auth-krb4.c

   1 /*
   2  *    Dug Song <dugsong@UMICH.EDU>
   3  *    Kerberos v4 authentication and ticket-passing routines.
   4  */
   5
   6 #include "includes.h"
   7 #include "packet.h"
   8 #include "xmalloc.h"
   9 #include "ssh.h"
  10 #include "servconf.h"
  11
  12 #ifdef KRB4
  13 char *ticket = NULL;
  14
  15 extern ServerOptions options;
  16
  17 /*
  18  * try krb4 authentication,
  19  * return 1 on success, 0 on failure, -1 if krb4 is not available
  20  */
  21
  22 int
  23 auth_krb4_password(struct passwd * pw, const char *password)
  24 {
  25         AUTH_DAT adata;
  26         KTEXT_ST tkt;
  27         struct hostent *hp;
  28         unsigned long faddr;
  29         char localhost[MAXHOSTNAMELEN];
  30         char phost[INST_SZ];
  31         char realm[REALM_SZ];
  32         int r;
  33
  34         /*
  35          * Try Kerberos password authentication only for non-root
  36          * users and only if Kerberos is installed.
  37          */
  38         if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
  39
  40                 /* Set up our ticket file. */
  41                 if (!krb4_init(pw->pw_uid)) {
  42                         log("Couldn't initialize Kerberos ticket file for %s!",
  43                             pw->pw_name);
  44                         goto kerberos_auth_failure;
  45                 }
  46                 /* Try to get TGT using our password. */
  47                 r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
  48                     realm, "krbtgt", realm,
  49                     DEFAULT_TKT_LIFE, (char *) password);
  50                 if (r != INTK_OK) {
  51                         packet_send_debug("Kerberos V4 password "
  52                             "authentication for %s failed: %s",
  53                             pw->pw_name, krb_err_txt[r]);
  54                         goto kerberos_auth_failure;
  55                 }
  56                 /* Successful authentication. */
  57                 chown(tkt_string(), pw->pw_uid, pw->pw_gid);
  58
  59                 /*
  60                  * Now that we have a TGT, try to get a local
  61                  * "rcmd" ticket to ensure that we are not talking
  62                  * to a bogus Kerberos server.
  63                  */
  64                 (void) gethostname(localhost, sizeof(localhost));
  65                 (void) strlcpy(phost, (char *) krb_get_phost(localhost),
  66                     INST_SZ);
  67                 r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
  68
  69                 if (r == KSUCCESS) {
  70                         if (!(hp = gethostbyname(localhost))) {
  71                                 log("Couldn't get local host address!");
  72                                 goto kerberos_auth_failure;
  73                         }
  74                         memmove((void *) &faddr, (void *) hp->h_addr,
  75                             sizeof(faddr));
  76
  77                         /* Verify our "rcmd" ticket. */
  78                         r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
  79                             faddr, &adata, "");
  80                         if (r == RD_AP_UNDEC) {
  81                                 /*
  82                                  * Probably didn't have a srvtab on
  83                                  * localhost. Allow login.
  84                                  */
  85                                 log("Kerberos V4 TGT for %s unverifiable, "
  86                                     "no srvtab installed? krb_rd_req: %s",
  87                                     pw->pw_name, krb_err_txt[r]);
  88                         } else if (r != KSUCCESS) {
  89                                 log("Kerberos V4 %s ticket unverifiable: %s",
  90                                     KRB4_SERVICE_NAME, krb_err_txt[r]);
  91                                 goto kerberos_auth_failure;
  92                         }
  93                 } else if (r == KDC_PR_UNKNOWN) {
  94                         /*
  95                          * Allow login if no rcmd service exists, but
  96                          * log the error.
  97                          */
  98                         log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
  99                             "not registered, or srvtab is wrong?", pw->pw_name,
 100                         krb_err_txt[r], KRB4_SERVICE_NAME, phost);
 101                 } else {
 102                         /*
 103                          * TGT is bad, forget it. Possibly spoofed!
