xref: /freebsd/crypto/heimdal/kadmin/init.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*
2  * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kadmin_locl.h"
35 #include <kadm5/private.h>
36 
37 RCSID("$Id: init.c,v 1.29 2002/12/03 14:08:17 joda Exp $");
38 
39 static kadm5_ret_t
40 create_random_entry(krb5_principal princ,
41 		    unsigned max_life,
42 		    unsigned max_rlife,
43 		    u_int32_t attributes)
44 {
45     kadm5_principal_ent_rec ent;
46     kadm5_ret_t ret;
47     int mask = 0;
48     krb5_keyblock *keys;
49     int n_keys, i;
50 
51     memset(&ent, 0, sizeof(ent));
52     ent.principal = princ;
53     mask |= KADM5_PRINCIPAL;
54     if (max_life) {
55 	ent.max_life = max_life;
56 	mask |= KADM5_MAX_LIFE;
57     }
58     if (max_rlife) {
59 	ent.max_renewable_life = max_rlife;
60 	mask |= KADM5_MAX_RLIFE;
61     }
62     ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
63     mask |= KADM5_ATTRIBUTES;
64 
65     ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig");
66     if(ret)
67 	return ret;
68     ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
69     if(ret)
70 	return ret;
71     for(i = 0; i < n_keys; i++)
72 	krb5_free_keyblock_contents(context, &keys[i]);
73     free(keys);
74     ret = kadm5_get_principal(kadm_handle, princ, &ent,
75 			      KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
76     if(ret)
77 	return ret;
78     ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
79     ent.kvno = 1;
80     ret = kadm5_modify_principal(kadm_handle, &ent,
81 				 KADM5_ATTRIBUTES|KADM5_KVNO);
82     kadm5_free_principal_ent (kadm_handle, &ent);
83     if(ret)
84 	return ret;
85     return 0;
86 }
87 
88 static struct getargs args[] = {
89     { "realm-max-ticket-life",  0,	arg_string,	NULL,
90       "realm max ticket lifetime" },
91     { "realm-max-renewable-life",  0,	arg_string,	NULL,
92       "realm max renewable lifetime" },
93     { "help", 'h', arg_flag, NULL },
94 };
95 
96 static int num_args = sizeof(args) / sizeof(args[0]);
97 
98 static void
99 usage(void)
100 {
101     arg_printusage (args, num_args, "init", "realm...");
102 }
103 
104 int
105 init(int argc, char **argv)
106 {
107     kadm5_ret_t ret;
108     int i;
109     char *realm_max_life  = NULL;
110     char *realm_max_rlife = NULL;
111     int help_flag = 0;
112     HDB *db;
113     int optind = 0;
114     krb5_deltat max_life, max_rlife;
115 
116     args[0].value = &realm_max_life;
117     args[1].value = &realm_max_rlife;
118     args[2].value = &help_flag;
119 
120     if(getarg(args, num_args, argc, argv, &optind) || help_flag) {
121 	usage();
122 	return 0;
123     }
124 
125     if(argc - optind < 1) {
126 	usage();
127 	return 0;
128     }
129 
130     if (realm_max_life) {
131 	if (str2deltat (realm_max_life, &max_life) != 0) {
132 	    krb5_warnx (context, "unable to parse `%s'", realm_max_life);
133 	    return 0;
134 	}
135     }
136     if (realm_max_rlife) {
137 	if (str2deltat (realm_max_rlife, &max_rlife) != 0) {
138 	    krb5_warnx (context, "unable to parse `%s'", realm_max_rlife);
139 	    return 0;
140 	}
141     }
142 
143     db = _kadm5_s_get_db(kadm_handle);
144 
145     ret = db->open(context, db, O_RDWR | O_CREAT, 0600);
146     if(ret){
147 	krb5_warn(context, ret, "hdb_open");
148 	return 0;
149     }
150     db->close(context, db);
151     for(i = optind; i < argc; i++){
152 	krb5_principal princ;
153 	const char *realm = argv[i];
154 
155 	/* Create `krbtgt/REALM' */
156 	ret = krb5_make_principal(context, &princ, realm,
157 				  KRB5_TGS_NAME, realm, NULL);
158 	if(ret)
159 	    return 0;
160 	if (realm_max_life == NULL) {
161 	    max_life = 0;
162 	    if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) {
163 		krb5_free_principal(context, princ);
164 		return 0;
165 	    }
166 	}
167 	if (realm_max_rlife == NULL) {
168 	    max_rlife = 0;
169 	    if(edit_deltat("Realm max renewable ticket life", &max_rlife,
170 			   NULL, 0)) {
171 		krb5_free_principal(context, princ);
172 		return 0;
173 	    }
174 	}
175 	create_random_entry(princ, max_life, max_rlife, 0);
176 	krb5_free_principal(context, princ);
177 
178 	/* Create `kadmin/changepw' */
179 	krb5_make_principal(context, &princ, realm,
180 			    "kadmin", "changepw", NULL);
181 	create_random_entry(princ, 5*60, 5*60,
182 			    KRB5_KDB_DISALLOW_TGT_BASED|
183 			    KRB5_KDB_PWCHANGE_SERVICE|
184 			    KRB5_KDB_DISALLOW_POSTDATED|
185 			    KRB5_KDB_DISALLOW_FORWARDABLE|
186 			    KRB5_KDB_DISALLOW_RENEWABLE|
187 			    KRB5_KDB_DISALLOW_PROXIABLE|
188 			    KRB5_KDB_REQUIRES_PRE_AUTH);
189 	krb5_free_principal(context, princ);
190 
191 	/* Create `kadmin/admin' */
192 	krb5_make_principal(context, &princ, realm,
193 			    "kadmin", "admin", NULL);
194 	create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH);
195 	krb5_free_principal(context, princ);
196 
197 	/* Create `changepw/kerberos' (for v4 compat) */
198 	krb5_make_principal(context, &princ, realm,
199 			    "changepw", "kerberos", NULL);
200 	create_random_entry(princ, 60*60, 60*60,
201 			    KRB5_KDB_DISALLOW_TGT_BASED|
202 			    KRB5_KDB_PWCHANGE_SERVICE);
203 
204 	krb5_free_principal(context, princ);
205 
206 	/* Create `kadmin/hprop' for database propagation */
207 	krb5_make_principal(context, &princ, realm,
208 			    "kadmin", "hprop", NULL);
209 	create_random_entry(princ, 60*60, 60*60,
210 			    KRB5_KDB_REQUIRES_PRE_AUTH|
211 			    KRB5_KDB_DISALLOW_TGT_BASED);
212 	krb5_free_principal(context, princ);
213 
214 	/* Create `default' */
215 	{
216 	    kadm5_principal_ent_rec ent;
217 	    int mask = 0;
218 
219 	    memset (&ent, 0, sizeof(ent));
220 	    mask |= KADM5_PRINCIPAL;
221 	    krb5_make_principal(context, &ent.principal, realm,
222 				"default", NULL);
223 	    mask |= KADM5_MAX_LIFE;
224 	    ent.max_life = 24 * 60 * 60;
225 	    mask |= KADM5_MAX_RLIFE;
226 	    ent.max_renewable_life = 7 * ent.max_life;
227 	    ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
228 	    mask |= KADM5_ATTRIBUTES;
229 
230 	    ret = kadm5_create_principal(kadm_handle, &ent, mask, "");
231 	    if (ret)
232 		krb5_err (context, 1, ret, "kadm5_create_principal");
233 
234 	    krb5_free_principal(context, ent.principal);
235 	}
236     }
237     return 0;
238 }
239