- (djm) Add KrbV support patch from Simon Wilkinson <simon@sxw.org.uk>

author: Damien Miller <djm@mindrot.org> 2002-04-13 11:04:40 +1000
committer: Damien Miller <djm@mindrot.org> 2002-04-13 11:04:40 +1000
commit: fd4c9eee25e4e796b714477c3fbb0286ebe50fb7 (patch)
tree: 2b9995e4425eac437a6f1b195abf9f096cda0edb /auth-krb5.c
parent: 927dfd2d7eb8801e444a3bcff7fdf7a628a779f0 (diff)
1 files changed, 114 insertions, 1 deletions
diff --git a/auth-krb5.c b/auth-krb5.c
index f878b511f..76c2419aa 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -41,6 +41,9 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 extern ServerOptions     options;
@@ -93,8 +96,15 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
                goto err;
        fd = packet_get_connection_in();
+#ifdef HEIMDAL
        problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
            authctxt->krb5_auth_ctx, &fd);
+#else
+        problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
+            authctxt->krb5_auth_ctx,fd,
+            KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+            KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
        if (problem)
                goto err;
@@ -108,8 +118,14 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
        if (problem)
                goto err;
+#ifdef HEIMDAL
        problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
            &authctxt->krb5_user);
+#else
+        problem = krb5_copy_principal(authctxt->krb5_ctx, 
+                                      ticket->enc_part2->client,
+                                      &authctxt->krb5_user);
+#endif
        if (problem)
                goto err;
@@ -160,13 +176,37 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
        krb5_error_code problem;
        krb5_ccache ccache = NULL;
        char *pname;
+        krb5_creds **creds;
        if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
                return (0);
        temporarily_use_uid(authctxt->pw);
+#ifdef HEIMDAL
        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
+#else
+{
+        char ccname[40];
+        int tmpfd;
+        
+        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+        
+        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+                log("mkstemp(): %.100s", strerror(errno));
+                problem = errno;
+                goto fail;
+        }
+        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+                log("fchmod(): %.100s", strerror(errno));
+                close(tmpfd);
+                problem = errno;
+                goto fail;
+        }
+        close(tmpfd);
+        problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+}
+#endif
        if (problem)
                goto fail;
@@ -175,10 +215,20 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
        if (problem)
                goto fail;
+#ifdef HEIMDAL
        problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
            ccache, tgt);
        if (problem)
                goto fail;
+#else
+        problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
+            tgt, &creds, NULL);
+        if (problem)
+                goto fail;
+        problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
+        if (problem)
+                goto fail;
+#endif
        authctxt->krb5_fwd_ccache = ccache;
        ccache = NULL;
@@ -211,6 +261,12 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
+#ifndef HEIMDAL
+        krb5_creds creds;
+        krb5_principal server;
+        char ccname[40];
+        int tmpfd;
+#endif  
        krb5_error_code problem;
        if (authctxt->pw == NULL)
@@ -227,6 +283,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        if (problem)
                goto out;
+#ifdef HEIMDAL
        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
            &authctxt->krb5_fwd_ccache);
        if (problem)
@@ -245,13 +302,69 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        if (problem)
                goto out;
+#else
+        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+            authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+        if (problem)
+                goto out;
+        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+            KRB5_NT_SRV_HST, &server);
+        if (problem)
+                goto out;
+        restore_uid();
