summaryrefslogtreecommitdiffstats
path: root/src/kadmin
Commit message (Collapse)AuthorAgeFilesLines
* Fix a trivial file leak writing kadmind pid fileGreg Hudson2013-03-261-3/+4
| | | | | | | If we fail to write the pid to the pid file, we should still close the file before returning from write_pid_file(). The consequences of this bug are trivial because kadmin is just going to exit regardless. Reported by Will Fiveash <will.fiveash@oracle.com>.
* make dependGreg Hudson2013-03-244-48/+39
|
* Clean up getclhoststr in ipropd_svc.cGreg Hudson2013-03-211-17/+9
| | | | Based on a patch from Xi Wang <xi@mit.edu>.
* Reset ulog header if iprop load failsGreg Hudson2013-03-151-0/+2
| | | | | | | | | | | If an iprop slave tries to load a dump from the master and it fails, reset the ulog header so we take another full dump, instead of reporting that the slave is current when it isn't. Reported by Richard Basch <basch@alum.mit.edu>. ticket: 7588 target_version: 1.11.2 tags: pullup
* Fix kadmin_getpol format stringGreg Hudson2013-03-151-2/+2
| | | | | | | Commit 0780e46fc13dbafa177525164997cd204cc50b51 matched a %ld format string with the integer 0, which is an int rather than a long. Just put 0 in the format string instead. Noted by David Benjamin <davidben@mit.edu>.
* Add support for k5srvutil -e keysaltsAlex Dehnert2013-03-111-2/+8
| | | | | | | | | | | k5srvutil is a little more convenient to use for rolling keys than kadmin is. When migrating off 1DES, though, it may be desirable to explicitly specify the desired keysalts. This adds an option, -e, to k5srvutil to specify desired keysalts. [ghudson@mit.edu: style fix; make whitespace in keysalt list work] ticket: 7589 (new)
* Add and use k5memdup, k5memdup0 helpersGreg Hudson2013-02-091-4/+1
| | | | | | Add k5-int.h static functions to duplicate byte ranges, optionally with a trailing zero byte, and set an error code like k5alloc does. Use them where they would shorten existing code.
* Modernize dump.cGreg Hudson2013-02-063-1313/+697
| | | | | Reformat and simplify dump.c code according to current coding standards. No functional changes except for some error messages.
* Refactor dump.cGreg Hudson2013-02-061-175/+124
| | | | | | | When dumping, use a common iterator function to unpack the dump_args structure, unparse and filter the principal name, and convert master keys. Add helper functions to dump and load the "octets or -1" format used for optional binary fields in the current dump format.
* Reorder dump.cGreg Hudson2013-02-061-467/+439
| | | | | | Without changing anything (except to make a few internal functions static), reorder dump.c to bottom-up order so that forward function declarations aren't needed.
* Remove -b6 and -old dump formatsGreg Hudson2013-02-041-590/+8
| | | | | | | Get rid of the code to dump and load -b6 and -old format dump files. Loading these versions hasn't worked since at least 1.3. ticket: 7564 (new)
* Simplify kdb5_util create using a null passwordGreg Hudson2013-02-041-30/+7
| | | | | | kadm5_create_principal now uses a random key if passed a null password, so we don't need a multi-step process to create admin principals when creating a database any more.
* Fix kdb5_util dump.c uninitialized warningsGreg Hudson2013-02-011-1/+1
| | | | | | | | | | | | | Some versions of clang report an uninitialized variable warning (which we treat as an error) in process_k5beta_record. Due to the if-ladder style of the function, uninitialized tmpint values can be copied around in certain error cases, although the garbage values would be ultimately ignored. As a minimal fix, initialize the tmpint variables. ticket: 7560 (new) target_version: 1.11.1 tags: pullup
* Fix iprop log reinitializationGreg Hudson2013-01-222-13/+2
| | | | | | | | | | | | | | | | If the master iprop log is reinitialized to serial number 0, slaves will need to take a full dump--but after that happens, we need to know whether the slave has taken that full dump, we we don't offering full dumps indefinitely. So, record a timestamp in kdb_last_time when we reinitialize the log header, and compare the slave timestamp to kdb_last_time whenever it has the current serial number, even if it's 0. Test this by performing a propagation with sno 0 in t_iprop.py and detecting whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from kadmind. ticket: 7550 (new)
* Fix iprop safety net in kdb5_util loadGreg Hudson2013-01-171-2/+4
| | | | | | | | | The error message was missing a newline, and the exit behavior causes the database to be destroyed. ticket: 7370 target_version: 1.11.1 tags: pullup
* make dependGreg Hudson2013-01-105-5/+5
| | | | | Mostly this gets rid of the trailing space on line 2 after bb76891f5386526bdf91bc790c614fc9296cb5fa.
