static void
krb5_start_session (void)
{
krb5_error_code ret;
char *estr;
ret = krb5_cc_resolve (context, tkfile, &ccache2);
if (ret) {
estr = krb5_get_error_string(context);
syslog(LOG_WARNING, "resolve cred cache %s: %s",
tkfile,
estr ? estr : krb5_get_err_text(context, ret));
free(estr);
krb5_cc_destroy(context, ccache);
return;
}
ret = krb5_cc_copy_cache (context, ccache, ccache2);
if (ret) {
estr = krb5_get_error_string(context);
syslog(LOG_WARNING, "storing credentials: %s",
estr ? estr : krb5_get_err_text(context, ret));
free(estr);
krb5_cc_destroy(context, ccache);
return ;
}
krb5_cc_close(context, ccache2);
krb5_cc_destroy(context, ccache);
return;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
krb5_cc_close(krb_context, ccache);
return;
}
static void
test_mcache(krb5_context context)
{
krb5_error_code ret;
krb5_ccache id, id2;
const char *nc, *tc;
char *c;
krb5_principal p, p2;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
nc = krb5_cc_get_name(context, id);
if (nc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
tc = krb5_cc_get_type(context, id);
if (tc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL)
errx(1, "malloc");
krb5_cc_close(context, id);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret == 0)
krb5_errx(context, 1, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
free(c);
}
VOID
LwTaskFreeCreds(
PLW_TASK_CREDS pCreds /* IN OUT */
)
{
if (pCreds->pKrb5Creds != NULL)
{
LwIoDeleteCreds(pCreds->pKrb5Creds);
}
if (pCreds->pszRestoreCache)
{
LwKrb5SetDefaultCachePath(pCreds->pszRestoreCache, NULL);
LwFreeString(pCreds->pszRestoreCache);
}
if (pCreds->ctx != NULL)
{
if (pCreds->cc != NULL)
{
krb5_cc_destroy(pCreds->ctx, pCreds->cc);
}
krb5_free_context(pCreds->ctx);
}
LwFreeMemory(pCreds);
}
DWORD
SMBKrb5DestroyCache(
PCSTR pszCachePath
)
{
DWORD dwError = 0;
krb5_error_code ret = 0;
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
ret = krb5_init_context(&ctx);
BAIL_ON_LWIO_KRB_ERROR(ctx, ret);
/* use krb5_cc_resolve to get an alternate cache */
ret = krb5_cc_resolve(ctx, pszCachePath, &cc);
BAIL_ON_LWIO_KRB_ERROR(ctx, ret);
ret = krb5_cc_destroy(ctx, cc);
if (ret != 0) {
if (ret != KRB5_FCC_NOFILE) {
BAIL_ON_LWIO_KRB_ERROR(ctx, ret);
} else {
ret = 0;
}
}
error:
if (ctx)
{
krb5_free_context(ctx);
}
return(dwError);
}
DWORD
VMCALogOutPrivate(
)
/*
Executes Kdestroy and clears out the TGT cache.
