/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/kadm5/admin.h */
/*
 * Copyright 2001, 2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 */
/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header$
 */

/*
 * Public interface of libkadm5: the Kerberos administration API used by
 * kadmin clients and by kadmind.  Everything declared here (constants,
 * field masks, entry structures and the kadm5_* calls) is part of the
 * library's ABI; struct layout and mask values must not be reordered or
 * renumbered without a version bump.
 *
 * This API is not considered as stable as the main krb5 API.
 *
 * - We may make arbitrary incompatible changes between feature
 *   releases (e.g. from 1.7 to 1.8).
 * - We will make some effort to avoid making incompatible changes for
 *   bugfix releases, but will make them if necessary.
 */

/*
 * NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3).  The guard name is kept
 * as-is because other code may test it.
 */
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__

#include <sys/types.h>
#include <gssrpc/rpc.h>
#include <krb5.h>
#include <kdb.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/chpass_util_strings.h>

/* C linkage wrappers so the header can be consumed from C++. */
#ifndef KADM5INT_BEGIN_DECLS
#if defined(__cplusplus)
#define KADM5INT_BEGIN_DECLS extern "C" {
#define KADM5INT_END_DECLS }
#else
#define KADM5INT_BEGIN_DECLS
#define KADM5INT_END_DECLS
#endif
#endif

KADM5INT_BEGIN_DECLS

/*
 * Well-known service principal names.  A client passes one of the first
 * two as the service_name argument of the kadm5_init* calls; the choice
 * of service determines which server-side operations are reachable.
 */
#define KADM5_ADMIN_SERVICE        "kadmin/admin"
#define KADM5_CHANGEPW_SERVICE     "kadmin/changepw"
#define KADM5_HIST_PRINCIPAL       "kadmin/history"
#define KADM5_KIPROP_HOST_SERVICE  "kiprop"

typedef krb5_principal  kadm5_princ_t;
typedef char            *kadm5_policy_t;
/* Return type of most kadm5_* calls; KADM5_OK on success, else an error
 * code (com_err style, see kadm5/kadm_err.h). */
typedef long            kadm5_ret_t;

/* Localized prompt strings for the two-step new-password entry. */
#define KADM5_PW_FIRST_PROMPT \
    (error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
    (error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define KADM5_OK        0

/*
 * Field masks
 *
 * Each bit names one field of the corresponding entry structure.  The
 * caller ORs the bits for the fields it has filled in (create/modify) or
 * wants returned (get) and passes the result as the `mask` argument.
 * The principal, policy and config mask spaces overlap numerically
 * (e.g. KADM5_LAST_SUCCESS and KADM5_PW_MAX_LIFE are both 0x4000); they
 * are only meaningful against their own structure and must never be
 * mixed in a single mask value.
 */

/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL         0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION     0x000004
#define KADM5_LAST_PWD_CHANGE   0x000008
#define KADM5_ATTRIBUTES        0x000010
#define KADM5_MAX_LIFE          0x000020
#define KADM5_MOD_TIME          0x000040
#define KADM5_MOD_NAME          0x000080
#define KADM5_KVNO              0x000100
#define KADM5_MKVNO             0x000200
#define KADM5_AUX_ATTRIBUTES    0x000400
#define KADM5_POLICY            0x000800
#define KADM5_POLICY_CLR        0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE         0x002000
#define KADM5_LAST_SUCCESS      0x004000
#define KADM5_LAST_FAILED       0x008000
#define KADM5_FAIL_AUTH_COUNT   0x010000
#define KADM5_KEY_DATA          0x020000
#define KADM5_TL_DATA           0x040000
#ifdef notyet /* Novell */
#define KADM5_CPW_FUNCTION      0x080000
#define KADM5_RANDKEY_USED      0x100000
#endif
#define KADM5_LOAD              0x200000
#define KADM5_KEY_HIST          0x400000

/* all but KEY_DATA, TL_DATA, LOAD */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x41ffff


