authorRuss Allbery <rra@stanford.edu>2008-01-19 01:20:38 +0000
committerRuss Allbery <rra@stanford.edu>2008-01-19 01:20:38 +0000
commitcf71c7dac06561b14c8be3383fdb2ca4f3a318d9 (patch)
treed6b05a005c67710a6d2831abba193923f2070f93 /client/krb5.c
parentb4f2b5bf10e32777b1fcfa8417aa190755247815 (diff)
The wallet client now supports a -u option, saying to obtain Kerberos
credentials for the given user and use those for authentication rather than using an existing ticket cache.
Diffstat (limited to 'client/krb5.c')
-rw-r--r--client/krb5.c64
1 files changed, 64 insertions, 0 deletions
diff --git a/client/krb5.c b/client/krb5.c
new file mode 100644
index 0000000..606cbb9
--- /dev/null
+++ b/client/krb5.c
@@ -0,0 +1,64 @@
+/* $Id$
+**
+** Kerberos support functions for the wallet client.
+**
+** Currently, the only function here is one to obtain a ticket cache for a
+** given principal and store it in memory for use by the rest of the wallet
+** client.
+**
+** Written by Russ Allbery <rra@stanford.edu>
+** Copyright 2007, 2008 Board of Trustees, Leland Stanford Jr. University
+*/
+
+#include <config.h>
+#include <system.h>
+
+#include <krb5.h>
+
+#include <client/internal.h>
+#include <util/util.h>
+
+/* The memory cache used for wallet authentication. */
+#define CACHE_NAME "MEMORY:wallet"
+
+
+/*
+** Given a Kerberos context and a principal name, authenticate as that user
+** and store the TGT in a memory ticket cache for later use by remctl. Dies
+** on failure.
+*/
+void
+kinit(krb5_context ctx, const char *principal)
+{
+ krb5_principal princ;
+ krb5_ccache ccache;
+ krb5_creds creds;
+ krb5_get_init_creds_opt opts;
+ krb5_error_code status;
+
+ /* Obtain a TGT. */
+ status = krb5_parse_name(ctx, principal, &princ);
+ if (status != 0)
+ die_krb5(ctx, status, "invalid Kerberos principal %s", principal);
+ krb5_get_init_creds_opt_init(&opts);
+ memset(&creds, 0, sizeof(creds));
+ status = krb5_get_init_creds_password(ctx, &creds, princ, NULL,
+ krb5_prompter_posix, NULL, 0, NULL, &opts);
+ if (status != 0)
+ die_krb5(ctx, status, "authentication failed");
+
+ /* Put the new credentials into a memory cache. */
+ status = krb5_cc_resolve(ctx, CACHE_NAME, &ccache);
+ if (status != 0)
+ die_krb5(ctx, status, "cannot create cache %s", CACHE_NAME);
+ status = krb5_cc_initialize(ctx, ccache, princ);
+ if (status != 0)
+ die_krb5(ctx, status, "cannot initialize cache %s", CACHE_NAME);
+ krb5_free_principal(ctx, princ);
+ status = krb5_cc_store_cred(ctx, ccache, &creds);
+ if (status != 0)
+ die_krb5(ctx, status, "cannot store credentials");
+ krb5_cc_close(ctx, ccache);
+ if (putenv((char *) "KRB5CCNAME=" CACHE_NAME) != 0)
+ sysdie("cannot set KRB5CCNAME");
+}
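Review bot: The `creds` structure filled by krb5_get_init_creds_password on lines 67-68 is copied into the cache by krb5_cc_store_cred on line 80 but never released, so the TGT and its session key remain in the client's memory after the cache already holds them; add `krb5_free_cred_contents(ctx, &creds);` right after the store succeeds, before krb5_cc_close. The return value of krb5_cc_close on line 83 is discarded while every other Kerberos call in kinit is checked with die_krb5, so `status = krb5_cc_close(ctx, ccache); if (status != 0) die_krb5(ctx, status, "cannot close cache %s", CACHE_NAME);` would keep the error handling consistent. The stack-allocated `krb5_get_init_creds_opt opts` initialized with krb5_get_init_creds_opt_init works with this API generation, but later MIT releases deprecate it in favor of the allocated form, which is worth a one-line comment above line 58 so a future maintainer knows why the older idiom is used.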