This is equivalent to kdestroy
*/
{
DWORD dwError = 0;
krb5_context context = NULL;
krb5_ccache ccache = NULL;
dwError = krb5_init_context(&context);
BAIL_ON_ERROR(dwError);
dwError = krb5_cc_default(
context,
&ccache);
BAIL_ON_ERROR(dwError);
krb5_cc_destroy(context, ccache);
error:
if(context != NULL){
krb5_free_context(context);
}
return dwError;
}
static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p,
krb5_context kcontext, krb5_ccache delegated_cred)
{
krb5_error_code problem;
krb5_principal princ = NULL;
krb5_ccache ccache = NULL;
problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ);
if (problem) {
mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem);
goto end;
}
if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) {
goto end;
}
problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache);
if (problem) {
mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem);
goto end;
}
krb5_free_principal(kcontext, princ);
krb5_cc_close(kcontext, ccache);
return 0;
end:
if (princ)
krb5_free_principal(kcontext, princ);
if (ccache)
krb5_cc_destroy(kcontext, ccache);
return -1;
}
static void
cockpit_creds_free (gpointer data)
{
CockpitCreds *creds = data;
cockpit_creds_poison (creds);
g_list_free_full (creds->bytes, (GDestroyNotify)g_bytes_unref);
g_free (creds->user);
g_free (creds->application);
g_free (creds->rhost);
g_free (creds->gssapi_creds);
g_free (creds->csrf_token);
if (creds->krb5_ctx)
{
if (creds->krb5_ccache)
krb5_cc_destroy (creds->krb5_ctx, creds->krb5_ccache);
if (creds->krb5_ccache_name)
krb5_free_string (creds->krb5_ctx, creds->krb5_ccache_name);
krb5_free_context (creds->krb5_ctx);
}
if (creds->login_data)
json_object_unref (creds->login_data);
g_free (creds);
}
OM_uint32 gss_release_cred
(OM_uint32 * minor_status,
gss_cred_id_t * cred_handle
)
{
*minor_status = 0;
if (*cred_handle == GSS_C_NO_CREDENTIAL) {
return GSS_S_COMPLETE;
}
GSSAPI_KRB5_INIT ();
HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex);
if ((*cred_handle)->principal != NULL)
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
if ((*cred_handle)->keytab != NULL)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
if ((*cred_handle)->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
if (ops == &krb5_mcc_ops)
krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
else
krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
}
gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex);
HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex);
memset(*cred_handle, 0, sizeof(**cred_handle));
free(*cred_handle);
*cred_handle = GSS_C_NO_CREDENTIAL;
return GSS_S_COMPLETE;
}
void krb5_cleanup() {
if (kparam.context) {
if (kparam.cc)
krb5_cc_destroy(kparam.context,kparam.cc);
krb5_free_context(kparam.context);
}
}
kadm5_ret_t
kadm5_destroy(void *server_handle)
{
krb5_ccache ccache = NULL;
int code = KADM5_OK;
kadm5_server_handle_t handle =
(kadm5_server_handle_t) server_handle;
CHECK_HANDLE(server_handle);
if (handle->destroy_cache && handle->cache_name) {
if ((code = krb5_cc_resolve(handle->context,
handle->cache_name, &ccache)) == 0)
code = krb5_cc_destroy (handle->context, ccache);
}
if (handle->cache_name)
free(handle->cache_name);
if (handle->clnt && handle->clnt->cl_auth)
AUTH_DESTROY(handle->clnt->cl_auth);
if (handle->clnt)
clnt_destroy(handle->clnt);
if (handle->client_socket != -1)
close(handle->client_socket);
if (handle->lhandle)
free (handle->lhandle);
kadm5_free_config_params(handle->context, &handle->params);
handle->magic_number = 0;
free(handle);
return code;
}
int destroy_credentials(const char * cache_name) {
krb5_error_code ret;
krb5_ccache ccache;
if (cache_name) {
ret = krb5_cc_resolve(this->ctx, cache_name, &ccache);
if (ret) {
LOG(LOG_ERR, "ERREUR Resolving Cache Name");
}
}
else {
ret = krb5_cc_default(this->ctx, &ccache);
if (ret) {
LOG(LOG_ERR, "ERREUR CC Default resolve ");
}
}
ret = krb5_cc_destroy(this->ctx, ccache);
if (ret) {
if (ret != KRB5_FCC_NOFILE) {
LOG(LOG_ERR, "ERREUR Destroying Cache");
} else {
LOG(LOG_INFO, "No Credential cache to destroy");
}
} else {
LOG(LOG_INFO, "Credentials Cache Succesfully destroyed");
}
return ret;
}
static void
test_move(krb5_context context, const char *type)
{
const krb5_cc_ops *ops;
krb5_ccache fromid, toid;
krb5_error_code ret;
krb5_principal p, p2;
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL)
return;
ret = krb5_cc_new_unique(context, type, NULL, &fromid);
if (ret == KRB5_CC_NOSUPP)
return;
else if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_initialize(context, fromid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_new_unique(context, type, NULL, &toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, toid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, toid, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
krb5_cc_destroy(context, toid);
krb5_cc_destroy(context, fromid);
}
/* Convert a JSON value to a ccache handle or to NULL. Set *new_out to true if
* the ccache handle is a newly created memory ccache, false otherwise. */
static int
json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
krb5_boolean *new_out)
{
krb5_error_code ret;
krb5_ccache ccache = NULL;
krb5_principal princ;
krb5_creds creds;
k5_json_array array;
size_t i, len;
*ccache_out = NULL;
*new_out = FALSE;
if (k5_json_get_tid(v) == K5_JSON_TID_NULL)
return 0;
if (k5_json_get_tid(v) == K5_JSON_TID_STRING) {
/* We got a reference to an external ccache; just resolve it. */
return krb5_cc_resolve(context, k5_json_string_utf8(v), ccache_out) ?
