2 * Amanda, The Advanced Maryland Automatic Network Disk Archiver
3 * Copyright (c) 1999 University of Maryland
6 * Permission to use, copy, modify, distribute, and sell this software and its
7 * documentation for any purpose is hereby granted without fee, provided that
8 * the above copyright notice appear in all copies and that both that
9 * copyright notice and this permission notice appear in supporting
10 * documentation, and that the name of U.M. not be used in advertising or
11 * publicity pertaining to distribution of the software without specific,
12 * written prior permission. U.M. makes no representations about the
13 * suitability of this software for any purpose. It is provided "as is"
14 * without express or implied warranty.
16 * U.M. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL U.M.
18 * BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
19 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
20 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
21 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 * Authors: the Amanda Development Team. Its members are listed in a
24 * file named AUTHORS, in the root directory of this distribution.
28 * $Id: krb5-security.c,v 1.22 2006/06/16 10:55:05 martinea Exp $
30 * krb5-security.c - kerberos V5 security module
32 * XXX still need to check for initial keyword on connect so we can skip
33 * over shell garbage and other stuff that krb5 might want to spew out.
41 #include "security-util.h"
43 #include "sockaddr-util.h"
45 #ifdef KRB5_HEIMDAL_INCLUDES
49 #define BROKEN_MEMORY_CCACHE
51 #ifdef BROKEN_MEMORY_CCACHE
53 * If you don't have atexit() or on_exit(), you could just consider
54 * making atexit() empty and clean up your ticket files some other
59 #define atexit(func) on_exit(func, 0)
61 #define atexit(func) (you must to resolve lack of atexit)
62 #endif /* HAVE_ON_EXIT */
63 #endif /* ! HAVE_ATEXIT */
65 #ifndef KRB5_HEIMDAL_INCLUDES
66 #include <gssapi/gssapi_generic.h>
68 #include <gssapi/gssapi.h>
72 #ifndef KRB5_ENV_CCNAME
73 #define KRB5_ENV_CCNAME "KRB5CCNAME"
77 * consider undefining when kdestroy() is fixed. The current version does
78 * not work under krb5-1.2.4 in rh7.3, perhaps others.
80 #define KDESTROY_VIA_UNLINK 1
83 * Where the keytab lives, if defined. Otherwise it expects something in the
86 /* #define AMANDA_KEYTAB "/.amanda-v5-keytab" */
89 * The name of the principal we authenticate with, if defined. Otherwise
90 * it expects something in the config file.
92 /* #define AMANDA_PRINCIPAL "service/amanda" */
95 * The lifetime of our tickets in seconds. This may or may not need to be
98 #define AMANDA_TKT_LIFETIME (12*60*60)
102 * The name of the service in /etc/services. This probably shouldn't be
105 #define AMANDA_KRB5_SERVICE_NAME "k5amanda"
108 * The default port to use if above entry in /etc/services doesn't exist
110 #define AMANDA_KRB5_DEFAULT_PORT 10082
113 * The timeout in seconds for each step of the GSS negotiation phase
115 #define GSS_TIMEOUT 30
118 * This is the tcp stream buffer size
120 #define KRB5_STREAM_BUFSIZE (32768 * 2)
123 * This is the max number of outgoing connections we can have at once.
124 * planner/amcheck/etc will open a bunch of connections as it tries
125 * to contact everything. We need to limit this to avoid blowing
126 * the max number of open file descriptors a process can have.
128 #define AMANDA_KRB5_MAXCONN 40
132 * Number of seconds krb5 has to start up
134 #define CONNECT_TIMEOUT 20
137 * Cache the local hostname
139 static char myhostname[MAX_HOSTNAME_LENGTH+1];
143 * Interface functions
145 static void krb5_accept(const struct security_driver *,
146 char *(*)(char *, void *),
148 void (*)(security_handle_t *, pkt_t *),
150 static void krb5_connect(const char *,
151 char *(*)(char *, void *),
152 void (*)(void *, security_handle_t *, security_status_t), void *, void *);
154 static void krb5_init(void);
155 #ifdef BROKEN_MEMORY_CCACHE
156 static void cleanup(void);
158 static const char *get_tgt(char *keytab_name, char *principal_name);
159 static int gss_server(struct tcp_conn *);
160 static int gss_client(struct sec_handle *);
161 static const char *gss_error(OM_uint32, OM_uint32);
162 static char *krb5_checkuser(char *host, char *name, char *realm);
164 static int k5_encrypt(void *cookie, void *buf, ssize_t buflen,
165 void **encbuf, ssize_t *encbuflen);
166 static int k5_decrypt(void *cookie, void *buf, ssize_t buflen,
167 void **encbuf, ssize_t *encbuflen);
170 * This is our interface to the outside world.
