static krb5_boolean
match_local_principals(krb5_context context,
krb5_principal principal,
const char *luser)
{
krb5_error_code ret;
krb5_realm *realms, *r;
krb5_boolean result = FALSE;
/* multi-component principals can never match */
if(krb5_principal_get_comp_string(context, principal, 1) != NULL)
return FALSE;
ret = krb5_get_default_realms (context, &realms);
if (ret)
return FALSE;
for (r = realms; *r != NULL; ++r) {
if(strcmp(krb5_principal_get_realm(context, principal),
*r) != 0)
continue;
if(strcmp(krb5_principal_get_comp_string(context, principal, 0),
luser) == 0) {
result = TRUE;
break;
}
}
krb5_free_host_realm (context, realms);
return result;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_user_opt(krb5_context context,
krb5_principal principal,
const char *password,
krb5_verify_opt *opt)
{
krb5_error_code ret;
if(opt && (opt->flags & KRB5_VERIFY_LREALMS)) {
krb5_realm *realms, *r;
ret = krb5_get_default_realms (context, &realms);
if (ret)
return ret;
ret = KRB5_CONFIG_NODEFREALM;
for (r = realms; *r != NULL && ret != 0; ++r) {
ret = krb5_principal_set_realm(context, principal, *r);
if (ret) {
krb5_free_host_realm (context, realms);
return ret;
}
ret = verify_user_opt_int(context, principal, password, opt);
}
krb5_free_host_realm (context, realms);
if(ret)
return ret;
} else
ret = verify_user_opt_int(context, principal, password, opt);
return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_aname_to_localname (krb5_context context,
krb5_const_principal aname,
size_t lnsize,
char *lname)
{
krb5_error_code ret;
krb5_realm *lrealms, *r;
int valid;
size_t len;
const char *res;
ret = krb5_get_default_realms (context, &lrealms);
if (ret)
return ret;
valid = 0;
for (r = lrealms; *r != NULL; ++r) {
if (strcmp (*r, aname->realm) == 0) {
valid = 1;
break;
}
}
krb5_free_host_realm (context, lrealms);
if (valid == 0)
return KRB5_NO_LOCALNAME;
if (aname->name.name_string.len == 1)
res = aname->name.name_string.val[0];
else if (aname->name.name_string.len == 2
&& strcmp (aname->name.name_string.val[1], "root") == 0) {
krb5_principal rootprinc;
krb5_boolean userok;
res = "root";
ret = krb5_copy_principal(context, aname, &rootprinc);
if (ret)
return ret;
userok = krb5_kuserok(context, rootprinc, res);
krb5_free_principal(context, rootprinc);
if (!userok)
return KRB5_NO_LOCALNAME;
} else
return KRB5_NO_LOCALNAME;
len = strlen (res);
if (len >= lnsize)
return ERANGE;
strlcpy (lname, res, lnsize);
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_host_realm(krb5_context context,
const char *targethost,
krb5_realm **realms)
{
const char *host = targethost;
char hostname[MAXHOSTNAMELEN];
krb5_error_code ret;
int use_dns;
if (host == NULL) {
if (gethostname (hostname, sizeof(hostname))) {
*realms = NULL;
return errno;
}
host = hostname;
}
/*
* If our local hostname is without components, don't even try to dns.
*/
use_dns = (strchr(host, '.') != NULL);
ret = _krb5_get_host_realm_int (context, host, use_dns, realms);
if (ret && targethost != NULL) {
/*
* If there was no realm mapping for the host (and we wasn't
* looking for ourself), guess at the local realm, maybe our
* KDC knows better then we do and we get a referral back.
*/
ret = krb5_get_default_realms(context, realms);
if (ret) {
krb5_set_error_message(context, KRB5_ERR_HOST_REALM_UNKNOWN,
N_("Unable to find realm of host %s", ""),
host);
return KRB5_ERR_HOST_REALM_UNKNOWN;
}
}
return ret;
}
static krb5_error_code
LDAP_principal2message(krb5_context context, HDB * db,
krb5_principal princ, LDAPMessage ** msg)
{
char *name, *name_short = NULL;
krb5_error_code ret;
krb5_realm *r, *r0;
*msg = NULL;
ret = krb5_unparse_name(context, princ, &name);
if (ret)
return ret;
ret = krb5_get_default_realms(context, &r0);
if(ret) {
free(name);
return ret;
}
for (r = r0; *r != NULL; r++) {
if(strcmp(krb5_principal_get_realm(context, princ), *r) == 0) {
ret = krb5_unparse_name_short(context, princ, &name_short);
if (ret) {
krb5_free_host_realm(context, r0);
free(name);
return ret;
}
break;
}
}
krb5_free_host_realm(context, r0);
ret = LDAP__lookup_princ(context, db, name, name_short, msg);
free(name);
free(name_short);
return ret;
}
static int
princ_realm_is_default(krb5_context context,
krb5_const_principal aname)
{
krb5_error_code ret;
krb5_realm *lrealms = NULL;
krb5_realm *r;
int valid;
ret = krb5_get_default_realms(context, &lrealms);
if (ret)
return 0;
valid = 0;
for (r = lrealms; *r != NULL; ++r) {
if (strcmp (*r, aname->realm) == 0) {
valid = 1;
break;
}
}
krb5_free_host_realm (context, lrealms);
return valid;
}
static int
krb5_verify(const struct passwd *login_info,
const struct passwd *su_info,
const char *instance)
{
krb5_error_code ret;
