Class: Kerberos::Krb5

Inherits:

Object

• Object
• Kerberos::Krb5

Defined in:

ext/rkerberos/rkerberos.c

Defined Under Namespace

Classes: Context, CredentialsCache, Exception, Keytab, Principal

Constant Summary

VERSION =

The version of the custom rkerberos library

0.1.0

ENCTYPE_NULL =

None

0

ENCTYPE_DES_CBC_CRC =

DES cbc mode with CRC-32

1

ENCTYPE_DES_CBC_MD4 =

DES cbc mode with RSA-MD4

2

ENCTYPE_DES_CBC_MD5 =

DES cbc mode with RSA-MD5

3

ENCTYPE_DES_CBC_RAW =

DES cbc mode raw

4

ENCTYPE_DES3_CBC_SHA =

DES-3 cbc mode with NIST-SHA

5

ENCTYPE_DES3_CBC_RAW =

DES-3 cbc mode raw

6

ENCTYPE_DES_HMAC_SHA1 =

HMAC SHA1

8

ENCTYPE_DSA_SHA1_CMS =

DSA with SHA1, CMS signature

9

ENCTYPE_MD5_RSA_CMS =

MD5 with RSA, CMS signature

10

ENCTYPE_SHA1_RSA_CMS =

SHA1 with RSA, CMS signature

11

ENCTYPE_RC2_CBC_ENV =

RC2 cbc mode, CMS enveloped data

12

ENCTYPE_RSA_ENV =

RSA encryption, CMS enveloped data

13

ENCTYPE_RSA_ES_OAEP_ENV =

RSA w/OEAP encryption, CMS enveloped data

14

ENCTYPE_DES3_CBC_ENV =

DES-3 cbc mode, CMS enveloped data

15

ENCTYPE_DES3_CBC_SHA1 =

DES3 CBC SHA1

16

ENCTYPE_AES128_CTS_HMAC_SHA1_96 =

AES128 CTS HMAC SHA1 96

17

ENCTYPE_AES256_CTS_HMAC_SHA1_96 =

AES256 CTS HMAC SHA1 96

18

ENCTYPE_ARCFOUR_HMAC =

ARCFOUR HMAC

23

ENCTYPE_ARCFOUR_HMAC_EXP =

ARCFOUR HMAC EXP

24

ENCTYPE_UNKNOWN =

Unknown

511

Instance Method Summary

• #change_password(old, new) ⇒ Object

  Changes the password for the principal from old to new.

• #close ⇒ Object

  Handles cleanup of the Krb5 object, freeing any credentials, principal or context associated with the object.

• #get_default_principal ⇒ Object (also: #default_principal)

  Returns the default principal for the current realm based on the current credentials cache.

• #get_default_realm ⇒ Object (also: #default_realm)

  Returns the default Kerberos realm on your system.

• #get_init_creds_keytab(principal = nil, keytab = nil, service = nil, ccache = nil) ⇒ Object

  Acquire credentials for principal from keytab using service.

• #get_init_creds_password(user, password, service = nil) ⇒ Object

  Authenticates the credentials of user using password against service, and has the effect of setting the principal and context internally.

• #get_permitted_enctypes ⇒ Object

  Returns a hash containing the permitted encoding types.

• #Kerberos::Krb5.new ⇒ Object constructor

  Creates and returns a new Kerberos::Krb5 object.

• #set_default_realm(realm = nil) ⇒ Object

  Sets the default realm to realm.

Constructor Details

#Kerberos::Krb5.new ⇒ Object

Creates and returns a new Kerberos::Krb5 object. This initializes the context for future method calls on that object.

# File 'ext/rkerberos/rkerberos.c', line 56

static VALUE rkrb5_initialize(VALUE self){
  RUBY_KRB5* ptr;
  krb5_error_code kerror;

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  kerror = krb5_init_context(&ptr->ctx); 

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_init_context: %s", error_message(kerror));

  if(rb_block_given_p()){
    rb_ensure(rb_yield, self, rkrb5_close, self);
    return Qnil;
  }

  return self;
}

Instance Method Details

#change_password(old, new) ⇒ Object

Changes the password for the principal from old to new. The principal is defined as whoever the last principal was authenticated via the Krb5#get_init_creds_password method.

