/* * Determine if the user is a member of 'identifier' * Returns one of: * 0 User does not match identifier * 1 identifier matches everybody * 2 User is in the group that is identifier * 3 User is identifer */ static int mymemberof(const struct auth_state *auth_state, const char *identifier) { char aname[ANAME_SZ]; char inst[INST_SZ]; char realm[REALM_SZ]; if (!auth_state) auth_state = &auth_anonymous; if (strcmp(identifier, "anyone") == 0) return 1; if (strcmp(identifier, auth_state->userid) == 0) return 3; /* "anonymous" is not a member of any group */ if (strcmp(auth_state->userid, "anonymous") == 0) return 0; aname[0] = inst[0] = realm[0] = '\0'; if (kname_parse(aname, inst, realm, (char *) identifier) != 0) { return 0; } if (strcmp(aname, auth_state->aname) != 0 && strcmp(aname, "*") != 0) { return 0; } if (strcmp(inst, auth_state->inst) != 0 && strcmp(inst, "*") != 0) { return 0; } if (strcmp(realm, auth_state->realm) != 0 && strcmp(realm, "*") != 0) { return 0; } return 2; }
/* * Convert 'identifier' into canonical form. * Returns a pointer to a static buffer containing the canonical form * or NULL if 'identifier' is invalid. */ static char *afspts_canonifyid(const char *identifier, size_t len) { static char retbuf[MAX_K_NAME_SZ+1]; char aname[ANAME_SZ]; char inst[INST_SZ]; char realm[REALM_SZ]; char lrealm[REALM_SZ]; char krbhst[MAX_HSTNM]; char *canon_buf; char *p; if(!len) len = strlen(identifier); canon_buf = xmalloc(len + 1); memcpy(canon_buf, identifier, len); canon_buf[len] = '\0'; aname[0] = inst[0] = realm[0] = '\0'; if (kname_parse(aname, inst, realm, canon_buf) != 0) { free(canon_buf); return 0; } free(canon_buf); /* Upcase realm name */ for (p = realm; *p; p++) { if (Uislower(*p)) *p = toupper(*p); } if (*realm) { if (krb_get_lrealm(lrealm,1) == 0 && strcmp(lrealm, realm) == 0) { *realm = 0; } else if (krb_get_krbhst(krbhst, realm, 1)) { return 0; /* Unknown realm */ } } /* Check for krb.equiv remappings. */ p = auth_map_krbid(aname, inst, realm); if (p) { strcpy(retbuf, p); return retbuf; } strcpy(retbuf, aname); if (*inst) { strcat(retbuf, "."); strcat(retbuf, inst); } if (*realm && !is_local_realm(realm)) { strcat(retbuf, "@"); strcat(retbuf, realm); } return retbuf; }
/* * Function: Intialize name fields in the Kerberos dialog. * * Parameters: * hwnd - the window recieving the message. * * fullname - the full kerberos name to initialize with */ void kwin_init_name(HWND hwnd, char *fullname) { char name[ANAME_SZ]; char instance[INST_SZ]; char realm[REALM_SZ]; int krc; #ifdef KRB5 krb5_error_code code; char *ptr; #endif if (fullname == NULL || fullname[0] == 0) { #ifdef KRB4 strcpy(name, krb_get_default_user()); strcpy(instance, cns_res.instance); krc = krb_get_lrealm(realm, 1); if (krc != KSUCCESS) realm[0] = 0; strcpy(realm, cns_res.realm); #endif /* KRB4 */ #ifdef KRB5 strcpy(name, cns_res.name); *realm = '\0'; code = krb5_get_default_realm(k5_context, &ptr); if (!code) { strcpy(realm, ptr); /* free(ptr); XXX */ } strcpy(realm, cns_res.realm); #endif /* KRB5 */ } else { #ifdef KRB4 kname_parse(name, instance, realm, fullname); SetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance); #endif #ifdef KRB5 krc = k5_kname_parse(name, realm, fullname); *instance = '\0'; #endif } SetDlgItemText(hwnd, IDD_LOGIN_NAME, name); SetDlgItemText(hwnd, IDD_LOGIN_REALM, realm); }
/* * Credentials file -> realm mapping * * Determine the realm by opening the named cache and parsing realm from the principal */ int KRB5_CALLCONV krb_get_tf_realm ( const char* ticket_file, char* realm) { cc_string_t principal; char pname [ANAME_SZ]; char pinst [INST_SZ]; char prealm [REALM_SZ]; int kerr = KSUCCESS; cc_int32 cc_err = ccNoError; cc_context_t cc_context = NULL; cc_int32 cc_version = 0; cc_ccache_t ccache = NULL; cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); if (cc_err == ccNoError) { cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache); } if (cc_err == ccNoError) { cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal); } if (cc_err == ccNoError) { /* found cache. get princiapl and parse it */ kerr = kname_parse (pname, pinst, prealm, (char*) principal -> data); cc_string_release (principal); } if ((cc_err == ccNoError) && (kerr == KSUCCESS)) { strcpy (realm, prealm); } if (ccache != NULL) cc_ccache_release (ccache); if (cc_context != NULL) cc_context_release (cc_context); if (kerr != KSUCCESS) return kerr; if (cc_err != ccNoError) return GC_NOTKT; else return KSUCCESS; }
