/*
 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * kadm5/admin.h -- public interface of the Kerberos V5 administration
 * library (kadm5): field-mask constants, principal/policy/config entry
 * structures and the prototypes of the administrative API.
 *
 * NOTE(review): several identifiers in this header (the include guard
 * __KADM5_ADMIN_H__, the struct tags __krb5_key_salt_tuple and
 * __krb5_realm_params, and _kadm5_get_kpasswd_protocol) use names that the
 * C standard reserves for the implementation. They are kept unchanged here
 * because callers and other headers may spell them out.
 */

#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__

#pragma ident "%Z%%M% %I% %E% SMI"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 * Openvision retains the copyright to derivative works of
 * this source code. Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 *
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * copyright.
 *
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 *
 */


/*
 * Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
 *
 * $Header: /cvs/krbdev/krb5/src/lib/kadm5/admin.h,v 1.43.2.1 2000/05/19 22:24:14 raeburn Exp $
 */

#include <sys/types.h>
#include <rpc/types.h>
#include <rpc/rpc.h>
#include <krb5.h>
#include <k5-int.h>
#include <com_err.h>
#include <kadm5/kadm_err.h>
#include <kadm5/adb_err.h>
#include <kadm5/chpass_util_strings.h>

/*
 * Service principal names of the administration and password-change
 * services. The *_P variants spell the name with an '@' separator, the
 * others with a '/' separator; the *_HOST_SERVICE names are the first
 * component only (host-based service names).
 */
#define KADM5_ADMIN_SERVICE_P "kadmin@admin"
#define KADM5_ADMIN_SERVICE "kadmin/admin"
#define KADM5_CHANGEPW_SERVICE_P "kadmin@changepw"
#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
#define KADM5_HIST_PRINCIPAL "kadmin/history"
#define KADM5_ADMIN_HOST_SERVICE "kadmin"
#define KADM5_CHANGEPW_HOST_SERVICE "changepw"
#define KADM5_KIPROP_HOST_SERVICE "kiprop"

/* Basic API types. kadm5_ret_t is the status type of most API calls
 * (KADM5_OK on success, otherwise a com_err-style error code). */
typedef krb5_principal kadm5_princ_t;
typedef char *kadm5_policy_t;
typedef long kadm5_ret_t;
typedef int rpc_int32;
typedef unsigned int rpc_u_int32;

/* Localised prompt strings for the two password entries of a change. */
#define KADM5_PW_FIRST_PROMPT \
((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_PROMPT))
#define KADM5_PW_SECOND_PROMPT \
((char *)error_message(CHPASS_UTIL_NEW_PASSWORD_AGAIN_PROMPT))

/*
 * Successful return code
 */
#define KADM5_OK 0

/*
 * Field masks
 *
 * Each mask bit names one field of the corresponding entry structure. The
 * masks are passed to the create/modify/get calls to say which fields are
 * meaningful. Note that the policy masks and the config masks reuse
 * numeric values of the principal masks, so a mask is only meaningful
 * together with the entry type it was defined for.
 */

/* kadm5_principal_ent_t */
#define KADM5_PRINCIPAL 0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION 0x000004
#define KADM5_LAST_PWD_CHANGE 0x000008
#define KADM5_ATTRIBUTES 0x000010
#define KADM5_MAX_LIFE 0x000020
#define KADM5_MOD_TIME 0x000040
#define KADM5_MOD_NAME 0x000080
#define KADM5_KVNO 0x000100
#define KADM5_MKVNO 0x000200
#define KADM5_AUX_ATTRIBUTES 0x000400
#define KADM5_POLICY 0x000800
#define KADM5_POLICY_CLR 0x001000
/* version 2 masks */
#define KADM5_MAX_RLIFE 0x002000
#define KADM5_LAST_SUCCESS 0x004000
#define KADM5_LAST_FAILED 0x008000
#define KADM5_FAIL_AUTH_COUNT 0x010000
#define KADM5_KEY_DATA 0x020000
#define KADM5_TL_DATA 0x040000
/* all but KEY_DATA and TL_DATA: the OR of every mask from KADM5_PRINCIPAL
 * through KADM5_FAIL_AUTH_COUNT (bits 0..16) */
#define KADM5_PRINCIPAL_NORMAL_MASK 0x01ffff

