| author | Sam Hartman <hartmans@mit.edu> | 2010-09-27 17:16:41 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2010-09-27 17:16:41 +0000 |
| commit | ada3888720a105825b91c4f6aee68ce66489264d | |
| tree | bf6fa81e93daf29fa021df02da0fa9dc48ec2d9e /src/lib | |
| parent | 312b5a3b38c6df9b55fc1c3ac58abe8f9f590cea | |
kpasswd: if a credential cache is present, use FAST
If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.
* krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string
* kpasswd: always open the current credential cache even if not needed for determining the principal. If the cache has tickets, use it as an armor cache.
* tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path
ticket: 6786
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/lib/krb5/krb/gic_opt.c | 23 |
| -rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 |

2 files changed, 24 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c index 36f4f00a1f..dc7095bdc3 100644 --- a/src/lib/krb5/krb/gic_opt.c +++ b/src/lib/krb5/krb/gic_opt.c @@ -1,6 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ #include "k5-int.h" #include "int-proto.h" +#include "k5-buf.h" static void init_common(krb5_get_init_creds_opt *opt) @@ -431,6 +432,28 @@ krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, } krb5_error_code KRB5_CALLCONV +krb5_get_init_creds_opt_set_fast_ccache( + krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_ccache ccache) +{ + krb5_error_code retval = 0; + struct k5buf buf; + char *cc_name; + krb5int_buf_init_dynamic(&buf); + krb5int_buf_add(&buf, krb5_cc_get_type(context, ccache)); + krb5int_buf_add(&buf, ":"); + krb5int_buf_add(&buf, krb5_cc_get_name(context, ccache)); + cc_name = krb5int_buf_data(&buf); + if (cc_name) + retval = krb5_get_init_creds_opt_set_fast_ccache_name(context, opt, cc_name); + else retval = ENOMEM; + krb5int_free_buf(&buf); + return retval; +} + + +krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_out_ccache(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache) diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 413339b2a2..b64a7dd0ed 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -352,6 +352,7 @@ krb5_get_init_creds_opt_set_canonicalize krb5_get_init_creds_opt_set_change_password_prompt krb5_get_init_creds_opt_set_etype_list krb5_get_init_creds_opt_set_expire_callback +krb5_get_init_creds_opt_set_fast_ccache krb5_get_init_creds_opt_set_fast_ccache_name krb5_get_init_creds_opt_set_fast_flags krb5_get_init_creds_opt_set_forwardable |
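Review bot: in the gic_opt.c hunk, krb5_get_init_creds_opt_set_fast_ccache does not retain the caller's krb5_ccache handle; it only stores the "type:name" string it builds from krb5_cc_get_type and krb5_cc_get_name and hands that to krb5_get_init_creds_opt_set_fast_ccache_name, so the armor cache is re-resolved by name later when the initial-credentials request is built. That is fine for caches that resolve by name in any process, but the cache must still exist and hold the same tickets at that point, and a MEMORY cache that the caller closes before calling krb5_get_init_creds_* will no longer resolve. Since the exports hunk makes this a public function, that contract belongs in a doc comment above it; the function currently has none. The ENOMEM path is correct because krb5int_buf_data returns NULL if any of the preceding krb5int_buf_add calls failed, and krb5int_free_buf is reached on both paths. Two style points: `else retval = ENOMEM;` should be split across two lines to match the `if (cc_name)` branch and the rest of the file, and the `retval = krb5_get_init_creds_opt_set_fast_ccache_name(context, opt, cc_name);` line is long enough to wrap.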
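Review bot: the libkrb5.exports hunk places krb5_get_init_creds_opt_set_fast_ccache in alphabetical order directly ahead of krb5_get_init_creds_opt_set_fast_ccache_name, which is correct. Because this view is limited to src/lib, the public prototype and its documentation are not visible here; please confirm that the declaration in the public header (and any other export list the build uses) is part of the same commit, since the exports file alone does not make the symbol usable by callers.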
