Logo Search packages:      
Sourcecode: heimdal version File versions

k5dcecon.c

/*
 * (c) Copyright 1995 HEWLETT-PACKARD COMPANY
 * 
 * To anyone who acknowledges that this file is provided 
 * "AS IS" without any express or implied warranty:
 * permission to use, copy, modify, and distribute this 
 * file for any purpose is hereby granted without fee, 
 * provided that the above copyright notice and this 
 * notice appears in all copies, and that the name of 
 * Hewlett-Packard Company not be used in advertising or 
 * publicity pertaining to distribution of the software 
 * without specific, written prior permission.  Hewlett-
 * Packard Company makes no representations about the 
 * suitability of this software for any purpose.
 *
 */
/*
 * k5dcecon - Program to convert a K5 TGT to a DCE context,
 * for use with DFS and its PAG.
 * 
 * The program is designed to be called as a sub process, 
 * and return via stdout the name of the cache which implies 
 * the PAG which should be used. This program itself does not 
 * use the cache or PAG itself, so the PAG in the kernel for 
 * this program may not be set. 
 * 
 * The calling program can then use the name of the cache
 * to set the KRB5CCNAME and PAG for its self and its children. 
 *
 * If no ticket was passed, an attemplt to join an existing
 * PAG will be made. 
 * 
 * If a forwarded K5 TGT is passed in, either a new DCE 
 * context will be created, or an existing one will be updated.
 * If the same ticket was already used to create an existing
 * context, it will be joined instead. 
 * 
 * Parts of this program are based on k5dceauth,c which was
 * given to me by HP and by the k5dcelogin.c which I developed. 
 * A slightly different version of k5dcelogin.c, was added to
 * DCE 1.2.2
 * 
 * D. E. Engert 6/17/97 ANL
 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <dirent.h>
#include <sys/stat.h>
#include <locale.h>
#include <pwd.h>
#include <string.h>
#include <time.h>

#include <errno.h>
#include "k5dce.h"

#include <dce/sec_login.h>
#include <dce/dce_error.h>
#include <dce/passwd.h>

/* #define DEBUG */
#if defined(DEBUG)
#define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr)
#define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr)
#else
#define DEEDEBUG(A)
#define DEEDEBUG2(A,B)
#endif

#ifdef __hpux
#define seteuid(A)            setresuid(-1,A,-1);
#endif


int k5dcecreate (uid_t, char *, char*, krb5_creds **);
int k5dcecon (uid_t, char *, char *);
int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **);
int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **);
int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags);


char *progname = "k5dcecon";
static time_t now;

#ifdef notdef
#ifdef _AIX
/*---------------------------------------------*/
 /* AIX with DCE 1.1 does not have the com_err in the libdce.a
  * do a half hearted job of substituting for it. 
  */ 
void com_err(char *p1, int code, ...) 
{
    int lst;
    dce_error_string_t  err_string;
    dce_error_inq_text(code, err_string, &lst);
    fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string );
}

/*---------------------------------------------*/
void krb5_init_ets()
{

}
#endif
#endif


/*------------------------------------------------*/
/* find a cache to use  for our new pag           */
/* Since there is no simple way to determine which
 * caches are associated with a pag, we will have
 * do look around and see what makes most sense on 
 * different systems. 
 * on a Solaris system, and in the DCE source, 
 * the pags always start with a 41. 
 * this is not true on the IBM, where there does not
 * appear to be any pattern. 
 * 
 * But since we are always certifing our creds when
 * they are received, we can us that fact, and look
 * at the first word of the associated data file
 * to see that it has a "5". If not don't use. 
 */

int k5dcesession(luid, pname, tgt, ppag, tflags)
  uid_t luid;
  char *pname;
  krb5_creds **tgt;
  int *ppag;
  krb5_flags tflags;
{
  DIR *dirp;
  struct dirent *direntp;
  off_t size;
  krb5_timestamp endtime;
  int better = 0;
  krb5_creds *xtgt;

  char prev_name[17] = "";  
  krb5_timestamp prev_endtime;
  off_t prev_size;
  u_long prev_pag = 0;

  char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/";
 
  error_status_t st;
  sec_login_handle_t lcontext = 0;
  dce_error_string_t  err_string;
  int lst;

  DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags);

  dirp = opendir("/opt/dcelocal/var/security/creds/");
  if (dirp == NULL) {
      return 1;
  }

  while ( (direntp = readdir( dirp )) != NULL ) {

/*  
 * (but root has the ffffffff which we are not interested in)
 */
    if (!strncmp(direntp->d_name,"dcecred_",8)
         && (strlen(direntp->d_name) == 16)) {

      /* looks like a cache name, lets do the stat, etc */

      strcpy(ccname+38,direntp->d_name);
      if (!k5dcematch(luid, pname, ccname, &size, &xtgt))  {

        /* its one of our caches, see if it is better  
         * i.e. the endtime is farther, and if the endtimes
         * are the same, take the larger, as he who has the 
         * most tickets wins.
         * it must also had the same set of flags at least
         * i.e. if the forwarded TGT is forwardable, this one must 
         * be as well.   
         */

        DEEDEBUG2("Cache:%s",direntp->d_name);
        DEEDEBUG2(" size:%d",size);
            DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags);
            DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime));
 
        if ((xtgt->ticket_flags & tflags) == tflags ) {
          if (prev_name[0]) {
            if (xtgt->times.endtime > prev_endtime) {
              better = 1;
            } else if ((xtgt->times.endtime = prev_endtime) 
                  && (size > prev_size)){
              better = 1;
              }
          } else {   /* the first */
            if (xtgt->times.endtime >= now) {
            better = 1;
              }
          }
          if (better) {
            strcpy(prev_name, direntp->d_name);
                prev_endtime = xtgt->times.endtime;
            prev_size = size;
            sscanf(prev_name+8,"%8X",&prev_pag);
                  *tgt = xtgt;
            better = 0;
          }
        }
      } 
    }
  }
  (void)closedir( dirp );

  if (!prev_name[0])  
       return 1; /* failed to find one */

   DEEDEBUG2("Best: %s\n",prev_name);

   if (ppag)
      *ppag = prev_pag;

   strcpy(ccname+38,prev_name);
   setenv("KRB5CCNAME",ccname,1);
 
   return(0);
}


/*----------------------------------------------*/
/* see if this cache is for this this principal */

int k5dcematch(luid, pname, ccname, sizep, tgt) 
  uid_t luid;
  char *pname;
  char *ccname;
  off_t *sizep;  /* size of the file */
  krb5_creds **tgt;
{

  krb5_ccache cache;
  struct stat stbuf;
  char ccdata[256];
  int fd;
  int status;

  /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */

  if (!strncmp(ccname,"FILE:",5)) {

    strcpy(ccdata,ccname+5);
    strcat(ccdata,".data");

    /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */

    if (stat(ccdata, &stbuf))
      return(1);
 
    if (stbuf.st_uid != luid)
      return(1);

    if ((fd = open(ccdata,O_RDONLY)) == -1)
      return(1);
    
    if ((read(fd,&status,4)) != 4) {
      close(fd);
      return(1);
    }
    
    /* DEEDEBUG2(".data file status = %d\n", status); */

    if (status != 5)
     return(1);

    if (stat(ccname+5, &stbuf))
      return(1);

    if (stbuf.st_uid != luid)
      return(1);

    *sizep = stbuf.st_size;
  }

  return(k5dcegettgt(&cache, ccname, pname, tgt));
}


/*----------------------------------------*/
/* k5dcegettgt - get the tgt from a cache */

int k5dcegettgt(pcache, ccname, pname, tgt)
  krb5_ccache *pcache;
  char *ccname;
  char *pname;
  krb5_creds **tgt;

{
  krb5_ccache cache;
  krb5_cc_cursor cur;
  krb5_creds creds;
  int code;
  int found = 1;
  krb5_principal princ;
  char *kusername;
  krb5_flags flags;
  char *sname, *realm, *tgtname = NULL;

  /* Since DCE does not expose much of the Kerberos interface,
   * we will have to use what we can. This means setting the 
   * KRB5CCNAME for each file we want to test
   * We will also not worry about freeing extra cache structures
   * as this this routine is also not exposed, and this should not 
   * effect this module. 
   * We should also free the creds contents, but that is not exposed
   * either. 
   */

  setenv("KRB5CCNAME",ccname,1);
  cache = NULL;
  *tgt = NULL;

  if (code = krb5_cc_default(pcache)) {
     com_err(progname, code, "while getting ccache");
     goto return2;
  }

