Attachment 581 Details for Bug 819 – updated patch

[patch] updated patch

kerberos_passwd_change.patch.1 (text/plain), 5.52 KB, created by Buck Huppmann on 2004-03-31 01:09:33 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Buck Huppmann

Created: 2004-03-31 01:09:33 AEST

Size: 5.52 KB

patch

obsolete

>diff -ur openssh-3.8p1/acconfig.h openssh-3.8p1.new/acconfig.h
>--- openssh-3.8p1/acconfig.h	Fri Feb  6 00:24:31 2004
>+++ openssh-3.8p1.new/acconfig.h	Tue Mar  2 10:55:38 2004
>@@ -256,6 +256,9 @@
> /* Define if you want Kerberos 5 support */
> #undef KRB5
> 
>+/* Full path of your "kpasswd" program */
>+#undef _PATH_KPASSWD_PROG
>+
> /* Define this if you are using the Heimdal version of Kerberos V5 */
> #undef HEIMDAL
> 
>diff -ur openssh-3.8p1/auth-krb5.c openssh-3.8p1.new/auth-krb5.c
>--- openssh-3.8p1/auth-krb5.c	Fri Nov 21 20:11:06 2003
>+++ openssh-3.8p1.new/auth-krb5.c	Tue Mar 30 08:35:36 2004
>@@ -42,6 +42,10 @@
> #ifdef KRB5
> #include <krb5.h>
> 
>+#ifdef HEIMDAL
>+#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
>+#endif
>+
> extern ServerOptions	 options;
> 
> static int
>@@ -59,6 +63,52 @@
> 	return (0);
> }
> 
>+static int
>+try_get_cpw_ticket(Authctxt *authctxt, const char *password)
>+{
>+	char *realm;
>+	size_t cpwprinclen;
>+	char *cpwprinc;
>+	krb5_error_code problem;
>+	krb5_creds creds;
>+	krb5_get_init_creds_opt opts;
>+	memset(&creds, 0, sizeof(creds));
>+	problem = krb5_get_default_realm(authctxt->krb5_ctx, &realm);
>+	if (problem)
>+		return (problem);
>+	cpwprinclen = strlen("kadmin/changepw") + 1 + strlen(realm) + 1;
>+	cpwprinc = (char *)xmalloc(cpwprinclen);
>+	strlcpy(cpwprinc, "kadmin/changepw", cpwprinclen);
>+	strlcat(cpwprinc, "@", cpwprinclen);
>+	strlcat(cpwprinc, realm, cpwprinclen);
>+	/* the MIT libraries seem to require that options incompatible
>+	 * with a password-change-service ticket request be reset,
>+	 * whereas Heimdal seems to figure this out for itself if
>+	 * given a NULL options argument. anyway, do what should work
>+	 * for both, now and into the future (hopefully), as MIT's
>+	 * kpasswd does */
>+	krb5_get_init_creds_opt_init(&opts);
>+	krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
>+	krb5_get_init_creds_opt_set_renew_life(&opts, 0);
>+	krb5_get_init_creds_opt_set_forwardable(&opts, 0);
>+	krb5_get_init_creds_opt_set_proxiable(&opts, 0);
>+
>+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
>+					       authctxt->krb5_user,
>+					       (char *)password,
>+					       NULL, NULL, 0, cpwprinc, &opts);
>+	free(cpwprinc);
>+	free(realm);
>+	if (problem) {
>+		return (problem);
>+	}
>+	krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
>+	disable_forwarding();
>+	authctxt->force_pwchange = 1;
>+	authctxt->krb5_force_pwchange = 1;
>+	return (0);
>+}
>+
> int
> auth_krb5_password(Authctxt *authctxt, const char *password)
> {
>@@ -102,6 +152,33 @@
> 
> 	temporarily_use_uid(authctxt->pw);
> 
>+#ifdef _PATH_KPASSWD_PROG
>+	if (problem == KRB5KDC_ERR_KEY_EXP) {
>+	}
>+	else {
>+		krb5_creds creds;
>+		int kret = krb5_get_init_creds_password(authctxt->krb5_ctx,
