add krb5 support

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@5876 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/auth/afskauthlib/verify.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1995-1999 Kungliga Tekniska H<>gskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -43,13 +43,146 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <sys/types.h>
 #include <pwd.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
 #include <krb.h>
 #include <kafs.h>
+#endif
 #include <roken.h>
 
-/*
+#if 0
- *
+static char krb5ccname[128];
- */
+#endif
+static char krbtkfile[128];
+
+#ifdef KRB4
+static void
+set_krbtkfile(uid_t uid)
+{
+    snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+    krb_set_tkt_string (krbtkfile);
+}
+#endif
+
+
+#ifdef KRB5
+static int
+verify_krb5(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    krb5_context context;
+    krb5_error_code ret;
+    char ticket[128];
+    krb5_ccache ccache;
+    krb5_principal principal;
+    krb5_realm realm;
+    
+    krb5_init_context(&context);
+
+    krb5_get_default_realm(context, &realm);
+    krb5_make_principal(context, &principal, realm, pwd->pw_name, NULL);
+
+    if(!krb5_kuserok(context, principal, pwd->pw_name)) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_kuserok failed");
+	goto out;
+    }
+    /* XXX this has to be the default cache name, since the KRB5CCNAME
+       environment variable isn't exported by login/xdm
+       */
+    snprintf(ticket, sizeof(ticket), "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
+    ret = krb5_cc_resolve(context, ticket, &ccache);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+
+    ret = krb5_verify_user(context,
+			   principal,
+			   ccache,
+			   password,
+			   TRUE,
+			   NULL);
+    if(ret) {
+	syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", 
+	       krb5_get_err_text(context, ret));
+	goto out;
+    }
+    if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
+	syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", 
+	       krb5_get_err_text(context, errno));
+	goto out;
+    }
+
+#ifdef KRB4
+    {
+	CREDENTIALS c;
+	krb5_creds mcred, cred;
+
+	krb5_make_principal(context, &mcred.server, realm,
+			    "krbtgt",
+			    realm,
+			    NULL);
+	ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
+	if(ret == 0) {
+	    ret = krb524_convert_creds_kdc(context, &cred, &c);
+	    if(ret)
+		krb5_warn(context, ret, "converting creds");
+	    else {
+		set_krbtkfile(pwd->pw_uid);
+		tf_setup(&c, c.pname, c.pinst); 
+	    }
+	    memset(&c, 0, sizeof(c));
+	    krb5_free_creds_contents(context, &cred);
+	} else
+	    syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", 
+		   krb5_get_err_text(context, ret));
+	    
+	krb5_free_principal(context, mcred.server);
+    }
+    if (k_hasafs()) {
+	k_setpag();
+	krb5_afslog_uid_home(context, ccache, NULL, NULL, 
+			     pwd->pw_uid, pwd->pw_dir);
+    }
+#endif
+    
+out:
+    if(ret && !quiet)
+	printf ("%s\n", krb5_get_err_text (context, ret));
+    return ret;
+}
+#endif
+
+#ifdef KRB4
+static int
+verify_krb4(struct passwd *pwd,
+	    char *password,
+	    int32_t *exp,
+	    int quiet)
+{
+    int ret = 1;
+    char lrealm[REALM_SZ];
+    
+    if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
+	set_krbtkfile(pwd->pw_uid);
+	ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
+			       KRB_VERIFY_SECURE, NULL);
+	if (ret == KSUCCESS) {
+	    if (k_hasafs()) {
+		k_setpag ();
+		krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
+	    }
+	} else if (!quiet)
+	    printf ("%s\n", krb_get_err_text (ret));
+    }
+    return ret;
+}
+#endif
 
 int
 afs_verify(char *name,
@@ -57,35 +190,24 @@ afs_verify(char *name,
 	   int32_t *exp,
 	   int quiet)
 {
-  int ret = 1;
+    int ret = 1;
-  char lrealm[REALM_SZ];
+    struct passwd *pwd = k_getpwnam (name);
-  char tkt_string[MaxPathLen];
+    if(pwd == NULL)
-  struct passwd *pwd;
+	return 1;
-
+#ifdef KRB5
-  if (krb_get_lrealm (lrealm, 1) != KFAILURE &&
+    ret = verify_krb5(pwd, password, exp, quiet);
-      (pwd = k_getpwnam (name)) != NULL) {
+#endif
-    snprintf (tkt_string, sizeof(tkt_string),
+#ifdef KRB4
-	      "%s%d_%d", TKT_ROOT,
+    if(ret)
-	      (unsigned)pwd->pw_uid, (unsigned)getpid());
+	ret = verify_krb4(pwd, password, exp, quiet);
-    krb_set_tkt_string (tkt_string);
+#endif
-    ret = krb_verify_user (name, "", lrealm, password,
+    if (ret)
-			   KRB_VERIFY_SECURE, NULL);
+	ret = unix_verify_user (name, password);
-    if (ret == KSUCCESS) {
+    return ret;
-      if (k_hasafs()) {
-	k_setpag ();
-	krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
-      }
-    } else if (!quiet)
-      printf ("%s\n", krb_get_err_text (ret));
-  }
-  if (ret)
-    ret = unix_verify_user (name, password);
-
-  return ret;
 }
 
 char *
 afs_gettktstring (void)
 {
-  return tkt_string ();
+    return krbtkfile;
 }