- dugsong@cvs.openbsd.org 2001/06/26 16:15:25

[auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h servconf.c servconf.h session.c sshconnect1.c sshd.c] Kerberos v5 support for SSH1, mostly from Assar Westerlund <assar@freebsd.org> and Bjorn Gronvall <bg@sics.se>. markus@ ok
author: Ben Lindstrom <mouring@eviladmin.org> 2001-07-04 04:21:14 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2001-07-04 04:21:14 +0000
commit: ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch)
tree: 91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /auth-krb4.c
parent: b4c774cf8878d9100fde92ff4e938671c3b0301b (diff)
1 files changed, 172 insertions, 190 deletions
diff --git a/auth-krb4.c b/auth-krb4.c
index 8bb6e3d6f..031dcd301 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.24 2001/06/26 16:15:22 dugsong Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -31,6 +31,7 @@ RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
 #include "xmalloc.h"
 #include "log.h"
 #include "servconf.h"
+#include "uidswap.h"
 #include "auth.h"
 #ifdef AFS
@@ -38,70 +39,114 @@ RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
 #endif
 #ifdef KRB4
-char *ticket = NULL;
 extern ServerOptions options;
+static int
+krb4_init(void *context)
+{
+        static int cleanup_registered = 0;
+        Authctxt *authctxt = (Authctxt *)context;
+        const char *tkt_root = TKT_ROOT;
+        struct stat st;
+        int fd;
+        
+        if (!authctxt->krb4_ticket_file) {
+                /* Set unique ticket string manually since we're still root. */
+                authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
+#ifdef AFS
+                if (lstat("/ticket", &st) != -1)
+                        tkt_root = "/ticket/";
+#endif /* AFS */
+                snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%d",
+                    tkt_root, authctxt->pw->pw_uid, getpid());
+                krb_set_tkt_string(authctxt->krb4_ticket_file);
+        }
+        /* Register ticket cleanup in case of fatal error. */
+        if (!cleanup_registered) {
+                fatal_add_cleanup(krb4_cleanup_proc, authctxt);
+                cleanup_registered = 1;
+        }
+        /* Try to create our ticket file. */
+        if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
+                close(fd);
+                return (1);
+        }
+        /* Ticket file exists - make sure user owns it (just passed ticket). */
+        if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
+                if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
+                    st.st_uid == authctxt->pw->pw_uid)
+                        return (1);
+        }
+        /* Failure - cancel cleanup function, leaving ticket for inspection. */
+        log("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
+        
+        fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
+        cleanup_registered = 0;
+        
+        xfree(authctxt->krb4_ticket_file);
+        authctxt->krb4_ticket_file = NULL;
+        
+        return (0);
+}
 /*
 * try krb4 authentication,
 * return 1 on success, 0 on failure, -1 if krb4 is not available
 */
 int
-auth_krb4_password(struct passwd * pw, const char *password)
+auth_krb4_password(Authctxt *authctxt, const char *password)
 {
        AUTH_DAT adata;
        KTEXT_ST tkt;
        struct hostent *hp;
-        u_long faddr;
+        struct passwd *pw;
-        char localhost[MAXHOSTNAMELEN];
+        char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
-        char phost[INST_SZ];
+        u_int32_t faddr;
-        char realm[REALM_SZ];
        int r;
+        
+        if ((pw = authctxt->pw) == NULL)
+                return (0);
+        
        /*
         * Try Kerberos password authentication only for non-root
         * users and only if Kerberos is installed.
         */
        if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
                /* Set up our ticket file. */
-                if (!krb4_init(pw->pw_uid)) {
+                if (!krb4_init(authctxt)) {
                        log("Couldn't initialize Kerberos ticket file for %s!",
                            pw->pw_name);
-                        goto kerberos_auth_failure;
+                        goto failure;
                }
                /* Try to get TGT using our password. */
-                r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
+                r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
-                    realm, "krbtgt", realm,
+                    "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
-                    DEFAULT_TKT_LIFE, (char *) password);
                if (r != INTK_OK) {
-                        packet_send_debug("Kerberos V4 password "
+                        debug("Kerberos v4 password authentication for %s "
-                            "authentication for %s failed: %s",
+                            "failed: %s", pw->pw_name, krb_err_txt[r]);
-                            pw->pw_name, krb_err_txt[r]);
+                        goto failure;
-                        goto kerberos_auth_failure;
                }
                /* Successful authentication. */
                chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+                
                /*
                 * Now that we have a TGT, try to get a local
                 * "rcmd" ticket to ensure that we are not talking
                 * to a bogus Kerberos server.
                 */
-                (void) gethostname(localhost, sizeof(localhost));
+                gethostname(localhost, sizeof(localhost));
-                (void) strlcpy(phost, (char *) krb_get_phost(localhost),
+                strlcpy(phost, (char *)krb_get_phost(localhost),
-                    INST_SZ);
+                    sizeof(phost));
                r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+                
                if (r == KSUCCESS) {
-                        if (!(hp = gethostbyname(localhost))) {
+                        if ((hp = gethostbyname(localhost)) == NULL) {
                                log("Couldn't get local host address!");
-                                goto kerberos_auth_failure;
+                                goto failure;
                        }
-                        memmove((void *) &faddr, (void *) hp->h_addr,
+                        memmove((void *)&faddr, (void *)hp->h_addr,
                            sizeof(faddr));
+                        
                        /* Verify our "rcmd" ticket. */
                        r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
                            faddr, &adata, "");
@@ -110,119 +155,74 @@ auth_krb4_password(struct passwd * pw, const char *password)
                                 * Probably didn't have a srvtab on
                                 * localhost. Disallow login.
