1 /* 2 * Copyright (c) 1999 Dug Song. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25 #include "includes.h" 26 RCSID("$OpenBSD: auth-krb4.c,v 1.28 2002/09/26 11:38:43 markus Exp $"); 27 28 #pragma ident "%Z%%M% %I% %E% SMI" 29 30 #include "ssh.h" 31 #include "ssh1.h" 32 #include "packet.h" 33 #include "xmalloc.h" 34 #include "log.h" 35 #include "servconf.h" 36 #include "uidswap.h" 37 #include "auth.h" 38 39 #ifdef AFS 40 #include "radix.h" 41 #endif 42 43 #ifdef KRB4 44 extern ServerOptions options; 45 46 static int 47 krb4_init(void *context) 48 { 49 static int cleanup_registered = 0; 50 Authctxt *authctxt = (Authctxt *)context; 51 const char *tkt_root = TKT_ROOT; 52 struct stat st; 53 int fd; 54 55 if (!authctxt->krb4_ticket_file) { 56 /* Set unique ticket string manually since we're still root. */ 57 authctxt->krb4_ticket_file = xmalloc(MAXPATHLEN); 58 #ifdef AFS 59 if (lstat("/ticket", &st) != -1) 60 tkt_root = "/ticket/"; 61 #endif /* AFS */ 62 snprintf(authctxt->krb4_ticket_file, MAXPATHLEN, "%s%u_%ld", 63 tkt_root, authctxt->pw->pw_uid, (long)getpid()); 64 krb_set_tkt_string(authctxt->krb4_ticket_file); 65 } 66 /* Register ticket cleanup in case of fatal error. */ 67 if (!cleanup_registered) { 68 fatal_add_cleanup(krb4_cleanup_proc, authctxt); 69 cleanup_registered = 1; 70 } 71 /* Try to create our ticket file. */ 72 if ((fd = mkstemp(authctxt->krb4_ticket_file)) != -1) { 73 close(fd); 74 return (1); 75 } 76 /* Ticket file exists - make sure user owns it (just passed ticket). */ 77 if (lstat(authctxt->krb4_ticket_file, &st) != -1) { 78 if (st.st_mode == (S_IFREG | S_IRUSR | S_IWUSR) && 79 st.st_uid == authctxt->pw->pw_uid) 80 return (1); 81 } 82 /* Failure - cancel cleanup function, leaving ticket for inspection. */ 83 log("WARNING: bad ticket file %s", authctxt->krb4_ticket_file); 84 85 fatal_remove_cleanup(krb4_cleanup_proc, authctxt); 86 cleanup_registered = 0; 87 88 xfree(authctxt->krb4_ticket_file); 89 authctxt->krb4_ticket_file = NULL; 90 91 return (0); 92 } 93 94 /* 95 * try krb4 authentication, 96 * return 1 on success, 0 on failure, -1 if krb4 is not available 97 */ 98 int 99 auth_krb4_password(Authctxt *authctxt, const char *password) 100 { 101 AUTH_DAT adata; 102 KTEXT_ST tkt; 103 struct hostent *hp; 104 struct passwd *pw; 105 char localhost[MAXHOSTNAMELEN], phost[INST_SZ], realm[REALM_SZ]; 106 u_int32_t faddr; 107 int r; 108 109 if ((pw = authctxt->pw) == NULL) 110 return (0); 111 112 /* 113 * Try Kerberos password authentication only for non-root 114 * users and only if Kerberos is installed. 115 */ 116 if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { 117 /* Set up our ticket file. */ 118 if (!krb4_init(authctxt)) { 119 log("Couldn't initialize Kerberos ticket file for %s!", 120 pw->pw_name); 121 goto failure; 122 } 123 /* Try to get TGT using our password. */ 124 r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, 125 "krbtgt", realm, DEFAULT_TKT_LIFE, (char *)password); 126 if (r != INTK_OK) { 127 debug("Kerberos v4 password authentication for %s " 128 "failed: %s", pw->pw_name, krb_err_txt[r]); 129 goto failure; 130 } 131 /* Successful authentication. */ 132 chown(tkt_string(), pw->pw_uid, pw->pw_gid); 133 134 /* 135 * Now that we have a TGT, try to get a local 136 * "rcmd" ticket to ensure that we are not talking 137 * to a bogus Kerberos server. 