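/*
 * Build a kafs token for AFS cell `cell` from a Kerberos 5 credential.
 *
 * The libkafs appdefault "afs-use-524", looked up under the upper-cased
 * cell name, selects how the token is produced:
 *   "local" or "2b" (the default)        -> v5_to_kt(cred, uid, kt, 1)
 *   "yes", "true" or a non-zero integer  -> convert via the KDC's 524
 *                                           service (through ccache `id`
 *                                           when one is given) and build
 *                                           the token from the v4 creds
 *   anything else                        -> v5_to_kt(cred, uid, kt, 0)
 *
 * Returns 0 on success, ENOMEM when a string could not be allocated, or
 * the error from the 524 conversion / token construction.
 */
static krb5_error_code
v5_convert(krb5_context context, krb5_ccache id,
	   krb5_creds *cred, uid_t uid,
	   const char *cell,
	   struct kafs_token *kt)
{
    krb5_error_code ret;
    char *c, *val = NULL;

    c = strdup(cell);
    if (c == NULL)
	return ENOMEM;
    _kafs_foldup(c, c);
    krb5_appdefault_string (context, "libkafs",
			    c,
			    "afs-use-524", "2b", &val);
    free(c);
    /* val is heap-allocated by krb5_appdefault_string (freed below); if that
     * allocation failed it is NULL and must not reach strcasecmp(). */
    if (val == NULL)
	return ENOMEM;

    if (strcasecmp(val, "local") == 0 ||
	strcasecmp(val, "2b") == 0)
	ret = v5_to_kt(cred, uid, kt, 1);
    else if(strcasecmp(val, "yes") == 0 ||
	    strcasecmp(val, "true") == 0 ||
	    atoi(val)) {
	struct credentials cred4;

	/* Ask the KDC to downgrade the v5 credential to v4; use the
	 * ccache-aware variant when a ccache was supplied. */
	if (id == NULL)
	    ret = krb524_convert_creds_kdc(context, cred, &cred4);
	else
	    ret = krb524_convert_creds_kdc_ccache(context, id, cred, &cred4);
	if (ret)
	    goto out;

	ret = _kafs_v4_to_kt(&cred4, uid, kt);
    } else
	ret = v5_to_kt(cred, uid, kt, 0);

 out:
    free(val);
    return ret;
}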
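/*
 * Obtain Kerberos v4 credentials for the user and store them in
 * stash->v4creds.
 *
 * Two strategies are tried, in order:
 *   1. If options->v4_use_524 is set and the build provides a 524
 *      conversion routine, convert a v5 credential with the KDC's 524
 *      service.  A freshly obtained des-cbc-crc (single DES, the only
 *      enctype a v4 ticket can carry) credential is preferred; if that
 *      cannot be obtained, a private copy of stash->v5creds is used.
 *   2. If a password is available and options->v4_use_as_req is set,
 *      perform a v4 AS-REQ directly via _pam_krb5_v4_init().
 *
 * On success stash->v4present is set and PAM_SUCCESS is returned.  *result
 * (when non-NULL) receives the library status written by whichever attempt
 * last stored it.  Returns PAM_AUTH_ERR when neither strategy produced
 * v4 credentials.
 *
 * Ownership: every krb5_creds obtained or copied here is released before
 * returning, on both the success and the failure paths.
 */
int
v4_get_creds(krb5_context ctx,
	     pam_handle_t *pamh,
	     struct _pam_krb5_stash *stash,
	     struct _pam_krb5_user_info *userinfo,
	     struct _pam_krb5_options *options,
	     char *password,
	     int *result)
{
	int i;
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || \
    defined(HAVE_KRB524_CONVERT_CREDS_KDC)
	krb5_creds *v4_compat_creds, *in_creds;

/* The two conversion entry points share a signature; pick one at build
 * time instead of duplicating the surrounding logic per #ifdef branch. */
#ifdef HAVE_KRB5_524_CONVERT_CREDS
#define PAM_KRB5_524_CONVERT krb5_524_convert_creds
#else
#define PAM_KRB5_524_CONVERT krb524_convert_creds_kdc
#endif

	v4_compat_creds = NULL;
	in_creds = NULL;

	if (options->v4_use_524) {
		if (options->debug) {
			debug("obtaining v4-compatible key");
		}
		/* We need a DES-CBC-CRC v5 credential to convert to a proper v4
		 * credential. */
		i = v5_get_creds_etype(ctx, userinfo, options, &stash->v5creds,
				       ENCTYPE_DES_CBC_CRC, &v4_compat_creds);
		if (i == 0) {
			if (options->debug) {
				debug("obtained des-cbc-crc v5 creds");
			}
			in_creds = v4_compat_creds;
		} else {
			if (options->debug) {
				debug("failed to obtain des-cbc-crc v5 creds: "
				      "%d (%s)", i, v5_error_message(i));
			}
			/* Fall back to a private copy of the stashed v5 creds.
			 * A failed copy must leave in_creds NULL so that the
			 * checks below skip conversion and the free. */
			if (v5_creds_check_initialized(ctx,
						       &stash->v5creds) == 0) {
				if (krb5_copy_creds(ctx, &stash->v5creds,
						    &in_creds) != 0) {
					in_creds = NULL;
				}
			}
		}
		if (options->debug) {
			debug("converting v5 creds to v4 creds (etype = %d)",
			      in_creds ? v5_creds_get_etype(in_creds) : 0);
		}
		if ((in_creds != NULL) &&
		    (v5_creds_check_initialized(ctx, in_creds) == 0)) {
			i = PAM_KRB5_524_CONVERT(ctx, in_creds,
						 &stash->v4creds);
			if (i == 0) {
				if (options->debug) {
					debug("conversion succeeded");
				}
				stash->v4present = 1;
				if (result) {
					*result = i;
				}
				krb5_free_creds(ctx, in_creds);
				return PAM_SUCCESS;
			}
			if (options->debug) {
				debug("conversion failed: %d (%s)",
				      i, v5_error_message(i));
			}
			/* in_creds is ours on this path too; release it
			 * before falling through to the AS-REQ attempt. */
			krb5_free_creds(ctx, in_creds);
		}
	}
#undef PAM_KRB5_524_CONVERT
#endif
	if ((password != NULL) && (options->v4_use_as_req)) {
		if (options->debug) {
			debug("attempting to obtain initial v4 creds");
		}
		i = _pam_krb5_v4_init(ctx, stash, userinfo, options,
				      KRB5_TGS_NAME, NULL, password, result);
		if (i == PAM_SUCCESS) {
			if (options->debug) {
				debug("initial v4 creds obtained");
			}
			stash->v4present = 1;
			return PAM_SUCCESS;
		}
		if (options->debug) {
			debug("could not obtain initial v4 creds: %d (%s)",
			      i, v5_error_message(i));
		}
	}
	return PAM_AUTH_ERR;
}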