kadmin: Check for errors in init

This commit is contained in:
Nicolas Williams
2022-01-17 00:45:08 -06:00
parent fc5f917a66
commit 0f843189a4


@@ -127,21 +127,21 @@ init(struct init_options *opt, int argc, char **argv)
if (!local_flag) { if (!local_flag) {
krb5_warnx(context, "init is only available in local (-l) mode"); krb5_warnx(context, "init is only available in local (-l) mode");
return 0; return 1;
} }
if (opt->realm_max_ticket_life_string) { if (opt->realm_max_ticket_life_string) {
if (str2deltat (opt->realm_max_ticket_life_string, &max_life) != 0) { if (str2deltat (opt->realm_max_ticket_life_string, &max_life) != 0) {
krb5_warnx (context, "unable to parse \"%s\"", krb5_warnx (context, "unable to parse \"%s\"",
opt->realm_max_ticket_life_string); opt->realm_max_ticket_life_string);
return 0; return 1;
} }
} }
if (opt->realm_max_renewable_life_string) { if (opt->realm_max_renewable_life_string) {
if (str2deltat (opt->realm_max_renewable_life_string, &max_rlife) != 0) { if (str2deltat (opt->realm_max_renewable_life_string, &max_rlife) != 0) {
krb5_warnx (context, "unable to parse \"%s\"", krb5_warnx (context, "unable to parse \"%s\"",
opt->realm_max_renewable_life_string); opt->realm_max_renewable_life_string);
return 0; return 1;
} }
} }
@@ -150,107 +150,164 @@ init(struct init_options *opt, int argc, char **argv)
ret = db->hdb_open(context, db, O_RDWR | O_CREAT, 0600); ret = db->hdb_open(context, db, O_RDWR | O_CREAT, 0600);
if(ret){ if(ret){
krb5_warn(context, ret, "hdb_open"); krb5_warn(context, ret, "hdb_open");
return 0; return 1;
} }
ret = kadm5_log_reinit(kadm_handle, 0); ret = kadm5_log_reinit(kadm_handle, 0);
if (ret) if (ret) {
krb5_err(context, 1, ret, "Failed iprop log initialization"); krb5_warn(context, ret, "Failed iprop log initialization");
kadm5_log_end(kadm_handle); return 1;
}
ret = kadm5_log_end(kadm_handle);
db->hdb_close(context, db); db->hdb_close(context, db);
if (ret) {
krb5_warn(context, ret, "Failed iprop log initialization");
return 1;
}
for(i = 0; i < argc; i++){ for(i = 0; i < argc; i++){
krb5_principal princ; krb5_principal princ = NULL;
const char *realm = argv[i]; const char *realm = argv[i];
if (opt->realm_max_ticket_life_string == NULL) { if (opt->realm_max_ticket_life_string == NULL) {
max_life = 0; max_life = 0;
if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) { if(edit_deltat ("Realm max ticket life", &max_life, NULL, 0)) {
return 0; return 1;
} }
} }
if (opt->realm_max_renewable_life_string == NULL) { if (opt->realm_max_renewable_life_string == NULL) {
max_rlife = 0; max_rlife = 0;
if(edit_deltat("Realm max renewable ticket life", &max_rlife, if(edit_deltat("Realm max renewable ticket life", &max_rlife,
NULL, 0)) { NULL, 0)) {
return 0; return 1;
} }
} }
/* Create `krbtgt/REALM' */ /* Create `krbtgt/REALM' */
ret = krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm,
KRB5_TGS_NAME, realm, NULL); KRB5_TGS_NAME, realm, NULL);
if(ret) if (ret == 0)
return 0; ret = create_random_entry(princ, max_life, max_rlife, 0, 0);
create_random_entry(princ, max_life, max_rlife, 0, 0);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create %s@%s", KRB5_TGS_NAME,
realm);
return 1;
}
if (opt->bare_flag) if (opt->bare_flag)
continue; continue;
/* Create `kadmin/changepw' */ /* Create `kadmin/changepw' */
krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm, "kadmin",
"kadmin", "changepw", NULL); "changepw", NULL);
/* /*
* The Windows XP (at least) password changing protocol * The Windows XP (at least) password changing protocol
* request the `kadmin/changepw' ticket with `renewable_ok, * request the `kadmin/changepw' ticket with `renewable_ok,
* renewable, forwardable' and so fails if we disallow * renewable, forwardable' and so fails if we disallow
* forwardable here. * forwardable here.
*/ */
create_random_entry(princ, 5*60, 5*60, if (ret == 0)
KRB5_KDB_DISALLOW_TGT_BASED| create_random_entry(princ, 5*60, 5*60,
KRB5_KDB_PWCHANGE_SERVICE| KRB5_KDB_DISALLOW_TGT_BASED|
KRB5_KDB_DISALLOW_POSTDATED| KRB5_KDB_PWCHANGE_SERVICE|
KRB5_KDB_DISALLOW_RENEWABLE| KRB5_KDB_DISALLOW_POSTDATED|
KRB5_KDB_DISALLOW_PROXIABLE| KRB5_KDB_DISALLOW_RENEWABLE|
KRB5_KDB_REQUIRES_PRE_AUTH, KRB5_KDB_DISALLOW_PROXIABLE|
0); KRB5_KDB_REQUIRES_PRE_AUTH,
0);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create kadmin/changepw@%s",
realm);
return 1;
}
/* Create `kadmin/admin' */ /* Create `kadmin/admin' */
krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm,
"kadmin", "admin", NULL); "kadmin", "admin", NULL);
create_random_entry(princ, 60*60, 60*60, KRB5_KDB_REQUIRES_PRE_AUTH, 0); if (ret == 0)
ret = create_random_entry(princ, 60*60, 60*60,
KRB5_KDB_REQUIRES_PRE_AUTH, 0);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create kadmin/admin@%s", realm);
return 1;
}
/* Create `changepw/kerberos' (for v4 compat) */ /* Create `changepw/kerberos' (for v4 compat) */
krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm,
"changepw", "kerberos", NULL); "changepw", "kerberos", NULL);
create_random_entry(princ, 60*60, 60*60, if (ret == 0)
KRB5_KDB_DISALLOW_TGT_BASED| ret = create_random_entry(princ, 60*60, 60*60,
KRB5_KDB_PWCHANGE_SERVICE, 0); KRB5_KDB_DISALLOW_TGT_BASED|
KRB5_KDB_PWCHANGE_SERVICE, 0);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create changepw/kerberos@%s",
realm);
return 1;
}
/* Create `kadmin/hprop' for database propagation */ /* Create `kadmin/hprop' for database propagation */
krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm,
"kadmin", "hprop", NULL); "kadmin", "hprop", NULL);
create_random_entry(princ, 60*60, 60*60, if (ret == 0)
KRB5_KDB_REQUIRES_PRE_AUTH| ret = create_random_entry(princ, 60*60, 60*60,
KRB5_KDB_DISALLOW_TGT_BASED, 0); KRB5_KDB_REQUIRES_PRE_AUTH|
KRB5_KDB_DISALLOW_TGT_BASED, 0);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create kadmin/hprop@%s", realm);
return 1;
}
/* Create `WELLKNOWN/ANONYMOUS' for anonymous as-req */ /* Create `WELLKNOWN/ANONYMOUS' for anonymous as-req */
krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm, KRB5_WELLKNOWN_NAME,
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL); KRB5_ANON_NAME, NULL);
create_random_entry(princ, 60*60, 60*60, if (ret == 0)
KRB5_KDB_REQUIRES_PRE_AUTH, 0); ret = create_random_entry(princ, 60*60, 60*60,
KRB5_KDB_REQUIRES_PRE_AUTH, 0);
krb5_free_principal(context, princ); krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create %s/%s@%s",
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, realm);
return 1;
}
/* Create `WELLKNOWN/FEDERATED' for GSS preauth */ /* Create `WELLKNOWN/FEDERATED' for GSS preauth */
krb5_make_principal(context, &princ, realm, ret = krb5_make_principal(context, &princ, realm,
KRB5_WELLKNOWN_NAME, KRB5_FEDERATED_NAME, NULL); KRB5_WELLKNOWN_NAME, KRB5_FEDERATED_NAME, NULL);
create_random_entry(princ, 60*60, 60*60, if (ret == 0)
KRB5_KDB_REQUIRES_PRE_AUTH, 0); ret = create_random_entry(princ, 60*60, 60*60,
krb5_free_principal(context, princ); KRB5_KDB_REQUIRES_PRE_AUTH, 0);
krb5_free_principal(context, princ);
if (ret) {
krb5_warn(context, ret, "Failed to create %s/%s@%s",
KRB5_WELLKNOWN_NAME, KRB5_FEDERATED_NAME, realm);
return 1;
}
/* Create `WELLKNONW/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L' for FAST cookie */ /*
krb5_make_principal(context, &princ, KRB5_WELLKNOWN_ORG_H5L_REALM, * Create `WELLKNONW/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L' for FAST cookie.
KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie", NULL); *
create_random_entry(princ, 60*60, 60*60, * There can be only one.
KRB5_KDB_REQUIRES_PRE_AUTH| */
KRB5_KDB_DISALLOW_TGT_BASED| if (i == 0) {
KRB5_KDB_DISALLOW_ALL_TIX, CRE_DUP_OK); ret = krb5_make_principal(context, &princ, KRB5_WELLKNOWN_ORG_H5L_REALM,
krb5_free_principal(context, princ); KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie", NULL);
if (ret == 0)
ret = create_random_entry(princ, 60*60, 60*60,
KRB5_KDB_REQUIRES_PRE_AUTH|
KRB5_KDB_DISALLOW_TGT_BASED|
KRB5_KDB_DISALLOW_ALL_TIX, CRE_DUP_OK);
krb5_free_principal(context, princ);
if (ret && ret != KADM5_DUP) {
krb5_warn(context, ret,
"Failed to create %s/org.h5l.fast-cookie@%s",
KRB5_WELLKNOWN_NAME, KRB5_WELLKNOWN_ORG_H5L_REALM);
return 1;
}
}
/* Create `default' */ /* Create `default' */
{ {
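Review bot: The `kadmin/changepw` creation is the one site in this hunk that still discards the result of create_random_entry: the new side reads `if (ret == 0)` followed by `create_random_entry(princ, 5*60, 5*60, …)` with no assignment, so the `if (ret)` test after krb5_free_principal only reflects krb5_make_principal and a failed key/entry creation is reported as success, unlike the krbtgt, kadmin/admin, changepw/kerberos, kadmin/hprop and WELLKNOWN entries, which all use `ret = create_random_entry(…)`. The fix is the one line `ret = create_random_entry(princ, 5*60, 5*60,` so the realm is not left without a password-change service while the operator sees no error. Separately, the kadm5_log_reinit failure path now does `return 1` instead of exiting, but the database opened by hdb_open a few lines earlier is never closed on that path; calling `db->hdb_close(context, db);` before the return, as the kadm5_log_end path already does, avoids leaking the handle in an interactive kadmin session. The warning emitted when kadm5_log_end fails repeats "Failed iprop log initialization", so the two failures are indistinguishable in the output; `krb5_warn(context, ret, "kadm5_log_end");` in the style of the existing `"hdb_open"` warning would name the call that failed. The body of init begins before the first hunk and continues after this one.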
@@ -259,18 +316,20 @@ init(struct init_options *opt, int argc, char **argv)
memset (&ent, 0, sizeof(ent)); memset (&ent, 0, sizeof(ent));
mask |= KADM5_PRINCIPAL; mask |= KADM5_PRINCIPAL;
krb5_make_principal(context, &ent.principal, realm,
"default", NULL);
mask |= KADM5_MAX_LIFE; mask |= KADM5_MAX_LIFE;
ent.max_life = 24 * 60 * 60;
mask |= KADM5_MAX_RLIFE; mask |= KADM5_MAX_RLIFE;
mask |= KADM5_ATTRIBUTES;
ent.max_life = 24 * 60 * 60;
ent.max_renewable_life = 7 * ent.max_life; ent.max_renewable_life = 7 * ent.max_life;
ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX; ent.attributes = KRB5_KDB_DISALLOW_ALL_TIX;
mask |= KADM5_ATTRIBUTES; ret = krb5_make_principal(context, &ent.principal, realm,
"default", NULL);
ret = kadm5_create_principal(kadm_handle, &ent, mask, ""); if (ret == 0)
if (ret) ret = kadm5_create_principal(kadm_handle, &ent, mask, "");
krb5_err (context, 1, ret, "kadm5_create_principal"); if (ret) {
krb5_warn(context, ret, "Failed to create default@%s", realm);
return 1;
}
krb5_free_principal(context, ent.principal); krb5_free_principal(context, ent.principal);
} }