* Allow principals to refer to nonexistent policiesGreg Hudson2013-01-092-29/+49
| | | | | | | | | | | | | | Stop using and maintaining the policy_refcnt field, and do not try to prevent deletion of a policy which is still referenced by principals. Instead, allow principals to refer to policy names which do not exist as policy objects; treat those principals as having no associated policy. In the kadmin client, warn if addprinc or modprinc tries to reference a policy which doesn't exist, since the server will no longer error out in this case. ticket: 7385
* Fix DPRINT in ipropd_svc.cGuillaume Rousse2013-01-011-1/+1
| | | | | | | | | | | cea0b28045b262b1098f17f17f78b2efbf89a6c1 contained an incorrect definition of DPRINT. Fix it. [ghudson@mit.edu: commit message] ticket: 7525 (new) target_version: 1.11.1 tags: pullup
* Separate clpreauth and kdcpreauth interfacesGreg Hudson2012-12-194-19/+19
| | | | | | | Since there is no overlap between the clpreauth and kdcpreauth interface declarations, there's no particular reason to combine them into one header. For backward compatibility and convenience, leave behind a preauth_plugin.h which includes both.
* Fix various integer issuesGreg Hudson2012-12-101-2/+1
| | | | | | | | | | | | | | | In kdc_util.c and spnego_mech.c, error returns from ASN.1 length functions could be ignored because they were assigned to unsigned values. In spnego_mech.c, two buffer size checks could be rewritten to reduce the likelihood of pointer overflow. In dump.c and kdc_preauth.c, calloc() could be used to simplify the code and avoid multiplication overflow. In pkinit_clnt.c, the wrong value was checked for a null result from malloc(), and the code could be simplified. Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>. ticket: 7488
* Make kdb5_util dump work with LDAP againGreg Hudson2012-11-121-1/+2
| | | | | | | | | | | The LDAP module doesn't support locking. There's code to ignore this in load but not in dump. dump used to only lock for iprop dumps, but now locks all the time after e65a16d898f3a686525e83661f4fd86c76e27bbf (#7384), causing it to fail with LDAP. ticket: 7445 (new) target_version: 1.11 tags: pullup
* Remove install-oldmanBen Kaduk2012-10-174-14/+0
| | | | | | The old man pages are gone, so we can't install them anymore. Also clean up install and install-unix targets that were installing the old man pages by hand.
* Remove nroff man pagesBen Kaduk2012-10-166-1662/+0
| | | | | | | We generate man pages from RST sources now; they are checked into the tree in src/man/. The gen-manpages directory is no longer needed.
* Fix a minor race in kdb5_util loadNicolas Williams2012-10-051-1/+1
| | | | | | | | | | | | | | | | | | | If a kdb5_util load gets killed between rename()ing the new KDB file into place and resetting the iprop ulog then the ulog can reflect the pre-load state, which will almost certainly be incorrect. This matters because we want to impose a timeout on full resyncs in kpropd when iprop dictates that a full resync is needed, and the simplest timeout scheme involves signaling the kdb5_util load process. But also, we want no such races in general. The fix is simple: re-initialize the ulog before renaming the new KDB file into place, then proceed as usual. If the ulog is not properly updated at the end of the load it will at least always result in subsequent iprop get updates operations always indicating that a full resync is required. ticket: 7399
* Fix policy refcount corruption race in dumpNicolas Williams2012-10-051-10/+10
| | | | ticket: 7384
* Sync iprop header in kdb5_util dumpNicolas Williams2012-10-051-0/+10
| | | | [ghudson@mit.edu: split out from previous commit]
* kdb5_util load needs iprop safety netNicolas Williams2012-10-051-15/+36
| | | | ticket: 7370
* Add -p, -F, -K options to kadmindNicolas Williams2012-10-052-14/+34
| | | | | | | | | | | | New options: -p path-to-kdb5_util -K path-to-kprop -F dump-file These are needed for testing without first having to install. ticket: 7372
* ipropd_svc.c DPRINT improvementsNicolas Williams2012-10-051-13/+34
| | | | Make DPRINT a varargs macro and add some new debug prints.
