#include "popper.h"
#ifdef KERBEROS
+#ifdef KRB4
+#ifdef KRB5
+ #error you can only use one of KRB4, KRB5
+#endif
#include <krb.h>
extern AUTH_DAT kdata;
+#endif /* KRB4 */
+#ifdef KRB5
+#include <krb5/krb5.h>
+#include <krb5/ext-proto.h>
+#include <com_err.h>
+extern krb5_principal ext_client;
+extern char *client_name;
+#endif /* KRB5 */
#endif /* KERBEROS */
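Review bot: A build that defines `KERBEROS` but neither `KRB4` nor `KRB5` hits no `#error` here, and judging by the `#ifdef KRB4` / `#ifdef KRB5` guards later in this diff, the realm, instance and username checks in the password handler would then all be compiled out. Existing build configurations that set only `-DKERBEROS` are the likely way to end up in that state, since before this change that flag alone selected the V4 checks. I would make the build fail closed right after `#ifdef KERBEROS` by adding `#if !defined(KRB4) && !defined(KRB5)`, `#error KERBEROS requires one of KRB4 or KRB5`, `#endif`. The rest of the file is not visible here, so confirm that no other path supplies the check.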
#ifndef KERBEROS_PASSWD_HACK
POP * p;
{
#ifdef KERBEROS
+#ifdef KRB4
char lrealm[REALM_SZ];
int status;
+#endif /* KRB4 */
+#ifdef KRB5
+ char *lrealm;
+ krb5_error_code retval;
+#endif /* KRB5 */
#else
register struct passwd * pw;
char *crypt();
#ifdef KERBEROS
+#ifdef KRB4
if ((status = krb_get_lrealm(lrealm,1)) == KFAILURE) {
pop_log(p, POP_WARNING, "%s: (%s.%s@%s) %s", p->client, kdata.pname,
kdata.pinst, kdata.prealm, krb_err_txt[status]);
"Wrong username supplied (%s vs. %s).\n", kdata.pname,
p->user));
}
+#endif /* KRB4 */
+#ifdef KRB5
+ if (retval = krb5_get_default_realm(&lrealm)) {
+ pop_log(p, POP_WARNING, "%s: (%s) %s", p->client, client_name,
+ error_message(retval));
+ return(pop_msg(p,POP_FAILURE,
+ "Kerberos error: \"%s\".", error_message(retval)));
+ }
+
+ if (strncmp(ext_client[0]->data, lrealm, ext_client[0]->length)) {
+ pop_log(p, POP_WARNING, "%s: (%s) realm not accepted.",
+ p->client, client_name);
+ return(pop_msg(p,POP_FAILURE,
+ "Kerberos realm \"%*s\" not accepted.",
+ ext_client[0]->length, ext_client[0]->data));
+ }
+
+
+ /* only accept one-component names, i.e. realm and name only */
+ if (ext_client[2]) {
+ pop_log(p, POP_WARNING, "%s: (%s) instance not accepted.",
+ p->client, client_name);
+ return(pop_msg(p,POP_FAILURE,
+ "Must use null Kerberos(tm) \"instance\" - \"%s\" not accepted.",
+ client_name));
+ }
+
+ /*
+ * be careful! we are assuming that the instance and realm have been
+ * checked already! I used to simply copy the pname into p->user
+ * but this causes too much confusion and assumes p->user will never
+ * change. This makes me feel more comfortable.
+ */
+ if(strncmp(p->user, ext_client[1]->data, ext_client[1]->length))
+ {
+ pop_log(p, POP_WARNING, "%s: auth failed: %s vs %s",
+ p->client, client_name, p->user);
+ return(pop_msg(p,POP_FAILURE,
+ "Wrong username supplied (%*s vs. %s).\n", ext_client[1]->length,
+ ext_client[1]->data,
+ p->user));
+ }
+#endif /* KRB5 */
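Review bot: The username check `strncmp(p->user, ext_client[1]->data, ext_client[1]->length)` compares only the first `ext_client[1]->length` bytes, so a principal whose name is a proper prefix of `p->user` is accepted for that user's maildrop; the realm check on `ext_client[0]` has the same shape, and there a shorter or zero-length client realm also compares equal to `lrealm`. Both tests should require equal lengths too, for example `if (strlen(p->user) != ext_client[1]->length || memcmp(p->user, ext_client[1]->data, ext_client[1]->length))`, with the equivalent using `strlen(lrealm)` for the realm. The two failure messages use `%*s`, which sets a minimum field width and still reads up to a NUL; if these components are counted rather than NUL-terminated, as the length-based comparisons suggest, they need `%.*s` with the length cast to `int`. `ext_client[2]` is also read before anything confirms `ext_client[1]` is non-NULL, so a guard is worth adding if a realm-only principal can reach this point. The enclosing function begins and ends outside the lines shown.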
/* Build the name of the user's maildrop */
(void)sprintf(p->drop_name,"%s/%s",POP_MAILDIR,p->user);
+#ifdef KRB4
/*
* Check to see if the user is in the passwd file, if not get a kerberos
return(POP_SUCCESS);
}
+#endif
+#ifdef KRB5
+ #error: no passwd_hack source for V5.
+#endif
#endif /* KERBEROS_PASSWD_HACK */