krb5_passwd.c revision 1.20
1 1.20 christos /* $NetBSD: krb5_passwd.c,v 1.20 2012/04/22 23:43:51 christos Exp $ */ 2 1.2 thorpej 3 1.8 thorpej /* 4 1.13 thorpej * Copyright (c) 2000, 2005 The NetBSD Foundation, Inc. 5 1.1 brezak * All rights reserved. 6 1.1 brezak * 7 1.13 thorpej * This code is derived from software contributed to The NetBSD Foundation 8 1.13 thorpej * by Johan Danielsson; and by Jason R. Thorpe. 9 1.8 thorpej * 10 1.8 thorpej * Redistribution and use in source and binary forms, with or without 11 1.8 thorpej * modification, are permitted provided that the following conditions 12 1.8 thorpej * are met: 13 1.8 thorpej * 14 1.8 thorpej * 1. Redistributions of source code must retain the above copyright 15 1.8 thorpej * notice, this list of conditions and the following disclaimer. 16 1.8 thorpej * 2. Redistributions in binary form must reproduce the above copyright 17 1.8 thorpej * notice, this list of conditions and the following disclaimer in the 18 1.8 thorpej * documentation and/or other materials provided with the distribution. 19 1.8 thorpej * 20 1.8 thorpej * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 21 1.8 thorpej * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 1.8 thorpej * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 1.8 thorpej * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 24 1.8 thorpej * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 1.8 thorpej * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 1.8 thorpej * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 1.8 thorpej * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 1.8 thorpej * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 1.8 thorpej * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 1.8 thorpej * POSSIBILITY OF SUCH DAMAGE. 31 1.1 brezak */ 32 1.1 brezak 33 1.8 thorpej /* uses the `Kerberos Change Password Protocol' */ 34 1.8 thorpej 35 1.1 brezak #include <stdio.h> 36 1.5 lukem #include <stdlib.h> 37 1.1 brezak #include <string.h> 38 1.8 thorpej #include <err.h> 39 1.13 thorpej #include <errno.h> 40 1.9 ad #include <pwd.h> 41 1.13 thorpej #include <unistd.h> 42 1.1 brezak 43 1.11 itojun #include <openssl/ui.h> 44 1.8 thorpej #include <krb5.h> 45 1.1 brezak 46 1.8 thorpej #include "extern.h" 47 1.1 brezak 48 1.20 christos static void 49 1.20 christos pwkrb5_warn(const char *msg, krb5_context context, krb5_error_code ret) 50 1.20 christos { 51 1.20 christos const char *errtxt = krb5_get_error_message(context, ret); 52 1.20 christos if (errtxt != NULL) { 53 1.20 christos warnx("%s: %s", msg, errtxt); 54 1.20 christos krb5_free_error_message(context, errtxt); 55 1.20 christos } else 56 1.20 christos warnx("%s: %d", msg, ret); 57 1.20 christos } 58 1.20 christos 59 1.13 thorpej #ifdef USE_PAM 60 1.13 thorpej 61 1.13 thorpej void 62 1.13 thorpej pwkrb5_usage(const char *prefix) 63 1.13 thorpej { 64 1.13 thorpej 65 1.13 thorpej (void) fprintf(stderr, "%s %s [-d krb5 | -k] [principal]\n", 66 1.13 thorpej prefix, getprogname()); 67 1.13 thorpej } 68 1.13 thorpej 69 1.13 thorpej void 70 1.13 thorpej pwkrb5_argv0_usage(const char *prefix) 71 1.13 thorpej { 72 1.13 thorpej 73 1.13 thorpej (void) fprintf(stderr, "%s %s [principal]\n", 74 1.13 thorpej prefix, getprogname()); 75 1.13 thorpej } 76 1.13 thorpej 77 1.13 thorpej void 78 1.13 thorpej pwkrb5_process(const char *username, int