PyObject *creds_change_password(krb5CredsObject *self, PyObject *args) { krb5_error_code ret; char *newpw; int result_code; krb5_data result_code_string; krb5_data result_string; int error = 0; if (!PyArg_ParseTuple(args, "s", &newpw)) return NULL; // principal is set to NULL -> set_password uses the default principal in set case ret = krb5_set_password(self->context, &self->creds, newpw, NULL, &result_code, &result_code_string, &result_string); if (ret) { error = 1; krb5_exception(NULL, ret); goto out; } krb5_data_free(&result_code_string); krb5_data_free(&result_string); out: if (error) return NULL; else { Py_RETURN_NONE; } }
krb5_error_code KRB5_LIB_FUNCTION krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal targprinc, int *result_code, krb5_data *result_code_string, krb5_data *result_string) { krb5_creds creds, *credsp; krb5_error_code ret; krb5_principal principal = NULL; *result_code = KRB5_KPASSWD_MALFORMED; result_code_string->data = result_string->data = NULL; result_code_string->length = result_string->length = 0; memset(&creds, 0, sizeof(creds)); if (targprinc == NULL) { ret = krb5_cc_get_principal(context, ccache, &principal); if (ret) return ret; } else principal = targprinc; ret = krb5_make_principal(context, &creds.server, krb5_principal_get_realm(context, principal), "kadmin", "changepw", NULL); if (ret) goto out; ret = krb5_cc_get_principal(context, ccache, &creds.client); if (ret) { krb5_free_principal(context, creds.server); goto out; } ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp); krb5_free_principal(context, creds.server); krb5_free_principal(context, creds.client); if (ret) goto out; ret = krb5_set_password(context, credsp, newpw, principal, result_code, result_code_string, result_string); krb5_free_creds(context, credsp); return ret; out: if (targprinc == NULL) krb5_free_principal(context, principal); return ret; }
mit_krb5_error_code KRB5_CALLCONV krb5_change_password(mit_krb5_context context, mit_krb5_creds *creds, char *newpw, int *result_code, mit_krb5_data *result_code_string, mit_krb5_data *result_string) { LOG_ENTRY(); return krb5_set_password(context, creds, newpw, NULL, result_code, result_code_string, result_string); }
/* * call-seq: * set_password(new_password) * * Call krb5_set_password() to set the password for this credential to * new_password. * * This method requires that the credential for kadmin/changepw@REALM has * already been fetched using Krb5#get_init_creds_password or * Krb5#get_init_creds_keytab. * * Returns true on success, raises Krb5Auth::Krb5::Exception on failure. *-- * TODO: This method does not work at the moment. */ static VALUE Krb5_set_password(VALUE self, VALUE _newpass) { Check_Type(_newpass,T_STRING); char *newpass = StringValueCStr(_newpass); struct ruby_krb5 *kerb; krb5_error_code krbret; int pw_result; krb5_data pw_res_string, res_string; Data_Get_Struct(self, struct ruby_krb5, kerb); if(!kerb){ NOSTRUCT_EXCEPT(); return Qfalse; } // TODO: get kadmin/changepw credentials here. krbret = krb5_set_password( kerb->ctx, &kerb->creds, newpass, NULL, &pw_result, &pw_res_string, &res_string ); if(krbret){ Krb5_register_error(krbret); return Qfalse; } if(pw_result){ Krb5_register_error(pw_result); return Qfalse; } return Qtrue; }
krb5_error_code KRB5_CALLCONV krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal change_password_for, int *result_code, krb5_data *result_code_string, krb5_data *result_string ) { krb5_creds creds; krb5_creds *credsp; krb5_error_code code; /* ** get the proper creds for use with krb5_set_password - */ memset (&creds, 0, sizeof(creds)); /* ** first get the principal for the password service - */ code = krb5_cc_get_principal (context, ccache, &creds.client); if (!code) { code = krb5_build_principal(context, &creds.server, change_password_for->realm.length, change_password_for->realm.data, "kadmin", "changepw", NULL); if (!code) { code = krb5_get_credentials(context, 0, ccache, &creds, &credsp); if (!code) { code = krb5_set_password(context, credsp, newpw, change_password_for, result_code, result_code_string, result_string); krb5_free_creds(context, credsp); } } krb5_free_cred_contents(context, &creds); } return code; }
