1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /*
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
36 *
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
41 *
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
52 */
53
54 #include <sys/cdefs.h>
55
56 __FBSDID("$FreeBSD: stable/10/contrib/telnet/libtelnet/kerberos5.c 233932 2012-04-06 00:03:45Z stas $");
57
58 #ifdef KRB5
59
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <unistd.h>
65 #include <netdb.h>
66 #include <ctype.h>
67 #include <pwd.h>
68 #define Authenticator k5_Authenticator
69 #include <krb5.h>
70 #undef Authenticator
71
72 #include "encrypt.h"
73 #include "auth.h"
74 #include "misc.h"
75
76 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
77
78 /* These values need to be the same as those defined in telnet/main.c. */
79 /* Either define them in both places, or put in some common header file. */
80 #define OPTS_FORWARD_CREDS 0x00000002
81 #define OPTS_FORWARDABLE_CREDS 0x00000001
82
83 void kerberos5_forward (Authenticator *);
84
85 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
86 AUTHTYPE_KERBEROS_V5, };
87
88 #define KRB_AUTH 0 /* Authentication data follows */
89 #define KRB_REJECT 1 /* Rejected (reason might follow) */
90 #define KRB_ACCEPT 2 /* Accepted */
91 #define KRB_RESPONSE 3 /* Response for mutual auth. */
92
93 #define KRB_FORWARD 4 /* Forwarded credentials follow */
94 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
95 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
96
97 static krb5_data auth;
98 static krb5_ticket *ticket;
99
100 static krb5_context context;
101 static krb5_auth_context auth_context;
102
103 static void
print_krb5_error(krb5_context context,krb5_error_code code,const char * msg)104 print_krb5_error(krb5_context context, krb5_error_code code, const char *msg)
105 {
106 const char *error_message;
107
108 error_message = krb5_get_error_message(context, code);
109 printf(msg, error_message);
110 krb5_free_error_message(context, error_message);
111 }
112
113 static int
Data(Authenticator * ap,int type,const char * d,int c)114 Data(Authenticator *ap, int type, const char *d, int c)
115 {
116 unsigned char *p = str_data + 4;
117 const unsigned char *cd = d;
118
119 if (c == -1)
120 c = strlen(cd);
121
122 if (auth_debug_mode) {
123 printf("%s:%d: [%d] (%d)",
124 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
125 str_data[3],
126 type, c);
127 printd(d, c);
128 printf("\r\n");
129 }
130 *p++ = ap->type;
131 *p++ = ap->way;
132 *p++ = type;
133 while (c-- > 0) {
134 if ((*p++ = *cd++) == IAC)
135 *p++ = IAC;
136 }
137 *p++ = IAC;
138 *p++ = SE;
139 if (str_data[3] == TELQUAL_IS)
140 printsub('>', &str_data[2], p - &str_data[2]);
141 return(net_write(str_data, p - str_data));
142 }
143
144 int
kerberos5_init(Authenticator * ap __unused,int server)145 kerberos5_init(Authenticator *ap __unused, int server)
146 {
147 krb5_error_code ret;
148
149 ret = krb5_init_context(&context);
150 if (ret)
151 return 0;
152 if (server) {
153 krb5_keytab kt;
154 krb5_kt_cursor cursor;
155
156 ret = krb5_kt_default(context, &kt);
157 if (ret)
158 return 0;
159
160 ret = krb5_kt_start_seq_get (context, kt, &cursor);
161 if (ret) {
162 krb5_kt_close (context, kt);
163 return 0;
164 }
165 krb5_kt_end_seq_get (context, kt, &cursor);
166 krb5_kt_close (context, kt);
167
