kerberos5.c revision 1.19
1 1.19 christos /* $NetBSD: kerberos5.c,v 1.19 2012/01/09 15:25:33 christos Exp $ */ 2 1.4 thorpej 3 1.1 cgd /*- 4 1.4 thorpej * Copyright (c) 1991, 1993 5 1.4 thorpej * The Regents of the University of California. All rights reserved. 6 1.1 cgd * 7 1.1 cgd * Redistribution and use in source and binary forms, with or without 8 1.1 cgd * modification, are permitted provided that the following conditions 9 1.1 cgd * are met: 10 1.1 cgd * 1. Redistributions of source code must retain the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer. 12 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 cgd * notice, this list of conditions and the following disclaimer in the 14 1.1 cgd * documentation and/or other materials provided with the distribution. 15 1.12 agc * 3. Neither the name of the University nor the names of its contributors 16 1.1 cgd * may be used to endorse or promote products derived from this software 17 1.1 cgd * without specific prior written permission. 18 1.1 cgd * 19 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 1.1 cgd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 1.1 cgd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 1.1 cgd * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 1.1 cgd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 1.1 cgd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 1.1 cgd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 1.1 cgd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 1.1 cgd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 1.1 cgd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 1.1 cgd * SUCH DAMAGE. 30 1.1 cgd */ 31 1.1 cgd 32 1.1 cgd /* 33 1.1 cgd * Copyright (C) 1990 by the Massachusetts Institute of Technology 34 1.1 cgd * 35 1.4 thorpej * Export of this software from the United States of America may 36 1.4 thorpej * require a specific license from the United States Government. 37 1.1 cgd * It is the responsibility of any person or organization contemplating 38 1.1 cgd * export to obtain such a license before exporting. 39 1.1 cgd * 40 1.1 cgd * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 41 1.1 cgd * distribute this software and its documentation for any purpose and 42 1.1 cgd * without fee is hereby granted, provided that the above copyright 43 1.1 cgd * notice appear in all copies and that both that copyright notice and 44 1.1 cgd * this permission notice appear in supporting documentation, and that 45 1.1 cgd * the name of M.I.T. not be used in advertising or publicity pertaining 46 1.1 cgd * to distribution of the software without specific, written prior 47 1.1 cgd * permission. M.I.T. makes no representations about the suitability of 48 1.1 cgd * this software for any purpose. It is provided "as is" without express 49 1.1 cgd * or implied warranty. 50 1.1 cgd */ 51 1.1 cgd 52 1.1 cgd #ifdef KRB5 53 1.1 cgd #include <arpa/telnet.h> 54 1.1 cgd #include <stdio.h> 55 1.4 thorpej #include <stdlib.h> 56 1.4 thorpej #include <string.h> 57 1.4 thorpej #include <unistd.h> 58 1.1 cgd #include <netdb.h> 59 1.1 cgd #include <ctype.h> 60 1.4 thorpej #include <pwd.h> 61 1.4 thorpej #define Authenticator k5_Authenticator 62 1.4 thorpej #include <krb5.h> 63 1.4 thorpej #undef Authenticator 64 1.4 thorpej /* #include <roken.h> */ 65 1.1 cgd 66 1.1 cgd #include "encrypt.h" 67 1.1 cgd #include "auth.h" 68 1.1 cgd #include "misc.h" 69 1.1 cgd 70 1.6 christos extern int net; 71 1.6 christos 72 1.4 thorpej int forward_flags; /* Flags get set in