[doldaconnect.git] / daemon / auth-krb5.c

/*
 *  Dolda Connect - Modular multiuser Direct Connect-style client
 *  Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
 *  
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *  
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#include <pwd.h>
#include <time.h>
#include <sys/stat.h>
#include <sys/param.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include "auth.h"
#include "utils.h"
#include "conf.h"
#include "log.h"
#include "module.h"
#include "sysevents.h"

#ifdef HAVE_KRB5

#include <krb5.h>
#include <com_err.h>

struct krb5data
{
    int state;
    krb5_auth_context context;
    krb5_ticket *ticket;
    krb5_creds *creds;
    krb5_ccache ccache;
    int renew;
    struct timer *renewtimer;
    char *username, *cname;
};

static void setrenew(struct krb5data *data);

static krb5_context k5context;
static krb5_principal myprinc;
static krb5_keytab keytab;

static void releasekrb5(struct krb5data *data)
{
    if(data->renewtimer != NULL)
	canceltimer(data->renewtimer);
    if(data->context != NULL)
	krb5_auth_con_free(k5context, data->context);
    if(data->ticket != NULL)
	krb5_free_ticket(k5context, data->ticket);
    if(data->creds != NULL)
	krb5_free_creds(k5context, data->creds);
    if(data->username != NULL)
	free(data->username);
    if(data->cname != NULL)
	free(data->cname);
    free(data);
}

static void release(struct authhandle *auth)
{
    releasekrb5((struct krb5data *)auth->mechdata);
}

static struct krb5data *newkrb5data(void)
{
    struct krb5data *new;
    
    new = smalloc(sizeof(*new));
    memset(new, 0, sizeof(*new));
    return(new);
}

static int inithandle(struct authhandle *auth, char *username)
{
    int ret;
    struct krb5data *data;
    
    data = newkrb5data();
    if((ret = krb5_auth_con_init(k5context, &data->context)) != 0)
    {
	flog(LOG_ERR, "could initialize Kerberos auth context: %s", error_message(ret));
	releasekrb5(data);
	return(1);
    }
    krb5_auth_con_setflags(k5context, data->context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
    data->username = sstrdup(username);
    data->state = 0;
    auth->mechdata = data;
    return(0);
}

/* Copied from MIT Kerberos 5 1.3.3*/
static krb5_boolean my_krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser, const char *loginfile, int authbydef)
{
    struct stat sbuf;
    struct passwd *pwd;
    char pbuf[MAXPATHLEN];
    krb5_boolean isok = FALSE;
    FILE *fp;
    char kuser[65];
    char *princname;
    char linebuf[BUFSIZ];
    char *newline;
    int gobble;

    /* no account => no access */
    if ((pwd = getpwnam(luser)) == NULL) {
	return(FALSE);
    }
    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
    pbuf[sizeof(pbuf) - 1] = '\0';
    (void) strncat(pbuf, loginfile, sizeof(pbuf) - 1 - strlen(pbuf));

    if (access(pbuf, F_OK)) {	 /* not accessible */
	/*
	 * if he's trying to log in as himself, and there is no .k5login file,
	 * let him.  To find out, call
	 * krb5_aname_to_localname to convert the principal to a name
	 * which we can string compare. 
	 */
	if (authbydef) {
	    if (!(krb5_aname_to_localname(context, principal,
					  sizeof(kuser), kuser))
		&& (strcmp(kuser, luser) == 0)) {
		return(TRUE);
	    }
	} else {
	    return(FALSE);
	}
    }
    if (krb5_unparse_name(context, principal, &princname))
	return(FALSE);			/* no hope of matching */

    /* open ~/.k5login */
    if ((fp = fopen(pbuf, "r")) == NULL) {
	free(princname);
	return(FALSE);
    }
    /*
     * For security reasons, the .k5login file must be owned either by
     * the user himself, or by root.  Otherwise, don't grant access.
     */
    if (fstat(fileno(fp), &sbuf)) {
	fclose(fp);
	free(princname);
	return(FALSE);
    }
    if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
	fclose(fp);
	free(princname);
	return(FALSE);
    }

