1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
/* ========================================================================
* Copyright 1988-2006 University of Washington
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* ========================================================================
*/
/*
* Program: MIT Kerberos routines
*
* Author: Mark Crispin
* Networks and Distributed Computing
* Computing & Communications
* University of Washington
* Administration Building, AG-44
* Seattle, WA 98195
* Internet: MRC@CAC.Washington.EDU
*
* Date: 4 March 2003
* Last Edited: 30 August 2006
*/
#define PROTOTYPE(x) x
#include <gssapi/gssapi_generic.h>
#include <gssapi/gssapi_krb5.h>
long kerberos_server_valid (void);
long kerberos_try_kinit (OM_uint32 error);
char *kerberos_login (char *user,char *authuser,int argc,char *argv[]);
�
/* Kerberos server valid check
* Returns: T if have keytab, NIL otherwise
*
* Note that this routine will probably return T only if the process is root.
* This is alright since the server is probably still root at this point.
*/
long kerberos_server_valid ()
{
krb5_context ctx;
krb5_keytab kt;
krb5_kt_cursor csr;
long ret = NIL;
/* make a context */
if (!krb5_init_context (&ctx)) {
/* get default keytab */
if (!krb5_kt_default (ctx,&kt)) {
/* can do server if have good keytab */
if (!krb5_kt_start_seq_get (ctx,kt,&csr) &&
!krb5_kt_end_seq_get (ctx,kt,&csr)) ret = LONGT;
krb5_kt_close (ctx,kt); /* finished with keytab */
}
krb5_free_context (ctx); /* finished with context */
}
return ret;
}
/* Kerberos check for missing or expired credentials
* Returns: T if should suggest running kinit, NIL otherwise
*/
long kerberos_try_kinit (OM_uint32 error)
{
switch (error) {
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_FCC_NOFILE: /* MIT */
case KRB5_CC_NOTFOUND: /* Heimdal */
return LONGT;
}
return NIL;
}
�
/* Kerberos server log in
* Accepts: authorization ID as user name
* authentication ID as Kerberos principal
* argument count
* argument vector
* Returns: logged in user name if logged in, NIL otherwise
*/
char *kerberos_login (char *user,char *authuser,int argc,char *argv[])
{
krb5_context ctx;
krb5_principal prnc;
char kuser[NETMAXUSER];
char *ret = NIL;
/* make a context */
if (!krb5_init_context (&ctx)) {
/* build principal */
if (!krb5_parse_name (ctx,authuser,&prnc)) {
/* can get local name for this principal? */
if (!krb5_aname_to_localname (ctx,prnc,NETMAXUSER-1,kuser)) {
/* yes, local name permitted login as user? */
if (authserver_login (user,kuser,argc,argv) ||
authserver_login (lcase (user),kuser,argc,argv))
ret = myusername (); /* yes, return user name */
}
krb5_free_principal (ctx,prnc);
}
krb5_free_context (ctx); /* finished with context */
}
return ret;
}
|