Attempting to change a password before a principal has been established will raise an error.

Example:

krb5.get_init_creds_password(‘foo’, ‘XXXXXX’) # Authenticate ‘foo’ user krb5.change_password(‘XXXXXX’, ‘YYYYYY’) # Change password for ‘foo’

# File 'ext/rkerberos/rkerberos.c', line 272

static VALUE rkrb5_change_password(VALUE self, VALUE v_old, VALUE v_new){

  RUBY_KRB5* ptr;
  krb5_data result_string;
  krb5_data pw_result_string;
  krb5_error_code kerror;
  char *old_passwd;
  char *new_passwd;

  int pw_result;

  Check_Type(v_old, T_STRING);
  Check_Type(v_new, T_STRING);

  old_passwd = StringValueCStr(v_old);
  new_passwd = StringValueCStr(v_new);

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  if(!ptr->ctx)
    rb_raise(cKrb5Exception, "no context has been established"); 

  if(!ptr->princ)
    rb_raise(cKrb5Exception, "no principal has been established"); 

  kerror = krb5_get_init_creds_password(
    ptr->ctx,
    &ptr->creds,
    ptr->princ,
    old_passwd,
    NULL,
    NULL,
    0,
    "kadmin/changepw",
    NULL
  );

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));

  kerror = krb5_change_password(
    ptr->ctx,
    &ptr->creds,
    new_passwd,
    &pw_result,
    &pw_result_string,
    &result_string
  );

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_change_password: %s", error_message(kerror));

  return Qtrue;
}

#close ⇒ Object

Handles cleanup of the Krb5 object, freeing any credentials, principal or context associated with the object.

# File 'ext/rkerberos/rkerberos.c', line 393

static VALUE rkrb5_close(VALUE self){
  RUBY_KRB5* ptr;

  Data_Get_Struct(self, RUBY_KRB5, ptr);

  if(ptr->ctx)
    krb5_free_cred_contents(ptr->ctx, &ptr->creds);

  if(ptr->princ)
    krb5_free_principal(ptr->ctx, ptr->princ);

  if(ptr->ctx)
    krb5_free_context(ptr->ctx);

  ptr->ctx = NULL;
  ptr->princ = NULL;

  return Qtrue;
}

#get_default_principal ⇒ Object Also known as: default_principal

Returns the default principal for the current realm based on the current credentials cache.

If no credentials cache is found then an error is raised.

# File 'ext/rkerberos/rkerberos.c', line 422

static VALUE rkrb5_get_default_principal(VALUE self){
  char* princ_name;
  RUBY_KRB5* ptr;
  krb5_ccache ccache;  
  krb5_error_code kerror;

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  if(!ptr->ctx)
    rb_raise(cKrb5Exception, "no context has been established");

  // Get the default credentials cache
  kerror = krb5_cc_default(ptr->ctx, &ccache);

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));

  kerror = krb5_cc_get_principal(ptr->ctx, ccache, &ptr->princ);

  if(kerror){
    krb5_cc_close(ptr->ctx, ccache);
    rb_raise(cKrb5Exception, "krb5_cc_get_principal: %s", error_message(kerror));
  }

  krb5_cc_close(ptr->ctx, ccache);

  kerror = krb5_unparse_name(ptr->ctx, ptr->princ, &princ_name);

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_cc_default: %s", error_message(kerror));

  return rb_str_new2(princ_name);
}

#get_default_realm ⇒ Object Also known as: default_realm

Returns the default Kerberos realm on your system.

# File 'ext/rkerberos/rkerberos.c', line 81

static VALUE rkrb5_get_default_realm(VALUE self){
  RUBY_KRB5* ptr;
  char* realm;
  krb5_error_code kerror;

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  kerror = krb5_get_default_realm(ptr->ctx, &realm);

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_get_default_realm: %s", error_message(kerror));

  return rb_str_new2(realm);
}

#get_init_creds_keytab(principal = nil, keytab = nil, service = nil, ccache = nil) ⇒ Object

Acquire credentials for principal from keytab using service. If no principal is specified, then a principal is derived from the service name. If no service name is specified, kerberos defaults to “host”.

