krb5 commit: Remove orphaned KfM password server support
Greg Hudson
ghudson at mit.edu
Thu Feb 11 15:31:00 EST 2021
https://github.com/krb5/krb5/commit/9241e2e2ee83b11f5f585676b1f2283670dd0178
commit 9241e2e2ee83b11f5f585676b1f2283670dd0178
Author: Robbie Harwood <rharwood at redhat.com>
Date: Fri Nov 27 14:23:54 2020 -0500
Remove orphaned KfM password server support
src/kadmin/server/ovsec_kadmd.c | 8 --
src/lib/kadm5/srv/libkadm5srv_mit.exports | 1 -
src/lib/kadm5/srv/svr_principal.c | 136 -----------------------------
3 files changed, 0 insertions(+), 145 deletions(-)
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index 73d9bac..2a386a7 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -76,10 +76,6 @@ char *kprop_port = NULL;
static krb5_context context;
static char *progname;
-#ifdef USE_PASSWORD_SERVER
-void kadm5_set_use_password_server(void);
-#endif
-
static void
usage()
{
@@ -396,10 +392,6 @@ main(int argc, char *argv[])
params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
} else if (strcmp(*argv, "-nofork") == 0) {
nofork = 1;
-#ifdef USE_PASSWORD_SERVER
- } else if (strcmp(*argv, "-passwordserver") == 0) {
- kadm5_set_use_password_server();
-#endif
#ifndef DISABLE_IPROP
} else if (strcmp(*argv, "-proponly") == 0) {
proponly = 1;
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index e3c04e6..6804f1e 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -1,7 +1,6 @@
_kadm5_check_handle
_kadm5_chpass_principal_util
hist_princ
-kadm5_set_use_password_server
kadm5_chpass_principal
kadm5_chpass_principal_3
kadm5_chpass_principal_util
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 315c541..8c3ad3a 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -9,10 +9,6 @@
#include <kadm5/admin.h>
#include <kdb.h>
#include "server_internal.h"
-#ifdef USE_PASSWORD_SERVER
-#include <sys/wait.h>
-#include <signal.h>
-#endif
#include <krb5/kadm5_hook_plugin.h>
@@ -1221,109 +1217,6 @@ static kadm5_ret_t add_to_history(krb5_context context,
return(0);
}
-/* FIXME: don't use global variable for this */
-krb5_boolean use_password_server = 0;
-
-#ifdef USE_PASSWORD_SERVER
-static krb5_boolean
-kadm5_use_password_server (void)
-{
- return use_password_server;
-}
-#endif
-
-void kadm5_set_use_password_server (void);
-
-void
-kadm5_set_use_password_server (void)
-{
- use_password_server = 1;
-}
-
-#ifdef USE_PASSWORD_SERVER
-
-/*
- * kadm5_launch_task () runs a program (task_path) to synchronize the
- * Apple password server with the Kerberos database. Password server
- * programs can receive arguments on the command line (task_argv)
- * and a block of data via stdin (data_buffer).
- *
- * Because a failure to communicate with the tool results in the
- * password server falling out of sync with the database,
- * kadm5_launch_task() always fails if it can't talk to the tool.
- */
-
-static kadm5_ret_t
-kadm5_launch_task (krb5_context context,
- const char *task_path, char * const task_argv[],
- const char *buffer)
-{
- kadm5_ret_t ret;
- int data_pipe[2];
-
- ret = pipe (data_pipe);
- if (ret)
- ret = errno;
-
- if (!ret) {
- pid_t pid = fork ();
- if (pid == -1) {
- ret = errno;
- close (data_pipe[0]);
- close (data_pipe[1]);
- } else if (pid == 0) {
- /* The child: */
-
- if (dup2 (data_pipe[0], STDIN_FILENO) == -1)
- _exit (1);
-
- close (data_pipe[0]);
- close (data_pipe[1]);
-
- execv (task_path, task_argv);
-
- _exit (1); /* Fail if execv fails */
- } else {
- /* The parent: */
- int status;
-
- ret = 0;
-
- close (data_pipe[0]);
-
- /* Write out the buffer to the child, add \n */
- if (buffer) {
- if (krb5_net_write (context, data_pipe[1], buffer, strlen (buffer)) < 0
- || krb5_net_write (context, data_pipe[1], "\n", 1) < 0)
- {
- /* kill the child to make sure waitpid() won't hang later */
- ret = errno;
- kill (pid, SIGKILL);
- }
- }
- close (data_pipe[1]);
-
- waitpid (pid, &status, 0);
-
- if (!ret) {
- if (WIFEXITED (status)) {
- /* child read password and exited. Check the return value. */
- if ((WEXITSTATUS (status) != 0) && (WEXITSTATUS (status) != 252)) {
- ret = KRB5KDC_ERR_POLICY; /* password change rejected */
- }
- } else {
- /* child read password but crashed or was killed */
- ret = KRB5KRB_ERR_GENERIC; /* FIXME: better error */
- }
- }
- }
- }
-
- return ret;
-}
-
-#endif
-
kadm5_ret_t
kadm5_chpass_principal(void *server_handle,
krb5_principal principal, char *password)
@@ -1453,35 +1346,6 @@ kadm5_chpass_principal_3(void *server_handle,
kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
}
-#ifdef USE_PASSWORD_SERVER
- if (kadm5_use_password_server () &&
- (krb5_princ_size (handle->context, principal) == 1)) {
- krb5_data *princ = krb5_princ_component (handle->context, principal, 0);
- const char *path = "/usr/sbin/mkpassdb";
- char *argv[] = { "mkpassdb", "-setpassword", NULL, NULL };
- char *pstring = NULL;
-
- if (!ret) {
- pstring = malloc ((princ->length + 1) * sizeof (char));
- if (pstring == NULL) { ret = ENOMEM; }
- }
-
- if (!ret) {
- memcpy (pstring, princ->data, princ->length);
- pstring [princ->length] = '\0';
- argv[2] = pstring;
-
- ret = kadm5_launch_task (handle->context, path, argv, password);
- }
-
- if (pstring != NULL)
- free (pstring);
-
- if (ret)
- goto done;
- }
-#endif
-
ret = krb5_dbe_update_last_pwd_change(handle->context, kdb, now);
if (ret)
goto done;