argc, char **argv) 79 1.13 thorpej { 80 1.13 thorpej krb5_context context; 81 1.13 thorpej krb5_error_code ret; 82 1.19 elric krb5_get_init_creds_opt *opt; 83 1.13 thorpej krb5_principal principal; 84 1.13 thorpej krb5_creds cred; 85 1.13 thorpej int result_code; 86 1.13 thorpej krb5_data result_code_string, result_string; 87 1.13 thorpej char pwbuf[BUFSIZ]; 88 1.13 thorpej int ch; 89 1.13 thorpej 90 1.13 thorpej while ((ch = getopt(argc, argv, "5ku:")) != -1) { 91 1.13 thorpej switch (ch) { 92 1.13 thorpej case '5': 93 1.13 thorpej /* 94 1.13 thorpej * Compatibility option that historically 95 1.13 thorpej * specified to use Kerberos 5. Silently 96 1.13 thorpej * ignore it. 97 1.13 thorpej */ 98 1.13 thorpej break; 99 1.13 thorpej 100 1.13 thorpej case 'k': 101 1.13 thorpej /* 102 1.13 thorpej * Absorb the -k that may have gotten us here. 103 1.13 thorpej */ 104 1.13 thorpej break; 105 1.13 thorpej 106 1.13 thorpej case 'u': 107 1.13 thorpej /* 108 1.13 thorpej * Historical option to specify principal. 109 1.13 thorpej */ 110 1.13 thorpej username = optarg; 111 1.13 thorpej break; 112 1.13 thorpej 113 1.13 thorpej default: 114 1.13 thorpej usage(); 115 1.13 thorpej /* NOTREACHED */ 116 1.13 thorpej } 117 1.13 thorpej } 118 1.13 thorpej 119 1.13 thorpej argc -= optind; 120 1.13 thorpej argv += optind; 121 1.13 thorpej 122 1.13 thorpej switch (argc) { 123 1.13 thorpej case 0: 124 1.13 thorpej /* username already provided */ 125 1.13 thorpej break; 126 1.13 thorpej case 1: 127 1.13 thorpej /* overrides -u <principal> */ 128 1.13 thorpej username = argv[0]; 129 1.13 thorpej break; 130 1.13 thorpej default: 131 1.13 thorpej usage(); 132 1.13 thorpej /* NOTREACHED */ 133 1.13 thorpej } 134 1.13 thorpej 135 1.13 thorpej ret = krb5_init_context(&context); 136 1.13 thorpej if (ret != 0) { 137 1.13 thorpej if (ret == ENXIO) 138 1.13 thorpej errx(1, "Kerberos 5 not in use."); 139 1.19 elric errx(1, "Unable to initialize Kerberos 5: %s", strerror(ret)); 140 1.19 elric } 141 1.19 elric 142 1.19 elric ret = krb5_get_init_creds_opt_alloc(context, &opt); 143 1.19 elric if (ret) { 144 1.20 christos pwkrb5_warn("failed to allocate opts", context, ret); 145 1.13 thorpej goto bad; 146 1.13 thorpej } 147 1.13 thorpej 148 1.19 elric krb5_get_init_creds_opt_set_tkt_life(opt, 300L); 149 1.19 elric krb5_get_init_creds_opt_set_forwardable(opt, FALSE); 150 1.19 elric krb5_get_init_creds_opt_set_proxiable(opt, FALSE); 151 1.13 thorpej 152 1.13 thorpej ret = krb5_parse_name(context, username, &principal); 153 1.13 thorpej if (ret) { 154 1.20 christos krb5_get_init_creds_opt_free(context, opt); 155 1.20 christos pwkrb5_warn("failed to parse principal", context, ret); 156 1.13 thorpej goto bad; 157 1.13 thorpej } 158 1.13 thorpej 159 1.13 thorpej ret = krb5_get_init_creds_password(context, 160 1.13 thorpej &cred, 161 1.13 thorpej principal, 162 1.13 thorpej NULL, 163 1.13 thorpej krb5_prompter_posix, 164 1.13 thorpej NULL, 165 1.14 christos 0L, 166 1.13 thorpej "kadmin/changepw", 167 1.19 elric opt); 168 1.13 thorpej 169 1.20 christos krb5_get_init_creds_opt_free(context, opt); 170 1.13 thorpej switch (ret) { 171 1.13 thorpej case 0: 172 1.13 thorpej break; 173 1.13 thorpej 174 1.13 thorpej case KRB5_LIBOS_PWDINTR : 175 1.13 thorpej /* XXX */ 176 1.13 thorpej goto bad; 177 1.13 thorpej 178 1.13 thorpej case KRB5KRB_AP_ERR_BAD_INTEGRITY : 179 1.13 thorpej