2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
60 #include <arpa/telnet.h>
68 #define Authenticator k5_Authenticator
87 int forward_flags
= 0; /* Flags get set in telnet/main.c on -f and -F */
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS 0x00000002
95 #define OPTS_FORWARDABLE_CREDS 0x00000001
98 void kerberos5_forward (Authenticator
*);
100 static unsigned char str_data
[4] = { IAC
, SB
, TELOPT_AUTHENTICATION
, 0 };
102 #define KRB_AUTH 0 /* Authentication data follows */
103 #define KRB_REJECT 1 /* Rejected (reason might follow) */
104 #define KRB_ACCEPT 2 /* Accepted */
105 #define KRB_RESPONSE 3 /* Response for mutual auth. */
107 #define KRB_FORWARD 4 /* Forwarded credentials follow */
108 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
109 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
111 static krb5_data auth
;
112 static krb5_ticket
*ticket
;
114 static krb5_context context
;
115 static krb5_auth_context auth_context
;
118 Data(Authenticator
*ap
, int type
, const void *d
, int c
)
120 const unsigned char *cp
, *cd
= d
;
121 unsigned char *p0
, *p
;
122 size_t len
= sizeof(str_data
) + 3 + 2;
126 c
= strlen((const char*)cd
);
128 for (cp
= cd
; cp
- cd
< c
; cp
++, len
++)
136 memcpy(p0
, str_data
, sizeof(str_data
));
137 p
= p0
+ sizeof(str_data
);
139 if (auth_debug_mode
) {
140 printf("%s:%d: [%d] (%d)",
141 str_data
[3] == TELQUAL_IS
? ">>>IS" : ">>>REPLY",
151 if ((*p
++ = *cd
++) == IAC
)
156 if (str_data
[3] == TELQUAL_IS
)
157 printsub('>', &p0
[2], len
- 2);
158 ret
= telnet_net_write(p0
, len
);
164 kerberos5_init(Authenticator
*ap
, int server
)
168 ret
= krb5_init_context(&context
);
173 krb5_kt_cursor cursor
;
175 ret
= krb5_kt_default(context
, &kt
);
179 ret
= krb5_kt_start_seq_get (context
, kt
, &cursor
);
181 krb5_kt_close (context
, kt
);
184 krb5_kt_end_seq_get (context
, kt
, &cursor
);
185 krb5_kt_close (context
, kt
);
187 str_data
[3] = TELQUAL_REPLY
;
189 str_data
[3] = TELQUAL_IS
;
195 kerberos5_send(char *name
, Authenticator
*ap
)
200 krb5_data cksum_data
;
204 if (!UserNameRequested
) {
205 if (auth_debug_mode
) {
206 printf("Kerberos V5: no user name supplied\r\n");
211 ret
= krb5_cc_default(context
, &ccache
);
213 if (auth_debug_mode
) {
214 estr
= krb5_get_error_message (context
, ret
);
215 printf("Kerberos V5: could not get default ccache: %s\r\n", estr
);
216 krb5_free_error_message(context
, estr
);
221 if ((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_MUTUAL
)
222 ap_opts
= AP_OPTS_MUTUAL_REQUIRED
;
226 ap_opts
|= AP_OPTS_USE_SUBKEY
;
228 ret
= krb5_auth_con_init (context
, &auth_context
);
230 if (auth_debug_mode
) {
231 estr
= krb5_get_error_message (context
, ret
);
232 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n", estr
);
233 krb5_free_error_message(context
, estr
);
238 ret
= krb5_auth_con_setaddrs_from_fd (context
,
242 if (auth_debug_mode
) {
243 estr
= krb5_get_error_message (context
, ret
);
244 printf ("Kerberos V5:"
245 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n", estr
);
246 krb5_free_error_message(context
, estr
);
251 krb5_auth_con_setkeytype (context
, auth_context
, KRB5_ENCTYPE_DES_CBC_CRC
