xref: /freebsd/contrib/telnet/libtelnet/kerberos5.c (revision a9fcb51fbb8d2c5b47a35bcae5b4d5fb771c5985)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 /*
35  * Copyright (C) 1990 by the Massachusetts Institute of Technology
36  *
37  * Export of this software from the United States of America may
38  * require a specific license from the United States Government.
39  * It is the responsibility of any person or organization contemplating
40  * export to obtain such a license before exporting.
41  *
42  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43  * distribute this software and its documentation for any purpose and
44  * without fee is hereby granted, provided that the above copyright
45  * notice appear in all copies and that both that copyright notice and
46  * this permission notice appear in supporting documentation, and that
47  * the name of M.I.T. not be used in advertising or publicity pertaining
48  * to distribution of the software without specific, written prior
49  * permission.  M.I.T. makes no representations about the suitability of
50  * this software for any purpose.  It is provided "as is" without express
51  * or implied warranty.
52  */
53 
54 #include <sys/cdefs.h>
55 
56 __FBSDID("$FreeBSD$");
57 
58 #ifdef	KRB5
59 
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71 
72 #include "encrypt.h"
73 #include "auth.h"
74 #include "misc.h"
75 
76 int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */
77 
78 /* These values need to be the same as those defined in telnet/main.c. */
79 /* Either define them in both places, or put in some common header file. */
80 #define OPTS_FORWARD_CREDS	0x00000002
81 #define OPTS_FORWARDABLE_CREDS	0x00000001
82 
83 void kerberos5_forward (Authenticator *);
84 
85 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
86 			  		AUTHTYPE_KERBEROS_V5, };
87 
88 #define	KRB_AUTH		0	/* Authentication data follows */
89 #define	KRB_REJECT		1	/* Rejected (reason might follow) */
90 #define	KRB_ACCEPT		2	/* Accepted */
91 #define	KRB_RESPONSE		3	/* Response for mutual auth. */
92 
93 #define KRB_FORWARD     	4       /* Forwarded credentials follow */
94 #define KRB_FORWARD_ACCEPT     	5       /* Forwarded credentials accepted */
95 #define KRB_FORWARD_REJECT     	6       /* Forwarded credentials rejected */
96 
97 static	krb5_data auth;
98 static  krb5_ticket *ticket;
99 
100 static krb5_context context;
101 static krb5_auth_context auth_context;
102 
103 static void
104 print_krb5_error(krb5_context context, krb5_error_code code, const char *msg)
105 {
106 	const char *error_message;
107 
108 	error_message = krb5_get_error_message(context, code);
109 	printf(msg, error_message);
110 	krb5_free_error_message(context, error_message);
111 }
112 
113 static int
114 Data(Authenticator *ap, int type, const char *d, int c)
115 {
116     unsigned char *p = str_data + 4;
117     const unsigned char *cd = d;
118 
119     if (c == -1)
120 	c = strlen(cd);
121 
122     if (auth_debug_mode) {
123 	printf("%s:%d: [%d] (%d)",
124 	       str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
125 	       str_data[3],
126 	       type, c);
127 	printd(d, c);
128 	printf("\r\n");
129     }
130     *p++ = ap->type;
131     *p++ = ap->way;
132     *p++ = type;
133     while (c-- > 0) {
134 	if ((*p++ = *cd++) == IAC)
135 	    *p++ = IAC;
136     }
137     *p++ = IAC;
138     *p++ = SE;
139     if (str_data[3] == TELQUAL_IS)
140 	printsub('>', &str_data[2], p - &str_data[2]);
141     return(net_write(str_data, p - str_data));
142 }
143 
144 int
145 kerberos5_init(Authenticator *ap __unused, int server)
146 {
147     krb5_error_code ret;
148 
149     ret = krb5_init_context(&context);
150     if (ret)
151 	return 0;
152     if (server) {
