search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
<sys/bus.h>: Fix wording.
[dragonfly.git] / lib / libtelnet / kerberos5.c
blobdff9678854da3375d4c7546d96803214412408c0
1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 * $FreeBSD: src/crypto/telnet/libtelnet/kerberos5.c,v 1.1.1.1.8.2 2003/04/24 19:13:59 nectar Exp $
34 */
35
36 /*
37 * Copyright (C) 1990 by the Massachusetts Institute of Technology
38 *
39 * Export of this software from the United States of America may
40 * require a specific license from the United States Government.
41 * It is the responsibility of any person or organization contemplating
42 * export to obtain such a license before exporting.
43 *
44 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
45 * distribute this software and its documentation for any purpose and
46 * without fee is hereby granted, provided that the above copyright
47 * notice appear in all copies and that both that copyright notice and
48 * this permission notice appear in supporting documentation, and that
49 * the name of M.I.T. not be used in advertising or publicity pertaining
50 * to distribution of the software without specific, written prior
51 * permission. M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
54 */
55
56 #ifdef KRB5
57
58 #include <arpa/telnet.h>
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 #include <unistd.h>
63 #include <netdb.h>
64 #include <ctype.h>
65 #include <pwd.h>
66 #define Authenticator k5_Authenticator
67 #include <krb5.h>
68 #undef Authenticator
69
70 #include "encrypt.h"
71 #include "auth.h"
72 #include "misc.h"
73
74 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
75
76 /* These values need to be the same as those defined in telnet/main.c. */
77 /* Either define them in both places, or put in some common header file. */
78 #define OPTS_FORWARD_CREDS 0x00000002
79 #define OPTS_FORWARDABLE_CREDS 0x00000001
80
81 void kerberos5_forward (Authenticator *);
82
83 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
84 AUTHTYPE_KERBEROS_V5, };
85
86 #define KRB_AUTH 0 /* Authentication data follows */
87 #define KRB_REJECT 1 /* Rejected (reason might follow) */
88 #define KRB_ACCEPT 2 /* Accepted */
89 #define KRB_RESPONSE 3 /* Response for mutual auth. */
90
91 #define KRB_FORWARD 4 /* Forwarded credentials follow */
92 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
93 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
94
95 static krb5_data auth;
96 static krb5_ticket *ticket;
97
98 static krb5_context context;
99 static krb5_auth_context auth_context;
100
101 static int
102 Data(Authenticator *ap, int type, const char *d, int c)
103 {
104 unsigned char *p = str_data + 4;
105 const unsigned char *cd = d;
106
107 if (c == -1)
108 c = strlen(cd);
109
110 if (auth_debug_mode) {
111 printf("%s:%d: [%d] (%d)",
112 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
113 str_data[3],
114 type, c);
115 printd(d, c);
116 printf("\r\n");
117 }
118 *p++ = ap->type;
119 *p++ = ap->way;
120 *p++ = type;
121 while (c-- > 0) {
122 if ((*p++ = *cd++) == IAC)
123 *p++ = IAC;
124 }
125 *p++ = IAC;
126 *p++ = SE;
127 if (str_data[3] == TELQUAL_IS)
128 printsub('>', &str_data[2], p - &str_data[2]);
129 return(net_write(str_data, p - str_data));
130 }
131
132 int
133 kerberos5_init(Authenticator *ap __unused, int server)
134 {
135 krb5_error_code ret;
136
137 ret = krb5_init_context(&context);
138 if (ret)
139 return 0;
140 if (server) {
141 krb5_keytab kt;
142 krb5_kt_cursor cursor;
143
144 ret = krb5_kt_default(context, &kt);
145 if (ret)
146 return 0;
147
148 ret = krb5_kt_start_seq_get (context, kt, &cursor);
149 if (ret) {
150 krb5_kt_close (context, kt);
151 return 0;
152 }
153 krb5_kt_end_seq_get (context, kt, &cursor);
154 krb5_kt_close (context, kt);
155
156 str_data[3] = TELQUAL_REPLY;
157 } else
158 str_data[3] = TELQUAL_IS;
159 return(1);
160 }
161
162 extern int net;
163
164 static int
165 kerberos5_send(const char *name, Authenticator *ap)
166 {