+        problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+            NULL, NULL, NULL);
+        krb5_free_principal(authctxt->krb5_ctx, server);
+        temporarily_use_uid(authctxt->pw);
+        if (problem)
+                goto out;
+        
+        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, 
+                          authctxt->pw->pw_name)) {
+                problem = -1;
+                goto out;
+        } 
+        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+        
+        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+                log("mkstemp(): %.100s", strerror(errno));
+                problem = errno;
+                goto out;
+        }
+        
+        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+                log("fchmod(): %.100s", strerror(errno));
+                close(tmpfd);
+                problem = errno;
+                goto out;
+        }
+        close(tmpfd);
+        problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+        if (problem)
+                goto out;
+        problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+                                     authctxt->krb5_user);
+        if (problem)
+                goto out;
+                                
+        problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+                                 &creds);
+        if (problem)
+                goto out;
+#endif          
        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 out:
        restore_uid();
        if (problem) {
-                if (authctxt->krb5_ctx != NULL)
+                if (authctxt->krb5_ctx != NULL && problem!=-1)
                        debug("Kerberos password authentication failed: %s",
                            krb5_get_err_text(authctxt->krb5_ctx, problem));
                else
author	Damien Miller <djm@mindrot.org>	2002-04-13 11:04:40 +1000
committer	Damien Miller <djm@mindrot.org>	2002-04-13 11:04:40 +1000
commit	fd4c9eee25e4e796b714477c3fbb0286ebe50fb7 (patch)
tree	2b9995e4425eac437a6f1b195abf9f096cda0edb /auth-krb5.c
parent	927dfd2d7eb8801e444a3bcff7fdf7a628a779f0 (diff)

diff --git a/auth-krb5.c b/auth-krb5.c index f878b511f..76c2419aa 100644 --- a/auth-krb5.c +++ b/auth-krb5.c
@@ -41,6 +41,9 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
41		41
42	#ifdef KRB5	42	#ifdef KRB5
43	#include <krb5.h>	43	#include <krb5.h>
		44	#ifndef HEIMDAL
		45	#define krb5_get_err_text(context,code) error_message(code)
		46	#endif /* !HEIMDAL */
44		47
45	extern ServerOptions options;	48	extern ServerOptions options;
46		49
@@ -93,8 +96,15 @@ auth_krb5(Authctxt authctxt, krb5_data auth, char **client)
93	goto err;	96	goto err;
94		97
95	fd = packet_get_connection_in();	98	fd = packet_get_connection_in();
		99	#ifdef HEIMDAL
96	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,	100	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
97	authctxt->krb5_auth_ctx, &fd);	101	authctxt->krb5_auth_ctx, &fd);
		102	#else
		103	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
		104	authctxt->krb5_auth_ctx,fd,
		105	KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR \|
		106	KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
		107	#endif
98	if (problem)	108	if (problem)
99	goto err;	109	goto err;
100		110
@@ -108,8 +118,14 @@ auth_krb5(Authctxt authctxt, krb5_data auth, char **client)
108	if (problem)	118	if (problem)
109	goto err;	119	goto err;
110		120
		121	#ifdef HEIMDAL
111	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,	122	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
112	&authctxt->krb5_user);	123	&authctxt->krb5_user);
		124	#else
		125	problem = krb5_copy_principal(authctxt->krb5_ctx,
		126	ticket->enc_part2->client,
		127	&authctxt->krb5_user);
		128	#endif
113	if (problem)	129	if (problem)
114	goto err;	130	goto err;
115		131
@@ -160,13 +176,37 @@ auth_krb5_tgt(Authctxt authctxt, krb5_data tgt)
160	krb5_error_code problem;	176	krb5_error_code problem;
161	krb5_ccache ccache = NULL;	177	krb5_ccache ccache = NULL;
162	char *pname;	178	char *pname;
		179	krb5_creds **creds;
163		180
164	if (authctxt->pw == NULL \|\| authctxt->krb5_user == NULL)	181	if (authctxt->pw == NULL \|\| authctxt->krb5_user == NULL)
165	return (0);	182	return (0);
166		183
167	temporarily_use_uid(authctxt->pw);	184	temporarily_use_uid(authctxt->pw);
168		185
		186	#ifdef HEIMDAL
169	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);	187	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
