k5login.c revision 1.7
1 /* $NetBSD: k5login.c,v 1.7 1999/07/12 21:36:10 aidan Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.7 1999/07/12 21:36:10 aidan Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <krb5.h> 48 #include <pwd.h> 49 #include <netdb.h> 50 #include <stdio.h> 51 #include <stdlib.h> 52 #include <string.h> 53 #include <unistd.h> 54 55 #define KRB5_DEFAULT_OPTIONS 0 56 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 57 58 krb5_data tgtname = { 59 0, 60 KRB5_TGS_NAME_SIZE, 61 KRB5_TGS_NAME 62 }; 63 64 krb5_context kcontext; 65 66 extern int notickets; 67 extern char *krbtkfile_env; 68 extern char *tty; 69 70 static char tkt_location[MAXPATHLEN]; 71 static krb5_creds forw_creds; 72 int have_forward; 73 static krb5_principal me, server; 74 75 /* 76 * Attempt to read forwarded kerberos creds 77 * 78 * return 0 on success (forwarded creds in memory) 79 * 1 if no forwarded creds. 80 */ 81 int 82 k5_read_creds(username) 83 char *username; 84 { 85 krb5_error_code code; 86 krb5_creds mcreds; 87 krb5_ccache ccache; 88 89 have_forward = 0; 90 memset((char*) &mcreds, 0, sizeof(forw_creds)); 91 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 92 93 code = krb5_cc_default(kcontext, &ccache); 94 if (code) { 95 com_err("login", code, "while getting default ccache"); 96 return(1); 97 } 98 99 code = krb5_parse_name(kcontext, username, &me); 100 if (code) { 101 com_err("login", code, "when parsing name %s", username); 102 return(1); 103 } 104 105 mcreds.client = me; 106 code = krb5_build_principal_ext(kcontext, &mcreds.server, 107 krb5_princ_realm(kcontext, me)->length, 108 krb5_princ_realm(kcontext, me)->data, 109 tgtname.length, tgtname.data, 110 krb5_princ_realm(kcontext, me)->length, 111 krb5_princ_realm(kcontext, me)->data, 112 0); 113 if (code) { 114 com_err("login", code, "while building server name"); 115 goto nuke_ccache; 116 } 117 118 code = krb5_cc_retrieve_cred(kcontext, ccache, 0, 119 &mcreds, &forw_creds); 120 if (code) { 121 com_err("login", code, "while retrieving V5 initial ticket for copy"); 122 goto nuke_ccache; 123 } 124 have_forward = 1; 125 126 strcpy(tkt_location, getenv("KRB5CCNAME")); 127 krbtkfile_env = tkt_location; 128 notickets = 0; 129 130 nuke_ccache: 131 krb5_cc_destroy(kcontext, ccache); 132 return(!have_forward); 133 } 134 135 int 136 k5_write_creds() 137 { 138 krb5_error_code code; 139 krb5_ccache ccache; 140 char buf[256]; 141 142 if (!have_forward) 143 return(1); 144 code = krb5_cc_default(kcontext, &ccache); 145 if (code) { 146 com_err("login", code, "while getting default ccache"); 147 return(1); 148 } 149 150 code = krb5_cc_initialize(kcontext, ccache, me); 151 if (code) { 152 com_err("login", code, "while re-initializing V5 ccache as user"); 153 goto nuke_ccache_contents; 154 } 155 156 code = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 157 if (code) { 158 com_err("login", code, "while re-storing V5 ccache as user"); 159 goto nuke_ccache_contents; 160 } 161 162 nuke_ccache_contents: 163 krb5_free_cred_contents(kcontext, &forw_creds); 164 return(code != 0); 165 } 166 167 /* 168 * Attempt to log the user in using Kerberos authentication 169 * 170 * return 0 on success (will be logged in) 171 * 1 if Kerberos failed (try local password in login) 172 */ 173 int 174 klogin(pw, instance, localhost, password) 175 struct passwd *pw; 176 char *instance, *localhost, *password; 177 { 178 krb5_error_code kerror; 179 krb5_address **my_addresses; 180 krb5_creds my_creds; 181 krb5_timestamp now; 182 krb5_ccache ccache = NULL; 183 int preauth_type = -1; 184 long lifetime = KRB5_DEFAULT_LIFE; 185 int options = KRB5_DEFAULT_OPTIONS; 186 int i; 187 char *realm, *client_name; 188 char *principal; 189 190 /* 191 * Root logins don't use Kerberos. 