static void krb5_start_session (void) { krb5_error_code ret; char *estr; ret = krb5_cc_resolve (context, tkfile, &ccache2); if (ret) { estr = krb5_get_error_string(context); syslog(LOG_WARNING, "resolve cred cache %s: %s", tkfile, estr ? estr : krb5_get_err_text(context, ret)); free(estr); krb5_cc_destroy(context, ccache); return; } ret = krb5_cc_copy_cache (context, ccache, ccache2); if (ret) { estr = krb5_get_error_string(context); syslog(LOG_WARNING, "storing credentials: %s", estr ? estr : krb5_get_err_text(context, ret)); free(estr); krb5_cc_destroy(context, ccache); return ; } krb5_cc_close(context, ccache2); krb5_cc_destroy(context, ccache); return; }
static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) { krb5_ccache ccache; krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; const char *errmsg; if (client->creds == NULL) { debug("No credentials stored"); return; } if (ssh_gssapi_krb5_init() == 0) return; if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix, NULL, &ccache)) != 0) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_cc_new_unique(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); return; } if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_parse_name(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); krb5_cc_destroy(krb_context, ccache); return; } if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { errmsg = krb5_get_error_message(krb_context, problem); logit("krb5_cc_initialize(): %.100s", errmsg); krb5_free_error_message(krb_context, errmsg); krb5_free_principal(krb_context, princ); krb5_cc_destroy(krb_context, ccache); return; } krb5_free_principal(krb_context, princ); if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ccache))) { logit("gss_krb5_copy_ccache() failed"); krb5_cc_destroy(krb_context, ccache); return; } client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); client->store.envvar = "KRB5CCNAME"; client->store.envval = xstrdup(client->store.filename); krb5_cc_close(krb_context, ccache); return; }
static void test_mcache(krb5_context context) { krb5_error_code ret; krb5_ccache id, id2; const char *nc, *tc; char *c; krb5_principal p, p2; ret = krb5_parse_name(context, "*****@*****.**", &p); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id); if (ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); ret = krb5_cc_initialize(context, id, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); nc = krb5_cc_get_name(context, id); if (nc == NULL) krb5_errx(context, 1, "krb5_cc_get_name"); tc = krb5_cc_get_type(context, id); if (tc == NULL) krb5_errx(context, 1, "krb5_cc_get_name"); if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL) errx(1, "malloc"); krb5_cc_close(context, id); ret = krb5_cc_resolve(context, c, &id2); if (ret) krb5_err(context, 1, ret, "krb5_cc_resolve"); ret = krb5_cc_get_principal(context, id2, &p2); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); if (krb5_principal_compare(context, p, p2) == FALSE) krb5_errx(context, 1, "p != p2"); krb5_cc_destroy(context, id2); krb5_free_principal(context, p); krb5_free_principal(context, p2); ret = krb5_cc_resolve(context, c, &id2); if (ret) krb5_err(context, 1, ret, "krb5_cc_resolve"); ret = krb5_cc_get_principal(context, id2, &p2); if (ret == 0) krb5_errx(context, 1, "krb5_cc_get_principal"); krb5_cc_destroy(context, id2); free(c); }
VOID LwTaskFreeCreds( PLW_TASK_CREDS pCreds /* IN OUT */ ) { if (pCreds->pKrb5Creds != NULL) { LwIoDeleteCreds(pCreds->pKrb5Creds); } if (pCreds->pszRestoreCache) { LwKrb5SetDefaultCachePath(pCreds->pszRestoreCache, NULL); LwFreeString(pCreds->pszRestoreCache); } if (pCreds->ctx != NULL) { if (pCreds->cc != NULL) { krb5_cc_destroy(pCreds->ctx, pCreds->cc); } krb5_free_context(pCreds->ctx); } LwFreeMemory(pCreds); }
