search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
This commit was manufactured by cvs2svn to create tag
[heimdal.git] / appl / telnet / libtelnet / kerberos5.c
blob192d4acfd356c5bc4d53b663c2af8b5cf765989a
1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #include <config.h>
55
56 RCSID("$Id$");
57
58 #ifdef KRB5
59
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71 #include <roken.h>
72 #ifdef SOCKS
73 #include <socks.h>
74 #endif
75
76
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc.h"
80
81 #if defined(DCE)
82 int dfsk5ok = 0;
83 int dfspag = 0;
84 int dfsfwd = 0;
85 #endif
86
87 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
88
89 int forward(int);
90 int forwardable(int);
91
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS 0x00000002
95 #define OPTS_FORWARDABLE_CREDS 0x00000001
96
97
98 void kerberos5_forward (Authenticator *);
99
100 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
101 AUTHTYPE_KERBEROS_V5, };
102
103 #define KRB_AUTH 0 /* Authentication data follows */
104 #define KRB_REJECT 1 /* Rejected (reason might follow) */
105 #define KRB_ACCEPT 2 /* Accepted */
106 #define KRB_RESPONSE 3 /* Response for mutual auth. */
107
108 #define KRB_FORWARD 4 /* Forwarded credentials follow */
109 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
110 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
111
112 static krb5_data auth;
113 static krb5_ticket *ticket;
114
115 static krb5_context context;
116 static krb5_auth_context auth_context;
117
118 static int
119 Data(Authenticator *ap, int type, void *d, int c)
120 {
121 unsigned char *p = str_data + 4;
122 unsigned char *cd = (unsigned char *)d;
123
124 if (c == -1)
125 c = strlen((char*)cd);
126
127 if (auth_debug_mode) {
128 printf("%s:%d: [%d] (%d)",
129 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
130 str_data[3],
131 type, c);
132 printd(d, c);
133 printf("\r\n");
134 }
135 *p++ = ap->type;
136 *p++ = ap->way;
137 *p++ = type;
138 while (c-- > 0) {
139 if ((*p++ = *cd++) == IAC)
140 *p++ = IAC;
141 }
142 *p++ = IAC;
143 *p++ = SE;
144 if (str_data[3] == TELQUAL_IS)
145 printsub('>', &str_data[2], p - &str_data[2]);
146 return(telnet_net_write(str_data, p - str_data));
147 }
148
149 int
150 kerberos5_init(Authenticator *ap, int server)
151 {
152 krb5_error_code ret;
153
154 ret = krb5_init_context(&context);
155 if (ret)
156 return 0;
157 if (server) {
158 krb5_keytab kt;
159 krb5_kt_cursor cursor;
160
161 ret = krb5_kt_default(context, &kt);
162 if (ret)
163 return 0;
164
165 ret = krb5_kt_start_seq_get (context, kt, &cursor);
166 if (ret) {
167 krb5_kt_close (context, kt);
168 return 0;
169 }
170 krb5_kt_end_seq_get (context, kt, &cursor);
171 krb5_kt_close (context, kt);
172
173 str_data[3] = TELQUAL_REPLY;
174 } else
175 str_data[3] = TELQUAL_IS;
176 return(1);
177 }
178
179 extern int net;
180 static int
181 kerberos5_send(char *name, Authenticator *ap)
182 {
183 krb5_error_code ret;
184 krb5_ccache ccache;
185 int ap_opts;
186 krb5_data cksum_data;
187 char foo[2];
188
189 if (!UserNameRequested) {
190 if (auth_debug_mode) {
191 printf("Kerberos V5: no user name supplied\r\n");
192 }
193 return(0);
194 }
195
196 ret = krb5_cc_default(context, &ccache);
197 if (ret) {
198 if (auth_debug_mode) {
199 printf("Kerberos V5: could not get default ccache: %s\r\n",
200 krb5_get_err_text (context, ret));
201 }
202 return 0;
203 }
204
205 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
206 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
207 else
208 ap_opts = 0;
209
210 ap_opts |= AP_OPTS_USE_SUBKEY;
211
212 ret = krb5_auth_con_init (context, &auth_context);
213 if (ret) {
214 if (auth_debug_mode) {
215 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
216 krb5_get_err_text(context, ret));
217 }
218 return(0);
219 }
220
221 ret = krb5_auth_con_setaddrs_from_fd (context,
222 auth_context,
223 &net);
