diff options
Diffstat (limited to 'contrib')
| -rwxr-xr-x | contrib/convert-srvtab-db | 2 | ||||
| -rwxr-xr-x | contrib/used-principals | 6 | ||||
| -rwxr-xr-x | contrib/wallet-contacts | 6 | ||||
| -rwxr-xr-x | contrib/wallet-rekey-periodic | 262 | ||||
| -rw-r--r-- | contrib/wallet-rekey-periodic.8 | 215 | ||||
| -rwxr-xr-x | contrib/wallet-summary | 38 | ||||
| -rw-r--r-- | contrib/wallet-summary.8 | 45 | ||||
| -rwxr-xr-x | contrib/wallet-unknown-hosts | 40 | ||||
| -rw-r--r-- | contrib/wallet-unknown-hosts.8 | 49 |
9 files changed, 583 insertions, 80 deletions
diff --git a/contrib/convert-srvtab-db b/contrib/convert-srvtab-db index 6263472..e05b394 100755 --- a/contrib/convert-srvtab-db +++ b/contrib/convert-srvtab-db @@ -2,7 +2,7 @@ # # convert-srvtab-db -- Converts a leland_srvtab database to wallet # -# Written by Russ Allbery <rra@stanford.edu> +# Written by Russ Allbery <eagle@eyrie.org> # Copyright 2008 # The Board of Trustees of the Leland Stanford Junior University # diff --git a/contrib/used-principals b/contrib/used-principals index ca431e3..7169f0b 100755 --- a/contrib/used-principals +++ b/contrib/used-principals @@ -2,7 +2,7 @@ # # used-principals -- Report which Kerberos v5 principals are in use. # -# Written by Russ Allbery <rra@stanford.edu> +# Written by Russ Allbery <eagle@eyrie.org> # Copyright 2008 # The Board of Trustees of the Leland Stanford Junior University # @@ -108,7 +108,7 @@ __END__ ############################################################################## =for stopwords -KDC bzip2 +KDC bzip2 Allbery =head1 NAME @@ -178,6 +178,6 @@ purposes may require some tweaking. =head1 AUTHOR -Russ Allbery <rra@stanford.edu> +Russ Allbery <eagle@eyrie.org> =cut diff --git a/contrib/wallet-contacts b/contrib/wallet-contacts index 907c161..2799db3 100755 --- a/contrib/wallet-contacts +++ b/contrib/wallet-contacts @@ -2,7 +2,7 @@ # # wallet-contacts -- Report contact addresses for matching wallet objects. # -# Written by Russ Allbery <rra@stanford.edu> +# Written by Russ Allbery <eagle@eyrie.org> # Copyright 2009 # The Board of Trustees of the Leland Stanford Junior University # @@ -137,7 +137,7 @@ print join ("\n", @email, ''); ############################################################################## =for stopwords -ACL NetDB SQL hostname lookup swhois whois +ACL NetDB SQL hostname lookup swhois whois Allbery =head1 NAME @@ -192,6 +192,6 @@ output format. =head1 AUTHOR -Russ Allbery <rra@stanford.edu> +Russ Allbery <eagle@eyrie.org> =cut diff --git a/contrib/wallet-rekey-periodic b/contrib/wallet-rekey-periodic new file mode 100755 index 0000000..c15d83f --- /dev/null +++ b/contrib/wallet-rekey-periodic @@ -0,0 +1,262 @@ +#!/bin/sh +# +# Rekey all principals on a system at a random but constrained interval. +# +# This script is a wrapper around wallet-rekey that adds some additional +# functionality: rekeying of all keytabs at known locations on the system, +# skipping keytabs that are marked unchanging, rekeying any keytabs with DES +# keys immediately but otherwise only rekeying once a month based on a random +# interval based on the hostname, and cleaning up old keys. +# +# It's primarily meant to be run daily from cron, but can also be run manually +# from the command line to rekey specific keytab files. +# +# This script assumes Linux, and the test for Heimdal assumes that the +# Kerberos clients are installed in /usr/bin. At sites other than Stanford, +# change the principal setting near the top of the script to use your local +# realm. + +set -e + +# Red Hat puts its Kerberos binaries in an odd place. Make sure that we +# prefer the system binaries everwhere. +PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/kerberos/bin; export PATH + +# The rekeying interval. Rekeying will be done, on average, every this number +# of days. +INTERVAL=30 + +# Under normal circumstances, we don't want to rekey every host at the same +# time. We therefore run this script daily, but we only do the rekeying if +# it's our day to do so. +# +# For the decision whether we should go on this day, we want to