+/* $OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $ */
+
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
*
#ifdef KRB5
#include "auth.h"
-#include "auth-pam.h"
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"
extern ServerOptions options;
#ifdef HEIMDAL
-#include <krb5.h>
+# include <krb5.h>
#else
-#include <gssapi_krb5.h>
-#define krb5_get_err_text(context,code) error_message(code)
+# ifdef HAVE_GSSAPI_KRB5
+# include <gssapi_krb5.h>
+# elif HAVE_GSSAPI_GSSAPI_KRB5
+# include <gssapi/gssapi_krb5.h>
+# endif
#endif
static krb5_context krb_context = NULL;
+static int ssh_gssapi_krb5_init();
+static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name);
+static int ssh_gssapi_krb5_localname(ssh_gssapi_client *client, char **user);
+static void ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client);
-/* Initialise the krb5 library, so we can use it for those bits that
- * GSSAPI won't do */
+ssh_gssapi_mech gssapi_kerberos_mech = {
+ "toWM5Slw5Ew8Mqkay+al2g==",
+ "Kerberos",
+ {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
+ NULL,
+ &ssh_gssapi_krb5_userok,
+ &ssh_gssapi_krb5_localname,
+ &ssh_gssapi_krb5_storecreds
+};
+
+/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-static int
-ssh_gssapi_krb5_init() {
+static int
+ssh_gssapi_krb5_init(void)
+{
krb5_error_code problem;
-
- if (krb_context !=NULL)
+
+ if (krb_context != NULL)
return 1;
-
+
problem = krb5_init_context(&krb_context);
if (problem) {
- log("Cannot initialize krb5 context");
+ logit("Cannot initialize krb5 context");
return 0;
}
+#ifdef KRB5_INIT_ETS
krb5_init_ets(krb_context);
+#endif
- return 1;
-}
+ return 1;
+}
-/* Check if this user is OK to login. This only works with krb5 - other
+/* Check if this user is OK to login. This only works with krb5 - other
* GSSAPI mechanisms will need their own.
* Returns true if the user is OK to log in, otherwise returns 0
*/
static int
-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) {
+ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+{
krb5_principal princ;
int retval;
if (ssh_gssapi_krb5_init() == 0)
return 0;
-
- if ((retval=krb5_parse_name(krb_context, client->name.value,
- &princ))) {
- log("krb5_parse_name(): %.100s",
- krb5_get_err_text(krb_context,retval));
+
+ if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
+ &princ))) {
+ logit("krb5_parse_name(): %.100s",
+ krb5_get_err_text(krb_context, retval));
return 0;
}
if (krb5_kuserok(krb_context, princ, name)) {
retval = 1;
- log("Authorized to %s, krb5 principal %s (krb5_kuserok)",name,
- (char *)client->name.value);
- }
- else
+ logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
+ name, (char *)client->displayname.value);
+ } else
retval = 0;
-
+
krb5_free_principal(krb_context, princ);
return retval;
}
+
/* Retrieve the local username associated with a set of Kerberos
* credentials. Hopefully we can use this for the 'empty' username
* logins discussed in the draft */
if (ssh_gssapi_krb5_init() == 0)
return 0;
- if ((retval=krb5_parse_name(krb_context, client->name.value,
+ if ((retval=krb5_parse_name(krb_context, client->displayname.value,
&princ))) {
- log("krb5_parse_name(): %.100s",
+ logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context,retval));
return 0;
}
return(1);
}
-/* Make sure that this is called _after_ we've setuid to the user */
-
-/* This writes out any forwarded credentials. Its specific to the Kerberos
- * GSSAPI mechanism
- *
- * We assume that our caller has made sure that the user has selected
- * delegated credentials, and that the client_creds structure is correctly
- * populated.
