k5login.c revision 1.8
1 /* $NetBSD: k5login.c,v 1.8 1999/08/25 19:58:15 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.8 1999/08/25 19:58:15 christos Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <krb5/krb5.h> 48 #include <kerberosIV/com_err.h> 49 #include <pwd.h> 50 #include <netdb.h> 51 #include <stdio.h> 52 #include <stdlib.h> 53 #include <string.h> 54 #include <unistd.h> 55 56 #define KRB5_DEFAULT_OPTIONS 0 57 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 58 59 krb5_data tgtname = { 60 0, 61 KRB5_TGS_NAME_SIZE, 62 KRB5_TGS_NAME 63 }; 64 65 krb5_context kcontext; 66 67 extern int notickets; 68 extern char *krbtkfile_env; 69 extern char *tty; 70 71 static char tkt_location[MAXPATHLEN]; 72 static krb5_creds forw_creds; 73 int have_forward; 74 static krb5_principal me, server; 75 76 int k5_read_creds __P((char *)); 77 int k5_write_creds __P((void)); 78 int klogin __P((struct passwd *, char *, char *, char *)); 79 void kdestroy __P((void)); 80 81 /* 82 * Attempt to read forwarded kerberos creds 83 * 84 * return 0 on success (forwarded creds in memory) 85 * 1 if no forwarded creds. 86 */ 87 int 88 k5_read_creds(username) 89 char *username; 90 { 91 krb5_error_code code; 92 krb5_creds mcreds; 93 krb5_ccache ccache; 94 95 have_forward = 0; 96 memset((char*) &mcreds, 0, sizeof(forw_creds)); 97 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 98 99 code = krb5_cc_default(kcontext, &ccache); 100 if (code) { 101 com_err("login", code, "while getting default ccache"); 102 return(1); 103 } 104 105 code = krb5_parse_name(kcontext, username, &me); 106 if (code) { 107 com_err("login", code, "when parsing name %s", username); 108 return(1); 109 } 110 111 mcreds.client = me; 112 code = krb5_build_principal_ext(kcontext, &mcreds.server, 113 krb5_princ_realm(kcontext, me)->length, 114 krb5_princ_realm(kcontext, me)->data, 115 tgtname.length, tgtname.data, 116 krb5_princ_realm(kcontext, me)->length, 117 krb5_princ_realm(kcontext, me)->data, 118 0); 119 if (code) { 120 com_err("login", code, "while building server name"); 121 goto nuke_ccache; 122 } 123 124 code = krb5_cc_retrieve_cred(kcontext, ccache, 0, 125 &mcreds, &forw_creds); 126 if (code) { 127 com_err("login", code, "while retrieving V5 initial ticket for copy"); 128 goto nuke_ccache; 129 } 130 have_forward = 1; 131 132 strcpy(tkt_location, getenv("KRB5CCNAME")); 133 krbtkfile_env = tkt_location; 134 notickets = 0; 135 136 nuke_ccache: 137 krb5_cc_destroy(kcontext, ccache); 138 return(!have_forward); 139 } 140 141 int 142 k5_write_creds() 143 { 144 krb5_error_code code; 145 krb5_ccache ccache; 146 147 if (!have_forward) 148 return(1); 149 code = krb5_cc_default(kcontext, &ccache); 150 if (code) { 151 com_err("login", code, "while getting default ccache"); 152 return(1); 153 } 154 155 code = krb5_cc_initialize(kcontext, ccache, me); 156 if (code) { 157 com_err("login", code, "while re-initializing V5 ccache as user"); 158 goto nuke_ccache_contents; 159 } 160 161 code = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 162 if (code) { 163 com_err("login", code, "while re-storing V5 ccache as user"); 164 goto nuke_ccache_contents; 165 } 166 167 nuke_ccache_contents: 168 krb5_free_cred_contents(kcontext, &forw_creds); 169 return(code != 0); 170 } 171 172 /* 173 * Attempt to log the user in using Kerberos authentication 174 * 175 * return 0 on success (will be logged in) 176 * 1 if Kerberos failed (try local password in login) 177 */ 178 int 179 klogin(pw, instance, localhost, password) 180 struct passwd *pw; 181 char *instance, *localhost, *password; 182 { 183 krb5_error_code kerror; 184 krb5_address **my_addresses; 185 krb5_creds my_creds; 186 krb5_timestamp now; 187 krb5_ccache ccache = NULL; 188 long lifetime = KRB5_DEFAULT_LIFE; 189 int options = KRB5_DEFAULT_OPTIONS; 190 char *realm, *client_name; 191 char *principal; 192 193 /* 194 * Root logins don't use Kerberos. 