93 94#ifdef FORWARD 95int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */ 96 97/* These values need to be the same as those defined in telnet/main.c. */ 98/* Either define them in both places, or put in some common header file. */ 99#define OPTS_FORWARD_CREDS 0x00000002 100#define OPTS_FORWARDABLE_CREDS 0x00000001 101 102void kerberos5_forward(); 103 104#endif /* FORWARD */ 105 106static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, 107 AUTHTYPE_KERBEROS_V5, }; 108/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 109 TELQUAL_NAME, };*/ 110 111#define KRB_AUTH 0 /* Authentication data follows */ 112#define KRB_REJECT 1 /* Rejected (reason might follow) */ 113#define KRB_ACCEPT 2 /* Accepted */ 114#define KRB_RESPONSE 3 /* Response for mutual auth. */ 115 116#ifdef FORWARD 117#define KRB_FORWARD 4 /* Forwarded credentials follow */ 118#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 119#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 120#endif /* FORWARD */ 121 122static krb5_data auth; 123 /* telnetd gets session key from here */ 124static krb5_tkt_authent *authdat = NULL; 125/* telnet matches the AP_REQ and AP_REP with this */ 126static krb5_authenticator authenticator; 127 128/* some compilers can't hack void *, so we use the Kerberos krb5_pointer, 129 which is either void * or char *, depending on the compiler. */ 130 131#define Voidptr krb5_pointer 132 133Block session_key; 134 135 static int 136Data(ap, type, d, c) 137 Authenticator *ap; 138 int type; 139 Voidptr d; 140 int c; 141{ 142 unsigned char *p = str_data + 4; 143 unsigned char *cd = (unsigned char *)d; 144 145 if (c == -1) 146 c = strlen((char *)cd); 147 148 if (auth_debug_mode) { 149 printf("%s:%d: [%d] (%d)", 150 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 151 str_data[3], 152 type, c); 153 printd(d, c); 154 printf("\r\n"); 155 } 156 *p++ = ap->type; 157 *p++ = ap->way; 158 *p++ = type; 159 while (c-- > 0) { 160 if ((*p++ = *cd++) == IAC) 161 *p++ = IAC; 162 } 163 *p++ = IAC; 164 *p++ = SE; 165 if (str_data[3] == TELQUAL_IS) 166 printsub('>', &str_data[2], p - &str_data[2]); 167 return(net_write(str_data, p - str_data)); 168} 169 170 int 171kerberos5_init(ap, server) 172 Authenticator *ap; 173 int server; 174{ 175 if (server) 176 str_data[3] = TELQUAL_REPLY; 177 else 178 str_data[3] = TELQUAL_IS; 179 krb5_init_ets(); 180 return(1); 181} 182 183 int 184kerberos5_send(ap) 185 Authenticator *ap; 186{ 187 char **realms; 188 char *name; 189 char *p1, *p2; 190 krb5_checksum ksum; 191 krb5_octet sum[CRC32_CKSUM_LENGTH]; 192 krb5_principal server; 193 krb5_error_code r; 194 krb5_ccache ccache; 195 krb5_creds creds; /* telnet gets session key from here */ 196 extern krb5_flags krb5_kdc_default_options; 197 int ap_opts; 198 199#ifdef ENCRYPTION 200 krb5_keyblock *newkey = 0; 201#endif /* ENCRYPTION */ 202 203 ksum.checksum_type = CKSUMTYPE_CRC32; 204 ksum.contents = sum; 205 ksum.length = sizeof(sum); 206 memset((Voidptr )sum, 0, sizeof(sum)); 207 208 if (!UserNameRequested) { 209 if (auth_debug_mode) { 210 printf("Kerberos V5: no user name supplied\r\n"); 211 } 212 return(0); 213 } 214 215 if (r = krb5_cc_default(&ccache)) { 216 if (auth_debug_mode) { 217 printf("Kerberos V5: could not get default ccache\r\n"); 218 } 219 return(0); 220 } 221 222 if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) { 223 if (auth_debug_mode) 224 printf("Out of memory for hostname in Kerberos V5\r\n"); 225 return(0); 226 } 227 228 if (r = krb5_get_host_realm(RemoteHostName, &realms)) { 229 if (auth_debug_mode) 230 printf("Kerberos V5: no realm for %s\r\n", RemoteHostName); 231 free(name); 232 return(0); 233 } 234 235 p1 = RemoteHostName; 236 p2 = name; 237 238 while (*p2 = *p1++) { 239 if (isupper(*p2)) 240 *p2 |= 040; 241 ++p2; 242 } 243 244 if (r = krb5_build_principal_ext(&server, 245 strlen(realms[0]), realms[0], 246 4, "host", 247 p2 - name, name, 248 0)) { 249 if (auth_debug_mode) { 250 printf("Kerberos V5: failure setting up principal (%s)\r\n", 251 error_message(r)); 252 } 253 free(name); 254 krb5_free_host_realm(realms); 255 return(0); 256 } 257 258 259 memset((char *)&creds, 0, sizeof(creds)); 260 creds.server = server; 261 262 if (r = krb5_cc_get_principal(ccache, &creds.client)) { 263 if (auth_debug_mode) { 264 printf("Kerberos V5: failure on principal (%s)\r\n", 265 error_message(r)); 