167 krb5_error_code ret;
168 krb5_ccache ccache;
169 int ap_opts;
170 krb5_data cksum_data;
171 char foo[2];
172
173 if (!UserNameRequested) {
174 if (auth_debug_mode) {
175 printf("Kerberos V5: no user name supplied\r\n");
176 }
177 return(0);
178 }
179
180 ret = krb5_cc_default(context, &ccache);
181 if (ret) {
182 if (auth_debug_mode) {
183 printf("Kerberos V5: could not get default ccache: %s\r\n",
184 krb5_get_err_text (context, ret));
185 }
186 return 0;
187 }
188
189 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
190 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
191 else
192 ap_opts = 0;
193 ap_opts |= AP_OPTS_USE_SUBKEY;
194
195 ret = krb5_auth_con_init (context, &auth_context);
196 if (ret) {
197 if (auth_debug_mode) {
198 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
199 krb5_get_err_text(context, ret));
200 }
201 return(0);
202 }
203
204 ret = krb5_auth_con_setaddrs_from_fd (context,
205 auth_context,
206 &net);
207 if (ret) {
208 if (auth_debug_mode) {
209 printf ("Kerberos V5:"
210 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
211 krb5_get_err_text(context, ret));
212 }
213 return(0);
214 }
215
216 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
217
218 foo[0] = ap->type;
219 foo[1] = ap->way;
220
221 cksum_data.length = sizeof(foo);
222 cksum_data.data = foo;
223
224
225 {
226 krb5_principal service;
227 char sname[128];
228
229
230 ret = krb5_sname_to_principal (context,
231 RemoteHostName,
232 NULL,
233 KRB5_NT_SRV_HST,
234 &service);
235 if(ret) {
236 if (auth_debug_mode) {
237 printf ("Kerberos V5:"
238 " krb5_sname_to_principal(%s) failed (%s)\r\n",
239 RemoteHostName, krb5_get_err_text(context, ret));
240 }
241 return 0;
242 }
243 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
244 if(ret) {
245 if (auth_debug_mode) {
246 printf ("Kerberos V5:"
247 " krb5_unparse_name_fixed failed (%s)\r\n",
248 krb5_get_err_text(context, ret));
249 }
250 return 0;
251 }
252 printf("[ Trying %s (%s)... ]\r\n", name, sname);
253 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
254 service,
255 &cksum_data, ccache, &auth);
256 krb5_free_principal (context, service);
257
258 }
259 if (ret) {
260 if (1 || auth_debug_mode) {
261 printf("Kerberos V5: mk_req failed (%s)\r\n",
262 krb5_get_err_text(context, ret));
263 }
264 return(0);
265 }
266
267 if (!auth_sendname((unsigned char *)UserNameRequested,
268 strlen(UserNameRequested))) {
269 if (auth_debug_mode)
270 printf("Not enough room for user name\r\n");
271 return(0);
272 }
273 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
274 if (auth_debug_mode)
275 printf("Not enough room for authentication data\r\n");
276 return(0);
277 }
278 if (auth_debug_mode) {
279 printf("Sent Kerberos V5 credentials to server\r\n");
280 }
281 return(1);
282 }
283
284 int
285 kerberos5_send_mutual(Authenticator *ap)
286 {
287 return kerberos5_send("mutual KERBEROS5", ap);
288 }
289
290 int
291 kerberos5_send_oneway(Authenticator *ap)
292 {
293 return kerberos5_send("KERBEROS5", ap);
294 }
295
296 void
297 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
298 {
299 krb5_error_code ret;
300 krb5_data outbuf;
301 krb5_keyblock *key_block;
302 char *name;
303 krb5_principal server;
304 int zero = 0;
305
306 if (cnt-- < 1)
307 return;
308 switch (*data++) {
309 case KRB_AUTH:
310 auth.data = (char *)data;
311 auth.length = cnt;
312
313 auth_context = NULL;
314
315 ret = krb5_auth_con_init (context, &auth_context);
316 if (ret) {
317 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
318 auth_finished(ap, AUTH_REJECT);
319 if (auth_debug_mode)
320 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
321 krb5_get_err_text(context, ret));
322 return;
323 }
324
325 ret = krb5_auth_con_setaddrs_from_fd (context,
326 auth_context,
327 &zero);
328 if (ret) {
329 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
330 auth_finished(ap, AUTH_REJECT);
331 if (auth_debug_mode)
332 printf("Kerberos V5: "
333 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
