ae77177087
several new kerberos related libraries and applications to FreeBSD: o kgetcred(1) allows one to manually get a ticket for a particular service. o kf(1) securily forwards ticket to another host through an authenticated and encrypted stream. o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now. o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM. o hxtool(1) is a certificate management tool to use with PKINIT. o string2key(1) maps a password into key. o kdigest(8) is a userland tool to access the KDC's digest interface. o kimpersonate(8) creates a "fake" ticket for a service. We also now install manpages for some lirbaries that were not installed before, libheimntlm and libhx509. - The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5. - Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf. - libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next. - Heimdal's KDC now require sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well. - This is not a latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
525 lines
15 KiB
C
525 lines
15 KiB
C
/*
|
|
* Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "kadmin_locl.h"
|
|
#include "kadmin-commands.h"
|
|
#include <parse_units.h>
|
|
#include <rtbl.h>
|
|
|
|
static struct field_name {
|
|
const char *fieldname;
|
|
unsigned int fieldvalue;
|
|
unsigned int subvalue;
|
|
uint32_t extra_mask;
|
|
const char *default_header;
|
|
const char *def_longheader;
|
|
unsigned int flags;
|
|
} field_names[] = {
|
|
{ "principal", KADM5_PRINCIPAL, 0, 0, "Principal", "Principal", 0 },
|
|
{ "princ_expire_time", KADM5_PRINC_EXPIRE_TIME, 0, 0, "Expiration", "Principal expires", 0 },
|
|
{ "pw_expiration", KADM5_PW_EXPIRATION, 0, 0, "PW-exp", "Password expires", 0 },
|
|
{ "last_pwd_change", KADM5_LAST_PWD_CHANGE, 0, 0, "PW-change", "Last password change", 0 },
|
|
{ "max_life", KADM5_MAX_LIFE, 0, 0, "Max life", "Max ticket life", 0 },
|
|
{ "max_rlife", KADM5_MAX_RLIFE, 0, 0, "Max renew", "Max renewable life", 0 },
|
|
{ "mod_time", KADM5_MOD_TIME, 0, 0, "Mod time", "Last modified", 0 },
|
|
{ "mod_name", KADM5_MOD_NAME, 0, 0, "Modifier", "Modifier", 0 },
|
|
{ "attributes", KADM5_ATTRIBUTES, 0, 0, "Attributes", "Attributes", 0 },
|
|
{ "kvno", KADM5_KVNO, 0, 0, "Kvno", "Kvno", RTBL_ALIGN_RIGHT },
|
|
{ "mkvno", KADM5_MKVNO, 0, 0, "Mkvno", "Mkvno", RTBL_ALIGN_RIGHT },
|
|
{ "last_success", KADM5_LAST_SUCCESS, 0, 0, "Last login", "Last successful login", 0 },
|
|
{ "last_failed", KADM5_LAST_FAILED, 0, 0, "Last fail", "Last failed login", 0 },
|
|
{ "fail_auth_count", KADM5_FAIL_AUTH_COUNT, 0, 0, "Fail count", "Failed login count", RTBL_ALIGN_RIGHT },
|
|
{ "policy", KADM5_POLICY, 0, 0, "Policy", "Policy", 0 },
|
|
{ "keytypes", KADM5_KEY_DATA, 0, KADM5_PRINCIPAL, "Keytypes", "Keytypes", 0 },
|
|
{ "password", KADM5_TL_DATA, KRB5_TL_PASSWORD, KADM5_KEY_DATA, "Password", "Password", 0 },
|
|
{ "pkinit-acl", KADM5_TL_DATA, KRB5_TL_PKINIT_ACL, 0, "PK-INIT ACL", "PK-INIT ACL", 0 },
|
|