case KRB5KRB_AP_ERR_MODIFIED : 180 1.13 thorpej fprintf(stderr, "Password incorrect\n"); 181 1.13 thorpej goto bad; 182 1.13 thorpej 183 1.13 thorpej default: 184 1.20 christos pwkrb5_warn("failed to get credentials", context, ret); 185 1.13 thorpej goto bad; 186 1.13 thorpej } 187 1.13 thorpej 188 1.13 thorpej krb5_data_zero(&result_code_string); 189 1.13 thorpej krb5_data_zero(&result_string); 190 1.13 thorpej 191 1.13 thorpej /* XXX use getpass? It has a broken interface. */ 192 1.13 thorpej if (UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), 193 1.13 thorpej "New password: ", 1) != 0) 194 1.13 thorpej goto bad; 195 1.13 thorpej 196 1.13 thorpej ret = krb5_set_password(context, &cred, pwbuf, NULL, 197 1.13 thorpej &result_code, 198 1.13 thorpej &result_code_string, 199 1.13 thorpej &result_string); 200 1.13 thorpej if (ret) { 201 1.20 christos pwkrb5_warn("unable to set password", context, ret); 202 1.13 thorpej goto bad; 203 1.13 thorpej } 204 1.13 thorpej 205 1.13 thorpej printf("%s%s%.*s\n", 206 1.13 thorpej krb5_passwd_result_to_string(context, result_code), 207 1.13 thorpej result_string.length > 0 ? " : " : "", 208 1.13 thorpej (int)result_string.length, 209 1.13 thorpej result_string.length > 0 ? (char *)result_string.data : ""); 210 1.13 thorpej 211 1.13 thorpej krb5_data_free(&result_code_string); 212 1.13 thorpej krb5_data_free(&result_string); 213 1.13 thorpej 214 1.15 mlelstv krb5_free_cred_contents(context, &cred); 215 1.13 thorpej krb5_free_context(context); 216 1.13 thorpej if (result_code) 217 1.13 thorpej exit(1); 218 1.13 thorpej return; 219 1.13 thorpej 220 1.13 thorpej bad: 221 1.13 thorpej krb5_free_context(context); 222 1.13 thorpej exit(1); 223 1.13 thorpej } 224 1.13 thorpej 225 1.13 thorpej #else /* ! USE_PAM */ 226 1.13 thorpej 227 1.18 mlelstv static krb5_context defcontext; 228 1.8 thorpej static krb5_principal defprinc; 229 1.13 thorpej static int kusage = PW_USE; 230 1.1 brezak 231 1.3 tls int 232 1.8 thorpej krb5_init(const char *progname) 233 1.1 brezak { 234 1.18 mlelstv return krb5_init_context(&defcontext); 235 1.8 thorpej } 236 1.1 brezak 237 1.8 thorpej int 238 1.18 mlelstv krb5_arg (char ch, const char *opt) 239 1.1 brezak { 240 1.8 thorpej krb5_error_code ret; 241 1.8 thorpej switch(ch) { 242 1.8 thorpej case '5': 243 1.8 thorpej case 'k': 244 1.13 thorpej kusage = PW_USE_FORCE; 245 1.8 thorpej return 1; 246 1.8 thorpej case 'u': 247 1.18 mlelstv ret = krb5_parse_name(defcontext, opt, &defprinc); 248 1.8 thorpej if(ret) { 249 1.18 mlelstv krb5_warn(defcontext, ret, "%s", opt); 250 1.8 thorpej return 0; 251 1.1 brezak } 252 1.8 thorpej return 1; 253 1.1 brezak } 254 1.8 thorpej return 0; 255 1.1 brezak } 256 1.1 brezak 257 1.8 thorpej int 258 1.8 thorpej krb5_arg_end(void) 259 1.1 brezak { 260 1.13 thorpej return kusage; 261 1.1 brezak } 262 1.1 brezak 263 1.8 thorpej void 264 1.8 thorpej krb5_end(void) 265 1.1 brezak { 266 1.18 mlelstv if (defcontext == NULL) 267 1.10 fvdl return; 268 1.8 thorpej if(defprinc) 269 1.18 mlelstv krb5_free_principal(defcontext, defprinc); 270 1.18 mlelstv krb5_free_context(defcontext); 271 1.1 brezak } 272 1.1 brezak 273 1.8 thorpej int 274 1.8 thorpej krb5_chpw(const char *username) 275 1.1 brezak { 276 1.8 thorpej krb5_error_code ret; 277 1.8 thorpej krb5_context context; 278 1.8 thorpej krb5_principal principal; 279 1.20 christos