172 const security_driver_t krb5_security_driver = {
179 stream_recvpkt_cancel,
188 tcpm_stream_read_sync,
189 tcpm_stream_read_cancel,
190 tcpm_close_connection,
195 static int newhandle = 1;
200 static int runkrb5(struct sec_handle *);
203 char *principal_name;
206 * krb5 version of a security handle allocator. Logically sets
207 * up a network "connection".
211 const char *hostname,
212 char * (*conf_fn)(char *, void *),
213 void (*fn)(void *, security_handle_t *, security_status_t),
217 struct sec_handle *rh;
222 assert(hostname != NULL);
224 auth_debug(1, "krb5: krb5_connect: %s\n", hostname);
228 rh = alloc(sizeof(*rh));
229 security_handleinit(&rh->sech, &krb5_security_driver);
232 rh->ev_timeout = NULL;
235 result = resolve_hostname(hostname, 0, NULL, &canonname);
237 dbprintf(_("resolve_hostname(%s): %s\n"), hostname, gai_strerror(result));
238 security_seterror(&rh->sech, _("resolve_hostname(%s): %s\n"), hostname,
239 gai_strerror(result));
240 (*fn)(arg, &rh->sech, S_ERROR);
243 if (canonname == NULL) {
244 dbprintf(_("resolve_hostname(%s) did not return a canonical name\n"), hostname);
245 security_seterror(&rh->sech,
246 _("resolve_hostname(%s) did not return a canonical name\n"), hostname);
247 (*fn)(arg, &rh->sech, S_ERROR);
251 rh->hostname = canonname; /* will be replaced */
252 canonname = NULL; /* steal reference */
253 rh->rs = tcpma_stream_client(rh, newhandle++);
254 rh->rc->conf_fn = conf_fn;
255 rh->rc->datap = datap;
256 rh->rc->recv_security_ok = NULL;
257 rh->rc->prefix_packet = NULL;
262 amfree(rh->hostname);
263 rh->hostname = stralloc(rh->rs->rc->hostname);
266 keytab_name = AMANDA_KEYTAB;
269 keytab_name = conf_fn("krb5keytab", datap);
272 #ifdef AMANDA_PRINCIPAL
273 principal_name = AMANDA_PRINCIPAL;
276 principal_name = conf_fn("krb5principal", datap);
281 * We need to open a new connection.
283 * XXX need to eventually limit number of outgoing connections here.
285 if(rh->rc->read == -1) {
292 * The socket will be opened async so hosts that are down won't
293 * block everything. We need to register a write event
294 * so we will know when the socket comes alive.
296 * Overload rh->rs->ev_read to provide a write event handle.
297 * We also register a timeout.
301 rh->rs->ev_read = event_register((event_id_t)(rh->rs->rc->write),
302 EV_WRITEFD, sec_connect_callback, rh);
303 rh->ev_timeout = event_register(CONNECT_TIMEOUT, EV_TIME,
304 sec_connect_timeout, rh);
311 (*fn)(arg, &rh->sech, S_ERROR);
316 * Setup to handle new incoming connections
320 const struct security_driver *driver,
321 char *(*conf_fn)(char *, void *),
324 void (*fn)(security_handle_t *, pkt_t *),
330 char hostname[NI_MAXHOST];
337 if (getpeername(in, (struct sockaddr *)&sin, &len) < 0) {
338 dbprintf(_("getpeername returned: %s\n"),
343 if ((result = getnameinfo((struct sockaddr *)&sin, len,
344 hostname, NI_MAXHOST, NULL, 0, 0) != 0)) {
345 dbprintf(_("getnameinfo failed: %s\n"),
346 gai_strerror(result));
349 if (check_name_give_sockaddr(hostname,
350 (struct sockaddr *)&sin, &errmsg) < 0) {
351 dbprintf(_("check_name_give_sockaddr(%s): %s\n"),
358 rc = sec_tcp_conn_get(hostname, 0);
359 rc->conf_fn = conf_fn;
361 rc->recv_security_ok = NULL;
362 rc->prefix_packet = NULL;
363 copy_sockaddr(&rc->peer, &sin);
367 if (gss_server(rc) < 0)
368 error("gss_server failed: %s\n", rc->errmsg);
370 sec_tcp_conn_read(rc);
374 * Forks a krb5 to the host listed in rc->hostname
375 * Returns negative on error, with an errmsg in rc->errmsg.
