k5login.c revision 1.25
1 /* $NetBSD: k5login.c,v 1.25 2004/12/22 01:28:56 lha Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. 34 * All rights reserved. 35 * 36 * Redistribution and use in source and binary forms are permitted 37 * provided that the above copyright notice and this paragraph are 38 * duplicated in all such forms and that any documentation, 39 * advertising materials, and other materials related to such 40 * distribution and use acknowledge that the software was developed 41 * by the University of California, Berkeley. The name of the 42 * University may not be used to endorse or promote products derived 43 * from this software without specific prior written permission. 44 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 45 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 46 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 47 */ 48 49 #include <sys/cdefs.h> 50 #ifndef lint 51 #if 0 52 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 53 #endif 54 __RCSID("$NetBSD: k5login.c,v 1.25 2004/12/22 01:28:56 lha Exp $"); 55 #endif /* not lint */ 56 57 #ifdef KERBEROS5 58 #include <sys/param.h> 59 #include <sys/syslog.h> 60 #include <krb5/krb5.h> 61 #ifdef KERBEROS 62 #include <kerberosIV/krb.h> 63 #endif 64 #include <pwd.h> 65 #include <netdb.h> 66 #include <stdio.h> 67 #include <stdlib.h> 68 #include <string.h> 69 #include <unistd.h> 70 #include <errno.h> 71 72 #define KRB5_DEFAULT_OPTIONS 0 73 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 74 75 krb5_context kcontext; 76 77 int notickets; 78 int krb5_configured; 79 char *krb5tkfile_env; 80 extern char *tty; 81 extern int login_krb5_forwardable_tgt; 82 extern int has_ccache; 83 84 static char tkt_location[MAXPATHLEN]; 85 #ifdef KERBEROS 86 char krb4tkfile[MAXPATHLEN]; 87 #endif 88 static krb5_creds forw_creds; 89 int have_forward; 90 static krb5_principal me, server; 91 92 int k5_read_creds(char *); 93 int k5_write_creds(void); 94 int k5_verify_creds(krb5_context, krb5_ccache); 95 int k5login(struct passwd *, char *, char *, char *); 96 void k5destroy(void); 97 98 #ifdef KERBEROS 99 static krb5_error_code 100 krb5_to4 (struct passwd *pw, krb5_context context, krb5_ccache id); 101 #endif 102 103 #ifndef krb5_realm_length 104 #define krb5_realm_length(r) ((r).length) 105 #endif 106 #ifndef krb5_realm_data 107 #define krb5_realm_data(r) ((r).data) 108 #endif 109 110 /* 111 * Verify the Kerberos ticket-granting ticket just retrieved for the 112 * user. If the Kerberos server doesn't respond, assume the user is 113 * trying to fake us out (since we DID just get a TGT from what is 114 * supposedly our KDC). If the host/<host> service is unknown (i.e., 115 * the local keytab doesn't have it), let her in. 116 * 117 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. 118 */ 119 int 120 k5_verify_creds(c, ccache) 121 krb5_context c; 122 krb5_ccache ccache; 123 { 124 char phost[MAXHOSTNAMELEN]; 125 int retval, have_keys; 126 krb5_principal princ; 127 krb5_keyblock *kb = 0; 128 krb5_error_code kerror; 129 krb5_data packet; 130 krb5_auth_context auth_context = NULL; 131 krb5_ticket *ticket = NULL; 132 133 kerror = krb5_sname_to_principal(c, 0, 0, KRB5_NT_SRV_HST, &princ); 134 if (kerror) { 135 krb5_warn(kcontext, kerror, "constructing local service name"); 136 return (-1); 137 } 138 139 /* Do we have host/<host> keys? */ 140 /* (use default keytab, kvno IGNORE_VNO to get the first match, 141 * and default enctype.) */ 142 kerror = krb5_kt_read_service_key(c, NULL, princ, 0, 0, &kb); 143 if (kb) 144 krb5_free_keyblock(c, kb); 145 /* any failure means we don't have keys at all. */ 146 have_keys = kerror ? 