 104                          */
 105                         packet_send_debug("WARNING: Kerberos V4 TGT "
 106                             "possibly spoofed for %s: %s",
 107                             pw->pw_name, krb_err_txt[r]);
 108                         goto kerberos_auth_failure;
 109                 }
 110
 111                 /* Authentication succeeded. */
 112                 return 1;
 113
 114 kerberos_auth_failure:
 115                 krb4_cleanup_proc(NULL);
 116
 117                 if (!options.kerberos_or_local_passwd)
 118                         return 0;
 119         } else {
 120                 /* Logging in as root or no local Kerberos realm. */
 121                 packet_send_debug("Unable to authenticate to Kerberos.");
 122         }
 123         /* Fall back to ordinary passwd authentication. */
 124         return -1;
 125 }
 126
 127 void
 128 krb4_cleanup_proc(void *ignore)
 129 {
 130         debug("krb4_cleanup_proc called");
 131         if (ticket) {
 132                 (void) dest_tkt();
 133                 xfree(ticket);
 134                 ticket = NULL;
 135         }
 136 }
 137
 138 int
 139 krb4_init(uid_t uid)
 140 {
 141         static int cleanup_registered = 0;
 142         const char *tkt_root = TKT_ROOT;
 143         struct stat st;
 144         int fd;
 145
 146         if (!ticket) {
 147                 /* Set unique ticket string manually since we're still root. */
 148                 ticket = xmalloc(MAXPATHLEN);
 149 #ifdef AFS
 150                 if (lstat("/ticket", &st) != -1)
 151                         tkt_root = "/ticket/";
 152 #endif /* AFS */
 153                 snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid());
 154                 (void) krb_set_tkt_string(ticket);
 155         }
 156         /* Register ticket cleanup in case of fatal error. */
 157         if (!cleanup_registered) {
 158                 fatal_add_cleanup(krb4_cleanup_proc, NULL);
 159                 cleanup_registered = 1;
 160         }
 161         /* Try to create our ticket file. */
 162         if ((fd = mkstemp(ticket)) != -1) {
 163                 close(fd);
 164                 return 1;
 165         }
 166         /* Ticket file exists - make sure user owns it (just passed ticket). */
 167         if (lstat(ticket, &st) != -1) {
 168                 if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
 169                     st.st_uid == uid)
 170                         return 1;
 171         }
 172         /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
 173         log("WARNING: bad ticket file %s", ticket);
 174         fatal_remove_cleanup(krb4_cleanup_proc, NULL);
 175         cleanup_registered = 0;
 176         xfree(ticket);
 177         ticket = NULL;
 178
 179         return 0;
 180 }
 181
 182 int
 183 auth_krb4(const char *server_user, KTEXT auth, char **client)
 184 {
 185         AUTH_DAT adat = {0};
 186         KTEXT_ST reply;
 187         char instance[INST_SZ];
 188         int r, s;
 189         socklen_t slen;
 190         u_int cksum;
 191         Key_schedule schedule;
 192         struct sockaddr_in local, foreign;
 193
 194         s = packet_get_connection_in();
 195
 196         slen = sizeof(local);
 197         memset(&local, 0, sizeof(local));
 198         if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
 199                 debug("getsockname failed: %.100s", strerror(errno));
 200         slen = sizeof(foreign);
 201         memset(&foreign, 0, sizeof(foreign));
 202         if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
 203                 debug("getpeername failed: %.100s", strerror(errno));
 204                 fatal_cleanup();
 205         }
 206         instance[0] = '*';
 207         instance[1] = 0;
 208
 209         /* Get the encrypted request, challenge, and session key. */
 210         if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
 211                 packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
 212                 return 0;
 213         }
 214         des_key_sched((des_cblock *) adat.session, schedule);
 215
 216         *client = xmalloc(MAX_K_NAME_SZ);
 217         (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
 218             *adat.pinst ? "." : "", adat.pinst, adat.prealm);
 219
 220         /* Check ~/.klogin authorization now. */
 221         if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
 222                 packet_send_debug("Kerberos V4 .klogin authorization failed!");
 223                 log("Kerberos V4 .klogin authorization failed for %s to account %s",
 224                     *client, server_user);
 225                 xfree(*client);
 226                 return 0;
 227         }
 228         /* Increment the checksum, and return it encrypted with the
 229            session key. */
 230         cksum = adat.checksum + 1;
 231         cksum = htonl(cksum);
 232
