r18022@luminous: jaltman | 2006-05-19 05:18:37 -0400

[krb5.git] / doc / kadmin / kadmin.protocol

This document references, accompanies and extends the password changing
protocol document, "A Proposal for a Standardized Kerberos Password
Changing Protocol" by Theodore Ts'o.

Administrative Command Extensions to the Password Changing Protocol
===================================================================
The following commands and their accompanying definitions are an
extension to the password changing protocol which allow remote
administrative clients to perform functions analogous to those which
are performed using the local database editing utility. These
commands are encoded in the "command request" PDU described in the
password changing protocol, and the server's responses to these
commands are encoded in the "command reply" PDU.

These commands are (optional commands are marked with an asterisk, new
or changed commands are marked with a plus sign):
        ADD-PRINCIPAL
        DELETE-PRINCIPAL
        RENAME-PRINCIPAL
        MODIFY-PRINCIPAL
        OTHER-CHANGEPW
        OTHER-RANDOM-CHANGEPW
        INQUIRE-PRINCIPAL
        EXTRACT-KEY             (*+)
        ADD-KEY                 (+)
        DELETE-KEY              (+)

In order to support these additional commands, the following additional
status codes are also defined:

Number  Symbolic Name           Meaning
64      P_ALREADY_EXISTS        The specified principal already exists.
65      P_DOES_NOT_EXIST        The specified principal does not exist.
66      NOT_AUTHORIZED          The access control list on the server prevents
                                this operation.
67      BAD_OPTION              Either: 1) A bad option was specified; 2) A
                                conflicting set of options would result from
                                this operation; or 3) Existing options prevent
                                this type of operation.
68      VALUE_REQUIRED          The specified option requires a value.
69      SYSTEM_ERROR            A system error occurred while processing a
                                request.
70(+)   KEY_ALREADY_EXISTS      The specified key already exists.
71(+)   KEY_DOES_NOT_EXIST      The specified key does not exist.

The add principal operation
---------------------------
o Command String                "ADD-PRINCIPAL"
o Arguments
        <new-principal-string>  - name of new principal
        <keyword-value-pair>    - either "KEYWORD=value" or "KEYWORD".
        .
        .
        .
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_ALREADY_EXISTS        - new principal already exists
        BAD_OPTION              - bad option supplied
        VALUE_REQUIRED          - value required with keyword
o Supplemental Returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal does not exist, the arguments parse
        correctly, and the arguments when combined with defaulted values
        do not produce a conflicting set of options then add the specified
        principal with the specified attributes.  See below for the list of
        settable attributes.
o Access Required
        Client principal must have ADD_PRINCIPAL permission.

The delete principal operation
------------------------------
o Command String                "DELETE-PRINCIPAL"
o Argument
        <principal-string>      - principal to delete
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - old principal does not exist
o Supplemental returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal exists, then delete it from the database.
o Access Required
        Client principal must have DELETE_PRINCIPAL permission.

The rename principal operation
------------------------------
o Command String                "RENAME-PRINCIPAL"
o Arguments
        <orig-principal-string> - original name
        <new-principal-string>  - new name
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - old principal does not exist
        P_ALREADY_EXISTS        - new principal already exists
o Supplemental Returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the original principal exists and the new principal name does not
        exist, rename the original principal to the specified name.
o Access Required
        Client principal must have ADD_PRINCIPAL and DELETE_PRINCIPAL
        permission.

The modify principal operation
------------------------------
o Command String                "MODIFY-PRINCIPAL"
o Arguments
        <principal-string>      - name of principal
        <keyword-value-pair>    - either KEYWORD=value or KEYWORD.
        .
        .
        .
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - principal doesn't exist
        BAD_OPTION              - bad option supplied
        VALUE_REQUIRED          - value required with keyword
o Supplemental returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal exists, the arguments parse correctly, and
        the arguments when combined with existing values do not produce a
        conflicting set of options, then modify the specified principal with
        the specified attributes.  See below for the list of settable
        attributes.
o Access Required
        Client principal must have MODIFY_PRINCIPAL permission.

