diff options
Diffstat (limited to 'contrib')
| -rwxr-xr-x | contrib/ad-keytab | 692 | ||||
| -rwxr-xr-x | contrib/commerzbank/wallet-history | 3 | ||||
| -rwxr-xr-x | contrib/convert-srvtab-db | 2 | ||||
| -rwxr-xr-x | contrib/used-principals | 2 | ||||
| -rwxr-xr-x | contrib/wallet-contacts | 2 | ||||
| -rwxr-xr-x | contrib/wallet-rekey-periodic | 10 | ||||
| -rw-r--r-- | contrib/wallet-rekey-periodic.8 | 30 | ||||
| -rwxr-xr-x | contrib/wallet-summary | 3 | ||||
| -rw-r--r-- | contrib/wallet-summary.8 | 28 | ||||
| -rwxr-xr-x | contrib/wallet-unknown-hosts | 8 | ||||
| -rw-r--r-- | contrib/wallet-unknown-hosts.8 | 30 |
11 files changed, 757 insertions, 53 deletions
diff --git a/contrib/ad-keytab b/contrib/ad-keytab new file mode 100755 index 0000000..badcb8d --- /dev/null +++ b/contrib/ad-keytab @@ -0,0 +1,692 @@ +#!/usr/bin/perl -w +# +# Create, update, delete, and display keytabs stored in Active Directory. +# +# Written by Bill MacAllister <whm@dropbox.com> +# Copyright 2016 Dropbox, Inc. +# +# SPDX-License-Identifier: MIT + +############################################################################## +# Declarations +############################################################################## + +require 5.005; + +use strict; +use warnings; + +use Authen::SASL; +use Carp; +use Getopt::Long; +use IPC::Run qw( run timeout ); +use Net::LDAP; +use Pod::Usage; + +my $opt_ad_server; +my $opt_base_dn; +my $opt_computer_rdn; +my $opt_config; +my $opt_debug; +my $opt_dump; +my $opt_help; +my $opt_manual; +my $opt_prefix; +my $opt_user_rdn; + +# LDAP conneciton +my $LDAP; + +# Configuration variables +our $AD_BASE_DN; +our $AD_COMPUTER_RDN; +our $AD_DEBUG; +our $AD_SERVER; +our $AD_SERVICE_PREFIX; +our $AD_USER_RDN; +our $KEYTAB_REALM; + +############################################################################## +# Subroutines +############################################################################## + +# Write messages to standard output and check the return status +sub msg { + my @msgs = @_; + for my $m (@msgs) { + print STDOUT $m . "\n" or croak("Problem printing to STDOUT"); + } + return; +} + +# Write debugging messages +sub dbg { + my ($m) = @_; + msg("DEBUG:$m"); + return; +} + +# Decode Active Directory's userAccountControl attribute +# Flags are powers of two starting at zero. +sub list_userAccountControl { + my ($uac) = @_; + my @flags = ( + 'SCRIPT', + 'ACCOUNTDISABLE', + 'HOMEDIR_REQUIRED', + 'LOCKOUT', + 'PASSWD_NOTREQD', + 'PASSWD_CANT_CHANGE', + 'ENCRYPTED_TEXT_PWD_ALLOWED', + 'TEMP_DUPLICATE_ACCOUNT', + 'NORMAL_ACCOUNT', + 'INTERDOMAIN_TRUST_ACCOUNT', + 'WORKSTATION_TRUST_ACCOUNT', + 'SERVER_TRUST_ACCOUNT', + 'DONT_EXPIRE_PASSWORD', + 'MNS_LOGON_ACCOUNT', + 'SMARTCARD_REQUIRED', + 'TRUSTED_FOR_DELEGATION', + 'NOT_DELEGATED', + 'USE_DES_KEY_ONLY', + 'DONT_REQ_PREAUTH', + 'PASSWORD_EXPIRED', + 'TRUSTED_TO_AUTH_FOR_DELEGATION', + 'PARTIAL_SECRETS_ACCOUNT' + ); + + my $flag_list; + my $comma = ''; + for (my $i=0; $i<scalar(@flags); $i++) { + if ($uac & (2**$i)) { + $flag_list .= $comma . $flags[$i]; + $comma = ', '; + } + } + return $flag_list; +} + +# GSS-API bind to the active directory server +sub ldap_connect { + if ($AD_DEBUG) { + dbg('binding to ' . $AD_SERVER); + } + + if ($LDAP) { + if ($AD_DEBUG) { + dbg('Already bound to ' . $AD_SERVER); + } + return $LDAP; + } + + if (!