/* kadm5_policy_ent_t */
#define KADM5_PW_MAX_LIFE 0x004000
#define KADM5_PW_MIN_LIFE 0x008000
#define KADM5_PW_MIN_LENGTH 0x010000
#define KADM5_PW_MIN_CLASSES 0x020000
#define KADM5_PW_HISTORY_NUM 0x040000
#define KADM5_REF_COUNT 0x080000

/* kadm5_config_params */
#define KADM5_CONFIG_REALM 0x0000001
#define KADM5_CONFIG_DBNAME 0x0000002
#define KADM5_CONFIG_MKEY_NAME 0x0000004
#define KADM5_CONFIG_MAX_LIFE 0x0000008
#define KADM5_CONFIG_MAX_RLIFE 0x0000010
#define KADM5_CONFIG_EXPIRATION 0x0000020
#define KADM5_CONFIG_FLAGS 0x0000040
#define KADM5_CONFIG_ADMIN_KEYTAB 0x0000080
#define KADM5_CONFIG_STASH_FILE 0x0000100
#define KADM5_CONFIG_ENCTYPE 0x0000200
#define KADM5_CONFIG_ADBNAME 0x0000400
#define KADM5_CONFIG_ADB_LOCKFILE 0x0000800
#define KADM5_CONFIG_PROFILE 0x0001000
#define KADM5_CONFIG_ACL_FILE 0x0002000
#define KADM5_CONFIG_KADMIND_PORT 0x0004000
#define KADM5_CONFIG_ENCTYPES 0x0008000
#define KADM5_CONFIG_ADMIN_SERVER 0x0010000
#define KADM5_CONFIG_DICT_FILE 0x0020000
#define KADM5_CONFIG_MKEY_FROM_KBD 0x0040000
#define KADM5_CONFIG_KPASSWD_PORT 0x0080000
#define KADM5_CONFIG_KPASSWD_SERVER 0x0100000
#define KADM5_CONFIG_KPASSWD_PROTOCOL 0x0200000
#define KADM5_CONFIG_IPROP_ENABLED 0x0400000
#define KADM5_CONFIG_ULOG_SIZE 0x0800000
#define KADM5_CONFIG_POLL_TIME 0x1000000

/* password change constants (result codes of a password-change request;
 * 0 is success, everything else is a failure category) */
#define KRB5_KPASSWD_SUCCESS 0
#define KRB5_KPASSWD_MALFORMED 1
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
#define KRB5_KPASSWD_ACCESSDENIED 5
#define KRB5_KPASSWD_BAD_VERSION 6
#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
#define KRB5_KPASSWD_POLICY_REJECT 8
#define KRB5_KPASSWD_BAD_PRINCIPAL 9
#define KRB5_KPASSWD_ETYPE_NOSUPP 10

/*
 * permission bits (returned through kadm5_get_privs(); one bit per
 * administrative privilege held by the authenticated client)
 */
#define KADM5_PRIV_GET 0x01
#define KADM5_PRIV_ADD 0x02
#define KADM5_PRIV_MODIFY 0x04
#define KADM5_PRIV_DELETE 0x08

/*
 * API versioning constants
 *
 * The struct_version / api_version arguments of the kadm5_init* family
 * are built from a fixed magic in the upper 24 bits (KADM5_MASK_BITS)
 * plus a small version number in the low byte.
 */
#define KADM5_MASK_BITS 0xffffff00

#define KADM5_STRUCT_VERSION_MASK 0x12345600
#define KADM5_STRUCT_VERSION_1 (KADM5_STRUCT_VERSION_MASK|0x01)
#define KADM5_STRUCT_VERSION KADM5_STRUCT_VERSION_1

#define KADM5_API_VERSION_MASK 0x12345700
#define KADM5_API_VERSION_1 (KADM5_API_VERSION_MASK|0x01)
#define KADM5_API_VERSION_2 (KADM5_API_VERSION_MASK|0x02)

#ifdef KRB5_DNS_LOOKUP
/*
 * Name length constants for DNS lookups
 */
#define MAX_HOST_NAMELEN 256
#define MAX_DNS_NAMELEN (15*(MAX_HOST_NAMELEN + 1)+1)
#endif /* KRB5_DNS_LOOKUP */

