[gssapi-openssh.git] / openssh / auth2-gss.c

/*
 * Copyright (c) 2001,2002 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef GSSAPI
#include "auth.h"
#include "ssh2.h"
#include "ssh1.h"
#include "xmalloc.h"
#include "log.h"
#include "dispatch.h"
#include "servconf.h"
#include "compat.h"
#include "packet.h"
#include "monitor_wrap.h"

#include "ssh-gss.h"

extern ServerOptions options;
extern unsigned char ssh1_key_digest[16];

static int
userauth_external(Authctxt *authctxt)
{
        packet_check_eom();

        return(PRIVSEP(ssh_gssapi_userok(authctxt->user)));
}

static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

/* We only support those mechanisms that we know about (ie ones that we know
 * how to check local user kuserok and the like
 */
static int
userauth_gssapi(Authctxt *authctxt)
{
        gss_OID_desc    oid= {0,NULL};
        Gssctxt         *ctxt = NULL;
        int             mechs;
        gss_OID_set     supported;
        int             present;
        OM_uint32       ms;
        u_int           len;
        
        if (!authctxt->valid || authctxt->user == NULL)
                return 0;
                
        if (datafellows & SSH_OLD_GSSAPI) {
                debug("Early drafts of GSSAPI userauth not supported");
                return 0;
        }
        
        mechs=packet_get_int();
        if (mechs==0) {
                debug("Mechanism negotiation is not supported");
                return 0;
        }

        ssh_gssapi_supported_oids(&supported);
        do {
                if (oid.elements)
                        xfree(oid.elements);
                oid.elements = packet_get_string(&len);
                oid.length = len;
                gss_test_oid_set_member(&ms, &oid, supported, &present);
                mechs--;
        } while (mechs>0 && !present);
        
        if (!present) {
                xfree(oid.elements);
                return(0);
        }
                
	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt,&oid))))
		return(0);
	
        authctxt->methoddata=(void *)ctxt;

        /* Send SSH_MSG_USERAUTH_GSSAPI_RESPONSE */

	if (!compat20)
        packet_start(SSH_SMSG_AUTH_GSSAPI_RESPONSE);
	else
	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
        packet_put_string(oid.elements,oid.length);
        packet_send();
        packet_write_wait();
        xfree(oid.elements);

 	if (!compat20)
 	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN,
 				&input_gssapi_token);
 	else
	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, 
		     &input_gssapi_token);
        authctxt->postponed = 1;
        
        return 0;
}

static void
input_gssapi_token(int type, u_int32_t plen, void *ctxt)
{
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        gss_buffer_desc send_tok,recv_tok;
        OM_uint32 maj_status, min_status;
	int len;
        
        if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
                fatal("No authentication or GSSAPI context");
                
        gssctxt=authctxt->methoddata;
        recv_tok.value=packet_get_string(&len);
	recv_tok.length=len; /* int vs. size_t */
        
        maj_status=PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 
        					 &send_tok, NULL));
        packet_check_eom();
        
        if (GSS_ERROR(maj_status)) {
                /* Failure <sniff> */
		ssh_gssapi_send_error(gssctxt->oid,maj_status,min_status);
                authctxt->postponed = 0;
		dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
                userauth_finish(authctxt, 0, "gssapi");
        }
                        
        if (send_tok.length != 0) {
                /* Send a packet back to the client */
		if (!compat20)
		packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN);
		else
	        packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
                packet_put_string(send_tok.value,send_tok.length);
                packet_send();
                packet_write_wait();
                gss_release_buffer(&min_status, &send_tok);        
        }
        
        if (maj_status == GSS_S_COMPLETE) {
		dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
                dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,NULL);
		/* ssh1 does not have an extra message here */
		if (!compat20)
		input_gssapi_exchange_complete(0, 0, ctxt);
		else
  		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
  			     &input_gssapi_exchange_complete);
        }
}

/* This is called when the client thinks we've completed authentication.
 * It should only be enabled in the dispatch handler by the function above,
 * which only enables it once the GSSAPI exchange is complete.
 */
 
static void
input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
{
        Authctxt *authctxt = ctxt;
        Gssctxt *gssctxt;
        int authenticated;
        
	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
                fatal("No authentication or GSSAPI context");
                
	if ((strcmp(authctxt->user, "") == 0) && (authctxt->pw == NULL)) {
	    char *lname = NULL;
	    PRIVSEP(ssh_gssapi_localname(&lname));
	    if (lname && lname[0] != '\0') {
		xfree(authctxt->user);
		authctxt->user = lname;
		debug("set username to %s from gssapi context", lname);
		authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
	    } else {
		debug("failed to set username from gssapi context");
	    }
	}
	if (authctxt->pw) {
#ifdef USE_PAM
	    PRIVSEP(start_pam(authctxt->pw->pw_name));
#endif
	} else {
	    authctxt->valid = 0;
	    authenticated = 0;
	    goto finish;
	}

        gssctxt=authctxt->methoddata;