/* kadm5_policy_ent_t */
#define KADM5_PW_MAX_LIFE       0x00004000
#define KADM5_PW_MIN_LIFE       0x00008000
#define KADM5_PW_MIN_LENGTH     0x00010000
#define KADM5_PW_MIN_CLASSES    0x00020000
#define KADM5_PW_HISTORY_NUM    0x00040000
#define KADM5_REF_COUNT         0x00080000
#define KADM5_PW_MAX_FAILURE            0x00100000
#define KADM5_PW_FAILURE_COUNT_INTERVAL 0x00200000
#define KADM5_PW_LOCKOUT_DURATION       0x00400000
#define KADM5_POLICY_ATTRIBUTES         0x00800000
#define KADM5_POLICY_MAX_LIFE           0x01000000
#define KADM5_POLICY_MAX_RLIFE          0x02000000
#define KADM5_POLICY_ALLOWED_KEYSALTS   0x04000000
#define KADM5_POLICY_TL_DATA            0x08000000

/* kadm5_config_params
 *
 * These bits live in kadm5_config_params.mask, which is declared `long`.
 * NOTE(review): KADM5_CONFIG_IPROP_LISTEN (0x80000000) is an unsigned
 * int constant; on a 32-bit `long` storing it in `mask` relies on an
 * implementation-defined conversion and makes `mask` negative.  Bit
 * tests still work under the usual arithmetic conversions, but any code
 * that compares `mask` as a signed value should be checked.
 */
#define KADM5_CONFIG_REALM              0x00000001
#define KADM5_CONFIG_DBNAME             0x00000002
#define KADM5_CONFIG_MKEY_NAME          0x00000004
#define KADM5_CONFIG_MAX_LIFE           0x00000008
#define KADM5_CONFIG_MAX_RLIFE          0x00000010
#define KADM5_CONFIG_EXPIRATION         0x00000020
#define KADM5_CONFIG_FLAGS              0x00000040
/*#define KADM5_CONFIG_ADMIN_KEYTAB     0x00000080*/
#define KADM5_CONFIG_STASH_FILE         0x00000100
#define KADM5_CONFIG_ENCTYPE            0x00000200
#define KADM5_CONFIG_ADBNAME            0x00000400
#define KADM5_CONFIG_ADB_LOCKFILE       0x00000800
#define KADM5_CONFIG_KADMIND_LISTEN     0x00001000
#define KADM5_CONFIG_ACL_FILE           0x00002000
#define KADM5_CONFIG_KADMIND_PORT       0x00004000
#define KADM5_CONFIG_ENCTYPES           0x00008000
#define KADM5_CONFIG_ADMIN_SERVER       0x00010000
#define KADM5_CONFIG_DICT_FILE          0x00020000
#define KADM5_CONFIG_MKEY_FROM_KBD      0x00040000
#define KADM5_CONFIG_KPASSWD_PORT       0x00080000
#define KADM5_CONFIG_OLD_AUTH_GSSAPI    0x00100000
#define KADM5_CONFIG_NO_AUTH            0x00200000
#define KADM5_CONFIG_AUTH_NOFALLBACK    0x00400000
#define KADM5_CONFIG_KPASSWD_LISTEN     0x00800000
#define KADM5_CONFIG_IPROP_ENABLED      0x01000000
#define KADM5_CONFIG_ULOG_SIZE          0x02000000
#define KADM5_CONFIG_POLL_TIME          0x04000000
#define KADM5_CONFIG_IPROP_LOGFILE      0x08000000
#define KADM5_CONFIG_IPROP_PORT         0x10000000
#define KADM5_CONFIG_KVNO               0x20000000
#define KADM5_CONFIG_IPROP_RESYNC_TIMEOUT 0x40000000
#define KADM5_CONFIG_IPROP_LISTEN       0x80000000
/*
 * permission bits
 *
 * Reported through kadm5_get_privs(); presumably these describe what the
 * authenticated client is allowed to do on this handle (server-side
 * policy decides, the bits are informational to the client).
 */
#define KADM5_PRIV_GET          0x01
#define KADM5_PRIV_ADD          0x02
#define KADM5_PRIV_MODIFY       0x04
#define KADM5_PRIV_DELETE       0x08

