Diffstat (limited to 'crypto/kerberosIV/lib/auth')
-rw-r--r-- | crypto/kerberosIV/lib/auth/ChangeLog | 31 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in | 5 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/afskauthlib/verify.c | 143 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/Makefile.in | 13 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/README | 10 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/pam.c | 23 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/pam.conf.add | 63 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/sia/Makefile.in | 5 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/sia/README | 4 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf | 9 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf | 9 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/sia/sia.c | 29 |
12 files changed, 254 insertions, 90 deletions
diff --git a/crypto/kerberosIV/lib/auth/ChangeLog b/crypto/kerberosIV/lib/auth/ChangeLog index ce2eccc..f9c948c 100644 --- a/crypto/kerberosIV/lib/auth/ChangeLog +++ b/crypto/kerberosIV/lib/auth/ChangeLog @@ -1,3 +1,34 @@ +1999-11-15 Assar Westerlund <assar@sics.se> + + * */lib/Makefile.in: set LIBNAME. From Enrico Scholz + <Enrico.Scholz@informatik.tu-chemnitz.de> + +1999-10-17 Assar Westerlund <assar@sics.se> + + * afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4 + +1999-10-03 Assar Westerlund <assar@sics.se> + + * afskauthlib/verify.c (verify_krb5): update to new + krb524_convert_creds_kdc + +1999-09-28 Assar Westerlund <assar@sics.se> + + * sia/sia.c (doauth): use krb5_get_local_realms and + krb5_verify_user_lrealm + + * afskauthlib/verify.c (verify_krb5): remove krb5_kuserok. use + krb5_verify_user_lrealm + +1999-08-11 Johan Danielsson <joda@pdc.kth.se> + + * afskauthlib/verify.c: make this compile w/o krb4 + +1999-08-04 Assar Westerlund <assar@sics.se> + + * afskauthlib/verify.c: incorporate patches from Miroslav Ruda + <ruda@ics.muni.cz> + Thu Apr 8 14:35:34 1999 Johan Danielsson <joda@hella.pdc.kth.se> * sia/sia.c: remove definition of KRB_VERIFY_USER (moved to diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in index dc09a13..2eb2576 100644 --- a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in +++ b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in @@ -1,5 +1,5 @@ # -# $Id: Makefile.in,v 1.24 1999/03/10 19:01:14 joda Exp $ +# $Id: Makefile.in,v 1.25 1999/11/15 10:20:46 assar Exp $ # SHELL = /bin/sh @@ -36,7 +36,8 @@ LDSHARED = @LDSHARED@ SHLIBEXT = @REAL_SHLIBEXT@ LD_FLAGS = @REAL_LD_FLAGS@ -LIB = afskauthlib.$(SHLIBEXT) +LIBNAME = afskauthlib +LIB = $(LIBNAME).$(SHLIBEXT) SOURCES = verify.c diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c index f7db523..1c23119 100644 
--- a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c +++ b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c @@ -14,12 +14,7 @@ * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors + * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * @@ -38,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $"); +RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $"); #endif #include <unistd.h> #include <sys/types.h> @@ -52,10 +47,24 @@ RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $"); #endif #include <roken.h> -#if 0 +#ifdef KRB5 static char krb5ccname[128]; #endif +#ifdef KRB4 static char krbtkfile[128]; +#endif + +/* + In some cases is afs_gettktstring called twice (once before + afs_verify and once after afs_verify). + In some cases (rlogin with access allowed via .rhosts) + afs_verify is not called! + So we can't rely on correct value in krbtkfile in some + cases! +*/ + +static int correct_tkfilename=0; +static int pag_set=0; #ifdef KRB4 static void 
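Review bot: The comment introduced above `correct_tkfilename` is hard to parse ("In some cases is afs_gettktstring called twice") and never says what the flag means; suggest `/* afs_gettktstring may run twice (before and after afs_verify), and with .rhosts-based rlogin afs_verify never runs, so krbtkfile is only trustworthy once correct_tkfilename is set. */`. `pag_set` gets no comment at all; `/* non-zero once k_setpag() has been called in this process */` would do. Neither flag is ever cleared, so if one process ever authenticates more than one user the second inherits the first one's state — worth confirming that login/xdm never do that. The new buffers are under `#ifdef KRB5` / `#ifdef KRB4` while the two flags are unconditional, which only works as long as every user of the flags is unconditional too.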
@@ -63,9 +72,44 @@ set_krbtkfile(uid_t uid)
 {
  snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
  krb_set_tkt_string (krbtkfile);
+ correct_tkfilename = 1;
 }
 #endif
+/* XXX this has to be the default cache name, since the KRB5CCNAME
+ * environment variable isn't exported by login/xdm
+ */
+
+#ifdef KRB5
+static void
+set_krb5ccname(uid_t uid)
+{
+ snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
+#ifdef KRB4
+ snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+#endif
+ correct_tkfilename = 1;
+}
+#endif
+
+static void
+set_spec_krbtkfile(void)
+{
+ int fd;
+#ifdef KRB4
+ snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
+ fd = mkstemp(krbtkfile);
+ close(fd);
+ unlink(krbtkfile);
+ krb_set_tkt_string (krbtkfile);
+#endif
+#ifdef KRB5
+ snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
+ fd=mkstemp(krb5ccname+5);
+ close(fd);
+ unlink(krb5ccname+5);
+#endif
+}
 #ifdef KRB5
 static int
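Review bot: In set_spec_krbtkfile the result of both `mkstemp` calls is never checked, so on failure `close(-1)` and `unlink()` run on the unexpanded `_XXXXXX` template and that template is then handed to `krb_set_tkt_string` or left in `krb5ccname`; add `if (fd < 0) { syslog(LOG_AUTH|LOG_DEBUG, "mkstemp failed"); return; }` after each call. Unlinking the file right after creating it also gives away what mkstemp bought: the name is free again until the ticket library recreates it, so unless that library opens it with O_EXCL semantics (not visible here) it would be safer to keep the created file and let the library reuse it. `krb5ccname+5` hard-codes the length of the `FILE:` prefix; `krb5ccname + strlen("FILE:")` says what is meant. In set_krb5ccname the uid is printed with `%d` while the KRB4 line casts to `(unsigned)` and still uses `%d`; use `%u` with the cast in both places so the format matches the argument. The three helpers are complete within this hunk.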
@@ -76,42 +120,38 @@ verify_krb5(struct passwd *pwd, { krb5_context context; krb5_error_code ret; - char ticket[128]; krb5_ccache ccache; krb5_principal principal; - krb5_realm realm; krb5_init_context(&context); - krb5_get_default_realm(context, &realm); - krb5_make_principal(context, &principal, realm, pwd->pw_name, NULL); - - if(!krb5_kuserok(context, principal, pwd->pw_name)) { - syslog(LOG_AUTH|LOG_DEBUG, "krb5_kuserok failed"); + ret = krb5_parse_name (context, pwd->pw_name, &principal); + if (ret) { + syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s", + krb5_get_err_text(context, ret)); goto out; } - /* XXX this has to be the default cache name, since the KRB5CCNAME - environment variable isn't exported by login/xdm - */ - snprintf(ticket, sizeof(ticket), "FILE:/tmp/krb5cc_%d", pwd->pw_uid); - ret = krb5_cc_resolve(context, ticket, &ccache); + + set_krb5ccname(pwd->pw_uid); + ret = krb5_cc_resolve(context, krb5ccname, &ccache); if(ret) { syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", krb5_get_err_text(context, ret)); goto out; } - ret = krb5_verify_user(context, - principal, - ccache, - password, - TRUE, - NULL); + ret = krb5_verify_user_lrealm(context, + principal, + ccache, + password, + TRUE, + NULL); if(ret) { syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", krb5_get_err_text(context, ret)); goto out; } + if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) { syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", krb5_get_err_text(context, errno)); 
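Review bot: `principal` is now left uninitialised when `krb5_parse_name` fails and control jumps to `out:`, which lies past the end of this hunk; if that cleanup frees the principal (the old code always created it before any goto, so it may) this reads an indeterminate pointer, and `krb5_principal principal = NULL;` at the declaration makes the early exit safe. The syslog text still says `"krb5_verify_user: %s"` although the call is now `krb5_verify_user_lrealm`; update the label so the log line names the function that failed. The cache path now comes from the process-wide `krb5ccname` filled by set_krb5ccname, which is the same predictable `/tmp/krb5cc_<uid>` name as before, so the `chown` below still operates on a path in a world-writable directory — a comment stating that the krb5 library is relied on to create that file safely would help the next reader. verify_krb5 begins and ends outside this hunk.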
@@ -119,17 +159,23 @@ verify_krb5(struct passwd *pwd, } #ifdef KRB4 - { + if (krb5_config_get_bool(context, NULL, + "libdefaults", + "krb4_get_tickets", + NULL)) { CREDENTIALS c; krb5_creds mcred, cred; + krb5_realm realm; + krb5_get_default_realm(context, &realm); krb5_make_principal(context, &mcred.server, realm, "krbtgt", realm, NULL); + free (realm); ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); if(ret == 0) { - ret = krb524_convert_creds_kdc(context, &cred, &c); + ret = krb524_convert_creds_kdc(context, ccache, &cred, &c); if(ret) krb5_warn(context, ret, "converting creds"); else { @@ -144,13 +190,13 @@ verify_krb5(struct passwd *pwd, krb5_free_principal(context, mcred.server); } - if (k_hasafs()) { + if (!pag_set && k_hasafs()) { k_setpag(); + pag_set = 1; krb5_afslog_uid_home(context, ccache, NULL, NULL, pwd->pw_uid, pwd->pw_dir); } #endif - out: if(ret && !quiet) printf ("%s\n", krb5_get_err_text (context, ret)); @@ -173,8 +219,9 @@ verify_krb4(struct passwd *pwd, ret = krb_verify_user (pwd->pw_name, "", lrealm, password, KRB_VERIFY_SECURE, NULL); if (ret == KSUCCESS) { - if (k_hasafs()) { + if (!pag_set && k_hasafs()) { k_setpag (); + pag_set = 1; krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir); } } else if (!quiet) 
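Review bot: The return value of `krb5_get_default_realm` is discarded, and on failure `realm` is an indeterminate pointer that is then passed to `krb5_make_principal` and `free`; write `ret = krb5_get_default_realm(context, &realm); if (ret) goto out;` before the `krb5_make_principal` call. Gating the v4 conversion on `krb4_get_tickets` also flips the default — with no such setting in krb5.conf no v4 tickets are obtained where they previously always were — and none of the ChangeLog entries in this commit mentions it; a line in the ChangeLog or the afskauthlib README would save users a surprise. verify_krb5 begins and ends outside this hunk.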
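Review bot: Putting `krb5_afslog_uid_home` inside `if (!pag_set && k_hasafs())` means that once `pag_set` is 1 no AFS tokens are obtained at all, and afs_gettktstring (later in this commit) sets `pag_set` itself — the comment added at the top of the file says it may run before afs_verify, in which case this whole branch is skipped for the authenticating user. Separate the one-time PAG setup from the token fetch: `if (k_hasafs()) {` / `if (!pag_set) { k_setpag(); pag_set = 1; }` / `krb5_afslog_uid_home(context, ccache, NULL, NULL, pwd->pw_uid, pwd->pw_dir); }`. The verify_krb4 hunk below has the same shape around `krb_afslog_uid_home` and needs the same split.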
@@ -192,22 +239,50 @@ afs_verify(char *name, { int ret = 1; struct passwd *pwd = k_getpwnam (name); + if(pwd == NULL) return 1; + if (ret) + ret = unix_verify_user (name, password); #ifdef KRB5 - ret = verify_krb5(pwd, password, exp, quiet); + if (ret) + ret = verify_krb5(pwd, password, exp, quiet); #endif #ifdef KRB4 if(ret) ret = verify_krb4(pwd, password, exp, quiet); #endif - if (ret) - ret = unix_verify_user (name, password); return ret; } char * afs_gettktstring (void) { + char *ptr; + struct passwd *pwd; + + if (!correct_tkfilename) { + ptr = getenv("LOGNAME"); + if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) { + set_krb5ccname(pwd->pw_uid); +#ifdef KRB4 + set_krbtkfile(pwd->pw_uid); + if (!pag_set && k_hasafs()) { + k_setpag(); + pag_set=1; + } +#endif + } else { + set_spec_krbtkfile(); + } + } +#ifdef KRB5 + setenv("KRB5CCNAME",krb5ccname,1); +#endif +#ifdef KRB4 + setenv("KRBTKFILE",krbtkfile,1); return krbtkfile; +#else + return ""; +#endif } diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.in b/crypto/kerberosIV/lib/auth/pam/Makefile.in index f338fbf..b012fcd 100644 --- a/crypto/kerberosIV/lib/auth/pam/Makefile.in +++ b/crypto/kerberosIV/lib/auth/pam/Makefile.in @@ -1,5 +1,5 @@ # -# $Id: Makefile.in,v 1.20 1999/03/10 19:01:14 joda Exp $ +# $Id: Makefile.in,v 1.25 1999/11/15 10:20:48 assar Exp $ # SHELL = /bin/sh @@ -27,12 +27,17 @@ PICFLAGS = @REAL_PICFLAGS@ LDSHARED = @LDSHARED@ SHLIBEXT = @REAL_SHLIBEXT@ LD_FLAGS = @REAL_LD_FLAGS@ + +LIB_res_search = @LIB_res_search@ +LIB_dn_expand = @LIB_dn_expand@ -@lib_deps_yes@LIB_DEPS = -L../../kafs -L../../krb -L../../des -L../../roken \ -@lib_deps_yes@ -lkafs -lkrb -ldes -lroken -lc +@lib_deps_yes@LIB_DEPS = -L../../kafs -L../../krb -L../../des \ +@lib_deps_yes@ -lkafs -lkrb -ldes \ +@lib_deps_yes@ $(LIB_res_search) $(LIB_dn_expand) -lpam -lc @lib_deps_no@LIB_DEPS = -LIB = pam_krb4.$(SHLIBEXT) +LIBNAME = pam_krb4 +LIB = $(LIBNAME).$(SHLIBEXT) SOURCES = pam.c 
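Review bot: In afs_gettktstring the call `set_krb5ccname(pwd->pw_uid)` is unconditional, but set_krb5ccname is only defined under `#ifdef KRB5` earlier in this commit, so a build with KRB4 but without KRB5 no longer compiles; wrap it: `#ifdef KRB5` / `set_krb5ccname(pwd->pw_uid);` / `#endif`. In afs_verify the new `if (ret)` before `unix_verify_user` is always true because `ret` was just initialised to 1, so the guard is dead. Moving the local password check ahead of Kerberos also changes behaviour: a user whose local password matches is accepted before any ticket is acquired, so the KRB5/KRB4 paths and the AFS tokens they set up only run when the local check fails — if that is intended, a comment saying so would help, since the previous order was the reverse. afs_gettktstring trusts `LOGNAME` from the environment to pick the uid for the cache names; that is acceptable only because login/xdm set it, and a comment stating that assumption belongs next to the `getenv`.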
diff --git a/crypto/kerberosIV/lib/auth/pam/README b/crypto/kerberosIV/lib/auth/pam/README index 9505699..2c45a53 100644 --- a/crypto/kerberosIV/lib/auth/pam/README +++ b/crypto/kerberosIV/lib/auth/pam/README @@ -3,9 +3,8 @@ PAM --- The PAM module was written more out of curiosity that anything else. It -has not been updated for quite a while, since none of us are using -Linux, and Solaris does not support PAM yet. We've had positive reports -from at least one person using the module, though. +has not been updated for quite a while, but it seems to mostly work on +both Linux and Solaris. To use this module you should: @@ -20,6 +19,7 @@ There is currently no support for changing kerberos passwords. Use kpasswd instead. See also Derrick J Brashear's `<shadow@dementia.org>' Kerberos PAM -module at `ftp://ftp.dementia.org/pub/pam'. It has a lot more features, -and it is also more in line with other PAM modules. +module at +<ftp://ftp.dementia.org/pub/pam>. It has a lot more features, and it is +also more in line with other PAM modules. diff --git a/crypto/kerberosIV/lib/auth/pam/pam.c b/crypto/kerberosIV/lib/auth/pam/pam.c index 37a125e..d919bf8 100644 --- a/crypto/kerberosIV/lib/auth/pam/pam.c +++ b/crypto/kerberosIV/lib/auth/pam/pam.c @@ -14,12 +14,7 @@ * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Kungliga Tekniska - * Högskolan and its contributors. - * - * 4. Neither the name of the Institute nor the names of its contributors + * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * 
@@ -42,7 +37,7 @@ #ifdef HAVE_CONFIG_H #include<config.h> -RCSID("$Id: pam.c,v 1.18 1999/03/17 22:37:10 assar Exp $"); +RCSID("$Id: pam.c,v 1.22 1999/12/02 16:58:37 joda Exp $"); #endif #include <stdio.h> @@ -150,10 +145,10 @@ auth_su(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) pw = getpwuid(getuid()); if(strcmp(user, "root") == 0){ - strcpy_truncate(pr.name, pw->pw_name, sizeof(pr.name)); - strcpy_truncate(pr.instance, "root", sizeof(pr.instance)); + strlcpy(pr.name, pw->pw_name, sizeof(pr.name)); + strlcpy(pr.instance, "root", sizeof(pr.instance)); }else{ - strcpy_truncate(pr.name, user, sizeof(pr.name)); + strlcpy(pr.name, user, sizeof(pr.name)); pr.instance[0] = 0; } pmsg = &msg; @@ -212,7 +207,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { - char *tkt; + char *tkt, *var; void *user; const char *homedir = NULL; @@ -225,7 +220,11 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) } pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt); - setenv("KRBTKFILE", tkt, 1); + var = malloc(strlen("KRBTKFILE=") + strlen(tkt) + 1); + strcpy(var, "KRBTKFILE="); + strcat(var, tkt); + putenv(var); + pam_putenv(pamh, var); if(k_hasafs()){ k_setpag(); krb_afslog_home(0, 0, homedir); diff --git a/crypto/kerberosIV/lib/auth/pam/pam.conf.add b/crypto/kerberosIV/lib/auth/pam/pam.conf.add index 1bfb30e..42497d2 100644 --- a/crypto/kerberosIV/lib/auth/pam/pam.conf.add +++ b/crypto/kerberosIV/lib/auth/pam/pam.conf.add 
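Review bot: The new `var = malloc(...)` is not checked, so an allocation failure turns into `strcpy` through a null pointer; in the same spot the result of `pam_get_data` is ignored and `tkt` is an indeterminate pointer if no "KRBTKFILE" data was stored earlier (e.g. because the auth phase of this module did not run), so `strlen(tkt)` reads garbage. Both should fail the session cleanly rather than crash login; the rewrite below returns PAM_SESSION_ERR / PAM_BUF_ERR. `var` is intentionally not freed because `putenv` keeps the pointer — a comment saying so stops the next reader from "fixing" a leak. pam_sm_open_session begins and ends outside this hunk.
```c
    if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) != PAM_SUCCESS
        || tkt == NULL)
        return PAM_SESSION_ERR;
    var = malloc(strlen("KRBTKFILE=") + strlen(tkt) + 1);
    if (var == NULL)
        return PAM_BUF_ERR;
    /* … unchanged: strcpy/strcat building "KRBTKFILE=<tkt>" … */
    putenv(var);           /* var is deliberately not freed: putenv keeps the pointer */
    /* … unchanged: pam_putenv, k_hasafs / krb_afslog_home … */
```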
@@ -1,3 +1,66 @@ +To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch: + +--- /etc/pam.conf.DIST Mon Jul 20 15:37:46 1998 ++++ /etc/pam.conf Tue Nov 30 18:47:22 1999 +@@ -4,12 +4,14 @@ + # + # Authentication management + # ++login auth sufficient /usr/athena/lib/pam_krb4.so + login auth required /usr/lib/security/pam_unix.so.1 + login auth required /usr/lib/security/pam_dial_auth.so.1 + # + rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 + rlogin auth required /usr/lib/security/pam_unix.so.1 + # ++dtlogin auth sufficient /usr/athena/lib/pam_krb4.so + dtlogin auth required /usr/lib/security/pam_unix.so.1 + # + rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 +@@ -24,6 +26,8 @@ + # + # Session management + # ++dtlogin session required /usr/athena/lib/pam_krb4.so ++login session required /usr/athena/lib/pam_krb4.so + other session required /usr/lib/security/pam_unix.so.1 + # + # Password management +--------------------------------------------------------------------------- +To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches: + +--- /etc/pam.d/login~ Thu Jul 8 00:14:02 1999 ++++ /etc/pam.d/login Mon Aug 30 14:33:12 1999 +@@ -1,9 +1,12 @@ + #%PAM-1.0 ++# Updated to work with kerberos ++auth sufficient /lib/security/pam_krb4.so + auth required /lib/security/pam_securetty.so + auth required /lib/security/pam_pwdb.so shadow nullok + auth required /lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password required /lib/security/pam_pwdb.so nullok use_authtok shadow ++session required /lib/security/pam_krb4.so + session required /lib/security/pam_pwdb.so + session optional /lib/security/pam_console.so +--- /etc/pam.d/xdm~ Mon Jun 14 17:39:05 1999 ++++ /etc/pam.d/xdm Mon Aug 30 14:54:51 1999 +@@ -1,8 +1,10 @@ + #%PAM-1.0 ++auth sufficient /lib/security/pam_krb4.so + auth required /lib/security/pam_pwdb.so shadow nullok + auth required 
/lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password required /lib/security/pam_pwdb.so shadow nullok use_authtok ++session required /lib/security/pam_krb4.so + session required /lib/security/pam_pwdb.so + session optional /lib/security/pam_console.so +-------------------------------------------------------------------------- + +This stuff may work under some other system. + # To get this to work, you will have to add entries to /etc/pam.conf # # To make login kerberos-aware, you might change pam.conf to look diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.in b/crypto/kerberosIV/lib/auth/sia/Makefile.in index 7abc8f0..69858bd 100644 --- a/crypto/kerberosIV/lib/auth/sia/Makefile.in +++ b/crypto/kerberosIV/lib/auth/sia/Makefile.in @@ -1,5 +1,5 @@ # -# $Id: Makefile.in,v 1.29 1999/03/21 17:11:58 joda Exp $ +# $Id: Makefile.in,v 1.30 1999/11/15 10:20:50 assar Exp $ # SHELL = /bin/sh @@ -39,7 +39,8 @@ LD_FLAGS = @REAL_LD_FLAGS@ @lib_deps_yes@ -lc @lib_deps_no@LIB_DEPS = -LIB = libsia_krb4.$(SHLIBEXT) +LIBNAME = libsia_krb4 +LIB = $(LIBNAME).$(SHLIBEXT) SOURCES = sia.c posix_getpw.c diff --git a/crypto/kerberosIV/lib/auth/sia/README b/crypto/kerberosIV/lib/auth/sia/README index aa7383e..6595734 100644 --- a/crypto/kerberosIV/lib/auth/sia/README +++ b/crypto/kerberosIV/lib/auth/sia/README @@ -59,7 +59,7 @@ following. the default entry `/usr/tcb/bin/edauth -dd default', and add a `d_accept_alternate_vouching' capability, if not already present. - * For each user that does *not* have a local C2 password, you should + * For each user that does _not_ have a local C2 password, you should set the password expiration field to zero. You can do this for each user, or in the `default' table. To do this use `edauth' to set (or change) the `u_exp' capability to `u_exp#0'. 
@@ -78,7 +78,7 @@ Also, kerberised ftp will not work with C2 passwords. You can solve this by using both Digital's ftpd and our on different ports. *Remember*, if you do these changes you will get a system that most -certainly does *not* fulfill the requirements of a C2 system. If C2 is +certainly does _not_ fulfill the requirements of a C2 system. If C2 is what you want, for instance if someone else is forcing you to use it, you're out of luck. If you use enhanced security because you want a system that is more secure than it would otherwise be, you probably got diff --git a/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf index b664d3d..4b90e02 100644 --- a/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf +++ b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf @@ -13,12 +13,7 @@ # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # -# 3. All advertising materials mentioning features or use of this software -# must display the following acknowledgement: -# This product includes software developed by Kungliga Tekniska -# Högskolan and its contributors. -# -# 4. Neither the name of the Institute nor the names of its contributors +# 3. Neither the name of the Institute nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # @@ -34,7 +29,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. -# $Id: krb4+c2_matrix.conf,v 1.3 1998/06/30 15:14:31 assar Exp $ +# $Id: krb4+c2_matrix.conf,v 1.4 1999/12/02 16:58:37 joda Exp $ # sia matrix configuration file (Kerberos 4 + C2) diff --git a/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf index 9f78850..4f55a81 100644 --- a/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf 
+++ b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf @@ -13,12 +13,7 @@ # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # -# 3. All advertising materials mentioning features or use of this software -# must display the following acknowledgement: -# This product includes software developed by Kungliga Tekniska -# Högskolan and its contributors. -# -# 4. Neither the name of the Institute nor the names of its contributors +# 3. Neither the name of the Institute nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # @@ -34,7 +29,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. -# $Id: krb4_matrix.conf,v 1.5 1998/01/29 02:54:11 joda Exp $ +# $Id: krb4_matrix.conf,v 1.6 1999/12/02 16:58:37 joda Exp $ # sia matrix configuration file (Kerberos 4 + BSD) diff --git a/crypto/kerberosIV/lib/auth/sia/sia.c b/crypto/kerberosIV/lib/auth/sia/sia.c index 8d35b41..73cd53e 100644 --- a/crypto/kerberosIV/lib/auth/sia/sia.c +++ b/crypto/kerberosIV/lib/auth/sia/sia.c @@ -33,7 +33,7 @@ #include "sia_locl.h" -RCSID("$Id: sia.c,v 1.30 1999/04/08 13:07:38 joda Exp $"); +RCSID("$Id: sia.c,v 1.32 1999/10/03 15:49:36 joda Exp $"); int siad_init(void) @@ -105,7 +105,7 @@ doauth(SIAENTITY *entity, int pkgind, char *name) char pwbuf[1024]; struct state *s = (struct state*)entity->mech[pkgind]; #ifdef SIA_KRB5 - char *realm; + krb5_realm *realms, *r; krb5_principal principal; krb5_ccache ccache; krb5_error_code ret; 
@@ -125,23 +125,22 @@ doauth(SIAENTITY *entity, int pkgind, char *name) } #ifdef SIA_KRB5 - ret = krb5_get_default_realm(s->context, &realm); - krb5_build_principal(s->context, &principal, - strlen(realm), - realm, - entity->name, - NULL); + ret = krb5_get_default_realms(s->context, &realms); - - if(!krb5_kuserok(s->context, principal, entity->name)) + for (r = realms; *r != NULL; ++r) { + krb5_make_principal (s->context, &principal, *r, entity->name, NULL); + + if(krb5_kuserok(s->context, principal, entity->name)) + break; + } + krb5_free_host_realm (s->context, realms); + if (*r == NULL) return SIADFAIL; + sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid()); ret = krb5_cc_resolve(s->context, s->ticket, &ccache); if(ret) return SIADFAIL; - ret = krb5_cc_initialize(s->context, ccache, principal); - if(ret) - return SIADFAIL; #endif #ifdef SIA_KRB4 @@ -181,8 +180,8 @@ doauth(SIAENTITY *entity, int pkgind, char *name) } #endif #ifdef SIA_KRB5 - ret = krb5_verify_user(s->context, principal, ccache, - entity->password, 1, NULL); + ret = krb5_verify_user_lrealm(s->context, principal, ccache, + entity->password, 1, NULL); if(ret){ /* if this is most likely a local user (such as root), just silently return failure when the |
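Review bot: `if (*r == NULL)` reads through `r` after `krb5_free_host_realm(s->context, realms)` has released the array `r` points into, i.e. a use after free on every authentication; test the cursor before freeing, as below. The return of `krb5_get_default_realms` is also ignored, so on failure `realms` is indeterminate when the loop dereferences it, and each principal built by `krb5_make_principal` that fails `krb5_kuserok` is leaked because nothing frees it before the next iteration. The declaration of `realms` and `r` is in the previous hunk of this file; doauth begins and ends outside both hunks.
```c
    ret = krb5_get_default_realms(s->context, &realms);
    if (ret)
        return SIADFAIL;
    for (r = realms; *r != NULL; ++r) {
        krb5_make_principal (s->context, &principal, *r, entity->name, NULL);
        if(krb5_kuserok(s->context, principal, entity->name))
            break;
        krb5_free_principal(s->context, principal);   /* not the matching one: drop it */
    }
    if (*r == NULL) {                                 /* decide before realms is freed */
        krb5_free_host_realm (s->context, realms);
        return SIADFAIL;
    }
    krb5_free_host_realm (s->context, realms);
    /* … unchanged: s->ticket / krb5_cc_resolve … */
```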