334 krb5_get_err_text(context, ret));
335 return;
336 }
337
338 ret = krb5_sock_to_principal (context,
339 0,
340 "host",
341 KRB5_NT_SRV_HST,
342 &server);
343 if (ret) {
344 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
345 auth_finished(ap, AUTH_REJECT);
346 if (auth_debug_mode)
347 printf("Kerberos V5: "
348 "krb5_sock_to_principal failed (%s)\r\n",
349 krb5_get_err_text(context, ret));
350 return;
351 }
352
353 ret = krb5_rd_req(context,
354 &auth_context,
355 &auth,
356 server,
357 NULL,
358 NULL,
359 &ticket);
360
361 krb5_free_principal (context, server);
362 if (ret) {
363 char *errbuf;
364
365 asprintf(&errbuf,
366 "Read req failed: %s",
367 krb5_get_err_text(context, ret));
368 Data(ap, KRB_REJECT, errbuf, -1);
369 if (auth_debug_mode)
370 printf("%s\r\n", errbuf);
371 free (errbuf);
372 return;
373 }
374
375 {
376 char foo[2];
377
378 foo[0] = ap->type;
379 foo[1] = ap->way;
380
381 ret = krb5_verify_authenticator_checksum(context,
382 auth_context,
383 foo,
384 sizeof(foo));
385
386 if (ret) {
387 char *errbuf;
388 asprintf(&errbuf, "Bad checksum: %s",
389 krb5_get_err_text(context, ret));
390 Data(ap, KRB_REJECT, errbuf, -1);
391 if (auth_debug_mode)
392 printf ("%s\r\n", errbuf);
393 free(errbuf);
394 return;
395 }
396 }
397 ret = krb5_auth_con_getremotesubkey (context,
398 auth_context,
399 &key_block);
400
401 if (ret) {
402 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
403 auth_finished(ap, AUTH_REJECT);
404 if (auth_debug_mode)
405 printf("Kerberos V5: "
406 "krb5_auth_con_getremotesubkey failed (%s)\r\n",
407 krb5_get_err_text(context, ret));
408 return;
409 }
410
411 if (key_block == NULL) {
412 ret = krb5_auth_con_getkey(context,
413 auth_context,
414 &key_block);
415 }
416 if (ret) {
417 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
418 auth_finished(ap, AUTH_REJECT);
419 if (auth_debug_mode)
420 printf("Kerberos V5: "
421 "krb5_auth_con_getkey failed (%s)\r\n",
422 krb5_get_err_text(context, ret));
423 return;
424 }
425 if (key_block == NULL) {
426 Data(ap, KRB_REJECT, "no subkey received", -1);
427 auth_finished(ap, AUTH_REJECT);
428 if (auth_debug_mode)
429 printf("Kerberos V5: "
430 "krb5_auth_con_getremotesubkey returned NULL key\r\n");
431 return;
432 }
433
434 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
435 ret = krb5_mk_rep(context, auth_context, &outbuf);
436 if (ret) {
437 Data(ap, KRB_REJECT,
438 "krb5_mk_rep failed", -1);
439 auth_finished(ap, AUTH_REJECT);
440 if (auth_debug_mode)
441 printf("Kerberos V5: "
442 "krb5_mk_rep failed (%s)\r\n",
443 krb5_get_err_text(context, ret));
444 return;
445 }
446 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
447 }
448 if (krb5_unparse_name(context, ticket->client, &name))
449 name = NULL;
450
451 if(UserNameRequested && krb5_kuserok(context,
452 ticket->client,
453 UserNameRequested)) {
454 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
455 if (auth_debug_mode) {
456 printf("Kerberos5 identifies him as ``%s''\r\n",
457 name ? name : "");
458 }
459
460 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
461 key_block->keytype == ETYPE_DES_CBC_MD4 ||
462 key_block->keytype == ETYPE_DES_CBC_CRC) {
463 Session_Key skey;
464
465 skey.type = SK_DES;
466 skey.length = 8;
467 skey.data = key_block->keyvalue.data;
468 encrypt_session_key(&skey, 0);
469 }
470
471 } else {
472 char *msg;
473
474 asprintf (&msg, "user `%s' is not authorized to "
475 "login as `%s'",
476 name ? name : "<unknown>",
477 UserNameRequested ? UserNameRequested : "<nobody>");
478 if (msg == NULL)
479 Data(ap, KRB_REJECT, NULL, 0);
480 else {
481 Data(ap, KRB_REJECT, (void *)msg, -1);
482 free(msg);
483 }
484 auth_finished (ap, AUTH_REJECT);
485 krb5_free_keyblock_contents(context, key_block);
486 break;
487 }
488 auth_finished(ap, AUTH_USER);
489 krb5_free_keyblock_contents(context, key_block);
490
491 break;
492 case KRB_FORWARD: {
493 struct passwd *pwd;
494 char ccname[1024]; /* XXX */
495 krb5_data inbuf;
496 krb5_ccache ccache;
