static void
expose_authinfo(const char *caller)
{
char *auth_info;
/*
* Expose authentication information to PAM.
* The environment variable is versioned. Please increment the
* version suffix if the format of session_info changes.
*/
if (sshpam_authctxt->session_info == NULL)
auth_info = xstrdup("");
else if ((auth_info = sshbuf_dup_string(
sshpam_authctxt->session_info)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
debug2("%s: auth information in SSH_AUTH_INFO_0", caller);
do_pam_putenv("SSH_AUTH_INFO_0", auth_info);
free(auth_info);
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
int len;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
#else
{
int tmpfd;
char ccname[40];
snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
return;
}
if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
return;
}
close(tmpfd);
if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
logit("krb5_cc_resolve(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
len = strlen(client->store.filename) + 6;
client->store.envval = xmalloc(len);
snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
const char *errmsg;
const char *new_ccname;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
# else
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
# endif
krb5_free_error_message(krb_context, errmsg);
return;
}
#else
if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("ssh_krb5_cc_gen(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
new_ccname = krb5_cc_get_name(krb_context, ccache);
client->store.envvar = "KRB5CCNAME";
#ifdef USE_CCAPI
xasprintf(&client->store.envval, "API:%s", new_ccname);
client->store.filename = NULL;
#else
xasprintf(&client->store.envval, "FILE:%s", new_ccname);
client->store.filename = xstrdup(new_ccname);
#endif
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
}
int
ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
ssh_gssapi_client *client)
{
krb5_ccache ccache = NULL;
krb5_principal principal = NULL;
char *name = NULL;
krb5_error_code problem;
OM_uint32 maj_status, min_status;
if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
logit("krb5_cc_resolve(): %.100s",
krb5_get_err_text(krb_context, problem));
return 0;
}
/* Find out who the principal in this cache is */
if ((problem = krb5_cc_get_principal(krb_context, ccache,
&principal))) {
logit("krb5_cc_get_principal(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_close(krb_context, ccache);
return 0;
}
if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
logit("krb5_unparse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, principal);
krb5_cc_close(krb_context, ccache);
return 0;
}
if (strcmp(name,client->exportedname.value)!=0) {
debug("Name in local credentials cache differs. Not storing");
krb5_free_principal(krb_context, principal);
krb5_cc_close(krb_context, ccache);
krb5_free_unparsed_name(krb_context, name);
return 0;
}
krb5_free_unparsed_name(krb_context, name);
/* Name matches, so lets get on with it! */
if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, principal);
krb5_cc_close(krb_context, ccache);
return 0;
}
krb5_free_principal(krb_context, principal);
if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
ccache))) {
logit("gss_krb5_copy_ccache() failed. Sorry!");
krb5_cc_close(krb_context, ccache);
return 0;
}
return 1;
}
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
#ifndef HEIMDAL
krb5_creds creds;
krb5_principal server;
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
int len;
char *client, *platform_client;
/* get platform-specific kerberos client principal name (if it exists) */
platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
client = platform_client ? platform_client : authctxt->pw->pw_name;
temporarily_use_uid(authctxt->pw);
problem = krb5_init(authctxt);
if (problem)
goto out;
problem = krb5_parse_name(authctxt->krb5_ctx, client,
&authctxt->krb5_user);
if (problem)
goto out;
#ifdef HEIMDAL
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
if (problem)
goto out;
problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
authctxt->krb5_user);
if (problem)
goto out;
restore_uid();
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
ccache, password, 1, NULL);
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
&authctxt->krb5_fwd_ccache);
if (problem)
goto out;
problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
authctxt->krb5_fwd_ccache);
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
ccache = NULL;
if (problem)
goto out;
#else
problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
if (problem)
goto out;
problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
KRB5_NT_SRV_HST, &server);
if (problem)
goto out;
restore_uid();
problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
NULL, NULL, NULL);
krb5_free_principal(authctxt->krb5_ctx, server);
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
problem = -1;
goto out;
}
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
if (problem)
