Merge r24242:24397 from trunk to branches/nss. This will break the

nss branch build temporarily due to Camellia changes.


git-svn-id: svn://anonsvn.mit.edu/krb5/branches/nss@24398 dc483132-0cff-0310-8789-dd5450dbe970

NOTICE

@@ -546,6 +546,42 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+                         --------------------
+
+Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc
+have the following copyright and permission notice:
+
+  Copyright (c) 2010, Oracle America, Inc.
+
+  All rights reserved.
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are met:
+
+      * Redistributions of source code must retain the above copyright
+	notice, this list of conditions and the following disclaimer.
+
+      * Redistributions in binary form must reproduce the above copyright
+	notice, this list of conditions and the following disclaimer in
+	the documentation and/or other materials provided with the
+	distribution.
+
+      * Neither the name of the “Oracle America, Inc.” nor the names of
+	its contributors may be used to endorse or promote products
+	derived from this software without specific prior written permission.
+
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+  IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+  TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+  PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+  HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+  TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 Acknowledgements for krb5-1.9
 -----------------------------
 

doc/admin.texinfo

@@ -410,6 +410,7 @@ salt.  The supported values for salts are as follows.
 * capaths::                     
 * dbdefaults::                  
 * dbmodules::                   
+* plugins::
 * pkinit client options::
 * Sample krb5.conf File::       
 @end menu
@@ -756,16 +757,17 @@ for this is not currently compiled in by default.
 The local name will be formulated from @i{exp}.
 
 The format for @i{exp} is
-@code{[@i{n}:$@i{d}..@i{string}](@i{regexp})s/@i{pattern}/@i{replacement}/g}.
+@code{[@i{n}:@i{string}](@i{regexp})s/@i{pattern}/@i{replacement}/g}.
 The integer @i{n} indicates how many components the target principal
-should have.  If this matches, then a string will be formed by putting
-together the components of the principal in the order indicated by each
-integer @i{d}, and the arbitrary string @i{string} (i.e. if the
+should have.  If this matches, then a string will be formed from
+@i{string}, substituting the realm of the principal for @code{$0} and
+the @i{n}'th component of the principal for @code{$@i{n}} (e.g. if the
 principal was @value{RANDOMUSER}/admin then [2:$2$1foo] would result in
-the string "admin@value{RANDOMUSER}foo".  If this string matches
-@i{regexp}, then the @code{s//[g]} substitution command will be run over the
-string.  The optional g will cause the substitution to be global over
-the string, instead of replacing only the first match in the string.
+the string "admin@value{RANDOMUSER}foo").  If this string matches
+@i{regexp}, then the @code{s//[g]} substitution command will be run over
+the string.  The optional g will cause the substitution to be global
+over the string, instead of replacing only the first match in the
+string.
 
 @item DEFAULT
 The principal name will be used as the local user name.  If the
@@ -780,13 +782,11 @@ For example:
 @group
 [realms]
     @value{PRIMARYREALM} = @{
-        auth_to_local = @{
-            RULE:[2:$1](@value{RANDOMUSER})s/^.*$/guest/
-            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
-            RULE:[2:$2](^.*;root)s/^.*$/root/
-            DEFAULT
-            @}
-        @}
+        auth_to_local = RULE:[2:$1](@value{RANDOMUSER})s/^.*$/guest/
+        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
+        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
+        auto_to_local = DEFAULT
+    @}
 @end group
 @end smallexample
 
@@ -1042,7 +1042,7 @@ This LDAP specific tag indicates the list of LDAP servers that the Kerberos serv
 This LDAP specific tag indicates the number of connections to be maintained per LDAP server. This value is used if the number of connections per LDAP server are not mentioned in the configuration section under [dbmodules]. The default value is 5.
 @end table
 
-@node dbmodules, pkinit client options, dbdefaults, krb5.conf
+@node dbmodules, plugins, dbdefaults, krb5.conf
 @subsection [dbmodules]
 
 Contains database specific parameters used by the database library. Each tag in the [dbmodules] section of the file names a configuration section for database specific parameters that can be referred to by a realm. The value of the tag is a subsection where the relations in that subsection define the database specific parameters.
@@ -1090,7 +1090,65 @@ This LDAP specific tags indicates the number of connections to be maintained per
 