DWORD SMBKrb5DestroyCache( PCSTR pszCachePath ) { DWORD dwError = 0; krb5_error_code ret = 0; krb5_context ctx = NULL; krb5_ccache cc = NULL; ret = krb5_init_context(&ctx); BAIL_ON_LWIO_KRB_ERROR(ctx, ret); /* use krb5_cc_resolve to get an alternate cache */ ret = krb5_cc_resolve(ctx, pszCachePath, &cc); BAIL_ON_LWIO_KRB_ERROR(ctx, ret); ret = krb5_cc_destroy(ctx, cc); if (ret != 0) { if (ret != KRB5_FCC_NOFILE) { BAIL_ON_LWIO_KRB_ERROR(ctx, ret); } else { ret = 0; } } error: if (ctx) { krb5_free_context(ctx); } return(dwError); }
DWORD VMCALogOutPrivate( ) /* Executes Kdestroy and clears out the TGT cache. This is equivalent to kdestroy */ { DWORD dwError = 0; krb5_context context = NULL; krb5_ccache ccache = NULL; dwError = krb5_init_context(&context); BAIL_ON_ERROR(dwError); dwError = krb5_cc_default( context, &ccache); BAIL_ON_ERROR(dwError); krb5_cc_destroy(context, ccache); error: if(context != NULL){ krb5_free_context(context); } return dwError; }
static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_ccache delegated_cred) { krb5_error_code problem; krb5_principal princ = NULL; krb5_ccache ccache = NULL; problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ); if (problem) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem); goto end; } if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) { goto end; } problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache); if (problem) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem); goto end; } krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, ccache); return 0; end: if (princ) krb5_free_principal(kcontext, princ); if (ccache) krb5_cc_destroy(kcontext, ccache); return -1; }
static void cockpit_creds_free (gpointer data) { CockpitCreds *creds = data; cockpit_creds_poison (creds); g_list_free_full (creds->bytes, (GDestroyNotify)g_bytes_unref); g_free (creds->user); g_free (creds->application); g_free (creds->rhost); g_free (creds->gssapi_creds); g_free (creds->csrf_token); if (creds->krb5_ctx) { if (creds->krb5_ccache) krb5_cc_destroy (creds->krb5_ctx, creds->krb5_ccache); if (creds->krb5_ccache_name) krb5_free_string (creds->krb5_ctx, creds->krb5_ccache_name); krb5_free_context (creds->krb5_ctx); } if (creds->login_data) json_object_unref (creds->login_data); g_free (creds); }
OM_uint32 gss_release_cred (OM_uint32 * minor_status, gss_cred_id_t * cred_handle ) { *minor_status = 0; if (*cred_handle == GSS_C_NO_CREDENTIAL) { return GSS_S_COMPLETE; } GSSAPI_KRB5_INIT (); HEIMDAL_MUTEX_lock(&(*cred_handle)->cred_id_mutex); if ((*cred_handle)->principal != NULL) krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); if ((*cred_handle)->keytab != NULL) krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); if ((*cred_handle)->ccache != NULL) { const krb5_cc_ops *ops; ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache); if (ops == &krb5_mcc_ops) krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache); else krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache); } gss_release_oid_set(NULL, &(*cred_handle)->mechanisms); HEIMDAL_MUTEX_unlock(&(*cred_handle)->cred_id_mutex); HEIMDAL_MUTEX_destroy(&(*cred_handle)->cred_id_mutex); memset(*cred_handle, 0, sizeof(**cred_handle)); free(*cred_handle); *cred_handle = GSS_C_NO_CREDENTIAL; return GSS_S_COMPLETE; }
void krb5_cleanup() { if (kparam.context) { if (kparam.cc) krb5_cc_destroy(kparam.context,kparam.cc); krb5_free_context(kparam.context); } }
