diff options
Diffstat (limited to 'server/keytab-backend')
| -rwxr-xr-x | server/keytab-backend | 245 |
1 files changed, 0 insertions, 245 deletions
diff --git a/server/keytab-backend b/server/keytab-backend deleted file mode 100755 index 6e47331..0000000 --- a/server/keytab-backend +++ /dev/null @@ -1,245 +0,0 @@ -#!/usr/bin/perl -# -# Extract keytabs from the KDC without changing the key. -# -# This is a remctl backend that extracts existing keys from a KDC database -# using kadmin.local. It requires a patched version of kadmin.local that -# supports the -norandkey option. It expects a configuration file in -# /etc/krb5kdc/allow-extract that contains a list of regexes, one per line, -# matching principals that may be extracted in this fashion. (Generally you -# do not want to list user principals here.) It also expects to be able to -# write to a directory named /var/lib/keytabs; that's where it puts the -# keytabs temporarily before sending them back to via remctl. -# -# remctl should handle authorization restrictions on this script. It doesn't -# do any additional authorization checks itself. -# -# The keytab for the extracted principal will be printed to standard output. - -use 5.008; -use strict; -use warnings; - -use Sys::Syslog qw(openlog syslog); - -# Path to configuration file listing principals that may be extracted. -our $CONFIG = '/etc/krb5kdc/allow-extract'; - -# The full path to a kadmin.local that supports -norandkey. -our $KADMIN = '/usr/sbin/kadmin.local'; - -# A temporary area into which keytabs should be written. -our $TMP = '/var/lib/keytabs'; - -# Set to zero to suppress syslog logging, which is used only for testing. Set -# to a reference to a string to append messages to that string instead. -our $SYSLOG; -$SYSLOG = 1 unless defined $SYSLOG; - -############################################################################## -# Logging -############################################################################## - -# Initialize logging. -sub log_init { - if (ref $SYSLOG) { - $$SYSLOG = ''; - } elsif ($SYSLOG) { - openlog ('keytab-backend', 'pid', 'auth'); - } -} - -# Log a failure message to both syslog and to stderr and exit with a non-zero -# status. -sub error { - my $message = join ('', @_); - if (ref $SYSLOG) { - $$SYSLOG .= $message . "\n"; - } elsif ($SYSLOG) { - syslog ('err', '%s', $message); - } - die "keytab-backend: $message\n"; -} - -# Log a regular message, generally for success. -sub info { - my $message = join ('', @_); - if (ref $SYSLOG) { - $$SYSLOG .= $message . "\n"; - } elsif ($SYSLOG) { - syslog ('info', '%s', $message); - } -} - -############################################################################## -# Implementation -############################################################################## - -# Check and download the keytab. This is in a subroutine call for easier -# testing. We separately log actions unless $SYSLOG is set to 0. remctld -# keeps some logs, but it won't tell us whether the download is successful or -# not. -sub download { - my (@args) = @_; - log_init; - - # Set up a default identity if run from the command line. - $ENV{REMOTE_USER} = getpwnam ($<) || 'UNKNOWN' unless $ENV{REMOTE_USER}; - - # Read the regexes of valid principals into memory. - open (CONFIG, '<', $CONFIG) or error "cannot open $CONFIG: $!"; - my @valid; - while (<CONFIG>) { - next if /^\s*\#/; - next if /^\s*$/; - s/^\s+//; - s/\s+$//; - s/\s*\#.*//; - push (@valid, qr/$_/); - } - close CONFIG; - - # The first argument will be the remctl service, so skip it. - if (@args == 2) { - shift @args; - } - if (@args != 1) { - error "invalid arguments: @args"; - } - my $principal = $args[0]; - - # Ensure that we're allowed to retrieve this principal. - unless ($principal =~ m%^[\w-]+(?:/[\w.-]+)?\@[\w.