2 * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
16 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
17 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
26 #include <sys/types.h>
27 #include <sys/param.h>
36 #endif /* STDC_HEADERS */
40 # ifdef HAVE_STRINGS_H
43 #endif /* HAVE_STRING_H */
46 #endif /* HAVE_UNISTD_H */
54 #include "sudo_auth.h"
57 __unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28:42 millert Exp $";
61 # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
62 # define krb5_free_data_contents(c, d) krb5_data_free(d)
64 # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
67 #ifndef HAVE_KRB5_VERIFY_USER
68 static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
70 static struct _sudo_krb5_data {
71 krb5_context sudo_context;
74 } sudo_krb5_data = { NULL, NULL, NULL };
75 typedef struct _sudo_krb5_data *sudo_krb5_datap;
77 extern const krb5_cc_ops krb5_mcc_ops;
80 kerb5_init(pw, promptp, auth)
85 krb5_context sudo_context;
88 krb5_error_code error;
92 auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
94 #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
95 error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
97 error = krb5_init_context(&(sudo_krb5_data.sudo_context));
100 return(AUTH_FAILURE);
101 sudo_context = sudo_krb5_data.sudo_context;
103 if ((error = krb5_parse_name(sudo_context, pw->pw_name,
104 &(sudo_krb5_data.princ)))) {
105 log_error(NO_EXIT|NO_MAIL,
106 "%s: unable to parse '%s': %s", auth->name, pw->pw_name,
107 error_message(error));
108 return(AUTH_FAILURE);
110 princ = sudo_krb5_data.princ;
113 * Really, we need to tell the caller not to prompt for password.
114 * The API does not currently provide this unless the auth is standalone.
117 if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
118 log_error(NO_EXIT|NO_MAIL,
119 "%s: unable to unparse princ ('%s'): %s", auth->name,
120 pw->pw_name, error_message(error));
121 return(AUTH_FAILURE);
124 /* Only rewrite prompt if user didn't specify their own. */
125 /*if (!strcmp(prompt, PASSPROMPT)) { */
126 easprintf(promptp, "Password for %s: ", pname);
131 /* For CNS compatibility */
132 if ((error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE))) {
133 if (error != KRB5_CC_TYPE_EXISTS) {
134 log_error(NO_EXIT|NO_MAIL,
135 "%s: unable to use Memory ccache: %s", auth->name,
136 error_message(error));
137 return(AUTH_FAILURE);
141 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
143 if ((error = krb5_cc_resolve(sudo_context, cache_name,
144 &(sudo_krb5_data.ccache)))) {
145 log_error(NO_EXIT|NO_MAIL,
146 "%s: unable to resolve ccache: %s", auth->name,
147 error_message(error));
148 return(AUTH_FAILURE);
150 ccache = sudo_krb5_data.ccache;
152 if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
153 log_error(NO_EXIT|NO_MAIL,
154 "%s: unable to initialize ccache: %s", auth->name,
155 error_message(error));
156 return(AUTH_FAILURE);
159 return(AUTH_SUCCESS);
162 #ifdef HAVE_KRB5_VERIFY_USER
164 kerb5_verify(pw, pass, auth)
169 krb5_context sudo_context;
170 krb5_principal princ;
172 krb5_error_code error;
174 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
175 princ = ((sudo_krb5_datap) auth->data)->princ;
176 ccache = ((sudo_krb5_datap) auth->data)->ccache;
178 error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
179 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
183 kerb5_verify(pw, pass, auth)
188 krb5_context sudo_context;
189 krb5_principal princ;
192 krb5_error_code error;
193 krb5_get_init_creds_opt opts;
195 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
196 princ = ((sudo_krb5_datap) auth->data)->princ;
197 ccache = ((sudo_krb5_datap) auth->data)->ccache;
199 /* Initialize options to defaults */
200 krb5_get_init_creds_opt_init(&opts);
202 /* Note that we always obtain a new TGT to verify the user */
203 if ((error = krb5_get_init_creds_password(sudo_context, &creds, princ,
204 pass, krb5_prompter_posix,
205 NULL, 0, NULL, &opts))) {
206 if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
207 return(AUTH_FAILURE);
208 /* Some other error */
209 log_error(NO_EXIT|NO_MAIL,
210 "%s: unable to get credentials: %s", auth->name,
211 error_message(error));
212 return(AUTH_FAILURE);
215 /* Stash the TGT so we can verify it. */
216 if ((error = krb5_cc_store_cred(sudo_context, ccache, &creds))) {
217 log_error(NO_EXIT|NO_MAIL,
218 "%s: unable to store credentials: %s", auth->name,
219 error_message(error));
221 error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
224 krb5_free_cred_contents(sudo_context, &creds);
225 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
230 kerb5_cleanup(pw, auth)
234 krb5_context sudo_context;
235 krb5_principal princ;
238 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
239 princ = ((sudo_krb5_datap) auth->data)->princ;
240 ccache = ((sudo_krb5_datap) auth->data)->ccache;
244 krb5_cc_destroy(sudo_context, ccache);
246 krb5_free_principal(sudo_context, princ);
247 krb5_free_context(sudo_context);
250 return(AUTH_SUCCESS);
253 #ifndef HAVE_KRB5_VERIFY_USER
255 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
257 * Verify the Kerberos ticket-granting ticket just retrieved for the
258 * user. If the Kerberos server doesn't respond, assume the user is
259 * trying to fake us out (since we DID just get a TGT from what is
260 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
261 * the local keytab doesn't have it), return success but log the error.
263 * This needs to run as root (to read the host service ticket).
265 * Returns 0 for successful authentication, non-zero for failure.
268 verify_krb_v5_tgt(sudo_context, ccache, auth_name)
269 krb5_context sudo_context;
271 char *auth_name; /* For error reporting */
274 krb5_error_code error;
275 krb5_principal princ;
277 krb5_keyblock *keyblock = 0;
278 krb5_auth_context auth_context = NULL;
283 * Get the server principal for the local host.
284 * (Use defaults of "host" and canonicalized local name.)
286 if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
287 KRB5_NT_SRV_HST, &princ))) {
288 log_error(NO_EXIT|NO_MAIL,
289 "%s: unable to get host principal: %s", auth_name,
290 error_message(error));
294 /* Extract the name directly. Yow. */
295 strlcpy(phost, extract_name(sudo_context, princ), sizeof(phost));
298 * Do we have host/<host> keys?
299 * (use default keytab, kvno IGNORE_VNO to get the first match,
300 * and enctype is currently ignored anyhow.)
302 if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
304 /* Keytab or service key does not exist. */
306 "%s: host service key not found: %s", auth_name,
307 error_message(error));
311 krb5_free_keyblock(sudo_context, keyblock);
313 /* Talk to the kdc and construct the ticket. */
314 error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
315 NULL, ccache, &packet);
317 krb5_auth_con_free(sudo_context, auth_context);
318 auth_context = NULL; /* setup for rd_req */
321 /* Try to use the ticket. */
323 error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
327 krb5_free_data_contents(sudo_context, &packet);
328 krb5_free_principal(sudo_context, princ);
331 log_error(NO_EXIT|NO_MAIL,
332 "%s: Cannot verify TGT! Possible attack!: %s", auth_name,
333 error_message(error));