kerberos5.c revision 1.14
1 1.14 christos /* $NetBSD: kerberos5.c,v 1.14 2005/04/19 03:19:46 christos Exp $ */ 2 1.4 thorpej 3 1.1 cgd /*- 4 1.4 thorpej * Copyright (c) 1991, 1993 5 1.4 thorpej * The Regents of the University of California. All rights reserved. 6 1.1 cgd * 7 1.1 cgd * Redistribution and use in source and binary forms, with or without 8 1.1 cgd * modification, are permitted provided that the following conditions 9 1.1 cgd * are met: 10 1.1 cgd * 1. Redistributions of source code must retain the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer. 12 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 cgd * notice, this list of conditions and the following disclaimer in the 14 1.1 cgd * documentation and/or other materials provided with the distribution. 15 1.12 agc * 3. Neither the name of the University nor the names of its contributors 16 1.1 cgd * may be used to endorse or promote products derived from this software 17 1.1 cgd * without specific prior written permission. 18 1.1 cgd * 19 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 1.1 cgd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 1.1 cgd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 1.1 cgd * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 1.1 cgd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 1.1 cgd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 1.1 cgd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 1.1 cgd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 1.1 cgd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 1.1 cgd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 1.1 cgd * SUCH DAMAGE. 30 1.1 cgd */ 31 1.1 cgd 32 1.1 cgd /* 33 1.1 cgd * Copyright (C) 1990 by the Massachusetts Institute of Technology 34 1.1 cgd * 35 1.4 thorpej * Export of this software from the United States of America may 36 1.4 thorpej * require a specific license from the United States Government. 37 1.1 cgd * It is the responsibility of any person or organization contemplating 38 1.1 cgd * export to obtain such a license before exporting. 39 1.1 cgd * 40 1.1 cgd * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 41 1.1 cgd * distribute this software and its documentation for any purpose and 42 1.1 cgd * without fee is hereby granted, provided that the above copyright 43 1.1 cgd * notice appear in all copies and that both that copyright notice and 44 1.1 cgd * this permission notice appear in supporting documentation, and that 45 1.1 cgd * the name of M.I.T. not be used in advertising or publicity pertaining 46 1.1 cgd * to distribution of the software without specific, written prior 47 1.1 cgd * permission. M.I.T. makes no representations about the suitability of 48 1.1 cgd * this software for any purpose. It is provided "as is" without express 49 1.1 cgd * or implied warranty. 50 1.1 cgd */ 51 1.1 cgd 52 1.1 cgd #ifdef KRB5 53 1.1 cgd #include <arpa/telnet.h> 54 1.1 cgd #include <stdio.h> 55 1.4 thorpej #include <stdlib.h> 56 1.4 thorpej #include <string.h> 57 1.4 thorpej #include <unistd.h> 58 1.1 cgd #include <netdb.h> 59 1.1 cgd #include <ctype.h> 60 1.4 thorpej #include <pwd.h> 61 1.4 thorpej #define Authenticator k5_Authenticator 62 1.4 thorpej #include <krb5.h> 63 1.4 thorpej #undef Authenticator 64 1.4 thorpej /* #include <roken.h> */ 65 1.1 cgd 66 1.1 cgd #include "encrypt.h" 67 1.1 cgd #include "auth.h" 68 1.1 cgd #include "misc.h" 69 1.1 cgd 70 1.6 christos extern int net; 71 1.6 