]>
Commit | Line | Data |
---|---|---|
8efc0c15 | 1 | /* |
bcbf86ec | 2 | * Copyright (c) 1999 Dug Song. All rights reserved. |
3 | * | |
4 | * Redistribution and use in source and binary forms, with or without | |
5 | * modification, are permitted provided that the following conditions | |
6 | * are met: | |
7 | * 1. Redistributions of source code must retain the above copyright | |
8 | * notice, this list of conditions and the following disclaimer. | |
9 | * 2. Redistributions in binary form must reproduce the above copyright | |
10 | * notice, this list of conditions and the following disclaimer in the | |
11 | * documentation and/or other materials provided with the distribution. | |
12 | * | |
13 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
14 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
15 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
16 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
17 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
18 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
19 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
20 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
21 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
22 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
5260325f | 23 | */ |
8efc0c15 | 24 | |
25 | #include "includes.h" | |
53a24016 | 26 | RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $"); |
42f11eb2 | 27 | |
42f11eb2 | 28 | #include "ssh.h" |
29 | #include "ssh1.h" | |
8efc0c15 | 30 | #include "packet.h" |
31 | #include "xmalloc.h" | |
42f11eb2 | 32 | #include "log.h" |
57112b5a | 33 | #include "servconf.h" |
42f11eb2 | 34 | #include "auth.h" |
53a24016 | 35 | |
36 | #ifdef AFS | |
42f11eb2 | 37 | #include "radix.h" |
53a24016 | 38 | #endif |
8efc0c15 | 39 | |
53a24016 | 40 | #ifdef KRB4 |
6a17f9c2 | 41 | char *ticket = NULL; |
42 | ||
57112b5a | 43 | extern ServerOptions options; |
44 | ||
45 | /* | |
46 | * try krb4 authentication, | |
47 | * return 1 on success, 0 on failure, -1 if krb4 is not available | |
48 | */ | |
49 | ||
6ae2364d | 50 | int |
57112b5a | 51 | auth_krb4_password(struct passwd * pw, const char *password) |
52 | { | |
53 | AUTH_DAT adata; | |
54 | KTEXT_ST tkt; | |
55 | struct hostent *hp; | |
1e3b8b07 | 56 | u_long faddr; |
57112b5a | 57 | char localhost[MAXHOSTNAMELEN]; |
58 | char phost[INST_SZ]; | |
59 | char realm[REALM_SZ]; | |
60 | int r; | |
61 | ||
62 | /* | |
63 | * Try Kerberos password authentication only for non-root | |
64 | * users and only if Kerberos is installed. | |
65 | */ | |
66 | if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { | |
67 | ||
68 | /* Set up our ticket file. */ | |
69 | if (!krb4_init(pw->pw_uid)) { | |
70 | log("Couldn't initialize Kerberos ticket file for %s!", | |
71 | pw->pw_name); | |
72 | goto kerberos_auth_failure; | |
73 | } | |
74 | /* Try to get TGT using our password. */ | |
75 | r = krb_get_pw_in_tkt((char *) pw->pw_name, "", | |
76 | realm, "krbtgt", realm, | |
77 | DEFAULT_TKT_LIFE, (char *) password); | |
78 | if (r != INTK_OK) { | |
79 | packet_send_debug("Kerberos V4 password " | |
80 | "authentication for %s failed: %s", | |
81 | pw->pw_name, krb_err_txt[r]); | |
82 | goto kerberos_auth_failure; | |
83 | } | |
84 | /* Successful authentication. */ | |
85 | chown(tkt_string(), pw->pw_uid, pw->pw_gid); | |
86 | ||
87 | /* | |
88 | * Now that we have a TGT, try to get a local | |
89 | * "rcmd" ticket to ensure that we are not talking | |
90 | * to a bogus Kerberos server. | |
91 | */ | |
92 | (void) gethostname(localhost, sizeof(localhost)); | |
93 | (void) strlcpy(phost, (char *) krb_get_phost(localhost), | |
94 | INST_SZ); | |
95 | r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); | |
