kerberos5.c revision 1.9
1 1.9 joda /* $NetBSD: kerberos5.c,v 1.9 2002/09/20 14:45:29 joda Exp $ */ 2 1.4 thorpej 3 1.1 cgd /*- 4 1.4 thorpej * Copyright (c) 1991, 1993 5 1.4 thorpej * The Regents of the University of California. All rights reserved. 6 1.1 cgd * 7 1.1 cgd * Redistribution and use in source and binary forms, with or without 8 1.1 cgd * modification, are permitted provided that the following conditions 9 1.1 cgd * are met: 10 1.1 cgd * 1. Redistributions of source code must retain the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer. 12 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 cgd * notice, this list of conditions and the following disclaimer in the 14 1.1 cgd * documentation and/or other materials provided with the distribution. 15 1.1 cgd * 3. All advertising materials mentioning features or use of this software 16 1.1 cgd * must display the following acknowledgement: 17 1.1 cgd * This product includes software developed by the University of 18 1.1 cgd * California, Berkeley and its contributors. 19 1.1 cgd * 4. Neither the name of the University nor the names of its contributors 20 1.1 cgd * may be used to endorse or promote products derived from this software 21 1.1 cgd * without specific prior written permission. 22 1.1 cgd * 23 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 1.1 cgd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 1.1 cgd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 1.1 cgd * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 1.1 cgd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 1.1 cgd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 1.1 cgd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 1.1 cgd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 1.1 cgd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 1.1 cgd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 1.1 cgd * SUCH DAMAGE. 34 1.1 cgd */ 35 1.1 cgd 36 1.1 cgd /* 37 1.1 cgd * Copyright (C) 1990 by the Massachusetts Institute of Technology 38 1.1 cgd * 39 1.4 thorpej * Export of this software from the United States of America may 40 1.4 thorpej * require a specific license from the United States Government. 41 1.1 cgd * It is the responsibility of any person or organization contemplating 42 1.1 cgd * export to obtain such a license before exporting. 43 1.1 cgd * 44 1.1 cgd * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 45 1.1 cgd * distribute this software and its documentation for any purpose and 46 1.1 cgd * without fee is hereby granted, provided that the above copyright 47 1.1 cgd * notice appear in all copies and that both that copyright notice and 48 1.1 cgd * this permission notice appear in supporting documentation, and that 49 1.1 cgd * the name of M.I.T. not be used in advertising or publicity pertaining 50 1.1 cgd * to distribution of the software without specific, written prior 51 1.1 cgd * permission. M.I.T. makes no representations about the suitability of 52 1.1 cgd * this software for any purpose. It is provided "as is" without express 53 1.1 cgd * or implied warranty. 