Add new kadmin/ktutil --keep* and --enctypes opts

- Add --keepold/keepallold/pruneall options to various kadmin/ktutil commands. Default behavior to "prune old keys". - When setting keys for a service, we need to specify enctypes for it: - Always use kadm5_randkey_principal_3() instead of the older kadm5_randkey_principal(). - Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(), but with a context, and simpler. - Add --enctypes options to various kadmin/ktutil commands. - Add [libdefaults] supported_enctypes param with enctype[:salttype] list. - Add [realms] realm supported_enctypes param with enctype[:salttype] list. Default to aes128-cts-hmac-sha1-96:normal.
2019-01-01 17:25:06 -06:00
parent 7b76d6719f
commit d8394c65b7
18 changed files with 574 additions and 142 deletions
--- a/kadmin/cpw.c
+++ b/kadmin/cpw.c
@@ -148,12 +148,34 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
    int num;
    krb5_key_data key_data[3];

-    data.keepold = opt->keepold_flag;
    data.random_key = opt->random_key_flag;
    data.random_password = opt->random_password_flag;
    data.password = opt->password_string;
    data.key_data	 = NULL;

+    /*
+     * --keepold is the the default, and it should mean "prune all old keys not
+     * needed to decrypt extant tickets".
+     */
+    num = 0;
+    data.keepold = 0;
+    if (opt->keepold_flag) {
+        data.keepold = 1;
+        num++;
+    }
+    if (opt->keepallold_flag) {
+        data.keepold = 2;
+        num++;
+    }
+    if (opt->pruneall_flag) {
+        data.keepold = 0;
+        num++;
+    }
+    if (num > 1) {
+        fprintf(stderr, "use only one of --keepold, --keepallold, and --pruneall\n");
+        return 1;
+    }
+
    num = 0;
    if (data.random_key)
 	++num;