auth-krb4.c

   1 /*
   2  *    Dug Song <dugsong@UMICH.EDU>
   3  *    Kerberos v4 authentication and ticket-passing routines.
   4  */
   5
   6 #include "includes.h"
   7 #include "packet.h"
   8 #include "xmalloc.h"
   9 #include "ssh.h"
  10 #include "servconf.h"
  11
  12 RCSID("$OpenBSD: auth-krb4.c,v 1.15 2000/06/22 23:54:59 djm Exp $");
  13
  14 #ifdef KRB4
  15 char *ticket = NULL;
  16
  17 extern ServerOptions options;
  18
  19 /*
  20  * try krb4 authentication,
  21  * return 1 on success, 0 on failure, -1 if krb4 is not available
  22  */
  23
  24 int
  25 auth_krb4_password(struct passwd * pw, const char *password)
  26 {
  27         AUTH_DAT adata;
  28         KTEXT_ST tkt;
  29         struct hostent *hp;
  30         unsigned long faddr;
  31         char localhost[MAXHOSTNAMELEN];
  32         char phost[INST_SZ];
  33         char realm[REALM_SZ];
  34         int r;
  35
  36         /*
  37          * Try Kerberos password authentication only for non-root
  38          * users and only if Kerberos is installed.
  39          */
  40         if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
  41
  42                 /* Set up our ticket file. */
  43                 if (!krb4_init(pw->pw_uid)) {
  44                         log("Couldn't initialize Kerberos ticket file for %s!",
  45                             pw->pw_name);
  46                         goto kerberos_auth_failure;
  47                 }
  48                 /* Try to get TGT using our password. */
  49                 r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
  50                     realm, "krbtgt", realm,
  51                     DEFAULT_TKT_LIFE, (char *) password);
  52                 if (r != INTK_OK) {
  53                         packet_send_debug("Kerberos V4 password "
  54                             "authentication for %s failed: %s",
  55                             pw->pw_name, krb_err_txt[r]);
  56                         goto kerberos_auth_failure;
  57                 }
  58                 /* Successful authentication. */
  59                 chown(tkt_string(), pw->pw_uid, pw->pw_gid);
  60
  61                 /*
  62                  * Now that we have a TGT, try to get a local
  63                  * "rcmd" ticket to ensure that we are not talking
  64                  * to a bogus Kerberos server.
  65                  */
  66                 (void) gethostname(localhost, sizeof(localhost));
  67                 (void) strlcpy(phost, (char *) krb_get_phost(localhost),
  68                     INST_SZ);
  69                 r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
  70
  71                 if (r == KSUCCESS) {
  72                         if (!(hp = gethostbyname(localhost))) {
  73                                 log("Couldn't get local host address!");
  74                                 goto kerberos_auth_failure;
  75                         }
  76                         memmove((void *) &faddr, (void *) hp->h_addr,
  77                             sizeof(faddr));
  78
  79                         /* Verify our "rcmd" ticket. */
  80                         r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
  81                             faddr, &adata, "");
  82                         if (r == RD_AP_UNDEC) {
  83                                 /*
  84                                  * Probably didn't have a srvtab on
  85                                  * localhost. Allow login.
  86                                  */
  87                                 log("Kerberos V4 TGT for %s unverifiable, "
  88                                     "no srvtab installed? krb_rd_req: %s",
  89                                     pw->pw_name, krb_err_txt[r]);
  90                         } else if (r != KSUCCESS) {
  91                                 log("Kerberos V4 %s ticket unverifiable: %s",
  92                                     KRB4_SERVICE_NAME, krb_err_txt[r]);
  93                                 goto kerberos_auth_failure;
  94                         }
  95                 } else if (r == KDC_PR_UNKNOWN) {
  96                         /*
  97                          * Allow login if no rcmd service exists, but
  98                          * log the error.
  99                          */
 100                         log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
 101                             "not registered, or srvtab is wrong?", pw->pw_name,
 102                         krb_err_txt[r], KRB4_SERVICE_NAME, phost);
 103                 } else {
 104                         /*
 105                          * TGT is bad, forget it. Possibly spoofed!
