1 /* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
2 /*
3  *    Kerberos v5 authentication and ticket-passing routines.
4  *
5  * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
6  */
7 /*
8  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 #include <sys/types.h>
32 #include <pwd.h>
33 #include <stdarg.h>
34 
35 #include "xmalloc.h"
36 #include "ssh.h"
37 #include "ssh1.h"
38 #include "packet.h"
39 #include "log.h"
40 #include "buffer.h"
41 #include "servconf.h"
42 #include "uidswap.h"
43 #include "key.h"
44 #include "hostfile.h"
45 #include "auth.h"
46 
47 #ifdef KRB5
48 #include <krb5.h>
49 
/* sshd's parsed configuration; only kerberos_or_local_passwd is read here. */
extern ServerOptions	 options;
51 
/*
 * Lazily create the Kerberos context stored in the Authctxt.
 *
 * `context' is the Authctxt, passed as void * so this can double as a
 * generic init callback.  A context that already exists is left alone.
 *
 * Returns 0 on success (or when nothing had to be done), otherwise the
 * krb5_error_code reported by krb5_init_context().
 */
static int
krb5_init(void *context)
{
	Authctxt *authctxt = (Authctxt *)context;
	krb5_error_code problem = 0;

	/* Already set up by an earlier call; nothing to do. */
	if (authctxt->krb5_ctx != NULL)
		return (0);

	problem = krb5_init_context(&authctxt->krb5_ctx);
	/* krb5_init_ets() only runs on a successfully created context. */
	if (problem == 0)
		krb5_init_ets(authctxt->krb5_ctx);
	return (problem);
}
66 
/*
 * Check `password' for the account in authctxt against Kerberos and, on
 * success, leave a credential cache behind for the session.
 *
 * Flow: a temporary memory-type cache is created while running as the user,
 * the password is verified as root, and the resulting credentials are then
 * copied into a file-type cache (again as the user) whose name is recorded
 * in authctxt->krb5_ticket_file.  The temporary cache is destroyed before
 * return on every path.
 *
 * Returns 1 when Kerberos accepted the password and the account is valid,
 * 0 when it was rejected (or the account is not valid), and -1 when
 * Kerberos failed but options.kerberos_or_local_passwd lets the caller fall
 * back to local password authentication.  On failure every Kerberos object
 * hanging off authctxt is released via krb5_cleanup_proc().
 */
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
	krb5_error_code problem;
	krb5_ccache ccache = NULL;	/* temporary cache, never outlives this call */
	const char *errmsg;

	/* Caches below are created under the user's uid, not root's. */
	temporarily_use_uid(authctxt->pw);

	problem = krb5_init(authctxt);
	if (problem)
		goto out;

	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
		    &authctxt->krb5_user);
	if (problem)
		goto out;

	/* krb5_mcc_ops: memory-resident cache (presumably; by its name). */
	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
	     krb5_mcc_ops.prefix, NULL, &ccache);
	if (problem)
		goto out;

	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
		authctxt->krb5_user);
	if (problem)
		goto out;

	/*
	 * Back to root for the verification itself.  The `1' is Heimdal's
	 * secure flag: per the Heimdal API it checks the obtained TGT against
	 * the host keytab so a spoofed KDC cannot fake a success, and reading
	 * that keytab is presumably why root is needed here -- TODO confirm.
	 */
	restore_uid();

	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
	    ccache, password, 1, NULL);

	/* Drop privileges again before touching the on-disk cache. */
	temporarily_use_uid(authctxt->pw);

	if (problem)
		goto out;

	/* krb5_fcc_ops: file-backed cache handed to the session. */
	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
	     krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
	if (problem)
		goto out;

	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
	    authctxt->krb5_fwd_ccache);
	/* The temporary cache is done with whether or not the copy worked. */
	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
	ccache = NULL;
	if (problem)
		goto out;

	/*
	 * NOTE(review): this is not a copy.  krb5_cc_get_name() returns the
	 * cache's own name (const is cast away), so krb5_ticket_file aliases
	 * storage owned by krb5_fwd_ccache and is only valid while that cache
	 * exists -- confirm against the Heimdal fcc implementation.
	 */
	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
	    authctxt->krb5_fwd_ccache);

 out:
	/* Every path above left the user's uid active. */
	restore_uid();

	if (problem) {
		/* Only non-NULL if we failed before the copy step. */
		if (ccache)
			krb5_cc_destroy(authctxt->krb5_ctx, ccache);

		/* Error text is logged locally via debug() only. */
		if (authctxt->krb5_ctx != NULL) {
			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
			    problem);
			debug("Kerberos password authentication failed: %s",
			    errmsg);
			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
		} else
			debug("Kerberos password authentication failed: %d",
			    problem);

		krb5_cleanup_proc(authctxt);

		/* -1 means "let the caller try local passwords". */
		if (options.kerberos_or_local_passwd)
			return (-1);
		else
			return (0);
	}
	return (authctxt->valid ? 1 : 0);
}
146 
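/*
 * Release every Kerberos object owned by authctxt: the forwarded credential
 * cache (destroyed, not merely closed), the parsed principal and the
 * context.  Each member is checked and reset to NULL, so the function is
 * safe to call repeatedly and on an authctxt that never went through
 * auth_krb5_password().
 *
 * krb5_ticket_file is deliberately not freed: in this file it is only ever
 * set from krb5_cc_get_name() on krb5_fwd_ccache (see auth_krb5_password),
 * so it aliases storage that krb5_cc_destroy() releases.  It is cleared
 * here so no dangling pointer survives the cache.
 */
void
krb5_cleanup_proc(Authctxt *authctxt)
{
	debug("krb5_cleanup_proc called");
	if (authctxt->krb5_fwd_ccache) {
		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
		authctxt->krb5_fwd_ccache = NULL;
		/* The name pointer came from this cache; it is invalid now. */
		authctxt->krb5_ticket_file = NULL;
	}
	if (authctxt->krb5_user) {
		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
		authctxt->krb5_user = NULL;
	}
	/* Context goes last: the calls above still need it. */
	if (authctxt->krb5_ctx) {
		krb5_free_context(authctxt->krb5_ctx);
		authctxt->krb5_ctx = NULL;
	}
}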
164 
165 #endif /* KRB5 */