The change password operation
-----------------------------
o Command String                "OTHER-CHANGEPW"
o Arguments
        <principal-string>      - principal to change password for
        <new-password>          - new password
o Returns
        SUCCESS                 - operation successful
        PW_UNACCEPT             - specified password is bad
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - old principal does not exist
        BAD_OPTION              - principal has a random key
o Supplemental returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal exists, and does not have a random key,
        then change the password to the specified password.  The original
        password is NOT required.
o Access Required
        Client principal must have CHANGEPW permission.

The change random password command
----------------------------------
o Command String                "OTHER-RANDOM-CHANGEPW"
o Argument
        <principal-string>      - principal to change password for
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - old principal does not exist
        BAD_OPTION              - principal does not have a random key
o Supplemental Returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal exists, and has a random key, then
        generate a new random password. The original password is NOT
        required.
o Access Required
        Client principal must have CHANGEPW permission.

The inquire principal command
-----------------------------
o Command String                "INQUIRE-PRINCIPAL"
o Argument
        <principal-string>      - name of principal or null argument
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - principal doesn't exist
o Supplemental Returns
    If the return is SUCCESS
        <next-principal-string> - name of next principal in database
        <keyword-value-pair>    - KEYWORD=value list
        .
        .
        .
    Otherwise
        error message text      - if failure
o Description
        If a principal is specified, then the database is searched for that
        particular principal and its attributes are returned as keyword-value
        pairs.  If no principal is specified, then the first database entry
        is returned.  The name of the next principal in the database is always
        returned to allow for scanning.  See below for the list of attributes
        that can be returned.
o Access Required
        Client principal must have INQUIRE_PRINCIPAL permission.

The OPTIONAL extract service key table entry command
----------------------------------------------------
o Command String                "EXTRACT-KEY"
o Arguments
        <instance-string>       - instance to extract for
        <name-string>           - name to extract for
o Returns
        SUCCESS                 - operation successful
        CMD_UNKNOWN             - operation not supported by server
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not allowed to perform this
        P_DOES_NOT_EXIST        - principal does not exist
o Supplemental Returns
        <keytab-entry>          - if successful
        error message text      - if failure
o Description
        If the specified name/instance exists in the database, then
        extract the service key entry and return it in <keytab-entry>.
        The description of <keytab-entry> follows below.
o Access Required
        Client principal must have EXTRACT permission.

The add key operation
---------------------
o Command String                "ADD-KEY"
o Arguments
        <principal-string>      - name of the principal
        <password>              - current password value
        <keyname>               - name of the key in the form
                                  <keytype>:<salttype>.
        .
        .
        .
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not authorized to perform this
        KEY_ALREADY_EXISTS      - one or more of the specified
                                  keytypes already exist.
        BAD_OPTION              - bad keytype:saltype specified
        BAD_PW                  - supplied password is incorrect
o Supplemental Returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal exists, the keyname(s) parse
        correctly the specified password is successfully verified
        against the existing key(s), and the specified keyname(s) do
        not exist, then these keytype(s) are added to the principal.
o Access Required
        Client principal must have MODIFY_PRINCIPAL permission.

The delete key operation
------------------------
o Command String                "DELETE-KEY"
o Arguments
        <principal-string>      - name of the principal
        <password>              - current password value
        <keyname>               - name of the key in the form
                                  <keytype>:<salttype>, or name of the
                                  key in the form <keytype>:<salttype>:
                                  <key-version>
        .
        .
        .
o Returns
        SUCCESS                 - operation successful
        SYSTEM_ERROR            - system error
        NOT_AUTHORIZED          - not authorized to perform this
        KEY_DOES_NOT_EXIST      - one or more of the specified
                                  keytypes do not exist.
        BAD_OPTION              - bad keytype:saltype specified
        BAD_PW                  - supplied password is incorrect
o Supplemental Returns
        NONE                    - if successful
        error message text      - if failure
o Description
        If the specified principal exists, the keyname(s) parse
        correctly the specified password is successfully verified
        against the existing key(s), and the specified keyname(s) 
        exist, then they are deleted from the principal.
o Access Required
        Client principal must have MODIFY_PRINCIPAL permission.

