/* * Set up cred to be an S4U2Proxy credential by copying in the impersonator's * creds, setting a cache config variable with the impersonator principal name, * and saving the impersonator principal name in the cred structure. */ static krb5_error_code make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred, krb5_gss_cred_id_t impersonator_cred) { krb5_error_code code; krb5_data data; char *str; code = krb5_cc_copy_creds(context, impersonator_cred->ccache, cred->ccache); if (code) return code; code = krb5_unparse_name(context, impersonator_cred->name->princ, &str); if (code) return code; data = string2data(str); code = krb5_cc_set_config(context, cred->ccache, NULL, KRB5_CONF_PROXY_IMPERSONATOR, &data); krb5_free_unparsed_name(context, str); if (code) return code; return krb5_copy_principal(context, impersonator_cred->name->princ, &cred->impersonator); }
static int mod_authn_gssapi_store_krb5_creds(server *srv, connection *con, plugin_data *p, krb5_context kcontext, krb5_ccache delegated_cred) { krb5_error_code problem; krb5_principal princ = NULL; krb5_ccache ccache = NULL; problem = krb5_cc_get_principal(kcontext, delegated_cred, &princ); if (problem) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_get_principal", NULL, kcontext, problem); goto end; } if (mod_authn_gssapi_create_krb5_ccache(srv, con, p, kcontext, princ, &ccache)) { goto end; } problem = krb5_cc_copy_creds(kcontext, delegated_cred, ccache); if (problem) { mod_authn_gssapi_log_krb5_error(srv, __FILE__, __LINE__, "krb5_cc_copy_creds", NULL, kcontext, problem); goto end; } krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, ccache); return 0; end: if (princ) krb5_free_principal(kcontext, princ); if (ccache) krb5_cc_destroy(kcontext, ccache); return -1; }
/* * The default unset code path depends on the underlying ccache implementation * knowing how to remove a credential, which most types don't actually support, * so we have to jump through some hoops to ensure that when we set a value for * a key, it'll be the only value for that key that'll be found later. The * ccache portions of libkrb5 will currently duplicate some of the actual * tickets. */ static void unset_config(krb5_context context, krb5_ccache ccache, krb5_principal server, const char *key) { krb5_ccache tmp1, tmp2; krb5_cc_cursor cursor; krb5_creds mcreds, creds; memset(&mcreds, 0, sizeof(mcreds)); memset(&creds, 0, sizeof(creds)); bail_on_err(context, "Error while deriving configuration principal names", k5_build_conf_principals(context, ccache, server, key, &mcreds)); bail_on_err(context, "Error resolving first in-memory ccache", krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1)); bail_on_err(context, "Error initializing first in-memory ccache", krb5_cc_initialize(context, tmp1, mcreds.client)); bail_on_err(context, "Error resolving second in-memory ccache", krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2)); bail_on_err(context, "Error initializing second in-memory ccache", krb5_cc_initialize(context, tmp2, mcreds.client)); bail_on_err(context, "Error copying credentials to first in-memory ccache", krb5_cc_copy_creds(context, ccache, tmp1)); bail_on_err(context, "Error starting traversal of first in-memory ccache", krb5_cc_start_seq_get(context, tmp1, &cursor)); while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) { if (!krb5_is_config_principal(context, creds.server) || !krb5_principal_compare(context, mcreds.server, creds.server) || !krb5_principal_compare(context, mcreds.client, creds.client)) { bail_on_err(context, "Error storing non-config item to in-memory