diff options
Diffstat (limited to 'source4/heimdal')
| -rw-r--r-- | source4/heimdal/kdc/config.c | 359 | ||||
| -rw-r--r-- | source4/heimdal/kdc/default_config.c | 316 | ||||
| -rw-r--r-- | source4/heimdal/kdc/kdc_locl.h | 14 |
3 files changed, 685 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/config.c b/source4/heimdal/kdc/config.c new file mode 100644 index 0000000000..3c855607a4 --- /dev/null +++ b/source4/heimdal/kdc/config.c @@ -0,0 +1,359 @@ +/* + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "kdc_locl.h" +#include <getarg.h> +#include <parse_bytes.h> + +RCSID("$Id: config.c,v 1.82 2007/01/03 18:52:45 lha Exp $"); + +struct dbinfo { + char *realm; + char *dbname; + char *mkey_file; + struct dbinfo *next; +}; + +static const char *config_file; /* location of kdc config file */ +static char *max_request_str; /* `max_request' as a string */ + +static int builtin_hdb_flag; +static int help_flag; +static int version_flag; + +static struct getarg_strings addresses_str; /* addresses to listen on */ + +static struct getargs args[] = { + { + "config-file", 'c', arg_string, &config_file, + "location of config file", "file" + }, + { + "require-preauth", 'p', arg_negative_flag, &require_preauth, + "don't require pa-data in as-reqs" + }, + { + "max-request", 0, arg_string, &max_request, + "max size for a kdc-request", "size" + }, + { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" }, + { "524", 0, arg_negative_flag, &enable_524, + "don't respond to 524 requests" + }, + { + "kaserver", 'K', arg_flag, &enable_kaserver, + "enable kaserver support" + }, + { "kerberos4", 0, arg_flag, &enable_v4, + "respond to kerberos 4 requests" + }, + { + "v4-realm", 'r', arg_string, &v4_realm, + "realm to serve v4-requests for" + }, + { "kerberos4-cross-realm", 0, arg_flag, + &enable_v4_cross_realm, + "respond to kerberos 4 requests from foreign realms" + }, + { "ports", 'P', arg_string, &port_str, + "ports to listen to", "portspec" + }, +#if DETACH_IS_DEFAULT + { + "detach", 'D', arg_negative_flag, &detach_from_console, + "don't detach from console" + }, +#else + { + "detach", 0 , arg_flag, &detach_from_console, + "detach from console" + }, +#endif + { "addresses", 0, arg_strings, &addresses_str, + "addresses to listen on", "list of addresses" }, + { "disable-des", 0, arg_flag, &disable_des, + "disable DES" }, + { "builtin-hdb", 0, arg_flag, &builtin_hdb_flag, + "list builtin hdb backends"}, + { "help", 'h', arg_flag, &help_flag }, + { "version", 'v', arg_flag, &version_flag } +}; + +static int num_args = sizeof(args) / sizeof(args[0]); + +static void +usage(int ret) +{ + arg_printusage (args, num_args, NULL, ""); + exit (ret); +} + +static void +get_dbinfo(krb5_context context, krb5_kdc_configuration *config) +{ + const krb5_config_binding *top_binding = NULL; + const krb5_config_binding *db_binding; + const krb5_config_binding *default_binding = NULL; + struct dbinfo *di, **dt; + const char *default_dbname = HDB_DEFAULT_DB; + const char *default_mkey = HDB_DB_DIR "/m-key"; + const char *p; + krb5_error_code ret; + + struct dbinfo *databases = NULL; + + dt = &databases; + while((db_binding = (const krb5_config_binding *) + krb5_config_get_next(context, NULL, &top_binding, + krb5_config_list, + "kdc", + "database", + NULL))) { + p = krb5_config_get_string(context, db_binding, "realm", NULL); + if(p == NULL) { + if(default_binding) { + krb5_warnx(context, "WARNING: more than one realm-less " + "database specification"); + krb5_warnx(context, "WARNING: using the first encountered"); + } else + default_binding = db_binding; + continue; + } + di = calloc(1, sizeof(*di)); + di->realm = strdup(p); + p = krb5_config_get_string(context, db_binding, "dbname", NULL); + if(p) + di->dbname = strdup(p); + p = krb5_config_get_string(context, db_binding, "mkey_file", NULL); + if(p) + di->mkey_file = strdup(p); + *dt = di; + dt = &di->next; + } + if(default_binding) { + di = calloc(1, sizeof(*di)); + p = krb5_config_get_string(context, default_binding, "dbname", NULL); + if(p) { + di->dbname = strdup(p); + default_dbname = p; + } + p = krb5_config_get_string(context, default_binding, "mkey_file", NULL); + if(p) { + di->mkey_file = strdup(p); + default_mkey = p; + } + *dt = di; + dt = &di->next; + } else if(databases == NULL) { + /* if there are none specified, use some default */ + di = calloc(1, sizeof(*di)); + di->dbname = strdup(default_dbname); + di->mkey_file = strdup(default_mkey); + *dt = di; + dt = &di->next; + } + for(di = databases; di; di = di->next) { + if(di->dbname == NULL) + di->dbname = strdup(default_dbname); + if(di->mkey_file == NULL) { + p = strrchr(di->dbname, '.'); + if(p == NULL || strchr(p, '/') != NULL) + /* final pathname component does not contain a . */ + asprintf(&di->mkey_file, "%s.mkey", di->dbname); + else + /* the filename is something.else, replace .else with + .mkey */ + asprintf(&di->mkey_file, "%.