| blob | 7d79d4ccbaabc6cf1f512b50dae9f2548405f04e |
1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
7 /*
8 * lib/krb5/os/changepw.c
9 *
10 * Copyright 1990,1999 by the Massachusetts Institute of Technology.
11 * All Rights Reserved.
12 *
13 * Export of this software from the United States of America may
14 * require a specific license from the United States Government.
15 * It is the responsibility of any person or organization contemplating
16 * export to obtain such a license before exporting.
17 *
18 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
19 * distribute this software and its documentation for any purpose and
20 * without fee is hereby granted, provided that the above copyright
21 * notice appear in all copies and that both that copyright notice and
22 * this permission notice appear in supporting documentation, and that
23 * the name of M.I.T. not be used in advertising or publicity pertaining
24 * to distribution of the software without specific, written prior
25 * permission. Furthermore if you modify this software you must label
26 * your software as modified software and not distribute it in such a
27 * fashion that it might be confused with the original M.I.T. software.
28 * M.I.T. makes no representations about the suitability of
29 * this software for any purpose. It is provided "as is" without express
30 * or implied warranty.
31 *
32 */
34 #define NEED_SOCKETS
35 #include <k5-int.h>
36 #include <kadm5/admin.h>
37 #include <client_internal.h>
38 #include <gssapi/gssapi.h>
39 #include <gssapi_krb5.h>
40 #include <gssapiP_krb5.h>
41 #include <krb5.h>
43 /* #include "adm_err.h" */
44 #include <stdio.h>
45 #include <errno.h>
48 krb5_auth_context auth_context,
53 krb5_auth_context auth_context,
57 /*
58 * _kadm5_get_kpasswd_protocol
59 *
60 * returns the password change protocol value to the caller.
61 * Since the 'handle' is an opaque value to higher up callers,
62 * this method is needed to provide a way for them to get a peek
63 * at the protocol being used without having to expose the entire
64 * handle structure.
65 */
66 krb5_chgpwd_prot
68 {
72 }
74 /*
75 * krb5_change_password
76 *
77 * Prepare and send a CHANGEPW request to a password server
78 * using UDP datagrams. This is only used for sending to
79 * non-SEAM servers which support the Marc Horowitz defined
80 * protocol (1998) for password changing.
81 *
82 * SUNW14resync - added _local as it conflicts with one in krb5.h
83 */
84 static krb5_error_code
86 srvr_msg)
87 krb5_context context;
93 {
94 krb5_auth_context auth_context;
108 /* Initialize values so that cleanup call can safely check for NULL */
115 /* initialize auth_context so that we know we have to free it */
120 AP_OPTS_USE_SUBKEY,
124 /*
125 * find the address of the kpasswd_server.
126 */
134 }
143 /*
144 * this is really obscure. s1 is used for all communications. it
145 * is left unconnected in case the server is multihomed and routes
146 * are asymmetric. s2 is connected to resolve routes and get
147 * addresses. this is the *only* way to get proper addresses for
148 * multihomed hosts if routing is asymmetric.
149 *
150 * A related problem in the server, but not the client, is that
151 * many os's have no way to disconnect a connected udp socket, so
152 * the s2 socket needs to be closed and recreated for each
153 * request. The s1 socket must not be closed, or else queued
154 * requests will be lost.
155 *
156 * A "naive" client implementation (one socket, no connect,
157 * hostname resolution to get the local ip addr) will work and
158 * interoperate if the client is single-homed.
159 */
162 {
165 }
168 {
171 }
174 {
175 fd_set fdset;
179 SOCKET_ERROR)
180 {
187 }
192 {
199 }
201 /*
202 * some brain-dead OS's don't return useful information from
203 * the getsockname call. Namely, windows and solaris.
204 */
206 {
213 }
214 else
215 {
228 }
232 {
239 }
247 /*
248 * mk_priv requires that the local address be set.
249 * getsockname is used for this. rd_priv requires that the
250 * remote address be set. recvfrom is used for this. If
251 * rd_priv is given a local address, and the message has the
252 * recipient addr in it, this will be checked. However, there
253 * is simply no way to know ahead of time what address the
254 * message will be delivered *to*. Therefore, it is important
255 * that either no recipient address is in the messages when
256 * mk_priv is called, or that no local address is passed to
257 * rd_priv. Both is a better idea, and I have done that. In
258 * summary, when mk_priv is called, *only* a local address is
259 * specified. when rd_priv is called, *only* a remote address
260 * is specified. Are we having fun yet?
261 */
265 {
268 }
272 {
275 }
280 {
287 }
292 /* XXX need a timeout/retry loop here */
305 /* fall through */
306 ;
307 }
312 {
315 }
337 }
341 cleanup:
359 }
362 /*
363 * kadm5_chpass_principal_v2
364 *
365 * New function used to prepare to make the change password request to a
366 * non-SEAM admin server. The protocol used in this case is not based on
367 * RPCSEC_GSS, it simply makes the request to port 464 (udp and tcp).
368 * This is the same way that MIT KRB5 1.2.1 changes passwords.
369 */
370 kadm5_ret_t
372 krb5_principal princ,
376 {
377 kadm5_ret_t code;
379 krb5_error_code result;
380 krb5_creds mcreds;
381 krb5_creds ncreds;
382 krb5_ccache ccache;
386 /*
387 * The credentials have already been stored in the cache in the
388 * initialization step earlier, but we dont have direct access to it
389 * at this level. Derive the cache and fetch the credentials to use for
390 * sending the request.
391 */
397 /* set the client principal in the credential match structure */
400 /*
401 * set the server principal (kadmin/changepw@REALM) in the credential
402 * match struct
403 */
409 }
414 /* generate the server principal from the name string we generated */
419 }
421 /* Find the credentials in the cache */
426 }
428 /* Now we have all we need to make the change request. */
431 srvr_rsp_code,
432 srvr_msg);
436 }