christos 72 1.4 thorpej int forward_flags; /* Flags get set in telnet/main.c on -f and -F */ 73 1.4 thorpej int got_forwarded_creds;/* Tell telnetd to pass -F or -f to login. */ 74 1.1 cgd 75 1.4 thorpej int require_hwpreauth; 76 1.1 cgd 77 1.4 thorpej void kerberos5_forward(Authenticator *); 78 1.4 thorpej 79 1.4 thorpej static unsigned char str_data[1024] = {IAC, SB, TELOPT_AUTHENTICATION, 0, 80 1.4 thorpej AUTHTYPE_KERBEROS_V5,}; 81 1.4 thorpej 82 1.4 thorpej #define KRB_AUTH 0 /* Authentication data follows */ 83 1.4 thorpej #define KRB_REJECT 1 /* Rejected (reason might follow) */ 84 1.4 thorpej #define KRB_ACCEPT 2 /* Accepted */ 85 1.4 thorpej #define KRB_RESPONSE 3 /* Response for mutual auth. */ 86 1.4 thorpej 87 1.4 thorpej #define KRB_FORWARD 4 /* Forwarded credentials follow */ 88 1.4 thorpej #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 89 1.4 thorpej #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 90 1.4 thorpej 91 1.4 thorpej static krb5_data auth; 92 1.4 thorpej static krb5_ticket *ticket; 93 1.4 thorpej 94 1.4 thorpej krb5_context telnet_context; 95 1.4 thorpej static krb5_auth_context auth_context; 96 1.4 thorpej 97 1.4 thorpej static int 98 1.4 thorpej Data(Authenticator *ap, int type, void *d, int c) 99 1.1 cgd { 100 1.4 thorpej unsigned char *p = str_data + 4; 101 1.4 thorpej unsigned char *cd = (unsigned char *) d; 102 1.1 cgd 103 1.1 cgd if (c == -1) 104 1.4 thorpej c = strlen(cd); 105 1.1 cgd 106 1.4 thorpej if (auth_debug_mode) { 107 1.4 thorpej printf("%s:%d: [%d] (%d)", 108 1.4 thorpej str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 109 1.4 thorpej str_data[3], 110 1.4 thorpej type, c); 111 1.4 thorpej printd(d, c); 112 1.4 thorpej printf("\r\n"); 113 1.4 thorpej } 114 1.1 cgd *p++ = ap->type; 115 1.1 cgd *p++ = ap->way; 116 1.1 cgd *p++ = type; 117 1.4 thorpej while (c-- > 0) { 118 1.4 thorpej if ((*p++ = *cd++) == IAC) 119 1.4 thorpej *p++ = IAC; 120 1.4 thorpej } 121 1.4 thorpej *p++ = IAC; 122 1.4 thorpej *p++ = SE; 123 1.1 cgd if (str_data[3] == TELQUAL_IS) 124 1.1 cgd printsub('>', &str_data[2], p - &str_data[2]); 125 1.4 thorpej return (telnet_net_write(str_data, p - str_data)); 126 1.1 cgd } 127 1.1 cgd 128 1.4 thorpej int 129 1.4 thorpej kerberos5_init(Authenticator *ap, int server) 130 1.1 cgd { 131 1.5 thorpej krb5_error_code ret; 132 1.4 thorpej 133 1.5 thorpej if (telnet_context == 0) { 134 1.5 thorpej ret = krb5_init_context(&telnet_context); 135 1.5 thorpej if (ret) 136 1.5 thorpej return 0; 137 1.5 thorpej } 138 1.4 thorpej 139 1.4 thorpej if (server) { 140 1.4 thorpej krb5_keytab kt; 141 1.4 thorpej krb5_kt_cursor cursor; 142 1.4 thorpej 143 1.4 thorpej ret = krb5_kt_default(telnet_context, &kt); 144 1.4 thorpej if (ret) 145 1.4 thorpej return 0; 146 1.4 thorpej 147 1.4 thorpej ret = krb5_kt_start_seq_get(telnet_context, kt, &cursor); 148 1.4 thorpej if (ret) { 149 1.4 thorpej krb5_kt_close(telnet_context, kt); 150 1.4 thorpej return 0; 151 1.4 thorpej } 152 1.4 thorpej krb5_kt_end_seq_get(telnet_context, kt, &cursor); 153 1.4 thorpej krb5_kt_close(telnet_context, kt); 154 1.4 thorpej 155 1.1 cgd str_data[3] = TELQUAL_REPLY; 156 1.4 thorpej } else 157 1.1 cgd str_data[3] = TELQUAL_IS; 158 1.4 thorpej return (1); 159 1.1 cgd } 160 1.1 cgd 161 1.4 thorpej int 162 1.4 thorpej kerberos5_send(Authenticator *ap) 163 1.1 cgd { 164 1.4 thorpej krb5_error_code ret; 165 1.1 cgd krb5_ccache ccache; 166 1.4 thorpej int ap_opts; 167 1.4 thorpej