xref: /freebsd/crypto/heimdal/kadmin/init.c (revision 5521ff5a4d1929056e7ffc982fac3341ca54df7c) 
1 /*
2  * Copyright (c) 1997-2000 Kungliga Tekniska H�gskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kadmin_locl.h"
35 #include <kadm5/private.h>
36 
37 RCSID("$Id: init.c,v 1.27 2000/09/10 19:20:16 joda Exp $");
38 
39 static kadm5_ret_t
40 create_random_entry(krb5_principal princ,
41 		    unsigned max_life,
42 		    unsigned max_rlife,
43 		    u_int32_t attributes)
44 {
45     kadm5_principal_ent_rec ent;
46     kadm5_ret_t ret;
47     int mask = 0;
48     krb5_keyblock *keys;
49     int n_keys, i;
50 
51     memset(&ent, 0, sizeof(ent));
52     ent.principal = princ;
53     mask |= KADM5_PRINCIPAL;
54     if (max_life) {
55 	ent.max_life = max_life;
56 	mask |= KADM5_MAX_LIFE;
57     }
58     if (max_rlife) {
59 	ent.max_renewable_life = max_rlife;
60 	mask |= KADM5_MAX_RLIFE;
61     }
62     ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
63     mask |= KADM5_ATTRIBUTES;
64 
65     ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig");
66     if(ret)
67 	return ret;
68     ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys);
69     if(ret)
70 	return ret;
71     for(i = 0; i < n_keys; i++)
72 	krb5_free_keyblock_contents(context, &keys[i]);
73     free(keys);
74     ret = kadm5_get_principal(kadm_handle, princ, &ent,
75 			      KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
76     if(ret)
77 	return ret;
78     ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
79     ent.kvno = 1;
80     ret = kadm5_modify_principal(kadm_handle, &ent,
81 				 KADM5_ATTRIBUTES|KADM5_KVNO);
82     kadm5_free_principal_ent (kadm_handle, &ent);
83     if(ret)
84 	return ret;
85     return 0;
86 }
87 
88 static struct getargs args[] = {
89     { "realm-max-ticket-life",  0,	arg_string,	NULL,
90       "realm max ticket lifetime" },
91     { "realm-max-renewable-life",  0,	arg_string,	NULL,
92       "realm max renewable lifetime" },
93 };
94 
95 static int num_args = sizeof(args) / sizeof(args[0]);
96 
97 static void
98 usage(void)
99 {
100     arg_printusage (args, num_args, "init", "realm...");
101 }
102 
103 int
104 init(int argc, char **argv)
105 {
106     kadm5_ret_t ret;
107     int i;
108     char *realm_max_life  = NULL;
109     char *realm_max_rlife = NULL;
110     HDB *db;
111     int optind = 0;
112     krb5_deltat max_life, max_rlife;
113 
114     args[0].value = &realm_max_life;
115     args[1].value = &realm_max_rlife;
116 
117     if(getarg(args, num_args, argc, argv, &optind)) {
118 	usage();
119 	return 0;
120     }
121 
122     if(argc - optind < 1) {
123 	usage();
124 	return 0;
125     }
126 
127     if (realm_max_life) {
128 	if (str2deltat (realm_max_life, &max_life) != 0) {
129 	    krb5_warnx (context, "unable to parse `%s'", realm_max_life);
130 	    return 0;
131 	}
132     }
133     if (realm_max_rlife) {
134 	if (str2deltat (realm_max_rlife, &max_rlife) != 0) {
135 	    krb5_warnx (context, "unable to parse `%s'", realm_max_rlife);
136 	    return 0;
137 	}
138     }
139 
140     db = _kadm5_s_get_db(kadm_handle);
141 
142     ret = db->open(context, db, O_RDWR | O_CREAT, 0600);
143     if(ret){
144 	krb5_warn(context, ret, "hdb_open");
145 	return 0;
146     }
147     db->close(context, db);
148     for(i = optind; i < argc; i++){
149 	krb5_principal princ;
150 	const char *realm = argv[i];
151 
152 	/* Create `krbtgt/REALM' */
153 	krb5_make_principal(context, &princ, realm,
154 			    KRB5_TGS_NAME, realm, NULL);
155 	if (realm_max_life == NULL) {
156 	    max_life = 0;
157 	    edit_deltat ("Realm max ticket life", &max_life, NULL, 0);
158 	}
159 	if (realm_max_rlife == NULL) {
160 	    max_rlife = 0;
161 	    edit_deltat("Realm max renewable ticket life", &max_rlife,
162 			NULL, 0);
163 	}
164 	create_random_entry(princ, max_life, max_rlife, 0);
165 	krb5_free_principal(context, princ);
166 
167 	/* Create `kadmin/changepw' */
168 	krb5_make_principal(context, &princ, realm,
169 			    "kadmin", "changepw", NULL);
170 	create_random_entry(princ, 5*60, 5*60,
171 			    KRB5_KDB_DISALLOW_TGT_BASED|
172 			    KRB5_KDB_PWCHANGE_SERVICE|
173 			    KRB5_KDB_DISALLOW_POSTDATED|
174 			    KRB5_KDB_DISALLOW_FORWARDABLE|
175 			    KRB5_KDB_DISALLOW_RENEWABLE|
176 			    KRB5_KDB_DISALLOW_PROXIABLE|
177 			    KRB5_KDB_REQUIRES_PRE_AUTH);
178 	krb5_free_principal(context, princ);
179 
180 	/* Create `kadmin/admin' */
181 	krb5_make_principal(context, &princ, realm,
182 			    "kadmin", "admin", NULL);
183 	create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH);
184 	krb5_free_principal(context, princ);
185 
186 	/* Create `changepw/kerberos' (for v4 compat) */
187 	krb5_make_principal(context, &princ, realm,
188 			    "changepw", "kerberos", NULL);
189 	create_random_entry(princ, 60*60, 60*60,
190 			    KRB5_KDB_DISALLOW_TGT_BASED|
191 			    KRB5_KDB_PWCHANGE_SERVICE);
192 
193 	krb5_free_principal(context, princ);
194 
195 	/* Create `kadmin/hprop' for database propagation */
196 	krb5_make_principal(context, &princ, realm,
197 			    "kadmin", "hprop", NULL);
198 	create_random_entry(princ, 60*60, 60*60,
199 			    KRB5_KDB_REQUIRES_PRE_AUTH|
200 			    KRB5_KDB_DISALLOW_TGT_BASED);
201 	krb5_free_principal(context, princ);
202 
203 	/* Create `default' */
204 	{
205 	    kadm5_principal_ent_rec ent;
206 	    int mask = 0;
207 
208 	    memset (&ent, 0, sizeof(ent));
209 	    mask |= KADM5_PRINCIPAL;
210 	    krb5_make_principal(context, &ent.principal, realm,
211 				"default", NULL);
212 	    mask |= KADM5_MAX_LIFE;
213 	    ent.max_life = 24 * 60 * 60;
214 	    mask |= KADM5_MAX_RLIFE;
215 	    ent.max_renewable_life = 7 * ent.max_life;
216 	    ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
217 	    mask |= KADM5_ATTRIBUTES;
218 
219 	    ret = kadm5_create_principal(kadm_handle, &ent, mask, "");
220 	    if (ret)
221 		krb5_err (context, 1, ret, "kadm5_create_principal");
222 
223 	    krb5_free_principal(context, ent.principal);
224 	}
225     }
226     return 0;
227 }
228