-1 : 0;
}
/* We got the contents of a memory ccache. */
if (k5_json_get_tid(v) != K5_JSON_TID_ARRAY)
return -1;
array = v;
len = k5_json_array_length(array);
if (len < 1)
return -1;
/* Initialize a new memory ccache using the principal in the first array
* entry.*/
if (krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))
return -1;
if (json_to_principal(context, k5_json_array_get(array, 0), &princ))
goto invalid;
ret = krb5_cc_initialize(context, ccache, princ);
krb5_free_principal(context, princ);
if (ret)
goto invalid;
/* Add remaining array entries to the ccache as credentials. */
for (i = 1; i < len; i++) {
if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
goto invalid;
ret = krb5_cc_store_cred(context, ccache, &creds);
krb5_free_cred_contents(context, &creds);
if (ret)
goto invalid;
}
*ccache_out = ccache;
*new_out = TRUE;
return 0;
invalid:
(void)krb5_cc_destroy(context, ccache);
return -1;
}
/*
* The default unset code path depends on the underlying ccache implementation
* knowing how to remove a credential, which most types don't actually support,
* so we have to jump through some hoops to ensure that when we set a value for
* a key, it'll be the only value for that key that'll be found later. The
* ccache portions of libkrb5 will currently duplicate some of the actual
* tickets.
*/
static void
unset_config(krb5_context context, krb5_ccache ccache,
krb5_principal server, const char *key)
{
krb5_ccache tmp1, tmp2;
krb5_cc_cursor cursor;
krb5_creds mcreds, creds;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
bail_on_err(context, "Error while deriving configuration principal names",
k5_build_conf_principals(context, ccache, server, key,
&mcreds));
bail_on_err(context, "Error resolving first in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
bail_on_err(context, "Error initializing first in-memory ccache",
krb5_cc_initialize(context, tmp1, mcreds.client));
bail_on_err(context, "Error resolving second in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2));
bail_on_err(context, "Error initializing second in-memory ccache",
krb5_cc_initialize(context, tmp2, mcreds.client));
bail_on_err(context, "Error copying credentials to first in-memory ccache",
krb5_cc_copy_creds(context, ccache, tmp1));
bail_on_err(context, "Error starting traversal of first in-memory ccache",
krb5_cc_start_seq_get(context, tmp1, &cursor));
while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) {
if (!krb5_is_config_principal(context, creds.server) ||
!krb5_principal_compare(context, mcreds.server, creds.server) ||
!krb5_principal_compare(context, mcreds.client, creds.client)) {
bail_on_err(context,
"Error storing non-config item to in-memory ccache",
krb5_cc_store_cred(context, tmp2, &creds));
}
}
bail_on_err(context, "Error ending traversal of first in-memory ccache",
krb5_cc_end_seq_get(context, tmp1, &cursor));
bail_on_err(context, "Error clearing ccache",
krb5_cc_initialize(context, ccache, mcreds.client));
bail_on_err(context, "Error storing creds to the ccache",
krb5_cc_copy_creds(context, tmp2, ccache));
bail_on_err(context, "Error cleaning up first in-memory ccache",
krb5_cc_destroy(context, tmp1));
bail_on_err(context, "Error cleaning up second in-memory ccache",
krb5_cc_destroy(context, tmp2));
}
Krb5CCache::~Krb5CCache() {
if (ccache_) {
if (destroy_) {
krb5_cc_destroy(context_.get(), ccache_);
} else {
krb5_cc_close(context_.get(), ccache_);
}
}
}
/*
* Push a password change to Active Directory. Takes the module
* configuration, a Kerberos context, the principal whose password is being
* changed (we will have to change the realm), and the new password and its
* length. Returns a Kerberos error code.
