d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2b519b1707
freebsd-dev/crypto/heimdal/lib/kadm5/admin.h
Stanislav Sedov ae77177087 - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings 
several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securily forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some lirbaries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now require sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not a latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.
2012-03-22 08:48:42 +00:00

259 lines
8.0 KiB
C
Raw Blame History

/*
* Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef __KADM5_ADMIN_H__
#define __KADM5_ADMIN_H__
#define KADM5_API_VERSION_1 1
#define KADM5_API_VERSION_2 2
#ifndef USE_KADM5_API_VERSION
#define USE_KADM5_API_VERSION KADM5_API_VERSION_2
#endif
#if USE_KADM5_API_VERSION != KADM5_API_VERSION_2
#error No support for API versions other than 2
#endif
#define KADM5_STRUCT_VERSION 0
#include <krb5.h>
#define KRB5_KDB_DISALLOW_POSTDATED 0x00000001
#define KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002
#define KRB5_KDB_DISALLOW_TGT_BASED 0x00000004
#define KRB5_KDB_DISALLOW_RENEWABLE 0x00000008
#define KRB5_KDB_DISALLOW_PROXIABLE 0x00000010
#define KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
#define KRB5_KDB_REQUIRES_HW_AUTH 0x00000100
#define KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
#define KRB5_KDB_DISALLOW_SVR 0x00001000
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
#define KRB5_KDB_TRUSTED_FOR_DELEGATION 0x00020000
#define KRB5_KDB_ALLOW_KERBEROS4 0x00040000
#define KRB5_KDB_ALLOW_DIGEST 0x00080000
#define KADM5_PRINCIPAL 0x000001
#define KADM5_PRINC_EXPIRE_TIME 0x000002
#define KADM5_PW_EXPIRATION 0x000004
#define KADM5_LAST_PWD_CHANGE 0x000008
#define KADM5_ATTRIBUTES 0x000010
#define KADM5_MAX_LIFE 0x000020
#define KADM5_MOD_TIME 0x000040
#define KADM5_MOD_NAME 0x000080
#define KADM5_KVNO 0x000100
#define KADM5_MKVNO 0x000200
#define KADM5_AUX_ATTRIBUTES 0x000400
#define KADM5_POLICY 0x000800
#define KADM5_POLICY_CLR 0x001000
#define KADM5_MAX_RLIFE 0x002000
#define KADM5_LAST_SUCCESS 0x004000
#define KADM5_LAST_FAILED 0x008000
#define KADM5_FAIL_AUTH_COUNT 0x010000
#define KADM5_KEY_DATA 0x020000
#define KADM5_TL_DATA 0x040000
#define KADM5_PRINCIPAL_NORMAL_MASK (~(KADM5_KEY_DATA | KADM5_TL_DATA))
#define KADM5_PW_MAX_LIFE 0x004000
#define KADM5_PW_MIN_LIFE 0x008000
#define KADM5_PW_MIN_LENGTH 0x010000
#define KADM5_PW_MIN_CLASSES 0x020000
#define KADM5_PW_HISTORY_NUM 0x040000
#define KADM5_REF_COUNT 0x080000
#define KADM5_POLICY_NORMAL_MASK (~0)
#define KADM5_ADMIN_SERVICE "kadmin/admin"
#define KADM5_HIST_PRINCIPAL "kadmin/history"
#define KADM5_CHANGEPW_SERVICE "kadmin/changepw"
typedef struct {
int16_t key_data_ver; /* Version */
int16_t key_data_kvno; /* Key Version */
int16_t key_data_type[2]; /* Array of types */
int16_t key_data_length[2]; /* Array of lengths */
void* key_data_contents[2];/* Array of pointers */
} krb5_key_data;
typedef struct _krb5_tl_data {
struct _krb5_tl_data* tl_data_next;
int16_t tl_data_type;
int16_t tl_data_length;
void* tl_data_contents;
} krb5_tl_data;
#define KRB5_TL_LAST_PWD_CHANGE 0x0001
#define KRB5_TL_MOD_PRINC 0x0002
#define KRB5_TL_KADM_DATA 0x0003
#define KRB5_TL_KADM5_E_DATA 0x0004
