package main

import (
	"fmt"
	"log"
	"os/exec"
	"strings"

	"gopkg.in/jcmturner/gokrb5.v5/client"
	"gopkg.in/jcmturner/gokrb5.v5/config"
)

// suffixMap maps each Kerberos account type handled in this file to the
// instance suffix that is appended to the bare username to form that
// account's principal: the SSO account is the plain username, the eduroam
// and TACACS accounts are "<user>/ppp" and "<user>/net" respectively.
var suffixMap = map[string]string{
	"SSO":     "", // bare username, no instance
	"EDUROAM": "/ppp",
	"TACACS":  "/net",
}

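// CheckDuplicatePw returns an error if password is already the current
// password of any of username's Kerberos principals (one per suffixMap key),
// or if any of those checks could not be completed.
//
// Each principal is verified with a live KDC login attempt (see
// checkKerberosDuplicatePw). That function folds "password is reused" and
// "check could not be performed" into the same error return, so a caller
// receives an error in both cases and can only tell them apart by message.
// Map iteration order is random, so when more than one account would fail,
// which one is reported is not deterministic.
func CheckDuplicatePw(username, password string) error {
	for suffix := range suffixMap {
		if err := checkKerberosDuplicatePw(suffix, username, password); err != nil {
			return err
		}
	}
	return nil
}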

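// checkKerberosDuplicatePw reports whether password is the current password
// of username's principal for the given suffix (a key of suffixMap) by
// performing a real AS login against the NORDU.NET KDC as that principal.
//
// It returns nil when the KDC rejects the credentials or does not know the
// principal (the password is not in use there), an error reading
// "Password already used with: <suffix> account" when the login succeeds,
// and a descriptive error for anything else (unknown suffix, unreadable
// krb5 config, KDC unreachable, unexpected KDC error code).
//
// NOTE(review): every call is a genuine authentication attempt for a
// principal the user may never log into directly; it shows up in KDC audit
// logs and counts towards any failed-authentication lockout policy the realm
// enforces.
func checkKerberosDuplicatePw(suffix, username, password string) error {
	sfx, ok := suffixMap[suffix]
	if !ok {
		return fmt.Errorf("Unknown kerberos account type %q", suffix)
	}
	principal := username + sfx

	// Previously the Load error was discarded and a nil config handed to the
	// client; report it instead so a broken krb5.conf is not mistaken for
	// "password not in use".
	krbConf, err := config.Load(pwman.Krb5Conf)
	if err != nil {
		return fmt.Errorf("Error while checking %s password for duplicate, unable to load krb5 config: %v", suffix, err)
	}

	kclient := client.NewClientWithPassword(principal, "NORDU.NET", password)
	kclient.WithConfig(krbConf)

	err = kclient.Login()
	if err == nil {
		// The KDC accepted username+password for this principal: the
		// password is already in use.
		// NOTE(review): a successful Login leaves the client holding a
		// ticket/session; if the gokrb5 client type exposes a Destroy method,
		// call it here — confirm against the v5 API.
		return fmt.Errorf("Password already used with: %s account", suffix)
	}

	// Rejected pre-authentication, failure to decrypt the AS reply, or an
	// unknown principal all mean "this password is not used here". Anything
	// else (network, config, unexpected KDC code) is surfaced to the caller
	// rather than silently treated as "no duplicate".
	// NOTE(review): "KDC_ERR_PREAUTH" is a substring match and therefore also
	// covers KDC_ERR_PREAUTH_REQUIRED, not only KDC_ERR_PREAUTH_FAILED —
	// confirm that is intended.
	if containsEither(err.Error(), "KDC_ERR_PREAUTH", "Decrypting_Error", "KDC_ERR_C_PRINCIPAL_UNKNOWN") {
		return nil
	}
	log.Println("ERROR", "Error while checking", suffix, "password for duplicate, got error:", err)
	return fmt.Errorf("Error while checking %s password for duplicate, got error: %v", suffix, err)
}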

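// ChangeKerberosPw sets a new password for username's principal of the given
// suffix (a key of suffixMap) by running pwman.ChangePwScript and writing
// "<principal>@NORDU.NET <new_password>" to its stdin.
//
// The credentials are passed on stdin, not argv, so they are not visible in
// the process table. The script's input is a single space-separated record,
// so a username containing whitespace or control characters, or a password
// containing a line break or NUL, would be misparsed by the script — at worst
// setting a password other than the one the user typed; both are rejected up
// front. An unknown suffix is rejected as well: a missing map key used to
// yield "" and silently change the SSO account instead.
//
// Returns an error for an unknown suffix, an unusable username/password, or
// a non-zero script exit; in the last case the script's combined output is
// logged but not returned to the caller.
//
// NOTE(review): on failure the script's combined stdout/stderr goes to the
// log; if the script ever echoes its input the new password would land in
// the log — confirm the script's behaviour before relying on this.
func ChangeKerberosPw(suffix, username, new_password string) error {
	sfx, ok := suffixMap[suffix]
	if !ok {
		return fmt.Errorf("Unknown kerberos account type %q", suffix)
	}
	if username == "" || strings.ContainsAny(username, " \t\r\n\x00") {
		return fmt.Errorf("Invalid username for kerberos password change")
	}
	if strings.ContainsAny(new_password, "\r\n\x00") {
		return fmt.Errorf("New password contains characters that cannot be passed to the kerberos script")
	}
	principal := fmt.Sprintf("%s%s@NORDU.NET", username, sfx)

	cmd := exec.Command(pwman.ChangePwScript)
	// Let os/exec feed stdin: no hand-rolled goroutine whose write error was
	// ignored, and the copy is complete (or abandoned because the script
	// exited first) by the time CombinedOutput returns.
	cmd.Stdin = strings.NewReader(principal + " " + new_password)

	out, err := cmd.CombinedOutput()
	if err != nil {
		log.Println("ERROR", "Error running change password script, got error:", err, "with script output:", string(out))
		return fmt.Errorf("Error running change password script, got error: %v", err)
	}
	return nil
}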