96 | ||
97 | if (r == KSUCCESS) { | |
98 | if (!(hp = gethostbyname(localhost))) { | |
99 | log("Couldn't get local host address!"); | |
100 | goto kerberos_auth_failure; | |
101 | } | |
102 | memmove((void *) &faddr, (void *) hp->h_addr, | |
103 | sizeof(faddr)); | |
104 | ||
105 | /* Verify our "rcmd" ticket. */ | |
106 | r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, | |
107 | faddr, &adata, ""); | |
108 | if (r == RD_AP_UNDEC) { | |
109 | /* | |
110 | * Probably didn't have a srvtab on | |
c345cf9d | 111 | * localhost. Disallow login. |
57112b5a | 112 | */ |
113 | log("Kerberos V4 TGT for %s unverifiable, " | |
114 | "no srvtab installed? krb_rd_req: %s", | |
115 | pw->pw_name, krb_err_txt[r]); | |
c345cf9d | 116 | goto kerberos_auth_failure; |
57112b5a | 117 | } else if (r != KSUCCESS) { |
118 | log("Kerberos V4 %s ticket unverifiable: %s", | |
119 | KRB4_SERVICE_NAME, krb_err_txt[r]); | |
120 | goto kerberos_auth_failure; | |
121 | } | |
122 | } else if (r == KDC_PR_UNKNOWN) { | |
123 | /* | |
c345cf9d | 124 | * Disallow login if no rcmd service exists, and |
57112b5a | 125 | * log the error. |
126 | */ | |
127 | log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " | |
128 | "not registered, or srvtab is wrong?", pw->pw_name, | |
129 | krb_err_txt[r], KRB4_SERVICE_NAME, phost); | |
c345cf9d | 130 | goto kerberos_auth_failure; |
57112b5a | 131 | } else { |
132 | /* | |
133 | * TGT is bad, forget it. Possibly spoofed! | |
134 | */ | |
135 | packet_send_debug("WARNING: Kerberos V4 TGT " | |
136 | "possibly spoofed for %s: %s", | |
137 | pw->pw_name, krb_err_txt[r]); | |
138 | goto kerberos_auth_failure; | |
139 | } | |
140 | ||
141 | /* Authentication succeeded. */ | |
142 | return 1; | |
143 | ||
144 | kerberos_auth_failure: | |
145 | krb4_cleanup_proc(NULL); | |
146 | ||
147 | if (!options.kerberos_or_local_passwd) | |
148 | return 0; | |
149 | } else { | |
150 | /* Logging in as root or no local Kerberos realm. */ | |
151 | packet_send_debug("Unable to authenticate to Kerberos."); | |
152 | } | |
153 | /* Fall back to ordinary passwd authentication. */ | |
154 | return -1; | |
155 | } | |
156 | ||
6a17f9c2 | 157 | void |
158 | krb4_cleanup_proc(void *ignore) | |
159 | { | |
5260325f | 160 | debug("krb4_cleanup_proc called"); |
161 | if (ticket) { | |
162 | (void) dest_tkt(); | |
163 | xfree(ticket); | |
164 | ticket = NULL; | |
165 | } | |
6a17f9c2 | 166 | } |
167 | ||
6ae2364d | 168 | int |
5260325f | 169 | krb4_init(uid_t uid) |
8efc0c15 | 170 | { |
5260325f | 171 | static int cleanup_registered = 0; |
4fe2af09 | 172 | const char *tkt_root = TKT_ROOT; |
5260325f | 173 | struct stat st; |
174 | int fd; | |
175 | ||
176 | if (!ticket) { | |
177 | /* Set unique ticket string manually since we're still root. */ | |
178 | ticket = xmalloc(MAXPATHLEN); | |
8efc0c15 | 179 | #ifdef AFS |
5260325f | 180 | if (lstat("/ticket", &st) != -1) |
181 | tkt_root = "/ticket/"; | |
8efc0c15 | 182 | #endif /* AFS */ |
14a9a859 | 183 | snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid()); |
5260325f | 184 | (void) krb_set_tkt_string(ticket); |
185 | } | |
186 | /* Register ticket cleanup in case of fatal error. */ | |
187 | if (!cleanup_registered) { | |
188 | fatal_add_cleanup(krb4_cleanup_proc, NULL); | |
189 | cleanup_registered = 1; | |
190 | } | |
191 | /* Try to create our ticket file. */ | |
192 | if ((fd = mkstemp(ticket)) != -1) { | |
193 | close(fd); | |
194 | return 1; | |
195 | } | |
196 | /* Ticket file exists - make sure user owns it (just passed ticket). */ | |
197 | if (lstat(ticket, &st) != -1) { | |
198 | if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && | |
199 | st.st_uid == uid) | |
200 | return 1; | |