/*
 * Principal entry, API version 2. The first twelve fields are identical
 * to the version 1 layout below; the fields after the "version 2 fields"
 * marker are additions. key_data and tl_data are only filled when the
 * corresponding KADM5_KEY_DATA / KADM5_TL_DATA mask bits are requested
 * (they are excluded from KADM5_PRINCIPAL_NORMAL_MASK).
 */
typedef struct _kadm5_principal_ent_t_v2 {
    krb5_principal principal;
    krb5_timestamp princ_expire_time;
    krb5_timestamp last_pwd_change;
    krb5_timestamp pw_expiration;
    krb5_deltat max_life;
    krb5_principal mod_name;
    krb5_timestamp mod_date;
    krb5_flags attributes;
    krb5_kvno kvno;
    krb5_kvno mkvno;
    char *policy;
    long aux_attributes;

    /* version 2 fields */
    krb5_deltat max_renewable_life;
    krb5_timestamp last_success;
    krb5_timestamp last_failed;
    krb5_kvno fail_auth_count;
    krb5_int16 n_key_data;      /* number of entries in key_data */
    krb5_int16 n_tl_data;       /* number of entries in tl_data */
    krb5_tl_data *tl_data;
    krb5_key_data *key_data;    /* key material -- handle and free with care */
} kadm5_principal_ent_rec_v2, *kadm5_principal_ent_t_v2;

/*
 * Principal entry, API version 1 (legacy layout; a prefix of v2).
 */
typedef struct _kadm5_principal_ent_t_v1 {
    krb5_principal principal;
    krb5_timestamp princ_expire_time;
    krb5_timestamp last_pwd_change;
    krb5_timestamp pw_expiration;
    krb5_deltat max_life;
    krb5_principal mod_name;
    krb5_timestamp mod_date;
    krb5_flags attributes;
    krb5_kvno kvno;
    krb5_kvno mkvno;
    char *policy;
    long aux_attributes;
} kadm5_principal_ent_rec_v1, *kadm5_principal_ent_t_v1;


/* The unversioned names refer to the version 2 layout. */
typedef struct _kadm5_principal_ent_t_v2
    kadm5_principal_ent_rec, *kadm5_principal_ent_t;

/*
 * Password policy entry; field validity is described by the
 * KADM5_PW_* / KADM5_REF_COUNT masks.
 */
typedef struct _kadm5_policy_ent_t {
    char *policy;
    long pw_min_life;
    long pw_max_life;
    long pw_min_length;
    long pw_min_classes;
    long pw_history_num;
    long policy_refcnt;
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;

/* An (encryption type, salt type) pair, as used for key generation. */
typedef struct __krb5_key_salt_tuple {
    krb5_enctype ks_enctype;
    krb5_int32 ks_salttype;
} krb5_key_salt_tuple;

/*
 * New types to indicate which protocol to use when sending
 * password change requests
 */
typedef enum {
    KRB5_CHGPWD_RPCSEC,
    KRB5_CHGPWD_CHANGEPW_V2
} krb5_chgpwd_prot;

/*
 * Data structure returned by kadm5_get_config_params()
 *
 * mask presumably records which of the remaining fields are valid, using
 * the KADM5_CONFIG_* bits above -- confirm against the implementation.
 * The char * members point at file paths, names and host names read from
 * configuration; see kadm5_free_config_params() for their release.
 */
typedef struct _kadm5_config_params {
    long mask;
    char *realm;
    char *profile;
    int kadmind_port;
    char *admin_server;
    char *dbname;
    char *admin_dbname;
    char *admin_lockfile;
    char *admin_keytab;
    char *acl_file;
    char *dict_file;
    int mkey_from_kbd;
    char *stash_file;
    char *mkey_name;
    krb5_enctype enctype;
    krb5_deltat max_life;
    krb5_deltat max_rlife;
    krb5_timestamp expiration;
    krb5_flags flags;
    krb5_key_salt_tuple *keysalts;
    krb5_int32 num_keysalts;    /* number of entries in keysalts */
    char *kpasswd_server;
    int kpasswd_port;
    krb5_chgpwd_prot kpasswd_protocol;
    bool_t iprop_enabled;
    int iprop_ulogsize;
    char *iprop_polltime;
} kadm5_config_params;

