1 /*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 
32 */ 33 34 /* 35 * Copyright (C) 1990 by the Massachusetts Institute of Technology 36 * 37 * Export of this software from the United States of America may 38 * require a specific license from the United States Government. 39 * It is the responsibility of any person or organization contemplating 40 * export to obtain such a license before exporting. 41 * 42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 43 * distribute this software and its documentation for any purpose and 44 * without fee is hereby granted, provided that the above copyright 45 * notice appear in all copies and that both that copyright notice and 46 * this permission notice appear in supporting documentation, and that 47 * the name of M.I.T. not be used in advertising or publicity pertaining 48 * to distribution of the software without specific, written prior 49 * permission. M.I.T. makes no representations about the suitability of 50 * this software for any purpose. It is provided "as is" without express 51 * or implied warranty. 52 */ 53 54 #include <config.h> 55 56 RCSID("$Id: kerberos5.c,v 1.50 2002/08/28 20:55:53 joda Exp $"); 57 58 #ifdef KRB5 59 60 #include <arpa/telnet.h> 61 #include <stdio.h> 62 #include <stdlib.h> 63 #include <string.h> 64 #include <unistd.h> 65 #include <netdb.h> 66 #include <ctype.h> 67 #include <pwd.h> 68 #define Authenticator k5_Authenticator 69 #include <krb5.h> 70 #undef Authenticator 71 #include <roken.h> 72 #ifdef SOCKS 73 #include <socks.h> 74 #endif 75 76 77 #include "encrypt.h" 78 #include "auth.h" 79 #include "misc.h" 80 81 #if defined(DCE) 82 int dfsk5ok = 0; 83 int dfspag = 0; 84 int dfsfwd = 0; 85 #endif 86 87 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */ 88 89 int forward(int); 90 int forwardable(int); 91 92 /* These values need to be the same as those defined in telnet/main.c. */ 93 /* Either define them in both places, or put in some common header file. 
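 */
#define OPTS_FORWARD_CREDS           0x00000002
#define OPTS_FORWARDABLE_CREDS       0x00000001


void kerberos5_forward (Authenticator *);

/*
 * Scratch buffer for every outgoing AUTHENTICATION suboption.  Bytes 0-3
 * (IAC SB TELOPT_AUTHENTICATION <TELQUAL_IS|TELQUAL_REPLY>) are fixed once
 * kerberos5_init() has chosen the side; Data() rewrites everything after
 * them and bounds its writes by sizeof(str_data).
 */
static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
                                        AUTHTYPE_KERBEROS_V5, };

/* Sub-message types carried inside the KERBEROS_V5 authentication suboption. */
#define KRB_AUTH                0       /* Authentication data follows */
#define KRB_REJECT              1       /* Rejected (reason might follow) */
#define KRB_ACCEPT              2       /* Accepted */
#define KRB_RESPONSE            3       /* Response for mutual auth. */

#define KRB_FORWARD             4       /* Forwarded credentials follow */
#define KRB_FORWARD_ACCEPT      5       /* Forwarded credentials accepted */
#define KRB_FORWARD_REJECT      6       /* Forwarded credentials rejected */

static krb5_data auth;              /* AP-REQ: built by the client, pointed at the
                                       incoming suboption by the server */
static krb5_ticket *ticket;         /* server side: ticket from the last successful
                                       krb5_rd_req(); NULL until then */

static krb5_context context;
static krb5_auth_context auth_context;

/*
 * Send one KERBEROS_V5 sub-message of the given KRB_* type to the peer.
 *
 * d/c is the payload; c == -1 means d is a NUL-terminated string (a NULL d
 * is then treated as empty).  IAC bytes in the payload are doubled as the
 * telnet suboption encoding requires.
 *
 * Returns the result of telnet_net_write(), or 0 when the encoded suboption
 * would not fit in str_data.  Callers already treat 0 as "not enough room",
 * so an oversized payload (e.g. a large AP-REQ) is refused instead of
 * running past the end of the buffer.
 */
static int
Data(Authenticator *ap, int type, void *d, int c)
{
    unsigned char *p = str_data + 4;
    unsigned char *cd = (unsigned char *)d;
    const unsigned char *end = str_data + sizeof(str_data);

    if (c == -1)
        c = cd ? (int)strlen((char *)cd) : 0;

    if (auth_debug_mode) {
        printf("%s:%d: [%d] (%d)",
               str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
               str_data[3],
               type, c);
        printd(d, c);
        printf("\r\n");
    }
    *p++ = ap->type;
    *p++ = ap->way;
    *p++ = type;
    while (c-- > 0) {
        /* one payload byte plus its possible IAC escape */
        if (p + 2 > end)
            return 0;
        if ((*p++ = *cd++) == IAC)
            *p++ = IAC;
    }
    /* room for the closing IAC SE */
    if (p + 2 > end)
        return 0;
    *p++ = IAC;
    *p++ = SE;
    if (str_data[3] == TELQUAL_IS)
        printsub('>', &str_data[2], p - &str_data[2]);
    return(telnet_net_write(str_data, p - str_data));
}

/*
 * Send a reject of the given type whose reason is "<prefix>: <krb5 error text>".
 * Falls back to the bare prefix when the message cannot be allocated, so the
 * peer always receives a reason and Data() is never handed a NULL string.
 */
static void
send_reject_reason(Authenticator *ap, int type, const char *prefix,
                   krb5_error_code code)
{
    char *errbuf = NULL;
    const char *msg;

    if (asprintf(&errbuf, "%s: %s", prefix,
                 krb5_get_err_text(context, code)) == -1)
        errbuf = NULL;
    msg = errbuf ? errbuf : prefix;
    Data(ap, type, (void *)msg, -1);
    if (auth_debug_mode)
        printf("%s\r\n", msg);
    free(errbuf);
}

/* Discard the server-side ticket left by a previous or failed KRB_AUTH. */
static void
drop_ticket(void)
{
    if (ticket) {
        krb5_free_ticket(context, ticket);
        ticket = NULL;
    }
}

/*
 * Initialise the Kerberos 5 authenticator.
 *
 * server != 0 selects the telnetd side: the default keytab must be openable
 * and iterable, otherwise this authenticator is disabled.  The side also
 * fixes str_data[3] (TELQUAL_REPLY for the server, TELQUAL_IS for the client).
 *
 * Returns 1 when the authenticator is usable, 0 otherwise.
 */
int
kerberos5_init(Authenticator *ap, int server)
{
    krb5_error_code ret;

    ret = krb5_init_context(&context);
    if (ret)
        return 0;
    if (server) {
        krb5_keytab kt;
        krb5_kt_cursor cursor;

        ret = krb5_kt_default(context, &kt);
        if (ret)
            return 0;

        /* open and immediately close a cursor: we only probe that the keytab is readable */
        ret = krb5_kt_start_seq_get (context, kt, &cursor);
        if (ret) {
            krb5_kt_close (context, kt);
            return 0;
        }
        krb5_kt_end_seq_get (context, kt, &cursor);
        krb5_kt_close (context, kt);

        str_data[3] = TELQUAL_REPLY;
    } else
        str_data[3] = TELQUAL_IS;
    return(1);
}

extern int net;

/*
 * Client side: build an AP-REQ for host/RemoteHostName from the default
 * credential cache and send it (preceded by the requested user name).
 *
 * name is only used in the "[ Trying ... ]" message.  The authenticator
 * checksum covers ap->type and ap->way so the server can detect a
 * downgraded or replayed negotiation.
 *
 * Returns 1 when the credentials were sent, 0 on any failure.  The ccache
 * handle and service principal are released on every path.
 */
static int
kerberos5_send(char *name, Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache = NULL;
    int ap_opts;
    krb5_data cksum_data;
    char foo[2];
    krb5_principal service = NULL;
    char sname[128];
    int result = 0;

    if (!UserNameRequested) {
        if (auth_debug_mode) {
            printf("Kerberos V5: no user name supplied\r\n");
        }
        return(0);
    }

    ret = krb5_cc_default(context, &ccache);
    if (ret) {
        if (auth_debug_mode) {
            printf("Kerberos V5: could not get default ccache: %s\r\n",
                   krb5_get_err_text (context, ret));
        }
        return 0;
    }

    if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
        ap_opts = AP_OPTS_MUTUAL_REQUIRED;
    else
        ap_opts = 0;

    /* a retry replaces the auth context of the previous attempt */
    if (auth_context) {
        krb5_auth_con_free(context, auth_context);
        auth_context = NULL;
    }
    ret = krb5_auth_con_init (context, &auth_context);
    if (ret) {
        if (auth_debug_mode) {
            printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
                   krb5_get_err_text(context, ret));
        }
        goto out;
    }

    ret = krb5_auth_con_setaddrs_from_fd (context,
                                          auth_context,
                                          &net);
    if (ret) {
        if (auth_debug_mode) {
            printf ("Kerberos V5:"
                    " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
                    krb5_get_err_text(context, ret));
        }
        goto out;
    }

    /* the telnet encryption layer only understands DES session keys */
    krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);

    foo[0] = ap->type;
    foo[1] = ap->way;

    cksum_data.length = sizeof(foo);
    cksum_data.data = foo;

    ret = krb5_sname_to_principal (context,
                                   RemoteHostName,
                                   NULL,
                                   KRB5_NT_SRV_HST,
                                   &service);
    if (ret) {
        if (auth_debug_mode) {
            printf ("Kerberos V5:"
                    " krb5_sname_to_principal(%s) failed (%s)\r\n",
                    RemoteHostName, krb5_get_err_text(context, ret));
        }
        goto out;
    }
    ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
    if (ret) {
        if (auth_debug_mode) {
            printf ("Kerberos V5:"
                    " krb5_unparse_name_fixed failed (%s)\r\n",
                    krb5_get_err_text(context, ret));
        }
        goto out;
    }
    printf("[ Trying %s (%s)... ]\r\n", name, sname);
    ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
                            service,
                            &cksum_data, ccache, &auth);
    if (ret) {
        /* always reported, not only in debug mode: the user should see why
           this authenticator is being skipped */
        printf("Kerberos V5: mk_req failed (%s)\r\n",
               krb5_get_err_text(context, ret));
        goto out;
    }

    if (!auth_sendname((unsigned char *)UserNameRequested,
                       strlen(UserNameRequested))) {
        if (auth_debug_mode)
            printf("Not enough room for user name\r\n");
        goto out;
    }
    if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
        goto out;
    }
    if (auth_debug_mode) {
        printf("Sent Kerberos V5 credentials to server\r\n");
    }
    result = 1;

out:
    if (service)
        krb5_free_principal (context, service);
    krb5_cc_close (context, ccache);
    return result;
}

/* Client entry point for AUTH_HOW_MUTUAL. */
int
kerberos5_send_mutual(Authenticator *ap)
{
    return kerberos5_send("mutual KERBEROS5", ap);
}

/* Client entry point for AUTH_HOW_ONE_WAY. */
int
kerberos5_send_oneway(Authenticator *ap)
{
    return kerberos5_send("KERBEROS5", ap);
}

/*
 * Server side: handle a KERBEROS_V5 IS sub-message from the client.
 *
 * data[0] is the KRB_* type, the remaining cnt-1 bytes are its payload.
 * KRB_AUTH verifies the AP-REQ, checks that the authenticator checksum
 * matches our (type, way) pair, answers mutual authentication when asked,
 * authorises UserNameRequested via krb5_kuserok() and hands the DES subkey
 * to the encryption layer.  KRB_FORWARD stores forwarded credentials in the
 * user's cache and requires a preceding successful KRB_AUTH.
 *
 * Every reject path reports AUTH_REJECT to the generic layer and releases
 * the ticket, so a later KRB_FORWARD or kerberos5_status() cannot act on
 * state from a failed attempt.
 */
void
kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
{
    krb5_error_code ret;
    krb5_data outbuf;
    krb5_keyblock *key_block = NULL;
    char *name;
    krb5_principal server;
    int zero = 0;

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_AUTH:
        auth.data = (char *)data;
        auth.length = cnt;

        /* a retried KRB_AUTH replaces all state of the previous attempt */
        if (auth_context) {
            krb5_auth_con_free(context, auth_context);
            auth_context = NULL;
        }
        drop_ticket();

        ret = krb5_auth_con_init (context, &auth_context);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        /* fd 0 carries the connection in telnetd (inferred from &zero / the
           0 passed to krb5_sock_to_principal below) */
        ret = krb5_auth_con_setaddrs_from_fd (context,
                                              auth_context,
                                              &zero);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_sock_to_principal (context,
                                      0,
                                      "host",
                                      KRB5_NT_SRV_HST,
                                      &server);
        if (ret) {
            Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_sock_to_principal failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            return;
        }

        ret = krb5_rd_req(context,
                          &auth_context,
                          &auth,
                          server,
                          NULL,
                          NULL,
                          &ticket);

        krb5_free_principal (context, server);
        if (ret) {
            send_reject_reason(ap, KRB_REJECT, "Read req failed", ret);
            auth_finished(ap, AUTH_REJECT);
            return;
        }

        {
            char foo[2];

            foo[0] = ap->type;
            foo[1] = ap->way;

            /* binds the authenticator to this (type, way) negotiation */
            ret = krb5_verify_authenticator_checksum(context,
                                                     auth_context,
                                                     foo,
                                                     sizeof(foo));

            if (ret) {
                send_reject_reason(ap, KRB_REJECT, "Bad checksum", ret);
                auth_finished(ap, AUTH_REJECT);
                drop_ticket();
                return;
            }
        }
        ret = krb5_auth_con_getremotesubkey (context,
                                             auth_context,
                                             &key_block);

        if (ret) {
            Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getremotesubkey failed (%s)\r\n",
                       krb5_get_err_text(context, ret));
            drop_ticket();
            return;
        }
        if (key_block == NULL) {
            /* a successful call may still yield no key when the client sent
               no subkey; the session key below is derived from it, so refuse */
            Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey returned no key", -1);
            auth_finished(ap, AUTH_REJECT);
            if (auth_debug_mode)
                printf("Kerberos V5: "
                       "krb5_auth_con_getremotesubkey returned no key\r\n");
            drop_ticket();
            return;
        }

        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            ret = krb5_mk_rep(context, auth_context, &outbuf);
            if (ret) {
                Data(ap, KRB_REJECT,
                     "krb5_mk_rep failed", -1);
                auth_finished(ap, AUTH_REJECT);
                if (auth_debug_mode)
                    printf("Kerberos V5: "
                           "krb5_mk_rep failed (%s)\r\n",
                           krb5_get_err_text(context, ret));
                krb5_free_keyblock(context, key_block);
                drop_ticket();
                return;
            }
            Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
            krb5_data_free(&outbuf);
        }
        if (krb5_unparse_name(context, ticket->client, &name))
            name = NULL;

        if(UserNameRequested && krb5_kuserok(context,
                                             ticket->client,
                                             UserNameRequested)) {
            Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
            if (auth_debug_mode) {
                printf("Kerberos5 identifies him as ``%s''\r\n",
                       name ? name : "");
            }

            /* only single-DES subkeys can be used by the telnet encryption layer */
            if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
               key_block->keytype == ETYPE_DES_CBC_MD4 ||
               key_block->keytype == ETYPE_DES_CBC_CRC) {
                Session_Key skey;

                skey.type = SK_DES;
                skey.length = 8;
                skey.data = key_block->keyvalue.data;
                encrypt_session_key(&skey, 0);
            }
            auth_finished(ap, AUTH_USER);
        } else {
            char *msg;

            if (asprintf (&msg, "user `%s' is not authorized to "
                          "login as `%s'",
                          name ? name : "<unknown>",
                          UserNameRequested ? UserNameRequested : "<nobody>") == -1)
                msg = NULL;
            if (msg == NULL)
                Data(ap, KRB_REJECT, NULL, 0);
            else {
                Data(ap, KRB_REJECT, (void *)msg, -1);
                free(msg);
            }
            auth_finished (ap, AUTH_REJECT);
            drop_ticket();
        }
        free(name);
        krb5_free_keyblock(context, key_block);
        break;

    case KRB_FORWARD: {
        struct passwd *pwd;
        char ccname[1024]; /* XXX */
        krb5_data inbuf;
        krb5_ccache ccache = NULL;

        inbuf.data = (char *)data;
        inbuf.length = cnt;

        /* forwarding is only meaningful after a successful KRB_AUTH */
        if (ticket == NULL || UserNameRequested == NULL) {
            Data(ap, KRB_FORWARD_REJECT, "no authenticated user", -1);
            if (auth_debug_mode)
                printf("Kerberos V5: forwarded credentials without prior authentication\r\n");
            break;
        }

        pwd = getpwnam (UserNameRequested);
        if (pwd == NULL)
            break;

        /* NOTE(review): predictable per-uid path created with telnetd's
           privileges; whether a pre-existing file or symlink there is
           followed depends on the FILE ccache implementation -- confirm */
        snprintf (ccname, sizeof(ccname),
                  "FILE:/tmp/krb5cc_%u", pwd->pw_uid);

        ret = krb5_cc_resolve (context, ccname, &ccache);
        if (ret) {
            if (auth_debug_mode)
                printf ("Kerberos V5: could not get ccache: %s\r\n",
                        krb5_get_err_text(context, ret));
            break;
        }

        ret = krb5_cc_initialize (context,
                                  ccache,
                                  ticket->client);
        if (ret) {
            if (auth_debug_mode)
                printf ("Kerberos V5: could not init ccache: %s\r\n",
                        krb5_get_err_text(context, ret));
            krb5_cc_close (context, ccache);
            break;
        }

#if defined(DCE)
        esetenv("KRB5CCNAME", ccname, 1);
#endif
        ret = krb5_rd_cred2 (context,
                             auth_context,
                             ccache,
                             &inbuf);
        if(ret) {
            char *errbuf = NULL;

            if (asprintf (&errbuf,
                          "Read forwarded creds failed: %s",
                          krb5_get_err_text (context, ret)) == -1)
                errbuf = NULL;
            if(errbuf == NULL)
                Data(ap, KRB_FORWARD_REJECT, NULL, 0);
            else
                Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
            if (auth_debug_mode)
                printf("Could not read forwarded credentials: %s\r\n",
                       errbuf ? errbuf : krb5_get_err_text (context, ret));
            free (errbuf);
        } else {
            Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
#if defined(DCE)
            dfsfwd = 1;
#endif
        }
        krb5_cc_close (context, ccache);
        /* ccname + 5 skips the "FILE:" prefix */
        if (chown (ccname + 5, pwd->pw_uid, -1) < 0 && auth_debug_mode)
            printf("Kerberos V5: could not chown %s\r\n", ccname + 5);
        if (auth_debug_mode)
            printf("Forwarded credentials obtained\r\n");
        break;
    }
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        Data(ap, KRB_REJECT, 0, 0);
        break;
    }
}

/*
 * Client side: handle a KERBEROS_V5 REPLY sub-message from the server.
 *
 * KRB_RESPONSE verifies the AP-REP for mutual authentication; KRB_ACCEPT is
 * only honoured once that has happened when AUTH_HOW_MUTUAL was requested.
 * On acceptance the local subkey (or, failing that, the ticket session key)
 * becomes the DES session key and credentials are forwarded if -f/-F asked
 * for it.
 *
 * NOTE(review): mutual_complete is never reset, so it survives across
 * authenticator retries within one process -- confirm whether that matters.
 */
void
kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
{
    static int mutual_complete = 0;

    if (cnt-- < 1)
        return;
    switch (*data++) {
    case KRB_REJECT:
        if (cnt > 0) {
            printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
                   cnt, data);
        } else
            printf("[ Kerberos V5 refuses authentication ]\r\n");
        auth_send_retry();
        return;
    case KRB_ACCEPT: {
        krb5_error_code ret;
        Session_Key skey;
        krb5_keyblock *keyblock = NULL;

        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
            !mutual_complete) {
            printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
            auth_send_retry();
            return;
        }
        if (cnt)
            printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
        else
            printf("[ Kerberos V5 accepts you ]\r\n");

        /* prefer the subkey generated for this exchange; a call that succeeds
           without producing a key falls back to the ticket session key */
        ret = krb5_auth_con_getlocalsubkey (context,
                                            auth_context,
                                            &keyblock);
        if (ret || keyblock == NULL)
            ret = krb5_auth_con_getkey (context,
                                        auth_context,
                                        &keyblock);
        if (ret || keyblock == NULL) {
            printf("[ krb5_auth_con_getkey: %s ]\r\n",
                   ret ? krb5_get_err_text(context, ret) : "no key available");
            auth_send_retry();
            return;
        }
        if (keyblock->keyvalue.length < 8) {
            /* skey.length below is fixed at the DES key size */
            printf("[ Kerberos V5 session key is too short for DES ]\r\n");
            krb5_free_keyblock (context, keyblock);
            auth_send_retry();
            return;
        }

        skey.type = SK_DES;
        skey.length = 8;
        skey.data = keyblock->keyvalue.data;
        encrypt_session_key(&skey, 0);
        krb5_free_keyblock (context, keyblock);
        auth_finished(ap, AUTH_USER);
        if (forward_flags & OPTS_FORWARD_CREDS)
            kerberos5_forward(ap);
        break;
    }
    case KRB_RESPONSE:
        if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
            /* the rest of the reply should contain a krb_ap_rep */
            krb5_ap_rep_enc_part *reply;
            krb5_data inbuf;
            krb5_error_code ret;

            inbuf.length = cnt;
            inbuf.data = (char *)data;

            ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
            if (ret) {
                printf("[ Mutual authentication failed: %s ]\r\n",
                       krb5_get_err_text (context, ret));
                auth_send_retry();
                return;
            }
            krb5_free_ap_rep_enc_part(context, reply);
            mutual_complete = 1;
        }
        return;
    case KRB_FORWARD_ACCEPT:
        printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
        return;
    case KRB_FORWARD_REJECT:
        printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
               cnt, data);
        return;
    default:
        if (auth_debug_mode)
            printf("Unknown Kerberos option %d\r\n", data[-1]);
        return;
    }
}

/*
 * Server side: report the authorisation level reached.
 *
 * Levels below AUTH_USER are passed through.  Otherwise, if the ticket
 * client is allowed to log in as UserNameRequested, that name is copied
 * into name (name_sz bytes, NUL-terminated) and AUTH_VALID is returned;
 * a missing ticket or a failed krb5_kuserok() yields AUTH_USER, meaning the
 * login must still be verified by other means.
 */
int
kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
{
    if (level < AUTH_USER)
        return(level);

    /* no verified AP-REQ on record: never promote to AUTH_VALID */
    if (ticket == NULL)
        return(AUTH_USER);

    if (UserNameRequested &&
        krb5_kuserok(context,
                     ticket->client,
                     UserNameRequested))
    {
        strlcpy(name, UserNameRequested, name_sz);
#if defined(DCE)
        dfsk5ok = 1;
#endif
        return(AUTH_VALID);
    } else
        return(AUTH_USER);
}

/* Advance buf past its current string, keeping len in step (buf must be NUL-terminated). */
#define BUMP(buf, len)  do { while (*(buf)) { ++(buf); --(len); } } while (0)
/* Append one byte to buf if there is room. */
#define ADDC(buf, len, c)  do { if ((len) > 0) { *(buf)++ = (c); --(len); } } while (0)

/*
 * Render a KERBEROS_V5 suboption (data/cnt) as text into buf (buflen bytes)
 * for telnet's suboption tracing.  data[3] is the KRB_* type; bytes 4..cnt-1
 * are its payload, printed as a quoted string for REJECT/ACCEPT and as
 * decimal bytes otherwise.  The output is always NUL-terminated and never
 * exceeds buflen; a suboption shorter than 4 bytes renders as an empty
 * string rather than being read past its end.
 */
void
kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
{
    int i;

    if (buflen < 1)
        return;
    buf[buflen-1] = '\0';               /* make sure its NULL terminated */
    buflen -= 1;
    if (cnt < 4) {
        buf[0] = '\0';
        return;
    }

    switch(data[3]) {
    case KRB_REJECT:                    /* Rejected (reason might follow) */
        strlcpy((char *)buf, " REJECT ", buflen);
        goto common;

    case KRB_ACCEPT:                    /* Accepted (name might follow) */
        strlcpy((char *)buf, " ACCEPT ", buflen);
    common:
        BUMP(buf, buflen);
        if (cnt <= 4)
            break;
        ADDC(buf, buflen, '"');
        for (i = 4; i < cnt; i++)
            ADDC(buf, buflen, data[i]);
        ADDC(buf, buflen, '"');
        ADDC(buf, buflen, '\0');
        break;


    case KRB_AUTH:                      /* Authentication data follows */
        strlcpy((char *)buf, " AUTH", buflen);
        goto common2;

    case KRB_RESPONSE:
        strlcpy((char *)buf, " RESPONSE", buflen);
        goto common2;

    case KRB_FORWARD:                   /* Forwarded credentials follow */
        strlcpy((char *)buf, " FORWARD", buflen);
        goto common2;

    case KRB_FORWARD_ACCEPT:            /* Forwarded credentials accepted */
        strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
        goto common2;

    case KRB_FORWARD_REJECT:            /* Forwarded credentials rejected */
                                        /* (reason might follow) */
        strlcpy((char *)buf, " FORWARD_REJECT", buflen);
        goto common2;

    default:
        snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
    common2:
        BUMP(buf, buflen);
        for (i = 4; i < cnt; i++) {
            snprintf((char*)buf, buflen, " %d", data[i]);
            BUMP(buf, buflen);
        }
        break;
    }
}

/*
 * Client side: obtain a forwarded TGT for RemoteHostName from the default
 * ccache and send it as KRB_FORWARD.  The forwarded ticket is marked
 * forwardable only when -F (OPTS_FORWARDABLE_CREDS) was given.
 *
 * Failures are reported in debug mode only; the ccache handle, principals
 * and the encoded credentials are released on every path.
 */
void
kerberos5_forward(Authenticator *ap)
{
    krb5_error_code ret;
    krb5_ccache ccache = NULL;
    krb5_creds creds;
    krb5_kdc_flags flags;
    krb5_data out_data;
    krb5_principal principal = NULL;

    memset (&creds, 0, sizeof(creds));
    out_data.data = NULL;
    out_data.length = 0;

    ret = krb5_cc_default (context, &ccache);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get default ccache: %s\r\n",
                    krb5_get_err_text (context, ret));
        return;
    }

    ret = krb5_cc_get_principal (context, ccache, &principal);
    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not get principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    /* creds.client aliases principal; it is freed once, below */
    creds.client = principal;

    ret = krb5_build_principal (context,
                                &creds.server,
                                strlen(principal->realm),
                                principal->realm,
                                "krbtgt",
                                principal->realm,
                                NULL);

    if (ret) {
        if (auth_debug_mode)
            printf ("KerberosV5: could not build krbtgt principal: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    creds.times.endtime = 0;

    flags.i = 0;
    flags.b.forwarded = 1;
    if (forward_flags & OPTS_FORWARDABLE_CREDS)
        flags.b.forwardable = 1;

    ret = krb5_get_forwarded_creds (context,
                                    auth_context,
                                    ccache,
                                    flags.i,
                                    RemoteHostName,
                                    &creds,
                                    &out_data);
    if (ret) {
        if (auth_debug_mode)
            printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
                    krb5_get_err_text (context, ret));
        goto out;
    }

    if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
        if (auth_debug_mode)
            printf("Not enough room for authentication data\r\n");
    } else {
        if (auth_debug_mode)
            printf("Forwarded local Kerberos V5 credentials to server\r\n");
    }
    krb5_data_free(&out_data);

out:
    if (creds.server)
        krb5_free_principal (context, creds.server);
    if (principal)
        krb5_free_principal (context, principal);
    krb5_cc_close (context, ccache);
}

#if defined(DCE)
/* If this was a K5 authentication, try to join a DFS PAG for the user. */
void
kerberos5_dfspag(void)
{
    if (dfsk5ok) {
        dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
                              UserNameRequested);
    }
}
#endif

/*
 * Set (on == 1), clear (on == 0) or toggle (on == -1) credential forwarding.
 * Any other value leaves forward_flags unchanged.  Always returns 0.
 */
int
kerberos5_set_forward(int on)
{
    if(on == 0)
        forward_flags &= ~OPTS_FORWARD_CREDS;
    if(on == 1)
        forward_flags |= OPTS_FORWARD_CREDS;
    if(on == -1)
        forward_flags ^= OPTS_FORWARD_CREDS;
    return 0;
}

/*
 * Set (on == 1), clear (on == 0) or toggle (on == -1) whether forwarded
 * credentials are themselves forwardable.  Any other value leaves
 * forward_flags unchanged.  Always returns 0.
 */
int
kerberos5_set_forwardable(int on)
{
    if(on == 0)
        forward_flags &= ~OPTS_FORWARDABLE_CREDS;
    if(on == 1)
        forward_flags |= OPTS_FORWARDABLE_CREDS;
    if(on == -1)
        forward_flags ^= OPTS_FORWARDABLE_CREDS;
    return 0;
}

#endif /* KRB5 */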