                                 */
-                                log("Kerberos V4 TGT for %s unverifiable, "
+                                log("Kerberos v4 TGT for %s unverifiable, "
                                    "no srvtab installed? krb_rd_req: %s",
                                    pw->pw_name, krb_err_txt[r]);
-                                goto kerberos_auth_failure;
+                                goto failure;
                        } else if (r != KSUCCESS) {
-                                log("Kerberos V4 %s ticket unverifiable: %s",
+                                log("Kerberos v4 %s ticket unverifiable: %s",
                                    KRB4_SERVICE_NAME, krb_err_txt[r]);
-                                goto kerberos_auth_failure;
+                                goto failure;
                        }
                } else if (r == KDC_PR_UNKNOWN) {
                        /*
                         * Disallow login if no rcmd service exists, and
                         * log the error.
                         */
-                        log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+                        log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
                            "not registered, or srvtab is wrong?", pw->pw_name,
-                        krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+                            krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-                        goto kerberos_auth_failure;
+                        goto failure;
                } else {
                        /*
                         * TGT is bad, forget it. Possibly spoofed!
                         */
-                        packet_send_debug("WARNING: Kerberos V4 TGT "
+                        debug("WARNING: Kerberos v4 TGT possibly spoofed "
-                            "possibly spoofed for %s: %s",
+                            "for %s: %s", pw->pw_name, krb_err_txt[r]);
-                            pw->pw_name, krb_err_txt[r]);
+                        goto failure;
-                        goto kerberos_auth_failure;
                }
                /* Authentication succeeded. */
-                return 1;
+                return (1);
+        } else
-kerberos_auth_failure:
-                krb4_cleanup_proc(NULL);
-                if (!options.kerberos_or_local_passwd)
-                        return 0;
-        } else {
                /* Logging in as root or no local Kerberos realm. */
-                packet_send_debug("Unable to authenticate to Kerberos.");
+                debug("Unable to authenticate to Kerberos.");
-        }
+        
+ failure:
+        krb4_cleanup_proc(authctxt);
+        
+        if (!options.kerberos_or_local_passwd)
+                return (0);
+        
        /* Fall back to ordinary passwd authentication. */
-        return -1;
+        return (-1);
 }
 void
-krb4_cleanup_proc(void *ignore)
+krb4_cleanup_proc(void *context)
 {
+        Authctxt *authctxt = (Authctxt *)context;
        debug("krb4_cleanup_proc called");
-        if (ticket) {
+        if (authctxt->krb4_ticket_file) {
                (void) dest_tkt();
-                xfree(ticket);
+                xfree(authctxt->krb4_ticket_file);
-                ticket = NULL;
+                authctxt->krb4_ticket_file = NULL;
-        }
-}
-int
-krb4_init(uid_t uid)
-{
-        static int cleanup_registered = 0;
-        const char *tkt_root = TKT_ROOT;
-        struct stat st;
-        int fd;
-        if (!ticket) {
-                /* Set unique ticket string manually since we're still root. */
-                ticket = xmalloc(MAXPATHLEN);
-#ifdef AFS
-                if (lstat("/ticket", &st) != -1)
-                        tkt_root = "/ticket/";
-#endif /* AFS */
-                snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid());
-                (void) krb_set_tkt_string(ticket);
-        }
-        /* Register ticket cleanup in case of fatal error. */
-        if (!cleanup_registered) {
-                fatal_add_cleanup(krb4_cleanup_proc, NULL);
-                cleanup_registered = 1;
-        }
-        /* Try to create our ticket file. */
-        if ((fd = mkstemp(ticket)) != -1) {
-                close(fd);
-                return 1;
-        }
-        /* Ticket file exists - make sure user owns it (just passed ticket). */
-        if (lstat(ticket, &st) != -1) {
-                if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) &&
-                    st.st_uid == uid)
-                        return 1;
        }
-        /* Failure - cancel cleanup function, leaving bad ticket for inspection. */
-        log("WARNING: bad ticket file %s", ticket);
-        fatal_remove_cleanup(krb4_cleanup_proc, NULL);
-        cleanup_registered = 0;
-        xfree(ticket);
-        ticket = NULL;
-        return 0;
 }
 int
-auth_krb4(const char *server_user, KTEXT auth, char **client)
+auth_krb4(Authctxt *authctxt, KTEXT auth, char **client)
 {
        AUTH_DAT adat = {0};
        KTEXT_ST reply;
+        Key_schedule schedule;
+        struct sockaddr_in local, foreign;
        char instance[INST_SZ];
-        int r, s;
        socklen_t slen;
        u_int cksum;
-        Key_schedule schedule;
+        int r, s;
-        struct sockaddr_in local, foreign;
+        
        s = packet_get_connection_in();
+        
        slen = sizeof(local);
        memset(&local, 0, sizeof(local));
        if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
@@ -235,157 +235,139 @@ auth_krb4(const char *server_user, KTEXT auth, char **client)
        }
        instance[0] = '*';
        instance[1] = 0;
+        
        /* Get the encrypted request, challenge, and session key. */
-        if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {
+        if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
