Theodore Tso [Tue, 7 Nov 1995 21:45:22 +0000 (21:45 +0000)]
* kdb.h: Added prototype for krb5_dbe_search_enctype(). Changed
prototype of krb5_dbe_find_enctype() so that ktype is of
type krb5_int32. (krb5_enctype is unsigned, so -1 doesn't
work!)
Theodore Tso [Tue, 7 Nov 1995 21:44:52 +0000 (21:44 +0000)]
* kdb_xdr.c (krb5_dbe_search_enctype): Make a more general version
of kdb5_dbe_find_enctype() which allows you to search the
keylist looking for multiple keys that fit your criteria.
Eventually we should convert all programs to use
kdb5_dbe_search_enctype() instead of kdb5_dbe_find_enctype().
Mark Eichin [Fri, 3 Nov 1995 21:53:05 +0000 (21:53 +0000)]
remove rcs keyword cruft which doesn't make much sense in CVS.
removal simplifies merging. I left in the RCSID's that are in actual
error table values (*_RCSID typically) but comments had them elided
(Source keywords replaced with a literal pathname, Id totally removed.)
* adm.h : Constant changes for the new kadmin code.
* kdb.h : Added attribute bit KRB5_KDB_NEW_PRINC. This will
allow kadmin administrators with add acls to modify a
principal until this bit is cleared.
* decrypt_key.c (krb5_dbekd_decrypt_key_data()) : If key salt length
is 0 then set keysalt->data.data to NULL.
* kdb_cpw.c (add_key_rnd(), add_key_pwd()) : When creating new keys
for a new kvno and there are multiple enctypes that use a
common keytype, then set the enctype in the key to the first
specified enctype and skip all other enctypes that use
the same keytype. (This assumes the salt type is the same too.)
This way when the kdc needs to get the server key it doesn't
need to gues what enctypes the server supports.
* kdb_xdr.c (krb5_dbe_find_enctype()): Match keys that use common
keytypes but different enctypes. Eg. ENCTYPE_DES_CBC_MD5
matches ENCTYPE_DES_CBC_CRC and vice versa.
* kdb_xdr.c krb5_dbe_find_enctype()): If kvno = 0 then determine
maxkvno for all the keys and then search keys for a key that
matches enctype salttype and has kvno == maxkvno. This
is different than when kvno = -1 which searches the keys
for THE key with the greatest kvno which also matches enctype
and salttype.
* kdb_kdr.c (krb5_dbe_find_enctype()): If kvno = ktype = stype = -1
then set kvno = 0. The first doesn't make a lot of sense.
* kdb_xdr.c (krb5_dbe_encode_last_pwd_change(),
krb5_dbe_decode_last_pwd_change()) : Added.
* kdb_xdr.c (krb5_decode_princ_contents()) : Don't try to allocate
space for keys if n_key_data = 0.
Richard Basch [Tue, 24 Oct 1995 23:14:56 +0000 (23:14 +0000)]
For compatibility with older .conf files, keep the domain name check
being done in lower case, and if necessary, convert it to upper case
if the domain is being used as the default realm.
In addition, there was an extra free without an associated *alloc.
Theodore Tso [Tue, 24 Oct 1995 21:33:29 +0000 (21:33 +0000)]
Manually defined PROVIDE_* for Macintosh and MS-DOS so that libcrypto
knows which encryption systems to include. Otherwise, we would be
building an exportable (and useless) krb5 library for the Mac and PC.
Richard Basch [Tue, 24 Oct 1995 01:19:13 +0000 (01:19 +0000)]
Rather than displaying the master key version twice, display the actual
key version for the "Key version" field. (It only displays the version
for the first key in the database.)
Richard Basch [Tue, 24 Oct 1995 01:18:15 +0000 (01:18 +0000)]
Read the V4 Kerberos master key from /.k. Only prompt the user for the
V4 master key if the command-line option so indicates, or the key cannot
be read from /.k.
Richard Basch [Tue, 24 Oct 1995 01:15:50 +0000 (01:15 +0000)]
Try to do a best realm match for a hostname, trying all the domain components.
For example, the realm search for a host A.B.C.D will include
A.B.C.D .B.C.D B.C.D .C.D C.D .D D
If all of them fail, assume the realm is B.C.D (as was previously the case).
Richard Basch [Mon, 23 Oct 1995 21:55:51 +0000 (21:55 +0000)]
1. Do not end syslog messages with \n (it messes up the logs).
2. Prototyped envvarok() to ensure proper usage.
3. Prohibit the change of ELF_LD_* environment variables (Linux)
4. Syslog attempts to pass bad environment variables.
Richard Basch [Mon, 23 Oct 1995 21:52:12 +0000 (21:52 +0000)]
Print messages using \r\n so that the display in binary mode will be correct.
Additionally, perror should not be using \n as it appends the error message.