If no keytab file is provided, the default keytab file is used. This is typically /etc/krb5.keytab.

If ccache is supplied and is a Kerberos::Krb5::CredentialsCache, the resulting credentials will be stored in the credential cache.

# File 'ext/rkerberos/rkerberos.c', line 142

static VALUE rkrb5_get_init_creds_keytab(int argc, VALUE* argv, VALUE self){
  RUBY_KRB5* ptr;
  VALUE v_user, v_keytab_name, v_service, v_ccache;
  char* user;
  char* service;
  char keytab_name[MAX_KEYTAB_NAME_LEN];

  krb5_error_code kerror;
  krb5_get_init_creds_opt* opt;
  krb5_creds cred;

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  if(!ptr->ctx)
    rb_raise(cKrb5Exception, "no context has been established");

  kerror = krb5_get_init_creds_opt_alloc(ptr->ctx, &opt);
  if(kerror)
    rb_raise(cKrb5Exception, "krb5_get_init_creds_opt_alloc: %s", error_message(kerror));

  rb_scan_args(argc, argv, "04", &v_user, &v_keytab_name, &v_service, &v_ccache);

  // We need the service information for later.
  if(NIL_P(v_service)){
    service = NULL;
  }
  else{
    Check_Type(v_service, T_STRING);
    service = StringValueCStr(v_service);
  }

  // Convert the name (or service name) to a kerberos principal.
  if(NIL_P(v_user)){
    kerror = krb5_sname_to_principal(
      ptr->ctx,
      NULL,
      service,
      KRB5_NT_SRV_HST,
      &ptr->princ
    );

    if(kerror) {
      krb5_get_init_creds_opt_free(ptr->ctx, opt);
      rb_raise(cKrb5Exception, "krb5_sname_to_principal: %s", error_message(kerror));
    }
  }
  else{
    Check_Type(v_user, T_STRING);
    user = StringValueCStr(v_user);

    kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ); 

    if(kerror) {
      krb5_get_init_creds_opt_free(ptr->ctx, opt);
      rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));
    }
  }

  // Use the default keytab if none is specified.
  if(NIL_P(v_keytab_name)){
    kerror = krb5_kt_default_name(ptr->ctx, keytab_name, MAX_KEYTAB_NAME_LEN);

    if(kerror) {
      krb5_get_init_creds_opt_free(ptr->ctx, opt);
      rb_raise(cKrb5Exception, "krb5_kt_default_name: %s", error_message(kerror));
    }
  }
  else{
    Check_Type(v_keytab_name, T_STRING);
    strncpy(keytab_name, StringValueCStr(v_keytab_name), MAX_KEYTAB_NAME_LEN);
  }

  kerror = krb5_kt_resolve(
    ptr->ctx,
    keytab_name,
    &ptr->keytab
  );

  if(kerror) {
    krb5_get_init_creds_opt_free(ptr->ctx, opt);
    rb_raise(cKrb5Exception, "krb5_kt_resolve: %s", error_message(kerror));
  }

  // Set the credential cache from the supplied Kerberos::Krb5::CredentialsCache
  if(!NIL_P(v_ccache)){
    RUBY_KRB5_CCACHE* ccptr;
    Data_Get_Struct(v_ccache, RUBY_KRB5_CCACHE, ccptr);

    kerror = krb5_get_init_creds_opt_set_out_ccache(ptr->ctx, opt, ccptr->ccache);
    if(kerror) {
      krb5_get_init_creds_opt_free(ptr->ctx, opt);
      rb_raise(cKrb5Exception, "krb5_get_init_creds_opt_set_out_ccache: %s", error_message(kerror));
    }
  }

  kerror = krb5_get_init_creds_keytab(
    ptr->ctx,
    &cred,
    ptr->princ,
    ptr->keytab,
    0,
    service,
    opt
  );

  if(kerror) {
    krb5_get_init_creds_opt_free(ptr->ctx, opt);
    rb_raise(cKrb5Exception, "krb5_get_init_creds_keytab: %s", error_message(kerror));
  }

  krb5_get_init_creds_opt_free(ptr->ctx, opt);

  return self; 
}

#get_init_creds_password(user, password, service = nil) ⇒ Object

Authenticates the credentials of user using password against service, and has the effect of setting the principal and context internally. This method must typically be called before using other methods.