-                packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);
+            0, &adat, ""))) {
-                return 0;
+                debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
+                return (0);
        }
        des_key_sched((des_cblock *) adat.session, schedule);
+        
        *client = xmalloc(MAX_K_NAME_SZ);
        (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
            *adat.pinst ? "." : "", adat.pinst, adat.prealm);
+        
        /* Check ~/.klogin authorization now. */
-        if (kuserok(&adat, (char *) server_user) != KSUCCESS) {
+        if (kuserok(&adat, authctxt->user) != KSUCCESS) {
-                packet_send_debug("Kerberos V4 .klogin authorization failed!");
+                log("Kerberos v4 .klogin authorization failed for %s to "
-                log("Kerberos V4 .klogin authorization failed for %s to account %s",
+                    "account %s", *client, authctxt->user);
-                    *client, server_user);
                xfree(*client);
-                return 0;
+                return (0);
        }
        /* Increment the checksum, and return it encrypted with the
           session key. */
        cksum = adat.checksum + 1;
        cksum = htonl(cksum);
+        
        /* If we can't successfully encrypt the checksum, we send back an
           empty message, admitting our failure. */
        if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
            schedule, &adat.session, &local, &foreign)) < 0) {
-                packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);
+                debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
                reply.dat[0] = 0;
                reply.length = 0;
        } else
                reply.length = r;
+        
        /* Clear session key. */
        memset(&adat.session, 0, sizeof(&adat.session));
+        
        packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
        packet_put_string((char *) reply.dat, reply.length);
        packet_send();
        packet_write_wait();
-        return 1;
+        return (1);
 }
 #endif /* KRB4 */
 #ifdef AFS
 int
-auth_kerberos_tgt(struct passwd *pw, const char *string)
+auth_krb4_tgt(Authctxt *authctxt, const char *string)
 {
        CREDENTIALS creds;
+        struct passwd *pw;
-        if (pw == NULL)
+        
-                goto auth_kerberos_tgt_failure;
+        if ((pw = authctxt->pw) == NULL)
+                goto failure;
+        
+        temporarily_use_uid(pw);
+        
        if (!radix_to_creds(string, &creds)) {
-                log("Protocol error decoding Kerberos V4 tgt");
+                log("Protocol error decoding Kerberos v4 TGT");
-                packet_send_debug("Protocol error decoding Kerberos V4 tgt");
+                goto failure;
-                goto auth_kerberos_tgt_failure;
        }
        if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
                strlcpy(creds.service, "krbtgt", sizeof creds.service);
+        
        if (strcmp(creds.service, "krbtgt")) {
-                log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,
+                log("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
-                    creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
-                    pw->pw_name);
-                packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
                    creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
                    creds.realm, pw->pw_name);
-                goto auth_kerberos_tgt_failure;
+                goto failure;
        }
-        if (!krb4_init(pw->pw_uid))
+        if (!krb4_init(authctxt))
-                goto auth_kerberos_tgt_failure;
+                goto failure;
+        
        if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
-                goto auth_kerberos_tgt_failure;
+                goto failure;
+        
        if (save_credentials(creds.service, creds.instance, creds.realm,
-            creds.session, creds.lifetime, creds.kvno,
+            creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
-            &creds.ticket_st, creds.issue_date) != KSUCCESS) {
+            creds.issue_date) != KSUCCESS) {
-                packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");
+                debug("Kerberos v4 TGT refused: couldn't save credentials");
-                goto auth_kerberos_tgt_failure;
+                goto failure;
        }
        /* Successful authentication, passed all checks. */
        chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+        
-        packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",
+        debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
-            creds.service, creds.instance, creds.realm, creds.pname,
+            creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
-            creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
        memset(&creds, 0, sizeof(creds));
-        packet_start(SSH_SMSG_SUCCESS);
+        
-        packet_send();
+        restore_uid();
-        packet_write_wait();
+        
-        return 1;
+        return (1);
+        
-auth_kerberos_tgt_failure:
+ failure:
-        krb4_cleanup_proc(NULL);
+        krb4_cleanup_proc(authctxt);
        memset(&creds, 0, sizeof(creds));
-        packet_start(SSH_SMSG_FAILURE);
+        restore_uid();
-        packet_send();
+        
-        packet_write_wait();
+        return (0);
-        return 0;
 }
 int
-auth_afs_token(struct passwd *pw, const char *token_string)
+auth_afs_token(Authctxt *authctxt, const char *token_string)
 {
        CREDENTIALS creds;
+        struct passwd *pw;
        uid_t uid;
+        
-        if (pw == NULL) {
+        if ((pw = authctxt->pw) == NULL)
-                /* XXX fake protocol error */
