search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Windows: must use backslash for makefile exist test
[heimdal.git] / appl / telnet / libtelnet / kerberos5.c
blobb8ab7c8c9a402dba77dcc494ec0c22c6556bcb6c
1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #include <config.h>
55
56 RCSID("$Id$");
57
58 #ifdef KRB5
59
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71 #include <roken.h>
72 #ifdef SOCKS
73 #include <socks.h>
74 #endif
75
76
77 #include "encrypt.h"
78 #include "auth.h"
79 #include "misc.h"
80
81 #if defined(DCE)
82 int dfsk5ok = 0;
83 int dfspag = 0;
84 int dfsfwd = 0;
85 #endif
86
87 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
88
89 int forward(int);
90 int forwardable(int);
91
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS 0x00000002
95 #define OPTS_FORWARDABLE_CREDS 0x00000001
96
97
98 void kerberos5_forward (Authenticator *);
99
100 static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };
101
102 #define KRB_AUTH 0 /* Authentication data follows */
103 #define KRB_REJECT 1 /* Rejected (reason might follow) */
104 #define KRB_ACCEPT 2 /* Accepted */
105 #define KRB_RESPONSE 3 /* Response for mutual auth. */
106
107 #define KRB_FORWARD 4 /* Forwarded credentials follow */
108 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
109 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
110
111 static krb5_data auth;
112 static krb5_ticket *ticket;
113
114 static krb5_context context;
115 static krb5_auth_context auth_context;
116
117 static int
118 Data(Authenticator *ap, int type, const void *d, int c)
119 {
120 const unsigned char *cp, *cd = d;
121 unsigned char *p0, *p;
122 size_t len = sizeof(str_data) + 3 + 2;
123 int ret;
124
125 if (c == -1)
126 c = strlen((const char*)cd);
127
128 for (cp = cd; cp - cd < c; cp++, len++)
129 if (*cp == IAC)
130 len++;
131
132 p0 = malloc(len);
133 if (p0 == NULL)
134 return 0;
135
136 memcpy(p0, str_data, sizeof(str_data));
137 p = p0 + sizeof(str_data);
138
139 if (auth_debug_mode) {
140 printf("%s:%d: [%d] (%d)",
141 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
142 str_data[3],
143 type, c);
144 printd(d, c);
145 printf("\r\n");
146 }
147 *p++ = ap->type;
148 *p++ = ap->way;
149 *p++ = type;
150 while (c-- > 0) {
151 if ((*p++ = *cd++) == IAC)
152 *p++ = IAC;
153 }
154 *p++ = IAC;
155 *p++ = SE;
156 if (str_data[3] == TELQUAL_IS)
157 printsub('>', &p0[2], len - 2);
158 ret = telnet_net_write(p0, len);
159 free(p0);
160 return ret;
161 }
162
163 int
164 kerberos5_init(Authenticator *ap, int server)
165 {
166 krb5_error_code ret;
167
168 ret = krb5_init_context(&context);
169 if (ret)
170 return 0;
171 if (server) {
172 krb5_keytab kt;
173 krb5_kt_cursor cursor;
174
175 ret = krb5_kt_default(context, &kt);
176 if (ret)
177 return 0;
178
179 ret = krb5_kt_start_seq_get (context, kt, &cursor);
180 if (ret) {
181 krb5_kt_close (context, kt);
182 return 0;
183 }
184 krb5_kt_end_seq_get (context, kt, &cursor);
185 krb5_kt_close (context, kt);
186
187 str_data[3] = TELQUAL_REPLY;
188 } else
189 str_data[3] = TELQUAL_IS;
190 return(1);
191 }
192
193 extern int net;
194 static int
195 kerberos5_send(char *name, Authenticator *ap)
196 {
197 krb5_error_code ret;
198 krb5_ccache ccache;
199 int ap_opts;
200 krb5_data cksum_data;
201 const char *estr;
202 char ap_msg[2];
203
204 if (!UserNameRequested) {
