des: config
${COMPILE_PART1} des ${COMPILE_PART2}
-sys: cmd comerr afs des rx rxstat fsint sys_depinstall
+sys: cmd comerr afs des rx rxstat fsint auth sys_depinstall
${COMPILE_PART1} sys ${COMPILE_PART2}
rxkad: cmd comerr sys des rx rxkad_depinstall
${COMPILE_PART1} rxkad ${COMPILE_PART2}
-auth: cmd comerr comerr des lwp rx sys rxkad audit auth_depinstall
+auth: cmd comerr comerr des lwp rx rxkad audit sys_depinstall auth_depinstall
${COMPILE_PART1} auth ${COMPILE_PART2}
ubik: cmd comerr auth ubik_depinstall
B<asetkey> add <I<kvno>> <I<keyfile>> <I<principal>>
+B<asetkey> add <I<kvno>> <I<key>>
+
B<asetkey> delete <I<kvno>>
B<asetkey> list
The B<asetkey> command is used to add a key to an AFS KeyFile from a
Kerberos keytab. It is similar to B<bos addkey> except that it must be
run locally on the system where the KeyFile is located and it takes the
-new key from a Kerberos 5 keytab rather than prompting for the password.
+new key from the command line or a Kerberos 5 keytab rather than prompting
+for the password.
B<asetkey delete> can be used to delete a key (similar to B<bos
removekeys>), and B<asetkey list> will list the keys in a KeyFile (similar
match the kvno in the Kerberos KDC (checked with B<kvno> or the
C<getprinc> function of B<kadmin>). I<principal> should be the name of
the AFS principal in the keytab, which must be either C<afs> or
-C<afs/I<cell name>>.
+C<afs/I<cell name>>. B<asetkey> can also be used to install a key
+from a hex string.
In cells that use the Update Server to distribute the contents of the
F</usr/afs/etc> directory, it is conventional to run B<asetkey add> only
You may want to use C<afs/I<cell name>> instead of C<afs>, particularly if
you may have multiple AFS cells for a single Kerberos realm.
+In the event you have been distributed a key by a Kerberos administrator
+in the form of a hex string, you may use asetkey to install that.
+
+ % asetkey add 3 80b6a7cd7a9dadb6
+
+I<key> should be an 8 byte hex representation.
+
=head1 PRIVILEGE REQUIRED
The issuer must be able to read (for B<asetkey list>) and write (for
crfree(credp);
return -code;
-
}
#ifdef STRUCT_FILE_OPERATIONS_HAS_FLOCK
DECL_PIOCTL(PNFSNukeCreds);
DECL_PIOCTL(PNewUuid);
DECL_PIOCTL(PPrecache);
+DECL_PIOCTL(PGetPAG);
#if defined(AFS_CACHE_BYPASS)
DECL_PIOCTL(PSetCachingThreshold);
DECL_PIOCTL(PSetCachingBlkSize);
PBogus, /* 0 */
PBogus, /* 0 */
PPrecache, /* 12 */
+ PGetPAG, /* 13 */
};
static int (*(OpioctlSw[])) () = {
return EACCES;
}
+/*!
+ * VIOC_GETPAG (13) - Get PAG value
+ *
+ * \ingroup pioctl
+ *
+ * \param[in] ain not in use
+ * \param[out] aout PAG value or NOPAG
+ *
+ * \retval E2BIG Error not enough space to copy out value
+ *
+ * \post get PAG value for the caller's cred
+ */
+DECL_PIOCTL(PGetPAG)
+{
+ afs_int32 pag;
+
+ if (aoutSize < sizeof(afs_int32)) {
+ return E2BIG;
+ }
+
+ pag = PagInCred(*acred);
+
+ memcpy(aout, (char *)&pag, sizeof(afs_int32));
+ *aoutSize = sizeof(afs_int32);
+ return 0;
+}
+
DECL_PIOCTL(PPrecache)
{
afs_int32 newValue;
return 0;
}
-/* get the current AFS pag for the calling process */
-static afs_int32
-curpag()
-{
- gid_t groups[30];
- afs_uint32 g0, g1;
- afs_uint32 h, l, ret;
