1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 /*
31 * Copyright (C) 1990 by the Massachusetts Institute of Technology
32 *
33 * Export of this software from the United States of America may
34 * require a specific license from the United States Government.
35 * It is the responsibility of any person or organization contemplating
36 * export to obtain such a license before exporting.
37 *
38 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
39 * distribute this software and its documentation for any purpose and
40 * without fee is hereby granted, provided that the above copyright
41 * notice appear in all copies and that both that copyright notice and
42 * this permission notice appear in supporting documentation, and that
43 * the name of M.I.T. not be used in advertising or publicity pertaining
44 * to distribution of the software without specific, written prior
45 * permission. M.I.T. makes no representations about the suitability of
46 * this software for any purpose. It is provided "as is" without express
47 * or implied warranty.
48 */
49
50 #ifdef KRB5
51
52 #include <arpa/telnet.h>
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <string.h>
56 #include <unistd.h>
57 #include <netdb.h>
58 #include <ctype.h>
59 #include <pwd.h>
60 #define Authenticator k5_Authenticator
61 #include <krb5.h>
62 #undef Authenticator
63
64 #include "encrypt.h"
65 #include "auth.h"
66 #include "misc.h"
67
68 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
69
70 /* These values need to be the same as those defined in telnet/main.c. */
71 /* Either define them in both places, or put in some common header file. */
72 #define OPTS_FORWARD_CREDS 0x00000002
73 #define OPTS_FORWARDABLE_CREDS 0x00000001
74
75 void kerberos5_forward (Authenticator *);
76
77 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
78 AUTHTYPE_KERBEROS_V5, };
79
80 #define KRB_AUTH 0 /* Authentication data follows */
81 #define KRB_REJECT 1 /* Rejected (reason might follow) */
82 #define KRB_ACCEPT 2 /* Accepted */
83 #define KRB_RESPONSE 3 /* Response for mutual auth. */
84
85 #define KRB_FORWARD 4 /* Forwarded credentials follow */
86 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
87 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
88
89 static krb5_data auth;
90 static krb5_ticket *ticket;
91
92 static krb5_context context;
93 static krb5_auth_context auth_context;
94
95 static void
print_krb5_error(krb5_context context,krb5_error_code code,const char * msg)96 print_krb5_error(krb5_context context, krb5_error_code code, const char *msg)
97 {
98 const char *error_message;
99
100 error_message = krb5_get_error_message(context, code);
101 printf(msg, error_message);
102 krb5_free_error_message(context, error_message);
103 }
104
105 static int
Data(Authenticator * ap,int type,const char * d,int c)106 Data(Authenticator *ap, int type, const char *d, int c)
107 {
108 unsigned char *p = str_data + 4;
109 const unsigned char *cd = d;
110
111 if (c == -1)
112 c = strlen(cd);
113
114 if (auth_debug_mode) {
115 printf("%s:%d: [%d] (%d)",
116 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
117 str_data[3],
118 type, c);
119 printd(d, c);
120 printf("\r\n");
121 }
122 *p++ = ap->type;
123 *p++ = ap->way;
124 *p++ = type;
125 while (c-- > 0) {
126 if ((*p++ = *cd++) == IAC)
127 *p++ = IAC;
128 }
129 *p++ = IAC;
130 *p++ = SE;
131 if (str_data[3] == TELQUAL_IS)
132 printsub('>', &str_data[2], p - &str_data[2]);
