PyObject *creds_change_password(krb5CredsObject *self, PyObject *args)
{
krb5_error_code ret;
char *newpw;
int result_code;
krb5_data result_code_string;
krb5_data result_string;
int error = 0;
if (!PyArg_ParseTuple(args, "s", &newpw))
return NULL;
// principal is set to NULL -> set_password uses the default principal in set case
ret = krb5_set_password(self->context, &self->creds, newpw, NULL, &result_code,
&result_code_string, &result_string);
if (ret) {
error = 1;
krb5_exception(NULL, ret);
goto out;
}
krb5_data_free(&result_code_string);
krb5_data_free(&result_string);
out:
if (error)
return NULL;
else {
Py_RETURN_NONE;
}
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_set_password_using_ccache(krb5_context context,
krb5_ccache ccache,
char *newpw,
krb5_principal targprinc,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
{
krb5_creds creds, *credsp;
krb5_error_code ret;
krb5_principal principal = NULL;
*result_code = KRB5_KPASSWD_MALFORMED;
result_code_string->data = result_string->data = NULL;
result_code_string->length = result_string->length = 0;
memset(&creds, 0, sizeof(creds));
if (targprinc == NULL) {
ret = krb5_cc_get_principal(context, ccache, &principal);
if (ret)
return ret;
} else
principal = targprinc;
ret = krb5_make_principal(context, &creds.server,
krb5_principal_get_realm(context, principal),
"kadmin", "changepw", NULL);
if (ret)
goto out;
ret = krb5_cc_get_principal(context, ccache, &creds.client);
if (ret) {
krb5_free_principal(context, creds.server);
goto out;
}
ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
krb5_free_principal(context, creds.server);
krb5_free_principal(context, creds.client);
if (ret)
goto out;
ret = krb5_set_password(context,
credsp,
newpw,
principal,
result_code,
result_code_string,
result_string);
krb5_free_creds(context, credsp);
return ret;
out:
if (targprinc == NULL)
krb5_free_principal(context, principal);
return ret;
}
mit_krb5_error_code KRB5_CALLCONV
krb5_change_password(mit_krb5_context context,
mit_krb5_creds *creds,
char *newpw,
int *result_code,
mit_krb5_data *result_code_string,
mit_krb5_data *result_string)
{
LOG_ENTRY();
return krb5_set_password(context, creds, newpw, NULL, result_code, result_code_string, result_string);
}
/*
* call-seq:
* set_password(new_password)
*
* Call krb5_set_password() to set the password for this credential to
* new_password.
*
* This method requires that the credential for kadmin/changepw@REALM has
* already been fetched using Krb5#get_init_creds_password or
* Krb5#get_init_creds_keytab.
*
* Returns true on success, raises Krb5Auth::Krb5::Exception on failure.
*--
* TODO: This method does not work at the moment.
*/
static VALUE Krb5_set_password(VALUE self, VALUE _newpass)
{
Check_Type(_newpass,T_STRING);
char *newpass = StringValueCStr(_newpass);
struct ruby_krb5 *kerb;
krb5_error_code krbret;
int pw_result;
krb5_data pw_res_string, res_string;
Data_Get_Struct(self, struct ruby_krb5, kerb);
if(!kerb){
NOSTRUCT_EXCEPT();
return Qfalse;
}
// TODO: get kadmin/changepw credentials here.
