Blame - auth-krb5.c - platform/external/openssh

blob: 512f70b7861221f3018d67c0313ff7848dc58399 [file] [log] [blame]

Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	1	/*
				2	* Kerberos v5 authentication and ticket-passing routines.
Ben Lindstrom	6328ab3	2002-03-22 02:54:23 +0000	[diff] [blame]	3	*
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	4	* $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	5	*/
Ben Lindstrom	eacc71b	2002-03-22 01:22:27 +0000	[diff] [blame]	6	/*
				7	* Copyright (c) 2002 Daniel Kouril. All rights reserved.
				8	*
				9	* Redistribution and use in source and binary forms, with or without
				10	* modification, are permitted provided that the following conditions
				11	* are met:
				12	* 1. Redistributions of source code must retain the above copyright
				13	* notice, this list of conditions and the following disclaimer.
				14	* 2. Redistributions in binary form must reproduce the above copyright
				15	* notice, this list of conditions and the following disclaimer in the
				16	* documentation and/or other materials provided with the distribution.
				17	*
				18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				28	*/
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	29
				30	#include "includes.h"
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	31	RCSID("$OpenBSD: auth-krb5.c,v 1.9 2002/09/09 06:48:06 itojun Exp $");
Ben Lindstrom	05764b9	2002-03-05 01:53:02 +0000	[diff] [blame]	32
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	33	#include "ssh.h"
				34	#include "ssh1.h"
				35	#include "packet.h"
				36	#include "xmalloc.h"
				37	#include "log.h"
				38	#include "servconf.h"
				39	#include "uidswap.h"
				40	#include "auth.h"
				41
				42	#ifdef KRB5
				43	#include <krb5.h>
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	44	#ifndef HEIMDAL
				45	#define krb5_get_err_text(context,code) error_message(code)
				46	#endif /* !HEIMDAL */
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	47
				48	extern ServerOptions options;
				49
				50	static int
				51	krb5_init(void *context)
				52	{
				53	Authctxt authctxt = (Authctxt )context;
				54	krb5_error_code problem;
				55	static int cleanup_registered = 0;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	56
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	57	if (authctxt->krb5_ctx == NULL) {
				58	problem = krb5_init_context(&authctxt->krb5_ctx);
				59	if (problem)
				60	return (problem);
				61	krb5_init_ets(authctxt->krb5_ctx);
				62	}
				63	if (!cleanup_registered) {
				64	fatal_add_cleanup(krb5_cleanup_proc, authctxt);
				65	cleanup_registered = 1;
				66	}
				67	return (0);
				68	}
				69
				70	/*
				71	* Try krb5 authentication. server_user is passed for logging purposes
				72	* only, in auth is received ticket, in client is returned principal
				73	* from the ticket
				74	*/
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	75	int
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	76	auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data reply)
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	77	{
				78	krb5_error_code problem;
				79	krb5_principal server;
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	80	krb5_ticket *ticket;
Damien Miller	61b05cf	2001-11-14 00:02:10 +1100	[diff] [blame]	81	int fd, ret;
				82
				83	ret = 0;
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	84	server = NULL;
				85	ticket = NULL;
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	86	reply->length = 0;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	87
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	88	problem = krb5_init(authctxt);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	89	if (problem)
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	90	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	91
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	92	problem = krb5_auth_con_init(authctxt->krb5_ctx,
				93	&authctxt->krb5_auth_ctx);
				94	if (problem)
				95	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	96
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	97	fd = packet_get_connection_in();
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	98	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	99	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
				100	authctxt->krb5_auth_ctx, &fd);
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	101	#else
				102	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
				103	authctxt->krb5_auth_ctx,fd,
				104	KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR \|
				105	KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
				106	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	107	if (problem)
				108	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	109
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	110	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL ,
				111	KRB5_NT_SRV_HST, &server);
				112	if (problem)
				113	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	114
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	115	problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
				116	auth, server, NULL, NULL, &ticket);
				117	if (problem)
				118	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	119
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	120	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	121	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
				122	&authctxt->krb5_user);
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	123	#else
				124	problem = krb5_copy_principal(authctxt->krb5_ctx,
				125	ticket->enc_part2->client,
				126	&authctxt->krb5_user);
				127	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	128	if (problem)
