krb5_get_init_creds_opt_set_change_password_prompt
authorJeffrey Altman <jaltman@secure-endpoints.com>
Thu, 14 Dec 2006 23:33:53 +0000 (23:33 +0000)
committerJeffrey Altman <jaltman@secure-endpoints.com>
Thu, 14 Dec 2006 23:33:53 +0000 (23:33 +0000)
     krb5_get_init_creds_opt_set_change_password_prompt is a new
     gic option that permits the prompter code to be skipped
     when the password has expired.  This option is meant to
     be used by credential managers such as NetIDMgr and
     Kerberos.app that have their own built in password change
     dialogs.

     This patch adds the new function, exports it on Windows,
     and makes use of it within the Krb5 identity provider
     for NetIDMgr.

     The patch is written to ensure that no changes to the
     krb5_get_init_creds_opt structure are required and
     to ensure that the default behavior, prompting, is
     maintained.

     The export lists for UNIX and KFM must still be updated.

     The function prototype was committed as part of ticket 3642.

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18954 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/gic_opt.c
src/lib/krb5/krb/gic_pwd.c
src/lib/krb5_32.def
src/windows/identity/plugins/common/dynimport.c
src/windows/identity/plugins/common/dynimport.h
src/windows/identity/plugins/krb5/krb5funcs.c

index 58d07b03db538d6002bc2a4b69f7aa9c989dc7f6..3ec59e8aab160972fe89f5e36cf3445eca756b88 100644 (file)
@@ -3,7 +3,7 @@
 void KRB5_CALLCONV
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
 {
-   opt->flags = 0;
+   opt->flags = KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
 }
 
 void KRB5_CALLCONV
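Review bot: Setting `KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT` in `krb5_get_init_creds_opt_init` keeps the prompting default only for callers that use this initializer. A caller that zero-fills the structure or assigns `opt->flags = 0` itself leaves the bit clear, so the new check in gic_pwd.c skips the expired-password dialog without the caller having asked for that. The other flag visible in this file, `KRB5_GET_INIT_CREDS_OPT_SALT`, marks a field as having been set, so a bit that is off by default and means "do not prompt" would match that convention and keep a zeroed structure on the historical behaviour. If the current polarity stays, a comment on the assignment should say so, for example `/* prompt on expired password is the default; cleared via krb5_get_init_creds_opt_set_change_password_prompt(opt, 0) */`.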
@@ -63,3 +63,12 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt)
    opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
    opt->salt = salt;
 }
+
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)
+{
+   if (prompt)
+     opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+   else
+     opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+}
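Review bot: The new public setter `krb5_get_init_creds_opt_set_change_password_prompt` has no comment describing its contract, and this flag behaves differently from the neighbouring setters because it is on by default. I would add a header comment along the lines of `/* prompt != 0 (the default after krb5_get_init_creds_opt_init): offer the password-change dialog when the password has expired; prompt == 0: skip the dialog so the caller can run its own */`. It is also worth stating there that a caller passing 0 takes over responsibility for handling the expired-password result.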
index 40288b9ed50a1577af897ae939baf3ba6da28c21..f7f62f47a97aa7cdd9ab22eb5928ec8e394dd1a9 100644 (file)
@@ -184,7 +184,15 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ
        (prompter == NULL))
       goto cleanup;
 
-   /* ok, we have an expired password.  Give the user a few chances
+    /* historically the default has been to prompt for password change.
+     * if the change password prompt option has not been set, we continue
+     * to prompt.  Prompting is only disabled if the option has been set
+     * and the value has been set to false.
+     */
+    if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+       goto cleanup;
+
+    /* ok, we have an expired password.  Give the user a few chances
       to change it */
 
    /* use a minimal set of options */
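Review bot: The added test reads `options->flags` without first checking `options`. Whether `krb5_get_init_creds_password` accepts a NULL options pointer is not visible in this hunk, but if it does, every expired-password attempt by such a caller would dereference NULL here instead of reaching the prompt. A guard such as `if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))` keeps the historical prompting behaviour for that case. The new comment's statement that prompting continues "if the change password prompt option has not been set" holds only when the structure was initialised through `krb5_get_init_creds_opt_init`, so the wording should say that. The function body starts and ends outside the hunk.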
index 6a9060bf8a3c714d0b41bb0422fc3e2f2a5bdc6c..f767c6de1e87d48179e637416d73dbb2f81b3bbd 100644 (file)
@@ -159,6 +159,7 @@ krb5_c_string_to_key_with_params
        krb5_get_init_creds_opt_set_address_list
        krb5_get_init_creds_opt_set_etype_list
        krb5_get_init_creds_opt_set_forwardable
+       krb5_get_init_creds_opt_set_change_password_prompt
        krb5_get_init_creds_opt_set_preauth_list
        krb5_get_init_creds_opt_set_proxiable
        krb5_get_init_creds_opt_set_renew_life
index 9c93213f3c3ab72b716bf8c9f7878194dac8b9ca..311e4cf9336870e813bbcc84a185b07445aaa45c 100644 (file)
@@ -87,6 +87,7 @@ DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life);
 DECL_FUNC_PTR(krb5_get_init_creds_opt_set_forwardable);\r
 DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable);\r
 DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list);\r
+DECL_FUNC_PTR(krb5_get_init_creds_opt_set_change_password_prompt);\r
 DECL_FUNC_PTR(krb5_get_init_creds_password);\r
 DECL_FUNC_PTR(krb5_get_prompt_types);\r
 DECL_FUNC_PTR(krb5_build_principal_ext);\r
@@ -231,6 +232,7 @@ FUNC_INFO k5_fi[] = {
     MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_forwardable),\r
     MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_proxiable),\r
     MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_address_list),\r
+    MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_change_password_prompt),\r
     MAKE_FUNC_INFO(krb5_get_init_creds_password),\r
     MAKE_FUNC_INFO(krb5_get_prompt_types),\r
     MAKE_FUNC_INFO(krb5_build_principal_ext),\r
index 778bff324b7a25d8f26be57d83b7811d5af75a50..a9561bc86a3b00b530bc3664b8a4746f2344367e 100644 (file)
@@ -199,6 +199,7 @@ extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_forwardable);
 extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable);\r
 extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life);\r
 extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list);\r
+extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_change_password_prompt);\r
 extern DECL_FUNC_PTR(krb5_get_init_creds_password);\r
 extern DECL_FUNC_PTR(krb5_get_prompt_types);\r
 extern DECL_FUNC_PTR(krb5_build_principal_ext);\r
index 85cad117575fd0e1c64b95548626397b3c4c8c57..3bd090f4ee6bdc3ed9e23b766d9bc170189cab82 100644 (file)
@@ -1123,6 +1123,8 @@ khm_krb5_kinit(krb5_context       alt_ctx,
     _reportf(L"In khm_krb5_kinit");\r
 \r
     pkrb5_get_init_creds_opt_init(&options);\r
+    pkrb5_get_init_creds_opt_set_change_password_prompt(&options, 0);\r
+\r
     memset(&my_creds, 0, sizeof(my_creds));\r
 \r
     if (alt_ctx) {\r
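Review bot: `pkrb5_get_init_creds_opt_set_change_password_prompt` is a dynamically resolved pointer and is called here unconditionally. If the dynimport loader tolerates a missing export, which is not visible on this page, running the plugin against an older krb5 DLL without this function would call through a NULL pointer in `khm_krb5_kinit`. Either the loader should treat this symbol as required, or the call should be guarded, e.g. `if (pkrb5_get_init_creds_opt_set_change_password_prompt) pkrb5_get_init_creds_opt_set_change_password_prompt(&options, 0);`. A one-line comment explaining that prompting is disabled because NetIDMgr presents its own password-change dialog would also help. The function continues outside the hunk.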