205 if (auth_debug_mode) {
206 printf("Kerberos V5: no user name supplied\r\n");
207 }
208 return(0);
209 }
210
211 ret = krb5_cc_default(context, &ccache);
212 if (ret) {
213 if (auth_debug_mode) {
214 estr = krb5_get_error_message (context, ret);
215 printf("Kerberos V5: could not get default ccache: %s\r\n", estr);
216 krb5_free_error_message(context, estr);
217 }
218 return 0;
219 }
220
221 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
222 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
223 else
224 ap_opts = 0;
225
226 ap_opts |= AP_OPTS_USE_SUBKEY;
227
228 ret = krb5_auth_con_init (context, &auth_context);
229 if (ret) {
230 if (auth_debug_mode) {
231 estr = krb5_get_error_message (context, ret);
232 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", estr);
233 krb5_free_error_message(context, estr);
234 }
235 return(0);
236 }
237
238 ret = krb5_auth_con_setaddrs_from_fd (context,
239 auth_context,
240 &net);
241 if (ret) {
242 if (auth_debug_mode) {
243 estr = krb5_get_error_message (context, ret);
244 printf ("Kerberos V5:"
245 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", estr);
246 krb5_free_error_message(context, estr);
247 }
248 return(0);
249 }
250
251 krb5_auth_con_setkeytype (context, auth_context, KRB5_ENCTYPE_DES_CBC_CRC);
252
253 ap_msg[0] = ap->type;
254 ap_msg[1] = ap->way;
255
256 cksum_data.length = sizeof(ap_msg);
257 cksum_data.data = ap_msg;
258
259
260 {
261 krb5_principal service;
262 char sname[128];
263
264
265 ret = krb5_sname_to_principal (context,
266 RemoteHostName,
267 NULL,
268 KRB5_NT_SRV_HST,
269 &service);
270 if(ret) {
271 if (auth_debug_mode) {
272 estr = krb5_get_error_message (context, ret);
273 printf ("Kerberos V5:"
274 " krb5_sname_to_principal(%s) failed (%s)\r\n",
275 RemoteHostName, estr);
276 krb5_free_error_message(context, estr);
277 }
278 return 0;
279 }
280 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
281 if(ret) {
282 if (auth_debug_mode) {
283 estr = krb5_get_error_message (context, ret);
284 printf ("Kerberos V5:"
285 " krb5_unparse_name_fixed failed (%s)\r\n", estr);
286 krb5_free_error_message(context, estr);
287 }
288 return 0;
289 }
290 printf("[ Trying %s (%s)... ]\r\n", name, sname);
291 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
292 service,
293 &cksum_data, ccache, &auth);
294 krb5_free_principal (context, service);
295
296 }
297 if (ret) {
298 if (1 || auth_debug_mode) {
299 estr = krb5_get_error_message (context, ret);
300 printf("Kerberos V5: mk_req failed (%s)\r\n", estr);
301 krb5_free_error_message(context, estr);
302 }
303 return(0);
304 }
305
306 if (!auth_sendname((unsigned char *)UserNameRequested,
307 strlen(UserNameRequested))) {
308 if (auth_debug_mode)
309 printf("Not enough room for user name\r\n");
310 return(0);
311 }
312 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
313 if (auth_debug_mode)
314 printf("Not enough room for authentication data\r\n");
315 return(0);
316 }
317 if (auth_debug_mode) {
318 printf("Sent Kerberos V5 credentials to server\r\n");
319 }
320 return(1);
321 }
322
323 int
324 kerberos5_send_mutual(Authenticator *ap)
325 {
326 return kerberos5_send("mutual KERBEROS5", ap);
327 }
328
329 int
330 kerberos5_send_oneway(Authenticator *ap)
331 {
332 return kerberos5_send("KERBEROS5", ap);
333 }
334
335 static void log_message(const char *fmt, ...)