+                return (0);
-                packet_send_debug("Protocol error decoding AFS token");
+        
-                packet_start(SSH_SMSG_FAILURE);
-                packet_send();
-                packet_write_wait();
-                return 0;
-        }
        if (!radix_to_creds(token_string, &creds)) {
                log("Protocol error decoding AFS token");
-                packet_send_debug("Protocol error decoding AFS token");
+                return (0);
-                packet_start(SSH_SMSG_FAILURE);
-                packet_send();
-                packet_write_wait();
-                return 0;
        }
        if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
                strlcpy(creds.service, "afs", sizeof creds.service);
+        
        if (strncmp(creds.pname, "AFS ID ", 7) == 0)
                uid = atoi(creds.pname + 7);
        else
                uid = pw->pw_uid;
+        
        if (kafs_settoken(creds.realm, uid, &creds)) {
-                log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
+                log("AFS token (%s@%s) rejected for %s",
-                    pw->pw_name);
+                    creds.pname, creds.realm, pw->pw_name);
-                packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
-                    creds.realm, pw->pw_name);
                memset(&creds, 0, sizeof(creds));
-                packet_start(SSH_SMSG_FAILURE);
+                return (0);
-                packet_send();
-                packet_write_wait();
-                return 0;
        }
-        packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,
+        debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
-            creds.realm, creds.pname, creds.realm);
        memset(&creds, 0, sizeof(creds));
-        packet_start(SSH_SMSG_SUCCESS);
+        
-        packet_send();
+        return (1);
-        packet_write_wait();
-        return 1;
 }
 #endif /* AFS */
author	Ben Lindstrom <mouring@eviladmin.org>	2001-07-04 04:21:14 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2001-07-04 04:21:14 +0000
commit	ec95ed9b4ca014643a0272f6fa5b24ac9c70d263 (patch)
tree	91a5c1b319337e52f7cc80742eda081f6dbfd6c2 /auth-krb4.c
parent	b4c774cf8878d9100fde92ff4e938671c3b0301b (diff)

diff --git a/auth-krb4.c b/auth-krb4.c index 8bb6e3d6f..031dcd301 100644 --- a/auth-krb4.c +++ b/auth-krb4.c
@@ -23,7 +23,7 @@
23	*/	23	*/
24		24
25	#include "includes.h"	25	#include "includes.h"
26	RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");	26	RCSID("$OpenBSD: auth-krb4.c,v 1.24 2001/06/26 16:15:22 dugsong Exp $");
27		27
28	#include "ssh.h"	28	#include "ssh.h"
29	#include "ssh1.h"	29	#include "ssh1.h"
@@ -31,6 +31,7 @@ RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
31	#include "xmalloc.h"	31	#include "xmalloc.h"
32	#include "log.h"	32	#include "log.h"
33	#include "servconf.h"	33	#include "servconf.h"
		34	#include "uidswap.h"
34	#include "auth.h"	35	#include "auth.h"
35		36
36	#ifdef AFS	37	#ifdef AFS
@@ -38,70 +39,114 @@ RCSID("$OpenBSD: auth-krb4.c,v 1.23 2001/01/22 08:15:00 markus Exp $");
38	#endif	39	#endif
39		40
40	#ifdef KRB4	41	#ifdef KRB4
41	char *ticket = NULL;
42
43	extern ServerOptions options;	42	extern ServerOptions options;
44		43
		44	static int
		45	krb4_init(void *context)
		46	{
		47	static int cleanup_registered = 0;
		48	Authctxt authctxt = (Authctxt )context;
		49	const char *tkt_root = TKT_ROOT;
		50	struct stat st;
		51	int fd;
		52
		53	if (!authctxt->krb4_ticket_file) {
		54	/* Set unique ticket string manually since we're still root. */
		55	authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN);
		56	#ifdef AFS
		57	if (lstat("/ticket", &st) != -1)
		58	tkt_root = "/ticket/";
		59	#endif /* AFS */
		60	snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%d",
		61	tkt_root, authctxt->pw->pw_uid, getpid());
		62	krb_set_tkt_string(authctxt->krb4_ticket_file);
		63	}
		64	/* Register ticket cleanup in case of fatal error. */
		65	if (!cleanup_registered) {
		66	fatal_add_cleanup(krb4_cleanup_proc, authctxt);
		67	cleanup_registered = 1;
		68	}
		69	/* Try to create our ticket file. */
		70	if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) {
		71	close(fd);
		72	return (1);
		73	}
		74	/* Ticket file exists - make sure user owns it (just passed ticket). */
		75	if (lstat(authctxt->krb4_ticket_file, &st) != -1) {
		76	if (st.st_mode == (S_IFREG \| S_IRUSR \| S_IWUSR) &&
		77	st.st_uid == authctxt->pw->pw_uid)
		78	return (1);
		79	}
		80	/* Failure - cancel cleanup function, leaving ticket for inspection. */
		81	log("WARNING: bad ticket file %s", authctxt->krb4_ticket_file);
		82
		83	fatal_remove_cleanup(krb4_cleanup_proc, authctxt);
		84	cleanup_registered = 0;
		85
		86	xfree(authctxt->krb4_ticket_file);
		87	authctxt->krb4_ticket_file = NULL;
		88
		89	return (0);
		90	}
		91
45	/*	92	/*
46	* try krb4 authentication,	93	* try krb4 authentication,
47	* return 1 on success, 0 on failure, -1 if krb4 is not available	94	* return 1 on success, 0 on failure, -1 if krb4 is not available
48	*/	95	*/
49
50	int	96	int
51	auth_krb4_password(struct passwd * pw, const char *password)	97	auth_krb4_password(Authctxt authctxt, const char password)
52	{	98	{
53	AUTH_DAT adata;	99	AUTH_DAT adata;
54	KTEXT_ST tkt;	100	KTEXT_ST tkt;
55	struct hostent *hp;	101	struct hostent *hp;
56	u_long faddr;	102	struct passwd *pw;
57	char localhost[MAXHOSTNAMELEN];	103	char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ];
58	char phost[INST_SZ];	104	u_int32_t faddr;
59	char realm[REALM_SZ];
60	int r;	105	int r;
61		106
		107	if ((pw = authctxt->pw) == NULL)
		108	return (0);
		109
62	/*	110	/*
63	* Try Kerberos password authentication only for non-root	111	* Try Kerberos password authentication only for non-root
64	* users and only if Kerberos is installed.	112	* users and only if Kerberos is installed.