#define KRB5_TL_RB1_CHALLENGE 0x0005
#define KRB5_TL_SECURID_STATE 0x0006
#define KRB5_TL_PASSWORD 0x0007
#define KRB5_TL_EXTENSION 0x0008
#define KRB5_TL_PKINIT_ACL 0x0009
#define KRB5_TL_ALIASES 0x000a
typedef struct _kadm5_principal_ent_t {
krb5_principal principal;
krb5_timestamp princ_expire_time;
krb5_timestamp last_pwd_change;
krb5_timestamp pw_expiration;
krb5_deltat max_life;
krb5_principal mod_name;
krb5_timestamp mod_date;
krb5_flags attributes;
krb5_kvno kvno;
krb5_kvno mkvno;
char * policy;
uint32_t aux_attributes;
krb5_deltat max_renewable_life;
krb5_timestamp last_success;
krb5_timestamp last_failed;
krb5_kvno fail_auth_count;
int16_t n_key_data;
int16_t n_tl_data;
krb5_tl_data *tl_data;
krb5_key_data *key_data;
} kadm5_principal_ent_rec, *kadm5_principal_ent_t;
typedef struct _kadm5_policy_ent_t {
char *policy;
uint32_t pw_min_life;
uint32_t pw_max_life;
uint32_t pw_min_length;
uint32_t pw_min_classes;
uint32_t pw_history_num;
uint32_t policy_refcnt;
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
#define KADM5_CONFIG_REALM (1 << 0)
#define KADM5_CONFIG_PROFILE (1 << 1)
#define KADM5_CONFIG_KADMIND_PORT (1 << 2)
#define KADM5_CONFIG_ADMIN_SERVER (1 << 3)
#define KADM5_CONFIG_DBNAME (1 << 4)
#define KADM5_CONFIG_ADBNAME (1 << 5)
#define KADM5_CONFIG_ADB_LOCKFILE (1 << 6)
#define KADM5_CONFIG_ACL_FILE (1 << 7)
#define KADM5_CONFIG_DICT_FILE (1 << 8)
#define KADM5_CONFIG_ADMIN_KEYTAB (1 << 9)
#define KADM5_CONFIG_MKEY_FROM_KEYBOARD (1 << 10)
#define KADM5_CONFIG_STASH_FILE (1 << 11)
#define KADM5_CONFIG_MKEY_NAME (1 << 12)
#define KADM5_CONFIG_ENCTYPE (1 << 13)
#define KADM5_CONFIG_MAX_LIFE (1 << 14)
#define KADM5_CONFIG_MAX_RLIFE (1 << 15)
#define KADM5_CONFIG_EXPIRATION (1 << 16)
#define KADM5_CONFIG_FLAGS (1 << 17)
#define KADM5_CONFIG_ENCTYPES (1 << 18)
#define KADM5_PRIV_GET (1 << 0)
#define KADM5_PRIV_ADD (1 << 1)
#define KADM5_PRIV_MODIFY (1 << 2)
#define KADM5_PRIV_DELETE (1 << 3)
#define KADM5_PRIV_LIST (1 << 4)
#define KADM5_PRIV_CPW (1 << 5)
#define KADM5_PRIV_ALL (KADM5_PRIV_GET | KADM5_PRIV_ADD | KADM5_PRIV_MODIFY | KADM5_PRIV_DELETE | KADM5_PRIV_LIST | KADM5_PRIV_CPW)
typedef struct {
int XXX;
}krb5_key_salt_tuple;
typedef struct _kadm5_config_params {
uint32_t mask;
/* Client and server fields */
char *realm;
int kadmind_port;
/* client fields */
char *admin_server;
/* server fields */
char *dbname;
char *acl_file;
/* server library (database) fields */
char *stash_file;
} kadm5_config_params;
typedef krb5_error_code kadm5_ret_t;
#include "kadm5-protos.h"
#if 0
/* unimplemented functions */
kadm5_ret_t
kadm5_decrypt_key(void *server_handle,
kadm5_principal_ent_t entry, int32_t
ktype, int32_t stype, int32_t
kvno, krb5_keyblock *keyblock,
krb5_keysalt *keysalt, int *kvnop);
kadm5_ret_t
kadm5_create_policy(void *server_handle,
kadm5_policy_ent_t policy, uint32_t mask);
kadm5_ret_t
kadm5_delete_policy(void *server_handle, char *policy);
kadm5_ret_t
kadm5_modify_policy(void *server_handle,
kadm5_policy_ent_t policy,
uint32_t mask);
kadm5_ret_t
kadm5_get_policy(void *server_handle, char *policy, kadm5_policy_ent_t ent);
kadm5_ret_t
kadm5_get_policies(void *server_handle, char *exp,
char ***pols, int *count);
void
kadm5_free_policy_ent(kadm5_policy_ent_t policy);
#endif
#endif /* __KADM5_ADMIN_H__ */
Reference in New Issue View Git Blame Copy Permalink