1 /* $OpenBSD: gss-serv-krb5.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 extern ServerOptions options;
44 #include <gssapi_krb5.h>
47 static krb5_context krb_context = NULL;
49 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
52 ssh_gssapi_krb5_init()
54 krb5_error_code problem;
56 if (krb_context != NULL)
59 problem = krb5_init_context(&krb_context);
61 logit("Cannot initialize krb5 context");
64 krb5_init_ets(krb_context);
69 /* Check if this user is OK to login. This only works with krb5 - other
70 * GSSAPI mechanisms will need their own.
71 * Returns true if the user is OK to log in, otherwise returns 0
75 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
80 if (ssh_gssapi_krb5_init() == 0)
83 if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
85 logit("krb5_parse_name(): %.100s",
86 krb5_get_err_text(krb_context, retval));
89 if (krb5_kuserok(krb_context, princ, name)) {
91 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
92 name, (char *)client->displayname.value);
96 krb5_free_principal(krb_context, princ);
101 /* Retrieve the local username associated with a set of Kerberos
102 * credentials. Hopefully we can use this for the 'empty' username
103 * logins discussed in the draft */
105 ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
106 krb5_principal princ;
109 if (ssh_gssapi_krb5_init() == 0)
112 if ((retval=krb5_parse_name(krb_context, client->displayname.value,
114 logit("krb5_parse_name(): %.100s",
115 krb5_get_err_text(krb_context,retval));
119 /* We've got to return a malloc'd string */
120 *user = (char *)xmalloc(256);
121 if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
130 /* This writes out any forwarded credentials from the structure populated
131 * during userauth. Called after we have setuid to the user */
134 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
137 krb5_error_code problem;
138 krb5_principal princ;
139 OM_uint32 maj_status, min_status;
140 gss_cred_id_t krb5_cred_handle;
143 if (client->creds == NULL) {
144 debug("No credentials stored");
148 if (ssh_gssapi_krb5_init() == 0)
152 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
153 logit("krb5_cc_gen_new(): %.100s",
154 krb5_get_err_text(krb_context, problem));
162 snprintf(ccname, sizeof(ccname),
163 "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
165 if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
166 logit("mkstemp(): %.100s", strerror(errno));
170 if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
171 logit("fchmod(): %.100s", strerror(errno));
177 if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
178 logit("krb5_cc_resolve(): %.100s",
179 krb5_get_err_text(krb_context, problem));
183 #endif /* #ifdef HEIMDAL */
185 if ((problem = krb5_parse_name(krb_context,
186 client->exportedname.value, &princ))) {
187 logit("krb5_parse_name(): %.100s",
188 krb5_get_err_text(krb_context, problem));
189 krb5_cc_destroy(krb_context, ccache);
193 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
194 logit("krb5_cc_initialize(): %.100s",
195 krb5_get_err_text(krb_context, problem));
196 krb5_free_principal(krb_context, princ);
197 krb5_cc_destroy(krb_context, ccache);
201 krb5_free_principal(krb_context, princ);
205 __gss_get_mechanism_cred(client->creds,
206 &(gssapi_kerberos_mech.oid));
208 krb5_cred_handle = client->creds;
211 if ((maj_status = gss_krb5_copy_ccache(&min_status,
212 krb5_cred_handle, ccache))) {
213 logit("gss_krb5_copy_ccache() failed");
214 krb5_cc_destroy(krb_context, ccache);
218 client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
219 client->store.envvar = "KRB5CCNAME";
220 client->store.envval = xstrdup(client->store.filename);
224 do_pam_putenv(client->store.envvar,client->store.envval);
227 krb5_cc_close(krb_context, ccache);
232 ssh_gssapi_mech gssapi_kerberos_mech = {
233 "toWM5Slw5Ew8Mqkay+al2g==",
235 {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
237 &ssh_gssapi_krb5_userok,
238 &ssh_gssapi_krb5_localname,
239 &ssh_gssapi_krb5_storecreds
242 ssh_gssapi_mech gssapi_kerberos_mech_old = {
243 "Se3H81ismmOC3OE+FwYCiQ==",
245 {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
246 &ssh_gssapi_krb5_init,
247 &ssh_gssapi_krb5_userok,
248 &ssh_gssapi_krb5_localname,
249 &ssh_gssapi_krb5_storecreds