Rip most of Kbind out in prep for adding SASL.

clients/ud/Makefile.in

 # $OpenLDAP$
 
 SRCS=	main.c find.c mod.c print.c auth.c util.c help.c \
-	string_to_key.c group.c edit.c globals.c
+	group.c edit.c globals.c
 XSRCS= version.c
 OBJS=	main.o find.o mod.o print.o auth.o util.o help.o \
-	string_to_key.o group.o globals.o edit.o
+	group.o globals.o edit.o
 HDRS=	ud.h
 PROGRAMS= ud
 

clients/ud/README

-Users
------
-For users, see the man page on ud.
-
-Installers
-----------
-For installers, see the header file.  Anything that is configurable is
-listed in there as a #define, and the file is pretty well commented.
-
-Kerberos users
---------------
-If you're going to use Kerberos, be sure that you have a Kerberos config file
-in /etc/krb.conf of the form:
-
-	<realm>
-	<realm> <server-for-realm> [ admin server ]
-
-This should be the realm in which users are going to authenticate, which
-is not necessarily your realm.
-
-You can certainly have other entries in this file, but you'll need at least
-these two.
-
-Also be sure that you have the necessary entries in /etc/services so that
-your client knows on which port to find a Kerberos authentication server.
-An pair of entries like this:
-
-  kerberos        750/udp         kdc             # Kerberos authentication
-  kerberos        750/tcp         kdc             # Kerberos authentication
-
-is fairly typical.

clients/ud/auth.c

@@ -36,12 +36,6 @@
 #include "ldap_defaults.h"
 #include "ud.h"
 
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-static char tktpath[20];	/* ticket file path */
-static int kinit();
-static int valid_tgt();
-#endif
-
 static void set_bound_dn(char *s);
 
 
@@ -59,12 +53,6 @@ auth( char *who, int implicit )
 	char *user;
 #endif
 	char uidname[20];
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-	char **krbnames;	/* for kerberos names */
-	int kinited, ikrb;
-	char buf[5];
-	extern int krb_debug;
-#endif
 	LDAPMessage *mp;	/* returned from find() */
 	static char prompt[MED_BUF_SIZE];	/* place for us to sprintf the prompt */
 	static char name[MED_BUF_SIZE];	/* place to store the user's name */
@@ -155,88 +143,21 @@ auth( char *who, int implicit )
 	 */
 
 	if ( (krbnames = ldap_get_values( ld, mp, "krbName" )) != NULL ) {
-		int 	choice, hassimple;
-
-		hassimple = (ldap_compare_s( ld, Entry.DN, 
-				"userPassword", "x" ) == LDAP_COMPARE_FALSE);
-		(void) ldap_msgfree(mp);
-
-		/* if we're running as a server (e.g., out of inetd) */
-		if ( ! isatty( 1 ) ) {
-			strcpy( tktpath, LDAP_TMPDIR LDAP_DIRSEP "ud_tktXXXXXX" );
-			mktemp( tktpath );
-			krb_set_tkt_string( tktpath );
-		}
-
-		kinited = valid_tgt( krbnames );
-
-		if ( hassimple && !kinited ) {
-			printf("  Which password would you like to use?\n");
-			printf("    1 -> LDAP password\n");
-#ifdef UOFM
-			printf("    2 -> UMICH password (aka Uniqname or Kerberos password)\n");
-#else
-			printf("    2 -> Kerberos password\n");
-#endif
-
-			do {
-				printf("  Enter 1 or 2: ");
-				fflush(stdout);
-
-				fetch_buffer(buf, sizeof(buf), stdin);
-				choice = atoi(buf);
-			} while (choice != 1 && choice != 2);
-
-			authmethod = (choice == 1 ? LDAP_AUTH_SIMPLE :
-			    LDAP_AUTH_KRBV4);
-		} else {
-			authmethod = LDAP_AUTH_KRBV4;
-		}
+		authmethod = LDAP_AUTH_KRBV4;
+		(void) ldap_value_free(krbnames);
 	} else {
 		authmethod = LDAP_AUTH_SIMPLE;
-		(void) ldap_msgfree(mp);
 	}
+	(void) ldap_msgfree(mp);
 
 	/*
 	 * if they are already kinited, we don't need to ask for a 
 	 * password.
 	 */
 
