2 * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "ktutil_locl.h"
39 open_kadmin_connection(char *principal
,
44 static kadm5_config_params conf
;
47 memset(&conf
, 0, sizeof(conf
));
50 conf
.realm
= strdup(realm
);
51 if (conf
.realm
== NULL
) {
52 krb5_set_error_message(context
, 0, "malloc: out of memory");
55 conf
.mask
|= KADM5_CONFIG_REALM
;
59 conf
.admin_server
= admin_server
;
60 conf
.mask
|= KADM5_CONFIG_ADMIN_SERVER
;
64 conf
.kadmind_port
= htons(server_port
);
65 conf
.mask
|= KADM5_CONFIG_KADMIND_PORT
;
68 /* should get realm from each principal, instead of doing
69 everything with the same (local) realm */
71 ret
= kadm5_init_with_password_ctx(context
,
79 krb5_warn(context
, ret
, "kadm5_init_with_password");
86 parse_enctypes(struct get_options
*opt
,
88 krb5_key_salt_tuple
**ks
)
98 if (opt
->enctypes_strings
.num_strings
== 0) {
99 str
= krb5_config_get_string(context
, NULL
, "libdefaults",
100 "supported_enctypes", NULL
);
102 str
= "aes128-cts-hmac-sha1-96";
103 return krb5_string_to_keysalts2(context
, str
, nks
, ks
);
106 for (i
= 0; i
< opt
->enctypes_strings
.num_strings
; i
++) {
107 if (asprintf(&tmp
, "%s%s%s", i
? s
: "", i
? "," : "",
108 opt
->enctypes_strings
.strings
[i
]) == -1) {
110 return krb5_enomem(context
);
114 ret
= krb5_string_to_keysalts2(context
, s
, nks
, ks
);
120 kt_get(struct get_options
*opt
, int argc
, char **argv
)
122 krb5_error_code ret
= 0;
124 void *kadm_handle
= NULL
;
125 krb5_key_salt_tuple
*ks
= NULL
;
129 unsigned int failed
= 0;
133 if (opt
->keepallold_flag
) {
137 if (opt
->keepold_flag
) {
141 if (opt
->pruneall_flag
) {
146 fprintf(stderr
, "use only one of --keepold, --keepallold, or --pruneall\n");
150 if ((ret
= parse_enctypes(opt
, &nks
, &ks
))) {
151 fprintf(stderr
, "invalid enctype(s)\n");
155 if((keytab
= ktutil_open_keytab()) == NULL
) {
160 if(opt
->realm_string
)
161 krb5_set_default_realm(context
, opt
->realm_string
);
163 for(a
= 0; a
< argc
; a
++){
164 krb5_principal princ_ent
;
165 kadm5_principal_ent_rec princ
;
170 krb5_keytab_entry entry
;
172 ret
= krb5_parse_name(context
, argv
[a
], &princ_ent
);
174 krb5_warn(context
, ret
, "can't parse principal %s", argv
[a
]);
178 memset(&princ
, 0, sizeof(princ
));
179 princ
.principal
= princ_ent
;
180 mask
|= KADM5_PRINCIPAL
;
181 princ
.attributes
|= KRB5_KDB_DISALLOW_ALL_TIX
;
182 mask
|= KADM5_ATTRIBUTES
;
183 princ
.princ_expire_time
= 0;
184 mask
|= KADM5_PRINC_EXPIRE_TIME
;
186 if(kadm_handle
== NULL
) {
188 if(opt
->realm_string
!= NULL
)
189 r
= opt
->realm_string
;
191 r
= krb5_principal_get_realm(context
, princ_ent
);
192 kadm_handle
= open_kadmin_connection(opt
->principal_string
,
194 opt
->admin_server_string
,
195 opt
->server_port_integer
);
196 if(kadm_handle
== NULL
)
200 if (opt
->create_flag
) {
201 ret
= kadm5_create_principal(kadm_handle
, &princ
, mask
, "thisIs_aUseless.password123");
204 else if(ret
!= KADM5_DUP
) {
205 krb5_warn(context
, ret
, "kadm5_create_principal(%s)", argv
[a
]);
206 krb5_free_principal(context
, princ_ent
);
211 if (opt
->change_keys_flag
) {
212 ret
= kadm5_randkey_principal_3(kadm_handle
, princ_ent
, keep
, nks
, ks
,
215 krb5_warn(context
, ret
, "kadm5_randkey_principal(%s)", argv
[a
]);
216 krb5_free_principal(context
, princ_ent
);
222 ret
= kadm5_get_principal(kadm_handle
, princ_ent
, &princ
,
223 KADM5_PRINCIPAL
| KADM5_KVNO
| KADM5_ATTRIBUTES
);
225 krb5_warn(context
, ret
, "kadm5_get_principal(%s)", argv
[a
]);
226 for (j
= 0; j
< n_keys
; j
++)
227 krb5_free_keyblock_contents(context
, &keys
[j
]);
228 krb5_free_principal(context
, princ_ent
);
232 if(!created
&& (princ
.attributes
& KRB5_KDB_DISALLOW_ALL_TIX
))
233 krb5_warnx(context
, "%s: disallow-all-tix flag set - clearing", argv
[a
]);
234 princ
.attributes
&= (~KRB5_KDB_DISALLOW_ALL_TIX
);
235 mask
= KADM5_ATTRIBUTES
;
240 ret
= kadm5_modify_principal(kadm_handle
, &princ
, mask
);
242 krb5_warn(context
, ret
, "kadm5_modify_principal(%s)", argv
[a
]);
243 for (j
= 0; j
< n_keys
; j
++)
244 krb5_free_keyblock_contents(context
, &keys
[j
]);
245 krb5_free_principal(context
, princ_ent
);
249 for(j
= 0; j
< n_keys
; j
++) {
250 entry
.principal
= princ_ent
;
251 entry
.vno
= princ
.kvno
;
252 entry
.keyblock
= keys
[j
];
253 entry
.timestamp
= time (NULL
);
254 ret
= krb5_kt_add_entry(context
, keytab
, &entry
);
256 krb5_warn(context
, ret
, "krb5_kt_add_entry");
257 krb5_free_keyblock_contents(context
, &keys
[j
]);
260 kadm5_free_principal_ent(kadm_handle
, &princ
);
261 krb5_free_principal(context
, princ_ent
);
264 kadm5_destroy(kadm_handle
);
265 krb5_kt_close(context
, keytab
);
267 return ret
!= 0 || failed
> 0;