52 Commits

Author SHA1 Message Date
d2bc2a4ce5 kadmin: Fix return value non-checking in format_field() 2023-01-04 16:22:41 -06:00
6b64ae2cde kadmin: Fix leak of dup context 2022-03-23 23:39:34 -05:00
621deed047 kadmin: Fix re-entrance in iterations
Any callback of kadm5_iter_principals() that wants to call other kadm5
functions (such as kadm5_get_principal()) needs to do so on a different
kadm5 handle than the one used for kadm5_iter_principals().
2022-03-23 18:03:38 -05:00
1dbfd4e835 kadmin: Use kadm5_iter_principals() to list princs
Now that we have a properly working API for listing principals in an
online way, and a server-side implementation of it, use it.

This should work with old and new servers, but it will only be online
and fast when talking to new servers.

(Old servers have a bug though that prevents LIST from working.)
2022-03-20 18:32:14 -05:00
54adba6023 kadmin: format_field KRB5_TL_ETYPES do not leak enctype string
Change-Id: I745216c334c038f55711c27f7885d8f96f656e79
2022-01-16 23:32:10 -05:00
a84186653c kadmin: list_princs zero get_opt structure before use
Not all fields are assigned to.  Initialize the structure
to zero before use.

Change-Id: I2cfc60baaf8bf80389950a373c2a82f600a71aa2
2022-01-15 22:28:42 -05:00
5447b81fb1 hdb: Move virtual principals into HDB layer
This is a large commit that adds several features:

 - Revamps and moves virtual host-based service principal functionality
   from kdc/ to lib/hdb/ so that it may be automatically visible to
   lib/kadm5/, as well as kadmin(1)/kadmind(8) and ktutil(1).

   The changes are backwards-incompatible.

 - Completes support for documenting a service principal's supported
   enctypes in its HDB entry independently of its long-term keys.  This
   will reduce HDB bloat by not requiring that service principals have
   more long-term keys than they need just to document the service's
   supported enctypes.

 - Adds support for storing krb5.conf content in principals' HDB
   entries.  This may eventually be used for causing Heimdal KDC
   services to reconfigure primary/secondary roles automatically by
   discovering the configured primary in an HDB entry for the realm.

   For now this will be used to help reduce the amount of configuration
   needed by clients of an upcoming HTTP binding of the kadmin service.
2020-09-08 00:25:36 -05:00
d8394c65b7 Add new kadmin/ktutil --keep* and --enctypes opts
 - Add --keepold/keepallold/pruneall options to various kadmin/ktutil
   commands.  Default behavior to "prune old keys".

 - When setting keys for a service, we need to specify enctypes for it:

    - Always use kadm5_randkey_principal_3() instead of the older
      kadm5_randkey_principal().

    - Add krb5_string_to_keysalts2(), like MIT's krb5_string_to_keysalts(),
      but with a context, and simpler.

    - Add --enctypes options to various kadmin/ktutil commands.

    - Add [libdefaults] supported_enctypes param with enctype[:salttype]
      list.

    - Add [realms] realm supported_enctypes param with enctype[:salttype]
      list.

      Default to aes128-cts-hmac-sha1-96:normal.
2019-01-02 17:29:08 -06:00
cc47c8fa7b Turn on -Wextra -Wno-sign-compare -Wno-unused-parameter and fix issues.
We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer.  Note that we get different
warnings on different machines and so this will be a work in
progress.  So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).

Notably, we fixed

	1.  a lot of missing structure initialisers,

	2.  unchecked return values for functions that glibc
	    marks as __attribute__((warn-unused-result)),

	3.  made minor modifications to slc and asn1_compile
	    which can generate code which generates warnings,
	    and

	4.  a few stragglers here and there.

We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g.  rsh, rcp,
popper, ftp and telnet.

Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.

We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.
2012-02-20 19:45:41 +00:00
b6f4094cfe Add kvno for all keys to kadmin's get command's output
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2011-09-22 15:13:27 +02:00
e23a1efdc9 Fixes for updates of KADM5_KVNO but not KEY_DATA and vice-versa.
It turns out that updates of kvno but not key data and vice-versa are
both allowed and actually done (e.g., in kadmin's ank).  Doing the right
thing in these cases turns out to be a bit tricky, but this commit ought
to do it.
2011-07-22 16:07:10 -05:00
c2ec368c36 Add HDB extension for storing policy regarding what historic keys may be used for 2011-07-22 16:06:00 -05:00
0879b9831a remove trailing whitespace 2011-05-21 11:57:31 -07:00
2bcacbd052 patch from Christos Zoulas 2011-04-23 18:27:35 -07:00
ce438f343c Fix error reporting prefix for kadmin list
Pass the function name into foreach_principal instead of the static
"get" string, so the correct function is reported in errors in
kadmin list.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2010-09-01 22:59:30 -07:00
890c797f68 Don't retrieve principal data for kadmin list
kadmin list and kadmin get -t used the same output display logic
as short output, which meant that they called kadm5_get_principal
for each principal.  However, they then just threw that output
away since the terse format displays only the principal name.