krbret = krb5_set_password(
kerb->ctx,
&kerb->creds,
newpass,
NULL,
&pw_result,
&pw_res_string,
&res_string
);
if(krbret){
Krb5_register_error(krbret);
return Qfalse;
}
if(pw_result){
Krb5_register_error(pw_result);
return Qfalse;
}
return Qtrue;
}
krb5_error_code KRB5_CALLCONV
krb5_set_password_using_ccache(krb5_context context,
krb5_ccache ccache,
char *newpw,
krb5_principal change_password_for,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string
)
{
krb5_creds creds;
krb5_creds *credsp;
krb5_error_code code;
/*
** get the proper creds for use with krb5_set_password -
*/
memset (&creds, 0, sizeof(creds));
/*
** first get the principal for the password service -
*/
code = krb5_cc_get_principal (context, ccache, &creds.client);
if (!code) {
code = krb5_build_principal(context, &creds.server,
change_password_for->realm.length,
change_password_for->realm.data,
"kadmin", "changepw", NULL);
if (!code) {
code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
if (!code) {
code = krb5_set_password(context, credsp, newpw, change_password_for,
result_code, result_code_string,
result_string);
krb5_free_creds(context, credsp);
}
}
krb5_free_cred_contents(context, &creds);
}
return code;
}
static krb5_error_code
change_pw(krb5_context context,
kcm_ccache ccache,
char *cpn,
char *newpw)
{
krb5_error_code ret;
krb5_creds cpw_cred;
int result_code;
krb5_data result_code_string;
krb5_data result_string;
krb5_get_init_creds_opt options;
memset(&cpw_cred, 0, sizeof(cpw_cred));
krb5_get_init_creds_opt_init(&options);
krb5_get_init_creds_opt_set_tkt_life(&options, 60);
krb5_get_init_creds_opt_set_forwardable(&options, FALSE);
krb5_get_init_creds_opt_set_proxiable(&options, FALSE);
krb5_data_zero(&result_code_string);
krb5_data_zero(&result_string);
ret = krb5_get_init_creds_keytab(context,
&cpw_cred,
ccache->client,
ccache->key.keytab,
0,
"kadmin/changepw",
&options);
if (ret) {
kcm_log(0, "Failed to acquire password change credentials "
"for principal %s: %s",
cpn, krb5_get_err_text(context, ret));
goto out;
}
ret = krb5_set_password(context,
&cpw_cred,
newpw,
ccache->client,
&result_code,
&result_code_string,
&result_string);
if (ret) {
kcm_log(0, "Failed to change password for principal %s: %s",
cpn, krb5_get_err_text(context, ret));
goto out;
}
if (result_code) {
kcm_log(0, "Failed to change password for principal %s: %.*s",
cpn,
(int)result_string.length,
result_string.length > 0 ? (char *)result_string.data : "");
goto out;
}
out:
krb5_data_free(&result_string);
krb5_data_free(&result_code_string);
krb5_free_cred_contents(context, &cpw_cred);
return ret;
}
static void
generate_requests (const char *filename, unsigned nreq)
{
krb5_context context;
krb5_error_code ret;
int i;
char **words;
unsigned nwords;
ret = krb5_init_context (&context);
if (ret)
errx (1, "krb5_init_context failed: %d", ret);
nwords = read_words (filename, &words);
for (i = 0; i < nreq; ++i) {
char *name = words[rand() % nwords];
krb5_get_init_creds_opt *opt;
krb5_creds cred;
krb5_principal principal;
int result_code;
krb5_data result_code_string, result_string;
char *old_pwd, *new_pwd;
int aret;
krb5_get_init_creds_opt_alloc (context, &opt);
krb5_get_init_creds_opt_set_tkt_life (opt, 300);
krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
ret = krb5_parse_name (context, name, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name %s", name);
aret = asprintf (&old_pwd, "%s", name);
if (aret == -1)
krb5_errx(context, 1, "out of memory");
aret = asprintf (&new_pwd, "%s2", name);
if (aret == -1)
krb5_errx(context, 1, "out of memory");
ret = krb5_get_init_creds_password (context,
&cred,
principal,
old_pwd,
nop_prompter,
NULL,
0,