do something +# relatively random, but zero-intervention and with no state. We therefore +# hash the hostname with MD5 and mod it with $INTERVAL, which gives us a +# number between 0 and $INTERVAL - 1. Then, take the mod of the day of the +# year. If the result matches the number we got, we rekey. +# +# We do the check later, since we always want to rekey if we see DES keys. +hostnum=$(hostname | md5sum | awk '{print $1}') +DAY=$(awk "END { print 0x$hostnum % $INTERVAL }" </dev/null) + +# Get the principal with which we're going to run all of our commands. We +# can't just blindly use the first key in /etc/krb5.keytab, since Heimdal +# sometimes reorders the principals in unuseful ways and the host/* key isn't +# first. +hostname=$(hostname --fqdn) +principal="host/${hostname}@stanford.edu" + +# Do the actual check to see if this is our day to go. +is_active_day () { + if expr \( $(date +%j) % "$INTERVAL" \) = "$DAY" >/dev/null ; then + return 0 + else + return 1 + fi +} + +# Returns whether the installed Kerberos implementation on the local system is +# Heimdal. +is_heimdal () { + if [ -x '/usr/bin/kgetcred' ] ; then + return 0 + else + return 1 + fi +} + +# Print the list of principals in a keytab. +principals () { + if is_heimdal ; then + ktutil -k "$1" list | awk '{ + if (FNR > 3) { + princ = $3 + sub(/@.*/, "", princ) + print princ + } + }' | sort -u + else + klist -k "$1" | awk '{ + if (FNR > 3) { + princ = $2 + sub(/@.*/, "", princ) + print princ + } + }' | sort -u + fi +} + +# Run a command under k5start using the host/* principal for the current +# hostname as the authentication credentials. +run_k5start () { + k5start -qf /etc/krb5.keytab "$principal" -- "$@" +} + +# Check all of the principals in a keytab and see if any of them are +# unchanging. If any are, we skip rekeying this keytab, since otherwise we're +# going to accumulate multiple copies of the same key and the cleanup +# functions won't remove the excess keys. +is_unchanging () { + princs=$(principals "$1") + for princ in $princs ; do + if run_k5start wallet show keytab "$princ" 2>&1 \ + | grep -q 'Flags: unchanging' ; then + return 0 + fi + done + return 1 +} + +# Check whether any of the principals in this keytab have DES keys. This is a +# bit complicated, since we don't want to trigger this if there are DES keys +# but ones with old kvnos. +# +# We get a list of all the unique kvnos in the file, and then a list of all +# the unique kvnos of DES keys in the file. If those lists match, we consider +# this a DES keytab; if not, there's at least one kvno with non-DES keys, so +# we consider this a non-DES keytab. +is_des () { + if is_heimdal ; then + all=$(ktutil -k "$1" list | sed '1,3d' | awk '{print $1}' | sort -nu) + des=$(ktutil -k "$1" list | grep des-cbc-crc | awk '{print $1}' \ + | sort -nu) + else + all=$(klist -k "$1" | sed '1,3d' | awk '{print $1}' | sort -nu) + des=$(klist -ke "$1" | egrep '\(DES cbc|des-cbc-crc' \ + | awk '{print $1}' | sort -nu) + fi + if [ "$all" = "$des" ] ; then + return 0 + else + return 1 + fi +} + +# Rekey the given keytab file if it exists, this is either the active day or +# the keytab contains DES keys, and it isn't unchanging. On Heimdal, we'll +# also purge old keys. We can't do this on MIT because the kadmin routine +# that purges old keys requires admin authentication. +rekey () { + if [ -f "$1" ] ; then + if is_des "$1" || is_active_day ; then + if ! is_unchanging "$1" ; then + if is_heimdal ; then + ktutil -k "$1" purge + fi + run_k5start wallet-rekey "$1" + fi + fi + fi +} + +# The default action is to rekey the host keytab, the WebAuth keytab, and any +# keytabs found in /etc/keytabs/*. But if we're given keytabs on the command +# line, we'll rekey those instead. (This won't generally be used since we're +# installed as a cron job.) +if [ -z "$1" ] ; then + for file in /etc/webauth/keytab /etc/keytabs/* /etc/krb5.keytab ; do + rekey "$file" + done +else + for file in "$@" ; do + rekey "$file" + done +fi + +# Documentation. Use a hack to hide this from the shell. Because of the +# above exit line, this