From b1909b2daab7ad4bddb180960080e709d30329c2 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 4 May 2011 21:31:10 -0700 Subject: [PATCH] Fixes from NetBSD via Thomas Klausner and Roland C. Dowdeswell --- admin/ktutil.8 | 86 ++++++--------------- kadmin/kadmin.8 | 80 ++++---------------- kadmin/kadmind.8 | 29 ++------ kcm/kcm.8 | 85 +++++---------------- kdc/hprop.8 | 39 ++-------- kdc/hpropd.8 | 29 ++------ kdc/kdc.8 | 53 +++---------- kdc/kstash.8 | 22 ++---- kdc/string2key.8 | 43 +++-------- kpasswd/kpasswdd.8 | 27 ++----- kuser/kdestroy.1 | 2 +- kuser/kgetcred.1 | 28 ++----- kuser/kimpersonate.8 | 84 +++++---------------- kuser/kinit.1 | 86 +++++---------------- kuser/klist.1 | 31 ++------ kuser/klist.c | 22 ++++-- lib/gssapi/gssapi.3 | 97 ++++++++++++------------ lib/hx509/revoke.c | 9 ++- lib/kadm5/iprop-log.8 | 48 +++--------- lib/kadm5/iprop.8 | 140 +++++++++++++---------------------- lib/krb5/auth_context.c | 2 + lib/krb5/krb5_get_in_cred.3 | 2 +- lib/krb5/krb5_init_context.3 | 2 +- lib/krb5/salt.c | 1 + lib/roken/get_window_size.c | 63 ++++++++++------ lib/roken/getarg.c | 5 +- lib/roken/roken.h.in | 2 +- lib/vers/print_version.c | 2 + 28 files changed, 337 insertions(+), 782 deletions(-) diff --git a/admin/ktutil.8 b/admin/ktutil.8 index 3c1405b3e..1796b8f32 100644 --- a/admin/ktutil.8 +++ b/admin/ktutil.8 
@@ -53,72 +53,43 @@ is a program for managing keytabs. Supported options: .Bl -tag -width Ds -.It Xo -.Fl v , -.Fl -verbose -.Xc +.It Fl v , Fl -verbose Verbose output. .El .Pp .Ar command can be one of the following: .Bl -tag -width srvconvert -.It add Xo -.Op Fl p Ar principal -.Op Fl -principal= Ns Ar principal -.Op Fl V Ar kvno -.Op Fl -kvno= Ns Ar kvno -.Op Fl e Ar enctype -.Op Fl -enctype= Ns Ar enctype -.Op Fl w Ar password -.Op Fl -password= Ns Ar password -.Op Fl r -.Op Fl -random -.Op Fl s -.Op Fl -no-salt -.Op Fl H -.Op Fl -hex -.Xc +.It add Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \ +Oo Fl V Ar kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \ +Oo Fl -enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \ +Oo Fl -password= Ns Ar password Oc Oo Fl r Oc Oo Fl -random Oc \ +Oo Fl s Oc Oo Fl -no-salt Oc Oo Fl H Oc Op Fl -hex Adds a key to the keytab. Options that are not specified will be prompted for. This requires that you know the password or the hex key of the principal to add; if what you really want is to add a new principal to the keytab, you should consider the .Ar get command, which talks to the kadmin server. -.It change Xo -.Op Fl r Ar realm -.Op Fl -realm= Ns Ar realm -.Op Fl -a Ar host -.Op Fl -admin-server= Ns Ar host -.Op Fl -s Ar port -.Op Fl -server-port= Ns Ar port -.Xc +.It change Oo Fl r Ar realm Oc Oo Fl -realm= Ns Ar realm Oc \ +Oo Fl -a Ar host Oc Oo Fl -admin-server= Ns Ar host Oc \ +Oo Fl -s Ar port Oc Op Fl -server-port= Ns Ar port Update one or several keys to new versions. By default, use the admin server for the realm of a keytab entry. Otherwise it will use the values specified by the options. .Pp If no principals are given, all the ones in the keytab are updated. -.It copy Xo -.Ar keytab-src -.Ar keytab-dest -.Xc +.It copy Ar keytab-src Ar keytab-dest Copies all the entries from .Ar keytab-src to .Ar keytab-dest . 
-.It get Xo -.Op Fl p Ar admin principal -.Op Fl -principal= Ns Ar admin principal -.Op Fl e Ar enctype -.Op Fl -enctypes= Ns Ar enctype -.Op Fl r Ar realm -.Op Fl -realm= Ns Ar realm -.Op Fl a Ar admin server -.Op Fl -admin-server= Ns Ar admin server -.Op Fl s Ar server port -.Op Fl -server-port= Ns Ar server port -.Ar principal ... -.Xc +.It get Oo Fl p Ar admin principal Oc \ +Oo Fl -principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \ +Oo Fl -enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \ +Oo Fl -realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \ +Oo Fl -admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \ +Oo Fl -server-port= Ns Ar server port Oc Ar principal ... For each .Ar principal , generate a new key for it (creating it if it doesn't already exist), @@ -128,35 +99,22 @@ If no .Ar realm is specified, the realm to operate on is taken from the first principal. -.It list Xo -.Op Fl -keys -.Op Fl -timestamp -.Xc +.It list Oo Fl -keys Oc Op Fl -timestamp List the keys stored in the keytab. -.It remove Xo -.Op Fl p Ar principal -.Op Fl -principal= Ns Ar principal -.Op Fl V kvno -.Op Fl -kvno= Ns Ar kvno -.Op Fl e enctype -.Op Fl -enctype= Ns Ar enctype -.Xc +.It remove Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \ +Oo Fl V kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \ +Oo Fl -enctype= Ns Ar enctype Oc Removes the specified key or keys. Not specifying a .Ar kvno removes keys with any version number. Not specifying an .Ar enctype removes keys of any type. -.It rename Xo -.Ar from-principal -.Ar to-principal -.Xc +.It rename Ar from-principal Ar to-principal Renames all entries in the keytab that match the .Ar from-principal to .Ar to-principal . -.It purge Xo -.Op Fl -age= Ns Ar age -.Xc +.It purge Op Fl -age= Ns Ar age Removes all old versions of a key for which there is a newer version that is at least .Ar age diff --git a/kadmin/kadmin.8 b/kadmin/kadmin.8 index 09a57280d..72f3845f0 100644 --- a/kadmin/kadmin.8 
+++ b/kadmin/kadmin.8 @@ -40,34 +40,13 @@ .Sh SYNOPSIS .Nm .Bk -words -.Oo Fl p Ar string \*(Ba Xo -.Fl -principal= Ns Ar string -.Xc -.Oc -.Oo Fl K Ar string \*(Ba Xo -.Fl -keytab= Ns Ar string -.Xc -.Oc -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Oo Fl k Ar file \*(Ba Xo -.Fl -key-file= Ns Ar file -.Xc -.Oc -.Oo Fl r Ar realm \*(Ba Xo -.Fl -realm= Ns Ar realm -.Xc -.Oc -.Oo Fl a Ar host \*(Ba Xo -.Fl -admin-server= Ns Ar host -.Xc -.Oc -.Oo Fl s Ar port number \*(Ba Xo -.Fl -server-port= Ns Ar port number -.Xc -.Oc +.Op Fl p Ar string \*(Ba Fl -principal= Ns Ar string +.Op Fl K Ar string \*(Ba Fl -keytab= Ns Ar string +.Op Fl c Ar file \*(Ba Fl -config-file= Ns Ar file +.Op Fl k Ar file \*(Ba Fl -key-file= Ns Ar file +.Op Fl r Ar realm \*(Ba Fl -realm= Ns Ar realm +.Op Fl a Ar host \*(Ba Fl -admin-server= Ns Ar host +.Op Fl s Ar port number \*(Ba Fl -server-port= Ns Ar port number .Op Fl l | Fl -local .Op Fl h | Fl -help .Op Fl v | Fl -version 
@@ -84,45 +63,21 @@ option). .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl p Ar string , -.Fl -principal= Ns Ar string -.Xc +.It Fl p Ar string , Fl -principal= Ns Ar string principal to authenticate as -.It Xo -.Fl K Ar string , -.Fl -keytab= Ns Ar string -.Xc +.It Fl K Ar string , Fl -keytab= Ns Ar string keytab for authentication principal -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file location of config file -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc +.It Fl k Ar file , Fl -key-file= Ns Ar file location of master key file -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc +.It Fl r Ar realm , Fl -realm= Ns Ar realm realm to use -.It Xo -.Fl a Ar host , -.Fl -admin-server= Ns Ar host -.Xc +.It Fl a Ar host , Fl -admin-server= Ns Ar host server to contact -.It Xo -.Fl s Ar port number , -.Fl -server-port= Ns Ar port number -.Xc +.It Fl s Ar port number , Fl -server-port= Ns Ar port number port to use -.It Xo -.Fl l , -.Fl -local -.Xc +.It Fl l , Fl -local local admin mode .El .Pp @@ -148,10 +103,7 @@ Commands include: .Nm add .Op Fl r | Fl -random-key .Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc +.Op Fl p Ar string \*(Ba Fl -password= Ns Ar string .Op Fl -key= Ns Ar string .Op Fl -max-ticket-life= Ns Ar lifetime .Op Fl -max-renewable-life= Ns Ar lifetime diff --git a/kadmin/kadmind.8 b/kadmin/kadmind.8 index c4122df92..cbfd032e9 100644 --- a/kadmin/kadmind.8 +++ b/kadmin/kadmind.8 
@@ -117,34 +117,17 @@ glob-style pattern. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file location of config file -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc +.It Fl k Ar file , Fl -key-file= Ns Ar file location of master key file -.It Xo -.Fl -keytab= Ns Ar keytab -.Xc +.It Fl -keytab= Ns Ar keytab what keytab to use -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc +.It Fl r Ar realm , Fl -realm= Ns Ar realm realm to use -.It Xo -.Fl d , -.Fl -debug -.Xc +.It Fl d , Fl -debug enable debugging -.It Xo -.Fl p Ar port , -.Fl -ports= Ns Ar port -.Xc +.It Fl p Ar port , Fl -ports= Ns Ar port ports to listen to. By default, if run as a daemon, it listens to port 749, but you can add any number of ports with this option. The port string is a whitespace separated list of port specifications, with the diff --git a/kcm/kcm.8 b/kcm/kcm.8 index 71a1e618c..cde03362d 100644 --- a/kcm/kcm.8 +++ b/kcm/kcm.8 
@@ -127,91 +127,42 @@ the ticket itself. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl -cache-name= Ns Ar cachename -.Xc +.It Fl -cache-name= Ns Ar cachename system cache name -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file location of config file -.It Xo -.Fl g Ar group , -.Fl -group= Ns Ar group -.Xc +.It Fl g Ar group , Fl -group= Ns Ar group system cache group -.It Xo -.Fl -max-request= Ns Ar size -.Xc +.It Fl -max-request= Ns Ar size max size for a kcm-request -.It Xo -.Fl -disallow-getting-krbtgt -.Xc +.It Fl -disallow-getting-krbtgt disallow extracting any krbtgt from the .Nm kcm daemon. -.It Xo -.Fl -detach -.Xc +.It Fl -detach detach from console -.It Xo -.Fl h , -.Fl -help -.Xc -.It Xo -.Fl k Ar principal , -.Fl -system-principal= Ns Ar principal -.Xc +.It Fl h , Fl -help +.It Fl k Ar principal , Fl -system-principal= Ns Ar principal system principal name -.It Xo -.Fl l Ar time , -.Fl -lifetime= Ns Ar time -.Xc +.It Fl l Ar time , Fl -lifetime= Ns Ar time lifetime of system tickets -.It Xo -.Fl m Ar mode , -.Fl -mode= Ns Ar mode -.Xc +.It Fl m Ar mode , Fl -mode= Ns Ar mode octal mode of system cache -.It Xo -.Fl n , -.Fl -no-name-constraints -.Xc +.It Fl n , Fl -no-name-constraints disable credentials cache name constraints -.It Xo -.Fl r Ar time , -.Fl -renewable-life= Ns Ar time -.Xc +.It Fl r Ar time , Fl -renewable-life= Ns Ar time renewable lifetime of system tickets -.It Xo -.Fl s Ar path , -.Fl -socket-path= Ns Ar path -.Xc +.It Fl s Ar path , Fl -socket-path= Ns Ar path path to kcm domain socket -.It Xo -.Fl -door-path= Ns Ar path -.Xc +.It Fl -door-path= Ns Ar path path to kcm door socket -.It Xo -.Fl S Ar principal , -.Fl -server= Ns Ar principal -.Xc +.It Fl S Ar principal , Fl -server= Ns Ar principal server to get system ticket for -.It Xo -.Fl t Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc +.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab system keytab name -.It Xo -.Fl u Ar 
user , -.Fl -user= Ns Ar user -.Xc +.It Fl u Ar user , Fl -user= Ns Ar user system cache owner -.It Xo -.Fl v , -.Fl -version -.Xc +.It Fl v , Fl -version .El .\".Sh ENVIRONMENT .\".Sh FILES diff --git a/kdc/hprop.8 b/kdc/hprop.8 index 61682d228..cca0d7acf 100644 --- a/kdc/hprop.8 +++ b/kdc/hprop.8 @@ -89,19 +89,11 @@ specified on the command by opening a TCP connection to port 754 .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl m Ar file , -.Fl -master-key= Ns Pa file -.Xc +.It Fl m Ar file , Fl -master-key= Ns Pa file Where to find the master key to encrypt or decrypt keys with. -.It Xo -.Fl d Ar file , -.Fl -database= Ns Pa file -.Xc +.It Fl d Ar file , Fl -database= Ns Pa file The database to be propagated. -.It Xo -.Fl -source= Ns Ar heimdal|mit-dump -.Xc +.It Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver Specifies the type of the source database. Alternatives include: .Pp .Bl -tag -width mit-dump -compact -offset indent @@ -110,36 +102,21 @@ a Heimdal database .It mit-dump a MIT Kerberos 5 dump file .El -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc ++.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab The keytab to use for fetching the key to be used for authenticating to the propagation daemon(s). The key .Pa hprop/hostname is used from this keytab. The default is to fetch the key from the KDC database. -.It Xo -.Fl R Ar string , -.Fl -v5-realm= Ns Ar string -.Xc +.It Fl R Ar string , Fl -v5-realm= Ns Ar string Local realm override. -.It Xo -.Fl D , -.Fl -decrypt -.Xc +.It Fl D , Fl -decrypt The encryption keys in the database can either be in clear, or encrypted with a master key. This option transmits the database with unencrypted keys. -.It Xo -.Fl E , -.Fl -encrypt -.Xc +.It Fl E , Fl -encrypt This option transmits the database with encrypted keys. -.It Xo -.Fl n , -.Fl -stdout -.Xc +.It Fl n , Fl -stdout Dump the database on stdout, in a format that can be fed to hpropd. .El .Sh EXAMPLES 
diff --git a/kdc/hpropd.8 b/kdc/hpropd.8 index 982be9f80..0b9b02cbe 100644 --- a/kdc/hpropd.8 +++ b/kdc/hpropd.8 @@ -73,34 +73,17 @@ are accepted. .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl d Ar file , -.Fl -database= Ns Ar file -.Xc +.It Fl d Ar file , Fl -database= Ns Ar file database -.It Xo -.Fl n , -.Fl -stdin -.Xc +.It Fl n , Fl -stdin read from stdin -.It Xo -.Fl -print -.Xc +.It Fl -print print dump to stdout -.It Xo -.Fl i , -.Fl -no-inetd -.Xc +.It Fl i , Fl -no-inetd not started from inetd -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc +.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab keytab to use for authentication -.It Xo -.Fl 4 , -.Fl -v4dump -.Xc +.It Fl 4 , Fl -v4dump create v4 type DB .El .Sh SEE ALSO diff --git a/kdc/kdc.8 b/kdc/kdc.8 index 16e05ec53..93f9d282c 100644 --- a/kdc/kdc.8 +++ b/kdc/kdc.8 @@ -72,17 +72,11 @@ or from a default compiled-in value. .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file Specifies the location of the config file, the default is .Pa /var/heimdal/kdc.conf . This is the only value that can't be specified in the config file. -.It Xo -.Fl p , -.Fl -no-require-preauth -.Xc +.It Fl p , Fl -no-require-preauth Turn off the requirement for pre-autentication in the initial AS-REQ for all principals. The use of pre-authentication makes it more difficult to do offline 
@@ -95,34 +89,20 @@ pre-athentication. The default is to require pre-authentication. Adding the require-preauth per principal is a more flexible way of handling this. -.It Xo -.Fl -max-request= Ns Ar size -.Xc +.It Fl -max-request= Ns Ar size Gives an upper limit on the size of the requests that the kdc is willing to handle. -.It Xo -.Fl H , -.Fl -enable-http -.Xc +.It Fl H , Fl -enable-http Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. -.It Xo -.Fl -no-524 -.Xc +.It Fl -no-524 don't respond to 524 requests -.It Xo -.Fl -kerberos4 -.Xc +.It Fl -kerberos4 respond to Kerberos 4 requests -.It Xo -.Fl -kerberos4-cross-realm -.Xc +.It Fl -kerberos4-cross-realm respond to Kerberos 4 requests from foreign realms. This is a known security hole and should not be enabled unless you understand the consequences and are willing to live with them. -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -v4-realm= Ns Ar string What realm this server should act as when dealing with version 4 requests. The database can contain any number of realms, but since the version 4 @@ -132,15 +112,9 @@ The default is whatever is returned by .Fn krb_get_lrealm . This option is only available if the KDC has been compiled with version 4 support. -.It Xo -.Fl K , -.Fl -kaserver -.Xc +.It Fl K , Fl -kaserver Enable kaserver emulation (in case it's compiled in). -.It Xo -.Fl P Ar portspec , -.Fl -ports= Ns Ar portspec -.Xc +.It Fl P Ar portspec , Fl -ports= Ns Ar portspec Specifies the set of ports the KDC should listen on. It is given as a white-space separated list of services or port numbers. 
@@ -198,11 +172,8 @@ Permit anonymous tickets with no addresses. .It Li max-kdc-datagram-reply-length = Va number Maximum packet size the UDP rely that the KDC will transmit, instead the KDC sends back a reply telling the client to use TCP instead. -.It Li transited-policy = Xo -.Li always-check \*(Ba -.Li allow-per-principal | -.Li always-honour-request -.Xc +.It Li transited-policy = Li always-check \*(Ba \ +Li allow-per-principal | Li always-honour-request This controls how KDC requests with the .Li disable-transited-check flag are handled. It can be one of: diff --git a/kdc/kstash.8 b/kdc/kstash.8 index 10f60d6dc..dca67f4a4 100644 --- a/kdc/kstash.8 +++ b/kdc/kstash.8 @@ -62,28 +62,16 @@ used by the KDC. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl e Ar string , -.Fl -enctype= Ns Ar string -.Xc +.It Fl e Ar string , Fl -enctype= Ns Ar string the encryption type to use, defaults to DES3-CBC-SHA1. -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc +.It Fl k Ar file , Fl -key-file= Ns Ar file the name of the master key file. -.It Xo -.Fl -convert-file -.Xc +.It Fl -convert-file don't ask for a new master key, just read an old master key file, and write it back in the new keyfile format. -.It Xo -.Fl -random-key -.Xc +.It Fl -random-key generate a random master key. -.It Xo -.Fl -master-key-fd= Ns Ar fd -.Xc +.It Fl -master-key-fd= Ns Ar fd filedescriptor to read passphrase from, if not specified the passphrase will be read from the terminal. .El diff --git a/kdc/string2key.8 b/kdc/string2key.8 index f92d20f18..57186aa07 100644 --- a/kdc/string2key.8 +++ b/kdc/string2key.8 
@@ -65,46 +65,21 @@ performs the string-to-key function. This is useful when you want to handle the raw key instead of the password. Supported options: .Bl -tag -width Ds -.It Xo -.Fl 5 , -.Fl -version5 -.Xc +.It Fl 5 , Fl -version5 Output Kerberos v5 string-to-key -.It Xo -.Fl 4 , -.Fl -version4 -.Xc +.It Fl 4 , Fl -version4 Output Kerberos v4 string-to-key -.It Xo -.Fl a , -.Fl -afs -.Xc +.It Fl a , Fl -afs Output AFS string-to-key -.It Xo -.Fl c Ar cell , -.Fl -cell= Ns Ar cell -.Xc +.It Fl c Ar cell , Fl -cell= Ns Ar cell AFS cell to use -.It Xo -.Fl w Ar password , -.Fl -password= Ns Ar password -.Xc +.It Fl w Ar password , Fl -password= Ns Ar password Password to use -.It Xo -.Fl p Ar principal , -.Fl -principal= Ns Ar principal -.Xc +.It Fl p Ar principal , Fl -principal= Ns Ar principal Kerberos v5 principal to use -.It Xo -.Fl k Ar string , -.Fl -keytype= Ns Ar string -.Xc +.It Fl k Ar string , Fl -keytype= Ns Ar string Keytype -.It Xo -.Fl -version -.Xc +.It Fl -version print version -.It Xo -.Fl -help -.Xc +.It Fl -help .El diff --git a/kpasswd/kpasswdd.8 b/kpasswd/kpasswdd.8 index 0e05941f4..51d674beb 100644 --- a/kpasswd/kpasswdd.8 +++ b/kpasswd/kpasswdd.8 @@ -64,20 +64,14 @@ the database directly and should thus only run on the master KDC. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl -addresses= Ns Ar address -.Xc +.It Fl -addresses= Ns Ar address For each till the argument is given, add the address to what kpasswdd should listen too. -.It Xo -.Fl -check-library= Ns Ar library -.Xc +.It Fl -check-library= Ns Ar library If your system has support for dynamic loading of shared libraries, you can use an external function to check password quality. This option specifies which library to load. -.It Xo -.Fl -check-function= Ns Ar function -.Xc +.It Fl -check-function= Ns Ar function This is the function to call in the loaded library. The function should look like this: .Pp 
@@ -92,20 +86,11 @@ is the one who tries to change passwords, and is the new password. Note that the password (in .Fa password->data ) is not zero terminated. -.It Xo -.Fl k Ar kspec , -.Fl -keytab= Ns Ar kspec -.Xc +.It Fl k Ar kspec , Fl -keytab= Ns Ar kspec Keytab to get authentication key from. -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc +.It Fl r Ar realm , Fl -realm= Ns Ar realm Default realm. -.It Xo -.Fl p Ar string , -.Fl -port= Ns Ar string -.Xc +.It Fl p Ar string , Fl -port= Ns Ar string Port to listen on (default service kpasswd - 464). .El .Sh DIAGNOSTICS diff --git a/kuser/kdestroy.1 b/kuser/kdestroy.1 index 0d87618a5..c8ba32432 100644 --- a/kuser/kdestroy.1 +++ b/kuser/kdestroy.1 @@ -36,7 +36,7 @@ .Os HEIMDAL .Sh NAME .Nm kdestroy -.Nd remove one credental or destroy the current ticket file +.Nd remove one credential or destroy the current ticket file .Sh SYNOPSIS .Nm .Bk -words diff --git a/kuser/kgetcred.1 b/kuser/kgetcred.1 index 42c39d356..4f0be6a42 100644 --- a/kuser/kgetcred.1 +++ b/kuser/kgetcred.1 @@ -61,30 +61,16 @@ ticket or of a special type. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl -canonicalize -.Xc +.It Fl -canonicalize requests that the KDC canonicalize the principal. -.It Xo -.Fl c Ar cache , -.Fl -cache= Ns Ar cache -.Xc +.It Fl c Ar cache , Fl -cache= Ns Ar cache the credential cache to use. -.It Xo -.Fl e Ar enctype , -.Fl -enctype= Ns Ar enctype -.Xc +.It Fl e Ar enctype , Fl -enctype= Ns Ar enctype encryption type to use. -.It Xo -.Fl -no-transit-check -.Xc -requests that the KDC doesn't do trasnit checking. -.It Xo -.Fl -version -.Xc -.It Xo -.Fl -help -.Xc +.It Fl -no-transit-check +requests that the KDC doesn't do transit checking. +.It Fl -version +.It Fl -help .El .Sh SEE ALSO .Xr kinit 1 , diff --git a/kuser/kimpersonate.8 b/kuser/kimpersonate.8 index d8fc3996a..a7a33e800 100644 --- a/kuser/kimpersonate.8 +++ b/kuser/kimpersonate.8 
@@ -40,28 +40,14 @@ impersonate a user when there exist a srvtab, keyfile or KeyFile .Sh SYNOPSIS .Nm -.Oo Fl s Ar string \*(Ba Xo -.Fl -server= Ns Ar string Oc -.Xc -.Oo Fl c Ar string \*(Ba Xo -.Fl -client= Ns Ar string Oc -.Xc -.Oo Fl k Ar string \*(Ba Xo -.Fl -keytab= Ns Ar string Oc -.Xc +.Op Fl s Ar string \*(Ba Fl -server= Ns Ar string +.Op Fl c Ar string \*(Ba Fl -client= Ns Ar string +.Op Fl k Ar string \*(Ba Fl -keytab= Ns Ar string .Op Fl 5 | Fl -krb5 -.Oo Fl e Ar integer \*(Ba Xo -.Fl -expire-time= Ns Ar integer Oc -.Xc -.Oo Fl a Ar string \*(Ba Xo -.Fl -client-address= Ns Ar string Oc -.Xc -.Oo Fl t Ar string \*(Ba Xo -.Fl -enc-type= Ns Ar string Oc -.Xc -.Oo Fl f Ar string \*(Ba Xo -.Fl -ticket-flags= Ns Ar string Oc -.Xc +.Op Fl e Ar integer \*(Ba Fl -expire-time= Ns Ar integer +.Op Fl a Ar string \*(Ba Fl -client-address= Ns Ar string +.Op Fl t Ar string \*(Ba Fl -enc-type= Ns Ar string +.Op Fl f Ar string \*(Ba Fl -ticket-flags= Ns Ar string .Op Fl -verbose .Op Fl -version .Op Fl -help 
@@ -73,57 +59,27 @@ The service key can be read from a Kerberos 5 keytab, AFS KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab. Supported options: .Bl -tag -width Ds -.It Xo -.Fl s Ar string Ns , -.Fl -server= Ns Ar string -.Xc +.It Fl s Ar string Ns , Fl -server= Ns Ar string name of server principal -.It Xo -.Fl c Ar string Ns , -.Fl -client= Ns Ar string -.Xc +.It Fl c Ar string Ns , Fl -client= Ns Ar string name of client principal -.It Xo -.Fl k Ar string Ns , -.Fl -keytab= Ns Ar string -.Xc +.It Fl k Ar string Ns , Fl -keytab= Ns Ar string name of keytab file -.It Xo -.Fl 5 Ns , -.Fl -krb5 -.Xc +.It Fl 5 Ns , Fl -krb5 create a Kerberos 5 ticket -.It Xo -.Fl e Ar integer Ns , -.Fl -expire-time= Ns Ar integer -.Xc +.It Fl e Ar integer Ns , Fl -expire-time= Ns Ar integer lifetime of ticket in seconds -.It Xo -.Fl a Ar string Ns , -.Fl -client-address= Ns Ar string -.Xc +.It Fl a Ar string Ns , Fl -client-address= Ns Ar string address of client -.It Xo -.Fl t Ar string Ns , -.Fl -enc-type= Ns Ar string -.Xc +.It Fl t Ar string Ns , Fl -enc-type= Ns Ar string encryption type -.It Xo -.Fl f Ar string Ns , -.Fl -ticket-flags= Ns Ar string -.Xc +.It Fl f Ar string Ns , Fl -ticket-flags= Ns Ar string ticket flags for krb5 ticket -.It Xo -.Fl -verbose -.Xc +.It Fl -verbose Verbose output -.It Xo -.Fl -version -.Xc +.It Fl -version Print version -.It Xo -.Fl -help -.Xc +.It Fl -help .El .Sh FILES Uses @@ -131,9 +87,9 @@ Uses .Pa /etc/srvtab and .Pa /usr/afs/etc/KeyFile -when avalible and the the +when available and the .Fl k -is used with appropriate prefix. +option is used with an appropriate prefix. .Sh EXAMPLES .Nm can be used in diff --git a/kuser/kinit.1 b/kuser/kinit.1 index ed8770aa3..7bd7e63e4 100644 --- a/kuser/kinit.1 +++ b/kuser/kinit.1 
@@ -96,41 +96,23 @@ can later be used to obtain tickets for other services. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl c Ar cachename -.Fl -cache= Ns Ar cachename -.Xc +.It Fl c Ar cachename Fl -cache= Ns Ar cachename The credentials cache to put the acquired ticket in, if other than default. -.It Xo -.Fl f -.Fl -no-forwardable -.Xc +.It Fl f Fl -no-forwardable Get ticket that can be forwarded to another host, or if the negative flags use, don't get a forwardable flag. -.It Xo -.Fl t Ar keytabname , -.Fl -keytab= Ns Ar keytabname -.Xc +.It Fl t Ar keytabname , Fl -keytab= Ns Ar keytabname Don't ask for a password, but instead get the key from the specified keytab. -.It Xo -.Fl l Ar time , -.Fl -lifetime= Ns Ar time -.Xc +.It Fl l Ar time , Fl -lifetime= Ns Ar time Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like .Sq 1h . -.It Xo -.Fl p , -.Fl -proxiable -.Xc +.It Fl p , Fl -proxiable Request tickets with the proxiable flag set. -.It Xo -.Fl R , -.Fl -renew -.Xc +.It Fl R , Fl -renew Try to renew ticket. The ticket must have the .Sq renewable 
@@ -139,46 +121,26 @@ flag set, and must not be expired. The same as .Fl -renewable-life , with an infinite time. -.It Xo -.Fl r Ar time , -.Fl -renewable-life= Ns Ar time -.Xc +.It Fl r Ar time , Fl -renewable-life= Ns Ar time The max renewable ticket life. -.It Xo -.Fl S Ar principal , -.Fl -server= Ns Ar principal -.Xc +.It Fl S Ar principal , Fl -server= Ns Ar principal Get a ticket for a service other than krbtgt/LOCAL.REALM. -.It Xo -.Fl s Ar time , -.Fl -start-time= Ns Ar time -.Xc +.It Fl s Ar time , Fl -start-time= Ns Ar time Obtain a ticket that starts to be valid .Ar time (which can really be a generic time specification, like .Sq 1h ) seconds into the future. -.It Xo -.Fl k , -.Fl -use-keytab -.Xc +.It Fl k , Fl -use-keytab The same as .Fl -keytab , but with the default keytab name (normally .Ar FILE:/etc/krb5.keytab ) . -.It Xo -.Fl v , -.Fl -validate -.Xc +.It Fl v , Fl -validate Try to validate an invalid ticket. -.It Xo -.Fl e , -.Fl -enctypes= Ns Ar enctypes -.Xc +.It Fl e , Fl -enctypes= Ns Ar enctypes Request tickets with this particular enctype. -.It Xo -.Fl -password-file= Ns Ar filename -.Xc +.It Fl -password-file= Ns Ar filename read the password from the first line of .Ar filename . If the @@ -186,15 +148,10 @@ If the is .Ar STDIN , the password will be read from the standard input. -.It Xo -.Fl -fcache-version= Ns Ar version-number -.Xc +.It Fl -fcache-version= Ns Ar version-number Create a credentials cache of version .Ar version-number . -.It Xo -.Fl a , -.Fl -extra-addresses= Ns Ar enctypes -.Xc +.It Fl a , Fl -extra-addresses= Ns Ar enctypes Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be 
@@ -204,20 +161,13 @@ Also settable via .Li libdefaults/extra_addresses in .Xr krb5.conf 5 . -.It Xo -.Fl A , -.Fl -no-addresses -.Xc +.It Fl A , Fl -no-addresses Request a ticket with no addresses. -.It Xo -.Fl -anonymous -.Xc +.It Fl -anonymous Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically .Dq anonymous@REALM ) . -.It Xo -.Fl -enterprise -.Xc +.It Fl -enterprise Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs diff --git a/kuser/klist.1 b/kuser/klist.1 index 7e85bfc33..b7744f7e6 100644 --- a/kuser/klist.1 +++ b/kuser/klist.1 @@ -60,27 +60,14 @@ known as the ticket file). .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl c Ar cache , -.Fl -cache= Ns Ar cache -.Xc +.It Fl c Ar cache , Fl -cache= Ns Ar cache credential cache to list -.It Xo -.Fl s , -.Fl t , -.Fl -test -.Xc +.It Fl s , Fl t , Fl -test Test for there being an active and valid TGT for the local realm of the user in the credential cache. -.It Xo -.Fl T , -.Fl -tokens -.Xc +.It Fl T , Fl -tokens display AFS tokens -.It Xo -.Fl 5 , -.Fl -v5 -.Xc +.It Fl 5 , Fl -v5 display v5 cred cache (this is the default) .It Fl f Include ticket flags in short form, each character stands for a @@ -113,10 +100,7 @@ hardware authenticated This information is also output with the .Fl -verbose option, but in a more verbose way. -.It Xo -.Fl v , -.Fl -verbose -.Xc +.It Fl v , Fl -verbose Verbose output. Include all possible information: .Bl -tag -width XXXX -offset indent .It Server @@ -141,10 +125,7 @@ the flags set on the ticket .It Addresses the set of addresses from which this ticket is valid .El -.It Xo -.Fl l , -.Fl -list-caches -.Xc +.It Fl l , Fl -list-caches List the credential caches for the current users, not all cache types supports listing multiple caches. .Pp 
diff --git a/kuser/klist.c b/kuser/klist.c index f77908a34..986fd1a70 100644 --- a/kuser/klist.c +++ b/kuser/klist.c @@ -39,21 +39,29 @@ #include "kcc-commands.h" static char* -printable_time(time_t t) +printable_time_internal(time_t t, int x) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[15] = 0; + char *p; + + if ((p = ctime(&t)) == NULL) + strlcpy(s, "?", sizeof(s)); + else + strlcpy(s, p + 4, sizeof(s)); + s[x] = 0; return s; } +static char* +printable_time(time_t t) +{ + return printable_time_internal(t, 20); +} + static char* printable_time_long(time_t t) { - static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[20] = 0; - return s; + return printable_time_internal(t, 20); } #define COL_ISSUED NP_(" Issued","") diff --git a/lib/gssapi/gssapi.3 b/lib/gssapi/gssapi.3 index e1fb65e64..fa9b33e54 100644 --- a/lib/gssapi/gssapi.3 +++ b/lib/gssapi/gssapi.3 
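Review bot: `printable_time()` now passes 20 to `printable_time_internal()`, the same length as `printable_time_long()`, whereas the removed code cut the string at `s[15]`; the short form therefore gains the year and the two wrappers become identical. If the short form is still wanted, the call should read `return printable_time_internal(t, 15);`. Both wrappers also now return the single static buffer inside `printable_time_internal()`, where each previously had its own, so a caller that formats a short and a long time in one expression would see one result overwrite the other; the callers are outside this hunk, so that needs checking. A short comment on the `ctime()` NULL check, such as `/* ctime() returns NULL for a time_t it cannot convert */`, would record why the "?" fallback exists.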
@@ -53,57 +53,52 @@ These functions constitute the gssapi library, .Em libgssapi . Declarations for these functions may be obtained from the include file .Pa gssapi.h . -.sp 2 -.nf -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u -\fIName/Page\fP \fIDescription\fP -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC -.sp 5p -gss_accept_sec_context.3 -gss_acquire_cred.3 -gss_add_cred.3 -gss_add_oid_set_member.3 -gss_canonicalize_name.3 -gss_compare_name.3 -gss_context_time.3 -gss_create_empty_oid_set.3 -gss_delete_sec_context.3 -gss_display_name.3 -gss_display_status.3 -gss_duplicate_name.3 -gss_export_name.3 -gss_export_sec_context.3 -gss_get_mic.3 -gss_import_name.3 -gss_import_sec_context.3 -gss_indicate_mechs.3 -gss_init_sec_context.3 -gss_inquire_context.3 -gss_inquire_cred.3 -gss_inquire_cred_by_mech.3 -gss_inquire_mechs_for_name.3 -gss_inquire_names_for_mech.3 -gss_krb5_ccache_name.3 -gss_krb5_compat_des3_mic.3 -gss_krb5_copy_ccache.3 -gss_krb5_extract_authz_data_from_sec_context.3 -gss_krb5_import_ccache.3 -gss_process_context_token.3 -gss_release_buffer.3 -gss_release_cred.3 -gss_release_name.3 -gss_release_oid_set.3 -gss_seal.3 -gss_sign.3 -gss_test_oid_set_member.3 -gss_unseal.3 -gss_unwrap.3 -gss_verify.3 -gss_verify_mic.3 -gss_wrap.3 -gss_wrap_size_limit.3 -.ta -.Fi +.Bl -column -compact +.It Sy Name/Page +.It Xr gss_accept_sec_context 3 +.It Xr gss_acquire_cred 3 +.It Xr gss_add_cred 3 +.It Xr gss_add_oid_set_member 3 +.It Xr gss_canonicalize_name 3 +.It Xr gss_compare_name 3 +.It Xr gss_context_time 3 +.It Xr gss_create_empty_oid_set 3 +.It Xr gss_delete_sec_context 3 +.It Xr gss_display_name 3 +.It Xr gss_display_status 3 +.It Xr gss_duplicate_name 3 +.It Xr gss_export_name 3 +.It Xr gss_export_sec_context 3 +.It Xr gss_get_mic 3 +.It Xr gss_import_name 3 +.It Xr gss_import_sec_context 3 +.It Xr gss_indicate_mechs 3 +.It Xr gss_init_sec_context 3 +.It Xr gss_inquire_context 3 +.It Xr gss_inquire_cred 3 +.It Xr 
gss_inquire_cred_by_mech 3 +.It Xr gss_inquire_mechs_for_name 3 +.It Xr gss_inquire_names_for_mech 3 +.It Xr gss_krb5_ccache_name 3 +.It Xr gss_krb5_compat_des3_mic 3 +.It Xr gss_krb5_copy_ccache 3 +.It Xr gss_krb5_extract_authz_data_from_sec_context 3 +.It Xr gss_krb5_import_ccache 3 +.It Xr gss_process_context_token 3 +.It Xr gss_release_buffer 3 +.It Xr gss_release_cred 3 +.It Xr gss_release_name 3 +.It Xr gss_release_oid_set 3 +.It Xr gss_seal 3 +.It Xr gss_sign 3 +.It Xr gss_test_oid_set_member 3 +.It Xr gss_unseal 3 +.It Xr gss_unwrap 3 +.It Xr gss_verify 3 +.It Xr gss_verify_mic 3 +.It Xr gss_wrap 3 +.It Xr gss_wrap_size_limit 3 +.El .Sh COMPATIBILITY The .Nm Heimdal diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c index 715438d4b..e414c762b 100644 --- a/lib/hx509/revoke.c +++ b/lib/hx509/revoke.c @@ -1054,8 +1054,13 @@ static char * printable_time(time_t t) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[20] = 0; + char *p; + if ((p = ctime(&t)) == NULL) + strlcpy(s, "?", sizeof(s)); + else { + strlcpy(s, p + 4, sizeof(s)); + s[20] = 0; + } return s; } diff --git a/lib/kadm5/iprop-log.8 b/lib/kadm5/iprop-log.8 index 5fa86b527..5d326c7e5 100644 --- a/lib/kadm5/iprop-log.8 +++ b/lib/kadm5/iprop-log.8 @@ -83,28 +83,17 @@ maintain the iprop log file .Sh DESCRIPTION Supported options: .Bl -tag -width Ds -.It Xo -.Fl -version -.Xc -.It Xo -.Fl h , -.Fl -help -.Xc +.It Fl -version +.It Fl h , Fl -help .El .Pp command can be one of the following: .Bl -tag -width truncate .It truncate .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -realm= Ns Ar string realm .El .Pp 
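Review bot: The new NULL branch in `printable_time()` has no comment saying why `ctime()` can fail, and the `if` arm is unbraced while the `else` arm is braced. I would brace both arms and add `/* ctime() returns NULL for a time_t it cannot convert; print "?" rather than dereference it */` above the check. The function still returns a pointer into a static buffer, so a header comment noting that the result is overwritten by the next call and is not thread-safe would help callers of this library code. kuser/klist.c gets a near-identical helper in the same commit but places the truncation outside the branch; keeping the two in the same shape would make later fixes easier to apply to both.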
@@ -113,10 +102,7 @@ last entry of the old log. If the log is truncted by emptying the file, the log will start over at the first version (0). .It dump .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file .It Xo .Fl r Ar string , @@ -128,23 +114,15 @@ realm Print out all entries in the log to standard output. .It replay .Bl -tag -width Ds -.It Xo -.Fl -start-version= Ns Ar version-number -.Xc +.It Fl -start-version= Ns Ar version-number start replay with this version .It Xo .Fl -end-version= Ns Ar version-number .Xc end replay with this version -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -realm= Ns Ar string realm .El .Pp @@ -152,15 +130,9 @@ Replay the changes from specified entries (or all if none is specified) in the transaction log to the database. .It last-version .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -realm= Ns Ar string realm .El .Pp diff --git a/lib/kadm5/iprop.8 b/lib/kadm5/iprop.8 index 0a07d7300..dcdff4a45 100644 --- a/lib/kadm5/iprop.8 +++ b/lib/kadm5/iprop.8 
@@ -38,51 +38,49 @@ .Nm iprop , .Nm ipropd-master , .Nm ipropd-slave -.Nd -propagate changes to a Heimdal Kerberos master KDC to slave KDCs +.Nd propagate changes to a Heimdal Kerberos master KDC to slave KDCs .Sh SYNOPSIS .Nm ipropd-master .Oo Fl c Ar string \*(Ba Xo -.Fl -config-file= Ns Ar string +.Fl Fl config-file= Ns Ar string .Xc .Oc .Oo Fl r Ar string \*(Ba Xo -.Fl -realm= Ns Ar string +.Fl Fl realm= Ns Ar string .Xc .Oc .Oo Fl k Ar kspec \*(Ba Xo -.Fl -keytab= Ns Ar kspec +.Fl Fl keytab= Ns Ar kspec .Xc .Oc .Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Ar file +.Fl Fl database= Ns Ar file .Xc .Oc -.Op Fl -slave-stats-file= Ns Ar file -.Op Fl -time-missing= Ns Ar time -.Op Fl -time-gone= Ns Ar time -.Op Fl -detach -.Op Fl -version -.Op Fl -help +.Op Fl Fl slave-stats-file= Ns Ar file +.Op Fl Fl time-missing= Ns Ar time +.Op Fl Fl time-gone= Ns Ar time +.Op Fl Fl detach +.Op Fl Fl version +.Op Fl Fl help .Nm ipropd-slave .Oo Fl c Ar string \*(Ba Xo -.Fl -config-file= Ns Ar string +.Fl Fl config-file= Ns Ar string .Xc .Oc .Oo Fl r Ar string \*(Ba Xo -.Fl -realm= Ns Ar string +.Fl Fl realm= Ns Ar string .Xc .Oc .Oo Fl k Ar kspec \*(Ba Xo -.Fl -keytab= Ns Ar kspec +.Fl Fl keytab= Ns Ar kspec .Xc .Oc -.Op Fl -time-lost= Ns Ar time -.Op Fl -detach -.Op Fl -version -.Op Fl -help +.Op Fl Fl time-lost= Ns Ar time +.Op Fl Fl detach +.Op Fl Fl version +.Op Fl Fl help .Ar master -.Pp .Sh DESCRIPTION .Nm ipropd-master is used to propagate changes to a Heimdal Kerberos database from the @@ -96,9 +94,9 @@ file in the KDC's database directory, e.g.\& .Pa /var/heimdal/slaves . This has principals one per-line of the form .Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM -where -.Ar slave -is the hostname of the slave server in the given +where +.Ar slave +is the hostname of the slave server in the given .Ar REALM , e.g.\& .Dl iprop/kerberos-1.example.com@EXAMPLE.COM 
@@ -110,20 +108,23 @@ In contrast to .Xr hprop 8 , which sends the whole database to the slaves regularly, .Nm -normally sends only the changes as they happen on the master. The -master keeps track of all the changes by assigning a version number to -every change to the database. The slaves know which was the latest -version they saw, and in this way it can be determined if they are in -sync or not. A log of all the changes is kept on the master. When a -slave is at an older version than the oldest one in the log, the whole -database has to be sent. +normally sends only the changes as they happen on the master. +The master keeps track of all the changes by assigning a version +number to every change to the database. +The slaves know which was the latest version they saw, and in this +way it can be determined if they are in sync or not. +A log of all the changes is kept on the master. +When a slave is at an older version than the oldest one in the log, +the whole database has to be sent. .Pp The changes are propagated over a secure channel (on port 2121 by -default). This should normally be defined as +default). +This should normally be defined as .Dq iprop/tcp in .Pa /etc/services -or another source of the services database. The master and slaves +or another source of the services database. +The master and slaves must each have access to a keytab with keys for the .Nm iprop service principal on the local host. 
@@ -136,78 +137,37 @@ file (e.g.\& Supported options for .Nm ipropd-master : .Bl -tag -width Ds -.It Xo -.Fl c Ar string , -.Fl -config-file= Ns Ar string -.Xc -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc -.It Xo -.Fl k Ar kspec , -.Fl -keytab= Ns Ar kspec -.Xc +.It Fl c Ar string , Fl Fl config-file= Ns Ar string +.It Fl r Ar string , Fl Fl realm= Ns Ar string +.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec keytab to get authentication from -.It Xo -.Fl d Ar file , -.Fl -database= Ns Ar file -.Xc +.It Fl d Ar file , Fl Fl database= Ns Ar file Database (default per KDC) -.It Xo -.Fl -slave-stats-file= Ns Ar file -.Xc +.It Fl Fl slave-stats-file= Ns Ar file file for slave status information -.It Xo -.Fl -time-missing= Ns Ar time -.Xc +.It Fl Fl time-missing= Ns Ar time time before slave is polled for presence (default 2 min) -.It Xo -.Fl -time-gone= Ns Ar time -.Xc +.It Fl Fl time-gone= Ns Ar time time of inactivity after which a slave is considered gone (default 5 min) -.It Xo -.Fl -detach -.Xc +.It Fl Fl detach detach from console -.It Xo -.Fl -version -.Xc -.It Xo -.Fl -help -.Xc +.It Fl Fl version +.It Fl Fl help .El .Pp Supported options for .Nm ipropd-slave : .Bl -tag -width Ds -.It Xo -.Fl c Ar string , -.Fl -config-file= Ns Ar string -.Xc -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc -.It Xo -.Fl k Ar kspec , -.Fl -keytab= Ns Ar kspec -.Xc +.It Fl c Ar string , Fl Fl config-file= Ns Ar string +.It Fl r Ar string , Fl Fl realm= Ns Ar string +.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec keytab to get authentication from -.It Xo -.Fl -time-lost= Ns Ar time -.Xc +.It Fl Fl time-lost= Ns Ar time time before server is considered lost (default 5 min) -.It Xo -.Fl -detach -.Xc +.It Fl Fl detach detach from console -.It Xo -.Fl -version -.Xc -.It Xo -.Fl -help -.Xc +.It Fl Fl version +.It Fl Fl help .El Time arguments for the relevant options above may be specified in forms like 5 min, 300 s, or simply a number of seconds. 
diff --git a/lib/krb5/auth_context.c b/lib/krb5/auth_context.c index ea59c7393..4f74adb9e 100644 --- a/lib/krb5/auth_context.c +++ b/lib/krb5/auth_context.c @@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context, return 0; } +/* coverity[+alloc : arg-*2] */ static krb5_error_code copy_key(krb5_context context, krb5_keyblock *in, @@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context, return copy_key(context, auth_context->local_subkey, keyblock); } +/* coverity[+alloc : arg-*2] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, diff --git a/lib/krb5/krb5_get_in_cred.3 b/lib/krb5/krb5_get_in_cred.3 index 11dc3d314..c415aeca3 100644 --- a/lib/krb5/krb5_get_in_cred.3 +++ b/lib/krb5/krb5_get_in_cred.3 @@ -169,7 +169,7 @@ but are more specialized. .Nm krb5_get_in_tkt_with_password uses the clients password to authenticate. If the password argument is -.DV NULL +.Dv NULL the user user queried with the default password query function. .Pp .Nm krb5_get_in_tkt_with_keytab diff --git a/lib/krb5/krb5_init_context.3 b/lib/krb5/krb5_init_context.3 index 01d9cc782..95f46085a 100644 --- a/lib/krb5/krb5_init_context.3 +++ b/lib/krb5/krb5_init_context.3 @@ -219,7 +219,7 @@ error-code handler to the specified .Fa context . The error handler must generated by the the re-rentrant version of the -.Xr compile_et 3 +.Xr compile_et 1 program. .Fn krb5_add_extra_addresses add a list of addresses that should be added when requesting tickets. diff --git a/lib/krb5/salt.c b/lib/krb5/salt.c index 5a2115f95..5e4c8a1c8 100644 --- a/lib/krb5/salt.c +++ b/lib/krb5/salt.c @@ -33,6 +33,7 @@ #include "krb5_locl.h" +/* coverity[+alloc : arg-*3] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_salttype_to_string (krb5_context context, krb5_enctype etype, diff --git a/lib/roken/get_window_size.c b/lib/roken/get_window_size.c index 13e7ebf15..03d16db84 100644 
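Review bot: In lib/krb5/auth_context.c the `+alloc` annotation is added above `copy_key` and above `krb5_auth_con_getremotesubkey`, but `krb5_auth_con_getlocalsubkey` appears to get none. Its `return copy_key(context, auth_context->local_subkey, keyblock);` is visible as context in the second hunk. Its signature starts outside the hunk, so an existing annotation cannot be ruled out, although the diffstat shows only two added lines for this file. If it is missing, add the same `/* coverity[+alloc : arg-*2] */` above it so the analyzer models both getters alike. A one-line plain comment stating that the caller owns and must release the returned keyblock would serve human readers too.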
--- a/lib/roken/get_window_size.c +++ b/lib/roken/get_window_size.c @@ -58,32 +58,46 @@ #include "roken.h" ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL -get_window_size(int fd, struct winsize *wp) +get_window_size(int fd, int *lines, int *columns) { - int ret = -1; - - memset(wp, 0, sizeof(*wp)); + int ret; + char *s; #if defined(TIOCGWINSZ) - ret = ioctl(fd, TIOCGWINSZ, wp); + { + struct winsize ws; + ret = ioctl(fd, TIOCGWINSZ, &ws); + if (ret != -1) { + if (lines) + *lines = ws.ws_row; + if (columns) + *columns = ws.ws_col; + return 0; + } + } #elif defined(TIOCGSIZE) { struct ttysize ts; ret = ioctl(fd, TIOCGSIZE, &ts); - if(ret == 0) { - wp->ws_row = ts.ts_lines; - wp->ws_col = ts.ts_cols; - } + if (ret != -1) { + if (lines) + *lines = ts.ws_lines; + if (columns) + *columns = ts.ts_cols; + return 0; + } } #elif defined(HAVE__SCRSIZE) { int dst[2]; - - _scrsize(dst); - wp->ws_row = dst[1]; - wp->ws_col = dst[0]; - ret = 0; + + _scrsize(dst); + if (lines) + *lines = dst[1]; + if (columns) + *columns = dst[0]; + return 0; } #elif defined(_WIN32) { @@ -100,14 +114,17 @@ get_window_size(int fd, struct winsize *wp) } } #endif - if (ret != 0) { - char *s; - if((s = getenv("COLUMNS"))) - wp->ws_col = atoi(s); - if((s = getenv("LINES"))) - wp->ws_row = atoi(s); - if(wp->ws_col > 0 && wp->ws_row > 0) - ret = 0; + if (columns) { + if ((s = getenv("COLUMNS"))) + *columns = atoi(s); + else + return -1; } - return ret; + if (lines) { + if ((s = getenv("LINES"))) + *lines = atoi(s); + else + return -1; + } + return 0; } diff --git a/lib/roken/getarg.c b/lib/roken/getarg.c index 1a7321878..03c221408 100644 --- a/lib/roken/getarg.c +++ b/lib/roken/getarg.c @@ -228,7 +228,6 @@ arg_printusage_i18n (struct getargs *args, size_t i, max_len = 0; char buf[128]; int col = 0, columns; - struct winsize ws; if (progname == NULL) progname = getprogname(); 
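Review bot: In the `TIOCGSIZE` branch of get_window_size() the new code reads `ts.ws_lines`, whereas the line it replaces read `ts.ts_lines` and the neighbouring new line still uses `ts.ts_cols`. This looks like a typo that will fail to compile on a platform that takes this branch; it should be `*lines = ts.ts_lines;`. The `_WIN32` branch sits between the two hunks and is not shown; since the `wp` parameter no longer exists, it is worth confirming that branch does not still write through `wp`.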
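Review bot: The environment fallback in the second get_window_size.c hunk stores `atoi(s)` and returns 0 without the `> 0` check that the removed code applied. `COLUMNS=0`, a negative value or non-numeric text is therefore reported as a valid size. The getarg.c caller substitutes 80 only when the function returns -1, and presumably uses `columns` for wrapping the usage text. After each assignment add a range check, for example `if (*columns <= 0) return -1;` and `if (*lines <= 0) return -1;`; `strtol` with an end-pointer check would also reject trailing garbage. The start of get_window_size() is outside this hunk.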
@@ -240,9 +239,7 @@ arg_printusage_i18n (struct getargs *args, mandoc_template(args, num_args, progname, extra_string, i18n); return; } - if(get_window_size(2, &ws) == 0) - columns = ws.ws_col; - else + if(get_window_size(2, NULL, &columns) == -1) columns = 80; col = 0; col += fprintf (stderr, "%s: %s", usage, progname); diff --git a/lib/roken/roken.h.in b/lib/roken/roken.h.in index 7324acf64..9723c876c 100644 --- a/lib/roken/roken.h.in +++ b/lib/roken/roken.h.in @@ -759,7 +759,7 @@ struct winsize { }; #endif -ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, struct winsize *); +ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, int *, int *); #ifndef HAVE_VSYSLOG #define vsyslog rk_vsyslog diff --git a/lib/vers/print_version.c b/lib/vers/print_version.c index f5c11b403..23cd25e0c 100644 --- a/lib/vers/print_version.c +++ b/lib/vers/print_version.c @@ -52,5 +52,7 @@ print_version(const char *progname) package_list = "no version information"; fprintf(stderr, "%s (%s)\n", progname, package_list); fprintf(stderr, "Copyright 1995-2011 Kungliga Tekniska Högskolan\n"); +#ifdef PACKAGE_BUGREPORT fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT); +#endif }
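Review bot: The new prototype in roken.h.in, `get_window_size(int fd, int *, int *)`, leaves both out-parameters unnamed, and two adjacent `int *` arguments are easy to pass in the wrong order. Name them as the definition does: `get_window_size(int fd, int *lines, int *columns);`. A short comment above the declaration would document what the getarg.c caller relies on: either pointer may be NULL, and the return value is 0 on success and -1 on failure.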