void plain_dump_principal ();
-krb5_data tgtname = {
- 0,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME
-};
-
/*
* Try no preauthentication first; then try the encrypted timestamp
*/
-krb5_preauthtype preauth_list[2] = { 0, -1 };
krb5_preauthtype * preauth_ptr = NULL;
char *hostname;
opt_info *options;
char *target_user;
-uid_t target_uid;
+ uid_t target_uid;
krb5_ccache cc;
int *path_passwd;
{
-krb5_principal client, server;
-krb5_creds tgt, tgtq, in_creds, * out_creds;
-krb5_creds **tgts = NULL; /* list of ticket granting tickets */
-
-krb5_ticket * target_tkt; /* decrypted ticket for server */
-krb5_error_code retval =0;
-int got_it = 0;
-krb5_boolean zero_password;
-
- *path_passwd = 0;
- memset((char *) &tgtq, 0, sizeof(tgtq));
- memset((char *) &tgt, 0, sizeof(tgt));
- memset((char *) &in_creds, 0, sizeof(krb5_creds));
-
+ krb5_principal client, server;
+ krb5_creds tgt, tgtq, in_creds, * out_creds;
+ krb5_creds **tgts = NULL; /* list of ticket granting tickets */
+
+ krb5_ticket * target_tkt; /* decrypted ticket for server */
+ krb5_error_code retval =0;
+ int got_it = 0;
+ krb5_boolean zero_password;
+
+ *path_passwd = 0;
+ memset((char *) &tgtq, 0, sizeof(tgtq));
+ memset((char *) &tgt, 0, sizeof(tgt));
+ memset((char *) &in_creds, 0, sizeof(krb5_creds));
+
- if ((retval= krb5_copy_principal(context, client_pname, &client))){
- com_err(prog_name, retval,"while copying client principal");
- return (FALSE) ;
- }
-
- if (auth_debug)
- { dump_principal(context, "krb5_auth_check: Client principal name", client); }
-
- if ((retval = krb5_sname_to_principal(context, hostname, NULL,
- KRB5_NT_SRV_HST, &server))){
- com_err(prog_name, retval,
- "while creating server %s principal name", hostname);
- krb5_free_principal(context, client);
- return (FALSE) ;
- }
-
- if (auth_debug)
- { dump_principal(context, "krb5_auth_check: Server principal name", server); }
-
-
-
- /* check if ticket is already in the cache, if it is
- then use it.
- */
- if( krb5_fast_auth(context, client, server, target_user, cc) == TRUE){
- if (auth_debug ){
- fprintf (stderr,"Authenticated via fast_auth \n");
- }
- return TRUE;
- }
-
- /* check to see if the local tgt is in the cache */
-
- if ((retval= krb5_copy_principal(context, client, &tgtq.client))){
- com_err(prog_name, retval,"while copying client principal");
- return (FALSE) ;
+ if ((retval= krb5_copy_principal(context, client_pname, &client))){
+ com_err(prog_name, retval,"while copying client principal");
+ return (FALSE) ;
+ }
+
+ if (auth_debug) {
+ dump_principal(context, "krb5_auth_check: Client principal name",
+ client);
+ }
+
+ if ((retval = krb5_sname_to_principal(context, hostname, NULL,
+ KRB5_NT_SRV_HST, &server))){
+ com_err(prog_name, retval,
+ "while creating server %s principal name", hostname);
+ krb5_free_principal(context, client);
+ return (FALSE) ;
+ }
+
+ if (auth_debug) {
+ dump_principal(context, "krb5_auth_check: Server principal name",
+ server);
+ }
+
+
+
+ /* check if ticket is already in the cache, if it is
+ then use it.
+ */
+ if( krb5_fast_auth(context, client, server, target_user, cc) == TRUE){
+ if (auth_debug ){
+ fprintf (stderr,"Authenticated via fast_auth \n");
}
+ return TRUE;
+ }
+
+ /* check to see if the local tgt is in the cache */
+
+ if ((retval= krb5_copy_principal(context, client, &tgtq.client))){
+ com_err(prog_name, retval,"while copying client principal");
+ return (FALSE) ;
+ }
+
+ if ((retval = ksu_tgtname(context, krb5_princ_realm(context, client),
+ krb5_princ_realm(context, client),
+ &tgtq.server))){
+ com_err(prog_name, retval, "while creating tgt for local realm");
+ krb5_free_principal(context, client);
+ krb5_free_principal(context, server);
+ return (FALSE) ;
+ }
- if ((retval = krb5_tgtname(context, krb5_princ_realm(context, client),
- krb5_princ_realm(context, client),
- &tgtq.server))){
- com_err(prog_name, retval, "while creating tgt for local realm");
- krb5_free_principal(context, client);
- krb5_free_principal(context, server);
- return (FALSE) ;
- }
-
- if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); }
- retval = krb5_cc_retrieve_cred(context, cc,
- KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
- &tgtq, &tgt);
-
- if (! retval) retval = krb5_check_exp(context, tgt.times);
-
- if (retval){
- if ((retval != KRB5_CC_NOTFOUND) &&
- (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
- com_err(prog_name, retval,
- "while retrieving creds from cache");
- return (FALSE) ;
- }
- } else{
- got_it = 1;
+ if (auth_debug){ dump_principal(context, "local tgt principal name", tgtq.server ); }
+ retval = krb5_cc_retrieve_cred(context, cc,
+ KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
+ &tgtq, &tgt);
+
+ if (! retval) retval = krb5_check_exp(context, tgt.times);
+
+ if (retval){
+ if ((retval != KRB5_CC_NOTFOUND) &&
+ (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
+ com_err(prog_name, retval,
+ "while retrieving creds from cache");
+ return (FALSE) ;
}
+ } else{
+ got_it = 1;
+ }
+
+ if (! got_it){
- if (! got_it){
-
#ifdef GET_TGT_VIA_PASSWD
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
+ if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
com_err("ksu", errno, "while switching to target uid");
return FALSE;
- }
-
-
- fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged \n");
- fprintf(stderr," in remotely using an unsecure (non-encrypted) channel. \n");
+ }
- /*get the ticket granting ticket, via passwd(promt for passwd)*/
- if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server,
- options, & zero_password) == FALSE){
-krb5_seteuid(0);
-
- return FALSE;
- }
- *path_passwd = 1;
- if (krb5_seteuid(0)) {
- com_err("ksu", errno, "while reclaiming root uid");
- return FALSE;
- }
+ fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged \n");
+ fprintf(stderr," in remotely using an unsecure (non-encrypted) channel. \n");
+
+ /*get the ticket granting ticket, via passwd(promt for passwd)*/
+ if (krb5_get_tkt_via_passwd (context, &cc, client, tgtq.server,
+ options, & zero_password) == FALSE){
+ krb5_seteuid(0);
+
+ return FALSE;
+ }
+ *path_passwd = 1;
+ if (krb5_seteuid(0)) {
+ com_err("ksu", errno, "while reclaiming root uid");
+ return FALSE;
+ }
+
#else
plain_dump_principal (client);
fprintf(stderr,"does not have any appropriate tickets in the cache.\n");
return FALSE;
-
+
#endif /* GET_TGT_VIA_PASSWD */
- }
-
- if ((retval= krb5_copy_principal(context, client, &in_creds.client))){
- com_err(prog_name, retval,"while copying client principal");
- return (FALSE) ;
- }
+ }
+
+ if ((retval= krb5_copy_principal(context, client, &in_creds.client))){
+ com_err(prog_name, retval,"while copying client principal");
+ return (FALSE) ;
+ }
+
+ if ((retval= krb5_copy_principal(context, server, &in_creds.server))){