krb5_data cksum_data; 168 1.4 thorpej char foo[2]; 169 1.1 cgd 170 1.4 thorpej printf("[ Trying KERBEROS5 ... ]\r\n"); 171 1.1 cgd 172 1.4 thorpej if (!UserNameRequested) { 173 1.1 cgd if (auth_debug_mode) { 174 1.4 thorpej printf("Kerberos V5: no user name supplied\r\n"); 175 1.1 cgd } 176 1.4 thorpej return (0); 177 1.1 cgd } 178 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 179 1.4 thorpej if (ret) { 180 1.1 cgd if (auth_debug_mode) { 181 1.4 thorpej printf( 182 1.4 thorpej "Kerberos V5: could not get default ccache: %s\r\n", 183 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 184 1.1 cgd } 185 1.4 thorpej return (0); 186 1.1 cgd } 187 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 188 1.4 thorpej ap_opts = AP_OPTS_MUTUAL_REQUIRED; 189 1.4 thorpej else 190 1.4 thorpej ap_opts = 0; 191 1.1 cgd 192 1.9 joda ap_opts |= AP_OPTS_USE_SUBKEY; 193 1.9 joda 194 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 195 1.4 thorpej if (ret) { 196 1.1 cgd if (auth_debug_mode) { 197 1.4 thorpej printf( 198 1.4 thorpej "Kerberos V5: krb5_auth_con_init failed: %s\r\n", 199 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 200 1.4 thorpej } 201 1.4 thorpej return (0); 202 1.4 thorpej } 203 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 204 1.4 thorpej auth_context, &net); 205 1.4 thorpej if (ret) { 206 1.4 thorpej if (auth_debug_mode) { 207 1.4 thorpej printf("Kerberos V5: " 208 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed: %s\r\n", 209 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 210 1.1 cgd } 211 1.4 thorpej return (0); 212 1.1 cgd } 213 1.8 assar krb5_auth_con_setkeytype(telnet_context, auth_context, KEYTYPE_DES); 214 1.1 cgd 215 1.4 thorpej foo[0] = ap->type; 216 1.4 thorpej foo[1] = ap->way; 217 1.1 cgd 218 1.4 thorpej cksum_data.length = sizeof(foo); 219 1.4 thorpej cksum_data.data = foo; 220 1.4 thorpej ret = krb5_mk_req(telnet_context, &auth_context, ap_opts, "host", 221 1.4 thorpej RemoteHostName, &cksum_data, ccache, &auth); 222 1.4 thorpej if (ret) { 223 1.4 thorpej if (1 || auth_debug_mode) { 224 1.4 thorpej printf("Kerberos V5: mk_req failed (%s)\r\n", 225 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 226 1.1 cgd } 227 1.4 thorpej return (0); 228 1.1 cgd } 229 1.1 cgd 230 1.4 thorpej if (!auth_sendname((unsigned char *) UserNameRequested, 231 1.4 thorpej strlen(UserNameRequested))) { 232 1.4 thorpej if (auth_debug_mode) 233 1.4 thorpej printf("Not enough room for user name\r\n"); 234 1.4 thorpej return (0); 235 1.4 thorpej } 236 1.1 cgd if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 237 1.1 cgd if (auth_debug_mode) 238 1.1 cgd printf("Not enough room for authentication data\r\n"); 239 1.4 thorpej return (0); 240 1.1 cgd } 241 1.1 cgd if (auth_debug_mode) { 242 1.1 cgd printf("Sent Kerberos V5 credentials to server\r\n"); 243 1.1 cgd } 244 1.4 thorpej return (1); 245 1.1 cgd } 246 1.1 cgd 247 1.4 thorpej void 248 1.4 thorpej kerberos5_is(Authenticator * ap, unsigned char *data, int cnt) 249 1.1 cgd { 250 1.4 thorpej krb5_error_code ret; 251 1.4 thorpej krb5_data outbuf; 252 1.4 thorpej krb5_keyblock *key_block; 253 1.1 cgd char *name; 254 1.4 thorpej krb5_principal server; 255 1.4 thorpej int zero = 0; 256 1.1 cgd 257 1.1 cgd if (cnt-- < 1) 258 1.1 cgd return; 259 1.1 cgd switch (*data++) { 260 1.1 cgd case KRB_AUTH: 261 1.4 thorpej auth.data = (char *) data; 262 1.1 cgd auth.length = cnt; 263 1.1 cgd 264 1.4 thorpej auth_context = NULL; 265 