* Fix kdb5_util dump raceNicolas Williams2012-10-052-34/+32
| | | | ticket: 7377
* Cleanup dump_db()Nicolas Williams2012-10-051-20/+14
|
* Use a single global dump for iprop full syncsNicolas Williams2012-10-052-88/+211
| | | | | | | | | | | | | | | | | | | | | | | | | | Use a global dump (the default dump file) for full syncs for iprop. When a slave asks for a fullsync we kprop the existing global dump to it if that is good enough, else we dump the DB and send the new global dump. Before this change kadmind would run kdb5_util dump -i... each time a slave asked for a full dump. This was done in a sub-process, thankfully, but it was still a waste of time and storage (e.g., if one has a huge KDB). Also, long dump times might cause a slave to give up (the timeout for this is now configurable). But since iprop dumps bear a serial number and timestamp and since slaves will resync from that point forward, it doesn't matter if the dump we send a slave is fresh as long as it is fresh enough (i.e., that its sno and timestamp are in the ulog). Also: - Rename dumps into place instead of unlink, create, write (but we still keep the dump ok files as lock files and as a method of signaling to kprop that the dump is complete). ticket: 7371
* Fix edge-case bugs in kdb5_util loadGreg Hudson2012-07-312-16/+25
| | | | | | | | | | | * fscanf field widths must be less than the buffer size, not equal to it. * Check for negative values of lengths we're going to allocate. * Eliminate a warning in the comparison of the regexp end offset. * process_r1_8 policy doesn't actually ignore additional values, so get rid of the comment and inequality test suggesting that it does. ticket: 7224 (new)
* Revert an out-of-scope change in policy extensionsGreg Hudson2012-07-311-1/+1
|
* Policy extensions + new policy: allowed ks typesNicolas Williams2012-07-306-85/+314
| | | | | | | | | | | | | | | | | This simply adds KADM5_API_VERSION_4 and various fields to the policy structures: - attributes (policy-ish principal attributes) - max_life (max ticket life) - max_renewable_life (max ticket renewable life) - allowed_keysalts (allowed key/salt types) - TL data (future policy extensions) Of these only allowed_keysalts is currently implemented. Some refactoring of TL data handling is also done. ticket: 7223 (new)
* Fix ugly ladder in src/kadmin/cli/kadmin.cNicolas Williams2012-07-301-144/+112
|
* De-indent process_k5beta6_record()Nicolas Williams2012-07-301-247/+210
|
* Allow using locales when gettext is absentBen Kaduk2012-07-064-0/+4
| | | | | | | | | | | Previously, if configure did not detect dgettext(), we disabled anything that smelled like localization, inadvertently including setlocale(). Now that we use setlocale(LC_ALL, ""), we have localized dates available as well as messages, so we should not disable calls to setlocale() any more. Since the routines from locale.h are only used in a relatively small number of places, just include the header directly in those files and remove it from k5-platform.h.