168 str_data[3] = TELQUAL_REPLY;
169 } else
170 str_data[3] = TELQUAL_IS;
171 return(1);
172 }
173
174 extern int net;
175
176 static int
kerberos5_send(const char * name,Authenticator * ap)177 kerberos5_send(const char *name, Authenticator *ap)
178 {
179 krb5_error_code ret;
180 krb5_ccache ccache;
181 int ap_opts;
182 krb5_data cksum_data;
183 char foo[2];
184
185 if (!UserNameRequested) {
186 if (auth_debug_mode) {
187 printf("Kerberos V5: no user name supplied\r\n");
188 }
189 return(0);
190 }
191
192 ret = krb5_cc_default(context, &ccache);
193 if (ret) {
194 if (auth_debug_mode) {
195 print_krb5_error(context, ret, "Kerberos V5: could not get default ccache: %s\r\n");
196 }
197 return 0;
198 }
199
200 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
201 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
202 else
203 ap_opts = 0;
204 ap_opts |= AP_OPTS_USE_SUBKEY;
205
206 ret = krb5_auth_con_init (context, &auth_context);
207 if (ret) {
208 if (auth_debug_mode) {
209 print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n");
210 }
211 return(0);
212 }
213
214 ret = krb5_auth_con_setaddrs_from_fd (context,
215 auth_context,
216 &net);
217 if (ret) {
218 if (auth_debug_mode) {
219 print_krb5_error(context, ret, "Kerberos V5:"
220 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n");
221 }
222 return(0);
223 }
224
225 krb5_auth_con_setkeytype (context, auth_context, KEYTYPE_DES);
226
227 foo[0] = ap->type;
228 foo[1] = ap->way;
229
230 cksum_data.length = sizeof(foo);
231 cksum_data.data = foo;
232
233
234 {
235 krb5_principal service;
236 char sname[128];
237
238
239 ret = krb5_sname_to_principal (context,
240 RemoteHostName,
241 NULL,
242 KRB5_NT_SRV_HST,
243 &service);
244 if(ret) {
245 if (auth_debug_mode) {
246 const char *err_str;
247
248 err_str = krb5_get_error_message(context, ret);
249 printf("Kerberosr V5:"
250 " krb5_sname_to_principal(%s) failed (%s)\r\n",
251 RemoteHostName, err_str);
252 krb5_free_error_message(context, err_str);
253 }
254 return 0;
255 }
256 ret = krb5_unparse_name_fixed(context, service, sname, sizeof(sname));
257 if(ret) {
258 if (auth_debug_mode) {
259 print_krb5_error(context, ret, "Kerberos V5:"
260 " krb5_unparse_name_fixed failed (%s)\r\n");
261 }
262 return 0;
263 }
264 printf("[ Trying %s (%s)... ]\r\n", name, sname);
265 ret = krb5_mk_req_exact(context, &auth_context, ap_opts,
266 service,
267 &cksum_data, ccache, &auth);
268 krb5_free_principal (context, service);
269
270 }
271 if (ret) {
272 if (1 || auth_debug_mode) {
273 print_krb5_error(context, ret, "Kerberos V5: mk_req failed (%s)\r\n");
274 }
275 return(0);
276 }
277
278 if (!auth_sendname((unsigned char *)UserNameRequested,
279 strlen(UserNameRequested))) {
280 if (auth_debug_mode)
281 printf("Not enough room for user name\r\n");
282 return(0);
283 }
284 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
285 if (auth_debug_mode)
286 printf("Not enough room for authentication data\r\n");
287 return(0);
288 }
289 if (auth_debug_mode) {
290 printf("Sent Kerberos V5 credentials to server\r\n");
291 }
292 return(1);
293 }
294
295 int
kerberos5_send_mutual(Authenticator * ap)296 kerberos5_send_mutual(Authenticator *ap)
297 {
298 return kerberos5_send("mutual KERBEROS5", ap);
299 }
300
301 int
kerberos5_send_oneway(Authenticator * ap)302 kerberos5_send_oneway(Authenticator *ap)
303 {
