From 70d3717e8bd8e71641a04471cd49cd75fbe465a1 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Apr 08 2008 22:02:42 +0000
Subject: Add --permitted-enctypes command and add it to the man page too
---
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 8e02a43..28859a7 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -450,12 +450,14 @@ int main(int argc, char *argv[])
 static const char *keytab = NULL;
 static const char *enctypes_string = NULL;
 int quiet = 0;
+ int permitted_enctypes = 0;
 struct poptOption options[] = {
 { "server", 's', POPT_ARG_STRING, &server, 0, "Contact this specific KDC Server", "Server Name" },
 { "principal", 'p', POPT_ARG_STRING, &principal, 0, "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", "Kerberos Service Principal Name" },
 { "keytab", 'k', POPT_ARG_STRING, &keytab, 0, "File were to store the keytab information", "Keytab File Name" },
 { "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0, "Encryption types to request", "Comma separated encription types list" },
 { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Print as little as possible", "Output only on errors"},
+ { "permitted-enctypes", 0, POPT_ARG_NONE, &permitted_enctypes, 0, "Show the list of permitted encryption types and exit", "Permitted Encryption Types"},
 { NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL }
 };
 poptContext pc;
@@ -473,23 +475,44 @@ int main(int argc, char *argv[])
 int kvno;
 int i, ret;
+ krberr = krb5_init_context(&krbctx);
+ if (krberr) {
+ fprintf(stderr, "Kerberos context initialization failed\n");
+ exit(1);
+ }
+
 pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
 ret = poptGetNextOpt(pc);
- if (ret != -1 || !server || !principal || !keytab) {
+ if (ret == -1 && permitted_enctypes &&
+ !(server || principal || keytab || quiet)) {
+ char enc[79]; /* fit std terminal or truncate */
+
+ krberr = krb5_get_permitted_enctypes(krbctx, &ktypes);
+ if (krberr) {
+ fprintf(stderr, "No system preferred enctypes ?!\n");
+ exit(1);
+ }
+ fprintf(stdout, "Supported encryption types:\n");
+ for (i = 0; ktypes[i]; i++) {
+ krberr = krb5_enctype_to_string(ktypes[i], enc, 79);
+ if (krberr) {
+ fprintf(stderr, "Warning: failed to convert type (#%d)\n", i);
+ continue;
+ }
+ fprintf(stdout, "%s\n", enc);
+ }
+ exit (0);
+ }
+
+ if (ret != -1 || !server || !principal || !keytab || permitted_enctypes) {
 if (!quiet) {
 poptPrintUsage(pc, stderr, 0);
 }
- exit(1);
+ exit(2);
 }
 ret = asprintf(&ktname, "WRFILE:%s", keytab);
 if (ret == -1) {
- exit(2);
- }
-
- krberr = krb5_init_context(&krbctx);
- if (krberr) {
- fprintf(stderr, "Kerberos context initialization failed\n");
 exit(3);
 }
diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1
index 2971091..90fba04 100644
--- a/ipa-client/man/ipa-getkeytab.1
+++ b/ipa-client/man/ipa-getkeytab.1
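Review bot: The buffer length is hard-coded twice in the new --permitted-enctypes branch, `char enc[79]` and `krb5_enctype_to_string(ktypes[i], enc, 79)`, so the two must be kept in sync by hand; the call should pass `sizeof enc` instead. The warning on a conversion failure prints the loop index `i`, which does not identify the encryption type that failed; printing the value itself, `fprintf(stderr, "Warning: failed to convert enctype %d\n", (int)ktypes[i]);`, would be more useful (assuming krb5_enctype is an integer type, as it is in MIT Kerberos). Passing -q together with --permitted-enctypes skips the listing branch, because quiet is in the exclusion set, and then falls into the usage branch, which prints nothing under -q, so the user gets exit status 2 and no output; if that is intended a short comment on the condition would help, otherwise quiet should be dropped from the exclusion. The exit statuses are also renumbered here (usage error 1 to 2, asprintf failure 2 to 3, context initialization 3 to 1) and the man-page hunk in this commit does not document them. main() continues past the end of the hunk.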
@@ -62,10 +62,31 @@ created if not existing).
 \fB\-e encryption-types\fR
 The list of encryption types to use to generate keys. ipa-getkeytab will use local client defaults if not provided.
+Valid values depend on the kerberos library version and configuration.
+Common values are:
+aes256-cts
+aes128-cts
+des3-hmac-sha1
+arcfour-hmac
+des-hmac-sha1
+des-cbc-md5
+des-cbc-crc
 \fB\-q\fR
 Keep quiet.
+\fB\--permitted-enctypes\fR
+This options returns a description of the permitted encryption types, like this:
+Supported encryption types:
+AES-256 CTS mode with 96-bit SHA-1 HMAC
+AES-128 CTS mode with 96-bit SHA-1 HMAC
+Triple DES cbc mode with HMAC/sha1
+ArcFour with HMAC/md5
+DES cbc mode with CRC-32
+DES cbc mode with RSA-MD5
+DES cbc mode with RSA-MD4
+
+
 .SH "EXAMPLES"
 Add and retrieve a keytab for the ldap service principal on