static krb5_error_code change_pw(krb5_context context, kcm_ccache ccache, char *cpn, char *newpw) { krb5_error_code ret; krb5_creds cpw_cred; int result_code; krb5_data result_code_string; krb5_data result_string; krb5_get_init_creds_opt options; memset(&cpw_cred, 0, sizeof(cpw_cred)); krb5_get_init_creds_opt_init(&options); krb5_get_init_creds_opt_set_tkt_life(&options, 60); krb5_get_init_creds_opt_set_forwardable(&options, FALSE); krb5_get_init_creds_opt_set_proxiable(&options, FALSE); krb5_data_zero(&result_code_string); krb5_data_zero(&result_string); ret = krb5_get_init_creds_keytab(context, &cpw_cred, ccache->client, ccache->key.keytab, 0, "kadmin/changepw", &options); if (ret) { kcm_log(0, "Failed to acquire password change credentials " "for principal %s: %s", cpn, krb5_get_err_text(context, ret)); goto out; } ret = krb5_set_password(context, &cpw_cred, newpw, ccache->client, &result_code, &result_code_string, &result_string); if (ret) { kcm_log(0, "Failed to change password for principal %s: %s", cpn, krb5_get_err_text(context, ret)); goto out; } if (result_code) { kcm_log(0, "Failed to change password for principal %s: %.*s", cpn, (int)result_string.length, result_string.length > 0 ? (char *)result_string.data : ""); goto out; } out: krb5_data_free(&result_string); krb5_data_free(&result_code_string); krb5_free_cred_contents(context, &cpw_cred); return ret; }
static void generate_requests (const char *filename, unsigned nreq) { krb5_context context; krb5_error_code ret; int i; char **words; unsigned nwords; ret = krb5_init_context (&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); nwords = read_words (filename, &words); for (i = 0; i < nreq; ++i) { char *name = words[rand() % nwords]; krb5_get_init_creds_opt *opt; krb5_creds cred; krb5_principal principal; int result_code; krb5_data result_code_string, result_string; char *old_pwd, *new_pwd; int aret; krb5_get_init_creds_opt_alloc (context, &opt); krb5_get_init_creds_opt_set_tkt_life (opt, 300); krb5_get_init_creds_opt_set_forwardable (opt, FALSE); krb5_get_init_creds_opt_set_proxiable (opt, FALSE); ret = krb5_parse_name (context, name, &principal); if (ret) krb5_err (context, 1, ret, "krb5_parse_name %s", name); aret = asprintf (&old_pwd, "%s", name); if (aret == -1) krb5_errx(context, 1, "out of memory"); aret = asprintf (&new_pwd, "%s2", name); if (aret == -1) krb5_errx(context, 1, "out of memory"); ret = krb5_get_init_creds_password (context, &cred, principal, old_pwd, nop_prompter, NULL, 0, "kadmin/changepw", opt); if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY || ret == KRB5KRB_AP_ERR_MODIFIED) { char *tmp; tmp = new_pwd; new_pwd = old_pwd; old_pwd = tmp; ret = krb5_get_init_creds_password (context, &cred, principal, old_pwd, nop_prompter, NULL, 0, "kadmin/changepw", opt); } if (ret) krb5_err (context, 1, ret, "krb5_get_init_creds_password"); krb5_free_principal (context, principal); ret = krb5_set_password (context, &cred, new_pwd, NULL, &result_code, &result_code_string, &result_string); if (ret) krb5_err (context, 1, ret, "krb5_change_password"); free (old_pwd); free (new_pwd); krb5_free_cred_contents (context, &cred); krb5_get_init_creds_opt_free(context, opt); } }
OM_uint32 _gsskrb5_appl_change_password(OM_uint32 *minor_status, gss_name_t name, const char *oldpw, const char *newpw) { krb5_data result_code_string, result_string; krb5_get_init_creds_opt *opt = NULL; krb5_context context; krb5_principal principal = (krb5_principal)name; krb5_creds kcred; krb5_error_code ret; int result_code; GSSAPI_KRB5_INIT (&context); memset(&kcred, 0, sizeof(kcred)); ret = krb5_get_init_creds_opt_alloc(context, &opt); if (ret) goto out; krb5_get_init_creds_opt_set_tkt_life(opt, 300); krb5_get_init_creds_opt_set_forwardable(opt, FALSE); krb5_get_init_creds_opt_set_proxiable(opt, FALSE); ret = krb5_get_init_creds_password(context, &kcred, principal, oldpw, NULL, NULL, 0, "kadmin/changepw", opt); if (ret) goto out; ret = krb5_set_password(context, &kcred, newpw, NULL, &result_code, &result_code_string, &result_string); if (ret) goto out; krb5_data_free(&result_string); krb5_data_free(&result_code_string); if (result_code) { krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY, "Failed to change invalid password: %d", result_code); ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto out; } out: if (opt) krb5_get_init_creds_opt_free(context, opt); krb5_free_cred_contents(context, &kcred); *minor_status = ret; return ret ? GSS_S_FAILURE : GSS_S_COMPLETE; }