336 {
337 va_list ap;
338 va_start(ap, fmt);
339 if (auth_debug_mode) {
340 va_start(ap, fmt);
341 vfprintf(stdout, fmt, ap);
342 va_end(ap);
343 fprintf(stdout, "\r\n");
344 }
345 va_start(ap, fmt);
346 vsyslog(LOG_NOTICE, fmt, ap);
347 va_end(ap);
348 }
349
350 void
351 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
352 {
353 krb5_error_code ret;
354 krb5_data outbuf;
355 krb5_keyblock *key_block;
356 const char *estr;
357 char *name;
358 krb5_principal server;
359 int zero = 0;
360
361 if (cnt-- < 1)
362 return;
363 switch (*data++) {
364 case KRB_AUTH:
365 auth.data = (char *)data;
366 auth.length = cnt;
367
368 auth_context = NULL;
369
370 ret = krb5_auth_con_init (context, &auth_context);
371 if (ret) {
372 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
373 auth_finished(ap, AUTH_REJECT);
374 estr = krb5_get_error_message (context, ret);
375 log_message("Kerberos V5: krb5_auth_con_init failed (%s)", estr);
376 krb5_free_error_message(context, estr);
377 return;
378 }
379
380 ret = krb5_auth_con_setaddrs_from_fd (context,
381 auth_context,
382 &zero);
383 if (ret) {
384 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
385 auth_finished(ap, AUTH_REJECT);
386 estr = krb5_get_error_message (context, ret);
387 log_message("Kerberos V5: "
388 "krb5_auth_con_setaddrs_from_fd failed (%s)", estr);
389 krb5_free_error_message(context, estr);
390 return;
391 }
392
393 ret = krb5_sock_to_principal (context,
394 0,
395 "host",
396 KRB5_NT_SRV_HST,
397 &server);
398 if (ret) {
399 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
400 auth_finished(ap, AUTH_REJECT);
401 estr = krb5_get_error_message (context, ret);
402 log_message("Kerberos V5: "
403 "krb5_sock_to_principal failed (%s)", estr);
404 krb5_free_error_message(context, estr);
405 return;
406 }
407
408 ret = krb5_rd_req(context,
409 &auth_context,
410 &auth,
411 server,
412 NULL,
413 NULL,
414 &ticket);
415
416 krb5_free_principal (context, server);
417 if (ret) {
418 const char *errbuf2 = "Read req failed";
419 char *errbuf;
420 int ret2;
421
422 estr = krb5_get_error_message (context, ret);
423 ret2 = asprintf(&errbuf, "Read req failed: %s", estr);
424 krb5_free_error_message(context, estr);
425 if (ret2 != -1)
426 errbuf2 = errbuf;
427 Data(ap, KRB_REJECT, errbuf2, -1);
428 log_message("%s", errbuf2);
429 if (ret2 != -1)
430 free (errbuf);
431 return;
432 }
433
434 {
435 char ap_msg[2];
436
437 ap_msg[0] = ap->type;
438 ap_msg[1] = ap->way;
439
440 ret = krb5_verify_authenticator_checksum(context,
441 auth_context,
442 ap_msg,
443 sizeof(ap_msg));
444
445 if (ret) {
446 const char *errbuf2 = "Bad checksum";
447 char *errbuf;
448 int ret2;
449
450 estr = krb5_get_error_message (context, ret);
451 ret2 = asprintf(&errbuf, "Bad checksum: %s", estr);
452 krb5_free_error_message(context, estr);
453 if (ret2 != -1)
454 errbuf2 = errbuf;
455 Data(ap, KRB_REJECT, errbuf2, -1);
456 log_message("%s", errbuf2);
457 if (ret2 != -1)
458 free(errbuf);
459 return;
460 }
461 }
462 ret = krb5_auth_con_getremotesubkey (context,
463 auth_context,
464 &key_block);
465
466 if (ret) {
467 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
468 auth_finished(ap, AUTH_REJECT);
469 estr = krb5_get_error_message (context, ret);
470 log_message("Kerberos V5: "
471 "krb5_auth_con_getremotesubkey failed (%s)", estr);
472 krb5_free_error_message(context, estr);
473 return;
474 }
475
476 if (key_block == NULL) {
477 ret = krb5_auth_con_getkey(context,
478 auth_context,
479 &key_block);
480 }
481 if (ret) {
482 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
483 auth_finished(ap, AUTH_REJECT);
484 estr = krb5_get_error_message (context, ret);
485 log_message("Kerberos V5: "
486 "krb5_auth_con_getkey failed (%s)", estr);
487 krb5_free_error_message(context, estr);
