- krb5_init_ets(authctxt->krb5_ctx);
- }
- if (!cleanup_registered) {
- fatal_add_cleanup(krb5_cleanup_proc, authctxt);
- cleanup_registered = 1;
- }
- return (0);
-}
-
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
- krb5_error_code problem;
- krb5_principal server;
- krb5_ticket *ticket;
- int fd, ret;
-
- ret = 0;
- server = NULL;
- ticket = NULL;
- reply->length = 0;
-
- problem = krb5_init(authctxt);
- if (problem)
- goto err;
-
- problem = krb5_auth_con_init(authctxt->krb5_ctx,
- &authctxt->krb5_auth_ctx);
- if (problem)
- goto err;
-
- fd = packet_get_connection_in();
-#ifdef HEIMDAL
- problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
- authctxt->krb5_auth_ctx, &fd);
-#else
- problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
- authctxt->krb5_auth_ctx,fd,
- KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
- if (problem)
- goto err;
-
- problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
- KRB5_NT_SRV_HST, &server);
- if (problem)
- goto err;
-
- problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
- auth, server, NULL, NULL, &ticket);
- if (problem)
- goto err;
-
-#ifdef HEIMDAL
- problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
- &authctxt->krb5_user);
-#else
- problem = krb5_copy_principal(authctxt->krb5_ctx,
- ticket->enc_part2->client,
- &authctxt->krb5_user);
-#endif
- if (problem)
- goto err;
-
- /* if client wants mutual auth */
- problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
- reply);
- if (problem)
- goto err;
-
- /* Check .k5login authorization now. */
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name))
- goto err;
-
- if (client)
- krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
- client);
-
- ret = 1;
- err:
- if (server)
- krb5_free_principal(authctxt->krb5_ctx, server);
- if (ticket)
- krb5_free_ticket(authctxt->krb5_ctx, ticket);
- if (!ret && reply->length) {
- xfree(reply->data);
- memset(reply, 0, sizeof(*reply));
- }
-
- if (problem) {
- if (authctxt->krb5_ctx != NULL)
- debug("Kerberos v5 authentication failed: %s",
- krb5_get_err_text(authctxt->krb5_ctx, problem));
- else
- debug("Kerberos v5 authentication failed: %d",
- problem);