| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define client_addr() in server_stubs.c and use it consistently in that
file and ipropd_svc.c to get the client address from a transport
handle. In it, call getpeername() on the client socket and use
inet_ntop() on the result, instead of using inet_ntoa() on the IPv4
socket address. Provide a log_badauth2 callback to GSSRPC, so that we
get a transport handle instead of an IPv4 socket address, and use
client_addr() within it instead of inet_ntoa().
ticket: 7770
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The krb5 implementation of gss_display_name() reports the name type as
GSS_C_NT_ANONYMOUS if the client uses an anonymous principal. Accept
this name type in gss_name_to_string and gss_to_krb5_name so that
anonymous kadmin can work.
Also improve code hygiene: call gss_name_to_string from
gss_to_krb5_name to reduce code repetition; use gss_oid_equal instead
of pointer comparison for name types; and don't assume that the
gss_display_name result buffer is zero-terminated.
ticket: 7740 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
| |
Make the purgekeys RPC allow self-service, like the chpass and chrand
RPCs.
ticket: 7681 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal. The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).
CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C
ticket: 7093
target_version: 1.10.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25215 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
ticket: 6918
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24961 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
change_password -keepold), and add a kadmin CLI command for it.
Keeping ticket open because an automated test needs to be added.
Long-term future work includes start/expire dates on keys, or
not-yet-valid flags.
ticket: 1219
status: open
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Merge Luke's users/lhoward/lockout2 branch to trunk. Implements
account lockout policies for preauth-using principals using existing
principal metadata fields and new policy fields. The kadmin API
version is bumped from 2 to 3 to compatibly extend the policy_ent_rec
structure.
ticket: 6577
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23038 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
| |
unused file svr_misc_free.c.
ticket: 6544
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22523 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kadmin v1 API and the even older ovsec_kadm_* API were legacy when
kadmin was first incorporated in 1996, and compatibility with them is
no longer believed to be necessary.
The uninstalled kadmin/passwd has been removed (since it used the ovsec
API). The test suite has been updated to use the v2 API where
appropriate, and the parts specifically designed to test the old API
have been excised.
ticket: 6544
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22521 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
kadmind server stubs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21709 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
some introduced by the last rev) when it is known from context that
handle is not NULL.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21708 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
ticket: 6202
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20956 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix some bugs with storage being used immediately after being freed.
None look like anything an attacker can really manipulate AFAICT.
ticket: new
target_version: 1.6.4
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20485 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20465 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
server_stubs.c uses char * for error messages which it gets from com_err,
throwing away the constness of the com_err output. Made error message args
be const char * to remove warnings and prevent accidental modification of
com_err strings.
In calls to krb5_klog_syslog server_stubs.c passes void* into %s printf
formats and passes size_ts in for the field widths in %.*s formats. After
verifying that the size_ts cannot be bigger than ints (which is ensured by
trunc_name) added casts to remove spurious warnings.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20344 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
Truncate the principal names when logging a rename operation to avoid
a stack buffer overflow.
ticket: new
target_version: 1.6.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19637 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix MITKRB5-SA-2007-002: buffer overflow in krb5_klog_syslog.
* src/lib/krb5/krb/get_in_tkt.c (krb5_klog_syslog): Use vsnprintf
if available.
Everything else: use precision fields on "%s" specifiers to truncate
logged strings, in case someone doesn't have vsnprintf.
ticket: new
target_version: 1.6.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19395 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
actual LDAP bits:
* include/kdb.h (krb5_db_entry_new): Add MASK field indicating what's
changed.
(KRB5_KDB_SRV_TYPE_*): New macros indicating which type of service is
accessing the database.
* lib/kadm5/srv/svr_principal.c: Set mask field.
* lib/kadm5/srv/server_misc.c, server_init.c: Pass service type to
krb5_db_open.
* kadmin/dbutil/kdb5_stash.c (kdb5_stash): Pass service type to
krb5_db_open.
* kadmin/dbutil/kdb5_util.c (open_db_and_mkey): Pass service type to
krb5_db_open.
* kdc/main.c (init_realm): Pass service type to krb5_db_open.
* lib/kadm5/srv/svr_principal.c: Set mask field.
* kadmin/dbutil/dump.c (load_db): Pass service type to krb5_db_open.
* lib/kdb/kdb5.h (KRB5_KDB_SRV_TYPE_*): New macros.
* lib/kdb/err_handle.{c,h}: Deleted.
* lib/kadm5/clnt/err_handle.{c,h}: Deleted.
(krb5_db_clr_error): Declaration deleted.
* lib/kdb/Makefile.in, lib/kadm5/clnt/Makefile.in: Don't build them.
* lib/kdb/kdb5.c, lib/kadm5/clnt, lib/kadm5/srv: Use new error-message API.
* kdc/do_tgs_req.c (process_tgs_req): Use new error-message API.
* kdc/kdc_preauth.c (check_padata)
* kdc/do_as_req.c (process_as_req):
* kdc/main.c (init_realm):
* kadmin/server/ovsec_kadmd.c (main, do_schpw):
* schpw.c (process_chpw_request):
* kadmin/server/server_stubs.c:
* kadmin/cli/kadmin.c (extended_com_err_fn): New function.
