Rev 135 | Details | Compare with Previous | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 135 | magnus | 1 | Description: Modify lsh-krb-checkpw to work with MIT Kerberos instead of Heimdal. |
| 2 | Building with the latest release of Heimdal (as of February 2016) |
||
| 3 | fails and their maintainers want to orphan it. |
||
| 4 | Bug: https://bugs.debian.org/812813 |
||
| 5 | |||
| 6 | --- a/configure.ac |
||
| 7 | +++ b/configure.ac |
||
| 8 | @@ -475,7 +475,7 @@ if test x$enable_kerberos = xyes; then |
||
| 9 | LSH_CHECK_KRB_LIB(asn1, der_get_octet_string) |
||
| 10 | # Check for krb5_cc_gen_new too? |
||
| 11 | # krb5_verify_user_lrealm seems to be unique to heimdal |
||
| 12 | - LSH_CHECK_KRB_LIB(krb5, krb5_verify_user_lrealm,, [enable_kerberos=no]) |
||
| 13 | + LSH_CHECK_KRB_LIB(krb5, krb5_get_init_creds_password,, [enable_kerberos=no]) |
||
| 14 | fi |
||
| 15 | |||
| 16 | AH_TEMPLATE([WITH_KERBEROS], [For kerberos]) |
||
| 17 | --- a/src/lsh-krb-checkpw.c |
||
| 18 | +++ b/src/lsh-krb-checkpw.c |
||
| 19 | @@ -97,6 +97,8 @@ main(int argc, char **argv) |
||
| 20 | krb5_context context; |
||
| 21 | krb5_ccache ccache; |
||
| 22 | krb5_principal p; |
||
| 23 | + krb5_creds creds; |
||
| 24 | + krb5_principal server; |
||
| 25 | char *name; |
||
| 26 | char *pw; |
||
| 27 | |||
| 28 | @@ -121,18 +123,31 @@ main(int argc, char **argv) |
||
| 29 | if (krb5_init_context (&context)) |
||
| 30 | die("krb5_init_context failed."); |
||
| 31 | |||
| 32 | - if (krb5_make_principal(context, &p, NULL, name, NULL)) |
||
| 33 | - die("krb5_make_principal failed."); |
||
| 34 | + if (krb5_parse_name(context, name, &p)) { |
||
| 35 | + die("krb5_parse_name failed."); |
||
| 36 | + } |
||
| 37 | + |
||
| 38 | + if (krb5_get_init_creds_password(context, &creds, p, pw, |
||
| 39 | + NULL, NULL, 0, NULL, NULL)) { |
||
| 40 | + die("krb5_get_init_creds_password failed."); |
||
| 41 | + } |
||
| 42 | + |
||
| 43 | + if (krb5_verify_init_creds(context, &creds, server, |
||
| 44 | + NULL, NULL, NULL)) { |
||
| 45 | + die("krb5_verify_init_creds failed"); |
||
| 46 | + } |
||
| 47 | |||
| 48 | if (!krb5_kuserok(context, p, name)) |
||
| 49 | die("krb5_kuserok doesn't know the user."); |
||
| 50 | |||
| 51 | + /* |
||
| 52 | if (krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache)) |
||
| 53 | die("krb5_cc_gen_new failed."); |
||
| 54 | |||
| 55 | if (krb5_verify_user_lrealm(context, p, ccache, pw, TRUE, NULL)) |
||
| 56 | die("krb5_verify_user_lrealm failed."); |
||
| 57 | |||
| 58 | + */ |
||
| 59 | /* Authentication successful. */ |
||
| 60 | |||
| 61 | /* TODO: Keep the credential cache in some way. Perhaps write it to |