1.4 thorpej 266 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 267 1.4 thorpej if (ret) { 268 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); 269 1.4 thorpej auth_finished(ap, AUTH_REJECT); 270 1.1 cgd if (auth_debug_mode) 271 1.4 thorpej printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", 272 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 273 1.4 thorpej return; 274 1.4 thorpej } 275 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 276 1.4 thorpej auth_context, &zero); 277 1.4 thorpej if (ret) { 278 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); 279 1.1 cgd auth_finished(ap, AUTH_REJECT); 280 1.4 thorpej if (auth_debug_mode) 281 1.4 thorpej printf("Kerberos V5: " 282 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", 283 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 284 1.1 cgd return; 285 1.1 cgd } 286 1.4 thorpej ret = krb5_sock_to_principal(telnet_context, 0, "host", 287 1.4 thorpej KRB5_NT_SRV_HST, &server); 288 1.4 thorpej if (ret) { 289 1.4 thorpej Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); 290 1.4 thorpej auth_finished(ap, AUTH_REJECT); 291 1.1 cgd if (auth_debug_mode) 292 1.4 thorpej printf("Kerberos V5: " 293 1.4 thorpej "krb5_sock_to_principal failed (%s)\r\n", 294 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 295 1.1 cgd return; 296 1.1 cgd } 297 1.4 thorpej ret = krb5_rd_req(telnet_context, &auth_context, &auth, 298 1.4 thorpej server, NULL, NULL, &ticket); 299 1.4 thorpej krb5_free_principal(telnet_context, server); 300 1.4 thorpej 301 1.4 thorpej if (ret) { 302 1.4 thorpej char *errbuf; 303 1.4 thorpej 304 1.4 thorpej asprintf(&errbuf, 305 1.4 thorpej "Read req failed: %s", 306 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 307 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 308 1.1 cgd if (auth_debug_mode) 309 1.4 thorpej printf("%s\r\n", errbuf); 310 1.4 thorpej free(errbuf); 311 1.1 cgd return; 312 1.4 thorpej } { 313 1.4 thorpej char foo[2]; 314 1.4 thorpej 315 1.4 thorpej foo[0] = ap->type; 316 1.4 thorpej foo[1] = ap->way; 317 1.4 thorpej 318 1.4 thorpej ret = krb5_verify_authenticator_checksum(telnet_context, 319 1.4 thorpej auth_context, foo, sizeof(foo)); 320 1.4 thorpej 321 1.4 thorpej if (ret) { 322 1.4 thorpej char *errbuf; 323 1.4 thorpej asprintf(&errbuf, "Bad checksum: %s", 324 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 325 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 326 1.4 thorpej if (auth_debug_mode) 327 1.4 thorpej printf("%s\r\n", errbuf); 328 1.4 thorpej free(errbuf); 329 1.4 thorpej return; 330 1.4 thorpej } 331 1.1 cgd } 332 1.4 thorpej ret = krb5_auth_con_getremotesubkey(telnet_context, 333 1.4 thorpej auth_context, &key_block); 334 1.1 cgd 335 1.4 thorpej if (ret) { 336 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); 337 1.4 thorpej auth_finished(ap, AUTH_REJECT); 338 1.1 cgd if (auth_debug_mode) 339 1.4 thorpej printf("Kerberos V5: " 340 1.4 thorpej "krb5_auth_con_getremotesubkey failed (%s)\r\n", 341 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 342 1.9 joda return; 343 1.9 joda } 344 1.9 joda if (key_block == NULL) { 345 1.10 thorpej ret = krb5_auth_con_getkey(telnet_context, 346 1.9 joda auth_context, 347 1.9 joda &key_block); 348 1.9 joda } 349 1.9 joda if (ret) { 350 1.9 joda Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); 351 1.9 joda auth_finished(ap, AUTH_REJECT); 352 1.9 joda if (auth_debug_mode) 353 1.9 joda printf("Kerberos