2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
56 RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $");
60 #include <arpa/telnet.h>
68 #define Authenticator k5_Authenticator
87 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
92 /* These values need to be the same as those defined in telnet/main.c. */
93 /* Either define them in both places, or put in some common header file. */
94 #define OPTS_FORWARD_CREDS 0x00000002
95 #define OPTS_FORWARDABLE_CREDS 0x00000001
98 void kerberos5_forward (Authenticator *);
100 static unsigned char str_data[4] = { IAC, SB, TELOPT_AUTHENTICATION, 0 };
102 #define KRB_AUTH 0 /* Authentication data follows */
103 #define KRB_REJECT 1 /* Rejected (reason might follow) */
104 #define KRB_ACCEPT 2 /* Accepted */
105 #define KRB_RESPONSE 3 /* Response for mutual auth. */
107 #define KRB_FORWARD 4 /* Forwarded credentials follow */
108 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
109 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
111 static krb5_data auth;
112 static krb5_ticket *ticket;
114 static krb5_context context;
115 static krb5_auth_context auth_context;
118 Data(Authenticator *ap, int type, const void *d, int c)
120 const unsigned char *cp, *cd = d;
121 unsigned char *p0, *p;
122 size_t len = sizeof(str_data) + 3 + 2;
126 c = strlen((const char*)cd);
128 for (cp = cd; cp - cd < c; cp++, len++)
136 memcpy(p0, str_data, sizeof(str_data));
137 p = p0 + sizeof(str_data);
139 if (auth_debug_mode) {
140 printf("%s:%d: [%d] (%d)",
141 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
151 if ((*p++ = *cd++) == IAC)
156 if (str_data[3] == TELQUAL_IS)
157 printsub('>', &p0[2], len - 2);
158 ret = telnet_net_write(p0, len);
164 kerberos5_init(Authenticator *ap, int server)
168 ret = krb5_init_context(&context);
173 krb5_kt_cursor cursor;
175 ret = krb5_kt_default(context, &kt);
179 ret = krb5_kt_start_seq_get (context, kt, &cursor);
181 krb5_kt_close (context, kt);
184 krb5_kt_end_seq_get (context, kt, &cursor);
185 krb5_kt_close (context, kt);
187 str_data[3] = TELQUAL_REPLY;
189 str_data[3] = TELQUAL_IS;
195 kerberos5_send(char *name, Authenticator *ap)
200 krb5_data cksum_data;
203 if (!UserNameRequested) {
204 if (auth_debug_mode) {
205 printf("Kerberos V5: no user name supplied\r\n");
210 ret = krb5_cc_default(context, &ccache);
212 if (auth_debug_mode) {
213 printf("Kerberos V5: could not get default ccache: %s\r\n",
214 krb5_get_err_text (context, ret));
219 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
220 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
224 ap_opts |= AP_OPTS_USE_SUBKEY;
226 ret = krb5_auth_con_init (context, &auth_context);
228 if (auth_debug_mode) {
229 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
230 krb5_get_err_text(context, ret));
235 ret = krb5_auth_con_setaddrs_from_fd (context,
239 if (auth_debug_mode) {
240 printf ("Kerberos V5:"
241 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
242 krb5_get_err_text(context, ret));
247 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
249 ap_msg[0] = ap->type;
252 cksum_data.length = sizeof(ap_msg);
253 cksum_data.data = ap_msg;
257 krb5_principal service;
261 ret = krb5_sname_to_principal (context,
267 if (auth_debug_mode) {
268 printf ("Kerberos V5:"
269 " krb5_sname_to_principal(%s) failed (%s)\r\n",
270 RemoteHostName, krb5_get_err_text(context, ret));
274 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
276 if (auth_debug_mode) {
277 printf ("Kerberos V5:"
278 " krb5_unparse_name_fixed failed (%s)\r\n",
279 krb5_get_err_text(context, ret));
283 printf("[ Trying %s (%s)... ]\r\n", name, sname);
284 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
286 &cksum_data, ccache, &auth);
287 krb5_free_principal (context, service);
291 if (1 || auth_debug_mode) {
292 printf("Kerberos V5: mk_req failed (%s)\r\n",
293 krb5_get_err_text(context, ret));
298 if (!auth_sendname((unsigned char *)UserNameRequested,
299 strlen(UserNameRequested))) {
301 printf("Not enough room for user name\r\n");
304 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
306 printf("Not enough room for authentication data\r\n");
309 if (auth_debug_mode) {
310 printf("Sent Kerberos V5 credentials to server\r\n");
316 kerberos5_send_mutual(Authenticator *ap)
318 return kerberos5_send("mutual KERBEROS5", ap);
322 kerberos5_send_oneway(Authenticator *ap)
324 return kerberos5_send("KERBEROS5", ap);
327 static void log_message(const char *fmt, ...)
