X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/6490a5d579f7eaf838834c13e99ee31ba8bcdcdc..HEAD:/auth-krb5.c diff --git a/auth-krb5.c b/auth-krb5.c index a728ebac..d019fe20 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -1,3 +1,4 @@ +/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */ /* * Kerberos v5 authentication and ticket-passing routines. * @@ -28,18 +29,27 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); +#include +#include +#include + +#include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "packet.h" -#include "xmalloc.h" #include "log.h" +#include "buffer.h" #include "servconf.h" #include "uidswap.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #ifdef KRB5 +#include +#include +#include #include extern ServerOptions options; @@ -54,9 +64,6 @@ krb5_init(void *context) problem = krb5_init_context(&authctxt->krb5_ctx); if (problem) return (problem); -#ifdef KRB5_INIT_ETS - krb5_init_ets(authctxt->krb5_ctx); -#endif } return (0); } @@ -67,15 +74,15 @@ auth_krb5_password(Authctxt *authctxt, const char *password) #ifndef HEIMDAL krb5_creds creds; krb5_principal server; - char ccname[40]; - int tmpfd; #endif krb5_error_code problem; krb5_ccache ccache = NULL; int len; + char *client, *platform_client; - if (!authctxt->valid) - return (0); + /* get platform-specific kerberos client principal name (if it exists) */ + platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name); + client = platform_client ? platform_client : authctxt->pw->pw_name; temporarily_use_uid(authctxt->pw); @@ -83,7 +90,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name, + problem = krb5_parse_name(authctxt->krb5_ctx, client, &authctxt->krb5_user); if (problem) goto out; @@ -139,29 +146,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; - if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, - authctxt->pw->pw_name)) { + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { problem = -1; goto out; } - snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - - if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { - logit("mkstemp(): %.100s", strerror(errno)); - problem = errno; - goto out; - } - - if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { - logit("fchmod(): %.100s", strerror(errno)); - close(tmpfd); - problem = errno; - goto out; - } - close(tmpfd); - - problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache); + problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); if (problem) goto out; @@ -183,8 +173,16 @@ auth_krb5_password(Authctxt *authctxt, const char *password) snprintf(authctxt->krb5_ccname, len, "FILE:%s", authctxt->krb5_ticket_file); +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); +#endif + out: restore_uid(); + + if (platform_client != NULL) + xfree(platform_client); if (problem) { if (ccache) @@ -204,7 +202,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) else return (0); } - return (1); + return (authctxt->valid ? 1 : 0); } void @@ -225,4 +223,34 @@ krb5_cleanup_proc(Authctxt *authctxt) } } +#ifndef HEIMDAL +krb5_error_code +ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { + int tmpfd, ret; + char ccname[40]; + mode_t old_umask; + + ret = snprintf(ccname, sizeof(ccname), + "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); + if (ret < 0 || (size_t)ret >= sizeof(ccname)) + return ENOMEM; + + old_umask = umask(0177); + tmpfd = mkstemp(ccname + strlen("FILE:")); + umask(old_umask); + if (tmpfd == -1) { + logit("mkstemp(): %.100s", strerror(errno)); + return errno; + } + + if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { + logit("fchmod(): %.100s", strerror(errno)); + close(tmpfd); + return errno; + } + close(tmpfd); + + return (krb5_cc_resolve(ctx, ccname, ccache)); +} +#endif /* !HEIMDAL */ #endif /* KRB5 */