Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 294175 Details for
Bug 430037
allow to specify a list of enctypes on the ipa-getkeytab command line
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
adds the requested feature
freeipa-654-getkeytab-enctypes.patch (text/plain), 6.99 KB, created by
Simo Sorce
on 2008-02-07 00:53:01 UTC
(
hide
)
Description:
adds the requested feature
Filename:
MIME Type:
Creator:
Simo Sorce
Created:
2008-02-07 00:53:01 UTC
Size:
6.99 KB
patch
obsolete
># HG changeset patch ># User Simo Sorce <ssorce@redhat.com> ># Date 1202342482 18000 ># Node ID cca2d2c1bfd04dffa208951d0fea67bc02c95728 ># Parent 1e2925559262d4f876795bdc4e34045d9eb9dbf6 >Add switch to be able to provide a comma separate list of encryption types >we want to have in the keytab. >This superceedes any default enctype. > >diff -r 1e2925559262 -r cca2d2c1bfd0 ipa-client/ipa-getkeytab.c >--- a/ipa-client/ipa-getkeytab.c Wed Feb 06 17:03:24 2008 -0500 >+++ b/ipa-client/ipa-getkeytab.c Wed Feb 06 19:01:22 2008 -0500 >@@ -1,4 +1,4 @@ >-/* Authors: Simo Sorce <ssorce@redhat.com> >+/* Authors: Simo Sorce <ssorce@redhat.com> > * > * Copyright (C) 2007 Red Hat > * see file 'COPYING' for use and warranty information >@@ -15,7 +15,7 @@ > * You should have received a copy of the GNU General Public License > * along with this program; if not, write to the Free Software > * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA >- */ >+ */ > > #define _GNU_SOURCE > >@@ -67,6 +67,58 @@ static int ldap_sasl_interact(LDAP *ld, > #define KEYTAB_SET_OID "2.16.840.1.113730.3.8.3.1" > #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.3.2" > >+/* returns 0 if no enctypes available, >0 if enctypes are available */ >+static int get_enctypes(krb5_context krbctx, const char *str, >+ krb5_enctype **ktypes) >+{ >+ krb5_error_code krberr; >+ krb5_enctype *types; >+ char *p, *tmp, *t; >+ int n, i, j; >+ >+ if (str == NULL) { >+ krberr = krb5_get_permitted_enctypes(krbctx, ktypes); >+ if (krberr) { >+ fprintf(stderr, "No system preferred enctypes ?!\n"); >+ return 0; >+ } >+ return 1; >+ } >+ >+ t = tmp = strdup(str); >+ if (!tmp) return 0; >+ >+ /* count */ >+ p = t; >+ while (p = strchr(t, ',')) { >+ t = p+1; >+ n++; >+ } >+ n++; /* count the last one that is 0 terminated instead */ >+ >+ types = calloc(sizeof(krb5_enctype), n+1); >+ if (!types) return 0; >+ >+ for (i = 0, j = 0, t = tmp; i < n; i++) { >+ p = strchr(t, ','); >+ if (p ) *p = '\0'; >+ krberr = krb5_string_to_enctype(t, &types[j]); >+ if (krberr != 0) { >+ fprintf(stderr, >+ "Warning unrecognized encryption type: [%s]\n", >+ t); >+ } else { >+ j++; >+ } >+ t = p+1; >+ } >+ >+ free(tmp); >+ *ktypes = types; >+ >+ return j; >+} >+ > static void free_keys(krb5_context krbctx, krb5_keyblock *keys, int num_keys) > { > int i; >@@ -77,30 +129,22 @@ static void free_keys(krb5_context krbct > free(keys); > } > >-static int create_keys(krb5_context krbctx, krb5_keyblock **keys) >+static int create_keys(krb5_context krbctx, krb5_enctype *ktypes, >+ krb5_keyblock **keys) > { > krb5_error_code krberr; >- krb5_enctype *ktypes; > krb5_keyblock *key; > int i, j, k, max_keys; >- >- krberr = krb5_get_permitted_enctypes(krbctx, &ktypes); >- if (krberr) { >- fprintf(stderr, "No preferred enctypes ?!\n"); >- return 0; >- } > > for (i = 0; ktypes[i]; i++) /* count max encodings */ ; > max_keys = i; > if (!max_keys) { >- krb5_free_ktypes(krbctx, ktypes); >- fprintf(stderr, "No preferred enctypes ?!\n"); >+ fprintf(stderr, "No enctypes available\n"); > return 0; > } > > key = calloc(max_keys, sizeof(krb5_keyblock)); > if (!key) { >- krb5_free_ktypes(krbctx, ktypes); > fprintf(stderr, "Out of Memory!\n"); > return 0; > } >@@ -118,7 +162,6 @@ static int create_keys(krb5_context krbc > krberr = krb5_c_enctype_compare(krbctx, ktypes[i], > ktypes[j], &similar); > if (krberr) { >- krb5_free_ktypes(krbctx, ktypes); > free_keys(krbctx, key, i); > fprintf(stderr, "Enctype comparison failed!