Beispiel #1
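/*
 * Fetch a v5 service ticket for name/inst@realm from the default credential
 * cache and, when c is non-NULL (and HAVE_KRB4), hand it to krb524 to be
 * converted into a v4 credential.
 *
 * On success *creds holds the v5 ticket (the caller releases it with
 * krb5_free_creds) and, if c != NULL under HAVE_KRB4, *c holds the v4
 * conversion.  Returns 0, or a krb5_error_code cast to int.
 *
 * The client principal read from the ccache is kept in a function-static
 * that the next call frees and refills, and the ccache handle lives in the
 * file-level _krb425_ccache, opened lazily here: the function is neither
 * reentrant nor thread-safe.
 *
 * NOTE(review): with c != NULL the session key enctype is forced to
 * DES-CBC-CRC because that is all v4 understands.  Single DES is a weak,
 * deprecated cipher; this path should only be reachable where v4
 * compatibility is genuinely required.
 *
 * Fixes relative to the previous version: increds.server, allocated by
 * krb5_build_principal, was never freed (leaked on every call), and a
 * failed krb5_cc_get_principal closed _krb425_ccache without resetting it,
 * so the next call would use a closed handle.
 */
static int get_v5cred(krb5_context context,
                      char *name, char *inst, char *realm, CREDENTIALS *c,
                      krb5_creds **creds)
{
    krb5_creds increds;
    krb5_error_code r;
    static krb5_principal client_principal = 0;

    /* Release the client principal cached by the previous call. */
    if (client_principal) {
        krb5_free_principal(context, client_principal);
        client_principal = 0;
    }

    memset(&increds, 0, sizeof(increds));

    /* An empty instance yields a single-component service name. */
    r = krb5_build_principal(context, &increds.server,
                             (int)strlen(realm), realm,
                             name,
                             (inst && strlen(inst)) ? inst : 0,
                             0);
    if (r)
        return (int)r;

    if (!_krb425_ccache) {
        r = krb5_cc_default(context, &_krb425_ccache);
        if (r)
            goto out;
    }
    if (!client_principal) {
        r = krb5_cc_get_principal(context, _krb425_ccache, &client_principal);
        if (r) {
            /* Reset the handle so the next call reopens the cache instead
             * of reusing the one just closed. */
            krb5_cc_close(context, _krb425_ccache);
            _krb425_ccache = 0;
            goto out;
        }
    }

    /* increds.client merely aliases the static; only increds.server is
     * owned by this frame and must not be freed via krb5_free_cred_contents. */
    increds.client = client_principal;
    increds.times.endtime = 0;
    /* Ask for DES since that is what V4 understands */
    if (c != NULL)
        increds.session.keytype = ENCTYPE_DES_CBC_CRC;

    r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
    if (r)
        goto out;
#ifdef HAVE_KRB4
    /* This requires krb524d to be running with the KDC */
    if (c != NULL)
        r = krb5_524_convert_creds(context, *creds, c);
#endif

out:
    /* krb5_get_credentials fills *creds with its own copy of the request
     * (MIT semantics; *creds does not borrow increds.server), so the
     * principal built above is ours to release on every path. */
    krb5_free_principal(context, increds.server);
    return (int)r;
}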
Beispiel #2
/*
 * Forwarding wrapper: converts the v5 credential v5creds into the v4
 * credential *v4creds by delegating to krb5_524_convert_creds, and returns
 * that call's result unchanged.
 */
int KRB5_CALLCONV_WRONG
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds, struct credentials *v4creds)
{
	int rc;

	rc = krb5_524_convert_creds(context, v5creds, v4creds);
	return rc;
}
Beispiel #3
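#if defined(HAVE_KRB5_524_CONVERT_CREDS) || \
    defined(HAVE_KRB524_CONVERT_CREDS_KDC)
/* Select the one 524 conversion entry point this build provides.  Both have
 * the same signature and were previously driven by two identical copies of
 * the conversion code; krb5_524_convert_creds wins when both are present,
 * as before. */
#ifdef HAVE_KRB5_524_CONVERT_CREDS
#define V4_CONVERT_524(ctx, in, out) krb5_524_convert_creds((ctx), (in), (out))
#else
#define V4_CONVERT_524(ctx, in, out) krb524_convert_creds_kdc((ctx), (in), (out))
#endif
#endif

/*
 * Obtain Kerberos v4 credentials for the user and store them in
 * stash->v4creds, setting stash->v4present on success.
 *
 * Two strategies are tried in order:
 *   1. If options->v4_use_524 is set (and a 524 conversion routine was
 *      compiled in): fetch a DES-CBC-CRC v5 credential and convert it via
 *      the krb524 path.  If no DES credential can be obtained, a copy of
 *      the existing stash->v5creds is offered for conversion instead.
 *   2. If a password is available and options->v4_use_as_req is set: run
 *      a v4 initial-ticket exchange through _pam_krb5_v4_init.
 *
 * Returns PAM_SUCCESS when either strategy yields v4 credentials, otherwise
 * PAM_AUTH_ERR.  When result is non-NULL it receives 0 on a successful
 * conversion; on the AS-REQ path it is passed through to _pam_krb5_v4_init.
 * pamh is accepted for interface compatibility and is not used here.
 *
 * NOTE(review): the v4 protocol only supports single-DES keys, which is
 * why ENCTYPE_DES_CBC_CRC is requested below.  DES is weak and deprecated;
 * both v4_use_524 and v4_use_as_req should be left off unless a legacy
 * v4-only service still has to be supported.
 */
int
v4_get_creds(krb5_context ctx,
	     pam_handle_t *pamh,
	     struct _pam_krb5_stash *stash,
	     struct _pam_krb5_user_info *userinfo,
	     struct _pam_krb5_options *options,
	     char *password,
	     int *result)
{
	int i;
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || \
    defined(HAVE_KRB524_CONVERT_CREDS_KDC)
	krb5_creds *v4_compat_creds, *in_creds;

	v4_compat_creds = NULL;

	if (options->v4_use_524) {
		if (options->debug) {
			debug("obtaining v4-compatible key");
		}
		/* We need a DES-CBC-CRC v5 credential to convert to a proper v4
		 * credential. */
		i = v5_get_creds_etype(ctx, userinfo, options, &stash->v5creds,
				       ENCTYPE_DES_CBC_CRC, &v4_compat_creds);
		if (i == 0) {
			if (options->debug) {
				debug("obtained des-cbc-crc v5 creds");
			}
			in_creds = v4_compat_creds;
		} else {
			if (options->debug) {
				debug("failed to obtain des-cbc-crc v5 creds: "
				      "%d (%s)", i, v5_error_message(i));
			}
			in_creds = NULL;
			/* Fall back to a copy of the credential we already
			 * hold; the conversion below decides whether it is
			 * usable. */
			if (v5_creds_check_initialized(ctx,
						       &stash->v5creds) == 0) {
				i = krb5_copy_creds(ctx, &stash->v5creds,
						    &in_creds);
				if (i != 0) {
					/* Previously ignored.  Do not trust the
					 * out-parameter after a failed copy;
					 * report and skip conversion instead. */
					in_creds = NULL;
					if (options->debug) {
						debug("failed to copy v5 creds: "
						      "%d (%s)", i,
						      v5_error_message(i));
					}
				}
			}
		}
		if (options->debug) {
			debug("converting v5 creds to v4 creds (etype = %d)",
			      in_creds ? v5_creds_get_etype(in_creds) : 0);
		}
		/* in_creds (either v4_compat_creds or the copy above) is
		 * owned by this frame and released on both outcomes. */
		if ((in_creds != NULL) &&
		    (v5_creds_check_initialized(ctx, in_creds) == 0)) {
			i = V4_CONVERT_524(ctx, in_creds, &stash->v4creds);
			if (i == 0) {
				if (options->debug) {
					debug("conversion succeeded");
				}
				stash->v4present = 1;
				if (result) {
					*result = i;
				}
				krb5_free_creds(ctx, in_creds);
				return PAM_SUCCESS;
			}
			if (options->debug) {
				debug("conversion failed: %d (%s)",
				      i, v5_error_message(i));
			}
			krb5_free_creds(ctx, in_creds);
		}
	}
#endif
	if ((password != NULL) && (options->v4_use_as_req)) {
		if (options->debug) {
			debug("attempting to obtain initial v4 creds");
		}
		/* Legacy v4 AS exchange: the user's password is used directly
		 * to obtain a v4 ticket-granting ticket. */
		i = _pam_krb5_v4_init(ctx, stash, userinfo, options,
				      KRB5_TGS_NAME, NULL, password, result);
		if (i == PAM_SUCCESS) {
			if (options->debug) {
				debug("initial v4 creds obtained");
			}
			stash->v4present = 1;
			return PAM_SUCCESS;
		}
		if (options->debug) {
			debug("could not obtain initial v4 creds: %d (%s)",
			      i, v5_error_message(i));
		}
	}
	return PAM_AUTH_ERR;
}

#ifdef V4_CONVERT_524
#undef V4_CONVERT_524
#endif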