+ com_err(prog_name, retval,"while copying client principal");
+ return (FALSE) ;
+ }
+
+ if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds,
+ &out_creds, &tgts))){
+ com_err(prog_name, retval, "while geting credentials from kdc");
+ return (FALSE);
+ }
+
- if ((retval= krb5_copy_principal(context, server, &in_creds.server))){
- com_err(prog_name, retval,"while copying client principal");
- return (FALSE) ;
- }
+ if (auth_debug){
+ fprintf(stderr,"krb5_auth_check: got ticket for end server \n");
+ dump_principal(context, "out_creds->server", out_creds->server );
+ }
+
+
+ if (tgts){
+ register int i =0;
- if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds,
- &out_creds, &tgts))){
- com_err(prog_name, retval, "while geting credentials from kdc");
- return (FALSE);
+ if (auth_debug){
+ fprintf(stderr, "krb5_auth_check: went via multiple realms");
}
-
-
- if (auth_debug){
- fprintf(stderr,"krb5_auth_check: got ticket for end server \n");
- dump_principal(context, "out_creds->server", out_creds->server );
- }
-
-
- if (tgts){
- register int i =0;
-
- if (auth_debug){
- fprintf(stderr, "krb5_auth_check: went via multiple realms");
- }
- while (tgts[i]){
- if ((retval=krb5_cc_store_cred(context,cc,tgts[i]))) {
- com_err(prog_name, retval,
- "while storing credentials from cross-realm walk");
- return (FALSE);
- }
- i++;
- }
- krb5_free_tgt_creds(context, tgts);
- }
-
- retval = krb5_verify_tkt_def(context, client, server,
- &out_creds->keyblock, &out_creds->ticket,
- &target_tkt);
- if (retval) {
- com_err(prog_name, retval, "while verifying ticket for server");
- return (FALSE);
- }
-
- if ((retval = krb5_cc_store_cred(context, cc, out_creds))){
+ while (tgts[i]){
+ if ((retval=krb5_cc_store_cred(context,cc,tgts[i]))) {
com_err(prog_name, retval,
- "While storing credentials");
+ "while storing credentials from cross-realm walk");
return (FALSE);
+ }
+ i++;
}
+ krb5_free_tgt_creds(context, tgts);
+ }
+
+ retval = krb5_verify_tkt_def(context, client, server,
+ &out_creds->keyblock, &out_creds->ticket,
+ &target_tkt);
+ if (retval) {
+ com_err(prog_name, retval, "while verifying ticket for server");
+ return (FALSE);
+ }
+
+ if ((retval = krb5_cc_store_cred(context, cc, out_creds))){
+ com_err(prog_name, retval,
+ "While storing credentials");
+ return (FALSE);
+ }
- return (TRUE);
+ return (TRUE);
}
/* krb5_fast_auth checks if ticket for the end server is already in
krb5_ccache cc;
{
-krb5_creds tgt, tgtq;
-krb5_ticket * target_tkt;
-krb5_error_code retval;
-
- memset((char *) &tgtq, 0, sizeof(tgtq));
- memset((char *) &tgt, 0, sizeof(tgt));
-
- if ((retval= krb5_copy_principal(context, client, &tgtq.client))){
- com_err(prog_name, retval,"while copying client principal");
- return (FALSE) ;
- }
-
- if ((retval= krb5_copy_principal(context, server, &tgtq.server))){
- com_err(prog_name, retval,"while copying client principal");
- return (FALSE) ;
- }
-
- if ((retval = krb5_cc_retrieve_cred(context, cc,
- KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
- &tgtq, &tgt))){
- if (auth_debug)
- com_err(prog_name, retval,"While Retrieving credentials");
- return (FALSE) ;
-
- }
-
- if ((retval = krb5_verify_tkt_def(context, client, server, &tgt.keyblock,
- &tgt.ticket, &target_tkt))){
- com_err(prog_name, retval, "while verifing ticket for server");
- return (FALSE);
- }
-
- return TRUE;
+ krb5_creds tgt, tgtq;
+ krb5_ticket * target_tkt;
+ krb5_error_code retval;
+
+ memset((char *) &tgtq, 0, sizeof(tgtq));
+ memset((char *) &tgt, 0, sizeof(tgt));
+
+ if ((retval= krb5_copy_principal(context, client, &tgtq.client))){
+ com_err(prog_name, retval,"while copying client principal");
+ return (FALSE) ;
+ }
+
+ if ((retval= krb5_copy_principal(context, server, &tgtq.server))){
+ com_err(prog_name, retval,"while copying client principal");
+ return (FALSE) ;
+ }
+
+ if ((retval = krb5_cc_retrieve_cred(context, cc,
+ KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
+ &tgtq, &tgt))){
+ if (auth_debug)
+ com_err(prog_name, retval,"While Retrieving credentials");
+ return (FALSE) ;
+
+ }
+
+ if ((retval = krb5_verify_tkt_def(context, client, server, &tgt.keyblock,
+ &tgt.ticket, &target_tkt))){
+ com_err(prog_name, retval, "while verifing ticket for server");
+ return (FALSE);
+ }
+
+ return TRUE;
}
static krb5_error_code
/* OUT */
krb5_ticket **clear_ticket;
{
-krb5_keytab keytabid;
-krb5_enctype enctype;
-krb5_keytab_entry ktentry;
-krb5_keyblock *tkt_key = NULL;
-krb5_ticket * tkt = NULL;
-krb5_error_code retval =0;
-krb5_keyblock * tkt_ses_key;
-
- if ((retval = decode_krb5_ticket(scr_ticket, &tkt))){
- return retval;
- }
-
- if (server && !krb5_principal_compare(context, server, tkt->server)){
- return KRB5KRB_AP_WRONG_PRINC;
- }
-
- if (auth_debug){
- fprintf(stderr,"krb5_verify_tkt_def: verified target server\n");
- dump_principal(context, "server", server);
- dump_principal(context, "tkt->server", tkt->server);
- }
-
- /* get the default keytab */
- if ((retval = krb5_kt_default(context, &keytabid))){
- krb5_free_ticket(context, tkt);
- return retval;
- }
-
- enctype = tkt->enc_part.enctype;
-
- if ((retval = krb5_kt_get_entry(context, keytabid, server,
- tkt->enc_part.kvno, enctype, &ktentry))){
- krb5_free_ticket(context, tkt);
- return retval;
- }
-
- krb5_kt_close(context, keytabid);
-
- if ((retval = krb5_copy_keyblock(context, &ktentry.key, &tkt_key))){
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- return retval;
- }
+ krb5_keytab keytabid;
+ krb5_enctype enctype;
+ krb5_keytab_entry ktentry;
+ krb5_keyblock *tkt_key = NULL;
+ krb5_ticket * tkt = NULL;
+ krb5_error_code retval =0;
+ krb5_keyblock * tkt_ses_key;
+
+ if ((retval = decode_krb5_ticket(scr_ticket, &tkt))){
+ return retval;
+ }
+
+ if (server && !krb5_principal_compare(context, server, tkt->server)){
+ return KRB5KRB_AP_WRONG_PRINC;
+ }
+
+ if (auth_debug){
+ fprintf(stderr,"krb5_verify_tkt_def: verified target server\n");
+ dump_principal(context, "server", server);
+ dump_principal(context, "tkt->server", tkt->server);
+ }
+
+ /* get the default keytab */
+ if ((retval = krb5_kt_default(context, &keytabid))){
+ krb5_free_ticket(context, tkt);
+ return retval;
+ }
+ enctype = tkt->enc_part.enctype;
+
+ if ((retval = krb5_kt_get_entry(context, keytabid, server,
+ tkt->enc_part.kvno, enctype, &ktentry))){
+ krb5_free_ticket(context, tkt);
+ return retval;
+ }
+
+ krb5_kt_close(context, keytabid);
+
+ if ((retval = krb5_copy_keyblock(context, &ktentry.key, &tkt_key))){
+ krb5_free_ticket(context, tkt);
+ krb5_kt_free_entry(context, &ktentry);
+ return retval;
+ }
+
/* decrypt the ticket */
- if ((retval = krb5_decrypt_tkt_part(context, tkt_key, tkt))) {
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return(retval);
- }
-
