| author | Russ Allbery <rra@stanford.edu> | 2010-02-09 13:17:12 -0800 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2010-02-09 13:17:12 -0800 | 
| commit | 2ecd8da6a7eaab79a9b8d0a5a59d91fc377d9b95 (patch) | |
| tree | 01d46660a13779271f4b9b9534c36f7df821eab0 | |
| parent | b037770195ef0bd98d6655a65873b25d90e36032 (diff) | |
Remove the kasetkey client for setting keys in an AFS kaserver
| -rw-r--r-- | Makefile.am | 24 | ||||
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | kasetkey/README | 13 | ||||
| -rw-r--r-- | kasetkey/kasetkey.c | 582 | ||||
| -rw-r--r-- | kasetkey/kasetkey.pod | 148 | 
5 files changed, 7 insertions, 762 deletions
| diff --git a/Makefile.am b/Makefile.am index 1465a9b..b647349 100644 --- a/Makefile.am +++ b/Makefile.am @@ -34,8 +34,7 @@ EXTRA_DIST = LICENSE autogen client/wallet.pod config/allow-extract \  	config/keytab config/keytab.acl config/wallet docs/design \  	contrib/README contrib/wallet-report contrib/wallet-report.8 \  	docs/design-acl docs/design-api docs/netdb-role-api docs/notes \ -	docs/setup examples/stanford.conf kasetkey/README \ -	kasetkey/kasetkey.pod $(PERL_FILES) $(TEST_FILES) +	docs/setup examples/stanford.conf $(PERL_FILES) $(TEST_FILES)  noinst_LIBRARIES = portable/libportable.a util/libutil.a  portable_libportable_a_SOURCES = portable/dummy.c portable/macros.h \ @@ -58,15 +57,6 @@ client_wallet_LDADD = util/libutil.a portable/libportable.a $(REMCTL_LIBS) \  dist_man_MANS = client/wallet.1 server/keytab-backend.8 \  	server/wallet-admin.8 server/wallet-backend.8 -if AFS -sbin_PROGRAMS = kasetkey/kasetkey -kasetkey_kasetkey_CPPFLAGS = $(AFS_CPPFLAGS) $(KRB4_CPPFLAGS) -kasetkey_kasetkey_LDFLAGS = $(AFS_LDFLAGS) $(KRB4_LDFLAGS) -kasetkey_kasetkey_LDADD = util/libutil.a portable/libportable.a $(AFS_LIBS) \ -	$(KRB4_LIBS) -dist_man_MANS += kasetkey/kasetkey.8 -endif -  $(srcdir)/client/wallet.1: $(srcdir)/client/wallet.pod  	pod2man --release=$(VERSION) --center="Administrative Commands" \  	    --section=1 $(srcdir)/client/wallet.pod > $@ @@ -75,10 +65,6 @@ $(srcdir)/contrib/wallet-report.8: $(srcdir)/contrib/wallet-report  	pod2man --release=$(VERSION) --center="Administrative Commands" \  	    --section=8 $(srcdir)/contrib/wallet-report > $@ -$(srcdir)/kasetkey/kasetkey.8: $(srcdir)/kasetkey/kasetkey.pod -	pod2man --release=$(VERSION) --center="Administrative Commands" \ -	    --section=8 $(srcdir)/kasetkey/kasetkey.pod > $@ -  $(srcdir)/server/keytab-backend.8: $(srcdir)/server/keytab-backend  	pod2man --release=$(VERSION) --center="Administrative Commands" \  	    --section=8 $(srcdir)/server/keytab-backend > $@ 
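Review bot: Dropping the `if AFS` block in the second hunk leaves the Automake conditional and the `$(AFS_CPPFLAGS)`, `$(AFS_LDFLAGS)`, `$(AFS_LIBS)`, `$(KRB4_CPPFLAGS)`, `$(KRB4_LDFLAGS)` and `$(KRB4_LIBS)` variables it consumed with no remaining user in Makefile.am. configure.ac is not part of this commit, so this is inferred from the variable names, but if it still defines the `AFS` conditional and probes for the AFS and Kerberos v4 libraries, those checks are now dead and should be removed in a follow-up so configure stops probing for (and any `--with-afs`-style option stops silently accepting) libraries nothing links against. A one-line NEWS mention that kaserver support is gone entirely, rather than only the client, would make that follow-up easier to spot.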
@@ -104,10 +90,10 @@ warnings:  # Remove some additional files.  DISTCLEANFILES = perl/Makefile -MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.h.in config.h.in~ \ -	configure client/wallet.1 kasetkey/kasetkey.8 \ -	server/keytab-backend.8	server/wallet-backend.8 tools/compile \ -	tools/depcomp tools/install-sh tools/missing +MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.h.in config.h.in~	     \ +	configure client/wallet.1 server/keytab-backend.8		     \ +	server/wallet-backend.8 tools/compile tools/depcomp tools/install-sh \ +	tools/missing  # Take appropriate actions in the Perl directory as well.  We don't want to  # always build the Perl directory in all-local, since otherwise Automake does @@ -16,6 +16,8 @@ wallet 0.10 (unreleased)      deploying Heimdal with its internal kaserver compatibility is probably      an easier transition approach. +    Remove the kasetkey client for setting keys in an AFS kaserver. +      Correctly handle storing of data that begins with a dash and don't      parse it as an argument to wallet-backend. diff --git a/kasetkey/README b/kasetkey/README deleted file mode 100644 index 3ead85d..0000000 --- a/kasetkey/README +++ /dev/null @@ -1,13 +0,0 @@ -This program used to be called gen_srvtab and was the backend used by the -old sysctl-based srvtab distribution system.  It can either load a key -from a srvtab and push it into the AFS kaserver or generate a random key, -push it into the AFS kaserver, and then write it out as a srvtab.  It has -a lot of strange issues (such as deleting and then recreating keys rather -than changing the key and incrementing the kvno), but it works. - -This program only works with the AFS kaserver and requires the AFS -libraries to compile. - -I haven't yet done the work to make compilation optional based on whether -one wants to build kaserver support (or worked out how that will be -configured in general).  That's for later. 
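Review bot: The new MAINTAINERCLEANFILES continuation lines pad the trailing backslashes with embedded tabs (`config.h.in~<TAB>     \` and `server/keytab-backend.8<TAB><TAB>     \`), so the alignment only lines up at one tab width and the file now mixes tabs and spaces inside a single value. In an Automake file where a leading tab is significant, alignment padding is better done with spaces only, e.g. `MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.h.in config.h.in~ \` with the same single-space-before-backslash form on the following lines, which is also what the removed lines used. The replacement of the stray tab separator between `server/keytab-backend.8` and `server/wallet-backend.8` on the old side is a welcome fix.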
diff --git a/kasetkey/kasetkey.c b/kasetkey/kasetkey.c
deleted file mode 100644
index b798680..0000000
--- a/kasetkey/kasetkey.c
+++ /dev/null
@@ -1,582 +0,0 @@
-/*
- * Create or change a principal and/or generate a srvtab.
- *
- * Sets the key of a principal in the AFS kaserver given a srvtab, enables or
- * disables a principal, or displays information about a principal in an AFS
- * kaserver.
- *
- * Written by Roland Schemers <schemers@stanford.edu>
- * Updated by Russ Allbery <rra@stanford.edu>
- * Updated again by Anton Ushakov  <antonu@stanford.edu>
- * Copyright 1994, 1998, 1999, 2000, 2006, 2007, 2008
- *     Board of Trustees, Leland Stanford Jr. University
- *
- * See LICENSE for licensing terms.
- */
-
-#include <config.h>
-#include <portable/system.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <sys/stat.h>
-
-#ifdef HAVE_KERBEROSIV_KRB_H
-# include <kerberosIV/krb.h>
-#else
-# include <krb.h>
-#endif
-
-#include <afs/stds.h>
-#include <afs/kauth.h>
-#include <afs/kautils.h>
-#include <afs/cellconfig.h>
-#include <ubik.h>
-
-#include <util/util.h>
-
-/* Normally set by the AFS libraries. */
-#ifndef SNAME_SZ
-# define SNAME_SZ       40
-# define INST_SZ        40
-# define REALM_SZ       40
-#endif
-
-/*
- * AFS currently doesn't prototype this function.  Cheat on the first argument
- * since it actually takes a function with a completely variable argument
- * list.
- */
-#if !HAVE_DECL_UBIK_CALL
-afs_int32 ubik_Call(void *, struct ubik_client *, afs_int32, ...);
-#endif
-
-/* The name of the program, for error reporting. */
-static const char *program = NULL;
-
-/* Some global state information. */
-struct config {
-    char *local_cell;
-    int debug;                  /* Whether to enable debugging. */
-    int init;                   /* Keyfile initialization. */
-    int random;                 /* Randomize the key. */
-    int tgs;                    /* Enable the principal. */
-    int notgs;                  /* Disable the princial. */
-    char *keyfile;              /* Name of srvtab to use. */
-    char *admin;                /* Name of ADMIN user to use. */
-    char *password;             /* Password to use. */
-    char *srvtab;               /* srvtab file to generate. */
-    char *service;              /* Principal to create/enable. */
-    char *delete;               /* Principal to delete. */
-    char *examine;              /* Principal to examine. */
-    char *k5srvtab;             /* K5 converted srvtab to read for key. */
-};
-
-/* Usage message.  Pass in the program name four times. */
-static const char usage_message[] = "\
-Usage: %s [options]\n\
-  -a adminuser     Admin user\n\
-  -c k5srvtab      Use the key from the given srvtab (for sync w/ K5)\n\
-  -D service       Name of service to delete\n\
-  -d               Turn on debugging\n\
-  -e principal     Examine the given principal\n\
-  -f srvtab        Name of srvtab file to create\n\
-  -h               This help\n\
-  -i               Initialize DES key file\n\
-  -k keyfile       File containing srvtab for admin user\n\
-  -n               Set the principal NOTGS\n\
-  -p password      Use given password to create key\n\
-  -r               Use random key\n\
-  -s service       Name of service to create\n\
-  -t               Set the principal TGS\n\
-  -v               Print version\n\
-\n\
-To create a srvtab for rcmd.slapshot and be prompted for the admin\n\
-passowrd:\n\
-\n\
-    %s -f srvtab.rcmd.slapshot -s rcmd.slapshot -r\n\
-\n\
-To create a srvtab from within a script you must stash the DES key\n\
-in a srvtab with:\n\
-\n\
-    %s -a admin -i -k /.adminkey\n\
-\n\
-and then create a srvtab for rcmd.slapshot with:\n\
-\n\
-    %s -k /.adminkey -a admin -r -f srvtab -s rcmd.slapshot\n\
-\n";
-
-
-/*
- * Print out the usage message and then exit with the status given as the only
- * argument.  If status is zero, the message is printed to standard output;
- * otherwise, it is sent to standard error.
- */
-static void
-usage(int status)
-{
-    if (program == NULL)
-        program = "";
-    fprintf((status == 0) ? stdout : stderr, usage_message,
-            program, program, program, program);
-    exit(status);
-}
-
-
-/*
- * Parse a principal name into name, inst, and cell, filling in the cell from
- * local_cell if none was given.  cell here is actually a realm and shouldn't
- * need any further conversion.
- */
-static void
-parse_principal(struct config *config, char *principal, char *name,
-                char *inst, char *cell)
-{
-    long code;
-    int local;
-
-    code = ka_ParseLoginName(principal, name, inst, cell);
-    if (config->debug)
-        printf("ka_ParseLoginName %ld\n", code);
-    if (code != 0)
-        die("can't parse principal %s", principal);
-    if (cell[0] == '\0') {
-        if (ka_CellToRealm(config->local_cell, cell, &local) == KANOCELL)
-            die("unable to determine realm from local cell");
-    }
-}
-
-
-/*
- * Given a srvtab file name, the principal, the kvno, and the key, write out a
- * new srvtab file.  Dies on any error.
- */
-static void
-write_srvtab(const char *filename, const char *name, const char *inst,
-             char *cell, unsigned char kvno, struct ktc_encryptionKey *key)
-{
-    int fd;
-
-    fd = open(filename, O_WRONLY | O_CREAT, 0600);
-    if (fd == -1)
-        sysdie("can't create srvtab %s", filename);
-    if (write(fd, name, strlen(name) + 1) != (ssize_t) strlen(name) + 1)
-        sysdie("can't write to srvtab %s", filename);
-    if (write(fd, inst, strlen(inst) + 1) != (ssize_t) strlen(inst) + 1)
-        sysdie("can't write to srvtab %s", filename);
-    if (write(fd, cell, strlen(cell) + 1) != (ssize_t) strlen(cell) + 1)
-        sysdie("can't write to srvtab %s", filename);
-    if (write(fd, &kvno, 1) != 1)
-        sysdie("can't write to srvtab %s", filename);
-    if (write(fd, key, sizeof(*key)) != sizeof(*key))
-        sysdie("can't write to srvtab %s", filename);
-    if (close(fd) != 0)
-        sysdie("can't close srvtab %s", filename);
-}
-
-
-/*
- * Initialize a DES keyfile from a password.  If the password wasn't given via
- * a command-line option, prompt for it.
- */
-static void
-initialize_admin_srvtab(struct config *config)
-{
-    struct ktc_encryptionKey key;
-    char name[MAXKTCNAMELEN];
-    char inst[MAXKTCNAMELEN];
-    char cell[MAXKTCNAMELEN];
-    long code;
-
-    if (config->keyfile == NULL || config->admin == NULL)
-        usage(1);
-
-    /* Get the password, one way or another. */
-    parse_principal(config, config->admin, name, inst, cell);
-    if (config->password != NULL) {
-        ka_StringToKey(config->password, cell, &key);
-        memset(config->password, 0, strlen(config->password));
-    } else {
-        char buffer[MAXKTCNAMELEN * 3 + 40];
-
-        sprintf(buffer,"password for %s: ", config->admin);
-        code = ka_ReadPassword(buffer, 1, cell, &key);
-        if (code != 0)
-            die("can't read password");
-    }
-
-    /* Create the admin srvtab, removing any old one if one exists. */
-    unlink(config->keyfile);
-    write_srvtab(config->keyfile, name, inst, cell, 0, &key);
-    exit(0);
-}
-
-
-/*
- * Takes the configuration struct and obtains an admin token, which it stores
- * in the second parameter.  Dies on any failure.
- */
-static void
-authenticate(struct config *config, struct ktc_token *token)
-{
-    char name[MAXKTCNAMELEN];
-    char inst[MAXKTCNAMELEN];
-    char cell[MAXKTCNAMELEN];
-    long code;
-    struct ktc_encryptionKey key;
-
-    /* Get the admin password one way or the other. */
-    parse_principal(config, config->admin, name, inst, cell);
-    if (config->keyfile) {
-        code = read_service_key(name, inst, cell, 0, config->keyfile,
-                                (char *) &key);
-        if (config->debug)
-            printf("read_service_key %ld\n", code);
-        if (code != 0)
-            die("can't get key for %s.%s@%s from srvtab %s", name, inst,
-                cell, config->keyfile);
-    } else {
-        char buffer[MAXKTCNAMELEN * 3 + 40];
-
-        sprintf(buffer, "password for %s: ", config->admin);
-        code = ka_ReadPassword(buffer, 0, cell, &key);
-        if (code)
-            die("can't read password");
-    }
-
-    /* Now, get the admin token. */
-    code = ka_GetAdminToken(name, inst, cell, &key, 300, token, 1);
-    memset(&key, 0, sizeof(key));
-    if (config->debug)
-        printf("ka_GetAdminToken %ld\n", code);
-    if (code != 0)
-        die("can't get admin token");
-}
-
-
-/*
- * Delete a principal out of the AFS kaserver.
- */
-static void
-delete_principal(struct config *config)
-{
-    struct ktc_token token;
-    struct ubik_client *conn;
-    char name[MAXKTCNAMELEN];
-    char inst[MAXKTCNAMELEN];
-    char cell[MAXKTCNAMELEN];
-    long code;
-
-    /* Make connection to AuthServer. */
-    authenticate(config, &token);
-    parse_principal(config, config->delete, name, inst, cell);
-    code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
-    if (config->debug)
-        printf("ka_AuthServerConn %s %ld\n", cell, code);
-    if (code != 0)
-        die("can't make connection to auth server");
-
-    /* Delete the user. */
-    code = ubik_Call(KAM_DeleteUser, conn, 0, name, inst);
-    if (config->debug)
-        printf("ubik_Call KAM_DeleteUser %ld\n", code);
-    if (code != 0 && code != KANOENT)
-        die("can't delete existing instance");
-    code = ubik_ClientDestroy(conn);
-    exit(0);
-}
-
-
-/*
- * Format a date.  The output format expects ctime-style date formatting, so
- * we use that.  Takes a buffer into which to put the date.  There will be a
- * trailing newline.
- */
-static void
-format_date(char *buffer, size_t size, time_t date)
-{
-    if (date == (time_t) NEVERDATE)
-        strlcpy(buffer, "never\n", size);
-    else
-        strlcpy(buffer, ctime(&date), size);
-}
-
-
-/*
- * Enable or disable a principal in the AFS kaserver (by setting or clearing
- * the NOTGS flag).  The second argument says to enable if it's true, disable
- * otherwise.
- */
-static void
-enable_principal(struct config *config, int enable)
-{
-    struct ktc_token token;
-    struct ubik_client *conn;
-    struct kaentryinfo entry;
-    char name[MAXKTCNAMELEN];
-    char inst[MAXKTCNAMELEN];
-    char cell[MAXKTCNAMELEN];
-    long code;
-
-    /* Make connection to AuthServer. */
-    authenticate(config, &token);
-    parse_principal(config, config->service, name, inst, cell);
-    code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
-    if (config->debug)
-        printf("ka_AuthServerConn %s %ld\n", cell, code);
-    if (code != 0)
-        die("can't make connection to auth server");
-
-    /* Retrieve the principal information. */
-    code = ubik_Call(KAM_GetEntry, conn, 0, name, inst, KAMAJORVERSION,
-                     &entry);
-    if (config->debug)
-        printf("ubik_Call KAM_GetEntry %ld\n", code);
-    if (code != 0)
-        die("can't retrieve current flags");
-
-    /* Set the flags. */
-    if (enable)
-        entry.flags &= ~KAFNOTGS;
-    else
-        entry.flags |= KAFNOTGS;
-    code = ubik_Call(KAM_SetFields, conn, 0, name, inst, entry.flags, 0, 0,
-                     -1, 0, 0);
-    if (config->debug)
-        printf("ubik_Call KAM_SetFields %ld\n", code);
-    if (code != 0)
-        die("can't %s principal", enable ? "enable" : "disable");
-    code = ubik_ClientDestroy(conn);
-    exit(0);
-}
-
-
-/*
- * Examine a principal.  The output format is compatible with the old Stanford
- * Kerberos v4 kadmin, which may be compatible with Kerberos v4 kadmin in
- * general (I haven't checked).
- */
-static void
-examine_principal(struct config *config)
-{
-    struct ktc_token token;
-    struct ubik_client *conn;
-    struct kaentryinfo entry;
-    char name[MAXKTCNAMELEN];
-    char inst[MAXKTCNAMELEN];
-    char cell[MAXKTCNAMELEN];
-    long code;
-    char edate[64], cdate[64], mdate[64];
-
-    /* Make connection to AuthServer. */
-    authenticate(config, &token);
-    parse_principal(config, config->examine, name, inst, cell);
-    code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
-    if (config->debug)
-        printf("ka_AuthServerConn %s %ld\n", cell, code);
-    if (code != 0)
-        die("can't make connection to auth server");
-
-    /* Retrieve and format the entry. */
-    code = ubik_Call(KAM_GetEntry, conn, 0, name, inst, KAMAJORVERSION,
-                     &entry);
-    if (config->debug)
-        printf("ubik_Call KAM_GetEntry %ld\n", code);
-    if (code != 0) {
-        if (code == KANOENT)
-            die("no such entry in the database");
-        else
-            die("can't retrieve principal information");
-    }
-    format_date(edate, sizeof(edate), entry.user_expiration);
-    format_date(mdate, sizeof(cdate), entry.modification_time);
-    format_date(cdate, sizeof(mdate), entry.change_password_time);
-    printf("status: %s\n", (entry.flags & KAFNOTGS) ? "disabled" : "enabled");
-    printf("account expiration: %s", edate);
-    printf("password last changed: %s", cdate);
-    printf("modification time: %s", mdate);
-    printf("modified by: %s%s%s\n", entry.modification_user.name,
-           (entry.modification_user.instance[0] != '\0') ? "." : "",
-           entry.modification_user.instance);
-    code = ubik_ClientDestroy(conn);
-    exit(0);
-}
-
-
-/*
- * Create a new principal in the AFS kaserver (deleting it and recreating it
- * if it already exists) with either the indicated key or with a random key,
- * and then write out a srvtab for that principal.  Also supported is reading
- * the key from an existing srvtab (likely created via Kerberos v5 kadmin from
- * a keytab).
- */
-static void
-generate_srvtab(struct config *config)
-{
-    struct ktc_token token;
-    struct ubik_client *conn;
-    char name[MAXKTCNAMELEN];
-    char inst[MAXKTCNAMELEN];
-    char cell[MAXKTCNAMELEN];
-    long code;
-    struct ktc_encryptionKey key;
-
-    /* Make connection to AuthServer. */
-    authenticate(config, &token);
-    parse_principal(config, config->service, name, inst, cell);
-    code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
-    if (config->debug)
-        printf("ka_AuthServerConn %s %ld\n", cell, code);
-    if (code != 0)
-        die("can't make connection to auth server");
-
-    /* Get the key for the principal we're creating. */
-    if (config->k5srvtab != NULL) { 
-        char buffer[SNAME_SZ * 4];
-        char *p;
-        char sname[SNAME_SZ];
-        char sinst[INST_SZ];
-        char srealm[REALM_SZ];
-        unsigned char kvno;
-        FILE *srvtab;
-
-        /* Read the whole converted srvtab into memory. */
-        srvtab = fopen(config->k5srvtab, "r");
-        if (srvtab == NULL)
-            sysdie("can't open converted srvtab %s", config->k5srvtab);
-        if (fgets(buffer, sizeof(buffer), srvtab) == NULL)
-            sysdie("can't read converted srvtab %s", config->k5srvtab);
-        fclose(srvtab);
-
-        /* Now parse it.  Fields are delimited by NUL. */
-        p = buffer;
-        strncpy(sname, p, SNAME_SZ - 1);
-        sname[sizeof(sname) - 1] = '\0';
-        p += strlen(sname) + 1;
-        strncpy(sinst, p, INST_SZ - 1);
-        sinst[sizeof(sinst) - 1] = '\0';
-        p += strlen(sinst) + 1;
-        strncpy(srealm, p, REALM_SZ - 1);
-        srealm[sizeof(srealm) - 1] = '\0';
-        p += strlen(srealm) + 1;
-        memcpy(&kvno, p, sizeof(unsigned char));
-        p += sizeof(unsigned char);
-        memcpy(key.data, p, sizeof(key));
-        memset(buffer, 0, sizeof(buffer));
-    } else if (config->random) {
-        code = ubik_Call(KAM_GetRandomKey, conn, 0, &key);
-        if (config->debug)
-            printf("ubik_Call KAM_GetRandomKey %ld\n", code);
-        if (code != 0)
-            die("can't get random key");
-    } else {
-        code = ka_ReadPassword((char *) "service password: ", 1, cell, &key);
-        if (code != 0)
-            die("can't read password");
-    }
-
-    /*
-     * Now, we have the key.  Try to create the principal.  If it already
-     * exists, try deleting it first and then creating it again.
-     */
-    code = ubik_Call(KAM_CreateUser, conn, 0, name, inst, key);
-    if (config->debug)
-        printf("ubik_Call KAM_CreateUser %ld\n", code);
-    if (code == KAEXIST) {
-        code = ubik_Call(KAM_DeleteUser, conn, 0, name, inst);
-        if (config->debug)
-            printf("ubik_Call KAM_DeleteUser %ld\n", code);
-        if (code != 0)
-            die("can't delete existing instance");
-        code = ubik_Call(KAM_CreateUser, conn, 0, name, inst, key);
-        if (config->debug)
-            printf("ubik_Call KAM_CreateUser %ld\n", code);
-    }
-    if (code != 0)
-        die("can't create user");
-    code = ubik_ClientDestroy (conn);
-
-    /* Create the srvtab file.  Don't bother if we have a converted one. */
-    if (config->srvtab && !config->k5srvtab) {
-        unsigned char kvno = 0;
-
-        /* Make a backup copy of any existing one, just in case. */
-        if (access(config->srvtab, F_OK) == 0) {
-            char backup[MAXPATHLEN];
-
-            snprintf(backup, sizeof(backup), "%s.bak", config->srvtab);
-            if (rename(config->srvtab, backup) != 0)
-                sysdie("can't create backup srvtab %s", backup);
-        }
-        write_srvtab(config->srvtab, name, inst, cell, kvno, &key);
-    }
-    memset(&key, 0, sizeof(key));
-    exit(0);
-}
-
-
-int
-main(int argc, char *argv[])
-{
-    long code;
-    int opt;
-    struct config config;
- 
-    /* Initialize, get our local cell, etc. */
-    memset(&config, 0, sizeof(config));
-    code = ka_Init(0);
-    config.local_cell = ka_LocalCell();
-    if (config.local_cell == NULL || code != 0)
-        die("can't initialize");
-
-    /* Parse options. */
-    while ((opt = getopt(argc, argv, "a:c:D:de:f:hik:np:rs:tv")) != EOF) {
-        switch (opt) {
-        case 'a': config.admin = optarg;        break;
-        case 'c': config.k5srvtab = optarg;     break;
-        case 'D': config.delete = optarg;       break;
-        case 'd': config.debug = 1;             break;
-        case 'e': config.examine = optarg;      break;
-        case 'f': config.srvtab = optarg;       break;
-        case 'i': config.init = 1;              break;
-        case 'k': config.keyfile = optarg;      break;
-        case 'n': config.notgs = 1;             break;
-        case 'p': config.password = optarg;     break;
-        case 'r': config.random = 1;            break;
-        case 's': config.service = optarg;      break;
-        case 't': config.tgs = 1;               break;
-
-        /* Usage doesn't return. */
-        case 'h':
-            usage(0);
-        case 'v':
-            printf("kasetkey %s\n", PACKAGE_VERSION);
-            exit(0);
-        default:
-            usage(1);
-        }
-    }
-
-    /* Take the right action. */
-    if (config.random && config.k5srvtab)
-        usage(1);
-    if (config.notgs && config.tgs)
-        die("cannot set principal both TGS and NOTGS at the same time");
-    if ((config.notgs || config.tgs) && config.service == NULL)
-        die("must specify a principal with -s");
-    if (config.debug)
-        fprintf(stdout, "cell: %s\n", config.local_cell);
-    if (config.init)
-        initialize_admin_srvtab(&config);
-    else if (config.tgs || config.notgs)
-        enable_principal(&config, config.tgs);
-    else if (config.examine != NULL)
-        examine_principal(&config);
-    else if (config.service != NULL)
-        generate_srvtab(&config);
-    else if (config.delete != NULL)
-        delete_principal(&config);
-    else
-        usage(1);
-    exit(0);
-}
diff --git a/kasetkey/kasetkey.pod b/kasetkey/kasetkey.pod
deleted file mode 100644
index dcaa8b4..0000000
--- a/kasetkey/kasetkey.pod
+++ /dev/null
@@ -1,148 +0,0 @@
-=head1 NAME
-
-kasetkey - Manipulate AFS kaserver service principal keys
-
-=head1 SYNOPSIS
-
-B<kasetkey> [B<-dhv>] B<-a> I<admin> B<-i> [B<-p> I<password>]
-    B<-k> I<keyfile>
-
-B<kasetkey> [B<-dhv>] B<-a> I<admin> [B<-k> I<keyfile>] B<-D> I<service>
-
-B<kasetkey> [B<-dhv>] B<-a> I<admin> [B<-k> I<keyfile>]
-    [ B<-c> I<k5srvtab> | B<-r> ] B<-s> I<service> B<-f> I<srvtab>
-
-=head1 DESCRIPTION
-
-B<kasetkey> manipulates principals in an AFS kaserver, usually service
-principals.  It's primarily designed for automatic generation of srvtabs
-for keys without regular passwords, but it can be used to do other
-automated tasks, authenticating from a srvtab.
-
-To start using B<kasetkey>, obtain a srvtab for a principal with the ADMIN
-flag set in the AFS kaserver.  Such a srvtab can be created from the
-password of that principal using B<kasetkey> with the B<-i> flag.  Then,
-use B<-s> to create a srvtab for a particular principal or B<-D> to delete
-a principal from the Kerberos database, passing via B<-k> the path to the
-srvtab containing the key for an ADMIN principal.  If you don't use B<-k>,
-B<kasetkey> will prompt you for the password of the given ADMIN principal.
-
-When generating a srvtab for a particular principal using B<-s>, you have
-your choice of ways of setting the key for that principal.  The default is
-to prompt you for a password, but usually that's not what you want.
-Provide the B<-r> flag to set a random key, which is normally what you
-want to do for a pure Kerberos v4 principal.  When synchronizing Kerberos
-v5 with Kerberos v4, generate a keytab in Kerberos v5, convert it to a
-srvtab using B<ktutil>, and then provide that srvtab to B<kasetkey> with
-the B<-c> flag.  B<kasetkey> will then set the key in the AFS kaserver to
-match.
-
-B<kasetkey> uses a simple, brute-force approach to setting keys in the AFS
-kaserver.  It creates the principal if it doesn't already exist, and if it
-does already exist, it deletes it and then recreates it.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-a> I<admin>
-
-The user as whom changes should be performed.  This user must have the
-ADMIN flag set in the AFS kaserver.
-
-=item B<-c> I<srvtab>
-
-When creating a service principal using B<-s>, take the key for that
-principal from I<srvtab>.  I<srvtab> must contain a DES key and can be
-created via B<ktutil> from a Kerberos v5 keytab.
-
-=item B<-D> I<service>
-
-Delete the principal I<service> from the AFS kaserver.
-
-=item B<-d>
-
-Turn on debugging.  This prints out more information about the exit status
-of all of the API calls used.
-
-=item B<-f> I<srvtab>
-
-Where to write the srvtab for a newly created (or modified) principal.
-Used only with B<-s>.
-
-=item B<-h>
-
-Display an option summary and a few examples and then exit.
-
-=item B<-i>
-
-Initialize a srvtab.  Takes the user from B<-a> and either prompts for the
-password or takes it from the B<-p> flag.  Writes out the srvtab to the
-path given to B<-k>.
-
-=item B<-k> I<srvtab>
-
-The srvtab to use to authenticate.  The key in the srvtab must be the key
-for the user given with B<-a>.
-
-=item B<-p> I<password>
-
-The password for the user for which a srvtab is being initialized.  This
-is only used with the B<-i> flag.
-
-=item B<-r>
-
-When generating a new srvtab with B<-s>, randomize the key for that user.
-
-=item B<-s> I<service>
-
-Create a new srvtab for the principal I<service>.  If this principal
-already exists, it's deleted and recreated.  Takes the key for the
-principal from the srvtab specified with B<-c>, randomizes it if B<-r> is
-given, or prompts for it.
-
-=item B<-v>
-
-Prints the version of B<kasetkey> and exits.
-
-=back
-
-=head1 EXAMPLES
-
-To create a srvtab for rcmd.slapshot and be prompted for the admin
-passowrd:
-
-    kasetkey -f srvtab.rcmd.slapshot -s rcmd.slapshot -r
-
-To create a srvtab from within a script you must stash the DES key
-in a srvtab with:
-
-    kasetkey -a admin -i -k /.adminkey
-
-(which will prompt you for the password) and then create a srvtab for
-rcmd.slapshot with:
-
-    kasetkey -k /.adminkey -a admin -r -f srvtab -s rcmd.slapshot
-
-=head1 CAVEATS
-
-The error reporting of this program is not great.  If an action fails, run
-it again with the B<-d> flag, which will print out the return status of
-every AFS operation.  You can then pass the failing error code to the
-B<translate_et> program, installed with AFS, to translate the code into an
-error message.
-
-=head1 SEE ALSO
-
-kas(8), kaserver(8), ktutil(8)
-
-This program is part of the wallet system.  The current version is available
-from L<http://www.eyrie.org/~eagle/software/wallet/>.
-
-=head1 AUTHORS
-
-Originally written by Roland Schemers.  Revised to use srvtabs rather than
-simple DES keys and to support principal deletion by Russ Allbery
-<rra@stanford.edu>, who currently maintains it.
-
-=cut