201 | } | |
202 | /* Failure - cancel cleanup function, leaving bad ticket for inspection. */ | |
203 | log("WARNING: bad ticket file %s", ticket); | |
204 | fatal_remove_cleanup(krb4_cleanup_proc, NULL); | |
205 | cleanup_registered = 0; | |
206 | xfree(ticket); | |
207 | ticket = NULL; | |
208 | ||
209 | return 0; | |
8efc0c15 | 210 | } |
211 | ||
6ae2364d | 212 | int |
5260325f | 213 | auth_krb4(const char *server_user, KTEXT auth, char **client) |
8efc0c15 | 214 | { |
5260325f | 215 | AUTH_DAT adat = {0}; |
216 | KTEXT_ST reply; | |
217 | char instance[INST_SZ]; | |
218 | int r, s; | |
610cd5c6 | 219 | socklen_t slen; |
5260325f | 220 | u_int cksum; |
221 | Key_schedule schedule; | |
222 | struct sockaddr_in local, foreign; | |
223 | ||
224 | s = packet_get_connection_in(); | |
225 | ||
610cd5c6 | 226 | slen = sizeof(local); |
5260325f | 227 | memset(&local, 0, sizeof(local)); |
610cd5c6 | 228 | if (getsockname(s, (struct sockaddr *) & local, &slen) < 0) |
5260325f | 229 | debug("getsockname failed: %.100s", strerror(errno)); |
610cd5c6 | 230 | slen = sizeof(foreign); |
5260325f | 231 | memset(&foreign, 0, sizeof(foreign)); |
610cd5c6 | 232 | if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) { |
5260325f | 233 | debug("getpeername failed: %.100s", strerror(errno)); |
234 | fatal_cleanup(); | |
235 | } | |
236 | instance[0] = '*'; | |
237 | instance[1] = 0; | |
238 | ||
239 | /* Get the encrypted request, challenge, and session key. */ | |
240 | if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) { | |
241 | packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]); | |
242 | return 0; | |
243 | } | |
244 | des_key_sched((des_cblock *) adat.session, schedule); | |
245 | ||
246 | *client = xmalloc(MAX_K_NAME_SZ); | |
247 | (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, | |
248 | *adat.pinst ? "." : "", adat.pinst, adat.prealm); | |
249 | ||
250 | /* Check ~/.klogin authorization now. */ | |
251 | if (kuserok(&adat, (char *) server_user) != KSUCCESS) { | |
252 | packet_send_debug("Kerberos V4 .klogin authorization failed!"); | |
253 | log("Kerberos V4 .klogin authorization failed for %s to account %s", | |
254 | *client, server_user); | |
255 | xfree(*client); | |
256 | return 0; | |
257 | } | |
258 | /* Increment the checksum, and return it encrypted with the | |
259 | session key. */ | |
260 | cksum = adat.checksum + 1; | |
261 | cksum = htonl(cksum); | |
262 | ||
263 | /* If we can't successfully encrypt the checksum, we send back an | |
264 | empty message, admitting our failure. */ | |
265 | if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1, | |
266 | schedule, &adat.session, &local, &foreign)) < 0) { | |
267 | packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]); | |
268 | reply.dat[0] = 0; | |
269 | reply.length = 0; | |
270 | } else | |
271 | reply.length = r; | |
272 | ||
273 | /* Clear session key. */ | |
274 | memset(&adat.session, 0, sizeof(&adat.session)); | |
275 | ||
276 | packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); | |
277 | packet_put_string((char *) reply.dat, reply.length); | |
278 | packet_send(); | |
279 | packet_write_wait(); | |
280 | return 1; | |
8efc0c15 | 281 | } |
282 | #endif /* KRB4 */ | |
283 | ||
284 | #ifdef AFS | |
6ae2364d | 285 | int |
5260325f | 286 | auth_kerberos_tgt(struct passwd *pw, const char *string) |
8efc0c15 | 287 | { |
5260325f | 288 | CREDENTIALS creds; |
289 | ||
94ec8c6b | 290 | if (pw == NULL) |
291 | goto auth_kerberos_tgt_failure; | |
5260325f | 292 | if (!radix_to_creds(string, &creds)) { |
293 | log("Protocol error decoding Kerberos V4 tgt"); | |
294 | packet_send_debug("Protocol error decoding Kerberos V4 tgt"); | |
295 | goto auth_kerberos_tgt_failure; | |
