Class: Kerberos::Krb5
- Inherits:
-
Object
- Object
- Kerberos::Krb5
- Defined in:
- ext/rkerberos/rkerberos.c
Defined Under Namespace
Classes: Context, CredentialsCache, Exception, Keytab, Principal
Constant Summary collapse
- VERSION =
The version of the custom rkerberos library
0.1.0
- ENCTYPE_NULL =
None
0
- ENCTYPE_DES_CBC_CRC =
DES cbc mode with CRC-32
1
- ENCTYPE_DES_CBC_MD4 =
DES cbc mode with RSA-MD4
2
- ENCTYPE_DES_CBC_MD5 =
DES cbc mode with RSA-MD5
3
- ENCTYPE_DES_CBC_RAW =
DES cbc mode raw
4
- ENCTYPE_DES3_CBC_SHA =
DES-3 cbc mode with NIST-SHA
5
- ENCTYPE_DES3_CBC_RAW =
DES-3 cbc mode raw
6
- ENCTYPE_DES_HMAC_SHA1 =
HMAC SHA1
8
- ENCTYPE_DSA_SHA1_CMS =
DSA with SHA1, CMS signature
9
- ENCTYPE_MD5_RSA_CMS =
MD5 with RSA, CMS signature
10
- ENCTYPE_SHA1_RSA_CMS =
SHA1 with RSA, CMS signature
11
- ENCTYPE_RC2_CBC_ENV =
RC2 cbc mode, CMS enveloped data
12
- ENCTYPE_RSA_ENV =
RSA encryption, CMS enveloped data
13
- ENCTYPE_RSA_ES_OAEP_ENV =
RSA w/OEAP encryption, CMS enveloped data
14
- ENCTYPE_DES3_CBC_ENV =
DES-3 cbc mode, CMS enveloped data
15
- ENCTYPE_DES3_CBC_SHA1 =
DES3 CBC SHA1
16
- ENCTYPE_AES128_CTS_HMAC_SHA1_96 =
AES128 CTS HMAC SHA1 96
17
- ENCTYPE_AES256_CTS_HMAC_SHA1_96 =
AES256 CTS HMAC SHA1 96
18
- ENCTYPE_ARCFOUR_HMAC =
ARCFOUR HMAC
23
- ENCTYPE_ARCFOUR_HMAC_EXP =
ARCFOUR HMAC EXP
24
- ENCTYPE_UNKNOWN =
Unknown
511
Instance Method Summary collapse
-
#change_password(old, new) ⇒ Object
Changes the password for the principal from
old
tonew
. -
#close ⇒ Object
Handles cleanup of the Krb5 object, freeing any credentials, principal or context associated with the object.
-
#get_default_principal ⇒ Object
(also: #default_principal)
Returns the default principal for the current realm based on the current credentials cache.
-
#get_default_realm ⇒ Object
(also: #default_realm)
Returns the default Kerberos realm on your system.
-
#get_init_creds_keytab(principal = nil, keytab = nil, service = nil) ⇒ Object
Acquire credentials for
principal
fromkeytab
usingservice
. -
#get_init_creds_password(user, password) ⇒ Object
Authenticates the credentials of
user
usingpassword
, and has the effect of setting the principal and context internally. -
#get_permitted_enctypes ⇒ Object
Returns a hash containing the permitted encoding types.
-
#Kerberos::Krb5.new ⇒ Object
constructor
Creates and returns a new Kerberos::Krb5 object.
-
#set_default_realm(realm = nil) ⇒ Object
Sets the default realm to
realm
.
Constructor Details
#Kerberos::Krb5.new ⇒ Object
Creates and returns a new Kerberos::Krb5 object. This initializes the context for future method calls on that object.
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
# File 'ext/rkerberos/rkerberos.c', line 56
static VALUE rkrb5_initialize(VALUE self){
RUBY_KRB5* ptr;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
kerror = krb5_init_context(&ptr->ctx);
if(kerror)
rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));
if(rb_block_given_p()){
rb_ensure(rb_yield, self, rkrb5_close, self);
return Qnil;
}
return self;
}
|
Instance Method Details
#change_password(old, new) ⇒ Object
Changes the password for the principal from old
to new
. The principal is defined as whoever the last principal was authenticated via the Krb5#get_init_creds_password method.
Attempting to change a password before a principal has been established will raise an error.
