1*1c7715ddSchristos /* $NetBSD: auth2-krb5.c,v 1.11 2024/07/08 22:33:43 christos Exp $ */
2313c6c94Schristos /*
3313c6c94Schristos * Copyright (c) 2003 Markus Friedl. All rights reserved.
4313c6c94Schristos *
5313c6c94Schristos * Redistribution and use in source and binary forms, with or without
6313c6c94Schristos * modification, are permitted provided that the following conditions
7313c6c94Schristos * are met:
8313c6c94Schristos * 1. Redistributions of source code must retain the above copyright
9313c6c94Schristos * notice, this list of conditions and the following disclaimer.
10313c6c94Schristos * 2. Redistributions in binary form must reproduce the above copyright
11313c6c94Schristos * notice, this list of conditions and the following disclaimer in the
12313c6c94Schristos * documentation and/or other materials provided with the distribution.
13313c6c94Schristos *
14313c6c94Schristos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15313c6c94Schristos * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16313c6c94Schristos * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17313c6c94Schristos * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18313c6c94Schristos * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19313c6c94Schristos * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20313c6c94Schristos * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21313c6c94Schristos * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22313c6c94Schristos * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23313c6c94Schristos * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24313c6c94Schristos */
25313c6c94Schristos
26313c6c94Schristos #include "includes.h"
27*1c7715ddSchristos __RCSID("$NetBSD: auth2-krb5.c,v 1.11 2024/07/08 22:33:43 christos Exp $");
28313c6c94Schristos
29313c6c94Schristos #include <krb5.h>
30313c6c94Schristos #include <stdio.h>
31313c6c94Schristos
32313c6c94Schristos #include "ssh2.h"
33313c6c94Schristos #include "xmalloc.h"
34313c6c94Schristos #include "packet.h"
35313c6c94Schristos #include "log.h"
36313c6c94Schristos #include "hostfile.h"
37313c6c94Schristos #include "auth.h"
38313c6c94Schristos #ifdef GSSAPI
39313c6c94Schristos #include "ssh-gss.h"
40313c6c94Schristos #endif
417a183406Schristos #include "ssherr.h"
42313c6c94Schristos #include "monitor_wrap.h"
438a4530f9Schristos #include "misc.h"
44313c6c94Schristos #include "servconf.h"
45313c6c94Schristos
46313c6c94Schristos /* import */
47313c6c94Schristos extern ServerOptions options;
48*1c7715ddSchristos extern struct authmethod_cfg methodcfg_krb5;
49313c6c94Schristos
50313c6c94Schristos static int
userauth_kerberos(struct ssh * ssh,const char * method)51a03ec00cSchristos userauth_kerberos(struct ssh *ssh, const char *method)
52313c6c94Schristos {
53313c6c94Schristos krb5_data tkt, reply;
547a183406Schristos size_t dlen;
557a183406Schristos char *passwd;
56313c6c94Schristos char *client = NULL;
577a183406Schristos int authenticated = 0, r;
58313c6c94Schristos
597a183406Schristos if ((r = sshpkt_get_cstring(ssh, &passwd, &dlen)) != 0 ||
607a183406Schristos (r = sshpkt_get_end(ssh)) != 0)
617a183406Schristos fatal("%s: %s", __func__, ssh_err(r));
627a183406Schristos
637a183406Schristos tkt.data = passwd;
64313c6c94Schristos tkt.length = dlen;
65*1c7715ddSchristos if (mm_auth_krb5(ssh, &tkt, &client, &reply)) {
66313c6c94Schristos authenticated = 1;
67313c6c94Schristos if (reply.length)
6800a838c4Schristos free(reply.data);
69313c6c94Schristos }
70313c6c94Schristos if (client)
7100a838c4Schristos free(client);
7200a838c4Schristos free(tkt.data);
73313c6c94Schristos return (authenticated);
74313c6c94Schristos }
75313c6c94Schristos
76313c6c94Schristos Authmethod method_kerberos = {
77*1c7715ddSchristos &methodcfg_krb5,
78313c6c94Schristos userauth_kerberos,
79313c6c94Schristos };