xref: /openbsd/usr.bin/ssh/gss-serv-krb5.c (revision e5dd7070) 
1 /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */
2 
3 /*
4  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26 
27 #ifdef GSSAPI
28 #ifdef KRB5
29 
30 #include <sys/types.h>
31 
32 #include "xmalloc.h"
33 #include "sshkey.h"
34 #include "hostfile.h"
35 #include "auth.h"
36 #include "log.h"
37 
38 #include "ssh-gss.h"
39 
40 #include <krb5.h>
41 #include <gssapi/gssapi_krb5.h>
42 
43 static krb5_context krb_context = NULL;
44 
45 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
46 
47 static int
48 ssh_gssapi_krb5_init(void)
49 {
50 	krb5_error_code problem;
51 
52 	if (krb_context != NULL)
53 		return 1;
54 
55 	problem = krb5_init_context(&krb_context);
56 	if (problem) {
57 		logit("Cannot initialize krb5 context");
58 		return 0;
59 	}
60 	krb5_init_ets(krb_context);
61 
62 	return 1;
63 }
64 
65 /* Check if this user is OK to login. This only works with krb5 - other
66  * GSSAPI mechanisms will need their own.
67  * Returns true if the user is OK to log in, otherwise returns 0
68  */
69 
70 static int
71 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
72 {
73 	krb5_principal princ;
74 	int retval;
75 	const char *errmsg;
76 
77 	if (ssh_gssapi_krb5_init() == 0)
78 		return 0;
79 
80 	if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
81 	    &princ))) {
82 		errmsg = krb5_get_error_message(krb_context, retval);
83 		logit("krb5_parse_name(): %.100s", errmsg);
84 		krb5_free_error_message(krb_context, errmsg);
85 		return 0;
86 	}
87 	if (krb5_kuserok(krb_context, princ, name)) {
88 		retval = 1;
89 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
90 		    name, (char *)client->displayname.value);
91 	} else
92 		retval = 0;
93 
94 	krb5_free_principal(krb_context, princ);
95 	return retval;
96 }
97 
98 
99 /* This writes out any forwarded credentials from the structure populated
100  * during userauth. Called after we have setuid to the user */
101 
102 static void
103 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
104 {
105 	krb5_ccache ccache;
106 	krb5_error_code problem;
107 	krb5_principal princ;
108 	OM_uint32 maj_status, min_status;
109 	const char *errmsg;
110 
111 	if (client->creds == NULL) {
112 		debug("No credentials stored");
113 		return;
114 	}
115 
116 	if (ssh_gssapi_krb5_init() == 0)
117 		return;
118 
119 	if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
120 	    NULL, &ccache)) != 0) {
121 		errmsg = krb5_get_error_message(krb_context, problem);
122 		logit("krb5_cc_new_unique(): %.100s", errmsg);
123 		krb5_free_error_message(krb_context, errmsg);
124 		return;
125 	}
126 
127 	if ((problem = krb5_parse_name(krb_context,
128 	    client->exportedname.value, &princ))) {
129 		errmsg = krb5_get_error_message(krb_context, problem);
130 		logit("krb5_parse_name(): %.100s", errmsg);
131 		krb5_free_error_message(krb_context, errmsg);
132 		krb5_cc_destroy(krb_context, ccache);
133 		return;
134 	}
135 
136 	if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
137 		errmsg = krb5_get_error_message(krb_context, problem);
138 		logit("krb5_cc_initialize(): %.100s", errmsg);
139 		krb5_free_error_message(krb_context, errmsg);
140 		krb5_free_principal(krb_context, princ);
141 		krb5_cc_destroy(krb_context, ccache);
142 		return;
143 	}
144 
145 	krb5_free_principal(krb_context, princ);
146 
147 	if ((maj_status = gss_krb5_copy_ccache(&min_status,
148 	    client->creds, ccache))) {
149 		logit("gss_krb5_copy_ccache() failed");
150 		krb5_cc_destroy(krb_context, ccache);
151 		return;
152 	}
153 
154 	client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
155 	client->store.envvar = "KRB5CCNAME";
156 	client->store.envval = xstrdup(client->store.filename);
157 
158 	krb5_cc_close(krb_context, ccache);
159 
160 	return;
161 }
162 
163 ssh_gssapi_mech gssapi_kerberos_mech = {
164 	"toWM5Slw5Ew8Mqkay+al2g==",
165 	"Kerberos",
166 	{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
167 	NULL,
168 	&ssh_gssapi_krb5_userok,
169 	NULL,
170 	&ssh_gssapi_krb5_storecreds
171 };
172 
173 #endif /* KRB5 */
174 
175 #endif /* GSSAPI */
176