  DEEDEBUG("Got cache\n");
  flags = 0;
  if (code = krb5_cc_set_flags(*pcache, flags)) {
    com_err(progname, code,"While setting flags"); 
    goto return2;
  }
  DEEDEBUG("Set flags\n");
  if (code = krb5_cc_get_principal(*pcache, &princ)) {
      com_err(progname, code, "While getting princ");
    goto return1;
  }
  DEEDEBUG("Got principal\n");
  if (code = krb5_unparse_name(princ, &kusername)) {
    com_err(progname, code, "While unparsing principal");
    goto return1;
  }

  DEEDEBUG2("Unparsed to \"%s\"\n", kusername);
  DEEDEBUG2("pname is \"%s\"\n", pname);
  if (strcmp(kusername, pname)) {
   DEEDEBUG("Principals not equal\n");
   goto return1;
  }
  DEEDEBUG("Principals equal\n");

  realm = strchr(pname,'@');
  realm++;

  if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) {
       fprintf(stderr,"Malloc failed for tgtname\n");
       goto return1;
  }

  strcpy(tgtname,"krbtgt/");
  strcat(tgtname,realm);
  strcat(tgtname,"@");
  strcat(tgtname,realm);
 
  DEEDEBUG2("Getting tgt %s\n", tgtname);
  if (code = krb5_cc_start_seq_get(*pcache, &cur)) {
    com_err(progname, code, "while starting to retrieve tickets");
    goto return1;
  }

  while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) {
    krb5_creds *cred = &creds;

    if (code = krb5_unparse_name(cred->server, &sname)) {
      com_err(progname, code, "while unparsing server name");
      continue;
    }

    if (strncmp(sname, tgtname, strlen(tgtname)) == 0) {
      DEEDEBUG("FOUND\n");
      if (code = krb5_copy_creds(&creds, tgt)) {
        com_err(progname, code, "while copying TGT");
        goto return1;
      }
      found = 0;
      break;
    } 
    /* we should do a krb5_free_cred_contents(creds); */
  }

  if (code = krb5_cc_end_seq_get(*pcache, &cur)) {
    com_err(progname, code, "while finishing retrieval"); 
    goto return2;
  }

return1:
  flags = KRB5_TC_OPENCLOSE; 
  krb5_cc_set_flags(*pcache, flags); /* force a close */
   
return2:
  if (tgtname)
    free(tgtname);

  return(found);
}


/*------------------------------------------*/
/* Convert a forwarded TGT to a DCE context */
int k5dcecon(luid, luser, pname)
  uid_t luid;
  char *luser;
  char *pname;
{

  krb5_creds *ftgt = NULL;
  krb5_creds *tgt = NULL;
  unsigned32 dfspag;
  boolean32 reset_passwd = 0;
  int lst;
  dce_error_string_t  err_string;
  char *shell_prog;
  krb5_ccache fcache;
  char *ccname;
  char *kusername;
  char *urealm;
  char *cp;
  int pag;
  int code;
  krb5_timestamp endtime;


  /* If there is no cache to be converted, we should not be here */

  if ((ccname = getenv("KRB5CCNAME")) == NULL) {
    DEEDEBUG("No KRB5CCNAME\n");
    return(1);
  }

  if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) {
    fprintf(stderr, "%s: Did not find TGT\n", progname);
    return(1);
  }

 
  DEEDEBUG2("flags=%x\n",ftgt->ticket_flags);
  if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){
    fprintf(stderr,"Ticket not forwardable\n");
    return(0); /* but OK to continue */
  }

  setenv("KRB5CCNAME","",1);
    
#define TKT_ACCEPTABLE (TKT_FLG_FORWARDABLE | TKT_FLG_PROXIABLE \
         | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \
         | TKT_FLG_PRE_AUTH)

  if (!k5dcesession(luid, pname, &tgt, &pag, 
        (ftgt->ticket_flags & TKT_ACCEPTABLE))) {
    if (ftgt->times.endtime > tgt->times.endtime) {
      DEEDEBUG("Updating existing cache\n"); 
      return(k5dceupdate(&ftgt, pag));
    } else {
      DEEDEBUG("Using existing cache\n");
      return(0); /* use the original one */
    }
  } 
    /* see if the tgts match up */

  if ((code = k5dcecreate(luid, luser, pname, &ftgt))) {
      return (code);
  }

  /*
   * Destroy the Kerberos5 cred cache file.
   * but dont care aout the return code. 
   */

