1.16.2.1! brad 1: /* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
1.1 dugsong 2: /*
3: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 4: *
1.1 dugsong 5: * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
6: */
1.7 stevesk 7: /*
8: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
9: *
10: * Redistribution and use in source and binary forms, with or without
11: * modification, are permitted provided that the following conditions
12: * are met:
13: * 1. Redistributions of source code must retain the above copyright
14: * notice, this list of conditions and the following disclaimer.
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in the
17: * documentation and/or other materials provided with the distribution.
18: *
19: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29: */
1.1 dugsong 30:
1.16.2.1! brad 31: #include <sys/types.h>
! 32: #include <pwd.h>
! 33: #include <stdarg.h>
1.6 stevesk 34:
1.16.2.1! brad 35: #include "xmalloc.h"
1.1 dugsong 36: #include "ssh.h"
37: #include "ssh1.h"
38: #include "packet.h"
39: #include "log.h"
1.16.2.1! brad 40: #include "buffer.h"
1.1 dugsong 41: #include "servconf.h"
42: #include "uidswap.h"
1.16.2.1! brad 43: #include "key.h"
! 44: #include "hostfile.h"
1.1 dugsong 45: #include "auth.h"
46:
47: #ifdef KRB5
48: #include <krb5.h>
49:
/* sshd's parsed configuration (defined elsewhere); only kerberos_or_local_passwd is read here. */
extern ServerOptions options;
51:
/*
 * Lazily create the Kerberos library context held in the auth context.
 * 'context' is the Authctxt passed through an opaque pointer (the
 * signature is kept generic for use as a callback).
 * Returns 0 if a context already exists or was created, otherwise the
 * krb5 error code from krb5_init_context().
 */
static int
krb5_init(void *context)
{
	Authctxt *authctxt = (Authctxt *)context;
	krb5_error_code problem = 0;

	/* Already initialised on an earlier call: nothing to do. */
	if (authctxt->krb5_ctx != NULL)
		return (0);

	problem = krb5_init_context(&authctxt->krb5_ctx);
	if (problem != 0)
		return (problem);

	/* Register the error tables so failures can be rendered as text. */
	krb5_init_ets(authctxt->krb5_ctx);
	return (0);
}
66:
/*
 * Verify 'password' for the user in authctxt against the Kerberos realm.
 *
 * On success the obtained credentials are left in a freshly created file
 * credential cache (authctxt->krb5_fwd_ccache, whose path is recorded in
 * authctxt->krb5_ticket_file) and the result is 1 when the account is
 * valid, else 0.  On any Kerberos failure all krb5 state is torn down by
 * krb5_cleanup_proc() and the result is -1 when
 * options.kerberos_or_local_passwd is set (presumably telling the caller to
 * fall back to the local password check), otherwise 0.
 *
 * Privilege handling: the caches are created while running with the
 * user's uid so they are owned by the user; only krb5_verify_user() runs
 * with the daemon's privileges restored (the secure check needs access to
 * the host keytab).  Every error path goes through 'out', which restores
 * the daemon uid before returning.
 */
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
	krb5_error_code problem;
	krb5_ccache ccache = NULL;	/* temporary in-memory cache */

	temporarily_use_uid(authctxt->pw);

	problem = krb5_init(authctxt);
	if (problem)
		goto out;

	/* Client principal is derived from the local account name. */
	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
	    &authctxt->krb5_user);
	if (problem)
		goto out;

	/* Obtain the TGT into a memory cache first; nothing touches disk yet. */
	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
	if (problem)
		goto out;

	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_user);
	if (problem)
		goto out;

	/* Back to daemon privileges for the verification step only. */
	restore_uid();

	/*
	 * Fifth argument (secure = 1) asks the library to validate the new
	 * credentials against the local host's key as well, rather than
	 * trusting the KDC reply alone.
	 */
	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
	    ccache, password, 1, NULL);

	temporarily_use_uid(authctxt->pw);

	if (problem)
		goto out;

	/* Now materialise a file cache, created as the user, for forwarding. */
	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
	    &authctxt->krb5_fwd_ccache);
	if (problem)
		goto out;

	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_fwd_ccache);
	/* The memory cache is no longer needed whether or not the copy worked. */
	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
	ccache = NULL;
	if (problem)
		goto out;

	/* Borrowed pointer: the name string belongs to krb5_fwd_ccache. */
	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
	    authctxt->krb5_fwd_ccache);

out:
	restore_uid();

	if (problem) {
		if (ccache)
			krb5_cc_destroy(authctxt->krb5_ctx, ccache);

		/* krb5_ctx is NULL only if krb5_init() itself failed. */
		if (authctxt->krb5_ctx != NULL)
			debug("Kerberos password authentication failed: %s",
			    krb5_get_err_text(authctxt->krb5_ctx, problem));
		else
			debug("Kerberos password authentication failed: %d",
			    problem);

		krb5_cleanup_proc(authctxt);

		if (options.kerberos_or_local_passwd)
			return (-1);
		else
			return (0);
	}
	/* Credentials verified; still refuse an account the caller marked invalid. */
	return (authctxt->valid ? 1 : 0);
}
141:
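/*
 * Release all Kerberos state held in the auth context: the forwarded
 * credential cache (destroyed, not merely closed), the client principal
 * and finally the library context.  Each field is reset to NULL so the
 * function is idempotent.
 *
 * authctxt->krb5_ticket_file is, in this file, only ever set from
 * krb5_cc_get_name() on the forwarded cache (see auth_krb5_password()),
 * i.e. it points into storage owned by that cache object.  It is cleared
 * together with the cache so no stale pointer to freed memory survives.
 */
void
krb5_cleanup_proc(Authctxt *authctxt)
{
	debug("krb5_cleanup_proc called");
	if (authctxt->krb5_fwd_ccache) {
		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
		authctxt->krb5_fwd_ccache = NULL;
		/* Name string belonged to the cache just destroyed. */
		authctxt->krb5_ticket_file = NULL;
	}
	if (authctxt->krb5_user) {
		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
		authctxt->krb5_user = NULL;
	}
	/* Context goes last: the calls above still need it. */
	if (authctxt->krb5_ctx) {
		krb5_free_context(authctxt->krb5_ctx);
		authctxt->krb5_ctx = NULL;
	}
}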
159:
160: #endif /* KRB5 */