331 if (auth_debug_mode) {
333 vfprintf(stdout, fmt, ap);
335 fprintf(stdout, "\r\n");
338 vsyslog(LOG_NOTICE, fmt, ap);
343 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
347 krb5_keyblock *key_block;
349 krb5_principal server;
356 auth.data = (char *)data;
361 ret = krb5_auth_con_init (context, &auth_context);
363 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
364 auth_finished(ap, AUTH_REJECT);
365 log_message("Kerberos V5: krb5_auth_con_init failed (%s)",
366 krb5_get_err_text(context, ret));
370 ret = krb5_auth_con_setaddrs_from_fd (context,
374 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
375 auth_finished(ap, AUTH_REJECT);
376 log_message("Kerberos V5: "
377 "krb5_auth_con_setaddrs_from_fd failed (%s)",
378 krb5_get_err_text(context, ret));
382 ret = krb5_sock_to_principal (context,
388 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
389 auth_finished(ap, AUTH_REJECT);
390 log_message("Kerberos V5: "
391 "krb5_sock_to_principal failed (%s)",
392 krb5_get_err_text(context, ret));
396 ret = krb5_rd_req(context,
404 krb5_free_principal (context, server);
406 const char *errbuf2 = "Read req failed";
410 ret2 = asprintf(&errbuf,
411 "Read req failed: %s",
412 krb5_get_err_text(context, ret));
415 Data(ap, KRB_REJECT, errbuf2, -1);
416 log_message("%s", errbuf2);
425 ap_msg[0] = ap->type;
428 ret = krb5_verify_authenticator_checksum(context,
434 const char *errbuf2 = "Bad checksum";
438 ret2 = asprintf(&errbuf, "Bad checksum: %s",
439 krb5_get_err_text(context, ret));
442 Data(ap, KRB_REJECT, errbuf2, -1);
443 log_message("%s", errbuf2);
449 ret = krb5_auth_con_getremotesubkey (context,
454 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
455 auth_finished(ap, AUTH_REJECT);
456 log_message("Kerberos V5: "
457 "krb5_auth_con_getremotesubkey failed (%s)",
458 krb5_get_err_text(context, ret));
462 if (key_block == NULL) {
463 ret = krb5_auth_con_getkey(context,
468 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
469 auth_finished(ap, AUTH_REJECT);
470 log_message("Kerberos V5: "
471 "krb5_auth_con_getkey failed (%s)",
472 krb5_get_err_text(context, ret));
475 if (key_block == NULL) {
476 Data(ap, KRB_REJECT, "no subkey received", -1);
477 auth_finished(ap, AUTH_REJECT);
478 log_message("Kerberos V5: "
479 "krb5_auth_con_getremotesubkey returned NULL key");
483 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
484 ret = krb5_mk_rep(context, auth_context, &outbuf);
487 "krb5_mk_rep failed", -1);
488 auth_finished(ap, AUTH_REJECT);
489 log_message("Kerberos V5: "
490 "krb5_mk_rep failed (%s)",
491 krb5_get_err_text(context, ret));
494 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
496 if (krb5_unparse_name(context, ticket->client, &name))
499 if(UserNameRequested && krb5_kuserok(context,
501 UserNameRequested)) {
502 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
503 log_message("%s accepted as user %s from %s",
504 name ? name : "<unknown>",
505 UserNameRequested ? UserNameRequested : "<unknown>",
506 RemoteHostName ? RemoteHostName : "<unknown>");
508 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
509 key_block->keytype == ETYPE_DES_CBC_MD4 ||
510 key_block->keytype == ETYPE_DES_CBC_CRC) {
515 skey.data = key_block->keyvalue.data;
516 encrypt_session_key(&skey, 0);
520 const char *msg2 = "user is not authorized to login";
523 ret = asprintf (&msg, "user `%s' is not authorized to "
525 name ? name : "<unknown>",
526 UserNameRequested ? UserNameRequested : "<nobody>");
529 Data(ap, KRB_REJECT, (void *)msg2, -1);
532 auth_finished (ap, AUTH_REJECT);
533 krb5_free_keyblock_contents(context, key_block);
536 auth_finished(ap, AUTH_USER);
537 krb5_free_keyblock_contents(context, key_block);
542 char ccname[1024]; /* XXX */
545 inbuf.data = (char *)data;
548 pwd = getpwnam (UserNameRequested);
552 snprintf (ccname, sizeof(ccname),
553 "FILE:/tmp/krb5cc_%lu", (unsigned long)pwd->pw_uid);
555 ret = krb5_cc_resolve (context, ccname, &ccache);
557 log_message("Kerberos V5: could not get ccache: %s",
558 krb5_get_err_text(context, ret));
562 ret = krb5_cc_initialize (context,
566 log_message("Kerberos V5: could not init ccache: %s",
567 krb5_get_err_text(context, ret));
572 esetenv("KRB5CCNAME", ccname, 1);
574 ret = krb5_rd_cred2 (context,
579 const char *errbuf2 = "Read forwarded creds failed";
583 ret2 = asprintf (&errbuf,
584 "Read forwarded creds failed: %s",
585 krb5_get_err_text (context, ret));
588 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
589 log_message("Could not read forwarded credentials: %s", errbuf);
594 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
599 chown (ccname + 5, pwd->pw_uid, -1);
