auth-krb5.c

   1 /*
   2  *    Kerberos v5 authentication and ticket-passing routines.
   3  *
   4  * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
   5  */
   6 /*
   7  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  28  */
  29
  30 #include "includes.h"
  31 RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
  32
  33 #include "ssh.h"
  34 #include "ssh1.h"
  35 #include "packet.h"
  36 #include "xmalloc.h"
  37 #include "log.h"
  38 #include "servconf.h"
  39 #include "uidswap.h"
  40 #include "auth.h"
  41
  42 #ifdef KRB5
  43 #include <krb5.h>
  44
  45 extern ServerOptions     options;
  46
  47 static int
  48 krb5_init(void *context)
  49 {
  50         Authctxt *authctxt = (Authctxt *)context;
  51         krb5_error_code problem;
  52
  53         if (authctxt->krb5_ctx == NULL) {
  54                 problem = krb5_init_context(&authctxt->krb5_ctx);
  55                 if (problem)
  56                         return (problem);
  57 #ifdef KRB5_INIT_ETS
  58                 krb5_init_ets(authctxt->krb5_ctx);
  59 #endif
  60         }
  61         return (0);
  62 }
  63
  64 int
  65 auth_krb5_password(Authctxt *authctxt, const char *password)
  66 {
  67 #ifndef HEIMDAL
  68         krb5_creds creds;
  69         krb5_principal server;
  70         char ccname[40];
  71         int tmpfd;
  72 #endif
  73         krb5_error_code problem;
  74         krb5_ccache ccache = NULL;
  75
  76         if (!authctxt->valid)
  77                 return (0);
  78
  79         temporarily_use_uid(authctxt->pw);
  80
  81         problem = krb5_init(authctxt);
  82         if (problem)
  83                 goto out;
  84
  85         problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
  86                     &authctxt->krb5_user);
  87         if (problem)
  88                 goto out;
  89
  90 #ifdef HEIMDAL
  91         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
  92         if (problem)
  93                 goto out;
  94
  95         problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
  96                 authctxt->krb5_user);
  97         if (problem)
  98                 goto out;
  99
 100         restore_uid();
 101
 102         problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
 103             ccache, password, 1, NULL);
 104
 105         temporarily_use_uid(authctxt->pw);
 106
 107         if (problem)
 108                 goto out;
 109
 110         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
 111             &authctxt->krb5_fwd_ccache);
 112         if (problem)
 113                 goto out;
 114
 115         problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
 116             authctxt->krb5_fwd_ccache);
 117         krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 118         ccache = NULL;
 119         if (problem)
 120                 goto out;
 121
 122 #else
 123         problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
 124             authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
 125         if (problem)
 126                 goto out;
 127
 128         problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
 129             KRB5_NT_SRV_HST, &server);
 130         if (problem)
 131                 goto out;
 132
 133         restore_uid();
 134         problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
 135             NULL, NULL, NULL);
 136         krb5_free_principal(authctxt->krb5_ctx, server);
 137         temporarily_use_uid(authctxt->pw);
 138         if (problem)
 139                 goto out;
 140
 141         if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
 142                           authctxt->pw->pw_name)) {
 143                 problem = -1;
 144                 goto out;
 145         }
 146
 147         snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
 148
 149         if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
 150                 logit("mkstemp(): %.100s", strerror(errno));
 151                 problem = errno;
 152                 goto out;
 153         }
 154
 155         if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 156                 logit("fchmod(): %.100s", strerror(errno));
 157                 close(tmpfd);
 158                 problem = errno;
 159                 goto out;
 160         }
 161         close(tmpfd);
 162
 163         problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
 164         if (problem)
 165                 goto out;
 166
 167         problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 168                                      authctxt->krb5_user);
 169         if (problem)
 170                 goto out;
 171
 172         problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 173                                  &creds);
 174         if (problem)
 175                 goto out;
 176 #endif
 177
 178         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 179
 180  out:
 181         restore_uid();
 182
 183         if (problem) {
 184                 if (ccache)
 185                         krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 186
 187                 if (authctxt->krb5_ctx != NULL && problem!=-1)
 188                         debug("Kerberos password authentication failed: %s",
 189                             krb5_get_err_text(authctxt->krb5_ctx, problem));
 190                 else
 191                         debug("Kerberos password authentication failed: %d",
 192                             problem);
 193
 194                 krb5_cleanup_proc(authctxt);
 195
 196                 if (options.kerberos_or_local_passwd)
 197                         return (-1);
 198                 else
 199                         return (0);
 200         }
 201         return (1);
 202 }
 203
 204 void
 205 krb5_cleanup_proc(Authctxt *authctxt)
 206 {
 207         debug("krb5_cleanup_proc called");
 208         if (authctxt->krb5_fwd_ccache) {
 209                 krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 210                 authctxt->krb5_fwd_ccache = NULL;
 211         }
 212         if (authctxt->krb5_user) {
 213                 krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 214                 authctxt->krb5_user = NULL;
 215         }
 216         if (authctxt->krb5_ctx) {
 217                 krb5_free_context(authctxt->krb5_ctx);
 218                 authctxt->krb5_ctx = NULL;
 219         }
 220 }
 221
 222 #endif /* KRB5 */