kerberos5.c revision 1.6
1 1.6 christos /* $NetBSD: kerberos5.c,v 1.6 2001/01/06 23:36:37 christos Exp $ */ 2 1.4 thorpej 3 1.1 cgd /*- 4 1.4 thorpej * Copyright (c) 1991, 1993 5 1.4 thorpej * The Regents of the University of California. All rights reserved. 6 1.1 cgd * 7 1.1 cgd * Redistribution and use in source and binary forms, with or without 8 1.1 cgd * modification, are permitted provided that the following conditions 9 1.1 cgd * are met: 10 1.1 cgd * 1. Redistributions of source code must retain the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer. 12 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 cgd * notice, this list of conditions and the following disclaimer in the 14 1.1 cgd * documentation and/or other materials provided with the distribution. 15 1.1 cgd * 3. All advertising materials mentioning features or use of this software 16 1.1 cgd * must display the following acknowledgement: 17 1.1 cgd * This product includes software developed by the University of 18 1.1 cgd * California, Berkeley and its contributors. 19 1.1 cgd * 4. Neither the name of the University nor the names of its contributors 20 1.1 cgd * may be used to endorse or promote products derived from this software 21 1.1 cgd * without specific prior written permission. 22 1.1 cgd * 23 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 1.1 cgd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 1.1 cgd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 1.1 cgd * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 1.1 cgd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 1.1 cgd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 1.1 cgd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 1.1 cgd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 1.1 cgd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 1.1 cgd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 1.1 cgd * SUCH DAMAGE. 34 1.1 cgd */ 35 1.1 cgd 36 1.1 cgd /* 37 1.1 cgd * Copyright (C) 1990 by the Massachusetts Institute of Technology 38 1.1 cgd * 39 1.4 thorpej * Export of this software from the United States of America may 40 1.4 thorpej * require a specific license from the United States Government. 41 1.1 cgd * It is the responsibility of any person or organization contemplating 42 1.1 cgd * export to obtain such a license before exporting. 43 1.1 cgd * 44 1.1 cgd * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 45 1.1 cgd * distribute this software and its documentation for any purpose and 46 1.1 cgd * without fee is hereby granted, provided that the above copyright 47 1.1 cgd * notice appear in all copies and that both that copyright notice and 48 1.1 cgd * this permission notice appear in supporting documentation, and that 49 1.1 cgd * the name of M.I.T. not be used in advertising or publicity pertaining 50 1.1 cgd * to distribution of the software without specific, written prior 51 1.1 cgd * permission. M.I.T. makes no representations about the suitability of 52 1.1 cgd * this software for any purpose. It is provided "as is" without express 53 1.1 cgd * or implied warranty. 