o use krb5_verify_user() if available instead of doing it by hand
o use krb5_init_secure_context() if we have it
o pass an encryption type of 0 to krb5_kt_read_service_key() instead of ENCTYPE_DES_CBC_MD5 to let kerberos choose.
38
auth/kerb5.c
38
auth/kerb5.c
@@ -46,6 +46,9 @@
|
|||||||
#endif /* HAVE_UNISTD_H */
|
#endif /* HAVE_UNISTD_H */
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <krb5.h>
|
#include <krb5.h>
|
||||||
|
#ifdef HAVE_HEIMDAL
|
||||||
|
#include <com_err.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "sudo.h"
|
#include "sudo.h"
|
||||||
#include "sudo_auth.h"
|
#include "sudo_auth.h"
|
||||||
@@ -57,12 +60,13 @@ __unused static const char rcsid[] = "$Sudo$";
|
|||||||
#ifdef HAVE_HEIMDAL
|
#ifdef HAVE_HEIMDAL
|
||||||
# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
|
# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
|
||||||
# define krb5_free_data_contents(c, d) krb5_data_free(d)
|
# define krb5_free_data_contents(c, d) krb5_data_free(d)
|
||||||
# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */
|
|
||||||
#else
|
#else
|
||||||
# define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
|
# define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifndef HAVE_KRB5_VERIFY_USER
|
||||||
static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
|
static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
|
||||||
|
#endif
|
||||||
static struct _sudo_krb5_data {
|
static struct _sudo_krb5_data {
|
||||||
krb5_context sudo_context;
|
krb5_context sudo_context;
|
||||||
krb5_principal princ;
|
krb5_principal princ;
|
||||||
@@ -87,7 +91,12 @@ kerb5_init(pw, promptp, auth)
|
|||||||
|
|
||||||
auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
|
auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
|
||||||
|
|
||||||
if ((error = krb5_init_context(&(sudo_krb5_data.sudo_context))))
|
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
|
||||||
|
error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
|
||||||
|
#else
|
||||||
|
error = krb5_init_context(&(sudo_krb5_data.sudo_context));
|
||||||
|
#endif
|
||||||
|
if (error)
|
||||||
return(AUTH_FAILURE);
|
return(AUTH_FAILURE);
|
||||||
sudo_context = sudo_krb5_data.sudo_context;
|
sudo_context = sudo_krb5_data.sudo_context;
|
||||||
|
|
||||||
@@ -150,6 +159,26 @@ kerb5_init(pw, promptp, auth)
|
|||||||
return(AUTH_SUCCESS);
|
return(AUTH_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_KRB5_VERIFY_USER
|
||||||
|
int
|
||||||
|
kerb5_verify(pw, pass, auth)
|
||||||
|
struct passwd *pw;
|
||||||
|
char *pass;
|
||||||
|
sudo_auth *auth;
|
||||||
|
{
|
||||||
|
krb5_context sudo_context;
|
||||||
|
krb5_principal princ;
|
||||||
|
krb5_ccache ccache;
|
||||||
|
krb5_error_code error;
|
||||||
|
|
||||||
|
sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
|
||||||
|
princ = ((sudo_krb5_datap) auth->data)->princ;
|
||||||
|
ccache = ((sudo_krb5_datap) auth->data)->ccache;
|
||||||
|
|
||||||
|
error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
|
||||||
|
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
|
||||||
|
}
|
||||||
|
#else
|
||||||
int
|
int
|
||||||
kerb5_verify(pw, pass, auth)
|
kerb5_verify(pw, pass, auth)
|
||||||
struct passwd *pw;
|
struct passwd *pw;
|
||||||
@@ -195,6 +224,7 @@ kerb5_verify(pw, pass, auth)
|
|||||||
krb5_free_cred_contents(sudo_context, &creds);
|
krb5_free_cred_contents(sudo_context, &creds);
|
||||||
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
|
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
int
|
int
|
||||||
kerb5_cleanup(pw, auth)
|
kerb5_cleanup(pw, auth)
|
||||||
@@ -220,6 +250,7 @@ kerb5_cleanup(pw, auth)
|
|||||||
return(AUTH_SUCCESS);
|
return(AUTH_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifndef HAVE_KRB5_VERIFY_USER
|
||||||
/*
|
/*
|
||||||
* This routine with some modification is from the MIT V5B6 appl/bsd/login.c
|
* This routine with some modification is from the MIT V5B6 appl/bsd/login.c
|
||||||
*
|
*
|
||||||
@@ -269,7 +300,7 @@ verify_krb_v5_tgt(sudo_context, ccache, auth_name)
|
|||||||
* and enctype is currently ignored anyhow.)
|
* and enctype is currently ignored anyhow.)
|
||||||
*/
|
*/
|
||||||
if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
|
if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
|
||||||
ENCTYPE_DES_CBC_MD5, &keyblock))) {
|
0, &keyblock))) {
|
||||||
/* Keytab or service key does not exist. */
|
/* Keytab or service key does not exist. */
|
||||||
log_error(NO_EXIT,
|
log_error(NO_EXIT,
|
||||||
"%s: host service key not found: %s", auth_name,
|
"%s: host service key not found: %s", auth_name,
|
||||||
@@ -302,3 +333,4 @@ cleanup:
|
|||||||
error_message(error));
|
error_message(error));
|
||||||
return(error);
|
return(error);
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
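Review bot: The new `kerb5_verify` under `HAVE_KRB5_VERIFY_USER` passes bare `1` and `NULL` to `krb5_verify_user()` with no comment and then throws the error code away, so a failed login leaves no reason in the log, whereas the hand-rolled path reports `error_message(error)` through `log_error(NO_EXIT, ...)`. The `1` is the secure flag: it makes the library check the freshly obtained TGT against the local host key in the keytab, which is the same KDC-spoofing defence that `verify_krb_v5_tgt()` implements by hand, and `NULL` selects the default host service in the Heimdal API, so a comment such as `/* secure=1: verify the TGT against the local host key so a spoofed KDC cannot pass; NULL = default host service */` would keep the next maintainer from "simplifying" it to 0. Logging the failure before `return (error ? AUTH_FAILURE : AUTH_SUCCESS);` in the same style as the other path would also make failed sudo authentications diagnosable; as far as I can tell `krb5_verify_user()` does not log on its own. Separately, the comment ending `* and enctype is currently ignored anyhow.)` above the `krb5_kt_read_service_key()` call now contradicts the change to pass `0` so that the library picks the enctype, and should be reworded to say that 0 lets Kerberos choose; that comment begins outside the hunk.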
@@ -191,6 +191,12 @@
|
|||||||
/* Define to 1 if you use Kerberos V. */
|
/* Define to 1 if you use Kerberos V. */
|
||||||
#undef HAVE_KERB5
|
#undef HAVE_KERB5
|
||||||
|
|
||||||
|
/* Define to 1 if you have the `krb5_init_secure_context' function. */
|
||||||
|
#undef HAVE_KRB5_INIT_SECURE_CONTEXT
|
||||||
|
|
||||||
|
/* Define to 1 if you have the `krb5_verify_user' function. */
|
||||||
|
#undef HAVE_KRB5_VERIFY_USER
|
||||||
|
|
||||||
/* Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not) */
|
/* Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not) */
|
||||||
#undef HAVE_LBER_H
|
#undef HAVE_LBER_H
|
||||||
|
|
||||||
|
@@ -1897,6 +1897,8 @@ if test "$with_kerb5" = "yes"; then
|
|||||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
|
||||||
AC_MSG_RESULT(yes)
|
AC_MSG_RESULT(yes)
|
||||||
AC_DEFINE(HAVE_HEIMDAL)
|
AC_DEFINE(HAVE_HEIMDAL)
|
||||||
|
], [
|
||||||
|
AC_MSG_RESULT(no)
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
fi
|
fi
|
||||||
@@ -1930,7 +1932,8 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then
|
|||||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
|
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
|
||||||
AC_MSG_RESULT(yes)
|
AC_MSG_RESULT(yes)
|
||||||
AC_DEFINE(HAVE_HEIMDAL)
|
AC_DEFINE(HAVE_HEIMDAL)
|
||||||
SUDO_LIBS="${SUDO_LIBS} -lkrb5 -ldes -lcom_err -lasn1"
|
# XXX - need to check whether -lcrypo is needed!
|
||||||
|
SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
|
||||||
AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
|
AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
|
||||||
], [
|
], [
|
||||||
AC_MSG_RESULT(no)
|
AC_MSG_RESULT(no)
|
||||||
@@ -1942,6 +1945,10 @@ if test -n "$with_kerb5" -a -z "$KRB5CONFIG"; then
|
|||||||
else
|
else
|
||||||
AUTH_OBJS="${AUTH_OBJS} kerb5.o"
|
AUTH_OBJS="${AUTH_OBJS} kerb5.o"
|
||||||
fi
|
fi
|
||||||
|
_LIBS="$LIBS"
|
||||||
|
LIBS="${LIBS} ${SUDO_LIBS}"
|
||||||
|
AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
|
||||||
|
LIBS="$_LIBS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
dnl
|
dnl
|
||||||
|