379 struct sec_handle * rh)
383 in_port_t my_port, port;
384 struct tcp_conn * rc = rh->rc;
387 if ((sp = getservbyname(AMANDA_KRB5_SERVICE_NAME, "tcp")) == NULL)
388 port = htons(AMANDA_KRB5_DEFAULT_PORT);
392 if ((err = get_tgt(keytab_name, principal_name)) != NULL) {
393 security_seterror(&rh->sech, "%s: could not get TGT: %s",
399 server_socket = stream_client(rc->hostname,
400 (in_port_t)(ntohs(port)),
407 if(server_socket < 0) {
408 security_seterror(&rh->sech,
409 "%s", strerror(errno));
414 rc->read = rc->write = server_socket;
416 if (gss_client(rh) < 0) {
428 * Negotiate a krb5 gss context from the client end.
432 struct sec_handle *rh)
434 struct sec_stream *rs = rh->rs;
435 struct tcp_conn *rc = rs->rc;
436 gss_buffer_desc send_tok, recv_tok, AA;
438 OM_uint32 maj_stat, min_stat;
439 unsigned int ret_flags;
445 auth_debug(1, "gss_client\n");
447 send_tok.value = vstralloc("host/", rs->rc->hostname, NULL);
448 send_tok.length = strlen(send_tok.value) + 1;
449 maj_stat = gss_import_name(&min_stat, &send_tok, GSS_C_NULL_OID,
451 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
452 security_seterror(&rh->sech, _("can't import name %s: %s"),
453 (char *)send_tok.value, gss_error(maj_stat, min_stat));
454 amfree(send_tok.value);
457 amfree(send_tok.value);
458 rc->gss_context = GSS_C_NO_CONTEXT;
459 maj_stat = gss_display_name(&min_stat, gss_name, &AA, &doid);
460 dbprintf(_("gss_name %s\n"), (char *)AA.value);
463 * Perform the context-establishement loop.
465 * Every generated token is stored in send_tok which is then
466 * transmitted to the server; every received token is stored in
467 * recv_tok (empty on the first pass) to be processed by
468 * the next call to gss_init_sec_context.
470 * GSS-API guarantees that send_tok's length will be non-zero
471 * if and only if the server is expecting another token from us,
472 * and that gss_init_sec_context returns GSS_S_CONTINUE_NEEDED if
473 * and only if the server has another token to send us.
476 recv_tok.value = NULL;
477 for (recv_tok.length = 0;;) {
479 maj_stat = gss_init_sec_context(&min_stat,
484 (OM_uint32)GSS_C_MUTUAL_FLAG|GSS_C_REPLAY_FLAG,
485 0, NULL, /* no channel bindings */
486 (recv_tok.length == 0 ? GSS_C_NO_BUFFER : &recv_tok),
487 NULL, /* ignore mech type */
490 NULL); /* ignore time_rec */
492 if (recv_tok.length != 0) {
493 amfree(recv_tok.value);
496 if (maj_stat != (OM_uint32)GSS_S_COMPLETE && maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED) {
497 security_seterror(&rh->sech,
498 _("error getting gss context: %s %s"),
499 gss_error(maj_stat, min_stat), (char *)send_tok.value);
504 * Send back the response
506 if (send_tok.length != 0 && tcpm_send_token(rc, rc->write, rs->handle, &errmsg, send_tok.value, send_tok.length) < 0) {
507 security_seterror(&rh->sech, "%s", rc->errmsg);
508 gss_release_buffer(&min_stat, &send_tok);
511 gss_release_buffer(&min_stat, &send_tok);
514 * If we need to continue, then register for more packets
516 if (maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED)
519 rvalue = tcpm_recv_token(rc, rc->read, &rc->handle, &rc->errmsg,
520 (void *)&recv_tok.value,
521 (ssize_t *)&recv_tok.length, 60);
524 security_seterror(&rh->sech,
525 _("recv error in gss loop: %s"), rc->errmsg);
527 security_seterror(&rh->sech, _("EOF in gss loop"));
535 gss_release_name(&min_stat, &gss_name);
540 * Negotiate a krb5 gss context from the server end.
