Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
trn
/
j-hpn-ssh
zrkadlo git://github.com/johnsonjh/j-hpn-ssh
Pridať medzi pozorované 1
Hviezda 1
Fork 0
Súbory
Branch: master
Branche Tagy
j-hpn-ssh
/
auth-krb5.c

auth-krb5.c 6.9 KB
Permanentný odkaz História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273 
  1. /* $OpenBSD: auth-krb5.c,v 1.23 2018/07/09 21:35:50 markus Exp $ */
    2. 

  2. /*
    3. 

  3.  *    Kerberos v5 authentication and ticket-passing routines.
    4. 

  4.  *
    5. 

  5.  * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
    6. 

  6.  */
    7. 

  7. /*
    8. 

  8.  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
    9. 

  9.  *
    10. 

  10.  * Redistribution and use in source and binary forms, with or without
    11. 

  11.  * modification, are permitted provided that the following conditions
    12. 

  12.  * are met:
    13. 

  13.  * 1. Redistributions of source code must retain the above copyright
    14. 

  14.  *    notice, this list of conditions and the following disclaimer.
    15. 

  15.  * 2. Redistributions in binary form must reproduce the above copyright
    16. 

  16.  *    notice, this list of conditions and the following disclaimer in the
    17. 

  17.  *    documentation and/or other materials provided with the distribution.
    18. 

  18.  *
    19. 

  19.  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
    20. 

  20.  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
    21. 

  21.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
    22. 

  22.  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
    23. 

  23.  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
    24. 

  24.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
    25. 

  25.  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
    26. 

  26.  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    27. 

  27.  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
    28. 

  28.  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    29. 

  29.  */
    30. 

  30. 

  31. #include "includes.h"
    32. 

  32. 

  33. #include <sys/types.h>
    34. 

  34. #include <pwd.h>
    35. 

  35. #include <stdarg.h>
    36. 

  36. 

  37. #include "xmalloc.h"
    38. 

  38. #include "ssh.h"
    39. 

  39. #include "packet.h"
    40. 

  40. #include "log.h"
    41. 

  41. #include "sshbuf.h"
    42. 

  42. #include "sshkey.h"
    43. 

  43. #include "misc.h"
    44. 

  44. #include "servconf.h"
    45. 

  45. #include "uidswap.h"
    46. 

  46. #include "hostfile.h"
    47. 

  47. #include "auth.h"
    48. 

  48. 

  49. #ifdef KRB5
    50. 

  50. #include <errno.h>
    51. 

  51. #include <unistd.h>
    52. 

  52. #include <string.h>
    53. 

  53. #include <krb5.h>
    54. 

  54. 

  55. extern ServerOptions	 options;
    56. 

  56. 

  57. static int
    58. 

  58. krb5_init(void *context)
    59. 

  59. {
    60. 

  60. 	Authctxt *authctxt = (Authctxt *)context;
    61. 

  61. 	krb5_error_code problem;
    62. 

  62. 

  63. 	if (authctxt->krb5_ctx == NULL) {
    64. 

  64. 		problem = krb5_init_context(&authctxt->krb5_ctx);
    65. 

  65. 		if (problem)
    66. 

  66. 			return (problem);
    67. 

  67. 	}
    68. 

  68. 	return (0);
    69. 

  69. }
    70. 

  70. 

  71. int
    72. 

  72. auth_krb5_password(Authctxt *authctxt, const char *password)
    73. 

  73. {
    74. 

  74. #ifndef HEIMDAL
    75. 

  75. 	krb5_creds creds;
    76. 

  76. 	krb5_principal server;
    77. 

  77. #endif
    78. 

  78. 	krb5_error_code problem;
    79. 

  79. 	krb5_ccache ccache = NULL;
    80. 

  80. 	int len;
    81. 

  81. 	char *client, *platform_client;
    82. 

  82. 	const char *errmsg;
    83. 

  83. 

  84. 	/* get platform-specific kerberos client principal name (if it exists) */
    85. 