266 } 267 free(name); 268 krb5_free_principal(server); 269 krb5_free_host_realm(realms); 270 return(0); 271 } 272 273 if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) { 274 if (auth_debug_mode) { 275 printf("Kerberos V5: failure on credentials(%d)\r\n",r); 276 } 277 free(name); 278 krb5_free_host_realm(realms); 279 krb5_free_principal(server); 280 return(0); 281 } 282 283 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 284 ap_opts = AP_OPTS_MUTUAL_REQUIRED; 285 else 286 ap_opts = 0; 287 288 r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0, 289#ifdef ENCRYPTION 290 &newkey, 291#else /* ENCRYPTION */ 292 0, 293#endif /* ENCRYPTION */ 294 ccache, &creds, &authenticator, &auth); 295 /* don't let the key get freed if we clean up the authenticator */ 296 authenticator.subkey = 0; 297 298 free(name); 299 krb5_free_host_realm(realms); 300 krb5_free_principal(server); 301#ifdef ENCRYPTION 302 if (newkey) { 303 /* keep the key in our private storage, but don't use it 304 yet---see kerberos5_reply() below */ 305 if (newkey->keytype != KEYTYPE_DES) { 306 if (creds.keyblock.keytype == KEYTYPE_DES) 307 /* use the session key in credentials instead */ 308 memmove((char *)session_key, 309 (char *)creds.keyblock.contents, sizeof(Block)); 310 else 311 /* XXX ? */; 312 } else { 313 memmove((char *)session_key, (char *)newkey->contents, 314 sizeof(Block)); 315 } 316 krb5_free_keyblock(newkey); 317 } 318#endif /* ENCRYPTION */ 319 if (r) { 320 if (auth_debug_mode) { 321 printf("Kerberos V5: mk_req failed (%s)\r\n", 322 error_message(r)); 323 } 324 return(0); 325 } 326 327 if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { 328 if (auth_debug_mode) 329 printf("Not enough room for user name\r\n"); 330 return(0); 331 } 332 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 333 if (auth_debug_mode) 334 printf("Not enough room for authentication data\r\n"); 335 return(0); 336 } 337 if (auth_debug_mode) { 338 printf("Sent Kerberos V5 credentials to server\r\n"); 339 } 340 return(1); 341} 342 343 void 344kerberos5_is(ap, data, cnt) 345 Authenticator *ap; 346 unsigned char *data; 347 int cnt; 348{ 349 int r; 350 struct hostent *hp; 351 char *p1, *p2; 352 static char *realm = NULL; 353 krb5_principal server; 354 krb5_ap_rep_enc_part reply; 355 krb5_data outbuf; 356#ifdef ENCRYPTION 357 Session_Key skey; 358#endif /* ENCRYPTION */ 359 char *name; 360 char *getenv(); 361 krb5_data inbuf; 362 363 if (cnt-- < 1) 364 return; 365 switch (*data++) { 366 case KRB_AUTH: 367 auth.data = (char *)data; 368 auth.length = cnt; 369 370 if (!(hp = gethostbyname(LocalHostName))) { 371 if (auth_debug_mode) 372 printf("Cannot resolve local host name\r\n"); 373 Data(ap, KRB_REJECT, "Unknown local hostname.", -1); 374 auth_finished(ap, AUTH_REJECT); 375 return; 376 } 377 378 if (!realm && (krb5_get_default_realm(&realm))) { 379 if (auth_debug_mode) 380 printf("Could not get default realm\r\n"); 381 Data(ap, KRB_REJECT, "Could not get default realm.", -1); 382 auth_finished(ap, AUTH_REJECT); 383 return; 384 } 385 386 if ((name = malloc(strlen(hp->h_name)+1)) == NULL) { 387 if (auth_debug_mode) 388 printf("Out of memory for hostname in Kerberos V5\r\n"); 389 Data(ap, KRB_REJECT, "Out of memory.", -1); 390 auth_finished(ap, AUTH_REJECT); 391 return; 392 } 393 394 p1 = hp->h_name; 395 p2 = name; 396 397 while (*p2 = *p1++) { 398 if (isupper(*p2)) 399 *p2 |= 040; 400 ++p2; 401 } 402 403 if (authdat) 404 krb5_free_tkt_authent(authdat); 405 406 r = krb5_build_principal_ext(&server, 407 strlen(realm), realm, 408 4, "host", 409 p2 - name, name, 410 0); 411 if (!r) { 412 r = krb5_rd_req_simple(&auth, server, 0, &authdat); 413 krb5_free_principal(server); 414 } 415 if (r) { 416 char errbuf[128]; 417 418 errout: 419 authdat = 0; 420 (void) strcpy(errbuf, "Read req failed: "); 421 (void) strcat(errbuf, error_message(r)); 422 Data(ap, KRB_REJECT, errbuf, -1); 423 if (auth_debug_mode) 424 printf("%s\r\n", errbuf); 425 return; 426 } 427 free(name); 428 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 429 /* do ap_rep stuff here */ 430 reply.ctime = authdat->authenticator->ctime; 431 reply.cusec = authdat->authenticator->cusec; 432 reply.subkey = 0; /* use the one he gave us, so don't 433 need to return one here */ 434 reply.seq_number = 0; /* we don't do seq #'s. */ 435 436 if (r = krb5_mk_rep(&reply, 437 authdat->authenticator->subkey ? 