2 * Amanda, The Advanced Maryland Automatic Network Disk Archiver
3 * Copyright (c) 1999 University of Maryland
6 * Permission to use, copy, modify, distribute, and sell this software and its
7 * documentation for any purpose is hereby granted without fee, provided that
8 * the above copyright notice appear in all copies and that both that
9 * copyright notice and this permission notice appear in supporting
10 * documentation, and that the name of U.M. not be used in advertising or
11 * publicity pertaining to distribution of the software without specific,
12 * written prior permission. U.M. makes no representations about the
13 * suitability of this software for any purpose. It is provided "as is"
14 * without express or implied warranty.
16 * U.M. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL U.M.
18 * BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
20 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
21 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 * Authors: the Amanda Development Team. Its members are listed in a
24 * file named AUTHORS, in the root directory of this distribution.
28 * $Id: krb5-security.c,v 1.22 2006/06/16 10:55:05 martinea Exp $
30 * krb5-security.c - kerberos V5 security module
32 * XXX still need to check for initial keyword on connect so we can skip
33 * over shell garbage and other stuff that krb5 might want to spew out.
42 #include "security-util.h"
45 #include "sockaddr-util.h"
47 #ifdef KRB5_HEIMDAL_INCLUDES
51 #define BROKEN_MEMORY_CCACHE
53 #ifdef BROKEN_MEMORY_CCACHE
55 * If you don't have atexit() or on_exit(), you could just consider
56 * making atexit() empty and clean up your ticket files some other
61 #define atexit(func) on_exit(func, 0)
63 #define atexit(func) (you must to resolve lack of atexit)
64 #endif /* HAVE_ON_EXIT */
65 #endif /* ! HAVE_ATEXIT */
67 #ifndef KRB5_HEIMDAL_INCLUDES
68 #include <gssapi/gssapi_generic.h>
70 #include <gssapi/gssapi.h>
74 #ifndef KRB5_ENV_CCNAME
75 #define KRB5_ENV_CCNAME "KRB5CCNAME"
79 * consider undefining when kdestroy() is fixed. The current version does
80 * not work under krb5-1.2.4 in rh7.3, perhaps others.
82 #define KDESTROY_VIA_UNLINK 1
85 * Where the keytab lives, if defined. Otherwise it expects something in the
88 /* #define AMANDA_KEYTAB "/.amanda-v5-keytab" */
91 * The name of the principal we authenticate with, if defined. Otherwise
92 * it expects something in the config file.
94 /* #define AMANDA_PRINCIPAL "service/amanda" */
97 * The lifetime of our tickets in seconds. This may or may not need to be
100 #define AMANDA_TKT_LIFETIME (12*60*60)
104 * The name of the service in /etc/services. This probably shouldn't be
107 #define AMANDA_KRB5_SERVICE_NAME "k5amanda"
110 * The default port to use if above entry in /etc/services doesn't exist
112 #define AMANDA_KRB5_DEFAULT_PORT 10082
115 * The timeout in seconds for each step of the GSS negotiation phase
117 #define GSS_TIMEOUT 30
120 * The largest buffer we can send/receive.
122 #define AMANDA_MAX_TOK_SIZE (MAX_TAPE_BLOCK_BYTES * 4)
125 * This is the tcp stream buffer size
127 #define KRB5_STREAM_BUFSIZE (MAX_TAPE_BLOCK_BYTES * 2)
130 * This is the max number of outgoing connections we can have at once.
131 * planner/amcheck/etc will open a bunch of connections as it tries
132 * to contact everything. We need to limit this to avoid blowing
133 * the max number of open file descriptors a process can have.
135 #define AMANDA_KRB5_MAXCONN 40
139 * Number of seconds krb5 has to start up
141 #define CONNECT_TIMEOUT 20
144 * Cache the local hostname
146 static char myhostname[MAX_HOSTNAME_LENGTH+1];
150 * Interface functions
152 static void krb5_accept(const struct security_driver *,
153 char *(*)(char *, void *),
155 void (*)(security_handle_t *, pkt_t *),
157 static void krb5_connect(const char *,
158 char *(*)(char *, void *),
159 void (*)(void *, security_handle_t *, security_status_t), void *, void *);
161 static void krb5_init(void);
162 #ifdef BROKEN_MEMORY_CCACHE
163 static void cleanup(void);
165 static const char *get_tgt(char *keytab_name, char *principal_name);
166 static int gss_server(struct tcp_conn *);
167 static int gss_client(struct sec_handle *);
168 static const char *gss_error(OM_uint32, OM_uint32);
169 static char *krb5_checkuser(char *host, char *name, char *realm);
171 static int k5_encrypt(void *cookie, void *buf, ssize_t buflen,
172 void **encbuf, ssize_t *encbuflen);
173 static int k5_decrypt(void *cookie, void *buf, ssize_t buflen,
174 void **encbuf, ssize_t *encbuflen);
177 * This is our interface to the outside world.