  DEEDEBUG("Destroying the old cache\n");
  if ((code = krb5_cc_destroy(fcache))) {
    com_err(progname, code, "while destroying Kerberos5 ccache");
  }
  return (0);
}


/*--------------------------------------------------*/
/* k5dceupdate - update the cache with a new TGT    */
/* Assumed that the KRB5CCNAME has been set         */

int k5dceupdate(krbtgt, pag) 
   krb5_creds **krbtgt;
   int pag;
{
 
  krb5_ccache ccache;
  int code;

  if (code = krb5_cc_default(&ccache)) {
    com_err(progname, code, "while opening cache for update");
    return(2);
   }

  if (code = ccache->ops->init(ccache,(*krbtgt)->client)) {
    com_err(progname, code, "while reinitilizing cache");
    return(3);
  } 

    /* krb5_cc_store_cred */
  if (code = ccache->ops->store(ccache, *krbtgt)) {
    com_err(progname, code, "while updating cache");
    return(2);
  }

  sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime);
  return(0);
}
/*--------------------------------------------------*/
/* k5dcecreate - create a new DCE context           */

int k5dcecreate(luid, luser, pname, krbtgt)
   uid_t luid;
   char *luser;
   char *pname;
   krb5_creds **krbtgt;
{
   
    char *cp;
    char *urealm;
    char *username;
    char *defrealm;
    uid_t uid;

    error_status_t st;
    sec_login_handle_t lcontext = 0;
    sec_login_auth_src_t auth_src = 0;
    boolean32 reset_passwd = 0;
    int lst;
    dce_error_string_t  err_string;

      setenv("KRB5CCNAME","",1); /* make sure it not misused */

      uid = getuid();
      DEEDEBUG2("uid=%d\n",uid);
    
      /* if run as root, change to user, so as to have the
       * cache created for the local user even if cross-cell
       * If run as a user, let standard file protection work.
       */

      if (uid == 0) {
            seteuid(luid);
      }  

      cp = strchr(pname,'@');
      *cp = '\0';
      urealm = ++cp;

 DEEDEBUG2("basename=%s\n",cp);
 DEEDEBUG2("realm=%s\n",urealm);

    /* now build the username as a single string or a /.../cell/user
     * if this is a cross cell
     */

      if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) {
         fprintf(stderr,"Malloc failed for username\n");
         goto abort;
    }
    if (krb5_get_default_realm(&defrealm)) {
        DEEDEBUG("krb5_get_default_realm failed\n");
        goto abort;
    }


    if (!strcmp(urealm,defrealm)) {
        strcpy(username,pname);
    } else {
        strcpy(username,"/.../");
        strcat(username,urealm);
        strcat(username,"/");
        strcat(username,pname);
    }

    /*
     * Setup a DCE login context
     */

    if (sec_login_setup_identity((unsigned_char_p_t)username, 
                         (sec_login_external_tgt|sec_login_proxy_cred),
                         &lcontext, &st)) {
      /*
       * Add our TGT.
       */
        DEEDEBUG("Adding our new TGT\n");
        sec_login_krb5_add_cred(lcontext, *krbtgt, &st);
        if (st) {
          dce_error_inq_text(st, err_string, &lst);
          fprintf(stderr,
                        "Error while adding credentials for %s because %s\n", 
                        username, err_string);
          goto abort;
        }   
        DEEDEBUG("validating and certifying\n");
        /*
         * Now "validate" and certify the identity,
         *  usually we would pass a password here, but...
         * sec_login_valid_and_cert_ident
         * sec_login_validate_identity
         */

        if (sec_login_validate_identity(lcontext, 0, &reset_passwd,
             &auth_src, &st)) {
          DEEDEBUG2("validate_identity st=%d\n",st);
          if (st) {
              dce_error_inq_text(st, err_string, &lst);
              fprintf(stderr, "Validation error for %s because %s\n",
                         username, err_string);
              goto abort;
          }
            if (!sec_login_certify_identity(lcontext,&st)) {
                  dce_error_inq_text(st, err_string, &lst);
                  fprintf(stderr,
                  "Credentials not certified because %s\n",err_string);
            }
          if (reset_passwd) {
             fprintf(stderr,
                "Password must be changed for %s\n", username);
          }
          if (auth_src == sec_login_auth_src_local) {
            fprintf(stderr,
                   "Credentials obtained from local registry for %s\n", 
                   username);
          }
          if (auth_src == sec_login_auth_src_overridden) {
              fprintf(stderr, "Validated %s from local override entry, no network credentials obtained\n", username);
              goto abort; 

