k5login.c revision 1.14
1 /* $NetBSD: k5login.c,v 1.14 2000/08/09 17:44:18 thorpej Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.14 2000/08/09 17:44:18 thorpej Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <krb5/krb5.h> 48 #include <com_err.h> 49 #include <pwd.h> 50 #include <netdb.h> 51 #include <stdio.h> 52 #include <stdlib.h> 53 #include <string.h> 54 #include <unistd.h> 55 56 #define KRB5_DEFAULT_OPTIONS 0 57 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 58 59 krb5_context kcontext; 60 61 int notickets; 62 int krb5_configured; 63 char *krb5tkfile_env; 64 extern char *tty; 65 extern int login_krb5_forwardable_tgt; 66 extern int has_ccache; 67 68 static char tkt_location[MAXPATHLEN]; 69 static krb5_creds forw_creds; 70 int have_forward; 71 static krb5_principal me, server; 72 73 int k5_read_creds __P((char *)); 74 int k5_write_creds __P((void)); 75 int k5login __P((struct passwd *, char *, char *, char *)); 76 void k5destroy __P((void)); 77 78 #ifndef krb5_realm_length 79 #define krb5_realm_length(r) ((r).length) 80 #endif 81 #ifndef krb5_realm_data 82 #define krb5_realm_data(r) ((r).data) 83 #endif 84 85 /* 86 * Attempt to read forwarded kerberos creds 87 * 88 * return 0 on success (forwarded creds in memory) 89 * 1 if no forwarded creds. 90 */ 91 int 92 k5_read_creds(username) 93 char *username; 94 { 95 krb5_error_code code; 96 krb5_creds mcreds; 97 krb5_ccache ccache; 98 99 have_forward = 0; 100 memset((char*) &mcreds, 0, sizeof(forw_creds)); 101 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 102 103 code = krb5_cc_default(kcontext, &ccache); 104 if (code) { 105 com_err("login", code, "while getting default ccache"); 106 return(1); 107 } 108 109 code = krb5_parse_name(kcontext, username, &me); 110 if (code) { 111 com_err("login", code, "when parsing name %s", username); 112 return(1); 113 } 114 115 mcreds.client = me; 116 code = krb5_build_principal_ext(kcontext, &mcreds.server, 117 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 118 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 119 KRB5_TGS_NAME_SIZE, 120 KRB5_TGS_NAME, 121 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 122 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 123 0); 124 if (code) { 125 com_err("login", code, "while building server name"); 126 goto nuke_ccache; 127 } 128 129 code = krb5_cc_retrieve_cred(kcontext, ccache, 0, 130 &mcreds, &forw_creds); 131 if (code) { 132 com_err("login", code, "while retrieving V5 initial ticket for copy"); 133 goto nuke_ccache; 134 } 135 have_forward = 1; 136 137 strcpy(tkt_location, getenv("KRB5CCNAME")); 138 krb5tkfile_env = tkt_location; 139 has_ccache = 1; 140 notickets = 0; 141 142 nuke_ccache: 143 krb5_cc_destroy(kcontext, ccache); 144 return(!have_forward); 145 } 146 147 int 148 k5_write_creds() 149 { 150 krb5_error_code code; 151 krb5_ccache ccache; 152 153 if (!have_forward) 154 return(1); 155 code = krb5_cc_default(kcontext, &ccache); 156 if (code) { 157 com_err("login", code, "while getting default ccache"); 158 return(1); 159 } 160 161 code = krb5_cc_initialize(kcontext, ccache, me); 162 if (code) { 163 com_err("login", code, "while re-initializing V5 ccache as user"); 164 goto nuke_ccache_contents; 165 } 166 167 code = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 168 if (code) { 169 com_err("login", code, "while re-storing V5 ccache as user"); 170 goto nuke_ccache_contents; 171 } 172 173 nuke_ccache_contents: 174 krb5_free_cred_contents(kcontext, &forw_creds); 175 return(code != 0); 176 } 177 178 /* 179 * Attempt to log the user in using Kerberos authentication 180 * 181 * return 0 on success (will be logged in) 182 * 1 if Kerberos failed (try local password in login) 183 */ 184 int 185 k5login(pw, instance, localhost, password) 186 struct passwd *pw; 187 char *instance, *localhost, *password; 188 { 189 krb5_error_code kerror; 190 krb5_creds my_creds; 191 krb5_timestamp now; 192 krb5_ccache ccache = NULL; 193 long lifetime = KRB5_DEFAULT_LIFE; 194 int options = KRB5_DEFAULT_OPTIONS; 195 char *realm, *client_name; 196 char *principal; 197 198 krb5_configured = 1; 199 200 if (login_krb5_forwardable_tgt) 201 options |= KDC_OPT_FORWARDABLE; 202 203 /* 204 * Root logins don't use Kerberos. 