/***********************************************************************
 * This is the old krb5_realm_read_params, which I mutated into
 * kadm5_get_config_params but which old code (kdb5_* and krb5kdc)
 * still uses.
 ***********************************************************************/

/*
 * Data structure returned by krb5_read_realm_params()
 *
 * The realm_*_valid bit-fields flag which of the optional scalar members
 * (kadmind_port, enctype, max_life, max_rlife, expiration, flags) were
 * actually present in the configuration; realm_filler pads the bit-field
 * group.
 */
typedef struct __krb5_realm_params {
    char *realm_profile;
    char *realm_dbname;
    char *realm_mkey_name;
    char *realm_stash_file;
    char *realm_kdc_ports;
    char *realm_kdc_tcp_ports;
    char *realm_acl_file;
    krb5_int32 realm_kadmind_port;
    krb5_enctype realm_enctype;
    krb5_deltat realm_max_life;
    krb5_deltat realm_max_rlife;
    krb5_timestamp realm_expiration;
    krb5_flags realm_flags;
    krb5_key_salt_tuple *realm_keysalts;
    unsigned int realm_kadmind_port_valid:1;
    unsigned int realm_enctype_valid:1;
    unsigned int realm_max_life_valid:1;
    unsigned int realm_max_rlife_valid:1;
    unsigned int realm_expiration_valid:1;
    unsigned int realm_flags_valid:1;
    unsigned int realm_filler:7;
    krb5_int32 realm_num_keysalts;  /* number of entries in realm_keysalts */
} krb5_realm_params;

/*
 * functions
 *
 * Unless noted otherwise, each call returns kadm5_ret_t: KADM5_OK on
 * success, an error code otherwise. server_handle is the opaque handle
 * produced by one of the kadm5_init* calls.
 */


/* Look up the administration (master) server for realm; *master receives
 * an allocated string (ownership passes to the caller -- free it). */
kadm5_ret_t
kadm5_get_master(krb5_context context, const char *realm, char **master);

/* Build the host-based admin service name for realm into
 * *host_service_name (allocated; caller frees). */
kadm5_ret_t
kadm5_get_adm_host_srv_name(krb5_context context,
    const char *realm, char **host_service_name);

/* Build the host-based change-password service name for realm into
 * *host_service_name (allocated; caller frees). */
kadm5_ret_t
kadm5_get_cpw_host_srv_name(krb5_context context,
    const char *realm, char **host_service_name);

/*
 * Read configuration for the realm into *params_out, starting from the
 * caller-supplied defaults in *params_in, from the profile named by
 * kdcprofile / the environment variable kdcenv. Returns a
 * krb5_error_code rather than kadm5_ret_t.
 */
krb5_error_code kadm5_get_config_params(krb5_context context,
    char *kdcprofile, char *kdcenv,
    kadm5_config_params *params_in,
    kadm5_config_params *params_out);

/* SUNWresync121 XXX */
/* Release the strings and arrays owned by *params (filled in by
 * kadm5_get_config_params()). */
krb5_error_code kadm5_free_config_params(krb5_context context,
    kadm5_config_params *params);

/* NOTE(review): despite its name this takes kadm5_config_params, not
 * krb5_realm_params -- confirm the intended argument type against the
 * implementation before relying on it. */
krb5_error_code kadm5_free_realm_params(krb5_context kcontext,
    kadm5_config_params *params);

/*
 * Session establishment. Each variant authenticates client_name to
 * service_name and returns an opaque handle in *server_handle, to be
 * released with kadm5_destroy(). struct_version / api_version select the
 * KADM5_STRUCT_VERSION / KADM5_API_VERSION_* the caller was built for.
 * pass (where present) is a plaintext secret; callers should clear it
 * once the call returns.
 */
kadm5_ret_t kadm5_init(char *client_name, char *pass,
    char *service_name,
    kadm5_config_params *params,
    krb5_ui_4 struct_version,
    krb5_ui_4 api_version,
    void **server_handle);

/* As kadm5_init(), authenticating with a password. */
kadm5_ret_t kadm5_init_with_password(char *client_name,
    char *pass,
    char *service_name,
    kadm5_config_params *params,
    krb5_ui_4 struct_version,
    krb5_ui_4 api_version,
    void **server_handle);
/* As kadm5_init(), authenticating with a key from the named keytab. */
kadm5_ret_t kadm5_init_with_skey(char *client_name,
    char *keytab,
    char *service_name,
    kadm5_config_params *params,
    krb5_ui_4 struct_version,
    krb5_ui_4 api_version,
    void **server_handle);