195 * If we have a realm, try getting a ticket-granting ticket 196 * and using it to authenticate. Otherwise, return 197 * failure so that we can try the normal passwd file 198 * for a password. If that's ok, log the user in 199 * without issuing any tickets. 200 */ 201 if (strcmp(pw->pw_name, "root") == 0 || 202 krb5_get_default_realm(kcontext, &realm)) 203 return (1); 204 205 /* 206 * get TGT for local realm 207 * tickets are stored in a file named TKT_ROOT plus uid 208 * except for user.root tickets. 209 */ 210 211 if (strcmp(instance, "root") != 0) 212 (void)snprintf(tkt_location, sizeof tkt_location, 213 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 214 else 215 (void)snprintf(tkt_location, sizeof tkt_location, 216 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 217 krbtkfile_env = tkt_location; 218 219 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 220 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 221 if (strlen(instance)) { 222 strcat(principal, "/"); /* XXX strcat is safe */ 223 strcat(principal, instance); /* XXX strcat is safe */ 224 } 225 226 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 227 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 228 error_message(kerror)); 229 return(1); 230 } 231 232 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 233 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 234 error_message(kerror), principal); 235 return(1); 236 } 237 238 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 239 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 240 error_message(kerror), principal); 241 return(1); 242 } 243 244 kerror = krb5_cc_initialize(kcontext, ccache, me); 245 if (kerror != 0) { 246 syslog(LOG_NOTICE, "%s when initializing cache %s", 247 error_message(kerror), tkt_location); 248 return(1); 249 } 250 251 memset((char *)&my_creds, 0, sizeof(my_creds)); 252 253 my_creds.client = me; 254 255 if ((kerror = krb5_build_principal_ext(kcontext, 256 &server, 257 krb5_princ_realm(kcontext, me)->length, 258 krb5_princ_realm(kcontext, me)->data, 259 tgtname.length, tgtname.data, 260 krb5_princ_realm(kcontext, me)->length, 261 krb5_princ_realm(kcontext, me)->data, 262 0)) != 0) { 263 syslog(LOG_NOTICE, "%s while building server name", 264 error_message(kerror)); 265 return(1); 266 } 267 268 my_creds.server = server; 269 270 kerror = krb5_os_localaddr(kcontext, &my_addresses); 271 if (kerror != 0) { 272 syslog(LOG_NOTICE, "%s when getting my address", 273 error_message(kerror)); 274 return(1); 275 } 276 277 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 278 syslog(LOG_NOTICE, "%s while getting time of day", 279 error_message(kerror)); 280 return(1); 281 } 282 my_creds.times.starttime = 0; /* start timer when request 283 gets to KDC */ 284 my_creds.times.endtime = now + lifetime; 285 my_creds.times.renew_till = 0; 286 287 kerror = krb5_get_in_tkt_with_password(kcontext, options, 288 my_addresses, 289 NULL, 290 NULL, 291 password, 292 ccache, 293 &my_creds, 0); 294 295 krb5_free_principal(kcontext, server); 296 krb5_free_addresses(kcontext, my_addresses); 297 298 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 299 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 300 301 if (kerror) { 302 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 303 printf("%s: Kerberos Password incorrect\n", principal); 304 else 305 printf("%s while getting initial credentials\n", error_message(kerror)); 306 307 return(1); 308 } 309 310 /* Success */ 311 notickets = 0; 312 return(0); 313 } 314 315 /* 316 * Remove any credentials 317 */ 318 void 319 kdestroy() 320 { 321 krb5_error_code code; 322 krb5_ccache ccache = NULL; 323 324 if (krbtkfile_env == NULL) 325 return; 326 327 code = krb5_cc_resolve(kcontext, krbtkfile_env, &ccache); 328 if (!code) { 329 code = krb5_cc_destroy(kcontext, ccache); 330 if (!code) { 331 krb5_cc_close(kcontext, ccache); 332 } 333 } 334 } 335 #endif 336
Indexes created Thu Sep 25 16:09:42 GMT 2025