
Description: Modify lsh-krb-checkpw to work with MIT Kerberos instead of Heimdal.
 Building with the latest release of Heimdal (as of February 2016)
 fails and their maintainers want to orphan it.
Bug: https://bugs.debian.org/812813

--- a/configure.ac
+++ b/configure.ac
@@ -475,7 +475,7 @@ if test x$enable_kerberos = xyes; then
   LSH_CHECK_KRB_LIB(asn1, der_get_octet_string)
   # Check for krb5_cc_gen_new too?
   # krb5_verify_user_lrealm seems to be unique to heimdal
-  LSH_CHECK_KRB_LIB(krb5, krb5_verify_user_lrealm,, [enable_kerberos=no])
+  LSH_CHECK_KRB_LIB(krb5, krb5_get_init_creds_password,, [enable_kerberos=no])
 fi
 
 AH_TEMPLATE([WITH_KERBEROS], [For kerberos])
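Review bot: The context comment `# krb5_verify_user_lrealm seems to be unique to heimdal` directly above the changed check is stale now that the probe is for `krb5_get_init_creds_password`; it would read better as `# krb5_get_init_creds_password is available in both MIT Kerberos and Heimdal`. The C file in this patch also calls `krb5_verify_init_creds`, which this check does not probe for. The `LSH_CHECK_KRB_LIB(asn1, der_get_octet_string)` line at the top of the hunk looks Heimdal-specific; whether its failure affects `enable_kerberos` is not visible here and is worth confirming for an MIT build.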
--- a/src/lsh-krb-checkpw.c
+++ b/src/lsh-krb-checkpw.c
@@ -97,6 +97,8 @@ main(int argc, char **argv)
   krb5_context context;
   krb5_ccache ccache;
   krb5_principal p;
+  krb5_creds creds;
+  krb5_principal server;
   char *name;
   char *pw;
   
@@ -121,18 +123,31 @@ main(int argc, char **argv)
   if (krb5_init_context (&context))
     die("krb5_init_context failed.");
 
-  if (krb5_make_principal(context, &p, NULL, name, NULL))
-    die("krb5_make_principal failed.");
+  if (krb5_parse_name(context, name, &p)) {
+    die("krb5_parse_name failed.");
+  }
+  
+  if (krb5_get_init_creds_password(context, &creds, p, pw,
+                                  NULL, NULL, 0, NULL, NULL)) {
+      die("krb5_get_init_creds_password failed.");
+  }
+
+  if (krb5_verify_init_creds(context, &creds, server,
+                            NULL, NULL, NULL)) {
+      die("krb5_verify_init_creds failed");
+  }
   
   if (!krb5_kuserok(context, p, name))
     die("krb5_kuserok doesn't know the user.");
 
+  /*
   if (krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache))
     die("krb5_cc_gen_new failed.");
 
   if (krb5_verify_user_lrealm(context, p, ccache, pw, TRUE, NULL))
     die("krb5_verify_user_lrealm failed.");
 
+  */
   /* Authentication successful. */
 
   /* TODO: Keep the credential cache in some way. Perhaps write it to
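Review bot: `server` is passed to `krb5_verify_init_creds` uninitialized: it is declared in the previous hunk (`krb5_principal server;`) and no assignment is visible in either hunk, so the call reads an indeterminate pointer. Passing `NULL` there lets the library pick the default host principal from the keytab. The verification options are also `NULL`, which leaves the outcome of a missing or unreadable keytab to the `verify_ap_req_nofail` setting in krb5.conf; a password checker should require the verification step explicitly, otherwise a reply from a spoofed KDC may be accepted as proof of the password. `creds` holds the ticket and session key and is never released; `krb5_free_cred_contents` after the verify call would cover that. The body of main starts and ends outside this hunk, and the `vopt` declaration below belongs with the other locals.

```c
  krb5_verify_init_creds_opt vopt;   /* declare with the other locals in main */

  /* … unchanged: krb5_parse_name and krb5_get_init_creds_password calls … */

  krb5_verify_init_creds_opt_init(&vopt);
  krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
  if (krb5_verify_init_creds(context, &creds, NULL,
                             NULL, NULL, &vopt)) {
      krb5_free_cred_contents(context, &creds);
      die("krb5_verify_init_creds failed");
  }
  krb5_free_cred_contents(context, &creds);

  /* … unchanged: krb5_kuserok check … */
```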