    /* check each line */
    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
	/* null-terminate the input string */
	linebuf[BUFSIZ-1] = '\0';
	newline = NULL;
	/* nuke the newline if it exists */
	if ((newline = strchr(linebuf, '\n')))
	    *newline = '\0';
	if (!strcmp(linebuf, princname)) {
	    isok = TRUE;
	    continue;
	}
	/* clean up the rest of the line if necessary */
	if (!newline)
	    while (((gobble = getc(fp)) != EOF) && gobble != '\n');
    }
    free(princname);
    fclose(fp);
    return(isok);
}

static void renewcreds(int cancelled, struct krb5data *data)
{
    int ret;
    char ccnambuf[50];
    krb5_ccache tmpcc;
    krb5_creds newcreds;
    static int ccserial = 0;
    
    data->renewtimer = NULL;
    if(cancelled)
	return;
    memset(&newcreds, 0, sizeof(newcreds));
    snprintf(ccnambuf, sizeof(ccnambuf), "MEMORY:%i", ccserial++);
    if((ret = krb5_cc_resolve(k5context, ccnambuf, &tmpcc)) != 0)
    {
	flog(LOG_ERR, "could not resolve a temporary ccache `%s': %s", ccnambuf, error_message(ret));
	data->renew = 0;
	return;
    }
    if((ret = krb5_cc_initialize(k5context, tmpcc, data->ticket->enc_part2->client)) != 0)
    {
	flog(LOG_ERR, "could not initialize temporary ccache: %s", error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    if((ret = krb5_cc_store_cred(k5context, tmpcc, data->creds)) != 0)
    {
	flog(LOG_ERR, "could not store creds into temporary ccache: %s", error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    if((ret = krb5_get_renewed_creds(k5context, &newcreds, data->ticket->enc_part2->client, tmpcc, NULL)) != 0)
    {
	flog(LOG_ERR, "could not get renewed tickets for %s: %s", data->username, error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    krb5_free_creds(k5context, data->creds);
    data->creds = NULL;
    if((ret = krb5_copy_creds(k5context, &newcreds, &data->creds)) != 0)
    {
	flog(LOG_ERR, "could not copy renewed creds: %s", error_message(ret));
	krb5_cc_destroy(k5context, tmpcc);
	data->renew = 0;
	return;
    }
    krb5_free_cred_contents(k5context, &newcreds);
    krb5_cc_destroy(k5context, tmpcc);
    flog(LOG_ERR, "successfully renewed krb5 creds for %s", data->username);
    setrenew(data);
}

static void setrenew(struct krb5data *data)
{
    krb5_ticket_times times;
    time_t now, good;
    
    times = data->creds->times;
    if(!times.starttime)
	times.starttime = times.authtime;
    now = time(NULL);
    if(times.endtime < now)
    {
	flog(LOG_DEBUG, "tickets already expired, cannot renew");
	data->renew = 0;
	return;
    }
    good = times.starttime + (((times.endtime - times.starttime) * 9) / 10);
    data->renewtimer = timercallback(good, (void (*)(int, void *))renewcreds, data);
}

static int krbauth(struct authhandle *auth, char *passdata)
{
    int ret;
    struct krb5data *data;
    char *msg;
    size_t msglen;
    int authorized;
    krb5_data k5d;
    krb5_flags apopt;
    krb5_creds **fwdcreds;
    
