authorSimo Sorce <simo@redhat.com>2015-12-18 18:13:29 -0500
committerGreg Hudson <ghudson@mit.edu>2016-02-19 15:45:32 -0500
commit534db9834d6a77dc5e948e12844e72ba4e971e8c (patch)
tree4824f89f09dfb9bedeeaa1ff9e7b235b6c21ceaa /src/util
parent8a64a49c3c836a2f4f03a0cbbdb89cfde9b29d1d (diff)
Add the ability to lock down principal keys
A new attribute named KRB5_KDC_LOCKDOWN_KEYS can be set on principals. This flag prevents keys for the principal from being extracted or set to a known value by the kadmin protocol. Principals with this flag cannot be deleted or renamed, and cannot have keys set by setkey or chpass. chrand operations are allowed, but keys are not returned. This attribute can be set via the modify operation but cannot be cleared; an authorization error is returned if an attempt to clear it is made. When creating a KDB, set the lockdown flag on the krbtgt and kadmin principals. [ghudson@mit.edu: squash with t_kadmin_acl.py commit; condense commit message] ticket: 8365 (new)
Diffstat (limited to 'src/util')
-rw-r--r--src/util/princflags.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/util/princflags.py b/src/util/princflags.py
index 16485c5..f568dd2 100644
--- a/src/util/princflags.py
+++ b/src/util/princflags.py
@@ -26,6 +26,7 @@ KRB5_KDB_NEW_PRINC = 0x00008000
KRB5_KDB_OK_AS_DELEGATE = 0x00100000
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE = 0x00200000
KRB5_KDB_NO_AUTH_DATA_REQUIRED = 0x00400000
+KRB5_KDB_LOCKDOWN_KEYS = 0x00800000
# Input tables -- list of tuples of the form (name, flag, invert)
@@ -47,6 +48,7 @@ _kadmin_pflags = [
("ok_as_delegate", KRB5_KDB_OK_AS_DELEGATE, False),
("ok_to_auth_as_delegate", KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, False),
("no_auth_data_required", KRB5_KDB_NO_AUTH_DATA_REQUIRED, False),
+ ("lockdown_keys", KRB5_KDB_LOCKDOWN_KEYS, False),
]
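Review bot: The new `("lockdown_keys", KRB5_KDB_LOCKDOWN_KEYS, False)` entry carries invert=False like its neighbours, which, as far as this input table shows, lets the name be given in both the set and the clear form, while the commit message says that clearing the flag is refused by kadmind with an authorization error. A one-line comment on the entry would stop a maintainer from expecting a clear request to succeed or from adding an inverted alias: `# Clearing lockdown_keys is refused by kadmind (ticket 8365); only setting it is meaningful.`. The enforcement itself lives server-side and is not part of this file, so nothing in the table needs to change. The value 0x00800000 in the first hunk presumably mirrors kdb.h and should be kept in step with it.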
# Input forms from lib/kadm5/str_conv.c
@@ -67,6 +69,7 @@ _strconv_pflags = [
("md5", KRB5_KDB_SUPPORT_DESMD5, False),
("ok-to-auth-as-delegate", KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, False),
("no-auth-data-required", KRB5_KDB_NO_AUTH_DATA_REQUIRED, False),
+ ("lockdown-keys", KRB5_KDB_LOCKDOWN_KEYS, False),
]
# kdb.h symbol prefix