*/
krb5_error_code
sync_ad_chpass(kadm5_hook_modinfo *config, krb5_context ctx,
krb5_principal principal, const char *password)
{
krb5_error_code code;
char *target = NULL;
krb5_ccache ccache;
krb5_principal ad_principal = NULL;
int result_code;
krb5_data result_code_string, result_string;
/* Ensure the configuration is sane. */
CHECK_CONFIG(ad_realm);
/* Get the credentials we'll use to make the change in AD. */
code = get_creds(config, ctx, &ccache);
if (code != 0)
return code;
/* Get the corresponding AD principal. */
code = get_ad_principal(config, ctx, principal, &ad_principal);
if (code != 0)
goto done;
/* This is just for logging purposes. */
code = krb5_unparse_name(ctx, ad_principal, &target);
if (code != 0)
goto done;
/* Do the actual password change and record any error. */
code = krb5_set_password_using_ccache(ctx, ccache, (char *) password,
ad_principal, &result_code,
&result_code_string, &result_string);
if (code != 0)
goto done;
if (result_code != 0) {
code = sync_error_generic(ctx, "password change failed for %s: (%d)"
" %.*s%s%.*s", target, result_code,
(int) result_code_string.length,
(char *) result_code_string.data,
result_string.length ? ": " : "",
(int) result_string.length,
(char *) result_string.data);
goto done;
}
free(result_string.data);
free(result_code_string.data);
sync_syslog_info(config, "krb5-sync: %s password changed", target);
done:
krb5_cc_destroy(ctx, ccache);
if (target != NULL)
krb5_free_unparsed_name(ctx, target);
if (ad_principal != NULL)
krb5_free_principal(ctx, ad_principal);
return code;
}
KLStatus
KLAcquireNewInitialTicketsWithPassword(KLPrincipal inPrincipal,
KLLoginOptions inLoginOptions,
const char *inPassword,
char **outCredCacheName)
{
krb5_context context = mshim_ctx();
krb5_error_code ret;
krb5_ccache cache;
krb5_creds creds;
char *service = NULL;
krb5_get_init_creds_opt *opt = NULL;
LOG_ENTRY();
if (inLoginOptions) {
service = inLoginOptions->service;
opt = inLoginOptions->opt;
}
ret = heim_krb5_get_init_creds_password(context, &creds,
inPrincipal, inPassword,
NULL, NULL, 0,
service,
opt);
if (ret)
return ret;
ret = heim_krb5_cc_cache_match(context, inPrincipal, &cache);
if (ret)
ret = heim_krb5_cc_new_unique(context, NULL, NULL, &cache);
if (ret)
goto out;
ret = heim_krb5_cc_initialize(context, cache, creds.client);
if(ret)
goto out;
ret = heim_krb5_cc_store_cred(context, cache, &creds);
if (ret)
goto out;
if (outCredCacheName)
*outCredCacheName = strdup(heim_krb5_cc_get_name(context, cache));
out:
if (cache) {
if (ret)
krb5_cc_destroy((mit_krb5_context)context, (mit_krb5_ccache)cache);
else
heim_krb5_cc_close(context, cache);
}
heim_krb5_free_cred_contents(context, &creds);
return ret;
}
/*
* Serialize krb5_ccache
*/
static krb5_error_code
ser_ccache_test(krb5_context kcontext, int verbose)
{
krb5_error_code kret;
char ccname[128];
char princname[256];
krb5_ccache ccache;
krb5_principal principal;
snprintf(ccname, sizeof(ccname), "temp_cc_%d", (int) getpid());
snprintf(princname, sizeof(princname),
"zowie%d/instance%[email protected]",
(int) getpid(), (int) getpid());
if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
!(kret = ser_data(verbose, "> Resolved default ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_parse_name(kcontext, princname, &principal)) &&
!(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
!(kret = ser_data(verbose, "> Initialized default ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_cc_destroy(kcontext, ccache))) {
krb5_free_principal(kcontext, principal);
snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid());
snprintf(princname, sizeof(princname), "xxx%d/i%[email protected]",
(int) getpid(), (int) getpid());
if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
!(kret = ser_data(verbose, "> Resolved FILE ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_parse_name(kcontext, princname, &principal)) &&
!(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
!(kret = ser_data(verbose, "> Initialized FILE ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_cc_destroy(kcontext, ccache))) {
krb5_free_principal(kcontext, principal);
if (verbose)
printf("* ccache test succeeded\n");
}
}
if (kret)
printf("* krb5_ccache test failed\n");
return(kret);
}
/** Frees libkrb5 resources associated with the handle
*
* Must not be called directly.
