Blame - auth-krb4.c - platform/external/openssh

blob: b86ce7e49e57d557b9a6833de84d8926a6cd2677 [file] [log] [blame]

Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	1	/*
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	2	* Copyright (c) 1999 Dug Song. All rights reserved.
				3	*
				4	* Redistribution and use in source and binary forms, with or without
				5	* modification, are permitted provided that the following conditions
				6	* are met:
				7	* 1. Redistributions of source code must retain the above copyright
				8	* notice, this list of conditions and the following disclaimer.
				9	* 2. Redistributions in binary form must reproduce the above copyright
				10	* notice, this list of conditions and the following disclaimer in the
				11	* documentation and/or other materials provided with the distribution.
				12	*
				13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	23	*/
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	24
				25	#include "includes.h"
Damien Miller	d94e549	2002-09-27 13:25:58 +1000	[diff] [blame]	26	RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
Damien Miller	bf7f466	2000-06-23 10:16:38 +1000	[diff] [blame]	27
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	28	#include "ssh.h"
				29	#include "ssh1.h"
				30	#include "packet.h"
				31	#include "xmalloc.h"
				32	#include "log.h"
				33	#include "servconf.h"
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	34	#include "uidswap.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	35	#include "auth.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	36
Ben Lindstrom	b1985f7	2001-01-23 00:19:15 +0000	[diff] [blame]	37	#ifdef AFS
				38	#include "radix.h"
				39	#endif
				40
				41	#ifdef KRB4
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	42	extern ServerOptions options;
				43
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	44	static int
				45	krb4_init(void *context)
				46	{
				47	static int cleanup_registered = 0;
				48	Authctxt authctxt = (Authctxt )context;
				49	const char *tkt_root = TKT_ROOT;
				50	struct stat st;
				51	int fd;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	52
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	53	if (!authctxt->krb4_ticket_file) {
				54	/* Set unique ticket string manually since we're still root. */
				55	authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
				56	#ifdef AFS
				57	if (lstat("/ticket", &st) != -1)
				58	tkt_root = "/ticket/";
				59	#endif /* AFS */
Ben Lindstrom	ce0f634	2002-06-11 16:42:49 +0000	[diff] [blame]	60	snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld",
				61	tkt_root, authctxt->pw->pw_uid, (long)getpid());
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	62	krb_set_tkt_string(authctxt->krb4_ticket_file);
				63	}
				64	/* Register ticket cleanup in case of fatal error. */
				65	if (!cleanup_registered) {
				66	fatal_add_cleanup(krb4_cleanup_proc, authctxt);
				67	cleanup_registered = 1;
				68	}
				69	/* Try to create our ticket file. */
				70	if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
				71	close(fd);
				72	return (1);
				73	}
				74	/* Ticket file exists - make sure user owns it (just passed ticket). */
				75	if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
				76	if (st.st_mode == (S_IFREG \| S_IRUSR \| S_IWUSR) &&
				77	st.st_uid == authctxt->pw->pw_uid)
				78	return (1);
				79	}
				80	/* Failure - cancel cleanup function, leaving ticket for inspection. */
				81	log("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	82
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	83	fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
				84	cleanup_registered = 0;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	85
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	86	xfree(authctxt->krb4_ticket_file);
				87	authctxt->krb4_ticket_file = NULL;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	88
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	89	return (0);
				90	}
				91
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	92	/*
				93	* try krb4 authentication,
				94	* return 1 on success, 0 on failure, -1 if krb4 is not available
				95	*/
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	96	int
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	97	auth_krb4_password(Authctxt authctxt, const char password)
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	98	{
				99	AUTH_DAT adata;
				100	KTEXT_ST tkt;
				101	struct hostent *hp;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	102	struct passwd *pw;
				103	char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
				104	u_int32_t faddr;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	105	int r;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	106
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	107	if ((pw = authctxt->pw) == NULL)
				108	return (0);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	109
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	110	/*
				111	* Try Kerberos password authentication only for non-root
				112	* users and only if Kerberos is installed.
				113	*/
				114	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	115	/* Set up our ticket file. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	116	if (!krb4_init(authctxt)) {
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	117	log("Couldn't initialize Kerberos ticket file for %s!",
				118	pw->pw_name);
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	119	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	120	}
				121	/* Try to get TGT using our password. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	122	r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
				123	"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	124	if (r != INTK_OK) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	125	debug("Kerberos v4 password authentication for %s "
				126	"failed: %s", pw->pw_name, krb_err_txt[r]);
				127	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	128	}
				129	/* Successful authentication. */
				130	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	131
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	132	/*
				133	* Now that we have a TGT, try to get a local
				134	* "rcmd" ticket to ensure that we are not talking
				135	* to a bogus Kerberos server.