600 log_message("Forwarded credentials obtained");
604 log_message("Unknown Kerberos option %d", data[-1]);
605 Data(ap, KRB_REJECT, 0, 0);
611 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
613 static int mutual_complete = 0;
620 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
623 printf("[ Kerberos V5 refuses authentication ]\r\n");
629 krb5_keyblock *keyblock;
631 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
633 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
638 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
640 printf("[ Kerberos V5 accepts you ]\r\n");
642 ret = krb5_auth_con_getlocalsubkey (context,
646 ret = krb5_auth_con_getkey (context,
650 printf("[ krb5_auth_con_getkey: %s ]\r\n",
651 krb5_get_err_text(context, ret));
658 skey.data = keyblock->keyvalue.data;
659 encrypt_session_key(&skey, 0);
660 krb5_free_keyblock_contents (context, keyblock);
661 auth_finished(ap, AUTH_USER);
662 if (forward_flags & OPTS_FORWARD_CREDS)
663 kerberos5_forward(ap);
667 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
668 /* the rest of the reply should contain a krb_ap_rep */
669 krb5_ap_rep_enc_part *reply;
674 inbuf.data = (char *)data;
676 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
678 printf("[ Mutual authentication failed: %s ]\r\n",
679 krb5_get_err_text (context, ret));
683 krb5_free_ap_rep_enc_part(context, reply);
687 case KRB_FORWARD_ACCEPT:
688 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
690 case KRB_FORWARD_REJECT:
691 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
696 printf("Unknown Kerberos option %d\r\n", data[-1]);
702 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
704 if (level < AUTH_USER)
707 if (UserNameRequested &&
708 krb5_kuserok(context,
712 strlcpy(name, UserNameRequested, name_sz);
721 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
722 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
725 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
729 buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
733 case KRB_REJECT: /* Rejected (reason might follow) */
734 strlcpy((char *)buf, " REJECT ", buflen);
737 case KRB_ACCEPT: /* Accepted (name might follow) */
738 strlcpy((char *)buf, " ACCEPT ", buflen);
743 ADDC(buf, buflen, '"');
744 for (i = 4; i < cnt; i++)
745 ADDC(buf, buflen, data[i]);
746 ADDC(buf, buflen, '"');
747 ADDC(buf, buflen, '\0');
751 case KRB_AUTH: /* Authentication data follows */
752 strlcpy((char *)buf, " AUTH", buflen);
756 strlcpy((char *)buf, " RESPONSE", buflen);
759 case KRB_FORWARD: /* Forwarded credentials follow */
760 strlcpy((char *)buf, " FORWARD", buflen);
763 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
764 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
767 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
768 /* (reason might follow) */
769 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
773 snprintf((char*)buf, buflen, " %d (unknown)", data[3]);
776 for (i = 4; i < cnt; i++) {
777 snprintf((char*)buf, buflen, " %d", data[i]);
785 kerberos5_forward(Authenticator *ap)
792 krb5_principal principal;
794 ret = krb5_cc_default (context, &ccache);
797 printf ("KerberosV5: could not get default ccache: %s\r\n",
798 krb5_get_err_text (context, ret));
802 ret = krb5_cc_get_principal (context, ccache, &principal);
805 printf ("KerberosV5: could not get principal: %s\r\n",
806 krb5_get_err_text (context, ret));
810 memset (&creds, 0, sizeof(creds));
812 creds.client = principal;
814 ret = krb5_build_principal (context,
816 strlen(principal->realm),
824 printf ("KerberosV5: could not get principal: %s\r\n",
825 krb5_get_err_text (context, ret));
829 creds.times.endtime = 0;
831 memset(&flags, 0, sizeof(flags));
833 if (forward_flags & OPTS_FORWARDABLE_CREDS)
834 flags.forwardable = 1;
836 ret = krb5_get_forwarded_creds (context,
839 KDCOptions2int(flags),
845 printf ("Kerberos V5: error getting forwarded creds: %s\r\n",
846 krb5_get_err_text (context, ret));
850 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
852 printf("Not enough room for authentication data\r\n");
855 printf("Forwarded local Kerberos V5 credentials to server\r\n");
860 /* if this was a K5 authentication try and join a PAG for the user. */
862 kerberos5_dfspag(void)
865 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
872 kerberos5_set_forward(int on)
875 forward_flags &= ~OPTS_FORWARD_CREDS;
877 forward_flags |= OPTS_FORWARD_CREDS;
879 forward_flags ^= OPTS_FORWARD_CREDS;
884 kerberos5_set_forwardable(int on)
887 forward_flags &= ~OPTS_FORWARDABLE_CREDS;
889 forward_flags |= OPTS_FORWARDABLE_CREDS;
891 forward_flags ^= OPTS_FORWARDABLE_CREDS;