krb5_get_init_creds_opt_set_change_password_prompt is a new
gic option that permits the prompter code to be skipped
when the password has expired. This option is meant to
be used by credential managers such as NetIDMgr and
Kerberos.app that have their own built-in password change
dialogs.
This patch adds the new function, exports it on Windows,
and makes use of it within the Krb5 identity provider
for NetIDMgr.
The patch is written to ensure that no changes to the
krb5_get_init_creds_opt structure are required and
to ensure that the default behavior, prompting, is
maintained.
The export lists for UNIX and KFM must still be updated.
The function prototype was committed as part of ticket 3642.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18954
dc483132-0cff-0310-8789-
dd5450dbe970
void KRB5_CALLCONV
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
{
- opt->flags = 0;
+ opt->flags = KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
}
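Review bot: Setting `KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT` in `krb5_get_init_creds_opt_init` makes the prompting default depend on every caller going through this initializer. An options structure that a caller zero-fills instead (for example with `memset`) has the bit clear, so the new check in the expired-password path would skip the password-change prompt for it. That would contradict the commit's stated aim of keeping the default behaviour, although whether such callers exist cannot be seen from this page. At minimum, state the requirement above the assignment, e.g. `/* CHG_PWD_PRMPT is on by default; a flags word that was only zeroed disables prompting on expiry */`.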
void KRB5_CALLCONV
opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
opt->salt = salt;
}
+
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)
+{
+ if (prompt)
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+ else
+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+}
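Review bot: The new public setter `krb5_get_init_creds_opt_set_change_password_prompt` has no comment saying what `prompt` means or what the default is. I would add above it `/* prompt != 0: on an expired password, run the prompter-driven password change (default after krb5_get_init_creds_opt_init); prompt == 0: skip it */`. What the caller receives when the prompt is skipped is decided by the `goto cleanup` in the expired-password hunk and should be documented once confirmed there. The unmarked lines at the top of this hunk are the tail of a different function that starts outside it.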
(prompter == NULL))
goto cleanup;
- /* ok, we have an expired password. Give the user a few chances
+ /* historically the default has been to prompt for password change.
+ * if the change password prompt option has not been set, we continue
+ * to prompt. Prompting is only disabled if the option has been set
+ * and the value has been set to false.
+ */
+ if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ goto cleanup;
+
+ /* ok, we have an expired password. Give the user a few chances
to change it */
/* use a minimal set of options */
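Review bot: The added test `options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT` dereferences `options` unconditionally. If this function accepts a NULL options pointer, which the hunk does not show, an expired password would now fault in the library instead of prompting. Treating NULL as the historical default matches what the new comment describes: `if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))`. The enclosing function starts and ends outside the hunk, so its existing handling of `options` should be checked there before settling on the guard.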
krb5_get_init_creds_opt_set_address_list
krb5_get_init_creds_opt_set_etype_list
krb5_get_init_creds_opt_set_forwardable
+ krb5_get_init_creds_opt_set_change_password_prompt
krb5_get_init_creds_opt_set_preauth_list
krb5_get_init_creds_opt_set_proxiable
krb5_get_init_creds_opt_set_renew_life
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_forwardable);\r
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable);\r
DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list);\r
+DECL_FUNC_PTR(krb5_get_init_creds_opt_set_change_password_prompt);\r
DECL_FUNC_PTR(krb5_get_init_creds_password);\r
DECL_FUNC_PTR(krb5_get_prompt_types);\r
DECL_FUNC_PTR(krb5_build_principal_ext);\r
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_forwardable),\r
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_proxiable),\r
MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_address_list),\r
+ MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_change_password_prompt),\r
MAKE_FUNC_INFO(krb5_get_init_creds_password),\r
MAKE_FUNC_INFO(krb5_get_prompt_types),\r
MAKE_FUNC_INFO(krb5_build_principal_ext),\r
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable);\r
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life);\r
extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list);\r
+extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_change_password_prompt);\r
extern DECL_FUNC_PTR(krb5_get_init_creds_password);\r
extern DECL_FUNC_PTR(krb5_get_prompt_types);\r
extern DECL_FUNC_PTR(krb5_build_principal_ext);\r
_reportf(L"In khm_krb5_kinit");\r
\r
pkrb5_get_init_creds_opt_init(&options);\r
+ pkrb5_get_init_creds_opt_set_change_password_prompt(&options, 0);\r
+\r
memset(&my_creds, 0, sizeof(my_creds));\r
\r
if (alt_ctx) {\r
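Review bot: `pkrb5_get_init_creds_opt_set_change_password_prompt` is called unconditionally through a dynamically resolved pointer, so a krb5 library that predates this export could leave it NULL, depending on how the loader (not shown on this page) treats missing symbols. If the loader tolerates missing symbols, guard the call with `if (pkrb5_get_init_creds_opt_set_change_password_prompt != NULL)` before `pkrb5_get_init_creds_opt_set_change_password_prompt(&options, 0);`. If it fails the whole load instead, a short comment recording the minimum library version this provider now requires would help. `khm_krb5_kinit` continues outside the hunk.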