Diffstat (limited to 'usr/src')
-rw-r--r-- | usr/src/cmd/krb5/kadmin/kclient/kclient.sh | 173 | ||||
-rw-r--r-- | usr/src/cmd/krb5/kadmin/kdcmgr/klookup.c | 7 | ||||
-rw-r--r-- | usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c | 3 | ||||
-rw-r--r-- | usr/src/uts/common/gssapi/mechs/krb5/mech/k5unseal.c | 21 |
4 files changed, 122 insertions, 82 deletions
diff --git a/usr/src/cmd/krb5/kadmin/kclient/kclient.sh b/usr/src/cmd/krb5/kadmin/kclient/kclient.sh index a5a5b64212..2490ed28f8 100644 --- a/usr/src/cmd/krb5/kadmin/kclient/kclient.sh +++ b/usr/src/cmd/krb5/kadmin/kclient/kclient.sh @@ -1,4 +1,4 @@ -#!/bin/ksh -p +#!/bin/ksh93 -p # # CDDL HEADER START # @@ -94,13 +94,11 @@ function update_pam_conf { svc=${service%:*} auth_type=${service#*:} if egrep -s "^$svc[ ][ ]*auth.*pam_krb5*" $TPAM; then - printf "\n$(gettext "The %s service is already configure -d for pam_krb5, please merge this service in %s").\n" $svc $PAM >&2 + printf "$(gettext "The %s service is already configured for pam_krb5, please merge this service in %s").\n\n" $svc $PAM >&2 continue else exec 3>>$TPAM - printf "\n$svc\tauth include\t\tpam_krb5_$auth_type\n" 1 ->&3 + printf "\n$svc\tauth include\t\tpam_krb5_$auth_type\n" 1>&3 fi done @@ -145,18 +143,18 @@ function call_kadmin { kadmin -c $KRB5CCNAME -q "$getprincsubcommand" 1>$TMP_FILE 2>&1 - egrep -s $(gettext "get_principal: Principal does not exist") $TMP_FILE + egrep -s "$(gettext "get_principal: Principal does not exist")" $TMP_FILE bool1=$? - egrep -s $(gettext "get_principal: Operation requires ``get") $TMP_FILE + egrep -s "$(gettext "get_principal: Operation requires ``get")" $TMP_FILE bool2=$? if [[ $bool1 -eq 0 || $bool2 -eq 0 ]]; then kadmin -c $KRB5CCNAME -q "$anksubcommand" 1>$TMP_FILE 2>&1 - egrep -s $(gettext "add_principal: Principal or policy already exists while creating \"$service_princ@$realm\".") $TMP_FILE + egrep -s "$(gettext "add_principal: Principal or policy already exists while creating \"$service_princ@$realm\".")" $TMP_FILE bool3=$? - egrep -s $(gettext "Principal \"$service_princ@$realm\" created.") $TMP_FILE + egrep -s "$(gettext "Principal \"$service_princ@$realm\" created.")" $TMP_FILE bool4=$? if [[ $bool3 -eq 0 || $bool4 -eq 0 ]]; then 
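Review bot: The quoted `egrep -s "$(gettext "...")" $TMP_FILE` lines in the call_kadmin hunk now pass each message as a single argument, but the argument is still an extended regex, so `.`, `(` and whatever `$service_princ`/`$realm` expand to are interpreted rather than matched literally; if a literal match is what is meant, `fgrep -s "$(gettext "...")" $TMP_FILE` makes that explicit, and the same applies to the egrep lines in the -180 and -601 hunks on the next line. Separately, the ``"$(gettext "get_principal: Operation requires ``get")"`` pattern still contains backquotes inside double quotes, which ksh treats as an (empty) command substitution, so the text egrep actually sees is `Operation requires get` and will not match a message that contains the quote characters; escaping them (`\`\``) or comparing with fgrep would fix that. call_kadmin continues outside the hunk.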
@@ -180,7 +178,7 @@ function call_kadmin { fi kadmin -c $KRB5CCNAME -q "$ktaddsubcommand" 1>$TMP_FILE 2>&1 - egrep -s $(gettext "added to keytab WRFILE:$KRB5_KEYTAB_FILE.") $TMP_FILE + egrep -s "$(gettext "added to keytab WRFILE:$KRB5_KEYTAB_FILE.")" $TMP_FILE if [[ $? -ne 0 ]]; then cat $TMP_FILE; printf "\n$(gettext "kadmin: ktadd of %s failed, exiting").\n" $service_princ >&2 @@ -231,7 +229,7 @@ function writeup_krb5_conf { fi else if [[ $dnsarg = dns_lookup_realm ]]; then - + printf "\tdefault_realm = $realm\n" 1>&3 printf "\n[realms]\n" 1>&3 printf "\t$realm = {\n" 1>&3 if [[ -n $kdc_list ]]; then @@ -247,7 +245,7 @@ function writeup_krb5_conf { fi printf "\t}\n\n" 1>&3 else - printf "\n\n" 1>&3 + printf "\tdefault_realm = $realm\n\n" 1>&3 fi fi else @@ -448,7 +446,8 @@ function ping_check { if [[ -z $profile && $string == KDC ]]; then # It's difficult to sync up time with KDC esp. if in a # zone so just print a warning about KDC time sync. - printf "\n$(gettext "Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP)").\n\n" >&2 + printf "\n$(gettext "Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function").\n" >&2 + printf "$(gettext "Both systems should run some form of time synchronization system like Network Time Protocol (NTP)").\n" >&2 break fi } @@ -601,7 +600,7 @@ function setup_keytab { kinit -S kadmin/$FKDC $ADMIN_PRINC fi klist 1>$TMP_FILE 2>&1 - if egrep -s $(gettext "Valid starting") $TMP_FILE && egrep -s "kadmin/$FKDC@$realm" $TMP_FILE; then + if egrep -s "$(gettext "Valid starting")" $TMP_FILE && egrep -s "kadmin/$FKDC@$realm" $TMP_FILE; then : else printf "\n$(gettext "kinit of %s failed, exiting").\n" $ADMIN_PRINC >&2 
@@ -613,11 +612,10 @@ function setup_keytab { # other than the one listed in resolv.conf(4) ? # if [[ -z $options ]]; then - echo query "$(gettext "Do you have multiple DNS domains spanning the Kerberos realm") $realm ?" ask_fqdns=$answer if [[ $ask_fqdns == yes ]]; then - printf "$(gettext "Enter a comma-seperated list of DNS domain names"): " + printf "$(gettext "Enter a comma-separated list of DNS domain names"): " read fqdnlist verify_fqdnlist "$fqdnlist" else @@ -734,6 +732,14 @@ function canon_resolve { ip=`$KLOOKUP $name I` [[ -z $ip ]] && return + for i in $ip + do + if ping $i 2 > /dev/null 2>&1; then + break + else + i= + fi + done cname=`$KLOOKUP $ip P` [[ -z $cname ]] && return @@ -807,7 +813,9 @@ function getSRVs { $KLOOKUP $1 S | while read srv port do - print -- $srv $port + if ping $srv 2 > /dev/null 2>&1; then + print -- $srv $port + fi done } @@ -1018,6 +1026,7 @@ function getSite { [[ -z $subnetDN ]] && continue subnet_dom=$(dn2dns $subnetDN) ldapsrv=$(canon_resolve DomainDnsZones.$subnet_dom) + [[ -z $ldapsrv ]] && continue ldapsearch -R -T -h $ldapsrv $ldap_args \ -b "$subnetDN" -s base "" siteObject \ |grep ^siteObject|read j siteDN @@ -1037,10 +1046,10 @@ function doKRB5config { [[ -f $KRB5_KEYTAB_FILE ]] && \ cp $KRB5_KEYTAB_FILE ${KRB5_KEYTAB_FILE}-pre-kclient - cp $KRB5_CONFIG $KRB5_CONFIG_FILE - chmod 0644 $KRB5_CONFIG_FILE - cp $new_keytab $KRB5_KEYTAB_FILE - chmod 0600 $KRB5_KEYTAB_FILE + [[ -s $KRB5_CONFIG ]] && cp $KRB5_CONFIG $KRB5_CONFIG_FILE + [[ -s $KRB5_CONFIG_FILE ]] && chmod 0644 $KRB5_CONFIG_FILE + [[ -s $new_keytab ]] && cp $new_keytab $KRB5_KEYTAB_FILE + [[ -s $KRB5_KEYTAB_FILE ]] && chmod 0600 $KRB5_KEYTAB_FILE } function addDNSRR { @@ -1083,7 +1092,7 @@ function setSMB { return fi - svcadm refresh $smbFMRI + svcadm refresh $smbFMRI > /dev/null 2>&1 if [[ $? -ne 0 ]]; then printf "$(gettext "Warning: wasn't able to set refresh %s domain, server, and password information").\n" $smbFMRI fi 
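Review bot: In the canon_resolve hunk the new ping loop leaves the address that answered in `$i`, but the context line that follows still runs `` cname=`$KLOOKUP $ip P` `` on the whole `$ip` list, so the loop's selection is never consumed and an address that answered no ping is still reverse-looked-up, unless `$i` is read further down outside the hunk. Use the selected address and stop when none responded: `[[ -z $i ]] && return` followed by `` cname=`$KLOOKUP $i P` ``. The getSite hunk on this line (`[[ -z $ldapsrv ]] && continue`) depends on canon_resolve returning nothing in exactly that case. canon_resolve continues outside the hunk.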
@@ -1095,7 +1104,7 @@ function compareDomains { # If the client has been previously configured in a different # realm/domain then we need to prompt the user to see if they wish to # switch domains. - klist -k | grep @ | read j hspn + klist -k 2>&1 | grep @ | read j hspn [[ -z $hspn ]] && return oldDom=${hspn#*@} @@ -1181,7 +1190,7 @@ function join_domain { write_ads_krb5conf - printf "$(gettext "Attempting to join the '%s' domain").\n\n" $realm + printf "$(gettext "Attempting to join '%s' to the '%s' domain").\n\n" $upcase_nodename $realm kinit $cprinc@$realm if [[ $? -ne 0 ]]; then @@ -1309,7 +1318,7 @@ dNSHostname: ${fqdn} EOF printf "$(gettext "A machine account already exists; updating it").\n" - ldapadd -h "$dc" $ldap_args -f "$object" + ldapadd -h "$dc" $ldap_args -f "$object" > /dev/null 2>&1 if [[ $? -ne 0 ]]; then printf "$(gettext "Failed to create the AD object via LDAP").\n" error_message @@ -1548,6 +1557,7 @@ KDYNDNS=/usr/lib/krb5/kdyndns; check_bin $KDYNDNS dns_lookup=no ask_fqdns=no adddns=no +no_keytab=no checkval="" profile="" typeset -u realm @@ -1559,7 +1569,7 @@ mkdir $TMPDIR > /dev/null 2>&1 TMP_FILE=$(mktemp -q -t kclient-tmpfile.XXXXXX) export KRB5_CONFIG=$(mktemp -q -t kclient-krb5conf.XXXXXX) -KRB5CCNAME=$(mktemp -q -t kclient-krb5ccache.XXXXXX) +export KRB5CCNAME=$(mktemp -q -t kclient-krb5ccache.XXXXXX) new_keytab=$(mktemp -q -t kclient-krb5keytab.XXXXXX) if [[ -z $TMP_FILE || -z $KRB5_CONFIG || -z $KRB5CCNAME || -z $new_keytab ]] then 
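Review bot: The `> /dev/null 2>&1` added to the ldapadd call in the hunk at -1309 discards the server's error text, so the `Failed to create the AD object via LDAP` message that follows gives the operator nothing to diagnose with. The script's own convention in call_kadmin is to capture into the temp file and dump it on failure: `ldapadd -h "$dc" $ldap_args -f "$object" 1>$TMP_FILE 2>&1` and `cat $TMP_FILE` inside the `$? -ne 0` branch. The same applies to `svcadm refresh $smbFMRI > /dev/null 2>&1` in the setSMB hunk on the previous line. The enclosing function of the -1309 hunk starts and ends outside it.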
@@ -1691,6 +1701,34 @@ else fi # +# Check to see if we will be a client of a MIT, Heimdal, Shishi, etc. +# +if [[ -z $options ]]; then + query "$(gettext "Is this a client of a non-Solaris KDC") ?" + non_solaris=$answer + if [[ $non_solaris == yes ]]; then + printf "$(gettext "Which type of KDC is the server"):\n" + printf "\t$(gettext "ms_ad: Microsoft Active Directory")\n" + printf "\t$(gettext "mit: MIT KDC server")\n" + printf "\t$(gettext "heimdal: Heimdal KDC server")\n" + printf "\t$(gettext "shishi: Shishi KDC server")\n" + printf "$(gettext "Enter required KDC type"): " + read kdctype + if [[ $kdctype == ms_ad ]]; then + msad=yes + elif [[ $kdctype == mit || $kdctype == heimdal || \ + $kdctype == shishi ]]; then + no_keytab=yes + else + printf "\n$(gettext "Invalid KDC type option, valid types are ms_ad, mit, heimdal, or shishi, exiting").\n" >&2 + error_message + fi + fi +fi + +[[ $msad == yes ]] && join_domain + +# # Check for /etc/resolv.conf # if [[ -r $RESOLV_CONF_FILE ]]; then 
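Review bot: `[[ $msad == yes ]] && join_domain` is now executed before the `/etc/resolv.conf` readability check that follows it in this hunk, whereas the block removed in the -1723 hunk on the next line ran it after that check. If join_domain depends on name resolution (it runs kinit and ldapadd against `$dc` in the -1181 and -1309 hunks), a missing resolv.conf will now surface as a join failure rather than the dedicated message; either move `[[ $msad == yes ]] && join_domain` below the resolv.conf block or add a comment explaining why the order is safe. `read kdctype` is also compared case-sensitively, so `typeset -l kdctype` before the read would accept `MIT` as well as `mit`. This is top-level script code outside any function.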
@@ -1723,30 +1761,11 @@ else error_message fi -check_nss_conf || printf "$(gettext "/etc/nsswitch.conf does not make use of DN -S for hosts and/or ipnodes").\n" - -# -# Check to see if we will be a client of a MIT, Heimdal, Shishi, etc. -# -if [[ -z $options ]]; then - query "$(gettext "Is this a client of a non-Solaris KDC (MIT, Heimdal, Shishi, etc.)") ?" - non_solaris=$answer - if [[ $non_solaris == yes ]]; then - no_keytab=yes - else - query "$(gettext "Is this a client of a Microsoft Active Directory (MS AD) server") ?" - if [[ $answer == yes ]]; then - msad=yes - fi - fi -fi - -[[ $msad == yes ]] && join_domain +check_nss_conf || printf "$(gettext "/etc/nsswitch.conf does not make use of DNS for hosts and/or ipnodes").\n" [[ -n $fqdnlist ]] && verify_fqdnlist "$fqdnlist" -if [[ -z $options || -z $filepath ]]; then +if [[ -z $dnsarg && (-z $options || -z $filepath) ]]; then query "$(gettext "Do you want to use DNS for kerberos lookups") ?" if [[ $answer == yes ]]; then printf "\n$(gettext "Valid DNS lookup options are dns_lookup_kdc, dns_lookup_realm,\nand dns_fallback. Refer krb5.conf(4) for further details").\n" @@ -1756,6 +1775,7 @@ if [[ -z $options || -z $filepath ]]; then set_dns_value $dnsarg fi else + [[ -z $dnsarg ]] && dnsarg=none set_dns_value $dnsarg fi @@ -1768,12 +1788,12 @@ if [[ -n $kdc_list ]]; then fi fi -if [[ -z $realm && -z $filepath ]]; then +if [[ -z $realm ]]; then printf "$(gettext "Enter the Kerberos realm"): " read realm checkval="REALM"; check_value $realm fi -if [[ -z $KDC && -z $filepath ]]; then +if [[ -z $KDC ]]; then printf "$(gettext "Specify the master KDC hostname for the above realm"): " read KDC checkval="KDC"; check_value $KDC 
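Review bot: Dropping `-z $filepath` from the `[[ -z $realm ]]` and `[[ -z $KDC ]]` guards in the -1768 hunk means a run that supplies a config file but no realm or KDC now blocks on `read realm` / `read KDC`, which the old condition avoided. If that is intended because doKRB5config and setup_keytab now always need both values, a comment above the first prompt would stop the next reader from restoring the old guard, e.g. `# realm and KDC are needed even with -f: setup_keytab and doKRB5config use them`; otherwise keep the `-z $filepath` test for the non-interactive case. This is top-level script code outside any function.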
@@ -1786,6 +1806,16 @@ FKDC=`$KLOOKUP $KDC` # ping_check $FKDC "KDC" +if [[ -z $kdc_list && (-z $options || -z $filepath) ]]; then + query "$(gettext "Do you have any slave KDC(s)") ?" + if [[ $answer == yes ]]; then + printf "$(gettext "Enter a comma-separated list of slave KDC host names"): " + read kdc_list + fi +fi + +[[ -n $kdc_list ]] && verify_kdcs "$kdc_list" + # # Check to see if we will have a dynamic presence in the realm # @@ -1810,21 +1840,11 @@ if [[ -z $options ]]; then fi fi -if [[ -z $options || -z $filepath ]]; then - query "$(gettext "Do you have any slave KDC(s)") ?" - if [[ $answer == yes ]]; then - printf "$(gettext "Enter a comma-seperated list of slave KDC host names"): " - read kdc_list - fi -fi - -[[ -n $kdc_list ]] && verify_kdcs "$kdc_list" - -if [[ -z $options || -z $filepath ]]; then +if [[ -n $domain_list && (-z $options || -z $filepath) ]]; then query "$(gettext "Do you have multiple domains/hosts to map to realm %s" ) ?" $realm if [[ $answer == yes ]]; then - printf "$(gettext "Enter a comma-seperated list of domain/hosts + printf "$(gettext "Enter a comma-separated list of domain/hosts to map to the default realm"): " read domain_list fi @@ -1841,7 +1861,6 @@ writeup_krb5_conf # Is this client going to use krb-nfs? If so then we need to at least # uncomment the krb5* sec flavors in nfssec.conf. # -echo if [[ -z $options ]]; then query "$(gettext "Do you plan on doing Kerberized nfs") ?" add_nfs=$answer @@ -1871,7 +1890,6 @@ fi # Copy over krb5.conf master copy from filepath # if [[ -z $options || -z $filepath ]]; then - echo query "$(gettext "Do you want to copy over the master krb5.conf file") ?" if [[ $answer == yes ]]; then printf "$(gettext "Enter the pathname of the file to be copied"): " 
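Review bot: `if [[ -n $domain_list && (-z $options || -z $filepath) ]]` in the -1810 hunk looks inverted: it asks for a domain list only when `$domain_list` is already set, then overwrites it with `read domain_list`, and never asks when it is empty. The kdc_list block added just above uses the intended form, `[[ -z $kdc_list && (-z $options || -z $filepath) ]]`, so this test should be `if [[ -z $domain_list && (-z $options || -z $filepath) ]]; then`. If re-prompting for a list given on the command line is deliberate, a comment saying so would prevent the next reader from flipping it. This is top-level script code outside any function.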
@@ -1879,27 +1897,30 @@ if [[ -z $options || -z $filepath ]]; then fi fi -if [[ -z $filepath ]]; then - doKRB5config -else - if [[ -r $filepath ]]; then - cp $filepath $KRB5_CONFIG_FILE - if [[ $? -eq 0 ]]; then - printf "\n$(gettext "Copied %s").\n" $filepath - else - printf "\n$(gettext "Copy of %s failed, exiting").\n" $filepath >&2 - error_message - fi +if [[ -n $filepath && -r $filepath ]]; then + cp $filepath $KRB5_CONFIG + if [[ $? -eq 0 ]]; then + printf "$(gettext "Copied %s to %s").\n" $filepath $KRB5_CONFIG else - printf "\n$(gettext "%s not found, exiting").\n" $filepath >&2 + printf "$(gettext "Copy of %s failed, exiting").\n" $filepath >&2 error_message fi +elif [[ -n $filepath ]]; then + printf "\n$(gettext "%s not found, exiting").\n" $filepath >&2 + error_message fi +doKRB5config + # # Populate any service keys needed for the client in the keytab file # -[[ $no_keytab != yes ]] && setup_keytab +if [[ $no_keytab != yes ]]; then + setup_keytab +else + printf "\n$(gettext "Note: %s file not created, please refer to verify_ap_req_nofail in krb5.conf(4) for the implications").\n" $KRB5_KEYTAB_FILE + printf "$(gettext "Client will also not be able to host services that use Kerberos").\n" +fi printf -- "\n---------------------------------------------------\n" printf "$(gettext "Setup COMPLETE").\n\n" diff --git a/usr/src/cmd/krb5/kadmin/kdcmgr/klookup.c b/usr/src/cmd/krb5/kadmin/kdcmgr/klookup.c index 206940d5d1..aeed39a2d4 100644 --- a/usr/src/cmd/krb5/kadmin/kdcmgr/klookup.c +++ b/usr/src/cmd/krb5/kadmin/kdcmgr/klookup.c @@ -169,7 +169,8 @@ main(int argc, char **argv) } else if (typestr && *typestr == 'I') { (void) inet_ntop(AF_INET, (void *)ansp, nbuf, INET6_ADDRSTRLEN); - (void) strncpy(name, nbuf, MAXHOSTNAMELEN); + len = size; + (void) printf("%s\n", nbuf); } else if (type == T_PTR) { len = dn_expand(answer, end, ansp, name, hostlen); if (len < 0) { 
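Review bot: In the klookup.c hunk the new `'I'` branch prints `nbuf` without checking the `inet_ntop` return value (the call is still cast to void), and `len = size` is taken on trust without confirming the record data is a 4-byte IPv4 address before `inet_ntop` reads from `ansp`; whether `size` is validated earlier in main is outside the hunk. Check the conversion before printing, `if (inet_ntop(AF_INET, (void *)ansp, nbuf, INET6_ADDRSTRLEN) != NULL) (void) printf("%s\n", nbuf);`, and skip answers whose `size` is not 4 so a malformed A record is ignored rather than decoded. main continues outside the hunk.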
@@ -180,7 +181,7 @@ main(int argc, char **argv) ansp += len; if (type == rr_type && class == C_IN) { found = 1; - if (type != T_SRV) + if (type != T_SRV && !(typestr && *typestr == 'I')) break; } } @@ -194,7 +195,7 @@ main(int argc, char **argv) *cp = tolower(*cp); } - if (type != T_SRV) + if (type != T_SRV && !(typestr && *typestr == 'I')) (void) printf("%s\n", name); res_ndestroy(&stat); diff --git a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c index cc7aa941c6..fec3936685 100644 --- a/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c +++ b/usr/src/lib/gss_mechs/mech_krb5/krb5/os/dnsglue.c @@ -1,5 +1,5 @@ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -93,6 +93,7 @@ krb5int_dns_init(struct krb5int_dns_state **dsp, #endif #if HAVE_RES_NSEARCH + memset(&statbuf, 0, sizeof(statbuf)); ret = res_ninit(&statbuf); if (ret < 0) return -1; diff --git a/usr/src/uts/common/gssapi/mechs/krb5/mech/k5unseal.c b/usr/src/uts/common/gssapi/mechs/krb5/mech/k5unseal.c index bf85b27284..61a47cb3d6 100644 --- a/usr/src/uts/common/gssapi/mechs/krb5/mech/k5unseal.c +++ b/usr/src/uts/common/gssapi/mechs/krb5/mech/k5unseal.c @@ -1,5 +1,5 @@ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -93,7 +93,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, int direction; krb5_ui_4 seqnum; OM_uint32 retval; - size_t sumlen; + size_t sumlen, blocksize; int tmsglen; krb5_keyusage sign_usage = KG_USAGE_SIGN; 
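Review bot: The predicate `type != T_SRV && !(typestr && *typestr == 'I')` is now spelled out twice in main (the -180 and -194 hunks), which is where the next lookup mode will be added to one copy and not the other. Compute it once where `typestr` is known, e.g. `int print_all = (rr_type == T_SRV) || (typestr && *typestr == 'I');` (assuming `rr_type` is the requested type, as the `type == rr_type` test suggests), and use `if (!print_all)` in both places. main continues outside the hunks.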
@@ -277,6 +277,23 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, token.length = tmsglen; } else { conflen = kg_confounder_size(context, ctx->enc); + /* + * Solaris Kerberos: we want to perform a sanity check on the + * pad length, so we know it can not be more than the blocksize. + */ + code = krb5_c_block_size(context, ctx->enc->enctype, &blocksize); + if (code != 0) { + if (sealalg != 0xffff) + xfree_wrap(plain, tmsglen); + *minor_status = code; + return(GSS_S_FAILURE); + } + if (plain[tmsglen-1] > blocksize) { + if (sealalg != 0xffff) + xfree_wrap(plain, tmsglen); + *minor_status = KG_BAD_LENGTH; + return(GSS_S_FAILURE); + } token.length = tmsglen - conflen - plain[tmsglen-1]; } |
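Review bot: The new pad check in kg_unseal_v1 rejects `plain[tmsglen-1] > blocksize` but accepts a pad byte of 0, and it does not ensure `conflen + plain[tmsglen-1]` is at most `tmsglen`, so `token.length = tmsglen - conflen - plain[tmsglen-1]` on the last line can still go negative and become a very large unsigned length unless an earlier check outside the hunk already bounds tmsglen. If the wrap side always emits at least one pad byte, tighten the test to `if (plain[tmsglen-1] == 0 || plain[tmsglen-1] > blocksize || tmsglen < conflen + plain[tmsglen-1])` with the same cleanup and `KG_BAD_LENGTH` return. The comment above the check could also state the rule it enforces, e.g. `/* pad byte must be 1..blocksize and fit inside the message */`. kg_unseal_v1 starts and ends outside the hunk.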