138 */ 139 gethostname(localhost, sizeof(localhost)); 140 strlcpy(phost, (char *)krb_get_phost(localhost), 141 sizeof(phost)); 142 r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); 143 144 if (r == KSUCCESS) { 145 if ((hp = gethostbyname(localhost)) == NULL) { 146 log("Couldn't get local host address!"); 147 goto failure; 148 } 149 memmove((void *)&faddr, (void *)hp->h_addr, 150 sizeof(faddr)); 151 152 /* Verify our "rcmd" ticket. */ 153 r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, 154 faddr, &adata, ""); 155 if (r == RD_AP_UNDEC) { 156 /* 157 * Probably didn't have a srvtab on 158 * localhost. Disallow login. 159 */ 160 log("Kerberos v4 TGT for %s unverifiable, " 161 "no srvtab installed? krb_rd_req: %s", 162 pw->pw_name, krb_err_txt[r]); 163 goto failure; 164 } else if (r != KSUCCESS) { 165 log("Kerberos v4 %s ticket unverifiable: %s", 166 KRB4_SERVICE_NAME, krb_err_txt[r]); 167 goto failure; 168 } 169 } else if (r == KDC_PR_UNKNOWN) { 170 /* 171 * Disallow login if no rcmd service exists, and 172 * log the error. 173 */ 174 log("Kerberos v4 TGT for %s unverifiable: %s; %s.%s " 175 "not registered, or srvtab is wrong?", pw->pw_name, 176 krb_err_txt[r], KRB4_SERVICE_NAME, phost); 177 goto failure; 178 } else { 179 /* 180 * TGT is bad, forget it. Possibly spoofed! 181 */ 182 debug("WARNING: Kerberos v4 TGT possibly spoofed " 183 "for %s: %s", pw->pw_name, krb_err_txt[r]); 184 goto failure; 185 } 186 /* Authentication succeeded. */ 187 return (1); 188 } else 189 /* Logging in as root or no local Kerberos realm. */ 190 debug("Unable to authenticate to Kerberos."); 191 192 failure: 193 krb4_cleanup_proc(authctxt); 194 195 if (!options.kerberos_or_local_passwd) 196 return (0); 197 198 /* Fall back to ordinary passwd authentication. */ 199 return (-1); 200 } 201 202 void 203 krb4_cleanup_proc(void *context) 204 { 205 Authctxt *authctxt = (Authctxt *)context; 206 debug("krb4_cleanup_proc called"); 207 if (authctxt->krb4_ticket_file) { 208 (void) dest_tkt(); 209 xfree(authctxt->krb4_ticket_file); 210 authctxt->krb4_ticket_file = NULL; 211 } 212 } 213 214 int 215 auth_krb4(Authctxt *authctxt, KTEXT auth, char **client, KTEXT reply) 216 { 217 AUTH_DAT adat = {0}; 218 Key_schedule schedule; 219 struct sockaddr_in local, foreign; 220 char instance[INST_SZ]; 221 socklen_t slen; 222 u_int cksum; 223 int r, s; 224 225 s = packet_get_connection_in(); 226 227 slen = sizeof(local); 228 memset(&local, 0, sizeof(local)); 229 if (getsockname(s, (struct sockaddr *) & local, &slen) < 0) 230 debug("getsockname failed: %.100s", strerror(errno)); 231 slen = sizeof(foreign); 232 memset(&foreign, 0, sizeof(foreign)); 233 if (getpeername(s, (struct sockaddr *) & foreign, &slen) < 0) { 234 debug("getpeername failed: %.100s", strerror(errno)); 235 fatal_cleanup(); 236 } 237 instance[0] = '*'; 238 instance[1] = 0; 239 240 /* Get the encrypted request, challenge, and session key. */ 241 if ((r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 242 0, &adat, ""))) { 243 debug("Kerberos v4 krb_rd_req: %.100s", krb_err_txt[r]); 244 return (0); 245 } 246 des_key_sched((des_cblock *) adat.session, schedule); 247 248 *client = xmalloc(MAX_K_NAME_SZ); 249 (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, 250 *adat.pinst ? "." : "", adat.pinst, adat.prealm); 251 252 /* Check ~/.klogin authorization now. */ 253 if (kuserok(&adat, authctxt->user) != KSUCCESS) { 254 log("Kerberos v4 .klogin authorization failed for %s to " 255 "account %s", *client, authctxt->user); 256 xfree(*client); 257 *client = NULL; 258 return (0); 259 } 260 /* Increment the checksum, and return it encrypted with the 261 session key. */ 262 cksum = adat.checksum + 1; 263 cksum = htonl(cksum); 264 265 /* If we can't successfully encrypt the checksum, we send back an 266 empty message, admitting our failure. */ 267 if ((r = krb_mk_priv((u_char *) & cksum, reply->dat, sizeof(cksum) + 1, 268 schedule, &adat.session, &local, &foreign)) < 0) { 269 debug("Kerberos v4 mk_priv: (%d) %s", r, krb_err_txt[r]); 270 reply->dat[0] = 0; 271 reply->length = 0; 272 } else 273 reply->length = r; 274 275 /* Clear session key. */ 276 memset(&adat.session, 0, sizeof(&adat.session)); 277 return (1); 278 } 279 #endif /* KRB4 */ 280 281 #ifdef AFS 282 int 283 auth_krb4_tgt(Authctxt *authctxt, const char *string) 284 { 285 CREDENTIALS creds; 286 struct passwd *pw; 287 288 if ((pw = authctxt->pw) == NULL) 289 goto failure; 290 291 temporarily_use_uid(pw); 292 293 if (!radix_to_creds(string, &creds)) { 294 log("Protocol error decoding Kerberos v4 TGT"); 295 goto failure; 296 } 297 if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ 298 strlcpy(creds.service, "krbtgt", sizeof creds.service); 299 300 if (strcmp(creds.service, "krbtgt")) { 301 log("Kerberos v4 TGT (%s%s%s@%s) rejected for %s", 302 creds.pname, creds.pinst[0] ? "." : "", creds.pinst, 303 creds.realm, pw->pw_name); 304 goto failure; 305 } 306 if (!krb4_init(authctxt)) 307 goto failure; 308 309 if (in_tkt(creds.pname, creds.pinst) != KSUCCESS) 310 goto failure; 311 312 if (save_credentials(creds.service, creds.instance, creds.realm, 313 creds.session, creds.lifetime, creds.kvno, &creds.ticket_st, 314 creds.issue_date) != KSUCCESS) { 315 debug("Kerberos v4 TGT refused: couldn't save credentials"); 316 goto failure; 317 } 318 /* Successful authentication, passed all checks. */ 319 chown(tkt_string(), pw->pw_uid, pw->pw_gid); 320 321 debug("Kerberos v4 TGT accepted (%s%s%s@%s)", 322 creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm); 323 memset(&creds, 0, sizeof(creds)); 324 325 restore_uid(); 326 327 return (1); 328 329 failure: 330 krb4_cleanup_proc(authctxt); 331 memset(&creds, 0, sizeof(creds)); 332 restore_uid(); 333 334 return (0); 335 } 336 337 int 338 auth_afs_token(Authctxt *authctxt, const char *token_string) 339 { 340 CREDENTIALS creds; 341 struct passwd *pw; 342 uid_t uid; 343 344 if ((pw = authctxt->pw) == NULL) 345 return (0); 346 347 if (!radix_to_creds(token_string, &creds)) { 348 log("Protocol error decoding AFS token"); 349 return (0); 350 } 351 if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ 352 strlcpy(creds.service, "afs", sizeof creds.service); 353 354 if (strncmp(creds.pname, "AFS ID ", 7) == 0) 355 uid = atoi(creds.pname + 7); 356 else 357 uid = pw->pw_uid; 358 359 if (kafs_settoken(creds.realm, uid, &creds)) { 360 log("AFS token (%s@%s) rejected for %s", 361 creds.pname, creds.realm, pw->pw_name); 362 memset(&creds, 0, sizeof(creds)); 363 return (0); 364 } 365 debug("AFS token accepted (%s@%s)", creds.pname, creds.realm); 366 memset(&creds, 0, sizeof(creds)); 367 368 return (1); 369 } 370 #endif /* AFS */