-
- if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
- return 0;
-
- g0 = groups[0] & 0xffff;
- g1 = groups[1] & 0xffff;
- g0 -= 0x3f00;
- g1 -= 0x3f00;
- if (g0 < 0xc000 && g1 < 0xc000) {
- l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
- h = (g0 >> 14);
- h = (g1 >> 14) + h + h + h;
- ret = ((h << 28) | l);
- /* Additional testing */
- if (((ret >> 24) & 0xff) == 'A')
- return ret;
- else
- return -1;
- }
- return -1;
-}
-
/* Returns the AFS pag number, if any, otherwise return -1 */
afs_int32
getPAG()
assert(sizeof(afs_uint32) == 4);
assert(sizeof(afs_int32) == 4);
- pag = curpag();
+ pag = ktc_curpag();
if (pag == 0 || pag == -1)
return -1;
#define USING_HEIMDAL 1
#endif
+static int
+char2hex(char c)
+{
+ if (c >= '0' && c <= '9')
+ return (c - 48);
+ if ((c >= 'a') && (c <= 'f'))
+ return (c - 'a' + 10);
+
+ if ((c >= 'A') && (c <= 'F'))
+ return (c - 'A' + 10);
+
+ return -1;
+}
+
+static int
+hex2char(char c)
+{
+ if (c <= 9)
+ return (c + 48);
+
+ return (c - 10 + 'a');
+}
+
int
main(int argc, char *argv[])
{
fprintf(stderr, "%s: usage is '%s <opcode> options, e.g.\n",
argv[0], argv[0]);
fprintf(stderr, "\t%s add <kvno> <keyfile> <princ>\n", argv[0]);
+ fprintf(stderr, "\tOR\n\t%s add <kvno> <key>\n", argv[0]);
+ fprintf(stderr, "\t\tEx: %s add 0 \"80b6a7cd7a9dadb6\"\n", argv[0]);
fprintf(stderr, "\t%s delete <kvno>\n", argv[0]);
fprintf(stderr, "\t%s list\n", argv[0]);
exit(1);
krb5_principal principal;
krb5_keyblock *key;
krb5_error_code retval;
- int kvno;
+ int kvno, keymode = 0;
if (argc != 5) {
- fprintf(stderr, "%s add: usage is '%s add <kvno> <keyfile> "
- "<princ>\n", argv[0], argv[0]);
- exit(1);
+ if (argc == 4)
+ keymode = 1;
+ else {
+ fprintf(stderr, "%s add: usage is '%s add <kvno> <keyfile> "
+ "<princ>\n", argv[0], argv[0]);
+ fprintf(stderr, "\tOR\n\t%s add <kvno> <key>\n", argv[0]);
+ fprintf(stderr, "\t\tEx: %s add 0 \"80b6a7cd7a9dadb6\"\n", argv[0]);
+ exit(1);
+ }
}
- krb5_init_context(&context);
-
kvno = atoi(argv[2]);
- retval = krb5_parse_name(context, argv[4], &principal);
- if (retval != 0) {
+ if (keymode) {
+ char tkey[8];
+ int i;
+ char *cp;
+ if (strlen(argv[3]) != 16) {
+ printf("key %s is not in right format\n", argv[3]);
+ printf(" <key> should be an 8byte hex representation \n");
+ printf(" Ex: setkey add 0 \"80b6a7cd7a9dadb6\"\n");
+ exit(1);
+ }
+ memset(tkey, 0, sizeof(tkey));
+ for (i = 7, cp = argv[3] + 15; i >= 0; i--, cp -= 2)
+ tkey[i] = char2hex(*cp) + char2hex(*(cp - 1)) * 16;
+ code = afsconf_AddKey(tdir, kvno, tkey, 1);
+ } else {
+ krb5_init_context(&context);
+
+ retval = krb5_parse_name(context, argv[4], &principal);
+ if (retval != 0) {
afs_com_err(argv[0], retval, "while parsing AFS principal");
exit(1);
- }
- retval = krb5_kt_read_service_key(context, argv[3], principal, kvno,
- ENCTYPE_DES_CBC_CRC, &key);
- if (retval != 0) {
+ }
+ retval = krb5_kt_read_service_key(context, argv[3], principal, kvno,
+ ENCTYPE_DES_CBC_CRC, &key);
+ if (retval != 0) {
afs_com_err(argv[0], retval, "while extracting AFS service key");
exit(1);
- }
-
+ }
+
#ifdef USING_HEIMDAL
-#define deref_key_length(key) \
- key->keyvalue.length
-
-#define deref_key_contents(key) \
