1 /* 2 * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadmin_locl.h" 35 36 RCSID("$Id: ank.c,v 1.25 2002/12/03 14:11:24 joda Exp $"); 37 38 /* 39 * fetch the default principal corresponding to `princ' 40 */ 41 42 static krb5_error_code 43 get_default (kadm5_server_context *context, 44 krb5_principal princ, 45 kadm5_principal_ent_t default_ent) 46 { 47 krb5_error_code ret; 48 krb5_principal def_principal; 49 krb5_realm *realm = krb5_princ_realm(context->context, princ); 50 51 ret = krb5_make_principal (context->context, &def_principal, 52 *realm, "default", NULL); 53 if (ret) 54 return ret; 55 ret = kadm5_get_principal (context, def_principal, default_ent, 56 KADM5_PRINCIPAL_NORMAL_MASK); 57 krb5_free_principal (context->context, def_principal); 58 return ret; 59 } 60 61 /* 62 * Add the principal `name' to the database. 63 * Prompt for all data not given by the input parameters. 64 */ 65 66 static krb5_error_code 67 add_one_principal (const char *name, 68 int rand_key, 69 int rand_password, 70 int use_defaults, 71 char *password, 72 krb5_key_data *key_data, 73 const char *max_ticket_life, 74 const char *max_renewable_life, 75 const char *attributes, 76 const char *expiration, 77 const char *pw_expiration) 78 { 79 krb5_error_code ret; 80 kadm5_principal_ent_rec princ, defrec; 81 kadm5_principal_ent_rec *default_ent = NULL; 82 krb5_principal princ_ent = NULL; 83 int mask = 0; 84 int default_mask = 0; 85 char pwbuf[1024]; 86 87 memset(&princ, 0, sizeof(princ)); 88 ret = krb5_parse_name(context, name, &princ_ent); 89 if (ret) { 90 krb5_warn(context, ret, "krb5_parse_name"); 91 return ret; 92 } 93 princ.principal = princ_ent; 94 mask |= KADM5_PRINCIPAL; 95 96 ret = set_entry(context, &princ, &mask, 97 max_ticket_life, max_renewable_life, 98 expiration, pw_expiration, attributes); 99 if (ret) 100 goto out; 101 102 default_ent = &defrec; 103 ret = get_default (kadm_handle, princ_ent, default_ent); 104 if (ret) { 105 default_ent = NULL; 106 default_mask = 0; 107 } else { 108 default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | 109 KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION; 110 } 111 112 if(use_defaults) 113 set_defaults(&princ, &mask, default_ent, default_mask); 114 else 115 if(edit_entry(&princ, &mask, default_ent, default_mask)) 116 goto out; 117 if(rand_key || key_data) { 118 princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; 119 mask |= KADM5_ATTRIBUTES; 120 strlcpy (pwbuf, "hemlig", sizeof(pwbuf)); 121 password = pwbuf; 122 } else if (rand_password) { 123 random_password (pwbuf, sizeof(pwbuf)); 124 password = pwbuf; 125 } else if(password == NULL) { 126 char *princ_name; 127 char *prompt; 128 129 krb5_unparse_name(context, princ_ent, &princ_name); 130 asprintf (&prompt, "%s's Password: ", princ_name); 131 free (princ_name); 132 ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1); 133 free (prompt); 134 if (ret) 135 goto out; 136 password = pwbuf; 137 } 138 139 ret = kadm5_create_principal(kadm_handle, &princ, mask, password); 140 if(ret) { 141 krb5_warn(context, ret, "kadm5_create_principal"); 142 goto out; 143 } 144 if(rand_key) { 145 krb5_keyblock *new_keys; 146 int n_keys, i; 147 ret = kadm5_randkey_principal(kadm_handle, princ_ent, 148 &new_keys, &n_keys); 149 if(ret){ 150 krb5_warn(context, ret, "kadm5_randkey_principal"); 151 n_keys = 0; 152 } 153 for(i = 0; i < n_keys; i++) 154 krb5_free_keyblock_contents(context, &new_keys[i]); 155 if (n_keys > 0) 156 free(new_keys); 157 kadm5_get_principal(kadm_handle, princ_ent, &princ, 158 KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); 159 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 160 princ.kvno = 1; 161 kadm5_modify_principal(kadm_handle, &princ, 162 KADM5_ATTRIBUTES | KADM5_KVNO); 163 kadm5_free_principal_ent(kadm_handle, &princ); 164 } else if (key_data) { 165 ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent, 