krb5_passwd.c revision 1.18
1 1.18 mlelstv /* $NetBSD: krb5_passwd.c,v 1.18 2009/04/18 09:04:34 mlelstv Exp $ */ 2 1.2 thorpej 3 1.8 thorpej /* 4 1.13 thorpej * Copyright (c) 2000, 2005 The NetBSD Foundation, Inc. 5 1.1 brezak * All rights reserved. 6 1.1 brezak * 7 1.13 thorpej * This code is derived from software contributed to The NetBSD Foundation 8 1.13 thorpej * by Johan Danielsson; and by Jason R. Thorpe. 9 1.8 thorpej * 10 1.8 thorpej * Redistribution and use in source and binary forms, with or without 11 1.8 thorpej * modification, are permitted provided that the following conditions 12 1.8 thorpej * are met: 13 1.8 thorpej * 14 1.8 thorpej * 1. Redistributions of source code must retain the above copyright 15 1.8 thorpej * notice, this list of conditions and the following disclaimer. 16 1.8 thorpej * 2. Redistributions in binary form must reproduce the above copyright 17 1.8 thorpej * notice, this list of conditions and the following disclaimer in the 18 1.8 thorpej * documentation and/or other materials provided with the distribution. 19 1.8 thorpej * 20 1.8 thorpej * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 21 1.8 thorpej * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 1.8 thorpej * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 1.8 thorpej * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 24 1.8 thorpej * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 1.8 thorpej * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 1.8 thorpej * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 1.8 thorpej * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 1.8 thorpej * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 1.8 thorpej * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 1.8 thorpej * POSSIBILITY OF SUCH DAMAGE. 31 1.1 brezak */ 32 1.1 brezak 33 1.8 thorpej /* uses the `Kerberos Change Password Protocol' */ 34 1.8 thorpej 35 1.1 brezak #include <stdio.h> 36 1.5 lukem #include <stdlib.h> 37 1.1 brezak #include <string.h> 38 1.8 thorpej #include <err.h> 39 1.13 thorpej #include <errno.h> 40 1.9 ad #include <pwd.h> 41 1.13 thorpej #include <unistd.h> 42 1.1 brezak 43 1.11 itojun #include <openssl/ui.h> 44 1.8 thorpej #include <krb5.h> 45 1.1 brezak 46 1.8 thorpej #include "extern.h" 47 1.1 brezak 48 1.13 thorpej #ifdef USE_PAM 49 1.13 thorpej 50 1.13 thorpej void 51 1.13 thorpej pwkrb5_usage(const char *prefix) 52 1.13 thorpej { 53 1.13 thorpej 54 1.13 thorpej (void) fprintf(stderr, "%s %s [-d krb5 | -k] [principal]\n", 55 1.13 thorpej prefix, getprogname()); 56 1.13 thorpej } 57 1.13 thorpej 58 1.13 thorpej void 59 1.13 thorpej pwkrb5_argv0_usage(const char *prefix) 60 1.13 thorpej { 61 1.13 thorpej 62 1.13 thorpej (void) fprintf(stderr, "%s %s [principal]\n", 63 1.13 thorpej prefix, getprogname()); 64 1.13 thorpej } 65 1.13 thorpej 66 1.13 thorpej void 67 1.13 thorpej pwkrb5_process(const char *username, int argc, char **argv) 68 1.13 thorpej { 69 1.13 thorpej krb5_context context; 70 1.13 thorpej krb5_error_code ret; 71 1.13 thorpej krb5_get_init_creds_opt opt; 72 1.13 thorpej krb5_principal principal; 73 1.13 thorpej krb5_creds cred; 74 1.13 thorpej int result_code; 75 1.13 