auth-krb5.c

   1 /*
   2  *    Kerberos v5 authentication and ticket-passing routines.
   3  *
   4  * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
   5  */
   6 /*
   7  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  28  */
  29
  30 #include "includes.h"
  31 RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
  32
  33 #include "ssh.h"
  34 #include "ssh1.h"
  35 #include "packet.h"
  36 #include "xmalloc.h"
  37 #include "log.h"
  38 #include "servconf.h"
  39 #include "uidswap.h"
  40 #include "auth.h"
  41
  42 #ifdef KRB5
  43
  44 #include <krb5.h>
  45
  46 extern ServerOptions     options;
  47
  48 static int
  49 krb5_init(void *context)
  50 {
  51         Authctxt *authctxt = (Authctxt *)context;
  52         krb5_error_code problem;
  53
  54         if (authctxt->krb5_ctx == NULL) {
  55                 problem = krb5_init_context(&authctxt->krb5_ctx);
  56                 if (problem)
  57                         return (problem);
  58                 krb5_init_ets(authctxt->krb5_ctx);
  59         }
  60         return (0);
  61 }
  62
  63 int
  64 auth_krb5_password(Authctxt *authctxt, const char *password)
  65 {
  66 #ifndef HEIMDAL
  67         krb5_creds creds;
  68         krb5_principal server;
  69         char ccname[40];
  70         int tmpfd;
  71 #endif
  72         krb5_error_code problem;
  73         krb5_ccache ccache = NULL;
  74
  75         if (!authctxt->valid)
  76                 return (0);
  77
  78         temporarily_use_uid(authctxt->pw);
  79
  80         problem = krb5_init(authctxt);
  81         if (problem)
  82                 goto out;
  83
  84         problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
  85                     &authctxt->krb5_user);
  86         if (problem)
  87                 goto out;
  88
  89 #ifdef HEIMDAL
  90         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
  91         if (problem)
  92                 goto out;
  93
  94         problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
  95                 authctxt->krb5_user);
  96         if (problem)
  97                 goto out;
  98
  99         restore_uid();
 100
 101         problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
 102             ccache, password, 1, NULL);
 103
 104         temporarily_use_uid(authctxt->pw);
 105
 106         if (problem)
 107                 goto out;
 108         problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
 109             &authctxt->krb5_fwd_ccache);
 110         if (problem)
 111                 goto out;
 112
 113         problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
 114             authctxt->krb5_fwd_ccache);
 115         krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 116         ccache = NULL;
 117         if (problem)
 118                 goto out;
 119
 120 #else
 121         problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
 122             authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
 123         if (problem)
 124                 goto out;
 125
 126         problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
 127             KRB5_NT_SRV_HST, &server);
 128         if (problem)
 129                 goto out;
 130
 131         restore_uid();
 132         problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
 133             NULL, NULL, NULL);
 134         krb5_free_principal(authctxt->krb5_ctx, server);
 135         temporarily_use_uid(authctxt->pw);
 136         if (problem)
 137                 goto out;
 138
 139         if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
 140                           authctxt->pw->pw_name)) {
 141                 problem = -1;
 142                 goto out;
 143         }
 144
 145         snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
 146
 147         if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
 148                 logit("mkstemp(): %.100s", strerror(errno));
 149                 problem = errno;
 150                 goto out;
 151         }
 152
 153         if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
 154                 logit("fchmod(): %.100s", strerror(errno));
 155                 close(tmpfd);
 156                 problem = errno;
 157                 goto out;
 158         }
 159         close(tmpfd);
 160
 161         problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
 162         if (problem)
 163                 goto out;
 164
 165         problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 166                                      authctxt->krb5_user);
 167         if (problem)
 168                 goto out;
 169
 170         problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
 171                                  &creds);
 172         if (problem)
 173                 goto out;
 174 #endif
 175
 176         authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 177
 178  out:
 179         restore_uid();
 180
 181         if (problem) {
 182                 if (ccache)
 183                         krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 184
 185                 if (authctxt->krb5_ctx != NULL && problem!=-1)
 186                         debug("Kerberos password authentication failed: %s",
 187                             krb5_get_err_text(authctxt->krb5_ctx, problem));
 188                 else
 189                         debug("Kerberos password authentication failed: %d",
 190                             problem);
 191
 192                 krb5_cleanup_proc(authctxt);
 193
 194                 if (options.kerberos_or_local_passwd)
 195                         return (-1);
 196                 else
 197                         return (0);
 198         }
 199         return (1);
 200 }
 201
 202 void
 203 krb5_cleanup_proc(Authctxt *authctxt)
 204 {
 205         debug("krb5_cleanup_proc called");
 206         if (authctxt->krb5_fwd_ccache) {
 207                 krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 208                 authctxt->krb5_fwd_ccache = NULL;
 209         }
 210         if (authctxt->krb5_user) {
 211                 krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
 212                 authctxt->krb5_user = NULL;
 213         }
 214         if (authctxt->krb5_ctx) {
 215                 krb5_free_context(authctxt->krb5_ctx);
 216                 authctxt->krb5_ctx = NULL;
 217         }
 218 }
 219
 220 #endif /* KRB5 */