search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
This commit was manufactured by cvs2svn to create tag
[heimdal.git] / appl / telnet / libtelnet / kerberos5.c
blob5229b65298c4b2ad27564d1690a6aefd6ab57c64
1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #include <config.h>
55
56 RCSID("$Id$");
57
58 #ifdef KRB5
59
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71 #include <roken.h>
72 #ifdef SOCKS
73 #include <socks.h>
74 #endif
75
76
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc.h"
80
81 #if defined(DCE)
82 int dfsk5ok = 0;
83 int dfspag = 0;
84 int dfsfwd = 0;
85 #endif
86
87 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
88
89 int forward(int);
90 int forwardable(int);
91
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS 0x00000002
95 #define OPTS_FORWARDABLE_CREDS 0x00000001
96
97
98 void kerberos5_forward (Authenticator *);
99
100 static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };
101
102 #define KRB_AUTH 0 /* Authentication data follows */
103 #define KRB_REJECT 1 /* Rejected (reason might follow) */
104 #define KRB_ACCEPT 2 /* Accepted */
105 #define KRB_RESPONSE 3 /* Response for mutual auth. */
106
107 #define KRB_FORWARD 4 /* Forwarded credentials follow */
108 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
109 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
110
111 static krb5_data auth;
112 static krb5_ticket *ticket;
113
114 static krb5_context context;
115 static krb5_auth_context auth_context;
116
117 static int
118 Data(Authenticator *ap, int type, void *d, int c)
119 {
120 unsigned char *cd = (unsigned char *)d;
121 unsigned char *p0, *p;
122 size_t len = sizeof(str_data) + 3 + 2;
123 int ret;
124
125 if (c == -1)
126 c = strlen((char*)cd);
127
128 for (p = cd; p - cd < c; p++, len++)
129 if (*p == IAC)
130 len++;
131
132 p0 = malloc(len);
133 if (p0 == NULL)
134 return 0;
135
136 memcpy(p0, str_data, sizeof(str_data));
137 p = p0 + sizeof(str_data);
138
139 if (auth_debug_mode) {
140 printf("%s:%d: [%d] (%d)",
141 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
142 str_data[3],
143 type, c);
144 printd(d, c);
145 printf("\r\n");
146 }
147 *p++ = ap->type;
148 *p++ = ap->way;
149 *p++ = type;
150 while (c-- > 0) {
151 if ((*p++ = *cd++) == IAC)
152 *p++ = IAC;
153 }
154 *p++ = IAC;
155 *p++ = SE;
156 if (str_data[3] == TELQUAL_IS)
157 printsub('>', &p0[2], len - 2);
158 ret = telnet_net_write(p0, len);
159 free(p0);
160 return ret;
161 }
162
163 int
164 kerberos5_init(Authenticator *ap, int server)
165 {
166 krb5_error_code ret;
167
168 ret = krb5_init_context(&context);
169 if (ret)
170 return 0;
171 if (server) {
172 krb5_keytab kt;
173 krb5_kt_cursor cursor;
174
175 ret = krb5_kt_default(context, &kt);
176 if (ret)
177 return 0;
178
179 ret = krb5_kt_start_seq_get (context, kt, &cursor);
180 if (ret) {
181 krb5_kt_close (context, kt);
182 return 0;
183 }
184 krb5_kt_end_seq_get (context, kt, &cursor);
185 krb5_kt_close (context, kt);
186
187 str_data[3] = TELQUAL_REPLY;
188 } else
189 str_data[3] = TELQUAL_IS;
190 return(1);
191 }
192
193 extern int net;
194 static int
195 kerberos5_send(char *name, Authenticator *ap)
196 {
197 krb5_error_code ret;
198 krb5_ccache ccache;
199 int ap_opts;
200 krb5_data cksum_data;
201 char foo[2];
202
203 if (!UserNameRequested) {
204 if (auth_debug_mode) {
205 printf("Kerberos V5: no user name supplied\r\n");
206 }
207 return(0);
208 }
209
210 ret = krb5_cc_default(context, &ccache);
211 if (ret) {
212 if (auth_debug_mode) {
213 printf("Kerberos V5: could not get default ccache: %s\r\n",
214 krb5_get_err_text (context, ret));
215 }
216 return 0;
217 }
218
219 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
220 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
221 else
222 ap_opts = 0;
223
224 ap_opts |= AP_OPTS_USE_SUBKEY;
225
226 ret = krb5_auth_con_init (context, &auth_context);
227 if (ret) {
228 if (auth_debug_mode) {
