xref: /openbsd/usr.bin/ssh/gss-serv-krb5.c (revision fc61954a) 
1 /* $OpenBSD: gss-serv-krb5.c,v 1.8 2013/07/20 01:55:13 djm Exp $ */
2 
3 /*
4  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #ifdef GSSAPI
28 #ifdef KRB5
29 
30 #include <sys/types.h>
31 
32 #include "xmalloc.h"
33 #include "key.h"
34 #include "hostfile.h"
35 #include "auth.h"
36 #include "log.h"
37 
38 #include "buffer.h"
39 #include "ssh-gss.h"
40 
41 #include <krb5.h>
42 #include <gssapi/gssapi_krb5.h>
43 
44 static krb5_context krb_context = NULL;
45 
46 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
47 
48 static int
49 ssh_gssapi_krb5_init(void)
50 {
51 	krb5_error_code problem;
52 
53 	if (krb_context != NULL)
54 		return 1;
55 
56 	problem = krb5_init_context(&krb_context);
57 	if (problem) {
58 		logit("Cannot initialize krb5 context");
59 		return 0;
60 	}
61 	krb5_init_ets(krb_context);
62 
63 	return 1;
64 }
65 
66 /* Check if this user is OK to login. This only works with krb5 - other
67  * GSSAPI mechanisms will need their own.
68  * Returns true if the user is OK to log in, otherwise returns 0
69  */
70 
71 static int
72 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
73 {
74 	krb5_principal princ;
75 	int retval;
76 	const char *errmsg;
77 
78 	if (ssh_gssapi_krb5_init() == 0)
79 		return 0;
80 
81 	if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
82 	    &princ))) {
83 		errmsg = krb5_get_error_message(krb_context, retval);
84 		logit("krb5_parse_name(): %.100s", errmsg);
85 		krb5_free_error_message(krb_context, errmsg);
86 		return 0;
87 	}
88 	if (krb5_kuserok(krb_context, princ, name)) {
89 		retval = 1;
90 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
91 		    name, (char *)client->displayname.value);
92 	} else
93 		retval = 0;
94 
95 	krb5_free_principal(krb_context, princ);
96 	return retval;
97 }
98 
99 
100 /* This writes out any forwarded credentials from the structure populated
101  * during userauth. Called after we have setuid to the user */
102 
103 static void
104 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
105 {
106 	krb5_ccache ccache;
107 	krb5_error_code problem;
108 	krb5_principal princ;
109 	OM_uint32 maj_status, min_status;
110 	const char *errmsg;
111 
112 	if (client->creds == NULL) {
113 		debug("No credentials stored");
114 		return;
115 	}
116 
117 	if (ssh_gssapi_krb5_init() == 0)
118 		return;
119 
120 	if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
121 	    NULL, &ccache)) != 0) {
122 		errmsg = krb5_get_error_message(krb_context, problem);
123 		logit("krb5_cc_new_unique(): %.100s", errmsg);
124 		krb5_free_error_message(krb_context, errmsg);
125 		return;
126 	}
127 
128 	if ((problem = krb5_parse_name(krb_context,
129 	    client->exportedname.value, &princ))) {
130 		errmsg = krb5_get_error_message(krb_context, problem);
131 		logit("krb5_parse_name(): %.100s", errmsg);
132 		krb5_free_error_message(krb_context, errmsg);
133 		krb5_cc_destroy(krb_context, ccache);
134 		return;
135 	}
136 
137 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
138 		errmsg = krb5_get_error_message(krb_context, problem);
139 		logit("krb5_cc_initialize(): %.100s", errmsg);
140 		krb5_free_error_message(krb_context, errmsg);
141 		krb5_free_principal(krb_context, princ);
142 		krb5_cc_destroy(krb_context, ccache);
143 		return;
144 	}
145 
146 	krb5_free_principal(krb_context, princ);
147 
148 	if ((maj_status = gss_krb5_copy_ccache(&min_status,
149 	    client->creds, ccache))) {
150 		logit("gss_krb5_copy_ccache() failed");
151 		krb5_cc_destroy(krb_context, ccache);
152 		return;
153 	}
154 
155 	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
156 	client->store.envvar = "KRB5CCNAME";
157 	client->store.envval = xstrdup(client->store.filename);
158 
159 	krb5_cc_close(krb_context, ccache);
160 
161 	return;
162 }
163 
164 ssh_gssapi_mech gssapi_kerberos_mech = {
165 	"toWM5Slw5Ew8Mqkay+al2g==",
166 	"Kerberos",
167 	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
168 	NULL,
169 	&ssh_gssapi_krb5_userok,
170 	NULL,
171 	&ssh_gssapi_krb5_storecreds
172 };
173 
174 #endif /* KRB5 */
175 
176 #endif /* GSSAPI */
177