 106                          */
 107                         packet_send_debug("WARNING: Kerberos V4 TGT "
 108                             "possibly spoofed for %s: %s",
 109                             pw->pw_name, krb_err_txt[r]);
 110                         goto kerberos_auth_failure;
 111                 }
 112
 113                 /* Authentication succeeded. */
 114                 return 1;
 115
 116 kerberos_auth_failure:
 117                 krb4_cleanup_proc(NULL);
 118
 119                 if (!options.kerberos_or_local_passwd)
 120                         return 0;
 121         } else {
 122                 /* Logging in as root or no local Kerberos realm. */
 123                 packet_send_debug("Unable to authenticate to Kerberos.");
 124         }
 125         /* Fall back to ordinary passwd authentication. */
 126         return -1;
 127 }
 128
 129 void
 130 krb4_cleanup_proc(void *ignore)
 131 {
 132         debug("krb4_cleanup_proc called");
 133         if (ticket) {
 134                 (void) dest_tkt();
 135                 xfree(ticket);
 136                 ticket = NULL;
 137         }
 138 }
 139
 140 int
 141 krb4_init(uid_t uid)
 142 {
 143         static int cleanup_registered = 0;
 144         const char *tkt_root = TKT_ROOT;
 145         struct stat st;
 146         int fd;
 147
 148         if (!ticket) {
 149                 /* Set unique ticket string manually since we're still root. */
 150                 ticket = xmalloc(MAXPATHLEN);
 151 #ifdef AFS
 152                 if (lstat("/ticket", &st) != -1)
 153                         tkt_root = "/ticket/";
 154 #endif /* AFS */
 155                 snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
 156                 (void) krb_set_tkt_string(ticket);
 157         }
 158         /* Register ticket cleanup in case of fatal error. */
 159         if (!cleanup_registered) {
 160                 fatal_add_cleanup(krb4_cleanup_proc, NULL);
 161                 cleanup_registered = 1;
 162         }
 163         /* Try to create our ticket file. */
 164         if ((fd = mkstemp(ticket)) != -1) {
 165                 close(fd);
 166                 return 1;
 167         }
 168         /* Ticket file exists - make sure user owns it (just passed ticket). */
 169         if (lstat(ticket, &st) != -1) {
 170                 if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
 171                     st.st_uid == uid)
 172                         return 1;
 173         }
 174         /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
 175         log("WARNING: bad ticket file %s", ticket);
 176         fatal_remove_cleanup(krb4_cleanup_proc, NULL);
 177         cleanup_registered = 0;
 178         xfree(ticket);
 179         ticket = NULL;
 180
 181         return 0;
 182 }
 183
 184 int
 185 auth_krb4(const char *server_user, KTEXT auth, char **client)
 186 {
 187         AUTH_DAT adat = {0};
 188         KTEXT_ST reply;
 189         char instance[INST_SZ];
 190         int r, s;
 191         socklen_t slen;
 192         u_int cksum;
 193         Key_schedule schedule;
 194         struct sockaddr_in local, foreign;
 195
 196         s = packet_get_connection_in();
 197
 198         slen = sizeof(local);
 199         memset(&local, 0, sizeof(local));
 200         if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
 201                 debug("getsockname failed: %.100s", strerror(errno));
 202         slen = sizeof(foreign);
 203         memset(&foreign, 0, sizeof(foreign));
 204         if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
 205                 debug("getpeername failed: %.100s", strerror(errno));
 206                 fatal_cleanup();
 207         }
 208         instance[0] = '*';
 209         instance[1] = 0;
 210
 211         /* Get the encrypted request, challenge, and session key. */
 212         if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
 213                 packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
 214                 return 0;
 215         }
 216         des_key_sched((des_cblock *) adat.session, schedule);
 217
 218         *client = xmalloc(MAX_K_NAME_SZ);
 219         (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
 220             *adat.pinst ? "." : "", adat.pinst, adat.prealm);
 221
 222         /* Check ~/.klogin authorization now. */
 223         if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
 224                 packet_send_debug("Kerberos V4 .klogin authorization failed!");
 225                 log("Kerberos V4 .klogin authorization failed for %s to account %s",
 226                     *client, server_user);
 227                 xfree(*client);
 228                 return 0;
 229         }
 230         /* Increment the checksum, and return it encrypted with the
 231            session key. */
 232         cksum = adat.checksum + 1;
 233         cksum = htonl(cksum);
 234
