openssh/auth-krb5.c

   1 /*
   2  *    Kerberos v5 authentication and ticket-passing routines.
   3  *
   4  * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
   5  */
   6
   7 #include "includes.h"
   8 RCSID("$OpenBSD: auth-krb5.c,v 1.6 2002/03/04 17:27:39 stevesk Exp $");
   9
  10 #include "ssh.h"
  11 #include "ssh1.h"
  12 #include "packet.h"
  13 #include "xmalloc.h"
  14 #include "log.h"
  15 #include "servconf.h"
  16 #include "uidswap.h"
  17 #include "auth.h"
  18
  19 #ifdef KRB5
  20 #include <krb5.h>
  21 #ifndef HEIMDAL
  22 #define krb5_get_err_text(context,code) error_message(code)
  23 #endif /* !HEIMDAL */
  24
  25 extern ServerOptions     options;
  26
  27 static int
  28 krb5_init(void *context)
  29 {
  30         Authctxt *authctxt = (Authctxt *)context;
  31         krb5_error_code problem;
  32         static int cleanup_registered = 0;
  33
  34         if (authctxt->krb5_ctx == NULL) {
  35                 problem = krb5_init_context(&authctxt->krb5_ctx);
  36                 if (problem)
  37                         return (problem);
  38                 krb5_init_ets(authctxt->krb5_ctx);
  39         }
  40         if (!cleanup_registered) {
  41                 fatal_add_cleanup(krb5_cleanup_proc, authctxt);
  42                 cleanup_registered = 1;
  43         }
  44         return (0);
  45 }
  46
  47 /*
  48  * Try krb5 authentication. server_user is passed for logging purposes
  49  * only, in auth is received ticket, in client is returned principal
  50  * from the ticket
  51  */
  52 int
  53 auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
  54 {
  55         krb5_error_code problem;
  56         krb5_principal server;
  57         krb5_data reply;
  58         krb5_ticket *ticket;
  59         int fd, ret;
  60
  61         ret = 0;
  62         server = NULL;
  63         ticket = NULL;
  64         reply.length = 0;
  65
  66         problem = krb5_init(authctxt);
  67         if (problem)
  68                 goto err;
  69
  70         problem = krb5_auth_con_init(authctxt->krb5_ctx,
  71             &authctxt->krb5_auth_ctx);
  72         if (problem)
  73                 goto err;
  74
  75         fd = packet_get_connection_in();
  76 #ifdef HEIMDAL
  77         problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
  78             authctxt->krb5_auth_ctx, &fd);
  79 #else
  80         problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
  81             authctxt->krb5_auth_ctx,fd,
  82             KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
  83             KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
  84 #endif
  85         if (problem)
  86                 goto err;
  87
  88         problem = krb5_sname_to_principal(authctxt->krb5_ctx,  NULL, NULL ,
  89             KRB5_NT_SRV_HST, &server);
  90         if (problem)
  91                 goto err;
  92
  93         problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
  94             auth, server, NULL, NULL, &ticket);
  95         if (problem)
  96                 goto err;
  97
  98 #ifdef HEIMDAL
  99         problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
 100             &authctxt->krb5_user);
 101 #else
 102         problem = krb5_copy_principal(authctxt->krb5_ctx,
 103                                       ticket->enc_part2->client,
 104                                       &authctxt->krb5_user);
 105 #endif
 106         if (problem)
 107                 goto err;
 108
 109         /* if client wants mutual auth */
 110         problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 111             &reply);
 112         if (problem)
 113                 goto err;
 114
 115         /* Check .k5login authorization now. */
 116         if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
 117             authctxt->pw->pw_name))
 118                 goto err;
 119
 120         if (client)
 121                 krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
 122                     client);
 123
 124         packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
 125         packet_put_string((char *) reply.data, reply.length);
 126         packet_send();
 127         packet_write_wait();
 128
 129         ret = 1;
 130  err:
 131         if (server)
 132                 krb5_free_principal(authctxt->krb5_ctx, server);
 133         if (ticket)
 134                 krb5_free_ticket(authctxt->krb5_ctx, ticket);
 135         if (reply.length)
 136                 xfree(reply.data);
 137
 138         if (problem) {
 139                 if (authctxt->krb5_ctx != NULL)
 140                         debug("Kerberos v5 authentication failed: %s",
 141                             krb5_get_err_text(authctxt->krb5_ctx, problem));
 142                 else
 143                         debug("Kerberos v5 authentication failed: %d",
 144                             problem);
 145         }
 146
 147         return (ret);
 148 }
 149
 150 int
 151 auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 152 {
 153         krb5_error_code problem;
 154         krb5_ccache ccache = NULL;
 155         char *pname;
 156         krb5_creds **creds;
 157
 158         if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 159                 return (0);
 160
 161         temporarily_use_uid(authctxt->pw);
 162
 163 #ifdef HEIMDAL
 164         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
 165 #else
 166 {
 167         char ccname[40];
 168         int tmpfd;
 169
 170         snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
 171
 172         if ((tmpfd = mkstemp(ccname))==-1) {
 173                 log("mkstemp(): %.100s", strerror(errno));
 174                 problem = errno;
 175                 goto fail;
 176         }
 177         if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 178                 log("fchmod(): %.100s", strerror(errno));
 179                 close(tmpfd);
 180                 problem = errno;
 181                 goto fail;
 182         }
 183         close(tmpfd);
