diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index ae3b08e66..2501f8e4a 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -559,7 +559,16 @@ done:
 return ret;
 }
-static char *ask_password(krb5_context krbctx)
+/* Prompt for either a password.
+ * This can be either asking for a new or existing password.
+ *
+ * To set a new password provide values for both prompt1 and prompt2 and
+ * set match=true to enforce that the two entered passwords match.
+ *
+ * To prompt for an existing password provide prompt1 and set match=false.
+ */
+static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
+ bool match)
 {
 krb5_prompt ap_prompts[2];
 krb5_data k5d_pw0;
@@ -567,24 +576,27 @@ static char *ask_password(krb5_context krbctx)
 char pw0[256];
 char pw1[256];
 char *password;
+ int num_prompts = match ? 2:1;
 k5d_pw0.length = sizeof(pw0);
 k5d_pw0.data = pw0;
- ap_prompts[0].prompt = _("New Principal Password");
+ ap_prompts[0].prompt = prompt1;
 ap_prompts[0].hidden = 1;
 ap_prompts[0].reply = &k5d_pw0;
- k5d_pw1.length = sizeof(pw1);
- k5d_pw1.data = pw1;
- ap_prompts[1].prompt = _("Verify Principal Password");
- ap_prompts[1].hidden = 1;
- ap_prompts[1].reply = &k5d_pw1;
+ if (match) {
+ k5d_pw1.length = sizeof(pw1);
+ k5d_pw1.data = pw1;
+ ap_prompts[1].prompt = prompt2;
+ ap_prompts[1].hidden = 1;
+ ap_prompts[1].reply = &k5d_pw1;
+ }
 krb5_prompter_posix(krbctx, NULL, NULL, NULL,
- 2, ap_prompts);
+ num_prompts, ap_prompts);
- if (strcmp(pw0, pw1)) {
+ if (match && (strcmp(pw0, pw1))) {
 fprintf(stderr, _("Passwords do not match!"));
 return NULL;
 }
@@ -735,6 +747,7 @@ int main(int argc, const char *argv[])
 static const char *ca_cert_file = NULL;
 int quiet = 0;
 int askpass = 0;
+ int askbindpw = 0;
 int permitted_enctypes = 0;
 int retrieve = 0;
 struct poptOption options[] = {
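Review bot: The first sentence of the new header comment, `Prompt for either a password.`, reads as a leftover from editing and no longer says what the function does; rephrase it as `Prompt for a password, either a new one or an existing one.` The comment should also state the contract the two callers now depend on: prompt2 is ignored when match is false, and the function returns NULL when the two entries differ. The body of ask_password continues past the end of this hunk, so any other return paths are not visible here.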
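Review bot: The return value of krb5_prompter_posix is still discarded on the rewritten call, so when prompting fails (stdin closed, no controlling tty, interrupted) pw0 and pw1 are never written and execution continues on uninitialized stack buffers: with match=true the new `match && strcmp(pw0, pw1)` compares garbage and can pass by accident, and with match=false the new -W path would presumably receive whatever was on the stack as the bind password. Check it before using the buffers: `if (krb5_prompter_posix(krbctx, NULL, NULL, NULL, num_prompts, ap_prompts) != 0) { return NULL; }`. The mismatch message also lacks a trailing newline, `_("Passwords do not match!\n")`, unlike the other messages in this commit. The function continues past the hunk, so whether pw0/pw1 are cleared (explicit_bzero) after the cleartext is copied out is not visible here; a practitioner would want that on every return path.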
@@ -762,6 +775,8 @@ int main(int argc, const char *argv[])
 _("LDAP DN"), _("DN to bind as if not using kerberos") },
 { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0,
 _("LDAP password"), _("password to use if not using kerberos") },
+ { NULL, 'W', POPT_ARG_NONE, &askbindpw, 0,
+ _("Prompt for LDAP password"), NULL },
 { "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0,
 _("Path to the IPA CA certificate"), _("IPA CA certificate")},
 { "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0,
@@ -833,9 +848,24 @@ int main(int argc, const char *argv[])
 exit(2);
 }
+ if (askbindpw && bindpw != NULL) {
+ fprintf(stderr, _("Bind password already provided (-w).\n"));
+ if (!quiet) {
+ poptPrintUsage(pc, stderr, 0);
+ }
+ exit(2);
+ }
+
+ if (askbindpw) {
+ bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false);
+ if (!bindpw) {
+ exit(2);
+ }
+ }
+
 if (NULL!=binddn && NULL==bindpw) {
 fprintf(stderr,
- _("Bind password required when using a bind DN.\n"));
+ _("Bind password required when using a bind DN (-w or -W).\n"));
 if (!quiet)
 poptPrintUsage(pc, stderr, 0);
 exit(10);
@@ -899,7 +929,8 @@ int main(int argc, const char *argv[])
 }
 if (askpass) {
- password = ask_password(krbctx);
+ password = ask_password(krbctx, _("New Principal Password"),
+ _("Verify Principal Password"), true);
 if (!password) {
 exit(2);
 }
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index 20ceee2e6..6a17d8625 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
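Review bot: The prompted value is accepted as-is on the `bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false);` line, so a user who just presses Enter ends up with an empty, non-NULL bindpw that passes the `NULL==bindpw` check below; unless the LDAP bind code outside this hunk rejects it, an empty password on a simple bind is treated as an unauthenticated bind (RFC 4513 section 5.1.2) rather than an authentication failure, which is a misleading outcome for the enrollment path -D is documented for. Reject it right after the prompt: `if (!bindpw || *bindpw == '\0') { fprintf(stderr, _("Bind password must not be empty.\n")); exit(2); }`. It would also be cleaner to prompt only once binddn is known to be set, since -W without -D currently asks for a password that is never used; whether a later check already rejects a bind password given without a bind DN is not visible in this hunk.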
@@ -21,7 +21,7 @@ .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ] +ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB-W\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ] .SH "DESCRIPTION" Retrieves a Kerberos \fIkeytab\fR. 
@@ -44,7 +44,7 @@ provided, so the principal name is just the service name and hostname (ldap/foo.example.com from the example above). -ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication. +ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR \fB\-w|\-\-bindpw\fR options are used for this authentication. \fB-W\fR can be used instead of \fB\-w|\-\-bindpw\fR to interactively prompt for the bind password. \fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid. 
@@ -98,11 +98,14 @@ DES cbc mode with RSA\-MD4 Use this password for the key instead of one randomly generated. .TP \fB\-D, \-\-binddn\fR -The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option. +The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options. .TP \fB\-w, \-\-bindpw\fR The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR. .TP +\fB\-W\fR +Interactive prompt for the bind password. \fB\-D\fR and \fB\-W\fR can not be used together with \fB\-Y\fR +.TP \fB\-\-cacert\fR The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections. Defaults to /etc/ipa/ca.crt