[doldaconnect.git] / daemon / auth-krb5.c

/*
 *  Dolda Connect - Modular multiuser Direct Connect-style client
 *  Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
 *  
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *  
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <time.h>
#include <sys/stat.h>
#include <sys/param.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include "auth.h"
#include "utils.h"
#include "conf.h"
#include "log.h"
#include "module.h"
#include "sysevents.h"

#ifdef HAVE_KRB5

#include <krb5.h>
#include <com_err.h>

struct krb5data
{
    int state;
    krb5_auth_context context;
    krb5_ticket *ticket;
    krb5_creds *creds;
    krb5_ccache ccache;
    int renew;
    struct timer *renewtimer;
    char *username, *cname;
};

static void setrenew(struct krb5data *data);

static krb5_context k5context;
static krb5_principal myprinc;
static krb5_keytab keytab;

static void releasekrb5(struct krb5data *data)
{
    if(data->renewtimer != NULL)
	canceltimer(data->renewtimer);
    if(data->context != NULL)
	krb5_auth_con_free(k5context, data->context);
    if(data->ticket != NULL)
	krb5_free_ticket(k5context, data->ticket);
    if(data->creds != NULL)
	krb5_free_creds(k5context, data->creds);
    if(data->username != NULL)
	free(data->username);
    if(data->cname != NULL)
	free(data->cname);
    free(data);
}

static void release(struct authhandle *auth)
{
    releasekrb5((struct krb5data *)auth->mechdata);
}

static struct krb5data *newkrb5data(void)
{
    struct krb5data *new;
    
    new = smalloc(sizeof(*new));
    memset(new, 0, sizeof(*new));
    return(new);
}

static int inithandle(struct authhandle *auth, char *username)
{
    int ret;
    struct krb5data *data;
    
    data = newkrb5data();
    if((ret = krb5_auth_con_init(k5context, &data->context)) != 0)
    {
	flog(LOG_ERR, "could initialize Kerberos auth context: %s", error_message(ret));
	releasekrb5(data);
	return(1);
    }
    krb5_auth_con_setflags(k5context, data->context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
    data->username = sstrdup(username);
    data->state = 0;
    auth->mechdata = data;
    return(0);
}

/* Copied from MIT Kerberos 5 1.3.3*/
static krb5_boolean my_krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser, const char *loginfile, int authbydef)
{
    struct stat sbuf;
    struct passwd *pwd;
    char pbuf[MAXPATHLEN];
    krb5_boolean isok = FALSE;
    FILE *fp;
    char kuser[65];
    char *princname;
    char linebuf[BUFSIZ];
    char *newline;
    int gobble;

    /* no account => no access */
    if ((pwd = getpwnam(luser)) == NULL) {
	return(FALSE);
    }
    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
    pbuf[sizeof(pbuf) - 1] = '\0';
    (void) strncat(pbuf, loginfile, sizeof(pbuf) - 1 - strlen(pbuf));

    if (access(pbuf, F_OK)) {	 /* not accessible */
	/*
	 * if he's trying to log in as himself, and there is no .k5login file,
	 * let him.  To find out, call
	 * krb5_aname_to_localname to convert the principal to a name
	 * which we can string compare. 
	 */
	if (authbydef) {
	    if (!(krb5_aname_to_localname(context, principal,
					  sizeof(kuser), kuser))
		&& (strcmp(kuser, luser) == 0)) {
		return(TRUE);
	    }
	} else {
	    return(FALSE);
	}
    }
    if (krb5_unparse_name(context, principal, &princname))
	return(FALSE);			/* no hope of matching */

    /* open ~/.k5login */
    if ((fp = fopen(pbuf, "r")) == NULL) {
	free(princname);
	return(FALSE);
    }
    /*
     * For security reasons, the .k5login file must be owned either by
     * the user himself, or by root.  Otherwise, don't grant access.
     */
    if (fstat(fileno(fp), &sbuf)) {
	fclose(fp);
	free(princname);
	return(FALSE);
    }
    if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
	fclose(fp);
	free(princname);
	return(FALSE);
    }