224 if (ret) {
225 if (auth_debug_mode) {
226 printf ("Kerberos V5:"
227 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
228 krb5_get_err_text(context, ret));
229 }
230 return(0);
231 }
232
233 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
234
235 foo[0] = ap->type;
236 foo[1] = ap->way;
237
238 cksum_data.length = sizeof(foo);
239 cksum_data.data = foo;
240
241
242 {
243 krb5_principal service;
244 char sname[128];
245
246
247 ret = krb5_sname_to_principal (context,
248 RemoteHostName,
249 NULL,
250 KRB5_NT_SRV_HST,
251 &service);
252 if(ret) {
253 if (auth_debug_mode) {
254 printf ("Kerberos V5:"
255 " krb5_sname_to_principal(%s) failed (%s)\r\n",
256 RemoteHostName, krb5_get_err_text(context, ret));
257 }
258 return 0;
259 }
260 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
261 if(ret) {
262 if (auth_debug_mode) {
263 printf ("Kerberos V5:"
264 " krb5_unparse_name_fixed failed (%s)\r\n",
265 krb5_get_err_text(context, ret));
266 }
267 return 0;
268 }
269 printf("[ Trying %s (%s)... ]\r\n", name, sname);
270 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
271 service,
272 &cksum_data, ccache, &auth);
273 krb5_free_principal (context, service);
274
275 }
276 if (ret) {
277 if (1 || auth_debug_mode) {
278 printf("Kerberos V5: mk_req failed (%s)\r\n",
279 krb5_get_err_text(context, ret));
280 }
281 return(0);
282 }
283
284 if (!auth_sendname((unsigned char *)UserNameRequested,
285 strlen(UserNameRequested))) {
286 if (auth_debug_mode)
287 printf("Not enough room for user name\r\n");
288 return(0);
289 }
290 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
291 if (auth_debug_mode)
292 printf("Not enough room for authentication data\r\n");
293 return(0);
294 }
295 if (auth_debug_mode) {
296 printf("Sent Kerberos V5 credentials to server\r\n");
297 }
298 return(1);
299 }
300
301 int
302 kerberos5_send_mutual(Authenticator *ap)
303 {
304 return kerberos5_send("mutual KERBEROS5", ap);
305 }
306
307 int
308 kerberos5_send_oneway(Authenticator *ap)
309 {
310 return kerberos5_send("KERBEROS5", ap);
311 }
312
313 void
314 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
315 {
316 krb5_error_code ret;
317 krb5_data outbuf;
318 krb5_keyblock *key_block;
319 char *name;
320 krb5_principal server;
321 int zero = 0;
322
323 if (cnt-- < 1)
324 return;
325 switch (*data++) {
326 case KRB_AUTH:
327 auth.data = (char *)data;
328 auth.length = cnt;
329
330 auth_context = NULL;
331
332 ret = krb5_auth_con_init (context, &auth_context);
333 if (ret) {
334 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
335 auth_finished(ap, AUTH_REJECT);
336 if (auth_debug_mode)
337 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
338 krb5_get_err_text(context, ret));
339 return;
340 }
341
342 ret = krb5_auth_con_setaddrs_from_fd (context,
343 auth_context,
344 &zero);
345 if (ret) {
346 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
347 auth_finished(ap, AUTH_REJECT);
348 if (auth_debug_mode)
349 printf("Kerberos V5: "
350 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
351 krb5_get_err_text(context, ret));
352 return;
353 }
354
355 ret = krb5_sock_to_principal (context,
356 0,
357 "host",
358 KRB5_NT_SRV_HST,
359 &server);
360 if (ret) {
361 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
362 auth_finished(ap, AUTH_REJECT);
363 if (auth_debug_mode)
364 printf("Kerberos V5: "
365 "krb5_sock_to_principal failed (%s)\r\n",
366 krb5_get_err_text(context, ret));
367 return;
368 }
369
370 ret = krb5_rd_req(context,
371 &auth_context,
372 &auth,
373 server,
374 NULL,
375 NULL,
376 &ticket);
377
378 krb5_free_principal (context, server);
379 if (ret) {
380 char *errbuf;
381
382 asprintf(&errbuf,
383 "Read req failed: %s",
384 krb5_get_err_text(context, ret));
385 Data(ap, KRB_REJECT, errbuf, -1);
386 if (auth_debug_mode)
387 printf("%s\r\n", errbuf);
388 free (errbuf);
389 return;
390 }
391
392 {
393 char foo[2];