488 return;
489 }
490 if (key_block == NULL) {
491 Data(ap, KRB_REJECT, "no subkey received", -1);
492 auth_finished(ap, AUTH_REJECT);
493 log_message("Kerberos V5: "
494 "krb5_auth_con_getremotesubkey returned NULL key");
495 return;
496 }
497
498 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
499 ret = krb5_mk_rep(context, auth_context, &outbuf);
500 if (ret) {
501 Data(ap, KRB_REJECT,
502 "krb5_mk_rep failed", -1);
503 auth_finished(ap, AUTH_REJECT);
504 estr = krb5_get_error_message (context, ret);
505 log_message("Kerberos V5: "
506 "krb5_mk_rep failed (%s)", estr);
507 krb5_free_error_message(context, estr);
508 krb5_free_keyblock(context, key_block);
509 return;
510 }
511 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
512 }
513 if (krb5_unparse_name(context, ticket->client, &name))
514 name = 0;
515
516 if(UserNameRequested && krb5_kuserok(context,
517 ticket->client,
518 UserNameRequested)) {
519 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
520 log_message("%s accepted as user %s from %s",
521 name ? name : "<unknown>",
522 UserNameRequested ? UserNameRequested : "<unknown>",
523 RemoteHostName ? RemoteHostName : "<unknown>");
524
525 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
526 key_block->keytype == ETYPE_DES_CBC_MD4 ||
527 key_block->keytype == ETYPE_DES_CBC_CRC) {
528 Session_Key skey;
529
530 skey.type = SK_DES;
531 skey.length = 8;
532 skey.data = key_block->keyvalue.data;
533 encrypt_session_key(&skey, 0);
534 }
535
536 } else {
537 const char *msg2 = "user is not authorized to login";
538 char *msg;
539
540 ret = asprintf (&msg, "user `%s' is not authorized to "
541 "login as `%s'",
542 name ? name : "<unknown>",
543 UserNameRequested ? UserNameRequested : "<nobody>");
544 if (ret != -1)
545 msg2 = msg;
546 Data(ap, KRB_REJECT, (void *)msg2, -1);
547 if (ret != -1)
548 free(msg);
549 auth_finished (ap, AUTH_REJECT);
550 krb5_free_keyblock(context, key_block);
551 break;
552 }
553 auth_finished(ap, AUTH_USER);
554 krb5_free_keyblock(context, key_block);
555
556 break;
557 case KRB_FORWARD: {
558 struct passwd *pwd;
559 char ccname[1024]; /* XXX */
560 krb5_data inbuf;
561 krb5_ccache ccache;
562 inbuf.data = (char *)data;
563 inbuf.length = cnt;
564
565 pwd = getpwnam (UserNameRequested);
566 if (pwd == NULL)
567 break;
568
569 snprintf (ccname, sizeof(ccname),
570 "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd->pw_uid);
571
572 ret = krb5_cc_resolve (context, ccname, &ccache);
573 if (ret) {
574 estr = krb5_get_error_message (context, ret);
575 log_message("Kerberos V5: could not get ccache: %s", estr);
576 krb5_free_error_message(context, estr);
577 break;
578 }
579
580 ret = krb5_cc_initialize (context,
581 ccache,
582 ticket->client);
583 if (ret) {
584 estr = krb5_get_error_message (context, ret);
585 log_message("Kerberos V5: could not init ccache: %s", estr);
586 krb5_free_error_message(context, estr);
587 break;
588 }
589
590 #if defined(DCE)
591 esetenv("KRB5CCNAME", ccname, 1);
592 #endif
593 ret = krb5_rd_cred2 (context,
594 auth_context,
595 ccache,
596 &inbuf);
597 if(ret) {
598 const char *errbuf2 = "Read forwarded creds failed";
599 char *errbuf;
600 int ret2;
601
602 estr = krb5_get_error_message (context, ret);
603 ret2 = asprintf (&errbuf, "Read forwarded creds failed: %s", estr);
604 krb5_free_error_message(context, estr);
605 if (ret2 != -1)
606 errbuf2 = errbuf;
607 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
608 log_message("Could not read forwarded credentials: %s", errbuf2);
609
610 if (ret2 != -1)
611 free (errbuf);
612 } else {
613 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
614 #if defined(DCE)
615 dfsfwd = 1;
616 #endif
617 }
618 chown (ccname + 5, pwd->pw_uid, -1);
619 log_message("Forwarded credentials obtained");
