gss-serv-krb5.c

   1 /*      $OpenBSD: gss-serv-krb5.c,v 1.2 2003/11/21 11:57:03 djm Exp $   */
   2
   3 /*
   4  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef GSSAPI
  30 #ifdef KRB5
  31
  32 #include "auth.h"
  33 #include "xmalloc.h"
  34 #include "log.h"
  35 #include "servconf.h"
  36
  37 #include "ssh-gss.h"
  38
  39 extern ServerOptions options;
  40
  41 #ifdef HEIMDAL
  42 # include <krb5.h>
  43 #else
  44 # ifdef HAVE_GSSAPI_KRB5
  45 #  include <gssapi_krb5.h>
  46 # elif HAVE_GSSAPI_GSSAPI_KRB5
  47 #  include <gssapi/gssapi_krb5.h>
  48 # endif
  49 #endif
  50
  51 static krb5_context krb_context = NULL;
  52
  53 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
  54
  55 static int
  56 ssh_gssapi_krb5_init()
  57 {
  58         krb5_error_code problem;
  59
  60         if (krb_context != NULL)
  61                 return 1;
  62
  63         problem = krb5_init_context(&krb_context);
  64         if (problem) {
  65                 logit("Cannot initialize krb5 context");
  66                 return 0;
  67         }
  68         krb5_init_ets(krb_context);
  69
  70         return 1;
  71 }
  72
  73 /* Check if this user is OK to login. This only works with krb5 - other
  74  * GSSAPI mechanisms will need their own.
  75  * Returns true if the user is OK to log in, otherwise returns 0
  76  */
  77
  78 static int
  79 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
  80 {
  81         krb5_principal princ;
  82         int retval;
  83
  84         if (ssh_gssapi_krb5_init() == 0)
  85                 return 0;
  86
  87         if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
  88             &princ))) {
  89                 logit("krb5_parse_name(): %.100s",
  90                     krb5_get_err_text(krb_context, retval));
  91                 return 0;
  92         }
  93         if (krb5_kuserok(krb_context, princ, name)) {
  94                 retval = 1;
  95                 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
  96                     name, (char *)client->displayname.value);
  97         } else
  98                 retval = 0;
  99
 100         krb5_free_principal(krb_context, princ);
 101         return retval;
 102 }
 103
 104
 105 /* This writes out any forwarded credentials from the structure populated
 106  * during userauth. Called after we have setuid to the user */
 107
 108 static void
 109 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 110 {
 111         krb5_ccache ccache;
 112         krb5_error_code problem;
 113         krb5_principal princ;
 114         OM_uint32 maj_status, min_status;
 115         int len;
 116
 117         if (client->creds == NULL) {
 118                 debug("No credentials stored");
 119                 return;
 120         }
 121
 122         if (ssh_gssapi_krb5_init() == 0)
 123                 return;
 124
 125 #ifdef HEIMDAL
 126         if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 127                 logit("krb5_cc_gen_new(): %.100s",
 128                     krb5_get_err_text(krb_context, problem));
 129                 return;
 130         }
 131 #else
 132         {
 133                 int tmpfd;
 134                 char ccname[40];
 135
 136                 snprintf(ccname, sizeof(ccname),
 137                     "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
 138
 139                 if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
 140                         logit("mkstemp(): %.100s", strerror(errno));
 141                         problem = errno;
 142                         return;
 143                 }
 144                 if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
 145                         logit("fchmod(): %.100s", strerror(errno));
 146                         close(tmpfd);
 147                         problem = errno;
 148                         return;
 149                 }
 150                 close(tmpfd);
 151                 if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
 152                         logit("krb5_cc_resolve(): %.100s",
 153                             krb5_get_err_text(krb_context, problem));
 154                         return;
 155                 }
 156         }
 157 #endif  /* #ifdef HEIMDAL */
 158
 159         if ((problem = krb5_parse_name(krb_context,
 160             client->exportedname.value, &princ))) {
 161                 logit("krb5_parse_name(): %.100s",
 162                     krb5_get_err_text(krb_context, problem));
 163                 krb5_cc_destroy(krb_context, ccache);
 164                 return;
 165         }
 166
 167         if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
 168                 logit("krb5_cc_initialize(): %.100s",
 169                     krb5_get_err_text(krb_context, problem));
 170                 krb5_free_principal(krb_context, princ);
 171                 krb5_cc_destroy(krb_context, ccache);
 172                 return;
 173         }
 174
 175         krb5_free_principal(krb_context, princ);
 176
 177         if ((maj_status = gss_krb5_copy_ccache(&min_status,
 178             client->creds, ccache))) {
 179                 logit("gss_krb5_copy_ccache() failed");
 180                 krb5_cc_destroy(krb_context, ccache);
 181                 return;
 182         }
 183
 184         client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
 185         client->store.envvar = "KRB5CCNAME";
 186         len = strlen(client->store.filename) + 6;
 187         client->store.envval = xmalloc(len);
 188         snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
 189
 190 #ifdef USE_PAM
 191         if (options.use_pam)
 192                 do_pam_putenv(client->store.envvar, client->store.envval);
 193 #endif
 194
 195         krb5_cc_close(krb_context, ccache);
 196
 197         return;
 198 }
 199
 200 ssh_gssapi_mech gssapi_kerberos_mech = {
 201         "toWM5Slw5Ew8Mqkay+al2g==",
 202         "Kerberos",
 203         {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
 204         NULL,
 205         &ssh_gssapi_krb5_userok,
 206         NULL,
 207         &ssh_gssapi_krb5_storecreds
 208 };
 209
 210 #endif /* KRB5 */
 211
 212 #endif /* GSSAPI */