[openssh.git] / auth-krb4.c

/*

   auth-kerberos.c

   Dug Song <dugsong@UMICH.EDU>

   Kerberos v4 authentication and ticket-passing routines.

   $Id$
*/

#include "includes.h"
#include "packet.h"
#include "xmalloc.h"
#include "ssh.h"

#ifdef KRB4
char *ticket = NULL;

void
krb4_cleanup_proc(void *ignore)
{
  debug("krb4_cleanup_proc called");
  
  if (ticket) {
    (void) dest_tkt();
    xfree(ticket);
    ticket = NULL;
  }
}

int krb4_init(uid_t uid)
{
  static int cleanup_registered = 0;
  char *tkt_root = TKT_ROOT;
  struct stat st;
  int fd;

  if (!ticket) {
    /* Set unique ticket string manually since we're still root. */
    ticket = xmalloc(MAXPATHLEN);
#ifdef AFS
    if (lstat("/ticket", &st) != -1)
      tkt_root = "/ticket/";
#endif /* AFS */
    snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
    (void) krb_set_tkt_string(ticket);
  }
  /* Register ticket cleanup in case of fatal error. */
  if (!cleanup_registered) {
    fatal_add_cleanup(krb4_cleanup_proc, NULL);
    cleanup_registered = 1;
  }
  /* Try to create our ticket file. */
  if ((fd = mkstemp(ticket)) != -1) {
    close(fd);
    return 1;
  }
  /* Ticket file exists - make sure user owns it (just passed ticket). */
  if (lstat(ticket, &st) != -1) {
    if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid)
      return 1;
  }
  /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
  log("WARNING: bad ticket file %s", ticket);
  fatal_remove_cleanup(krb4_cleanup_proc, NULL);
  cleanup_registered = 0;
  xfree(ticket);
  ticket = NULL;
  
  return 0;
}

int auth_krb4(const char *server_user, KTEXT auth, char **client)
{
  AUTH_DAT adat   = { 0 };
  KTEXT_ST reply;
  char instance[INST_SZ];
  int r, s;
  u_int cksum;
  Key_schedule schedule;
  struct sockaddr_in local, foreign;
  
  s = packet_get_connection_in();
  
  r = sizeof(local);
  memset(&local, 0, sizeof(local));
  if (getsockname(s, (struct sockaddr *) &local, &r) < 0)
    debug("getsockname failed: %.100s", strerror(errno));
  r = sizeof(foreign);
  memset(&foreign, 0, sizeof(foreign));
  if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0)
    debug("getpeername failed: %.100s", strerror(errno));
  
  instance[0] = '*'; instance[1] = 0;
  
  /* Get the encrypted request, challenge, and session key. */
  if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
    packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
    return 0;
  }
  des_key_sched((des_cblock *)adat.session, schedule);
  
  *client = xmalloc(MAX_K_NAME_SZ);
  (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
                  *adat.pinst ? "." : "", adat.pinst, adat.prealm);

  /* Check ~/.klogin authorization now. */
  if (kuserok(&adat, (char *)server_user) != KSUCCESS) {
    packet_send_debug("Kerberos V4 .klogin authorization failed!");
    log("Kerberos V4 .klogin authorization failed for %s to account %s",
	*client, server_user);
    return 0;
  }
  /* Increment the checksum, and return it encrypted with the session key. */
  cksum = adat.checksum + 1;
  cksum = htonl(cksum);
  
  /* If we can't successfully encrypt the checksum, we send back an empty
     message, admitting our failure. */
  if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1,
		       schedule, &adat.session, &local, &foreign)) < 0) {
    packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
    reply.dat[0] = 0;
    reply.length = 0;
  }
  else reply.length = r;
  
  /* Clear session key. */
  memset(&adat.session, 0, sizeof(&adat.session));
  
  packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
  packet_put_string((char *) reply.dat, reply.length);
  packet_send();
  packet_write_wait();
  return 1;
}
#endif /* KRB4 */