0 : 1; 147 148 /* XXX there should be a krb5 function like mk_req, but taking a full 149 * principal, instead of a service/hostname. (Did I miss one?) */ 150 gethostname(phost, sizeof(phost)); 151 phost[sizeof(phost) - 1] = '\0'; 152 153 /* talk to the kdc and construct the ticket */ 154 kerror = krb5_mk_req(c, &auth_context, 0, "host", phost, 155 0, ccache, &packet); 156 /* wipe the auth context for rd_req */ 157 if (auth_context) { 158 krb5_auth_con_free(c, auth_context); 159 auth_context = NULL; 160 } 161 if (kerror == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { 162 /* we have a service key, so something should be 163 * in the database, therefore this error packet could 164 * have come from an attacker. */ 165 if (have_keys) { 166 retval = -1; 167 goto EGRESS; 168 } 169 /* but if it is unknown and we've got no key, we don't 170 * have any security anyhow, so it is ok. */ 171 else { 172 retval = 0; 173 goto EGRESS; 174 } 175 } 176 else if (kerror) { 177 krb5_warn(kcontext, kerror, 178 "Unable to verify Kerberos V5 TGT: %s", phost); 179 syslog(LOG_NOTICE, "Kerberos V5 TGT bad: %s", 180 krb5_get_err_text(kcontext, kerror)); 181 retval = -1; 182 goto EGRESS; 183 } 184 /* got ticket, try to use it */ 185 kerror = krb5_rd_req(c, &auth_context, &packet, 186 princ, NULL, NULL, &ticket); 187 if (kerror) { 188 if (!have_keys) { 189 /* The krb5 errors aren't specified well, but I think 190 * these values cover the cases we expect. */ 191 switch (kerror) { 192 case ENOENT: /* no keytab */ 193 case KRB5_KT_NOTFOUND: 194 retval = 0; 195 break; 196 default: 197 /* unexpected error: fail */ 198 retval = -1; 199 break; 200 } 201 } 202 else { 203 /* we have keys, so if we got any error, we could be 204 * under attack. */ 205 retval = -1; 206 } 207 krb5_warn(kcontext, kerror, "Unable to verify host ticket"); 208 syslog(LOG_NOTICE, "can't verify v5 ticket: %s; %s\n", 209 krb5_get_err_text(kcontext, kerror), 210 retval 211 ? "keytab found, assuming failure" 212 : "no keytab found, assuming success"); 213 goto EGRESS; 214 } 215 /* 216 * The host/<host> ticket has been received _and_ verified. 217 */ 218 retval = 1; 219 220 /* do cleanup and return */ 221 EGRESS: 222 if (auth_context) 223 krb5_auth_con_free(c, auth_context); 224 krb5_free_principal(c, princ); 225 /* possibly ticket and packet need freeing here as well */ 226 return (retval); 227 } 228 229 /* 230 * Attempt to read forwarded kerberos creds 231 * 232 * return 0 on success (forwarded creds in memory) 233 * 1 if no forwarded creds. 234 */ 235 int 236 k5_read_creds(username) 237 char *username; 238 { 239 krb5_error_code kerror; 240 krb5_creds mcreds; 241 krb5_ccache ccache; 242 243 have_forward = 0; 244 memset((char*) &mcreds, 0, sizeof(forw_creds)); 245 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 246 247 kerror = krb5_cc_default(kcontext, &ccache); 248 if (kerror) { 249 krb5_warn(kcontext, kerror, "while getting default ccache"); 250 return(1); 251 } 252 253 kerror = krb5_parse_name(kcontext, username, &me); 254 if (kerror) { 255 krb5_warn(kcontext, kerror, "when parsing name %s", username); 256 return(1); 257 } 258 259 mcreds.client = me; 260 kerror = krb5_build_principal_ext(kcontext, &mcreds.server, 261 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 262 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 263 KRB5_TGS_NAME_SIZE, 264 KRB5_TGS_NAME, 265 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 266 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 267 0); 268 if (kerror) { 269 krb5_warn(kcontext, kerror, "while building server name"); 270 goto nuke_ccache; 271 } 272 273 kerror = krb5_cc_retrieve_cred(kcontext, ccache, 0, 274 &mcreds, &forw_creds); 