static krb5_error_code change_password (krb5_context context, krb5_principal client, const char *password, char *newpw, size_t newpw_sz, krb5_prompter_fct prompter, void *data, krb5_get_init_creds_opt *old_options) { krb5_prompt prompts[2]; krb5_error_code ret; krb5_creds cpw_cred; char buf1[BUFSIZ], buf2[BUFSIZ]; krb5_data password_data[2]; int result_code; krb5_data result_code_string; krb5_data result_string; char *p; krb5_get_init_creds_opt *options; memset (&cpw_cred, 0, sizeof(cpw_cred)); ret = krb5_get_init_creds_opt_alloc(context, &options); if (ret) return ret; krb5_get_init_creds_opt_set_tkt_life (options, 60); krb5_get_init_creds_opt_set_forwardable (options, FALSE); krb5_get_init_creds_opt_set_proxiable (options, FALSE); if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) krb5_get_init_creds_opt_set_preauth_list (options, old_options->preauth_list, old_options->preauth_list_length); krb5_data_zero (&result_code_string); krb5_data_zero (&result_string); ret = krb5_get_init_creds_password (context, &cpw_cred, client, password, prompter, data, 0, "kadmin/changepw", options); krb5_get_init_creds_opt_free(context, options); if (ret) goto out; for(;;) { password_data[0].data = buf1; password_data[0].length = sizeof(buf1); prompts[0].hidden = 1; prompts[0].prompt = "New password: "******"Repeat new password: "******"Changing password", 2, prompts); if (ret) { memset (buf1, 0, sizeof(buf1)); memset (buf2, 0, sizeof(buf2)); goto out; } if (strcmp (buf1, buf2) == 0) break; memset (buf1, 0, sizeof(buf1)); memset (buf2, 0, sizeof(buf2)); } ret = krb5_set_password (context, &cpw_cred, buf1, client, &result_code, &result_code_string, &result_string); if (ret) goto out; asprintf (&p, "%s: %.*s\n", result_code ? "Error" : "Success", (int)result_string.length, result_string.length > 0 ? (char*)result_string.data : ""); /* return the result */ (*prompter) (context, data, NULL, p, 0, NULL); free (p); if (result_code == 0) { strlcpy (newpw, buf1, newpw_sz); ret = 0; } else { ret = ENOTTY; krb5_set_error_message(context, ret, N_("failed changing password", "")); } out: memset (buf1, 0, sizeof(buf1)); memset (buf2, 0, sizeof(buf2)); krb5_data_free (&result_string); krb5_data_free (&result_code_string); krb5_free_cred_contents (context, &cpw_cred); return ret; }
kim_error kim_identity_change_password_with_credential (kim_identity in_identity, kim_credential in_credential, kim_string in_new_password, kim_ui_context *in_ui_context, kim_error *out_rejected_err, kim_string *out_rejected_message, kim_string *out_rejected_description) { kim_error err = KIM_NO_ERROR; krb5_creds *creds = NULL; int rejected_err = 0; krb5_data message_data; krb5_data description_data; if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !in_ui_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err && !out_rejected_err) { err = check_error (KIM_NULL_PARAMETER_ERR); } if (!err) { err = kim_credential_get_krb5_creds (in_credential, in_identity->context, &creds); } if (!err) { if (krb5_principal_compare (in_identity->context, in_identity->principal, creds->client)) { /* Same principal, change the password normally */ err = krb5_error (in_identity->context, krb5_change_password (in_identity->context, creds, (char *) in_new_password, &rejected_err, &message_data, &description_data)); } else { /* Different principal, use set change password protocol */ err = krb5_error (in_identity->context, krb5_set_password (in_identity->context, creds, (char *) in_new_password, in_identity->principal, &rejected_err, &message_data, &description_data)); } } if (!err && rejected_err) { kim_string rejected_message = NULL; kim_string rejected_description = NULL; if (message_data.data && message_data.length > 0) { err = kim_string_create_from_buffer (&rejected_message, message_data.data, message_data.length); } else { err = kim_os_string_create_localized (&rejected_message, "Kerberos Change Password Failed:"); } if (!err) { if (description_data.data && description_data.length > 0) { err = kim_string_create_from_buffer (&rejected_description, description_data.data, description_data.length); } else { err = kim_os_string_create_localized (&rejected_description, "New password rejected."); } } if (!err && in_ui_context->type != kim_ui_type_cli) { char *c; // replace all \n and \r characters with spaces for (c = (char *) rejected_message; *c != '\0'; c++) { if ((*c == '\n') || (*c == '\r')) { *c = ' '; } } for (c = (char *) rejected_description; *c != '\0'; c++) { if ((*c == '\n') || (*c == '\r')) { *c = ' '; } } } if (!err) { if (out_rejected_message) { *out_rejected_message = rejected_message; rejected_message = NULL; } if (out_rejected_description) { *out_rejected_description = rejected_description; rejected_description = NULL; } } kim_string_free (&rejected_message); kim_string_free (&rejected_description); krb5_free_data_contents (in_identity->context, &message_data); krb5_free_data_contents (in_identity->context, &description_data); } if (!err) { /* do this after reporting errors so we don't double report rejection */ *out_rejected_err = rejected_err; } if (creds) { krb5_free_creds (in_identity->context, creds); } return check_error (err); }