    data = auth->mechdata;
    if(passdata == NULL)
    {
	auth->prompt = AUTH_PR_AUTO;
	if(auth->text != NULL)
	    free(auth->text);
	auth->text = swcsdup(L"Send hex-encoded krb5 data");
	data->state = 1;
	return(AUTH_PASS);
    } else {
	if((msg = hexdecode(passdata, &msglen)) == NULL)
	{
	    if(auth->text != NULL)
		free(auth->text);
	    auth->text = swcsdup(L"Invalid hex encoding");
	    return(AUTH_DENIED);
	}
	switch(data->state)
	{
	case 1:
	    k5d.length = msglen;
	    k5d.data = msg;
	    if((ret = krb5_rd_req(k5context, &data->context, &k5d, myprinc, keytab, &apopt, &data->ticket)) != 0)
	    {
		flog(LOG_INFO, "kerberos authentication failed for %s: %s", data->username, error_message(ret));
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = icmbstowcs((char *)error_message(ret), NULL);
		return(AUTH_DENIED);
	    }
	    free(msg);
	    if(apopt & AP_OPTS_MUTUAL_REQUIRED)
	    {
		if((ret = krb5_mk_rep(k5context, data->context, &k5d)) != 0)
		{
		    flog(LOG_WARNING, "krb5_mk_rep returned an error: %s", error_message(ret));
		    return(AUTH_ERR);
		}
		msg = hexencode(k5d.data, k5d.length);
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = icmbstowcs(msg, "us-ascii");
		free(msg);
		free(k5d.data);
	    } else {
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = swcsdup(L"");
	    }
	    data->state = 2;
	    return(AUTH_PASS);
	case 2:
	    ret = atoi(msg);
	    free(msg);
	    if(ret == 1)
	    {
		/* That is, the client has accepted us as a valid
		 * server.  Now check if the client is authorized. */
		if((ret = krb5_unparse_name(k5context, data->ticket->enc_part2->client, &data->cname)) != 0)
		{
		    flog(LOG_ERR, "krb_unparse_name returned an error: %s", error_message(ret));
		    return(AUTH_ERR);
		}
		authorized = 0;
		if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.k5login", 1))
		    authorized = 1;
		/* Allow a seperate ACL for DC principals */
		if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.dc-k5login", 0))
		    authorized = 1;
		if(authorized)
		{
		    flog(LOG_INFO, "krb5 principal %s successfully authorized as %s", data->cname, data->username);
		    return(AUTH_SUCCESS);
		} else {
		    flog(LOG_INFO, "krb5 principal %s not authorized as %s", data->cname, data->username);
		}
	    }
	    if(ret == 2)
	    {
		if(auth->text != NULL)
		    free(auth->text);
		auth->text = swcsdup(L"");
		data->state = 3;
		return(AUTH_PASS);
	    }
	    return(AUTH_DENIED);
	case 3:
	    k5d.length = msglen;
	    k5d.data = msg;
	    if((ret = krb5_rd_cred(k5context, data->context, &k5d, &fwdcreds, NULL)) != 0)
	    {
		flog(LOG_ERR, "krb5_rd_cred returned an error: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if(*fwdcreds == NULL)
	    {
		flog(LOG_ERR, "forwarded credentials array was empty (from %s)", data->username);
		krb5_free_tgt_creds(k5context, fwdcreds);
		return(AUTH_ERR);
	    }
	    flog(LOG_INFO, "received forwarded credentials for %s", data->username);
	    /* Copy only the first credential. (Change this if it becomes a problem) */
	    ret = krb5_copy_creds(k5context, *fwdcreds, &data->creds);
	    krb5_free_tgt_creds(k5context, fwdcreds);
	    if(ret != 0)
	    {
		flog(LOG_ERR, "could not copy forwarded credentials: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if(confgetint("auth-krb5", "renewcreds"))
	    {
		data->renew = 1;
		setrenew(data);
	    }
	    if(auth->text != NULL)
		free(auth->text);
	    auth->text = swcsdup(L"");
	    data->state = 2;
	    return(AUTH_PASS);
	default:
	    free(msg);
	    flog(LOG_ERR, "BUG? Invalid state encountered in krbauth: %i", data->state);
	    return(AUTH_ERR);
	}
    }
}

static int opensess(struct authhandle *auth)
{
    int ret;
    struct krb5data *data;
    char *buf, *buf2;
    int fd;
    struct passwd *pwent;
    
    data = auth->mechdata;
    if(data->creds != NULL)
    {
	if((pwent = getpwnam(data->username)) == NULL)
	{
	    flog(LOG_ERR, "could not get passwd entry for forwarded tickets (user %s): %s", data->username, strerror(errno));
	    return(AUTH_ERR);
	}
	if(confgetint("auth-krb5", "usedefcc"))
	{
	    buf = sprintf2("/tmp/krb5cc_dc_%i_XXXXXX", pwent->pw_uid);
	    if((fd = mkstemp(buf)) < 0)
	    {
		free(buf);
		flog(LOG_ERR, "could not create temporary file for ccache: %s", strerror(errno));
		return(AUTH_ERR);
	    }
	    close(fd);
	    buf2 = sprintf2("FILE:%s", buf);
	    if((ret = krb5_cc_resolve(k5context, buf2, &data->ccache)) != 0)
	    {
		free(buf);
		free(buf2);
		flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
		return(AUTH_ERR);
	    }
	    setenv("KRB5CCNAME", buf2, 1);
	    free(buf2);
	    if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	    {
		free(buf);
		flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	    {
		free(buf);
		flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if(chown(buf, pwent->pw_uid, pwent->pw_gid))
	    {
		free(buf);
		flog(LOG_ERR, "could not chown new ccache to %i:%i: %s", pwent->pw_uid, pwent->pw_gid, strerror(errno));
		return(AUTH_ERR);
	    }
	    free(buf);
	} else {
	    if((buf = krb5_cc_default_name(k5context)) == NULL) {
		flog(LOG_ERR, "could not get default ccache name");
		return(AUTH_ERR);
	    }
	    if((ret = krb5_cc_resolve(k5context, buf, &data->ccache)) != 0)
	    {
		flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
		return(AUTH_ERR);
	    }
	    setenv("KRB5CCNAME", buf, 1);
	    if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	    {
		flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	    if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	    {
		flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
		return(AUTH_ERR);
	    }
	}
    }
    return(AUTH_SUCCESS);
}

static int closesess(struct authhandle *auth)
{
    struct krb5data *data;
    
    data = auth->mechdata;
    if(data->ccache != NULL)
    {
	krb5_cc_destroy(k5context, data->ccache);
	data->ccache = NULL;
    }
    return(AUTH_SUCCESS);
}

