k5login.c revision 1.4
1 /* $NetBSD: k5login.c,v 1.4 1997/08/16 13:50:44 lukem Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.4 1997/08/16 13:50:44 lukem Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <com_err.h> 48 #include <krb5/krb5.h> 49 #include <krb5/ext-proto.h> 50 #include <krb5/los-proto.h> 51 #include <pwd.h> 52 #include <netdb.h> 53 #include <stdio.h> 54 #include <string.h> 55 #include <unistd.h> 56 57 #define KRB5_DEFAULT_OPTIONS 0 58 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 59 60 krb5_data tgtname = { 61 KRB5_TGS_NAME_SIZE, 62 KRB5_TGS_NAME 63 }; 64 65 /* 66 * Try no preauthentication first; then try the encrypted timestamp 67 */ 68 int preauth_search_list[] = { 69 0, 70 KRB5_PADATA_ENC_TIMESTAMP, 71 -1 72 }; 73 74 extern int notickets; 75 extern char *krbtkfile_env; 76 extern char *tty; 77 78 static char tkt_location[MAXPATHLEN]; 79 80 /* 81 * Attempt to log the user in using Kerberos authentication 82 * 83 * return 0 on success (will be logged in) 84 * 1 if Kerberos failed (try local password in login) 85 */ 86 int 87 klogin(pw, instance, localhost, password) 88 struct passwd *pw; 89 char *instance, *localhost, *password; 90 { 91 krb5_error_code kerror; 92 krb5_address **my_addresses; 93 krb5_principal me, server; 94 krb5_creds my_creds; 95 krb5_timestamp now; 96 krb5_ccache ccache = NULL; 97 int preauth_type = -1; 98 long lifetime = KRB5_DEFAULT_LIFE; 99 int options = KRB5_DEFAULT_OPTIONS; 100 int i; 101 char *realm, *client_name; 102 char *principal; 103 104 #ifdef SKEY 105 /* 106 * We don't do s/key challenge and Kerberos at the same time 107 */ 108 if (strcasecmp(password, "s/key") == 0) { 109 return (1); 110 } 111 #endif 112 113 krb5_init_ets(); 114 115 /* 116 * Root logins don't use Kerberos. 117 * If we have a realm, try getting a ticket-granting ticket 118 * and using it to authenticate. Otherwise, return 119 * failure so that we can try the normal passwd file 120 * for a password. If that's ok, log the user in 121 * without issuing any tickets. 122 */ 123 if (strcmp(pw->pw_name, "root") == 0 || 124 krb5_get_default_realm(&realm)) 125 return (1); 126 127 /* 128 * get TGT for local realm 129 * tickets are stored in a file named TKT_ROOT plus uid 130 * except for user.root tickets. 131 */ 132 133 if (strcmp(instance, "root") != 0) 134 (void)snprintf(tkt_location, sizeof tkt_location, 135 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 136 else 137 (void)snprintf(tkt_location, sizeof tkt_location, 138 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 139 krbtkfile_env = tkt_location; 140 141 principal = malloc(strlen(pw->pw_name)+strlen(instance)+2); 142 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 143 if (strlen(instance)) { 144 strcat(principal, "/"); /* XXX strcat is safe */ 145 strcat(principal, instance); /* XXX strcat is safe */ 146 } 147 148 if (kerror = krb5_cc_resolve(tkt_location, &ccache)) { 149 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 150 error_message(kerror)); 151 return(1); 152 } 153 154 if (kerror = krb5_parse_name(principal, &me)) { 155 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 156 error_message(kerror), principal); 157 return(1); 158 } 159 160 if (kerror = krb5_unparse_name(me, &client_name)) { 161 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 162 error_message(kerror), principal); 163 return(1); 164 } 165 166 kerror = krb5_cc_initialize (ccache, me); 167 if (kerror != 0) { 168 syslog(LOG_NOTICE, "%s when initializing cache %s", 169 error_message(kerror), tkt_location); 170 return(1); 171 } 172 173 memset((char *)&my_creds, 0, sizeof(my_creds)); 174 175 my_creds.client = me; 176 177 if (kerror = krb5_build_principal_ext(&server, 178 krb5_princ_realm(me)->length, 179 krb5_princ_realm(me)->data, 180 tgtname.length, tgtname.data, 181 krb5_princ_realm(me)->length, 182 krb5_princ_realm(me)->data, 183 0)) { 184 syslog(LOG_NOTICE, "%s while building server name", 185 error_message(kerror)); 186 return(1); 187 } 188 189 my_creds.server = server; 190 191 kerror = krb5_os_localaddr(&my_addresses); 192 if (kerror != 0) { 193 syslog(LOG_NOTICE, "%s when getting my address", 194 error_message(kerror)); 195 return(1); 196 } 197 198 if (kerror = krb5_timeofday(&now)) { 199 syslog(LOG_NOTICE, "%s while getting time of day", 200 error_message(kerror)); 201 return(1); 202 } 203 my_creds.times.starttime = 0; /* start timer when request 204 gets to KDC */ 205 my_creds.times.endtime = now + lifetime; 206 my_creds.times.renew_till = 0; 207 208 for (i=0; preauth_search_list[i] >= 0; i++) { 209 kerror = krb5_get_in_tkt_with_password(options, my_addresses, 210 preauth_search_list[i], 211 ETYPE_DES_CBC_CRC, 212 KEYTYPE_DES, 213 password, 214 ccache, 215 &my_creds, 0); 216 if (kerror != KRB5KDC_PREAUTH_FAILED && 217 kerror != KRB5KRB_ERR_GENERIC) 218 break; 219 } 220 221 krb5_free_principal(server); 222 krb5_free_addresses(my_addresses); 223 224 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 225 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 226 227 if (kerror) { 228 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 229 printf("%s: Kerberos Password incorrect\n", principal); 230 else 231 printf("%s while getting initial credentials\n", error_message(kerror)); 232 233 return(1); 234 } 235 236 /* Success */ 237 notickets = 0; 238 return(0); 239 } 240 241 /* 242 * Remove any credentials 243 */ 244 void 245 kdestroy() 246 { 247 krb5_error_code code; 248 krb5_ccache ccache = NULL; 249 250 if (krbtkfile_env == NULL) 251 return; 252 253 code = krb5_cc_resolve(krbtkfile_env, &ccache); 254 if (!code) { 255 code = krb5_cc_destroy(ccache); 256 if (!code) { 257 krb5_cc_close(ccache); 258 } 259 } 260 } 261 #endif 262
Indexes created Wed Sep 24 05:09:52 GMT 2025