1/*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* 35 * Copyright (C) 1990 by the Massachusetts Institute of Technology 36 * 37 * Export of this software from the United States of America may 38 * require a specific license from the United States Government. 39 * It is the responsibility of any person or organization contemplating 40 * export to obtain such a license before exporting. 41 * 42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 43 * distribute this software and its documentation for any purpose and 44 * without fee is hereby granted, provided that the above copyright 45 * notice appear in all copies and that both that copyright notice and 46 * this permission notice appear in supporting documentation, and that 47 * the name of M.I.T. not be used in advertising or publicity pertaining 48 * to distribution of the software without specific, written prior 49 * permission. M.I.T. makes no representations about the suitability of 50 * this software for any purpose. It is provided "as is" without express 51 * or implied warranty. 52 */ 53 54#include <sys/cdefs.h> 55 56__FBSDID("$FreeBSD$"); 57 58#ifdef KRB5 59 60#include <arpa/telnet.h> 61#include <stdio.h> 62#include <stdlib.h> 63#include <string.h> 64#include <unistd.h> 65#include <netdb.h> 66#include <ctype.h> 67#include <pwd.h> 68#define Authenticator k5_Authenticator 69#include <krb5.h> 70#undef Authenticator 71 72#include "encrypt.h" 73#include "auth.h" 74#include "misc.h" 75 76int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */ 77 78/* These values need to be the same as those defined in telnet/main.c. */ 79/* Either define them in both places, or put in some common header file. */ 80#define OPTS_FORWARD_CREDS 0x00000002 81#define OPTS_FORWARDABLE_CREDS 0x00000001 82 83void kerberos5_forward (Authenticator *); 84 85static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, 86 AUTHTYPE_KERBEROS_V5, }; 87 88#define KRB_AUTH 0 /* Authentication data follows */ 89#define KRB_REJECT 1 /* Rejected (reason might follow) */ 90#define KRB_ACCEPT 2 /* Accepted */ 91#define KRB_RESPONSE 3 /* Response for mutual auth. */ 92 93#define KRB_FORWARD 4 /* Forwarded credentials follow */ 94#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 95#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 96 97static krb5_data auth; 98static krb5_ticket *ticket; 99 100static krb5_context context; 101static krb5_auth_context auth_context; 102 103static void 104print_krb5_error(krb5_context context, krb5_error_code code, const char *msg) 105{ 106 const char *error_message; 107 108 error_message = krb5_get_error_message(context, code); 109 printf(msg, error_message); 110 krb5_free_error_message(context, error_message); 111} 112 113static int 114Data(Authenticator *ap, int type, const char *d, int c) 115{ 116 unsigned char *p = str_data + 4; 117 const unsigned char *cd = d; 118 119 if (c == -1) 120 c = strlen(cd); 121 122 if (auth_debug_mode) { 123 printf("%s:%d: [%d] (%d)", 124 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 125 str_data[3], 126 type, c); 127 printd(d, c); 128 printf("\r\n"); 129 } 130 *p++ = ap->type; 131 *p++ = ap->way; 132 *p++ = type; 133 while (c-- > 0) { 134 if ((*p++ = *cd++) == IAC) 135 *p++ = IAC; 136 } 137 *p++ = IAC; 138 *p++ = SE; 139 if (str_data[3] == TELQUAL_IS) 140 printsub('>', &str_data[2], p - &str_data[2]); 