From: Jeffrey Altman Date: Thu, 14 Dec 2006 23:33:53 +0000 (+0000) Subject: krb5_get_init_creds_opt_set_change_password_prompt X-Git-Tag: krb5-1.7-alpha1~1402 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0efde67fa90272b61c90b07138d0008c8432295d;p=krb5.git krb5_get_init_creds_opt_set_change_password_prompt krb5_get_init_creds_opt_set_change_password_prompt is a new gic option that permits the prompter code to be skipped when the password has expired. This option is meant to be used by credential managers such as NetIDMgr and Kerberos.app that have their own built in password change dialogs. This patch adds the new function, exports it on Windows, and makes use of it within the Krb5 identity provider for NetIDMgr. The patch is written to ensure that no changes to the krb5_get_init_creds_opt structure are required and to ensure that the default behavior, prompting, is maintained. The export lists for UNIX and KFM must still be updated. The function prototype was committed as part of ticket 3642. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18954 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c index 58d07b03d..3ec59e8aa 100644 --- a/src/lib/krb5/krb/gic_opt.c +++ b/src/lib/krb5/krb/gic_opt.c @@ -3,7 +3,7 @@ void KRB5_CALLCONV krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) { - opt->flags = 0; + opt->flags = KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; } void KRB5_CALLCONV @@ -63,3 +63,12 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt) opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; opt->salt = salt; } + +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt) +{ + if (prompt) + opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; + else + opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT; +} diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 40288b9ed..f7f62f47a 100644 
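Review bot: In krb5_get_init_creds_opt_init (gic_opt.c, first hunk) the prompt-on-expiry default is now carried by a set bit, so any krb5_get_init_creds_opt that reaches the library without going through this function has the bit clear. That covers a zero-filled structure or one whose `flags` was assigned directly, and such a caller will take the new no-prompt path added in gic_pwd.c. Existing callers of that kind lose the expired-password prompt with no build-time signal. A comment at the assignment would make the dependency visible, for example `/* prompt-on-expiry is the default; a zeroed opt disables it, see gic_pwd.c */`.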
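Review bot: krb5_get_init_creds_opt_set_change_password_prompt (gic_opt.c, second hunk) is added without a comment stating its contract, which matters because passing 0 moves the expired-password handling onto the caller. Proposed header comment: `/* prompt != 0 (default): on an expired password, run the prompter's change-password exchange; prompt == 0: skip it and return the expiry error, leaving the password change to the caller */`. The error value actually returned is decided in gic_pwd.c, outside this hunk.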
--- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -184,7 +184,15 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_princ (prompter == NULL)) goto cleanup; - /* ok, we have an expired password. Give the user a few chances + /* historically the default has been to prompt for password change. + * if the change password prompt option has not been set, we continue + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ + if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances to change it */ /* use a minimal set of options */ diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index 6a9060bf8..f767c6de1 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -159,6 +159,7 @@ krb5_c_string_to_key_with_params krb5_get_init_creds_opt_set_address_list krb5_get_init_creds_opt_set_etype_list krb5_get_init_creds_opt_set_forwardable + krb5_get_init_creds_opt_set_change_password_prompt krb5_get_init_creds_opt_set_preauth_list krb5_get_init_creds_opt_set_proxiable krb5_get_init_creds_opt_set_renew_life diff --git a/src/windows/identity/plugins/common/dynimport.c b/src/windows/identity/plugins/common/dynimport.c index 9c93213f3..311e4cf93 100644 --- a/src/windows/identity/plugins/common/dynimport.c +++ b/src/windows/identity/plugins/common/dynimport.c @@ -87,6 +87,7 @@ DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life); DECL_FUNC_PTR(krb5_get_init_creds_opt_set_forwardable); DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable); DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list); +DECL_FUNC_PTR(krb5_get_init_creds_opt_set_change_password_prompt); DECL_FUNC_PTR(krb5_get_init_creds_password); DECL_FUNC_PTR(krb5_get_prompt_types); DECL_FUNC_PTR(krb5_build_principal_ext); 
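Review bot: The added test in krb5_get_init_creds_password (gic_pwd.c) dereferences `options` with no NULL check. If this function accepts a NULL options pointer (its parameter handling is outside the hunk), an expired password now ends in a NULL dereference instead of the historical prompt. `if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))` would keep the prompt for that case. The new comment also says prompting is disabled only when the option was explicitly set to false, but the code skips the prompt whenever the bit is clear, including for a structure that never went through krb5_get_init_creds_opt_init; the comment should describe that.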
@@ -231,6 +232,7 @@ FUNC_INFO k5_fi[] = { MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_forwardable), MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_proxiable), MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_address_list), + MAKE_FUNC_INFO(krb5_get_init_creds_opt_set_change_password_prompt), MAKE_FUNC_INFO(krb5_get_init_creds_password), MAKE_FUNC_INFO(krb5_get_prompt_types), MAKE_FUNC_INFO(krb5_build_principal_ext), diff --git a/src/windows/identity/plugins/common/dynimport.h b/src/windows/identity/plugins/common/dynimport.h index 778bff324..a9561bc86 100644 --- a/src/windows/identity/plugins/common/dynimport.h +++ b/src/windows/identity/plugins/common/dynimport.h @@ -199,6 +199,7 @@ extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_forwardable); extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_proxiable); extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_renew_life); extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_address_list); +extern DECL_FUNC_PTR(krb5_get_init_creds_opt_set_change_password_prompt); extern DECL_FUNC_PTR(krb5_get_init_creds_password); extern DECL_FUNC_PTR(krb5_get_prompt_types); extern DECL_FUNC_PTR(krb5_build_principal_ext); diff --git a/src/windows/identity/plugins/krb5/krb5funcs.c b/src/windows/identity/plugins/krb5/krb5funcs.c index 85cad1175..3bd090f4e 100644 --- a/src/windows/identity/plugins/krb5/krb5funcs.c +++ b/src/windows/identity/plugins/krb5/krb5funcs.c @@ -1123,6 +1123,8 @@ khm_krb5_kinit(krb5_context alt_ctx, _reportf(L"In khm_krb5_kinit"); pkrb5_get_init_creds_opt_init(&options); + pkrb5_get_init_creds_opt_set_change_password_prompt(&options, 0); + memset(&my_creds, 0, sizeof(my_creds)); if (alt_ctx) {
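Review bot: In khm_krb5_kinit (krb5funcs.c, last hunk) the new call goes through the dynamically resolved pointer `pkrb5_get_init_creds_opt_set_change_password_prompt` without checking that it was resolved. The export is introduced by this same commit, so a krb5 DLL built before it will not provide the symbol. Whether the loader behind the `k5_fi` table in dynimport.c then fails the whole load or leaves the pointer NULL is not visible here. If the latter is possible, guard the call: `if (pkrb5_get_init_creds_opt_set_change_password_prompt != NULL) pkrb5_get_init_creds_opt_set_change_password_prompt(&options, 0);`. The function body continues outside the hunk.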