- key->keyvalue.data
+#define deref_key_length(key) \
+ key->keyvalue.length
+
+#define deref_key_contents(key) \
+ key->keyvalue.data
#else
-#define deref_key_length(key) \
- key->length
-
-#define deref_key_contents(key) \
- key->contents
+#define deref_key_length(key) \
+ key->length
+
+#define deref_key_contents(key) \
+ key->contents
#endif
- if (deref_key_length(key) != 8) {
+ if (deref_key_length(key) != 8) {
fprintf(stderr, "Key length should be 8, but is really %d!\n",
deref_key_length(key));
exit(1);
+ }
+ code = afsconf_AddKey(tdir, kvno, (char *) deref_key_contents(key), 1);
}
- code = afsconf_AddKey(tdir, kvno, (char *) deref_key_contents(key), 1);
if (code) {
fprintf(stderr, "%s: failed to set key, code %ld.\n", argv[0], code);
exit(1);
}
- krb5_free_principal(context, principal);
- krb5_free_keyblock(context, key);
+ if (keymode == 0) {
+ krb5_free_principal(context, principal);
+ krb5_free_keyblock(context, key);
+ }
}
else if (strcmp(argv[1], "delete")==0) {
long kvno;
KOBJS= cellconfig.o ktc.krb.o userok.o writeconfig.o authcon.o \
acfg_errors.o ktc_errors.o
-LIBS=libauth.a ${TOP_LIBDIR}/libsys.a \
+LIBS=libauth.a \
${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/util.a
UKSRCS=${KSRCS} cellconfig.h acfg_errors.c keys.h cellconfig.c \
ktc.c authcon.c ktc_errors.c
-all: ${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/libauth.krb.a depinstall copyauth setkey
+all: ${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/libauth.krb.a depinstall
depinstall: ${TOP_INCDIR}/afs/keys.h \
${TOP_INCDIR}/afs/cellconfig.h \
#
# Install targets
#
-install: copyauth libauth.a libauth.krb.a auth.h cellconfig.h
+install: libauth.a libauth.krb.a auth.h cellconfig.h
${INSTALL} -d ${DESTDIR}${libdir}/afs
${INSTALL} -d ${DESTDIR}${includedir}/afs
${INSTALL_DATA} libauth.a ${DESTDIR}${libdir}/afs/libauth.a
${INSTALL_DATA} cellconfig.h ${DESTDIR}${includedir}/afs/cellconfig.h
${INSTALL_DATA} auth.h ${DESTDIR}${includedir}/afs/auth.h
${INSTALL_DATA} ktc.h ${DESTDIR}${includedir}/afs/ktc.h
- ${INSTALL_PROGRAM} copyauth ${DESTDIR}${sbindir}/copyauth
-dest: copyauth libauth.a libauth.krb.a auth.h cellconfig.h
+dest: libauth.a libauth.krb.a auth.h cellconfig.h
${INSTALL} -d ${DEST}/lib/afs
${INSTALL} -d ${DEST}/include/afs
${INSTALL_DATA} libauth.a ${DEST}/lib/afs/libauth.a
${INSTALL_DATA} cellconfig.h ${DEST}/include/afs/cellconfig.h
${INSTALL_DATA} auth.h ${DEST}/include/afs/auth.h
${INSTALL_DATA} ktc.h ${DEST}/include/afs/ktc.h
- ${INSTALL_PROGRAM} copyauth ${DEST}/etc/copyauth
#
# Misc. targets
return 0;
}
-static afs_uint32
-curpag(void)
+afs_uint32
+ktc_curpag(void)
{
-#if defined(AFS_AIX51_ENV)
- int code = getpagvalue("afs");
- if (code < 0 && errno == EINVAL)
- code = 0;
- return code;
-#else
- gid_t groups[NGROUPS_MAX];
- afs_uint32 g0, g1;
- afs_uint32 h, l, ret;
+ int code;
+ struct ViceIoctl iob;
+ afs_int32 pag;
- if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
- return 0;
+ /* now setup for the pioctl */
+ iob.in = -1;
+ iob.in_size = 0;
+ iob.out = &pag;
+ iob.out_size = sizeof(afs_int32);
- g0 = groups[0] & 0xffff;
- g1 = groups[1] & 0xffff;
- g0 -= 0x3f00;
