Diffstat (limited to 'crypto/kerberosIV/lib/auth/afskauthlib/verify.c')
-rw-r--r-- | crypto/kerberosIV/lib/auth/afskauthlib/verify.c | 143 |
1 files changed, 109 insertions, 34 deletions
diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
index f7db523..1c23119 100644
--- a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
+++ b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c
@@ -14,12 +14,7 @@
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the Kungliga Tekniska
- * Högskolan and its contributors.
- *
- * 4. Neither the name of the Institute nor the names of its contributors
+ * 3. Neither the name of the Institute nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
@@ -38,7 +33,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $");
+RCSID("$Id: verify.c,v 1.20 1999/12/02 16:58:37 joda Exp $");
 #endif
 #include <unistd.h>
 #include <sys/types.h>
@@ -52,10 +47,24 @@ RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $");
 #endif
 #include <roken.h>
-#if 0
+#ifdef KRB5
 static char krb5ccname[128];
 #endif
+#ifdef KRB4
 static char krbtkfile[128];
+#endif
+
+/* In some cases is afs_gettktstring called twice (once before afs_verify and once after afs_verify). In some cases (rlogin with access allowed via .rhosts) afs_verify is not called! So we can't rely on correct value in krbtkfile in some cases!
+*/
+
+static int correct_tkfilename=0;
+static int pag_set=0;
 #ifdef KRB4
 static void
@@ -63,9 +72,44 @@ set_krbtkfile(uid_t uid)
 {
 snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
 krb_set_tkt_string (krbtkfile);
+ correct_tkfilename = 1;
 }
 #endif
+/* XXX this has to be the default cache name, since the KRB5CCNAME
+ * environment variable isn't exported by login/xdm
+ */
+
+#ifdef KRB5
+static void
+set_krb5ccname(uid_t uid)
+{
+ snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
+#ifdef KRB4
+ snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
+#endif
+ correct_tkfilename = 1;
+}
+#endif
+
+static void
+set_spec_krbtkfile(void)
+{
+ int fd;
+#ifdef KRB4
+ snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
+ fd = mkstemp(krbtkfile);
+ close(fd);
+ unlink(krbtkfile);
+ krb_set_tkt_string (krbtkfile);
+#endif
+#ifdef KRB5
+ snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
+ fd=mkstemp(krb5ccname+5);
+ close(fd);
+ unlink(krb5ccname+5);
+#endif
+}
 #ifdef KRB5
 static int
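Review bot: set_spec_krbtkfile() never checks the result of mkstemp(): on failure fd is -1, close() and unlink() fail silently, and the unexpanded `%s_XXXXXX` template is then installed via krb_set_tkt_string() (the krb5ccname branch has the same gap). Guard each call, e.g. `fd = mkstemp(krbtkfile); if (fd < 0) return;` after logging the error with syslog(LOG_AUTH|LOG_DEBUG, ...) as verify_krb5 does, so the template name is never handed on. Unlinking the file immediately also gives up the uniqueness mkstemp() provided — the same path in world-writable /tmp is recreated later by the ticket libraries — so a comment should state why the file is not kept (and chowned to the user) instead. Unlike set_krbtkfile()/set_krb5ccname(), this helper does not set correct_tkfilename, so each afs_gettktstring() call without a resolvable LOGNAME picks a fresh name; if that is intended, say so in the comment.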
@@ -76,42 +120,38 @@ verify_krb5(struct passwd *pwd,
 {
 krb5_context context;
 krb5_error_code ret;
- char ticket[128];
 krb5_ccache ccache;
 krb5_principal principal;
- krb5_realm realm;
 krb5_init_context(&context);
- krb5_get_default_realm(context, &realm);
- krb5_make_principal(context, &principal, realm, pwd->pw_name, NULL);
-
- if(!krb5_kuserok(context, principal, pwd->pw_name)) {
- syslog(LOG_AUTH|LOG_DEBUG, "krb5_kuserok failed");
+ ret = krb5_parse_name (context, pwd->pw_name, &principal);
+ if (ret) {
+ syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s",
+ krb5_get_err_text(context, ret));
 goto out;
 }
- /* XXX this has to be the default cache name, since the KRB5CCNAME environment variable isn't exported by login/xdm
- */
- snprintf(ticket, sizeof(ticket), "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
- ret = krb5_cc_resolve(context, ticket, &ccache);
+
+ set_krb5ccname(pwd->pw_uid);
+ ret = krb5_cc_resolve(context, krb5ccname, &ccache);
 if(ret) {
 syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s",
 krb5_get_err_text(context, ret));
 goto out;
 }
- ret = krb5_verify_user(context,
- principal,
- ccache,
- password,
- TRUE,
- NULL);
+ ret = krb5_verify_user_lrealm(context,
+ principal,
+ ccache,
+ password,
+ TRUE,
+ NULL);
 if(ret) {
 syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s",
 krb5_get_err_text(context, ret));
 goto out;
 }
+
 if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
 syslog(LOG_AUTH|LOG_DEBUG, "chown: %s",
 krb5_get_err_text(context, errno));
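Review bot: The removed krb5_kuserok() call was the only explicit authorization check in verify_krb5(), and nothing in the new code replaces it; unless krb5_verify_user_lrealm() is known to perform the equivalent kuserok check internally (not visible in this hunk), a principal that authenticates successfully but is not permitted to log in as pwd->pw_name would now be accepted. Either restore the check after the successful verify — `if(!krb5_kuserok(context, principal, pwd->pw_name)) { ret = <error code>; goto out; }`, this time with ret actually set, since the old code reached `out:` with ret uninitialized — or leave a comment stating that the library call covers it. The krb5_init_context() return value is still unchecked before context is used. verify_krb5's body continues beyond the hunk.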
@@ -119,17 +159,23 @@ verify_krb5(struct passwd *pwd,
 }
 #ifdef KRB4
- {
+ if (krb5_config_get_bool(context, NULL,
+ "libdefaults",
+ "krb4_get_tickets",
+ NULL)) {
 CREDENTIALS c;
 krb5_creds mcred, cred;
+ krb5_realm realm;
+ krb5_get_default_realm(context, &realm);
 krb5_make_principal(context, &mcred.server, realm, "krbtgt", realm, NULL);
+ free (realm);
 ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
 if(ret == 0) {
- ret = krb524_convert_creds_kdc(context, &cred, &c);
+ ret = krb524_convert_creds_kdc(context, ccache, &cred, &c);
 if(ret)
 krb5_warn(context, ret, "converting creds");
 else {
@@ -144,13 +190,13 @@ verify_krb5(struct passwd *pwd,
 krb5_free_principal(context, mcred.server);
 }
- if (k_hasafs()) {
+ if (!pag_set && k_hasafs()) {
 k_setpag();
+ pag_set = 1;
 krb5_afslog_uid_home(context, ccache, NULL, NULL, pwd->pw_uid, pwd->pw_dir);
 }
 #endif
-
 out:
 if(ret && !quiet)
 printf ("%s\n", krb5_get_err_text (context, ret));
@@ -173,8 +219,9 @@ verify_krb4(struct passwd *pwd,
 ret = krb_verify_user (pwd->pw_name, "", lrealm, password, KRB_VERIFY_SECURE, NULL);
 if (ret == KSUCCESS) {
- if (k_hasafs()) {
+ if (!pag_set && k_hasafs()) {
 k_setpag ();
+ pag_set = 1;
 krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
 }
 } else if (!quiet)
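Review bot: The new `krb5_get_default_realm(context, &realm);` ignores its return value; if the call fails, realm is indeterminate when passed to krb5_make_principal() and then to `free (realm);`. Check it and skip the krb4 conversion on failure, e.g. `ret = krb5_get_default_realm(context, &realm); if (ret) goto out;` (or log and fall through without converting), consistent with how the other krb5 calls in this function report errors. The enclosing `if (krb5_config_get_bool(...))` block continues outside the hunk.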
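Review bot: Moving k_setpag() behind `!pag_set` also moves krb5_afslog_uid_home() behind it, because the call stays inside the same if-block; when afs_gettktstring() has already set pag_set (it calls k_setpag() without obtaining tokens, per the last hunk), verify_krb5 now skips the AFS token acquisition entirely. The same pattern is introduced for krb_afslog_uid_home() in the verify_krb4 hunk that follows. Guard only the PAG creation and keep the afslog conditional on k_hasafs() alone, in both places:
```c
    if (k_hasafs()) {
	if (!pag_set) {
	    k_setpag();
	    pag_set = 1;
	}
	krb5_afslog_uid_home(context, ccache, NULL, NULL, pwd->pw_uid, pwd->pw_dir);
    }
```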
@@ -192,22 +239,50 @@ afs_verify(char *name,
 {
 int ret = 1;
 struct passwd *pwd = k_getpwnam (name);
+ if(pwd == NULL) return 1;
+ if (ret)
+ ret = unix_verify_user (name, password);
 #ifdef KRB5
- ret = verify_krb5(pwd, password, exp, quiet);
+ if (ret)
+ ret = verify_krb5(pwd, password, exp, quiet);
 #endif
 #ifdef KRB4
 if(ret)
 ret = verify_krb4(pwd, password, exp, quiet);
 #endif
- if (ret)
- ret = unix_verify_user (name, password);
 return ret;
 }
 char *
 afs_gettktstring (void)
 {
+ char *ptr;
+ struct passwd *pwd;
+
+ if (!correct_tkfilename) {
+ ptr = getenv("LOGNAME");
+ if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
+ set_krb5ccname(pwd->pw_uid);
+#ifdef KRB4
+ set_krbtkfile(pwd->pw_uid);
+ if (!pag_set && k_hasafs()) {
+ k_setpag();
+ pag_set=1;
+ }
+#endif
+ } else {
+ set_spec_krbtkfile();
+ }
+ }
+#ifdef KRB5
+ setenv("KRB5CCNAME",krb5ccname,1);
+#endif
+#ifdef KRB4
+ setenv("KRBTKFILE",krbtkfile,1);
 return krbtkfile;
+#else
+ return "";
+#endif
 }
|
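Review bot: `set_krb5ccname(pwd->pw_uid);` in afs_gettktstring() is called outside any `#ifdef KRB5`, but the function is only defined under `#ifdef KRB5` in the earlier hunk, so a KRB4-only build fails to compile; wrap the call as `#ifdef KRB5` / `set_krb5ccname(pwd->pw_uid);` / `#endif`. The account whose cache and ticket paths are chosen here comes from the LOGNAME environment variable rather than from the name later passed to afs_verify(); if the two can diverge, the cache is named for one uid and chowned to another in verify_krb5, so the assumption that login/xdm set LOGNAME before this is called should be stated in a comment above the getenv(). The KRB4-only `return krbtkfile;` path is reached with krbtkfile possibly still the mkstemp template when set_spec_krbtkfile() failed (see its hunk), which is worth noting where the value is handed to the caller.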