static int
save_krb5_creds (int s,
krb5_auth_context auth_context,
krb5_principal client)
{
int ret;
krb5_data remote_cred;
krb5_data_zero (&remote_cred);
ret= krb5_read_message (context, (void *)&s, &remote_cred);
if (ret) {
krb5_data_free(&remote_cred);
return 0;
}
if (remote_cred.length == 0)
return 0;
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache);
if (ret) {
krb5_data_free(&remote_cred);
return 0;
}
krb5_cc_initialize(context,ccache,client);
ret = krb5_rd_cred2(context, auth_context, ccache, &remote_cred);
if(ret != 0)
syslog(LOG_INFO|LOG_AUTH,
"reading creds: %s", krb5_get_err_text(context, ret));
krb5_data_free (&remote_cred);
if (ret)
return 0;
return 1;
}
void ceo_krb5_auth(char *principal) {
krb5_error_code retval;
krb5_creds creds;
krb5_principal princ;
krb5_ccache cache;
krb5_get_init_creds_opt options;
krb5_get_init_creds_opt_init(&options);
memset(&creds, 0, sizeof(creds));
debug("krb5: getting TGT using keytab for %s", principal);
if ((retval = krb5_parse_name(context, principal, &princ)))
com_err(prog, retval, "while resolving user %s", principal);
if ((retval = krb5_cc_default(context, &cache)))
com_err(prog, retval, "while resolving credentials cache");
if ((retval = krb5_get_init_creds_keytab(context, &creds, princ, NULL, 0, NULL, &options)))
com_err(prog, retval, "while getting initial credentials");
if ((retval = krb5_cc_initialize(context, cache, princ)))
com_err(prog, retval, "while initializing credentials cache");
if ((retval = krb5_cc_store_cred(context, cache, &creds)))
com_err(prog, retval, "while storing credentials");
krb5_free_cred_contents(context, &creds);
krb5_free_principal(context, princ);
krb5_cc_close(context, cache);
}
static krb5_error_code
krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
krb5_ccache ccache, krb5_creds *in_creds,
krb5_creds **out_creds, int which)
{
krb5_error_code retval;
krb5_principal tmp;
krb5_creds **tgts = 0;
switch(which) {
case INT_GC_VALIDATE:
retval = krb5_get_cred_from_kdc_validate(context, ccache,
in_creds, out_creds, &tgts);
break;
case INT_GC_RENEW:
retval = krb5_get_cred_from_kdc_renew(context, ccache,
in_creds, out_creds, &tgts);
break;
default:
/* Should never happen */
retval = 255;
break;
}
if (retval) return retval;
if (tgts) krb5_free_tgt_creds(context, tgts);
retval = krb5_cc_get_principal(context, ccache, &tmp);
if (retval) return retval;
retval = krb5_cc_initialize(context, ccache, tmp);
if (retval) return retval;
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
}
/* Store the v5 TGT in $KRB5CCNAME. */
static int
sly_v5(krb5_context ctx, const char *v5ccname,
struct _pam_krb5_user_info *userinfo, struct _pam_krb5_stash *stash)
{
krb5_ccache ccache;
krb5_principal princ;
int i;
ccache = NULL;
i = krb5_cc_resolve(ctx, v5ccname, &ccache);
if (i == 0) {
princ = NULL;
if (krb5_cc_get_principal(ctx, ccache, &princ) == 0) {
if (krb5_principal_compare(ctx, princ,
userinfo->principal_name) == FALSE) {
krb5_free_principal(ctx, princ);
krb5_cc_close(ctx, ccache);
return PAM_SERVICE_ERR;
}
krb5_free_principal(ctx, princ);
}
i = krb5_cc_initialize(ctx, ccache, userinfo->principal_name);
if (i == 0) {
i = krb5_cc_store_cred(ctx, ccache, &stash->v5creds);
}
krb5_cc_close(ctx, ccache);
}
return PAM_SUCCESS;
}
void KRB5CCache::initialize(KRB5Principal &principal)
{
krb5_error_code ret = krb5_cc_initialize(g_context.get(), m_ccache, principal.get());
if (ret) {
throw KRB5Exception("krb5_cc_initialize", ret);
}
}
/*
* call-seq:
* cache([cache_name])
*
* Call krb5_cc_store_cred to store credentials in a cachefile. With no parameters, it stores the credentials in the default cachefile. With one parameter, it stores the credentials in the named cachefile. This requires that the credentials have already been fetched via Krb5.get_init_creds_password or Krb5.get_init_creds_keytab. Returns true on success, raises Krb5Auth::Krb5::Exception on failure.
