1 /* $OpenBSD: gss-serv-krb5.c,v 1.2 2003/11/21 11:57:03 djm Exp $ */
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 extern ServerOptions options;
44 # ifdef HAVE_GSSAPI_KRB5
45 # include <gssapi_krb5.h>
46 # elif HAVE_GSSAPI_GSSAPI_KRB5
47 # include <gssapi/gssapi_krb5.h>
51 static krb5_context krb_context = NULL;
52 static int ssh_gssapi_krb5_init();
53 static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name);
54 static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user);
55 static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);
57 ssh_gssapi_mech gssapi_kerberos_mech = {
58 "toWM5Slw5Ew8Mqkay+al2g==",
60 {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
62 &ssh_gssapi_krb5_userok,
63 &ssh_gssapi_krb5_localname,
64 &ssh_gssapi_krb5_storecreds
67 ssh_gssapi_mech gssapi_kerberos_mech_old = {
68 "Se3H81ismmOC3OE+FwYCiQ==",
70 {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
71 &ssh_gssapi_krb5_init,
72 &ssh_gssapi_krb5_userok,
73 &ssh_gssapi_krb5_localname,
74 &ssh_gssapi_krb5_storecreds
77 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
80 ssh_gssapi_krb5_init()
82 krb5_error_code problem;
84 if (krb_context != NULL)
87 problem = krb5_init_context(&krb_context);
89 logit("Cannot initialize krb5 context");
93 krb5_init_ets(krb_context);
99 /* Check if this user is OK to login. This only works with krb5 - other
100 * GSSAPI mechanisms will need their own.
101 * Returns true if the user is OK to log in, otherwise returns 0
105 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
107 krb5_principal princ;
110 if (ssh_gssapi_krb5_init() == 0)
113 if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
115 logit("krb5_parse_name(): %.100s",
116 krb5_get_err_text(krb_context, retval));
119 if (krb5_kuserok(krb_context, princ, name)) {
121 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
122 name, (char *)client->displayname.value);
126 krb5_free_principal(krb_context, princ);
131 /* Retrieve the local username associated with a set of Kerberos
132 * credentials. Hopefully we can use this for the 'empty' username
133 * logins discussed in the draft */
135 ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user) {
136 krb5_principal princ;
139 if (ssh_gssapi_krb5_init() == 0)
142 if ((retval=krb5_parse_name(krb_context, client->displayname.value,
144 logit("krb5_parse_name(): %.100s",
145 krb5_get_err_text(krb_context,retval));
149 /* We've got to return a malloc'd string */
150 *user = (char *)xmalloc(256);
151 if (krb5_aname_to_localname(krb_context, princ, 256, *user)) {
160 /* This writes out any forwarded credentials from the structure populated
161 * during userauth. Called after we have setuid to the user */
164 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
167 krb5_error_code problem;
168 krb5_principal princ;
169 OM_uint32 maj_status, min_status;
170 gss_cred_id_t krb5_cred_handle;
173 if (client->creds == NULL) {
174 debug("No credentials stored");
178 if (ssh_gssapi_krb5_init() == 0)
182 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
183 logit("krb5_cc_gen_new(): %.100s",
184 krb5_get_err_text(krb_context, problem));
192 snprintf(ccname, sizeof(ccname),
193 "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
195 if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
196 logit("mkstemp(): %.100s", strerror(errno));
200 if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
201 logit("fchmod(): %.100s", strerror(errno));
207 if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
208 logit("krb5_cc_resolve(): %.100s",
209 krb5_get_err_text(krb_context, problem));
213 #endif /* #ifdef HEIMDAL */
215 if ((problem = krb5_parse_name(krb_context,
216 client->exportedname.value, &princ))) {
217 logit("krb5_parse_name(): %.100s",
218 krb5_get_err_text(krb_context, problem));
219 krb5_cc_destroy(krb_context, ccache);
223 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
224 logit("krb5_cc_initialize(): %.100s",
225 krb5_get_err_text(krb_context, problem));
226 krb5_free_principal(krb_context, princ);
227 krb5_cc_destroy(krb_context, ccache);
231 krb5_free_principal(krb_context, princ);
235 __gss_get_mechanism_cred(client->creds,
236 &(gssapi_kerberos_mech.oid));
238 krb5_cred_handle = client->creds;
241 if ((maj_status = gss_krb5_copy_ccache(&min_status,
242 krb5_cred_handle, ccache))) {
243 logit("gss_krb5_copy_ccache() failed");
244 krb5_cc_destroy(krb_context, ccache);
248 client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
249 client->store.envvar = "KRB5CCNAME";
250 len = strlen(client->store.filename) + 6;
251 client->store.envval = xmalloc(len);
252 snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
256 do_pam_putenv(client->store.envvar, client->store.envval);
259 krb5_cc_close(krb_context, ccache);