Annotation of src/usr.bin/ssh/auth-krb5.c, Revision 1.15.8.1
1.1 dugsong 1: /*
2: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 3: *
1.1 dugsong 4: * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
5: */
1.7 stevesk 6: /*
7: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: *
18: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28: */
1.1 dugsong 29:
30: #include "includes.h"
1.15.8.1! brad 31: RCSID("$OpenBSD: auth-krb5.c,v 1.16 2005/11/21 09:42:10 dtucker Exp $");
1.6 stevesk 32:
1.1 dugsong 33: #include "ssh.h"
34: #include "ssh1.h"
35: #include "packet.h"
36: #include "xmalloc.h"
37: #include "log.h"
38: #include "servconf.h"
39: #include "uidswap.h"
40: #include "auth.h"
41:
42: #ifdef KRB5
43: #include <krb5.h>
44:
45: extern ServerOptions options;
46:
47: static int
48: krb5_init(void *context)
49: {
50: Authctxt *authctxt = (Authctxt *)context;
51: krb5_error_code problem;
1.3 deraadt 52:
1.1 dugsong 53: if (authctxt->krb5_ctx == NULL) {
54: problem = krb5_init_context(&authctxt->krb5_ctx);
55: if (problem)
56: return (problem);
57: krb5_init_ets(authctxt->krb5_ctx);
58: }
59: return (0);
60: }
61:
62: int
63: auth_krb5_password(Authctxt *authctxt, const char *password)
64: {
65: krb5_error_code problem;
1.11 markus 66: krb5_ccache ccache = NULL;
1.3 deraadt 67:
1.1 dugsong 68: temporarily_use_uid(authctxt->pw);
1.3 deraadt 69:
1.1 dugsong 70: problem = krb5_init(authctxt);
71: if (problem)
72: goto out;
1.3 deraadt 73:
1.1 dugsong 74: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
75: &authctxt->krb5_user);
76: if (problem)
77: goto out;
1.3 deraadt 78:
1.11 markus 79: problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
1.1 dugsong 80: if (problem)
81: goto out;
1.3 deraadt 82:
1.15 djm 83: problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
1.11 markus 84: authctxt->krb5_user);
1.1 dugsong 85: if (problem)
86: goto out;
1.3 deraadt 87:
1.4 markus 88: restore_uid();
1.11 markus 89:
1.1 dugsong 90: problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
1.11 markus 91: ccache, password, 1, NULL);
92:
1.4 markus 93: temporarily_use_uid(authctxt->pw);
94:
1.1 dugsong 95: if (problem)
96: goto out;
1.3 deraadt 97:
1.15 djm 98: problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
1.11 markus 99: &authctxt->krb5_fwd_ccache);
100: if (problem)
101: goto out;
102:
103: problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
104: authctxt->krb5_fwd_ccache);
105: krb5_cc_destroy(authctxt->krb5_ctx, ccache);
106: ccache = NULL;
107: if (problem)
108: goto out;
109:
1.12 markus 110: authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
111: authctxt->krb5_fwd_ccache);
1.3 deraadt 112:
1.1 dugsong 113: out:
114: restore_uid();
1.3 deraadt 115:
1.1 dugsong 116: if (problem) {
1.11 markus 117: if (ccache)
118: krb5_cc_destroy(authctxt->krb5_ctx, ccache);
119:
1.5 markus 120: if (authctxt->krb5_ctx != NULL)
121: debug("Kerberos password authentication failed: %s",
122: krb5_get_err_text(authctxt->krb5_ctx, problem));
123: else
124: debug("Kerberos password authentication failed: %d",
125: problem);
1.3 deraadt 126:
1.1 dugsong 127: krb5_cleanup_proc(authctxt);
1.3 deraadt 128:
1.1 dugsong 129: if (options.kerberos_or_local_passwd)
130: return (-1);
131: else
132: return (0);
133: }
1.15.8.1! brad 134: return (authctxt->valid ? 1 : 0);
1.1 dugsong 135: }
136:
137: void
1.13 markus 138: krb5_cleanup_proc(Authctxt *authctxt)
1.1 dugsong 139: {
140: debug("krb5_cleanup_proc called");
141: if (authctxt->krb5_fwd_ccache) {
142: krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
143: authctxt->krb5_fwd_ccache = NULL;
144: }
145: if (authctxt->krb5_user) {
146: krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
147: authctxt->krb5_user = NULL;
148: }
149: if (authctxt->krb5_ctx) {
150: krb5_free_context(authctxt->krb5_ctx);
151: authctxt->krb5_ctx = NULL;
152: }
153: }
154:
155: #endif /* KRB5 */