add krb5 support
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@5876 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska H<>gskolan
|
||||
* Copyright (c) 1995-1999 Kungliga Tekniska H<>gskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@@ -43,13 +43,146 @@ RCSID("$Id$");
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
#include <pwd.h>
|
||||
#ifdef KRB5
|
||||
#include <krb5.h>
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
#include <krb.h>
|
||||
#include <kafs.h>
|
||||
#endif
|
||||
#include <roken.h>
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
#if 0
|
||||
static char krb5ccname[128];
|
||||
#endif
|
||||
static char krbtkfile[128];
|
||||
|
||||
#ifdef KRB4
|
||||
static void
|
||||
set_krbtkfile(uid_t uid)
|
||||
{
|
||||
snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
|
||||
krb_set_tkt_string (krbtkfile);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef KRB5
|
||||
static int
|
||||
verify_krb5(struct passwd *pwd,
|
||||
char *password,
|
||||
int32_t *exp,
|
||||
int quiet)
|
||||
{
|
||||
krb5_context context;
|
||||
krb5_error_code ret;
|
||||
char ticket[128];
|
||||
krb5_ccache ccache;
|
||||
krb5_principal principal;
|
||||
krb5_realm realm;
|
||||
|
||||
krb5_init_context(&context);
|
||||
|
||||
krb5_get_default_realm(context, &realm);
|
||||
krb5_make_principal(context, &principal, realm, pwd->pw_name, NULL);
|
||||
|
||||
if(!krb5_kuserok(context, principal, pwd->pw_name)) {
|
||||
syslog(LOG_AUTH|LOG_DEBUG, "krb5_kuserok failed");
|
||||
goto out;
|
||||
}
|
||||
/* XXX this has to be the default cache name, since the KRB5CCNAME
|
||||
environment variable isn't exported by login/xdm
|
||||
*/
|
||||
snprintf(ticket, sizeof(ticket), "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
|
||||
ret = krb5_cc_resolve(context, ticket, &ccache);
|
||||
if(ret) {
|
||||
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = krb5_verify_user(context,
|
||||
principal,
|
||||
ccache,
|
||||
password,
|
||||
TRUE,
|
||||
NULL);
|
||||
if(ret) {
|
||||
syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
goto out;
|
||||
}
|
||||
if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
|
||||
syslog(LOG_AUTH|LOG_DEBUG, "chown: %s",
|
||||
krb5_get_err_text(context, errno));
|
||||
goto out;
|
||||
}
|
||||
|
||||
#ifdef KRB4
|
||||
{
|
||||
CREDENTIALS c;
|
||||
krb5_creds mcred, cred;
|
||||
|
||||
krb5_make_principal(context, &mcred.server, realm,
|
||||
"krbtgt",
|
||||
realm,
|
||||
NULL);
|
||||
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
|
||||
if(ret == 0) {
|
||||
ret = krb524_convert_creds_kdc(context, &cred, &c);
|
||||
if(ret)
|
||||
krb5_warn(context, ret, "converting creds");
|
||||
else {
|
||||
set_krbtkfile(pwd->pw_uid);
|
||||
tf_setup(&c, c.pname, c.pinst);
|
||||
}
|
||||
memset(&c, 0, sizeof(c));
|
||||
krb5_free_creds_contents(context, &cred);
|
||||
} else
|
||||
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s",
|
||||
krb5_get_err_text(context, ret));
|
||||
|
||||
krb5_free_principal(context, mcred.server);
|
||||
}
|
||||
if (k_hasafs()) {
|
||||
k_setpag();
|
||||
krb5_afslog_uid_home(context, ccache, NULL, NULL,
|
||||
pwd->pw_uid, pwd->pw_dir);
|
||||
}
|
||||
#endif
|
||||
|
||||
out:
|
||||
if(ret && !quiet)
|
||||
printf ("%s\n", krb5_get_err_text (context, ret));
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef KRB4
|
||||
static int
|
||||
verify_krb4(struct passwd *pwd,
|
||||
char *password,
|
||||
int32_t *exp,
|
||||
int quiet)
|
||||
{
|
||||
int ret = 1;
|
||||
char lrealm[REALM_SZ];
|
||||
|
||||
if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
|
||||
set_krbtkfile(pwd->pw_uid);
|
||||
ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
|
||||
KRB_VERIFY_SECURE, NULL);
|
||||
if (ret == KSUCCESS) {
|
||||
if (k_hasafs()) {
|
||||
k_setpag ();
|
||||
krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
|
||||
}
|
||||
} else if (!quiet)
|
||||
printf ("%s\n", krb_get_err_text (ret));
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
afs_verify(char *name,
|
||||
@@ -57,35 +190,24 @@ afs_verify(char *name,
|
||||
int32_t *exp,
|
||||
int quiet)
|
||||
{
|
||||
int ret = 1;
|
||||
char lrealm[REALM_SZ];
|
||||
char tkt_string[MaxPathLen];
|
||||
struct passwd *pwd;
|
||||
|
||||
if (krb_get_lrealm (lrealm, 1) != KFAILURE &&
|
||||
(pwd = k_getpwnam (name)) != NULL) {
|
||||
snprintf (tkt_string, sizeof(tkt_string),
|
||||
"%s%d_%d", TKT_ROOT,
|
||||
(unsigned)pwd->pw_uid, (unsigned)getpid());
|
||||
krb_set_tkt_string (tkt_string);
|
||||
ret = krb_verify_user (name, "", lrealm, password,
|
||||
KRB_VERIFY_SECURE, NULL);
|
||||
if (ret == KSUCCESS) {
|
||||
if (k_hasafs()) {
|
||||
k_setpag ();
|
||||
krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
|
||||
}
|
||||
} else if (!quiet)
|
||||
printf ("%s\n", krb_get_err_text (ret));
|
||||
}
|
||||
if (ret)
|
||||
ret = unix_verify_user (name, password);
|
||||
|
||||
return ret;
|
||||
int ret = 1;
|
||||
struct passwd *pwd = k_getpwnam (name);
|
||||
if(pwd == NULL)
|
||||
return 1;
|
||||
#ifdef KRB5
|
||||
ret = verify_krb5(pwd, password, exp, quiet);
|
||||
#endif
|
||||
#ifdef KRB4
|
||||
if(ret)
|
||||
ret = verify_krb4(pwd, password, exp, quiet);
|
||||
#endif
|
||||
if (ret)
|
||||
ret = unix_verify_user (name, password);
|
||||
return ret;
|
||||
}
|
||||
|
||||
char *
|
||||
afs_gettktstring (void)
|
||||
{
|
||||
return tkt_string ();
|
||||
return krbtkfile;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user