OM_uint32 gssi_store_cred(OM_uint32 *minor_status, const gss_cred_id_t input_cred_handle, gss_cred_usage_t input_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored) { struct gpp_cred_handle *cred = NULL; OM_uint32 maj, min; GSSI_TRACE(); *minor_status = 0; if (input_cred_handle == GSS_C_NO_CREDENTIAL) { return GSS_S_CALL_INACCESSIBLE_READ; } cred = (struct gpp_cred_handle *)input_cred_handle; if (cred->remote) { maj = gpp_store_remote_creds(&min, cred->remote); goto done; } maj = gss_store_cred(&min, cred->local, input_usage, gpp_special_mech(desired_mech), overwrite_cred, default_cred, elements_stored, cred_usage_stored); done: *minor_status = gpp_map_error(min); return maj; }
int gssapi_session(void *app_data, char *username) { struct gssapi_data *data = app_data; OM_uint32 major, minor; int ret = 0; if (data->delegated_cred_handle != GSS_C_NO_CREDENTIAL) { major = gss_store_cred(&minor, data->delegated_cred_handle, GSS_C_INITIATE, GSS_C_NO_OID, 1, 1, NULL, NULL); if (GSS_ERROR(major)) ret = 1; afslog(NULL, 1); } gss_release_cred(&minor, &data->delegated_cred_handle); return ret; }
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { int status; OM_uint32 major, minor; gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; gss_OID mech = GSS_C_NO_OID; if (flags && (flags & PAM_ESTABLISH_CRED) == 0) return PAM_SUCCESS; status = pam_get_data(pamh, GSS_CRED_DATA, (const void **)&cred); BAIL_ON_PAM_ERROR(status); status = pam_get_data(pamh, GSS_MECH_DATA, (const void **)&mech); BAIL_ON_PAM_ERROR(status); major = gss_store_cred(&minor, cred, GSS_C_INITIATE, mech, 1, 1, NULL, NULL); BAIL_ON_GSS_ERROR(major, minor); cleanup: return status; }
int main(int argc, char **argv) { OM_uint32 major, minor; gss_cred_id_t from_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t to_cred = GSS_C_NO_CREDENTIAL; gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; char *from_env; char *to_env; int optidx = 0; setprogname(argv[0]); if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) usage (0); if (version_flag){ print_version(NULL); exit(0); } argc -= optidx; argv += optidx; if (argc < 2) errx(1, "required arguments missing"); if (argc > 2) errx(1, "too many arguments"); if (asprintf(&from_env, "KRB5CCNAME=%s", argv[0]) == -1 || from_env == NULL) err(1, "out of memory"); if (asprintf(&to_env, "KRB5CCNAME=%s", argv[1]) == -1 || to_env == NULL) err(1, "out of memory"); putenv(from_env); major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, GSS_KRB5_MECHANISM, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, &from_cred, NULL, NULL, NULL); if (major != GSS_S_COMPLETE) gss_err(1, major, minor, GSS_KRB5_MECHANISM, "failed to acquire creds from %s", argv[0]); putenv(to_env); major = gss_store_cred(&minor, from_cred, GSS_C_INITIATE, GSS_KRB5_MECHANISM, 1, 1, NULL, NULL); if (major != GSS_S_COMPLETE) gss_err(1, major, minor, GSS_KRB5_MECHANISM, "failed to store creds into %s", argv[1]); (void) gss_release_cred(&minor, &from_cred); (void) gss_release_cred(&minor, &to_cred); major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, GSS_KRB5_MECHANISM, GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, &cred, NULL, NULL, NULL); if (major != GSS_S_COMPLETE) gss_err(1, major, minor, GSS_KRB5_MECHANISM, "failed to acquire creds from %s", argv[1]); (void) gss_release_cred(&minor, &cred); putenv("KRB5CCNAME"); free(from_env); free(to_env); return 0; }
int main(int argc, char *argv[]) { OM_uint32 minor, major; gss_cred_id_t impersonator_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t user_cred_handle = GSS_C_NO_CREDENTIAL; gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL; gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME; gss_OID_set_desc mechs; gss_OID_set actual_mechs = GSS_C_NO_OID_SET; gss_buffer_desc buf; if (argc < 2 || argc > 5) { fprintf(stderr, "Usage: %s [--spnego] [user] " "[proxy-target] [keytab]\n", argv[0]); fprintf(stderr, " proxy-target and keytab are optional\n"); exit(1); } if (strcmp(argv[1], "--spnego") == 0) { use_spnego++; argc--; argv++; } buf.value = argv[1]; buf.length = strlen((char *)buf.value); major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &user); if (GSS_ERROR(major)) { displayStatus("gss_import_name(user)", major, minor); goto out; } if (argc > 2 && strcmp(argv[2], "-")) { buf.value = argv[2]; buf.length = strlen((char *)buf.value); major = gss_import_name(&minor, &buf, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &target); if (GSS_ERROR(major)) { displayStatus("gss_import_name(target)", major, minor); goto out; } } else { target = GSS_C_NO_NAME; } mechs.elements = use_spnego ? (gss_OID)&spnego_mech : (gss_OID)gss_mech_krb5; mechs.count = 1; major = getDefaultCred(&minor, argc > 3 ? argv[3] : NULL, &mechs, &impersonator_cred_handle); if (GSS_ERROR(major)) goto out; printf("Protocol transition tests follow\n"); printf("-----------------------------------\n\n"); /* get S4U2Self cred */ major = gss_acquire_cred_impersonate_name(&minor, impersonator_cred_handle, user, GSS_C_INDEFINITE, &mechs, GSS_C_INITIATE, &user_cred_handle, &actual_mechs, NULL); if (GSS_ERROR(major)) { displayStatus("gss_acquire_cred_impersonate_name", major, minor); goto out; } /* Try to store it in default ccache */ major = gss_store_cred(&minor, user_cred_handle, GSS_C_INITIATE, &mechs.elements[0], 1, 1, NULL, NULL); if (GSS_ERROR(major)) { displayStatus("gss_store_cred", major, minor); goto out; } major = initAcceptSecContext(&minor, user_cred_handle, impersonator_cred_handle, &delegated_cred_handle); if (GSS_ERROR(major)) goto out; printf("\n"); out: (void) gss_release_name(&minor, &user); (void) gss_release_name(&minor, &target); (void) gss_release_cred(&minor, &delegated_cred_handle); (void) gss_release_cred(&minor, &impersonator_cred_handle); (void) gss_release_cred(&minor, &user_cred_handle); (void) gss_release_oid_set(&minor, &actual_mechs); return GSS_ERROR(major) ? 1 : 0; }