int
krb_get_pw_in_tkt(
LPSTR user,
LPSTR instance,
LPSTR realm,
LPSTR service,
LPSTR sinstance,
int life,
LPSTR password
)
{
/* In spite of the comments above, we don't allow that path here,
to simplify coding the non-UNIX clients. The only code that now
depends on this behavior is the preauth support, which has a
seperate function without this trap. Strictly speaking, this
is an API change.
Imported from krb5 tree for kfw 2.6.
*/
if (password == 0)
return INTK_PW_NULL;
return(krb_get_in_tkt(user,instance,realm,service,sinstance,life,
passwd_to_key, (int(*))NULL, password));
}
int get_tickets(int version)
{
rkinit_info info;
AUTH_DAT auth_dat;
int status;
char errmsg[BUFSIZ]; /* error message for client */
rkinitd_intkt_info rii;
SBCLEAR(info);
SBCLEAR(auth_dat);
BCLEAR(errmsg);
SBCLEAR(rii);
rpc_get_rkinit_info(&info);
/*
* The validate_user routine makes sure that the principal in question
* is allowed to log in as username, and if so, does a setuid(localuid).
* If there is an access violation or an error in setting the uid,
* an error is returned and the string errmsg is initialized with
* an error message that will be sent back to the client.
*/
status = validate_user(info.aname, info.inst, info.realm,
info.username, errmsg);
if (status != RKINIT_SUCCESS) {
rpc_send_error(errmsg);
exit(0);
}
else
rpc_send_success();
/*
* If the name of a ticket file was specified, set it; otherwise,
* just use the default.
*/
if (strlen(info.tktfilename))
krb_set_tkt_string(info.tktfilename);
/*
* Call internal kerberos library routine so that we can supply
* our own ticket decryption routine.
*/
/*
* We need a setjmp here because krb_get_in_tkt ignores the
* return value of decrypt_tkt. Thus if we want any of its
* return values to reach the client, we have to jump out of
* the routine.
*/
if (setjmp(rii.env) == 0) {
status = krb_get_in_tkt(info.aname, info.inst, info.realm,
info.sname, info.sinst, info.lifetime,
NULL, decrypt_tkt, (char *)&rii);
if (status) {
strcpy(errmsg, krb_err_txt[status]);
rpc_send_error(errmsg);
}
else
rpc_send_success();
}
else
rpc_send_error(errbuf);
return(RKINIT_SUCCESS);
}
/* Called to see if the user's typed password is valid. We do this by asking
the kerberos server for a ticket and checking to see if it gave us one.
We need to move the ticketfile first, or otherwise we end up updating the
user's tkfile with new tickets. This would break services like zephyr that
like to stay authenticated, and it would screw with AFS authentication at
some sites. So, we do a quick, painful hack with a tmpfile.
*/
Bool
kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p)
{
# ifdef HAVE_DARWIN
return (klNoErr ==
KLAcquireNewInitialTicketsWithPassword (princ, NULL,
typed_passwd, NULL));
# else /* !HAVE_DARWIN */
/* See comments in kerberos_lock_init -- should we do it the Mac Way
on all systems?
*/
C_Block mitkey;
Bool success;
char *newtkfile;
int fh = -1;
/* temporarily switch to a new ticketfile.
I'm not using tmpnam() because it isn't entirely portable.
this could probably be fixed with autoconf. */
newtkfile = malloc(80 * sizeof(char));
memset(newtkfile, 0, sizeof(newtkfile));
sprintf(newtkfile, "/tmp/xscrn-%i.XXXXXX", getpid());
if( (fh = mkstemp(newtkfile)) < 0)
{
free(newtkfile);
return(False);
}
if( fchmod(fh, 0600) < 0)
{
free(newtkfile);
return(False);
}
krb_set_tkt_string(newtkfile);
/* encrypt the typed password. if you have an AFS password instead
of a kerberos one, you lose *right here*. If you want to use AFS
passwords, you can use ka_StringToKey() instead. As always, ymmv. */
des_string_to_key(typed_passwd, mitkey);
if (krb_get_in_tkt(name, inst, realm, "krbtgt", realm, DEFAULT_TKT_LIFE,
key_to_key, NULL, (char *) mitkey) != 0) {
success = False;
} else {
success = True;
}
/* quickly block out the tempfile and password to prevent snooping,
then restore the old ticketfile and cleean up a bit. */
dest_tkt();
krb_set_tkt_string(tk_file);
free(newtkfile);
memset(mitkey, 0, sizeof(mitkey));
close(fh); /* #### tom: should the file be removed? */
/* Did we verify successfully? */
return success;
# endif /* !HAVE_DARWIN */
}