/* * Credentials file -> name, instance, realm mapping */ int KRB5_CALLCONV krb_get_tf_fullname ( const char* ticket_file, char* name, char* instance, char* realm) { cc_string_t principal; int kerr = KSUCCESS; cc_int32 cc_err = ccNoError; cc_context_t cc_context = NULL; cc_int32 cc_version; cc_ccache_t ccache = NULL; cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); if (cc_err == ccNoError) { cc_err = cc_context_open_ccache (cc_context, ticket_file, &ccache); } if (cc_err == ccNoError) { /* found cache. get principal and parse it */ cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal); } if (cc_err == ccNoError) { kerr = kname_parse (name, instance, realm, (char*) principal -> data); cc_string_release (principal); } if (ccache != NULL) cc_ccache_release (ccache); if (cc_context != NULL) cc_context_release (cc_context); if (kerr != KSUCCESS) return kerr; if (cc_err != ccNoError) return GC_NOTKT; else return KSUCCESS; }
int main(int argc, char **argv) { struct afsconf_dir *tdir; afs_int32 code; if (argc == 1) { printf("bos_util: usage is 'bos_util <opcode> options, e.g.\n"); printf(" bos_util add <kvno>\n"); printf(" bos_util adddes <kvno>\n"); #ifdef KERBEROS printf(" bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n"); #endif printf(" bos_util delete <kvno>\n"); printf(" bos_util list\n"); exit(1); } tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIR); if (!tdir) { printf("bos_util: can't initialize conf dir '%s'\n", AFSDIR_SERVER_ETC_DIR); exit(1); } if (strcmp(argv[1], "add") == 0) { struct ktc_encryptionKey tkey; int kvno; char buf[BUFSIZ], ver[BUFSIZ]; char *tcell = NULL; if (argc != 3) { printf("bos_util add: usage is 'bos_util add <kvno>\n"); exit(1); } kvno = atoi(argv[2]); memset(&tkey, 0, sizeof(struct ktc_encryptionKey)); /* prompt for key */ code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0); if (code || strlen(buf) == 0) { printf("Bad key: \n"); exit(1); } code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0); if (code || strlen(ver) == 0) { printf("Bad key: \n"); exit(1); } if (strcmp(ver, buf) != 0) { printf("\nInput key mismatch\n"); exit(1); } ka_StringToKey(buf, tcell, &tkey); code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0); if (code) { printf("bos_util: failed to set key, code %d.\n", code); exit(1); } } else if (strcmp(argv[1], "adddes") == 0) { struct ktc_encryptionKey tkey; int kvno; afs_int32 code; char buf[BUFSIZ], ver[BUFSIZ]; if (argc != 3) { printf("bos_util adddes: usage is 'bos_util adddes <kvno>\n"); exit(1); } kvno = atoi(argv[2]); memset(&tkey, 0, sizeof(struct ktc_encryptionKey)); /* prompt for key */ code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0); if (code || strlen(buf) == 0) { printf("Bad key: \n"); exit(1); } code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0); if (code || strlen(ver) == 0) { printf("Bad key: \n"); exit(1); } if (strcmp(ver, buf) != 0) { printf("\nInput key mismatch\n"); exit(1); } des_string_to_key(buf, ktc_to_cblockptr(&tkey)); code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0); if (code) { printf("bos_util: failed to set key, code %d.\n", code); exit(1); } } #ifdef KERBEROS else if (strcmp(argv[1], "srvtab2keyfile") == 0) { char tkey[8], name[255], inst[255], realm[255]; int kvno; if (argc != 5) { printf ("bos_util add: usage is 'bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n"); exit(1); } kvno = atoi(argv[2]); bzero(tkey, sizeof(tkey)); code = kname_parse(name, inst, realm, argv[4]); if (code != 0) { printf("Invalid kerberos name\n"); exit(1); } code = read_service_key(name, inst, realm, kvno, argv[3], tkey); if (code != 0) { printf("Can't find key in %s\n", argv[3]); exit(1); } code = afsconf_AddKey(tdir, kvno, tkey, 0); if (code) { printf("bos_util: failed to set key, code %d.