          }
          /*
           * Actually create the cred files.
           */
            DEEDEBUG("Ceating new cred files.\n");
          sec_login_set_context(lcontext, &st);
          if (st) {
              dce_error_inq_text(st, err_string, &lst);
              fprintf(stderr, 
                "Unable to set context for %s because %s\n",
                username, err_string);
              goto abort;
          }

        /*
         * Now free up the local context and leave the 
         * network context with its pag
         */
#if 0
        sec_login_release_context(&lcontext, &st);
        if (st) {
          dce_error_inq_text(st, err_string, &lst);
          fprintf(stderr,
               "Unable to release context for %s because %s\n",
            username, err_string);
          goto abort;
        }
#endif
      }
      else {
        DEEDEBUG2("validate failed %d\n",st);
        dce_error_inq_text(st, err_string, &lst);
        fprintf(stderr,
             "Unable to validate %s because %s\n", username, 
                  err_string);
        goto abort;
      }
  }
  else {
      dce_error_inq_text(st, err_string, &lst);
      fprintf(stderr, 
          "Unable to setup login entry for %s because %s\n",
       username, err_string);
        goto abort;
  }

 done:
    /* if we were root, get back to root */

    DEEDEBUG2("sec_login_inq_pag %8.8x\n",
             sec_login_inq_pag(lcontext, &st));

    if (uid == 0) {
      seteuid(0);
    }  

      DEEDEBUG("completed\n");
      return(0);

 abort:
    if (uid == 0) {
      seteuid(0);
    }  

    DEEDEBUG("Aborting\n");
    return(2);
}



/*-------------------------------------------------*/
main(argc, argv)
  int argc;
  char *argv[];
{
  int status;
  extern int optind;
  extern char *optarg;
  int rv;

  char *lusername = NULL;
  char *pname = NULL;
  int fflag = 0;
  struct passwd *pw;
  uid_t luid;
  uid_t myuid;
  char *ccname;
  krb5_creds *tgt = NULL;

#ifdef DEBUG
  close(2);
  open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND, 0600);
#endif

  if (myuid = getuid()) {
    DEEDEBUG2("UID = %d\n",myuid);
    exit(33); /* must be root to run this, get out now */
  }

  while ((rv = getopt(argc,argv,"l:p:fs")) != -1) {
    DEEDEBUG2("Arg = %c\n", rv);
    switch(rv) {
      case 'l':         /* user name */
      lusername = optarg;
      DEEDEBUG2("Optarg = %s\n", optarg);
      break;
      case 'p':         /* principal name */
        pname = optarg; 
      DEEDEBUG2("Optarg = %s\n", optarg);
        break;
      case 'f':         /* convert a forwarded TGT to a context */
        fflag++;
        break;
      case 's':      /* old test parameter, ignore it */
        break; 
    }
  }

  setlocale(LC_ALL, "");
  krb5_init_ets();
  time(&now); /* set time to check expired tickets */

  /* if lusername == NULL, Then user is passed as the USER= variable */ 

  if (!lusername) {
    lusername = getenv("USER");
    if (!lusername) {
      fprintf(stderr, "USER not in environment\n");
      return(3);
    }
  }

  if ((pw = getpwnam(lusername)) == NULL) {
    fprintf(stderr, "Who are you?\n");
    return(44);
  }

  luid = pw->pw_uid;

  if (fflag) {  
    status = k5dcecon(luid, lusername, pname); 
  } else {
    status = k5dcesession(luid, pname, &tgt, NULL, 0);
  }
 
  if (!status) {
    printf("%s",getenv("KRB5CCNAME")); /* return via stdout to caller */
    DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME"));
  }

  DEEDEBUG2("Returning status %d\n",status);
  return (status);
}

Generated by  Doxygen 1.6.0   Back to index