/*
 * API versioning constants
 *
 * A version value is a 24-bit tag (selected by KADM5_MASK_BITS) that says
 * which kind of version it is, ORed with an 8-bit version number.  The
 * struct_version and api_version arguments of the kadm5_init* calls
 * take these values.
 */
#define KADM5_MASK_BITS         0xffffff00

#define KADM5_STRUCT_VERSION_MASK       0x12345600
#define KADM5_STRUCT_VERSION_1  (KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION    KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK  0x12345700
#define KADM5_API_VERSION_2     (KADM5_API_VERSION_MASK|0x02)
#define KADM5_API_VERSION_3     (KADM5_API_VERSION_MASK|0x03)
#define KADM5_API_VERSION_4     (KADM5_API_VERSION_MASK|0x04)

/*
 * One principal entry.  Which fields are valid is governed by the
 * KADM5_* principal masks above.  Pointer members are owned by the
 * record and released by kadm5_free_principal_ent(); the n_* counts are,
 * by convention, the element counts of the matching pointer fields.
 */
typedef struct _kadm5_principal_ent_t {
    krb5_principal  principal;
    krb5_timestamp  princ_expire_time;
    krb5_timestamp  last_pwd_change;
    krb5_timestamp  pw_expiration;
    krb5_deltat     max_life;
    krb5_principal  mod_name;       /* presumably last modifier; confirm */
    krb5_timestamp  mod_date;
    krb5_flags      attributes;
    krb5_kvno       kvno;
    krb5_kvno       mkvno;
    char            *policy;        /* policy name, or NULL */
    long            aux_attributes;

    /* version 2 fields */
    krb5_deltat max_renewable_life;
    krb5_timestamp last_success;
    krb5_timestamp last_failed;
    krb5_kvno fail_auth_count;
    krb5_int16 n_key_data;
    krb5_int16 n_tl_data;
    krb5_tl_data *tl_data;
    krb5_key_data *key_data;
} kadm5_principal_ent_rec, *kadm5_principal_ent_t;

/*
 * One password policy entry; valid fields are selected by the policy
 * masks above.  Freed with kadm5_free_policy_ent().
 */
typedef struct _kadm5_policy_ent_t {
    char            *policy;
    long            pw_min_life;
    long            pw_max_life;
    long            pw_min_length;
    long            pw_min_classes;
    long            pw_history_num;
    long            policy_refcnt;  /* no longer used */

    /* version 3 fields */
    krb5_kvno       pw_max_fail;
    krb5_deltat     pw_failcnt_interval;
    krb5_deltat     pw_lockout_duration;

    /* version 4 fields */
    krb5_flags      attributes;
    krb5_deltat     max_life;
    krb5_deltat     max_renewable_life;
    char            *allowed_keysalts;
    krb5_int16      n_tl_data;
    krb5_tl_data    *tl_data;
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;

/*
 * Data structure returned by kadm5_get_config_params()
 *
 * `mask` holds the KADM5_CONFIG_* bits for the fields that are set.
 * Release with kadm5_free_config_params().
 */
typedef struct _kadm5_config_params {
    long               mask;
    char *             realm;
    int                kadmind_port;
    int                kpasswd_port;

    char *             admin_server;
#ifdef notyet /* Novell */ /* ABI change? */
    char *             kpasswd_server;
#endif

