[gssapi-openssh.git] / openssh / gss-serv-krb5.c

/*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef GSSAPI
#ifdef KRB5

#include "auth.h"
#include "auth-pam.h"
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"

#include "ssh-gss.h"

extern ServerOptions options;

#ifdef HEIMDAL
#include <krb5.h>
#else
#include <gssapi_krb5.h>
#define krb5_get_err_text(context,code) error_message(code)
#endif

static int ssh_gssapi_krb5_init();
static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name);
static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user);
static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);

static krb5_context krb_context = NULL;

/* We've been using a wrongly encoded mechanism ID for yonks */

ssh_gssapi_mech gssapi_kerberos_mech_old = {
	"Se3H81ismmOC3OE+FwYCiQ==",
	"Kerberos",
	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
	&ssh_gssapi_krb5_init,
	&ssh_gssapi_krb5_userok,
	&ssh_gssapi_krb5_localname,
	&ssh_gssapi_krb5_storecreds
};

ssh_gssapi_mech gssapi_kerberos_mech = {
	"toWM5Slw5Ew8Mqkay+al2g==",
	"Kerberos",
	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
	NULL,
	&ssh_gssapi_krb5_userok,
	&ssh_gssapi_krb5_localname,
	&ssh_gssapi_krb5_storecreds
};
	
/* Initialise the krb5 library, so we can use it for those bits that
 * GSSAPI won't do */

static int 
ssh_gssapi_krb5_init() {
	krb5_error_code problem;
	
	if (krb_context !=NULL)
		return 1;
		
	problem = krb5_init_context(&krb_context);
	if (problem) {
		log("Cannot initialize krb5 context");
		return 0;
	}
	krb5_init_ets(krb_context);

	return 1;	
}			

/* Check if this user is OK to login. This only works with krb5 - other 
 * GSSAPI mechanisms will need their own.
 * Returns true if the user is OK to log in, otherwise returns 0
 */

static int
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) {
	krb5_principal princ;
	int retval;

	if (ssh_gssapi_krb5_init() == 0)
		return 0;
		
	if ((retval=krb5_parse_name(krb_context, client->name.value, 
				    &princ))) {
		log("krb5_parse_name(): %.100s", 
			krb5_get_err_text(krb_context,retval));
		return 0;
	}
	if (krb5_kuserok(krb_context, princ, name)) {
		retval = 1;
		log("Authorized to %s, krb5 principal %s (krb5_kuserok)",name,
		    (char *)client->name.value);
	}
	else
		retval = 0;
	
	krb5_free_principal(krb_context, princ);
	return retval;
}

/* Retrieve the local username associated with a set of Kerberos 
 * credentials. Hopefully we can use this for the 'empty' username
 * logins discussed in the draft  */
static int
ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
	krb5_principal princ;
	int retval;
	
	if (ssh_gssapi_krb5_init() == 0)
		return 0;

	if ((retval=krb5_parse_name(krb_context, client->name.value, 
				    &princ))) {
		log("krb5_parse_name(): %.100s", 
			krb5_get_err_text(krb_context,retval));
		return 0;
	}
	
	/* We've got to return a malloc'd string */
	*user = (char *)xmalloc(256);
	if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
		xfree(*user);
		*user = NULL;
		return(0);
	}
	
	return(1);
}
	
/* Make sure that this is called _after_ we've setuid to the user */

/* This writes out any forwarded credentials. Its specific to the Kerberos
 * GSSAPI mechanism
 *
 * We assume that our caller has made sure that the user has selected
 * delegated credentials, and that the client_creds structure is correctly
 * populated.
 */

static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) {
	krb5_ccache ccache;
	krb5_error_code problem;
	krb5_principal princ;
	char ccname[35];
	static char name[40];
	int tmpfd;
	OM_uint32 maj_status,min_status;
	gss_cred_id_t krb5_cred_handle;

	if (client->creds==NULL) {
		debug("No credentials stored"); 
		return;
	}
		
	if (ssh_gssapi_krb5_init() == 0)
		return;

	if (options.gss_use_session_ccache) {
        	snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d_XXXXXX",geteuid());
       
        	if ((tmpfd = mkstemp(ccname))==-1) {
                	log("mkstemp(): %.100s", strerror(errno));
                	return;
        	}
	        if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
	               	log("fchmod(): %.100s", strerror(errno));
	               	close(tmpfd);
	               	return;
	        }
        } else {
        	snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d",geteuid());
        	tmpfd = open(ccname, O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
        	if (tmpfd == -1) {
        		log("open(): %.100s", strerror(errno));
        		return;
        	}
        }

       	close(tmpfd);
        snprintf(name, sizeof(name), "FILE:%s",ccname);
 
        if ((problem = krb5_cc_resolve(krb_context, name, &ccache))) {
                log("krb5_cc_default(): %.100s", 
                	krb5_get_err_text(krb_context,problem));
                return;
        }

	if ((problem = krb5_parse_name(krb_context, client->name.value, 
				       &princ))) {
		log("krb5_parse_name(): %.100s", 
			krb5_get_err_text(krb_context,problem));
		krb5_cc_destroy(krb_context,ccache);
		return;
	}
	
