]> andersk Git - gssapi-openssh.git/blame_incremental - openssh/auth2-gss.c
andersk / gssapi-openssh.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
merged OpenSSH 5.3p1 to trunk
[gssapi-openssh.git] / openssh / auth2-gss.c
... / ...
CommitLineData
1/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
2
3/*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#ifdef GSSAPI
30
31#include <sys/types.h>
32
33#include <stdarg.h>
34
35#include "xmalloc.h"
36#include "key.h"
37#include "hostfile.h"
38#include "auth.h"
39#include "ssh2.h"
40#include "log.h"
41#include "dispatch.h"
42#include "buffer.h"
43#include "servconf.h"
44#include "packet.h"
45#include "ssh-gss.h"
46#include "monitor_wrap.h"
47
48extern ServerOptions options;
49
50static void ssh_gssapi_userauth_error(Gssctxt *ctxt);
51static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
52static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
53static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
54static void input_gssapi_errtok(int, u_int32_t, void *);
55
56static int gssapi_with_mic = 1; /* flag to toggle "gssapi-with-mic" vs.
57 "gssapi" */
58
59static int
60userauth_external(Authctxt *authctxt)
61{
62 packet_check_eom();
63
64 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
65 return(PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)));
66 }
67 return 0;
68}
69
70/*
71 * The 'gssapi_keyex' userauth mechanism.
72 */
73static int
74userauth_gsskeyex(Authctxt *authctxt)
75{
76 int authenticated = 0;
77 Buffer b, b2;
78 gss_buffer_desc mic, gssbuf, gssbuf2;
79 u_int len;
80
81 mic.value = packet_get_string(&len);
82 mic.length = len;
83
84 packet_check_eom();
85
86 ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
87 "gssapi-keyex");
88
89 gssbuf.value = buffer_ptr(&b);
90 gssbuf.length = buffer_len(&b);
91
92 /* client may have used empty username to determine target
93 name from GSSAPI context */
94 ssh_gssapi_buildmic(&b2, "", authctxt->service, "gssapi-keyex");
95
96 gssbuf2.value = buffer_ptr(&b2);
97 gssbuf2.length = buffer_len(&b2);
98
99 /* gss_kex_context is NULL with privsep, so we can't check it here */
100 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
101 &gssbuf, &mic))) ||
102 !GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
103 &gssbuf2, &mic)))) {
104 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
105 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
106 authctxt->pw));
107 }
108 }
109
110 buffer_free(&b);
111 buffer_free(&b2);
112 xfree(mic.value);
113
114 return (authenticated);
115}
116
117/*
118 * We only support those mechanisms that we know about (ie ones that we know
119 * how to check local user kuserok and the like)
120 */
121static int
122userauth_gssapi(Authctxt *authctxt)
123{
124 gss_OID_desc goid = {0, NULL};
125 Gssctxt *ctxt = NULL;
126 int mechs;
127 gss_OID_set supported;
128 int present;
129 OM_uint32 ms;
130 u_int len;
131 u_char *doid = NULL;
132
133 /* authctxt->valid may be 0 if we haven't yet determined
134 username from gssapi context. */
135
136 if (authctxt->user == NULL)
137 return (0);
138
139 mechs = packet_get_int();
140 if (mechs == 0) {
141 debug("Mechanism negotiation is not supported");
142 return (0);
143 }
144
145 ssh_gssapi_supported_oids(&supported);
146 do {
147 mechs--;
148
149 if (doid)
150 xfree(doid);
151
152 present = 0;
153 doid = packet_get_string(&len);
154
155 if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
156 doid[1] == len - 2) {
157 goid.elements = doid + 2;
158 goid.length = len - 2;
159 gss_test_oid_set_member(&ms, &goid, supported,
160 &present);
161 } else {
162 logit("Badly formed OID received");
163 }
164 } while (mechs > 0 && !present);
165
166 gss_release_oid_set(&ms, &supported);
167
168 if (!present) {
169 xfree(doid);
170 authctxt->server_caused_failure = 1;
171 return (0);
172 }
173
174 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
175 if (ctxt != NULL)
176 ssh_gssapi_delete_ctx(&ctxt);
177 xfree(doid);
178 authctxt->server_caused_failure = 1;
179 return (0);
180 }
181
182 authctxt->methoddata = (void *)ctxt;
183
184 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
185
186 /* Return the OID that we received */
187 packet_put_string(doid, len);
188
189 packet_send();
190 xfree(doid);
191
192 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
193 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
194 authctxt->postponed = 1;
195
196 return (0);
197}
198
199static void
200input_gssapi_token(int type, u_int32_t plen, void *ctxt)
201{
202 Authctxt *authctxt = ctxt;
203 Gssctxt *gssctxt;
204 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
205 gss_buffer_desc recv_tok;
206 OM_uint32 maj_status, min_status, flags=0;
207 u_int len;
208
209 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
210 fatal("No authentication or GSSAPI context");
211
212 gssctxt = authctxt->methoddata;
213 recv_tok.value = packet_get_string(&len);
214 recv_tok.length = len; /* u_int vs. size_t */
215
216 packet_check_eom();
217
218 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
219 &send_tok, &flags));
220
221 xfree(recv_tok.value);
222
223 if (GSS_ERROR(maj_status)) {
224 ssh_gssapi_userauth_error(gssctxt);
225 if (send_tok.length != 0) {
226 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
227 packet_put_string(send_tok.value, send_tok.length);
228 packet_send();
229 }
230 authctxt->postponed = 0;
231 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
232 userauth_finish(authctxt, 0,
233 gssapi_with_mic ? "gssapi-with-mic" :
234 "gssapi");
235 } else {
236 if (send_tok.length != 0) {
237 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
238 packet_put_string(send_tok.value, send_tok.length);
239 packet_send();
240 }
241 if (maj_status == GSS_S_COMPLETE) {
242 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
243 if (flags & GSS_C_INTEG_FLAG && gssapi_with_mic)
244 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
245 &input_gssapi_mic);