#ifdef AFS
int auth_kerberos_tgt(struct passwd *pw, const char *string)
{
  CREDENTIALS creds;
  
  if (!radix_to_creds(string, &creds)) {
    log("Protocol error decoding Kerberos V4 tgt");
    packet_send_debug("Protocol error decoding Kerberos V4 tgt");
    goto auth_kerberos_tgt_failure;
  }
  if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
    strlcpy(creds.service, "krbtgt", sizeof creds.service);
  
  if (strcmp(creds.service, "krbtgt")) {
    log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
	creds.pinst[0] ? "." : "", creds.pinst, creds.realm, pw->pw_name);
    packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
		      creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
		      creds.realm, pw->pw_name);
    goto auth_kerberos_tgt_failure;
  }
  if (!krb4_init(pw->pw_uid))
    goto auth_kerberos_tgt_failure;

  if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
    goto auth_kerberos_tgt_failure;
  
  if (save_credentials(creds.service, creds.instance, creds.realm,
		       creds.session, creds.lifetime, creds.kvno,
		       &creds.ticket_st, creds.issue_date) != KSUCCESS) {
    packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
    goto auth_kerberos_tgt_failure;
  }
  /* Successful authentication, passed all checks. */
  chown(tkt_string(), pw->pw_uid, pw->pw_gid);
  
  packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
		    creds.service, creds.instance, creds.realm, creds.pname,
		    creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
  memset(&creds, 0, sizeof(creds));
  packet_start(SSH_SMSG_SUCCESS);
  packet_send();
  packet_write_wait();
  return 1;
  
 auth_kerberos_tgt_failure:
  krb4_cleanup_proc(NULL);
  memset(&creds, 0, sizeof(creds));
  packet_start(SSH_SMSG_FAILURE);
  packet_send();
  packet_write_wait();
  return 0;
}

int auth_afs_token(struct passwd *pw, const char *token_string)
{
  CREDENTIALS creds;
  uid_t uid = pw->pw_uid;

  if (!radix_to_creds(token_string, &creds)) {
    log("Protocol error decoding AFS token");
    packet_send_debug("Protocol error decoding AFS token");
    packet_start(SSH_SMSG_FAILURE);
    packet_send();
    packet_write_wait();
    return 0;
  }
  if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
    strlcpy(creds.service, "afs", sizeof creds.service);
  
  if (strncmp(creds.pname, "AFS ID ", 7) == 0)
    uid = atoi(creds.pname + 7);
  
