Russ Allbery [Mon, 25 Mar 2013 16:33:34 +0000 (09:33 -0700)]
Update to rra-c-util 4.8
* Fix Heimdal libroken probes for old versions of Heimdal.
* Fix Kerberos header probing with non-standard include paths.
* Pass --deps to krb5-config if it is supported.
* Properly find krb5.h on NetBSD systems.
* Fix stripping of -I/usr/include from krb5-config output.
* Avoid using krb5-config if specific Kerberos paths are configured.
* Use PATH_KRB5_CONFIG instead of KRB5_CONFIG to locate krb5-config.
* Replace concat with xasprintf.
* xasprintf is now void and always calls the failure handler on error.
* Improve __attribute__ portability to old GCC or non-GCC compilers.
* Add -D_FORTIFY_SOURCE=2 to make warnings flags.
* Probe for ssize_t and replace it in portable/system.h if not found.
* Include strings.h in portable/system.h if it exists.
* Add a pointer to rra-c-util in all files.
Russ Allbery [Tue, 12 Mar 2013 02:30:02 +0000 (19:30 -0700)]
Exit with non-zero status if check_passwd fails
Exit with a non-zero status if the check_passwd command rejects the
password. Previously, an error would be reported but the backend
would always report a successful zero status if the password could be
checked, even if it was rejected.
Russ Allbery [Tue, 12 Mar 2013 02:19:50 +0000 (19:19 -0700)]
In Heimdal version, do password strength check with IPC::Run
Something about the workaround code to suppress the stderr result
from Heimdal's libraries causes STDERR handling to get messed up
in Perl. Since the password strength checking program returns its
error on stderr, this is a problem. IPC::Run works properly and is
much more succinct, so switch to it.
Russ Allbery [Mon, 25 Feb 2013 04:23:30 +0000 (20:23 -0800)]
Further Heimdal error handling fixes
Clean up error reporting in the Heimdal version of kadmin-backend.
Use the correct (rather than the documented) way to tell
Heimdal::Kadm5 to throw exceptions, and ensure that all kadmin
functions uniformly use the same standard error formatting and exit
status for kadmin failures.
Also suppress the standard error output from the Heimdal library since
Heimdal::Kadm5 does not.
Russ Allbery [Fri, 22 Feb 2013 02:21:38 +0000 (18:21 -0800)]
Retry connecting to Heimdal if the first try fails
In the Heimdal version of kadmin-backend, retry the kadmin connection
once if the first connection fails. This is a workaround for a
transient networking error that we're seeing at Stanford and therefore
may not be fully appropriate for other sites. Even on a successful
reconnect, this will cause some errors to be sent to standard error
due to the behavior of Heimdal::Kadm5.
Russ Allbery [Thu, 9 Jun 2011 21:33:44 +0000 (14:33 -0700)]
Update to rra-c-util 3.6
* Check for krb5-config in /usr/kerberos/bin as well as user's PATH.
* Add replacement for krb5_appdefault_* functions for AIX Kerberos.
* Fix broken GCC attribute markers.
* Fix Kerberos library probing without transitive shared libraries.
* Suppress warnings when probing for AIX-only Kerberos headers.
* Support Heimdal GSS-API on OpenBSD without a separate libroken.
* Update GCC warning flags for GCC 4.6.1.
Russ Allbery [Wed, 8 Jun 2011 20:26:04 +0000 (13:26 -0700)]
Add support for separate password change blacklist
Add support for a separate blacklist of principals whose passwords
cannot be changed with reset_passwd but who do not themselves have the
ability to reset passwords.
Russ Allbery [Thu, 6 Jan 2011 20:20:50 +0000 (12:20 -0800)]
Correctly handle incorrect password errors from Heimdal
Properly handle incorrect password errors from Heimdal's kpasswd.
Previously, if change_passwd failed because the original password was
incorrect, kadmin-remctl would output a confusing Expect error.
Jon Robertson [Thu, 5 Aug 2010 04:21:39 +0000 (21:21 -0700)]
Fixed to kadmin_create default attributes in kadmin-backend-heim
The code for creating a Kerberos principal was trying to get the default
set of attributes and then modify them before fully creating the account,
in order to properly create a disabled account. However, the default
attributes seem to not be created until the principal is fully created,
so we actually lose the default attributes by doing so. As a fix, hand
the routine our own default set of attributes. This isn't optimal, but
it's better than nothing.
* Restore default settings after probing for GSS-API libraries.
* Support the *BSD build of Heimdal in the Kerberos probes.
