| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Add SPDX-License-Identifier headers to all substantial source files.
Collapse copyright years. Add some Emacs configuration for files
where the copyright notice is at the end. Add a test that every
file has SPDX-License-Identifier.
|
|
Change-Id: I4c2b5d7c807d6c27dd18a3b92eef66d21287d21e
Reviewed-on: https://gerrit.stanford.edu/1481
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Fix wallet-rekey on keytabs containing multiple principals. Previous
versions assumed one could concatenate keytab files together to make a
valid keytab file, which doesn't work with some Kerberos libraries.
This caused new keys downloaded for principals after the first to be
discarded. As a side effect of this fix, wallet-rekey always appends
new keys directly to the existing keytab file, and never creates a
backup copy of that file.
Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359
Reviewed-on: https://gerrit.stanford.edu/1369
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I6a84920b0c0dc1849af8a34ecf8f3fb70b45e17c
Reviewed-on: https://gerrit.stanford.edu/843
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Change-Id: I06dd9ecca19315179bdd34d4b301548fe7604331
Reviewed-on: https://gerrit.stanford.edu/842
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
When linking the temporary keytab to its final file name, wallet wasn't
checking for errors. Caught by the new gcc warnings.
Change-Id: Ia75b231754bafc800e9e521345b85da256c95ed1
Reviewed-on: https://gerrit.stanford.edu/840
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
|
|
Rekey the keytab in the same principal order as what's stored in the
keytab rather than reversing it, since that makes it easier to test.
Suppress the error message about no data from the server if the server
sent an error. Fix some coding style and spelling errors.
|
|
In wallet-rekey, if the keytab we're supposed to rekey has no rekeyable
principals, die rather than sysdie since there's no errno error to
report.
|
|
If we get a failure to rekey a principal before we've succeeded with
any principal, abort rather than continuing.
|
|
The loop handling finding principals to rekey was not correctly
coping with principals from foreign realms.
|
|
Build a separate wallet-rekey client that rekeys every keytab given
on the command-line. Fix some coding style issues and add internal
prototypes. Build the shared source for both clients into an
uninstalled library to save compilation time.
|
|
Cleaned up several bugs preventing the rekey command from working (bad
calls to variables, matching on version of principal name already stripped
of realm), and removed debugging code.
|
|
First, testing version of wallet rekey code, committed in order to get
feedback from Russ. This code will eventually take an existing keytab
file, and for every principal belonging to our default realm in it, get
new versions of that keytab and merge them into the file. This allows
for quietly rekeying principals automatically.
|
|
Use the Kerberos portability layer from rra-c-util 3.0 and avoid
Kerberos API calls deprecated on Heimdal. Break util/util.h into
separate header files and update all source files accordingly.
The test suite is not yet updated. That will come in subsequent
commits.
|
|
The wallet client no longer enables kaserver synchronization when a
srvtab is requested with -S. Instead, it just extracts the DES key
from the keytab and writes it to a srvtab. It no longer forces the
kvno of the srvtab to 0 (a Stanford-specific action) and instead
preserves the kvno from the key in the keytab. This should now do the
right thing for sites that use a KDC that serves both Kerberos v4 and
Kerberos v5 from the same database.
|
|
Just get the client code to compile with Heimdal. This will need more
work later to use my regular Kerberos portability layer.
|
|
|
|
projects.
The configure option requesting AFS kaserver support (and thus
building kasetkey) is now --with-kaserver instead of --with-afs.
If KRB5_CONFIG was explicitly set in the environment, don't use a
different krb5-config based on --with-krb4 or --with-krb5. If
krb5-config isn't executable, don't use it. This allows one to
force library probing by setting KRB5_CONFIG to point to a
nonexistent file.
Sanity-check the results of krb5-config before proceeding and error
out in configure if they don't work.
Stop setting Stanford-specific compile-time defaults for the wallet
server and port.
|
|
srvtab key before merging the keytab into an existing file.
Otherwise, if the new keys had a lower kvno than the old keys
(possible after deleting and recreating the object), the wrong key
would be extracted for the srvtab.
|
|
keytab keys into that file rather than moving aside the old keytab and
creating a new keytab with only the new keys.
Also fix get handling in the client for all types other than keytabs.
This isn't visible yet since the server doesn't yet support other types
of objects.
|
|
write the keytab to standard output rather than dying with a cryptic
error.
|
|
type from krb5.conf as well as from compile-time defaults and
command-line options.
|
|
and license statements in all files. Make sure that some files that were
missing copyright information now have them. Reference LICENSE rather
than README in all notices.
|
|
just attr to match the actual API.
|
|
object when get is called with the -S flag.
|
|
|
|
expansion. Use the fine-grained remctl API instead of the simple one
since in some cases we'll be running multiple commands.
|