struct authmech authmech_krb5 =
{
    .inithandle = inithandle,
    .release = release,
    .authenticate = krbauth,
    .opensess = opensess,
    .closesess = closesess,
    .name = L"krb5",
    .enabled = 1
};

static int init(int hup)
{
    int ret;
    char *buf;
    krb5_principal newprinc;
    
    if(!hup)
    {
	regmech(&authmech_krb5);
	if((ret = krb5_init_context(&k5context)))
	{
	    flog(LOG_CRIT, "could not initialize Kerberos context: %s", error_message(ret));
	    return(1);
	}
	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	{
	    flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s", confgetstr("auth-krb5", "service"), strerror(errno));
	    return(1);
	} else {
	    if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &myprinc)) != 0)
	    {
		flog(LOG_CRIT, "could not get principal for service %s: %s", buf, error_message(ret));
		free(buf);
		return(1);
	    }
	    free(buf);
	}
	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	{
	    flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	    keytab = NULL;
	} else {
	    if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	    {
		flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
		keytab = NULL;
	    }
	    free(buf);
	}
    }
    if(hup)
    {
	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	{
	    flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s, not updating principal", confgetstr("auth-krb5", "service"), strerror(errno));
	} else {
	    if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &newprinc)) != 0)
	    {
		flog(LOG_CRIT, "could not get principal for service %s: %s, not updating principal", buf, error_message(ret));
	    } else {
		krb5_free_principal(k5context, myprinc);
		myprinc = newprinc;
	    }
	    free(buf);
	}
	if(keytab != NULL)
	    krb5_kt_close(k5context, keytab);
	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	{
	    flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	    keytab = NULL;
	} else {
	    if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	    {
		flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
		keytab = NULL;
	    }
	    free(buf);
	}
    }
    return(0);
}

static void terminate(void)
{
    if(keytab != NULL)
	krb5_kt_close(k5context, keytab);
    krb5_free_principal(k5context, myprinc);
    krb5_free_context(k5context);
}

static struct configvar myvars[] =
{
    {CONF_VAR_STRING, "service", {.str = L"doldacond"}},
    {CONF_VAR_STRING, "keytab", {.str = L""}},
    {CONF_VAR_BOOL, "renewcreds", {.num = 1}},
    {CONF_VAR_BOOL, "usedefcc", {.num = 0}},
    {CONF_VAR_END}
};

static struct module me =
{
    .conf =
    {
	.vars = myvars
    },
    .init = init,
    .terminate = terminate,
    .name = "auth-krb5"
};

MODULE(me);