141 return(net_write(str_data, p - str_data)); 142} 143 144int 145kerberos5_init(Authenticator *ap __unused, int server) 146{ 147 krb5_error_code ret; 148 149 ret = krb5_init_context(&context); 150 if (ret) 151 return 0; 152 if (server) { 153 krb5_keytab kt; 154 krb5_kt_cursor cursor; 155 156 ret = krb5_kt_default(context, &kt); 157 if (ret) 158 return 0; 159 160 ret = krb5_kt_start_seq_get (context, kt, &cursor); 161 if (ret) { 162 krb5_kt_close (context, kt); 163 return 0; 164 } 165 krb5_kt_end_seq_get (context, kt, &cursor); 166 krb5_kt_close (context, kt); 167 168 str_data[3] = TELQUAL_REPLY; 169 } else 170 str_data[3] = TELQUAL_IS; 171 return(1); 172} 173 174extern int net; 175 176static int 177kerberos5_send(const char *name, Authenticator *ap) 178{ 179 krb5_error_code ret; 180 krb5_ccache ccache; 181 int ap_opts; 182 krb5_data cksum_data; 183 char foo[2]; 184 185 if (!UserNameRequested) { 186 if (auth_debug_mode) { 187 printf("Kerberos V5: no user name supplied\r\n"); 188 } 189 return(0); 190 } 191 192 ret = krb5_cc_default(context, &ccache); 193 if (ret) { 194 if (auth_debug_mode) { 195 print_krb5_error(context, ret, "Kerberos V5: could not get default ccache: %s\r\n"); 196 } 197 return 0; 198 } 199 200 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 201 ap_opts = AP_OPTS_MUTUAL_REQUIRED; 202 else 203 ap_opts = 0; 204 ap_opts |= AP_OPTS_USE_SUBKEY; 205 206 ret = krb5_auth_con_init (context, &auth_context); 207 if (ret) { 208 if (auth_debug_mode) { 209 print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n"); 210 } 211 return(0); 212 } 213 214 ret = krb5_auth_con_setaddrs_from_fd (context, 215 auth_context, 216 &net); 217 if (ret) { 218 if (auth_debug_mode) { 219 print_krb5_error(context, ret, "Kerberos V5:" 220 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n"); 221 } 222 return(0); 223 } 224 225 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES); 226 227 foo[0] = ap->type; 228 foo[1] = ap->way; 229 230 cksum_data.length = sizeof(foo); 231 cksum_data.data = foo; 232 233 234 { 235 krb5_principal service; 236 char sname[128]; 237 238 239 ret = krb5_sname_to_principal (context, 240 RemoteHostName, 241 NULL, 242 KRB5_NT_SRV_HST, 243 &service); 244 if(ret) { 245 if (auth_debug_mode) { 246 const char *err_str; 247 248 err_str = krb5_get_error_message(context, ret); 249 printf("Kerberosr V5:" 250 " krb5_sname_to_principal(%s) failed (%s)\r\n", 251 RemoteHostName, err_str); 252 krb5_free_error_message(context, err_str); 253 } 254 return 0; 255 } 256 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname)); 257 if(ret) { 258 if (auth_debug_mode) { 259 print_krb5_error(context, ret, "Kerberos V5:" 260 " krb5_unparse_name_fixed failed (%s)\r\n"); 261 } 262 return 0; 263 } 264 printf("[ Trying %s (%s)... ]\r\n", name, sname); 265 ret = krb5_mk_req_exact(context, &auth_context, ap_opts, 266 service, 267 &cksum_data, ccache, &auth); 268 krb5_free_principal (context, service); 269 270 } 271 if (ret) { 272 if (1 || auth_debug_mode) { 273 print_krb5_error(context, ret, "Kerberos V5: mk_req failed (%s)\r\n"); 274 } 275 return(0); 276 } 277 278 if (!auth_sendname((unsigned char *)UserNameRequested, 279 strlen(UserNameRequested))) { 280 if (auth_debug_mode) 281 printf("Not enough room for user name\r\n"); 282 return(0); 283 } 284 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 285 