openssh/gss-serv-krb5.c

   1 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
   2
   3 /*
   4  * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef GSSAPI
  30 #ifdef KRB5
  31
  32 #include <sys/types.h>
  33
  34 #include <stdarg.h>
  35 #include <string.h>
  36
  37 #include "xmalloc.h"
  38 #include "key.h"
  39 #include "hostfile.h"
  40 #include "auth.h"
  41 #include "log.h"
  42 #include "servconf.h"
  43
  44 #include "buffer.h"
  45 #include "ssh-gss.h"
  46
  47 extern ServerOptions options;
  48
  49 #ifdef HEIMDAL
  50 # include <krb5.h>
  51 #elif !defined(MECHGLUE)
  52 # ifdef HAVE_GSSAPI_KRB5_H
  53 #  include <gssapi_krb5.h>
  54 # elif HAVE_GSSAPI_GSSAPI_KRB5_H
  55 #  include <gssapi/gssapi_krb5.h>
  56 # endif
  57 #endif
  58
  59 static krb5_context krb_context = NULL;
  60 static int ssh_gssapi_krb5_init();
  61 static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name);
  62 static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user);
  63 static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);
  64 static int ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
  65                                        ssh_gssapi_client *client);
  66
  67 ssh_gssapi_mech gssapi_kerberos_mech = {
  68         "toWM5Slw5Ew8Mqkay+al2g==",
  69         "Kerberos",
  70         {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
  71         NULL,
  72         &ssh_gssapi_krb5_userok,
  73         &ssh_gssapi_krb5_localname,
  74         &ssh_gssapi_krb5_storecreds,
  75         &ssh_gssapi_krb5_updatecreds
  76 };
  77
  78 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
  79
  80 static int
  81 ssh_gssapi_krb5_init(void)
  82 {
  83         krb5_error_code problem;
  84
  85         if (krb_context != NULL)
  86                 return 1;
  87
  88         problem = krb5_init_context(&krb_context);
  89         if (problem) {
  90                 logit("Cannot initialize krb5 context");
  91                 return 0;
  92         }
  93
  94         return 1;
  95 }
  96
  97 /* Check if this user is OK to login. This only works with krb5 - other
  98  * GSSAPI mechanisms will need their own.
  99  * Returns true if the user is OK to log in, otherwise returns 0
 100  */
 101
 102 static int
 103 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 104 {
 105         krb5_principal princ;
 106         int retval;
 107
 108         if (ssh_gssapi_krb5_init() == 0)
 109                 return 0;
 110
 111         if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
 112             &princ))) {
 113                 logit("krb5_parse_name(): %.100s",
 114                     krb5_get_err_text(krb_context, retval));
 115                 return 0;
 116         }
 117         if (krb5_kuserok(krb_context, princ, name)) {
 118                 retval = 1;
 119                 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 120                     name, (char *)client->displayname.value);
 121         } else
 122                 retval = 0;
 123
 124         krb5_free_principal(krb_context, princ);
 125         return retval;
 126 }
 127
 128
 129 /* Retrieve the local username associated with a set of Kerberos
 130  * credentials. Hopefully we can use this for the 'empty' username
 131  * logins discussed in the draft  */
 132 static int
 133 ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
 134         krb5_principal princ;
 135         int retval;
 136
 137         if (ssh_gssapi_krb5_init() == 0)
 138                 return 0;
 139
 140         if ((retval=krb5_parse_name(krb_context, client->displayname.value,
 141                                     &princ))) {
 142                 logit("krb5_parse_name(): %.100s",
 143                         krb5_get_err_text(krb_context,retval));
 144                 return 0;
 145         }
 146
 147         /* We've got to return a malloc'd string */
 148         *user = (char *)xmalloc(256);
 149         if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
 150                 xfree(*user);
 151                 *user = NULL;
 152                 return(0);
 153         }
 154
 155         return(1);
 156 }
 157
 158 /* This writes out any forwarded credentials from the structure populated
 159  * during userauth. Called after we have setuid to the user */
 160
 161 static void
 162 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 163 {
 164         krb5_ccache ccache;
 165         krb5_error_code problem;
 166         krb5_principal princ;
 167         OM_uint32 maj_status, min_status;
 168         gss_cred_id_t krb5_cred_handle;
 169         int len;
 170         const char *new_ccname;
 171
 172         if (client->creds == NULL) {
 173                 debug("No credentials stored");
 174                 return;
 175         }
 176
 177         if (ssh_gssapi_krb5_init() == 0)
 178                 return;
 179
 180 #ifdef HEIMDAL
 181         if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 182                 logit("krb5_cc_gen_new(): %.100s",
