/*
- * Copyright (c) 1999,2001,2003-2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
#endif /* HAVE_UNISTD_H */
#include <pwd.h>
#include <krb5.h>
+#ifdef HAVE_HEIMDAL
+#include <com_err.h>
+#endif
#include "sudo.h"
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: kerb5.c,v 1.23 2004/06/07 00:02:56 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.36 2008/11/09 14:13:13 millert Exp $";
#endif /* lint */
#ifdef HAVE_HEIMDAL
-# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 0)
+# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
# define krb5_free_data_contents(c, d) krb5_data_free(d)
-# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */
#else
# define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
#endif
-static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
+#ifndef HAVE_KRB5_VERIFY_USER
+static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *));
+#endif
static struct _sudo_krb5_data {
krb5_context sudo_context;
krb5_principal princ;
} sudo_krb5_data = { NULL, NULL, NULL };
typedef struct _sudo_krb5_data *sudo_krb5_datap;
-extern const krb5_cc_ops krb5_mcc_ops;
+#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+static krb5_error_code
+krb5_get_init_creds_opt_alloc(context, opts)
+ krb5_context context;
+ krb5_get_init_creds_opt **opts;
+{
+ *opts = emalloc(sizeof(krb5_get_init_creds_opt));
+ return 0;
+}
+
+static void
+krb5_get_init_creds_opt_free(opts)
+ krb5_get_init_creds_opt *opts;
+{
+ free(opts);
+}
+#endif
int
kerb5_init(pw, promptp, auth)
char cache_name[64];
char *pname;
- auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
+ auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
- if ((error = krb5_init_context(&(sudo_krb5_data.sudo_context))))
+#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
+ error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
+#else
+ error = krb5_init_context(&(sudo_krb5_data.sudo_context));
+#endif
+ if (error)
return(AUTH_FAILURE);
sudo_context = sudo_krb5_data.sudo_context;
free(pname);
#endif
- /* For CNS compatibility */
- if ((error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE))) {
- if (error != KRB5_CC_TYPE_EXISTS) {
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to use Memory ccache: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
- }
- }
-
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
(long) getpid());
if ((error = krb5_cc_resolve(sudo_context, cache_name,
}
ccache = sudo_krb5_data.ccache;
- if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
- log_error(NO_EXIT|NO_MAIL,
- "%s: unable to initialize ccache: %s", auth->name,
- error_message(error));
- return(AUTH_FAILURE);
- }
-
return(AUTH_SUCCESS);
}
+#ifdef HAVE_KRB5_VERIFY_USER
int
kerb5_verify(pw, pass, auth)
struct passwd *pw;
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
- krb5_creds creds;
krb5_error_code error;
- krb5_get_init_creds_opt opts;
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
ccache = ((sudo_krb5_datap) auth->data)->ccache;
- /* Initialize options to defaults */
- krb5_get_init_creds_opt_init(&opts);
+ error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
+ return (error ? AUTH_FAILURE : AUTH_SUCCESS);
+}
+#else
+int
+kerb5_verify(pw, pass, auth)
+ struct passwd *pw;
+ char *pass;
+ sudo_auth *auth;
+{
+ krb5_context sudo_context;
+ krb5_principal princ;
+ krb5_creds credbuf, *creds = NULL;
+ krb5_ccache ccache;
+ krb5_error_code error;
+ krb5_get_init_creds_opt *opts = NULL;
- /* Note that we always obtain a new TGT to verify the user */
- if ((error = krb5_get_init_creds_password(sudo_context, &creds, princ,
- pass, krb5_prompter_posix,
- NULL, 0, NULL, &opts))) {
- if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY) /* Bad password */
- return(AUTH_FAILURE);
- /* Some other error */
+ sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
+ princ = ((sudo_krb5_datap) auth->data)->princ;
+ ccache = ((sudo_krb5_datap) auth->data)->ccache;
+
+ /* Set default flags based on the local config file. */
+ error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
+ if (error) {
log_error(NO_EXIT|NO_MAIL,
- "%s: unable to get credentials: %s", auth->name,
+ "%s: unable to allocate options: %s", auth->name,
error_message(error));
- return(AUTH_FAILURE);
+ goto done;
+ }
+#ifdef HAVE_HEIMDAL
+ krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
+ krb5_principal_get_realm(sudo_context, princ), opts);
+#endif
+
+ /* Note that we always obtain a new TGT to verify the user */
