-rw-r--r--Makefile.am24
-rw-r--r--NEWS2
-rw-r--r--kasetkey/README13
-rw-r--r--kasetkey/kasetkey.c582
-rw-r--r--kasetkey/kasetkey.pod148
5 files changed, 7 insertions, 762 deletions
diff --git a/Makefile.am b/Makefile.am
index 1465a9b..b647349 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,8 +34,7 @@ EXTRA_DIST = LICENSE autogen client/wallet.pod config/allow-extract \
config/keytab config/keytab.acl config/wallet docs/design \
contrib/README contrib/wallet-report contrib/wallet-report.8 \
docs/design-acl docs/design-api docs/netdb-role-api docs/notes \
- docs/setup examples/stanford.conf kasetkey/README \
- kasetkey/kasetkey.pod $(PERL_FILES) $(TEST_FILES)
+ docs/setup examples/stanford.conf $(PERL_FILES) $(TEST_FILES)
noinst_LIBRARIES = portable/libportable.a util/libutil.a
portable_libportable_a_SOURCES = portable/dummy.c portable/macros.h \
@@ -58,15 +57,6 @@ client_wallet_LDADD = util/libutil.a portable/libportable.a $(REMCTL_LIBS) \
dist_man_MANS = client/wallet.1 server/keytab-backend.8 \
server/wallet-admin.8 server/wallet-backend.8
-if AFS
-sbin_PROGRAMS = kasetkey/kasetkey
-kasetkey_kasetkey_CPPFLAGS = $(AFS_CPPFLAGS) $(KRB4_CPPFLAGS)
-kasetkey_kasetkey_LDFLAGS = $(AFS_LDFLAGS) $(KRB4_LDFLAGS)
-kasetkey_kasetkey_LDADD = util/libutil.a portable/libportable.a $(AFS_LIBS) \
- $(KRB4_LIBS)
-dist_man_MANS += kasetkey/kasetkey.8
-endif
-
$(srcdir)/client/wallet.1: $(srcdir)/client/wallet.pod
pod2man --release=$(VERSION) --center="Administrative Commands" \
--section=1 $(srcdir)/client/wallet.pod > $@
@@ -75,10 +65,6 @@ $(srcdir)/contrib/wallet-report.8: $(srcdir)/contrib/wallet-report
pod2man --release=$(VERSION) --center="Administrative Commands" \
--section=8 $(srcdir)/contrib/wallet-report > $@
-$(srcdir)/kasetkey/kasetkey.8: $(srcdir)/kasetkey/kasetkey.pod
- pod2man --release=$(VERSION) --center="Administrative Commands" \
- --section=8 $(srcdir)/kasetkey/kasetkey.pod > $@
-
$(srcdir)/server/keytab-backend.8: $(srcdir)/server/keytab-backend
pod2man --release=$(VERSION) --center="Administrative Commands" \
--section=8 $(srcdir)/server/keytab-backend > $@
@@ -104,10 +90,10 @@ warnings:
# Remove some additional files.
DISTCLEANFILES = perl/Makefile
-MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.h.in config.h.in~ \
- configure client/wallet.1 kasetkey/kasetkey.8 \
- server/keytab-backend.8 server/wallet-backend.8 tools/compile \
- tools/depcomp tools/install-sh tools/missing
+MAINTAINERCLEANFILES = Makefile.in aclocal.m4 config.h.in config.h.in~ \
+ configure client/wallet.1 server/keytab-backend.8 \
+ server/wallet-backend.8 tools/compile tools/depcomp tools/install-sh \
+ tools/missing
# Take appropriate actions in the Perl directory as well. We don't want to
# always build the Perl directory in all-local, since otherwise Automake does
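Review bot: The reflowed `MAINTAINERCLEANFILES` assignment still omits `contrib/wallet-report.8`, although the pod2man rule for `$(srcdir)/contrib/wallet-report.8` earlier in this file generates it in the same way as the man pages that are listed. `server/wallet-admin.8` is in `dist_man_MANS` but is also missing here; if it is generated from POD too (not visible in this diff), add both names while the list is being rewritten, e.g. `configure client/wallet.1 contrib/wallet-report.8 server/keytab-backend.8 \` followed by `server/wallet-admin.8 server/wallet-backend.8 tools/compile tools/depcomp \`. Separately, the diffstat shows no configure change, so the `AFS` conditional and the `AFS_*`/`KRB4_*` substitutions that the removed block consumed are presumably still computed at configure time. That is worth confirming, and they should be dropped if so, so the build no longer probes for AFS and Kerberos v4 libraries that nothing links against.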
diff --git a/NEWS b/NEWS
index c6b3a9d..60c0945 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ wallet 0.10 (unreleased)
deploying Heimdal with its internal kaserver compatibility is probably
an easier transition approach.
+ Remove the kasetkey client for setting keys in an AFS kaserver.
+
Correctly handle storing of data that begins with a dash and don't
parse it as an argument to wallet-backend.
diff --git a/kasetkey/README b/kasetkey/README
deleted file mode 100644
index 3ead85d..0000000
--- a/kasetkey/README
+++ /dev/null
@@ -1,13 +0,0 @@
-This program used to be called gen_srvtab and was the backend used by the
-old sysctl-based srvtab distribution system. It can either load a key
-from a srvtab and push it into the AFS kaserver or generate a random key,
-push it into the AFS kaserver, and then write it out as a srvtab. It has
-a lot of strange issues (such as deleting and then recreating keys rather
-than changing the key and incrementing the kvno), but it works.
-
-This program only works with the AFS kaserver and requires the AFS
-libraries to compile.
-
-I haven't yet done the work to make compilation optional based on whether
-one wants to build kaserver support (or worked out how that will be
-configured in general). That's for later.
diff --git a/kasetkey/kasetkey.c b/kasetkey/kasetkey.c
deleted file mode 100644
index b798680..0000000
--- a/kasetkey/kasetkey.c
+++ /dev/null
@@ -1,582 +0,0 @@
-/*
- * Create or change a principal and/or generate a srvtab.
- *
- * Sets the key of a principal in the AFS kaserver given a srvtab, enables or
- * disables a principal, or displays information about a principal in an AFS
- * kaserver.
- *
- * Written by Roland Schemers <schemers@stanford.edu>
- * Updated by Russ Allbery <rra@stanford.edu>
- * Updated again by Anton Ushakov <antonu@stanford.edu>
- * Copyright 1994, 1998, 1999, 2000, 2006, 2007, 2008
- * Board of Trustees, Leland Stanford Jr. University
- *
- * See LICENSE for licensing terms.
- */
-
-#include <config.h>
-#include <portable/system.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <sys/stat.h>
-
-#ifdef HAVE_KERBEROSIV_KRB_H
-# include <kerberosIV/krb.h>
-#else
-# include <krb.h>
-#endif
-
-#include <afs/stds.h>
-#include <afs/kauth.h>
-#include <afs/kautils.h>
-#include <afs/cellconfig.h>
-#include <ubik.h>
-
-#include <util/util.h>
-
-/* Normally set by the AFS libraries. */
-#ifndef SNAME_SZ
-# define SNAME_SZ 40
-# define INST_SZ 40
-# define REALM_SZ 40
-#endif
-
-/*
- * AFS currently doesn't prototype this function. Cheat on the first argument
- * since it actually takes a function with a completely variable argument
- * list.
- */
-#if !HAVE_DECL_UBIK_CALL
-afs_int32 ubik_Call(void *, struct ubik_client *, afs_int32, ...);
-#endif
-
-/* The name of the program, for error reporting. */
-static const char *program = NULL;
-
-/* Some global state information. */
-struct config {
- char *local_cell;
- int debug; /* Whether to enable debugging. */
- int init; /* Keyfile initialization. */
- int random; /* Randomize the key. */
- int tgs; /* Enable the principal. */
- int notgs; /* Disable the princial. */
- char *keyfile; /* Name of srvtab to use. */
- char *admin; /* Name of ADMIN user to use. */
- char *password; /* Password to use. */
- char *srvtab; /* srvtab file to generate. */
- char *service; /* Principal to create/enable. */
- char *delete; /* Principal to delete. */
- char *examine; /* Principal to examine. */
- char *k5srvtab; /* K5 converted srvtab to read for key. */
-};
-
-/* Usage message. Pass in the program name four times. */
-static const char usage_message[] = "\
-Usage: %s [options]\n\
- -a adminuser Admin user\n\
- -c k5srvtab Use the key from the given srvtab (for sync w/ K5)\n\
- -D service Name of service to delete\n\
- -d Turn on debugging\n\
- -e principal Examine the given principal\n\
- -f srvtab Name of srvtab file to create\n\
- -h This help\n\
- -i Initialize DES key file\n\
- -k keyfile File containing srvtab for admin user\n\
- -n Set the principal NOTGS\n\
- -p password Use given password to create key\n\
- -r Use random key\n\
- -s service Name of service to create\n\
- -t Set the principal TGS\n\
- -v Print version\n\
-\n\
-To create a srvtab for rcmd.slapshot and be prompted for the admin\n\
-passowrd:\n\
-\n\
- %s -f srvtab.rcmd.slapshot -s rcmd.slapshot -r\n\
-\n\
-To create a srvtab from within a script you must stash the DES key\n\
-in a srvtab with:\n\
-\n\
- %s -a admin -i -k /.adminkey\n\
-\n\
-and then create a srvtab for rcmd.slapshot with:\n\
-\n\
- %s -k /.adminkey -a admin -r -f srvtab -s rcmd.slapshot\n\
-\n";
-
-
-/*
- * Print out the usage message and then exit with the status given as the only
- * argument. If status is zero, the message is printed to standard output;
- * otherwise, it is sent to standard error.
- */
-static void
-usage(int status)
-{
- if (program == NULL)
- program = "";
- fprintf((status == 0) ? stdout : stderr, usage_message,
- program, program, program, program);
- exit(status);
-}
-
-
-/*
- * Parse a principal name into name, inst, and cell, filling in the cell from
- * local_cell if none was given. cell here is actually a realm and shouldn't
- * need any further conversion.
- */
-static void
-parse_principal(struct config *config, char *principal, char *name,
- char *inst, char *cell)
-{
- long code;
- int local;
-
- code = ka_ParseLoginName(principal, name, inst, cell);
- if (config->debug)
- printf("ka_ParseLoginName %ld\n", code);
- if (code != 0)
- die("can't parse principal %s", principal);
- if (cell[0] == '\0') {
- if (ka_CellToRealm(config->local_cell, cell, &local) == KANOCELL)
- die("unable to determine realm from local cell");
- }
-}
-
-
-/*
- * Given a srvtab file name, the principal, the kvno, and the key, write out a
- * new srvtab file. Dies on any error.
- */
-static void
-write_srvtab(const char *filename, const char *name, const char *inst,
- char *cell, unsigned char kvno, struct ktc_encryptionKey *key)
-{
- int fd;
-
- fd = open(filename, O_WRONLY | O_CREAT, 0600);
- if (fd == -1)
- sysdie("can't create srvtab %s", filename);
- if (write(fd, name, strlen(name) + 1) != (ssize_t) strlen(name) + 1)
- sysdie("can't write to srvtab %s", filename);
- if (write(fd, inst, strlen(inst) + 1) != (ssize_t) strlen(inst) + 1)
- sysdie("can't write to srvtab %s", filename);
- if (write(fd, cell, strlen(cell) + 1) != (ssize_t) strlen(cell) + 1)
- sysdie("can't write to srvtab %s", filename);
- if (write(fd, &kvno, 1) != 1)
- sysdie("can't write to srvtab %s", filename);
- if (write(fd, key, sizeof(*key)) != sizeof(*key))
- sysdie("can't write to srvtab %s", filename);
- if (close(fd) != 0)
- sysdie("can't close srvtab %s", filename);
-}
-
-
-/*
- * Initialize a DES keyfile from a password. If the password wasn't given via
- * a command-line option, prompt for it.
- */
-static void
-initialize_admin_srvtab(struct config *config)
-{
- struct ktc_encryptionKey key;
- char name[MAXKTCNAMELEN];
- char inst[MAXKTCNAMELEN];
- char cell[MAXKTCNAMELEN];
- long code;
-
- if (config->keyfile == NULL || config->admin == NULL)
- usage(1);
-
- /* Get the password, one way or another. */
- parse_principal(config, config->admin, name, inst, cell);
- if (config->password != NULL) {
- ka_StringToKey(config->password, cell, &key);
- memset(config->password, 0, strlen(config->password));
- } else {
- char buffer[MAXKTCNAMELEN * 3 + 40];
-
- sprintf(buffer,"password for %s: ", config->admin);
- code = ka_ReadPassword(buffer, 1, cell, &key);
- if (code != 0)
- die("can't read password");
- }
-
- /* Create the admin srvtab, removing any old one if one exists. */
- unlink(config->keyfile);
- write_srvtab(config->keyfile, name, inst, cell, 0, &key);
- exit(0);
-}
-
-
-/*
- * Takes the configuration struct and obtains an admin token, which it stores
- * in the second parameter. Dies on any failure.
- */
-static void
-authenticate(struct config *config, struct ktc_token *token)
-{
- char name[MAXKTCNAMELEN];
- char inst[MAXKTCNAMELEN];
- char cell[MAXKTCNAMELEN];
- long code;
- struct ktc_encryptionKey key;
-
- /* Get the admin password one way or the other. */
- parse_principal(config, config->admin, name, inst, cell);
- if (config->keyfile) {
- code = read_service_key(name, inst, cell, 0, config->keyfile,
- (char *) &key);
- if (config->debug)
- printf("read_service_key %ld\n", code);
- if (code != 0)
- die("can't get key for %s.%s@%s from srvtab %s", name, inst,
- cell, config->keyfile);
- } else {
- char buffer[MAXKTCNAMELEN * 3 + 40];
-
- sprintf(buffer, "password for %s: ", config->admin);
- code = ka_ReadPassword(buffer, 0, cell, &key);
- if (code)
- die("can't read password");
- }
-
- /* Now, get the admin token. */
- code = ka_GetAdminToken(name, inst, cell, &key, 300, token, 1);
- memset(&key, 0, sizeof(key));
- if (config->debug)
- printf("ka_GetAdminToken %ld\n", code);
- if (code != 0)
- die("can't get admin token");
-}
-
-
-/*
- * Delete a principal out of the AFS kaserver.
- */
-static void
-delete_principal(struct config *config)
-{
- struct ktc_token token;
- struct ubik_client *conn;
- char name[MAXKTCNAMELEN];
- char inst[MAXKTCNAMELEN];
- char cell[MAXKTCNAMELEN];
- long code;
-
- /* Make connection to AuthServer. */
- authenticate(config, &token);
- parse_principal(config, config->delete, name, inst, cell);
- code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
- if (config->debug)
- printf("ka_AuthServerConn %s %ld\n", cell, code);
- if (code != 0)
- die("can't make connection to auth server");
-
- /* Delete the user. */
- code = ubik_Call(KAM_DeleteUser, conn, 0, name, inst);
- if (config->debug)
- printf("ubik_Call KAM_DeleteUser %ld\n", code);
- if (code != 0 && code != KANOENT)
- die("can't delete existing instance");
- code = ubik_ClientDestroy(conn);
- exit(0);
-}
-
-
-/*
- * Format a date. The output format expects ctime-style date formatting, so
- * we use that. Takes a buffer into which to put the date. There will be a
- * trailing newline.
- */
-static void
-format_date(char *buffer, size_t size, time_t date)
-{
- if (date == (time_t) NEVERDATE)
- strlcpy(buffer, "never\n", size);
- else
- strlcpy(buffer, ctime(&date), size);
-}
-
-
-/*
- * Enable or disable a principal in the AFS kaserver (by setting or clearing
- * the NOTGS flag). The second argument says to enable if it's true, disable
- * otherwise.
- */
-static void
-enable_principal(struct config *config, int enable)
-{
- struct ktc_token token;
- struct ubik_client *conn;
- struct kaentryinfo entry;
- char name[MAXKTCNAMELEN];
- char inst[MAXKTCNAMELEN];
- char cell[MAXKTCNAMELEN];
- long code;
-
- /* Make connection to AuthServer. */
- authenticate(config, &token);
- parse_principal(config, config->service, name, inst, cell);
- code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
- if (config->debug)
- printf("ka_AuthServerConn %s %ld\n", cell, code);
- if (code != 0)
- die("can't make connection to auth server");
-
- /* Retrieve the principal information. */
- code = ubik_Call(KAM_GetEntry, conn, 0, name, inst, KAMAJORVERSION,
- &entry);
- if (config->debug)
- printf("ubik_Call KAM_GetEntry %ld\n", code);
- if (code != 0)
- die("can't retrieve current flags");
-
- /* Set the flags. */
- if (enable)
- entry.flags &= ~KAFNOTGS;
- else
- entry.flags |= KAFNOTGS;
- code = ubik_Call(KAM_SetFields, conn, 0, name, inst, entry.flags, 0, 0,
- -1, 0, 0);
- if (config->debug)
- printf("ubik_Call KAM_SetFields %ld\n", code);
- if (code != 0)
- die("can't %s principal", enable ? "enable" : "disable");
- code = ubik_ClientDestroy(conn);
- exit(0);
-}
-
-
-/*
- * Examine a principal. The output format is compatible with the old Stanford
- * Kerberos v4 kadmin, which may be compatible with Kerberos v4 kadmin in
- * general (I haven't checked).
- */
-static void
-examine_principal(struct config *config)
-{
- struct ktc_token token;
- struct ubik_client *conn;
- struct kaentryinfo entry;
- char name[MAXKTCNAMELEN];
- char inst[MAXKTCNAMELEN];
- char cell[MAXKTCNAMELEN];
- long code;
- char edate[64], cdate[64], mdate[64];
-
- /* Make connection to AuthServer. */
- authenticate(config, &token);
- parse_principal(config, config->examine, name, inst, cell);
- code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
- if (config->debug)
- printf("ka_AuthServerConn %s %ld\n", cell, code);
- if (code != 0)
- die("can't make connection to auth server");
-
- /* Retrieve and format the entry. */
- code = ubik_Call(KAM_GetEntry, conn, 0, name, inst, KAMAJORVERSION,
- &entry);
- if (config->debug)
- printf("ubik_Call KAM_GetEntry %ld\n", code);
- if (code != 0) {
- if (code == KANOENT)
- die("no such entry in the database");
- else
- die("can't retrieve principal information");
- }
- format_date(edate, sizeof(edate), entry.user_expiration);
- format_date(mdate, sizeof(cdate), entry.modification_time);
- format_date(cdate, sizeof(mdate), entry.change_password_time);
- printf("status: %s\n", (entry.flags & KAFNOTGS) ? "disabled" : "enabled");
- printf("account expiration: %s", edate);
- printf("password last changed: %s", cdate);
- printf("modification time: %s", mdate);
- printf("modified by: %s%s%s\n", entry.modification_user.name,
- (entry.modification_user.instance[0] != '\0') ? "." : "",
- entry.modification_user.instance);
- code = ubik_ClientDestroy(conn);
- exit(0);
-}
-
-
-/*
- * Create a new principal in the AFS kaserver (deleting it and recreating it
- * if it already exists) with either the indicated key or with a random key,
- * and then write out a srvtab for that principal. Also supported is reading
- * the key from an existing srvtab (likely created via Kerberos v5 kadmin from
- * a keytab).
- */
-static void
-generate_srvtab(struct config *config)
-{
- struct ktc_token token;
- struct ubik_client *conn;
- char name[MAXKTCNAMELEN];
- char inst[MAXKTCNAMELEN];
- char cell[MAXKTCNAMELEN];
- long code;
- struct ktc_encryptionKey key;
-
- /* Make connection to AuthServer. */
- authenticate(config, &token);
- parse_principal(config, config->service, name, inst, cell);
- code = ka_AuthServerConn(cell, KA_MAINTENANCE_SERVICE, &token, &conn);
- if (config->debug)
- printf("ka_AuthServerConn %s %ld\n", cell, code);
- if (code != 0)
- die("can't make connection to auth server");
-
- /* Get the key for the principal we're creating. */
- if (config->k5srvtab != NULL) {
- char buffer[SNAME_SZ * 4];
- char *p;
- char sname[SNAME_SZ];
- char sinst[INST_SZ];
- char srealm[REALM_SZ];
- unsigned char kvno;
- FILE *srvtab;
-
- /* Read the whole converted srvtab into memory. */
- srvtab = fopen(config->k5srvtab, "r");
- if (srvtab == NULL)
- sysdie("can't open converted srvtab %s", config->k5srvtab);
- if (fgets(buffer, sizeof(buffer), srvtab) == NULL)
- sysdie("can't read converted srvtab %s", config->k5srvtab);
- fclose(srvtab);
-
- /* Now parse it. Fields are delimited by NUL. */
- p = buffer;
- strncpy(sname, p, SNAME_SZ - 1);
- sname[sizeof(sname) - 1] = '\0';
- p += strlen(sname) + 1;
- strncpy(sinst, p, INST_SZ - 1);
- sinst[sizeof(sinst) - 1] = '\0';
- p += strlen(sinst) + 1;
- strncpy(srealm, p, REALM_SZ - 1);
- srealm[sizeof(srealm) - 1] = '\0';
- p += strlen(srealm) + 1;
- memcpy(&kvno, p, sizeof(unsigned char));
- p += sizeof(unsigned char);
- memcpy(key.data, p, sizeof(key));
- memset(buffer, 0, sizeof(buffer));
- } else if (config->random) {
- code = ubik_Call(KAM_GetRandomKey, conn, 0, &key);
- if (config->debug)
- printf("ubik_Call KAM_GetRandomKey %ld\n", code);
- if (code != 0)
- die("can't get random key");
- } else {
- code = ka_ReadPassword((char *) "service password: ", 1, cell, &key);
- if (code != 0)
- die("can't read password");
- }
-
- /*
- * Now, we have the key. Try to create the principal. If it already
- * exists, try deleting it first and then creating it again.
- */
- code = ubik_Call(KAM_CreateUser, conn, 0, name, inst, key);
- if (config->debug)
- printf("ubik_Call KAM_CreateUser %ld\n", code);
- if (code == KAEXIST) {
- code = ubik_Call(KAM_DeleteUser, conn, 0, name, inst);
- if (config->debug)
- printf("ubik_Call KAM_DeleteUser %ld\n", code);
- if (code != 0)
- die("can't delete existing instance");
- code = ubik_Call(KAM_CreateUser, conn, 0, name, inst, key);
- if (config->debug)
- printf("ubik_Call KAM_CreateUser %ld\n", code);
- }
- if (code != 0)
- die("can't create user");
- code = ubik_ClientDestroy (conn);
-
- /* Create the srvtab file. Don't bother if we have a converted one. */
- if (config->srvtab && !config->k5srvtab) {
- unsigned char kvno = 0;
-
- /* Make a backup copy of any existing one, just in case. */
- if (access(config->srvtab, F_OK) == 0) {
- char backup[MAXPATHLEN];
-
- snprintf(backup, sizeof(backup), "%s.bak", config->srvtab);
- if (rename(config->srvtab, backup) != 0)
- sysdie("can't create backup srvtab %s", backup);
- }
- write_srvtab(config->srvtab, name, inst, cell, kvno, &key);
- }
- memset(&key, 0, sizeof(key));
- exit(0);
-}
-
-
-int
-main(int argc, char *argv[])
-{
- long code;
- int opt;
- struct config config;
-
- /* Initialize, get our local cell, etc. */
- memset(&config, 0, sizeof(config));
- code = ka_Init(0);
- config.local_cell = ka_LocalCell();
- if (config.local_cell == NULL || code != 0)
- die("can't initialize");
-
- /* Parse options. */
- while ((opt = getopt(argc, argv, "a:c:D:de:f:hik:np:rs:tv")) != EOF) {
- switch (opt) {
- case 'a': config.admin = optarg; break;
- case 'c': config.k5srvtab = optarg; break;
- case 'D': config.delete = optarg; break;
- case 'd': config.debug = 1; break;
- case 'e': config.examine = optarg; break;
- case 'f': config.srvtab = optarg; break;
- case 'i': config.init = 1; break;
- case 'k': config.keyfile = optarg; break;
- case 'n': config.notgs = 1; break;
- case 'p': config.password = optarg; break;
- case 'r': config.random = 1; break;
- case 's': config.service = optarg; break;
- case 't': config.tgs = 1; break;
-
- /* Usage doesn't return. */
- case 'h':
- usage(0);
- case 'v':
- printf("kasetkey %s\n", PACKAGE_VERSION);
- exit(0);
- default:
- usage(1);
- }
- }
-
- /* Take the right action. */
- if (config.random && config.k5srvtab)
- usage(1);
- if (config.notgs && config.tgs)
- die("cannot set principal both TGS and NOTGS at the same time");
- if ((config.notgs || config.tgs) && config.service == NULL)
- die("must specify a principal with -s");
- if (config.debug)
- fprintf(stdout, "cell: %s\n", config.local_cell);
- if (config.init)
- initialize_admin_srvtab(&config);
- else if (config.tgs || config.notgs)
- enable_principal(&config, config.tgs);
- else if (config.examine != NULL)
- examine_principal(&config);
- else if (config.service != NULL)
- generate_srvtab(&config);
- else if (config.delete != NULL)
- delete_principal(&config);
- else
- usage(1);
- exit(0);
-}
diff --git a/kasetkey/kasetkey.pod b/kasetkey/kasetkey.pod
deleted file mode 100644
index dcaa8b4..0000000
--- a/kasetkey/kasetkey.pod
+++ /dev/null
@@ -1,148 +0,0 @@
-=head1 NAME
-
-kasetkey - Manipulate AFS kaserver service principal keys
-
-=head1 SYNOPSIS
-
-B<kasetkey> [B<-dhv>] B<-a> I<admin> B<-i> [B<-p> I<password>]
- B<-k> I<keyfile>
-
-B<kasetkey> [B<-dhv>] B<-a> I<admin> [B<-k> I<keyfile>] B<-D> I<service>
-
-B<kasetkey> [B<-dhv>] B<-a> I<admin> [B<-k> I<keyfile>]
- [ B<-c> I<k5srvtab> | B<-r> ] B<-s> I<service> B<-f> I<srvtab>
-
-=head1 DESCRIPTION
-
-B<kasetkey> manipulates principals in an AFS kaserver, usually service
-principals. It's primarily designed for automatic generation of srvtabs
-for keys without regular passwords, but it can be used to do other
-automated tasks, authenticating from a srvtab.
-
-To start using B<kasetkey>, obtain a srvtab for a principal with the ADMIN
-flag set in the AFS kaserver. Such a srvtab can be created from the
-password of that principal using B<kasetkey> with the B<-i> flag. Then,
-use B<-s> to create a srvtab for a particular principal or B<-D> to delete
-a principal from the Kerberos database, passing via B<-k> the path to the
-srvtab containing the key for an ADMIN principal. If you don't use B<-k>,
-B<kasetkey> will prompt you for the password of the given ADMIN principal.
-
-When generating a srvtab for a particular principal using B<-s>, you have
-your choice of ways of setting the key for that principal. The default is
-to prompt you for a password, but usually that's not what you want.
-Provide the B<-r> flag to set a random key, which is normally what you
-want to do for a pure Kerberos v4 principal. When synchronizing Kerberos
-v5 with Kerberos v4, generate a keytab in Kerberos v5, convert it to a
-srvtab using B<ktutil>, and then provide that srvtab to B<kasetkey> with
-the B<-c> flag. B<kasetkey> will then set the key in the AFS kaserver to
-match.
-
-B<kasetkey> uses a simple, brute-force approach to setting keys in the AFS
-kaserver. It creates the principal if it doesn't already exist, and if it
-does already exist, it deletes it and then recreates it.
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<-a> I<admin>
-
-The user as whom changes should be performed. This user must have the
-ADMIN flag set in the AFS kaserver.
-
-=item B<-c> I<srvtab>
-
-When creating a service principal using B<-s>, take the key for that
-principal from I<srvtab>. I<srvtab> must contain a DES key and can be
-created via B<ktutil> from a Kerberos v5 keytab.
-
-=item B<-D> I<service>
-
-Delete the principal I<service> from the AFS kaserver.
-
-=item B<-d>
-
-Turn on debugging. This prints out more information about the exit status
-of all of the API calls used.
-
-=item B<-f> I<srvtab>
-
-Where to write the srvtab for a newly created (or modified) principal.
-Used only with B<-s>.
-
-=item B<-h>
-
-Display an option summary and a few examples and then exit.
-
-=item B<-i>
-
-Initialize a srvtab. Takes the user from B<-a> and either prompts for the
-password or takes it from the B<-p> flag. Writes out the srvtab to the
-path given to B<-k>.
-
-=item B<-k> I<srvtab>
-
-The srvtab to use to authenticate. The key in the srvtab must be the key
-for the user given with B<-a>.
-
-=item B<-p> I<password>
-
-The password for the user for which a srvtab is being initialized. This
-is only used with the B<-i> flag.
-
-=item B<-r>
-
-When generating a new srvtab with B<-s>, randomize the key for that user.
-
-=item B<-s> I<service>
-
-Create a new srvtab for the principal I<service>. If this principal
-already exists, it's deleted and recreated. Takes the key for the
-principal from the srvtab specified with B<-c>, randomizes it if B<-r> is
-given, or prompts for it.
-
-=item B<-v>
-
-Prints the version of B<kasetkey> and exits.
-
-=back
-
-=head1 EXAMPLES
-
-To create a srvtab for rcmd.slapshot and be prompted for the admin
-passowrd:
-
- kasetkey -f srvtab.rcmd.slapshot -s rcmd.slapshot -r
-
-To create a srvtab from within a script you must stash the DES key
-in a srvtab with:
-
- kasetkey -a admin -i -k /.adminkey
-
-(which will prompt you for the password) and then create a srvtab for
-rcmd.slapshot with:
-
- kasetkey -k /.adminkey -a admin -r -f srvtab -s rcmd.slapshot
-
-=head1 CAVEATS
-
-The error reporting of this program is not great. If an action fails, run
-it again with the B<-d> flag, which will print out the return status of
-every AFS operation. You can then pass the failing error code to the
-B<translate_et> program, installed with AFS, to translate the code into an
-error message.
-
-=head1 SEE ALSO
-
-kas(8), kaserver(8), ktutil(8)
-
-This program is part of the wallet system. The current version is available
-from L<http://www.eyrie.org/~eagle/software/wallet/>.
-
-=head1 AUTHORS
-
-Originally written by Roland Schemers. Revised to use srvtabs rather than
-simple DES keys and to support principal deletion by Russ Allbery
-<rra@stanford.edu>, who currently maintains it.
-
-=cut