static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions ) { krb5_preauthtype preauth[] = { KRB5_PADATA_ENC_TIMESTAMP }; krb5_enctype etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC}; krb5_get_init_creds_opt_set_address_list(outOptions, NULL); krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) ); krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) ); }
static void get_creds(krb5_context context, krb5_ccache *cache) { krb5_keytab keytab; krb5_principal client; krb5_error_code ret; krb5_get_init_creds_opt *init_opts; krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP; krb5_creds creds; ret = krb5_kt_register(context, &hdb_kt_ops); if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); ret = krb5_kt_resolve(context, ktname, &keytab); if(ret) krb5_err(context, 1, ret, "krb5_kt_resolve"); ret = krb5_make_principal(context, &client, NULL, "kadmin", HPROP_NAME, NULL); if(ret) krb5_err(context, 1, ret, "krb5_make_principal"); ret = krb5_get_init_creds_opt_alloc(context, &init_opts); if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); krb5_get_init_creds_opt_set_preauth_list(init_opts, &preauth, 1); ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, init_opts); if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); krb5_get_init_creds_opt_free(context, init_opts); ret = krb5_kt_close(context, keytab); if(ret) krb5_err(context, 1, ret, "krb5_kt_close"); ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, cache); if(ret) krb5_err(context, 1, ret, "krb5_cc_new_unique"); ret = krb5_cc_initialize(context, *cache, client); if(ret) krb5_err(context, 1, ret, "krb5_cc_initialize"); krb5_free_principal(context, client); ret = krb5_cc_store_cred(context, *cache, &creds); if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); krb5_free_cred_contents(context, &creds); }
int main(int argc, char **argv) { krb5_context context; krb5_error_code ret; krb5_creds cred; krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; krb5_get_init_creds_opt *get_options; krb5_verify_init_creds_opt verify_options; krb5_principal principal = NULL; int optidx = 0; setprogname (argv[0]); if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) usage(1); if (help_flag) usage (0); if(version_flag) { print_version(NULL); exit(0); } argc -= optidx; argv += optidx; ret = krb5_init_context(&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); ret = krb5_get_init_creds_opt_alloc (context, &get_options); if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); krb5_get_init_creds_opt_set_preauth_list (get_options, pre_auth_types, 1); krb5_verify_init_creds_opt_init (&verify_options); if (argc) { ret = krb5_parse_name(context, argv[0], &principal); if (ret) krb5_err(context, 1, ret, "krb5_parse_name: %s", argv[0]); } else { ret = krb5_get_default_principal(context, &principal); if (ret) krb5_err(context, 1, ret, "krb5_get_default_principal"); } ret = krb5_get_init_creds_password (context, &cred, principal, NULL, krb5_prompter_posix, NULL, 0, NULL, get_options); if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); ret = krb5_verify_init_creds (context, &cred, NULL, NULL, NULL, &verify_options); if (ret) krb5_err(context, 1, ret, "krb5_verify_init_creds"); krb5_free_cred_contents (context, &cred); krb5_free_context (context); return 0; }