thorpej krb5_data result_code_string, result_string; 76 1.13 thorpej char pwbuf[BUFSIZ]; 77 1.13 thorpej int ch; 78 1.13 thorpej 79 1.13 thorpej while ((ch = getopt(argc, argv, "5ku:")) != -1) { 80 1.13 thorpej switch (ch) { 81 1.13 thorpej case '5': 82 1.13 thorpej /* 83 1.13 thorpej * Compatibility option that historically 84 1.13 thorpej * specified to use Kerberos 5. Silently 85 1.13 thorpej * ignore it. 86 1.13 thorpej */ 87 1.13 thorpej break; 88 1.13 thorpej 89 1.13 thorpej case 'k': 90 1.13 thorpej /* 91 1.13 thorpej * Absorb the -k that may have gotten us here. 92 1.13 thorpej */ 93 1.13 thorpej break; 94 1.13 thorpej 95 1.13 thorpej case 'u': 96 1.13 thorpej /* 97 1.13 thorpej * Historical option to specify principal. 98 1.13 thorpej */ 99 1.13 thorpej username = optarg; 100 1.13 thorpej break; 101 1.13 thorpej 102 1.13 thorpej default: 103 1.13 thorpej usage(); 104 1.13 thorpej /* NOTREACHED */ 105 1.13 thorpej } 106 1.13 thorpej } 107 1.13 thorpej 108 1.13 thorpej argc -= optind; 109 1.13 thorpej argv += optind; 110 1.13 thorpej 111 1.13 thorpej switch (argc) { 112 1.13 thorpej case 0: 113 1.13 thorpej /* username already provided */ 114 1.13 thorpej break; 115 1.13 thorpej case 1: 116 1.13 thorpej /* overrides -u <principal> */ 117 1.13 thorpej username = argv[0]; 118 1.13 thorpej break; 119 1.13 thorpej default: 120 1.13 thorpej usage(); 121 1.13 thorpej /* NOTREACHED */ 122 1.13 thorpej } 123 1.13 thorpej 124 1.13 thorpej ret = krb5_init_context(&context); 125 1.13 thorpej if (ret != 0) { 126 1.13 thorpej if (ret == ENXIO) 127 1.13 thorpej errx(1, "Kerberos 5 not in use."); 128 1.13 thorpej warnx("Unable to initialize Kerberos 5: %s", 129 1.13 thorpej krb5_get_err_text(context, ret)); 130 1.13 thorpej goto bad; 131 1.13 thorpej } 132 1.13 thorpej 133 1.13 thorpej krb5_get_init_creds_opt_init(&opt); 134 1.13 thorpej 135 1.14 christos krb5_get_init_creds_opt_set_tkt_life(&opt, 300L); 136 1.13 thorpej krb5_get_init_creds_opt_set_forwardable(&opt, FALSE); 137 1.13 thorpej krb5_get_init_creds_opt_set_proxiable(&opt, FALSE); 138 1.13 thorpej 139 1.13 thorpej ret = krb5_parse_name(context, username, &principal); 140 1.13 thorpej if (ret) { 141 1.13 thorpej warnx("failed to parse principal: %s", 142 1.13 thorpej krb5_get_err_text(context, ret)); 143 1.13 thorpej goto bad; 144 1.13 thorpej } 145 1.13 thorpej 146 1.13 thorpej ret = krb5_get_init_creds_password(context, 147 1.13 thorpej &cred, 148 1.13 thorpej principal, 149 1.13 thorpej NULL, 150 1.13 thorpej krb5_prompter_posix, 151 1.13 thorpej NULL, 152 1.14 christos 0L, 153 1.13 thorpej "kadmin/changepw", 154 1.13 thorpej &opt); 155 1.13 thorpej 156 1.13 thorpej 157 1.13 thorpej switch (ret) { 158 1.13 thorpej case 0: 159 1.13 thorpej break; 160 1.13 thorpej 161 1.13 thorpej case KRB5_LIBOS_PWDINTR : 162 1.13 thorpej /* XXX */ 163 1.13 thorpej goto bad; 164 1.13 thorpej 165 1.13 thorpej case KRB5KRB_AP_ERR_BAD_INTEGRITY : 166 1.13 thorpej case KRB5KRB_AP_ERR_MODIFIED : 167 1.13 thorpej fprintf(stderr, "Password incorrect\n"); 168 1.13 thorpej goto bad; 169 1.13 thorpej 170 1.13 thorpej default: 171 1.13 thorpej warnx("failed to get credentials: %s", 172 1.13 thorpej