openssh/gss-serv-krb5.c

   1 /*      $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $   */
   2
   3 /*
   4  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef GSSAPI
  30 #ifdef KRB5
  31
  32 #include "auth.h"
  33 #include "xmalloc.h"
  34 #include "log.h"
  35 #include "servconf.h"
  36
  37 #include "ssh-gss.h"
  38
  39 extern ServerOptions options;
  40
  41 #ifdef HEIMDAL
  42 # include <krb5.h>
  43 #else
  44 # ifdef HAVE_GSSAPI_KRB5
  45 #  include <gssapi_krb5.h>
  46 # elif HAVE_GSSAPI_GSSAPI_KRB5
  47 #  include <gssapi/gssapi_krb5.h>
  48 # endif
  49 #endif
  50
  51 static krb5_context krb_context = NULL;
  52 static int ssh_gssapi_krb5_init();
  53 static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name);
  54 static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user);
  55 static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);
  56
  57 ssh_gssapi_mech gssapi_kerberos_mech = {
  58         "toWM5Slw5Ew8Mqkay+al2g==",
  59         "Kerberos",
  60         {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
  61         NULL,
  62         &ssh_gssapi_krb5_userok,
  63         &ssh_gssapi_krb5_localname,
  64         &ssh_gssapi_krb5_storecreds
  65 };
  66
  67 ssh_gssapi_mech gssapi_kerberos_mech_old = {
  68         "Se3H81ismmOC3OE+FwYCiQ==",
  69         "Kerberos",
  70         {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
  71         &ssh_gssapi_krb5_init,
  72         &ssh_gssapi_krb5_userok,
  73         &ssh_gssapi_krb5_localname,
  74         &ssh_gssapi_krb5_storecreds
  75 };
  76
  77 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
  78
  79 static int
  80 ssh_gssapi_krb5_init(void)
  81 {
  82         krb5_error_code problem;
  83
  84         if (krb_context != NULL)
  85                 return 1;
  86
  87         problem = krb5_init_context(&krb_context);
  88         if (problem) {
  89                 logit("Cannot initialize krb5 context");
  90                 return 0;
  91         }
  92 #ifdef KRB5_INIT_ETS
  93         krb5_init_ets(krb_context);
  94 #endif
  95
  96         return 1;
  97 }
  98
  99 /* Check if this user is OK to login. This only works with krb5 - other
 100  * GSSAPI mechanisms will need their own.
 101  * Returns true if the user is OK to log in, otherwise returns 0
 102  */
 103
 104 static int
 105 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 106 {
 107         krb5_principal princ;
 108         int retval;
 109
 110         if (ssh_gssapi_krb5_init() == 0)
 111                 return 0;
 112
 113         if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
 114             &princ))) {
 115                 logit("krb5_parse_name(): %.100s",
 116                     krb5_get_err_text(krb_context, retval));
 117                 return 0;
 118         }
 119         if (krb5_kuserok(krb_context, princ, name)) {
 120                 retval = 1;
 121                 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 122                     name, (char *)client->displayname.value);
 123         } else
 124                 retval = 0;
 125
 126         krb5_free_principal(krb_context, princ);
 127         return retval;
 128 }
 129
 130
 131 /* Retrieve the local username associated with a set of Kerberos
 132  * credentials. Hopefully we can use this for the 'empty' username
 133  * logins discussed in the draft  */
 134 static int
 135 ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
 136         krb5_principal princ;
 137         int retval;
 138
 139         if (ssh_gssapi_krb5_init() == 0)
 140                 return 0;
 141
 142         if ((retval=krb5_parse_name(krb_context, client->displayname.value,
 143                                     &princ))) {
 144                 logit("krb5_parse_name(): %.100s",
 145                         krb5_get_err_text(krb_context,retval));
 146                 return 0;
 147         }
 148
 149         /* We've got to return a malloc'd string */
 150         *user = (char *)xmalloc(256);
 151         if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
 152                 xfree(*user);
 153                 *user = NULL;
 154                 return(0);
 155         }
 156
 157         return(1);
 158 }
 159
 160 /* This writes out any forwarded credentials from the structure populated
 161  * during userauth. Called after we have setuid to the user */
 162
 163 static void
 164 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 165 {
 166         krb5_ccache ccache;
 167         krb5_error_code problem;
 168         krb5_principal princ;
 169         OM_uint32 maj_status, min_status;
 170         gss_cred_id_t krb5_cred_handle;
 171         int len;
 172
 173         if (client->creds == NULL) {
 174                 debug("No credentials stored");
 175                 return;
 176         }
 177
 178         if (ssh_gssapi_krb5_init() == 0)
 179                 return;
 180
 181 #ifdef HEIMDAL
 182         if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 183                 logit("krb5_cc_gen_new(): %.100s",
 184                     krb5_get_err_text(krb_context, problem));
 185                 return;
 186         }
 187 #else
 188         {
 189                 int tmpfd;
 190                 char ccname[40];
 191                 mode_t old_umask;
 192
 193                 snprintf(ccname, sizeof(ccname),
 194                     "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
 195
 196                 old_umask = umask(0177);
 197                 tmpfd = mkstemp(ccname + strlen("FILE:"));
 198                 umask(old_umask);
 199                 if (tmpfd == -1) {
 200                         logit("mkstemp(): %.100s", strerror(errno));
 201                         problem = errno;
 202                         return;
 203                 }
 204                 if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
 205                         logit("fchmod(): %.100s", strerror(errno));
 206                         close(tmpfd);
 207                         problem = errno;
 208                         return;
 209                 }
 210                 close(tmpfd);
 211                 if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
 212                         logit("krb5_cc_resolve(): %.100s",
 213                             krb5_get_err_text(krb_context, problem));
 214                         return;
 215                 }
 216         }
 217 #endif  /* #ifdef HEIMDAL */
 218
 219         if ((problem = krb5_parse_name(krb_context,
 220             client->exportedname.value, &princ))) {
 221                 logit("krb5_parse_name(): %.100s",
 222                     krb5_get_err_text(krb_context, problem));
 223                 krb5_cc_destroy(krb_context, ccache);
 224                 return;
 225         }
 226
 227         if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
 228                 logit("krb5_cc_initialize(): %.100s",
 229                     krb5_get_err_text(krb_context, problem));
 230                 krb5_free_principal(krb_context, princ);
 231                 krb5_cc_destroy(krb_context, ccache);
 232                 return;
 233         }
 234
 235         krb5_free_principal(krb_context, princ);
 236
 237 #ifdef MECHGLUE
 238         krb5_cred_handle =
 239             __gss_get_mechanism_cred(client->creds,
 240                                      &(gssapi_kerberos_mech.oid));
 241 #else
 242         krb5_cred_handle = client->creds;
 243 #endif
 244
 245         if ((maj_status = gss_krb5_copy_ccache(&min_status,
 246             krb5_cred_handle, ccache))) {
 247                 logit("gss_krb5_copy_ccache() failed");
 248                 krb5_cc_destroy(krb_context, ccache);
 249                 return;
 250         }
 251
 252         client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
 253         client->store.envvar = "KRB5CCNAME";
 254         len = strlen(client->store.filename) + 6;
 255         client->store.envval = xmalloc(len);
 256         snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
 257
 258 #ifdef USE_PAM
 259         if (options.use_pam)
 260                 do_pam_putenv(client->store.envvar, client->store.envval);
 261 #endif
 262
 263         krb5_cc_close(krb_context, ccache);
 264
 265         return;
 266 }
 267
 268 #endif /* KRB5 */
 269
 270 #endif /* GSSAPI */