*/
static VALUE Krb5_cache_creds(int argc, VALUE *argv, VALUE self)
{
VALUE cache_val;
struct ruby_krb5 *kerb;
krb5_error_code krbret;
char *cache_name;
krb5_ccache cc;
rb_scan_args(argc, argv, "01", &cache_val);
cache_name = get_string_or_nil(cache_val);
Data_Get_Struct(self, struct ruby_krb5, kerb);
if (!kerb) {
NOSTRUCT_EXCEPT();
return Qfalse;
}
if (!kerb->princ) {
// OK, it looks like they are trying to cache credentials that they don't
// yet have; just throw an exception so we don't segfault later
rb_raise(cKrb5_Exception, "%s", "Attempting to cache before obtaining credentials");
return Qfalse;
}
if (cache_name == NULL) {
krbret = krb5_cc_default(kerb->ctx, &cc);
}
else {
krbret = krb5_cc_resolve(kerb->ctx, cache_name, &cc);
}
if (krbret) {
goto fail_cache;
}
krbret = krb5_cc_initialize(kerb->ctx, cc, kerb->princ);
if (krbret) {
goto fail_free_cc;
}
krbret = krb5_cc_store_cred(kerb->ctx, cc, &kerb->creds);
if (krbret) {
goto fail_free_cc;
}
krb5_cc_close(kerb->ctx, cc);
return Qtrue;
fail_free_cc:
krb5_cc_close(kerb->ctx, cc);
fail_cache:
Krb5_register_error(krbret);
// we will never reach here, since Krb5_register_error will rb_raise(). just
// leave it to shut the compiler up
return Qfalse;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
krb5_cc_close(krb_context, ccache);
return;
}
static void
test_mcache(krb5_context context)
{
krb5_error_code ret;
krb5_ccache id, id2;
const char *nc, *tc;
char *c;
krb5_principal p, p2;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
nc = krb5_cc_get_name(context, id);
if (nc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
tc = krb5_cc_get_type(context, id);
if (tc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL)
errx(1, "malloc");
krb5_cc_close(context, id);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret == 0)
krb5_errx(context, 1, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
free(c);
}
static void
test_move(krb5_context context, const char *type)
{
const krb5_cc_ops *ops;
krb5_ccache fromid, toid;
krb5_error_code ret;
krb5_principal p, p2;
ops = krb5_cc_get_prefix_ops(context, type);
if (ops == NULL)
return;
ret = krb5_cc_new_unique(context, type, NULL, &fromid);
if (ret == KRB5_CC_NOSUPP)
return;
else if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_initialize(context, fromid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_new_unique(context, type, NULL, &toid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, toid, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, toid, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
krb5_cc_destroy(context, toid);
krb5_cc_destroy(context, fromid);
}
void ccache::setPrincipal(principal& me){
principal* pme=getPrincipal();
if(pme){
if(krb5_principal_compare(ctx(),(*pme)(),me()))
return;
}
kerror = krb5_cc_initialize(ctx(), _cc, me());
}
void ccache::store(creds& creds){
principal* pme=getPrincipal();
if(pme){
kerror = krb5_cc_initialize(ctx(), _cc, (*pme)());
if(kerror) return;
kerror = krb5_cc_store_cred(ctx(), _cc, creds());
}
}
uint32_t gpp_store_remote_creds(uint32_t *min, gssx_cred *creds)
{
krb5_context ctx = NULL;
krb5_ccache ccache = NULL;
krb5_creds cred;
krb5_error_code ret;
XDR xdrctx;
bool xdrok;
*min = 0;
if (creds == NULL) return GSS_S_CALL_INACCESSIBLE_READ;
memset(&cred, 0, sizeof(cred));
ret = krb5_init_context(&ctx);
if (ret) return ret;
ret = krb5_cc_default(ctx, &ccache);
if (ret) goto done;
ret = krb5_parse_name(ctx,
creds->desired_name.display_name.octet_string_val,
&cred.client);
if (ret) goto done;
ret = krb5_parse_name(ctx, GPKRB_SRV_NAME, &cred.server);
if (ret) goto done;
cred.ticket.data = malloc(GPKRB_MAX_CRED_SIZE);
xdrmem_create(&xdrctx, cred.ticket.data, GPKRB_MAX_CRED_SIZE, XDR_ENCODE);
