diff --git a/kdc/config.c b/kdc/config.c index 2150ec989..a62b31eef 100644 --- a/kdc/config.c +++ b/kdc/config.c @@ -46,14 +46,26 @@ struct dbinfo { }; static const char *config_file; /* location of kdc config file */ + +static int require_preauth = -1; /* 1 == require preauth for all principals */ static char *max_request_str; /* `max_request' as a string */ +static const char *trpolicy_str; + +static int disable_des = -1; +static int enable_v4 = -1; +static int enable_kaserver = -1; +static int enable_524 = -1; +static int enable_v4_cross_realm = -1; + static int builtin_hdb_flag; static int help_flag; static int version_flag; static struct getarg_strings addresses_str; /* addresses to listen on */ +static char *v4_realm; + static struct getargs args[] = { { "config-file", 'c', arg_string, &config_file, @@ -245,11 +257,17 @@ add_one_address (krb5_context context, const char *str, int first) krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv) { - const char *p; - krb5_kdc_configuration *config; + krb5_kdc_configuration *config = malloc(sizeof(*config)); krb5_error_code ret; int optidx = 0; + const char *p; + if (!config) { + return NULL; + } + + krb5_kdc_default_config(config); + while(getarg(args, num_args, argc, argv, &optidx)) warnx("error at argument `%s'", argv[optidx]); @@ -293,6 +311,10 @@ configure(krb5_context context, int argc, char **argv) krb5_err(context, 1, ret, "reading configuration files"); } + kdc_openlog(context, config); + + get_dbinfo(context, config); + if(max_request_str) max_request = parse_bytes(max_request_str, NULL); @@ -306,8 +328,14 @@ configure(krb5_context context, int argc, char **argv) max_request = parse_bytes(p, NULL); } - if(max_request == 0) - max_request = 64 * 1024; + if(require_preauth == -1) { + config->require_preauth = krb5_config_get_bool_default(context, NULL, + config->require_preauth, + "kdc", + "require-preauth", NULL); + } else { + config->require_preauth = require_preauth; + } if(port_str == NULL){ p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); @@ -315,9 +343,6 @@ configure(krb5_context context, int argc, char **argv) port_str = strdup(p); } - if (port_str == NULL) - port_str = "+"; - explicit_addresses.len = 0; if (addresses_str.num_strings) { @@ -337,23 +362,299 @@ configure(krb5_context context, int argc, char **argv) } } + if(enable_v4 == -1) { + config->enable_v4 = krb5_config_get_bool_default(context, NULL, + config->enable_v4, + "kdc", + "enable-kerberos4", + NULL); + } else { + config->enable_v4 = enable_v4; + } + + if(enable_v4_cross_realm == -1) { + config->enable_v4_cross_realm = + krb5_config_get_bool_default(context, NULL, + config->enable_v4_cross_realm, + "kdc", + "enable-kerberos4-cross-realm", + NULL); + } else { + config->enable_v4_cross_realm = enable_v4_cross_realm; + } + + if(enable_524 == -1) { + config->enable_524 = krb5_config_get_bool_default(context, NULL, + config->enable_v4, + "kdc", "enable-524", + NULL); + } else { + config->enable_524 = enable_524; + } + if(enable_http == -1) enable_http = krb5_config_get_bool(context, NULL, "kdc", "enable-http", NULL); - config = malloc(sizeof(*config)); + config->enable_digest = + krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", + "enable-digest", NULL); - if (!config) { - return NULL; + { + const char *digests; + + digests = krb5_config_get_string(context, NULL, + "kdc", + "digests_allowed", NULL); + if (digests == NULL) + digests = "ntlm-v2"; + config->digests_allowed = parse_flags(digests, + _kdc_digestunits, + 0); + if (config->digests_allowed == -1) { + kdc_log(context, config, 0, + "unparsable digest units (%s), turning off digest", + digests); + config->enable_digest = 0; + } else if (config->digests_allowed == 