2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kpasswd_locl.h"
37 #include <kadm5/admin.h>
42 #include <kadm5/private.h>
43 #include <kadm5/kadm5_err.h>
45 static krb5_context context
;
46 static krb5_log_facility
*log_facility
;
48 static struct getarg_strings addresses_str
;
49 krb5_addresses explicit_addresses
;
51 static sig_atomic_t exit_flag
= 0;
54 add_one_address (const char *str
, int first
)
59 ret
= krb5_parse_address (context
, str
, &tmp
);
61 krb5_err (context
, 1, ret
, "parse_address `%s'", str
);
63 krb5_copy_addresses(context
, &tmp
, &explicit_addresses
);
65 krb5_append_addresses(context
, &explicit_addresses
, &tmp
);
66 krb5_free_addresses (context
, &tmp
);
78 uint16_t len
, ap_rep_len
;
83 ap_rep_len
= ap_rep
->length
;
87 len
= 6 + ap_rep_len
+ rest
->length
;
89 *p
++ = (len
>> 8) & 0xFF;
90 *p
++ = (len
>> 0) & 0xFF;
93 *p
++ = (ap_rep_len
>> 8) & 0xFF;
94 *p
++ = (ap_rep_len
>> 0) & 0xFF;
96 memset (&msghdr
, 0, sizeof(msghdr
));
97 msghdr
.msg_name
= (void *)sa
;
98 msghdr
.msg_namelen
= sa_size
;
100 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
102 msghdr
.msg_control
= NULL
;
103 msghdr
.msg_controllen
= 0;
106 iov
[0].iov_base
= (char *)header
;
109 iov
[1].iov_base
= ap_rep
->data
;
110 iov
[1].iov_len
= ap_rep
->length
;
112 iov
[1].iov_base
= NULL
;
115 iov
[2].iov_base
= rest
->data
;
116 iov
[2].iov_len
= rest
->length
;
118 if (sendmsg (s
, &msghdr
, 0) < 0)
119 krb5_warn (context
, errno
, "sendmsg");
123 make_result (krb5_data
*data
,
124 uint16_t result_code
,
130 sp
= krb5_storage_emem();
131 if (sp
== NULL
) goto out
;
132 ret
= krb5_store_uint16(sp
, result_code
);
134 ret
= krb5_store_stringz(sp
, expl
);
136 ret
= krb5_storage_to_data(sp
, data
);
138 krb5_storage_free(sp
);
143 krb5_storage_free(sp
);
145 krb5_warnx (context
, "Out of memory generating error reply");
150 reply_error (krb5_realm realm
,
154 krb5_error_code error_code
,
155 uint16_t result_code
,
159 krb5_data error_data
;
161 krb5_principal server
= NULL
;
163 if (make_result(&e_data
, result_code
, expl
))
167 ret
= krb5_make_principal (context
, &server
, realm
,
168 "kadmin", "changepw", NULL
);
170 krb5_data_free (&e_data
);
175 ret
= krb5_mk_error (context
,
185 krb5_free_principal(context
, server
);
186 krb5_data_free (&e_data
);
188 krb5_warn (context
, ret
, "Could not even generate error reply");
191 send_reply (s
, sa
, sa_size
, NULL
, &error_data
);
192 krb5_data_free (&error_data
);
196 reply_priv (krb5_auth_context auth_context
,
200 uint16_t result_code
,
204 krb5_data krb_priv_data
;
205 krb5_data ap_rep_data
;
208 ret
= krb5_mk_rep (context
,
212 krb5_warn (context
, ret
, "Could not even generate error reply");
216 if (make_result(&e_data
, result_code
, expl
))
219 ret
= krb5_mk_priv (context
,
224 krb5_data_free (&e_data
);
226 krb5_warn (context
, ret
, "Could not even generate error reply");
229 send_reply (s
, sa
, sa_size
, &ap_rep_data
, &krb_priv_data
);
230 krb5_data_free (&ap_rep_data
);
231 krb5_data_free (&krb_priv_data
);
235 * Change the password for `principal', sending the reply back on `s'
236 * (`sa', `sa_size') to `pwd_data'.