153 	krb5_keytab kt;
154 	krb5_kt_cursor cursor;
155 
156 	ret = krb5_kt_default(context, &kt);
157 	if (ret)
158 	    return 0;
159 
160 	ret = krb5_kt_start_seq_get (context, kt, &cursor);
161 	if (ret) {
162 	    krb5_kt_close (context, kt);
163 	    return 0;
164 	}
165 	krb5_kt_end_seq_get (context, kt, &cursor);
166 	krb5_kt_close (context, kt);
167 
168 	str_data[3] = TELQUAL_REPLY;
169     } else
170 	str_data[3] = TELQUAL_IS;
171     return(1);
172 }
173 
174 extern int net;
175 
176 static int
177 kerberos5_send(const char *name, Authenticator *ap)
178 {
179     krb5_error_code ret;
180     krb5_ccache ccache;
181     int ap_opts;
182     krb5_data cksum_data;
183     char foo[2];
184 
185     if (!UserNameRequested) {
186 	if (auth_debug_mode) {
187 	    printf("Kerberos V5: no user name supplied\r\n");
188 	}
189 	return(0);
190     }
191 
192     ret = krb5_cc_default(context, &ccache);
193     if (ret) {
194 	if (auth_debug_mode) {
195 	    print_krb5_error(context, ret, "Kerberos V5: could not get default ccache: %s\r\n");
196 	}
197 	return 0;
198     }
199 
200     if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
201 	ap_opts = AP_OPTS_MUTUAL_REQUIRED;
202     else
203 	ap_opts = 0;
204     ap_opts |= AP_OPTS_USE_SUBKEY;
205 
206     ret = krb5_auth_con_init (context, &auth_context);
207     if (ret) {
208 	if (auth_debug_mode) {
209 	    print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n");
210 	}
211 	return(0);
212     }
213 
214     ret = krb5_auth_con_setaddrs_from_fd (context,
215 					  auth_context,
216 					  &net);
217     if (ret) {
218 	if (auth_debug_mode) {
219 	    print_krb5_error(context, ret, "Kerberos V5:"
220 		    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n");
221 	}
222 	return(0);
223     }
224 
225     krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
226 
227     foo[0] = ap->type;
228     foo[1] = ap->way;
229 
230     cksum_data.length = sizeof(foo);
231     cksum_data.data   = foo;
232 
233 
234     {
235 	krb5_principal service;
236 	char sname[128];
237 
238 
239 	ret = krb5_sname_to_principal (context,
240 				       RemoteHostName,
241 				       NULL,
242 				       KRB5_NT_SRV_HST,
243 				       &service);
244 	if(ret) {
245 	    if (auth_debug_mode) {
246 		const char *err_str;
247 
248 		err_str = krb5_get_error_message(context, ret);
249 		printf("Kerberosr V5:"
250 			" krb5_sname_to_principal(%s) failed (%s)\r\n",
251 			RemoteHostName, err_str);
252 		krb5_free_error_message(context, err_str);
253 	    }
254 	    return 0;
255 	}
256 	ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
257 	if(ret) {
258 	    if (auth_debug_mode) {
259 		print_krb5_error(context, ret, "Kerberos V5:"
260 			" krb5_unparse_name_fixed failed (%s)\r\n");
261 	    }
262 	    return 0;
263 	}
264 	printf("[ Trying %s (%s)... ]\r\n", name, sname);
265 	ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
266 				service,
267 				&cksum_data, ccache, &auth);
268 	krb5_free_principal (context, service);
269 
270     }
271     if (ret) {
272 	if (1 || auth_debug_mode) {
273 	    print_krb5_error(context, ret, "Kerberos V5: mk_req failed (%s)\r\n");
274 	}
275 	return(0);
276     }
277 
278     if (!auth_sendname((unsigned char *)UserNameRequested,
279 		       strlen(UserNameRequested))) {
280 	if (auth_debug_mode)
281 	    printf("Not enough room for user name\r\n");
282 	return(0);
283     }
284     if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
285 	if (auth_debug_mode)
286 	    printf("Not enough room for authentication data\r\n");
287 	return(0);
288     }
289     if (auth_debug_mode) {
290 	printf("Sent Kerberos V5 credentials to server\r\n");
291     }
292     return(1);
293 }
294 
