auth-krb4.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* Copyright (c) 1999 Dug Song. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $");
#pragma ident "%Z%%M% %I% %E% SMI"
#include "ssh.h"
#include "ssh1.h"
#include "packet.h"
#include "xmalloc.h"
#include "log.h"
#include "servconf.h"
#include "uidswap.h"
#include "auth.h"
#ifdef AFS
#include "radix.h"
#endif
#ifdef KRB4
extern ServerOptions options;
/*
 * Ticket-file setup helper: returns 1 on success and 0 on failure.
 * NOTE(review): the line carrying this function's name and parameters, and
 * the statements that create and inspect the ticket file, are missing from
 * this listing. The comments below describe only what is visible.
 */
static int
{
/*
 * Guards the cleanup registration below so it happens at most once until
 * the failure path resets the flag.
 */
static int cleanup_registered = 0;
int fd;
if (!authctxt->krb4_ticket_file) {
/* Set unique ticket string manually since we're still root. */
#ifdef AFS
tkt_root = "/ticket/";
#endif /* AFS */
}
/* Register ticket cleanup in case of fatal error. */
if (!cleanup_registered) {
cleanup_registered = 1;
}
/*
 * Try to create our ticket file.
 * NOTE(review): the create call is not shown. The comment above says this
 * code still runs as root, so confirm that the file is created exclusively,
 * with owner-only permissions, and that a pre-existing symlink at the
 * ticket path is never followed.
 */
return (1);
}
/*
 * Ticket file exists - make sure user owns it (just passed ticket).
 * NOTE(review): the ownership test is not shown; confirm it inspects the
 * path without following symlinks and checks the file type as well as the
 * owner before the ticket is trusted.
 */
return (1);
}
/* Failure - cancel cleanup function, leaving ticket for inspection. */
cleanup_registered = 0;
return (0);
}
/*
 * Try krb4 password authentication.
 * Returns 1 on success, 0 on failure, -1 if krb4 is not available (the
 * final comment in the body describes -1 as the fall-back to ordinary
 * passwd authentication).
 *
 * Every verification failure visible here jumps to the failure label, so a
 * TGT that cannot be checked against a local service ticket is rejected
 * rather than accepted.
 *
 * NOTE(review): the function name, its parameters, the failure label and a
 * number of statements are missing from this listing; several conditions
 * below appear without the calls that set r.
 */
int
{
int r;
return (0);
/*
 * Try Kerberos password authentication only for non-root
 * users and only if Kerberos is installed.
 */
/* Set up our ticket file. */
log("Couldn't initialize Kerberos ticket file for %s!",
goto failure;
}
/* Try to get TGT using our password. */
if (r != INTK_OK) {
debug("Kerberos v4 password authentication for %s "
goto failure;
}
/* Successful authentication. */
/*
 * Now that we have a TGT, try to get a local
 * "rcmd" ticket to ensure that we are not talking
 * to a bogus Kerberos server.
 */
sizeof(phost));
/*
 * NOTE(review): the statements between this test and the log call are
 * missing from the listing. The else-if chain further down treats
 * KDC_PR_UNKNOWN and all other codes as failures, so r == KSUCCESS is
 * presumably the path on which the service ticket was obtained, not an
 * error - confirm against the full file.
 */
if (r == KSUCCESS) {
log("Couldn't get local host address!");
goto failure;
}
sizeof(faddr));
/* Verify our "rcmd" ticket. */
if (r == RD_AP_UNDEC) {
/*
 * Probably didn't have a srvtab on
 * localhost. Disallow login.
 */
log("Kerberos v4 TGT for %s unverifiable, "
"no srvtab installed? krb_rd_req: %s",
goto failure;
} else if (r != KSUCCESS) {
log("Kerberos v4 %s ticket unverifiable: %s",
KRB4_SERVICE_NAME, krb_err_txt[r]);
goto failure;
}
} else if (r == KDC_PR_UNKNOWN) {
/*
 * Disallow login if no rcmd service exists, and
 * log the error.