54 1.1 cgd */ 55 1.1 cgd 56 1.1 cgd #ifdef KRB5 57 1.1 cgd #include <arpa/telnet.h> 58 1.1 cgd #include <stdio.h> 59 1.4 thorpej #include <stdlib.h> 60 1.4 thorpej #include <string.h> 61 1.4 thorpej #include <unistd.h> 62 1.1 cgd #include <netdb.h> 63 1.1 cgd #include <ctype.h> 64 1.4 thorpej #include <pwd.h> 65 1.4 thorpej #define Authenticator k5_Authenticator 66 1.4 thorpej #include <krb5.h> 67 1.4 thorpej #undef Authenticator 68 1.4 thorpej /* #include <roken.h> */ 69 1.1 cgd 70 1.1 cgd #include "encrypt.h" 71 1.1 cgd #include "auth.h" 72 1.1 cgd #include "misc.h" 73 1.1 cgd 74 1.6 christos extern int net; 75 1.6 christos 76 1.4 thorpej int forward_flags; /* Flags get set in telnet/main.c on -f and -F */ 77 1.4 thorpej int got_forwarded_creds;/* Tell telnetd to pass -F or -f to login. */ 78 1.1 cgd 79 1.4 thorpej int require_hwpreauth; 80 1.1 cgd 81 1.4 thorpej void kerberos5_forward(Authenticator *); 82 1.4 thorpej 83 1.4 thorpej static unsigned char str_data[1024] = {IAC, SB, TELOPT_AUTHENTICATION, 0, 84 1.4 thorpej AUTHTYPE_KERBEROS_V5,}; 85 1.4 thorpej 86 1.4 thorpej #define KRB_AUTH 0 /* Authentication data follows */ 87 1.4 thorpej #define KRB_REJECT 1 /* Rejected (reason might follow) */ 88 1.4 thorpej #define KRB_ACCEPT 2 /* Accepted */ 89 1.4 thorpej #define KRB_RESPONSE 3 /* Response for mutual auth. */ 90 1.4 thorpej 91 1.4 thorpej #define KRB_FORWARD 4 /* Forwarded credentials follow */ 92 1.4 thorpej #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 93 1.4 thorpej #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 94 1.4 thorpej 95 1.4 thorpej static krb5_data auth; 96 1.4 thorpej static krb5_ticket *ticket; 97 1.4 thorpej 98 1.4 thorpej krb5_context telnet_context; 99 1.4 thorpej static krb5_auth_context auth_context; 100 1.4 thorpej 101 1.4 thorpej static int 102 1.4 thorpej Data(Authenticator *ap, int type, void *d, int c) 103 1.1 cgd { 104 1.4 thorpej unsigned char *p = str_data + 4; 105 1.4 thorpej unsigned char *cd = (unsigned char *) d; 106 1.1 cgd 107 1.1 cgd if (c == -1) 108 1.4 thorpej c = strlen(cd); 109 1.1 cgd 110 1.4 thorpej if (auth_debug_mode) { 111 1.4 thorpej printf("%s:%d: [%d] (%d)", 112 1.4 thorpej str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 113 1.4 thorpej str_data[3], 114 1.4 thorpej type, c); 115 1.4 thorpej printd(d, c); 116 1.4 thorpej printf("\r\n"); 117 1.4 thorpej } 118 1.1 cgd *p++ = ap->type; 119 1.1 cgd *p++ = ap->way; 120 1.1 cgd *p++ = type; 121 1.4 thorpej while (c-- > 0) { 122 1.4 thorpej if ((*p++ = *cd++) == IAC) 123 1.4 thorpej *p++ = IAC; 124 1.4 thorpej } 125 1.4 thorpej *p++ = IAC; 126 1.4 thorpej *p++ = SE; 127 1.1 cgd if (str_data[3] == TELQUAL_IS) 128 1.1 cgd printsub('>', &str_data[2], p - &str_data[2]); 129 1.4 thorpej return (telnet_net_write(str_data, p - str_data)); 130 1.1 cgd } 131 1.1 cgd 132 1.4 thorpej int 133 1.4 thorpej kerberos5_init(Authenticator *ap, int server) 134 1.1 cgd { 135 1.5 thorpej krb5_error_code ret; 136 1.4 thorpej 137 1.5 thorpej if (telnet_context == 0) { 138 1.5 thorpej ret = krb5_init_context(&telnet_context); 139 1.5 thorpej if (ret) 140 1.5 thorpej return 0; 141 1.5 thorpej } 142 1.4 thorpej 143 1.4 thorpej if (server) { 144 1.4 thorpej krb5_keytab kt; 145 1.4 thorpej krb5_kt_cursor cursor; 146 1.4 thorpej 147 1.4 thorpej ret = krb5_kt_default(telnet_context, &kt); 148 1.4 thorpej if (ret) 149 1.4 thorpej return 0; 150 1.4 thorpej 151 1.4 thorpej ret = krb5_kt_start_seq_get(telnet_context, kt, &cursor); 152 1.4 thorpej if (ret) { 153 1.4 thorpej krb5_kt_close(telnet_context, kt); 154 1.4 thorpej return 0; 155 1.4 thorpej } 156 1.4 thorpej