143310Skfall /*-
2*66654Spendry * Copyright (c) 1990, 1993, 1994
363061Sbostic * The Regents of the University of California. All rights reserved.
443310Skfall *
543310Skfall * %sccs.include.redist.c%
643310Skfall */
743310Skfall
843310Skfall #ifndef lint
9*66654Spendry static char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 04/02/94";
1043310Skfall #endif /* not lint */
1143310Skfall
1243310Skfall #ifdef KERBEROS
1343310Skfall #include <sys/param.h>
1443310Skfall #include <sys/syslog.h>
1543310Skfall #include <kerberosIV/des.h>
1643310Skfall #include <kerberosIV/krb.h>
1766623Spendry
1866623Spendry #include <err.h>
1966623Spendry #include <netdb.h>
2043310Skfall #include <pwd.h>
2154548Sbostic #include <stdio.h>
2266623Spendry #include <stdlib.h>
2354548Sbostic #include <string.h>
2454548Sbostic #include <unistd.h>
2543310Skfall
2643310Skfall #define INITIAL_TICKET "krbtgt"
2743310Skfall #define VERIFY_SERVICE "rcmd"
2843310Skfall
2943310Skfall extern int notickets;
3049958Skarels extern char *krbtkfile_env;
3143310Skfall
3243310Skfall /*
3343367Skfall * Attempt to log the user in using Kerberos authentication
3443367Skfall *
3543367Skfall * return 0 on success (will be logged in)
3643367Skfall * 1 if Kerberos failed (try local password in login)
3743310Skfall */
3854548Sbostic int
klogin(pw,instance,localhost,password)3949956Skarels klogin(pw, instance, localhost, password)
4043310Skfall struct passwd *pw;
4149956Skarels char *instance, *localhost, *password;
4243310Skfall {
4343310Skfall int kerror;
4443310Skfall AUTH_DAT authdata;
4543310Skfall KTEXT_ST ticket;
4643310Skfall struct hostent *hp;
4743310Skfall unsigned long faddr;
4843367Skfall char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
4943367Skfall char tkt_location[MAXPATHLEN];
5055046Sbostic char *krb_get_phost();
5143310Skfall
5243310Skfall /*
5349956Skarels * Root logins don't use Kerberos.
5449956Skarels * If we have a realm, try getting a ticket-granting ticket
5549956Skarels * and using it to authenticate. Otherwise, return
5649956Skarels * failure so that we can try the normal passwd file
5749956Skarels * for a password. If that's ok, log the user in
5849956Skarels * without issuing any tickets.
5943310Skfall */
6049956Skarels if (strcmp(pw->pw_name, "root") == 0 ||
6149956Skarels krb_get_lrealm(realm, 0) != KSUCCESS)
6249956Skarels return (1);
6343310Skfall
6443310Skfall /*
6543367Skfall * get TGT for local realm
6649956Skarels * tickets are stored in a file named TKT_ROOT plus uid
6749958Skarels * except for user.root tickets.
6843310Skfall */
6943310Skfall
7049958Skarels if (strcmp(instance, "root") != 0)
7149958Skarels (void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
7249958Skarels else {
7349958Skarels (void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid);
7449958Skarels krbtkfile_env = tkt_location;
7549958Skarels }
7643367Skfall (void)krb_set_tkt_string(tkt_location);
7743310Skfall
7849958Skarels /*
7949958Skarels * Set real as well as effective ID to 0 for the moment,
8049958Skarels * to make the kerberos library do the right thing.
8149958Skarels */
8249958Skarels if (setuid(0) < 0) {
8366623Spendry warnx("setuid");
8449958Skarels return (1);
8549958Skarels }
8649956Skarels kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
8743367Skfall realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
8843310Skfall /*
8943310Skfall * If we got a TGT, get a local "rcmd" ticket and check it so as to
9043310Skfall * ensure that we are not talking to a bogus Kerberos server.
9143310Skfall *
9243310Skfall * There are 2 cases where we still allow a login:
9343310Skfall * 1: the VERIFY_SERVICE doesn't exist in the KDC
9443310Skfall * 2: local host has no srvtab, as (hopefully) indicated by a
9543310Skfall * return value of RD_AP_UNDEC from krb_rd_req().
9643310Skfall */
9743310Skfall if (kerror != INTK_OK) {
9849956Skarels if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
9943310Skfall syslog(LOG_ERR, "Kerberos intkt error: %s",
10043310Skfall krb_err_txt[kerror]);
10147683Skfall dest_tkt();
10247683Skfall }
10349956Skarels return (1);
10443310Skfall }
10543310Skfall
10643367Skfall if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
10743367Skfall syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
10843310Skfall
10943310Skfall (void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
11043310Skfall savehost[sizeof(savehost)-1] = NULL;
11143310Skfall
11243310Skfall /*
11343310Skfall * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
11443310Skfall * still allow login with tickets, but log the error condition.
11543310Skfall */
11643367Skfall
11743367Skfall kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
11843310Skfall if (kerror == KDC_PR_UNKNOWN) {
11949956Skarels syslog(LOG_NOTICE,
12049956Skarels "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
12149956Skarels krb_err_txt[kerror], VERIFY_SERVICE, savehost);
12243310Skfall notickets = 0;
12366623Spendry return (0);
12443310Skfall }
12543310Skfall
12643310Skfall if (kerror != KSUCCESS) {
12766623Spendry warnx("unable to use TGT: (%s)", krb_err_txt[kerror]);
12843310Skfall syslog(LOG_NOTICE, "unable to use TGT: (%s)",
12943310Skfall krb_err_txt[kerror]);
13043310Skfall dest_tkt();
13166623Spendry return (1);
13243310Skfall }
13343310Skfall
13443310Skfall if (!(hp = gethostbyname(localhost))) {
13543310Skfall syslog(LOG_ERR, "couldn't get local host address");
13643367Skfall dest_tkt();
13766623Spendry return (1);
13843310Skfall }
13943367Skfall
14066623Spendry memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
14143310Skfall
14243310Skfall kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
14343310Skfall &authdata, "");
14443367Skfall
14543310Skfall if (kerror == KSUCCESS) {
14643310Skfall notickets = 0;
14766623Spendry return (0);
14843310Skfall }
14943367Skfall
15043367Skfall /* undecipherable: probably didn't have a srvtab on the local host */
15143310Skfall if (kerror = RD_AP_UNDEC) {
15243310Skfall syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
15343367Skfall dest_tkt();
15466623Spendry return (1);
15543310Skfall }
15643367Skfall /* failed for some other reason */
15766623Spendry warnx("unable to verify %s ticket: (%s)", VERIFY_SERVICE,
15843310Skfall krb_err_txt[kerror]);
15943310Skfall syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
16043310Skfall krb_err_txt[kerror]);
16143367Skfall dest_tkt();
16266623Spendry return (1);
16343310Skfall }
16443310Skfall #endif
165