telnet/main.c on -f and -F */ 73 1.4 thorpej int got_forwarded_creds;/* Tell telnetd to pass -F or -f to login. */ 74 1.1 cgd 75 1.4 thorpej int require_hwpreauth; 76 1.1 cgd 77 1.18 elric const char *get_krb5_err_text(krb5_context, krb5_error_code); 78 1.4 thorpej void kerberos5_forward(Authenticator *); 79 1.4 thorpej 80 1.4 thorpej static unsigned char str_data[1024] = {IAC, SB, TELOPT_AUTHENTICATION, 0, 81 1.4 thorpej AUTHTYPE_KERBEROS_V5,}; 82 1.4 thorpej 83 1.4 thorpej #define KRB_AUTH 0 /* Authentication data follows */ 84 1.4 thorpej #define KRB_REJECT 1 /* Rejected (reason might follow) */ 85 1.4 thorpej #define KRB_ACCEPT 2 /* Accepted */ 86 1.4 thorpej #define KRB_RESPONSE 3 /* Response for mutual auth. */ 87 1.4 thorpej 88 1.4 thorpej #define KRB_FORWARD 4 /* Forwarded credentials follow */ 89 1.4 thorpej #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 90 1.4 thorpej #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 91 1.4 thorpej 92 1.4 thorpej static krb5_data auth; 93 1.4 thorpej static krb5_ticket *ticket; 94 1.4 thorpej 95 1.4 thorpej krb5_context telnet_context; 96 1.4 thorpej static krb5_auth_context auth_context; 97 1.4 thorpej 98 1.4 thorpej static int 99 1.19 christos Data(Authenticator *ap, int type, const void *d, int c) 100 1.1 cgd { 101 1.4 thorpej unsigned char *p = str_data + 4; 102 1.19 christos const unsigned char *cd = (const unsigned char *) d; 103 1.1 cgd 104 1.1 cgd if (c == -1) 105 1.4 thorpej c = strlen(cd); 106 1.1 cgd 107 1.4 thorpej if (auth_debug_mode) { 108 1.4 thorpej printf("%s:%d: [%d] (%d)", 109 1.4 thorpej str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 110 1.4 thorpej str_data[3], 111 1.4 thorpej type, c); 112 1.4 thorpej printd(d, c); 113 1.4 thorpej printf("\r\n"); 114 1.4 thorpej } 115 1.1 cgd *p++ = ap->type; 116 1.1 cgd *p++ = ap->way; 117 1.1 cgd *p++ = type; 118 1.4 thorpej while (c-- > 0) { 119 1.4 thorpej if ((*p++ = *cd++) == IAC) 120 1.4 thorpej *p++ = IAC; 121 1.4 thorpej } 122 1.4 thorpej *p++ = IAC; 123 1.4 thorpej *p++ = SE; 124 1.1 cgd if (str_data[3] == TELQUAL_IS) 125 1.1 cgd printsub('>', &str_data[2], p - &str_data[2]); 126 1.4 thorpej return (telnet_net_write(str_data, p - str_data)); 127 1.1 cgd } 128 1.1 cgd 129 1.18 elric const char * 130 1.18 elric get_krb5_err_text(krb5_context ctx, krb5_error_code ret) 131 1.18 elric { 132 1.18 elric static const char *str = NULL; 133 1.18 elric 134 1.18 elric if (str) 135 1.18 elric krb5_free_error_message(ctx, str); 136 1.18 elric 137 1.18 elric str = krb5_get_error_message(ctx, ret); 138 1.18 elric 139 1.18 elric if (str != NULL) 140 1.18 elric return str; 141 1.18 elric 142 1.18 elric return "unknown"; 143 1.18 elric } 144 1.18 elric 145 1.4 thorpej int 146 1.4 thorpej kerberos5_init(Authenticator *ap, int server) 147 1.1 cgd { 148 1.5 thorpej krb5_error_code ret; 149 1.4 thorpej 150 1.5 thorpej if (telnet_context == 0) { 151 1.5 thorpej ret = krb5_init_context(&telnet_context); 152 1.5 thorpej if (ret) 153 1.5 thorpej return 0; 154 1.5 thorpej } 155 1.4 thorpej 156 1.4 thorpej if (server) { 157 1.4 thorpej krb5_keytab kt; 158 1.4 thorpej krb5_kt_cursor cursor; 159 1.4 thorpej 160 1.4 thorpej ret = krb5_kt_default(telnet_context, &kt); 161 1.4 thorpej if (ret) 162 1.4 thorpej return 0; 163 1.4 thorpej 164 1.4 thorpej ret = krb5_kt_start_seq_get(telnet_context, kt, &cursor); 165 1.4 thorpej if (ret) { 166 1.4 thorpej krb5_kt_close(telnet_context, kt); 167 1.4 thorpej return 0; 168 1.4 thorpej } 169 1.4 thorpej krb5_kt_end_seq_get(telnet_context, kt, &cursor); 