source: trunk/third/openssh/auth-krb5.c @ 22574

Revision 22574, 6.3 KB checked in by ghudson, 18 years ago (diff)
Merge with OpenSSH 4.2p1. Merge work was done in the svn repository in /afs/dev.mit.edu/project/openssh, and was based on patches from Simon Wilkinson and the krb5 team to add GSSAPI key exchange support and compatibility with OpenSSH 3.5.
Line 
1/*
2 *    Kerberos v5 authentication and ticket-passing routines.
3 *
4 * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
5 */
6/*
7 * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30#include "includes.h"
31RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
32
33#include "ssh.h"
34#include "ssh1.h"
35#include "packet.h"
36#include "xmalloc.h"
37#include "log.h"
38#include "servconf.h"
39#include "uidswap.h"
40#include "auth.h"
41
42#ifdef KRB5
43#include <krb5.h>
44#include <com_err.h>
45
46extern ServerOptions     options;
47
48static int
49krb5_init(void *context)
50{
51        Authctxt *authctxt = (Authctxt *)context;
52        krb5_error_code problem;
53
54        if (authctxt->krb5_ctx == NULL) {
55                problem = krb5_init_context(&authctxt->krb5_ctx);
56                if (problem)
57                        return (problem);
58        }
59        return (0);
60}
61
62int
63auth_krb5_password(Authctxt *authctxt, const char *password)
64{
65#ifndef HEIMDAL
66        krb5_creds creds;
67        krb5_principal server;
68#endif
69        krb5_error_code problem;
70        krb5_ccache ccache = NULL;
71        int len;
72
73        if (!authctxt->valid)
74                return (0);
75
76        temporarily_use_uid(authctxt->pw);
77
78        problem = krb5_init(authctxt);
79        if (problem)
80                goto out;
81
82        problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
83                    &authctxt->krb5_user);
84        if (problem)
85                goto out;
86
87#ifdef HEIMDAL
88        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
89        if (problem)
90                goto out;
91
92        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
93                authctxt->krb5_user);
94        if (problem)
95                goto out;
96
97        restore_uid();
98
99        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
100            ccache, password, 1, NULL);
101
102        temporarily_use_uid(authctxt->pw);
103
104        if (problem)
105                goto out;
106
107        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
108            &authctxt->krb5_fwd_ccache);
109        if (problem)
110                goto out;
111
112        problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
113            authctxt->krb5_fwd_ccache);
114        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
115        ccache = NULL;
116        if (problem)
117                goto out;
118
119#else
120        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
121            authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
122        if (problem)
123                goto out;
124
125        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
126            KRB5_NT_SRV_HST, &server);
127        if (problem)
128                goto out;
129
130        restore_uid();
131        problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
132            NULL, NULL, NULL);
133        krb5_free_principal(authctxt->krb5_ctx, server);
134        temporarily_use_uid(authctxt->pw);
135        if (problem)
136                goto out;
137
138        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
139                          authctxt->pw->pw_name)) {
140                problem = -1;
141                goto out;
142        }
143
144        problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
145        if (problem)
146                goto out;
147
148        problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
149                                     authctxt->krb5_user);
150        if (problem)
151                goto out;
152
153        problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
154                                 &creds);
155        if (problem)
156                goto out;
157#endif
158
159        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
160
161        len = strlen(authctxt->krb5_ticket_file) + 6;
162        authctxt->krb5_ccname = xmalloc(len);
163#ifdef USE_CCAPI
164        snprintf(authctxt->krb5_ccname, len, "API:%s",
165                authctxt->krb5_ticket_file);
166#else
167        snprintf(authctxt->krb5_ccname, len, "FILE:%s",
168            authctxt->krb5_ticket_file);
169#endif
170
171#ifdef USE_PAM
172        if (options.use_pam)
173                do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
174#endif
175
176 out:
177        restore_uid();
178
179        if (problem) {
180                if (ccache)
181                        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
182
183                if (authctxt->krb5_ctx != NULL && problem!=-1)
184                        debug("Kerberos password authentication failed: %s",
185                            krb5_get_err_text(authctxt->krb5_ctx, problem));
186                else
187                        debug("Kerberos password authentication failed: %d",
188                            problem);
189
190                krb5_cleanup_proc(authctxt);
191
192                if (options.kerberos_or_local_passwd)
193                        return (-1);
194                else
195                        return (0);
196        }
197        return (1);
198}
199
200void
201krb5_cleanup_proc(Authctxt *authctxt)
202{
203        debug("krb5_cleanup_proc called");
204        if (authctxt->krb5_fwd_ccache) {
205                krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
206                authctxt->krb5_fwd_ccache = NULL;
207        }
208        if (authctxt->krb5_user) {
209                krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
210                authctxt->krb5_user = NULL;
211        }
212        if (authctxt->krb5_ctx) {
213                krb5_free_context(authctxt->krb5_ctx);
214                authctxt->krb5_ctx = NULL;
215        }
216}
217
218#ifndef HEIMDAL
219krb5_error_code
220ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
221        int ret;
222        char ccname[40];
223#ifndef USE_CCAPI
224        int tmpfd;
225        mode_t old_umask;
226#endif
227
228#ifdef USE_CCAPI
229        ret = snprintf(ccname,sizeof(ccname),"API:krb5cc_%d",geteuid());
230#else   
231        ret = snprintf(ccname, sizeof(ccname),
232            "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
233#endif
234        if (ret == -1 || ret >= sizeof(ccname))
235                return ENOMEM;
236
237#ifndef USE_CCAPI
238        old_umask = umask(0177);
239        tmpfd = mkstemp(ccname + strlen("FILE:"));
240        umask(old_umask);
241        if (tmpfd == -1) {
242                logit("mkstemp(): %.100s", strerror(errno));
243                return errno;
244        }
245
246        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
247                logit("fchmod(): %.100s", strerror(errno));
248                close(tmpfd);
249                return errno;
250        }
251        close(tmpfd);
252#endif
253
254        return (krb5_cc_resolve(ctx, ccname, ccache));
255}
256#endif /* !HEIMDAL */
257#endif /* KRB5 */
Note: See TracBrowser for help on using the repository browser.