1 files changed, 25 insertions, 203 deletions
diff --git a/auth-krb5.c b/auth-krb5.c
index e3e2d9751..0aa5195b8 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -28,7 +28,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -40,10 +40,8 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
 #include "auth.h"
 #ifdef KRB5
 #include <krb5.h>
-#ifndef HEIMDAL
-#define krb5_get_err_text(context,code) error_message(code)
-#endif /* !HEIMDAL */
 extern ServerOptions     options;
@@ -67,193 +65,6 @@ krb5_init(void *context)
        return (0);
 }
-/*
- * Try krb5 authentication. server_user is passed for logging purposes
- * only, in auth is received ticket, in client is returned principal
- * from the ticket
- */
-int
-auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply)
-{
-        krb5_error_code problem;
-        krb5_principal server;
-        krb5_ticket *ticket;
-        int fd, ret;
-        ret = 0;
-        server = NULL;
-        ticket = NULL;
-        reply->length = 0;
-        problem = krb5_init(authctxt);
-        if (problem)
-                goto err;
-        problem = krb5_auth_con_init(authctxt->krb5_ctx,
-            &authctxt->krb5_auth_ctx);
-        if (problem)
-                goto err;
-        fd = packet_get_connection_in();
-#ifdef HEIMDAL
-        problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
-            authctxt->krb5_auth_ctx, &fd);
-#else
-        problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx, 
-            authctxt->krb5_auth_ctx,fd,
-            KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
-            KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
-#endif
-        if (problem)
-                goto err;
-        problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-            KRB5_NT_SRV_HST, &server);
-        if (problem)
-                goto err;
-        problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
-            auth, server, NULL, NULL, &ticket);
-        if (problem)
-                goto err;
-#ifdef HEIMDAL
-        problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
-            &authctxt->krb5_user);
-#else
-        problem = krb5_copy_principal(authctxt->krb5_ctx, 
-                                      ticket->enc_part2->client,
-                                      &authctxt->krb5_user);
-#endif
-        if (problem)
-                goto err;
-        /* if client wants mutual auth */
-        problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            reply);
-        if (problem)
-                goto err;
-        /* Check .k5login authorization now. */
-        if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-            authctxt->pw->pw_name))
-                goto err;
-        if (client)
-                krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-                    client);
-        ret = 1;
- err:
-        if (server)
-                krb5_free_principal(authctxt->krb5_ctx, server);
-        if (ticket)
-                krb5_free_ticket(authctxt->krb5_ctx, ticket);
-        if (!ret && reply->length) {
-                xfree(reply->data);
-                memset(reply, 0, sizeof(*reply));
-        }
-        if (problem) {
-                if (authctxt->krb5_ctx != NULL)
-                        debug("Kerberos v5 authentication failed: %s",
-                            krb5_get_err_text(authctxt->krb5_ctx, problem));
-                else
-                        debug("Kerberos v5 authentication failed: %d",
-                            problem);
-        }
-        return (ret);
-}
-int
-auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
-{
-        krb5_error_code problem;
-        krb5_ccache ccache = NULL;
-        char *pname;
-        krb5_creds **creds;
-        if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
-                return (0);
-        temporarily_use_uid(authctxt->pw);
-#ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
-#else
-{
-        char ccname[40];
-        int tmpfd;
-        
-        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-        
-        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-                log("mkstemp(): %.100s", strerror(errno));
-                problem = errno;
-                goto fail;
-        }
-        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-                log("fchmod(): %.100s", strerror(errno));
-                close(tmpfd);
-                problem = errno;
-                goto fail;
-        }
-        close(tmpfd);
-        problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
-}