Keywords
--------
The following list of keywords are used for the ADD-PRINCIPAL and
MODIFY-PRINCIPAL commands and are returned from the
INQUIRE-PRINCIPAL command.

Valid   Keyword         Value Type      Value
------- --------------- --------------- --------------------------------------
  (S)   PASSWORD        <string>        New password.
  (SR)  MAXLIFE         <integer>       The maximum lifetime of tickets for
                                        this principal in seconds.
  (SR)  MAXRENEWLIFE    <integer>       The maximum renewable lifetime of
                                        tickets for this principal in seconds.
  (SR)  EXPIRATION      <general-time>  When the new principal expires.
  (SR)  PWEXPIRATION    <general-time>  When the password expires for this
                                        principal.
  (SR)  RANDOMKEY       <integer>       Specifies that this is to have a
                                        random key generated for it.
  (SR)  FLAGS           <integer>       Specifies flag value for this
                                        principal's attributes field in the
                                        database.
  (R)   LASTSUCCESS     <general-time>  Last successful password entry.
  (R)   LASTFAILED      <general-time>  Last failed password attempt.
  (R)   FAILCOUNT       <integer>       Number of failed password attempts.
  (SR)  AUXDATA         <tagged-value>  Tagged auxiliary value (see below)
  (R)   KEYDATA         <key-value>     Key value (see below)
  (SR)  EXTRADATA       <unspecified>   Extra data (see below)

The valid field indicates whether an attribute is Settable (e.g. appropriate
for use with ADD-PRINCIPAL, et. al.; Returnable (e.g. returned by
INQUIRE-PRINCIPAL); or both Settable and Returnable.

o <tagged-value>
The <tagged-value> type denotes data which is stored in the database as a
tagged value.  The protocol representation consists of a 4-byte network order
integer to denote the tag with the remaining data providing the value.  If
encoded data is to be encapsulated, it must be in network order.  In summary:
        AUXDATA=<tag><value>
For example, to encode the value for tag 1 with a 4-byte value of 32 71 1e 30
in network order, the encoding would be:
        AUXDATA=00 00 00 01 32 71 1e 30

o <key-value>
The <key-value> type denotes data which is stored in the database on a per-key
basis.  The protocol representation is consists of a 4-byte network order
integer to denote a particular key.  This integer is implementation dependent
and is only used to correlate different <key-value> entries.  This integer
is followed by a 4-byte network order integer which denotes the attribute type.
Currently, only three are supported: -1 denotes the key version; 1 denotes the
key type and 2 denotes the salt type.  This attribute type integer is followed
by the attribute value and an optional per-attribute value.  In summary:
        KEYDATA=<key-tag><attribute><attribute-value>[<per-attribute-value>]
For example, to encode the value of a key with keytype 3, salttype 5, with key
version number 32, key data of 12 34 56 78 90 ab cd ef and salt data of f0 e1
d2 c3 b4 a5 96 87, the encoding would be (using key-tag de ad be ef):
        (key version number 32)
        KEYDATA=de ad be ef ff ff ff ff 00 00 00 20
        (key keytype 3, value 1234567890abcdef)
        KEYDATA=de ad be ef 00 00 00 01 00 00 00 03 12 34 56 78 90 ab cd ef
        (key salttype 5, value f0e1d2c3b4a59687)
        KEYDATA=de ad be ef 00 00 00 02 00 00 00 05 f0 e1 d2 c3 b4 a5 96 87

o <unspecified>
The <unspecified> type is exactly that.  Unspecified.  Any data may be encoded
here without restriction.

Keytab Entry
------------
If the EXTRACT SERVICE KEY function is supported, then the successful
response to this command is the key entry.  This is a series of 6
reply components as follows:

component       type            value
---------       --------------- -----------------------------------------
        1       <string>        Principal name
        2       <integer>       Key entry timestamp
        3       <integer>       Key's version number.
        4       <integer>       Key's keytype.
        5       <integer>       Key's encryption type.
        6       <octet-string>  Key's key value.

All of these components are mandatory.