54 1.1 cgd */ 55 1.1 cgd 56 1.1 cgd #ifdef KRB5 57 1.1 cgd #include <arpa/telnet.h> 58 1.1 cgd #include <stdio.h> 59 1.4 thorpej #include <stdlib.h> 60 1.4 thorpej #include <string.h> 61 1.4 thorpej #include <unistd.h> 62 1.1 cgd #include <netdb.h> 63 1.1 cgd #include <ctype.h> 64 1.4 thorpej #include <pwd.h> 65 1.4 thorpej #define Authenticator k5_Authenticator 66 1.4 thorpej #include <krb5.h> 67 1.4 thorpej #undef Authenticator 68 1.4 thorpej /* #include <roken.h> */ 69 1.1 cgd 70 1.1 cgd #include "encrypt.h" 71 1.1 cgd #include "auth.h" 72 1.1 cgd #include "misc.h" 73 1.1 cgd 74 1.6 christos extern int net; 75 1.6 christos 76 1.4 thorpej int forward_flags; /* Flags get set in telnet/main.c on -f and -F */ 77 1.4 thorpej int got_forwarded_creds;/* Tell telnetd to pass -F or -f to login. */ 78 1.1 cgd 79 1.4 thorpej int require_hwpreauth; 80 1.1 cgd 81 1.4 thorpej void kerberos5_forward(Authenticator *); 82 1.4 thorpej 83 1.4 thorpej static unsigned char str_data[1024] = {IAC, SB, TELOPT_AUTHENTICATION, 0, 84 1.4 thorpej AUTHTYPE_KERBEROS_V5,}; 85 1.4 thorpej 86 1.4 thorpej #define KRB_AUTH 0 /* Authentication data follows */ 87 1.4 thorpej #define KRB_REJECT 1 /* Rejected (reason might follow) */ 88 1.4 thorpej #define KRB_ACCEPT 2 /* Accepted */ 89 1.4 thorpej #define KRB_RESPONSE 3 /* Response for mutual auth. */ 90 1.4 thorpej 91 1.4 thorpej #define KRB_FORWARD 4 /* Forwarded credentials follow */ 92 1.4 thorpej #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ 93 1.4 thorpej #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ 94 1.4 thorpej 95 1.4 thorpej static krb5_data auth; 96 1.4 thorpej static krb5_ticket *ticket; 97 1.4 thorpej 98 1.4 thorpej krb5_context telnet_context; 99 1.4 thorpej static krb5_auth_context auth_context; 100 1.4 thorpej 101 1.4 thorpej static int 102 1.4 thorpej Data(Authenticator *ap, int type, void *d, int c) 103 1.1 cgd { 104 1.4 thorpej unsigned char *p = str_data + 4; 105 1.4 thorpej unsigned char *cd = (unsigned char *) d; 106 1.1 cgd 107 1.1 cgd if (c == -1) 108 1.4 thorpej c = strlen(cd); 109 1.1 cgd 110 1.4 thorpej if (auth_debug_mode) { 111 1.4 thorpej printf("%s:%d: [%d] (%d)", 112 1.4 thorpej str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 113 1.4 thorpej str_data[3], 114 1.4 thorpej type, c); 115 1.4 thorpej printd(d, c); 116 1.4 thorpej printf("\r\n"); 117 1.4 thorpej } 118 1.1 cgd *p++ = ap->type; 119 1.1 cgd *p++ = ap->way; 120 1.1 cgd *p++ = type; 121 1.4 thorpej while (c-- > 0) { 122 1.4 thorpej if ((*p++ = *cd++) == IAC) 123 1.4 thorpej *p++ = IAC; 124 1.4 thorpej } 125 1.4 thorpej *p++ = IAC; 126 1.4 thorpej *p++ = SE; 127 1.1 cgd if (str_data[3] == TELQUAL_IS) 128 1.1 cgd printsub('>', &str_data[2], p - &str_data[2]); 129 1.4 thorpej return (telnet_net_write(str_data, p - str_data)); 130 1.1 cgd } 131 1.1 cgd 132 1.4 thorpej int 133 1.4 thorpej kerberos5_init(Authenticator *ap, int server) 134 1.1 cgd { 135 1.5 thorpej krb5_error_code ret; 136 1.4 thorpej 137 1.5 thorpej if (telnet_context == 0) { 138 1.5 thorpej ret = krb5_init_context(&telnet_context); 139 1.5 thorpej if (ret) 140 1.5 thorpej return 0; 141 1.5 thorpej } 142 1.4 thorpej 143 1.4 thorpej if (server) { 144 1.4 thorpej krb5_keytab kt; 145 1.4 thorpej krb5_kt_cursor cursor; 146 1.4 thorpej 147 1.4 thorpej ret = krb5_kt_default(telnet_context, &kt); 148 1.4 thorpej if (ret) 149 1.4 thorpej return 0; 150 1.4 thorpej 151 1.4 thorpej ret = krb5_kt_start_seq_get(telnet_context, kt, &cursor); 152 1.4 thorpej if (ret) { 153 1.4 thorpej krb5_kt_close(telnet_context, kt); 154 1.4 thorpej return 0; 155 1.4 thorpej } 156 1.4 thorpej krb5_kt_end_seq_get(telnet_context, kt, &cursor); 157 1.4 thorpej krb5_kt_close(telnet_context, kt); 158 1.4 thorpej 159 1.1 cgd str_data[3] = TELQUAL_REPLY; 160 1.4 thorpej } else 161 1.1 cgd str_data[3] = TELQUAL_IS; 162 1.4 thorpej return (1); 163 1.1 cgd } 