kadmin/cpw.c

   1 /*
   2  * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 #include "kadmin_locl.h"
  35 #include "kadmin-commands.h"
  36
  37 struct cpw_entry_data {
  38     int keepold;
  39     int random_key;
  40     int random_password;
  41     char *password;
  42     krb5_key_data *key_data;
  43     void *kadm_handle;
  44 };
  45
  46 static int
  47 set_random_key(void *dup_kadm_handle, krb5_principal principal, int keepold)
  48 {
  49     krb5_error_code ret;
  50     int i;
  51     krb5_keyblock *keys;
  52     int num_keys;
  53
  54     ret = kadm5_randkey_principal_3(dup_kadm_handle, principal, keepold, 0,
  55                                     NULL, &keys, &num_keys);
  56     if(ret)
  57         return ret;
  58     for(i = 0; i < num_keys; i++)
  59         krb5_free_keyblock_contents(context, &keys[i]);
  60     free(keys);
  61     return 0;
  62 }
  63
  64 static int
  65 set_random_password(void *dup_kadm_handle,
  66                     krb5_principal principal,
  67                     int keepold)
  68 {
  69     krb5_error_code ret;
  70     char pw[128];
  71     char *princ_name;
  72
  73     ret = krb5_unparse_name(context, principal, &princ_name);
  74     if (ret)
  75         return ret;
  76
  77     random_password(pw, sizeof(pw));
  78     ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold, 0,
  79                                    NULL, pw);
  80     if (ret == 0)
  81         printf ("%s's password set to \"%s\"\n", princ_name, pw);
  82     free(princ_name);
  83     memset_s(pw, sizeof(pw), 0, sizeof(pw));
  84     return ret;
  85 }
  86
  87 static int
  88 set_password(void *dup_kadm_handle,
  89              krb5_principal principal,
  90              char *password,
  91              int keepold)
  92 {
  93     krb5_error_code ret = 0;
  94     char pwbuf[128];
  95     int aret;
  96
  97     if(password == NULL) {
  98         char *princ_name;
  99         char *prompt;
 100
 101         ret = krb5_unparse_name(context, principal, &princ_name);
 102         if (ret)
 103             return ret;
 104         aret = asprintf(&prompt, "%s's Password: ", princ_name);
 105         free (princ_name);
 106         if (aret == -1)
 107             return ENOMEM;
 108         ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt,
 109                                      UI_UTIL_FLAG_VERIFY |
 110                                      UI_UTIL_FLAG_VERIFY_SILENT);
 111         free (prompt);
 112         if(ret){
 113             return KRB5_LIBOS_BADPWDMATCH;
 114         }
 115         password = pwbuf;
 116     }
 117     if(ret == 0)
 118         ret = kadm5_chpass_principal_3(dup_kadm_handle, principal, keepold, 0,
 119                                        NULL, password);
 120     memset_s(pwbuf, sizeof(pwbuf), 0, sizeof(pwbuf));
 121     return ret;
 122 }
 123
 124 static int
 125 set_key_data(void *dup_kadm_handle,
 126              krb5_principal principal,
 127              krb5_key_data *key_data,
 128              int keepold)
 129 {
 130     krb5_error_code ret;
 131
 132     ret = kadm5_chpass_principal_with_key_3(dup_kadm_handle, principal, keepold,
 133                                             3, key_data);
 134     return ret;
 135 }
 136
 137 static int
 138 do_cpw_entry(krb5_principal principal, void *data)
 139 {
 140     struct cpw_entry_data *e = data;
 141
 142     if (e->random_key)
 143         return set_random_key(e->kadm_handle, principal, e->keepold);
 144     else if (e->random_password)
 145         return set_random_password(e->kadm_handle, principal, e->keepold);
 146     else if (e->key_data)
 147         return set_key_data(e->kadm_handle, principal, e->key_data, e->keepold);
 148     else
 149         return set_password(e->kadm_handle, principal, e->password, e->keepold);
 150 }
 151
 152 int
 153 cpw_entry(struct passwd_options *opt, int argc, char **argv)
 154 {
 155     krb5_error_code ret = 0;
 156     int i;
 157     struct cpw_entry_data data;
 158     int num;
 159     krb5_key_data key_data[3];
 160
 161     data.kadm_handle = NULL;
 162     ret = kadm5_dup_context(kadm_handle, &data.kadm_handle);
 163     if (ret)
 164         krb5_err(context, 1, ret, "Could not duplicate kadmin connection");
 165     data.random_key = opt->random_key_flag;
 166     data.random_password = opt->random_password_flag;
 167     data.password = opt->password_string;
 168     data.key_data        = NULL;
 169
 170     /*
 171      * --keepold is the the default, and it should mean "prune all old keys not
 172      * needed to decrypt extant tickets".
 173      */
 174     num = 0;
 175     data.keepold = 1;
 176     if (opt->keepold_flag) {
 177         data.keepold = 1;
 178         num++;
 179     }
 180     if (opt->keepallold_flag) {
 181         data.keepold = 2;
 182         num++;
 183     }
 184     if (opt->pruneall_flag) {
 185         data.keepold = 0;
 186         num++;
 187     }
 188     if (num > 1) {
 189         fprintf(stderr, "use only one of --keepold, --keepallold, and --pruneall\n");
 190         return 1;
 191     }
 192
 193     num = 0;
 194     if (data.random_key)
 195         ++num;
 196     if (data.random_password)
 197         ++num;
 198     if (data.password)
 199         ++num;
 200     if (opt->key_string)
 201         ++num;
 202
 203     if (num > 1) {
 204         fprintf (stderr, "give only one of "
 205                 "--random-key, --random-password, --password, --key\n");
 206         return 1;
 207     }
 208
 209     if (opt->key_string) {
 210         const char *error;
 211
 212         if (parse_des_key (opt->key_string, key_data, &error)) {
 213             fprintf (stderr, "failed parsing key \"%s\": %s\n",
 214                      opt->key_string, error);
 215             return 1;
 216         }
 217         data.key_data = key_data;
 218     }
 219
 220     for(i = 0; i < argc; i++)
 221         ret = foreach_principal(argv[i], do_cpw_entry, "cpw", &data);
 222
 223     kadm5_destroy(data.kadm_handle);
 224
 225     if (data.key_data) {
 226         int16_t dummy;
 227         kadm5_free_key_data (kadm_handle, &dummy, key_data);
 228     }
 229
 230     return ret != 0;
 231 }