ccache", krb5_cc_store_cred(context, tmp2, &creds)); } } bail_on_err(context, "Error ending traversal of first in-memory ccache", krb5_cc_end_seq_get(context, tmp1, &cursor)); bail_on_err(context, "Error clearing ccache", krb5_cc_initialize(context, ccache, mcreds.client)); bail_on_err(context, "Error storing creds to the ccache", krb5_cc_copy_creds(context, tmp2, ccache)); bail_on_err(context, "Error cleaning up first in-memory ccache", krb5_cc_destroy(context, tmp1)); bail_on_err(context, "Error cleaning up second in-memory ccache", krb5_cc_destroy(context, tmp2)); }
std::unique_ptr<Krb5CCache> Krb5CredentialsCacheManager::readInCache() { auto mem = folly::make_unique<Krb5CCache>( Krb5CCache::makeNewUnique(ctx_.get(), "MEMORY")); // Get the default local cache Krb5CCache file_cache = Krb5CCache::makeDefault(ctx_.get()); Krb5Principal client = file_cache.getClientPrincipal(); // Copy the cache into memory krb5_error_code code = krb5_cc_initialize( ctx_.get(), mem->get(), client.get()); raiseIf(code, "initializing memory ccache"); code = krb5_cc_copy_creds(ctx_.get(), file_cache.get(), mem->get()); raiseIf(code, "copying to memory cache"); auto service_list = mem->getServicePrincipalList(); for (auto& service : service_list) { incUsedService(folly::to<string>(service)); } return mem; }
static PyObject * k5_cc_copy_creds(PyObject *self, PyObject *args) { krb5_context ctx; char *namein, *nameout; krb5_error_code code; krb5_ccache ccin, ccout; krb5_principal principal; if (!PyArg_ParseTuple( args, "ss", &namein, &nameout)) return NULL; code = krb5_init_context(&ctx); RETURN_ON_ERROR("krb5_init_context()", code); code = krb5_cc_resolve(ctx, namein, &ccin); RETURN_ON_ERROR("krb5_cc_resolve()", code); code = krb5_cc_get_principal(ctx, ccin, &principal); RETURN_ON_ERROR("krb5_cc_get_principal()", code); code = krb5_cc_resolve(ctx, nameout, &ccout); RETURN_ON_ERROR("krb5_cc_resolve()", code); code = krb5_cc_initialize(ctx, ccout, principal); RETURN_ON_ERROR("krb5_cc_get_initialize()", code); code = krb5_cc_copy_creds(ctx, ccin, ccout); RETURN_ON_ERROR("krb5_cc_copy_creds()", code); code = krb5_cc_close(ctx, ccin); RETURN_ON_ERROR("krb5_cc_close()", code); code = krb5_cc_close(ctx, ccout); RETURN_ON_ERROR("krb5_cc_close()", code); krb5_free_principal(ctx, principal); krb5_free_context(ctx); Py_INCREF(Py_None); return Py_None; }
static OM_uint32 copy_initiator_creds(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred) { OM_uint32 major_status; krb5_error_code code; krb5_gss_cred_id_t kcred = NULL; krb5_context context = NULL; krb5_ccache ccache = NULL; if (!default_cred) { *minor_status = G_STORE_NON_DEFAULT_CRED_NOSUPP; major_status = GSS_S_FAILURE; goto cleanup; } code = krb5_gss_init_context(&context); if (code != 0) { *minor_status = code; major_status = GSS_S_FAILURE; goto cleanup; } major_status = krb5_gss_validate_cred_1(minor_status, input_cred_handle, context); if (GSS_ERROR(major_status)) goto cleanup; kcred = (krb5_gss_cred_id_t)input_cred_handle; if (kcred->ccache == NULL || kcred->proxy_cred) { *minor_status = KG_CCACHE_NOMATCH; major_status = GSS_S_DEFECTIVE_CREDENTIAL; goto cleanup; } if (!overwrite_cred && has_unexpired_creds(kcred, desired_mech, default_cred)) { major_status = GSS_S_DUPLICATE_ELEMENT; goto cleanup; } code = krb5int_cc_default(context, &ccache); if (code != 0) { *minor_status = code; major_status = GSS_S_FAILURE; goto cleanup; } code = krb5_cc_copy_creds(context, kcred->ccache, ccache); if (code != 0) { *minor_status = code; major_status = GSS_S_FAILURE; goto cleanup; } *minor_status = 0; major_status = GSS_S_COMPLETE; cleanup: if (kcred != NULL) k5_mutex_unlock(&kcred->lock); if (ccache != NULL) krb5_cc_close(context, ccache); krb5_free_context(context); return major_status; }
