#include "config.h"
#include <sys/types.h>
#include <sys/param.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif
#ifdef HAVE_STRING_H
# include <string.h>
#else
# ifdef HAVE_STRINGS_H
# include <strings.h>
# endif
#endif
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
#include <pwd.h>
#include <krb5.h>
#include "sudo.h"
#include "sudo_auth.h"
#ifndef lint
static const char rcsid[] = "$Sudo: kerb5.c,v 1.11 2001/12/14 19:52:53 millert Exp $";
#endif
static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
static struct _sudo_krb5_data {
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
} sudo_krb5_data = { NULL, NULL, NULL };
typedef struct _sudo_krb5_data *sudo_krb5_datap;
extern krb5_cc_ops krb5_mcc_ops;
int
kerb5_init(pw, promptp, auth)
struct passwd *pw;
char **promptp;
sudo_auth *auth;
{
krb5_context sudo_context;
krb5_ccache ccache;
krb5_principal princ;
krb5_error_code error;
char cache_name[64];
char *pname;
auth->data = (VOID *) &sudo_krb5_data;
if (error = krb5_init_context(&(sudo_krb5_data.sudo_context))) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to initialize context: %s", auth->name,
error_message(error));
return(AUTH_FAILURE);
}
sudo_context = sudo_krb5_data.sudo_context;
if (error = krb5_parse_name(sudo_context, pw->pw_name,
&(sudo_krb5_data.princ))) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to parse '%s': %s", auth->name, pw->pw_name,
error_message(error));
return(AUTH_FAILURE);
}
princ = sudo_krb5_data.princ;
#if 1
if (error = krb5_unparse_name(sudo_context, princ, &pname)) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to unparse princ ('%s'): %s", auth->name,
pw->pw_name, error_message(error));
return(AUTH_FAILURE);
}
easprintf(promptp, "Password for %s: ", pname);
free(pname);
#endif
if (error = krb5_cc_register(sudo_context, &krb5_mcc_ops, FALSE)) {
if (error != KRB5_CC_TYPE_EXISTS) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to use Memory ccache: %s", auth->name,
error_message(error));
return(AUTH_FAILURE);
}
}
(void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
(long) getpid());
if (error = krb5_cc_resolve(sudo_context, cache_name,
&(sudo_krb5_data.ccache))) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to resolve ccache: %s", auth->name,
error_message(error));
return(AUTH_FAILURE);
}
ccache = sudo_krb5_data.ccache;
if (error = krb5_cc_initialize(sudo_context, ccache, princ)) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to initialize ccache: %s", auth->name,
error_message(error));
return(AUTH_FAILURE);
}
return(AUTH_SUCCESS);
}
int
kerb5_verify(pw, pass, auth)
struct passwd *pw;
char *pass;
sudo_auth *auth;
{
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
krb5_creds creds;
krb5_error_code error;
krb5_get_init_creds_opt opts;
char cache_name[64];
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
ccache = ((sudo_krb5_datap) auth->data)->ccache;
krb5_get_init_creds_opt_init(&opts);
if (error = krb5_get_init_creds_password(sudo_context, &creds, princ,
pass, krb5_prompter_posix,
NULL, 0, NULL, &opts)) {
if (error == KRB5KRB_AP_ERR_BAD_INTEGRITY)
return(AUTH_FAILURE);
log_error(NO_EXIT|NO_MAIL,
"%s: unable to get credentials: %s", auth->name,
error_message(error));
return(AUTH_FAILURE);
}
if (error = krb5_cc_store_cred(sudo_context, ccache, &creds)) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to store credentials: %s", auth->name,
error_message(error));
} else {
error = verify_krb_v5_tgt(sudo_context, ccache, auth->name);
}
krb5_free_cred_contents(sudo_context, &creds);
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
}
int
kerb5_cleanup(pw, auth)
struct passwd *pw;
sudo_auth *auth;
{
krb5_context sudo_context;
krb5_principal princ;
krb5_ccache ccache;
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
princ = ((sudo_krb5_datap) auth->data)->princ;
ccache = ((sudo_krb5_datap) auth->data)->ccache;
if (sudo_context) {
if (ccache)
krb5_cc_destroy(sudo_context, ccache);
if (princ)
krb5_free_principal(sudo_context, princ);
krb5_free_context(sudo_context);
}
return(AUTH_SUCCESS);
}
static int
verify_krb_v5_tgt(sudo_context, ccache, auth_name)
krb5_context sudo_context;
krb5_ccache ccache;
char *auth_name;
{
char phost[BUFSIZ];
krb5_error_code error;
krb5_principal princ;
krb5_data packet;
krb5_keyblock *keyblock = 0;
krb5_auth_context auth_context = NULL;
packet.data = 0;
if (error = krb5_sname_to_principal(sudo_context, NULL, NULL,
KRB5_NT_SRV_HST, &princ)) {
log_error(NO_EXIT|NO_MAIL,
"%s: unable to get host principal: %s", auth_name,
error_message(error));
return(-1);
}
strncpy(phost, krb5_princ_component(sudo_context, princ, 1)->data,
sizeof(phost) - 1);
phost[sizeof(phost) - 1] = '\0';
if (error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
ENCTYPE_DES_CBC_MD5, &keyblock)) {
log_error(NO_EXIT,
"%s: host service key not found: %s", auth_name,
error_message(error));
error = 0;
goto cleanup;
}
if (keyblock)
krb5_free_keyblock(sudo_context, keyblock);
error = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
NULL, ccache, &packet);
if (auth_context) {
krb5_auth_con_free(sudo_context, auth_context);
auth_context = NULL;
}
if (!error)
error = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
NULL, NULL, NULL);
cleanup:
if (packet.data)
krb5_free_data_contents(sudo_context, &packet);
krb5_free_principal(sudo_context, princ);
if (error)
log_error(NO_EXIT|NO_MAIL,
"%s: Cannot verify TGT! Possible attack!: %s", auth_name,
error_message(error));
return(error);
}