$AD_SERVER) { + croak("Missing ldap host name, specify ad_server=\n"); + } + eval { + my $sasl = Authen::SASL->new(mechanism => 'GSSAPI'); + $LDAP = Net::LDAP->new($AD_SERVER, onerror => 'die'); + my $mesg = eval { $LDAP->bind(undef, sasl => $sasl) }; + }; + if ($@) { + my $error = $@; + die "ldap bind to AD failed: $error\n"; + } + return $LDAP; +} + +# Take in a base and a filter and return the assoicated DN. +sub get_dn { + my ($base, $filter) = @_; + my $dn; + + if ($AD_DEBUG) { + dbg("base:$base filter:$filter scope:subtree\n"); + } + + ldap_connect(); + my @attrs = ('objectclass'); + my $result; + eval { + $result = $LDAP->search( + base => $base, + scope => 'subtree', + filter => $filter, + attrs => \@attrs + ); + }; + if ($@) { + my $error = $@; + die "LDAP search error: $error\n"; + } + if ($result->code) { + msg("INFO base:$base filter:$filter scope:subtree\n"); + die $result->error; + } + if ($AD_DEBUG) { + dbg('returned: ' . $result->count); + } + + if ($result->count == 1) { + for my $entry ($result->entries) { + $dn = $entry->dn; + } + } elsif ($result->count > 1) { + msg('ERROR: too many AD entries for this keytab'); + for my $entry ($result->entries) { + msg('INFO: dn found ' . $entry->dn . "\n"); + } + die("INFO: use show to examine the problem\n"); + } + + return $dn; +} + +# Take a principal and split into parts. The parts are keytab type, +# keytab identifier, the base dn, the cn, and an LDAP filter. +sub kerberos_attrs { + my ($principal) = @_; + + my %attr; + $attr{principal} = $principal; + + my $dn; + my $host; + my $k_type; + my $k_id; + if ($principal =~ m,^(.*?)/(\S+),xms) { + $attr{type} = $1; + $attr{id} = $2; + # Create a filter to find the objects we create + if ($attr{id} =~ s/@(.*)//xms) { + $attr{realm} = $1; + $attr{filter} = "(userPrincipalName=${principal})"; + } elsif ($KEYTAB_REALM) { + $attr{realm} = $KEYTAB_REALM; + $attr{filter} + = "(userPrincipalName=${principal}\@${KEYTAB_REALM})"; + } else { + $attr{filter} = "(userPrincipalName=${principal}\@*)"; + } + if ($attr{type} eq 'host') { + # Host keytab attributes + $attr{base} = $AD_COMPUTER_RDN . ',' . $AD_BASE_DN; + $attr{cn} = $attr{id}; + $attr{cn} =~ s/[.].*//; + $attr{dn} = "cn=$attr{cn},$attr{base}"; + } else { + # Service keytab attributes + $attr{base} = $AD_USER_RDN . ',' . $AD_BASE_DN; + $attr{cn} = "${AD_SERVICE_PREFIX}$attr{id}"; + $attr{dn} = "cn=$attr{cn},$attr{base}"; + my $real_dn = get_dn($attr{base}, $attr{filter}); + if ($real_dn) { + if (lc($real_dn) ne lc($attr{dn})) { + $attr{dn} = $real_dn; + $attr{cn} = $real_dn; + $attr{cn} =~ s/,.*//xms; + $attr{cn} =~ s/.*?=//xms; + } + } else { + if (length($attr{cn})>20) { + my $cnt = 0; + my $this_dn; + my $this_prefix = substr($attr{cn}, 0, 18); + $attr{dn} = ''; + while ($cnt<100) { + my $this_cn = $this_prefix . sprintf('%02i', $cnt); + $this_dn = get_dn($attr{base}, "cn=$this_cn"); + if (!$this_dn) { + $attr{dn} = $this_cn . ',' . $attr{base}; + $attr{cn} = $attr{dn}; + $attr{cn} =~ s/,.*//xms; + $attr{cn} =~ s/.*?=//xms; + last; + } + $cnt++; + } + if (!$attr{dn}) { + die "ERROR: Cannot file unique dn for keytab\n"; + } + } + } + } + } + if ($AD_DEBUG) { + for my $a (sort keys %attr) { + dbg("$a = $attr{$a}"); + } + } + return %attr; +} + +# Perform an LDAP search against AD and return information about +# service and host accounts. +sub ad_show { + my ($principal, $kattr_ref) = @_; + + ldap_connect(); + my %kattr = %{$kattr_ref}; + my $base = $kattr{base}; + my $filter = $kattr{filter}; + my @attrs = (); + if (!