-]+\z%) { - error "bad principal name $principal"; - } - my $okay; - for my $regex (@valid) { - if ($principal =~ /$regex/) { - $okay = 1; - last; - } - } - unless ($okay) { - error "permission denied: $ENV{REMOTE_USER} may not retrieve" - . " $principal"; - } - - # Do the actual work. - my $filename = "$TMP/keytab$$"; - my $command = "ktadd -k $filename -q -norandkey $principal"; - my $output = `$KADMIN -q '$command' 2>&1`; - if ($? != 0) { - my $status = ($? >> 8); - warn $output; - error "retrieve of $principal failed for $ENV{REMOTE_USER}:" - . " kadmin.local exited with status $status"; - } - open (KEYTAB, '<', $filename) - or error "cannot open temporary keytab $filename: $!"; - print while <KEYTAB>; - close KEYTAB; - unlink $filename; - info ("keytab $principal retrieved by $ENV{REMOTE_USER}"); -} -download (@ARGV); -__END__ - -############################################################################## -# Documentation -############################################################################## - -=for stopwords -keytab-backend keytabs KDC keytab kadmin.local -norandkey ktadd remctld -auth Allbery rekeying MERCHANTABILITY NONINFRINGEMENT sublicense -kadmin.local. - -=head1 NAME - -keytab-backend - Extract keytabs from the KDC without changing the key - -=head1 SYNOPSIS - -B<keytab-backend> retrieve I<principal> - -=head1 DESCRIPTION - -B<keytab-backend> retrieves a keytab for an existing principal from the -KDC database without changing the current key. It allows generation of a -keytab for a service without rekeying that service. It requires a -B<kadmin.local> patched to support the B<-norandkey> option to B<ktadd>. - -This script is intended to run under B<remctld>. On success, it prints -the keytab to standard output, logs a success message to syslog (facility -auth, priority info), and exits with status 0. On failure, it prints out -an error message, logs an error to syslog (facility auth, priority err), -and exits with a non-zero status. - -The principal is checked for basic sanity (only accepting alphanumerics, -C<_>, and C<-> with an optional instance and then only alphanumerics, -C<_>, C<->, and C<.> in the realm) and then checked against a -configuration file that lists regexes of principals that can be retrieved. -When deploying this software, limit as tightly as possible which -principals can be downloaded in this fashion. Generally only shared -service principals used on multiple systems should be made available in -this way. - -B<keytab-backend> does not do any authorization checks. Those should be -done by B<remctld> before it is called. - -=head1 FILES - -=over 4 - -=item F</etc/krb5kdc/allow-extract> - -The configuration file that controls which principals can have their -keytabs retrieved. Blank lines and lines starting with C<#>, as well as -anything after C<#> on a line, are ignored. All other lines should be -Perl regular expressions, one per line, that match principals whose -keytabs can be retrieved by B<keytab-backend>. Any principal that does -not match one of those regular expressions cannot be retrieved. - -=item F</var/lib/keytabs> - -The temporary directory used for creating keytabs. B<keytab-backend> will -create the keytab in this directory, make sure that was successful, and -then delete the temporary file after the results have been sent to -standard output. - -=back - -=head1 AUTHOR - -Russ Allbery <eagle@eyrie.org> - -=head1 COPYRIGHT AND LICENSE - -Copyright 2006, 2007, 2008, 2010, 2013 The Board of Trustees of the Leland -Stanford Junior University - -Permission is hereby granted, free of charge, to any person obtaining a -copy of this software and associated documentation files (the "Software"), -to deal in the Software without restriction, including without limitation -the rights to use, copy, modify, merge, publish, distribute, sublicense, -and/or sell copies of the Software, and to permit persons to whom the -Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -DEALINGS IN THE SOFTWARE. - -=head1 SEE ALSO - -kadmin.local(8), remctld(8) - -This program is part of the wallet system. The current version is -available from L<http://www.eyrie.org/~eagle/software/wallet/>. - -=cut |