>+							&creds,
>+							authctxt->krb5_user,
>+							(char *)password,
>+							NULL, NULL, 0,
>+							NULL, NULL);
>+	  	if (!kret) { /* ?!?!!? */
>+			krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
>+			goto not_expired;
>+		}
>+		else if (kret != KRB5KDC_ERR_KEY_EXP)
>+			goto not_expired;
>+	}
>+
>+	problem = try_get_cpw_ticket(authctxt, password);
>+	/* if that worked, flag for special handling below */
>+	if (!problem)
>+		problem = KRB5KDC_ERR_KEY_EXP;
>+
>+not_expired:
>+#endif /* _PATH_KPASSWD_PROG */
>+
> 	if (problem)
> 		goto out;
> 
>@@ -120,6 +197,14 @@
> #else
> 	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
> 	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
>+#ifdef _PATH_KPASSWD_PROG
>+	if (problem == KRB5KDC_ERR_KEY_EXP) {
>+		problem = try_get_cpw_ticket(authctxt, password);
>+		/* if that worked, flag for special handling below */
>+		if (!problem)
>+			problem = KRB5KDC_ERR_KEY_EXP;
>+	}
>+#endif /* _PATH_KPASSWD_PROG */
> 	if (problem)
> 		goto out;
> 
>@@ -191,7 +276,12 @@
> 
> 		krb5_cleanup_proc(authctxt);
> 
>+		if (problem == KRB5KDC_ERR_KEY_EXP)
>+			/* return with authctxt->force_pwchange set, so we
>+			 * drop straight into kpasswd */
>+			return (1);
> 		if (options.kerberos_or_local_passwd)
>+
> 			return (-1);
> 		else
> 			return (0);
>diff -ur openssh-3.8p1/auth.h openssh-3.8p1.new/auth.h
>--- openssh-3.8p1/auth.h	Tue Mar  2 15:51:19 2004
>+++ openssh-3.8p1.new/auth.h	Tue Mar  2 11:12:14 2004
>@@ -67,6 +67,9 @@
> 	krb5_ccache	 krb5_fwd_ccache;
> 	krb5_principal	 krb5_user;
> 	char		*krb5_ticket_file;
>+#ifdef _PATH_KPASSWD_PROG
>+	int		 krb5_force_pwchange;
>+#endif /* _PATH_KPASSWD_PROG */
> #endif
> 	void		*methoddata;
> };
>diff -ur openssh-3.8p1/configure.ac openssh-3.8p1.new/configure.ac
>--- openssh-3.8p1/configure.ac	Tue Mar  2 15:51:19 2004
>+++ openssh-3.8p1.new/configure.ac	Tue Mar  2 11:00:29 2004
>@@ -2079,6 +2079,13 @@
> 		AC_DEFINE(KRB5)
> 		KRB5_MSG="yes"
> 
>+		TestPath="${KRB5ROOT}/bin${PATH_SEPARATOR}$PATH"
>+
>+		AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)
>+		if test ! -z "$PATH_KPASSWD_PROG" ; then
>+		   AC_DEFINE_UNQUOTED(_PATH_KPASSWD_PROG, "$PATH_KPASSWD_PROG")
>+		fi
>+
> 		AC_MSG_CHECKING(for krb5-config)
> 		if test -x  $KRB5ROOT/bin/krb5-config ; then
> 			KRB5CONF=$KRB5ROOT/bin/krb5-config
>diff -ur openssh-3.8p1/session.c openssh-3.8p1.new/session.c
>--- openssh-3.8p1/session.c	Mon Feb 23 08:01:27 2004
>+++ openssh-3.8p1.new/session.c	Tue Mar  2 15:34:05 2004
>@@ -1306,7 +1306,13 @@
> 	if (s->ttyfd != -1) {
> 	    	fprintf(stderr,
> 		    "You must change your password now and login again!\n");
>-		execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
>+#ifdef _PATH_KPASSWD_PROG
>+		if (options.kerberos_authentication == 1 &&
>+		    s->authctxt->krb5_force_pwchange)
>+			execl(_PATH_KPASSWD_PROG, "kpasswd", (char *)NULL);
>+		else
>+#endif /* _PATH_KPASSWD_PROG */
>+			execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
> 		perror("passwd");
> 	} else {
> 		fprintf(stderr,

Actions: View | Diff

Attachments on bug 819: 576 | 581