133 return(net_write(str_data, p - str_data));
134 }
135
136 int
kerberos5_init(Authenticator * ap __unused,int server)137 kerberos5_init(Authenticator *ap __unused, int server)
138 {
139 krb5_error_code ret;
140
141 ret = krb5_init_context(&context);
142 if (ret)
143 return 0;
144 if (server) {
145 krb5_keytab kt;
146 krb5_kt_cursor cursor;
147
148 ret = krb5_kt_default(context, &kt);
149 if (ret)
150 return 0;
151
152 ret = krb5_kt_start_seq_get (context, kt, &cursor);
153 if (ret) {
154 krb5_kt_close (context, kt);
155 return 0;
156 }
157 krb5_kt_end_seq_get (context, kt, &cursor);
158 krb5_kt_close (context, kt);
159
160 str_data[3] = TELQUAL_REPLY;
161 } else
162 str_data[3] = TELQUAL_IS;
163 return(1);
164 }
165
166 extern int net;
167
168 static int
kerberos5_send(const char * name,Authenticator * ap)169 kerberos5_send(const char *name, Authenticator *ap)
170 {
171 krb5_error_code ret;
172 krb5_ccache ccache;
173 int ap_opts;
174 krb5_data cksum_data;
175 char foo[2];
176
177 if (!UserNameRequested) {
178 if (auth_debug_mode) {
179 printf("Kerberos V5: no user name supplied\r\n");
180 }
181 return(0);
182 }
183
184 ret = krb5_cc_default(context, &ccache);
185 if (ret) {
186 if (auth_debug_mode) {
187 print_krb5_error(context, ret, "Kerberos V5: could not get default ccache: %s\r\n");
188 }
189 return 0;
190 }
191
192 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
193 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
194 else
195 ap_opts = 0;
196 ap_opts |= AP_OPTS_USE_SUBKEY;
197
198 ret = krb5_auth_con_init (context, &auth_context);
199 if (ret) {
200 if (auth_debug_mode) {
201 print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n");
202 }
203 return(0);
204 }
205
206 ret = krb5_auth_con_setaddrs_from_fd (context,
207 auth_context,
208 &net);
209 if (ret) {
210 if (auth_debug_mode) {
211 print_krb5_error(context, ret, "Kerberos V5:"
212 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n");
213 }
214 return(0);
215 }
216
217 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
218
219 foo[0] = ap->type;
220 foo[1] = ap->way;
221
222 cksum_data.length = sizeof(foo);
223 cksum_data.data = foo;
224
225
226 {
227 krb5_principal service;
228 char sname[128];
229
230
231 ret = krb5_sname_to_principal (context,
232 RemoteHostName,
233 NULL,
234 KRB5_NT_SRV_HST,
235 &service);
236 if(ret) {
237 if (auth_debug_mode) {
238 const char *err_str;
239
240 err_str = krb5_get_error_message(context, ret);
241 printf("Kerberosr V5:"
242 " krb5_sname_to_principal(%s) failed (%s)\r\n",
243 RemoteHostName, err_str);
244 krb5_free_error_message(context, err_str);
245 }
246 return 0;
247 }
248 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
249 if(ret) {
250 if (auth_debug_mode) {
251 print_krb5_error(context, ret, "Kerberos V5:"
252 " krb5_unparse_name_fixed failed (%s)\r\n");
253 }
254 return 0;
255 }
256 printf("[ Trying %s (%s)... ]\r\n", name, sname);
257 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
258 service,
259 &cksum_data, ccache, &auth);
260 krb5_free_principal (context, service);
261
262 }
263 if (ret) {
264 if (1 || auth_debug_mode) {
265 print_krb5_error(context, ret, "Kerberos V5: mk_req failed (%s)\r\n");
266 }
267 return(0);
268 }
269
270 if (!auth_sendname((unsigned char *)UserNameRequested,
271 strlen(UserNameRequested))) {
272 if (auth_debug_mode)
273 printf("Not enough room for user name\r\n");
274 return(0);
275 }
276 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