-	if ( authmethod == LDAP_AUTH_KRBV4 ) {
-		if ( ! kinited ) {
-			if ( krbnames[1] != NULL ) {
-				int	i;
-
-				/* ask which one to use */
-#ifdef UOFM
-				printf("  Which UMICH (aka Kerberos or uniqname) name would you like to use?\n");
-#else
-				printf("  Which Kerberos name would you like to use?\n");
-#endif
-				for ( i = 0; krbnames[i] != NULL; i++ ) {
-					printf( "    %d -> %s\n", i + 1,
-					    krbnames[i] );
-				}
-				do {
-					printf("  Enter a number between 1 and %d: ", i );
-					fflush( stdout );
-
-					fetch_buffer(buf, sizeof(buf), stdin);
-					ikrb = atoi(buf) - 1;
-				} while ( ikrb > i - 1 || ikrb < 0 );
-			} else {
-				ikrb = 0;
-			}
-
-			/* kinit */
-			if ( kinit( krbnames[ikrb] ) != 0 ) {
-				(void) ldap_value_free(rdns);
-				(void) ldap_value_free(krbnames);
-				return(-1);
-			}
-		}
-	} else {
+	if ( authmethod != LDAP_AUTH_KRBV4 )
 #endif
+	{
 		authmethod = LDAP_AUTH_SIMPLE;
 		sprintf(prompt, "  Enter your LDAP password: ");
 		do {
@@ -246,10 +167,8 @@ auth( char *who, int implicit )
 			(void) ldap_value_free(rdns);
 			return(0);
 		}
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 	}
-	(void) ldap_value_free(krbnames);
-#endif
+
 	ldap_flush_cache( ld );
 	rc = ldap_bind_s(ld, Entry.DN, passwd, authmethod);
 	if (rc != LDAP_SUCCESS) {
@@ -261,12 +180,11 @@ auth( char *who, int implicit )
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 			if ( authmethod == LDAP_AUTH_KRBV4 ) {
 				fprintf(stderr, "  The Kerberos credentials are invalid.\n");
-			} else {
+			} else
 #endif
+			{
 				fprintf(stderr, "  The password you provided is incorrect.\n");
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 			}
-#endif
 		else
 			ldap_perror(ld, "ldap_bind_s" );
 		(void) ldap_bind_s(ld, default_bind_object,
@@ -293,138 +211,6 @@ auth( char *who, int implicit )
 	return(0);
 }
 