krb5_kt_end_seq_get(telnet_context, kt, &cursor); 157 1.4 thorpej krb5_kt_close(telnet_context, kt); 158 1.4 thorpej 159 1.1 cgd str_data[3] = TELQUAL_REPLY; 160 1.4 thorpej } else 161 1.1 cgd str_data[3] = TELQUAL_IS; 162 1.4 thorpej return (1); 163 1.1 cgd } 164 1.1 cgd 165 1.4 thorpej int 166 1.4 thorpej kerberos5_send(Authenticator *ap) 167 1.1 cgd { 168 1.4 thorpej krb5_error_code ret; 169 1.1 cgd krb5_ccache ccache; 170 1.4 thorpej int ap_opts; 171 1.4 thorpej krb5_data cksum_data; 172 1.4 thorpej char foo[2]; 173 1.1 cgd 174 1.4 thorpej printf("[ Trying KERBEROS5 ... ]\r\n"); 175 1.1 cgd 176 1.4 thorpej if (!UserNameRequested) { 177 1.1 cgd if (auth_debug_mode) { 178 1.4 thorpej printf("Kerberos V5: no user name supplied\r\n"); 179 1.1 cgd } 180 1.4 thorpej return (0); 181 1.1 cgd } 182 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 183 1.4 thorpej if (ret) { 184 1.1 cgd if (auth_debug_mode) { 185 1.4 thorpej printf( 186 1.4 thorpej "Kerberos V5: could not get default ccache: %s\r\n", 187 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 188 1.1 cgd } 189 1.4 thorpej return (0); 190 1.1 cgd } 191 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 192 1.4 thorpej ap_opts = AP_OPTS_MUTUAL_REQUIRED; 193 1.4 thorpej else 194 1.4 thorpej ap_opts = 0; 195 1.1 cgd 196 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 197 1.4 thorpej if (ret) { 198 1.1 cgd if (auth_debug_mode) { 199 1.4 thorpej printf( 200 1.4 thorpej "Kerberos V5: krb5_auth_con_init failed: %s\r\n", 201 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 202 1.4 thorpej } 203 1.4 thorpej return (0); 204 1.4 thorpej } 205 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 206 1.4 thorpej auth_context, &net); 207 1.4 thorpej if (ret) { 208 1.4 thorpej if (auth_debug_mode) { 209 1.4 thorpej printf("Kerberos V5: " 210 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed: %s\r\n", 211 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 212 1.1 cgd } 213 1.4 thorpej return (0); 214 1.1 cgd } 215 1.4 thorpej krb5_auth_setkeytype(telnet_context, auth_context, KEYTYPE_DES); 216 1.1 cgd 217 1.4 thorpej foo[0] = ap->type; 218 1.4 thorpej foo[1] = ap->way; 219 1.1 cgd 220 1.4 thorpej cksum_data.length = sizeof(foo); 221 1.4 thorpej cksum_data.data = foo; 222 1.4 thorpej ret = krb5_mk_req(telnet_context, &auth_context, ap_opts, "host", 223 1.4 thorpej RemoteHostName, &cksum_data, ccache, &auth); 224 1.4 thorpej if (ret) { 225 1.4 thorpej if (1 || auth_debug_mode) { 226 1.4 thorpej printf("Kerberos V5: mk_req failed (%s)\r\n", 227 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 228 1.1 cgd } 229 1.4 thorpej return (0); 230 1.1 cgd } 231 1.1 cgd 232 1.4 thorpej if (!auth_sendname((unsigned char *) UserNameRequested, 233 1.4 thorpej strlen(UserNameRequested))) { 234 1.4 thorpej if (auth_debug_mode) 235 1.4 thorpej printf("Not enough room for user name\r\n"); 236 1.4 thorpej return (0); 237 1.4 thorpej } 238 1.1 cgd if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 239 1.1 cgd if (auth_debug_mode) 240 1.1 cgd printf("Not enough room for authentication data\r\n"); 241 1.4 thorpej return (0); 242 1.1 cgd } 243 1.1 cgd if (auth_debug_mode) { 244 1.1 cgd printf("Sent Kerberos V5 credentials to server\r\n"); 245 1.1 cgd } 246 1.4 thorpej return (1); 247 1.1 cgd } 248 1.1 cgd 249 1.4 thorpej void 250 1.4 thorpej kerberos5_is(Authenticator * ap, unsigned