[gssapi-openssh.git] / openssh / auth2-gss.c

/*
 * Copyright (c) 2001,2002 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef GSSAPI
#include "auth.h"
#include "ssh2.h"
#include "ssh1.h"
#include "xmalloc.h"
#include "log.h"
#include "dispatch.h"
#include "servconf.h"
#include "compat.h"
#include "packet.h"
#include "monitor_wrap.h"

#include "ssh-gss.h"

extern ServerOptions options;
extern unsigned char ssh1_key_digest[16];

static int
userauth_external(Authctxt *authctxt)
{
        packet_check_eom();

        return(PRIVSEP(ssh_gssapi_userok(authctxt->user)));
}

static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

/* We only support those mechanisms that we know about (ie ones that we know
 * how to check local user kuserok and the like
 */
static int
userauth_gssapi(Authctxt *authctxt)
{
        gss_OID_desc    oid= {0,NULL};
        Gssctxt         *ctxt = NULL;
        int             mechs;
        gss_OID_set     supported;
        int             present;
        OM_uint32       ms;
        u_int           len;
        
        if (!authctxt->valid || authctxt->user == NULL)
                return 0;
                
        if (datafellows & SSH_OLD_GSSAPI) {
                debug("Early drafts of GSSAPI userauth not supported");
                return 0;
        }
        
        mechs=packet_get_int();
        if (mechs==0) {
                debug("Mechanism negotiation is not supported");
                return 0;
        }

        ssh_gssapi_supported_oids(&supported);
        do {
                if (oid.elements)
                        xfree(oid.elements);
                oid.elements = packet_get_string(&len);
                oid.length = len;
                gss_test_oid_set_member(&ms, &oid, supported, &present);
                mechs--;
        } while (mechs>0 && !present);
        
        if (!present) {
                xfree(oid.elements);
                return(0);
        }
                
	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt,&oid))))
		return(0);
	
        authctxt->methoddata=(void *)ctxt;

        /* Send SSH_MSG_USERAUTH_GSSAPI_RESPONSE */

	if (!compat20)
        packet_start(SSH_SMSG_AUTH_GSSAPI_RESPONSE);
	else
	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
        packet_put_string(oid.elements,oid.length);
        packet_send();
        packet_write_wait();
        xfree(oid.elements);

 	if (!compat20)
 	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN,
 				&input_gssapi_token);
 	else
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, 
		     &input_gssapi_token);
        authctxt->postponed = 1;
        
        return 0;
}

static void
input_gssapi_token(int type, u_int32_t plen, void *ctxt)
{
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        gss_buffer_desc send_tok,recv_tok;
        OM_uint32 maj_status, min_status;
	int len;
        
        if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
                fatal("No authentication or GSSAPI context");
                
        gssctxt=authctxt->methoddata;
        recv_tok.value=packet_get_string(&len);
	recv_tok.length=len; /* int vs. size_t */
        
        maj_status=PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 
        					 &send_tok, NULL));
        packet_check_eom();
        
        if (send_tok.length != 0) {
                /* Send a packet back to the client */
		if (!compat20)
		packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN);
		else
	        packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
                packet_put_string(send_tok.value,send_tok.length);
                packet_send();
                packet_write_wait();
                gss_release_buffer(&min_status, &send_tok);        
        }
        
        if (GSS_ERROR(maj_status)) {
                /* Failure <sniff> */
		if (gssctxt) {	/* may be NULL under privsep */
		    ssh_gssapi_send_error(gssctxt->oid,maj_status,min_status);
		} else {
		    ssh_gssapi_send_error(GSS_C_NO_OID,maj_status,min_status);
		}
                authctxt->postponed = 0;
		dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
                userauth_finish(authctxt, 0, "gssapi");
        }
                        
        if (maj_status == GSS_S_COMPLETE) {
		dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,NULL);
		/* ssh1 does not have an extra message here */
		if (!compat20)
		input_gssapi_exchange_complete(0, 0, ctxt);
		else
  		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
  			     &input_gssapi_exchange_complete);
        }
}

/* This is called when the client thinks we've completed authentication.
 * It should only be enabled in the dispatch handler by the function above,
 * which only enables it once the GSSAPI exchange is complete.
 */
 
static void
input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
{
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        int authenticated;
        
	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
                fatal("No authentication or GSSAPI context");
                
	if ((strcmp(authctxt->user, "") == 0) && (authctxt->pw == NULL)) {
	    char *lname = NULL;
	    PRIVSEP(ssh_gssapi_localname(&lname));
	    if (lname && lname[0] != '\0') {
		xfree(authctxt->user);
		authctxt->user = lname;
		debug("set username to %s from gssapi context", lname);
		authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
	    } else {
		debug("failed to set username from gssapi context");
	    }
	}
	if (authctxt->pw) {
#ifdef USE_PAM
	    PRIVSEP(start_pam(authctxt->pw->pw_name));
#endif
	} else {
	    authctxt->valid = 0;
	    authenticated = 0;
	    goto finish;
	}

        gssctxt=authctxt->methoddata;