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-
-#define FIVEMINS	( 5 * 60 )
-#define TGT		"krbtgt"
-
-static int
-valid_tgt( char **names )
-{
-	int		i;
-	char		name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ];
-	CREDENTIALS	cred;
-
-	for ( i = 0; names[i] != NULL; i++ ) {
-		if ( kname_parse( name, inst, realm, names[i] ) != KSUCCESS ) {
-			fprintf( stderr, "Bad format for krbName %s\n",
-			    names[i] );
-			fprintf( stderr, "Contact x500@umich.edu\n" );
-			return( 0 );
-		}
-
-#ifdef HAVE_AFS_KERBEROS
-		/*
-		 * realm must be uppercase for krb_ routines
-		 */
-		ldap_pvt_str2upper( realm );
-#endif /* HAVE_AFS_KERBEROS */
-
-		/*
-		* check ticket file for a valid ticket granting ticket
-		* my check is: have ticket granting ticket and it is good for
-		* at least 5 more minutes
-		*/
-		if ( krb_get_cred( TGT, realm, realm,
-		    &cred ) == KSUCCESS && time( 0 ) + FIVEMINS <
-		    cred.issue_date + (u_char)cred.lifetime * FIVEMINS ) {
-			return( 1 );
-		}
-	}
-
-	return( 0 );
-}
-
-static char *kauth_name;
-
-#ifndef HAVE_KTH_KERBEROS
-
-/*ARGSUSED*/
-int
-krbgetpass( char *user, char *inst, char *realm, char *pw, C_Block key )
-{
-	char	*p, lcrealm[ REALM_SZ ], prompt[256], *passwd;
-
-#ifdef UOFM
-	sprintf(prompt, "  Enter the UMICH password (same as Uniqname or Kerberos password)\n  for %s: ", kauth_name );
-#else
-	sprintf(prompt, "  Enter Kerberos password for %s: ", kauth_name );
-#endif
-	do {
-		passwd = getpassphrase(prompt);
-	} while (passwd != NULL && *passwd == '\0');
-	if (passwd == NULL) {
-		return(-1);
-	}
-
-#ifdef HAVE_AFS_KERBEROS
-	strcpy( lcrealm, realm );
-	for ( p = lcrealm; *p != '\0'; ++p ) {
-		*p = TOLOWER( (unsigned char) *p );
-	}
-
-	ka_StringToKey( passwd, lcrealm, key );
-#else /* HAVE_AFS_KERBEROS */
-	string_to_key( passwd, key );
-#endif /* HAVE_AFS_KERBEROS */
-
-	return( 0 );
-}
-#endif /* HAVE_KTH_KERBEROS */
-
-static int
-kinit( char *kname )
-{
-	int	rc;
-	char	name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ];
-
-	kauth_name = kname;
-
-	if ( kname_parse( name, inst, realm, kname ) != KSUCCESS ) {
-		fprintf( stderr, "Bad format for krbName %s\n",
-		    kname );
-		fprintf( stderr, "Contact x500@umich.edu\n" );
-		return( -1 );
-	}
-
-#ifdef HAVE_AFS_KERBEROS
-	/* realm must be uppercase for AFS krb_ routines */
-	ldap_pvt_str2upper( realm );
-#endif /* HAVE_AFS_KERBEROS */
-
-#ifdef HAVE_KTH_KERBEROS
-	/* Kth kerberos knows how to do both string to keys */
-	rc = krb_get_pw_in_tkt( name, inst, realm, TGT, realm,
-		DEFAULT_TKT_LIFE, 0 );
-#else
-	rc = krb_get_in_tkt( name, inst, realm, TGT, realm,
-	    DEFAULT_TKT_LIFE, krbgetpass, NULL, NULL );
-#endif
-
-	if ( rc != KSUCCESS ) {
-		switch ( rc ) {
-		case SKDC_CANT:
-			fprintf( stderr, "Can't contact Kerberos server for %s\n", realm );
-			break;
-		default:
-			fprintf( stderr, "%s: %s\n", name, krb_err_txt[ rc ] );
-			break;
-		}
-		return( -1 );
-	}
-
-	return( 0 );
-}
-
-void
-destroy_tickets( void )
-{
-	if ( *tktpath != '\0' ) {
-		unlink( tktpath );
-	}
-}
-#endif
-
 static void
 set_bound_dn( char *s )
 {

clients/ud/etc.ud.conf

-server	<your ldap server host name here>
-base	<your X.500 default search base here>

clients/ud/main.c

@@ -279,9 +279,6 @@ do_commands( void )
 	printf(" Thank you!\n");
 	
 	ldap_unbind(ld);
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-	destroy_tickets();
-#endif
 	exit( EXIT_SUCCESS );
 	/* NOTREACHED */
 }