179 const security_driver_t krb5_security_driver = {
186 stream_recvpkt_cancel,
195 tcpm_stream_read_sync,
196 tcpm_stream_read_cancel,
197 tcpm_close_connection,
202 static int newhandle = 1;
207 static int runkrb5(struct sec_handle *);
210 char *principal_name;
213 * krb5 version of a security handle allocator. Logically sets
214 * up a network "connection".
218 const char *hostname,
219 char * (*conf_fn)(char *, void *),
220 void (*fn)(void *, security_handle_t *, security_status_t),
224 struct sec_handle *rh;
229 assert(hostname != NULL);
231 auth_debug(1, "krb5: krb5_connect: %s\n", hostname);
235 rh = alloc(sizeof(*rh));
236 security_handleinit(&rh->sech, &krb5_security_driver);
239 rh->ev_timeout = NULL;
242 result = resolve_hostname(hostname, 0, NULL, &canonname);
244 dbprintf(_("resolve_hostname(%s): %s\n"), hostname, gai_strerror(result));
245 security_seterror(&rh->sech, _("resolve_hostname(%s): %s\n"), hostname,
246 gai_strerror(result));
247 (*fn)(arg, &rh->sech, S_ERROR);
250 if (canonname == NULL) {
251 dbprintf(_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
252 security_seterror(&rh->sech,
253 _("resolve_hostname(%s) did not return a canonical name\n"), hostname);
254 (*fn)(arg, &rh->sech, S_ERROR);
258 rh->hostname = canonname; /* will be replaced */
259 canonname = NULL; /* steal reference */
260 rh->rs = tcpma_stream_client(rh, newhandle++);
261 rh->rc->conf_fn = conf_fn;
262 rh->rc->datap = datap;
263 rh->rc->recv_security_ok = NULL;
264 rh->rc->prefix_packet = NULL;
269 amfree(rh->hostname);
270 rh->hostname = stralloc(rh->rs->rc->hostname);
273 keytab_name = AMANDA_KEYTAB;
276 keytab_name = conf_fn("krb5keytab", datap);
279 #ifdef AMANDA_PRINCIPAL
280 principal_name = AMANDA_PRINCIPAL;
283 principal_name = conf_fn("krb5principal", datap);
288 * We need to open a new connection.
290 * XXX need to eventually limit number of outgoing connections here.
292 if(rh->rc->read == -1) {
299 * The socket will be opened async so hosts that are down won't
300 * block everything. We need to register a write event
301 * so we will know when the socket comes alive.
303 * Overload rh->rs->ev_read to provide a write event handle.
304 * We also register a timeout.
308 rh->rs->ev_read = event_register((event_id_t)(rh->rs->rc->write),
309 EV_WRITEFD, sec_connect_callback, rh);
310 rh->ev_timeout = event_register(CONNECT_TIMEOUT, EV_TIME,
311 sec_connect_timeout, rh);
318 (*fn)(arg, &rh->sech, S_ERROR);
323 * Setup to handle new incoming connections
327 const struct security_driver *driver,
328 char *(*conf_fn)(char *, void *),
331 void (*fn)(security_handle_t *, pkt_t *),
337 char hostname[NI_MAXHOST];
344 if (getpeername(in, (struct sockaddr *)&sin, &len) < 0) {
345 dbprintf(_("getpeername returned: %s\n"),
350 if ((result = getnameinfo((struct sockaddr *)&sin, len,
351 hostname, NI_MAXHOST, NULL, 0, 0) != 0)) {
352 dbprintf(_("getnameinfo failed: %s\n"),
353 gai_strerror(result));
356 if (check_name_give_sockaddr(hostname,
357 (struct sockaddr *)&sin, &errmsg) < 0) {
358 dbprintf(_("check_name_give_sockaddr(%s): %s\n"),
365 rc = sec_tcp_conn_get(hostname, 0);
366 rc->conf_fn = conf_fn;
368 rc->recv_security_ok = NULL;
369 rc->prefix_packet = NULL;
370 copy_sockaddr(&rc->peer, &sin);
374 if (gss_server(rc) < 0)
375 error("gss_server failed: %s\n", rc->errmsg);
377 sec_tcp_conn_read(rc);
381 * Forks a krb5 to the host listed in rc->hostname
382 * Returns negative on error, with an errmsg in rc->errmsg.