- /* Check to make sure ticket hasn't expired */
- retval = krb5_check_exp(context, tkt->enc_part2->times);
- if (retval) {
- if (auth_debug && (retval == KRB5KRB_AP_ERR_TKT_EXPIRED)) {
- fprintf(stderr,
- "krb5_verify_tkt_def: ticket has expired");
- }
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return KRB5KRB_AP_ERR_TKT_EXPIRED;
- }
+ if ((retval = krb5_decrypt_tkt_part(context, tkt_key, tkt))) {
+ krb5_free_ticket(context, tkt);
+ krb5_kt_free_entry(context, &ktentry);
+ krb5_free_keyblock(context, tkt_key);
+ return(retval);
+ }
- if (!krb5_principal_compare(context, client, tkt->enc_part2->client)) {
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return KRB5KRB_AP_ERR_BADMATCH;
+ /* Check to make sure ticket hasn't expired */
+ retval = krb5_check_exp(context, tkt->enc_part2->times);
+ if (retval) {
+ if (auth_debug && (retval == KRB5KRB_AP_ERR_TKT_EXPIRED)) {
+ fprintf(stderr,
+ "krb5_verify_tkt_def: ticket has expired");
}
-
- if (auth_debug){
- fprintf(stderr,
- "krb5_verify_tkt_def: verified client's identity\n");
- dump_principal(context, "client", client);
- dump_principal(context, "tkt->enc_part2->client",tkt->enc_part2->client);
- }
-
- tkt_ses_key = tkt->enc_part2->session;
-
- if (cred_ses_key->enctype != tkt_ses_key->enctype ||
- cred_ses_key->length != tkt_ses_key->length ||
- memcmp((char *)cred_ses_key->contents,
- (char *)tkt_ses_key->contents, cred_ses_key->length)) {
-
- krb5_free_ticket(context, tkt);
- krb5_kt_free_entry(context, &ktentry);
- krb5_free_keyblock(context, tkt_key);
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- }
-
- if (auth_debug){
- fprintf(stderr,
- "krb5_verify_tkt_def: session keys match \n");
- }
-
- *clear_ticket = tkt;
+ krb5_free_ticket(context, tkt);
krb5_kt_free_entry(context, &ktentry);
krb5_free_keyblock(context, tkt_key);
- return 0;
-
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
+ }
+
+ if (!krb5_principal_compare(context, client, tkt->enc_part2->client)) {
+ krb5_free_ticket(context, tkt);
+ krb5_kt_free_entry(context, &ktentry);
+ krb5_free_keyblock(context, tkt_key);
+ return KRB5KRB_AP_ERR_BADMATCH;
+ }
+
+ if (auth_debug){
+ fprintf(stderr,
+ "krb5_verify_tkt_def: verified client's identity\n");
+ dump_principal(context, "client", client);
+ dump_principal(context, "tkt->enc_part2->client",tkt->enc_part2->client);
+ }
+
+ tkt_ses_key = tkt->enc_part2->session;
+
+ if (cred_ses_key->enctype != tkt_ses_key->enctype ||
+ cred_ses_key->length != tkt_ses_key->length ||
+ memcmp((char *)cred_ses_key->contents,
+ (char *)tkt_ses_key->contents, cred_ses_key->length)) {
+
+ krb5_free_ticket(context, tkt);
+ krb5_kt_free_entry(context, &ktentry);
+ krb5_free_keyblock(context, tkt_key);
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ if (auth_debug){
+ fprintf(stderr,
+ "krb5_verify_tkt_def: session keys match \n");
+ }
+
+ *clear_ticket = tkt;
+ krb5_kt_free_entry(context, &ktentry);
+ krb5_free_keyblock(context, tkt_key);
+ return 0;
+
}
*zero_password = FALSE;
-
+
if ((code = krb5_unparse_name(context, client, &client_name))) {
com_err (prog_name, code, "when unparsing name");
return (FALSE);
my_creds.times.starttime = 0; /* start timer when request
gets to KDC */
-
+
my_creds.times.endtime = now + options->lifetime;
if (options->opt & KDC_OPT_RENEWABLE) {
my_creds.times.renew_till = now + options->rlife;
} else
my_creds.times.renew_till = 0;
- if (strlen (client_name) + 80 > sizeof (prompt)) {
- fprintf (stderr,
- "principal name %s too long for internal buffer space\n",
- client_name);
- return FALSE;
- }
- (void) sprintf(prompt,"Kerberos password for %s: ", client_name);
-
- pwsize = sizeof(password);
-
- code = krb5_read_password(context, prompt, 0, password, &pwsize);
- if (code ) {
- com_err(prog_name, code, "while reading password for '%s'\n",
- client_name);
- memset(password, 0, sizeof(password));
- return (FALSE);
- }
-
- if ( pwsize == 0) {
- fprintf(stderr, "No password given\n");
- *zero_password = TRUE;
- memset(password, 0, sizeof(password));
- return (FALSE);
- }
-
- code = krb5_get_in_tkt_with_password(context, options->opt,
- 0, NULL, preauth_ptr,
- password, *ccache, &my_creds, 0);
- memset(password, 0, sizeof(password));
-
+ if (strlen (client_name) + 80 > sizeof (prompt)) {
+ fprintf (stderr,
+ "principal name %s too long for internal buffer space\n",
+ client_name);
+ return FALSE;
+ }
+ (void) sprintf(prompt,"Kerberos password for %s: ", client_name);
+
+ pwsize = sizeof(password);
+
+ code = krb5_read_password(context, prompt, 0, password, &pwsize);
+ if (code ) {
+ com_err(prog_name, code, "while reading password for '%s'\n",
+ client_name);
+ memset(password, 0, sizeof(password));
+ return (FALSE);
+ }
+
+ if ( pwsize == 0) {
+ fprintf(stderr, "No password given\n");
+ *zero_password = TRUE;
+ memset(password, 0, sizeof(password));
+ return (FALSE);
+ }
+
+ code = krb5_get_in_tkt_with_password(context, options->opt,
+ 0, NULL, preauth_ptr,
+ password, *ccache, &my_creds, 0);
+ memset(password, 0, sizeof(password));
+
if (code) {
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
fprintf(stderr, "%s ", stname);
}
-#if 0
-krb5_error_code get_tgt_via_login_list(context, server, cc, k5login_plist,
- client, got_it)
- krb5_context context;
- krb5_principal server;
- krb5_ccache cc;
- char **k5login_plist;
- krb5_principal *client;
- int *got_it;
-{
-
-krb5_creds tgt, tgtq;
-int i =0;
-krb5_principal temp_client;
-krb5_error_code retval =0;
- *got_it=0;
-
- if (! k5login_plist ) return 0;
-
- memset((char *) &tgtq, 0, sizeof(tgtq));
- memset((char *) &tgt, 0, sizeof(tgt));
-
- while(k5login_plist[i]){
- if (retval = krb5_parse_name(context, k5login_plist[i],
- &temp_client)){
- return retval;
- }
-
-
- if (retval= krb5_copy_principal(context, temp_client,
- &tgtq.client)){
- return retval ;
- }
-
- /* check to see if the local tgt is in the cache */
-
- if (retval = krb5_tgtname(context,
- krb5_princ_realm(context, temp_client),
- krb5_princ_realm(context, temp_client),
- &tgtq.server)){
- return retval ;
- }
-
- retval = krb5_cc_retrieve_cred(context, cc,
- KRB5_TC_MATCH_SRV_NAMEONLY,
- &tgtq, &tgt);
-
- if (! retval) retval = krb5_check_exp(context, tgt.times);
-
- if (retval){
- if ((retval != KRB5_CC_NOTFOUND) &&
- (retval != KRB5KRB_AP_ERR_TKT_EXPIRED)){
- return retval ;
- }
- } else{
- if (auth_debug){
- fprintf(stderr,"Auth via k5login name %s\n",
- k5login_plist[i]);
- }
-
- *got_it = 1;
- *client = temp_client;
- break;
- }
-
- i++;
- }
-
- return 0;
-}
-#endif
/**********************************************************************
-returns the principal that is closes to client. plist contains
+returns the principal that is closest to client. plist contains
a principal list obtained from .k5login and parhaps .k5users file.
