]>
Commit | Line | Data |
---|---|---|
f4b9ce42 | 1 | /* |
2 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | |
3 | * | |
4 | * Redistribution and use in source and binary forms, with or without | |
5 | * modification, are permitted provided that the following conditions | |
6 | * are met: | |
7 | * 1. Redistributions of source code must retain the above copyright | |
8 | * notice, this list of conditions and the following disclaimer. | |
9 | * 2. Redistributions in binary form must reproduce the above copyright | |
10 | * notice, this list of conditions and the following disclaimer in the | |
11 | * documentation and/or other materials provided with the distribution. | |
12 | * | |
13 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | |
14 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
15 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
16 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
17 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
18 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
19 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
20 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
23 | */ | |
24 | ||
25 | #include "includes.h" | |
26 | ||
27 | #ifdef GSSAPI | |
28 | #ifdef KRB5 | |
29 | ||
30 | #include "auth.h" | |
31 | #include "auth-pam.h" | |
32 | #include "xmalloc.h" | |
33 | #include "log.h" | |
34 | #include "servconf.h" | |
35 | ||
36 | #include "ssh-gss.h" | |
37 | ||
38 | extern ServerOptions options; | |
39 | ||
40 | #ifdef HEIMDAL | |
41 | #include <krb5.h> | |
42 | #else | |
43 | #include <gssapi_krb5.h> | |
44 | #define krb5_get_err_text(context,code) error_message(code) | |
45 | #endif | |
46 | ||
81d08144 | 47 | static int ssh_gssapi_krb5_init(); |
48 | static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name); | |
49 | static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user); | |
50 | static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client); | |
51 | ||
f4b9ce42 | 52 | static krb5_context krb_context = NULL; |
53 | ||
81d08144 | 54 | /* We've been using a wrongly encoded mechanism ID for yonks */ |
55 | ||
56 | ssh_gssapi_mech gssapi_kerberos_mech_old = { | |
57 | "Se3H81ismmOC3OE+FwYCiQ==", | |
58 | "Kerberos", | |
59 | {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, | |
60 | &ssh_gssapi_krb5_init, | |
61 | &ssh_gssapi_krb5_userok, | |
62 | &ssh_gssapi_krb5_localname, | |
63 | &ssh_gssapi_krb5_storecreds | |
64 | }; | |
65 | ||
66 | ssh_gssapi_mech gssapi_kerberos_mech = { | |
67 | "toWM5Slw5Ew8Mqkay+al2g==", | |
68 | "Kerberos", | |
69 | {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, | |
70 | NULL, | |
71 | &ssh_gssapi_krb5_userok, | |
72 | &ssh_gssapi_krb5_localname, | |
73 | &ssh_gssapi_krb5_storecreds | |
74 | }; | |
75 | ||
f4b9ce42 | 76 | /* Initialise the krb5 library, so we can use it for those bits that |
77 | * GSSAPI won't do */ | |
78 | ||
79 | static int | |
80 | ssh_gssapi_krb5_init() { | |
81 | krb5_error_code problem; | |
82 | ||
83 | if (krb_context !=NULL) | |
84 | return 1; | |
85 | ||
86 | problem = krb5_init_context(&krb_context); | |
87 | if (problem) { | |
88 | log("Cannot initialize krb5 context"); | |
89 | return 0; | |
90 | } | |
91 | krb5_init_ets(krb_context); | |
92 | ||
93 | return 1; | |
94 | } | |
95 | ||
96 | /* Check if this user is OK to login. This only works with krb5 - other | |
97 | * GSSAPI mechanisms will need their own. | |
98 | * Returns true if the user is OK to log in, otherwise returns 0 | |
99 | */ | |
100 | ||
101 | static int | |
102 | ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) { | |
103 | krb5_principal princ; | |
104 | int retval; | |
105 | ||
106 | if (ssh_gssapi_krb5_init() == 0) | |
107 | return 0; | |
108 | ||
109 | if ((retval=krb5_parse_name(krb_context, client->name.value, | |
110 | &princ))) { | |
111 | log("krb5_parse_name(): %.100s", | |
112 | krb5_get_err_text(krb_context,retval)); | |
113 | return 0; | |
114 | } | |
115 | if (krb5_kuserok(krb_context, princ, name)) { | |
116 | retval = 1; | |
117 | log("Authorized to %s, krb5 principal %s (krb5_kuserok)",name, | |
118 | (char *)client->name.value); | |
119 | } | |
120 | else | |
121 | retval = 0; | |
122 | ||
123 | krb5_free_principal(krb_context, princ); | |
124 | return retval; | |
125 | } | |
126 | ||
127 | /* Retrieve the local username associated with a set of Kerberos | |