char *data, int cnt) 251 1.1 cgd { 252 1.4 thorpej krb5_error_code ret; 253 1.4 thorpej krb5_data outbuf; 254 1.4 thorpej krb5_keyblock *key_block; 255 1.1 cgd char *name; 256 1.4 thorpej krb5_principal server; 257 1.4 thorpej int zero = 0; 258 1.1 cgd 259 1.1 cgd if (cnt-- < 1) 260 1.1 cgd return; 261 1.1 cgd switch (*data++) { 262 1.1 cgd case KRB_AUTH: 263 1.4 thorpej auth.data = (char *) data; 264 1.1 cgd auth.length = cnt; 265 1.1 cgd 266 1.4 thorpej auth_context = NULL; 267 1.4 thorpej 268 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 269 1.4 thorpej if (ret) { 270 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); 271 1.4 thorpej auth_finished(ap, AUTH_REJECT); 272 1.1 cgd if (auth_debug_mode) 273 1.4 thorpej printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", 274 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 275 1.4 thorpej return; 276 1.4 thorpej } 277 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 278 1.4 thorpej auth_context, &zero); 279 1.4 thorpej if (ret) { 280 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); 281 1.1 cgd auth_finished(ap, AUTH_REJECT); 282 1.4 thorpej if (auth_debug_mode) 283 1.4 thorpej printf("Kerberos V5: " 284 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", 285 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 286 1.1 cgd return; 287 1.1 cgd } 288 1.4 thorpej ret = krb5_sock_to_principal(telnet_context, 0, "host", 289 1.4 thorpej KRB5_NT_SRV_HST, &server); 290 1.4 thorpej if (ret) { 291 1.4 thorpej Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); 292 1.4 thorpej auth_finished(ap, AUTH_REJECT); 293 1.1 cgd if (auth_debug_mode) 294 1.4 thorpej printf("Kerberos V5: " 295 1.4 thorpej "krb5_sock_to_principal failed (%s)\r\n", 296 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 297 1.1 cgd return; 298 1.1 cgd } 299 1.4 thorpej ret = krb5_rd_req(telnet_context, &auth_context, &auth, 300 1.4 thorpej server, NULL, NULL, &ticket); 301 1.4 thorpej krb5_free_principal(telnet_context, server); 302 1.4 thorpej 303 1.4 thorpej if (ret) { 304 1.4 thorpej char *errbuf; 305 1.4 thorpej 306 1.4 thorpej asprintf(&errbuf, 307 1.4 thorpej "Read req failed: %s", 308 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 309 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 310 1.1 cgd if (auth_debug_mode) 311 1.4 thorpej printf("%s\r\n", errbuf); 312 1.4 thorpej free(errbuf); 313 1.1 cgd return; 314 1.4 thorpej } { 315 1.4 thorpej char foo[2]; 316 1.4 thorpej 317 1.4 thorpej foo[0] = ap->type; 318 1.4 thorpej foo[1] = ap->way; 319 1.4 thorpej 320 1.4 thorpej ret = krb5_verify_authenticator_checksum(telnet_context, 321 1.4 thorpej auth_context, foo, sizeof(foo)); 322 1.4 thorpej 323 1.4 thorpej if (ret) { 324 1.4 thorpej char *errbuf; 325 1.4 thorpej asprintf(&errbuf, "Bad checksum: %s", 326 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 327 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 328 1.4 thorpej if (auth_debug_mode) 329 1.4 thorpej printf("%s\r\n", errbuf); 330 1.4 thorpej free(errbuf); 331 1.4 thorpej return; 332 1.4 thorpej } 333 1.1 cgd } 334 1.4 thorpej ret = krb5_auth_con_getremotesubkey(telnet_context, 335 1.4 thorpej auth_context, &key_block); 336 1.1 cgd 337 1.4 thorpej if (ret) { 338 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); 339 1.4 thorpej auth_finished(ap, AUTH_REJECT); 340 1.1 cgd if (auth_debug_mode) 341 1.4 thorpej printf("Kerberos V5: " 342 1.4 thorpej "krb5_auth_con_getremotesubkey failed (%s)\r\n", 343 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 344 1.1 cgd return; 345 1.1 cgd } 346 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 347 1.4 thorpej ret = krb5_mk_rep(telnet_context, 348 1.4 thorpej &auth_context, &outbuf); 349 1.4 thorpej if (ret) { 350 1.4 thorpej Data(ap, KRB_REJECT, 351 1.4 thorpej "krb5_mk_rep failed", -1); 352 1.4 thorpej auth_finished(ap, AUTH_REJECT); 353 1.4 thorpej if (auth_debug_mode) 354 1.4 thorpej printf("Kerberos V5: " 355 1.4 thorpej "krb5_mk_rep failed (%s)\r\n", 356 1.4 thorpej krb5_get_err_text(telnet_context, 357 1.4 thorpej ret)); 358 1.4 thorpej return; 359 1.4 thorpej } 360 1.4 thorpej Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 361 1.4 thorpej } 362 1.4 thorpej if (krb5_unparse_name(telnet_context, ticket->client, &name)) 363 1.1 cgd name = 0; 364 1.4 thorpej 365 1.4 thorpej if (UserNameRequested && krb5_kuserok(telnet_context, 366 1.4 thorpej ticket->client, UserNameRequested)) { 367 1.4 thorpej Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 368 1.4 thorpej if (auth_debug_mode) { 369 1.4 thorpej printf("Kerberos5 identifies him as ``%s''\r\n", 370 1.4 thorpej name ? name : ""); 371 1.4 thorpej } 372 1.4 thorpej if (key_block->keytype == ETYPE_DES_CBC_MD5 || 373 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_MD4 || 374 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_CRC) { 375 1.4 thorpej Session_Key skey; 376 1.4 thorpej 377 1.4 thorpej skey.type = SK_DES; 378 1.4 thorpej skey.length = 8; 379 1.4 thorpej skey.data = key_block->keyvalue.data; 380 1.4 thorpej encrypt_session_key(&skey, 0); 381 1.4 thorpej } 382 1.4 thorpej } else { 383 1.4 thorpej char *msg; 384 1.4 thorpej 385 1.4 thorpej asprintf(&msg, "user `%s' is not authorized to " 386 1.4 thorpej "login as `%s'", 387 1.4 thorpej name ? name : "<unknown>", 388 1.4 thorpej UserNameRequested ? UserNameRequested : "<nobody>"); 389 1.4 thorpej if (msg == NULL) 390 1.4 thorpej Data(ap, KRB_REJECT, NULL, 0); 391 1.4 thorpej else { 392 1.4 thorpej Data(ap, KRB_REJECT, (void *) msg, -1); 393 1.4 thorpej free(msg); 394 1.4 thorpej } 395 1.4 thorpej auth_finished(ap, AUTH_REJECT); 396 1.4 thorpej krb5_free_keyblock_contents(telnet_context, key_block); 397 1.4 thorpej break; 398 1.1 cgd } 399 1.4 thorpej auth_finished(ap, AUTH_USER); 400 1.4 thorpej krb5_free_keyblock_contents(telnet_context, key_block); 401 1.4 thorpej 402 1.1 cgd break; 403 1.4 thorpej case KRB_FORWARD:{ 404 1.4 thorpej struct passwd *pwd; 405 1.4 thorpej char ccname[1024]; /* XXX */ 406 1.4 thorpej krb5_data inbuf; 407 1.4 thorpej krb5_ccache ccache; 408 1.4 thorpej inbuf.data = (char *) data; 409 1.4 thorpej inbuf.length = cnt; 410 1.4 thorpej 411 1.4 thorpej pwd = getpwnam(UserNameRequested); 412 1.4 thorpej if (pwd == NULL) 413 1.4 thorpej break; 414 1.1 cgd 415 1.4 thorpej snprintf(ccname, sizeof(ccname), 416 1.4 thorpej "FILE:/tmp/krb5cc_%u", pwd->pw_uid); 417 1.1 cgd 418 1.4 thorpej ret = krb5_cc_resolve(telnet_context, ccname, &ccache); 419 1.4 thorpej if (ret) { 420 1.4 thorpej if (auth_debug_mode) 421 1.4 thorpej printf("Kerberos V5: could not get ccache: %s\r\n", 422 1.4 thorpej krb5_get_err_text(telnet_context, 423 1.4 thorpej ret)); 424 1.4 thorpej break; 425 1.4 thorpej } 426 1.4 thorpej