#endif /* HAVE_KRB5 */
Commit	Line	Data
d3372da9	1	/*
	2	* Dolda Connect - Modular multiuser Direct Connect-style client
	3	* Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
	7	* the Free Software Foundation; either version 2 of the License, or
	8	* (at your option) any later version.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
	17	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	18	*/
	19
	20	#include <stdlib.h>
	21	#include <unistd.h>
	22	#include <string.h>
	23	#include <errno.h>
	24	#include <pwd.h>
	25	#include <time.h>
	26	#include <sys/stat.h>
	27	#include <sys/param.h>
	28
	29	#ifdef HAVE_CONFIG_H
	30	#include <config.h>
	31	#endif
	32	#include "auth.h"
	33	#include "utils.h"
	34	#include "conf.h"
	35	#include "log.h"
	36	#include "module.h"
	37	#include "sysevents.h"
	38
	39	#ifdef HAVE_KRB5
	40
	41	#include <krb5.h>
	42	#include <com_err.h>
	43
	44	struct krb5data
	45	{
	46	int state;
	47	krb5_auth_context context;
	48	krb5_ticket *ticket;
	49	krb5_creds *creds;
	50	krb5_ccache ccache;
	51	int renew;
	52	struct timer *renewtimer;
	53	char username, cname;
	54	};
	55
	56	static void setrenew(struct krb5data *data);
	57
	58	static krb5_context k5context;
	59	static krb5_principal myprinc;
	60	static krb5_keytab keytab;
	61
	62	static void releasekrb5(struct krb5data *data)
	63	{
	64	if(data->renewtimer != NULL)
65	canceltimer(data->renewtimer);
66	if(data->context != NULL)
67	krb5_auth_con_free(k5context, data->context);
68	if(data->ticket != NULL)
69	krb5_free_ticket(k5context, data->ticket);
70	if(data->creds != NULL)
71	krb5_free_creds(k5context, data->creds);
72	if(data->username != NULL)
73	free(data->username);
74	if(data->cname != NULL)
75	free(data->cname);
76	free(data);
77	}
78
79	static void release(struct authhandle *auth)
80	{
81	releasekrb5((struct krb5data *)auth->mechdata);
82	}
83
84	static struct krb5data *newkrb5data(void)
85	{
86	struct krb5data *new;
87
88	new = smalloc(sizeof(*new));
89	memset(new, 0, sizeof(*new));
90	return(new);
91	}
92
93	static int inithandle(struct authhandle auth, char username)
94	{
95	int ret;
96	struct krb5data *data;
97
98	data = newkrb5data();
99	if((ret = krb5_auth_con_init(k5context, &data->context)) != 0)
100	{
101	flog(LOG_ERR, "could initialize Kerberos auth context: %s", error_message(ret));
102	releasekrb5(data);
103	return(1);
104	}
105	krb5_auth_con_setflags(k5context, data->context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
106	data->username = sstrdup(username);
107	data->state = 0;
108	auth->mechdata = data;
109	return(0);
110	}
111
112	/* Copied from MIT Kerberos 5 1.3.3*/
113	static krb5_boolean my_krb5_kuserok(krb5_context context, krb5_principal principal, const char luser, const char loginfile, int authbydef)
114	{
115	struct stat sbuf;
116	struct passwd *pwd;
117	char pbuf[MAXPATHLEN];
118	krb5_boolean isok = FALSE;
119	FILE *fp;
120	char kuser[65];
121	char *princname;
122	char linebuf[BUFSIZ];
123	char *newline;
124	int gobble;
125
126	/* no account => no access */
127	if ((pwd = getpwnam(luser)) == NULL) {
128	return(FALSE);
129	}
130	(void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
131	pbuf[sizeof(pbuf) - 1] = '\0';
132	(void) strncat(pbuf, loginfile, sizeof(pbuf) - 1 - strlen(pbuf));
133
134	if (access(pbuf, F_OK)) { /* not accessible */
135	/*
136	* if he's trying to log in as himself, and there is no .k5login file,
137	* let him. To find out, call
138	* krb5_aname_to_localname to convert the principal to a name
139	* which we can string compare.
140	*/
141	if (authbydef) {
142	if (!(krb5_aname_to_localname(context, principal,
143	sizeof(kuser), kuser))
144	&& (strcmp(kuser, luser) == 0)) {
145	return(TRUE);
146	}
147	} else {
148	return(FALSE);
149	}
150	}
151	if (krb5_unparse_name(context, principal, &princname))
152	return(FALSE); /* no hope of matching */
153
154	/* open ~/.k5login */
155	if ((fp = fopen(pbuf, "r")) == NULL) {
156	free(princname);
157	return(FALSE);
158	}
159	/*
160	* For security reasons, the .k5login file must be owned either by
161	* the user himself, or by root. Otherwise, don't grant access.
162	*/
163	if (fstat(fileno(fp), &sbuf)) {
164	fclose(fp);
165	free(princname);
166	return(FALSE);
167	}
168	if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
169	fclose(fp);
170	free(princname);
171	return(FALSE);
172	}
173