);
253 ap_msg
[0] = ap
->type
;
256 cksum_data
.length
= sizeof(ap_msg
);
257 cksum_data
.data
= ap_msg
;
261 krb5_principal service
;
265 ret
= krb5_sname_to_principal (context
,
271 if (auth_debug_mode
) {
272 estr
= krb5_get_error_message (context
, ret
);
273 printf ("Kerberos V5:"
274 " krb5_sname_to_principal(%s) failed (%s)\r\n",
275 RemoteHostName
, estr
);
276 krb5_free_error_message(context
, estr
);
280 ret
= krb5_unparse_name_fixed(context
, service
, sname
, sizeof(sname
));
282 if (auth_debug_mode
) {
283 estr
= krb5_get_error_message (context
, ret
);
284 printf ("Kerberos V5:"
285 " krb5_unparse_name_fixed failed (%s)\r\n", estr
);
286 krb5_free_error_message(context
, estr
);
290 printf("[ Trying %s (%s)... ]\r\n", name
, sname
);
291 ret
= krb5_mk_req_exact(context
, &auth_context
, ap_opts
,
293 &cksum_data
, ccache
, &auth
);
294 krb5_free_principal (context
, service
);
298 if (1 || auth_debug_mode
) {
299 estr
= krb5_get_error_message (context
, ret
);
300 printf("Kerberos V5: mk_req failed (%s)\r\n", estr
);
301 krb5_free_error_message(context
, estr
);
306 if (!auth_sendname((unsigned char *)UserNameRequested
,
307 strlen(UserNameRequested
))) {
309 printf("Not enough room for user name\r\n");
312 if (!Data(ap
, KRB_AUTH
, auth
.data
, auth
.length
)) {
314 printf("Not enough room for authentication data\r\n");
317 if (auth_debug_mode
) {
318 printf("Sent Kerberos V5 credentials to server\r\n");
324 kerberos5_send_mutual(Authenticator
*ap
)
326 return kerberos5_send("mutual KERBEROS5", ap
);
330 kerberos5_send_oneway(Authenticator
*ap
)
332 return kerberos5_send("KERBEROS5", ap
);
335 static void log_message(const char *fmt
, ...)
339 if (auth_debug_mode
) {
341 vfprintf(stdout
, fmt
, ap
);
343 fprintf(stdout
, "\r\n");
346 vsyslog(LOG_NOTICE
, fmt
, ap
);
351 kerberos5_is(Authenticator
*ap
, unsigned char *data
, int cnt
)
355 krb5_keyblock
*key_block
;
358 krb5_principal server
;
365 auth
.data
= (char *)data
;
370 ret
= krb5_auth_con_init (context
, &auth_context
);
372 Data(ap
, KRB_REJECT
, "krb5_auth_con_init failed", -1);
373 auth_finished(ap
, AUTH_REJECT
);
374 estr
= krb5_get_error_message (context
, ret
);
375 log_message("Kerberos V5: krb5_auth_con_init failed (%s)", estr
);
376 krb5_free_error_message(context
, estr
);
380 ret
= krb5_auth_con_setaddrs_from_fd (context
,
384 Data(ap
, KRB_REJECT
, "krb5_auth_con_setaddrs_from_fd failed", -1);
385 auth_finished(ap
, AUTH_REJECT
);
386 estr
= krb5_get_error_message (context
, ret
);
387 log_message("Kerberos V5: "
388 "krb5_auth_con_setaddrs_from_fd failed (%s)", estr
);
389 krb5_free_error_message(context
, estr
);
393 ret
= krb5_sock_to_principal (context
,
399 Data(ap
, KRB_REJECT
, "krb5_sock_to_principal failed", -1);
400 auth_finished(ap
, AUTH_REJECT
);
401 estr
= krb5_get_error_message (context
, ret
);
402 log_message("Kerberos V5: "
403 "krb5_sock_to_principal failed (%s)", estr
);
404 krb5_free_error_message(context
, estr
);
408 ret
= krb5_rd_req(context
,
416 krb5_free_principal (context
, server
);
418 const char *errbuf2
= "Read req failed";
422 estr
= krb5_get_error_message (context
, ret
);
423 ret2
