krb5 commit [krb5-1.13]: kadm5_randkey_principal interop with Solaris KDC
Tom Yu
tlyu at mit.edu
Thu Aug 21 18:11:04 EDT 2014
https://github.com/krb5/krb5/commit/bfd301a2d167c36ee4d5b53d06ae65ba814fa2d8
commit bfd301a2d167c36ee4d5b53d06ae65ba814fa2d8
Author: Tomas Kuthan <tkuthan at gmail.com>
Date: Wed May 28 15:24:20 2014 +0200
kadm5_randkey_principal interop with Solaris KDC
When kadm5_randkey_principal is called on Solaris kadmind (as opposed
to kadm5_randkey_principal_3), the KDC assumes the peer is a Solaris 9
system, and only creates DES keys.
For better interoperability, always call kadm5_randkey_principal_3
first. If this procedure is not present on the remote server, fall
back to calling kadm5_randkey_principal if possible.
[ghudson at mit.edu: adjusted comments, argument wrapping, commit
message]
(cherry picked from commit e86e3baaa684a7e891ffe852d74095c1a8b630ba)
ticket: 7997
version_fixed: 1.13
status: resolved
src/kadmin/cli/kadmin.c | 33 ++++++++++++++++++++++-----------
src/kadmin/cli/kadmin.h | 7 +++++++
src/kadmin/cli/keytab.c | 7 ++-----
3 files changed, 31 insertions(+), 16 deletions(-)
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 1ce30ee..a81036c 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -220,16 +220,25 @@ create_princ(kadm5_principal_ent_rec *princ, long mask, int n_ks,
return kadm5_create_principal(handle, princ, mask, pass);
}
-/* Randomize a principal's password using the oldest appropriate kadm5 API. */
-static krb5_error_code
-randkey_princ(krb5_principal princ, krb5_boolean keepold, int n_ks,
- krb5_key_salt_tuple *ks)
+/* Randomize a principal's password using the appropriate kadm5 API. */
+krb5_error_code
+randkey_princ(void *lhandle, krb5_principal princ, krb5_boolean keepold,
+ int n_ks, krb5_key_salt_tuple *ks, krb5_keyblock **key,
+ int *n_keys)
{
- if (keepold || ks) {
- return kadm5_randkey_principal_3(handle, princ, keepold, n_ks, ks,
- NULL, NULL);
- } else
- return kadm5_randkey_principal(handle, princ, NULL, NULL);
+ krb5_error_code ret;
+
+ /* Try the newer API first, because the Solaris kadmind only creates DES
+ * keys when the old API is used. */
+ ret = kadm5_randkey_principal_3(lhandle, princ, keepold, n_ks, ks, key,
+ n_keys);
+
+ /* Fall back to the old version if we get an error and aren't using any new
+ * parameters. */
+ if (ret == KADM5_RPC_ERROR && !keepold && ks == NULL)
+ ret = kadm5_randkey_principal(lhandle, princ, key, n_keys);
+
+ return ret;
}
static krb5_boolean
@@ -830,7 +839,8 @@ kadmin_cpw(int argc, char *argv[])
}
printf(_("Password for \"%s\" changed.\n"), canon);
} else if (randkey) {
- retval = randkey_princ(princ, keepold, n_ks_tuple, ks_tuple);
+ retval = randkey_princ(handle, princ, keepold, n_ks_tuple, ks_tuple,
+ NULL, NULL);
if (retval) {
com_err("change_password", retval,
_("while randomizing key for \"%s\"."), canon);
@@ -1273,7 +1283,8 @@ kadmin_addprinc(int argc, char *argv[])
}
if (old_style_randkey) {
/* Randomize the password and re-enable tickets. */
- retval = randkey_princ(princ.principal, FALSE, n_ks_tuple, ks_tuple);
+ retval = randkey_princ(handle, princ.principal, FALSE, n_ks_tuple,
+ ks_tuple, NULL, NULL);
if (retval) {
com_err("add_principal", retval,
_("while randomizing key for \"%s\"."), canon);
diff --git a/src/kadmin/cli/kadmin.h b/src/kadmin/cli/kadmin.h
index 7afa0c9..9cff390 100644
--- a/src/kadmin/cli/kadmin.h
+++ b/src/kadmin/cli/kadmin.h
@@ -57,6 +57,13 @@ extern void kadmin_getstrings(int argc, char *argv[]);
extern void kadmin_setstring(int argc, char *argv[]);
extern void kadmin_delstring(int argc, char *argv[]);
+#include <kdb.h>
+
+krb5_error_code
+randkey_princ(void *lhandle, krb5_principal princ, krb5_boolean keepold,
+ int n_ks, krb5_key_salt_tuple *ks, krb5_keyblock **key,
+ int *n_keys);
+
#include "autoconf.h"
#ifdef TIME_WITH_SYS_TIME
diff --git a/src/kadmin/cli/keytab.c b/src/kadmin/cli/keytab.c
index 6c0c92c..e260fbe 100644
--- a/src/kadmin/cli/keytab.c
+++ b/src/kadmin/cli/keytab.c
@@ -284,11 +284,8 @@ add_principal(void *lhandle, char *keytab_str, krb5_keytab keytab,
code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
else
#endif
- if (keepold || ks_tuple != NULL) {
- code = kadm5_randkey_principal_3(lhandle, princ, keepold,
- n_ks_tuple, ks_tuple, &keys, &nkeys);
- } else
- code = kadm5_randkey_principal(lhandle, princ, &keys, &nkeys);
+ code = randkey_princ(lhandle, princ, keepold, n_ks_tuple, ks_tuple,
+ &keys, &nkeys);
if (code != 0) {
if (code == KADM5_UNK_PRINC) {
fprintf(stderr, _("%s: Principal %s does not exist.\n"),
More information about the cvs-krb5
mailing list