170 1.4 thorpej krb5_kt_close(telnet_context, kt); 171 1.4 thorpej 172 1.1 cgd str_data[3] = TELQUAL_REPLY; 173 1.4 thorpej } else 174 1.1 cgd str_data[3] = TELQUAL_IS; 175 1.4 thorpej return (1); 176 1.1 cgd } 177 1.1 cgd 178 1.4 thorpej int 179 1.4 thorpej kerberos5_send(Authenticator *ap) 180 1.1 cgd { 181 1.4 thorpej krb5_error_code ret; 182 1.1 cgd krb5_ccache ccache; 183 1.4 thorpej int ap_opts; 184 1.4 thorpej krb5_data cksum_data; 185 1.4 thorpej char foo[2]; 186 1.1 cgd 187 1.4 thorpej printf("[ Trying KERBEROS5 ... ]\r\n"); 188 1.1 cgd 189 1.4 thorpej if (!UserNameRequested) { 190 1.1 cgd if (auth_debug_mode) { 191 1.4 thorpej printf("Kerberos V5: no user name supplied\r\n"); 192 1.1 cgd } 193 1.4 thorpej return (0); 194 1.1 cgd } 195 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 196 1.4 thorpej if (ret) { 197 1.1 cgd if (auth_debug_mode) { 198 1.4 thorpej printf( 199 1.4 thorpej "Kerberos V5: could not get default ccache: %s\r\n", 200 1.18 elric get_krb5_err_text(telnet_context, ret)); 201 1.1 cgd } 202 1.4 thorpej return (0); 203 1.1 cgd } 204 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 205 1.4 thorpej ap_opts = AP_OPTS_MUTUAL_REQUIRED; 206 1.4 thorpej else 207 1.4 thorpej ap_opts = 0; 208 1.1 cgd 209 1.9 joda ap_opts |= AP_OPTS_USE_SUBKEY; 210 1.9 joda 211 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 212 1.4 thorpej if (ret) { 213 1.1 cgd if (auth_debug_mode) { 214 1.4 thorpej printf( 215 1.4 thorpej "Kerberos V5: krb5_auth_con_init failed: %s\r\n", 216 1.18 elric get_krb5_err_text(telnet_context, ret)); 217 1.4 thorpej } 218 1.4 thorpej return (0); 219 1.4 thorpej } 220 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 221 1.4 thorpej auth_context, &net); 222 1.4 thorpej if (ret) { 223 1.4 thorpej if (auth_debug_mode) { 224 1.4 thorpej printf("Kerberos V5: " 225 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed: %s\r\n", 226 1.18 elric get_krb5_err_text(telnet_context, ret)); 227 1.1 cgd } 228 1.4 thorpej return (0); 229 1.1 cgd } 230 1.8 assar krb5_auth_con_setkeytype(telnet_context, auth_context, KEYTYPE_DES); 231 1.1 cgd 232 1.4 thorpej foo[0] = ap->type; 233 1.4 thorpej foo[1] = ap->way; 234 1.1 cgd 235 1.4 thorpej cksum_data.length = sizeof(foo); 236 1.4 thorpej cksum_data.data = foo; 237 1.4 thorpej ret = krb5_mk_req(telnet_context, &auth_context, ap_opts, "host", 238 1.4 thorpej RemoteHostName, &cksum_data, ccache, &auth); 239 1.4 thorpej if (ret) { 240 1.4 thorpej if (1 || auth_debug_mode) { 241 1.4 thorpej printf("Kerberos V5: mk_req failed (%s)\r\n", 242 1.18 elric get_krb5_err_text(telnet_context, ret)); 243 1.1 cgd } 244 1.4 thorpej return (0); 245 1.1 cgd } 246 1.1 cgd 247 1.4 thorpej if (!auth_sendname((unsigned char *) UserNameRequested, 248 1.4 thorpej strlen(UserNameRequested))) { 249 1.4 thorpej if (auth_debug_mode) 250 1.4 thorpej printf("Not enough room for user name\r\n"); 251 1.4 thorpej return (0); 252 1.4 thorpej } 253 1.1 cgd if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 254 1.1 cgd if (auth_debug_mode) 255 1.1 cgd printf("Not enough room for authentication data\r\n"); 256 1.4 thorpej return (0); 257 1.1 cgd } 258 1.1 cgd if (auth_debug_mode) { 259 1.1 cgd printf("Sent Kerberos V5 credentials to server\r\n"); 260 1.1 cgd } 261 1.4 thorpej return (1); 262 1.1 cgd } 263 1.1 cgd 264 1.4 thorpej void 265 1.4 thorpej kerberos5_is(Authenticator * ap, unsigned char *data, int cnt) 266 1.1 cgd { 267 1.4 thorpej krb5_error_code ret; 268 1.4 thorpej krb5_data outbuf; 269 1.4 thorpej krb5_keyblock *key_block; 270 1.1 cgd char *name; 271 1.4 thorpej krb5_principal server; 272 1.4 thorpej int zero = 0; 273 1.1 cgd 274 1.1 cgd if (cnt-- < 1) 275 1.1 cgd return; 276 1.1 cgd switch (*data++) { 277 1.1 cgd case KRB_AUTH: 278 1.4 thorpej auth.data = (char *) data; 279 1.1 cgd auth.length = cnt; 280 1.1 cgd 281 1.4 thorpej auth_context = NULL; 282 1.4 thorpej 283 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 284 1.4 thorpej if (ret) { 285 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); 286 1.4 thorpej auth_finished(ap, AUTH_REJECT); 287 1.1 cgd if (auth_debug_mode) 288 1.4 thorpej printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", 289 1.18 elric get_krb5_err_text(telnet_context, ret)); 290 1.4 thorpej return; 291 1.4 thorpej } 292 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 293 1.4 thorpej auth_context, &zero); 294 1.4 thorpej if (ret) { 295 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); 296 1.1 cgd auth_finished(ap, AUTH_REJECT); 297 1.4 thorpej if (auth_debug_mode) 298 1.4 thorpej printf("Kerberos V5: " 299 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", 300 1.18 elric get_krb5_err_text(telnet_context, ret)); 301 1.1 cgd return; 302 1.1 cgd } 303 1.4 thorpej ret = krb5_sock_to_principal(telnet_context, 0, "host", 304 1.4 thorpej KRB5_NT_SRV_HST, &server); 305 1.4 thorpej if (ret) { 306 1.4 thorpej Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); 307 1.4 thorpej auth_finished(ap, AUTH_REJECT); 308 1.1 cgd if (auth_debug_mode) 309 1.4 thorpej printf("Kerberos V5: " 310 1.4 thorpej "krb5_sock_to_principal failed (%s)\r\n", 311 1.18 elric get_krb5_err_text(telnet_context, ret)); 312 1.1 cgd return; 313 1.1 cgd } 314 1.4 thorpej ret = krb5_rd_req(telnet_context, &auth_context, &auth, 315 1.4 thorpej server, NULL, NULL, &ticket); 316 1.4 thorpej krb5_free_principal(telnet_context, server); 317 1.4 thorpej 318 1.4 thorpej if (ret) { 319 1.4 thorpej char *errbuf; 320 1.4 thorpej 321 1.4 thorpej asprintf(&errbuf, 322 1.4 thorpej "Read req failed: %s", 323 1.18 elric get_krb5_err_text(telnet_context, ret)); 324 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 325 1.1 cgd if (auth_debug_mode) 326 1.4 thorpej printf("%s\r\n", errbuf); 327 1.4 thorpej free(errbuf); 328 1.1 cgd return; 329 1.4 thorpej } { 330 1.4 thorpej char foo[2]; 331 1.4 thorpej 332 1.4 thorpej foo[0] = ap->type; 333 1.4 thorpej foo[1] = ap->way; 334 1.4 thorpej 335 1.4 thorpej ret = krb5_verify_authenticator_checksum(telnet_context, 336 1.4 thorpej auth_context, foo, sizeof(foo)); 337 1.4 thorpej 338 1.4 thorpej if (ret) { 339 1.4 thorpej char *errbuf; 340 1.4 thorpej asprintf(&errbuf, "Bad checksum: %s", 341 1.18 elric get_krb5_err_text(telnet_context, ret)); 342 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 343 1.4 thorpej if (auth_debug_mode) 344 1.4 thorpej printf("%s\r\n", errbuf); 345 1.4 thorpej free(errbuf); 346 1.4 thorpej return; 347 1.4 thorpej } 348 1.1 cgd } 349 1.4 thorpej ret = krb5_auth_con_getremotesubkey(telnet_context, 350 1.4 thorpej auth_context, &key_block); 351 1.1 cgd 352 1.4 thorpej if (ret) { 353 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); 354 1.4 thorpej auth_finished(ap, AUTH_REJECT); 355 1.1 cgd if (auth_debug_mode) 356 1.4 thorpej printf("Kerberos V5: " 357 1.4 thorpej "krb5_auth_con_getremotesubkey failed (%s)\r\n", 358 1.18 elric get_krb5_err_text(telnet_context, ret)); 359 1.9 joda return; 360 1.9 joda } 361 1.9 joda if (key_block == NULL) { 362 1.10 thorpej ret = krb5_auth_con_getkey(telnet_context, 