{ "aliases", KADM5_TL_DATA, KRB5_TL_ALIASES, 0, "Aliases", "Aliases", 0 },
|
|
{ NULL }
|
|
};
|
|
|
|
struct field_info {
|
|
struct field_name *ff;
|
|
char *header;
|
|
struct field_info *next;
|
|
};
|
|
|
|
struct get_entry_data {
|
|
void (*format)(struct get_entry_data*, kadm5_principal_ent_t);
|
|
rtbl_t table;
|
|
uint32_t mask;
|
|
uint32_t extra_mask;
|
|
struct field_info *chead, **ctail;
|
|
};
|
|
|
|
static int
|
|
add_column(struct get_entry_data *data, struct field_name *ff, const char *header)
|
|
{
|
|
struct field_info *f = malloc(sizeof(*f));
|
|
if (f == NULL)
|
|
return ENOMEM;
|
|
f->ff = ff;
|
|
if(header)
|
|
f->header = strdup(header);
|
|
else
|
|
f->header = NULL;
|
|
f->next = NULL;
|
|
*data->ctail = f;
|
|
data->ctail = &f->next;
|
|
data->mask |= ff->fieldvalue;
|
|
data->extra_mask |= ff->extra_mask;
|
|
if(data->table != NULL)
|
|
rtbl_add_column_by_id(data->table, ff->fieldvalue,
|
|
header ? header : ff->default_header, ff->flags);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* return 0 iff `salt' actually is the same as the current salt in `k'
|
|
*/
|
|
|
|
static int
|
|
cmp_salt (const krb5_salt *salt, const krb5_key_data *k)
|
|
{
|
|
if (salt->salttype != (size_t)k->key_data_type[1])
|
|
return 1;
|
|
if (salt->saltvalue.length != (size_t)k->key_data_length[1])
|
|
return 1;
|
|
return memcmp (salt->saltvalue.data, k->key_data_contents[1],
|
|
salt->saltvalue.length);
|
|
}
|
|
|
|
static void
|
|
format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len)
|
|
{
|
|
krb5_error_code ret;
|
|
char *s;
|
|
|
|
ret = krb5_enctype_to_string (context,
|
|
k->key_data_type[0],
|
|
&s);
|
|
if (ret)
|
|
asprintf (&s, "unknown(%d)", k->key_data_type[0]);
|
|
strlcpy(buf, s, buf_len);
|
|
free(s);
|
|
|
|
strlcat(buf, "(", buf_len);
|
|
|
|
ret = krb5_salttype_to_string (context,
|
|
k->key_data_type[0],
|
|
k->key_data_type[1],
|
|
&s);
|
|
if (ret)
|
|
asprintf (&s, "unknown(%d)", k->key_data_type[1]);
|
|
strlcat(buf, s, buf_len);
|
|
free(s);
|
|
|
|
if (cmp_salt(def_salt, k) == 0)
|
|
s = strdup("");
|
|
else if(k->key_data_length[1] == 0)
|
|
s = strdup("()");
|
|
else
|
|
asprintf (&s, "(%.*s)", k->key_data_length[1],
|
|
(char *)k->key_data_contents[1]);
|
|
strlcat(buf, s, buf_len);
|
|
free(s);
|
|
|
|
strlcat(buf, ")", buf_len);
|
|
}
|
|
|
|
static void
|
|
format_field(kadm5_principal_ent_t princ, unsigned int field,
|
|
unsigned int subfield, char *buf, size_t buf_len, int condensed)
|
|
{
|
|
switch(field) {
|
|
case KADM5_PRINCIPAL:
|
|
if(condensed)
|
|
krb5_unparse_name_fixed_short(context, princ->principal, buf, buf_len);
|
|
else
|
|
krb5_unparse_name_fixed(context, princ->principal, buf, buf_len);
|
|
break;
|
|
|
|
case KADM5_PRINC_EXPIRE_TIME:
|
|
time_t2str(princ->princ_expire_time, buf, buf_len, !condensed);
|
|
break;
|
|
|
|
case KADM5_PW_EXPIRATION:
|
|
time_t2str(princ->pw_expiration, buf, buf_len, !condensed);
|
|
break;
|
|
|
|
case KADM5_LAST_PWD_CHANGE:
|
|
time_t2str(princ->last_pwd_change, buf, buf_len, !condensed);
|
|
break;
|
|
|
|
