WebAuth::Krb5(3pm) | User Contributed Perl Documentation | WebAuth::Krb5(3pm) |
WebAuth::Krb5 - WebAuth context for Kerberos calls
    use WebAuth qw(:const);
    use WebAuth::Krb5;

    my $wa = WebAuth->new;
    eval {
        my $krb5 = WebAuth::Krb5->new ($wa);
        # $path is the path to a keytab readable by this process.
        $krb5->init_via_keytab ($path);
        print $krb5->get_principal (WA_KRB5_CANON_LOCAL);
    };
    if ($@) {
        # ... handle exception ...
    }
This Perl object represents a WebAuth Kerberos context. The context is used to make all Kerberos-related calls and can also hold a Kerberos identity and its corresponding ticket cache. A context is normally initialized with credentials from a username and password, a keytab, an existing ticket cache, or an exported credential.
As with WebAuth module functions, failures are signaled by throwing WebAuth::Exception rather than by return status.
By default, the kpasswd protocol is used to do the password change. This behavior can be modified using the optional ARGS argument which, if present, should be a reference to a hash with one or more of the following keys:
If this principal disallows TGS-REQ authentications, credentials for this principal must already be present in the WebAuth::Krb5 object before making this call since they cannot be retrieved from the KDC without additional authentication credentials.
An example of doing a password change via the remctl protocol, using "kadmin/changepw" as the service principal and taking the other options from global configuration, with a ten-second timeout:
    my $wa = WebAuth->new;
    my $krb5 = WebAuth::Krb5->new ($wa);
    $krb5->init_via_password ('user', 'password', 'kadmin/changepw');
    my $args = {
        protocol   => 'remctl',
        host       => $PASSWORD_CHANGE_SERVER,
        port       => $PASSWORD_CHANGE_PORT,
        identity   => 'kadmin/changepw',
        command    => $PASSWORD_CHANGE_COMMAND,
        subcommand => $PASSWORD_CHANGE_SUBCOMMAND,
        timeout    => 10,
    };
    $krb5->change_password ('new-password', $args);
For the "remctl" protocol, the server must expose a command and subcommand that takes a single argument, the new password, and changes the password of the authenticated user.
If WA_KRB5_CANON_LOCAL is specified but krb5_aname_to_localname returns an error, the fully-qualified principal will be returned.
If CANON is not specified, WA_KRB5_CANON_NONE is the default behavior.
PRINC specifies the principal for which to get tickets. If it is not specified, the first principal found in KEYTAB will be used.
If SPRINC is given, it specifies the principal in KEYTAB to use for the validation. If it is not specified, undef, or the empty string, the first principal found in KEYTAB will be used.
If PRINC is given and defined, obtain credentials for that principal rather than a TGT. This is normally used to get a context with a "kadmin/changepw" service ticket to use to change the user's password. If this is specified, the validity of the acquired credentials will not be verified.
If KEYTAB is not given, the validity of the returned tickets is not verified. This should only be done when obtaining "kadmin/changepw" service tickets to change a password. Skipping the validation step in any other situation opens one up to KDC impersonation attacks.
Returns the server principal used to verify the TGT if KEYTAB is given and PRINC is not given. Otherwise, returns undef.
In a scalar context, returns the authenticator as binary data. In a list context, when DATA is given, returns a two-element list consisting of the authenticator and the encrypted DATA.
The returned client principal is canonicalized following the rule specified in CANON, following the same rules as in get_principal(). If CANON is not specified, WA_KRB5_CANON_NONE is the default behavior.
If EDATA is provided, it is decrypted with krb5_rd_priv, and the return value in a list context will be a two-element list containing the principal and the decrypted data.
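A round trip through both sides of the authenticator exchange described above, added here as an example and not part of this man page or of WebAuth itself. The keytab path and service principal are placeholders, the argument orders of init_via_password and rd_req follow the parameter names used on this page (USERNAME, PASSWORD, PRINC, KEYTAB and REQ, KEYTAB, SPRINC, CANON, EDATA), and it is assumed that the server-side context needs no credentials of its own before calling rd_req.

```perl
use strict;
use warnings;
use WebAuth qw(:const);
use WebAuth::Krb5;

# Placeholders (constructed for this example): a keytab holding the
# service key and the service principal stored in it.
my $keytab  = '/path/to/service.keytab';
my $service = 'service/host.example.com';

my $wa = WebAuth->new;

# Client side: obtain a TGT from username and password. Passing KEYTAB
# (with PRINC left undef) makes WebAuth verify the TGT against the
# service key, so a forged KDC reply cannot pass as a valid login.
my $client = WebAuth::Krb5->new($wa);
my $verifier = eval {
    $client->init_via_password('user', 'password', undef, $keytab);
};
die "client authentication failed: $@" if $@;
print "TGT verified with $verifier\n";   # server principal used (see above)

# Build an authenticator for the service. In list context with DATA
# given, mk_req returns the authenticator and the encrypted DATA.
my ($req, $edata) = $client->mk_req($service, 'hello, service');

# Server side: validate the authenticator with the keytab, canonicalize
# the client principal to a local name, and decrypt the EDATA with
# krb5_rd_priv. In list context rd_req returns (principal, data).
my $server = WebAuth::Krb5->new($wa);
my ($principal, $message) = eval {
    $server->rd_req($req, $keytab, $service, WA_KRB5_CANON_LOCAL, $edata);
};
die "authenticator rejected: $@" if $@;

# Only after rd_req succeeded is $principal trustworthy as the caller.
print "authenticated client: $principal\n";
print "decrypted message: $message\n";
```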
A WebAuth::Krb5 object will retain a reference to the WebAuth object that was used to create it and will prevent the WebAuth context from being freed until the WebAuth::Krb5 object can be freed. This ensures that objects don't disappear at inappropriate times, but it also means that no memory allocated in the WebAuth context, even if unrelated to the WebAuth::Krb5 object, will be freed until all objects created from it are freed. Creating and holding on to references to WebAuth::Krb5 objects for long periods may therefore result in unexpected memory usage.
Russ Allbery <eagle@eyrie.org>
This module is part of WebAuth. The current version is available from <http://webauth.stanford.edu/>.
2020-12-21 | perl v5.32.0 |