$opt_dump) { + @attrs = ( + 'distinguishedName', 'objectclass', + 'dnsHostname', 'msds-KeyVersionNumber', + 'msds-SupportedEncryptionTypes', 'name', + 'servicePrincipalName', 'samAccountName', + 'userAccountControl', 'userPrincipalName', + 'whenChanged', 'whenCreated', + ); + } + + if ($AD_DEBUG) { + dbg("base:$base filter:$filter scope:subtree\n"); + } + + my $result; + eval { + $result = $LDAP->search( + base => $base, + scope => 'subtree', + filter => $filter, + attrs => \@attrs + ); + }; + if ($@) { + my $error = $@; + die "LDAP search error: $error\n"; + } + if ($result->code) { + msg("INFO base:$base filter:$filter scope:subtree\n"); + die $result->error; + } + if ($AD_DEBUG) { + dbg('returned: ' . $result->count); + } + if ($result->count > 0) { + for my $entry ($result->entries) { + for my $attr ( sort $entry->attributes ) { + my $out = ''; + if ($attr =~ /userAccountControl/xmsi) { + my $val = $entry->get_value($attr); + $out = "$attr: $val"; + $out .= ' (' . list_userAccountControl($val) . ')'; + msg($out); + } else { + my $val_ref = $entry->get_value($attr, asref => 1); + my @vals = @{$val_ref}; + for my $val (@vals) { + msg("$attr: $val"); + } + } + } + } + } else { + msg("$kattr{type}/$kattr{id} not found"); + } + msg(' '); + return; +} + +# Run a shell command. In this case the command will always be msktutil. +sub run_cmd { + my @cmd = @_; + + if ($AD_DEBUG) { + dbg('running command:' . join(q{ }, @cmd)); + } + + my $in; + my $out; + my $err; + my $err_flag; + eval { + run(\@cmd, \$in, \$out, \$err, timeout(60)); + if ($?) { + my $this_err = $?; + $err_flag = 1; + if ($this_err) { + msg('ERROR:' . $?); + } + if ($err) { + msg('ERROR (err):' . $err); + } + } + }; + if ($@) { + msg('ERROR (status):' . $@); + $err_flag = 1; + } + if ($err_flag) { + msg('ERROR: Problem executing:' . join(q{ }, @cmd)); + die "FATAL: Execution failed\n"; + } + + msg($out); + return; +} + +# Either create or update a keytab for the principal. Return the name +# of the keytab file created. +sub ad_create_update { + my ($file, $action, $kattr_ref) = @_; + my %kattr = %{$kattr_ref}; + + my @cmd = ('/usr/sbin/msktutil'); + push @cmd, '--' . $action; + push @cmd, '--server', $AD_SERVER; + push @cmd, '--enctypes', '0x4'; + push @cmd, '--enctypes', '0x8'; + push @cmd, '--enctypes', '0x10'; + push @cmd, '--keytab', $file; + push @cmd, '--upn', $kattr{principal}; + if ($kattr{realm}) { + push @cmd, '--realm', $kattr{realm}; + } + if ($kattr{type} eq 'host') { + push @cmd, '--base', $AD_COMPUTER_RDN; + push @cmd, '--dont-expire-password'; + push @cmd, '--computer-name', $kattr{cn}; + push @cmd, '--hostname', $kattr{id}; + } else { + my $service_id = $1; + push @cmd, '--base', $AD_USER_RDN; + push @cmd, '--use-service-account'; + push @cmd, '--service', $kattr{principal}; + push @cmd, '--account-name', $kattr{cn}; + push @cmd, '--no-pac'; + } + run_cmd(@cmd); + return; +} + +# Delete a principal from Kerberos. For AD this means just delete the +# object using LDAP. +sub ad_delete { + my ($kattr_ref) = @_; + my %kattr = %{$kattr_ref}; + + my $del_dn = get_dn($kattr{base}, $kattr{filter}); + + if (!$del_dn) { + msg("WARN: the keytab for $kattr{principal} does not exist."); + return 1; + } else { + ldap_connect(); + my $msgid = $LDAP->delete($del_dn); + if ($msgid->code) { + my $m; + $m .= "ERROR: Problem deleting $kattr{dn}\n"; + $m .= $msgid->error; + die $m; + } + } + return; +} + +############################################################################## +# Main Routine +############################################################################## + +# Get options +GetOptions( + 'ad_server=s' => \$opt_ad_server, + 'base_dn=s' => \$opt_base_dn, + 'computer_rdn=s' => \$opt_computer_rdn, + 'config=s' => \$opt_config, + 'debug' => \$opt_debug, + 'dump' => \$opt_dump, + 'help' => \$opt_help, + 'prefix' => \$opt_prefix, + 'manual' => \$opt_manual, + 'user_rdn=s' => \$opt_user_rdn +); + +# Help the user +if ($opt_manual) { + pod2usage(-verbose => 2); +} +if ($opt_help || !