svn rev #24316: trunk/src/ clients/kinit/ tests/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Sep 15 13:13:41 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24316
Commit By: hartmans
Log Message:
ticket: 6779
subject: kinit: add KDB keytab support
This implements
http://k5wiki.kerberos.org/Projects/What_does_God_need_with_a_password.
If the KDB keytab is selected by command line options, then kinit will
register the KDB keytab and open the database. This permits an
administrator to obtain tickets as a user without knowing that user's
password.
As a result kinit links against libkadm5srv and libkdb5. Discussion is
ongoing about whether this is desirable or about whether two versions
of kinit are required.
Changed Files:
U trunk/src/clients/kinit/Makefile.in
A trunk/src/clients/kinit/extern.h
U trunk/src/clients/kinit/kinit.M
U trunk/src/clients/kinit/kinit.c
A trunk/src/clients/kinit/kinit_kdb.c
U trunk/src/tests/t_general.py
Modified: trunk/src/clients/kinit/Makefile.in
===================================================================
--- trunk/src/clients/kinit/Makefile.in 2010-09-15 17:13:34 UTC (rev 24315)
+++ trunk/src/clients/kinit/Makefile.in 2010-09-15 17:13:41 UTC (rev 24316)
@@ -5,7 +5,7 @@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
-SRCS=kinit.c
+SRCS=kinit.c kinit_kdb.c
##WIN32##LOCALINCLUDES=-I$(BUILDTOP)\util\windows
##WIN32##DEFINES=-DGETOPT_LONG
@@ -23,8 +23,8 @@
all-unix:: kinit
##WIN32##all-windows:: $(KINIT)
-kinit: kinit.o $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ kinit.o $(KRB5_BASE_LIBS)
+kinit: kinit.o kinit_kdb.o $(KRB5_BASE_DEPLIBS) $(KADMSRV_DEPLIBS)
+ $(CC_LINK) -o $@ kinit.o kinit_kdb.o $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES)
##WIN32## link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib
Added: trunk/src/clients/kinit/extern.h
===================================================================
--- trunk/src/clients/kinit/extern.h (rev 0)
+++ trunk/src/clients/kinit/extern.h 2010-09-15 17:13:41 UTC (rev 24316)
@@ -0,0 +1,7 @@
+#ifndef _KINIT_EXTERN_H
+#define _KINIT_EXTERN_H
+krb5_error_code
+kinit_kdb_init (krb5_context *pcontext,
+ char *realm);
+
+#endif
Modified: trunk/src/clients/kinit/kinit.M
===================================================================
--- trunk/src/clients/kinit/kinit.M 2010-09-15 17:13:34 UTC (rev 24315)
+++ trunk/src/clients/kinit/kinit.M 2010-09-15 17:13:41 UTC (rev 24316)
@@ -131,13 +131,17 @@
renewable life.
.TP
\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-requests a host ticket, obtained from a key in the local host's
+requests a ticket, obtained from a key in the local host's
.I keytab
file. The name and location of the keytab file may be specified with
the
.B \-t
.I keytab_file
-option; otherwise the default name and location will be used.
+option; otherwise the default name and location will be used. By default a host ticket is requested but any principal may be specified. On a KDC, the special keytab location
+.B KDB:
+can be used to indicate that kinit should open the KDC database and
+look up the key directly. This permits an administrator to obtain
+tickets as any principal that supports password-based authentication.
.TP
\fB-n\fP
Requests anonymous processing. Two types of anonymous principals are
Modified: trunk/src/clients/kinit/kinit.c
===================================================================
--- trunk/src/clients/kinit/kinit.c 2010-09-15 17:13:34 UTC (rev 24315)
+++ trunk/src/clients/kinit/kinit.c 2010-09-15 17:13:41 UTC (rev 24316)
@@ -31,6 +31,7 @@
#include "autoconf.h"
#include "k5-platform.h" /* for asprintf */
#include <krb5.h>
+#include "extern.h"
#include <string.h>
#include <stdio.h>
#include <time.h>
@@ -447,7 +448,7 @@
com_err(progname, code, "while initializing Kerberos 5 library");
return 0;
}
- errctx = k5->ctx;
+errctx = k5->ctx;
if (opts->k5_cache_name)
{
code = krb5_cc_resolve(k5->ctx, opts->k5_cache_name, &k5->cc);
@@ -649,6 +650,16 @@
if ((opts->action == INIT_KT) && opts->keytab_name)
{
+ if (strncmp(opts->keytab_name, "KDB:", 3) == 0) {
+ code = kinit_kdb_init(&k5->ctx,
+ krb5_princ_realm(k5->ctx, k5->me)->data);
+ if (code != 0) {
+ com_err(progname, code, "while setting up KDB keytab for realm %s",
+ krb5_princ_realm(k5->ctx, k5->me)->data);
+ goto cleanup;
+ }
+ }
+
code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
if (code != 0) {
com_err(progname, code, "resolving keytab %s",
Copied: trunk/src/clients/kinit/kinit_kdb.c (from rev 24315, trunk/src/lib/krb5/krb/etype_list.c)
===================================================================
--- trunk/src/clients/kinit/kinit_kdb.c (rev 0)
+++ trunk/src/clients/kinit/kinit_kdb.c 2010-09-15 17:13:41 UTC (rev 24316)
@@ -0,0 +1,70 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * clients/kinit/kinit_kdb.c
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ */
+/**
+ * @file kinit_kdb.c
+ * Operations to open the KDB and make the KDB key table available
+ * for kinit.
+ */
+
+
+#include <k5-int.h>
+#include <kadm5/admin.h>
+#include <kdb_kt.h>
+#include "extern.h"
+
+/**Server handle*/
+static void * server_handle;
+
+/**
+ *@internal Initialize KDB for given realm
+ * @param context pointer to context that will be re-initialized
+ * @@param realm name of realm to initialize
+ */
+krb5_error_code
+kinit_kdb_init (krb5_context *pcontext, char *realm)
+{
+ kadm5_config_params config;
+ krb5_error_code retval = 0;
+ if (*pcontext)
+ krb5_free_context(*pcontext);
+ memset(&config, 0, sizeof config);
+ retval = kadm5_init_krb5_context(pcontext);
+ if (retval)
+ return retval;
+ config.mask = KADM5_CONFIG_REALM;
+ config.realm = realm;
+ retval = kadm5_init(*pcontext, "kinit", NULL /*pass*/,
+ "kinit", &config,
+ KADM5_STRUCT_VERSION, KADM5_API_VERSION_3, NULL,
+ &server_handle);
+ if (retval)
+ return retval;
+ retval = krb5_kt_register(*pcontext, &krb5_kt_kdb_ops);
+ return retval;
+}
Modified: trunk/src/tests/t_general.py
===================================================================
--- trunk/src/tests/t_general.py 2010-09-15 17:13:34 UTC (rev 24315)
+++ trunk/src/tests/t_general.py 2010-09-15 17:13:41 UTC (rev 24316)
@@ -28,6 +28,11 @@
realm.kinit('user/fast', fastpw, flags=['-T', realm.ccache])
realm.klist('user/fast@%s' % realm.realm)
+ # Test kinit against kdb keytab
+ realm.run_as_master([kinit, "-k", "-t",
+ "KDB:", realm.user_princ])
+
+
# Test kdestroy and klist of a non-existent ccache.
realm.run_as_client([kdestroy])
output = realm.run_as_client([klist], expected_code=1)
More information about the cvs-krb5
mailing list