2 * Kerberos v5 authentication and ticket-passing routines.
/* Kerberos library state shared by the routines in this file.  ssh_context is
 * defined elsewhere (extern) and created lazily by krb5_init(); auth_context
 * and mem_ccache are defined here and are file-global but not static, so
 * other translation units may reach them.  Presumably one sshd child serves
 * one connection, so a single auth context per process is enough — confirm. */
14 extern krb5_context ssh_context;
15 krb5_auth_context auth_context; /* set up in auth_krb5(), reused by auth_krb5_tgt(), freed in krb5_cleanup_proc() */
16 krb5_ccache mem_ccache = NULL; /* Credential cache for acquired ticket: filled by krb5_cc_copy_cache() in auth_krb5_tgt()/auth_krb5_password(), destroyed in krb5_cleanup_proc() */
18 /* Try krb5 authentication. server_user is passed for logging purposes only;
19 auth holds the received ticket, and client receives the principal returned from the
/* Kerberos v5 ticket authentication for the SSH1 AUTH_KRB5 exchange.  Only a
 * subset of the body is visible in this listing; the lines between the
 * numbered ones are omitted, including the error checks after each call.
 * On success the client principal taken from the validated ticket is copied
 * to *client, which the caller owns.  No mapping of that principal to
 * server_user happens here — server_user is logged only — so the
 * authorization check must be done by the caller. */
22 auth_krb5(const char* server_user, krb5_data *auth, krb5_principal *client)
24 krb5_error_code problem;
25 krb5_principal server = NULL; /* the host service principal tickets are accepted for */
26 krb5_principal tkt_client = NULL; /* local copy; distinct from the file-scope tkt_client used in krb5_cleanup_proc() */
28 krb5_ticket *ticket = NULL;
/* Lazily creates ssh_context and registers the fatal-cleanup hook. */
34 problem = krb5_init();
38 problem = krb5_auth_con_init(ssh_context, &auth_context);
/* %.100s bounds the library-supplied error text in the log line. */
40 log("Kerberos v5 authentication failed: %.100s",
41 krb5_get_err_text(ssh_context, problem));
/* Bind the auth context to the local/remote addresses of the connection
 * socket so the address check on the incoming AP-REQ can be applied —
 * confirm against the krb5_rd_req address semantics of the library in use. */
46 fd = packet_get_connection_in();
47 problem = krb5_auth_con_setaddrs_from_fd(ssh_context, auth_context, &fd);
/* NULL hostname and NULL service: the library presumably derives the
 * canonical host principal for this machine. */
53 problem = krb5_sname_to_principal(ssh_context, NULL, NULL ,
54 KRB5_NT_SRV_HST, &server);
/* Decrypt and validate the AP-REQ for `server'; the NULL keytab argument
 * presumably selects the default keytab.  The call continues on a line not
 * shown here (the ticket output parameter). */
60 problem = krb5_rd_req(ssh_context, &auth_context, auth, server, NULL,
/* The authenticated identity is the client named inside the decrypted
 * ticket, never anything the peer sent in the clear. */
67 problem = krb5_copy_principal(ssh_context, ticket->client, &tkt_client);
73 /* if client wants mutual auth */
74 problem = krb5_mk_rep(ssh_context, &auth_context, &reply);
82 packet_start(SSH_SMSG_AUTH_KRB5_RESPONSE);
83 packet_put_string((char *) reply.data, reply.length);
/* reply.data is presumably released after being sent (not visible) — confirm. */
90 krb5_free_principal(ssh_context, server);
92 krb5_free_ticket(ssh_context, ticket);
/* Accept a forwarded TGT (KRB-CRED) for the already-authenticated principal
 * tkt_client and store it in mem_ccache.  The credentials are read with the
 * auth_context established by auth_krb5(), so this is only meaningful after