65	*/	113	*/
66	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {	114	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
67
68	/* Set up our ticket file. */	115	/* Set up our ticket file. */
69	if (!krb4_init(pw->pw_uid)) {	116	if (!krb4_init(authctxt)) {
70	log("Couldn't initialize Kerberos ticket file for %s!",	117	log("Couldn't initialize Kerberos ticket file for %s!",
71	pw->pw_name);	118	pw->pw_name);
72	goto kerberos_auth_failure;	119	goto failure;
73	}	120	}
74	/* Try to get TGT using our password. */	121	/* Try to get TGT using our password. */
75	r = krb_get_pw_in_tkt((char *) pw->pw_name, "",	122	r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm,
76	realm, "krbtgt", realm,	123	"krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password);
77	DEFAULT_TKT_LIFE, (char *) password);
78	if (r != INTK_OK) {	124	if (r != INTK_OK) {
79	packet_send_debug("Kerberos V4 password "	125	debug("Kerberos v4 password authentication for %s "
80	"authentication for %s failed: %s",	126	"failed: %s", pw->pw_name, krb_err_txt[r]);
81	pw->pw_name, krb_err_txt[r]);	127	goto failure;
82	goto kerberos_auth_failure;
83	}	128	}
84	/* Successful authentication. */	129	/* Successful authentication. */
85	chown(tkt_string(), pw->pw_uid, pw->pw_gid);	130	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
86		131
87	/*	132	/*
88	* Now that we have a TGT, try to get a local	133	* Now that we have a TGT, try to get a local
89	* "rcmd" ticket to ensure that we are not talking	134	* "rcmd" ticket to ensure that we are not talking
90	* to a bogus Kerberos server.	135	* to a bogus Kerberos server.
91	*/	136	*/
92	(void) gethostname(localhost, sizeof(localhost));	137	gethostname(localhost, sizeof(localhost));
93	(void) strlcpy(phost, (char *) krb_get_phost(localhost),	138	strlcpy(phost, (char *)krb_get_phost(localhost),
94	INST_SZ);	139	sizeof(phost));
95	r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);	140	r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
96		141
97	if (r == KSUCCESS) {	142	if (r == KSUCCESS) {
98	if (!(hp = gethostbyname(localhost))) {	143	if ((hp = gethostbyname(localhost)) == NULL) {
99	log("Couldn't get local host address!");	144	log("Couldn't get local host address!");
100	goto kerberos_auth_failure;	145	goto failure;
101	}	146	}
102	memmove((void ) &faddr, (void ) hp->h_addr,	147	memmove((void )&faddr, (void )hp->h_addr,
103	sizeof(faddr));	148	sizeof(faddr));
104		149
105	/* Verify our "rcmd" ticket. */	150	/* Verify our "rcmd" ticket. */
106	r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,	151	r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
107	faddr, &adata, "");	152	faddr, &adata, "");
@@ -110,119 +155,74 @@ auth_krb4_password(struct passwd * pw, const char *password)
110	* Probably didn't have a srvtab on	155	* Probably didn't have a srvtab on
111	* localhost. Disallow login.	156	* localhost. Disallow login.
112	*/	157	*/
113	log("Kerberos V4 TGT for %s unverifiable, "	158	log("Kerberos v4 TGT for %s unverifiable, "
114	"no srvtab installed? krb_rd_req: %s",	159	"no srvtab installed? krb_rd_req: %s",
115	pw->pw_name, krb_err_txt[r]);	160	pw->pw_name, krb_err_txt[r]);
116	goto kerberos_auth_failure;	161	goto failure;
117	} else if (r != KSUCCESS) {	162	} else if (r != KSUCCESS) {
118	log("Kerberos V4 %s ticket unverifiable: %s",	163	log("Kerberos v4 %s ticket unverifiable: %s",
119	KRB4_SERVICE_NAME, krb_err_txt[r]);	164	KRB4_SERVICE_NAME, krb_err_txt[r]);
120	goto kerberos_auth_failure;	165	goto failure;
121	}	166	}
122	} else if (r == KDC_PR_UNKNOWN) {	167	} else if (r == KDC_PR_UNKNOWN) {
123	/*	168	/*
124	* Disallow login if no rcmd service exists, and	169	* Disallow login if no rcmd service exists, and
125	* log the error.	170	* log the error.