394
395 foo[0] = ap->type;
396 foo[1] = ap->way;
397
398 ret = krb5_verify_authenticator_checksum(context,
399 auth_context,
400 foo,
401 sizeof(foo));
402
403 if (ret) {
404 char *errbuf;
405 asprintf(&errbuf, "Bad checksum: %s",
406 krb5_get_err_text(context, ret));
407 Data(ap, KRB_REJECT, errbuf, -1);
408 if (auth_debug_mode)
409 printf ("%s\r\n", errbuf);
410 free(errbuf);
411 return;
412 }
413 }
414 ret = krb5_auth_con_getremotesubkey (context,
415 auth_context,
416 &key_block);
417
418 if (ret) {
419 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
420 auth_finished(ap, AUTH_REJECT);
421 if (auth_debug_mode)
422 printf("Kerberos V5: "
423 "krb5_auth_con_getremotesubkey failed (%s)\r\n",
424 krb5_get_err_text(context, ret));
425 return;
426 }
427
428 if (key_block == NULL) {
429 ret = krb5_auth_con_getkey(context,
430 auth_context,
431 &key_block);
432 }
433 if (ret) {
434 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
435 auth_finished(ap, AUTH_REJECT);
436 if (auth_debug_mode)
437 printf("Kerberos V5: "
438 "krb5_auth_con_getkey failed (%s)\r\n",
439 krb5_get_err_text(context, ret));
440 return;
441 }
442 if (key_block == NULL) {
443 Data(ap, KRB_REJECT, "no subkey received", -1);
444 auth_finished(ap, AUTH_REJECT);
445 if (auth_debug_mode)
446 printf("Kerberos V5: "
447 "krb5_auth_con_getremotesubkey returned NULL key\r\n");
448 return;
449 }
450
451 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
452 ret = krb5_mk_rep(context, auth_context, &outbuf);
453 if (ret) {
454 Data(ap, KRB_REJECT,
455 "krb5_mk_rep failed", -1);
456 auth_finished(ap, AUTH_REJECT);
457 if (auth_debug_mode)
458 printf("Kerberos V5: "
459 "krb5_mk_rep failed (%s)\r\n",
460 krb5_get_err_text(context, ret));
461 return;
462 }
463 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
464 }
465 if (krb5_unparse_name(context, ticket->client, &name))
466 name = 0;
467
468 if(UserNameRequested && krb5_kuserok(context,
469 ticket->client,
470 UserNameRequested)) {
471 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
472 if (auth_debug_mode) {
473 printf("Kerberos5 identifies him as ``%s''\r\n",
474 name ? name : "");
475 }
476
477 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
478 key_block->keytype == ETYPE_DES_CBC_MD4 ||
479 key_block->keytype == ETYPE_DES_CBC_CRC) {
480 Session_Key skey;
481
482 skey.type = SK_DES;
483 skey.length = 8;
484 skey.data = key_block->keyvalue.data;
485 encrypt_session_key(&skey, 0);
486 }
487
488 } else {
489 char *msg;
490
491 asprintf (&msg, "user `%s' is not authorized to "
492 "login as `%s'",
493 name ? name : "<unknown>",
494 UserNameRequested ? UserNameRequested : "<nobody>");
495 if (msg == NULL)
496 Data(ap, KRB_REJECT, NULL, 0);
497 else {
498 Data(ap, KRB_REJECT, (void *)msg, -1);
499 free(msg);
500 }
501 auth_finished (ap, AUTH_REJECT);
502 krb5_free_keyblock_contents(context, key_block);
503 break;
504 }
505 auth_finished(ap, AUTH_USER);
506 krb5_free_keyblock_contents(context, key_block);
507
508 break;
509 case KRB_FORWARD: {
510 struct passwd *pwd;
511 char ccname[1024]; /* XXX */
512 krb5_data inbuf;
513 krb5_ccache ccache;
514 inbuf.data = (char *)data;
515 inbuf.length = cnt;
516
517 pwd = getpwnam (UserNameRequested);
518 if (pwd == NULL)
519 break;
520
521 snprintf (ccname, sizeof(ccname),
522 "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
523
524 ret = krb5_cc_resolve (context, ccname, &ccache);
525 if (ret) {
526 if (auth_debug_mode)
527 printf ("Kerberos V5: could not get ccache: %s\r\n",
528 krb5_get_err_text(context, ret));
529 break;
530 }
531
532 ret = krb5_cc_initialize (context,
533 ccache,
534 ticket->client);
535 if (ret) {
536 if (auth_debug_mode)
537 printf ("Kerberos V5: could not init ccache: %s\r\n",
538 krb5_get_err_text(context, ret));
539 break;
540 }
541
542 #if defined(DCE)
543 esetenv("KRB5CCNAME", ccname, 1);
544 #endif
545 ret = krb5_rd_cred2 (context,