	/* ssh1 needs to exchange the hash of the keys */
	if (!compat20) {

		OM_uint32 min_status;
		gss_buffer_desc dummy, msg_tok;

		/* ssh1 wraps the keys, in the monitor */

		dummy.value=malloc(sizeof(ssh1_key_digest));
		memcpy(dummy.value,ssh1_key_digest,sizeof(ssh1_key_digest));
		dummy.length=sizeof(ssh1_key_digest);
		if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(gssctxt,&dummy,&msg_tok))))
		    fatal("Couldn't wrap keys");
 
		packet_start(SSH_SMSG_AUTH_GSSAPI_HASH);
		packet_put_string((char *)msg_tok.value,msg_tok.length);
		packet_send();
		packet_write_wait();
		gss_release_buffer(&min_status,&msg_tok);
	}

  
	/* We don't need to check the status, because the stored credentials
	 * which userok uses are only populated once the context init step
	 * has returned complete.
	 */

        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

finish:
        authctxt->postponed = 0;
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
        userauth_finish(authctxt, authenticated, "gssapi");
}

Authmethod method_external = {
	"external-keyx",
	userauth_external,
	&options.gss_authentication
};
	
Authmethod method_gssapi = {
        "gssapi",
        userauth_gssapi,
        &options.gss_authentication
};

