xref: /openbsd/usr.bin/ssh/auth-krb5.c (revision e5dd7070) 
1 /* $OpenBSD: auth-krb5.c,v 1.23 2018/07/09 21:35:50 markus Exp $ */
2 /*
3  *    Kerberos v5 authentication and ticket-passing routines.
4  *
5  * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
6  */
7 /*
8  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 #include <sys/types.h>
32 #include <pwd.h>
33 #include <stdarg.h>
34 
35 #include "xmalloc.h"
36 #include "ssh.h"
37 #include "packet.h"
38 #include "log.h"
39 #include "sshbuf.h"
40 #include "sshkey.h"
41 #include "servconf.h"
42 #include "uidswap.h"
43 #include "hostfile.h"
44 #include "auth.h"
45 
46 #ifdef KRB5
47 #include <krb5.h>
48 
49 extern ServerOptions	 options;
50 
51 static int
52 krb5_init(void *context)
53 {
54 	Authctxt *authctxt = (Authctxt *)context;
55 	krb5_error_code problem;
56 
57 	if (authctxt->krb5_ctx == NULL) {
58 		problem = krb5_init_context(&authctxt->krb5_ctx);
59 		if (problem)
60 			return (problem);
61 		krb5_init_ets(authctxt->krb5_ctx);
62 	}
63 	return (0);
64 }
65 
66 int
67 auth_krb5_password(Authctxt *authctxt, const char *password)
68 {
69 	krb5_error_code problem;
70 	krb5_ccache ccache = NULL;
71 	const char *errmsg;
72 
73 	temporarily_use_uid(authctxt->pw);
74 
75 	problem = krb5_init(authctxt);
76 	if (problem)
77 		goto out;
78 
79 	problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
80 		    &authctxt->krb5_user);
81 	if (problem)
82 		goto out;
83 
84 	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
85 	     krb5_mcc_ops.prefix, NULL, &ccache);
86 	if (problem)
87 		goto out;
88 
89 	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
90 		authctxt->krb5_user);
91 	if (problem)
92 		goto out;
93 
94 	restore_uid();
95 
96 	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
97 	    ccache, password, 1, NULL);
98 
99 	temporarily_use_uid(authctxt->pw);
100 
101 	if (problem)
102 		goto out;
103 
104 	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
105 	     krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
106 	if (problem)
107 		goto out;
108 
109 	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
110 	    authctxt->krb5_fwd_ccache);
111 	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
112 	ccache = NULL;
113 	if (problem)
114 		goto out;
115 
116 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx,
117 	    authctxt->krb5_fwd_ccache);
118 
119  out:
120 	restore_uid();
121 
122 	if (problem) {
123 		if (ccache)
124 			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
125 
126 		if (authctxt->krb5_ctx != NULL) {
127 			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
128 			    problem);
129 			debug("Kerberos password authentication failed: %s",
130 			    errmsg);
131 			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
132 		} else
133 			debug("Kerberos password authentication failed: %d",
134 			    problem);
135 
136 		krb5_cleanup_proc(authctxt);
137 
138 		if (options.kerberos_or_local_passwd)
139 			return (-1);
140 		else
141 			return (0);
142 	}
143 	return (authctxt->valid ? 1 : 0);
144 }
145 
146 void
147 krb5_cleanup_proc(Authctxt *authctxt)
148 {
149 	debug("krb5_cleanup_proc called");
150 	if (authctxt->krb5_fwd_ccache) {
151 		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
152 		authctxt->krb5_fwd_ccache = NULL;
153 	}
154 	if (authctxt->krb5_user) {
155 		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
156 		authctxt->krb5_user = NULL;
157 	}
158 	if (authctxt->krb5_ctx) {
159 		krb5_free_context(authctxt->krb5_ctx);
160 		authctxt->krb5_ctx = NULL;
161 	}
162 }
163 
164 #endif /* KRB5 */
165