should never be executed. +DOCS=<<__END_OF_DOCS__ + +=for stopwords +Allbery DES Heimdal hostname keytab keytabs ktutil rekey rekeyable +rekeying wallet-rekey wallet-rekey-periodic + +=head1 NAME + +wallet-rekey-periodic - Periodically rekey all system keytabs + +=head1 SYNOPSIS + +B<wallet-rekey-periodic> [I<keytab> ...] + +=head1 DESCRIPTION + +B<wallet-rekey-periodic> is a wrapper around wallet-rekey that adds some +additional functionality: rekeying of all keytabs at known locations on +the system, skipping keytabs that are marked unchanging, rekeying any +keytabs with DES keys immediately but otherwise only rekeying once a month +based on a random interval based on the hostname, and cleaning up old +keys. + +It's primarily meant to be run daily from cron, but can also be run +manually from the command line to rekey specific keytab files. + +B<wallet-rekey-periodic> will, for each keytab, find a list of all +principals in that keytab and see if any of them still have DES keys. If +so, it will always attempt to rekey that keytab. If not, it will only do +so, for a given system, once every 30 days (based on a hash of the +hostname). It will also always skip keytabs that contain any principals +that wallet says are unchanging, since otherwise the current wallet-rekey +implementation will duplicate the existing keys. + +On Heimdal systems, this command will remove keys older than a week before +rekeying the keytab. This relies on B<ktutil> functionality that's +available only in Heimdal, so MIT Kerberos keytabs will slowly grow unless +they're manually pruned. This will be fixed in a later release of +B<wallet-rekey>. + +If no keytabs are given on the command line, B<wallet-rekey-periodic> will +rekey a set of system keytabs described below under L</FILES>. Otherwise, +it will rekey the keytabs given. + +=head1 FILES + +=over 4 + +=item F</etc/keytabs/*> + +=item F</etc/krb5.keytab> + +=item F</etc/webauth/keytab> + +The default list of locations checked for rekeyable keytabs. If run with +no command-line arguments, B<wallet-rekey-periodic> will try to rekey +every principal in each keytab found at any of these paths. + +=back + +=head1 AUTHOR + +Russ Allbery <eagle@eyrie.org> + +=head1 COPYRIGHT AND LICENSE + +Copyright 2013, 2014 The Board of Trustees of the Leland Stanford Junior +University + +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the "Software"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. + +=head1 SEE ALSO + +ktutil(8), wallet(1), wallet-rekey(1) + +=cut + +__END_OF_DOCS__ diff --git a/contrib/wallet-rekey-periodic.8 b/contrib/wallet-rekey-periodic.8 new file mode 100644 index 0000000..0899a6e --- /dev/null +++ b/contrib/wallet-rekey-periodic.8 @@ -0,0 +1,215 @@ +.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} +.\} +.rr rF +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "WALLET-REKEY-PERIODIC 8" +.TH WALLET-REKEY-PERIODIC 8 "2014-07-16" "1.1" "wallet" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +wallet\-rekey\-periodic \- Periodically rekey all system keytabs +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBwallet-rekey-periodic\fR [\fIkeytab\fR ...] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fBwallet-rekey-periodic\fR is a wrapper around wallet-rekey that adds some +additional functionality: rekeying of all keytabs at known locations on +the system, skipping keytabs that are marked unchanging, rekeying any +keytabs with \s-1DES\s0 keys immediately but otherwise only rekeying once a month +based on a random interval based on the hostname, and cleaning up old +keys. +.PP +It's primarily meant to be run daily from cron, but can also be run +manually from the command line to rekey specific keytab files. +.PP +\&\fBwallet-rekey-periodic\fR will, for each keytab, find a list of all +principals in that keytab and see if any of them still have \s-1DES\s0 keys. If +so, it will always attempt to rekey that keytab. If not, it will only do +so, for a given system, once every 30 days (based on a hash of the +hostname). It will also always skip keytabs that contain any