    /* check each line */
    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
	/* null-terminate the input string */
	linebuf[BUFSIZ-1] = '\0';
	newline = NULL;
	/* nuke the newline if it exists */
	if ((newline = strchr(linebuf, '\n')))
	    *newline = '\0';
	if (!strcmp(linebuf, princname)) {
	    isok = TRUE;
	    continue;
	}
	/* clean up the rest of the line if necessary */
	if (!newline)
	    while (((gobble = getc(fp)) != EOF) && gobble != '\n');
    }
    free(princname);
    fclose(fp);
    return(isok);
}

static void renewcreds(int cancelled, struct krb5data *data)
{
    int ret;
    char ccnambuf[50];
    krb5_ccache tmpcc;
    krb5_creds newcreds;
    static int ccserial = 0;
    
    data->renewtimer = NULL;
    if(cancelled)
	return;
    memset(&newcreds, 0, sizeof(newcreds));
    snprintf(ccnambuf, sizeof(ccnambuf), "MEMORY:%i", ccserial++);
    if((ret = krb5_cc_resolve(k5context, ccnambuf, &tmpcc)) != 0)
    {
	flog(LOG_ERR, "could not resolve a temporary ccache `%s': %s", ccnambuf, error_message(ret));
	data->renew = 0;
	return;
    }
    if((ret = krb5_cc_initialize(k5context, tmpcc, data->ticket->enc_part2->client)) != 0)
    {
	flog(LOG_ERR, "could not initialize temporary ccache: %s", error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    if((ret = krb5_cc_store_cred(k5context, tmpcc, data->creds)) != 0)
    {
	flog(LOG_ERR, "could not store creds into temporary ccache: %s", error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    if((ret = krb5_get_renewed_creds(k5context, &newcreds, data->ticket->enc_part2->client, tmpcc, NULL)) != 0)
    {
	flog(LOG_ERR, "could not get renewed tickets for %s: %s", data->username, error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    krb5_free_creds(k5context, data->creds);
    data->creds = NULL;
    if((ret = krb5_copy_creds(k5context, &newcreds, &data->creds)) != 0)
    {
	flog(LOG_ERR, "could not copy renewed creds: %s", error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    krb5_free_cred_contents(k5context, &newcreds);
    krb5_cc_destroy(k5context, tmpcc);
    flog(LOG_ERR, "successfully renewed krb5 creds for %s", data->username);
    setrenew(data);
}

static void setrenew(struct krb5data *data)
{
    krb5_ticket_times times;
    time_t now, good;
    
    times = data->creds->times;
    if(!times.starttime)
	times.starttime = times.authtime;
    now = time(NULL);
    if(times.endtime < now)
    {
	flog(LOG_DEBUG, "tickets already expired, cannot renew");
	data->renew = 0;
	return;
    }
    good = times.starttime + (((times.endtime - times.starttime) * 9) / 10);
    data->renewtimer = timercallback(good, (void (*)(int, void *))renewcreds, data);
}

static int krbauth(struct authhandle *auth, char *passdata)
{
    int ret;
    struct krb5data *data;
    char *msg;
    size_t msglen;
    int authorized;
    krb5_data k5d;
    krb5_flags apopt;
    krb5_creds **fwdcreds;
    
