Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_auth.c21
-rw-r--r--src/providers/krb5/krb5_child.c29
-rw-r--r--src/providers/krb5/krb5_common.h7
3 files changed, 57 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 9dc7a2c9..974e7684 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -39,6 +39,9 @@
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
+#define TIME_T_MAX LONG_MAX
+#define int64_to_time_t(val) ((time_t)((val) < TIME_T_MAX ? val : TIME_T_MAX))
+
static errno_t safe_remove_old_ccache_file(const char *old_ccache_file,
const char *new_ccache_file)
{
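Review bot: The `int64_to_time_t` macro clamps only the upper bound and leaves `val` unparenthesized in the result arm, so a minimal fix is `#define int64_to_time_t(val) ((time_t)((val) < TIME_T_MAX ? (val) : TIME_T_MAX))`. `#define TIME_T_MAX LONG_MAX` assumes `time_t` is a `long`, which nothing in the hunk establishes, and it needs `<limits.h>`, whose include is not visible here. Where `time_t` is narrower than 64 bits, a large negative value from the child would still be truncated by the cast. A `static inline time_t int64_to_time_t(int64_t val)` that clamps both ends would also avoid evaluating the argument twice.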
@@ -688,6 +691,10 @@ static void krb5_child_done(struct tevent_req *subreq)
int32_t msg_status;
int32_t msg_type;
int32_t msg_len;
+ int64_t time_data;
+ struct tgt_times tgtt;
+
+ memset(&tgtt, 0, sizeof(tgtt));
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -751,6 +758,20 @@ static void krb5_child_done(struct tevent_req *subreq)
}
}
+ if (msg_type == SSS_KRB5_INFO_TGT_LIFETIME &&
+ msg_len == 4*sizeof(int64_t)) {
+ SAFEALIGN_COPY_INT64(&time_data, buf+p, NULL);
+ tgtt.authtime = int64_to_time_t(time_data);
+ SAFEALIGN_COPY_INT64(&time_data, buf+p+sizeof(int64_t), NULL);
+ tgtt.starttime = int64_to_time_t(time_data);
+ SAFEALIGN_COPY_INT64(&time_data, buf+p+2*sizeof(int64_t), NULL);
+ tgtt.endtime = int64_to_time_t(time_data);
+ SAFEALIGN_COPY_INT64(&time_data, buf+p+3*sizeof(int64_t), NULL);
+ tgtt.renew_till = int64_to_time_t(time_data);
+ DEBUG(7, ("TGT times are [%d][%d][%d][%d].\n", tgtt.authtime,
+ tgtt.starttime, tgtt.endtime, tgtt.renew_till));
+ }
+
ret = pam_add_response(pd, msg_type, msg_len, &buf[p]);
if (ret != EOK) {
/* This is not a fatal error */
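Review bot: The `DEBUG` call prints four `time_t` values with `%d`, a format/argument mismatch wherever `time_t` is wider than `int`; use `"TGT times are [%lld][%lld][%lld][%lld].\n"` with each argument cast, e.g. `(long long) tgtt.authtime`. The four `SAFEALIGN_COPY_INT64` reads at `buf+p` rely on `msg_len`; any check of `p + msg_len` against `len` lies before this hunk and is not visible, so it is worth confirming given that the buffer comes from the child process. A message of type `SSS_KRB5_INFO_TGT_LIFETIME` with any other length is skipped silently, and a debug line for that case would make a protocol mismatch visible. The body of `krb5_child_done` continues outside the hunk.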
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index f29869bc..c12478f1 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -456,6 +456,25 @@ static errno_t sendresponse(int fd, krb5_error_code kerr, int pam_status,
return EOK;
}
+static errno_t add_ticket_times_to_response(struct krb5_req *kr)
+{
+ int ret;
+ int64_t t[4];
+
+ t[0] = (int64_t) kr->creds->times.authtime;
+ t[1] = (int64_t) kr->creds->times.starttime;
+ t[2] = (int64_t) kr->creds->times.endtime;
+ t[3] = (int64_t) kr->creds->times.renew_till;
+
+ ret = pam_add_response(kr->pd, SSS_KRB5_INFO_TGT_LIFETIME,
+ 4*sizeof(int64_t), (uint8_t *) t);
+ if (ret != EOK) {
+ DEBUG(1, ("pack_response_packet failed.\n"));
+ }
+
+ return ret;
+}
+
static krb5_error_code validate_tgt(struct krb5_req *kr)
{
krb5_error_code kerr;
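Review bot: The failure message in `add_ticket_times_to_response` names `pack_response_packet`, but the call that failed is `pam_add_response`; change it to `DEBUG(1, ("pam_add_response failed.\n"));` so the log points at the right function. `kr->creds` is dereferenced without a check, and whether every caller guarantees it is set cannot be seen from this hunk. A short comment above the function should state that the payload is four host-order `int64_t` values in the order authtime, starttime, endtime, renew_till, since the parent in krb5_auth.c decodes them by fixed offset.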
@@ -595,6 +614,11 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
goto done;
}
+ ret = add_ticket_times_to_response(kr);
+ if (ret != EOK) {
+ DEBUG(1, ("add_ticket_times_to_response failed.\n"));
+ }
+
kerr = 0;
done:
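Review bot: The result of `add_ticket_times_to_response` is logged and then dropped, with `kerr = 0` following unconditionally; if that is intended, say so in the code, e.g. `/* Not fatal: the TGT is valid even if its lifetime cannot be reported to the parent. */`. The helper already logs at level 1 on failure, so the second message at the same level adds little. The same applies to the identical call in the `renew_tgt_child` hunk. Both function bodies continue outside their hunks.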
@@ -941,6 +965,11 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
goto done;
}
+ ret = add_ticket_times_to_response(kr);
+ if (ret != EOK) {
+ DEBUG(1, ("add_ticket_times_to_response failed.\n"));
+ }
+
status = PAM_SUCCESS;
done:
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 01d2dbfc..68e4426a 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -62,6 +62,13 @@ enum krb5_opts {
typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
+struct tgt_times {
+ time_t authtime;
+ time_t starttime;
+ time_t endtime;
+ time_t renew_till;
+};
+
struct krb5_service {
char *name;
char *address;