xref: /netbsd-src/crypto/external/bsd/openssh/dist/gss-serv-krb5.c (revision b757af438b42b93f8c6571f026d8b8ef3eaf5fc9) 
1 /*	$NetBSD: gss-serv-krb5.c,v 1.5 2011/07/25 03:03:10 christos Exp $	*/
2 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
3 
4 /*
5  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  */
27 
28 #include "includes.h"
29 __RCSID("$NetBSD: gss-serv-krb5.c,v 1.5 2011/07/25 03:03:10 christos Exp $");
30 #ifdef GSSAPI
31 #ifdef KRB5
32 
33 #include <sys/types.h>
34 
35 #include <stdarg.h>
36 #include <string.h>
37 
38 #include "xmalloc.h"
39 #include "key.h"
40 #include "hostfile.h"
41 #include "auth.h"
42 #include "log.h"
43 
44 #include "buffer.h"
45 #include "servconf.h"
46 #include "ssh-gss.h"
47 
48 extern ServerOptions options;
49 
50 #ifdef HEIMDAL
51 # include <gssapi/gssapi_krb5.h>
52 #else
53 # ifdef HAVE_GSSAPI_KRB5_H
54 #  include <gssapi_krb5.h>
55 # elif HAVE_GSSAPI_GSSAPI_KRB5_H
56 #  include <gssapi/gssapi_krb5.h>
57 # endif
58 #endif
59 
60 static krb5_context krb_context = NULL;
61 
62 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
63 
64 static int
65 ssh_gssapi_krb5_init(void)
66 {
67 	krb5_error_code problem;
68 
69 	if (krb_context != NULL)
70 		return 1;
71 
72 	problem = krb5_init_context(&krb_context);
73 	if (problem) {
74 		logit("Cannot initialize krb5 context");
75 		return 0;
76 	}
77 #ifdef isneeded
78 	krb5_init_ets(krb_context);
79 #endif
80 
81 	return 1;
82 }
83 
84 /* Check if this user is OK to login. This only works with krb5 - other
85  * GSSAPI mechanisms will need their own.
86  * Returns true if the user is OK to log in, otherwise returns 0
87  */
88 
89 static int
90 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
91 {
92 	krb5_principal princ;
93 	int retval;
94 	const char *errtxt;
95 
96 	if (ssh_gssapi_krb5_init() == 0)
97 		return 0;
98 
99 	if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
100 	    &princ))) {
101 		errtxt = krb5_get_error_message(krb_context, retval);
102 		if (errtxt) {
103 			logit("krb5_parse_name(): %.100s", errtxt);
104 			krb5_free_error_message(krb_context, errtxt);
105 		} else
106 			logit("krb5_parse_name(): %d", retval);
107 		return 0;
108 	}
109 	if (krb5_kuserok(krb_context, princ, name)) {
110 		retval = 1;
111 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
112 		    name, (char *)client->displayname.value);
113 	} else
114 		retval = 0;
115 
116 	krb5_free_principal(krb_context, princ);
117 	return retval;
118 }
119 
120 
121 /* This writes out any forwarded credentials from the structure populated
122  * during userauth. Called after we have setuid to the user */
123 
124 static void
125 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
126 {
127 	krb5_ccache ccache;
128 	krb5_error_code problem;
129 	krb5_principal princ;
130 	OM_uint32 maj_status, min_status;
131 	int len;
132 	const char *errtxt;
133 
134 	if (client->creds == NULL) {
135 		debug("No credentials stored");
136 		return;
137 	}
138 
139 	if (ssh_gssapi_krb5_init() == 0)
140 		return;
141 
142 #ifdef HEIMDAL
143 	problem = krb5_cc_new_unique(krb_context, "FILE", NULL, &ccache);
144 	if (problem != 0) {
145 		errtxt = krb5_get_error_message(krb_context, problem);
146 		if (errtxt != NULL) {
147 			logit("krb5_cc_new_unique(): %.100s", errtxt);
148 			krb5_free_error_message(krb_context, errtxt);
149 		} else
150 			logit("krb5_cc_new_unique(): %d", problem);
151 		return;
152 	}
153 #else
154 	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
155 		logit("ssh_krb5_cc_gen(): %.100s",
156 		    krb5_get_err_text(krb_context, problem));
157 		return;
158 	}
159 #endif	/* #ifdef HEIMDAL */
160 
161 	if ((problem = krb5_parse_name(krb_context,
162 	    client->exportedname.value, &princ))) {
163 		errtxt = krb5_get_error_message(krb_context, problem);
164 		if (errtxt != NULL) {
165 			logit("krb5_parse_name(): %.100s", errtxt);
166 			krb5_free_error_message(krb_context, errtxt);
167 		} else
168 			logit("krb5_parse_name(): %d", problem);
169 		krb5_cc_destroy(krb_context, ccache);
170 		return;
171 	}
172 
173 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
174 		errtxt = krb5_get_error_message(krb_context, problem);
175 		if (errtxt != NULL) {
176 			logit("krb5_cc_initialize(): %.100s", errtxt);
177 			krb5_free_error_message(krb_context, errtxt);
178 		} else
179 			logit("krb5_cc_initialize(): %d", problem);
180 		krb5_free_principal(krb_context, princ);
181 		krb5_cc_destroy(krb_context, ccache);
182 		return;
183 	}
184 
185 	krb5_free_principal(krb_context, princ);
186 
187 	if ((maj_status = gss_krb5_copy_ccache(&min_status,
188 	    client->creds, ccache))) {
189 		logit("gss_krb5_copy_ccache() failed");
190 		krb5_cc_destroy(krb_context, ccache);
191 		return;
192 	}
193 
194 	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
195 	client->store.envvar = __UNCONST("KRB5CCNAME");
196 	len = strlen(client->store.filename) + 6;
197 	client->store.envval = xmalloc(len);
198 	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
199 
200 #ifdef USE_PAM
201 	if (options.use_pam)
202 		do_pam_putenv(client->store.envvar, client->store.envval);
203 #endif
204 
205 	krb5_cc_close(krb_context, ccache);
206 
207 	return;
208 }
209 
210 ssh_gssapi_mech gssapi_kerberos_mech = {
211 	"toWM5Slw5Ew8Mqkay+al2g==",
212 	"Kerberos",
213 	{9, __UNCONST("\x2A\x86\x48\x86\xF7\x12\x01\x02\x02")},
214 	NULL,
215 	&ssh_gssapi_krb5_userok,
216 	NULL,
217 	&ssh_gssapi_krb5_storecreds
218 };
219 
220 #endif /* KRB5 */
221 
222 #endif /* GSSAPI */
223