xdrok = xdr_gssx_cred(&xdrctx, creds);
if (!xdrok) {
ret = ENOSPC;
goto done;
}
cred.ticket.length = xdr_getpos(&xdrctx);
ret = krb5_cc_store_cred(ctx, ccache, &cred);
if (ret == KRB5_FCC_NOFILE) {
/* If a ccache does not exit, try to create one */
ret = krb5_cc_initialize(ctx, ccache, cred.client);
if (ret) goto done;
/* and try again to store the cred */
ret = krb5_cc_store_cred(ctx, ccache, &cred);
}
done:
if (ctx) {
krb5_free_cred_contents(ctx, &cred);
if (ccache) krb5_cc_close(ctx, ccache);
krb5_free_context(ctx);
}
*min = ret;
return ret ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
int
v5::renewCredential(krb5_context kcontext, krb5_principal kprincipal, krb5_timestamp *tgtEndtime)
{
krb5_error_code retval;
krb5_creds my_creds;
krb5_ccache ccache;
krb5_get_init_creds_opt opts;
qDebug("renew called");
if (kprincipal == NULL)
{
qDebug("No principal name");
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
}
krb5_get_init_creds_opt_init(&opts);
if (getTgtFromCcache (kcontext, &my_creds))
{
qDebug("got tgt from ccache");
//setOptionsUsingCreds(kcontext, &my_creds, &opts);
*tgtEndtime = my_creds.times.endtime;
krb5_free_cred_contents(kcontext, &my_creds);
}
else
{
qDebug("TGT expired");
*tgtEndtime = 0;
}
retval = krb5_cc_default(kcontext, &ccache);
if (retval)
return retval;
retval = krb5_get_renewed_creds(kcontext, &my_creds, kprincipal, ccache,
NULL);
qDebug("krb5_get_renewed_creds returned: %d", retval);
if (retval)
goto out;
retval = krb5_cc_initialize(kcontext, ccache, kprincipal);
if (retval)
goto out;
retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (retval)
goto out;
*tgtEndtime = my_creds.times.endtime;
out:
krb5_free_cred_contents(kcontext, &my_creds);
krb5_cc_close (kcontext, ccache);
return retval;
}
/* Convert a JSON value to a ccache handle or to NULL. Set *new_out to true if
* the ccache handle is a newly created memory ccache, false otherwise. */
static int
json_to_ccache(krb5_context context, k5_json_value v, krb5_ccache *ccache_out,
krb5_boolean *new_out)
{
krb5_error_code ret;
krb5_ccache ccache = NULL;
krb5_principal princ;
krb5_creds creds;
k5_json_array array;
size_t i, len;
*ccache_out = NULL;
*new_out = FALSE;
if (k5_json_get_tid(v) == K5_JSON_TID_NULL)
return 0;
if (k5_json_get_tid(v) == K5_JSON_TID_STRING) {
/* We got a reference to an external ccache; just resolve it. */
return krb5_cc_resolve(context, k5_json_string_utf8(v), ccache_out) ?
-1 : 0;
}
/* We got the contents of a memory ccache. */
if (k5_json_get_tid(v) != K5_JSON_TID_ARRAY)
return -1;
array = v;
len = k5_json_array_length(array);
if (len < 1)
return -1;
/* Initialize a new memory ccache using the principal in the first array
* entry.*/
if (krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))
return -1;
if (json_to_principal(context, k5_json_array_get(array, 0), &princ))
goto invalid;
ret = krb5_cc_initialize(context, ccache, princ);
krb5_free_principal(context, princ);
if (ret)
goto invalid;
/* Add remaining array entries to the ccache as credentials. */
for (i = 1; i < len; i++) {
if (json_to_creds(context, k5_json_array_get(array, 1), &creds))
goto invalid;
ret = krb5_cc_store_cred(context, ccache, &creds);
krb5_free_cred_contents(context, &creds);
if (ret)
goto invalid;
}
*ccache_out = ccache;
*new_out = TRUE;
return 0;
invalid:
(void)krb5_cc_destroy(context, ccache);
return -1;
}
/*
* The default unset code path depends on the underlying ccache implementation
* knowing how to remove a credential, which most types don't actually support,
* so we have to jump through some hoops to ensure that when we set a value for
* a key, it'll be the only value for that key that'll be found later. The
* ccache portions of libkrb5 will currently duplicate some of the actual
* tickets.
