k5login.c revision 1.16
1 /* $NetBSD: k5login.c,v 1.16 2000/10/28 03:51:26 aidan Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 /* 37 * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. 38 * All rights reserved. 39 * 40 * Redistribution and use in source and binary forms are permitted 41 * provided that the above copyright notice and this paragraph are 42 * duplicated in all such forms and that any documentation, 43 * advertising materials, and other materials related to such 44 * distribution and use acknowledge that the software was developed 45 * by the University of California, Berkeley. The name of the 46 * University may not be used to endorse or promote products derived 47 * from this software without specific prior written permission. 48 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 49 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 50 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 51 */ 52 53 #include <sys/cdefs.h> 54 #ifndef lint 55 #if 0 56 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 57 #endif 58 __RCSID("$NetBSD: k5login.c,v 1.16 2000/10/28 03:51:26 aidan Exp $"); 59 #endif /* not lint */ 60 61 #ifdef KERBEROS5 62 #include <sys/param.h> 63 #include <sys/syslog.h> 64 #include <krb5/krb5.h> 65 #include <com_err.h> 66 #include <pwd.h> 67 #include <netdb.h> 68 #include <stdio.h> 69 #include <stdlib.h> 70 #include <string.h> 71 #include <unistd.h> 72 #include <errno.h> 73 74 #define KRB5_DEFAULT_OPTIONS 0 75 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 76 77 krb5_context kcontext; 78 79 int notickets; 80 int krb5_configured; 81 char *krb5tkfile_env; 82 extern char *tty; 83 extern int login_krb5_forwardable_tgt; 84 extern int has_ccache; 85 86 static char tkt_location[MAXPATHLEN]; 87 static krb5_creds forw_creds; 88 int have_forward; 89 static krb5_principal me, server; 90 91 int k5_read_creds __P((char *)); 92 int k5_write_creds __P((void)); 93 int k5_verify_creds __P((krb5_context, krb5_ccache)); 94 int k5login __P((struct passwd *, char *, char *, char *)); 95 void k5destroy __P((void)); 96 97 #ifndef krb5_realm_length 98 #define krb5_realm_length(r) ((r).length) 99 #endif 100 #ifndef krb5_realm_data 101 #define krb5_realm_data(r) ((r).data) 102 #endif 103 104 /* 105 * Verify the Kerberos ticket-granting ticket just retrieved for the 106 * user. If the Kerberos server doesn't respond, assume the user is 107 * trying to fake us out (since we DID just get a TGT from what is 108 * supposedly our KDC). If the host/<host> service is unknown (i.e., 109 * the local keytab doesn't have it), let her in. 110 * 111 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. 112 */ 113 int 114 k5_verify_creds(c, ccache) 115 krb5_context c; 116 krb5_ccache ccache; 117 { 118 char phost[MAXHOSTNAMELEN]; 119 int retval, have_keys; 120 krb5_principal princ; 121 krb5_keyblock *kb = 0; 122 krb5_error_code kerror; 123 krb5_data packet; 124 krb5_auth_context auth_context = NULL; 125 krb5_ticket *ticket = NULL; 126 127 kerror = krb5_sname_to_principal(c, 0, 0, KRB5_NT_SRV_HST, &princ); 128 if (kerror) { 129 com_err("login", kerror, "constructing local service name"); 130 return (-1); 131 } 132 133 /* Do we have host/<host> keys? */ 134 /* (use default keytab, kvno IGNORE_VNO to get the first match, 135 * and default enctype.) */ 136 kerror = krb5_kt_read_service_key(c, NULL, princ, 0, 0, &kb); 137 if (kb) 138 krb5_free_keyblock(c, kb); 139 /* any failure means we don't have keys at all. */ 140 have_keys = kerror ? 0 : 1; 141 142 /* XXX there should be a krb5 function like mk_req, but taking a full 143 * principal, instead of a service/hostname. (Did I miss one?) */ 144 gethostname(phost, sizeof(phost)); 145 phost[sizeof(phost) - 1] = '\0'; 146 147 /* talk to the kdc and construct the ticket */ 148 kerror = krb5_mk_req(c, &auth_context, 0, "host", phost, 149 0, ccache, &packet); 150 /* wipe the auth context for rd_req */ 151 if (auth_context) { 152 krb5_auth_con_free(c, auth_context); 153 auth_context = NULL; 154 } 155 if (kerror == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { 156 /* we have a service key, so something should be 157 * in the database, therefore this error packet could 158 * have come from an attacker. */ 159 if (have_keys) { 160 retval = -1; 161 goto EGRESS; 162 } 163 /* but if it is unknown and we've got