]>
Commit | Line | Data |
---|---|---|
1b56ff3d | 1 | /* $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $ */ |
70791e56 | 2 | |
88928908 | 3 | /* |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * | |
15 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | |
16 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
17 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
18 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
19 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
20 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
25 | */ | |
26 | ||
27 | #include "includes.h" | |
28 | ||
29 | #ifdef GSSAPI | |
30 | #ifdef KRB5 | |
31 | ||
32 | #include "auth.h" | |
88928908 | 33 | #include "xmalloc.h" |
34 | #include "log.h" | |
35 | #include "servconf.h" | |
36 | ||
37 | #include "ssh-gss.h" | |
38 | ||
39 | extern ServerOptions options; | |
40 | ||
41 | #ifdef HEIMDAL | |
416fd2a8 | 42 | # include <krb5.h> |
88928908 | 43 | #else |
416fd2a8 | 44 | # ifdef HAVE_GSSAPI_KRB5 |
45 | # include <gssapi_krb5.h> | |
46 | # elif HAVE_GSSAPI_GSSAPI_KRB5 | |
47 | # include <gssapi/gssapi_krb5.h> | |
48 | # endif | |
88928908 | 49 | #endif |
50 | ||
88928908 | 51 | static krb5_context krb_context = NULL; |
2a304a95 | 52 | static int ssh_gssapi_krb5_init(); |
53 | static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name); | |
54 | static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user); | |
55 | static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client); | |
56 | ||
57 | ssh_gssapi_mech gssapi_kerberos_mech = { | |
58 | "toWM5Slw5Ew8Mqkay+al2g==", | |
59 | "Kerberos", | |
60 | {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, | |
61 | NULL, | |
62 | &ssh_gssapi_krb5_userok, | |
63 | &ssh_gssapi_krb5_localname, | |
64 | &ssh_gssapi_krb5_storecreds | |
65 | }; | |
66 | ||
67 | ssh_gssapi_mech gssapi_kerberos_mech_old = { | |
68 | "Se3H81ismmOC3OE+FwYCiQ==", | |
69 | "Kerberos", | |
70 | {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, | |
71 | &ssh_gssapi_krb5_init, | |
72 | &ssh_gssapi_krb5_userok, | |
73 | &ssh_gssapi_krb5_localname, | |
74 | &ssh_gssapi_krb5_storecreds | |
75 | }; | |
88928908 | 76 | |
70791e56 | 77 | /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ |
88928908 | 78 | |
416fd2a8 | 79 | static int |
1b56ff3d | 80 | ssh_gssapi_krb5_init(void) |
70791e56 | 81 | { |
88928908 | 82 | krb5_error_code problem; |
70791e56 | 83 | |
84 | if (krb_context != NULL) | |
88928908 | 85 | return 1; |
70791e56 | 86 | |
88928908 | 87 | problem = krb5_init_context(&krb_context); |
88 | if (problem) { | |
70791e56 | 89 | logit("Cannot initialize krb5 context"); |
88928908 | 90 | return 0; |
91 | } | |
2a304a95 | 92 | #ifdef KRB5_INIT_ETS |
88928908 | 93 | krb5_init_ets(krb_context); |
2a304a95 | 94 | #endif |
88928908 | 95 | |
70791e56 | 96 | return 1; |
97 | } | |
88928908 | 98 | |
70791e56 | 99 | /* Check if this user is OK to login. This only works with krb5 - other |
88928908 | 100 | * GSSAPI mechanisms will need their own. |
101 | * Returns true if the user is OK to log in, otherwise returns 0 | |
102 | */ | |
103 | ||
104 | static int | |
70791e56 | 105 | ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) |
106 | { | |
88928908 | 107 | krb5_principal princ; |
108 | int retval; | |
109 | ||
110 | if (ssh_gssapi_krb5_init() == 0) | |
111 | return 0; | |
70791e56 | 112 | |
113 | if ((retval = krb5_parse_name(krb_context, client->exportedname.value, | |
114 | &princ))) { | |
115 | logit("krb5_parse_name(): %.100s", | |
116 | krb5_get_err_text(krb_context, retval)); | |
88928908 | 117 | return 0; |
118 | } | |
119 | if (krb5_kuserok(krb_context, princ, name)) { | |
120 | retval = 1; | |
70791e56 | 121 | logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", |
122 | name, (char *)client->displayname.value); | |
123 | } else | |
88928908 | 124 | retval = 0; |
70791e56 | 125 | |
88928908 | 126 | krb5_free_principal(krb_context, princ); |
127 | return retval; | |
128 | } | |
129 | ||
70791e56 | 130 | |
88928908 | 131 | /* Retrieve the local username associated with a set of Kerberos |
132 | * credentials. Hopefully we can use this for the 'empty' username | |
133 | * logins discussed in the draft */ | |
134 | static int | |
135 | ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) { | |
136 | krb5_principal princ; | |
137 | int retval; | |
138 | ||
139 | if (ssh_gssapi_krb5_init() == 0) | |
140 | return 0; | |
141 | ||
