1 /* $NetBSD: k5login.c,v 1.27 2006/03/23 23:33:28 wiz Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 /* 33 * Copyright (c) 1980, 1987, 1988 The Regents of the University of California. 34 * All rights reserved. 
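 *
 * Redistribution and use in source and binary forms are permitted
 * provided that the above copyright notice and this paragraph are
 * duplicated in all such forms and that any documentation,
 * advertising materials, and other materials related to such
 * distribution and use acknowledge that the software was developed
 * by the University of California, Berkeley.  The name of the
 * University may not be used to endorse or promote products derived
 * from this software without specific prior written permission.
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 */

#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)klogin.c	5.11 (Berkeley) 7/12/92";
#endif
__RCSID("$NetBSD: k5login.c,v 1.27 2006/03/23 23:33:28 wiz Exp $");
#endif /* not lint */

#ifdef KERBEROS5
#include <sys/param.h>
#include <sys/syslog.h>
#include <krb5/krb5.h>
#include <pwd.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

/* KDC options for the initial ticket request; k5login() ORs in
 * KDC_OPT_FORWARDABLE when login_krb5_forwardable_tgt is set. */
#define KRB5_DEFAULT_OPTIONS	0
/* Requested TGT lifetime in seconds (10 hours).  Parenthesized so the
 * macro is safe inside any expression (it was bare 60*60*10 before). */
#define KRB5_DEFAULT_LIFE	(60*60*10)

/* Library context shared by every routine here.  Nothing in this file
 * calls krb5_init_context(); it is set up elsewhere (login.c). */
krb5_context kcontext;

int notickets;			/* cleared once a TGT was obtained or forwarded */
int krb5_configured;		/* set by k5login(); 0 if root or no default realm */
char *krb5tkfile_env;		/* cache name for the caller to export as KRB5CCNAME */
extern char *tty;		/* tty name, used to make the cache file name unique */
extern int login_krb5_forwardable_tgt;	/* request a forwardable TGT */
extern int has_ccache;		/* told to the caller once a cache name exists */

static char tkt_location[MAXPATHLEN];	/* "FILE:..." name of the user's cache */
static krb5_creds forw_creds;		/* TGT copied out of a forwarded cache */
int have_forward;			/* forw_creds holds a ticket to re-store */
static krb5_principal me, server;	/* client and krbtgt principals in use */

int k5_read_creds(char *);
int k5_write_creds(void);
int k5_verify_creds(krb5_context, krb5_ccache);
int k5login(struct passwd *, char *, char *, char *);
void k5destroy(void);

/* Accessors for the realm part of a principal.  Libraries whose realm
 * type is a plain string define these themselves; the fallbacks below
 * assume a {length, data} struct. */
#ifndef krb5_realm_length
#define krb5_realm_length(r)	((r).length)
#endif
#ifndef krb5_realm_data
#define krb5_realm_data(r) \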
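((r).data)
#endif

/*
 * Verify the Kerberos ticket-granting ticket just retrieved for the
 * user by using it to fetch a host/<host> service ticket and reading
 * that ticket back with the local keytab.  If the Kerberos server
 * doesn't respond, assume the user is trying to fake us out (since we
 * DID just get a TGT from what is supposedly our KDC).  If the
 * host/<host> service is unknown (i.e., the local keytab doesn't have
 * it), let her in.
 *
 * NOTE(security): with no host key in the keytab nothing here can tell
 * a real KDC from a spoofed one; the "uncertain" result (0) is accepted
 * by k5login(), so a rogue KDC that answers the AS exchange gets any
 * password accepted.  Hosts relying on Kerberos for login need a
 * host/<host> key provisioned in the default keytab.
 *
 * c:       Kerberos context used for all library calls.
 * ccache:  credential cache holding the TGT under test.
 *
 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
 */
int
k5_verify_creds(krb5_context c, krb5_ccache ccache)
{
	char phost[MAXHOSTNAMELEN];
	int retval, have_keys, have_packet = 0;
	krb5_principal princ;
	krb5_keyblock *kb = NULL;
	krb5_error_code kerror;
	krb5_data packet;
	krb5_auth_context auth_context = NULL;
	krb5_ticket *ticket = NULL;

	memset(&packet, 0, sizeof(packet));

	kerror = krb5_sname_to_principal(c, 0, 0, KRB5_NT_SRV_HST, &princ);
	if (kerror) {
		krb5_warn(c, kerror, "constructing local service name");
		return (-1);
	}

	/* Do we have host/<host> keys? */
	/* (use default keytab, kvno IGNORE_VNO to get the first match,
	 * and default enctype.) */
	kerror = krb5_kt_read_service_key(c, NULL, princ, 0, 0, &kb);
	if (kb)
		krb5_free_keyblock(c, kb);
	/* any failure means we don't have keys at all. */
	have_keys = kerror ? 0 : 1;

	/* XXX there should be a krb5 function like mk_req, but taking a full
	 * principal, instead of a service/hostname. (Did I miss one?) */
	if (gethostname(phost, sizeof(phost)) < 0) {
		/* Without our own name there is no service name to verify
		 * against; fail closed rather than use an unset buffer. */
		syslog(LOG_NOTICE, "gethostname failed: %m");
		retval = -1;
		goto EGRESS;
	}
	/* gethostname() need not NUL-terminate on truncation. */
	phost[sizeof(phost) - 1] = '\0';

	/* talk to the kdc and construct the ticket */
	kerror = krb5_mk_req(c, &auth_context, 0, "host", phost,
	    0, ccache, &packet);
	if (kerror == 0)
		have_packet = 1;	/* packet now owns allocated data */
	/* wipe the auth context for rd_req */
	if (auth_context) {
		krb5_auth_con_free(c, auth_context);
		auth_context = NULL;
	}
	if (kerror == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
		if (have_keys) {
			/* we have a service key, so something should be
			 * in the database, therefore this error packet could
			 * have come from an attacker. */
			retval = -1;
		} else {
			/* but if it is unknown and we've got no key, we don't
			 * have any security anyhow, so it is ok. */
			retval = 0;
		}
		goto EGRESS;
	}
	if (kerror) {
		krb5_warn(c, kerror,
		    "Unable to verify Kerberos V5 TGT: %s", phost);
		syslog(LOG_NOTICE, "Kerberos V5 TGT bad: %s",
		    krb5_get_err_text(c, kerror));
		retval = -1;
		goto EGRESS;
	}

	/* got ticket, try to use it */
	kerror = krb5_rd_req(c, &auth_context, &packet,
	    princ, NULL, NULL, &ticket);
	if (kerror) {
		if (!have_keys) {
			/* The krb5 errors aren't specified well, but I think
			 * these values cover the cases we expect. */
			switch (kerror) {
			case ENOENT:		/* no keytab */
			case KRB5_KT_NOTFOUND:
				retval = 0;
				break;
			default:
				/* unexpected error: fail */
				retval = -1;
				break;
			}
		} else {
			/* we have keys, so if we got any error, we could be
			 * under attack. */
			retval = -1;
		}
		krb5_warn(c, kerror, "Unable to verify host ticket");
		syslog(LOG_NOTICE, "can't verify v5 ticket: %s; %s\n",
		    krb5_get_err_text(c, kerror),
		    retval
			? "keytab found, assuming failure"
			: "no keytab found, assuming success");
		goto EGRESS;
	}

	/*
	 * The host/<host> ticket has been received _and_ verified.
	 */
	retval = 1;

	/* do cleanup and return */
EGRESS:
	/* The ticket and the AP-REQ packet were leaked before. */
	if (ticket)
		krb5_free_ticket(c, ticket);
	if (have_packet)
		krb5_free_data_contents(c, &packet);
	if (auth_context)
		krb5_auth_con_free(c, auth_context);
	krb5_free_principal(c, princ);
	return (retval);
}

/*
 * Attempt to read forwarded kerberos creds
 *
 * return 0 on success (forwarded creds in memory)
 *        1 if no forwarded creds.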
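 */
int
k5_read_creds(char *username)
{
	krb5_error_code kerror;
	krb5_creds mcreds;
	krb5_ccache ccache;
	const char *ccname;

	have_forward = 0;
	memset(&mcreds, 0, sizeof(mcreds));
	memset(&forw_creds, 0, sizeof(forw_creds));

	/* krb5_cc_default() honours KRB5CCNAME, which is how a forwarded
	 * cache is handed to us. */
	kerror = krb5_cc_default(kcontext, &ccache);
	if (kerror) {
		krb5_warn(kcontext, kerror, "while getting default ccache");
		return (1);
	}

	kerror = krb5_parse_name(kcontext, username, &me);
	if (kerror) {
		krb5_warn(kcontext, kerror, "when parsing name %s", username);
		/* Leave the cache on disk (as before), but don't leak
		 * the handle. */
		krb5_cc_close(kcontext, ccache);
		return (1);
	}

	/* Match template: client = user, server = krbtgt/REALM@REALM. */
	mcreds.client = me;
	kerror = krb5_build_principal_ext(kcontext, &mcreds.server,
	    krb5_realm_length(*krb5_princ_realm(kcontext, me)),
	    krb5_realm_data(*krb5_princ_realm(kcontext, me)),
	    KRB5_TGS_NAME_SIZE,
	    KRB5_TGS_NAME,
	    krb5_realm_length(*krb5_princ_realm(kcontext, me)),
	    krb5_realm_data(*krb5_princ_realm(kcontext, me)),
	    0);
	if (kerror) {
		krb5_warn(kcontext, kerror, "while building server name");
		goto nuke_ccache;
	}

	kerror = krb5_cc_retrieve_cred(kcontext, ccache, 0,
	    &mcreds, &forw_creds);
	/* The template's server principal is ours to free; forw_creds
	 * comes back with its own copy of everything. */
	krb5_free_principal(kcontext, mcreds.server);
	if (kerror) {
		krb5_warn(kcontext, kerror,
		    "while retrieving V5 initial ticket for copy");
		goto nuke_ccache;
	}

	/*
	 * Remember where the cache lives so the caller can point KRB5CCNAME
	 * back at it for k5_write_creds().  KRB5CCNAME may legitimately be
	 * unset (the library then used its default name), and strlcpy() of
	 * a NULL would crash; ask the library for the name in that case.
	 * A truncated name would later write the user's tickets somewhere
	 * else, so treat that as "no forwarded creds" too.
	 */
	ccname = getenv("KRB5CCNAME");
	if (ccname == NULL)
		ccname = krb5_cc_default_name(kcontext);
	if (ccname == NULL ||
	    strlcpy(tkt_location, ccname, sizeof(tkt_location)) >=
	    sizeof(tkt_location)) {
		syslog(LOG_NOTICE,
		    "forwarded ccache name missing or too long; ignoring it");
		krb5_free_cred_contents(kcontext, &forw_creds);
		goto nuke_ccache;
	}

	have_forward = 1;
	krb5tkfile_env = tkt_location;
	has_ccache = 1;
	notickets = 0;

nuke_ccache:
	/* Whatever we wanted is now in forw_creds; the cache that arrived
	 * with the connection is removed (also on failure, as before). */
	krb5_cc_destroy(kcontext, ccache);
	return (!have_forward);
}

/*
 * Store the creds copied out by k5_read_creds() into the default
 * credential cache (the one KRB5CCNAME names).  The log messages say
 * this is done "as user", i.e. after privileges were dropped.
 *
 * return 0 on success, 1 if there was nothing to write or it failed.
 * forw_creds is released on every path.
 */
int
k5_write_creds(void)
{
	krb5_error_code kerror;
	krb5_ccache ccache;

	if (!have_forward)
		return (1);

	kerror = krb5_cc_default(kcontext, &ccache);
	if (kerror) {
		krb5_warn(kcontext, kerror, "while getting default ccache");
		krb5_free_cred_contents(kcontext, &forw_creds);
		return (1);
	}

	kerror = krb5_cc_initialize(kcontext, ccache, me);
	if (kerror) {
		krb5_warn(kcontext, kerror,
		    "while re-initializing V5 ccache as user");
		goto nuke_ccache_contents;
	}

	kerror = krb5_cc_store_cred(kcontext, ccache, &forw_creds);
	if (kerror)
		krb5_warn(kcontext, kerror,
		    "while re-storing V5 ccache as user");

nuke_ccache_contents:
	/* The handle itself was never closed before. */
	krb5_cc_close(kcontext, ccache);
	krb5_free_cred_contents(kcontext, &forw_creds);
	return (kerror != 0);
}

/*
 * Attempt to log the user in using Kerberos authentication
 *
 * pw:        passwd entry of the user logging in.
 * instance:  principal instance ("" for plain <user>, "root" for
 *            <user>/root, which also selects a different cache name).
 * localhost: unused here.
 * password:  the password typed at the prompt.
 *
 * On success the TGT is left in the "FILE:" cache named by
 * krb5tkfile_env, owned by the user, and notickets is cleared.
 *
 * return 0 on success (will be logged in)
 *        1 if Kerberos failed (try local password in login)
 */
int
k5login(struct passwd *pw, char *instance, char *localhost, char *password)
{
	krb5_error_code kerror;
	krb5_creds my_creds;
	krb5_timestamp now;
	krb5_ccache ccache = NULL;
	long lifetime = KRB5_DEFAULT_LIFE;
	int options = KRB5_DEFAULT_OPTIONS;
	char *realm, *client_name = NULL;
	char *principal = NULL;
	const char *ccpath;
	int n, rval = 1;

	krb5_configured = 1;

	if (login_krb5_forwardable_tgt)
		options |= KDC_OPT_FORWARDABLE;

	/*
	 * Root logins don't use Kerberos.
	 * If we have a realm, try getting a ticket-granting ticket
	 * and using it to authenticate. Otherwise, return
	 * failure so that we can try the normal passwd file
	 * for a password. If that's ok, log the user in
	 * without issuing any tickets.
	 */
	if (strcmp(pw->pw_name, "root") == 0 ||
	    krb5_get_default_realm(kcontext, &realm)) {
		krb5_configured = 0;
		return (1);
	}
	/* Only the existence of a realm matters; the string is ours
	 * to free (it was leaked before). */
	free(realm);

	/*
	 * get TGT for local realm
	 * tickets are stored in a file named TKT_ROOT plus uid
	 * except for user.root tickets.
	 */
	if (strcmp(instance, "root") != 0)
		n = snprintf(tkt_location, sizeof tkt_location,
		    "FILE:/tmp/krb5cc_%d.%s", (int)pw->pw_uid, tty);
	else
		n = snprintf(tkt_location, sizeof tkt_location,
		    "FILE:/tmp/krb5cc_root_%d.%s", (int)pw->pw_uid, tty);
	if (n < 0 || (size_t)n >= sizeof tkt_location) {
		/* A truncated name would be a different file than the
		 * one we later chown and destroy. */
		syslog(LOG_NOTICE, "Kerberos V5 ticket cache name too long");
		return (1);
	}
	krb5tkfile_env = tkt_location;
	has_ccache = 1;

	if (strlen(instance)) {
		/* Not every libc leaves the pointer defined on failure. */
		if (asprintf(&principal, "%s/%s", pw->pw_name, instance) < 0)
			principal = NULL;
	} else
		principal = strdup(pw->pw_name);
	if (principal == NULL) {
		syslog(LOG_NOTICE, "fatal: %s", strerror(errno));
		return (1);
	}

	if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) {
		syslog(LOG_NOTICE, "warning: %s while getting default ccache",
		    krb5_get_err_text(kcontext, kerror));
		goto out;
	}

	if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) {
		syslog(LOG_NOTICE, "warning: %s when parsing name %s",
		    krb5_get_err_text(kcontext, kerror), principal);
		goto out;
	}

	/* The unparsed form is not used; the call only checks the name
	 * round-trips.  It is freed at out:. */
	if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) {
		syslog(LOG_NOTICE, "warning: %s when unparsing name %s",
		    krb5_get_err_text(kcontext, kerror), principal);
		goto out;
	}

	kerror = krb5_cc_initialize(kcontext, ccache, me);
	if (kerror != 0) {
		syslog(LOG_NOTICE, "%s when initializing cache %s",
		    krb5_get_err_text(kcontext, kerror), tkt_location);
		goto out;
	}

	memset(&my_creds, 0, sizeof(my_creds));

	my_creds.client = me;

	/* server = krbtgt/REALM@REALM for the user's realm */
	if ((kerror = krb5_build_principal_ext(kcontext,
	    &server,
	    krb5_realm_length(*krb5_princ_realm(kcontext, me)),
	    krb5_realm_data(*krb5_princ_realm(kcontext, me)),
	    KRB5_TGS_NAME_SIZE,
	    KRB5_TGS_NAME,
	    krb5_realm_length(*krb5_princ_realm(kcontext, me)),
	    krb5_realm_data(*krb5_princ_realm(kcontext, me)),
	    0)) != 0) {
		syslog(LOG_NOTICE, "%s while building server name",
		    krb5_get_err_text(kcontext, kerror));
		goto out;
	}

	my_creds.server = server;

	if ((kerror = krb5_timeofday(kcontext, &now)) != 0) {
		syslog(LOG_NOTICE, "%s while getting time of day",
		    krb5_get_err_text(kcontext, kerror));
		goto out;
	}

	my_creds.times.starttime = 0;	/* start timer when request
					   gets to KDC */
	my_creds.times.endtime = now + lifetime;
	my_creds.times.renew_till = 0;

	kerror = krb5_get_in_tkt_with_password(kcontext, options,
	    NULL,
	    NULL,
	    NULL,
	    password,
	    ccache,
	    &my_creds, 0);

	/*
	 * Release everything the request left in my_creds (only the
	 * server principal was freed before; the session key and ticket
	 * leaked).  client/server point at the file-scope `me' and
	 * `server' -- or, depending on the library, at copies from the
	 * KDC reply that replaced them -- so clear both rather than leave
	 * them dangling.  k5_write_creds() uses the `me' parsed by
	 * k5_read_creds(), not this one.
	 */
	krb5_free_cred_contents(kcontext, &my_creds);
	me = NULL;
	server = NULL;

	/*
	 * The library created the cache as root; hand it to the user.
	 * The path under /tmp is predictable, so use lchown() rather than
	 * chown() so that a symlink planted there is not followed.
	 */
	ccpath = tkt_location + sizeof("FILE:") - 1;
	if (lchown(ccpath, pw->pw_uid, pw->pw_gid) < 0)
		syslog(LOG_ERR, "chown tkfile (%s): %m", ccpath);

	if (kerror) {
		if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY)
			printf("%s: Kerberos Password incorrect\n", principal);
		else
			krb5_warn(kcontext, kerror,
			    "while getting initial credentials");
		goto out;
	}

	/*
	 * Make sure the TGT really came from our KDC.  Only a definite
	 * failure (-1) rejects the login; 0 means "no host key, cannot
	 * tell" and is accepted -- see the note on k5_verify_creds().
	 */
	if (k5_verify_creds(kcontext, ccache) < 0)
		goto out;

	/* Success */
	notickets = 0;
	rval = 0;

out:
	/* The cache file stays; k5destroy() removes it via krb5tkfile_env.
	 * principal, client_name and the cache handle were leaked before. */
	if (ccache != NULL)
		krb5_cc_close(kcontext, ccache);
	free(client_name);
	free(principal);
	return (rval);
}

/*
 * Remove any credentials
 *
 * Destroys the cache named by krb5tkfile_env (set by k5login() or
 * k5_read_creds()); a no-op if none was ever named.  Failures used to
 * be silent; they are now logged so a credential left behind on disk
 * is at least visible.
 */
void
k5destroy(void)
{
	krb5_error_code kerror;
	krb5_ccache ccache = NULL;

	if (krb5tkfile_env == NULL)
		return;

	kerror = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache);
	if (kerror != 0) {
		syslog(LOG_NOTICE, "%s while resolving ccache %s for removal",
		    krb5_get_err_text(kcontext, kerror), krb5tkfile_env);
		return;
	}
	/* krb5_cc_destroy() also releases the handle. */
	kerror = krb5_cc_destroy(kcontext, ccache);
	if (kerror != 0)
		syslog(LOG_NOTICE, "%s while destroying ccache %s",
		    krb5_get_err_text(kcontext, kerror), krb5tkfile_env);
}
#endif /* KERBEROS5 */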