Kerberos5 changes to login -- now supports forwarded TGTs.

1999-07-12 21:36:10 +00:00 · 1999-07-12 21:36:10 +00:00 · 3a4abbe0d1
commit 3a4abbe0d1
parent 07a43a7c2e
4 changed files with 135 additions and 13 deletions
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@ -1,9 +1,10 @@
-#	$NetBSD: Makefile,v 1.21 1999/03/05 01:07:56 kim Exp $
+#	$NetBSD: Makefile,v 1.22 1999/07/12 21:36:10 aidan Exp $
 #	@(#)Makefile	8.1 (Berkeley) 7/19/93

 .include <bsd.own.mk>			# for EXPORTABLE_SYSTEM definition

-.if !exists(${.CURDIR}/../../domestic/usr.bin/login) || \
+.if !exists(${.CURDIR}/../../domestic/usr.bin/login) && \
+    !exists(${.CURDIR}/../../crypto-us/usr.bin/login) || \
    defined(EXPORTABLE_SYSTEM) || \
    make(obj) || make(clean) || make(cleandir) || make(distclean)

--- a/usr.bin/login/k5login.c
+++ b/usr.bin/login/k5login.c
@ -1,4 +1,4 @@
-/*	$NetBSD: k5login.c,v 1.6 1997/10/12 14:07:06 mycroft Exp $	*/
+/*	$NetBSD: k5login.c,v 1.7 1999/07/12 21:36:10 aidan Exp $	*/

 /*-
 * Copyright (c) 1990 The Regents of the University of California.
@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)klogin.c	5.11 (Berkeley) 7/12/92";
 #endif
-__RCSID("$NetBSD: k5login.c,v 1.6 1997/10/12 14:07:06 mycroft Exp $");
+__RCSID("$NetBSD: k5login.c,v 1.7 1999/07/12 21:36:10 aidan Exp $");
 #endif /* not lint */

 #ifdef KERBEROS5
@ -48,6 +48,7 @@ __RCSID("$NetBSD: k5login.c,v 1.6 1997/10/12 14:07:06 mycroft Exp $");
 #include <pwd.h>
 #include <netdb.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <unistd.h>

@ -67,6 +68,101 @@ extern char *krbtkfile_env;
 extern char *tty;

 static char tkt_location[MAXPATHLEN];
+static krb5_creds forw_creds;
+int have_forward;
+static krb5_principal me, server;
+
+/*
+ * Attempt to read forwarded kerberos creds
+ *
+ * return 0 on success (forwarded creds in memory)
+ *        1 if no forwarded creds.
+ */
+int
+k5_read_creds(username)
+	char *username;
+{
+	krb5_error_code code;
+	krb5_creds mcreds;
+	krb5_ccache ccache;
+
+	have_forward = 0;
+	memset((char*) &mcreds, 0, sizeof(forw_creds));
+	memset((char*) &forw_creds, 0, sizeof(forw_creds));
+
+	code = krb5_cc_default(kcontext, &ccache);
+	if (code) {
+		com_err("login", code, "while getting default ccache");
+		return(1);
+	}
+
+	code = krb5_parse_name(kcontext, username, &me);
+	if (code) {
+		com_err("login", code, "when parsing name %s", username);
+		return(1);
+	}
+
+	mcreds.client = me;
+	code = krb5_build_principal_ext(kcontext, &mcreds.server,
+					krb5_princ_realm(kcontext, me)->length,
+					krb5_princ_realm(kcontext, me)->data,
+					tgtname.length, tgtname.data,
+					krb5_princ_realm(kcontext, me)->length,
+					krb5_princ_realm(kcontext, me)->data,
+					0);
+	if (code) {
+		com_err("login", code, "while building server name");
+		goto nuke_ccache;
+	}
+
+	code = krb5_cc_retrieve_cred(kcontext, ccache, 0,
+				       &mcreds, &forw_creds);
+	if (code) {
+		com_err("login", code, "while retrieving V5 initial ticket for copy");
+		goto nuke_ccache;
+	}
+	have_forward = 1;
+
+	strcpy(tkt_location, getenv("KRB5CCNAME"));
+	krbtkfile_env = tkt_location;
+	notickets = 0;
+
+nuke_ccache:
+	krb5_cc_destroy(kcontext, ccache);
+	return(!have_forward);
+}
+
+int
+k5_write_creds()
+{
+	krb5_error_code code;
+	krb5_ccache ccache;
+	char buf[256];
+
+	if (!have_forward)
+		return(1);
+	code = krb5_cc_default(kcontext, &ccache);
+	if (code) {
+		com_err("login", code, "while getting default ccache");
+		return(1);
+	}
+
+	code = krb5_cc_initialize(kcontext, ccache, me);
+	if (code) {
+		com_err("login", code, "while re-initializing V5 ccache as user");
+		goto nuke_ccache_contents;
+	}
+
+	code = krb5_cc_store_cred(kcontext, ccache, &forw_creds);
+	if (code) {
+		com_err("login", code, "while re-storing V5 ccache as user");
+		goto nuke_ccache_contents;
+	}
+
+nuke_ccache_contents:
+	krb5_free_cred_contents(kcontext, &forw_creds);
+	return(code != 0);
+}