497 inbuf.data = (char *)data;
498 inbuf.length = cnt;
499
500 pwd = getpwnam (UserNameRequested);
501 if (pwd == NULL)
502 break;
503
504 snprintf (ccname, sizeof(ccname),
505 "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
506
507 ret = krb5_cc_resolve (context, ccname, &ccache);
508 if (ret) {
509 if (auth_debug_mode)
510 printf ("Kerberos V5: could not get ccache: %s\r\n",
511 krb5_get_err_text(context, ret));
512 break;
513 }
514
515 ret = krb5_cc_initialize (context,
516 ccache,
517 ticket->client);
518 if (ret) {
519 if (auth_debug_mode)
520 printf ("Kerberos V5: could not init ccache: %s\r\n",
521 krb5_get_err_text(context, ret));
522 break;
523 }
524
525 #if defined(DCE)
526 esetenv("KRB5CCNAME", ccname, 1);
527 #endif
528 ret = krb5_rd_cred2 (context,
529 auth_context,
530 ccache,
531 &inbuf);
532 if(ret) {
533 char *errbuf;
534
535 asprintf (&errbuf,
536 "Read forwarded creds failed: %s",
537 krb5_get_err_text (context, ret));
538 if(errbuf == NULL)
539 Data(ap, KRB_FORWARD_REJECT, NULL, 0);
540 else
541 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
542 if (auth_debug_mode)
543 printf("Could not read forwarded credentials: %s\r\n",
544 errbuf);
545 free (errbuf);
546 } else {
547 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
548 #if defined(DCE)
549 dfsfwd = 1;
550 #endif
551 }
552 chown (ccname + 5, pwd->pw_uid, -1);
553 if (auth_debug_mode)
554 printf("Forwarded credentials obtained\r\n");
555 break;
556 }
557 default:
558 if (auth_debug_mode)
559 printf("Unknown Kerberos option %d\r\n", data[-1]);
560 Data(ap, KRB_REJECT, 0, 0);
561 break;
562 }
563 }
564
565 void
566 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
567 {
568 static int mutual_complete = 0;
569
570 if (cnt-- < 1)
571 return;
572 switch (*data++) {
573 case KRB_REJECT:
574 if (cnt > 0) {
575 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
576 cnt, data);
577 } else
578 printf("[ Kerberos V5 refuses authentication ]\r\n");
579 auth_send_retry();
580 return;
581 case KRB_ACCEPT: {
582 krb5_error_code ret;
583 Session_Key skey;
584 krb5_keyblock *keyblock;
585
586 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
587 !mutual_complete) {
588 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
589 auth_send_retry();
590 return;
591 }
592 if (cnt)
593 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
594 else
595 printf("[ Kerberos V5 accepts you ]\r\n");
596
597 ret = krb5_auth_con_getlocalsubkey (context,
598 auth_context,
599 &keyblock);
600 if (ret)
601 ret = krb5_auth_con_getkey (context,
602 auth_context,
603 &keyblock);
604 if(ret) {
605 printf("[ krb5_auth_con_getkey: %s ]\r\n",
606 krb5_get_err_text(context, ret));
607 auth_send_retry();
608 return;
609 }
610
611 skey.type = SK_DES;
612 skey.length = 8;
613 skey.data = keyblock->keyvalue.data;
614 encrypt_session_key(&skey, 0);
615 krb5_free_keyblock_contents (context, keyblock);
616 auth_finished(ap, AUTH_USER);
617 if (forward_flags & OPTS_FORWARD_CREDS)
618 kerberos5_forward(ap);
619 break;
620 }
621 case KRB_RESPONSE:
622 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
623 /* the rest of the reply should contain a krb_ap_rep */
624 krb5_ap_rep_enc_part *reply;
625 krb5_data inbuf;
626 krb5_error_code ret;
627
628 inbuf.length = cnt;
629 inbuf.data = (char *)data;
630
631 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
632 if (ret) {
633 printf("[ Mutual authentication failed: %s ]\r\n",
634 krb5_get_err_text (context, ret));
635 auth_send_retry();
636 return;
637 }
638 krb5_free_ap_rep_enc_part(context, reply);
639 mutual_complete = 1;
640 }
641 return;
642 case KRB_FORWARD_ACCEPT:
643 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
644 return;
645 case KRB_FORWARD_REJECT:
646 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
647 cnt, data);
648 return;
649 default:
650 if (auth_debug_mode)
651 printf("Unknown Kerberos option %d\r\n", data[-1]);
652 return;
653 }
654 }
655
656 int
657 kerberos5_status(Authenticator *ap __unused, char *name, int level)
