xref: /csrg-svn/usr.bin/login/klogin.c (revision 49956) 
143310Skfall /*-
243310Skfall  * Copyright (c) 1990 The Regents of the University of California.
343310Skfall  * All rights reserved.
443310Skfall  *
543310Skfall  * %sccs.include.redist.c%
643310Skfall  */
743310Skfall 
843310Skfall #ifndef lint
9*49956Skarels static char sccsid[] = "@(#)klogin.c	5.8 (Berkeley) 06/01/91";
1043310Skfall #endif /* not lint */
1143310Skfall 
1243310Skfall #ifdef KERBEROS
1343310Skfall #include <sys/param.h>
1443310Skfall #include <sys/syslog.h>
1543310Skfall #include <kerberosIV/des.h>
1643310Skfall #include <kerberosIV/krb.h>
1743310Skfall #include <pwd.h>
1843310Skfall #include <netdb.h>
1943310Skfall 
2043310Skfall #define	INITIAL_TICKET	"krbtgt"
2143310Skfall #define	VERIFY_SERVICE	"rcmd"
2243310Skfall 
2343310Skfall extern int notickets;
2443310Skfall 
2543310Skfall /*
2643367Skfall  * Attempt to log the user in using Kerberos authentication
2743367Skfall  *
2843367Skfall  * return 0 on success (will be logged in)
2943367Skfall  *	  1 if Kerberos failed (try local password in login)
3043310Skfall  */
3143310Skfall 
32*49956Skarels klogin(pw, instance, localhost, password)
3343310Skfall 	struct passwd *pw;
34*49956Skarels 	char *instance, *localhost, *password;
3543310Skfall {
3643310Skfall 	int kerror;
3743310Skfall 	AUTH_DAT authdata;
3843310Skfall 	KTEXT_ST ticket;
3943310Skfall 	struct hostent *hp;
4043310Skfall 	unsigned long faddr;
4143367Skfall 	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
4243367Skfall 	char tkt_location[MAXPATHLEN];
4343310Skfall 
4443310Skfall 	/*
45*49956Skarels 	 * Root logins don't use Kerberos.
46*49956Skarels 	 * If we have a realm, try getting a ticket-granting ticket
47*49956Skarels 	 * and using it to authenticate.  Otherwise, return
48*49956Skarels 	 * failure so that we can try the normal passwd file
49*49956Skarels 	 * for a password.  If that's ok, log the user in
50*49956Skarels 	 * without issuing any tickets.
5143310Skfall 	 */
52*49956Skarels 	if (strcmp(pw->pw_name, "root") == 0 ||
53*49956Skarels 	    krb_get_lrealm(realm, 0) != KSUCCESS)
54*49956Skarels 		return (1);
5543310Skfall 
5643310Skfall 	/*
5743367Skfall 	 * get TGT for local realm
58*49956Skarels 	 * tickets are stored in a file named TKT_ROOT plus uid
5943310Skfall 	 */
6043310Skfall 
6143367Skfall 	(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
6243367Skfall 	(void)krb_set_tkt_string(tkt_location);
6343310Skfall 
64*49956Skarels 	kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
6543367Skfall 		    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
6643310Skfall 	/*
6743310Skfall 	 * If we got a TGT, get a local "rcmd" ticket and check it so as to
6843310Skfall 	 * ensure that we are not talking to a bogus Kerberos server.
6943310Skfall 	 *
7043310Skfall 	 * There are 2 cases where we still allow a login:
7143310Skfall 	 *	1: the VERIFY_SERVICE doesn't exist in the KDC
7243310Skfall 	 *	2: local host has no srvtab, as (hopefully) indicated by a
7343310Skfall 	 *	   return value of RD_AP_UNDEC from krb_rd_req().
7443310Skfall 	 */
7543310Skfall 	if (kerror != INTK_OK) {
76*49956Skarels 		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
7743310Skfall 			syslog(LOG_ERR, "Kerberos intkt error: %s",
7843310Skfall 			    krb_err_txt[kerror]);
7947683Skfall 			dest_tkt();
8047683Skfall 		}
81*49956Skarels 		return (1);
8243310Skfall 	}
8343310Skfall 
8443367Skfall 	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
8543367Skfall 		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
8643310Skfall 
8743310Skfall 	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
8843310Skfall 	savehost[sizeof(savehost)-1] = NULL;
8943310Skfall 
9043310Skfall 	/*
9143310Skfall 	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
9243310Skfall 	 * still allow login with tickets, but log the error condition.
9343310Skfall 	 */
9443367Skfall 
9543367Skfall 	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
9643310Skfall 	if (kerror == KDC_PR_UNKNOWN) {
97*49956Skarels 		syslog(LOG_NOTICE,
98*49956Skarels     		    "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
99*49956Skarels 		    krb_err_txt[kerror], VERIFY_SERVICE, savehost);
10043310Skfall 		notickets = 0;
10143310Skfall 		return(0);
10243310Skfall 	}
10343310Skfall 
10443310Skfall 	if (kerror != KSUCCESS) {
10543310Skfall 		(void)printf("unable to use TGT: (%s)\n", krb_err_txt[kerror]);
10643310Skfall 		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
10743310Skfall 		    krb_err_txt[kerror]);
10843310Skfall 		dest_tkt();
10943367Skfall 		return(1);
11043310Skfall 	}
11143310Skfall 
11243310Skfall 	if (!(hp = gethostbyname(localhost))) {
11343310Skfall 		syslog(LOG_ERR, "couldn't get local host address");
11443367Skfall 		dest_tkt();
11543367Skfall 		return(1);
11643310Skfall 	}
11743367Skfall 
11843310Skfall 	bcopy((void *)hp->h_addr, (void *)&faddr, sizeof(faddr));
11943310Skfall 
12043310Skfall 	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
12143310Skfall 	    &authdata, "");
12243367Skfall 
12343310Skfall 	if (kerror == KSUCCESS) {
12443310Skfall 		notickets = 0;
12543310Skfall 		return(0);
12643310Skfall 	}
12743367Skfall 
12843367Skfall 	/* undecipherable: probably didn't have a srvtab on the local host */
12943310Skfall 	if (kerror = RD_AP_UNDEC) {
13043310Skfall 		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
13143367Skfall 		dest_tkt();
13243367Skfall 		return(1);
13343310Skfall 	}
13443367Skfall 	/* failed for some other reason */
13543310Skfall 	(void)printf("unable to verify %s ticket: (%s)\n", VERIFY_SERVICE,
13643310Skfall 	    krb_err_txt[kerror]);
13743310Skfall 	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
13843310Skfall 	    krb_err_txt[kerror]);
13943367Skfall 	dest_tkt();
14043367Skfall 	return(1);
14143310Skfall }
14243310Skfall #endif
143