 */
log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s "
goto failure;
} else {
/*
 * TGT is bad, forget it. Possibly spoofed!
 * NOTE(review): this event is reported through debug() while the
 * neighbouring verification failures use log(); confirm that a
 * possibly spoofed TGT is still recorded at the log level used in
 * production, since it is the signal a defender would want to alert on.
 */
debug("WARNING: Kerberos v4 TGT possibly spoofed "
goto failure;
}
/* Authentication succeeded. */
return (1);
} else
/* Logging in as root or no local Kerberos realm. */
debug("Unable to authenticate to Kerberos.");
return (0);
/* Fall back to ordinary passwd authentication. */
return (-1);
}
/*
 * Cleanup hook: destroys the Kerberos v4 ticket via dest_tkt() when the
 * authentication context records a ticket file.
 * NOTE(review): authctxt is not declared in the visible lines; presumably
 * it is derived from the context argument - confirm against the full file.
 */
void
krb4_cleanup_proc(void *context)
{
debug("krb4_cleanup_proc called");
if (authctxt->krb4_ticket_file) {
/*
 * The result is explicitly discarded. NOTE(review): if the destroy call
 * fails, nothing visible here logs it, so a ticket could remain on disk
 * without any trace in the logs.
 */
(void) dest_tkt();
}
}
/*
 * Kerberos v4 ticket authentication over the current connection: returns 1
 * on success and 0 when the request cannot be read or ~/.klogin
 * authorization fails.
 * NOTE(review): the function name, its parameters and most of the calls
 * are missing from this listing; the comments describe only what is
 * visible.
 */
int
{
int r, s;
/* Descriptor of the incoming side of the connection. */
s = packet_get_connection_in();
}
/* NOTE(review): "*" is presumably a wildcard instance - confirm. */
instance[0] = '*';
instance[1] = 0;
/* Get the encrypted request, challenge, and session key. */
0, &adat, ""))) {
return (0);
}
/* Check ~/.klogin authorization now. */
log("Kerberos v4 .klogin authorization failed for %s to "
return (0);
}
/* Increment the checksum, and return it encrypted with the
session key. */
/* If we can't successfully encrypt the checksum, we send back an
empty message, admitting our failure. */
} else
/*
 * Clear session key.
 * NOTE(review): the clearing statement is not visible. As listed, the
 * .klogin rejection above returns before this point, so confirm that the
 * session key is wiped on that path too, and that the wipe uses a call the
 * compiler cannot optimize away.
 */
return (1);
}
#endif /* KRB4 */
#ifdef AFS
/*
 * Handles a Kerberos v4 TGT passed by the client (AFS builds only): returns
 * 1 when the TGT is accepted and saved, 0 on any failure.
 * Both exits call restore_uid() before returning.
 * NOTE(review): the function name, its parameters, the failure label and
 * the conditions guarding each goto are missing from this listing. The
 * matching privilege switch that restore_uid() undoes is not visible
 * either; confirm that no path reaches restore_uid() without it.
 */
int
{
goto failure;
log("Protocol error decoding Kerberos v4 TGT");
goto failure;
}
log("Kerberos v4 TGT (%s%s%s@%s) rejected for %s",
goto failure;
}
goto failure;
goto failure;
debug("Kerberos v4 TGT refused: couldn't save credentials");
goto failure;
}
/* Successful authentication, passed all checks. */
debug("Kerberos v4 TGT accepted (%s%s%s@%s)",
restore_uid();
return (1);
/* Failure exit: identity is restored before reporting the rejection. */
restore_uid();
return (0);
}
/*
 * Handles an AFS token passed by the client (AFS builds only): returns 1
 * when the token is accepted and 0 on every rejection path visible here.
 * NOTE(review): the function name, its parameters and the decoding and
 * validation statements are missing from this listing.
 */
int
{
return (0);
log("Protocol error decoding AFS token");
return (0);
}
else
log("AFS token (%s@%s) rejected for %s",
return (0);
}
/* Reached only when none of the rejection paths above returned. */
return (1);
}
#endif /* AFS */