166 3, key_data); 167 if (ret) { 168 krb5_warn(context, ret, "kadm5_chpass_principal_with_key"); 169 } 170 kadm5_get_principal(kadm_handle, princ_ent, &princ, 171 KADM5_PRINCIPAL | KADM5_ATTRIBUTES); 172 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 173 kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES); 174 kadm5_free_principal_ent(kadm_handle, &princ); 175 } else if (rand_password) { 176 char *princ_name; 177 178 krb5_unparse_name(context, princ_ent, &princ_name); 179 printf ("added %s with password `%s'\n", princ_name, password); 180 free (princ_name); 181 } 182 out: 183 if (princ_ent) 184 krb5_free_principal (context, princ_ent); 185 if(default_ent) 186 kadm5_free_principal_ent (context, default_ent); 187 if (password != NULL) 188 memset (password, 0, strlen(password)); 189 return ret; 190 } 191 192 /* 193 * parse the string `key_string' into `key', returning 0 iff succesful. 194 */ 195 196 /* 197 * the ank command 198 */ 199 200 static struct getargs args[] = { 201 { "random-key", 'r', arg_flag, NULL, "set random key" }, 202 { "random-password", 0, arg_flag, NULL, "set random password" }, 203 { "password", 'p', arg_string, NULL, "princial's password" }, 204 { "key", 0, arg_string, NULL, "DES-key in hex" }, 205 { "max-ticket-life", 0, arg_string, NULL, "max ticket lifetime", 206 "lifetime"}, 207 { "max-renewable-life", 0, arg_string, NULL, 208 "max renewable lifetime", "lifetime" }, 209 { "attributes", 0, arg_string, NULL, "principal attributes", 210 "attributes"}, 211 { "expiration-time",0, arg_string, NULL, "expiration time", 212 "time"}, 213 { "pw-expiration-time", 0, arg_string, NULL, 214 "password expiration time", "time"}, 215 { "use-defaults", 0, arg_flag, NULL, "use default values" } 216 }; 217 218 static int num_args = sizeof(args) / sizeof(args[0]); 219 220 static void 221 usage(void) 222 { 223 arg_printusage (args, num_args, "add", "principal..."); 224 } 225 226 /* 227 * Parse arguments and add all the principals. 228 */ 229 230 int 231 add_new_key(int argc, char **argv) 232 { 233 char *password = NULL; 234 char *key = NULL; 235 int random_key = 0; 236 int random_password = 0; 237 int optind = 0; 238 krb5_error_code ret; 239 char *max_ticket_life = NULL; 240 char *max_renewable_life = NULL; 241 char *attributes = NULL; 242 char *expiration = NULL; 243 char *pw_expiration = NULL; 244 int use_defaults = 0; 245 int i; 246 int num; 247 krb5_key_data key_data[3]; 248 krb5_key_data *kdp = NULL; 249 250 args[0].value = &random_key; 251 args[1].value = &random_password; 252 args[2].value = &password; 253 args[3].value = &key; 254 args[4].value = &max_ticket_life; 255 args[5].value = &max_renewable_life; 256 args[6].value = &attributes; 257 args[7].value = &expiration; 258 args[8].value = &pw_expiration; 259 args[9].value = &use_defaults; 260 261 if(getarg(args, num_args, argc, argv, &optind)) { 262 usage (); 263 return 0; 264 } 265 if(optind == argc) { 266 usage (); 267 return 0; 268 } 269 270 num = 0; 271 if (random_key) 272 ++num; 273 if (random_password) 274 ++num; 275 if (password) 276 ++num; 277 if (key) 278 ++num; 279 280 if (num > 1) { 281 printf ("give only one of " 282 "--random-key, --random-password, --password, --key\n"); 283 return 0; 284 } 285 286 if (key) { 287 const char *error; 288 289 if (parse_des_key (key, key_data, &error)) { 290 printf ("failed parsing key `%s': %s\n", key, error); 291 return 0; 292 } 293 kdp = key_data; 294 } 295 296 for (i = optind; i < argc; ++i) { 297 ret = add_one_principal (argv[i], random_key, random_password, 298 use_defaults, 299 password, 300 kdp, 301 max_ticket_life, 302 max_renewable_life, 303 attributes, 304 expiration, 305 pw_expiration); 306 if (ret) { 307 krb5_warn (context, ret, "adding %s", argv[i]); 308 break; 309 } 310 } 311 if (kdp) { 312 int16_t dummy = 3; 313 kadm5_free_key_data (kadm_handle, &dummy, key_data); 314 } 315 return 0; 316 } 317