
Annotation of src/usr.bin/login/k5login.c, Revision 1.2

1.2     ! deraadt     1: /*     $OpenBSD: k5login.c,v 1.2 1994/12/23 06:52:58 jtc Exp $ */
1.1       deraadt     2: /*     $NetBSD: k5login.c,v 1.2 1994/12/23 06:52:58 jtc Exp $  */
                      3:
                      4: /*-
                      5:  * Copyright (c) 1990 The Regents of the University of California.
                      6:  * All rights reserved.
                      7:  *
                      8:  * Redistribution and use in source and binary forms, with or without
                      9:  * modification, are permitted provided that the following conditions
                     10:  * are met:
                     11:  * 1. Redistributions of source code must retain the above copyright
                     12:  *    notice, this list of conditions and the following disclaimer.
                     13:  * 2. Redistributions in binary form must reproduce the above copyright
                     14:  *    notice, this list of conditions and the following disclaimer in the
                     15:  *    documentation and/or other materials provided with the distribution.
                     16:  * 3. All advertising materials mentioning features or use of this software
                     17:  *    must display the following acknowledgement:
                     18:  *     This product includes software developed by the University of
                     19:  *     California, Berkeley and its contributors.
                     20:  * 4. Neither the name of the University nor the names of its contributors
                     21:  *    may be used to endorse or promote products derived from this software
                     22:  *    without specific prior written permission.
                     23:  *
                     24:  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
                     25:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
                     26:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
                     27:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
                     28:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
                     29:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
                     30:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
                     31:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
                     32:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
                     33:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
                     34:  * SUCH DAMAGE.
                     35:  */
                     36:
                     37: #ifndef lint
                     38: #if 0
                     39: static char sccsid[] = "@(#)klogin.c   5.11 (Berkeley) 7/12/92";
                     40: #endif
1.2     ! deraadt    41: static char rcsid[] = "$OpenBSD: k5login.c,v 1.2 1994/12/23 06:52:58 jtc Exp $";
1.1       deraadt    42: #endif /* not lint */
                     43:
                     44: #ifdef KERBEROS5
#include <sys/param.h>
#include <sys/syslog.h>
#include <com_err.h>
#include <krb5/krb5.h>
#include <krb5/ext-proto.h>
#include <krb5/los-proto.h>
#include <pwd.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
                     56:
                     57: #define KRB5_DEFAULT_OPTIONS 0
                     58: #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
                     59:
/*
 * Name component of the ticket-granting service (KRB5_TGS_NAME).
 * klogin() uses it together with the client's realm to build the
 * server principal of the initial ticket request.
 */
krb5_data tgtname = {
    KRB5_TGS_NAME_SIZE,
    KRB5_TGS_NAME
};
                     64:
                     65: /*
                     66:  * Try no preauthentication first; then try the encrypted timestamp
                     67:  */
/*
 * Preauthentication types klogin() tries, in order: none first, then
 * the encrypted timestamp.  The list is terminated by -1; klogin()
 * stops early as soon as the KDC answers with anything other than a
 * preauth failure or a generic error.
 */
int preauth_search_list[] = {
	0,
	KRB5_PADATA_ENC_TIMESTAMP,
	-1
	};
                     73:
/* Shared with login.c: cleared by klogin() once a TGT has been obtained. */
extern int notickets;
/* Shared with login.c: name of the credentials cache ("FILE:" + path);
 * set by klogin() and consumed by kdestroy(). */
extern char *krbtkfile_env;
/* Shared with login.c: the tty name, used to make the cache name unique. */
extern char *tty;

/* Backing storage for krbtkfile_env; MAXPATHLEN bounds the formatted name. */
static char tkt_location[MAXPATHLEN];
                     79:
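/*
 * Attempt to log the user in using Kerberos 5 authentication.
 *
 * pw        - passwd entry of the user logging in
 * instance  - principal instance: "" for none, "root" for user/root
 * localhost - unused here; retained for interface compatibility with
 *             the caller in login.c
 * password  - cleartext password typed at the prompt
 *
 * Returns 0 on success: a TGT for krbtgt/REALM@REALM is stored in the
 * credentials cache named by krbtkfile_env and notickets is cleared.
 * Returns 1 when Kerberos was not attempted or failed; login then falls
 * back to the local password file.
 *
 * Every error path releases what was allocated so far.  The contents of
 * the krb5_creds filled in by the library (ticket, session key) are not
 * released; this matches the previous behaviour of this one-shot process.
 */
int
klogin(struct passwd *pw, char *instance, char *localhost, char *password)
{
	krb5_error_code kerror;
	krb5_address **my_addresses = NULL;
	krb5_principal me = NULL, server = NULL;
	krb5_creds my_creds;
	krb5_timestamp now;
	krb5_ccache ccache = NULL;
	long lifetime = KRB5_DEFAULT_LIFE;
	int options = KRB5_DEFAULT_OPTIONS;
	int i, n, ret = 1;
	char *realm, *client_name = NULL;
	char *principal = NULL;
	const char *ccpath;
	size_t len;

	(void)localhost;

#ifdef SKEY
	/* An S/Key challenge and Kerberos are never attempted together. */
	if (strcasecmp(password, "s/key") == 0)
		return (1);
#endif

	krb5_init_ets();

	/*
	 * Root logins don't use Kerberos.  Without a default realm there
	 * is no KDC to ask either; fall back to the passwd file in both
	 * cases.  realm itself is only probed for presence.
	 */
	if (strcmp(pw->pw_name, "root") == 0 ||
	    krb5_get_default_realm(&realm))
		return (1);

	/* tty is filled in by login.c; without it no cache name can be built. */
	if (tty == NULL) {
		syslog(LOG_NOTICE, "warning: no tty name, skipping Kerberos");
		return (1);
	}

	/*
	 * The cache lives in /tmp, named by uid and tty; user.root tickets
	 * get a file of their own.  "FILE:" is the ccache type tag and is
	 * stripped again below for chown().
	 *
	 * NOTE(review): the name is predictable and login runs with
	 * privilege, so a file or symlink planted at this path beforehand
	 * is followed by the cache library and by chown() below.  Guarding
	 * against that needs O_EXCL/O_NOFOLLOW handling inside the library
	 * or an unpredictable cache name; neither is done here.
	 */
	if (strcmp(instance, "root") != 0)
		n = snprintf(tkt_location, sizeof(tkt_location),
		    "FILE:/tmp/krb5cc_%lu.%s", (unsigned long)pw->pw_uid, tty);
	else
		n = snprintf(tkt_location, sizeof(tkt_location),
		    "FILE:/tmp/krb5cc_root_%lu.%s", (unsigned long)pw->pw_uid,
		    tty);
	if (n < 0 || (size_t)n >= sizeof(tkt_location)) {
		syslog(LOG_NOTICE, "warning: Kerberos cache name too long for %s",
		    pw->pw_name);
		return (1);
	}
	krbtkfile_env = tkt_location;
	ccpath = tkt_location + sizeof("FILE:") - 1;

	/* The principal is "name" or "name/instance". */
	len = strlen(pw->pw_name) + strlen(instance) + 2;
	principal = malloc(len);
	if (principal == NULL) {
		syslog(LOG_NOTICE, "warning: out of memory building principal");
		return (1);
	}
	if (*instance != '\0')
		(void)snprintf(principal, len, "%s/%s", pw->pw_name, instance);
	else
		(void)snprintf(principal, len, "%s", pw->pw_name);

	kerror = krb5_cc_resolve(tkt_location, &ccache);
	if (kerror) {
		syslog(LOG_NOTICE, "warning: %s while getting default ccache",
		    error_message(kerror));
		goto out;
	}

	kerror = krb5_parse_name(principal, &me);
	if (kerror) {
		syslog(LOG_NOTICE, "warning: %s when parsing name %s",
		    error_message(kerror), principal);
		goto out;
	}

	/* Round-trip check only; the unparsed form is not used further. */
	kerror = krb5_unparse_name(me, &client_name);
	if (kerror) {
		syslog(LOG_NOTICE, "warning: %s when unparsing name %s",
		    error_message(kerror), principal);
		goto out;
	}

	kerror = krb5_cc_initialize(ccache, me);
	if (kerror) {
		syslog(LOG_NOTICE, "%s when initializing cache %s",
		    error_message(kerror), tkt_location);
		goto out;
	}

	memset(&my_creds, 0, sizeof(my_creds));
	my_creds.client = me;

	/* Ask for krbtgt/REALM@REALM in the client's own realm. */
	kerror = krb5_build_principal_ext(&server,
	    krb5_princ_realm(me)->length, krb5_princ_realm(me)->data,
	    tgtname.length, tgtname.data,
	    krb5_princ_realm(me)->length, krb5_princ_realm(me)->data,
	    0);
	if (kerror) {
		syslog(LOG_NOTICE, "%s while building server name",
		    error_message(kerror));
		goto out;
	}
	my_creds.server = server;

	kerror = krb5_os_localaddr(&my_addresses);
	if (kerror) {
		syslog(LOG_NOTICE, "%s when getting my address",
		    error_message(kerror));
		goto out;
	}

	kerror = krb5_timeofday(&now);
	if (kerror) {
		syslog(LOG_NOTICE, "%s while getting time of day",
		    error_message(kerror));
		goto out;
	}
	my_creds.times.starttime = 0;	/* the KDC starts the clock on receipt */
	my_creds.times.endtime = now + lifetime;
	my_creds.times.renew_till = 0;

	/*
	 * Try each preauth type in turn.  Only a preauth failure or a
	 * generic error moves on to the next entry; anything else (success
	 * or a definite failure such as a bad password) ends the search.
	 * Single DES (DES-CBC-CRC) is the only enctype requested; that is
	 * what this library offers, not a strength to rely on today.
	 */
	for (i = 0; preauth_search_list[i] >= 0; i++) {
		kerror = krb5_get_in_tkt_with_password(options, my_addresses,
		    preauth_search_list[i], ETYPE_DES_CBC_CRC, KEYTYPE_DES,
		    password, ccache, &my_creds, 0);
		if (kerror != KRB5KDC_PREAUTH_FAILED &&
		    kerror != KRB5KRB_ERR_GENERIC)
			break;
	}

	/*
	 * Hand the cache file to the user whether or not the request
	 * succeeded: krb5_cc_initialize() may already have created it.
	 * A failed chown is logged only; the file would stay owned by
	 * the privileged login process.
	 */
	if (chown(ccpath, pw->pw_uid, pw->pw_gid) < 0)
		syslog(LOG_ERR, "chown tkfile (%s): %m", ccpath);

	if (kerror) {
		if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY)
			printf("%s: Kerberos Password incorrect\n", principal);
		else
			printf("%s while getting initial credentials\n",
			    error_message(kerror));
		goto out;
	}

	/* Success: the TGT is in the cache, login need not warn about tickets. */
	notickets = 0;
	ret = 0;

out:
	if (my_addresses != NULL)
		krb5_free_addresses(my_addresses);
	if (server != NULL)
		krb5_free_principal(server);
	if (me != NULL)
		krb5_free_principal(me);
	/* krb5_unparse_name() hands back malloc()ed storage. */
	free(client_name);
	/* The credentials are on disk; the handle is no longer needed. */
	if (ccache != NULL)
		krb5_cc_close(ccache);
	free(principal);
	return (ret);
}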
                    240:
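/*
 * Remove the credentials cache created by klogin(), if any.
 *
 * The cache is located through krbtkfile_env, which klogin() sets; when
 * it was never set there is nothing to do.  Failures stay silent, as
 * before.
 */
void
kdestroy(void)
{
	krb5_ccache ccache = NULL;

	if (krbtkfile_env == NULL)
		return;

	if (krb5_cc_resolve(krbtkfile_env, &ccache) != 0)
		return;

	/*
	 * NOTE(review): in MIT Kerberos krb5_cc_destroy() removes the cache
	 * and releases the handle as well, so closing it again after a
	 * successful destroy was a double release -- confirm against the
	 * library version linked here.  Only after a failed destroy is the
	 * handle still ours to close.
	 */
	if (krb5_cc_destroy(ccache) != 0)
		krb5_cc_close(ccache);
}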
                    261: #endif