3 * Handle server side of authentication
5 * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
6 * For copying and distribution information, please see the file
11 #include <mit-copyright.h>
12 #include "mr_server.h"
14 #include <sys/types.h>
16 #include <arpa/inet.h>
17 #include <netinet/in.h>
24 extern char *whoami, *host;
27 static int set_client(client *cl, char *kname,
28 char *name, char *inst, char *realm);
30 typedef struct _replay_cache {
33 struct _replay_cache *next;
36 replay_cache *rcache = NULL;
39 * Handle a MOIRA_AUTH RPC request.
41 * argv[0] is a kerberos authenticator. Decompose it, and if
42 * successful, store the name the user authenticated to in
46 void do_auth(client *cl)
51 replay_cache *rc, *rcnew;
54 auth.length = cl->req.mr_argl[0];
55 memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
58 if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
59 cl->haddr.sin_addr.s_addr, &ad, "")))
61 status += ERROR_TABLE_BASE_krb;
62 client_reply(cl, status);
63 com_err(whoami, status, " (authentication failed)");
69 rcache = xmalloc(sizeof(replay_cache));
70 memset(rcache, 0, sizeof(replay_cache));
73 /* scan replay cache */
74 for (rc = rcache->next; rc; rc = rc->next)
76 if (auth.length == rc->auth.length &&
77 !memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
80 "Authenticator replay from %s using authenticator for %s",
81 inet_ntoa(cl->haddr.sin_addr),
82 kname_unparse(ad.pname, ad.pinst, ad.prealm));
83 com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
84 client_reply(cl, KE_RD_AP_REPEAT);
91 rcnew = xmalloc(sizeof(replay_cache));
92 memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
93 rcnew->expires = now + 2 * CLOCK_SKEW;
94 rcnew->next = rcache->next;
98 for (rc = rcnew; rc->next; )
100 if (rc->next->expires < now)
103 rc->next = rc->next->next;
110 status = set_client(cl, kname_unparse(ad.pname, ad.pinst, ad.prealm),
111 ad.pname, ad.pinst, ad.prealm);
113 strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
114 cl->entity[sizeof(cl->entity) - 1] = 0;
116 memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
118 com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
119 cl->clname, cl->entity, cl->users_id, cl->client_id);
121 if (status != MR_SUCCESS || cl->users_id != 0)
122 client_reply(cl, status);
124 client_reply(cl, MR_USER_AUTH);
127 void do_proxy(client *cl)
129 char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
130 char kname[MAX_K_NAME_SZ];
134 com_err(whoami, MR_PERM, "Cannot re-proxy");
135 client_reply(cl, MR_PERM);
139 if (kname_parse(name, inst, realm, cl->req.mr_argv[0]) != KSUCCESS)
141 com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
143 client_reply(cl, KE_KNAME_FMT);
149 strcpy(realm, krb_realm);
150 sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
153 strcpy(kname, cl->req.mr_argv[0]);
155 if (find_member("LIST", proxy_acl, cl))
157 cl->proxy_id = cl->client_id;
158 set_client(cl, kname, name, inst, realm);
159 com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
160 kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
161 client_reply(cl, MR_SUCCESS);
165 com_err(whoami, MR_PERM, "Proxy authentication denied");
166 client_reply(cl, MR_PERM);
170 static int set_client(client *cl, char *kname,
171 char *name, char *inst, char *realm)
175 strncpy(cl->clname, kname, sizeof(cl->clname));
176 cl->clname[sizeof(cl->clname) - 1] = '\0';
178 if (inst[0] == 0 && !strcmp(realm, krb_realm))
182 /* this is in a separate function because it accesses the database */
183 return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);