Blame - auth-krb5.c - platform/external/openssh

blob: b04c6649b128c62aaa954c777b7848d3e3438fd2 [file] [log] [blame]

Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	1	/*
				2	* Kerberos v5 authentication and ticket-passing routines.
Ben Lindstrom	6328ab3	2002-03-22 02:54:23 +0000	[diff] [blame]	3	*
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	4	* $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	5	*/
Ben Lindstrom	eacc71b	2002-03-22 01:22:27 +0000	[diff] [blame]	6	/*
				7	* Copyright (c) 2002 Daniel Kouril. All rights reserved.
				8	*
				9	* Redistribution and use in source and binary forms, with or without
				10	* modification, are permitted provided that the following conditions
				11	* are met:
				12	* 1. Redistributions of source code must retain the above copyright
				13	* notice, this list of conditions and the following disclaimer.
				14	* 2. Redistributions in binary form must reproduce the above copyright
				15	* notice, this list of conditions and the following disclaimer in the
				16	* documentation and/or other materials provided with the distribution.
				17	*
				18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				19	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				20	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				21	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				22	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				23	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				24	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				25	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				26	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				27	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				28	*/
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	29
				30	#include "includes.h"
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	31	RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $");
Ben Lindstrom	05764b9	2002-03-05 01:53:02 +0000	[diff] [blame]	32
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	33	#include "ssh.h"
				34	#include "ssh1.h"
				35	#include "packet.h"
				36	#include "xmalloc.h"
				37	#include "log.h"
				38	#include "servconf.h"
				39	#include "uidswap.h"
				40	#include "auth.h"
				41
				42	#ifdef KRB5
Damien Miller	9c61769	2003-05-14 14:31:11 +1000	[diff] [blame]	43
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	44	#include <krb5.h>
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	45	#ifndef HEIMDAL
				46	#define krb5_get_err_text(context,code) error_message(code)
				47	#endif /* !HEIMDAL */
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	48
				49	extern ServerOptions options;
				50
				51	static int
				52	krb5_init(void *context)
				53	{
				54	Authctxt authctxt = (Authctxt )context;
				55	krb5_error_code problem;
				56	static int cleanup_registered = 0;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	57
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	58	if (authctxt->krb5_ctx == NULL) {
				59	problem = krb5_init_context(&authctxt->krb5_ctx);
				60	if (problem)
				61	return (problem);
				62	krb5_init_ets(authctxt->krb5_ctx);
				63	}
				64	if (!cleanup_registered) {
				65	fatal_add_cleanup(krb5_cleanup_proc, authctxt);
				66	cleanup_registered = 1;
				67	}
				68	return (0);
				69	}
				70
				71	/*
				72	* Try krb5 authentication. server_user is passed for logging purposes
				73	* only, in auth is received ticket, in client is returned principal
				74	* from the ticket
				75	*/
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	76	int
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	77	auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data reply)
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	78	{
				79	krb5_error_code problem;
				80	krb5_principal server;
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	81	krb5_ticket *ticket;
Damien Miller	61b05cf	2001-11-14 00:02:10 +1100	[diff] [blame]	82	int fd, ret;
				83
				84	ret = 0;
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	85	server = NULL;
				86	ticket = NULL;
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	87	reply->length = 0;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	88
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	89	problem = krb5_init(authctxt);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	90	if (problem)
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	91	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	92
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	93	problem = krb5_auth_con_init(authctxt->krb5_ctx,
				94	&authctxt->krb5_auth_ctx);
				95	if (problem)
				96	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	97
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	98	fd = packet_get_connection_in();
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	99	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	100	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
				101	authctxt->krb5_auth_ctx, &fd);
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	102	#else
				103	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
				104	authctxt->krb5_auth_ctx,fd,
				105	KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR \|
				106	KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
				107	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	108	if (problem)
				109	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	110
Ben Lindstrom	93576d9	2002-12-23 02:06:19 +0000	[diff] [blame]	111	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	112	KRB5_NT_SRV_HST, &server);
				113	if (problem)
				114	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	115
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	116	problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
				117	auth, server, NULL, NULL, &ticket);
				118	if (problem)
				119	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	120
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	121	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	122	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
				123	&authctxt->krb5_user);
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	124	#else
				125	problem = krb5_copy_principal(authctxt->krb5_ctx,
				126	ticket->enc_part2->client,
