Context Navigation

Back to Ticket #50421

Ticket #50421: patch-rename-server-keytab-backend.diff

File patch-rename-server-keytab-backend.diff, 17.1 KB (added by akkornel (A. Karl Kornel), 8 years ago)
Submit with the substitution being used upstream

deleted file server/keytab-backend

-                      +
-#!/usr/bin/perl
+#
-# Extract keytabs from the KDC without changing the key.
+#
-# This is a remctl backend that extracts existing keys from a KDC database
-# using kadmin.local.  It requires a patched version of kadmin.local that
-# supports the -norandkey option.  It expects a configuration file in
-# /etc/krb5kdc/allow-extract that contains a list of regexes, one per line,
-# matching principals that may be extracted in this fashion.  (Generally you
-# do not want to list user principals here.)  It also expects to be able to
-# write to a directory named /var/lib/keytabs; that's where it puts the
-# keytabs temporarily before sending them back to via remctl.
+#
-# remctl should handle authorization restrictions on this script.  It doesn't
-# do any additional authorization checks itself.
+#
-# The keytab for the extracted principal will be printed to standard output.
-use 5.008;
-use strict;
-use warnings;
-use Sys::Syslog qw(openlog syslog);
-# Path to configuration file listing principals that may be extracted.
-our $CONFIG = '/etc/krb5kdc/allow-extract';
-# The full path to a kadmin.local that supports -norandkey.
-our $KADMIN = '/usr/sbin/kadmin.local';
-# A temporary area into which keytabs should be written.
-our $TMP = '/var/lib/keytabs';
-# Set to zero to suppress syslog logging, which is used only for testing.  Set
-# to a reference to a string to append messages to that string instead.
-our $SYSLOG;
-$SYSLOG = 1 unless defined $SYSLOG;
-##############################################################################
-# Logging
-##############################################################################
-# Initialize logging.
-sub log_init {
-    if (ref $SYSLOG) {
-        $$SYSLOG = '';
-    } elsif ($SYSLOG) {
-        openlog ('keytab-backend', 'pid', 'auth');
+    }
+}
-# Log a failure message to both syslog and to stderr and exit with a non-zero
-# status.
-sub error {
-    my $message = join ('', @_);
-    if (ref $SYSLOG) {
-        $$SYSLOG .= $message . "\n";
-    } elsif ($SYSLOG) {
-        syslog ('err', '%s', $message);
+    }
-    die "keytab-backend: $message\n";
+}
-# Log a regular message, generally for success.
-sub info {
-    my $message = join ('', @_);
-    if (ref $SYSLOG) {
-        $$SYSLOG .= $message . "\n";
-    } elsif ($SYSLOG) {
-        syslog ('info', '%s', $message);
+    }
+}
-##############################################################################
-# Implementation
-##############################################################################
-# Check and download the keytab.  This is in a subroutine call for easier
-# testing.  We separately log actions unless $SYSLOG is set to 0.  remctld
-# keeps some logs, but it won't tell us whether the download is successful or
-# not.
-sub download {
-    my (@args) = @_;
-    log_init;
-    # Set up a default identity if run from the command line.
-    $ENV{REMOTE_USER} = getpwnam ($<) || 'UNKNOWN' unless $ENV{REMOTE_USER};
-    # Read the regexes of valid principals into memory.
-    open (CONFIG, '<', $CONFIG) or error "cannot open $CONFIG: $!";
-    my @valid;
-    while (<CONFIG>) {
-        next if /^\s*\#/;
-        next if /^\s*$/;
-        s/^\s+//;
-        s/\s+$//;
-        s/\s*\#.*//;
-        push (@valid, qr/$_/);
+    }
-    close CONFIG;
-    # The first argument will be the remctl service, so skip it.
-    if (@args == 2) {
-        shift @args;
+    }
-    if (@args != 1) {
-        error "invalid arguments: @args";
+    }
-    my $principal = $args[0];
-    # Ensure that we're allowed to retrieve this principal.
-    unless ($principal =~ m%^[\w-]+(?:/[\w.-]+)?\@[\w.-]+\z%) {
-        error "bad principal name $principal";
+    }
-    my $okay;
-    for my $regex (@valid) {
-        if ($principal =~ /$regex/) {
-            $okay = 1;
-            last;
+        }
+    }