- g1 -= 0x3f00;
- if (g0 < 0xc000 && g1 < 0xc000) {
- l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
- h = (g0 >> 14);
- h = (g1 >> 14) + h + h + h;
- ret = ((h << 28) | l);
- /* Additional testing */
- if (((ret >> 24) & 0xff) == 'A')
- return ret;
- else
- return -1;
- }
- return -1;
+ code = PIOCTL(0, VIOC_GETPAG, &iob, 0);
+ if (code < 0) {
+#if defined(AFS_AIX51_ENV)
+ code = getpagvalue("afs");
+ if (code < 0 && errno == EINVAL)
+ code = 0;
+ return code;
+#else
+ gid_t groups[NGROUPS_MAX];
+ afs_uint32 g0, g1;
+ afs_uint32 h, l, ret;
+
+ if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
+ return 0;
+
+ g0 = groups[0] & 0xffff;
+ g1 = groups[1] & 0xffff;
+ g0 -= 0x3f00;
+ g1 -= 0x3f00;
+ if (g0 < 0xc000 && g1 < 0xc000) {
+ l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
+ h = (g0 >> 14);
+ h = (g1 >> 14) + h + h + h;
+ ret = ((h << 28) | l);
+ /* Additional testing */
+ if (((ret >> 24) & 0xff) == 'A')
+ return ret;
+ else
+ return -1;
+ }
+ return -1;
#endif
+ }
+ return pag;
}
int
afs_uint32 pag;
struct stat sbuf;
char fname[256], *prefix = "/ticket/";
+ char fname5[256], *prefix5 = "FILE:/ticket/krb5cc_";
int numenv;
char **newenv, **senv, **denv;
LOCK_GLOBAL_MUTEX;
if (stat("/ticket", &sbuf) == -1) {
prefix = "/tmp/tkt";
+ prefix5 = "FILE:/tmp/krb5cc_";
}
- pag = curpag() & 0xffffffff;
+ pag = ktc_curpag() & 0xffffffff;
if (pag == -1) {
sprintf(fname, "%s%d", prefix, getuid());
+ sprintf(fname5, "%s%d", prefix5, getuid());
} else {
sprintf(fname, "%sp%lu", prefix, afs_cast_uint32(pag));
+ sprintf(fname5, "%sp%lud", prefix5, (long unsigned int) pag);
}
ktc_set_tkt_string(fname);
newenv = (char **)malloc((numenv + 2) * sizeof(char *));
for (senv = environ, denv = newenv; *senv; senv++) {
- if (strncmp(*senv, "KRBTKFILE=", 10) != 0)
+ if (strncmp(*senv, "KRBTKFILE=", 10) != 0 &&
+ strncmp(*senv, "KRB5CCNAME=", 11) != 0)
*denv++ = *senv;
}
- *denv = (char *)malloc(10 + strlen(fname) + 1);
+ *denv = malloc(10+11 + strlen(fname) + strlen(fname5) + 2);
strcpy(*denv, "KRBTKFILE=");
strcat(*denv, fname);
+ *(denv+1) = *denv + strlen(*denv) + 1;
+ denv++;
+ strcpy(*denv, "KRB5CCNAME=");
+ strcat(*denv, fname5);
*++denv = 0;
environ = newenv;
UNLOCK_GLOBAL_MUTEX;
#define VIOC_CBADDR _CVICEIOCTL(3) /* push callback addr */
#define VIOC_DISCON _CVICEIOCTL(5) /* set/get discon mode */
#define VIOC_NEWUUID _CVICEIOCTL(9) /* new uuid */
-#define VIOCPRECACHE _CVICEIOCTL(12) /* precache size */
+#define VIOCPRECACHE _CVICEIOCTL(12) /* precache size */
+#define VIOC_GETPAG _CVICEIOCTL(13) /* get pag value */
/* OpenAFS-specific 'O' pioctl's */
#define VIOC_NFS_NUKE_CREDS _OVICEIOCTL(1) /* nuke creds for all PAG's */
%{_bindir}/unlog
%{_sbindir}/backup
%{_sbindir}/butc
-%{_sbindir}/copyauth
%{_sbindir}/fms
%{_sbindir}/fstrace
%{_sbindir}/kas
return (ret);
}
-/* get the current AFS pag for the calling process */
-static afs_int32
-curpag(void)
-{
-#if defined(AFS_AIX51_ENV)
- int code = getpagvalue("afs");
- if (code < 0 && errno == EINVAL)
- code = 0;
- return code;
-#else
- gid_t groups[NGROUPS_MAX];
- afs_uint32 g0, g1;
- afs_uint32 h, l, ret;
-
- if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
