xref: /freebsd/crypto/openssh/gss-serv-krb5.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
2 
3 /*
4  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #include "includes.h"
28 
29 #ifdef GSSAPI
30 #ifdef KRB5
31 
32 #include <sys/types.h>
33 
34 #include <stdarg.h>
35 #include <string.h>
36 
37 #include "xmalloc.h"
38 #include "key.h"
39 #include "hostfile.h"
40 #include "auth.h"
41 #include "log.h"
42 #include "servconf.h"
43 
44 #include "buffer.h"
45 #include "ssh-gss.h"
46 
47 extern ServerOptions options;
48 
49 #ifdef HEIMDAL
50 # include <krb5.h>
51 #else
52 # ifdef HAVE_GSSAPI_KRB5_H
53 #  include <gssapi_krb5.h>
54 # elif HAVE_GSSAPI_GSSAPI_KRB5_H
55 #  include <gssapi/gssapi_krb5.h>
56 # endif
57 #endif
58 
59 static krb5_context krb_context = NULL;
60 
61 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
62 
63 static int
64 ssh_gssapi_krb5_init(void)
65 {
66 	krb5_error_code problem;
67 
68 	if (krb_context != NULL)
69 		return 1;
70 
71 	problem = krb5_init_context(&krb_context);
72 	if (problem) {
73 		logit("Cannot initialize krb5 context");
74 		return 0;
75 	}
76 
77 	return 1;
78 }
79 
80 /* Check if this user is OK to login. This only works with krb5 - other
81  * GSSAPI mechanisms will need their own.
82  * Returns true if the user is OK to log in, otherwise returns 0
83  */
84 
85 static int
86 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
87 {
88 	krb5_principal princ;
89 	int retval;
90 
91 	if (ssh_gssapi_krb5_init() == 0)
92 		return 0;
93 
94 	if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
95 	    &princ))) {
96 		logit("krb5_parse_name(): %.100s",
97 		    krb5_get_err_text(krb_context, retval));
98 		return 0;
99 	}
100 	if (krb5_kuserok(krb_context, princ, name)) {
101 		retval = 1;
102 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
103 		    name, (char *)client->displayname.value);
104 	} else
105 		retval = 0;
106 
107 	krb5_free_principal(krb_context, princ);
108 	return retval;
109 }
110 
111 
112 /* This writes out any forwarded credentials from the structure populated
113  * during userauth. Called after we have setuid to the user */
114 
115 static void
116 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
117 {
118 	krb5_ccache ccache;
119 	krb5_error_code problem;
120 	krb5_principal princ;
121 	OM_uint32 maj_status, min_status;
122 	int len;
123 
124 	if (client->creds == NULL) {
125 		debug("No credentials stored");
126 		return;
127 	}
128 
129 	if (ssh_gssapi_krb5_init() == 0)
130 		return;
131 
132 #ifdef HEIMDAL
133 	if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
134 		logit("krb5_cc_gen_new(): %.100s",
135 		    krb5_get_err_text(krb_context, problem));
136 		return;
137 	}
138 #else
139 	if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
140 		logit("ssh_krb5_cc_gen(): %.100s",
141 		    krb5_get_err_text(krb_context, problem));
142 		return;
143 	}
144 #endif	/* #ifdef HEIMDAL */
145 
146 	if ((problem = krb5_parse_name(krb_context,
147 	    client->exportedname.value, &princ))) {
148 		logit("krb5_parse_name(): %.100s",
149 		    krb5_get_err_text(krb_context, problem));
150 		krb5_cc_destroy(krb_context, ccache);
151 		return;
152 	}
153 
154 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
155 		logit("krb5_cc_initialize(): %.100s",
156 		    krb5_get_err_text(krb_context, problem));
157 		krb5_free_principal(krb_context, princ);
158 		krb5_cc_destroy(krb_context, ccache);
159 		return;
160 	}
161 
162 	krb5_free_principal(krb_context, princ);
163 
164 	if ((maj_status = gss_krb5_copy_ccache(&min_status,
165 	    client->creds, ccache))) {
166 		logit("gss_krb5_copy_ccache() failed");
167 		krb5_cc_destroy(krb_context, ccache);
168 		return;
169 	}
170 
171 	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
172 	client->store.envvar = "KRB5CCNAME";
173 	len = strlen(client->store.filename) + 6;
174 	client->store.envval = xmalloc(len);
175 	snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
176 
177 #ifdef USE_PAM
178 	if (options.use_pam)
179 		do_pam_putenv(client->store.envvar, client->store.envval);
180 #endif
181 
182 	krb5_cc_close(krb_context, ccache);
183 
184 	return;
185 }
186 
187 ssh_gssapi_mech gssapi_kerberos_mech = {
188 	"toWM5Slw5Ew8Mqkay+al2g==",
189 	"Kerberos",
190 	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
191 	NULL,
192 	&ssh_gssapi_krb5_userok,
193 	NULL,
194 	&ssh_gssapi_krb5_storecreds
195 };
196 
197 #endif /* KRB5 */
198 
199 #endif /* GSSAPI */
200