static int krb5_verify_password (POP *p) { krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; krb5_get_init_creds_opt *get_options; krb5_verify_init_creds_opt verify_options; krb5_error_code ret; krb5_principal client, server; krb5_creds creds; const char *estr; ret = krb5_get_init_creds_opt_alloc (p->context, &get_options); if (ret) { estr = krb5_get_error_message(p->context, ret); pop_log(p, POP_PRIORITY, "krb5_get_init_creds_opt_alloc: %s", estr); krb5_free_error_message(p->context, estr); return 1; } krb5_get_init_creds_opt_set_preauth_list (get_options, pre_auth_types, 1); krb5_verify_init_creds_opt_init (&verify_options); ret = krb5_parse_name (p->context, p->user, &client); if (ret) { krb5_get_init_creds_opt_free(p->context, get_options); estr = krb5_get_error_message(p->context, ret); pop_log(p, POP_PRIORITY, "krb5_parse_name: %s", estr); krb5_free_error_message(p->context, estr); return 1; } ret = krb5_get_init_creds_password (p->context, &creds, client, p->pop_parm[1], NULL, NULL, 0, NULL, get_options); krb5_get_init_creds_opt_free(p->context, get_options); if (ret) { estr = krb5_get_error_message(p->context, ret); pop_log(p, POP_PRIORITY, "krb5_get_init_creds_password: %s", estr); krb5_free_error_message(p->context, estr); return 1; } ret = krb5_sname_to_principal (p->context, p->myhost, "pop", KRB5_NT_SRV_HST, &server); if (ret) { estr = krb5_get_error_message(p->context, ret); pop_log(p, POP_PRIORITY, "krb5_get_init_creds_password: %s", estr); krb5_free_error_message(p->context, estr); return 1; } ret = krb5_verify_init_creds (p->context, &creds, server, NULL, NULL, &verify_options); krb5_free_principal (p->context, client); krb5_free_principal (p->context, server); krb5_free_cred_contents (p->context, &creds); return ret; }
int main(int argc, char **argv) { krb5_context context; krb5_error_code ret; krb5_creds cred; krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; krb5_get_init_creds_opt *get_options; krb5_verify_init_creds_opt verify_options; int optind = 0; if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) usage(1); if (help_flag) usage (0); if(version_flag) { print_version(NULL); exit(0); } ret = krb5_init_context(&context); if (ret) errx (1, "krb5_init_context failed: %d", ret); ret = krb5_get_init_creds_opt_alloc (context, &get_options); if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); krb5_get_init_creds_opt_set_preauth_list (get_options, pre_auth_types, 1); krb5_verify_init_creds_opt_init (&verify_options); ret = krb5_get_init_creds_password (context, &cred, NULL, NULL, krb5_prompter_posix, NULL, 0, NULL, get_options); if (ret) errx (1, "krb5_get_init_creds: %s", krb5_get_err_text(context, ret)); ret = krb5_verify_init_creds (context, &cred, NULL, NULL, NULL, &verify_options); if (ret) errx (1, "krb5_verify_init_creds: %s", krb5_get_err_text(context, ret)); krb5_free_cred_contents (context, &cred); krb5_free_context (context); return 0; }
static krb5_error_code change_password (krb5_context context, krb5_principal client, const char *password, char *newpw, size_t newpw_sz, krb5_prompter_fct prompter, void *data, krb5_get_init_creds_opt *old_options) { krb5_prompt prompts[2]; krb5_error_code ret; krb5_creds cpw_cred; char buf1[BUFSIZ], buf2[BUFSIZ]; krb5_data password_data[2]; int result_code; krb5_data result_code_string; krb5_data result_string; char *p; krb5_get_init_creds_opt *options; memset (&cpw_cred, 0, sizeof(cpw_cred)); ret = krb5_get_init_creds_opt_alloc(context, &options); if (ret) return ret; krb5_get_init_creds_opt_set_tkt_life (options, 60); krb5_get_init_creds_opt_set_forwardable (options, FALSE); krb5_get_init_creds_opt_set_proxiable (options, FALSE); if (old_options && old_options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) krb5_get_init_creds_opt_set_preauth_list (options, old_options->preauth_list, old_options->preauth_list_length); krb5_data_zero (&result_code_string); krb5_data_zero (&result_string); ret = krb5_get_init_creds_password (context, &cpw_cred, client, password, prompter, data, 0, "kadmin/changepw", options); krb5_get_init_creds_opt_free(context, options); if (ret) goto out; for(;;) { password_data[0].data = buf1; password_data[0].length = sizeof(buf1); prompts[0].hidden = 1; prompts[0].prompt = "New password: "******"Repeat new password: "******"Changing password", 2, prompts); if (ret) { memset (buf1, 0, sizeof(buf1)); memset (buf2, 0, sizeof(buf2)); goto out; } if (strcmp (buf1, buf2) == 0) break; memset (buf1, 0, sizeof(buf1)); memset (buf2, 0, sizeof(buf2)); } ret = krb5_set_password (context, &cpw_cred, buf1, client, &result_code, &result_code_string, &result_string); if (ret) goto out; asprintf (&p, "%s: %.