174	/* check each line */
175	while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
176	/* null-terminate the input string */
177	linebuf[BUFSIZ-1] = '\0';
178	newline = NULL;
179	/* nuke the newline if it exists */
180	if ((newline = strchr(linebuf, '\n')))
181	*newline = '\0';
182	if (!strcmp(linebuf, princname)) {
183	isok = TRUE;
184	continue;
185	}
186	/* clean up the rest of the line if necessary */
187	if (!newline)
188	while (((gobble = getc(fp)) != EOF) && gobble != '\n');
189	}
190	free(princname);
191	fclose(fp);
192	return(isok);
193	}
194
195	static void renewcreds(int cancelled, struct krb5data *data)
196	{
197	int ret;
198	char ccnambuf[50];
199	krb5_ccache tmpcc;
200	krb5_creds newcreds;
201	static int ccserial = 0;
202
203	data->renewtimer = NULL;
204	if(cancelled)
205	return;
206	memset(&newcreds, 0, sizeof(newcreds));
207	snprintf(ccnambuf, sizeof(ccnambuf), "MEMORY:%i", ccserial++);
208	if((ret = krb5_cc_resolve(k5context, ccnambuf, &tmpcc)) != 0)
209	{
210	flog(LOG_ERR, "could not resolve a temporary ccache `%s': %s", ccnambuf, error_message(ret));
211	data->renew = 0;
212	return;
213	}
214	if((ret = krb5_cc_initialize(k5context, tmpcc, data->ticket->enc_part2->client)) != 0)
215	{
216	flog(LOG_ERR, "could not initialize temporary ccache: %s", error_message(ret));
217	krb5_cc_destroy(k5context, tmpcc);
218	data->renew = 0;
219	return;
220	}
221	if((ret = krb5_cc_store_cred(k5context, tmpcc, data->creds)) != 0)
222	{
223	flog(LOG_ERR, "could not store creds into temporary ccache: %s", error_message(ret));
224	krb5_cc_destroy(k5context, tmpcc);
225	data->renew = 0;
226	return;
227	}
228	if((ret = krb5_get_renewed_creds(k5context, &newcreds, data->ticket->enc_part2->client, tmpcc, NULL)) != 0)
229	{
230	flog(LOG_ERR, "could not get renewed tickets for %s: %s", data->username, error_message(ret));
231	krb5_cc_destroy(k5context, tmpcc);
232	data->renew = 0;
233	return;
234	}
235	krb5_free_creds(k5context, data->creds);
236	data->creds = NULL;
237	if((ret = krb5_copy_creds(k5context, &newcreds, &data->creds)) != 0)
238	{
239	flog(LOG_ERR, "could not copy renewed creds: %s", error_message(ret));
240	krb5_cc_destroy(k5context, tmpcc);
241	data->renew = 0;
242	return;
243	}
244	krb5_free_cred_contents(k5context, &newcreds);
245	krb5_cc_destroy(k5context, tmpcc);
246	flog(LOG_ERR, "successfully renewed krb5 creds for %s", data->username);
247	setrenew(data);
248	}
249
250	static void setrenew(struct krb5data *data)
251	{
252	krb5_ticket_times times;
253	time_t now, good;
254
255	times = data->creds->times;
256	if(!times.starttime)
257	times.starttime = times.authtime;
258	now = time(NULL);
259	if(times.endtime < now)
260	{
261	flog(LOG_DEBUG, "tickets already expired, cannot renew");
262	data->renew = 0;
263	return;
264	}
265	good = times.starttime + (((times.endtime - times.starttime) * 9) / 10);
266	data->renewtimer = timercallback(good, (void ()(int, void ))renewcreds, data);
267	}
268
269	static int krbauth(struct authhandle auth, char passdata)
270	{
271	int ret;
272	struct krb5data *data;
273	char *msg;
274	size_t msglen;
275	int authorized;
276	krb5_data k5d;
277	krb5_flags apopt;
278	krb5_creds **fwdcreds;
279
280	data = auth->mechdata;
281	if(passdata == NULL)
282	{
283	auth->prompt = AUTH_PR_AUTO;
284	if(auth->text != NULL)
285	free(auth->text);
286	auth->text = swcsdup(L"Send hex-encoded krb5 data");
287	data->state = 1;
288	return(AUTH_PASS);
289	} else {
290	if((msg = hexdecode(passdata, &msglen)) == NULL)
291	{
292	if(auth->text != NULL)
293	free(auth->text);
294	auth->text = swcsdup(L"Invalid hex encoding");
295	return(AUTH_DENIED);
296	}
297	switch(data->state)
298	{
299	case 1:
300	k5d.length = msglen;
301	k5d.data = msg;
302	if((ret = krb5_rd_req(k5context, &data->context, &k5d, myprinc, keytab, &apopt, &data->ticket)) != 0)
303	{
304	flog(LOG_INFO, "kerberos authentication failed for %s: %s", data->username, error_message(ret));
305	if(auth->text != NULL)
306	free(auth->text);
307	auth->text = icmbstowcs((char *)error_message(ret), NULL);
308	return(AUTH_DENIED);
309	}
310	free(msg);
311	if(apopt & AP_OPTS_MUTUAL_REQUIRED)
312	{
313	if((ret = krb5_mk_rep(k5context, data->context, &k5d)) != 0)
314	{
315	flog(LOG_WARNING, "krb5_mk_rep returned an error: %s", error_message(ret));
316	return(AUTH_ERR);
317	}
318	msg = hexencode(k5d.data, k5d.length);