				129	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	130
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	131	/* if client wants mutual auth */
				132	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	133	reply);
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	134	if (problem)
				135	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	136
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	137	/* Check .k5login authorization now. */
				138	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
				139	authctxt->pw->pw_name))
				140	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	141
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	142	if (client)
				143	krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
				144	client);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	145
Damien Miller	61b05cf	2001-11-14 00:02:10 +1100	[diff] [blame]	146	ret = 1;
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	147	err:
				148	if (server)
				149	krb5_free_principal(authctxt->krb5_ctx, server);
				150	if (ticket)
				151	krb5_free_ticket(authctxt->krb5_ctx, ticket);
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	152	if (!ret && reply->length) {
				153	xfree(reply->data);
				154	memset(reply, 0, sizeof(*reply));
				155	}
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	156
Ben Lindstrom	b855028	2002-02-26 17:46:11 +0000	[diff] [blame]	157	if (problem) {
				158	if (authctxt->krb5_ctx != NULL)
				159	debug("Kerberos v5 authentication failed: %s",
				160	krb5_get_err_text(authctxt->krb5_ctx, problem));
				161	else
				162	debug("Kerberos v5 authentication failed: %d",
				163	problem);
				164	}
Damien Miller	61b05cf	2001-11-14 00:02:10 +1100	[diff] [blame]	165
				166	return (ret);
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	167	}
				168
				169	int
				170	auth_krb5_tgt(Authctxt authctxt, krb5_data tgt)
				171	{
				172	krb5_error_code problem;
				173	krb5_ccache ccache = NULL;
				174	char *pname;
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	175	krb5_creds **creds;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	176
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	177	if (authctxt->pw == NULL \|\| authctxt->krb5_user == NULL)
				178	return (0);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	179
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	180	temporarily_use_uid(authctxt->pw);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	181
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	182	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	183	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	184	#else
				185	{
				186	char ccname[40];
				187	int tmpfd;
				188
				189	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
				190
				191	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
				192	log("mkstemp(): %.100s", strerror(errno));
				193	problem = errno;
				194	goto fail;
				195	}
				196	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
				197	log("fchmod(): %.100s", strerror(errno));
				198	close(tmpfd);
				199	problem = errno;
				200	goto fail;
				201	}
				202	close(tmpfd);
				203	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
				204	}
				205	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	206	if (problem)
				207	goto fail;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	208
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	209	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
				210	authctxt->krb5_user);
				211	if (problem)
				212	goto fail;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	213
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	214	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	215	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
				216	ccache, tgt);
				217	if (problem)
				218	goto fail;
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	219	#else
				220	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
				221	tgt, &creds, NULL);
				222	if (problem)
				223	goto fail;
				224	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
				225	if (problem)
				226	goto fail;
				227	#endif
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	228
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	229	authctxt->krb5_fwd_ccache = ccache;
				230	ccache = NULL;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	231
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	232	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	233
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	234	problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
				235	&pname);
				236	if (problem)
				237	goto fail;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	238
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	239	debug("Kerberos v5 TGT accepted (%s)", pname);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	240
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	241	restore_uid();
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	242
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	243	return (1);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	244
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	245	fail:
				246	if (problem)
				247	debug("Kerberos v5 TGT passing failed: %s",
				248	krb5_get_err_text(authctxt->krb5_ctx, problem));
				249	if (ccache)
				250	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	251
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	252	restore_uid();
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	253
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	254	return (0);
				255	}
				256
				257	int
				258	auth_krb5_password(Authctxt authctxt, const char password)
				259	{
