oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make kadmin ext work when lacking get-keys priv

Browse Source 
When we added the get-keys privilege we lost the ability to setup
keytabs with the kadmin ext command.  The fix is to note that we got
bogus key data and randkey (as we used to).
This commit is contained in:
Nicolas Williams
2014-03-25 21:45:10 -05:00
parent 1fad1f8984
commit b80b21c8a8
3 changed files with 26 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
kadmin/ext.c
View File

@@ -46,15 +46,16 @@ do_ext_keytab(krb5_principal principal, void *data)
struct ext_keytab_data *e = data;
krb5_keytab_entry *keys = NULL;
krb5_keyblock *k = NULL;
int i, n_k;
int i;
int n_k = 0;
ret = kadm5_get_principal(kadm_handle, principal, &princ,
KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
if(ret)
if (ret)
return ret;
if (princ.n_key_data) {
keys = malloc(sizeof(*keys) * princ.n_key_data);
keys = calloc(sizeof(*keys), princ.n_key_data);
if (keys == NULL) {
kadm5_free_principal_ent(kadm_handle, &princ);
krb5_clear_error_message(context);
@@ -63,22 +64,33 @@ do_ext_keytab(krb5_principal principal, void *data)
for (i = 0; i < princ.n_key_data; i++) {
krb5_key_data *kd = &princ.key_data[i];
/*
* If the kadm5 client princ lacks get-keys then it may get
* bogus keys four bytes long.
*/
if (kd->key_data_length[0] == sizeof (KADM5_BOGUS_KEY_DATA) - 1 &&
memcmp(kd->key_data_contents[0], KADM5_BOGUS_KEY_DATA,
kd->key_data_length[0]) == 0)
continue;
keys[i].principal = princ.principal;
keys[i].vno = kd->key_data_kvno;
keys[i].keyblock.keytype = kd->key_data_type[0];
keys[i].keyblock.keyvalue.length = kd->key_data_length[0];
keys[i].keyblock.keyvalue.data = kd->key_data_contents[0];
keys[i].timestamp = time(NULL);
n_k++;
}
}
n_k = princ.n_key_data;
} else {
if (n_k == 0) {
/* Probably lack get-keys privilege, but we may be able to set keys */
ret = kadm5_randkey_principal(kadm_handle, principal, &k, &n_k);
if (ret) {
kadm5_free_principal_ent(kadm_handle, &princ);
return ret;
}
keys = malloc(sizeof(*keys) * n_k);
keys = calloc(sizeof(*keys), n_k);
if (keys == NULL) {
kadm5_free_principal_ent(kadm_handle, &princ);
krb5_clear_error_message(context);
@@ -92,9 +104,9 @@ do_ext_keytab(krb5_principal principal, void *data)
}
}
for(i = 0; i < n_k; i++) {
for (i = 0; i < n_k; i++) {
ret = krb5_kt_add_entry(context, e->keytab, &keys[i]);
if(ret)
if (ret)
krb5_warn(context, ret, "krb5_kt_add_entry(%d)", i);
}