438 authdat->authenticator->subkey : 439 authdat->ticket->enc_part2->session, 440 &outbuf)) { 441 goto errout; 442 } 443 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 444 } 445 if (krb5_unparse_name(authdat->ticket->enc_part2 ->client, 446 &name)) 447 name = 0; 448 Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 449 if (auth_debug_mode) { 450 printf("Kerberos5 identifies him as ``%s''\r\n", 451 name ? name : ""); 452 } 453 auth_finished(ap, AUTH_USER); 454 455 free(name); 456 if (authdat->authenticator->subkey && 457 authdat->authenticator->subkey->keytype == KEYTYPE_DES) { 458 memmove((Voidptr )session_key, 459 (Voidptr )authdat->authenticator->subkey->contents, 460 sizeof(Block)); 461 } else if (authdat->ticket->enc_part2->session->keytype == 462 KEYTYPE_DES) { 463 memmove((Voidptr )session_key, 464 (Voidptr )authdat->ticket->enc_part2->session->contents, 465 sizeof(Block)); 466 } else 467 break; 468 469#ifdef ENCRYPTION 470 skey.type = SK_DES; 471 skey.length = 8; 472 skey.data = session_key; 473 encrypt_session_key(&skey, 1); 474#endif /* ENCRYPTION */ 475 break; 476#ifdef FORWARD 477 case KRB_FORWARD: 478 inbuf.data = (char *)data; 479 inbuf.length = cnt; 480 if (r = rd_and_store_for_creds(&inbuf, authdat->ticket, 481 UserNameRequested)) { 482 char errbuf[128]; 483 484 (void) strcpy(errbuf, "Read forwarded creds failed: "); 485 (void) strcat(errbuf, error_message(r)); 486 Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 487 if (auth_debug_mode) 488 printf("Could not read forwarded credentials\r\n"); 489 } 490 else 491 Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 492 if (auth_debug_mode) 493 printf("Forwarded credentials obtained\r\n"); 494 break; 495#endif /* FORWARD */ 496 default: 497 if (auth_debug_mode) 498 printf("Unknown Kerberos option %d\r\n", data[-1]); 499 Data(ap, KRB_REJECT, 0, 0); 500 break; 501 } 502} 503 504 void 505kerberos5_reply(ap, data, cnt) 506 Authenticator *ap; 507 unsigned char *data; 508 int cnt; 509{ 510 Session_Key skey; 511 static int mutual_complete = 0; 512 513 if (cnt-- < 1) 514 return; 515 switch (*data++) { 516 case KRB_REJECT: 517 if (cnt > 0) { 518 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 519 cnt, data); 520 } else 521 printf("[ Kerberos V5 refuses authentication ]\r\n"); 522 auth_send_retry(); 523 return; 524 case KRB_ACCEPT: 525 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 526 !mutual_complete) { 527 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\n"); 528 auth_send_retry(); 529 return; 530 } 531 if (cnt) 532 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\n", cnt, data); 533 else 534 printf("[ Kerberos V5 accepts you ]\n"); 535 auth_finished(ap, AUTH_USER); 536#ifdef FORWARD 537 if (forward_flags & OPTS_FORWARD_CREDS) 538 kerberos5_forward(ap); 539#endif /* FORWARD */ 540 break; 541 case KRB_RESPONSE: 542 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 543 /* the rest of the reply should contain a krb_ap_rep */ 544 krb5_ap_rep_enc_part *reply; 545 krb5_data inbuf; 546 krb5_error_code r; 547 krb5_keyblock tmpkey; 548 549 inbuf.length = cnt; 550 inbuf.data = (char *)data; 551 552 tmpkey.keytype = KEYTYPE_DES; 553 tmpkey.contents = session_key; 554 tmpkey.length = sizeof(Block); 555 556 if (r = krb5_rd_rep(&inbuf, &tmpkey, &reply)) { 557 printf("[ Mutual authentication failed: %s ]\n", 558 error_message(r)); 559 auth_send_retry(); 560 return; 561 } 562 if (reply->ctime != authenticator.ctime || 563 reply->cusec != authenticator.cusec) { 564 printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\n"); 565 auth_send_retry(); 566 return; 567 } 568 krb5_free_ap_rep_enc_part(reply); 569#ifdef ENCRYPTION 570 skey.type = SK_DES; 571 skey.length = 8; 572 skey.data = session_key; 573 encrypt_session_key(&skey, 0); 574#endif /* ENCRYPTION */ 575 mutual_complete = 1; 576 } 577 return; 578#ifdef FORWARD 579 case KRB_FORWARD_ACCEPT: 580 printf("[ Kerberos V5 accepted forwarded credentials ]\n"); 581 return; 582 case KRB_FORWARD_REJECT: 583 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 584 cnt, data); 585 return; 586#endif /* FORWARD */ 587 default: 588 if (auth_debug_mode) 589 printf("Unknown Kerberos option %d\r\n", data[-1]); 590 return; 591 } 592} 593 594 int 595kerberos5_status(ap, name, level) 596 Authenticator *ap; 597 