Mike Friedman wrote:
>
>
> But this still doesn't deal with the return code issue.
>
I determined by observation that often the 2nd line of STDOUT (when run
via -q, not when run interactively) indicates whether or not the command
was successful. I wrote these routines around that, and we use them for
a few different things (expunging accounts in bulk, randomizing
passwords in bulk, a temp/guest account scheme that randomizes a pool of
principals every night at 3am, etc.).

I'm not 100% sure I want the world to see the full module though ... I'm
a little embarrassed about some of the hacks I've made, and concerned
about one or two security issues. But, perhaps peer review would be
good there. We restrict access to the module this is in, to keep the
wrong people from doing bad things. We also restrict the machines where
the routines are allowed to live (a brief analysis of "k5adm_verifypass"
will make it clear why we do that: if verifypass is invoked on a machine
that has normal users logged in, they might catch the text of the
password in ps). (and, in practice, the $kadmcom variable in the
*_command and *_verifypass routines is actually set to a wrapper program
that does some uid checking and setting just for an extra layer of
paranoia)

For k5adm_command, the return value is that one important line of output
from kadmin. For the other routines, they check that string to see if
it contains the right wording that indicates kadmin was successful, and
then return 1 for success and 0 for failure.

My main problem is that for some strange character usage (things that
should be _encouraged_, like control characters in passwords) in
passwords, these routines simply won't work because of the text
processing things that perl does. With enough time I'm sure I could
actually fix that, but I haven't.

If someone does create a perl module that accesses the kadmin API, I'd
_love_ to switch to that. But, until that real API gets written, these
might be good enough. Though, I would heavily encourage you to consider
all of the different security issues in where you run these
routines, or even where you allow them to be stored. If you use them in
a CGI script, be aware that that means anyone with the ability to create
CGI scripts on your server might be able to use these routines to
subvert things in your realm.

(so, now I'll sit back and wait for everyone to point out all of the
flaws ... :-} )
    use strict;
    use warnings;

    # Run one kadmin query through the shell and return the second line of
    # its standard output, which is the line that reports the result.
    sub k5adm_command {
        my $command = shift @_;
        my $response;
        # Single quotes: in double quotes "@MYREALM" would interpolate an
        # (empty) array and silently drop the realm from the principal.
        my $princ   = 'someone/admin@MYREALM';
        my $kadmcom = '/usr/local/sbin/kadmin';
        my $keytab  = '/etc/krb5.keytab';
        my $comstr;
        # stderr is discarded; head/tail keep only the 2nd stdout line.
        # The trailing "|" makes the 2-arg open read from the pipeline.
        $comstr = sprintf "%s -p %s -q '%s' -k -t %s 2> /dev/null | head -2 | tail -1|",
            $kadmcom, $princ, $command, $keytab;
        open (K5ADM_COMMAND, $comstr);
        $response = <K5ADM_COMMAND>;
        chop $response;                 # drop the trailing newline
        close (K5ADM_COMMAND);
        return $response;
    }

    # Check a user's password by authenticating to kadmin with it (-w) and
    # looking for the "current privileges" line that getprivs prints.
    # Note: the password is on the kadmin command line and visible in ps.
    sub k5adm_verifypass {
        my $username = shift @_;
        my $password = shift @_;
        my $response;
        my $kadmcom = '/usr/local/sbin/kadmin';
        my $comstr;
        $comstr = sprintf "%s -p %s -q 'getprivs' -w '%s' 2> /dev/null | head -2 | tail -1|",
            $kadmcom, $username, $password;
        open (K5ADM_COMMAND, $comstr);
        $response = <K5ADM_COMMAND>;
        chop $response;
        close (K5ADM_COMMAND);
        if ($response =~ /^current/) {
            # k5adm_log("verifypass", $username, 1, $response);
            return 1;
        }
        else {
            # k5adm_log("verifypass", $username, 0, $response);
            return 0;
        }
    }

    # Does the principal exist? getprinc echoes "Principal: <name>" on success.
    sub k5adm_exists {
        my $princ = shift @_;
        my $response;
        $response = k5adm_command ("getprinc $princ");
        # \Q...\E so a "." in the realm is matched literally, not as a wildcard.
        if ($response =~ /^Principal: \Q$princ\E/) {
            # k5adm_log("exists", $princ, 1, $response);
            return 1;
        }
        else {
            # k5adm_log("exists", $princ, 0, $response);
            return 0;
        }
    }

    # Set a principal's password, creating the principal first if needed.
    sub k5adm_setpass {
        my $princ = shift @_;
        my $pass = shift @_;
        my $response;
        unless (k5adm_exists($princ)) {
            k5adm_create($princ);
        }
        $response = k5adm_command ("cpw -pw \"$pass\" $princ");
        # k5adm_command already removed the newline; this chop strips the
        # trailing "." so that /changed$/ matches.
        chop $response;
        if ($response =~ /changed$/) {
            # k5adm_log("setpass", $princ, 1, $response);
            return 1;
        }
        else {
            # k5adm_log("setpass", $princ, 0, $response);
            return 0;
        }
    }

    # Create a principal with a random key.
    sub k5adm_create {
        my $princ = shift @_;
        my $response;
        $response = k5adm_command ("ank -randkey $princ");
        chop $response;                 # strip trailing "." (see k5adm_setpass)
        if ($response =~ /created$/) {
            # k5adm_log("create", $princ, 1, $response);
            return 1;
        }
        else {
            # k5adm_log("create", $princ, 0, $response);
            return 0;
        }
    }

    # Delete a principal without the interactive confirmation prompt.
    sub k5adm_delete {
        my $princ = shift @_;
        my $response;
        $response = k5adm_command ("delprinc -force $princ");
        if ($response =~ /deleted\.$/) {
            # k5adm_log("delete", $princ, 1, $response);
            return 1;
        }
        else {
            # k5adm_log("delete", $princ, 0, $response);
            return 0;
        }
    }
--
John "kzin" Rudd http://people.ucsc.edu/~jrudd
Truth decays into beauty, while beauty soon becomes merely charm. Charm
ends up as strangeness, and even that doesn't last. (Physics of Quarks)
-----===== Kein Mitleid Fu:r MicroSoft (www.kmfms.com) ======-----
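A hardened form of k5adm_command, added here as an example and not part of the original post or the poster's module: it runs kadmin with Perl's list-form pipe open so no shell sits between the script and kadmin (quotes and spaces in $command never reach sh), and it reads kadmin's exit status from close(). Since the thread's complaint is that the return code alone is not a reliable success indicator, a non-zero status is treated as failure but a zero status still falls through to the second-line check the original routines rely on. The names k5adm_command_noshell and k5adm_judge, and the sample output lines, are hypothetical/constructed; the password-on-argv exposure in ps is unchanged by this.

```perl
use strict;
use warnings;

# Same job as k5adm_command (one query, one result line), without a shell.
sub k5adm_command_noshell {
    my ($command) = @_;
    my $princ   = 'someone/admin@MYREALM';    # values from the original post
    my $kadmcom = '/usr/local/sbin/kadmin';
    my $keytab  = '/etc/krb5.keytab';

    # List-form open: each element is one argv entry, so nothing in
    # $command is interpreted by /bin/sh. kadmin's own -q tokenizer still
    # applies, and the argv is still visible in ps. stderr is not discarded.
    open(my $fh, '-|', $kadmcom, '-p', $princ, '-k', '-t', $keytab, '-q', $command)
        or return (0, "cannot run $kadmcom: $!");
    my @out = <$fh>;
    close($fh);                  # on a pipe, close() sets $? to the wait status
    my $exit = $? >> 8;
    chomp @out;
    return k5adm_judge($exit, @out);
}

# Pure decision function, usable without a KDC: non-zero exit is a failure;
# otherwise the 2nd stdout line must carry one of the success phrases the
# original routines look for. Returns (ok, message).
sub k5adm_judge {
    my ($exit, @out) = @_;
    return (0, "kadmin exited $exit") if $exit != 0;
    return (0, 'no result line')      if @out < 2;
    my $line = $out[1];
    return (1, $line) if $line =~ /\b(?:changed|created|deleted)\.?$/
                      || $line =~ /^(?:Principal: |current)/;
    return (0, $line);
}

# Constructed sample lines (not captured from a real kadmin run).
my ($ok, $msg) = k5adm_judge(0,
    'Authenticating as principal someone/admin@MYREALM with keytab /etc/krb5.keytab.',
    'Principal "guest042@MYREALM" created.');
print((($ok ? 'ok' : 'failed') . ": $msg\n"));
```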