k5login.c revision 1.11.2.1
1 /* $NetBSD: k5login.c,v 1.11.2.1 2000/06/23 16:30:34 minoura Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.11.2.1 2000/06/23 16:30:34 minoura Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <krb5/krb5.h> 48 #include <com_err.h> 49 #include <pwd.h> 50 #include <netdb.h> 51 #include <stdio.h> 52 #include <stdlib.h> 53 #include <string.h> 54 #include <unistd.h> 55 56 #define KRB5_DEFAULT_OPTIONS 0 57 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 58 59 krb5_context kcontext; 60 61 int notickets; 62 char *krb5tkfile_env; 63 extern char *tty; 64 extern int login_krb5_forwardable_tgt; 65 extern int has_ccache; 66 67 static char tkt_location[MAXPATHLEN]; 68 static krb5_creds forw_creds; 69 int have_forward; 70 static krb5_principal me, server; 71 72 int k5_read_creds __P((char *)); 73 int k5_write_creds __P((void)); 74 int k5login __P((struct passwd *, char *, char *, char *)); 75 void k5destroy __P((void)); 76 77 #ifndef krb5_realm_length 78 #define krb5_realm_length(r) ((r).length) 79 #endif 80 #ifndef krb5_realm_data 81 #define krb5_realm_data(r) ((r).data) 82 #endif 83 84 /* 85 * Attempt to read forwarded kerberos creds 86 * 87 * return 0 on success (forwarded creds in memory) 88 * 1 if no forwarded creds. 89 */ 90 int 91 k5_read_creds(username) 92 char *username; 93 { 94 krb5_error_code code; 95 krb5_creds mcreds; 96 krb5_ccache ccache; 97 98 have_forward = 0; 99 memset((char*) &mcreds, 0, sizeof(forw_creds)); 100 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 101 102 code = krb5_cc_default(kcontext, &ccache); 103 if (code) { 104 com_err("login", code, "while getting default ccache"); 105 return(1); 106 } 107 108 code = krb5_parse_name(kcontext, username, &me); 109 if (code) { 110 com_err("login", code, "when parsing name %s", username); 111 return(1); 112 } 113 114 mcreds.client = me; 115 code = krb5_build_principal_ext(kcontext, &mcreds.server, 116 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 117 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 118 KRB5_TGS_NAME_SIZE, 119 KRB5_TGS_NAME, 120 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 121 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 122 0); 123 if (code) { 124 com_err("login", code, "while building server name"); 125 goto nuke_ccache; 126 } 127 128 code = krb5_cc_retrieve_cred(kcontext, ccache, 0, 129 &mcreds, &forw_creds); 130 if (code) { 131 com_err("login", code, "while retrieving V5 initial ticket for copy"); 132 goto nuke_ccache; 133 } 134 have_forward = 1; 135 136 strcpy(tkt_location, getenv("KRB5CCNAME")); 137 krb5tkfile_env = tkt_location; 138 has_ccache = 1; 139 notickets = 0; 140 141 nuke_ccache: 142 krb5_cc_destroy(kcontext, ccache); 143 return(!have_forward); 144 } 145 146 int 147 k5_write_creds() 148 { 149 krb5_error_code code; 150 krb5_ccache ccache; 151 152 if (!have_forward) 153 return(1); 154 code = krb5_cc_default(kcontext, &ccache); 155 if (code) { 156 com_err("login", code, "while getting default ccache"); 157 return(1); 158 } 159 160 code = krb5_cc_initialize(kcontext, ccache, me); 161 if (code) { 162 com_err("login", code, "while re-initializing V5 ccache as user"); 163 goto nuke_ccache_contents; 164 } 165 166 code = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 167 if (code) { 168 com_err("login", code, "while re-storing V5 ccache as user"); 169 goto nuke_ccache_contents; 170 } 171 172 nuke_ccache_contents: 173 krb5_free_cred_contents(kcontext, &forw_creds); 174 return(code != 0); 175 } 176 177 /* 178 * Attempt to log the user in using Kerberos authentication 179 * 180 * return 0 on success (will be logged in) 181 * 1 if Kerberos failed (try local password in login) 182 */ 183 int 184 k5login(pw, instance, localhost, password) 185 struct passwd *pw; 186 char *instance, *localhost, *password; 187 { 188 krb5_error_code kerror; 189 krb5_creds my_creds; 190 krb5_timestamp now; 191 krb5_ccache ccache = NULL; 192 long lifetime = KRB5_DEFAULT_LIFE; 193 int options = KRB5_DEFAULT_OPTIONS; 194 char *realm, *client_name; 195 char *principal; 196 197 if (login_krb5_forwardable_tgt) 198 options |= KDC_OPT_FORWARDABLE; 199 200 /* 201 * Root logins don't use Kerberos. 