casa-mp-base
Public
Source
--- server/keytab-backend 2016-01-17 19:13:02.000000000 -0800+++ /dev/null 2016-01-23 13:57:05.000000000 -0800-#!/usr/bin/perl-#-# Extract keytabs from the KDC without changing the key.-#-# This is a remctl backend that extracts existing keys from a KDC database-# using kadmin.local. It requires a patched version of kadmin.local that-# supports the -norandkey option. It expects a configuration file in-# /etc/krb5kdc/allow-extract that contains a list of regexes, one per line,-# matching principals that may be extracted in this fashion. (Generally you-# do not want to list user principals here.) It also expects to be able to-# write to a directory named /var/lib/keytabs; that's where it puts the-# keytabs temporarily before sending them back to via remctl.-#-# remctl should handle authorization restrictions on this script. It doesn't-# do any additional authorization checks itself.-#-# The keytab for the extracted principal will be printed to standard output.--use 5.008;-use strict;-use warnings;--use Sys::Syslog qw(openlog syslog);--# Path to configuration file listing principals that may be extracted.-our $CONFIG = '/etc/krb5kdc/allow-extract';--# The full path to a kadmin.local that supports -norandkey.-our $KADMIN = '/usr/sbin/kadmin.local';--# A temporary area into which keytabs should be written.-our $TMP = '/var/lib/keytabs';--# Set to zero to suppress syslog logging, which is used only for testing. Set-# to a reference to a string to append messages to that string instead.-our $SYSLOG;-$SYSLOG = 1 unless defined $SYSLOG;--##############################################################################-# Logging-##############################################################################--# Initialize logging.-sub log_init {- if (ref $SYSLOG) {- $$SYSLOG = '';- } elsif ($SYSLOG) {- openlog ('keytab-backend', 'pid', 'auth');- }-}--# Log a failure message to both syslog and to stderr and exit with a non-zero-# status.-sub error {- my $message = join ('', @_);- if (ref $SYSLOG) {- $$SYSLOG .= $message . "\n";- } elsif ($SYSLOG) {- syslog ('err', '%s', $message);- }