*/
static void
unset_config(krb5_context context, krb5_ccache ccache,
krb5_principal server, const char *key)
{
krb5_ccache tmp1, tmp2;
krb5_cc_cursor cursor;
krb5_creds mcreds, creds;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
bail_on_err(context, "Error while deriving configuration principal names",
k5_build_conf_principals(context, ccache, server, key,
&mcreds));
bail_on_err(context, "Error resolving first in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
bail_on_err(context, "Error initializing first in-memory ccache",
krb5_cc_initialize(context, tmp1, mcreds.client));
bail_on_err(context, "Error resolving second in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2));
bail_on_err(context, "Error initializing second in-memory ccache",
krb5_cc_initialize(context, tmp2, mcreds.client));
bail_on_err(context, "Error copying credentials to first in-memory ccache",
krb5_cc_copy_creds(context, ccache, tmp1));
bail_on_err(context, "Error starting traversal of first in-memory ccache",
krb5_cc_start_seq_get(context, tmp1, &cursor));
while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) {
if (!krb5_is_config_principal(context, creds.server) ||
!krb5_principal_compare(context, mcreds.server, creds.server) ||
!krb5_principal_compare(context, mcreds.client, creds.client)) {
bail_on_err(context,
"Error storing non-config item to in-memory ccache",
krb5_cc_store_cred(context, tmp2, &creds));
}
}
bail_on_err(context, "Error ending traversal of first in-memory ccache",
krb5_cc_end_seq_get(context, tmp1, &cursor));
bail_on_err(context, "Error clearing ccache",
krb5_cc_initialize(context, ccache, mcreds.client));
bail_on_err(context, "Error storing creds to the ccache",
krb5_cc_copy_creds(context, tmp2, ccache));
bail_on_err(context, "Error cleaning up first in-memory ccache",
krb5_cc_destroy(context, tmp1));
bail_on_err(context, "Error cleaning up second in-memory ccache",
krb5_cc_destroy(context, tmp2));
}
int init_krb5_cc(){
krb5_ccache cc = NULL;
krb5_context ctx;
krb5_error_code err;
krb5_principal princ;
krb5_creds creds;
char name[64];
char *pass;
err = krb5_init_context(&ctx);
if (err) {
printf("krb5_init_context: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
printf("Username: "******"%s", name);
err = krb5_parse_name(ctx, name, &princ);
if (err) {
printf("krb5_parse_name: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
err = krb5_cc_default(ctx, &cc);
if (err) {
printf("krb5_cc_default: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
err = krb5_cc_initialize(ctx, cc, princ);
if (err) {
printf("krb5_cc_initialize: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
pass = getpass("Password: "******"krb5_get_init_creds_password: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
err = krb5_cc_store_cred(ctx, cc, &creds);
if (err) {
printf("krb5_cc_store_cred: %d: %s\n", err,
krb5_get_error_message(ctx, err));
return -1;
}
return 0;
}
static void
get_creds(krb5_context context, const char *keytab_str,
krb5_ccache *cache, const char *serverhost)
{
krb5_keytab keytab;
krb5_principal client;
krb5_error_code ret;
krb5_get_init_creds_opt *init_opts;
krb5_creds creds;
char *server;
char keytab_buf[256];
int aret;
if (keytab_str == NULL) {
ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
if (ret)
krb5_err (context, 1, ret, "krb5_kt_default_name");
keytab_str = keytab_buf;
}
ret = krb5_kt_resolve(context, keytab_str, &keytab);
if(ret)
krb5_err(context, 1, ret, "%s", keytab_str);
ret = krb5_sname_to_principal (context, slave_str, IPROP_NAME,
KRB5_NT_SRV_HST, &client);
if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal");
ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
aret = asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
if (aret == -1 || server == NULL)
krb5_errx (context, 1, "malloc: no memory");
ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
0, server, init_opts);
free (server);
krb5_get_init_creds_opt_free(context, init_opts);
if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
ret = krb5_kt_close(context, keytab);
if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, cache);
if(ret) krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, *cache, client);
if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred(context, *cache, &creds);
if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents(context, &creds);
