Diffstat (limited to 'kerberosV')
-rw-r--r--kerberosV/src/admin/list.c4
-rw-r--r--kerberosV/src/appl/ftp/ftpd/ftpd.c16
-rw-r--r--kerberosV/src/appl/login/login.c35
-rw-r--r--kerberosV/src/appl/login/login_access.c3
-rw-r--r--kerberosV/src/appl/login/utmpx_login.c3
-rw-r--r--kerberosV/src/appl/rcp/rcp.c70
-rw-r--r--kerberosV/src/appl/rsh/rshd.c13
-rw-r--r--kerberosV/src/appl/telnet/telnet/commands.c10
-rw-r--r--kerberosV/src/appl/telnet/telnet/externs.h5
-rw-r--r--kerberosV/src/appl/telnet/telnetd/sys_term.c9
-rw-r--r--kerberosV/src/appl/xnlock/xnlock.c5
-rw-r--r--kerberosV/src/doc/setup.texi28
-rw-r--r--kerberosV/src/kadmin/kadmin_locl.h11
-rw-r--r--kerberosV/src/kadmin/kadmind.86
-rw-r--r--kerberosV/src/kdc/headers.h9
-rw-r--r--kerberosV/src/kdc/kdc_locl.h12
-rw-r--r--kerberosV/src/kpasswd/kpasswdd.813
-rw-r--r--kerberosV/src/kpasswd/kpasswdd.c13
-rw-r--r--kerberosV/src/kuser/kinit.140
-rw-r--r--kerberosV/src/kuser/kinit.c507
-rw-r--r--kerberosV/src/lib/des/rnd_keys.c8
-rw-r--r--kerberosV/src/lib/kadm5/ipropd_slave.c13
-rw-r--r--kerberosV/src/lib/krb5/crypto.c36
-rw-r--r--kerberosV/src/lib/krb5/keytab_any.c16
-rw-r--r--kerberosV/src/lib/krb5/krb5.conf.520
-rw-r--r--kerberosV/src/lib/krb5/krb5.h33
-rw-r--r--kerberosV/src/lib/krb5/krb5_context.32
-rw-r--r--kerberosV/src/lib/krb5/krb5_init_context.34
-rw-r--r--kerberosV/src/lib/krb5/krb5_keytab.36
-rw-r--r--kerberosV/src/lib/krb5/krb5_locl.h24
-rw-r--r--kerberosV/src/lib/krb5/krb5_verify_user.379
31 files changed, 582 insertions, 471 deletions
diff --git a/kerberosV/src/admin/list.c b/kerberosV/src/admin/list.c
index 3fa5a1e3485..ed1305be1ac 100644
--- a/kerberosV/src/admin/list.c
+++ b/kerberosV/src/admin/list.c
@@ -33,7 +33,7 @@
#include "ktutil_locl.h"
-RCSID("$KTH: list.c,v 1.8 2001/05/11 00:54:01 assar Exp $");
+RCSID("$KTH: list.c,v 1.9 2001/06/18 01:24:29 joda Exp $");
static int help_flag;
static int list_keys;
@@ -122,11 +122,11 @@ do_list(const char *keytab_string)
((unsigned char*)entry.keyblock.keyvalue.data)[i]);
CHECK_MAX(key);
}
- kp->next = NULL;
*kie = kp;
kie = &kp->next;
krb5_kt_free_entry(context, &entry);
}
+ *kie = NULL; /* termiate list */
ret = krb5_kt_end_seq_get(context, keytab, &cursor);
printf("%-*s %-*s %-*s", max_version, "Vno",
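Review bot: The comment on the new terminating line misspells the word: `*kie = NULL; /* terminate list */`. It would also help a later reader to say why the assignment was hoisted out of the loop, e.g. `/* terminate list; also covers an empty keytab */`, assuming the head pointer `kie` starts from is not already initialised to NULL (its declaration is outside this hunk). do_list's body continues outside the hunk.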
diff --git a/kerberosV/src/appl/ftp/ftpd/ftpd.c b/kerberosV/src/appl/ftp/ftpd/ftpd.c
index 4ec0751e5f5..7f64290da80 100644
--- a/kerberosV/src/appl/ftp/ftpd/ftpd.c
+++ b/kerberosV/src/appl/ftp/ftpd/ftpd.c
@@ -38,7 +38,7 @@
#endif
#include "getarg.h"
-RCSID("$KTH: ftpd.c,v 1.157 2001/04/19 14:41:29 joda Exp $");
+RCSID("$KTH: ftpd.c,v 1.159 2001/08/28 19:02:09 nectar Exp $");
static char version[] = "Version 6.00";
@@ -68,6 +68,7 @@ struct passwd *pw;
int debug = 0;
int ftpd_timeout = 900; /* timeout after 15 minutes of inactivity */
int maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
+int restricted_data_ports = 1;
int logging;
int guest;
int dochroot;
@@ -217,6 +218,7 @@ struct getargs args[] = {
{ NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
{ NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
{ NULL, 'u', arg_string, &umask_string, "umask for user logins" },
+ { NULL, 'U', arg_negative_flag, &restricted_data_ports, "don't use high data ports" },
{ NULL, 'd', arg_flag, &debug, "enable debugging" },
{ NULL, 'v', arg_flag, &debug, "enable debugging" },
{ "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
@@ -1951,6 +1953,8 @@ pasv(void)
socket_set_address_and_port (pasv_addr,
socket_get_address (ctrl_addr),
0);
+ socket_set_portrange(pdata, restricted_data_ports,
+ pasv_addr->sa_family);
seteuid(0);
if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
seteuid(pw->pw_uid);
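Review bot: The result of `socket_set_portrange(pdata, restricted_data_ports, pasv_addr->sa_family)` is discarded, so if the helper reports failure (its declaration is outside this hunk, so the return convention cannot be confirmed here) the data socket silently falls back to whatever port range the kernel picks, and the `-U` switch becomes a best-effort hint rather than a guarantee. If it does return an error indication, log it before the bind: `if (socket_set_portrange(...) < 0) syslog(LOG_WARNING, "setting data port range: %m");` or equivalent. The identical unchecked call is added in epsv in the next hunk. pasv's body continues outside the hunk.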
@@ -1993,6 +1997,8 @@ epsv(char *proto)
socket_set_address_and_port (pasv_addr,
socket_get_address (ctrl_addr),
0);
+ socket_set_portrange(pdata, restricted_data_ports,
+ pasv_addr->sa_family);
seteuid(0);
if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) {
seteuid(pw->pw_uid);
@@ -2165,7 +2171,13 @@ send_file_list(char *whichf)
char buf[MaxPathLen];
if (strpbrk(whichf, "~{[*?") != NULL) {
- int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT;
+ int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|
+#ifdef GLOB_MAXPATH
+ GLOB_MAXPATH
+#else
+ GLOB_LIMIT
+#endif
+ ;
memset(&gl, 0, sizeof(gl));
freeglob = 1;
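Review bot: Embedding an `#ifdef`/`#else`/`#endif` inside the initializer of `flags` makes the expression hard to read and is easy to break when another flag is added. A single conditional near the includes, selecting either `GLOB_MAXPATH` or `GLOB_LIMIT` into one macro, lets the declaration stay on one line: `int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|FTPD_GLOB_LIMIT;` (macro name is a suggestion). A one-line comment on that macro should also record that the limit exists to bound glob expansion of client-supplied patterns, since that is the reason the flag is present at all. send_file_list's body continues outside the hunk.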
diff --git a/kerberosV/src/appl/login/login.c b/kerberosV/src/appl/login/login.c
index 81dc1d82f3e..6ffe23e9d5b 100644
--- a/kerberosV/src/appl/login/login.c
+++ b/kerberosV/src/appl/login/login.c
@@ -39,7 +39,7 @@
#include <sys/capability.h>
#endif
-RCSID("$KTH: login.c,v 1.47 2001/02/20 01:44:45 assar Exp $");
+RCSID("$KTH: login.c,v 1.51 2001/07/06 17:36:48 assar Exp $");
static int login_timeout = 60;
@@ -174,10 +174,29 @@ krb5_verify(struct passwd *pwd, const char *password)
static krb5_error_code
krb5_to4 (krb5_ccache id)
{
- if (krb5_config_get_bool(context, NULL,
- "libdefaults",
- "krb4_get_tickets",
- NULL)) {
+ krb5_error_code ret;
+ krb5_principal princ;
+
+ int get_v4_tgt;
+
+ get_v4_tgt = krb5_config_get_bool(context, NULL,
+ "libdefaults",
+ "krb4_get_tickets",
+ NULL);
+
+ ret = krb5_cc_get_principal(context, id, &princ);
+ if (ret == 0) {
+ get_v4_tgt = krb5_config_get_bool_default(context, NULL,
+ get_v4_tgt,
+ "realms",
+ *krb5_princ_realm(context,
+ princ),
+ "krb4_get_tickets",
+ NULL);
+ krb5_free_principal(context, princ);
+ }
+
+ if (get_v4_tgt) {
CREDENTIALS c;
krb5_creds mcred, cred;
char krb4tkfile[MAXPATHLEN];
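Review bot: The new function-scope `krb5_error_code ret;` is later assigned again at `ret = krb5_cc_retrieve_cred(...)` inside the `if (get_v4_tgt)` block; if that block still carries its own `ret` declaration (not visible in this hunk), the outer one is shadowed and the compiler will not warn without `-Wshadow`, so one of the two declarations should go. A short comment on the lookup order would also help: `/* realm-specific krb4_get_tickets overrides libdefaults; on any failure to read the principal keep the libdefaults value */`, since the `ret == 0` fallback is deliberate but not stated. krb5_to4's body continues outside the hunk.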
@@ -199,7 +218,7 @@ krb5_to4 (krb5_ccache id)
ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
if(ret == 0) {
- ret = krb524_convert_creds_kdc(context, id, &cred, &c);
+ ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c);
if(ret == 0) {
snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT,
getuid());
@@ -456,6 +475,8 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
exit(1);
}
#endif
+ if(do_osfc2_magic(pwd->pw_uid))
+ exit(1);
if(setgid(pwd->pw_gid)){
warn("setgid(%u)", (unsigned)pwd->pw_gid);
if(rootlogin == 0)
@@ -472,8 +493,6 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn)
check_shadow(pwd, sp);
#endif
- if(do_osfc2_magic(pwd->pw_uid))
- exit(1);
#if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM)
{
struct udb *udb;
diff --git a/kerberosV/src/appl/login/login_access.c b/kerberosV/src/appl/login/login_access.c
index e2979e637c1..4ee023a108c 100644
--- a/kerberosV/src/appl/login/login_access.c
+++ b/kerberosV/src/appl/login/login_access.c
@@ -1,3 +1,4 @@
+/************************************************************************
* Copyright 1995 by Wietse Venema. All rights reserved. Some individual
* files may be covered by other copyrights.
*
@@ -24,7 +25,7 @@
#include "login_locl.h"
-RCSID("$KTH: login_access.c,v 1.1 1999/05/17 22:40:05 assar Exp $");
+RCSID("$KTH: login_access.c,v 1.2 2001/06/04 14:09:45 assar Exp $");
/* Delimiters for fields and for lists of users, ttys or hosts. */
diff --git a/kerberosV/src/appl/login/utmpx_login.c b/kerberosV/src/appl/login/utmpx_login.c
index 81c911f3888..9fbe0bb133b 100644
--- a/kerberosV/src/appl/login/utmpx_login.c
+++ b/kerberosV/src/appl/login/utmpx_login.c
@@ -1,3 +1,4 @@
+/************************************************************************
* Copyright 1995 by Wietse Venema. All rights reserved. Some individual
* files may be covered by other copyrights.
*
@@ -17,7 +18,7 @@
#include "login_locl.h"
-RCSID("$KTH: utmpx_login.c,v 1.25 2001/02/08 16:08:47 assar Exp $");
+RCSID("$KTH: utmpx_login.c,v 1.26 2001/06/04 14:10:19 assar Exp $");
/* utmpx_login - update utmp and wtmp after login */
diff --git a/kerberosV/src/appl/rcp/rcp.c b/kerberosV/src/appl/rcp/rcp.c
index 230e8826b19..ee19652eb1a 100644
--- a/kerberosV/src/appl/rcp/rcp.c
+++ b/kerberosV/src/appl/rcp/rcp.c
@@ -92,6 +92,7 @@ main(int argc, char **argv)
char *targ;
int optind = 0;
+ setprogname(argv[0]);
if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
&optind))
usage (1);
@@ -133,8 +134,9 @@ main(int argc, char **argv)
remin = remout = -1;
/* Command to be executed on remote system using "rsh". */
- sprintf(cmd, "rcp%s%s%s", iamrecursive ? " -r" : "",
- pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "");
+ snprintf(cmd, sizeof(cmd),
+ "rcp%s%s%s", iamrecursive ? " -r" : "",
+ pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "");
signal(SIGPIPE, lostconn);
@@ -151,7 +153,7 @@ main(int argc, char **argv)
void
toremote(char *targ, int argc, char **argv)
{
- int i, len;
+ int i;
char *bp, *host, *src, *suser, *thost, *tuser;
*targ++ = 0;
@@ -178,37 +180,34 @@ toremote(char *targ, int argc, char **argv)
if (*src == 0)
src = ".";
host = strchr(argv[i], '@');
- len = strlen(_PATH_RSH) + strlen(argv[i]) +
- strlen(src) + (tuser ? strlen(tuser) : 0) +
- strlen(thost) + strlen(targ) + CMDNEEDS + 20;
- if (!(bp = malloc(len)))
- err(1, "malloc");
if (host) {
- *host++ = 0;
+ *host++ = '\0';
suser = argv[i];
if (*suser == '\0')
suser = pwd->pw_name;
else if (!okname(suser))
continue;
- snprintf(bp, len,
+ asprintf(&bp,
"%s %s -l %s -n %s %s '%s%s%s:%s'",
_PATH_RSH, host, suser, cmd, src,
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
- } else
- snprintf(bp, len,
+ } else {
+ asprintf(&bp,
"exec %s %s -n %s %s '%s%s%s:%s'",
_PATH_RSH, argv[i], cmd, src,
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
+ }
+ if (bp == NULL)
+ err (1, "malloc");
susystem(bp, userid);
free(bp);
} else { /* local to remote */
if (remin == -1) {
- len = strlen(targ) + CMDNEEDS + 20;
- if (!(bp = malloc(len)))
- err(1, "malloc");
- snprintf(bp, len, "%s -t %s", cmd, targ);
+ asprintf(&bp, "%s -t %s", cmd, targ);
+ if (bp == NULL)
+ err (1, "malloc");
host = thost;
if (do_cmd(host, tuser, bp, &remin, &remout) < 0)
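Review bot: The `if (bp == NULL) err (1, "malloc");` guards after each `asprintf(&bp, ...)` rely on the BSD behaviour of setting the output pointer to NULL on failure; glibc documents the pointer's contents as undefined on failure and only guarantees the -1 return, so on such platforms a failed allocation is not caught and an indeterminate pointer reaches susystem/do_cmd and free. Checking the return value is portable: `if (asprintf(&bp, ...) < 0) err(1, "asprintf");` (or `== -1`), which also lets the two `err` calls collapse into the call site. The same pattern is repeated in the tolocal hunks that follow (the `exec %s%s%s %s %s` and `%s -f %s` sites). toremote's body continues outside the hunk.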
@@ -227,18 +226,16 @@ toremote(char *targ, int argc, char **argv)
void
tolocal(int argc, char **argv)
{
- int i, len;
+ int i;
char *bp, *host, *src, *suser;
for (i = 0; i < argc - 1; i++) {
if (!(src = colon(argv[i]))) { /* Local to local. */
- len = strlen(_PATH_CP) + strlen(argv[i]) +
- strlen(argv[argc - 1]) + 20;
- if (!(bp = malloc(len)))
- err(1, "malloc");
- snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+ asprintf(&bp, "exec %s%s%s %s %s", _PATH_CP,
iamrecursive ? " -PR" : "", pflag ? " -p" : "",
argv[i], argv[argc - 1]);
+ if (bp == NULL)
+ err (1, "malloc");
if (susystem(bp, userid))
++errs;
free(bp);
@@ -258,10 +255,9 @@ tolocal(int argc, char **argv)
else if (!okname(suser))
continue;
}
- len = strlen(src) + CMDNEEDS + 20;
- if ((bp = malloc(len)) == NULL)
- err(1, "malloc");
- snprintf(bp, len, "%s -f %s", cmd, src);
+ asprintf(&bp, "%s -f %s", cmd, src);
+ if (bp == NULL)
+ err (1, "malloc");
if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
free(bp);
++errs;
@@ -275,22 +271,6 @@ tolocal(int argc, char **argv)
}
}
-static char *
-sizestr(off_t size)
-{
- static char ss[32];
- char *p;
- ss[sizeof(ss) - 1] = '\0';
- for(p = ss + sizeof(ss) - 2; p >= ss; p--) {
- *p = '0' + size % 10;
- size /= 10;
- if(size == 0)
- break;
- }
- return ss;
-}
-
-
void
source(int argc, char **argv)
{
@@ -339,8 +319,10 @@ syserr: run_err("%s: %s", name, strerror(errno));
goto next;
}
#define MODEMASK (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)
- snprintf(buf, sizeof(buf), "C%04o %s %s\n",
- stb.st_mode & MODEMASK, sizestr(stb.st_size), last);
+ snprintf(buf, sizeof(buf), "C%04o %lu %s\n",
+ stb.st_mode & MODEMASK,
+ (unsigned long)stb.st_size,
+ last);
write(remout, buf, strlen(buf));
if (response() < 0)
goto next;
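Review bot: Replacing sizestr with `(unsigned long)stb.st_size` and `%lu` truncates the advertised size on platforms where `off_t` is wider than `unsigned long` (32-bit hosts with large-file support), so a file of 4 GiB or more is announced with a wrong length and the receiver will stop reading early; the removed sizestr handled any width of off_t. If the toolchain supports it, use the widest available type: `snprintf(buf, sizeof(buf), "C%04o %llu %s\n", stb.st_mode & MODEMASK, (unsigned long long)stb.st_size, last);`, or keep a width-agnostic formatter. The unchecked `write(remout, buf, strlen(buf))` predates this change and is not re-raised. source's body continues outside the hunk.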
diff --git a/kerberosV/src/appl/rsh/rshd.c b/kerberosV/src/appl/rsh/rshd.c
index ee532b7f292..b395307268f 100644
--- a/kerberosV/src/appl/rsh/rshd.c
+++ b/kerberosV/src/appl/rsh/rshd.c
@@ -32,7 +32,7 @@
*/
#include "rsh_locl.h"
-RCSID("$KTH: rshd.c,v 1.41 2001/02/20 01:44:48 assar Exp $");
+RCSID("$KTH: rshd.c,v 1.43 2001/07/31 09:05:45 joda Exp $");
int
login_access( struct passwd *user, char *from);
@@ -58,11 +58,13 @@ static char tkfile[MAXPATHLEN] = "";
static int do_inetd = 1;
static char *port_str;
-static int do_rhosts;
+static int do_rhosts = 1;
static int do_kerberos = 0;
static int do_vacuous = 0;
static int do_log = 1;
static int do_newpag = 1;
+static int do_addr_verify = 0;
+static int do_keepalive = 1;
static int do_version;
static int do_help = 0;
@@ -102,6 +104,7 @@ fatal (int sock, const char *m, ...)
*buf = 1;
va_start(args, m);
len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args);
+ len = min(len, sizeof(buf) - 1);
va_end(args);
syslog (LOG_ERR, "%s", buf + 1);
net_write (sock, buf, len + 1);
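Review bot: The added `len = min(len, sizeof(buf) - 1);` handles the truncation case but not the error case: vsnprintf returns a negative value on failure, and if `len` is a signed type (its declaration is outside this hunk) the comparison against `sizeof(buf) - 1` promotes it to unsigned, so a negative length becomes huge, `min` yields `sizeof(buf) - 1`, and net_write sends the whole buffer of mostly uninitialised bytes to the peer. Clamping both ends avoids that: `if (len < 0) len = 0; else if ((size_t)len > sizeof(buf) - 1) len = sizeof(buf) - 1;`. fatal's body continues outside the hunk.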
@@ -841,14 +844,16 @@ doit (int do_kerberos, int check_rhosts)
}
struct getargs args[] = {
+ { NULL, 'a', arg_flag, &do_addr_verify },
+ { "keepalive", 'n', arg_negative_flag, &do_keepalive },
{ "inetd", 'i', arg_negative_flag, &do_inetd,
"Not started from inetd" },
{ "kerberos", 'k', arg_flag, &do_kerberos,
"Implement kerberised services" },
{ "encrypt", 'x', arg_flag, &do_encrypt,
"Implement encrypted service" },
- { "rhosts", 'l', arg_flag, &do_rhosts,
- "Check users .rhosts" },
+ { "rhosts", 'l', arg_negative_flag, &do_rhosts,
+ "Don't check users .rhosts" },
{ "port", 'p', arg_string, &port_str, "Use this port",
"port" },
{ "vacuous", 'v', arg_flag, &do_vacuous,
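Review bot: The two new getargs entries `{ NULL, 'a', arg_flag, &do_addr_verify }` and `{ "keepalive", 'n', arg_negative_flag, &do_keepalive }` carry no help text, unlike every other entry in the table, so `--help` will not describe them; add a description of what `do_addr_verify` gates (its use is outside this hunk) and `"don't set SO_KEEPALIVE"` or whatever the flag actually controls. Since `do_rhosts` now defaults to 1 and `-l` inverts it, existing invocations that passed `-l` to enable .rhosts checking now disable it; that semantic flip deserves a line in the usage text and manual page.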
diff --git a/kerberosV/src/appl/telnet/telnet/commands.c b/kerberosV/src/appl/telnet/telnet/commands.c
index eac310da5fc..d89b2c3f219 100644
--- a/kerberosV/src/appl/telnet/telnet/commands.c
+++ b/kerberosV/src/appl/telnet/telnet/commands.c
@@ -33,7 +33,7 @@
#include "telnet_locl.h"
-RCSID("$KTH: commands.c,v 1.65 2001/02/20 03:12:09 assar Exp $");
+RCSID("$KTH: commands.c,v 1.67 2001/08/29 00:45:20 assar Exp $");
#if defined(IPPROTO_IP) && defined(IP_TOS)
int tos = -1;
@@ -350,11 +350,12 @@ send_wontcmd(char *name)
return(send_tncmd(send_wont, "wont", name));
}
+extern char *telopts[]; /* XXX */
+
static int
send_tncmd(void (*func)(), char *cmd, char *name)
{
char **cpp;
- extern char *telopts[];
int val = 0;
if (isprefix(name, "help") || isprefix(name, "?")) {
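Review bot: The hoisted declaration `extern char *telopts[]; /* XXX */` is flagged by its own author as a workaround; since this commit already extends externs.h with new `extern` declarations (see the externs.h section), `telopts` belongs there too, where its real definition type can be kept in sync, rather than as a file-scope extern in commands.c. The `/* XXX */` marker should then either go or say what is still unresolved. send_tncmd's body continues outside the hunk.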
@@ -1564,7 +1565,7 @@ env_init(void)
* "unix:0.0", we have to get rid of "unix" and insert our
* hostname.
*/
- if ((ep = env_find("DISPLAY"))
+ if ((ep = env_find((unsigned char*)"DISPLAY"))
&& (*ep->value == ':'
|| strncmp((char *)ep->value, "unix:", 5) == 0)) {
char hbuf[256+1];
@@ -1604,7 +1605,8 @@ env_init(void)
* USER with the value from LOGNAME. By default, we
* don't export the USER variable.
*/
- if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) {
+ if ((env_find((unsigned char*)"USER") == NULL) &&
+ (ep = env_find((unsigned char*)"LOGNAME"))) {
env_define((unsigned char *)"USER", ep->value);
env_unexport((unsigned char *)"USER");
}
diff --git a/kerberosV/src/appl/telnet/telnet/externs.h b/kerberosV/src/appl/telnet/telnet/externs.h
index 69102df3ad4..17e43cd1b84 100644
--- a/kerberosV/src/appl/telnet/telnet/externs.h
+++ b/kerberosV/src/appl/telnet/telnet/externs.h
@@ -33,7 +33,7 @@
* @(#)externs.h 8.3 (Berkeley) 5/30/95
*/
-/* $KTH: externs.h,v 1.21 2001/03/06 20:10:13 assar Exp $ */
+/* $KTH: externs.h,v 1.23 2001/08/29 00:45:20 assar Exp $ */
#ifndef BSD
# define BSD 43
@@ -95,6 +95,8 @@ extern char
dont[],
will[],
wont[],
+ do_dont_resp[],
+ will_wont_resp[],
options[], /* All the little options */
*hostname; /* Who are we connected to? */
#if defined(ENCRYPTION)
@@ -433,3 +435,4 @@ extern int linemode;
#ifdef KLUDGELINEMODE
extern int kludgelinemode;
#endif
+extern int want_status_response;
diff --git a/kerberosV/src/appl/telnet/telnetd/sys_term.c b/kerberosV/src/appl/telnet/telnetd/sys_term.c
index cd927e0ed36..09519a869ae 100644
--- a/kerberosV/src/appl/telnet/telnetd/sys_term.c
+++ b/kerberosV/src/appl/telnet/telnetd/sys_term.c
@@ -33,7 +33,7 @@
#include "telnetd.h"
-RCSID("$KTH: sys_term.c,v 1.100 2001/04/24 23:11:43 assar Exp $");
+RCSID("$KTH: sys_term.c,v 1.103 2001/08/29 00:45:22 assar Exp $");
#if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
# define PARENT_DOES_UTMP
@@ -142,6 +142,9 @@ char wtmpf[] = "/etc/wtmp";
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
# ifndef TCSANOW
# ifdef TCSETS
@@ -398,7 +401,7 @@ int getpty(int *ptynum)
#if SunOS == 40
int dummy;
#endif
-#if 0 /* && defined(HAVE_OPENPTY) */
+#if __linux
int master;
int slave;
if(openpty(&master, &slave, line, 0, 0) == 0){
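Review bot: Switching the openpty path from `#if 0 /* && defined(HAVE_OPENPTY) */` to `#if __linux` keys the choice on the platform instead of on the feature, while the rest of this file and commit use configure-detected macros (the same section adds `#ifdef HAVE_LIBUTIL_H`). Other systems that provide openpty keep the legacy pty scan, and a Linux build without libutil would fail to link. If openpty was disabled before for a reason, a comment should say which platform misbehaved; otherwise `#if defined(HAVE_OPENPTY)` appears to be the intended condition. getpty's body continues outside the hunk.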
@@ -822,8 +825,6 @@ void getptyslave(void)
int t = -1;
struct winsize ws;
- extern int def_row, def_col;
- extern int def_tspeed, def_rspeed;
/*
* Opening the slave side may cause initilization of the
* kernel tty structure. We need remember the state of
diff --git a/kerberosV/src/appl/xnlock/xnlock.c b/kerberosV/src/appl/xnlock/xnlock.c
index 3b13b0bbc88..e7c5ac1a90a 100644
--- a/kerberosV/src/appl/xnlock/xnlock.c
+++ b/kerberosV/src/appl/xnlock/xnlock.c
@@ -8,7 +8,7 @@
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
-RCSID("$KTH: xnlock.c,v 1.85 2001/03/15 17:13:13 joda Exp $");
+RCSID("$KTH: xnlock.c,v 1.87 2001/06/23 22:20:04 assar Exp $");
#endif
#include <stdio.h>
@@ -574,7 +574,6 @@ verify_krb5(const char *password)
NULL)) {
CREDENTIALS c;
krb5_creds mcred, cred;
- char krb4tkfile[MAXPATHLEN];
krb5_make_principal(context, &mcred.server,
client->realm,
@@ -583,7 +582,7 @@ verify_krb5(const char *password)
NULL);
ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
if(ret == 0) {
- ret = krb524_convert_creds_kdc(context, id, &cred, &c);
+ ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c);
if(ret == 0)
tf_setup(&c, c.pname, c.pinst);
memset(&c, 0, sizeof(c));
diff --git a/kerberosV/src/doc/setup.texi b/kerberosV/src/doc/setup.texi
index a993592f462..89f55e181cb 100644
--- a/kerberosV/src/doc/setup.texi
+++ b/kerberosV/src/doc/setup.texi
@@ -1,4 +1,4 @@
-@c $KTH: setup.texi,v 1.22 2001/02/11 17:10:34 assar Exp $
+@c $KTH: setup.texi,v 1.25 2001/08/24 05:24:33 assar Exp $
@node Setting up a realm, Things in search for a better place, Building and Installing, Top
@@ -209,6 +209,10 @@ following syntax:
principal [priv1,priv2,...] [glob-pattern]
@end smallexample
+The matching is from top to bottom for matching principal (and if given,
+glob-pattern). When there is a match, the rights of that lines are
+used.
+
The privileges you can assign to a principal are: @samp{add},
@samp{change-password} (or @samp{cpw} for short), @samp{delete},
@samp{get}, @samp{list}, and @samp{modify}, or the special privilege
@@ -399,13 +403,23 @@ slave# /usr/heimdal/libexec/ipropd-slave master &
Salting is used to make it harder to precalculate all possible
keys. Using a salt increases the search space to make it almost
-impossible to precalculate all keys. In salting you just append the salt
-to the password, or somehow merge the password with the salt.
+impossible to precalculate all keys. Salting is the process of mixing a
+public string (the salt) with the password, then sending it through an
+encryption-type specific string-to-key function that will output the
+fixed size encryption key.
+
+In Kerberos 5 the salt is determined by the encryption-type, except
+in some special cases.
+
+In @code{des} there is the Kerberos 4 salt
+(none at all) or the afs-salt (using the cell (realm in
+afs-lingo)).
+
+In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
+there is no salt. This is to be compatible with NTLM keys in Windows
+NT 4.
-In Kerberos 5 the salting is determined by the encryption-type, except
-in case of @code{des}. In @code{des} there is the kerberos 4 salting
-(none at all) or the afs-salting (using the cell (realm in
-afs-lingo)). @code{[kadmin]default_keys} in @file{krb5.conf} controls
+@code{[kadmin]default_keys} in @file{krb5.conf} controls
what salting to use,
The syntax of @code{[kadmin]default_keys} is
diff --git a/kerberosV/src/kadmin/kadmin_locl.h b/kerberosV/src/kadmin/kadmin_locl.h
index e50c9156da2..460989ea611 100644
--- a/kerberosV/src/kadmin/kadmin_locl.h
+++ b/kerberosV/src/kadmin/kadmin_locl.h
@@ -32,7 +32,7 @@
*/
/*
- * $KTH: kadmin_locl.h,v 1.36 2001/05/07 05:32:04 assar Exp $
+ * $KTH: kadmin_locl.h,v 1.40 2001/08/22 20:30:24 assar Exp $
*/
#ifndef __ADMIN_LOCL_H__
@@ -75,6 +75,9 @@
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
#ifdef HAVE_NETDB_H
#include <netdb.h>
#endif
@@ -83,7 +86,7 @@
#endif
#include <err.h>
#include <roken.h>
-#ifdef HAVE_OPENSSL_DES_H
+#ifdef HAVE_OPENSSL
#include <openssl/des.h>
#else
#include <des.h>
@@ -145,6 +148,8 @@ int edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit);
int edit_entry(kadm5_principal_ent_t ent, int *mask,
kadm5_principal_ent_t default_ent, int default_mask);
+void set_defaults(kadm5_principal_ent_t ent, int *mask,
+ kadm5_principal_ent_t default_ent, int default_mask);
int set_entry(krb5_context context,
kadm5_principal_ent_t ent,
int *mask,
@@ -159,8 +164,6 @@ foreach_principal(const char *exp,
const char *funcname,
void *data);
-void get_response(const char *prompt, const char *def, char *buf, size_t len);
-
int parse_des_key (const char *key_string,
krb5_key_data *key_data, const char **err);
diff --git a/kerberosV/src/kadmin/kadmind.8 b/kerberosV/src/kadmin/kadmind.8
index d2d2d427cd7..7c0f27602c8 100644
--- a/kerberosV/src/kadmin/kadmind.8
+++ b/kerberosV/src/kadmin/kadmind.8
@@ -131,7 +131,7 @@ compiled in defaults:
.Ed
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
-.Xr kdc 8 ,
+.Xr passwd 1 ,
.Xr kadmin 8 ,
-.Xr kpasswdd 8 ,
-.Xr kpasswd 1
+.Xr kdc 8 ,
+.Xr kpasswdd 8
diff --git a/kerberosV/src/kdc/headers.h b/kerberosV/src/kdc/headers.h
index 30ca24a2e46..894bbf43e07 100644
--- a/kerberosV/src/kdc/headers.h
+++ b/kerberosV/src/kdc/headers.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,7 +32,7 @@
*/
/*
- * $KTH: headers.h,v 1.11 2001/02/15 04:20:53 assar Exp $
+ * $KTH: headers.h,v 1.13 2001/08/22 20:30:25 assar Exp $
*/
#ifndef __HEADERS_H__
@@ -77,13 +77,16 @@
#ifdef HAVE_UTIL_H
#include <util.h>
#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
#include <err.h>
#include <roken.h>
#include <getarg.h>
#include <base64.h>
#include <parse_units.h>
/* openssl/des.h does not have des_random_key, so we don't use it */
-#ifdef XHAVE_OPENSSL_DES_H
+#ifdef HAVE_OPENSSL
#include <openssl/des.h>
#else
#include <des.h>
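Review bot: The comment `/* openssl/des.h does not have des_random_key, so we don't use it */` now sits directly above `#ifdef HAVE_OPENSSL` `#include <openssl/des.h>`, which is exactly the include the comment says is avoided; the old `XHAVE_OPENSSL_DES_H` spelling was the disabling mechanism and is gone, so the comment is stale and misleading. Replace it with one that states the current arrangement, e.g. `/* with OpenSSL, des_new_random_key is mapped to des_random_key in kdc_locl.h */`, or drop it.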
diff --git a/kerberosV/src/kdc/kdc_locl.h b/kerberosV/src/kdc/kdc_locl.h
index 1e09e1e1182..64f1ebd3896 100644
--- a/kerberosV/src/kdc/kdc_locl.h
+++ b/kerberosV/src/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
*/
/*
- * $KTH: kdc_locl.h,v 1.48 2001/01/30 01:44:07 assar Exp $
+ * $KTH: kdc_locl.h,v 1.52 2001/08/22 20:30:25 assar Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -67,8 +67,6 @@ extern krb5_boolean allow_anonymous;
extern char *v4_realm;
extern int enable_v4;
extern int enable_524;
-#endif
-#ifdef KASERVER
extern krb5_boolean enable_kaserver;
#endif
@@ -106,13 +104,17 @@ krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*,
krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*,
const PrincipalName*, size_t*);
krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*);
-krb5_error_code get_des_key(hdb_entry*, krb5_boolean, Key**);
+krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
int maybe_version4 (unsigned char*, int);
#endif
-#ifdef KASERVER
+#ifdef KRB4
krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*);
#endif
+#ifdef HAVE_OPENSSL
+#define des_new_random_key des_random_key
+#endif
+
#endif /* __KDC_LOCL_H__ */
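Review bot: `#define des_new_random_key des_random_key` under `HAVE_OPENSSL` silently equates two key-generation routines from different libraries for the KDC's Kerberos 4 ticket keys; whether both reject weak/semi-weak DES keys and draw from an equivalent entropy source cannot be confirmed from this hunk and should be checked before relying on the alias. A comment recording that check, e.g. `/* OpenSSL's des_random_key also rejects weak keys — verified against <version> */` with the version filled in, would keep the equivalence from being assumed later. The move of `enable_kaserver` under the `KRB4` guard in the earlier hunk is consistent with `do_kaserver` now being declared under `KRB4` here.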
diff --git a/kerberosV/src/kpasswd/kpasswdd.8 b/kerberosV/src/kpasswd/kpasswdd.8
index ebc487f49fc..0ba3f18bd65 100644
--- a/kerberosV/src/kpasswd/kpasswdd.8
+++ b/kerberosV/src/kpasswd/kpasswdd.8
@@ -1,4 +1,4 @@
-.\" $KTH: kpasswdd.8,v 1.5 2001/06/08 21:35:32 joda Exp $
+.\" $KTH: kpasswdd.8,v 1.6 2001/07/12 08:42:27 assar Exp $
.\"
.Dd April 19, 1999
.Dt KPASSWDD 8
@@ -77,12 +77,5 @@ logged to syslog.
.Sh BUGS
The default password quality checks are too basic.
.Sh SEE ALSO
-.Xr kdc 8 ,
-.Xr passwd 1
-.\".Sh ENVIRONMENT
-.\".Sh FILES
-.\".Sh EXAMPLES
-.\".Sh SEE ALSO
-.\".Sh STANDARDS
-.\".Sh HISTORY
-.\".Sh AUTHORS
+.Xr passwd 1 ,
+.Xr kdc 8
diff --git a/kerberosV/src/kpasswd/kpasswdd.c b/kerberosV/src/kpasswd/kpasswdd.c
index 81aff7792de..19bf3db158c 100644
--- a/kerberosV/src/kpasswd/kpasswdd.c
+++ b/kerberosV/src/kpasswd/kpasswdd.c
@@ -32,7 +32,7 @@
*/
#include "kpasswd_locl.h"
-RCSID("$KTH: kpasswdd.c,v 1.51 2001/05/14 06:18:56 assar Exp $");
+RCSID("$KTH: kpasswdd.c,v 1.52 2001/07/02 16:27:09 assar Exp $");
#include <kadm5/admin.h>
@@ -442,7 +442,7 @@ doit (krb5_keytab keytab, int port)
sockets = malloc (n * sizeof(*sockets));
if (sockets == NULL)
krb5_errx (context, 1, "out of memory");
- maxfd = 0;
+ maxfd = -1;
FD_ZERO(&real_fdset);
for (i = 0; i < n; ++i) {
int sa_size;
@@ -455,14 +455,21 @@ doit (krb5_keytab keytab, int port)
if (bind (sockets[i], sa, sa_size) < 0) {
char str[128];
size_t len;
+ int save_errno = errno;
+
ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
- krb5_err (context, 1, errno, "bind(%s)", str);
+ if (ret)
+ strlcpy(str, "unknown address", sizeof(str));
+ krb5_warn (context, save_errno, "bind(%s)", str);
+ continue;
}
maxfd = max (maxfd, sockets[i]);
if (maxfd >= FD_SETSIZE)
krb5_errx (context, 1, "fd too large");
FD_SET(sockets[i], &real_fdset);
}
+ if (maxfd == -1)
+ krb5_errx (context, 1, "No sockets!");
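Review bot: After a failed bind the code now warns and `continue`s, but the descriptor in `sockets[i]` is neither closed nor marked invalid, so each failed address leaks a socket and leaves a live but unbound fd in the array; if the select loop later walks `sockets[0..n)` (outside this hunk) it will also inspect descriptors that were never added to `real_fdset`. Closing and tagging the slot keeps the array consistent: `close(sockets[i]); sockets[i] = -1; continue;`, with any later loop skipping `-1` entries. Saving `errno` before krb5_print_address and the `-1` sentinel for `maxfd` are correct. doit's body continues outside the hunk.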
while(exit_flag == 0) {
int ret;
diff --git a/kerberosV/src/kuser/kinit.1 b/kerberosV/src/kuser/kinit.1
index 9bd905d8676..b75b9785800 100644
--- a/kerberosV/src/kuser/kinit.1
+++ b/kerberosV/src/kuser/kinit.1
@@ -1,15 +1,15 @@
-.\" $KTH: kinit.1,v 1.11 2001/06/08 21:35:32 joda Exp $
+.\" $KTH: kinit.1,v 1.14 2001/08/31 10:02:21 joda Exp $
.\"
.Dd May 29, 1998
.Dt KINIT 1
.Os HEIMDAL
.Sh NAME
-.Nm kinit ,
-.Nm kauth
+.Nm kinit
.Nd acquire initial tickets
.Sh SYNOPSIS
.Nm kinit
.Op Fl 4 | Fl -524init
+.Op Fl 9 | Fl -524convert
.Op Fl -afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl -cache= Ns Ar cachename
@@ -41,8 +41,8 @@
.Oc
.Op Fl k | Fl -use-keytab
.Op Fl v | Fl -validate
-.Oo Fl e Ar enctype \*(Ba Xo
-.Fl -enctypes= Ns Ar enctype
+.Oo Fl e Ar enctypes \*(Ba Xo
+.Fl -enctypes= Ns Ar enctypes
.Xc
.Oc
.Op Fl -fcache-version= Ns Ar integer
@@ -162,20 +162,20 @@ issued to an anonymous principal, typically
.Pp
The following options are only available if
.Nm
-has been compiled with support for Kerberos 4. The
-.Nm kauth
-program is identical to
-.Nm kinit ,
-but has these options enabled by
-default.
+has been compiled with support for Kerberos 4.
.Bl -tag -width Ds
.It Xo
.Fl 4 Ns ,
.Fl -524init
.Xc
-Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible
-ticket. It will store this ticket in the default Kerberos 4 ticket
-file.
+Try to convert the obtained Kerberos 5 krbtgt to a version 4
+compatible ticket. It will store this ticket in the default Kerberos 4
+ticket file.
+.It Xo
+.Fl 9 Ns ,
+.Fl -524convert
+.Xc
+only convert ticket to version 4
.It Fl -afslog
Gets AFS tickets, converts them to version 4 format, and stores them
in the kernel. Only useful if you have AFS.
@@ -201,12 +201,12 @@ command. When it finishes the credentials will be removed.
.Sh ENVIRONMENT
.Bl -tag -width Ds
.It Ev KRB5CCNAME
-Specifies the default cache file.
+Specifies the default credentials cache.
.It Ev KRB5_CONFIG
-The directory where the
+The file name of
.Pa krb5.conf
-can be found, default is
-.Pa /etc .
+, the default being
+.Pa /etc/krb5.conf .
.It Ev KRBTKFILE
Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.El
@@ -216,8 +216,8 @@ Specifies the Kerberos 4 ticket file to store version 4 tickets in.
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
-.Xr krb5.conf 5 ,
-.Xr krb5_appdefault 3
+.Xr krb5_appdefault 3 ,
+.Xr krb5.conf 5
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
diff --git a/kerberosV/src/kuser/kinit.c b/kerberosV/src/kuser/kinit.c
index 8980882779e..5aa3ed2db23 100644
--- a/kerberosV/src/kuser/kinit.c
+++ b/kerberosV/src/kuser/kinit.c
@@ -32,7 +32,104 @@
*/
#include "kuser_locl.h"
-RCSID("$KTH: kinit.c,v 1.75 2001/05/07 21:08:15 assar Exp $");
+RCSID("$KTH: kinit.c,v 1.85 2001/09/02 16:57:32 joda Exp $");
+
+int forwardable_flag = -1;
+int proxiable_flag = -1;
+int renewable_flag = -1;
+int renew_flag = 0;
+int validate_flag = 0;
+int version_flag = 0;
+int help_flag = 0;
+int addrs_flag = 1;
+int anonymous_flag = 0;
+char *lifetime = NULL;
+char *renew_life = NULL;
+char *server = NULL;
+char *cred_cache = NULL;
+char *start_str = NULL;
+struct getarg_strings etype_str;
+int use_keytab = 0;
+char *keytab_str = NULL;
+#ifdef KRB4
+int get_v4_tgt = -1;
+int do_afslog = -1;
+int convert_524;
+#endif
+int fcache_version;
+
+static struct getargs args[] = {
+#ifdef KRB4
+ { "524init", '4', arg_flag, &get_v4_tgt,
+ "obtain version 4 TGT" },
+
+ { "524convert", '9', arg_flag, &convert_524,
+ "only convert ticket to version 4" },
+
+ { "afslog", 0 , arg_flag, &do_afslog,
+ "obtain afs tokens" },
+#endif
+ { "cache", 'c', arg_string, &cred_cache,
+ "credentials cache", "cachename" },
+
+ { "forwardable", 'f', arg_flag, &forwardable_flag,
+ "get forwardable tickets"},
+
+ { "keytab", 't', arg_string, &keytab_str,
+ "keytab to use", "keytabname" },
+
+ { "lifetime", 'l', arg_string, &lifetime,
+ "lifetime of tickets", "time"},
+
+ { "proxiable", 'p', arg_flag, &proxiable_flag,
+ "get proxiable tickets" },
+
+ { "renew", 'R', arg_flag, &renew_flag,
+ "renew TGT" },
+
+ { "renewable", 0, arg_flag, &renewable_flag,
+ "get renewable tickets" },
+
+ { "renewable-life", 'r', arg_string, &renew_life,
+ "renewable lifetime of tickets", "time" },
+
+ { "server", 'S', arg_string, &server,
+ "server to get ticket for", "principal" },
+
+ { "start-time", 's', arg_string, &start_str,
+ "when ticket gets valid", "time" },
+
+ { "use-keytab", 'k', arg_flag, &use_keytab,
+ "get key from keytab" },
+
+ { "validate", 'v', arg_flag, &validate_flag,
+ "validate TGT" },
+
+ { "enctypes", 'e', arg_strings, &etype_str,
+ "encryption types to use", "enctypes" },
+
+ { "fcache-version", 0, arg_integer, &fcache_version,
+ "file cache version to create" },
+
+ { "addresses", 0, arg_negative_flag, &addrs_flag,
+ "request a ticket with no addresses" },
+
+ { "anonymous", 0, arg_flag, &anonymous_flag,
+ "request an anonymous ticket" },
+
+ { "version", 0, arg_flag, &version_flag },
+ { "help", 0, arg_flag, &help_flag }
+};
+
+static void
+usage (int ret)
+{
+ arg_printusage (args,
+ sizeof(args)/sizeof(*args),
+ NULL,
+ "[principal [command]]");
+ exit (ret);
+}
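Review bot: The flag globals in this block are inconsistently initialised: `int convert_524;` and `int fcache_version;` rely on static zero-initialisation while every neighbouring flag is written out explicitly, so a reader cannot tell whether an unset value or 0 is the intended default; `int convert_524 = 0;` makes the intent visible. These variables are also file-scope but not `static`, while `args` and `usage` are; the old `extern int do_afslog;` suggests they were once shared with another file, so if no other translation unit still references them, making them `static` keeps the binary's namespace clean. The `-1` defaults on `get_v4_tgt` and `do_afslog` presumably mean "decide from configuration" and deserve a one-line comment, since `-1` is truthy where the flags are tested.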
#ifdef KRB4
/* for when the KDC tells us it's a v4 one, we try to talk that */
@@ -53,7 +150,7 @@ do_v4_fallback (krb5_context context,
const krb5_principal principal,
int lifetime,
int use_srvtab, const char *srvtab_str,
- char *passwd, size_t passwd_size)
+ const char *passwd)
{
int ret;
krb_principal princ;
@@ -93,13 +190,12 @@ do_v4_fallback (krb5_context context,
KRB_TICKET_GRANTING_TICKET, princ.realm,
lifetime, passwd, &key);
}
- memset (passwd, 0, passwd_size);
memset (key, 0, sizeof(key));
if (ret) {
warnx ("%s", krb_get_err_text(ret));
return 1;
}
- if (k_hasafs()) {
+ if (do_afslog && k_hasafs()) {
if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
if(ret > 0)
warnx ("%s", krb_get_err_text(ret));
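Review bot: Dropping `memset (passwd, 0, passwd_size);` together with the size parameter means do_v4_fallback no longer wipes the plaintext password after handing it to krb_get_in_tkt; with `passwd` now `const char *` it cannot do so, so the caller (outside this hunk) must clear the buffer after its last use, and that should be confirmed rather than assumed. A comment on the new signature, e.g. `/* passwd is not cleared here; the caller owns and wipes it */`, records the contract. The retained `memset (key, 0, sizeof(key));` is a dead store the optimiser may remove since `key` is not used afterwards; where available, `explicit_bzero` or an equivalent is the reliable choice for both buffers. `do_afslog` defaults to -1 at file scope, so `do_afslog && k_hasafs()` is true unless something resolves it earlier — confirm that happens before this call.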
@@ -159,98 +255,59 @@ kinit_get_default_principal (krb5_context context,
#endif /* !KRB4 */
-int forwardable_flag = -1;
-int proxiable_flag = -1;
-int renewable_flag = -1;
-int renew_flag = 0;
-int validate_flag = 0;
-int version_flag = 0;
-int help_flag = 0;
-int addrs_flag = 1;
-int anonymous_flag = 0;
-char *lifetime = NULL;
-char *renew_life = NULL;
-char *server = NULL;
-char *cred_cache = NULL;
-char *start_str = NULL;
-struct getarg_strings etype_str;
-int use_keytab = 0;
-char *keytab_str = NULL;
-#ifdef KRB4
-extern int do_afslog;
-extern int get_v4_tgt;
-#endif
-int fcache_version;
-
-static struct getargs args[] = {
-#ifdef KRB4
- { "524init", '4', arg_flag, &get_v4_tgt,
- "obtain version 4 TGT" },
-
- { "afslog", 0 , arg_flag, &do_afslog,
- "obtain afs tokens" },
-#endif
- { "cache", 'c', arg_string, &cred_cache,
- "credentials cache", "cachename" },
-
- { "forwardable", 'f', arg_flag, &forwardable_flag,
- "get forwardable tickets"},
-
- { "keytab", 't', arg_string, &keytab_str,
- "keytab to use", "keytabname" },
-
- { "lifetime", 'l', arg_string, &lifetime,
- "lifetime of tickets", "time"},
-
- { "proxiable", 'p', arg_flag, &proxiable_flag,
- "get proxiable tickets" },
-
- { "renew", 'R', arg_flag, &renew_flag,
- "renew TGT" },
-
- { "renewable", 0, arg_flag, &renewable_flag,
- "get renewable tickets" },
-
- { "renewable-life", 'r', arg_string, &renew_life,
- "renewable lifetime of tickets", "time" },
-
- { "server", 'S', arg_string, &server,
- "server to get ticket for", "principal" },
-
- { "start-time", 's', arg_string, &start_str,
- "when ticket gets valid", "time" },
-
- { "use-keytab", 'k', arg_flag, &use_keytab,
- "get key from keytab" },
-
- { "validate", 'v', arg_flag, &validate_flag,
- "validate TGT" },
-
- { "enctypes", 'e', arg_strings, &etype_str,
- "encryption types to use", "enctypes" },
+static krb5_error_code
+get_server(krb5_context context,
+ krb5_principal client,
+ const char *server,
+ krb5_principal *princ)
+{
+ krb5_realm *client_realm;
+ if(server)
+ return krb5_parse_name(context, server, princ);
- { "fcache-version", 0, arg_integer, &fcache_version,
- "file cache version to create" },
+ client_realm = krb5_princ_realm (context, client);
+ return krb5_make_principal(context, princ, *client_realm,
+ KRB5_TGS_NAME, *client_realm, NULL);
+}
- { "addresses", 0, arg_negative_flag, &addrs_flag,
- "request a ticket with no addresses" },
+#ifdef KRB4
+static krb5_error_code
+do_524init(krb5_context context, krb5_ccache ccache,
+ krb5_creds *creds, const char *server)
+{
+ krb5_error_code ret;
+ CREDENTIALS c;
+ krb5_creds in_creds, *real_creds;
- { "anonymous", 0, arg_flag, &anonymous_flag,
- "request an anonymous ticket" },
+ if(creds != NULL)
+ real_creds = creds;
+ else {
+ krb5_principal client;
+ krb5_cc_get_principal(context, ccache, &client);
+ memset(&in_creds, 0, sizeof(in_creds));
+ ret = get_server(context, client, server, &in_creds.server);
+ if(ret)
+ return ret;
+ ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds);
+ if(ret)
+ return ret;
+ }
+ ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c);
+ if(ret)
+ krb5_warn(context, ret, "converting creds");
+ else {
+ int tret = tf_setup(&c, c.pname, c.pinst);
+ if(tret)
+ krb5_warnx(context, "saving v4 creds: %s", krb_get_err_text(tret));
+ }
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
-};
+ if(creds == NULL)
+ krb5_free_creds(context, real_creds);
+ memset(&c, 0, sizeof(c));
-static void
-usage (int ret)
-{
- arg_printusage (args,
- sizeof(args)/sizeof(*args),
- NULL,
- "[principal [command]]");
- exit (ret);
+ return ret;
}
+#endif
static int
renew_validate(krb5_context context,
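Review bot: In do_524init the return value of `krb5_cc_get_principal` is ignored, so on failure `client` is uninitialized when `get_server` dereferences it through `krb5_princ_realm`; `client` is also never released, and `in_creds.server` is leaked after the `krb5_get_credentials` call. Check the result and free both principals before returning, as below. `in_creds.client` is left NULL by the memset; presumably the cache lookup matches on the server principal alone, which is worth confirming against krb5_get_credentials.
```c
    else {
	krb5_principal client;
	ret = krb5_cc_get_principal(context, ccache, &client);
	if(ret)
	    return ret;
	memset(&in_creds, 0, sizeof(in_creds));
	ret = get_server(context, client, server, &in_creds.server);
	krb5_free_principal(context, client);
	if(ret)
	    return ret;
	ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds);
	krb5_free_principal(context, in_creds.server);
	if(ret)
	    return ret;
    }
    /* … unchanged: krb524_convert_creds_kdc_ccache, tf_setup and cleanup … */
```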
@@ -271,21 +328,10 @@ renew_validate(krb5_context context,
krb5_warn(context, ret, "krb5_cc_get_principal");
return ret;
}
- if(server) {
- ret = krb5_parse_name(context, server, &in.server);
- if(ret) {
- krb5_warn(context, ret, "krb5_parse_name");
- goto out;
- }
- } else {
- krb5_realm *client_realm = krb5_princ_realm (context, in.client);
-
- ret = krb5_make_principal(context, &in.server, *client_realm,
- KRB5_TGS_NAME, *client_realm, NULL);
- if(ret) {
- krb5_warn(context, ret, "krb5_make_principal");
- goto out;
- }
+ ret = get_server(context, in.client, server, &in.server);
+ if(ret) {
+ krb5_warn(context, ret, "get_server");
+ goto out;
}
flags.i = 0;
flags.b.renewable = flags.b.renew = renew;
@@ -317,6 +363,18 @@ renew_validate(krb5_context context,
goto out;
}
ret = krb5_cc_store_cred(context, cache, out);
+
+#ifdef KRB4
+ if(ret == 0 && server == NULL) {
+ /* only do this if it's a general renew-my-tgt request */
+ if(get_v4_tgt)
+ do_524init(context, cache, out, NULL);
+
+ if(do_afslog && k_hasafs())
+ krb5_afslog(context, cache, NULL, NULL);
+ }
+#endif
+
krb5_free_creds (context, out);
if(ret) {
krb5_warn(context, ret, "krb5_cc_store_cred");
@@ -327,108 +385,20 @@ out:
return ret;
}
-int
-main (int argc, char **argv)
+static krb5_error_code
+get_new_tickets(krb5_context context,
+ krb5_principal principal,
+ krb5_ccache ccache,
+ krb5_deltat ticket_life)
{
krb5_error_code ret;
- krb5_context context;
- krb5_ccache ccache;
- krb5_principal principal;
- krb5_creds cred;
- int optind = 0;
krb5_get_init_creds_opt opt;
- krb5_deltat start_time = 0;
- krb5_deltat ticket_life = 0;
krb5_addresses no_addrs;
+ krb5_creds cred;
char passwd[256];
+ krb5_deltat start_time = 0;
- setprogname (argv[0]);
memset(&cred, 0, sizeof(cred));
-
- ret = krb5_init_context (&context);
- if (ret)
- errx(1, "krb5_init_context failed: %d", ret);
-
- /* XXX no way to figure out if set without explict test */
- if(krb5_config_get_string(context, NULL, "libdefaults",
- "forwardable", NULL))
- forwardable_flag = krb5_config_get_bool (context, NULL,
- "libdefaults",
- "forwardable",
- NULL);
-
-#ifdef KRB4
- get_v4_tgt = krb5_config_get_bool_default (context, NULL,
- get_v4_tgt,
- "libdefaults",
- "krb4_get_tickets",
- NULL);
-#endif
-
- if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
- usage(1);
-
- if (help_flag)
- usage (0);
-
- if(version_flag) {
- print_version(NULL);
- exit(0);
- }
-
- argc -= optind;
- argv += optind;
-
- if (argv[0]) {
- ret = krb5_parse_name (context, argv[0], &principal);
- if (ret)
- krb5_err (context, 1, ret, "krb5_parse_name");
- } else {
- ret = kinit_get_default_principal (context, &principal);
- if (ret)
- krb5_err (context, 1, ret, "krb5_get_default_principal");
- }
-
- if(fcache_version)
- krb5_set_fcache_version(context, fcache_version);
-
- if(cred_cache)
- ret = krb5_cc_resolve(context, cred_cache, &ccache);
- else {
- if(argc > 1) {
- char s[1024];
- ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache);
- if(ret)
- krb5_err(context, 1, ret, "creating cred cache");
- snprintf(s, sizeof(s), "%s:%s",
- krb5_cc_get_type(context, ccache),
- krb5_cc_get_name(context, ccache));
- setenv("KRB5CCNAME", s, 1);
-#ifdef KRB4
- snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT);
- close(mkstemp(s));
- setenv("KRBTKFILE", s, 1);
- if (k_hasafs ())
- k_setpag();
-#endif
- } else
- ret = krb5_cc_default (context, &ccache);
- }
- if (ret)
- krb5_err (context, 1, ret, "resolving credentials cache");
-
- if (lifetime) {
- int tmp = parse_time (lifetime, "s");
- if (tmp < 0)
- errx (1, "unparsable time: %s", lifetime);
-
- ticket_life = tmp;
- }
- if(renew_flag || validate_flag) {
- ret = renew_validate(context, renew_flag, validate_flag,
- ccache, server, ticket_life);
- exit(ret != 0);
- }
krb5_get_init_creds_opt_init (&opt);
@@ -486,17 +456,6 @@ main (int argc, char **argv)
etype_str.num_strings);
}
-#ifdef KRB4
- get_v4_tgt = krb5_config_get_bool_default (context,
- NULL,
- get_v4_tgt,
- "realms",
- krb5_princ_realm(context,
- principal),
- "krb4_get_tickets",
- NULL);
-#endif
-
if(use_keytab || keytab_str) {
krb5_keytab kt;
if(keytab_str)
@@ -542,13 +501,12 @@ main (int argc, char **argv)
int exit_val;
exit_val = do_v4_fallback (context, principal, ticket_life,
- use_keytab, keytab_str,
- passwd, sizeof(passwd));
+ use_keytab, keytab_str, passwd);
+ get_v4_tgt = 0;
+ do_afslog = 0;
memset(passwd, 0, sizeof(passwd));
- if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY) {
- krb5_free_context (context);
+ if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY)
return exit_val;
- }
}
#endif
memset(passwd, 0, sizeof(passwd));
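Review bot: With `do_v4_fallback` no longer clearing its now-`const` copy, the only wipe of the password on the fallback path is the `memset(passwd, 0, sizeof(passwd))` that immediately precedes `return exit_val`, and a compiler may drop a store to a local that is never read again. Use a clearing step the optimiser cannot elide here (for example a loop through a `volatile unsigned char *`), since this is the buffer the user typed the password into. The `memset(tmp, 0, keylen)` directly before `free(tmp)` in the crypto.c hunk further down has the same exposure. The enclosing get_new_tickets starts and ends outside this hunk.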
@@ -557,11 +515,9 @@ main (int argc, char **argv)
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
- memset(passwd, 0, sizeof(passwd));
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
- memset(passwd, 0, sizeof(passwd));
krb5_errx(context, 1, "Password incorrect");
break;
default:
@@ -576,19 +532,115 @@ main (int argc, char **argv)
if (ret)
krb5_err (context, 1, ret, "krb5_cc_store_cred");
+ krb5_free_creds_contents (context, &cred);
+
+ return 0;
+}
+
+int
+main (int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_principal principal;
+ int optind = 0;
+ krb5_deltat ticket_life = 0;
+
+ setprogname (argv[0]);
+
+ ret = krb5_init_context (&context);
+ if (ret)
+ errx(1, "krb5_init_context failed: %d", ret);
+
+ if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
+ usage(1);
+
+ if (help_flag)
+ usage (0);
+
+ if(version_flag) {
+ print_version(NULL);
+ exit(0);
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argv[0]) {
+ ret = krb5_parse_name (context, argv[0], &principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+ } else {
+ ret = kinit_get_default_principal (context, &principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_default_principal");
+ }
+
+ if(fcache_version)
+ krb5_set_fcache_version(context, fcache_version);
+
+ if(cred_cache)
+ ret = krb5_cc_resolve(context, cred_cache, &ccache);
+ else {
+ if(argc > 1) {
+ char s[1024];
+ ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache);
+ if(ret)
+ krb5_err(context, 1, ret, "creating cred cache");
+ snprintf(s, sizeof(s), "%s:%s",
+ krb5_cc_get_type(context, ccache),
+ krb5_cc_get_name(context, ccache));
+ setenv("KRB5CCNAME", s, 1);
#ifdef KRB4
- if(get_v4_tgt) {
- CREDENTIALS c;
- ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
- if(ret)
- krb5_warn(context, ret, "converting creds");
- else
- tf_setup(&c, c.pname, c.pinst);
- memset(&c, 0, sizeof(c));
+ {
+ int fd;
+ snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT);
+ if((fd = mkstemp(s)) >= 0) {
+ close(fd);
+ setenv("KRBTKFILE", s, 1);
+ if (k_hasafs ())
+ k_setpag();
+ }
+ }
+#endif
+ } else
+ ret = krb5_cc_default (context, &ccache);
}
+ if (ret)
+ krb5_err (context, 1, ret, "resolving credentials cache");
+
+ if (lifetime) {
+ int tmp = parse_time (lifetime, "s");
+ if (tmp < 0)
+ errx (1, "unparsable time: %s", lifetime);
+
+ ticket_life = tmp;
+ }
+#ifdef KRB4
+ if(get_v4_tgt == -1)
+ krb5_appdefault_boolean(context, "kinit",
+ krb5_principal_get_realm(context, principal),
+ "krb4_get_tickets", TRUE, &get_v4_tgt);
+#endif
+
+
+ if(renew_flag || validate_flag) {
+ ret = renew_validate(context, renew_flag, validate_flag,
+ ccache, server, ticket_life);
+ exit(ret != 0);
+ }
+
+#ifdef KRB4
+ if(!convert_524)
+#endif
+ get_new_tickets(context, principal, ccache, ticket_life);
+
+#ifdef KRB4
+ if(get_v4_tgt)
+ do_524init(context, ccache, NULL, server);
if(do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
- krb5_free_creds_contents (context, &cred);
#endif
if(argc > 1) {
pid_t pid = fork();
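Review bot: The value returned by `get_new_tickets` is discarded, but on the KRB4 fallback path it carries `exit_val` from `do_v4_fallback`, which the old `main` used as the process exit status; a failed v4 fallback now continues into the fork/`krb5_cc_close` path and exits 0. Keep the status as below, bracing the call because `#ifdef KRB4` wraps the `if(!convert_524)` guard. `convert_524` is not declared in any visible hunk. A failing `mkstemp` is also silent now; a `krb5_warn(context, errno, "mkstemp");` in an else branch would tell the user why KRBTKFILE was not set.
```c
#ifdef KRB4
    if(!convert_524)
#endif
    {
	ret = get_new_tickets(context, principal, ccache, ticket_life);
	if(ret)
	    exit(ret != 0);
    }
    /* … unchanged: do_524init / krb5_afslog and the fork … */
```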
@@ -616,6 +668,7 @@ main (int argc, char **argv)
#endif
} else
krb5_cc_close (context, ccache);
+ krb5_free_principal(context, principal);
krb5_free_context (context);
return 0;
}
diff --git a/kerberosV/src/lib/des/rnd_keys.c b/kerberosV/src/lib/des/rnd_keys.c
index 1a83c3dbf07..e2247a5dbac 100644
--- a/kerberosV/src/lib/des/rnd_keys.c
+++ b/kerberosV/src/lib/des/rnd_keys.c
@@ -34,7 +34,7 @@
#ifdef HAVE_CONFIG_H
#include "config.h"
-RCSID("$KTH: rnd_keys.c,v 1.56 1999/12/02 16:58:39 joda Exp $");
+RCSID("$KTH: rnd_keys.c,v 1.58 2001/08/21 15:32:07 assar Exp $");
#endif
#include <des.h>
@@ -74,10 +74,6 @@ RCSID("$KTH: rnd_keys.c,v 1.56 1999/12/02 16:58:39 joda Exp $");
#include <fcntl.h>
#endif
-#ifdef HAVE_WINSOCK_H
-#include <winsock.h>
-#endif
-
/*
* Generate "random" data by checksumming a file.
*
@@ -194,6 +190,7 @@ sigALRM(int sig)
#endif
#endif
+#ifndef HAVE_SETITIMER
static void
des_not_rand_data(unsigned char *data, int size)
{
@@ -204,6 +201,7 @@ des_not_rand_data(unsigned char *data, int size)
for(i = 0; i < size; ++i)
data[i] ^= random() % 0x100;
}
+#endif
#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__)
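Review bot: The `#endif` added here closes the `#ifndef HAVE_SETITIMER` opened in the previous hunk, across the whole body of des_not_rand_data, with no marker tying the two together. A trailing comment, `#endif /* !HAVE_SETITIMER */`, would make the pairing readable at a glance.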
diff --git a/kerberosV/src/lib/kadm5/ipropd_slave.c b/kerberosV/src/lib/kadm5/ipropd_slave.c
index fe678c0475f..852d976f7f3 100644
--- a/kerberosV/src/lib/kadm5/ipropd_slave.c
+++ b/kerberosV/src/lib/kadm5/ipropd_slave.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "iprop.h"
-RCSID("$KTH: ipropd_slave.c,v 1.21 2000/08/06 02:06:19 assar Exp $");
+RCSID("$KTH: ipropd_slave.c,v 1.24 2001/08/31 03:12:17 assar Exp $");
static krb5_log_facility *log_facility;
@@ -72,10 +72,6 @@ get_creds(krb5_context context, const char *keytab_str,
char *server;
char keytab_buf[256];
- ret = krb5_kt_register(context, &hdb_kt_ops);
- if(ret)
- krb5_err(context, 1, ret, "krb5_kt_register");
-
if (keytab_str == NULL) {
ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
if (ret)
@@ -348,7 +344,8 @@ main(int argc, char **argv)
master = argv[0];
- krb5_openlog (context, "ipropd-master", &log_facility);
+ pidfile (NULL);
+ krb5_openlog (context, "ipropd-slave", &log_facility);
krb5_set_warn_dest(context, log_facility);
ret = krb5_kt_register(context, &hdb_kt_ops);
@@ -430,4 +427,4 @@ main(int argc, char **argv)
}
return 0;
- }
+}
diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c
index 99aef49c00c..65b5757eddf 100644
--- a/kerberosV/src/lib/krb5/crypto.c
+++ b/kerberosV/src/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
*/
#include "krb5_locl.h"
-RCSID("$KTH: crypto.c,v 1.50 2001/05/14 06:14:45 assar Exp $");
+RCSID("$KTH: crypto.c,v 1.53 2001/08/22 20:30:29 assar Exp $");
#undef CRYPTO_DEBUG
#ifdef CRYPTO_DEBUG
@@ -1724,7 +1724,7 @@ ARCFOUR_subencrypt(krb5_context context,
krb5_keyblock kb;
unsigned char t[4];
RC4_KEY rc4_key;
- char *cdata = (char *)data;
+ unsigned char *cdata = data;
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
t[0] = (usage >> 0) & 0xFF;
@@ -1780,7 +1780,7 @@ ARCFOUR_subdecrypt(krb5_context context,
krb5_keyblock kb;
unsigned char t[4];
RC4_KEY rc4_key;
- char *cdata = (char *)data;
+ unsigned char *cdata = data;
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
unsigned char cksum_data[16];
@@ -2654,7 +2654,7 @@ krb5_decrypt_EncryptedData(krb5_context context,
* *
************************************************************/
-#ifdef HAVE_OPENSSL_DES_H
+#ifdef HAVE_OPENSSL
#include <openssl/rand.h>
/* From openssl/crypto/rand/rand_lcl.h */
@@ -2682,7 +2682,7 @@ seed_something(void)
we do not have to deal with it. */
if (RAND_status() != 1) {
krb5_context context;
- char *p;
+ const char *p;
/* Try using egd */
if (!krb5_init_context(&context)) {
@@ -2998,6 +2998,7 @@ krb5_string_to_key_derived(krb5_context context,
struct encryption_type *et = _find_enctype(etype);
krb5_error_code ret;
struct key_data kd;
+ size_t keylen = et->keytype->bits / 8;
u_char *tmp;
if(et == NULL) {
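Review bot: `keylen` is initialised from `et->keytype->bits` in its declaration, before the `if(et == NULL)` check that follows, so an unsupported etype now dereferences NULL instead of returning KRB5_PROG_ETYPE_NOSUPP. Declare it uninitialised, `size_t keylen;`, and assign `keylen = et->keytype->bits / 8;` after the NULL-return block. The body of krb5_string_to_key_derived continues in the next hunk.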
@@ -3006,13 +3007,28 @@ krb5_string_to_key_derived(krb5_context context,
return KRB5_PROG_ETYPE_NOSUPP;
}
ALLOC(kd.key, 1);
+ if(kd.key == NULL) {
+ krb5_set_error_string (context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+ if(ret) {
+ free(kd.key);
+ return ret;
+ }
kd.key->keytype = etype;
- tmp = malloc (et->keytype->bits / 8);
- _krb5_n_fold(str, len, tmp, et->keytype->bits / 8);
- krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+ tmp = malloc (keylen);
+ if(tmp == NULL) {
+ krb5_free_keyblock(context, kd.key);
+ krb5_set_error_string (context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ _krb5_n_fold(str, len, tmp, keylen);
kd.schedule = NULL;
- DES3_postproc (context, tmp, et->keytype->bits / 8, &kd); /* XXX */
- ret = derive_key(context,
+ DES3_postproc (context, tmp, keylen, &kd); /* XXX */
+ memset(tmp, 0, keylen);
+ free(tmp);
+ ret = derive_key(context,
et,
&kd,
"kerberos", /* XXX well known constant */
diff --git a/kerberosV/src/lib/krb5/keytab_any.c b/kerberosV/src/lib/krb5/keytab_any.c
index 07b142e41cd..d3901e3e29e 100644
--- a/kerberosV/src/lib/krb5/keytab_any.c
+++ b/kerberosV/src/lib/krb5/keytab_any.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$KTH: keytab_any.c,v 1.2 2001/05/14 06:14:48 assar Exp $");
+RCSID("$KTH: keytab_any.c,v 1.4 2001/06/24 02:22:33 assar Exp $");
struct any_data {
krb5_keytab kt;
@@ -68,7 +68,7 @@ any_resolve(krb5_context context, const char *name, krb5_keytab id)
}
if (a0 == NULL) {
a0 = a;
- a->name = strdup(name);
+ a->name = strdup(buf);
if (a->name == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
@@ -141,8 +141,7 @@ any_start_seq_get(krb5_context context,
if (ret) {
free (c->data);
c->data = NULL;
- krb5_set_error_string (context, "malloc: out of memory");
- return ENOMEM;
+ return ret;
}
return 0;
}
@@ -165,14 +164,15 @@ any_next_entry (krb5_context context,
ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor);
if (ret2)
return ret2;
- ed->a = ed->a->next;
+ while ((ed->a = ed->a->next) != NULL) {
+ ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
+ if (ret2 == 0)
+ break;
+ }
if (ed->a == NULL) {
krb5_clear_error_string (context);
return KRB5_CC_END;
}
- ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor);
- if (ret2)
- return ret2;
} else
return ret;
} while (ret == KRB5_CC_END);
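Review bot: The new loop silently skips any keytab whose `krb5_kt_start_seq_get` fails and, once the list is exhausted, reports `KRB5_CC_END` rather than the last `ret2`, so an unreadable or misconfigured keytab looks identical to an empty one. If skipping is the intended semantics of the `any` keytab type, say so above the loop, e.g. `/* skip keytabs that cannot be opened and continue with the next one */`; otherwise keep the failing `ret2` and return it when no further keytab opens. The enclosing any_next_entry starts before this hunk.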
diff --git a/kerberosV/src/lib/krb5/krb5.conf.5 b/kerberosV/src/lib/krb5/krb5.conf.5
index 38ed4373ffe..7a3d84f36b9 100644
--- a/kerberosV/src/lib/krb5/krb5.conf.5
+++ b/kerberosV/src/lib/krb5/krb5.conf.5
@@ -1,4 +1,4 @@
-.\" $KTH: krb5.conf.5,v 1.17 2001/05/31 13:58:34 assar Exp $
+.\" $KTH: krb5.conf.5,v 1.22 2001/08/30 18:54:01 joda Exp $
.\"
.Dd April 11, 1999
.Dt KRB5.CONF 5
@@ -70,7 +70,7 @@ When obtaining initial credentials, make the credentials proxiable.
.It Li no-addresses = Va boolean
When obtaining initial credentials, request them for an empty set of
addresses, making the tickets valid from any address.
-.It Li ticket_life = Va time
+.It Li ticket_lifetime = Va time
Default ticket lifetime.
.It Li renew_lifetime = Va time
Default renewable ticket lifetime.
@@ -153,8 +153,6 @@ How to print date strings in logs, this string is passed to
Write log-entries using UTC instead of your local time zone.
.It Li srv_lookup = Va boolean
Use DNS SRV records to lookup realm configuration information.
-.It Li srv_try_txt = Va boolean
-If a SRV lookup fails, try looking up the same info in a DNS TXT record.
.It Li scan_interfaces = Va boolean
Scan all network interfaces for addresses, as opposed to simply using
the address associated with the system's host name.
@@ -162,7 +160,8 @@ the address associated with the system's host name.
Use file credential cache format version specified.
.It Li krb4_get_tickets = Va boolean
Also get Kerberos 4 tickets in
-.Nm kinit
+.Nm kinit ,
+.Nm login ,
and other programs.
This option is also valid in the [realms] section.
.El
@@ -192,6 +191,9 @@ to the database are perfomed.
Points to the server where all the password changes are perfomed.
If there is no such entry, the kpasswd port on the admin_server host
will be tried.
+.It Li krb524_server = Va Host[:port]
+Points to the server that does 524 conversions. If it is not
+mentioned, the krb524 port on the kdcs will be tried.
.It Li v4_instance_convert
.It Li v4_name_convert
.It Li default_domain
@@ -340,10 +342,10 @@ that reads
.Nm
and tries to emit useful diagnostics from parsing errors. Note that
this program does not have any way of knowing what options are
-actually used and thus cannot warn about unknown or misspelt ones.
+actually used and thus cannot warn about unknown or misspelled ones.
.Sh SEE ALSO
-.Xr verify_krb5_conf 8 ,
-.Xr krb5_openlog 3 ,
+.Xr kinit 1 ,
.Xr krb5_425_conv_principal 3 ,
+.Xr krb5_openlog 3 ,
.Xr strftime 3 ,
-.Xr kinit 1
+.Xr verify_krb5_conf 8
diff --git a/kerberosV/src/lib/krb5/krb5.h b/kerberosV/src/lib/krb5/krb5.h
index 84d7130ab19..3150d9a382b 100644
--- a/kerberosV/src/lib/krb5/krb5.h
+++ b/kerberosV/src/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $KTH: krb5.h,v 1.190 2001/05/16 22:23:56 assar Exp $ */
+/* $KTH: krb5.h,v 1.196 2001/07/02 22:24:46 joda Exp $ */
#ifndef __KRB5_H__
#define __KRB5_H__
@@ -42,6 +42,7 @@
#include <kerberosV/asn1_err.h>
#include <kerberosV/krb5_err.h>
#include <kerberosV/heim_err.h>
+#include <kerberosV/k524_err.h>
#include <kerberosV/krb5_asn1.h>
@@ -291,8 +292,8 @@ typedef union {
#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0)
-#define KRB5_GC_CACHED 1
-#define KRB5_GC_USER_USER 2
+#define KRB5_GC_CACHED (1U << 0)
+#define KRB5_GC_USER_USER (1U << 1)
/* constants for compare_creds (and cc_retrieve_cred) */
#define KRB5_TC_DONT_MATCH_REALM (1U << 31)
@@ -377,7 +378,6 @@ typedef struct krb5_context_data {
krb5_boolean scan_interfaces; /* `ifconfig -a' */
krb5_boolean srv_lookup; /* do SRV lookups */
krb5_boolean srv_try_txt; /* try TXT records also */
- krb5_boolean srv_try_rfc2052; /* try RFC2052 compatible records */
int32_t fcache_vno; /* create cache files w/ this
version */
int num_kt_types; /* # of registered keytab types */
@@ -385,6 +385,7 @@ typedef struct krb5_context_data {
const char *date_fmt;
char *error_string;
char error_buf[256];
+ krb5_addresses *ignore_addresses;
} krb5_context_data;
typedef struct krb5_ticket {
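Review bot: Every other member of `krb5_context_data` in this hunk carries a trailing comment, but the new `ignore_addresses` pointer has none, and nothing in the diff says what it holds or who frees it. Suggest `krb5_addresses *ignore_addresses; /* <what is excluded and who frees it> */` with the placeholder filled in. Since this struct lives in the public header, adding a member (together with the `srv_try_rfc2052` removal in the hunk above) changes its layout for anything compiled against the previous header.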
@@ -619,7 +620,8 @@ typedef struct krb5_verify_opt {
const char *service;
} krb5_verify_opt;
-#define KRB5_VERIFY_LREALMS 1
+#define KRB5_VERIFY_LREALMS 1
+#define KRB5_VERIFY_NO_ADDRESSES 2
extern const krb5_cc_ops krb5_fcc_ops;
extern const krb5_cc_ops krb5_mcc_ops;
@@ -639,6 +641,27 @@ extern const krb5_kt_ops krb5_any_ops;
#define KPASSWD_PORT 464
+/* types for the new krbhst interface */
+struct krb5_krbhst_data;
+typedef struct krb5_krbhst_data *krb5_krbhst_handle;
+
+#define KRB5_KRBHST_KDC 1
+#define KRB5_KRBHST_ADMIN 2
+#define KRB5_KRBHST_CHANGEPW 3
+#define KRB5_KRBHST_KRB524 4
+
+typedef struct krb5_krbhst_info {
+ enum { KRB5_KRBHST_UDP,
+ KRB5_KRBHST_TCP,
+ KRB5_KRBHST_HTTP } proto;
+ unsigned short port;
+ unsigned short def_port;
+ struct addrinfo *ai;
+ struct krb5_krbhst_info *next;
+ char hostname[1]; /* has to come last */
+} krb5_krbhst_info;
+
+
struct credentials; /* this is to keep the compiler happy */
struct getargs;
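Review bot: `char hostname[1]; /* has to come last */` is the pre-C99 struct hack, which relies on writing past the declared array; if C99 is acceptable to the tree, `char hostname[]; /* flexible array member: must be last, sized at allocation */` is the defined form. The `KRB5_KRBHST_KDC`..`KRB5_KRBHST_KRB524` defines and the anonymous `proto` enum also arrive without a word on what they select; a one-line comment on each group naming the interface that consumes them would help. `struct addrinfo` is used here but no `<netdb.h>` include is visible in this hunk, so callers presumably rely on an earlier include.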
diff --git a/kerberosV/src/lib/krb5/krb5_context.3 b/kerberosV/src/lib/krb5/krb5_context.3
index 14979a05df5..698ec01fa4a 100644
--- a/kerberosV/src/lib/krb5/krb5_context.3
+++ b/kerberosV/src/lib/krb5/krb5_context.3
@@ -1,5 +1,5 @@
.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" $KTH: krb5_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $
+.\" $KTH: krb5_context.3,v 1.2 2001/06/24 00:52:53 assar Exp $
.Dd Jan 21, 2001
.Dt KRB5_CONTEXT 3
.Os HEIMDAL
diff --git a/kerberosV/src/lib/krb5/krb5_init_context.3 b/kerberosV/src/lib/krb5/krb5_init_context.3
index 56ef56f87f8..e522a63f49a 100644
--- a/kerberosV/src/lib/krb5/krb5_init_context.3
+++ b/kerberosV/src/lib/krb5/krb5_init_context.3
@@ -1,5 +1,5 @@
.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" $KTH: krb5_init_context.3,v 1.2 2001/05/23 16:24:02 assar Exp $
+.\" $KTH: krb5_init_context.3,v 1.4 2001/07/12 08:42:28 assar Exp $
.Dd Jan 21, 2001
.Dt KRB5_CONTEXT 3
.Os HEIMDAL
@@ -34,6 +34,6 @@ Failure means either that something bad happened during initialization
or that Kerberos should not be used
.Bq ENXIO .
.Sh SEE ALSO
-.Xr krb5_context 3 ,
.Xr errno 2 ,
+.Xr krb5_context 3 ,
.Xr kerberos 8
diff --git a/kerberosV/src/lib/krb5/krb5_keytab.3 b/kerberosV/src/lib/krb5/krb5_keytab.3
index fde3036c2bf..65ba9194d6f 100644
--- a/kerberosV/src/lib/krb5/krb5_keytab.3
+++ b/kerberosV/src/lib/krb5/krb5_keytab.3
@@ -1,5 +1,5 @@
.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" $KTH: krb5_keytab.3,v 1.1 2001/02/05 18:17:46 assar Exp $
+.\" $KTH: krb5_keytab.3,v 1.2 2001/07/12 08:42:28 assar Exp $
.Dd Feb 5, 2001
.Dt KRB5_KEYTAB 3
.Os HEIMDAL
@@ -354,5 +354,5 @@ main (int argc, char **argv)
}
.Ed
.Sh SEE ALSO
-.Xr kerberos 8 ,
-.Xr krb5.conf 5
+.Xr krb5.conf 5 ,
+.Xr kerberos 8
diff --git a/kerberosV/src/lib/krb5/krb5_locl.h b/kerberosV/src/lib/krb5/krb5_locl.h
index 1220082158c..300a65051a7 100644
--- a/kerberosV/src/lib/krb5/krb5_locl.h
+++ b/kerberosV/src/lib/krb5/krb5_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $KTH: krb5_locl.h,v 1.66 2001/05/10 15:31:34 assar Exp $ */
+/* $KTH: krb5_locl.h,v 1.67 2001/08/22 20:30:30 assar Exp $ */
#ifndef __KRB5_LOCL_H__
#define __KRB5_LOCL_H__
@@ -109,29 +109,17 @@ struct sockaddr_dl;
#include <parse_time.h>
#include <base64.h>
-#ifdef HAVE_OPENSSL_DES_H
+#ifdef HAVE_OPENSSL
#include <openssl/des.h>
-#else
-#include <des.h>
-#endif
-#ifdef HAVE_OPENSSL_MD4_H
#include <openssl/md4.h>
-#else
-#include <md4.h>
-#endif
-#ifdef HAVE_OPENSSL_MD5_H
#include <openssl/md5.h>
-#else
-#include <md5.h>
-#endif
-#ifdef HAVE_OPENSSL_SHA_H
#include <openssl/sha.h>
-#else
-#include <sha.h>
-#endif
-#ifdef HAVE_OPENSSL_RC4_H
#include <openssl/rc4.h>
#else
+#include <des.h>
+#include <md4.h>
+#include <md5.h>
+#include <sha.h>
#include <rc4.h>
#endif
diff --git a/kerberosV/src/lib/krb5/krb5_verify_user.3 b/kerberosV/src/lib/krb5/krb5_verify_user.3
index 5da911391f0..3996da40044 100644
--- a/kerberosV/src/lib/krb5/krb5_verify_user.3
+++ b/kerberosV/src/lib/krb5/krb5_verify_user.3
@@ -1,6 +1,6 @@
.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" $Id: krb5_verify_user.3,v 1.1 2001/06/24 19:05:37 hin Exp $
-.Dd Jun 24, 2001
+.\" $KTH: krb5_verify_user.3,v 1.1 2001/06/27 17:08:04 assar Exp $
+.Dd June 27, 2001
.Dt KRB5_VERIFY_USER 3
.Os HEIMDAL
.Sh NAME
@@ -16,51 +16,37 @@
.Sh DESCRIPTION
The
.Nm krb5_verify_user
-function verify user
-.Fa principal
-with
-.Fa password .
-If the flag
-.Fa secure
-is given the password is verified against
-.Fa service .
-As a side effect, fresh tickets are obtained and stored in
-.Fa ccache .
-If
-.Fa password
-is
-NULL, a password is asked. If
+function verifies the password supplied by a user.
+The principal whose
+password will be verified is specified in
+.Fa principal .
+New tickets will be obtained as a side-effect and stored in
.Fa ccache
-is NULL, the default credential-cache is used.
-.Pp
-The
-.Fa service
-is the service part service principal.
-.Nm krb5_verify_user
-take the
-.Fa service
-and appends the host's name and uses that a the service principal. If
+(if NULL, the default ccache is used).
+If the password is not supplied in
+.Fa password
+(and is given as
+.Dv NULL )
+the user will be prompted for it.
+If
+.Fa secure
+the ticket will be verified against the locally stored service key
.Fa service
-is NULL, the service
+(by default
.Ql host
-is used.
+if given as
+.Dv NULL
+).
.Pp
+The
.Nm krb5_verify_user_lrealm
-works the same way as
-.Nm krb5_verify_user,
-with the exception that the realm of
+function does the same, except that it ignores the realm in
.Fa principal
-is ignored and all local realms in
-.Xr krb5.conf 5
-are tried.
-.Sh BUGS
-Not setting
-.Fa secure
-should be considered a bug since the answer from the KDC isn't
-verified. The answer could be faked answer from malicious computer.
+and tries all the local realms (see
+.Xr krb5.conf 5).
.Sh EXAMPLE
-Here is a example program that verify a password. If uses the
-.Q1 host/`hostname`
+Here is a example program that verifies a password. it uses the
+.Ql host/`hostname`
service principal in
.Pa krb5.keytab .
.Bd -literal
@@ -72,27 +58,28 @@ main(int argc, char **argv)
char *user;
krb5_error_code error;
krb5_principal princ;
- krb5_context c;
+ krb5_context context;
if (argc != 2)
errx(1, "usage: verify_passwd <principal-name>");
user = argv[1];
- if (krb5_init_context(&c) < 0)
+ if (krb5_init_context(&context) < 0)
errx(1, "krb5_init_context");
- if ((error = krb5_parse_name(c, user, &princ)) != 0)
- krb5_err(c, 1, error, "krb5_parse_name");
+ if ((error = krb5_parse_name(context, user, &princ)) != 0)
+ krb5_err(context, 1, error, "krb5_parse_name");
- error = krb5_verify_user(c, princ, NULL, NULL, TRUE, NULL);
+ error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL);
if (error)
- krb5_err(c, 1, error, "krb5_verify_user");
+ krb5_err(context, 1, error, "krb5_verify_user");
return 0;
}
.Ed
.Sh SEE ALSO
+.Xr krb5_kt_default 3 ,
.Xr krb5_init_context 3 ,
.Xr krb5_err 3 ,
.Xr krb5.conf 5