summaryrefslogtreecommitdiff
path: root/auth-krb5.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2003-09-02 22:51:17 +1000
committerDamien Miller <djm@mindrot.org>2003-09-02 22:51:17 +1000
commit1a0c0b96219b037865d624079a81ab7d88bbccc1 (patch)
treead24303a17d1f49c98b66d5bfe014103019411af /auth-krb5.c
parent55c47edc81accd3118fc0fda2c37765631c0aef0 (diff)
- markus@cvs.openbsd.org 2003/08/28 12:54:34
[auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] [sshconnect1.c sshd.c sshd_config sshd_config.5] remove kerberos support from ssh1, since it has been replaced with GSSAPI; but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ...
Diffstat (limited to 'auth-krb5.c')
-rw-r--r--auth-krb5.c194
1 files changed, 1 insertions, 193 deletions
diff --git a/auth-krb5.c b/auth-krb5.c
index b9eeb5ba6..0aa5195b8 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
28 */ 28 */
29 29
30#include "includes.h" 30#include "includes.h"
31RCSID("$OpenBSD: auth-krb5.c,v 1.11 2003/07/16 15:02:06 markus Exp $"); 31RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
32 32
33#include "ssh.h" 33#include "ssh.h"
34#include "ssh1.h" 34#include "ssh1.h"
@@ -65,193 +65,6 @@ krb5_init(void *context)
65 return (0); 65 return (0);
66} 66}
67 67
68/*
69 * Try krb5 authentication. server_user is passed for logging purposes
70 * only, in auth is received ticket, in client is returned principal
71 * from the ticket
72 */
73int
74auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
75{
76 krb5_error_code problem;
77 krb5_principal server;
78 krb5_ticket *ticket;
79 int fd, ret;
80
81 ret = 0;
82 server = NULL;
83 ticket = NULL;
84 reply->length = 0;
85
86 problem = krb5_init(authctxt);
87 if (problem)
88 goto err;
89
90 problem = krb5_auth_con_init(authctxt->krb5_ctx,
91 &authctxt->krb5_auth_ctx);
92 if (problem)
93 goto err;
94
95 fd = packet_get_connection_in();
96#ifdef HEIMDAL
97 problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
98 authctxt->krb5_auth_ctx, &fd);
99#else
100 problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
101 authctxt->krb5_auth_ctx,fd,
102 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
103 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
104#endif
105 if (problem)
106 goto err;
107
108 problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
109 KRB5_NT_SRV_HST, &server);
110 if (problem)
111 goto err;
112
113 problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
114 auth, server, NULL, NULL, &ticket);
115 if (problem)
116 goto err;
117
118#ifdef HEIMDAL
119 problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
120 &authctxt->krb5_user);
121#else
122 problem = krb5_copy_principal(authctxt->krb5_ctx,
123 ticket->enc_part2->client,
124 &authctxt->krb5_user);
125#endif
126 if (problem)
127 goto err;
128
129 /* if client wants mutual auth */
130 problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
131 reply);
132 if (problem)
133 goto err;
134
135 /* Check .k5login authorization now. */
136 if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
137 authctxt->pw->pw_name))
138 goto err;
139
140 if (client)
141 krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
142 client);
143
144 ret = 1;
145 err:
146 if (server)
147 krb5_free_principal(authctxt->krb5_ctx, server);
148 if (ticket)
149 krb5_free_ticket(authctxt->krb5_ctx, ticket);
150 if (!ret && reply->length) {
151 xfree(reply->data);
152 memset(reply, 0, sizeof(*reply));
153 }
154
155 if (problem) {
156 if (authctxt->krb5_ctx != NULL)
157 debug("Kerberos v5 authentication failed: %s",
158 krb5_get_err_text(authctxt->krb5_ctx, problem));
159 else
160 debug("Kerberos v5 authentication failed: %d",
161 problem);
162 }
163
164 return (ret);
165}
166
167int
168auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
169{
170 krb5_error_code problem;
171 krb5_ccache ccache = NULL;
172 char *pname;
173 krb5_creds **creds;
174
175 if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
176 return (0);
177
178 temporarily_use_uid(authctxt->pw);
179
180#ifdef HEIMDAL
181 problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
182#else
183{
184 char ccname[40];
185 int tmpfd;
186
187 snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
188
189 if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
190 logit("mkstemp(): %.100s", strerror(errno));
191 problem = errno;
192 goto fail;
193 }
194 if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
195 logit("fchmod(): %.100s", strerror(errno));
196 close(tmpfd);
197 problem = errno;
198 goto fail;
199 }
200 close(tmpfd);
201 problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
202}
203#endif
204 if (problem)
205 goto fail;
206
207 problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
208 authctxt->krb5_user);
209 if (problem)
210 goto fail;
211
212#ifdef HEIMDAL
213 problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
214 ccache, tgt);
215 if (problem)
216 goto fail;
217#else
218 problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
219 tgt, &creds, NULL);
220 if (problem)
221 goto fail;
222 problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
223 if (problem)
224 goto fail;
225#endif
226
227 authctxt->krb5_fwd_ccache = ccache;
228 ccache = NULL;
229
230 authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
231
232 problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
233 &pname);
234 if (problem)
235 goto fail;
236
237 debug("Kerberos v5 TGT accepted (%s)", pname);
238
239 restore_uid();
240
241 return (1);
242
243 fail:
244 if (problem)
245 debug("Kerberos v5 TGT passing failed: %s",
246 krb5_get_err_text(authctxt->krb5_ctx, problem));
247 if (ccache)
248 krb5_cc_destroy(authctxt->krb5_ctx, ccache);
249
250 restore_uid();
251
252 return (0);
253}
254
255int 68int
256auth_krb5_password(Authctxt *authctxt, const char *password) 69auth_krb5_password(Authctxt *authctxt, const char *password)
257{ 70{
@@ -405,11 +218,6 @@ krb5_cleanup_proc(void *context)
405 krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); 218 krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
406 authctxt->krb5_user = NULL; 219 authctxt->krb5_user = NULL;
407 } 220 }
408 if (authctxt->krb5_auth_ctx) {
409 krb5_auth_con_free(authctxt->krb5_ctx,
410 authctxt->krb5_auth_ctx);
411 authctxt->krb5_auth_ctx = NULL;
412 }
413 if (authctxt->krb5_ctx) { 221 if (authctxt->krb5_ctx) {
414 krb5_free_context(authctxt->krb5_ctx); 222 krb5_free_context(authctxt->krb5_ctx);
415 authctxt->krb5_ctx = NULL; 223 authctxt->krb5_ctx = NULL;