if (auth_debug_mode) 286 printf("Not enough room for authentication data\r\n"); 287 return(0); 288 } 289 if (auth_debug_mode) { 290 printf("Sent Kerberos V5 credentials to server\r\n"); 291 } 292 return(1); 293} 294 295int 296kerberos5_send_mutual(Authenticator *ap) 297{ 298 return kerberos5_send("mutual KERBEROS5", ap); 299} 300 301int 302kerberos5_send_oneway(Authenticator *ap) 303{ 304 return kerberos5_send("KERBEROS5", ap); 305} 306 307void 308kerberos5_is(Authenticator *ap, unsigned char *data, int cnt) 309{ 310 krb5_error_code ret; 311 krb5_data outbuf; 312 krb5_keyblock *key_block; 313 char *name; 314 krb5_principal server; 315 int zero = 0; 316 317 if (cnt-- < 1) 318 return; 319 switch (*data++) { 320 case KRB_AUTH: 321 auth.data = (char *)data; 322 auth.length = cnt; 323 324 auth_context = NULL; 325 326 ret = krb5_auth_con_init (context, &auth_context); 327 if (ret) { 328 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); 329 auth_finished(ap, AUTH_REJECT); 330 if (auth_debug_mode) 331 print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n"); 332 return; 333 } 334 335 ret = krb5_auth_con_setaddrs_from_fd (context, 336 auth_context, 337 &zero); 338 if (ret) { 339 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); 340 auth_finished(ap, AUTH_REJECT); 341 if (auth_debug_mode) 342 print_krb5_error(context, ret, "Kerberos V5: " 343 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n"); 344 return; 345 } 346 347 ret = krb5_sock_to_principal (context, 348 0, 349 "host", 350 KRB5_NT_SRV_HST, 351 &server); 352 if (ret) { 353 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); 354 auth_finished(ap, AUTH_REJECT); 355 if (auth_debug_mode) 356 print_krb5_error(context, ret, "Kerberos V5: " 357 "krb5_sock_to_principal failed (%s)\r\n"); 358 return; 359 } 360 361 ret = krb5_rd_req(context, 362 &auth_context, 363 &auth, 364 server, 365 NULL, 366 NULL, 367 &ticket); 368 369 krb5_free_principal (context, server); 370 if (ret) { 371 char *errbuf; 372 const char *err_str; 373 374 err_str = krb5_get_error_message(context, ret); 375 asprintf(&errbuf, 376 "Read req failed: %s", err_str); 377 krb5_free_error_message(context, err_str); 378 Data(ap, KRB_REJECT, errbuf, -1); 379 if (auth_debug_mode) 380 printf("%s\r\n", errbuf); 381 free (errbuf); 382 return; 383 } 384 385 { 386 char foo[2]; 387 388 foo[0] = ap->type; 389 foo[1] = ap->way; 390 391 ret = krb5_verify_authenticator_checksum(context, 392 auth_context, 393 foo, 394 sizeof(foo)); 395 396 if (ret) { 397 char *errbuf; 398 const char *err_str; 399 400 err_str = krb5_get_error_message(context, ret); 401 asprintf(&errbuf, "Bad checksum: %s", err_str); 402 krb5_free_error_message(context, err_str); 403 Data(ap, KRB_REJECT, errbuf, -1); 404 if (auth_debug_mode) 405 printf ("%s\r\n", errbuf); 406 free(errbuf); 407 return; 408 } 409 } 410 ret = krb5_auth_con_getremotesubkey (context, 411 auth_context, 412 &key_block); 413 414 if (ret) { 415 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); 416 auth_finished(ap, AUTH_REJECT); 417 if (auth_debug_mode) 418 print_krb5_error(context, ret, "Kerberos V5: " 419 "krb5_auth_con_getremotesubkey failed (%s)\r\n"); 420 return; 421 } 422 423 if (key_block == NULL) { 424 ret = krb5_auth_con_getkey(context, 425 auth_context, 426 &key_block); 427 } 428 if (ret) { 429 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); 