2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * Copyright (C) 1990 by the Massachusetts Institute of Technology
37 * Export of this software from the United States of America may
38 * require a specific license from the United States Government.
39 * It is the responsibility of any person or organization contemplating
40 * export to obtain such a license before exporting.
42 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
43 * distribute this software and its documentation for any purpose and
44 * without fee is hereby granted, provided that the above copyright
45 * notice appear in all copies and that both that copyright notice and
46 * this permission notice appear in supporting documentation, and that
47 * the name of M.I.T. not be used in advertising or publicity pertaining
48 * to distribution of the software without specific, written prior
49 * permission. M.I.T. makes no representations about the suitability of
50 * this software for any purpose. It is provided "as is" without express
51 * or implied warranty.
56 RCSID("$Id: kerberos5.c,v 1.38 1999/09/16 20:41:33 assar Exp $");
60 #include <arpa/telnet.h>
68 #define Authenticator k5_Authenticator
81 int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
83 /* These values need to be the same as those defined in telnet/main.c. */
84 /* Either define them in both places, or put in some common header file. */
85 #define OPTS_FORWARD_CREDS 0x00000002
86 #define OPTS_FORWARDABLE_CREDS 0x00000001
88 void kerberos5_forward (Authenticator *);
90 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
91 AUTHTYPE_KERBEROS_V5, };
93 #define KRB_AUTH 0 /* Authentication data follows */
94 #define KRB_REJECT 1 /* Rejected (reason might follow) */
95 #define KRB_ACCEPT 2 /* Accepted */
96 #define KRB_RESPONSE 3 /* Response for mutual auth. */
98 #define KRB_FORWARD 4 /* Forwarded credentials follow */
99 #define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
100 #define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
102 static krb5_data auth;
103 static krb5_ticket *ticket;
105 static krb5_context context;
106 static krb5_auth_context auth_context;
109 Data(Authenticator *ap, int type, void *d, int c)
111 unsigned char *p = str_data + 4;
112 unsigned char *cd = (unsigned char *)d;
117 if (auth_debug_mode) {
118 printf("%s:%d: [%d] (%d)",
119 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
129 if ((*p++ = *cd++) == IAC)
134 if (str_data[3] == TELQUAL_IS)
135 printsub('>', &str_data[2], p - &str_data[2]);
136 return(telnet_net_write(str_data, p - str_data));
140 kerberos5_init(Authenticator *ap, int server)
143 str_data[3] = TELQUAL_REPLY;
145 str_data[3] = TELQUAL_IS;
146 krb5_init_context(&context);
151 kerberos5_send(char *name, Authenticator *ap)
156 krb5_data cksum_data;
160 printf("[ Trying %s ... ]\r\n", name);
161 if (!UserNameRequested) {
162 if (auth_debug_mode) {
163 printf("Kerberos V5: no user name supplied\r\n");
168 ret = krb5_cc_default(context, &ccache);
170 if (auth_debug_mode) {
171 printf("Kerberos V5: could not get default ccache: %s\r\n",
172 krb5_get_err_text (context, ret));
177 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
178 ap_opts = AP_OPTS_MUTUAL_REQUIRED;
182 ret = krb5_auth_con_init (context, &auth_context);
184 if (auth_debug_mode) {
185 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
186 krb5_get_err_text(context, ret));
191 ret = krb5_auth_con_setaddrs_from_fd (context,
195 if (auth_debug_mode) {
196 printf ("Kerberos V5:"
197 " krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
198 krb5_get_err_text(context, ret));
203 krb5_auth_setkeytype (context, auth_context, KEYTYPE_DES);
208 cksum_data.length = sizeof(foo);
209 cksum_data.data = foo;
210 ret = krb5_mk_req(context, &auth_context, ap_opts,
211 "host", RemoteHostName,
212 &cksum_data, ccache, &auth);
215 if (1 || auth_debug_mode) {
216 printf("Kerberos V5: mk_req failed (%s)\r\n",
217 krb5_get_err_text(context, ret));
222 if (!auth_sendname((unsigned char *)UserNameRequested,
223 strlen(UserNameRequested))) {
225 printf("Not enough room for user name\r\n");