kadm5_ret_t kadm5_destroy(void *server_handle) { krb5_ccache ccache = NULL; int code = KADM5_OK; kadm5_server_handle_t handle = (kadm5_server_handle_t) server_handle; CHECK_HANDLE(server_handle); if (handle->destroy_cache && handle->cache_name) { if ((code = krb5_cc_resolve(handle->context, handle->cache_name, &ccache)) == 0) code = krb5_cc_destroy (handle->context, ccache); } if (handle->cache_name) free(handle->cache_name); if (handle->clnt && handle->clnt->cl_auth) AUTH_DESTROY(handle->clnt->cl_auth); if (handle->clnt) clnt_destroy(handle->clnt); if (handle->client_socket != -1) close(handle->client_socket); if (handle->lhandle) free (handle->lhandle); kadm5_free_config_params(handle->context, &handle->params); handle->magic_number = 0; free(handle); return code; }
int destroy_credentials(const char * cache_name) { krb5_error_code ret; krb5_ccache ccache; if (cache_name) { ret = krb5_cc_resolve(this->ctx, cache_name, &ccache); if (ret) { LOG(LOG_ERR, "ERREUR Resolving Cache Name"); } } else { ret = krb5_cc_default(this->ctx, &ccache); if (ret) { LOG(LOG_ERR, "ERREUR CC Default resolve "); } } ret = krb5_cc_destroy(this->ctx, ccache); if (ret) { if (ret != KRB5_FCC_NOFILE) { LOG(LOG_ERR, "ERREUR Destroying Cache"); } else { LOG(LOG_INFO, "No Credential cache to destroy"); } } else { LOG(LOG_INFO, "Credentials Cache Succesfully destroyed"); } return ret; }
static void test_move(krb5_context context, const char *type) { const krb5_cc_ops *ops; krb5_ccache fromid, toid; krb5_error_code ret; krb5_principal p, p2; ops = krb5_cc_get_prefix_ops(context, type); if (ops == NULL) return; ret = krb5_cc_new_unique(context, type, NULL, &fromid); if (ret == KRB5_CC_NOSUPP) return; else if (ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); ret = krb5_parse_name(context, "*****@*****.**", &p); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); ret = krb5_cc_initialize(context, fromid, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_new_unique(context, type, NULL, &toid); if (ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); ret = krb5_cc_initialize(context, toid, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_get_principal(context, toid, &p2); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); if (krb5_principal_compare(context, p, p2) == FALSE) krb5_errx(context, 1, "p != p2"); krb5_free_principal(context, p); krb5_free_principal(context, p2); krb5_cc_destroy(context, toid); krb5_cc_destroy(context, fromid); }
/* Convert a JSON value to a ccache handle or to NULL. Set *new_out to true if * the ccache handle is a newly created memory ccache, false otherwise. */ static int json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out, krb5_boolean *new_out) { krb5_error_code ret; krb5_ccache ccache = NULL; krb5_principal princ; krb5_creds creds; k5_json_array array; size_t i, len; *ccache_out = NULL; *new_out = FALSE; if (k5_json_get_tid(v) == K5_JSON_TID_NULL) return 0; if (k5_json_get_tid(v) == K5_JSON_TID_STRING) { /* We got a reference to an external ccache; just resolve it. */ return krb5_cc_resolve(context, k5_json_string_utf8(v), ccache_out) ? -1 : 0; } /* We got the contents of a memory ccache. */ if (k5_json_get_tid(v) != K5_JSON_TID_ARRAY) return -1; array = v; len = k5_json_array_length(array); if (len < 1) return -1; /* Initialize a new memory ccache using the principal in the first array * entry.*/ if (krb5_cc_new_unique(context, "MEMORY", NULL, &ccache)) return -1; if (json_to_principal(context, k5_json_array_get(array, 0), &princ)) goto invalid; ret = krb5_cc_initialize(context, ccache, princ); krb5_free_principal(context, princ); if (ret) goto invalid; /* Add remaining array entries to the ccache as credentials. */ for (i = 1; i < len; i++) { if (json_to_creds(context, k5_json_array_get(array, 1), &creds)) goto invalid; ret = krb5_cc_store_cred(context, ccache, &creds); krb5_free_cred_contents(context, &creds); if (ret) goto invalid; } *ccache_out = ccache; *new_out = TRUE; return 0; invalid: (void)krb5_cc_destroy(context, ccache); return -1; }