\n", code); exit(1); } } #endif else if (strcmp(argv[1], "delete") == 0) { long kvno; if (argc != 3) { printf("bos_util delete: usage is 'bos_util delete <kvno>\n"); exit(1); } kvno = atoi(argv[2]); code = afsconf_DeleteKey(tdir, kvno); if (code) { printf("bos_util: failed to delete key %ld, (code %d)\n", kvno, code); exit(1); } } else if (strcmp(argv[1], "list") == 0) { struct afsconf_keys tkeys; int i; unsigned char tbuffer[9]; code = afsconf_GetKeys(tdir, &tkeys); if (code) { printf("bos_util: failed to get keys, code %d\n", code); exit(1); } for (i = 0; i < tkeys.nkeys; i++) { if (tkeys.key[i].kvno != -1) { int count; unsigned char x[8]; memcpy(tbuffer, tkeys.key[i].key, 8); tbuffer[8] = 0; printf("kvno %4d: key is '%s' '", tkeys.key[i].kvno, tbuffer); strcpy((char *)x, (char *)tbuffer); for (count = 0; count < 8; count++) printf("\\%03o", x[count]); printf("'\n"); } } printf("All done.\n"); } else { printf ("bos_util: unknown operation '%s', type 'bos_util' for assistance\n", argv[1]); exit(1); } exit(0); }
/* * Map a remote kerberos principal to a local username. If a mapping * is found, a pointer to the local username is returned. Otherwise, * a NULL pointer is returned. * Eventually, this may be more sophisticated than a simple file scan. */ static char *auth_map_krbid(const char *real_aname, const char *real_inst, const char *real_realm) { static char localuser[MAX_K_NAME_SZ + 1]; char principal[MAX_K_NAME_SZ + 1]; char aname[ANAME_SZ]; char inst[INST_SZ]; char realm[REALM_SZ]; char lrealm[REALM_SZ]; char krbhst[MAX_HSTNM]; char *p; char buf[1024]; FILE *mapfile; if (!(mapfile = fopen(KRB_MAPNAME, "r"))) { /* If the file can't be opened, don't do mappings */ return 0; } for (;;) { if (!fgets(buf, sizeof(buf), mapfile)) break; if (parse_krbequiv_line(buf, principal, localuser) == 0 || kname_parse(aname, inst, realm, principal) != 0) { /* Ignore badly formed lines */ continue; } if (!strcmp(aname, real_aname) && !strcmp(inst, real_inst) && !strcmp(realm, real_realm)) { fclose(mapfile); aname[0] = inst[0] = realm[0] = '\0'; if (kname_parse(aname, inst, realm, localuser) != 0) { return 0; } /* Upcase realm name */ for (p = realm; *p; p++) { if (Uislower(*p)) *p = toupper(*p); } if (*realm) { if (krb_get_lrealm(lrealm,1) == 0 && strcmp(lrealm, realm) == 0) { *realm = 0; } else if (krb_get_krbhst(krbhst, realm, 1)) { return 0; /* Unknown realm */ } } strcpy(localuser, aname); if (*inst) { strcat(localuser, "."); strcat(localuser, inst); } if (*realm) { strcat(localuser, "@"); strcat(localuser, realm); } return localuser; } } fclose(mapfile); return 0; }
/* * Store a ticket into the default credentials cache * cache must exist (if it didn't exist, it would have been created by in_tkt) */ int krb4int_save_credentials_addr( char* service, char* instance, char* realm, C_Block session, int lifetime, int kvno, KTEXT ticket, KRB4_32 issue_date, KRB_UINT32 local_address) { cc_int32 cc_err = ccNoError; int kerr = KSUCCESS; cc_credentials_v4_t v4creds; cc_credentials_union creds; cc_ccache_t ccache = NULL; cc_string_t principal; cc_context_t cc_context = NULL; cc_int32 cc_version; cc_err = cc_initialize (&cc_context, ccapi_version_3, &cc_version, NULL); if (cc_err == ccNoError) { /* First try existing cache */ cc_err = cc_context_open_ccache (cc_context, TKT_FILE, &ccache); } if (cc_err == ccNoError) { /* Now we have a cache. Fill out the credentials and put them in the cache. */ /* To fill out the credentials, we need the principal */ cc_err = cc_ccache_get_principal (ccache, cc_credentials_v4, &principal); } if (cc_err == ccNoError) { kerr = kname_parse (v4creds.principal, v4creds.principal_instance, v4creds.realm, (char*) principal -> data); cc_string_release (principal); } if ((cc_err == ccNoError) && (kerr == KSUCCESS)) { strncpy (v4creds.service, service, SNAME_SZ); strncpy (v4creds.service_instance, instance, INST_SZ); strncpy (v4creds.realm, realm, REALM_SZ); memmove (v4creds.session_key, session, sizeof (C_Block)); v4creds.kvno = kvno; v4creds.string_to_key_type = cc_v4_stk_unknown; v4creds.issue_date = issue_date; v4creds.address = local_address; v4creds.lifetime = lifetime; v4creds.ticket_size = ticket -> length; memmove (v4creds.ticket, ticket -> dat, ticket -> length); creds.version = cc_credentials_v4; creds.credentials.credentials_v4 = &v4creds; cc_err = cc_ccache_store_credentials (ccache, &creds); } if (ccache != NULL) cc_ccache_release (ccache); if (cc_context != NULL) cc_context_release (cc_context); if (kerr != KSUCCESS) return kerr; if (cc_err != ccNoError) return KFAILURE; else return KSUCCESS; }