Annotation of src/usr.bin/ssh/auth-krb5.c, Revision 1.17
1.1 dugsong 1: /*
2: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 3: *
1.1 dugsong 4: * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
5: */
1.7 stevesk 6: /*
7: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: *
18: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28: */
1.1 dugsong 29:
30: #include "includes.h"
1.6 stevesk 31:
1.1 dugsong 32: #include "ssh.h"
33: #include "ssh1.h"
34: #include "packet.h"
35: #include "xmalloc.h"
36: #include "log.h"
37: #include "servconf.h"
38: #include "uidswap.h"
39: #include "auth.h"
40:
41: #ifdef KRB5
42: #include <krb5.h>
43:
44: extern ServerOptions options;
45:
/*
 * Lazily create the Kerberos context stored in the Authctxt.
 *
 * context: an Authctxt passed as void * (generic callback shape).
 *
 * Returns 0 when a context already exists or was just created, otherwise
 * the krb5_error_code reported by krb5_init_context().
 */
static int
krb5_init(void *context)
{
	Authctxt *authctxt = (Authctxt *)context;
	krb5_error_code ret;

	if (authctxt->krb5_ctx != NULL)
		return (0);

	ret = krb5_init_context(&authctxt->krb5_ctx);
	if (ret != 0)
		return (ret);

	/* Load the error-text tables so krb5_get_err_text() can be used later. */
	krb5_init_ets(authctxt->krb5_ctx);
	return (0);
}
60:
/*
 * Verify a user's Kerberos v5 password and, on success, leave a file
 * credential cache for the session in authctxt->krb5_fwd_ccache with its
 * name in authctxt->krb5_ticket_file.
 *
 * authctxt: server-side authentication context (pw and krb5_* members).
 * password: cleartext password supplied by the client.
 *
 * Returns 1 when the credentials verified and authctxt->valid is set,
 * 0 when they verified but the account is not valid or on failure, and
 * -1 on failure when options.kerberos_or_local_passwd is set so the caller
 * can fall back to local password checking. Every failure path releases
 * all Kerberos state through krb5_cleanup_proc().
 */
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
	krb5_error_code ret;
	krb5_ccache mcc = NULL;		/* scratch in-memory cache */

	/* Cache and principal handling runs with the user's own uid. */
	temporarily_use_uid(authctxt->pw);

	if ((ret = krb5_init(authctxt)) != 0)
		goto out;

	if ((ret = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
	    &authctxt->krb5_user)) != 0)
		goto out;

	if ((ret = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
	    &mcc)) != 0)
		goto out;

	if ((ret = krb5_cc_initialize(authctxt->krb5_ctx, mcc,
	    authctxt->krb5_user)) != 0)
		goto out;

	/*
	 * The verification itself runs with the server's privileges, not the
	 * user's; presumably because the non-zero fifth argument ("secure" in
	 * the Heimdal API) asks the library to check the obtained ticket
	 * against the local host keytab instead of trusting the KDC reply
	 * alone -- confirm against the library documentation.
	 */
	restore_uid();
	ret = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
	    mcc, password, 1, NULL);
	temporarily_use_uid(authctxt->pw);
	if (ret != 0)
		goto out;

	/* Copy the verified credentials into a file cache created as the user. */
	if ((ret = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
	    &authctxt->krb5_fwd_ccache)) != 0)
		goto out;

	ret = krb5_cc_copy_cache(authctxt->krb5_ctx, mcc,
	    authctxt->krb5_fwd_ccache);
	/* The scratch cache is finished with whether or not the copy worked. */
	krb5_cc_destroy(authctxt->krb5_ctx, mcc);
	mcc = NULL;
	if (ret != 0)
		goto out;

	/*
	 * Not a copy: the cast drops const from a name that appears to be
	 * owned by krb5_fwd_ccache, so it is only usable while that cache
	 * exists.
	 */
	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
	    authctxt->krb5_fwd_ccache);

out:
	restore_uid();

	if (ret == 0)
		return (authctxt->valid ? 1 : 0);

	if (mcc != NULL)
		krb5_cc_destroy(authctxt->krb5_ctx, mcc);

	/* No context means no error-text table to translate the code with. */
	if (authctxt->krb5_ctx != NULL)
		debug("Kerberos password authentication failed: %s",
		    krb5_get_err_text(authctxt->krb5_ctx, ret));
	else
		debug("Kerberos password authentication failed: %d", ret);

	krb5_cleanup_proc(authctxt);

	return (options.kerberos_or_local_passwd ? -1 : 0);
}
135:
/*
 * Release all Kerberos state held in the Authctxt: the forwarded file
 * credential cache (destroyed, which removes its file), the user principal
 * and finally the library context. Each member is reset to NULL so the
 * function is safe to call more than once.
 *
 * NOTE(review): authctxt->krb5_ticket_file, which auth_krb5_password()
 * takes from krb5_cc_get_name() on krb5_fwd_ccache, is not cleared here and
 * appears to reference storage owned by that cache; callers should not read
 * it after this returns -- confirm against the callers.
 */
void
krb5_cleanup_proc(Authctxt *authctxt)
{
	krb5_context ctx = authctxt->krb5_ctx;

	debug("krb5_cleanup_proc called");

	if (authctxt->krb5_fwd_ccache != NULL) {
		krb5_cc_destroy(ctx, authctxt->krb5_fwd_ccache);
		authctxt->krb5_fwd_ccache = NULL;
	}
	if (authctxt->krb5_user != NULL) {
		krb5_free_principal(ctx, authctxt->krb5_user);
		authctxt->krb5_user = NULL;
	}
	/* The context is freed last because the calls above still use it. */
	if (ctx != NULL) {
		krb5_free_context(ctx);
		authctxt->krb5_ctx = NULL;
	}
}
153:
154: #endif /* KRB5 */