3 * Handle server side of authentication
5 * Copyright (C) 1987-1998 by the Massachusetts Institute of Technology
6 * For copying and distribution information, please see the file
11 #include <mit-copyright.h>
12 #include "mr_server.h"
14 #include <sys/types.h>
16 #include <arpa/inet.h>
17 #include <netinet/in.h>
24 extern char *whoami, *host;
26 extern krb5_context context;
28 static int set_client(client *cl, char *kname,
29 char *name, char *inst, char *realm);
32 typedef struct _replay_cache {
35 struct _replay_cache *next;
38 replay_cache *rcache = NULL;
42 * Handle a MOIRA_AUTH RPC request.
44 * argv[0] is a kerberos authenticator. Decompose it, and if
45 * successful, store the name the user authenticated to in
49 void do_auth(client *cl)
55 replay_cache *rc, *rcnew;
58 auth.length = cl->req.mr_argl[0];
59 memcpy(auth.dat, cl->req.mr_argv[0], auth.length);
62 if ((status = krb_rd_req(&auth, MOIRA_SNAME, host,
63 cl->haddr.sin_addr.s_addr, &ad, "")))
65 status += ERROR_TABLE_BASE_krb;
66 client_reply(cl, status);
67 com_err(whoami, status, " (authentication failed)");
73 rcache = xmalloc(sizeof(replay_cache));
74 memset(rcache, 0, sizeof(replay_cache));
77 /* scan replay cache */
78 for (rc = rcache->next; rc; rc = rc->next)
80 if (auth.length == rc->auth.length &&
81 !memcmp(&(auth.dat), &(rc->auth.dat), auth.length))
84 "Authenticator replay from %s using authenticator for %s",
85 inet_ntoa(cl->haddr.sin_addr),
86 mr_kname_unparse(ad.pname, ad.pinst, ad.prealm));
87 com_err(whoami, KE_RD_AP_REPEAT, " (authentication failed)");
88 client_reply(cl, KE_RD_AP_REPEAT);
95 rcnew = xmalloc(sizeof(replay_cache));
96 memcpy(&(rcnew->auth), &auth, sizeof(KTEXT_ST));
97 rcnew->expires = now + 2 * CLOCK_SKEW;
98 rcnew->next = rcache->next;
102 for (rc = rcnew; rc->next; )
104 if (rc->next->expires < now)
107 rc->next = rc->next->next;
114 status = set_client(cl, mr_kname_unparse(ad.pname, ad.pinst, ad.prealm),
115 ad.pname, ad.pinst, ad.prealm);
117 strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
118 cl->entity[sizeof(cl->entity) - 1] = 0;
120 memset(&ad, 0, sizeof(ad)); /* Clean up session key, etc. */
122 com_err(whoami, 0, "Auth to %s using %s, uid %d cid %d",
123 cl->clname, cl->entity, cl->users_id, cl->client_id);
125 if (status != MR_SUCCESS || cl->users_id != 0)
126 client_reply(cl, status);
128 client_reply(cl, MR_USER_AUTH);
130 client_reply(cl, MR_NO_KRB4);
134 void do_proxy(client *cl)
136 char name[ANAME_SZ] = "\0", inst[INST_SZ] = "\0", realm[REALM_SZ] = "\0";
137 char kname[MAX_K_NAME_SZ];
141 com_err(whoami, MR_PERM, "Cannot re-proxy");
142 client_reply(cl, MR_PERM);
146 if (mr_kname_parse(name, inst, realm, cl->req.mr_argv[0]) != 0)
148 com_err(whoami, KE_KNAME_FMT, "while parsing proxy name %s",
150 client_reply(cl, KE_KNAME_FMT);
156 strcpy(realm, krb_realm);
157 sprintf(kname, "%s@%s", cl->req.mr_argv[0], realm);
160 strcpy(kname, cl->req.mr_argv[0]);
162 if (find_member("LIST", proxy_acl, cl))
164 cl->proxy_id = cl->client_id;
165 set_client(cl, kname, name, inst, realm);
166 com_err(whoami, 0, "Proxy authentication as %s (uid %d cid %d) via %s",
167 kname, cl->users_id, cl->client_id, cl->req.mr_argv[1]);
168 client_reply(cl, MR_SUCCESS);
172 com_err(whoami, MR_PERM, "Proxy authentication denied");
173 client_reply(cl, MR_PERM);
177 static int set_client(client *cl, char *kname,
178 char *name, char *inst, char *realm)
182 strncpy(cl->clname, kname, sizeof(cl->clname));
183 cl->clname[sizeof(cl->clname) - 1] = '\0';
185 if ((!inst || inst[0] == 0) && !strcmp(realm, krb_realm))
189 /* this is in a separate function because it accesses the database */
190 return set_krb_mapping(cl->clname, name, ok, &cl->client_id, &cl->users_id);
193 void do_krb5_auth(client *cl)
196 krb5_auth_context auth_con = NULL;
197 krb5_principal server = NULL, client = NULL;
199 char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ];
204 status = krb5_auth_con_init(context, &auth_con);
207 client_reply(cl, status);
208 com_err(whoami, status, "(krb5 auth context init failed)");
212 status = krb5_sname_to_principal(context, host, MOIRA_SNAME,
213 KRB5_NT_SRV_HST, &server);
216 client_reply(cl, status);
217 com_err(whoami, status, "(krb5_sname_to_principal failed)");
221 auth.length = cl->req.mr_argl[0];
222 auth.data = cl->req.mr_argv[0];
224 status = krb5_rd_req(context, &auth_con, &auth, server, NULL, NULL,
228 client_reply(cl, status);
229 com_err(whoami, status, " (krb5 authentication failed)");
233 status = krb5_copy_principal(context, ticket->enc_part2->client, &client);
236 client_reply(cl, status);
237 com_err(whoami, status, " (krb5_copy_principal failed)");
241 /* Always convert to krb4 style principal name for now. */
242 status = krb5_524_conv_principal(context, client, name, inst, realm);
245 client_reply(cl, status);
246 com_err(whoami, status, " (krb5_524_conv_principal failed)");
249 status = set_client(cl, mr_kname_unparse(name, inst, realm), name, inst,
252 strncpy(cl->entity, cl->req.mr_argv[1], sizeof(cl->entity) - 1);
253 cl->entity[sizeof(cl->entity) - 1] = 0;
255 com_err(whoami, 0, "krb5 auth to %s using %s, uid %d cid %d",
256 cl->clname, cl->entity, cl->users_id, cl->client_id);
258 if (status != MR_SUCCESS || cl->users_id != 0)
259 client_reply(cl, status);
261 client_reply(cl, MR_USER_AUTH);
265 krb5_free_principal(context, client);
267 krb5_free_principal(context, server);
269 krb5_free_ticket(context, ticket);
271 krb5_auth_con_free(context, auth_con);