This routine gets called before getting the password for a tgt.
A principal is picked that has the best chance of getting in.
char **plist;
krb5_principal *client;
{
-krb5_error_code retval =0;
-krb5_principal temp_client, best_client = NULL;
-
-int i = 0, nelem;
-
- if (! plist ) return 0;
-
- nelem = krb5_princ_size(context, *client);
-
- while(plist[i]){
-
- if ((retval = krb5_parse_name(context, plist[i], &temp_client))){
- return retval;
- }
-
- if (krb5_princ_realm(context, *client)->length ==
- krb5_princ_realm(context, temp_client)->length
- && (!memcmp (krb5_princ_realm(context, *client)->data,
- krb5_princ_realm(context, temp_client)->data,
- krb5_princ_realm(context, temp_client)->length))){
-
-
- if(nelem){
- krb5_data *p1 =
- krb5_princ_component(context, *client, 0);
- krb5_data *p2 =
- krb5_princ_component(context, temp_client, 0);
-
- if ((p1->length == p2->length) &&
- (!memcmp(p1->data,p2->data,p1->length))){
-
- if (auth_debug){
- fprintf(stderr,
- "get_best_principal: compare with %s\n",
- plist[i]);
- }
-
- if(best_client){
- if(krb5_princ_size(context, best_client) >
- krb5_princ_size(context, temp_client)){
- best_client = temp_client;
- }
- }else{
- best_client = temp_client;
- }
- }
+ krb5_error_code retval =0;
+ krb5_principal temp_client, best_client = NULL;
+
+ int i = 0, nelem;
+
+ if (! plist ) return 0;
+
+ nelem = krb5_princ_size(context, *client);
+
+ while(plist[i]){
+
+ if ((retval = krb5_parse_name(context, plist[i], &temp_client))){
+ return retval;
+ }
+
+ if (krb5_princ_realm(context, *client)->length ==
+ krb5_princ_realm(context, temp_client)->length
+ && (!memcmp (krb5_princ_realm(context, *client)->data,
+ krb5_princ_realm(context, temp_client)->data,
+ krb5_princ_realm(context, temp_client)->length))){
+
+
+ if(nelem){
+ krb5_data *p1 =
+ krb5_princ_component(context, *client, 0);
+ krb5_data *p2 =
+ krb5_princ_component(context, temp_client, 0);
+
+ if ((p1->length == p2->length) &&
+ (!memcmp(p1->data,p2->data,p1->length))){
+
+ if (auth_debug){
+ fprintf(stderr,
+ "get_best_principal: compare with %s\n",
+ plist[i]);
+ }
+
+ if(best_client){
+ if(krb5_princ_size(context, best_client) >
+ krb5_princ_size(context, temp_client)){
+ best_client = temp_client;
}
-
+ }else{
+ best_client = temp_client;
+ }
}
- i++;
- }
-
- if (best_client) *client = best_client;
- return 0;
+ }
+
+ }
+ i++;
+ }
+
+ if (best_client) *client = best_client;
+ return 0;
}
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
+#include <grp.h>
/* globals */
char * prog_name;
ill specified arguments to commands */
void usage (){
- fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
+ fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
}
/* for Ultrix and friends ... */
int
main (argc, argv)
- int argc;
- char ** argv;
+ int argc;
+ char ** argv;
{
-int hp =0;
-int some_rest_copy = 0;
-int all_rest_copy = 0;
-char *localhostname = NULL;
-opt_info options;
-int option=0;
-int statusp=0;
-krb5_error_code retval = 0;
-krb5_principal client = NULL;
-krb5_ccache cc_target = NULL;
-krb5_context ksu_context;
-char * cc_target_tag = NULL;
-char * target_user = NULL;
-char * source_user;
-
-krb5_ccache cc_source = NULL;
-const char * cc_source_tag = NULL;
-uid_t source_gid, target_gid;
-const char * cc_source_tag_tmp = NULL;
-char * cc_target_tag_tmp=NULL;
-char * cmd = NULL, * exec_cmd = NULL;
-int errflg = 0;
-krb5_boolean auth_val;
-krb5_boolean authorization_val = FALSE;
-int path_passwd = 0;
-int done =0,i,j;
-uid_t ruid = getuid ();
-struct passwd *pwd=NULL, *target_pwd ;
-char * shell;
-char ** params;
-int keep_target_cache = 0;
-int child_pid, child_pgrp, ret_pid;
-extern char * getpass(), *crypt();
-int pargc;
-char ** pargv;
-struct stat st_temp;
-krb5_boolean stored = FALSE;
-krb5_principal kdc_server;
-krb5_boolean zero_password;
-char * dir_of_cc_target;
-
+ int hp =0;
+ int some_rest_copy = 0;
+ int all_rest_copy = 0;
+ char *localhostname = NULL;
+ opt_info options;
+ int option=0;
+ int statusp=0;
+ krb5_error_code retval = 0;
+ krb5_principal client = NULL;
+ krb5_ccache cc_target = NULL;
+ krb5_context ksu_context;
+ char * cc_target_tag = NULL;
+ char * target_user = NULL;
+ char * source_user;
+
+ krb5_ccache cc_source = NULL;
+ const char * cc_source_tag = NULL;
+ uid_t source_gid, target_gid;
+ const char * cc_source_tag_tmp = NULL;
+ char * cc_target_tag_tmp=NULL;
+ char * cmd = NULL, * exec_cmd = NULL;
+ int errflg = 0;
+ krb5_boolean auth_val;
+ krb5_boolean authorization_val = FALSE;
+ int path_passwd = 0;
+ int done =0,i,j;
+ uid_t ruid = getuid ();
+ struct passwd *pwd=NULL, *target_pwd ;
+ char * shell;
+ char ** params;
+ int keep_target_cache = 0;
+ int child_pid, child_pgrp, ret_pid;
+ extern char * getpass(), *crypt();
+ int pargc;
+ char ** pargv;
+ struct stat st_temp;
+ krb5_boolean stored = FALSE;
+ krb5_principal kdc_server;
+ krb5_boolean zero_password;
+ char * dir_of_cc_target;
+
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
options.rlife =0;
#ifndef LOG_NDELAY
#define LOG_NDELAY 0
#endif
-
+
#ifndef LOG_AUTH /* 4.2 syslog */
openlog(prog_name, LOG_PID|LOG_NDELAY);
#else
openlog(prog_name, LOG_PID | LOG_AUTH | LOG_NDELAY, LOG_AUTH);
#endif /* 4.2 syslog */
-
+
if (( argc == 1) || (argv[1][0] == '-')){
- target_user = xstrdup("root");
- pargc = argc;
- pargv = argv;
- } else {
- target_user = xstrdup(argv[1]);
- pargc = argc -1;
-
- if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
- com_err(prog_name, errno, "while allocating memory");
- exit(1);
- }
-
- pargv[pargc] = NULL;
- pargv[0] = argv[0];
-
- for(i =1; i< pargc; i ++){
- pargv[i] = argv[i + 1];
- }
- }
-
+ target_user = xstrdup("root");
+ pargc = argc;
+ pargv = argv;
+ } else {
+ target_user = xstrdup(argv[1]);
+ pargc = argc -1;
+
+ if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
+ com_err(prog_name, errno, "while allocating memory");
+ exit(1);
+ }
+
+ pargv[pargc] = NULL;
+ pargv[0] = argv[0];
+
+ for(i =1; i< pargc; i ++){
+ pargv[i] = argv[i + 1];
+ }
+ }
+
if (krb5_seteuid (ruid)) {
com_err (prog_name, errno, "while setting euid to source user");
exit (1);
take care of params argument */
optind --;
if (auth_debug){printf("Before get_params optind=%d\n", optind);}
-
+
if ((retval = get_params( & optind, pargc, pargv, ¶ms))){
com_err(prog_name, retval, "when gathering parameters");
errflg++;
}
if(auth_debug){ printf("After get_params optind=%d\n", optind);}
- done = 1;
+ done = 1;
break;
case 'p':
options.opt |= KDC_OPT_PROXIABLE;
com_err(prog_name, retval, "when parsing name %s", optarg);
errflg++;
}
-
+
options.princ = 1;
-
+
break;
#ifdef DEBUG
case 'D':
if (cc_source_tag == NULL) {
cc_source_tag = xstrdup(optarg);
if ( strchr(cc_source_tag, ':')){
- cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
-
- if( stat( cc_source_tag_tmp, &st_temp)){
- com_err (prog_name, errno,
- "while looking for credentials file %s",
- cc_source_tag_tmp);
- exit (1);
- }
+ cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
+
+ if( stat( cc_source_tag_tmp, &st_temp)){
+ com_err (prog_name, errno,
+ "while looking for credentials file %s",
+ cc_source_tag_tmp);
+ exit (1);
+ }
}
else {
- fprintf(stderr,"malformed credential cache name %s\n",
- cc_source_tag);
- errflg++;
+ fprintf(stderr,"malformed credential cache name %s\n",
+ cc_source_tag);
+ errflg++;
}
} else {
if (auth_debug){
for(j=1; params[j] != NULL; j++){
- fprintf (stderr,"params[%d]= %s\n", j,params[j]);
+ fprintf (stderr,"params[%d]= %s\n", j,params[j]);
}
}
- /***********************************/
- source_user = getlogin(); /*checks for the the login name in /etc/utmp*/
-
- /* verify that that the user exists and get his passwd structure */
-
- if (source_user == NULL ||(pwd = getpwnam(source_user)) == NULL ||
- pwd->pw_uid != ruid){
- pwd = getpwuid(ruid);
- }
-
- if (pwd == NULL) {
- fprintf(stderr, "ksu: who are you?\n");
- exit(1);
- }
- if (pwd->pw_uid != ruid) {
- fprintf (stderr, "Your uid doesn't match your passwd entry?!\n");
- exit (1);
- }
- /* Okay, now we have *some* passwd entry that matches the
- current real uid. */
-
- /* allocate space and copy the usernamane there */
- source_user = xstrdup(pwd->pw_name);
- source_uid = pwd->pw_uid;
- source_gid = pwd->pw_gid;
-
-
- if (!strcmp(SOURCE_USER_LOGIN, target_user)){
- target_user = xstrdup (source_user);
- }
-
- if ((target_pwd = getpwnam(target_user)) == NULL){
- fprintf(stderr, "ksu: unknown login %s\n", target_user);
- exit(1);
- }
- target_uid = target_pwd->pw_uid;
- target_gid = target_pwd->pw_gid;
-
- init_auth_names(target_pwd->pw_dir);
-
- /***********************************/
-
- if (cc_source_tag == NULL){
- cc_source_tag = krb5_cc_default_name(ksu_context);
- cc_source_tag_tmp = strchr(cc_source_tag, ':');
- if (cc_source_tag_tmp == 0)
- cc_source_tag_tmp = cc_source_tag;
- else
- cc_source_tag_tmp++;
- }
-
- /* get a handle for the cache */
- if ((retval = krb5_cc_resolve(ksu_context, cc_source_tag, &cc_source))){
- com_err(prog_name, retval,"while getting source cache");
- exit(1);
- }
-
- if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
- && (retval != KRB5_FCC_NOFILE)) {
+ /***********************************/
+ source_user = getlogin(); /*checks for the the login name in /etc/utmp*/
+
+ /* verify that that the user exists and get his passwd structure */
+
+ if (source_user == NULL ||(pwd = getpwnam(source_user)) == NULL ||
+ pwd->pw_uid != ruid){
+ pwd = getpwuid(ruid);
+ }
+
+ if (pwd == NULL) {
+ fprintf(stderr, "ksu: who are you?\n");
+ exit(1);
+ }
+ if (pwd->pw_uid != ruid) {
+ fprintf (stderr, "Your uid doesn't match your passwd entry?!\n");
+ exit (1);
+ }
+ /* Okay, now we have *some* passwd entry that matches the
+ current real uid. */
+
+ /* allocate space and copy the usernamane there */
+ source_user = xstrdup(pwd->pw_name);
+ source_uid = pwd->pw_uid;
+ source_gid = pwd->pw_gid;
+
+
+ if (!strcmp(SOURCE_USER_LOGIN, target_user)){
+ target_user = xstrdup (source_user);
+ }
+
+ if ((target_pwd = getpwnam(target_user)) == NULL){
+ fprintf(stderr, "ksu: unknown login %s\n", target_user);
+ exit(1);
+ }
+ target_uid = target_pwd->pw_uid;
+ target_gid = target_pwd->pw_gid;
+
+ init_auth_names(target_pwd->pw_dir);
+
+ /***********************************/
+
+ if (cc_source_tag == NULL){
+ cc_source_tag = krb5_cc_default_name(ksu_context);
+ cc_source_tag_tmp = strchr(cc_source_tag, ':');
+ if (cc_source_tag_tmp == 0)
+ cc_source_tag_tmp = cc_source_tag;
+ else
+ cc_source_tag_tmp++;
+ }
+
+ /* get a handle for the cache */
+ if ((retval = krb5_cc_resolve(ksu_context, cc_source_tag, &cc_source))){
+ com_err(prog_name, retval,"while getting source cache");
+ exit(1);
+ }
+
+ if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
+ && (retval != KRB5_FCC_NOFILE)) {
com_err(prog_name, retval, "while opening ccache");
exit(1);
- }
- if ((retval = get_best_princ_for_target(ksu_context, source_uid,
- target_uid, source_user, target_user, cc_source,
- &options, cmd, localhostname, &client, &hp))){
- com_err(prog_name,retval, "while selecting the best principal");
- exit(1);
- }
-
- /* We may be running as either source or target, depending on
- what happened; become source.*/
- if ( geteuid() != source_uid) {
- if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) {
+ }
+ if ((retval = get_best_princ_for_target(ksu_context, source_uid,
+ target_uid, source_user,
+ target_user, cc_source,
+ &options, cmd, localhostname,
+ &client, &hp))){
+ com_err(prog_name,retval, "while selecting the best principal");
+ exit(1);
+ }
+
+ /* We may be running as either source or target, depending on
+ what happened; become source.*/
+ if ( geteuid() != source_uid) {
+ if (krb5_seteuid(0) || krb5_seteuid(source_uid) ) {
com_err(prog_name, errno, "while returning to source uid after finding best principal");
exit(1);
- }
- }
-
- if (auth_debug){
- if (hp){
- fprintf(stderr,
- "GET_best_princ_for_target result: NOT AUTHORIZED\n");
- }else{
- fprintf(stderr,
- "GET_best_princ_for_target result-best principal ");
- plain_dump_principal (ksu_context, client);
- fprintf(stderr,"\n");
- }
}
-
+ }
+
+ if (auth_debug){
if (hp){
- if (gb_err) fprintf(stderr, "%s", gb_err);
- fprintf(stderr,"account %s: authorization failed\n",target_user);
- exit(1);
- }
-
- if (cc_target_tag == NULL) {
-
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
- /* make sure that the new ticket file does not already exist
- This is run as source_uid because it is reasonable to
- require the source user to have write to where the target
- cache will be created.*/
-
- do {
- sprintf(cc_target_tag, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long) target_uid, gen_sym());
- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
-
- }while ( !stat ( cc_target_tag_tmp, &st_temp));
- }
-
-
- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
-
- if (access(dir_of_cc_target, R_OK | W_OK )){
fprintf(stderr,
- "%s does not have correct permissions for %s\n",
- source_user, cc_target_tag);
- exit(1);
- }
-
- if (auth_debug){
- fprintf(stderr, " source cache = %s\n", cc_source_tag);
- fprintf(stderr, " target cache = %s\n", cc_target_tag);
+ "GET_best_princ_for_target result: NOT AUTHORIZED\n");
+ }else{
+ fprintf(stderr,
+ "GET_best_princ_for_target result-best principal ");
+ plain_dump_principal (ksu_context, client);
+ fprintf(stderr,"\n");
}
-
- /*
- Only when proper authentication and authorization
- takes place, the target user becomes the owner of the cache.