krb5_free_principal(context, client);
}
/*
* Serialize krb5_ccache
*/
static krb5_error_code
ser_ccache_test(krb5_context kcontext, int verbose)
{
krb5_error_code kret;
char ccname[128];
char princname[256];
krb5_ccache ccache;
krb5_principal principal;
snprintf(ccname, sizeof(ccname), "temp_cc_%d", (int) getpid());
snprintf(princname, sizeof(princname),
"zowie%d/instance%[email protected]",
(int) getpid(), (int) getpid());
if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
!(kret = ser_data(verbose, "> Resolved default ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_parse_name(kcontext, princname, &principal)) &&
!(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
!(kret = ser_data(verbose, "> Initialized default ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_cc_destroy(kcontext, ccache))) {
krb5_free_principal(kcontext, principal);
snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid());
snprintf(princname, sizeof(princname), "xxx%d/i%[email protected]",
(int) getpid(), (int) getpid());
if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
!(kret = ser_data(verbose, "> Resolved FILE ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_parse_name(kcontext, princname, &principal)) &&
!(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
!(kret = ser_data(verbose, "> Initialized FILE ccache",
(krb5_pointer) ccache, KV5M_CCACHE)) &&
!(kret = krb5_cc_destroy(kcontext, ccache))) {
krb5_free_principal(kcontext, principal);
if (verbose)
printf("* ccache test succeeded\n");
}
}
if (kret)
printf("* krb5_ccache test failed\n");
return(kret);
}
/* simulate a kinit, putting the tgt in the default cache location [email protected] */ int kerberos_kinit_password(const char *principal, const char *password, int time_offset) { krb5_context ctx; krb5_error_code code = 0; krb5_ccache cc; krb5_principal me; krb5_creds my_creds; if ((code = krb5_init_context(&ctx))) return code; if (time_offset != 0) { krb5_set_real_time(ctx, time(NULL) + time_offset, 0); } if ((code = krb5_cc_default(ctx, &cc))) { krb5_free_context(ctx); return code; } if ((code = krb5_parse_name(ctx, principal, &me))) { krb5_free_context(ctx); return code; } if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, NULL, kerb_prompter, password, 0, NULL, NULL))) { krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } if ((code = krb5_cc_initialize(ctx, cc, me))) { krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) { krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); return code; } krb5_cc_close(ctx, cc); krb5_free_cred_contents(ctx, &my_creds); krb5_free_principal(ctx, me); krb5_free_context(ctx); return 0; }
void Krb5CredentialsCacheManager::writeOutCache(size_t limit) {
auto cc_mem = getCache();
if (cc_mem == nullptr) {
throw std::runtime_error("Trying to persist an empty cache");
}
// Get a default file cache and empty it out
Krb5CCache file_cache = Krb5CCache::makeDefault(ctx_.get());
Krb5Principal client = cc_mem->getClientPrincipal();
krb5_error_code code = krb5_cc_initialize(
ctx_.get(), file_cache.get(), client.get());
raiseIf(code, "Failed initializing file credentials cache");
// Put 'limit' number of most frequently used credentials into the
// top_services set.
vector<pair<string, uint64_t>> count_vector;
ReadLock readLock(&serviceCountLock_);
for (auto& element : serviceCountMap_) {
count_vector.push_back(pair<string, uint64_t>(
element.first, element.second->getCount()));
}
readLock.reset();
sort(count_vector.begin(), count_vector.end(), serviceCountCompare);
std::set<string> top_services;
int count = 0;
for (auto& element : count_vector) {
if (count >= limit) {
break;
}
top_services.insert(element.first);
count++;
}
// Iterate through the cc
for (auto it = cc_mem->begin(true); it != cc_mem->end(); ++it) {
krb5_principal borrowed_server = it->server;
Krb5Principal server(ctx_.get(), std::move(borrowed_server));
const string princ_string = folly::to<string>(server);
SCOPE_EXIT { server.release(); }; // give back borrowed_server
// Always persist config and tgt principals. And only persist
// top 'limit' services.
if (!it.isConfigEntry() && !server.isTgt() &&
top_services.count(princ_string) == 0) {
continue;
}
// Store the cred into a file
code = krb5_cc_store_cred(ctx_.get(), file_cache.get(), &(*it));
// Erase from top_services struct so we don't persist the same
// principal more than once.