-    unless ($okay) {
-        error "permission denied: $ENV{REMOTE_USER} may not retrieve"
-            . " $principal";
+    }
-    # Do the actual work.
-    my $filename = "$TMP/keytab$$";
-    my $command = "ktadd -k $filename -q -norandkey $principal";
-    my $output = `$KADMIN -q '$command' 2>&1`;
-    if ($? != 0) {
-        my $status = ($? >> 8);
-        warn $output;
-        error "retrieve of $principal failed for $ENV{REMOTE_USER}:"
-            . " kadmin.local exited with status $status";
+    }
-    open (KEYTAB, '<', $filename)
-        or error "cannot open temporary keytab $filename: $!";
-    print while <KEYTAB>;
-    close KEYTAB;
-    unlink $filename;
-    info ("keytab $principal retrieved by $ENV{REMOTE_USER}");
+}
-download (@ARGV);
-__END__
-##############################################################################
-# Documentation
-##############################################################################
-=for stopwords
-keytab-backend keytabs KDC keytab kadmin.local -norandkey ktadd remctld
-auth Allbery rekeying MERCHANTABILITY NONINFRINGEMENT sublicense
-kadmin.local.
-=head1 NAME
-keytab-backend - Extract keytabs from the KDC without changing the key
-=head1 SYNOPSIS
-B<keytab-backend> retrieve I<principal>
-=head1 DESCRIPTION
-B<keytab-backend> retrieves a keytab for an existing principal from the
-KDC database without changing the current key.  It allows generation of a
-keytab for a service without rekeying that service.  It requires a
-B<kadmin.local> patched to support the B<-norandkey> option to B<ktadd>.
-This script is intended to run under B<remctld>.  On success, it prints
-the keytab to standard output, logs a success message to syslog (facility
-auth, priority info), and exits with status 0.  On failure, it prints out
-an error message, logs an error to syslog (facility auth, priority err),
-and exits with a non-zero status.
-The principal is checked for basic sanity (only accepting alphanumerics,
-C<_>, and C<-> with an optional instance and then only alphanumerics,
-C<_>, C<->, and C<.> in the realm) and then checked against a
-configuration file that lists regexes of principals that can be retrieved.
-When deploying this software, limit as tightly as possible which
-principals can be downloaded in this fashion.  Generally only shared
-service principals used on multiple systems should be made available in
-this way.
-B<keytab-backend> does not do any authorization checks.  Those should be
-done by B<remctld> before it is called.
-=head1 FILES
-=over 4
-=item F</etc/krb5kdc/allow-extract>
-The configuration file that controls which principals can have their
-keytabs retrieved.  Blank lines and lines starting with C<#>, as well as
-anything after C<#> on a line, are ignored.  All other lines should be
-Perl regular expressions, one per line, that match principals whose
-keytabs can be retrieved by B<keytab-backend>.  Any principal that does
-not match one of those regular expressions cannot be retrieved.
-=item F</var/lib/keytabs>
-The temporary directory used for creating keytabs.  B<keytab-backend> will
-create the keytab in this directory, make sure that was successful, and
-then delete the temporary file after the results have been sent to
-standard output.
-=back
-=head1 AUTHOR
-Russ Allbery <eagle@eyrie.org>
-=head1 COPYRIGHT AND LICENSE
-Copyright 2006, 2007, 2008, 2010, 2013 The Board of Trustees of the Leland
-Stanford Junior University
-Permission is hereby granted, free of charge, to any person obtaining a
-copy of this software and associated documentation files (the "Software"),
-to deal in the Software without restriction, including without limitation
-the rights to use, copy, modify, merge, publish, distribute, sublicense,
-and/or sell copies of the Software, and to permit persons to whom the
-Software is furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
-THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-DEALINGS IN THE SOFTWARE.
-=head1 SEE ALSO
-kadmin.local(8), remctld(8)
-This program is part of the wallet system.  The current version is
-available from L<http://www.eyrie.org/~eagle/software/wallet/>.
-=cut