char *name; 598 int level; 599{ 600 if (level < AUTH_USER) 601 return(level); 602 603 if (UserNameRequested && 604 krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested)) 605 { 606 strcpy(name, UserNameRequested); 607 return(AUTH_VALID); 608 } else 609 return(AUTH_USER); 610} 611 612#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 613#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 614 615 void 616kerberos5_printsub(data, cnt, buf, buflen) 617 unsigned char *data, *buf; 618 int cnt, buflen; 619{ 620 char lbuf[32]; 621 register int i; 622 623 buf[buflen-1] = '\0'; /* make sure its NULL terminated */ 624 buflen -= 1; 625 626 switch(data[3]) { 627 case KRB_REJECT: /* Rejected (reason might follow) */ 628 strncpy((char *)buf, " REJECT ", buflen); 629 goto common; 630 631 case KRB_ACCEPT: /* Accepted (name might follow) */ 632 strncpy((char *)buf, " ACCEPT ", buflen); 633 common: 634 BUMP(buf, buflen); 635 if (cnt <= 4) 636 break; 637 ADDC(buf, buflen, '"'); 638 for (i = 4; i < cnt; i++) 639 ADDC(buf, buflen, data[i]); 640 ADDC(buf, buflen, '"'); 641 ADDC(buf, buflen, '\0'); 642 break; 643 644 645 case KRB_AUTH: /* Authentication data follows */ 646 strncpy((char *)buf, " AUTH", buflen); 647 goto common2; 648 649 case KRB_RESPONSE: 650 strncpy((char *)buf, " RESPONSE", buflen); 651 goto common2; 652 653#ifdef FORWARD 654 case KRB_FORWARD: /* Forwarded credentials follow */ 655 strncpy((char *)buf, " FORWARD", buflen); 656 goto common2; 657 658 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 659 strncpy((char *)buf, " FORWARD_ACCEPT", buflen); 660 goto common2; 661 662 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 663 /* (reason might follow) */ 664 strncpy((char *)buf, " FORWARD_REJECT", buflen); 665 goto common2; 666#endif /* FORWARD */ 667 668 default: 669 sprintf(lbuf, " %d (unknown)", data[3]); 670 strncpy((char *)buf, lbuf, buflen); 671 common2: 672 BUMP(buf, buflen); 673 for (i = 4; i < cnt; i++) { 674 sprintf(lbuf, " %d", data[i]); 675 strncpy((char *)buf, lbuf, buflen); 676 BUMP(buf, buflen); 677 } 678 break; 679 } 680} 681 682#ifdef FORWARD 683 void 684kerberos5_forward(ap) 685 Authenticator *ap; 686{ 687 struct hostent *hp; 688 krb5_creds *local_creds; 689 krb5_error_code r; 690 krb5_data forw_creds; 691 extern krb5_cksumtype krb5_kdc_req_sumtype; 692 krb5_ccache ccache; 693 int i; 694 695 if (!(local_creds = (krb5_creds *) 696 calloc(1, sizeof(*local_creds)))) { 697 if (auth_debug_mode) 698 printf("Kerberos V5: could not allocate memory for credentials\r\n"); 699 return; 700 } 701 702 if (r = krb5_sname_to_principal(RemoteHostName, "host", 1, 703 &local_creds->server)) { 704 if (auth_debug_mode) 705 printf("Kerberos V5: could not build server name - %s\r\n", 706 error_message(r)); 707 krb5_free_creds(local_creds); 708 return; 709 } 710 711 if (r = krb5_cc_default(&ccache)) { 712 if (auth_debug_mode) 713 printf("Kerberos V5: could not get default ccache - %s\r\n", 714 error_message(r)); 715 krb5_free_creds(local_creds); 716 return; 717 } 718 719 if (r = krb5_cc_get_principal(ccache, &local_creds->client)) { 720 if (auth_debug_mode) 721 printf("Kerberos V5: could not get default principal - %s\r\n", 722 error_message(r)); 723 krb5_free_creds(local_creds); 724 return; 725 } 726 727 /* Get ticket from credentials cache */ 728 if (r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds)) { 729 if (auth_debug_mode) 730 printf("Kerberos V5: could not obtain credentials - %s\r\n", 731 error_message(r)); 732 krb5_free_creds(local_creds); 733 return; 734 } 735 736 if (r = get_for_creds(ETYPE_DES_CBC_CRC, 737 krb5_kdc_req_sumtype, 738 RemoteHostName, 739 local_creds->client, 740 &local_creds->keyblock, 741 forward_flags & OPTS_FORWARDABLE_CREDS, 742 &forw_creds)) { 743 if (auth_debug_mode) 744 printf("Kerberos V5: error getting forwarded creds - %s\r\n", 745 error_message(r)); 746 krb5_free_creds(local_creds); 747 return; 748 } 749 750 /* Send forwarded credentials */ 751 if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) { 752 if (auth_debug_mode) 753 printf("Not enough room for authentication data\r\n"); 754 } 755 else { 756 if (auth_debug_mode) 757 printf("Forwarded local Kerberos V5 credentials to server\r\n"); 758 } 759 760 krb5_free_creds(local_creds); 761} 762#endif /* FORWARD */ 763 764#endif /* KRB5 */