 183                     krb5_get_err_text(krb_context, problem));
 184                 return;
 185         }
 186 #else
 187         if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
 188                 logit("ssh_krb5_cc_gen(): %.100s",
 189                     krb5_get_err_text(krb_context, problem));
 190                 return;
 191         }
 192 #endif  /* #ifdef HEIMDAL */
 193
 194         if ((problem = krb5_parse_name(krb_context,
 195             client->exportedname.value, &princ))) {
 196                 logit("krb5_parse_name(): %.100s",
 197                     krb5_get_err_text(krb_context, problem));
 198                 krb5_cc_destroy(krb_context, ccache);
 199                 return;
 200         }
 201
 202         if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
 203                 logit("krb5_cc_initialize(): %.100s",
 204                     krb5_get_err_text(krb_context, problem));
 205                 krb5_free_principal(krb_context, princ);
 206                 krb5_cc_destroy(krb_context, ccache);
 207                 return;
 208         }
 209
 210         krb5_free_principal(krb_context, princ);
 211
 212 #ifdef MECHGLUE
 213         krb5_cred_handle =
 214             __gss_get_mechanism_cred(client->creds,
 215                                      &(gssapi_kerberos_mech.oid));
 216 #else
 217         krb5_cred_handle = client->creds;
 218 #endif
 219
 220         if ((maj_status = gss_krb5_copy_ccache(&min_status,
 221             krb5_cred_handle, ccache))) {
 222                 logit("gss_krb5_copy_ccache() failed");
 223                 krb5_cc_destroy(krb_context, ccache);
 224                 return;
 225         }
 226
 227         new_ccname = krb5_cc_get_name(krb_context, ccache);
 228
 229         client->store.envvar = "KRB5CCNAME";
 230 #ifdef USE_CCAPI
 231         xasprintf(&client->store.envval, "API:%s", new_ccname);
 232         client->store.filename = NULL;
 233 #else
 234         xasprintf(&client->store.envval, "FILE:%s", new_ccname);
 235         client->store.filename = xstrdup(new_ccname);
 236 #endif
 237
 238 #ifdef USE_PAM
 239         if (options.use_pam)
 240                 do_pam_putenv(client->store.envvar, client->store.envval);
 241 #endif
 242
 243         krb5_cc_close(krb_context, ccache);
 244
 245         return;
 246 }
 247
 248 static int
 249 ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
 250     ssh_gssapi_client *client)
 251 {
 252         krb5_ccache ccache = NULL;
 253         krb5_principal principal = NULL;
 254         char *name = NULL;
 255         krb5_error_code problem;
 256         OM_uint32 maj_status, min_status;
 257
 258         if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
 259                 logit("krb5_cc_resolve(): %.100s",
 260                     krb5_get_err_text(krb_context, problem));
 261                 return 0;
 262         }
 263
 264         /* Find out who the principal in this cache is */
 265         if ((problem = krb5_cc_get_principal(krb_context, ccache,
 266             &principal))) {
 267                 logit("krb5_cc_get_principal(): %.100s",
 268                     krb5_get_err_text(krb_context, problem));
 269                 krb5_cc_close(krb_context, ccache);
 270                 return 0;
 271         }
 272
 273         if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
 274                 logit("krb5_unparse_name(): %.100s",
 275                     krb5_get_err_text(krb_context, problem));
 276                 krb5_free_principal(krb_context, principal);
 277                 krb5_cc_close(krb_context, ccache);
 278                 return 0;
 279         }
 280
 281
 282         if (strcmp(name,client->exportedname.value)!=0) {
 283                 debug("Name in local credentials cache differs. Not storing");
 284                 krb5_free_principal(krb_context, principal);
 285                 krb5_cc_close(krb_context, ccache);
 286                 krb5_free_unparsed_name(krb_context, name);
 287                 return 0;
 288         }
 289         krb5_free_unparsed_name(krb_context, name);
 290
 291         /* Name matches, so lets get on with it! */
 292
 293         if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
 294                 logit("krb5_cc_initialize(): %.100s",
 295                     krb5_get_err_text(krb_context, problem));
 296                 krb5_free_principal(krb_context, principal);
 297                 krb5_cc_close(krb_context, ccache);
 298                 return 0;
 299         }
 300
 301         krb5_free_principal(krb_context, principal);
 302
 303         if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
 304             ccache))) {
 305                 logit("gss_krb5_copy_ccache() failed. Sorry!");
 306                 krb5_cc_close(krb_context, ccache);
 307                 return 0;
 308         }
 309
 310         return 1;
 311 }
 312
 313 #endif /* KRB5 */
 314
 315 #endif /* GSSAPI */