/* * The default unset code path depends on the underlying ccache implementation * knowing how to remove a credential, which most types don't actually support, * so we have to jump through some hoops to ensure that when we set a value for * a key, it'll be the only value for that key that'll be found later. The * ccache portions of libkrb5 will currently duplicate some of the actual * tickets. */ static void unset_config(krb5_context context, krb5_ccache ccache, krb5_principal server, const char *key) { krb5_ccache tmp1, tmp2; krb5_cc_cursor cursor; krb5_creds mcreds, creds; memset(&mcreds, 0, sizeof(mcreds)); memset(&creds, 0, sizeof(creds)); bail_on_err(context, "Error while deriving configuration principal names", k5_build_conf_principals(context, ccache, server, key, &mcreds)); bail_on_err(context, "Error resolving first in-memory ccache", krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1)); bail_on_err(context, "Error initializing first in-memory ccache", krb5_cc_initialize(context, tmp1, mcreds.client)); bail_on_err(context, "Error resolving second in-memory ccache", krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2)); bail_on_err(context, "Error initializing second in-memory ccache", krb5_cc_initialize(context, tmp2, mcreds.client)); bail_on_err(context, "Error copying credentials to first in-memory ccache", krb5_cc_copy_creds(context, ccache, tmp1)); bail_on_err(context, "Error starting traversal of first in-memory ccache", krb5_cc_start_seq_get(context, tmp1, &cursor)); while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) { if (!krb5_is_config_principal(context, creds.server) || !krb5_principal_compare(context, mcreds.server, creds.server) || !krb5_principal_compare(context, mcreds.client, creds.client)) { bail_on_err(context, "Error storing non-config item to in-memory ccache", krb5_cc_store_cred(context, tmp2, &creds)); } } bail_on_err(context, "Error ending traversal of first in-memory ccache", krb5_cc_end_seq_get(context, tmp1, &cursor)); bail_on_err(context, "Error clearing ccache", krb5_cc_initialize(context, ccache, mcreds.client)); bail_on_err(context, "Error storing creds to the ccache", krb5_cc_copy_creds(context, tmp2, ccache)); bail_on_err(context, "Error cleaning up first in-memory ccache", krb5_cc_destroy(context, tmp1)); bail_on_err(context, "Error cleaning up second in-memory ccache", krb5_cc_destroy(context, tmp2)); }
Krb5CCache::~Krb5CCache() { if (ccache_) { if (destroy_) { krb5_cc_destroy(context_.get(), ccache_); } else { krb5_cc_close(context_.get(), ccache_); } } }
/* * Push a password change to Active Directory. Takes the module * configuration, a Kerberos context, the principal whose password is being * changed (we will have to change the realm), and the new password and its * length. Returns a Kerberos error code. */ krb5_error_code sync_ad_chpass(kadm5_hook_modinfo *config, krb5_context ctx, krb5_principal principal, const char *password) { krb5_error_code code; char *target = NULL; krb5_ccache ccache; krb5_principal ad_principal = NULL; int result_code; krb5_data result_code_string, result_string; /* Ensure the configuration is sane. */ CHECK_CONFIG(ad_realm); /* Get the credentials we'll use to make the change in AD. */ code = get_creds(config, ctx, &ccache); if (code != 0) return code; /* Get the corresponding AD principal. */ code = get_ad_principal(config, ctx, principal, &ad_principal); if (code != 0) goto done; /* This is just for logging purposes. */ code = krb5_unparse_name(ctx, ad_principal, &target); if (code != 0) goto done; /* Do the actual password change and record any error. */ code = krb5_set_password_using_ccache(ctx, ccache, (char *) password, ad_principal, &result_code, &result_code_string, &result_string); if (code != 0) goto done; if (result_code != 0) { code = sync_error_generic(ctx, "password change failed for %s: (%d)" " %.*s%s%.*s", target, result_code, (int) result_code_string.length, (char *) result_code_string.data, result_string.length ? ": " : "", (int) result_string.length, (char *) result_string.data); goto done; } free(result_string.data); free(result_code_string.data); sync_syslog_info(config, "krb5-sync: %s password changed", target); done: krb5_cc_destroy(ctx, ccache); if (target != NULL) krb5_free_unparsed_name(ctx, target); if (ad_principal != NULL) krb5_free_principal(ctx, ad_principal); return code; }