| 92 93#ifdef FORWARD 94int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */ 95 96/* These values need to be the same as those defined in telnet/main.c. */ 97/* Either define them in both places, or put in some common header file. */ 98#define OPTS_FORWARD_CREDS 0x00000002 99#define OPTS_FORWARDABLE_CREDS 0x00000001 100 101void kerberos5_forward(); 102 103#endif /* FORWARD */ 104 105static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, 106 AUTHTYPE_KERBEROS_V5, }; 107/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 108 TELQUAL_NAME, };*/ 109 110#define KRB_AUTH 0 /* Authentication data follows */ 111#define KRB_REJECT 1 /* Rejected (reason might follow) */ 112#define KRB_ACCEPT 2 /* Accepted */ 113#define KRB_RESPONSE 3 /* Response for mutual auth. */ 114 115#ifdef FORWARD 116#define KRB_FORWARD 4 /* Forwarded credentials follow */ 117#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 118#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 119#endif /* FORWARD */ 120 121static krb5_data auth; 122 /* telnetd gets session key from here */ 123static krb5_tkt_authent *authdat = NULL; 124/* telnet matches the AP_REQ and AP_REP with this */ 125static krb5_authenticator authenticator; 126 127/* some compilers can't hack void *, so we use the Kerberos krb5_pointer, 128 which is either void * or char *, depending on the compiler. */ 129 130#define Voidptr krb5_pointer 131 132Block session_key; 133 134 static int 135Data(ap, type, d, c) 136 Authenticator *ap; 137 int type; 138 Voidptr d; 139 int c; 140{ 141 unsigned char *p = str_data + 4; 142 unsigned char *cd = (unsigned char *)d; 143 144 if (c == -1) 145 c = strlen((char *)cd); 146 147 if (auth_debug_mode) { 148 printf("%s:%d: [%d] (%d)", 149 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 150 str_data[3], 151 type, c); 152 printd(d, c); 153 printf("\r\n"); 154 } 155 *p++ = ap->type; 156 *p++ = ap->way; 157 *p++ = type; 158 while (c-- > 0) { 159 if ((*p++ = *cd++) == IAC) 160 *p++ = IAC; 161 } 162 *p++ = IAC; 163 *p++ = SE; 164 if (str_data[3] == TELQUAL_IS) 165 printsub('>', &str_data[2], p - &str_data[2]); 166 return(net_write(str_data, p - str_data)); 167} 168 169 int 170kerberos5_init(ap, server) 171 Authenticator *ap; 172 int server; 173{ 174 if (server) 175 str_data[3] = TELQUAL_REPLY; 176 else 177 str_data[3] = TELQUAL_IS; 178 krb5_init_ets(); 179 return(1); 180} 181 182 int 183kerberos5_send(ap) 184 Authenticator *ap; 185{ 186 char **realms; 187 char *name; 188 char *p1, *p2; 189 krb5_checksum ksum; 190 krb5_octet sum[CRC32_CKSUM_LENGTH]; 191 krb5_principal server; 192 krb5_error_code r; 193 krb5_ccache ccache; 194 krb5_creds creds; /* telnet gets session key from here */ 195 extern krb5_flags krb5_kdc_default_options; 196 int ap_opts; 197 198#ifdef ENCRYPTION 199 krb5_keyblock *newkey = 0; 200#endif /* ENCRYPTION */ 201 202 ksum.checksum_type = CKSUMTYPE_CRC32; 203 ksum.contents = sum; 204 ksum.length = sizeof(sum); 205 memset((Voidptr )sum, 0, sizeof(sum)); 206 207 if (!UserNameRequested) { 208 if (auth_debug_mode) { 209 printf("Kerberos V5: no user name supplied\r\n"); 210 } 211 return(0); 212 } 213 214 if (r = krb5_cc_default(&ccache)) { 215 if (auth_debug_mode) { 216 printf("Kerberos V5: could not get default ccache\r\n"); 217 } 218 return(0); 219 } 220 221 if ((name = malloc(strlen(RemoteHostName)+1)) == NULL) { 222 if (auth_debug_mode) 223 printf("Out of memory for hostname in Kerberos V5\r\n"); 224 return(0); 225 } 226 227 if (r = krb5_get_host_realm(RemoteHostName, &realms)) { 228 if (auth_debug_mode) 229 printf("Kerberos V5: no realm for %s\r\n", RemoteHostName); 230 free(name); 231 return(0); 232 } 233 234 p1 = RemoteHostName; 235 p2 = name; 236 237 while (*p2 = *p1++) { 238 if (isupper(*p2)) 239 *p2 |= 040; 240 ++p2; 241 } 242 243 if (r = krb5_build_principal_ext(&server, 244 strlen(realms[0]), realms[0], 245 4, "host", 246 p2 - name, name, 247 0)) { 248 if (auth_debug_mode) { 249 printf("Kerberos V5: failure setting up principal (%s)\r\n", 250 error_message(r)); 251 } 252 free(name); 253 krb5_free_host_realm(realms); 254 return(0); 255 } 256 257 258 memset((char *)&creds, 0, sizeof(creds)); 259 creds.server = server; 260 261 if (r = krb5_cc_get_principal(ccache, &creds.client)) { 262 if (auth_debug_mode) { 263 printf("Kerberos V5: failure on principal (%s)\r\n", 264 error_message(r)); 265 } 266 free(name); 