    data = auth->mechdata;
    if(passdata == NULL)
    {
	auth->prompt = AUTH_PR_AUTO;
	if(auth->text != NULL)
	    free(auth->text);
	auth->text = swcsdup(L"Send hex-encoded krb5 data");
	data->state = 1;
	return(AUTH_PASS);
    } else {
	if((msg = hexdecode(passdata, &msglen)) == NULL)
	{
	    if(auth->text != NULL)
		free(auth->text);
	    auth->text = swcsdup(L"Invalid hex encoding");
	    return(AUTH_DENIED);
	}
	switch(data->state)
	{
	case 1:
	    k5d.length = msglen;
	    k5d.data = msg;
	    if((ret = krb5_rd_req(k5context, &data->context, &k5d, myprinc, keytab, &apopt, &data->ticket)) != 0)
	    {
		flog(LOG_INFO, "kerberos authentication failed for %s: %s", data->username, error_message(ret));
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = icmbstowcs((char *)error_message(ret), NULL);
		free(msg);
		return(AUTH_DENIED);
	    }
	    free(msg);
	    if(apopt & AP_OPTS_MUTUAL_REQUIRED)
	    {
		if((ret = krb5_mk_rep(k5context, data->context, &k5d)) != 0)
		{
		    flog(LOG_WARNING, "krb5_mk_rep returned an error: %s", error_message(ret));
		    return(AUTH_ERR);
		}
		msg = hexencode(k5d.data, k5d.length);
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = icmbstowcs(msg, "us-ascii");
		free(msg);
		free(k5d.data);
	    } else {
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = swcsdup(L"");
	    }
	    data->state = 2;
	    return(AUTH_PASS);
	case 2:
	    ret = atoi(msg);
	    free(msg);
	    if(ret == 1)
	    {
		/* That is, the client has accepted us as a valid
		 * server.  Now check if the client is authorized. */
		if((ret = krb5_unparse_name(k5context, data->ticket->enc_part2->client, &data->cname)) != 0)
		{
		    flog(LOG_ERR, "krb_unparse_name returned an error: %s", error_message(ret));
		    return(AUTH_ERR);
		}
		authorized = 0;
		if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.k5login", 1))
		    authorized = 1;
		/* Allow a seperate ACL for DC principals */
		if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.dc-k5login", 0))
		    authorized = 1;
		if(authorized)
		{
		    flog(LOG_INFO, "krb5 principal %s successfully authorized as %s%s", data->cname, data->username, (data->creds == NULL)?"":" (with fwd creds)");
		    return(AUTH_SUCCESS);
		} else {
		    flog(LOG_INFO, "krb5 principal %s not authorized as %s", data->cname, data->username);
		}
	    }
	    if(ret == 2)
	    {
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = swcsdup(L"");
		data->state = 3;
		return(AUTH_PASS);
	    }
	    return(AUTH_DENIED);
	case 3:
	    k5d.length = msglen;
	    k5d.data = msg;
	    if((ret = krb5_rd_cred(k5context, data->context, &k5d, &fwdcreds, NULL)) != 0)
	    {
		flog(LOG_ERR, "krb5_rd_cred returned an error: %s", error_message(ret));
		free(msg);
		return(AUTH_ERR);
	    }
	    free(msg);
	    if(*fwdcreds == NULL)
	    {
		flog(LOG_ERR, "forwarded credentials array was empty (from %s)", data->username);
		krb5_free_tgt_creds(k5context, fwdcreds);
		return(AUTH_ERR);
	    }
	    /* Copy only the first credential. (Change this if it becomes a problem) */
	    ret = krb5_copy_creds(k5context, *fwdcreds, &data->creds);
	    krb5_free_tgt_creds(k5context, fwdcreds);
	    if(ret != 0)
	    {
		flog(LOG_ERR, "could not copy forwarded credentials: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if(confgetint("auth-krb5", "renewcreds"))
	    {
		data->renew = 1;
		setrenew(data);
	    }
	    if(auth->text != NULL)
		free(auth->text);
	    auth->text = swcsdup(L"");
	    data->state = 2;
	    return(AUTH_PASS);
	default:
	    free(msg);
	    flog(LOG_ERR, "BUG? Invalid state encountered in krbauth: %i", data->state);
	    return(AUTH_ERR);
	}
    }
}

static int opensess(struct authhandle *auth)
{
    int ret;
    struct krb5data *data;
    char *buf, *buf2;
    int fd;
    struct passwd *pwent;
    
    data = auth->mechdata;
    if(data->creds != NULL)
    {
	if((pwent = getpwnam(data->username)) == NULL)
	{
	    flog(LOG_ERR, "could not get passwd entry for forwarded tickets (user %s): %s", data->username, strerror(errno));
	    return(AUTH_ERR);
	}
	if(!confgetint("auth-krb5", "usedefcc"))
	{
	    buf = sprintf2("/tmp/krb5cc_dc_%i_XXXXXX", pwent->pw_uid);
	    if((fd = mkstemp(buf)) < 0)
	    {
		free(buf);
		flog(LOG_ERR, "could not create temporary file for ccache: %s", strerror(errno));
		return(AUTH_ERR);
	    }
	    close(fd);
	    buf2 = sprintf2("FILE:%s", buf);
	    if((ret = krb5_cc_resolve(k5context, buf2, &data->ccache)) != 0)
	    {
		free(buf);
		free(buf2);
		flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
		return(AUTH_ERR);
	    }
	    setenv("KRB5CCNAME", buf2, 1);
	    free(buf2);
	    if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	    {
		free(buf);
		flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	    {
		free(buf);
		flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if(chown(buf, pwent->pw_uid, pwent->pw_gid))
	    {
		free(buf);
		flog(LOG_ERR, "could not chown new ccache to %i:%i: %s", pwent->pw_uid, pwent->pw_gid, strerror(errno));
		return(AUTH_ERR);
	    }
	    free(buf);
	} else {
	    if((buf = (char *)krb5_cc_default_name(k5context)) == NULL) {
		flog(LOG_ERR, "could not get default ccache name");
		return(AUTH_ERR);
	    }
	    if((ret = krb5_cc_resolve(k5context, buf, &data->ccache)) != 0)
	    {
		flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
		return(AUTH_ERR);
	    }
	    setenv("KRB5CCNAME", buf, 1);
	    if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	    {
		flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	    {
		flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	}
    }
    return(AUTH_SUCCESS);
}

static int closesess(struct authhandle *auth)
{
    struct krb5data *data;
    
    data = auth->mechdata;
    if(data->ccache != NULL)
    {
	krb5_cc_destroy(k5context, data->ccache);
	data->ccache = NULL;
    }
    return(AUTH_SUCCESS);
}

