]>
Commit | Line | Data |
---|---|---|
30460aeb | 1 | /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ |
7cac2b65 | 2 | |
f4b9ce42 | 3 | /* |
f97edba6 | 4 | * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. |
f4b9ce42 | 5 | * |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * | |
15 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | |
16 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
17 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
18 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
19 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
20 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
25 | */ | |
26 | ||
27 | #include "includes.h" | |
28 | ||
29 | #ifdef GSSAPI | |
30 | #ifdef KRB5 | |
31 | ||
30460aeb | 32 | #include <sys/types.h> |
33 | ||
34 | #include <stdarg.h> | |
35 | #include <string.h> | |
36 | ||
f4b9ce42 | 37 | #include "xmalloc.h" |
30460aeb | 38 | #include "key.h" |
39 | #include "hostfile.h" | |
40 | #include "auth.h" | |
f4b9ce42 | 41 | #include "log.h" |
42 | #include "servconf.h" | |
43 | ||
30460aeb | 44 | #include "buffer.h" |
f4b9ce42 | 45 | #include "ssh-gss.h" |
46 | ||
47 | extern ServerOptions options; | |
48 | ||
49 | #ifdef HEIMDAL | |
540d72c3 | 50 | # include <krb5.h> |
48a25c13 | 51 | #elif !defined(MECHGLUE) |
fe4ad273 | 52 | # ifdef HAVE_GSSAPI_KRB5_H |
540d72c3 | 53 | # include <gssapi_krb5.h> |
fe4ad273 | 54 | # elif HAVE_GSSAPI_GSSAPI_KRB5_H |
540d72c3 | 55 | # include <gssapi/gssapi_krb5.h> |
56 | # endif | |
f4b9ce42 | 57 | #endif |
58 | ||
59 | static krb5_context krb_context = NULL; | |
83059c7b | 60 | static int ssh_gssapi_krb5_init(); |
61 | static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name); | |
62 | static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user); | |
63 | static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client); | |
fe53310b | 64 | static int ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, |
65 | ssh_gssapi_client *client); | |
83059c7b | 66 | |
67 | ssh_gssapi_mech gssapi_kerberos_mech = { | |
68 | "toWM5Slw5Ew8Mqkay+al2g==", | |
69 | "Kerberos", | |
70 | {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"}, | |
71 | NULL, | |
72 | &ssh_gssapi_krb5_userok, | |
73 | &ssh_gssapi_krb5_localname, | |
c7931c9a | 74 | &ssh_gssapi_krb5_storecreds, |
75 | &ssh_gssapi_krb5_updatecreds | |
83059c7b | 76 | }; |
77 | ||
7cac2b65 | 78 | /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ |
f4b9ce42 | 79 | |
540d72c3 | 80 | static int |
7e82606e | 81 | ssh_gssapi_krb5_init(void) |
7cac2b65 | 82 | { |
f4b9ce42 | 83 | krb5_error_code problem; |
7cac2b65 | 84 | |
85 | if (krb_context != NULL) | |
f4b9ce42 | 86 | return 1; |
7cac2b65 | 87 | |
f4b9ce42 | 88 | problem = krb5_init_context(&krb_context); |
89 | if (problem) { | |
7cac2b65 | 90 | logit("Cannot initialize krb5 context"); |
f4b9ce42 | 91 | return 0; |
92 | } | |
f4b9ce42 | 93 | |
7cac2b65 | 94 | return 1; |
95 | } | |
f4b9ce42 | 96 | |
7cac2b65 | 97 | /* Check if this user is OK to login. This only works with krb5 - other |
f4b9ce42 | 98 | * GSSAPI mechanisms will need their own. |
99 | * Returns true if the user is OK to log in, otherwise returns 0 | |
100 | */ | |
101 | ||
102 | static int | |
7cac2b65 | 103 | ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) |
104 | { | |
f4b9ce42 | 105 | krb5_principal princ; |
106 | int retval; | |
107 | ||
108 | if (ssh_gssapi_krb5_init() == 0) | |
109 | return 0; | |
7cac2b65 | 110 | |
111 | if ((retval = krb5_parse_name(krb_context, client->exportedname.value, | |
112 | &princ))) { | |
113 | logit("krb5_parse_name(): %.100s", | |
