auth-krb5.c revision 323129 
1/* $OpenBSD: auth-krb5.c,v 1.22 2016/05/04 14:22:33 markus Exp $ */
2/*
3 *    Kerberos v5 authentication and ticket-passing routines.
4 *
5 * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
6 */
7/*
8 * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include "includes.h"
32
33#include <sys/types.h>
34#include <pwd.h>
35#include <stdarg.h>
36
37#include "xmalloc.h"
38#include "ssh.h"
39#include "packet.h"
40#include "log.h"
41#include "buffer.h"
42#include "misc.h"
43#include "servconf.h"
44#include "uidswap.h"
45#include "key.h"
46#include "hostfile.h"
47#include "auth.h"
48
49#ifdef KRB5
50#include <errno.h>
51#include <unistd.h>
52#include <string.h>
53#include <krb5.h>
54
55extern ServerOptions	 options;
56
57static int
58krb5_init(void *context)
59{
60	Authctxt *authctxt = (Authctxt *)context;
61	krb5_error_code problem;
62
63	if (authctxt->krb5_ctx == NULL) {
64		problem = krb5_init_context(&authctxt->krb5_ctx);
65		if (problem)
66			return (problem);
67	}
68	return (0);
69}
70
71int
72auth_krb5_password(Authctxt *authctxt, const char *password)
73{
74#ifndef HEIMDAL
75	krb5_creds creds;
76	krb5_principal server;
77#endif
78	krb5_error_code problem;
79	krb5_ccache ccache = NULL;
80	int len;
81	char *client, *platform_client;
82	const char *errmsg;
83
84	/* get platform-specific kerberos client principal name (if it exists) */
85	platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
86	client = platform_client ? platform_client : authctxt->pw->pw_name;
87
88	temporarily_use_uid(authctxt->pw);
89
90	problem = krb5_init(authctxt);
91	if (problem)
92		goto out;
93
94	problem = krb5_parse_name(authctxt->krb5_ctx, client,
95		    &authctxt->krb5_user);
96	if (problem)
97		goto out;
98
99#ifdef HEIMDAL
100# ifdef HAVE_KRB5_CC_NEW_UNIQUE
101	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
102	     krb5_mcc_ops.prefix, NULL, &ccache);
103# else
104	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
105# endif
106	if (problem)
107		goto out;
108
109	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
110		authctxt->krb5_user);
111	if (problem)
112		goto out;
113
114	restore_uid();
115
116	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
117	    ccache, password, 1, NULL);
118
119	temporarily_use_uid(authctxt->pw);
120
121	if (problem)
122		goto out;
123
124# ifdef HAVE_KRB5_CC_NEW_UNIQUE
125	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
126	     krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
127# else
128	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
129	    &authctxt->krb5_fwd_ccache);
130# endif
131	if (problem)
132		goto out;
133
134	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
135	    authctxt->krb5_fwd_ccache);
136	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
137	ccache = NULL;
138	if (problem)
139		goto out;
140
141#else
142	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
143	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
144	if (problem)
145		goto out;
146
147	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
148	    KRB5_NT_SRV_HST, &server);
149	if (problem)
150		goto out;
151
152	restore_uid();
153	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
154	    NULL, NULL, NULL);
155	krb5_free_principal(authctxt->krb5_ctx, server);
156	temporarily_use_uid(authctxt->pw);
157	if (problem)
158		goto out;
159
160	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
161	    authctxt->pw->pw_name)) {
162		problem = -1;
163		goto out;
164	}
165
166	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
167	if (problem)
168		goto out;
169
170	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
171				     authctxt->krb5_user);
172	if (problem)
173		goto out;
174
175	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
176				 &creds);
177	if (problem)
178		goto out;
179#endif
180
181	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
182
183	len = strlen(authctxt->krb5_ticket_file) + 6;
184	authctxt->krb5_ccname = xmalloc(len);
185	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
186	    authctxt->krb5_ticket_file);
187
188#ifdef USE_PAM
189	if (options.use_pam)
190		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
191#endif
192
193 out:
194	restore_uid();
195
196	free(platform_client);
197
198	if (problem) {
199		if (ccache)
200			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
201
202		if (authctxt->krb5_ctx != NULL && problem!=-1) {
203			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
204			    problem);
205 			debug("Kerberos password authentication failed: %s",
206			    errmsg);
207			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
208		} else
209			debug("Kerberos password authentication failed: %d",
210			    problem);
211
212		krb5_cleanup_proc(authctxt);
213
214		if (options.kerberos_or_local_passwd)
215			return (-1);
216		else
217			return (0);
218	}
219	return (authctxt->valid ? 1 : 0);
220}
221
222void
223krb5_cleanup_proc(Authctxt *authctxt)
224{
225	debug("krb5_cleanup_proc called");
226	if (authctxt->krb5_fwd_ccache) {
227		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
228		authctxt->krb5_fwd_ccache = NULL;
229	}
230	if (authctxt->krb5_user) {
231		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
232		authctxt->krb5_user = NULL;
233	}
234	if (authctxt->krb5_ctx) {
235		krb5_free_context(authctxt->krb5_ctx);
236		authctxt->krb5_ctx = NULL;
237	}
238}
239
240#ifndef HEIMDAL
241krb5_error_code
242ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
243	int tmpfd, ret, oerrno;
244	char ccname[40];
245	mode_t old_umask;
246
247	ret = snprintf(ccname, sizeof(ccname),
248	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
249	if (ret < 0 || (size_t)ret >= sizeof(ccname))
250		return ENOMEM;
251
252	old_umask = umask(0177);
253	tmpfd = mkstemp(ccname + strlen("FILE:"));
254	oerrno = errno;
255	umask(old_umask);
256	if (tmpfd == -1) {
257		logit("mkstemp(): %.100s", strerror(oerrno));
258		return oerrno;
259	}
260
261	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
262		oerrno = errno;
263		logit("fchmod(): %.100s", strerror(oerrno));
264		close(tmpfd);
265		return oerrno;
266	}
267	close(tmpfd);
268
269	return (krb5_cc_resolve(ctx, ccname, ccache));
270}
271#endif /* !HEIMDAL */
272#endif /* KRB5 */
273