principals +that wallet says are unchanging, since otherwise the current wallet-rekey +implementation will duplicate the existing keys. +.PP +On Heimdal systems, this command will remove keys older than a week before +rekeying the keytab. This relies on \fBktutil\fR functionality that's +available only in Heimdal, so \s-1MIT\s0 Kerberos keytabs will slowly grow unless +they're manually pruned. This will be fixed in a later release of +\&\fBwallet-rekey\fR. +.PP +If no keytabs are given on the command line, \fBwallet-rekey-periodic\fR will +rekey a set of system keytabs described below under \*(L"\s-1FILES\*(R"\s0. Otherwise, +it will rekey the keytabs given. +.SH "FILES" +.IX Header "FILES" +.IP "\fI/etc/keytabs/*\fR" 4 +.IX Item "/etc/keytabs/*" +.PD 0 +.IP "\fI/etc/krb5.keytab\fR" 4 +.IX Item "/etc/krb5.keytab" +.IP "\fI/etc/webauth/keytab\fR" 4 +.IX Item "/etc/webauth/keytab" +.PD +The default list of locations checked for rekeyable keytabs. If run with +no command-line arguments, \fBwallet-rekey-periodic\fR will try to rekey +every principal in each keytab found at any of these paths. +.SH "AUTHOR" +.IX Header "AUTHOR" +Russ Allbery <eagle@eyrie.org> +.SH "COPYRIGHT AND LICENSE" +.IX Header "COPYRIGHT AND LICENSE" +Copyright 2013, 2014 The Board of Trustees of the Leland Stanford Junior +University +.PP +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the \*(L"Software\*(R"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: +.PP +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +.PP +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIktutil\fR\|(8), \fIwallet\fR\|(1), \fIwallet\-rekey\fR\|(1) diff --git a/contrib/wallet-summary b/contrib/wallet-summary index 4e76119..5cbf6e0 100755 --- a/contrib/wallet-summary +++ b/contrib/wallet-summary @@ -1,8 +1,23 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Summarize keytabs in the wallet database. ############################################################################## +# Modules and declarations +############################################################################## + +require 5.005; + +use strict; +use vars qw($ADDRESS $DUMPFILE @PATTERNS $REPORTS); +use warnings; + +use Getopt::Long qw(GetOptions); +use File::Path qw(mkpath); +use POSIX qw(strftime); +use Wallet::Report (); + +############################################################################## # Site configuration ############################################################################## @@ -15,6 +30,7 @@ $ADDRESS = 'nobody@example.com'; # The various classification patterns for srvtabs. @PATTERNS = ([qr(/cgi\z), '*/cgi', 'CGI users'], + [qr(/cron\z), '*/cron', 'Cron users'], [qr(^(?i)http/), 'HTTP/*', 'HTTP Negotiate-Auth'], [qr(^cifs/), 'cifs/*', 'CIFS'], [qr(^host/), 'host/*', 'Host login'], @@ -29,20 +45,6 @@ $ADDRESS = 'nobody@example.com'; [qr(^service/), 'service/*', 'Service principals']); ############################################################################## -# Modules and declarations -############################################################################## - -require 5.005; - -use strict; -use vars qw($ADDRESS $DUMPFILE @PATTERNS $REPORTS); - -use Getopt::Long qw(GetOptions); -use File::Path qw(mkpath); -use POSIX qw(strftime); -use Wallet::Report (); - -############################################################################## # Database queries ############################################################################## @@ -144,7 +146,7 @@ if ($mail) { } # Run the report. -my @principals = read_dump; +my @principals = read_dump (); report_principals (@principals); # If -m was given, take the saved report and mail it as well. @@ -170,7 +172,7 @@ close REPORT; ############################################################################## =for stopwords --hm keytab keytabs MERCHANTABILITY NONINFRINGEMENT sublicense +-hm keytab keytabs MERCHANTABILITY NONINFRINGEMENT sublicense Allbery =head1 NAME @@ -233,7 +235,7 @@ future development. =head1 AUTHOR -Russ Allbery <rra@stanford.edu> +Russ Allbery <eagle@eyrie.org> =head1 COPYRIGHT AND LICENSE diff --git a/contrib/wallet-summary.8 b/contrib/wallet-summary.8 index b632c53..206e24a 100644 --- a/contrib/wallet-summary.8 +++ b/contrib/wallet-summary.8 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26) +.