For terse get output, instead use a separate set of functions that
just print the string version of the principal name and do not
retrieve additional information.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2010-09-01 22:59:12 -07:00
433b1d5073 drop RCSID 2010-03-16 12:52:58 -07:00
d5970c0851 Report mkvno as unknown
When the principal is retrieved from the database via libkadm5srv, the
keys are always decrypted, so the reported mkvno is always 0.  Rather
than returning 0 and implying that the key in the database is not
encrypted, report the mkvno as unknown for right now.

A better fix is required to either not decrypt the keys when retrieving
get information or to get the mkvno before keys are decrypted.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2010-02-02 19:36:20 -08:00
6937d41a02 remove trailing whitespace
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 09:21:03 +00:00
e172367898 switch to utf8 encoding of all files
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 08:53:55 +00:00
8d40c2994b check return value of alloc functions, from Charles Longeau
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21745 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-07-31 16:11:25 +00:00
ea6db777a0 add setting and displaying aliases
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20239 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-17 00:00:41 +00:00
c86020bf6d (format_field): optionally print issuer and anchor.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17833 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-07-14 02:31:30 +00:00
652da91adb Rename u_intXX_t to uintXX_t
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17447 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-05-05 10:52:01 +00:00
091fba8a25 return 1 on failure, update (c)
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16658 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-01-25 12:29:46 +00:00
a4ef0411e1 Add printing of pkinit-acls. Don't print password by default. Return 1
on failure processing any of the principals.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16653 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-01-25 12:16:00 +00:00
abf82fc886 Remove structure that is never used (sneaked in the large TL_DATA patch).
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15910 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-08-11 20:48:30 +00:00
a76cd62f8b Indent.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15907 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-08-11 20:33:57 +00:00
0de0d9727e Extend struct field_name to have a subvalue and an extra_mask. Use
that to implement printing of KADM5_TL_DATA options and fix a
dependency bug (keys needed principal to print the salting).


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15890 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-08-11 13:44:34 +00:00
5ce5bb68b5 (getit): init data.mask to 0.
Problem found by Andrew Abartlet <abartlet@samba.org>


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15310 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-05-30 20:41:17 +00:00
b4e6b5dc46 (getit): always free columns
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14334 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-11-01 16:54:53 +00:00
d7c3e29589 print keytypes on long format
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14117 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-08-13 14:05:33 +00:00
d6e16be502 (format_field): allow mod_name to be optional
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14030 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-07-06 04:26:17 +00:00
5836537f76 argument number checks are now done by slc
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14026 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-07-05 11:41:22 +00:00
d970c48c81 print error messages to stderr; change all in-string quoting to use "
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14021 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-07-04 15:09:42 +00:00
74c605506c implement output column selection, similar to ps -o
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14002 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-06-27 15:13:36 +00:00
9929f779ec move kadmin-commands.h from kadmin_locl.h so kadmind does not depend on it
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14000 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-06-27 15:04:07 +00:00
d7f9fac88e convert to use slc; also add stash subcommand
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13970 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-06-21 19:19:45 +00:00
5640b8bb3d (print_entry_terse): handle error when unparsing name
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12607 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-08-21 14:23:25 +00:00
8d186e2484 (getit): new foreach_principal
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9854 ec53bebd-3082-4978-b11e-865c3cabbd6b
2001-05-07 05:31:43 +00:00
cedb41f6fc avoid asprintf'ing NULL strings
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9394 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-12-15 14:24:24 +00:00
ebc19dc219 don't try to print modifier name if it isn't set
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9147 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-11-08 23:26:41 +00:00
f2337ccf1e (print_entry_long): actually print the actual saltvalue used if it's
not the default


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9061 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-09-19 12:11:35 +00:00
47b95f3233 make `get' and `list' aliases to each other, but with different
defaults


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9043 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-09-10 19:18:37 +00:00
c5b916ca6f remove advertising clause
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7464 ec53bebd-3082-4978-b11e-865c3cabbd6b
1999-12-02 17:05:13 +00:00
7c846975b0 update with new names of functions in util
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6847 ec53bebd-3082-4978-b11e-865c3cabbd6b
1999-08-19 20:32:05 +00:00
0b54ed61fe (print_entry_long): print the keytypes and salts available for the
principal


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@5363 ec53bebd-3082-4978-b11e-865c3cabbd6b
1999-02-15 21:01:42 +00:00
2d1323df4b *** empty log message ***
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@5129 ec53bebd-3082-4978-b11e-865c3cabbd6b
1998-08-18 21:11:34 +00:00
b404d83805 Use `foreach_principal'. Add long, short, and terse (equivalent to
`list') output formats. Short is the default.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4503 ec53bebd-3082-4978-b11e-865c3cabbd6b
1998-03-01 04:08:18 +00:00
bbd95df4f6 Move stuff to util.c
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@3935 ec53bebd-3082-4978-b11e-865c3cabbd6b
1997-11-11 20:37:57 +00:00