/* As kadm5_init(), authenticating with credentials from the cache cc. */
kadm5_ret_t kadm5_init_with_creds(char *client_name,
    krb5_ccache cc,
    char *service_name,
    kadm5_config_params *params,
    krb5_ui_4 struct_version,
    krb5_ui_4 api_version,
    void **server_handle);
/* Flush pending state of the session (semantics are server-side; see the
 * implementation). */
kadm5_ret_t kadm5_flush(void *server_handle);
/* Tear down a session opened by kadm5_init*; server_handle is invalid
 * afterwards. */
kadm5_ret_t kadm5_destroy(void *server_handle);

/*
 * Principal management. ent describes the principal; mask (KADM5_*
 * principal masks) says which of its fields are to be applied or
 * fetched. pass is the new plaintext password where present.
 */
kadm5_ret_t kadm5_create_principal(void *server_handle,
    kadm5_principal_ent_t ent,
    long mask, char *pass);
/* kadm5_create_principal() with an explicit list of n_ks_tuple
 * enctype/salt pairs to generate keys for. */
kadm5_ret_t kadm5_create_principal_3(void *server_handle,
    kadm5_principal_ent_t ent,
    long mask,
    int n_ks_tuple,
    krb5_key_salt_tuple *ks_tuple,
    char *pass);
kadm5_ret_t kadm5_delete_principal(void *server_handle,
    krb5_principal principal);
kadm5_ret_t kadm5_modify_principal(void *server_handle,
    kadm5_principal_ent_t ent,
    long mask);
/* Rename a principal; the parameters are unnamed here, presumably
 * (source, target) in that order -- confirm against the implementation. */
kadm5_ret_t kadm5_rename_principal(void *server_handle,
    krb5_principal, krb5_principal);

/* Fetch the fields selected by mask into *ent; release the result with
 * kadm5_free_principal_ent(). */
kadm5_ret_t kadm5_get_principal(void *server_handle,
    krb5_principal principal,
    kadm5_principal_ent_t ent,
    long mask);

/* Change a principal's password to the plaintext pass. */
kadm5_ret_t kadm5_chpass_principal(void *server_handle,
    krb5_principal principal,
    char *pass);
/* As kadm5_chpass_principal(); keepold retains the previous keys, and
 * ks_tuple/n_ks_tuple select the enctype/salt pairs for the new keys. */
kadm5_ret_t kadm5_chpass_principal_3(void *server_handle,
    krb5_principal principal,
    krb5_boolean keepold,
    int n_ks_tuple,
    krb5_key_salt_tuple *ks_tuple,
    char *pass);

/*
 * Solaris Kerberos:
 * this routine is only implemented in the client library.
 */
kadm5_ret_t kadm5_randkey_principal_old(void *server_handle,
    krb5_principal principal,
    krb5_keyblock **keyblocks,
    int *n_keys);

/* Replace the principal's keys with random ones; the *n_keys new keys
 * are returned in *keyblocks (sensitive material; free and zeroise when
 * done). */
kadm5_ret_t kadm5_randkey_principal(void *server_handle,
    krb5_principal principal,
    krb5_keyblock **keyblocks,
    int *n_keys);

/* As kadm5_randkey_principal() with keepold and an explicit enctype/salt
 * list. */
kadm5_ret_t kadm5_randkey_principal_3(void *server_handle,
    krb5_principal principal,
    krb5_boolean keepold,
    int n_ks_tuple,
    krb5_key_salt_tuple *ks_tuple,
    krb5_keyblock **keyblocks,
    int *n_keys);
/* Set a single (V4-style) key for the principal. */
kadm5_ret_t kadm5_setv4key_principal(void *server_handle,
    krb5_principal principal,
    krb5_keyblock *keyblock);

/* Set the principal's keys to the n_keys caller-supplied keyblocks. */
kadm5_ret_t kadm5_setkey_principal(void *server_handle,
    krb5_principal principal,
    krb5_keyblock *keyblocks,
    int n_keys);