    /* Deprecated except for db2 backwards compatibility.  Don't add
       new uses except as fallbacks for parameters that should be
       specified in the database module section of the config
       file. */
    char *             dbname;

    char *             acl_file;
    char *             dict_file;

    int                mkey_from_kbd;
    char *             stash_file;
    char *             mkey_name;
    krb5_enctype       enctype;
    krb5_deltat        max_life;
    krb5_deltat        max_rlife;
    krb5_timestamp     expiration;
    krb5_flags         flags;
    krb5_key_salt_tuple *keysalts;
    krb5_int32         num_keysalts;
    krb5_kvno          kvno;
    bool_t             iprop_enabled;
    uint32_t           iprop_ulogsize;
    krb5_deltat        iprop_poll_time;
    char *             iprop_logfile;
    /*    char *             iprop_server;*/
    int                iprop_port;
    int                iprop_resync_timeout;
    char *             kadmind_listen;
    char *             kpasswd_listen;
    char *             iprop_listen;
} kadm5_config_params;

/*
 * A single key as returned by kadm5_get_principal_keys(): the key
 * material together with its kvno and salt.  Arrays of these are
 * released with kadm5_free_kadm5_key_data().
 */
typedef struct _kadm5_key_data {
    krb5_kvno        kvno;
    krb5_keyblock    key;
    krb5_keysalt     salt;
} kadm5_key_data;

/*
 * functions
 */

/* The use_kdc_config parameter is no longer used, as configuration is
 * retrieved from the context profile.  params_in supplies caller
 * overrides; params_out receives the merged result and must be freed
 * with kadm5_free_config_params(). */
krb5_error_code kadm5_get_config_params(krb5_context context,
                                        int use_kdc_config,
                                        kadm5_config_params *params_in,
                                        kadm5_config_params *params_out);

krb5_error_code kadm5_free_config_params(krb5_context context,
                                         kadm5_config_params *params);

/* Writes the admin service name into the caller's buffer of the given
 * size (parameters are unnamed in the prototype; presumably
 * (context, realm, buffer, buffer_size) -- confirm against the
 * implementation). */
krb5_error_code kadm5_get_admin_service_name(krb5_context, char *,
                                             char *, size_t);

/*
 * For all initialization functions, the caller must first initialize
 * a context with kadm5_init_krb5_context which will survive as long
 * as the resulting handle.  The caller should free the context with
 * krb5_free_context.
 *
 * On success *server_handle receives an opaque handle that is passed to
 * every other call and released with kadm5_destroy().
 *
 * NOTE(review): the `pass` arguments are cleartext passwords.  The
 * caller owns that buffer; whether the library copies or retains it is
 * not visible here, so callers should clear it after the call returns.
 * kadm5_init_anonymous supplies no credential at all, so any access it
 * obtains is entirely at the discretion of the server's authorization.
 */

kadm5_ret_t    kadm5_init(krb5_context context, char *client_name,
                          char *pass, char *service_name,
                          kadm5_config_params *params,
                          krb5_ui_4 struct_version,
                          krb5_ui_4 api_version,
                          char **db_args,
                          void **server_handle);
kadm5_ret_t    kadm5_init_anonymous(krb5_context context, char *client_name,
                                    char *service_name,
                                    kadm5_config_params *params,
                                    krb5_ui_4 struct_version,
                                    krb5_ui_4 api_version,
                                    char **db_args,
                                    void **server_handle);
kadm5_ret_t    kadm5_init_with_password(krb5_context context,
                                        char *client_name,
                                        char *pass,
                                        char *service_name,
                                        kadm5_config_params *params,
                                        krb5_ui_4 struct_version,
                                        krb5_ui_4 api_version,
                                        char **db_args,
                                        void **server_handle);
kadm5_ret_t    kadm5_init_with_skey(krb5_context context,
                                    char *client_name,
                                    char *keytab,
                                    char *service_name,
                                    kadm5_config_params *params,
                                    krb5_ui_4 struct_version,
                                    krb5_ui_4 api_version,
                                    char **db_args,
                                    void **server_handle);
kadm5_ret_t    kadm5_init_with_creds(krb5_context context,
                                     char *client_name,
                                     krb5_ccache cc,
                                     char *service_name,
                                     kadm5_config_params *params,
                                     krb5_ui_4 struct_version,
                                     krb5_ui_4 api_version,
                                     char **db_args,
                                     void **server_handle);
kadm5_ret_t    kadm5_lock(void *server_handle);
kadm5_ret_t    kadm5_unlock(void *server_handle);
kadm5_ret_t    kadm5_flush(void *server_handle);
/* Releases the handle obtained from kadm5_init*. */
kadm5_ret_t    kadm5_destroy(void *server_handle);

