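/* Acquire initial tickets for inPrincipal, reusing the credential cache
   when it already holds valid V5 tickets and otherwise obtaining new ones
   with inPassword.

   inPrincipal       principal to acquire tickets for
   inLoginOptions    forwarded unchanged to KLAcquireNewInitialTicketsWithPassword
   inPassword        used only when no valid tickets are cached
   outCredCacheName  may be NULL; on klNoErr receives the cache name, which
                     the caller owns and releases (on the existing-cache path
                     this is the name KLCacheHasValidTickets allocated)

   Returns klNoErr on success, otherwise the KLStatus of the failing call. */
KLStatus
KLAcquireInitialTicketsWithPassword(KLPrincipal      inPrincipal,
				    KLLoginOptions   inLoginOptions,
				    const char      *inPassword,
				    char           **outCredCacheName)
{
    KLStatus ret;
    KLBoolean ValidTickets = 0;

    ret = KLCacheHasValidTickets(inPrincipal,
				 kerberosVersion_V5,
				 &ValidTickets,
				 NULL,
				 outCredCacheName);
    if (ret == 0) {
	if (ValidTickets)
	    return klNoErr; /* done: the cache is already usable */
	/* Stale cache: release the name KLCacheHasValidTickets handed back
	   and clear the slot, so a failure in the call below cannot leave
	   the caller holding a pointer to freed memory. */
	if (outCredCacheName) {
	    free(*outCredCacheName);
	    *outCredCacheName = NULL;
	}
    }
    return KLAcquireNewInitialTicketsWithPassword(inPrincipal,
						  inLoginOptions,
						  inPassword,
						  outCredCacheName);
}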
/* Thin wrapper: logs entry, then defers entirely to
   KLAcquireNewInitialTicketsWithPassword with the same arguments and
   returns its status unchanged. */
KLStatus
KLAcquireNewTicketsWithPassword (KLPrincipal      inPrincipal,
				 KLLoginOptions   inLoginOptions,
				 const char      *inPassword,
				 char           **outCredCacheName)
{
    KLStatus status;

    LOG_ENTRY();
    status = KLAcquireNewInitialTicketsWithPassword (inPrincipal,
						     inLoginOptions,
						     inPassword,
						     outCredCacheName);
    return status;
}
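/* Smoke test for the high-level Kerberos Login API.  Walks through
   principal creation, ticket acquisition (with an explicit password, with
   no principal given, and with cache reuse), cache inspection, password
   change and ticket destruction, printing each status rather than
   asserting on it.  Strings and principals handed back by the API are
   released with KLDisposeString / KLDisposePrincipal, and only on the
   paths where the call that produced them reported klNoErr. */
void TestHighLevelAPI (void)
{
    KLStatus err;
    KLPrincipal	inPrincipal, outPrincipal, outPrincipal2;
    char *outCredCacheName, *outCredCacheName2;
    KLTime	expirationTime;
    char*	principalString;
    char	timeString[256];
    KLBoolean	valid;

    /* Password-based acquisition for two fixed test principals. */
    err = KLCreatePrincipalFromTriplet ("grail", "", "TESTV5-KERBEROS-1.3.1", &inPrincipal);
    printf ("KLCreatePrincipalFromTriplet(grail@TESTV5-KERBEROS-1.3.1) (err = %d)\n", err);
    if (err == klNoErr) {
        err = KLAcquireNewInitialTicketsWithPassword (inPrincipal, NULL, "liarg", &outCredCacheName);
        if (err != klNoErr) {
            printf ("KLAcquireNewInitialTicketsWithPassword() returned err = %d\n", err);
        } else {
            printf ("KLAcquireNewInitialTicketsWithPassword() returned '%s'\n", outCredCacheName);
            KLDisposeString (outCredCacheName);
        }
        KLDisposePrincipal (inPrincipal);
    }

    err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal);
    printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err);
    if (err == klNoErr) {
        err = KLAcquireNewInitialTicketsWithPassword (inPrincipal, NULL, "ydobon", &outCredCacheName);
        if (err != klNoErr) {
            printf ("KLAcquireNewInitialTicketsWithPassword() returned err = %d\n", err);
        } else {
            printf ("KLAcquireNewInitialTicketsWithPassword() returned '%s'\n", outCredCacheName);
            KLDisposeString (outCredCacheName);
        }
        KLDisposePrincipal (inPrincipal);
    }

    /* Acquisition with no principal supplied: the API returns the one it
       used in inPrincipal, together with the cache name. */
    err = KLAcquireNewInitialTickets (NULL, NULL, &inPrincipal, &outCredCacheName);
    printf ("KLAcquireNewInitialTickets() (err = %d)\n", err);
    if (err == klNoErr) {
        KLDisposeString (outCredCacheName);
        err = KLAcquireInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName);
        printf ("KLAcquireInitialTickets() (err = %d)\n", err);
        if (err == klNoErr) {
            KLDisposeString (outCredCacheName);
            KLDisposePrincipal (outPrincipal);
        }
        KLDisposePrincipal (inPrincipal);
    }

    /* Set default login name/instance, then acquire again. */
    err = KLSetDefaultLoginOption (loginOption_LoginName, "testname", 3);
    printf ("KLSetDefaultLoginOption(loginOption_LoginName) to testname (err = %d)\n", err);
    if (err == klNoErr) {
        err = KLSetDefaultLoginOption (loginOption_LoginInstance, "testinstance", 6);
        printf ("KLSetDefaultLoginOption(loginOption_LoginInstance) to testinstance (err = %d)\n", err);
    }

    err = KLAcquireNewInitialTickets (NULL, NULL, &inPrincipal, &outCredCacheName);
    printf ("KLAcquireNewInitialTickets() (err = %d)\n", err);
    if (err == klNoErr) {
        KLDisposeString (outCredCacheName);
        KLDisposePrincipal (inPrincipal);
    }

    /* Principal == NULL: loop until the acquisition stops succeeding
       (presumably when the user cancels -- confirm against the API),
       inspecting the cache for each principal obtained. */
    while (KLAcquireNewInitialTickets (NULL, NULL, &outPrincipal, &outCredCacheName) == klNoErr) {
        err = KLTicketExpirationTime (outPrincipal, kerberosVersion_All, &expirationTime);
        if (err != klNoErr) {
            printf ("KLTicketExpirationTime returned error = %d\n", err);
        }
        err = KLCacheHasValidTickets (outPrincipal, kerberosVersion_All, &valid, &outPrincipal2, &outCredCacheName2);
        if (err == klNoErr) {
            err = KLGetStringFromPrincipal (outPrincipal2, kerberosVersion_V4, &principalString);
            if (err == klNoErr) {
                printf ("KLGetStringFromPrincipal returned string '%s'\n", principalString);
                KLDisposeString (principalString);
            }
            KLDisposePrincipal (outPrincipal2);
            KLDisposeString (outCredCacheName2);
            /* Same query with the optional out-parameters omitted. */
            err = KLCacheHasValidTickets (outPrincipal, kerberosVersion_All, &valid, NULL, NULL);
            if (err != klNoErr) {
                printf ("KLCacheHasValidTickets returned error = %d\n", err);
            }
        }
        err = KLCacheHasValidTickets (outPrincipal, kerberosVersion_All, &valid, NULL, NULL);
        if (err != klNoErr) {
            printf ("KLCacheHasValidTickets returned error = %d\n", err);
        }
        KLDisposeString (outCredCacheName);
        KLDisposePrincipal (outPrincipal);
    }

    err = KLAcquireNewInitialTickets (NULL, NULL, &outPrincipal, &outCredCacheName);
    if (err == klNoErr) {
        KLDisposeString (outCredCacheName);
        KLDisposePrincipal (outPrincipal);
    }

    /* Acquire for a named principal, then destroy its tickets. */
    err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal);
    printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err);
    if (err == klNoErr) {
        err = KLAcquireNewInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName);
        printf ("KLAcquireNewInitialTickets(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err);
        if (err == klNoErr) {
            KLDisposeString (outCredCacheName);
            KLDisposePrincipal (outPrincipal);
        }
        err = KLDestroyTickets (inPrincipal);
        printf ("KLDestroyTickets() (err = %d)\n", err);

        KLDisposePrincipal (inPrincipal);
    }

    /* Cache reuse, expiration reporting, password change, destruction. */
    err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal);
    printf ("KLCreatePrincipalFromTriplet(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err);
    if (err == klNoErr) {
        err = KLAcquireInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName);
        printf ("KLAcquireInitialTickets(nobody@TEST-KERBEROS-1.3.1) (err = %d)\n", err);
        if (err == klNoErr) {
            KLDisposeString (outCredCacheName);
            KLDisposePrincipal (outPrincipal);
        }

        err = KLAcquireNewInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName);
        if (err == klNoErr) {
            err = KLGetStringFromPrincipal (outPrincipal, kerberosVersion_V5, &principalString);
            if (err == klNoErr) {
                err = KLTicketExpirationTime (outPrincipal, kerberosVersion_All, &expirationTime);
                /* Format expirationTime only once the call has set it;
                   printing it regardless read an uninitialized value
                   when KLTicketExpirationTime failed. */
                if (err == klNoErr) {
                    printf ("Tickets for principal '%s' expire on %s\n",
                            principalString, TimeToString(timeString, expirationTime));
                } else {
                    printf ("KLTicketExpirationTime() (err = %d)\n", err);
                }

                KLDisposeString (principalString);
            }
            KLDisposeString (outCredCacheName);
            KLDisposePrincipal (outPrincipal);
        }

        err = KLChangePassword (inPrincipal);
        printf ("KLChangePassword() (err = %d)\n", err);

        err = KLDestroyTickets (inPrincipal);
        printf ("KLDestroyTickets() (err = %d)\n", err);

        KLDisposePrincipal (inPrincipal);
    }

}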
/* Called to see if the user's typed password is valid. We do this by asking
   the kerberos server for a ticket and checking to see if it gave us one.
   We need to move the ticketfile first, or otherwise we end up updating the
   user's tkfile with new tickets. This would break services like zephyr that
   like to stay authenticated, and it would screw with AFS authentication at
   some sites. So, we do a quick, painful hack with a tmpfile.
 */
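/* Validate typed_passwd by attempting to obtain a ticket-granting ticket
   with it.  Returns True when the KDC issued a ticket, False otherwise
   (including any local failure).  verbose_p is accepted for interface
   compatibility and not used.

   Non-Darwin path: the ticket file is temporarily redirected to a fresh
   mkstemp() file so the user's real ticket file is never touched; the
   temporary file and the derived key are destroyed before returning. */
Bool
kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p)
{
    (void) verbose_p;

# ifdef HAVE_DARWIN
    /* NULL for the cache-name out-parameter: we only want the verdict. */
    return (klNoErr ==
            KLAcquireNewInitialTicketsWithPassword (princ, NULL,
                                                    typed_passwd, NULL));
# else /* !HAVE_DARWIN */

    /* See comments in kerberos_lock_init -- should we do it the Mac Way
       on all systems?
     */
    C_Block mitkey;
    Bool success = False;
    char *newtkfile;
    int fh = -1;
    int n;
    const size_t tkfile_len = 80;

    /* temporarily switch to a new ticketfile.
       I'm not using tmpnam() because it isn't entirely portable.
       this could probably be fixed with autoconf. */
    newtkfile = malloc(tkfile_len);
    if (newtkfile == NULL)
        return False;

    /* snprintf both bounds the write and NUL-terminates, which is all
       mkstemp() needs from the template (the old memset of sizeof(pointer)
       bytes did neither). */
    n = snprintf(newtkfile, tkfile_len, "/tmp/xscrn-%i.XXXXXX", (int) getpid());
    if (n < 0 || (size_t) n >= tkfile_len) {
        free(newtkfile);
        return False;
    }

    if ((fh = mkstemp(newtkfile)) < 0) {
        free(newtkfile);
        return False;
    }
    if (fchmod(fh, 0600) < 0) {
        /* Previously leaked fh and left the empty temp file behind. */
        close(fh);
        remove(newtkfile);
        free(newtkfile);
        return False;
    }

    krb_set_tkt_string(newtkfile);

    /* encrypt the typed password. if you have an AFS password instead
       of a kerberos one, you lose *right here*. If you want to use AFS
       passwords, you can use ka_StringToKey() instead. As always, ymmv. */
    des_string_to_key(typed_passwd, mitkey);

    success = (krb_get_in_tkt(name, inst, realm, "krbtgt", realm, DEFAULT_TKT_LIFE,
                              key_to_key, NULL, (char *) mitkey) == 0) ? True : False;

    /* quickly block out the tempfile and password to prevent snooping,
       then restore the old ticketfile and clean up a bit.
       dest_tkt() acts on the current ticket string, which is still
       newtkfile here, so it must run before the string is restored. */
    dest_tkt();
    krb_set_tkt_string(tk_file);
    close(fh);
    /* Belt and braces: whether or not dest_tkt() already removed the
       file, make sure nothing is left in /tmp.  Failure is ignored. */
    remove(newtkfile);
    free(newtkfile);

    /* Scrub the derived key through a volatile pointer; a plain memset of
       a local that is about to go out of scope may be optimised away. */
    {
        volatile unsigned char *vp = (volatile unsigned char *) mitkey;
        size_t i;
        for (i = 0; i < sizeof(mitkey); i++)
            vp[i] = 0;
    }

    /* Did we verify successfully? */
    return success;

# endif /* !HAVE_DARWIN */
}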