2 * Copyright (c) 1999, 2001 Todd C. Miller <Todd.Miller@courtesan.com>
5 * This code is derived from software contributed by Frank Cusack
6 * <fcusack@fcusack.com>.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote products
20 * derived from this software without specific prior written permission.
22 * 4. Products derived from this software may not be called "Sudo" nor
23 * may "Sudo" appear in their names without specific prior written
24 * permission from the author.
26 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
27 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
28 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
29 * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
30 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
31 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
32 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
33 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
34 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
35 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40 #include <sys/types.h>
41 #include <sys/param.h>
50 #endif /* STDC_HEADERS */
54 # ifdef HAVE_STRINGS_H
57 #endif /* HAVE_STRING_H */
60 #endif /* HAVE_UNISTD_H */
65 #include "sudo_auth.h"
68 static const char rcsid[] = "$Sudo: kerb5.c,v 1.11 2001/12/14 19:52:53 millert Exp $";
71 static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
72 static struct _sudo_krb5_data {
73 krb5_context sudo_context;
76 } sudo_krb5_data = { NULL, NULL, NULL };
77 typedef struct _sudo_krb5_data *sudo_krb5_datap;
79 extern krb5_cc_ops krb5_mcc_ops;
82 kerb5_init(pw, promptp, auth)
87 krb5_context sudo_context;
90 krb5_error_code error;
94 auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
96 if (error = krb5_init_context(&(sudo_krb5_data.sudo_context))) {
97 log_error(NO_EXIT|NO_MAIL,
98 "%s: unable to initialize context: %s", auth->name,
99 error_message(error));
100 return(AUTH_FAILURE);
102 sudo_context = sudo_krb5_data.sudo_context;
104 if (error = krb5_parse_name(sudo_context, pw->pw_name,
105 &(sudo_krb5_data.princ))) {
106 log_error(NO_EXIT|NO_MAIL,
107 "%s: unable to parse '%s': %s", auth->name, pw->pw_name,
108 error_message(error));
109 return(AUTH_FAILURE);
111 princ = sudo_krb5_data.princ;
114 * Really, we need to tell the caller not to prompt for password.
115 * The API does not currently provide this unless the auth is standalone.
118 if (error = krb5_unparse_name(sudo_context, princ, &pname)) {
119 log_error(NO_EXIT|NO_MAIL,
120 "%s: unable to unparse princ ('%s'): %s", auth->name,
121 pw->pw_name, error_message(error));
122 return(AUTH_FAILURE);
125 /* Only rewrite prompt if user didn't specify their own. */
126 /*if (!strcmp(prompt, PASSPROMPT)) { */
127 easprintf(promptp, "Password for %s: ", pname);
132 /* For CNS compatibility */
133 if (error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE)) {
134 if (error != KRB5_CC_TYPE_EXISTS) {
135 log_error(NO_EXIT|NO_MAIL,
136 "%s: unable to use Memory ccache: %s", auth->name,
137 error_message(error));
138 return(AUTH_FAILURE);
142 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
144 if (error = krb5_cc_resolve(sudo_context, cache_name,
145 &(sudo_krb5_data.ccache))) {
146 log_error(NO_EXIT|NO_MAIL,
147 "%s: unable to resolve ccache: %s", auth->name,
148 error_message(error));
149 return(AUTH_FAILURE);
151 ccache = sudo_krb5_data.ccache;
153 if (error = krb5_cc_initialize(sudo_context, ccache, princ)) {
154 log_error(NO_EXIT|NO_MAIL,
155 "%s: unable to initialize ccache: %s", auth->name,
156 error_message(error));
157 return(AUTH_FAILURE);
160 return(AUTH_SUCCESS);
164 kerb5_verify(pw, pass, auth)
169 krb5_context sudo_context;
170 krb5_principal princ;
173 krb5_error_code error;
174 krb5_get_init_creds_opt opts;
177 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
178 princ = ((sudo_krb5_datap) auth->data)->princ;
179 ccache = ((sudo_krb5_datap) auth->data)->ccache;
181 /* Initialize options to defaults */
182 krb5_get_init_creds_opt_init(&opts);
184 /* Note that we always obtain a new TGT to verify the user */
185 if (error = krb5_get_init_creds_password(sudo_context, &creds, princ,
186 pass, krb5_prompter_posix,
187 NULL, 0, NULL, &opts)) {
188 if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
189 return(AUTH_FAILURE);
190 /* Some other error */
191 log_error(NO_EXIT|NO_MAIL,
192 "%s: unable to get credentials: %s", auth->name,
193 error_message(error));
194 return(AUTH_FAILURE);
197 /* Stash the TGT so we can verify it. */
198 if (error = krb5_cc_store_cred(sudo_context, ccache, &creds)) {
199 log_error(NO_EXIT|NO_MAIL,
200 "%s: unable to store credentials: %s", auth->name,
201 error_message(error));
203 error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
206 krb5_free_cred_contents(sudo_context, &creds);
207 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
211 kerb5_cleanup(pw, auth)
215 krb5_context sudo_context;
216 krb5_principal princ;
219 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
220 princ = ((sudo_krb5_datap) auth->data)->princ;
221 ccache = ((sudo_krb5_datap) auth->data)->ccache;
225 krb5_cc_destroy(sudo_context, ccache);
227 krb5_free_principal(sudo_context, princ);
228 krb5_free_context(sudo_context);
231 return(AUTH_SUCCESS);
235 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
237 * Verify the Kerberos ticket-granting ticket just retrieved for the
238 * user. If the Kerberos server doesn't respond, assume the user is
239 * trying to fake us out (since we DID just get a TGT from what is
240 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
241 * the local keytab doesn't have it), return success but log the error.
243 * This needs to run as root (to read the host service ticket).
245 * Returns 0 for successful authentication, non-zero for failure.
248 verify_krb_v5_tgt(sudo_context, ccache, auth_name)
249 krb5_context sudo_context;
251 char *auth_name; /* For error reporting */
254 krb5_error_code error;
255 krb5_principal princ;
257 krb5_keyblock *keyblock = 0;
258 krb5_auth_context auth_context = NULL;
263 * Get the server principal for the local host.
264 * (Use defaults of "host" and canonicalized local name.)
266 if (error = krb5_sname_to_principal(sudo_context, NULL, NULL,
267 KRB5_NT_SRV_HST, &princ)) {
268 log_error(NO_EXIT|NO_MAIL,
269 "%s: unable to get host principal: %s", auth_name,
270 error_message(error));
274 /* Extract the name directly. Yow. */
275 strncpy(phost, krb5_princ_component(sudo_context, princ, 1)->data,
277 phost[sizeof(phost) - 1] = '\0';
280 * Do we have host/<host> keys?
281 * (use default keytab, kvno IGNORE_VNO to get the first match,
282 * and enctype is currently ignored anyhow.)
284 if (error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
285 ENCTYPE_DES_CBC_MD5, &keyblock)) {
286 /* Keytab or service key does not exist. */
288 "%s: host service key not found: %s", auth_name,
289 error_message(error));
294 krb5_free_keyblock(sudo_context, keyblock);
296 /* Talk to the kdc and construct the ticket. */
297 error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
298 NULL, ccache, &packet);
300 krb5_auth_con_free(sudo_context, auth_context);
301 auth_context = NULL; /* setup for rd_req */
304 /* Try to use the ticket. */
306 error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
310 krb5_free_data_contents(sudo_context, &packet);
311 krb5_free_principal(sudo_context, princ);
314 log_error(NO_EXIT|NO_MAIL,
315 "%s: Cannot verify TGT! Possible attack!: %s", auth_name,
316 error_message(error));