From dgc@smack.uchicago.edu Wed Aug 25 16:50:37 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id QAA22075 for <bugs@RT-11.MIT.EDU>; Wed, 25 Aug 1999 16:50:32 -0400
Received: from smack.uchicago.edu by MIT.EDU with SMTP
id AA10441; Wed, 25 Aug 99 16:50:28 EDT
Received: (from dgc@localhost)
by smack.uchicago.edu (8.9.3/8.9.3) id PAA04183;
Wed, 25 Aug 1999 15:50:27 -0500 (CDT)
Message-Id: <19990825155026.I11819@smack.uchicago.edu>
Date: Wed, 25 Aug 1999 15:50:26 -0500
From: David Champion <dgc@smack.uchicago.edu>
Reply-To: David Champion <dgc@smack.uchicago.edu>
To: krb5-bugs@MIT.EDU
Cc: network-security@uchicago.edu
Subject: kadmin enhancement req
X-Send-Pr-Version: 3.99
>Number: 742
>Category: krb5-admin
>Synopsis: kadmin does not exit with nonzero status
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Aug 25 16:51:00 EDT 1999
>Last-Modified:
>Originator: David Champion
>Organization:
University of Chicago
>Release: krb5-1.0.6
>Environment:
System: SunOS smack 5.7 Generic_106541-04 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libgen.so.1 => /usr/lib/libgen.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
>Description:
kadmin does not exit with nonzero status upon failure of operations
given with the -q option (or interactively, but that's not a big
problem.) Specifically, our account management system needs to be able
to send ank, modprinc, and cpw queries to create, enable/disable, and
passwd principals. kadmin should exit with nonzero status when these
operations fail because of policy violations, bad passwords, or
nonexistent principals.
>How-To-Repeat:
root# /opt/sbin/kadmin -p my_princ/actmgr@REALM -w "my unfortunately exposed password" -q "ank -policy default +requires_preauth -pw bad_password new_princ@REALM"
root# echo $?
0
root# /opt/sbin/kadmin -p my_princ/actmgr@REALM -w "my unfortunately exposed password" -q "modprinc -expire now -allow_tix nonexistent_princ@REALM"
root# echo $?
0
root# /opt/sbin/kadmin -p my_princ/actmgr@REALM -w "my unfortunately exposed password" -q "cpw -pw bad_password smack@UCHICAGO.EDU"
root# echo $?
0
>Fix:
Should be fairly evident....
--
-D. dgc@uchicago.edu
System Administrator, etc etc.
The University of Chicago, Inc.
>Audit-Trail:
>Unformatted:
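
One way a calling script can cope with the behaviour reported above, as an added example that is not part of the original report or of krb5: a fail-closed wrapper that counts a query as successful only when kadmin exits zero and also prints the confirmation text the caller expects. The confirmation wording, the keytab path and the use of `-k -t` in place of `-w` are assumptions to check against the installed kadmin.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for `kadmin -q` when the exit status
# cannot be trusted (the kadmin in this report exits 0 on failed queries).

KADMIN="${KADMIN:-/opt/sbin/kadmin}"                   # path used in the report
KADMIN_PRINC="${KADMIN_PRINC:-my_princ/actmgr@REALM}"  # principal from the report
KADMIN_KEYTAB="${KADMIN_KEYTAB:-/etc/actmgr.keytab}"   # hypothetical keytab path

# kadmin_checked EXPECTED QUERY
#   EXPECTED is a fixed string that must appear in kadmin's output for the
#   query to count as done. Assumed wording, verify on your version, e.g.
#     kadmin_checked 'Principal "new_princ@REALM" created.' \
#                    'ank -policy default new_princ@REALM'
kadmin_checked() {
    expected=$1
    query=$2
    # -k -t authenticates from a keytab, so the admin password is not in argv.
    out=$("$KADMIN" -p "$KADMIN_PRINC" -k -t "$KADMIN_KEYTAB" -q "$query" 2>&1)
    status=$?
    if [ "$status" -ne 0 ]; then
        # A nonzero status is always a failure, whatever was printed.
        printf '%s\n' "$out" >&2
        return "$status"
    fi
    # Exit status 0 proves nothing here: require the positive confirmation.
    if printf '%s\n' "$out" | grep -Fq -- "$expected"; then
        return 0
    fi
    # Report only the subcommand: the full query may carry "-pw <password>".
    printf 'kadmin %s: no confirmation in output:\n%s\n' "${query%% *}" "$out" >&2
    return 1
}
```

A password passed with `-pw` inside the query is still visible in kadmin's own argument list; the wrapper only keeps it out of its diagnostics.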