1 /* 2 * Copyright (c) 1997-2000 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadmin_locl.h" 35 36 RCSID("$Id: ank.c,v 1.23 2002/06/07 19:05:38 nectar Exp $"); 37 38 /* 39 * fetch the default principal corresponding to `princ' 40 */ 41 42 static krb5_error_code 43 get_default (kadm5_server_context *context, 44 krb5_principal princ, 45 kadm5_principal_ent_t default_ent) 46 { 47 krb5_error_code ret; 48 krb5_principal def_principal; 49 krb5_realm *realm = krb5_princ_realm(context->context, princ); 50 51 ret = krb5_make_principal (context->context, &def_principal, 52 *realm, "default", NULL); 53 if (ret) 54 return ret; 55 ret = kadm5_get_principal (context, def_principal, default_ent, 56 KADM5_PRINCIPAL_NORMAL_MASK); 57 krb5_free_principal (context->context, def_principal); 58 return ret; 59 } 60 61 /* 62 * Add the principal `name' to the database. 63 * Prompt for all data not given by the input parameters. 64 */ 65 66 static krb5_error_code 67 add_one_principal (const char *name, 68 int rand_key, 69 int rand_password, 70 int use_defaults, 71 char *password, 72 krb5_key_data *key_data, 73 const char *max_ticket_life, 74 const char *max_renewable_life, 75 const char *attributes, 76 const char *expiration, 77 const char *pw_expiration) 78 { 79 krb5_error_code ret; 80 kadm5_principal_ent_rec princ, defrec; 81 kadm5_principal_ent_rec *default_ent = NULL; 82 krb5_principal princ_ent = NULL; 83 int mask = 0; 84 int default_mask = 0; 85 char pwbuf[1024]; 86 87 memset(&princ, 0, sizeof(princ)); 88 ret = krb5_parse_name(context, name, &princ_ent); 89 if (ret) { 90 krb5_warn(context, ret, "krb5_parse_name"); 91 return ret; 92 } 93 princ.principal = princ_ent; 94 mask |= KADM5_PRINCIPAL; 95 96 ret = set_entry(context, &princ, &mask, 97 max_ticket_life, max_renewable_life, 98 expiration, pw_expiration, attributes); 99 if (ret) 100 goto out; 101 102 default_ent = &defrec; 103 ret = get_default (kadm_handle, princ_ent, default_ent); 104 if (ret) { 105 default_ent = NULL; 106 default_mask = 0; 107 } else { 108 default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | 109 KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION; 110 } 111 112 if(use_defaults) 113 set_defaults(&princ, &mask, default_ent, default_mask); 114 else 115 edit_entry(&princ, &mask, default_ent, default_mask); 116 if(rand_key || key_data) { 117 princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; 118 mask |= KADM5_ATTRIBUTES; 119 strlcpy (pwbuf, "hemlig", sizeof(pwbuf)); 120 password = pwbuf; 121 } else if (rand_password) { 122 random_password (pwbuf, sizeof(pwbuf)); 123 password = pwbuf; 124 } else if(password == NULL) { 125 char *princ_name; 126 char *prompt; 127 128 krb5_unparse_name(context, princ_ent, &princ_name); 129 asprintf (&prompt, "%s's Password: ", princ_name); 130 free (princ_name); 131 ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1); 132 free (prompt); 133 if (ret) 134 goto out; 135 password = pwbuf; 136 } 137 138 ret = kadm5_create_principal(kadm_handle, &princ, mask, password); 139 if(ret) 140 krb5_warn(context, ret, "kadm5_create_principal"); 141 if(rand_key) { 142 krb5_keyblock *new_keys; 143 int n_keys, i; 144 ret = kadm5_randkey_principal(kadm_handle, princ_ent, 145 &new_keys, &n_keys); 146 if(ret){ 147 krb5_warn(context, ret, "kadm5_randkey_principal"); 148 n_keys = 0; 149 } 150 for(i = 0; i < n_keys; i++) 151 krb5_free_keyblock_contents(context, &new_keys[i]); 152 if (n_keys > 0) 153 free(new_keys); 154 kadm5_get_principal(kadm_handle, princ_ent, &princ, 155 KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); 156 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 157 princ.kvno = 1; 158 kadm5_modify_principal(kadm_handle, &princ, 159 KADM5_ATTRIBUTES | KADM5_KVNO); 160 kadm5_free_principal_ent(kadm_handle, &princ); 161 } else if (key_data) { 162 ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent, 163 