krb5_get_err_text(context, ret)); 173 1.13 thorpej goto bad; 174 1.13 thorpej } 175 1.13 thorpej 176 1.13 thorpej krb5_data_zero(&result_code_string); 177 1.13 thorpej krb5_data_zero(&result_string); 178 1.13 thorpej 179 1.13 thorpej /* XXX use getpass? It has a broken interface. */ 180 1.13 thorpej if (UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), 181 1.13 thorpej "New password: ", 1) != 0) 182 1.13 thorpej goto bad; 183 1.13 thorpej 184 1.13 thorpej ret = krb5_set_password(context, &cred, pwbuf, NULL, 185 1.13 thorpej &result_code, 186 1.13 thorpej &result_code_string, 187 1.13 thorpej &result_string); 188 1.13 thorpej if (ret) { 189 1.13 thorpej warnx("unable to set password: %s", 190 1.13 thorpej krb5_get_err_text(context, ret)); 191 1.13 thorpej goto bad; 192 1.13 thorpej } 193 1.13 thorpej 194 1.13 thorpej printf("%s%s%.*s\n", 195 1.13 thorpej krb5_passwd_result_to_string(context, result_code), 196 1.13 thorpej result_string.length > 0 ? " : " : "", 197 1.13 thorpej (int)result_string.length, 198 1.13 thorpej result_string.length > 0 ? (char *)result_string.data : ""); 199 1.13 thorpej 200 1.13 thorpej krb5_data_free(&result_code_string); 201 1.13 thorpej krb5_data_free(&result_string); 202 1.13 thorpej 203 1.15 mlelstv krb5_free_cred_contents(context, &cred); 204 1.13 thorpej krb5_free_context(context); 205 1.13 thorpej if (result_code) 206 1.13 thorpej exit(1); 207 1.13 thorpej return; 208 1.13 thorpej 209 1.13 thorpej bad: 210 1.13 thorpej krb5_free_context(context); 211 1.13 thorpej exit(1); 212 1.13 thorpej } 213 1.13 thorpej 214 1.13 thorpej #else /* ! USE_PAM */ 215 1.13 thorpej 216 1.18 mlelstv static krb5_context defcontext; 217 1.8 thorpej static krb5_principal defprinc; 218 1.13 thorpej static int kusage = PW_USE; 219 1.1 brezak 220 1.3 tls int 221 1.8 thorpej krb5_init(const char *progname) 222 1.1 brezak { 223 1.18 mlelstv return krb5_init_context(&defcontext); 224 1.8 thorpej } 225 1.1 brezak 226 1.8 thorpej int 227 1.18 mlelstv krb5_arg (char ch, const char *opt) 228 1.1 brezak { 229 1.8 thorpej krb5_error_code ret; 230 1.8 thorpej switch(ch) { 231 1.8 thorpej case '5': 232 1.8 thorpej case 'k': 233 1.13 thorpej kusage = PW_USE_FORCE; 234 1.8 thorpej return 1; 235 1.8 thorpej case 'u': 236 1.18 mlelstv ret = krb5_parse_name(defcontext, opt, &defprinc); 237 1.8 thorpej if(ret) { 238 1.18 mlelstv krb5_warn(defcontext, ret, "%s", opt); 239 1.8 thorpej return 0; 240 1.1 brezak } 241 1.8 thorpej return 1; 242 1.1 brezak } 243 1.8 thorpej return 0; 244 1.1 brezak } 245 1.1 brezak 246 1.8 thorpej int 247 1.8 thorpej krb5_arg_end(void) 248 1.1 brezak { 249 1.13 thorpej return kusage; 250 1.1 brezak } 251 1.1 brezak 252 1.8 thorpej void 253 1.8 thorpej krb5_end(void) 254 1.1 brezak { 255 1.18 mlelstv if (defcontext == NULL) 256 1.10 fvdl return; 257 1.8 thorpej if(defprinc) 258 1.18 mlelstv krb5_free_principal(defcontext, defprinc); 259 1.18 mlelstv krb5_free_context(defcontext); 260 1.1 brezak } 261 1.1 brezak 262 1.1 brezak 263 1.8 thorpej int 264 1.8 thorpej krb5_chpw(const char *username) 265 1.1 brezak { 266 1.8 thorpej krb5_error_code ret; 267 1.8 thorpej krb5_context context; 268 1.8 thorpej krb5_principal principal; 