				127	&authctxt->krb5_user);
				128	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	129	if (problem)
				130	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	131
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	132	/* if client wants mutual auth */
				133	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	134	reply);
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	135	if (problem)
				136	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	137
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	138	/* Check .k5login authorization now. */
				139	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
				140	authctxt->pw->pw_name))
				141	goto err;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	142
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	143	if (client)
				144	krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
				145	client);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	146
Damien Miller	61b05cf	2001-11-14 00:02:10 +1100	[diff] [blame]	147	ret = 1;
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	148	err:
				149	if (server)
				150	krb5_free_principal(authctxt->krb5_ctx, server);
				151	if (ticket)
				152	krb5_free_ticket(authctxt->krb5_ctx, ticket);
Damien Miller	25162f2	2002-09-12 09:47:29 +1000	[diff] [blame]	153	if (!ret && reply->length) {
				154	xfree(reply->data);
				155	memset(reply, 0, sizeof(*reply));
				156	}
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	157
Ben Lindstrom	b855028	2002-02-26 17:46:11 +0000	[diff] [blame]	158	if (problem) {
				159	if (authctxt->krb5_ctx != NULL)
				160	debug("Kerberos v5 authentication failed: %s",
				161	krb5_get_err_text(authctxt->krb5_ctx, problem));
				162	else
				163	debug("Kerberos v5 authentication failed: %d",
				164	problem);
				165	}
Damien Miller	61b05cf	2001-11-14 00:02:10 +1100	[diff] [blame]	166
				167	return (ret);
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	168	}
				169
				170	int
				171	auth_krb5_tgt(Authctxt authctxt, krb5_data tgt)
				172	{
				173	krb5_error_code problem;
				174	krb5_ccache ccache = NULL;
				175	char *pname;
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	176	krb5_creds **creds;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	177
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	178	if (authctxt->pw == NULL \|\| authctxt->krb5_user == NULL)
				179	return (0);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	180
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	181	temporarily_use_uid(authctxt->pw);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	182
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	183	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	184	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	185	#else
				186	{
				187	char ccname[40];
				188	int tmpfd;
				189
				190	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
				191
				192	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	193	logit("mkstemp(): %.100s", strerror(errno));
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	194	problem = errno;
				195	goto fail;
				196	}
				197	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	198	logit("fchmod(): %.100s", strerror(errno));
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	199	close(tmpfd);
				200	problem = errno;
				201	goto fail;
				202	}
				203	close(tmpfd);
				204	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
				205	}
				206	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	207	if (problem)
				208	goto fail;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	209
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	210	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
				211	authctxt->krb5_user);
				212	if (problem)
				213	goto fail;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	214
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	215	#ifdef HEIMDAL
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	216	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
				217	ccache, tgt);
				218	if (problem)
				219	goto fail;
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	220	#else
				221	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
				222	tgt, &creds, NULL);
				223	if (problem)
				224	goto fail;
				225	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
				226	if (problem)
				227	goto fail;
				228	#endif
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	229
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	230	authctxt->krb5_fwd_ccache = ccache;
				231	ccache = NULL;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	232
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	233	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	234
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	235	problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
				236	&pname);
				237	if (problem)
				238	goto fail;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	239
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	240	debug("Kerberos v5 TGT accepted (%s)", pname);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	241
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	242	restore_uid();
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	243
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	244	return (1);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	245
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	246	fail:
				247	if (problem)
				248	debug("Kerberos v5 TGT passing failed: %s",
				249	krb5_get_err_text(authctxt->krb5_ctx, problem));
				250	if (ccache)
				251	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	252
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	253	restore_uid();
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	254
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	255	return (0);
				256	}
				257
				258	int
				259	auth_krb5_password(Authctxt authctxt, const char password)
				260	{
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	261	#ifndef HEIMDAL
				262	krb5_creds creds;
				263	krb5_principal server;
				264	char ccname[40];
				265	int tmpfd;
				266	#endif
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	267	krb5_error_code problem;
