search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VM: simplify slab allocator
[minix.git] / usr.bin / login / k5login.c
blob5d2f6a12fd85c664d3b69c185b2a8e3f1273855b
1 /* $NetBSD: k5login.c,v 1.27 2006/03/23 23:33:28 wiz Exp $ */
2
3 /*-
4 * Copyright (c) 1990 The Regents of the University of California.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 /*
33 * Copyright (c) 1980, 1987, 1988 The Regents of the University of California.
34 * All rights reserved.
35 *
36 * Redistribution and use in source and binary forms are permitted
37 * provided that the above copyright notice and this paragraph are
38 * duplicated in all such forms and that any documentation,
39 * advertising materials, and other materials related to such
40 * distribution and use acknowledge that the software was developed
41 * by the University of California, Berkeley. The name of the
42 * University may not be used to endorse or promote products derived
43 * from this software without specific prior written permission.
44 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
45 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
46 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
47 */
48
49 #include <sys/cdefs.h>
50 #ifndef lint
51 #if 0
52 static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92";
53 #endif
54 __RCSID("$NetBSD: k5login.c,v 1.27 2006/03/23 23:33:28 wiz Exp $");
55 #endif /* not lint */
56
57 #ifdef KERBEROS5
58 #include <sys/param.h>
59 #include <sys/syslog.h>
60 #include <krb5/krb5.h>
61 #include <pwd.h>
62 #include <netdb.h>
63 #include <stdio.h>
64 #include <stdlib.h>
65 #include <string.h>
66 #include <unistd.h>
67 #include <errno.h>
68
69 #define KRB5_DEFAULT_OPTIONS 0
70 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
71
72 krb5_context kcontext;
73
74 int notickets;
75 int krb5_configured;
76 char *krb5tkfile_env;
77 extern char *tty;
78 extern int login_krb5_forwardable_tgt;
79 extern int has_ccache;
80
81 static char tkt_location[MAXPATHLEN];
82 static krb5_creds forw_creds;
83 int have_forward;
84 static krb5_principal me, server;
85
86 int k5_read_creds(char *);
87 int k5_write_creds(void);
88 int k5_verify_creds(krb5_context, krb5_ccache);
89 int k5login(struct passwd *, char *, char *, char *);
90 void k5destroy(void);
91
92 #ifndef krb5_realm_length
93 #define krb5_realm_length(r) ((r).length)
94 #endif
95 #ifndef krb5_realm_data
96 #define krb5_realm_data(r) ((r).data)
97 #endif
98
99 /*
100 * Verify the Kerberos ticket-granting ticket just retrieved for the
101 * user. If the Kerberos server doesn't respond, assume the user is
102 * trying to fake us out (since we DID just get a TGT from what is
103 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
104 * the local keytab doesn't have it), let her in.
