k5login.c revision 1.5
1 /* $NetBSD: k5login.c,v 1.5 1997/08/19 17:26:14 mycroft Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.5 1997/08/19 17:26:14 mycroft Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <krb5.h> 48 #include <pwd.h> 49 #include <netdb.h> 50 #include <stdio.h> 51 #include <string.h> 52 #include <unistd.h> 53 54 #define KRB5_DEFAULT_OPTIONS 0 55 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 56 57 krb5_data tgtname = { 58 0, 59 KRB5_TGS_NAME_SIZE, 60 KRB5_TGS_NAME 61 }; 62 63 krb5_context kcontext; 64 65 extern int notickets; 66 extern char *krbtkfile_env; 67 extern char *tty; 68 69 static char tkt_location[MAXPATHLEN]; 70 71 /* 72 * Attempt to log the user in using Kerberos authentication 73 * 74 * return 0 on success (will be logged in) 75 * 1 if Kerberos failed (try local password in login) 76 */ 77 int 78 klogin(pw, instance, localhost, password) 79 struct passwd *pw; 80 char *instance, *localhost, *password; 81 { 82 krb5_error_code kerror; 83 krb5_address **my_addresses; 84 krb5_principal me, server; 85 krb5_creds my_creds; 86 krb5_timestamp now; 87 krb5_ccache ccache = NULL; 88 int preauth_type = -1; 89 long lifetime = KRB5_DEFAULT_LIFE; 90 int options = KRB5_DEFAULT_OPTIONS; 91 int i; 92 char *realm, *client_name; 93 char *principal; 94 95 #ifdef SKEY 96 /* 97 * We don't do s/key challenge and Kerberos at the same time 98 */ 99 if (strcasecmp(password, "s/key") == 0) { 100 return (1); 101 } 102 #endif 103 104 krb5_init_ets(kcontext); 105 106 /* 107 * Root logins don't use Kerberos. 108 * If we have a realm, try getting a ticket-granting ticket 109 * and using it to authenticate. Otherwise, return 110 * failure so that we can try the normal passwd file 111 * for a password. If that's ok, log the user in 112 * without issuing any tickets. 113 */ 114 if (strcmp(pw->pw_name, "root") == 0 || 115 krb5_get_default_realm(kcontext, &realm)) 116 return (1); 117 118 /* 119 * get TGT for local realm 120 * tickets are stored in a file named TKT_ROOT plus uid 121 * except for user.root tickets. 122 */ 123 124 if (strcmp(instance, "root") != 0) 125 (void)snprintf(tkt_location, sizeof tkt_location, 126 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 127 else 128 (void)snprintf(tkt_location, sizeof tkt_location, 129 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 130 krbtkfile_env = tkt_location; 131 132 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 133 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 134 if (strlen(instance)) { 135 strcat(principal, "/"); /* XXX strcat is safe */ 136 strcat(principal, instance); /* XXX strcat is safe */ 137 } 138 139 if (kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) { 140 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 141 error_message(kerror)); 142 return(1); 143 } 144 145 if (kerror = krb5_parse_name(kcontext, principal, &me)) { 146 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 147 error_message(kerror), principal); 148 return(1); 149 } 150 151 if (kerror = krb5_unparse_name(kcontext, me, &client_name)) { 152 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 153 error_message(kerror), principal); 154 return(1); 155 } 156 157 kerror = krb5_cc_initialize(kcontext, ccache, me); 158 if (kerror != 0) { 159 syslog(LOG_NOTICE, "%s when initializing cache %s", 160 error_message(kerror), tkt_location); 161 return(1); 162 } 163 164 memset((char *)&my_creds, 0, sizeof(my_creds)); 165 166 my_creds.client = me; 167 168 if (kerror = krb5_build_principal_ext(kcontext, 169 &server, 170 krb5_princ_realm(kcontext, me)->length, 171 krb5_princ_realm(kcontext, me)->data, 172 tgtname.length, tgtname.data, 173 krb5_princ_realm(kcontext, me)->length, 174 krb5_princ_realm(kcontext, me)->data, 175 0)) { 176 syslog(LOG_NOTICE, "%s while building server name", 177 error_message(kerror)); 178 return(1); 179 } 180 181 my_creds.server = server; 182 183 kerror = krb5_os_localaddr(kcontext, &my_addresses); 184 if (kerror != 0) { 185 syslog(LOG_NOTICE, "%s when getting my address", 186 error_message(kerror)); 187 return(1); 188 } 189 190 if (kerror = krb5_timeofday(kcontext, &now)) { 191 syslog(LOG_NOTICE, "%s while getting time of day", 192 error_message(kerror)); 193 return(1); 194 } 195 my_creds.times.starttime = 0; /* start timer when request 196 gets to KDC */ 197 my_creds.times.endtime = now + lifetime; 198 my_creds.times.renew_till = 0; 199 200 kerror = krb5_get_in_tkt_with_password(kcontext, options, 201 my_addresses, 202 NULL, 203 NULL, 204 password, 205 ccache, 206 &my_creds, 0); 207 208 krb5_free_principal(kcontext, server); 209 krb5_free_addresses(kcontext, my_addresses); 210 211 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 212 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 213 214 if (kerror) { 215 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 216 printf("%s: Kerberos Password incorrect\n", principal); 217 else 218 printf("%s while getting initial credentials\n", error_message(kerror)); 219 220 return(1); 221 } 222 223 /* Success */ 224 notickets = 0; 225 return(0); 226 } 227 228 /* 229 * Remove any credentials 230 */ 231 void 232 kdestroy() 233 { 234 krb5_error_code code; 235 krb5_ccache ccache = NULL; 236 237 if (krbtkfile_env == NULL) 238 return; 239 240 code = krb5_cc_resolve(kcontext, krbtkfile_env, &ccache); 241 if (!code) { 242 code = krb5_cc_destroy(kcontext, ccache); 243 if (!code) { 244 krb5_cc_close(kcontext, ccache); 245 } 246 } 247 } 248 #endif 249
Indexes created Thu Sep 25 08:09:54 GMT 2025