V5: " 354 1.9 joda "krb5_auth_con_getkey failed (%s)\r\n", 355 1.10 thorpej krb5_get_err_text(telnet_context, ret)); 356 1.9 joda return; 357 1.9 joda } 358 1.9 joda if (key_block == NULL) { 359 1.9 joda Data(ap, KRB_REJECT, "no subkey received", -1); 360 1.9 joda auth_finished(ap, AUTH_REJECT); 361 1.9 joda if (auth_debug_mode) 362 1.9 joda printf("Kerberos V5: " 363 1.9 joda "krb5_auth_con_getremotesubkey returned NULL key\r\n"); 364 1.1 cgd return; 365 1.1 cgd } 366 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 367 1.4 thorpej ret = krb5_mk_rep(telnet_context, 368 1.7 assar auth_context, &outbuf); 369 1.4 thorpej if (ret) { 370 1.4 thorpej Data(ap, KRB_REJECT, 371 1.4 thorpej "krb5_mk_rep failed", -1); 372 1.4 thorpej auth_finished(ap, AUTH_REJECT); 373 1.4 thorpej if (auth_debug_mode) 374 1.4 thorpej printf("Kerberos V5: " 375 1.4 thorpej "krb5_mk_rep failed (%s)\r\n", 376 1.4 thorpej krb5_get_err_text(telnet_context, 377 1.4 thorpej ret)); 378 1.4 thorpej return; 379 1.4 thorpej } 380 1.4 thorpej Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 381 1.4 thorpej } 382 1.4 thorpej if (krb5_unparse_name(telnet_context, ticket->client, &name)) 383 1.1 cgd name = 0; 384 1.4 thorpej 385 1.4 thorpej if (UserNameRequested && krb5_kuserok(telnet_context, 386 1.4 thorpej ticket->client, UserNameRequested)) { 387 1.4 thorpej Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 388 1.4 thorpej if (auth_debug_mode) { 389 1.4 thorpej printf("Kerberos5 identifies him as ``%s''\r\n", 390 1.4 thorpej name ? name : ""); 391 1.4 thorpej } 392 1.4 thorpej if (key_block->keytype == ETYPE_DES_CBC_MD5 || 393 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_MD4 || 394 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_CRC) { 395 1.4 thorpej Session_Key skey; 396 1.4 thorpej 397 1.4 thorpej skey.type = SK_DES; 398 1.4 thorpej skey.length = 8; 399 1.4 thorpej skey.data = key_block->keyvalue.data; 400 1.4 thorpej encrypt_session_key(&skey, 0); 401 1.4 thorpej } 402 1.4 thorpej } else { 403 1.4 thorpej char *msg; 404 1.4 thorpej 405 1.4 thorpej asprintf(&msg, "user `%s' is not authorized to " 406 1.4 thorpej "login as `%s'", 407 1.4 thorpej name ? name : "<unknown>", 408 1.4 thorpej UserNameRequested ? UserNameRequested : "<nobody>"); 409 1.4 thorpej if (msg == NULL) 410 1.4 thorpej Data(ap, KRB_REJECT, NULL, 0); 411 1.4 thorpej else { 412 1.4 thorpej Data(ap, KRB_REJECT, (void *) msg, -1); 413 1.4 thorpej free(msg); 414 1.4 thorpej } 415 1.4 thorpej auth_finished(ap, AUTH_REJECT); 416 1.4 thorpej krb5_free_keyblock_contents(telnet_context, key_block); 417 1.4 thorpej break; 418 1.1 cgd } 419 1.4 thorpej auth_finished(ap, AUTH_USER); 420 1.4 thorpej krb5_free_keyblock_contents(telnet_context, key_block); 421 1.4 thorpej 422 1.1 cgd break; 423 1.4 thorpej case KRB_FORWARD:{ 424 1.13 christos struct passwd pws, *pwd; 425 1.13 christos char pwbuf[1024]; 426 1.4 thorpej char ccname[1024]; /* XXX */ 427 1.4 thorpej krb5_data inbuf; 428 1.4 thorpej krb5_ccache ccache; 429 1.4 thorpej inbuf.data = (char *) data; 430 1.4 thorpej inbuf.length = cnt; 431 1.4 thorpej 432 1.13 christos if (getpwnam_r(UserNameRequested, &pws, pwbuf, 433 1.14 christos sizeof(pwbuf), &pwd) != 0 || pwd == NULL) 434 1.4 thorpej break; 435 1.1 cgd 436 1.4 thorpej snprintf(ccname, sizeof(ccname), 437 1.4 thorpej "FILE:/tmp/krb5cc_%u", pwd->pw_uid); 438 1.1 cgd 439 1.4 thorpej ret = krb5_cc_resolve(telnet_context, ccname, &ccache); 440 1.4 