[openssh.git] / auth-krb4.c

/*
 *    Dug Song <dugsong@UMICH.EDU>
 *    Kerberos v4 authentication and ticket-passing routines.
 */

#include "includes.h"
#include "packet.h"
#include "xmalloc.h"
#include "ssh.h"

#ifdef KRB4
char *ticket = NULL;

void
krb4_cleanup_proc(void *ignore)
{
	debug("krb4_cleanup_proc called");
	if (ticket) {
		(void) dest_tkt();
		xfree(ticket);
		ticket = NULL;
	}
}

int 
krb4_init(uid_t uid)
{
	static int cleanup_registered = 0;
	char *tkt_root = TKT_ROOT;
	struct stat st;
	int fd;

	if (!ticket) {
		/* Set unique ticket string manually since we're still root. */
		ticket = xmalloc(MAXPATHLEN);
#ifdef AFS
		if (lstat("/ticket", &st) != -1)
			tkt_root = "/ticket/";
#endif /* AFS */
		snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
		(void) krb_set_tkt_string(ticket);
	}
	/* Register ticket cleanup in case of fatal error. */
	if (!cleanup_registered) {
		fatal_add_cleanup(krb4_cleanup_proc, NULL);
		cleanup_registered = 1;
	}
	/* Try to create our ticket file. */
	if ((fd = mkstemp(ticket)) != -1) {
		close(fd);
		return 1;
	}
	/* Ticket file exists - make sure user owns it (just passed ticket). */
	if (lstat(ticket, &st) != -1) {
		if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
		    st.st_uid == uid)
			return 1;
	}
	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
	log("WARNING: bad ticket file %s", ticket);
	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
	cleanup_registered = 0;
	xfree(ticket);
	ticket = NULL;

	return 0;
}

int 
auth_krb4(const char *server_user, KTEXT auth, char **client)
{
	AUTH_DAT adat = {0};
	KTEXT_ST reply;
	char instance[INST_SZ];
	int r, s;
	u_int cksum;
	Key_schedule schedule;
	struct sockaddr_in local, foreign;

	s = packet_get_connection_in();

	r = sizeof(local);
	memset(&local, 0, sizeof(local));
	if (getsockname(s, (struct sockaddr *) & local, &r) < 0)
		debug("getsockname failed: %.100s", strerror(errno));
	r = sizeof(foreign);
	memset(&foreign, 0, sizeof(foreign));
	if (getpeername(s, (struct sockaddr *) & foreign, &r) < 0) {
		debug("getpeername failed: %.100s", strerror(errno));
		fatal_cleanup();
	}
	instance[0] = '*';
	instance[1] = 0;

	/* Get the encrypted request, challenge, and session key. */
	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
		packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
		return 0;
	}
	des_key_sched((des_cblock *) adat.session, schedule);

	*client = xmalloc(MAX_K_NAME_SZ);
	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
	    *adat.pinst ? "." : "", adat.pinst, adat.prealm);

	/* Check ~/.klogin authorization now. */
	if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
		packet_send_debug("Kerberos V4 .klogin authorization failed!");
		log("Kerberos V4 .klogin authorization failed for %s to account %s",
		    *client, server_user);
		xfree(*client);
		return 0;
	}
	/* Increment the checksum, and return it encrypted with the
	   session key. */
	cksum = adat.checksum + 1;
	cksum = htonl(cksum);

	/* If we can't successfully encrypt the checksum, we send back an
	   empty message, admitting our failure. */
	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
	    schedule, &adat.session, &local, &foreign)) < 0) {
		packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
		reply.dat[0] = 0;
		reply.length = 0;
	} else
		reply.length = r;

	/* Clear session key. */
	memset(&adat.session, 0, sizeof(&adat.session));

	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
	packet_put_string((char *) reply.dat, reply.length);
	packet_send();
	packet_write_wait();
	return 1;
}
#endif /* KRB4 */

#ifdef AFS
int 
auth_kerberos_tgt(struct passwd *pw, const char *string)
{
	CREDENTIALS creds;

	if (!radix_to_creds(string, &creds)) {
		log("Protocol error decoding Kerberos V4 tgt");
		packet_send_debug("Protocol error decoding Kerberos V4 tgt");
		goto auth_kerberos_tgt_failure;
	}
	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
		strlcpy(creds.service, "krbtgt", sizeof creds.service);

	if (strcmp(creds.service, "krbtgt")) {
		log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
		    creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
		    pw->pw_name);
		packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
		    creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
		    creds.realm, pw->pw_name);
		goto auth_kerberos_tgt_failure;
	}
	if (!krb4_init(pw->pw_uid))
		goto auth_kerberos_tgt_failure;

	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
		goto auth_kerberos_tgt_failure;

	if (save_credentials(creds.service, creds.instance, creds.realm,
	    creds.session, creds.lifetime, creds.kvno,
	    &creds.ticket_st, creds.issue_date) != KSUCCESS) {
		packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
		goto auth_kerberos_tgt_failure;
	}
	/* Successful authentication, passed all checks. */
	chown(tkt_string(), pw->pw_uid, pw->pw_gid);