$ARGV[0]) { + pod2usage(-verbose => 0); +} + +# Make sure that we have kerberos credentials and that KRB5CCNAME +# points to them. +if (!$ENV{'KRB5CCNAME'}) { + msg('INFO: environment variable KRB5CCNAME not found.'); + msg('ERROR: Kerberos credentials are required.'); + pod2usage(-verbose => 0); +} + +# Read the configuration file or croak +my $conf_file; +if ($opt_config) { + if (-e $opt_config) { + $conf_file = $opt_config; + } else { + msg("ERROR: Config file ($opt_config) not found"); + pod2usage(-verbose => 0); + } +} elsif ($ENV{'ADKEYTAB'}) { + $conf_file = $ENV{'ADKEYTAB'}; +} elsif (-e '.ad-keytab.conf') { + $conf_file = '.ad-keytab.conf'; +} else { + $conf_file = '/etc/wallet/wallet.conf'; +} +do $conf_file or die (($@ || $!) . "\n"); + +# Process command line options +if ($opt_ad_server) { + $AD_SERVER = $opt_ad_server; +} +if ($opt_base_dn) { + $AD_BASE_DN = $opt_base_dn; +} +if ($opt_prefix) { + $AD_SERVICE_PREFIX = $opt_prefix; +} +if ($opt_computer_rdn) { + $AD_COMPUTER_RDN = $opt_computer_rdn; +} +if ($opt_user_rdn) { + $AD_USER_RDN = $opt_user_rdn; +} +if ($opt_debug) { + $AD_DEBUG = 1; +} + +# -- Get command line arguments +my $action = shift; +my $id = shift; +my $keytab; +if ($ARGV[0]) { + $keytab = shift; +} else { + $keytab = '/etc/krb5.keytab'; +} + +my %kattr = kerberos_attrs($id); +# Validate that the keytab id makes sense for the keytab type +if ($kattr{type} eq 'host') { + if ($kattr{id} !~ /[.]/xms) { + msg('ERROR: FQDN is required'); + pod2usage(-verbose => 0); + } +} else { + if ($kattr{id} =~ /[.]/xms) { + msg('ERROR: service principal names may not contain periods'); + pod2usage(-verbose => 0); + } +} + +if ($action =~ /^(create|update)/xms) { + ad_create_update($keytab, $action, \%kattr); +} elsif ($action =~ /^del/xms) { + ad_delete(\%kattr); +} elsif ($action =~ /^sh/xms) { + ad_show($id, \%kattr); +} else { + msg("ERROR: unknown action $action"); + pod2usage(-verbose => 0); +} + +exit; + +__END__ + +=for stopwords +KDC LDAP MacAllister keytab keytabs msktutil ldapsearch MERCHANTABILITY +NONINFRINGEMENT sublicense SPDX-License-Identifier MIT + +=head1 NAME + +ad-keytab + +=head1 SYNOPSIS + +ad-keytab create|update|delete|show keytab-id [keytab-file] +[--ad_server=hostname] [--computer_rdn=dn] [--user_rdn] [--dump] +[--help] [--manual] [--debug] + +=head1 DESCRIPTION + +This script is a wrapper around msktutil and ldapsearch to simplify +the creation of host and service keytabs. The script is useful for +boot strapping the Kerberos credentials required to use Active +Directory as a backend keytab store for wallet. The script shares +the wallet configuration file. + +Generally, two keytabs will need to be created to setup wallet. One +host keytab for the wallet server host and one service keytab for +wallet to use when connecting to an Active Directory Domain +Controller. + +Note, this script does not update the Wallet database which means +any keytabs created by it will be invisible from wallet. + +=head1 ACTIONS + +=over 4 + +=item create + +Add a keytab to AD and update the keytab file. Fails if the keytab +already exists. + +=item update + +Update an existing keytab in AD and update the keytab file. Fails if +the keytab does not exist. + +=item delete + +Delete a keytab from