k5login.c revision 1.9
1 /* $NetBSD: k5login.c,v 1.9 1999/12/05 23:39:11 aidan Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 #if 0 39 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; 40 #endif 41 __RCSID("$NetBSD: k5login.c,v 1.9 1999/12/05 23:39:11 aidan Exp $"); 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 #include <sys/param.h> 46 #include <sys/syslog.h> 47 #include <krb5/krb5.h> 48 #include <kerberosIV/com_err.h> 49 #include <pwd.h> 50 #include <netdb.h> 51 #include <stdio.h> 52 #include <stdlib.h> 53 #include <string.h> 54 #include <unistd.h> 55 56 #define KRB5_DEFAULT_OPTIONS 0 57 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 58 59 krb5_data tgtname = { 60 0, 61 KRB5_TGS_NAME_SIZE, 62 KRB5_TGS_NAME 63 }; 64 65 krb5_context kcontext; 66 67 int notickets; 68 char *krbtkfile_env; 69 extern char *tty; 70 71 static char tkt_location[MAXPATHLEN]; 72 static krb5_creds forw_creds; 73 int have_forward; 74 static krb5_principal me, server; 75 int use_krb5; 76 77 int k5_read_creds __P((char *)); 78 int k5_write_creds __P((void)); 79 int klogin __P((struct passwd *, char *, char *, char *)); 80 void kdestroy __P((void)); 81 82 /* 83 * Attempt to read forwarded kerberos creds 84 * 85 * return 0 on success (forwarded creds in memory) 86 * 1 if no forwarded creds. 87 */ 88 int 89 k5_read_creds(username) 90 char *username; 91 { 92 krb5_error_code code; 93 krb5_creds mcreds; 94 krb5_ccache ccache; 95 96 if (! use_krb5) 97 return(1); 98 99 have_forward = 0; 100 memset((char*) &mcreds, 0, sizeof(forw_creds)); 101 memset((char*) &forw_creds, 0, sizeof(forw_creds)); 102 103 code = krb5_cc_default(kcontext, &ccache); 104 if (code) { 105 com_err("login", code, "while getting default ccache"); 106 return(1); 107 } 108 109 code = krb5_parse_name(kcontext, username, &me); 110 if (code) { 111 com_err("login", code, "when parsing name %s", username); 112 return(1); 113 } 114 115 mcreds.client = me; 116 code = krb5_build_principal_ext(kcontext, &mcreds.server, 117 krb5_princ_realm(kcontext, me)->length, 118 krb5_princ_realm(kcontext, me)->data, 119 tgtname.length, tgtname.data, 120 krb5_princ_realm(kcontext, me)->length, 121 krb5_princ_realm(kcontext, me)->data, 122 0); 123 if (code) { 124 com_err("login", code, "while building server name"); 125 goto nuke_ccache; 126 } 127 128 code = krb5_cc_retrieve_cred(kcontext, ccache, 0, 129 &mcreds, &forw_creds); 130 if (code) { 131 com_err("login", code, "while retrieving V5 initial ticket for copy"); 132 goto nuke_ccache; 133 } 134 have_forward = 1; 135 136 strcpy(tkt_location, getenv("KRB5CCNAME")); 137 krbtkfile_env = tkt_location; 138 notickets = 0; 139 140 nuke_ccache: 141 krb5_cc_destroy(kcontext, ccache); 142 return(!have_forward); 143 } 144 145 int 146 k5_write_creds() 147 { 148 krb5_error_code code; 149 krb5_ccache ccache; 150 151 if (! use_krb5) 152 return(1); 153 if (!have_forward) 154 return(1); 155 code = krb5_cc_default(kcontext, &ccache); 156 if (code) { 157 com_err("login", code, "while getting default ccache"); 158 return(1); 159 } 160 161 code = krb5_cc_initialize(kcontext, ccache, me); 162 if (code) { 163 com_err("login", code, "while re-initializing V5 ccache as user"); 164 goto nuke_ccache_contents; 165 } 166 167 code = krb5_cc_store_cred(kcontext, ccache, &forw_creds); 168 if (code) { 169 com_err("login", code, "while re-storing V5 ccache as user"); 170 goto nuke_ccache_contents; 171 } 172 173 nuke_ccache_contents: 174 krb5_free_cred_contents(kcontext, &forw_creds); 175 return(code != 0); 176 } 177 178 /* 179 * Attempt to log the user in using Kerberos authentication 180 * 181 * return 0 on success (will be logged in) 182 * 1 if Kerberos failed (try local password in login) 183 */ 184 int 185 klogin(pw, instance, localhost, password) 186 struct passwd *pw; 187 char *instance, *localhost, *password; 188 { 189 krb5_error_code kerror; 190 krb5_address **my_addresses; 191 krb5_creds my_creds; 192 krb5_timestamp now; 193 krb5_ccache ccache = NULL; 194 long lifetime = KRB5_DEFAULT_LIFE; 195 int options = KRB5_DEFAULT_OPTIONS; 196 char *realm, *client_name; 197 char *principal; 198 199 /* 200 * Root logins don't use Kerberos. 