430 auth_finished(ap, AUTH_REJECT); 431 if (auth_debug_mode) 432 print_krb5_error(context, ret, "Kerberos V5: " 433 "krb5_auth_con_getkey failed (%s)\r\n"); 434 return; 435 } 436 if (key_block == NULL) { 437 Data(ap, KRB_REJECT, "no subkey received", -1); 438 auth_finished(ap, AUTH_REJECT); 439 if (auth_debug_mode) 440 printf("Kerberos V5: " 441 "krb5_auth_con_getremotesubkey returned NULL key\r\n"); 442 return; 443 } 444 445 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 446 ret = krb5_mk_rep(context, auth_context, &outbuf); 447 if (ret) { 448 Data(ap, KRB_REJECT, 449 "krb5_mk_rep failed", -1); 450 auth_finished(ap, AUTH_REJECT); 451 if (auth_debug_mode) 452 print_krb5_error(context, ret, "Kerberos V5: " 453 "krb5_mk_rep failed (%s)\r\n"); 454 return; 455 } 456 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 457 } 458 if (krb5_unparse_name(context, ticket->client, &name)) 459 name = 0; 460 461 if(UserNameRequested && krb5_kuserok(context, 462 ticket->client, 463 UserNameRequested)) { 464 Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 465 if (auth_debug_mode) { 466 printf("Kerberos5 identifies him as ``%s''\r\n", 467 name ? name : ""); 468 } 469 470 if(key_block->keytype == ETYPE_DES_CBC_MD5 || 471 key_block->keytype == ETYPE_DES_CBC_MD4 || 472 key_block->keytype == ETYPE_DES_CBC_CRC) { 473 Session_Key skey; 474 475 skey.type = SK_DES; 476 skey.length = 8; 477 skey.data = key_block->keyvalue.data; 478 encrypt_session_key(&skey, 0); 479 } 480 481 } else { 482 char *msg; 483 484 asprintf (&msg, "user `%s' is not authorized to " 485 "login as `%s'", 486 name ? name : "<unknown>", 487 UserNameRequested ? UserNameRequested : "<nobody>"); 488 if (msg == NULL) 489 Data(ap, KRB_REJECT, NULL, 0); 490 else { 491 Data(ap, KRB_REJECT, (void *)msg, -1); 492 free(msg); 493 } 494 auth_finished (ap, AUTH_REJECT); 495 krb5_free_keyblock_contents(context, key_block); 496 break; 497 } 498 auth_finished(ap, AUTH_USER); 499 krb5_free_keyblock_contents(context, key_block); 500 501 break; 502 case KRB_FORWARD: { 503 struct passwd *pwd; 504 char ccname[1024]; /* XXX */ 505 krb5_data inbuf; 506 krb5_ccache ccache; 507 inbuf.data = (char *)data; 508 inbuf.length = cnt; 509 510 pwd = getpwnam (UserNameRequested); 511 if (pwd == NULL) 512 break; 513 514 snprintf (ccname, sizeof(ccname), 515 "FILE:/tmp/krb5cc_%u", pwd->pw_uid); 516 517 ret = krb5_cc_resolve (context, ccname, &ccache); 518 if (ret) { 519 if (auth_debug_mode) 520 print_krb5_error(context, ret, "Kerberos V5: could not get ccache: %s\r\n"); 521 break; 522 } 523 524 ret = krb5_cc_initialize (context, 525 ccache, 526 ticket->client); 527 if (ret) { 528 if (auth_debug_mode) 529 print_krb5_error(context, ret, "Kerberos V5: could not init ccache: %s\r\n"); 530 break; 531 } 532 533#if defined(DCE) 534 esetenv("KRB5CCNAME", ccname, 1); 535#endif 536 ret = krb5_rd_cred2 (context, 537 auth_context, 538 ccache, 539 &inbuf); 540 if(ret) { 541 char *errbuf; 542 const char *err_str; 543 544 err_str = krb5_get_error_message(context, ret); 545 asprintf (&errbuf, 546 "Read forwarded creds failed: %s", err_str); 547 krb5_free_error_message(context, err_str); 548 if(errbuf == NULL) 549 Data(ap, KRB_FORWARD_REJECT, NULL, 0); 550 else 551 Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 552 if (auth_debug_mode) 553 printf("Could not read forwarded