int main(int argc, char *argv[]) { krb5_context kcontext = NULL; krb5_error_code code; krb5_ccache ccache=NULL; krb5_ccache mslsa_ccache=NULL; krb5_cc_cursor cursor; krb5_creds creds; krb5_principal princ = NULL; int found_tgt = 0; int has_tickets; int option; char * ccachestr = 0; prog = strrchr(argv[0], '/'); prog = prog ? (prog + 1) : argv[0]; while ((option = getopt(argc, argv, "c:h")) != -1) { switch (option) { case 'c': ccachestr = optarg; break; case 'h': default: xusage(); break; } } if (code = krb5_init_context(&kcontext)) { com_err(argv[0], code, "while initializing kerberos library"); goto cleanup; } if (code = krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache)) { com_err(argv[0], code, "while opening MS LSA ccache"); goto cleanup; } /* Enumerate tickets from cache looking for a TGT */ if ((code = krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor))) { com_err(argv[0], code, "while initiating the cred sequence of MS LSA ccache"); goto cleanup; } while (!found_tgt) { code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds); if (code) break; /* Check if the ticket is a TGT */ if (is_local_tgt(creds.server)) found_tgt = 1; krb5_free_cred_contents(kcontext, &creds); } krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor); if (!found_tgt) { fprintf(stderr, "%s: Initial Ticket Getting Tickets are not available from the MS LSA\n", argv[0]); /* Only set the LSA cache as the default if it actually has tickets. */ code = cc_has_tickets(kcontext, mslsa_ccache, &has_tickets); if (code) goto cleanup; if (has_tickets) code = krb5int_cc_user_set_default_name(kcontext, "MSLSA:"); goto cleanup; } if (code = krb5_cc_get_principal(kcontext, mslsa_ccache, &princ)) { com_err(argv[0], code, "while obtaining MS LSA principal"); goto cleanup; } if (ccachestr) code = krb5_cc_resolve(kcontext, ccachestr, &ccache); else code = krb5_cc_resolve(kcontext, "API:", &ccache); if (code) { com_err(argv[0], code, "while getting default ccache"); goto cleanup; } if (code = krb5_cc_initialize(kcontext, ccache, princ)) { com_err (argv[0], code, "when initializing ccache"); goto cleanup; } if (code = krb5_cc_copy_creds(kcontext, mslsa_ccache, ccache)) { com_err (argv[0], code, "while copying MS LSA ccache to default ccache"); goto cleanup; } /* Don't try and set the default cache if the cache name was specified. */ if (ccachestr == NULL) { /* On success set the default cache to API. */ code = krb5int_cc_user_set_default_name(kcontext, "API:"); if (code) { com_err(argv[0], code, "when setting default to API"); goto cleanup; } } cleanup: krb5_free_principal(kcontext, princ); if (ccache != NULL) krb5_cc_close(kcontext, ccache); if (mslsa_ccache != NULL) krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); return code ? 1 : 0; }
static OM_uint32 copy_initiator_creds(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_const_key_value_set_t cred_store) { OM_uint32 major_status; krb5_error_code code; krb5_gss_cred_id_t kcred = NULL; krb5_context context = NULL; krb5_ccache ccache = NULL; const char *ccache_name; *minor_status = 0; if (!default_cred && cred_store == GSS_C_NO_CRED_STORE) { *minor_status = G_STORE_NON_DEFAULT_CRED_NOSUPP; major_status = GSS_S_FAILURE; goto cleanup; } code = krb5_gss_init_context(&context); if (code != 0) { *minor_status = code; major_status = GSS_S_FAILURE; goto cleanup; } major_status = krb5_gss_validate_cred_1(minor_status, input_cred_handle, context); if (GSS_ERROR(major_status)) goto cleanup; kcred = (krb5_gss_cred_id_t)input_cred_handle; if (kcred->ccache == NULL) { *minor_status = KG_CCACHE_NOMATCH; major_status = GSS_S_DEFECTIVE_CREDENTIAL; goto cleanup; } if (!overwrite_cred && has_unexpired_creds(kcred, desired_mech, default_cred, cred_store)) { major_status = GSS_S_DUPLICATE_ELEMENT; goto cleanup; } major_status = kg_value_from_cred_store(cred_store, KRB5_CS_CCACHE_URN, &ccache_name); if (GSS_ERROR(major_status)) goto cleanup; if (ccache_name != NULL) { code = krb5_cc_resolve(context, ccache_name, &ccache); if (code != 0) { *minor_status = code; major_status = GSS_S_CRED_UNAVAIL; goto cleanup; } code = krb5_cc_initialize(context, ccache, kcred->name->princ); if (code != 0) { *minor_status = code; major_status = GSS_S_CRED_UNAVAIL; goto cleanup; } } if (ccache == NULL) { if (!default_cred) { *minor_status = G_STORE_NON_DEFAULT_CRED_NOSUPP; major_status = GSS_S_FAILURE; goto cleanup; } code = krb5int_cc_default(context, &ccache); if (code != 0) { *minor_status = code; major_status = GSS_S_FAILURE; goto cleanup; } } code = krb5_cc_copy_creds(context, kcred->ccache, ccache); if (code != 0) { *minor_status = code; major_status = GSS_S_FAILURE; goto cleanup; } *minor_status = 0; major_status = GSS_S_COMPLETE; cleanup: if (kcred != NULL) k5_mutex_unlock(&kcred->lock); if (ccache != NULL) krb5_cc_close(context, ccache); krb5_free_context(context); return major_status; }
static void cc_test(krb5_context context, const char *name, krb5_flags flags) { krb5_ccache id, id2; krb5_creds creds; krb5_error_code kret; krb5_cc_cursor cursor; krb5_principal tmp; const char *c_name; char newcache[300]; char *save_type; kret = init_test_cred(context); CHECK(kret, "init_creds"); kret = krb5_cc_resolve(context, name, &id); CHECK(kret, "resolve"); kret = krb5_cc_initialize(context, id, test_creds.client); CHECK(kret, "initialize"); c_name = krb5_cc_get_name(context, id); CHECK_STR(c_name, "get_name"); c_name = krb5_cc_get_type(context, id); CHECK_STR(c_name, "get_type"); save_type=strdup(c_name); CHECK_STR(save_type, "copying type"); kret = krb5_cc_store_cred(context, id, &test_creds); CHECK(kret, "store"); kret = krb5_cc_get_principal(context, id, &tmp); CHECK(kret, "get_principal"); CHECK_BOOL(krb5_realm_compare(context, tmp, test_creds.client) != TRUE, "realms do not match", "realm_compare"); CHECK_BOOL(krb5_principal_compare(context, tmp, test_creds.client) != TRUE, "principals do not match", "principal_compare"); krb5_free_principal(context, tmp); kret = krb5_cc_set_flags (context, id, flags); CHECK(kret, "set_flags"); kret = krb5_cc_start_seq_get(context, id, &cursor); CHECK(kret, "start_seq_get"); kret = 0; while (kret != KRB5_CC_END) { if(debug) printf("Calling next_cred\n"); kret = krb5_cc_next_cred(context, id, &cursor, &creds); if(kret == KRB5_CC_END) { if(debug) printf("next_cred: ok at end\n"); } else { CHECK(kret, "next_cred"); krb5_free_cred_contents(context, &creds); } } kret = krb5_cc_end_seq_get(context, id, &cursor); CHECK(kret, "end_seq_get"); kret = krb5_cc_close(context, id); CHECK(kret, "close"); /* ------------------------------------------------- */ kret = krb5_cc_resolve(context, name, &id); CHECK(kret, "resolve2"); { /* Copy the cache test*/ snprintf(newcache, sizeof(newcache), "%s.new", name); kret = krb5_cc_resolve(context, newcache, &id2); CHECK(kret, "resolve of new cache"); /* This should fail as the new creds are not initialized */ kret = krb5_cc_copy_creds(context, id, id2); CHECK_FAIL(KRB5_FCC_NOFILE, kret, "copy_creds"); kret = krb5_cc_initialize(context, id2, test_creds.client); CHECK(kret, "initialize of id2"); kret = krb5_cc_copy_creds(context, id, id2); CHECK(kret, "copy_creds"); kret = krb5_cc_destroy(context, id2); CHECK(kret, "destroy new cache"); } /* Destroy the first cache */ kret = krb5_cc_destroy(context, id); CHECK(kret, "destroy"); /* ----------------------------------------------------- */ /* Tests the generate new code */ kret = krb5_cc_new_unique(context, save_type, NULL, &id2); CHECK(kret, "new_unique"); kret = krb5_cc_initialize(context, id2, test_creds.client); CHECK(kret, "initialize"); kret = krb5_cc_store_cred(context, id2, &test_creds); CHECK(kret, "store"); kret = krb5_cc_destroy(context, id2); CHECK(kret, "destroy id2"); free(save_type); free_test_cred(context); }
void main( int argc, char *argv[] ) { krb5_context kcontext; krb5_error_code code; krb5_ccache ccache=NULL; krb5_ccache mslsa_ccache=NULL; krb5_cc_cursor cursor; krb5_creds creds; krb5_principal princ; int initial_ticket = 0; int option; char * ccachestr = 0; prog = strrchr(argv[0], '/'); prog = prog ? (prog + 1) : argv[0]; while ((option = getopt(argc, argv, "c:h")) != -1) { switch (option) { case 'c': ccachestr = optarg; break; case 'h': default: xusage(); break; } } if (code = krb5_init_context(&kcontext)) { com_err(argv[0], code, "while initializing kerberos library"); exit(1); } if (code = krb5_cc_resolve(kcontext, "MSLSA:", &mslsa_ccache)) { com_err(argv[0], code, "while opening MS LSA ccache"); krb5_free_context(kcontext); exit(1); } if (code = krb5_cc_set_flags(kcontext, mslsa_ccache, KRB5_TC_NOTICKET)) { com_err(argv[0], code, "while setting KRB5_TC_NOTICKET flag"); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } /* Enumerate tickets from cache looking for an initial ticket */ if ((code = krb5_cc_start_seq_get(kcontext, mslsa_ccache, &cursor))) { com_err(argv[0], code, "while initiating the cred sequence of MS LSA ccache"); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } while (!(code = krb5_cc_next_cred(kcontext, mslsa_ccache, &cursor, &creds))) { if ( creds.ticket_flags & TKT_FLG_INITIAL ) { krb5_free_cred_contents(kcontext, &creds); initial_ticket = 1; break; } krb5_free_cred_contents(kcontext, &creds); } krb5_cc_end_seq_get(kcontext, mslsa_ccache, &cursor); if (code = krb5_cc_set_flags(kcontext, mslsa_ccache, 0)) { com_err(argv[0], code, "while clearing flags"); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } if ( !initial_ticket ) { fprintf(stderr, "%s: Initial Ticket Getting Tickets are not available from the MS LSA\n", argv[0]); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } if (code = krb5_cc_get_principal(kcontext, mslsa_ccache, &princ)) { com_err(argv[0], code, "while obtaining MS LSA principal"); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } if (ccachestr) code = krb5_cc_resolve(kcontext, ccachestr, &ccache); else code = krb5_cc_default(kcontext, &ccache); if (code) { com_err(argv[0], code, "while getting default ccache"); krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } if (code = krb5_cc_initialize(kcontext, ccache, princ)) { com_err (argv[0], code, "when initializing ccache"); krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, mslsa_ccache); krb5_cc_close(kcontext, ccache); krb5_free_context(kcontext); exit(1); } if (code = krb5_cc_copy_creds(kcontext, mslsa_ccache, ccache)) { com_err (argv[0], code, "while copying MS LSA ccache to default ccache"); krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, ccache); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); exit(1); } krb5_free_principal(kcontext, princ); krb5_cc_close(kcontext, ccache); krb5_cc_close(kcontext, mslsa_ccache); krb5_free_context(kcontext); return(0); }