

[src/netbsd-1-5]: src/crypto/dist/heimdal Pull up revisions 1.2-1.5 (requeste...



details:   https://anonhg.NetBSD.org/src/rev/6a69c2a6fe72
branches:  netbsd-1-5
changeset: 491145:6a69c2a6fe72
user:      he <he%NetBSD.org@localhost>
date:      Thu Apr 05 23:24:49 2001 +0000

description:
Pull up revisions 1.2-1.5 (requested by assar):
  Upgrade Heimdal to version 0.3e.

diffstat:

 crypto/dist/heimdal/kadmin/kadmind.c     |   42 +++++--
 crypto/dist/heimdal/lib/krb5/krb5.conf.5 |  157 +++++++++++++++++++++++++++++-
 2 files changed, 181 insertions(+), 18 deletions(-)

diffs (truncated from 326 to 300 lines):

diff -r 6874bc9fec9a -r 6a69c2a6fe72 crypto/dist/heimdal/kadmin/kadmind.c
--- a/crypto/dist/heimdal/kadmin/kadmind.c      Thu Apr 05 23:24:45 2001 +0000
+++ b/crypto/dist/heimdal/kadmin/kadmind.c      Thu Apr 05 23:24:49 2001 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,15 +33,17 @@
 
 #include "kadmin_locl.h"
 
-RCSID("$Id: kadmind.c,v 1.1.1.1 2000/06/16 18:32:07 thorpej Exp $");
+RCSID("$Id: kadmind.c,v 1.1.1.1.2.1 2001/04/05 23:24:49 he Exp $");
 
+static char *check_library  = NULL;
+static char *check_function = NULL;
 static char *config_file;
 static char *keyfile;
 static char *keytab_str = "HDB:";
 static int help_flag;
 static int version_flag;
 static int debug_flag;
-static int debug_port;
+static char *port_str;
 char *realm;
 
 static struct getargs args[] = {
@@ -60,11 +62,17 @@
     {  "realm",        'r',    arg_string,   &realm, 
        "realm to use", "realm" 
     },
+#ifdef HAVE_DLOPEN
+    { "check-library", 0, arg_string, &check_library, 
+      "library to load password check function from", "library" },
+    { "check-function", 0, arg_string, &check_function,
+      "password check function to load", "function" },
+#endif
     {  "debug",        'd',    arg_flag,   &debug_flag, 
        "enable debugging" 
     },
-    {  "debug-port",   'p',    arg_integer,&debug_port, 
-       "port to use with debug", "port" },
+    {  "ports",        'p',    arg_string, &port_str, 
+       "ports to listen to", "port" },
     {  "help",         'h',    arg_flag,   &help_flag },
     {  "version",      'v',    arg_flag,   &version_flag }
 };
@@ -80,9 +88,6 @@
     exit (ret);
 }
 
-krb5_error_code
-kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int);
-
 int
 main(int argc, char **argv)
 {
@@ -95,7 +100,9 @@
 
     set_progname(argv[0]);
 
-    krb5_init_context(&context);
+    ret = krb5_init_context(&context);
+    if (ret)
+       errx (1, "krb5_init_context failed: %d", ret);
 
     ret = krb5_openlog(context, "kadmind", &logf);
     ret = krb5_set_warn_dest(context, logf);
@@ -132,16 +139,27 @@
     if(ret)
        krb5_err(context, 1, ret, "krb5_kt_resolve");
 
+    kadm5_setup_passwd_quality_check (context, check_library, check_function);
+
     {
        int fd = 0;
+       struct sockaddr sa;
+       socklen_t sa_size;
        krb5_auth_context ac = NULL;
-       if(debug_flag){
-           if(debug_port == 0)
+       int debug_port;
+       sa_size = sizeof(sa);
+       if(debug_flag) {
+           if(port_str == NULL)
                debug_port = krb5_getportbyname (context, "kerberos-adm", 
                                                 "tcp", 749);
            else
-               debug_port = htons(debug_port);
+               debug_port = htons(atoi(port_str));
            mini_inetd(debug_port);
+       } else if(roken_getsockname(STDIN_FILENO, &sa, &sa_size) < 0 && 
+                  errno == ENOTSOCK) {
+           parse_ports(context, port_str ? port_str : "+");
+           pidfile(NULL);
+           start_server(context);
        }
        if(realm)
            krb5_set_default_realm(context, realm); /* XXX */
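Review bot: `debug_port = htons(atoi(port_str));` in the debug branch takes the --ports string without any validation: a non-numeric value yields port 0 and a value above 65535 is silently truncated by htons, so a mistyped option makes mini_inetd listen on an unintended port instead of failing. The old arg_integer handling at least had getargs convert the value; with the switch to arg_string this line is now the only place the debug port is checked. Parse with strtol and reject anything outside 1..65535 before calling htons, as below; whether parse_ports on the non-debug path validates its own input is not visible in this hunk. The enclosing main() starts and ends outside the hunk.
```c
            else {
                char *end;
                errno = 0;
                long p = strtol(port_str, &end, 10);
                if (end == port_str || *end != '\0' || errno == ERANGE
                    || p < 1 || p > 65535)
                    errx(1, "bad port number: %s", port_str);
                debug_port = htons((unsigned short)p);
            }
            mini_inetd(debug_port);
            /* ... unchanged: roken_getsockname / start_server branch ... */
```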
diff -r 6874bc9fec9a -r 6a69c2a6fe72 crypto/dist/heimdal/lib/krb5/krb5.conf.5
--- a/crypto/dist/heimdal/lib/krb5/krb5.conf.5  Thu Apr 05 23:24:45 2001 +0000
+++ b/crypto/dist/heimdal/lib/krb5/krb5.conf.5  Thu Apr 05 23:24:49 2001 +0000
@@ -1,4 +1,4 @@
-.\" $Id: krb5.conf.5,v 1.1.1.1 2000/06/16 18:32:58 thorpej Exp $
+.\" $Id: krb5.conf.5,v 1.1.1.1.2.1 2001/04/05 23:24:49 he Exp $
 .\"
 .Dd April 11, 1999
 .Dt KRB5.CONF 5
@@ -46,7 +46,6 @@
 .Li STRINGs
 consists of one or more non-white space characters.
 Currently recognised sections and bindings are:
-
 .Bl -tag -width "xxx" -offset indent
 .It Li [libdefaults]
 .Bl -tag -width "xxx" -offset indent
@@ -65,7 +64,24 @@
 These are decribed in the 
 .Xr krb5_425_conv_principal  3
 manual page.
-.It Li capath = Va realm-routing-table
+.It Li capath = {
+.Bl -tag -width "xxx" -offset indent
+.It Va destination-realm Li = Va next-hop-realm
+.It ...
+.El
+Normally, all requests to realms different from the one of the current
+client are sent to this KDC to get cross-realm tickets.
+If this KDC does not have a cross-realm key with the desired realm and
+the hierarchical path to that realm does not work, a path can be
+configured using this directive.
+The text shown above instructs the KDC to try to obtain a cross-realm
+ticket to
+.Va next-hop-realm
+when the desired realm is
+.Va destination-realm .
+This configuration should preferably be done on the KDC where it will
+help all its clients but can also be done on the client itself.
+.It Li }
 .It Li default_etypes = Va etypes...
 A list of default etypes to use.
 .It Li default_etypes_des = Va etypes...
@@ -82,6 +98,12 @@
 Default ticket lifetime.
 .It Li renew_lifetime = Va time
 Default renewable ticket lifetime.
+.It Li forwardable = Va boolean
+When obtaining initial credentials, make the credentials forwardable.
+This option is also valid in the [realms] section.
+.It Li proxiable = Va boolean
+When obtaining initial credentials, make the credentials proxiable.
+This option is also valid in the [realms] section.
 .It Li verify_ap_req_nofail = Va boolean
 Enable to make a failure to verify obtained credentials
 non-fatal. This can be useful if there is no keytab on a host.
@@ -96,8 +118,20 @@
 .It Li time_format = Va string
 How to print time strings in logs, this string is passed to
 .Xr strftime 3 .
+.It Li date_format = Va string
+How to print date strings in logs, this string is passed to
+.Xr strftime 3 .
 .It Li log_utc = Va boolean
 Write log-entries using UTC instead of your local time zone.
+.It Li srv_lookup = Va boolean
+Use DNS SRV records to lookup realm configuration information.
+.It Li srv_try_txt = Va boolean
+If a SRV lookup fails, try looking up the same info in a DNS TXT record.
+.It Li scan_interfaces = Va boolean
+Scan all network interfaces for addresses, as opposed to simply using
+the address associated with the system's host name.
+.It Li fcache_version = Va int
+Use file credential cache format version specified.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm. Each
@@ -113,10 +147,18 @@
 .It Va REALM Li = {
 .Bl -tag -width "xxx" -offset indent
 .It Li kdc = Va host[:port]
-Specifies a kdc for this realm. If the optional port is absent, the
+Specifies a list of kdcs for this realm. If the optional port is absent, the
 default value for the
 .Dq kerberos/udp
 service will be used.
+The kdcs will be used in the order that they are specified.
+.It Li admin_server = Va host[:port]
+Specifies the admin server for this realm, where all the modifications
+to the database are perfomed.
+.It Li kpasswd_server = Va host[:port]
+Points to the server where all the password changes are perfomed.
+If there is no such entry, the kpasswd port on the admin_server host
+will be tried.
 .It Li v4_instance_convert
 .It Li v4_name_convert
 .It Li default_domain
@@ -136,14 +178,104 @@
 .Xr krb5_openlog 3
 manual page for a list of defined destinations.
 .El
+.It Li [kdc]
+.Bl -tag -width "xxx" -offset indent
+.It database Li = {
+.Bl -tag -width "xxx" -offset indent
+.It dbname Li = Va DATABASENAME
+use this database for this realm.
+.It realm Li = Va REALM
+specifies the realm that will be stored in this database.
+.It mkey_file Li = Pa FILENAME
+use this keytab file for the master key of this database.
+If not specified
+.Va DATABASENAME Ns .mkey
+will be used.
+.It acl_file Li = PA FILENAME
+use this file for the ACL list of this database.
+.It log_file Li = Pa FILENAME
+use this file as the log of changes performed to the database.  This
+file is used by
+.Nm ipropd-master
+for propagating changes to slaves.
+.El
+.It Li }
+.It max-request = Va SIZE
+Maximum size of a kdc request.
+.It require-preauth = Va BOOL
+If set pre-authentication is required. Since krb4 requests are not
+pre-authenticated they will be rejected.
+.It ports = Va "list of ports"
+list of ports the kdc should listen to.
+.It addresses = Va "list of interfaces"
+list of addresses the kdc should bind to.
+.It enable-kerberos4 = Va BOOL
+turn on kerberos4 support.
+.It v4-realm = Va REALM
+to what realm v4 requests should be mapped.
+.It enable-524 = Va BOOL
+should the Kerberos 524 converting facility be turned on. Default is same as
+.Va enable-kerberos4 .
+.It enable-http = Va BOOL
+should the kdc answer kdc-requests over http.
+.It enable-kaserver = Va BOOL
+if this kdc should emulate the AFS kaserver.
+.It check-ticket-addresses = Va BOOL
+verify the addresses in the tickets used in tgs requests.
+.\" XXX
+.It allow-null-ticket-addresses = Va BOOL
+allow addresses-less tickets.
+.\" XXX 
+.It allow-anonymous = Va BOOL
+if the kdc is allowed to hand out anonymous tickets.
+.It encode_as_rep_as_tgs_rep = Va BOOL
+encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did.
+.\" XXX 
+.It kdc_warn_pwexpire = Va TIME
+the time before expiration that the user should be warned that her
+password is about to expire.
+.It logging = Va Logging
+What type of logging the kdc should use, see also [logging]/kdc.
+.El
+.It Li [kadmin]
+.Bl -tag -width "xxx" -offset indent
+.It require-preauth = Va BOOL
+If pre-authentication is required to talk to the kadmin server.
+.It default_keys = Va keytypes...
+for each entry in
+.Va default_keys
+try to parse it as a sequence of
+.Va etype:salttype:salt
+syntax of this if something like:
+.Pp
+[(des|des3|etype):](pw-salt|afs3-salt)[:string]
+.Pp
+if
+.Ar etype
+is omitted it means everything, and if string is omitted is means the default string (for that principal). Additional special values of keyttypes are:
+.Bl -tag -width "xxx" -offset indent
+.It v5 
+The kerberos 5 salt
+.Va pw-salt
+.It v4
+The kerberos 4 type
+.Va des:pw-salt:
+.El
+.It use_v4_salt = Va BOOL
+When true, this is the same as
+.Pp
+.Va default_keys = Va des3:pw-salt Va v4
+.Pp
+and is only left for backwards compatability.
+.El
 .El
 .Sh ENVIRONMENT
 .Ev KRB5_CONFIG
 points to the configuration file to read.
 .Sh EXAMPLE
 .Bd -literal -offset indent
-[lib_defaults]