	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
		log("krb5_cc_initialize(): %.100s", 
			krb5_get_err_text(krb_context,problem));
		krb5_free_principal(krb_context,princ);
		krb5_cc_destroy(krb_context,ccache);
		return;
	}
	
	krb5_free_principal(krb_context,princ);

#ifdef MECHGLUE
	krb5_cred_handle =
	    __gss_get_mechanism_cred(client->creds,
				     &(gssapi_kerberos_mech.oid));
#else
	krb5_cred_handle = gssapi_client_creds;
#endif

	if ((maj_status = gss_krb5_copy_ccache(&min_status, 
					       client->creds, 
					       ccache))) {
		log("gss_krb5_copy_ccache() failed");
		krb5_cc_destroy(krb_context,ccache);
		return;
	}
	
	krb5_cc_close(krb_context,ccache);

#ifdef USE_PAM
	do_pam_putenv("KRB5CCNAME",name);
#endif

	client->store.filename=strdup(ccname);
	client->store.envvar="KRB5CCNAME";
	client->store.envval=strdup(name);

	return;
}

#endif /* KRB5 */

#endif /* GSSAPI */
Commit	Line	Data
f4b9ce42	1	/*
	2	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
	27	#ifdef GSSAPI
	28	#ifdef KRB5
	29
	30	#include "auth.h"
	31	#include "auth-pam.h"
	32	#include "xmalloc.h"
	33	#include "log.h"
	34	#include "servconf.h"
	35
	36	#include "ssh-gss.h"
	37
	38	extern ServerOptions options;
	39
	40	#ifdef HEIMDAL
	41	#include <krb5.h>
	42	#else
	43	#include <gssapi_krb5.h>
	44	#define krb5_get_err_text(context,code) error_message(code)
	45	#endif
	46
81d08144	47	static int ssh_gssapi_krb5_init();
	48	static int ssh_gssapi_krb5_userok(ssh_gssapi_client client, char name);
	49	static int ssh_gssapi_krb5_localname(ssh_gssapi_client client, char *user);
	50	static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);
	51
f4b9ce42	52	static krb5_context krb_context = NULL;
f4b9ce42	53
81d08144	54	/* We've been using a wrongly encoded mechanism ID for yonks */
	55
	56	ssh_gssapi_mech gssapi_kerberos_mech_old = {
	57	"Se3H81ismmOC3OE+FwYCiQ==",
	58	"Kerberos",
	59	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
	60	&ssh_gssapi_krb5_init,
	61	&ssh_gssapi_krb5_userok,
	62	&ssh_gssapi_krb5_localname,
	63	&ssh_gssapi_krb5_storecreds
	64	};
	65
	66	ssh_gssapi_mech gssapi_kerberos_mech = {
	67	"toWM5Slw5Ew8Mqkay+al2g==",
	68	"Kerberos",
	69	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
	70	NULL,
	71	&ssh_gssapi_krb5_userok,
	72	&ssh_gssapi_krb5_localname,
	73	&ssh_gssapi_krb5_storecreds
	74	};
	75
f4b9ce42	76	/* Initialise the krb5 library, so we can use it for those bits that
	77	* GSSAPI won't do */
	78
	79	static int
	80	ssh_gssapi_krb5_init() {
	81	krb5_error_code problem;
	82
	83	if (krb_context !=NULL)
	84	return 1;
	85
	86	problem = krb5_init_context(&krb_context);
	87	if (problem) {
	88	log("Cannot initialize krb5 context");
	89	return 0;
	90	}
	91	krb5_init_ets(krb_context);
	92
	93	return 1;
	94	}
	95
	96	/* Check if this user is OK to login. This only works with krb5 - other
	97	* GSSAPI mechanisms will need their own.
	98	* Returns true if the user is OK to log in, otherwise returns 0
	99	*/
	100
	101	static int
	102	ssh_gssapi_krb5_userok(ssh_gssapi_client client, char name) {
	103	krb5_principal princ;
	104	int retval;
	105
	106	if (ssh_gssapi_krb5_init() == 0)
	107	return 0;
	108
	109	if ((retval=krb5_parse_name(krb_context, client->name.value,
	110	&princ))) {
	111	log("krb5_parse_name(): %.100s",
	112	krb5_get_err_text(krb_context,retval));
	113	return 0;
	114	}
	115	if (krb5_kuserok(krb_context, princ, name)) {
	116	retval = 1;
	117	log("Authorized to %s, krb5 principal %s (krb5_kuserok)",name,
	118	(char *)client->name.value);
	119	}
	120	else
	121	retval = 0;
	122
	123	krb5_free_principal(krb_context, princ);
	124	return retval;
	125	}
	126
	127	/* Retrieve the local username associated with a set of Kerberos