	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
	    creds.service, creds.instance, creds.realm, creds.pname,
	    creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
	memset(&creds, 0, sizeof(creds));
	packet_start(SSH_SMSG_SUCCESS);
	packet_send();
	packet_write_wait();
	return 1;

auth_kerberos_tgt_failure:
	krb4_cleanup_proc(NULL);
	memset(&creds, 0, sizeof(creds));
	packet_start(SSH_SMSG_FAILURE);
	packet_send();
	packet_write_wait();
	return 0;
}

int 
auth_afs_token(struct passwd *pw, const char *token_string)
{
	CREDENTIALS creds;
	uid_t uid = pw->pw_uid;

	if (!radix_to_creds(token_string, &creds)) {
		log("Protocol error decoding AFS token");
		packet_send_debug("Protocol error decoding AFS token");
		packet_start(SSH_SMSG_FAILURE);
		packet_send();
		packet_write_wait();
		return 0;
	}
	if (strncmp(creds.service, "", 1) == 0)	/* backward compatibility */
		strlcpy(creds.service, "afs", sizeof creds.service);

	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
		uid = atoi(creds.pname + 7);

	if (kafs_settoken(creds.realm, uid, &creds)) {
		log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
		    pw->pw_name);
		packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
		    creds.realm, pw->pw_name);
		memset(&creds, 0, sizeof(creds));
		packet_start(SSH_SMSG_FAILURE);
		packet_send();
		packet_write_wait();
		return 0;
	}
	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
	    creds.realm, creds.pname, creds.realm);
	memset(&creds, 0, sizeof(creds));
	packet_start(SSH_SMSG_SUCCESS);
	packet_send();
	packet_write_wait();
	return 1;
}
#endif /* AFS */
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	* Dug Song <dugsong@UMICH.EDU>
	3	* Kerberos v4 authentication and ticket-passing routines.
	4	*/
8efc0c15	5
	6	#include "includes.h"
	7	#include "packet.h"
	8	#include "xmalloc.h"
	9	#include "ssh.h"
	10
	11	#ifdef KRB4
6a17f9c2	12	char *ticket = NULL;
	13
	14	void
	15	krb4_cleanup_proc(void *ignore)
	16	{
5260325f	17	debug("krb4_cleanup_proc called");
	18	if (ticket) {
	19	(void) dest_tkt();
	20	xfree(ticket);
	21	ticket = NULL;
	22	}
6a17f9c2	23	}
6a17f9c2	24
5260325f	25	int
5260325f	26	krb4_init(uid_t uid)
8efc0c15	27	{
5260325f	28	static int cleanup_registered = 0;
	29	char *tkt_root = TKT_ROOT;
	30	struct stat st;
	31	int fd;
	32
	33	if (!ticket) {
	34	/* Set unique ticket string manually since we're still root. */
	35	ticket = xmalloc(MAXPATHLEN);
8efc0c15	36	#ifdef AFS
5260325f	37	if (lstat("/ticket", &st) != -1)
5260325f	38	tkt_root = "/ticket/";
8efc0c15	39	#endif /* AFS */
5260325f	40	snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
	41	(void) krb_set_tkt_string(ticket);
	42	}
	43	/* Register ticket cleanup in case of fatal error. */
	44	if (!cleanup_registered) {
	45	fatal_add_cleanup(krb4_cleanup_proc, NULL);
	46	cleanup_registered = 1;
	47	}
	48	/* Try to create our ticket file. */
	49	if ((fd = mkstemp(ticket)) != -1) {
	50	close(fd);
	51	return 1;
	52	}
	53	/* Ticket file exists - make sure user owns it (just passed ticket). */
	54	if (lstat(ticket, &st) != -1) {
	55	if (st.st_mode == (S_IFREG \| S_IRUSR \| S_IWUSR) &&
	56	st.st_uid == uid)
	57	return 1;
	58	}
	59	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
	60	log("WARNING: bad ticket file %s", ticket);
	61	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
	62	cleanup_registered = 0;
	63	xfree(ticket);
	64	ticket = NULL;
	65
	66	return 0;
8efc0c15	67	}
8efc0c15	68
5260325f	69	int
5260325f	70	auth_krb4(const char server_user, KTEXT auth, char *client)
8efc0c15	71	{
5260325f	72	AUTH_DAT adat = {0};
	73	KTEXT_ST reply;
	74	char instance[INST_SZ];
	75	int r, s;
	76	u_int cksum;
	77	Key_schedule schedule;
	78	struct sockaddr_in local, foreign;
	79
	80	s = packet_get_connection_in();
	81
	82	r = sizeof(local);
	83	memset(&local, 0, sizeof(local));
	84	if (getsockname(s, (struct sockaddr *) & local, &r) < 0)
	85	debug("getsockname failed: %.100s", strerror(errno));
	86	r = sizeof(foreign);
	87	memset(&foreign, 0, sizeof(foreign));
	88	if (getpeername(s, (struct sockaddr *) & foreign, &r) < 0) {
	89	debug("getpeername failed: %.100s", strerror(errno));
	90	fatal_cleanup();
	91	}
	92	instance[0] = '*';
	93	instance[1] = 0;
	94
	95	/* Get the encrypted request, challenge, and session key. */
	96	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
	97	packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
	98	return 0;
	99	}
	100	des_key_sched((des_cblock *) adat.session, schedule);
	101
	102	*client = xmalloc(MAX_K_NAME_SZ);
	103	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