  85. 	platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
    86. 

  86. 	client = platform_client ? platform_client : authctxt->pw->pw_name;
    87. 

  87. 

  88. 	temporarily_use_uid(authctxt->pw);
    89. 

  89. 

  90. 	problem = krb5_init(authctxt);
    91. 

  91. 	if (problem)
    92. 

  92. 		goto out;
    93. 

  93. 

  94. 	problem = krb5_parse_name(authctxt->krb5_ctx, client,
    95. 

  95. 		    &authctxt->krb5_user);
    96. 

  96. 	if (problem)
    97. 

  97. 		goto out;
    98. 

  98. 

  99. #ifdef HEIMDAL
    100. 

  100. # ifdef HAVE_KRB5_CC_NEW_UNIQUE
    101. 

  101. 	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
    102. 

  102. 	     krb5_mcc_ops.prefix, NULL, &ccache);
    103. 

  103. # else
    104. 

  104. 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
    105. 

  105. # endif
    106. 

  106. 	if (problem)
    107. 

  107. 		goto out;
    108. 

  108. 

  109. 	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
    110. 

  110. 		authctxt->krb5_user);
    111. 

  111. 	if (problem)
    112. 

  112. 		goto out;
    113. 

  113. 

  114. 	restore_uid();
    115. 

  115. 

  116. 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
    117. 

  117. 	    ccache, password, 1, NULL);
    118. 

  118. 

  119. 	temporarily_use_uid(authctxt->pw);
    120. 

  120. 

  121. 	if (problem)
    122. 

  122. 		goto out;
    123. 

  123. 

  124. # ifdef HAVE_KRB5_CC_NEW_UNIQUE
    125. 

  125. 	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
    126. 

  126. 	     krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
    127. 

  127. # else
    128. 

  128. 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
    129. 

  129. 	    &authctxt->krb5_fwd_ccache);
    130. 

  130. # endif
    131. 

  131. 	if (problem)
    132. 

  132. 		goto out;
    133. 

  133. 

  134. 	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
    135. 

  135. 	    authctxt->krb5_fwd_ccache);
    136. 

  136. 	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
    137. 

  137. 	ccache = NULL;
    138. 

  138. 	if (problem)
    139. 

  139. 		goto out;
    140. 

  140. 

  141. #else
    142. 

  142. 	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
    143. 

  143. 	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
    144. 

  144. 	if (problem)
    145. 

  145. 		goto out;
    146. 

  146. 

  147. 	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
    148. 

  148. 	    KRB5_NT_SRV_HST, &server);
    149. 

  149. 	if (problem)
    150. 

  150. 		goto out;
    151. 

  151. 

  152. 	restore_uid();
    153. 

  153. 	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
    154. 

  154. 	    NULL, NULL, NULL);
    155. 

  155. 	krb5_free_principal(authctxt->krb5_ctx, server);
    156. 

  156. 	temporarily_use_uid(authctxt->pw);
    157. 

  157. 	if (problem)
    158. 

  158. 		goto out;
    159. 

  159. 

  160. 	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
    161. 

  161. 	    authctxt->pw->pw_name)) {
    162. 

  162. 		problem = -1;
    163. 

  163. 		goto out;
    164. 

  164. 	}
    165. 

  165. 

  166. 	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
    167. 

  167. 	if (problem)
    168. 

  168. 		goto out;
    169. 

  169. 

  170. 	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
    171. 

  171. 				     authctxt->krb5_user);
    172. 

  172. 	if (problem)
    173. 

  173. 		goto out;
    174. 

  174. 

  175. 	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
    176. 

  176. 				 &creds);
    177. 

  177. 	if (problem)
    178. 

  178. 		goto out;
    179. 

  179. #endif
    180. 

  180. 

  181. 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
    182. 

  182. 

  183. 	len = strlen(authctxt->krb5_ticket_file) + 6;
    184. 

  184. 	authctxt->krb5_ccname = xmalloc(len);
    185. 

