crypto/openssh/gss-serv-krb5.c

   1 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
   2
   3 /*
   4  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  * 1. Redistributions of source code must retain the above copyright
  10  *    notice, this list of conditions and the following disclaimer.
  11  * 2. Redistributions in binary form must reproduce the above copyright
  12  *    notice, this list of conditions and the following disclaimer in the
  13  *    documentation and/or other materials provided with the distribution.
  14  *
  15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  25  */
  26
  27 #include "includes.h"
  28
  29 #ifdef GSSAPI
  30 #ifdef KRB5
  31
  32 #include <sys/types.h>
  33
  34 #include <stdarg.h>
  35 #include <string.h>
  36
  37 #include "xmalloc.h"
  38 #include "key.h"
  39 #include "hostfile.h"
  40 #include "auth.h"
  41 #include "log.h"
  42 #include "servconf.h"
  43
  44 #include "buffer.h"
  45 #include "ssh-gss.h"
  46
  47 extern ServerOptions options;
  48
  49 #ifdef HEIMDAL
  50 # include <krb5.h>
  51 #endif
  52 #ifdef HAVE_GSSAPI_KRB5_H
  53 # include <gssapi_krb5.h>
  54 #elif HAVE_GSSAPI_GSSAPI_KRB5_H
  55 # include <gssapi/gssapi_krb5.h>
  56 #endif
  57
  58 static krb5_context krb_context = NULL;
  59
  60 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
  61
  62 static int
  63 ssh_gssapi_krb5_init(void)
  64 {
  65         krb5_error_code problem;
  66
  67         if (krb_context != NULL)
  68                 return 1;
  69
  70         problem = krb5_init_context(&krb_context);
  71         if (problem) {
  72                 logit("Cannot initialize krb5 context");
  73                 return 0;
  74         }
  75
  76         return 1;
  77 }
  78
  79 /* Check if this user is OK to login. This only works with krb5 - other
  80  * GSSAPI mechanisms will need their own.
  81  * Returns true if the user is OK to log in, otherwise returns 0
  82  */
  83
  84 static int
  85 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
  86 {
  87         krb5_principal princ;
  88         int retval;
  89         const char *errmsg;
  90
  91         if (ssh_gssapi_krb5_init() == 0)
  92                 return 0;
  93
  94         if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
  95             &princ))) {
  96                 errmsg = krb5_get_error_message(krb_context, retval);
  97                 logit("krb5_parse_name(): %.100s", errmsg);
  98                 krb5_free_error_message(krb_context, errmsg);
  99                 return 0;
 100         }
 101         if (krb5_kuserok(krb_context, princ, name)) {
 102                 retval = 1;
 103                 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 104                     name, (char *)client->displayname.value);
 105         } else
 106                 retval = 0;
 107
 108         krb5_free_principal(krb_context, princ);
 109         return retval;
 110 }
 111
 112
 113 /* This writes out any forwarded credentials from the structure populated
 114  * during userauth. Called after we have setuid to the user */
 115
 116 static void
 117 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
 118 {
 119         krb5_ccache ccache;
 120         krb5_error_code problem;
 121         krb5_principal princ;
 122         OM_uint32 maj_status, min_status;
 123         int len;
 124         const char *errmsg;
 125
 126         if (client->creds == NULL) {
 127                 debug("No credentials stored");
 128                 return;
 129         }
 130
 131         if (ssh_gssapi_krb5_init() == 0)
 132                 return;
 133
 134 #ifdef HEIMDAL
 135 # ifdef HAVE_KRB5_CC_NEW_UNIQUE
 136         if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
 137             NULL, &ccache)) != 0) {
 138                 errmsg = krb5_get_error_message(krb_context, problem);
 139                 logit("krb5_cc_new_unique(): %.100s", errmsg);
 140 # else
 141         if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
 142             logit("krb5_cc_gen_new(): %.100s",
 143                 krb5_get_err_text(krb_context, problem));
 144 # endif
 145                 krb5_free_error_message(krb_context, errmsg);
 146                 return;
 147         }
 148 #else
 149         if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
 150                 errmsg = krb5_get_error_message(krb_context, problem);
 151                 logit("ssh_krb5_cc_gen(): %.100s", errmsg);
 152                 krb5_free_error_message(krb_context, errmsg);
 153                 return;
 154         }
 155 #endif  /* #ifdef HEIMDAL */
 156
 157         if ((problem = krb5_parse_name(krb_context,
 158             client->exportedname.value, &princ))) {
 159                 errmsg = krb5_get_error_message(krb_context, problem);
 160                 logit("krb5_parse_name(): %.100s", errmsg);
 161                 krb5_free_error_message(krb_context, errmsg);
 162                 return;
 163         }
 164
 165         if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
 166                 errmsg = krb5_get_error_message(krb_context, problem);
 167                 logit("krb5_cc_initialize(): %.100s", errmsg);
 168                 krb5_free_error_message(krb_context, errmsg);
 169                 krb5_free_principal(krb_context, princ);
 170                 krb5_cc_destroy(krb_context, ccache);
 171                 return;
 172         }
 173
 174         krb5_free_principal(krb_context, princ);
 175
 176         if ((maj_status = gss_krb5_copy_ccache(&min_status,
 177             client->creds, ccache))) {
 178                 logit("gss_krb5_copy_ccache() failed");
 179                 krb5_cc_destroy(krb_context, ccache);
 180                 return;
 181         }
 182
 183         client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
 184         client->store.envvar = "KRB5CCNAME";
 185         len = strlen(client->store.filename) + 6;
 186         client->store.envval = xmalloc(len);
 187         snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
 188
 189 #ifdef USE_PAM
 190         if (options.use_pam)
 191                 do_pam_putenv(client->store.envvar, client->store.envval);
 192 #endif
 193
 194         krb5_cc_close(krb_context, ccache);
 195
 196         return;
 197 }
 198
 199 ssh_gssapi_mech gssapi_kerberos_mech = {
 200         "toWM5Slw5Ew8Mqkay+al2g==",
 201         "Kerberos",
 202         {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
 203         NULL,
 204         &ssh_gssapi_krb5_userok,
 205         NULL,
 206         &ssh_gssapi_krb5_storecreds
 207 };
 208
 209 #endif /* KRB5 */
 210
 211 #endif /* GSSAPI */