304 return kerberos5_send("KERBEROS5", ap);
305 }
306
307 void
kerberos5_is(Authenticator * ap,unsigned char * data,int cnt)308 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
309 {
310 krb5_error_code ret;
311 krb5_data outbuf;
312 krb5_keyblock *key_block;
313 char *name;
314 krb5_principal server;
315 int zero = 0;
316
317 if (cnt-- < 1)
318 return;
319 switch (*data++) {
320 case KRB_AUTH:
321 auth.data = (char *)data;
322 auth.length = cnt;
323
324 auth_context = NULL;
325
326 ret = krb5_auth_con_init (context, &auth_context);
327 if (ret) {
328 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
329 auth_finished(ap, AUTH_REJECT);
330 if (auth_debug_mode)
331 print_krb5_error(context, ret, "Kerberos V5: krb5_auth_con_init failed (%s)\r\n");
332 return;
333 }
334
335 ret = krb5_auth_con_setaddrs_from_fd (context,
336 auth_context,
337 &zero);
338 if (ret) {
339 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
340 auth_finished(ap, AUTH_REJECT);
341 if (auth_debug_mode)
342 print_krb5_error(context, ret, "Kerberos V5: "
343 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n");
344 return;
345 }
346
347 ret = krb5_sock_to_principal (context,
348 0,
349 "host",
350 KRB5_NT_SRV_HST,
351 &server);
352 if (ret) {
353 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
354 auth_finished(ap, AUTH_REJECT);
355 if (auth_debug_mode)
356 print_krb5_error(context, ret, "Kerberos V5: "
357 "krb5_sock_to_principal failed (%s)\r\n");
358 return;
359 }
360
361 ret = krb5_rd_req(context,
362 &auth_context,
363 &auth,
364 server,
365 NULL,
366 NULL,
367 &ticket);
368
369 krb5_free_principal (context, server);
370 if (ret) {
371 char *errbuf;
372 const char *err_str;
373
374 err_str = krb5_get_error_message(context, ret);
375 asprintf(&errbuf,
376 "Read req failed: %s", err_str);
377 krb5_free_error_message(context, err_str);
378 Data(ap, KRB_REJECT, errbuf, -1);
379 if (auth_debug_mode)
380 printf("%s\r\n", errbuf);
381 free (errbuf);
382 return;
383 }
384
385 {
386 char foo[2];
387
388 foo[0] = ap->type;
389 foo[1] = ap->way;
390
391 ret = krb5_verify_authenticator_checksum(context,
392 auth_context,
393 foo,
394 sizeof(foo));
395
396 if (ret) {
397 char *errbuf;
398 const char *err_str;
399
400 err_str = krb5_get_error_message(context, ret);
401 asprintf(&errbuf, "Bad checksum: %s", err_str);
402 krb5_free_error_message(context, err_str);
403 Data(ap, KRB_REJECT, errbuf, -1);
404 if (auth_debug_mode)
405 printf ("%s\r\n", errbuf);
406 free(errbuf);
407 return;
408 }
409 }
410 ret = krb5_auth_con_getremotesubkey (context,
411 auth_context,
412 &key_block);
413
414 if (ret) {
415 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
416 auth_finished(ap, AUTH_REJECT);
417 if (auth_debug_mode)
418 print_krb5_error(context, ret, "Kerberos V5: "
419 "krb5_auth_con_getremotesubkey failed (%s)\r\n");
420 return;
421 }
422
423 if (key_block == NULL) {
424 ret = krb5_auth_con_getkey(context,
425 auth_context,
426 &key_block);
427 }
428 if (ret) {
429 Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
430 auth_finished(ap, AUTH_REJECT);
431 if (auth_debug_mode)
432 print_krb5_error(context, ret, "Kerberos V5: "
433 "krb5_auth_con_getkey failed (%s)\r\n");
434 return;
435 }
436 if (key_block == NULL) {
437 Data(ap, KRB_REJECT, "no subkey received", -1);
438 auth_finished(ap, AUTH_REJECT);
