1 /* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
3 * Kerberos v5 authentication and ticket-passing routines.
5 * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
8 * Copyright (c) 2002 Daniel Kouril. All rights reserved.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include <sys/types.h>
56 extern ServerOptions options
;
59 krb5_init(void *context
)
61 Authctxt
*authctxt
= (Authctxt
*)context
;
62 krb5_error_code problem
;
64 if (authctxt
->krb5_ctx
== NULL
) {
65 problem
= krb5_init_context(&authctxt
->krb5_ctx
);
73 auth_krb5_password(Authctxt
*authctxt
, const char *password
)
77 krb5_principal server
;
79 krb5_error_code problem
;
80 krb5_ccache ccache
= NULL
;
82 char *client
, *platform_client
;
85 /* get platform-specific kerberos client principal name (if it exists) */
86 platform_client
= platform_krb5_get_principal_name(authctxt
->pw
->pw_name
);
87 client
= platform_client
? platform_client
: authctxt
->pw
->pw_name
;
89 temporarily_use_uid(authctxt
->pw
);
91 problem
= krb5_init(authctxt
);
95 problem
= krb5_parse_name(authctxt
->krb5_ctx
, client
,
96 &authctxt
->krb5_user
);
101 # ifdef HAVE_KRB5_CC_NEW_UNIQUE
102 problem
= krb5_cc_new_unique(authctxt
->krb5_ctx
,
103 krb5_mcc_ops
.prefix
, NULL
, &ccache
);
105 problem
= krb5_cc_gen_new(authctxt
->krb5_ctx
, &krb5_mcc_ops
, &ccache
);
110 problem
= krb5_cc_initialize(authctxt
->krb5_ctx
, ccache
,
111 authctxt
->krb5_user
);
117 problem
= krb5_verify_user(authctxt
->krb5_ctx
, authctxt
->krb5_user
,
118 ccache
, password
, 1, NULL
);
120 temporarily_use_uid(authctxt
->pw
);
125 # ifdef HAVE_KRB5_CC_NEW_UNIQUE
126 problem
= krb5_cc_new_unique(authctxt
->krb5_ctx
,
127 krb5_fcc_ops
.prefix
, NULL
, &authctxt
->krb5_fwd_ccache
);
129 problem
= krb5_cc_gen_new(authctxt
->krb5_ctx
, &krb5_fcc_ops
,
130 &authctxt
->krb5_fwd_ccache
);
135 problem
= krb5_cc_copy_cache(authctxt
->krb5_ctx
, ccache
,
136 authctxt
->krb5_fwd_ccache
);
137 krb5_cc_destroy(authctxt
->krb5_ctx
, ccache
);
143 problem
= krb5_get_init_creds_password(authctxt
->krb5_ctx
, &creds
,
144 authctxt
->krb5_user
, (char *)password
, NULL
, NULL
, 0, NULL
, NULL
);
148 problem
= krb5_sname_to_principal(authctxt
->krb5_ctx
, NULL
, NULL
,
149 KRB5_NT_SRV_HST
, &server
);
154 problem
= krb5_verify_init_creds(authctxt
->krb5_ctx
, &creds
, server
,
156 krb5_free_principal(authctxt
->krb5_ctx
, server
);
157 temporarily_use_uid(authctxt
->pw
);
161 if (!krb5_kuserok(authctxt
->krb5_ctx
, authctxt
->krb5_user
,
162 authctxt
->pw
->pw_name
)) {
167 problem
= ssh_krb5_cc_gen(authctxt
->krb5_ctx
, &authctxt
->krb5_fwd_ccache
);
171 problem
= krb5_cc_initialize(authctxt
->krb5_ctx
, authctxt
->krb5_fwd_ccache
,
172 authctxt
->krb5_user
);
176 problem
= krb5_cc_store_cred(authctxt
->krb5_ctx
, authctxt
->krb5_fwd_ccache
,
182 authctxt
->krb5_ticket_file
= (char *)krb5_cc_get_name(authctxt
->krb5_ctx
, authctxt
->krb5_fwd_ccache
);
184 len
= strlen(authctxt
->krb5_ticket_file
) + 6;
185 authctxt
->krb5_ccname
= xmalloc(len
);
186 snprintf(authctxt
->krb5_ccname
, len
, "FILE:%s",
187 authctxt
->krb5_ticket_file
);
191 do_pam_putenv("KRB5CCNAME", authctxt
->krb5_ccname
);
197 free(platform_client
);
201 krb5_cc_destroy(authctxt
->krb5_ctx
, ccache
);
203 if (authctxt
->krb5_ctx
!= NULL
&& problem
!=-1) {
204 errmsg
= krb5_get_error_message(authctxt
->krb5_ctx
,
206 debug("Kerberos password authentication failed: %s",
208 krb5_free_error_message(authctxt
->krb5_ctx
, errmsg
);
210 debug("Kerberos password authentication failed: %d",
213 krb5_cleanup_proc(authctxt
);
215 if (options
.kerberos_or_local_passwd
)
220 return (authctxt
->valid
? 1 : 0);
224 krb5_cleanup_proc(Authctxt
*authctxt
)
226 debug("krb5_cleanup_proc called");
227 if (authctxt
->krb5_fwd_ccache
) {
228 krb5_cc_destroy(authctxt
->krb5_ctx
, authctxt
->krb5_fwd_ccache
);
229 authctxt
->krb5_fwd_ccache
= NULL
;
231 if (authctxt
->krb5_user
) {
232 krb5_free_principal(authctxt
->krb5_ctx
, authctxt
->krb5_user
);
233 authctxt
->krb5_user
= NULL
;
235 if (authctxt
->krb5_ctx
) {
236 krb5_free_context(authctxt
->krb5_ctx
);
237 authctxt
->krb5_ctx
= NULL
;
243 ssh_krb5_cc_gen(krb5_context ctx
, krb5_ccache
*ccache
) {
244 int tmpfd
, ret
, oerrno
;
248 ret
= snprintf(ccname
, sizeof(ccname
),
249 "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
250 if (ret
< 0 || (size_t)ret
>= sizeof(ccname
))
253 old_umask
= umask(0177);
254 tmpfd
= mkstemp(ccname
+ strlen("FILE:"));
258 logit("mkstemp(): %.100s", strerror(oerrno
));
262 if (fchmod(tmpfd
,S_IRUSR
| S_IWUSR
) == -1) {
264 logit("fchmod(): %.100s", strerror(oerrno
));
270 return (krb5_cc_resolve(ctx
, ccname
, ccache
));
272 #endif /* !HEIMDAL */