top_services.erase(princ_string);
raiseIf(code, "Failed storing a credential into a file");
}
}
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
char svrnam[MAILTMPLEN],cltnam[MAILTMPLEN];
krb5_context ctx;
krb5_timestamp now;
krb5_principal service;
krb5_ccache ccache;
krb5_error_code code;
krb5_creds *crd = (krb5_creds *) memset (fs_get (sizeof (krb5_creds)),0,
sizeof (krb5_creds));
struct passwd *ret = NIL;
if (*pass) { /* only if password non-empty */
/* make service name */
sprintf (svrnam,"%.80s@%.512s",
(char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
tcp_serverhost ());
/* make client name with principal */
sprintf (cltnam,"%.80s/%.80s",pw->pw_name,
(char *) mail_parameters (NIL,GET_SERVICENAME,NIL));
/* get a context */
if (!krb5_init_context (&ctx)) {
/* get time, client and server principals */
if (!krb5_timeofday (ctx,&now) &&
/* Normally, kerb_cp_svr_name (defined/set in env_unix.c) is NIL, so
* only the user name is used as a client principal. A few sites want
* to have separate client principals for different services, but many
* other sites vehemently object...
*/
!krb5_parse_name (ctx,kerb_cp_svr_name ? cltnam : pw->pw_name,
&crd->client) &&
!krb5_parse_name (ctx,svrnam,&service) &&
!krb5_build_principal_ext(ctx,&crd->server,
krb5_princ_realm (ctx,crd->client)->length,
krb5_princ_realm (ctx,crd->client)->data,
KRB5_TGS_NAME_SIZE,KRB5_TGS_NAME,
krb5_princ_realm (ctx,crd->client)->length,
krb5_princ_realm (ctx,crd->client)->data,
0)) {
/* expire in 3 minutes */
crd->times.endtime = now + (3 * 60);
if (krb5_cc_resolve (ctx,"MEMORY:pwk",&ccache) ||
krb5_cc_initialize (ctx,ccache,crd->client)) ccache = 0;
if (!krb5_get_in_tkt_with_password (ctx,NIL,NIL,NIL,NIL,pass,ccache,
crd,0) &&
!krb5_verify_init_creds (ctx,crd,service,0,ccache ? &ccache : 0,0))
ret = pw;
krb5_free_creds (ctx,crd);/* flush creds and service principal */
krb5_free_principal (ctx,service);
}
krb5_free_context (ctx); /* don't need context any more */
}
}
return ret;
}
static gss_client_response *create_krb5_ccache(gss_server_state *state, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
{
char *ccname = NULL;
int fd;
krb5_error_code problem;
krb5_ccache tmp_ccache = NULL;
gss_client_response *error = NULL;
// TODO: mod_auth_kerb used a temp file under /run/httpd/krbcache. what can we do?
ccname = strdup("FILE:/tmp/krb5cc_nodekerberos_XXXXXX");
if (!ccname) die1("Memory allocation failed");
fd = mkstemp(ccname + strlen("FILE:"));
if (fd < 0) {
error = other_error("mkstemp() failed: %s", strerror(errno));
goto end;
}
close(fd);
problem = krb5_cc_resolve(kcontext, ccname, &tmp_ccache);
if (problem) {
error = krb5_ctx_error(kcontext, problem);
goto end;
}
problem = krb5_cc_initialize(kcontext, tmp_ccache, princ);
if (problem) {
error = krb5_ctx_error(kcontext, problem);
goto end;
}
state->delegated_credentials_cache = strdup(ccname);
// TODO: how/when to cleanup the creds cache file?
// TODO: how to expose the credentials expiration time?