= asprintf(&errbuf
, "Read req failed: %s", estr
);
424 krb5_free_error_message(context
, estr
);
427 Data(ap
, KRB_REJECT
, errbuf2
, -1);
428 log_message("%s", errbuf2
);
437 ap_msg
[0] = ap
->type
;
440 ret
= krb5_verify_authenticator_checksum(context
,
446 const char *errbuf2
= "Bad checksum";
450 estr
= krb5_get_error_message (context
, ret
);
451 ret2
= asprintf(&errbuf
, "Bad checksum: %s", estr
);
452 krb5_free_error_message(context
, estr
);
455 Data(ap
, KRB_REJECT
, errbuf2
, -1);
456 log_message("%s", errbuf2
);
462 ret
= krb5_auth_con_getremotesubkey (context
,
467 Data(ap
, KRB_REJECT
, "krb5_auth_con_getremotesubkey failed", -1);
468 auth_finished(ap
, AUTH_REJECT
);
469 estr
= krb5_get_error_message (context
, ret
);
470 log_message("Kerberos V5: "
471 "krb5_auth_con_getremotesubkey failed (%s)", estr
);
472 krb5_free_error_message(context
, estr
);
476 if (key_block
== NULL
) {
477 ret
= krb5_auth_con_getkey(context
,
482 Data(ap
, KRB_REJECT
, "krb5_auth_con_getkey failed", -1);
483 auth_finished(ap
, AUTH_REJECT
);
484 estr
= krb5_get_error_message (context
, ret
);
485 log_message("Kerberos V5: "
486 "krb5_auth_con_getkey failed (%s)", estr
);
487 krb5_free_error_message(context
, estr
);
490 if (key_block
== NULL
) {
491 Data(ap
, KRB_REJECT
, "no subkey received", -1);
492 auth_finished(ap
, AUTH_REJECT
);
493 log_message("Kerberos V5: "
494 "krb5_auth_con_getremotesubkey returned NULL key");
498 if ((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_MUTUAL
) {
499 ret
= krb5_mk_rep(context
, auth_context
, &outbuf
);
502 "krb5_mk_rep failed", -1);
503 auth_finished(ap
, AUTH_REJECT
);
504 estr
= krb5_get_error_message (context
, ret
);
505 log_message("Kerberos V5: "
506 "krb5_mk_rep failed (%s)", estr
);
507 krb5_free_error_message(context
, estr
);
508 krb5_free_keyblock(context
, key_block
);
511 Data(ap
, KRB_RESPONSE
, outbuf
.data
, outbuf
.length
);
513 if (krb5_unparse_name(context
, ticket
->client
, &name
))
516 if(UserNameRequested
&& krb5_kuserok(context
,
518 UserNameRequested
)) {
519 Data(ap
, KRB_ACCEPT
, name
, name
? -1 : 0);
520 log_message("%s accepted as user %s from %s",
521 name
? name
: "<unknown>",
522 UserNameRequested
? UserNameRequested
: "<unknown>",
523 RemoteHostName
? RemoteHostName
: "<unknown>");
525 if(key_block
->keytype
== ETYPE_DES_CBC_MD5
||
526 key_block
->keytype
== ETYPE_DES_CBC_MD4
||
527 key_block
->keytype
== ETYPE_DES_CBC_CRC
) {
532 skey
.data
= key_block
->keyvalue
.data
;
533 encrypt_session_key(&skey
, 0);
537 const char *msg2
= "user is not authorized to login";
540 ret
= asprintf (&msg
, "user `%s' is not authorized to "
542 name
? name
: "<unknown>",
543 UserNameRequested
? UserNameRequested
: "<nobody>");
546 Data(ap
, KRB_REJECT
, (void *)msg2
, -1);
549 auth_finished (ap
, AUTH_REJECT
);
550 krb5_free_keyblock(context
, key_block
);
553 auth_finished(ap
, AUTH_USER
);
554 krb5_free_keyblock(context
, key_block
);
559 char ccname
[1024]; /* XXX */
562 inbuf
.data
= (char *)data
;
565 pwd
= getpwnam (UserNameRequested
);
569 snprintf (ccname
, sizeof(ccname
),
570 "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd
->pw_uid