386 struct sec_handle * rh)
390 in_port_t my_port, port;
391 struct tcp_conn * rc = rh->rc;
394 if ((sp = getservbyname(AMANDA_KRB5_SERVICE_NAME, "tcp")) == NULL)
395 port = htons(AMANDA_KRB5_DEFAULT_PORT);
399 if ((err = get_tgt(keytab_name, principal_name)) != NULL) {
400 security_seterror(&rh->sech, "%s: could not get TGT: %s",
406 server_socket = stream_client(rc->hostname,
407 (in_port_t)(ntohs(port)),
414 if(server_socket < 0) {
415 security_seterror(&rh->sech,
416 "%s", strerror(errno));
421 rc->read = rc->write = server_socket;
423 if (gss_client(rh) < 0) {
435 * Negotiate a krb5 gss context from the client end.
439 struct sec_handle *rh)
441 struct sec_stream *rs = rh->rs;
442 struct tcp_conn *rc = rs->rc;
443 gss_buffer_desc send_tok, recv_tok, AA;
445 OM_uint32 maj_stat, min_stat;
446 unsigned int ret_flags;
452 auth_debug(1, "gss_client\n");
454 send_tok.value = vstralloc("host/", rs->rc->hostname, NULL);
455 send_tok.length = strlen(send_tok.value) + 1;
456 maj_stat = gss_import_name(&min_stat, &send_tok, GSS_C_NULL_OID,
458 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
459 security_seterror(&rh->sech, _("can't import name %s: %s"),
460 (char *)send_tok.value, gss_error(maj_stat, min_stat));
461 amfree(send_tok.value);
464 amfree(send_tok.value);
465 rc->gss_context = GSS_C_NO_CONTEXT;
466 maj_stat = gss_display_name(&min_stat, gss_name, &AA, &doid);
467 dbprintf(_("gss_name %s\n"), (char *)AA.value);
470 * Perform the context-establishement loop.
472 * Every generated token is stored in send_tok which is then
473 * transmitted to the server; every received token is stored in
474 * recv_tok (empty on the first pass) to be processed by
475 * the next call to gss_init_sec_context.
477 * GSS-API guarantees that send_tok's length will be non-zero
478 * if and only if the server is expecting another token from us,
479 * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if
480 * and only if the server has another token to send us.
483 recv_tok.value = NULL;
484 for (recv_tok.length = 0;;) {
486 maj_stat = gss_init_sec_context(&min_stat,
491 (OM_uint32)GSS_C_MUTUAL_FLAG|GSS_C_REPLAY_FLAG,
492 0, NULL, /* no channel bindings */
493 (recv_tok.length == 0 ? GSS_C_NO_BUFFER : &recv_tok),
494 NULL, /* ignore mech type */
497 NULL); /* ignore time_rec */
499 if (recv_tok.length != 0) {
500 amfree(recv_tok.value);
503 if (maj_stat != (OM_uint32)GSS_S_COMPLETE && maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED) {
504 security_seterror(&rh->sech,
505 _("error getting gss context: %s %s"),
506 gss_error(maj_stat, min_stat), (char *)send_tok.value);
511 * Send back the response
513 if (send_tok.length != 0 && tcpm_send_token(rc, rc->write, rs->handle, &errmsg, send_tok.value, send_tok.length) < 0) {
514 security_seterror(&rh->sech, "%s", rc->errmsg);
515 gss_release_buffer(&min_stat, &send_tok);
518 gss_release_buffer(&min_stat, &send_tok);
521 * If we need to continue, then register for more packets
523 if (maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED)
526 rvalue = tcpm_recv_token(rc, rc->read, &rc->handle, &rc->errmsg,
527 (void *)&recv_tok.value,
528 (ssize_t *)&recv_tok.length, 60);
531 security_seterror(&rh->sech,
532 _("recv error in gss loop: %s"), rc->errmsg);
534 security_seterror(&rh->sech, _("EOF in gss loop"));
542 gss_release_name(&min_stat, &gss_name);
547 * Negotiate a krb5 gss context from the server end.