228 if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
230 printf("Not enough room for authentication data\r\n");
233 if (auth_debug_mode) {
234 printf("Sent Kerberos V5 credentials to server\r\n");
240 kerberos5_send_mutual(Authenticator *ap)
242 return kerberos5_send("mutual KERBEROS5", ap);
246 kerberos5_send_oneway(Authenticator *ap)
248 return kerberos5_send("KERBEROS5", ap);
252 kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
256 krb5_keyblock *key_block;
258 krb5_principal server;
265 auth.data = (char *)data;
270 ret = krb5_auth_con_init (context, &auth_context);
272 Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
273 auth_finished(ap, AUTH_REJECT);
275 printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
276 krb5_get_err_text(context, ret));
280 ret = krb5_auth_con_setaddrs_from_fd (context,
284 Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
285 auth_finished(ap, AUTH_REJECT);
287 printf("Kerberos V5: "
288 "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
289 krb5_get_err_text(context, ret));
293 ret = krb5_sock_to_principal (context,
299 Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
300 auth_finished(ap, AUTH_REJECT);
302 printf("Kerberos V5: "
303 "krb5_sock_to_principal failed (%s)\r\n",
304 krb5_get_err_text(context, ret));
308 ret = krb5_rd_req(context,
315 krb5_free_principal (context, server);
321 "Read req failed: %s",
322 krb5_get_err_text(context, ret));
323 Data(ap, KRB_REJECT, errbuf, -1);
325 printf("%s\r\n", errbuf);
336 ret = krb5_verify_authenticator_checksum(context,
343 asprintf(&errbuf, "Bad checksum: %s",
344 krb5_get_err_text(context, ret));
345 Data(ap, KRB_REJECT, errbuf, -1);
347 printf ("%s\r\n", errbuf);
352 ret = krb5_auth_con_getremotesubkey (context,
357 Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
358 auth_finished(ap, AUTH_REJECT);
360 printf("Kerberos V5: "
361 "krb5_auth_con_getremotesubkey failed (%s)\r\n",
362 krb5_get_err_text(context, ret));
366 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
367 ret = krb5_mk_rep(context, &auth_context, &outbuf);
370 "krb5_mk_rep failed", -1);
371 auth_finished(ap, AUTH_REJECT);
373 printf("Kerberos V5: "
374 "krb5_mk_rep failed (%s)\r\n",
375 krb5_get_err_text(context, ret));
378 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
380 if (krb5_unparse_name(context, ticket->client, &name))
383 if(UserNameRequested && krb5_kuserok(context,
385 UserNameRequested)) {
386 Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
387 if (auth_debug_mode) {
388 printf("Kerberos5 identifies him as ``%s''\r\n",
392 if(key_block->keytype == ETYPE_DES_CBC_MD5 ||
393 key_block->keytype == ETYPE_DES_CBC_MD4 ||
394 key_block->keytype == ETYPE_DES_CBC_CRC) {
399 skey.data = key_block->keyvalue.data;
400 encrypt_session_key(&skey, 0);
406 asprintf (&msg, "user `%s' is not authorized to "
408 name ? name : "<unknown>",
409 UserNameRequested ? UserNameRequested : "<nobody>");
411 Data(ap, KRB_REJECT, NULL, 0);
413 Data(ap, KRB_REJECT, (void *)msg, -1);
417 auth_finished(ap, AUTH_USER);
419 krb5_free_keyblock_contents(context, key_block);
424 char ccname[1024]; /* XXX */
427 inbuf.data = (char *)data;
430 pwd = getpwnam (UserNameRequested);
434 snprintf (ccname, sizeof(ccname),
435 "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
437 ret = krb5_cc_resolve (context, ccname, &ccache);
440 printf ("Kerberos V5: could not get ccache: %s\r\n",
441 krb5_get_err_text(context, ret));
445 ret = krb5_cc_initialize (context,
450 printf ("Kerberos V5: could not init ccache: %s\r\n",
451 krb5_get_err_text(context, ret));
455 ret = krb5_rd_cred (context,
463 "Read forwarded creds failed: %s",
464 krb5_get_err_text (context, ret));
466 Data(ap, KRB_FORWARD_REJECT, NULL, 0);
468 Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
470 printf("Could not read forwarded credentials: %s\r\n",
474 Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
475 chown (ccname + 5, pwd->pw_uid, -1);
477 printf("Forwarded credentials obtained\r\n");
482 printf("Unknown Kerberos option %d\r\n", data[-1]);