KLStatus KLAcquireNewInitialTicketsWithPassword(KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, const char *inPassword, char **outCredCacheName) { krb5_context context = mshim_ctx(); krb5_error_code ret; krb5_ccache cache; krb5_creds creds; char *service = NULL; krb5_get_init_creds_opt *opt = NULL; LOG_ENTRY(); if (inLoginOptions) { service = inLoginOptions->service; opt = inLoginOptions->opt; } ret = heim_krb5_get_init_creds_password(context, &creds, inPrincipal, inPassword, NULL, NULL, 0, service, opt); if (ret) return ret; ret = heim_krb5_cc_cache_match(context, inPrincipal, &cache); if (ret) ret = heim_krb5_cc_new_unique(context, NULL, NULL, &cache); if (ret) goto out; ret = heim_krb5_cc_initialize(context, cache, creds.client); if(ret) goto out; ret = heim_krb5_cc_store_cred(context, cache, &creds); if (ret) goto out; if (outCredCacheName) *outCredCacheName = strdup(heim_krb5_cc_get_name(context, cache)); out: if (cache) { if (ret) krb5_cc_destroy((mit_krb5_context)context, (mit_krb5_ccache)cache); else heim_krb5_cc_close(context, cache); } heim_krb5_free_cred_contents(context, &creds); return ret; }
/* * Serialize krb5_ccache */ static krb5_error_code ser_ccache_test(krb5_context kcontext, int verbose) { krb5_error_code kret; char ccname[128]; char princname[256]; krb5_ccache ccache; krb5_principal principal; snprintf(ccname, sizeof(ccname), "temp_cc_%d", (int) getpid()); snprintf(princname, sizeof(princname), "zowie%d/instance%[email protected]", (int) getpid(), (int) getpid()); if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) && !(kret = ser_data(verbose, "> Resolved default ccache", (krb5_pointer) ccache, KV5M_CCACHE)) && !(kret = krb5_parse_name(kcontext, princname, &principal)) && !(kret = krb5_cc_initialize(kcontext, ccache, principal)) && !(kret = ser_data(verbose, "> Initialized default ccache", (krb5_pointer) ccache, KV5M_CCACHE)) && !(kret = krb5_cc_destroy(kcontext, ccache))) { krb5_free_principal(kcontext, principal); snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid()); snprintf(princname, sizeof(princname), "xxx%d/i%[email protected]", (int) getpid(), (int) getpid()); if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) && !(kret = ser_data(verbose, "> Resolved FILE ccache", (krb5_pointer) ccache, KV5M_CCACHE)) && !(kret = krb5_parse_name(kcontext, princname, &principal)) && !(kret = krb5_cc_initialize(kcontext, ccache, principal)) && !(kret = ser_data(verbose, "> Initialized FILE ccache", (krb5_pointer) ccache, KV5M_CCACHE)) && !(kret = krb5_cc_destroy(kcontext, ccache))) { krb5_free_principal(kcontext, principal); if (verbose) printf("* ccache test succeeded\n"); } } if (kret) printf("* krb5_ccache test failed\n"); return(kret); }
/** Frees libkrb5 resources associated with the handle * * Must not be called directly. * * @param conn to free. * @return 0 (always indicates success). */ static int _mod_conn_free(rlm_krb5_handle_t *conn) { krb5_free_context(conn->context); if (conn->keytab) krb5_kt_close(conn->context, conn->keytab); #ifdef HEIMDAL_KRB5 if (conn->ccache) krb5_cc_destroy(conn->context, conn->ccache); #endif return 0; }
