krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context,
krb5_creds *creds,
krb5_principal client,
const char *password,
krb5_prompter_fct prompter,
void *data,
krb5_deltat start_time,
const char *in_tkt_service,
krb5_get_init_creds_opt *options)
{
krb5_error_code ret, ret2;
int use_master;
krb5_kdc_rep *as_reply;
int tries;
krb5_creds chpw_creds;
krb5_get_init_creds_opt *chpw_opts = NULL;
krb5_data pw0, pw1;
char banner[1024], pw0array[1024], pw1array[1024];
krb5_prompt prompt[2];
krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
char *message;
use_master = 0;
as_reply = NULL;
memset(&chpw_creds, 0, sizeof(chpw_creds));
pw0.data = pw0array;
if (password && password[0]) {
if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) {
ret = EINVAL;
goto cleanup;
}
pw0.length = strlen(password);
} else {
pw0.data[0] = '\0';
pw0.length = sizeof(pw0array);
}
pw1.data = pw1array;
pw1.data[0] = '\0';
pw1.length = sizeof(pw1array);
/* first try: get the requested tkt from any kdc */
ret = krb5int_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
&use_master, &as_reply);
/* check for success */
if (ret == 0)
goto cleanup;
/* If all the kdc's are unavailable, or if the error was due to a
user interrupt, fail */
if ((ret == KRB5_KDC_UNREACH) ||
(ret == KRB5_LIBOS_PWDINTR) ||
(ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
/* if the reply did not come from the master kdc, try again with
the master kdc */
if (!use_master) {
TRACE_GIC_PWD_MASTER(context);
use_master = 1;
if (as_reply) {
krb5_free_kdc_rep( context, as_reply);
as_reply = NULL;
}
ret2 = krb5int_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
&use_master, &as_reply);
if (ret2 == 0) {
ret = 0;
goto cleanup;
}
/* if the master is unreachable, return the error from the
slave we were able to contact or reset the use_master flag */
if ((ret2 != KRB5_KDC_UNREACH) &&
(ret2 != KRB5_REALM_CANT_RESOLVE) &&
(ret2 != KRB5_REALM_UNKNOWN))
ret = ret2;
else
use_master = 0;
}
/* at this point, we have an error from the master. if the error
is not password expired, or if it is but there's no prompter,
return this error */
if ((ret != KRB5KDC_ERR_KEY_EXP) ||
(prompter == NULL))
goto cleanup;
/* historically the default has been to prompt for password change.
* if the change password prompt option has not been set, we continue
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
TRACE_GIC_PWD_EXPIRED(context);
/* ok, we have an expired password. Give the user a few chances
to change it */
/* use a minimal set of options */
ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts);
if (ret)
goto cleanup;
krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60);
krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0);
krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
if ((ret = krb5int_get_init_creds(context, &chpw_creds, client,
prompter, data,
start_time, "kadmin/changepw", chpw_opts,
krb5_get_as_key_password, (void *) &pw0,
&use_master, NULL)))
goto cleanup;
prompt[0].prompt = _("Enter new password");
prompt[0].hidden = 1;
prompt[0].reply = &pw0;
prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD;
prompt[1].prompt = _("Enter it again");
prompt[1].hidden = 1;
prompt[1].reply = &pw1;
prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
strlcpy(banner, _("Password expired. You must change it now."),
sizeof(banner));
for (tries = 3; tries; tries--) {
TRACE_GIC_PWD_CHANGEPW(context, tries);
pw0.length = sizeof(pw0array);
pw1.length = sizeof(pw1array);
/* PROMPTER_INVOCATION */
krb5int_set_prompt_types(context, prompt_types);
ret = (*prompter)(context, data, 0, banner,
sizeof(prompt)/sizeof(prompt[0]), prompt);
krb5int_set_prompt_types(context, 0);
if (ret)
goto cleanup;
if (strcmp(pw0.data, pw1.data) != 0) {
ret = KRB5_LIBOS_BADPWDMATCH;
snprintf(banner, sizeof(banner),
