k5login.c revision 1.24
1 /* $NetBSD: k5login.c,v 1.24 2003/08/07 11:14:24 agc Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms are permitted 37 * provided that the above copyright notice and this paragraph are 38 * duplicated in all such forms and that any documentation, 39 * advertising materials, and other materials related to such 40 * distribution and use acknowledge that the software was developed 41 * by the University of California, Berkeley. The name of the 42 * University may not be used to endorse or promote products derived 43 * from this software without specific prior written permission. 44 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 45 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 46 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 47 */ 48 49 #include <sys/cdefs.h> 50 #ifndef lint 51 #if 0 52 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 53 #endif 54 __RCSID("$NetBSD: k5login.c,v 1.24 2003/08/07 11:14:24 agc Exp $"); 55 #endif /* not lint */ 56 57 #ifdef KERBEROS5 58 #include <sys/param.h> 59 #include <sys/syslog.h> 60 #include <krb5/krb5.h> 61 #include <kerberosIV/krb.h> 62 #include <pwd.h> 63 #include <netdb.h> 64 #include <stdio.h> 65 #include <stdlib.h> 66 #include <string.h> 67 #include <unistd.h> 68 #include <errno.h> 69 70 #define KRB5_DEFAULT_OPTIONS 0 71 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 72 73 krb5_context kcontext; 74 75 int notickets; 76 int krb5_configured; 77 char *krb5tkfile_env; 78 extern char *tty; 79 extern int login_krb5_forwardable_tgt; 80 extern int has_ccache; 81 82 static char tkt_location[MAXPATHLEN]; 83 #ifdef KERBEROS 84 char krb4tkfile[MAXPATHLEN]; 85 #endif 86 static krb5_creds forw_creds; 87 int have_forward; 88 static krb5_principal me, server; 89 90 int k5_read_creds(char *); 91 int k5_write_creds(void); 92 int k5_verify_creds(krb5_context, krb5_ccache); 93 int k5login(struct passwd *, char *, char *, char *); 94 void k5destroy(void); 95 96 #ifdef KERBEROS 97 static krb5_error_code 98 krb5_to4 (struct passwd *pw, krb5_context context, krb5_ccache id); 99 #endif 100 101 #ifndef krb5_realm_length 102 #define krb5_realm_length(r) ((r).length) 103 #endif 104 #ifndef krb5_realm_data 105 #define krb5_realm_data(r) ((r).data) 106 #endif 107 108 /* 109 * Verify the Kerberos ticket-granting ticket just retrieved for the 110 * user. If the Kerberos server doesn't respond, assume the user is 111 * trying to fake us out (since we DID just get a TGT from what is 112 * supposedly our KDC). If the host/<host> service is unknown (i.e., 113 * the local keytab doesn't have it), let her in. 114 * 115 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. 116 */ 117 int 118 k5_verify_creds(c, ccache) 119 krb5_context c; 120 krb5_ccache ccache; 121 { 122 char phost[MAXHOSTNAMELEN]; 123 int retval, have_keys; 124 krb5_principal princ; 125 krb5_keyblock *kb = 0; 126 krb5_error_code kerror; 127 krb5_data packet; 128 krb5_auth_context auth_context = NULL; 129 krb5_ticket *ticket = NULL; 130 131 kerror = krb5_sname_to_principal(c, 0, 0, KRB5_NT_SRV_HST, &princ); 132 if (kerror) { 133 krb5_warn(kcontext, kerror, "constructing local service name"); 134 return (-1); 135 } 136 137 /* Do we have host/<host> keys? */ 138 /* (use default keytab, kvno IGNORE_VNO to get the first match, 139 * and default enctype.) */ 140 kerror = krb5_kt_read_service_key(c, NULL, princ, 0, 0, &kb); 141 if (kb) 142 krb5_free_keyblock(c, kb); 143 /* any failure means we don't have keys at all. */ 144 have_keys = kerror ? 