module KerberosAuthenticator
Constants
- VERSION
Public Class Methods
Authenticates a user using their password.

@param username [String] a string representation of the user's principal
@param password [String] the user's password
@raise [Error] if Kerberos can't understand the principal or contact any KDCs for the principal's realm
@raise [Error] if preauthentication fails (usually meaning that the user's password was incorrect)
@raise [Error] if the KDC cannot find the user
@return [TrueClass] always returns true if authentication succeeds without any error
@see web.mit.edu/kerberos/krb5-1.14/doc/appdev/init_creds.html Initial credentials

    # File lib/kerberos_authenticator.rb, line 28
    def self.authenticate!(username, password)
      user = Krb5::Principal.new_with_name(username)
      creds = user.initial_creds_with_password(password, service)

      with_keytab do |kt|
        creds.verify!(server_princ, kt)
      end

      true
    end

Change a user's password by authenticating with their current one.

@raise [Error] if the attempt to change the password fails
@return [TrueClass] always returns true if no error was raised

    # File lib/kerberos_authenticator.rb, line 42
    def self.change_password!(username, old_password, new_password)
      user = Krb5::Principal.new_with_name(username)
      user.change_password(old_password, new_password)
    end

    # File lib/kerberos_authenticator.rb, line 87
    def self.keytab_base64
      @keytab_base64
    end

    # File lib/kerberos_authenticator.rb, line 91
    def self.keytab_base64=(v)
      @keytab_base64 = v
    end

    # File lib/kerberos_authenticator.rb, line 95
    def self.keytab_path
      @keytab_path
    end

    # File lib/kerberos_authenticator.rb, line 99
    def self.keytab_path=(v)
      @keytab_path = v
    end

A convenience method to access the Krb5 module when using the setup method.

@return [Krb5]

    # File lib/kerberos_authenticator.rb, line 11
    def self.krb5
      Krb5
    end

    # File lib/kerberos_authenticator.rb, line 76
    def self.server
      @server
    end

    # File lib/kerberos_authenticator.rb, line 80
    def self.server=(v)
      @server = v
    end

    # File lib/kerberos_authenticator.rb, line 66
    def self.service
      @service
    end

    # File lib/kerberos_authenticator.rb, line 70
    def self.service=(v)
      @service = v
    end

Supports setting KerberosAuthenticator up using a block.

    # File lib/kerberos_authenticator.rb, line 16
    def self.setup
      yield self
    end

Private Class Methods
    # File lib/kerberos_authenticator.rb, line 107
    def self.new_kt_tmp_file
      return nil unless keytab_base64

      kt_tmp_file = Tempfile.new('krb5_kt', encoding: 'binary')
      kt_tmp_file.write(Base64.decode64(keytab_base64))
      kt_tmp_file.close

      kt_tmp_file
    end

    # File lib/kerberos_authenticator.rb, line 103
    def self.server_princ
      server ? Krb5::Principal.new_with_name(server) : nil
    end

    # File lib/kerberos_authenticator.rb, line 117
    def self.with_keytab
      if keytab_base64
        kt_tmp_file = new_kt_tmp_file
        kt = Krb5::Keytab.new_with_name("FILE:#{kt_tmp_file.path}")
      elsif keytab_path
        kt = Krb5::Keytab.new_with_name("FILE:#{keytab_path}")
      else
        kt = Krb5::Keytab.default
      end

      # FIXME: This seems to protect against segfaults in OS X Kerberos as of 10.9.5
      # when the keytab isn't accessible or doesn't exist.
      # It probably indicates an underlying memory management mistake.
      #
      # REVIEW: It's hard to say whether calling this or leaving it out produces
      # better error messages.
      kt.assert_has_content

      begin
        yield kt
      ensure
        kt_tmp_file.close! if kt_tmp_file
      end
    end
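
The temporary-keytab pattern used by new_kt_tmp_file and with_keytab, as an added example that is not the gem's own code: it decodes strictly, checks the keytab header bytes before anything is written to disk, and keeps every step after file creation under ensure, whereas with_keytab calls kt.assert_has_content before its begin block. The helper name with_decoded_keytab, the constants and the sample value are assumptions made for illustration.

```ruby
require 'tempfile'

# Hypothetical helper and constants, not part of the kerberos_authenticator gem.
# An MIT keytab file starts with 0x05 followed by the format version;
# this example accepts only version 2.
KEYTAB_MAGIC = "\x05\x02".b

def with_decoded_keytab(keytab_base64)
  # 'm0' is the strict Base64 decoder (the one Base64.strict_decode64 uses):
  # it raises ArgumentError on stray characters instead of skipping them.
  raw = keytab_base64.unpack1('m0')
  unless raw.byteslice(0, 2) == KEYTAB_MAGIC
    raise ArgumentError, 'decoded data does not start with a keytab v2 header'
  end

  tmp = Tempfile.new('krb5_kt', binmode: true) # Tempfile creates it with mode 0600
  begin
    tmp.write(raw)
    tmp.close # flush to disk; the path stays valid until close!
    yield "FILE:#{tmp.path}" # the name form the page passes to Krb5::Keytab.new_with_name
  ensure
    tmp.close! # unlink the key material even if a check or the block raised
  end
end

# Constructed sample: a keytab header plus filler bytes, not real key material.
SAMPLE_KEYTAB_B64 = ["\x05\x02".b + ("\x00".b * 16)].pack('m0')
```
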