363 1.9 joda auth_context, 364 1.9 joda &key_block); 365 1.9 joda } 366 1.9 joda if (ret) { 367 1.9 joda Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); 368 1.9 joda auth_finished(ap, AUTH_REJECT); 369 1.9 joda if (auth_debug_mode) 370 1.9 joda printf("Kerberos V5: " 371 1.9 joda "krb5_auth_con_getkey failed (%s)\r\n", 372 1.18 elric get_krb5_err_text(telnet_context, ret)); 373 1.9 joda return; 374 1.9 joda } 375 1.9 joda if (key_block == NULL) { 376 1.9 joda Data(ap, KRB_REJECT, "no subkey received", -1); 377 1.9 joda auth_finished(ap, AUTH_REJECT); 378 1.9 joda if (auth_debug_mode) 379 1.9 joda printf("Kerberos V5: " 380 1.9 joda "krb5_auth_con_getremotesubkey returned NULL key\r\n"); 381 1.1 cgd return; 382 1.1 cgd } 383 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 384 1.4 thorpej ret = krb5_mk_rep(telnet_context, 385 1.7 assar auth_context, &outbuf); 386 1.4 thorpej if (ret) { 387 1.4 thorpej Data(ap, KRB_REJECT, 388 1.4 thorpej "krb5_mk_rep failed", -1); 389 1.4 thorpej auth_finished(ap, AUTH_REJECT); 390 1.4 thorpej if (auth_debug_mode) 391 1.4 thorpej printf("Kerberos V5: " 392 1.4 thorpej "krb5_mk_rep failed (%s)\r\n", 393 1.18 elric get_krb5_err_text(telnet_context, 394 1.4 thorpej ret)); 395 1.17 christos krb5_free_keyblock(telnet_context, key_block); 396 1.4 thorpej return; 397 1.4 thorpej } 398 1.4 thorpej Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 399 1.4 thorpej } 400 1.4 thorpej if (krb5_unparse_name(telnet_context, ticket->client, &name)) 401 1.1 cgd name = 0; 402 1.4 thorpej 403 1.4 thorpej if (UserNameRequested && krb5_kuserok(telnet_context, 404 1.4 thorpej ticket->client, UserNameRequested)) { 405 1.16 christos Data(ap, KRB_ACCEPT, name ? name : "", name ? -1 : 0); 406 1.4 thorpej if (auth_debug_mode) { 407 1.4 thorpej printf("Kerberos5 identifies him as ``%s''\r\n", 408 1.4 thorpej name ? name : ""); 409 1.4 thorpej } 410 1.4 thorpej if (key_block->keytype == ETYPE_DES_CBC_MD5 || 411 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_MD4 || 412 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_CRC) { 413 1.4 thorpej Session_Key skey; 414 1.4 thorpej 415 1.4 thorpej skey.type = SK_DES; 416 1.4 thorpej skey.length = 8; 417 1.4 thorpej skey.data = key_block->keyvalue.data; 418 1.4 thorpej encrypt_session_key(&skey, 0); 419 1.4 thorpej } 420 1.4 thorpej } else { 421 1.4 thorpej char *msg; 422 1.4 thorpej 423 1.4 thorpej asprintf(&msg, "user `%s' is not authorized to " 424 1.4 thorpej "login as `%s'", 425 1.4 thorpej name ? name : "<unknown>", 426 1.4 thorpej UserNameRequested ? UserNameRequested : "<nobody>"); 427 1.4 thorpej if (msg == NULL) 428 1.4 thorpej Data(ap, KRB_REJECT, NULL, 0); 429 1.4 thorpej else { 430 1.4 thorpej Data(ap, KRB_REJECT, (void *) msg, -1); 431 1.4 thorpej free(msg); 432 1.4 thorpej } 433 1.4 thorpej auth_finished(ap, AUTH_REJECT); 434 1.17 christos krb5_free_keyblock(telnet_context, key_block); 435 1.4 thorpej break; 436 1.1 cgd } 437 1.4 thorpej auth_finished(ap, AUTH_USER); 438 1.17 christos krb5_free_keyblock(telnet_context, key_block); 439 1.1 cgd break; 440 1.4 thorpej case KRB_FORWARD:{ 441 1.13 christos struct passwd pws, *pwd; 442 1.13 christos char pwbuf[1024]; 443 1.4 thorpej char ccname[1024]; /* XXX */ 444 1.4 thorpej krb5_data inbuf; 445 1.4 thorpej krb5_ccache ccache; 446 1.4 thorpej inbuf.data = (char *) data; 447 1.4 thorpej inbuf.length = cnt; 448 1.4 thorpej 449 1.13 christos if (getpwnam_r(UserNameRequested, &pws, pwbuf, 450 1.14 christos sizeof(pwbuf), &pwd) != 0 || pwd == NULL) 451 1.4 thorpej break; 452 1.1 cgd 453 1.4 thorpej snprintf(ccname, sizeof(ccname), 454 1.4 thorpej "FILE:/tmp/krb5cc_%u", pwd->pw_uid); 455 1.1 cgd 456 1.4 thorpej ret = krb5_cc_resolve(telnet_context, ccname, &ccache); 457 1.4 thorpej if (ret) { 458 1.4 thorpej if (auth_debug_mode) 459 1.4 thorpej printf("Kerberos V5: could not get ccache: %s\r\n", 460 1.18 elric get_krb5_err_text(telnet_context, 461 1.4 thorpej ret)); 462 1.4 thorpej break; 463 1.4 thorpej } 464 1.4 thorpej ret = krb5_cc_initialize(telnet_context, ccache, 465 1.4 thorpej ticket->client); 466 1.4 thorpej if (ret) { 467 1.4 thorpej if (auth_debug_mode) 468 1.4 thorpej printf("Kerberos V5: could not init ccache: %s\r\n", 469 1.18 elric get_krb5_err_text(telnet_context, 470 1.4 thorpej ret)); 471 1.1 cgd break; 472 1.4 thorpej } 473 1.7 assar ret = krb5_rd_cred2(telnet_context, auth_context, 474 1.4 thorpej ccache, &inbuf); 475 1.4 thorpej if (ret) { 476 1.4 thorpej char *errbuf; 477 1.4 thorpej 478 1.4 thorpej asprintf(&errbuf, 479 1.4 thorpej "Read forwarded creds failed: %s", 480 1.18 elric get_krb5_err_text(telnet_context, ret)); 481 1.4 thorpej if (errbuf == NULL) 482 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, NULL, 0); 483 1.4 thorpej else 484 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 485 1.4 thorpej if (auth_debug_mode) 486 1.4 thorpej printf("Could not read forwarded credentials: %s\r\n", 487 1.4 thorpej errbuf); 488 1.4 thorpej free(errbuf); 489 1.4 thorpej } else 490 1.4 thorpej Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 491 1.4 thorpej chown(ccname + 5, pwd->pw_uid, -1); 492 1.4 thorpej if (auth_debug_mode) 493 1.4 thorpej printf("Forwarded credentials obtained\r\n"); 494 1.4 thorpej break; 495 1.1 cgd } 496 1.1 cgd default: 497 1.1 cgd if (auth_debug_mode) 498 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 499 1.1 cgd Data(ap, KRB_REJECT, 0, 0); 500 1.1 cgd break; 501 1.1 cgd } 502 1.1 cgd } 503 1.1 cgd 504 1.4 thorpej void 505 1.4 thorpej kerberos5_reply(Authenticator * ap, unsigned char *data, int cnt) 506 1.1 cgd { 507 1.4 thorpej static int mutual_complete = 0; 508 1.1 cgd 509 1.1 cgd if (cnt-- < 1) 510 1.1 cgd return; 511 1.1 cgd switch (*data++) { 512 1.1 cgd case KRB_REJECT: 513 1.1 cgd if (cnt > 0) { 514 1.1 cgd printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 515 1.4 thorpej cnt, data); 516 1.1 cgd } else 517 1.1 cgd printf("[ Kerberos V5 refuses authentication ]\r\n"); 518 1.1 cgd auth_send_retry(); 519 1.1 cgd return; 520 1.4 thorpej case KRB_ACCEPT:{ 521 1.4 thorpej krb5_error_code ret; 522 1.4 thorpej Session_Key skey; 523 1.4 thorpej krb5_keyblock *keyblock; 524 1.4 thorpej 525 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 526 1.4 thorpej !mutual_complete) { 527 1.4 thorpej printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); 528 1.4 thorpej auth_send_retry(); 529 1.4 thorpej return; 530 1.4 thorpej } 531 1.4 thorpej if (cnt) 532 1.4 thorpej printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); 533 1.4 thorpej else 534 1.4 thorpej printf("[ Kerberos V5 accepts you ]\r\n"); 535 1.4 thorpej 536 1.4 thorpej ret = krb5_auth_con_getlocalsubkey(telnet_context, 537 1.4 thorpej auth_context, &keyblock); 538 1.4 thorpej if (ret) 539 1.4 thorpej ret = krb5_auth_con_getkey(telnet_context, 540 1.4 thorpej auth_context, &keyblock); 541 1.4 thorpej if (ret) { 542 1.4 thorpej printf("[ krb5_auth_con_getkey: %s ]\r\n", 543 1.18 elric get_krb5_err_text(telnet_context, ret)); 544 1.4 thorpej auth_send_retry(); 545 1.4 