* Fix krb5_free_error_message replacement for older Kerberos libraries.
The MIT implementation of check_expires was calling str2time twice.
Also update the documentation to reflect that the second argument to
check_expires is optional and "now" is a valid expiration time.
Jon Robertson [Fri, 11 Jun 2010 07:28:19 +0000 (00:28 -0700)]
kadmin-backend: Fixed expiration time output
When expiration time was not set but password expiration time was, and
the soonest time of the two was requested, nothing was returned. Fixed
this to return the password expiration time.
Jon Robertson [Wed, 26 May 2010 18:14:08 +0000 (11:14 -0700)]
Added more support for account and password expiration
* Fixed bugs in the existing expiration command for Heimdal, and added
it to the help command for both MIT and Heimdal.
* Added pwexpiration command that works like the expiration command, but
for password expiration.
* Added check_expire command that will return expiration times in GMT
for either account or password expiration.
The commands have been tested against Heimdal, though not yet against MIT.
Russ Allbery [Sun, 16 May 2010 19:17:36 +0000 (12:17 -0700)]
Improve principal creation attributes for Heimdal
In the Heimdal backend, don't set KADM5_POLICY_NORMAL_MASK or
KADM5_POLICY_CLR as attributes when creating a new principal. These
are not valid attribute values and end up setting or clearing large
numbers of other attributes.
In the Heimdal backend, don't unconditionally set the preauth required
attribute on newly created principals. This should be handled using
the "default" principal in Heimdal to configure the desired default
principal lifetime and attributes.
Russ Allbery [Fri, 26 Mar 2010 06:09:45 +0000 (23:09 -0700)]
Replace checking with policy for kadmin-backend
kadmin-backend for an MIT Kerberos server no longer has the boolean
checking configuration parameter, which said whether to do password
checking. Instead, there is a new policy configuration parameter
which, if set, sets that password policy for newly created accounts.
To duplicate the previous behavior when checking was true, set policy
to "standard".
Garrett Wollman [Fri, 26 Mar 2010 04:17:06 +0000 (21:17 -0700)]
Add expiration command and kadmin extra options
Add an expiration command to the MIT Kerberos interface that sets the
expiration time for a principal. Add an extra_options configuration
parameter that adds extra options to the kadmin create command for that
principal.
Russ Allbery [Tue, 16 Feb 2010 18:10:52 +0000 (10:10 -0800)]
Map all external check errors to the same generic kpasswd error
For the Heimdal version of kadmin-backend, map all errors from the
external password check program except for password too short errors
to the same generic kpasswd string, maintaining our interface for AS
systems even if Cracklib provides specific errors.
Russ Allbery [Tue, 16 Feb 2010 18:00:48 +0000 (10:00 -0800)]
Do password strength checking for create and reset_passwd
For the Heimdal version of kadmin-backend, do password strength checking
and report a proper error in both create and reset_passwd. Previously,
a failure of strength checking would cause a silent failure to create a
principal.
Jon Robertson [Tue, 16 Feb 2010 17:52:24 +0000 (09:52 -0800)]
Added translation of MIT kpasswd errors to Heimdal
For downstream apps that currently expect the change_passwd errors to be
specific strings, we translate known error cases from Heimdal kpasswd to
the matching error cases from MIT kpasswd.
Russ Allbery [Thu, 11 Feb 2010 04:55:46 +0000 (20:55 -0800)]
Use external program password checking in kadmin-backend-heim
Use the Heimdal external program API for password strength checking in
kadmin-backend-heim and check password strength on create if strength
checking is enabled for that instance, since the Heimdal kadmin API
doesn't enforce password strength on passwords changed by
administrators.
Russ Allbery [Wed, 10 Feb 2010 23:06:08 +0000 (15:06 -0800)]
Cast result_string in ksetpass for Heimdal
The Heimdal krb5_set_password_using_ccache function returns krb5_data
structs and on Heimdal the data element is a void *. Cast it to a
char * for our diagnostic output.
Russ Allbery [Wed, 10 Feb 2010 23:03:58 +0000 (15:03 -0800)]
Rewrite the error handling in ksetpass and passwd_change
Take advantage of the new portability layer and use die/warn and
die_krb5/warn_krb5 where appropriate. Use xmalloc and concat functions
where appropriate. Use the Kerberos portability layer to avoid calling
deprecated functions on Heimdal.