3, key_data); 164 if (ret) { 165 krb5_warn(context, ret, "kadm5_chpass_principal_with_key"); 166 } 167 kadm5_get_principal(kadm_handle, princ_ent, &princ, 168 KADM5_PRINCIPAL | KADM5_ATTRIBUTES); 169 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 170 kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES); 171 kadm5_free_principal_ent(kadm_handle, &princ); 172 } else if (rand_password) { 173 char *princ_name; 174 175 krb5_unparse_name(context, princ_ent, &princ_name); 176 printf ("added %s with password `%s'\n", princ_name, password); 177 free (princ_name); 178 } 179 out: 180 if (princ_ent) 181 krb5_free_principal (context, princ_ent); 182 if(default_ent) 183 kadm5_free_principal_ent (context, default_ent); 184 if (password != NULL) 185 memset (password, 0, strlen(password)); 186 return ret; 187 } 188 189 /* 190 * parse the string `key_string' into `key', returning 0 iff succesful. 191 */ 192 193 /* 194 * the ank command 195 */ 196 197 static struct getargs args[] = { 198 { "random-key", 'r', arg_flag, NULL, "set random key" }, 199 { "random-password", 0, arg_flag, NULL, "set random password" }, 200 { "password", 'p', arg_string, NULL, "princial's password" }, 201 { "key", 0, arg_string, NULL, "DES-key in hex" }, 202 { "max-ticket-life", 0, arg_string, NULL, "max ticket lifetime", 203 "lifetime"}, 204 { "max-renewable-life", 0, arg_string, NULL, 205 "max renewable lifetime", "lifetime" }, 206 { "attributes", 0, arg_string, NULL, "principal attributes", 207 "attributes"}, 208 { "expiration-time",0, arg_string, NULL, "expiration time", 209 "time"}, 210 { "pw-expiration-time", 0, arg_string, NULL, 211 "password expiration time", "time"}, 212 { "use-defaults", 0, arg_flag, NULL, "use default values" } 213 }; 214 215 static int num_args = sizeof(args) / sizeof(args[0]); 216 217 static void 218 usage(void) 219 { 220 arg_printusage (args, num_args, "add", "principal..."); 221 } 222 223 /* 224 * Parse arguments and add all the principals. 225 */ 226 227 int 228 add_new_key(int argc, char **argv) 229 { 230 char *password = NULL; 231 char *key = NULL; 232 int random_key = 0; 233 int random_password = 0; 234 int optind = 0; 235 krb5_error_code ret; 236 char *max_ticket_life = NULL; 237 char *max_renewable_life = NULL; 238 char *attributes = NULL; 239 char *expiration = NULL; 240 char *pw_expiration = NULL; 241 int use_defaults = 0; 242 int i; 243 int num; 244 krb5_key_data key_data[3]; 245 krb5_key_data *kdp = NULL; 246 247 args[0].value = &random_key; 248 args[1].value = &random_password; 249 args[2].value = &password; 250 args[3].value = &key; 251 args[4].value = &max_ticket_life; 252 args[5].value = &max_renewable_life; 253 args[6].value = &attributes; 254 args[7].value = &expiration; 255 args[8].value = &pw_expiration; 256 args[9].value = &use_defaults; 257 258 if(getarg(args, num_args, argc, argv, &optind)) { 259 usage (); 260 return 0; 261 } 262 if(optind == argc) { 263 usage (); 264 return 0; 265 } 266 267 num = 0; 268 if (random_key) 269 ++num; 270 if (random_password) 271 ++num; 272 if (password) 273 ++num; 274 if (key) 275 ++num; 276 277 if (num > 1) { 278 printf ("give only one of " 279 "--random-key, --random-password, --password, --key\n"); 280 return 0; 281 } 282 283 if (key) { 284 const char *error; 285 286 if (parse_des_key (key, key_data, &error)) { 287 printf ("failed parsing key `%s': %s\n", key, error); 288 return 0; 289 } 290 kdp = key_data; 291 } 292 293 for (i = optind; i < argc; ++i) { 294 ret = add_one_principal (argv[i], random_key, random_password, 295 use_defaults, 296 password, 297 kdp, 298 max_ticket_life, 299 max_renewable_life, 300 attributes, 301 expiration, 302 pw_expiration); 303 if (ret) { 304 krb5_warn (context, ret, "adding %s", argv[i]); 305 break; 306 } 307 } 308 if (kdp) { 309 int16_t dummy = 3; 310 kadm5_free_key_data (kadm_handle, &dummy, key_data); 311 } 312 return 0; 313 } 314