*s.mkey", + (int)(p - di->dbname), di->dbname); + } + } + + if (databases == NULL) { + config->db = malloc(sizeof(*config->db)); + config->num_db = 1; + ret = hdb_create(context, &config->db[0], NULL); + if(ret) + krb5_err(context, 1, ret, "hdb_create %s", HDB_DEFAULT_DB); + ret = hdb_set_master_keyfile(context, config->db[0], NULL); + if (ret) + krb5_err(context, 1, ret, "hdb_set_master_keyfile"); + } else { + struct dbinfo *d; + int i; + /* count databases */ + for(d = databases, i = 0; d; d = d->next, i++); + config->db = malloc(i * sizeof(*config->db)); + for(d = databases, config->num_db = 0; d; d = d->next, config->num_db++) { + ret = hdb_create(context, &config->db[config->num_db], d->dbname); + if(ret) + krb5_err(context, 1, ret, "hdb_create %s", d->dbname); + ret = hdb_set_master_keyfile(context, config->db[config->num_db], d->mkey_file); + if (ret) + krb5_err(context, 1, ret, "hdb_set_master_keyfile"); + } + } + +} + +static void +add_one_address (krb5_context context, const char *str, int first) +{ + krb5_error_code ret; + krb5_addresses tmp; + + ret = krb5_parse_address (context, str, &tmp); + if (ret) + krb5_err (context, 1, ret, "parse_address `%s'", str); + if (first) + krb5_copy_addresses(context, &tmp, &explicit_addresses); + else + krb5_append_addresses(context, &explicit_addresses, &tmp); + krb5_free_addresses (context, &tmp); +} + +krb5_kdc_configuration * +configure(krb5_context context, int argc, char **argv) +{ + const char *p; + krb5_kdc_configuration *config; + krb5_error_code ret; + int optidx = 0; + + while(getarg(args, num_args, argc, argv, &optidx)) + warnx("error at argument `%s'", argv[optidx]); + + if(help_flag) + usage (0); + + if (version_flag) { + print_version(NULL); + exit(0); + } + + if (builtin_hdb_flag) { + char *list; + ret = hdb_list_builtin(context, &list); + if (ret) + krb5_err(context, 1, ret, "listing builtin hdb backends"); + printf("builtin hdb backends: %s\n", list); + free(list); + exit(0); + } + + argc -= optidx; + argv += optidx; + + if (argc != 0) + usage(1); + + { + char **files; + + if(config_file == NULL) + config_file = _PATH_KDC_CONF; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if(ret) + krb5_err(context, 1, ret, "reading configuration files"); + } + + if(max_request_str) + max_request = parse_bytes(max_request_str, NULL); + + if(max_request == 0){ + p = krb5_config_get_string (context, + NULL, + "kdc", + "max-request", + NULL); + if(p) + max_request = parse_bytes(p, NULL); + } + + if(max_request == 0) + max_request = 64 * 1024; + + if(port_str == NULL){ + p = krb5_config_get_string(context, NULL, "kdc", "ports", NULL); + if (p != NULL) + port_str = strdup(p); + } + + if (port_str == NULL) + port_str = "+"; + + explicit_addresses.len = 0; + + if (addresses_str.num_strings) { + int i; + + for (i = 0; i < addresses_str.num_strings; ++i) + add_one_address (context, addresses_str.strings[i], i == 0); + free_getarg_strings (&addresses_str); + } else { + char **foo = krb5_config_get_strings (context, NULL, + "kdc", "addresses", NULL); + + if (foo != NULL) { + add_one_address (context, *foo++, TRUE); + while (*foo) + add_one_address (context, *foo++, FALSE); + } + } + + if(enable_http == -1) + enable_http = krb5_config_get_bool(context, NULL, "kdc", + "enable-http", NULL); + + config = malloc(sizeof(*config)); + + if (!config) { + return NULL; + } + + krb5_kdc_default_config(config); + + kdc_openlog(context, config); + + get_dbinfo(context, config); + + krb5_kdc_configure(context, config); + + return config; +} diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c index c4d9f51fd0..2352020d86 100644 --- a/source4/heimdal/kdc/default_config.c +++ b/source4/heimdal/kdc/default_config.c @@ -1,6 +1,7 @@ /* - * Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org> - * + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -14,10 +15,14 @@ * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) @@ -29,6 +34,19 @@ #include "kdc_locl.h" +int require_preauth = -1; /* 1 == require preauth for all principals */ + +const char *trpolicy_str; + +int disable_des = -1; +int enable_v4 = -1; +int enable_kaserver = -1; +int enable_524 = -1; +int enable_v4_cross_realm = -1; +int detach_from_console = -1; + +char *v4_realm; + /* * Setup some of the defaults for the KDC configuration. * @@ -60,3 +78,293 @@ krb5_kdc_default_config(krb5_kdc_configuration *config) config->num_db = 0; config->logf = NULL; } + + +/* + * Setup some valudes for the KDC configuration, from the config file + * + * Note: Caller must also fill in: + * - db + * - num_db + * - logf + * +*/ + +void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config) +{ + const char *p; + if(require_preauth == -1) { + config->require_preauth = krb5_config_get_bool_default(context, NULL, + config->require_preauth, + "kdc", + "require-preauth", NULL); + } else { + config->require_preauth = require_preauth; + } + + if(enable_v4 == -1) { + config->enable_v4 = krb5_config_get_bool_default(context, NULL, + config->enable_v4, + "kdc", + "enable-kerberos4", + NULL); + } else { + config->enable_v4 = enable_v4; + } + + if(enable_v4_cross_realm == -1) { + config->enable_v4_cross_realm = + krb5_config_get_bool_default(context, NULL, + config->enable_v4_cross_realm, + "kdc", + "enable-kerberos4-cross-realm", + NULL); + } else { + config->enable_v4_cross_realm = enable_v4_cross_realm; + } + + if(enable_524 == -1) { + config->enable_524 = krb5_config_get_bool_default(context, NULL, + config->enable_v4, + "kdc", "enable-524", + NULL); + } else { + config->enable_524 = enable_524; + } + + config->enable_digest = + krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", + "enable-digest", NULL); + + { + const char *digests; + + digests = krb5_config_get_string(context, NULL, + "kdc", + "digests_allowed", NULL); + if (digests == NULL) + digests = "ntlm-v2"; + config->digests_allowed = parse_flags(digests, + _kdc_digestunits, + 0); + if (config->digests_allowed == -1) { + kdc_log(context, config, 0, + "unparsable digest units (%s), turning off digest", + digests); + config->enable_digest = 0; + } else if (config->digests_allowed == 0) { + kdc_log(context, config, 0, + "no digest enable, turning digest off", + digests); + config->enable_digest = 0; + } + } + + config->enable_kx509 = + krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", + "enable-kx509", NULL); + + config->check_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + config->check_ticket_addresses, + "kdc", + "check-ticket-addresses", NULL); + config->allow_null_ticket_addresses = + krb5_config_get_bool_default(context, NULL, + config->allow_null_ticket_addresses, + "kdc", + "allow-null-ticket-addresses", NULL); + + config->allow_anonymous = + krb5_config_get_bool_default(context, NULL, + config->allow_anonymous, + "kdc", + "allow-anonymous", NULL); + + config->max_datagram_reply_length = + krb5_config_get_int_default(context, + NULL, + 1400, + "kdc", + "max-kdc-datagram-reply-length", + NULL); + + trpolicy_str = + krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc", + "transited-policy", NULL); + if(strcasecmp(trpolicy_str, "always-check") == 0) { + config->trpolicy = TRPOLICY_ALWAYS_CHECK; + } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) { + config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL; + } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) { + config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST; + } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) { + /* default */ + } else { + kdc_log(context, config, + 0, "unknown transited-policy: %s, reverting to default (always-check)", + trpolicy_str); + } + + if (krb5_config_get_string(context, NULL, "kdc", + "enforce-transited-policy", NULL)) + krb5_errx(context, 1, "enforce-transited-policy deprecated, " + "use [kdc]transited-policy instead"); + + if(v4_realm == NULL){ + p = krb5_config_get_string (context, NULL, + "kdc", + "v4-realm", + NULL); + if(p != NULL) { + config->v4_realm = strdup(p); + if (config->v4_realm == NULL) + krb5_errx(context, 1, "out of memory"); + } else { + config->v4_realm = NULL; + } + } else { + config->v4_realm = v4_realm; + } + + if (enable_kaserver == -1) { + config->enable_kaserver = + krb5_config_get_bool_default(context, + NULL, + config->enable_kaserver, + "kdc", + "enable-kaserver", + NULL); + } else { + config->enable_kaserver = enable_kaserver; + } + + config->encode_as_rep_as_tgs_rep = + krb5_config_get_bool_default(context, NULL, + config->encode_as_rep_as_tgs_rep, + "kdc", + "encode_as_rep_as_tgs_rep", + NULL); + + config->kdc_warn_pwexpire = + krb5_config_get_time_default (context, NULL, + config->kdc_warn_pwexpire, + "kdc", + "kdc_warn_pwexpire", + NULL); + + if(detach_from_console == -1) + detach_from_console = krb5_config_get_bool_default(context, NULL, + DETACH_IS_DEFAULT, + "kdc", + "detach", NULL); + +#ifdef PKINIT + config->enable_pkinit = + krb5_config_get_bool_default(context, + NULL, + config->enable_pkinit, + "kdc", + "enable-pkinit", + NULL); + if (config->enable_pkinit) { + const char *user_id, *anchors, *ocsp_file; + char **pool_list, **revoke_list; + + user_id = krb5_config_get_string(context, NULL, + "kdc", + "pkinit_identity", + NULL); + if (user_id == NULL) + krb5_errx(context, 1, "pkinit enabled but no identity"); + + anchors = krb5_config_get_string(context, NULL, + "kdc", + "pkinit_anchors", + NULL); + if (anchors == NULL) + krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); + + pool_list = krb5_config_get_strings(context, NULL, + "kdc", + "pkinit_pool", + NULL); + + revoke_list = krb5_config_get_strings(context, NULL, + "kdc", + "pkinit_revoke", + NULL); + + ocsp_file = + krb5_config_get_string(context, NULL, + "kdc", + "pkinit_kdc_ocsp", + NULL); + if (ocsp_file) { + config->pkinit_kdc_ocsp_file = strdup(ocsp_file); + if (config->pkinit_kdc_ocsp_file == NULL) + krb5_errx(context, 1, "out of memory"); + } + _kdc_pk_initialize(context, config, user_id, anchors, + pool_list, revoke_list); + + krb5_config_free_strings(pool_list); + krb5_config_free_strings(revoke_list); + + config->enable_pkinit_princ_in_cert = + krb5_config_get_bool_default(context, + NULL, + config->enable_pkinit_princ_in_cert, + "kdc", + "pkinit_principal_in_certificate", + NULL); + } + + config->pkinit_dh_min_bits = + krb5_config_get_int_default(context, + NULL, + 0, + "kdc", + "pkinit_dh_min_bits", + NULL); + +#endif + + if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){ +#ifdef KRB4 + config->v4_realm = malloc(40); /* REALM_SZ */ + if (config->v4_realm == NULL) + krb5_errx(context, 1, "out of memory"); + krb_get_lrealm(config->v4_realm, 1); +#else + krb5_errx(context, 1, "No Kerberos 4 realm configured"); +#endif + } + if(disable_des == -1) + disable_des = krb5_config_get_bool_default(context, NULL, + FALSE, + "kdc", + "disable-des", NULL); + if(disable_des) { + krb5_enctype_disable(context, ETYPE_DES_CBC_CRC); + krb5_enctype_disable(context, ETYPE_DES_CBC_MD4); + krb5_enctype_disable(context, ETYPE_DES_CBC_MD5); + krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); + krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); + krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); + + kdc_log(context, config, + 0, "DES was disabled, turned off Kerberos V4, 524 " + "and kaserver"); + config->enable_v4 = 0; + config->enable_524 = 0; + config->enable_kaserver = 0; + } + + _kdc_windc_init(context); +} + diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h index ed3010b673..ae3b6584a5 100644 --- a/source4/heimdal/kdc/kdc_locl.h +++ b/source4/heimdal/kdc/kdc_locl.h @@ -55,6 +55,18 @@ extern int enable_http; extern int detach_from_console; +extern int require_preauth; /* 1 == require preauth for all principals */ + +extern const char *trpolicy_str; + +extern int disable_des; +extern int enable_v4; +extern int enable_kaserver; +extern int enable_524; +extern int enable_v4_cross_realm; + +extern char *v4_realm; + extern const struct units _kdc_digestunits[]; #define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf" @@ -69,4 +81,6 @@ loop(krb5_context context, krb5_kdc_configuration *config); krb5_kdc_configuration * configure(krb5_context context, int argc, char **argv); +void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config); + #endif /* __KDC_LOCL_H__ */ |