296 | } | |
297 | if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ | |
298 | strlcpy(creds.service, "krbtgt", sizeof creds.service); | |
299 | ||
300 | if (strcmp(creds.service, "krbtgt")) { | |
301 | log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname, | |
302 | creds.pinst[0] ? "." : "", creds.pinst, creds.realm, | |
303 | pw->pw_name); | |
304 | packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", | |
305 | creds.pname, creds.pinst[0] ? "." : "", creds.pinst, | |
306 | creds.realm, pw->pw_name); | |
307 | goto auth_kerberos_tgt_failure; | |
308 | } | |
309 | if (!krb4_init(pw->pw_uid)) | |
310 | goto auth_kerberos_tgt_failure; | |
311 | ||
312 | if (in_tkt(creds.pname, creds.pinst) != KSUCCESS) | |
313 | goto auth_kerberos_tgt_failure; | |
314 | ||
315 | if (save_credentials(creds.service, creds.instance, creds.realm, | |
316 | creds.session, creds.lifetime, creds.kvno, | |
317 | &creds.ticket_st, creds.issue_date) != KSUCCESS) { | |
318 | packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials"); | |
319 | goto auth_kerberos_tgt_failure; | |
320 | } | |
321 | /* Successful authentication, passed all checks. */ | |
322 | chown(tkt_string(), pw->pw_uid, pw->pw_gid); | |
323 | ||
324 | packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)", | |
325 | creds.service, creds.instance, creds.realm, creds.pname, | |
326 | creds.pinst[0] ? "." : "", creds.pinst, creds.realm); | |
327 | memset(&creds, 0, sizeof(creds)); | |
328 | packet_start(SSH_SMSG_SUCCESS); | |
329 | packet_send(); | |
330 | packet_write_wait(); | |
331 | return 1; | |
332 | ||
333 | auth_kerberos_tgt_failure: | |
334 | krb4_cleanup_proc(NULL); | |
335 | memset(&creds, 0, sizeof(creds)); | |
336 | packet_start(SSH_SMSG_FAILURE); | |
337 | packet_send(); | |
338 | packet_write_wait(); | |
339 | return 0; | |
8efc0c15 | 340 | } |
341 | ||
6ae2364d | 342 | int |
5260325f | 343 | auth_afs_token(struct passwd *pw, const char *token_string) |
8efc0c15 | 344 | { |
5260325f | 345 | CREDENTIALS creds; |
94ec8c6b | 346 | uid_t uid; |
5260325f | 347 | |
94ec8c6b | 348 | if (pw == NULL) { |
349 | /* XXX fake protocol error */ | |
350 | packet_send_debug("Protocol error decoding AFS token"); | |
351 | packet_start(SSH_SMSG_FAILURE); | |
352 | packet_send(); | |
353 | packet_write_wait(); | |
354 | return 0; | |
355 | } | |
5260325f | 356 | if (!radix_to_creds(token_string, &creds)) { |
357 | log("Protocol error decoding AFS token"); | |
358 | packet_send_debug("Protocol error decoding AFS token"); | |
359 | packet_start(SSH_SMSG_FAILURE); | |
360 | packet_send(); | |
361 | packet_write_wait(); | |
362 | return 0; | |
363 | } | |
364 | if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ | |
365 | strlcpy(creds.service, "afs", sizeof creds.service); | |
366 | ||
367 | if (strncmp(creds.pname, "AFS ID ", 7) == 0) | |
368 | uid = atoi(creds.pname + 7); | |
94ec8c6b | 369 | else |
370 | uid = pw->pw_uid; | |
5260325f | 371 | |
372 | if (kafs_settoken(creds.realm, uid, &creds)) { | |
373 | log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm, | |
374 | pw->pw_name); | |
375 | packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname, | |
376 | creds.realm, pw->pw_name); | |
377 | memset(&creds, 0, sizeof(creds)); | |
378 | packet_start(SSH_SMSG_FAILURE); | |
379 | packet_send(); | |
380 | packet_write_wait(); | |
381 | return 0; | |
382 | } | |
383 | packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service, | |
384 | creds.realm, creds.pname, creds.realm); | |
385 | memset(&creds, 0, sizeof(creds)); | |
386 | packet_start(SSH_SMSG_SUCCESS); | |
387 | packet_send(); | |
388 | packet_write_wait(); | |
389 | return 1; | |
8efc0c15 | 390 | } |
391 | #endif /* AFS */ |