				136	*/
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	137	gethostname(localhost, sizeof(localhost));
				138	strlcpy(phost, (char *)krb_get_phost(localhost),
				139	sizeof(phost));
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	140	r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	141
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	142	if (r == KSUCCESS) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	143	if ((hp = gethostbyname(localhost)) == NULL) {
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	144	log("Couldn't get local host address!");
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	145	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	146	}
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	147	memmove((void )&faddr, (void )hp->h_addr,
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	148	sizeof(faddr));
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	149
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	150	/* Verify our "rcmd" ticket. */
				151	r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
				152	faddr, &adata, "");
				153	if (r == RD_AP_UNDEC) {
				154	/*
				155	* Probably didn't have a srvtab on
Damien Miller	942da03	2000-08-18 13:59:06 +1000	[diff] [blame]	156	* localhost. Disallow login.
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	157	*/
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	158	log("Kerberos v4 TGT for %s unverifiable, "
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	159	"no srvtab installed? krb_rd_req: %s",
				160	pw->pw_name, krb_err_txt[r]);
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	161	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	162	} else if (r != KSUCCESS) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	163	log("Kerberos v4 %s ticket unverifiable: %s",
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	164	KRB4_SERVICE_NAME, krb_err_txt[r]);
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	165	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	166	}
				167	} else if (r == KDC_PR_UNKNOWN) {
				168	/*
Damien Miller	942da03	2000-08-18 13:59:06 +1000	[diff] [blame]	169	* Disallow login if no rcmd service exists, and
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	170	* log the error.
				171	*/
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	172	log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	173	"not registered, or srvtab is wrong?", pw->pw_name,
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	174	krb_err_txt[r], KRB4_SERVICE_NAME, phost);
				175	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	176	} else {
				177	/*
				178	* TGT is bad, forget it. Possibly spoofed!
				179	*/
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	180	debug("WARNING: Kerberos v4 TGT possibly spoofed "
				181	"for %s: %s", pw->pw_name, krb_err_txt[r]);
				182	goto failure;
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	183	}
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	184	/* Authentication succeeded. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	185	return (1);
				186	} else
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	187	/* Logging in as root or no local Kerberos realm. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	188	debug("Unable to authenticate to Kerberos.");
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	189
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	190	failure:
				191	krb4_cleanup_proc(authctxt);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	192
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	193	if (!options.kerberos_or_local_passwd)
				194	return (0);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	195
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	196	/* Fall back to ordinary passwd authentication. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	197	return (-1);
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	198	}
				199
Damien Miller	5ce662a	1999-11-11 17:57:39 +1100	[diff] [blame]	200	void
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	201	krb4_cleanup_proc(void *context)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	202	{
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	203	Authctxt authctxt = (Authctxt )context;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	204	debug("krb4_cleanup_proc called");
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	205	if (authctxt->krb4_ticket_file) {
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	206	(void) dest_tkt();
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	207	xfree(authctxt->krb4_ticket_file);
				208	authctxt->krb4_ticket_file = NULL;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	209	}
Damien Miller	5ce662a	1999-11-11 17:57:39 +1100	[diff] [blame]	210	}
				211
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	212	int
Damien Miller	d94e549	2002-09-27 13:25:58 +1000	[diff] [blame]	213	auth_krb4(Authctxt authctxt, KTEXT auth, char *client, KTEXT reply)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	214	{
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	215	AUTH_DAT adat = {0};
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	216	Key_schedule schedule;
				217	struct sockaddr_in local, foreign;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	218	char instance[INST_SZ];
				219	socklen_t slen;
				220	u_int cksum;
				221	int r, s;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	222
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	223	s = packet_get_connection_in();
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	224
Damien Miller	7684ee1	2000-03-17 23:40:15 +1100	[diff] [blame]	225	slen = sizeof(local);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	226	memset(&local, 0, sizeof(local));
Damien Miller	7684ee1	2000-03-17 23:40:15 +1100	[diff] [blame]	227	if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	228	debug("getsockname failed: %.100s", strerror(errno));
Damien Miller	7684ee1	2000-03-17 23:40:15 +1100	[diff] [blame]	229	slen = sizeof(foreign);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	230	memset(&foreign, 0, sizeof(foreign));
Damien Miller	7684ee1	2000-03-17 23:40:15 +1100	[diff] [blame]	231	if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) {
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	232	debug("getpeername failed: %.100s", strerror(errno));
				233	fatal_cleanup();
				234	}
				235	instance[0] = '*';
				236	instance[1] = 0;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	237
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	238	/* Get the encrypted request, challenge, and session key. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	239	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
				240	0, &adat, ""))) {
				241	debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
				242	return (0);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	243	}
				244	des_key_sched((des_cblock *) adat.session, schedule);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	245
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	246	*client = xmalloc(MAX_K_NAME_SZ);
				247	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
				248	*adat.pinst ? "." : "", adat.pinst, adat.prealm);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	249
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	250	/* Check ~/.klogin authorization now. */
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	251	if (kuserok(&adat, authctxt->user) != KSUCCESS) {