*ccache = tmp_ccache;
tmp_ccache = NULL;
end:
if (tmp_ccache)
krb5_cc_destroy(kcontext, tmp_ccache);
if (ccname && error)
unlink(ccname);
if (ccname)
free(ccname);
return error;
}
static PyObject *
k5_get_init_creds_keytab(PyObject *self, PyObject *args)
{
char *name, *ktname;
krb5_context ctx;
krb5_error_code code;
krb5_keytab keytab;
krb5_ccache ccache;
krb5_principal principal;
krb5_get_init_creds_opt options;
krb5_creds creds;
if (!PyArg_ParseTuple(args, "sz", &name, &ktname))
return NULL;
/* Initialize parameters. */
code = krb5_init_context(&ctx);
RETURN_ON_ERROR("krb5_init_context()", code);
code = krb5_parse_name(ctx, name, &principal);
RETURN_ON_ERROR("krb5_parse_name()", code);
krb5_get_init_creds_opt_init(&options);
memset(&creds, 0, sizeof (creds));
/* Resolve keytab */
if (ktname)
{
code = krb5_kt_resolve(ctx, ktname, &keytab);
RETURN_ON_ERROR("krb5_kt_resolve()", code);
} else
{
code = krb5_kt_default(ctx, &keytab);
RETURN_ON_ERROR("krb5_kt_resolve()", code);
}
/* Get the credentials. */
code = krb5_get_init_creds_keytab(ctx, &creds, principal,
keytab, 0, NULL, &options);
RETURN_ON_ERROR("krb5_get_init_creds_keytab()", code);
/* Store the credential in the credential cache. */
code = krb5_cc_default(ctx, &ccache);
RETURN_ON_ERROR("krb5_cc_default()", code);
code = krb5_cc_initialize(ctx, ccache, principal);
RETURN_ON_ERROR("krb5_cc_initialize()", code);
code = krb5_cc_store_cred(ctx, ccache, &creds);
RETURN_ON_ERROR("krb5_cc_store_creds()", code);
krb5_cc_close(ctx, ccache);
Py_INCREF(Py_None);
return Py_None;
}
static void
put_creds_in_ccache(char *name, gss_cred_id_t creds)
{
OM_uint32 maj_stat, min_stat;
krb5_context context;
krb5_principal me;
krb5_ccache ccache;
krb5_error_code retval;
char buf[1024];
maj_stat = krb5_init_context(&context);
if (maj_stat != GSS_S_COMPLETE) {
gsslib_display_status(MSG_GSS_PRINTERROR_GETTINGKRB5CONTEXT, maj_stat,
GSS_S_COMPLETE);
return;
}
/* Set up ccache */
if ((retval = krb5_parse_name(context, name, &me))) {
snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5PARSENAMERETURNEDX_I, retval);
gsslib_print_error(buf);
return;
}
/* Use default ccache */
if ((retval = krb5_cc_default(context, &ccache))) {
snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5CCDEFAULTRETURNEDX_I, retval);
gsslib_print_error(buf);
return;
}
if ((retval = krb5_cc_initialize(context, ccache, me))) {
snprintf(buf, sizeof buf, MSG_GSS_PRINTERROR_KRB5CCINITIALIZERETURNEDX_I, retval);
gsslib_print_error(buf);
return;
}
/* Copy GSS creds into ccache */
maj_stat = gss_krb5_copy_ccache(&min_stat, creds, ccache);
if (maj_stat != GSS_S_COMPLETE) {
gsslib_display_status(MSG_GSS_PRINTERROR_COPYINGDELEGATEDCREDSTOCC,
maj_stat, min_stat);
goto cleanup;
}
return;
cleanup:
krb5_cc_destroy(context, ccache);
}
static int mod_authn_gssapi_create_krb5_ccache(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_principal princ, krb5_ccache *ccache)
{
buffer * const kccname = buffer_init_string("FILE:/tmp/krb5cc_gssapi_XXXXXX");
char * const ccname = kccname->ptr + sizeof("FILE:")-1;
const size_t ccnamelen = buffer_string_length(kccname)-(sizeof("FILE:")-1);
/*(future: might consider using server.upload-dirs instead of /tmp)*/
/* coverity[secure_temp : FALSE] */
int fd = mkstemp(ccname);
if (fd < 0) {
log_error_write(srv, __FILE__, __LINE__, "ss", "mkstemp():", strerror(errno));
buffer_free(kccname);
return -1;
}
close(fd);
do {
krb5_error_code problem;
problem = krb5_cc_resolve(kcontext, kccname->ptr, ccache);
if (problem) {
mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_resolve", NULL, kcontext, problem);
break;
}
problem = krb5_cc_initialize(kcontext, *ccache, princ);
if (problem) {
mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_initialize", kccname->ptr, kcontext, problem);
break;
}
con->plugin_ctx[p->id] = kccname;
array_set_key_value(con->environment, CONST_STR_LEN("KRB5CCNAME"), ccname, ccnamelen);
array_set_key_value(con->request.headers, CONST_STR_LEN("X-Forwarded-Keytab"), ccname, ccnamelen);
return 0;
} while (0);
if (*ccache) {
krb5_cc_destroy(kcontext, *ccache);
*ccache = NULL;
}
unlink(ccname);
buffer_free(kccname);
return -1;
}
static krb5_error_code
verify_common (krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_keytab keytab,
krb5_boolean secure,
const char *service,
krb5_creds cred)
{