  if (kafs_settoken(creds.realm, uid, &creds)) {
    log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
	pw->pw_name);
    packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
		      creds.realm, pw->pw_name);
    memset(&creds, 0, sizeof(creds));
    packet_start(SSH_SMSG_FAILURE);
    packet_send();
    packet_write_wait();
    return 0;
  }
  packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
		    creds.realm, creds.pname, creds.realm);
  memset(&creds, 0, sizeof(creds));
  packet_start(SSH_SMSG_SUCCESS);
  packet_send();
  packet_write_wait();
  return 1;
}
#endif /* AFS */
Commit	Line	Data
8efc0c15	1	/*
	2
	3	auth-kerberos.c
	4
	5	Dug Song <dugsong@UMICH.EDU>
	6
	7	Kerberos v4 authentication and ticket-passing routines.
	8
	9	$Id$
	10	*/
	11
	12	#include "includes.h"
	13	#include "packet.h"
	14	#include "xmalloc.h"
	15	#include "ssh.h"
	16
	17	#ifdef KRB4
6a17f9c2	18	char *ticket = NULL;
	19
	20	void
	21	krb4_cleanup_proc(void *ignore)
	22	{
	23	debug("krb4_cleanup_proc called");
	24
	25	if (ticket) {
	26	(void) dest_tkt();
	27	xfree(ticket);
	28	ticket = NULL;
	29	}
	30	}
	31
	32	int krb4_init(uid_t uid)
8efc0c15	33	{
6a17f9c2	34	static int cleanup_registered = 0;
8efc0c15	35	char *tkt_root = TKT_ROOT;
	36	struct stat st;
	37	int fd;
6a17f9c2	38
	39	if (!ticket) {
	40	/* Set unique ticket string manually since we're still root. */
	41	ticket = xmalloc(MAXPATHLEN);
8efc0c15	42	#ifdef AFS
6a17f9c2	43	if (lstat("/ticket", &st) != -1)
6a17f9c2	44	tkt_root = "/ticket/";
8efc0c15	45	#endif /* AFS */
6a17f9c2	46	snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
	47	(void) krb_set_tkt_string(ticket);
	48	}
	49	/* Register ticket cleanup in case of fatal error. */
	50	if (!cleanup_registered) {
	51	fatal_add_cleanup(krb4_cleanup_proc, NULL);
	52	cleanup_registered = 1;
	53	}
	54	/* Try to create our ticket file. */
	55	if ((fd = mkstemp(ticket)) != -1) {
	56	close(fd);
	57	return 1;
8efc0c15	58	}
6a17f9c2	59	/* Ticket file exists - make sure user owns it (just passed ticket). */
6a17f9c2	60	if (lstat(ticket, &st) != -1) {
8efc0c15	61	if (st.st_mode == (S_IFREG\|S_IRUSR\|S_IWUSR) && st.st_uid == uid)
	62	return 1;
	63	}
6a17f9c2	64	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
8efc0c15	65	log("WARNING: bad ticket file %s", ticket);
6a17f9c2	66	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
	67	cleanup_registered = 0;
	68	xfree(ticket);
	69	ticket = NULL;
	70
8efc0c15	71	return 0;
	72	}
	73
	74	int auth_krb4(const char server_user, KTEXT auth, char *client)
	75	{
	76	AUTH_DAT adat = { 0 };
	77	KTEXT_ST reply;
	78	char instance[INST_SZ];
	79	int r, s;
	80	u_int cksum;
	81	Key_schedule schedule;
	82	struct sockaddr_in local, foreign;
	83
	84	s = packet_get_connection_in();
	85
	86	r = sizeof(local);
	87	memset(&local, 0, sizeof(local));
	88	if (getsockname(s, (struct sockaddr *) &local, &r) < 0)
	89	debug("getsockname failed: %.100s", strerror(errno));
	90	r = sizeof(foreign);
	91	memset(&foreign, 0, sizeof(foreign));
	92	if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0)
	93	debug("getpeername failed: %.100s", strerror(errno));
	94
	95	instance[0] = '*'; instance[1] = 0;
	96
	97	/* Get the encrypted request, challenge, and session key. */
	98	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
	99	packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
	100	return 0;
	101	}
	102	des_key_sched((des_cblock *)adat.session, schedule);
	103
	104	*client = xmalloc(MAX_K_NAME_SZ);
	105	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
	106	*adat.pinst ? "." : "", adat.pinst, adat.prealm);
	107
	108	/* Check ~/.klogin authorization now. */
	109	if (kuserok(&adat, (char *)server_user) != KSUCCESS) {
	110	packet_send_debug("Kerberos V4 .klogin authorization failed!");
	111	log("Kerberos V4 .klogin authorization failed for %s to account %s",
	112	*client, server_user);
	113	return 0;
	114	}
	115	/* Increment the checksum, and return it encrypted with the session key. */
	116	cksum = adat.checksum + 1;
	117	cksum = htonl(cksum);
	118
