--- /dev/null
+/*+*************************************************************************
+**
+** k5passwd
+**
+** Changes your password in the Kerberos V5. This should have been
+** part of the kadm stuff but we're forced to build a nicer API on top
+** of the calls they provide.
+**
+***************************************************************************/
+#ifdef KRB5
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "krb5.h"
+#include "com_err.h"
+#include "adm.h"
+#include "adm_proto.h"
+
+static const char *kadm_replies[] = {
+ "Operation successful", /* KRB5_ADM_SUCCESS */
+ "Command not recognized", /* KRB5_ADM_CMD_UNKNOWN */
+ "Password unacceptable to server", /* KRB5_ADM_PW_UNACCEPT */
+ "Old password incorrect", /* KRB5_ADM_BAD_PW */
+ "Invalid ticket (TKT_FLAG_INITIAL not set)",/* KRB5_ADM_NOT_IN_TKT */
+ "Server refused password change", /* KRB5_ADM_CANT_CHANGE */
+ "Language not supported", /* KRB5_ADM_LANG_NOT_SUPPORTED */
+};
+static const char *kadm_replies_unknown = "UNKNOWN ERROR";
+static char errbuf[1024]; /* For response from kadm */
+
+/*+*************************************************************************
+**
+** get_admin_response
+**
+** Builds into a static buffer the replies sent back by the admin server.
+**
+***************************************************************************/
+static char *
+get_admin_response (
+ krb5_int32 status, // Type of error
+ krb5_int32 nreplies, // Size of reply
+ krb5_data * reply) // Buffer of messages
+{
+ char *ptr; // For building the response
+ char *end = errbuf + sizeof (errbuf); // So we don't overflow
+ int i; // Index
+ int n; // Length
+
+ if (status <= KRB5_ADM_LANG_NOT_SUPPORTED) // Is it of a known type???
+ strcpy (errbuf, kadm_replies[status]);
+ else
+ strcpy (errbuf, kadm_replies_unknown); // Unknown error type
+ ptr = errbuf + strlen (errbuf); // Point at the end
+
+ if (nreplies > 0) { // Are there more message?
+ *ptr++ = ':';
+ *ptr = '\0';
+ }
+
+ for (i = 0; i < nreplies; ++i) { // Append additional messages
+ *ptr++ = '\n';
+
+ n = reply[i].length; // Easier to work with
+ if (ptr + n + 2 >= errbuf) // Check for overflow
+ break;
+ memcpy (ptr, reply[i].data, n); // Add the message
+ ptr += n; // Point to the end
+ *ptr = '\0';
+ }
+
+ return errbuf;
+}
+/*+*************************************************************************
+**
+** keyadmin_send_recieve
+**
+** Sends a command to the key admin and reads the reply.
+**
+***************************************************************************/
+static krb5_error_code
+keyadmin_send_receive (
+ krb5_context k5context,
+ int * conn_socket,
+ krb5_auth_context * auth_context,
+ krb5_int32 nargs,
+ krb5_data * arglist,
+ krb5_int32 * cmd_stat,
+ krb5_int32 * nreplies,
+ krb5_data ** reply)
+{
+ krb5_error_code kret;
+
+ kret = krb5_send_adm_cmd (k5context, conn_socket, auth_context,
+ nargs, arglist);
+
+ if (! kret)
+ kret = krb5_read_adm_reply (k5context, conn_socket, auth_context,
+ cmd_stat, nreplies, reply);
+
+ return kret;
+}
+/*+*************************************************************************
+**
+** k5_change_password
+**
+** Bundles all the crude needed to change the password into one file.
+**
+***************************************************************************/
+krb5_error_code
+k5_change_password (
+ krb5_context k5context,
+ char *user,
+ char *realm,
+ char *opasswd,
+ char *npasswd,
+ char **text)
+{
+ krb5_error_code kret, kret2;
+ krb5_auth_context * auth_context;
+ krb5_ccache ccache;
+ int conn_socket; /* Socket for talking over */
+ krb5_int32 nreplies;
+ krb5_data data[3];
+ krb5_data * reply;
+ krb5_int32 status;
+ char * name;
+
+ *text = NULL; /* Be safe */
+ name = malloc (strlen (user) + strlen (realm) + 2);
+ if (name == NULL)
+ return ENOMEM;
+ sprintf (name, "%s@%s", user, realm);
+
+/*
+** Establish the connection.
+*/
+ kret = krb5_adm_connect (k5context, name, NULL, opasswd, &conn_socket,
+ &auth_context, &ccache);
+ if (kret)
+ goto done;
+/*
+** Check to see if it's an acceptable password
+*/
+ data[0].data = KRB5_ADM_CHECKPW_CMD;
+ data[0].length = strlen (data[0].data);
+ data[1].data = npasswd;
+ data[1].length = strlen (npasswd);
+
+ kret = keyadmin_send_receive (k5context, &conn_socket, auth_context,
+ 2, data, &status, &nreplies, &reply);
+ if (kret) /* Some external error */
+ goto cleanup;
+
+ if (status != KRB5_ADM_SUCCESS) { /* Some problem??? */
+ kret = status;
+ *text = get_admin_response (status, nreplies, reply);
+ krb5_free_adm_data (k5context, nreplies, reply);
+
+ goto quit;
+ }
+ krb5_free_adm_data (k5context, nreplies, reply);
+
+/*
+** The new password is ok, so now actually change the password
+*/
+ data[0].data = KRB5_ADM_CHANGEPW_CMD;
+ data[0].length = strlen (data[0].data);
+ data[1].data = opasswd;
+ data[1].length = strlen (opasswd);
+ data[2].data = npasswd;
+ data[2].length = strlen (npasswd);
+
+ kret = keyadmin_send_receive (k5context, &conn_socket, auth_context,
+ 3, data, &status, &nreplies, &reply);
+ if (kret)
+ goto cleanup;
+
+ if (status != KRB5_ADM_SUCCESS) {
+ kret = status;
+ *text = get_admin_response (status, nreplies, reply);
+ krb5_free_adm_data (k5context, nreplies, reply);
+
+ goto quit;
+ }
+
+ krb5_free_adm_data (k5context, nreplies, reply);
+/*+
+** Need to send quit command.
+*/
+ quit:
+ data[0].data = KRB5_ADM_QUIT_CMD;
+ data[0].length = strlen (data[0].data);
+
+ kret2 = keyadmin_send_receive (k5context, &conn_socket, auth_context,
+ 1, data, &status, &nreplies, &reply);
+ if (kret2) {
+ if (! kret)
+ kret = kret2;
+ } else if (status != KRB5_ADM_SUCCESS) {
+ if (! kret)
+ kret = status;
+ if (*text == NULL)
+ *text = get_admin_response (status, nreplies, reply);
+ }
+ krb5_free_adm_data (k5context, nreplies, reply);
+
+ cleanup:
+ krb5_adm_disconnect (k5context, &conn_socket, auth_context, ccache);
+ done:
+ free (name);
+
+ return kret;
+}
+
+#endif /* KRB5 */
projects / krb5.git / commitdiff