kadmin: do_ext_keytab add bogus key warnings

If any of the keys returned by kadmin is the magic bogus key,
generate a warning to the user that they are missing the get-keys
privilege.

Change-Id: I235b87eeb2f81e8fd8c8481154d613e92a7e11e2
Nicolas Williams
2015-03-12 22:24:24 -04:00
committed by Jeffrey Altman
parent 1bfb759a64
commit dcbe8ae73b


@@ -48,12 +48,17 @@ do_ext_keytab(krb5_principal principal, void *data)
krb5_keyblock *k = NULL; krb5_keyblock *k = NULL;
size_t i; size_t i;
int n_k = 0; int n_k = 0;
char *unparsed = NULL;
ret = kadm5_get_principal(kadm_handle, principal, &princ, ret = kadm5_get_principal(kadm_handle, principal, &princ,
KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA); KADM5_PRINCIPAL|KADM5_KVNO|KADM5_KEY_DATA);
if (ret) if (ret)
return ret; return ret;
ret = krb5_unparse_name(context, principal, &unparsed);
if (ret)
goto out;
if (princ.n_key_data) { if (princ.n_key_data) {
keys = calloc(sizeof(*keys), princ.n_key_data); keys = calloc(sizeof(*keys), princ.n_key_data);
if (keys == NULL) { if (keys == NULL) {
@@ -62,15 +67,22 @@ do_ext_keytab(krb5_principal principal, void *data)
} }
for (i = 0; i < princ.n_key_data; i++) { for (i = 0; i < princ.n_key_data; i++) {
krb5_key_data *kd = &princ.key_data[i]; krb5_key_data *kd = &princ.key_data[i];
int warned = 0;
/* /*
* If the kadm5 client princ lacks get-keys then it may get * If the kadm5 client princ lacks get-keys then it may get
* bogus keys four bytes long. * bogus keys four bytes long.
*/ */
if (kd->key_data_length[0] == sizeof (KADM5_BOGUS_KEY_DATA) - 1 && if ((kd->key_data_length[0] == sizeof (KADM5_BOGUS_KEY_DATA) - 1)
memcmp(kd->key_data_contents[0], KADM5_BOGUS_KEY_DATA, && (ct_memcmp(kd->key_data_contents[0], KADM5_BOGUS_KEY_DATA,
kd->key_data_length[0]) == 0) kd->key_data_length[0]) == 0)) {
if (!warned) {
krb5_warnx(context, "user lacks get-keys privilege for %s",
unparsed);
warned = 1;
}
continue; continue;
}
keys[i].principal = princ.principal; keys[i].principal = princ.principal;
keys[i].vno = kd->key_data_kvno; keys[i].vno = kd->key_data_kvno;
@@ -104,7 +116,7 @@ do_ext_keytab(krb5_principal principal, void *data)
for (i = 0; i < n_k; i++) { for (i = 0; i < n_k; i++) {
ret = krb5_kt_add_entry(context, e->keytab, &keys[i]); ret = krb5_kt_add_entry(context, e->keytab, &keys[i]);
if (ret) if (ret)
krb5_warn(context, ret, "krb5_kt_add_entry(%d)", i); krb5_warn(context, ret, "krb5_kt_add_entry(%lu)", (unsigned long)i);
} }
out: out:
@@ -113,6 +125,7 @@ do_ext_keytab(krb5_principal principal, void *data)
memset(k, 0, n_k * sizeof(*k)); memset(k, 0, n_k * sizeof(*k));
free(k); free(k);
} }
free(unparsed);
free(keys); free(keys);
return 0; return 0;
} }
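Review bot: The `warned` flag introduced in the second hunk is declared inside the `for` body (`int warned = 0;` right after `krb5_key_data *kd = ...`), so it is reset on every iteration and the `if (!warned)` guard around `krb5_warnx` can never be false; the warning fires once per bogus key, not once per principal, which is what the flag looks intended to prevent. If one warning per principal is the goal, move the declaration up to the locals in the first hunk (`int warned = 0;` beside `char *unparsed = NULL;`) and drop the per-iteration one; if one warning per key is acceptable, delete both the flag and the guard. Separately, the new `if (ret) goto out;` after `krb5_unparse_name` reaches the `out:` path that ends in `return 0;`, so an unparse failure is reported to the caller as success, unlike the `return ret;` used for `kadm5_get_principal` a few lines earlier; the lines between `out:` and the `memset` are outside the hunks, so whether `ret` is touched there cannot be seen here. Returning `ret` at the end (or resetting `ret = 0` after the `krb5_kt_add_entry` loop if those warnings are deliberately non-fatal) would keep the new early exit from masking the error.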