229 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
230 krb5_get_err_text(context, ret));
231 }
232 return(0);
233 }
234
235 ret = krb5_auth_con_setaddrs_from_fd (context,
236 auth_context,
237 &net);
238 if (ret) {
239 if (auth_debug_mode) {
240 printf ("Kerberos V5:"
241 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
242 krb5_get_err_text(context, ret));
243 }
244 return(0);
245 }
246
247 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
248
249 foo[0] = ap->type;
250 foo[1] = ap->way;
251
252 cksum_data.length = sizeof(foo);
253 cksum_data.data = foo;
254
255
256 {
257 krb5_principal service;
258 char sname[128];
259
260
261 ret = krb5_sname_to_principal (context,
262 RemoteHostName,
263 NULL,
264 KRB5_NT_SRV_HST,
265 &service);
266 if(ret) {
267 if (auth_debug_mode) {
268 printf ("Kerberos V5:"
269 " krb5_sname_to_principal(%s) failed (%s)\r\n",
270 RemoteHostName, krb5_get_err_text(context, ret));
271 }
272 return 0;
273 }
274 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
275 if(ret) {
276 if (auth_debug_mode) {
277 printf ("Kerberos V5:"
278 " krb5_unparse_name_fixed failed (%s)\r\n",
279 krb5_get_err_text(context, ret));
280 }
281 return 0;
282 }
283 printf("[ Trying %s (%s)... ]\r\n", name, sname);
284 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
285 service,
286 &cksum_data, ccache, &auth);
287 krb5_free_principal (context, service);
288
289 }
290 if (ret) {
291 if (1 || auth_debug_mode) {
292 printf("Kerberos V5: mk_req failed (%s)\r\n",
293 krb5_get_err_text(context, ret));
294 }
295 return(0);
296 }
297
298 if (!auth_sendname((unsigned char *)UserNameRequested,
299 strlen(UserNameRequested))) {
300 if (auth_debug_mode)
301 printf("Not enough room for user name\r\n");
302 return(0);
303 }
304 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
305 if (auth_debug_mode)
306 printf("Not enough room for authentication data\r\n");
307 return(0);
308 }
309 if (auth_debug_mode) {
310 printf("Sent Kerberos V5 credentials to server\r\n");
311 }
312 return(1);
313 }
314
315 int
316 kerberos5_send_mutual(Authenticator *ap)
317 {
318 return kerberos5_send("mutual KERBEROS5", ap);
319 }
320
321 int
322 kerberos5_send_oneway(Authenticator *ap)
323 {
324 return kerberos5_send("KERBEROS5", ap);
325 }
326
327 void
328 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
329 {
330 krb5_error_code ret;
331 krb5_data outbuf;
332 krb5_keyblock *key_block;
333 char *name;
334 krb5_principal server;
335 int zero = 0;
336
337 if (cnt-- < 1)
338 return;
339 switch (*data++) {
340 case KRB_AUTH:
341 auth.data = (char *)data;
342 auth.length = cnt;
343
344 auth_context = NULL;
345
346 ret = krb5_auth_con_init (context, &auth_context);
347 if (ret) {
348 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
349 auth_finished(ap, AUTH_REJECT);
350 if (auth_debug_mode)
351 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
352 krb5_get_err_text(context, ret));
353 return;
354 }
355
356 ret = krb5_auth_con_setaddrs_from_fd (context,
357 auth_context,
358 &zero);
359 if (ret) {
360 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
361 auth_finished(ap, AUTH_REJECT);
362 if (auth_debug_mode)
363 printf("Kerberos V5: "
364 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
365 krb5_get_err_text(context, ret));
366 return;
367 }
368
369 ret = krb5_sock_to_principal (context,
370 0,
371 "host",
372 KRB5_NT_SRV_HST,
373 &server);
374 if (ret) {
375 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
376 auth_finished(ap, AUTH_REJECT);
377 if (auth_debug_mode)
378 printf("Kerberos V5: "
379 "krb5_sock_to_principal failed (%s)\r\n",
380 krb5_get_err_text(context, ret));
381 return;
382 }
383
384 ret = krb5_rd_req(context,
385 &auth_context,
386 &auth,
387 server,
388 NULL,
389 NULL,
390 &ticket);
391
392 krb5_free_principal (context, server);
393 if (ret) {
394 char *errbuf;
395
396 asprintf(&errbuf,
397 "Read req failed: %s",
398 krb5_get_err_text(context, ret));
