author | Tom Yu <tlyu@mit.edu> | 2007-01-30 21:38:47 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2007-01-30 21:38:47 +0000 |
commit | 1f857634ae3b549e8c328727adbdaa9e9f403d4f (patch) | |
tree | b844c1d94274f80180c4c439d1a2bdf75115be08 /src/clients | |
parent | ebcf51877b1a69217830ebfe4047bc8a27fe4436 (diff) | |
get_init_creds_opt extensibility
r18922@cathode-dark-space: coffman | 2006-12-04 18:30:15 -0500
First cut at making the get_init_creds_opt structure extendable
and adding library functions to set options for preauthentication
plugins.
This does *not* include a compatibility function to work like
Heimdal's krb5_get_init_creds_opt_set_pkinit() function.
Hopefully, the test code that doesn't belong in kinit.c is
obvious.
r18929@cathode-dark-space: coffman | 2006-12-07 10:01:20 -0500
Remove extra "user_id" parameter.
Add function which duplicates the Heimdal interface (if we can agree on
what the matching attribute names should be).
r18934@cathode-dark-space: coffman | 2006-12-08 15:28:03 -0500
Update to use the simplified interface for krb5_get_init_creds_opt_set_pa()
Add code in kinit to process "-X" options as preauth options and pass
them along.
r18936@cathode-dark-space: coffman | 2006-12-11 12:04:26 -0500
Move prototypes for get_init_creds_opt_get_pa() and
krb5_get_init_creds_opt_free_pa() into the
preauth_plugin.h header rather than krb5.hin.
ticket: new
status: open
component: krb5-libs
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19127 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/clients')
-rw-r--r-- | src/clients/kinit/kinit.c | 108 | ||||
-rw-r--r-- | src/clients/kpasswd/kpasswd.c | 22 | ||||
-rw-r--r-- | src/clients/kpasswd/ksetpwd.c | 23 |
3 files changed, 123 insertions, 30 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c index 452d98c..f8e5b77 100644 --- a/src/clients/kinit/kinit.c +++ b/src/clients/kinit/kinit.c @@ -38,6 +38,7 @@ #include <string.h> #include <stdio.h> #include <time.h> +#include <errno.h> #include <com_err.h> #ifdef GETOPT_LONG @@ -143,6 +144,9 @@ struct k_opts char* k4_cache_name; action_type action; + + int num_pa_opts; + krb5_gic_opt_pa_data *pa_opts; }; struct k5_data @@ -283,6 +287,37 @@ static void extended_com_err_fn (const char *myprog, errcode_t code, fprintf (stderr, "\n"); } +static int +add_preauth_opt(struct k_opts *opts, char *av) +{ + char *sep, *v; + krb5_gic_opt_pa_data *p, *x; + + if (opts->num_pa_opts == 0) { + opts->pa_opts = malloc(sizeof(krb5_gic_opt_pa_data)); + if (opts->pa_opts == NULL) + return ENOMEM; + } else { + size_t newsize = (opts->num_pa_opts + 1) * sizeof(krb5_gic_opt_pa_data); + x = realloc(opts->pa_opts, newsize); + if (x == NULL) + return ENOMEM; + opts->pa_opts = x; + } + p = &opts->pa_opts[opts->num_pa_opts]; + sep = strchr(av, '='); + if (sep) { + *sep = '\0'; + v = ++sep; + p->value = v; + } else { + p->value = "yes"; + } + p->attr = av; + opts->num_pa_opts++; + return 0; +} + static char * parse_options(argc, argv, opts, progname) int argc; @@ -296,7 +331,7 @@ parse_options(argc, argv, opts, progname) int use_k5 = 0; int i; - while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:v")) + while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:")) != -1) { switch (i) { case 'V': @@ -380,6 +415,14 @@ parse_options(argc, argv, opts, progname) opts->k5_cache_name = optarg; } break; + case 'X': + code = add_preauth_opt(opts, optarg); + if (code) + { + com_err(progname, code, "while adding preauth option"); + errflg++; + } + break; #if 0 /* A little more work is needed before we can enable this 
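Review bot: add_preauth_opt accepts an empty attribute name — `-X =value` stores `p->attr` as "" and `-X ""` does the same — and nothing rejects it, so a guard at the top, `if (*av == '\0' || *av == '=') return EINVAL;`, would report the bad option at parse time instead of handing an empty name to krb5_get_init_creds_opt_set_pa later. The malloc/realloc split is also unnecessary: `realloc(NULL, n)` behaves as malloc, so the two branches can collapse into one realloc into the temporary `x`, keeping the existing no-leak-on-failure handling. Both `attr` and `value` alias the argv string (the `'='` is overwritten in place), so the entries must not outlive argv; a one-line comment saying so would explain why the cleanup code frees only the array. The function also relies on `num_pa_opts`/`pa_opts` starting zeroed, presumably because k_opts is memset by the caller, which is outside the hunk.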
@@ -752,12 +795,15 @@ k5_kinit(opts, k5) krb5_keytab keytab = 0; krb5_creds my_creds; krb5_error_code code = 0; - krb5_get_init_creds_opt options; + krb5_get_init_creds_opt *options = NULL; + int i; if (!got_k5) return 0; - krb5_get_init_creds_opt_init(&options); + code = krb5_get_init_creds_opt_alloc(k5->ctx, &options); + if (code) + goto cleanup; memset(&my_creds, 0, sizeof(my_creds)); /* @@ -766,17 +812,17 @@ k5_kinit(opts, k5) */ if (opts->lifetime) - krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime); + krb5_get_init_creds_opt_set_tkt_life(options, opts->lifetime); if (opts->rlife) - krb5_get_init_creds_opt_set_renew_life(&options, opts->rlife); + krb5_get_init_creds_opt_set_renew_life(options, opts->rlife); if (opts->forwardable) - krb5_get_init_creds_opt_set_forwardable(&options, 1); + krb5_get_init_creds_opt_set_forwardable(options, 1); if (opts->not_forwardable) - krb5_get_init_creds_opt_set_forwardable(&options, 0); + krb5_get_init_creds_opt_set_forwardable(options, 0); if (opts->proxiable) - krb5_get_init_creds_opt_set_proxiable(&options, 1); + krb5_get_init_creds_opt_set_proxiable(options, 1); if (opts->not_proxiable) - krb5_get_init_creds_opt_set_proxiable(&options, 0); + krb5_get_init_creds_opt_set_proxiable(options, 0); if (opts->addresses) { krb5_address **addresses = NULL; @@ -785,10 +831,10 @@ k5_kinit(opts, k5) com_err(progname, code, "getting local addresses"); goto cleanup; } - krb5_get_init_creds_opt_set_address_list(&options, addresses); + krb5_get_init_creds_opt_set_address_list(options, addresses); } if (opts->no_addresses) - krb5_get_init_creds_opt_set_address_list(&options, NULL); + krb5_get_init_creds_opt_set_address_list(options, NULL); if ((opts->action == INIT_KT) && opts->keytab_name) { 
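Review bot: The new `goto cleanup` after krb5_get_init_creds_opt_alloc runs before `memset(&my_creds, 0, sizeof(my_creds))`, so on allocation failure the cleanup label (in the later @@ -876 hunk) tests `my_creds.client` and calls krb5_free_cred_contents on an uninitialized struct. Move the memset above the allocation, i.e. `memset(&my_creds, 0, sizeof(my_creds));` first, then `code = krb5_get_init_creds_opt_alloc(k5->ctx, &options);` with its `if (code) goto cleanup;`. The failure is also silent: every other error path in k5_kinit reports through com_err before jumping, so add `com_err(progname, code, "while allocating get_init_creds_opt");` ahead of the goto. k5_kinit starts before this hunk and continues past it.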
@@ -800,20 +846,49 @@ k5_kinit(opts, k5) } } + for (i = 0; i < opts->num_pa_opts; i++) { + code = krb5_get_init_creds_opt_set_pa(k5->ctx, options, + opts->pa_opts[i].attr, + opts->pa_opts[i].value); + if (code != 0) { + com_err(progname, code, "while setting '%s'='%s'", + opts->pa_opts[i].attr, opts->pa_opts[i].value); + goto cleanup; + } + } + +#if 0 /* XXX Testing... */ + code = krb5_get_init_creds_opt_set_pkinit( + k5->ctx, /* context */ + options, /* get_init_creds_opt */ + NULL, /* principal */ + "/tmp/x509up_u20010", /* X509_user_identity */ + "/etc/grid-security/certificates", /* X509_anchors */ + NULL, /* X509_chain_list */ + NULL, /* X509_revoke_list */ + 0, /* flags */ + NULL, /* prompter_fct */ + NULL, /* prompter_data */ + NULL); /* password */ + if (code) { + com_err(progname, code, "while setting pkinit options"); + goto cleanup; + } +#endif switch (opts->action) { case INIT_PW: code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, 0, kinit_prompter, 0, opts->starttime, opts->service_name, - &options); + options); break; case INIT_KT: code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, keytab, opts->starttime, opts->service_name, - &options); + options); break; case VALIDATE: code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->cc, @@ -876,9 +951,16 @@ k5_kinit(opts, k5) notix = 0; cleanup: + if (options) + krb5_get_init_creds_opt_free(k5->ctx, options); if (my_creds.client == k5->me) { my_creds.client = 0; } + if (opts->pa_opts) { + free(opts->pa_opts); + opts->pa_opts = NULL; + opts->num_pa_opts = 0; + } krb5_free_cred_contents(k5->ctx, &my_creds); if (keytab) krb5_kt_close(k5->ctx, keytab); diff --git a/src/clients/kpasswd/kpasswd.c b/src/clients/kpasswd/kpasswd.c index 95e33ff..204a8bf 100644 --- a/src/clients/kpasswd/kpasswd.c +++ b/src/clients/kpasswd/kpasswd.c 
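Review bot: The `#if 0 /* XXX Testing... */` block inserted before `switch (opts->action)` is dead code that hard-codes a per-user path under `/tmp` and a site-specific anchors directory; the commit message already says it does not belong in kinit.c, so it should be dropped rather than committed disabled, since blocks like this tend to be re-enabled verbatim later, fixed `/tmp` paths included. The preceding loop is fine as far as the hunk shows: a failing krb5_get_init_creds_opt_set_pa is reported with the offending attr/value and jumps to cleanup, and both strings are passed as `%s` arguments rather than as the format. k5_kinit starts before this hunk and ends after it.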
@@ -49,7 +49,7 @@ int main(int argc, char *argv[]) krb5_principal princ; char *pname; krb5_ccache ccache; - krb5_get_init_creds_opt opts; + krb5_get_init_creds_opt *opts = NULL; krb5_creds creds; char pw[1024]; @@ -102,26 +102,31 @@ int main(int argc, char *argv[]) get_name_from_passwd_file(argv[0], context, &princ); } - krb5_get_init_creds_opt_init(&opts); - krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); - krb5_get_init_creds_opt_set_renew_life(&opts, 0); - krb5_get_init_creds_opt_set_forwardable(&opts, 0); - krb5_get_init_creds_opt_set_proxiable(&opts, 0); + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { + com_err(argv[0], ret, "allocating krb5_get_init_creds_opt"); + exit(1); + } + krb5_get_init_creds_opt_set_tkt_life(opts, 5*60); + krb5_get_init_creds_opt_set_renew_life(opts, 0); + krb5_get_init_creds_opt_set_forwardable(opts, 0); + krb5_get_init_creds_opt_set_proxiable(opts, 0); if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL, krb5_prompter_posix, NULL, - 0, "kadmin/changepw", &opts))) { + 0, "kadmin/changepw", opts))) { if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) com_err(argv[0], 0, "Password incorrect while getting initial ticket"); else com_err(argv[0], ret, "getting initial ticket"); + krb5_get_init_creds_opt_free(context, opts); exit(1); } pwlen = sizeof(pw); if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) { com_err(argv[0], ret, "while reading password"); + krb5_get_init_creds_opt_free(context, opts); exit(1); } @@ -129,6 +134,7 @@ int main(int argc, char *argv[]) &result_code, &result_code_string, &result_string))) { com_err(argv[0], ret, "changing password"); + krb5_get_init_creds_opt_free(context, opts); exit(1); } @@ -138,6 +144,7 @@ int main(int argc, char *argv[]) result_string.length?": ":"", (int) result_string.length, result_string.data ? result_string.data : ""); + krb5_get_init_creds_opt_free(context, opts); exit(2); } 
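Review bot: `krb5_get_init_creds_opt_free(context, opts);` is now pasted in front of every `exit()` that follows the krb5_get_init_creds_password call — in this @@ -102 hunk, in the @@ -129 and @@ -138 hunks, and in the @@ -145 hunk on the next line — and every future exit path will need the same line. As far as these hunks show, `opts` is not referenced again once krb5_get_init_creds_password returns, so freeing it immediately after that call, on both the success and the failure branch, removes four of the five copies; if it is still needed later, a single cleanup label before the final `exit(0)` is the alternative. main starts before this hunk and ends after the @@ -145 hunk.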
@@ -145,6 +152,7 @@ int main(int argc, char *argv[]) free(result_string.data); if (result_code_string.data != NULL) free(result_code_string.data); + krb5_get_init_creds_opt_free(context, opts); printf("Password changed.\n"); exit(0); diff --git a/src/clients/kpasswd/ksetpwd.c b/src/clients/kpasswd/ksetpwd.c index 148e686..2eec397 100644 --- a/src/clients/kpasswd/ksetpwd.c +++ b/src/clients/kpasswd/ksetpwd.c @@ -34,8 +34,6 @@ static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions ) { krb5_preauthtype preauth[] = { KRB5_PADATA_ENC_TIMESTAMP }; krb5_enctype etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC}; - memset( outOptions, 0, sizeof(*outOptions) ); - krb5_get_init_creds_opt_init(outOptions); krb5_get_init_creds_opt_set_address_list(outOptions, NULL); krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) ); krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) ); @@ -128,17 +126,21 @@ static kbrccache_t userinitcontext( } if( kres != 0 || have_credentials == 0 ) { - krb5_get_init_creds_opt options; - get_init_creds_opt_init(&options); + krb5_get_init_creds_opt *options = NULL; + kres = krb5_get_init_creds_opt_alloc(kcontext, &options); + if ( kres == 0 ) + { + get_init_creds_opt_init(options); /* ** no valid credentials - get new ones */ - kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass, - NULL /*prompter*/, - NULL /*data*/, - 0 /*starttime*/, - 0 /*in_tkt_service*/, - &options /*options*/ ); + kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass, + NULL /*prompter*/, + NULL /*data*/, + 0 /*starttime*/, + 0 /*in_tkt_service*/, + options /*options*/ ); + } if( kres == 0 ) { if( numCreds <= 0 ) @@ -148,6 +150,7 @@ static kbrccache_t userinitcontext( if( kres == 0 ) have_credentials = 1; } + krb5_get_init_creds_opt_free(kcontext, options); } #ifdef NOTUSED if( have_credentials ) |
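Review bot: In the @@ -34 hunk of ksetpwd.c, get_init_creds_opt_init no longer initializes anything — with the memset and krb5_get_init_creds_opt_init removed it only sets fields on an opt the caller must already have obtained from krb5_get_init_creds_opt_alloc — so its name now overstates what it does. At minimum a header comment such as `/* outOptions must come from krb5_get_init_creds_opt_alloc(); this only sets fields */` would keep the next caller from passing a stack struct as before. The function's body continues past the hunk.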
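Review bot: In the @@ -148 hunk, `krb5_get_init_creds_opt_free(kcontext, options);` runs unconditionally after the `if ( kres == 0 )` block, so when krb5_get_init_creds_opt_alloc fails in the @@ -128 hunk `options` is still NULL when it is freed. kinit.c in this same commit guards the call with `if (options)`; ksetpwd should do the same unless the free is documented NULL-safe, `if (options) krb5_get_init_creds_opt_free(kcontext, options);`. userinitcontext starts before the @@ -128 hunk and continues past the @@ -148 hunk.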