goto out;
problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
authctxt->krb5_user);
if (problem)
goto out;
problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out;
#endif
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
snprintf(authctxt->krb5_ccname, len, "FILE:%s",
authctxt->krb5_ticket_file);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif
out:
restore_uid();
if (platform_client != NULL)
xfree(platform_client);
if (problem) {
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
if (authctxt->krb5_ctx != NULL && problem!=-1)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
else
debug("Kerberos password authentication failed: %d",
problem);
krb5_cleanup_proc(authctxt);
if (options.kerberos_or_local_passwd)
return (-1);
else
return (0);
}
return (authctxt->valid ? 1 : 0);
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
int len;
const char *new_ccname;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
#else
if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
logit("ssh_krb5_cc_gen(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
new_ccname = krb5_cc_get_name(krb_context, ccache);
client->store.envvar = "KRB5CCNAME";
#ifdef USE_CCAPI
xasprintf(&client->store.envval, "API:%s", new_ccname);
client->store.filename = NULL;
#else
xasprintf(&client->store.envval, "FILE:%s", new_ccname);
client->store.filename = xstrdup(new_ccname);
#endif
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
int len;
const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
# else
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
# endif
krb5_free_error_message(krb_context, errmsg);
return;
}
#else
if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("ssh_krb5_cc_gen(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
len = strlen(client->store.filename) + 6;
client->store.envval = xmalloc(len);
snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
}
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
{9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"},
NULL,
&ssh_gssapi_krb5_userok,
NULL,
&ssh_gssapi_krb5_storecreds
};
int
auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt)
{
krb5_error_code problem;
krb5_ccache ccache = NULL;
char *pname;
const char *errtxt;
if (authctxt->pw == NULL || authctxt->krb5_user == NULL)
return (0);
temporarily_use_uid(authctxt->pw);
problem = krb5_cc_new_unique(authctxt->krb5_ctx, "FILE", NULL, &ccache);
if (problem)
goto fail;
problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
authctxt->krb5_user);
if (problem)
goto fail;
problem = krb5_rd_cred2(authctxt->krb5_ctx, authctxt->krb5_auth_ctx,
ccache, tgt);
if (problem)
goto fail;
authctxt->krb5_fwd_ccache = ccache;
ccache = NULL;
authctxt->krb5_ticket_file = __UNCONST(krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache));
problem = krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user,
&pname);
if (problem)
goto fail;
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(__UNCONST("KRB5CCNAME"), authctxt->krb5_ticket_file);
#endif
debug("Kerberos v5 TGT accepted (%s)", pname);
restore_uid();
return (1);
fail:
if (problem) {
errtxt = krb5_get_error_message(authctxt->krb5_ctx, problem);
if (errtxt != NULL) {
debug("Kerberos v5 TGT passing failed: %s", errtxt);
krb5_free_error_message(authctxt->krb5_ctx, errtxt);
} else
debug("Kerberos v5 TGT passing failed: %d", problem);
}
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
restore_uid();
return (0);
}
/*
* Export GSI credentials to disk.
*/
static void
ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
{
OM_uint32 major_status;
OM_uint32 minor_status;
gss_buffer_desc export_cred = GSS_C_EMPTY_BUFFER;
char * p;
if (!client || !client->creds) {
return;
}
major_status = gss_export_cred(&minor_status,
client->creds,
GSS_C_NO_OID,
1,
&export_cred);
if (GSS_ERROR(major_status) && major_status != GSS_S_UNAVAILABLE) {
Gssctxt *ctx;
ssh_gssapi_build_ctx(&ctx);
ctx->major = major_status;
ctx->minor = minor_status;
ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
ssh_gssapi_error(ctx);
ssh_gssapi_delete_ctx(&ctx);
return;
}
p = strchr((char *) export_cred.value, '=');
if (p == NULL) {
logit("Failed to parse exported credentials string '%.100s'",
(char *)export_cred.value);
gss_release_buffer(&minor_status, &export_cred);
return;
}
*p++ = '\0';
if (strcmp((char *)export_cred.value,"X509_USER_DELEG_PROXY") == 0) {
client->store.envvar = strdup("X509_USER_PROXY");
} else {
client->store.envvar = strdup((char *)export_cred.value);
}
if (access(p, R_OK) == 0) {
if (client->store.filename) {
if (rename(p, client->store.filename) < 0) {
logit("Failed to rename %s to %s: %s", p,
client->store.filename, strerror(errno));
free(client->store.filename);
client->store.filename = strdup(p);
} else {
p = client->store.filename;
}
} else {
client->store.filename = strdup(p);
}
}
client->store.envval = strdup(p);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
gss_release_buffer(&minor_status, &export_cred);
}