thorpej if (ret) { 441 1.4 thorpej if (auth_debug_mode) 442 1.4 thorpej printf("Kerberos V5: could not get ccache: %s\r\n", 443 1.4 thorpej krb5_get_err_text(telnet_context, 444 1.4 thorpej ret)); 445 1.4 thorpej break; 446 1.4 thorpej } 447 1.4 thorpej ret = krb5_cc_initialize(telnet_context, ccache, 448 1.4 thorpej ticket->client); 449 1.4 thorpej if (ret) { 450 1.4 thorpej if (auth_debug_mode) 451 1.4 thorpej printf("Kerberos V5: could not init ccache: %s\r\n", 452 1.4 thorpej krb5_get_err_text(telnet_context, 453 1.4 thorpej ret)); 454 1.1 cgd break; 455 1.4 thorpej } 456 1.7 assar ret = krb5_rd_cred2(telnet_context, auth_context, 457 1.4 thorpej ccache, &inbuf); 458 1.4 thorpej if (ret) { 459 1.4 thorpej char *errbuf; 460 1.4 thorpej 461 1.4 thorpej asprintf(&errbuf, 462 1.4 thorpej "Read forwarded creds failed: %s", 463 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 464 1.4 thorpej if (errbuf == NULL) 465 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, NULL, 0); 466 1.4 thorpej else 467 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 468 1.4 thorpej if (auth_debug_mode) 469 1.4 thorpej printf("Could not read forwarded credentials: %s\r\n", 470 1.4 thorpej errbuf); 471 1.4 thorpej free(errbuf); 472 1.4 thorpej } else 473 1.4 thorpej Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 474 1.4 thorpej chown(ccname + 5, pwd->pw_uid, -1); 475 1.4 thorpej if (auth_debug_mode) 476 1.4 thorpej printf("Forwarded credentials obtained\r\n"); 477 1.4 thorpej break; 478 1.1 cgd } 479 1.1 cgd default: 480 1.1 cgd if (auth_debug_mode) 481 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 482 1.1 cgd Data(ap, KRB_REJECT, 0, 0); 483 1.1 cgd break; 484 1.1 cgd } 485 1.1 cgd } 486 1.1 cgd 487 1.4 thorpej void 488 1.4 thorpej kerberos5_reply(Authenticator * ap, unsigned char *data, int cnt) 489 1.1 cgd { 490 1.4 thorpej static int mutual_complete = 0; 491 1.1 cgd 492 1.1 cgd if (cnt-- < 1) 493 1.1 cgd return; 494 1.1 cgd switch (*data++) { 495 1.1 cgd case KRB_REJECT: 496 1.1 cgd if (cnt > 0) { 497 1.1 cgd printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 498 1.4 thorpej cnt, data); 499 1.1 cgd } else 500 1.1 cgd printf("[ Kerberos V5 refuses authentication ]\r\n"); 501 1.1 cgd auth_send_retry(); 502 1.1 cgd return; 503 1.4 thorpej case KRB_ACCEPT:{ 504 1.4 thorpej krb5_error_code ret; 505 1.4 thorpej Session_Key skey; 506 1.4 thorpej krb5_keyblock *keyblock; 507 1.4 thorpej 508 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 509 1.4 thorpej !mutual_complete) { 510 1.4 thorpej printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); 511 1.4 thorpej auth_send_retry(); 512 1.4 thorpej return; 513 1.4 thorpej } 514 1.4 thorpej if (cnt) 515 1.4 thorpej printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); 516 1.4 thorpej else 517 1.4 thorpej printf("[ Kerberos V5 accepts you ]\r\n"); 518 1.4 thorpej 519 1.4 thorpej ret = krb5_auth_con_getlocalsubkey(telnet_context, 520 1.4 thorpej auth_context, &keyblock); 521 1.4 thorpej if (ret) 522 1.4 thorpej ret = krb5_auth_con_getkey(telnet_context, 523 1.4 thorpej auth_context, &keyblock); 524 1.4 thorpej if (ret) { 525 1.4 thorpej printf("[ krb5_auth_con_getkey: %s ]\r\n", 526 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 527 1.4 thorpej auth_send_retry(); 528 1.4 thorpej return; 529 1.4 thorpej } 530 1.1 cgd skey.type = SK_DES; 531 1.1 cgd skey.length = 8; 532 1.4 thorpej skey.data = keyblock->keyvalue.data; 533 1.1 cgd