new file server/keytab-backend.in

-                      -
+#!@PERL@
+#
+# Extract keytabs from the KDC without changing the key.
+#
+# This is a remctl backend that extracts existing keys from a KDC database
+# using kadmin.local.  It requires a patched version of kadmin.local that
+# supports the -norandkey option.  It expects a configuration file in
+# /etc/krb5kdc/allow-extract that contains a list of regexes, one per line,
+# matching principals that may be extracted in this fashion.  (Generally you
+# do not want to list user principals here.)  It also expects to be able to
+# write to a directory named /var/lib/keytabs; that's where it puts the
+# keytabs temporarily before sending them back to via remctl.
+#
+# remctl should handle authorization restrictions on this script.  It doesn't
+# do any additional authorization checks itself.
+#
+# The keytab for the extracted principal will be printed to standard output.
+use 5.008;
+use strict;
+use warnings;
+use Sys::Syslog qw(openlog syslog);
+# Path to configuration file listing principals that may be extracted.
+our $CONFIG = '/etc/krb5kdc/allow-extract';
+# The full path to a kadmin.local that supports -norandkey.
+our $KADMIN = '/usr/sbin/kadmin.local';
+# A temporary area into which keytabs should be written.
+our $TMP = '/var/lib/keytabs';
+# Set to zero to suppress syslog logging, which is used only for testing.  Set
+# to a reference to a string to append messages to that string instead.
+our $SYSLOG;
+$SYSLOG = 1 unless defined $SYSLOG;
+##############################################################################
+# Logging
+##############################################################################
+# Initialize logging.
+sub log_init {
+    if (ref $SYSLOG) {
+        $$SYSLOG = '';
+    } elsif ($SYSLOG) {
+        openlog ('keytab-backend', 'pid', 'auth');
+    }
+}
+# Log a failure message to both syslog and to stderr and exit with a non-zero
+# status.
+sub error {
+    my $message = join ('', @_);
+    if (ref $SYSLOG) {
+        $$SYSLOG .= $message . "\n";
+    } elsif ($SYSLOG) {
+        syslog ('err', '%s', $message);
+    }
+    die "keytab-backend: $message\n";
+}
+# Log a regular message, generally for success.
+sub info {
+    my $message = join ('', @_);
+    if (ref $SYSLOG) {
+        $$SYSLOG .= $message . "\n";
+    } elsif ($SYSLOG) {
+        syslog ('info', '%s', $message);
+    }
+}
+##############################################################################
+# Implementation
+##############################################################################
+# Check and download the keytab.  This is in a subroutine call for easier
+# testing.  We separately log actions unless $SYSLOG is set to 0.  remctld
+# keeps some logs, but it won't tell us whether the download is successful or
+# not.
+sub download {
+    my (@args) = @_;
+    log_init;
+    # Set up a default identity if run from the command line.
+    $ENV{REMOTE_USER} = getpwnam ($<) || 'UNKNOWN' unless $ENV{REMOTE_USER};
+    # Read the regexes of valid principals into memory.
+    open (CONFIG, '<', $CONFIG) or error "cannot open $CONFIG: $!";
+    my @valid;
+    while (<CONFIG>) {
+        next if /^\s*\#/;
+        next if /^\s*$/;
+        s/^\s+//;
+        s/\s+$//;
+        s/\s*\#.*//;
+        push (@valid, qr/$_/);
+    }
+    close CONFIG;
+    # The first argument will be the remctl service, so skip it.
+    if (@args == 2) {
+        shift @args;
+    }
+    if (@args != 1) {
+        error "invalid arguments: @args";
+    }
+    my $principal = $args[0];
+    # Ensure that we're allowed to retrieve this principal.
+    unless ($principal =~ m%^[\w-]+(?:/[\w.-]+)?\@[\w.-]+\z%) {
+        error "bad principal name $principal";
+    }
+    my $okay;
+    for my $regex (@valid) {
