gic_pwd.c revision 2

/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
/* Solaris Kerberos begin */
/* Solaris Kerberos end */
 * See the function's definition for the description of this interface.
/* If there's already a key of the correct etype, we're done.
   If the etype is wrong, free the existing key, and make
   XXX This was the old behavior, and was wrong in hw preauth
   cases. Is this new behavior -- always asking -- correct in all
/* PROMPTER_INVOCATION */
 * We call our own private function that returns the as_reply back to
 * the caller. This structure contains information, such as
 * key-expiration and last-req fields. Entities such as pam_krb5 can
 * The original "prompter" interface is not granular enough for PAM,
 * as it will perform all passes w/o coordination with other modules.
 * See krb5_get_init_creds_password()'s comments for the justification of this
 * private function. Caller must free ptr_as_reply if non-NULL.
/* krb5_get_init_creds_opt *chpw_opts = NULL; */ /* Solaris Kerberos */
/* Solaris Kerberos begin */
/* Solaris Kerberos end */
/* first try: get the requested tkt from any kdc */
/* check for success */
/* If all the kdc's are unavailable, or if the error was due to a
   user interrupt, fail */
/* if the reply did not come from the master kdc, try again with
/* Solaris Kerberos */
/* if the master is unreachable, return the error from the
   slave we were able to contact or reset the use_master flag */
/* Solaris - if 2nd try failed, reset 1st err msg */
goto cleanup;
/* Login library will deal appropriately with this error */
/* at this point, we have an error from the master. if the error
   is not password expired, or if it is but there's no prompter,
   return this error */
/* historically the default has been to prompt for password change.
 * if the change password prompt option has not been set, we continue
 * to prompt. Prompting is only disabled if the option has been set
 * and the value has been set to false.
/* ok, we have an expired password. Give the user a few chances
/* use a minimal set of options */
/* PROMPTER_INVOCATION */
/* the change succeeded. go on */
/* set this in case the retry loop falls through */
/* the error was soft, so try again */
/* 100 is I happen to know that no code_string will be longer
/* the password change was successful. Get an initial ticket
   from the master. this is the last try. the return from this
/* Solaris Kerberos */
/* if getting the password was successful, then check to see if the
   password is about to expire, and warn if so */
/* XXX 7 days should be configurable. This is all pretty ad hoc,
   and could probably be improved if I was willing to screw around
   with timezones, etc. */
"Warning: Your password will expire in less than one hour.");
"Warning: Your password will expire in %d hour%s.",
"Warning: Your password will expire in %d days.",
/* ignore an error here */
/* PROMPTER_INVOCATION */
 * Check the last_req fields
"Warning: Your password will expire in less than one hour on %s",
"Warning: Your password will expire in %d hour%s on %s",
"Warning: Your password will expire in %d days on %s",
/* ignore an error here */
/* PROMPTER_INVOCATION */
/* Solaris Kerberos begin */
/* if (chpw_opts) */
/* krb5_get_init_creds_opt_free(context, chpw_opts); */
/* Solaris Kerberos end */
 * Argument, ptr_as_reply, being returned to caller if success and non-NULL.

Rewrites get_in_tkt in terms of newer get_init_creds API.
Attempts to get an initial ticket for creds->client to use server
creds->server, (realm is taken from creds->client), with options
options, and using creds->times.starttime, creds->times.endtime,
creds->times.renew_till as from, till, and rtime.
creds->times.renew_till is ignored unless the RENEWABLE option
is requested.

If addrs is non-NULL, it is used for the addresses requested. If
it is null, the system standard addresses are used.

If password is non-NULL, it is converted using the cryptosystem
entry point for a string conversion routine, seeded with the
client's name. If password is passed as NULL, the password is
read from the terminal, and then converted into a key.

A successful call will place the ticket in the credentials cache
ccache.

returns system errors, encryption errors

/* store it in the ccache! */