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	268	krb5_ccache ccache = NULL;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	269
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	270	if (authctxt->pw == NULL)
				271	return (0);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	272
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	273	temporarily_use_uid(authctxt->pw);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	274
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	275	problem = krb5_init(authctxt);
				276	if (problem)
				277	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	278
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	279	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
				280	&authctxt->krb5_user);
				281	if (problem)
				282	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	283
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	284	#ifdef HEIMDAL
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	285	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	286	if (problem)
				287	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	288
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	289	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
				290	authctxt->krb5_user);
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	291	if (problem)
				292	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	293
				294	restore_uid();
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	295
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	296	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	297	ccache, password, 1, NULL);
				298
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	299	temporarily_use_uid(authctxt->pw);
				300
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	301	if (problem)
				302	goto out;
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	303	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
				304	&authctxt->krb5_fwd_ccache);
				305	if (problem)
				306	goto out;
				307
				308	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
				309	authctxt->krb5_fwd_ccache);
				310	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
				311	ccache = NULL;
				312	if (problem)
				313	goto out;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	314
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	315	#else
				316	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
				317	authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
				318	if (problem)
				319	goto out;
				320
				321	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
				322	KRB5_NT_SRV_HST, &server);
				323	if (problem)
				324	goto out;
				325
				326	restore_uid();
				327	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
				328	NULL, NULL, NULL);
				329	krb5_free_principal(authctxt->krb5_ctx, server);
				330	temporarily_use_uid(authctxt->pw);
				331	if (problem)
				332	goto out;
				333
				334	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
				335	authctxt->pw->pw_name)) {
Ben Lindstrom	5a6abda	2002-06-09 19:41:48 +0000	[diff] [blame]	336	problem = -1;
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	337	goto out;
				338	}
				339
				340	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
				341
				342	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	343	logit("mkstemp(): %.100s", strerror(errno));
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	344	problem = errno;
				345	goto out;
				346	}
				347
				348	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
Damien Miller	996acd2	2003-04-09 20:59:48 +1000	[diff] [blame]	349	logit("fchmod(): %.100s", strerror(errno));
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	350	close(tmpfd);
				351	problem = errno;
				352	goto out;
				353	}
				354	close(tmpfd);
				355
				356	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
				357	if (problem)
				358	goto out;
				359
				360	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
				361	authctxt->krb5_user);
				362	if (problem)
				363	goto out;
				364
				365	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
				366	&creds);
				367	if (problem)
				368	goto out;
				369	#endif
				370
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	371	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	372
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	373	out:
				374	restore_uid();
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	375
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	376	if (problem) {
Darren Tucker	ec0943a	2003-08-11 22:55:36 +1000	[diff] [blame^]	377	if (ccache)
				378	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
				379
Damien Miller	fd4c9ee	2002-04-13 11:04:40 +1000	[diff] [blame]	380	if (authctxt->krb5_ctx != NULL && problem!=-1)
Ben Lindstrom	b855028	2002-02-26 17:46:11 +0000	[diff] [blame]	381	debug("Kerberos password authentication failed: %s",
				382	krb5_get_err_text(authctxt->krb5_ctx, problem));
				383	else
				384	debug("Kerberos password authentication failed: %d",
				385	problem);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	386
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	387	krb5_cleanup_proc(authctxt);
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	388
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	389	if (options.kerberos_or_local_passwd)
				390	return (-1);
				391	else
				392	return (0);
				393	}
				394	return (1);
				395	}
				396
				397	void
				398	krb5_cleanup_proc(void *context)
				399	{
				400	Authctxt authctxt = (Authctxt )context;
Damien Miller	db95e4e	2002-02-13 16:56:44 +1100	[diff] [blame]	401
Damien Miller	964fed5	2001-09-25 12:58:23 +1000	[diff] [blame]	402	debug("krb5_cleanup_proc called");
				403	if (authctxt->krb5_fwd_ccache) {
				404	krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
				405	authctxt->krb5_fwd_ccache = NULL;
				406	}
				407	if (authctxt->krb5_user) {
				408	krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
				409	authctxt->krb5_user = NULL;
				410	}
				411	if (authctxt->krb5_auth_ctx) {
				412	krb5_auth_con_free(authctxt->krb5_ctx,
				413	authctxt->krb5_auth_ctx);
				414	authctxt->krb5_auth_ctx = NULL;
				415	}
				416	if (authctxt->krb5_ctx) {
				417	krb5_free_context(authctxt->krb5_ctx);
				418	authctxt->krb5_ctx = NULL;
				419	}
				420	}
				421
				422	#endif /* KRB5 */