-#endif
-        if (problem)
-                goto fail;
-        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-            authctxt->krb5_user);
-        if (problem)
-                goto fail;
-#ifdef HEIMDAL
-        problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            ccache, tgt);
-        if (problem)
-                goto fail;
-#else
-        problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
-            tgt, &creds, NULL);
-        if (problem)
-                goto fail;
-        problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
-        if (problem)
-                goto fail;
-#endif
-        authctxt->krb5_fwd_ccache = ccache;
-        ccache = NULL;
-        authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-        problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
-            &pname);
-        if (problem)
-                goto fail;
-        debug("Kerberos v5 TGT accepted (%s)", pname);
-        restore_uid();
-        return (1);
- fail:
-        if (problem)
-                debug("Kerberos v5 TGT passing failed: %s",
-                    krb5_get_err_text(authctxt->krb5_ctx, problem));
-        if (ccache)
-                krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-        restore_uid();
-        return (0);
-}
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
@@ -264,6 +75,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        int tmpfd;
 #endif  
        krb5_error_code problem;
+        krb5_ccache ccache = NULL;
        if (authctxt->pw == NULL)
                return (0);
@@ -280,23 +92,35 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
                goto out;
 #ifdef HEIMDAL
-        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
+        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
-            &authctxt->krb5_fwd_ccache);
        if (problem)
                goto out;
-        problem = krb5_cc_initialize(authctxt->krb5_ctx,
+        problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-            authctxt->krb5_fwd_ccache, authctxt->krb5_user);
+                authctxt->krb5_user);
        if (problem)
                goto out;
        restore_uid();
+        
        problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-            authctxt->krb5_fwd_ccache, password, 1, NULL);
+            ccache, password, 1, NULL);
+        
        temporarily_use_uid(authctxt->pw);
        if (problem)
                goto out;
+        problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
+            &authctxt->krb5_fwd_ccache);
+        if (problem)
+                goto out;
+        problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
+            authctxt->krb5_fwd_ccache);
+        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
+        ccache = NULL;
+        if (problem)
+                goto out;
 #else
        problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -326,13 +150,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
        
        if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
-                log("mkstemp(): %.100s", strerror(errno));
+                logit("mkstemp(): %.100s", strerror(errno));
                problem = errno;
                goto out;
        }
        
        if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-                log("fchmod(): %.100s", strerror(errno));
+                logit("fchmod(): %.100s", strerror(errno));
                close(tmpfd);
                problem = errno;
                goto out;
@@ -360,6 +184,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
        restore_uid();
        if (problem) {
+                if (ccache)
+                        krb5_cc_destroy(authctxt->krb5_ctx, ccache);
                if (authctxt->krb5_ctx != NULL && problem!=-1)
                        debug("Kerberos password authentication failed: %s",
                            krb5_get_err_text(authctxt->krb5_ctx, problem));
@@ -391,11 +218,6 @@ krb5_cleanup_proc(void *context)
                krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
                authctxt->krb5_user = NULL;
        }
-        if (authctxt->krb5_auth_ctx) {
-                krb5_auth_con_free(authctxt->krb5_ctx,
-                    authctxt->krb5_auth_ctx);
-                authctxt->krb5_auth_ctx = NULL;
-        }
        if (authctxt->krb5_ctx) {
                krb5_free_context(authctxt->krb5_ctx);
                authctxt->krb5_ctx = NULL;

diff --git a/auth-krb5.c b/auth-krb5.c index e3e2d9751..0aa5195b8 100644 --- a/auth-krb5.c +++ b/auth-krb5.c