553 OM_uint32 maj_stat, min_stat, ret_flags;
554 gss_buffer_desc send_tok, recv_tok, AA;
557 gss_cred_id_t gss_creds;
558 char *p, *realm, *msg;
565 auth_debug(1, "gss_server\n");
570 * We need to be root while in gss_acquire_cred() to read the host key
571 * out of the default keytab. We also need to be root in
572 * gss_accept_context() thanks to the replay cache code.
576 g_snprintf(errbuf, SIZEOF(errbuf),
577 _("real uid is %ld, needs to be 0 to read krb5 host key"),
581 if (!set_root_privs(0)) {
582 g_snprintf(errbuf, SIZEOF(errbuf),
583 _("can't seteuid to uid 0: %s"), strerror(errno));
587 rc->gss_context = GSS_C_NO_CONTEXT;
588 send_tok.value = vstralloc("host/", myhostname, NULL);
589 send_tok.length = strlen(send_tok.value) + 1;
590 for (p = send_tok.value; *p != '\0'; p++) {
591 if (isupper((int)*p))
594 maj_stat = gss_import_name(&min_stat, &send_tok, GSS_C_NULL_OID,
596 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
598 g_snprintf(errbuf, SIZEOF(errbuf),
599 _("can't import name %s: %s"), (char *)send_tok.value,
600 gss_error(maj_stat, min_stat));
601 amfree(send_tok.value);
604 amfree(send_tok.value);
606 maj_stat = gss_display_name(&min_stat, gss_name, &AA, &doid);
607 dbprintf(_("gss_name %s\n"), (char *)AA.value);
608 maj_stat = gss_acquire_cred(&min_stat, gss_name, 0,
609 GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &gss_creds, NULL, NULL);
610 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
611 g_snprintf(errbuf, SIZEOF(errbuf),
612 _("can't acquire creds for host key host/%s: %s"), myhostname,
613 gss_error(maj_stat, min_stat));
614 gss_release_name(&min_stat, &gss_name);
618 gss_release_name(&min_stat, &gss_name);
620 for (recv_tok.length = 0;;) {
621 recv_tok.value = NULL;
622 rvalue = tcpm_recv_token(rc, rc->read, &rc->handle, &rc->errmsg,
623 /* (void *) is to avoid type-punning warning */
624 (char **)(void *)&recv_tok.value,
625 (ssize_t *)&recv_tok.length, 60);
628 g_snprintf(errbuf, SIZEOF(errbuf),
629 _("recv error in gss loop: %s"), rc->errmsg);
632 g_snprintf(errbuf, SIZEOF(errbuf), _("EOF in gss loop"));
636 maj_stat = gss_accept_sec_context(&min_stat, &rc->gss_context,
637 gss_creds, &recv_tok, GSS_C_NO_CHANNEL_BINDINGS,
638 &gss_name, &doid, &send_tok, &ret_flags, NULL, NULL);
640 if (maj_stat != (OM_uint32)GSS_S_COMPLETE &&
641 maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED) {
642 g_snprintf(errbuf, SIZEOF(errbuf),
643 _("error accepting context: %s"), gss_error(maj_stat, min_stat));
644 amfree(recv_tok.value);
647 amfree(recv_tok.value);
649 if (send_tok.length != 0 && tcpm_send_token(rc, rc->write, 0, &errmsg, send_tok.value, send_tok.length) < 0) {
650 strncpy(errbuf, rc->errmsg, SIZEOF(errbuf) - 1);
651 errbuf[SIZEOF(errbuf) - 1] = '\0';
653 gss_release_buffer(&min_stat, &send_tok);
656 gss_release_buffer(&min_stat, &send_tok);
660 * If we need to get more from the client, then register for
663 if (maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED)
667 maj_stat = gss_display_name(&min_stat, gss_name, &send_tok, &doid);
668 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
669 g_snprintf(errbuf, SIZEOF(errbuf),
670 _("can't display gss name: %s"), gss_error(maj_stat, min_stat));
671 gss_release_name(&min_stat, &gss_name);
674 gss_release_name(&min_stat, &gss_name);
676 /* get rid of the realm */
677 if ((p = strchr(send_tok.value, '@')) == NULL) {
678 g_snprintf(errbuf, SIZEOF(errbuf),
679 _("malformed gss name: %s"), (char *)send_tok.value);
680 amfree(send_tok.value);
687 * If the principal doesn't match, complain
689 if ((msg = krb5_checkuser(rc->hostname, send_tok.value, realm)) != NULL) {
690 g_snprintf(errbuf, SIZEOF(errbuf),
691 _("access not allowed from %s: %s"), (char *)send_tok.value, msg);
692 amfree(send_tok.value);
695 amfree(send_tok.value);
701 rc->errmsg = stralloc(errbuf);
705 auth_debug(1, _("gss_server returning %d\n"), rval);
710 * Setup some things about krb5. This should only be called once.