/* As kadm5_setkey_principal() with keepold and an explicit enctype/salt
 * list. */
kadm5_ret_t kadm5_setkey_principal_3(void *server_handle,
    krb5_principal principal,
    krb5_boolean keepold,
    int n_ks_tuple,
    krb5_key_salt_tuple *ks_tuple,
    krb5_keyblock *keyblocks,
    int n_keys);

/*
 * Policy management. mask uses the KADM5_PW_* / KADM5_REF_COUNT bits.
 */
kadm5_ret_t kadm5_create_policy(void *server_handle,
    kadm5_policy_ent_t ent,
    long mask);
/*
 * kadm5_create_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_create_policy.
 */
kadm5_ret_t kadm5_create_policy_internal(void *server_handle,
    kadm5_policy_ent_t
    entry, long mask);
kadm5_ret_t kadm5_delete_policy(void *server_handle,
    kadm5_policy_t policy);
kadm5_ret_t kadm5_modify_policy(void *server_handle,
    kadm5_policy_ent_t ent,
    long mask);
/*
 * kadm5_modify_policy_internal is not part of the supported,
 * exposed API. It is available only in the server library, and you
 * shouldn't use it unless you know why it's there and how it's
 * different from kadm5_modify_policy.
 */
kadm5_ret_t kadm5_modify_policy_internal(void *server_handle,
    kadm5_policy_ent_t
    entry, long mask);

/* Fetch the named policy into *ent; release with kadm5_free_policy_ent(). */
kadm5_ret_t kadm5_get_policy(void *server_handle,
    kadm5_policy_t policy,
    kadm5_policy_ent_t ent);

/* Return the caller's KADM5_PRIV_* bits in *privs. */
kadm5_ret_t kadm5_get_privs(void *server_handle,
    long *privs);

/*
 * Change princ's password to new_pw with client-side quality checks. If
 * new_pw is NULL the password is presumably prompted for and returned via
 * *ret_pw -- confirm against the implementation. A human-readable status
 * message is written into msg_ret, a caller-supplied buffer of msg_len
 * bytes.
 */
kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
    krb5_principal princ,
    char *new_pw,
    char **ret_pw,
    char *msg_ret,
    int msg_len);

/* Release the contents of an entry filled in by kadm5_get_principal(). */
kadm5_ret_t kadm5_free_principal_ent(void *server_handle,
    kadm5_principal_ent_t
    ent);
/* Release the contents of an entry filled in by kadm5_get_policy(). */
kadm5_ret_t kadm5_free_policy_ent(void *server_handle,
    kadm5_policy_ent_t ent);

/* List principal names matching the pattern exp; *princs receives an
 * array of *count strings, released with kadm5_free_name_list(). */
kadm5_ret_t kadm5_get_principals(void *server_handle,
    char *exp, char ***princs,
    int *count);

/* List policy names matching the pattern exp; *pols receives an array of
 * *count strings, released with kadm5_free_name_list(). */
kadm5_ret_t kadm5_get_policies(void *server_handle,
    char *exp, char ***pols,
    int *count);


/* Release *n_key_data key_data entries (zeroising key material is the
 * implementation's responsibility -- verify). */
kadm5_ret_t kadm5_free_key_data(void *server_handle,
    krb5_int16 *n_key_data,
    krb5_key_data *key_data);

/* Release a name list of count entries from kadm5_get_principals() or
 * kadm5_get_policies(). */
kadm5_ret_t kadm5_free_name_list(void *server_handle,
    char **names, int count);


/* Report which password-change protocol the session is configured for. */
krb5_chgpwd_prot _kadm5_get_kpasswd_protocol(void *server_handle);
/* Change princ's password using the changepw v2 protocol; the server's
 * KRB5_KPASSWD_* result code is stored in *srvr_rsp_code and its message
 * in *srvr_msg. */
kadm5_ret_t kadm5_chpass_principal_v2(void *server_handle,
    krb5_principal princ,
    char *new_password,
    kadm5_ret_t *srvr_rsp_code,
    krb5_data *srvr_msg);

/* Service one password-change request arriving on socket s (server side);
 * input from s is untrusted network data. */
void handle_chpw(krb5_context context, int s, void *serverhandle,
    kadm5_config_params *params);

#ifdef __cplusplus
}
#endif

#endif /* __KADM5_ADMIN_H__ */