From fed79b33b994a620fbbdd23b3fc5f94b21759bc2 Mon Sep 17 00:00:00 2001 From: Johan Danielsson Date: Mon, 21 Oct 2002 13:21:24 +0000 Subject: [PATCH] add option to disable kerberos 4 kadmin git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11489 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kadmin/kadm_conn.c | 5 ++++- kadmin/kadmind.8 | 12 +++++++++--- kadmin/kadmind.c | 10 +++++++++- kadmin/server.c | 7 ++++++- 4 files changed, 28 insertions(+), 6 deletions(-) diff --git a/kadmin/kadm_conn.c b/kadmin/kadm_conn.c index 68f4ebdc6..26990da06 100644 --- a/kadmin/kadm_conn.c +++ b/kadmin/kadm_conn.c @@ -62,12 +62,15 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port) kadm_ports = p; } +extern int do_kerberos4; + static void add_standard_ports (krb5_context context) { add_kadm_port(context, "kerberos-adm", 749); #ifdef KRB4 - add_kadm_port(context, "kerberos-master", 751); + if(do_kerberos4) + add_kadm_port(context, "kerberos-master", 751); #endif } diff --git a/kadmin/kadmind.8 b/kadmin/kadmind.8 index 0d5622f28..adb8f41e0 100644 --- a/kadmin/kadmind.8 +++ b/kadmin/kadmind.8 @@ -26,6 +26,7 @@ .Fl -ports= Ns Ar port .Xc .Oc +.Op Fl -no-kerberos4 .Sh DESCRIPTION .Nm listens for requests for changes to the Kerberos database and performs @@ -118,11 +119,16 @@ enable debugging .Fl -ports= Ns Ar port .Xc ports to listen to. By default, if run as a daemon, it listen to ports -749, and 751 (if built with Kerberos 4 support), but you can add any -number of ports with this option. The port string is a whitespace -separated list of port specifications, with the special string +749, and 751 (if Kerberos 4 support is built and enabled), but you can +add any number of ports with this option. The port string is a +whitespace separated list of port specifications, with the special +string .Dq + representing the default set of ports. +.It Fl -no-kerberos4 +make +.Nm +ignore Kerberos 4 kadmin requests. .El .\".Sh ENVIRONMENT .Sh FILES 
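Review bot: `extern int do_kerberos4;` is hand-declared above add_standard_ports here and again in the kadmin/server.c hunk (-532,6 +532,8), while the only definition, in kadmin/kadmind.c, sits under `#ifdef KRB4`, so nothing lets the compiler check the three against each other. Declaring it once, inside `#ifdef KRB4`, in a header that all three files include would catch a type or guard mismatch at build time. The new `if(do_kerberos4)` only drops port 751 from the default set. A `--ports` value that names 751 would presumably still open that listener (port parsing is outside this hunk), which leaves the check in kadmind_loop as the real enforcement point. A comment such as `/* default port only; v4 requests themselves are refused in kadmind_loop() */` would make that clear.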
diff --git a/kadmin/kadmind.c b/kadmin/kadmind.c index 56d7d5c05..51a37412c 100644 --- a/kadmin/kadmind.c +++ b/kadmin/kadmind.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -45,6 +45,9 @@ static int version_flag; static int debug_flag; static char *port_str; char *realm; +#ifdef KRB4 +int do_kerberos4 = 1; +#endif static struct getargs args[] = { { @@ -71,6 +74,11 @@ static struct getargs args[] = { { "debug", 'd', arg_flag, &debug_flag, "enable debugging" }, +#ifdef KRB4 + { "kerberos4", 0, arg_negative_flag, &do_kerberos4, + "don't respond to kerberos 4 requests" + }, +#endif { "ports", 'p', arg_string, &port_str, "ports to listen to", "port" }, { "help", 'h', arg_flag, &help_flag }, diff --git a/kadmin/server.c b/kadmin/server.c index 2cc2145b5..527a14520 100644 --- a/kadmin/server.c +++ b/kadmin/server.c @@ -532,6 +532,8 @@ handle_v5(krb5_context context, v5_loop (context, ac, initial, kadm_handle, fd); } +extern int do_kerberos4; + krb5_error_code kadmind_loop(krb5_context context, krb5_auth_context ac, @@ -551,7 +553,10 @@ kadmind_loop(krb5_context context, if(len > 0xffff && (len & 0xffff) == ('K' << 8) + 'A') { len >>= 16; #ifdef KRB4 - handle_v4(context, keytab, len, fd); + if(do_kerberos4) + handle_v4(context, keytab, len, fd); + else + krb5_errx(context, 1, "version 4 kadmin is disabled"); #else krb5_errx(context, 1, "packet appears to be version 4"); #endif
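Review bot: `int do_kerberos4 = 1;` in the -45,6 +45,9 hunk leaves the Kerberos 4 kadmin interface on unless the operator passes `--no-kerberos4`, and the variable has no comment recording that default or who reads it. Since it is a non-static global consumed from two other files, I would document it where it is defined: `/* non-zero: serve Kerberos 4 kadmin (default); cleared by --no-kerberos4. Read by kadm_conn.c and server.c */`. The getargs entry in the -71,6 +74,11 hunk has the help text "don't respond to kerberos 4 requests" attached to the option name `kerberos4`. Presumably arg_negative_flag prints it as `--no-kerberos4`, but that is worth confirming in the `--help` output.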
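Review bot: In the last server.c hunk (-551,7 +553,10), the new `else` branch calls `krb5_errx(context, 1, "version 4 kadmin is disabled")`, which terminates the process, whereas kadmind.8 in this same commit says the option makes kadmind "ignore" such requests. Whether only a per-connection process exits cannot be seen here, because kadmind_loop starts and continues outside the hunk. A comment on the branch would state the intent, e.g. `/* v4 disabled at run time: refuse before any v4 parsing; krb5_errx() exits */`. The message also names no client, so the log cannot show which hosts still send v4 requests. If the peer address is available at this point, including it would help operators find and migrate them. Bracing the `if`/`else` would also be safer, given that it sits inside an `#ifdef`/`#else` pair.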