295 int
296 kerberos5_send_mutual(Authenticator *ap)
297 {
298     return kerberos5_send("mutual KERBEROS5", ap);
299 }
300 
301 int
302 kerberos5_send_oneway(Authenticator *ap)
303 {
304     return kerberos5_send("KERBEROS5", ap);
305 }
306 
307 void
308 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
309 {
310     krb5_error_code ret;
311     krb5_data outbuf;
312     krb5_keyblock *key_block;
313     char *name;
314     krb5_principal server;
315     int zero = 0;
316 
317     if (cnt-- < 1)
318 	return;
319     switch (*data++) {
320     case KRB_AUTH:
321 	auth.data = (char *)data;
322 	auth.length = cnt;
323 
324 	auth_context = NULL;
325 
326 	ret = krb5_auth_con_init (context, &auth_context);
327 	if (ret) {
328 	    Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
329 	    auth_finished(ap, AUTH_REJECT);
330 	    if (auth_debug_mode)
331 		print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n");
332 	    return;
333 	}
334 
335 	ret = krb5_auth_con_setaddrs_from_fd (context,
336 					      auth_context,
337 					      &zero);
338 	if (ret) {
339 	    Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
340 	    auth_finished(ap, AUTH_REJECT);
341 	    if (auth_debug_mode)
342 		print_krb5_error(context, ret, "Kerberos V5: "
343 		       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n");
344 	    return;
345 	}
346 
347 	ret = krb5_sock_to_principal (context,
348 				      0,
349 				      "host",
350 				      KRB5_NT_SRV_HST,
351 				      &server);
352 	if (ret) {
353 	    Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
354 	    auth_finished(ap, AUTH_REJECT);
355 	    if (auth_debug_mode)
356 		print_krb5_error(context, ret, "Kerberos V5: "
357 		       "krb5_sock_to_principal failed (%s)\r\n");
358 	    return;
359 	}
360 
361 	ret = krb5_rd_req(context,
362 			  &auth_context,
363 			  &auth,
364 			  server,
365 			  NULL,
366 			  NULL,
367 			  &ticket);
368 
369 	krb5_free_principal (context, server);
370 	if (ret) {
371 	    char *errbuf;
372 	    const char *err_str;
373 
374 	    err_str = krb5_get_error_message(context, ret);
375 	    asprintf(&errbuf,
376 		     "Read req failed: %s", err_str);
377 	    krb5_free_error_message(context, err_str);
378 	    Data(ap, KRB_REJECT, errbuf, -1);
379 	    if (auth_debug_mode)
380 		printf("%s\r\n", errbuf);
381 	    free (errbuf);
382 	    return;
383 	}
384 
385 	{
386 	    char foo[2];
387 
388 	    foo[0] = ap->type;
389 	    foo[1] = ap->way;
390 
391 	    ret = krb5_verify_authenticator_checksum(context,
392 						     auth_context,
393 						     foo,
394 						     sizeof(foo));
395 
396 	    if (ret) {
397 		char *errbuf;
398 		const char *err_str;
399 
400 		err_str = krb5_get_error_message(context, ret);
401 		asprintf(&errbuf, "Bad checksum: %s", err_str);
402 		krb5_free_error_message(context, err_str);
403 		Data(ap, KRB_REJECT, errbuf, -1);
404 		if (auth_debug_mode)
405 		    printf ("%s\r\n", errbuf);
406 		free(errbuf);
407 		return;
408 	    }
409 	}
410 	ret = krb5_auth_con_getremotesubkey (context,
411 					     auth_context,
412 					     &key_block);
413 
414 	if (ret) {
415 	    Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
416 	    auth_finished(ap, AUTH_REJECT);
417 	    if (auth_debug_mode)
418 		print_krb5_error(context, ret, "Kerberos V5: "
419 		       "krb5_auth_con_getremotesubkey failed (%s)\r\n");
420 	    return;
421 	}
422 
423 	if (key_block == NULL) {
424 	    ret = krb5_auth_con_getkey(context,
425 				       auth_context,
426 				       &key_block);
427 	}
428 	if (ret) {
429 	    Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
430 	    auth_finished(ap, AUTH_REJECT);
431 	    if (auth_debug_mode)
432 		print_krb5_error(context, ret, "Kerberos V5: "