- */
-
- /* we continue to run as source uid until
- the middle of the copy, when becomewe become the target user
- The cache is owned by the target user.*/
+ }
+
+ if (hp){
+ if (gb_err) fprintf(stderr, "%s", gb_err);
+ fprintf(stderr,"account %s: authorization failed\n",target_user);
+ exit(1);
+ }
+
+ if (cc_target_tag == NULL) {
+ cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
+ /* make sure that the new ticket file does not already exist
+ This is run as source_uid because it is reasonable to
+ require the source user to have write to where the target
+ cache will be created.*/
- /* if root ksu's to a regular user, then
- then only the credentials for that particular user
- should be copied */
-
- if ((source_uid == 0) && (target_uid != 0)) {
-
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client, &cc_target, &stored, target_uid))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
- exit(1);
- }
-
- } else {
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))) {
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),
- cc_target_tag);
- exit(1);
- }
+ do {
+ sprintf(cc_target_tag, "%s%ld.%d",
+ KRB5_SECONDARY_CACHE,
+ (long) target_uid, gen_sym());
+ cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
+ }while ( !stat ( cc_target_tag_tmp, &st_temp));
+ }
+
+
+ dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
+
+ if (access(dir_of_cc_target, R_OK | W_OK )){
+ fprintf(stderr,
+ "%s does not have correct permissions for %s\n",
+ source_user, cc_target_tag);
+ exit(1);
+ }
+
+ if (auth_debug){
+ fprintf(stderr, " source cache = %s\n", cc_source_tag);
+ fprintf(stderr, " target cache = %s\n", cc_target_tag);
+ }
+
+ /*
+ Only when proper authentication and authorization
+ takes place, the target user becomes the owner of the cache.
+ */
+
+ /* we continue to run as source uid until
+ the middle of the copy, when becomewe become the target user
+ The cache is owned by the target user.*/
+
+
+ /* if root ksu's to a regular user, then
+ then only the credentials for that particular user
+ should be copied */
+
+ if ((source_uid == 0) && (target_uid != 0)) {
+
+ if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
+ cc_target_tag, client,
+ &cc_target, &stored,
+ target_uid))){
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
+ exit(1);
}
- /* Become root for authentication*/
-
- if (krb5_seteuid(0)) {
+ } else {
+ if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
+ client,&cc_target, &stored, target_uid))) {
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),
+ cc_target_tag);
+ exit(1);
+ }
+
+ }
+
+ /* Become root for authentication*/
+
+ if (krb5_seteuid(0)) {
com_err(prog_name, errno, "while reclaiming root uid");
exit(1);
- }
-
- if ((source_uid == 0) || (target_uid == source_uid)){
+ }
+
+ if ((source_uid == 0) || (target_uid == source_uid)){
#ifdef GET_TGT_VIA_PASSWD
- if ((!all_rest_copy) && options.princ && (stored == FALSE)){
- if ((retval = krb5_tgtname(ksu_context,
- krb5_princ_realm (ksu_context, client),
- krb5_princ_realm(ksu_context, client),
- &kdc_server))){
- com_err(prog_name, retval,
- "while creating tgt for local realm");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged\n");
- fprintf(stderr," in remotely using an unsecure (non-encrypted) channel.\n");
- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
+ if ((!all_rest_copy) && options.princ && (stored == FALSE)){
+ if ((retval = ksu_tgtname(ksu_context,
+ krb5_princ_realm (ksu_context, client),
+ krb5_princ_realm(ksu_context, client),
+ &kdc_server))){
+ com_err(prog_name, retval,
+ "while creating tgt for local realm");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ fprintf(stderr,"WARNING: Your password may be exposed if you enter it here and are logged\n");
+ fprintf(stderr," in remotely using an unsecure (non-encrypted) channel.\n");
+ if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
kdc_server, &options,
&zero_password) == FALSE){
-
- if (zero_password == FALSE){
- fprintf(stderr,"Goodbye\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- fprintf(stderr,
- "Could not get a tgt for ");
- plain_dump_principal (ksu_context, client);
- fprintf(stderr, "\n");
-
- }
- }
-#endif /* GET_TGT_VIA_PASSWD */
- }
-
- /* if the user is root or same uid then authentication is not neccesary,
- root gets in automatically */
-
- if (source_uid && (source_uid != target_uid)) {
- char * client_name;
-
- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
- target_user,cc_target, &path_passwd, target_uid);
- /* if Kerberos authentication failed then exit */
- if (auth_val ==FALSE){
- fprintf(stderr, "Authentication failed.\n");
- syslog(LOG_WARNING,
- "'%s %s' authentication failed for %s%s",
- prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, cc_target);
- exit(1);
+ if (zero_password == FALSE){
+ fprintf(stderr,"Goodbye\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
}
-
+
+ fprintf(stderr,
+ "Could not get a tgt for ");
+ plain_dump_principal (ksu_context, client);
+ fprintf(stderr, "\n");
+
+ }
+ }
+#endif /* GET_TGT_VIA_PASSWD */
+ }
+
+ /* if the user is root or same uid then authentication is not neccesary,
+ root gets in automatically */
+
+ if (source_uid && (source_uid != target_uid)) {
+ char * client_name;
+
+ auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
+ target_user,cc_target, &path_passwd, target_uid);
+
+ /* if Kerberos authentication failed then exit */
+ if (auth_val ==FALSE){
+ fprintf(stderr, "Authentication failed.\n");
+ syslog(LOG_WARNING,
+ "'%s %s' authentication failed for %s%s",
+ prog_name,target_user,source_user,ontty());
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
#if 0
- /* At best, this avoids a single kdc request
- It is hard to implement dealing with file permissions and
- is unnecessary. It is important
- to properly handle races in chown if this code is ever re-enabled.
- */
- /* cache the tickets if possible in the source cache */
- if (!path_passwd){
-
- if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
- client))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_target),
- krb5_cc_get_name(ksu_context, cc_source));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- if (chown(cc_source_tag_tmp, source_uid, source_gid)){
- com_err(prog_name, errno,
- "while changing owner for %s",
- cc_source_tag_tmp);
- exit(1);
- }
- }
+ /* At best, this avoids a single kdc request
+ It is hard to implement dealing with file permissions and
+ is unnecessary. It is important
+ to properly handle races in chown if this code is ever re-enabled.
