Add new kadmin/ktutil --keep* and --enctypes opts
- Add --keepold/keepallold/pruneall options to various kadmin/ktutil
commands. Default behavior to "prune old keys".
- When setting keys for a service, we need to specify enctypes for it:
- Always use kadm5_randkey_principal_3() instead of the older
kadm5_randkey_principal().
- Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
but with a context, and simpler.
- Add --enctypes options to various kadmin/ktutil commands.
- Add [libdefaults] supported_enctypes param with enctype[:salttype]
list.
- Add [realms] realm supported_enctypes param with enctype[:salttype]
list.
Default to aes128-cts-hmac-sha1-96:normal.
This commit is contained in:
Nicolas Williams
committed by
Nico Williams
Nico Williams
parent
7b76d6719f
commit
d8394c65b7
47
kadmin/ext.c
47
kadmin/ext.c
@@ -36,7 +36,10 @@
|
||||
|
||||
struct ext_keytab_data {
|
||||
krb5_keytab keytab;
|
||||
int keep;
|
||||
int random_key_flag;
|
||||
size_t nkstuple;
|
||||
krb5_key_salt_tuple *kstuple;
|
||||
};
|
||||
|
||||
static int
|
||||
@@ -109,7 +112,8 @@ do_ext_keytab(krb5_principal principal, void *data)
|
||||
n_k++;
|
||||
}
|
||||
} else if (e->random_key_flag) {
|
||||
ret = kadm5_randkey_principal(kadm_handle, principal, &k, &n_k);
|
||||
ret = kadm5_randkey_principal_3(kadm_handle, principal, e->keep,
|
||||
e->nkstuple, e->kstuple, &k, &n_k);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
@@ -151,8 +155,30 @@ int
|
||||
ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
int i;
|
||||
struct ext_keytab_data data;
|
||||
const char *enctypes;
|
||||
size_t i;
|
||||
|
||||
data.random_key_flag = opt->random_key_flag;
|
||||
data.keep = 0;
|
||||
i = 0;
|
||||
if (opt->keepallold_flag) {
|
||||
data.keep = 2;
|
||||
i++;
|
||||
}
|
||||
if (opt->keepold_flag) {
|
||||
data.keep = 1;
|
||||
i++;
|
||||
}
|
||||
if (opt->pruneall_flag) {
|
||||
data.keep = 1;
|
||||
i++;
|
||||
}
|
||||
if (i > 1) {
|
||||
fprintf(stderr,
|
||||
"use only one of --keepold, --keepallold, or --pruneall\n");
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
if (opt->keytab_string == NULL)
|
||||
ret = krb5_kt_default(context, &data.keytab);
|
||||
@@ -163,8 +189,19 @@ ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
|
||||
krb5_warn(context, ret, "krb5_kt_resolve");
|
||||
return 1;
|
||||
}
|
||||
|
||||
data.random_key_flag = opt->random_key_flag;
|
||||
enctypes = opt->enctypes_string;
|
||||
if (enctypes == NULL || enctypes[0] == '\0')
|
||||
enctypes = krb5_config_get_string(context, NULL, "libdefaults",
|
||||
"supported_enctypes", NULL);
|
||||
if (enctypes == NULL || enctypes[0] == '\0')
|
||||
enctypes = "aes128-cts-hmac-sha1-96";
|
||||
ret = krb5_string_to_keysalts2(context, enctypes, &data.nkstuple,
|
||||
&data.kstuple);
|
||||
if (ret) {
|
||||
fprintf(stderr, "enctype(s) unknown\n");
|
||||
krb5_kt_close(context, data.keytab);
|
||||
return ret;
|
||||
}
|
||||
|
||||
for(i = 0; i < argc; i++) {
|
||||
ret = foreach_principal(argv[i], do_ext_keytab, "ext", &data);
|
||||
@@ -173,6 +210,6 @@ ext_keytab(struct ext_keytab_options *opt, int argc, char **argv)
|
||||
}
|
||||
|
||||
krb5_kt_close(context, data.keytab);
|
||||
|
||||
free(data.kstuple);
|
||||
return ret != 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user