/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
 * Copyright 1990,1993,2007 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 */
/*
 * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
 */
#if !defined(_WIN32) /* Not yet for Windows */
/* Solaris Kerberos */
/* xlc has a bug with "const" */
/* Solaris Kerberos */
/* Solaris Kerberos */
/*
 * This means that there was no forwarding
 */
/*
 * creds have been forwarded and stored in
 * KRB5_ENV_CCNAME and now we need to store it
 */
"V5 krbtgt principal "),
/*
 * reset the env variable and recreate the
 * cache using the default cache name
 */
"ownership of cache file, "
"possible security breach\n"));
/*
 * krb5_gsscred: Given a kerberos principal try to find the corresponding
 * local uid via the gss cred table. Return TRUE if the uid was found in the
 * cred table, otherwise return FALSE.
 */
/*
 * Convert the kerb principal into a gss name
 */
/*
 * Get the uid mapping from the gsscred table.
 * (but set flag to not call back into this mech as we do krb5
 * auth_to_local name mapping from this module).
 */
/*
 * Given a Kerberos principal "principal", and a local username "luser",
 * determine whether user is authorized to login according to the
 * authorization file ("~luser/.k5login" by default). Returns TRUE
 * if authorized, FALSE if not authorized.
 *
 * If there is no account for "luser" on the local machine, returns
 * FALSE. If there is no authorization file, and the given Kerberos
 * name "server" translates to the same name as "luser" (using
 * krb5_aname_to_lname()), returns TRUE. Otherwise, if the authorization file
 * can't be accessed, returns FALSE. Otherwise, the file is read for
 * a matching principal name, instance, and realm. If one is found,
 * returns TRUE, if none is found, returns FALSE.
 *
 * The file entries are in the format produced by krb5_unparse_name(),
 * one entry per line.
 */
/* Solaris Kerberos */
/* no account => no access */
/*
 * if he's trying to log in as himself, and there is no .k5login file,
 * let him. First, have krb5 check its rules. If no success search
 * the gsscred table (the sequence here should be consistent with the
 * uid mappings done for gssd). To find out, call
 * krb5_aname_to_localname to convert the principal to a name
 * which we can string compare.
 */
/* Solaris Kerberos */
/* Solaris Kerberos */
return(FALSE); /* no hope of matching */
/* open ~/.k5login */
/* Solaris Kerberos > 256 file descriptor enhancement */
/*
 * For security reasons, the .k5login file must be owned either by
 * the user himself, or by root. Otherwise, don't grant access.
 */
/* check each line */
/* null-terminate the input string */
/* nuke the newline if it exists */
/* Solaris Kerberos */
/* clean up the rest of the line if necessary */
/* Solaris Kerberos */
/*
 * If the given Kerberos name "server" translates to the same name as "luser"
 * (using krb5_aname_to_lname()), returns TRUE.
 */
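
The file-checking steps described in the comments above (ownership by the user or root, one principal per line, newline stripping, discarding the rest of an over-long line), as an added stand-alone example that is not the Solaris or MIT code. The names `owner_ok`, `k5login_allows` and `write_sample` are hypothetical, the sample file is constructed, and two things are assumptions of this sketch: it never matches a truncated over-long entry, and it omits the no-`.k5login` fallback through `krb5_aname_to_localname`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The file must be owned by the target user or by root. */
static int owner_ok(uid_t file_uid, uid_t user_uid) { return file_uid == user_uid || file_uid == 0; }

/* 1 if `principal` has its own line in the file at `path`, else 0. */
static int k5login_allows(const char *path, uid_t user_uid, const char *principal) {
    char line[256];
    struct stat sb;
    int c, ok = 0, usable;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return 0;              /* unreadable file: no access */
    /* fstat() the open stream so the check covers the file actually read */
    usable = fstat(fileno(fp), &sb) == 0 && owner_ok(sb.st_uid, user_uid);
    while (usable && !ok && fgets(line, sizeof line, fp) != NULL) {
        int extra = 0;
        char *nl = strchr(line, '\n');
        if (nl != NULL)
            *nl = '\0';                    /* drop the newline */
        else                               /* discard the rest of a long line */
            while ((c = getc(fp)) != EOF && c != '\n')
                extra = 1;
        if (!extra)                        /* never match a truncated entry */
            ok = strcmp(line, principal) == 0;
    }
    fclose(fp);
    return ok;
}

/* Constructed sample file created from a mkstemp() template; 0 on success. */
static int write_sample(char *tmpl) {
    int fd = mkstemp(tmpl);
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (fp == NULL) return -1;
    /* one normal entry, one 300-character line, one entry without newline */
    fprintf(fp, "alice@EXAMPLE.COM\n%0300d\nbob/admin@EXAMPLE.COM", 0);
    return fclose(fp);
}

int main(void) {
    char path[] = "/tmp/k5login.XXXXXX";   /* constructed sample location */
    if (write_sample(path) != 0) return 1;
    printf("alice allowed: %d\n", k5login_allows(path, geteuid(), "alice@EXAMPLE.COM"));
    return remove(path);
}
```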