620 break;
621 }
622 default:
623 log_message("Unknown Kerberos option %d", data[-1]);
624 Data(ap, KRB_REJECT, 0, 0);
625 break;
626 }
627 }
628
629 void
630 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
631 {
632 static int mutual_complete = 0;
633 const char *estr;
634
635 if (cnt-- < 1)
636 return;
637 switch (*data++) {
638 case KRB_REJECT:
639 if (cnt > 0) {
640 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
641 cnt, data);
642 } else
643 printf("[ Kerberos V5 refuses authentication ]\r\n");
644 auth_send_retry();
645 return;
646 case KRB_ACCEPT: {
647 krb5_error_code ret;
648 Session_Key skey;
649 krb5_keyblock *keyblock;
650
651 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
652 !mutual_complete) {
653 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
654 auth_send_retry();
655 return;
656 }
657 if (cnt)
658 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
659 else
660 printf("[ Kerberos V5 accepts you ]\r\n");
661
662 ret = krb5_auth_con_getlocalsubkey (context,
663 auth_context,
664 &keyblock);
665 if (ret)
666 ret = krb5_auth_con_getkey (context,
667 auth_context,
668 &keyblock);
669 if(ret) {
670 estr = krb5_get_error_message (context, ret);
671 printf("[ krb5_auth_con_getkey: %s ]\r\n", estr);
672 krb5_free_error_message(context, estr);
673 auth_send_retry();
674 return;
675 }
676
677 skey.type = SK_DES;
678 skey.length = 8;
679 skey.data = keyblock->keyvalue.data;
680 encrypt_session_key(&skey, 0);
681 krb5_free_keyblock (context, keyblock);
682 auth_finished(ap, AUTH_USER);
683 if (forward_flags & OPTS_FORWARD_CREDS)
684 kerberos5_forward(ap);
685 break;
686 }
687 case KRB_RESPONSE:
688 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
689 /* the rest of the reply should contain a krb_ap_rep */
690 krb5_ap_rep_enc_part *reply;
691 krb5_data inbuf;
692 krb5_error_code ret;
693
694 inbuf.length = cnt;
695 inbuf.data = (char *)data;
696
697 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
698 if (ret) {
699 estr = krb5_get_error_message (context, ret);
700 printf("[ Mutual authentication failed: %s ]\r\n", estr);
701 krb5_free_error_message(context, estr);
702 auth_send_retry();
703 return;
704 }
705 krb5_free_ap_rep_enc_part(context, reply);
706 mutual_complete = 1;
707 }
708 return;
709 case KRB_FORWARD_ACCEPT:
710 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
711 return;
712 case KRB_FORWARD_REJECT:
713 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
714 cnt, data);
715 return;
716 default:
717 if (auth_debug_mode)
718 printf("Unknown Kerberos option %d\r\n", data[-1]);
719 return;
720 }
721 }
722
723 int
724 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
725 {
726 if (level < AUTH_USER)
727 return(level);
728
729 if (UserNameRequested &&
730 krb5_kuserok(context,
731 ticket->client,
732 UserNameRequested))
733 {
734 strlcpy(name, UserNameRequested, name_sz);
735 #if defined(DCE)
736 dfsk5ok = 1;
737 #endif
738 return(AUTH_VALID);
739 } else
740 return(AUTH_USER);
741 }
742
743 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
744 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
745
746 void
747 kerberos5_printsub(unsigned char *data, size_t cnt,
748 unsigned char *buf, size_t buflen)
749 {
750 int i;
751
752 buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
753 buflen -= 1;
754
755 switch(data[3]) {
756 case KRB_REJECT: /* Rejected (reason might follow) */
757 strlcpy((char *)buf, " REJECT ", buflen);
758 goto common;
759
760 case KRB_ACCEPT: /* Accepted (name might follow) */
761 strlcpy((char *)buf, " ACCEPT ", buflen);
762 common:
763 BUMP(buf, buflen);
764 if (cnt <= 4)
765 break;
766 ADDC(buf, buflen, '"');
767 for (i = 4; i < cnt; i++)
768 ADDC(buf, buflen, data[i]);
769 ADDC(buf, buflen, '"');
770 ADDC(buf, buflen, '\0');