546 auth_context,
547 ccache,
548 &inbuf);
549 if(ret) {
550 char *errbuf;
551
552 asprintf (&errbuf,
553 "Read forwarded creds failed: %s",
554 krb5_get_err_text (context, ret));
555 if(errbuf == NULL)
556 Data(ap, KRB_FORWARD_REJECT, NULL, 0);
557 else
558 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
559 if (auth_debug_mode)
560 printf("Could not read forwarded credentials: %s\r\n",
561 errbuf);
562 free (errbuf);
563 } else {
564 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
565 #if defined(DCE)
566 dfsfwd = 1;
567 #endif
568 }
569 chown (ccname + 5, pwd->pw_uid, -1);
570 if (auth_debug_mode)
571 printf("Forwarded credentials obtained\r\n");
572 break;
573 }
574 default:
575 if (auth_debug_mode)
576 printf("Unknown Kerberos option %d\r\n", data[-1]);
577 Data(ap, KRB_REJECT, 0, 0);
578 break;
579 }
580 }
581
582 void
583 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
584 {
585 static int mutual_complete = 0;
586
587 if (cnt-- < 1)
588 return;
589 switch (*data++) {
590 case KRB_REJECT:
591 if (cnt > 0) {
592 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
593 cnt, data);
594 } else
595 printf("[ Kerberos V5 refuses authentication ]\r\n");
596 auth_send_retry();
597 return;
598 case KRB_ACCEPT: {
599 krb5_error_code ret;
600 Session_Key skey;
601 krb5_keyblock *keyblock;
602
603 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
604 !mutual_complete) {
605 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
606 auth_send_retry();
607 return;
608 }
609 if (cnt)
610 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
611 else
612 printf("[ Kerberos V5 accepts you ]\r\n");
613
614 ret = krb5_auth_con_getlocalsubkey (context,
615 auth_context,
616 &keyblock);
617 if (ret)
618 ret = krb5_auth_con_getkey (context,
619 auth_context,
620 &keyblock);
621 if(ret) {
622 printf("[ krb5_auth_con_getkey: %s ]\r\n",
623 krb5_get_err_text(context, ret));
624 auth_send_retry();
625 return;
626 }
627
628 skey.type = SK_DES;
629 skey.length = 8;
630 skey.data = keyblock->keyvalue.data;
631 encrypt_session_key(&skey, 0);
632 krb5_free_keyblock_contents (context, keyblock);
633 auth_finished(ap, AUTH_USER);
634 if (forward_flags & OPTS_FORWARD_CREDS)
635 kerberos5_forward(ap);
636 break;
637 }
638 case KRB_RESPONSE:
639 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
640 /* the rest of the reply should contain a krb_ap_rep */
641 krb5_ap_rep_enc_part *reply;
642 krb5_data inbuf;
643 krb5_error_code ret;
644
645 inbuf.length = cnt;
646 inbuf.data = (char *)data;
647
648 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
649 if (ret) {
650 printf("[ Mutual authentication failed: %s ]\r\n",
651 krb5_get_err_text (context, ret));
652 auth_send_retry();
653 return;
654 }
655 krb5_free_ap_rep_enc_part(context, reply);
656 mutual_complete = 1;
657 }
658 return;
659 case KRB_FORWARD_ACCEPT:
660 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
661 return;
662 case KRB_FORWARD_REJECT:
663 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
664 cnt, data);
665 return;
666 default:
667 if (auth_debug_mode)
668 printf("Unknown Kerberos option %d\r\n", data[-1]);
669 return;
670 }
671 }
672
673 int
674 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
675 {
676 if (level < AUTH_USER)
677 return(level);
678
679 if (UserNameRequested &&
680 krb5_kuserok(context,
681 ticket->client,
682 UserNameRequested))
683 {
684 strlcpy(name, UserNameRequested, name_sz);
685 #if defined(DCE)
686 dfsk5ok = 1;
687 #endif
688 return(AUTH_VALID);
689 } else
690 return(AUTH_USER);
691 }
692
693 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
694 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
695
696 void
697 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
698 {
699 int i;
700
701 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
702 buflen -= 1;
703
704 switch(data[3]) {