192 * If we have a realm, try getting a ticket-granting ticket 193 * and using it to authenticate. Otherwise, return 194 * failure so that we can try the normal passwd file 195 * for a password. If that's ok, log the user in 196 * without issuing any tickets. 197 */ 198 if (strcmp(pw->pw_name, "root") == 0 || 199 krb5_get_default_realm(kcontext, &realm)) 200 return (1); 201 202 /* 203 * get TGT for local realm 204 * tickets are stored in a file named TKT_ROOT plus uid 205 * except for user.root tickets. 206 */ 207 208 if (strcmp(instance, "root") != 0) 209 (void)snprintf(tkt_location, sizeof tkt_location, 210 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 211 else 212 (void)snprintf(tkt_location, sizeof tkt_location, 213 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 214 krbtkfile_env = tkt_location; 215 216 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 217 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 218 if (strlen(instance)) { 219 strcat(principal, "/"); /* XXX strcat is safe */ 220 strcat(principal, instance); /* XXX strcat is safe */ 221 } 222 223 if (kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) { 224 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 225 error_message(kerror)); 226 return(1); 227 } 228 229 if (kerror = krb5_parse_name(kcontext, principal, &me)) { 230 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 231 error_message(kerror), principal); 232 return(1); 233 } 234 235 if (kerror = krb5_unparse_name(kcontext, me, &client_name)) { 236 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 237 error_message(kerror), principal); 238 return(1); 239 } 240 241 kerror = krb5_cc_initialize(kcontext, ccache, me); 242 if (kerror != 0) { 243 syslog(LOG_NOTICE, "%s when initializing cache %s", 244 error_message(kerror), tkt_location); 245 return(1); 246 } 247 248 memset((char *)&my_creds, 0, sizeof(my_creds)); 249 250 my_creds.client = me; 251 252 if (kerror = krb5_build_principal_ext(kcontext, 253 &server, 254 krb5_princ_realm(kcontext, me)->length, 255 krb5_princ_realm(kcontext, me)->data, 256 tgtname.length, tgtname.data, 257 krb5_princ_realm(kcontext, me)->length, 258 krb5_princ_realm(kcontext, me)->data, 259 0)) { 260 syslog(LOG_NOTICE, "%s while building server name", 261 error_message(kerror)); 262 return(1); 263 } 264 265 my_creds.server = server; 266 267 kerror = krb5_os_localaddr(kcontext, &my_addresses); 268 if (kerror != 0) { 269 syslog(LOG_NOTICE, "%s when getting my address", 270 error_message(kerror)); 271 return(1); 272 } 273 274 if (kerror = krb5_timeofday(kcontext, &now)) { 275 syslog(LOG_NOTICE, "%s while getting time of day", 276 error_message(kerror)); 277 return(1); 278 } 279 my_creds.times.starttime = 0; /* start timer when request 280 gets to KDC */ 281 my_creds.times.endtime = now + lifetime; 282 my_creds.times.renew_till = 0; 283 284 kerror = krb5_get_in_tkt_with_password(kcontext, options, 285 my_addresses, 286 NULL, 287 NULL, 288 password, 289 ccache, 290 &my_creds, 0); 291 292 krb5_free_principal(kcontext, server); 293 krb5_free_addresses(kcontext, my_addresses); 294 295 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 296 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 297 298 if (kerror) { 299 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 300 printf("%s: Kerberos Password incorrect\n", principal); 301 else 302 printf("%s while getting initial credentials\n", error_message(kerror)); 303 304 return(1); 305 } 306 307 /* Success */ 308 notickets = 0; 309 return(0); 310 } 311 312 /* 313 * Remove any credentials 314 */ 315 void 316 kdestroy() 317 { 318 krb5_error_code code; 319 krb5_ccache ccache = NULL; 320 321 if (krbtkfile_env == NULL) 322 return; 323 324 code = krb5_cc_resolve(kcontext, krbtkfile_env, &ccache); 325 if (!code) { 326 code = krb5_cc_destroy(kcontext, ccache); 327 if (!code) { 328 krb5_cc_close(kcontext, ccache); 329 } 330 } 331 } 332 #endif 333
Indexes created Wed Sep 24 15:09:51 GMT 2025