xref: /openbsd-src/usr.bin/ssh/auth-krb5.c (revision 43003dfe3ad45d1698bed8a37f2b0f5b14f20d4f) 
1 /* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
2 /*
3  *    Kerberos v5 authentication and ticket-passing routines.
4  *
5  * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
6  */
7 /*
8  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 #include <sys/types.h>
32 #include <pwd.h>
33 #include <stdarg.h>
34 
35 #include "xmalloc.h"
36 #include "ssh.h"
37 #include "ssh1.h"
38 #include "packet.h"
39 #include "log.h"
40 #include "buffer.h"
41 #include "servconf.h"
42 #include "uidswap.h"
43 #include "key.h"
44 #include "hostfile.h"
45 #include "auth.h"
46 
47 #ifdef KRB5
48 #include <krb5.h>
49 
50 extern ServerOptions	 options;
51 
52 static int
53 krb5_init(void *context)
54 {
55 	Authctxt *authctxt = (Authctxt *)context;
56 	krb5_error_code problem;
57 
58 	if (authctxt->krb5_ctx == NULL) {
59 		problem = krb5_init_context(&authctxt->krb5_ctx);
60 		if (problem)
61 			return (problem);
62 		krb5_init_ets(authctxt->krb5_ctx);
63 	}
64 	return (0);
65 }
66 
67 int
68 auth_krb5_password(Authctxt *authctxt, const char *password)
69 {
70 	krb5_error_code problem;
71 	krb5_ccache ccache = NULL;
72 
73 	temporarily_use_uid(authctxt->pw);
74 
75 	problem = krb5_init(authctxt);
76 	if (problem)
77 		goto out;
78 
79 	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
80 		    &authctxt->krb5_user);
81 	if (problem)
82 		goto out;
83 
84 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
85 	if (problem)
86 		goto out;
87 
88 	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
89 		authctxt->krb5_user);
90 	if (problem)
91 		goto out;
92 
93 	restore_uid();
94 
95 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
96 	    ccache, password, 1, NULL);
97 
98 	temporarily_use_uid(authctxt->pw);
99 
100 	if (problem)
101 		goto out;
102 
103 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
104 	    &authctxt->krb5_fwd_ccache);
105 	if (problem)
106 		goto out;
107 
108 	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
109 	    authctxt->krb5_fwd_ccache);
110 	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
111 	ccache = NULL;
112 	if (problem)
113 		goto out;
114 
115 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
116 	    authctxt->krb5_fwd_ccache);
117 
118  out:
119 	restore_uid();
120 
121 	if (problem) {
122 		if (ccache)
123 			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
124 
125 		if (authctxt->krb5_ctx != NULL)
126 			debug("Kerberos password authentication failed: %s",
127 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
128 		else
129 			debug("Kerberos password authentication failed: %d",
130 			    problem);
131 
132 		krb5_cleanup_proc(authctxt);
133 
134 		if (options.kerberos_or_local_passwd)
135 			return (-1);
136 		else
137 			return (0);
138 	}
139 	return (authctxt->valid ? 1 : 0);
140 }
141 
142 void
143 krb5_cleanup_proc(Authctxt *authctxt)
144 {
145 	debug("krb5_cleanup_proc called");
146 	if (authctxt->krb5_fwd_ccache) {
147 		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
148 		authctxt->krb5_fwd_ccache = NULL;
149 	}
150 	if (authctxt->krb5_user) {
151 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
152 		authctxt->krb5_user = NULL;
153 	}
154 	if (authctxt->krb5_ctx) {
155 		krb5_free_context(authctxt->krb5_ctx);
156 		authctxt->krb5_ctx = NULL;
157 	}
158 }
159 
160 #endif /* KRB5 */
161