*s\n", result_code ? "Error" : "Success", (int)result_string.length, result_string.length > 0 ? (char*)result_string.data : ""); /* return the result */ (*prompter) (context, data, NULL, p, 0, NULL); free (p); if (result_code == 0) { strlcpy (newpw, buf1, newpw_sz); ret = 0; } else { ret = ENOTTY; krb5_set_error_message(context, ret, N_("failed changing password", "")); } out: memset (buf1, 0, sizeof(buf1)); memset (buf2, 0, sizeof(buf2)); krb5_data_free (&result_string); krb5_data_free (&result_code_string); krb5_free_cred_contents (context, &cpw_cred); return ret; }
static int chk_kerberos( const struct berval *sc, const struct berval * passwd, const struct berval * cred, const char **text ) { unsigned int i; int rtn; for( i=0; i<cred->bv_len; i++) { if(cred->bv_val[i] == '\0') { return LUTIL_PASSWD_ERR; /* NUL character in password */ } } if( cred->bv_val[i] != '\0' ) { return LUTIL_PASSWD_ERR; /* cred must behave like a string */ } for( i=0; i<passwd->bv_len; i++) { if(passwd->bv_val[i] == '\0') { return LUTIL_PASSWD_ERR; /* NUL character in password */ } } if( passwd->bv_val[i] != '\0' ) { return LUTIL_PASSWD_ERR; /* passwd must behave like a string */ } rtn = LUTIL_PASSWD_ERR; #ifdef HAVE_KRB5 /* HAVE_HEIMDAL_KRB5 */ { /* Portions: * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska H\xf6gskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ krb5_context context; krb5_error_code ret; krb5_creds creds; krb5_get_init_creds_opt get_options; krb5_verify_init_creds_opt verify_options; krb5_principal client, server; #ifdef notdef krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; #endif ret = krb5_init_context( &context ); if (ret) { return LUTIL_PASSWD_ERR; } #ifdef notdef krb5_get_init_creds_opt_set_preauth_list(&get_options, pre_auth_types, 1); #endif krb5_get_init_creds_opt_init( &get_options ); krb5_verify_init_creds_opt_init( &verify_options ); ret = krb5_parse_name( context, passwd->bv_val, &client ); if (ret) { krb5_free_context( context ); return LUTIL_PASSWD_ERR; } ret = krb5_get_init_creds_password( context, &creds, client, cred->bv_val, NULL, NULL, 0, NULL, &get_options ); if (ret) { krb5_free_principal( context, client ); krb5_free_context( context ); return LUTIL_PASSWD_ERR; } { char *host = ldap_pvt_get_fqdn( NULL ); if( host == NULL ) { krb5_free_principal( context, client ); krb5_free_context( context ); return LUTIL_PASSWD_ERR; } ret = krb5_sname_to_principal( context, host, "ldap", KRB5_NT_SRV_HST, &server ); ber_memfree( host ); } if (ret) { krb5_free_principal( context, client ); krb5_free_context( context ); return LUTIL_PASSWD_ERR; } ret = krb5_verify_init_creds( context, &creds, server, NULL, NULL, &verify_options ); krb5_free_principal( context, client ); krb5_free_principal( context, server ); krb5_free_cred_contents( context, &creds ); krb5_free_context( context ); rtn = ret ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } #elif defined(HAVE_KRB4) { /* Borrowed from Heimdal kpopper */ /* Portions: * Copyright (c) 1989 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ int status; char lrealm[REALM_SZ]; char tkt[MAXHOSTNAMELEN]; status = krb_get_lrealm(lrealm,1); if (status == KFAILURE) { return LUTIL_PASSWD_ERR; } snprintf(tkt, sizeof(tkt), "%s_slapd.%u", TKT_ROOT, (unsigned)getpid()); krb_set_tkt_string (tkt); status = krb_verify_user( passwd->bv_val, "", lrealm, cred->bv_val, 1, "ldap"); dest_tkt(); /* no point in keeping the tickets */ return status == KFAILURE ? LUTIL_PASSWD_ERR : LUTIL_PASSWD_OK; } #endif return rtn; }