From 85d7c0e62a2d6f273e18c6fd99852e95ed4e70df Mon Sep 17 00:00:00 2001 From: Theodore Tso Date: Fri, 24 Dec 1993 22:42:29 +0000 Subject: [PATCH] Lots of cleanup Added preauthentication search list, to control which preauthentication methods to try first. CVS:---------------------------------------------------------------------- git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3276 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/kpasswd/kpasswd.c | 66 ++++++++++++++++++++++++++++-------- 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/src/kadmin/kpasswd/kpasswd.c b/src/kadmin/kpasswd/kpasswd.c index 637b0466e..3a8ac420b 100644 --- a/src/kadmin/kpasswd/kpasswd.c +++ b/src/kadmin/kpasswd/kpasswd.c @@ -77,6 +77,15 @@ krb5_creds my_creds; extern char *krb5_default_pwd_prompt1; +/* + * Try no preauthentication first; then try the encrypted timestamp + */ +int preauth_search_list[] = { + 0, + KRB5_PADATA_ENC_TIMESTAMP, + -1 + }; + main(argc,argv) int argc; char *argv[]; @@ -503,18 +512,38 @@ main(argc,argv) goto finish; } - memcpy(&rd_priv_resp.appl_code, msg_data.data, 1); - memcpy(&rd_priv_resp.oper_code, msg_data.data + 1, 1); - memcpy(&rd_priv_resp.retn_code, msg_data.data + 2, 1); + rd_priv_resp.appl_code = msg_data.data[0]; + rd_priv_resp.oper_code = msg_data.data[1]; + rd_priv_resp.retn_code = msg_data.data[2]; + if (msg_data.length > 3 && msg_data.data[3]) { + rd_priv_resp.message = malloc(msg_data.length - 2); + if (rd_priv_resp.message) { + memcpy(rd_priv_resp.message, msg_data.data + 3, + msg_data.length - 3); + rd_priv_resp.message[msg_data.length - 3] = 0; + } + } else + rd_priv_resp.message = NULL; + free(inbuf.data); free(msg_data.data); - if (!((rd_priv_resp.appl_code == KPASSWD) && - (rd_priv_resp.oper_code == CHGOPER) && - (rd_priv_resp.retn_code == KADMGOOD))) { - fprintf(stderr, "Generic Error During kpasswd!\n"); - retval = 1; - } + if (rd_priv_resp.appl_code == KPASSWD) { + if (rd_priv_resp.retn_code == KPASSGOOD) + printf("\n\nPassword changed.\n\n"); + else if (rd_priv_resp.retn_code == KPASSBAD) { + if (rd_priv_resp.message) + fprintf(stderr, "%s\n", rd_priv_resp.message); + else + fprintf(stderr, "Server returned KPASSBAD.\n"); + } else + fprintf(stderr, "Server returned unknown kerberos code.\n"); + } else + fprintf(stderr, "Server returned bad application code %d\n", + rd_priv_resp.appl_code); + + if (rd_priv_resp.message) + free(rd_priv_resp.message); finish: @@ -525,12 +554,11 @@ main(argc,argv) if (cksum_alloc) free(send_cksum.contents); if (retval) { - fprintf(stderr, "\n\nProtocol Failure - %s\n\n", - kadmind_kpasswd_response[1]); + fprintf(stderr, "\n\nProtocol Failure - Password NOT changed\n\n"); exit(1); } - printf("\n\n%s.\n\n", kadmind_kpasswd_response[0]); + printf("\n\nPassword changed.\n\n"); exit(0); } @@ -554,6 +582,7 @@ OLDDECLARG(krb5_principal, client) int pword_length = sizeof(pword); char *old_password; int old_pwsize; + int i; krb5_address **my_addresses; @@ -608,17 +637,24 @@ OLDDECLARG(krb5_principal, client) } /* Build Request for Initial Credentials */ - if ((retval = krb5_get_in_tkt_with_password( + for (i=0; preauth_search_list[i] >= 0; i++) { + retval = krb5_get_in_tkt_with_password( 0, /* options */ my_addresses, /* do random preauth */ - KRB5_PADATA_ENC_TIMESTAMP, + preauth_search_list[i], ETYPE_DES_CBC_CRC, /* etype */ KEYTYPE_DES, old_password, cache, &my_creds, - 0 ))) { + 0); + if (retval != KRB5KDC_PREAUTH_FAILED && + retval != KRB5KRB_ERR_GENERIC) + break; + } + + if (retval) { fprintf(stderr, "\nUnable to Get Initial Credentials : %s %d\n", error_message(retval),retval); } -- 2.26.2