	/* ssh1 needs to exchange the hash of the keys */
	if (!compat20) {

		OM_uint32 min_status;
		gss_buffer_desc dummy, msg_tok;

		/* ssh1 wraps the keys, in the monitor */

		dummy.value=malloc(sizeof(ssh1_key_digest));
		memcpy(dummy.value,ssh1_key_digest,sizeof(ssh1_key_digest));
		dummy.length=sizeof(ssh1_key_digest);
		if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(gssctxt,&dummy,&msg_tok))))
		    fatal("Couldn't wrap keys");
 
		packet_start(SSH_SMSG_AUTH_GSSAPI_HASH);
		packet_put_string((char *)msg_tok.value,msg_tok.length);
		packet_send();
		packet_write_wait();
		gss_release_buffer(&min_status,&msg_tok);
	}

  
	/* We don't need to check the status, because the stored credentials
	 * which userok uses are only populated once the context init step
	 * has returned complete.
	 */

        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

finish:
        authctxt->postponed = 0;
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
        userauth_finish(authctxt, authenticated, "gssapi");
}

Authmethod method_external = {
	"external-keyx",
	userauth_external,
	&options.gss_authentication
};
	
Authmethod method_gssapi = {
        "gssapi",
        userauth_gssapi,
        &options.gss_authentication
};

