xref: /csrg-svn/usr.bin/login/klogin.c (revision 43367) 
143310Skfall /*-
243310Skfall  * Copyright (c) 1990 The Regents of the University of California.
343310Skfall  * All rights reserved.
443310Skfall  *
543310Skfall  * %sccs.include.redist.c%
643310Skfall  */
743310Skfall 
843310Skfall #ifndef lint
9*43367Skfall static char sccsid[] = "@(#)klogin.c	5.2 (Berkeley) 06/21/90";
1043310Skfall #endif /* not lint */
1143310Skfall 
1243310Skfall #ifdef KERBEROS
1343310Skfall #include <sys/param.h>
1443310Skfall #include <sys/syslog.h>
1543310Skfall #include <kerberosIV/des.h>
1643310Skfall #include <kerberosIV/krb.h>
1743310Skfall #include <pwd.h>
1843310Skfall #include <netdb.h>
1943310Skfall 
2043310Skfall #define	PRINCIPAL_NAME	pw->pw_name
2143310Skfall #define	PRINCIPAL_INST	""
2243310Skfall #define	INITIAL_TICKET	"krbtgt"
2343310Skfall #define	VERIFY_SERVICE	"rcmd"
2443310Skfall 
2543310Skfall extern int notickets;
2643310Skfall 
2743310Skfall /*
28*43367Skfall  * Attempt to log the user in using Kerberos authentication
29*43367Skfall  *
30*43367Skfall  * return 0 on success (will be logged in)
31*43367Skfall  *	  1 if Kerberos failed (try local password in login)
3243310Skfall  */
3343310Skfall 
34*43367Skfall klogin(pw, localhost, password)
3543310Skfall 	struct passwd *pw;
36*43367Skfall 	char *localhost, *password;
3743310Skfall {
3843310Skfall 	int kerror;
3943310Skfall 	AUTH_DAT authdata;
4043310Skfall 	KTEXT_ST ticket;
4143310Skfall 	struct hostent *hp;
4243310Skfall 	unsigned long faddr;
43*43367Skfall 	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
44*43367Skfall 	char tkt_location[MAXPATHLEN];
4543310Skfall 
4643310Skfall 	/*
4743310Skfall 	 * If we aren't Kerberos-authenticated, try the normal pw file
4843310Skfall 	 * for a password.  If that's ok, log the user in without issueing
4943310Skfall 	 * any tickets.
5043310Skfall 	 */
5143310Skfall 	if (krb_get_lrealm(realm, 1) != KSUCCESS)
5243310Skfall 		return(1);
5343310Skfall 
5443310Skfall 	/*
55*43367Skfall 	 * get TGT for local realm
56*43367Skfall 	 * tickets are stored in a file determined by calling tkt_string()
5743310Skfall 	 */
5843310Skfall 
59*43367Skfall 	(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
60*43367Skfall 	(void)krb_set_tkt_string(tkt_location);
61*43367Skfall 	(void)dest_tkt();
6243310Skfall 
63*43367Skfall 	kerror = krb_get_pw_in_tkt(PRINCIPAL_NAME, PRINCIPAL_INST,
64*43367Skfall 		    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
65*43367Skfall syslog(LOG_ERR, "retval of get_pw_in_tkt: %s", krb_err_txt[kerror]);
66*43367Skfall 
6743310Skfall 	/*
6843310Skfall 	 * If we got a TGT, get a local "rcmd" ticket and check it so as to
6943310Skfall 	 * ensure that we are not talking to a bogus Kerberos server.
7043310Skfall 	 *
7143310Skfall 	 * There are 2 cases where we still allow a login:
7243310Skfall 	 *	1: the VERIFY_SERVICE doesn't exist in the KDC
7343310Skfall 	 *	2: local host has no srvtab, as (hopefully) indicated by a
7443310Skfall 	 *	   return value of RD_AP_UNDEC from krb_rd_req().
7543310Skfall 	 */
7643310Skfall 	if (kerror != INTK_OK) {
77*43367Skfall 		dest_tkt();
7843310Skfall 		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN)
7943310Skfall 			syslog(LOG_ERR, "Kerberos intkt error: %s",
8043310Skfall 			    krb_err_txt[kerror]);
81*43367Skfall 		return(1);
8243310Skfall 	}
8343310Skfall 
84*43367Skfall 	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
85*43367Skfall 		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
8643310Skfall 
8743310Skfall 	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
8843310Skfall 	savehost[sizeof(savehost)-1] = NULL;
8943310Skfall 
9043310Skfall 	/*
9143310Skfall 	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
9243310Skfall 	 * still allow login with tickets, but log the error condition.
9343310Skfall 	 */
94*43367Skfall 
95*43367Skfall 	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
9643310Skfall 	if (kerror == KDC_PR_UNKNOWN) {
9743310Skfall 		syslog(LOG_NOTICE, "warning: TGT not verified (%s)",
9843310Skfall 		    krb_err_txt[kerror]);
9943310Skfall 		notickets = 0;
10043310Skfall 		return(0);
10143310Skfall 	}
10243310Skfall 
10343310Skfall 	if (kerror != KSUCCESS) {
10443310Skfall 		(void)printf("unable to use TGT: (%s)\n", krb_err_txt[kerror]);
10543310Skfall 		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
10643310Skfall 		    krb_err_txt[kerror]);
10743310Skfall 		dest_tkt();
108*43367Skfall 		return(1);
10943310Skfall 	}
11043310Skfall 
11143310Skfall 	if (!(hp = gethostbyname(localhost))) {
11243310Skfall 		syslog(LOG_ERR, "couldn't get local host address");
113*43367Skfall 		dest_tkt();
114*43367Skfall 		return(1);
11543310Skfall 	}
116*43367Skfall 
11743310Skfall 	bcopy((void *)hp->h_addr, (void *)&faddr, sizeof(faddr));
11843310Skfall 
11943310Skfall 	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
12043310Skfall 	    &authdata, "");
121*43367Skfall 
12243310Skfall 	if (kerror == KSUCCESS) {
12343310Skfall 		notickets = 0;
12443310Skfall 		return(0);
12543310Skfall 	}
126*43367Skfall 
127*43367Skfall 	/* undecipherable: probably didn't have a srvtab on the local host */
12843310Skfall 	if (kerror = RD_AP_UNDEC) {
12943310Skfall 		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
130*43367Skfall 		dest_tkt();
131*43367Skfall 		return(1);
13243310Skfall 	}
133*43367Skfall 	/* failed for some other reason */
13443310Skfall 	(void)printf("unable to verify %s ticket: (%s)\n", VERIFY_SERVICE,
13543310Skfall 	    krb_err_txt[kerror]);
13643310Skfall 	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
13743310Skfall 	    krb_err_txt[kerror]);
138*43367Skfall 	dest_tkt();
139*43367Skfall 	return(1);
14043310Skfall }
14143310Skfall #endif
142