char *source_user;
char *target_user;
krb5_ccache cc_source;
- opt_info *options;
+ krb5_get_init_creds_opt *options;
char *cmd;
char *hostname;
krb5_principal *client;
*path_out = 0;
/* -n option was specified client is set we are done */
- if (options->princ)
+ if (*client != NULL)
return 0;
if (ks_ccache_is_initialized(context, cc_source)) {
void plain_dump_principal ();
-/*
- * Try no preauthentication first; then try the encrypted timestamp
- */
-krb5_preauthtype * preauth_ptr = NULL;
-
-
-
krb5_boolean krb5_auth_check(context, client_pname, hostname, options,
target_user, cc, path_passwd, target_uid)
krb5_context context;
krb5_principal client_pname;
char *hostname;
- opt_info *options;
+ krb5_get_init_creds_opt *options;
char *target_user;
uid_t target_uid;
krb5_ccache cc;
fprintf(stderr, _(" in remotely using an unsecure "
"(non-encrypted) channel. \n"));
- /*get the ticket granting ticket, via passwd(promt for passwd)*/
- if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server,
- options, & zero_password) == FALSE){
+ /*get the ticket granting ticket, via passwd(prompt for passwd)*/
+ if (ksu_get_tgt_via_passwd(context, client, options, &zero_password,
+ &tgt) == FALSE) {
krb5_seteuid(0);
return FALSE;
return (TRUE);
}
-krb5_boolean krb5_get_tkt_via_passwd (context, ccache, client, server,
- options, zero_password)
+krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,
+ creds_out)
krb5_context context;
- krb5_ccache *ccache;
krb5_principal client;
- krb5_principal server;
- opt_info *options;
+ krb5_get_init_creds_opt *options;
krb5_boolean *zero_password;
+ krb5_creds *creds_out;
{
krb5_error_code code;
- krb5_creds my_creds;
+ krb5_creds creds;
krb5_timestamp now;
unsigned int pwsize;
char password[255], *client_name, prompt[255];
int result;
*zero_password = FALSE;
+ if (creds_out != NULL)
+ memset(creds_out, 0, sizeof(*creds_out));
if ((code = krb5_unparse_name(context, client, &client_name))) {
com_err (prog_name, code, _("when unparsing name"));
return (FALSE);
}
- memset(&my_creds, 0, sizeof(my_creds));
-
- if ((code = krb5_copy_principal(context, client, &my_creds.client))){
- com_err (prog_name, code, _("while copying principal"));
- return (FALSE);
- }
-
- if ((code = krb5_copy_principal(context, server, &my_creds.server))){
- com_err (prog_name, code, _("while copying principal"));
- return (FALSE);
- }
+ memset(&creds, 0, sizeof(creds));
if ((code = krb5_timeofday(context, &now))) {
com_err(prog_name, code, _("while getting time of day"));
return (FALSE);
}
- my_creds.times.starttime = 0; /* start timer when request
- gets to KDC */
-
- my_creds.times.endtime = now + options->lifetime;
- if (options->opt & KDC_OPT_RENEWABLE) {
- my_creds.times.renew_till = now + options->rlife;
- } else
- my_creds.times.renew_till = 0;
-
result = snprintf(prompt, sizeof(prompt), _("Kerberos password for %s: "),
client_name);
if (SNPRINTF_OVERFLOW(result, sizeof(prompt))) {
return (FALSE);
}
- code = krb5_get_in_tkt_with_password(context, options->opt,
- 0, NULL, preauth_ptr,
- password, *ccache, &my_creds, 0);
+ code = krb5_get_init_creds_password(context, &creds, client, password,
+ NULL, NULL, 0, NULL, options);
memset(password, 0, sizeof(password));
com_err(prog_name, code, _("while getting initial credentials"));
return (FALSE);
}
+ if (creds_out != NULL)
+ *creds_out = creds;
+ else
+ krb5_free_cred_contents(context, &creds);
return (TRUE);
}
extern char * gb_err;
/***********/
-typedef struct opt_info{
- int opt;
- krb5_deltat lifetime;
- krb5_deltat rlife;
- int princ;
-}opt_info;
-
/* krb_auth_su.c */
extern krb5_boolean krb5_auth_check
-(krb5_context, krb5_principal, char *, opt_info *,
+(krb5_context, krb5_principal, char *, krb5_get_init_creds_opt *,
char *, krb5_ccache, int *, uid_t);
extern krb5_boolean krb5_fast_auth
(krb5_context, krb5_principal, krb5_principal, char *,
krb5_ccache);
-extern krb5_boolean krb5_get_tkt_via_passwd
-(krb5_context, krb5_ccache *, krb5_principal,
- krb5_principal, opt_info *, krb5_boolean *);
+extern krb5_boolean ksu_get_tgt_via_passwd
+(krb5_context,
+ krb5_principal, krb5_get_init_creds_opt *, krb5_boolean *, krb5_creds *);
extern void dump_principal
(krb5_context, char *, krb5_principal);