240 change (krb5_auth_context auth_context
,
241 krb5_principal admin_principal
,
249 char *client
= NULL
, *admin
= NULL
;
250 kadm5_config_params conf
;
251 void *kadm5_handle
= NULL
;
252 krb5_principal principal
= NULL
;
253 krb5_data
*pwd_data
= NULL
;
255 ChangePasswdDataMS chpw
;
257 memset (&conf
, 0, sizeof(conf
));
258 memset(&chpw
, 0, sizeof(chpw
));
260 if (version
== KRB5_KPASSWD_VERS_CHANGEPW
) {
261 ret
= krb5_copy_data(context
, in_data
, &pwd_data
);
263 krb5_warn (context
, ret
, "krb5_copy_data");
264 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
265 "out out memory copying password");
268 principal
= admin_principal
;
269 } else if (version
== KRB5_KPASSWD_VERS_SETPW
) {
272 ret
= decode_ChangePasswdDataMS(in_data
->data
, in_data
->length
,
275 krb5_warn (context
, ret
, "decode_ChangePasswdDataMS");
276 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
277 "malformed ChangePasswdData");
282 ret
= krb5_copy_data(context
, &chpw
.newpasswd
, &pwd_data
);
284 krb5_warn (context
, ret
, "krb5_copy_data");
285 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
286 "out out memory copying password");
290 if (chpw
.targname
== NULL
&& chpw
.targrealm
!= NULL
) {
291 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
292 reply_priv (auth_context
, s
, sa
, sa_size
,
293 KRB5_KPASSWD_MALFORMED
,
294 "targrealm but not targname");
299 krb5_principal_data princ
;
301 memset(&princ
, 0, sizeof (princ
));
302 princ
.name
= *chpw
.targname
;
303 princ
.realm
= *chpw
.targrealm
;
304 if (princ
.realm
== NULL
) {
305 ret
= krb5_get_default_realm(context
, &princ
.realm
);
309 "kadm5_init_with_password_ctx: "
310 "failed to allocate realm");
311 reply_priv (auth_context
, s
, sa
, sa_size
,
312 KRB5_KPASSWD_SOFTERROR
,
313 "failed to allocate realm");
317 ret
= krb5_copy_principal(context
, &princ
, &principal
);
318 if (*chpw
.targrealm
== NULL
)
321 krb5_warn(context
, ret
, "krb5_copy_principal");
322 reply_priv(auth_context
, s
, sa
, sa_size
,
323 KRB5_KPASSWD_HARDERROR
,
324 "failed to allocate principal");
328 principal
= admin_principal
;
330 krb5_warnx (context
, "kadm5_init_with_password_ctx: unknown proto");
331 reply_priv (auth_context
, s
, sa
, sa_size
,
332 KRB5_KPASSWD_HARDERROR
,
333 "Unknown protocol used");
337 ret
= krb5_unparse_name (context
, admin_principal
, &admin
);
339 krb5_warn (context
, ret
, "unparse_name failed");
340 reply_priv (auth_context
, s
, sa
, sa_size
,
341 KRB5_KPASSWD_HARDERROR
, "out of memory error");
345 conf
.realm
= principal
->realm
;
346 conf
.mask
|= KADM5_CONFIG_REALM
;
348 ret
= kadm5_init_with_password_ctx(context
,
355 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
356 reply_priv (auth_context
, s
, sa
, sa_size
, 2,
361 ret
= krb5_unparse_name(context
, principal
, &client
);
363 krb5_warn (context
, ret
, "unparse_name failed");
364 reply_priv (auth_context
, s
, sa
, sa_size
,
365 KRB5_KPASSWD_HARDERROR
, "out of memory error");
369 if (krb5_principal_compare(context
, admin_principal
, principal
) == FALSE
) {
370 ret
= _kadm5_acl_check_permission(kadm5_handle
, KADM5_PRIV_CPW
,
373 krb5_warn (context
, ret
,
374 "Check ACL failed for %s for changing %s password",
376 reply_priv (auth_context
, s
, sa
, sa_size
,
377 KRB5_KPASSWD_HARDERROR
, "permission denied");
380 krb5_warnx (context
, "%s is changing password for %s", admin
, client
);