krb5_error_code ret;
krb5_principal server;
krb5_verify_init_creds_opt vopt;
krb5_ccache id;
ret = krb5_sname_to_principal (context, NULL, service, KRB5_NT_SRV_HST,
&server);
if(ret)
return ret;
krb5_verify_init_creds_opt_init(&vopt);
krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, secure);
ret = krb5_verify_init_creds(context,
&cred,
server,
keytab,
NULL,
&vopt);
krb5_free_principal(context, server);
if(ret)
return ret;
if(ccache == NULL)
ret = krb5_cc_default (context, &id);
else
id = ccache;
if(ret == 0){
ret = krb5_cc_initialize(context, id, principal);
if(ret == 0){
ret = krb5_cc_store_cred(context, id, &cred);
}
if(ccache == NULL)
krb5_cc_close(context, id);
}
krb5_free_cred_contents(context, &cred);
return ret;
}
static void
test_fcache_remove(krb5_context context)
{
krb5_error_code ret;
krb5_ccache id;
krb5_principal p;
krb5_creds cred;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
/* */
memset(&cred, 0, sizeof(cred));
ret = krb5_parse_name(context, "krbtgt/[email protected]", &cred.server);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_parse_name(context, "*****@*****.**", &cred.client);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_store_cred(context, id, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_store_cred");
ret = krb5_cc_remove_cred(context, id, 0, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_remove_cred");
ret = krb5_cc_destroy(context, id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_destroy");
krb5_free_principal(context, p);
krb5_free_principal(context, cred.server);
krb5_free_principal(context, cred.client);
}
static void
get_creds(krb5_context context, krb5_ccache *cache)
{
krb5_keytab keytab;
krb5_principal client;
krb5_error_code ret;
krb5_get_init_creds_opt *init_opts;
krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP;
krb5_creds creds;
ret = krb5_kt_register(context, &hdb_kt_ops);
if(ret) krb5_err(context, 1, ret, "krb5_kt_register");
ret = krb5_kt_resolve(context, ktname, &keytab);
if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve");
ret = krb5_make_principal(context, &client, NULL,
"kadmin", HPROP_NAME, NULL);
if(ret) krb5_err(context, 1, ret, "krb5_make_principal");
ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_preauth_list(init_opts, &preauth, 1);
ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, init_opts);
if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds");
krb5_get_init_creds_opt_free(context, init_opts);
ret = krb5_kt_close(context, keytab);
if(ret) krb5_err(context, 1, ret, "krb5_kt_close");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, cache);
if(ret) krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, *cache, client);
if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize");
krb5_free_principal(context, client);
ret = krb5_cc_store_cred(context, *cache, &creds);
if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents(context, &creds);
}
int
v5::initCredential(krb5_context kcontext, krb5_principal kprincipal,
krb5_get_init_creds_opt *opts, const QString& password,
krb5_timestamp *tgtEndtime)
{
krb5_error_code retval;
krb5_creds my_creds;
krb5_ccache ccache;
qDebug("call initCredential");
retval = krb5_get_init_creds_password(kcontext, &my_creds, kprincipal,
password.toUtf8().data(), NULL, NULL,
0, NULL, opts);
if (retval)
{
return retval;
}
retval = krb5_cc_default(kcontext, &ccache);
if (retval)
{
goto out;
}
retval = krb5_cc_initialize(kcontext, ccache, kprincipal);
if (retval)
goto out;
retval = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (retval)
goto out;
*tgtEndtime = my_creds.times.endtime;
out:
krb5_free_cred_contents (kcontext, &my_creds);
krb5_cc_close (kcontext, ccache);
return retval;
}
static void
test_init_vs_destroy(krb5_context context, const char *type)
{
krb5_error_code ret;
krb5_ccache id, id2;
krb5_principal p, p2;
char *n = NULL;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, type, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
if (asprintf(&n, "%s:%s",
krb5_cc_get_type(context, id),
krb5_cc_get_name(context, id)) < 0 || n == NULL)
errx(1, "malloc");
ret = krb5_cc_resolve(context, n, &id2);
free(n);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
krb5_cc_destroy(context, id);
ret = krb5_cc_initialize(context, id2, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