);
572 ret
= krb5_cc_resolve (context
, ccname
, &ccache
);
574 estr
= krb5_get_error_message (context
, ret
);
575 log_message("Kerberos V5: could not get ccache: %s", estr
);
576 krb5_free_error_message(context
, estr
);
580 ret
= krb5_cc_initialize (context
,
584 estr
= krb5_get_error_message (context
, ret
);
585 log_message("Kerberos V5: could not init ccache: %s", estr
);
586 krb5_free_error_message(context
, estr
);
591 esetenv("KRB5CCNAME", ccname
, 1);
593 ret
= krb5_rd_cred2 (context
,
598 const char *errbuf2
= "Read forwarded creds failed";
602 estr
= krb5_get_error_message (context
, ret
);
603 ret2
= asprintf (&errbuf
, "Read forwarded creds failed: %s", estr
);
604 krb5_free_error_message(context
, estr
);
607 Data(ap
, KRB_FORWARD_REJECT
, errbuf
, -1);
608 log_message("Could not read forwarded credentials: %s", errbuf2
);
613 Data(ap
, KRB_FORWARD_ACCEPT
, 0, 0);
618 chown (ccname
+ 5, pwd
->pw_uid
, -1);
619 log_message("Forwarded credentials obtained");
623 log_message("Unknown Kerberos option %d", data
[-1]);
624 Data(ap
, KRB_REJECT
, 0, 0);
630 kerberos5_reply(Authenticator
*ap
, unsigned char *data
, int cnt
)
632 static int mutual_complete
= 0;
640 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
643 printf("[ Kerberos V5 refuses authentication ]\r\n");
649 krb5_keyblock
*keyblock
;
651 if ((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_MUTUAL
&&
653 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
658 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt
, data
);
660 printf("[ Kerberos V5 accepts you ]\r\n");
662 ret
= krb5_auth_con_getlocalsubkey (context
,
666 ret
= krb5_auth_con_getkey (context
,
670 estr
= krb5_get_error_message (context
, ret
);
671 printf("[ krb5_auth_con_getkey: %s ]\r\n", estr
);
672 krb5_free_error_message(context
, estr
);
679 skey
.data
= keyblock
->keyvalue
.data
;
680 encrypt_session_key(&skey
, 0);
681 krb5_free_keyblock (context
, keyblock
);
682 auth_finished(ap
, AUTH_USER
);
683 if (forward_flags
& OPTS_FORWARD_CREDS
)
684 kerberos5_forward(ap
);
688 if ((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_MUTUAL
) {
689 /* the rest of the reply should contain a krb_ap_rep */
690 krb5_ap_rep_enc_part
*reply
;
695 inbuf
.data
= (char *)data
;
697 ret
= krb5_rd_rep(context
, auth_context
, &inbuf
, &reply
);
699 estr
= krb5_get_error_message (context
, ret
);
700 printf("[ Mutual authentication failed: %s ]\r\n", estr
);
701 krb5_free_error_message(context
, estr
);
705 krb5_free_ap_rep_enc_part(context
, reply
);
709 case KRB_FORWARD_ACCEPT
:
710 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
712 case KRB_FORWARD_REJECT
:
713 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
718 printf("Unknown Kerberos option %d\r\n", data
[-1]);
724 kerberos5_status(Authenticator
*ap
, char *name
, size_t name_sz
, int level
)
726 if (level
< AUTH_USER
)
729 if (UserNameRequested
&&
730 krb5_kuserok(context
,
734 strlcpy(name
, UserNameRequested
, name_sz
);
743 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
744 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
747 kerberos5_printsub(unsigned char *data
, size_t cnt
,
