diff options
Diffstat (limited to 'crypto/heimdal/kadmin/check.c')
| -rw-r--r-- | crypto/heimdal/kadmin/check.c | 238 |
1 files changed, 238 insertions, 0 deletions
diff --git a/crypto/heimdal/kadmin/check.c b/crypto/heimdal/kadmin/check.c new file mode 100644 index 000000000000..bd4f270adb77 --- /dev/null +++ b/crypto/heimdal/kadmin/check.c @@ -0,0 +1,238 @@ +/* + * Copyright (c) 2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Check database for strange configurations on default principals + */ + +#include "kadmin_locl.h" +#include "kadmin-commands.h" + +RCSID("$Id: check.c 20962 2007-06-07 05:09:24Z lha $"); + +static int +get_check_entry(const char *name, kadm5_principal_ent_rec *ent) +{ + krb5_error_code ret; + krb5_principal principal; + + ret = krb5_parse_name(context, name, &principal); + if (ret) { + krb5_warn(context, ret, "krb5_unparse_name: %s", name); + return 1; + } + + memset(ent, 0, sizeof(*ent)); + ret = kadm5_get_principal(kadm_handle, principal, ent, 0); + krb5_free_principal(context, principal); + if(ret) + return 1; + + return 0; +} + + +static int +do_check_entry(krb5_principal principal, void *data) +{ + krb5_error_code ret; + kadm5_principal_ent_rec princ; + char *name; + int i; + + ret = krb5_unparse_name(context, principal, &name); + if (ret) + return 1; + + memset (&princ, 0, sizeof(princ)); + ret = kadm5_get_principal(kadm_handle, principal, &princ, + KADM5_PRINCIPAL | KADM5_KEY_DATA); + if(ret) { + krb5_warn(context, ret, "Failed to get principal: %s", name); + free(name); + return 0; + } + + for (i = 0; i < princ.n_key_data; i++) { + size_t keysize; + ret = krb5_enctype_keysize(context, + princ.key_data[i].key_data_type[0], + &keysize); + if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) { + krb5_warnx(context, + "Principal %s enctype %d, wrong length: %lu\n", + name, princ.key_data[i].key_data_type[0], + (unsigned long)princ.key_data[i].key_data_length); + } + } + + free(name); + kadm5_free_principal_ent(kadm_handle, &princ); + + return 0; +} + +int +check(void *opt, int argc, char **argv) +{ + kadm5_principal_ent_rec ent; + krb5_error_code ret; + char *realm = NULL, *p, *p2; + int found; + + if (argc == 0) { + ret = krb5_get_default_realm(context, &realm); + if (ret) { + krb5_warn(context, ret, "krb5_get_default_realm"); + goto fail; + } + } else { + realm = strdup(argv[0]); + if (realm == NULL) { + krb5_warnx(context, "malloc"); + goto fail; + } + } + + /* + * Check krbtgt/REALM@REALM + * + * For now, just check existance + */ + + if (asprintf(&p, "%s/%s@%s", KRB5_TGS_NAME, realm, realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + if (ret) { + printf("%s doesn't exist, are you sure %s is a realm in your database", + p, realm); + free(p); + goto fail; + } + free(p); + + kadm5_free_principal_ent(kadm_handle, &ent); + + /* + * Check kadmin/admin@REALM + */ + + if (asprintf(&p, "kadmin/admin@%s", realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + if (ret) { + printf("%s doesn't exist, " + "there is no way to do remote administration", p); + free(p); + goto fail; + } + free(p); + + kadm5_free_principal_ent(kadm_handle, &ent); + + /* + * Check kadmin/changepw@REALM + */ + + if (asprintf(&p, "kadmin/changepw@%s", realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + if (ret) { + printf("%s doesn't exist, " + "there is no way to do change password", p); + free(p); + goto fail; + } + free(p); + + kadm5_free_principal_ent(kadm_handle, &ent); + + /* + * Check for duplicate afs keys + */ + + p2 = strdup(realm); + if (p2 == NULL) { + krb5_warn(context, errno, "malloc"); + free(p); + goto fail; + } + strlwr(p2); + + if (asprintf(&p, "afs/%s@%s", p2, realm) == -1) { + krb5_warn(context, errno, "asprintf"); + free(p2); + goto fail; + } + free(p2); + + ret = get_check_entry(p, &ent); + free(p); + if (ret == 0) { + kadm5_free_principal_ent(kadm_handle, &ent); + found = 1; + } else + found = 0; + + if (asprintf(&p, "afs@%s", realm) == -1) { + krb5_warn(context, errno, "asprintf"); + goto fail; + } + + ret = get_check_entry(p, &ent); + free(p); + if (ret == 0) { + kadm5_free_principal_ent(kadm_handle, &ent); + if (found) { + krb5_warnx(context, "afs@REALM and afs/cellname@REALM both exists"); + goto fail; + } + } + + foreach_principal("*", do_check_entry, "check", NULL); + + free(realm); + return 0; +fail: + free(realm); + return 1; +} |