715 static int beenhere = 0;
717 char *myfqhostname=NULL;
723 #ifndef BROKEN_MEMORY_CCACHE
724 putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache"));
727 * MEMORY ccaches seem buggy and cause a lot of internal heap
728 * corruption. malloc has been known to core dump. This behavior
729 * has been witnessed in Cygnus' kerbnet 1.2, MIT's krb V 1.0.5 and
730 * MIT's krb V -current as of 3/17/1999.
732 * We just use a lame ccache scheme with a uid suffix.
737 ccache = malloc(128);
738 g_snprintf(ccache, SIZEOF(ccache),
739 "KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld",
740 (long)geteuid(), (long)getpid());
745 gethostname(myhostname, SIZEOF(myhostname) - 1);
746 myhostname[SIZEOF(myhostname) - 1] = '\0';
749 * In case it isn't fully qualified, do a DNS lookup. Ignore
750 * any errors (this is best-effort).
752 if (resolve_hostname(myhostname, SOCK_STREAM, NULL, &myfqhostname) == 0
753 && myfqhostname != NULL) {
754 strncpy(myhostname, myfqhostname, SIZEOF(myhostname)-1);
755 myhostname[SIZEOF(myhostname)-1] = '\0';
756 amfree(myfqhostname);
760 * Lowercase the results. We assume all host/ principals will be
763 for (p = myhostname; *p != '\0'; p++) {
764 if (isupper((int)*p))
769 #ifdef BROKEN_MEMORY_CCACHE
773 #ifdef KDESTROY_VIA_UNLINK
775 g_snprintf(ccache, SIZEOF(ccache), "/tmp/amanda_ccache.%ld.%ld",
776 (long)geteuid(), (long)getpid());
785 * Get a ticket granting ticket and stuff it in the cache
790 char * principal_name)
792 krb5_context context;
794 krb5_principal client = NULL, server = NULL;
799 #ifdef KRB5_HEIMDAL_INCLUDES
800 krb5_data tgtname = { KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME };
802 krb5_data tgtname = { 0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME };
804 static char *error = NULL;
810 if ((ret = krb5_init_context(&context)) != 0) {
811 error = vstrallocf(_("error initializing krb5 context: %s"),
816 /*krb5_init_ets(context);*/
819 error = vstrallocf(_("error -- no krb5 keytab defined"));
823 if(!principal_name) {
824 error = vstrallocf(_("error -- no krb5 principal defined"));
829 * Resolve keytab file into a keytab object
831 if ((ret = krb5_kt_resolve(context, keytab_name, &keytab)) != 0) {
832 error = vstrallocf(_("error resolving keytab %s: %s"), keytab_name,
838 * Resolve the amanda service held in the keytab into a principal
841 ret = krb5_parse_name(context, principal_name, &client);
843 error = vstrallocf(_("error parsing %s: %s"), principal_name,
848 #ifdef KRB5_HEIMDAL_INCLUDES
849 ret = krb5_build_principal_ext(context, &server,
850 krb5_realm_length(*krb5_princ_realm(context, client)),
851 krb5_realm_data(*krb5_princ_realm(context, client)),
852 tgtname.length, tgtname.data,
853 krb5_realm_length(*krb5_princ_realm(context, client)),
854 krb5_realm_data(*krb5_princ_realm(context, client)),
857 ret = krb5_build_principal_ext(context, &server,
858 krb5_princ_realm(context, client)->length,
859 krb5_princ_realm(context, client)->data,
860 tgtname.length, tgtname.data,
861 krb5_princ_realm(context, client)->length,
862 krb5_princ_realm(context, client)->data,
866 error = vstrallocf(_("error while building server name: %s"),
871 ret = krb5_timeofday(context, &now);
873 error = vstrallocf(_("error getting time of day: %s"), error_message(ret));
