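/*
 * Fetch a Kerberos 5 service ticket for name[.inst]@realm from the process
 * credential cache and, when a v4 CREDENTIALS buffer is supplied and the
 * build has HAVE_KRB4, convert it to Kerberos 4 form.
 *
 * context  krb5 library context.
 * name     first component of the service principal.
 * inst     optional instance; NULL or "" means "no second component".
 * realm    realm of the service principal.
 * c        v4 output buffer, or NULL when only the v5 credential is wanted.
 * creds    receives the v5 credential returned by krb5_get_credentials().
 *
 * Returns 0 on success, otherwise the krb5 error code cast to int.  If the
 * v5 fetch succeeds but the v4 conversion fails, *creds is still populated
 * and the conversion error is returned, so the caller remains responsible
 * for releasing *creds (presumably with krb5_free_creds() -- confirm against
 * callers).
 *
 * The cached client principal is a function-local static and the credential
 * cache handle is a global, so this function is not reentrant.
 */
static int
get_v5cred(krb5_context context, char *name, char *inst, char *realm,
           CREDENTIALS *c, krb5_creds **creds)
{
    krb5_creds increds;
    krb5_error_code r;
    static krb5_principal client_principal = 0;

    /* Release the principal kept from the previous call; it is re-read below. */
    if (client_principal) {
        krb5_free_principal(context, client_principal);
        client_principal = 0;
    }

    memset(&increds, 0, sizeof(increds));

    /*
     * krb5_build_principal() is variadic: the terminator must be a real
     * pointer, because a bare int 0 is narrower than a pointer on LP64/LLP64
     * targets.
     */
    r = krb5_build_principal(context, &increds.server,
                             (int)strlen(realm), realm, name,
                             (inst && strlen(inst)) ? inst : (char *)NULL,
                             (char *)NULL);
    if (r) {
        return (int)r;
    }

    if (!_krb425_ccache) {
        r = krb5_cc_default(context, &_krb425_ccache);
        if (r) {
            goto done;
        }
    }

    /* client_principal is always unset here because of the reset above. */
    r = krb5_cc_get_principal(context, _krb425_ccache, &client_principal);
    if (r) {
        krb5_cc_close(context, _krb425_ccache);
        /*
         * Forget the closed handle; otherwise the next call would skip
         * krb5_cc_default() and use a stale credential-cache pointer.
         */
        _krb425_ccache = NULL;
        goto done;
    }

    increds.client = client_principal;
    increds.times.endtime = 0;

    /*
     * Ask for DES since that is what V4 understands.  Single-DES is a weak
     * enctype (deprecated for Kerberos by RFC 6649); it is requested only
     * when a v4 conversion is actually wanted.
     */
    if (c != NULL) {
        increds.session.keytype = ENCTYPE_DES_CBC_CRC;
    }

    r = krb5_get_credentials(context, 0, _krb425_ccache, &increds, creds);
    if (r) {
        goto done;
    }

#ifdef HAVE_KRB4
    /* This requires krb524d to be running with the KDC */
    if (c != NULL) {
        r = krb5_524_convert_creds(context, *creds, c);
    }
#endif

done:
    /*
     * The request template owns the server principal built above; the
     * client principal is not freed here because it is the static cached
     * value released at the start of the next call.
     */
    krb5_free_principal(context, increds.server);
    return (int)r;
}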
/*
 * Thin wrapper: hands its three arguments straight to
 * krb5_524_convert_creds() and returns that call's result unchanged.
 */
int KRB5_CALLCONV_WRONG
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
                         struct credentials *v4creds)
{
    int status;

    status = krb5_524_convert_creds(context, v5creds, v4creds);
    return status;
}
/*
 * Try to obtain Kerberos 4 credentials for the user and record them in the
 * stash.  Two strategies are attempted, in this order:
 *
 *   1. (only when built with a 524 conversion function and
 *      options->v4_use_524 is set) convert a v5 credential to v4 form;
 *   2. (only when a password is supplied and options->v4_use_as_req is set)
 *      request initial v4 credentials via _pam_krb5_v4_init().
 *
 * ctx       krb5 library context.
 * pamh      PAM handle; not referenced in this function body.
 * stash     holds the v5 credentials read here and receives v4creds /
 *           v4present on success.
 * userinfo  passed through to the helper calls.
 * options   module options; debug, v4_use_524 and v4_use_as_req are read.
 * password  plaintext password, or NULL; only forwarded to
 *           _pam_krb5_v4_init(), never written to the debug log here.
 * result    optional; set to 0 after a successful 524 conversion, and
 *           passed on to _pam_krb5_v4_init() for the second strategy.
 *
 * Returns PAM_SUCCESS as soon as one strategy succeeds, PAM_AUTH_ERR
 * otherwise.
 */
int
v4_get_creds(krb5_context ctx, pam_handle_t *pamh,
             struct _pam_krb5_stash *stash,
             struct _pam_krb5_user_info *userinfo,
             struct _pam_krb5_options *options,
             char *password, int *result)
{
    int i;
#if defined(HAVE_KRB5_524_CONVERT_CREDS) || \
    defined(HAVE_KRB524_CONVERT_CREDS_KDC)
    krb5_creds *v4_compat_creds, *in_creds;

    v4_compat_creds = NULL;

    if (options->v4_use_524) {
        if (options->debug) {
            debug("obtaining v4-compatible key");
        }
        /* We need a DES-CBC-CRC v5 credential to convert to a proper v4
         * credential. */
        /* NOTE(review): single-DES is a weak enctype (deprecated for
         * Kerberos by RFC 6649); this path should only be reachable when
         * v4 interoperability is explicitly enabled -- confirm the default
         * of v4_use_524. */
        i = v5_get_creds_etype(ctx, userinfo, options,
                               &stash->v5creds, ENCTYPE_DES_CBC_CRC,
                               &v4_compat_creds);
        if (i == 0) {
            if (options->debug) {
                debug("obtained des-cbc-crc v5 creds");
            }
            in_creds = v4_compat_creds;
        } else {
            if (options->debug) {
                debug("failed to obtain des-cbc-crc v5 creds: "
                      "%d (%s)", i, v5_error_message(i));
            }
            /* Fall back to a private copy of the stashed v5 credential,
             * whatever its enctype. */
            in_creds = NULL;
            if (v5_creds_check_initialized(ctx, &stash->v5creds) == 0) {
                /* NOTE(review): return value ignored; the code below
                 * relies on in_creds staying NULL if the copy fails --
                 * confirm. */
                krb5_copy_creds(ctx, &stash->v5creds, &in_creds);
            }
        }
#ifdef HAVE_KRB5_524_CONVERT_CREDS
        if (options->debug) {
            debug("converting v5 creds to v4 creds (etype = %d)",
                  in_creds ? v5_creds_get_etype(in_creds) : 0);
        }
        if ((in_creds != NULL) &&
            (v5_creds_check_initialized(ctx, in_creds) == 0)) {
            i = krb5_524_convert_creds(ctx, in_creds, &stash->v4creds);
            if (i == 0) {
                if (options->debug) {
                    debug("conversion succeeded");
                }
                stash->v4present = 1;
                if (result) {
                    *result = i;
                }
                /* The temporary v5 credential is no longer needed once
                 * the v4 form is in the stash. */
                krb5_free_creds(ctx, in_creds);
                return PAM_SUCCESS;
            } else {
                if (options->debug) {
                    debug("conversion failed: %d (%s)",
                          i, v5_error_message(i));
                }
            }
        }
#else
#ifdef HAVE_KRB524_CONVERT_CREDS_KDC
        /* Same sequence as the branch above, using the older
         * krb524_convert_creds_kdc() entry point. */
        if (options->debug) {
            debug("converting v5 creds to v4 creds (etype = %d)",
                  in_creds ? v5_creds_get_etype(in_creds) : 0);
        }
        if ((in_creds != NULL) &&
            (v5_creds_check_initialized(ctx, in_creds) == 0)) {
            i = krb524_convert_creds_kdc(ctx, in_creds, &stash->v4creds);
            if (i == 0) {
                if (options->debug) {
                    debug("conversion succeeded");
                }
                stash->v4present = 1;
                if (result) {
                    *result = i;
                }
                krb5_free_creds(ctx, in_creds);
                return PAM_SUCCESS;
            } else {
                if (options->debug) {
                    debug("conversion failed: %d (%s)",
                          i, v5_error_message(i));
                }
            }
        }
#endif
#endif
        /* Conversion did not succeed: release the temporary credential.
         * NOTE(review): a non-NULL in_creds that fails the initialized
         * check is not freed here -- looks like a possible leak; confirm
         * what v5_creds_check_initialized() reports for such a value. */
        if ((in_creds != NULL) &&
            (v5_creds_check_initialized(ctx, in_creds) == 0)) {
            krb5_free_creds(ctx, in_creds);
        }
    }
#endif
    /* Second strategy: initial v4 request using the supplied password. */
    if ((password != NULL) && (options->v4_use_as_req)) {
        if (options->debug) {
            debug("attempting to obtain initial v4 creds");
        }
        i = _pam_krb5_v4_init(ctx, stash, userinfo, options,
                              KRB5_TGS_NAME, NULL, password, result);
        if (i == PAM_SUCCESS) {
            if (options->debug) {
                debug("initial v4 creds obtained");
            }
            stash->v4present = 1;
            return PAM_SUCCESS;
        }
        /* NOTE(review): i is compared with PAM_SUCCESS above, so it looks
         * like a PAM code, yet it is rendered with v5_error_message();
         * the logged text may be misleading -- confirm. */
        if (options->debug) {
            debug("could not obtain initial v4 creds: %d (%s)",
                  i, v5_error_message(i));
        }
    }
    return PAM_AUTH_ERR;
}