From beb5cf017d14cac92e021db395eb0755806ced18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Thu, 9 Dec 2004 12:15:20 +0000
Subject: [PATCH] add --random-key
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14377 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kstash.8 | 56 ++++++++++++++++++++++++++++++++++++++++++++++------
 kdc/kstash.c | 36 ++++++++++++++++++++++-----------
 2 files changed, 75 insertions(+), 17 deletions(-)
diff --git a/kdc/kstash.8 b/kdc/kstash.8
index f0515a73b..a829f36da 100644
--- a/kdc/kstash.8
+++ b/kdc/kstash.8
@@ -1,6 +1,37 @@
+.\" Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
 .\" $Id$
 .\"
-.Dd September 1, 2000
+.Dd December 9, 2004
 .Dt KSTASH 8
 .Os HEIMDAL
 .Sh NAME
@@ -8,6 +39,7 @@
 .Nd "store the KDC master password in a file"
 .Sh SYNOPSIS
 .Nm
+.Bk -words
 .Oo Fl e Ar string \*(Ba Xo
 .Fl -enctype= Ns Ar string
 .Xc
@@ -17,9 +49,12 @@
 .Xc
 .Oc
 .Op Fl -convert-file
+.Op Fl -random-key
 .Op Fl -master-key-fd= Ns Ar fd
+.Op Fl -random-key
 .Op Fl h | Fl -help
 .Op Fl -version
+.Ek
 .Sh DESCRIPTION
 .Nm
 reads the Kerberos master key and stores it in a file that will be
@@ -31,25 +66,34 @@ Supported options:
 .Fl e Ar string ,
 .Fl -enctype= Ns Ar string
 .Xc
-the encryption type to use, defaults to DES3-CBC-SHA1
+the encryption type to use, defaults to DES3-CBC-SHA1.
 .It Xo
 .Fl k Ar file ,
 .Fl -key-file= Ns Ar file
 .Xc
-the name of the master key file
+the name of the master key file.
 .It Xo
 .Fl -convert-file
 .Xc
 don't ask for a new master key, just read an old master key file, and
-write it back in the new keyfile format
+write it back in the new keyfile format.
+.It Xo
+.Fl -random-key
+.Xc
+generate a random master key.
 .It Xo
 .Fl -master-key-fd= Ns Ar fd
 .Xc
 filedescriptor to read passphrase from, if not specified the
-passphrase will be read from the terminal
+passphrase will be read from the terminal/.
 .El
 .\".Sh ENVIRONMENT
-.\".Sh FILES
+.Sh FILES
+.Pa /var/heimdal/m-key
+is the default keyfile is no other keyfile is specified. The format of a Heimdal master key is the same as a keytab, so
+.Nm ktutil
+list can be used to list the content of the file.
 .\".Sh EXAMPLES
 .\".Sh DIAGNOSTICS
 .Sh SEE ALSO
diff --git a/kdc/kstash.c b/kdc/kstash.c
index 55922ee8e..2bf4a2b2a 100644
--- a/kdc/kstash.c
+++ b/kdc/kstash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -43,6 +43,7 @@ int help_flag;
 int version_flag;
 int master_key_fd = -1;
+int random_key;
 const char *enctype_str = "des3-cbc-sha1";
@@ -53,6 +54,7 @@ struct getargs args[] = {
 "just convert keyfile to new format" },
 { "master-key-fd", 0, arg_integer, &master_key_fd,
 "filedescriptor to read passphrase from", "fd" },
+ { "random-key", 0, arg_flag, &random_key, "generate a random master key" },
 { "help", 'h', arg_flag, &help_flag },
 { "version", 0, arg_flag, &version_flag }
 };
@@ -78,6 +80,10 @@ main(int argc, char **argv)
 exit(0);
 }
+ if (master_key_fd != -1 && random_key)
+ krb5_errx(context, 1, "random-key and master-key-fd "
+ "is mutual exclusive");
+
 ret = krb5_string_to_enctype(context, enctype_str, &enctype);
 if(ret)
 krb5_err(context, 1, ret, "krb5_string_to_enctype");
@@ -96,18 +102,26 @@ main(int argc, char **argv)
 /* XXX better value? */
 salt.saltvalue.data = NULL;
 salt.saltvalue.length = 0;
- if(master_key_fd != -1) {
- ssize_t n;
- n = read(master_key_fd, buf, sizeof(buf));
- if(n <= 0)
- krb5_err(context, 1, errno, "failed to read passphrase");
- buf[n] = '\0';
- buf[strcspn(buf, "\r\n")] = '\0';
+ if (random_key) {
+ ret = krb5_generate_random_keyblock(context, enctype, &key);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_generate_random_keyblock");
 } else {
- if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
- exit(1);
+ if(master_key_fd != -1) {
+ ssize_t n;
+ n = read(master_key_fd, buf, sizeof(buf));
+ if(n <= 0)
+ krb5_err(context, 1, errno, "failed to read passphrase");
+ buf[n] = '\0';
+ buf[strcspn(buf, "\r\n")] = '\0';
+
+ } else {
+ if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Master key: ", 1))
+ exit(1);
+ }
+ krb5_string_to_key_salt(context, enctype, buf, salt, &key);
 }
- krb5_string_to_key_salt(context, enctype, buf, salt, &key);
 ret = hdb_add_master_key(context, &key, &mkey);
 krb5_free_keyblock_contents(context, &key);
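Review bot: The help text on the new `random-key` table entry gives an operator no hint of the operational consequence: a generated key cannot be re-derived from a passphrase, and as far as this patch shows the key only passes through hdb_add_master_key before being freed, so the stash file presumably becomes the sole copy. Suggest `{ "random-key", 0, arg_flag, &random_key, "generate a random master key (the key file is then the only copy of it)" },` so the warning is visible from --help and not only from the man page. The opening of the args table is outside the hunk, so its other entries are not visible here.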
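Review bot: The message on the added krb5_errx lines is ungrammatical and will be pasted into bug reports as-is; it should read `krb5_errx(context, 1, "random-key and master-key-fd " "are mutually exclusive");`. The check only rejects the fd combination; nothing in this hunk decides what --random-key together with --convert-file means, and the convert handling is outside the hunk, so that combination is worth confirming rather than leaving to whichever branch happens to run first. main() starts and ends outside the hunk.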
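Review bot: In the re-added fd branch, `n = read(master_key_fd, buf, sizeof(buf));` followed by `buf[n] = '\0';` writes one byte past the end of buf whenever the read fills the whole buffer; the read length should be `sizeof(buf) - 1`. The new `krb5_string_to_key_salt(context, enctype, buf, salt, &key);` at the end of the else branch discards its return value, unlike the krb5_generate_random_keyblock call above it, so a failed derivation goes unnoticed and hdb_add_master_key runs on whatever `key` holds; it should use the same ret/krb5_err pattern. buf still contains the passphrase after the key is derived and nothing in this hunk clears it, so a memset right after the call is a cheap improvement (a plain memset may be optimized away, but it is what this file has to work with). buf is declared outside the hunk and main() starts and ends outside it; the rewrite assumes buf is a char array, as the existing sizeof(buf) use suggests. The rewritten else branch:
```c
    } else {
	if(master_key_fd != -1) {
	    ssize_t n;
	    /* sizeof(buf) - 1: a read that fills buf would otherwise put the '\0' one past its end */
	    n = read(master_key_fd, buf, sizeof(buf) - 1);
	    if(n <= 0)
		krb5_err(context, 1, errno, "failed to read passphrase");
	    buf[n] = '\0';
	    buf[strcspn(buf, "\r\n")] = '\0';
	} else {
	    /* … unchanged: UI_UTIL_read_pw_string prompt … */
	}
	ret = krb5_string_to_key_salt(context, enctype, buf, salt, &key);
	memset(buf, 0, sizeof(buf));	/* the passphrase is not needed once the key is derived */
	if (ret)
	    krb5_err(context, 1, ret, "krb5_string_to_key_salt");
    }
```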