v4_cpw(msg_st.app_data+1,
+ (int) msg_st.app_length,
+ &ad,
+ &retdat,
+ &retlen);
+
+ if (retval) {
+ syslog(LOG_ERR,
+ "process_v4_kpasswd: Password Modification for %s%s%s Failed",
+ ad.pname, (ad.pinst[0] != '\0') ? "/" : "",
+ (ad.pinst[0] != '\0') ? ad.pinst : "");
+ } else {
+ syslog(LOG_ERR,
+ "process_v4_kpasswd: Password Modification for %s%s%s Complete",
+ ad.pname, (ad.pinst[0] != '\0') ? "/" : "",
+ (ad.pinst[0] != '\0') ? ad.pinst : "");
+ }
+
+ /* Now seal the response back into a priv msg */
+ free((char *)*dat);
+ tmpdat = (u_char *) malloc((unsigned)(retlen + KADM_VERSIZE +
+ sizeof(u_long)));
+
+ (void) strncpy((char *) tmpdat, KADM_VERSTR, KADM_VERSIZE);
+
+ retval = htonl((u_long) retval);
+
+ memcpy((char *) tmpdat + KADM_VERSIZE, (char *) &retval, sizeof(u_long));
+
+ if (retlen) {
+ memcpy((char *) tmpdat + KADM_VERSIZE + sizeof(u_long),
+ (char *) retdat, retlen);
+ free((char *) retdat);
+ }
+
+ /* slop for mk_priv stuff */
+ *dat = (u_char *) malloc((unsigned) (retlen + KADM_VERSIZE +
+ sizeof(u_long) + 200));
+
+ if ((*dat_len = krb4_mk_priv(tmpdat, *dat,
+ (u_long) (retlen + KADM_VERSIZE +
+ sizeof(u_long)),
+ sess_sched,
+ ad.session,
+ &client_server_info.server_name,
+ &client_server_info.client_name)) < 0) {
+ clr_cli_secrets();
+ syslog(LOG_ERR, "process_v4_kpasswd: Bad mk_priv");
+ return(1);
+ }
+
+ dlen = (u_short) *dat_len;
+
+ dlen = htons(dlen);
+
+ if (krb5_net_write(client_server_info.client_socket,
+ (char *) &dlen, 2) < 0) {
+ syslog(LOG_ERR, "process_v4_kpasswd: Error writing dlen to client");
+ (void) close(client_server_info.client_socket);
+ }
+
+ if (krb5_net_write(client_server_info.client_socket,
+ (char *) *dat, *dat_len) < 0) {
+ syslog(LOG_ERR, "writing to client: %s",error_message(errno));
+ (void) close(client_server_info.client_socket);
+ }
+
+ free((char *) *dat);
+ clr_cli_secrets();
+
+ return(0);
+}
+
+krb5_kvno
+princ_exists(principal, entry)
+krb5_principal principal;
+krb5_db_entry *entry;
+{
+ int nprincs = 1;
+ krb5_boolean more;
+ krb5_error_code retval;
+ krb5_kvno vno;
+
+ nprincs = 1;
+ if (retval = krb5_db_get_principal(principal, entry, &nprincs, &more)) {
+ return 0;
+ }
+
+ if (!nprincs)
+ return 0;
+
+ return(nprincs);
+}
+
+/*
+adm_v4_cpw - the server side of the change_password routine
+ recieves : KTEXT, {key}
+ returns : CKSUM, RETCODE
+ acl : caller can change only own password
+
+Replaces the password (i.e. des key) of the caller with that specified in key.