771 break;
772
773
774 case KRB_AUTH: /* Authentication data follows */
775 strlcpy((char *)buf, " AUTH", buflen);
776 goto common2;
777
778 case KRB_RESPONSE:
779 strlcpy((char *)buf, " RESPONSE", buflen);
780 goto common2;
781
782 case KRB_FORWARD: /* Forwarded credentials follow */
783 strlcpy((char *)buf, " FORWARD", buflen);
784 goto common2;
785
786 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
787 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
788 goto common2;
789
790 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
791 /* (reason might follow) */
792 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
793 goto common2;
794
795 default:
796 snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
797 common2:
798 BUMP(buf, buflen);
799 for (i = 4; i < cnt; i++) {
800 snprintf((char*)buf, buflen, " %d", data[i]);
801 BUMP(buf, buflen);
802 }
803 break;
804 }
805 }
806
807 void
808 kerberos5_forward(Authenticator *ap)
809 {
810 krb5_error_code ret;
811 krb5_ccache ccache;
812 krb5_creds creds;
813 KDCOptions flags;
814 krb5_data out_data;
815 krb5_principal principal;
816 const char *estr;
817
818 ret = krb5_cc_default (context, &ccache);
819 if (ret) {
820 if (auth_debug_mode) {
821 estr = krb5_get_error_message (context, ret);
822 printf ("KerberosV5: could not get default ccache: %s\r\n", estr);
823 krb5_free_error_message(context, estr);
824 }
825 return;
826 }
827
828 ret = krb5_cc_get_principal (context, ccache, &principal);
829 if (ret) {
830 if (auth_debug_mode) {
831 estr = krb5_get_error_message (context, ret);
832 printf ("KerberosV5: could not get principal: %s\r\n", estr);
833 krb5_free_error_message(context, estr);
834 }
835 return;
836 }
837
838 memset (&creds, 0, sizeof(creds));
839
840 creds.client = principal;
841
842 ret = krb5_make_principal(context,
843 &creds.server,
844 principal->realm,
845 "krbtgt",
846 principal->realm,
847 NULL);
848
849 if (ret) {
850 if (auth_debug_mode) {
851 estr = krb5_get_error_message (context, ret);
852 printf ("KerberosV5: could not get principal: %s\r\n", estr);
853 krb5_free_error_message(context, estr);
854 }
855 return;
856 }
857
858 creds.times.endtime = 0;
859
860 memset(&flags, 0, sizeof(flags));
861 flags.forwarded = 1;
862 if (forward_flags & OPTS_FORWARDABLE_CREDS)
863 flags.forwardable = 1;
864
865 ret = krb5_get_forwarded_creds (context,
866 auth_context,
867 ccache,
868 KDCOptions2int(flags),
869 RemoteHostName,
870 &creds,
871 &out_data);
872 if (ret) {
873 if (auth_debug_mode) {
874 estr = krb5_get_error_message (context, ret);
875 printf ("Kerberos V5: error getting forwarded creds: %s\r\n", estr);
876 krb5_free_error_message(context, estr);
877 }
878 return;
879 }
880
881 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
882 if (auth_debug_mode)
883 printf("Not enough room for authentication data\r\n");
884 } else {
885 if (auth_debug_mode)
886 printf("Forwarded local Kerberos V5 credentials to server\r\n");
887 }
888 }
889
890 #if defined(DCE)
891 /* if this was a K5 authentication try and join a PAG for the user. */
892 void
893 kerberos5_dfspag(void)
894 {
895 if (dfsk5ok) {
896 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
897 UserNameRequested);
898 }
899 }
900 #endif
901
902 int
903 kerberos5_set_forward(int on)
904 {
905 if(on == 0)
906 forward_flags &= ~OPTS_FORWARD_CREDS;
907 if(on == 1)
908 forward_flags |= OPTS_FORWARD_CREDS;
909 if(on == -1)
910 forward_flags ^= OPTS_FORWARD_CREDS;
911 return 0;
912 }
913
914 int
915 kerberos5_set_forwardable(int on)
916 {
917 if(on == 0)
918 forward_flags &= ~OPTS_FORWARDABLE_CREDS;
919 if(on == 1)
920 forward_flags |= OPTS_FORWARDABLE_CREDS;
921 if(on == -1)
922 forward_flags ^= OPTS_FORWARDABLE_CREDS;
923 return 0;
924 }
925
926 #endif /* KRB5 */
Heimdal