ret = krb5_cc_initialize(telnet_context, ccache, 427 1.4 thorpej ticket->client); 428 1.4 thorpej if (ret) { 429 1.4 thorpej if (auth_debug_mode) 430 1.4 thorpej printf("Kerberos V5: could not init ccache: %s\r\n", 431 1.4 thorpej krb5_get_err_text(telnet_context, 432 1.4 thorpej ret)); 433 1.1 cgd break; 434 1.4 thorpej } 435 1.4 thorpej ret = krb5_rd_cred(telnet_context, auth_context, 436 1.4 thorpej ccache, &inbuf); 437 1.4 thorpej if (ret) { 438 1.4 thorpej char *errbuf; 439 1.4 thorpej 440 1.4 thorpej asprintf(&errbuf, 441 1.4 thorpej "Read forwarded creds failed: %s", 442 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 443 1.4 thorpej if (errbuf == NULL) 444 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, NULL, 0); 445 1.4 thorpej else 446 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 447 1.4 thorpej if (auth_debug_mode) 448 1.4 thorpej printf("Could not read forwarded credentials: %s\r\n", 449 1.4 thorpej errbuf); 450 1.4 thorpej free(errbuf); 451 1.4 thorpej } else 452 1.4 thorpej Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 453 1.4 thorpej chown(ccname + 5, pwd->pw_uid, -1); 454 1.4 thorpej if (auth_debug_mode) 455 1.4 thorpej printf("Forwarded credentials obtained\r\n"); 456 1.4 thorpej break; 457 1.1 cgd } 458 1.1 cgd default: 459 1.1 cgd if (auth_debug_mode) 460 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 461 1.1 cgd Data(ap, KRB_REJECT, 0, 0); 462 1.1 cgd break; 463 1.1 cgd } 464 1.1 cgd } 465 1.1 cgd 466 1.4 thorpej void 467 1.4 thorpej kerberos5_reply(Authenticator * ap, unsigned char *data, int cnt) 468 1.1 cgd { 469 1.4 thorpej static int mutual_complete = 0; 470 1.1 cgd 471 1.1 cgd if (cnt-- < 1) 472 1.1 cgd return; 473 1.1 cgd switch (*data++) { 474 1.1 cgd case KRB_REJECT: 475 1.1 cgd if (cnt > 0) { 476 1.1 cgd printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 477 1.4 thorpej cnt, data); 478 1.1 cgd } else 479 1.1 cgd printf("[ Kerberos V5 refuses authentication ]\r\n"); 480 1.1 cgd auth_send_retry(); 481 1.1 cgd return; 482 1.4 thorpej case KRB_ACCEPT:{ 483 1.4 thorpej krb5_error_code ret; 484 1.4 thorpej Session_Key skey; 485 1.4 thorpej krb5_keyblock *keyblock; 486 1.4 thorpej 487 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 488 1.4 thorpej !mutual_complete) { 489 1.4 thorpej printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); 490 1.4 thorpej auth_send_retry(); 491 1.4 thorpej return; 492 1.4 thorpej } 493 1.4 thorpej if (cnt) 494 1.4 thorpej printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); 495 1.4 thorpej else 496 1.4 thorpej printf("[ Kerberos V5 accepts you ]\r\n"); 497 1.4 thorpej 498 1.4 thorpej ret = krb5_auth_con_getlocalsubkey(telnet_context, 499 1.4 thorpej auth_context, &keyblock); 500 1.4 thorpej if (ret) 501 1.4 thorpej ret = krb5_auth_con_getkey(telnet_context, 502 1.4 thorpej auth_context, &keyblock); 503 1.4 thorpej if (ret) { 504 1.4 thorpej printf("[ krb5_auth_con_getkey: %s ]\r\n", 505 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 506 1.4 thorpej auth_send_retry(); 507 1.4 thorpej return; 508 1.4 thorpej } 509 1.1 cgd skey.type = SK_DES; 510 1.1 cgd skey.length = 8; 511 1.4 thorpej skey.data = keyblock->keyvalue.data; 512 1.1 cgd encrypt_session_key(&skey, 0); 513 1.4 thorpej krb5_free_keyblock_contents(telnet_context, keyblock); 514 1.4 thorpej auth_finished(ap, AUTH_USER); 515 1.4 thorpej