credentials: %s\r\n", 554 errbuf); 555 free (errbuf); 556 } else { 557 Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 558#if defined(DCE) 559 dfsfwd = 1; 560#endif 561 } 562 chown (ccname + 5, pwd->pw_uid, -1); 563 if (auth_debug_mode) 564 printf("Forwarded credentials obtained\r\n"); 565 break; 566 } 567 default: 568 if (auth_debug_mode) 569 printf("Unknown Kerberos option %d\r\n", data[-1]); 570 Data(ap, KRB_REJECT, 0, 0); 571 break; 572 } 573} 574 575void 576kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt) 577{ 578 static int mutual_complete = 0; 579 580 if (cnt-- < 1) 581 return; 582 switch (*data++) { 583 case KRB_REJECT: 584 if (cnt > 0) { 585 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 586 cnt, data); 587 } else 588 printf("[ Kerberos V5 refuses authentication ]\r\n"); 589 auth_send_retry(); 590 return; 591 case KRB_ACCEPT: { 592 krb5_error_code ret; 593 Session_Key skey; 594 krb5_keyblock *keyblock; 595 596 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 597 !mutual_complete) { 598 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); 599 auth_send_retry(); 600 return; 601 } 602 if (cnt) 603 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); 604 else 605 printf("[ Kerberos V5 accepts you ]\r\n"); 606 607 ret = krb5_auth_con_getlocalsubkey (context, 608 auth_context, 609 &keyblock); 610 if (ret) 611 ret = krb5_auth_con_getkey (context, 612 auth_context, 613 &keyblock); 614 if(ret) { 615 print_krb5_error(context, ret, "[ krb5_auth_con_getkey: %s ]\r\n"); 616 auth_send_retry(); 617 return; 618 } 619 620 skey.type = SK_DES; 621 skey.length = 8; 622 skey.data = keyblock->keyvalue.data; 623 encrypt_session_key(&skey, 0); 624 krb5_free_keyblock_contents (context, keyblock); 625 auth_finished(ap, AUTH_USER); 626 if (forward_flags & OPTS_FORWARD_CREDS) 627 kerberos5_forward(ap); 628 break; 629 } 630 case KRB_RESPONSE: 631 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 632 /* the rest of the reply should contain a krb_ap_rep */ 633 krb5_ap_rep_enc_part *reply; 634 krb5_data inbuf; 635 krb5_error_code ret; 636 637 inbuf.length = cnt; 638 inbuf.data = (char *)data; 639 640 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply); 641 if (ret) { 642 print_krb5_error(context, ret, "[ Mutual authentication failed: %s ]\r\n"); 643 auth_send_retry(); 644 return; 645 } 646 krb5_free_ap_rep_enc_part(context, reply); 647 mutual_complete = 1; 648 } 649 return; 650 case KRB_FORWARD_ACCEPT: 651 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n"); 652 return; 653 case KRB_FORWARD_REJECT: 654 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 655 cnt, data); 656 return; 657 default: 658 if (auth_debug_mode) 659 printf("Unknown Kerberos option %d\r\n", data[-1]); 660 return; 661 } 662} 663 664int 665kerberos5_status(Authenticator *ap __unused, char *name, int level) 666{ 667 if (level < AUTH_USER) 668 return(level); 669 670 if (UserNameRequested && 671 krb5_kuserok(context, 672 ticket->client, 673 UserNameRequested)) 674 { 675 strcpy(name, UserNameRequested); 676 return(AUTH_VALID); 677 } else 678 return(AUTH_USER); 679} 680 681#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 682#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 683 684void 685kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 686{ 687 int i; 688 689 buf[buflen-1] = '\0'; /* make sure