+Returns no actual data from the master server, since this is called by a user
+*/
+int
+adm_v4_cpw(dat, len, ad, datout, outlen)
+u_char *dat;
+int len;
+AUTH_DAT *ad;
+u_char **datout;
+int *outlen;
+{
+ krb5_db_entry entry;
+ krb5_keyblock *v5_keyblock;
+
+ int number_of_principals;
+ krb5_error_code retval;
+ int one = 1;
+ char v5_principal[255];
+
+ C_Block v4_clear_key;
+ unsigned long keylow, keyhigh;
+ int stvlen;
+
+ /* Identify the Customer */
+ (void) sprintf(v5_principal, "%s%s%s\0", ad->pname,
+ (ad->pinst[0] != '\0') ? "/" : "",
+ (ad->pinst[0] != '\0') ? ad->pinst : "");
+
+ /* take key off the stream, and change the database */
+
+ if ((stvlen = stv_long(dat, &keyhigh, 0, len)) < 0) {
+ syslog(LOG_ERR, "adm_v4_cpw - (keyhigh) Length Error for stv_long");
+ return(1);
+ }
+ if (stv_long(dat, &keylow, stvlen, len) < 0) {
+ syslog(LOG_ERR, "adm_v4_cpw - (keylow) Length Error for stv_long");
+ return(1);
+ }
+
+ keylow = ntohl(keylow);
+ keyhigh = ntohl(keyhigh);
+
+ /* Convert V4 Key to V5 Key */
+ (void) memcpy(v4_clear_key, (char *) &keylow, 4);
+ (void) memcpy(((long *) v4_clear_key) + 1, (char *) &keyhigh, 4);
+
+ /* Zero Next Output Entry */
+ memset((char *) &entry, 0, sizeof(entry));
+
+ if (retval = krb5_parse_name(v5_principal, &entry.principal)) {
+ syslog(LOG_ERR, "adm_v4_cpw - Error parsing %s",
+ v5_principal);
+ return(1);
+ }
+
+ if (!(number_of_principals = princ_exists(entry.principal, &entry))) {
+ syslog(LOG_ERR, "adm_v4_cpw - principal %s is NOT in the database",
+ v5_principal);
+ return(1);
+ }
+
+ /* Allocate v5_keyblock and fill some fields */
+ if (!(v5_keyblock = (krb5_keyblock *) calloc (1,
+ sizeof(krb5_keyblock)))) {
+ syslog(LOG_ERR, "adm_v4_cpw - Error Allocating krb5_keyblock");
+ return(1);
+ }
+
+ v5_keyblock->keytype = KEYTYPE_DES;
+ v5_keyblock->length = 8;
+ if (!(v5_keyblock->contents = (krb5_octet *) calloc (1,
+ 8))) {
+ syslog(LOG_ERR,
+ "adm_v4_cpw - Error Allocating krb5_keyblock->contents\n");
+ free(v5_keyblock);
+ return(1);
+ }
+
+ memcpy(v5_keyblock->contents, v4_clear_key, 8);
+
+ if (retval = krb5_kdb_encrypt_key(&master_encblock,
+ v5_keyblock,
+ &entry.key)) {
+ syslog(LOG_ERR,
+ "adm_v4_cpw - Error %d while encrypting key for '%s'\n", retval,
+ v5_principal);
+ return(1);
+ }
+ entry.alt_key.length = 0;
+
+ /* Increment Version Number */
+ entry.kvno = entry.kvno + 1;
+#ifdef SANDIA
+ entry.attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
+#endif
+ if (retval = krb5_timeofday(&entry.mod_date)) {
+ syslog(LOG_ERR, "adm_v4_cpw - Error while fetching date");
+ return(1);
+ }
+#ifdef SANDIA
+ entry.last_pwd_change = entry.mod_date;
+#endif
+ entry.mod_name = entry.principal; /* Should be Person who did Action */
+
+ /* Write the Modified Principal to the V5 Database */
+ if (retval = krb5_db_put_principal(&entry, &one)) {
+ syslog(LOG_ERR,
+ "adm_v4_cpw - Error %d while Entering Principal for '%s'",
+ retval, v5_principal);
+ return(1);
+ }
+
+ *datout = 0;
+ *outlen = 0;
+
+ return(0);
+}
+
+stv_long(st, dat, loc, maxlen)
+u_char *st; /* a base pointer to the stream */
+u_long *dat; /* the attributes field */
+int loc; /* offset into the stream for current data */
+int maxlen; /* maximum length of st */
+{
+ u_long temp = 0; /* to hold the net order short */
+
+#ifdef BITS64
+ if (loc + 4 > maxlen)
+ return(-1);
+ (void) memcpy((char *) &temp + 4, (char *) ((u_long)st + (u_long)loc), 4);
+ *dat = ntohl(temp); /* convert to network order */
+ return(4);
+#else
+ if (loc + sizeof(u_long) > maxlen)
+ return(-1);
+ (void) memcpy((char *) &temp, (char *) ((u_long)st + (u_long)loc),
+ sizeof(u_long));
+ *dat = ntohl(temp); /* convert to network order */
+ return(sizeof(u_long));
+#endif
+}
diff --git a/src/kadmin/server/kadmind.M b/src/kadmin/server/kadmind.M
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/src/kadmin/server/kadmind.M
generated by cgit (git 2.34.1) at 2026-01-03 20:57:42 +0000