/*
- * Copyright (c) 1999-2005, 2007-2008, 2010-2011
+ * Copyright (c) 1999-2005, 2007-2008, 2010-2012
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
} sudo_krb5_data = { NULL, NULL, NULL };
typedef struct _sudo_krb5_data *sudo_krb5_datap;
+#ifdef SUDO_KRB5_INSTANCE
+static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
+#else
+static const char *sudo_krb5_instance = NULL;
+#endif
+
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
static krb5_error_code
krb5_get_init_creds_opt_alloc(krb5_context context,
#endif
int
-kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
+sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
{
static char *krb5_prompt;
+ debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
if (krb5_prompt == NULL) {
krb5_context sudo_context;
log_error(NO_EXIT|NO_MAIL,
_("%s: unable to unparse princ ('%s'): %s"), auth->name,
pw->pw_name, error_message(error));
- return AUTH_FAILURE;
+ debug_return_int(AUTH_FAILURE);
}
/* Only rewrite prompt if user didn't specify their own. */
}
*promptp = krb5_prompt;
- return AUTH_SUCCESS;
+ debug_return_int(AUTH_SUCCESS);
}
int
-kerb5_init(struct passwd *pw, sudo_auth *auth)
+sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
{
krb5_context sudo_context;
- krb5_ccache ccache;
- krb5_principal princ;
krb5_error_code error;
- char cache_name[64];
+ char cache_name[64], *pname = pw->pw_name;
+ debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
+ if (sudo_krb5_instance != NULL) {
+ easprintf(&pname, "%s%s%s", pw->pw_name,
+ sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
+ }
+
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
#else
error = krb5_init_context(&(sudo_krb5_data.sudo_context));
#endif
if (error)
- return AUTH_FAILURE;
+ goto done;
sudo_context = sudo_krb5_data.sudo_context;
- if ((error = krb5_parse_name(sudo_context, pw->pw_name,
- &(sudo_krb5_data.princ)))) {
+ error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
+ if (error) {
log_error(NO_EXIT|NO_MAIL,
- _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
+ _("%s: unable to parse '%s': %s"), auth->name, pname,
error_message(error));
- return AUTH_FAILURE;
+ goto done;
}
- princ = sudo_krb5_data.princ;
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
(long) getpid());
log_error(NO_EXIT|NO_MAIL,
_("%s: unable to resolve ccache: %s"), auth->name,
error_message(error));
- return AUTH_FAILURE;
+ goto done;
}
- ccache = sudo_krb5_data.ccache;
- return AUTH_SUCCESS;
+done:
+ if (sudo_krb5_instance != NULL)
+ efree(pname);
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
}
#ifdef HAVE_KRB5_VERIFY_USER
int
-kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
+sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
krb5_error_code error;
+ debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
ccache = ((sudo_krb5_datap) auth->data)->ccache;
error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
- return error ? AUTH_FAILURE : AUTH_SUCCESS;
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
}
#else
int
-kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
+sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
krb5_error_code error;
krb5_get_init_creds_opt *opts = NULL;
+ debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
}
if (creds)
krb5_free_cred_contents(sudo_context, creds);
- return error ? AUTH_FAILURE : AUTH_SUCCESS;
+ debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
}
#endif
int
-kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
+sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth)
{
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
+ debug_decl(sudo_krb5_cleanup, SUDO_DEBUG_AUTH)
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
krb5_free_context(sudo_context);
}
- return AUTH_SUCCESS;
+ debug_return_int(AUTH_SUCCESS);
}
#ifndef HAVE_KRB5_VERIFY_USER
krb5_error_code error;
krb5_principal server;
krb5_verify_init_creds_opt vopt;
+ debug_decl(verify_krb_v5_tgt, SUDO_DEBUG_AUTH)
/*
* Get the server principal for the local host.
log_error(NO_EXIT|NO_MAIL,
_("%s: unable to get host principal: %s"), auth_name,
error_message(error));
- return -1;
+ debug_return_int(-1);
}
/* Initialize verify opts and set secure mode */
log_error(NO_EXIT|NO_MAIL,
_("%s: Cannot verify TGT! Possible attack!: %s"),
auth_name, error_message(error));
- return error;
+ debug_return_int(error);
}
#endif