 * a successful ticket exchange.  server_user is for logging only, as in
 * auth_krb5().  Fragmentary listing: the lines between the numbered ones,
 * including the error checks, are omitted. */
99 auth_krb5_tgt(char *server_user, krb5_data *tgt, krb5_principal tkt_client)
101 krb5_error_code problem;
102 krb5_ccache ccache = NULL; /* temporary cache; destroyed on both the success and the failure path */
/* Refuses to proceed unless krb5_init() has already run. */
104 if (ssh_context == NULL) {
/* krb5_mcc_ops: memory-resident cache, nothing is written to the file system. */
108 problem = krb5_cc_gen_new(ssh_context, &krb5_mcc_ops, &ccache);
113 problem = krb5_cc_initialize(ssh_context, ccache, tkt_client);
/* Presumably decrypts the KRB-CRED with the session key held in auth_context. */
118 problem = krb5_rd_cred(ssh_context, auth_context, ccache, tgt);
/* mem_ccache must be a valid cache at this point; where it is created is
 * not among the visible lines — confirm. */
127 problem = krb5_cc_copy_cache(ssh_context, ccache, mem_ccache);
134 problem = krb5_cc_destroy(ssh_context, ccache);
140 packet_start(SSH_SMSG_SUCCESS);
/* Failure path: discard the temporary cache before reporting. */
148 krb5_cc_destroy(ssh_context, ccache);
150 packet_start(SSH_SMSG_FAILURE);
/* Password authentication through Kerberos: obtains initial credentials for
 * pw->pw_name with the supplied password and, on success, copies them into
 * mem_ccache.  Fragmentary listing: the lines between the numbered ones,
 * including the error checks and the return value, are omitted. */
158 auth_krb5_password(struct passwd *pw, const char *password)
160 krb5_error_code problem;
161 krb5_ccache ccache = NULL; /* temporary cache, always destroyed below */
162 krb5_principal client = NULL;
165 problem = krb5_init();
/* The principal is derived from the local account name (default realm). */
169 problem = krb5_parse_name(ssh_context, pw->pw_name, &client);
175 problem = krb5_cc_gen_new(ssh_context, &krb5_mcc_ops, &ccache);
181 problem = krb5_cc_initialize(ssh_context, ccache, client);
/* The `1' argument is presumably Heimdal's `secure' flag: the obtained TGT is
 * verified against the host's own keytab entry, so a spoofed KDC cannot
 * vouch for an arbitrary password.  NULL service selects the default.
 * Confirm against the library version in use. */
187 problem = krb5_verify_user(ssh_context, client, ccache, password, 1, NULL);
194 problem = krb5_cc_copy_cache(ssh_context, ccache, mem_ccache);
207 krb5_free_principal(ssh_context, client);
209 krb5_cc_destroy(ssh_context, ccache);
/* Fatal-cleanup hook registered through fatal_add_cleanup(): releases the
 * process-wide Kerberos state.  `ignore' is unused.  Whether each call below
 * is guarded by a NULL check is not visible here (the interleaved lines are
 * omitted); calling these on a NULL handle would be a defect, so confirm the
 * guards are present before relying on this hook. */
214 krb5_cleanup_proc(void *ignore)
/* The file-scope principal defined in another unit, not auth_krb5()'s local. */
216 extern krb5_principal tkt_client;
218 debug("krb5_cleanup_proc() called");
/* Destroying (not merely closing) the memory cache removes the stored credentials. */
220 krb5_cc_destroy(ssh_context, mem_ccache);
222 krb5_free_principal(ssh_context, tkt_client);
224 krb5_auth_con_free(ssh_context, auth_context);
226 krb5_free_context(ssh_context);
232 krb5_error_code problem;
233 static cleanup_registered = 0;
235 if (ssh_context == NULL) {
236 problem = krb5_init_context(&ssh_context);
239 krb5_init_ets(ssh_context);
242 if (!cleanup_registered) {
243 fatal_add_cleanup(krb5_cleanup_proc, NULL);
244 cleanup_registered = 1;