/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
*
* Copyright 1990,1993,2007 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
/*
*/
/*
* krb5_kuserok()
*/
#include "k5-int.h"
#if !defined(_WIN32) /* Not yet for Windows */
#include <stdio.h>
/* Solaris Kerberos */
#include <string.h>
#include <stdlib.h>
#include <pwd.h>
#include <libintl.h>
#include <gssapi/gssapi_ext.h>
#include <gssapi_krb5.h>
#include <gssapiP_krb5.h>
#include <syslog.h>
/* xlc has a bug with "const" */
#endif
#else
#endif
/* Solaris Kerberos */
extern void
extern OM_uint32
extern int
extern const char *error_message(long);
0,
};
/* Solaris Kerberos */
static krb5_error_code
/*
 * NOTE(review): the function name and parameter list are missing from this
 * listing.  From the comments and calls below it appears to take credentials
 * that were forwarded into the cache named by KRB5_ENV_CCNAME and re-store
 * them in a credential cache kept under the target uid -- confirm against
 * the full source before relying on this description.
 *
 * Returns 0 when there is nothing to do or everything succeeded, otherwise
 * the krb5_error_code of the first failing library call (each failure is
 * also reported through the gettext() messages below).
 */
{
char *name = 0;
if (name == 0)
/*
 * No cache name was obtained: this means that there was no
 * forwarding of creds, so there is nothing to move.  Not an error.
 */
return (0);
else {
/*
 * creds have been forwarded and stored in the cache named by
 * KRB5_ENV_CCNAME; copy them into a cache stored under the uid.
 */
0);
/*
 * NOTE(review): the two adjacent string literals below concatenate to
 * "...while creatingV5 krbtgt principal " -- there is no space after
 * "creating".  Cosmetic, but it is a runtime message.
 */
if (retval) {
gettext("KRB5: %s while creating"
"V5 krbtgt principal "),
return (retval);
}
/*
 * Clear ticket_flags on the match template before the retrieve below
 * (presumably so that the lookup does not filter on ticket flags).
 */
mcreds.ticket_flags = 0;
if (retval) {
gettext("KRB5: %s while getting "
"default cache "),
return (retval);
}
0,
&mcreds, &save_v5creds);
/* NOTE(review): "cerdentials" is a typo in the runtime message below. */
if (retval) {
gettext("KRB5: %s while retrieving "
"cerdentials "),
return (retval);
}
/*
 * reset the env variable and recreate the
 * cache using the default cache name
 *
 * NOTE(review): between the destroy and the initialize below, the default
 * cache name does not refer to an existing cache.  If that name is a FILE:
 * cache in a directory writable by other local users, confirm that the
 * creation path is safe against another user pre-creating that name (the
 * classic credential-cache symlink race); this listing shows neither the
 * cache type nor how the file is created.
 */
if (retval) {
gettext("KRB5: %s while destroying cache "),
return (retval);
}
if (retval) {
gettext("KRB5: %s while resolving cache "),
return (retval);
}
if (retval) {
gettext("KRB5: %s while initializing cache "),
return (retval);
}
if (retval) {
gettext("KRB5: %s while storing creds "),
return (retval);
}
/*
 * NOTE(review): no return is visible after this message, so a failure to
 * change ownership of the new cache appears to be logged only, and the
 * function still falls through to return (0) below.  A cache left owned
 * by the wrong uid is exactly the condition the message itself calls a
 * "possible security breach"; a practitioner would expect this path to
 * fail closed -- confirm against the full source.
 */
gettext("KRB5: Can not change "
"ownership of cache file, "
"possible security breach\n"));
}
}
return (0);
}
/*
 * Solaris Kerberos:
 * krb5_gsscred: Given a Kerberos principal, try to find the corresponding
 * local uid via the gsscred table. Return TRUE if the uid was found in the
 * table, otherwise return FALSE.
 */
static krb5_boolean
/*
 * NOTE(review): the name and parameter list are missing from this listing;
 * per the comment above this is krb5_gsscred(), and `uid` below is the
 * output argument that receives the mapped local uid.
 */
{
/*
 * Convert the Kerberos principal into a GSS name.
 */
if (major != GSS_S_COMPLETE)
return (FALSE); /* conversion failed: reported the same as "no mapping" */
/*
 * Get the uid mapping from the gsscred table.
 * (but set flag to not call back into this mech as we do krb5
 * auth_to_local name mapping from this module).
 *
 * NOTE(review): no release of the converted GSS name is visible on either
 * path in this listing -- confirm it is released in the full source.
