
Annotation of src/usr.bin/ssh/gss-serv-krb5.c, Revision 1.1

1.1     ! markus      1: /*     $OpenBSD$       */
        !             2:
        !             3: /*
        !             4:  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
        !             5:  *
        !             6:  * Redistribution and use in source and binary forms, with or without
        !             7:  * modification, are permitted provided that the following conditions
        !             8:  * are met:
        !             9:  * 1. Redistributions of source code must retain the above copyright
        !            10:  *    notice, this list of conditions and the following disclaimer.
        !            11:  * 2. Redistributions in binary form must reproduce the above copyright
        !            12:  *    notice, this list of conditions and the following disclaimer in the
        !            13:  *    documentation and/or other materials provided with the distribution.
        !            14:  *
        !            15:  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
        !            16:  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
        !            17:  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
        !            18:  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
        !            19:  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
        !            20:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
        !            21:  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
        !            22:  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
        !            23:  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
        !            24:  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
        !            25:  */
        !            26:
        !            27: #include "includes.h"
        !            28:
        !            29: #ifdef GSSAPI
        !            30: #ifdef KRB5
        !            31:
        !            32: #include "auth.h"
        !            33: #include "xmalloc.h"
        !            34: #include "log.h"
        !            35: #include "servconf.h"
        !            36:
        !            37: #include "ssh-gss.h"
        !            38:
extern ServerOptions options;	/* sshd configuration (servconf.h); not referenced in the code shown here */

#include <krb5.h>

/*
 * Process-wide Kerberos context shared by the helpers below.  Created on
 * first use by ssh_gssapi_krb5_init(); there is no krb5_free_context()
 * call in this file, so it lives for the rest of the process.
 */
static krb5_context krb_context = NULL;
        !            44:
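/*
 * Initialise the krb5 library, for the stuff that GSSAPI won't do.
 *
 * Lazily creates the file-scope krb_context on the first call; later
 * calls are no-ops.  Returns 1 when a context is available and 0 when
 * krb5_init_context() failed (the failure is logged and krb_context must
 * not be used).
 */
static int
ssh_gssapi_krb5_init(void)
{
	krb5_error_code problem;

	/* Already initialised by an earlier call. */
	if (krb_context != NULL)
		return 1;

	problem = krb5_init_context(&krb_context);
	if (problem != 0) {
		logit("Cannot initialize krb5 context");
		return 0;
	}
	/* Load krb5's error tables (com_err) so krb5_get_err_text() can resolve codes. */
	krb5_init_ets(krb_context);

	return 1;
}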
        !            64:
/*
 * Check if this user is OK to login.  This only works with krb5 - other
 * GSSAPI mechanisms will need their own.
 *
 * client->exportedname.value is parsed as a krb5 principal and handed to
 * krb5_kuserok() together with the local account `name', which applies
 * the local authorization policy (typically the user's ~/.k5login).
 * Authentication of the principal itself is assumed to have been
 * completed by the GSSAPI exchange before this is called.
 *
 * Returns 1 if the user is OK to log in, otherwise 0.  A principal that
 * cannot be parsed is logged and treated as a denial.
 */
static int
ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
{
	krb5_principal princ;
	krb5_error_code err;
	int authorized = 0;

	if (!ssh_gssapi_krb5_init())
		return 0;

	err = krb5_parse_name(krb_context, client->exportedname.value, &princ);
	if (err != 0) {
		logit("krb5_parse_name(): %.100s",
		    krb5_get_err_text(krb_context, err));
		return 0;
	}

	/* Only a positive decision is logged; denials are silent here. */
	if (krb5_kuserok(krb_context, princ, name) != 0) {
		authorized = 1;
		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
		    name, (char *)client->displayname.value);
	}

	krb5_free_principal(krb_context, princ);
	return authorized;
}
        !            95:
        !            96:
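/*
 * This writes out any forwarded credentials from the structure populated
 * during userauth.  Called after we have setuid to the user, so the
 * credential cache file is created under the user's own uid.
 *
 * On success client->store is filled in: filename is the path of the new
 * FILE: cache, and envvar/envval give the KRB5CCNAME setting the user's
 * session needs to find it (both strings are xstrdup()ed; nothing here
 * frees them).  Every failure is logged, the partially created cache is
 * removed with krb5_cc_destroy(), and client->store is left untouched.
 */
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
	krb5_ccache ccache;
	krb5_error_code problem;
	krb5_principal princ;
	OM_uint32 maj_status, min_status;

	if (client->creds == NULL) {
		debug("No credentials stored");
		return;
	}

	if (ssh_gssapi_krb5_init() == 0)
		return;

	/* A new, uniquely named file-based cache (krb5_fcc_ops). */
	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
		logit("krb5_cc_gen_new(): %.100s",
		    krb5_get_err_text(krb_context, problem));
		return;
	}

	if ((problem = krb5_parse_name(krb_context,
	    client->exportedname.value, &princ))) {
		logit("krb5_parse_name(): %.100s",
		    krb5_get_err_text(krb_context, problem));
		goto destroy;
	}

	/*
	 * The cache must be initialised for the principal before credentials
	 * can be copied in; the principal is not needed after this point.
	 */
	problem = krb5_cc_initialize(krb_context, ccache, princ);
	krb5_free_principal(krb_context, princ);
	if (problem) {
		logit("krb5_cc_initialize(): %.100s",
		    krb5_get_err_text(krb_context, problem));
		goto destroy;
	}

	/* GSS_S_COMPLETE is 0, so any non-zero major status is a failure. */
	if ((maj_status = gss_krb5_copy_ccache(&min_status,
	    client->creds, ccache))) {
		logit("gss_krb5_copy_ccache() failed");
		goto destroy;
	}

	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
	client->store.envvar = "KRB5CCNAME";
	client->store.envval = xstrdup(client->store.filename);

	/* Keep the cache file; only the handle is released. */
	krb5_cc_close(krb_context, ccache);
	return;

destroy:
	/* Failure: remove the cache file as well as releasing the handle. */
	krb5_cc_destroy(krb_context, ccache);
}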
        !           155:
/*
 * Mechanism descriptor handed to the generic GSSAPI server code
 * (ssh_gssapi_mech presumably comes from ssh-gss.h).  The initialiser is
 * positional, so the per-field notes below are inferred from the values
 * rather than from the struct definition — confirm against ssh-gss.h.
 */
ssh_gssapi_mech gssapi_kerberos_mech = {
	"toWM5Slw5Ew8Mqkay+al2g==",	/* 16 decoded bytes: presumably base64(MD5(DER OID)), the suffix RFC 4462 uses in gss-* kex method names — confirm */
	"Kerberos",			/* human-readable mechanism name */
	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},	/* DER-encoded OID 1.2.840.113554.1.2.2: Kerberos V5 GSS-API mechanism (RFC 1964) */
	NULL,				/* no callback provided for this slot */
	&ssh_gssapi_krb5_userok,	/* authorization of the principal for a local account */
	NULL,				/* no callback provided for this slot */
	&ssh_gssapi_krb5_storecreds	/* writes forwarded credentials after setuid */
};
        !           165:
        !           166: #endif /* KRB5 */
        !           167:
        !           168: #endif /* GSSAPI */