0 : 1; 145 146 /* XXX there should be a krb5 function like mk_req, but taking a full 147 * principal, instead of a service/hostname. (Did I miss one?) */ 148 gethostname(phost, sizeof(phost)); 149 phost[sizeof(phost) - 1] = '\0'; 150 151 /* talk to the kdc and construct the ticket */ 152 kerror = krb5_mk_req(c, &auth_context, 0, "host", phost, 153 0, ccache, &packet); 154 /* wipe the auth context for rd_req */ 155 if (auth_context) { 156 krb5_auth_con_free(c, auth_context); 157 auth_context = NULL; 158 } 159 if (kerror == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { 160 /* we have a service key, so something should be 161 * in the database, therefore this error packet could 162 * have come from an attacker. */ 163 if (have_keys) { 164 retval = -1; 165 goto EGRESS; 166 } 167 /* but if it is unknown and we've got no key, we don't 168 * have any security anyhow, so it is ok. */ 169 else { 170 retval = 0; 171 goto EGRESS; 172 } 173 } 174 else if (kerror) { 175 krb5_warn(kcontext, kerror, 176 "Unable to verify Kerberos V5 TGT: %s", phost); 177 syslog(LOG_NOTICE, "Kerberos V5 TGT bad: %s", 178 krb5_get_err_text(kcontext, kerror)); 179 retval = -1; 180 goto EGRESS; 181 } 182 /* got ticket, try to use it */ 183 kerror = krb5_rd_req(c, &auth_context, &packet, 184 princ, NULL, NULL, &ticket); 185 if (kerror) { 186 if (!have_keys) { 187 /* The krb5 errors aren't specified well, but I think 188 * these values cover the cases we expect. */ 189 switch (kerror) { 190 case ENOENT: /* no keytab */ 191 case KRB5_KT_NOTFOUND: 192 retval = 0; 193 break; 194 default: 195 /* unexpected error: fail */ 196 retval = -1; 197 break; 198 } 199 } 200 else { 201 /* we have keys, so if we got any error, we could be 202 * under attack. */ 203 retval = -1; 204 } 205 krb5_warn(kcontext, kerror, "Unable to verify host ticket"); 206 syslog(LOG_NOTICE, "can't verify v5 ticket: %s; %s\n", 207 krb5_get_err_text(kcontext, kerror), 208 retval 209 ? "keytab found, assuming failure" 210 : "no keytab found, assuming success"); 211 goto EGRESS; 212 } 213 /* 214 * The host/<host> ticket has been received _and_ verified. 215 */ 216 retval = 1; 217 218 /* do cleanup and return */ 219 EGRESS: 220 if (auth_context) 221 krb5_auth_con_free(c, auth_context); 222 krb5_free_principal(c, princ); 223 /* possibly ticket and packet need freeing here as well */ 224 return (retval); 225 } 226 227 /* 228 * Attempt to read forwarded kerberos creds 229 * 230 * return 0 on success (forwarded creds in memory) 231 * 1 if no forwarded creds. 232 */ 233 int 234 k5_read_creds(username) 235 char *username; 236 { 237 krb5_error_code kerror; 238 krb5_creds mcreds; 239 krb5_ccache ccache; 240 241 have_forward = 0; 242 memset((char*) &mcreds, 0, sizeof(forw_creds)); 243 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 244 245 kerror = krb5_cc_default(kcontext, &ccache); 246 if (kerror) { 247 krb5_warn(kcontext, kerror, "while getting default ccache"); 248 return(1); 249 } 250 251 kerror = krb5_parse_name(kcontext, username, &me); 252 if (kerror) { 253 krb5_warn(kcontext, kerror, "when parsing name %s", username); 254 return(1); 255 } 256 257 mcreds.client = me; 258 kerror = krb5_build_principal_ext(kcontext, &mcreds.server, 259 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 260 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 261 KRB5_TGS_NAME_SIZE, 262 KRB5_TGS_NAME, 263 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 264 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 265 0); 266 if (kerror) { 267 krb5_warn(kcontext, kerror, "while building server name"); 268 goto nuke_ccache; 269 } 270 271 kerror = krb5_cc_retrieve_cred(kcontext, ccache, 0, 272 &mcreds, &forw_creds); 273 if (kerror) { 274 krb5_warn(kcontext, kerror, 275 "while retrieving V5 initial ticket for copy"); 276 goto nuke_ccache; 277 } 278 279 have_forward = 1; 280 281 strlcpy(tkt_location, getenv("KRB5CCNAME"), sizeof(tkt_location)); 282 krb5tkfile_env = tkt_location; 283 has_ccache = 1; 284 notickets = 0; 285 286 nuke_ccache: 287 krb5_cc_destroy(kcontext, ccache); 288 return(!have_forward); 289 } 290 291 int 292 k5_write_creds() 293 { 294 krb5_error_code kerror; 295 krb5_ccache ccache; 296 297 if (!have_forward) 298 return (1); 299 300 kerror = krb5_cc_default(kcontext, &ccache); 301 if (kerror) { 302 krb5_warn(kcontext, kerror, "while getting default ccache"); 303 return (1); 304 } 305 306 kerror = krb5_cc_initialize(kcontext, ccache, me); 307 if (kerror) { 308 krb5_warn(kcontext, kerror, 309 "while re-initializing V5 ccache as user"); 310 goto nuke_ccache_contents; 311 } 312 313 kerror = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 314 if (kerror) { 315 krb5_warn(kcontext, kerror, 316 "while re-storing V5 ccache as user"); 317 goto nuke_ccache_contents; 318 } 319 320 nuke_ccache_contents: 321 krb5_free_cred_contents(kcontext, &forw_creds); 322 return (kerror != 0); 323 } 324 325 /* 326 * Get krb4 credentials if needed 327 */ 328 #ifdef KERBEROS 329 static krb5_error_code 330 krb5_to4 (struct passwd *pw, krb5_context context, krb5_ccache id) 331 { 332 if (krb5_config_get_bool(context, NULL, 333 "libdefaults", 334 "krb4_get_tickets", 335 NULL)) { 336 CREDENTIALS c; 337 krb5_creds mcred, cred; 338 krb5_error_code ret; 339 krb5_principal princ; 340 341 ret = krb5_cc_get_principal (context, id, &princ); 342 if (ret) 343 return ret; 344 345 ret = krb5_make_principal(context, &mcred.server, 346 princ->realm, 347 "krbtgt", 348 princ->realm, 349 NULL); 350 krb5_free_principal (context, princ); 351 if (ret) 352 return ret; 353 354 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); 355 if(ret == 0) { 356 ret = krb524_convert_creds_kdc_ccache(context, id, 357 &cred, &c); 358 if(ret == 0) { 359 snprintf(krb4tkfile, sizeof(krb4tkfile), 360 "%s%d",TKT_ROOT, pw->pw_uid); 361 krb_set_tkt_string(krb4tkfile); 362 tf_setup(&c, c.pname, c.pinst); 363 if (chown(krb4tkfile, pw->pw_uid, 364 pw->pw_gid) < 0) 365 syslog(LOG_ERR, 366 "chown tkfile (%s): %m", 367 krb4tkfile); 368 } 369 memset(&c, 0, sizeof(c)); 370 krb5_free_creds_contents(context, &cred); 371 } 372 krb5_free_principal(context, mcred.server); 373 } 374 return 0; 375 } 376 #endif /* KERBEROS */ 377 378 /* 379 * Attempt to log the user in using Kerberos authentication 380 * 381 * return 0 on success (will be logged in) 382 * 1 if Kerberos failed (try local password in login) 383 */ 384 int 385 k5login(pw, instance, localhost, password) 386 struct passwd *pw; 387 char *instance, *localhost, *password; 388 { 389 krb5_error_code kerror; 390 krb5_creds my_creds; 391 krb5_timestamp now; 392 krb5_ccache ccache = NULL; 393 long lifetime = KRB5_DEFAULT_LIFE; 394 int options = KRB5_DEFAULT_OPTIONS; 395 char *realm, *client_name; 396 char *principal; 397 398 krb5_configured = 1; 399 400 if (login_krb5_forwardable_tgt) 401 options |= KDC_OPT_FORWARDABLE; 402 403 /* 404 * Root logins don't use Kerberos. 405 * If we have a realm, try getting a ticket-granting ticket 406 * and using it to authenticate. Otherwise, return 407 * failure so that we can try the normal passwd file 408 * for a password. If that's ok, log the user in 409 * without issuing any tickets. 410 */ 411 if (strcmp(pw->pw_name, "root") == 0 || 412 krb5_get_default_realm(kcontext, &realm)) { 413 krb5_configured = 0; 414 return (1); 415 } 416 417 /* 418 * get TGT for local realm 419 * tickets are stored in a file named TKT_ROOT plus uid 420 * except for user.root tickets. 