struct authmech authmech_krb5 =
{
    .inithandle = inithandle,
    .release = release,
    .authenticate = krbauth,
    .opensess = opensess,
    .closesess = closesess,
    .name = L"krb5",
    .enabled = 1
};

static int init(int hup)
{
    int ret;
    char *buf;
    krb5_principal newprinc;
    
    if(!hup)
    {
	regmech(&authmech_krb5);
	if((ret = krb5_init_context(&k5context)))
	{
	    flog(LOG_CRIT, "could not initialize Kerberos context: %s", error_message(ret));
	    return(1);
	}
	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	{
	    flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s", confgetstr("auth-krb5", "service"), strerror(errno));
	    return(1);
	} else {
	    if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &myprinc)) != 0)
	    {
		flog(LOG_CRIT, "could not get principal for service %s: %s", buf, error_message(ret));
		free(buf);
		return(1);
	    }
	    free(buf);
	}
	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	{
	    flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	    keytab = NULL;
	} else {
	    if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	    {
		flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
		keytab = NULL;
	    }
	    free(buf);
	}
    }
    if(hup)
    {
	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	{
	    flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s, not updating principal", confgetstr("auth-krb5", "service"), strerror(errno));
	} else {
	    if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &newprinc)) != 0)
	    {
		flog(LOG_CRIT, "could not get principal for service %s: %s, not updating principal", buf, error_message(ret));
	    } else {
		krb5_free_principal(k5context, myprinc);
		myprinc = newprinc;
	    }
	    free(buf);
	}
	if(keytab != NULL)
	    krb5_kt_close(k5context, keytab);
	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	{
	    flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	    keytab = NULL;
	} else {
	    if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	    {
		flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
		keytab = NULL;
	    }
	    free(buf);
	}
    }
    return(0);
}

static void terminate(void)
{
    if(keytab != NULL)
	krb5_kt_close(k5context, keytab);
    krb5_free_principal(k5context, myprinc);
    krb5_free_context(k5context);
}

static struct configvar myvars[] =
{
    {CONF_VAR_STRING, "service", {.str = L"doldacond"}},
    {CONF_VAR_STRING, "keytab", {.str = L""}},
    {CONF_VAR_BOOL, "renewcreds", {.num = 1}},
    {CONF_VAR_BOOL, "usedefcc", {.num = 0}},
    {CONF_VAR_END}
};

static struct module me =
{
    .conf =
    {
	.vars = myvars
    },
    .init = init,
    .terminate = terminate,
    .name = "auth-krb5"
};

MODULE(me);