its NULL terminated */ 690 buflen -= 1; 691 692 switch(data[3]) { 693 case KRB_REJECT: /* Rejected (reason might follow) */ 694 strlcpy((char *)buf, " REJECT ", buflen); 695 goto common; 696 697 case KRB_ACCEPT: /* Accepted (name might follow) */ 698 strlcpy((char *)buf, " ACCEPT ", buflen); 699 common: 700 BUMP(buf, buflen); 701 if (cnt <= 4) 702 break; 703 ADDC(buf, buflen, '"'); 704 for (i = 4; i < cnt; i++) 705 ADDC(buf, buflen, data[i]); 706 ADDC(buf, buflen, '"'); 707 ADDC(buf, buflen, '\0'); 708 break; 709 710 711 case KRB_AUTH: /* Authentication data follows */ 712 strlcpy((char *)buf, " AUTH", buflen); 713 goto common2; 714 715 case KRB_RESPONSE: 716 strlcpy((char *)buf, " RESPONSE", buflen); 717 goto common2; 718 719 case KRB_FORWARD: /* Forwarded credentials follow */ 720 strlcpy((char *)buf, " FORWARD", buflen); 721 goto common2; 722 723 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 724 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen); 725 goto common2; 726 727 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 728 /* (reason might follow) */ 729 strlcpy((char *)buf, " FORWARD_REJECT", buflen); 730 goto common2; 731 732 default: 733 snprintf(buf, buflen, " %d (unknown)", data[3]); 734 common2: 735 BUMP(buf, buflen); 736 for (i = 4; i < cnt; i++) { 737 snprintf(buf, buflen, " %d", data[i]); 738 BUMP(buf, buflen); 739 } 740 break; 741 } 742} 743 744void 745kerberos5_forward(Authenticator *ap) 746{ 747 krb5_error_code ret; 748 krb5_ccache ccache; 749 krb5_creds creds; 750 krb5_kdc_flags flags; 751 krb5_data out_data; 752 krb5_principal principal; 753 754 ret = krb5_cc_default (context, &ccache); 755 if (ret) { 756 if (auth_debug_mode) 757 print_krb5_error(context, ret, "KerberosV5: could not get default ccache: %s\r\n"); 758 return; 759 } 760 761 ret = krb5_cc_get_principal (context, ccache, &principal); 762 if (ret) { 763 if (auth_debug_mode) 764 print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n"); 765 return; 766 } 767 768 memset (&creds, 0, sizeof(creds)); 769 770 creds.client = principal; 771 772 ret = krb5_build_principal (context, 773 &creds.server, 774 strlen(principal->realm), 775 principal->realm, 776 "krbtgt", 777 principal->realm, 778 NULL); 779 780 if (ret) { 781 if (auth_debug_mode) 782 print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n"); 783 return; 784 } 785 786 creds.times.endtime = 0; 787 788 flags.i = 0; 789 flags.b.forwarded = 1; 790 if (forward_flags & OPTS_FORWARDABLE_CREDS) 791 flags.b.forwardable = 1; 792 793 ret = krb5_get_forwarded_creds (context, 794 auth_context, 795 ccache, 796 flags.i, 797 RemoteHostName, 798 &creds, 799 &out_data); 800 if (ret) { 801 if (auth_debug_mode) 802 print_krb5_error(context, ret, "Kerberos V5: error getting forwarded creds: %s\r\n"); 803 return; 804 } 805 806 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) { 807 if (auth_debug_mode) 808 printf("Not enough room for authentication data\r\n"); 809 } else { 810 if (auth_debug_mode) 811 printf("Forwarded local Kerberos V5 credentials to server\r\n"); 812 } 813} 814 815#if defined(DCE) 816/* if this was a K5 authentication try and join a PAG for the user. */ 817void 818kerberos5_dfspag(void) 819{ 820 if (dfsk5ok) { 821 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client, 822 UserNameRequested); 823 } 824} 825#endif 826 827#endif /* KRB5 */ 828