Annotation of src/usr.bin/ssh/auth-krb5.c, Revision 1.21
1.21 ! djm 1: /* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
1.1 dugsong 2: /*
3: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 4: *
1.21 ! djm 5: * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
1.1 dugsong 6: */
1.7 stevesk 7: /*
8: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
9: *
10: * Redistribution and use in source and binary forms, with or without
11: * modification, are permitted provided that the following conditions
12: * are met:
13: * 1. Redistributions of source code must retain the above copyright
14: * notice, this list of conditions and the following disclaimer.
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in the
17: * documentation and/or other materials provided with the distribution.
18: *
19: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29: */
1.1 dugsong 30:
1.19 deraadt 31: #include <sys/types.h>
32: #include <pwd.h>
33: #include <stdarg.h>
1.6 stevesk 34:
1.19 deraadt 35: #include "xmalloc.h"
1.1 dugsong 36: #include "ssh.h"
37: #include "ssh1.h"
38: #include "packet.h"
39: #include "log.h"
1.19 deraadt 40: #include "buffer.h"
1.1 dugsong 41: #include "servconf.h"
42: #include "uidswap.h"
1.19 deraadt 43: #include "key.h"
44: #include "hostfile.h"
1.1 dugsong 45: #include "auth.h"
46:
47: #ifdef KRB5
48: #include <krb5.h>
49:
50: extern ServerOptions options;
51:
/*
 * Lazily create the Kerberos library context for this authentication
 * context.  The context is created at most once; later calls are no-ops.
 *
 * Returns 0 on success, otherwise the krb5_error_code reported by
 * krb5_init_context().
 */
static int
krb5_init(void *context)
{
	Authctxt *ac = (Authctxt *)context;
	krb5_error_code ret;

	/* An earlier call already set the context up; nothing to do. */
	if (ac->krb5_ctx != NULL)
		return (0);

	ret = krb5_init_context(&ac->krb5_ctx);
	if (ret != 0)
		return (ret);
	krb5_init_ets(ac->krb5_ctx);
	return (0);
}
66:
/*
 * Verify a password against the KDC for the account in authctxt->pw and,
 * on success, leave a FILE credential cache holding the user's TGT in
 * authctxt->krb5_fwd_ccache with its name in authctxt->krb5_ticket_file
 * (so the session can hand it to the user via KRB5CCNAME).
 *
 * Privilege handling: all credential-cache creation runs under the target
 * user's uid (temporarily_use_uid), so the on-disk cache ends up owned by
 * that user; only the krb5_verify_user() call itself runs with sshd's
 * privileges restored (presumably because the secure verification needs
 * to read the host keytab -- confirm against the Heimdal build in use).
 *
 * Return values:
 *    1  password verified and the local account is valid
 *    0  authentication failed
 *   -1  authentication failed and KerberosOrLocalPasswd is set, which the
 *       caller uses to fall back to ordinary password authentication
 */
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
	krb5_error_code problem;
	krb5_ccache ccache = NULL;	/* temporary MEMORY cache, never hits disk */
	const char *errmsg;

	/* Drop to the target user for everything that touches caches. */
	temporarily_use_uid(authctxt->pw);

	problem = krb5_init(authctxt);
	if (problem)
		goto out;

	/* Principal is derived from the local account name (default realm). */
	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
	    &authctxt->krb5_user);
	if (problem)
		goto out;

	/*
	 * Obtain the TGT into an in-memory cache first.  A failed attempt
	 * therefore never leaves a file behind; the FILE cache below is
	 * only created after the password has been verified.
	 */
	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
	    krb5_mcc_ops.prefix, NULL, &ccache);
	if (problem)
		goto out;

	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_user);
	if (problem)
		goto out;

	/* Back to sshd's own privileges for the verification step only. */
	restore_uid();

	/*
	 * secure=1 (Heimdal krb5_verify_user) makes the library check the
	 * obtained TGT against the host's own key from the keytab, so a
	 * spoofed KDC handing out a bogus ticket cannot authenticate the
	 * user.  Do not change this flag to 0: it turns the check into a
	 * plain "KDC said yes", which is not a safe password verifier.
	 */
	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
	    ccache, password, 1, NULL);

	/* Re-drop privileges before touching the user's cache again. */
	temporarily_use_uid(authctxt->pw);

	if (problem)
		goto out;

	/*
	 * Password verified: materialise the credentials as a FILE cache
	 * (created as the user, see above) that outlives this call.
	 */
	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
	    krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
	if (problem)
		goto out;

	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_fwd_ccache);
	/* The memory cache is no longer needed whether or not the copy worked. */
	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
	ccache = NULL;
	if (problem)
		goto out;

	/*
	 * NOTE: krb5_cc_get_name() returns storage owned by the cache
	 * object, so krb5_ticket_file is an alias into krb5_fwd_ccache and
	 * is only valid until that cache is destroyed (krb5_cleanup_proc).
	 * The cast merely discards the const the library returns.
	 */
	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
	    authctxt->krb5_fwd_ccache);

 out:
	/* Every path that reaches here is running as the target user. */
	restore_uid();

	if (problem) {
		/* Only set if we failed before the copy/destroy above. */
		if (ccache)
			krb5_cc_destroy(authctxt->krb5_ctx, ccache);

		/* Without a context there is no way to render the error text. */
		if (authctxt->krb5_ctx != NULL) {
			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
			    problem);
			debug("Kerberos password authentication failed: %s",
			    errmsg);
			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
		} else
			debug("Kerberos password authentication failed: %d",
			    problem);

		/* Tears down krb5_fwd_ccache, krb5_user and krb5_ctx. */
		krb5_cleanup_proc(authctxt);

		/* -1 lets the caller try the local password database instead. */
		if (options.kerberos_or_local_passwd)
			return (-1);
		else
			return (0);
	}
	/*
	 * A valid Kerberos password is not enough on its own: the account
	 * must also be a usable local one, otherwise report failure.
	 */
	return (authctxt->valid ? 1 : 0);
}
146:
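/*
 * Release every piece of Kerberos state held in the auth context: the
 * forwarded credential cache (this also removes the on-disk file), the
 * user principal and the library context.  Each field is reset after it
 * is freed, so the function is safe to call repeatedly and on a context
 * in which nothing was ever set up.
 *
 * Also clears krb5_ticket_file: it was taken from krb5_cc_get_name() on
 * krb5_fwd_ccache and points into storage owned by that cache, so once
 * the cache is destroyed the pointer would otherwise dangle.
 */
void
krb5_cleanup_proc(Authctxt *authctxt)
{
	debug("krb5_cleanup_proc called");
	if (authctxt->krb5_fwd_ccache) {
		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
		authctxt->krb5_fwd_ccache = NULL;
		/* Drop the alias into the cache we just destroyed. */
		authctxt->krb5_ticket_file = NULL;
	}
	if (authctxt->krb5_user) {
		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
		authctxt->krb5_user = NULL;
	}
	if (authctxt->krb5_ctx) {
		krb5_free_context(authctxt->krb5_ctx);
		authctxt->krb5_ctx = NULL;
	}
}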
164:
165: #endif /* KRB5 */