1 /*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 
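 */

/*
 * Copyright (C) 1990 by the Massachusetts Institute of Technology
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 */

#include <config.h>

RCSID("$Id: kerberos5.c,v 1.53.2.1 2004/06/21 08:21:07 lha Exp $");

#ifdef KRB5

#include <arpa/telnet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <ctype.h>
#include <pwd.h>
#define Authenticator k5_Authenticator
#include <krb5.h>
#undef Authenticator
#include <roken.h>
#ifdef SOCKS
#include <socks.h>
#endif


#include "encrypt.h"
#include "auth.h"
#include "misc.h"

#if defined(DCE)
int dfsk5ok = 0;
int dfspag = 0;
int dfsfwd = 0;
#endif

int forward_flags = 0;  /* Flags get set in telnet/main.c on -f and -F */

int forward(int);
int forwardable(int);

/* These values need to be the same as those defined in telnet/main.c. */
/* Either define them in both places, or put in some common header file. */
#define OPTS_FORWARD_CREDS           0x00000002
#define OPTS_FORWARDABLE_CREDS       0x00000001


void kerberos5_forward (Authenticator *);

/*
 * Prefix of every AUTHENTICATION suboption this module emits.  Byte 3 is
 * filled in by kerberos5_init(): TELQUAL_IS on the client, TELQUAL_REPLY
 * on the server.
 */
static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };

#define KRB_AUTH                0       /* Authentication data follows */
#define KRB_REJECT              1       /* Rejected (reason might follow) */
#define KRB_ACCEPT              2       /* Accepted */
#define KRB_RESPONSE            3       /* Response for mutual auth. */

#define KRB_FORWARD             4       /* Forwarded credentials follow */
#define KRB_FORWARD_ACCEPT      5       /* Forwarded credentials accepted */
#define KRB_FORWARD_REJECT      6       /* Forwarded credentials rejected */

/*
 * Module state shared by the entry points below.
 *
 *  auth         - AP-REQ bytes: built by kerberos5_send() on the client,
 *                 pointed at the incoming suboption on the server.
 *  ticket       - only set by a successful krb5_rd_req() in kerberos5_is();
 *                 NULL until then, so every later use must check it.
 *  auth_context - created by kerberos5_send() (client) or kerberos5_is()
 *                 (server); NULL until one of them has run.
 */
static krb5_data auth;
static krb5_ticket *ticket;

static krb5_context context;
static krb5_auth_context auth_context;

/*
 * Send one AUTHENTICATION suboption of KRB_* kind `type' carrying `c' bytes
 * of `d'.  c == -1 means `d' is a NUL-terminated string (a NULL `d' is then
 * treated as empty).  IAC bytes inside the payload are doubled as the
 * telnet protocol requires.
 *
 * Returns the result of telnet_net_write(), or 0 if the send buffer could
 * not be allocated.
 */
static int
Data(Authenticator *ap, int type, void *d, int c)
{
    unsigned char *cd = (unsigned char *)d;
    unsigned char *p0, *p;
    size_t len = sizeof(str_data) + 3 + 2; /* prefix, type/way/kind, IAC SE */
    int ret;

    if (c == -1)
        c = cd != NULL ? strlen((char*)cd) : 0;

    /* Every payload byte costs one slot, IAC costs two (escaped as IAC IAC). */
    for (p = cd; p - cd < c; p++, len++)
        if (*p == IAC)
            len++;

    p0 = malloc(len);
    if (p0 == NULL)
        return 0;

    memcpy(p0, str_data, sizeof(str_data));
    p = p0 + sizeof(str_data);

    if (auth_debug_mode) {
        printf("%s:%d: [%d] (%d)",
               str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
               str_data[3],
               type, c);
        printd(d, c);
        printf("\r\n");
    }
    *p++ = ap->type;
    *p++ = ap->way;
    *p++ = type;
    while (c-- > 0) {
        if ((*p++ = *cd++) == IAC)
            *p++ = IAC;
    }
    *p++ = IAC;
    *p++ = SE;
    if (str_data[3] == TELQUAL_IS)
        printsub('>', &p0[2], len - 2);
    ret = telnet_net_write(p0, len);
    free(p0);
    return ret;
}

/*
 * Initialise the module.  On the server (server != 0) this also probes
 * that the default keytab can be opened and iterated, so that the
 * KERBEROS5 authenticator is only offered when a key source exists.
 *
 * Returns 1 on success, 0 on failure.
 */
int
kerberos5_init(Authenticator *ap, int server)
{
    krb5_error_code ret;

    ret = krb5_init_context(&context);
    if (ret)
        return 0;
    if (server) {
        krb5_keytab kt;
        krb5_kt_cursor cursor;

        ret = krb5_kt_default(context, &kt);
        if (ret)
            return 0;

        ret = krb5_kt_start_seq_get (context, kt, &cursor);
        if (ret) {
            krb5_kt_close (context, kt);
            return 0;
        }
        krb5_kt_end_seq_get (context, kt, &cursor);
        krb5_kt_close (context, kt);

        str_data[3] = TELQUAL_REPLY;
    } else
        str_data[3] = TELQUAL_IS;
    return(1);
}

extern int net;

/*
 * Client side: build an AP-REQ for host/<RemoteHostName> from the default
 * credential cache and send it as KRB_AUTH, preceded by the requested user
 * name.  `name' is only used in the progress message.
 *
 * Returns 1 on success, 0 on any failure.  Most failures are reported only
 * when auth_debug_mode is set; a failed krb5_mk_req_exact() is always
 * reported (the original condition was `1 || auth_debug_mode').
 */
static int
kerberos5_send(char *name, Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache;
    int ap_opts;
    krb5_data cksum_data;
    char foo[2];
    int result = 0;

    if (!UserNameRequested) {
        if (auth_debug_mode) {
            printf("Kerberos V5: no user name supplied\r\n");
        }
        return(0);
    }

    ret = krb5_cc_default(context, &ccache);
    if (ret) {
        if (auth_debug_mode) {
            printf("Kerberos V5: could not get default ccache: %s\r\n",
                   krb5_get_err_text (context, ret));
        }
        return 0;
    }

    if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
        ap_opts = AP_OPTS_MUTUAL_REQUIRED;
    else
        ap_opts = 0;

    ap_opts |= AP_OPTS_USE_SUBKEY;

    ret = krb5_auth_con_init (context, &auth_context);
    if (ret) {
        if (auth_debug_mode) {
            printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
                   krb5_get_err_text(context, ret));
        }
        goto out;
    }

    ret = krb5_auth_con_setaddrs_from_fd (context,
                                          auth_context,
                                          &net);
    if (ret) {
        if (auth_debug_mode) {
            printf ("Kerberos V5:"
                    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
                    krb5_get_err_text(context, ret));
        }
        goto out;
    }

    /*
     * The session is pinned to DES: the telnet encryption layer in this
     * file only hands over 8-byte SK_DES keys (see kerberos5_is() and
     * kerberos5_reply()).
     */
    krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);

    /*
     * The authenticator checksum covers the telnet auth type/way pair, so
     * the server can verify the AP-REQ was built for this exchange.
     */
    foo[0] = ap->type;
    foo[1] = ap->way;

    cksum_data.length = sizeof(foo);
    cksum_data.data = foo;

    {
        krb5_principal service;
        char sname[128];

        ret = krb5_sname_to_principal (context,
                                       RemoteHostName,
                                       NULL,
                                       KRB5_NT_SRV_HST,
                                       &service);
        if(ret) {
            if (auth_debug_mode) {
                printf ("Kerberos V5:"
                        " krb5_sname_to_principal(%s) failed (%s)\r\n",
                        RemoteHostName, krb5_get_err_text(context, ret));
            }
            goto out;
        }
        ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
        if(ret) {
            if (auth_debug_mode) {
                printf ("Kerberos V5:"
                        " krb5_unparse_name_fixed failed (%s)\r\n",
                        krb5_get_err_text(context, ret));
            }
            krb5_free_principal (context, service);
            goto out;
        }
        printf("[ Trying %s (%s)... ]\r\n", name, sname);
        ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
                                service,
                                &cksum_data, ccache, &auth);
        krb5_free_principal (context, service);
    }
    if (ret) {
        printf("Kerberos V5: mk_req failed (%s)\r\n",
               krb5_get_err_text(context, ret));
        goto out;
    }

    if (!auth_sendname((unsigned char *)UserNameRequested,
                       strlen(UserNameRequested))) {
        if (auth_debug_mode)
            printf("Not enough room for user name\r\n");
        goto out;
    }
    if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
        goto out;
    }
    if (auth_debug_mode) {
        printf("Sent Kerberos V5 credentials to server\r\n");
    }
    result = 1;

out:
    /* The ccache handle is not referenced after the AP-REQ has been built. */
    krb5_cc_close (context, ccache);
    return result;
}

/* Client entry point for AUTH_HOW_MUTUAL; see kerberos5_send(). */
int
kerberos5_send_mutual(Authenticator *ap)
{
    return kerberos5_send("mutual KERBEROS5", ap);
}

/* Client entry point for one-way authentication; see kerberos5_send(). */
int
kerberos5_send_oneway(Authenticator *ap)
{
    return kerberos5_send("KERBEROS5", ap);
}

/*
 * Server side: handle an AUTHENTICATION IS suboption from the client.
 * `data'/`cnt' is untrusted network input; data[0] is the KRB_* kind and
 * the rest is its payload.
 *
 *  KRB_AUTH     - verify the AP-REQ, answer KRB_RESPONSE (mutual) and
 *                 KRB_ACCEPT/KRB_REJECT, and hand a DES subkey to the
 *                 encryption layer.
 *  KRB_FORWARD  - store forwarded credentials in the user's cache.  Only
 *                 valid after a successful KRB_AUTH.
 */
void
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
{
    krb5_error_code ret;
    krb5_data outbuf;
    krb5_keyblock *key_block;
    char *name;
    krb5_principal server;
    int zero = 0;

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_AUTH:
        auth.data = (char *)data;
        auth.length = cnt;

        /*
         * NOTE(review): on re-authentication the previous auth_context
         * (and `ticket') are dropped without being freed; nothing refers
         * to the old ones afterwards.
         */
        auth_context = NULL;

        ret = krb5_auth_con_init (context, &auth_context);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        /* fd 0 is used as the connection socket here and below
         * (presumably telnetd's stdin is the network) — confirm. */
        ret = krb5_auth_con_setaddrs_from_fd (context,
                                              auth_context,
                                              &zero);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_sock_to_principal (context,
                                      0,
                                      "host",
                                      KRB5_NT_SRV_HST,
                                      &server);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_sock_to_principal failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_rd_req(context,
                          &auth_context,
                          &auth,
                          server,
                          NULL,
                          NULL,
                          &ticket);

        krb5_free_principal (context, server);
        if (ret) {
            char *errbuf;

            /* asprintf() may fail; never hand a NULL to Data(..., -1). */
            asprintf(&errbuf,
                     "Read req failed: %s",
                     krb5_get_err_text(context, ret));
            if (errbuf == NULL)
                Data(ap, KRB_REJECT, NULL, 0);
            else
                Data(ap, KRB_REJECT, errbuf, -1);
            if (auth_debug_mode)
                printf("Read req failed: %s\r\n",
                       krb5_get_err_text(context, ret));
            free (errbuf);
            return;
        }

        {
            char foo[2];

            /* Must match the checksum data the client put in the
             * authenticator (see kerberos5_send()). */
            foo[0] = ap->type;
            foo[1] = ap->way;

            ret = krb5_verify_authenticator_checksum(context,
                                                     auth_context,
                                                     foo,
                                                     sizeof(foo));

            if (ret) {
                char *errbuf;
                asprintf(&errbuf, "Bad checksum: %s",
                         krb5_get_err_text(context, ret));
                if (errbuf == NULL)
                    Data(ap, KRB_REJECT, NULL, 0);
                else
                    Data(ap, KRB_REJECT, errbuf, -1);
                if (auth_debug_mode)
                    printf ("Bad checksum: %s\r\n",
                            krb5_get_err_text(context, ret));
                free(errbuf);
                return;
            }
        }
        ret = krb5_auth_con_getremotesubkey (context,
                                             auth_context,
                                             &key_block);

        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        /* No subkey in the authenticator: fall back to the ticket key. */
        if (key_block == NULL) {
            ret = krb5_auth_con_getkey(context,
                                       auth_context,
                                       &key_block);
        }
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getkey failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }
        if (key_block == NULL) {
            Data(ap, KRB_REJECT, "no subkey received", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getremotesubkey returned NULL key\r\n");
            return;
        }

        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            ret = krb5_mk_rep(context, auth_context, &outbuf);
            if (ret) {
                Data(ap, KRB_REJECT,
                     "krb5_mk_rep failed", -1);
                auth_finished(ap, AUTH_REJECT);
                if (auth_debug_mode)
                    printf("Kerberos V5: "
                           "krb5_mk_rep failed (%s)\r\n",
                           krb5_get_err_text(context, ret));
                return;
            }
            Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
        }
        /* `name' is malloc'ed by krb5_unparse_name(); freed below. */
        if (krb5_unparse_name(context, ticket->client, &name))
            name = 0;

        if(UserNameRequested && krb5_kuserok(context,
                                             ticket->client,
                                             UserNameRequested)) {
            Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
            if (auth_debug_mode) {
                printf("Kerberos5 identifies him as ``%s''\r\n",
                       name ? name : "");
            }

            /* The encryption layer only takes 8-byte DES keys (SK_DES),
             * so other key types leave the session unencrypted. */
            if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
               key_block->keytype == ETYPE_DES_CBC_MD4 ||
               key_block->keytype == ETYPE_DES_CBC_CRC) {
                Session_Key skey;

                skey.type = SK_DES;
                skey.length = 8;
                skey.data = key_block->keyvalue.data;
                encrypt_session_key(&skey, 0);
            }

        } else {
            char *msg;

            asprintf (&msg, "user `%s' is not authorized to "
                      "login as `%s'",
                      name ? name : "<unknown>",
                      UserNameRequested ? UserNameRequested : "<nobody>");
            if (msg == NULL)
                Data(ap, KRB_REJECT, NULL, 0);
            else {
                Data(ap, KRB_REJECT, (void *)msg, -1);
                free(msg);
            }
            free(name);
            auth_finished (ap, AUTH_REJECT);
            krb5_free_keyblock_contents(context, key_block);
            break;
        }
        free(name);
        auth_finished(ap, AUTH_USER);
        krb5_free_keyblock_contents(context, key_block);

        break;
    case KRB_FORWARD: {
        struct passwd *pwd;
        char ccname[1024]; /* XXX */
        krb5_data inbuf;
        krb5_ccache ccache;

        /*
         * Forwarded credentials are only meaningful after a successful
         * KRB_AUTH: `ticket' and `auth_context' are set there, and the
         * cache is created for UserNameRequested.  A KRB_FORWARD arriving
         * first would otherwise dereference a NULL ticket.
         */
        if (ticket == NULL || auth_context == NULL ||
            UserNameRequested == NULL) {
            Data(ap, KRB_FORWARD_REJECT, "not authenticated", -1);
            if (auth_debug_mode)
                printf("Kerberos V5: forwarded credentials "
                       "received before authentication\r\n");
            break;
        }

        inbuf.data = (char *)data;
        inbuf.length = cnt;

        pwd = getpwnam (UserNameRequested);
        if (pwd == NULL)
            break;

        /*
         * NOTE(review): fixed, predictable cache path under /tmp; the file
         * is created by krb5_cc_initialize() and chown'ed to the user
         * afterwards.  Safe creation relies on the ccache backend.
         */
        snprintf (ccname, sizeof(ccname),
                  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);

        ret = krb5_cc_resolve (context, ccname, &ccache);
        if (ret) {
            if (auth_debug_mode)
                printf ("Kerberos V5: could not get ccache: %s\r\n",
                        krb5_get_err_text(context, ret));
            break;
        }

        ret = krb5_cc_initialize (context,
                                  ccache,
                                  ticket->client);
        if (ret) {
            if (auth_debug_mode)
                printf ("Kerberos V5: could not init ccache: %s\r\n",
                        krb5_get_err_text(context, ret));
            krb5_cc_close (context, ccache);
            break;
        }

#if defined(DCE)
        esetenv("KRB5CCNAME", ccname, 1);
#endif
        ret = krb5_rd_cred2 (context,
                             auth_context,
                             ccache,
                             &inbuf);
        if(ret) {
            char *errbuf;

            asprintf (&errbuf,
                      "Read forwarded creds failed: %s",
                      krb5_get_err_text (context, ret));
            if(errbuf == NULL)
                Data(ap, KRB_FORWARD_REJECT, NULL, 0);
            else
                Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
            if (auth_debug_mode)
                printf("Could not read forwarded credentials: %s\r\n",
                       errbuf ? errbuf : krb5_get_err_text (context, ret));
            free (errbuf);
        } else {
            Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
#if defined(DCE)
            dfsfwd = 1;
#endif
        }
        /* ccname + 5 skips the "FILE:" prefix. */
        chown (ccname + 5, pwd->pw_uid, -1);
        krb5_cc_close (context, ccache);
        if (auth_debug_mode)
            printf("Forwarded credentials obtained\r\n");
        break;
    }
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        Data(ap, KRB_REJECT, 0, 0);
        break;
    }
}

/*
 * Client side: handle an AUTHENTICATION REPLY suboption from the server.
 * `data'/`cnt' is untrusted network input; data[0] is the KRB_* kind.
 *
 * For AUTH_HOW_MUTUAL a KRB_ACCEPT is only honoured after a KRB_RESPONSE
 * whose AP-REP verified (`mutual_complete'); the flag is cleared again on
 * KRB_REJECT so a retried exchange cannot reuse a stale result.
 */
void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{
    static int mutual_complete = 0;

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_REJECT:
        if (cnt > 0) {
            printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
                   cnt, data);
        } else
            printf("[ Kerberos V5 refuses authentication ]\r\n");
        mutual_complete = 0;
        auth_send_retry();
        return;
    case KRB_ACCEPT: {
        krb5_error_code ret;
        Session_Key skey;
        krb5_keyblock *keyblock;

        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
            !mutual_complete) {
            printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
            auth_send_retry();
            return;
        }
        if (cnt)
            printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
        else
            printf("[ Kerberos V5 accepts you ]\r\n");

        /* Prefer our subkey; fall back to the ticket session key. */
        ret = krb5_auth_con_getlocalsubkey (context,
                                            auth_context,
                                            &keyblock);
        if (ret)
            ret = krb5_auth_con_getkey (context,
                                        auth_context,
                                        &keyblock);
        if(ret) {
            printf("[ krb5_auth_con_getkey: %s ]\r\n",
                   krb5_get_err_text(context, ret));
            auth_send_retry();
            return;
        }

        /* Only 8-byte DES keys are understood by the encryption layer;
         * kerberos5_send() pinned the key type to DES for that reason. */
        skey.type = SK_DES;
        skey.length = 8;
        skey.data = keyblock->keyvalue.data;
        encrypt_session_key(&skey, 0);
        krb5_free_keyblock_contents (context, keyblock);
        auth_finished(ap, AUTH_USER);
        if (forward_flags & OPTS_FORWARD_CREDS)
            kerberos5_forward(ap);
        break;
    }
    case KRB_RESPONSE:
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            /* the rest of the reply should contain a krb_ap_rep */
            krb5_ap_rep_enc_part *reply;
            krb5_data inbuf;
            krb5_error_code ret;

            inbuf.length = cnt;
            inbuf.data = (char *)data;

            ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
            if (ret) {
                printf("[ Mutual authentication failed: %s ]\r\n",
                       krb5_get_err_text (context, ret));
                auth_send_retry();
                return;
            }
            krb5_free_ap_rep_enc_part(context, reply);
            mutual_complete = 1;
        }
        return;
    case KRB_FORWARD_ACCEPT:
        printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
        return;
    case KRB_FORWARD_REJECT:
        printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
               cnt, data);
        return;
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        return;
    }
}

/*
 * Report the authentication level reached.  Below AUTH_USER the level is
 * returned unchanged.  Otherwise, if the authenticated principal may log
 * in as UserNameRequested, that name is copied into `name' (name_sz bytes)
 * and AUTH_VALID is returned; else AUTH_USER.  `ticket' is checked because
 * it is only set by a successful KRB_AUTH in kerberos5_is().
 */
int
kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
{
    if (level < AUTH_USER)
        return(level);

    if (UserNameRequested && ticket != NULL &&
        krb5_kuserok(context,
                     ticket->client,
                     UserNameRequested))
    {
        strlcpy(name, UserNameRequested, name_sz);
#if defined(DCE)
        dfsk5ok = 1;
#endif
        return(AUTH_VALID);
    } else
        return(AUTH_USER);
}

/* Advance `buf' past the string already in it, keeping `len' in step. */
#define BUMP(buf, len)          while (*(buf)) {++(buf), --(len);}
/* Append one character if there is room. */
#define ADDC(buf, len, c)       if ((len) > 0) {*(buf)++ = (c); --(len);}

/*
 * Render an AUTHENTICATION suboption for the telnet debug output.
 * data[3] is the KRB_* kind and the payload starts at data[4]; `buf' is
 * always NUL-terminated on return.  Suboptions shorter than 4 bytes, and
 * an empty `buf', have nothing to decode and are handled up front.
 */
void
kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    int i;

    if (buflen < 1)
        return;
    buf[buflen-1] = '\0';           /* make sure its NULL terminated */
    buflen -= 1;

    if (cnt < 4) {
        snprintf((char*)buf, buflen, " (short suboption)");
        return;
    }

    switch(data[3]) {
    case KRB_REJECT:                /* Rejected (reason might follow) */
        strlcpy((char *)buf, " REJECT ", buflen);
        goto common;

    case KRB_ACCEPT:                /* Accepted (name might follow) */
        strlcpy((char *)buf, " ACCEPT ", buflen);
    common:
        BUMP(buf, buflen);
        if (cnt <= 4)
            break;
        ADDC(buf, buflen, '"');
        for (i = 4; i < cnt; i++)
            ADDC(buf, buflen, data[i]);
        ADDC(buf, buflen, '"');
        ADDC(buf, buflen, '\0');
        break;


    case KRB_AUTH:                  /* Authentication data follows */
        strlcpy((char *)buf, " AUTH", buflen);
        goto common2;

    case KRB_RESPONSE:
        strlcpy((char *)buf, " RESPONSE", buflen);
        goto common2;

    case KRB_FORWARD:               /* Forwarded credentials follow */
        strlcpy((char *)buf, " FORWARD", buflen);
        goto common2;

    case KRB_FORWARD_ACCEPT:        /* Forwarded credentials accepted */
        strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
        goto common2;

    case KRB_FORWARD_REJECT:        /* Forwarded credentials rejected */
                                    /* (reason might follow) */
        strlcpy((char *)buf, " FORWARD_REJECT", buflen);
        goto common2;

    default:
        snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
    common2:
        BUMP(buf, buflen);
        for (i = 4; i < cnt; i++) {
            snprintf((char*)buf, buflen, " %d", data[i]);
            BUMP(buf, buflen);
        }
        break;
    }
}

/*
 * Client side: obtain forwarded (and optionally forwardable, per
 * OPTS_FORWARDABLE_CREDS) TGT credentials for RemoteHostName from the
 * default ccache and send them as KRB_FORWARD over the established
 * auth_context.  Failures are reported only in auth_debug_mode.
 *
 * All krb5 objects acquired here are released on every path.
 */
void
kerberos5_forward(Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache;
    krb5_creds creds;
    krb5_kdc_flags flags;
    krb5_data out_data;
    krb5_principal principal = NULL;

    ret = krb5_cc_default (context, &ccache);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get default ccache: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    memset (&creds, 0, sizeof(creds));
    out_data.data = NULL;
    out_data.length = 0;

    ret = krb5_cc_get_principal (context, ccache, &principal);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    creds.client = principal;

    /* Server is krbtgt/<realm>@<realm>: we forward the TGT itself. */
    ret = krb5_build_principal (context,
                                &creds.server,
                                strlen(principal->realm),
                                principal->realm,
                                "krbtgt",
                                principal->realm,
                                NULL);

    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    creds.times.endtime = 0;        /* no explicit end time requested */

    flags.i = 0;
    flags.b.forwarded = 1;
    if (forward_flags & OPTS_FORWARDABLE_CREDS)
        flags.b.forwardable = 1;

    ret = krb5_get_forwarded_creds (context,
                                    auth_context,
                                    ccache,
                                    flags.i,
                                    RemoteHostName,
                                    &creds,
                                    &out_data);
    if (ret) {
        if (auth_debug_mode)
            printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
    } else {
        if (auth_debug_mode)
            printf("Forwarded local Kerberos V5 credentials to server\r\n");
    }

out:
    krb5_data_free (&out_data);
    if (creds.server != NULL)
        krb5_free_principal (context, creds.server);
    if (principal != NULL)
        krb5_free_principal (context, principal);
    krb5_cc_close (context, ccache);
}

#if defined(DCE)
/* if this was a K5 authentication try and join a PAG for the user. */
void
kerberos5_dfspag(void)
{
    if (dfsk5ok) {
        dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
                              UserNameRequested);
    }
}
#endif

/*
 * Set (on == 1), clear (on == 0) or toggle (on == -1) credential
 * forwarding in forward_flags.  Any other value is ignored.  Always
 * returns 0.
 */
int
kerberos5_set_forward(int on)
{
    if(on == 0)
        forward_flags &= ~OPTS_FORWARD_CREDS;
    if(on == 1)
        forward_flags |= OPTS_FORWARD_CREDS;
    if(on == -1)
        forward_flags ^= OPTS_FORWARD_CREDS;
    return 0;
}

/*
 * Set (on == 1), clear (on == 0) or toggle (on == -1) whether forwarded
 * credentials are requested forwardable.  Any other value is ignored.
 * Always returns 0.
 */
int
kerberos5_set_forwardable(int on)
{
    if(on == 0)
        forward_flags &= ~OPTS_FORWARDABLE_CREDS;
    if(on == 1)
        forward_flags |= OPTS_FORWARDABLE_CREDS;
    if(on == -1)
        forward_flags ^= OPTS_FORWARDABLE_CREDS;
    return 0;
}

#endif /* KRB5 */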