case KADM5_MAX_LIFE:
|
|
deltat2str(princ->max_life, buf, buf_len);
|
|
break;
|
|
|
|
case KADM5_MAX_RLIFE:
|
|
deltat2str(princ->max_renewable_life, buf, buf_len);
|
|
break;
|
|
|
|
case KADM5_MOD_TIME:
|
|
time_t2str(princ->mod_date, buf, buf_len, !condensed);
|
|
break;
|
|
|
|
case KADM5_MOD_NAME:
|
|
if (princ->mod_name == NULL)
|
|
strlcpy(buf, "unknown", buf_len);
|
|
else if(condensed)
|
|
krb5_unparse_name_fixed_short(context, princ->mod_name, buf, buf_len);
|
|
else
|
|
krb5_unparse_name_fixed(context, princ->mod_name, buf, buf_len);
|
|
break;
|
|
case KADM5_ATTRIBUTES:
|
|
attributes2str (princ->attributes, buf, buf_len);
|
|
break;
|
|
case KADM5_KVNO:
|
|
snprintf(buf, buf_len, "%d", princ->kvno);
|
|
break;
|
|
case KADM5_MKVNO:
|
|
/* XXX libkadm5srv decrypts the keys, so mkvno is always 0. */
|
|
strlcpy(buf, "unknown", buf_len);
|
|
break;
|
|
case KADM5_LAST_SUCCESS:
|
|
time_t2str(princ->last_success, buf, buf_len, !condensed);
|
|
break;
|
|
case KADM5_LAST_FAILED:
|
|
time_t2str(princ->last_failed, buf, buf_len, !condensed);
|
|
break;
|
|
case KADM5_FAIL_AUTH_COUNT:
|
|
snprintf(buf, buf_len, "%d", princ->fail_auth_count);
|
|
break;
|
|
case KADM5_POLICY:
|
|
if(princ->policy != NULL)
|
|
strlcpy(buf, princ->policy, buf_len);
|
|
else
|
|
strlcpy(buf, "none", buf_len);
|
|
break;
|
|
case KADM5_KEY_DATA:{
|
|
krb5_salt def_salt;
|
|
int i;
|
|
char buf2[1024];
|
|
krb5_get_pw_salt (context, princ->principal, &def_salt);
|
|
|
|
*buf = '\0';
|
|
for (i = 0; i < princ->n_key_data; ++i) {
|
|
format_keytype(&princ->key_data[i], &def_salt, buf2, sizeof(buf2));
|
|
if(i > 0)
|
|
strlcat(buf, ", ", buf_len);
|
|
strlcat(buf, buf2, buf_len);
|
|
}
|
|
krb5_free_salt (context, def_salt);
|
|
break;
|
|
}
|
|
case KADM5_TL_DATA: {
|
|
krb5_tl_data *tl;
|
|
|
|
for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next)
|
|
if ((unsigned)tl->tl_data_type == subfield)
|
|
break;
|
|
if (tl == NULL) {
|
|
strlcpy(buf, "", buf_len);
|
|
break;
|
|
}
|
|
|
|
switch (subfield) {
|
|
case KRB5_TL_PASSWORD:
|
|
snprintf(buf, buf_len, "\"%.*s\"",
|
|
(int)tl->tl_data_length,
|
|
(const char *)tl->tl_data_contents);
|
|
break;
|
|
case KRB5_TL_PKINIT_ACL: {
|
|
HDB_Ext_PKINIT_acl acl;
|
|
size_t size;
|
|
int ret;
|
|
size_t i;
|
|
|
|
ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents,
|
|
tl->tl_data_length,
|
|
&acl,
|
|
&size);
|
|
if (ret) {
|
|
snprintf(buf, buf_len, "failed to decode ACL");
|
|
break;
|
|
}
|
|
|
|
buf[0] = '\0';
|
|
for (i = 0; i < acl.len; i++) {
|
|
strlcat(buf, "subject: ", buf_len);
|
|
strlcat(buf, acl.val[i].subject, buf_len);
|
|
if (acl.val[i].issuer) {
|
|
strlcat(buf, " issuer:", buf_len);
|
|
strlcat(buf, *acl.val[i].issuer, buf_len);
|
|
}
|
|
if (acl.val[i].anchor) {
|
|
strlcat(buf, " anchor:", buf_len);
|
|
strlcat(buf, *acl.val[i].anchor, buf_len);
|
|
}
|
|
if (i + 1 < acl.len)
|
|
strlcat(buf, ", ", buf_len);
|
|
}
|
|
free_HDB_Ext_PKINIT_acl(&acl);
|
|
break;
|
|
}
|
|
case KRB5_TL_ALIASES: {
|
|
HDB_Ext_Aliases alias;
|
|