399 Data(ap, KRB_REJECT, errbuf, -1);
400 if (auth_debug_mode)
401 printf("%s\r\n", errbuf);
402 free (errbuf);
403 return;
404 }
405
406 {
407 char foo[2];
408
409 foo[0] = ap->type;
410 foo[1] = ap->way;
411
412 ret = krb5_verify_authenticator_checksum(context,
413 auth_context,
414 foo,
415 sizeof(foo));
416
417 if (ret) {
418 char *errbuf;
419 asprintf(&errbuf, "Bad checksum: %s",
420 krb5_get_err_text(context, ret));
421 Data(ap, KRB_REJECT, errbuf, -1);
422 if (auth_debug_mode)
423 printf ("%s\r\n", errbuf);
424 free(errbuf);
425 return;
426 }
427 }
428 ret = krb5_auth_con_getremotesubkey (context,
429 auth_context,
430 &key_block);
431
432 if (ret) {
433 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
434 auth_finished(ap, AUTH_REJECT);
435 if (auth_debug_mode)
436 printf("Kerberos V5: "
437 "krb5_auth_con_getremotesubkey failed (%s)\r\n",
438 krb5_get_err_text(context, ret));
439 return;
440 }
441
442 if (key_block == NULL) {
443 ret = krb5_auth_con_getkey(context,
444 auth_context,
445 &key_block);
446 }
447 if (ret) {
448 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
449 auth_finished(ap, AUTH_REJECT);
450 if (auth_debug_mode)
451 printf("Kerberos V5: "
452 "krb5_auth_con_getkey failed (%s)\r\n",
453 krb5_get_err_text(context, ret));
454 return;
455 }
456 if (key_block == NULL) {
457 Data(ap, KRB_REJECT, "no subkey received", -1);
458 auth_finished(ap, AUTH_REJECT);
459 if (auth_debug_mode)
460 printf("Kerberos V5: "
461 "krb5_auth_con_getremotesubkey returned NULL key\r\n");
462 return;
463 }
464
465 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
466 ret = krb5_mk_rep(context, auth_context, &outbuf);
467 if (ret) {
468 Data(ap, KRB_REJECT,
469 "krb5_mk_rep failed", -1);
470 auth_finished(ap, AUTH_REJECT);
471 if (auth_debug_mode)
472 printf("Kerberos V5: "
473 "krb5_mk_rep failed (%s)\r\n",
474 krb5_get_err_text(context, ret));
475 return;
476 }
477 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
478 }
479 if (krb5_unparse_name(context, ticket->client, &name))
480 name = 0;
481
482 if(UserNameRequested && krb5_kuserok(context,
483 ticket->client,
484 UserNameRequested)) {
485 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
486 if (auth_debug_mode) {
487 printf("Kerberos5 identifies him as ``%s''\r\n",
488 name ? name : "");
489 }
490
491 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
492 key_block->keytype == ETYPE_DES_CBC_MD4 ||
493 key_block->keytype == ETYPE_DES_CBC_CRC) {
494 Session_Key skey;
495
496 skey.type = SK_DES;
497 skey.length = 8;
498 skey.data = key_block->keyvalue.data;
499 encrypt_session_key(&skey, 0);
500 }
501
502 } else {
503 char *msg;
504
505 asprintf (&msg, "user `%s' is not authorized to "
506 "login as `%s'",
507 name ? name : "<unknown>",
508 UserNameRequested ? UserNameRequested : "<nobody>");
509 if (msg == NULL)
510 Data(ap, KRB_REJECT, NULL, 0);
511 else {
512 Data(ap, KRB_REJECT, (void *)msg, -1);
513 free(msg);
514 }
515 auth_finished (ap, AUTH_REJECT);
516 krb5_free_keyblock_contents(context, key_block);
517 break;
518 }
519 auth_finished(ap, AUTH_USER);
520 krb5_free_keyblock_contents(context, key_block);
521
522 break;
523 case KRB_FORWARD: {
524 struct passwd *pwd;
525 char ccname[1024]; /* XXX */
526 krb5_data inbuf;
527 krb5_ccache ccache;
528 inbuf.data = (char *)data;
529 inbuf.length = cnt;
530
531 pwd = getpwnam (UserNameRequested);
532 if (pwd == NULL)
533 break;
534
535 snprintf (ccname, sizeof(ccname),
536 "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
537
538 ret = krb5_cc_resolve (context, ccname, &ccache);
539 if (ret) {
540 if (auth_debug_mode)
541 printf ("Kerberos V5: could not get ccache: %s\r\n",
542 krb5_get_err_text(context, ret));
543 break;
544 }
545
546 ret = krb5_cc_initialize (context,
547 ccache,
548 ticket->client);
549 if (ret) {
550 if (auth_debug_mode)
551 printf ("Kerberos V5: could not init ccache: %s\r\n",
552 krb5_get_err_text(context, ret));
553 break;