AD and remove it from the keytab file. + +=item show + +Show AD's view of the account corresponding to the keytab. This action +does not use msktutil and queries AD directly using LDAP. + +=back + +=head1 OPTIONS AND ARGUMENTS + +=over 4 + +=item keytab-id + +This is either host principal name of the form host/<fqdn> or a +service principal name of the form service/<id>. Service keytab +identifiers cannot be longer than 18 characters because of an +Active Directory restriction. + +=item keytab-filename + +The name of the keytab file. Defaults to /etc/krb5.keytab. + +=item --conf=filename + +The configuration file to read. The script searches for a configuration +file in the following order. + + * The command line switch --conf + * The environment variable ADKEYTAB + * The file .ad-keytab.conf + * The file /etc/ad-keytab.conf + +=item --ad_server=hostname + +The name of the Active Directory host to connect to. It is important +what the script contact only _one_ server due to the fact that +propagation within an Active Directory domain can be quite slow. + +=item --base_dn=ou=org,dc=domain,dc=tld + +The base distinguished name holding both computer and user accounts. + +=item --computer_rdn=dn + +The relative distinguished name to use as the base DN for both the +creation of host keytabs and searches of Active Directory. The +distinguished name formed will be computer_rdn,base_dn. + +=item --user_rdn=dn + +The relative distinguished name to use as the base DN for LDAP +searches of Active Directory for service keytabs. The distinguished +name formed will be user_rdn_rdn,base_dn. + +=item --dump + +When displaying keytab attributes show all of the attributes. + +=item --help + +Displays help text. + +=item --manual + +Displays more complete help text. + +=item --debug + +Turns on debugging displays. + +=back + +=head1 SEE ALSO + +Set the documentation for Wallet::Config for configuration information, i.e. +perldoc Wallet::Config. + +=head1 AUTHOR + +Bill MacAllister <whm@dropbox.com> + +=head1 COPYRIGHT AND LICENSE + +Copyright 2016 Dropbox, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the "Software"), +to deal in the Software without restriction, including without limitation +the rights to use, copy, modify, merge, publish, distribute, sublicense, +and/or sell copies of the Software, and to permit persons to whom the +Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. + +SPDX-License-Identifier: MIT + +=cut diff --git a/contrib/commerzbank/wallet-history b/contrib/commerzbank/wallet-history index 9826057..0adc766 100755 --- a/contrib/commerzbank/wallet-history +++ b/contrib/commerzbank/wallet-history @@ -31,6 +31,9 @@ # perl wallet-history.pl ... (t.b.d.)... # #-------------------------------------------------------------------------------------------------------------- +# +# SPDX-License-Identifier: MIT + # Version. my $VERSION = "0.5"; diff --git a/contrib/convert-srvtab-db b/contrib/convert-srvtab-db index e05b394..2801767 100755 --- a/contrib/convert-srvtab-db +++ b/contrib/convert-srvtab-db @@ -6,7 +6,7 @@ # Copyright 2008 # The Board of Trustees of the Leland Stanford Junior University # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT ############################################################################## # Modules and site configuration diff --git a/contrib/used-principals b/contrib/used-principals index 7169f0b..c6cac9b 100755 --- a/contrib/used-principals +++ b/contrib/used-principals @@ -6,7 +6,7 @@ # Copyright 2008 # The Board of Trustees of the Leland