439 if (auth_debug_mode)
440 printf("Kerberos V5: "
441 "krb5_auth_con_getremotesubkey returned NULL key\r\n");
442 return;
443 }
444
445 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
446 ret = krb5_mk_rep(context, auth_context, &outbuf);
447 if (ret) {
448 Data(ap, KRB_REJECT,
449 "krb5_mk_rep failed", -1);
450 auth_finished(ap, AUTH_REJECT);
451 if (auth_debug_mode)
452 print_krb5_error(context, ret, "Kerberos V5: "
453 "krb5_mk_rep failed (%s)\r\n");
454 return;
455 }
456 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
457 }
458 if (krb5_unparse_name(context, ticket->client, &name))
459 name = 0;
460
461 if(UserNameRequested && krb5_kuserok(context,
462 ticket->client,
463 UserNameRequested)) {
464 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
465 if (auth_debug_mode) {
466 printf("Kerberos5 identifies him as ``%s''\r\n",
467 name ? name : "");
468 }
469
470 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
471 key_block->keytype == ETYPE_DES_CBC_MD4 ||
472 key_block->keytype == ETYPE_DES_CBC_CRC) {
473 Session_Key skey;
474
475 skey.type = SK_DES;
476 skey.length = 8;
477 skey.data = key_block->keyvalue.data;
478 encrypt_session_key(&skey, 0);
479 }
480
481 } else {
482 char *msg;
483
484 asprintf (&msg, "user `%s' is not authorized to "
485 "login as `%s'",
486 name ? name : "<unknown>",
487 UserNameRequested ? UserNameRequested : "<nobody>");
488 if (msg == NULL)
489 Data(ap, KRB_REJECT, NULL, 0);
490 else {
491 Data(ap, KRB_REJECT, (void *)msg, -1);
492 free(msg);
493 }
494 auth_finished (ap, AUTH_REJECT);
495 krb5_free_keyblock_contents(context, key_block);
496 break;
497 }
498 auth_finished(ap, AUTH_USER);
499 krb5_free_keyblock_contents(context, key_block);
500
501 break;
502 case KRB_FORWARD: {
503 struct passwd *pwd;
504 char ccname[1024]; /* XXX */
505 krb5_data inbuf;
506 krb5_ccache ccache;
507 inbuf.data = (char *)data;
508 inbuf.length = cnt;
509
510 pwd = getpwnam (UserNameRequested);
511 if (pwd == NULL)
512 break;
513
514 snprintf (ccname, sizeof(ccname),
515 "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
516
517 ret = krb5_cc_resolve (context, ccname, &ccache);
518 if (ret) {
519 if (auth_debug_mode)
520 print_krb5_error(context, ret, "Kerberos V5: could not get ccache: %s\r\n");
521 break;
522 }
523
524 ret = krb5_cc_initialize (context,
525 ccache,
526 ticket->client);
527 if (ret) {
528 if (auth_debug_mode)
529 print_krb5_error(context, ret, "Kerberos V5: could not init ccache: %s\r\n");
530 break;
531 }
532
533 #if defined(DCE)
534 esetenv("KRB5CCNAME", ccname, 1);
535 #endif
536 ret = krb5_rd_cred2 (context,
537 auth_context,
538 ccache,
539 &inbuf);
540 if(ret) {
541 char *errbuf;
542 const char *err_str;
543
544 err_str = krb5_get_error_message(context, ret);
545 asprintf (&errbuf,
546 "Read forwarded creds failed: %s", err_str);
547 krb5_free_error_message(context, err_str);
548 if(errbuf == NULL)
549 Data(ap, KRB_FORWARD_REJECT, NULL, 0);
550 else
551 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
552 if (auth_debug_mode)
553 printf("Could not read forwarded credentials: %s\r\n",
554 errbuf);
555 free (errbuf);
556 } else {
557 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
558 #if defined(DCE)
559 dfsfwd = 1;
560 #endif
561 }
562 chown (ccname + 5, pwd->pw_uid, -1);
563 if (auth_debug_mode)
564 printf("Forwarded credentials obtained\r\n");