Jon Robertson [Wed, 10 Feb 2010 16:44:31 +0000 (08:44 -0800)]
Multiple output and production readiness fixes
* Changed formatting of Expect statements for kpasswd to use Heimdal
kpasswd.
* Removed testing line that was specifying realm.
* Fixed date output for the examine command.
* Fixed days output for the examine command when only one day.
* Fixed output for the examine command when principal does not exist.
* Fixed bug in kadmin_reset with sending instance rather than principal to
be reset.
Jon Robertson [Tue, 26 Jan 2010 00:45:13 +0000 (16:45 -0800)]
Added ability to ignore enable for locked accounts
Added a new configuration option for each instance type, locked. This is
an array containing a command and all arguments to it, which is used to
determine if a principal is marked to not be re-enabled via kadmin-backend.
If no command is set, none is checked. The command is given the instance
name, and if the command returns 0, then the instance is locked and may
not be re-enabled via this interface. This is done to support accounts
that may be locked for policy reasons, where we must go through extra steps
befor re-enabling the command.
Jon Robertson [Wed, 13 Jan 2010 20:26:58 +0000 (12:26 -0800)]
Added translator of Heimdal output to MIT get output
Heimdal uses a different syntax for the output of its get command than
MIT's getprinc. The output from the examine command was originally based
upon the Heimdal::Kadm5 'dump' command, which models its output off of
Heimdal's get command. Because downstream apps might be taking the output
of kadmin-backend examine, we replicate the Heimdal::Kadm5 code to
construct the get output here, but modelled to replicate MIT instead. In
the long term, we would love to verify and have any applications using
the output fixed so that we aren't taking the arbitrary workaround.
Jon Robertson [Thu, 10 Dec 2009 18:58:55 +0000 (10:58 -0800)]
Added version of kadmin-backend for Heimdal
kadmin-backend-heim will use Heimdal::Kadm5 to operate on a Heimdal KDC
as kadmin-backend works on an MIT KDC. All functions are the same, and
it is identical from a use standpoint. The longer-term plan will merge
the two back together and let kadmin-backend choose whether to use Heimdal
or MIT based on a config file value, but that is waiting on some discovery
first.
Jon Robertson [Thu, 10 Dec 2009 18:58:55 +0000 (10:58 -0800)]
Added version of kadmin-backend for Heimdal
kadmin-backend-heim will use Heimdal::Kadm5 to operate on a Heimdal KDC
as kadmin-backend works on an MIT KDC. All functions are the same, and
it is identical from a use standpoint. The longer-term plan will merge
the two back together and let kadmin-backend choose whether to use Heimdal
or MIT based on a config file value, but that is waiting on some discovery
first.
Russ Allbery [Mon, 5 Oct 2009 23:01:30 +0000 (16:01 -0700)]
Update build system to my current standards
Enable Automake silent rules. For a quieter build, pass the
--enable-silent-rules option to configure or build with make V=0.
Update to rra-c-util 2.0:
* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Don't break if the user clobbers CPPFLAGS or LDFLAGS at build time.
* Support Solaris 10's native generic GSS-API libraries.
* Require Autoconf 2.64 and Automake 1.11.
Russ Allbery [Thu, 8 Jan 2009 03:51:58 +0000 (19:51 -0800)]
Redo how examine of arbitrary instances is handled
The previous attempt still didn't work because there was nothing in the
%CONFIG hash for the unknown instance. Now, fall back to the '' instance
for configuration on how to handle unknown instances and document that
fallback.
Improve the conversion of Kerberos v5 principal names to Kerberos v4
principal names for examine against an AFS kaserver, although it's
still not as good as calling the Kerberos library routine would be.
Russ Allbery [Thu, 8 Jan 2009 03:09:44 +0000 (19:09 -0800)]
Significant improvements to Kerberos and remctl configure probes
Attempt to determine if the library directory for remctl (and the
directory for Kerberos and GSS-API libraries if krb5-config isn't
found) is lib32 or lib64 instead of lib and set LDFLAGS accordingly.
Based on an idea from the CMU Autoconf macros.
Add --with-remctl-include, --with-remctl-lib, --with-gssapi-include,
--with-gssapi-lib, --with-krb5-include, and --with-krb5-lib configure
options to allow more specific setting of paths if necessary.
Check at configure time that we can link with the remctl library we
found.
Russ Allbery [Wed, 7 Jan 2009 19:15:28 +0000 (11:15 -0800)]
Support examining principals with unmanaged instances
Properly add support for examining principals with instances we don't
manage. Previous versions were supposed to support this but didn't
due to a bug in argument passing.