authorB Stack <bgstack15@gmail.com>2019-05-29 14:57:02 +0000
committerB Stack <bgstack15@gmail.com>2019-05-29 14:57:02 +0000
commit1fa2f17b65c7ebfff60672bbaf46b9d51d4984f2 (patch)
tree070a5c84596f22c4cb2f5eb70e460154aa2cfe01
parentMerge branch 'michaelweiser/laps-empty-timestamp' (diff)
parentfix minor style issues (diff)
Merge branch 'dev' into 'master'
laps 0.0.4 Changes include: * The feature for "-i" interactive is now documented. * A new environment variable/config option is available: LAPS_KINIT_HOST_SCRIPT_OPTS. It is intended for passing to kinit-host the "--atdomain" option which was recently added to upstream kinit-host. See merge request bgstack15/laps!5
-rw-r--r--laps.spec4
-rw-r--r--src/etc/laps/laps.conf.example1
-rw-r--r--src/usr/share/doc/laps/changes6
-rw-r--r--src/usr/share/doc/laps/version.txt2
-rwxr-xr-xsrc/usr/share/laps/laps.sh33
5 files changed, 29 insertions, 17 deletions
diff --git a/laps.spec b/laps.spec
index 303a66d..9fce9fb 100644
--- a/laps.spec
+++ b/laps.spec
@@ -1,6 +1,6 @@
%define debug_package %{nil}
Name: laps
-Version: 0.0.3
+Version: 0.0.4
Release: 1
Summary: local administrator password solution
@@ -11,7 +11,7 @@ Source0: laps-%{version}.tgz
BuildArch: noarch
BuildRequires: coreutils
-Requires: bgscripts-core
+Requires: bgscripts-core >= 1.4.3
Requires: krb5-workstation
Requires: openldap-clients
Requires: passwd
diff --git a/src/etc/laps/laps.conf.example b/src/etc/laps/laps.conf.example
index 14c5f8a..f33c494 100644
--- a/src/etc/laps/laps.conf.example
+++ b/src/etc/laps/laps.conf.example
@@ -22,6 +22,7 @@ LAPS_LDAPSEARCH_FILTER="(cn=${LAPS_HOST}*)"
LAPS_KINIT_BIN="/usr/bin/kinit"
LAPS_DATETIME_PY="/usr/share/laps/dependencies/datetime.py"
LAPS_KINIT_HOST_SCRIPT_DEFAULT="/usr/bin/kinit-host"
+LAPS_KINIT_HOST_SCRIPT_OPTS="" # useful if you need to pass "--atdomain AD.EXAMPLE.COM"
LAPS_KINIT_HOST_SCRIPT="/usr/bin/kinit-host"
LAPS_KLIST_BIN="/usr/bin/klist"
LAPS_LDAPMODIFY_BIN="/usr/bin/ldapmodify"
diff --git a/src/usr/share/doc/laps/changes b/src/usr/share/doc/laps/changes
index 51a0c15..867a14a 100644
--- a/src/usr/share/doc/laps/changes
+++ b/src/usr/share/doc/laps/changes
@@ -1,8 +1,12 @@
* Oct 24 2018 B Stack <bgstack15@gmail.com> 0.0.2-1
-- fix $2 read action should provide date of expiration on -d 1
+- fix #2 read action should provide date of expiration on -d 1
- fix #3 add readme.md to front directory
- fix #4 laps does not recognize expired kerberos tickets
* Mar 1 2019 B Stack <bgstack15@gmail.com> 0.0.3-1
- fix #5 document the recommended use of "-f" for first run
- merge !1 handle empty password change timestamp LDAP attribute
+
+* May 29 2019 B Stack <bgstack15@gmail.com> - 0.0.4-1
+- fix #6 document the -i interactive flag
+- fix #7 add LAPS_KINIT_HOST_SCRIPT_OPTS
diff --git a/src/usr/share/doc/laps/version.txt b/src/usr/share/doc/laps/version.txt
index bcab45a..81340c7 100644
--- a/src/usr/share/doc/laps/version.txt
+++ b/src/usr/share/doc/laps/version.txt
@@ -1 +1 @@
-0.0.3
+0.0.4
diff --git a/src/usr/share/laps/laps.sh b/src/usr/share/laps/laps.sh
index c81e7a4..daa0d2f 100755
--- a/src/usr/share/laps/laps.sh
+++ b/src/usr/share/laps/laps.sh
@@ -12,7 +12,7 @@
# Improve:
# Dependencies:
# bundled: dependencies/datetime.py
-# framework.sh (bgscripts-core)
+# framework.sh, kinit-host (bgscripts-core >= 1.4.3)
# kinit, klist (krb5-workstation)
# ldapsearch, ldapmodify (openldap-clients)
# passwd (passwd)
@@ -23,12 +23,12 @@
# sed (sed)
# awk (gawk)
fiversion="2018-09-12a"
-lapsversion="2019-03-01a"
+lapsversion="2019-05-29a"
usage() {
${PAGER:-/usr/bin/less -F} >&2 <<ENDUSAGE
laps is the Local Administrator Password Solution for GNU/Linux.
-usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]]
+usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u <username>] [-h <hostname>]] [-i]
version ${lapsversion}
-d debug Show debugging info, including parsed variables.
--usage Show this usage block.
@@ -41,6 +41,7 @@ version ${lapsversion}
-r read Read password; do not set it. Can only be used by a domain admin. Can only be used with -u.
-u user Connect with kerberos ticket for this user. Default is "machine" to use host keytab.
-h <hostname> Read this hostname instead of \$( hostname -s )
+ -i interactive Allow laps to prompt for password if a keytab does not yet exist.
Debug levels:
0 Silent
9 displays sensitive info, specifically the generated password
@@ -104,11 +105,12 @@ main_workflow() {
fi
# 1. kinit-host
- get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}" || { ferror "${0}: unable to get host kerberos ticket. Aborted." ; exit 6 ; }
+ get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}" || { ferror "${0}: unable to get host kerberos ticket. Aborted." ; exit 6 ; }
# 2. fetch timestamp from ldap
LAPS_epoch="$( wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}" )"
- test $? -eq 0 || return 1
+ LAPS_epoch_response="$?"
+ test ${LAPS_epoch_response} -eq 0 || return "${LAPS_epoch_response}"
# 3. check timestamp to see if close to expiration
check_ts_against_expiration_threshold "${LAPS_THRESHOLD}" "${LAPS_epoch}" "${LAPS_FORCE}"
@@ -129,19 +131,20 @@ main_workflow() {
}
get_host_keytab() {
- # call: get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}"
+ # call: get_host_keytab "${LAPS_KINIT_HOST_SCRIPT}" "${LAPS_KINIT_HOST_SCRIPT_OPTS}" "${LAPS_KLIST_BIN}" "${LAPS_KRB5CC_TMPFILE}"
# returns: nothing.
# action: get host kerberos ticket-granting ticket
debuglev 10 && ferror "get_host_keytab $@"
___ghk_kinit_host_script="${1}"
- ___ghk_klist_bin="${2}"
- ___ghk_krb5cc_tmpfile="${3}"
+ ___ghk_kinit_host_script_opts="${2}"
+ ___ghk_klist_bin="${3}"
+ ___ghk_krb5cc_tmpfile="${4}"
test -z "${___ghk_kinit_host_script}" && ___ghk_kinit_host_script="${LAPS_KINIT_HOST_SCRIPT_DEFAULT}"
if test -e "${___ghk_kinit_host_script}" ;
then
- KRB5CCNAME=FILE:"${___ghk_krb5cc_tmpfile}" "${___ghk_kinit_host_script}"
+ KRB5CCNAME=FILE:"${___ghk_krb5cc_tmpfile}" "${___ghk_kinit_host_script}" ${___ghk_kinit_host_script_opts}
else
debuglev 3 && ferror "debug3: Using built-in logic to fetch host kerberos ticket because unable to find LAPS_KINIT_HOST_SCRIPT=${___ghk_kinit_host_script}"
# do internal logic here
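Review bot: The new `${___ghk_kinit_host_script_opts}` on the `KRB5CCNAME=FILE:...` line is deliberately left unquoted so that a config value such as the `--atdomain AD.EXAMPLE.COM` suggested in laps.conf.example splits into two arguments, but nothing in the hunk records that, and the same unquoted expansion also performs pathname globbing, so an option value containing `*` or `?` would be expanded against the current directory before kinit-host sees it. A comment above that line keeps the intent from being "fixed" by the next quoting pass: `# intentionally unquoted: LAPS_KINIT_HOST_SCRIPT_OPTS is a whitespace-separated option list and must not contain glob characters`. If an option value with embedded spaces is ever needed, this single string would have to be replaced by a different passing mechanism (e.g. resetting the positional parameters with `set --`) rather than word-splitting. The `# returns: nothing.` header line is also at odds with the caller in main_workflow, which now aborts on a non-zero status from this function (`|| { ferror ... ; exit 6 ; }`), so noting that the exit status of the kinit-host script or of the built-in kinit path is what the caller sees would help. get_host_keytab continues past the end of this hunk.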
@@ -152,6 +155,7 @@ get_host_keytab() {
ferror "${scriptname}: 4 fatal! Unable to find kinit. Please use variable LAPS_KINIT_BIN. Aborted."
fi
# cannot use requested server name here. root@localhost can only use its own kerberos ticket.
+ # observe that no domain name is given (after the dollar sign). This will force kerberos to choose, based on the default_realm value in /etc/krb5.conf.
"${___ghk_kinit_bin}" -k -c "${___ghk_krb5cc_tmpfile}" "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$" | debuglevoutput 7
fi
@@ -179,7 +183,8 @@ get_attrib_from_ldap() {
# execute to check for ldap or kerberos errors
___gtfl_stderr="$( KRB5CCNAME="${___gtfl_krb5cc_tmpfile}" LDAPCONF="${___gtfl_ldapconf}" "${___gtfl_ldapsearch_bin}" ${___gtfl_ldapsearch_flags} "${___gtfl_ldapsearch_filter}" "${___gtfl_attrib}" 2>&1 1>/dev/null )"
- if test "$?" -ne 0 ;
+ ___gtfl_stderr_response="$?"
+ if test ${___gtfl_stderr_response} -ne 0 ;
then
if echo "${___gtfl_stderr}" | grep -qiE 'Ticket expired' ;
then
@@ -224,7 +229,7 @@ get_attrib_from_ldap() {
wrapper_get_timestamp_from_ldap() {
# call: wrapper_get_timestamp_from_ldap "${LAPS_LDAPSEARCH_BIN}" "${LAPS_LDAPSEARCH_FLAGS}" "${LAPS_LDAPSEARCH_FILTER}" "${LAPS_ATTRIB_TIME}" "${LAPS_LDAPCONF}" "${LAPS_DATETIME_PY}" "${LAPS_KRB5CC_TMPFILE}"
- debuglev 10 && ferror "$wrapper_get_timestamp_from_ldap $@"
+ debuglev 10 && ferror "wrapper_get_timestamp_from_ldap $@"
___wgtfl_ldapsearch_bin="${1}"
___wgtfl_ldapsearch_flags="${2}"
___wgtfl_ldapsearch_filter="${3}"
@@ -234,10 +239,11 @@ wrapper_get_timestamp_from_ldap() {
___wgtfl_krb5cc_tmpfile="${7}"
ts_filetime="$( get_attrib_from_ldap "${___wgtfl_ldapsearch_bin}" "${___wgtfl_ldapsearch_flags}" "${___wgtfl_ldapsearch_filter}" "${___wgtfl_attrib}" "${___wgtfl_ldapconf}" "${___wgtfl_krb5cc_tmpfile}" )"
- test "$?" -eq 0 || return 1
+ ts_filetime_response="$?"
+ test ${ts_filetime_response} -eq 0 || return "${ts_filetime_response}"
ts_epoch=0
- if test -n "$ts_filetime" ;
+ if test -n "${ts_filetime}" ;
then
debuglev 3 && ferror "timestamp(FILETIME): ${ts_filetime}"
ts_epoch="$( "${___wgtfl_datetime_py}" -e "${ts_filetime}" )"
@@ -662,6 +668,7 @@ test -z "${LAPS_LDAPMODIFY_STATUS_TMPFILE}" && LAPS_LDAPMODIFY_STATUS_TMPFILE="$
test -z "${LAPS_LDAPSEARCH_STATUS_TMPFILE}" && LAPS_LDAPSEARCH_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
test -z "${LAPS_PASSWORD_STATUS_TMPFILE}" && LAPS_PASSWORD_STATUS_TMPFILE="$( TMPDIR="${LAPS_TMPDIR}" mktemp )"
define_if_new LAPS_KINIT_HOST_SCRIPT "/usr/share/bgscripts/work/kinit-host.sh"
+define_if_new LAPS_KINIT_HOST_SCRIPT_OPTS ""
define_if_new LAPS_KINIT_HOST_SCRIPT_DEFAULT "/usr/share/bgscripts/work/kinit-host.sh"
define_if_new LAPS_KLIST_BIN "/usr/bin/klist"
define_if_new LAPS_KINIT_BIN "/usr/bin/kinit"