205 * If we have a realm, try getting a ticket-granting ticket 206 * and using it to authenticate. Otherwise, return 207 * failure so that we can try the normal passwd file 208 * for a password. If that's ok, log the user in 209 * without issuing any tickets. 210 */ 211 if (strcmp(pw->pw_name, "root") == 0 || 212 krb5_get_default_realm(kcontext, &realm)) { 213 krb5_configured = 0; 214 return (1); 215 } 216 217 /* 218 * get TGT for local realm 219 * tickets are stored in a file named TKT_ROOT plus uid 220 * except for user.root tickets. 221 */ 222 223 if (strcmp(instance, "root") != 0) 224 (void)snprintf(tkt_location, sizeof tkt_location, 225 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 226 else 227 (void)snprintf(tkt_location, sizeof tkt_location, 228 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 229 krb5tkfile_env = tkt_location; 230 has_ccache = 1; 231 232 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 233 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 234 if (strlen(instance)) { 235 strcat(principal, "/"); /* XXX strcat is safe */ 236 strcat(principal, instance); /* XXX strcat is safe */ 237 } 238 239 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 240 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 241 error_message(kerror)); 242 return(1); 243 } 244 245 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 246 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 247 error_message(kerror), principal); 248 return(1); 249 } 250 251 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 252 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 253 error_message(kerror), principal); 254 return(1); 255 } 256 257 kerror = krb5_cc_initialize(kcontext, ccache, me); 258 if (kerror != 0) { 259 syslog(LOG_NOTICE, "%s when initializing cache %s", 260 error_message(kerror), tkt_location); 261 return(1); 262 } 263 264 memset((char *)&my_creds, 0, sizeof(my_creds)); 265 266 my_creds.client = me; 267 268 if ((kerror = krb5_build_principal_ext(kcontext, 269 &server, 270 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 271 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 272 KRB5_TGS_NAME_SIZE, 273 KRB5_TGS_NAME, 274 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 275 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 276 0)) != 0) { 277 syslog(LOG_NOTICE, "%s while building server name", 278 error_message(kerror)); 279 return(1); 280 } 281 282 my_creds.server = server; 283 284 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 285 syslog(LOG_NOTICE, "%s while getting time of day", 286 error_message(kerror)); 287 return(1); 288 } 289 my_creds.times.starttime = 0; /* start timer when request 290 gets to KDC */ 291 my_creds.times.endtime = now + lifetime; 292 my_creds.times.renew_till = 0; 293 294 kerror = krb5_get_in_tkt_with_password(kcontext, options, 295 NULL, 296 NULL, 297 NULL, 298 password, 299 ccache, 300 &my_creds, 0); 301 302 if (my_creds.server != NULL) 303 krb5_free_principal(kcontext, my_creds.server); 304 305 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 306 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 307 308 if (kerror) { 309 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 310 printf("%s: Kerberos Password incorrect\n", principal); 311 else 312 printf("%s while getting initial credentials\n", error_message(kerror)); 313 314 return(1); 315 } 316 317 /* Success */ 318 notickets = 0; 319 return(0); 320 } 321 322 /* 323 * Remove any credentials 324 */ 325 void 326 k5destroy() 327 { 328 krb5_error_code code; 329 krb5_ccache ccache = NULL; 330 331 if (krb5tkfile_env == NULL) 332 return; 333 334 code = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache); 335 if (!code) 336 code = krb5_cc_destroy(kcontext, ccache); 337 } 338 #endif 339
Indexes created Wed Sep 24 05:09:52 GMT 2025