433 		       "krb5_auth_con_getkey failed (%s)\r\n");
434 	    return;
435 	}
436 	if (key_block == NULL) {
437 	    Data(ap, KRB_REJECT, "no subkey received", -1);
438 	    auth_finished(ap, AUTH_REJECT);
439 	    if (auth_debug_mode)
440 		printf("Kerberos V5: "
441 		       "krb5_auth_con_getremotesubkey returned NULL key\r\n");
442 	    return;
443 	}
444 
445 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
446 	    ret = krb5_mk_rep(context, auth_context, &outbuf);
447 	    if (ret) {
448 		Data(ap, KRB_REJECT,
449 		     "krb5_mk_rep failed", -1);
450 		auth_finished(ap, AUTH_REJECT);
451 		if (auth_debug_mode)
452 		    print_krb5_error(context, ret, "Kerberos V5: "
453 			   "krb5_mk_rep failed (%s)\r\n");
454 		return;
455 	    }
456 	    Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
457 	}
458 	if (krb5_unparse_name(context, ticket->client, &name))
459 	    name = 0;
460 
461 	if(UserNameRequested && krb5_kuserok(context,
462 					     ticket->client,
463 					     UserNameRequested)) {
464 	    Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
465 	    if (auth_debug_mode) {
466 		printf("Kerberos5 identifies him as ``%s''\r\n",
467 		       name ? name : "");
468 	    }
469 
470 	    if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
471 	       key_block->keytype == ETYPE_DES_CBC_MD4 ||
472 	       key_block->keytype == ETYPE_DES_CBC_CRC) {
473 		Session_Key skey;
474 
475 		skey.type = SK_DES;
476 		skey.length = 8;
477 		skey.data = key_block->keyvalue.data;
478 		encrypt_session_key(&skey, 0);
479 	    }
480 
481 	} else {
482 	    char *msg;
483 
484 	    asprintf (&msg, "user `%s' is not authorized to "
485 		      "login as `%s'",
486 		      name ? name : "<unknown>",
487 		      UserNameRequested ? UserNameRequested : "<nobody>");
488 	    if (msg == NULL)
489 		Data(ap, KRB_REJECT, NULL, 0);
490 	    else {
491 		Data(ap, KRB_REJECT, (void *)msg, -1);
492 		free(msg);
493 	    }
494 	    auth_finished (ap, AUTH_REJECT);
495 	    krb5_free_keyblock_contents(context, key_block);
496 	    break;
497 	}
498 	auth_finished(ap, AUTH_USER);
499 	krb5_free_keyblock_contents(context, key_block);
500 
501 	break;
502     case KRB_FORWARD: {
503 	struct passwd *pwd;
504 	char ccname[1024];	/* XXX */
505 	krb5_data inbuf;
506 	krb5_ccache ccache;
507 	inbuf.data = (char *)data;
508 	inbuf.length = cnt;
509 
510 	pwd = getpwnam (UserNameRequested);
511 	if (pwd == NULL)
512 	    break;
513 
514 	snprintf (ccname, sizeof(ccname),
515 		  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
516 
517 	ret = krb5_cc_resolve (context, ccname, &ccache);
518 	if (ret) {
519 	    if (auth_debug_mode)
520 		print_krb5_error(context, ret, "Kerberos V5: could not get ccache: %s\r\n");
521 	    break;
522 	}
523 
524 	ret = krb5_cc_initialize (context,
525 				  ccache,
526 				  ticket->client);
527 	if (ret) {
528 	    if (auth_debug_mode)
529 		print_krb5_error(context, ret, "Kerberos V5: could not init ccache: %s\r\n");
530 	    break;
531 	}
532 
533 #if defined(DCE)
534 	esetenv("KRB5CCNAME", ccname, 1);
535 #endif
536 	ret = krb5_rd_cred2 (context,
537 			     auth_context,
538 			     ccache,
539 			     &inbuf);
540 	if(ret) {
541 	    char *errbuf;
542 	    const char *err_str;
543 
544 	    err_str = krb5_get_error_message(context, ret);
545 	    asprintf (&errbuf,
546 		      "Read forwarded creds failed: %s", err_str);
547 	    krb5_free_error_message(context, err_str);
548 	    if(errbuf == NULL)
549 		Data(ap, KRB_FORWARD_REJECT, NULL, 0);
550 	    else
551 		Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
552 	    if (auth_debug_mode)
553 		printf("Could not read forwarded credentials: %s\r\n",
554 		       errbuf);