 /*
 * Attempt to log the user in using Kerberos authentication
@ -81,7 +177,6 @@ klogin(pw, instance, localhost, password)
 {
        krb5_error_code kerror;
 	krb5_address **my_addresses;
-	krb5_principal me, server;
 	krb5_creds my_creds;
 	krb5_timestamp now;
 	krb5_ccache ccache = NULL;
@ -91,8 +186,6 @@ klogin(pw, instance, localhost, password)
 	int i;
 	char *realm, *client_name;
 	char *principal;
-	
-	krb5_init_ets(kcontext);

 	/*
 	 * Root logins don't use Kerberos.
--- a/usr.bin/login/login.1
+++ b/usr.bin/login/login.1
@ -1,4 +1,4 @@
-.\"	$NetBSD: login.1,v 1.16 1999/03/22 18:16:39 garbled Exp $
+.\"	$NetBSD: login.1,v 1.17 1999/07/12 21:36:11 aidan Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -41,7 +41,7 @@
 .Nd authenticate users and set up their session environment
 .Sh SYNOPSIS
 .Nm
-.Op Fl fps
+.Op Fl Ffps
 .Op Fl h Ar hostname
 .Op Ar user
 .Sh DESCRIPTION
@ -67,6 +67,15 @@ Neither will be echoed.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl F
+The
+.Fl F
+option acts like the
+.Fl f
+option, but also indicates to \fBlogin\fR
+that it should attempt to rewrite an existing kerberos5 credentials cache
+(specified by the KRB5CCNAME environment variable) after dropping
+permissions to the user logging in.
 .It Fl f
 The
 .Fl f
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@ -1,4 +1,4 @@
-/*     $NetBSD: login.c,v 1.43 1999/06/15 14:19:53 christos Exp $       */
+/*     $NetBSD: login.c,v 1.44 1999/07/12 21:36:11 aidan Exp $       */

 /*-
 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
@ -44,7 +44,7 @@ __COPYRIGHT(
 #if 0
 static char sccsid[] = "@(#)login.c	8.4 (Berkeley) 4/2/94";
 #endif
-__RCSID("$NetBSD: login.c,v 1.43 1999/06/15 14:19:53 christos Exp $");
+__RCSID("$NetBSD: login.c,v 1.44 1999/07/12 21:36:11 aidan Exp $");
 #endif /* not lint */

 /*
@ -101,6 +101,10 @@ int	 klogin __P((struct passwd *, char *, char *, char *));
 void	 kdestroy __P((void));
 void	 dofork __P((void));
 #endif
+#ifdef KERBEROS5
+int	k5_read_creds __P((char*));
+int	k5_write_creds __P((void));
+#endif

 #define	TTYGRPNAME	"tty"		/* name of group to own ttys */

@ -117,6 +121,7 @@ char	*krbtkfile_env;
 #endif
 #ifdef KERBEROS5
 extern krb5_context kcontext;
+extern int	have_forward;
 #endif

 struct	passwd *pwd;
@ -140,6 +145,7 @@ main(argc, argv)
 	struct timeval tp;
 	struct utmp utmp;
 	int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin, rval;
+	int Fflag;
 	uid_t uid, saved_uid;
 	gid_t saved_gid, saved_gids[NGROUPS_MAX];
 	int nsaved_gids;
@ -179,10 +185,16 @@ main(argc, argv)
 		domain = strchr(localhost, '.');
 	localhost[sizeof(localhost) - 1] = '\0';

-	fflag = hflag = pflag = sflag = 0;
+	Fflag = fflag = hflag = pflag = sflag = 0;
+#ifdef KERBEROS5
+	have_forward = 0;
+#endif
 	uid = getuid();
-	while ((ch = getopt(argc, argv, "fh:ps")) != -1)
+	while ((ch = getopt(argc, argv, "Ffh:ps")) != -1)
 		switch (ch) {
+		case 'F':
+			Fflag = 1;
+			/* FALLTHROUGH */
 		case 'f':
 			fflag = 1;
 			break;
@ -292,6 +304,10 @@ main(argc, argv)

 			if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
 				/* already authenticated */
+#ifdef KERBEROS5
+				if (Fflag)
+					k5_read_creds(username);
+#endif
 				break;
 			} else if (pwd->pw_passwd[0] == '\0') {
 				/* pretend password okay */
@ -568,6 +584,9 @@ main(argc, argv)
 		}
 	}

+#ifdef KERBEROS5
+	k5_write_creds();
+#endif
 	execlp(pwd->pw_shell, tbuf, 0);
 	err(1, "%s", pwd->pw_shell);
 }