if (forward_flags & OPTS_FORWARD_CREDS) 516 1.4 thorpej kerberos5_forward(ap); 517 1.4 thorpej break; 518 1.1 cgd } 519 1.1 cgd case KRB_RESPONSE: 520 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 521 1.4 thorpej /* the rest of the reply should contain a krb_ap_rep */ 522 1.4 thorpej krb5_ap_rep_enc_part *reply; 523 1.4 thorpej krb5_data inbuf; 524 1.4 thorpej krb5_error_code ret; 525 1.4 thorpej 526 1.4 thorpej inbuf.length = cnt; 527 1.4 thorpej inbuf.data = (char *) data; 528 1.4 thorpej 529 1.4 thorpej ret = krb5_rd_rep(telnet_context, 530 1.4 thorpej auth_context, &inbuf, &reply); 531 1.4 thorpej if (ret) { 532 1.4 thorpej printf("[ Mutual authentication failed: %s ]\r\n", 533 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 534 1.4 thorpej auth_send_retry(); 535 1.4 thorpej return; 536 1.4 thorpej } 537 1.4 thorpej krb5_free_ap_rep_enc_part(telnet_context, reply); 538 1.4 thorpej mutual_complete = 1; 539 1.1 cgd } 540 1.4 thorpej return; 541 1.4 thorpej case KRB_FORWARD_ACCEPT: 542 1.4 thorpej printf("[ Kerberos V5 accepted forwarded credentials ]\r\n"); 543 1.4 thorpej return; 544 1.4 thorpej case KRB_FORWARD_REJECT: 545 1.4 thorpej printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 546 1.4 thorpej cnt, data); 547 1.4 thorpej return; 548 1.1 cgd default: 549 1.1 cgd if (auth_debug_mode) 550 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 551 1.1 cgd return; 552 1.1 cgd } 553 1.1 cgd } 554 1.1 cgd 555 1.4 thorpej int 556 1.4 thorpej kerberos5_status(Authenticator *ap, char *name, int level) 557 1.1 cgd { 558 1.1 cgd if (level < AUTH_USER) 559 1.4 thorpej return (level); 560 1.1 cgd 561 1.1 cgd if (UserNameRequested && 562 1.4 thorpej krb5_kuserok(telnet_context, ticket->client, UserNameRequested)) { 563 1.1 cgd strcpy(name, UserNameRequested); 564 1.4 thorpej return (AUTH_VALID); 565 1.1 cgd } else 566 1.4 thorpej return (AUTH_USER); 567 1.1 cgd } 568 1.1 cgd #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 569 1.4 thorpej #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 570 1.1 cgd 571 1.4 thorpej void 572 1.4 thorpej kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 573 1.1 cgd { 574 1.4 thorpej int i; 575 1.1 cgd 576 1.4 thorpej buf[buflen - 1] = '\0'; /* make sure its NULL terminated */ 577 1.1 cgd buflen -= 1; 578 1.1 cgd 579 1.4 thorpej switch (data[3]) { 580 1.4 thorpej case KRB_REJECT: /* Rejected (reason might follow) */ 581 1.4 thorpej strlcpy((char *) buf, " REJECT ", buflen); 582 1.1 cgd goto common; 583 1.1 cgd 584 1.4 thorpej case KRB_ACCEPT: /* Accepted (name might follow) */ 585 1.4 thorpej strlcpy((char *) buf, " ACCEPT ", buflen); 586 1.4 thorpej common: 587 1.1 cgd BUMP(buf, buflen); 588 1.1 cgd if (cnt <= 4) 589 1.1 cgd break; 590 1.1 cgd ADDC(buf, buflen, '"'); 591 1.1 cgd for (i = 4; i < cnt; i++) 592 1.1 cgd ADDC(buf, buflen, data[i]); 593 1.1 cgd ADDC(buf, buflen, '"'); 594 1.1 cgd ADDC(buf, buflen, '\0'); 595 1.1 cgd break; 596 1.1 cgd 597 1.4 thorpej 598 1.4 thorpej case KRB_AUTH: /* Authentication data follows */ 599 1.4 thorpej strlcpy((char *) buf, " AUTH", buflen); 600 1.4 thorpej goto common2; 601 1.4 thorpej 602 1.4 thorpej case KRB_RESPONSE: 603 1.4 thorpej strlcpy((char *) buf, " RESPONSE", buflen); 604 1.1 cgd goto common2; 605 1.1 cgd 606 1.4 thorpej case KRB_FORWARD: /* Forwarded credentials follow */ 607 1.4 thorpej strlcpy((char *) buf, " FORWARD", buflen); 608 1.1 cgd goto common2; 609 1.1 cgd 610 1.4 thorpej case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 611 1.4 thorpej strlcpy((char *) buf, " FORWARD_ACCEPT", buflen); 612 1.4 thorpej goto common2; 613 1.4 thorpej 614 1.4 thorpej case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 615 1.4 thorpej /* (reason might follow) */ 616 1.4 thorpej strlcpy((char *) buf, " FORWARD_REJECT", buflen); 617 1.1 cgd goto common2; 618 1.1 cgd 619 1.1 cgd default: 620 1.4 thorpej snprintf(buf, buflen, " %d (unknown)", data[3]); 621 1.4 thorpej common2: 622 1.1 cgd BUMP(buf, buflen); 623 1.1 cgd for (i = 4; i < cnt; i++) { 624 1.4 thorpej snprintf(buf, buflen, " %d", data[i]); 625 1.1 cgd BUMP(buf, buflen); 626 1.1 cgd } 627 1.1 cgd break; 628 1.1 cgd } 629 1.1 cgd } 630 1.4 thorpej 631 1.4 thorpej void 632 1.4 thorpej kerberos5_forward(Authenticator * ap) 633 1.4 thorpej { 634 1.4 thorpej krb5_error_code ret; 635 1.4 thorpej krb5_ccache ccache; 636 1.4 thorpej krb5_creds creds; 637 1.4 thorpej krb5_kdc_flags flags; 638 1.4 thorpej krb5_data out_data; 639 1.4 thorpej krb5_principal principal; 640 1.4 thorpej 641 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 642 1.4 thorpej if (ret) { 643 1.4 thorpej if (auth_debug_mode) 644 1.4 thorpej printf("KerberosV5: could not get default ccache: %s\r\n", 645 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 646 1.4 thorpej return; 647 1.4 thorpej } 648 1.4 thorpej ret = krb5_cc_get_principal(telnet_context, ccache, &principal); 649 1.4 thorpej if (ret) { 650 1.4 thorpej if (auth_debug_mode) 651 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 652 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 653 1.4 thorpej return; 654 1.4 thorpej } 655 1.4 thorpej memset(&creds, 0, sizeof(creds)); 656 1.4 thorpej 657 1.4 thorpej creds.client = principal; 658 1.4 thorpej 659 1.4 thorpej ret = krb5_build_principal(telnet_context, &creds.server, 660 1.4 thorpej strlen(principal->realm), principal->realm, "krbtgt", 661 1.4 thorpej principal->realm, NULL); 662 1.4 thorpej 663 1.4 thorpej if (ret) { 664 1.4 thorpej if (auth_debug_mode) 665 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 666 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 667 1.4 thorpej return; 668 1.4 thorpej } 669 1.4 thorpej creds.times.endtime = 0; 670 1.4 thorpej 671 1.4 thorpej flags.i = 0; 672 1.4 thorpej flags.b.forwarded = 1; 673 1.4 thorpej if (forward_flags & OPTS_FORWARDABLE_CREDS) 674 1.4 thorpej flags.b.forwardable = 1; 675 1.4 thorpej 676 1.4 thorpej ret = krb5_get_forwarded_creds(telnet_context, auth_context, 677 1.4 thorpej ccache, flags.i, RemoteHostName, &creds, &out_data); 678 1.4 thorpej if (ret) { 679 1.4 thorpej if (auth_debug_mode) 680 1.4 thorpej printf("Kerberos V5: error getting forwarded creds: %s\r\n", 681 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 682 1.4 thorpej return; 683 1.4 thorpej } 684 1.4 thorpej if (!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) { 685 1.4 thorpej if (auth_debug_mode) 686 1.4 thorpej printf("Not enough room for authentication data\r\n"); 687 1.4 thorpej } else { 688 1.4 thorpej if (auth_debug_mode) 689 1.4 thorpej printf("Forwarded local Kerberos V5 credentials to server\r\n"); 690 1.4 thorpej } 691 1.4 thorpej } 692 1.4 thorpej #endif /* KRB5 */ 693
Indexes created Tue Sep 23 07:09:52 GMT 2025