164 1.1 cgd 165 1.4 thorpej int 166 1.4 thorpej kerberos5_send(Authenticator *ap) 167 1.1 cgd { 168 1.4 thorpej krb5_error_code ret; 169 1.1 cgd krb5_ccache ccache; 170 1.4 thorpej int ap_opts; 171 1.4 thorpej krb5_data cksum_data; 172 1.4 thorpej char foo[2]; 173 1.1 cgd 174 1.4 thorpej printf("[ Trying KERBEROS5 ... ]\r\n"); 175 1.1 cgd 176 1.4 thorpej if (!UserNameRequested) { 177 1.1 cgd if (auth_debug_mode) { 178 1.4 thorpej printf("Kerberos V5: no user name supplied\r\n"); 179 1.1 cgd } 180 1.4 thorpej return (0); 181 1.1 cgd } 182 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 183 1.4 thorpej if (ret) { 184 1.1 cgd if (auth_debug_mode) { 185 1.4 thorpej printf( 186 1.4 thorpej "Kerberos V5: could not get default ccache: %s\r\n", 187 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 188 1.1 cgd } 189 1.4 thorpej return (0); 190 1.1 cgd } 191 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) 192 1.4 thorpej ap_opts = AP_OPTS_MUTUAL_REQUIRED; 193 1.4 thorpej else 194 1.4 thorpej ap_opts = 0; 195 1.1 cgd 196 1.9 joda ap_opts |= AP_OPTS_USE_SUBKEY; 197 1.9 joda 198 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 199 1.4 thorpej if (ret) { 200 1.1 cgd if (auth_debug_mode) { 201 1.4 thorpej printf( 202 1.4 thorpej "Kerberos V5: krb5_auth_con_init failed: %s\r\n", 203 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 204 1.4 thorpej } 205 1.4 thorpej return (0); 206 1.4 thorpej } 207 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 208 1.4 thorpej auth_context, &net); 209 1.4 thorpej if (ret) { 210 1.4 thorpej if (auth_debug_mode) { 211 1.4 thorpej printf("Kerberos V5: " 212 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed: %s\r\n", 213 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 214 1.1 cgd } 215 1.4 thorpej return (0); 216 1.1 cgd } 217 1.8 assar krb5_auth_con_setkeytype(telnet_context, auth_context, KEYTYPE_DES); 218 1.1 cgd 219 1.4 thorpej foo[0] = ap->type; 220 1.4 thorpej foo[1] = ap->way; 221 1.1 cgd 222 1.4 thorpej cksum_data.length = sizeof(foo); 223 1.4 thorpej cksum_data.data = foo; 224 1.4 thorpej ret = krb5_mk_req(telnet_context, &auth_context, ap_opts, "host", 225 1.4 thorpej RemoteHostName, &cksum_data, ccache, &auth); 226 1.4 thorpej if (ret) { 227 1.4 thorpej if (1 || auth_debug_mode) { 228 1.4 thorpej printf("Kerberos V5: mk_req failed (%s)\r\n", 229 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 230 1.1 cgd } 231 1.4 thorpej return (0); 232 1.1 cgd } 233 1.1 cgd 234 1.4 thorpej if (!auth_sendname((unsigned char *) UserNameRequested, 235 1.4 thorpej strlen(UserNameRequested))) { 236 1.4 thorpej if (auth_debug_mode) 237 1.4 thorpej printf("Not enough room for user name\r\n"); 238 1.4 thorpej return (0); 239 1.4 thorpej } 240 1.1 cgd if (!Data(ap, KRB_AUTH, auth.data, auth.length)) { 241 1.1 cgd if (auth_debug_mode) 242 1.1 cgd printf("Not enough room for authentication data\r\n"); 243 1.4 thorpej return (0); 244 1.1 cgd } 245 1.1 cgd if (auth_debug_mode) { 246 1.1 cgd printf("Sent Kerberos V5 credentials to server\r\n"); 247 1.1 cgd } 248 1.4 thorpej return (1); 249 1.1 cgd } 250 1.1 cgd 251 1.4 thorpej void 252 1.4 thorpej kerberos5_is(Authenticator * ap, unsigned char *data, int cnt) 253 1.1 cgd { 254 1.4 thorpej krb5_error_code ret; 255 1.4 thorpej krb5_data outbuf; 256 1.4 thorpej krb5_keyblock *key_block; 257 1.1 cgd char *name; 258 1.4 thorpej krb5_principal server; 259 1.4 thorpej int zero = 0; 260 1.1 cgd 261 1.1 cgd if (cnt-- < 1) 262 1.1 cgd return; 263 