#endif /* HAVE_KRB5 */
Commit	Line	Data
	1	/*
	2	* Dolda Connect - Modular multiuser Direct Connect-style client
	3	* Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
	7	* the Free Software Foundation; either version 2 of the License, or
	8	* (at your option) any later version.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
	17	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	18	*/
	19
	20	#include <stdlib.h>
	21	#include <unistd.h>
	22	#include <string.h>
	23	#include <errno.h>
	24	#include <pwd.h>
	25	#include <time.h>
	26	#include <sys/stat.h>
	27	#include <sys/param.h>
	28
	29	#ifdef HAVE_CONFIG_H
	30	#include <config.h>
	31	#endif
	32	#include "auth.h"
	33	#include "utils.h"
	34	#include "conf.h"
	35	#include "log.h"
	36	#include "module.h"
	37	#include "sysevents.h"
	38
	39	#ifdef HAVE_KRB5
	40
	41	#include <krb5.h>
	42	#include <com_err.h>
	43
	44	struct krb5data
	45	{
	46	int state;
	47	krb5_auth_context context;
	48	krb5_ticket *ticket;
	49	krb5_creds *creds;
	50	krb5_ccache ccache;
	51	int renew;
	52	struct timer *renewtimer;
	53	char username, cname;
	54	};
	55
	56	static void setrenew(struct krb5data *data);
	57
	58	static krb5_context k5context;
	59	static krb5_principal myprinc;
	60	static krb5_keytab keytab;
	61
	62	static void releasekrb5(struct krb5data *data)
	63	{
	64	if(data->renewtimer != NULL)
	65	canceltimer(data->renewtimer);
	66	if(data->context != NULL)
	67	krb5_auth_con_free(k5context, data->context);
	68	if(data->ticket != NULL)
	69	krb5_free_ticket(k5context, data->ticket);
	70	if(data->creds != NULL)
	71	krb5_free_creds(k5context, data->creds);
	72	if(data->username != NULL)
	73	free(data->username);
	74	if(data->cname != NULL)
	75	free(data->cname);
	76	free(data);
	77	}
	78
	79	static void release(struct authhandle *auth)
	80	{
	81	releasekrb5((struct krb5data *)auth->mechdata);
	82	}
	83
	84	static struct krb5data *newkrb5data(void)
	85	{
	86	struct krb5data *new;
	87
	88	new = smalloc(sizeof(*new));
	89	memset(new, 0, sizeof(*new));
	90	return(new);
	91	}
	92
	93	static int inithandle(struct authhandle auth, char username)
	94	{
	95	int ret;
	96	struct krb5data *data;
	97
	98	data = newkrb5data();
	99	if((ret = krb5_auth_con_init(k5context, &data->context)) != 0)
	100	{
	101	flog(LOG_ERR, "could initialize Kerberos auth context: %s", error_message(ret));
	102	releasekrb5(data);
	103	return(1);
	104	}
	105	krb5_auth_con_setflags(k5context, data->context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
	106	data->username = sstrdup(username);
	107	data->state = 0;
	108	auth->mechdata = data;
	109	return(0);
	110	}
	111
	112	/* Copied from MIT Kerberos 5 1.3.3*/
	113	static krb5_boolean my_krb5_kuserok(krb5_context context, krb5_principal principal, const char luser, const char loginfile, int authbydef)
	114	{
	115	struct stat sbuf;
	116	struct passwd *pwd;
	117	char pbuf[MAXPATHLEN];
	118	krb5_boolean isok = FALSE;
	119	FILE *fp;
	120	char kuser[65];
	121	char *princname;
	122	char linebuf[BUFSIZ];
	123	char *newline;
	124	int gobble;
	125
	126	/* no account => no access */
	127	if ((pwd = getpwnam(luser)) == NULL) {
	128	return(FALSE);
	129	}
	130	(void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
	131	pbuf[sizeof(pbuf) - 1] = '\0';
	132	(void) strncat(pbuf, loginfile, sizeof(pbuf) - 1 - strlen(pbuf));
	133
	134	if (access(pbuf, F_OK)) { /* not accessible */
	135	/*
	136	* if he's trying to log in as himself, and there is no .k5login file,
	137	* let him. To find out, call
	138	* krb5_aname_to_localname to convert the principal to a name
	139	* which we can string compare.
	140	*/
	141	if (authbydef) {
	142	if (!(krb5_aname_to_localname(context, principal,
	143	sizeof(kuser), kuser))
	144	&& (strcmp(kuser, luser) == 0)) {
	145	return(TRUE);
	146	}
	147	} else {
	148	return(FALSE);
	149	}
	150	}
	151	if (krb5_unparse_name(context, principal, &princname))
	152	return(FALSE); /* no hope of matching */
	153
	154	/* open ~/.k5login */
	155	if ((fp = fopen(pbuf, "r")) == NULL) {
	156	free(princname);
	157	return(FALSE);
	158	}
	159	/*
	160	* For security reasons, the .k5login file must be owned either by
	161	* the user himself, or by root. Otherwise, don't grant access.
	162	*/
	163	if (fstat(fileno(fp), &sbuf)) {
	164	fclose(fp);
	165	free(princname);
	166	return(FALSE);
	167	}