 233         /* If we can't successfully encrypt the checksum, we send back an
 234            empty message, admitting our failure. */
 235         if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
 236             schedule, &adat.session, &local, &foreign)) < 0) {
 237                 packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
 238                 reply.dat[0] = 0;
 239                 reply.length = 0;
 240         } else
 241                 reply.length = r;
 242
 243         /* Clear session key. */
 244         memset(&adat.session, 0, sizeof(&adat.session));
 245
 246         packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
 247         packet_put_string((char *) reply.dat, reply.length);
 248         packet_send();
 249         packet_write_wait();
 250         return 1;
 251 }
 252 #endif /* KRB4 */
 253
 254 #ifdef AFS
 255 int
 256 auth_kerberos_tgt(struct passwd *pw, const char *string)
 257 {
 258         CREDENTIALS creds;
 259
 260         if (!radix_to_creds(string, &creds)) {
 261                 log("Protocol error decoding Kerberos V4 tgt");
 262                 packet_send_debug("Protocol error decoding Kerberos V4 tgt");
 263                 goto auth_kerberos_tgt_failure;
 264         }
 265         if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
 266                 strlcpy(creds.service, "krbtgt", sizeof creds.service);
 267
 268         if (strcmp(creds.service, "krbtgt")) {
 269                 log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
 270                     creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
 271                     pw->pw_name);
 272                 packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
 273                     creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
 274                     creds.realm, pw->pw_name);
 275                 goto auth_kerberos_tgt_failure;
 276         }
 277         if (!krb4_init(pw->pw_uid))
 278                 goto auth_kerberos_tgt_failure;
 279
 280         if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
 281                 goto auth_kerberos_tgt_failure;
 282
 283         if (save_credentials(creds.service, creds.instance, creds.realm,
 284             creds.session, creds.lifetime, creds.kvno,
 285             &creds.ticket_st, creds.issue_date) != KSUCCESS) {
 286                 packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
 287                 goto auth_kerberos_tgt_failure;
 288         }
 289         /* Successful authentication, passed all checks. */
 290         chown(tkt_string(), pw->pw_uid, pw->pw_gid);
 291
 292         packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
 293             creds.service, creds.instance, creds.realm, creds.pname,
 294             creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
 295         memset(&creds, 0, sizeof(creds));
 296         packet_start(SSH_SMSG_SUCCESS);
 297         packet_send();
 298         packet_write_wait();
 299         return 1;
 300
 301 auth_kerberos_tgt_failure:
 302         krb4_cleanup_proc(NULL);
 303         memset(&creds, 0, sizeof(creds));
 304         packet_start(SSH_SMSG_FAILURE);
 305         packet_send();
 306         packet_write_wait();
 307         return 0;
 308 }
 309
 310 int
 311 auth_afs_token(struct passwd *pw, const char *token_string)
 312 {
 313         CREDENTIALS creds;
 314         uid_t uid = pw->pw_uid;
 315
 316         if (!radix_to_creds(token_string, &creds)) {
 317                 log("Protocol error decoding AFS token");
 318                 packet_send_debug("Protocol error decoding AFS token");
 319                 packet_start(SSH_SMSG_FAILURE);
 320                 packet_send();
 321                 packet_write_wait();
 322                 return 0;
 323         }
 324         if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
 325                 strlcpy(creds.service, "afs", sizeof creds.service);
 326
 327         if (strncmp(creds.pname, "AFS ID ", 7) == 0)
 328                 uid = atoi(creds.pname + 7);
 329
 330         if (kafs_settoken(creds.realm, uid, &creds)) {
 331                 log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
 332                     pw->pw_name);
 333                 packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
 334                     creds.realm, pw->pw_name);
 335                 memset(&creds, 0, sizeof(creds));
 336                 packet_start(SSH_SMSG_FAILURE);
 337                 packet_send();
 338                 packet_write_wait();
 339                 return 0;
 340         }
 341         packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
 342             creds.realm, creds.pname, creds.realm);
 343         memset(&creds, 0, sizeof(creds));
 344         packet_start(SSH_SMSG_SUCCESS);
 345         packet_send();
 346         packet_write_wait();
 347         return 1;
 348 }
 349 #endif /* AFS */