1 /* 2 * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadmin_locl.h" 35 #include <kadm5/private.h> 36 37 RCSID("$Id: init.c,v 1.29 2002/12/03 14:08:17 joda Exp $"); 38 39 static kadm5_ret_t 40 create_random_entry(krb5_principal princ, 41 unsigned max_life, 42 unsigned max_rlife, 43 u_int32_t attributes) 44 { 45 kadm5_principal_ent_rec ent; 46 kadm5_ret_t ret; 47 int mask = 0; 48 krb5_keyblock *keys; 49 int n_keys, i; 50 51 memset(&ent, 0, sizeof(ent)); 52 ent.principal = princ; 53 mask |= KADM5_PRINCIPAL; 54 if (max_life) { 55 ent.max_life = max_life; 56 mask |= KADM5_MAX_LIFE; 57 } 58 if (max_rlife) { 59 ent.max_renewable_life = max_rlife; 60 mask |= KADM5_MAX_RLIFE; 61 } 62 ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX; 63 mask |= KADM5_ATTRIBUTES; 64 65 ret = kadm5_create_principal(kadm_handle, &ent, mask, "hemlig"); 66 if(ret) 67 return ret; 68 ret = kadm5_randkey_principal(kadm_handle, princ, &keys, &n_keys); 69 if(ret) 70 return ret; 71 for(i = 0; i < n_keys; i++) 72 krb5_free_keyblock_contents(context, &keys[i]); 73 free(keys); 74 ret = kadm5_get_principal(kadm_handle, princ, &ent, 75 KADM5_PRINCIPAL | KADM5_ATTRIBUTES); 76 if(ret) 77 return ret; 78 ent.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); 79 ent.kvno = 1; 80 ret = kadm5_modify_principal(kadm_handle, &ent, 81 KADM5_ATTRIBUTES|KADM5_KVNO); 82 kadm5_free_principal_ent (kadm_handle, &ent); 83 if(ret) 84 return ret; 85 return 0; 86 } 87 88 static struct getargs args[] = { 89 { "realm-max-ticket-life", 0, arg_string, NULL, 90 "realm max ticket lifetime" }, 91 { "realm-max-renewable-life", 0, arg_string, NULL, 92 "realm max renewable lifetime" }, 93 { "help", 'h', arg_flag, NULL }, 94 }; 95 96 static int num_args = sizeof(args) / sizeof(args[0]); 97 98 static void 99 usage(void) 100 { 101 arg_printusage (args, num_args, "init", "realm..."); 102 } 103 104 int 105 init(int argc, char **argv) 106 { 107 kadm5_ret_t ret; 108 int i; 109 char *realm_max_life = NULL; 110 char *realm_max_rlife = NULL; 111 int help_flag = 0; 112 HDB *db; 113 int optind = 0; 114 krb5_deltat max_life, max_rlife; 115 116 args[0].value = &realm_max_life; 117 args[1].value = &realm_max_rlife; 118 args[2].value = &help_flag; 119 120 if(getarg(args, num_args, argc, argv, &optind) || help_flag) { 121 usage(); 122 return 0; 123 } 124 125 if(argc - optind < 1) { 126 usage(); 127 return 0; 128 } 129 130 if (realm_max_life) { 131 if (str2deltat (realm_max_life, &max_life) != 0) { 132 krb5_warnx (context, "unable to parse `%s'", realm_max_life); 133 return 0; 134 } 135 } 136 if (realm_max_rlife) { 137 if (str2deltat (realm_max_rlife, &max_rlife) != 0) { 138 krb5_warnx (context, "unable to parse `%s'", realm_max_rlife); 139 return 0; 140 } 141 } 142 143 db = _kadm5_s_get_db(kadm_handle); 144 145 ret = db->open(context, db, O_RDWR | O_CREAT, 0600); 146 if(ret){ 147 krb5_warn(context, ret, "hdb_open"); 148 return 0; 149 } 150 db->close(context, db); 151 for(i = optind; i < argc; i++){ 152 krb5_principal princ; 153 const char *realm = argv[i]; 154 155 /* Create `krbtgt/REALM' */ 156 ret = krb5_make_principal(context, &princ, realm, 157 KRB5_TGS_NAME, realm, NULL); 158 if(ret) 159 return 0; 160 if (realm_max_life == NULL) { 161 max_life = 0; 162 if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) { 163 krb5_free_principal(context, princ); 164 return 0; 165 } 166 } 167 if (realm_max_rlife == NULL) { 168 max_rlife = 0; 169 if(edit_deltat("Realm max renewable ticket life", &max_rlife, 170 NULL, 0)) { 171 krb5_free_principal(context, princ); 172 return 0; 173 } 174 } 175 create_random_entry(princ, max_life, max_rlife, 0); 176 krb5_free_principal(context, princ); 177 178 /* Create `kadmin/changepw' */ 179 krb5_make_principal(context, &princ, realm, 180 "kadmin", "changepw", NULL); 181 create_random_entry(princ, 5*60, 5*60, 182 KRB5_KDB_DISALLOW_TGT_BASED| 183 KRB5_KDB_PWCHANGE_SERVICE| 184 KRB5_KDB_DISALLOW_POSTDATED| 185 KRB5_KDB_DISALLOW_FORWARDABLE| 186 KRB5_KDB_DISALLOW_RENEWABLE| 187 KRB5_KDB_DISALLOW_PROXIABLE| 188 KRB5_KDB_REQUIRES_PRE_AUTH); 189 krb5_free_principal(context, princ); 190 191 /* Create `kadmin/admin' */ 192 krb5_make_principal(context, &princ, realm, 193 "kadmin", "admin", NULL); 194 create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH); 195 krb5_free_principal(context, princ); 196 197 /* Create `changepw/kerberos' (for v4 compat) */ 198 krb5_make_principal(context, &princ, realm, 199 "changepw", "kerberos", NULL); 200 create_random_entry(princ, 60*60, 60*60, 201 KRB5_KDB_DISALLOW_TGT_BASED| 202 KRB5_KDB_PWCHANGE_SERVICE); 203 204 krb5_free_principal(context, princ); 205 206 /* Create `kadmin/hprop' for database propagation */ 207 krb5_make_principal(context, &princ, realm, 208 "kadmin", "hprop", NULL); 209 create_random_entry(princ, 60*60, 60*60, 210 KRB5_KDB_REQUIRES_PRE_AUTH| 211 KRB5_KDB_DISALLOW_TGT_BASED); 212 krb5_free_principal(context, princ); 213 214 /* Create `default' */ 215 { 216 kadm5_principal_ent_rec ent; 217 int mask = 0; 218 219 memset (&ent, 0, sizeof(ent)); 220 mask |= KADM5_PRINCIPAL; 221 krb5_make_principal(context, &ent.principal, realm, 222 "default", NULL); 223 mask |= KADM5_MAX_LIFE; 224 ent.max_life = 24 * 60 * 60; 225 mask |= KADM5_MAX_RLIFE; 226 ent.max_renewable_life = 7 * ent.max_life; 227 ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX; 228 mask |= KADM5_ATTRIBUTES; 229 230 ret = kadm5_create_principal(kadm_handle, &ent, mask, ""); 231 if (ret) 232 krb5_err (context, 1, ret, "kadm5_create_principal"); 233 234 krb5_free_principal(context, ent.principal); 235 } 236 } 237 return 0; 238 } 239