105 *
106 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
107 */
108 int
109 k5_verify_creds(krb5_context c, krb5_ccache ccache)
110 {
111 char phost[MAXHOSTNAMELEN];
112 int retval, have_keys;
113 krb5_principal princ;
114 krb5_keyblock *kb = 0;
115 krb5_error_code kerror;
116 krb5_data packet;
117 krb5_auth_context auth_context = NULL;
118 krb5_ticket *ticket = NULL;
119
120 kerror = krb5_sname_to_principal(c, 0, 0, KRB5_NT_SRV_HST, &princ);
121 if (kerror) {
122 krb5_warn(kcontext, kerror, "constructing local service name");
123 return (-1);
124 }
125
126 /* Do we have host/<host> keys? */
127 /* (use default keytab, kvno IGNORE_VNO to get the first match,
128 * and default enctype.) */
129 kerror = krb5_kt_read_service_key(c, NULL, princ, 0, 0, &kb);
130 if (kb)
131 krb5_free_keyblock(c, kb);
132 /* any failure means we don't have keys at all. */
133 have_keys = kerror ? 0 : 1;
134
135 /* XXX there should be a krb5 function like mk_req, but taking a full
136 * principal, instead of a service/hostname. (Did I miss one?) */
137 gethostname(phost, sizeof(phost));
138 phost[sizeof(phost) - 1] = '\0';
139
140 /* talk to the kdc and construct the ticket */
141 kerror = krb5_mk_req(c, &auth_context, 0, "host", phost,
142 0, ccache, &packet);
143 /* wipe the auth context for rd_req */
144 if (auth_context) {
145 krb5_auth_con_free(c, auth_context);
146 auth_context = NULL;
147 }
148 if (kerror == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
149 /* we have a service key, so something should be
150 * in the database, therefore this error packet could
151 * have come from an attacker. */
152 if (have_keys) {
153 retval = -1;
154 goto EGRESS;
155 }
156 /* but if it is unknown and we've got no key, we don't
157 * have any security anyhow, so it is ok. */
158 else {
159 retval = 0;
160 goto EGRESS;
161 }
162 }
163 else if (kerror) {
164 krb5_warn(kcontext, kerror,
165 "Unable to verify Kerberos V5 TGT: %s", phost);
166 syslog(LOG_NOTICE, "Kerberos V5 TGT bad: %s",
167 krb5_get_err_text(kcontext, kerror));
168 retval = -1;
169 goto EGRESS;
170 }
171 /* got ticket, try to use it */
172 kerror = krb5_rd_req(c, &auth_context, &packet,
173 princ, NULL, NULL, &ticket);
174 if (kerror) {
175 if (!have_keys) {
176 /* The krb5 errors aren't specified well, but I think
177 * these values cover the cases we expect. */
178 switch (kerror) {
179 case ENOENT: /* no keytab */
180 case KRB5_KT_NOTFOUND:
181 retval = 0;
182 break;
183 default:
184 /* unexpected error: fail */
185 retval = -1;
186 break;
187 }
188 }
189 else {
190 /* we have keys, so if we got any error, we could be
191 * under attack. */
192 retval = -1;
193 }
194 krb5_warn(kcontext, kerror, "Unable to verify host ticket");
195 syslog(LOG_NOTICE, "can't verify v5 ticket: %s; %s\n",
196 krb5_get_err_text(kcontext, kerror),
197 retval
198 ? "keytab found, assuming failure"
199 : "no keytab found, assuming success");
200 goto EGRESS;
201 }
202 /*
203 * The host/<host> ticket has been received _and_ verified.
204 */
205 retval = 1;
206
207 /* do cleanup and return */
208 EGRESS:
209 if (auth_context)
210 krb5_auth_con_free(c, auth_context);
211 krb5_free_principal(c, princ);
212 /* possibly ticket and packet need freeing here as well */
213 return (retval);
214 }
215
216 /*
217 * Attempt to read forwarded kerberos creds
218 *
219 * return 0 on success (forwarded creds in memory)
220 * 1 if no forwarded creds.