encrypt_session_key(&skey, 0); 534 1.4 thorpej krb5_free_keyblock_contents(telnet_context, keyblock); 535 1.4 thorpej auth_finished(ap, AUTH_USER); 536 1.4 thorpej if (forward_flags & OPTS_FORWARD_CREDS) 537 1.4 thorpej kerberos5_forward(ap); 538 1.4 thorpej break; 539 1.1 cgd } 540 1.1 cgd case KRB_RESPONSE: 541 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 542 1.4 thorpej /* the rest of the reply should contain a krb_ap_rep */ 543 1.4 thorpej krb5_ap_rep_enc_part *reply; 544 1.4 thorpej krb5_data inbuf; 545 1.4 thorpej krb5_error_code ret; 546 1.4 thorpej 547 1.4 thorpej inbuf.length = cnt; 548 1.4 thorpej inbuf.data = (char *) data; 549 1.4 thorpej 550 1.4 thorpej ret = krb5_rd_rep(telnet_context, 551 1.4 thorpej auth_context, &inbuf, &reply); 552 1.4 thorpej if (ret) { 553 1.4 thorpej printf("[ Mutual authentication failed: %s ]\r\n", 554 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 555 1.4 thorpej auth_send_retry(); 556 1.4 thorpej return; 557 1.4 thorpej } 558 1.4 thorpej krb5_free_ap_rep_enc_part(telnet_context, reply); 559 1.4 thorpej mutual_complete = 1; 560 1.1 cgd } 561 1.4 thorpej return; 562 1.4 thorpej case KRB_FORWARD_ACCEPT: 563 1.4 thorpej printf("[ Kerberos V5 accepted forwarded credentials ]\r\n"); 564 1.4 thorpej return; 565 1.4 thorpej case KRB_FORWARD_REJECT: 566 1.4 thorpej printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 567 1.4 thorpej cnt, data); 568 1.4 thorpej return; 569 1.1 cgd default: 570 1.1 cgd if (auth_debug_mode) 571 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 572 1.1 cgd return; 573 1.1 cgd } 574 1.1 cgd } 575 1.1 cgd 576 1.4 thorpej int 577 1.11 itojun kerberos5_status(Authenticator *ap, char *name, size_t l, int level) 578 1.1 cgd { 579 1.1 cgd if (level < AUTH_USER) 580 1.4 thorpej return (level); 581 1.1 cgd 582 1.1 cgd if (UserNameRequested && 583 1.4 thorpej krb5_kuserok(telnet_context, ticket->client, UserNameRequested)) { 584 1.11 itojun strlcpy(name, UserNameRequested, l); 585 1.4 thorpej return (AUTH_VALID); 586 1.1 cgd } else 587 1.4 thorpej return (AUTH_USER); 588 1.1 cgd } 589 1.1 cgd #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 590 1.4 thorpej #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 591 1.1 cgd 592 1.4 thorpej void 593 1.4 thorpej kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 594 1.1 cgd { 595 1.4 thorpej int i; 596 1.1 cgd 597 1.4 thorpej buf[buflen - 1] = '\0'; /* make sure its NULL terminated */ 598 1.1 cgd buflen -= 1; 599 1.1 cgd 600 1.4 thorpej switch (data[3]) { 601 1.4 thorpej case KRB_REJECT: /* Rejected (reason might follow) */ 602 1.4 thorpej strlcpy((char *) buf, " REJECT ", buflen); 603 1.1 cgd goto common; 604 1.1 cgd 605 1.4 thorpej case KRB_ACCEPT: /* Accepted (name might follow) */ 606 1.4 thorpej strlcpy((char *) buf, " ACCEPT ", buflen); 607 1.4 thorpej common: 608 1.1 cgd BUMP(buf, buflen); 609 1.1 cgd if (cnt <= 4) 610 1.1 cgd break; 611 1.1 cgd ADDC(buf, buflen, '"'); 612 1.1 cgd for (i = 4; i < cnt; i++) 613 1.1 cgd ADDC(buf, buflen, data[i]); 614 1.1 cgd ADDC(buf, buflen, '"'); 615 1.1 cgd ADDC(buf, buflen, '\0'); 616 1.1 cgd break; 617 1.1 cgd 618 1.4 thorpej 619 1.4 thorpej case KRB_AUTH: /* Authentication data follows */ 620 1.4 thorpej strlcpy((char *) buf, " AUTH", buflen); 621 1.4 thorpej goto common2; 622 1.4 thorpej 623 1.4 thorpej case KRB_RESPONSE: 624 1.4 thorpej strlcpy((char *) buf, " RESPONSE", buflen); 625 1.1 cgd goto common2; 626 1.1 cgd 627 1.4 