/*
 * Copyright (c) 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
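 */

/*
 * Check database for strange configurations on default principals
 */

#include "kadmin_locl.h"
#include "kadmin-commands.h"

RCSID("$Id: check.c 20962 2007-06-07 05:09:24Z lha $");

/*
 * Parse `name' and fetch the matching principal into `ent'.
 *
 * Returns 0 on success, in which case the caller owns `ent' and must
 * release it with kadm5_free_principal_ent().  Returns 1 if the name
 * does not parse (reported with krb5_warn) or if the lookup fails
 * (left silent so the caller can describe what was missing).
 */
static int
get_check_entry(const char *name, kadm5_principal_ent_rec *ent)
{
    krb5_error_code ret;
    krb5_principal principal;

    ret = krb5_parse_name(context, name, &principal);
    if (ret) {
        /* The failing call is krb5_parse_name; the old message named the wrong function. */
        krb5_warn(context, ret, "krb5_parse_name: %s", name);
        return 1;
    }

    memset(ent, 0, sizeof(*ent));
    ret = kadm5_get_principal(kadm_handle, principal, ent, 0);
    krb5_free_principal(context, principal);
    if (ret)
        return 1;

    return 0;
}

/*
 * Return 1 if principal `name' exists in the database, 0 if it does not
 * exist or cannot be fetched.  The fetched entry itself is discarded.
 */
static int
principal_exists(const char *name)
{
    kadm5_principal_ent_rec ent;

    if (get_check_entry(name, &ent) != 0)
        return 0;
    kadm5_free_principal_ent(kadm_handle, &ent);
    return 1;
}

/*
 * foreach_principal() callback: verify that every stored key of
 * `principal' has the length its enctype requires.
 *
 * A mismatch is only reported with krb5_warnx and does not stop the
 * walk.  Returns 1 when the principal name cannot be unparsed, and 0
 * otherwise -- including when the entry cannot be fetched, which is
 * warned about and skipped.  `data' is unused.
 */
static int
do_check_entry(krb5_principal principal, void *data)
{
    krb5_error_code ret;
    kadm5_principal_ent_rec princ;
    char *name;
    int i;

    ret = krb5_unparse_name(context, principal, &name);
    if (ret)
        return 1;

    memset(&princ, 0, sizeof(princ));
    ret = kadm5_get_principal(kadm_handle, principal, &princ,
                              KADM5_PRINCIPAL | KADM5_KEY_DATA);
    if (ret) {
        krb5_warn(context, ret, "Failed to get principal: %s", name);
        free(name);
        return 0;
    }

    for (i = 0; i < princ.n_key_data; i++) {
        krb5_key_data *kd = &princ.key_data[i];
        size_t keysize;

        ret = krb5_enctype_keysize(context, kd->key_data_type[0], &keysize);
        if (ret != 0)
            continue;   /* unknown enctype: nothing to compare against */

        /*
         * key_data_length[0] is the stored key length (a signed 16-bit
         * value).  The old code cast the whole key_data_length array,
         * i.e. printed its address instead of the length; index element
         * 0 and print it as an int so a negative (corrupt) length shows
         * up as such.  krb5_warnx appends the newline itself.
         */
        if (kd->key_data_length[0] < 0 ||
            (size_t)kd->key_data_length[0] != keysize)
            krb5_warnx(context,
                       "Principal %s enctype %d, wrong length: %d",
                       name, (int)kd->key_data_type[0],
                       (int)kd->key_data_length[0]);
    }

    free(name);
    kadm5_free_principal_ent(kadm_handle, &princ);

    return 0;
}

/*
 * kadmin `check' command: sanity-check the well-known principals of a
 * realm.
 *
 * argv[0] names the realm; with no argument the default realm of the
 * krb5 context is used.  The command verifies that krbtgt/REALM@REALM,
 * kadmin/admin@REALM and kadmin/changepw@REALM all exist, that
 * afs@REALM and afs/<lower-cased realm>@REALM do not both exist, and
 * then walks every principal through do_check_entry().  `opt' is
 * unused.
 *
 * Returns 0 on success and 1 on any failure, after printing a
 * diagnostic.  All temporaries are released through the `fail' label,
 * so each name is freed exactly once (an earlier version freed `p' a
 * second time when the strdup() for the AFS cell name failed).
 */
int
check(void *opt, int argc, char **argv)
{
    krb5_error_code ret;
    char *realm = NULL, *p = NULL, *p2 = NULL;
    int found = 0;

    if (argc == 0) {
        ret = krb5_get_default_realm(context, &realm);
        if (ret) {
            krb5_warn(context, ret, "krb5_get_default_realm");
            goto fail;
        }
    } else {
        realm = strdup(argv[0]);
        if (realm == NULL) {
            krb5_warn(context, errno, "malloc");
            goto fail;
        }
    }

    /*
     * krbtgt/REALM@REALM -- for now only its existence is checked; its
     * absence almost certainly means `realm' is not in this database.
     */
    if (asprintf(&p, "%s/%s@%s", KRB5_TGS_NAME, realm, realm) == -1)
        goto asprintf_failed;
    if (!principal_exists(p)) {
        printf("%s doesn't exist, are you sure %s is a realm in your database",
               p, realm);
        goto fail;
    }
    free(p);
    p = NULL;

    /* kadmin/admin@REALM -- required for remote administration. */
    if (asprintf(&p, "kadmin/admin@%s", realm) == -1)
        goto asprintf_failed;
    if (!principal_exists(p)) {
        printf("%s doesn't exist, "
               "there is no way to do remote administration", p);
        goto fail;
    }
    free(p);
    p = NULL;

    /* kadmin/changepw@REALM -- required for the password changing service. */
    if (asprintf(&p, "kadmin/changepw@%s", realm) == -1)
        goto asprintf_failed;
    if (!principal_exists(p)) {
        printf("%s doesn't exist, "
               "there is no way to do change password", p);
        goto fail;
    }
    free(p);
    p = NULL;

    /*
     * Duplicate AFS keys: afs/<cell>@REALM (cell = lower-cased realm)
     * and afs@REALM must not both exist.
     */
    p2 = strdup(realm);
    if (p2 == NULL) {
        krb5_warn(context, errno, "malloc");
        goto fail;
    }
    strlwr(p2);

    if (asprintf(&p, "afs/%s@%s", p2, realm) == -1)
        goto asprintf_failed;
    free(p2);
    p2 = NULL;

    found = principal_exists(p);
    free(p);
    p = NULL;

    if (asprintf(&p, "afs@%s", realm) == -1)
        goto asprintf_failed;
    if (principal_exists(p) && found) {
        krb5_warnx(context, "afs@REALM and afs/cellname@REALM both exists");
        goto fail;
    }
    free(p);
    p = NULL;

    /*
     * Walk every principal.  do_check_entry() only warns, so problems
     * found there do not change the exit status.
     */
    foreach_principal("*", do_check_entry, "check", NULL);

    free(realm);
    return 0;

asprintf_failed:
    /* glibc leaves the pointer undefined after a failed asprintf(). */
    p = NULL;
    krb5_warn(context, errno, "asprintf");
fail:
    free(p);
    free(p2);
    free(realm);
    return 1;
}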