extern krb5_error_code get_best_princ_for_target
(krb5_context, uid_t, uid_t, char *, char *, krb5_ccache,
- opt_info *, char *, char *, krb5_principal *, int *);
+ krb5_get_init_creds_opt *, char *, char *, krb5_principal *, int *);
extern krb5_error_code ksu_tgtname (krb5_context, const krb5_data *,
const krb5_data *,
int some_rest_copy = 0;
int all_rest_copy = 0;
char *localhostname = NULL;
- opt_info options;
+ krb5_get_init_creds_opt *options = NULL;
int option=0;
int statusp=0;
krb5_error_code retval = 0;
int pargc;
char ** pargv;
krb5_boolean stored = FALSE, cc_reused = FALSE;
- krb5_principal kdc_server;
krb5_boolean zero_password;
krb5_boolean restrict_creds;
-
- options.opt = KRB5_DEFAULT_OPTIONS;
- options.lifetime = KRB5_DEFAULT_TKT_LIFE;
- options.rlife =0;
- options.princ =0;
+ krb5_deltat lifetime, rlife;
params = (char **) xcalloc (2, sizeof (char *));
params[1] = NULL;
-
unsetenv ("KRB5_CONFIG");
retval = krb5_init_secure_context(&ksu_context);
exit(1);
}
+ retval = krb5_get_init_creds_opt_alloc(ksu_context, &options);
+ if (retval) {
+ com_err(argv[0], retval, _("while initializing krb5"));
+ exit(1);
+ }
+
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
prog_name = argv[0];
while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
switch (option) {
case 'r':
- options.opt |= KDC_OPT_RENEWABLE;
if (strlen (optarg) >= 14)
optarg = "bad-time";
- retval = krb5_string_to_deltat(optarg, &options.rlife);
- if (retval != 0 || options.rlife == 0) {
+ retval = krb5_string_to_deltat(optarg, &rlife);
+ if (retval != 0 || rlife == 0) {
fprintf(stderr, _("Bad lifetime value (%s hours?)\n"), optarg);
errflg++;
}
+ krb5_get_init_creds_opt_set_renew_life(options, rlife);
break;
case 'a':
/* when integrating this remember to pass in pargc, pargv and
done = 1;
break;
case 'p':
- options.opt |= KDC_OPT_PROXIABLE;
+ krb5_get_init_creds_opt_set_proxiable(options, 1);
break;
case 'f':
- options.opt |= KDC_OPT_FORWARDABLE;
+ krb5_get_init_creds_opt_set_forwardable(options, 1);
break;
case 'k':
keep_target_cache =1;
case 'l':
if (strlen (optarg) >= 14)
optarg = "bad-time";
- retval = krb5_string_to_deltat(optarg, &options.lifetime);
- if (retval != 0 || options.lifetime == 0) {
+ retval = krb5_string_to_deltat(optarg, &lifetime);
+ if (retval != 0 || lifetime == 0) {
fprintf(stderr, _("Bad lifetime value (%s hours?)\n"), optarg);
errflg++;
}
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
break;
case 'n':
if ((retval = krb5_parse_name(ksu_context, optarg, &client))){
com_err(prog_name, retval, _("when parsing name %s"), optarg);
errflg++;
}
-
- options.princ = 1;
-
break;
#ifdef DEBUG
case 'D':
if ((retval = get_best_princ_for_target(ksu_context, source_uid,
target_uid, source_user,
target_user, cc_source,
- &options, cmd, localhostname,
+ options, cmd, localhostname,
&client, &hp))){
com_err(prog_name,retval, _("while selecting the best principal"));
exit(1);
}
krb5_cc_close(ksu_context, cc_source);
+ krb5_get_init_creds_opt_set_out_ccache(ksu_context, options, cc_tmp);
+
/* Become root for authentication*/
if (krb5_seteuid(0)) {
if ((source_uid == 0) || (target_uid == source_uid)){
#ifdef GET_TGT_VIA_PASSWD
- if ((!all_rest_copy) && options.princ && (stored == FALSE)){
- if ((retval = ksu_tgtname(ksu_context,
- krb5_princ_realm (ksu_context, client),
- krb5_princ_realm(ksu_context, client),
- &kdc_server))){
- com_err(prog_name, retval,
- _("while creating tgt for local realm"));
- exit(1);
- }
-
+ if ((!all_rest_copy) && client != NULL && (stored == FALSE)){
fprintf(stderr, _("WARNING: Your password may be exposed if you "
"enter it here and are logged\n"));
fprintf(stderr, _(" in remotely using an unsecure "
"(non-encrypted) channel.\n"));
- if (krb5_get_tkt_via_passwd(ksu_context, &cc_tmp, client,
- kdc_server, &options,
- &zero_password) == FALSE){
+ if (ksu_get_tgt_via_passwd(ksu_context, client, options,
+ &zero_password, NULL) == FALSE) {
if (zero_password == FALSE){
fprintf(stderr, _("Goodbye\n"));
char * client_name;
auth_val = krb5_auth_check(ksu_context, client, localhostname,
- &options, target_user, cc_tmp,
+ options, target_user, cc_tmp,
&path_passwd, target_uid);
/* if Kerberos authentication failed then exit */
projects / thirdparty / krb5.git / commitdiff