no key, we don't 164 * have any security anyhow, so it is ok. */ 165 else { 166 retval = 0; 167 goto EGRESS; 168 } 169 } 170 else if (kerror) { 171 com_err("login", kerror, 172 "Unable to verify Kerberos V5 TGT: %s", phost); 173 syslog(LOG_NOTICE|LOG_AUTH, "Kerberos V5 TGT bad: %s", 174 krb5_get_err_text(kcontext, kerror)); 175 retval = -1; 176 goto EGRESS; 177 } 178 /* got ticket, try to use it */ 179 kerror = krb5_rd_req(c, &auth_context, &packet, 180 princ, NULL, NULL, &ticket); 181 if (kerror) { 182 if (!have_keys) { 183 /* The krb5 errors aren't specified well, but I think 184 * these values cover the cases we expect. */ 185 switch (kerror) { 186 case ENOENT: /* no keytab */ 187 case KRB5_KT_NOTFOUND: 188 retval = 0; 189 break; 190 default: 191 /* unexpected error: fail */ 192 retval = -1; 193 break; 194 } 195 } 196 else { 197 /* we have keys, so if we got any error, we could be 198 * under attack. */ 199 retval = -1; 200 } 201 com_err("login", kerror, "Unable to verify host ticket"); 202 syslog(LOG_NOTICE|LOG_AUTH, "can't verify v5 ticket: %s; %s\n", 203 krb5_get_err_text(kcontext, kerror), 204 retval 205 ? "keytab found, assuming failure" 206 : "no keytab found, assuming success"); 207 goto EGRESS; 208 } 209 /* 210 * The host/<host> ticket has been received _and_ verified. 211 */ 212 retval = 1; 213 214 /* do cleanup and return */ 215 EGRESS: 216 if (auth_context) 217 krb5_auth_con_free(c, auth_context); 218 krb5_free_principal(c, princ); 219 /* possibly ticket and packet need freeing here as well */ 220 return (retval); 221 } 222 223 /* 224 * Attempt to read forwarded kerberos creds 225 * 226 * return 0 on success (forwarded creds in memory) 227 * 1 if no forwarded creds. 228 */ 229 int 230 k5_read_creds(username) 231 char *username; 232 { 233 krb5_error_code code; 234 krb5_creds mcreds; 235 krb5_ccache ccache; 236 237 have_forward = 0; 238 memset((char*) &mcreds, 0, sizeof(forw_creds)); 239 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 240 241 code = krb5_cc_default(kcontext, &ccache); 242 if (code) { 243 com_err("login", code, "while getting default ccache"); 244 return(1); 245 } 246 247 code = krb5_parse_name(kcontext, username, &me); 248 if (code) { 249 com_err("login", code, "when parsing name %s", username); 250 return(1); 251 } 252 253 mcreds.client = me; 254 code = krb5_build_principal_ext(kcontext, &mcreds.server, 255 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 256 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 257 KRB5_TGS_NAME_SIZE, 258 KRB5_TGS_NAME, 259 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 260 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 261 0); 262 if (code) { 263 com_err("login", code, "while building server name"); 264 goto nuke_ccache; 265 } 266 267 code = krb5_cc_retrieve_cred(kcontext, ccache, 0, 268 &mcreds, &forw_creds); 269 if (code) { 270 com_err("login", code, "while retrieving V5 initial ticket for copy"); 271 goto nuke_ccache; 272 } 273 have_forward = 1; 274 275 strcpy(tkt_location, getenv("KRB5CCNAME")); 276 krb5tkfile_env = tkt_location; 277 has_ccache = 1; 278 notickets = 0; 279 280 nuke_ccache: 281 krb5_cc_destroy(kcontext, ccache); 282 return(!have_forward); 283 } 284 285 int 286 k5_write_creds() 287 { 288 krb5_error_code code; 289 krb5_ccache ccache; 290 291 if (!have_forward) 292 return(1); 293 code = krb5_cc_default(kcontext, &ccache); 294 if (code) { 295 com_err("login", code, "while getting default ccache"); 296 return(1); 297 } 298 299 code = krb5_cc_initialize(kcontext, ccache, me); 300 if (code) { 301 com_err("login", code, "while re-initializing V5 ccache as user"); 302 goto nuke_ccache_contents; 303 } 304 305 code = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 306 if (code) { 307 com_err("login", code, "while re-storing V5 ccache as user"); 308 goto nuke_ccache_contents; 309 } 310 311 nuke_ccache_contents: 312 krb5_free_cred_contents(kcontext, &forw_creds); 313 return(code != 0); 314 } 315 316 /* 317 * Attempt to log the user in using Kerberos authentication 318 * 319 * return 0 on success (will be logged in) 320 * 1 if Kerberos failed (try local password in login) 321 */ 322 int 323 k5login(pw, instance, localhost, password) 324 struct passwd *pw; 325 char *instance, *localhost, *password; 326 { 327 krb5_error_code kerror; 328 krb5_creds my_creds; 329 krb5_timestamp now; 330 krb5_ccache ccache = NULL; 331 long lifetime = KRB5_DEFAULT_LIFE; 332 int options = KRB5_DEFAULT_OPTIONS; 333 char *realm, *client_name; 334 char *principal; 335 336 krb5_configured = 1; 337 338 if (login_krb5_forwardable_tgt) 339 options |= KDC_OPT_FORWARDABLE; 340 341 /* 342 * Root logins don't use Kerberos. 