1
/* $OpenBSD: auth-krb5.c,v 1.24 2021/04/03 06:18:40 djm Exp $ */
2
/*
3
 *    Kerberos v5 authentication and ticket-passing routines.
4
 *
5
 * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
6
 */
7
/*
8
 * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
9
 *
10
 * Redistribution and use in source and binary forms, with or without
11
 * modification, are permitted provided that the following conditions
12
 * are met:
13
 * 1. Redistributions of source code must retain the above copyright
14
 *    notice, this list of conditions and the following disclaimer.
15
 * 2. Redistributions in binary form must reproduce the above copyright
16
 *    notice, this list of conditions and the following disclaimer in the
17
 *    documentation and/or other materials provided with the distribution.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
20
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
23
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
 */
30

31
#include "includes.h"
32

33
#include <sys/types.h>
34
#include <pwd.h>
35
#include <stdarg.h>
36

37
#include "xmalloc.h"
38
#include "ssh.h"
39
#include "packet.h"
40
#include "log.h"
41
#include "sshbuf.h"
42
#include "sshkey.h"
43
#include "misc.h"
44
#include "servconf.h"
45
#include "uidswap.h"
46
#include "hostfile.h"
47
#include "auth.h"
48

49
#ifdef KRB5
50
#include <errno.h>
51
#include <unistd.h>
52
#include <string.h>
53
#include <krb5.h>
54

55
extern ServerOptions	 options;
56

57
static int
58
krb5_init(void *context)
59
{
60
	Authctxt *authctxt = (Authctxt *)context;
61
	krb5_error_code problem;
62

63
	if (authctxt->krb5_ctx == NULL) {
64
		problem = krb5_init_context(&authctxt->krb5_ctx);
65
		if (problem)
66
			return (problem);
67
	}
68
	return (0);
69
}
70

71
int
72
auth_krb5_password(Authctxt *authctxt, const char *password)
73
{
74
#ifndef HEIMDAL
75
	krb5_creds creds;
76
	krb5_principal server;
77
#endif
78
	krb5_error_code problem;
79
	krb5_ccache ccache = NULL;
80
	int len;
81
	char *client, *platform_client;
82
	const char *errmsg;
83

84
	/* get platform-specific kerberos client principal name (if it exists) */
85
	platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
86
	client = platform_client ? platform_client : authctxt->pw->pw_name;
87

88
	temporarily_use_uid(authctxt->pw);
89

90
	problem = krb5_init(authctxt);
91
	if (problem)
92
		goto out;
93

94
	problem = krb5_parse_name(authctxt->krb5_ctx, client,
95
		    &authctxt->krb5_user);
96
	if (problem)
97
		goto out;
98

99
#ifdef HEIMDAL
100
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
101
	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
102
	    krb5_mcc_ops.prefix, NULL, &ccache);
103
# else
104
	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
105
# endif
106
	if (problem)
107
		goto out;
108

109
	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
110
		authctxt->krb5_user);
111
	if (problem)
112
		goto out;
113

114
	restore_uid();
115

116
	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
117
	    ccache, password, 1, NULL);
118

119
	temporarily_use_uid(authctxt->pw);
120

121
	if (problem)
122
		goto out;
123

124
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
125
	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
126
	    krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
127
# else
128
	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
129
	    &authctxt->krb5_fwd_ccache);
130
# endif
131
	if (problem)
132
		goto out;
133

134
	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
135
	    authctxt->krb5_fwd_ccache);
136
	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
137
	ccache = NULL;
138
	if (problem)
139
		goto out;
140

141
#else
142
	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
143
	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
144
	if (problem)
145
		goto out;
146

147
	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
148
	    KRB5_NT_SRV_HST, &server);
149
	if (problem)
150
		goto out;
151

152
	restore_uid();
153
	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
154
	    NULL, NULL, NULL);
155
	krb5_free_principal(authctxt->krb5_ctx, server);
156
	temporarily_use_uid(authctxt->pw);
157
	if (problem)
158
		goto out;
159

160
	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
161
	    authctxt->pw->pw_name)) {
162
		problem = -1;
163
		goto out;
164
	}
165

166
	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
167
	    &authctxt->krb5_fwd_ccache);
168
	if (problem)
169
		goto out;
170

171
	problem = krb5_cc_initialize(authctxt->krb5_ctx,
172
	    authctxt->krb5_fwd_ccache, authctxt->krb5_user);
173
	if (problem)
174
		goto out;
175

176
	problem = krb5_cc_store_cred(authctxt->krb5_ctx,
177
	    authctxt->krb5_fwd_ccache, &creds);
178
	if (problem)
179
		goto out;
180
#endif
181

182
	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
183

184
	len = strlen(authctxt->krb5_ticket_file) + 6;
185
	authctxt->krb5_ccname = xmalloc(len);
186
	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
187
	    authctxt->krb5_ticket_file);
188

189
#ifdef USE_PAM
190
	if (options.use_pam)
191
		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
192
#endif
193

194
 out:
195
	restore_uid();
196
	
197
	free(platform_client);
198

199
	if (problem) {
200
		if (ccache)
201
			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
202

203
		if (authctxt->krb5_ctx != NULL && problem!=-1) {
204
			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
205
			    problem);
206
			debug("Kerberos password authentication failed: %s",
207
			    errmsg);
208
			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
209
		} else
210
			debug("Kerberos password authentication failed: %d",
211
			    problem);
212

213
		krb5_cleanup_proc(authctxt);
214

215
		if (options.kerberos_or_local_passwd)
216
			return (-1);
217
		else
218
			return (0);
219
	}
220
	return (authctxt->valid ? 1 : 0);
221
}
222

223
void
224
krb5_cleanup_proc(Authctxt *authctxt)
225
{
226
	debug("krb5_cleanup_proc called");
227
	if (authctxt->krb5_fwd_ccache) {
228
		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
229
		authctxt->krb5_fwd_ccache = NULL;
230
	}
231
	if (authctxt->krb5_user) {
232
		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
233
		authctxt->krb5_user = NULL;
234
	}
235
	if (authctxt->krb5_ctx) {
236
		krb5_free_context(authctxt->krb5_ctx);
237
		authctxt->krb5_ctx = NULL;
238
	}
239
}
240

241
#ifndef HEIMDAL
242
krb5_error_code
243
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
244
	int tmpfd, ret, oerrno;
245
	char ccname[40];
246
	mode_t old_umask;
247

248
	ret = snprintf(ccname, sizeof(ccname),
249
	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
250
	if (ret < 0 || (size_t)ret >= sizeof(ccname))
251
		return ENOMEM;
252

253
	old_umask = umask(0177);
254
	tmpfd = mkstemp(ccname + strlen("FILE:"));
255
	oerrno = errno;
256
	umask(old_umask);
257
	if (tmpfd == -1) {
258
		logit("mkstemp(): %.100s", strerror(oerrno));
259
		return oerrno;
260
	}
261

262
	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
263
		oerrno = errno;
264
		logit("fchmod(): %.100s", strerror(oerrno));
265
		close(tmpfd);
266
		return oerrno;
267
	}
268
	close(tmpfd);
269

270
	return (krb5_cc_resolve(ctx, ccname, ccache));
271
}
272
#endif /* !HEIMDAL */
273
#endif /* KRB5 */
274

275