1 /* ========================================================================
2 * Copyright 1988-2007 University of Washington
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *
11 * ========================================================================
12 */
13
14 /*
15 * Program: Kerberos 5 check password
16 *
17 * Author: Mark Crispin
18 * Networks and Distributed Computing
19 * Computing & Communications
20 * University of Washington
21 * Administration Building, AG-44
22 * Seattle, WA 98195
23 * Internet: MRC@CAC.Washington.EDU
24 *
25 * Date: 1 August 1988
26 * Last Edited: 11 October 2007
27 */
28
29 /* Check password
30 * Accepts: login passwd struct
31 * password string
32 * argument count
33 * argument vector
34 * Returns: passwd struct if password validated, NIL otherwise
35 */
36
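struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
  char svrnam[MAILTMPLEN],cltnam[MAILTMPLEN];
  krb5_context ctx;
  krb5_timestamp now;
  krb5_principal service = NIL;
  krb5_ccache ccache = NIL;
  krb5_creds *crd;
  struct passwd *ret = NIL;
				/* argc/argv are not used by this checker */
  if (!*pass) return NIL;	/* empty password never validates */
  if (krb5_init_context (&ctx)) return NIL;
				/* zero-filled so krb5_free_creds () below is
				 * safe whatever subset of fields got filled */
  crd = (krb5_creds *) memset (fs_get (sizeof (krb5_creds)),0,
			       sizeof (krb5_creds));
				/* service name: both parts length-bounded and
				 * the write itself bounded to the buffer */
  snprintf (svrnam,sizeof svrnam,"%.80s@%.512s",
	    (char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
	    tcp_serverhost ());
				/* client name with service instance */
  snprintf (cltnam,sizeof cltnam,"%.80s/%.80s",pw->pw_name,
	    (char *) mail_parameters (NIL,GET_SERVICENAME,NIL));
				/* get time, client and server principals */
  if (!krb5_timeofday (ctx,&now) &&
				/* Normally, kerb_cp_svr_name (defined/set in
				 * env_unix.c) is NIL, so only the user name is
				 * used as a client principal. A few sites want
				 * to have separate client principals for
				 * different services, but many other sites
				 * vehemently object...
				 */
      !krb5_parse_name (ctx,kerb_cp_svr_name ? cltnam : pw->pw_name,
			&crd->client) &&
      !krb5_parse_name (ctx,svrnam,&service) &&
				/* TGS principal in the client's own realm */
      !krb5_build_principal_ext (ctx,&crd->server,
				 krb5_princ_realm (ctx,crd->client)->length,
				 krb5_princ_realm (ctx,crd->client)->data,
				 KRB5_TGS_NAME_SIZE,KRB5_TGS_NAME,
				 krb5_princ_realm (ctx,crd->client)->length,
				 krb5_princ_realm (ctx,crd->client)->data,
				 0)) {
    crd->times.endtime = now + (3 * 60);	/* expire in 3 minutes */
				/* private in-memory cache for the ticket; if
				 * it can't be set up, go on without one rather
				 * than leaking a half-resolved handle */
    if (krb5_cc_resolve (ctx,"MEMORY:pwk",&ccache)) ccache = NIL;
    else if (krb5_cc_initialize (ctx,ccache,crd->client)) {
      krb5_cc_close (ctx,ccache);
      ccache = NIL;
    }
				/* obtain a TGT with the password, then verify
				 * it against this host's own service key so a
				 * forged KDC reply can't validate the login.
				 * NOTE(review): the options argument is NIL, so
				 * whether a missing keytab entry makes the
				 * verification fail is decided by the
				 * library's verify_ap_req_nofail setting --
				 * confirm it is enabled in deployment */
    if (!krb5_get_in_tkt_with_password (ctx,NIL,NIL,NIL,NIL,pass,ccache,
					crd,0) &&
	!krb5_verify_init_creds (ctx,crd,service,0,ccache ? &ccache : 0,0))
      ret = pw;
				/* discard the short-lived ticket and cache */
    if (ccache) krb5_cc_destroy (ctx,ccache);
  }
				/* release on every path, not just on success */
  if (service) krb5_free_principal (ctx,service);
  krb5_free_creds (ctx,crd);	/* frees principals, ticket data and crd */
  krb5_free_context (ctx);	/* don't need context any more */
  return ret;
}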