clients/ud/string_to_key.c

-/* $OpenLDAP$ */
-/*
- * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
- */
-#include "portable.h"
-
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd)
-/*
- * Copyright 1985, 1986, 1987, 1988, 1989 by the Massachusetts Institute
- * of Technology.
- *
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
- *
- * These routines perform encryption and decryption using the DES
- * private key algorithm, or else a subset of it-- fewer inner loops.
- * (AUTH_DES_ITER defaults to 16, may be less.)
- *
- * Under U.S. law, this software may not be exported outside the US
- * without license from the U.S. Commerce department.
- *
- * The key schedule is passed as an arg, as well as the cleartext or
- * ciphertext.  The cleartext and ciphertext should be in host order.
- *
- * These routines form the library interface to the DES facilities.
- *
- *	spm	8/85	MIT project athena
- */
-
-#include <stdio.h>
-#include <ac/krb.h>
-
-#if defined( DEBUG ) && defined( HAVE_DES_DEBUG )
-#define USE_DES_DEBUG
-extern int des_debug;
-#endif
-
-extern void des_fixup_key_parity();
-
-#ifndef HAVE_AFS_KERBEROS
-#define WORLDPEACEINOURTIME
-#endif
-
-#if defined(WORLDPEACEINOURTIME) /* Use original, not ifs version */
-#ifndef HAVE_KERBEROS_V
-/*
- * convert an arbitrary length string to a DES key
- */
-void
-des_string_to_key( char *str, register des_cblock *key )
-{
-    register char *in_str;
-    register unsigned temp,i;
-    register int j;
-    register long length;
-    static unsigned char *k_p;
-    static int forward;
-    register char *p_char;
-    static char k_char[64];
-    static des_key_schedule key_sked;
-    extern unsigned long des_cbc_cksum();
-
-    in_str = str;
-    forward = 1;
-    p_char = k_char;
-    length = strlen(str);
-
-    /* init key array for bits */
-    memset(k_char, '\0', sizeof(k_char));
-
-#ifdef USE_DES_DEBUG
-    if (des_debug)
-	fprintf(stdout,
-		"\n\ninput str length = %d  string = %s\nstring = 0x ",
-		length,str);
-#endif
-
-    /* get next 8 bytes, strip parity, xor */
-    for (i = 1; i <= length; i++) {
-	/* get next input key byte */
-	temp = (unsigned int) *str++;
-#ifdef USE_DES_DEBUG
-	if (des_debug)
-	    fprintf(stdout,"%02x ",temp & 0xff);
-#endif
-	/* loop through bits within byte, ignore parity */
-	for (j = 0; j <= 6; j++) {
-	    if (forward)
-		*p_char++ ^= (int) temp & 01;
-	    else
-		*--p_char ^= (int) temp & 01;
-	    temp = temp >> 1;
-	} while (--j > 0);
-
-	/* check and flip direction */
-	if ((i%8) == 0)
-	    forward = !forward;
-    }
-
-    /* now stuff into the key des_cblock, and force odd parity */
-    p_char = k_char;
-    k_p = (unsigned char *) key;
-
-    for (i = 0; i <= 7; i++) {
-	temp = 0;
-	for (j = 0; j <= 6; j++)
-	    temp |= *p_char++ << (1+j);
-	*k_p++ = (unsigned char) temp;
-    }
-
-    /* fix key parity */
-    des_fixup_key_parity(key);
-
-    /* Now one-way encrypt it with the folded key */
-    (void) des_key_sched(key,key_sked);
-    (void) des_cbc_cksum((des_cblock *)in_str,key,length,key_sked,key);
-    /* erase key_sked */
-    memset((char *)key_sked, '\0', sizeof(key_sked));
-
-    /* now fix up key parity again */
-    des_fixup_key_parity(key);
-
-#ifdef USE_DES_DEBUG
-    if (des_debug)
-	fprintf(stdout,
-		"\nResulting string_to_key = 0x%lx 0x%lx\n",
-		*((unsigned long *) key),
-		*((unsigned long *) key+1));
-#endif
-}
-
-#endif /* HAVE_KERBEROS_V */
-#else /* Use ifs version */
-
-#if 0
-#include <stdio.h>
-    /* These two needed for rxgen output to work */
-#include <sys/types.h>
-#include <rx/xdr.h>
-#include <afs/cellconfig.h>
-#include <afs/auth.h>
-
-#include "/usr/andy/kauth/kauth.h"
-#include "/usr/andy/kauth/kautils.h"
-#endif
-
-/* This defines the Andrew string_to_key function.  It accepts a password
-   string as input and converts its via a one-way encryption algorithm to a DES
-   encryption key.  It is compatible with the original Andrew authentication
-   service password database. */
-
-static void
-Andrew_StringToKey(
-  char          *str,
-  char          *cell,                  /* cell for password */
-  des_cblock *key
-)
-{   char  password[8+1];                /* crypt is limited to 8 chars anyway */
-    int   i;
-    int   passlen;
-
-    memset(key, '\0', sizeof(des_cblock));
-    memset(password, '\0', sizeof(password));
-
-    strncpy (password, cell, 8);
-    passlen = strlen (str);
-    if (passlen > 8) passlen = 8;
-
-    for (i=0; i<passlen; i++)
-        password[i] = str[i] ^ cell[i];
-
-    for (i=0;i<8;i++)
-        if (password[i] == '\0') password[i] = 'X';
-
-    /* crypt only considers the first 8 characters of password but for some
-       reason returns eleven characters of result (plus the two salt chars). */
-    strncpy(key, crypt(password, "#~") + 2, sizeof(des_cblock));
-
-    /* parity is inserted into the LSB so leftshift each byte up one bit.  This
-       allows ascii characters with a zero MSB to retain as much significance
-       as possible. */
-    {   char *keybytes = (char *)key;
-        unsigned int temp;
-
-        for (i = 0; i < 8; i++) {
-            temp = (unsigned int) keybytes[i];
-            keybytes[i] = (unsigned char) (temp << 1);
-        }
-    }
-    des_fixup_key_parity (key);
-}
-
-static void
-StringToKey(
-  char          *str,
-  char          *cell,                  /* cell for password */
-  des_cblock	*key
-)
-{   des_key_schedule schedule;
-    char temp_key[8];
-    char ivec[8];
-    char password[BUFSIZ];
-    int  passlen;
-
-    strncpy (password, str, sizeof(password));
-    if ((passlen = strlen (password)) < sizeof(password)-1)
-        strncat (password, cell, sizeof(password)-passlen);
-    if ((passlen = strlen(password)) > sizeof(password)) passlen = sizeof(password);
-
-    AC_MEMCPY(ivec, "kerberos", 8);
-    AC_MEMCPY(temp_key, "kerberos", 8);
-    des_fixup_key_parity (temp_key);
-    des_key_sched (temp_key, schedule);
-    des_cbc_cksum (password, ivec, passlen, schedule, ivec);
-
-    AC_MEMCPY(temp_key, ivec, 8);
-    des_fixup_key_parity (temp_key);
-    des_key_sched (temp_key, schedule);
-    des_cbc_cksum (password, key, passlen, schedule, ivec);
-
-    des_fixup_key_parity (key);
-}
-
-void
-ka_StringToKey (
-  char          *str,
-  char          *cell,                  /* cell for password */
-  des_cblock	*key
-)
-{   char  realm[REALM_SZ];
-
-#if NOWAYOUTTODAY
-    long  code;
-#if 0
-    code = ka_CellToRealm (cell, realm, 0/*local*/);
-#endif
-    if (code) strcpy (realm, "");
-    else lcstring (realm, realm, sizeof(realm)); /* for backward compatibility */
-#else
-	(void)strcpy(realm, cell);
-#endif
-
-    if (strlen(str) > 8) StringToKey (str, realm, key);
-    else Andrew_StringToKey (str, realm, key);
-}
-
-/*
- * convert an arbitrary length string to a DES key
- */
-int
-des_string_to_key( char *str, register des_cblock *key )
-{
-	/* NB: i should probably call routine to get local cell here */
-	ka_StringToKey(str, "umich.edu", key);
-	return 0;
-}
-
-#endif /* Use IFS Version */
-
-#endif /* kerberos */