 @end table
 
-@node pkinit client options, Sample krb5.conf File, dbmodules, krb5.conf
+@node plugins, pkinit client options, dbmodules, krb5.conf
+
+@menu
+* pwqual interface::             
+@end menu
+
+Tags in the [plugins] section can be used to register dynamic plugin
+modules and to turn modules on and off.  Not every krb5 pluggable
+interface uses the [plugins] section; the ones that do are documented
+here.
+
+Each pluggable interface corresponds to a subsection of [plugins].
+All subsections support the same tags:
+
+@table @b
+@itemx module
+This tag may have multiple values.  Each value is a string of the form
+"modulename:pathname", which causes the shared object located at
+pathname to be registered as a dynamic module named modulename for the
+pluggable interface.  If pathname is not an absolute path, it will be
+treated as relative to the "krb5/plugins" subdirectory of the krb5
+library directory.
+
+@itemx enable_only
+This tag may have multiple values.  If there are values for this tag,
+then only the named modules will be enabled for the pluggable
+interface.
+
+@itemx disable
+This tag may have multiple values.  If there are values for this tag,
+then the named modules will be disabled for the pluggable interface.
+@end table
+
+The following subsections are currently supported within the [plugins]
+section:
+
+@node pwqual interface, , plugins, plugins
+
+The pwqual subsection controls modules for the password quality
+interface, which is used to reject weak passwords when passwords are
+changed.  In addition to any registered dynamic modules, the following
+built-in modules exist (and may be disabled with the disable tag):
+
+@table @b
+@itemx dict
+Checks against the realm dictionary file
+
+@itemx empty
+Rejects empty passwords
+
+@itemx hesiod
+Checks against user information stored in Hesiod (only if Kerberos was
+built with Hesiod support)
+
+@itemx princ
+Checks against components of the principal name
+@end table
+
+@node pkinit client options, Sample krb5.conf File, plugins, krb5.conf
 @subsection pkinit options
 
 @menu

doc/krb5conf.texinfo

@@ -40,6 +40,21 @@ foo = baz
 
 then the second value of foo (baz) would never be read.
 
+The @code{krb5.conf} file can include other files using either of the
+following directives at the beginning of a line:
+
+@smallexample
+include @var{FILENAME}
+includedir @var{DIRNAME}
+@end smallexample
+
+@var{FILENAME} or @var{DIRNAME} should be an absolute path.  The named
+file or directory must exist and be readable.  Including a directory
+includes all files within the directory whose names consist solely of
+alphanumeric characters, dashes, or underscores.  Included profile files
+are syntactically independent of their parents, so each included file
+must begin with a section header.
+
 The @code{krb5.conf} file may contain any or all of the following 
 sections:
 
@@ -74,6 +89,10 @@ client to determine the intermediate realms which may be used in
 cross-realm authentication.  It is also used by the end-service when
 checking the transited field for trusted intermediate realms.
 
+@itemx plugins
+Contains tags to register dynamic plugin modules and to turn modules on
+and off.
+
 @ignore
 this doesn't seem to be used
 @itemx kdc

src/Makefile.in

@@ -9,6 +9,7 @@ mydir=.
 #	plugins/authdata/greet
 SUBDIRS=util include lib \
 	@ldap_plugin_dir@ \
+	plugins/kadm5_hook/test \
 	plugins/kdb/db2 \
 	plugins/preauth/pkinit \
 	plugins/preauth/encrypted_challenge \
@@ -445,6 +446,7 @@ ETOUT =	\
 	$(INC)asn1_err.h $(ET)asn1_err.c \
 	$(INC)kdb5_err.h $(ET)kdb5_err.c \
 	$(INC)krb5_err.h $(ET)krb5_err.c \
+	$(INC)k5e1_err.h $(ET)k5e1_err.c \
 	$(INC)kv5m_err.h $(ET)kv5m_err.c \
 	$(INC)krb524_err.h $(ET)krb524_err.c \
 	$(PR)prof_err.h $(PR)prof_err.c \
@@ -501,6 +503,8 @@ $(INC)kdb5_err.h: $(AH) $(ET)kdb5_err.et
 	$(AWK) -f $(AH) outfile=$@ $(ET)kdb5_err.et
 $(INC)krb5_err.h: $(AH) $(ET)krb5_err.et
 	$(AWK) -f $(AH) outfile=$@ $(ET)krb5_err.et
+$(INC)k5e1_err.h: $(AH) $(ET)k5e1_err.et
+	$(AWK) -f $(AH) outfile=$@ $(ET)k5e1_err.et
 $(INC)kv5m_err.h: $(AH) $(ET)kv5m_err.et
 	$(AWK) -f $(AH) outfile=$@ $(ET)kv5m_err.et
 $(INC)krb524_err.h: $(AH) $(ET)krb524_err.et
@@ -524,6 +528,8 @@ $(ET)kdb5_err.c: $(AC) $(ET)kdb5_err.et
 	$(AWK) -f $(AC) outfile=$@ $(ET)kdb5_err.et
 $(ET)krb5_err.c: $(AC) $(ET)krb5_err.et
 	$(AWK) -f $(AC) outfile=$@ $(ET)krb5_err.et
+$(ET)k5e1_err.c: $(AC) $(ET)k5e1_err.et
+	$(AWK) -f $(AC) outfile=$@ $(ET)k5e1_err.et
 $(ET)kv5m_err.c: $(AC) $(ET)kv5m_err.et
 	$(AWK) -f $(AC) outfile=$@ $(ET)kv5m_err.et
 $(ET)krb524_err.c: $(AC) $(ET)krb524_err.et
@@ -541,8 +547,8 @@ $(CE)test1.c: $(AC) $(CE)test1.et
 $(CE)test2.c: $(AC) $(CE)test2.et
 	$(AWK) -f $(AC) outfile=$@ $(CE)test2.et
 