202 * If we have a realm, try getting a ticket-granting ticket 203 * and using it to authenticate. Otherwise, return 204 * failure so that we can try the normal passwd file 205 * for a password. If that's ok, log the user in 206 * without issuing any tickets. 207 */ 208 if (strcmp(pw->pw_name, "root") == 0 || 209 krb5_get_default_realm(kcontext, &realm)) 210 return (1); 211 212 /* 213 * get TGT for local realm 214 * tickets are stored in a file named TKT_ROOT plus uid 215 * except for user.root tickets. 216 */ 217 218 if (strcmp(instance, "root") != 0) 219 (void)snprintf(tkt_location, sizeof tkt_location, 220 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 221 else 222 (void)snprintf(tkt_location, sizeof tkt_location, 223 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 224 krb5tkfile_env = tkt_location; 225 has_ccache = 1; 226 227 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 228 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 229 if (strlen(instance)) { 230 strcat(principal, "/"); /* XXX strcat is safe */ 231 strcat(principal, instance); /* XXX strcat is safe */ 232 } 233 234 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 235 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 236 error_message(kerror)); 237 return(1); 238 } 239 240 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 241 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 242 error_message(kerror), principal); 243 return(1); 244 } 245 246 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 247 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 248 error_message(kerror), principal); 249 return(1); 250 } 251 252 kerror = krb5_cc_initialize(kcontext, ccache, me); 253 if (kerror != 0) { 254 syslog(LOG_NOTICE, "%s when initializing cache %s", 255 error_message(kerror), tkt_location); 256 return(1); 257 } 258 259 memset((char *)&my_creds, 0, sizeof(my_creds)); 260 261 my_creds.client = me; 262 263 if ((kerror = krb5_build_principal_ext(kcontext, 264 &server, 265 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 266 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 267 KRB5_TGS_NAME_SIZE, 268 KRB5_TGS_NAME, 269 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 270 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 271 0)) != 0) { 272 syslog(LOG_NOTICE, "%s while building server name", 273 error_message(kerror)); 274 return(1); 275 } 276 277 my_creds.server = server; 278 279 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 280 syslog(LOG_NOTICE, "%s while getting time of day", 281 error_message(kerror)); 282 return(1); 283 } 284 my_creds.times.starttime = 0; /* start timer when request 285 gets to KDC */ 286 my_creds.times.endtime = now + lifetime; 287 my_creds.times.renew_till = 0; 288 289 kerror = krb5_get_in_tkt_with_password(kcontext, options, 290 NULL, 291 NULL, 292 NULL, 293 password, 294 ccache, 295 &my_creds, 0); 296 297 krb5_free_principal(kcontext, server); 298 299 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 300 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 301 302 if (kerror) { 303 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 304 printf("%s: Kerberos Password incorrect\n", principal); 305 else 306 printf("%s while getting initial credentials\n", error_message(kerror)); 307 308 return(1); 309 } 310 311 /* Success */ 312 notickets = 0; 313 return(0); 314 } 315 316 /* 317 * Remove any credentials 318 */ 319 void 320 k5destroy() 321 { 322 krb5_error_code code; 323 krb5_ccache ccache = NULL; 324 325 if (krb5tkfile_env == NULL) 326 return; 327 328 code = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache); 329 if (!code) 330 code = krb5_cc_destroy(kcontext, ccache); 331 } 332 #endif 333
Indexes created Mon Oct 27 08:10:08 GMT 2025