382 krb5_warnx (context
, "Changing password for %s", client
);
385 ret
= krb5_data_realloc(pwd_data
, pwd_data
->length
+ 1);
387 krb5_warn (context
, ret
, "malloc: out of memory");
388 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_HARDERROR
,
392 tmp
= pwd_data
->data
;
393 tmp
[pwd_data
->length
- 1] = '\0';
395 ret
= kadm5_s_chpass_principal_cond (kadm5_handle
, principal
, 1, tmp
);
396 krb5_free_data (context
, pwd_data
);
399 const char *str
= krb5_get_error_message(context
, ret
);
402 case KADM5_PASS_Q_TOOSHORT
:
403 case KADM5_PASS_Q_CLASS
:
404 case KADM5_PASS_Q_DICT
:
405 case KADM5_PASS_Q_GENERIC
:
407 "%s didn't pass password quality check with error: %s",
411 krb5_warnx(context
, "kadm5_s_chpass_principal_cond: %s", str
);
413 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_SOFTERROR
,
414 str
? str
: "Internal error");
415 krb5_free_error_message(context
, str
);
418 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_SUCCESS
,
421 free_ChangePasswdDataMS(&chpw
);
422 if (principal
!= admin_principal
)
423 krb5_free_principal(context
, principal
);
429 krb5_free_data(context
, pwd_data
);
431 kadm5_destroy (kadm5_handle
);
435 verify (krb5_auth_context
*auth_context
,
437 krb5_ticket
**ticket
,
445 krb5_address
*client_addr
)
448 uint16_t pkt_len
, pkt_ver
, ap_req_len
;
449 krb5_data ap_req_data
;
450 krb5_data krb_priv_data
;
451 krb5_const_realm client_realm
;
452 krb5_principal sprinc
;
456 * Only send an error reply if the request passes basic length
457 * verification. Otherwise, kpasswdd would reply to every UDP packet,
458 * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
459 * packet with a source address of another UDP service that also replies
462 * Also suppress the error reply if ap_req_len is 0, which indicates
463 * either an invalid request or an error packet. An error packet may be
464 * the result of a ping-pong attacker pointing us at another kpasswdd.
466 pkt_len
= (msg
[0] << 8) | (msg
[1]);
467 pkt_ver
= (msg
[2] << 8) | (msg
[3]);
468 ap_req_len
= (msg
[4] << 8) | (msg
[5]);
469 if (pkt_len
!= len
) {
470 krb5_warnx (context
, "Strange len: %ld != %ld",
471 (long)pkt_len
, (long)len
);
474 if (ap_req_len
== 0) {
475 krb5_warnx (context
, "Request is error packet (ap_req_len == 0)");
478 if (pkt_ver
!= KRB5_KPASSWD_VERS_CHANGEPW
&&
479 pkt_ver
!= KRB5_KPASSWD_VERS_SETPW
) {
480 krb5_warnx (context
, "Bad version (%d)", pkt_ver
);
481 reply_error (NULL
, s
, sa
, sa_size
, 0, 1, "Wrong program version");
486 ap_req_data
.data
= msg
+ 6;
487 ap_req_data
.length
= ap_req_len
;
489 ret
= krb5_rd_req (context
,
497 krb5_warn (context
, ret
, "krb5_rd_req");
498 reply_error (NULL
, s
, sa
, sa_size
, ret
, 3, "Authentication failed");
502 if (!(*ticket
)->ticket
.flags
.initial
) {
503 krb5_warnx(context
, "initial flag not set");
504 reply_error((*ticket
)->server
->realm
, s
, sa
, sa_size
, ret
, 1,
510 * The service principal must be kadmin/changepw@CLIENT-REALM, there
511 * is no reason to require the KDC's default realm(s) to be the same
512 * as the realm(s) it serves. The only potential issue is when a KDC
513 * is a master for realm A and a slave for realm B, in which case it
514 * should not accept requests to change passwords for realm B, these
515 * should be sent to realm B's master. This same issue is present in
516 * the checks that only accepted local realms, there is no new risk.