+        if ($principal =~ /$regex/) {
+            $okay = 1;
+            last;
+        }
+    }
+    unless ($okay) {
+        error "permission denied: $ENV{REMOTE_USER} may not retrieve"
+            . " $principal";
+    }
+    # Do the actual work.
+    my $filename = "$TMP/keytab$$";
+    my $command = "ktadd -k $filename -q -norandkey $principal";
+    my $output = `$KADMIN -q '$command' 2>&1`;
+    if ($? != 0) {
+        my $status = ($? >> 8);
+        warn $output;
+        error "retrieve of $principal failed for $ENV{REMOTE_USER}:"
+            . " kadmin.local exited with status $status";
+    }
+    open (KEYTAB, '<', $filename)
+        or error "cannot open temporary keytab $filename: $!";
+    print while <KEYTAB>;
+    close KEYTAB;
+    unlink $filename;
+    info ("keytab $principal retrieved by $ENV{REMOTE_USER}");
+}
+download (@ARGV);
+__END__
+##############################################################################
+# Documentation
+##############################################################################
+=for stopwords
+keytab-backend keytabs KDC keytab kadmin.local -norandkey ktadd remctld
+auth Allbery rekeying MERCHANTABILITY NONINFRINGEMENT sublicense
+kadmin.local.
+=head1 NAME
+keytab-backend - Extract keytabs from the KDC without changing the key
+=head1 SYNOPSIS
+B<keytab-backend> retrieve I<principal>
+=head1 DESCRIPTION
+B<keytab-backend> retrieves a keytab for an existing principal from the
+KDC database without changing the current key.  It allows generation of a
+keytab for a service without rekeying that service.  It requires a
+B<kadmin.local> patched to support the B<-norandkey> option to B<ktadd>.
+This script is intended to run under B<remctld>.  On success, it prints
+the keytab to standard output, logs a success message to syslog (facility
+auth, priority info), and exits with status 0.  On failure, it prints out
+an error message, logs an error to syslog (facility auth, priority err),
+and exits with a non-zero status.
+The principal is checked for basic sanity (only accepting alphanumerics,
+C<_>, and C<-> with an optional instance and then only alphanumerics,
+C<_>, C<->, and C<.> in the realm) and then checked against a
+configuration file that lists regexes of principals that can be retrieved.
+When deploying this software, limit as tightly as possible which
+principals can be downloaded in this fashion.  Generally only shared
+service principals used on multiple systems should be made available in
+this way.
+B<keytab-backend> does not do any authorization checks.  Those should be
+done by B<remctld> before it is called.
+=head1 FILES
+=over 4
+=item F</etc/krb5kdc/allow-extract>
+The configuration file that controls which principals can have their
+keytabs retrieved.  Blank lines and lines starting with C<#>, as well as
+anything after C<#> on a line, are ignored.  All other lines should be
+Perl regular expressions, one per line, that match principals whose
+keytabs can be retrieved by B<keytab-backend>.  Any principal that does
+not match one of those regular expressions cannot be retrieved.
+=item F</var/lib/keytabs>
+The temporary directory used for creating keytabs.  B<keytab-backend> will
+create the keytab in this directory, make sure that was successful, and
+then delete the temporary file after the results have been sent to
+standard output.
+=back
+=head1 AUTHOR
+Russ Allbery <eagle@eyrie.org>
+=head1 COPYRIGHT AND LICENSE
+Copyright 2006, 2007, 2008, 2010, 2013 The Board of Trustees of the Leland
+Stanford Junior University
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
+=head1 SEE ALSO
+kadmin.local(8), remctld(8)
+This program is part of the wallet system.  The current version is
+available from L<http://www.eyrie.org/~eagle/software/wallet/>.
+=cut

Download in other formats:

Original Format