Annotation of src/usr.bin/ssh/auth-krb5.c, Revision 1.22
1.22 ! markus 1: /* $OpenBSD: auth-krb5.c,v 1.21 2016/01/27 06:44:58 djm Exp $ */
1.1 dugsong 2: /*
3: * Kerberos v5 authentication and ticket-passing routines.
1.8 markus 4: *
1.21 djm 5: * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
1.1 dugsong 6: */
1.7 stevesk 7: /*
8: * Copyright (c) 2002 Daniel Kouril. All rights reserved.
9: *
10: * Redistribution and use in source and binary forms, with or without
11: * modification, are permitted provided that the following conditions
12: * are met:
13: * 1. Redistributions of source code must retain the above copyright
14: * notice, this list of conditions and the following disclaimer.
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in the
17: * documentation and/or other materials provided with the distribution.
18: *
19: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29: */
1.1 dugsong 30:
1.19 deraadt 31: #include <sys/types.h>
32: #include <pwd.h>
33: #include <stdarg.h>
1.6 stevesk 34:
1.19 deraadt 35: #include "xmalloc.h"
1.1 dugsong 36: #include "ssh.h"
37: #include "packet.h"
38: #include "log.h"
1.19 deraadt 39: #include "buffer.h"
1.1 dugsong 40: #include "servconf.h"
41: #include "uidswap.h"
1.19 deraadt 42: #include "key.h"
43: #include "hostfile.h"
1.1 dugsong 44: #include "auth.h"
45:
46: #ifdef KRB5
47: #include <krb5.h>
48:
49: extern ServerOptions options;
50:
51: static int
52: krb5_init(void *context)
53: {
54: Authctxt *authctxt = (Authctxt *)context;
55: krb5_error_code problem;
1.3 deraadt 56:
1.1 dugsong 57: if (authctxt->krb5_ctx == NULL) {
58: problem = krb5_init_context(&authctxt->krb5_ctx);
59: if (problem)
60: return (problem);
61: krb5_init_ets(authctxt->krb5_ctx);
62: }
63: return (0);
64: }
65:
66: int
67: auth_krb5_password(Authctxt *authctxt, const char *password)
68: {
69: krb5_error_code problem;
1.11 markus 70: krb5_ccache ccache = NULL;
1.20 djm 71: const char *errmsg;
1.3 deraadt 72:
1.1 dugsong 73: temporarily_use_uid(authctxt->pw);
1.3 deraadt 74:
1.1 dugsong 75: problem = krb5_init(authctxt);
76: if (problem)
77: goto out;
1.3 deraadt 78:
1.1 dugsong 79: problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
80: &authctxt->krb5_user);
81: if (problem)
82: goto out;
1.3 deraadt 83:
1.20 djm 84: problem = krb5_cc_new_unique(authctxt->krb5_ctx,
85: krb5_mcc_ops.prefix, NULL, &ccache);
1.1 dugsong 86: if (problem)
87: goto out;
1.3 deraadt 88:
1.15 djm 89: problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
1.11 markus 90: authctxt->krb5_user);
1.1 dugsong 91: if (problem)
92: goto out;
1.3 deraadt 93:
1.4 markus 94: restore_uid();
1.11 markus 95:
1.1 dugsong 96: problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
1.11 markus 97: ccache, password, 1, NULL);
98:
1.4 markus 99: temporarily_use_uid(authctxt->pw);
100:
1.1 dugsong 101: if (problem)
102: goto out;
1.3 deraadt 103:
1.20 djm 104: problem = krb5_cc_new_unique(authctxt->krb5_ctx,
105: krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
1.11 markus 106: if (problem)
107: goto out;
108:
109: problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
110: authctxt->krb5_fwd_ccache);
111: krb5_cc_destroy(authctxt->krb5_ctx, ccache);
112: ccache = NULL;
113: if (problem)
114: goto out;
115:
1.12 markus 116: authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
117: authctxt->krb5_fwd_ccache);
1.3 deraadt 118:
1.1 dugsong 119: out:
120: restore_uid();
1.3 deraadt 121:
1.1 dugsong 122: if (problem) {
1.11 markus 123: if (ccache)
124: krb5_cc_destroy(authctxt->krb5_ctx, ccache);
125:
1.20 djm 126: if (authctxt->krb5_ctx != NULL) {
127: errmsg = krb5_get_error_message(authctxt->krb5_ctx,
128: problem);
1.5 markus 129: debug("Kerberos password authentication failed: %s",
1.20 djm 130: errmsg);
131: krb5_free_error_message(authctxt->krb5_ctx, errmsg);
132: } else
1.5 markus 133: debug("Kerberos password authentication failed: %d",
134: problem);
1.3 deraadt 135:
1.1 dugsong 136: krb5_cleanup_proc(authctxt);
1.3 deraadt 137:
1.1 dugsong 138: if (options.kerberos_or_local_passwd)
139: return (-1);
140: else
141: return (0);
142: }
1.16 dtucker 143: return (authctxt->valid ? 1 : 0);
1.1 dugsong 144: }
145:
146: void
1.13 markus 147: krb5_cleanup_proc(Authctxt *authctxt)
1.1 dugsong 148: {
149: debug("krb5_cleanup_proc called");
150: if (authctxt->krb5_fwd_ccache) {
151: krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
152: authctxt->krb5_fwd_ccache = NULL;
153: }
154: if (authctxt->krb5_user) {
155: krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
156: authctxt->krb5_user = NULL;
157: }
158: if (authctxt->krb5_ctx) {
159: krb5_free_context(authctxt->krb5_ctx);
160: authctxt->krb5_ctx = NULL;
161: }
162: }
163:
164: #endif /* KRB5 */