+ if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
+ pass, krb5_prompter_posix,
+ NULL, 0, NULL, opts))) {
+ /* Don't print error if just a bad password */
+ if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to get credentials: %s", auth->name,
+ error_message(error));
+ goto done;
}
+ creds = &credbuf;
- /* Stash the TGT so we can verify it. */
- if ((error = krb5_cc_store_cred(sudo_context, ccache, &creds))) {
+ /* Verify the TGT to prevent spoof attacks. */
+ if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
+ goto done;
+
+ /* Store cred in cred cache. */
+ if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
+ log_error(NO_EXIT|NO_MAIL,
+ "%s: unable to initialize ccache: %s", auth->name,
+ error_message(error));
+ } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
log_error(NO_EXIT|NO_MAIL,
- "%s: unable to store credentials: %s", auth->name,
+ "%s: unable to store cred in ccache: %s", auth->name,
error_message(error));
- } else {
- error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
}
- krb5_free_cred_contents(sudo_context, &creds);
+done:
+ if (opts) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
+ krb5_get_init_creds_opt_free(sudo_context, opts);
+#else
+ krb5_get_init_creds_opt_free(opts);
+#endif
+ }
+ if (creds)
+ krb5_free_cred_contents(sudo_context, creds);
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
}
+#endif
int
kerb5_cleanup(pw, auth)
return(AUTH_SUCCESS);
}
+#ifndef HAVE_KRB5_VERIFY_USER
/*
- * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
- *
* Verify the Kerberos ticket-granting ticket just retrieved for the
* user. If the Kerberos server doesn't respond, assume the user is
* trying to fake us out (since we DID just get a TGT from what is
- * supposedly our KDC). If the host/<host> service is unknown (i.e.,
- * the local keytab doesn't have it), return success but log the error.
- *
- * This needs to run as root (to read the host service ticket).
+ * supposedly our KDC).
*
* Returns 0 for successful authentication, non-zero for failure.
*/
static int
-verify_krb_v5_tgt(sudo_context, ccache, auth_name)
+verify_krb_v5_tgt(sudo_context, cred, auth_name)
krb5_context sudo_context;
- krb5_ccache ccache;
+ krb5_creds *cred;
char *auth_name; /* For error reporting */
{
- char phost[BUFSIZ];
krb5_error_code error;
- krb5_principal princ;
- krb5_data packet;
- krb5_keyblock *keyblock = 0;
- krb5_auth_context auth_context = NULL;
-
- packet.data = 0;
+ krb5_principal server;
+ krb5_verify_init_creds_opt vopt;
/*
* Get the server principal for the local host.
* (Use defaults of "host" and canonicalized local name.)
*/
if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
- KRB5_NT_SRV_HST, &princ))) {
+ KRB5_NT_SRV_HST, &server))) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to get host principal: %s", auth_name,
error_message(error));
return(-1);
}
- /* Extract the name directly. Yow. */
- strlcpy(phost, extract_name(sudo_context, princ), sizeof(phost));
-
- /*
- * Do we have host/<host> keys?
- * (use default keytab, kvno IGNORE_VNO to get the first match,
- * and enctype is currently ignored anyhow.)
- */
- if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
- ENCTYPE_DES_CBC_MD5, &keyblock))) {
- /* Keytab or service key does not exist. */
- log_error(NO_EXIT,
- "%s: host service key not found: %s", auth_name,
- error_message(error));
- error = 0;
- goto cleanup;
- }
- if (keyblock)
- krb5_free_keyblock(sudo_context, keyblock);
-
- /* Talk to the kdc and construct the ticket. */
- error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
- NULL, ccache, &packet);
- if (auth_context) {
- krb5_auth_con_free(sudo_context, auth_context);
- auth_context = NULL; /* setup for rd_req */
- }
-
- /* Try to use the ticket. */
- if (!error)
- error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
- NULL, NULL, NULL);
-cleanup:
- if (packet.data)
- krb5_free_data_contents(sudo_context, &packet);
- krb5_free_principal(sudo_context, princ);
+ /* Initialize verify opts and set secure mode */
+ krb5_verify_init_creds_opt_init(&vopt);
+ krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
+ /* verify the Kerberos ticket-granting ticket we just retrieved */
+ error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
+ NULL, &vopt);
+ krb5_free_principal(sudo_context, server);
if (error)
log_error(NO_EXIT|NO_MAIL,
"%s: Cannot verify TGT! Possible attack!: %s", auth_name,
error_message(error));
return(error);
}
+#endif