267 krb5_free_principal(server); 268 krb5_free_host_realm(realms); 269 return(0); 270 } 271 272 if (r = krb5_get_credentials(krb5_kdc_default_options, ccache, &creds)) { 273 if (auth_debug_mode) { 274 printf("Kerberos V5: failure on credentials(%d)\r\n",r); 275 } 276 free(name); 277 krb5_free_host_realm(realms); 278 krb5_free_principal(server); 279 return(0); 280 } 281 282 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 283 ap_opts = AP_OPTS_MUTUAL_REQUIRED; 284 else 285 ap_opts = 0; 286 287 r = krb5_mk_req_extended(ap_opts, &ksum, krb5_kdc_default_options, 0, 288#ifdef ENCRYPTION 289 &newkey, 290#else /* ENCRYPTION */ 291 0, 292#endif /* ENCRYPTION */ 293 ccache, &creds, &authenticator, &auth); 294 /* don't let the key get freed if we clean up the authenticator */ 295 authenticator.subkey = 0; 296 297 free(name); 298 krb5_free_host_realm(realms); 299 krb5_free_principal(server); 300#ifdef ENCRYPTION 301 if (newkey) { 302 /* keep the key in our private storage, but don't use it 303 yet---see kerberos5_reply() below */ 304 if (newkey->keytype != KEYTYPE_DES) { 305 if (creds.keyblock.keytype == KEYTYPE_DES) 306 /* use the session key in credentials instead */ 307 memmove((char *)session_key, 308 (char *)creds.keyblock.contents, sizeof(Block)); 309 else 310 /* XXX ? */; 311 } else { 312 memmove((char *)session_key, (char *)newkey->contents, 313 sizeof(Block)); 314 } 315 krb5_free_keyblock(newkey); 316 } 317#endif /* ENCRYPTION */ 318 if (r) { 319 if (auth_debug_mode) { 320 printf("Kerberos V5: mk_req failed (%s)\r\n", 321 error_message(r)); 322 } 323 return(0); 324 } 325 326 if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) { 327 if (auth_debug_mode) 328 printf("Not enough room for user name\r\n"); 329 return(0); 330 } 331 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 332 if (auth_debug_mode) 333 printf("Not enough room for authentication data\r\n"); 334 return(0); 335 } 336 if (auth_debug_mode) { 337 printf("Sent Kerberos V5 credentials to server\r\n"); 338 } 339 return(1); 340} 341 342 void 343kerberos5_is(ap, data, cnt) 344 Authenticator *ap; 345 unsigned char *data; 346 int cnt; 347{ 348 int r; 349 struct hostent *hp; 350 char *p1, *p2; 351 static char *realm = NULL; 352 krb5_principal server; 353 krb5_ap_rep_enc_part reply; 354 krb5_data outbuf; 355#ifdef ENCRYPTION 356 Session_Key skey; 357#endif /* ENCRYPTION */ 358 char *name; 359 char *getenv(); 360 krb5_data inbuf; 361 362 if (cnt-- < 1) 363 return; 364 switch (*data++) { 365 case KRB_AUTH: 366 auth.data = (char *)data; 367 auth.length = cnt; 368 369 if (!(hp = gethostbyname(LocalHostName))) { 370 if (auth_debug_mode) 371 printf("Cannot resolve local host name\r\n"); 372 Data(ap, KRB_REJECT, "Unknown local hostname.", -1); 373 auth_finished(ap, AUTH_REJECT); 374 return; 375 } 376 377 if (!realm && (krb5_get_default_realm(&realm))) { 378 if (auth_debug_mode) 379 printf("Could not get default realm\r\n"); 380 Data(ap, KRB_REJECT, "Could not get default realm.", -1); 381 auth_finished(ap, AUTH_REJECT); 382 return; 383 } 384 385 if ((name = malloc(strlen(hp->h_name)+1)) == NULL) { 386 if (auth_debug_mode) 387 printf("Out of memory for hostname in Kerberos V5\r\n"); 388 Data(ap, KRB_REJECT, "Out of memory.", -1); 389 auth_finished(ap, AUTH_REJECT); 390 return; 391 } 392 393 p1 = hp->h_name; 394 p2 = name; 395 396 while (*p2 = *p1++) { 397 if (isupper(*p2)) 398 *p2 |= 040; 399 ++p2; 400 } 401 402 if (authdat) 403 krb5_free_tkt_authent(authdat); 404 405 r = krb5_build_principal_ext(&server, 406 strlen(realm), realm, 407 4, "host", 408 p2 - name, name, 409 0); 410 if (!r) { 411 r = krb5_rd_req_simple(&auth, server, 0, &authdat); 412 krb5_free_principal(server); 413 } 414 if (r) { 415 char errbuf[128]; 416 417 errout: 418 authdat = 0; 419 (void) strcpy(errbuf, "Read req failed: "); 420 (void) strcat(errbuf, error_message(r)); 421 Data(ap, KRB_REJECT, errbuf, -1); 422 if (auth_debug_mode) 423 printf("%s\r\n", errbuf); 424 return; 425 } 426 free(name); 427 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 428 /* do ap_rep stuff here */ 429 reply.ctime = authdat->authenticator->ctime; 430 reply.cusec = authdat->authenticator->cusec; 431 reply.subkey = 0; /* use the one he gave us, so don't 432 need to return one here */ 433 reply.seq_number = 0; /* we don't do seq #'s. */ 434 435 if (r = krb5_mk_rep(&reply, 436 authdat->authenticator->subkey ? 