877 memset(&creds, 0, SIZEOF(creds));
878 creds.times.starttime = 0;
879 creds.times.endtime = now + AMANDA_TKT_LIFETIME;
881 creds.client = client;
882 creds.server = server;
885 * Get a ticket for the service, using the keytab
887 ret = krb5_get_in_tkt_with_keytab(context, 0, NULL, NULL, NULL,
888 keytab, 0, &creds, 0);
891 error = vstrallocf(_("error getting ticket for %s: %s"),
892 principal_name, error_message(ret));
896 if ((ret = krb5_cc_default(context, &ccache)) != 0) {
897 error = vstrallocf(_("error initializing ccache: %s"), error_message(ret));
900 if ((ret = krb5_cc_initialize(context, ccache, client)) != 0) {
901 error = vstrallocf(_("error initializing ccache: %s"), error_message(ret));
904 if ((ret = krb5_cc_store_cred(context, ccache, &creds)) != 0) {
905 error = vstrallocf(_("error storing creds in ccache: %s"),
909 krb5_cc_close(context, ccache);
911 krb5_free_cred_contents(context, &creds);
914 krb5_free_principal(context, client);
915 krb5_free_principal(context, server);
917 krb5_free_context(context);
921 #ifndef KDESTROY_VIA_UNLINK
928 krb5_context context;
931 if ((krb5_init_context(&context)) != 0) {
934 if ((krb5_cc_default(context, &ccache)) != 0) {
938 krb5_cc_destroy(context, ccache);
939 krb5_cc_close(context, ccache);
942 krb5_free_context(context);
948 * Formats an error from the gss api
955 static gss_buffer_desc msg;
956 OM_uint32 min_stat, msg_ctx;
959 gss_release_buffer(&min_stat, &msg);
962 if (major == GSS_S_FAILURE)
963 gss_display_status(&min_stat, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID,
966 gss_display_status(&min_stat, major, GSS_C_GSS_CODE, GSS_C_NULL_OID,
968 return ((const char *)msg.value);
979 struct tcp_conn *rc = cookie;
980 gss_buffer_desc dectok;
981 gss_buffer_desc enctok;
982 OM_uint32 maj_stat, min_stat;
985 if (rc->conf_fn && rc->conf_fn("kencrypt", rc->datap)) {
986 auth_debug(1, _("krb5: k5_encrypt: enter %p\n"), rc);
988 dectok.length = buflen;
992 assert(rc->gss_context != GSS_C_NO_CONTEXT);
993 maj_stat = gss_seal(&min_stat, rc->gss_context, 1,
994 GSS_C_QOP_DEFAULT, &dectok, &conf_state,
996 if (maj_stat != (OM_uint32)GSS_S_COMPLETE || conf_state == 0) {
997 auth_debug(1, _("krb5 encrypt error to %s: %s\n"),
998 rc->hostname, gss_error(maj_stat, min_stat));
1001 auth_debug(1, _("krb5: k5_encrypt: give %zu bytes\n"),
1003 *encbuf = enctok.value;
1004 *encbuflen = enctok.length;
1007 *encbuflen = buflen;
1009 auth_debug(1, _("krb5: k5_encrypt: exit\n"));
1023 struct tcp_conn *rc = cookie;
1024 gss_buffer_desc enctok;
1025 gss_buffer_desc dectok;
1026 OM_uint32 maj_stat, min_stat;
1027 int conf_state, qop_state;
1029 if (rc->conf_fn && rc->conf_fn("kencrypt", rc->datap)) {
1030 auth_debug(1, _("krb5: k5_decrypt: enter\n"));
1031 if (rc->auth == 1) {
1032 enctok.length = buflen;
1035 auth_debug(1, _("krb5: k5_decrypt: decrypting %zu bytes\n"), enctok.length);
1037 assert(rc->gss_context != GSS_C_NO_CONTEXT);
1038 maj_stat = gss_unseal(&min_stat, rc->gss_context, &enctok, &dectok,
1039 &conf_state, &qop_state);
1040 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
1041 auth_debug(1, _("krb5 decrypt error from %s: %s\n"),
1042 rc->hostname, gss_error(maj_stat, min_stat));