krb5_principal p;
krb5_realm *realms, *r;
char *login_name = NULL;
int user_ok = 0;
#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
login_name = getlogin();
#endif
ret = krb5_init_context (&context);
if (ret) {
#if 0
warnx("krb5_init_context failed: %d", ret);
#endif
return 1;
}
ret = krb5_get_default_realms(context, &realms);
if (ret)
return 1;
/* Check all local realms */
for (r = realms; *r != NULL && !user_ok; r++) {
if (login_name == NULL || strcmp (login_name, "root") == 0)
login_name = login_info->pw_name;
if (strcmp (su_info->pw_name, "root") == 0)
ret = krb5_make_principal(context, &p, *r,
login_name,
instance,
NULL);
else
ret = krb5_make_principal(context, &p, *r,
su_info->pw_name,
NULL);
if (ret) {
krb5_free_host_realm(context, realms);
return 1;
}
/* if we are su-ing too root, check with krb5_kuserok */
if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name))
continue;
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
if(ret) {
krb5_free_host_realm(context, realms);
krb5_free_principal (context, p);
return 1;
}
ret = krb5_verify_user(context, p, ccache, NULL, TRUE, NULL);
krb5_free_principal (context, p);
switch (ret) {
case 0:
user_ok = 1;
break;
case KRB5_LIBOS_PWDINTR :
krb5_cc_destroy(context, ccache);
break;
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
krb5_cc_destroy(context, ccache);
krb5_warnx(context, "Password incorrect");
break;
default :
krb5_cc_destroy(context, ccache);
krb5_warn(context, ret, "krb5_verify_user");
break;
}
}
krb5_free_host_realm(context, realms);
if (!user_ok)
return 1;
return 0;
}
static int
doit (krb5_keytab keytab, int port)
{
krb5_error_code ret;
int *sockets;
int maxfd;
krb5_realm *realms;
krb5_addresses addrs;
krb5_address *my_addrp;
unsigned n, i;
fd_set real_fdset;
struct sockaddr_storage __ss;
struct sockaddr *sa = (struct sockaddr *)&__ss;
#ifdef INETD_SUPPORT
int fdz;
int from_inetd;
socklen_t fromlen;
krb5_address my_addr;
struct sockaddr_storage __local;
struct sockaddr *localsa = (struct sockaddr *)&__local;
#endif
ret = krb5_get_default_realms(context, &realms);
if (ret)
krb5_err (context, 1, ret, "krb5_get_default_realms");
#ifdef INETD_SUPPORT
fromlen = sizeof __ss;
from_inetd = (getsockname(0, sa, &fromlen) == 0);
if (!from_inetd) {
#endif
if (explicit_addresses.len) {
addrs = explicit_addresses;
} else {
ret = krb5_get_all_server_addrs (context, &addrs);
if (ret)
krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
}
n = addrs.len;
sockets = malloc (n * sizeof(*sockets));
if (sockets == NULL)
krb5_errx (context, 1, "out of memory");
maxfd = -1;
FD_ZERO(&real_fdset);
for (i = 0; i < n; ++i) {
krb5_socklen_t sa_size = sizeof(__ss);
krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
if (sockets[i] < 0)
krb5_err (context, 1, errno, "socket");
if (bind (sockets[i], sa, sa_size) < 0) {
char str[128];
size_t len;
int save_errno = errno;
ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
if (ret)
strlcpy(str, "unknown address", sizeof(str));
krb5_warn (context, save_errno, "bind(%s)", str);
continue;
}
maxfd = max (maxfd, sockets[i]);
if (maxfd >= FD_SETSIZE)
krb5_errx (context, 1, "fd too large");
FD_SET(sockets[i], &real_fdset);
}
#ifdef INETD_SUPPORT
} else {
n = 1;
maxfd = 0;
fdz = 0;
sockets = &fdz;
FD_ZERO(&real_fdset);
FD_SET(0, &real_fdset);
}
#endif
if (maxfd == -1)
krb5_errx (context, 1, "No sockets!");
while(exit_flag == 0) {
krb5_ssize_t retx;
fd_set fdset = real_fdset;
retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
if (retx < 0) {
if (errno == EINTR)
continue;
else
krb5_err (context, 1, errno, "select");
}
for (i = 0; i < n; ++i)
if (FD_ISSET(sockets[i], &fdset)) {
u_char buf[BUFSIZ];
socklen_t addrlen = sizeof(__ss);
retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
sa, &addrlen);
if (retx < 0) {
if(errno == EINTR)
break;
else
krb5_err (context, 1, errno, "recvfrom");
}
#ifdef INETD_SUPPORT
if (from_inetd) {
socklen_t loclen = sizeof(__local);
int ret2;
ret2 = get_local_addr(sa, addrlen, localsa, &loclen);
if (ret2 < 0)
krb5_errx (context, errno, "get_local_addr");
ret2 = krb5_sockaddr2address(context, localsa,
&my_addr);
if (ret2)
krb5_errx (context, ret2,
"krb5_sockaddr2address");
my_addrp = &my_addr;
} else
#endif
my_addrp = &addrs.val[i];
process (realms, keytab, sockets[i],
my_addrp,
sa, addrlen,
buf, retx);
#ifdef INETD_SUPPORT
if (from_inetd) {
krb5_free_address(context, &my_addr);
}
#endif
}
#ifdef INETD_SUPPORT
if (from_inetd)
break;
#endif
}
for (i = 0; i < n; ++i)
close(sockets[i]);
free(sockets);
#ifdef INETD_SUPPORT
if (!from_inetd)
#endif
krb5_free_addresses (context, &addrs);
krb5_free_host_realm (context, realms);
krb5_free_context (context);
return 0;
}