xref: /csrg-svn/usr.bin/login/klogin.c (revision 54548) 
143310Skfall /*-
243310Skfall  * Copyright (c) 1990 The Regents of the University of California.
343310Skfall  * All rights reserved.
443310Skfall  *
543310Skfall  * %sccs.include.redist.c%
643310Skfall  */
743310Skfall 
843310Skfall #ifndef lint
9*54548Sbostic static char sccsid[] = "@(#)klogin.c	5.10 (Berkeley) 06/29/92";
1043310Skfall #endif /* not lint */
1143310Skfall 
1243310Skfall #ifdef KERBEROS
1343310Skfall #include <sys/param.h>
1443310Skfall #include <sys/syslog.h>
1543310Skfall #include <kerberosIV/des.h>
1643310Skfall #include <kerberosIV/krb.h>
1743310Skfall #include <pwd.h>
1843310Skfall #include <netdb.h>
19*54548Sbostic #include <stdio.h>
20*54548Sbostic #include <string.h>
21*54548Sbostic #include <unistd.h>
2243310Skfall 
2343310Skfall #define	INITIAL_TICKET	"krbtgt"
2443310Skfall #define	VERIFY_SERVICE	"rcmd"
2543310Skfall 
2643310Skfall extern int notickets;
2749958Skarels extern char *krbtkfile_env;
2843310Skfall 
2943310Skfall /*
3043367Skfall  * Attempt to log the user in using Kerberos authentication
3143367Skfall  *
3243367Skfall  * return 0 on success (will be logged in)
3343367Skfall  *	  1 if Kerberos failed (try local password in login)
3443310Skfall  */
35*54548Sbostic int
3649956Skarels klogin(pw, instance, localhost, password)
3743310Skfall 	struct passwd *pw;
3849956Skarels 	char *instance, *localhost, *password;
3943310Skfall {
4043310Skfall 	int kerror;
4143310Skfall 	AUTH_DAT authdata;
4243310Skfall 	KTEXT_ST ticket;
4343310Skfall 	struct hostent *hp;
4443310Skfall 	unsigned long faddr;
4543367Skfall 	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
4643367Skfall 	char tkt_location[MAXPATHLEN];
4743310Skfall 
4843310Skfall 	/*
4949956Skarels 	 * Root logins don't use Kerberos.
5049956Skarels 	 * If we have a realm, try getting a ticket-granting ticket
5149956Skarels 	 * and using it to authenticate.  Otherwise, return
5249956Skarels 	 * failure so that we can try the normal passwd file
5349956Skarels 	 * for a password.  If that's ok, log the user in
5449956Skarels 	 * without issuing any tickets.
5543310Skfall 	 */
5649956Skarels 	if (strcmp(pw->pw_name, "root") == 0 ||
5749956Skarels 	    krb_get_lrealm(realm, 0) != KSUCCESS)
5849956Skarels 		return (1);
5943310Skfall 
6043310Skfall 	/*
6143367Skfall 	 * get TGT for local realm
6249956Skarels 	 * tickets are stored in a file named TKT_ROOT plus uid
6349958Skarels 	 * except for user.root tickets.
6443310Skfall 	 */
6543310Skfall 
6649958Skarels 	if (strcmp(instance, "root") != 0)
6749958Skarels 		(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
6849958Skarels 	else {
6949958Skarels 		(void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid);
7049958Skarels 		krbtkfile_env = tkt_location;
7149958Skarels 	}
7243367Skfall 	(void)krb_set_tkt_string(tkt_location);
7343310Skfall 
7449958Skarels 	/*
7549958Skarels 	 * Set real as well as effective ID to 0 for the moment,
7649958Skarels 	 * to make the kerberos library do the right thing.
7749958Skarels 	 */
7849958Skarels 	if (setuid(0) < 0) {
7949958Skarels 		perror("login: setuid");
8049958Skarels 		return (1);
8149958Skarels 	}
8249956Skarels 	kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
8343367Skfall 		    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
8443310Skfall 	/*
8543310Skfall 	 * If we got a TGT, get a local "rcmd" ticket and check it so as to
8643310Skfall 	 * ensure that we are not talking to a bogus Kerberos server.
8743310Skfall 	 *
8843310Skfall 	 * There are 2 cases where we still allow a login:
8943310Skfall 	 *	1: the VERIFY_SERVICE doesn't exist in the KDC
9043310Skfall 	 *	2: local host has no srvtab, as (hopefully) indicated by a
9143310Skfall 	 *	   return value of RD_AP_UNDEC from krb_rd_req().
9243310Skfall 	 */
9343310Skfall 	if (kerror != INTK_OK) {
9449956Skarels 		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
9543310Skfall 			syslog(LOG_ERR, "Kerberos intkt error: %s",
9643310Skfall 			    krb_err_txt[kerror]);
9747683Skfall 			dest_tkt();
9847683Skfall 		}
9949956Skarels 		return (1);
10043310Skfall 	}
10143310Skfall 
10243367Skfall 	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
10343367Skfall 		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
10443310Skfall 
10543310Skfall 	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
10643310Skfall 	savehost[sizeof(savehost)-1] = NULL;
10743310Skfall 
10843310Skfall 	/*
10943310Skfall 	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
11043310Skfall 	 * still allow login with tickets, but log the error condition.
11143310Skfall 	 */
11243367Skfall 
11343367Skfall 	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
11443310Skfall 	if (kerror == KDC_PR_UNKNOWN) {
11549956Skarels 		syslog(LOG_NOTICE,
11649956Skarels     		    "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
11749956Skarels 		    krb_err_txt[kerror], VERIFY_SERVICE, savehost);
11843310Skfall 		notickets = 0;
11943310Skfall 		return(0);
12043310Skfall 	}
12143310Skfall 
12243310Skfall 	if (kerror != KSUCCESS) {
12343310Skfall 		(void)printf("unable to use TGT: (%s)\n", krb_err_txt[kerror]);
12443310Skfall 		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
12543310Skfall 		    krb_err_txt[kerror]);
12643310Skfall 		dest_tkt();
12743367Skfall 		return(1);
12843310Skfall 	}
12943310Skfall 
13043310Skfall 	if (!(hp = gethostbyname(localhost))) {
13143310Skfall 		syslog(LOG_ERR, "couldn't get local host address");
13243367Skfall 		dest_tkt();
13343367Skfall 		return(1);
13443310Skfall 	}
13543367Skfall 
13643310Skfall 	bcopy((void *)hp->h_addr, (void *)&faddr, sizeof(faddr));
13743310Skfall 
13843310Skfall 	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
13943310Skfall 	    &authdata, "");
14043367Skfall 
14143310Skfall 	if (kerror == KSUCCESS) {
14243310Skfall 		notickets = 0;
14343310Skfall 		return(0);
14443310Skfall 	}
14543367Skfall 
14643367Skfall 	/* undecipherable: probably didn't have a srvtab on the local host */
14743310Skfall 	if (kerror = RD_AP_UNDEC) {
14843310Skfall 		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
14943367Skfall 		dest_tkt();
15043367Skfall 		return(1);
15143310Skfall 	}
15243367Skfall 	/* failed for some other reason */
15343310Skfall 	(void)printf("unable to verify %s ticket: (%s)\n", VERIFY_SERVICE,
15443310Skfall 	    krb_err_txt[kerror]);
15543310Skfall 	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
15643310Skfall 	    krb_err_txt[kerror]);
15743367Skfall 	dest_tkt();
15843367Skfall 	return(1);
15943310Skfall }
16043310Skfall #endif
161