1/* $NetBSD: config.c,v 1.1.1.1 2011/04/13 18:14:36 elric Exp $ */ 2 3/* 4 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 
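 */

#include "kdc_locl.h"
#include <krb5/getarg.h>
#include <krb5/parse_bytes.h>

struct dbinfo {
    char *realm;
    char *dbname;
    char *mkey_file;
    struct dbinfo *next;
};

/*
 * Command-line state.  Every `int' option below that starts at -1 uses
 * that value to mean "not given on the command line"; configure() then
 * lets the [kdc] section of the configuration file (or a built-in
 * default) decide.  Anything else was set explicitly and wins.
 */
static char *config_file;		/* location of kdc config file */

static int require_preauth = -1;	/* 1 == require preauth for all principals */
static char *max_request_str;		/* `max_request' as a string */

static int disable_des = -1;
static int enable_v4 = -1;
static int enable_kaserver = -1;
static int enable_524 = -1;
static int enable_v4_cross_realm = -1;

static int builtin_hdb_flag;
static int help_flag;
static int version_flag;

static struct getarg_strings addresses_str;	/* addresses to listen on */

static char *v4_realm;

/* Privilege-separation settings; read by the listener, not by this file. */
char *runas_string;
char *chroot_string;


static struct getargs args[] = {
    {
	"config-file",	'c',	arg_string, &config_file,
	"location of config file",	"file"
    },
    {
	"require-preauth",	'p',	arg_negative_flag, &require_preauth,
	"don't require pa-data in as-reqs"
    },
    {
	"max-request",	0,	arg_string, &max_request_str,
	"max size for a kdc-request", "size"
    },
    { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
    {	"524",		0, 	arg_negative_flag, &enable_524,
	"don't respond to 524 requests"
    },
    {
	"kaserver", 'K', arg_flag,   &enable_kaserver,
	"enable kaserver support"
    },
    {	"kerberos4",	0,	arg_flag, &enable_v4,
	"respond to kerberos 4 requests"
    },
    {
	"v4-realm",	'r',	arg_string, &v4_realm,
	"realm to serve v4-requests for"
    },
    {	"kerberos4-cross-realm",	0,	arg_flag,
	&enable_v4_cross_realm,
	"respond to kerberos 4 requests from foreign realms"
    },
    {	"ports",	'P', 	arg_string, rk_UNCONST(&port_str),
	"ports to listen to", "portspec"
    },
#ifdef SUPPORT_DETACH
#if DETACH_IS_DEFAULT
    {
	"detach",       'D',      arg_negative_flag, &detach_from_console,
	"don't detach from console"
    },
#else
    {
	"detach",       0 ,      arg_flag, &detach_from_console,
	"detach from console"
    },
#endif
#endif
    {	"addresses",	0,	arg_strings, &addresses_str,
	"addresses to listen on", "list of addresses" },
    {	"disable-des",	0,	arg_flag, &disable_des,
	"disable DES" },
    {	"builtin-hdb",	0,	arg_flag,   &builtin_hdb_flag,
	"list builtin hdb backends"},
    {	"runas-user",	0,	arg_string, &runas_string,
	"run as this user when connected to network"
    },
    {	"chroot",	0,	arg_string, &chroot_string,
	"chroot directory to run in"
    },
    {	"help",		'h',	arg_flag,   &help_flag },
    {	"version",	'v',	arg_flag,   &version_flag }
};

static int num_args = sizeof(args) / sizeof(args[0]);

/*
 * Print the option summary and exit the process with status `ret'.
 * Never returns.
 */
static void
usage(int ret)
{
    arg_printusage (args, num_args, NULL, "");
    exit (ret);
}

/*
 * Parse one listen address `str' and add it to the global
 * `explicit_addresses': the first address (first != 0) initialises the
 * set, every later one is appended.  Any failure is fatal, so the KDC
 * never starts listening on a partially built address set.
 */
static void
add_one_address (krb5_context context, const char *str, int first)
{
    krb5_error_code ret;
    krb5_addresses tmp;

    ret = krb5_parse_address (context, str, &tmp);
    if (ret)
	krb5_err (context, 1, ret, "parse_address `%s'", str);
    if (first)
	ret = krb5_copy_addresses(context, &tmp, &explicit_addresses);
    else
	ret = krb5_append_addresses(context, &explicit_addresses, &tmp);
    /* copy/append can fail (allocation); the original code ignored that */
    if (ret)
	krb5_err (context, 1, ret, "adding address `%s'", str);
    krb5_free_addresses (context, &tmp);
}

/*
 * Convert a request-size string (from the command line or the [kdc]
 * max-request setting) into a byte count.  parse_bytes() signals a
 * malformed string with a negative value; that must not be stored in the
 * size_t request limits, where it would silently become an enormous
 * "no limit" value, so it is rejected as a fatal configuration error.
 * `what' names the setting in the error message.
 */
static size_t
parse_max_request(krb5_context context, const char *str, const char *what)
{
    int n = parse_bytes(str, NULL);

    if (n < 0)
	krb5_errx(context, 1, "bad %s value `%s'", what, str);
    return (size_t)n;
}

/*
 * Parse the command line and the configuration file(s) and build the KDC
 * configuration.
 *
 * Precedence: an option given on the command line overrides the
 * corresponding [kdc] setting in the configuration file, which in turn
 * overrides the built-in default.  Options that only print something
 * (--help, --version, --builtin-hdb) exit without starting the KDC.
 *
 * Side effects: sets the globals `max_request_tcp', `max_request_udp',
 * `port_str', `explicit_addresses', `enable_http', `request_log' and
 * (with SUPPORT_DETACH) `detach_from_console', opens the KDC log and
 * may disable the DES enctypes in `context'.
 *
 * Every error is fatal: the function exits via krb5_err()/errx()/usage()
 * rather than returning.  Returns the configuration; the caller keeps it
 * for the lifetime of the process.
 */
krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv)
{
    krb5_kdc_configuration *config;
    krb5_error_code ret;
    int optidx = 0;
    const char *p;

    while(getarg(args, num_args, argc, argv, &optidx))
	warnx("error at argument `%s'", argv[optidx]);

    if(help_flag)
	usage (0);

    if (version_flag) {
	print_version(NULL);
	exit(0);
    }

    if (builtin_hdb_flag) {
	char *list;
	ret = hdb_list_builtin(context, &list);
	if (ret)
	    krb5_err(context, 1, ret, "listing builtin hdb backends");
	printf("builtin hdb backends: %s\n", list);
	free(list);
	exit(0);
    }

    argc -= optidx;
    argv += optidx;

    /* the kdc takes no non-option arguments */
    if (argc != 0)
	usage(1);

    {
	char **files;

	if (config_file == NULL) {
	    /*
	     * On failure asprintf() leaves the pointer undefined on some
	     * platforms, so check the return value, not only the pointer.
	     */
	    if (asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)) < 0
		|| config_file == NULL)
		errx(1, "out of memory");
	}

	ret = krb5_prepend_config_files_default(config_file, &files);
	if (ret)
	    krb5_err(context, 1, ret, "getting configuration files");

	ret = krb5_set_config_files(context, files);
	krb5_free_config_files(files);
	if(ret)
	    krb5_err(context, 1, ret, "reading configuration files");
    }

    ret = krb5_kdc_get_config(context, &config);
    if (ret)
	krb5_err(context, 1, ret, "krb5_kdc_default_config");

    kdc_openlog(context, "kdc", config);

    ret = krb5_kdc_set_dbinfo(context, config);
    if (ret)
	krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");

    /* request size limit: command line, then [kdc]max-request, then 64k */
    if(max_request_str)
	max_request_tcp = max_request_udp =
	    parse_max_request(context, max_request_str, "max-request");

    if(max_request_tcp == 0){
	p = krb5_config_get_string (context,
				    NULL,
				    "kdc",
				    "max-request",
				    NULL);
	if(p)
	    max_request_tcp = max_request_udp =
		parse_max_request(context, p, "[kdc]max-request");
    }

    if(require_preauth != -1)
	config->require_preauth = require_preauth;

    if(port_str == NULL){
	p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL);
	if (p != NULL) {
	    port_str = strdup(p);
	    if (port_str == NULL)
		errx(1, "out of memory");
	}
    }

    explicit_addresses.len = 0;

    if (addresses_str.num_strings) {
	int i;

	for (i = 0; i < addresses_str.num_strings; ++i)
	    add_one_address (context, addresses_str.strings[i], i == 0);
	free_getarg_strings (&addresses_str);
    } else {
	char **foo = krb5_config_get_strings (context, NULL,
					      "kdc", "addresses", NULL);

	if (foo != NULL) {
	    char **q;

	    /* the list is NULL-terminated; keep `foo' itself to free it */
	    for (q = foo; *q != NULL; ++q)
		add_one_address (context, *q, q == foo);
	    krb5_config_free_strings (foo);
	}
    }

    if(enable_v4 != -1)
	config->enable_v4 = enable_v4;

    if(enable_v4_cross_realm != -1)
	config->enable_v4_cross_realm = enable_v4_cross_realm;

    if(enable_524 != -1)
	config->enable_524 = enable_524;

    if(enable_http == -1)
	enable_http = krb5_config_get_bool(context, NULL, "kdc",
					   "enable-http", NULL);

    if(request_log == NULL)
	request_log = krb5_config_get_string(context, NULL,
					     "kdc",
					     "kdc-request-log",
					     NULL);

    /* refuse to run with the old, no longer honoured, setting present */
    if (krb5_config_get_string(context, NULL, "kdc",
			       "enforce-transited-policy", NULL))
	krb5_errx(context, 1, "enforce-transited-policy deprecated, "
		  "use [kdc]transited-policy instead");

    if (enable_kaserver != -1)
	config->enable_kaserver = enable_kaserver;

#ifdef SUPPORT_DETACH
    if(detach_from_console == -1)
	detach_from_console = krb5_config_get_bool_default(context, NULL,
							   DETACH_IS_DEFAULT,
							   "kdc",
							   "detach", NULL);
#endif /* SUPPORT_DETACH */

    if(max_request_tcp == 0)
	max_request_tcp = 64 * 1024;
    if(max_request_udp == 0)
	max_request_udp = 64 * 1024;

    if (port_str == NULL)
	port_str = "+";

    if (v4_realm)
	config->v4_realm = v4_realm;

    if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4))
	krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured");

    if(disable_des == -1)
	disable_des = krb5_config_get_bool_default(context, NULL,
						   FALSE,
						   "kdc",
						   "disable-des", NULL);
    if(disable_des) {
	krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
	krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
	krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
	krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
	krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
	krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);

	/*
	 * The v4, 524 and kaserver protocols cannot work without DES, so
	 * they are switched off together with the enctypes, whatever the
	 * command line or configuration asked for.
	 */
	kdc_log(context, config,
		0, "DES was disabled, turned off Kerberos V4, 524 "
		"and kaserver");
	config->enable_v4 = 0;
	config->enable_524 = 0;
	config->enable_kaserver = 0;
    }

    krb5_kdc_windc_init(context);

    krb5_kdc_pkinit_config(context, config);

    return config;
}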