kpasswd.c revision 159d09a20817016f09b3ea28d1bdada4a336bb91
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
* Openvision retains the copyright to derivative works of
* this source code. Do *NOT* create a derivative of this
* source code before consulting with your legal department.
* Do *NOT* integrate *ANY* of this source code into another
* product before consulting with your legal department.
*
* For further information, read the top-level Openvision
* copyright which is contained in the top-level MIT Kerberos
* copyright.
*
* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
*
*/
/*
* Copyright 1993-1994 OpenVision Technologies, Inc., All Rights Reserved.
*
* $Header$
*
*
*/
#include <krb5.h>
#include "kpasswd_strings.h"
#define string_text error_message
#include "kpasswd.h"
#include <stdio.h>
#include <pwd.h>
#include <string.h>
#include <libintl.h>
extern char *whoami;
extern void display_intro_message();
extern long read_old_password();
extern long read_new_password();
#define MISC_EXIT_STATUS 6
/*
* Function: kpasswd
*
* Purpose: Initialize and call lower level routines to change a password
*
* Arguments:
*
* context (r) krb5_context to use
* read_old_password (f) function to read old password
* read_new_password (f) function to read new and change password
* display_intro_message (f) function to display intro message
* whoami (extern) argv[0]
*
* Returns:
* exit status of 0 for success
* 1 principal unknown
* 2 old password wrong
* 3 cannot initialize admin server session
* 4 new passwd mismatch or error trying to change pw
* 5 password not typed
* 6 misc error
* 7 incorrect usage
*
* Requires:
* Passwords cannot be more than 255 characters long.
*
* Effects:
*
* If argc is 2, the password for the principal specified in argv[1]
* is changed; otherwise, the principal of the default credential
* cache or username is used. display_intro_message is called with
* the arguments KPW_STR_CHANGING_PW_FOR and the principal name.
* read_old_password is then called to prompt for the old password.
* The admin system is then initialized, the principal's policy
* retrieved and explained, if appropriate, and finally
* read_new_password is called to read the new password and change the
* principal's password (presumably ovsec_kadm_chpass_principal).
* admin system is de-initialized before the function returns.
*
* Modifies:
*
* Changes the principal's password.
*
*/
int
int argc;
char *argv[];
{
krb5_principal princ = 0;
char *princ_str;
unsigned int pwsize;
void *server_handle;
char *cpw_service;
if (argc > 2) {
return(7);
/*NOTREACHED*/
}
/************************************
* Get principal name to change *
************************************/
/* Look on the command line first, followed by the default credential
cache, followed by defaulting to the Unix user name */
if (argc == 2)
else {
/* If we succeed, find who is in the credential cache */
if (code == 0) {
/* Get default principal from cache if one exists */
/* if we got a principal, unparse it, otherwise get out of the if
with an error code */
if (code == 0) {
if (code != 0) {
return(MISC_EXIT_STATUS);
}
}
}
/* this is a crock.. we want to compare against */
/* "KRB5_CC_DOESNOTEXIST" but there is no such error code, and */
/* both the file and stdio types return FCC_NOFILE. If there is */
/* ever another ccache type (or if the error codes are ever */
/* fixed), this code will have to be updated. */
return(MISC_EXIT_STATUS);
}
/* if either krb5_cc failed check the passwd file */
if (code != 0) {
return(MISC_EXIT_STATUS);
}
}
}
/* Need to get a krb5_principal, unless we started from with one from
the credential cache */
if (! princ) {
if (code != 0) {
return(MISC_EXIT_STATUS);
}
}
if (code != 0) {
return(MISC_EXIT_STATUS);
}
if (pwsize == 0) {
return(5);
}
"service name for realm %s\n"),
exit(1);
}
if (code != 0) {
if (code == KADM5_BAD_PASSWORD)
else
}
/*
* we can only check the policy if the server speaks
* RPCSEC_GSS
*/
/* Explain policy restrictions on new password if any. */
/*
* Note: copy of this exists in login
*/
if (code != 0) {
(void) kadm5_destroy(server_handle);
}
&policy_entry);
if (code != 0) {
/*
* doesn't matter which error comes back,
* there's no nice recovery or need to
* differentiate to the user
*/
(void) kadm5_destroy(server_handle);
return (MISC_EXIT_STATUS);
}
&principal_entry)) {
(void) kadm5_free_policy_ent(server_handle,
&policy_entry);
(void) kadm5_destroy(server_handle);
return (MISC_EXIT_STATUS);
}
&policy_entry)) {
(void) kadm5_destroy(server_handle);
return (MISC_EXIT_STATUS);
}
} else {
/*
* kpasswd *COULD* output something here to
* encourage the choice of good passwords,
* in the absence of an enforced policy.
*/
&principal_entry)) {
(void) kadm5_destroy(server_handle);
return (MISC_EXIT_STATUS);
}
}
} /* if protocol == KRB5_CHGPWD_RPCSEC */
if (code)
(void) kadm5_destroy(server_handle);
if (code == KRB5_LIBOS_CANTREADPWD)
return(5);
else if (code)
return(4);
else
return(0);
}