 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.

 * set KRB5CCNAME shell var
"PAM-KRB5 (password): password: finalize"
" ccname env, login_result =%d, env ='%s'",
 * Put ccname into the pamh so that login
 * apps can pick this up when they run
/* should not happen but... */
"PAM-KRB5 (password):"
" pam_putenv failed: result: %d",
/* for lack of a Solaris unputenv() */

 * do a krb5 login to get and set krb5 creds (needed after a pw change
 * on pw expire on login)
 * if pw has expired, get/set krb5 creds ala auth mod
 * pwchange verified user sufficiently, so don't request strict
 * tgt verification (will cause rcache perm issues possibly anyways)
"PAM-KRB5 (password): get_set_creds: login_result= %d",
 * the krb5 login should not fail, but if so,
 * warn the user they have to kinit(1)
"Could not cache Kerberos"
" credentials, please run "
"kinit(1) or re-login\n"));
 * This is the PAM Kerberos Password Change module
"PAM-KRB5 (password): illegal option %s",
"PAM-KRB5 (password): start: flags = %x",
"PAM-KRB5 (auth): wrong"
"repository found (%s), returning "
/* Nothing to do here */
"PAM-KRB5 (password): prelim check");
/* make sure PAM framework is telling us to update passwords */
"PAM-KRB5 (password): bad flags: %d",
"PAM-KRB5 (password): get mod data failed %d",
/* let's make sure we know the krb5 pw has expired */
"PAM-KRB5 (password): kmd age status %d",
"PAM-KRB5 (password): username is empty");
"PAM-KRB5 (password): can't get uid for %s",
user);
 * if root key exists in the keytab, it's a random key so no
 * need to prompt for pw and we just return IGNORE
"PAM-KRB5 (password): "
"key for '%s' in keytab, returning IGNORE",
user);
 * If the preauth type done didn't use a passwd just ignore the error.
 * If it's a bad password or general failure, we are done.
 * if the preauth type done didn't use a passwd just ignore the
"Old Kerberos password incorrect\n"));
 * If the old password verifies try to change it regardless of the
 * preauth type and do not ignore the error.
"Kerberos password successfully changed\n"));
"PAM-KRB5 (password): out: returns %d",
/* Need to get a krb5_principal struct */
"PAM-KRB5 (password): unable to get host based "
"service name for realm %s\n",
"PAM-KRB5: krb5_verifypw: init_with_pw"

 * Function: krb5_changepw
 * Purpose: Initialize and call lower level routines to change a password
 * princ_str principal name to use, optional
 * old_password old password
 * new_password new password
 * exit status of PAM_SUCCESS for success
 * else returns PAM failure
 * Passwords cannot be more than 255 characters long.
 * Changes the principal's password.
/* Need to get a krb5_principal struct */
"PAM-KRB5 (password):unable to get host based "
"service name for realm %s\n",
"PAM-KRB5 (password): changepw: "
"Kerberos password not changed: "));
"PAM-KRB5 (password): changepw: end %d",
code);