Stanford Junior University # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT require 5.006; use strict; diff --git a/contrib/wallet-contacts b/contrib/wallet-contacts index 0c72c9c..6ad2292 100755 --- a/contrib/wallet-contacts +++ b/contrib/wallet-contacts @@ -6,7 +6,7 @@ # Copyright 2009, 2015 # The Board of Trustees of the Leland Stanford Junior University # -# See LICENSE for licensing terms. +# SPDX-License-Identifier: MIT ############################################################################## # Modules and declarations diff --git a/contrib/wallet-rekey-periodic b/contrib/wallet-rekey-periodic index c15d83f..1e22e1e 100755 --- a/contrib/wallet-rekey-periodic +++ b/contrib/wallet-rekey-periodic @@ -170,7 +170,7 @@ DOCS=<<__END_OF_DOCS__ =for stopwords Allbery DES Heimdal hostname keytab keytabs ktutil rekey rekeyable -rekeying wallet-rekey wallet-rekey-periodic +rekeying wallet-rekey wallet-rekey-periodic SPDX-License-Identifier MIT =head1 NAME @@ -232,7 +232,7 @@ Russ Allbery <eagle@eyrie.org> =head1 COPYRIGHT AND LICENSE -Copyright 2013, 2014 The Board of Trustees of the Leland Stanford Junior +Copyright 2013-2014 The Board of Trustees of the Leland Stanford Junior University Permission is hereby granted, free of charge, to any person obtaining a @@ -253,6 +253,8 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +SPDX-License-Identifier: MIT + =head1 SEE ALSO ktutil(8), wallet(1), wallet-rekey(1) @@ -260,3 +262,7 @@ ktutil(8), wallet(1), wallet-rekey(1) =cut __END_OF_DOCS__ + +# Local Variables: +# copyright-at-end-flag: t +# End: diff --git a/contrib/wallet-rekey-periodic.8 b/contrib/wallet-rekey-periodic.8 index 0cd04f3..f2f619a 100644 --- a/contrib/wallet-rekey-periodic.8 +++ b/contrib/wallet-rekey-periodic.8 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29) +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== @@ -46,7 +46,7 @@ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for +.\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. @@ -54,20 +54,16 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 . \} .\} -.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -133,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-REKEY-PERIODIC 8" -.TH WALLET-REKEY-PERIODIC 8 "2016-01-18" "1.3" "wallet" +.TH WALLET-REKEY-PERIODIC 8 "2018-06-03" "1.4" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -190,7 +186,7 @@ every principal in each keytab found at any of these paths. Russ Allbery <eagle@eyrie.org> .SH "COPYRIGHT AND LICENSE" .IX Header "COPYRIGHT AND LICENSE" -Copyright 2013, 2014 The Board of Trustees of the Leland Stanford Junior +Copyright 2013\-2014 The Board of Trustees of the Leland Stanford Junior University .PP Permission is hereby granted, free of charge, to any person obtaining a @@ -205,11 +201,13 @@ all copies or substantial portions of the Software. .PP \&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\s0 \s-1IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\s0 +.PP +SPDX-License-Identifier: \s-1MIT\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIktutil\fR\|(8), \fIwallet\fR\|(1), \fIwallet\-rekey\fR\|(1) diff --git a/contrib/wallet-summary b/contrib/wallet-summary index ba224d0..8a12294 100755 --- a/contrib/wallet-summary +++ b/contrib/wallet-summary @@ -173,6 +173,7 @@ close REPORT; =for stopwords -hm keytab keytabs MERCHANTABILITY NONINFRINGEMENT sublicense Allbery +SPDX-License-Identifier MIT =head1 NAME @@ -260,4 +261,6 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +SPDX-License-Identifier: MIT + =cut diff --git a/contrib/wallet-summary.8 b/contrib/wallet-summary.8 index e64bc61..08a01d6 100644 --- a/contrib/wallet-summary.8 +++ b/contrib/wallet-summary.8 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29) +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== @@ -46,7 +46,7 @@ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for +.