	119	/* If we can't successfully encrypt the checksum, we send back an empty
	120	message, admitting our failure. */
	121	if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1,
	122	schedule, &adat.session, &local, &foreign)) < 0) {
	123	packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
	124	reply.dat[0] = 0;
	125	reply.length = 0;
	126	}
6a17f9c2	127	else reply.length = r;
8efc0c15	128
	129	/* Clear session key. */
	130	memset(&adat.session, 0, sizeof(&adat.session));
	131
	132	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
	133	packet_put_string((char *) reply.dat, reply.length);
	134	packet_send();
	135	packet_write_wait();
	136	return 1;
	137	}
	138	#endif /* KRB4 */
	139
	140	#ifdef AFS
	141	int auth_kerberos_tgt(struct passwd pw, const char string)
	142	{
	143	CREDENTIALS creds;
8efc0c15	144
	145	if (!radix_to_creds(string, &creds)) {
	146	log("Protocol error decoding Kerberos V4 tgt");
	147	packet_send_debug("Protocol error decoding Kerberos V4 tgt");
	148	goto auth_kerberos_tgt_failure;
	149	}
	150	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
	151	strlcpy(creds.service, "krbtgt", sizeof creds.service);
	152
	153	if (strcmp(creds.service, "krbtgt")) {
6a17f9c2	154	log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
	155	creds.pinst[0] ? "." : "", creds.pinst, creds.realm, pw->pw_name);
	156	packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
8efc0c15	157	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
6a17f9c2	158	creds.realm, pw->pw_name);
8efc0c15	159	goto auth_kerberos_tgt_failure;
8efc0c15	160	}
6a17f9c2	161	if (!krb4_init(pw->pw_uid))
	162	goto auth_kerberos_tgt_failure;
	163
	164	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
	165	goto auth_kerberos_tgt_failure;
	166
	167	if (save_credentials(creds.service, creds.instance, creds.realm,
	168	creds.session, creds.lifetime, creds.kvno,
	169	&creds.ticket_st, creds.issue_date) != KSUCCESS) {
8efc0c15	170	packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
	171	goto auth_kerberos_tgt_failure;
	172	}
	173	/* Successful authentication, passed all checks. */
6a17f9c2	174	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
8efc0c15	175
6a17f9c2	176	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
	177	creds.service, creds.instance, creds.realm, creds.pname,
	178	creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
	179	memset(&creds, 0, sizeof(creds));
8efc0c15	180	packet_start(SSH_SMSG_SUCCESS);
	181	packet_send();
	182	packet_write_wait();
	183	return 1;
6a17f9c2	184
	185	auth_kerberos_tgt_failure:
	186	krb4_cleanup_proc(NULL);
8efc0c15	187	memset(&creds, 0, sizeof(creds));
	188	packet_start(SSH_SMSG_FAILURE);
	189	packet_send();
	190	packet_write_wait();
	191	return 0;
	192	}
	193
f2effd93	194	int auth_afs_token(struct passwd pw, const char token_string)
8efc0c15	195	{
8efc0c15	196	CREDENTIALS creds;
f2effd93	197	uid_t uid = pw->pw_uid;
8efc0c15	198
f2effd93	199	if (!radix_to_creds(token_string, &creds)) {
8efc0c15	200	log("Protocol error decoding AFS token");
	201	packet_send_debug("Protocol error decoding AFS token");
	202	packet_start(SSH_SMSG_FAILURE);
	203	packet_send();
	204	packet_write_wait();
	205	return 0;
	206	}
	207	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
	208	strlcpy(creds.service, "afs", sizeof creds.service);
	209
	210	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
	211	uid = atoi(creds.pname + 7);
	212
	213	if (kafs_settoken(creds.realm, uid, &creds)) {
6a17f9c2	214	log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
	215	pw->pw_name);
	216	packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
	217	creds.realm, pw->pw_name);
	218	memset(&creds, 0, sizeof(creds));
8efc0c15	219	packet_start(SSH_SMSG_FAILURE);
	220	packet_send();
	221	packet_write_wait();
	222	return 0;
	223	}
	224	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
	225	creds.realm, creds.pname, creds.realm);
6a17f9c2	226	memset(&creds, 0, sizeof(creds));
8efc0c15	227	packet_start(SSH_SMSG_SUCCESS);
	228	packet_send();
	229	packet_write_wait();
	230	return 1;
	231	}
	232	#endif /* AFS */