- */
+/* This writes out any forwarded credentials from the structure populated
+ * during userauth. Called after we have setuid to the user */
static void
-ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) {
+ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
- char ccname[35];
- static char name[40];
- int tmpfd;
- OM_uint32 maj_status,min_status;
+ OM_uint32 maj_status, min_status;
+ gss_cred_id_t krb5_cred_handle;
+ int len;
- if (client->creds==NULL) {
- debug("No credentials stored");
+ if (client->creds == NULL) {
+ debug("No credentials stored");
return;
}
-
+
if (ssh_gssapi_krb5_init() == 0)
return;
- if (options.gss_use_session_ccache) {
- snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d_XXXXXX",geteuid());
-
- if ((tmpfd = mkstemp(ccname))==-1) {
- log("mkstemp(): %.100s", strerror(errno));
- return;
- }
- if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
- log("fchmod(): %.100s", strerror(errno));
- close(tmpfd);
- return;
- }
- } else {
- snprintf(ccname,sizeof(ccname),"/tmp/krb5cc_%d",geteuid());
- tmpfd = open(ccname, O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
- if (tmpfd == -1) {
- log("open(): %.100s", strerror(errno));
- return;
- }
- }
-
- close(tmpfd);
- snprintf(name, sizeof(name), "FILE:%s",ccname);
-
- if ((problem = krb5_cc_resolve(krb_context, name, &ccache))) {
- log("krb5_cc_default(): %.100s",
- krb5_get_err_text(krb_context,problem));
- return;
- }
-
- if ((problem = krb5_parse_name(krb_context, client->name.value,
- &princ))) {
- log("krb5_parse_name(): %.100s",
- krb5_get_err_text(krb_context,problem));
- krb5_cc_destroy(krb_context,ccache);
+#ifdef HEIMDAL
+ if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
+ logit("krb5_cc_gen_new(): %.100s",
+ krb5_get_err_text(krb_context, problem));
return;
}
-
- if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
- log("krb5_cc_initialize(): %.100s",
- krb5_get_err_text(krb_context,problem));
- krb5_free_principal(krb_context,princ);
- krb5_cc_destroy(krb_context,ccache);
+#else
+ {
+ int tmpfd;
+ char ccname[40];
+ mode_t old_umask;
+
+ snprintf(ccname, sizeof(ccname),
+ "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
+
+ old_umask = umask(0177);
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
+ umask(old_umask);
+ if (tmpfd == -1) {
+ logit("mkstemp(): %.100s", strerror(errno));
+ problem = errno;
+ return;
+ }
+ if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
+ logit("fchmod(): %.100s", strerror(errno));
+ close(tmpfd);
+ problem = errno;
+ return;
+ }
+ close(tmpfd);
+ if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
+ logit("krb5_cc_resolve(): %.100s",
+ krb5_get_err_text(krb_context, problem));
+ return;
+ }
+ }
+#endif /* #ifdef HEIMDAL */
+
+ if ((problem = krb5_parse_name(krb_context,
+ client->exportedname.value, &princ))) {
+ logit("krb5_parse_name(): %.100s",
+ krb5_get_err_text(krb_context, problem));
+ krb5_cc_destroy(krb_context, ccache);
return;
}
-
- krb5_free_principal(krb_context,princ);
-
- #ifdef HEIMDAL
- if ((problem = krb5_cc_copy_cache(krb_context,
- client->creds->ccache,
- ccache))) {
- log("krb5_cc_copy_cache(): %.100s",
- krb5_get_err_text(krb_context,problem));
- krb5_cc_destroy(krb_context,ccache);
+
+ if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
+ logit("krb5_cc_initialize(): %.100s",
+ krb5_get_err_text(krb_context, problem));
+ krb5_free_principal(krb_context, princ);
+ krb5_cc_destroy(krb_context, ccache);
return;
}
- #else
+
+ krb5_free_principal(krb_context, princ);
+
+#ifdef MECHGLUE
+ krb5_cred_handle =
+ __gss_get_mechanism_cred(client->creds,
+ &(gssapi_kerberos_mech.oid));
+#else
+ krb5_cred_handle = client->creds;
+#endif
+
if ((maj_status = gss_krb5_copy_ccache(&min_status,
- client->creds,
- ccache))) {
- log("gss_krb5_copy_ccache() failed");
- krb5_cc_destroy(krb_context,ccache);
+ krb5_cred_handle, ccache))) {
+ logit("gss_krb5_copy_ccache() failed");
+ krb5_cc_destroy(krb_context, ccache);
return;
}
- #endif
-
- krb5_cc_close(krb_context,ccache);
+
+ client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
+ client->store.envvar = "KRB5CCNAME";
+ len = strlen(client->store.filename) + 6;
+ client->store.envval = xmalloc(len);
+ snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
#ifdef USE_PAM
- do_pam_putenv("KRB5CCNAME",name);
+ if (options.use_pam)
+ do_pam_putenv(client->store.envvar, client->store.envval);
#endif
- client->store.filename=strdup(ccname);
- client->store.envvar="KRB5CCNAME";
- client->store.envval=strdup(name);
+ krb5_cc_close(krb_context, ccache);
return;
}
-/* We've been using a wrongly encoded mechanism ID for yonks */
-
-ssh_gssapi_mech gssapi_kerberos_mech_old = {
- "Se3H81ismmOC3OE+FwYCiQ==",
- "Kerberos",
- {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
- &ssh_gssapi_krb5_init,
- &ssh_gssapi_krb5_userok,
- &ssh_gssapi_krb5_localname,
- &ssh_gssapi_krb5_storecreds
-};
-
-ssh_gssapi_mech gssapi_kerberos_mech = {
- "toWM5Slw5Ew8Mqkay+al2g==",
- "Kerberos",
- {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
- NULL,
- &ssh_gssapi_krb5_userok,
- &ssh_gssapi_krb5_localname,
- &ssh_gssapi_krb5_storecreds
-};
-
#endif /* KRB5 */
#endif /* GSSAPI */
andersk / gssapi-openssh.git / blobdiff