| author | Russ Allbery <rra@stanford.edu> | 2010-02-18 21:31:10 -0800 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2010-02-18 21:31:10 -0800 | 
| commit | a24d3ac3c7e8cb68fe2268f337a4edb599d5f881 (patch) | |
| tree | d8666db4e54a4ebd1ae69ddfcc37d6ffb9a18e31 /perl/Wallet/Object | |
| parent | 748170660e3a7b1db4320ba9b0144da2e252cd27 (diff) | |
Support unchanging keytabs with Heimdal without remctl
Heimdal supports retrieving a keytab containing the existing keys over
the kadmin protocol.  Move the support for using remctl to retrieve an
existing keytab into Wallet::Kadmin::MIT and provide two separate
methods in the Wallet::Kadmin interface: one which rekeys and one which
doesn't.  Implement the non-rekeying interface for Heimdal.  Expand the
test suite for the unchanging keytabs to include tests for the Heimdal
method.
Diffstat (limited to 'perl/Wallet/Object')
| -rw-r--r-- | perl/Wallet/Object/Keytab.pm | 49 | 
1 files changed, 3 insertions, 46 deletions
|
diff --git a/perl/Wallet/Object/Keytab.pm b/perl/Wallet/Object/Keytab.pm
index 44ee003..5c66967 100644
--- a/perl/Wallet/Object/Keytab.pm
+++ b/perl/Wallet/Object/Keytab.pm
@@ -180,49 +180,6 @@ sub sync_list {
 }
 ##############################################################################
-# Keytab retrieval
-##############################################################################
-
-# Retrieve an existing keytab from the KDC via a remctl call.  The KDC needs
-# to be running the keytab-backend script and support the keytab retrieve
-# remctl command.  In addition, the user must have configured us with the path
-# to a ticket cache and the host to which to connect with remctl.  Returns the
-# keytab on success and undef on failure.
-sub keytab_retrieve {
-    my ($self, $keytab) = @_;
-    my $host = $Wallet::Config::KEYTAB_REMCTL_HOST;
-    unless ($host and $Wallet::Config::KEYTAB_REMCTL_CACHE) {
-        $self->error ('keytab unchanging support not configured');
-        return;
-    }
-    eval { require Net::Remctl };
-    if ($@) {
-        $self->error ("keytab unchanging support not available: $@");
-        return;
-    }
-    if ($Wallet::Config::KEYTAB_REALM) {
-        $keytab .= '@' . $Wallet::Config::KEYTAB_REALM;
-    }
-    local $ENV{KRB5CCNAME} = $Wallet::Config::KEYTAB_REMCTL_CACHE;
-    my $port = $Wallet::Config::KEYTAB_REMCTL_PORT || 0;
-    my $principal = $Wallet::Config::KEYTAB_REMCTL_PRINCIPAL || '';
-    my @command = ('keytab', 'retrieve', $keytab);
-    my $result = Net::Remctl::remctl ($host, $port, $principal, @command);
-    if ($result->error) {
-        $self->error ("cannot retrieve keytab for $keytab: ", $result->error);
-        return;
-    } elsif ($result->status != 0) {
-        my $error = $result->stderr;
-        $error =~ s/\s+$//;
-        $error =~ s/\n/ /g;
-        $self->error ("cannot retrieve keytab for $keytab: $error");
-        return;
-    } else {
-        return $result->stdout;
-    }
-}
-
-##############################################################################
 # Core methods
 ##############################################################################
@@ -365,8 +322,9 @@ sub get {
         $self->error ("cannot get $id: object is locked");
         return;
     }
+    my $kadmin = $self->{kadmin};
     if ($self->flag_check ('unchanging')) {
-        my $result = $self->keytab_retrieve ($self->{name});
+        my $result = $kadmin->keytab ($self->{name});
         if (defined $result) {
             $self->log_action ('get', $user, $host, $time);
         }
@@ -379,8 +337,7 @@ sub get {
     my $file = $Wallet::Config::KEYTAB_TMP . "/keytab.$$";
     unlink $file;
     my @enctypes = $self->attr ('enctypes');
-    my $kadmin = $self->{kadmin};
-    if (not $kadmin->keytab ($self->{name}, $file, @enctypes)) {
+    if (not $kadmin->keytab_rekey ($self->{name}, $file, @enctypes)) {
         $self->error ($kadmin->error);
         return;
     } |
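Review bot: The new `$kadmin->keytab ($self->{name})` call in the unchanging branch reports failure only through an undefined `$result`, and the code that handles that undef lies after the hunk, so it is not visible here whether the message is copied with `$self->error ($kadmin->error)` the way the rekey path in the next hunk does. The removed keytab_retrieve set `$self->error` itself on every failure, so if the undef branch does not pull the message from the kadmin object, a failed unchanging retrieval would return undef with a stale or empty error string. Worth confirming against the lines following this hunk. sub get begins and ends outside the hunk.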
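Review bot: With `keytab` now meaning "fetch the existing keys" and `keytab_rekey` "generate new keys", the rekey call at the end of the second hunk deserves a line stating why this path is reached, e.g. `# Not an unchanging keytab (handled above), so always generate fresh keys.` The rename also means any other caller of the old three-or-more-argument `keytab` form elsewhere in the tree would now resolve to the non-rekeying method; the diffstat is limited to perl/Wallet/Object, so that cannot be checked from this page and is worth a search of the other callers. sub get continues past the hunk.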