748 unsigned char *buf
, size_t buflen
)
752 buf
[buflen
-1] = '\0'; /* make sure it's NULL terminated */
756 case KRB_REJECT
: /* Rejected (reason might follow) */
757 strlcpy((char *)buf
, " REJECT ", buflen
);
760 case KRB_ACCEPT
: /* Accepted (name might follow) */
761 strlcpy((char *)buf
, " ACCEPT ", buflen
);
766 ADDC(buf
, buflen
, '"');
767 for (i
= 4; i
< cnt
; i
++)
768 ADDC(buf
, buflen
, data
[i
]);
769 ADDC(buf
, buflen
, '"');
770 ADDC(buf
, buflen
, '\0');
774 case KRB_AUTH
: /* Authentication data follows */
775 strlcpy((char *)buf
, " AUTH", buflen
);
779 strlcpy((char *)buf
, " RESPONSE", buflen
);
782 case KRB_FORWARD
: /* Forwarded credentials follow */
783 strlcpy((char *)buf
, " FORWARD", buflen
);
786 case KRB_FORWARD_ACCEPT
: /* Forwarded credentials accepted */
787 strlcpy((char *)buf
, " FORWARD_ACCEPT", buflen
);
790 case KRB_FORWARD_REJECT
: /* Forwarded credentials rejected */
791 /* (reason might follow) */
792 strlcpy((char *)buf
, " FORWARD_REJECT", buflen
);
796 snprintf((char*)buf
, buflen
, " %d (unknown)", data
[3]);
799 for (i
= 4; i
< cnt
; i
++) {
800 snprintf((char*)buf
, buflen
, " %d", data
[i
]);
808 kerberos5_forward(Authenticator
*ap
)
815 krb5_principal principal
;
818 ret
= krb5_cc_default (context
, &ccache
);
820 if (auth_debug_mode
) {
821 estr
= krb5_get_error_message (context
, ret
);
822 printf ("KerberosV5: could not get default ccache: %s\r\n", estr
);
823 krb5_free_error_message(context
, estr
);
828 ret
= krb5_cc_get_principal (context
, ccache
, &principal
);
830 if (auth_debug_mode
) {
831 estr
= krb5_get_error_message (context
, ret
);
832 printf ("KerberosV5: could not get principal: %s\r\n", estr
);
833 krb5_free_error_message(context
, estr
);
838 memset (&creds
, 0, sizeof(creds
));
840 creds
.client
= principal
;
842 ret
= krb5_make_principal(context
,
850 if (auth_debug_mode
) {
851 estr
= krb5_get_error_message (context
, ret
);
852 printf ("KerberosV5: could not get principal: %s\r\n", estr
);
853 krb5_free_error_message(context
, estr
);
858 creds
.times
.endtime
= 0;
860 memset(&flags
, 0, sizeof(flags
));
862 if (forward_flags
& OPTS_FORWARDABLE_CREDS
)
863 flags
.forwardable
= 1;
865 ret
= krb5_get_forwarded_creds (context
,
868 KDCOptions2int(flags
),
873 if (auth_debug_mode
) {
874 estr
= krb5_get_error_message (context
, ret
);
875 printf ("Kerberos V5: error getting forwarded creds: %s\r\n", estr
);
876 krb5_free_error_message(context
, estr
);
881 if(!Data(ap
, KRB_FORWARD
, out_data
.data
, out_data
.length
)) {
883 printf("Not enough room for authentication data\r\n");
886 printf("Forwarded local Kerberos V5 credentials to server\r\n");
891 /* if this was a K5 authentication try and join a PAG for the user. */
893 kerberos5_dfspag(void)
896 dfspag
= krb5_dfs_pag(context
, dfsfwd
, ticket
->client
,
903 kerberos5_set_forward(int on
)
906 forward_flags
&= ~OPTS_FORWARD_CREDS
;
908 forward_flags
|= OPTS_FORWARD_CREDS
;
910 forward_flags
^= OPTS_FORWARD_CREDS
;
915 kerberos5_set_forwardable(int on
)
918 forward_flags
&= ~OPTS_FORWARDABLE_CREDS
;
920 forward_flags
|= OPTS_FORWARDABLE_CREDS
;
922 forward_flags
^= OPTS_FORWARDABLE_CREDS
;