555 	    free (errbuf);
556 	} else {
557 	    Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
558 #if defined(DCE)
559 	    dfsfwd = 1;
560 #endif
561 	}
562 	chown (ccname + 5, pwd->pw_uid, -1);
563 	if (auth_debug_mode)
564 	    printf("Forwarded credentials obtained\r\n");
565 	break;
566     }
567     default:
568 	if (auth_debug_mode)
569 	    printf("Unknown Kerberos option %d\r\n", data[-1]);
570 	Data(ap, KRB_REJECT, 0, 0);
571 	break;
572     }
573 }
574 
575 void
576 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
577 {
578     static int mutual_complete = 0;
579 
580     if (cnt-- < 1)
581 	return;
582     switch (*data++) {
583     case KRB_REJECT:
584 	if (cnt > 0) {
585 	    printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
586 		   cnt, data);
587 	} else
588 	    printf("[ Kerberos V5 refuses authentication ]\r\n");
589 	auth_send_retry();
590 	return;
591     case KRB_ACCEPT: {
592 	krb5_error_code ret;
593 	Session_Key skey;
594 	krb5_keyblock *keyblock;
595 
596 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
597 	    !mutual_complete) {
598 	    printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
599 	    auth_send_retry();
600 	    return;
601 	}
602 	if (cnt)
603 	    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
604 	else
605 	    printf("[ Kerberos V5 accepts you ]\r\n");
606 
607 	ret = krb5_auth_con_getlocalsubkey (context,
608 					    auth_context,
609 					    &keyblock);
610 	if (ret)
611 	    ret = krb5_auth_con_getkey (context,
612 					auth_context,
613 					&keyblock);
614 	if(ret) {
615 	    print_krb5_error(context, ret, "[ krb5_auth_con_getkey: %s ]\r\n");
616 	    auth_send_retry();
617 	    return;
618 	}
619 
620 	skey.type = SK_DES;
621 	skey.length = 8;
622 	skey.data = keyblock->keyvalue.data;
623 	encrypt_session_key(&skey, 0);
624 	krb5_free_keyblock_contents (context, keyblock);
625 	auth_finished(ap, AUTH_USER);
626 	if (forward_flags & OPTS_FORWARD_CREDS)
627 	    kerberos5_forward(ap);
628 	break;
629     }
630     case KRB_RESPONSE:
631 	if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
632 	    /* the rest of the reply should contain a krb_ap_rep */
633 	  krb5_ap_rep_enc_part *reply;
634 	  krb5_data inbuf;
635 	  krb5_error_code ret;
636 
637 	  inbuf.length = cnt;
638 	  inbuf.data = (char *)data;
639 
640 	  ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
641 	  if (ret) {
642 	      print_krb5_error(context, ret, "[ Mutual authentication failed: %s ]\r\n");
643 	      auth_send_retry();
644 	      return;
645 	  }
646 	  krb5_free_ap_rep_enc_part(context, reply);
647 	  mutual_complete = 1;
648 	}
649 	return;
650     case KRB_FORWARD_ACCEPT:
651 	printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
652 	return;
653     case KRB_FORWARD_REJECT:
654 	printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
655 	       cnt, data);
656 	return;
657     default:
658 	if (auth_debug_mode)
659 	    printf("Unknown Kerberos option %d\r\n", data[-1]);
660 	return;
661     }
662 }
663 
664 int
665 kerberos5_status(Authenticator *ap __unused, char *name, int level)
666 {
667     if (level < AUTH_USER)
668 	return(level);
669 
670     if (UserNameRequested &&
671 	krb5_kuserok(context,
672 		     ticket->client,
673 		     UserNameRequested))
674 	{
675 	    strcpy(name, UserNameRequested);
676 	    return(AUTH_VALID);
677 	} else
678 	    return(AUTH_USER);
679 }
680 
681 #define	BUMP(buf, len)		while (*(buf)) {++(buf), --(len);}
682 #define	ADDC(buf, len, c)	if ((len) > 0) {*(buf)++ = (c); --(len);}
683 
684 void
685 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
686 {
687     int i;
688 
689     buf[buflen-1] = '\0';		/* make sure its NULL terminated */