269 1.8 thorpej krb5_get_init_creds_opt opt; 270 1.8 thorpej krb5_creds cred; 271 1.8 thorpej int result_code; 272 1.8 thorpej krb5_data result_code_string, result_string; 273 1.8 thorpej char pwbuf[BUFSIZ]; 274 1.8 thorpej 275 1.8 thorpej ret = krb5_init_context (&context); 276 1.8 thorpej if (ret) { 277 1.8 thorpej warnx("failed kerberos initialisation: %s", 278 1.8 thorpej krb5_get_err_text(context, ret)); 279 1.8 thorpej return 1; 280 1.8 thorpej } 281 1.8 thorpej 282 1.8 thorpej krb5_get_init_creds_opt_init (&opt); 283 1.8 thorpej 284 1.8 thorpej krb5_get_init_creds_opt_set_tkt_life (&opt, 300); 285 1.8 thorpej krb5_get_init_creds_opt_set_forwardable (&opt, FALSE); 286 1.8 thorpej krb5_get_init_creds_opt_set_proxiable (&opt, FALSE); 287 1.8 thorpej 288 1.8 thorpej if(username != NULL) { 289 1.8 thorpej ret = krb5_parse_name (context, username, &principal); 290 1.8 thorpej if (ret) { 291 1.8 thorpej warnx("failed to parse principal: %s", 292 1.8 thorpej krb5_get_err_text(context, ret)); 293 1.8 thorpej return 1; 294 1.1 brezak } 295 1.8 thorpej } else 296 1.8 thorpej principal = defprinc; 297 1.1 brezak 298 1.8 thorpej ret = krb5_get_init_creds_password (context, 299 1.8 thorpej &cred, 300 1.8 thorpej principal, 301 1.8 thorpej NULL, 302 1.8 thorpej krb5_prompter_posix, 303 1.8 thorpej NULL, 304 1.8 thorpej 0, 305 1.8 thorpej "kadmin/changepw", 306 1.8 thorpej &opt); 307 1.8 thorpej 308 1.8 thorpej switch (ret) { 309 1.8 thorpej case 0: 310 1.8 thorpej break; 311 1.8 thorpej case KRB5_LIBOS_PWDINTR : 312 1.8 thorpej /* XXX */ 313 1.8 thorpej return 1; 314 1.8 thorpej case KRB5KRB_AP_ERR_BAD_INTEGRITY : 315 1.8 thorpej case KRB5KRB_AP_ERR_MODIFIED : 316 1.8 thorpej fprintf(stderr, "Password incorrect\n"); 317 1.8 thorpej return 1; 318 1.8 thorpej break; 319 1.8 thorpej default: 320 1.8 thorpej warnx("failed to get credentials: %s", 321 1.8 thorpej krb5_get_err_text(context, ret)); 322 1.8 thorpej return 1; 323 1.8 thorpej } 324 1.8 thorpej krb5_data_zero (&result_code_string); 325 1.8 thorpej krb5_data_zero (&result_string); 326 1.8 thorpej 327 1.8 thorpej /* XXX use getpass? It has a broken interface. */ 328 1.11 itojun if(UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), "New password: ", 1) != 0) 329 1.8 thorpej return 1; 330 1.8 thorpej 331 1.12 lha ret = krb5_set_password (context, &cred, pwbuf, NULL, 332 1.12 lha &result_code, 333 1.12 lha &result_code_string, 334 1.12 lha &result_string); 335 1.8 thorpej if (ret) 336 1.12 lha krb5_err (context, 1, ret, "krb5_set_password"); 337 1.8 thorpej 338 1.12 lha printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code), 339 1.12 lha result_string.length > 0 ? " : " : "", 340 1.12 lha (int)result_string.length, 341 1.12 lha result_string.length > 0 ? (char *)result_string.data : ""); 342 1.8 thorpej 343 1.8 thorpej krb5_data_free (&result_code_string); 344 1.8 thorpej krb5_data_free (&result_string); 345 1.8 thorpej 346 1.16 veego krb5_free_cred_contents (context, &cred); 347 1.8 thorpej krb5_free_context (context); 348 1.8 thorpej return result_code; 349 1.1 brezak } 350 1.13 thorpej 351 1.13 thorpej #endif /* USE_PAM */ 352
Indexes created Tue Sep 30 07:10:03 GMT 2025