1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
#!/usr/bin/perl
our $ID = q$Id$;
#
# keytab-backend -- Extract keytabs from the KDC without changing the key.
#
# This is a remctl backend that extracts existing keys from a KDC database
# using kadmin.local. It requires a patched version of kadmin.local that
# supports the -norandkey option. It expects a configuration file in
# /etc/krb5kdc/allow-extract that contains a list of regexes, one per line,
# matching principals that may be extracted in this fashion. (Generally you
# do not want to list user principals here.) It also expects to be able to
# write to a directory named /var/lib/keytabs; that's where it puts the
# keytabs temporarily before sending them back to via remctl.
#
# remctl should handle authorization restrictions on this script. It doesn't
# do any additional authorization checks itself.
#
# The keytab for the extracted principal will be printed to standard output.
#
# Written by Russ Allbery <rra@stanford.edu>
# Copyright 2006, 2007 Board of Trustees, Leland Stanford Jr. University
#
# See LICENSE for licensing terms.
##############################################################################
# Declarations and site configuration
##############################################################################
# Do not use our here to permit overrides when testing.
use strict;
use vars qw($CONFIG $KADMIN $SYSLOG $TMP);
use Sys::Syslog qw(openlog syslog);
# Path to configuration file listing principals that may be extracted.
$CONFIG = '/etc/krb5kdc/allow-extract';
# The full path to a kadmin.local that supports -norandkey.
$KADMIN = '/usr/sbin/kadmin.local';
# A temporary area into which keytabs should be written.
$TMP = '/var/lib/keytabs';
# Set to zero to suppress syslog logging, which is used only for testing.
$SYSLOG = 1 unless defined $SYSLOG;
##############################################################################
# Logging
##############################################################################
# Log a failure message to both syslog and to stderr and exit with a non-zero
# status.
sub error {
my $message = join ('', @_);
syslog ('err', '%s', $message) if $SYSLOG;
die "keytab-backend: $message\n";
}
##############################################################################
# Implementation
##############################################################################
# Check and download the keytab. This is in a subroutine call for easier
# testing. We separately log actions unless $SYSLOG is set to 0. remctld
# keeps some logs, but it won't tell us whether the download is successful or
# not.
sub download {
my (@args) = @_;
openlog ('keytab-backend', 'pid', 'auth') if $SYSLOG;
# Set up a default identity if run from the command line.
$ENV{REMOTE_USER} = getpwnam ($<) || 'UNKNOWN' unless $ENV{REMOTE_USER};
# Read the regexes of valid principals into memory.
open (CONFIG, '<', $CONFIG) or error "cannot open $CONFIG: $!";
my @valid;
while (<CONFIG>) {
next if /^\s*\#/;
next if /^\s*$/;
s/^\s+//;
s/\s+$//;
s/\s*\#.*//;
push (@valid, qr/$_/);
}
close CONFIG;
# The first argument will be the remctl service, so skip it.
if (@args == 2) {
shift @args;
}
if (@args != 1) {
error "invalid arguments: @args";
}
my $principal = $args[0];
# Ensure that we're allowed to retrieve this principal.
unless ($principal =~ m%^[\w-]+(?:/[\w.-]+)?\@[\w.-]+\z%) {
error "bad principal name $principal";
}
my $okay;
for my $regex (@valid) {
if ($principal =~ /$regex/) {
$okay = 1;
last;
}
}
unless ($okay) {
error "permission denied: $ENV{REMOTE_USER} may not retrieve"
. " $principal";
}
# Do the actual work.
my $filename = "$TMP/keytab$$";
my $command = "ktadd -q -norandkey -k $filename $principal";
my $output = `$KADMIN -q '$command' 2>&1`;
if ($? != 0) {
my $status = ($? >> 8);
warn $output;
error "retrieve of $principal failed for $ENV{REMOTE_USER}:"
. " kadmin.local exited with status $status";
}
open (KEYTAB, '<', $filename)
or error "cannot open temporary keytab $filename: $!";
print while <KEYTAB>;
close KEYTAB;
unlink $filename;
syslog ('info', '%s', "keytab $principal retrieved by $ENV{REMOTE_USER}")
if $SYSLOG;
}
download (@ARGV);
__END__
##############################################################################
# Documentation
##############################################################################
=head1 NAME
keytab-backend - Extract keytabs from the KDC without changing the key
=head1 SYNOPSIS
B<keytab-backend> retrieve I<principal>
=head1 DESCRIPTION
B<keytab-backend> retrieves a keytab for an existing principal from the KDC
database without changing the current key. It allows generation of a keytab
for a service without rekeying that service. It requires a B<kadmin.local>
patched to support the B<-norandkey> option to B<ktadd>.
This script is intended to run under B<remctld>. On success, it prints the
keytab to standard output, logs a success message to syslog (facility auth,
priority info), and exits with status 0. On failure, it prints out an error
message, logs an error to syslog (facility auth, priority err), and exits
with a non-zero status.
The principal is checked for basic sanity (only accepting alphanumerics,
C<_>, and C<-> with an optional instance and then only alphanumerics, C<_>,
C<->, and C<.> in the realm) and then checked against a configuration file
that lists regexes of principals that can be retrieved. When deploying this
software, limit as tightly as possible which principals can be downloaded in
this fashion. Generally only shared service principals used on multiple
systems should be made available in this way.
B<keytab-backend> does not do any authorization checks. Those should be done
by B<remctld> before it is called.
=head1 FILES
=over 4
=item F</etc/krb5kdc/allow-extract>
The configuration file that controls which principals can have their keytabs
retrieved. Blank lines and lines starting with C<#>, as well as anything
after C<#> on a line, are ignored. All other lines should be Perl regular
expressions, one per line, that match principals whose keytabs can be
retrieved by B<keytab-backend>. Any principal that does not match one of
those regular expressions cannot be retrieved.
=item F</var/lib/keytabs>
The temporary directory used for creating keytabs. B<keytab-backend> will
create the keytab in this directory, make sure that was successful, and then
delete the temporary file after the results have been sent to standard
output.
=back
=head1 SEE ALSO
kadmin.local(8), remctld(8)
This program is part of the wallet system. The current version is available
from L<http://www.eyrie.org/~eagle/software/wallet/>.
=head1 AUTHOR
Russ Allbery <rra@stanford.edu>
=cut
|