277 if (auth_debug_mode)
278 printf("Not enough room for authentication data\r\n");
279 return(0);
280 }
281 if (auth_debug_mode) {
282 printf("Sent Kerberos V5 credentials to server\r\n");
283 }
284 return(1);
285 }
286
287 int
kerberos5_send_mutual(Authenticator * ap)288 kerberos5_send_mutual(Authenticator *ap)
289 {
290 return kerberos5_send("mutual KERBEROS5", ap);
291 }
292
293 int
kerberos5_send_oneway(Authenticator * ap)294 kerberos5_send_oneway(Authenticator *ap)
295 {
296 return kerberos5_send("KERBEROS5", ap);
297 }
298
299 void
kerberos5_is(Authenticator * ap,unsigned char * data,int cnt)300 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
301 {
302 krb5_error_code ret;
303 krb5_data outbuf;
304 krb5_keyblock *key_block;
305 char *name;
306 krb5_principal server;
307 int zero = 0;
308
309 if (cnt-- < 1)
310 return;
311 switch (*data++) {
312 case KRB_AUTH:
313 auth.data = (char *)data;
314 auth.length = cnt;
315
316 auth_context = NULL;
317
318 ret = krb5_auth_con_init (context, &auth_context);
319 if (ret) {
320 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
321 auth_finished(ap, AUTH_REJECT);
322 if (auth_debug_mode)
323 print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n");
324 return;
325 }
326
327 ret = krb5_auth_con_setaddrs_from_fd (context,
328 auth_context,
329 &zero);
330 if (ret) {
331 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
332 auth_finished(ap, AUTH_REJECT);
333 if (auth_debug_mode)
334 print_krb5_error(context, ret, "Kerberos V5: "
335 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n");
336 return;
337 }
338
339 ret = krb5_sock_to_principal (context,
340 0,
341 "host",
342 KRB5_NT_SRV_HST,
343 &server);
344 if (ret) {
345 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
346 auth_finished(ap, AUTH_REJECT);
347 if (auth_debug_mode)
348 print_krb5_error(context, ret, "Kerberos V5: "
349 "krb5_sock_to_principal failed (%s)\r\n");
350 return;
351 }
352
353 ret = krb5_rd_req(context,
354 &auth_context,
355 &auth,
356 server,
357 NULL,
358 NULL,
359 &ticket);
360
361 krb5_free_principal (context, server);
362 if (ret) {
363 char *errbuf;
364 const char *err_str;
365
366 err_str = krb5_get_error_message(context, ret);
367 asprintf(&errbuf,
368 "Read req failed: %s", err_str);
369 krb5_free_error_message(context, err_str);
370 Data(ap, KRB_REJECT, errbuf, -1);
371 if (auth_debug_mode)
372 printf("%s\r\n", errbuf);
373 free (errbuf);
374 return;
375 }
376
377 {
378 char foo[2];
379
380 foo[0] = ap->type;
381 foo[1] = ap->way;
382
383 ret = krb5_verify_authenticator_checksum(context,
384 auth_context,
385 foo,
386 sizeof(foo));
387
388 if (ret) {
389 char *errbuf;
390 const char *err_str;
391
392 err_str = krb5_get_error_message(context, ret);
393 asprintf(&errbuf, "Bad checksum: %s", err_str);
394 krb5_free_error_message(context, err_str);
395 Data(ap, KRB_REJECT, errbuf, -1);
396 if (auth_debug_mode)
397 printf ("%s\r\n", errbuf);
398 free(errbuf);
399 return;
400 }
401 }
402 ret = krb5_auth_con_getremotesubkey (context,
403 auth_context,
404 &key_block);
405
406 if (ret) {
407 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
408 auth_finished(ap, AUTH_REJECT);
409 if (auth_debug_mode)
410 print_krb5_error(context, ret, "Kerberos V5: "
411 "krb5_auth_con_getremotesubkey failed (%s)\r\n");
412 return;
413 }
414
415 if (key_block == NULL) {
416 ret = krb5_auth_con_getkey(context,
417 auth_context,
418 &key_block);
419 }
420 if (ret) {
