Diffstat (limited to 'auth-krb5.c')
-rw-r--r-- | auth-krb5.c | 115 |
1 files changed, 114 insertions, 1 deletions
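--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -41,6 +41,9 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.8 2002/03/19 10:49:35 markus Exp $");
 
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 
 extern ServerOptions options;
 
@@ -93,8 +96,15 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
 		goto err;
 
 	fd = packet_get_connection_in();
+#ifdef HEIMDAL
 	problem = krb5_auth_con_setaddrs_from_fd(authctxt->krb5_ctx,
 	    authctxt->krb5_auth_ctx, &fd);
+#else
+	problem = krb5_auth_con_genaddrs(authctxt->krb5_ctx,
+	    authctxt->krb5_auth_ctx,fd,
+	    KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+	    KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
 	if (problem)
 		goto err;
 
@@ -108,8 +118,14 @@ auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client)
 	if (problem)
 		goto err;
 
+#ifdef HEIMDAL
 	problem = krb5_copy_principal(authctxt->krb5_ctx, ticket->client,
 	    &authctxt->krb5_user);
+#else
+	problem = krb5_copy_principal(authctxt->krb5_ctx,
+	    ticket->enc_part2->client,
+	    &authctxt->krb5_user);
+#endif
 	if (problem)
 		goto err;
 
@@ -160,13 +176,37 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
 	char *pname;
+	krb5_creds **creds;
 
 	if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
 		return (0);
 
 	temporarily_use_uid(authctxt->pw);
 
+#ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &ccache);
+#else
+	{
+		char ccname[40];
+		int tmpfd;
+
+		snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+
+		if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+			log("mkstemp(): %.100s", strerror(errno));
+			problem = errno;
+			goto fail;
+		}
+		if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+			log("fchmod(): %.100s", strerror(errno));
+			close(tmpfd);
+			problem = errno;
+			goto fail;
+		}
+		close(tmpfd);
+		problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &ccache);
+	}
+#endif
 	if (problem)
 		goto fail;
 
@@ -175,10 +215,20 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 	if (problem)
 		goto fail;
 
+#ifdef HEIMDAL
 	problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
 	    ccache, tgt);
 	if (problem)
 		goto fail;
+#else
+	problem = krb5_rd_cred(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
+	    tgt, &creds, NULL);
+	if (problem)
+		goto fail;
+	problem = krb5_cc_store_cred(authctxt->krb5_ctx, ccache, *creds);
+	if (problem)
+		goto fail;
+#endif
 
 	authctxt->krb5_fwd_ccache = ccache;
 	ccache = NULL;
@@ -211,6 +261,12 @@ auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
 int
 auth_krb5_password(Authctxt *authctxt, const char *password)
 {
+#ifndef HEIMDAL
+	krb5_creds creds;
+	krb5_principal server;
+	char ccname[40];
+	int tmpfd;
+#endif
 	krb5_error_code problem;
 
 	if (authctxt->pw == NULL)
@@ -227,6 +283,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	if (problem)
 		goto out;
 
+#ifdef HEIMDAL
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops,
 	    &authctxt->krb5_fwd_ccache);
 	if (problem)
@@ -245,13 +302,69 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	if (problem)
 		goto out;
 
+#else
+	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
+	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
+	if (problem)
+		goto out;
+
+	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
+	    KRB5_NT_SRV_HST, &server);
+	if (problem)
+		goto out;
+
+	restore_uid();
+	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
+	    NULL, NULL, NULL);
+	krb5_free_principal(authctxt->krb5_ctx, server);
+	temporarily_use_uid(authctxt->pw);
+	if (problem)
+		goto out;
+
+	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+	    authctxt->pw->pw_name)) {
+		problem = -1;
+		goto out;
+	}
+
+	snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
+
+	if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) {
+		log("mkstemp(): %.100s", strerror(errno));
+		problem = errno;
+		goto out;
+	}
+
+	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+		log("fchmod(): %.100s", strerror(errno));
+		close(tmpfd);
+		problem = errno;
+		goto out;
+	}
+	close(tmpfd);
+
+	problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
+	if (problem)
+		goto out;
+
+	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+	    authctxt->krb5_user);
+	if (problem)
+		goto out;
+
+	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+	    &creds);
+	if (problem)
+		goto out;
+#endif
+
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
 out:
 	restore_uid();
 
 	if (problem) {
-		if (authctxt->krb5_ctx != NULL)
+		if (authctxt->krb5_ctx != NULL && problem!=-1)
 			debug("Kerberos password authentication failed: %s",
 			    krb5_get_err_text(authctxt->krb5_ctx, problem));
 		else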
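Review bot: In the non-Heimdal branch of auth_krb5_password the mkstemp and fchmod failure paths assign `problem = errno` only after log() (and, for fchmod, close()) have run, so `problem` may carry whatever errno those calls left behind rather than the failure that was logged; the identical ordering appears in the auth_krb5_tgt hunk and should be fixed there too. On fchmod failure the file that mkstemp just created is never unlinked, so an empty cache file is left in /tmp on every such failure. Separately, the `creds` filled by krb5_get_init_creds_password is not released on any path (and neither is the `creds` array returned by krb5_rd_cred in auth_krb5_tgt), so the freshly obtained session key lingers in process memory; zero-initializing `creds` at its declaration and calling `krb5_free_cred_contents(authctxt->krb5_ctx, &creds);` after `out:` under `#ifndef HEIMDAL` would cover all exits. The mkstemp/fchmod/krb5_cc_resolve sequence is now duplicated in both functions and would read better as one static helper that returns the resolved ccache.
```c
	/* … unchanged: krb5_verify_init_creds / krb5_kuserok checks … */
	if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
		problem = errno;	/* capture before log() can disturb errno */
		log("mkstemp(): %.100s", strerror(problem));
		goto out;
	}

	if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
		problem = errno;
		log("fchmod(): %.100s", strerror(problem));
		close(tmpfd);
		unlink(ccname + strlen("FILE:"));	/* don't leave the empty cache file behind */
		goto out;
	}
	close(tmpfd);
	/* … unchanged: krb5_cc_resolve / krb5_cc_initialize / krb5_cc_store_cred … */
```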