@@ -28,7 +28,7 @@
28	*/	28	*/
29		29
30	#include "includes.h"	30	#include "includes.h"
31	RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");	31	RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $");
32		32
33	#include "ssh.h"	33	#include "ssh.h"
34	#include "ssh1.h"	34	#include "ssh1.h"
@@ -40,10 +40,8 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.10 2002/11/21 23:03:51 deraadt Exp $");
40	#include "auth.h"	40	#include "auth.h"
41		41
42	#ifdef KRB5	42	#ifdef KRB5
		43
43	#include <krb5.h>	44	#include <krb5.h>
44	#ifndef HEIMDAL
45	#define krb5_get_err_text(context,code) error_message(code)
46	#endif /* !HEIMDAL */
47		45
48	extern ServerOptions options;	46	extern ServerOptions options;
49		47
@@ -67,193 +65,6 @@ krb5_init(void *context)
67	return (0);	65	return (0);
68	}	66	}
69		67
70	/*
71	* Try krb5 authentication. server_user is passed for logging purposes
72	* only, in auth is received ticket, in client is returned principal
73	* from the ticket
74	*/
75	int
76	auth_krb5(Authctxt authctxt, krb5_data auth, char *client, krb5_data reply)
77	{
78	krb5_error_code problem;
79	krb5_principal server;
80	krb5_ticket *ticket;
81	int fd, ret;
82
83	ret = 0;
84	server = NULL;
85	ticket = NULL;
86	reply->length = 0;
87
88	problem = krb5_init(authctxt);
89	if (problem)
90	goto err;
91
92	problem = krb5_auth_con_init(authctxt->krb5_ctx,
93	&authctxt->krb5_auth_ctx);
94	if (problem)
95	goto err;
96
97	fd = packet_get_connection_in();
98	#ifdef HEIMDAL
99	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
100	authctxt->krb5_auth_ctx, &fd);
101	#else
102	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
103	authctxt->krb5_auth_ctx,fd,
104	KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR \|
105	KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
106	#endif
107	if (problem)
108	goto err;
109
110	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
111	KRB5_NT_SRV_HST, &server);
112	if (problem)
113	goto err;
114
115	problem = krb5_rd_req(authctxt->krb5_ctx, &authctxt->krb5_auth_ctx,
116	auth, server, NULL, NULL, &ticket);
117	if (problem)
118	goto err;
119
120	#ifdef HEIMDAL
121	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
122	&authctxt->krb5_user);
123	#else
124	problem = krb5_copy_principal(authctxt->krb5_ctx,
125	ticket->enc_part2->client,
126	&authctxt->krb5_user);
127	#endif
128	if (problem)
129	goto err;
130
131	/* if client wants mutual auth */
132	problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
133	reply);
134	if (problem)
135	goto err;
136
137	/* Check .k5login authorization now. */
138	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
139	authctxt->pw->pw_name))
140	goto err;
141
142	if (client)
143	krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
144	client);
145
146	ret = 1;
147	err:
148	if (server)
149	krb5_free_principal(authctxt->krb5_ctx, server);
150	if (ticket)
151	krb5_free_ticket(authctxt->krb5_ctx, ticket);
152	if (!ret && reply->length) {
153	xfree(reply->data);
154	memset(reply, 0, sizeof(*reply));
155	}
156
157	if (problem) {
158	if (authctxt->krb5_ctx != NULL)
159	debug("Kerberos v5 authentication failed: %s",
160	krb5_get_err_text(authctxt->krb5_ctx, problem));
161	else
162	debug("Kerberos v5 authentication failed: %d",
163	problem);
164	}
165
166	return (ret);
167	}
168
169	int
170	auth_krb5_tgt(Authctxt authctxt, krb5_data tgt)
171	{
172	krb5_error_code problem;
173	krb5_ccache ccache = NULL;
174	char *pname;
175	krb5_creds **creds;
176
177	if (authctxt->pw == NULL \|\| authctxt->krb5_user == NULL)
178	return (0);
179
180	temporarily_use_uid(authctxt->pw);
181
182	#ifdef HEIMDAL
183	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
184	#else
185	{
186	char ccname[40];
187	int tmpfd;
188
189	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
190
191	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
192	log("mkstemp(): %.100s", strerror(errno));
193	problem = errno;
194	goto fail;
195	}
196	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
197	log("fchmod(): %.100s", strerror(errno));
198	close(tmpfd);
199	problem = errno;
200	goto fail;
201	}
202	close(tmpfd);
203	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
204	}
205	#endif
206	if (problem)
207	goto fail;
208
209	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
210	authctxt->krb5_user);
211	if (problem)
212	goto fail;
213
214	#ifdef HEIMDAL
215	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
216	ccache, tgt);
217	if (problem)
218	goto fail;
219	#else
220	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
221	tgt, &creds, NULL);
222	if (problem)
223	goto fail;
224	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
