1 /* 2 * Copyright (c) 1997-2000 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadmin_locl.h" 35 36 RCSID("$Id: ank.c,v 1.22 2001/08/10 08:08:22 joda Exp $"); 37 38 /* 39 * fetch the default principal corresponding to `princ' 40 */ 41 42 static krb5_error_code 43 get_default (kadm5_server_context *context, 44 krb5_principal princ, 45 kadm5_principal_ent_t default_ent) 46 { 47 krb5_error_code ret; 48 krb5_principal def_principal; 49 krb5_realm *realm = krb5_princ_realm(context->context, princ); 50 51 ret = krb5_make_principal (context->context, &def_principal, 52 *realm, "default", NULL); 53 if (ret) 54 return ret; 55 ret = kadm5_get_principal (context, def_principal, default_ent, 56 KADM5_PRINCIPAL_NORMAL_MASK); 57 krb5_free_principal (context->context, def_principal); 58 return ret; 59 } 60 61 /* 62 * Add the principal `name' to the database. 63 * Prompt for all data not given by the input parameters. 64 */ 65 66 static krb5_error_code 67 add_one_principal (const char *name, 68 int rand_key, 69 int rand_password, 70 int use_defaults, 71 char *password, 72 krb5_key_data *key_data, 73 const char *max_ticket_life, 74 const char *max_renewable_life, 75 const char *attributes, 76 const char *expiration, 77 const char *pw_expiration) 78 { 79 krb5_error_code ret; 80 kadm5_principal_ent_rec princ, defrec; 81 kadm5_principal_ent_rec *default_ent = NULL; 82 krb5_principal princ_ent = NULL; 83 int mask = 0; 84 int default_mask = 0; 85 char pwbuf[1024]; 86 87 memset(&princ, 0, sizeof(princ)); 88 ret = krb5_parse_name(context, name, &princ_ent); 89 if (ret) { 90 krb5_warn(context, ret, "krb5_parse_name"); 91 return ret; 92 } 93 princ.principal = princ_ent; 94 mask |= KADM5_PRINCIPAL; 95 96 ret = set_entry(context, &princ, &mask, 97 max_ticket_life, max_renewable_life, 98 expiration, pw_expiration, attributes); 99 if (ret) 100 goto out; 101 102 default_ent = &defrec; 103 ret = get_default (kadm_handle, princ_ent, default_ent); 104 if (ret) { 105 default_ent = NULL; 106 default_mask = 0; 107 } else { 108 default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | 109 KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION; 110 } 111 112 if(use_defaults) 113 set_defaults(&princ, &mask, default_ent, default_mask); 114 else 115 edit_entry(&princ, &mask, default_ent, default_mask); 116 if(rand_key || key_data) { 117 princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX; 118 mask |= KADM5_ATTRIBUTES; 119 strlcpy (pwbuf, "hemlig", sizeof(pwbuf)); 120 password = pwbuf; 121 } else if (rand_password) { 122 random_password (pwbuf, sizeof(pwbuf)); 123 password = pwbuf; 124 } else if(password == NULL) { 125 char *princ_name; 126 char *prompt; 127 128 krb5_unparse_name(context, princ_ent, &princ_name); 129 asprintf (&prompt, "%s's Password: ", princ_name); 130 free (princ_name); 131 ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1); 132 free (prompt); 133 if (ret) 134 goto out; 135 password = pwbuf; 136 } 137 138 ret = kadm5_create_principal(kadm_handle, &princ, mask, password); 139 if(ret) 140 krb5_warn(context, ret, "kadm5_create_principal"); 141 if(rand_key) { 142 krb5_keyblock *new_keys; 143 int n_keys, i; 144 ret = kadm5_randkey_principal(kadm_handle, princ_ent, 145 &new_keys, &n_keys); 146 if(ret){ 147 krb5_warn(context, ret, "kadm5_randkey_principal"); 148 n_keys = 0; 149 } 150 for(i = 0; i < n_keys; i++) 151 krb5_free_keyblock_contents(context, &new_keys[i]); 152 free(new_keys); 153 kadm5_get_principal(kadm_handle, princ_ent, &princ, 154 KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); 155 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 156 princ.kvno = 1; 157 kadm5_modify_principal(kadm_handle, &princ, 158 KADM5_ATTRIBUTES | KADM5_KVNO); 159 kadm5_free_principal_ent(kadm_handle, &princ); 160 } else if (key_data) { 161 ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent, 162 3, key_data); 