				252	log("Kerberos v4 .klogin authorization failed for %s to "
				253	"account %s", *client, authctxt->user);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	254	xfree(*client);
Ben Lindstrom	abf3144	2002-03-22 01:30:40 +0000	[diff] [blame]	255	*client = NULL;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	256	return (0);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	257	}
				258	/* Increment the checksum, and return it encrypted with the
				259	session key. */
				260	cksum = adat.checksum + 1;
				261	cksum = htonl(cksum);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	262
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	263	/* If we can't successfully encrypt the checksum, we send back an
				264	empty message, admitting our failure. */
Damien Miller	d94e549	2002-09-27 13:25:58 +1000	[diff] [blame]	265	if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1,
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	266	schedule, &adat.session, &local, &foreign)) < 0) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	267	debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
Damien Miller	d94e549	2002-09-27 13:25:58 +1000	[diff] [blame]	268	reply->dat[0] = 0;
				269	reply->length = 0;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	270	} else
Damien Miller	d94e549	2002-09-27 13:25:58 +1000	[diff] [blame]	271	reply->length = r;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	272
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	273	/* Clear session key. */
				274	memset(&adat.session, 0, sizeof(&adat.session));
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	275	return (1);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	276	}
				277	#endif /* KRB4 */
				278
				279	#ifdef AFS
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	280	int
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	281	auth_krb4_tgt(Authctxt authctxt, const char string)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	282	{
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	283	CREDENTIALS creds;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	284	struct passwd *pw;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	285
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	286	if ((pw = authctxt->pw) == NULL)
				287	goto failure;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	288
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	289	temporarily_use_uid(pw);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	290
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	291	if (!radix_to_creds(string, &creds)) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	292	log("Protocol error decoding Kerberos v4 TGT");
				293	goto failure;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	294	}
				295	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
				296	strlcpy(creds.service, "krbtgt", sizeof creds.service);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	297
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	298	if (strcmp(creds.service, "krbtgt")) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	299	log("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	300	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
				301	creds.realm, pw->pw_name);
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	302	goto failure;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	303	}
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	304	if (!krb4_init(authctxt))
				305	goto failure;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	306
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	307	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	308	goto failure;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	309
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	310	if (save_credentials(creds.service, creds.instance, creds.realm,
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	311	creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
				312	creds.issue_date) != KSUCCESS) {
				313	debug("Kerberos v4 TGT refused: couldn't save credentials");
				314	goto failure;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	315	}
				316	/* Successful authentication, passed all checks. */
				317	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	318
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	319	debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
				320	creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	321	memset(&creds, 0, sizeof(creds));
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	322
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	323	restore_uid();
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	324
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	325	return (1);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	326
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	327	failure:
				328	krb4_cleanup_proc(authctxt);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	329	memset(&creds, 0, sizeof(creds));
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	330	restore_uid();
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	331
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	332	return (0);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	333	}
				334
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	335	int
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	336	auth_afs_token(Authctxt authctxt, const char token_string)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	337	{
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	338	CREDENTIALS creds;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	339	struct passwd *pw;
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	340	uid_t uid;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	341
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	342	if ((pw = authctxt->pw) == NULL)
				343	return (0);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	344
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	345	if (!radix_to_creds(token_string, &creds)) {
				346	log("Protocol error decoding AFS token");
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	347	return (0);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	348	}
				349	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
				350	strlcpy(creds.service, "afs", sizeof creds.service);
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	351
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	352	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
				353	uid = atoi(creds.pname + 7);
Damien Miller	874d77b	2000-10-14 16:23:11 +1100	[diff] [blame]	354	else
				355	uid = pw->pw_uid;
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	356
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	357	if (kafs_settoken(creds.realm, uid, &creds)) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	358	log("AFS token (%s@%s) rejected for %s",
				359	creds.pname, creds.realm, pw->pw_name);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	360	memset(&creds, 0, sizeof(creds));
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	361	return (0);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	362	}
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	363	debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	364	memset(&creds, 0, sizeof(creds));
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	365
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	366	return (1);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	367	}
				368	#endif /* AFS */