	104	*adat.pinst ? "." : "", adat.pinst, adat.prealm);
	105
	106	/* Check ~/.klogin authorization now. */
	107	if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
	108	packet_send_debug("Kerberos V4 .klogin authorization failed!");
	109	log("Kerberos V4 .klogin authorization failed for %s to account %s",
	110	*client, server_user);
	111	xfree(*client);
	112	return 0;
	113	}
	114	/* Increment the checksum, and return it encrypted with the
	115	session key. */
	116	cksum = adat.checksum + 1;
	117	cksum = htonl(cksum);
	118
	119	/* If we can't successfully encrypt the checksum, we send back an
	120	empty message, admitting our failure. */
	121	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
	122	schedule, &adat.session, &local, &foreign)) < 0) {
	123	packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
	124	reply.dat[0] = 0;
	125	reply.length = 0;
	126	} else
	127	reply.length = r;
	128
	129	/* Clear session key. */
	130	memset(&adat.session, 0, sizeof(&adat.session));
	131
	132	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
	133	packet_put_string((char *) reply.dat, reply.length);
	134	packet_send();
	135	packet_write_wait();
136	return 1;
8efc0c15	137	}
	138	#endif /* KRB4 */
	139
	140	#ifdef AFS
5260325f	141	int
5260325f	142	auth_kerberos_tgt(struct passwd pw, const char string)
8efc0c15	143	{
5260325f	144	CREDENTIALS creds;
	145
	146	if (!radix_to_creds(string, &creds)) {
	147	log("Protocol error decoding Kerberos V4 tgt");
	148	packet_send_debug("Protocol error decoding Kerberos V4 tgt");
	149	goto auth_kerberos_tgt_failure;
	150	}
	151	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
	152	strlcpy(creds.service, "krbtgt", sizeof creds.service);
	153
	154	if (strcmp(creds.service, "krbtgt")) {
	155	log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
	156	creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
	157	pw->pw_name);
	158	packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
	159	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
	160	creds.realm, pw->pw_name);
	161	goto auth_kerberos_tgt_failure;
	162	}
	163	if (!krb4_init(pw->pw_uid))
	164	goto auth_kerberos_tgt_failure;
	165
	166	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
	167	goto auth_kerberos_tgt_failure;
	168
	169	if (save_credentials(creds.service, creds.instance, creds.realm,
	170	creds.session, creds.lifetime, creds.kvno,
	171	&creds.ticket_st, creds.issue_date) != KSUCCESS) {
	172	packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
	173	goto auth_kerberos_tgt_failure;
	174	}
	175	/* Successful authentication, passed all checks. */
	176	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
	177
	178	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
	179	creds.service, creds.instance, creds.realm, creds.pname,
	180	creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
	181	memset(&creds, 0, sizeof(creds));
	182	packet_start(SSH_SMSG_SUCCESS);
	183	packet_send();
	184	packet_write_wait();
	185	return 1;
	186
	187	auth_kerberos_tgt_failure:
	188	krb4_cleanup_proc(NULL);
	189	memset(&creds, 0, sizeof(creds));
	190	packet_start(SSH_SMSG_FAILURE);
	191	packet_send();
	192	packet_write_wait();
	193	return 0;
8efc0c15	194	}
8efc0c15	195
5260325f	196	int
5260325f	197	auth_afs_token(struct passwd pw, const char token_string)
8efc0c15	198	{
5260325f	199	CREDENTIALS creds;
	200	uid_t uid = pw->pw_uid;
	201
	202	if (!radix_to_creds(token_string, &creds)) {
	203	log("Protocol error decoding AFS token");
	204	packet_send_debug("Protocol error decoding AFS token");
	205	packet_start(SSH_SMSG_FAILURE);
	206	packet_send();
	207	packet_write_wait();
	208	return 0;
	209	}
	210	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
	211	strlcpy(creds.service, "afs", sizeof creds.service);
	212
	213	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
	214	uid = atoi(creds.pname + 7);
	215
	216	if (kafs_settoken(creds.realm, uid, &creds)) {
	217	log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
	218	pw->pw_name);
	219	packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
	220	creds.realm, pw->pw_name);
	221	memset(&creds, 0, sizeof(creds));
	222	packet_start(SSH_SMSG_FAILURE);
	223	packet_send();
	224	packet_write_wait();
	225	return 0;
	226	}
	227	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
	228	creds.realm, creds.pname, creds.realm);
	229	memset(&creds, 0, sizeof(creds));
	230	packet_start(SSH_SMSG_SUCCESS);
	231	packet_send();
	232	packet_write_wait();
	233	return 1;
8efc0c15	234	}
8efc0c15	235	#endif /* AFS */