pyceo/src/krb5.c

#include <stdio.h>

#include <krb5.h>
#include <syslog.h>

#include "krb5.h"
#include "util.h"
#include "config.h"

extern char *prog;

krb5_context context;

static void com_err_hk(const char *whoami, long code, const char *fmt, va_list args) {
    char message[4096];
    char *msgp = message;

    msgp += snprintf(msgp, sizeof(message) - 2 - (msgp - message), "%s ", error_message(code));
    if (msgp - message > sizeof(message) - 2)
        fatal("error message overflowed");

    msgp += vsnprintf(msgp, sizeof(message) - 2 - (msgp - message), fmt, args);
    if (msgp - message > sizeof(message) - 2)
        fatal("error message overflowed");

    *msgp++ = '\n';
    *msgp++ = '\0';

    logmsg(LOG_ERR, "fatal: %s", message);
    exit(1);
}

void ceo_krb5_init() {
    krb5_error_code retval;

    set_com_err_hook(com_err_hk);

    retval = krb5_init_context(&context);
    if (retval)
        com_err(prog, retval, "while initializing krb5");

    retval = krb5_set_default_realm(context, realm);
    if (retval)
        com_err(prog, retval, "while setting default realm");
}

void ceo_krb5_auth(char *principal) {
    krb5_error_code retval;
    krb5_creds creds;
    krb5_principal princ;
    krb5_ccache cache;
    krb5_get_init_creds_opt options;

    krb5_get_init_creds_opt_init(&options);
    memset(&creds, 0, sizeof(creds));

    if ((retval = krb5_parse_name(context, principal, &princ)))
        com_err(prog, retval, "while resolving user %s", admin_bind_userid);

    if ((retval = krb5_cc_default(context, &cache)))
        com_err(prog, retval, "while resolving credentials cache");

    if ((retval = krb5_get_init_creds_keytab(context, &creds, princ, NULL, 0, NULL, &options)))
        com_err(prog, retval, "while getting initial credentials");

    if ((retval = krb5_cc_initialize(context, cache, princ)))
        com_err(prog, retval, "while initializing credentials cache");

    if ((retval = krb5_cc_store_cred(context, cache, &creds)))
        com_err(prog, retval, "while storing credentials");

    krb5_free_cred_contents(context, &creds);
    krb5_free_principal(context, princ);
    krb5_cc_close(context, cache);
}

void ceo_krb5_deauth() {
    krb5_error_code retval;
    krb5_ccache cache;

    if ((retval = krb5_cc_default(context, &cache)))
        com_err(prog, retval, "while resolving credentials cache");

    if ((retval = krb5_cc_destroy(context, cache)))
        com_err(prog, retval, "while destroying credentials cache");
}

void ceo_krb5_cleanup() {
    krb5_free_context(context);
}

int ceo_read_password(char *password, unsigned int size, int use_stdin) {
    int tries = 0;
    unsigned int len;

    do {
        if (use_stdin) {
            if (fgets(password, size, stdin) == NULL)
                fatal("eof while reading password");

            size = strlen(password);

            if (password[size - 1] == '\n')
                password[size - 1] = '\0';
        } else {
            len = size;
            int retval = krb5_read_password(context, "New password", "Confirm password", password, &len);
            if (retval == KRB5_LIBOS_PWDINTR) {
                error("interrupted");
                return -1;
            } else if (retval == KRB5_LIBOS_BADPWDMATCH) {
                fputs("Passwords do not match.\n", stderr);
            } else if (!password || !*password) {
                fputs("Please enter a password.\n", stderr);
            }
        }
    } while (++tries < 3 && !*password);

    if (!*password) {
        error("maximum tries exceeded reading password");
        return -1;
    }

    return 0;
}
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`#include <stdio.h>`
Remove keytab configuration Instead we'll always use the default keytab, which is /etc/krb5.keytab or the KRB5_KTNAME environment variable. 2009-07-25 04:19:29 -04:00
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`#include <krb5.h>`
			`#include <syslog.h>`

			`#include "krb5.h"`
			`#include "util.h"`
			`#include "config.h"`

			`extern char *prog;`

			`krb5_context context;`

			`static void com_err_hk(const char whoami, long code, const char fmt, va_list args) {`
			`char message[4096];`
			`char *msgp = message;`