690     buflen -= 1;
691 
692     switch(data[3]) {
693     case KRB_REJECT:		/* Rejected (reason might follow) */
694 	strlcpy((char *)buf, " REJECT ", buflen);
695 	goto common;
696 
697     case KRB_ACCEPT:		/* Accepted (name might follow) */
698 	strlcpy((char *)buf, " ACCEPT ", buflen);
699     common:
700 	BUMP(buf, buflen);
701 	if (cnt <= 4)
702 	    break;
703 	ADDC(buf, buflen, '"');
704 	for (i = 4; i < cnt; i++)
705 	    ADDC(buf, buflen, data[i]);
706 	ADDC(buf, buflen, '"');
707 	ADDC(buf, buflen, '\0');
708 	break;
709 
710 
711     case KRB_AUTH:			/* Authentication data follows */
712 	strlcpy((char *)buf, " AUTH", buflen);
713 	goto common2;
714 
715     case KRB_RESPONSE:
716 	strlcpy((char *)buf, " RESPONSE", buflen);
717 	goto common2;
718 
719     case KRB_FORWARD:		/* Forwarded credentials follow */
720 	strlcpy((char *)buf, " FORWARD", buflen);
721 	goto common2;
722 
723     case KRB_FORWARD_ACCEPT:	/* Forwarded credentials accepted */
724 	strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
725 	goto common2;
726 
727     case KRB_FORWARD_REJECT:	/* Forwarded credentials rejected */
728 	/* (reason might follow) */
729 	strlcpy((char *)buf, " FORWARD_REJECT", buflen);
730 	goto common2;
731 
732     default:
733 	snprintf(buf, buflen, " %d (unknown)", data[3]);
734     common2:
735 	BUMP(buf, buflen);
736 	for (i = 4; i < cnt; i++) {
737 	    snprintf(buf, buflen, " %d", data[i]);
738 	    BUMP(buf, buflen);
739 	}
740 	break;
741     }
742 }
743 
744 void
745 kerberos5_forward(Authenticator *ap)
746 {
747     krb5_error_code ret;
748     krb5_ccache     ccache;
749     krb5_creds      creds;
750     krb5_kdc_flags  flags;
751     krb5_data       out_data;
752     krb5_principal  principal;
753 
754     ret = krb5_cc_default (context, &ccache);
755     if (ret) {
756 	if (auth_debug_mode)
757 	    print_krb5_error(context, ret, "KerberosV5: could not get default ccache: %s\r\n");
758 	return;
759     }
760 
761     ret = krb5_cc_get_principal (context, ccache, &principal);
762     if (ret) {
763 	if (auth_debug_mode)
764 	    print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n");
765 	return;
766     }
767 
768     memset (&creds, 0, sizeof(creds));
769 
770     creds.client = principal;
771 
772     ret = krb5_build_principal (context,
773 				&creds.server,
774 				strlen(principal->realm),
775 				principal->realm,
776 				"krbtgt",
777 				principal->realm,
778 				NULL);
779 
780     if (ret) {
781 	if (auth_debug_mode)
782 	    print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n");
783 	return;
784     }
785 
786     creds.times.endtime = 0;
787 
788     flags.i = 0;
789     flags.b.forwarded = 1;
790     if (forward_flags & OPTS_FORWARDABLE_CREDS)
791 	flags.b.forwardable = 1;
792 
793     ret = krb5_get_forwarded_creds (context,
794 				    auth_context,
795 				    ccache,
796 				    flags.i,
797 				    RemoteHostName,
798 				    &creds,
799 				    &out_data);
800     if (ret) {
801 	if (auth_debug_mode)
802 	    print_krb5_error(context, ret, "Kerberos V5: error getting forwarded creds: %s\r\n");
803 	return;
804     }
805 
806     if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
807 	if (auth_debug_mode)
808 	    printf("Not enough room for authentication data\r\n");
809     } else {
810 	if (auth_debug_mode)
811 	    printf("Forwarded local Kerberos V5 credentials to server\r\n");
812     }
813 }
814 
815 #if defined(DCE)
816 /* if this was a K5 authentication try and join a PAG for the user. */
817 void
818 kerberos5_dfspag(void)
819 {
820     if (dfsk5ok) {
821 	dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
822 			      UserNameRequested);
823     }
824 }
825 #endif
826 
827 #endif /* KRB5 */
828