xref: /csrg-svn/usr.bin/login/klogin.c (revision 63061) 
143310Skfall /*-
2*63061Sbostic  * Copyright (c) 1990, 1993
3*63061Sbostic  *	The Regents of the University of California.  All rights reserved.
443310Skfall  *
543310Skfall  * %sccs.include.redist.c%
643310Skfall  */
743310Skfall 
843310Skfall #ifndef lint
9*63061Sbostic static char sccsid[] = "@(#)klogin.c	8.1 (Berkeley) 06/09/93";
1043310Skfall #endif /* not lint */
1143310Skfall 
1243310Skfall #ifdef KERBEROS
1343310Skfall #include <sys/param.h>
1443310Skfall #include <sys/syslog.h>
1543310Skfall #include <kerberosIV/des.h>
1643310Skfall #include <kerberosIV/krb.h>
1743310Skfall #include <pwd.h>
1843310Skfall #include <netdb.h>
1954548Sbostic #include <stdio.h>
2054548Sbostic #include <string.h>
2154548Sbostic #include <unistd.h>
2243310Skfall 
2343310Skfall #define	INITIAL_TICKET	"krbtgt"
2443310Skfall #define	VERIFY_SERVICE	"rcmd"
2543310Skfall 
2643310Skfall extern int notickets;
2749958Skarels extern char *krbtkfile_env;
2843310Skfall 
2943310Skfall /*
3043367Skfall  * Attempt to log the user in using Kerberos authentication
3143367Skfall  *
3243367Skfall  * return 0 on success (will be logged in)
3343367Skfall  *	  1 if Kerberos failed (try local password in login)
3443310Skfall  */
3554548Sbostic int
3649956Skarels klogin(pw, instance, localhost, password)
3743310Skfall 	struct passwd *pw;
3849956Skarels 	char *instance, *localhost, *password;
3943310Skfall {
4043310Skfall 	int kerror;
4143310Skfall 	AUTH_DAT authdata;
4243310Skfall 	KTEXT_ST ticket;
4343310Skfall 	struct hostent *hp;
4443310Skfall 	unsigned long faddr;
4543367Skfall 	char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
4643367Skfall 	char tkt_location[MAXPATHLEN];
4755046Sbostic 	char *krb_get_phost();
4843310Skfall 
4943310Skfall 	/*
5049956Skarels 	 * Root logins don't use Kerberos.
5149956Skarels 	 * If we have a realm, try getting a ticket-granting ticket
5249956Skarels 	 * and using it to authenticate.  Otherwise, return
5349956Skarels 	 * failure so that we can try the normal passwd file
5449956Skarels 	 * for a password.  If that's ok, log the user in
5549956Skarels 	 * without issuing any tickets.
5643310Skfall 	 */
5749956Skarels 	if (strcmp(pw->pw_name, "root") == 0 ||
5849956Skarels 	    krb_get_lrealm(realm, 0) != KSUCCESS)
5949956Skarels 		return (1);
6043310Skfall 
6143310Skfall 	/*
6243367Skfall 	 * get TGT for local realm
6349956Skarels 	 * tickets are stored in a file named TKT_ROOT plus uid
6449958Skarels 	 * except for user.root tickets.
6543310Skfall 	 */
6643310Skfall 
6749958Skarels 	if (strcmp(instance, "root") != 0)
6849958Skarels 		(void)sprintf(tkt_location, "%s%d", TKT_ROOT, pw->pw_uid);
6949958Skarels 	else {
7049958Skarels 		(void)sprintf(tkt_location, "%s_root_%d", TKT_ROOT, pw->pw_uid);
7149958Skarels 		krbtkfile_env = tkt_location;
7249958Skarels 	}
7343367Skfall 	(void)krb_set_tkt_string(tkt_location);
7443310Skfall 
7549958Skarels 	/*
7649958Skarels 	 * Set real as well as effective ID to 0 for the moment,
7749958Skarels 	 * to make the kerberos library do the right thing.