128 | * credentials. Hopefully we can use this for the 'empty' username | |
129 | * logins discussed in the draft */ | |
130 | static int | |
131 | ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) { | |
132 | krb5_principal princ; | |
133 | int retval; | |
134 | ||
135 | if (ssh_gssapi_krb5_init() == 0) | |
136 | return 0; | |
137 | ||
138 | if ((retval=krb5_parse_name(krb_context, client->name.value, | |
139 | &princ))) { | |
140 | log("krb5_parse_name(): %.100s", | |
141 | krb5_get_err_text(krb_context,retval)); | |
142 | return 0; | |
143 | } | |
144 | ||
145 | /* We've got to return a malloc'd string */ | |
146 | *user = (char *)xmalloc(256); | |
147 | if (krb5_aname_to_localname(krb_context, princ, 256, *user)) { | |
148 | xfree(*user); | |
149 | *user = NULL; | |
150 | return(0); | |
151 | } | |
152 | ||
153 | return(1); | |
154 | } | |
155 | ||
156 | /* Make sure that this is called _after_ we've setuid to the user */ | |
157 | ||
158 | /* This writes out any forwarded credentials. Its specific to the Kerberos | |
159 | * GSSAPI mechanism | |
160 | * | |
161 | * We assume that our caller has made sure that the user has selected | |
162 | * delegated credentials, and that the client_creds structure is correctly | |
163 | * populated. | |
164 | */ | |
165 | ||
166 | static void | |
167 | ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) { | |
168 | krb5_ccache ccache; | |
169 | krb5_error_code problem; | |
170 | krb5_principal princ; | |
171 | char ccname[35]; | |
172 | static char name[40]; | |
173 | int tmpfd; | |
174 | OM_uint32 maj_status,min_status; | |
81d08144 | 175 | gss_cred_id_t krb5_cred_handle; |
f4b9ce42 | 176 | |
177 | if (client->creds==NULL) { | |
178 | debug("No credentials stored"); | |
179 | return; | |
180 | } | |
181 | ||
182 | if (ssh_gssapi_krb5_init() == 0) | |
183 | return; | |
184 | ||
185 | if (options.gss_use_session_ccache) { | |
186 | snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d_XXXXXX",geteuid()); | |
187 | ||
188 | if ((tmpfd = mkstemp(ccname))==-1) { | |
189 | log("mkstemp(): %.100s", strerror(errno)); | |
190 | return; | |
191 | } | |
192 | if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) { | |
193 | log("fchmod(): %.100s", strerror(errno)); | |
194 | close(tmpfd); | |
195 | return; | |
196 | } | |
197 | } else { | |
198 | snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d",geteuid()); | |
199 | tmpfd = open(ccname, O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); | |
200 | if (tmpfd == -1) { | |
201 | log("open(): %.100s", strerror(errno)); | |
202 | return; | |
203 | } | |
204 | } | |
205 | ||
206 | close(tmpfd); | |
207 | snprintf(name, sizeof(name), "FILE:%s",ccname); | |
208 | ||
209 | if ((problem = krb5_cc_resolve(krb_context, name, &ccache))) { | |
210 | log("krb5_cc_default(): %.100s", | |
211 | krb5_get_err_text(krb_context,problem)); | |
212 | return; | |
213 | } | |
214 | ||
215 | if ((problem = krb5_parse_name(krb_context, client->name.value, | |
216 | &princ))) { | |
217 | log("krb5_parse_name(): %.100s", | |
218 | krb5_get_err_text(krb_context,problem)); | |
219 | krb5_cc_destroy(krb_context,ccache); | |
220 | return; | |
221 | } | |
222 | ||
223 | if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { | |
224 | log("krb5_cc_initialize(): %.100s", | |
225 | krb5_get_err_text(krb_context,problem)); | |
226 | krb5_free_principal(krb_context,princ); | |
227 | krb5_cc_destroy(krb_context,ccache); | |
228 | return; | |
229 | } | |
230 | ||
231 | krb5_free_principal(krb_context,princ); | |
232 | ||
81d08144 | 233 | #ifdef MECHGLUE |
234 | krb5_cred_handle = | |
235 | __gss_get_mechanism_cred(client->creds, | |
236 | &(gssapi_kerberos_mech.oid)); | |
237 | #else | |
238 | krb5_cred_handle = gssapi_client_creds; | |
239 | #endif | |
240 | ||
f4b9ce42 | 241 | if ((maj_status = gss_krb5_copy_ccache(&min_status, |
242 | client->creds, | |
243 | ccache))) { | |
244 | log("gss_krb5_copy_ccache() failed"); | |
245 | krb5_cc_destroy(krb_context,ccache); | |
246 | return; | |
247 | } | |
f4b9ce42 | 248 | |
249 | krb5_cc_close(krb_context,ccache); | |
250 | ||
251 | #ifdef USE_PAM | |
252 | do_pam_putenv("KRB5CCNAME",name); | |
253 | #endif | |
254 | ||
255 | client->store.filename=strdup(ccname); | |
256 | client->store.envvar="KRB5CCNAME"; | |
257 | client->store.envval=strdup(name); | |
258 | ||
259 | return; | |
260 | } | |
261 | ||
f4b9ce42 | 262 | #endif /* KRB5 */ |
263 | ||
264 | #endif /* GSSAPI */ |