This document references, accompanies and extends the password changing protocol document, "A Proposal for a Standardized Kerberos Password Changing Protocol" by Theodore Ts'o. Administrative Command Extensions to the Password Changing Protocol =================================================================== The following commands and their accompanying definitions are an extension to the password changing protocol which allow remote administrative clients to perform functions analogous to those which are performed using the local database editing utility. These commands are encoded in the "command request" PDU described in the password changing protocol, and the server's responses to these commands are encoded in the "command reply" PDU. These commands are (optional commands are marked with an asterisk, new or changed commands are marked with a plus sign): ADD-PRINCIPAL DELETE-PRINCIPAL RENAME-PRINCIPAL MODIFY-PRINCIPAL OTHER-CHANGEPW OTHER-RANDOM-CHANGEPW INQUIRE-PRINCIPAL EXTRACT-KEY (*+) ADD-KEY (+) DELETE-KEY (+) In order to support these additional commands, the following additional status codes are also defined: Number Symbolic Name Meaning 64 P_ALREADY_EXISTS The specified principal already exists. 65 P_DOES_NOT_EXIST The specified principal does not exist. 66 NOT_AUTHORIZED The access control list on the server prevents this operation. 67 BAD_OPTION Either: 1) A bad option was specified; 2) A conflicting set of options would result from this operation; or 3) Existing options prevent this type of operation. 68 VALUE_REQUIRED The specified option requires a value. 69 SYSTEM_ERROR A system error occurred while processing a request. 70(+) KEY_ALREADY_EXISTS The specified key already exists. 71(+) KEY_DOES_NOT_EXIST The specified key does not exist. The add principal operation --------------------------- o Command String "ADD-PRINCIPAL" o Arguments - name of new principal - either "KEYWORD=value" or "KEYWORD". . . . o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_ALREADY_EXISTS - new principal already exists BAD_OPTION - bad option supplied VALUE_REQUIRED - value required with keyword o Supplemental Returns NONE - if successful error message text - if failure o Description If the specified principal does not exist, the arguments parse correctly, and the arguments when combined with defaulted values do not produce a conflicting set of options then add the specified principal with the specified attributes. See below for the list of settable attributes. o Access Required Client principal must have ADD_PRINCIPAL permission. The delete principal operation ------------------------------ o Command String "DELETE-PRINCIPAL" o Argument - principal to delete o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - old principal does not exist o Supplemental returns NONE - if successful error message text - if failure o Description If the specified principal exists, then delete it from the database. o Access Required Client principal must have DELETE_PRINCIPAL permission. The rename principal operation ------------------------------ o Command String "RENAME-PRINCIPAL" o Arguments - original name - new name o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - old principal does not exist P_ALREADY_EXISTS - new principal already exists o Supplemental Returns NONE - if successful error message text - if failure o Description If the original principal exists and the new principal name does not exist, rename the original principal to the specified name. o Access Required Client principal must have ADD_PRINCIPAL and DELETE_PRINCIPAL permission. The modify principal operation ------------------------------ o Command String "MODIFY-PRINCIPAL" o Arguments - name of principal - either KEYWORD=value or KEYWORD. . . . o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - principal doesn't exist BAD_OPTION - bad option supplied VALUE_REQUIRED - value required with keyword o Supplemental returns NONE - if successful error message text - if failure o Description If the specified principal exists, the arguments parse correctly, and the arguments when combined with existing values do not produce a conflicting set of options, then modify the specified principal with the specified attributes. See below for the list of settable attributes. o Access Required Client principal must have MODIFY_PRINCIPAL permission. The change password operation ----------------------------- o Command String "OTHER-CHANGEPW" o Arguments - principal to change password for - new password o Returns SUCCESS - operation successful PW_UNACCEPT - specified password is bad SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - old principal does not exist BAD_OPTION - principal has a random key o Supplemental returns NONE - if successful error message text - if failure o Description If the specified principal exists, and does not have a random key, then change the password to the specified password. The original password is NOT required. o Access Required Client principal must have CHANGEPW permission. The change random password command ---------------------------------- o Command String "OTHER-RANDOM-CHANGEPW" o Argument - principal to change password for o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - old principal does not exist BAD_OPTION - principal does not have a random key o Supplemental Returns NONE - if successful error message text - if failure o Description If the specified principal exists, and has a random key, then generate a new random password. The original password is NOT required. o Access Required Client principal must have CHANGEPW permission. The inquire principal command ----------------------------- o Command String "INQUIRE-PRINCIPAL" o Argument - name of principal or null argument o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - principal doesn't exist o Supplemental Returns If the return is SUCCESS - name of next principal in database - KEYWORD=value list . . . Otherwise error message text - if failure o Description If a principal is specified, then the database