114 | krb5_get_err_text(krb_context, retval)); | |
f4b9ce42 | 115 | return 0; |
116 | } | |
117 | if (krb5_kuserok(krb_context, princ, name)) { | |
118 | retval = 1; | |
7cac2b65 | 119 | logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", |
120 | name, (char *)client->displayname.value); | |
121 | } else | |
f4b9ce42 | 122 | retval = 0; |
7cac2b65 | 123 | |
f4b9ce42 | 124 | krb5_free_principal(krb_context, princ); |
125 | return retval; | |
126 | } | |
127 | ||
7cac2b65 | 128 | |
f4b9ce42 | 129 | /* Retrieve the local username associated with a set of Kerberos |
130 | * credentials. Hopefully we can use this for the 'empty' username | |
131 | * logins discussed in the draft */ | |
132 | static int | |
133 | ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) { | |
134 | krb5_principal princ; | |
135 | int retval; | |
136 | ||
137 | if (ssh_gssapi_krb5_init() == 0) | |
138 | return 0; | |
139 | ||
7cac2b65 | 140 | if ((retval=krb5_parse_name(krb_context, client->displayname.value, |
f4b9ce42 | 141 | &princ))) { |
7cac2b65 | 142 | logit("krb5_parse_name(): %.100s", |
f4b9ce42 | 143 | krb5_get_err_text(krb_context,retval)); |
144 | return 0; | |
145 | } | |
146 | ||
147 | /* We've got to return a malloc'd string */ | |
148 | *user = (char *)xmalloc(256); | |
149 | if (krb5_aname_to_localname(krb_context, princ, 256, *user)) { | |
150 | xfree(*user); | |
151 | *user = NULL; | |
152 | return(0); | |
153 | } | |
154 | ||
155 | return(1); | |
156 | } | |
157 | ||
7cac2b65 | 158 | /* This writes out any forwarded credentials from the structure populated |
159 | * during userauth. Called after we have setuid to the user */ | |
f4b9ce42 | 160 | |
161 | static void | |
7cac2b65 | 162 | ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
163 | { | |
f4b9ce42 | 164 | krb5_ccache ccache; |
165 | krb5_error_code problem; | |
166 | krb5_principal princ; | |
7cac2b65 | 167 | OM_uint32 maj_status, min_status; |
81d08144 | 168 | gss_cred_id_t krb5_cred_handle; |
540d72c3 | 169 | int len; |
0b90ac93 | 170 | const char *new_ccname; |
7cac2b65 | 171 | |
172 | if (client->creds == NULL) { | |
173 | debug("No credentials stored"); | |
f4b9ce42 | 174 | return; |
175 | } | |
7cac2b65 | 176 | |
f4b9ce42 | 177 | if (ssh_gssapi_krb5_init() == 0) |
178 | return; | |
179 | ||
7cac2b65 | 180 | #ifdef HEIMDAL |
181 | if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) { | |
182 | logit("krb5_cc_gen_new(): %.100s", | |
183 | krb5_get_err_text(krb_context, problem)); | |
f4b9ce42 | 184 | return; |
185 | } | |
7cac2b65 | 186 | #else |
2ce0bfe4 | 187 | if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) { |
188 | logit("ssh_krb5_cc_gen(): %.100s", | |
189 | krb5_get_err_text(krb_context, problem)); | |
190 | return; | |
7cac2b65 | 191 | } |
192 | #endif /* #ifdef HEIMDAL */ | |
193 | ||
540d72c3 | 194 | if ((problem = krb5_parse_name(krb_context, |
7cac2b65 | 195 | client->exportedname.value, &princ))) { |
196 | logit("krb5_parse_name(): %.100s", | |
197 | krb5_get_err_text(krb_context, problem)); | |
198 | krb5_cc_destroy(krb_context, ccache); | |
199 | return; | |
200 | } | |
201 | ||
f4b9ce42 | 202 | if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) { |
7cac2b65 | 203 | logit("krb5_cc_initialize(): %.100s", |
204 | krb5_get_err_text(krb_context, problem)); | |
205 | krb5_free_principal(krb_context, princ); | |
206 | krb5_cc_destroy(krb_context, ccache); | |
f4b9ce42 | 207 | return; |
208 | } | |
7cac2b65 | 209 | |
210 | krb5_free_principal(krb_context, princ); | |
f4b9ce42 | 211 | |
81d08144 | 212 | #ifdef MECHGLUE |
213 | krb5_cred_handle = | |