			`msgp += snprintf(msgp, sizeof(message) - 2 - (msgp - message), "%s ", error_message(code));`
			`if (msgp - message > sizeof(message) - 2)`
			`fatal("error message overflowed");`

			`msgp += vsnprintf(msgp, sizeof(message) - 2 - (msgp - message), fmt, args);`
			`if (msgp - message > sizeof(message) - 2)`
			`fatal("error message overflowed");`

			`*msgp++ = '\n';`
			`*msgp++ = '\0';`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`logmsg(LOG_ERR, "fatal: %s", message);`
			`exit(1);`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`}`

			`void ceo_krb5_init() {`
			`krb5_error_code retval;`

			`set_com_err_hook(com_err_hk);`

			`retval = krb5_init_context(&context);`
Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if (retval)`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while initializing krb5");`

			`retval = krb5_set_default_realm(context, realm);`
Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if (retval)`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while setting default realm");`
			`}`

Remove keytab configuration Instead we'll always use the default keytab, which is /etc/krb5.keytab or the KRB5_KTNAME environment variable. 2009-07-25 04:19:29 -04:00			`void ceo_krb5_auth(char *principal) {`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`krb5_error_code retval;`
			`krb5_creds creds;`
			`krb5_principal princ;`
			`krb5_ccache cache;`
			`krb5_get_init_creds_opt options;`

			`krb5_get_init_creds_opt_init(&options);`
			`memset(&creds, 0, sizeof(creds));`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if ((retval = krb5_parse_name(context, principal, &princ)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while resolving user %s", admin_bind_userid);`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if ((retval = krb5_cc_default(context, &cache)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while resolving credentials cache");`

Remove keytab configuration Instead we'll always use the default keytab, which is /etc/krb5.keytab or the KRB5_KTNAME environment variable. 2009-07-25 04:19:29 -04:00			`if ((retval = krb5_get_init_creds_keytab(context, &creds, princ, NULL, 0, NULL, &options)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while getting initial credentials");`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if ((retval = krb5_cc_initialize(context, cache, princ)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while initializing credentials cache");`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if ((retval = krb5_cc_store_cred(context, cache, &creds)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while storing credentials");`

			`krb5_free_cred_contents(context, &creds);`
			`krb5_free_principal(context, princ);`
			`krb5_cc_close(context, cache);`
			`}`

			`void ceo_krb5_deauth() {`
			`krb5_error_code retval;`
			`krb5_ccache cache;`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if ((retval = krb5_cc_default(context, &cache)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while resolving credentials cache");`

Log Kerberos errors consistently 2009-01-31 00:11:42 -05:00			`if ((retval = krb5_cc_destroy(context, cache)))`
Add sources for C account creation programs 2007-12-10 00:25:14 -05:00			`com_err(prog, retval, "while destroying credentials cache");`
			`}`

			`void ceo_krb5_cleanup() {`
			`krb5_free_context(context);`
			`}`

			`int ceo_read_password(char *password, unsigned int size, int use_stdin) {`
			`int tries = 0;`
			`unsigned int len;`

			`do {`
			`if (use_stdin) {`
			`if (fgets(password, size, stdin) == NULL)`
			`fatal("eof while reading password");`

			`size = strlen(password);`

			`if (password[size - 1] == '\n')`
			`password[size - 1] = '\0';`
			`} else {`
			`len = size;`
			`int retval = krb5_read_password(context, "New password", "Confirm password", password, &len);`
			`if (retval == KRB5_LIBOS_PWDINTR) {`
			`error("interrupted");`
			`return -1;`
			`} else if (retval == KRB5_LIBOS_BADPWDMATCH) {`
			`fputs("Passwords do not match.\n", stderr);`
			`} else if (!password \|\| !*password) {`
			`fputs("Please enter a password.\n", stderr);`
			`}`
			`}`
			`} while (++tries < 3 && !*password);`

			`if (!*password) {`
			`error("maximum tries exceeded reading password");`
			`return -1;`
			`}`

			`return 0;`
			`}`