546 OM_uint32 maj_stat, min_stat, ret_flags;
547 gss_buffer_desc send_tok, recv_tok, AA;
550 gss_cred_id_t gss_creds;
551 char *p, *realm, *msg;
557 auth_debug(1, "gss_server\n");
562 * We need to be root while in gss_acquire_cred() to read the host key
563 * out of the default keytab. We also need to be root in
564 * gss_accept_context() thanks to the replay cache code.
566 if (!set_root_privs(0)) {
567 g_snprintf(errbuf, SIZEOF(errbuf),
568 _("can't take root privileges to read krb5 host key: %s"), strerror(errno));
572 rc->gss_context = GSS_C_NO_CONTEXT;
573 send_tok.value = vstralloc("host/", myhostname, NULL);
574 send_tok.length = strlen(send_tok.value) + 1;
575 for (p = send_tok.value; *p != '\0'; p++) {
576 if (isupper((int)*p))
579 maj_stat = gss_import_name(&min_stat, &send_tok, GSS_C_NULL_OID,
581 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
583 g_snprintf(errbuf, SIZEOF(errbuf),
584 _("can't import name %s: %s"), (char *)send_tok.value,
585 gss_error(maj_stat, min_stat));
586 amfree(send_tok.value);
589 amfree(send_tok.value);
591 maj_stat = gss_display_name(&min_stat, gss_name, &AA, &doid);
592 dbprintf(_("gss_name %s\n"), (char *)AA.value);
593 maj_stat = gss_acquire_cred(&min_stat, gss_name, 0,
594 GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &gss_creds, NULL, NULL);
595 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
596 g_snprintf(errbuf, SIZEOF(errbuf),
597 _("can't acquire creds for host key host/%s: %s"), myhostname,
598 gss_error(maj_stat, min_stat));
599 gss_release_name(&min_stat, &gss_name);
603 gss_release_name(&min_stat, &gss_name);
605 for (recv_tok.length = 0;;) {
606 recv_tok.value = NULL;
607 rvalue = tcpm_recv_token(rc, rc->read, &rc->handle, &rc->errmsg,
608 /* (void *) is to avoid type-punning warning */
609 (char **)(void *)&recv_tok.value,
610 (ssize_t *)&recv_tok.length, 60);
613 g_snprintf(errbuf, SIZEOF(errbuf),
614 _("recv error in gss loop: %s"), rc->errmsg);
617 g_snprintf(errbuf, SIZEOF(errbuf), _("EOF in gss loop"));
621 maj_stat = gss_accept_sec_context(&min_stat, &rc->gss_context,
622 gss_creds, &recv_tok, GSS_C_NO_CHANNEL_BINDINGS,
623 &gss_name, &doid, &send_tok, &ret_flags, NULL, NULL);
625 if (maj_stat != (OM_uint32)GSS_S_COMPLETE &&
626 maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED) {
627 g_snprintf(errbuf, SIZEOF(errbuf),
628 _("error accepting context: %s"), gss_error(maj_stat, min_stat));
629 amfree(recv_tok.value);
632 amfree(recv_tok.value);
634 if (send_tok.length != 0 && tcpm_send_token(rc, rc->write, 0, &errmsg, send_tok.value, send_tok.length) < 0) {
635 strncpy(errbuf, rc->errmsg, SIZEOF(errbuf) - 1);
636 errbuf[SIZEOF(errbuf) - 1] = '\0';
638 gss_release_buffer(&min_stat, &send_tok);
641 gss_release_buffer(&min_stat, &send_tok);
645 * If we need to get more from the client, then register for
648 if (maj_stat != (OM_uint32)GSS_S_CONTINUE_NEEDED)
652 maj_stat = gss_display_name(&min_stat, gss_name, &send_tok, &doid);
653 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
654 g_snprintf(errbuf, SIZEOF(errbuf),
655 _("can't display gss name: %s"), gss_error(maj_stat, min_stat));
656 gss_release_name(&min_stat, &gss_name);
659 gss_release_name(&min_stat, &gss_name);
661 /* get rid of the realm */
662 if ((p = strchr(send_tok.value, '@')) == NULL) {
663 g_snprintf(errbuf, SIZEOF(errbuf),
664 _("malformed gss name: %s"), (char *)send_tok.value);
665 amfree(send_tok.value);
672 * If the principal doesn't match, complain
674 if ((msg = krb5_checkuser(rc->hostname, send_tok.value, realm)) != NULL) {
675 g_snprintf(errbuf, SIZEOF(errbuf),
676 _("access not allowed from %s: %s"), (char *)send_tok.value, msg);
677 amfree(send_tok.value);
680 amfree(send_tok.value);
686 rc->errmsg = stralloc(errbuf);
690 auth_debug(1, _("gss_server returning %d\n"), rval);
695 * Setup some things about krb5. This should only be called once.
