1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
|
# Wallet::Object::Keytab -- Keytab object implementation for the wallet.
# $Id$
#
# Written by Russ Allbery <rra@stanford.edu>
# Copyright 2007 Board of Trustees, Leland Stanford Jr. University
#
# See README for licensing terms.
##############################################################################
# Modules and declarations
##############################################################################
package Wallet::Object::Keytab;
require 5.006;
use strict;
use vars qw(@ISA $VERSION);
use Wallet::Config ();
use Wallet::Object::Base;
@ISA = qw(Wallet::Object::Base);
# This version should be increased on any code change to this module. Always
# use two digits for the minor version with a leading zero if necessary so
# that it will sort properly.
$VERSION = '0.01';
##############################################################################
# kadmin Interaction
##############################################################################
# Make sure that principals are well-formed and don't contain characters that
# will cause us problems when talking to kadmin. Takes a principal and
# returns true if it's okay, false otherwise. Note that we do not permit
# realm information here.
sub _valid_principal {
my ($self, $principal) = @_;
if ($principal !~ m,^[\w-]+(/[\w_-]+)?\z,) {
return undef;
}
return 1;
}
# Run a kadmin command and capture the output. Returns the output, either as
# a list of lines or, in scalar context, as one string. The exit status of
# kadmin is often worthless.
sub _kadmin {
my ($self, $command) = @_;
my @args = ('-p', $Wallet::Config::KEYTAB_PRINCIPAL, '-k', '-t',
$Wallet::Config::KEYTAB_FILE, '-q', $command);
push (@args, '-s', $Wallet::Config::KEYTAB_HOST)
if $Wallet::Config::KEYTAB_HOST;
push (@args, '-r', $Wallet::Config::KEYTAB_REALM)
if $Wallet::Config::KEYTAB_REALM;
my $pid = open (KADMIN, '-|');
if (not defined $pid) {
die "error: cannot fork: $!\n";
} elsif ($pid == 0) {
open (STDERR, '>&STDOUT') or die "error: cannot dup stdout: $!\n";
exec ($Wallet::Config::KEYTAB_KADMIN, @args)
or die "error: cannot run $Wallet::Config::KEYTAB_KADMIN\n";
}
local $_;
my @output;
while (<KADMIN>) {
push (@output, $_) unless /Authenticating as principal/;
}
close KADMIN;
return wantarray ? @output : join ('', @output);
}
# Check whether a given principal already exists in Kerberos. Returns true if
# so, false otherwise.
sub _kadmin_exists {
my ($self, $principal) = @_;
return undef unless $self->_valid_principal ($principal);
if ($Wallet::Config::KEYTAB_REALM) {
$principal .= '@' . $Wallet::Config::KEYTAB_REALM;
}
my $output = $self->_kadmin ("getprinc $principal");
if ($output =~ /does not exist/) {
return undef;
} else {
return 1;
}
}
# Create a principal in Kerberos. Since this is only called by create, it
# throws an exception on failure rather than setting the error and returning
# undef.
sub _kadmin_addprinc {
my ($self, $principal) = @_;
unless ($self->_valid_principal ($principal)) {
die "invalid principal name $principal\n";
}
if ($Wallet::Config::KEYTAB_REALM) {
$principal .= '@' . $Wallet::Config::KEYTAB_REALM;
}
my $flags = $Wallet::Config::KEYTAB_FLAGS;
my $output = $self->_kadmin ("addprinc -randkey $flags $principal");
if ($output =~ /^add_principal: (.*)/m) {
die "error adding principal $principal: $!\n";
}
return 1;
}
# Create a keytab from a principal. Return true if successful, false
# otherwise. If the keytab creation fails, sets the error.
sub _kadmin_ktadd {
my ($self, $principal, $file) = @_;
unless ($self->_valid_principal ($principal)) {
$self->{error} = "invalid principal name: $principal";
return undef;
}
if ($Wallet::Config::KEYTAB_REALM) {
$principal .= '@' . $Wallet::Config::KEYTAB_REALM;
}
my $output = $self->_kadmin ("ktadd -q -k $file $principal");
if ($output =~ /^(?:kadmin|ktadd): (.*)/m) {
$self->{error} = "error creating keytab for $principal: $1";
return undef;
}
return 1;
}
# Delete a principal from Kerberos. Return true if successful, false
# otherwise. If the deletion fails, sets the error. If the principal doesn't
# exist, return success; we're bringing reality in line with our expectations.
sub _kadmin_delprinc {
my ($self, $principal) = @_;
unless ($self->_valid_principal ($principal)) {
$self->{error} = "invalid principal name: $principal";
return undef;
}
if (not $self->_kadmin_exists ($principal)) {
return 1;
}
if ($Wallet::Config::KEYTAB_REALM) {
$principal .= '@' . $Wallet::Config::KEYTAB_REALM;
}
my $output = $self->_kadmin ("delprinc -force $principal");
if ($output =~ /^delete_principal: (.*)/m) {
$self->{error} = "error deleting $principal: $1";
return undef;
}
return 1;
}
##############################################################################
# Implementation
##############################################################################
# Override create to start by creating the principal in Kerberos and only
# create the entry in the database if that succeeds. Error handling isn't
# great here since we don't have a way to communicate the error back to the
# caller.
sub create {
my ($class, $type, $name, $dbh, $creator, $host, $time) = @_;
$class->_kadmin_addprinc ($name);
return $class->SUPER::create ($type, $name, $dbh, $creator, $host, $time);
}
# Override destroy to delete the principal out of Kerberos as well.
sub destroy {
my ($self, $user, $host, $time) = @_;
return undef if not $self->_kadmin_delprinc ($self->{name});
return $self->SUPER::destroy ($user, $host, $time);
}
# Our get implementation. Generate a keytab into a temporary file and then
# return that as the return value.
sub get {
my ($self, $user, $host, $time) = @_;
$time ||= time;
my $file = $Wallet::Config::KEYTAB_TMP . "/keytab.$$";
return undef if not $self->_kadmin_ktadd ($self->{name}, $file);
local *KEYTAB;
unless (open (KEYTAB, '<', $file)) {
my $princ = $self->{name};
$self->{error} = "error opening keytab for principal $princ: $!";
return undef;
}
local $/;
undef $!;
my $data = <KEYTAB>;
if ($!) {
my $princ = $self->{name};
$self->{error} = "error reading keytab for principal $princ: $!";
return undef;
}
close KEYTAB;
unlink $file;
$self->log_action ('get', $user, $host, $time);
return $data;
}
1;
__END__;
|