554 }
555
556 #if defined(DCE)
557 esetenv("KRB5CCNAME", ccname, 1);
558 #endif
559 ret = krb5_rd_cred2 (context,
560 auth_context,
561 ccache,
562 &inbuf);
563 if(ret) {
564 char *errbuf;
565
566 asprintf (&errbuf,
567 "Read forwarded creds failed: %s",
568 krb5_get_err_text (context, ret));
569 if(errbuf == NULL)
570 Data(ap, KRB_FORWARD_REJECT, NULL, 0);
571 else
572 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
573 if (auth_debug_mode)
574 printf("Could not read forwarded credentials: %s\r\n",
575 errbuf);
576 free (errbuf);
577 } else {
578 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
579 #if defined(DCE)
580 dfsfwd = 1;
581 #endif
582 }
583 chown (ccname + 5, pwd->pw_uid, -1);
584 if (auth_debug_mode)
585 printf("Forwarded credentials obtained\r\n");
586 break;
587 }
588 default:
589 if (auth_debug_mode)
590 printf("Unknown Kerberos option %d\r\n", data[-1]);
591 Data(ap, KRB_REJECT, 0, 0);
592 break;
593 }
594 }
595
596 void
597 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
598 {
599 static int mutual_complete = 0;
600
601 if (cnt-- < 1)
602 return;
603 switch (*data++) {
604 case KRB_REJECT:
605 if (cnt > 0) {
606 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
607 cnt, data);
608 } else
609 printf("[ Kerberos V5 refuses authentication ]\r\n");
610 auth_send_retry();
611 return;
612 case KRB_ACCEPT: {
613 krb5_error_code ret;
614 Session_Key skey;
615 krb5_keyblock *keyblock;
616
617 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
618 !mutual_complete) {
619 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
620 auth_send_retry();
621 return;
622 }
623 if (cnt)
624 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
625 else
626 printf("[ Kerberos V5 accepts you ]\r\n");
627
628 ret = krb5_auth_con_getlocalsubkey (context,
629 auth_context,
630 &keyblock);
631 if (ret)
632 ret = krb5_auth_con_getkey (context,
633 auth_context,
634 &keyblock);
635 if(ret) {
636 printf("[ krb5_auth_con_getkey: %s ]\r\n",
637 krb5_get_err_text(context, ret));
638 auth_send_retry();
639 return;
640 }
641
642 skey.type = SK_DES;
643 skey.length = 8;
644 skey.data = keyblock->keyvalue.data;
645 encrypt_session_key(&skey, 0);
646 krb5_free_keyblock_contents (context, keyblock);
647 auth_finished(ap, AUTH_USER);
648 if (forward_flags & OPTS_FORWARD_CREDS)
649 kerberos5_forward(ap);
650 break;
651 }
652 case KRB_RESPONSE:
653 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
654 /* the rest of the reply should contain a krb_ap_rep */
655 krb5_ap_rep_enc_part *reply;
656 krb5_data inbuf;
657 krb5_error_code ret;
658
659 inbuf.length = cnt;
660 inbuf.data = (char *)data;
661
662 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
663 if (ret) {
664 printf("[ Mutual authentication failed: %s ]\r\n",
665 krb5_get_err_text (context, ret));
666 auth_send_retry();
667 return;
668 }
669 krb5_free_ap_rep_enc_part(context, reply);
670 mutual_complete = 1;
671 }
672 return;
673 case KRB_FORWARD_ACCEPT:
674 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
675 return;
676 case KRB_FORWARD_REJECT:
677 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
678 cnt, data);
679 return;
680 default:
681 if (auth_debug_mode)
682 printf("Unknown Kerberos option %d\r\n", data[-1]);
683 return;
684 }
685 }
686
687 int
688 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
689 {
690 if (level < AUTH_USER)
691 return(level);
692
693 if (UserNameRequested &&
694 krb5_kuserok(context,
695 ticket->client,
696 UserNameRequested))
697 {
698 strlcpy(name, UserNameRequested, name_sz);
699 #if defined(DCE)
700 dfsk5ok = 1;
701 #endif
702 return(AUTH_VALID);
703 } else
704 return(AUTH_USER);
705 }
706
707 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
708 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
709
710 void
711 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
712 {
713 int i;
714
715 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
716 buflen -= 1;
