Annotation of src/usr.bin/ssh/auth-krb5.c, Revision 1.12
1.1 dugsong 1: /*
2: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 3: *
1.1 dugsong 4: * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
5: */
1.7 stevesk 6: /*
7: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: *
18: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28: */
1.1 dugsong 29:
30: #include "includes.h"
1.12 ! markus 31: RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
1.6 stevesk 32:
1.1 dugsong 33: #include "ssh.h"
34: #include "ssh1.h"
35: #include "packet.h"
36: #include "xmalloc.h"
37: #include "log.h"
38: #include "servconf.h"
39: #include "uidswap.h"
40: #include "auth.h"
41:
42: #ifdef KRB5
43: #include <krb5.h>
44:
45: extern ServerOptions options;
46:
/*
 * Lazily create the Kerberos library context for this connection and make
 * sure it is released if sshd terminates through fatal().
 *
 * context: the Authctxt of the connection being authenticated (passed as
 *          void * so the function can double as a generic init hook).
 * Returns 0 on success, or the krb5_error_code from krb5_init_context().
 */
static int
krb5_init(void *context)
{
	Authctxt *authctxt = (Authctxt *)context;
	static int cleanup_registered = 0;
	krb5_error_code problem;

	if (authctxt->krb5_ctx == NULL) {
		if ((problem = krb5_init_context(&authctxt->krb5_ctx)) != 0)
			return (problem);
		/*
		 * Heimdal error-table initialisation; presumably needed so
		 * krb5_get_err_text() can render messages later -- confirm.
		 */
		krb5_init_ets(authctxt->krb5_ctx);
	}

	/*
	 * The cleanup hook is registered once per process and binds the
	 * first authctxt it is given.
	 * NOTE(review): this assumes a single Authctxt per sshd child; a
	 * later call with a different authctxt would not re-register.
	 */
	if (cleanup_registered)
		return (0);
	fatal_add_cleanup(krb5_cleanup_proc, authctxt);
	cleanup_registered = 1;
	return (0);
}
66:
/*
 * Verify a client-supplied password with Kerberos and, on success, leave the
 * resulting credentials in a file credential cache recorded in authctxt.
 *
 * authctxt: authentication context; authctxt->pw identifies the local user
 *           and must already be set.
 * password: the plaintext password supplied by the client.
 *
 * Returns 1 when the password was verified, 0 when authentication is
 * refused, and -1 when it failed but options.kerberos_or_local_passwd lets
 * the caller fall back to the local password database.  A NULL
 * authctxt->pw yields 0 without touching Kerberos.
 *
 * On success authctxt->krb5_ctx, krb5_user, krb5_fwd_ccache and
 * krb5_ticket_file are populated.  On failure everything acquired so far is
 * released through krb5_cleanup_proc().
 */
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
	krb5_error_code problem;
	krb5_ccache ccache = NULL;

	if (authctxt->pw == NULL)
		return (0);

	/* Caches are created with the user's privileges, not the server's. */
	temporarily_use_uid(authctxt->pw);

	if ((problem = krb5_init(authctxt)) != 0)
		goto out;

	if ((problem = krb5_parse_name(authctxt->krb5_ctx,
	    authctxt->pw->pw_name, &authctxt->krb5_user)) != 0)
		goto out;

	/*
	 * Stage the credentials in a memory cache first; they are copied to
	 * a file cache only once the password has been verified.
	 */
	if ((problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
	    &ccache)) != 0)
		goto out;

	if ((problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_user)) != 0)
		goto out;

	/*
	 * Verification runs with the server's privileges -- presumably so
	 * the host keytab can be read for the secure check (flag 1) --
	 * confirm.  The user's uid is re-assumed right after, whatever the
	 * outcome.
	 */
	restore_uid();
	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
	    ccache, password, 1, NULL);
	temporarily_use_uid(authctxt->pw);
	if (problem != 0)
		goto out;

	/* Verified credentials go into a file cache created as the user. */
	if ((problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
	    &authctxt->krb5_fwd_ccache)) != 0)
		goto out;

	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_fwd_ccache);
	/* The memory cache is done with whether or not the copy succeeded. */
	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
	ccache = NULL;
	if (problem != 0)
		goto out;

	/*
	 * Record the file cache name for later use.  The cast drops const;
	 * the string appears to be owned by the ccache object rather than
	 * copied -- confirm before anyone frees krb5_ticket_file.
	 */
	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
	    authctxt->krb5_fwd_ccache);

 out:
	restore_uid();

	if (problem == 0)
		return (1);

	/* Failure: drop the staging cache if it is still alive. */
	if (ccache != NULL)
		krb5_cc_destroy(authctxt->krb5_ctx, ccache);

	/* krb5_ctx may be NULL if krb5_init() itself failed. */
	if (authctxt->krb5_ctx != NULL)
		debug("Kerberos password authentication failed: %s",
		    krb5_get_err_text(authctxt->krb5_ctx, problem));
	else
		debug("Kerberos password authentication failed: %d",
		    problem);

	/*
	 * NOTE(review): this runs after restore_uid(), so a file cache that
	 * was already created is destroyed with the server's privileges
	 * rather than the user's -- confirm that is intended.
	 */
	krb5_cleanup_proc(authctxt);

	return (options.kerberos_or_local_passwd ? -1 : 0);
}
144:
/*
 * Release all Kerberos state held in an Authctxt.
 *
 * Registered with fatal_add_cleanup() by krb5_init() and also invoked
 * directly when password authentication fails, so each field is reset to
 * NULL after release and the function is safe to call more than once.
 *
 * context: the Authctxt whose krb5_* fields are to be torn down.
 */
void
krb5_cleanup_proc(void *context)
{
	Authctxt *authctxt = (Authctxt *)context;

	debug("krb5_cleanup_proc called");

	/*
	 * The cache and principal are released through the context, so the
	 * context itself must be freed last.
	 */
	if (authctxt->krb5_fwd_ccache != NULL) {
		/* Destroy (not merely close) so the on-disk cache goes away. */
		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
		authctxt->krb5_fwd_ccache = NULL;
	}
	if (authctxt->krb5_user != NULL) {
		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
		authctxt->krb5_user = NULL;
	}
	if (authctxt->krb5_ctx != NULL) {
		krb5_free_context(authctxt->krb5_ctx);
		authctxt->krb5_ctx = NULL;
	}
}
164:
165: #endif /* KRB5 */