Example:
krb5.get_init_creds_password(‘foo’, ‘XXXXXX’) # Authenticate ‘foo’ user krb5.change_password(‘XXXXXX’, ‘YYYYYY’) # Change password for ‘foo’
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 |
# File 'ext/rkerberos/rkerberos.c', line 243
static VALUE rkrb5_change_password(VALUE self, VALUE v_old, VALUE v_new){
Check_Type(v_old, T_STRING);
Check_Type(v_new, T_STRING);
RUBY_KRB5* ptr;
krb5_data result_string;
krb5_data pw_result_string;
krb5_error_code kerror;
int pw_result;
char* old_passwd = StringValuePtr(v_old);
char* new_passwd = StringValuePtr(v_new);
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
if(!ptr->princ)
rb_raise(cKrb5Exception, "no principal has been established");
kerror = krb5_get_init_creds_password(
ptr->ctx,
&ptr->creds,
ptr->princ,
old_passwd,
NULL,
NULL,
0,
"kadmin/changepw",
NULL
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));
kerror = krb5_change_password(
ptr->ctx,
&ptr->creds,
new_passwd,
&pw_result,
&pw_result_string,
&result_string
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_change_password: %s", error_message(kerror));
return Qtrue;
}
|
#close ⇒ Object
Handles cleanup of the Krb5 object, freeing any credentials, principal or context associated with the object.
346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 |
# File 'ext/rkerberos/rkerberos.c', line 346
static VALUE rkrb5_close(VALUE self){
RUBY_KRB5* ptr;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(ptr->ctx)
krb5_free_cred_contents(ptr->ctx, &ptr->creds);
if(ptr->princ)
krb5_free_principal(ptr->ctx, ptr->princ);
if(ptr->ctx)
krb5_free_context(ptr->ctx);
ptr->ctx = NULL;
ptr->princ = NULL;
return Qtrue;
}
|
#get_default_principal ⇒ Object Also known as: default_principal
Returns the default principal for the current realm based on the current credentials cache.
If no credentials cache is found then an error is raised.
375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 |
# File 'ext/rkerberos/rkerberos.c', line 375
static VALUE rkrb5_get_default_principal(VALUE self){
char* princ_name;
RUBY_KRB5* ptr;
krb5_ccache ccache;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
// Get the default credentials cache
kerror = krb5_cc_default(ptr->ctx, &ccache);
if(kerror)
rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));
kerror = krb5_cc_get_principal(ptr->ctx, ccache, &ptr->princ);
if(kerror){
krb5_cc_close(ptr->ctx, ccache);
rb_raise(cKrb5Exception, "krb5_cc_get_principal: %s", error_message(kerror));
}
krb5_cc_close(ptr->ctx, ccache);
kerror = krb5_unparse_name(ptr->ctx, ptr->princ, &princ_name);
if(kerror)
rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));
return rb_str_new2(princ_name);
}
|
#get_default_realm ⇒ Object Also known as: default_realm
Returns the default Kerberos realm on your system.
81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
# File 'ext/rkerberos/rkerberos.c', line 81
static VALUE rkrb5_get_default_realm(VALUE self){
RUBY_KRB5* ptr;
char* realm;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
kerror = krb5_get_default_realm(ptr->ctx, &realm);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_default_realm: %s", error_message(kerror));
return rb_str_new2(realm);
}
|
#get_init_creds_keytab(principal = nil, keytab = nil, service = nil) ⇒ Object
Acquire credentials for principal
from keytab
using service
. If no principal is specified, then a principal is derived from the service name. If no service name is specified, kerberos defaults to “host”.
If no keytab file is provided, the default keytab file is used. This is typically /etc/krb5.keytab.
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 |
# File 'ext/rkerberos/rkerberos.c', line 139
static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
RUBY_KRB5* ptr;
VALUE v_user, v_keytab_name, v_service;
char* user;
char* service;
char keytab_name[MAX_KEYTAB_NAME_LEN];
krb5_error_code kerror;
krb5_get_init_creds_opt opt;
krb5_creds cred;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
rb_scan_args(argc, argv, "03", &v_user, &v_keytab_name, &v_service);
// We need the service information for later.
if(NIL_P(v_service)){
service = NULL;
}
else{
Check_Type(v_service, T_STRING);
service = StringValuePtr(v_service);
}
// Convert the name (or service name) to a kerberos principal.
if(NIL_P(v_user)){
kerror = krb5_sname_to_principal(
ptr->ctx,
NULL,
service,
KRB5_NT_SRV_HST,
&ptr->princ
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_sname_to_principal: %s", error_message(kerror));
}
else{
Check_Type(v_user, T_STRING);
user = StringValuePtr(v_user);
kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
if(kerror)
rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
}
// Use the default keytab if none is specified.