437 authdat->authenticator->subkey : 438 authdat->ticket->enc_part2->session, 439 &outbuf)) { 440 goto errout; 441 } 442 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 443 } 444 if (krb5_unparse_name(authdat->ticket->enc_part2 ->client, 445 &name)) 446 name = 0; 447 Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 448 if (auth_debug_mode) { 449 printf("Kerberos5 identifies him as ``%s''\r\n", 450 name ? name : ""); 451 } 452 auth_finished(ap, AUTH_USER); 453 454 free(name); 455 if (authdat->authenticator->subkey && 456 authdat->authenticator->subkey->keytype == KEYTYPE_DES) { 457 memmove((Voidptr )session_key, 458 (Voidptr )authdat->authenticator->subkey->contents, 459 sizeof(Block)); 460 } else if (authdat->ticket->enc_part2->session->keytype == 461 KEYTYPE_DES) { 462 memmove((Voidptr )session_key, 463 (Voidptr )authdat->ticket->enc_part2->session->contents, 464 sizeof(Block)); 465 } else 466 break; 467 468#ifdef ENCRYPTION 469 skey.type = SK_DES; 470 skey.length = 8; 471 skey.data = session_key; 472 encrypt_session_key(&skey, 1); 473#endif /* ENCRYPTION */ 474 break; 475#ifdef FORWARD 476 case KRB_FORWARD: 477 inbuf.data = (char *)data; 478 inbuf.length = cnt; 479 if (r = rd_and_store_for_creds(&inbuf, authdat->ticket, 480 UserNameRequested)) { 481 char errbuf[128]; 482 483 (void) strcpy(errbuf, "Read forwarded creds failed: "); 484 (void) strcat(errbuf, error_message(r)); 485 Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 486 if (auth_debug_mode) 487 printf("Could not read forwarded credentials\r\n"); 488 } 489 else 490 Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 491 if (auth_debug_mode) 492 printf("Forwarded credentials obtained\r\n"); 493 break; 494#endif /* FORWARD */ 495 default: 496 if (auth_debug_mode) 497 printf("Unknown Kerberos option %d\r\n", data[-1]); 498 Data(ap, KRB_REJECT, 0, 0); 499 break; 500 } 501} 502 503 void 504kerberos5_reply(ap, data, cnt) 505 Authenticator *ap; 506 unsigned char *data; 507 int cnt; 508{ 509 Session_Key skey; 510 static int mutual_complete = 0; 511 512 if (cnt-- < 1) 513 return; 514 switch (*data++) { 515 case KRB_REJECT: 516 if (cnt > 0) { 517 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 518 cnt, data); 519 } else 520 printf("[ Kerberos V5 refuses authentication ]\r\n"); 521 auth_send_retry(); 522 return; 523 case KRB_ACCEPT: 524 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 525 !mutual_complete) { 526 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\n"); 527 auth_send_retry(); 528 return; 529 } 530 if (cnt) 531 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\n", cnt, data); 532 else 533 printf("[ Kerberos V5 accepts you ]\n"); 534 auth_finished(ap, AUTH_USER); 535#ifdef FORWARD 536 if (forward_flags & OPTS_FORWARD_CREDS) 537 kerberos5_forward(ap); 538#endif /* FORWARD */ 539 break; 540 case KRB_RESPONSE: 541 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 542 /* the rest of the reply should contain a krb_ap_rep */ 543 krb5_ap_rep_enc_part *reply; 544 krb5_data inbuf; 545 krb5_error_code r; 546 krb5_keyblock tmpkey; 547 548 inbuf.length = cnt; 549 inbuf.data = (char *)data; 550 551 tmpkey.keytype = KEYTYPE_DES; 552 tmpkey.contents = session_key; 553 tmpkey.length = sizeof(Block); 554 555 if (r = krb5_rd_rep(&inbuf, &tmpkey, &reply)) { 556 printf("[ Mutual authentication failed: %s ]\n", 557 error_message(r)); 558 auth_send_retry(); 559 return; 560 } 561 if (reply->ctime != authenticator.ctime || 562 reply->cusec != authenticator.cusec) { 563 printf("[ Mutual authentication failed (mismatched KRB_AP_REP) ]\n"); 564 auth_send_retry(); 565 return; 566 } 567 krb5_free_ap_rep_enc_part(reply); 568#ifdef ENCRYPTION 569 skey.type = SK_DES; 570 skey.length = 8; 571 skey.data = session_key; 572 encrypt_session_key(&skey, 0); 573#endif /* ENCRYPTION */ 574 mutual_complete = 1; 575 } 576 return; 577#ifdef FORWARD 578 case KRB_FORWARD_ACCEPT: 579 printf("[ Kerberos V5 accepted forwarded credentials ]\n"); 580 return; 581 case KRB_FORWARD_REJECT: 582 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 583 cnt, data); 584 return; 585#endif /* FORWARD */ 586 default: 587 if (auth_debug_mode) 588 printf("Unknown Kerberos option %d\r\n", data[-1]); 589 return; 590 } 591} 592 593 int 594kerberos5_status(ap, name, level) 595 Authenticator *ap; 596 char *name; 597 int level; 598{ 599 if (level < AUTH_USER) 600 return(level); 601 602 if (UserNameRequested && 603 krb5_kuserok(authdat->ticket->enc_part2->client, UserNameRequested)) 604 { 605 strcpy(name, UserNameRequested); 606 return(AUTH_VALID); 607 } else 608 return(AUTH_USER); 609} 610 611#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 612#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 613 614 void 615kerberos5_printsub(data, cnt, buf, buflen) 616 unsigned char *data, *buf; 617 int cnt, buflen; 618{ 619 char lbuf[32]; 620 register int i; 621 622 buf[buflen-1] = '\0'; /* make sure its NULL terminated */ 623 buflen -= 1; 624 625 switch(data[3]) { 626 case KRB_REJECT: /* Rejected (reason might follow) */ 627 strncpy((char *)buf, " REJECT ", buflen); 628 goto common; 629 630 case KRB_ACCEPT: /* Accepted (name might follow) */ 631 strncpy((char *)buf, " ACCEPT ", buflen); 632 common: 633 BUMP(buf, buflen); 634 if (cnt <= 4) 635 break; 636 ADDC(buf, buflen, '"'); 637 for (i = 4; i < cnt; i++) 638 ADDC(buf, buflen, data[i]); 639 ADDC(buf, buflen, '"'); 640 ADDC(buf, buflen, '\0'); 641 break; 642 643 644 case KRB_AUTH: /* Authentication data follows */ 645 strncpy((char *)buf, " AUTH", buflen); 646 goto common2; 647 648 case KRB_RESPONSE: 649 strncpy((char *)buf, " RESPONSE", buflen); 650 goto common2; 651 652#ifdef FORWARD 653 case KRB_FORWARD: /* Forwarded credentials follow */ 654 strncpy((char *)buf, " FORWARD", buflen); 655 goto common2; 656 657 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 658 strncpy((char *)buf, " FORWARD_ACCEPT", buflen); 659 goto common2; 660 661 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 662 /* (reason might follow) */ 663 strncpy((char *)buf, " FORWARD_REJECT", buflen); 664 goto common2; 665#endif /* FORWARD */ 666 667 default: 668 sprintf(lbuf, " %d (unknown)", data[3]); 669 strncpy((char *)buf, lbuf, buflen); 670 common2: 671 BUMP(buf, buflen); 672 for (i = 4; i < cnt; i++) { 673 sprintf(lbuf, " %d", data[i]); 674 strncpy((char *)buf, lbuf, buflen); 675 BUMP(buf, buflen); 676 } 677 break; 678 } 679} 680 681#ifdef FORWARD 682 void 683kerberos5_forward(ap) 684 Authenticator *ap; 685{ 686 struct hostent *hp; 687 krb5_creds *local_creds; 688 krb5_error_code r; 689 krb5_data forw_creds; 690 extern krb5_cksumtype krb5_kdc_req_sumtype; 691 krb5_ccache ccache; 692 int i; 693 694 if (!(local_creds = (krb5_creds *) 695 calloc(1, sizeof(*local_creds)))) { 696 if (auth_debug_mode) 697 printf("Kerberos V5: could not allocate memory for credentials\r\n"); 698 return; 699 } 700 701 if (r = krb5_sname_to_principal(RemoteHostName, "host", 1, 702 &local_creds->server)) { 703 if (auth_debug_mode) 704 printf("Kerberos V5: could not build server name - %s\r\n", 705 error_message(r)); 706 krb5_free_creds(local_creds); 707 return; 708 } 709 710 if (r = krb5_cc_default(&ccache)) { 711 if (auth_debug_mode) 712 printf("Kerberos V5: could not get default ccache - %s\r\n", 713 error_message(r)); 714 krb5_free_creds(local_creds); 715 return; 716 } 717 718 if (r = krb5_cc_get_principal(ccache, &local_creds->client)) { 719 if (auth_debug_mode) 720 printf("Kerberos V5: could not get default principal - %s\r\n", 721 error_message(r)); 722 krb5_free_creds(local_creds); 723 return; 724 } 725 726 /* Get ticket from credentials cache */ 727 if (r = krb5_get_credentials(KRB5_GC_CACHED, ccache, local_creds)) { 728 if (auth_debug_mode) 729 printf("Kerberos V5: could not obtain credentials - %s\r\n", 730 error_message(r)); 731 krb5_free_creds(local_creds); 732 return; 733 } 734 735 if (r = get_for_creds(ETYPE_DES_CBC_CRC, 736 krb5_kdc_req_sumtype, 737 RemoteHostName, 738 local_creds->client, 739 &local_creds->keyblock, 740 forward_flags & OPTS_FORWARDABLE_CREDS, 741 &forw_creds)) { 742 if (auth_debug_mode) 743 printf("Kerberos V5: error getting forwarded creds - %s\r\n", 744 error_message(r)); 745 krb5_free_creds(local_creds); 746 return; 747 } 748 749 /* Send forwarded credentials */ 750 if (!Data(ap, KRB_FORWARD, forw_creds.data, forw_creds.length)) { 751 if (auth_debug_mode) 752 printf("Not enough room for authentication data\r\n"); 753 } 754 else { 755 if (auth_debug_mode) 756 printf("Forwarded local Kerberos V5 credentials to server\r\n"); 757 } 758 759 krb5_free_creds(local_creds); 760} 761#endif /* FORWARD */ 762 763#endif /* KRB5 */
|