From 08935f4cd9ef1422ea7693526599e307de04c516 Mon Sep 17 00:00:00 2001 From: christos Date: Mon, 23 Apr 2012 20:57:04 +0000 Subject: [PATCH] make kerberos work again: 1. make notickets external 2. don't use the tty as part of the credential cache, since pts/1 will not work. 3. Attempt to use the newer functions, but punt for now since it does not work yet. --- usr.bin/login/k5login.c | 35 +++++++++++++++++++++++++++-------- usr.bin/login/login.c | 6 +++--- 2 files changed, 30 insertions(+), 11 deletions(-) diff --git a/usr.bin/login/k5login.c b/usr.bin/login/k5login.c index c503fff566dc..ffa4d389161b 100644 --- a/usr.bin/login/k5login.c +++ b/usr.bin/login/k5login.c @@ -1,4 +1,4 @@ -/* $NetBSD: k5login.c,v 1.29 2012/04/23 15:07:02 christos Exp $ */ +/* $NetBSD: k5login.c,v 1.30 2012/04/23 20:57:04 christos Exp $ */ /*- * Copyright (c) 1990 The Regents of the University of California. @@ -51,7 +51,7 @@ #if 0 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; #endif -__RCSID("$NetBSD: k5login.c,v 1.29 2012/04/23 15:07:02 christos Exp $"); +__RCSID("$NetBSD: k5login.c,v 1.30 2012/04/23 20:57:04 christos Exp $"); #endif /* not lint */ #ifdef KERBEROS5 @@ -71,7 +71,7 @@ __RCSID("$NetBSD: k5login.c,v 1.29 2012/04/23 15:07:02 christos Exp $"); krb5_context kcontext; -int notickets; +extern int notickets; int krb5_configured; char *krb5tkfile_env; extern char *tty; @@ -335,14 +335,11 @@ k5login(struct passwd *pw, char *instance, char *localhost, char *password) krb5_timestamp now; krb5_ccache ccache = NULL; long lifetime = KRB5_DEFAULT_LIFE; - int options = KRB5_DEFAULT_OPTIONS; char *realm, *client_name; char *principal; krb5_configured = 1; - if (login_krb5_forwardable_tgt) - options |= KDC_OPT_FORWARDABLE; /* * Root logins don't use Kerberos. 
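Review bot: `extern int notickets;` in k5login.c is a hand-written declaration of an object that the login.c hunk at the end of this patch now defines as `int notickets = 1;`, so the compiler cannot check that the two stay in agreement. If the two files share a header, the declaration belongs there. Otherwise annotate both sides so the link is visible, e.g. `extern int notickets;	/* defined in login.c */` and `int notickets = 1;	/* also used by k5login.c */`. The neighbouring `extern char *tty;` context line follows the same pattern and would benefit from the same treatment.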
@@ -366,10 +363,10 @@ k5login(struct passwd *pw, char *instance, char *localhost, char *password) if (strcmp(instance, "root") != 0) (void)snprintf(tkt_location, sizeof tkt_location, - "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); + "FILE:/tmp/krb5cc_%d", pw->pw_uid); else (void)snprintf(tkt_location, sizeof tkt_location, - "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); + "FILE:/tmp/krb5cc_root_%d", pw->pw_uid); krb5tkfile_env = tkt_location; has_ccache = 1; @@ -433,8 +430,30 @@ k5login(struct passwd *pw, char *instance, char *localhost, char *password) my_creds.times.endtime = now + lifetime; my_creds.times.renew_till = 0; +#if 1 + int options = KRB5_DEFAULT_OPTIONS; + + if (login_krb5_forwardable_tgt) + options |= KDC_OPT_FORWARDABLE; + kerror = krb5_get_in_tkt_with_password(kcontext, options, NULL, NULL, NULL, password, ccache, &my_creds, 0); +#else + /* This does not work yet */ + krb5_get_init_creds_opt *opt; + + if ((kerror = krb5_get_init_creds_opt_alloc(kcontext, &opt)) != 0) { + k5_log(kcontext, kerror, "while getting options"); + return (1); + } + if (login_krb5_forwardable_tgt) + krb5_get_init_creds_opt_set_forwardable(opt, 1); + + kerror = krb5_get_init_creds_password(kcontext, &my_creds, me, password, + NULL, NULL, 0, NULL, opt); + + krb5_get_init_creds_opt_free(kcontext, opt); +#endif if (my_creds.server != NULL) krb5_free_principal(kcontext, my_creds.server); diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c index 50fd8728de48..1d6b570bbe1d 100644 --- a/usr.bin/login/login.c +++ b/usr.bin/login/login.c @@ -1,4 +1,4 @@ -/* $NetBSD: login.c,v 1.100 2012/04/23 18:27:15 christos Exp $ */ +/* $NetBSD: login.c,v 1.101 2012/04/23 20:57:04 christos Exp $ */ /*- * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 
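Review bot: With the tty component dropped from `tkt_location`, every login for a given uid resolves to one fixed, predictable file in `/tmp` (`FILE:/tmp/krb5cc_%d`), so concurrent sessions of the same user share a cache. Anything that destroys the cache at logout would then remove the other sessions' tickets too. Whether that file is created safely when a file or symlink of the same name already exists depends on ccache code elsewhere in k5login(), whose body starts and ends outside this hunk, so that is worth confirming. If per-session caches are still wanted, keeping the tty but mapping `/` to `_` avoids the `pts/1` problem; if the shared cache is intended, say so with a comment such as `/* one cache per uid, shared by all of the user's sessions */`. Separately, `pw->pw_uid` is printed with `%d`, and an explicit `(int)pw->pw_uid` would keep the format and argument in agreement however `uid_t` is defined.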
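Review bot: The disabled `#else` branch calls `krb5_get_init_creds_password()`, which fills `my_creds` but is never given `ccache`, whereas the active `krb5_get_in_tkt_with_password()` call receives `ccache` directly. As written the new path would obtain credentials without putting a ticket in the cache, which may be part of why it "does not work yet". When it is revived it needs a store step after a successful call, e.g. `if (kerror == 0) kerror = krb5_cc_store_cred(kcontext, ccache, &my_creds);`, assuming the cache has already been initialised earlier in k5login(), which is outside the hunk. The early `return (1)` after a failed `krb5_get_init_creds_opt_alloc()` also skips the cleanup that follows the `#endif`, so check it against what the function has allocated by that point. A short comment on `#if 1` stating that the deprecated call is kept on purpose would help the next reader.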
@@ -39,7 +39,7 @@ __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\ #if 0 static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; #endif -__RCSID("$NetBSD: login.c,v 1.100 2012/04/23 18:27:15 christos Exp $"); +__RCSID("$NetBSD: login.c,v 1.101 2012/04/23 20:57:04 christos Exp $"); #endif /* not lint */ /* @@ -118,7 +118,7 @@ static void usage(void); #if defined(KERBEROS5) int has_ccache = 0; -static int notickets = 1; +int notickets = 1; extern krb5_context kcontext; extern int have_forward; extern char *krb5tkfile_env;