0) { + kdc_log(context, config, 0, + "no digest enable, turning digest off", + digests); + config->enable_digest = 0; + } } - - krb5_kdc_default_config(config); - kdc_openlog(context, config); + config->enable_kx509 = + krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", + "enable-kx509", NULL); - get_dbinfo(context, config); + if (config->enable_kx509) { + config->kx509_template = krb5_config_get_string(context, NULL, + "kdc", + "kx509_template", + NULL); + config->kx509_ca = krb5_config_get_string(context, NULL, + "kdc", + "kx509_ca", + NULL); + if (config->kx509_ca == NULL || config->kx509_template == NULL) { + kdc_log(context, config, 0, + "missing kx509 configuration, turning off"); + config->enable_kx509 = FALSE; + } + } + + config->check_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + config->check_ticket_addresses, + "kdc", + "check-ticket-addresses", NULL); + config->allow_null_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + config->allow_null_ticket_addresses, + "kdc", + "allow-null-ticket-addresses", NULL); + + config->allow_anonymous = + krb5_config_get_bool_default(context, NULL, + config->allow_anonymous, + "kdc", + "allow-anonymous", NULL); + + config->max_datagram_reply_length = + krb5_config_get_int_default(context, + NULL, + 1400, + "kdc", + "max-kdc-datagram-reply-length", + NULL); + + trpolicy_str = + krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", + "transited-policy", NULL); + if(strcasecmp(trpolicy_str, "always-check") == 0) { + config->trpolicy = TRPOLICY_ALWAYS_CHECK; + } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { + config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; + } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { + config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; + } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { + /* default */ + } else { + kdc_log(context, config, + 0, "unknown transited-policy: %s, reverting to default (always-check)", + trpolicy_str); + } + + if (krb5_config_get_string(context, NULL, "kdc", + "enforce-transited-policy", NULL)) + krb5_errx(context, 1, "enforce-transited-policy deprecated, " + "use [kdc]transited-policy instead"); + + if(v4_realm == NULL){ + p = krb5_config_get_string (context, NULL, + "kdc", + "v4-realm", + NULL); + if(p != NULL) { + config->v4_realm = strdup(p); + if (config->v4_realm == NULL) + krb5_errx(context, 1, "out of memory"); + } else { + config->v4_realm = NULL; + } + } else { + config->v4_realm = v4_realm; + } + + if (enable_kaserver == -1) { + config->enable_kaserver = + krb5_config_get_bool_default(context, + NULL, + config->enable_kaserver, + "kdc", + "enable-kaserver", + NULL); + } else { + config->enable_kaserver = enable_kaserver; + } + + config->encode_as_rep_as_tgs_rep = + krb5_config_get_bool_default(context, NULL, + config->encode_as_rep_as_tgs_rep, + "kdc", + "encode_as_rep_as_tgs_rep", + NULL); + + config->kdc_warn_pwexpire = + krb5_config_get_time_default (context, NULL, + config->kdc_warn_pwexpire, + "kdc", + "kdc_warn_pwexpire", + NULL); + + if(detach_from_console == -1) + detach_from_console = krb5_config_get_bool_default(context, NULL, + DETACH_IS_DEFAULT, + "kdc", + "detach", NULL); + + if(max_request == 0) + max_request = 64 * 1024; + + if(require_preauth != -1) { + config->require_preauth = require_preauth; + } + if (port_str == NULL) + port_str = "+"; + +#ifdef PKINIT + config->enable_pkinit = + krb5_config_get_bool_default(context, + NULL, + config->enable_pkinit, + "kdc", + "enable-pkinit", + NULL); + if (config->enable_pkinit) { + const char *user_id, *anchors, *ocsp_file; + char **pool_list, **revoke_list; + + user_id = krb5_config_get_string(context, NULL, + "kdc", + "pkinit_identity", + NULL); + if (user_id == NULL) + krb5_errx(context, 1, "pkinit enabled but no identity"); + + anchors = krb5_config_get_string(context, NULL, + "kdc", + "pkinit_anchors", + NULL); + if (anchors == NULL) + krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); + + pool_list = krb5_config_get_strings(context, NULL, + "kdc", + "pkinit_pool", + NULL); + + revoke_list = krb5_config_get_strings(context, NULL, + "kdc", + "pkinit_revoke", + NULL); + + ocsp_file = + krb5_config_get_string(context, NULL, + "kdc", + "pkinit_kdc_ocsp", + NULL); + if (ocsp_file) { + config->pkinit_kdc_ocsp_file = strdup(ocsp_file); + if (config->pkinit_kdc_ocsp_file == NULL) + krb5_errx(context, 1, "out of memory"); + } + _kdc_pk_initialize(context, config, user_id, anchors, + pool_list, revoke_list); + + krb5_config_free_strings(pool_list); + krb5_config_free_strings(revoke_list); + + config->enable_pkinit_princ_in_cert = + krb5_config_get_bool_default(context, + NULL, + config->enable_pkinit_princ_in_cert, + "kdc", + "pkinit_principal_in_certificate", + NULL); + } + + config->pkinit_dh_min_bits = + krb5_config_get_int_default(context, + NULL, + 0, + "kdc", + "pkinit_dh_min_bits", + NULL); + +#endif + + if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){ +#ifdef KRB4 + config->v4_realm = malloc(40); /* REALM_SZ */ + if (config->v4_realm == NULL) + krb5_errx(context, 1, "out of memory"); + krb_get_lrealm(config->v4_realm, 1); +#else + krb5_errx(context, 1, "No Kerberos 4 realm configured"); +#endif + } + if(disable_des == -1) + disable_des = krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", + "disable-des", NULL); + if(disable_des) { + krb5_enctype_disable(context, ETYPE_DES_CBC_CRC); + krb5_enctype_disable(context, ETYPE_DES_CBC_MD4); + krb5_enctype_disable(context, ETYPE_DES_CBC_MD5); + krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); + krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); + krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); + + kdc_log(context, config, + 0, "DES was disabled, turned off Kerberos V4, 524 " + "and kaserver"); + config->enable_v4 = 0; + config->enable_524 = 0; + config->enable_kaserver = 0; + } + + _kdc_windc_init(context); - krb5_kdc_configure(context, config); - return config; } diff --git a/kdc/default_config.c b/kdc/default_config.c index 2352020d8..c4d9f51fd 100644 --- a/kdc/default_config.c +++ b/kdc/default_config.c @@ -1,7 +1,6 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * + * Copyright (c) 2005 Andrew Bartlett + * * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -15,14 +14,10 @@ * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) @@ -34,19 +29,6 @@ #include "kdc_locl.h" -int require_preauth = -1; /* 1 == require preauth for all principals */ - -const char *trpolicy_str; - -int disable_des = -1; -int enable_v4 = -1; -int enable_kaserver = -1; -int enable_524 = -1; -int enable_v4_cross_realm = -1; -int detach_from_console = -1; - -char *v4_realm; - /* * Setup some of the defaults for the KDC configuration. * @@ -78,293 +60,3 @@ krb5_kdc_default_config(krb5_kdc_configuration *config) config->num_db = 0; config->logf = NULL; } - - -/* - * Setup some valudes for the KDC configuration, from the config file - * - * Note: Caller must also fill in: - * - db - * - num_db - * - logf - * -*/ - -void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config) -{ - const char *p; - if(require_preauth == -1) { - config->require_preauth = krb5_config_get_bool_default(context, NULL, - config->require_preauth, - "kdc", - "require-preauth", NULL); - } else { - config->require_preauth = require_preauth; - } - - if(enable_v4 == -1) { - config->enable_v4 = krb5_config_get_bool_default(context, NULL, - config->enable_v4, - "kdc", - "enable-kerberos4", - NULL); - } else { - config->enable_v4 = enable_v4; - } - - if(enable_v4_cross_realm == -1) { - config->enable_v4_cross_realm = - krb5_config_get_bool_default(context, NULL, - config->enable_v4_cross_realm, - "kdc", - "enable-kerberos4-cross-realm", - NULL); - } else { - config->enable_v4_cross_realm = enable_v4_cross_realm; - } - - if(enable_524 == -1) { - config->enable_524 = krb5_config_get_bool_default(context, NULL, - config->enable_v4, - "kdc", "enable-524", - NULL); - } else { - config->enable_524 = enable_524; - } - - config->enable_digest = - krb5_config_get_bool_default(context, NULL, - FALSE, - "kdc", - "enable-digest", NULL); - - { - const char *digests; - - digests = krb5_config_get_string(context, NULL, - "kdc", - "digests_allowed", NULL); - if (digests == NULL) - digests = "ntlm-v2"; - config->digests_allowed = parse_flags(digests, - _kdc_digestunits, - 0); - if (config->digests_allowed == -1) { - kdc_log(context, config, 0, - "unparsable digest units (%s), turning off digest", - digests); - config->enable_digest = 0; - } else if (config->digests_allowed == 0) { - kdc_log(context, config, 0, - "no digest enable, turning digest off", - digests); - config->enable_digest = 0; - } - } - - config->enable_kx509 = - krb5_config_get_bool_default(context, NULL, - FALSE, - "kdc", - "enable-kx509", NULL); - - config->check_ticket_addresses = - krb5_config_get_bool_default(context, NULL, - config->check_ticket_addresses, - "kdc", - "check-ticket-addresses", NULL); - config->allow_null_ticket_addresses = - krb5_config_get_bool_default(context, NULL, - config->allow_null_ticket_addresses, - "kdc", - "allow-null-ticket-addresses", NULL); - - config->allow_anonymous = - krb5_config_get_bool_default(context, NULL, - config->allow_anonymous, - "kdc", - "allow-anonymous", NULL); - - config->max_datagram_reply_length = - krb5_config_get_int_default(context, - NULL, - 1400, - "kdc", - "max-kdc-datagram-reply-length", - NULL); - - trpolicy_str = - krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", - "transited-policy", NULL); - if(strcasecmp(trpolicy_str, "always-check") == 0) { - config->trpolicy = TRPOLICY_ALWAYS_CHECK; - } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { - config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; - } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { - config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; - } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { - /* default */ - } else { - kdc_log(context, config, - 0, "unknown transited-policy: %s, reverting to default (always-check)", - trpolicy_str); - } - - if (krb5_config_get_string(context, NULL, "kdc", - "enforce-transited-policy", NULL)) - krb5_errx(context, 1, "enforce-transited-policy deprecated, " - "use [kdc]transited-policy instead"); - - if(v4_realm == NULL){ - p = krb5_config_get_string (context, NULL, - "kdc", - "v4-realm", - NULL); - if(p != NULL) { - config->v4_realm = strdup(p); - if (config->v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - } else { - config->v4_realm = NULL; - } - } else { - config->v4_realm = v4_realm; - } - - if (enable_kaserver == -1) { - config->enable_kaserver = - krb5_config_get_bool_default(context, - NULL, - config->enable_kaserver, - "kdc", - "enable-kaserver", - NULL); - } else { - config->enable_kaserver = enable_kaserver; - } - - config->encode_as_rep_as_tgs_rep = - krb5_config_get_bool_default(context, NULL, - config->encode_as_rep_as_tgs_rep, - "kdc", - "encode_as_rep_as_tgs_rep", - NULL); - - config->kdc_warn_pwexpire = - krb5_config_get_time_default (context, NULL, - config->kdc_warn_pwexpire, - "kdc", - "kdc_warn_pwexpire", - NULL); - - if(detach_from_console == -1) - detach_from_console = krb5_config_get_bool_default(context, NULL, - DETACH_IS_DEFAULT, - "kdc", - "detach", NULL); - -#ifdef PKINIT - config->enable_pkinit = - krb5_config_get_bool_default(context, - NULL, - config->enable_pkinit, - "kdc", - "enable-pkinit", - NULL); - if (config->enable_pkinit) { - const char *user_id, *anchors, *ocsp_file; - char **pool_list, **revoke_list; - - user_id = krb5_config_get_string(context, NULL, - "kdc", - "pkinit_identity", - NULL); - if (user_id == NULL) - krb5_errx(context, 1, "pkinit enabled but no identity"); - - anchors = krb5_config_get_string(context, NULL, - "kdc", - "pkinit_anchors", - NULL); - if (anchors == NULL) - krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); - - pool_list = krb5_config_get_strings(context, NULL, - "kdc", - "pkinit_pool", - NULL); - - revoke_list = krb5_config_get_strings(context, NULL, - "kdc", - "pkinit_revoke", - NULL); - - ocsp_file = - krb5_config_get_string(context, NULL, - "kdc", - "pkinit_kdc_ocsp", - NULL); - if (ocsp_file) { - config->pkinit_kdc_ocsp_file = strdup(ocsp_file); - if (config->pkinit_kdc_ocsp_file == NULL) - krb5_errx(context, 1, "out of memory"); - } - _kdc_pk_initialize(context, config, user_id, anchors, - pool_list, revoke_list); - - krb5_config_free_strings(pool_list); - krb5_config_free_strings(revoke_list); - - config->enable_pkinit_princ_in_cert = - krb5_config_get_bool_default(context, - NULL, - config->enable_pkinit_princ_in_cert, - "kdc", - "pkinit_principal_in_certificate", - NULL); - } - - config->pkinit_dh_min_bits = - krb5_config_get_int_default(context, - NULL, - 0, - "kdc", - "pkinit_dh_min_bits", - NULL); - -#endif - - if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){ -#ifdef KRB4 - config->v4_realm = malloc(40); /* REALM_SZ */ - if (config->v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - krb_get_lrealm(config->v4_realm, 1); -#else - krb5_errx(context, 1, "No Kerberos 4 realm configured"); -#endif - } - if(disable_des == -1) - disable_des = krb5_config_get_bool_default(context, NULL, - FALSE, - "kdc", - "disable-des", NULL); - if(disable_des) { - krb5_enctype_disable(context, ETYPE_DES_CBC_CRC); - krb5_enctype_disable(context, ETYPE_DES_CBC_MD4); - krb5_enctype_disable(context, ETYPE_DES_CBC_MD5); - krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); - krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); - krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); - - kdc_log(context, config, - 0, "DES was disabled, turned off Kerberos V4, 524 " - "and kaserver"); - config->enable_v4 = 0; - config->enable_524 = 0; - config->enable_kaserver = 0; - } - - _kdc_windc_init(context); -} - diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h index 41f75f3ce..8efbe8d2e 100644 --- a/kdc/kdc_locl.h +++ b/kdc/kdc_locl.h @@ -55,18 +55,6 @@ extern int enable_http; extern int detach_from_console; -extern int require_preauth; /* 1 == require preauth for all principals */ - -extern const char *trpolicy_str; - -extern int disable_des; -extern int enable_v4; -extern int enable_kaserver; -extern int enable_524; -extern int enable_v4_cross_realm; - -extern char *v4_realm; - extern const struct units _kdc_digestunits[]; #define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf" @@ -81,6 +69,4 @@ loop(krb5_context context, krb5_kdc_configuration *config); krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv); -void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config); - #endif /* __KDC_LOCL_H__ */ diff --git a/kdc/main.c b/kdc/main.c index 2161314de..0ddacbb0a 100644 --- a/kdc/main.c +++ b/kdc/main.c @@ -40,6 +40,8 @@ RCSID("$Id$"); sig_atomic_t exit_flag = 0; +int detach_from_console = -1; + static RETSIGTYPE sigterm(int sig) {