Theodore Tso [Mon, 23 Oct 1995 20:41:16 +0000 (20:41 +0000)]
Add new option 's' which automatically stashes the master key in the
key stash file. This eliminates the need for the admin to type
kdb5_stash right after kdb5_create.
Sam Hartman [Mon, 16 Oct 1995 22:12:23 +0000 (22:12 +0000)]
----------------------------------------------------------------------
automatically CVS: CVS: Committing in . CVS: CVS: Modified Files:
----------------------------------------------------------------------
login.krb5: Don't display warning about no tickets being obtained if -F, -f or -k
specified.
Theodore Tso [Wed, 11 Oct 1995 01:47:09 +0000 (01:47 +0000)]
Added the "/nod" option to the gssapi.dll and libkrb5.dll linker
commands. This prevents the linker from searching the llibcew.lib
library for some externals which are already in ldllcew.lib. This is
what we want since we are building a DLL. Without the "/nod" option we
get a bunch of duplicate definitions.
Sam Hartman [Tue, 10 Oct 1995 03:13:48 +0000 (03:13 +0000)]
Fix handling of session key for Kerberos5. I don't think this should
fix the mutual authentication bug with beta 4, but this should help
forwarding credentials and should also help if someone actually
defines ENCRYPTION.
If user defines ENCRYPTION, telnetd has the nasty behavior of
encrypting one side of the conversation, without telling the user; in
particular, only server output is encrypted. Fixed by sending a do
encrypt if encryption defined; fix taken from Athena telnetd.
Sam Hartman [Tue, 10 Oct 1995 03:11:08 +0000 (03:11 +0000)]
Fix handling of session key for Kerberos5. I don't think this should
fix the mutual authentication bug with beta 4, but this should help
forwarding credentials and should also help if someone actually
defines ENCRYPTION.
Ezra Peisach [Sun, 8 Oct 1995 18:29:25 +0000 (18:29 +0000)]
(recv_token): When continuning a partial read over the network, put
the incomming data into the middle of the token - not back at the
start.
Now, can someone explain why under NetBSD, in one direction 400+ bytes
could be sent at one time, but in the reverse, 102 had to be broken down
into 100 + 2? Anyways, this fixes the NetBSD problem with the tests.
* ksu.h: Remove local_realm from krb5_authorization.
* authorization.c (krb5_authorization): Remove old copied code
that is in krb5 library and is out of date. Use the
configurable aname to localname methods.
* main.c (main): Add krb5_secure_config_files so that users cannot
override system config files.
Theodore Tso [Fri, 6 Oct 1995 04:33:53 +0000 (04:33 +0000)]
do_tgs_req.c (process_tgs_req): Use a slightly more compressed logging
format.
do_as_req.c (process_as_req): Unify the logging and error packet
production, to make sure that both logging and an error packet is
returned for each error condition.
Theodore Tso [Fri, 6 Oct 1995 03:02:40 +0000 (03:02 +0000)]
network.c (setup_network):
main.c (initialize_realms): Massive revamp of how the network ports
are setup. The default port list for a realm is read from
[kdcdefaults]/kdc_ports from the kdc.conf file. For each realm, a
list of ports can be specified in [realms]/<realm>/kdc_ports.
extern.h (kdc_realm_t): Remove realm_pport and realm_sport, and added
realm_ports.
do_tgs_req.c (process_tgs_req):
do_as_req.c (process_as_req):
dispatch.c (dispatch): Pass the portnumber of the incoming request down
to process_as_req and process_tgs_req, instead of the boolean
"is_secondary".
kerberos_v4.c (kerb_get_principal, kerberos_v4): Fix gcc -Wall flames,
by fixing signed vs. unsigned types.
Theodore Tso [Fri, 6 Oct 1995 02:47:46 +0000 (02:47 +0000)]
Remove the profile relation, since it's really a bad idea. Removed
the "port" and "secondary_port" relations, and replaced them with the
"kdc_port" relation, which takes a list of ports.
Theodore Tso [Fri, 6 Oct 1995 02:46:27 +0000 (02:46 +0000)]
Remove pport and sport from the krb5_realm_params file, and replace it
with ports, which is a char * list of all of the ports which should be
listed to for this realm.
Ezra Peisach [Thu, 5 Oct 1995 17:30:42 +0000 (17:30 +0000)]
* init_os_ctx.c (krb5_secure_config_files): New function that
will set flag and path to prevent user from overriding
configuration files with environment variables.
This is intended for those pesky suid root programs so that they cannot
break security as easily...
Theodore Tso [Wed, 4 Oct 1995 03:12:32 +0000 (03:12 +0000)]
Use the kdc.conf file to determine the default list of keysalt tuples
to be used. This is stored in std_ks_tuple, and is used by cpw.c for
random keys and when a list of keysalts is not specified.