Annotation of src/usr.bin/ssh/auth-krb5.c, Revision 1.10.2.2
1.1 dugsong 1: /*
2: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 3: *
1.1 dugsong 4: * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
5: */
1.7 stevesk 6: /*
7: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: *
18: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28: */
1.1 dugsong 29:
30: #include "includes.h"
1.10.2.2! brad 31: RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
1.6 stevesk 32:
1.1 dugsong 33: #include "ssh.h"
34: #include "ssh1.h"
35: #include "packet.h"
36: #include "xmalloc.h"
37: #include "log.h"
38: #include "servconf.h"
39: #include "uidswap.h"
40: #include "auth.h"
41:
42: #ifdef KRB5
43: #include <krb5.h>
44:
45: extern ServerOptions options;
46:
47: static int
48: krb5_init(void *context)
49: {
50: Authctxt *authctxt = (Authctxt *)context;
51: krb5_error_code problem;
1.3 deraadt 52:
1.1 dugsong 53: if (authctxt->krb5_ctx == NULL) {
54: problem = krb5_init_context(&authctxt->krb5_ctx);
55: if (problem)
56: return (problem);
57: krb5_init_ets(authctxt->krb5_ctx);
58: }
59: return (0);
60: }
61:
62: int
63: auth_krb5_password(Authctxt *authctxt, const char *password)
64: {
65: krb5_error_code problem;
1.10.2.1 brad 66: krb5_ccache ccache = NULL;
1.3 deraadt 67:
1.10.2.2! brad 68: if (!authctxt->valid)
1.1 dugsong 69: return (0);
1.3 deraadt 70:
1.1 dugsong 71: temporarily_use_uid(authctxt->pw);
1.3 deraadt 72:
1.1 dugsong 73: problem = krb5_init(authctxt);
74: if (problem)
75: goto out;
1.3 deraadt 76:
1.1 dugsong 77: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
78: &authctxt->krb5_user);
79: if (problem)
80: goto out;
1.3 deraadt 81:
1.10.2.1 brad 82: problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
1.1 dugsong 83: if (problem)
84: goto out;
1.3 deraadt 85:
1.10.2.2! brad 86: problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
1.10.2.1 brad 87: authctxt->krb5_user);
1.1 dugsong 88: if (problem)
89: goto out;
1.3 deraadt 90:
1.4 markus 91: restore_uid();
1.10.2.1 brad 92:
1.1 dugsong 93: problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
1.10.2.1 brad 94: ccache, password, 1, NULL);
95:
1.4 markus 96: temporarily_use_uid(authctxt->pw);
97:
1.1 dugsong 98: if (problem)
99: goto out;
1.3 deraadt 100:
1.10.2.2! brad 101: problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
1.10.2.1 brad 102: &authctxt->krb5_fwd_ccache);
103: if (problem)
104: goto out;
105:
106: problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
107: authctxt->krb5_fwd_ccache);
108: krb5_cc_destroy(authctxt->krb5_ctx, ccache);
109: ccache = NULL;
110: if (problem)
111: goto out;
112:
113: authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
114: authctxt->krb5_fwd_ccache);
1.3 deraadt 115:
1.1 dugsong 116: out:
117: restore_uid();
1.3 deraadt 118:
1.1 dugsong 119: if (problem) {
1.10.2.1 brad 120: if (ccache)
121: krb5_cc_destroy(authctxt->krb5_ctx, ccache);
122:
1.5 markus 123: if (authctxt->krb5_ctx != NULL)
124: debug("Kerberos password authentication failed: %s",
125: krb5_get_err_text(authctxt->krb5_ctx, problem));
126: else
127: debug("Kerberos password authentication failed: %d",
128: problem);
1.3 deraadt 129:
1.1 dugsong 130: krb5_cleanup_proc(authctxt);
1.3 deraadt 131:
1.1 dugsong 132: if (options.kerberos_or_local_passwd)
133: return (-1);
134: else
135: return (0);
136: }
137: return (1);
138: }
139:
140: void
1.10.2.2! brad 141: krb5_cleanup_proc(Authctxt *authctxt)
1.1 dugsong 142: {
143: debug("krb5_cleanup_proc called");
144: if (authctxt->krb5_fwd_ccache) {
145: krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
146: authctxt->krb5_fwd_ccache = NULL;
147: }
148: if (authctxt->krb5_user) {
149: krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
150: authctxt->krb5_user = NULL;
151: }
152: if (authctxt->krb5_ctx) {
153: krb5_free_context(authctxt->krb5_ctx);
154: authctxt->krb5_ctx = NULL;
155: }
156: }
157:
158: #endif /* KRB5 */