421 */ 422 423 if (strcmp(instance, "root") != 0) 424 (void)snprintf(tkt_location, sizeof tkt_location, 425 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 426 else 427 (void)snprintf(tkt_location, sizeof tkt_location, 428 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 429 krb5tkfile_env = tkt_location; 430 has_ccache = 1; 431 432 if (strlen(instance)) 433 asprintf(&principal, "%s/%s", pw->pw_name, instance); 434 else 435 principal = strdup(pw->pw_name); 436 if (!principal) { 437 syslog(LOG_NOTICE, "fatal: %s", strerror(errno)); 438 return (1); 439 } 440 441 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 442 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 443 krb5_get_err_text(kcontext, kerror)); 444 return (1); 445 } 446 447 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 448 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 449 krb5_get_err_text(kcontext, kerror), principal); 450 return (1); 451 } 452 453 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 454 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 455 krb5_get_err_text(kcontext, kerror), principal); 456 return (1); 457 } 458 459 kerror = krb5_cc_initialize(kcontext, ccache, me); 460 if (kerror != 0) { 461 syslog(LOG_NOTICE, "%s when initializing cache %s", 462 krb5_get_err_text(kcontext, kerror), tkt_location); 463 return (1); 464 } 465 466 memset((char *)&my_creds, 0, sizeof(my_creds)); 467 468 my_creds.client = me; 469 470 if ((kerror = krb5_build_principal_ext(kcontext, 471 &server, 472 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 473 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 474 KRB5_TGS_NAME_SIZE, 475 KRB5_TGS_NAME, 476 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 477 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 478 0)) != 0) { 479 syslog(LOG_NOTICE, "%s while building server name", 480 krb5_get_err_text(kcontext, kerror)); 481 return (1); 482 } 483 484 my_creds.server = server; 485 486 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 487 syslog(LOG_NOTICE, "%s while getting time of day", 488 krb5_get_err_text(kcontext, kerror)); 489 return (1); 490 } 491 492 my_creds.times.starttime = 0; /* start timer when request 493 gets to KDC */ 494 my_creds.times.endtime = now + lifetime; 495 my_creds.times.renew_till = 0; 496 497 kerror = krb5_get_in_tkt_with_password(kcontext, options, 498 NULL, 499 NULL, 500 NULL, 501 password, 502 ccache, 503 &my_creds, 0); 504 505 if (my_creds.server != NULL) 506 krb5_free_principal(kcontext, my_creds.server); 507 508 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 509 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 510 511 if (kerror) { 512 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 513 printf("%s: Kerberos Password incorrect\n", principal); 514 else 515 krb5_warn(kcontext, kerror, 516 "while getting initial credentials"); 517 518 return (1); 519 } 520 521 if (k5_verify_creds(kcontext, ccache) < 0) 522 return (1); 523 524 #ifdef KERBEROS 525 if ((kerror = krb5_to4(pw, kcontext, ccache)) != 0) 526 krb5_warn(kcontext, kerror, "error converting krb4 creds"); 527 #endif 528 529 /* Success */ 530 notickets = 0; 531 return (0); 532 } 533 534 /* 535 * Remove any credentials 536 */ 537 void 538 k5destroy() 539 { 540 krb5_error_code kerror; 541 krb5_ccache ccache = NULL; 542 543 if (krb5tkfile_env == NULL) 544 return; 545 546 kerror = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache); 547 if (kerror == 0) 548 (void)krb5_cc_destroy(kcontext, ccache); 549 } 550 #endif /* KERBEROS5 */ 551
Indexes created Wed Sep 24 05:09:52 GMT 2025