#endif /* GSSAPI */
Commit	Line	Data
b59afbfe	1	/*
	2	* Copyright (c) 2001,2002 Simon Wilkinson. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
	24
	25	#include "includes.h"
	26
	27	#ifdef GSSAPI
	28	#include "auth.h"
	29	#include "ssh2.h"
	30	#include "ssh1.h"
	31	#include "xmalloc.h"
	32	#include "log.h"
	33	#include "dispatch.h"
	34	#include "servconf.h"
	35	#include "compat.h"
	36	#include "packet.h"
	37	#include "monitor_wrap.h"
	38
	39	#include "ssh-gss.h"
	40
	41	extern ServerOptions options;
	42	extern unsigned char ssh1_key_digest[16];
	43
	44	static int
	45	userauth_external(Authctxt *authctxt)
	46	{
	47	packet_check_eom();
	48
	49	return(PRIVSEP(ssh_gssapi_userok(authctxt->user)));
	50	}
	51
	52	static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
	53	static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
	54
	55	/* We only support those mechanisms that we know about (ie ones that we know
	56	* how to check local user kuserok and the like
	57	*/
	58	static int
	59	userauth_gssapi(Authctxt *authctxt)
	60	{
	61	gss_OID_desc oid= {0,NULL};
	62	Gssctxt *ctxt = NULL;
	63	int mechs;
	64	gss_OID_set supported;
65	int present;
66	OM_uint32 ms;
67	u_int len;
68
69	if (!authctxt->valid \|\| authctxt->user == NULL)
70	return 0;
71
72	if (datafellows & SSH_OLD_GSSAPI) {
73	debug("Early drafts of GSSAPI userauth not supported");
74	return 0;
75	}
76
77	mechs=packet_get_int();
78	if (mechs==0) {
79	debug("Mechanism negotiation is not supported");
80	return 0;
81	}
82
83	ssh_gssapi_supported_oids(&supported);
84	do {
85	if (oid.elements)
86	xfree(oid.elements);
87	oid.elements = packet_get_string(&len);
88	oid.length = len;
89	gss_test_oid_set_member(&ms, &oid, supported, &present);
90	mechs--;
91	} while (mechs>0 && !present);
92
93	if (!present) {
94	xfree(oid.elements);
95	return(0);
96	}
97
98	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt,&oid))))
99	return(0);
100
101	authctxt->methoddata=(void *)ctxt;
102
103	/* Send SSH_MSG_USERAUTH_GSSAPI_RESPONSE */
104
105	if (!compat20)
106	packet_start(SSH_SMSG_AUTH_GSSAPI_RESPONSE);
107	else
108	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
109	packet_put_string(oid.elements,oid.length);
110	packet_send();
111	packet_write_wait();
112	xfree(oid.elements);
113
114	if (!compat20)
115	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN,
116	&input_gssapi_token);
117	else
118	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,
119	&input_gssapi_token);
120	authctxt->postponed = 1;
121
122	return 0;
123	}
124
125	static void
126	input_gssapi_token(int type, u_int32_t plen, void *ctxt)
127	{
128	Authctxt *authctxt = ctxt;
129	Gssctxt *gssctxt;
130	gss_buffer_desc send_tok,recv_tok;
131	OM_uint32 maj_status, min_status;
007914b3	132	int len;
b59afbfe	133
	134	if (authctxt == NULL \|\| (authctxt->methoddata == NULL && !use_privsep))
	135	fatal("No authentication or GSSAPI context");
	136
	137	gssctxt=authctxt->methoddata;
007914b3	138	recv_tok.value=packet_get_string(&len);
007914b3	139	recv_tok.length=len; /* int vs. size_t */
b59afbfe	140
	141	maj_status=PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
	142	&send_tok, NULL));
	143	packet_check_eom();
	144
	145	if (GSS_ERROR(maj_status)) {
	146	/* Failure <sniff> */
5fa63bdc	147	ssh_gssapi_send_error(gssctxt->oid,maj_status,min_status);
b59afbfe	148	authctxt->postponed = 0;
	149	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
	150	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	151	userauth_finish(authctxt, 0, "gssapi");
	152	}
	153
	154	if (send_tok.length != 0) {
	155	/* Send a packet back to the client */
	156	if (!compat20)
	157	packet_start(SSH_MSG_AUTH_GSSAPI_TOKEN);
	158	else
	159	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
	160	packet_put_string(send_tok.value,send_tok.length);
	161	packet_send();
	162	packet_write_wait();
	163	gss_release_buffer(&min_status, &send_tok);
	164	}
	165
	166	if (maj_status == GSS_S_COMPLETE) {
	167	dispatch_set(SSH_MSG_AUTH_GSSAPI_TOKEN, NULL);
	168	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN,NULL);
	169	/* ssh1 does not have an extra message here */
	170	if (!compat20)
	171	input_gssapi_exchange_complete(0, 0, ctxt);
	172	else
	173	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
	174	&input_gssapi_exchange_complete);
	175	}
	176	}
	177
	178	/* This is called when the client thinks we've completed authentication.
	179	* It should only be enabled in the dispatch handler by the function above,
	180	* which only enables it once the GSSAPI exchange is complete.
	181	*/
	182
	183	static void
	184	input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
	185	{
	186	Authctxt *authctxt = ctxt;
	187	Gssctxt *gssctxt;
	188	int authenticated;
	189
	190	if (authctxt == NULL \|\| (authctxt->methoddata == NULL && !use_privsep))
	191	fatal("No authentication or GSSAPI context");
	192
d13dfff4	193	if ((strcmp(authctxt->user, "") == 0) && (authctxt->pw == NULL)) {
	194	char *lname = NULL;
	195	PRIVSEP(ssh_gssapi_localname(&lname));
	196	if (lname && lname[0] != '\0') {
	197	xfree(authctxt->user);
	198	authctxt->user = lname;
	199	debug("set username to %s from gssapi context", lname);
	200	authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
	201	} else {
	202	debug("failed to set username from gssapi context");
	203	}
	204	}
	205	if (authctxt->pw) {
	206	#ifdef USE_PAM
	207	PRIVSEP(start_pam(authctxt->pw->pw_name));
	208	#endif
	209	} else {
	210	authctxt->valid = 0;
	211	authenticated = 0;
	212	goto finish;
	213	}
	214
b59afbfe	215	gssctxt=authctxt->methoddata;
	216
	217	/* ssh1 needs to exchange the hash of the keys */
	218	if (!compat20) {
	219
	220	OM_uint32 min_status;
	221	gss_buffer_desc dummy, msg_tok;
	222
	223	/* ssh1 wraps the keys, in the monitor */
	224
	225	dummy.value=malloc(sizeof(ssh1_key_digest));
	226	memcpy(dummy.value,ssh1_key_digest,sizeof(ssh1_key_digest));
	227	dummy.length=sizeof(ssh1_key_digest);
	228	if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(gssctxt,&dummy,&msg_tok))))
	229	fatal("Couldn't wrap keys");
	230
	231	packet_start(SSH_SMSG_AUTH_GSSAPI_HASH);
	232	packet_put_string((char *)msg_tok.value,msg_tok.length);
	233	packet_send();
	234	packet_write_wait();
	235	gss_release_buffer(&min_status,&msg_tok);
	236	}
	237
	238
	239	/* We don't need to check the status, because the stored credentials
	240	* which userok uses are only populated once the context init step
	241	* has returned complete.
	242	*/
	243
	244	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
	245
d13dfff4	246	finish:
b59afbfe	247	authctxt->postponed = 0;
	248	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
	249	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
	250	userauth_finish(authctxt, authenticated, "gssapi");
	251	}
	252
	253	Authmethod method_external = {
	254	"external-keyx",
	255	userauth_external,
	256	&options.gss_authentication
	257	};
	258
	259	Authmethod method_gssapi = {
	260	"gssapi",
	261	userauth_gssapi,
	262	&options.gss_authentication
	263	};
	264
	265	#endif /* GSSAPI */