(kadmin_startup): Tell com_err library to use it, for kadmin.local.
* lib/kdb/libkdb5.exports: Don't export krb5_db_clr_error.
* lib/kdb/Makefile.in: (SRCS, STLIBOBJS): Don't build err_handle.c.
* lib/kdb/kdb5.c (kdb_load_library): Don't pass argument to init_library.
(krb5_db_clr_error): Function deleted.
* lib/kdb/kdb5.h (struct _kdb_vftabl): Remove argument from init_library field.
* lib/kadm5/logger.c (krb5_klog_init): Save the krb5_context pointer.
(klog_com_err_proc): Use it, and call new error-message API.
* lib/kadm5/srv/svr_principal.c: Use new error-message API.
* kadmin/dbutil/kdb5_util.c (extended_com_err_fn): New function.
(main): Tell com_err library to use it.
* plugins/kdb/db2: Use new error-message APIs and updated DAL
interface.
* lib/kadm5/kadm_rpc.h: Delete err_str fields.
* lib/kadm5/kadm_rpc_xdr.c: Don't process them.
* kadmin/server/server_stubs.c: Don't use ret.err_str field.
* include/k5-thread.h (k5_key_t): Deleted unused values.
* lib/kdb/kdb5.h (KDB_MODULE_SECTION): Change db_modules to dbmodules.
(KDB_MODULE_DEF_SECTION): New macro.
* tests/Makefile.in (krb5.conf): Rename db_modules to dbmodules.
* tests/dejagnu/config/default.exp (setup_krb5_conf): Likewise.
* kadmin/testing/proto/krb5.conf.proto: Likewise.
* lib/kdb/libkdb5.exports: Do export krb5_def_store_mkey.
* lib/kadm5/admin.h (KADM5_CPW_FUNCTION, KADM5_RANDKEY_USED): New macros.
(struct _kadm5_config_params): New field kpasswd_server.
* lib/krb5/error_tables/kdb5_err.et (KRB5_KDB_SERVER_INTERNAL_ERR):
New error code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17899 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
| |
include directives sometimes using krb5/foo.h and sometimes using foo.h, and
-I options always given for both directories in both source and build trees,
push include/krb5/* up a level and drop the krb5 directory (except, for the
moment, the change log).
Updated #include directives, -I options, and dependencies accordingly, and
deleted one or two bits of old, unused code that was noticed in the process.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17730 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
likewise _1_svc to _2_svc in the kadmin server. Delete the RPC functions from
the libkadm5clnt export list.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17345 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
Will probably break things.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17258 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
ticket: 2674
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16673 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remaining work includes:
* Default to using kadmin/fqdn for SEAM compatibility
* Namespace cleanups and other API tweaks -- this API is not stable yet
* Fix lib/rpc/unit-test testsuite to test RPCSEC_GSS in addition to
AUTH_GSSAPI
Additional work will be tracked in separate tickets. This merge is
bracketed between the tags "tlyu-umich-rpc-merge-pre" and
"tlyu-umich-rpc-merge-post".
ticket: 2578
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16467 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thanks, the patch has been applied and will appear in a future release.
* misc.c (chpass_principal_wrapper_3): Renamed from
chpass_principal_wrapper; calls chpass_principal_3 now.
(randkey_principal_wrapper_3): Renamed from
randkey_principal_wrapper; calls randkey_principal_3 now. Patch
from Ben Cox.
* server_stubs.c (chpass_principal_1_svc)
(chpass_principal3_1_svc): Call chpass_principal_wrapper_3.
(chrand_principal_1_svc, chrand_principal3_1_svc): Call
randkey_principal_wrapper_3. Patch from Ben Cox.
ticket: 1207
version_reported: 1.2.6
target_version: 1.3
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14915 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
of places. Patch from Mark Levinson; fixes [krb5-admin/1140].
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14680 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
| |
* misc.h: Add prototypes for kadm_1 and process_chpw_request.
* ovsec_kadmd.c: Include misc.h and remove prototype for
process_chpw_request and kadm_1.
* kadm_rpc_svc.c, schpw.c: Include misc.h for prototypes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13537 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
routines to end in _svc so as to not conflict with prototypes of
client side handlers.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13014 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12502 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12121 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
| |
create_principal_3.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12083 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
| |
setkey_principal3_1, and chrand_principal3_1 to do the obvious
things.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12053 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
memory in request.
(setup_gss_names): Free memory in case of failure.
(chrand_principal_1): Call free_server_handle for failure
cleanup.
* ovsec_kadmd.c (main): Cleanup memory by calling acl_finish,
gss_release_name, and krb5_free_context
Some of these fixes are to make accounting easier with Purify upon
shutdown while the server_stubs.c fixes take care of a per-request memory
leak present for many requests.
automatically CVS: CVS: Committing in . CVS: CVS: Modified Files:
----------------------------------------------------------------------
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10233 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10111 dc483132-0cff-0310-8789-dd5450dbe970
|
| |
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10072 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
OV_MERGE branches. This includes, but is not limited to, the new openvision
admin system, and major changes to gssapi to add functionality, and bring
the implementation in line with rfc1964. before committing, the
code was built and tested for netbsd and solaris.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8774 dc483132-0cff-0310-8789-dd5450dbe970
|