"kadmin/changepw",
opt);
if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY
|| ret == KRB5KRB_AP_ERR_MODIFIED) {
char *tmp;
tmp = new_pwd;
new_pwd = old_pwd;
old_pwd = tmp;
ret = krb5_get_init_creds_password (context,
&cred,
principal,
old_pwd,
nop_prompter,
NULL,
0,
"kadmin/changepw",
opt);
}
if (ret)
krb5_err (context, 1, ret, "krb5_get_init_creds_password");
krb5_free_principal (context, principal);
ret = krb5_set_password (context,
&cred,
new_pwd,
NULL,
&result_code,
&result_code_string,
&result_string);
if (ret)
krb5_err (context, 1, ret, "krb5_change_password");
free (old_pwd);
free (new_pwd);
krb5_free_cred_contents (context, &cred);
krb5_get_init_creds_opt_free(context, opt);
}
}
OM_uint32
_gsskrb5_appl_change_password(OM_uint32 *minor_status,
gss_name_t name,
const char *oldpw,
const char *newpw)
{
krb5_data result_code_string, result_string;
krb5_get_init_creds_opt *opt = NULL;
krb5_context context;
krb5_principal principal = (krb5_principal)name;
krb5_creds kcred;
krb5_error_code ret;
int result_code;
GSSAPI_KRB5_INIT (&context);
memset(&kcred, 0, sizeof(kcred));
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret)
goto out;
krb5_get_init_creds_opt_set_tkt_life(opt, 300);
krb5_get_init_creds_opt_set_forwardable(opt, FALSE);
krb5_get_init_creds_opt_set_proxiable(opt, FALSE);
ret = krb5_get_init_creds_password(context,
&kcred,
principal,
oldpw,
NULL,
NULL,
0,
"kadmin/changepw",
opt);
if (ret)
goto out;
ret = krb5_set_password(context, &kcred, newpw, NULL,
&result_code, &result_code_string, &result_string);
if (ret)
goto out;
krb5_data_free(&result_string);
krb5_data_free(&result_code_string);
if (result_code) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
"Failed to change invalid password: %d", result_code);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
goto out;
}
out:
if (opt)
krb5_get_init_creds_opt_free(context, opt);
krb5_free_cred_contents(context, &kcred);
*minor_status = ret;
return ret ? GSS_S_FAILURE : GSS_S_COMPLETE;
}
static krb5_error_code
change_password (krb5_context context,
krb5_principal client,
const char *password,
char *newpw,
size_t newpw_sz,
krb5_prompter_fct prompter,
void *data,
krb5_get_init_creds_opt *old_options)
{
krb5_prompt prompts[2];
krb5_error_code ret;
krb5_creds cpw_cred;
char buf1[BUFSIZ], buf2[BUFSIZ];
krb5_data password_data[2];
int result_code;
krb5_data result_code_string;
krb5_data result_string;
char *p;
krb5_get_init_creds_opt *options;
memset (&cpw_cred, 0, sizeof(cpw_cred));
ret = krb5_get_init_creds_opt_alloc(context, &options);
if (ret)
return ret;
krb5_get_init_creds_opt_set_tkt_life (options, 60);
krb5_get_init_creds_opt_set_forwardable (options, FALSE);
krb5_get_init_creds_opt_set_proxiable (options, FALSE);
if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)
krb5_get_init_creds_opt_set_preauth_list (options,
old_options->preauth_list,
old_options->preauth_list_length);
krb5_data_zero (&result_code_string);
krb5_data_zero (&result_string);
ret = krb5_get_init_creds_password (context,
&cpw_cred,
client,
password,
prompter,
data,
0,
"kadmin/changepw",
options);
krb5_get_init_creds_opt_free(context, options);
if (ret)
goto out;
for(;;) {
password_data[0].data = buf1;
password_data[0].length = sizeof(buf1);
prompts[0].hidden = 1;
prompts[0].prompt = "New password: "******"Repeat new password: "******"Changing password",
2, prompts);
if (ret) {
memset (buf1, 0, sizeof(buf1));
memset (buf2, 0, sizeof(buf2));
goto out;
}
if (strcmp (buf1, buf2) == 0)
break;
memset (buf1, 0, sizeof(buf1));
memset (buf2, 0, sizeof(buf2));
}
ret = krb5_set_password (context,
&cpw_cred,
buf1,
client,
&result_code,
&result_code_string,
&result_string);
