/* ========================================================================
 * Copyright 1988-2006 University of Washington
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *
 * ========================================================================
 */

/*
 * Program:	MIT Kerberos routines
 *
 * Author:	Mark Crispin
 *		Networks and Distributed Computing
 *		Computing & Communications
 *		University of Washington
 *		Administration Building, AG-44
 *		Seattle, WA 98195
 *		Internet: MRC@CAC.Washington.EDU
 *
 * Date:	4 March 2003
 * Last Edited:	30 August 2006
 */

/* PROTOTYPE is defined before the GSSAPI headers are pulled in; presumably
 * an older krb5/gssapi header expects it for its prototype declarations —
 * confirm against the installed headers before removing it. */
#define PROTOTYPE(x) x
#include <gssapi/gssapi_generic.h>
#include <gssapi/gssapi_krb5.h>


/* Forward declarations for the three entry points defined below.
 *
 * NOTE(review): NIL, LONGT, NETMAXUSER, authserver_login(), lcase() and
 * myusername() are used in this file but not declared here; this file looks
 * like it is #included into a larger translation unit that supplies them —
 * confirm, it does not compile on its own. */
long kerberos_server_valid (void);
long kerberos_try_kinit (OM_uint32 error);
char *kerberos_login (char *user,char *authuser,int argc,char *argv[]);
/* Kerberos server valid check
 * Returns: T if have keytab, NIL otherwise
 *
 * Note that this routine will probably return T only if the process is root.
 * This is alright since the server is probably still root at this point.
 *
 * "Valid" here means only that the default keytab can be opened and a
 * sequence get can be started and ended on it; no entry is read, so an
 * unreadable or misconfigured keytab yields NIL while a readable one yields
 * T (a well-formed keytab with no entries probably still yields T — confirm
 * if that matters to the caller).  Each resource is released on exactly one
 * path: the keytab only if krb5_kt_default succeeded, the context only if
 * krb5_init_context succeeded, and the cursor is only ended when the start
 * succeeded, because && short-circuits before the uninitialised cursor is
 * touched.
 */

long kerberos_server_valid (void)
{
  krb5_context ctx;
  krb5_keytab kt;
  krb5_kt_cursor csr;
  long ret = NIL;		/* pessimistic until the keytab checks out */
  if (krb5_init_context (&ctx)) return ret;	/* no context, no answer */
  if (krb5_kt_default (ctx,&kt)) goto free_ctx;	/* no usable default keytab */
  /* starting and ending a cursor both succeeding means keytab is readable */
  if (!krb5_kt_start_seq_get (ctx,kt,&csr) &&
      !krb5_kt_end_seq_get (ctx,kt,&csr)) ret = LONGT;
  krb5_kt_close (ctx,kt);	/* finished with keytab */
free_ctx:
  krb5_free_context (ctx);	/* finished with context */
  return ret;
}
/* Kerberos check for missing or expired credentials
 * Returns: T if should suggest running kinit, NIL otherwise
 *
 * Accepts: error	a krb5 error code carried in an OM_uint32 (presumably the
 *			minor status of a failed GSSAPI call — confirm against
 *			the caller); only the three codes below mean "no usable
 *			ticket", anything else is NIL
 *
 * The krb5 error table defines its codes as negative long constants, while
 * the argument is an unsigned 32-bit value.  The original switch matched
 * because C converts each case label to the promoted type of the controlling
 * expression, i.e. to OM_uint32; the explicit casts below reproduce exactly
 * that comparison.  Do not drop the casts: an uncast comparison against a
 * negative long would promote the OM_uint32 to long on an LP64 host and
 * never match.
 */

long kerberos_try_kinit (OM_uint32 error)
{
  if (error == (OM_uint32) KRB5KRB_AP_ERR_TKT_EXPIRED) return LONGT;
  if (error == (OM_uint32) KRB5_FCC_NOFILE) return LONGT;	/* MIT */
  if (error == (OM_uint32) KRB5_CC_NOTFOUND) return LONGT;	/* Heimdal */
  return NIL;			/* any other failure is not a "run kinit" case */
}
/* Kerberos server log in
 * Accepts: authorization ID as user name
 *	    authentication ID as Kerberos principal
 *	    argument count
 *	    argument vector
 * Returns: logged in user name if logged in, NIL otherwise
 *
 * authuser is the identity the client authenticated as (its Kerberos
 * principal); user is the account it asks to act as.  The principal is first
 * mapped to a local account name with krb5_aname_to_localname, and only that
 * mapped name is put to authserver_login with the authorization question
 * "may this local name log in as user".  A principal with no local name, or
 * one the mapping rejects, therefore never reaches the authorization check
 * and fails closed with NIL.
 *
 * Every failure — no context, unparsable principal, no local name, login
 * refused — returns NIL; the caller cannot distinguish them from this value.
 * NOTE(review): lcase() appears to lowercase user in place before the second
 * attempt, so the caller's buffer may come back modified — confirm.
 * NOTE(review): myusername() presumably returns storage the caller must not
 * free — confirm against its definition.
 */

char *kerberos_login (char *user,char *authuser,int argc,char *argv[])
{
  krb5_context ctx;
  krb5_principal prnc;
  char kuser[NETMAXUSER];	/* local account name for the principal */
  char *ret = NIL;
  if (krb5_init_context (&ctx)) return ret;	/* no context: fail closed */
  if (krb5_parse_name (ctx,authuser,&prnc)) goto free_ctx;	/* bad principal */
  /* map principal to local name; one byte less than the buffer is passed,
   * presumably to guarantee room for the terminating NUL — confirm */
  if (krb5_aname_to_localname (ctx,prnc,NETMAXUSER-1,kuser)) goto free_prnc;
  /* is the local name permitted to log in as user, as given or lowercased? */
  if (authserver_login (user,kuser,argc,argv)) ret = myusername ();
  else if (authserver_login (lcase (user),kuser,argc,argv)) ret = myusername ();
free_prnc:
  krb5_free_principal (ctx,prnc);
free_ctx:
  krb5_free_context (ctx);	/* finished with context */
  return ret;
}