163 if (ret) { 164 krb5_warn(context, ret, "kadm5_chpass_principal_with_key"); 165 } 166 kadm5_get_principal(kadm_handle, princ_ent, &princ, 167 KADM5_PRINCIPAL | KADM5_ATTRIBUTES); 168 princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 169 kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES); 170 kadm5_free_principal_ent(kadm_handle, &princ); 171 } else if (rand_password) { 172 char *princ_name; 173 174 krb5_unparse_name(context, princ_ent, &princ_name); 175 printf ("added %s with password `%s'\n", princ_name, password); 176 free (princ_name); 177 } 178 out: 179 if (princ_ent) 180 krb5_free_principal (context, princ_ent); 181 if(default_ent) 182 kadm5_free_principal_ent (context, default_ent); 183 if (password != NULL) 184 memset (password, 0, strlen(password)); 185 return ret; 186 } 187 188 /* 189 * parse the string `key_string' into `key', returning 0 iff succesful. 190 */ 191 192 /* 193 * the ank command 194 */ 195 196 static struct getargs args[] = { 197 { "random-key", 'r', arg_flag, NULL, "set random key" }, 198 { "random-password", 0, arg_flag, NULL, "set random password" }, 199 { "password", 'p', arg_string, NULL, "princial's password" }, 200 { "key", 0, arg_string, NULL, "DES-key in hex" }, 201 { "max-ticket-life", 0, arg_string, NULL, "max ticket lifetime", 202 "lifetime"}, 203 { "max-renewable-life", 0, arg_string, NULL, 204 "max renewable lifetime", "lifetime" }, 205 { "attributes", 0, arg_string, NULL, "principal attributes", 206 "attributes"}, 207 { "expiration-time",0, arg_string, NULL, "expiration time", 208 "time"}, 209 { "pw-expiration-time", 0, arg_string, NULL, 210 "password expiration time", "time"}, 211 { "use-defaults", 0, arg_flag, NULL, "use default values" } 212 }; 213 214 static int num_args = sizeof(args) / sizeof(args[0]); 215 216 static void 217 usage(void) 218 { 219 arg_printusage (args, num_args, "add", "principal..."); 220 } 221 222 /* 223 * Parse arguments and add all the principals. 224 */ 225 226 int 227 add_new_key(int argc, char **argv) 228 { 229 char *password = NULL; 230 char *key = NULL; 231 int random_key = 0; 232 int random_password = 0; 233 int optind = 0; 234 krb5_error_code ret; 235 char *max_ticket_life = NULL; 236 char *max_renewable_life = NULL; 237 char *attributes = NULL; 238 char *expiration = NULL; 239 char *pw_expiration = NULL; 240 int use_defaults = 0; 241 int i; 242 int num; 243 krb5_key_data key_data[3]; 244 krb5_key_data *kdp = NULL; 245 246 args[0].value = &random_key; 247 args[1].value = &random_password; 248 args[2].value = &password; 249 args[3].value = &key; 250 args[4].value = &max_ticket_life; 251 args[5].value = &max_renewable_life; 252 args[6].value = &attributes; 253 args[7].value = &expiration; 254 args[8].value = &pw_expiration; 255 args[9].value = &use_defaults; 256 257 if(getarg(args, num_args, argc, argv, &optind)) { 258 usage (); 259 return 0; 260 } 261 if(optind == argc) { 262 usage (); 263 return 0; 264 } 265 266 num = 0; 267 if (random_key) 268 ++num; 269 if (random_password) 270 ++num; 271 if (password) 272 ++num; 273 if (key) 274 ++num; 275 276 if (num > 1) { 277 printf ("give only one of " 278 "--random-key, --random-password, --password, --key\n"); 279 return 0; 280 } 281 282 if (key) { 283 const char *error; 284 285 if (parse_des_key (key, key_data, &error)) { 286 printf ("failed parsing key `%s': %s\n", key, error); 287 return 0; 288 } 289 kdp = key_data; 290 } 291 292 for (i = optind; i < argc; ++i) { 293 ret = add_one_principal (argv[i], random_key, random_password, 294 use_defaults, 295 password, 296 kdp, 297 max_ticket_life, 298 max_renewable_life, 299 attributes, 300 expiration, 301 pw_expiration); 302 if (ret) { 303 krb5_warn (context, ret, "adding %s", argv[i]); 304 break; 305 } 306 } 307 if (kdp) { 308 int16_t dummy = 3; 309 kadm5_free_key_data (kadm_handle, &dummy, key_data); 310 } 311 return 0; 312 } 313