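#ifdef KRB5

/*
 * Kerberos V5 handler for the telnet AUTHENTICATION option
 * (AUTHTYPE_KERBEROS_V5).  The kerberos5_* entry points are invoked by
 * the generic option machinery in auth.c; the client side builds and
 * sends an AP-REQ (kerberos5_send), the server side verifies it
 * (kerberos5_is), and both sides may then exchange forwarded credentials.
 */

#include <arpa/telnet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <ctype.h>
#include <pwd.h>
#define Authenticator k5_Authenticator
#include <krb5.h>
#undef Authenticator
#include <roken.h>
#ifdef SOCKS
#include <socks.h>
#endif


#include "encrypt.h"
#include "auth.h"
#include "misc.h"

#if defined(DCE)
int dfsk5ok = 0;
int dfspag = 0;
int dfsfwd = 0;
#endif

int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */

int forward(int);
int forwardable(int);

/* These values need to be the same as those defined in telnet/main.c. */
/* Either define them in both places, or put in some common header file. */
#define OPTS_FORWARD_CREDS           0x00000002
#define OPTS_FORWARDABLE_CREDS       0x00000001


void kerberos5_forward (Authenticator *);

/*
 * Scratch buffer for outgoing suboptions.  Bytes 0..2 are fixed
 * (IAC SB TELOPT_AUTHENTICATION); byte 3 is set to TELQUAL_IS or
 * TELQUAL_REPLY by kerberos5_init; Data() rewrites everything from
 * byte 4 on for each message.
 */
static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
                                        AUTHTYPE_KERBEROS_V5, };

#define KRB_AUTH             0   /* Authentication data follows */
#define KRB_REJECT           1   /* Rejected (reason might follow) */
#define KRB_ACCEPT           2   /* Accepted */
#define KRB_RESPONSE         3   /* Response for mutual auth. */

#define KRB_FORWARD          4   /* Forwarded credentials follow */
#define KRB_FORWARD_ACCEPT   5   /* Forwarded credentials accepted */
#define KRB_FORWARD_REJECT   6   /* Forwarded credentials rejected */

static krb5_data auth;              /* AP-REQ: built by the client, received by the server */
static krb5_ticket *ticket;         /* server side: ticket extracted from the AP-REQ */

static krb5_context context;
static krb5_auth_context auth_context;

/*
 * Send one AUTHENTICATION suboption of kind `type' whose payload is the
 * `c' bytes at `d' (or the NUL-terminated string at `d' when c == -1).
 *
 * The payload is copied into str_data with every IAC byte doubled, as
 * the telnet framing requires, and terminated with IAC SE.
 *
 * Returns the result of telnet_net_write, or 0 when the escaped message
 * would not fit in str_data.  Every caller already treats 0 as
 * "not enough room", so an oversized payload is refused instead of
 * written past the end of the buffer.
 */
static int
Data(Authenticator *ap, int type, void *d, int c)
{
    unsigned char *p = str_data + 4;
    unsigned char *cd = (unsigned char *)d;
    size_t need;
    int i, iacs = 0;

    if (c == -1)
        c = strlen((char*)cd);

    if (c < 0)
        return 0;

    /*
     * Size the message exactly before writing: 4 fixed prefix bytes,
     * type/way/subtype, the payload, one extra byte per IAC in the
     * payload, and the closing IAC SE.
     */
    for (i = 0; i < c; i++)
        if (cd[i] == IAC)
            iacs++;
    need = 4 + 3 + (size_t)c + (size_t)iacs + 2;
    if (need > sizeof(str_data)) {
        if (auth_debug_mode)
            printf("Kerberos V5: %d byte payload does not fit in suboption buffer\r\n",
                   c);
        return 0;
    }

    if (auth_debug_mode) {
        printf("%s:%d: [%d] (%d)",
               str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
               str_data[3],
               type, c);
        printd(d, c);
        printf("\r\n");
    }
    *p++ = ap->type;
    *p++ = ap->way;
    *p++ = type;
    while (c-- > 0) {
        if ((*p++ = *cd++) == IAC)
            *p++ = IAC;
    }
    *p++ = IAC;
    *p++ = SE;
    if (str_data[3] == TELQUAL_IS)
        printsub('>', &str_data[2], p - &str_data[2]);
    return(telnet_net_write(str_data, p - str_data));
}

/*
 * Initialise the Kerberos context for this process.
 *
 * On the server side the default keytab is opened and a read cursor is
 * started and immediately closed: this only probes that a keytab is
 * usable, so the option is not offered when no service key is available.
 * Also selects whether outgoing suboptions are IS (client) or REPLY
 * (server).
 *
 * Returns 1 on success, 0 if the option cannot be used.
 */
int
kerberos5_init(Authenticator *ap, int server)
{
    krb5_error_code ret;

    ret = krb5_init_context(&context);
    if (ret)
        return 0;
    if (server) {
        krb5_keytab kt;
        krb5_kt_cursor cursor;

        ret = krb5_kt_default(context, &kt);
        if (ret)
            return 0;

        ret = krb5_kt_start_seq_get (context, kt, &cursor);
        if (ret) {
            krb5_kt_close (context, kt);
            return 0;
        }
        krb5_kt_end_seq_get (context, kt, &cursor);
        krb5_kt_close (context, kt);

        str_data[3] = TELQUAL_REPLY;
    } else
        str_data[3] = TELQUAL_IS;
    return(1);
}

extern int net;

/*
 * Client side: build an AP-REQ for host/RemoteHostName from the default
 * credential cache and send it, preceded by the requested user name.
 * `name' is only used in the "[ Trying ... ]" progress line.
 *
 * The authenticator checksum covers the two bytes (type, way) so that the
 * server can verify the negotiated option was not altered in transit.
 *
 * Returns 1 when both the name and the AP-REQ were sent, 0 otherwise.
 * The credential cache handle is closed on every path.
 */
static int
kerberos5_send(char *name, Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache;
    int ap_opts;
    krb5_data cksum_data;
    char foo[2];

    if (!UserNameRequested) {
        if (auth_debug_mode) {
            printf("Kerberos V5: no user name supplied\r\n");
        }
        return(0);
    }

    ret = krb5_cc_default(context, &ccache);
    if (ret) {
        if (auth_debug_mode) {
            printf("Kerberos V5: could not get default ccache: %s\r\n",
                   krb5_get_err_text (context, ret));
        }
        return 0;
    }

    if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
        ap_opts = AP_OPTS_MUTUAL_REQUIRED;
    else
        ap_opts = 0;

    ap_opts |= AP_OPTS_USE_SUBKEY;

    ret = krb5_auth_con_init (context, &auth_context);
    if (ret) {
        if (auth_debug_mode) {
            printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
                   krb5_get_err_text(context, ret));
        }
        krb5_cc_close(context, ccache);
        return(0);
    }

    ret = krb5_auth_con_setaddrs_from_fd (context,
                                          auth_context,
                                          &net);
    if (ret) {
        if (auth_debug_mode) {
            printf ("Kerberos V5:"
                    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
                    krb5_get_err_text(context, ret));
        }
        krb5_cc_close(context, ccache);
        return(0);
    }

    /* Only DES session keys are usable by the telnet ENCRYPT option below. */
    krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);

    foo[0] = ap->type;
    foo[1] = ap->way;

    cksum_data.length = sizeof(foo);
    cksum_data.data = foo;

    {
        krb5_principal service;
        char sname[128];

        ret = krb5_sname_to_principal (context,
                                       RemoteHostName,
                                       NULL,
                                       KRB5_NT_SRV_HST,
                                       &service);
        if(ret) {
            if (auth_debug_mode) {
                printf ("Kerberos V5:"
                        " krb5_sname_to_principal(%s) failed (%s)\r\n",
                        RemoteHostName, krb5_get_err_text(context, ret));
            }
            krb5_cc_close(context, ccache);
            return 0;
        }
        ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
        if(ret) {
            if (auth_debug_mode) {
                printf ("Kerberos V5:"
                        " krb5_unparse_name_fixed failed (%s)\r\n",
                        krb5_get_err_text(context, ret));
            }
            krb5_free_principal (context, service);
            krb5_cc_close(context, ccache);
            return 0;
        }
        printf("[ Trying %s (%s)... ]\r\n", name, sname);
        ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
                                service,
                                &cksum_data, ccache, &auth);
        krb5_free_principal (context, service);
    }
    /* The AP-REQ now lives in `auth'; the cache handle is no longer needed. */
    krb5_cc_close(context, ccache);
    if (ret) {
        /* Always reported: the condition here used to be `1 || auth_debug_mode'. */
        printf("Kerberos V5: mk_req failed (%s)\r\n",
               krb5_get_err_text(context, ret));
        return(0);
    }

    if (!auth_sendname((unsigned char *)UserNameRequested,
                       strlen(UserNameRequested))) {
        if (auth_debug_mode)
            printf("Not enough room for user name\r\n");
        return(0);
    }
    if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
        return(0);
    }
    if (auth_debug_mode) {
        printf("Sent Kerberos V5 credentials to server\r\n");
    }
    return(1);
}

/* Client entry point for AUTH_HOW_MUTUAL; see kerberos5_send. */
int
kerberos5_send_mutual(Authenticator *ap)
{
    return kerberos5_send("mutual KERBEROS5", ap);
}

/* Client entry point for AUTH_HOW_ONE_WAY; see kerberos5_send. */
int
kerberos5_send_oneway(Authenticator *ap)
{
    return kerberos5_send("KERBEROS5", ap);
}

/*
 * Server side: handle an IS suboption from the client.
 *
 *   KRB_AUTH     - verify the AP-REQ in data[1..cnt), check that the
 *                  authenticator checksum covers (type, way), obtain the
 *                  (sub)session key, answer with KRB_RESPONSE for mutual
 *                  authentication, and accept or reject the requested
 *                  user name via krb5_kuserok.
 *   KRB_FORWARD  - store forwarded credentials in a cache for the user
 *                  and acknowledge with KRB_FORWARD_ACCEPT / _REJECT.
 *
 * `data' points at the option body (first byte is the subtype) and
 * `cnt' is its length in bytes.  Nothing is done for an empty body.
 */
void
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
{
    krb5_error_code ret;
    krb5_data outbuf;
    krb5_keyblock *key_block;
    char *name;
    krb5_principal server;
    int zero = 0;   /* fd 0: the server runs with the connection on stdin */

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_AUTH:
        auth.data = (char *)data;
        auth.length = cnt;

        auth_context = NULL;

        ret = krb5_auth_con_init (context, &auth_context);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_auth_con_setaddrs_from_fd (context,
                                              auth_context,
                                              &zero);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_sock_to_principal (context,
                                      0,
                                      "host",
                                      KRB5_NT_SRV_HST,
                                      &server);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_sock_to_principal failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_rd_req(context,
                          &auth_context,
                          &auth,
                          server,
                          NULL,
                          NULL,
                          &ticket);

        krb5_free_principal (context, server);
        if (ret) {
            char *errbuf;

            /*
             * NOTE(review): unlike the failures above, this path and the
             * checksum failure below do not call auth_finished(); kept
             * as-is, confirm whether the option state machine expects it.
             */
            if (asprintf(&errbuf,
                         "Read req failed: %s",
                         krb5_get_err_text(context, ret)) < 0)
                errbuf = NULL;
            Data(ap, KRB_REJECT, errbuf, errbuf ? -1 : 0);
            if (auth_debug_mode)
                printf("%s\r\n", errbuf ? errbuf : "Read req failed");
            free (errbuf);
            return;
        }

        {
            char foo[2];

            /* Bind the negotiated (type, way) to the authenticator. */
            foo[0] = ap->type;
            foo[1] = ap->way;

            ret = krb5_verify_authenticator_checksum(context,
                                                     auth_context,
                                                     foo,
                                                     sizeof(foo));

            if (ret) {
                char *errbuf;
                if (asprintf(&errbuf, "Bad checksum: %s",
                             krb5_get_err_text(context, ret)) < 0)
                    errbuf = NULL;
                Data(ap, KRB_REJECT, errbuf, errbuf ? -1 : 0);
                if (auth_debug_mode)
                    printf ("%s\r\n", errbuf ? errbuf : "Bad checksum");
                free(errbuf);
                return;
            }
        }
        ret = krb5_auth_con_getremotesubkey (context,
                                             auth_context,
                                             &key_block);

        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        /* No subkey in the authenticator: fall back to the ticket session key. */
        if (key_block == NULL) {
            ret = krb5_auth_con_getkey(context,
                                       auth_context,
                                       &key_block);
        }
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getkey failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }
        if (key_block == NULL) {
            Data(ap, KRB_REJECT, "no subkey received", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getremotesubkey returned NULL key\r\n");
            return;
        }

        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            ret = krb5_mk_rep(context, auth_context, &outbuf);
            if (ret) {
                Data(ap, KRB_REJECT,
                     "krb5_mk_rep failed", -1);
                auth_finished(ap, AUTH_REJECT);
                if (auth_debug_mode)
                    printf("Kerberos V5: "
                           "krb5_mk_rep failed (%s)\r\n",
                           krb5_get_err_text(context, ret));
                return;
            }
            Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
        }
        /* Printable client principal, used in the ACCEPT reply and messages. */
        if (krb5_unparse_name(context, ticket->client, &name))
            name = 0;

        if(UserNameRequested && krb5_kuserok(context,
                                             ticket->client,
                                             UserNameRequested)) {
            Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
            if (auth_debug_mode) {
                printf("Kerberos5 identifies him as ``%s''\r\n",
                       name ? name : "");
            }

            /*
             * The ENCRYPT option only understands 8-byte DES keys, so a
             * session key is offered only for the DES enctypes; any other
             * key type leaves the connection authenticated but unencrypted.
             */
            if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
               key_block->keytype == ETYPE_DES_CBC_MD4 ||
               key_block->keytype == ETYPE_DES_CBC_CRC) {
                Session_Key skey;

                skey.type = SK_DES;
                skey.length = 8;
                skey.data = key_block->keyvalue.data;
                encrypt_session_key(&skey, 0);
            }

        } else {
            char *msg;

            asprintf (&msg, "user `%s' is not authorized to "
                      "login as `%s'",
                      name ? name : "<unknown>",
                      UserNameRequested ? UserNameRequested : "<nobody>");
            if (msg == NULL)
                Data(ap, KRB_REJECT, NULL, 0);
            else {
                Data(ap, KRB_REJECT, (void *)msg, -1);
                free(msg);
            }
            auth_finished (ap, AUTH_REJECT);
            free(name);
            /* NOTE(review): only the key material is released here; the
             * keyblock struct itself is not — confirm which free the
             * library expects for get*key() results. */
            krb5_free_keyblock_contents(context, key_block);
            break;
        }
        auth_finished(ap, AUTH_USER);
        free(name);
        krb5_free_keyblock_contents(context, key_block);

        break;
    case KRB_FORWARD: {
        struct passwd *pwd;
        char ccname[1024];  /* XXX */
        krb5_data inbuf;
        krb5_ccache ccache;
        inbuf.data = (char *)data;
        inbuf.length = cnt;

        pwd = getpwnam (UserNameRequested);
        if (pwd == NULL)
            break;

        /*
         * Fixed, predictable cache path in a shared directory.  The file
         * is created by krb5_cc_initialize below while still owned by
         * this process and only handed to the user by the chown at the
         * end.  NOTE(review): a per-session unique cache name would avoid
         * reusing a well-known path — confirm against the ccache API.
         */
        snprintf (ccname, sizeof(ccname),
                  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);

        ret = krb5_cc_resolve (context, ccname, &ccache);
        if (ret) {
            if (auth_debug_mode)
                printf ("Kerberos V5: could not get ccache: %s\r\n",
                        krb5_get_err_text(context, ret));
            break;
        }

        ret = krb5_cc_initialize (context,
                                  ccache,
                                  ticket->client);
        if (ret) {
            if (auth_debug_mode)
                printf ("Kerberos V5: could not init ccache: %s\r\n",
                        krb5_get_err_text(context, ret));
            krb5_cc_close(context, ccache);
            break;
        }

#if defined(DCE)
        esetenv("KRB5CCNAME", ccname, 1);
#endif
        ret = krb5_rd_cred2 (context,
                             auth_context,
                             ccache,
                             &inbuf);
        if(ret) {
            char *errbuf;

            if (asprintf (&errbuf,
                          "Read forwarded creds failed: %s",
                          krb5_get_err_text (context, ret)) < 0)
                errbuf = NULL;
            if(errbuf == NULL)
                Data(ap, KRB_FORWARD_REJECT, NULL, 0);
            else
                Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
            if (auth_debug_mode)
                printf("Could not read forwarded credentials: %s\r\n",
                       errbuf ? errbuf : "(out of memory)");
            free (errbuf);
        } else {
            Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
#if defined(DCE)
            dfsfwd = 1;
#endif
        }
        /* The cache file persists; only the handle is released here. */
        krb5_cc_close(context, ccache);
        /* ccname + 5 skips the "FILE:" prefix. */
        if (chown (ccname + 5, pwd->pw_uid, -1) != 0 && auth_debug_mode)
            printf("Kerberos V5: could not chown %s\r\n", ccname + 5);
        if (auth_debug_mode)
            printf("Forwarded credentials obtained\r\n");
        break;
    }
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        Data(ap, KRB_REJECT, 0, 0);
        break;
    }
}

/*
 * Client side: handle a REPLY suboption from the server.
 *
 *   KRB_REJECT          - print the reason (if any) and retry.
 *   KRB_ACCEPT          - for mutual authentication, require that a
 *                         KRB_RESPONSE was already verified; then
 *                         install the (sub)session key for ENCRYPT and
 *                         optionally forward credentials.
 *   KRB_RESPONSE        - verify the server's AP-REP (mutual only).
 *   KRB_FORWARD_ACCEPT /
 *   KRB_FORWARD_REJECT  - report the outcome of credential forwarding.
 *
 * mutual_complete is process-static and never reset, so it reflects the
 * first successful KRB_RESPONSE seen by this process.
 */
void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{
    static int mutual_complete = 0;

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_REJECT:
        if (cnt > 0) {
            printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
                   cnt, data);
        } else
            printf("[ Kerberos V5 refuses authentication ]\r\n");
        auth_send_retry();
        return;
    case KRB_ACCEPT: {
        krb5_error_code ret;
        Session_Key skey;
        krb5_keyblock *keyblock;

        /* An ACCEPT without a verified AP-REP is not good enough for MUTUAL. */
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
            !mutual_complete) {
            printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
            auth_send_retry();
            return;
        }
        if (cnt)
            printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
        else
            printf("[ Kerberos V5 accepts you ]\r\n");

        ret = krb5_auth_con_getlocalsubkey (context,
                                            auth_context,
                                            &keyblock);
        if (ret)
            ret = krb5_auth_con_getkey (context,
                                        auth_context,
                                        &keyblock);
        if(ret) {
            printf("[ krb5_auth_con_getkey: %s ]\r\n",
                   krb5_get_err_text(context, ret));
            auth_send_retry();
            return;
        }

        /*
         * The key type was pinned to DES by kerberos5_send, so 8 bytes
         * are taken here without the enctype check the server performs.
         */
        skey.type = SK_DES;
        skey.length = 8;
        skey.data = keyblock->keyvalue.data;
        encrypt_session_key(&skey, 0);
        krb5_free_keyblock_contents (context, keyblock);
        auth_finished(ap, AUTH_USER);
        if (forward_flags & OPTS_FORWARD_CREDS)
            kerberos5_forward(ap);
        break;
    }
    case KRB_RESPONSE:
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            /* the rest of the reply should contain a krb_ap_rep */
            krb5_ap_rep_enc_part *reply;
            krb5_data inbuf;
            krb5_error_code ret;

            inbuf.length = cnt;
            inbuf.data = (char *)data;

            ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
            if (ret) {
                printf("[ Mutual authentication failed: %s ]\r\n",
                       krb5_get_err_text (context, ret));
                auth_send_retry();
                return;
            }
            krb5_free_ap_rep_enc_part(context, reply);
            mutual_complete = 1;
        }
        return;
    case KRB_FORWARD_ACCEPT:
        printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
        return;
    case KRB_FORWARD_REJECT:
        printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
               cnt, data);
        return;
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        return;
    }
}

/*
 * Server side: report the authentication level.  Once the level reached
 * AUTH_USER, re-check that the authenticated principal may log in as
 * UserNameRequested; if so copy the name into `name' (bounded by
 * name_sz) and return AUTH_VALID, otherwise leave the level at AUTH_USER.
 *
 * Levels below AUTH_USER are returned unchanged.  `ticket' is only set
 * by a successful KRB_AUTH, so it is checked before being dereferenced.
 */
int
kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
{
    if (level < AUTH_USER)
        return(level);

    if (UserNameRequested &&
        ticket != NULL &&
        krb5_kuserok(context,
                     ticket->client,
                     UserNameRequested))
    {
        strlcpy(name, UserNameRequested, name_sz);
#if defined(DCE)
        dfsk5ok = 1;
#endif
        return(AUTH_VALID);
    } else
        return(AUTH_USER);
}

/* Advance `buf' past its current contents, keeping `len' in step. */
#define BUMP(buf, len)      while (*(buf)) {++(buf), --(len);}
/* Append one byte if room remains. */
#define ADDC(buf, len, c)   if ((len) > 0) {*(buf)++ = (c); --(len);}

/*
 * Render a Kerberos V5 AUTHENTICATION suboption (data[3] is the subtype,
 * data[4..cnt) the payload) as printable text into buf[0..buflen).
 * ACCEPT/REJECT payloads are shown as a quoted string, all others as a
 * list of byte values.  The output is always NUL-terminated; nothing is
 * written when buflen < 1.
 */
void
kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    int i;

    if (buflen < 1)
        return;

    buf[buflen-1] = '\0';       /* make sure its NULL terminated */
    buflen -= 1;

    switch(data[3]) {
    case KRB_REJECT:            /* Rejected (reason might follow) */
        strlcpy((char *)buf, " REJECT ", buflen);
        goto common;

    case KRB_ACCEPT:            /* Accepted (name might follow) */
        strlcpy((char *)buf, " ACCEPT ", buflen);
    common:
        BUMP(buf, buflen);
        if (cnt <= 4)
            break;
        ADDC(buf, buflen, '"');
        for (i = 4; i < cnt; i++)
            ADDC(buf, buflen, data[i]);
        ADDC(buf, buflen, '"');
        ADDC(buf, buflen, '\0');
        break;


    case KRB_AUTH:              /* Authentication data follows */
        strlcpy((char *)buf, " AUTH", buflen);
        goto common2;

    case KRB_RESPONSE:
        strlcpy((char *)buf, " RESPONSE", buflen);
        goto common2;

    case KRB_FORWARD:           /* Forwarded credentials follow */
        strlcpy((char *)buf, " FORWARD", buflen);
        goto common2;

    case KRB_FORWARD_ACCEPT:    /* Forwarded credentials accepted */
        strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
        goto common2;

    case KRB_FORWARD_REJECT:    /* Forwarded credentials rejected */
                                /* (reason might follow) */
        strlcpy((char *)buf, " FORWARD_REJECT", buflen);
        goto common2;

    default:
        snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
    common2:
        BUMP(buf, buflen);
        for (i = 4; i < cnt; i++) {
            snprintf((char*)buf, buflen, " %d", data[i]);
            BUMP(buf, buflen);
        }
        break;
    }
}

/*
 * Client side: obtain a forwarded TGT (krbtgt/REALM@REALM for the
 * cache's own principal) addressed to RemoteHostName and send it as a
 * KRB_FORWARD suboption.  The ticket is marked forwardable as well when
 * OPTS_FORWARDABLE_CREDS is set.
 *
 * Failures are reported in debug mode only; all library objects
 * acquired along the way are released before returning.
 */
void
kerberos5_forward(Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache;
    krb5_creds creds;
    krb5_kdc_flags flags;
    krb5_data out_data;
    krb5_principal principal = NULL;

    memset (&creds, 0, sizeof(creds));

    ret = krb5_cc_default (context, &ccache);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get default ccache: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    ret = krb5_cc_get_principal (context, ccache, &principal);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    creds.client = principal;

    ret = krb5_build_principal (context,
                                &creds.server,
                                strlen(principal->realm),
                                principal->realm,
                                "krbtgt",
                                principal->realm,
                                NULL);

    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    creds.times.endtime = 0;

    flags.i = 0;
    flags.b.forwarded = 1;
    if (forward_flags & OPTS_FORWARDABLE_CREDS)
        flags.b.forwardable = 1;

    ret = krb5_get_forwarded_creds (context,
                                    auth_context,
                                    ccache,
                                    flags.i,
                                    RemoteHostName,
                                    &creds,
                                    &out_data);
    if (ret) {
        if (auth_debug_mode)
            printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
    } else {
        if (auth_debug_mode)
            printf("Forwarded local Kerberos V5 credentials to server\r\n");
    }
    krb5_data_free(&out_data);

out:
    /* creds.client aliases `principal'; free each owned object exactly once. */
    if (creds.server)
        krb5_free_principal(context, creds.server);
    if (principal)
        krb5_free_principal(context, principal);
    krb5_cc_close(context, ccache);
}

#if defined(DCE)
/* if this was a K5 authentication try and join a PAG for the user. */
void
kerberos5_dfspag(void)
{
    if (dfsk5ok) {
        dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
                              UserNameRequested);
    }
}
#endif

/*
 * Set (1), clear (0) or toggle (-1) credential forwarding.  Any other
 * value leaves forward_flags untouched.  Always returns 0.
 */
int
kerberos5_set_forward(int on)
{
    if(on == 0)
        forward_flags &= ~OPTS_FORWARD_CREDS;
    if(on == 1)
        forward_flags |= OPTS_FORWARD_CREDS;
    if(on == -1)
        forward_flags ^= OPTS_FORWARD_CREDS;
    return 0;
}

/*
 * Set (1), clear (0) or toggle (-1) whether forwarded credentials are
 * themselves forwardable.  Any other value is ignored.  Always returns 0.
 */
int
kerberos5_set_forwardable(int on)
{
    if(on == 0)
        forward_flags &= ~OPTS_FORWARDABLE_CREDS;
    if(on == 1)
        forward_flags |= OPTS_FORWARDABLE_CREDS;
    if(on == -1)
        forward_flags ^= OPTS_FORWARDABLE_CREDS;
    return 0;
}

#endif /* KRB5 */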
| 57 58#ifdef KRB5 59 60#include <arpa/telnet.h> 61#include <stdio.h> 62#include <stdlib.h> 63#include <string.h> 64#include <unistd.h> 65#include <netdb.h> 66#include <ctype.h> 67#include <pwd.h> 68#define Authenticator k5_Authenticator 69#include <krb5.h> 70#undef Authenticator 71#include <roken.h> 72#ifdef SOCKS 73#include <socks.h> 74#endif 75 76 77#include "encrypt.h" 78#include "auth.h" 79#include "misc.h" 80 81#if defined(DCE) 82int dfsk5ok = 0; 83int dfspag = 0; 84int dfsfwd = 0; 85#endif 86 87int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */ 88 89int forward(int); 90int forwardable(int); 91 92/* These values need to be the same as those defined in telnet/main.c. */ 93/* Either define them in both places, or put in some common header file. */ 94#define OPTS_FORWARD_CREDS 0x00000002 95#define OPTS_FORWARDABLE_CREDS 0x00000001 96 97 98void kerberos5_forward (Authenticator *); 99 100static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, 101 AUTHTYPE_KERBEROS_V5, }; 102 103#define KRB_AUTH 0 /* Authentication data follows */ 104#define KRB_REJECT 1 /* Rejected (reason might follow) */ 105#define KRB_ACCEPT 2 /* Accepted */ 106#define KRB_RESPONSE 3 /* Response for mutual auth. */ 107 108#define KRB_FORWARD 4 /* Forwarded credentials follow */ 109#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 110#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 111 112static krb5_data auth; 113static krb5_ticket *ticket; 114 115static krb5_context context; 116static krb5_auth_context auth_context; 117 118static int 119Data(Authenticator *ap, int type, void *d, int c) 120{ 121 unsigned char *p = str_data + 4; 122 unsigned char *cd = (unsigned char *)d; 123 124 if (c == -1) 125 c = strlen((char*)cd); 126 127 if (auth_debug_mode) { 128 printf("%s:%d: [%d] (%d)", 129 str_data[3] == TELQUAL_IS ? 
">>>IS" : ">>>REPLY", 130 str_data[3], 131 type, c); 132 printd(d, c); 133 printf("\r\n"); 134 } 135 *p++ = ap->type; 136 *p++ = ap->way; 137 *p++ = type; 138 while (c-- > 0) { 139 if ((*p++ = *cd++) == IAC) 140 *p++ = IAC; 141 } 142 *p++ = IAC; 143 *p++ = SE; 144 if (str_data[3] == TELQUAL_IS) 145 printsub('>', &str_data[2], p - &str_data[2]); 146 return(telnet_net_write(str_data, p - str_data)); 147} 148 149int 150kerberos5_init(Authenticator *ap, int server) 151{ 152 krb5_error_code ret; 153 154 ret = krb5_init_context(&context); 155 if (ret) 156 return 0; 157 if (server) { 158 krb5_keytab kt; 159 krb5_kt_cursor cursor; 160 161 ret = krb5_kt_default(context, &kt); 162 if (ret) 163 return 0; 164 165 ret = krb5_kt_start_seq_get (context, kt, &cursor); 166 if (ret) { 167 krb5_kt_close (context, kt); 168 return 0; 169 } 170 krb5_kt_end_seq_get (context, kt, &cursor); 171 krb5_kt_close (context, kt); 172 173 str_data[3] = TELQUAL_REPLY; 174 } else 175 str_data[3] = TELQUAL_IS; 176 return(1); 177} 178 179extern int net; 180static int 181kerberos5_send(char *name, Authenticator *ap) 182{ 183 krb5_error_code ret; 184 krb5_ccache ccache; 185 int ap_opts; 186 krb5_data cksum_data; 187 char foo[2]; 188 189 if (!UserNameRequested) { 190 if (auth_debug_mode) { 191 printf("Kerberos V5: no user name supplied\r\n"); 192 } 193 return(0); 194 } 195 196 ret = krb5_cc_default(context, &ccache); 197 if (ret) { 198 if (auth_debug_mode) { 199 printf("Kerberos V5: could not get default ccache: %s\r\n", 200 krb5_get_err_text (context, ret)); 201 } 202 return 0; 203 } 204 205 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 206 ap_opts = AP_OPTS_MUTUAL_REQUIRED; 207 else 208 ap_opts = 0; 209 210 ap_opts |= AP_OPTS_USE_SUBKEY; 211 212 ret = krb5_auth_con_init (context, &auth_context); 213 if (ret) { 214 if (auth_debug_mode) { 215 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", 216 krb5_get_err_text(context, ret)); 217 } 218 return(0); 219 } 220 221 ret = 
krb5_auth_con_setaddrs_from_fd (context, 222 auth_context, 223 &net); 224 if (ret) { 225 if (auth_debug_mode) { 226 printf ("Kerberos V5:" 227 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", 228 krb5_get_err_text(context, ret)); 229 } 230 return(0); 231 } 232 233 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES); 234 235 foo[0] = ap->type; 236 foo[1] = ap->way; 237 238 cksum_data.length = sizeof(foo); 239 cksum_data.data = foo; 240 241 242 { 243 krb5_principal service; 244 char sname[128]; 245 246 247 ret = krb5_sname_to_principal (context, 248 RemoteHostName, 249 NULL, 250 KRB5_NT_SRV_HST, 251 &service); 252 if(ret) { 253 if (auth_debug_mode) { 254 printf ("Kerberos V5:" 255 " krb5_sname_to_principal(%s) failed (%s)\r\n", 256 RemoteHostName, krb5_get_err_text(context, ret)); 257 } 258 return 0; 259 } 260 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname)); 261 if(ret) { 262 if (auth_debug_mode) { 263 printf ("Kerberos V5:" 264 " krb5_unparse_name_fixed failed (%s)\r\n", 265 krb5_get_err_text(context, ret)); 266 } 267 return 0; 268 } 269 printf("[ Trying %s (%s)... 
]\r\n", name, sname); 270 ret = krb5_mk_req_exact(context, &auth_context, ap_opts, 271 service, 272 &cksum_data, ccache, &auth); 273 krb5_free_principal (context, service); 274 275 } 276 if (ret) { 277 if (1 || auth_debug_mode) { 278 printf("Kerberos V5: mk_req failed (%s)\r\n", 279 krb5_get_err_text(context, ret)); 280 } 281 return(0); 282 } 283 284 if (!auth_sendname((unsigned char *)UserNameRequested, 285 strlen(UserNameRequested))) { 286 if (auth_debug_mode) 287 printf("Not enough room for user name\r\n"); 288 return(0); 289 } 290 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 291 if (auth_debug_mode) 292 printf("Not enough room for authentication data\r\n"); 293 return(0); 294 } 295 if (auth_debug_mode) { 296 printf("Sent Kerberos V5 credentials to server\r\n"); 297 } 298 return(1); 299} 300 301int 302kerberos5_send_mutual(Authenticator *ap) 303{ 304 return kerberos5_send("mutual KERBEROS5", ap); 305} 306 307int 308kerberos5_send_oneway(Authenticator *ap) 309{ 310 return kerberos5_send("KERBEROS5", ap); 311} 312 313void 314kerberos5_is(Authenticator *ap, unsigned char *data, int cnt) 315{ 316 krb5_error_code ret; 317 krb5_data outbuf; 318 krb5_keyblock *key_block; 319 char *name; 320 krb5_principal server; 321 int zero = 0; 322 323 if (cnt-- < 1) 324 return; 325 switch (*data++) { 326 case KRB_AUTH: 327 auth.data = (char *)data; 328 auth.length = cnt; 329 330 auth_context = NULL; 331 332 ret = krb5_auth_con_init (context, &auth_context); 333 if (ret) { 334 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); 335 auth_finished(ap, AUTH_REJECT); 336 if (auth_debug_mode) 337 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", 338 krb5_get_err_text(context, ret)); 339 return; 340 } 341 342 ret = krb5_auth_con_setaddrs_from_fd (context, 343 auth_context, 344 &zero); 345 if (ret) { 346 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); 347 auth_finished(ap, AUTH_REJECT); 348 if (auth_debug_mode) 349 printf("Kerberos V5: " 350 
"krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", 351 krb5_get_err_text(context, ret)); 352 return; 353 } 354 355 ret = krb5_sock_to_principal (context, 356 0, 357 "host", 358 KRB5_NT_SRV_HST, 359 &server); 360 if (ret) { 361 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); 362 auth_finished(ap, AUTH_REJECT); 363 if (auth_debug_mode) 364 printf("Kerberos V5: " 365 "krb5_sock_to_principal failed (%s)\r\n", 366 krb5_get_err_text(context, ret)); 367 return; 368 } 369 370 ret = krb5_rd_req(context, 371 &auth_context, 372 &auth, 373 server, 374 NULL, 375 NULL, 376 &ticket); 377 378 krb5_free_principal (context, server); 379 if (ret) { 380 char *errbuf; 381 382 asprintf(&errbuf, 383 "Read req failed: %s", 384 krb5_get_err_text(context, ret)); 385 Data(ap, KRB_REJECT, errbuf, -1); 386 if (auth_debug_mode) 387 printf("%s\r\n", errbuf); 388 free (errbuf); 389 return; 390 } 391 392 { 393 char foo[2]; 394 395 foo[0] = ap->type; 396 foo[1] = ap->way; 397 398 ret = krb5_verify_authenticator_checksum(context, 399 auth_context, 400 foo, 401 sizeof(foo)); 402 403 if (ret) { 404 char *errbuf; 405 asprintf(&errbuf, "Bad checksum: %s", 406 krb5_get_err_text(context, ret)); 407 Data(ap, KRB_REJECT, errbuf, -1); 408 if (auth_debug_mode) 409 printf ("%s\r\n", errbuf); 410 free(errbuf); 411 return; 412 } 413 } 414 ret = krb5_auth_con_getremotesubkey (context, 415 auth_context, 416 &key_block); 417 418 if (ret) { 419 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); 420 auth_finished(ap, AUTH_REJECT); 421 if (auth_debug_mode) 422 printf("Kerberos V5: " 423 "krb5_auth_con_getremotesubkey failed (%s)\r\n", 424 krb5_get_err_text(context, ret)); 425 return; 426 } 427 428 if (key_block == NULL) { 429 ret = krb5_auth_con_getkey(context, 430 auth_context, 431 &key_block); 432 } 433 if (ret) { 434 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); 435 auth_finished(ap, AUTH_REJECT); 436 if (auth_debug_mode) 437 printf("Kerberos V5: " 438 "krb5_auth_con_getkey 
failed (%s)\r\n", 439 krb5_get_err_text(context, ret)); 440 return; 441 } 442 if (key_block == NULL) { 443 Data(ap, KRB_REJECT, "no subkey received", -1); 444 auth_finished(ap, AUTH_REJECT); 445 if (auth_debug_mode) 446 printf("Kerberos V5: " 447 "krb5_auth_con_getremotesubkey returned NULL key\r\n"); 448 return; 449 } 450 451 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 452 ret = krb5_mk_rep(context, auth_context, &outbuf); 453 if (ret) { 454 Data(ap, KRB_REJECT, 455 "krb5_mk_rep failed", -1); 456 auth_finished(ap, AUTH_REJECT); 457 if (auth_debug_mode) 458 printf("Kerberos V5: " 459 "krb5_mk_rep failed (%s)\r\n", 460 krb5_get_err_text(context, ret)); 461 return; 462 } 463 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 464 } 465 if (krb5_unparse_name(context, ticket->client, &name)) 466 name = 0; 467 468 if(UserNameRequested && krb5_kuserok(context, 469 ticket->client, 470 UserNameRequested)) { 471 Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 472 if (auth_debug_mode) { 473 printf("Kerberos5 identifies him as ``%s''\r\n", 474 name ? name : ""); 475 } 476 477 if(key_block->keytype == ETYPE_DES_CBC_MD5 || 478 key_block->keytype == ETYPE_DES_CBC_MD4 || 479 key_block->keytype == ETYPE_DES_CBC_CRC) { 480 Session_Key skey; 481 482 skey.type = SK_DES; 483 skey.length = 8; 484 skey.data = key_block->keyvalue.data; 485 encrypt_session_key(&skey, 0); 486 } 487 488 } else { 489 char *msg; 490 491 asprintf (&msg, "user `%s' is not authorized to " 492 "login as `%s'", 493 name ? name : "<unknown>", 494 UserNameRequested ? 
UserNameRequested : "<nobody>"); 495 if (msg == NULL) 496 Data(ap, KRB_REJECT, NULL, 0); 497 else { 498 Data(ap, KRB_REJECT, (void *)msg, -1); 499 free(msg); 500 } 501 auth_finished (ap, AUTH_REJECT); 502 krb5_free_keyblock_contents(context, key_block); 503 break; 504 } 505 auth_finished(ap, AUTH_USER); 506 krb5_free_keyblock_contents(context, key_block); 507 508 break; 509 case KRB_FORWARD: { 510 struct passwd *pwd; 511 char ccname[1024]; /* XXX */ 512 krb5_data inbuf; 513 krb5_ccache ccache; 514 inbuf.data = (char *)data; 515 inbuf.length = cnt; 516 517 pwd = getpwnam (UserNameRequested); 518 if (pwd == NULL) 519 break; 520 521 snprintf (ccname, sizeof(ccname), 522 "FILE:/tmp/krb5cc_%u", pwd->pw_uid); 523 524 ret = krb5_cc_resolve (context, ccname, &ccache); 525 if (ret) { 526 if (auth_debug_mode) 527 printf ("Kerberos V5: could not get ccache: %s\r\n", 528 krb5_get_err_text(context, ret)); 529 break; 530 } 531 532 ret = krb5_cc_initialize (context, 533 ccache, 534 ticket->client); 535 if (ret) { 536 if (auth_debug_mode) 537 printf ("Kerberos V5: could not init ccache: %s\r\n", 538 krb5_get_err_text(context, ret)); 539 break; 540 } 541 542#if defined(DCE) 543 esetenv("KRB5CCNAME", ccname, 1); 544#endif 545 ret = krb5_rd_cred2 (context, 546 auth_context, 547 ccache, 548 &inbuf); 549 if(ret) { 550 char *errbuf; 551 552 asprintf (&errbuf, 553 "Read forwarded creds failed: %s", 554 krb5_get_err_text (context, ret)); 555 if(errbuf == NULL) 556 Data(ap, KRB_FORWARD_REJECT, NULL, 0); 557 else 558 Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 559 if (auth_debug_mode) 560 printf("Could not read forwarded credentials: %s\r\n", 561 errbuf); 562 free (errbuf); 563 } else { 564 Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 565#if defined(DCE) 566 dfsfwd = 1; 567#endif 568 } 569 chown (ccname + 5, pwd->pw_uid, -1); 570 if (auth_debug_mode) 571 printf("Forwarded credentials obtained\r\n"); 572 break; 573 } 574 default: 575 if (auth_debug_mode) 576 printf("Unknown Kerberos option %d\r\n", 
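data[-1]);
        Data(ap, KRB_REJECT, 0, 0);
        break;
    }
}

/*
 * Client side: handle one AUTHENTICATION REPLY sub-option from the server.
 * `data' points at the Kerberos option byte (KRB_REJECT, KRB_ACCEPT,
 * KRB_RESPONSE, KRB_FORWARD_ACCEPT or KRB_FORWARD_REJECT) and `cnt' counts
 * the bytes from that byte onwards.
 *
 * In mutual mode the server sends KRB_RESPONSE (the AP-REP) before
 * KRB_ACCEPT, so an ACCEPT is honoured only after a valid AP-REP has been
 * verified for the attempt in progress.
 *
 * The text the server attaches to REJECT, ACCEPT and FORWARD_REJECT is
 * printed to the local terminal unfiltered; it is peer-controlled.
 */
void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{
    /*
     * Set once krb5_rd_rep() has verified the server's AP-REP for the
     * attempt in progress.  Cleared on every path that restarts the
     * exchange (auth_send_retry), so a value left over from an earlier
     * attempt can never satisfy the mutual-authentication check below.
     */
    static int mutual_complete = 0;

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_REJECT:
        if (cnt > 0) {
            printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
                   cnt, data);
        } else
            printf("[ Kerberos V5 refuses authentication ]\r\n");
        mutual_complete = 0;
        auth_send_retry();
        return;
    case KRB_ACCEPT: {
        krb5_error_code ret;
        Session_Key skey;
        krb5_keyblock *keyblock;

        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
            !mutual_complete) {
            printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
            auth_send_retry();
            return;
        }
        if (cnt)
            printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
        else
            printf("[ Kerberos V5 accepts you ]\r\n");

        /* Prefer the subkey we asked for (AP_OPTS_USE_SUBKEY in
         * kerberos5_send); fall back to the ticket session key. */
        ret = krb5_auth_con_getlocalsubkey (context,
                                            auth_context,
                                            &keyblock);
        if (ret)
            ret = krb5_auth_con_getkey (context,
                                        auth_context,
                                        &keyblock);
        if(ret) {
            printf("[ krb5_auth_con_getkey: %s ]\r\n",
                   krb5_get_err_text(context, ret));
            mutual_complete = 0;
            auth_send_retry();
            return;
        }

        /*
         * NOTE(review): the first 8 bytes of the key are handed to the
         * encryption layer as a DES key whatever its keytype, whereas the
         * server side (kerberos5_is) installs a session key only for the
         * DES enctypes.  With a non-DES key the two ends therefore do not
         * agree; confirm against the encryption negotiation.
         */
        skey.type = SK_DES;
        skey.length = 8;
        skey.data = keyblock->keyvalue.data;
        encrypt_session_key(&skey, 0);
        krb5_free_keyblock_contents (context, keyblock);
        auth_finished(ap, AUTH_USER);
        /* Only ship our TGT if the user asked for it (-f / -F). */
        if (forward_flags & OPTS_FORWARD_CREDS)
            kerberos5_forward(ap);
        break;
    }
    case KRB_RESPONSE:
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            /* the rest of the reply should contain a krb_ap_rep */
            krb5_ap_rep_enc_part *reply;
            krb5_data inbuf;
            krb5_error_code ret;

            inbuf.length = cnt;
            inbuf.data = (char *)data;

            ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
            if (ret) {
                printf("[ Mutual authentication failed: %s ]\r\n",
                       krb5_get_err_text (context, ret));
                mutual_complete = 0;
                auth_send_retry();
                return;
            }
            krb5_free_ap_rep_enc_part(context, reply);
            mutual_complete = 1;
        }
        return;
    case KRB_FORWARD_ACCEPT:
        printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
        return;
    case KRB_FORWARD_REJECT:
        /* The reason is optional, as for KRB_REJECT. */
        if (cnt > 0)
            printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
                   cnt, data);
        else
            printf("[ Kerberos V5 refuses forwarded credentials ]\r\n");
        return;
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        return;
    }
}

/*
 * Server side: report how far the Kerberos 5 exchange got.
 *
 * Returns AUTH_VALID -- and copies the requested account name into `name'
 * -- only when the authenticated client principal is allowed by
 * krb5_kuserok() to log in as UserNameRequested.  A client that
 * authenticated but is not authorized for that account stays at
 * AUTH_USER; anything below AUTH_USER is passed back unchanged.
 */
int
kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
{
    if (level < AUTH_USER)
        return(level);

    /* `ticket' is filled in by the server-side AP-REQ handling; without
     * it there is no principal to authorize, so never claim AUTH_VALID. */
    if (ticket == NULL)
        return(AUTH_USER);

    if (UserNameRequested &&
        krb5_kuserok(context, ticket->client, UserNameRequested)) {
        strlcpy(name, UserNameRequested, name_sz);
#if defined(DCE)
        dfsk5ok = 1;
#endif
        return(AUTH_VALID);
    }
    return(AUTH_USER);
}

/* Advance `buf' to its NUL terminator, shrinking `len' to match. */
#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
/* Append one byte to `buf' if there is room left in `len'. */
#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}

/*
 * Render a KERBEROS_V5 AUTHENTICATION sub-option for the option trace.
 * `data' holds `cnt' bytes with the Kerberos option byte at data[3]; the
 * text goes into `buf'.  buf[buflen-1] is reserved as a terminator so the
 * result is NUL-terminated no matter how much is appended.
 */
void
kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    int i;

    if (buflen < 1)
        return;
    buf[buflen-1] = '\0';           /* make sure its NULL terminated */
    buflen -= 1;

    /* Without the option byte there is nothing to decode. */
    if (cnt < 4) {
        buf[0] = '\0';
        return;
    }

    switch(data[3]) {
    case KRB_REJECT:                /* Rejected (reason might follow) */
        strlcpy((char *)buf, " REJECT ", buflen);
        goto common;

    case KRB_ACCEPT:                /* Accepted (name might follow) */
        strlcpy((char *)buf, " ACCEPT ", buflen);
    common:
        BUMP(buf, buflen);
        if (cnt <= 4)
            break;
        /* The trailing bytes are text: quote them verbatim. */
        ADDC(buf, buflen, '"');
        for (i = 4; i < cnt; i++)
            ADDC(buf, buflen, data[i]);
        ADDC(buf, buflen, '"');
        ADDC(buf, buflen, '\0');
        break;

    case KRB_AUTH:                  /* Authentication data follows */
        strlcpy((char *)buf, " AUTH", buflen);
        goto common2;

    case KRB_RESPONSE:
        strlcpy((char *)buf, " RESPONSE", buflen);
        goto common2;

    case KRB_FORWARD:               /* Forwarded credentials follow */
        strlcpy((char *)buf, " FORWARD", buflen);
        goto common2;

    case KRB_FORWARD_ACCEPT:        /* Forwarded credentials accepted */
        strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
        goto common2;

    case KRB_FORWARD_REJECT:        /* Forwarded credentials rejected */
                                    /* (reason might follow) */
        strlcpy((char *)buf, " FORWARD_REJECT", buflen);
        goto common2;

    default:
        snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
    common2:
        /* The trailing bytes are binary: dump them as decimal numbers. */
        BUMP(buf, buflen);
        for (i = 4; i < cnt; i++) {
            snprintf((char*)buf, buflen, " %d", data[i]);
            BUMP(buf, buflen);
        }
        break;
    }
}

/*
 * Client side: forward our TGT to the server as a KRB_FORWARD sub-option.
 * Called from kerberos5_reply after KRB_ACCEPT when the user asked for
 * forwarding (-f / -F, see forward_flags).  The forwarded ticket is
 * flagged `forwarded' and, only if OPTS_FORWARDABLE_CREDS is set,
 * `forwardable', so by default the remote host cannot pass it on again.
 *
 * NOTE(review): `principal', `creds.server', `out_data' and `ccache' are
 * not released on any path.  This runs once per session, so the leak is
 * bounded, but it is still a leak.
 */
void
kerberos5_forward(Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache;
    krb5_creds creds;
    krb5_kdc_flags flags;
    krb5_data out_data;
    krb5_principal principal;

    ret = krb5_cc_default (context, &ccache);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get default ccache: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    ret = krb5_cc_get_principal (context, ccache, &principal);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    memset (&creds, 0, sizeof(creds));

    creds.client = principal;

    /* What we forward is the TGT: krbtgt/REALM@REALM of our own realm. */
    ret = krb5_build_principal (context,
                                &creds.server,
                                strlen(principal->realm),
                                principal->realm,
                                "krbtgt",
                                principal->realm,
                                NULL);

    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not build krbtgt principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    creds.times.endtime = 0;

    flags.i = 0;
    flags.b.forwarded = 1;
    if (forward_flags & OPTS_FORWARDABLE_CREDS)
        flags.b.forwardable = 1;

    ret = krb5_get_forwarded_creds (context,
                                    auth_context,
                                    ccache,
                                    flags.i,
                                    RemoteHostName,
                                    &creds,
                                    &out_data);
    if (ret) {
        if (auth_debug_mode)
            printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
    } else {
        if (auth_debug_mode)
            printf("Forwarded local Kerberos V5 credentials to server\r\n");
    }
}

#if defined(DCE)
/* if this was a K5 authentication try and join a PAG for the user. */
void
kerberos5_dfspag(void)
{
    if (dfsk5ok) {
        dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
                              UserNameRequested);
    }
}
#endif

/*
 * Control credential forwarding (OPTS_FORWARD_CREDS in forward_flags):
 * on == 0 clears it, on == 1 sets it, on == -1 toggles it; any other
 * value is ignored.  Always returns 0.
 */
int
kerberos5_set_forward(int on)
{
    switch (on) {
    case 0:
        forward_flags &= ~OPTS_FORWARD_CREDS;
        break;
    case 1:
        forward_flags |= OPTS_FORWARD_CREDS;
        break;
    case -1:
        forward_flags ^= OPTS_FORWARD_CREDS;
        break;
    default:
        break;
    }
    return 0;
}

/*
 * Control whether forwarded credentials are themselves forwardable
 * (OPTS_FORWARDABLE_CREDS): on == 0 clears it, on == 1 sets it,
 * on == -1 toggles it; any other value is ignored.  Always returns 0.
 */
int
kerberos5_set_forwardable(int on)
{
    switch (on) {
    case 0:
        forward_flags &= ~OPTS_FORWARDABLE_CREDS;
        break;
    case 1:
        forward_flags |= OPTS_FORWARDABLE_CREDS;
        break;
    case -1:
        forward_flags ^= OPTS_FORWARDABLE_CREDS;
        break;
    default:
        break;
    }
    return 0;
}

#endif /* KRB5 */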
|