/*
 * Principal operations.  `mask` selects which fields of `ent` are used;
 * the *_3 variants additionally take an explicit key/salt tuple list
 * (n_ks_tuple entries in ks_tuple) and, where present, `keepold` to
 * retain the previous keys.
 */
kadm5_ret_t    kadm5_create_principal(void *server_handle,
                                      kadm5_principal_ent_t ent,
                                      long mask, char *pass);
kadm5_ret_t    kadm5_create_principal_3(void *server_handle,
                                        kadm5_principal_ent_t ent,
                                        long mask,
                                        int n_ks_tuple,
                                        krb5_key_salt_tuple *ks_tuple,
                                        char *pass);
kadm5_ret_t    kadm5_delete_principal(void *server_handle,
                                      krb5_principal principal);
kadm5_ret_t    kadm5_modify_principal(void *server_handle,
                                      kadm5_principal_ent_t ent,
                                      long mask);
/* Parameters are unnamed in the prototype; presumably (source, target). */
kadm5_ret_t    kadm5_rename_principal(void *server_handle,
                                      krb5_principal,krb5_principal);
kadm5_ret_t    kadm5_get_principal(void *server_handle,
                                   krb5_principal principal,
                                   kadm5_principal_ent_t ent,
                                   long mask);
kadm5_ret_t    kadm5_chpass_principal(void *server_handle,
                                      krb5_principal principal,
                                      char *pass);
kadm5_ret_t    kadm5_chpass_principal_3(void *server_handle,
                                        krb5_principal principal,
                                        krb5_boolean keepold,
                                        int n_ks_tuple,
                                        krb5_key_salt_tuple *ks_tuple,
                                        char *pass);
/* Generates new random keys; the new keys are returned to the caller in
 * *keyblocks (count in *n_keys), so the caller is responsible for
 * handling and wiping that key material. */
kadm5_ret_t    kadm5_randkey_principal(void *server_handle,
                                       krb5_principal principal,
                                       krb5_keyblock **keyblocks,
                                       int *n_keys);
kadm5_ret_t    kadm5_randkey_principal_3(void *server_handle,
                                         krb5_principal principal,
                                         krb5_boolean keepold,
                                         int n_ks_tuple,
                                         krb5_key_salt_tuple *ks_tuple,
                                         krb5_keyblock **keyblocks,
                                         int *n_keys);

kadm5_ret_t    kadm5_setkey_principal(void *server_handle,
                                      krb5_principal principal,
                                      krb5_keyblock *keyblocks,
                                      int n_keys);

kadm5_ret_t    kadm5_setkey_principal_3(void *server_handle,
                                        krb5_principal principal,
                                        krb5_boolean keepold,
                                        int n_ks_tuple,
                                        krb5_key_salt_tuple *ks_tuple,
                                        krb5_keyblock *keyblocks,
                                        int n_keys);

kadm5_ret_t    kadm5_setkey_principal_4(void *server_handle,
                                        krb5_principal principal,
                                        krb5_boolean keepold,
                                        kadm5_key_data *key_data,
                                        int n_key_data);

/* Decrypts one key from entry->key_data, selected by enctype, salt type
 * and kvno, into *keyblock/*keysalt; *kvnop receives the kvno found.
 * The decrypted key is handed to the caller, who must release it. */
kadm5_ret_t    kadm5_decrypt_key(void *server_handle,
                                 kadm5_principal_ent_t entry, krb5_int32
                                 ktype, krb5_int32 stype, krb5_int32
                                 kvno, krb5_keyblock *keyblock,
                                 krb5_keysalt *keysalt, int *kvnop);