clients/ud/ud.h

@@ -82,15 +82,6 @@
 #define G_JOIN		0
 #define G_RESIGN	1
 
-/*
- *  Authentication method we will be using.
- */
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-#define UD_AUTH_METHOD		LDAP_AUTH_KRBV4
-#else
-#define UD_AUTH_METHOD		LDAP_AUTH_SIMPLE
-#endif
-
 /*
  *  TRUE and FALSE - just in case we need them.
  */
@@ -193,10 +184,6 @@ extern char Version[];
 
 /* in auth.c: */
 int  auth	LDAP_P(( char *who, int implicit ));
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && defined(_AC_KRB_H)
-int  krbgetpass LDAP_P(( char *u, char *in, char *re, char *pw, C_Block key ));
-void destroy_tickets LDAP_P(( void ));
-#endif
 
 /* in edit.c: */
 void edit	LDAP_P(( char *who ));
@@ -263,16 +250,6 @@ void initialize_attribute_strings	LDAP_P(( void ));
 void print_URL	LDAP_P(( struct attribute A ));
 void print_one_URL	LDAP_P(( char *s, int l_lead, char *tag, int u_lead ));
 
-/* in string_to_key.c: */
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd) && defined(_AC_KRB_H)
-#if defined(HAVE_AFS_KERBEROS) || !defined(HAVE_KERBEROS_V)
-void  des_string_to_key	LDAP_P(( char *str, des_cblock *key ));
-#endif
-#if defined(HAVE_AFS_KERBEROS)
-void ka_StringToKey LDAP_P(( char *str, char *cell, des_cblock *key ));
-#endif
-#endif
-
 /* in util.c: */
 void printbase	LDAP_P(( char *lead, char *s ));
 void fetch_buffer	LDAP_P(( char *buffer, int length, FILE *where ));

clients/ud/util.c

@@ -107,9 +107,6 @@ fatal( char *s )
 {
 	if (errno != 0)
 		perror(s);
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
-	destroy_tickets();
-#endif
 	exit( EXIT_FAILURE );
 }