Bugzilla – Attachment 581 Details for
Bug 819
patch to add kerberos password-changing
[patch]
updated patch
kerberos_passwd_change.patch.1 (text/plain), 5.52 KB, created by
Buck Huppmann
on 2004-03-31 01:09:33 AEST
Description:
updated patch
Filename:
MIME Type:
Creator:
Buck Huppmann
Created:
2004-03-31 01:09:33 AEST
Size:
5.52 KB
patch
obsolete
>diff -ur openssh-3.8p1/acconfig.h openssh-3.8p1.new/acconfig.h
>--- openssh-3.8p1/acconfig.h Fri Feb 6 00:24:31 2004
>+++ openssh-3.8p1.new/acconfig.h Tue Mar 2 10:55:38 2004
>@@ -256,6 +256,9 @@
> /* Define if you want Kerberos 5 support */
> #undef KRB5
>
>+/* Full path of your "kpasswd" program */
>+#undef _PATH_KPASSWD_PROG
>+
> /* Define this if you are using the Heimdal version of Kerberos V5 */
> #undef HEIMDAL
>
>diff -ur openssh-3.8p1/auth-krb5.c openssh-3.8p1.new/auth-krb5.c
>--- openssh-3.8p1/auth-krb5.c Fri Nov 21 20:11:06 2003
>+++ openssh-3.8p1.new/auth-krb5.c Tue Mar 30 08:35:36 2004
>@@ -42,6 +42,10 @@
> #ifdef KRB5
> #include <krb5.h>
>
>+#ifdef HEIMDAL
>+#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
>+#endif
>+
> extern ServerOptions options;
>
> static int
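Review bot: The compatibility alias in the `#ifdef HEIMDAL` block is keyed on the vendor rather than on the name it papers over, so a library that ships both spellings would hit a macro redefinition. Guarding it with `#ifndef KRB5KDC_ERR_KEY_EXP` instead of `#ifdef HEIMDAL` states the real condition and makes the `#define` harmless wherever the MIT name already exists. A short comment would also help the next reader, e.g. `/* MIT spells this KRB5KDC_ERR_KEY_EXP, Heimdal KRB5KDC_ERR_KEY_EXPIRED */`.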
>@@ -59,6 +63,52 @@
> return (0);
> }
>
>+static int
>+try_get_cpw_ticket(Authctxt *authctxt, const char *password)
>+{
>+ char *realm;
>+ size_t cpwprinclen;
>+ char *cpwprinc;
>+ krb5_error_code problem;
>+ krb5_creds creds;
>+ krb5_get_init_creds_opt opts;
>+ memset(&creds, 0, sizeof(creds));
>+ problem = krb5_get_default_realm(authctxt->krb5_ctx, &realm);
>+ if (problem)
>+ return (problem);
>+ cpwprinclen = strlen("kadmin/changepw") + 1 + strlen(realm) + 1;
>+ cpwprinc = (char *)xmalloc(cpwprinclen);
>+ strlcpy(cpwprinc, "kadmin/changepw", cpwprinclen);
>+ strlcat(cpwprinc, "@", cpwprinclen);
>+ strlcat(cpwprinc, realm, cpwprinclen);
>+ /* the MIT libraries seem to require that options incompatible
>+ * with a password-change-service ticket request be reset,
>+ * whereas Heimdal seems to figure this out for itself if
>+ * given a NULL options argument. anyway, do what should work
>+ * for both, now and into the future (hopefully), as MIT's
>+ * kpasswd does */
>+ krb5_get_init_creds_opt_init(&opts);
>+ krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
>+ krb5_get_init_creds_opt_set_renew_life(&opts, 0);
>+ krb5_get_init_creds_opt_set_forwardable(&opts, 0);
>+ krb5_get_init_creds_opt_set_proxiable(&opts, 0);
>+
>+ problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
>+ authctxt->krb5_user,
>+ (char *)password,
>+ NULL, NULL, 0, cpwprinc, &opts);
>+ free(cpwprinc);
>+ free(realm);
>+ if (problem) {
>+ return (problem);
>+ }
>+ krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
>+ disable_forwarding();
>+ authctxt->force_pwchange = 1;
>+ authctxt->krb5_force_pwchange = 1;
>+ return (0);
>+}
>+
> int
> auth_krb5_password(Authctxt *authctxt, const char *password)
> {
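Review bot: `try_get_cpw_ticket()` assigns `authctxt->krb5_force_pwchange = 1`, but the auth.h hunk declares that field only under `#ifdef _PATH_KPASSWD_PROG`, while this function is compiled whenever KRB5 is set, so a build where configure did not find kpasswd fails on that line (and a build that did find it still gets an unused-function warning wherever the callers are compiled out). Wrap the whole definition in `#ifdef _PATH_KPASSWD_PROG` ... `#endif /* _PATH_KPASSWD_PROG */`, matching its only call sites. `realm` comes from `krb5_get_default_realm()` and is released with plain `free()`; MIT provides `krb5_free_default_realm()` for exactly this, which keeps the release matched to the library's allocator — worth confirming against the Heimdal headers in use before switching. The function also needs a header comment stating its contract, since nothing in the body says it: it proves the supplied password by obtaining a short-lived kadmin/changepw ticket and then discards the credential, so the later kpasswd exec will prompt for the expired password again.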
>@@ -102,6 +152,33 @@
>
> temporarily_use_uid(authctxt->pw);
>
>+#ifdef _PATH_KPASSWD_PROG
>+ if (problem == KRB5KDC_ERR_KEY_EXP) {
>+ }
>+ else {
>+ krb5_creds creds;
>+ int kret = krb5_get_init_creds_password(authctxt->krb5_ctx,
>+ &creds,
>+ authctxt->krb5_user,
>+ (char *)password,
>+ NULL, NULL, 0,
>+ NULL, NULL);
>+ if (!kret) { /* ?!?!!? */
>+ krb5_free_cred_contents(authctxt->krb5_ctx, &creds);
>+ goto not_expired;
>+ }
>+ else if (kret != KRB5KDC_ERR_KEY_EXP)
>+ goto not_expired;
>+ }
>+
>+ problem = try_get_cpw_ticket(authctxt, password);
>+ /* if that worked, flag for special handling below */
>+ if (!problem)
>+ problem = KRB5KDC_ERR_KEY_EXP;
>+
>+not_expired:
>+#endif /* _PATH_KPASSWD_PROG */
>+
> if (problem)
> goto out;
>
>@@ -120,6 +197,14 @@
> #else
> problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
> authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
>+#ifdef _PATH_KPASSWD_PROG
>+ if (problem == KRB5KDC_ERR_KEY_EXP) {
>+ problem = try_get_cpw_ticket(authctxt, password);
>+ /* if that worked, flag for special handling below */
>+ if (!problem)
>+ problem = KRB5KDC_ERR_KEY_EXP;
>+ }
>+#endif /* _PATH_KPASSWD_PROG */
> if (problem)
> goto out;
>
>@@ -191,7 +276,12 @@
>
> krb5_cleanup_proc(authctxt);
>
>+ if (problem == KRB5KDC_ERR_KEY_EXP)
>+ /* return with authctxt->force_pwchange set, so we
>+ * drop straight into kpasswd */
>+ return (1);
> if (options.kerberos_or_local_passwd)
>+
> return (-1);
> else
> return (0);
>diff -ur openssh-3.8p1/auth.h openssh-3.8p1.new/auth.h
>--- openssh-3.8p1/auth.h Tue Mar 2 15:51:19 2004
>+++ openssh-3.8p1.new/auth.h Tue Mar 2 11:12:14 2004
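Review bot: The `else` arm of the new `#ifdef _PATH_KPASSWD_PROG` block in the -102 hunk runs for `problem == 0` as well, so every successful login on this path pays a second `krb5_get_init_creds_password()` exchange before reaching `not_expired`, and every failed one sends the same wrong password to the KDC twice, which doubles what a lockout or audit policy counts. If the probe exists only to find out whether a non-expiry error was hiding an expired key, replace the empty `if (problem == KRB5KDC_ERR_KEY_EXP) { }` / `else {` with `if (!problem) goto not_expired;` followed by `if (problem != KRB5KDC_ERR_KEY_EXP) {`; if a successful verification is instead expected to mask expiry here, a comment should say so, because that is the only reason to probe on success. The `/* ?!?!!? */` marker should become a sentence naming the case it covers and why `not_expired` is the right outcome for it. auth_krb5_password begins before this hunk, and the call whose result `problem` holds is outside it.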
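Review bot: In the -191 hunk the `return (1)` keyed on `problem == KRB5KDC_ERR_KEY_EXP` treats that error code as proof that `try_get_cpw_ticket()` succeeded, but the same value reaches `out:` when `try_get_cpw_ticket()` itself fails with `KRB5KDC_ERR_KEY_EXP` (the -102 and -120 hunks overwrite only a 0 result with the sentinel, and pass any other result through); in that case nothing has verified the password, `force_pwchange` was never set, and the caller is told the login succeeded. A KDC answering a kadmin/changepw request with an expiry error is unusual, but the fix is cheap: keep a local `int pwchange_ok = 0;`, set it to 1 only where `try_get_cpw_ticket()` returns 0, and test `if (pwchange_ok) return (1);` here instead of the error code. Returning success from inside the failure path, after `krb5_cleanup_proc()` has run, also bypasses whatever the normal success return checks (outside the hunk — if it consults `authctxt->valid`, mirror that here), so the comment should state explicitly that no credential was stored and why that is acceptable. The blank line added between `if (options.kerberos_or_local_passwd)` and `return (-1);` looks accidental.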
>@@ -67,6 +67,9 @@
> krb5_ccache krb5_fwd_ccache;
> krb5_principal krb5_user;
> char *krb5_ticket_file;
>+#ifdef _PATH_KPASSWD_PROG
>+ int krb5_force_pwchange;
>+#endif /* _PATH_KPASSWD_PROG */
> #endif
> void *methoddata;
> };
>diff -ur openssh-3.8p1/configure.ac openssh-3.8p1.new/configure.ac
>--- openssh-3.8p1/configure.ac Tue Mar 2 15:51:19 2004
>+++ openssh-3.8p1.new/configure.ac Tue Mar 2 11:00:29 2004
>@@ -2079,6 +2079,13 @@
> AC_DEFINE(KRB5)
> KRB5_MSG="yes"
>
>+ TestPath="${KRB5ROOT}/bin${PATH_SEPARATOR}$PATH"
>+
>+ AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)
>+ if test ! -z "$PATH_KPASSWD_PROG" ; then
>+ AC_DEFINE_UNQUOTED(_PATH_KPASSWD_PROG, "$PATH_KPASSWD_PROG")
>+ fi
>+
> AC_MSG_CHECKING(for krb5-config)
> if test -x $KRB5ROOT/bin/krb5-config ; then
> KRB5CONF=$KRB5ROOT/bin/krb5-config
>diff -ur openssh-3.8p1/session.c openssh-3.8p1.new/session.c
>--- openssh-3.8p1/session.c Mon Feb 23 08:01:27 2004
>+++ openssh-3.8p1.new/session.c Tue Mar 2 15:34:05 2004
>@@ -1306,7 +1306,13 @@
> if (s->ttyfd != -1) {
> fprintf(stderr,
> "You must change your password now and login again!\n");
>- execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
>+#ifdef _PATH_KPASSWD_PROG
>+ if (options.kerberos_authentication == 1 &&
>+ s->authctxt->krb5_force_pwchange)
>+ execl(_PATH_KPASSWD_PROG, "kpasswd", (char *)NULL);
>+ else
>+#endif /* _PATH_KPASSWD_PROG */
>+ execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
> perror("passwd");
> } else {
> fprintf(stderr,
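Review bot: `AC_PATH_PROG(PATH_KPASSWD_PROG, kpasswd,, $TestPath)` in the configure.ac hunk bakes whichever `kpasswd` the build host finds first into sshd as an absolute path that the session later exec()s, and `$TestPath` ends with the builder's entire `$PATH`, so a build run under an unusual PATH silently selects a different binary than the one on the target. Limiting the search to `${KRB5ROOT}/bin` plus the conventional system directories, or letting the packager set the path through a `--with-` style option, would make the compiled-in path predictable; at minimum the chosen value should be echoed in the configure summary. A comment on the `TestPath` line saying it is the search order for kpasswd only would also help.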
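Review bot: When the new `execl(_PATH_KPASSWD_PROG, "kpasswd", (char *)NULL)` in the session.c hunk fails, control falls through to the existing `perror("passwd")`, so the diagnostic names the wrong program. Selecting the path and argv[0] into locals first and passing the chosen name to `perror()` fixes that and removes the `#ifdef`-spanning `else`, which is easy to misread. The branch should also carry a comment noting that kpasswd runs with the user's uid and will prompt for the expired password again because authentication did not cache a credential (inferred from the auth-krb5.c hunks). The enclosing function starts and ends outside this hunk.
```c
		const char *prog = _PATH_PASSWD_PROG, *name = "passwd";
#ifdef _PATH_KPASSWD_PROG
		/* Kerberos flagged the expiry: change the KDC password, not the local one. */
		if (options.kerberos_authentication == 1 &&
		    s->authctxt->krb5_force_pwchange) {
			prog = _PATH_KPASSWD_PROG;
			name = "kpasswd";
		}
#endif /* _PATH_KPASSWD_PROG */
		execl(prog, name, (char *)NULL);
		perror(name);
```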