- return 0;
-
- g0 = groups[0] & 0xffff;
- g1 = groups[1] & 0xffff;
- g0 -= 0x3f00;
- g1 -= 0x3f00;
- if (g0 < 0xc000 && g1 < 0xc000) {
- l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
- h = (g0 >> 14);
- h = (g1 >> 14) + h + h + h;
- ret = ((h << 28) | l);
- /* Additional testing */
- if (((ret >> 24) & 0xff) == 'A')
- return ret;
- else
- return -1;
- }
- return -1;
-#endif
-}
-
/* Returns the AFS pag number, if any, otherwise return -1 */
afs_int32
getPAG(void)
{
afs_int32 pag;
- pag = curpag();
+ pag = ktc_curpag();
if (pag == 0 || pag == -1)
return -1;
${TOP_LIBDIR}/libdes.a \
${TOP_LIBDIR}/librx.a \
${TOP_LIBDIR}/liblwp.a \
- ${TOP_LIBDIR}/libsys.a \
${TOP_LIBDIR}/libafsutil.a
all: ${TOP_LIBDIR}/librxkad.a fc_test depinstall
pagsh.krb: libsys.a
${CC} ${CFLAGS} -c ${srcdir}/pagsh.c -DAFS_KERBEROS_ENV
- ${CC} ${CFLAGS} -o pagsh.krb pagsh.o ${LIBS}
+ ${CC} ${CFLAGS} -o pagsh.krb pagsh.o ${TOP_LIBDIR}/libauth.krb.a ${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/libdes.a ${LIBS}
#
# Test programs.
#include "AFS_component_version_number.c"
-int ktc_newpag(void);
-
int
main(int argc, char *argv[])
{
fprintf(stderr, "No shell\n");
exit(1);
}
-
-
-#ifdef AFS_KERBEROS_ENV
-/* stolen from auth/ktc.c */
-
-static afs_uint32
-curpag(void)
-{
-#if defined(AFS_AIX51_ENV)
- int code = getpagvalue("afs");
- if (code < 0 && errno == EINVAL)
- code = 0;
- return code;
-#else
- afs_uint32 groups[NGROUPS_MAX];
- afs_uint32 g0, g1;
- afs_uint32 h, l, ret;
-
- if (getgroups(sizeof groups / sizeof groups[0], groups) < 2)
- return 0;
-
- g0 = groups[0] & 0xffff;
- g1 = groups[1] & 0xffff;
- g0 -= 0x3f00;
- g1 -= 0x3f00;
- if ((g0 < 0xc000) && (g1 < 0xc000)) {
- l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
- h = (g0 >> 14);
- h = (g1 >> 14) + h + h + h;
- ret = ((h << 28) | l);
- /* Additional testing */
- if (((ret >> 24) & 0xff) == 'A')
- return ret;
- else
- return -1;
- }
- return -1;
-#endif
-}
-
-int
-ktc_newpag(void)
-{
- extern char **environ;
-
- afs_uint32 pag;
- struct stat sbuf;
- char fname[256], *prefix = "/ticket/";
- char fname5[256], *prefix5 = "FILE:/ticket/krb5cc_";
- int numenv;
- char **newenv, **senv, **denv;
-
- if (stat("/ticket", &sbuf) == -1) {
- prefix = "/tmp/tkt";
- prefix5 = "FILE:/tmp/krb5cc_";
- }
-
- pag = curpag() & 0xffffffff;
- if (pag == -1) {
- sprintf(fname, "%s%d", prefix, getuid());
- sprintf(fname5, "%s%d", prefix5, getuid());
- } else {
- sprintf(fname, "%sp%lud", prefix, (long unsigned int) pag);
- sprintf(fname5, "%sp%lud", prefix5, (long unsigned int) pag);
- }
-/* ktc_set_tkt_string(fname); */
-
- for (senv = environ, numenv = 0; *senv; senv++)
- numenv++;
- newenv = (char **)malloc((numenv + 2) * sizeof(char *));
-
- for (senv = environ, denv = newenv; *senv; *senv++) {
- if (strncmp(*senv, "KRBTKFILE=", 10) != 0 &&
- strncmp(*senv, "KRB5CCNAME=", 11) != 0)
- *denv++ = *senv;
- }
-
- *denv = malloc(10+11 + strlen(fname) + strlen(fname5) + 2);
- strcpy(*denv, "KRBTKFILE=");
- strcat(*denv, fname);
- *(denv+1) = *denv + strlen(*denv) + 1;
- denv++;
- strcpy(*denv, "KRB5CCNAME=");
- strcat(*denv, fname5);
- *++denv = 0;
- environ = newenv;
- return 0;
-}
-
-#endif