1 /* ========================================================================
2 * Copyright 1988-2006 University of Washington
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
11 * ========================================================================
15 * Program: MIT Kerberos routines
17 * Author: Mark Crispin
18 * Networks and Distributed Computing
19 * Computing & Communications
20 * University of Washington
21 * Administration Building, AG-44
23 * Internet: MRC@CAC.Washington.EDU
26 * Last Edited: 30 August 2006
29 #define PROTOTYPE(x) x
30 #include <gssapi/gssapi_generic.h>
31 #include <gssapi/gssapi_krb5.h>
/* Server-side Kerberos entry points defined below.
 *
 * kerberos_server_valid: T if the default keytab can be opened, NIL otherwise
 * kerberos_try_kinit:    T if the given error means "no/expired credentials"
 *                        and the user should be told to run kinit
 * kerberos_login:        logged-in user name (from myusername ()) if the
 *                        principal authuser may log in as user, NIL otherwise
 */
long kerberos_server_valid (void);
long kerberos_try_kinit (OM_uint32 error);
char *kerberos_login (char *user,char *authuser,int argc,char *argv[]);
/* Kerberos server valid check
 * Returns: T if have keytab, NIL otherwise
 *
 * Note that this routine will probably return T only if the process is root.
 * This is alright since the server is probably still root at this point.
 *
 * "Valid" is a weak check: the default keytab could be opened and a cursor
 * started and ended on it.  No principal or key material is inspected, so a
 * T result does not by itself prove the keytab holds a usable service key.
 */

long kerberos_server_valid (void)
{
  krb5_context ctx;
  krb5_keytab kt;
  krb5_kt_cursor csr;
  long ok = NIL;
				/* no context means no server */
  if (krb5_init_context (&ctx)) return NIL;
				/* get default keytab */
  if (!krb5_kt_default (ctx,&kt)) {
				/* only end the cursor if it was started */
    if (!krb5_kt_start_seq_get (ctx,kt,&csr)) {
      if (!krb5_kt_end_seq_get (ctx,kt,&csr)) ok = LONGT;
    }
    krb5_kt_close (ctx,kt);	/* finished with keytab */
  }
  krb5_free_context (ctx);	/* finished with context */
  return ok;
}
/* Kerberos check for missing or expired credentials
 * Accepts: Kerberos/GSSAPI minor status from a failed operation
 * Returns: T if should suggest running kinit, NIL otherwise
 *
 * Only these three codes are treated as "no usable ticket"; any other
 * failure (wrong realm, clock skew, keytab problems, ...) yields NIL so
 * the caller does not mask an unrelated error behind a kinit hint.
 */

long kerberos_try_kinit (OM_uint32 error)
{
  long expired = (error == KRB5KRB_AP_ERR_TKT_EXPIRED);
  long nocache = (error == KRB5_FCC_NOFILE) ||	/* MIT */
    (error == KRB5_CC_NOTFOUND);		/* Heimdal */
  return (expired || nocache) ? LONGT : NIL;
}
/* Kerberos server log in
 * Accepts: authorization ID as user name
 *	    authentication ID as Kerberos principal
 *	    argument count
 *	    argument vector
 * Returns: logged in user name if logged in, NIL otherwise
 *
 * The authentication decision is not made here: authuser is mapped to a
 * local account via krb5_aname_to_localname() (i.e. the KDC-side auth_to_local
 * rules), and authserver_login() then decides whether that local account may
 * act as the requested user.  Both the exact user name and a lower-cased
 * variant are tried, so the authorization check is effectively
 * case-insensitive on the user side.
 */

char *kerberos_login (char *user,char *authuser,int argc,char *argv[])
{
  char *name = NIL;
  char kuser[NETMAXUSER];	/* only meaningful once aname_to_localname succeeds */
  krb5_context ctx;
  krb5_principal prnc;
				/* no context means no login */
  if (krb5_init_context (&ctx)) return NIL;
				/* build principal from authentication ID */
  if (!krb5_parse_name (ctx,authuser,&prnc)) {
				/* local name for principal, and permitted as user?
				 * NOTE(review): lcase() appears to lower-case user
				 * in place, so the caller's buffer is modified by
				 * the retry -- confirm against lcase's definition */
    if (!krb5_aname_to_localname (ctx,prnc,NETMAXUSER-1,kuser) &&
	(authserver_login (user,kuser,argc,argv) ||
	 authserver_login (lcase (user),kuser,argc,argv)))
      name = myusername ();	/* yes, return user name */
    krb5_free_principal (ctx,prnc);
  }
  krb5_free_context (ctx);	/* finished with context */
  return name;
}