519 client_realm
= krb5_principal_get_realm(context
, (*ticket
)->client
);
520 ret
= krb5_make_principal(context
, &sprinc
, client_realm
,
521 "kadmin", "changepw", NULL
);
524 same
= krb5_principal_compare(context
, sprinc
, (*ticket
)->server
);
525 krb5_free_principal(context
, sprinc
);
530 if (krb5_unparse_name(context
, (*ticket
)->server
, &sname
) != 0)
532 krb5_warnx(context
, "Invalid kpasswd service principal %s",
533 sname
? sname
: "<enomem>");
535 reply_error(NULL
, s
, sa
, sa_size
, ret
, 1, "Bad request");
538 krb_priv_data
.data
= msg
+ 6 + ap_req_len
;
539 krb_priv_data
.length
= len
- 6 - ap_req_len
;
542 * Only enforce client addresses on on tickets with addresses. If
543 * its addressless, we are guessing its behind NAT and really
544 * can't know this information.
547 if ((*ticket
)->ticket
.caddr
&& (*ticket
)->ticket
.caddr
->len
> 0) {
548 ret
= krb5_auth_con_setaddrs (context
, *auth_context
,
551 krb5_warn (context
, ret
, "krb5_auth_con_setaddr(this)");
556 ret
= krb5_rd_priv (context
,
563 krb5_warn (context
, ret
, "krb5_rd_priv");
564 reply_error ((*ticket
)->server
->realm
, s
, sa
, sa_size
, ret
, 3,
570 krb5_free_ticket (context
, *ticket
);
576 process (krb5_keytab keytab
,
578 krb5_address
*this_addr
,
585 krb5_auth_context auth_context
= NULL
;
588 krb5_address other_addr
;
591 memset(&other_addr
, 0, sizeof(other_addr
));
592 krb5_data_zero (&out_data
);
594 ret
= krb5_auth_con_init (context
, &auth_context
);
596 krb5_warn (context
, ret
, "krb5_auth_con_init");
600 krb5_auth_con_setflags (context
, auth_context
,
601 KRB5_AUTH_CONTEXT_DO_SEQUENCE
);
603 ret
= krb5_sockaddr2address (context
, sa
, &other_addr
);
605 krb5_warn (context
, ret
, "krb5_sockaddr2address");
609 ret
= krb5_auth_con_setaddrs (context
, auth_context
, this_addr
, NULL
);
611 krb5_warn (context
, ret
, "krb5_auth_con_setaddr(this)");
615 if (verify (&auth_context
, keytab
, &ticket
, &out_data
,
616 &version
, s
, sa
, sa_size
, msg
, len
, &other_addr
) == 0)
619 * We always set the client_addr, to assume that the client
620 * can ignore it if it choose to do so (just the server does
621 * so for addressless tickets).