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	260	#ifndef HEIMDAL
				261	krb5_creds creds;
				262	krb5_principal server;
				263	char ccname[40];
				264	int tmpfd;
				265	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	266	krb5_error_code problem;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	267
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	268	if (authctxt->pw == NULL)
				269	return (0);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	270
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	271	temporarily_use_uid(authctxt->pw);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	272
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	273	problem = krb5_init(authctxt);
				274	if (problem)
				275	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	276
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	277	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
				278	&authctxt->krb5_user);
				279	if (problem)
				280	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	281
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	282	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	283	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
				284	&authctxt->krb5_fwd_ccache);
				285	if (problem)
				286	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	287
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	288	problem = krb5_cc_initialize(authctxt->krb5_ctx,
				289	authctxt->krb5_fwd_ccache, authctxt->krb5_user);
				290	if (problem)
				291	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	292
				293	restore_uid();
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	294	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
				295	authctxt->krb5_fwd_ccache, password, 1, NULL);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	296	temporarily_use_uid(authctxt->pw);
				297
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	298	if (problem)
				299	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	300
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	301	#else
				302	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
				303	authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
				304	if (problem)
				305	goto out;
				306
				307	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
				308	KRB5_NT_SRV_HST, &server);
				309	if (problem)
				310	goto out;
				311
				312	restore_uid();
				313	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
				314	NULL, NULL, NULL);
				315	krb5_free_principal(authctxt->krb5_ctx, server);
				316	temporarily_use_uid(authctxt->pw);
				317	if (problem)
				318	goto out;
				319
				320	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
				321	authctxt->pw->pw_name)) {
Ben Lindstrom	5a6abda	2002-06-09 19:41:48 +0000	[diff] [blame]	322	problem = -1;
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	323	goto out;
				324	}
				325
				326	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
				327
				328	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
				329	log("mkstemp(): %.100s", strerror(errno));
				330	problem = errno;
				331	goto out;
				332	}
				333
				334	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
				335	log("fchmod(): %.100s", strerror(errno));
				336	close(tmpfd);
				337	problem = errno;
				338	goto out;
				339	}
				340	close(tmpfd);
				341
				342	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
				343	if (problem)
				344	goto out;
				345
				346	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
				347	authctxt->krb5_user);
				348	if (problem)
				349	goto out;
				350
				351	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
				352	&creds);
				353	if (problem)
				354	goto out;
				355	#endif
				356
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	357	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	358
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	359	out:
				360	restore_uid();
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	361
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	362	if (problem) {
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	363	if (authctxt->krb5_ctx != NULL && problem!=-1)
Ben Lindstrom	b855028	2002-02-26 17:46:11 +0000	[diff] [blame]	364	debug("Kerberos password authentication failed: %s",
				365	krb5_get_err_text(authctxt->krb5_ctx, problem));
				366	else
				367	debug("Kerberos password authentication failed: %d",
				368	problem);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	369
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	370	krb5_cleanup_proc(authctxt);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	371
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	372	if (options.kerberos_or_local_passwd)
				373	return (-1);
				374	else
				375	return (0);
				376	}
				377	return (1);
				378	}
				379
				380	void
				381	krb5_cleanup_proc(void *context)
				382	{
				383	Authctxt authctxt = (Authctxt )context;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	384
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	385	debug("krb5_cleanup_proc called");
				386	if (authctxt->krb5_fwd_ccache) {
				387	krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
				388	authctxt->krb5_fwd_ccache = NULL;
				389	}
				390	if (authctxt->krb5_user) {
				391	krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
				392	authctxt->krb5_user = NULL;
				393	}
				394	if (authctxt->krb5_auth_ctx) {
				395	krb5_auth_con_free(authctxt->krb5_ctx,
				396	authctxt->krb5_auth_ctx);
				397	authctxt->krb5_auth_ctx = NULL;
				398	}
				399	if (authctxt->krb5_ctx) {
				400	krb5_free_context(authctxt->krb5_ctx);
				401	authctxt->krb5_ctx = NULL;
				402	}
				403	}
				404
				405	#endif /* KRB5 */