126	*/	171	*/
127	log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "	172	log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
128	"not registered, or srvtab is wrong?", pw->pw_name,	173	"not registered, or srvtab is wrong?", pw->pw_name,
129	krb_err_txt[r], KRB4_SERVICE_NAME, phost);	174	krb_err_txt[r], KRB4_SERVICE_NAME, phost);
130	goto kerberos_auth_failure;	175	goto failure;
131	} else {	176	} else {
132	/*	177	/*
133	* TGT is bad, forget it. Possibly spoofed!	178	* TGT is bad, forget it. Possibly spoofed!
134	*/	179	*/
135	packet_send_debug("WARNING: Kerberos V4 TGT "	180	debug("WARNING: Kerberos v4 TGT possibly spoofed "
136	"possibly spoofed for %s: %s",	181	"for %s: %s", pw->pw_name, krb_err_txt[r]);
137	pw->pw_name, krb_err_txt[r]);	182	goto failure;
138	goto kerberos_auth_failure;
139	}	183	}
140
141	/* Authentication succeeded. */	184	/* Authentication succeeded. */
142	return 1;	185	return (1);
143		186	} else
144	kerberos_auth_failure:
145	krb4_cleanup_proc(NULL);
146
147	if (!options.kerberos_or_local_passwd)
148	return 0;
149	} else {
150	/* Logging in as root or no local Kerberos realm. */	187	/* Logging in as root or no local Kerberos realm. */
151	packet_send_debug("Unable to authenticate to Kerberos.");	188	debug("Unable to authenticate to Kerberos.");
152	}	189
		190	failure:
		191	krb4_cleanup_proc(authctxt);
		192
		193	if (!options.kerberos_or_local_passwd)
		194	return (0);
		195
153	/* Fall back to ordinary passwd authentication. */	196	/* Fall back to ordinary passwd authentication. */
154	return -1;	197	return (-1);
155	}	198	}
156		199
157	void	200	void
158	krb4_cleanup_proc(void *ignore)	201	krb4_cleanup_proc(void *context)
159	{	202	{
		203	Authctxt authctxt = (Authctxt )context;
160	debug("krb4_cleanup_proc called");	204	debug("krb4_cleanup_proc called");
161	if (ticket) {	205	if (authctxt->krb4_ticket_file) {
162	(void) dest_tkt();	206	(void) dest_tkt();
163	xfree(ticket);	207	xfree(authctxt->krb4_ticket_file);
164	ticket = NULL;	208	authctxt->krb4_ticket_file = NULL;
165	}
166	}
167
168	int
169	krb4_init(uid_t uid)
170	{
171	static int cleanup_registered = 0;
172	const char *tkt_root = TKT_ROOT;
173	struct stat st;
174	int fd;
175
176	if (!ticket) {
177	/* Set unique ticket string manually since we're still root. */
178	ticket = xmalloc(MAXPATHLEN);
179	#ifdef AFS
180	if (lstat("/ticket", &st) != -1)
181	tkt_root = "/ticket/";
182	#endif /* AFS */
183	snprintf(ticket, MAXPATHLEN, "%s%u_%d", tkt_root, uid, getpid());
184	(void) krb_set_tkt_string(ticket);
185	}
186	/* Register ticket cleanup in case of fatal error. */
187	if (!cleanup_registered) {
188	fatal_add_cleanup(krb4_cleanup_proc, NULL);
189	cleanup_registered = 1;
190	}
191	/* Try to create our ticket file. */
192	if ((fd = mkstemp(ticket)) != -1) {
193	close(fd);
194	return 1;
195	}
196	/* Ticket file exists - make sure user owns it (just passed ticket). */
197	if (lstat(ticket, &st) != -1) {
198	if (st.st_mode == (S_IFREG \| S_IRUSR \| S_IWUSR) &&
199	st.st_uid == uid)
200	return 1;
201	}	209	}
202	/* Failure - cancel cleanup function, leaving bad ticket for inspection. */
203	log("WARNING: bad ticket file %s", ticket);
204	fatal_remove_cleanup(krb4_cleanup_proc, NULL);
205	cleanup_registered = 0;
206	xfree(ticket);
207	ticket = NULL;
208
209	return 0;
210	}	210	}
211		211
212	int	212	int
213	auth_krb4(const char server_user, KTEXT auth, char *client)	213	auth_krb4(Authctxt authctxt, KTEXT auth, char *client)
214	{	214	{
215	AUTH_DAT adat = {0};	215	AUTH_DAT adat = {0};
216	KTEXT_ST reply;	216	KTEXT_ST reply;
		217	Key_schedule schedule;
		218	struct sockaddr_in local, foreign;
217	char instance[INST_SZ];	219	char instance[INST_SZ];
218	int r, s;
219	socklen_t slen;	220	socklen_t slen;
220	u_int cksum;	221	u_int cksum;
221	Key_schedule schedule;	222	int r, s;
222	struct sockaddr_in local, foreign;	223
223
224	s = packet_get_connection_in();	224	s = packet_get_connection_in();
225		225
226	slen = sizeof(local);	226	slen = sizeof(local);
227	memset(&local, 0, sizeof(local));	227	memset(&local, 0, sizeof(local));
228	if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)	228	if (getsockname(s, (struct sockaddr *) & local, &slen) < 0)
@@ -235,157 +235,139 @@ auth_krb4(const char server_user, KTEXT auth, char *client)
235	}	235	}
236	instance[0] = '*';	236	instance[0] = '*';
237	instance[1] = 0;	237	instance[1] = 0;
238		238
239	/* Get the encrypted request, challenge, and session key. */	239	/* Get the encrypted request, challenge, and session key. */
