int
main(int argc, char **argv)
{
krb5_context context;
krb5_ccache ccache;
krb5_principal p;
char *name;
char *pw;
if (argc != 2)
usage();
#ifdef HAVE_ALARM
alarm( TIMEOUT );
#endif
name = argv[1];
pw = read_pw(stdin);
if (!pw)
die("No proper password provided.");
if (!strcmp(name, "root"))
/* In this case, heimdal's su.c creates a principal for the
* current uid, but I don't quite understand why. */
die("Won't log in root.");
if (krb5_init_context (&context))
die("krb5_init_context failed.");
if (krb5_make_principal(context, &p, NULL, name, NULL))
die("krb5_make_principal failed.");
if (!krb5_kuserok(context, p, name))
die("krb5_kuserok doesn't know the user.");
if (krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache))
die("krb5_cc_gen_new failed.");
if (krb5_verify_user_lrealm(context, p, ccache, pw, TRUE, NULL))
die("krb5_verify_user_lrealm failed.");
/* Authentication successful. */
/* TODO: Keep the credential cache in some way. Perhaps write it to
* disk, and, write the file name used to stdout. */
return EXIT_SUCCESS;
}
static int
krb5_verify(struct passwd *pwd, const char *password)
{
krb5_error_code ret;
krb5_principal princ;
ret = krb5_parse_name(context, pwd->pw_name, &princ);
if(ret)
return 1;
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if(ret) {
krb5_free_principal(context, princ);
return 1;
}
ret = krb5_verify_user_lrealm(context,
princ,
id,
password,
1,
NULL);
krb5_free_principal(context, princ);
return ret;
}
int
krb5_login(char *username, char *invokinguser, char *password, int login,
int tickets)
{
int return_code = AUTH_FAILED;
if (username == NULL || password == NULL)
return (AUTH_FAILED);
if (strcmp(__progname, "krb5-or-pwd") == 0 &&
strcmp(username,"root") == 0 && invokinguser[0] == '\0')
return (AUTH_FAILED);
ret = krb5_init_context(&context);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret, "krb5_init_context");
exit(1);
}
ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret, "krb5_cc_gen_new");
exit(1);
}
if (strcmp(username, "root") == 0 && invokinguser[0] != '\0') {
char *tmp;
ret = asprintf(&tmp, "%s/root", invokinguser);
if (ret == -1) {
krb5_syslog(context, LOG_ERR, ret, "asprintf");
exit(1);
}
ret = krb5_parse_name(context, tmp, &princ);
free(tmp);
} else
ret = krb5_parse_name(context, username, &princ);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret, "krb5_parse_name");
exit(1);
}
ret = krb5_verify_user_lrealm(context, princ, ccache,
password, 1, NULL);
switch (ret) {
case 0: {
struct passwd *pwd;
pwd = getpwnam(username);
if (pwd == NULL) {
krb5_syslog(context, LOG_ERR, ret,
"%s: no such user", username);
return (AUTH_FAILED);
}
fprintf(back, BI_AUTH "\n");
store_tickets(pwd, login && tickets, login && tickets, login);
return_code = AUTH_OK;
break;
}
case KRB5KRB_AP_ERR_MODIFIED:
/* XXX syslog here? */
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
break;
default:
krb5_syslog(context, LOG_ERR, ret, "verify");
break;
}
krb5_free_context(context);
krb5_free_principal(context, princ);
krb5_cc_close(context, ccache);
return (return_code);
}
static int
verify_krb5(struct passwd *pwd,
char *password,
int32_t *exp,
int quiet)
{
krb5_context context;
krb5_error_code ret;
krb5_ccache ccache;
krb5_principal principal;
ret = krb5_init_context(&context);
if (ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_init_context failed: %d", ret);
goto out;
}
ret = krb5_parse_name (context, pwd->pw_name, &principal);
if (ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s",
krb5_get_err_text(context, ret));
goto out;
}
set_krb5ccname(pwd->pw_uid);
ret = krb5_cc_resolve(context, krb5ccname, &ccache);
if(ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s",
krb5_get_err_text(context, ret));
goto out;
}
ret = krb5_verify_user_lrealm(context,
principal,
ccache,
password,
TRUE,
NULL);
if(ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s",
krb5_get_err_text(context, ret));
goto out;
}
if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
syslog(LOG_AUTH|LOG_DEBUG, "chown: %s",
krb5_get_err_text(context, errno));
goto out;
}
#ifdef KRB4
{
krb5_realm realm = NULL;
krb5_boolean get_v4_tgt;
krb5_get_default_realm(context, &realm);
krb5_appdefault_boolean(context, "afskauthlib",
realm,
"krb4_get_tickets", FALSE, &get_v4_tgt);
if (get_v4_tgt) {
CREDENTIALS c;
krb5_creds mcred, cred;
krb5_cc_clear_mcred(&mcred);
krb5_make_principal(context, &mcred.server, realm,
"krbtgt",
realm,
NULL);
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
if(ret == 0) {
ret = krb524_convert_creds_kdc_ccache(context, ccache, &cred, &c);
if(ret)
krb5_warn(context, ret, "converting creds");
else {
set_krbtkfile(pwd->pw_uid);
tf_setup(&c, c.pname, c.pinst);
}
memset(&c, 0, sizeof(c));
krb5_free_cred_contents(context, &cred);
} else
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s",
krb5_get_err_text(context, ret));
krb5_free_principal(context, mcred.server);
}
free (realm);
if (!pag_set && k_hasafs()) {
k_setpag();
pag_set = 1;
}
if (pag_set)
krb5_afslog_uid_home(context, ccache, NULL, NULL,
pwd->pw_uid, pwd->pw_dir);
}
#endif
out:
if(ret && !quiet)
printf ("%s\n", krb5_get_err_text (context, ret));
return ret;
}
