krb5_passwd.c revision 1.13
1 1.13 thorpej /* $NetBSD: krb5_passwd.c,v 1.13 2005/02/26 07:19:25 thorpej Exp $ */ 2 1.2 thorpej 3 1.8 thorpej /* 4 1.13 thorpej * Copyright (c) 2000, 2005 The NetBSD Foundation, Inc. 5 1.1 brezak * All rights reserved. 6 1.1 brezak * 7 1.13 thorpej * This code is derived from software contributed to The NetBSD Foundation 8 1.13 thorpej * by Johan Danielsson; and by Jason R. Thorpe. 9 1.8 thorpej * 10 1.8 thorpej * Redistribution and use in source and binary forms, with or without 11 1.8 thorpej * modification, are permitted provided that the following conditions 12 1.8 thorpej * are met: 13 1.8 thorpej * 14 1.8 thorpej * 1. Redistributions of source code must retain the above copyright 15 1.8 thorpej * notice, this list of conditions and the following disclaimer. 16 1.8 thorpej * 2. Redistributions in binary form must reproduce the above copyright 17 1.8 thorpej * notice, this list of conditions and the following disclaimer in the 18 1.8 thorpej * documentation and/or other materials provided with the distribution. 19 1.13 thorpej * 3. All advertising materials mentioning features or use of this software 20 1.13 thorpej * must display the following acknowledgement: 21 1.13 thorpej * This product includes software developed by the NetBSD 22 1.13 thorpej * Foundation, Inc. and its contributors. 23 1.13 thorpej * 4. Neither the name of The NetBSD Foundation nor the names of its 24 1.8 thorpej * contributors may be used to endorse or promote products derived 25 1.8 thorpej * from this software without specific prior written permission. 26 1.8 thorpej * 27 1.8 thorpej * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 28 1.8 thorpej * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 29 1.8 thorpej * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 30 1.8 thorpej * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 31 1.8 thorpej * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 32 1.8 thorpej * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 33 1.8 thorpej * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 34 1.8 thorpej * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 35 1.8 thorpej * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 36 1.8 thorpej * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 37 1.8 thorpej * POSSIBILITY OF SUCH DAMAGE. 38 1.1 brezak */ 39 1.1 brezak 40 1.8 thorpej /* uses the `Kerberos Change Password Protocol' */ 41 1.8 thorpej 42 1.1 brezak #include <stdio.h> 43 1.5 lukem #include <stdlib.h> 44 1.1 brezak #include <string.h> 45 1.8 thorpej #include <err.h> 46 1.13 thorpej #include <errno.h> 47 1.9 ad #include <pwd.h> 48 1.13 thorpej #include <unistd.h> 49 1.1 brezak 50 1.11 itojun #include <openssl/ui.h> 51 1.8 thorpej #include <krb5.h> 52 1.1 brezak 53 1.8 thorpej #include "extern.h" 54 1.1 brezak 55 1.13 thorpej #ifdef USE_PAM 56 1.13 thorpej 57 1.13 thorpej void 58 1.13 thorpej pwkrb5_usage(const char *prefix) 59 1.13 thorpej { 60 1.13 thorpej 61 1.13 thorpej (void) fprintf(stderr, "%s %s [-d krb5 | -k] [principal]\n", 62 1.13 thorpej prefix, getprogname()); 63 1.13 thorpej } 64 1.13 thorpej 65 1.13 thorpej void 66 1.13 thorpej pwkrb5_argv0_usage(const char *prefix) 67 1.13 thorpej { 68 1.13 thorpej 69 1.13 thorpej (void) fprintf(stderr, "%s %s [principal]\n", 70 1.13 thorpej