 */
uid, 0, 0, 0, 0);
if (major != GSS_S_COMPLETE)
return (FALSE); /* no entry, or a lookup error: the caller cannot tell which */
return (TRUE);
}
/*
 * Given a Kerberos principal "principal", and a local username "luser",
 * determine whether the user is authorized to log in according to the
 * authorization file ("~luser/.k5login" by default). Returns TRUE
 * if authorized, FALSE if not authorized.
 *
 * If there is no account for "luser" on the local machine, returns
 * FALSE. If there is no authorization file, and "principal" translates
 * to the same name as "luser" (using krb5_aname_to_localname()), returns
 * TRUE. Otherwise, if the authorization file can't be accessed, returns
 * FALSE. Otherwise, the file is read for a matching principal name,
 * instance, and realm. If one is found, returns TRUE; if none is found,
 * returns FALSE.
 *
 * The file entries are in the format produced by krb5_unparse_name(),
 * one entry per line.
 *
 */
{
/*
 * NOTE(review): the signature of this function precedes this listing; per
 * the file header and the comment above it is krb5_kuserok().  Many of the
 * statements between the surviving lines are also missing here.
 */
char *princname;
char *newline;
/* Solaris Kerberos */
int gobble;
int result;
/* no account => no access */
return(FALSE);
return(FALSE);
/*
 * If the user is trying to log in as themself and there is no .k5login
 * file, let them.  First, have krb5 check its own rules.  If that does
 * not succeed, search the gsscred table (the sequence here should be
 * consistent with the uid mappings done for gssd).  To find out, call
 * krb5_aname_to_localname to convert the principal to a name which we
 * can string compare.
 */
/* Solaris Kerberos */
return (FALSE);
return(TRUE);
}
/* Solaris Kerberos */
#ifdef DEBUG
/* NOTE(review): princname is already declared at function scope above;
 * this DEBUG-only declaration presumably shadows it in an inner block. */
char *princname;
#endif
return (FALSE);
return (TRUE);
}
}
}
return(FALSE); /* no hope of matching */
/* open ~/.k5login */
/* Solaris Kerberos > 256 file descriptor enhancement */
return(FALSE);
}
/*
 * For security reasons, the .k5login file must be owned either by
 * the user himself, or by root. Otherwise, don't grant access.
 *
 * NOTE(review): ownership is the only criterion visible here; no check of
 * the file mode appears in this listing, so a .k5login that is group- or
 * world-writable would presumably still be honoured.  Confirm whether the
 * full source rejects such files.
 */
return(FALSE);
}
return(FALSE);
}
/* check each line */
/* null-terminate the input string */
/* nuke the newline if it exists */
*newline = '\0';
/* Solaris Kerberos */
return (FALSE);
continue;
}
/*
 * clean up the rest of the line if necessary: an entry longer than the
 * read buffer has no newline yet, so the remainder is presumably consumed
 * (see `gobble` above) before the next entry is read.
 */
if (!newline)
}
return(isok); /* NOTE(review): isok is not declared in this listing. */
}
/* Solaris Kerberos */
const gss_name_t pname,
const char *user,
int *user_ok)
{
/*
 * NOTE(review): the return type and function name precede this listing.
 * From the arguments this is the GSS-API "userok" entry of the krb5 mech:
 * it is expected to set *user_ok to 1 when the GSS name `pname` is allowed
 * to log in as the local account `user`, and 0 otherwise (presumably via
 * the kuserok logic above -- confirm).  The conditions guarding the early
 * returns are not visible here.
 */
return (GSS_S_CALL_INACCESSIBLE_READ); /* input argument missing; *user_ok not written */
return (GSS_S_CALL_INACCESSIBLE_WRITE); /* output argument missing */
/* Fail closed: the answer is 0 unless every check below succeeds. */
*user_ok = 0;
if (kret) {
return (GSS_S_FAILURE);
}
if (! kg_validate_name(pname)) {
return (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME);
}
*user_ok = 1;
}
return (GSS_S_COMPLETE);
}
#else /* _WIN32 */
/*
 * Windows variant (no authorization-file check yet, see the note at the top
 * of the file). If the given Kerberos principal translates to the same name
 * as "luser" (using krb5_aname_to_localname()), returns TRUE; otherwise
 * returns FALSE.
 */
const char *luser;
{
/*
 * NOTE(review): the return type, name and first parameter (the principal)
 * precede this listing, and the statements between the returns are missing.
 * Only the outcomes survive: presumably FALSE when the principal cannot be
 * converted to a local name, TRUE when the converted name equals luser,
 * FALSE otherwise.
 */
return FALSE;
return TRUE;
return FALSE;
}
#endif /* _WIN32 */