is searched for that particular principal and its attributes are returned as keyword-value pairs. If no principal is specified, then the first database entry is returned. The name of the next principal in the database is always returned to allow for scanning. See below for the list of attributes that can be returned. o Access Required Client principal must have INQUIRE_PRINCIPAL permission. The OPTIONAL extract service key table entry command ---------------------------------------------------- o Command String "EXTRACT-KEY" o Arguments - instance to extract for - name to extract for o Returns SUCCESS - operation successful CMD_UNKNOWN - operation not supported by server SYSTEM_ERROR - system error NOT_AUTHORIZED - not allowed to perform this P_DOES_NOT_EXIST - principal does not exist o Supplemental Returns - if successful error message text - if failure o Description If the specified name/instance exists in the database, then extract the service key entry and return it in . The description of follows below. o Access Required Client principal must have EXTRACT permission. The add key operation --------------------- o Command String "ADD-KEY" o Arguments - name of the principal - current password value - name of the key in the form :. . . . o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not authorized to perform this KEY_ALREADY_EXISTS - one or more of the specified keytypes already exist. BAD_OPTION - bad keytype:saltype specified BAD_PW - supplied password is incorrect o Supplemental Returns NONE - if successful error message text - if failure o Description If the specified principal exists, the keyname(s) parse correctly the specified password is successfully verified against the existing key(s), and the specified keyname(s) do not exist, then these keytype(s) are added to the principal. o Access Required Client principal must have MODIFY_PRINCIPAL permission. The delete key operation ------------------------ o Command String "DELETE-KEY" o Arguments - name of the principal - current password value - name of the key in the form :, or name of the key in the form :: . . . o Returns SUCCESS - operation successful SYSTEM_ERROR - system error NOT_AUTHORIZED - not authorized to perform this KEY_DOES_NOT_EXIST - one or more of the specified keytypes do not exist. BAD_OPTION - bad keytype:saltype specified BAD_PW - supplied password is incorrect o Supplemental Returns NONE - if successful error message text - if failure o Description If the specified principal exists, the keyname(s) parse correctly the specified password is successfully verified against the existing key(s), and the specified keyname(s) exist, then they are deleted from the principal. o Access Required Client principal must have MODIFY_PRINCIPAL permission. Keywords -------- The following list of keywords are used for the ADD-PRINCIPAL and MODIFY-PRINCIPAL commands and are returned from the INQUIRE-PRINCIPAL command. Valid Keyword Value Type Value ------- --------------- --------------- -------------------------------------- (S) PASSWORD New password. (SR) MAXLIFE The maximum lifetime of tickets for this principal in seconds. (SR) MAXRENEWLIFE The maximum renewable lifetime of tickets for this principal in seconds. (SR) EXPIRATION When the new principal expires. (SR) PWEXPIRATION When the password expires for this principal. (SR) RANDOMKEY Specifies that this is to have a random key generated for it. (SR) FLAGS Specifies flag value for this principal's attributes field in the database. (R) LASTSUCCESS Last successful password entry. (R) LASTFAILED Last failed password attempt. (R) FAILCOUNT Number of failed password attempts. (SR) AUXDATA Tagged auxiliary value (see below) (R) KEYDATA Key value (see below) (SR) EXTRADATA Extra data (see below) The valid field indicates whether an attribute is Settable (e.g. appropriate for use with ADD-PRINCIPAL, et. al.; Returnable (e.g. returned by INQUIRE-PRINCIPAL); or both Settable and Returnable. o The type denotes data which is stored in the database as a tagged value. The protocol representation consists of a 4-byte network order integer to denote the tag with the remaining data providing the value. If encoded data is to be encapsulated, it must be in network order. In summary: AUXDATA= For example, to encode the value for tag 1 with a 4-byte value of 32 71 1e 30 in network order, the encoding would be: AUXDATA=00 00 00 01 32 71 1e 30 o The type denotes data which is stored in the database on a per-key basis. The protocol representation is consists of a 4-byte network order integer to denote a particular key. This integer is implementation dependent and is only used to correlate different entries. This integer is followed by a 4-byte network order integer which denotes the attribute type. Currently, only three are supported: -1 denotes the key version; 1 denotes the key type and 2 denotes the salt type. This attribute type integer is followed by the attribute value and an optional per-attribute value. In summary: KEYDATA=[] For example, to encode the value of a key with keytype 3, salttype 5, with key version number 32, key data of 12 34 56 78 90 ab cd ef and salt data of f0 e1 d2 c3 b4 a5 96 87, the encoding would be (using key-tag de ad be ef): (key version number 32) KEYDATA=de ad be ef ff ff ff ff 00 00 00 20 (key keytype 3, value 1234567890abcdef) KEYDATA=de ad be ef 00 00 00 01 00 00 00 03 12 34 56 78 90 ab cd ef (key salttype 5, value f0e1d2c3b4a59687) KEYDATA=de ad be ef 00 00 00 02 00 00 00 05 f0 e1 d2 c3 b4 a5 96 87 o The type is exactly that. Unspecified. Any data may be encoded here without restriction. Keytab Entry ------------ If the EXTRACT SERVICE KEY function is supported, then the successful response to this command is the key entry. This is a series of 6 reply components as follows: component type value --------- --------------- ----------------------------------------- 1 Principal name 2 Key entry timestamp 3 Key's version number. 4 Key's keytype. 5 Key's encryption type. 6 Key's key value. All of these components are mandatory.