214 | __gss_get_mechanism_cred(client->creds, | |
215 | &(gssapi_kerberos_mech.oid)); | |
216 | #else | |
2af4b8d5 | 217 | krb5_cred_handle = client->creds; |
81d08144 | 218 | #endif |
219 | ||
f4b9ce42 | 220 | if ((maj_status = gss_krb5_copy_ccache(&min_status, |
7cac2b65 | 221 | krb5_cred_handle, ccache))) { |
222 | logit("gss_krb5_copy_ccache() failed"); | |
223 | krb5_cc_destroy(krb_context, ccache); | |
f4b9ce42 | 224 | return; |
225 | } | |
7cac2b65 | 226 | |
f713db99 | 227 | new_ccname = krb5_cc_get_name(krb_context, ccache); |
228 | ||
7cac2b65 | 229 | client->store.envvar = "KRB5CCNAME"; |
f713db99 | 230 | #ifdef USE_CCAPI |
231 | xasprintf(&client->store.envval, "API:%s", new_ccname); | |
232 | client->store.filename = NULL; | |
233 | #else | |
234 | xasprintf(&client->store.envval, "FILE:%s", new_ccname); | |
235 | client->store.filename = xstrdup(new_ccname); | |
236 | #endif | |
f4b9ce42 | 237 | |
238 | #ifdef USE_PAM | |
7cac2b65 | 239 | if (options.use_pam) |
540d72c3 | 240 | do_pam_putenv(client->store.envvar, client->store.envval); |
f4b9ce42 | 241 | #endif |
242 | ||
7cac2b65 | 243 | krb5_cc_close(krb_context, ccache); |
f4b9ce42 | 244 | |
245 | return; | |
246 | } | |
247 | ||
fe53310b | 248 | static int |
f97edba6 | 249 | ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, |
250 | ssh_gssapi_client *client) | |
251 | { | |
252 | krb5_ccache ccache = NULL; | |
253 | krb5_principal principal = NULL; | |
254 | char *name = NULL; | |
255 | krb5_error_code problem; | |
256 | OM_uint32 maj_status, min_status; | |
257 | ||
258 | if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { | |
259 | logit("krb5_cc_resolve(): %.100s", | |
260 | krb5_get_err_text(krb_context, problem)); | |
261 | return 0; | |
262 | } | |
263 | ||
264 | /* Find out who the principal in this cache is */ | |
265 | if ((problem = krb5_cc_get_principal(krb_context, ccache, | |
266 | &principal))) { | |
267 | logit("krb5_cc_get_principal(): %.100s", | |
268 | krb5_get_err_text(krb_context, problem)); | |
269 | krb5_cc_close(krb_context, ccache); | |
270 | return 0; | |
271 | } | |
272 | ||
273 | if ((problem = krb5_unparse_name(krb_context, principal, &name))) { | |
274 | logit("krb5_unparse_name(): %.100s", | |
275 | krb5_get_err_text(krb_context, problem)); | |
276 | krb5_free_principal(krb_context, principal); | |
277 | krb5_cc_close(krb_context, ccache); | |
278 | return 0; | |
279 | } | |
280 | ||
281 | ||
282 | if (strcmp(name,client->exportedname.value)!=0) { | |
283 | debug("Name in local credentials cache differs. Not storing"); | |
284 | krb5_free_principal(krb_context, principal); | |
285 | krb5_cc_close(krb_context, ccache); | |
286 | krb5_free_unparsed_name(krb_context, name); | |
287 | return 0; | |
288 | } | |
289 | krb5_free_unparsed_name(krb_context, name); | |
290 | ||
291 | /* Name matches, so lets get on with it! */ | |
292 | ||
293 | if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { | |
294 | logit("krb5_cc_initialize(): %.100s", | |
295 | krb5_get_err_text(krb_context, problem)); | |
296 | krb5_free_principal(krb_context, principal); | |
297 | krb5_cc_close(krb_context, ccache); | |
298 | return 0; | |
299 | } | |
300 | ||
301 | krb5_free_principal(krb_context, principal); | |
302 | ||
303 | if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, | |
304 | ccache))) { | |
305 | logit("gss_krb5_copy_ccache() failed. Sorry!"); | |
306 | krb5_cc_close(krb_context, ccache); | |
307 | return 0; | |
308 | } | |
309 | ||
310 | return 1; | |
311 | } | |
312 | ||
f4b9ce42 | 313 | #endif /* KRB5 */ |
314 | ||
315 | #endif /* GSSAPI */ |