prefix, getprogname()); 71 1.13 thorpej } 72 1.13 thorpej 73 1.13 thorpej void 74 1.13 thorpej pwkrb5_process(const char *username, int argc, char **argv) 75 1.13 thorpej { 76 1.13 thorpej krb5_context context; 77 1.13 thorpej krb5_error_code ret; 78 1.13 thorpej krb5_get_init_creds_opt opt; 79 1.13 thorpej krb5_principal principal; 80 1.13 thorpej krb5_creds cred; 81 1.13 thorpej int result_code; 82 1.13 thorpej krb5_data result_code_string, result_string; 83 1.13 thorpej char pwbuf[BUFSIZ]; 84 1.13 thorpej int ch; 85 1.13 thorpej 86 1.13 thorpej while ((ch = getopt(argc, argv, "5ku:")) != -1) { 87 1.13 thorpej switch (ch) { 88 1.13 thorpej case '5': 89 1.13 thorpej /* 90 1.13 thorpej * Compatibility option that historically 91 1.13 thorpej * specified to use Kerberos 5. Silently 92 1.13 thorpej * ignore it. 93 1.13 thorpej */ 94 1.13 thorpej break; 95 1.13 thorpej 96 1.13 thorpej case 'k': 97 1.13 thorpej /* 98 1.13 thorpej * Absorb the -k that may have gotten us here. 99 1.13 thorpej */ 100 1.13 thorpej break; 101 1.13 thorpej 102 1.13 thorpej case 'u': 103 1.13 thorpej /* 104 1.13 thorpej * Historical option to specify principal. 105 1.13 thorpej */ 106 1.13 thorpej username = optarg; 107 1.13 thorpej break; 108 1.13 thorpej 109 1.13 thorpej default: 110 1.13 thorpej usage(); 111 1.13 thorpej /* NOTREACHED */ 112 1.13 thorpej } 113 1.13 thorpej } 114 1.13 thorpej 115 1.13 thorpej argc -= optind; 116 1.13 thorpej argv += optind; 117 1.13 thorpej 118 1.13 thorpej switch (argc) { 119 1.13 thorpej case 0: 120 1.13 thorpej /* username already provided */ 121 1.13 thorpej break; 122 1.13 thorpej case 1: 123 1.13 thorpej /* overrides -u <principal> */ 124 1.13 thorpej username = argv[0]; 125 1.13 thorpej break; 126 1.13 thorpej default: 127 1.13 thorpej usage(); 128 1.13 thorpej /* NOTREACHED */ 129 1.13 thorpej } 130 1.13 thorpej 131 1.13 thorpej ret = krb5_init_context(&context); 132 1.13 thorpej if (ret != 0) { 133 1.13 thorpej if (ret == ENXIO) 134 1.13 thorpej errx(1, "Kerberos 5 not in use."); 135 1.13 thorpej warnx("Unable to initialize Kerberos 5: %s", 136 1.13 thorpej krb5_get_err_text(context, ret)); 137 1.13 thorpej goto bad; 138 1.13 thorpej } 139 1.13 thorpej 140 1.13 thorpej krb5_get_init_creds_opt_init(&opt); 141 1.13 thorpej 142 1.13 thorpej krb5_get_init_creds_opt_set_tkt_life(&opt, 300); 143 1.13 thorpej krb5_get_init_creds_opt_set_forwardable(&opt, FALSE); 144 1.13 thorpej krb5_get_init_creds_opt_set_proxiable(&opt, FALSE); 145 1.13 thorpej 146 1.13 thorpej ret = krb5_parse_name(context, username, &principal); 147 1.13 thorpej if (ret) { 148 1.13 thorpej warnx("failed to parse principal: %s", 149 1.13 thorpej krb5_get_err_text(context, ret)); 150 1.13 thorpej goto bad; 151 1.13 thorpej } 152 1.13 thorpej 153 1.13 thorpej ret = krb5_get_init_creds_password(context, 154 1.13 thorpej &cred, 155 1.13 thorpej principal, 156 1.13 thorpej NULL, 157 1.13 thorpej krb5_prompter_posix, 158 1.13 thorpej NULL, 159 1.13 thorpej 0, 160 1.13 thorpej "kadmin/changepw", 161 1.13 thorpej &opt); 162 1.13 thorpej 163 1.13 thorpej 164 1.13 thorpej switch (ret) { 165 1.13 thorpej case 0: 166 1.13 thorpej break; 167 1.13 thorpej 168 1.13 thorpej case KRB5_LIBOS_PWDINTR : 169 1.13 thorpej /* XXX */ 170 1.13 thorpej goto bad; 171 1.13 thorpej 172 1.13 thorpej case KRB5KRB_AP_ERR_BAD_INTEGRITY : 173 1.13 thorpej case KRB5KRB_AP_ERR_MODIFIED : 174 1.13 thorpej fprintf(stderr, "Password incorrect\n"); 175 1.13 thorpej goto bad; 176 1.13 thorpej break; 177 1.13 thorpej 178 1.13 thorpej default: 179 1.13 thorpej warnx("failed to get credentials: %s", 180 1.13 thorpej krb5_get_err_text(context, ret)); 181 1.13 thorpej goto bad; 182 1.13 thorpej } 183 1.13 thorpej 184 1.13 thorpej krb5_data_zero(&result_code_string); 185 1.13 thorpej krb5_data_zero(&result_string); 186 1.13 thorpej 187 1.13 thorpej /* XXX use getpass? It has a broken interface. */ 188 1.13 thorpej if (UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), 189 1.13 thorpej "New password: ", 1) != 0) 190 1.13 thorpej goto bad; 191 1.13 thorpej 192 1.13 thorpej ret = krb5_set_password(context, &cred, pwbuf, NULL, 193 1.13 thorpej &result_code, 194 1.13 thorpej &result_code_string, 195 1.13 thorpej &result_string); 196 1.13 thorpej if (ret) { 197 1.13 thorpej warnx("unable to set password: %s", 198 1.13 thorpej krb5_get_err_text(context, ret)); 199 1.13 thorpej goto bad; 200 1.13 thorpej } 201 1.13 thorpej 202 1.13 thorpej printf("%s%s%.*s\n", 203 1.13 thorpej krb5_passwd_result_to_string(context, result_code), 204 1.13 thorpej result_string.length > 0 ? " : " : "", 205 1.13 thorpej (int)result_string.length, 206 1.13 thorpej result_string.length > 0 ? (char *)result_string.data : ""); 207 1.13 thorpej 208 1.13 thorpej krb5_data_free(&result_code_string); 209 1.13 thorpej krb5_data_free(&result_string); 210 1.13 thorpej 211 1.13 thorpej krb5_free_creds_contents(context, &cred); 212 1.13 thorpej krb5_free_context(context); 213 1.13 thorpej if (result_code) 214 1.13 thorpej exit(1); 215 1.13 thorpej return; 216 1.13 thorpej 217 1.13 thorpej bad: 218 1.13 thorpej krb5_free_context(context); 219 1.13 thorpej exit(1); 220 1.13 thorpej } 221 1.13 thorpej 222 1.13 thorpej #else /* ! USE_PAM */ 223 1.13 thorpej 224 1.8 thorpej static krb5_context context; 225 1.8 thorpej static krb5_principal defprinc; 226 1.13 thorpej static int kusage = PW_USE; 227 1.1 brezak 228 1.3 tls int 229 1.8 thorpej krb5_init(const char *progname) 230 1.1 brezak { 231 1.8 thorpej return krb5_init_context(&context); 232 1.8 thorpej } 233 1.1 brezak 234 1.8 thorpej int 235 1.8 thorpej krb5_arg (char ch, const char *optarg) 236 1.1 brezak { 237 1.8 thorpej krb5_error_code ret; 238 1.8 thorpej switch(ch) { 239 1.8 thorpej case '5': 240 1.8 thorpej case 'k': 241 1.13 thorpej kusage = PW_USE_FORCE; 242 1.8 thorpej return 1; 243 1.8 thorpej case 'u': 244 1.8 thorpej ret = krb5_parse_name(context, optarg, &defprinc); 245 1.8 thorpej if(ret) { 246 1.8 thorpej krb5_warn(context, ret, "%s", optarg); 247 1.8 thorpej return 0; 248 1.1 brezak } 249 1.8 thorpej return 1; 250 1.1 brezak } 251 1.8 thorpej return 0; 252 1.1 brezak } 253 1.1 brezak 254 1.8 thorpej int 255 1.8 thorpej krb5_arg_end(void) 256 1.1 brezak { 257 1.13 thorpej return kusage; 258 1.1 brezak } 259 1.1 brezak 260 1.8 thorpej void 261 1.8 thorpej krb5_end(void) 262 1.1 brezak { 263 1.10 fvdl if (context == NULL) 264 1.10 fvdl return; 265 1.8 thorpej if(defprinc) 266 1.8 thorpej krb5_free_principal(context, defprinc); 267 1.8 thorpej krb5_free_context(context); 268 1.1 brezak } 269 1.1 brezak 270 1.1 brezak 271 1.8 thorpej int 272 1.8 thorpej krb5_chpw(const char *username) 273 1.1 brezak { 274 1.8 thorpej krb5_error_code ret; 275 1.8 thorpej krb5_context context; 276 1.8 thorpej krb5_principal principal; 277 1.8 thorpej krb5_get_init_creds_opt opt; 278 1.8 thorpej krb5_creds cred; 279 1.8 thorpej int result_code; 280 1.8 thorpej krb5_data result_code_string, result_string; 281 1.8 thorpej char pwbuf[BUFSIZ]; 282 1.8 thorpej 283 1.8 thorpej ret = krb5_init_context (&context); 284 1.8 thorpej if (ret) { 285 1.8 thorpej warnx("failed kerberos initialisation: %s", 286 1.8 thorpej krb5_get_err_text(context, ret)); 287 1.8 thorpej return 1; 288 1.8 thorpej } 289 1.8 thorpej 290 1.8 thorpej krb5_get_init_creds_opt_init (&opt); 291 1.8 thorpej 292 1.8 thorpej krb5_get_init_creds_opt_set_tkt_life (&opt, 300); 293 1.8 thorpej krb5_get_init_creds_opt_set_forwardable (&opt, FALSE); 294 1.8 thorpej krb5_get_init_creds_opt_set_proxiable (&opt, FALSE); 295 1.8 thorpej 296 1.8 thorpej if(username != NULL) { 297 1.8 thorpej ret = krb5_parse_name (context, username, &principal); 298 1.8 thorpej if (ret) { 299 1.8 thorpej warnx("failed to parse principal: %s", 300 1.8 thorpej krb5_get_err_text(context, ret)); 301 1.8 thorpej return 1; 302 1.1 brezak } 303 1.8 thorpej } else 304 1.8 thorpej principal = defprinc; 305 1.1 brezak 306 1.8 thorpej ret = krb5_get_init_creds_password (context, 307 1.8 thorpej &cred, 308 1.8 thorpej principal, 309 1.8 thorpej NULL, 310 1.8 thorpej krb5_prompter_posix, 311 1.8 thorpej NULL, 312 1.8 thorpej 0, 313 1.8 thorpej "kadmin/changepw", 314 1.8 thorpej &opt); 315 1.8 thorpej 316 1.8 thorpej switch (ret) { 317 1.8 thorpej case 0: 318 1.8 thorpej break; 319 1.8 thorpej case KRB5_LIBOS_PWDINTR : 320 1.8 thorpej /* XXX */ 321 1.8 thorpej return 1; 322 1.8 thorpej case KRB5KRB_AP_ERR_BAD_INTEGRITY : 323 1.8 thorpej case KRB5KRB_AP_ERR_MODIFIED : 324 1.8 thorpej fprintf(stderr, "Password incorrect\n"); 325 1.8 thorpej return 1; 326 1.8 thorpej break; 327 1.8 thorpej default: 328 1.8 thorpej warnx("failed to get credentials: %s", 329 1.8 thorpej krb5_get_err_text(context, ret)); 330 1.8 thorpej return 1; 331 1.8 thorpej } 332 1.8 thorpej krb5_data_zero (&result_code_string); 333 1.8 thorpej krb5_data_zero (&result_string); 334 1.8 thorpej 335 1.8 thorpej /* XXX use getpass? It has a broken interface. */ 336 1.11 itojun if(UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), "New password: ", 1) != 0) 337 1.8 thorpej return 1; 338 1.8 thorpej 339 1.12 lha ret = krb5_set_password (context, &cred, pwbuf, NULL, 340 1.12 lha &result_code, 341 1.12 lha &result_code_string, 342 1.12 lha &result_string); 343 1.8 thorpej if (ret) 344 1.12 lha krb5_err (context, 1, ret, "krb5_set_password"); 345 1.8 thorpej 346 1.12 lha printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code), 347 1.12 lha result_string.length > 0 ? " : " : "", 348 1.12 lha (int)result_string.length, 349 1.12 lha result_string.length > 0 ? (char *)result_string.data : ""); 350 1.8 thorpej 351 1.8 thorpej krb5_data_free (&result_code_string); 352 1.8 thorpej krb5_data_free (&result_string); 353 1.8 thorpej 354 1.8 thorpej krb5_free_creds_contents (context, &cred); 355 1.8 thorpej krb5_free_context (context); 356 1.8 thorpej return result_code; 357 1.1 brezak } 358 1.13 thorpej 359 1.13 thorpej #endif /* USE_PAM */ 360
Indexes created Mon Sep 29 03:10:08 GMT 2025