	168	if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
	169	fclose(fp);
	170	free(princname);
	171	return(FALSE);
	172	}
	173
	174	/* check each line */
	175	while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
	176	/* null-terminate the input string */
	177	linebuf[BUFSIZ-1] = '\0';
	178	newline = NULL;
	179	/* nuke the newline if it exists */
	180	if ((newline = strchr(linebuf, '\n')))
	181	*newline = '\0';
	182	if (!strcmp(linebuf, princname)) {
	183	isok = TRUE;
	184	continue;
	185	}
	186	/* clean up the rest of the line if necessary */
	187	if (!newline)
	188	while (((gobble = getc(fp)) != EOF) && gobble != '\n');
	189	}
	190	free(princname);
	191	fclose(fp);
	192	return(isok);
	193	}
	194
	195	static void renewcreds(int cancelled, struct krb5data *data)
	196	{
	197	int ret;
	198	char ccnambuf[50];
	199	krb5_ccache tmpcc;
	200	krb5_creds newcreds;
	201	static int ccserial = 0;
	202
	203	data->renewtimer = NULL;
	204	if(cancelled)
	205	return;
	206	memset(&newcreds, 0, sizeof(newcreds));
	207	snprintf(ccnambuf, sizeof(ccnambuf), "MEMORY:%i", ccserial++);
	208	if((ret = krb5_cc_resolve(k5context, ccnambuf, &tmpcc)) != 0)
	209	{
	210	flog(LOG_ERR, "could not resolve a temporary ccache `%s': %s", ccnambuf, error_message(ret));
	211	data->renew = 0;
	212	return;
	213	}
	214	if((ret = krb5_cc_initialize(k5context, tmpcc, data->ticket->enc_part2->client)) != 0)
	215	{
	216	flog(LOG_ERR, "could not initialize temporary ccache: %s", error_message(ret));
	217	krb5_cc_destroy(k5context, tmpcc);
	218	data->renew = 0;
	219	return;
	220	}
	221	if((ret = krb5_cc_store_cred(k5context, tmpcc, data->creds)) != 0)
	222	{
	223	flog(LOG_ERR, "could not store creds into temporary ccache: %s", error_message(ret));
	224	krb5_cc_destroy(k5context, tmpcc);
	225	data->renew = 0;
	226	return;
	227	}
	228	if((ret = krb5_get_renewed_creds(k5context, &newcreds, data->ticket->enc_part2->client, tmpcc, NULL)) != 0)
	229	{
	230	flog(LOG_ERR, "could not get renewed tickets for %s: %s", data->username, error_message(ret));
	231	krb5_cc_destroy(k5context, tmpcc);
	232	data->renew = 0;
	233	return;
	234	}
	235	krb5_free_creds(k5context, data->creds);
	236	data->creds = NULL;
	237	if((ret = krb5_copy_creds(k5context, &newcreds, &data->creds)) != 0)
	238	{
	239	flog(LOG_ERR, "could not copy renewed creds: %s", error_message(ret));
	240	krb5_cc_destroy(k5context, tmpcc);
	241	data->renew = 0;
	242	return;
	243	}
	244	krb5_free_cred_contents(k5context, &newcreds);
	245	krb5_cc_destroy(k5context, tmpcc);
	246	flog(LOG_ERR, "successfully renewed krb5 creds for %s", data->username);
	247	setrenew(data);
	248	}
	249
	250	static void setrenew(struct krb5data *data)
	251	{
	252	krb5_ticket_times times;
	253	time_t now, good;
	254
	255	times = data->creds->times;
	256	if(!times.starttime)
	257	times.starttime = times.authtime;
	258	now = time(NULL);
	259	if(times.endtime < now)
	260	{
	261	flog(LOG_DEBUG, "tickets already expired, cannot renew");
	262	data->renew = 0;
	263	return;
	264	}
	265	good = times.starttime + (((times.endtime - times.starttime) * 9) / 10);
	266	data->renewtimer = timercallback(good, (void ()(int, void ))renewcreds, data);
	267	}
	268
	269	static int krbauth(struct authhandle auth, char passdata)
	270	{
	271	int ret;
	272	struct krb5data *data;
	273	char *msg;
	274	size_t msglen;
	275	int authorized;
	276	krb5_data k5d;
	277	krb5_flags apopt;
	278	krb5_creds **fwdcreds;
	279
	280	data = auth->mechdata;
	281	if(passdata == NULL)
	282	{
	283	auth->prompt = AUTH_PR_AUTO;
	284	if(auth->text != NULL)
	285	free(auth->text);
	286	auth->text = swcsdup(L"Send hex-encoded krb5 data");
	287	data->state = 1;
	288	return(AUTH_PASS);
	289	} else {
	290	if((msg = hexdecode(passdata, &msglen)) == NULL)
	291	{
	292	if(auth->text != NULL)
	293	free(auth->text);
	294	auth->text = swcsdup(L"Invalid hex encoding");
	295	return(AUTH_DENIED);
	296	}
	297	switch(data->state)
	298	{
	299	case 1:
	300	k5d.length = msglen;
	301	k5d.data = msg;
	302	if((ret = krb5_rd_req(k5context, &data->context, &k5d, myprinc, keytab, &apopt, &data->ticket)) != 0)
	303	{
	304	flog(LOG_INFO, "kerberos authentication failed for %s: %s", data->username, error_message(ret));
	305	if(auth->text != NULL)
	306	free(auth->text);
	307	auth->text = icmbstowcs((char *)error_message(ret), NULL);
	308	free(msg);
	309	return(AUTH_DENIED);
