k5login.c revision 1.1
1 /*- 2 * Copyright (c) 1990 The Regents of the University of California. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #ifndef lint 35 /*static char sccsid[] = "from: @(#)klogin.c 5.11 (Berkeley) 7/12/92";*/ 36 static char rcsid[] = "$Id: k5login.c,v 1.1 1994/07/25 21:11:09 brezak Exp $"; 37 #endif /* not lint */ 38 39 #ifdef KERBEROS5 40 #include <sys/param.h> 41 #include <sys/syslog.h> 42 #include <com_err.h> 43 #include <krb5/krb5.h> 44 #include <krb5/ext-proto.h> 45 #include <krb5/los-proto.h> 46 #include <pwd.h> 47 #include <netdb.h> 48 #include <stdio.h> 49 #include <string.h> 50 #include <unistd.h> 51 52 #define KRB5_DEFAULT_OPTIONS 0 53 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 54 55 krb5_data tgtname = { 56 KRB5_TGS_NAME_SIZE, 57 KRB5_TGS_NAME 58 }; 59 60 /* 61 * Try no preauthentication first; then try the encrypted timestamp 62 */ 63 int preauth_search_list[] = { 64 0, 65 KRB5_PADATA_ENC_TIMESTAMP, 66 -1 67 }; 68 69 extern int notickets; 70 extern char *krbtkfile_env; 71 extern char *tty; 72 73 static char tkt_location[MAXPATHLEN]; 74 75 /* 76 * Attempt to log the user in using Kerberos authentication 77 * 78 * return 0 on success (will be logged in) 79 * 1 if Kerberos failed (try local password in login) 80 */ 81 int 82 klogin(pw, instance, localhost, password) 83 struct passwd *pw; 84 char *instance, *localhost, *password; 85 { 86 krb5_error_code kerror; 87 krb5_address **my_addresses; 88 krb5_principal me, server; 89 krb5_creds my_creds; 90 krb5_timestamp now; 91 krb5_ccache ccache = NULL; 92 int preauth_type = -1; 93 long lifetime = KRB5_DEFAULT_LIFE; 94 int options = KRB5_DEFAULT_OPTIONS; 95 int i; 96 char *realm, *client_name; 97 char *principal; 98 99 #ifdef SKEY 100 /* 101 * We don't do s/key challenge and Kerberos at the same time 102 */ 103 if (strcasecmp(password, "s/key") == 0) { 104 return (1); 105 } 106 #endif 107 108 krb5_init_ets(); 109 110 /* 111 * Root logins don't use Kerberos. 112 * If we have a realm, try getting a ticket-granting ticket 113 * and using it to authenticate. Otherwise, return 114 * failure so that we can try the normal passwd file 115 * for a password. If that's ok, log the user in 116 * without issuing any tickets. 117 */ 118 if (strcmp(pw->pw_name, "root") == 0 || 119 krb5_get_default_realm(&realm)) 120 return (1); 121 122 /* 123 * get TGT for local realm 124 * tickets are stored in a file named TKT_ROOT plus uid 125 * except for user.root tickets. 126 */ 127 128 if (strcmp(instance, "root") != 0) 129 (void)sprintf(tkt_location, "FILE:/tmp/krb5cc_%d.%s", 130 pw->pw_uid, tty); 131 else 132 (void)sprintf(tkt_location, "FILE:/tmp/krb5cc_root_%d.%s", 133 pw->pw_uid, tty); 134 krbtkfile_env = tkt_location; 135 136 principal = malloc(strlen(pw->pw_name)+strlen(instance)+2); 137 strcpy(principal, pw->pw_name); 138 if (strlen(instance)) { 139 strcat(principal, "/"); 140 strcat(principal, instance); 141 } 142 143 if (kerror = krb5_cc_resolve(tkt_location, &ccache)) { 144 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 145 error_message(kerror)); 146 return(1); 147 } 148 149 if (kerror = krb5_parse_name(principal, &me)) { 150 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 151 error_message(kerror), principal); 152 return(1); 153 } 154 155 if (kerror = krb5_unparse_name(me, &client_name)) { 156 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 157 error_message(kerror), principal); 158 return(1); 159 } 160 161 kerror = krb5_cc_initialize (ccache, me); 162 if (kerror != 0) { 163 syslog(LOG_NOTICE, "%s when initializing cache %s", 164 error_message(kerror), tkt_location); 165 return(1); 166 } 167 168 memset((char *)&my_creds, 0, sizeof(my_creds)); 169 170 my_creds.client = me; 171 172 if (kerror = krb5_build_principal_ext(&server, 173 krb5_princ_realm(me)->length, 174 krb5_princ_realm(me)->data, 175 tgtname.length, tgtname.data, 176 krb5_princ_realm(me)->length, 177 krb5_princ_realm(me)->data, 178 0)) { 179 syslog(LOG_NOTICE, "%s while building server name", 180 error_message(kerror)); 181 return(1); 182 } 183 184 my_creds.server = server; 185 186 kerror = krb5_os_localaddr(&my_addresses); 187 if (kerror != 0) { 188 syslog(LOG_NOTICE, "%s when getting my address", 189 error_message(kerror)); 190 return(1); 191 } 192 193 if (kerror = krb5_timeofday(&now)) { 194 syslog(LOG_NOTICE, "%s while getting time of day", 195 error_message(kerror)); 196 return(1); 197 } 198 my_creds.times.starttime = 0; /* start timer when request 199 gets to KDC */ 200 my_creds.times.endtime = now + lifetime; 201 my_creds.times.renew_till = 0; 202 203 for (i=0; preauth_search_list[i] >= 0; i++) { 204 kerror = krb5_get_in_tkt_with_password(options, my_addresses, 205 preauth_search_list[i], 206 ETYPE_DES_CBC_CRC, 207 KEYTYPE_DES, 208 password, 209 ccache, 210 &my_creds, 0); 211 if (kerror != KRB5KDC_PREAUTH_FAILED && 212 kerror != KRB5KRB_ERR_GENERIC) 213 break; 214 } 215 216 krb5_free_principal(server); 217 krb5_free_addresses(my_addresses); 218 219 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 220 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 221 222 if (kerror) { 223 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 224 printf("%s: Kerberos Password incorrect\n", principal); 225 else 226 printf("%s while getting initial credentials\n", error_message(kerror)); 227 228 return(1); 229 } 230 231 /* Success */ 232 notickets = 0; 233 return(0); 234 } 235 236 /* 237 * Remove any credentials 238 */ 239 void 240 kdestroy() 241 { 242 krb5_error_code code; 243 krb5_ccache ccache = NULL; 244 245 if (krbtkfile_env == NULL) 246 return; 247 248 code = krb5_cc_resolve(krbtkfile_env, &ccache); 249 if (!code) { 250 code = krb5_cc_destroy(ccache); 251 if (!code) { 252 krb5_cc_close(ccache); 253 } 254 } 255 } 256 #endif 257
Indexes created Fri Sep 26 08:10:20 GMT 2025