From: Russ Allbery Date: Wed, 29 Mar 2006 04:29:43 +0000 (+0000) Subject: * Subsume openafs-krb5 into this source package. X-Git-Tag: debian/1.4.1-1~11 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=eaddfa199c4ff250130e7ed733c39aa0ccadb037;p=packages%2Fo%2Fopenafs.git * Subsume openafs-krb5 into this source package. - Acknowledge NMU. (Closes: #304933) - Update to the OpenAFS aklog and asetkey. (Closes: #196094) - Backport asetkey from upstream CVS. - Include ka-forwarder from the old migration toolkit. --- diff --git a/debian/changelog b/debian/changelog index a746e0751..23656815d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,11 +4,16 @@ openafs (1.4.0+rc10-1) UNRELEASED; urgency=low - Supports Linux 2.6.16. (Closes: #358203) - Suspend should work with newer kernels. (Closes: #341588) - Upstream now includes man pages, so remove our backport. + * Subsume openafs-krb5 into this source package. + - Acknowledge NMU. (Closes: #304933) + - Update to the OpenAFS aklog and asetkey. (Closes: #196094) + - Backport asetkey from upstream CVS. + - Include ka-forwarder from the old migration toolkit. * Subsume openafs-doc into this source package. * Always pass the system type into Autoconf, following autotools-dev best practices. - -- Russ Allbery Tue, 28 Mar 2006 15:16:01 -0800 + -- Russ Allbery Tue, 28 Mar 2006 17:03:45 -0800 openafs (1.4.0-4) unstable; urgency=low diff --git a/debian/control b/debian/control index 0b4734b51..4f1f8e29f 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: net Priority: optional Maintainer: Sam Hartman Uploaders: Russ Allbery -Build-Depends: debhelper (>= 4.1.16), libncurses5-dev, libpam0g-dev, bison, docbook-to-man, flex, perl, comerr-dev +Build-Depends: debhelper (>= 4.1.16), libncurses5-dev, libpam0g-dev, bison, docbook-to-man, flex, perl, comerr-dev, libkrb5-dev Standards-Version: 3.6.2 Package: openafs-client 
@@ -75,6 +75,19 @@ Description: AFS distributed filesystem documentation This package contains the OpenAFS user's and reference manuals, some protocol documentation, and other OpenAFS documentation. +Package: openafs-krb5 +Architecture: i386 powerpc sparc alpha s390 ia64 hppa amd64 ppc64 +Depends: ${shlibs:Depends} +Description: AFS distributed filesystem Kerberos 5 integration + AFS is a distributed filesystem allowing cross-platform sharing of files + among multiple computers. Facilities are provided for access control, + authentication, backup and administrative management. + . + This package provides aklog, a utility for authenticating to AFS using + Kerberos 5. It also provides asetkey, a utility to set AFS server keys + from a Kerberos keytab, and ka-forwarder, a utility to forward kaserver + requests to a KDC using fakeka. + Package: libopenafs-dev Section: libdevel Architecture: i386 powerpc sparc alpha s390 ia64 hppa amd64 ppc64 diff --git a/debian/copyright b/debian/copyright index bf4f6aab8..77e1ef97a 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -358,3 +358,31 @@ Some portions of Rx are subject to the following license: * 2550 Garcia Avenue * Mountain View, California 94043 */ + +ka-forwarder was taken from the AFS/Kerberos 5 Migration Kit, to which it +was donated by Jeffrey T. Hutzelman. It is covered under the following +license: +/* + * Copyright (c) 1993 Carnegie Mellon University + * All Rights Reserved. + * + * Permission to use, copy, modify and distribute this software and its + * documentation is hereby granted, provided that both the copyright + * notice and this permission notice appear in all copies of the + * software, derivative works or modified versions, and any portions + * thereof, and that both notices appear in supporting documentation. + * + * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" + * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR + * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. + * + * Carnegie Mellon requests users of this software to return to + * + * Software Distribution Coordinator or Software_Distribution@CS.CMU.EDU + * School of Computer Science + * Carnegie Mellon University + * Pittsburgh PA 15213-3890 + * + * any improvements or extensions that they make and grant Carnegie Mellon + * the rights to redistribute these changes. + */ diff --git a/debian/openafs-krb5.install b/debian/openafs-krb5.install new file mode 100644 index 000000000..3b40c8282 --- /dev/null +++ b/debian/openafs-krb5.install @@ -0,0 +1,6 @@ +debian/tmp/usr/bin/aklog usr/bin + +debian/tmp/usr/bin/asetkey usr/sbin +debian/tmp/usr/bin/ka-forwarder usr/sbin + +src/aklog/aklog.1 usr/share/man/man1 diff --git a/debian/rules b/debian/rules index 2691de3a1..e1dc7928a 100755 --- a/debian/rules +++ b/debian/rules 
@@ -92,6 +92,7 @@ configure-stamp: --sysconfdir=/etc --libexecdir=/usr/lib \ --localstatedir=/var/lib --enable-supergroups \ --enable-largefile-fileserver --enable-debug --enable-lwp-debug \ + --with-krb5-conf=/usr/bin/krb5-config \ $(DEBIAN_OPT_FLAGS) $(SYSTEM) chmod a+x src/libafs/make_kbuild_makefile.pl touch configure-stamp diff --git a/src/aklog/Makefile.in b/src/aklog/Makefile.in index 23851923c..516076464 100644 --- a/src/aklog/Makefile.in +++ b/src/aklog/Makefile.in @@ -5,8 +5,8 @@ srcdir=@srcdir@ include @TOP_OBJDIR@/src/config/Makefile.config -OPTMZ += @KRB5CFLAGS@ -DALLOW_REGISTER -LIBS += @KRB5LIBS@ +OPTMZ = @KRB5CFLAGS@ -DALLOW_REGISTER +AKLIBS = ${LIBS} @KRB5LIBS@ AFSLIBS = ${TOP_LIBDIR}/libprot.a ${TOP_LIBDIR}/libubik.a \ ${TOP_LIBDIR}/libauth.a ${TOP_LIBDIR}/librxkad.a \ ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a \ 
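Review bot: `OPTMZ = @KRB5CFLAGS@ -DALLOW_REGISTER` now overwrites whatever `OPTMZ` the included `Makefile.config` set, where the previous `+=` appended to it. If configure places optimisation, debug or hardening flags in that variable, they would presumably no longer reach aklog, asetkey and ka-forwarder. If the aim was only to keep the Kerberos libraries out of the ka-forwarder link, the new `AKLIBS` variable already does that, so `OPTMZ += @KRB5CFLAGS@ -DALLOW_REGISTER` can stay. Otherwise, add a comment saying why the inherited flags are dropped. The rules that consume these variables are in the next hunk.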
@@ -16,32 +16,53 @@ AFSLIBS = ${TOP_LIBDIR}/libprot.a ${TOP_LIBDIR}/libubik.a \ SRCS= aklog.c aklog_main.c krb_util.c linked_list.c OBJS= aklog.o aklog_main.o krb_util.o linked_list.o -all: aklog +all: aklog asetkey ka-forwarder aklog: ${OBJS} ${AFSLIBS} - ${CC} -o $@ ${CFLAGS} ${OBJS} ${LIBS} ${AFSLIBS} ${XLIBS} + ${CC} -o $@ ${CFLAGS} ${OBJS} ${AKLIBS} ${AFSLIBS} ${XLIBS} +asetkey: asetkey.o ${AFSLIBS} + ${CC} -o $@ ${CFLAGS} asetkey.o ${AKLIBS} ${AFSLIBS} ${XLIBS} + +ka-forwarder: ka-forwarder.o + ${CC} -o $@ ${CFLAGS} ka-forwarder.o ${LIBS} ${XLIBS} # # Installation targets # install: \ - ${DESTDIR}${bindir}/aklog + ${DESTDIR}${bindir}/aklog \ + ${DESTDIR}${afssrvbindir}/asetkey \ + ${DESTDIR}${afssrvbindir}/ka-forwarder ${DESTDIR}${bindir}/aklog: aklog ${INSTALL} $? $@ +${DESTDIR}${afssrvbindir}/asetkey: asetkey + ${INSTALL} $? $@ + +${DESTDIR}${afssrvbindir}/ka-forwarder: ka-forwarder + ${INSTALL} $? $@ + dest: \ - ${DEST}/bin/aklog + ${DEST}/bin/aklog \ + ${DEST}/root.server/usr/afs/bin/asetkey \ + ${DEST}/root.server/usr/afs/bin/ka-forwarder ${DEST}/bin/aklog: aklog ${INSTALL} $? $@ +${DEST}/root.server/usr/afs/bin/asetkey: asetkey + ${INSTALL} $? $@ + +${DEST}/root.server/usr/afs/bin/ka-forwarder: ka-forwarder + ${INSTALL} $? $@ + # # Misc. targets # clean: - $(RM) -f *.o ${OBJS} aklog + $(RM) -f *.o ${OBJS} aklog asetkey ka-forwarder include ../config/Makefile.version diff --git a/src/aklog/asetkey.c b/src/aklog/asetkey.c new file mode 100644 index 000000000..3bd768ab0 --- /dev/null +++ b/src/aklog/asetkey.c 
@@ -0,0 +1,139 @@
+/*
+ * $Id: asetkey.c,v 1.4 2006/02/17 17:58:21 rees Exp $
+ *
+ * asetkey - Manipulates an AFS KeyFile
+ *
+ * Updated for Kerberos 5
+ */
+
+#include
+#include
+#include
+#include
+#include
+#ifdef HAVE_MEMORY_H
+#include
+#endif /* HAVE_MEMORY_H */
+#ifdef HAVE_STRING_H
+#include
+#else /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+#include
+#endif /* HAVE_STRINGS_H */
+#endif /* HAVE_STRING_H */
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+int
+main(int argc, char *argv[])
+{
+ struct afsconf_dir *tdir;
+ register long code;
+ const char *confdir;
+
+ if (argc == 1) {
+ fprintf(stderr, "%s: usage is '%s options, e.g.\n",
+ argv[0], argv[0]);
+ fprintf(stderr, "\t%s add \n", argv[0]);
+ fprintf(stderr, "\t%s delete \n", argv[0]);
+ fprintf(stderr, "\t%s list\n", argv[0]);
+ exit(1);
+ }
+
+ confdir = AFSDIR_SERVER_ETC_DIRPATH;
+
+ tdir = afsconf_Open(confdir);
+ if (!tdir) {
+ fprintf(stderr, "%s: can't initialize conf dir '%s'\n", argv[0],
+ confdir);
+ exit(1);
+ }
+ if (strcmp(argv[1], "add")==0) {
+ krb5_context context;
+ krb5_principal principal;
+ krb5_keyblock *key;
+ krb5_error_code retval;
+ int kvno;
+
+ if (argc != 5) {
+ fprintf(stderr, "%s add: usage is '%s add "
+ "\n", argv[0], argv[0]);
+ exit(1);
+ }
+
+ krb5_init_context(&context);
+
+ kvno = atoi(argv[2]);
+ retval = krb5_parse_name(context, argv[4], &principal);
+ if (retval != 0) {
+ com_err(argv[0], retval, "while parsing AFS principal");
+ exit(1);
+ }
+ retval = krb5_kt_read_service_key(context, argv[3], principal, kvno,
+ ENCTYPE_DES_CBC_CRC, &key);
+ if (retval != 0) {
+ com_err(argv[0], retval, "while extracting AFS service key");
+ exit(1);
+ }
+
+ if (key->length != 8) {
+ fprintf(stderr, "Key length should be 8, but is really %d!\n",
+ key->length);
+ exit(1);
+ }
+
+ code = afsconf_AddKey(tdir, kvno, (char *) key->contents, 1);
+ if (code) {
+ fprintf(stderr, "%s: failed to set key, code %d.\n", argv[0], code);
+ exit(1);
+ }
+
krb5_free_principal(context, principal); + krb5_free_keyblock(context, key); + } + else if (strcmp(argv[1], "delete")==0) { + long kvno; + if (argc != 3) { + fprintf(stderr, "%s delete: usage is '%s delete \n", + argv[0], argv[0]); + exit(1); + } + kvno = atoi(argv[2]); + code = afsconf_DeleteKey(tdir, kvno); + if (code) { + fprintf(stderr, "%s: failed to delete key %d, (code %d)\n", + argv[0], kvno, code); + exit(1); + } + } + else if (strcmp(argv[1], "list") == 0) { + struct afsconf_keys tkeys; + register int i, j; + + code = afsconf_GetKeys(tdir, &tkeys); + if (code) { + fprintf(stderr, "%s: failed to get keys, code %d\n", argv[0], code); + exit(1); + } + for(i=0;i for use and distribution information. + */ + +/* + * HISTORY + * $Log: ka-forwarder.c,v $ + * Revision 1.1 1997/06/03 18:23:54 kenh + * . + * + * Revision 1.4 1996/08/09 01:00:21 jhutz + * When initializing the array of fakeka servers, remember to set + * the address family of each server; otherwise SunOS complains. + * [1996/08/09 00:58:46 jhutz] + * + * Revision 1.3 1996/08/09 00:17:19 jhutz + * Merged in changes from Chuck Silvers: + * - Support for more than one fakeka server + * - Support for specifying ports for each fakeka server separately from the + * others, and from the port we listen on. + * + * Plus a minor bug fix to Chuck's code. + * Basically, this version is designed to provide both reliability and + * load-balancing cheaply. Basically, we forward packets to all of the + * fakeka servers in round-robin fashion. So, if a client is losing on + * one server, its retry should go to a different one, if more than one + * is specified. + * [1996/08/03 02:13:36 jhutz] + * + * Revision 1.2 1995/02/23 18:26:36 chs + * Created. + * [1995/02/23 18:26:03 chs] + * + * $EndLog$ + */ + +/* + * This program is intended to run on afs DB servers. + * Its function is to forward KA requests to a fakeka server + * running on an MIT kerberos server. 
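Review bot: In asetkey.c the key version number is read with `atoi(argv[2])` in both the `add` and `delete` branches, so a mistyped or non-numeric argument silently becomes 0 and goes straight to `afsconf_AddKey` or `afsconf_DeleteKey`. Parse it with `strtol(argv[2], &end, 10)` instead, and print the usage message and exit when `end == argv[2] || *end != '\0'`. The return value of `krb5_init_context(&context)` is also ignored, so a failed initialisation would hand an unset `context` to `krb5_parse_name`; check it and report through `com_err` like the two calls after it. `code` and the `delete` branch's `kvno` are `long` but are printed with `%d`; `%ld` matches the type. The end of `main` after the start of the `list` loop is not visible on this page, so this note covers only the `add` and `delete` branches.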
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#if HAVE_GETOPT_H
+#include
+#else
+int getopt (int, char * const *, const char *);
+int optind, opterr;
+char *optarg;
+#endif
+
+#define BUFFER_SIZE 2048
+
+
+char *prog;
+
+int num_servers, cur_server;
+struct sockaddr_in *servers;
+
+
+void
+perrorexit(str)
+char *str;
+{
+ perror(str);
+ exit(1);
+}
+
+
+void
+setup_servers(argc, argv)
+int argc;
+char **argv;
+{
+ int i;
+ u_int fwdaddr;
+ u_short fwdport;
+
+ num_servers = argc;
+
+ servers = malloc(sizeof(*servers) * num_servers);
+ if (servers == NULL)
+ perrorexit("malloc failed");
+
+ for (i = 0; i < num_servers; i++) {
+ char *host, *port;
+
+ fwdport = htons(7004);
+
+ host = argv[i];
+ port = strchr(host, '/');
+ if (port != NULL) {
+ *port++ = 0;
+
+ if (isdigit(port[0])) {
+ fwdport = htons(atoi(port));
+ }
+ else {
+ struct servent *srv = getservbyname(port, "udp");
+ if (!srv) {
+ fprintf(stderr, "%s: unknown service %s\n", prog, port);
+ exit(1);
+ }
+ fwdport = srv->s_port;
+ }
+ }
+
+ if (isdigit(host[0])) {
+ fwdaddr = inet_addr(host);
+ }
+ else {
+ struct hostent *h = gethostbyname(host);
+ if (!h) {
+ fprintf(stderr, "%s: unknown host %s\n", prog, host);
+ exit(1);
+ }
+ bcopy(h->h_addr, &fwdaddr, 4);
+ }
+
+ servers[i].sin_family = AF_INET;
+ servers[i].sin_addr.s_addr = fwdaddr;
+ servers[i].sin_port = fwdport;
+ }
+}
+
+
+int
+setup_socket(port)
+u_short port;
+{
+ int s, rv;
+ struct sockaddr_in sin;
+
+ s = socket(AF_INET, SOCK_DGRAM, 0);
+ if (s < 0)
+ perrorexit("Couldn't create socket");
+
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = 0;
+ sin.sin_port = htons(port);
+
+ rv = bind(s, (struct sockaddr *)&sin, sizeof(sin));
+ if (rv < 0)
+ perrorexit("Couldn't bind socket");
+
+ return s;
+}
+
+
+int
+packet_is_reply(from)
+struct sockaddr_in *from;
+{
+ int i;
+
+ for (i = 0; i < num_servers; i++) {
+ struct sockaddr_in *sin = &servers[i];
+
+ if
(from->sin_addr.s_addr == sin->sin_addr.s_addr &&
+ from->sin_port == sin->sin_port)
+ {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+
+int
+main(argc, argv)
+int argc;
+char **argv;
+{
+ int c, s, rv;
+ u_short port;
+
+ if (argc < 2) {
+ fprintf(stderr,
+ "usage: %s [-p port] [/port] [host/port ...]\n",
+ argv[0]);
+ exit(1);
+ }
+
+ prog = argv[0];
+ port = 7004;
+
+ while ((c = getopt(argc, argv, "p:")) != -1) {
+ switch (c) {
+ case 'p':
+ port = atoi(optarg);
+ break;
+ default:
+ fprintf(stderr, "%s: invalid option '%c'\n", prog, c);
+ exit(1);
+ }
+ }
+
+ /*
+ * hmm, different implementations of getopt seem to do different things
+ * when there aren't any options. linux sets optind = 1, which I would
+ * call correct, but sunos sets optind = 0. try to do the right thing.
+ */
+ if (optind == 0)
+ optind = 1;
+
+ setup_servers(argc - optind, argv + optind);
+ s = setup_socket(port);
+
+ openlog("ka-forwarder", LOG_PID, LOG_DAEMON);
+
+ for (;;) {
+ char buf[BUFFER_SIZE], *bufp, *sendptr;
+ struct sockaddr_in from, reply, *to;
+ int fromlen, sendlen;
+
+ bufp = buf + 8;
+ fromlen = sizeof(from);
+
+ rv = recvfrom(s, bufp, sizeof(buf) - 8,
+ 0, (struct sockaddr *)&from, &fromlen);
+ if (rv < 0) {
+ syslog(LOG_ERR, "recvfrom: %m");
+ sleep(1);
+ continue;
+ }
+
+ if (packet_is_reply(&from)) {
+ /* this is a reply, forward back to user */
+
+ to = &reply;
+ reply.sin_family = AF_INET;
+ bcopy(bufp, &reply.sin_addr.s_addr, 4);
+ bcopy(bufp + 4, &reply.sin_port, 2);
+ sendptr = bufp + 8;
+ sendlen = rv - 8;
+ }
+ else {
+ /* this is a request, forward to server */
+
+ cur_server = (cur_server + 1) % num_servers;
+ to = &servers[cur_server];
+
+ bcopy(&from.sin_addr.s_addr, bufp - 8, 4);
+ bcopy(&from.sin_port, bufp - 4, 2);
+
+ sendptr = bufp - 8;
+ sendlen = rv + 8;
+ }
+
+ {
+ char a1[16], a2[16];
+ strcpy(a1, inet_ntoa(from.sin_addr));
+ strcpy(a2, inet_ntoa(to->sin_addr));
+
+ syslog(LOG_INFO, "forwarding %d bytes from %s/%d to %s/%d\n",
+ sendlen, a1,
htons(from.sin_port), a2, htons(to->sin_port));
+ }
+
+ rv = sendto(s, sendptr, sendlen,
+ 0, (struct sockaddr *)to, sizeof(*to));
+ if (rv < 0) {
+ syslog(LOG_ERR, "sendto: %m");
+ }
+ }
+}
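Review bot: In ka-forwarder.c's main loop the reply path assumes every datagram from a configured server carries the 8-byte address/port prefix, but `rv` is never compared with 8. A shorter datagram makes `sendlen = rv - 8` negative, and the destination is then copied from buffer bytes that `recvfrom` did not write. Drop such packets before the `bcopy` calls, for example `if (rv < 8) { syslog(LOG_WARNING, "short reply dropped"); continue; }`. `setup_servers(argc - optind, ...)` can also be reached with zero hosts (only `-p port` on the command line), which requests a zero-byte `malloc` and makes `(cur_server + 1) % num_servers` divide by zero on the first request; repeat the usage check after option parsing as `if (argc - optind < 1)`. `packet_is_reply` classifies a datagram by its UDP source address and port alone, and `reply` is never zeroed before it is filled in, so the listening port is best limited by packet filter to the AFS clients and the fakeka hosts.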