\n"); > return 0; >@@ -129,15 +172,12 @@ static int create_keys(krb5_context krbc > > krberr = krb5_c_make_random_key(krbctx, ktypes[i], &key[k]); > if (krberr) { >- krb5_free_ktypes(krbctx, ktypes); > free_keys(krbctx, key, k); > fprintf(stderr, "Making random key failed!\n"); > return 0; > } > k++; > } >- >- krb5_free_ktypes(krbctx, ktypes); > > *keys = key; > return k; >@@ -300,7 +340,7 @@ static int ldap_set_keytab(const char *s > /* find base dn */ > /* TODO: address the case where we have multiple naming contexts */ > tv.tv_sec = 10; >- tv.tv_usec = 0; >+ tv.tv_usec = 0; > > /* perform password change */ > ret = ldap_extended_operation(ld, >@@ -313,9 +353,10 @@ static int ldap_set_keytab(const char *s > } > > ber_bvfree(control); >+ control = NULL; > > tv.tv_sec = 10; >- tv.tv_usec = 0; >+ tv.tv_usec = 0; > > ret = ldap_result(ld, msgid, 1, &tv, &res); > if (ret == -1) { >@@ -328,7 +369,7 @@ static int ldap_set_keytab(const char *s > fprintf(stderr, "Operation failed! %s\n", ldap_err2string(ret)); > goto error_out; > } >- >+ > ret = ldap_parse_result(ld, res, &rc, NULL, &err, NULL, &srvctrl, 0); > if(ret != LDAP_SUCCESS || rc != LDAP_SUCCESS) { > fprintf(stderr, "Operation failed! %s\n", err?err:ldap_err2string(ret)); >@@ -379,7 +420,7 @@ static int ldap_set_keytab(const char *s > for (i = 0; i < num_keys; i++) { > ret = ber_scanf(sctrl, "{i}", &encs[i]); > if (ret == LBER_ERROR) break; >- } >+ } > *enctypes = encs; > > if (err) ldap_memfree(err); >@@ -407,10 +448,12 @@ int main(int argc, char *argv[]) > static const char *server = NULL; > static const char *principal = NULL; > static const char *keytab = NULL; >+ static const char *enctypes_string = NULL; > struct poptOption options[] = { > { "server", 's', POPT_ARG_STRING, &server, 0, "Contact this specific KDC Server", "Server Name" }, > { "principal", 'p', POPT_ARG_STRING, &principal, 0, "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", "Kerberos Service Principal Name" }, > { "keytab", 'k', POPT_ARG_STRING, &keytab, 0, "File were to store the keytab information", "Keytab File Name" }, >+ { "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0, "Encryption types to request", "Comma separated encription types list" }, > { NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL } > }; > poptContext pc; >@@ -423,6 +466,7 @@ int main(int argc, char *argv[]) > krb5_keyblock *keys = NULL; > int num_keys = 0; > ber_int_t *enctypes; >+ krb5_enctype *ktypes; > krb5_keytab kt; > int kvno; > int i, ret; >@@ -453,13 +497,15 @@ int main(int argc, char *argv[]) > > krberr = krb5_cc_default(krbctx, &ccache); > if (krberr) { >- fprintf(stderr, "Kerberos Credential Cache not found\nDo you have a Kerberos Ticket?\n"); >+ fprintf(stderr, "Kerberos Credential Cache not found\n" >+ "Do you have a Kerberos Ticket?\n"); > exit(5); > } >- >+ > krberr = krb5_cc_get_principal(krbctx, ccache, &uprinc); > if (krberr) { >- fprintf(stderr, "Kerberos User Principal not found\nDo you have a valid Credential Cache?\n"); >+ fprintf(stderr, "Kerberos User Principal not found\n" >+ "Do you have a valid Credential Cache?\n"); > exit(6); > } > >@@ -470,11 +516,16 @@ int main(int argc, char *argv[]) > } > > /* create key material */ >- num_keys = create_keys(krbctx, &keys); >+ ret = get_enctypes(krbctx, enctypes_string, &ktypes); >+ if (ret == 0) { >+ exit(8); >+ } >+ num_keys = create_keys(krbctx, ktypes, &keys); > if (!num_keys) { > fprintf(stderr, "Failed to create random key material\n"); > exit(8); > } >+ krb5_free_ktypes(krbctx, ktypes); > > kvno = ldap_set_keytab(server, principal, uprinc, keys, num_keys, &enctypes); > if (!kvno) {
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=294175">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 430037
: 294175