319	if(auth->text != NULL)
320	free(auth->text);
321	auth->text = icmbstowcs(msg, "us-ascii");
322	free(msg);
323	free(k5d.data);
324	} else {
325	if(auth->text != NULL)
326	free(auth->text);
327	auth->text = swcsdup(L"");
328	}
329	data->state = 2;
330	return(AUTH_PASS);
331	case 2:
332	ret = atoi(msg);
333	free(msg);
334	if(ret == 1)
335	{
336	/* That is, the client has accepted us as a valid
337	* server. Now check if the client is authorized. */
338	if((ret = krb5_unparse_name(k5context, data->ticket->enc_part2->client, &data->cname)) != 0)
339	{
340	flog(LOG_ERR, "krb_unparse_name returned an error: %s", error_message(ret));
341	return(AUTH_ERR);
342	}
343	authorized = 0;
344	if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.k5login", 1))
345	authorized = 1;
346	/* Allow a seperate ACL for DC principals */
347	if(!authorized && my_krb5_kuserok(k5context, data->ticket->enc_part2->client, data->username, "/.dc-k5login", 0))
348	authorized = 1;
349	if(authorized)
350	{
351	flog(LOG_INFO, "krb5 principal %s successfully authorized as %s", data->cname, data->username);
352	return(AUTH_SUCCESS);
353	} else {
354	flog(LOG_INFO, "krb5 principal %s not authorized as %s", data->cname, data->username);
355	}
356	}
357	if(ret == 2)
358	{
359	if(auth->text != NULL)
360	free(auth->text);
361	auth->text = swcsdup(L"");
362	data->state = 3;
363	return(AUTH_PASS);
364	}
365	return(AUTH_DENIED);
366	case 3:
367	k5d.length = msglen;
368	k5d.data = msg;
369	if((ret = krb5_rd_cred(k5context, data->context, &k5d, &fwdcreds, NULL)) != 0)
370	{
371	flog(LOG_ERR, "krb5_rd_cred returned an error: %s", error_message(ret));
372	return(AUTH_ERR);
373	}
374	if(*fwdcreds == NULL)
375	{
376	flog(LOG_ERR, "forwarded credentials array was empty (from %s)", data->username);
377	krb5_free_tgt_creds(k5context, fwdcreds);
378	return(AUTH_ERR);
379	}
380	flog(LOG_INFO, "received forwarded credentials for %s", data->username);
381	/* Copy only the first credential. (Change this if it becomes a problem) */
382	ret = krb5_copy_creds(k5context, *fwdcreds, &data->creds);
383	krb5_free_tgt_creds(k5context, fwdcreds);
384	if(ret != 0)
385	{
386	flog(LOG_ERR, "could not copy forwarded credentials: %s", error_message(ret));
387	return(AUTH_ERR);
388	}
389	if(confgetint("auth-krb5", "renewcreds"))
390	{
391	data->renew = 1;
392	setrenew(data);
393	}
394	if(auth->text != NULL)
395	free(auth->text);
396	auth->text = swcsdup(L"");
397	data->state = 2;
398	return(AUTH_PASS);
399	default:
400	free(msg);
401	flog(LOG_ERR, "BUG? Invalid state encountered in krbauth: %i", data->state);
402	return(AUTH_ERR);
403	}
404	}
405	}
406
407	static int opensess(struct authhandle *auth)
408	{
409	int ret;
410	struct krb5data *data;
411	char buf, buf2;
412	int fd;
413	struct passwd *pwent;
414
415	data = auth->mechdata;
416	if(data->creds != NULL)
417	{
418	if((pwent = getpwnam(data->username)) == NULL)
419	{
420	flog(LOG_ERR, "could not get passwd entry for forwarded tickets (user %s): %s", data->username, strerror(errno));
421	return(AUTH_ERR);
422	}
56838143	423	if(confgetint("auth-krb5", "usedefcc"))
d3372da9	424	{
56838143	425	buf = sprintf2("/tmp/krb5cc_dc_%i_XXXXXX", pwent->pw_uid);
	426	if((fd = mkstemp(buf)) < 0)
	427	{
	428	free(buf);
	429	flog(LOG_ERR, "could not create temporary file for ccache: %s", strerror(errno));
	430	return(AUTH_ERR);
	431	}
	432	close(fd);
	433	buf2 = sprintf2("FILE:%s", buf);
	434	if((ret = krb5_cc_resolve(k5context, buf2, &data->ccache)) != 0)
	435	{
	436	free(buf);
	437	free(buf2);
	438	flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
	439	return(AUTH_ERR);
	440	}
	441	setenv("KRB5CCNAME", buf2, 1);
d3372da9	442	free(buf2);
56838143	443	if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	444	{
	445	free(buf);
	446	flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
	447	return(AUTH_ERR);
	448	}
	449	if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	450	{
	451	free(buf);
	452	flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
	453	return(AUTH_ERR);
	454	}
	455	if(chown(buf, pwent->pw_uid, pwent->pw_gid))
	456	{
	457	free(buf);
	458	flog(LOG_ERR, "could not chown new ccache to %i:%i: %s", pwent->pw_uid, pwent->pw_gid, strerror(errno));
	459	return(AUTH_ERR);
	460	}
d3372da9	461	free(buf);
56838143	462	} else {
	463	if((buf = krb5_cc_default_name(k5context)) == NULL) {