7849958Skarels 	 */
7949958Skarels 	if (setuid(0) < 0) {
8049958Skarels 		perror("login: setuid");
8149958Skarels 		return (1);
8249958Skarels 	}
8349956Skarels 	kerror = krb_get_pw_in_tkt(pw->pw_name, instance,
8443367Skfall 		    realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password);
8543310Skfall 	/*
8643310Skfall 	 * If we got a TGT, get a local "rcmd" ticket and check it so as to
8743310Skfall 	 * ensure that we are not talking to a bogus Kerberos server.
8843310Skfall 	 *
8943310Skfall 	 * There are 2 cases where we still allow a login:
9043310Skfall 	 *	1: the VERIFY_SERVICE doesn't exist in the KDC
9143310Skfall 	 *	2: local host has no srvtab, as (hopefully) indicated by a
9243310Skfall 	 *	   return value of RD_AP_UNDEC from krb_rd_req().
9343310Skfall 	 */
9443310Skfall 	if (kerror != INTK_OK) {
9549956Skarels 		if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) {
9643310Skfall 			syslog(LOG_ERR, "Kerberos intkt error: %s",
9743310Skfall 			    krb_err_txt[kerror]);
9847683Skfall 			dest_tkt();
9947683Skfall 		}
10049956Skarels 		return (1);
10143310Skfall 	}
10243310Skfall 
10343367Skfall 	if (chown(TKT_FILE, pw->pw_uid, pw->pw_gid) < 0)
10443367Skfall 		syslog(LOG_ERR, "chown tkfile (%s): %m", TKT_FILE);
10543310Skfall 
10643310Skfall 	(void)strncpy(savehost, krb_get_phost(localhost), sizeof(savehost));
10743310Skfall 	savehost[sizeof(savehost)-1] = NULL;
10843310Skfall 
10943310Skfall 	/*
11043310Skfall 	 * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host,
11143310Skfall 	 * still allow login with tickets, but log the error condition.
11243310Skfall 	 */
11343367Skfall 
11443367Skfall 	kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33);
11543310Skfall 	if (kerror == KDC_PR_UNKNOWN) {
11649956Skarels 		syslog(LOG_NOTICE,
11749956Skarels     		    "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?",
11849956Skarels 		    krb_err_txt[kerror], VERIFY_SERVICE, savehost);
11943310Skfall 		notickets = 0;
12043310Skfall 		return(0);
12143310Skfall 	}
12243310Skfall 
12343310Skfall 	if (kerror != KSUCCESS) {
12443310Skfall 		(void)printf("unable to use TGT: (%s)\n", krb_err_txt[kerror]);
12543310Skfall 		syslog(LOG_NOTICE, "unable to use TGT: (%s)",
12643310Skfall 		    krb_err_txt[kerror]);
12743310Skfall 		dest_tkt();
12843367Skfall 		return(1);
12943310Skfall 	}
13043310Skfall 
13143310Skfall 	if (!(hp = gethostbyname(localhost))) {
13243310Skfall 		syslog(LOG_ERR, "couldn't get local host address");
13343367Skfall 		dest_tkt();
13443367Skfall 		return(1);
13543310Skfall 	}
13643367Skfall 
13743310Skfall 	bcopy((void *)hp->h_addr, (void *)&faddr, sizeof(faddr));
13843310Skfall 
13943310Skfall 	kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr,
14043310Skfall 	    &authdata, "");
14143367Skfall 
14243310Skfall 	if (kerror == KSUCCESS) {
14343310Skfall 		notickets = 0;
14443310Skfall 		return(0);
14543310Skfall 	}
14643367Skfall 
14743367Skfall 	/* undecipherable: probably didn't have a srvtab on the local host */
14843310Skfall 	if (kerror = RD_AP_UNDEC) {
14943310Skfall 		syslog(LOG_NOTICE, "krb_rd_req: (%s)\n", krb_err_txt[kerror]);
15043367Skfall 		dest_tkt();
15143367Skfall 		return(1);
15243310Skfall 	}
15343367Skfall 	/* failed for some other reason */
15443310Skfall 	(void)printf("unable to verify %s ticket: (%s)\n", VERIFY_SERVICE,
15543310Skfall 	    krb_err_txt[kerror]);
15643310Skfall 	syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE,
15743310Skfall 	    krb_err_txt[kerror]);
15843367Skfall 	dest_tkt();
15943367Skfall 	return(1);
16043310Skfall }
16143310Skfall #endif
162