ank.c revision 102644 
1/*
2 * Copyright (c) 1997-2000 Kungliga Tekniska H�gskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include "kadmin_locl.h"
35
36RCSID("$Id: ank.c,v 1.23 2002/06/07 19:05:38 nectar Exp $");
37
38/*
39 * fetch the default principal corresponding to `princ'
40 */
41
42static krb5_error_code
43get_default (kadm5_server_context *context,
44	     krb5_principal princ,
45	     kadm5_principal_ent_t default_ent)
46{
47    krb5_error_code ret;
48    krb5_principal def_principal;
49    krb5_realm *realm = krb5_princ_realm(context->context, princ);
50
51    ret = krb5_make_principal (context->context, &def_principal,
52			       *realm, "default", NULL);
53    if (ret)
54	return ret;
55    ret = kadm5_get_principal (context, def_principal, default_ent,
56			       KADM5_PRINCIPAL_NORMAL_MASK);
57    krb5_free_principal (context->context, def_principal);
58    return ret;
59}
60
61/*
62 * Add the principal `name' to the database.
63 * Prompt for all data not given by the input parameters.
64 */
65
66static krb5_error_code
67add_one_principal (const char *name,
68		   int rand_key,
69		   int rand_password,
70		   int use_defaults,
71		   char *password,
72		   krb5_key_data *key_data,
73		   const char *max_ticket_life,
74		   const char *max_renewable_life,
75		   const char *attributes,
76		   const char *expiration,
77		   const char *pw_expiration)
78{
79    krb5_error_code ret;
80    kadm5_principal_ent_rec princ, defrec;
81    kadm5_principal_ent_rec *default_ent = NULL;
82    krb5_principal princ_ent = NULL;
83    int mask = 0;
84    int default_mask = 0;
85    char pwbuf[1024];
86
87    memset(&princ, 0, sizeof(princ));
88    ret = krb5_parse_name(context, name, &princ_ent);
89    if (ret) {
90	krb5_warn(context, ret, "krb5_parse_name");
91	return ret;
92    }
93    princ.principal = princ_ent;
94    mask |= KADM5_PRINCIPAL;
95
96    ret = set_entry(context, &princ, &mask,
97		    max_ticket_life, max_renewable_life,
98		    expiration, pw_expiration, attributes);
99    if (ret)
100	goto out;
101
102    default_ent = &defrec;
103    ret = get_default (kadm_handle, princ_ent, default_ent);
104    if (ret) {
105	default_ent  = NULL;
106	default_mask = 0;
107    } else {
108	default_mask = KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE |
109	    KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION;
110    }
111
112    if(use_defaults)
113	set_defaults(&princ, &mask, default_ent, default_mask);
114    else
115	edit_entry(&princ, &mask, default_ent, default_mask);
116    if(rand_key || key_data) {
117	princ.attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
118	mask |= KADM5_ATTRIBUTES;
119	strlcpy (pwbuf, "hemlig", sizeof(pwbuf));
120	password = pwbuf;
121    } else if (rand_password) {
122	random_password (pwbuf, sizeof(pwbuf));
123	password = pwbuf;
124    } else if(password == NULL) {
125	char *princ_name;
126	char *prompt;
127
128	krb5_unparse_name(context, princ_ent, &princ_name);
129	asprintf (&prompt, "%s's Password: ", princ_name);
130	free (princ_name);
131	ret = des_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
132	free (prompt);
133	if (ret)
134	    goto out;
135	password = pwbuf;
136    }
137
138    ret = kadm5_create_principal(kadm_handle, &princ, mask, password);
139    if(ret)
140	krb5_warn(context, ret, "kadm5_create_principal");
141    if(rand_key) {
142	krb5_keyblock *new_keys;
143	int n_keys, i;
144	ret = kadm5_randkey_principal(kadm_handle, princ_ent,
145				      &new_keys, &n_keys);
146	if(ret){
147	    krb5_warn(context, ret, "kadm5_randkey_principal");
148	    n_keys = 0;
149	}
150	for(i = 0; i < n_keys; i++)
151	    krb5_free_keyblock_contents(context, &new_keys[i]);
152	if (n_keys > 0)
153	    free(new_keys);
154	kadm5_get_principal(kadm_handle, princ_ent, &princ,
155			    KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
156	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
157	princ.kvno = 1;
158	kadm5_modify_principal(kadm_handle, &princ,
159			       KADM5_ATTRIBUTES | KADM5_KVNO);
160	kadm5_free_principal_ent(kadm_handle, &princ);
161    } else if (key_data) {
162	ret = kadm5_chpass_principal_with_key (kadm_handle, princ_ent,
163					       3, key_data);
164	if (ret) {
165	    krb5_warn(context, ret, "kadm5_chpass_principal_with_key");
166	}
167	kadm5_get_principal(kadm_handle, princ_ent, &princ,
168			    KADM5_PRINCIPAL | KADM5_ATTRIBUTES);
169	princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
170	kadm5_modify_principal(kadm_handle, &princ, KADM5_ATTRIBUTES);
171	kadm5_free_principal_ent(kadm_handle, &princ);
172    } else if (rand_password) {
173	char *princ_name;
174
175	krb5_unparse_name(context, princ_ent, &princ_name);
176	printf ("added %s with password `%s'\n", princ_name, password);
177	free (princ_name);
178    }
179out:
180    if (princ_ent)
181	krb5_free_principal (context, princ_ent);
182    if(default_ent)
183	kadm5_free_principal_ent (context, default_ent);
184    if (password != NULL)
185	memset (password, 0, strlen(password));
186    return ret;
187}
188
189/*
190 * parse the string `key_string' into `key', returning 0 iff succesful.