  185. 	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
    186. 

  186. 	    authctxt->krb5_ticket_file);
    187. 

  187. 

  188. #ifdef USE_PAM
    189. 

  189. 	if (options.use_pam)
    190. 

  190. 		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
    191. 

  191. #endif
    192. 

  192. 

  193.  out:
    194. 

  194. 	restore_uid();
    195. 

  195. 	
    196. 

  196. 	free(platform_client);
    197. 

  197. 

  198. 	if (problem) {
    199. 

  199. 		if (ccache)
    200. 

  200. 			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
    201. 

  201. 

  202. 		if (authctxt->krb5_ctx != NULL && problem!=-1) {
    203. 

  203. 			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
    204. 

  204. 			    problem);
    205. 

  205.  			debug("Kerberos password authentication failed: %s",
    206. 

  206. 			    errmsg);
    207. 

  207. 			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
    208. 

  208. 		} else
    209. 

  209. 			debug("Kerberos password authentication failed: %d",
    210. 

  210. 			    problem);
    211. 

  211. 

  212. 		krb5_cleanup_proc(authctxt);
    213. 

  213. 

  214. 		if (options.kerberos_or_local_passwd)
    215. 

  215. 			return (-1);
    216. 

  216. 		else
    217. 

  217. 			return (0);
    218. 

  218. 	}
    219. 

  219. 	return (authctxt->valid ? 1 : 0);
    220. 

  220. }
    221. 

  221. 

  222. void
    223. 

  223. krb5_cleanup_proc(Authctxt *authctxt)
    224. 

  224. {
    225. 

  225. 	debug("krb5_cleanup_proc called");
    226. 

  226. 	if (authctxt->krb5_fwd_ccache) {
    227. 

  227. 		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
    228. 

  228. 		authctxt->krb5_fwd_ccache = NULL;
    229. 

  229. 	}
    230. 

  230. 	if (authctxt->krb5_user) {
    231. 

  231. 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
    232. 

  232. 		authctxt->krb5_user = NULL;
    233. 

  233. 	}
    234. 

  234. 	if (authctxt->krb5_ctx) {
    235. 

  235. 		krb5_free_context(authctxt->krb5_ctx);
    236. 

  236. 		authctxt->krb5_ctx = NULL;
    237. 

  237. 	}
    238. 

  238. }
    239. 

  239. 

  240. #ifndef HEIMDAL
    241. 

  241. krb5_error_code
    242. 

  242. ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
    243. 

  243. 	int tmpfd, ret, oerrno;
    244. 

  244. 	char ccname[40];
    245. 

  245. 	mode_t old_umask;
    246. 

  246. 

  247. 	ret = snprintf(ccname, sizeof(ccname),
    248. 

  248. 	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
    249. 

  249. 	if (ret < 0 || (size_t)ret >= sizeof(ccname))
    250. 

  250. 		return ENOMEM;
    251. 

  251. 

  252. 	old_umask = umask(0177);
    253. 

  253. 	tmpfd = mkstemp(ccname + strlen("FILE:"));
    254. 

  254. 	oerrno = errno;
    255. 

  255. 	umask(old_umask);
    256. 

  256. 	if (tmpfd == -1) {
    257. 

  257. 		logit("mkstemp(): %.100s", strerror(oerrno));
    258. 

  258. 		return oerrno;
    259. 

  259. 	}
    260. 

  260. 

  261. 	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
    262. 

  262. 		oerrno = errno;
    263. 

  263. 		logit("fchmod(): %.100s", strerror(oerrno));
    264. 

  264. 		close(tmpfd);
    265. 

  265. 		return oerrno;
    266. 

  266. 	}
    267. 

  267. 	close(tmpfd);
    268. 

  268. 

  269. 	return (krb5_cc_resolve(ctx, ccname, ccache));
    270. 

  270. }
    271. 

  271. #endif /* !HEIMDAL */
    272. 

  272. #endif /* KRB5 */
    273. 

  273.