if(NIL_P(v_keytab_name)){
kerror = krb5_kt_default_name(ptr->ctx, keytab_name, MAX_KEYTAB_NAME_LEN);
if(kerror)
rb_raise(cKrb5Exception, "krb5_kt_default_name: %s", error_message(kerror));
}
else{
Check_Type(v_keytab_name, T_STRING);
strncpy(keytab_name, StringValuePtr(v_keytab_name), MAX_KEYTAB_NAME_LEN);
}
kerror = krb5_kt_resolve(
ptr->ctx,
keytab_name,
&ptr->keytab
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_kt_resolve: %s", error_message(kerror));
krb5_get_init_creds_opt_init(&opt);
kerror = krb5_get_init_creds_keytab(
ptr->ctx,
&cred,
ptr->princ,
ptr->keytab,
0,
service,
&opt
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_init_creds_keytab: %s", error_message(kerror));
return self;
}
|
#get_init_creds_password(user, password) ⇒ Object
Authenticates the credentials of user
using password
, and has the effect of setting the principal and context internally. This method must typically be called before using other methods.
302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 |
# File 'ext/rkerberos/rkerberos.c', line 302
static VALUE rkrb5_get_init_creds_passwd(VALUE self, VALUE v_user, VALUE v_pass){
Check_Type(v_user, T_STRING);
Check_Type(v_pass, T_STRING);
RUBY_KRB5* ptr;
char* user = StringValuePtr(v_user);
char* pass = StringValuePtr(v_pass);
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ);
if(kerror)
rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
kerror = krb5_get_init_creds_password(
ptr->ctx,
&ptr->creds,
ptr->princ,
pass,
0,
NULL,
0,
NULL,
NULL
);
if(kerror)
rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));
return Qtrue;
}
|
#get_permitted_enctypes ⇒ Object
Returns a hash containing the permitted encoding types. The key is the numeric constant, with a string description as its value.
Example:
krb.get_permitted_enctypes
# Results:
{
1 => "DES cbc mode with CRC-32",
2 => "DES cbc mode with RSA-MD4",
3 => "DES cbc mode with RSA-MD5"}
16 => "Triple DES cbc mode with HMAC/sha1",
17 => "AES-128 CTS mode with 96-bit SHA-1 HMAC",
18 => "AES-256 CTS mode with 96-bit SHA-1 HMAC",
23 => "ArcFour with HMAC/md5"
}
431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 |
# File 'ext/rkerberos/rkerberos.c', line 431
static VALUE rkrb5_get_permitted_enctypes(VALUE self){
RUBY_KRB5* ptr;
VALUE v_enctypes;
krb5_enctype* ktypes;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
if(!ptr->ctx)
rb_raise(cKrb5Exception, "no context has been established");
kerror = krb5_get_permitted_enctypes(ptr->ctx, &ktypes);
if(kerror){
rb_raise(cKrb5Exception, "krb5_get_permitted_types: %s", error_message(kerror));
}
else{
int i;
char encoding[128];
v_enctypes = rb_hash_new();
for(i = 0; ktypes[i]; i++){
if(krb5_enctype_to_string(ktypes[i], encoding, 128)){
rb_raise(cKrb5Exception, "krb5_enctype_to_string: %s", error_message(kerror));
}
rb_hash_aset(v_enctypes, INT2FIX(ktypes[i]), rb_str_new2(encoding));
}
}
return v_enctypes;
}
|
#set_default_realm(realm = nil) ⇒ Object
Sets the default realm to realm
. If no argument is provided, then the default realm in your krb5.conf file is used.
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
# File 'ext/rkerberos/rkerberos.c', line 103
static VALUE rkrb5_set_default_realm(int argc, VALUE* argv, VALUE self){
RUBY_KRB5* ptr;
VALUE v_realm;
char* realm;
krb5_error_code kerror;
Data_Get_Struct(self, RUBY_KRB5, ptr);
rb_scan_args(argc, argv, "01", &v_realm);
if(NIL_P(v_realm)){
realm = NULL;
}
else{
Check_Type(v_realm, T_STRING);
realm = StringValuePtr(v_realm);
}
kerror = krb5_set_default_realm(ptr->ctx, realm);
if(kerror)
rb_raise(cKrb5Exception, "krb5_set_default_realm: %s", error_message(kerror));
return self;
}
|