| author | Paul Park <pjpark@mit.edu> | 1995-07-17 19:35:58 +0000 |
|---|---|---|
| committer | Paul Park <pjpark@mit.edu> | 1995-07-17 19:35:58 +0000 |
| commit | 98b59e5b55dda7eef896bb9edfc36a5b13b1eccb (patch) | |
| tree | e24aa5a4973411a7df959bd677960864c42b874b /src/kadmin/v5server | |
| parent | 014c25c2a4825abf099bd91a01daa5f33be0839e (diff) | |
| download | krb5-98b59e5b55dda7eef896bb9edfc36a5b13b1eccb.tar.gz krb5-98b59e5b55dda7eef896bb9edfc36a5b13b1eccb.tar.xz krb5-98b59e5b55dda7eef896bb9edfc36a5b13b1eccb.zip | |
Add KDC profile and stash file support
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6304 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/v5server')
| -rw-r--r-- | src/kadmin/v5server/ChangeLog | 13 | ||||
| -rw-r--r-- | src/kadmin/v5server/admin.c | 36 | ||||
| -rw-r--r-- | src/kadmin/v5server/kadm5_defs.h | 71 | ||||
| -rw-r--r-- | src/kadmin/v5server/kadmind5.M | 8 | ||||
| -rw-r--r-- | src/kadmin/v5server/srv_key.c | 4 | ||||
| -rw-r--r-- | src/kadmin/v5server/srv_main.c | 84 |
6 files changed, 167 insertions, 49 deletions
diff --git a/src/kadmin/v5server/ChangeLog b/src/kadmin/v5server/ChangeLog
index 0f8e1c60c..3aeab5aea 100644
--- a/src/kadmin/v5server/ChangeLog
+++ b/src/kadmin/v5server/ChangeLog
@@ -1,4 +1,17 @@
+Mon Jul 17 15:07:08 EDT 1995 Paul Park (pjpark@mit.edu)
+ * srv_main.c - Add stash-file handling and supply appropriate value to
+ krb5_db_fetch_mkey(). Add KDC profile reading/handling to
+ supercede any values supplied on the command line. Add call
+ to new admin_init() which initializes the admin module.
+ * srv_key.c - Add stash-file handling.
+ * admin.c - Add admin_init() which takes supplied per-realm defaults to
+ initialize the default database entry.
+ * kadm5_defs.h - Change PROTOTYPE to KRB5_PROTOTYPE. Update prototype
+ for key_init and add admin_init.
+ * kadmind5.M - Add description of -s stashfile.
+
 Fri Jul 7 16:01:37 EDT 1995 Paul Park (pjpark@mit.edu)
 * Makefile.in - Remove all explicit library handling and LDFLAGS.
 * configure.in - Add USE_<mumble> and KRB5_LIBRARIES.
diff --git a/src/kadmin/v5server/admin.c b/src/kadmin/v5server/admin.c
index 5a746fe72..5aed8b706 100644
--- a/src/kadmin/v5server/admin.c
+++ b/src/kadmin/v5server/admin.c
@@ -28,8 +28,8 @@
 #include "k5-int.h"
 #include "kadm5_defs.h"
-#include "adm_proto.h"
 #include "adm.h"
+#include "adm_proto.h"
 /*
 * Data structure used to pass information in and out of krb5_db_iterate.
@@ -45,7 +45,6 @@ struct inq_context {
 };
 static krb5_db_entry admin_def_dbent;
-static krb5_boolean admin_def_dbent_inited = 0;
 static const char *admin_perm_denied_fmt = "\004ACL entry prevents %s operation by %s";
 static const char *admin_db_write_err_fmt = "\004database write failed during %s operation by %s";
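Review bot: Dropping `admin_def_dbent_inited` here, together with the lazy-init guard removed from admin_add_modify() in the `@@ -442,10 +447,6 @@` hunk below, means `admin_def_dbent` is only meaningful once main() has called admin_init(); any request merged against it before that sees an all-zero entry (kvno 0, no max_life, attributes 0) instead of the KRB5_KDB_* defaults. Whether a request can be dispatched before admin_init() runs is not visible here — in srv_main.c it is called only after proto_init() succeeds — so the ordering is now an undocumented invariant across two files. I would state it on admin_init(): `/* Must run once at startup, before any admin request is served: admin_add_modify() merges against admin_def_dbent unconditionally. */`.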
@@ -71,16 +70,22 @@ extern char *programname;
 * admin_init_def_dbent() - Initialize the default database entry.
 */
 static void
-admin_init_def_dbent()
+admin_init_def_dbent(mlife, mrlife, evalid, e, fvalid, f)
+ krb5_deltat mlife;
+ krb5_deltat mrlife;
+ krb5_boolean evalid;
+ krb5_timestamp e;
+ krb5_boolean fvalid;
+ krb5_flags f;
 {
 /* Zero it all out, and fill in non-zero defaults */
 memset((char *) &admin_def_dbent, 0, sizeof(admin_def_dbent));
 admin_def_dbent.kvno = 1;
- admin_def_dbent.max_life = KRB5_KDB_MAX_LIFE;
- admin_def_dbent.max_renewable_life = KRB5_KDB_MAX_RLIFE;
- admin_def_dbent.expiration = KRB5_KDB_EXPIRATION;
- admin_def_dbent.attributes = KRB5_KDB_DEF_FLAGS;
- admin_def_dbent_inited = 1;
+ admin_def_dbent.max_life = (mlife > 0) ? mlife : KRB5_KDB_MAX_LIFE;
+ admin_def_dbent.max_renewable_life =
+ (mrlife > 0) ? mrlife : KRB5_KDB_MAX_RLIFE;
+ admin_def_dbent.expiration = (evalid) ? e : KRB5_KDB_EXPIRATION;
+ admin_def_dbent.attributes = (fvalid) ? f : KRB5_KDB_DEF_FLAGS;
 }
 /*
@@ -442,10 +447,6 @@ admin_add_modify(kcontext, debug_level, ticket, nargs, arglist,
 &temp)))) {
 krb5_db_entry *merge;
- /* Check if the default is initialized */
- if (!admin_def_dbent_inited)
- admin_init_def_dbent();
-
 merge = (should_exist) ? &cur_dbentry : &admin_def_dbent;
@@ -1384,3 +1385,14 @@ admin_extract_key(kcontext, debug_level, ticket,
 return(retval);
 }
+void
+admin_init(max_life, max_renew_life, e_valid, e, f_valid, f)
+ krb5_deltat max_life;
+ krb5_deltat max_renew_life;
+ krb5_boolean e_valid;
+ krb5_timestamp e;
+ krb5_boolean f_valid;
+ krb5_flags f;
+{
+ admin_init_def_dbent(max_life, max_renew_life, e_valid, e, f_valid, f);
+}
diff --git a/src/kadmin/v5server/kadm5_defs.h b/src/kadmin/v5server/kadm5_defs.h
index 7d3d4d095..3ac067de7 100644
--- a/src/kadmin/v5server/kadm5_defs.h
+++ b/src/kadmin/v5server/kadm5_defs.h
@@ -88,7 +88,7 @@
 /* srv_key.c */
 krb5_error_code key_init
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 int,
 int,
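Review bot: The new admin_init() in the `@@ -1384,3 +1385,14 @@` hunk is the only function in this file added without the `/* * name() - ... */` header block that admin_init_def_dbent() and its neighbours carry, and its fallback rules are not obvious from the one-line body. The `(mlife > 0)` / `(mrlife > 0)` tests in admin_init_def_dbent() also mean a realm that configures a lifetime of 0 is silently treated as unset, which callers should know. I would add above admin_init(): `/* * admin_init() - Initialize the admin module from per-realm defaults. Lifetimes <= 0 and expiration/flags whose *_valid flag is false fall back to the KRB5_KDB_* defaults. */`.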
@@ -96,12 +96,13 @@ krb5_error_code key_init
 int,
 char *,
 char *,
+ char *,
 char *));
 void key_finish
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int));
 krb5_error_code key_string_to_keys
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_principal,
 krb5_data *,
 krb5_int32,
@@ -111,24 +112,24 @@ krb5_error_code key_string_to_keys
 krb5_data *,
 krb5_data *));
 krb5_error_code key_random_key
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_keyblock *));
 krb5_error_code key_encrypt_keys
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_principal,
 krb5_keyblock *,
 krb5_keyblock *,
 krb5_encrypted_keyblock *,
 krb5_encrypted_keyblock *));
 krb5_error_code key_decrypt_keys
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_principal,
 krb5_encrypted_keyblock *,
 krb5_encrypted_keyblock *,
 krb5_keyblock *,
 krb5_keyblock *));
 krb5_boolean key_pwd_is_weak
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_principal,
 krb5_data *,
 krb5_int32,
@@ -140,34 +141,34 @@ krb5_keyblock *key_admin_key();
 /* srv_acl.c */
 krb5_error_code acl_init
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 char *));
 void acl_finish
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int));
 krb5_boolean acl_op_permitted
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_principal,
 krb5_int32));
 /* srv_output.c */
 krb5_error_code output_init
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 char *,
 krb5_boolean));
 void output_finish
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int));
 krb5_boolean output_lang_supported
- PROTOTYPE((char *));
+ KRB5_PROTOTYPE((char *));
 char *output_krb5_errmsg
- PROTOTYPE((char *,
+ KRB5_PROTOTYPE((char *,
 krb5_boolean,
 krb5_int32));
 char *output_adm_error
- PROTOTYPE((char *,
+ KRB5_PROTOTYPE((char *,
 krb5_boolean,
 krb5_int32,
 krb5_int32,
@@ -176,26 +177,26 @@ char *output_adm_error
 /* srv_net.c */
 krb5_error_code net_init
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_int32));
 void net_finish
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int));
 krb5_error_code net_dispatch
- PROTOTYPE((krb5_context));
+ KRB5_PROTOTYPE((krb5_context));
 krb5_principal net_server_princ();
 /* proto_serv.c */
 krb5_error_code proto_init
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 int));
 void proto_finish
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int));
 krb5_error_code proto_serv
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 krb5_int32,
 int,
 void *,
@@ -203,14 +204,14 @@ krb5_error_code proto_serv
 /* passwd.c */
 krb5_int32 passwd_check
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_auth_context,
 krb5_ticket *,
 krb5_data *,
 krb5_int32 *));
 krb5_int32 passwd_change
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_auth_context,
 krb5_ticket *,
@@ -218,7 +219,7 @@ krb5_int32 passwd_change
 krb5_data *,
 krb5_int32 *));
 krb5_boolean passwd_check_npass_ok
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_principal,
 krb5_db_entry *,
@@ -227,52 +228,58 @@ krb5_boolean passwd_check_npass_ok
 /* admin.c */
 krb5_error_code admin_add_principal
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_int32,
 krb5_data *));
 krb5_error_code admin_delete_principal
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_data *));
 krb5_error_code admin_rename_principal
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_data *,
 krb5_data *));
 krb5_error_code admin_modify_principal
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_int32,
 krb5_data *));
 krb5_error_code admin_change_opw
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_data *,
 krb5_data *));
 krb5_error_code admin_change_orandpw
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_data *));
 krb5_error_code admin_inquire
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_data *,
 krb5_int32 *,
 krb5_data **));
 krb5_error_code admin_extract_key
- PROTOTYPE((krb5_context,
+ KRB5_PROTOTYPE((krb5_context,
 int,
 krb5_ticket *,
 krb5_data *,
 krb5_data *,
 krb5_int32 *,
 krb5_data **));
+void admin_init KRB5_PROTOTYPE((krb5_deltat,
+ krb5_deltat,
+ krb5_boolean,
+ krb5_timestamp,
+ krb5_boolean,
+ krb5_flags));
 #endif /* KADM5_DEFS_H__ */
diff --git a/src/kadmin/v5server/kadmind5.M b/src/kadmin/v5server/kadmind5.M
index d494ec436..88eafc01a 100644
--- a/src/kadmin/v5server/kadmind5.M
+++ b/src/kadmin/v5server/kadmind5.M
@@ -49,6 +49,9 @@ port
 .B \-r
 realm
 ] [
+.B \-s
+keystash
+] [
 .B \-t
 timeout
 ] [
@@ -87,6 +90,11 @@ Indicates that the master key name is to be entered manually.
 .IP \-e
 .B enctype
 specifies the encryption type which is to be used.
+.IP \-s
+.B keystash
+specifies the key stash file ( created by
+.I kdb5_stash(8)
+) used for automatic restart.
 .IP \-T
 .B keytab
 specifies the name of the service key table.
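Review bot: The new `admin_init` declaration at the end of the `@@ -227,52 +228,58 @@` hunk puts `KRB5_PROTOTYPE((` on the same line as the function name, while every other declaration in this header — including the ones this same commit just renamed — keeps the return type and name on one line and `KRB5_PROTOTYPE((` on the next. For consistency I would write it as `void admin_init` followed by `KRB5_PROTOTYPE((krb5_deltat,` on its own line, with the remaining parameters unchanged. The parameters also carry no names, which the file's convention permits, but since four of the six are "value plus valid-flag" pairs a short comment such as `/* max_life, max_renew_life, e_valid, e, f_valid, f */` on the declaration would help readers match them to admin.c.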
diff --git a/src/kadmin/v5server/srv_key.c b/src/kadmin/v5server/srv_key.c
index 768b55b9d..08453f0c0 100644
--- a/src/kadmin/v5server/srv_key.c
+++ b/src/kadmin/v5server/srv_key.c
@@ -298,7 +298,7 @@ key_get_admin_entry(kcontext)
 */
 krb5_error_code
 key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual,
- db_file, db_realm, kt_name)
+ db_file, db_realm, kt_name, sf_name)
 krb5_context kcontext;
 int debug_level;
 int enc_type;
@@ -308,6 +308,7 @@ key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual,
 char *db_file;
 char *db_realm;
 char *kt_name;
+ char *sf_name;
 {
 krb5_enctype kdc_etype;
 char *mkey_name;
@@ -439,6 +440,7 @@ key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual,
 &master_encblock,
 manual,
 FALSE, /* Only read once if manual */
+ sf_name, /* stash file */
 0, /* No salt */
 &master_keyblock);
 if (kret) {
diff --git a/src/kadmin/v5server/srv_main.c b/src/kadmin/v5server/srv_main.c
index 866e064fe..ba906e365 100644
--- a/src/kadmin/v5server/srv_main.c
+++ b/src/kadmin/v5server/srv_main.c
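Review bot: The new `sf_name` parameter is added to key_init() in the `@@ -298,7 +298,7 @@` hunk without touching the comment block that closes with `*/` just above the definition, so the one place that documents key_init's arguments now omits the stash file and its NULL case. From srv_main.c the argument is NULL whenever neither `-s` nor a profile `realm_stash_file` was given, and what krb5_db_fetch_mkey() does with a NULL stash name when `manual` is FALSE is not visible here; that should be stated where callers will look. I would add to the header comment: `* sf_name - stash file holding the master key, or NULL; when NULL and manual is false the master key is obtained by krb5_db_fetch_mkey()'s default method (confirm).`. The body of key_init() continues outside the hunks.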
@@ -33,18 +33,21 @@
 #include <setjmp.h>
 #include "k5-int.h"
 #include "com_err.h"
+#include "adm.h"
 #include "adm_proto.h"
 #ifdef LANGUAGES_SUPPORTED
-static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-l langlist] [-p portnum] [-r realm] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n";
+static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-l langlist] [-p portnum] [-r realm] [-s stash] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n";
 static const char *getopt_string = "a:d:e:k:l:mnp:r:t:D:M:T:";
 #else /* LANGUAGES_SUPPORTED */
-static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-p portnum] [-r realm] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n";
+static const char *usage_format = "%s: usage is %s [-a aclfile] [-d database] [-e enctype] [-m]\n\t[-k mkeytype] [-p portnum] [-r realm] [-s stash] [-t timeout] [-n]\n\t[-D dbg] [-M mkeyname] [-T ktabname].\n";
 static const char *getopt_string = "a:d:e:k:mnp:r:t:D:M:T:";
 #endif /* LANGUAGES_SUPPORTED */
 static const char *fval_not_number = "%s: value (%s) specified for -%c is not numeric.\n";
 static const char *extra_params = "%s extra paramters beginning with %s... \n";
 static const char *daemon_err = "%s: cannot spawn and detach.\n";
+static const char *grealm_err = "%s: cannot get default realm.\n";
+static const char *pinit_err = "%s: cannot open configuration file %s.\n";
 static const char *no_memory_fmt = "%s: cannot allocate %d bytes for %s.\n";
 static const char *begin_op_msg = "\007%s starting.";
 static const char *disp_err_fmt = "\004dispatch error.";
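Review bot: Both `usage_format` strings now advertise `[-s stash]`, but the two `getopt_string` context lines right beneath them are unchanged and contain no `s:`, so getopt() will reject `-s` as an unknown option and the `case 's':` added in the `@@ -173,6 +185,9 @@` hunk of this file is unreachable; the man page addition in kadmind5.M documents an option the binary cannot parse. The fix is one character in each branch: `static const char *getopt_string = "a:d:e:k:l:mnp:r:s:t:D:M:T:";` and `static const char *getopt_string = "a:d:e:k:mnp:r:s:t:D:M:T:";`. Separately, the new `grealm_err` and `pinit_err` strings are not referenced by any hunk in this commit; if the code that uses them is not elsewhere in the file, they are dead definitions and will draw unused-variable warnings.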
@@ -108,6 +111,13 @@ main(argc, argv)
 char *db_realm = (char *) NULL;
 char *master_key_name = (char *) NULL;
 char *keytab_name = (char *) NULL;
+ char *stash_name = (char *) NULL;
+ krb5_deltat maxlife = -1;
+ krb5_deltat maxrlife = -1;
+ krb5_timestamp def_expiration;
+ krb5_flags def_flags;
+ krb5_boolean exp_valid, flags_valid;
+ krb5_realm_params *rparams;
 /* Kerberatic contexts */
 krb5_context kcontext;
@@ -126,12 +136,14 @@ main(argc, argv)
 * [-n] <do not fork/disassociate>
 * [-p portnumber] <listen on port>
 * [-r realmname] <realm>
+ * [-s stashfile] <stashfile>
 * [-t timeout] <inactivity timeout>
 * [-D debugmask] <debug mask>
 * [-M masterkeyname] <name of master key>
 * [-T keytabname] <key table file>
 */
 error = 0;
+ exp_valid = flags_valid = FALSE;
 while ((option = getopt(argc, argv, getopt_string)) != EOF) {
 switch (option) {
 case 'a':
@@ -173,6 +185,9 @@ main(argc, argv)
 case 'r':
 db_realm = optarg;
 break;
+ case 's':
+ stash_name = optarg;
+ break;
 case 't':
 if (sscanf(optarg, "%d", &timeout) != 1) {
 fprintf(stderr, fval_not_number, argv[0], optarg, 't');
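Review bot: `def_expiration` and `def_flags` are declared without initializers in the `@@ -108,6 +111,13 @@` hunk, are only assigned when the profile marks them valid, yet are always passed by value to admin_init() in the `@@ -283,7 +354,12 @@` hunk of this file. Passing an indeterminate automatic variable is undefined behavior even though admin_init_def_dbent() ignores the value when the flag is false, and `-Wall` will flag it as maybe-uninitialized. Initialize them like the neighbouring declarations: `krb5_timestamp def_expiration = 0;` and `krb5_flags def_flags = 0;`. main() continues outside the hunks.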
@@ -233,6 +248,62 @@ main(argc, argv)
 krb5_init_ets(kcontext);
 krb5_klog_init(kcontext, "admin_server", programname, 1);
+ /*
+ * Attempt to read the KDC profile. If we do, then read appropriate values
+ * from it and supercede values supplied on the command line.
+ */
+ if (!(error = krb5_read_realm_params(kcontext,
+ db_realm,
+ (char *) NULL,
+ (char *) NULL,
+ &rparams))) {
+ /* Get the value for the database */
+ if (rparams->realm_dbname)
+ db_file = strdup(rparams->realm_dbname);
+
+ /* Get the value for the master key name */
+ if (rparams->realm_mkey_name)
+ master_key_name = strdup(rparams->realm_mkey_name);
+
+ /* Get the value for the master key type */
+ if (rparams->realm_keytype_valid)
+ key_type = rparams->realm_keytype;
+
+ /* Get the value for the port */
+ if (rparams->realm_kadmind_port_valid)
+ service_port = rparams->realm_kadmind_port;
+
+ /* Get the value for the encryption type */
+ if (rparams->realm_enctype_valid)
+ enc_type = rparams->realm_enctype;
+
+ /* Get the value for the stashfile */
+ if (rparams->realm_stash_file)
+ stash_name = strdup(rparams->realm_stash_file);
+
+ /* Get the value for maximum ticket lifetime. */
+ if (rparams->realm_max_life_valid)
+ maxlife = rparams->realm_max_life;
+
+ /* Get the value for maximum renewable ticket lifetime. */
+ if (rparams->realm_max_rlife_valid)
+ maxrlife = rparams->realm_max_rlife;
+
+ /* Get the value for the default principal expiration */
+ if (rparams->realm_expiration_valid) {
+ def_expiration = rparams->realm_expiration;
+ exp_valid = TRUE;
+ }
+
+ /* Get the value for the default principal flags */
+ if (rparams->realm_flags_valid) {
+ def_flags = rparams->realm_flags;
+ flags_valid = TRUE;
+ }
+
+ krb5_free_realm_params(kcontext, rparams);
+ }
+
 if ((signal_number =
#if POSIX_SETJMP
 sigsetjmp(terminal_jmp, 1)
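Review bot: The three `strdup()` calls on `realm_dbname`, `realm_mkey_name` and `realm_stash_file` are unchecked, so an allocation failure silently replaces a value the administrator configured with NULL and the server proceeds with whatever default key_init() applies to a NULL database, master-key name or stash file; the file already has `no_memory_fmt` for exactly this report, so each should be `if (!(db_file = strdup(rparams->realm_dbname))) { fprintf(stderr, no_memory_fmt, ...); exit(...); }` or equivalent. A failed krb5_read_realm_params() also leaves its code in `error` past the end of this block; the visible hunks show `error` next assigned by key_init(), but if anything between the sigsetjmp and that call tests `error` (not visible here) an absent profile would be treated as a fatal condition, so resetting `error = 0` after the block, or using a separate local, would make the best-effort intent explicit. The header comment says profile values supersede the command line; since that also applies to an explicit `-s`, `-d` and `-M`, it is worth saying so in the usage text or man page.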
@@ -273,7 +344,7 @@ main(argc, argv)
 */
 error = key_init(kcontext, debug_level, enc_type, key_type, master_key_name, manual_entry, db_file, db_realm,
- keytab_name);
+ keytab_name, stash_name);
 if (!error) {
 error = acl_init(kcontext, debug_level, acl_file);
 if (!error) {
@@ -283,7 +354,12 @@ main(argc, argv)
 error = net_init(kcontext, debug_level, service_port);
 if (!error) {
 error = proto_init(kcontext, debug_level, timeout);
-
+ admin_init(maxlife,
+ maxrlife,
+ exp_valid,
+ def_expiration,
+ flags_valid,
+ def_flags);
 if (error)
 errmsg = proto_msg;
 }
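Review bot: admin_init() in the `@@ -283,7 +354,12 @@` hunk is called unconditionally between `error = proto_init(...)` and `if (error)`, so it runs even when proto_init() has failed, whereas every other initializer in this chain is guarded by `if (!error)`; the call is harmless today, but it breaks the pattern a reader relies on and would be wrong if admin_init() ever acquired resources. Either move it ahead of proto_init() or guard it: `if (!error) admin_init(maxlife, maxrlife, exp_valid, def_expiration, flags_valid, def_flags);`. The init chain and main() continue outside the hunk, so whether net_dispatch() can run before this point is not visible here.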
