char *
krb5_createprinc(krb5_context ctx, kadm5_handle hndl,
kadm5_principal_ent_rec p, long mask,
int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
char *passwd)
{
kadm5_ret_t ret;
char croakstr[2048] = "";
if (passwd)
passwd = strdup(passwd);
else
passwd = random_passwd(ctx, HUMAN_PASSWD_SIZE);
if (!passwd)
croak("Out of memory.");
mask |= KADM5_PRINCIPAL;
K5BAIL(kadm5_create_principal_3(hndl, &p, mask, n_ks_tuple, ks_tuple,
passwd));
done:
if (ret) {
free(passwd);
croak("%s", croakstr);
}
return passwd;
}
static krb5_error_code
create_hist(kadm5_server_handle_t handle)
{
kadm5_ret_t ret;
krb5_key_salt_tuple ks[1];
kadm5_principal_ent_rec ent;
long mask = KADM5_PRINCIPAL | KADM5_MAX_LIFE | KADM5_ATTRIBUTES;
/* Create the history principal. */
memset(&ent, 0, sizeof(ent));
ent.principal = hist_princ;
ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX;
ent.attributes = 0;
ks[0].ks_enctype = handle->params.enctype;
ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
ret = kadm5_create_principal_3(handle, &ent, mask, 1, ks, NULL);
if (ret)
return ret;
/* For better compatibility with pre-1.8 libkadm5 code, we want the
* initial history kvno to be 2, so re-randomize it. */
return kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
NULL, NULL);
}
/*
* Function: kdb_init_hist
*
* Purpose: Initializes the global history variables.
*
* Arguments:
*
* handle (r) kadm5 api server handle
* r (r) realm of history principal to use, or NULL
*
* Effects: This function sets the value of the following global
* variables:
*
* hist_princ krb5_principal holding the history principal
* hist_db krb5_db_entry of the history principal
* hist_key krb5_keyblock holding the history principal's key
* hist_encblock krb5_encrypt_block holding the procssed hist_key
* hist_kvno the version number of the history key
*
* If the history principal does not already exist, this function
* attempts to create it with kadm5_create_principal. WARNING!
* If the history principal is deleted and this function is executed
* (by kadmind, or kadmin.local, or anything else with permission),
* the principal will be assigned a new random key and all existing
* password history information will become useless.
*/
krb5_error_code kdb_init_hist(kadm5_server_handle_t handle, char *r)
{
int ret = 0;
char *realm, *hist_name;
krb5_key_data *key_data;
krb5_key_salt_tuple ks[1];
if (r == NULL) {
if ((ret = krb5_get_default_realm(handle->context, &realm)))
return ret;
} else {
realm = r;
}
if ((hist_name = (char *) malloc(strlen(KADM5_HIST_PRINCIPAL) +
strlen(realm) + 2)) == NULL)
goto done;
(void) sprintf(hist_name, "%s@%s", KADM5_HIST_PRINCIPAL, realm);
if ((ret = krb5_parse_name(handle->context, hist_name, &hist_princ)))
goto done;
if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL))) {
kadm5_principal_ent_rec ent;
if (ret != KADM5_UNK_PRINC)
goto done;
/* try to create the principal */
memset(&ent, 0, sizeof(ent));
ent.principal = hist_princ;
ent.max_life = KRB5_KDB_DISALLOW_ALL_TIX;
ent.attributes = 0;
/* this uses hist_kvno. So we set it to 2, which will be the
correct value once the principal is created and randomized.
Of course, it doesn't make sense to keep a history for the
history principal, anyway. */
hist_kvno = 2;
ks[0].ks_enctype = handle->params.enctype;
ks[0].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL;
ret = kadm5_create_principal_3(handle, &ent,
(KADM5_PRINCIPAL |
KADM5_MAX_LIFE |
KADM5_ATTRIBUTES),
1, ks,
"to-be-random");
if (ret)
goto done;
/* this won't let us randomize the hist_princ. So we cheat. */
hist_princ = NULL;
ret = kadm5_randkey_principal_3(handle, ent.principal, 0, 1, ks,
NULL, NULL);
hist_princ = ent.principal;
if (ret)
goto done;
/* now read the newly-created kdb record out of the
database. */
if ((ret = kdb_get_entry(handle, hist_princ, &hist_db, NULL)))
goto done;
}
ret = krb5_dbe_find_enctype(handle->context, &hist_db,
handle->params.enctype, -1, -1, &key_data);
if (ret)
goto done;
ret = krb5_dbekd_decrypt_key_data(handle->context,
&handle->master_keyblock, key_data, &hist_key, NULL);
if (ret)
goto done;
hist_kvno = key_data->key_data_kvno;
done:
free(hist_name);
if (r == NULL)
free(realm);
return ret;
}