483 Data(ap, KRB_REJECT, 0, 0);
489 kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
491 static int mutual_complete = 0;
498 printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
501 printf("[ Kerberos V5 refuses authentication ]\r\n");
507 krb5_keyblock *keyblock;
509 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
511 printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
516 printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
518 printf("[ Kerberos V5 accepts you ]\r\n");
520 ret = krb5_auth_con_getlocalsubkey (context,
524 ret = krb5_auth_con_getkey (context,
528 printf("[ krb5_auth_con_getkey: %s ]\r\n",
529 krb5_get_err_text(context, ret));
536 skey.data = keyblock->keyvalue.data;
537 encrypt_session_key(&skey, 0);
538 krb5_free_keyblock_contents (context, keyblock);
539 auth_finished(ap, AUTH_USER);
540 if (forward_flags & OPTS_FORWARD_CREDS)
541 kerberos5_forward(ap);
545 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
546 /* the rest of the reply should contain a krb_ap_rep */
547 krb5_ap_rep_enc_part *reply;
552 inbuf.data = (char *)data;
554 ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
556 printf("[ Mutual authentication failed: %s ]\r\n",
557 krb5_get_err_text (context, ret));
561 krb5_free_ap_rep_enc_part(context, reply);
565 case KRB_FORWARD_ACCEPT:
566 printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
568 case KRB_FORWARD_REJECT:
569 printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
574 printf("Unknown Kerberos option %d\r\n", data[-1]);
580 kerberos5_status(Authenticator *ap, char *name, size_t name_sz, int level)
582 if (level < AUTH_USER)
585 if (UserNameRequested &&
586 krb5_kuserok(context,
590 strlcpy(name, UserNameRequested, name_sz);
596 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
597 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
600 kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
604 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
608 case KRB_REJECT: /* Rejected (reason might follow) */
609 strlcpy((char *)buf, " REJECT ", buflen);
612 case KRB_ACCEPT: /* Accepted (name might follow) */
613 strlcpy((char *)buf, " ACCEPT ", buflen);
618 ADDC(buf, buflen, '"');
619 for (i = 4; i < cnt; i++)
620 ADDC(buf, buflen, data[i]);
621 ADDC(buf, buflen, '"');
622 ADDC(buf, buflen, '\0');
626 case KRB_AUTH: /* Authentication data follows */
627 strlcpy((char *)buf, " AUTH", buflen);
631 strlcpy((char *)buf, " RESPONSE", buflen);
634 case KRB_FORWARD: /* Forwarded credentials follow */
635 strlcpy((char *)buf, " FORWARD", buflen);
638 case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
639 strlcpy((char *)buf, " FORWARD_ACCEPT", buflen);
642 case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
643 /* (reason might follow) */
644 strlcpy((char *)buf, " FORWARD_REJECT", buflen);
648 snprintf(buf, buflen, " %d (unknown)", data[3]);
651 for (i = 4; i < cnt; i++) {
652 snprintf(buf, buflen, " %d", data[i]);
660 kerberos5_forward(Authenticator *ap)
665 krb5_kdc_flags flags;
667 krb5_principal principal;
669 ret = krb5_cc_default (context, &ccache);
672 printf ("KerberosV5: could not get default ccache: %s\r\n",
673 krb5_get_err_text (context, ret));
677 ret = krb5_cc_get_principal (context, ccache, &principal);
680 printf ("KerberosV5: could not get principal: %s\r\n",
681 krb5_get_err_text (context, ret));
685 memset (&creds, 0, sizeof(creds));
687 creds.client = principal;
689 ret = krb5_build_principal (context,
691 strlen(principal->realm),
699 printf ("KerberosV5: could not get principal: %s\r\n",
700 krb5_get_err_text (context, ret));
704 creds.times.endtime = 0;
707 flags.b.forwarded = 1;
708 if (forward_flags & OPTS_FORWARDABLE_CREDS)
709 flags.b.forwardable = 1;
711 ret = krb5_get_forwarded_creds (context,
720 printf ("Kerberos V5: error gettting forwarded creds: %s\r\n",
721 krb5_get_err_text (context, ret));
725 if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
727 printf("Not enough room for authentication data\r\n");
730 printf("Forwarded local Kerberos V5 credentials to server\r\n");