201 * If we have a realm, try getting a ticket-granting ticket 202 * and using it to authenticate. Otherwise, return 203 * failure so that we can try the normal passwd file 204 * for a password. If that's ok, log the user in 205 * without issuing any tickets. 206 */ 207 if (! use_krb5 || 208 strcmp(pw->pw_name, "root") == 0 || 209 krb5_get_default_realm(kcontext, &realm)) 210 return (1); 211 212 /* 213 * get TGT for local realm 214 * tickets are stored in a file named TKT_ROOT plus uid 215 * except for user.root tickets. 216 */ 217 218 if (strcmp(instance, "root") != 0) 219 (void)snprintf(tkt_location, sizeof tkt_location, 220 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty); 221 else 222 (void)snprintf(tkt_location, sizeof tkt_location, 223 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty); 224 krbtkfile_env = tkt_location; 225 226 principal = (char *)malloc(strlen(pw->pw_name)+strlen(instance)+2); 227 strcpy(principal, pw->pw_name); /* XXX strcpy is safe */ 228 if (strlen(instance)) { 229 strcat(principal, "/"); /* XXX strcat is safe */ 230 strcat(principal, instance); /* XXX strcat is safe */ 231 } 232 233 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { 234 syslog(LOG_NOTICE, "warning: %s while getting default ccache", 235 error_message(kerror)); 236 return(1); 237 } 238 239 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { 240 syslog(LOG_NOTICE, "warning: %s when parsing name %s", 241 error_message(kerror), principal); 242 return(1); 243 } 244 245 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { 246 syslog(LOG_NOTICE, "warning: %s when unparsing name %s", 247 error_message(kerror), principal); 248 return(1); 249 } 250 251 kerror = krb5_cc_initialize(kcontext, ccache, me); 252 if (kerror != 0) { 253 syslog(LOG_NOTICE, "%s when initializing cache %s", 254 error_message(kerror), tkt_location); 255 return(1); 256 } 257 258 memset((char *)&my_creds, 0, sizeof(my_creds)); 259 260 my_creds.client = me; 261 262 if ((kerror = krb5_build_principal_ext(kcontext, 263 &server, 264 krb5_princ_realm(kcontext, me)->length, 265 krb5_princ_realm(kcontext, me)->data, 266 tgtname.length, tgtname.data, 267 krb5_princ_realm(kcontext, me)->length, 268 krb5_princ_realm(kcontext, me)->data, 269 0)) != 0) { 270 syslog(LOG_NOTICE, "%s while building server name", 271 error_message(kerror)); 272 return(1); 273 } 274 275 my_creds.server = server; 276 277 kerror = krb5_os_localaddr(kcontext, &my_addresses); 278 if (kerror != 0) { 279 syslog(LOG_NOTICE, "%s when getting my address", 280 error_message(kerror)); 281 return(1); 282 } 283 284 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { 285 syslog(LOG_NOTICE, "%s while getting time of day", 286 error_message(kerror)); 287 return(1); 288 } 289 my_creds.times.starttime = 0; /* start timer when request 290 gets to KDC */ 291 my_creds.times.endtime = now + lifetime; 292 my_creds.times.renew_till = 0; 293 294 kerror = krb5_get_in_tkt_with_password(kcontext, options, 295 my_addresses, 296 NULL, 297 NULL, 298 password, 299 ccache, 300 &my_creds, 0); 301 302 krb5_free_principal(kcontext, server); 303 krb5_free_addresses(kcontext, my_addresses); 304 305 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) 306 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); 307 308 if (kerror) { 309 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) 310 printf("%s: Kerberos Password incorrect\n", principal); 311 else 312 printf("%s while getting initial credentials\n", error_message(kerror)); 313 314 return(1); 315 } 316 317 /* Success */ 318 notickets = 0; 319 return(0); 320 } 321 322 /* 323 * Remove any credentials 324 */ 325 void 326 kdestroy() 327 { 328 krb5_error_code code; 329 krb5_ccache ccache = NULL; 330 331 if (! use_krb5 || krbtkfile_env == NULL) 332 return; 333 334 code = krb5_cc_resolve(kcontext, krbtkfile_env, &ccache); 335 if (!code) { 336 code = krb5_cc_destroy(kcontext, ccache); 337 if (!code) { 338 krb5_cc_close(kcontext, ccache); 339 } 340 } 341 } 342 #endif 343
Indexes created Wed Sep 24 15:09:51 GMT 2025