221 */
222 int
223 k5_read_creds(char *username)
224 {
225 krb5_error_code kerror;
226 krb5_creds mcreds;
227 krb5_ccache ccache;
228
229 have_forward = 0;
230 memset((char*) &mcreds, 0, sizeof(forw_creds));
231 memset((char*) &forw_creds, 0, sizeof(forw_creds));
232
233 kerror = krb5_cc_default(kcontext, &ccache);
234 if (kerror) {
235 krb5_warn(kcontext, kerror, "while getting default ccache");
236 return(1);
237 }
238
239 kerror = krb5_parse_name(kcontext, username, &me);
240 if (kerror) {
241 krb5_warn(kcontext, kerror, "when parsing name %s", username);
242 return(1);
243 }
244
245 mcreds.client = me;
246 kerror = krb5_build_principal_ext(kcontext, &mcreds.server,
247 krb5_realm_length(*krb5_princ_realm(kcontext, me)),
248 krb5_realm_data(*krb5_princ_realm(kcontext, me)),
249 KRB5_TGS_NAME_SIZE,
250 KRB5_TGS_NAME,
251 krb5_realm_length(*krb5_princ_realm(kcontext, me)),
252 krb5_realm_data(*krb5_princ_realm(kcontext, me)),
253 0);
254 if (kerror) {
255 krb5_warn(kcontext, kerror, "while building server name");
256 goto nuke_ccache;
257 }
258
259 kerror = krb5_cc_retrieve_cred(kcontext, ccache, 0,
260 &mcreds, &forw_creds);
261 if (kerror) {
262 krb5_warn(kcontext, kerror,
263 "while retrieving V5 initial ticket for copy");
264 goto nuke_ccache;
265 }
266
267 have_forward = 1;
268
269 strlcpy(tkt_location, getenv("KRB5CCNAME"), sizeof(tkt_location));
270 krb5tkfile_env = tkt_location;
271 has_ccache = 1;
272 notickets = 0;
273
274 nuke_ccache:
275 krb5_cc_destroy(kcontext, ccache);
276 return(!have_forward);
277 }
278
279 int
280 k5_write_creds(void)
281 {
282 krb5_error_code kerror;
283 krb5_ccache ccache;
284
285 if (!have_forward)
286 return (1);
287
288 kerror = krb5_cc_default(kcontext, &ccache);
289 if (kerror) {
290 krb5_warn(kcontext, kerror, "while getting default ccache");
291 return (1);
292 }
293
294 kerror = krb5_cc_initialize(kcontext, ccache, me);
295 if (kerror) {
296 krb5_warn(kcontext, kerror,
297 "while re-initializing V5 ccache as user");
298 goto nuke_ccache_contents;
299 }
300
301 kerror = krb5_cc_store_cred(kcontext, ccache, &forw_creds);
302 if (kerror) {
303 krb5_warn(kcontext, kerror,
304 "while re-storing V5 ccache as user");
305 goto nuke_ccache_contents;
306 }
307
308 nuke_ccache_contents:
309 krb5_free_cred_contents(kcontext, &forw_creds);
310 return (kerror != 0);
311 }
312
313 /*
314 * Attempt to log the user in using Kerberos authentication
315 *
316 * return 0 on success (will be logged in)
317 * 1 if Kerberos failed (try local password in login)
318 */
319 int
320 k5login(struct passwd *pw, char *instance, char *localhost, char *password)
321 {
322 krb5_error_code kerror;
323 krb5_creds my_creds;
324 krb5_timestamp now;
325 krb5_ccache ccache = NULL;
326 long lifetime = KRB5_DEFAULT_LIFE;
327 int options = KRB5_DEFAULT_OPTIONS;
328 char *realm, *client_name;
329 char *principal;
330
331 krb5_configured = 1;
332
333 if (login_krb5_forwardable_tgt)
334 options |= KDC_OPT_FORWARDABLE;
335
336 /*
337 * Root logins don't use Kerberos.
338 * If we have a realm, try getting a ticket-granting ticket
339 * and using it to authenticate. Otherwise, return
340 * failure so that we can try the normal passwd file
341 * for a password. If that's ok, log the user in
342 * without issuing any tickets.
343 */
344 if (strcmp(pw->pw_name, "root") == 0 ||
345 krb5_get_default_realm(kcontext, &realm)) {
346 krb5_configured = 0;
347 return (1);
348 }
349
350 /*
351 * get TGT for local realm
352 * tickets are stored in a file named TKT_ROOT plus uid
353 * except for user.root tickets.