275 if (kerror) { 276 krb5_warn(kcontext, kerror, 277 "while retrieving V5 initial ticket for copy"); 278 goto nuke_ccache; 279 } 280 281 have_forward = 1; 282 283 strlcpy(tkt_location, getenv("KRB5CCNAME"), sizeof(tkt_location)); 284 krb5tkfile_env = tkt_location; 285 has_ccache = 1; 286 notickets = 0; 287 288 nuke_ccache: 289 krb5_cc_destroy(kcontext, ccache); 290 return(!have_forward); 291 } 292 293 int 294 k5_write_creds() 295 { 296 krb5_error_code kerror; 297 krb5_ccache ccache; 298 299 if (!have_forward) 300 return (1); 301 302 kerror = krb5_cc_default(kcontext, &ccache); 303 if (kerror) { 304 krb5_warn(kcontext, kerror, "while getting default ccache"); 305 return (1); 306 } 307 308 kerror = krb5_cc_initialize(kcontext, ccache, me); 309 if (kerror) { 310 krb5_warn(kcontext, kerror, 311 "while re-initializing V5 ccache as user"); 312 goto nuke_ccache_contents; 313 } 314 315 kerror = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 316 if (kerror) { 317 krb5_warn(kcontext, kerror, 318 "while re-storing V5 ccache as user"); 319 goto nuke_ccache_contents; 320 } 321 322 nuke_ccache_contents: 323 krb5_free_cred_contents(kcontext, &forw_creds); 324 return (kerror != 0); 325 } 326 327 /* 328 * Get krb4 credentials if needed 329 */ 330 #ifdef KERBEROS 331 static krb5_error_code 332 krb5_to4 (struct passwd *pw, krb5_context context, krb5_ccache id) 333 { 334 if (krb5_config_get_bool(context, NULL, 335 "libdefaults", 336 "krb4_get_tickets", 337 NULL)) { 338 CREDENTIALS c; 339 krb5_creds mcred, cred; 340 krb5_error_code ret; 341 krb5_principal princ; 342 343 ret = krb5_cc_get_principal (context, id, &princ); 344 if (ret) 345 return ret; 346 347 ret = krb5_make_principal(context, &mcred.server, 348 princ->realm, 349 "krbtgt", 350 princ->realm, 351 NULL); 352 krb5_free_principal (context, princ); 353 if (ret) 354 return ret; 355 356 ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); 357 if(ret == 0) { 358 ret = krb524_convert_creds_kdc_ccache(context, id, 359 &cred, &c); 360 if(ret == 0) { 361 snprintf(krb4tkfile, sizeof(krb4tkfile), 362 "%s%d",TKT_ROOT, pw->pw_uid); 363 krb_set_tkt_string(krb4tkfile); 364 tf_setup(&c, c.pname, c.pinst); 365 if (chown(krb4tkfile, pw->pw_uid, 366 pw->pw_gid) < 0) 367 syslog(LOG_ERR, 368 "chown tkfile (%s): %m", 369 krb4tkfile); 370 } 371 memset(&c, 0, sizeof(c)); 372 krb5_free_creds_contents(context, &cred); 373 } 374 krb5_free_principal(context, mcred.server); 375 } 376 return 0; 377 } 378 #endif /* KERBEROS */ 379 380 /* 381 * Attempt to log the user in using Kerberos authentication 382 * 383 * return 0 on success (will be logged in) 384 * 1 if Kerberos failed (try local password in login) 385 */ 386 int 387 k5login(pw, instance, localhost, password) 388 struct passwd *pw; 389 char *instance, *localhost, *password; 390 { 391 krb5_error_code kerror; 392 krb5_creds my_creds; 393 krb5_timestamp now; 394 krb5_ccache ccache = NULL; 395 long lifetime = KRB5_DEFAULT_LIFE; 396 int options = KRB5_DEFAULT_OPTIONS; 397 char *realm, *client_name; 398 char *principal; 399 400 krb5_configured = 1; 401 402 if (login_krb5_forwardable_tgt) 403 options |= KDC_OPT_FORWARDABLE; 404 405 /* 406 * Root logins don't use Kerberos. 407 * If we have a realm, try getting a ticket-granting ticket 408 * and using it to authenticate. Otherwise, return 409 * failure so that we can try the normal passwd file 410 * for a password. If that's ok, log the user in 411 * without issuing any tickets. 412 */ 413 if (strcmp(pw->pw_name, "root") == 0 || 414 krb5_get_default_realm(kcontext, &realm)) { 415 krb5_configured = 0; 416 return (1); 417 } 418 419 /* 420 * get TGT for local realm 421 * tickets are stored in a file named TKT_ROOT plus uid 422 * except for user.root tickets. 