static void test_init_vs_destroy(krb5_context context, const char *type) { krb5_error_code ret; krb5_ccache id, id2; krb5_principal p, p2; char *n = NULL; ret = krb5_parse_name(context, "*****@*****.**", &p); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); ret = krb5_cc_new_unique(context, type, NULL, &id); if (ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); if (asprintf(&n, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id)) < 0 || n == NULL) errx(1, "malloc"); ret = krb5_cc_resolve(context, n, &id2); free(n); if (ret) krb5_err(context, 1, ret, "krb5_cc_resolve"); krb5_cc_destroy(context, id); ret = krb5_cc_initialize(context, id2, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_get_principal(context, id2, &p2); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); krb5_cc_destroy(context, id2); krb5_free_principal(context, p); krb5_free_principal(context, p2); }
void ceo_krb5_deauth() { krb5_error_code retval; krb5_ccache cache; debug("krb5: destroying credentials"); if ((retval = krb5_cc_default(context, &cache))) com_err(prog, retval, "while resolving credentials cache"); if ((retval = krb5_cc_destroy(context, cache))) com_err(prog, retval, "while destroying credentials cache"); }
static int krb5_start_session (const struct passwd *pwd) { krb5_error_code ret; char residual[64]; /* copy credentials to file cache */ snprintf(residual, sizeof(residual), "FILE:/tmp/krb5cc_%u", (unsigned)pwd->pw_uid); krb5_cc_resolve(context, residual, &id2); ret = krb5_cc_copy_cache(context, id, id2); if (ret == 0) add_env("KRB5CCNAME", residual); else { krb5_cc_destroy (context, id2); return ret; } krb5_cc_close(context, id2); krb5_cc_destroy(context, id); return 0; }
void SessionExit (struct display *d, int status, int removeAuth) { #ifdef USE_PAM pam_handle_t *pamh = thepamh(); #endif #ifdef USE_PAM if (pamh) { /* shutdown PAM session */ pam_close_session(pamh, 0); pam_end(pamh, PAM_SUCCESS); pamh = NULL; } #endif /* make sure the server gets reset after the session is over */ if (d->serverPid >= 2 && d->resetSignal) kill (d->serverPid, d->resetSignal); else ResetServer (d); if (removeAuth) { setgid (verify.gid); setuid (verify.uid); RemoveUserAuthorization (d, &verify); #ifdef K5AUTH /* do like "kdestroy" program */ { krb5_error_code code; krb5_ccache ccache; code = Krb5DisplayCCache(d->name, &ccache); if (code) LogError("%s while getting Krb5 ccache to destroy\n", error_message(code)); else { code = krb5_cc_destroy(ccache); if (code) { if (code == KRB5_FCC_NOFILE) { Debug ("No Kerberos ccache file found to destroy\n"); } else LogError("%s while destroying Krb5 credentials cache\n", error_message(code)); } else Debug ("Kerberos ccache destroyed\n"); krb5_cc_close(ccache); } } #endif /* K5AUTH */ } Debug ("Display %s exiting with status %d\n", d->name, status); exit (status); }
static void test_copy(krb5_context context, const char *from, const char *to) { krb5_ccache fromid, toid; krb5_error_code ret; krb5_principal p, p2; ret = krb5_parse_name(context, "*****@*****.**", &p); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); ret = krb5_cc_new_unique(context, from, NULL, &fromid); if (ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); ret = krb5_cc_initialize(context, fromid, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_new_unique(context, to, NULL, &toid); if (ret) krb5_err(context, 1, ret, "krb5_cc_gen_new"); ret = krb5_cc_copy_cache(context, fromid, toid); if (ret) krb5_err(context, 1, ret, "krb5_cc_copy_cache"); ret = krb5_cc_get_principal(context, toid, &p2); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); if (krb5_principal_compare(context, p, p2) == FALSE) krb5_errx(context, 1, "p != p2"); krb5_free_principal(context, p); krb5_free_principal(context, p2); krb5_cc_destroy(context, fromid); krb5_cc_destroy(context, toid); }