thorpej return; 546 1.4 thorpej } 547 1.1 cgd skey.type = SK_DES; 548 1.1 cgd skey.length = 8; 549 1.4 thorpej skey.data = keyblock->keyvalue.data; 550 1.1 cgd encrypt_session_key(&skey, 0); 551 1.15 christos krb5_free_keyblock(telnet_context, keyblock); 552 1.4 thorpej auth_finished(ap, AUTH_USER); 553 1.4 thorpej if (forward_flags & OPTS_FORWARD_CREDS) 554 1.4 thorpej kerberos5_forward(ap); 555 1.4 thorpej break; 556 1.1 cgd } 557 1.1 cgd case KRB_RESPONSE: 558 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 559 1.4 thorpej /* the rest of the reply should contain a krb_ap_rep */ 560 1.4 thorpej krb5_ap_rep_enc_part *reply; 561 1.4 thorpej krb5_data inbuf; 562 1.4 thorpej krb5_error_code ret; 563 1.4 thorpej 564 1.4 thorpej inbuf.length = cnt; 565 1.4 thorpej inbuf.data = (char *) data; 566 1.4 thorpej 567 1.4 thorpej ret = krb5_rd_rep(telnet_context, 568 1.4 thorpej auth_context, &inbuf, &reply); 569 1.4 thorpej if (ret) { 570 1.4 thorpej printf("[ Mutual authentication failed: %s ]\r\n", 571 1.18 elric get_krb5_err_text(telnet_context, ret)); 572 1.4 thorpej auth_send_retry(); 573 1.4 thorpej return; 574 1.4 thorpej } 575 1.4 thorpej krb5_free_ap_rep_enc_part(telnet_context, reply); 576 1.4 thorpej mutual_complete = 1; 577 1.1 cgd } 578 1.4 thorpej return; 579 1.4 thorpej case KRB_FORWARD_ACCEPT: 580 1.4 thorpej printf("[ Kerberos V5 accepted forwarded credentials ]\r\n"); 581 1.4 thorpej return; 582 1.4 thorpej case KRB_FORWARD_REJECT: 583 1.4 thorpej printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 584 1.4 thorpej cnt, data); 585 1.4 thorpej return; 586 1.1 cgd default: 587 1.1 cgd if (auth_debug_mode) 588 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 589 1.1 cgd return; 590 1.1 cgd } 591 1.1 cgd } 592 1.1 cgd 593 1.4 thorpej int 594 1.11 itojun kerberos5_status(Authenticator *ap, char *name, size_t l, int level) 595 1.1 cgd { 596 1.1 cgd if (level < AUTH_USER) 597 1.4 thorpej return (level); 598 1.1 cgd 599 1.1 cgd if (UserNameRequested && 600 1.4 thorpej krb5_kuserok(telnet_context, ticket->client, UserNameRequested)) { 601 1.11 itojun strlcpy(name, UserNameRequested, l); 602 1.4 thorpej return (AUTH_VALID); 603 1.1 cgd } else 604 1.4 thorpej return (AUTH_USER); 605 1.1 cgd } 606 1.1 cgd #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 607 1.4 thorpej #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 608 1.1 cgd 609 1.4 thorpej void 610 1.4 thorpej kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 611 1.1 cgd { 612 1.4 thorpej int i; 613 1.1 cgd 614 1.4 thorpej buf[buflen - 1] = '\0'; /* make sure its NULL terminated */ 615 1.1 cgd buflen -= 1; 616 1.1 cgd 617 1.4 thorpej switch (data[3]) { 618 1.4 thorpej case KRB_REJECT: /* Rejected (reason might follow) */ 619 1.4 thorpej strlcpy((char *) buf, " REJECT ", buflen); 620 1.1 cgd goto common; 621 1.1 cgd 622 1.4 thorpej case KRB_ACCEPT: /* Accepted (name might follow) */ 623 1.4 thorpej strlcpy((char *) buf, " ACCEPT ", buflen); 624 1.4 thorpej common: 625 1.1 cgd BUMP(buf, buflen); 626 1.1 cgd if (cnt <= 4) 627 1.1 cgd break; 628 1.1 cgd ADDC(buf, buflen, '"'); 629 1.1 cgd for (i = 4; i < cnt; i++) 630 1.1 cgd ADDC(buf, buflen, data[i]); 631 1.1 cgd ADDC(buf, buflen, '"'); 632 1.1 cgd ADDC(buf, buflen, '\0'); 633 1.1 cgd break; 634 1.1 cgd 635 1.4 thorpej 636 1.4 thorpej case KRB_AUTH: /* Authentication data follows */ 637 1.4 thorpej strlcpy((char *) buf, " AUTH", buflen); 638 1.4 thorpej goto common2; 639 1.4 thorpej 640 1.4 thorpej case KRB_RESPONSE: 641 1.4 thorpej strlcpy((char *) buf, " RESPONSE", buflen); 642 1.1 cgd goto common2; 643 1.1 cgd 644 1.4 thorpej case KRB_FORWARD: /* Forwarded credentials follow */ 645 1.4 thorpej strlcpy((char *) buf, " FORWARD", buflen); 646 1.1 cgd goto common2; 647 1.1 cgd 648 1.4 thorpej case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 649 1.4 thorpej strlcpy((char *) buf, " FORWARD_ACCEPT", buflen); 650 1.4 thorpej goto common2; 651 1.4 thorpej 652 1.4 thorpej case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 653 1.4 thorpej /* (reason might follow) */ 654 1.4 thorpej strlcpy((char *) buf, " FORWARD_REJECT", buflen); 655 1.1 cgd goto common2; 656 1.1 cgd 657 1.1 cgd default: 658 1.4 thorpej snprintf(buf, buflen, " %d (unknown)", data[3]); 659 1.4 thorpej common2: 660 1.1 cgd BUMP(buf, buflen); 661 1.1 cgd for (i = 4; i < cnt; i++) { 662 1.4 thorpej snprintf(buf, buflen, " %d", data[i]); 663 1.1 cgd BUMP(buf, buflen); 664 1.1 cgd } 665 1.1 cgd break; 666 1.1 cgd } 667 1.1 cgd } 668 1.4 thorpej 669 1.4 thorpej void 670 1.4 thorpej kerberos5_forward(Authenticator * ap) 671 1.4 thorpej { 672 1.4 thorpej krb5_error_code ret; 673 1.4 thorpej krb5_ccache ccache; 674 1.4 thorpej krb5_creds creds; 675 1.4 thorpej krb5_kdc_flags flags; 676 1.4 thorpej krb5_data out_data; 677 1.4 thorpej krb5_principal principal; 678 1.4 thorpej 679 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 680 1.4 thorpej if (ret) { 681 1.4 thorpej if (auth_debug_mode) 682 1.4 thorpej printf("KerberosV5: could not get default ccache: %s\r\n", 683 1.18 elric get_krb5_err_text(telnet_context, ret)); 684 1.4 thorpej return; 685 1.4 thorpej } 686 1.4 thorpej ret = krb5_cc_get_principal(telnet_context, ccache, &principal); 687 1.4 thorpej if (ret) { 688 1.4 thorpej if (auth_debug_mode) 689 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 690 1.18 elric get_krb5_err_text(telnet_context, ret)); 691 1.4 thorpej return; 692 1.4 thorpej } 693 1.4 thorpej memset(&creds, 0, sizeof(creds)); 694 1.4 thorpej 695 1.4 thorpej creds.client = principal; 696 1.4 thorpej 697 1.4 thorpej ret = krb5_build_principal(telnet_context, &creds.server, 698 1.4 thorpej strlen(principal->realm), principal->realm, "krbtgt", 699 1.4 thorpej principal->realm, NULL); 700 1.4 thorpej 701 1.4 thorpej if (ret) { 702 1.4 thorpej if (auth_debug_mode) 703 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 704 1.18 elric get_krb5_err_text(telnet_context, ret)); 705 1.4 thorpej return; 706 1.4 thorpej } 707 1.4 thorpej creds.times.endtime = 0; 708 1.4 thorpej 709 1.4 thorpej flags.i = 0; 710 1.4 thorpej flags.b.forwarded = 1; 711 1.4 thorpej if (forward_flags & OPTS_FORWARDABLE_CREDS) 712 1.4 thorpej flags.b.forwardable = 1; 713 1.4 thorpej 714 1.4 thorpej ret = krb5_get_forwarded_creds(telnet_context, auth_context, 715 1.4 thorpej ccache, flags.i, RemoteHostName, &creds, &out_data); 716 1.4 thorpej if (ret) { 717 1.4 thorpej if (auth_debug_mode) 718 1.4 thorpej printf("Kerberos V5: error getting forwarded creds: %s\r\n", 719 1.18 elric get_krb5_err_text(telnet_context, ret)); 720 1.4 thorpej return; 721 1.4 thorpej } 722 1.4 thorpej if (!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) { 723 1.4 thorpej if (auth_debug_mode) 724 1.4 thorpej printf("Not enough room for authentication data\r\n"); 725 1.4 thorpej } else { 726 1.4 thorpej if (auth_debug_mode) 727 1.4 thorpej printf("Forwarded local Kerberos V5 credentials to server\r\n"); 728 1.4 thorpej } 729 1.4 thorpej } 730 1.4 thorpej #endif /* KRB5 */ 731
Indexes created Tue Sep 23 20:09:58 GMT 2025