421 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
422 auth_finished(ap, AUTH_REJECT);
423 if (auth_debug_mode)
424 print_krb5_error(context, ret, "Kerberos V5: "
425 "krb5_auth_con_getkey failed (%s)\r\n");
426 return;
427 }
428 if (key_block == NULL) {
429 Data(ap, KRB_REJECT, "no subkey received", -1);
430 auth_finished(ap, AUTH_REJECT);
431 if (auth_debug_mode)
432 printf("Kerberos V5: "
433 "krb5_auth_con_getremotesubkey returned NULL key\r\n");
434 return;
435 }
436
437 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
438 ret = krb5_mk_rep(context, auth_context, &outbuf);
439 if (ret) {
440 Data(ap, KRB_REJECT,
441 "krb5_mk_rep failed", -1);
442 auth_finished(ap, AUTH_REJECT);
443 if (auth_debug_mode)
444 print_krb5_error(context, ret, "Kerberos V5: "
445 "krb5_mk_rep failed (%s)\r\n");
446 return;
447 }
448 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
449 }
450 if (krb5_unparse_name(context, ticket->client, &name))
451 name = 0;
452
453 if(UserNameRequested && krb5_kuserok(context,
454 ticket->client,
455 UserNameRequested)) {
456 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
457 if (auth_debug_mode) {
458 printf("Kerberos5 identifies him as ``%s''\r\n",
459 name ? name : "");
460 }
461
462 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
463 key_block->keytype == ETYPE_DES_CBC_MD4 ||
464 key_block->keytype == ETYPE_DES_CBC_CRC) {
465 Session_Key skey;
466
467 skey.type = SK_DES;
468 skey.length = 8;
469 skey.data = key_block->keyvalue.data;
470 encrypt_session_key(&skey, 0);
471 }
472
473 } else {
474 char *msg;
475
476 asprintf (&msg, "user `%s' is not authorized to "
477 "login as `%s'",
478 name ? name : "<unknown>",
479 UserNameRequested ? UserNameRequested : "<nobody>");
480 if (msg == NULL)
481 Data(ap, KRB_REJECT, NULL, 0);
482 else {
483 Data(ap, KRB_REJECT, (void *)msg, -1);
484 free(msg);
485 }
486 auth_finished (ap, AUTH_REJECT);
487 krb5_free_keyblock_contents(context, key_block);
488 break;
489 }
490 auth_finished(ap, AUTH_USER);
491 krb5_free_keyblock_contents(context, key_block);
492
493 break;
494 case KRB_FORWARD: {
495 struct passwd *pwd;
496 char ccname[1024]; /* XXX */
497 krb5_data inbuf;
498 krb5_ccache ccache;
499 inbuf.data = (char *)data;
500 inbuf.length = cnt;
501
502 pwd = getpwnam (UserNameRequested);
503 if (pwd == NULL)
504 break;
505
506 snprintf (ccname, sizeof(ccname),
507 "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
508
509 ret = krb5_cc_resolve (context, ccname, &ccache);
510 if (ret) {
511 if (auth_debug_mode)
512 print_krb5_error(context, ret, "Kerberos V5: could not get ccache: %s\r\n");
513 break;
514 }
515
516 ret = krb5_cc_initialize (context,
517 ccache,
518 ticket->client);
519 if (ret) {
520 if (auth_debug_mode)
521 print_krb5_error(context, ret, "Kerberos V5: could not init ccache: %s\r\n");
522 break;
523 }
524
525 #if defined(DCE)
526 esetenv("KRB5CCNAME", ccname, 1);
527 #endif
528 ret = krb5_rd_cred2 (context,
529 auth_context,
530 ccache,
531 &inbuf);
532 if(ret) {
533 char *errbuf;
534 const char *err_str;
535
536 err_str = krb5_get_error_message(context, ret);
537 asprintf (&errbuf,
538 "Read forwarded creds failed: %s", err_str);
539 krb5_free_error_message(context, err_str);
540 if(errbuf == NULL)
541 Data(ap, KRB_FORWARD_REJECT, NULL, 0);
542 else
543 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
544 if (auth_debug_mode)
545 printf("Could not read forwarded credentials: %s\r\n",
546 errbuf);