krb5_get_init_creds_opt *opt; 280 1.8 thorpej krb5_creds cred; 281 1.8 thorpej int result_code; 282 1.8 thorpej krb5_data result_code_string, result_string; 283 1.8 thorpej char pwbuf[BUFSIZ]; 284 1.8 thorpej 285 1.8 thorpej ret = krb5_init_context (&context); 286 1.8 thorpej if (ret) { 287 1.20 christos pwkrb5_warn("failed kerberos initialisation", context, ret); 288 1.8 thorpej return 1; 289 1.8 thorpej } 290 1.8 thorpej 291 1.20 christos ret = krb5_get_init_creds_opt_alloc (context, &opt); 292 1.20 christos if (ret) { 293 1.20 christos pwkrb5_warn("failed to allocate credential opt", context, ret); 294 1.20 christos return 1; 295 1.20 christos } 296 1.8 thorpej 297 1.20 christos krb5_get_init_creds_opt_set_tkt_life (opt, 300); 298 1.20 christos krb5_get_init_creds_opt_set_forwardable (opt, FALSE); 299 1.20 christos krb5_get_init_creds_opt_set_proxiable (opt, FALSE); 300 1.8 thorpej 301 1.8 thorpej if(username != NULL) { 302 1.8 thorpej ret = krb5_parse_name (context, username, &principal); 303 1.8 thorpej if (ret) { 304 1.20 christos krb5_get_init_creds_opt_free (context, opt); 305 1.20 christos pwkrb5_warn("failed to parse principal", context, ret); 306 1.8 thorpej return 1; 307 1.1 brezak } 308 1.8 thorpej } else 309 1.8 thorpej principal = defprinc; 310 1.1 brezak 311 1.8 thorpej ret = krb5_get_init_creds_password (context, 312 1.8 thorpej &cred, 313 1.8 thorpej principal, 314 1.8 thorpej NULL, 315 1.8 thorpej krb5_prompter_posix, 316 1.8 thorpej NULL, 317 1.8 thorpej 0, 318 1.8 thorpej "kadmin/changepw", 319 1.20 christos opt); 320 1.8 thorpej 321 1.20 christos krb5_get_init_creds_opt_free (context, opt); 322 1.8 thorpej switch (ret) { 323 1.8 thorpej case 0: 324 1.8 thorpej break; 325 1.8 thorpej case KRB5_LIBOS_PWDINTR : 326 1.8 thorpej /* XXX */ 327 1.8 thorpej return 1; 328 1.8 thorpej case KRB5KRB_AP_ERR_BAD_INTEGRITY : 329 1.8 thorpej case KRB5KRB_AP_ERR_MODIFIED : 330 1.8 thorpej fprintf(stderr, "Password incorrect\n"); 331 1.8 thorpej return 1; 332 1.8 thorpej break; 333 1.8 thorpej default: 334 1.20 christos pwkrb5_warn("failed to get credentials", context, ret); 335 1.8 thorpej return 1; 336 1.8 thorpej } 337 1.8 thorpej krb5_data_zero (&result_code_string); 338 1.8 thorpej krb5_data_zero (&result_string); 339 1.8 thorpej 340 1.8 thorpej /* XXX use getpass? It has a broken interface. */ 341 1.11 itojun if(UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), "New password: ", 1) != 0) 342 1.8 thorpej return 1; 343 1.8 thorpej 344 1.12 lha ret = krb5_set_password (context, &cred, pwbuf, NULL, 345 1.12 lha &result_code, 346 1.12 lha &result_code_string, 347 1.12 lha &result_string); 348 1.8 thorpej if (ret) 349 1.12 lha krb5_err (context, 1, ret, "krb5_set_password"); 350 1.8 thorpej 351 1.12 lha printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code), 352 1.12 lha result_string.length > 0 ? " : " : "", 353 1.12 lha (int)result_string.length, 354 1.12 lha result_string.length > 0 ? (char *)result_string.data : ""); 355 1.8 thorpej 356 1.8 thorpej krb5_data_free (&result_code_string); 357 1.8 thorpej krb5_data_free (&result_string); 358 1.8 thorpej 359 1.16 veego krb5_free_cred_contents (context, &cred); 360 1.8 thorpej krb5_free_context (context); 361 1.8 thorpej return result_code; 362 1.1 brezak } 363 1.13 thorpej 364 1.13 thorpej #endif /* USE_PAM */ 365
Indexes created Tue Sep 30 07:10:03 GMT 2025