kadmin: Unbalanced quotes in command line

Ken Raeburn raeburn at MIT.EDU
Tue Jul 8 17:56:38 EDT 2008 

On Jul 8, 2008, at 10:53, Klaus Jensen wrote:
> I'm working on using a script to change the password for a given  
> principal.
> The resulting command line is something like this:
>
> kadmin -k -t keytapfile -p host/host.foobar -q "cpw -pw  
> <somepassword> princ at REALM"
>
> When <somepassword> contains a quote character (i.e. password is:  
> foobar"omg)
> I get the following error:
>
> kadmin: Unbalanced quotes in command line
>
> Note that the quote is escaped:
> kadmin -k -t keytapfile -p host/host.foobar -q "cpw -pw foobar\"omg  
> princ at REALM"
>
>
>
> I tried using kadmin without '-q' and got the same error message  
> when using
> the command directly:
>
> # kadmin -k -t keytapfile -p host/host.foobar
> kadmin:  cpw -pw foobar"omg princ at REALM
> kadmin: Unbalanced quotes in command line
>
> Samething when escaped:
>
> kadmin:  cpw -pw foobar\"omg princ at REALM
> kadmin: Unbalanced quotes in command line

Yeah, the quote handling in that code is kind of strange.  As best I  
recall, the code was vaguely modeled on a CLI that treated "" within a  
quoted string as inserting just " into that string, and unfortunately  
not on UNIX sh or csh behavior.  So:

% ../../Inst/sbin/kadmin.local -q 'ank "foo""bar"'
Authenticating as principal raeburn/admin at ATHENA.MIT.EDU with password.
WARNING: no policy specified for foo"bar at ATHENA.MIT.EDU; defaulting to  
no policy
Enter password for principal "foo"bar at ATHENA.MIT.EDU":

Or this one, which looks even stranger:

% kadmin.local -q 'ank foo""""bar'
Authenticating as principal raeburn/admin at ATHENA.MIT.EDU with password.
WARNING: no policy specified for foo"bar at ATHENA.MIT.EDU; defaulting to  
no policy
Enter password for principal "foo"bar at ATHENA.MIT.EDU":

(That's read as "foo" and then a quoted string containing one quote  
and then "bar", all pasted together as one argument.)

Getting that through the shell's parser if you use double-quoted  
strings on the shell command line will be even uglier.

I wouldn't write any scripts or anything that rely on this behavior; I  
keep hoping we'll just replace that library with an externally  
maintained, and perhaps more UNIX-like, command-line parser.  I'm sure  
there are a few out there.  (One that provides some kind of scripting  
capability would be a win, I would guess.)  If we do, I expect we'd  
keep the basic tool behavior the same, but weird quoting stuff like  
this may change.

Ken

More information about the Kerberos mailing list