static gss_client_response *create_krb5_ccache(gss_server_state *state, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache) { char *ccname = NULL; int fd; krb5_error_code problem; krb5_ccache tmp_ccache = NULL; gss_client_response *error = NULL; // TODO: mod_auth_kerb used a temp file under /run/httpd/krbcache. what can we do? ccname = strdup("FILE:/tmp/krb5cc_nodekerberos_XXXXXX"); if (!ccname) die1("Memory allocation failed"); fd = mkstemp(ccname + strlen("FILE:")); if (fd < 0) { error = other_error("mkstemp() failed: %s", strerror(errno)); goto end; } close(fd); problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache); if (problem) { error = krb5_ctx_error(kcontext, problem); goto end; } problem = krb5_cc_initialize(kcontext, tmp_ccache, princ); if (problem) { error = krb5_ctx_error(kcontext, problem); goto end; } state->delegated_credentials_cache = strdup(ccname); // TODO: how/when to cleanup the creds cache file? // TODO: how to expose the credentials expiration time? *ccache = tmp_ccache; tmp_ccache = NULL; end: if (tmp_ccache) krb5_cc_destroy(kcontext, tmp_ccache); if (ccname && error) unlink(ccname); if (ccname) free(ccname); return error; }
KLStatus KLDestroyTickets(KLPrincipal inPrincipal) { krb5_context context = mshim_ctx(); krb5_error_code ret; krb5_ccache id; ret = heim_krb5_cc_cache_match(context, inPrincipal, &id); if (ret) return ret; return krb5_cc_destroy((mit_krb5_context)context, (mit_krb5_ccache)id); }
static void test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops) { krb5_error_code ret; krb5_ccache id, id2; krb5_principal p, p2; char *n; ret = krb5_parse_name(context, "*****@*****.**", &p); if (ret) krb5_err(context, 1, ret, "krb5_parse_name"); ret = krb5_cc_gen_new(context, ops, &id); if (ret) krb5_err(context, 1, ret, "krb5_cc_gen_new"); asprintf(&n, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id)); ret = krb5_cc_resolve(context, n, &id2); if (ret) krb5_err(context, 1, ret, "krb5_cc_resolve"); krb5_cc_destroy(context, id); ret = krb5_cc_initialize(context, id2, p); if (ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); ret = krb5_cc_get_principal(context, id2, &p2); if (ret) krb5_err(context, 1, ret, "krb5_cc_get_principal"); krb5_cc_destroy(context, id2); krb5_free_principal(context, p); krb5_free_principal(context, p2); }
int authenticate_store_clear(gss_store_state* state) { if (state->client) krb5_free_principal(state->context, state->client); if (state->ccache) krb5_cc_destroy(state->context, state->ccache); krb5_free_context(state->context); if (state->ccache_name != NULL) { free(state->ccache_name); state->ccache_name = NULL; } return 1; }
static void put_creds_in_ccache(char *name, gss_cred_id_t creds) { OM_uint32 maj_stat, min_stat; krb5_context context; krb5_principal me; krb5_ccache ccache; krb5_error_code retval; char buf[1024]; maj_stat = krb5_init_context(&context); if (maj_stat != GSS_S_COMPLETE) { gsslib_display_status(MSG_GSS_PRINTERROR_GETTINGKRB5CONTEXT, maj_stat, GSS_S_COMPLETE); return; } /* Set up ccache */ if ((retval = krb5_parse_name(context, name, &me))) { snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5PARSENAMERETURNEDX_I, retval); gsslib_print_error(buf); return; } /* Use default ccache */ if ((retval = krb5_cc_default(context, &ccache))) { snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5CCDEFAULTRETURNEDX_I, retval); gsslib_print_error(buf); return; } if ((retval = krb5_cc_initialize(context, ccache, me))) { snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5CCINITIALIZERETURNEDX_I, retval); gsslib_print_error(buf); return; } /* Copy GSS creds into ccache */ maj_stat = gss_krb5_copy_ccache(&min_stat, creds, ccache); if (maj_stat != GSS_S_COMPLETE) { gsslib_display_status(MSG_GSS_PRINTERROR_COPYINGDELEGATEDCREDSTOCC, maj_stat, min_stat); goto cleanup; } return; cleanup: krb5_cc_destroy(context, ccache); }