+ */
+ /* cache the tickets if possible in the source cache */
+ if (!path_passwd){
+
+ if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
+ client))){
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_target),
+ krb5_cc_get_name(ksu_context, cc_source));
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (chown(cc_source_tag_tmp, source_uid, source_gid)){
+ com_err(prog_name, errno,
+ "while changing owner for %s",
+ cc_source_tag_tmp);
+ exit(1);
+ }
+ }
#endif /*0*/
- if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
- com_err (prog_name, retval, "When unparsing name");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- print_status("Authenticated %s\n", client_name);
- syslog(LOG_NOTICE,"'%s %s' authenticated %s for %s%s",
- prog_name,target_user,client_name,
- source_user,ontty());
-
- /* Run authorization as target.*/
- if (krb5_seteuid(target_uid)) {
- com_err(prog_name, errno, "while switching to target for authorization check");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
+ com_err (prog_name, retval, "When unparsing name");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ print_status("Authenticated %s\n", client_name);
+ syslog(LOG_NOTICE,"'%s %s' authenticated %s for %s%s",
+ prog_name,target_user,client_name,
+ source_user,ontty());
+
+ /* Run authorization as target.*/
+ if (krb5_seteuid(target_uid)) {
+ com_err(prog_name, errno, "while switching to target for authorization check");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if ((retval = krb5_authorization(ksu_context, client,target_user,
+ cmd, &authorization_val, &exec_cmd))){
+ com_err(prog_name,retval,"while checking authorization");
+ krb5_seteuid(0); /*So we have some chance of sweeping up*/
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if (krb5_seteuid(0)) {
+ com_err(prog_name, errno, "while switching back from target after authorization check");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (authorization_val == TRUE){
+
+ if (cmd) {
+ print_status(
+ "Account %s: authorization for %s for execution of\n",
+ target_user, client_name);
+ print_status(" %s successful\n",exec_cmd);
+ syslog(LOG_NOTICE,
+ "Account %s: authorization for %s for execution of %s successful",
+ target_user, client_name, exec_cmd);
- if ((retval = krb5_authorization(ksu_context, client,target_user,
- cmd, &authorization_val, &exec_cmd))){
- com_err(prog_name,retval,"while checking authorization");
-krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if (krb5_seteuid(0)) {
- com_err(prog_name, errno, "while switching back from target after authorization check");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- if (authorization_val == TRUE){
-
- if (cmd) {
- print_status(
- "Account %s: authorization for %s for execution of\n",
- target_user, client_name);
- print_status(" %s successful\n",exec_cmd);
- syslog(LOG_NOTICE,
- "Account %s: authorization for %s for execution of %s successful",
- target_user, client_name, exec_cmd);
-
- }else{
- print_status(
- "Account %s: authorization for %s successful\n",
+ }else{
+ print_status(
+ "Account %s: authorization for %s successful\n",
target_user, client_name);
- syslog(LOG_NOTICE,
- "Account %s: authorization for %s successful",
- target_user, client_name);
- }
- }else {
- if (cmd){
- if (exec_cmd){ /* was used to pass back the error msg */
- fprintf(stderr, "%s", exec_cmd );
- syslog(LOG_WARNING, "%s",exec_cmd);
- }
- fprintf(stderr,
- "Account %s: authorization for %s for execution of %s failed\n",
- target_user, client_name, cmd );
- syslog(LOG_WARNING,
- "Account %s: authorization for %s for execution of %s failed",
- target_user, client_name, cmd );
-
- }else{
- fprintf(stderr,
- "Account %s: authorization of %s failed\n",
- target_user, client_name);
- syslog(LOG_WARNING,
- "Account %s: authorization of %s failed",
- target_user, client_name);
-
- }
-
- sweep_up(ksu_context, cc_target);
- exit(1);
+ syslog(LOG_NOTICE,
+ "Account %s: authorization for %s successful",
+ target_user, client_name);
+ }
+ }else {
+ if (cmd){
+ if (exec_cmd){ /* was used to pass back the error msg */
+ fprintf(stderr, "%s", exec_cmd );
+ syslog(LOG_WARNING, "%s",exec_cmd);
}
+ fprintf(stderr,
+ "Account %s: authorization for %s for execution of %s failed\n",
+ target_user, client_name, cmd );
+ syslog(LOG_WARNING,
+ "Account %s: authorization for %s for execution of %s failed",
+ target_user, client_name, cmd );
+
+ }else{
+ fprintf(stderr,
+ "Account %s: authorization of %s failed\n",
+ target_user, client_name);
+ syslog(LOG_WARNING,
+ "Account %s: authorization of %s failed",
+ target_user, client_name);
+
+ }
+
+ sweep_up(ksu_context, cc_target);
+ exit(1);
}
-
- if( some_rest_copy){
- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
- com_err(prog_name,retval,"while calling cc_filter");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ }
+
+ if( some_rest_copy){
+ if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
+ com_err(prog_name,retval,"while calling cc_filter");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
}
-
- if (all_rest_copy){
- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
- com_err(prog_name, retval,
- "while erasing target cache");
- exit(1);
- }
-
+ }
+
+ if (all_rest_copy){
+ if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
+ com_err(prog_name, retval,
+ "while erasing target cache");
+ exit(1);
}
-
- /* get the shell of the user, this will be the shell used by su */
- target_pwd = getpwnam(target_user);
-
- if (target_pwd->pw_shell)
- shell = xstrdup(target_pwd->pw_shell);
- else {
- shell = _DEF_CSH; /* default is cshell */
- }
-
+
+ }
+
+ /* get the shell of the user, this will be the shell used by su */
+ target_pwd = getpwnam(target_user);
+
+ if (target_pwd->pw_shell)
+ shell = xstrdup(target_pwd->pw_shell);
+ else {
+ shell = _DEF_CSH; /* default is cshell */
+ }
+
#ifdef HAVE_GETUSERSHELL
-
- /* insist that the target login uses a standard shell (root is omited) */
-
- if (!standard_shell(target_pwd->pw_shell) && source_uid) {
- fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+
+ /* insist that the target login uses a standard shell (root is omited) */
+
+ if (!standard_shell(target_pwd->pw_shell) && source_uid) {
+ fprintf(stderr, "ksu: permission denied (shell).\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
#endif /* HAVE_GETUSERSHELL */
+
+ if (target_pwd->pw_uid){
- if (target_pwd->pw_uid){
-
- if(set_env_var("USER", target_pwd->pw_name)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- }
-
- if(set_env_var( "HOME", target_pwd->pw_dir)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if(set_env_var( "SHELL", shell)){
- fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- /* set the cc env name to target */
-
- if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
- fprintf(stderr,"ksu: couldn't set environment variable %s\n",
- KRB5_ENV_CCNAME);
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- /* set permissions */
- if (setgid(target_pwd->pw_gid) < 0) {
- perror("ksu: setgid");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
-
- if (initgroups(target_user, target_pwd->pw_gid)) {
- fprintf(stderr, "ksu: initgroups failed.\n");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if ( ! strcmp(target_user, source_user)){
- print_status("Leaving uid as %s (%d)\n",
- target_user, target_pwd->pw_uid);
- }else{
- print_status("Changing uid to %s (%d)\n",
- target_user, target_pwd->pw_uid);
- }
-
+ if(set_env_var("USER", target_pwd->pw_name)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ }
+
+ if(set_env_var( "HOME", target_pwd->pw_dir)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if(set_env_var( "SHELL", shell)){
+ fprintf(stderr,"ksu: couldn't set environment variable USER\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ /* set the cc env name to target */
+
+ if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
+ fprintf(stderr,"ksu: couldn't set environment variable %s\n",
+ KRB5_ENV_CCNAME);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ /* set permissions */
+ if (setgid(target_pwd->pw_gid) < 0) {
+ perror("ksu: setgid");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+
+ if (initgroups(target_user, target_pwd->pw_gid)) {
+ fprintf(stderr, "ksu: initgroups failed.\n");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if ( ! strcmp(target_user, source_user)){
+ print_status("Leaving uid as %s (%ld)\n",
+ target_user, (long) target_pwd->pw_uid);
+ }else{
+ print_status("Changing uid to %s (%ld)\n",
+ target_user, target_pwd->pw_uid);
+ }
+
#ifdef HAVE_SETLUID
- /*
- * If we're on a system which keeps track of login uids, then
- * set the login uid. If this fails this opens up a problem on DEC OSF
- * with C2 enabled.