1.1 cgd switch (*data++) { 264 1.1 cgd case KRB_AUTH: 265 1.4 thorpej auth.data = (char *) data; 266 1.1 cgd auth.length = cnt; 267 1.1 cgd 268 1.4 thorpej auth_context = NULL; 269 1.4 thorpej 270 1.4 thorpej ret = krb5_auth_con_init(telnet_context, &auth_context); 271 1.4 thorpej if (ret) { 272 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1); 273 1.4 thorpej auth_finished(ap, AUTH_REJECT); 274 1.1 cgd if (auth_debug_mode) 275 1.4 thorpej printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", 276 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 277 1.4 thorpej return; 278 1.4 thorpej } 279 1.4 thorpej ret = krb5_auth_con_setaddrs_from_fd(telnet_context, 280 1.4 thorpej auth_context, &zero); 281 1.4 thorpej if (ret) { 282 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1); 283 1.1 cgd auth_finished(ap, AUTH_REJECT); 284 1.4 thorpej if (auth_debug_mode) 285 1.4 thorpej printf("Kerberos V5: " 286 1.4 thorpej "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", 287 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 288 1.1 cgd return; 289 1.1 cgd } 290 1.4 thorpej ret = krb5_sock_to_principal(telnet_context, 0, "host", 291 1.4 thorpej KRB5_NT_SRV_HST, &server); 292 1.4 thorpej if (ret) { 293 1.4 thorpej Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1); 294 1.4 thorpej auth_finished(ap, AUTH_REJECT); 295 1.1 cgd if (auth_debug_mode) 296 1.4 thorpej printf("Kerberos V5: " 297 1.4 thorpej "krb5_sock_to_principal failed (%s)\r\n", 298 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 299 1.1 cgd return; 300 1.1 cgd } 301 1.4 thorpej ret = krb5_rd_req(telnet_context, &auth_context, &auth, 302 1.4 thorpej server, NULL, NULL, &ticket); 303 1.4 thorpej krb5_free_principal(telnet_context, server); 304 1.4 thorpej 305 1.4 thorpej if (ret) { 306 1.4 thorpej char *errbuf; 307 1.4 thorpej 308 1.4 thorpej asprintf(&errbuf, 309 1.4 thorpej "Read req failed: %s", 310 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 311 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 312 1.1 cgd if (auth_debug_mode) 313 1.4 thorpej printf("%s\r\n", errbuf); 314 1.4 thorpej free(errbuf); 315 1.1 cgd return; 316 1.4 thorpej } { 317 1.4 thorpej char foo[2]; 318 1.4 thorpej 319 1.4 thorpej foo[0] = ap->type; 320 1.4 thorpej foo[1] = ap->way; 321 1.4 thorpej 322 1.4 thorpej ret = krb5_verify_authenticator_checksum(telnet_context, 323 1.4 thorpej auth_context, foo, sizeof(foo)); 324 1.4 thorpej 325 1.4 thorpej if (ret) { 326 1.4 thorpej char *errbuf; 327 1.4 thorpej asprintf(&errbuf, "Bad checksum: %s", 328 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 329 1.4 thorpej Data(ap, KRB_REJECT, errbuf, -1); 330 1.4 thorpej if (auth_debug_mode) 331 1.4 thorpej printf("%s\r\n", errbuf); 332 1.4 thorpej free(errbuf); 333 1.4 thorpej return; 334 1.4 thorpej } 335 1.1 cgd } 336 1.4 thorpej ret = krb5_auth_con_getremotesubkey(telnet_context, 337 1.4 thorpej auth_context, &key_block); 338 1.1 cgd 339 1.4 thorpej if (ret) { 340 1.4 thorpej Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1); 341 1.4 thorpej auth_finished(ap, AUTH_REJECT); 342 1.1 cgd if (auth_debug_mode) 343 1.4 thorpej printf("Kerberos V5: " 344 1.4 thorpej "krb5_auth_con_getremotesubkey failed (%s)\r\n", 345 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 346 1.9 joda return; 347 1.9 joda } 348 1.9 joda if (key_block == NULL) { 349 1.9 joda ret = krb5_auth_con_getkey(context, 350 1.9 joda auth_context, 351 1.9 joda &key_block); 352 1.9 joda } 353 1.9 