	310	}
	311	free(msg);
	312	if(apopt & AP_OPTS_MUTUAL_REQUIRED)
	313	{
	314	if((ret = krb5_mk_rep(k5context, data->context, &k5d)) != 0)
	315	{
	316	flog(LOG_WARNING, "krb5_mk_rep returned an error: %s", error_message(ret));
	317	return(AUTH_ERR);
	318	}
	319	msg = hexencode(k5d.data, k5d.length);
	320	if(auth->text != NULL)
	321	free(auth->text);
	322	auth->text = icmbstowcs(msg, "us-ascii");
	323	free(msg);
	324	free(k5d.data);
	325	} else {
	326	if(auth->text != NULL)
	327	free(auth->text);
	328	auth->text = swcsdup(L"");
	329	}
	330	data->state = 2;
	331	return(AUTH_PASS);
	332	case 2:
	333	ret = atoi(msg);
	334	free(msg);
	335	if(ret == 1)
	336	{
	337	/* That is, the client has accepted us as a valid
	338	* server. Now check if the client is authorized. */
	339	if((ret = krb5_unparse_name(k5context, data->ticket->enc_part2->client, &data->cname)) != 0)
	340	{
	341	flog(LOG_ERR, "krb_unparse_name returned an error: %s", error_message(ret));
	342	return(AUTH_ERR);
	343	}
	344	authorized = 0;
	345	if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.k5login", 1))
	346	authorized = 1;
	347	/* Allow a seperate ACL for DC principals */
	348	if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.dc-k5login", 0))
	349	authorized = 1;
	350	if(authorized)
	351	{
	352	flog(LOG_INFO, "krb5 principal %s successfully authorized as %s%s", data->cname, data->username, (data->creds == NULL)?"":" (with fwd creds)");
	353	return(AUTH_SUCCESS);
	354	} else {
	355	flog(LOG_INFO, "krb5 principal %s not authorized as %s", data->cname, data->username);
	356	}
	357	}
	358	if(ret == 2)
	359	{
	360	if(auth->text != NULL)
	361	free(auth->text);
	362	auth->text = swcsdup(L"");
	363	data->state = 3;
	364	return(AUTH_PASS);
	365	}
	366	return(AUTH_DENIED);
	367	case 3:
	368	k5d.length = msglen;
	369	k5d.data = msg;
	370	if((ret = krb5_rd_cred(k5context, data->context, &k5d, &fwdcreds, NULL)) != 0)
	371	{
	372	flog(LOG_ERR, "krb5_rd_cred returned an error: %s", error_message(ret));
	373	free(msg);
	374	return(AUTH_ERR);
	375	}
	376	free(msg);
	377	if(*fwdcreds == NULL)
	378	{
	379	flog(LOG_ERR, "forwarded credentials array was empty (from %s)", data->username);
	380	krb5_free_tgt_creds(k5context, fwdcreds);
	381	return(AUTH_ERR);
	382	}
	383	/* Copy only the first credential. (Change this if it becomes a problem) */
	384	ret = krb5_copy_creds(k5context, *fwdcreds, &data->creds);
	385	krb5_free_tgt_creds(k5context, fwdcreds);
	386	if(ret != 0)
	387	{
	388	flog(LOG_ERR, "could not copy forwarded credentials: %s", error_message(ret));
	389	return(AUTH_ERR);
	390	}
	391	if(confgetint("auth-krb5", "renewcreds"))
	392	{
	393	data->renew = 1;
	394	setrenew(data);
	395	}
	396	if(auth->text != NULL)
	397	free(auth->text);
	398	auth->text = swcsdup(L"");
	399	data->state = 2;
	400	return(AUTH_PASS);
	401	default:
	402	free(msg);
	403	flog(LOG_ERR, "BUG? Invalid state encountered in krbauth: %i", data->state);
	404	return(AUTH_ERR);
	405	}
	406	}
	407	}
	408
	409	static int opensess(struct authhandle *auth)
	410	{
	411	int ret;
	412	struct krb5data *data;
	413	char buf, buf2;
	414	int fd;
	415	struct passwd *pwent;
	416
	417	data = auth->mechdata;
	418	if(data->creds != NULL)
	419	{
	420	if((pwent = getpwnam(data->username)) == NULL)
	421	{
	422	flog(LOG_ERR, "could not get passwd entry for forwarded tickets (user %s): %s", data->username, strerror(errno));
	423	return(AUTH_ERR);
	424	}
	425	if(!confgetint("auth-krb5", "usedefcc"))
	426	{
	427	buf = sprintf2("/tmp/krb5cc_dc_%i_XXXXXX", pwent->pw_uid);
	428	if((fd = mkstemp(buf)) < 0)
	429	{
	430	free(buf);
	431	flog(LOG_ERR, "could not create temporary file for ccache: %s", strerror(errno));
	432	return(AUTH_ERR);
	433	}
	434	close(fd);
	435	buf2 = sprintf2("FILE:%s", buf);
	436	if((ret = krb5_cc_resolve(k5context, buf2, &data->ccache)) != 0)
	437	{
	438	free(buf);
	439	free(buf2);
	440	flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
	441	return(AUTH_ERR);
	442	}
	443	setenv("KRB5CCNAME", buf2, 1);
	444	free(buf2);
	445	if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	446	{
	447	free(buf);
	448	flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
	449	return(AUTH_ERR);
	450	}
	451	if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	452	{
	453	free(buf);
	454	flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
