2 * Dolda Connect - Modular multiuser Direct Connect-style client
3 * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 #include <sys/param.h>
37 #include "sysevents.h"
47 krb5_auth_context context;
52 struct timer *renewtimer;
53 char *username, *cname;
56 static void setrenew(struct krb5data *data);
58 static krb5_context k5context;
59 static krb5_principal myprinc;
60 static krb5_keytab keytab;
62 static void releasekrb5(struct krb5data *data)
64 if(data->renewtimer != NULL)
65 canceltimer(data->renewtimer);
66 if(data->context != NULL)
67 krb5_auth_con_free(k5context, data->context);
68 if(data->ticket != NULL)
69 krb5_free_ticket(k5context, data->ticket);
70 if(data->creds != NULL)
71 krb5_free_creds(k5context, data->creds);
72 if(data->username != NULL)
74 if(data->cname != NULL)
79 static void release(struct authhandle *auth)
81 releasekrb5((struct krb5data *)auth->mechdata);
84 static struct krb5data *newkrb5data(void)
88 new = smalloc(sizeof(*new));
89 memset(new, 0, sizeof(*new));
93 static int inithandle(struct authhandle *auth, char *username)
96 struct krb5data *data;
99 if((ret = krb5_auth_con_init(k5context, &data->context)) != 0)
101 flog(LOG_ERR, "could initialize Kerberos auth context: %s", error_message(ret));
105 krb5_auth_con_setflags(k5context, data->context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
106 data->username = sstrdup(username);
108 auth->mechdata = data;
112 /* Copied from MIT Kerberos 5 1.3.3*/
113 static krb5_boolean my_krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser, const char *loginfile, int authbydef)
117 char pbuf[MAXPATHLEN];
118 krb5_boolean isok = FALSE;
122 char linebuf[BUFSIZ];
126 /* no account => no access */
127 if ((pwd = getpwnam(luser)) == NULL) {
130 (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
131 pbuf[sizeof(pbuf) - 1] = '\0';
132 (void) strncat(pbuf, loginfile, sizeof(pbuf) - 1 - strlen(pbuf));
134 if (access(pbuf, F_OK)) { /* not accessible */
136 * if he's trying to log in as himself, and there is no .k5login file,
137 * let him. To find out, call
138 * krb5_aname_to_localname to convert the principal to a name
139 * which we can string compare.
142 if (!(krb5_aname_to_localname(context, principal,
143 sizeof(kuser), kuser))
144 && (strcmp(kuser, luser) == 0)) {
151 if (krb5_unparse_name(context, principal, &princname))
152 return(FALSE); /* no hope of matching */
154 /* open ~/.k5login */
155 if ((fp = fopen(pbuf, "r")) == NULL) {
160 * For security reasons, the .k5login file must be owned either by
161 * the user himself, or by root. Otherwise, don't grant access.
163 if (fstat(fileno(fp), &sbuf)) {
168 if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
174 /* check each line */
175 while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
176 /* null-terminate the input string */
177 linebuf[BUFSIZ-1] = '\0';
179 /* nuke the newline if it exists */
180 if ((newline = strchr(linebuf, '\n')))
182 if (!strcmp(linebuf, princname)) {
186 /* clean up the rest of the line if necessary */
188 while (((gobble = getc(fp)) != EOF) && gobble != '\n');
195 static void renewcreds(int cancelled, struct krb5data *data)
201 static int ccserial = 0;
203 data->renewtimer = NULL;
206 memset(&newcreds, 0, sizeof(newcreds));
207 snprintf(ccnambuf, sizeof(ccnambuf), "MEMORY:%i", ccserial++);
208 if((ret = krb5_cc_resolve(k5context, ccnambuf, &tmpcc)) != 0)
210 flog(LOG_ERR, "could not resolve a temporary ccache `%s': %s", ccnambuf, error_message(ret));
214 if((ret = krb5_cc_initialize(k5context, tmpcc, data->ticket->enc_part2->client)) != 0)
216 flog(LOG_ERR, "could not initialize temporary ccache: %s", error_message(ret));
217 krb5_cc_destroy(k5context, tmpcc);
221 if((ret = krb5_cc_store_cred(k5context, tmpcc, data->creds)) != 0)
223 flog(LOG_ERR, "could not store creds into temporary ccache: %s", error_message(ret));
224 krb5_cc_destroy(k5context, tmpcc);
228 if((ret = krb5_get_renewed_creds(k5context, &newcreds, data->ticket->enc_part2->client, tmpcc, NULL)) != 0)
