auth-krb5.c (98684) | auth-krb5.c (98941) |
1/* 2 * Kerberos v5 authentication and ticket-passing routines. 3 * | 1/* 2 * Kerberos v5 authentication and ticket-passing routines. 3 * |
4 * $FreeBSD: head/crypto/openssh/auth-krb5.c 98684 2002-06-23 16:09:08Z des $ | 4 * $FreeBSD: head/crypto/openssh/auth-krb5.c 98941 2002-06-27 22:42:11Z des $ |
5 */ 6/* 7 * Copyright (c) 2002 Daniel Kouril. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright --- 11 unchanged lines hidden (view full) --- 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include "includes.h" 31RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $"); | 5 */ 6/* 7 * Copyright (c) 2002 Daniel Kouril. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright --- 11 unchanged lines hidden (view full) --- 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include "includes.h" 31RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $"); |
32RCSID("$FreeBSD: head/crypto/openssh/auth-krb5.c 98684 2002-06-23 16:09:08Z des $"); | |
33 34#include "ssh.h" 35#include "ssh1.h" 36#include "packet.h" 37#include "xmalloc.h" 38#include "log.h" 39#include "servconf.h" 40#include "uidswap.h" 41#include "auth.h" 42 43#ifdef KRB5 44#include <krb5.h> | 32 33#include "ssh.h" 34#include "ssh1.h" 35#include "packet.h" 36#include "xmalloc.h" 37#include "log.h" 38#include "servconf.h" 39#include "uidswap.h" 40#include "auth.h" 41 42#ifdef KRB5 43#include <krb5.h> |
44#ifndef HEIMDAL 45#define krb5_get_err_text(context,code) error_message(code) 46#endif /* !HEIMDAL */ |
|
45 46extern ServerOptions options; 47 48static int 49krb5_init(void *context) 50{ 51 Authctxt *authctxt = (Authctxt *)context; 52 krb5_error_code problem; --- 36 unchanged lines hidden (view full) --- 89 goto err; 90 91 problem = krb5_auth_con_init(authctxt->krb5_ctx, 92 &authctxt->krb5_auth_ctx); 93 if (problem) 94 goto err; 95 96 fd = packet_get_connection_in(); | 47 48extern ServerOptions options; 49 50static int 51krb5_init(void *context) 52{ 53 Authctxt *authctxt = (Authctxt *)context; 54 krb5_error_code problem; --- 36 unchanged lines hidden (view full) --- 91 goto err; 92 93 problem = krb5_auth_con_init(authctxt->krb5_ctx, 94 &authctxt->krb5_auth_ctx); 95 if (problem) 96 goto err; 97 98 fd = packet_get_connection_in(); |
99#ifdef HEIMDAL |
|
97 problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx, 98 authctxt->krb5_auth_ctx, &fd); | 100 problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx, 101 authctxt->krb5_auth_ctx, &fd); |
102#else 103 problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 104 authctxt->krb5_auth_ctx,fd, 105 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR | 106 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR); 107#endif |
|
99 if (problem) 100 goto err; 101 102 problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL , 103 KRB5_NT_SRV_HST, &server); 104 if (problem) 105 goto err; 106 107 problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx, 108 auth, server, NULL, NULL, &ticket); 109 if (problem) 110 goto err; 111 | 108 if (problem) 109 goto err; 110 111 problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL , 112 KRB5_NT_SRV_HST, &server); 113 if (problem) 114 goto err; 115 116 problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx, 117 auth, server, NULL, NULL, &ticket); 118 if (problem) 119 goto err; 120 |
121#ifdef HEIMDAL |
|
112 problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client, 113 &authctxt->krb5_user); | 122 problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client, 123 &authctxt->krb5_user); |
124#else 125 problem = krb5_copy_principal(authctxt->krb5_ctx, 126 ticket->enc_part2->client, 127 &authctxt->krb5_user); 128#endif |
|
114 if (problem) 115 goto err; 116 117 /* if client wants mutual auth */ 118 problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, 119 &reply); 120 if (problem) 121 goto err; --- 34 unchanged lines hidden (view full) --- 156} 157 158int 159auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt) 160{ 161 krb5_error_code problem; 162 krb5_ccache ccache = NULL; 163 char *pname; | 129 if (problem) 130 goto err; 131 132 /* if client wants mutual auth */ 133 problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, 134 &reply); 135 if (problem) 136 goto err; --- 34 unchanged lines hidden (view full) --- 171} 172 173int 174auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt) 175{ 176 krb5_error_code problem; 177 krb5_ccache ccache = NULL; 178 char *pname; |
179 krb5_creds **creds; |
|
164 165 if (authctxt->pw == NULL || authctxt->krb5_user == NULL) 166 return (0); 167 168 temporarily_use_uid(authctxt->pw); 169 | 180 181 if (authctxt->pw == NULL || authctxt->krb5_user == NULL) 182 return (0); 183 184 temporarily_use_uid(authctxt->pw); 185 |
186#ifdef HEIMDAL |
|
170 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache); | 187 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache); |
188#else 189{ 190 char ccname[40]; 191 int tmpfd; 192 193 snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); 194 195 if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { 196 log("mkstemp(): %.100s", strerror(errno)); 197 problem = errno; 198 goto fail; 199 } 200 if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { 201 log("fchmod(): %.100s", strerror(errno)); 202 close(tmpfd); 203 problem = errno; 204 goto fail; 205 } 206 close(tmpfd); 207 problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache); 208} 209#endif |
|
171 if (problem) 172 goto fail; 173 174 problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, 175 authctxt->krb5_user); 176 if (problem) 177 goto fail; 178 | 210 if (problem) 211 goto fail; 212 213 problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache, 214 authctxt->krb5_user); 215 if (problem) 216 goto fail; 217 |
218#ifdef HEIMDAL |
|
179 problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, 180 ccache, tgt); 181 if (problem) 182 goto fail; | 219 problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, 220 ccache, tgt); 221 if (problem) 222 goto fail; |
223#else 224 problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, 225 tgt, &creds, NULL); 226 if (problem) 227 goto fail; 228 problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds); 229 if (problem) 230 goto fail; 231#endif |
|
183 184 authctxt->krb5_fwd_ccache = ccache; 185 ccache = NULL; 186 187 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); 188 189 problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, 190 &pname); --- 16 unchanged lines hidden (view full) --- 207 restore_uid(); 208 209 return (0); 210} 211 212int 213auth_krb5_password(Authctxt *authctxt, const char *password) 214{ | 232 233 authctxt->krb5_fwd_ccache = ccache; 234 ccache = NULL; 235 236 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); 237 238 problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, 239 &pname); --- 16 unchanged lines hidden (view full) --- 256 restore_uid(); 257 258 return (0); 259} 260 261int 262auth_krb5_password(Authctxt *authctxt, const char *password) 263{ |
264#ifndef HEIMDAL 265 krb5_creds creds; 266 krb5_principal server; 267 char ccname[40]; 268 int tmpfd; 269#endif |
|
215 krb5_error_code problem; 216 217 if (authctxt->pw == NULL) 218 return (0); 219 220 temporarily_use_uid(authctxt->pw); 221 222 problem = krb5_init(authctxt); 223 if (problem) 224 goto out; 225 226 problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name, 227 &authctxt->krb5_user); 228 if (problem) 229 goto out; 230 | 270 krb5_error_code problem; 271 272 if (authctxt->pw == NULL) 273 return (0); 274 275 temporarily_use_uid(authctxt->pw); 276 277 problem = krb5_init(authctxt); 278 if (problem) 279 goto out; 280 281 problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name, 282 &authctxt->krb5_user); 283 if (problem) 284 goto out; 285 |
286#ifdef HEIMDAL |
|
231 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, 232 &authctxt->krb5_fwd_ccache); 233 if (problem) 234 goto out; 235 236 problem = krb5_cc_initialize(authctxt->krb5_ctx, 237 authctxt->krb5_fwd_ccache, authctxt->krb5_user); 238 if (problem) 239 goto out; 240 241 restore_uid(); 242 problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, 243 authctxt->krb5_fwd_ccache, password, 1, NULL); 244 temporarily_use_uid(authctxt->pw); 245 246 if (problem) 247 goto out; 248 | 287 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, 288 &authctxt->krb5_fwd_ccache); 289 if (problem) 290 goto out; 291 292 problem = krb5_cc_initialize(authctxt->krb5_ctx, 293 authctxt->krb5_fwd_ccache, authctxt->krb5_user); 294 if (problem) 295 goto out; 296 297 restore_uid(); 298 problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, 299 authctxt->krb5_fwd_ccache, password, 1, NULL); 300 temporarily_use_uid(authctxt->pw); 301 302 if (problem) 303 goto out; 304 |
305#else 306 problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds, 307 authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL); 308 if (problem) 309 goto out; 310 311 problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL, 312 KRB5_NT_SRV_HST, &server); 313 if (problem) 314 goto out; 315 316 restore_uid(); 317 problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server, 318 NULL, NULL, NULL); 319 krb5_free_principal(authctxt->krb5_ctx, server); 320 temporarily_use_uid(authctxt->pw); 321 if (problem) 322 goto out; 323 324 if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, 325 authctxt->pw->pw_name)) { 326 problem = -1; 327 goto out; 328 } 329 330 snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); 331 332 if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { 333 log("mkstemp(): %.100s", strerror(errno)); 334 problem = errno; 335 goto out; 336 } 337 338 if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { 339 log("fchmod(): %.100s", strerror(errno)); 340 close(tmpfd); 341 problem = errno; 342 goto out; 343 } 344 close(tmpfd); 345 346 problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache); 347 if (problem) 348 goto out; 349 350 problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, 351 authctxt->krb5_user); 352 if (problem) 353 goto out; 354 355 problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, 356 &creds); 357 if (problem) 358 goto out; 359#endif 360 |
|
249 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); 250 251 out: 252 restore_uid(); 253 254 if (problem) { | 361 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); 362 363 out: 364 restore_uid(); 365 366 if (problem) { |
255 if (authctxt->krb5_ctx != NULL) | 367 if (authctxt->krb5_ctx != NULL && problem!=-1) |
256 debug("Kerberos password authentication failed: %s", 257 krb5_get_err_text(authctxt->krb5_ctx, problem)); 258 else 259 debug("Kerberos password authentication failed: %d", 260 problem); 261 262 krb5_cleanup_proc(authctxt); 263 --- 34 unchanged lines hidden --- | 368 debug("Kerberos password authentication failed: %s", 369 krb5_get_err_text(authctxt->krb5_ctx, problem)); 370 else 371 debug("Kerberos password authentication failed: %d", 372 problem); 373 374 krb5_cleanup_proc(authctxt); 375 --- 34 unchanged lines hidden --- |
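Review bot: In the new non-Heimdal branches the errno that is stored into `problem` is read only after `log()` and, in the fchmod case, after `close()`, both of which may overwrite it (new lines 196–197 and 201–203 in auth_krb5_tgt, 333–334 and 339–341 in auth_krb5_password), so the failure can be reported as 0 or as an unrelated code while the function still bails out. Save it first: `problem = errno; log("mkstemp(): %.100s", strerror(problem));` and likewise `problem = errno; log("fchmod(): %.100s", strerror(problem)); close(tmpfd);`. Two smaller points in the same branches: `geteuid()` returns uid_t but is printed with `%d` in the `FILE:/tmp/krb5cc_%d_XXXXXX` template, so cast it, e.g. `(int)geteuid()`, and check the snprintf result so a truncated template never reaches mkstemp. The `creds` array returned by `krb5_rd_cred` in auth_krb5_tgt and the `creds` filled by `krb5_get_init_creds_password` in auth_krb5_password are not released on either the success or the `goto fail`/`goto out` paths as far as the visible lines show, which leaves session-key material in process memory (MIT provides `krb5_free_tgt_creds` and `krb5_free_cred_contents` for this; confirm against the hidden tail of auth_krb5_password). Both functions continue past the end of the visible section.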