*
* @param conn to free.
* @return 0 (always indicates success).
*/
static int _mod_conn_free(rlm_krb5_handle_t *conn) {
krb5_free_context(conn->context);
if (conn->keytab) krb5_kt_close(conn->context, conn->keytab);
#ifdef HEIMDAL_KRB5
if (conn->ccache) krb5_cc_destroy(conn->context, conn->ccache);
#endif
return 0;
}
static void
test_init_vs_destroy(krb5_context context, const char *type)
{
krb5_error_code ret;
krb5_ccache id, id2;
krb5_principal p, p2;
char *n = NULL;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, type, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
if (asprintf(&n, "%s:%s",
krb5_cc_get_type(context, id),
krb5_cc_get_name(context, id)) < 0 || n == NULL)
errx(1, "malloc");
ret = krb5_cc_resolve(context, n, &id2);
free(n);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
krb5_cc_destroy(context, id);
ret = krb5_cc_initialize(context, id2, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
void ceo_krb5_deauth() {
krb5_error_code retval;
krb5_ccache cache;
debug("krb5: destroying credentials");
if ((retval = krb5_cc_default(context, &cache)))
com_err(prog, retval, "while resolving credentials cache");
if ((retval = krb5_cc_destroy(context, cache)))
com_err(prog, retval, "while destroying credentials cache");
}
static int
krb5_start_session (const struct passwd *pwd)
{
krb5_error_code ret;
char residual[64];
/* copy credentials to file cache */
snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u",
(unsigned)pwd->pw_uid);
krb5_cc_resolve(context, residual, &id2);
ret = krb5_cc_copy_cache(context, id, id2);
if (ret == 0)
add_env("KRB5CCNAME", residual);
else {
krb5_cc_destroy (context, id2);
return ret;
}
krb5_cc_close(context, id2);
krb5_cc_destroy(context, id);
return 0;
}
void
SessionExit (struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
pam_handle_t *pamh = thepamh();
#endif
#ifdef USE_PAM
if (pamh) {
/* shutdown PAM session */
pam_close_session(pamh, 0);
pam_end(pamh, PAM_SUCCESS);
pamh = NULL;
}
#endif
/* make sure the server gets reset after the session is over */
if (d->serverPid >= 2 && d->resetSignal)
kill (d->serverPid, d->resetSignal);
else
ResetServer (d);
if (removeAuth)
{
setgid (verify.gid);
setuid (verify.uid);
RemoveUserAuthorization (d, &verify);
#ifdef K5AUTH
/* do like "kdestroy" program */
{
krb5_error_code code;
krb5_ccache ccache;
code = Krb5DisplayCCache(d->name, &ccache);
if (code)
LogError("%s while getting Krb5 ccache to destroy\n",
error_message(code));
else {
code = krb5_cc_destroy(ccache);
if (code) {
if (code == KRB5_FCC_NOFILE) {
Debug ("No Kerberos ccache file found to destroy\n");
} else
LogError("%s while destroying Krb5 credentials cache\n",
error_message(code));
} else
Debug ("Kerberos ccache destroyed\n");
krb5_cc_close(ccache);
}
}
#endif /* K5AUTH */
}
Debug ("Display %s exiting with status %d\n", d->name, status);
exit (status);
}
static void
test_copy(krb5_context context, const char *from, const char *to)
{
krb5_ccache fromid, toid;
krb5_error_code ret;
krb5_principal p, p2;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, from, NULL, &fromid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, fromid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_new_unique(context, to, NULL, &toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new");
ret = krb5_cc_copy_cache(context, fromid, toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_copy_cache");
ret = krb5_cc_get_principal(context, toid, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
krb5_cc_destroy(context, fromid);
krb5_cc_destroy(context, toid);
}
static gss_client_response *create_krb5_ccache(gss_server_state *state, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
{
char *ccname = NULL;
int fd;
krb5_error_code problem;
krb5_ccache tmp_ccache = NULL;
gss_client_response *error = NULL;
// TODO: mod_auth_kerb used a temp file under /run/httpd/krbcache. what can we do?
