search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / external / bsd / openssh / dist / gss-serv-krb5.c
blob1ae7c5afbe4b3795b0f60702e9aaa780cec83a76
1 /* $NetBSD$ */
2 /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
3
4 /*
5 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28 #include "includes.h"
29 __RCSID("$NetBSD: gss-serv-krb5.c,v 1.4 2006/09/28 21:22:14 christos Exp $");
30 #ifdef GSSAPI
31 #ifdef KRB5
32
33 #include <sys/types.h>
34
35 #include <stdarg.h>
36 #include <string.h>
37
38 #include "xmalloc.h"
39 #include "key.h"
40 #include "hostfile.h"
41 #include "auth.h"
42 #include "log.h"
43
44 #include "buffer.h"
45 #include "servconf.h"
46 #include "ssh-gss.h"
47
48 extern ServerOptions options;
49
50 #ifdef HEIMDAL
51 # include <krb5.h>
52 #else
53 # ifdef HAVE_GSSAPI_KRB5_H
54 # include <gssapi_krb5.h>
55 # elif HAVE_GSSAPI_GSSAPI_KRB5_H
56 # include <gssapi/gssapi_krb5.h>
57 # endif
58 #endif
59
60 static krb5_context krb_context = NULL;
61
62 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
63
64 static int
65 ssh_gssapi_krb5_init(void)
66 {
67 krb5_error_code problem;
68
69 if (krb_context != NULL)
70 return 1;
71
72 problem = krb5_init_context(&krb_context);
73 if (problem) {
74 logit("Cannot initialize krb5 context");
75 return 0;
76 }
77 #ifdef isneeded
78 krb5_init_ets(krb_context);
79 #endif
80
81 return 1;
82 }
83
84 /* Check if this user is OK to login. This only works with krb5 - other
85 * GSSAPI mechanisms will need their own.
86 * Returns true if the user is OK to log in, otherwise returns 0
87 */
88
89 static int
90 ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
91 {
92 krb5_principal princ;
93 int retval;
94
95 if (ssh_gssapi_krb5_init() == 0)
96 return 0;
97
98 if ((retval = krb5_parse_name(krb_context, client->exportedname.value,
99 &princ))) {
100 logit("krb5_parse_name(): %.100s",
101 krb5_get_err_text(krb_context, retval));
102 return 0;
103 }
104 if (krb5_kuserok(krb_context, princ, name)) {
105 retval = 1;
106 logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
107 name, (char *)client->displayname.value);
108 } else
109 retval = 0;
110
111 krb5_free_principal(krb_context, princ);
112 return retval;
113 }
114
115
116 /* This writes out any forwarded credentials from the structure populated
117 * during userauth. Called after we have setuid to the user */
118
119 static void
120 ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
121 {
122 krb5_ccache ccache;
123 krb5_error_code problem;
124 krb5_principal princ;
125 OM_uint32 maj_status, min_status;
126 int len;
127
128 if (client->creds == NULL) {
129 debug("No credentials stored");
130 return;
131 }
132
133 if (ssh_gssapi_krb5_init() == 0)
134 return;
135
136 #ifdef HEIMDAL
137 if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
138 logit("krb5_cc_gen_new(): %.100s",
139 krb5_get_err_text(krb_context, problem));
140 return;
141 }
142 #else
143 if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
144 logit("ssh_krb5_cc_gen(): %.100s",
145 krb5_get_err_text(krb_context, problem));
146 return;
147 }
148 #endif /* #ifdef HEIMDAL */
149
150 if ((problem = krb5_parse_name(krb_context,
151 client->exportedname.value, &princ))) {
152 logit("krb5_parse_name(): %.100s",
153 krb5_get_err_text(krb_context, problem));
154 krb5_cc_destroy(krb_context, ccache);
155 return;
156 }
157
158 if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
159 logit("krb5_cc_initialize(): %.100s",
160 krb5_get_err_text(krb_context, problem));
161 krb5_free_principal(krb_context, princ);
162 krb5_cc_destroy(krb_context, ccache);
163 return;
164 }
165
166 krb5_free_principal(krb_context, princ);
167
168 if ((maj_status = gss_krb5_copy_ccache(&min_status,
169 client->creds, ccache))) {
170 logit("gss_krb5_copy_ccache() failed");
171 krb5_cc_destroy(krb_context, ccache);
172 return;
173 }
174
175 client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
176 client->store.envvar = "KRB5CCNAME";
177 len = strlen(client->store.filename) + 6;
178 client->store.envval = xmalloc(len);
179 snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
180
181 #ifdef USE_PAM
182 if (options.use_pam)
183 do_pam_putenv(client->store.envvar, client->store.envval);
184 #endif
185
186 krb5_cc_close(krb_context, ccache);
187
188 return;
189 }
190
191 ssh_gssapi_mech gssapi_kerberos_mech = {
192 "toWM5Slw5Ew8Mqkay+al2g==",
193 "Kerberos",
194 {9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
195 NULL,
196 &ssh_gssapi_krb5_userok,
197 NULL,
198 &ssh_gssapi_krb5_storecreds
199 };
200
201 #endif /* KRB5 */
202
203 #endif /* GSSAPI */
NetBSD on the FriendlyARM MINI2440