	464	flog(LOG_ERR, "could not get default ccache name");
	465	return(AUTH_ERR);
	466	}
	467	if((ret = krb5_cc_resolve(k5context, buf, &data->ccache)) != 0)
	468	{
	469	flog(LOG_ERR, "could not resolve ccache name \"%s\": %s", buf2, error_message(ret));
	470	return(AUTH_ERR);
	471	}
	472	setenv("KRB5CCNAME", buf, 1);
	473	if((ret = krb5_cc_initialize(k5context, data->ccache, data->ticket->enc_part2->client)) != 0)
	474	{
	475	flog(LOG_ERR, "could not initialize ccache: %s", error_message(ret));
	476	return(AUTH_ERR);
	477	}
	478	if((ret = krb5_cc_store_cred(k5context, data->ccache, data->creds)) != 0)
	479	{
	480	flog(LOG_ERR, "could not store forwarded TGT into ccache: %s", error_message(ret));
	481	return(AUTH_ERR);
	482	}
d3372da9	483	}
d3372da9	484	}
	485	return(AUTH_SUCCESS);
	486	}
	487
	488	static int closesess(struct authhandle *auth)
	489	{
	490	struct krb5data *data;
	491
	492	data = auth->mechdata;
	493	if(data->ccache != NULL)
	494	{
	495	krb5_cc_destroy(k5context, data->ccache);
	496	data->ccache = NULL;
	497	}
	498	return(AUTH_SUCCESS);
	499	}
	500
	501	struct authmech authmech_krb5 =
	502	{
	503	.inithandle = inithandle,
	504	.release = release,
	505	.authenticate = krbauth,
	506	.opensess = opensess,
	507	.closesess = closesess,
	508	.name = L"krb5",
	509	.enabled = 1
	510	};
	511
	512	static int init(int hup)
	513	{
	514	int ret;
	515	char *buf;
	516	krb5_principal newprinc;
	517
	518	if(!hup)
	519	{
	520	regmech(&authmech_krb5);
	521	if((ret = krb5_init_context(&k5context)))
	522	{
	523	flog(LOG_CRIT, "could not initialize Kerberos context: %s", error_message(ret));
	524	return(1);
	525	}
	526	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
	527	{
	528	flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s", confgetstr("auth-krb5", "service"), strerror(errno));
	529	return(1);
	530	} else {
	531	if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &myprinc)) != 0)
	532	{
	533	flog(LOG_CRIT, "could not get principal for service %s: %s", buf, error_message(ret));
	534	free(buf);
	535	return(1);
	536	}
	537	free(buf);
	538	}
	539	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
	540	{
	541	flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
	542	keytab = NULL;
	543	} else {
	544	if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
	545	{
	546	flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
	547	keytab = NULL;
548	}
549	free(buf);
550	}
551	}
552	if(hup)
553	{
554	if((buf = icwcstombs(confgetstr("auth-krb5", "service"), NULL)) == NULL)
555	{
556	flog(LOG_CRIT, "could not convert service name (%ls) into local charset: %s, not updating principal", confgetstr("auth-krb5", "service"), strerror(errno));
557	} else {
558	if((ret = krb5_sname_to_principal(k5context, NULL, buf, KRB5_NT_SRV_HST, &newprinc)) != 0)
559	{
560	flog(LOG_CRIT, "could not get principal for service %s: %s, not updating principal", buf, error_message(ret));
561	} else {
562	krb5_free_principal(k5context, myprinc);
563	myprinc = newprinc;
564	}
565	free(buf);
566	}
567	if(keytab != NULL)
568	krb5_kt_close(k5context, keytab);
569	if((buf = icwcstombs(confgetstr("auth-krb5", "keytab"), NULL)) == NULL)
570	{
571	flog(LOG_ERR, "could not convert keytab name (%ls) into local charset: %s, using default keytab instead", confgetstr("auth-krb5", "keytab"), strerror(errno));
572	keytab = NULL;
573	} else {
574	if((ret = krb5_kt_resolve(k5context, buf, &keytab)) != 0)
575	{
576	flog(LOG_ERR, "could not open keytab %s: %s, using default keytab instead", buf, error_message(ret));
577	keytab = NULL;
578	}
579	free(buf);
580	}
581	}
582	return(0);
583	}
584
585	static void terminate(void)
586	{
587	if(keytab != NULL)
588	krb5_kt_close(k5context, keytab);
589	krb5_free_principal(k5context, myprinc);
590	krb5_free_context(k5context);
591	}
592
593	static struct configvar myvars[] =
594	{
595	{CONF_VAR_STRING, "service", {.str = L"doldacond"}},
596	{CONF_VAR_STRING, "keytab", {.str = L""}},
597	{CONF_VAR_BOOL, "renewcreds", {.num = 1}},
56838143	598	{CONF_VAR_BOOL, "usedefcc", {.num = 0}},
d3372da9	599	{CONF_VAR_END}
	600	};
	601
	602	static struct module me =
	603	{
	604	.conf =
	605	{
	606	.vars = myvars
	607	},
	608	.init = init,
	609	.terminate = terminate,
	610	.name = "auth-krb5"
	611	};
	612
	613	MODULE(me);
	614
	615	#endif /* HAVE_KRB5 */