- */
- if (setluid((uid_t) pwd->pw_uid) < 0) {
- perror("setluid");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
+ /*
+ * If we're on a system which keeps track of login uids, then
+ * set the login uid. If this fails this opens up a problem on DEC OSF
+ * with C2 enabled.
+ */
+ if (setluid((uid_t) pwd->pw_uid) < 0) {
+ perror("setluid");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
#endif /* HAVE_SETLUID */
-
- if (setuid(target_pwd->pw_uid) < 0) {
- perror("ksu: setuid");
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- if (access( cc_target_tag_tmp, R_OK | W_OK )){
- com_err(prog_name, errno,
- "%s does not have correct permissions for %s, %s aborted",
- target_user, cc_target_tag_tmp, prog_name);
- exit(1);
- }
-
- if ( cc_source)
- krb5_cc_close(ksu_context, cc_source);
-
- if (cmd){
- if ((source_uid == 0) || (source_uid == target_uid )){
- exec_cmd = cmd;
- }
-
- if( !exec_cmd){
- fprintf(stderr,
- "Internal error: command %s did not get resolved\n",cmd);
- exit(1);
- }
-
- params[0] = exec_cmd;
- }
- else{
- params[0] = shell;
+
+ if (setuid(target_pwd->pw_uid) < 0) {
+ perror("ksu: setuid");
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+
+ if (access( cc_target_tag_tmp, R_OK | W_OK )){
+ com_err(prog_name, errno,
+ "%s does not have correct permissions for %s, %s aborted",
+ target_user, cc_target_tag_tmp, prog_name);
+ exit(1);
+ }
+
+ if ( cc_source)
+ krb5_cc_close(ksu_context, cc_source);
+
+ if (cmd){
+ if ((source_uid == 0) || (source_uid == target_uid )){
+ exec_cmd = cmd;
}
-
- if (auth_debug){
- fprintf(stderr, "program to be execed %s\n",params[0]);
+
+ if( !exec_cmd){
+ fprintf(stderr,
+ "Internal error: command %s did not get resolved\n",cmd);
+ exit(1);
}
-
- if( keep_target_cache ) {
- execv(params[0], params);
- com_err(prog_name, errno, "while trying to execv %s",
- params[0]);
- sweep_up(ksu_context, cc_target);
- exit(1);
+
+ params[0] = exec_cmd;
+ }
+ else{
+ params[0] = shell;
+ }
+
+ if (auth_debug){
+ fprintf(stderr, "program to be execed %s\n",params[0]);
+ }
+
+ if( keep_target_cache ) {
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s",
+ params[0]);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
}else{
statusp = 1;
switch ((child_pid = fork())) {
int standard_shell(sh)
char *sh;
{
-register char *cp;
-char *getusershell();
-
- while ((cp = getusershell()) != NULL)
- if (!strcmp(cp, sh))
- return (1);
- return (0);
+ register char *cp;
+ char *getusershell();
+
+ while ((cp = getusershell()) != NULL)
+ if (!strcmp(cp, sh))
+ return (1);
+ return (0);
}
#endif /* HAVE_GETUSERSHELL */
static char * ontty()
{
-char *p, *ttyname();
-static char buf[MAXPATHLEN + 4];
-
- buf[0] = 0;
- if ((p = ttyname(STDERR_FILENO))) {
- if (strlen (p) > MAXPATHLEN) {
- fprintf (stderr, "terminal name %s too long\n", p);
- exit (1);
- }
- sprintf(buf, " on %s", p);
- }
- return (buf);
+ char *p, *ttyname();
+ static char buf[MAXPATHLEN + 4];
+
+ buf[0] = 0;
+ if ((p = ttyname(STDERR_FILENO))) {
+ if (strlen (p) > MAXPATHLEN) {
+ fprintf (stderr, "terminal name %s too long\n", p);
+ exit (1);
+ }
+ sprintf(buf, " on %s", p);
+ }
+ return (buf);
}
char *name;
char *value;
{
-char * env_var_buf;
-
- /* allocate extra two spaces, one for the = and one for the \0 */
- env_var_buf = (char *) xcalloc(2 + strlen(name) + strlen(value),
- sizeof(char));
-
- sprintf(env_var_buf,"%s=%s",name, value);
- return putenv(env_var_buf);
-
+ char * env_var_buf;
+
+ /* allocate extra two spaces, one for the = and one for the \0 */
+ env_var_buf = (char *) xcalloc(2 + strlen(name) + strlen(value),
+ sizeof(char));
+
+ sprintf(env_var_buf,"%s=%s",name, value);
+ return putenv(env_var_buf);
+
}
static void sweep_up(context, cc)
krb5_seteuid(0);
krb5_seteuid(target_uid);
-
+
cc_name = krb5_cc_get_name(context, cc);
if ( ! stat(cc_name, &st_temp)){
if ((retval = krb5_cc_destroy(context, cc))){
}
}
}
+
/*****************************************************************
get_params is to be called for the -a option or -e option to
collect all params passed in for the shell or for
char ***params;
{
-int i,j;
-char ** ret_params;
-int size = pargc - *optind + 2;
-
- if ((ret_params = (char **) calloc(size, sizeof (char *)))== NULL ){
- return errno;
- }
-
- for (i = *optind, j=1; i < pargc; i++,j++){
- ret_params[j] = pargv[i];
- *optind = *optind + 1;
- }
-
- ret_params[size-1] = NULL;
- *params = ret_params;
-return 0;
-
+ int i,j;
+ char ** ret_params;
+ int size = pargc - *optind + 2;
+
+ if ((ret_params = (char **) calloc(size, sizeof (char *)))== NULL ){
+ return errno;
+ }
+
+ for (i = *optind, j=1; i < pargc; i++,j++){
+ ret_params[j] = pargv[i];
+ *optind = *optind + 1;
+ }
+
+ ret_params[size-1] = NULL;
+ *params = ret_params;
+ return 0;
}
static
va_dcl
#endif
{
- va_list ap;
+ va_list ap;
#ifndef HAVE_STDARG_H
- char *fmt;
- va_start (ap);
- fmt = va_arg (ap, char*);
- if (!quiet) vfprintf(stderr, fmt, ap);
- va_end(ap);
+ char *fmt;
+ va_start (ap);
+ fmt = va_arg (ap, char*);
+ if (!quiet) vfprintf(stderr, fmt, ap);
+ va_end(ap);
#else
- if (! quiet){
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- }
+ if (! quiet){
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ }
#endif
}
char * ptr;
temp_path = xstrdup(path);
-
+
if ((ptr = strrchr( temp_path, '/'))) {
*ptr = '\0';
} else {
}
return temp_path;
}
+
+krb5_error_code
+ksu_tgtname(context, server, client, tgtprinc)
+ krb5_context context;
+ const krb5_data *server, *client;
+ krb5_principal *tgtprinc;
+{
+ return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+ server->length, server->data,
+ 0);
+}
projects / krb5.git / commitdiff