	455	return(AUTH_ERR);
	456	}
	457	if(chown(buf, pwent->pw_uid, pwent->pw_gid))
	458	{
	459	free(buf);
	460	flog(LOG_ERR, "could not chown new ccache to %i:%i: %s", pwent->pw_uid, pwent->pw_gid, strerror(errno));
	461	return(AUTH_ERR);
	462	}
	463	free(buf);
	464	} else {
	465	if((buf = (char *)krb5_cc_default_name(k5context)) == NULL) {
	466	flog(LOG_ERR, "could not get default ccache name");
	467	return(AUTH_ERR);
	468	}
	469	if((ret = krb5_cc_resolve(k5context, buf, &data->ccache)) != 0)
	470	{
	471	flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
	472	return(AUTH_ERR);
	473	}
	474	setenv("KRB5CCNAME", buf, 1);
	475	if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	476	{
	477	flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
	478	return(AUTH_ERR);
	479	}
	480	if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	481	{
	482	flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
	483	return(AUTH_ERR);
	484	}
	485	}
	486	}
	487	return(AUTH_SUCCESS);
	488	}
	489
	490	static int closesess(struct authhandle *auth)
	491	{
	492	struct krb5data *data;
	493
	494	data = auth->mechdata;
	495	if(data->ccache != NULL)
	496	{
	497	krb5_cc_destroy(k5context, data->ccache);
	498	data->ccache = NULL;
	499	}
	500	return(AUTH_SUCCESS);
	501	}
	502
	503	struct authmech authmech_krb5 =
	504	{
	505	.inithandle = inithandle,
	506	.release = release,
	507	.authenticate = krbauth,
	508	.opensess = opensess,
	509	.closesess = closesess,
	510	.name = L"krb5",
	511	.enabled = 1
	512	};
	513
	514	static int init(int hup)
	515	{
	516	int ret;
	517	char *buf;
	518	krb5_principal newprinc;
	519
	520	if(!hup)
	521	{
	522	regmech(&authmech_krb5);
	523	if((ret = krb5_init_context(&k5context)))
	524	{
	525	flog(LOG_CRIT, "could not initialize Kerberos context: %s", error_message(ret));
	526	return(1);
	527	}
	528	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	529	{
	530	flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s", confgetstr("auth-krb5", "service"), strerror(errno));
	531	return(1);
	532	} else {
	533	if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &myprinc)) != 0)
	534	{
	535	flog(LOG_CRIT, "could not get principal for service %s: %s", buf, error_message(ret));
	536	free(buf);
	537	return(1);
	538	}
	539	free(buf);
	540	}
	541	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	542	{
	543	flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	544	keytab = NULL;
	545	} else {
	546	if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	547	{
	548	flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
	549	keytab = NULL;
	550	}
	551	free(buf);
	552	}
	553	}
	554	if(hup)
	555	{
	556	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	557	{
	558	flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s, not updating principal", confgetstr("auth-krb5", "service"), strerror(errno));
	559	} else {
	560	if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &newprinc)) != 0)
	561	{
	562	flog(LOG_CRIT, "could not get principal for service %s: %s, not updating principal", buf, error_message(ret));
	563	} else {
	564	krb5_free_principal(k5context, myprinc);
	565	myprinc = newprinc;
	566	}
	567	free(buf);
	568	}
	569	if(keytab != NULL)
	570	krb5_kt_close(k5context, keytab);
	571	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	572	{
	573	flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	574	keytab = NULL;
	575	} else {
	576	if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	577	{
	578	flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
	579	keytab = NULL;
	580	}
	581	free(buf);
	582	}
	583	}
	584	return(0);
	585	}
	586
	587	static void terminate(void)
	588	{
	589	if(keytab != NULL)
	590	krb5_kt_close(k5context, keytab);
	591	krb5_free_principal(k5context, myprinc);
	592	krb5_free_context(k5context);
	593	}
	594
	595	static struct configvar myvars[] =
	596	{
	597	{CONF_VAR_STRING, "service", {.str = L"doldacond"}},
	598	{CONF_VAR_STRING, "keytab", {.str = L""}},
	599	{CONF_VAR_BOOL, "renewcreds", {.num = 1}},
	600	{CONF_VAR_BOOL, "usedefcc", {.num = 0}},
	601	{CONF_VAR_END}
	602	};
	603
	604	static struct module me =
	605	{
	606	.conf =
	607	{
	608	.vars = myvars
	609	},
	610	.init = init,
	611	.terminate = terminate,
	612	.name = "auth-krb5"
	613	};
	614
	615	MODULE(me);
	616
	617	#endif /* HAVE_KRB5 */