547 free (errbuf);
548 } else {
549 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
550 #if defined(DCE)
551 dfsfwd = 1;
552 #endif
553 }
554 chown (ccname + 5, pwd->pw_uid, -1);
555 if (auth_debug_mode)
556 printf("Forwarded credentials obtained\r\n");
557 break;
558 }
559 default:
560 if (auth_debug_mode)
561 printf("Unknown Kerberos option %d\r\n", data[-1]);
562 Data(ap, KRB_REJECT, 0, 0);
563 break;
564 }
565 }
566
567 void
kerberos5_reply(Authenticator * ap,unsigned char * data,int cnt)568 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
569 {
570 static int mutual_complete = 0;
571
572 if (cnt-- < 1)
573 return;
574 switch (*data++) {
575 case KRB_REJECT:
576 if (cnt > 0) {
577 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
578 cnt, data);
579 } else
580 printf("[ Kerberos V5 refuses authentication ]\r\n");
581 auth_send_retry();
582 return;
583 case KRB_ACCEPT: {
584 krb5_error_code ret;
585 Session_Key skey;
586 krb5_keyblock *keyblock;
587
588 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
589 !mutual_complete) {
590 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
591 auth_send_retry();
592 return;
593 }
594 if (cnt)
595 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
596 else
597 printf("[ Kerberos V5 accepts you ]\r\n");
598
599 ret = krb5_auth_con_getlocalsubkey (context,
600 auth_context,
601 &keyblock);
602 if (ret)
603 ret = krb5_auth_con_getkey (context,
604 auth_context,
605 &keyblock);
606 if(ret) {
607 print_krb5_error(context, ret, "[ krb5_auth_con_getkey: %s ]\r\n");
608 auth_send_retry();
609 return;
610 }
611
612 skey.type = SK_DES;
613 skey.length = 8;
614 skey.data = keyblock->keyvalue.data;
615 encrypt_session_key(&skey, 0);
616 krb5_free_keyblock_contents (context, keyblock);
617 auth_finished(ap, AUTH_USER);
618 if (forward_flags & OPTS_FORWARD_CREDS)
619 kerberos5_forward(ap);
620 break;
621 }
622 case KRB_RESPONSE:
623 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
624 /* the rest of the reply should contain a krb_ap_rep */
625 krb5_ap_rep_enc_part *reply;
626 krb5_data inbuf;
627 krb5_error_code ret;
628
629 inbuf.length = cnt;
630 inbuf.data = (char *)data;
631
632 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
633 if (ret) {
634 print_krb5_error(context, ret, "[ Mutual authentication failed: %s ]\r\n");
635 auth_send_retry();
636 return;
637 }
638 krb5_free_ap_rep_enc_part(context, reply);
639 mutual_complete = 1;
640 }
641 return;
642 case KRB_FORWARD_ACCEPT:
643 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
644 return;
645 case KRB_FORWARD_REJECT:
646 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
647 cnt, data);
648 return;
649 default:
650 if (auth_debug_mode)
651 printf("Unknown Kerberos option %d\r\n", data[-1]);
652 return;
653 }
654 }
655
656 int
kerberos5_status(Authenticator * ap __unused,char * name,int level)657 kerberos5_status(Authenticator *ap __unused, char *name, int level)
658 {
659 if (level < AUTH_USER)
660 return(level);
661
662 if (UserNameRequested &&
663 krb5_kuserok(context,
664 ticket->client,
665 UserNameRequested))
666 {
667 strcpy(name, UserNameRequested);
668 return(AUTH_VALID);
669 } else
670 return(AUTH_USER);
671 }
672
673 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
674 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
675
676 void
kerberos5_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)677 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
678 {
679 int i;