565 break;
566 }
567 default:
568 if (auth_debug_mode)
569 printf("Unknown Kerberos option %d\r\n", data[-1]);
570 Data(ap, KRB_REJECT, 0, 0);
571 break;
572 }
573 }
574
575 void
kerberos5_reply(Authenticator * ap,unsigned char * data,int cnt)576 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
577 {
578 static int mutual_complete = 0;
579
580 if (cnt-- < 1)
581 return;
582 switch (*data++) {
583 case KRB_REJECT:
584 if (cnt > 0) {
585 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
586 cnt, data);
587 } else
588 printf("[ Kerberos V5 refuses authentication ]\r\n");
589 auth_send_retry();
590 return;
591 case KRB_ACCEPT: {
592 krb5_error_code ret;
593 Session_Key skey;
594 krb5_keyblock *keyblock;
595
596 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
597 !mutual_complete) {
598 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
599 auth_send_retry();
600 return;
601 }
602 if (cnt)
603 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
604 else
605 printf("[ Kerberos V5 accepts you ]\r\n");
606
607 ret = krb5_auth_con_getlocalsubkey (context,
608 auth_context,
609 &keyblock);
610 if (ret)
611 ret = krb5_auth_con_getkey (context,
612 auth_context,
613 &keyblock);
614 if(ret) {
615 print_krb5_error(context, ret, "[ krb5_auth_con_getkey: %s ]\r\n");
616 auth_send_retry();
617 return;
618 }
619
620 skey.type = SK_DES;
621 skey.length = 8;
622 skey.data = keyblock->keyvalue.data;
623 encrypt_session_key(&skey, 0);
624 krb5_free_keyblock_contents (context, keyblock);
625 auth_finished(ap, AUTH_USER);
626 if (forward_flags & OPTS_FORWARD_CREDS)
627 kerberos5_forward(ap);
628 break;
629 }
630 case KRB_RESPONSE:
631 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
632 /* the rest of the reply should contain a krb_ap_rep */
633 krb5_ap_rep_enc_part *reply;
634 krb5_data inbuf;
635 krb5_error_code ret;
636
637 inbuf.length = cnt;
638 inbuf.data = (char *)data;
639
640 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
641 if (ret) {
642 print_krb5_error(context, ret, "[ Mutual authentication failed: %s ]\r\n");
643 auth_send_retry();
644 return;
645 }
646 krb5_free_ap_rep_enc_part(context, reply);
647 mutual_complete = 1;
648 }
649 return;
650 case KRB_FORWARD_ACCEPT:
651 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
652 return;
653 case KRB_FORWARD_REJECT:
654 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
655 cnt, data);
656 return;
657 default:
658 if (auth_debug_mode)
659 printf("Unknown Kerberos option %d\r\n", data[-1]);
660 return;
661 }
662 }
663
664 int
kerberos5_status(Authenticator * ap __unused,char * name,int level)665 kerberos5_status(Authenticator *ap __unused, char *name, int level)
666 {
667 if (level < AUTH_USER)
668 return(level);
669
670 if (UserNameRequested &&
671 krb5_kuserok(context,
672 ticket->client,
673 UserNameRequested))
674 {
675 strcpy(name, UserNameRequested);
676 return(AUTH_VALID);
677 } else
678 return(AUTH_USER);
679 }
680
681 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
682 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
683
684 void
kerberos5_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)685 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
686 {
687 int i;
688
689 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
690 buflen -= 1;
691
692 switch(data[3]) {