717
718 switch(data[3]) {
719 case KRB_REJECT: /* Rejected (reason might follow) */
720 strlcpy((char *)buf, " REJECT ", buflen);
721 goto common;
722
723 case KRB_ACCEPT: /* Accepted (name might follow) */
724 strlcpy((char *)buf, " ACCEPT ", buflen);
725 common:
726 BUMP(buf, buflen);
727 if (cnt <= 4)
728 break;
729 ADDC(buf, buflen, '"');
730 for (i = 4; i < cnt; i++)
731 ADDC(buf, buflen, data[i]);
732 ADDC(buf, buflen, '"');
733 ADDC(buf, buflen, '\0');
734 break;
735
736
737 case KRB_AUTH: /* Authentication data follows */
738 strlcpy((char *)buf, " AUTH", buflen);
739 goto common2;
740
741 case KRB_RESPONSE:
742 strlcpy((char *)buf, " RESPONSE", buflen);
743 goto common2;
744
745 case KRB_FORWARD: /* Forwarded credentials follow */
746 strlcpy((char *)buf, " FORWARD", buflen);
747 goto common2;
748
749 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
750 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
751 goto common2;
752
753 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
754 /* (reason might follow) */
755 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
756 goto common2;
757
758 default:
759 snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
760 common2:
761 BUMP(buf, buflen);
762 for (i = 4; i < cnt; i++) {
763 snprintf((char*)buf, buflen, " %d", data[i]);
764 BUMP(buf, buflen);
765 }
766 break;
767 }
768 }
769
770 void
771 kerberos5_forward(Authenticator *ap)
772 {
773 krb5_error_code ret;
774 krb5_ccache ccache;
775 krb5_creds creds;
776 krb5_kdc_flags flags;
777 krb5_data out_data;
778 krb5_principal principal;
779
780 ret = krb5_cc_default (context, &ccache);
781 if (ret) {
782 if (auth_debug_mode)
783 printf ("KerberosV5: could not get default ccache: %s\r\n",
784 krb5_get_err_text (context, ret));
785 return;
786 }
787
788 ret = krb5_cc_get_principal (context, ccache, &principal);
789 if (ret) {
790 if (auth_debug_mode)
791 printf ("KerberosV5: could not get principal: %s\r\n",
792 krb5_get_err_text (context, ret));
793 return;
794 }
795
796 memset (&creds, 0, sizeof(creds));
797
798 creds.client = principal;
799
800 ret = krb5_build_principal (context,
801 &creds.server,
802 strlen(principal->realm),
803 principal->realm,
804 "krbtgt",
805 principal->realm,
806 NULL);
807
808 if (ret) {
809 if (auth_debug_mode)
810 printf ("KerberosV5: could not get principal: %s\r\n",
811 krb5_get_err_text (context, ret));
812 return;
813 }
814
815 creds.times.endtime = 0;
816
817 flags.i = 0;
818 flags.b.forwarded = 1;
819 if (forward_flags & OPTS_FORWARDABLE_CREDS)
820 flags.b.forwardable = 1;
821
822 ret = krb5_get_forwarded_creds (context,
823 auth_context,
824 ccache,
825 flags.i,
826 RemoteHostName,
827 &creds,
828 &out_data);
829 if (ret) {
830 if (auth_debug_mode)
831 printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
832 krb5_get_err_text (context, ret));
833 return;
834 }
835
836 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
837 if (auth_debug_mode)
838 printf("Not enough room for authentication data\r\n");
839 } else {
840 if (auth_debug_mode)
841 printf("Forwarded local Kerberos V5 credentials to server\r\n");
842 }
843 }
844
845 #if defined(DCE)
846 /* if this was a K5 authentication try and join a PAG for the user. */
847 void
848 kerberos5_dfspag(void)
849 {
850 if (dfsk5ok) {
851 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
852 UserNameRequested);
853 }
854 }
855 #endif
856
857 int
858 kerberos5_set_forward(int on)
859 {
860 if(on == 0)
861 forward_flags &= ~OPTS_FORWARD_CREDS;
862 if(on == 1)
863 forward_flags |= OPTS_FORWARD_CREDS;
864 if(on == -1)
865 forward_flags ^= OPTS_FORWARD_CREDS;
866 return 0;
867 }
868
869 int
870 kerberos5_set_forwardable(int on)
871 {
872 if(on == 0)
873 forward_flags &= ~OPTS_FORWARDABLE_CREDS;
874 if(on == 1)
875 forward_flags |= OPTS_FORWARDABLE_CREDS;
876 if(on == -1)
877 forward_flags ^= OPTS_FORWARDABLE_CREDS;
878 return 0;
879 }
880
881 #endif /* KRB5 */
Heimdal