ccname = strdup("FILE:/tmp/krb5cc_nodekerberos_XXXXXX");
if (!ccname) die1("Memory allocation failed");
fd = mkstemp(ccname + strlen("FILE:"));
if (fd < 0) {
error = other_error("mkstemp() failed: %s", strerror(errno));
goto end;
}
close(fd);
problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache);
if (problem) {
error = krb5_ctx_error(kcontext, problem);
goto end;
}
problem = krb5_cc_initialize(kcontext, tmp_ccache, princ);
if (problem) {
error = krb5_ctx_error(kcontext, problem);
goto end;
}
state->delegated_credentials_cache = strdup(ccname);
// TODO: how/when to cleanup the creds cache file?
// TODO: how to expose the credentials expiration time?
*ccache = tmp_ccache;
tmp_ccache = NULL;
end:
if (tmp_ccache)
krb5_cc_destroy(kcontext, tmp_ccache);
if (ccname && error)
unlink(ccname);
if (ccname)
free(ccname);
return error;
}
KLStatus
KLDestroyTickets(KLPrincipal inPrincipal)
{
krb5_context context = mshim_ctx();
krb5_error_code ret;
krb5_ccache id;
ret = heim_krb5_cc_cache_match(context, inPrincipal, &id);
if (ret)
return ret;
return krb5_cc_destroy((mit_krb5_context)context, (mit_krb5_ccache)id);
}
static void
test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops)
{
krb5_error_code ret;
krb5_ccache id, id2;
krb5_principal p, p2;
char *n;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_gen_new(context, ops, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new");
asprintf(&n, "%s:%s",
krb5_cc_get_type(context, id),
krb5_cc_get_name(context, id));
ret = krb5_cc_resolve(context, n, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
krb5_cc_destroy(context, id);
ret = krb5_cc_initialize(context, id2, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
int authenticate_store_clear(gss_store_state* state)
{
if (state->client)
krb5_free_principal(state->context, state->client);
if (state->ccache)
krb5_cc_destroy(state->context, state->ccache);
krb5_free_context(state->context);
if (state->ccache_name != NULL)
{
free(state->ccache_name);
state->ccache_name = NULL;
}
return 1;
}
static void
put_creds_in_ccache(char *name, gss_cred_id_t creds)
{
OM_uint32 maj_stat, min_stat;
krb5_context context;
krb5_principal me;
krb5_ccache ccache;
krb5_error_code retval;
char buf[1024];
maj_stat = krb5_init_context(&context);
if (maj_stat != GSS_S_COMPLETE) {
gsslib_display_status(MSG_GSS_PRINTERROR_GETTINGKRB5CONTEXT, maj_stat,
GSS_S_COMPLETE);
return;
}
/* Set up ccache */
if ((retval = krb5_parse_name(context, name, &me))) {
snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5PARSENAMERETURNEDX_I, retval);
gsslib_print_error(buf);
return;
}
/* Use default ccache */
if ((retval = krb5_cc_default(context, &ccache))) {
snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5CCDEFAULTRETURNEDX_I, retval);
gsslib_print_error(buf);
return;
}
if ((retval = krb5_cc_initialize(context, ccache, me))) {
snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5CCINITIALIZERETURNEDX_I, retval);
gsslib_print_error(buf);
return;
}
/* Copy GSS creds into ccache */
maj_stat = gss_krb5_copy_ccache(&min_stat, creds, ccache);
if (maj_stat != GSS_S_COMPLETE) {
gsslib_display_status(MSG_GSS_PRINTERROR_COPYINGDELEGATEDCREDSTOCC,
maj_stat, min_stat);
goto cleanup;
}
return;
cleanup:
krb5_cc_destroy(context, ccache);
}