size_t size;
|
|
int ret;
|
|
size_t i;
|
|
|
|
ret = decode_HDB_Ext_Aliases(tl->tl_data_contents,
|
|
tl->tl_data_length,
|
|
&alias,
|
|
&size);
|
|
if (ret) {
|
|
snprintf(buf, buf_len, "failed to decode alias");
|
|
break;
|
|
}
|
|
buf[0] = '\0';
|
|
for (i = 0; i < alias.aliases.len; i++) {
|
|
char *p;
|
|
ret = krb5_unparse_name(context, &alias.aliases.val[i], &p);
|
|
if (ret)
|
|
break;
|
|
if (i > 0)
|
|
strlcat(buf, " ", buf_len);
|
|
strlcat(buf, p, buf_len);
|
|
free(p);
|
|
}
|
|
free_HDB_Ext_Aliases(&alias);
|
|
break;
|
|
}
|
|
default:
|
|
snprintf(buf, buf_len, "unknown type %d", subfield);
|
|
break;
|
|
}
|
|
break;
|
|
}
|
|
default:
|
|
strlcpy(buf, "<unknown>", buf_len);
|
|
break;
|
|
}
|
|
}
|
|
|
|
static void
|
|
print_entry_short(struct get_entry_data *data, kadm5_principal_ent_t princ)
|
|
{
|
|
char buf[1024];
|
|
struct field_info *f;
|
|
|
|
for(f = data->chead; f != NULL; f = f->next) {
|
|
format_field(princ, f->ff->fieldvalue, f->ff->subvalue, buf, sizeof(buf), 1);
|
|
rtbl_add_column_entry_by_id(data->table, f->ff->fieldvalue, buf);
|
|
}
|
|
}
|
|
|
|
static void
|
|
print_entry_long(struct get_entry_data *data, kadm5_principal_ent_t princ)
|
|
{
|
|
char buf[1024];
|
|
struct field_info *f;
|
|
int width = 0;
|
|
|
|
for(f = data->chead; f != NULL; f = f->next) {
|
|
int w = strlen(f->header ? f->header : f->ff->def_longheader);
|
|
if(w > width)
|
|
width = w;
|
|
}
|
|
for(f = data->chead; f != NULL; f = f->next) {
|
|
format_field(princ, f->ff->fieldvalue, f->ff->subvalue, buf, sizeof(buf), 0);
|
|
printf("%*s: %s\n", width, f->header ? f->header : f->ff->def_longheader, buf);
|
|
}
|
|
printf("\n");
|
|
}
|
|
|
|
static int
|
|
do_get_entry(krb5_principal principal, void *data)
|
|
{
|
|
kadm5_principal_ent_rec princ;
|
|
krb5_error_code ret;
|
|
struct get_entry_data *e = data;
|
|
|
|
memset(&princ, 0, sizeof(princ));
|
|
ret = kadm5_get_principal(kadm_handle, principal,
|
|
&princ,
|
|
e->mask | e->extra_mask);
|
|
if(ret)
|
|
return ret;
|
|
else {
|
|
(e->format)(e, &princ);
|
|
kadm5_free_principal_ent(kadm_handle, &princ);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void
|
|
free_columns(struct get_entry_data *data)
|
|
{
|
|
struct field_info *f, *next;
|
|
for(f = data->chead; f != NULL; f = next) {
|
|
free(f->header);
|
|
next = f->next;
|
|
free(f);
|
|
}
|
|
data->chead = NULL;
|
|
data->ctail = &data->chead;
|
|
}
|
|
|
|
static int
|
|
setup_columns(struct get_entry_data *data, const char *column_info)
|
|
{
|
|
char buf[1024], *q;
|
|
char *field, *header;
|
|
struct field_name *f;
|
|
|
|
while(strsep_copy(&column_info, ",", buf, sizeof(buf)) != -1) {
|
|
q = buf;
|
|
field = strsep(&q, "=");
|
|
header = strsep(&q, "=");
|
|
for(f = field_names; f->fieldname != NULL; f++) {
|
|
if(strcasecmp(field, f->fieldname) == 0) {
|
|
add_column(data, f, header);
|
|
break;
|
|
}
|
|
}
|
|
if(f->fieldname == NULL) {
|
|
krb5_warnx(context, "unknown field name \"%s\"", field);
|
|
free_columns(data);
|
|