joda if (ret) { 354 1.9 joda Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1); 355 1.9 joda auth_finished(ap, AUTH_REJECT); 356 1.9 joda if (auth_debug_mode) 357 1.9 joda printf("Kerberos V5: " 358 1.9 joda "krb5_auth_con_getkey failed (%s)\r\n", 359 1.9 joda krb5_get_err_text(context, ret)); 360 1.9 joda return; 361 1.9 joda } 362 1.9 joda if (key_block == NULL) { 363 1.9 joda Data(ap, KRB_REJECT, "no subkey received", -1); 364 1.9 joda auth_finished(ap, AUTH_REJECT); 365 1.9 joda if (auth_debug_mode) 366 1.9 joda printf("Kerberos V5: " 367 1.9 joda "krb5_auth_con_getremotesubkey returned NULL key\r\n"); 368 1.1 cgd return; 369 1.1 cgd } 370 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 371 1.4 thorpej ret = krb5_mk_rep(telnet_context, 372 1.7 assar auth_context, &outbuf); 373 1.4 thorpej if (ret) { 374 1.4 thorpej Data(ap, KRB_REJECT, 375 1.4 thorpej "krb5_mk_rep failed", -1); 376 1.4 thorpej auth_finished(ap, AUTH_REJECT); 377 1.4 thorpej if (auth_debug_mode) 378 1.4 thorpej printf("Kerberos V5: " 379 1.4 thorpej "krb5_mk_rep failed (%s)\r\n", 380 1.4 thorpej krb5_get_err_text(telnet_context, 381 1.4 thorpej ret)); 382 1.4 thorpej return; 383 1.4 thorpej } 384 1.4 thorpej Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length); 385 1.4 thorpej } 386 1.4 thorpej if (krb5_unparse_name(telnet_context, ticket->client, &name)) 387 1.1 cgd name = 0; 388 1.4 thorpej 389 1.4 thorpej if (UserNameRequested && krb5_kuserok(telnet_context, 390 1.4 thorpej ticket->client, UserNameRequested)) { 391 1.4 thorpej Data(ap, KRB_ACCEPT, name, name ? -1 : 0); 392 1.4 thorpej if (auth_debug_mode) { 393 1.4 thorpej printf("Kerberos5 identifies him as ``%s''\r\n", 394 1.4 thorpej name ? name : ""); 395 1.4 thorpej } 396 1.4 thorpej if (key_block->keytype == ETYPE_DES_CBC_MD5 || 397 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_MD4 || 398 1.4 thorpej key_block->keytype == ETYPE_DES_CBC_CRC) { 399 1.4 thorpej Session_Key skey; 400 1.4 thorpej 401 1.4 thorpej skey.type = SK_DES; 402 1.4 thorpej skey.length = 8; 403 1.4 thorpej skey.data = key_block->keyvalue.data; 404 1.4 thorpej encrypt_session_key(&skey, 0); 405 1.4 thorpej } 406 1.4 thorpej } else { 407 1.4 thorpej char *msg; 408 1.4 thorpej 409 1.4 thorpej asprintf(&msg, "user `%s' is not authorized to " 410 1.4 thorpej "login as `%s'", 411 1.4 thorpej name ? name : "<unknown>", 412 1.4 thorpej UserNameRequested ? UserNameRequested : "<nobody>"); 413 1.4 thorpej if (msg == NULL) 414 1.4 thorpej Data(ap, KRB_REJECT, NULL, 0); 415 1.4 thorpej else { 416 1.4 thorpej Data(ap, KRB_REJECT, (void *) msg, -1); 417 1.4 thorpej free(msg); 418 1.4 thorpej } 419 1.4 thorpej auth_finished(ap, AUTH_REJECT); 420 1.4 thorpej krb5_free_keyblock_contents(telnet_context, key_block); 421 1.4 thorpej break; 422 1.1 cgd } 423 1.4 thorpej auth_finished(ap, AUTH_USER); 424 1.4 thorpej krb5_free_keyblock_contents(telnet_context, key_block); 425 1.4 thorpej 426 1.1 cgd break; 427 1.4 thorpej case KRB_FORWARD:{ 428 1.4 thorpej struct passwd *pwd; 429 1.4 thorpej char ccname[1024]; /* XXX */ 430 1.4 thorpej krb5_data inbuf; 431 1.4 thorpej krb5_ccache ccache; 432 1.4 thorpej inbuf.data = (char *) data; 433 1.4 thorpej inbuf.length = cnt; 434 1.4 thorpej 435 1.4 thorpej pwd = getpwnam(UserNameRequested); 436 1.4 thorpej if (pwd == NULL) 437 1.4 thorpej break; 438 1.1 cgd 439 1.4 thorpej snprintf(ccname, sizeof(ccname), 440 1.4 thorpej "FILE:/tmp/krb5cc_%u", pwd->pw_uid); 441 1.1 cgd 442 1.4 thorpej ret = krb5_cc_resolve(telnet_context, ccname, &ccache); 443 1.4 thorpej if (ret) { 444 1.4 thorpej if (auth_debug_mode) 445 1.4 thorpej printf("Kerberos V5: could not get ccache: %s\r\n", 446 1.4 thorpej krb5_get_err_text(telnet_context, 447 1.4 thorpej ret)); 448 1.4 thorpej break; 449 1.4 thorpej } 450 1.4 thorpej ret = krb5_cc_initialize(telnet_context, ccache, 451 1.4 thorpej ticket->client); 452 1.4 thorpej if (ret) { 453 1.4 thorpej if (auth_debug_mode) 454 1.4 thorpej printf("Kerberos V5: could not init ccache: %s\r\n", 455 1.4 thorpej krb5_get_err_text(telnet_context, 456 1.4 thorpej ret)); 457 1.1 cgd break; 458 1.4 thorpej } 459 1.7 assar ret = krb5_rd_cred2(telnet_context, auth_context, 460 1.4 thorpej ccache, &inbuf); 461 1.4 thorpej if (ret) { 462 1.4 thorpej char *errbuf; 463 1.4 thorpej 464 1.4 thorpej asprintf(&errbuf, 465 1.4 thorpej "Read forwarded creds failed: %s", 466 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 467 1.4 thorpej if (errbuf == NULL) 468 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, NULL, 0); 469 1.4 thorpej else 470 1.4 thorpej Data(ap, KRB_FORWARD_REJECT, errbuf, -1); 471 1.4 thorpej if (auth_debug_mode) 472 1.4 thorpej printf("Could not read forwarded credentials: %s\r\n", 473 1.4 thorpej errbuf); 474 1.4 thorpej free(errbuf); 475 1.4 thorpej } else 476 1.4 thorpej Data(ap, KRB_FORWARD_ACCEPT, 0, 0); 477 1.4 thorpej chown(ccname + 5, pwd->pw_uid, -1); 478 1.4 thorpej if (auth_debug_mode) 479 1.4 thorpej printf("Forwarded credentials obtained\r\n"); 480 1.4 thorpej break; 481 1.1 cgd } 482 1.1 cgd default: 483 1.1 cgd if (auth_debug_mode) 484 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 485 1.1 cgd Data(ap, KRB_REJECT, 0, 0); 486 1.1 cgd break; 487 1.1 cgd } 488 1.1 cgd } 489 1.1 cgd 490 1.4 thorpej void 491 1.4 thorpej kerberos5_reply(Authenticator * ap, unsigned char *data, int cnt) 492 1.1 cgd { 493 1.4 thorpej static int mutual_complete = 0; 494 1.1 cgd 495 1.1 cgd if (cnt-- < 1) 496 1.1 cgd return; 497 1.1 cgd switch (*data++) { 498 1.1 cgd case KRB_REJECT: 499 1.1 cgd if (cnt > 0) { 500 1.1 cgd printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n", 501 1.4 thorpej cnt, data); 502 1.1 cgd } else 503 1.1 cgd printf("[ Kerberos V5 refuses authentication ]\r\n"); 504 1.1 cgd auth_send_retry(); 505 1.1 cgd return; 506 1.4 thorpej case KRB_ACCEPT:{ 507 1.4 thorpej krb5_error_code ret; 508 1.4 thorpej Session_Key skey; 509 1.4 thorpej krb5_keyblock *keyblock; 510 1.4 thorpej 511 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && 512 1.4 thorpej !mutual_complete) { 513 1.4 thorpej printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n"); 514 1.4 thorpej auth_send_retry(); 515 1.4 thorpej return; 516 1.4 thorpej } 517 1.4 thorpej if (cnt) 518 1.4 thorpej printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data); 519 1.4 thorpej else 520 1.4 thorpej printf("[ Kerberos V5 accepts you ]\r\n"); 521 1.4 thorpej 522 1.4 thorpej ret = krb5_auth_con_getlocalsubkey(telnet_context, 523 1.4 thorpej auth_context, &keyblock); 524 1.4 thorpej if (ret) 525 1.4 thorpej ret = krb5_auth_con_getkey(telnet_context, 526 1.4 thorpej auth_context, &keyblock); 527 1.4 thorpej if (ret) { 528 1.4 thorpej printf("[ krb5_auth_con_getkey: %s ]\r\n", 529 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 530 1.4 thorpej auth_send_retry(); 531 1.4 thorpej return; 532 1.4 thorpej } 533 1.1 cgd skey.type = SK_DES; 534 1.1 cgd skey.length = 8; 535 1.4 thorpej skey.data = keyblock->keyvalue.data; 536 1.1 cgd encrypt_session_key(&skey, 0); 537 1.4 thorpej krb5_free_keyblock_contents(telnet_context, keyblock); 538 1.4 thorpej auth_finished(ap, AUTH_USER); 539 1.4 thorpej if (forward_flags & OPTS_FORWARD_CREDS) 540 1.4 thorpej kerberos5_forward(ap); 541 1.4 thorpej break; 542 1.1 cgd } 543 1.1 cgd case KRB_RESPONSE: 544 1.4 thorpej if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { 545 1.4 thorpej /* the rest of the reply should contain a krb_ap_rep */ 546 1.4 thorpej krb5_ap_rep_enc_part *reply; 547 1.4 thorpej krb5_data inbuf; 548 1.4 thorpej krb5_error_code ret; 549 1.4 thorpej 550 1.4 thorpej inbuf.length = cnt; 551 1.4 thorpej inbuf.data = (char *) data; 552 1.4 thorpej 553 1.4 thorpej ret = krb5_rd_rep(telnet_context, 554 1.4 thorpej auth_context, &inbuf, &reply); 555 1.4 thorpej if (ret) { 556 1.4 thorpej printf("[ Mutual authentication failed: %s ]\r\n", 557 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 558 1.4 thorpej auth_send_retry(); 559 1.4 thorpej return; 560 1.4 thorpej } 561 1.4 thorpej krb5_free_ap_rep_enc_part(telnet_context, reply); 562 1.4 thorpej mutual_complete = 1; 563 1.1 cgd } 564 1.4 thorpej return; 565 1.4 thorpej case KRB_FORWARD_ACCEPT: 566 1.4 thorpej printf("[ Kerberos V5 accepted forwarded credentials ]\r\n"); 567 1.4 thorpej return; 568 1.4 thorpej case KRB_FORWARD_REJECT: 569 1.4 thorpej printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n", 570 1.4 thorpej cnt, data); 571 1.4 thorpej return; 572 1.1 cgd default: 573 1.1 cgd if (auth_debug_mode) 574 1.1 cgd printf("Unknown Kerberos option %d\r\n", data[-1]); 575 1.1 cgd return; 576 1.1 cgd } 577 1.1 cgd } 578 1.1 cgd 579 1.4 thorpej int 580 1.4 thorpej kerberos5_status(Authenticator *ap, char *name, int level) 581 1.1 cgd { 582 1.1 cgd if (level < AUTH_USER) 583 1.4 thorpej return (level); 584 1.1 cgd 585 1.1 cgd if (UserNameRequested && 586 1.4 thorpej krb5_kuserok(telnet_context, ticket->client, UserNameRequested)) { 587 1.1 cgd strcpy(name, UserNameRequested); 588 1.4 thorpej return (AUTH_VALID); 589 1.1 cgd } else 590 1.4 thorpej return (AUTH_USER); 591 1.1 cgd } 592 1.1 cgd #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 593 1.4 thorpej #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 594 1.1 cgd 595 1.4 thorpej void 596 1.4 thorpej kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 597 1.1 cgd { 598 1.4 thorpej int i; 599 1.1 cgd 600 1.4 thorpej buf[buflen - 1] = '\0'; /* make sure its NULL terminated */ 601 1.1 cgd buflen -= 1; 602 1.1 cgd 603 1.4 thorpej switch (data[3]) { 604 1.4 thorpej case KRB_REJECT: /* Rejected (reason might follow) */ 605 1.4 thorpej strlcpy((char *) buf, " REJECT ", buflen); 606 1.1 cgd goto common; 607 1.1 cgd 608 1.4 thorpej case KRB_ACCEPT: /* Accepted (name might follow) */ 609 1.4 thorpej strlcpy((char *) buf, " ACCEPT ", buflen); 610 1.4 thorpej common: 611 1.1 cgd BUMP(buf, buflen); 612 1.1 cgd if (cnt <= 4) 613 1.1 cgd break; 614 1.1 cgd ADDC(buf, buflen, '"'); 615 1.1 cgd for (i = 4; i < cnt; i++) 616 1.1 cgd ADDC(buf, buflen, data[i]); 617 1.1 cgd ADDC(buf, buflen, '"'); 618 1.1 cgd ADDC(buf, buflen, '\0'); 619 1.1 cgd break; 620 1.1 cgd 621 1.4 thorpej 622 1.4 thorpej case KRB_AUTH: /* Authentication data follows */ 623 1.4 thorpej strlcpy((char *) buf, " AUTH", buflen); 624 1.4 thorpej goto common2; 625 1.4 thorpej 626 1.4 thorpej case KRB_RESPONSE: 627 1.4 thorpej strlcpy((char *) buf, " RESPONSE", buflen); 628 1.1 cgd goto common2; 629 1.1 cgd 