 184         problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
 185 }
 186 #endif
 187         if (problem)
 188                 goto fail;
 189
 190         problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
 191             authctxt->krb5_user);
 192         if (problem)
 193                 goto fail;
 194
 195 #ifdef HEIMDAL
 196         problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 197             ccache, tgt);
 198         if (problem)
 199                 goto fail;
 200 #else
 201         problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 202             tgt, &creds, NULL);
 203         if (problem)
 204                 goto fail;
 205         problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
 206         if (problem)
 207                 goto fail;
 208 #endif
 209
 210         authctxt->krb5_fwd_ccache = ccache;
 211         ccache = NULL;
 212
 213         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 214
 215         problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
 216             &pname);
 217         if (problem)
 218                 goto fail;
 219
 220         debug("Kerberos v5 TGT accepted (%s)", pname);
 221
 222         restore_uid();
 223
 224         return (1);
 225
 226  fail:
 227         if (problem)
 228                 debug("Kerberos v5 TGT passing failed: %s",
 229                     krb5_get_err_text(authctxt->krb5_ctx, problem));
 230         if (ccache)
 231                 krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 232
 233         restore_uid();
 234
 235         return (0);
 236 }
 237
 238 int
 239 auth_krb5_password(Authctxt *authctxt, const char *password)
 240 {
 241 #ifndef HEIMDAL
 242         krb5_creds creds;
 243         krb5_principal server;
 244 #endif
 245         krb5_error_code problem;
 246
 247         if (authctxt->pw == NULL)
 248                 return (0);
 249
 250         temporarily_use_uid(authctxt->pw);
 251
 252         problem = krb5_init(authctxt);
 253         if (problem)
 254                 goto out;
 255
 256         problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
 257                     &authctxt->krb5_user);
 258         if (problem)
 259                 goto out;
 260
 261 #ifdef HEIMDAL
 262         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
 263             &authctxt->krb5_fwd_ccache);
 264 #else
 265         problem = krb5_cc_resolve(authctxt->krb5_ctx, "MEMORY:",
 266             &authctxt->krb5_fwd_ccache);
 267 #endif
 268         if (problem)
 269                 goto out;
 270
 271         problem = krb5_cc_initialize(authctxt->krb5_ctx,
 272             authctxt->krb5_fwd_ccache, authctxt->krb5_user);
 273         if (problem)
 274                 goto out;
 275
 276         restore_uid();
 277
 278 #ifdef HEIMDAL
 279         problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
 280             authctxt->krb5_fwd_ccache, password, 1, NULL);
 281         if (problem) {
 282                 temporarily_use_uid(authctxt->pw);
 283                 goto out;
 284         }
 285 #else
 286         problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
 287             authctxt->krb5_user, password, NULL, NULL, 0, NULL, NULL);
 288         if (problem) {
 289                 temporarily_use_uid(authctxt->pw);
 290                 goto out;
 291         }
 292
 293         problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
 294             KRB5_NT_SRV_HST, &server);
 295         if (problem) {
 296                 temporarily_use_uid(authctxt->pw);
 297                 goto out;
 298         }
 299
 300         problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
 301             NULL, NULL, NULL);
 302
 303         krb5_free_principal(authctxt->krb5_ctx, server);
 304
 305         temporarily_use_uid(authctxt->pw);
 306         if (problem) {
 307                 goto out;
 308         }
 309
 310         problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 311                                  &creds);
 312         if (problem) {
 313                 temporarily_use_uid(authctxt->pw);
 314                 goto out;
 315         }
 316 #endif
 317         temporarily_use_uid(authctxt->pw);
 318
 319         if (problem)
 320                 goto out;
 321
 322         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 323
 324  out:
 325         restore_uid();
 326
 327         if (problem) {
 328                 if (authctxt->krb5_ctx != NULL)
 329                         debug("Kerberos password authentication failed: %s",
 330                             krb5_get_err_text(authctxt->krb5_ctx, problem));
 331                 else
 332                         debug("Kerberos password authentication failed: %d",
 333                             problem);
 334
 335                 krb5_cleanup_proc(authctxt);
 336
 337                 if (options.kerberos_or_local_passwd)
 338                         return (-1);
 339                 else
 340                         return (0);
 341         }
 342         return (1);
 343 }
 344
 345 void
 346 krb5_cleanup_proc(void *context)
 347 {
 348         Authctxt *authctxt = (Authctxt *)context;
 349
 350         debug("krb5_cleanup_proc called");
 351         if (authctxt->krb5_fwd_ccache) {
 352                 krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 353                 authctxt->krb5_fwd_ccache = NULL;
 354         }
 355         if (authctxt->krb5_user) {
 356                 krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 357                 authctxt->krb5_user = NULL;
 358         }
 359         if (authctxt->krb5_auth_ctx) {
 360                 krb5_auth_con_free(authctxt->krb5_ctx,
 361                     authctxt->krb5_auth_ctx);
 362                 authctxt->krb5_auth_ctx = NULL;
 363         }
 364         if (authctxt->krb5_ctx) {
 365                 krb5_free_context(authctxt->krb5_ctx);
 366                 authctxt->krb5_ctx = NULL;
 367         }
 368 }
 369
 370 #endif /* KRB5 */