246 else
247 dispatch_set(
248 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
249 &input_gssapi_exchange_complete);
250 }
251 }
252
253 gss_release_buffer(&min_status, &send_tok);
254}
255
256static void
257input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
258{
259 Authctxt *authctxt = ctxt;
260 Gssctxt *gssctxt;
261 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
262 gss_buffer_desc recv_tok;
263 OM_uint32 maj_status;
264 u_int len;
265
266 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
267 fatal("No authentication or GSSAPI context");
268
269 gssctxt = authctxt->methoddata;
270 recv_tok.value = packet_get_string(&len);
271 recv_tok.length = len;
272
273 packet_check_eom();
274
275 /* Push the error token into GSSAPI to see what it says */
276 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
277 &send_tok, NULL));
278
279 xfree(recv_tok.value);
280
281 /* We can't return anything to the client, even if we wanted to */
282 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
283 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
284
285 /* The client will have already moved on to the next auth */
286
287 gss_release_buffer(&maj_status, &send_tok);
288}
289
290static void
291gssapi_set_username(Authctxt *authctxt)
292{
293 char *lname = NULL;
294
295 if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
296 PRIVSEP(ssh_gssapi_localname(&lname));
297 if (lname && lname[0] != '\0') {
298 if (authctxt->user) xfree(authctxt->user);
299 authctxt->user = lname;
300 debug("set username to %s from gssapi context", lname);
301 authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
302 if (authctxt->pw) {
303 authctxt->valid = 1;
304#ifdef USE_PAM
305 if (options.use_pam)
306 PRIVSEP(start_pam(authctxt));
307#endif
308 }
309 } else {
310 debug("failed to set username from gssapi context");
311 packet_send_debug("failed to set username from gssapi context");
312 }
313 }
314}
315
316/*
317 * This is called when the client thinks we've completed authentication.
318 * It should only be enabled in the dispatch handler by the function above,
319 * which only enables it once the GSSAPI exchange is complete.
320 */
321
322static void
323input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
324{
325 Authctxt *authctxt = ctxt;
326 Gssctxt *gssctxt;
327 int authenticated;
328
329 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
330 fatal("No authentication or GSSAPI context");
331
332 gssapi_set_username(authctxt);
333
334 gssctxt = authctxt->methoddata;
335
336 /*
337 * We don't need to check the status, because we're only enabled in
338 * the dispatcher once the exchange is complete
339 */
340
341 packet_check_eom();
342
343 /* user should be set if valid but we double-check here */
344 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
345 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
346 authctxt->pw));
347 } else {
348 authenticated = 0;
349 }
350
351 authctxt->postponed = 0;
352 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
353 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
354 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
355 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
356 userauth_finish(authctxt, authenticated,
357 gssapi_with_mic ? "gssapi-with-mic" : "gssapi");
358}
359
360static int
361userauth_gssapi_with_mic(Authctxt *authctxt)
362{
363 gssapi_with_mic = 1;
364 return userauth_gssapi(authctxt);
365}
366
367static int
368userauth_gssapi_without_mic(Authctxt *authctxt)
369{
370 gssapi_with_mic = 0;
371 return userauth_gssapi(authctxt);
372}
373
374static void
375input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
376{
377 Authctxt *authctxt = ctxt;
378 Gssctxt *gssctxt;
379 int authenticated = 0;
380 Buffer b;
381 gss_buffer_desc mic, gssbuf;
382 u_int len;
383
384 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
385 fatal("No authentication or GSSAPI context");
386
387 gssctxt = authctxt->methoddata;
388
389 mic.value = packet_get_string(&len);
390 mic.length = len;
391
392 ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
393 "gssapi-with-mic");
394
395 gssbuf.value = buffer_ptr(&b);
396 gssbuf.length = buffer_len(&b);
397
398 gssapi_set_username(authctxt);
399
400 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
401 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
402 authenticated =
403 PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
404 } else {
405 authenticated = 0;
406 }
407 else
408 logit("GSSAPI MIC check failed");
409
410 buffer_free(&b);
411 xfree(mic.value);
412
413 authctxt->postponed = 0;
414 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
415 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
416 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
417 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
418 userauth_finish(authctxt, authenticated, "gssapi-with-mic");
419}
420
421static void ssh_gssapi_userauth_error(Gssctxt *ctxt) {
422 char *errstr;
423 OM_uint32 maj,min;
424
425 errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min));
426 if (errstr) {
427 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERROR);
428 packet_put_int(maj);
429 packet_put_int(min);
430 packet_put_cstring(errstr);
431 packet_put_cstring("");
432 packet_send();
433 packet_write_wait();
434 xfree(errstr);
435 }
436}
437
438Authmethod method_external = {
439 "external-keyx",
440 userauth_external,
441 &options.gss_authentication
442};
443
444Authmethod method_gsskeyex = {
445 "gssapi-keyex",
446 userauth_gsskeyex,
447 &options.gss_authentication
448};
449
450Authmethod method_gssapi = {
451 "gssapi-with-mic",
452 userauth_gssapi_with_mic,
453 &options.gss_authentication
454};
455
456Authmethod method_gssapi_compat = {
457 "gssapi",
458 userauth_gssapi_without_mic,
459 &options.gss_authentication
460};
461
462#endif /* GSSAPI */
git-cvsimport mirror of GSI OpenSSH
This page took 0.039045 seconds and 5 git commands to generate.