623 ret
= krb5_auth_con_setaddrs (context
, auth_context
,
624 this_addr
, &other_addr
);
626 krb5_warn (context
, ret
, "krb5_auth_con_setaddr(other)");
630 change (auth_context
,
636 memset (out_data
.data
, 0, out_data
.length
);
637 krb5_free_ticket (context
, ticket
);
641 krb5_free_address(context
, &other_addr
);
642 krb5_data_free(&out_data
);
643 krb5_auth_con_free(context
, auth_context
);
646 static const char *check_library
= NULL
;
647 static const char *check_function
= NULL
;
648 static getarg_strings policy_libraries
= { 0, NULL
};
649 static char sHDB
[] = "HDBGET:";
650 static char *keytab_str
= sHDB
;
651 static char *realm_str
;
652 static int version_flag
;
653 static int help_flag
;
654 static int detach_from_console
;
655 static int daemon_child
= -1;
656 static char *port_str
;
657 static char *config_file
;
659 struct getargs args
[] = {
661 { "check-library", 0, arg_string
, &check_library
,
662 "library to load password check function from", "library" },
663 { "check-function", 0, arg_string
, &check_function
,
664 "password check function to load", "function" },
665 { "policy-libraries", 0, arg_strings
, &policy_libraries
,
666 "password check function to load", "function" },
668 { "addresses", 0, arg_strings
, &addresses_str
,
669 "addresses to listen on", "list of addresses" },
670 { "detach", 0, arg_flag
, &detach_from_console
,
671 "detach from console", NULL
},
672 { "daemon-child", 0 , arg_integer
, &daemon_child
,
673 "private argument, do not use", NULL
},
674 { "keytab", 'k', arg_string
, &keytab_str
,
675 "keytab to get authentication key from", "kspec" },
676 { "config-file", 'c', arg_string
, &config_file
, NULL
, NULL
},
677 { "realm", 'r', arg_string
, &realm_str
, "default realm", "realm" },
678 { "port", 'p', arg_string
, &port_str
, "port", NULL
},
679 { "version", 0, arg_flag
, &version_flag
, NULL
, NULL
},
680 { "help", 0, arg_flag
, &help_flag
, NULL
, NULL
}
682 int num_args
= sizeof(args
) / sizeof(args
[0]);
685 doit(krb5_keytab keytab
, int port
)
690 krb5_addresses addrs
;
693 struct sockaddr_storage __ss
;
694 struct sockaddr
*sa
= (struct sockaddr
*)&__ss
;
696 if (explicit_addresses
.len
) {
697 addrs
= explicit_addresses
;
699 ret
= krb5_get_all_server_addrs(context
, &addrs
);
701 krb5_err(context
, 1, ret
, "krb5_get_all_server_addrs");
705 sockets
= malloc(n
* sizeof(*sockets
));
707 krb5_errx(context
, 1, "out of memory");
709 FD_ZERO(&real_fdset
);
710 for (i
= 0; i
< n
; ++i
) {
711 krb5_socklen_t sa_size
= sizeof(__ss
);
713 krb5_addr2sockaddr(context
, &addrs
.val
[i
], sa
, &sa_size
, port
);
715 sockets
[i
] = socket(__ss
.ss_family
, SOCK_DGRAM
, 0);
717 krb5_err(context
, 1, errno
, "socket");
718 if (bind(sockets
[i
], sa
, sa_size
) < 0) {
721 int save_errno
= errno
;
723 ret
= krb5_print_address(&addrs
.val
[i
], str
, sizeof(str
), &len
);
725 strlcpy(str
, "unknown address", sizeof(str
));
726 krb5_warn(context
, save_errno
, "bind(%s)", str
);
729 maxfd
= max(maxfd
, sockets
[i
]);
730 if (maxfd
>= FD_SETSIZE
)
731 krb5_errx(context
, 1, "fd too large");
732 FD_SET(sockets
[i
], &real_fdset