/* Policy operations; `mask` selects the KADM5_PW_* / KADM5_POLICY_*
 * fields of `ent` that are in use. */
kadm5_ret_t    kadm5_create_policy(void *server_handle,
                                   kadm5_policy_ent_t ent,
                                   long mask);
kadm5_ret_t    kadm5_delete_policy(void *server_handle,
                                   kadm5_policy_t policy);
kadm5_ret_t    kadm5_modify_policy(void *server_handle,
                                   kadm5_policy_ent_t ent,
                                   long mask);
kadm5_ret_t    kadm5_get_policy(void *server_handle,
                                kadm5_policy_t policy,
                                kadm5_policy_ent_t ent);
/* Fills *privs with KADM5_PRIV_* bits for this handle. */
kadm5_ret_t    kadm5_get_privs(void *server_handle,
                               long *privs);

/* Interactive-style password change: msg_ret is a caller buffer of
 * msg_len bytes that receives a human-readable status message. */
kadm5_ret_t    kadm5_chpass_principal_util(void *server_handle,
                                           krb5_principal princ,
                                           char *new_pw,
                                           char **ret_pw,
                                           char *msg_ret,
                                           unsigned int msg_len);

kadm5_ret_t    kadm5_free_principal_ent(void *server_handle,
                                        kadm5_principal_ent_t
                                        ent);
kadm5_ret_t    kadm5_free_policy_ent(void *server_handle,
                                     kadm5_policy_ent_t ent);

/* List principal / policy names matching `exp` (presumably a glob-style
 * pattern; confirm).  *princs / *pols receive `count` strings, released
 * with kadm5_free_name_list(). */
kadm5_ret_t    kadm5_get_principals(void *server_handle,
                                    char *exp, char ***princs,
                                    int *count);

kadm5_ret_t    kadm5_get_policies(void *server_handle,
                                  char *exp, char ***pols,
                                  int *count);

kadm5_ret_t    kadm5_free_key_data(void *server_handle,
                                   krb5_int16 *n_key_data,
                                   krb5_key_data *key_data);

kadm5_ret_t    kadm5_free_name_list(void *server_handle, char **names,
                                    int count);

/* Creates the krb5_context required by the kadm5_init* calls. */
krb5_error_code kadm5_init_krb5_context (krb5_context *);

krb5_error_code kadm5_init_iprop(void *server_handle, char **db_args);

/* Retrieves the principal's keys (for the given kvno) as an array of
 * n_key_data kadm5_key_data entries; free with kadm5_free_kadm5_key_data.
 * This returns raw key material to the caller -- treat accordingly. */
kadm5_ret_t    kadm5_get_principal_keys(void *server_handle,
                                        krb5_principal principal,
                                        krb5_kvno kvno,
                                        kadm5_key_data **key_data,
                                        int *n_key_data);

/* Removes old keys of the principal; keepkvno presumably bounds which
 * kvnos survive -- confirm semantics against the implementation. */
kadm5_ret_t    kadm5_purgekeys(void *server_handle,
                               krb5_principal principal,
                               int keepkvno);

/* String attributes attached to a principal (krb5_string_attr key/value
 * pairs); *strings_out holds *count_out entries, freed with
 * kadm5_free_strings(). */
kadm5_ret_t    kadm5_get_strings(void *server_handle,
                                 krb5_principal principal,
                                 krb5_string_attr **strings_out,
                                 int *count_out);

kadm5_ret_t    kadm5_set_string(void *server_handle,
                                krb5_principal principal,
                                const char *key,
                                const char *value);

kadm5_ret_t    kadm5_free_strings(void *server_handle,
                                  krb5_string_attr *strings,
                                  int count);

kadm5_ret_t    kadm5_free_kadm5_key_data(krb5_context context, int n_key_data,
                                         kadm5_key_data *key_data);

KADM5INT_END_DECLS

#endif /* __KADM5_ADMIN_H__ */