693 case KRB_REJECT: /* Rejected (reason might follow) */
694 strlcpy((char *)buf, " REJECT ", buflen);
695 goto common;
696
697 case KRB_ACCEPT: /* Accepted (name might follow) */
698 strlcpy((char *)buf, " ACCEPT ", buflen);
699 common:
700 BUMP(buf, buflen);
701 if (cnt <= 4)
702 break;
703 ADDC(buf, buflen, '"');
704 for (i = 4; i < cnt; i++)
705 ADDC(buf, buflen, data[i]);
706 ADDC(buf, buflen, '"');
707 ADDC(buf, buflen, '\0');
708 break;
709
710
711 case KRB_AUTH: /* Authentication data follows */
712 strlcpy((char *)buf, " AUTH", buflen);
713 goto common2;
714
715 case KRB_RESPONSE:
716 strlcpy((char *)buf, " RESPONSE", buflen);
717 goto common2;
718
719 case KRB_FORWARD: /* Forwarded credentials follow */
720 strlcpy((char *)buf, " FORWARD", buflen);
721 goto common2;
722
723 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
724 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
725 goto common2;
726
727 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
728 /* (reason might follow) */
729 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
730 goto common2;
731
732 default:
733 snprintf(buf, buflen, " %d (unknown)", data[3]);
734 common2:
735 BUMP(buf, buflen);
736 for (i = 4; i < cnt; i++) {
737 snprintf(buf, buflen, " %d", data[i]);
738 BUMP(buf, buflen);
739 }
740 break;
741 }
742 }
743
744 void
kerberos5_forward(Authenticator * ap)745 kerberos5_forward(Authenticator *ap)
746 {
747 krb5_error_code ret;
748 krb5_ccache ccache;
749 krb5_creds creds;
750 krb5_kdc_flags flags;
751 krb5_data out_data;
752 krb5_principal principal;
753
754 ret = krb5_cc_default (context, &ccache);
755 if (ret) {
756 if (auth_debug_mode)
757 print_krb5_error(context, ret, "KerberosV5: could not get default ccache: %s\r\n");
758 return;
759 }
760
761 ret = krb5_cc_get_principal (context, ccache, &principal);
762 if (ret) {
763 if (auth_debug_mode)
764 print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n");
765 return;
766 }
767
768 memset (&creds, 0, sizeof(creds));
769
770 creds.client = principal;
771
772 ret = krb5_build_principal (context,
773 &creds.server,
774 strlen(principal->realm),
775 principal->realm,
776 "krbtgt",
777 principal->realm,
778 NULL);
779
780 if (ret) {
781 if (auth_debug_mode)
782 print_krb5_error(context, ret, "KerberosV5: could not get principal: %s\r\n");
783 return;
784 }
785
786 creds.times.endtime = 0;
787
788 flags.i = 0;
789 flags.b.forwarded = 1;
790 if (forward_flags & OPTS_FORWARDABLE_CREDS)
791 flags.b.forwardable = 1;
792
793 ret = krb5_get_forwarded_creds (context,
794 auth_context,
795 ccache,
796 flags.i,
797 RemoteHostName,
798 &creds,
799 &out_data);
800 if (ret) {
801 if (auth_debug_mode)
802 print_krb5_error(context, ret, "Kerberos V5: error getting forwarded creds: %s\r\n");
803 return;
804 }
805
806 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
807 if (auth_debug_mode)
808 printf("Not enough room for authentication data\r\n");
809 } else {
810 if (auth_debug_mode)
811 printf("Forwarded local Kerberos V5 credentials to server\r\n");
812 }
813 }
814
815 #if defined(DCE)
816 /* if this was a K5 authentication try and join a PAG for the user. */
817 void
kerberos5_dfspag(void)818 kerberos5_dfspag(void)
819 {
820 if (dfsk5ok) {
821 dfspag = krb5_dfs_pag(context, dfsfwd, ticket->client,
822 UserNameRequested);
823 }
824 }
825 #endif
826
827 #endif /* KRB5 */
828