240	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, ""))) {	240	if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance,
241	packet_send_debug("Kerberos V4 krb_rd_req: %.100s", krb_err_txt[r]);	241	0, &adat, ""))) {
242	return 0;	242	debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]);
		243	return (0);
243	}	244	}
244	des_key_sched((des_cblock *) adat.session, schedule);	245	des_key_sched((des_cblock *) adat.session, schedule);
245		246
246	*client = xmalloc(MAX_K_NAME_SZ);	247	*client = xmalloc(MAX_K_NAME_SZ);
247	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,	248	(void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname,
248	*adat.pinst ? "." : "", adat.pinst, adat.prealm);	249	*adat.pinst ? "." : "", adat.pinst, adat.prealm);
249		250
250	/* Check ~/.klogin authorization now. */	251	/* Check ~/.klogin authorization now. */
251	if (kuserok(&adat, (char *) server_user) != KSUCCESS) {	252	if (kuserok(&adat, authctxt->user) != KSUCCESS) {
252	packet_send_debug("Kerberos V4 .klogin authorization failed!");	253	log("Kerberos v4 .klogin authorization failed for %s to "
253	log("Kerberos V4 .klogin authorization failed for %s to account %s",	254	"account %s", *client, authctxt->user);
254	*client, server_user);
255	xfree(*client);	255	xfree(*client);
256	return 0;	256	return (0);
257	}	257	}
258	/* Increment the checksum, and return it encrypted with the	258	/* Increment the checksum, and return it encrypted with the
259	session key. */	259	session key. */
260	cksum = adat.checksum + 1;	260	cksum = adat.checksum + 1;
261	cksum = htonl(cksum);	261	cksum = htonl(cksum);
262		262
263	/* If we can't successfully encrypt the checksum, we send back an	263	/* If we can't successfully encrypt the checksum, we send back an
264	empty message, admitting our failure. */	264	empty message, admitting our failure. */
265	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,	265	if ((r = krb_mk_priv((u_char *) & cksum, reply.dat, sizeof(cksum) + 1,
266	schedule, &adat.session, &local, &foreign)) < 0) {	266	schedule, &adat.session, &local, &foreign)) < 0) {
267	packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]);	267	debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]);
268	reply.dat[0] = 0;	268	reply.dat[0] = 0;
269	reply.length = 0;	269	reply.length = 0;
270	} else	270	} else
271	reply.length = r;	271	reply.length = r;
272		272
273	/* Clear session key. */	273	/* Clear session key. */
274	memset(&adat.session, 0, sizeof(&adat.session));	274	memset(&adat.session, 0, sizeof(&adat.session));
275		275
276	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);	276	packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE);
277	packet_put_string((char *) reply.dat, reply.length);	277	packet_put_string((char *) reply.dat, reply.length);
278	packet_send();	278	packet_send();
279	packet_write_wait();	279	packet_write_wait();
280	return 1;	280	return (1);
281	}	281	}
282	#endif /* KRB4 */	282	#endif /* KRB4 */
283		283
284	#ifdef AFS	284	#ifdef AFS
285	int	285	int
286	auth_kerberos_tgt(struct passwd pw, const char string)	286	auth_krb4_tgt(Authctxt authctxt, const char string)
287	{	287	{
288	CREDENTIALS creds;	288	CREDENTIALS creds;
289		289	struct passwd *pw;
290	if (pw == NULL)	290
291	goto auth_kerberos_tgt_failure;	291	if ((pw = authctxt->pw) == NULL)
		292	goto failure;
		293
		294	temporarily_use_uid(pw);
		295
292	if (!radix_to_creds(string, &creds)) {	296	if (!radix_to_creds(string, &creds)) {
293	log("Protocol error decoding Kerberos V4 tgt");	297	log("Protocol error decoding Kerberos v4 TGT");
294	packet_send_debug("Protocol error decoding Kerberos V4 tgt");	298	goto failure;
295	goto auth_kerberos_tgt_failure;
296	}	299	}
297	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */	300	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
298	strlcpy(creds.service, "krbtgt", sizeof creds.service);	301	strlcpy(creds.service, "krbtgt", sizeof creds.service);
299		302
300	if (strcmp(creds.service, "krbtgt")) {	303	if (strcmp(creds.service, "krbtgt")) {
301	log("Kerberos V4 tgt (%s%s%s@%s) rejected for %s", creds.pname,	304	log("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
302	creds.pinst[0] ? "." : "", creds.pinst, creds.realm,
303	pw->pw_name);
304	packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for %s",
305	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,	305	creds.pname, creds.pinst[0] ? "." : "", creds.pinst,