 235         /* If we can't successfully encrypt the checksum, we send back an
 236            empty message, admitting our failure. */
 237         if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
 238             schedule, &adat.session, &local, &foreign)) < 0) {
 239                 packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
 240                 reply.dat[0] = 0;
 241                 reply.length = 0;
 242         } else
 243                 reply.length = r;
 244
 245         /* Clear session key. */
 246         memset(&adat.session, 0, sizeof(&adat.session));
 247
 248         packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
 249         packet_put_string((char *) reply.dat, reply.length);
 250         packet_send();
 251         packet_write_wait();
 252         return 1;
 253 }
 254 #endif /* KRB4 */
 255
 256 #ifdef AFS
 257 int
 258 auth_kerberos_tgt(struct passwd *pw, const char *string)
 259 {
 260         CREDENTIALS creds;
 261
 262         if (!radix_to_creds(string, &creds)) {
 263                 log("Protocol error decoding Kerberos V4 tgt");
 264                 packet_send_debug("Protocol error decoding Kerberos V4 tgt");
 265                 goto auth_kerberos_tgt_failure;
 266         }
 267         if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
 268                 strlcpy(creds.service, "krbtgt", sizeof creds.service);
 269
 270         if (strcmp(creds.service, "krbtgt")) {
 271                 log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
 272                     creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
 273                     pw->pw_name);
 274                 packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
 275                     creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
 276                     creds.realm, pw->pw_name);
 277                 goto auth_kerberos_tgt_failure;
 278         }
 279         if (!krb4_init(pw->pw_uid))
 280                 goto auth_kerberos_tgt_failure;
 281
 282         if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
 283                 goto auth_kerberos_tgt_failure;
 284
 285         if (save_credentials(creds.service, creds.instance, creds.realm,
 286             creds.session, creds.lifetime, creds.kvno,
 287             &creds.ticket_st, creds.issue_date) != KSUCCESS) {
 288                 packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
 289                 goto auth_kerberos_tgt_failure;
 290         }
 291         /* Successful authentication, passed all checks. */
 292         chown(tkt_string(), pw->pw_uid, pw->pw_gid);
 293
 294         packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
 295             creds.service, creds.instance, creds.realm, creds.pname,
 296             creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
 297         memset(&creds, 0, sizeof(creds));
 298         packet_start(SSH_SMSG_SUCCESS);
 299         packet_send();
 300         packet_write_wait();
 301         return 1;
 302
 303 auth_kerberos_tgt_failure:
 304         krb4_cleanup_proc(NULL);
 305         memset(&creds, 0, sizeof(creds));
 306         packet_start(SSH_SMSG_FAILURE);
 307         packet_send();
 308         packet_write_wait();
 309         return 0;
 310 }
 311
 312 int
 313 auth_afs_token(struct passwd *pw, const char *token_string)
 314 {
 315         CREDENTIALS creds;
 316         uid_t uid = pw->pw_uid;
 317
 318         if (!radix_to_creds(token_string, &creds)) {
 319                 log("Protocol error decoding AFS token");
 320                 packet_send_debug("Protocol error decoding AFS token");
 321                 packet_start(SSH_SMSG_FAILURE);
 322                 packet_send();
 323                 packet_write_wait();
 324                 return 0;
 325         }
 326         if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
 327                 strlcpy(creds.service, "afs", sizeof creds.service);
 328
 329         if (strncmp(creds.pname, "AFS ID ", 7) == 0)
 330                 uid = atoi(creds.pname + 7);
 331
 332         if (kafs_settoken(creds.realm, uid, &creds)) {
 333                 log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
 334                     pw->pw_name);
 335                 packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
 336                     creds.realm, pw->pw_name);
 337                 memset(&creds, 0, sizeof(creds));
 338                 packet_start(SSH_SMSG_FAILURE);
 339                 packet_send();
 340                 packet_write_wait();
 341                 return 0;
 342         }
 343         packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
 344             creds.realm, creds.pname, creds.realm);
 345         memset(&creds, 0, sizeof(creds));
 346         packet_start(SSH_SMSG_SUCCESS);
 347         packet_send();
 348         packet_write_wait();
 349         return 1;
 350 }
 351 #endif /* AFS */