630 1.4 thorpej case KRB_FORWARD: /* Forwarded credentials follow */ 631 1.4 thorpej strlcpy((char *) buf, " FORWARD", buflen); 632 1.1 cgd goto common2; 633 1.1 cgd 634 1.4 thorpej case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */ 635 1.4 thorpej strlcpy((char *) buf, " FORWARD_ACCEPT", buflen); 636 1.4 thorpej goto common2; 637 1.4 thorpej 638 1.4 thorpej case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */ 639 1.4 thorpej /* (reason might follow) */ 640 1.4 thorpej strlcpy((char *) buf, " FORWARD_REJECT", buflen); 641 1.1 cgd goto common2; 642 1.1 cgd 643 1.1 cgd default: 644 1.4 thorpej snprintf(buf, buflen, " %d (unknown)", data[3]); 645 1.4 thorpej common2: 646 1.1 cgd BUMP(buf, buflen); 647 1.1 cgd for (i = 4; i < cnt; i++) { 648 1.4 thorpej snprintf(buf, buflen, " %d", data[i]); 649 1.1 cgd BUMP(buf, buflen); 650 1.1 cgd } 651 1.1 cgd break; 652 1.1 cgd } 653 1.1 cgd } 654 1.4 thorpej 655 1.4 thorpej void 656 1.4 thorpej kerberos5_forward(Authenticator * ap) 657 1.4 thorpej { 658 1.4 thorpej krb5_error_code ret; 659 1.4 thorpej krb5_ccache ccache; 660 1.4 thorpej krb5_creds creds; 661 1.4 thorpej krb5_kdc_flags flags; 662 1.4 thorpej krb5_data out_data; 663 1.4 thorpej krb5_principal principal; 664 1.4 thorpej 665 1.4 thorpej ret = krb5_cc_default(telnet_context, &ccache); 666 1.4 thorpej if (ret) { 667 1.4 thorpej if (auth_debug_mode) 668 1.4 thorpej printf("KerberosV5: could not get default ccache: %s\r\n", 669 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 670 1.4 thorpej return; 671 1.4 thorpej } 672 1.4 thorpej ret = krb5_cc_get_principal(telnet_context, ccache, &principal); 673 1.4 thorpej if (ret) { 674 1.4 thorpej if (auth_debug_mode) 675 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 676 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 677 1.4 thorpej return; 678 1.4 thorpej } 679 1.4 thorpej memset(&creds, 0, sizeof(creds)); 680 1.4 thorpej 681 1.4 thorpej creds.client = principal; 682 1.4 thorpej 683 1.4 thorpej ret = krb5_build_principal(telnet_context, &creds.server, 684 1.4 thorpej strlen(principal->realm), principal->realm, "krbtgt", 685 1.4 thorpej principal->realm, NULL); 686 1.4 thorpej 687 1.4 thorpej if (ret) { 688 1.4 thorpej if (auth_debug_mode) 689 1.4 thorpej printf("KerberosV5: could not get principal: %s\r\n", 690 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 691 1.4 thorpej return; 692 1.4 thorpej } 693 1.4 thorpej creds.times.endtime = 0; 694 1.4 thorpej 695 1.4 thorpej flags.i = 0; 696 1.4 thorpej flags.b.forwarded = 1; 697 1.4 thorpej if (forward_flags & OPTS_FORWARDABLE_CREDS) 698 1.4 thorpej flags.b.forwardable = 1; 699 1.4 thorpej 700 1.4 thorpej ret = krb5_get_forwarded_creds(telnet_context, auth_context, 701 1.4 thorpej ccache, flags.i, RemoteHostName, &creds, &out_data); 702 1.4 thorpej if (ret) { 703 1.4 thorpej if (auth_debug_mode) 704 1.4 thorpej printf("Kerberos V5: error getting forwarded creds: %s\r\n", 705 1.4 thorpej krb5_get_err_text(telnet_context, ret)); 706 1.4 thorpej return; 707 1.4 thorpej } 708 1.4 thorpej if (!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) { 709 1.4 thorpej if (auth_debug_mode) 710 1.4 thorpej printf("Not enough room for authentication data\r\n"); 711 1.4 thorpej } else { 712 1.4 thorpej if (auth_debug_mode) 713 1.4 thorpej printf("Forwarded local Kerberos V5 credentials to server\r\n"); 714 1.4 thorpej } 715 1.4 thorpej } 716 1.4 thorpej #endif /* KRB5 */ 717
Indexes created Tue Sep 23 20:09:58 GMT 2025