680
681 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
682 buflen -= 1;
683
684 switch(data[3]) {
685 case KRB_REJECT: /* Rejected (reason might follow) */
686 strlcpy((char *)buf, " REJECT ", buflen);
687 goto common;
688
689 case KRB_ACCEPT: /* Accepted (name might follow) */
690 strlcpy((char *)buf, " ACCEPT ", buflen);
691 common:
692 BUMP(buf, buflen);
693 if (cnt <= 4)
694 break;
695 ADDC(buf, buflen, '"');
696 for (i = 4; i < cnt; i++)
697 ADDC(buf, buflen, data[i]);
698 ADDC(buf, buflen, '"');
699 ADDC(buf, buflen, '\0');
700 break;
701
702
703 case KRB_AUTH: /* Authentication data follows */
704 strlcpy((char *)buf, " AUTH", buflen);
705 goto common2;
706
707 case KRB_RESPONSE:
708 strlcpy((char *)buf, " RESPONSE", buflen);
709 goto common2;
710
711 case KRB_FORWARD: /* Forwarded credentials follow */
712 strlcpy((char *)buf, " FORWARD", buflen);
713 goto common2;
714
715 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
716 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
717 goto common2;
718
719 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
720 /* (reason might follow) */
721 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
722 goto common2;
723
724 default:
725 snprintf(buf, buflen, " %d (unknown)", data[3]);
726 common2:
727 BUMP(buf, buflen);
728 for (i = 4; i < cnt; i++) {
729 snprintf(buf, buflen, " %d", data[i]);
730 BUMP(buf, buflen);
731 }
732 break;
733 }
734 }
735
736 void
kerberos5_forward(Authenticator * ap)737 kerberos5_forward(Authenticator *ap)
738 {
739 krb5_error_code ret;
740 krb5_ccache ccache;
741 krb5_creds creds;
742 krb5_kdc_flags flags;
743 krb5_data out_data;
744 krb5_principal principal;
745
746 ret = krb5_cc_default (context, &ccache);
747 if (ret) {
748 if (auth_debug_mode)
749 print_krb5_error(context, ret, "KerberosV5: could not get default ccache: %s\r\n");
750 return;
751 }
752
753 ret = krb5_cc_get_principal (context, ccache, &principal);
754 if (ret) {
755 if (auth_debug_mode)
756 print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n");
757 return;
758 }
759
760 memset (&creds, 0, sizeof(creds));
761
762 creds.client = principal;
763
764 ret = krb5_build_principal (context,
765 &creds.server,
766 strlen(principal->realm),
767 principal->realm,
768 "krbtgt",
769 principal->realm,
770 NULL);
771
772 if (ret) {
773 if (auth_debug_mode)
774 print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n");
775 return;
776 }
777
778 creds.times.endtime = 0;
779
780 flags.i = 0;
781 flags.b.forwarded = 1;
782 if (forward_flags & OPTS_FORWARDABLE_CREDS)
783 flags.b.forwardable = 1;
784
785 ret = krb5_get_forwarded_creds (context,
786 auth_context,
787 ccache,
788 flags.i,
789 RemoteHostName,
790 &creds,
791 &out_data);
792 if (ret) {
793 if (auth_debug_mode)
794 print_krb5_error(context, ret, "Kerberos V5: error getting forwarded creds: %s\r\n");
795 return;
796 }
797
798 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
799 if (auth_debug_mode)
800 printf("Not enough room for authentication data\r\n");
801 } else {
802 if (auth_debug_mode)
803 printf("Forwarded local Kerberos V5 credentials to server\r\n");
804 }
805 }
806
807 #if defined(DCE)
808 /* if this was a K5 authentication try and join a PAG for the user. */
809 void
kerberos5_dfspag(void)810 kerberos5_dfspag(void)
811 {
812 if (dfsk5ok) {
813 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
814 UserNameRequested);
815 }
816 }
817 #endif
818
819 #endif /* KRB5 */
820