		188	#else
		189	{
		190	char ccname[40];
		191	int tmpfd;
		192
		193	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
		194
		195	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
		196	log("mkstemp(): %.100s", strerror(errno));
		197	problem = errno;
		198	goto fail;
		199	}
		200	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
		201	log("fchmod(): %.100s", strerror(errno));
		202	close(tmpfd);
		203	problem = errno;
		204	goto fail;
		205	}
		206	close(tmpfd);
		207	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
		208	}
		209	#endif
170	if (problem)	210	if (problem)
171	goto fail;	211	goto fail;
172		212
@@ -175,10 +215,20 @@ auth_krb5_tgt(Authctxt authctxt, krb5_data tgt)
175	if (problem)	215	if (problem)
176	goto fail;	216	goto fail;
177		217
		218	#ifdef HEIMDAL
178	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,	219	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
179	ccache, tgt);	220	ccache, tgt);
180	if (problem)	221	if (problem)
181	goto fail;	222	goto fail;
		223	#else
		224	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
		225	tgt, &creds, NULL);
		226	if (problem)
		227	goto fail;
		228	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
		229	if (problem)
		230	goto fail;
		231	#endif
182		232
183	authctxt->krb5_fwd_ccache = ccache;	233	authctxt->krb5_fwd_ccache = ccache;
184	ccache = NULL;	234	ccache = NULL;
@@ -211,6 +261,12 @@ auth_krb5_tgt(Authctxt authctxt, krb5_data tgt)
211	int	261	int
212	auth_krb5_password(Authctxt authctxt, const char password)	262	auth_krb5_password(Authctxt authctxt, const char password)
213	{	263	{
		264	#ifndef HEIMDAL
		265	krb5_creds creds;
		266	krb5_principal server;
		267	char ccname[40];
		268	int tmpfd;
		269	#endif
214	krb5_error_code problem;	270	krb5_error_code problem;
215		271
216	if (authctxt->pw == NULL)	272	if (authctxt->pw == NULL)
@@ -227,6 +283,7 @@ auth_krb5_password(Authctxt authctxt, const char password)
227	if (problem)	283	if (problem)
228	goto out;	284	goto out;
229		285
		286	#ifdef HEIMDAL
230	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,	287	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
231	&authctxt->krb5_fwd_ccache);	288	&authctxt->krb5_fwd_ccache);
232	if (problem)	289	if (problem)
@@ -245,13 +302,69 @@ auth_krb5_password(Authctxt authctxt, const char password)
245	if (problem)	302	if (problem)
246	goto out;	303	goto out;
247		304
		305	#else
		306	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
		307	authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
		308	if (problem)
		309	goto out;
		310
		311	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
		312	KRB5_NT_SRV_HST, &server);
		313	if (problem)
		314	goto out;
		315
		316	restore_uid();
		317	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
		318	NULL, NULL, NULL);
		319	krb5_free_principal(authctxt->krb5_ctx, server);
		320	temporarily_use_uid(authctxt->pw);
		321	if (problem)
		322	goto out;
		323
		324	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
		325	authctxt->pw->pw_name)) {
		326	problem = -1;
		327	goto out;
		328	}
		329
		330	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
		331
		332	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
		333	log("mkstemp(): %.100s", strerror(errno));
		334	problem = errno;
		335	goto out;
		336	}
		337
		338	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
		339	log("fchmod(): %.100s", strerror(errno));
		340	close(tmpfd);
		341	problem = errno;
		342	goto out;
		343	}
		344	close(tmpfd);
		345
		346	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
		347	if (problem)
		348	goto out;
		349
		350	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
		351	authctxt->krb5_user);
		352	if (problem)
		353	goto out;
		354
		355	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
		356	&creds);
		357	if (problem)
		358	goto out;
		359	#endif
		360
248	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);	361	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
249		362
250	out:	363	out:
251	restore_uid();	364	restore_uid();
252		365
253	if (problem) {	366	if (problem) {
254	if (authctxt->krb5_ctx != NULL)	367	if (authctxt->krb5_ctx != NULL && problem!=-1)
255	debug("Kerberos password authentication failed: %s",	368	debug("Kerberos password authentication failed: %s",
256	krb5_get_err_text(authctxt->krb5_ctx, problem));	369	krb5_get_err_text(authctxt->krb5_ctx, problem));
257	else	370	else