423 */ 424 425 if (strcmp(instance, "root") != 0) 426 (void)snprintf(tkt_location, sizeof tkt_location, 427 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 428 else 429 (void)snprintf(tkt_location, sizeof tkt_location, 430 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 431 krb5tkfile_env = tkt_location; 432 has_ccache = 1; 433 434 if (strlen(instance)) 435 asprintf(&principal, "%s/%s", pw->pw_name, instance); 436 else 437 principal = strdup(pw->pw_name); 438 if (!principal) { 439 syslog(LOG_NOTICE, "fatal: %s", strerror(errno)); 440 return (1); 441 } 442 443 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 444 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 445 krb5_get_err_text(kcontext, kerror)); 446 return (1); 447 } 448 449 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 450 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 451 krb5_get_err_text(kcontext, kerror), principal); 452 return (1); 453 } 454 455 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 456 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 457 krb5_get_err_text(kcontext, kerror), principal); 458 return (1); 459 } 460 461 kerror = krb5_cc_initialize(kcontext, ccache, me); 462 if (kerror != 0) { 463 syslog(LOG_NOTICE, "%s when initializing cache %s", 464 krb5_get_err_text(kcontext, kerror), tkt_location); 465 return (1); 466 } 467 468 memset((char *)&my_creds, 0, sizeof(my_creds)); 469 470 my_creds.client = me; 471 472 if ((kerror = krb5_build_principal_ext(kcontext, 473 &server, 474 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 475 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 476 KRB5_TGS_NAME_SIZE, 477 KRB5_TGS_NAME, 478 krb5_realm_length(*krb5_princ_realm(kcontext, me)), 479 krb5_realm_data(*krb5_princ_realm(kcontext, me)), 480 0)) != 0) { 481 syslog(LOG_NOTICE, "%s while building server name", 482 krb5_get_err_text(kcontext, kerror)); 483 return (1); 484 } 485 486 my_creds.server = server; 487 488 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 489 syslog(LOG_NOTICE, "%s while getting time of day", 490 krb5_get_err_text(kcontext, kerror)); 491 return (1); 492 } 493 494 my_creds.times.starttime = 0; /* start timer when request 495 gets to KDC */ 496 my_creds.times.endtime = now + lifetime; 497 my_creds.times.renew_till = 0; 498 499 kerror = krb5_get_in_tkt_with_password(kcontext, options, 500 NULL, 501 NULL, 502 NULL, 503 password, 504 ccache, 505 &my_creds, 0); 506 507 if (my_creds.server != NULL) 508 krb5_free_principal(kcontext, my_creds.server); 509 510 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 511 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 512 513 if (kerror) { 514 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 515 printf("%s: Kerberos Password incorrect\n", principal); 516 else 517 krb5_warn(kcontext, kerror, 518 "while getting initial credentials"); 519 520 return (1); 521 } 522 523 if (k5_verify_creds(kcontext, ccache) < 0) 524 return (1); 525 526 #ifdef KERBEROS 527 if ((kerror = krb5_to4(pw, kcontext, ccache)) != 0) 528 krb5_warn(kcontext, kerror, "error converting krb4 creds"); 529 #endif 530 531 /* Success */ 532 notickets = 0; 533 return (0); 534 } 535 536 /* 537 * Remove any credentials 538 */ 539 void 540 k5destroy() 541 { 542 krb5_error_code kerror; 543 krb5_ccache ccache = NULL; 544 545 if (krb5tkfile_env == NULL) 546 return; 547 548 kerror = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache); 549 if (kerror == 0) 550 (void)krb5_cc_destroy(kcontext, ccache); 551 } 552 #endif /* KERBEROS5 */ 553
Indexes created Sat Sep 27 14:09:57 GMT 2025