658 {
659 if (level < AUTH_USER)
660 return(level);
661
662 if (UserNameRequested &&
663 krb5_kuserok(context,
664 ticket->client,
665 UserNameRequested))
666 {
667 strcpy(name, UserNameRequested);
668 return(AUTH_VALID);
669 } else
670 return(AUTH_USER);
671 }
672
673 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
674 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
675
676 void
677 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
678 {
679 int i;
680
681 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
682 buflen -= 1;
683
684 switch(data[3]) {
685 case KRB_REJECT: /* Rejected (reason might follow) */
686 strlcpy((char *)buf, " REJECT ", buflen);
687 goto common;
688
689 case KRB_ACCEPT: /* Accepted (name might follow) */
690 strlcpy((char *)buf, " ACCEPT ", buflen);
691 common:
692 BUMP(buf, buflen);
693 if (cnt <= 4)
694 break;
695 ADDC(buf, buflen, '"');
696 for (i = 4; i < cnt; i++)
697 ADDC(buf, buflen, data[i]);
698 ADDC(buf, buflen, '"');
699 ADDC(buf, buflen, '\0');
700 break;
701
702
703 case KRB_AUTH: /* Authentication data follows */
704 strlcpy((char *)buf, " AUTH", buflen);
705 goto common2;
706
707 case KRB_RESPONSE:
708 strlcpy((char *)buf, " RESPONSE", buflen);
709 goto common2;
710
711 case KRB_FORWARD: /* Forwarded credentials follow */
712 strlcpy((char *)buf, " FORWARD", buflen);
713 goto common2;
714
715 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
716 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
717 goto common2;
718
719 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
720 /* (reason might follow) */
721 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
722 goto common2;
723
724 default:
725 snprintf(buf, buflen, " %d (unknown)", data[3]);
726 common2:
727 BUMP(buf, buflen);
728 for (i = 4; i < cnt; i++) {
729 snprintf(buf, buflen, " %d", data[i]);
730 BUMP(buf, buflen);
731 }
732 break;
733 }
734 }
735
736 void
737 kerberos5_forward(Authenticator *ap)
738 {
739 krb5_error_code ret;
740 krb5_ccache ccache;
741 krb5_creds creds;
742 krb5_kdc_flags flags;
743 krb5_data out_data;
744 krb5_principal principal;
745
746 ret = krb5_cc_default (context, &ccache);
747 if (ret) {
748 if (auth_debug_mode)
749 printf ("KerberosV5: could not get default ccache: %s\r\n",
750 krb5_get_err_text (context, ret));
751 return;
752 }
753
754 ret = krb5_cc_get_principal (context, ccache, &principal);
755 if (ret) {
756 if (auth_debug_mode)
757 printf ("KerberosV5: could not get principal: %s\r\n",
758 krb5_get_err_text (context, ret));
759 return;
760 }
761
762 memset (&creds, 0, sizeof(creds));
763
764 creds.client = principal;
765
766 ret = krb5_build_principal (context,
767 &creds.server,
768 strlen(principal->realm),
769 principal->realm,
770 "krbtgt",
771 principal->realm,
772 NULL);
773
774 if (ret) {
775 if (auth_debug_mode)
776 printf ("KerberosV5: could not get principal: %s\r\n",
777 krb5_get_err_text (context, ret));
778 return;
779 }
780
781 creds.times.endtime = 0;
782
783 flags.i = 0;
784 flags.b.forwarded = 1;
785 if (forward_flags & OPTS_FORWARDABLE_CREDS)
786 flags.b.forwardable = 1;
787
788 ret = krb5_get_forwarded_creds (context,
789 auth_context,
790 ccache,
791 flags.i,
792 RemoteHostName,
793 &creds,
794 &out_data);
795 if (ret) {
796 if (auth_debug_mode)
797 printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
798 krb5_get_err_text (context, ret));
799 return;
800 }
801
802 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
803 if (auth_debug_mode)
804 printf("Not enough room for authentication data\r\n");
805 } else {
806 if (auth_debug_mode)
807 printf("Forwarded local Kerberos V5 credentials to server\r\n");
808 }
809 }
810
811 #if defined(DCE)
812 /* if this was a K5 authentication try and join a PAG for the user. */
813 void
814 kerberos5_dfspag(void)
815 {
816 if (dfsk5ok) {
817 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
818 UserNameRequested);
819 }
820 }
821 #endif
822
823 #endif /* KRB5 */
DragonFly BSD