thorpej case KRB_FORWARD: /* Forwarded credentials follow */ 628 1.4 thorpej strlcpy((char *) buf, " FORWARD", buflen); 629 1.1 cgd goto common2; 630 1.1 cgd 631 1.4 thorpej case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 632 1.4 thorpej strlcpy((char *) buf, " FORWARD_ACCEPT", buflen); 633 1.4 thorpej goto common2; 634 1.4 thorpej 635 1.4 thorpej case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 636 1.4 thorpej /* (reason might follow) */ 637 1.4 thorpej strlcpy((char *) buf, " FORWARD_REJECT", buflen); 638 1.1 cgd goto common2; 639 1.1 cgd 640 1.1 cgd default: 641 1.4 thorpej snprintf(buf, buflen, " %d (unknown)", data[3]); 642 1.4 thorpej common2: 643 1.1 cgd BUMP(buf, buflen); 644 1.1 cgd for (i = 4; i < cnt; i++) { 645 1.4 thorpej snprintf(buf, buflen, " %d", data[i]); 646 1.1 cgd BUMP(buf, buflen); 647 1.1 cgd } 648 1.1 cgd break; 649 1.1 cgd } 650 1.1 cgd } 651 1.4 thorpej 652 1.4 thorpej void 653 1.4 thorpej kerberos5_forward(Authenticator * ap) 654 1.4 thorpej { 655 1.4 thorpej krb5_error_code ret; 656 1.4 thorpej krb5_ccache ccache; 657 1.4 thorpej krb5_creds creds; 658 1.4 thorpej krb5_kdc_flags flags; 659 1.4 thorpej krb5_data out_data; 660 1.4 thorpej krb5_principal principal; 661 1.4 thorpej 662 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 663 1.4 thorpej if (ret) { 664 1.4 thorpej if (auth_debug_mode) 665 1.4 thorpej printf("KerberosV5: could not get default ccache: %s\r\n", 666 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 667 1.4 thorpej return; 668 1.4 thorpej } 669 1.4 thorpej ret = krb5_cc_get_principal(telnet_context, ccache, &principal); 670 1.4 thorpej if (ret) { 671 1.4 thorpej if (auth_debug_mode) 672 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 673 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 674 1.4 thorpej return; 675 1.4 thorpej } 676 1.4 thorpej memset(&creds, 0, sizeof(creds)); 677 1.4 thorpej 678 1.4 thorpej creds.client = principal; 679 1.4 thorpej 680 1.4 thorpej ret = krb5_build_principal(telnet_context, &creds.server, 681 1.4 thorpej strlen(principal->realm), principal->realm, "krbtgt", 682 1.4 thorpej principal->realm, NULL); 683 1.4 thorpej 684 1.4 thorpej if (ret) { 685 1.4 thorpej if (auth_debug_mode) 686 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 687 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 688 1.4 thorpej return; 689 1.4 thorpej } 690 1.4 thorpej creds.times.endtime = 0; 691 1.4 thorpej 692 1.4 thorpej flags.i = 0; 693 1.4 thorpej flags.b.forwarded = 1; 694 1.4 thorpej if (forward_flags & OPTS_FORWARDABLE_CREDS) 695 1.4 thorpej flags.b.forwardable = 1; 696 1.4 thorpej 697 1.4 thorpej ret = krb5_get_forwarded_creds(telnet_context, auth_context, 698 1.4 thorpej ccache, flags.i, RemoteHostName, &creds, &out_data); 699 1.4 thorpej if (ret) { 700 1.4 thorpej if (auth_debug_mode) 701 1.4 thorpej printf("Kerberos V5: error getting forwarded creds: %s\r\n", 702 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 703 1.4 thorpej return; 704 1.4 thorpej } 705 1.4 thorpej if (!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) { 706 1.4 thorpej if (auth_debug_mode) 707 1.4 thorpej printf("Not enough room for authentication data\r\n"); 708 1.4 thorpej } else { 709 1.4 thorpej if (auth_debug_mode) 710 1.4 thorpej printf("Forwarded local Kerberos V5 credentials to server\r\n"); 711 1.4 thorpej } 712 1.4 thorpej } 713 1.4 thorpej #endif /* KRB5 */ 714
Indexes created Mon Sep 22 13:09:51 GMT 2025