	128	* credentials. Hopefully we can use this for the 'empty' username
	129	* logins discussed in the draft */
	130	static int
	131	ssh_gssapi_krb5_localname(ssh_gssapi_client client, char *user) {
	132	krb5_principal princ;
	133	int retval;
	134
	135	if (ssh_gssapi_krb5_init() == 0)
	136	return 0;
	137
	138	if ((retval=krb5_parse_name(krb_context, client->name.value,
	139	&princ))) {
140	log("krb5_parse_name(): %.100s",
141	krb5_get_err_text(krb_context,retval));
142	return 0;
143	}
144
145	/* We've got to return a malloc'd string */
146	user = (char )xmalloc(256);
147	if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
148	xfree(*user);
149	*user = NULL;
150	return(0);
151	}
152
153	return(1);
154	}
155
156	/* Make sure that this is called _after_ we've setuid to the user */
157
158	/* This writes out any forwarded credentials. Its specific to the Kerberos
159	* GSSAPI mechanism
160	*
161	* We assume that our caller has made sure that the user has selected
162	* delegated credentials, and that the client_creds structure is correctly
163	* populated.
164	*/
165
166	static void
167	ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) {
168	krb5_ccache ccache;
169	krb5_error_code problem;
170	krb5_principal princ;
171	char ccname[35];
172	static char name[40];
173	int tmpfd;
174	OM_uint32 maj_status,min_status;
81d08144	175	gss_cred_id_t krb5_cred_handle;
f4b9ce42	176
	177	if (client->creds==NULL) {
	178	debug("No credentials stored");
	179	return;
	180	}
	181
	182	if (ssh_gssapi_krb5_init() == 0)
	183	return;
	184
	185	if (options.gss_use_session_ccache) {
	186	snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d_XXXXXX",geteuid());
	187
	188	if ((tmpfd = mkstemp(ccname))==-1) {
	189	log("mkstemp(): %.100s", strerror(errno));
	190	return;
	191	}
	192	if (fchmod(tmpfd, S_IRUSR \| S_IWUSR) == -1) {
	193	log("fchmod(): %.100s", strerror(errno));
	194	close(tmpfd);
	195	return;
	196	}
	197	} else {
	198	snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d",geteuid());
	199	tmpfd = open(ccname, O_TRUNC \| O_CREAT, S_IRUSR \| S_IWUSR);
	200	if (tmpfd == -1) {
	201	log("open(): %.100s", strerror(errno));
	202	return;
	203	}
	204	}
	205
	206	close(tmpfd);
	207	snprintf(name, sizeof(name), "FILE:%s",ccname);
	208
	209	if ((problem = krb5_cc_resolve(krb_context, name, &ccache))) {
	210	log("krb5_cc_default(): %.100s",
	211	krb5_get_err_text(krb_context,problem));
	212	return;
	213	}
	214
	215	if ((problem = krb5_parse_name(krb_context, client->name.value,
	216	&princ))) {
	217	log("krb5_parse_name(): %.100s",
	218	krb5_get_err_text(krb_context,problem));
	219	krb5_cc_destroy(krb_context,ccache);
	220	return;
	221	}
	222
	223	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
	224	log("krb5_cc_initialize(): %.100s",
	225	krb5_get_err_text(krb_context,problem));
	226	krb5_free_principal(krb_context,princ);
	227	krb5_cc_destroy(krb_context,ccache);
	228	return;
	229	}
	230
	231	krb5_free_principal(krb_context,princ);
	232
81d08144	233	#ifdef MECHGLUE
	234	krb5_cred_handle =
	235	__gss_get_mechanism_cred(client->creds,
	236	&(gssapi_kerberos_mech.oid));
	237	#else
	238	krb5_cred_handle = gssapi_client_creds;
	239	#endif
	240
f4b9ce42	241	if ((maj_status = gss_krb5_copy_ccache(&min_status,
	242	client->creds,
	243	ccache))) {
	244	log("gss_krb5_copy_ccache() failed");
	245	krb5_cc_destroy(krb_context,ccache);
	246	return;
	247	}
f4b9ce42	248
	249	krb5_cc_close(krb_context,ccache);
	250
	251	#ifdef USE_PAM
	252	do_pam_putenv("KRB5CCNAME",name);
	253	#endif
	254
	255	client->store.filename=strdup(ccname);
	256	client->store.envvar="KRB5CCNAME";
	257	client->store.envval=strdup(name);
	258
	259	return;
	260	}
	261
f4b9ce42	262	#endif /* KRB5 */
	263
	264	#endif /* GSSAPI */