230 flog(LOG_ERR, "could not get renewed tickets for %s: %s", data->username, error_message(ret));
231 krb5_cc_destroy(k5context, tmpcc);
235 krb5_free_creds(k5context, data->creds);
237 if((ret = krb5_copy_creds(k5context, &newcreds, &data->creds)) != 0)
239 flog(LOG_ERR, "could not copy renewed creds: %s", error_message(ret));
240 krb5_cc_destroy(k5context, tmpcc);
244 krb5_free_cred_contents(k5context, &newcreds);
245 krb5_cc_destroy(k5context, tmpcc);
246 flog(LOG_ERR, "successfully renewed krb5 creds for %s", data->username);
250 static void setrenew(struct krb5data *data)
252 krb5_ticket_times times;
255 times = data->creds->times;
257 times.starttime = times.authtime;
259 if(times.endtime < now)
261 flog(LOG_DEBUG, "tickets already expired, cannot renew");
265 good = times.starttime + (((times.endtime - times.starttime) * 9) / 10);
266 data->renewtimer = timercallback(good, (void (*)(int, void *))renewcreds, data);
269 static int krbauth(struct authhandle *auth, char *passdata)
272 struct krb5data *data;
278 krb5_creds **fwdcreds;
280 data = auth->mechdata;
283 auth->prompt = AUTH_PR_AUTO;
284 if(auth->text != NULL)
286 auth->text = swcsdup(L"Send hex-encoded krb5 data");
290 if((msg = hexdecode(passdata, &msglen)) == NULL)
292 if(auth->text != NULL)
294 auth->text = swcsdup(L"Invalid hex encoding");
302 if((ret = krb5_rd_req(k5context, &data->context, &k5d, myprinc, keytab, &apopt, &data->ticket)) != 0)
304 flog(LOG_INFO, "kerberos authentication failed for %s: %s", data->username, error_message(ret));
305 if(auth->text != NULL)
307 auth->text = icmbstowcs((char *)error_message(ret), NULL);
312 if(apopt & AP_OPTS_MUTUAL_REQUIRED)
314 if((ret = krb5_mk_rep(k5context, data->context, &k5d)) != 0)
316 flog(LOG_WARNING, "krb5_mk_rep returned an error: %s", error_message(ret));
319 msg = hexencode(k5d.data, k5d.length);
320 if(auth->text != NULL)
322 auth->text = icmbstowcs(msg, "us-ascii");
326 if(auth->text != NULL)
328 auth->text = swcsdup(L"");
337 /* That is, the client has accepted us as a valid
338 * server. Now check if the client is authorized. */
339 if((ret = krb5_unparse_name(k5context, data->ticket->enc_part2->client, &data->cname)) != 0)
341 flog(LOG_ERR, "krb_unparse_name returned an error: %s", error_message(ret));
345 if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.k5login", 1))
347 /* Allow a seperate ACL for DC principals */
348 if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.dc-k5login", 0))
352 flog(LOG_INFO, "krb5 principal %s successfully authorized as %s%s", data->cname, data->username, (data->creds == NULL)?"":" (with fwd creds)");
353 return(AUTH_SUCCESS);
355 flog(LOG_INFO, "krb5 principal %s not authorized as %s", data->cname, data->username);
360 if(auth->text != NULL)
362 auth->text = swcsdup(L"");
370 if((ret = krb5_rd_cred(k5context, data->context, &k5d, &fwdcreds, NULL)) != 0)
372 flog(LOG_ERR, "krb5_rd_cred returned an error: %s", error_message(ret));
377 if(*fwdcreds == NULL)
379 flog(LOG_ERR, "forwarded credentials array was empty (from %s)", data->username);
380 krb5_free_tgt_creds(k5context, fwdcreds);
383 /* Copy only the first credential. (Change this if it becomes a problem) */
384 ret = krb5_copy_creds(k5context, *fwdcreds, &data->creds);
385 krb5_free_tgt_creds(k5context, fwdcreds);
388 flog(LOG_ERR, "could not copy forwarded credentials: %s", error_message(ret));
391 if(confgetint("auth-krb5", "renewcreds"))
396 if(auth->text != NULL)
398 auth->text = swcsdup(L"");
403 flog(LOG_ERR, "BUG? Invalid state encountered in krbauth: %i", data->state);
409 static int opensess(struct authhandle *auth)
412 struct krb5data *data;
415 struct passwd *pwent;
417 data = auth->mechdata;
418 if(data->creds != NULL)
420 if((pwent = getpwnam(data->username)) == NULL)
422 flog(LOG_ERR, "could not get passwd entry for forwarded tickets (user %s): %s", data->username, strerror(errno));
425 if(!confgetint("auth-krb5", "usedefcc"))
427 buf = sprintf2("/tmp/krb5cc_dc_%i_XXXXXX", pwent->pw_uid);
428 if((fd = mkstemp(buf)) < 0)