700 static int beenhere = 0;
702 char *myfqhostname=NULL;
708 #ifndef BROKEN_MEMORY_CCACHE
709 putenv(stralloc("KRB5_ENV_CCNAME=MEMORY:amanda_ccache"));
712 * MEMORY ccaches seem buggy and cause a lot of internal heap
713 * corruption. malloc has been known to core dump. This behavior
714 * has been witnessed in Cygnus' kerbnet 1.2, MIT's krb V 1.0.5 and
715 * MIT's krb V -current as of 3/17/1999.
717 * We just use a lame ccache scheme with a uid suffix.
722 ccache = malloc(128);
723 g_snprintf(ccache, SIZEOF(ccache),
724 "KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld",
725 (long)geteuid(), (long)getpid());
730 gethostname(myhostname, SIZEOF(myhostname) - 1);
731 myhostname[SIZEOF(myhostname) - 1] = '\0';
734 * In case it isn't fully qualified, do a DNS lookup. Ignore
735 * any errors (this is best-effort).
737 if (resolve_hostname(myhostname, SOCK_STREAM, NULL, &myfqhostname) == 0
738 && myfqhostname != NULL) {
739 strncpy(myhostname, myfqhostname, SIZEOF(myhostname)-1);
740 myhostname[SIZEOF(myhostname)-1] = '\0';
741 amfree(myfqhostname);
745 * Lowercase the results. We assume all host/ principals will be
748 for (p = myhostname; *p != '\0'; p++) {
749 if (isupper((int)*p))
754 #ifdef BROKEN_MEMORY_CCACHE
758 #ifdef KDESTROY_VIA_UNLINK
760 g_snprintf(ccache, SIZEOF(ccache), "/tmp/amanda_ccache.%ld.%ld",
761 (long)geteuid(), (long)getpid());
770 * Get a ticket granting ticket and stuff it in the cache
775 char * principal_name)
777 krb5_context context;
779 krb5_principal client = NULL, server = NULL;
784 #ifdef KRB5_HEIMDAL_INCLUDES
785 krb5_data tgtname = { KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME };
787 krb5_data tgtname = { 0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME };
789 static char *error = NULL;
795 if ((ret = krb5_init_context(&context)) != 0) {
796 error = vstrallocf(_("error initializing krb5 context: %s"),
801 /*krb5_init_ets(context);*/
804 error = vstrallocf(_("error -- no krb5 keytab defined"));
808 if(!principal_name) {
809 error = vstrallocf(_("error -- no krb5 principal defined"));
814 * Resolve keytab file into a keytab object
816 if ((ret = krb5_kt_resolve(context, keytab_name, &keytab)) != 0) {
817 error = vstrallocf(_("error resolving keytab %s: %s"), keytab_name,
823 * Resolve the amanda service held in the keytab into a principal
826 ret = krb5_parse_name(context, principal_name, &client);
828 error = vstrallocf(_("error parsing %s: %s"), principal_name,
833 #ifdef KRB5_HEIMDAL_INCLUDES
834 ret = krb5_build_principal_ext(context, &server,
835 krb5_realm_length(*krb5_princ_realm(context, client)),
836 krb5_realm_data(*krb5_princ_realm(context, client)),
837 tgtname.length, tgtname.data,
838 krb5_realm_length(*krb5_princ_realm(context, client)),
839 krb5_realm_data(*krb5_princ_realm(context, client)),
842 ret = krb5_build_principal_ext(context, &server,
843 krb5_princ_realm(context, client)->length,
844 krb5_princ_realm(context, client)->data,
845 tgtname.length, tgtname.data,
846 krb5_princ_realm(context, client)->length,
847 krb5_princ_realm(context, client)->data,
851 error = vstrallocf(_("error while building server name: %s"),
856 ret = krb5_timeofday(context, &now);
858 error = vstrallocf(_("error getting time of day: %s"), error_message(ret));