return -1;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
do_list_entry(krb5_principal principal, void *data)
|
|
{
|
|
char buf[1024];
|
|
krb5_error_code ret;
|
|
|
|
ret = krb5_unparse_name_fixed_short(context, principal, buf, sizeof(buf));
|
|
if (ret != 0)
|
|
return ret;
|
|
printf("%s\n", buf);
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
listit(const char *funcname, int argc, char **argv)
|
|
{
|
|
int i;
|
|
krb5_error_code ret, saved_ret = 0;
|
|
|
|
for (i = 0; i < argc; i++) {
|
|
ret = foreach_principal(argv[i], do_list_entry, funcname, NULL);
|
|
if (saved_ret == 0 && ret != 0)
|
|
saved_ret = ret;
|
|
}
|
|
return saved_ret != 0;
|
|
}
|
|
|
|
#define DEFAULT_COLUMNS_SHORT "principal,princ_expire_time,pw_expiration,last_pwd_change,max_life,max_rlife"
|
|
#define DEFAULT_COLUMNS_LONG "principal,princ_expire_time,pw_expiration,last_pwd_change,max_life,max_rlife,kvno,mkvno,last_success,last_failed,fail_auth_count,mod_time,mod_name,attributes,keytypes,pkinit-acl,aliases"
|
|
|
|
static int
|
|
getit(struct get_options *opt, const char *name, int argc, char **argv)
|
|
{
|
|
int i;
|
|
krb5_error_code ret;
|
|
struct get_entry_data data;
|
|
|
|
if(opt->long_flag == -1 && (opt->short_flag == 1 || opt->terse_flag == 1))
|
|
opt->long_flag = 0;
|
|
if(opt->short_flag == -1 && (opt->long_flag == 1 || opt->terse_flag == 1))
|
|
opt->short_flag = 0;
|
|
if(opt->terse_flag == -1 && (opt->long_flag == 1 || opt->short_flag == 1))
|
|
opt->terse_flag = 0;
|
|
if(opt->long_flag == 0 && opt->short_flag == 0 && opt->terse_flag == 0)
|
|
opt->short_flag = 1;
|
|
|
|
if (opt->terse_flag)
|
|
return listit(name, argc, argv);
|
|
|
|
data.table = NULL;
|
|
data.chead = NULL;
|
|
data.ctail = &data.chead;
|
|
data.mask = 0;
|
|
data.extra_mask = 0;
|
|
|
|
if(opt->short_flag) {
|
|
data.table = rtbl_create();
|
|
rtbl_set_separator(data.table, " ");
|
|
data.format = print_entry_short;
|
|
} else
|
|
data.format = print_entry_long;
|
|
if(opt->column_info_string == NULL) {
|
|
if(opt->long_flag)
|
|
ret = setup_columns(&data, DEFAULT_COLUMNS_LONG);
|
|
else
|
|
ret = setup_columns(&data, DEFAULT_COLUMNS_SHORT);
|
|
} else
|
|
ret = setup_columns(&data, opt->column_info_string);
|
|
|
|
if(ret != 0) {
|
|
if(data.table != NULL)
|
|
rtbl_destroy(data.table);
|
|
return 0;
|
|
}
|
|
|
|
for(i = 0; i < argc; i++)
|
|
ret = foreach_principal(argv[i], do_get_entry, name, &data);
|
|
|
|
if(data.table != NULL) {
|
|
rtbl_format(data.table, stdout);
|
|
rtbl_destroy(data.table);
|
|
}
|
|
free_columns(&data);
|
|
return ret != 0;
|
|
}
|
|
|
|
int
|
|
get_entry(struct get_options *opt, int argc, char **argv)
|
|
{
|
|
return getit(opt, "get", argc, argv);
|
|
}
|
|
|
|
int
|
|
list_princs(struct list_options *opt, int argc, char **argv)
|
|
{
|
|
if(sizeof(struct get_options) != sizeof(struct list_options)) {
|
|
krb5_warnx(context, "programmer error: sizeof(struct get_options) != sizeof(struct list_options)");
|
|
return 0;
|
|
}
|
|
return getit((struct get_options*)opt, "list", argc, argv);
|
|
}
|