191 */
192
193/*
194 * the ank command
195 */
196
197static struct getargs args[] = {
198    { "random-key",	'r',	arg_flag,	NULL, "set random key" },
199    { "random-password", 0,	arg_flag,	NULL, "set random password" },
200    { "password",	'p',	arg_string,	NULL, "princial's password" },
201    { "key",		0,	arg_string,	NULL, "DES-key in hex" },
202    { "max-ticket-life",  0,	arg_string,	NULL, "max ticket lifetime",
203      "lifetime"},
204    { "max-renewable-life",  0,	arg_string,	NULL,
205      "max renewable lifetime", "lifetime" },
206    { "attributes",	0,	arg_string,	NULL, "principal attributes",
207      "attributes"},
208    { "expiration-time",0,	arg_string,	NULL, "expiration time",
209      "time"},
210    { "pw-expiration-time", 0,  arg_string,	NULL,
211      "password expiration time", "time"},
212    { "use-defaults",	0,	arg_flag,	NULL, "use default values" }
213};
214
215static int num_args = sizeof(args) / sizeof(args[0]);
216
217static void
218usage(void)
219{
220    arg_printusage (args, num_args, "add", "principal...");
221}
222
223/*
224 * Parse arguments and add all the principals.
225 */
226
227int
228add_new_key(int argc, char **argv)
229{
230    char *password = NULL;
231    char *key = NULL;
232    int random_key = 0;
233    int random_password = 0;
234    int optind = 0;
235    krb5_error_code ret;
236    char *max_ticket_life	= NULL;
237    char *max_renewable_life	= NULL;
238    char *attributes		= NULL;
239    char *expiration		= NULL;
240    char *pw_expiration		= NULL;
241    int use_defaults = 0;
242    int i;
243    int num;
244    krb5_key_data key_data[3];
245    krb5_key_data *kdp = NULL;
246
247    args[0].value = &random_key;
248    args[1].value = &random_password;
249    args[2].value = &password;
250    args[3].value = &key;
251    args[4].value = &max_ticket_life;
252    args[5].value = &max_renewable_life;
253    args[6].value = &attributes;
254    args[7].value = &expiration;
255    args[8].value = &pw_expiration;
256    args[9].value = &use_defaults;
257
258    if(getarg(args, num_args, argc, argv, &optind)) {
259	usage ();
260	return 0;
261    }
262    if(optind == argc) {
263	usage ();
264	return 0;
265    }
266
267    num = 0;
268    if (random_key)
269	++num;
270    if (random_password)
271	++num;
272    if (password)
273	++num;
274    if (key)
275	++num;
276
277    if (num > 1) {
278	printf ("give only one of "
279		"--random-key, --random-password, --password, --key\n");
280	return 0;
281    }
282
283    if (key) {
284	const char *error;
285
286	if (parse_des_key (key, key_data, &error)) {
287	    printf ("failed parsing key `%s': %s\n", key, error);
288	    return 0;
289	}
290	kdp = key_data;
291    }
292
293    for (i = optind; i < argc; ++i) {
294	ret = add_one_principal (argv[i], random_key, random_password,
295				 use_defaults,
296				 password,
297				 kdp,
298				 max_ticket_life,
299				 max_renewable_life,
300				 attributes,
301				 expiration,
302				 pw_expiration);
303	if (ret) {
304	    krb5_warn (context, ret, "adding %s", argv[i]);
305	    break;
306	}
307    }
308    if (kdp) {
309	int16_t dummy = 3;
310	kadm5_free_key_data (kadm_handle, &dummy, key_data);
311    }
312    return 0;
313}
314