862 memset(&creds, 0, SIZEOF(creds));
863 creds.times.starttime = 0;
864 creds.times.endtime = now + AMANDA_TKT_LIFETIME;
866 creds.client = client;
867 creds.server = server;
870 * Get a ticket for the service, using the keytab
872 ret = krb5_get_in_tkt_with_keytab(context, 0, NULL, NULL, NULL,
873 keytab, 0, &creds, 0);
876 error = vstrallocf(_("error getting ticket for %s: %s"),
877 principal_name, error_message(ret));
881 if ((ret = krb5_cc_default(context, &ccache)) != 0) {
882 error = vstrallocf(_("error initializing ccache: %s"), error_message(ret));
885 if ((ret = krb5_cc_initialize(context, ccache, client)) != 0) {
886 error = vstrallocf(_("error initializing ccache: %s"), error_message(ret));
889 if ((ret = krb5_cc_store_cred(context, ccache, &creds)) != 0) {
890 error = vstrallocf(_("error storing creds in ccache: %s"),
894 krb5_cc_close(context, ccache);
896 krb5_free_cred_contents(context, &creds);
899 krb5_free_principal(context, client);
900 krb5_free_principal(context, server);
902 krb5_free_context(context);
906 #ifndef KDESTROY_VIA_UNLINK
913 krb5_context context;
916 if ((krb5_init_context(&context)) != 0) {
919 if ((krb5_cc_default(context, &ccache)) != 0) {
923 krb5_cc_destroy(context, ccache);
924 krb5_cc_close(context, ccache);
927 krb5_free_context(context);
933 * Formats an error from the gss api
940 static gss_buffer_desc msg;
941 OM_uint32 min_stat, msg_ctx;
944 gss_release_buffer(&min_stat, &msg);
947 if (major == GSS_S_FAILURE)
948 gss_display_status(&min_stat, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID,
951 gss_display_status(&min_stat, major, GSS_C_GSS_CODE, GSS_C_NULL_OID,
953 return ((const char *)msg.value);
964 struct tcp_conn *rc = cookie;
965 gss_buffer_desc dectok;
966 gss_buffer_desc enctok;
967 OM_uint32 maj_stat, min_stat;
970 if (rc->conf_fn && rc->conf_fn("kencrypt", rc->datap)) {
971 auth_debug(1, _("krb5: k5_encrypt: enter %p\n"), rc);
973 dectok.length = buflen;
977 assert(rc->gss_context != GSS_C_NO_CONTEXT);
978 maj_stat = gss_seal(&min_stat, rc->gss_context, 1,
979 GSS_C_QOP_DEFAULT, &dectok, &conf_state,
981 if (maj_stat != (OM_uint32)GSS_S_COMPLETE || conf_state == 0) {
982 auth_debug(1, _("krb5 encrypt error to %s: %s\n"),
983 rc->hostname, gss_error(maj_stat, min_stat));
986 auth_debug(1, _("krb5: k5_encrypt: give %zu bytes\n"),
988 *encbuf = enctok.value;
989 *encbuflen = enctok.length;
994 auth_debug(1, _("krb5: k5_encrypt: exit\n"));
1008 struct tcp_conn *rc = cookie;
1009 gss_buffer_desc enctok;
1010 gss_buffer_desc dectok;
1011 OM_uint32 maj_stat, min_stat;
1012 int conf_state, qop_state;
1014 if (rc->conf_fn && rc->conf_fn("kencrypt", rc->datap)) {
1015 auth_debug(1, _("krb5: k5_decrypt: enter\n"));
1016 if (rc->auth == 1) {
1017 enctok.length = buflen;
1020 auth_debug(1, _("krb5: k5_decrypt: decrypting %zu bytes\n"), enctok.length);
1022 assert(rc->gss_context != GSS_C_NO_CONTEXT);
1023 maj_stat = gss_unseal(&min_stat, rc->gss_context, &enctok, &dectok,
1024 &conf_state, &qop_state);
1025 if (maj_stat != (OM_uint32)GSS_S_COMPLETE) {
1026 auth_debug(1, _("krb5 decrypt error from %s: %s\n"),
1027 rc->hostname, gss_error(maj_stat, min_stat));