1045 auth_debug(1, _("krb5: k5_decrypt: give %zu bytes\n"),
1047 *decbuf = dectok.value;
1048 *decbuflen = dectok.length;
1051 *decbuflen = buflen;
1053 auth_debug(1, _("krb5: k5_decrypt: exit\n"));
1056 *decbuflen = buflen;
1062 * check ~/.k5amandahosts to see if this principal is allowed in. If it's
1063 * hardcoded, then we don't check the realm
1066 krb5_checkuser( char * host,
1070 #ifdef AMANDA_PRINCIPAL
1071 if(strcmp(name, AMANDA_PRINCIPAL) == 0) {
1074 return(vstrallocf(_("does not match compiled in default")));
1079 char *result = _("generic error"); /* default is to not permit */
1084 char *filehost = NULL, *fileuser = NULL, *filerealm = NULL;
1086 assert( host != NULL);
1087 assert( name != NULL);
1089 if((pwd = getpwnam(CLIENT_LOGIN)) == NULL) {
1090 result = vstrallocf(_("can not find user %s"), CLIENT_LOGIN);
1092 localuid = pwd->pw_uid;
1094 #ifdef USE_AMANDAHOSTS
1095 ptmp = stralloc2(pwd->pw_dir, "/.k5amandahosts");
1097 ptmp = stralloc2(pwd->pw_dir, "/.k5login");
1101 result = vstrallocf(_("could not find home directory for %s"), CLIENT_LOGIN);
1106 * check to see if the ptmp file does nto exist.
1108 if(access(ptmp, R_OK) == -1 && errno == ENOENT) {
1110 * in this case we check to see if the principal matches
1111 * the destination user mimicing the .k5login functionality.
1113 if(strcmp(name, CLIENT_LOGIN) != 0) {
1114 result = vstrallocf(_("%s does not match %s"),
1115 name, CLIENT_LOGIN);
1122 auth_debug(1, _("opening ptmp: %s\n"), (ptmp)?ptmp: "NULL!");
1123 if((fp = fopen(ptmp, "r")) == NULL) {
1124 result = vstrallocf(_("can not open %s"), ptmp);
1127 auth_debug(1, _("opened ptmp\n"));
1129 if (fstat(fileno(fp), &sbuf) != 0) {
1130 result = vstrallocf(_("cannot fstat %s: %s"), ptmp, strerror(errno));
1134 if (sbuf.st_uid != localuid) {
1135 result = vstrallocf(_("%s is owned by %ld, should be %ld"),
1136 ptmp, (long)sbuf.st_uid, (long)localuid);
1139 if ((sbuf.st_mode & 077) != 0) {
1140 result = vstrallocf(
1141 _("%s: incorrect permissions; file must be accessible only by its owner"), ptmp);
1145 while ((line = agets(fp)) != NULL) {
1146 if (line[0] == '\0') {
1151 /* if there's more than one column, then it's the host */
1152 if( (filehost = strtok(line, " \t")) == NULL) {
1158 * if there's only one entry, then it's a username and we have
1159 * no hostname. (so the principal is allowed from anywhere.
1161 if((fileuser = strtok(NULL, " \t")) == NULL) {
1162 fileuser = filehost;
1166 if(filehost && strcmp(filehost, host) != 0) {
1170 auth_debug(1, _("found a host match\n"));
1173 if( (filerealm = strchr(fileuser, '@')) != NULL) {
1174 *filerealm++ = '\0';
1178 * we have a match. We're going to be a little bit insecure
1179 * and indicate that the principal is correct but the realm is
1180 * not if that's the case. Technically we should say nothing
1181 * and let the user figure it out, but it's helpful for debugging.
1182 * You likely only get this far if you've turned on cross-realm auth
1185 auth_debug(1, _("comparing %s %s\n"), fileuser, name);
1186 if(strcmp(fileuser, name) == 0) {
1187 auth_debug(1, _("found a match!\n"));
1188 if(realm && filerealm && (strcmp(realm, filerealm)!=0)) {
1198 result = vstrallocf(_("no match in %s"), ptmp);
1203 #endif /* AMANDA_PRINCIPAL */