225	if (problem)
226	goto fail;
227	#endif
228
229	authctxt->krb5_fwd_ccache = ccache;
230	ccache = NULL;
231
232	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
233
234	problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
235	&pname);
236	if (problem)
237	goto fail;
238
239	debug("Kerberos v5 TGT accepted (%s)", pname);
240
241	restore_uid();
242
243	return (1);
244
245	fail:
246	if (problem)
247	debug("Kerberos v5 TGT passing failed: %s",
248	krb5_get_err_text(authctxt->krb5_ctx, problem));
249	if (ccache)
250	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
251
252	restore_uid();
253
254	return (0);
255	}
256
257	int	68	int
258	auth_krb5_password(Authctxt authctxt, const char password)	69	auth_krb5_password(Authctxt authctxt, const char password)
259	{	70	{
@@ -264,6 +75,7 @@ auth_krb5_password(Authctxt authctxt, const char password)
264	int tmpfd;	75	int tmpfd;
265	#endif	76	#endif
266	krb5_error_code problem;	77	krb5_error_code problem;
		78	krb5_ccache ccache = NULL;
267		79
268	if (authctxt->pw == NULL)	80	if (authctxt->pw == NULL)
269	return (0);	81	return (0);
@@ -280,23 +92,35 @@ auth_krb5_password(Authctxt authctxt, const char password)
280	goto out;	92	goto out;
281		93
282	#ifdef HEIMDAL	94	#ifdef HEIMDAL
283	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,	95	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
284	&authctxt->krb5_fwd_ccache);
285	if (problem)	96	if (problem)
286	goto out;	97	goto out;
287		98
288	problem = krb5_cc_initialize(authctxt->krb5_ctx,	99	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
289	authctxt->krb5_fwd_ccache, authctxt->krb5_user);	100	authctxt->krb5_user);
290	if (problem)	101	if (problem)
291	goto out;	102	goto out;
292		103
293	restore_uid();	104	restore_uid();
		105
294	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,	106	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
295	authctxt->krb5_fwd_ccache, password, 1, NULL);	107	ccache, password, 1, NULL);
		108
296	temporarily_use_uid(authctxt->pw);	109	temporarily_use_uid(authctxt->pw);
297		110
298	if (problem)	111	if (problem)
299	goto out;	112	goto out;
		113	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
		114	&authctxt->krb5_fwd_ccache);
		115	if (problem)
		116	goto out;
		117
		118	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
		119	authctxt->krb5_fwd_ccache);
		120	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
		121	ccache = NULL;
		122	if (problem)
		123	goto out;
300		124
301	#else	125	#else
302	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,	126	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
@@ -326,13 +150,13 @@ auth_krb5_password(Authctxt authctxt, const char password)
326	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());	150	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
327		151
328	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {	152	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
329	log("mkstemp(): %.100s", strerror(errno));	153	logit("mkstemp(): %.100s", strerror(errno));
330	problem = errno;	154	problem = errno;
331	goto out;	155	goto out;
332	}	156	}
333		157
334	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {	158	if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {
335	log("fchmod(): %.100s", strerror(errno));	159	logit("fchmod(): %.100s", strerror(errno));
336	close(tmpfd);	160	close(tmpfd);
337	problem = errno;	161	problem = errno;
338	goto out;	162	goto out;
@@ -360,6 +184,9 @@ auth_krb5_password(Authctxt authctxt, const char password)
360	restore_uid();	184	restore_uid();
361		185
362	if (problem) {	186	if (problem) {
		187	if (ccache)
		188	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
		189
363	if (authctxt->krb5_ctx != NULL && problem!=-1)	190	if (authctxt->krb5_ctx != NULL && problem!=-1)
364	debug("Kerberos password authentication failed: %s",	191	debug("Kerberos password authentication failed: %s",
365	krb5_get_err_text(authctxt->krb5_ctx, problem));	192	krb5_get_err_text(authctxt->krb5_ctx, problem));
@@ -391,11 +218,6 @@ krb5_cleanup_proc(void *context)
391	krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);	218	krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
392	authctxt->krb5_user = NULL;	219	authctxt->krb5_user = NULL;
393	}	220	}
394	if (authctxt->krb5_auth_ctx) {
395	krb5_auth_con_free(authctxt->krb5_ctx,
396	authctxt->krb5_auth_ctx);
397	authctxt->krb5_auth_ctx = NULL;
398	}
399	if (authctxt->krb5_ctx) {	221	if (authctxt->krb5_ctx) {
400	krb5_free_context(authctxt->krb5_ctx);	222	krb5_free_context(authctxt->krb5_ctx);
401	authctxt->krb5_ctx = NULL;	223	authctxt->krb5_ctx = NULL;