431 flog(LOG_ERR, "could not create temporary file for ccache: %s", strerror(errno));
435 buf2 = sprintf2("FILE:%s", buf);
436 if((ret = krb5_cc_resolve(k5context, buf2, &data->ccache)) != 0)
440 flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
443 setenv("KRB5CCNAME", buf2, 1);
445 if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
448 flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
451 if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
454 flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
457 if(chown(buf, pwent->pw_uid, pwent->pw_gid))
460 flog(LOG_ERR, "could not chown new ccache to %i:%i: %s", pwent->pw_uid, pwent->pw_gid, strerror(errno));
465 if((buf = (char *)krb5_cc_default_name(k5context)) == NULL) {
466 flog(LOG_ERR, "could not get default ccache name");
469 if((ret = krb5_cc_resolve(k5context, buf, &data->ccache)) != 0)
471 flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
474 setenv("KRB5CCNAME", buf, 1);
475 if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
477 flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
480 if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
482 flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
487 return(AUTH_SUCCESS);
490 static int closesess(struct authhandle *auth)
492 struct krb5data *data;
494 data = auth->mechdata;
495 if(data->ccache != NULL)
497 krb5_cc_destroy(k5context, data->ccache);
500 return(AUTH_SUCCESS);
503 struct authmech authmech_krb5 =
505 .inithandle = inithandle,
507 .authenticate = krbauth,
508 .opensess = opensess,
509 .closesess = closesess,
514 static int init(int hup)
518 krb5_principal newprinc;
522 regmech(&authmech_krb5);
523 if((ret = krb5_init_context(&k5context)))
525 flog(LOG_CRIT, "could not initialize Kerberos context: %s", error_message(ret));
528 if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
530 flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s", confgetstr("auth-krb5", "service"), strerror(errno));
533 if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &myprinc)) != 0)
535 flog(LOG_CRIT, "could not get principal for service %s: %s", buf, error_message(ret));
541 if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
543 flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
546 if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
548 flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
556 if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
558 flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s, not updating principal", confgetstr("auth-krb5", "service"), strerror(errno));
560 if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &newprinc)) != 0)
562 flog(LOG_CRIT, "could not get principal for service %s: %s, not updating principal", buf, error_message(ret));
564 krb5_free_principal(k5context, myprinc);
570 krb5_kt_close(k5context, keytab);
571 if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
573 flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
576 if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
578 flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
587 static void terminate(void)
590 krb5_kt_close(k5context, keytab);
591 krb5_free_principal(k5context, myprinc);
592 krb5_free_context(k5context);
595 static struct configvar myvars[] =
597 /** The name of the service principal to use for Kerberos V
599 {CONF_VAR_STRING, "service", {.str = L"doldacond"}},
600 /** The path to an alternative keytab file. If unspecified, the
601 * system default keytab will be used. */
602 {CONF_VAR_STRING, "keytab", {.str = L""}},
603 /** Whether to renew renewable credentials automatically before
605 {CONF_VAR_BOOL, "renewcreds", {.num = 1}},
606 /** If true, the default credentials cache will be used, which is
607 * useful for e.g. Linux kernel key handling. If false, a file
608 * credentials cache will be created using mkstemp(3), using the
609 * pattern /tmp/krb5cc_dc_$UID_XXXXXX. */
610 {CONF_VAR_BOOL, "usedefcc", {.num = 0}},
614 static struct module me =
621 .terminate = terminate,
627 #endif /* HAVE_KRB5 */