2 * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
16 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
17 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
26 #include <sys/types.h>
27 #include <sys/param.h>
36 #endif /* STDC_HEADERS */
40 # ifdef HAVE_STRINGS_H
43 #endif /* HAVE_STRING_H */
46 #endif /* HAVE_UNISTD_H */
54 #include "sudo_auth.h"
57 __unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.8 2008/02/13 22:17:41 millert Exp $";
61 # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
62 # define krb5_free_data_contents(c, d) krb5_data_free(d)
64 # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
67 #ifndef HAVE_KRB5_VERIFY_USER
68 static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *));
70 static struct _sudo_krb5_data {
71 krb5_context sudo_context;
74 } sudo_krb5_data = { NULL, NULL, NULL };
75 typedef struct _sudo_krb5_data *sudo_krb5_datap;
78 kerb5_init(pw, promptp, auth)
83 krb5_context sudo_context;
86 krb5_error_code error;
90 auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
92 #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
93 error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
95 error = krb5_init_context(&(sudo_krb5_data.sudo_context));
99 sudo_context = sudo_krb5_data.sudo_context;
101 if ((error = krb5_parse_name(sudo_context, pw->pw_name,
102 &(sudo_krb5_data.princ)))) {
103 log_error(NO_EXIT|NO_MAIL,
104 "%s: unable to parse '%s': %s", auth->name, pw->pw_name,
105 error_message(error));
106 return(AUTH_FAILURE);
108 princ = sudo_krb5_data.princ;
111 * Really, we need to tell the caller not to prompt for password.
112 * The API does not currently provide this unless the auth is standalone.
115 if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
116 log_error(NO_EXIT|NO_MAIL,
117 "%s: unable to unparse princ ('%s'): %s", auth->name,
118 pw->pw_name, error_message(error));
119 return(AUTH_FAILURE);
122 /* Only rewrite prompt if user didn't specify their own. */
123 /*if (!strcmp(prompt, PASSPROMPT)) { */
124 easprintf(promptp, "Password for %s: ", pname);
129 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
131 if ((error = krb5_cc_resolve(sudo_context, cache_name,
132 &(sudo_krb5_data.ccache)))) {
133 log_error(NO_EXIT|NO_MAIL,
134 "%s: unable to resolve ccache: %s", auth->name,
135 error_message(error));
136 return(AUTH_FAILURE);
138 ccache = sudo_krb5_data.ccache;
140 return(AUTH_SUCCESS);
143 #ifdef HAVE_KRB5_VERIFY_USER
145 kerb5_verify(pw, pass, auth)
150 krb5_context sudo_context;
151 krb5_principal princ;
153 krb5_error_code error;
155 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
156 princ = ((sudo_krb5_datap) auth->data)->princ;
157 ccache = ((sudo_krb5_datap) auth->data)->ccache;
159 error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
160 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
164 kerb5_verify(pw, pass, auth)
169 krb5_context sudo_context;
170 krb5_principal princ;
171 krb5_creds credbuf, *creds = NULL;
173 krb5_error_code error;
174 krb5_get_init_creds_opt *opts = NULL;
176 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
177 princ = ((sudo_krb5_datap) auth->data)->princ;
178 ccache = ((sudo_krb5_datap) auth->data)->ccache;
180 /* Set default flags based on the local config file. */
181 error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
183 log_error(NO_EXIT|NO_MAIL,
184 "%s: unable to allocate options: %s", auth->name,
185 error_message(error));
189 krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
190 krb5_principal_get_realm(sudo_context, princ), opts);
193 /* Note that we always obtain a new TGT to verify the user */
194 if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
195 pass, krb5_prompter_posix,
196 NULL, 0, NULL, opts))) {
197 /* Don't print error if just a bad password */
198 if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
199 log_error(NO_EXIT|NO_MAIL,
200 "%s: unable to get credentials: %s", auth->name,
201 error_message(error));
206 /* Verify the TGT to prevent spoof attacks. */
207 if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
210 /* Store cred in cred cache. */
211 if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
212 log_error(NO_EXIT|NO_MAIL,
213 "%s: unable to initialize ccache: %s", auth->name,
214 error_message(error));
215 } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
216 log_error(NO_EXIT|NO_MAIL,
217 "%s: unable to store cred in ccache: %s", auth->name,
218 error_message(error));
224 krb5_get_init_creds_opt_free(opts);
226 krb5_get_init_creds_opt_free(sudo_context, opts);
230 krb5_free_cred_contents(sudo_context, creds);
231 return (error ? AUTH_FAILURE : AUTH_SUCCESS);
236 kerb5_cleanup(pw, auth)
240 krb5_context sudo_context;
241 krb5_principal princ;
244 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
245 princ = ((sudo_krb5_datap) auth->data)->princ;
246 ccache = ((sudo_krb5_datap) auth->data)->ccache;
250 krb5_cc_destroy(sudo_context, ccache);
252 krb5_free_principal(sudo_context, princ);
253 krb5_free_context(sudo_context);
256 return(AUTH_SUCCESS);
259 #ifndef HAVE_KRB5_VERIFY_USER
261 * Verify the Kerberos ticket-granting ticket just retrieved for the
262 * user. If the Kerberos server doesn't respond, assume the user is
263 * trying to fake us out (since we DID just get a TGT from what is
264 * supposedly our KDC).
266 * Returns 0 for successful authentication, non-zero for failure.
269 verify_krb_v5_tgt(sudo_context, cred, auth_name)
270 krb5_context sudo_context;
272 char *auth_name; /* For error reporting */
274 krb5_error_code error;
275 krb5_principal server;
276 krb5_verify_init_creds_opt vopt;
279 * Get the server principal for the local host.
280 * (Use defaults of "host" and canonicalized local name.)
282 if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
283 KRB5_NT_SRV_HST, &server))) {
284 log_error(NO_EXIT|NO_MAIL,
285 "%s: unable to get host principal: %s", auth_name,
286 error_message(error));
290 /* Initialize verify opts and set secure mode */
291 krb5_verify_init_creds_opt_init(&vopt);
292 krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
294 /* verify the Kerberos ticket-granting ticket we just retrieved */
295 error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
297 krb5_free_principal(sudo_context, server);
299 log_error(NO_EXIT|NO_MAIL,
300 "%s: Cannot verify TGT! Possible attack!: %s", auth_name,
301 error_message(error));