# File 'ext/rkerberos/rkerberos.c', line 335

static VALUE rkrb5_get_init_creds_passwd(int argc, VALUE* argv, VALUE self){
  RUBY_KRB5* ptr;
  VALUE v_user, v_pass, v_service;
  char* user;
  char* pass;
  char* service;
  krb5_error_code kerror;

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  if(!ptr->ctx)
    rb_raise(cKrb5Exception, "no context has been established");

  rb_scan_args(argc, argv, "21", &v_user, &v_pass, &v_service);

  Check_Type(v_user, T_STRING);
  Check_Type(v_pass, T_STRING);
  user = StringValueCStr(v_user);
  pass = StringValueCStr(v_pass);

  if(NIL_P(v_service)){
    service = NULL;
  }
  else{
    Check_Type(v_service, T_STRING);
    service = StringValueCStr(v_service);
  }

  kerror = krb5_parse_name(ptr->ctx, user, &ptr->princ); 

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_parse_name: %s", error_message(kerror));

  kerror = krb5_get_init_creds_password(
    ptr->ctx,
    &ptr->creds,
    ptr->princ,
    pass,
    0,
    NULL,
    0,
    service,
    NULL
  );

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_get_init_creds_password: %s", error_message(kerror));

  return Qtrue;
}

#get_permitted_enctypes ⇒ Object

Returns a hash containing the permitted encoding types. The key is the numeric constant, with a string description as its value.

Example:

krb.get_permitted_enctypes

# Results:
{
   1  => "DES cbc mode with CRC-32",
   2  => "DES cbc mode with RSA-MD4",
   3  => "DES cbc mode with RSA-MD5"}
   16 => "Triple DES cbc mode with HMAC/sha1",
   17 => "AES-128 CTS mode with 96-bit SHA-1 HMAC",
   18 => "AES-256 CTS mode with 96-bit SHA-1 HMAC",
   23 => "ArcFour with HMAC/md5"
}

# File 'ext/rkerberos/rkerberos.c', line 478

static VALUE rkrb5_get_permitted_enctypes(VALUE self){
  RUBY_KRB5* ptr;
  VALUE v_enctypes;
  krb5_enctype* ktypes;
  krb5_error_code kerror;

  Data_Get_Struct(self, RUBY_KRB5, ptr);

  if(!ptr->ctx)
    rb_raise(cKrb5Exception, "no context has been established");

  kerror = krb5_get_permitted_enctypes(ptr->ctx, &ktypes);

  if(kerror){
    rb_raise(cKrb5Exception, "krb5_get_permitted_types: %s", error_message(kerror));
  }
  else{
    int i;
    char encoding[128];
    v_enctypes = rb_hash_new();

    for(i = 0; ktypes[i]; i++){
      if(krb5_enctype_to_string(ktypes[i], encoding, 128)){
        rb_raise(cKrb5Exception, "krb5_enctype_to_string: %s", error_message(kerror));
      }
      rb_hash_aset(v_enctypes, INT2FIX(ktypes[i]), rb_str_new2(encoding));
    }
  }

  return v_enctypes;
}

#set_default_realm(realm = nil) ⇒ Object

Sets the default realm to realm. If no argument is provided, then the default realm in your krb5.conf file is used.

# File 'ext/rkerberos/rkerberos.c', line 103

static VALUE rkrb5_set_default_realm(int argc, VALUE* argv, VALUE self){
  RUBY_KRB5* ptr;
  VALUE v_realm;
  char* realm;
  krb5_error_code kerror;

  Data_Get_Struct(self, RUBY_KRB5, ptr); 

  rb_scan_args(argc, argv, "01", &v_realm); 

  if(NIL_P(v_realm)){
    realm = NULL;
  }
  else{
    Check_Type(v_realm, T_STRING);
    realm = StringValueCStr(v_realm);
  }

  kerror = krb5_set_default_realm(ptr->ctx, realm);

  if(kerror)
    rb_raise(cKrb5Exception, "krb5_set_default_realm: %s", error_message(kerror));

  return self;
}