\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. @@ -54,20 +54,16 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 . \} .\} -.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -133,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-SUMMARY 8" -.TH WALLET-SUMMARY 8 "2016-01-18" "1.3" "wallet" +.TH WALLET-SUMMARY 8 "2018-06-03" "1.4" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -203,8 +199,10 @@ all copies or substantial portions of the Software. .PP \&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\s0 \s-1IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\s0 +.PP +SPDX-License-Identifier: \s-1MIT\s0 diff --git a/contrib/wallet-unknown-hosts b/contrib/wallet-unknown-hosts index 50b5a04..adf7b27 100755 --- a/contrib/wallet-unknown-hosts +++ b/contrib/wallet-unknown-hosts @@ -190,7 +190,7 @@ if ($command eq 'check') { =for stopwords ACL API CNAME DNS IP env keytab keytabs timestamp MERCHANTABILITY -NONINFRINGEMENT sublicense Allbery +NONINFRINGEMENT sublicense Allbery SPDX-License-Identifier MIT =head1 NAME @@ -282,4 +282,10 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +SPDX-License-Identifier: MIT + =cut + +# Local Variables: +# copyright-at-end-flag: t +# End: diff --git a/contrib/wallet-unknown-hosts.8 b/contrib/wallet-unknown-hosts.8 index 2e52b11..4046854 100644 --- a/contrib/wallet-unknown-hosts.8 +++ b/contrib/wallet-unknown-hosts.8 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.29) +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== @@ -46,7 +46,7 @@ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" -.\" If the F register is turned on, we'll generate index entries on stderr for +.\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. @@ -54,20 +54,16 @@ .\" Avoid warning from groff about undefined register 'F'. .de IX .. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{ -. if \nF \{ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" .. -. if !\nF==2 \{ -. nr % 0 -. nr F 2 -. \} +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 . \} .\} -.rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. @@ -133,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "WALLET-UNKNOWN-HOSTS 8" -.TH WALLET-UNKNOWN-HOSTS 8 "2016-01-18" "1.3" "wallet" +.TH WALLET-UNKNOWN-HOSTS 8 "2018-06-03" "1.4" "wallet" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,7 +146,7 @@ env REMOTE_USER=\fIprincipal\fR \fBwallet-unknown-hosts\fR purge \fImin\fR \fIda .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBwallet-unknown-hosts\fR constructs a database recording host-based keytabs -in wallet whose corresponding hosts are not found in \s-1DNS. \s0 It records in +in wallet whose corresponding hosts are not found in \s-1DNS.\s0 It records in that database the number of times the host wasn't found and the timestamp of the first time it was not found. It can then generate a report of host-based keytab objects that have not been found for a minimum number of @@ -216,8 +212,10 @@ all copies or substantial portions of the Software. .PP \&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.\s0 \s-1IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\s0 +.PP +SPDX-License-Identifier: \s-1MIT\s0 |