705 case KRB_REJECT: /* Rejected (reason might follow) */
706 strlcpy((char *)buf, " REJECT ", buflen);
707 goto common;
708
709 case KRB_ACCEPT: /* Accepted (name might follow) */
710 strlcpy((char *)buf, " ACCEPT ", buflen);
711 common:
712 BUMP(buf, buflen);
713 if (cnt <= 4)
714 break;
715 ADDC(buf, buflen, '"');
716 for (i = 4; i < cnt; i++)
717 ADDC(buf, buflen, data[i]);
718 ADDC(buf, buflen, '"');
719 ADDC(buf, buflen, '\0');
720 break;
721
722
723 case KRB_AUTH: /* Authentication data follows */
724 strlcpy((char *)buf, " AUTH", buflen);
725 goto common2;
726
727 case KRB_RESPONSE:
728 strlcpy((char *)buf, " RESPONSE", buflen);
729 goto common2;
730
731 case KRB_FORWARD: /* Forwarded credentials follow */
732 strlcpy((char *)buf, " FORWARD", buflen);
733 goto common2;
734
735 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
736 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
737 goto common2;
738
739 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
740 /* (reason might follow) */
741 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
742 goto common2;
743
744 default:
745 snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
746 common2:
747 BUMP(buf, buflen);
748 for (i = 4; i < cnt; i++) {
749 snprintf((char*)buf, buflen, " %d", data[i]);
750 BUMP(buf, buflen);
751 }
752 break;
753 }
754 }
755
756 void
757 kerberos5_forward(Authenticator *ap)
758 {
759 krb5_error_code ret;
760 krb5_ccache ccache;
761 krb5_creds creds;
762 krb5_kdc_flags flags;
763 krb5_data out_data;
764 krb5_principal principal;
765
766 ret = krb5_cc_default (context, &ccache);
767 if (ret) {
768 if (auth_debug_mode)
769 printf ("KerberosV5: could not get default ccache: %s\r\n",
770 krb5_get_err_text (context, ret));
771 return;
772 }
773
774 ret = krb5_cc_get_principal (context, ccache, &principal);
775 if (ret) {
776 if (auth_debug_mode)
777 printf ("KerberosV5: could not get principal: %s\r\n",
778 krb5_get_err_text (context, ret));
779 return;
780 }
781
782 memset (&creds, 0, sizeof(creds));
783
784 creds.client = principal;
785
786 ret = krb5_build_principal (context,
787 &creds.server,
788 strlen(principal->realm),
789 principal->realm,
790 "krbtgt",
791 principal->realm,
792 NULL);
793
794 if (ret) {
795 if (auth_debug_mode)
796 printf ("KerberosV5: could not get principal: %s\r\n",
797 krb5_get_err_text (context, ret));
798 return;
799 }
800
801 creds.times.endtime = 0;
802
803 flags.i = 0;
804 flags.b.forwarded = 1;
805 if (forward_flags & OPTS_FORWARDABLE_CREDS)
806 flags.b.forwardable = 1;
807
808 ret = krb5_get_forwarded_creds (context,
809 auth_context,
810 ccache,
811 flags.i,
812 RemoteHostName,
813 &creds,
814 &out_data);
815 if (ret) {
816 if (auth_debug_mode)
817 printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
818 krb5_get_err_text (context, ret));
819 return;
820 }
821
822 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
823 if (auth_debug_mode)
824 printf("Not enough room for authentication data\r\n");
825 } else {
826 if (auth_debug_mode)
827 printf("Forwarded local Kerberos V5 credentials to server\r\n");
828 }
829 }
830
831 #if defined(DCE)
832 /* if this was a K5 authentication try and join a PAG for the user. */
833 void
834 kerberos5_dfspag(void)
835 {
836 if (dfsk5ok) {
837 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
838 UserNameRequested);
839 }
840 }
841 #endif
842
843 int
844 kerberos5_set_forward(int on)
845 {
846 if(on == 0)
847 forward_flags &= ~OPTS_FORWARD_CREDS;
848 if(on == 1)
849 forward_flags |= OPTS_FORWARD_CREDS;
850 if(on == -1)
851 forward_flags ^= OPTS_FORWARD_CREDS;
852 return 0;
853 }
854
855 int
856 kerberos5_set_forwardable(int on)
857 {
858 if(on == 0)
859 forward_flags &= ~OPTS_FORWARDABLE_CREDS;
860 if(on == 1)
861 forward_flags |= OPTS_FORWARDABLE_CREDS;
862 if(on == -1)
863 forward_flags ^= OPTS_FORWARDABLE_CREDS;
864 return 0;
865 }
866
867 #endif /* KRB5 */
Heimdal