From e16360e2db0a060981118db771c52bb9b096c608 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Mon, 18 Jul 2011 15:46:04 -0500
Subject: [PATCH] Add --keepold option to cpw.

---
 kadmin/cpw.c | 26 +++++++++++++++-----------
 kadmin/kadmin-commands.in | 5 +++++
 kpasswd/kpasswdd.c | 2 +-
 lib/kadm5/ad.c | 1 +
 lib/kadm5/chpass_c.c | 2 ++
 lib/kadm5/chpass_s.c | 24 +++++++++++++++++++++---
 lib/kadm5/common_glue.c | 4 ++--
 lib/kadm5/private.h | 2 +-
 8 files changed, 48 insertions(+), 18 deletions(-)

diff --git a/kadmin/cpw.c b/kadmin/cpw.c
index c5a2eb87e..fb736fd85 100644
--- a/kadmin/cpw.c
+++ b/kadmin/cpw.c
@@ -35,6 +35,7 @@
 #include "kadmin-commands.h"
 
 struct cpw_entry_data {
+ int keepold;
 int random_key;
 int random_password;
 char *password;
@@ -42,14 +43,15 @@ struct cpw_entry_data {
 };
 
 static int
-set_random_key (krb5_principal principal)
+set_random_key (krb5_principal principal, int keepold)
 {
 krb5_error_code ret;
 int i;
 krb5_keyblock *keys;
 int num_keys;
 
- ret = kadm5_randkey_principal(kadm_handle, principal, &keys, &num_keys);
+ ret = kadm5_randkey_principal_3(kadm_handle, principal, keepold, 0, NULL,
+ &keys, &num_keys);
 if(ret)
 return ret;
 for(i = 0; i < num_keys; i++)
@@ -59,13 +61,13 @@ set_random_key (krb5_principal principal)
 }
 
 static int
-set_random_password (krb5_principal principal)
+set_random_password (krb5_principal principal, int keepold)
 {
 krb5_error_code ret;
 char pw[128];
 
 random_password (pw, sizeof(pw));
- ret = kadm5_chpass_principal(kadm_handle, principal, pw);
+ ret = kadm5_chpass_principal_3(kadm_handle, principal, keepold, 0, NULL, pw);
 if (ret == 0) {
 char *princ_name;
 
@@ -79,7 +81,7 @@ set_random_password (krb5_principal principal)
 }
 
 static int
-set_password (krb5_principal principal, char *password)
+set_password (krb5_principal principal, char *password, int keepold)
 {
 krb5_error_code ret = 0;
 char pwbuf[128];
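Review bot: The new `keepold` member of `struct cpw_entry_data` is the one field in this series that decides what happens to a principal's previous keys, and it is added to the struct without any comment. The flag is forwarded unchanged to `kadm5_randkey_principal_3` and `kadm5_chpass_principal_3` in the following hunks, and on the server side (lib/kadm5/chpass_s.c in this patch) a zero value discards the hist_keys extension, so a one-line comment at the declaration is enough to make the intent readable: `int keepold;	/* --keepold: retain the previous keys/password in the key history instead of discarding them */`.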
@@ -99,13 +101,14 @@ set_password (krb5_principal principal, char *password)
 password = pwbuf;
 }
 if(ret == 0)
- ret = kadm5_chpass_principal(kadm_handle, principal, password);
+ ret = kadm5_chpass_principal_3(kadm_handle, principal, keepold, 0, NULL,
+ password);
 memset(pwbuf, 0, sizeof(pwbuf));
 return ret;
 }
 
 static int
-set_key_data (krb5_principal principal, krb5_key_data *key_data)
+set_key_data (krb5_principal principal, krb5_key_data *key_data, int keepold)
 {
 krb5_error_code ret;
 
@@ -120,13 +123,13 @@ do_cpw_entry(krb5_principal principal, void *data)
 struct cpw_entry_data *e = data;
 
 if (e->random_key)
- return set_random_key (principal);
+ return set_random_key (principal, e->keepold);
 else if (e->random_password)
- return set_random_password (principal);
+ return set_random_password (principal, e->keepold);
 else if (e->key_data)
- return set_key_data (principal, e->key_data);
+ return set_key_data (principal, e->key_data, e->keepold);
 else
- return set_password (principal, e->password);
+ return set_password (principal, e->password, e->keepold);
 }
 
 int
@@ -138,6 +141,7 @@ cpw_entry(struct passwd_options *opt, int argc, char **argv)
 int num;
 krb5_key_data key_data[3];
 
+ data.keepold = opt->keepold_flag;
 data.random_key = opt->random_key_flag;
 data.random_password = opt->random_password_flag;
 data.password = opt->password_string;
diff --git a/kadmin/kadmin-commands.in b/kadmin/kadmin-commands.in
index 89e67610d..28d2e9b4c 100644
--- a/kadmin/kadmin-commands.in
+++ b/kadmin/kadmin-commands.in
@@ -230,6 +230,11 @@ command = {
 type = "string"
 help = "DES key in hex"
 }
+ option = {
+ long = "keepold"
+ type = "flag"
+ help = "keep old keys/password"
+ }
 argument = "principal..."
 min_args = "1"
 help = "Changes the password of one or more principals matching the expressions."
diff --git a/kpasswd/kpasswdd.c b/kpasswd/kpasswdd.c
index cc1ac25f3..690bd6d6a 100644
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
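Review bot: `set_key_data` gains an `int keepold` parameter in this hunk but nothing in the patch reads it: the cpw.c diffstat (15 insertions, 11 deletions) is fully accounted for by the visible hunks, so the body of `set_key_data`, which lies outside the hunk, is unchanged and `--keepold` given together with an explicit key is silently ignored. That is the wrong failure mode for a flag whose purpose is to retain the previous keys — the administrator believes they were kept when they were not. Either honor the flag inside `set_key_data` or reject the combination up front in `cpw_entry`, next to `data.keepold = opt->keepold_flag;`, with an explicit error and non-zero return. At minimum mark the parameter so the gap is visible: `set_key_data (krb5_principal principal, krb5_key_data *key_data, int keepold /* XXX unused: not honoured for explicit keys */)`.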
@@ -401,7 +401,7 @@ change (krb5_auth_context auth_context,
 tmp = pwd_data->data;
 tmp[pwd_data->length - 1] = '\0';
 
- ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
+ ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp);
 krb5_free_data (context, pwd_data);
 pwd_data = NULL;
 if (ret) {
diff --git a/lib/kadm5/ad.c b/lib/kadm5/ad.c
index 6a82fdce5..f98ee3c89 100644
--- a/lib/kadm5/ad.c
+++ b/lib/kadm5/ad.c
@@ -508,6 +508,7 @@ ad_get_cred(kadm5_ad_context *context, const char *password)
 static kadm5_ret_t
 kadm5_ad_chpass_principal(void *server_handle,
 krb5_principal principal,
+ int keepold,
 const char *password)
 {
 kadm5_ad_context *context = server_handle;
diff --git a/lib/kadm5/chpass_c.c b/lib/kadm5/chpass_c.c
index af4328c9c..6445b570e 100644
--- a/lib/kadm5/chpass_c.c
+++ b/lib/kadm5/chpass_c.c
@@ -38,6 +38,7 @@ RCSID("$Id$");
 kadm5_ret_t
 kadm5_c_chpass_principal(void *server_handle,
 krb5_principal princ,
+ int keepold,
 const char *password)
 {
 kadm5_client_context *context = server_handle;
@@ -59,6 +60,7 @@ kadm5_c_chpass_principal(void *server_handle,
 krb5_store_int32(sp, kadm_chpass);
 krb5_store_principal(sp, princ);
 krb5_store_string(sp, password);
+ krb5_store_int32(sp, keepold); /* extension */
 ret = _kadm5_client_send(context, sp);
 krb5_storage_free(sp);
 if (ret)
diff --git a/lib/kadm5/chpass_s.c b/lib/kadm5/chpass_s.c
index 649c5b466..90eae4f2d 100644
--- a/lib/kadm5/chpass_s.c
+++ b/lib/kadm5/chpass_s.c
@@ -38,6 +38,7 @@ RCSID("$Id$");
 static kadm5_ret_t
 change(void *server_handle,
 krb5_principal princ,
+ int keepold,
 const char *password,
 int cond)
 {
@@ -58,6 +59,10 @@ change(void *server_handle,
 if(ret)
 goto out;
 
+ /*
+ * We save these for now so we can handle password history checking;
+ * we handle keepold further below.
+ */
 ret = hdb_add_current_keys_to_history(context->context, &ent.entry);
 if (ret)
 goto out;
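Review bot: The `1` passed as the new `keepold` argument to `kadm5_s_chpass_principal_cond` is an unexplained literal, and kpasswdd is the only caller in this patch that hard-codes the flag on. Since this is the user-initiated path and, per lib/kadm5/chpass_s.c in the same patch, `keepold == 0` discards the hist_keys extension after the reuse check, the choice deserves a comment on the call: `/* keepold = 1: retain key history so later password-reuse checks still see it */`. The enclosing `change()` in kpasswdd.c starts and ends outside the hunk.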
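Review bot: `kadm5_ad_chpass_principal` accepts the new `keepold` parameter, but ad.c shows a single inserted line in the diffstat, so the rest of its body (outside this hunk) never reads it and a caller that asks the AD backend to keep old keys via `kadm5_chpass_principal_3` gets success without the requested behaviour. Following the precedent in common_glue.c, where `n_ks_tuple > 0` is refused with `KADM5_KS_TUPLE_NOSUPP`, a non-zero `keepold` this backend cannot honour should be refused rather than dropped. If that is deferred, at least record it at the parameter: `int keepold, /* not supported by the AD backend; currently ignored */`.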
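Review bot: The trailing `krb5_store_int32(sp, keepold)` changes the kadm_chpass wire message, yet no server-side decoder appears in this patch's diffstat, so whether an updated kadmind reads the field and whether an older one tolerates the extra bytes cannot be verified from here. The bare `/* extension */` should state the compatibility contract so the two sides cannot drift: `krb5_store_int32(sp, keepold); /* extension: optional trailing field; a server must treat its absence as keepold = 0 */`. The return value is unchecked, as for the neighbouring `krb5_store_*` calls, which matches the existing style of the function; its beginning and end lie outside the hunk.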
@@ -98,12 +103,23 @@ change(void *server_handle, "Password reuse forbidden"); goto out2; } + } + ent.entry.kvno++; + if (keepold) { ret = hdb_seal_keys(context->context, context->db, &ent.entry); if (ret) goto out2; + } else { + HDB_extension ext; + + ext.data.element = choice_HDB_extension_data_hist_keys; + ext.data.u.hist_keys.len = 0; + ext.data.u.hist_keys.val = NULL; + ret = hdb_replace_extension(context->context, &ent.entry, &ext); + if (ret) + goto out2; } - ent.entry.kvno++; ret = _kadm5_set_modifier(context, &ent.entry); if(ret) @@ -140,9 +156,10 @@ out: kadm5_ret_t kadm5_s_chpass_principal_cond(void *server_handle, krb5_principal princ, + int keepold, const char *password) { - return change (server_handle, princ, password, 1); + return change (server_handle, princ, keepold, password, 1); } /* @@ -152,9 +169,10 @@ kadm5_s_chpass_principal_cond(void *server_handle, kadm5_ret_t kadm5_s_chpass_principal(void *server_handle, krb5_principal princ, + int keepold, const char *password) { - return change (server_handle, princ, password, 0); + return change (server_handle, princ, keepold, password, 0); } /* diff --git a/lib/kadm5/common_glue.c b/lib/kadm5/common_glue.c index 75f0f7fee..a1752b169 100644 --- a/lib/kadm5/common_glue.c +++ b/lib/kadm5/common_glue.c @@ -42,7 +42,7 @@ kadm5_chpass_principal(void *server_handle, krb5_principal princ, const char *password) { - return __CALL(chpass_principal, (server_handle, princ, password)); + return __CALL(chpass_principal, (server_handle, princ, 0, password)); } kadm5_ret_t @@ -60,7 +60,7 @@ kadm5_chpass_principal_3(void *server_handle, */ if (n_ks_tuple > 0) return KADM5_KS_TUPLE_NOSUPP; - return __CALL(chpass_principal, (server_handle, princ, password)); + return __CALL(chpass_principal, (server_handle, princ, keepold, password)); } kadm5_ret_t diff --git a/lib/kadm5/private.h b/lib/kadm5/private.h index b937b5120..9fe8f4e70 100644 --- a/lib/kadm5/private.h +++ b/lib/kadm5/private.h 
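Review bot: In the new `else` branch `HDB_extension ext` is declared on the stack and only `ext.data.element` and the two `hist_keys` members are assigned before `hdb_replace_extension` receives it; every other member — the extension's `mandatory` flag in particular — is indeterminate, and if the callee copies the extension into the entry that garbage ends up in the database record. Zero the struct first, `memset(&ext, 0, sizeof ext);`, ahead of `ext.data.element = choice_HDB_extension_data_hist_keys;`. Separately, the new flow drops the whole hist_keys extension whenever `keepold == 0`, which appears to leave later "Password reuse forbidden" checks with only the keys `hdb_add_current_keys_to_history` re-adds on the next change; since `kadm5_chpass_principal` in common_glue.c now passes 0 unconditionally, the comment added earlier in `change()` should say this is intended. `change()` starts and ends outside the hunk.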
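Review bot: `kadm5_chpass_principal` now hard-codes `0` for the new `keepold` slot, which on the server backend in this patch appears to discard the principal's key history on every call through the old API; that is a behaviour change for existing callers, and the bare `0` gives no hint of it. Name the argument and record the consequence: `return __CALL(chpass_principal, (server_handle, princ, 0 /* keepold */, password));` with a one-line comment above noting that callers needing the history retained must use `kadm5_chpass_principal_3`.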
@@ -37,7 +37,7 @@
 #define __kadm5_privatex_h__
 
 struct kadm_func {
- kadm5_ret_t (*chpass_principal) (void *, krb5_principal, const char*);
+ kadm5_ret_t (*chpass_principal) (void *, krb5_principal, int, const char*);
 kadm5_ret_t (*create_principal) (void*, kadm5_principal_ent_t,
 uint32_t, const char*);
 kadm5_ret_t (*delete_principal) (void*, krb5_principal);