1030 auth_debug(1, _("krb5: k5_decrypt: give %zu bytes\n"),
1032 *decbuf = dectok.value;
1033 *decbuflen = dectok.length;
1036 *decbuflen = buflen;
1038 auth_debug(1, _("krb5: k5_decrypt: exit\n"));
1041 *decbuflen = buflen;
1047 * check ~/.k5amandahosts to see if this principal is allowed in. If it's
1048 * hardcoded, then we don't check the realm
1051 krb5_checkuser( char * host,
1055 #ifdef AMANDA_PRINCIPAL
1056 if(strcmp(name, AMANDA_PRINCIPAL) == 0) {
1059 return(vstrallocf(_("does not match compiled in default")));
1064 char *result = _("generic error"); /* default is to not permit */
1069 char *filehost = NULL, *fileuser = NULL, *filerealm = NULL;
1071 assert( host != NULL);
1072 assert( name != NULL);
1074 if((pwd = getpwnam(CLIENT_LOGIN)) == NULL) {
1075 result = vstrallocf(_("can not find user %s"), CLIENT_LOGIN);
1077 localuid = pwd->pw_uid;
1079 #ifdef USE_AMANDAHOSTS
1080 ptmp = stralloc2(pwd->pw_dir, "/.k5amandahosts");
1082 ptmp = stralloc2(pwd->pw_dir, "/.k5login");
1086 result = vstrallocf(_("could not find home directory for %s"), CLIENT_LOGIN);
1091 * check to see if the ptmp file does nto exist.
1093 if(access(ptmp, R_OK) == -1 && errno == ENOENT) {
1095 * in this case we check to see if the principal matches
1096 * the destination user mimicing the .k5login functionality.
1098 if(strcmp(name, CLIENT_LOGIN) != 0) {
1099 result = vstrallocf(_("%s does not match %s"),
1100 name, CLIENT_LOGIN);
1107 auth_debug(1, _("opening ptmp: %s\n"), (ptmp)?ptmp: "NULL!");
1108 if((fp = fopen(ptmp, "r")) == NULL) {
1109 result = vstrallocf(_("can not open %s"), ptmp);
1112 auth_debug(1, _("opened ptmp\n"));
1114 if (fstat(fileno(fp), &sbuf) != 0) {
1115 result = vstrallocf(_("cannot fstat %s: %s"), ptmp, strerror(errno));
1119 if (sbuf.st_uid != localuid) {
1120 result = vstrallocf(_("%s is owned by %ld, should be %ld"),
1121 ptmp, (long)sbuf.st_uid, (long)localuid);
1124 if ((sbuf.st_mode & 077) != 0) {
1125 result = vstrallocf(
1126 _("%s: incorrect permissions; file must be accessible only by its owner"), ptmp);
1130 while ((line = agets(fp)) != NULL) {
1131 if (line[0] == '\0') {
1136 /* if there's more than one column, then it's the host */
1137 if( (filehost = strtok(line, " \t")) == NULL) {
1143 * if there's only one entry, then it's a username and we have
1144 * no hostname. (so the principal is allowed from anywhere.
1146 if((fileuser = strtok(NULL, " \t")) == NULL) {
1147 fileuser = filehost;
1151 if(filehost && strcmp(filehost, host) != 0) {
1155 auth_debug(1, _("found a host match\n"));
1158 if( (filerealm = strchr(fileuser, '@')) != NULL) {
1159 *filerealm++ = '\0';
1163 * we have a match. We're going to be a little bit insecure
1164 * and indicate that the principal is correct but the realm is
1165 * not if that's the case. Technically we should say nothing
1166 * and let the user figure it out, but it's helpful for debugging.
1167 * You likely only get this far if you've turned on cross-realm auth
1170 auth_debug(1, _("comparing %s %s\n"), fileuser, name);
1171 if(strcmp(fileuser, name) == 0) {
1172 auth_debug(1, _("found a match!\n"));
1173 if(realm && filerealm && (strcmp(realm, filerealm)!=0)) {
1183 result = vstrallocf(_("no match in %s"), ptmp);
1188 #endif /* AMANDA_PRINCIPAL */