306	creds.realm, pw->pw_name);	306	creds.realm, pw->pw_name);
307	goto auth_kerberos_tgt_failure;	307	goto failure;
308	}	308	}
309	if (!krb4_init(pw->pw_uid))	309	if (!krb4_init(authctxt))
310	goto auth_kerberos_tgt_failure;	310	goto failure;
311		311
312	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)	312	if (in_tkt(creds.pname, creds.pinst) != KSUCCESS)
313	goto auth_kerberos_tgt_failure;	313	goto failure;
314		314
315	if (save_credentials(creds.service, creds.instance, creds.realm,	315	if (save_credentials(creds.service, creds.instance, creds.realm,
316	creds.session, creds.lifetime, creds.kvno,	316	creds.session, creds.lifetime, creds.kvno, &creds.ticket_st,
317	&creds.ticket_st, creds.issue_date) != KSUCCESS) {	317	creds.issue_date) != KSUCCESS) {
318	packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials");	318	debug("Kerberos v4 TGT refused: couldn't save credentials");
319	goto auth_kerberos_tgt_failure;	319	goto failure;
320	}	320	}
321	/* Successful authentication, passed all checks. */	321	/* Successful authentication, passed all checks. */
322	chown(tkt_string(), pw->pw_uid, pw->pw_gid);	322	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
323		323
324	packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)",	324	debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
325	creds.service, creds.instance, creds.realm, creds.pname,	325	creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
326	creds.pinst[0] ? "." : "", creds.pinst, creds.realm);
327	memset(&creds, 0, sizeof(creds));	326	memset(&creds, 0, sizeof(creds));
328	packet_start(SSH_SMSG_SUCCESS);	327
329	packet_send();	328	restore_uid();
330	packet_write_wait();	329
331	return 1;	330	return (1);
332		331
333	auth_kerberos_tgt_failure:	332	failure:
334	krb4_cleanup_proc(NULL);	333	krb4_cleanup_proc(authctxt);
335	memset(&creds, 0, sizeof(creds));	334	memset(&creds, 0, sizeof(creds));
336	packet_start(SSH_SMSG_FAILURE);	335	restore_uid();
337	packet_send();	336
338	packet_write_wait();	337	return (0);
339	return 0;
340	}	338	}
341		339
342	int	340	int
343	auth_afs_token(struct passwd pw, const char token_string)	341	auth_afs_token(Authctxt authctxt, const char token_string)
344	{	342	{
345	CREDENTIALS creds;	343	CREDENTIALS creds;
		344	struct passwd *pw;
346	uid_t uid;	345	uid_t uid;
347		346
348	if (pw == NULL) {	347	if ((pw = authctxt->pw) == NULL)
349	/* XXX fake protocol error */	348	return (0);
350	packet_send_debug("Protocol error decoding AFS token");	349
351	packet_start(SSH_SMSG_FAILURE);
352	packet_send();
353	packet_write_wait();
354	return 0;
355	}
356	if (!radix_to_creds(token_string, &creds)) {	350	if (!radix_to_creds(token_string, &creds)) {
357	log("Protocol error decoding AFS token");	351	log("Protocol error decoding AFS token");
358	packet_send_debug("Protocol error decoding AFS token");	352	return (0);
359	packet_start(SSH_SMSG_FAILURE);
360	packet_send();
361	packet_write_wait();
362	return 0;
363	}	353	}
364	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */	354	if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */
365	strlcpy(creds.service, "afs", sizeof creds.service);	355	strlcpy(creds.service, "afs", sizeof creds.service);
366		356
367	if (strncmp(creds.pname, "AFS ID ", 7) == 0)	357	if (strncmp(creds.pname, "AFS ID ", 7) == 0)
368	uid = atoi(creds.pname + 7);	358	uid = atoi(creds.pname + 7);
369	else	359	else
370	uid = pw->pw_uid;	360	uid = pw->pw_uid;
371		361
372	if (kafs_settoken(creds.realm, uid, &creds)) {	362	if (kafs_settoken(creds.realm, uid, &creds)) {
373	log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,	363	log("AFS token (%s@%s) rejected for %s",
374	pw->pw_name);	364	creds.pname, creds.realm, pw->pw_name);
375	packet_send_debug("AFS token (%s@%s) rejected for %s", creds.pname,
376	creds.realm, pw->pw_name);
377	memset(&creds, 0, sizeof(creds));	365	memset(&creds, 0, sizeof(creds));
378	packet_start(SSH_SMSG_FAILURE);	366	return (0);
379	packet_send();
380	packet_write_wait();
381	return 0;
382	}	367	}
383	packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service,	368	debug("AFS token accepted (%s@%s)", creds.pname, creds.realm);
384	creds.realm, creds.pname, creds.realm);
385	memset(&creds, 0, sizeof(creds));	369	memset(&creds, 0, sizeof(creds));
386	packet_start(SSH_SMSG_SUCCESS);	370
387	packet_send();	371	return (1);
388	packet_write_wait();
389	return 1;
390	}	372	}
391	#endif /* AFS */	373	#endif /* AFS */