int main(int argc, char **argv) { krb5_context context; krb5_ccache ccache; krb5_principal p; char *name; char *pw; if (argc != 2) usage(); #ifdef HAVE_ALARM alarm( TIMEOUT ); #endif name = argv[1]; pw = read_pw(stdin); if (!pw) die("No proper password provided."); if (!strcmp(name, "root")) /* In this case, heimdal's su.c creates a principal for the * current uid, but I don't quite understand why. */ die("Won't log in root."); if (krb5_init_context (&context)) die("krb5_init_context failed."); if (krb5_make_principal(context, &p, NULL, name, NULL)) die("krb5_make_principal failed."); if (!krb5_kuserok(context, p, name)) die("krb5_kuserok doesn't know the user."); if (krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache)) die("krb5_cc_gen_new failed."); if (krb5_verify_user_lrealm(context, p, ccache, pw, TRUE, NULL)) die("krb5_verify_user_lrealm failed."); /* Authentication successful. */ /* TODO: Keep the credential cache in some way. Perhaps write it to * disk, and, write the file name used to stdout. */ return EXIT_SUCCESS; }
static int krb5_verify(struct passwd *pwd, const char *password) { krb5_error_code ret; krb5_principal princ; ret = krb5_parse_name(context, pwd->pw_name, &princ); if(ret) return 1; ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id); if(ret) { krb5_free_principal(context, princ); return 1; } ret = krb5_verify_user_lrealm(context, princ, id, password, 1, NULL); krb5_free_principal(context, princ); return ret; }
int krb5_login(char *username, char *invokinguser, char *password, int login, int tickets) { int return_code = AUTH_FAILED; if (username == NULL || password == NULL) return (AUTH_FAILED); if (strcmp(__progname, "krb5-or-pwd") == 0 && strcmp(username,"root") == 0 && invokinguser[0] == '\0') return (AUTH_FAILED); ret = krb5_init_context(&context); if (ret != 0) { krb5_syslog(context, LOG_ERR, ret, "krb5_init_context"); exit(1); } ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); if (ret != 0) { krb5_syslog(context, LOG_ERR, ret, "krb5_cc_gen_new"); exit(1); } if (strcmp(username, "root") == 0 && invokinguser[0] != '\0') { char *tmp; ret = asprintf(&tmp, "%s/root", invokinguser); if (ret == -1) { krb5_syslog(context, LOG_ERR, ret, "asprintf"); exit(1); } ret = krb5_parse_name(context, tmp, &princ); free(tmp); } else ret = krb5_parse_name(context, username, &princ); if (ret != 0) { krb5_syslog(context, LOG_ERR, ret, "krb5_parse_name"); exit(1); } ret = krb5_verify_user_lrealm(context, princ, ccache, password, 1, NULL); switch (ret) { case 0: { struct passwd *pwd; pwd = getpwnam(username); if (pwd == NULL) { krb5_syslog(context, LOG_ERR, ret, "%s: no such user", username); return (AUTH_FAILED); } fprintf(back, BI_AUTH "\n"); store_tickets(pwd, login && tickets, login && tickets, login); return_code = AUTH_OK; break; } case KRB5KRB_AP_ERR_MODIFIED: /* XXX syslog here? */ case KRB5KRB_AP_ERR_BAD_INTEGRITY: break; default: krb5_syslog(context, LOG_ERR, ret, "verify"); break; } krb5_free_context(context); krb5_free_principal(context, princ); krb5_cc_close(context, ccache); return (return_code); }
static int verify_krb5(struct passwd *pwd, char *password, int32_t *exp, int quiet) { krb5_context context; krb5_error_code ret; krb5_ccache ccache; krb5_principal principal; ret = krb5_init_context(&context); if (ret) { syslog(LOG_AUTH|LOG_DEBUG, "krb5_init_context failed: %d", ret); goto out; } ret = krb5_parse_name (context, pwd->pw_name, &principal); if (ret) { syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s", krb5_get_err_text(context, ret)); goto out; } set_krb5ccname(pwd->pw_uid); ret = krb5_cc_resolve(context, krb5ccname, &ccache); if(ret) { syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", krb5_get_err_text(context, ret)); goto out; } ret = krb5_verify_user_lrealm(context, principal, ccache, password, TRUE, NULL); if(ret) { syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", krb5_get_err_text(context, ret)); goto out; } if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) { syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", krb5_get_err_text(context, errno)); goto out; } #ifdef KRB4 { krb5_realm realm = NULL; krb5_boolean get_v4_tgt; krb5_get_default_realm(context, &realm); krb5_appdefault_boolean(context, "afskauthlib", realm, "krb4_get_tickets", FALSE, &get_v4_tgt); if (get_v4_tgt) { CREDENTIALS c; krb5_creds mcred, cred; krb5_cc_clear_mcred(&mcred); krb5_make_principal(context, &mcred.server, realm, "krbtgt", realm, NULL); ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); if(ret == 0) { ret = krb524_convert_creds_kdc_ccache(context, ccache, &cred, &c); if(ret) krb5_warn(context, ret, "converting creds"); else { set_krbtkfile(pwd->pw_uid); tf_setup(&c, c.pname, c.pinst); } memset(&c, 0, sizeof(c)); krb5_free_cred_contents(context, &cred); } else syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", krb5_get_err_text(context, ret)); krb5_free_principal(context, mcred.server); } free (realm); if (!pag_set && k_hasafs()) { k_setpag(); pag_set = 1; } if (pag_set) krb5_afslog_uid_home(context, ccache, NULL, NULL, pwd->pw_uid, pwd->pw_dir); } #endif out: if(ret && !quiet) printf ("%s\n", krb5_get_err_text (context, ret)); return ret; }