if (ret)
goto out;
asprintf (&p, "%s: %.*s\n",
result_code ? "Error" : "Success",
(int)result_string.length,
result_string.length > 0 ? (char*)result_string.data : "");
/* return the result */
(*prompter) (context, data, NULL, p, 0, NULL);
free (p);
if (result_code == 0) {
strlcpy (newpw, buf1, newpw_sz);
ret = 0;
} else {
ret = ENOTTY;
krb5_set_error_message(context, ret,
N_("failed changing password", ""));
}
out:
memset (buf1, 0, sizeof(buf1));
memset (buf2, 0, sizeof(buf2));
krb5_data_free (&result_string);
krb5_data_free (&result_code_string);
krb5_free_cred_contents (context, &cpw_cred);
return ret;
}
kim_error kim_identity_change_password_with_credential (kim_identity in_identity,
kim_credential in_credential,
kim_string in_new_password,
kim_ui_context *in_ui_context,
kim_error *out_rejected_err,
kim_string *out_rejected_message,
kim_string *out_rejected_description)
{
kim_error err = KIM_NO_ERROR;
krb5_creds *creds = NULL;
int rejected_err = 0;
krb5_data message_data;
krb5_data description_data;
if (!err && !in_identity ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_credential ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_new_password ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !in_ui_context ) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err && !out_rejected_err) { err = check_error (KIM_NULL_PARAMETER_ERR); }
if (!err) {
err = kim_credential_get_krb5_creds (in_credential,
in_identity->context,
&creds);
}
if (!err) {
if (krb5_principal_compare (in_identity->context,
in_identity->principal,
creds->client)) {
/* Same principal, change the password normally */
err = krb5_error (in_identity->context,
krb5_change_password (in_identity->context,
creds,
(char *) in_new_password,
&rejected_err,
&message_data,
&description_data));
} else {
/* Different principal, use set change password protocol */
err = krb5_error (in_identity->context,
krb5_set_password (in_identity->context,
creds,
(char *) in_new_password,
in_identity->principal,
&rejected_err,
&message_data,
&description_data));
}
}
if (!err && rejected_err) {
kim_string rejected_message = NULL;
kim_string rejected_description = NULL;
if (message_data.data && message_data.length > 0) {
err = kim_string_create_from_buffer (&rejected_message,
message_data.data,
message_data.length);
} else {
err = kim_os_string_create_localized (&rejected_message,
"Kerberos Change Password Failed:");
}
if (!err) {
if (description_data.data && description_data.length > 0) {
err = kim_string_create_from_buffer (&rejected_description,
description_data.data,
description_data.length);
} else {
err = kim_os_string_create_localized (&rejected_description,
"New password rejected.");
}
}
if (!err && in_ui_context->type != kim_ui_type_cli) {
char *c;
// replace all \n and \r characters with spaces
for (c = (char *) rejected_message; *c != '\0'; c++) {
if ((*c == '\n') || (*c == '\r')) { *c = ' '; }
}
for (c = (char *) rejected_description; *c != '\0'; c++) {
if ((*c == '\n') || (*c == '\r')) { *c = ' '; }
}
}
if (!err) {
if (out_rejected_message) {
*out_rejected_message = rejected_message;
rejected_message = NULL;
}
if (out_rejected_description) {
*out_rejected_description = rejected_description;
rejected_description = NULL;
}
}
kim_string_free (&rejected_message);
kim_string_free (&rejected_description);
krb5_free_data_contents (in_identity->context, &message_data);
krb5_free_data_contents (in_identity->context, &description_data);
}
if (!err) {
/* do this after reporting errors so we don't double report rejection */
*out_rejected_err = rejected_err;
}
if (creds) { krb5_free_creds (in_identity->context, creds); }
return check_error (err);
}
