Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 85221b281886467c0a647a78b5b744ebc89057ea / . / auth-krb5.c
blob: bf24120800989b02ef11e211fefe8766fdcf5c92 [file] [log] [blame]
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]1/*
2 * Kerberos v5 authentication and ticket-passing routines.
3 *
4 * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]5 * $OpenBSD: auth-krb5.c,v 1.4 2002/01/27 15:12:09 markus Exp $
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]6 */
7
8#include "includes.h"
9#include "ssh.h"
10#include "ssh1.h"
11#include "packet.h"
12#include "xmalloc.h"
13#include "log.h"
14#include "servconf.h"
15#include "uidswap.h"
16#include "auth.h"
17
18#ifdef KRB5
19#include <krb5.h>
20
21extern ServerOptions options;
22
23static int
24krb5_init(void *context)
25{
26 Authctxt *authctxt = (Authctxt *)context;
27 krb5_error_code problem;
28 static int cleanup_registered = 0;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]29
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]30 if (authctxt->krb5_ctx == NULL) {
31 problem = krb5_init_context(&authctxt->krb5_ctx);
32 if (problem)
33 return (problem);
34 krb5_init_ets(authctxt->krb5_ctx);
35 }
36 if (!cleanup_registered) {
37 fatal_add_cleanup(krb5_cleanup_proc, authctxt);
38 cleanup_registered = 1;
39 }
40 return (0);
41}
42
43/*
44 * Try krb5 authentication. server_user is passed for logging purposes
45 * only, in auth is received ticket, in client is returned principal
46 * from the ticket
47 */
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]48int
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]49auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
50{
51 krb5_error_code problem;
52 krb5_principal server;
53 krb5_data reply;
54 krb5_ticket *ticket;
Damien Miller61b05cf2001-11-14 00:02:10 +1100[diff] [blame]55 int fd, ret;
56
57 ret = 0;
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]58 server = NULL;
59 ticket = NULL;
60 reply.length = 0;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]61
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]62 problem = krb5_init(authctxt);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]63 if (problem)
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]64 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]65
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]66 problem = krb5_auth_con_init(authctxt->krb5_ctx,
67 &authctxt->krb5_auth_ctx);
68 if (problem)
69 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]70
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]71 fd = packet_get_connection_in();
72 problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
73 authctxt->krb5_auth_ctx, &fd);
74 if (problem)
75 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]76
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]77 problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL ,
78 KRB5_NT_SRV_HST, &server);
79 if (problem)
80 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]81
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]82 problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
83 auth, server, NULL, NULL, &ticket);
84 if (problem)
85 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]86
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]87 problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
88 &authctxt->krb5_user);
89 if (problem)
90 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]91
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]92 /* if client wants mutual auth */
93 problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
94 &reply);
95 if (problem)
96 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]97
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]98 /* Check .k5login authorization now. */
99 if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
100 authctxt->pw->pw_name))
101 goto err;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]102
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]103 if (client)
104 krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
105 client);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]106
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]107 packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
108 packet_put_string((char *) reply.data, reply.length);
109 packet_send();
110 packet_write_wait();
Damien Miller61b05cf2001-11-14 00:02:10 +1100[diff] [blame]111
112 ret = 1;
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]113 err:
114 if (server)
115 krb5_free_principal(authctxt->krb5_ctx, server);
116 if (ticket)
117 krb5_free_ticket(authctxt->krb5_ctx, ticket);
118 if (reply.length)
119 xfree(reply.data);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]120
Damien Miller61b05cf2001-11-14 00:02:10 +1100[diff] [blame]121 if (problem)
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]122 debug("Kerberos v5 authentication failed: %s",
123 krb5_get_err_text(authctxt->krb5_ctx, problem));
Damien Miller61b05cf2001-11-14 00:02:10 +1100[diff] [blame]124
125 return (ret);
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]126}
127
128int
129auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
130{
131 krb5_error_code problem;
132 krb5_ccache ccache = NULL;
133 char *pname;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]134
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]135 if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
136 return (0);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]137
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]138 temporarily_use_uid(authctxt->pw);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]139
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]140 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
141 if (problem)
142 goto fail;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]143
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]144 problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
145 authctxt->krb5_user);
146 if (problem)
147 goto fail;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]148
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]149 problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
150 ccache, tgt);
151 if (problem)
152 goto fail;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]153
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]154 authctxt->krb5_fwd_ccache = ccache;
155 ccache = NULL;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]156
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]157 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]158
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]159 problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
160 &pname);
161 if (problem)
162 goto fail;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]163
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]164 debug("Kerberos v5 TGT accepted (%s)", pname);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]165
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]166 restore_uid();
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]167
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]168 return (1);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]169
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]170 fail:
171 if (problem)
172 debug("Kerberos v5 TGT passing failed: %s",
173 krb5_get_err_text(authctxt->krb5_ctx, problem));
174 if (ccache)
175 krb5_cc_destroy(authctxt->krb5_ctx, ccache);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]176
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]177 restore_uid();
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]178
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]179 return (0);
180}
181
182int
183auth_krb5_password(Authctxt *authctxt, const char *password)
184{
185 krb5_error_code problem;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]186
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]187 if (authctxt->pw == NULL)
188 return (0);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]189
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]190 temporarily_use_uid(authctxt->pw);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]191
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]192 problem = krb5_init(authctxt);
193 if (problem)
194 goto out;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]195
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]196 problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
197 &authctxt->krb5_user);
198 if (problem)
199 goto out;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]200
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]201 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
202 &authctxt->krb5_fwd_ccache);
203 if (problem)
204 goto out;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]205
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]206 problem = krb5_cc_initialize(authctxt->krb5_ctx,
207 authctxt->krb5_fwd_ccache, authctxt->krb5_user);
208 if (problem)
209 goto out;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]210
211 restore_uid();
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]212 problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
213 authctxt->krb5_fwd_ccache, password, 1, NULL);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]214 temporarily_use_uid(authctxt->pw);
215
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]216 if (problem)
217 goto out;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]218
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]219 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]220
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]221 out:
222 restore_uid();
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]223
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]224 if (problem) {
225 debug("Kerberos password authentication failed: %s",
226 krb5_get_err_text(authctxt->krb5_ctx, problem));
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]227
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]228 krb5_cleanup_proc(authctxt);
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]229
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]230 if (options.kerberos_or_local_passwd)
231 return (-1);
232 else
233 return (0);
234 }
235 return (1);
236}
237
238void
239krb5_cleanup_proc(void *context)
240{
241 Authctxt *authctxt = (Authctxt *)context;
Damien Millerdb95e4e2002-02-13 16:56:44 +1100[diff] [blame]242
Damien Miller964fed52001-09-25 12:58:23 +1000[diff] [blame]243 debug("krb5_cleanup_proc called");
244 if (authctxt->krb5_fwd_ccache) {
245 krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
246 authctxt->krb5_fwd_ccache = NULL;
247 }
248 if (authctxt->krb5_user) {
249 krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
250 authctxt->krb5_user = NULL;
251 }
252 if (authctxt->krb5_auth_ctx) {
253 krb5_auth_con_free(authctxt->krb5_ctx,
254 authctxt->krb5_auth_ctx);
255 authctxt->krb5_auth_ctx = NULL;
256 }
257 if (authctxt->krb5_ctx) {
258 krb5_free_context(authctxt->krb5_ctx);
259 authctxt->krb5_ctx = NULL;
260 }
261}
262
263#endif /* KRB5 */