#endif /* GSSAPI */
Commit	Line	Data
b59afbfe	1	/*
	2	* Copyright (c) 2001,2002 Simon Wilkinson. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
	27	#ifdef GSSAPI
	28	#include "auth.h"
	29	#include "ssh2.h"
	30	#include "ssh1.h"
	31	#include "xmalloc.h"
	32	#include "log.h"
	33	#include "dispatch.h"
	34	#include "servconf.h"
	35	#include "compat.h"
	36	#include "packet.h"
	37	#include "monitor_wrap.h"
	38
	39	#include "ssh-gss.h"
	40
	41	extern ServerOptions options;
	42	extern unsigned char ssh1_key_digest[16];
	43
	44	static int
	45	userauth_external(Authctxt *authctxt)
	46	{
	47	packet_check_eom();
	48
	49	return(PRIVSEP(ssh_gssapi_userok(authctxt->user)));
	50	}
	51
	52	static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
	53	static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
	54
	55	/* We only support those mechanisms that we know about (ie ones that we know
	56	* how to check local user kuserok and the like
	57	*/
	58	static int
	59	userauth_gssapi(Authctxt *authctxt)
	60	{
	61	gss_OID_desc oid= {0,NULL};
	62	Gssctxt *ctxt = NULL;
	63	int mechs;
	64	gss_OID_set supported;
65	int present;
66	OM_uint32 ms;
67	u_int len;
68
69	if (!authctxt->valid \|\| authctxt->user == NULL)
70	return 0;
71
72	if (datafellows & SSH_OLD_GSSAPI) {
73	debug("Early drafts of GSSAPI userauth not supported");
74	return 0;
75	}
76
77	mechs=packet_get_int();
78	if (mechs==0) {
79	debug("Mechanism negotiation is not supported");
80	return 0;
81	}
82
83	ssh_gssapi_supported_oids(&supported);
84	do {
85	if (oid.elements)
86	xfree(oid.elements);
87	oid.elements = packet_get_string(&len);
88	oid.length = len;
89	gss_test_oid_set_member(&ms, &oid, supported, &present);
90	mechs--;
91	} while (mechs>0 && !present);
92
93	if (!present) {
94	xfree(oid.elements);
95	return(0);
96	}
97
98	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt,&oid))))
99	return(0);
100
101	authctxt->methoddata=(void *)ctxt;
102
103	/* Send SSH_MSG_USERAUTH_GSSAPI_RESPONSE */
104
105	if (!compat20)
106	packet_start(SSH_SMSG_AUTH_GSSAPI_RESPONSE);
107	else
108	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
109	packet_put_string(oid.elements,oid.length);
110	packet_send();
111	packet_write_wait();
112	xfree(oid.elements);
113
114	if (!compat20)
115	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN,
116	&input_gssapi_token);
117	else
118	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
119	&input_gssapi_token);
120	authctxt->postponed = 1;
121
122	return 0;
123	}
124
125	static void
126	input_gssapi_token(int type, u_int32_t plen, void *ctxt)
127	{
128	Authctxt *authctxt = ctxt;
129	Gssctxt *gssctxt;
130	gss_buffer_desc send_tok,recv_tok;
131	OM_uint32 maj_status, min_status;
007914b3	132	int len;
b59afbfe	133
	134	if (authctxt == NULL \|\| (authctxt->methoddata == NULL && !use_privsep))
	135	fatal("No authentication or GSSAPI context");
	136
	137	gssctxt=authctxt->methoddata;
007914b3	138	recv_tok.value=packet_get_string(&len);
007914b3	139	recv_tok.length=len; /* int vs. size_t */
b59afbfe	140
	141	maj_status=PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
	142	&send_tok, NULL));
	143	packet_check_eom();
	144
b59afbfe	145	if (send_tok.length != 0) {
	146	/* Send a packet back to the client */
	147	if (!compat20)
	148	packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN);
	149	else
	150	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
	151	packet_put_string(send_tok.value,send_tok.length);
	152	packet_send();
	153	packet_write_wait();
	154	gss_release_buffer(&min_status, &send_tok);
	155	}
	156
705f2ba4	157	if (GSS_ERROR(maj_status)) {
705f2ba4	158	/* Failure <sniff> */
e8bbb925	159	if (gssctxt) { /* may be NULL under privsep */
	160	ssh_gssapi_send_error(gssctxt->oid,maj_status,min_status);
	161	} else {
	162	ssh_gssapi_send_error(GSS_C_NO_OID,maj_status,min_status);
	163	}
705f2ba4	164	authctxt->postponed = 0;
	165	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
	166	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	167	userauth_finish(authctxt, 0, "gssapi");
	168	}
	169
b59afbfe	170	if (maj_status == GSS_S_COMPLETE) {
	171	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
	172	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,NULL);
	173	/* ssh1 does not have an extra message here */
	174	if (!compat20)
	175	input_gssapi_exchange_complete(0, 0, ctxt);
	176	else
	177	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
	178	&input_gssapi_exchange_complete);
	179	}
	180	}
	181
	182	/* This is called when the client thinks we've completed authentication.
	183	* It should only be enabled in the dispatch handler by the function above,
	184	* which only enables it once the GSSAPI exchange is complete.
	185	*/
	186
	187	static void
	188	input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
	189	{
	190	Authctxt *authctxt = ctxt;
	191	Gssctxt *gssctxt;
	192	int authenticated;
	193
	194	if (authctxt == NULL \|\| (authctxt->methoddata == NULL && !use_privsep))
	195	fatal("No authentication or GSSAPI context");
	196
d13dfff4	197	if ((strcmp(authctxt->user, "") == 0) && (authctxt->pw == NULL)) {
	198	char *lname = NULL;
	199	PRIVSEP(ssh_gssapi_localname(&lname));
	200	if (lname && lname[0] != '\0') {
	201	xfree(authctxt->user);
	202	authctxt->user = lname;
	203	debug("set username to %s from gssapi context", lname);
	204	authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
	205	} else {
	206	debug("failed to set username from gssapi context");
	207	}
	208	}
	209	if (authctxt->pw) {
	210	#ifdef USE_PAM
	211	PRIVSEP(start_pam(authctxt->pw->pw_name));
	212	#endif
	213	} else {
	214	authctxt->valid = 0;
	215	authenticated = 0;
	216	goto finish;
	217	}
	218
b59afbfe	219	gssctxt=authctxt->methoddata;
	220
	221	/* ssh1 needs to exchange the hash of the keys */
	222	if (!compat20) {
	223
	224	OM_uint32 min_status;
	225	gss_buffer_desc dummy, msg_tok;
	226
	227	/* ssh1 wraps the keys, in the monitor */
	228
	229	dummy.value=malloc(sizeof(ssh1_key_digest));
	230	memcpy(dummy.value,ssh1_key_digest,sizeof(ssh1_key_digest));
	231	dummy.length=sizeof(ssh1_key_digest);
	232	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(gssctxt,&dummy,&msg_tok))))
	233	fatal("Couldn't wrap keys");
	234
	235	packet_start(SSH_SMSG_AUTH_GSSAPI_HASH);
	236	packet_put_string((char *)msg_tok.value,msg_tok.length);
	237	packet_send();
	238	packet_write_wait();
	239	gss_release_buffer(&min_status,&msg_tok);
	240	}
	241
	242
	243	/* We don't need to check the status, because the stored credentials
	244	* which userok uses are only populated once the context init step
	245	* has returned complete.
	246	*/
	247
	248	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
	249
d13dfff4	250	finish:
b59afbfe	251	authctxt->postponed = 0;
	252	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	253	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	254	userauth_finish(authctxt, authenticated, "gssapi");
	255	}
	256
	257	Authmethod method_external = {
	258	"external-keyx",
	259	userauth_external,
	260	&options.gss_authentication
	261	};
	262
	263	Authmethod method_gssapi = {
	264	"gssapi",
	265	userauth_gssapi,
	266	&options.gss_authentication
	267	};
	268
	269	#endif /* GSSAPI */