KLStatus KLAcquireInitialTicketsWithPassword(KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, const char *inPassword, char **outCredCacheName) { KLStatus ret; KLBoolean ValidTickets; ret = KLCacheHasValidTickets(inPrincipal, kerberosVersion_V5, &ValidTickets, NULL, outCredCacheName); if (ret == 0) { if (ValidTickets) return klNoErr; /* done */ /* get credential */ if (outCredCacheName) free(*outCredCacheName); } return KLAcquireNewInitialTicketsWithPassword(inPrincipal, inLoginOptions, inPassword, outCredCacheName); }
KLStatus KLAcquireNewTicketsWithPassword (KLPrincipal inPrincipal, KLLoginOptions inLoginOptions, const char *inPassword, char **outCredCacheName) { LOG_ENTRY(); return KLAcquireNewInitialTicketsWithPassword (inPrincipal, inLoginOptions, inPassword, outCredCacheName); }
void TestHighLevelAPI (void) { KLStatus err; KLPrincipal inPrincipal, outPrincipal, outPrincipal2; char *outCredCacheName, *outCredCacheName2; KLTime expirationTime; char* principalString; char timeString[256]; KLBoolean valid; err = KLCreatePrincipalFromTriplet ("grail", "", "TESTV5-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet([email protected]) (err = %d)\n", err); if (err == klNoErr) { err = KLAcquireNewInitialTicketsWithPassword (inPrincipal, NULL, "liarg", &outCredCacheName); if (err != klNoErr) { printf ("KLAcquireNewInitialTicketsWithPassword() returned err = %d\n", err); } else { printf ("KLAcquireNewInitialTicketsWithPassword() returned '%s'\n", outCredCacheName); KLDisposeString (outCredCacheName); } KLDisposePrincipal (inPrincipal); } err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet([email protected]) (err = %d)\n", err); if (err == klNoErr) { err = KLAcquireNewInitialTicketsWithPassword (inPrincipal, NULL, "ydobon", &outCredCacheName); if (err != klNoErr) { printf ("KLAcquireNewInitialTicketsWithPassword() returned err = %d\n", err); } else { printf ("KLAcquireNewInitialTicketsWithPassword() returned '%s'\n", outCredCacheName); KLDisposeString (outCredCacheName); } KLDisposePrincipal (inPrincipal); } err = KLAcquireNewInitialTickets (NULL, NULL, &inPrincipal, &outCredCacheName); printf ("KLAcquireNewInitialTickets() (err = %d)\n", err); if (err == klNoErr) { KLDisposeString (outCredCacheName); err = KLAcquireInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName); printf ("KLAcquireInitialTickets() (err = %d)\n", err); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } KLDisposePrincipal (inPrincipal); } err = KLSetDefaultLoginOption (loginOption_LoginName, "testname", 3); printf ("KLSetDefaultLoginOption(loginOption_LoginName) to testname (err = %d)\n", err); if (err == klNoErr) { err = KLSetDefaultLoginOption (loginOption_LoginInstance, "testinstance", 6); printf ("KLSetDefaultLoginOption(loginOption_LoginInstance) to testinstance (err = %d)\n", err); } err = KLAcquireNewInitialTickets (NULL, NULL, &inPrincipal, &outCredCacheName); printf ("KLAcquireNewInitialTickets() (err = %d)\n", err); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (inPrincipal); } // Principal == NULL while (KLAcquireNewInitialTickets (NULL, NULL, &outPrincipal, &outCredCacheName) == klNoErr) { err = KLTicketExpirationTime (outPrincipal, kerberosVersion_All, &expirationTime); err = KLCacheHasValidTickets (outPrincipal, kerberosVersion_All, &valid, &outPrincipal2, &outCredCacheName2); if (err == klNoErr) { err = KLGetStringFromPrincipal (outPrincipal2, kerberosVersion_V4, &principalString); if (err == klNoErr) { printf ("KLGetStringFromPrincipal returned string '%s'\n", principalString); KLDisposeString (principalString); } KLDisposePrincipal (outPrincipal2); KLDisposeString (outCredCacheName2); err = KLCacheHasValidTickets (outPrincipal, kerberosVersion_All, &valid, NULL, NULL); if (err != klNoErr) { printf ("KLCacheHasValidTickets