354 */
355
356 if (strcmp(instance, "root") != 0)
357 (void)snprintf(tkt_location, sizeof tkt_location,
358 "FILE:/tmp/krb5cc_%d.%s", pw->pw_uid, tty);
359 else
360 (void)snprintf(tkt_location, sizeof tkt_location,
361 "FILE:/tmp/krb5cc_root_%d.%s", pw->pw_uid, tty);
362 krb5tkfile_env = tkt_location;
363 has_ccache = 1;
364
365 if (strlen(instance))
366 asprintf(&principal, "%s/%s", pw->pw_name, instance);
367 else
368 principal = strdup(pw->pw_name);
369 if (!principal) {
370 syslog(LOG_NOTICE, "fatal: %s", strerror(errno));
371 return (1);
372 }
373
374 if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) {
375 syslog(LOG_NOTICE, "warning: %s while getting default ccache",
376 krb5_get_err_text(kcontext, kerror));
377 return (1);
378 }
379
380 if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) {
381 syslog(LOG_NOTICE, "warning: %s when parsing name %s",
382 krb5_get_err_text(kcontext, kerror), principal);
383 return (1);
384 }
385
386 if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) {
387 syslog(LOG_NOTICE, "warning: %s when unparsing name %s",
388 krb5_get_err_text(kcontext, kerror), principal);
389 return (1);
390 }
391
392 kerror = krb5_cc_initialize(kcontext, ccache, me);
393 if (kerror != 0) {
394 syslog(LOG_NOTICE, "%s when initializing cache %s",
395 krb5_get_err_text(kcontext, kerror), tkt_location);
396 return (1);
397 }
398
399 memset((char *)&my_creds, 0, sizeof(my_creds));
400
401 my_creds.client = me;
402
403 if ((kerror = krb5_build_principal_ext(kcontext,
404 &server,
405 krb5_realm_length(*krb5_princ_realm(kcontext, me)),
406 krb5_realm_data(*krb5_princ_realm(kcontext, me)),
407 KRB5_TGS_NAME_SIZE,
408 KRB5_TGS_NAME,
409 krb5_realm_length(*krb5_princ_realm(kcontext, me)),
410 krb5_realm_data(*krb5_princ_realm(kcontext, me)),
411 0)) != 0) {
412 syslog(LOG_NOTICE, "%s while building server name",
413 krb5_get_err_text(kcontext, kerror));
414 return (1);
415 }
416
417 my_creds.server = server;
418
419 if ((kerror = krb5_timeofday(kcontext, &now)) != 0) {
420 syslog(LOG_NOTICE, "%s while getting time of day",
421 krb5_get_err_text(kcontext, kerror));
422 return (1);
423 }
424
425 my_creds.times.starttime = 0; /* start timer when request
426 gets to KDC */
427 my_creds.times.endtime = now + lifetime;
428 my_creds.times.renew_till = 0;
429
430 kerror = krb5_get_in_tkt_with_password(kcontext, options,
431 NULL,
432 NULL,
433 NULL,
434 password,
435 ccache,
436 &my_creds, 0);
437
438 if (my_creds.server != NULL)
439 krb5_free_principal(kcontext, my_creds.server);
440
441 if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0)
442 syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]);
443
444 if (kerror) {
445 if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY)
446 printf("%s: Kerberos Password incorrect\n", principal);
447 else
448 krb5_warn(kcontext, kerror,
449 "while getting initial credentials");
450
451 return (1);
452 }
453
454 if (k5_verify_creds(kcontext, ccache) < 0)
455 return (1);
456
457 /* Success */
458 notickets = 0;
459 return (0);
460 }
461
462 /*
463 * Remove any credentials
464 */
465 void
466 k5destroy(void)
467 {
468 krb5_error_code kerror;
469 krb5_ccache ccache = NULL;
470
471 if (krb5tkfile_env == NULL)
472 return;
473
474 kerror = krb5_cc_resolve(kcontext, krb5tkfile_env, &ccache);
475 if (kerror == 0)
476 (void)krb5_cc_destroy(kcontext, ccache);
477 }
478 #endif /* KERBEROS5 */
MINIX 3 (repo.or.cz mirror)