-KRBHDEP = $(INC)krb5\krb5.hin $(INC)krb5_err.h $(INC)kdb5_err.h \
-	$(INC)kv5m_err.h $(INC)krb524_err.h $(INC)asn1_err.h
+KRBHDEP = $(INC)krb5\krb5.hin $(INC)krb5_err.h $(INC)k5e1_err.h \
+	$(INC)kdb5_err.h $(INC)kv5m_err.h $(INC)krb524_err.h $(INC)asn1_err.h
 
 $(INC)krb5\krb5.h: $(KRBHDEP)
 	rm -f $@

src/clients/kinit/Makefile.in

@@ -5,7 +5,7 @@ DEFS=
 PROG_LIBPATH=-L$(TOPLIBD)
 PROG_RPATH=$(KRB5_LIBDIR)
 
-SRCS=kinit.c
+SRCS=kinit.c kinit_kdb.c
 
 ##WIN32##LOCALINCLUDES=-I$(BUILDTOP)\util\windows
 ##WIN32##DEFINES=-DGETOPT_LONG
@@ -23,8 +23,8 @@ SRCS=kinit.c
 all-unix:: kinit
 ##WIN32##all-windows:: $(KINIT)
 
-kinit: kinit.o $(KRB5_BASE_DEPLIBS)
-	$(CC_LINK) -o $@ kinit.o $(KRB5_BASE_LIBS)
+kinit: kinit.o kinit_kdb.o $(KRB5_BASE_DEPLIBS) $(KADMSRV_DEPLIBS)
+	$(CC_LINK) -o $@ kinit.o kinit_kdb.o $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
 
 ##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES)
 ##WIN32##	link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib

src/clients/kinit/deps

@@ -4,4 +4,24 @@
 $(OUTPRE)kinit.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
   $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \
-  kinit.c
+  extern.h kinit.c
+$(OUTPRE)kinit_kdb.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+  $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \
+  $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \
+  $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \
+  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
+  $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \
+  $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \
+  $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \
+  $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \
+  $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \
+  $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \
+  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+  $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_kt.h \
+  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+  $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h extern.h kinit_kdb.c

src/clients/kinit/extern.h

@@ -0,0 +1,36 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * clients/kinit/extern.h
+ *
+ * Copyright (C) 2010 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Global declarations for kinit.
+ */
+
+#ifndef KINIT_EXTERN_H
+#define KINIT_EXTERN_H
+
+krb5_error_code kinit_kdb_init(krb5_context *pcontext, char *realm);
+
+#endif /* KINIT_EXTERN_H */

src/clients/kinit/kinit.M

@@ -131,13 +131,19 @@ ticket cannot be renewed, even if the ticket is still within its
 renewable life.
 .TP
 \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]
-requests a host ticket, obtained from a key in the local host's
+requests a ticket, obtained from a key in the local host's
 .I keytab
 file.  The name and location of the keytab file may be specified with
 the
 .B \-t
 .I keytab_file
-option; otherwise the default name and location will be used.
+option; otherwise the default name and location will be used.  By
+default a host ticket is requested but any principal may be
+specified. On a KDC, the special keytab location
+.B KDB:
+can be used to indicate that kinit should open the KDC database and
+look up the key directly.  This permits an administrator to obtain
+tickets as any principal that supports password-based authentication.
 .TP
 \fB-n\fP
 Requests anonymous processing.  Two types of anonymous principals are

src/clients/kinit/kinit.c

@@ -31,6 +31,7 @@
 #include "autoconf.h"
 #include "k5-platform.h"        /* for asprintf */
 #include <krb5.h>
+#include "extern.h"
 #include <string.h>
 #include <stdio.h>
 #include <time.h>
@@ -649,6 +650,17 @@ k5_kinit(opts, k5)
 
     if ((opts->action == INIT_KT) && opts->keytab_name)
     {
+        if (strncmp(opts->keytab_name, "KDB:", 3) == 0) {
+            code = kinit_kdb_init(&k5->ctx,
+                                  krb5_princ_realm(k5->ctx, k5->me)->data);
+            if (code != 0) {
+                com_err(progname, code,
+                        "while setting up KDB keytab for realm %s",
+                        krb5_princ_realm(k5->ctx, k5->me)->data);
+                goto cleanup;
+            }
+        }
+
         code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
         if (code != 0) {
             com_err(progname, code, "resolving keytab %s",