returned error = %d\n", err); } } err = KLCacheHasValidTickets (outPrincipal, kerberosVersion_All, &valid, NULL, NULL); KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } err = KLAcquireNewInitialTickets (NULL, NULL, &outPrincipal, &outCredCacheName); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet([email protected]) (err = %d)\n", err); if (err == klNoErr) { err = KLAcquireNewInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName); printf ("KLAcquireNewInitialTickets([email protected]) (err = %d)\n", err); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } err = KLDestroyTickets (inPrincipal); KLDisposePrincipal (inPrincipal); } err = KLCreatePrincipalFromTriplet ("nobody", "", "TEST-KERBEROS-1.3.1", &inPrincipal); printf ("KLCreatePrincipalFromTriplet([email protected]) (err = %d)\n", err); if (err == klNoErr) { err = KLAcquireInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName); printf ("KLAcquireInitialTickets([email protected]) (err = %d)\n", err); if (err == klNoErr) { KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } err = KLAcquireNewInitialTickets (inPrincipal, NULL, &outPrincipal, &outCredCacheName); if (err == klNoErr) { err = KLGetStringFromPrincipal (outPrincipal, kerberosVersion_V5, &principalString); if (err == klNoErr) { err = KLTicketExpirationTime (outPrincipal, kerberosVersion_All, &expirationTime); printf ("Tickets for principal '%s' expire on %s\n", principalString, TimeToString(timeString, expirationTime)); KLDisposeString (principalString); } KLDisposeString (outCredCacheName); KLDisposePrincipal (outPrincipal); } err = KLChangePassword (inPrincipal); printf ("KLChangePassword() (err = %d)\n", err); err = KLDestroyTickets (inPrincipal); printf ("KLDestroyTickets() (err = %d)\n", err); KLDisposePrincipal (inPrincipal); } }
/* Called to see if the user's typed password is valid. We do this by asking the kerberos server for a ticket and checking to see if it gave us one. We need to move the ticketfile first, or otherwise we end up updating the user's tkfile with new tickets. This would break services like zephyr that like to stay authenticated, and it would screw with AFS authentication at some sites. So, we do a quick, painful hack with a tmpfile. */ Bool kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p) { # ifdef HAVE_DARWIN return (klNoErr == KLAcquireNewInitialTicketsWithPassword (princ, NULL, typed_passwd, NULL)); # else /* !HAVE_DARWIN */ /* See comments in kerberos_lock_init -- should we do it the Mac Way on all systems? */ C_Block mitkey; Bool success; char *newtkfile; int fh = -1; /* temporarily switch to a new ticketfile. I'm not using tmpnam() because it isn't entirely portable. this could probably be fixed with autoconf. */ newtkfile = malloc(80 * sizeof(char)); memset(newtkfile, 0, sizeof(newtkfile)); sprintf(newtkfile, "/tmp/xscrn-%i.XXXXXX", getpid()); if( (fh = mkstemp(newtkfile)) < 0) { free(newtkfile); return(False); } if( fchmod(fh, 0600) < 0) { free(newtkfile); return(False); } krb_set_tkt_string(newtkfile); /* encrypt the typed password. if you have an AFS password instead of a kerberos one, you lose *right here*. If you want to use AFS passwords, you can use ka_StringToKey() instead. As always, ymmv. */ des_string_to_key(typed_passwd, mitkey); if (krb_get_in_tkt(name, inst, realm, "krbtgt", realm, DEFAULT_TKT_LIFE, key_to_key, NULL, (char *) mitkey) != 0) { success = False; } else { success = True; } /* quickly block out the tempfile and password to prevent snooping, then restore the old ticketfile and cleean up a bit. */ dest_tkt(); krb_set_tkt_string(tk_file); free(newtkfile); memset(mitkey, 0, sizeof(mitkey)); close(fh); /* #### tom: should the file be removed? */ /* Did we verify successfully? */ return success; # endif /* !HAVE_DARWIN */ }