* Enable all localizations in main functionsBen Kaduk2012-07-065-6/+7
| | | | | | | | | | | | | | | Bite the bullet and pass LC_ALL to setlocale() instead of just LC_MESSAGES. Calls to setlocale() itself were introduced in fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but only for LC_MESSAGES since only localized strings were needed and that was the most conservative option. However, klist, kadmin, and kinit (and perhaps others) would benefit from localized formats for times (i.e., LC_TIME). If potentially localized data is being sent on the wire, that is a bug that should be fixed. No such bugs are found with the current test suite, so we are comfortable enabling LC_ALL at this time. ticket: 7192
* Add krb5_kt_client_default APIGreg Hudson2012-07-022-0/+2
| | | | | | | | | | | | | | | | The default client keytab is intended to be used to automatically acquire initial credentials for client applications. The current hardcoded default is a placeholder, and will likely change before 1.11. Add test framework settings to ensure that a system default client keytab doesn't interfere with tests, and to allow tests to be written to deliberately use the default client keytab. Add documentation about keytabs to the concepts section of the RST docs, and describe the default client keytab there. ticket: 7188 (new)
* Remove orphaned KfM codeGreg Hudson2012-06-211-14/+0
|
* Remove orphaned Apple PKINIT supportGreg Hudson2012-04-261-65/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25830 dc483132-0cff-0310-8789-dd5450dbe970
* Only store master mey list in DAL handleGreg Hudson2012-03-216-32/+26
| | | | | | | | | | | | | | r24314 (#6778) created a hybrid owernship model for the master key list, with one virtual copy stored in the DAL handle and one provided to the caller of krb5_db_fetch_mkey_list. Replace this with a model where only the DAL handle owns the list, and a caller can get access to an alias pointer with a new function krb5_db_mkey_list_alias(). Functions which previously accepted the master key list as an input parameter now expect to find it in the DAL handle. Patch by Will Fiveash <will.fiveash@oracle.com>. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
* Remove admin_keytab references in code and docsGreg Hudson2012-03-044-33/+1
| | | | | | | | | The admin keytab hasn't been needed or used by kadmind since 1.4 (except possibly by legacy admin daemons which we no longer ship). Eliminate remaining references to it in code, test cases, and documentation. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25729 dc483132-0cff-0310-8789-dd5450dbe970
* Require IPv6 supportKen Raeburn2012-02-281-2/+0
| | | | | | | | | | | | | | The configure-time options to enable and disable IPv6 support have been deprecated for some time, but the checks for OS support were kept. This removes those checks, and unconditionally compiles in the IPv6 support. There was a configure-time test to see if the macro INET6 needed to be defined in order to enable (visibility of) OS support for IPv6, which was needed on an IRIX system we tested with. That check is retained, but the revised code is untested on IRIX. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25719 dc483132-0cff-0310-8789-dd5450dbe970
* Access controls for string RPCs [CVE-2012-1012]Greg Hudson2012-02-211-8/+11
| | | | | | | | | | | | | | | | | | In the kadmin protocol, make the access controls for get_strings/set_string mirror those of get_principal/modify_principal. Previously, anyone with global list privileges could get or modify string attributes on any principal. The impact of this depends on how generous the kadmind acl is with list permission and whether string attributes are used in a deployment (nothing in the core code uses them yet). CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C ticket: 7093 target_version: 1.10.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
* In kadmin_getprivs replace the non-existing "GET" privilege by "INQUIRE". Zhanna Tsitkov2012-02-151-1/+1
| | | | git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25702 dc483132-0cff-0310-8789-dd5450dbe970
* install sphinx-generated manpagesTom Yu2012-01-094-0/+8
| | | | | | | | | | | | | | | | | Install sphinx-generated manpages. Original nroff manpages remain for reference until proofreading is complete. Modify doc/rst_source/conf.py to better deal with shadow manpages -- sphinx will now build k5login.5 instead of .k5login.5, and kadmin.1 instead of both kadmin.1 and kadmin.local.8. Proofreaders should ensure that the original nroff manpages (and associated Makefile rules) are deleted once their reST format equivalents have been proofread. ticket: 7064 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25625 dc483132-0cff-0310-8789-dd5450dbe970
* Fix failure interval of 0 in LDAP lockout codeGreg Hudson2011-11-201-2/+3
| | | | | | | | | | | | | | | | A failure count interval of 0 caused krb5_ldap_lockout_check_policy to pass the lockout check (but didn't cause a reset of the failure count in krb5_ldap_lockout_audit). It should be treated as forever, as in the DB2 back end. This bug is the previously unknown cause of the assertion failure fixed in CVE-2011-1528. ticket: 7021 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25480 dc483132-0cff-0310-8789-dd5450dbe970
* Make verto context available to kdcpreauth modulesGreg Hudson2011-11-151-1/+1
| | | | | | | | | | | | Add an event_context callback to kdcpreauth. Adjust the internal KDC and main loop interfaces to pass around the event context, and expose it to kdcpreauth modules via the rock. ticket: 7019 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25475 dc483132-0cff-0310-8789-dd5450dbe970
generated by cgit (git 2.34.1) at 2026-01-05 08:28:11 +0000