70791e56 | 142 | if ((retval=krb5_parse_name(krb_context, client->displayname.value, |
88928908 | 143 | &princ))) { |
70791e56 | 144 | logit("krb5_parse_name(): %.100s", |
88928908 | 145 | krb5_get_err_text(krb_context,retval)); |
146 | return 0; | |
147 | } | |
148 | ||
149 | /* We've got to return a malloc'd string */ | |
150 | *user = (char *)xmalloc(256); | |
151 | if (krb5_aname_to_localname(krb_context, princ, 256, *user)) { | |
152 | xfree(*user); | |
153 | *user = NULL; | |
154 | return(0); | |
155 | } | |
156 | ||
157 | return(1); | |
158 | } | |
159 | ||
70791e56 | 160 | /* This writes out any forwarded credentials from the structure populated |
161 | * during userauth. Called after we have setuid to the user */ | |
88928908 | 162 | |
163 | static void | |
70791e56 | 164 | ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
165 | { | |
88928908 | 166 | krb5_ccache ccache; |
167 | krb5_error_code problem; | |
168 | krb5_principal princ; | |
70791e56 | 169 | OM_uint32 maj_status, min_status; |
88928908 | 170 | gss_cred_id_t krb5_cred_handle; |
416fd2a8 | 171 | int len; |
70791e56 | 172 | |
173 | if (client->creds == NULL) { | |
174 | debug("No credentials stored"); | |
88928908 | 175 | return; |
176 | } | |
70791e56 | 177 | |
88928908 | 178 | if (ssh_gssapi_krb5_init() == 0) |
179 | return; | |
180 | ||
70791e56 | 181 | #ifdef HEIMDAL |
182 | if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { | |
183 | logit("krb5_cc_gen_new(): %.100s", | |
184 | krb5_get_err_text(krb_context, problem)); | |
88928908 | 185 | return; |
186 | } | |
70791e56 | 187 | #else |
188 | { | |
189 | int tmpfd; | |
190 | char ccname[40]; | |
1b56ff3d | 191 | mode_t old_umask; |
416fd2a8 | 192 | |
193 | snprintf(ccname, sizeof(ccname), | |
70791e56 | 194 | "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid()); |
416fd2a8 | 195 | |
1b56ff3d | 196 | old_umask = umask(0177); |
197 | tmpfd = mkstemp(ccname + strlen("FILE:")); | |
198 | umask(old_umask); | |
199 | if (tmpfd == -1) { | |
70791e56 | 200 | logit("mkstemp(): %.100s", strerror(errno)); |
201 | problem = errno; | |
202 | return; | |
203 | } | |
204 | if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) { | |
205 | logit("fchmod(): %.100s", strerror(errno)); | |
206 | close(tmpfd); | |
207 | problem = errno; | |
208 | return; | |
209 | } | |
210 | close(tmpfd); | |
211 | if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) { | |
212 | logit("krb5_cc_resolve(): %.100s", | |
213 | krb5_get_err_text(krb_context, problem)); | |
214 | return; | |
215 | } | |
216 | } | |
217 | #endif /* #ifdef HEIMDAL */ | |
218 | ||
416fd2a8 | 219 | if ((problem = krb5_parse_name(krb_context, |
70791e56 | 220 | client->exportedname.value, &princ))) { |
221 | logit("krb5_parse_name(): %.100s", | |
222 | krb5_get_err_text(krb_context, problem)); | |
223 | krb5_cc_destroy(krb_context, ccache); | |
224 | return; | |
225 | } | |
226 | ||
88928908 | 227 | if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { |
70791e56 | 228 | logit("krb5_cc_initialize(): %.100s", |
229 | krb5_get_err_text(krb_context, problem)); | |
230 | krb5_free_principal(krb_context, princ); | |
231 | krb5_cc_destroy(krb_context, ccache); | |
88928908 | 232 | return; |
233 | } | |
70791e56 | 234 | |
235 | krb5_free_principal(krb_context, princ); | |
88928908 | 236 | |
237 | #ifdef MECHGLUE | |
238 | krb5_cred_handle = | |
239 | __gss_get_mechanism_cred(client->creds, | |
240 | &(gssapi_kerberos_mech.oid)); | |
241 | #else | |
242 | krb5_cred_handle = client->creds; | |
243 | #endif | |
244 | ||
245 | if ((maj_status = gss_krb5_copy_ccache(&min_status, | |
70791e56 | 246 | krb5_cred_handle, ccache))) { |
247 | logit("gss_krb5_copy_ccache() failed"); | |
248 | krb5_cc_destroy(krb_context, ccache); | |
88928908 | 249 | return; |
250 | } | |
70791e56 | 251 | |
252 | client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); | |
253 | client->store.envvar = "KRB5CCNAME"; | |
416fd2a8 | 254 | len = strlen(client->store.filename) + 6; |
255 | client->store.envval = xmalloc(len); | |
256 | snprintf(client->store.envval, len, "FILE:%s", client->store.filename); | |
88928908 | 257 | |
258 | #ifdef USE_PAM | |
70791e56 | 259 | if (options.use_pam) |
416fd2a8 | 260 | do_pam_putenv(client->store.envvar, client->store.envval); |
88928908 | 261 | #endif |
262 | ||
70791e56 | 263 | krb5_cc_close(krb_context, ccache); |
88928908 | 264 | |
265 | return; | |
266 | } | |
267 | ||
268 | #endif /* KRB5 */ | |
269 | ||
270 | #endif /* GSSAPI */ |