_("%s. Please try again."), error_message(ret));
} else if (pw0.length == 0) {
ret = KRB5_CHPW_PWDNULL;
snprintf(banner, sizeof(banner),
_("%s. Please try again."), error_message(ret));
} else {
int result_code;
krb5_data code_string;
krb5_data result_string;
if ((ret = krb5_change_password(context, &chpw_creds, pw0array,
&result_code, &code_string,
&result_string)))
goto cleanup;
/* the change succeeded. go on */
if (result_code == 0) {
free(result_string.data);
break;
}
/* set this in case the retry loop falls through */
ret = KRB5_CHPW_FAIL;
if (result_code != KRB5_KPASSWD_SOFTERROR) {
free(result_string.data);
goto cleanup;
}
/* the error was soft, so try again */
if (krb5_chpw_message(context, &result_string, &message) != 0)
message = NULL;
/* 100 is I happen to know that no code_string will be longer
than 100 chars */
if (message != NULL && strlen(message) > (sizeof(banner) - 100))
message[sizeof(banner) - 100] = '\0';
snprintf(banner, sizeof(banner),
_("%.*s%s%s. Please try again.\n"),
(int) code_string.length, code_string.data,
message ? ": " : "", message ? message : "");
free(message);
free(code_string.data);
free(result_string.data);
}
}
if (ret)
goto cleanup;
/* the password change was successful. Get an initial ticket
from the master. this is the last try. the return from this
is final. */
TRACE_GIC_PWD_CHANGED(context);
ret = krb5int_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
&use_master, &as_reply);
if (ret)
goto cleanup;
cleanup:
if (ret == 0)
warn_pw_expiry(context, options, prompter, data, in_tkt_service,
as_reply);
if (chpw_opts)
krb5_get_init_creds_opt_free(context, chpw_opts);
memset(pw0array, 0, sizeof(pw0array));
memset(pw1array, 0, sizeof(pw1array));
krb5_free_cred_contents(context, &chpw_creds);
if (as_reply)
krb5_free_kdc_rep(context, as_reply);
return(ret);
}
int
main(void)
{
krb5_context context;
char *msg;
setlocale(LC_MESSAGES, "C");
check(krb5_init_context(&context));
/* Valid utf-8 data in the result should be returned as is */
check(krb5_chpw_message(context, &result_utf8, &msg));
printf(" UTF8 valid: %s\n", msg);
check_msg(msg, "This is a valid string.");
free(msg);
/* Invalid data should have a generic message. */
check(krb5_chpw_message(context, &result_invalid_utf8, &msg));
printf(" UTF8 invalid: %s\n", msg);
check_msg(msg, "contact your administrator");
free(msg);
/* AD data with complex data requirement */
check(krb5_chpw_message(context, &result_ad_complex, &msg));
printf(" AD complex: %s\n", msg);
check_msg(msg, "The password must include numbers or symbols.");
check_msg(msg, "Don't include any part of your name in the password.");
free(msg);
/* AD data with min password length */
check(krb5_chpw_message(context, &result_ad_length, &msg));
printf(" AD length: %s\n", msg);
check_msg(msg, "The password must contain at least 13 characters.");
free(msg);
/* AD data with history requirements */
check(krb5_chpw_message(context, &result_ad_history, &msg));
printf(" AD history: %s\n", msg);
check_msg(msg, "The password must be different from the previous 9 "
"passwords.");
free(msg);
/* AD data with minimum age */
check(krb5_chpw_message(context, &result_ad_age, &msg));
printf(" AD min age: %s\n", msg);
check_msg(msg, "The password can only be changed every 2 days.");
free(msg);
/* AD data with all */
check(krb5_chpw_message(context, &result_ad_all, &msg));
printf(" AD all: %s\n", msg);
check_msg(msg, "The password can only be changed once a day.");
check_msg(msg, "The password must be different from the previous 13 "
"passwords.");
check_msg(msg, "The password must contain at least 5 characters.");
check_msg(msg, "The password must include numbers or symbols.");
check_msg(msg, "Don't include any part of your name in the password.");
free(msg);
krb5_free_context(context);
exit(0);
}