343 * If we have a realm, try getting a ticket-granting ticket 344 * and using it to authenticate. Otherwise, return 345 * failure so that we can try the normal passwd file 346 * for a password. If that's ok, log the user in 347 * without issuing any tickets. 348 */ 349 if (strcmp(pw->pw_name, "root") == 0 || 350 krb5_get_default_realm(kcontext, &realm)) { 351 krb5_configured = 0; 352 return (1); 353 } 354 355 /* 356 * get TGT for local realm 357 * tickets are stored in a file named TKT_ROOT plus uid 358 * except for user.root tickets. 359 */ 360 361 if (strcmp(instance, "root") != 0) 362 (void)snprintf(tkt_location, sizeof tkt_location, 363 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 364 else 365 (void)snprintf(tkt_location, sizeof tkt_location, 366 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 367 krb5tkfile_env = tkt_location; 368 has_ccache = 1; 369 370 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 371 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 372 if (strlen(instance)) { 373 strcat(principal, "/"); /* XXX strcat is safe */ 374 strcat(principal, instance); /* XXX strcat is safe */ 375 } 376 377 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 378 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 379 krb5_get_err_text(kcontext, kerror)); 380 return(1); 381 } 382 383 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 384 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 385 krb5_get_err_text(kcontext, kerror), principal); 386 return(1); 387 } 388 389 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 390 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 391 krb5_get_err_text(kcontext, kerror), principal); 392 return(1); 393 } 394 395 kerror = krb5_cc_initialize(kcontext, ccache, me); 396 if (kerror != 0) { 397 syslog(LOG_NOTICE, "%s when initializing cache %s", 398 krb5_get_err_text(kcontext, kerror), tkt_location); 399 return(1); 400 } 401 402 memset((char *)&my_creds, 0, sizeof(my_creds)); 403 404 my_creds.client = me; 405 406 if ((kerror = krb5_build_principal_ext(kcontext, 407 &server, 408 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 409 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 410 KRB5_TGS_NAME_SIZE, 411 KRB5_TGS_NAME, 412 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 413 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 414 0)) != 0) { 415 syslog(LOG_NOTICE, "%s while building server name", 416 krb5_get_err_text(kcontext, kerror)); 417 return(1); 418 } 419 420 my_creds.server = server; 421 422 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 423 syslog(LOG_NOTICE, "%s while getting time of day", 424 krb5_get_err_text(kcontext, kerror)); 425 return(1); 426 } 427 my_creds.times.starttime = 0; /* start timer when request 428 gets to KDC */ 429 my_creds.times.endtime = now + lifetime; 430 my_creds.times.renew_till = 0; 431 432 kerror = krb5_get_in_tkt_with_password(kcontext, options, 433 NULL, 434 NULL, 435 NULL, 436 password, 437 ccache, 438 &my_creds, 0); 439 440 if (my_creds.server != NULL) 441 krb5_free_principal(kcontext, my_creds.server); 442 443 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 444 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 445 446 if (kerror) { 447 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 448 printf("%s: Kerberos Password incorrect\n", principal); 449 else 450 printf("%s while getting initial credentials\n", krb5_get_err_text(kcontext, kerror)); 451 452 return(1); 453 } 454 if (k5_verify_creds(kcontext, ccache) < 0) { 455 return(1); 456 } 457 458 459 /* Success */ 460 notickets = 0; 461 return(0); 462 } 463 464 /* 465 * Remove any credentials 466 */ 467 void 468 k5destroy() 469 { 470 krb5_error_code code; 471 krb5_ccache ccache = NULL; 472 473 if (krb5tkfile_env == NULL) 474 return; 475 476 code = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache); 477 if (!code) 478 code = krb5_cc_destroy(kcontext, ccache); 479 } 480 #endif 481
Indexes created Thu Sep 25 16:09:42 GMT 2025