);
735 krb5_errx(context
, 1, "No sockets!");
737 roken_detach_finish(NULL
, daemon_child
);
739 while (exit_flag
== 0) {
741 fd_set fdset
= real_fdset
;
743 retx
= select(maxfd
+ 1, &fdset
, NULL
, NULL
, NULL
);
748 krb5_err(context
, 1, errno
, "select");
750 for (i
= 0; i
< n
; ++i
)
751 if (FD_ISSET(sockets
[i
], &fdset
)) {
753 socklen_t addrlen
= sizeof(__ss
);
755 retx
= recvfrom(sockets
[i
], buf
, sizeof(buf
), 0,
761 krb5_err(context
, 1, errno
, "recvfrom");
764 process(keytab
, sockets
[i
],
771 for (i
= 0; i
< n
; ++i
)
775 krb5_free_addresses(context
, &addrs
);
776 krb5_kt_close(context
, keytab
);
777 krb5_free_context(context
);
788 main(int argc
, char **argv
)
796 krb5_program_setup(&context
, argc
, argv
, args
, num_args
, NULL
);
799 krb5_std_usage(0, args
, num_args
);
806 if (detach_from_console
> 0 && daemon_child
== -1)
807 daemon_child
= roken_detach_prep(argc
, argv
, "--daemon-child");
809 if (config_file
== NULL
) {
810 aret
= asprintf(&config_file
, "%s/kdc.conf", hdb_db_dir(context
));
812 errx(1, "out of memory");
815 ret
= krb5_prepend_config_files_default(config_file
, &files
);
817 krb5_err(context
, 1, ret
, "getting configuration files");
819 ret
= krb5_set_config_files(context
, files
);
820 krb5_free_config_files(files
);
822 krb5_err(context
, 1, ret
, "reading configuration files");
825 krb5_set_default_realm(context
, realm_str
);
827 krb5_openlog(context
, "kpasswdd", &log_facility
);
828 krb5_set_warn_dest(context
, log_facility
);
830 if (port_str
!= NULL
) {
831 struct servent
*s
= roken_getservbyname(port_str
, "udp");
838 port
= strtol(port_str
, &ptr
, 10);
839 if (port
== 0 && ptr
== port_str
)
840 krb5_errx(context
, 1, "bad port `%s'", port_str
);
844 port
= krb5_getportbyname(context
, "kpasswd", "udp", KPASSWD_PORT
);
846 ret
= krb5_kt_register(context
, &hdb_get_kt_ops
);
848 krb5_err(context
, 1, ret
, "krb5_kt_register");
850 ret
= krb5_kt_resolve(context
, keytab_str
, &keytab
);
852 krb5_err(context
, 1, ret
, "%s", keytab_str
);
854 kadm5_setup_passwd_quality_check(context
, check_library
, check_function
);
856 for (i
= 0; i
< policy_libraries
.num_strings
; i
++) {
857 ret
= kadm5_add_passwd_quality_verifier(context
,
858 policy_libraries
.strings
[i
]);
860 krb5_err(context
, 1, ret
, "kadm5_add_passwd_quality_verifier");
862 ret
= kadm5_add_passwd_quality_verifier(context
, NULL
);
864 krb5_err(context
, 1, ret
, "kadm5_add_passwd_quality_verifier");
867 explicit_addresses
.len
= 0;
869 if (addresses_str
.num_strings
) {
872 for (j
= 0; j
< addresses_str
.num_strings
; ++j
)
873 add_one_address(addresses_str
.strings
[j
], j
== 0);
874 free_getarg_strings(&addresses_str
);
876 char **foo
= krb5_config_get_strings(context
, NULL
,
877 "kdc", "addresses", NULL
);
880 add_one_address(*foo
++, TRUE
);
882 add_one_address(*foo
++, FALSE
);
886 #ifdef HAVE_SIGACTION
891 sa
.sa_handler
= sigterm
;
892 sigemptyset(&sa
.sa_mask
);
894 sigaction(SIGINT
, &sa
, NULL
);
895 sigaction(SIGTERM
, &sa
, NULL
);
898 signal(SIGINT
, sigterm
);
899 signal(SIGTERM
, sigterm
);
904 return doit(keytab
, port
);