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== @@ -38,6 +38,8 @@ . ds PI \(*p . ds L" `` . ds R" '' +. ds C` +. ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. @@ -48,17 +50,24 @@ .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX .. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} .\} +.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -124,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-SUMMARY 8" -.TH WALLET-SUMMARY 8 "2013-03-27" "1.0" "wallet" +.TH WALLET-SUMMARY 8 "2014-07-16" "1.1" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -176,7 +185,7 @@ how recently the keytabs were downloaded. These could be useful areas of future development. .SH "AUTHOR" .IX Header "AUTHOR" -Russ Allbery <rra@stanford.edu> +Russ Allbery <eagle@eyrie.org> .SH "COPYRIGHT AND LICENSE" .IX Header "COPYRIGHT AND LICENSE" Copyright 2003, 2008, 2010, 2013 The Board of Trustees of the Leland @@ -192,10 +201,10 @@ Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. .PP -\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0 -\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0, -\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0 -\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0 -\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0 -\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0 -\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0. +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 diff --git a/contrib/wallet-unknown-hosts b/contrib/wallet-unknown-hosts index 1aea11f..50b5a04 100755 --- a/contrib/wallet-unknown-hosts +++ b/contrib/wallet-unknown-hosts @@ -1,8 +1,21 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Report host keytabs in wallet for unknown hosts. ############################################################################## +# Modules and declarations +############################################################################## + +require 5.006; + +use strict; +use warnings; + +use DB_File (); +use Wallet::Report (); +use Wallet::Server (); + +############################################################################## # Site configuration ############################################################################## @@ -22,9 +35,10 @@ our $MIN = 3; our $THRESHOLD = time - 30 * 24 * 60 * 60; # Set up a Net::DNS resolver that will be used by local_check_keytab. +my $DNS; BEGIN { use Net::DNS; - our $DNS = Net::DNS::Resolver->new; + $DNS = Net::DNS::Resolver->new; } # Pre-filter. This is called for all host-based keytabs and is the place to @@ -55,18 +69,6 @@ sub local_check_keytab { } ############################################################################## -# Modules and declarations -############################################################################## - -require 5.006; - -use strict; - -use DB_File (); -use Wallet::Report (); -use Wallet::Server (); - -############################################################################## # Utility functions ############################################################################## @@ -97,6 +99,7 @@ sub check_host { # Do a scan of all host-based keytabs in wallet and record those that are not # found in DNS or which should not be used according to site configuration. sub check { + my %history; tie %history, 'DB_File', $HISTORY; my @keytabs = list_keytabs; for my $keytab (@keytabs) { @@ -124,6 +127,7 @@ sub check { # list (given as a threshold time in seconds since epoch). sub report { my ($min, $threshold) = @_; + my %history; tie %history, 'DB_File', $HISTORY; for my $keytab (sort keys %history) { my ($count, $time) = split (',', $history{$keytab}); @@ -142,6 +146,7 @@ sub report { sub purge { my ($user, $min, $threshold) = @_; my $wallet = Wallet::Server->new ($user, 'localhost'); + my %history; tie %history, 'DB_File', $HISTORY; for my $keytab (sort keys %history) { my ($count, $time) = split (',', $history{$keytab}); @@ -161,7 +166,7 @@ sub purge { my $command = shift or die "Usage: $0 (check | report | purge)\n"; if ($command eq 'check') { - check; + check (); } elsif ($command eq 'report') { my ($min, $threshold) = @_; $min = $MIN unless defined ($min); @@ -170,6 +175,7 @@ if ($command eq 'check') { report ($min, $threshold); } elsif ($command eq 'purge') { my $user = $ENV{REMOTE_USER} or die "$0: REMOTE_USER must be set\n"; + my ($min, $threshold) = @_; $min = $MIN unless defined ($min); die "$0: minimum count must be at least 1\n" if $min < 1; $threshold = $THRESHOLD unless defined ($threshold); @@ -184,7 +190,7 @@ if ($command eq 'check') { =for stopwords ACL API CNAME DNS IP env keytab keytabs timestamp MERCHANTABILITY -NONINFRINGEMENT sublicense +NONINFRINGEMENT sublicense Allbery =head1 NAME @@ -251,7 +257,7 @@ actions as a local administrator. =head1 AUTHOR -Russ Allbery <rra@stanford.edu> +Russ Allbery <eagle@eyrie.org> =head1 COPYRIGHT AND LICENSE diff --git a/contrib/wallet-unknown-hosts.8 b/contrib/wallet-unknown-hosts.8 index 4fa91a6..29f21ed 100644 --- a/contrib/wallet-unknown-hosts.8 +++ b/contrib/wallet-unknown-hosts.8 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26) +.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== @@ -38,6 +38,8 @@ . ds PI \(*p . ds L" `` . ds R" '' +. ds C` +. ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. @@ -48,17 +50,24 @@ .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. -.ie \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX .. -. nr % 0 -. rr F -.\} -.el \{\ -. de IX +.nr rF 0 +.if \n(.g .if rF .nr rF 1 +.if (\n(rF:(\n(.g==0)) \{ +. if \nF \{ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. +. if !\nF==2 \{ +. nr % 0 +. nr F 2 +. \} +. \} .\} +.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -124,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-UNKNOWN-HOSTS 8" -.TH WALLET-UNKNOWN-HOSTS 8 "2013-03-27" "1.0" "wallet" +.TH WALLET-UNKNOWN-HOSTS 8 "2014-07-16" "1.1" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +150,7 @@ env REMOTE_USER=\fIprincipal\fR \fBwallet-unknown-hosts\fR purge \fImin\fR \fIda .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBwallet-unknown-hosts\fR constructs a database recording host-based keytabs -in wallet whose corresponding hosts are not found in \s-1DNS\s0. It records in +in wallet whose corresponding hosts are not found in \s-1DNS. \s0 It records in that database the number of times the host wasn't found and the timestamp of the first time it was not found. It can then generate a report of host-based keytab objects that have not been found for a minimum number of @@ -178,7 +187,7 @@ list of keytab objects the same as with the \f(CW\*(C`report\*(C'\fR argument, u same additional arguments, but rather than printing them out will instead delete them from the wallet database. To run \f(CW\*(C`purge\*(C'\fR, the environment variable \s-1REMOTE_USER\s0 must be set to a principal that's a member of the -\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL\s0. +\&\f(CW\*(C`ADMIN\*(C'\fR \s-1ACL.\s0 .SH "BUGS" .IX Header "BUGS" \&\fBwallet-unknown-hosts\fR doesn't have any facility to purge from its @@ -189,7 +198,7 @@ Wallet::Server \s-1API\s0 and needs to be fixed by providing some way to perform actions as a local administrator. .SH "AUTHOR" .IX Header "AUTHOR" -Russ Allbery <rra@stanford.edu> +Russ Allbery <eagle@eyrie.org> .SH "COPYRIGHT AND LICENSE" .IX Header "COPYRIGHT AND LICENSE" Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior @@ -205,10 +214,10 @@ Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. .PP -\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0 -\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0, -\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0 -\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0 -\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0 -\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0 -\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0. +\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE.\s0 |