* Copyright (c) 1991 The Regents of the University of California.
* %sccs.include.redist.c%
static char sccsid
[] = "@(#)kerberos5.c 5.1 (Berkeley) %G%";
* Copyright (C) 1990 by the Massachusetts Institute of Technology
* Export of this software from the United States of America is assumed
* to require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
#include <krb5/libos-proto.h>
static unsigned char str_data
[1024] = { IAC
, SB
, TELOPT_AUTHENTICATION
, 0,
#define KRB_AUTH 0 /* Authentication data follows */
#define KRB_REJECT 1 /* Rejected (reason might follow) */
#define KRB_ACCEPT 2 /* Accepted (name might follow) */
#define KRB_NEWKEY 3 /* New key to use */
#define KRB_NAME 4 /* Name to authenticate for */
/* telnetd gets session key from here */
static krb5_tkt_authent
*authdat
= NULL
;
unsigned char *p
= str_data
+ 6;
unsigned char *cd
= (unsigned char *)d
;
printf("%s:%d: [%d] (%d)",
str_data
[3] == TELQUAL_IS
? ">>>IS" : ">>>REPLY",
/*
 * NOTE(review): bytes are copied from cd into str_data through p, and a
 * byte equal to IAC is special-cased (presumably doubled on the line that
 * follows; not visible here). No check against the end of the 1024-byte
 * str_data is visible in this fragment -- confirm the copy length is
 * bounded, allowing for doubled IAC bytes.
 */
if ((*p
++ = *cd
++) == IAC
)
if (str_data
[3] == TELQUAL_IS
)
printsub('>', &str_data
[2], p
- &str_data
[2]);
return(net_write(str_data
, p
- str_data
));
kerberos5_init(ap
, server
)
str_data
[3] = TELQUAL_REPLY
;
str_data
[3] = TELQUAL_IS
;
krb5_octet sum
[CRC32_CKSUM_LENGTH
];
krb5_creds creds
; /* telnet gets session key from here */
extern krb5_flags krb5_kdc_default_options
;
/*
 * The checksum descriptor later passed to krb5_mk_req_extended() is
 * declared as CRC-32, and the sum buffer is zero-filled. CRC-32 is not
 * collision-resistant and gives no cryptographic integrity on its own.
 * NOTE(review): confirm nothing relies on this checksum to bind the
 * request to application data.
 */
ksum
.checksum_type
= CKSUMTYPE_CRC32
;
ksum
.length
= sizeof(sum
);
bzero((void *)sum
, sizeof(sum
));
if (!UserNameRequested
) {
printf("Kerberos V5: no user name supplied\r\n");
if (r
= krb5_cc_default(&ccache
)) {
printf("Kerberos V5: could not get default ccache\r\n");
if ((name
= malloc(strlen(RemoteHostName
)+1)) == NULL
) {
printf("Out of memory for hostname in Kerberos V5\r\n");
if (r
= krb5_get_host_realm(RemoteHostName
, &realms
)) {
printf("Kerberos V5: no realm for %s\r\n", RemoteHostName
);
srvdata
[0].data
= realms
[0];
srvdata
[0].length
= strlen(realms
[0]);
srvdata
[1].data
= "rcmd";
srvdata
[2].length
= p2
- name
;
bzero((char *)&creds
, sizeof(creds
));
creds
.server
= (krb5_principal
)server
;
if (r
= krb5_cc_get_principal(ccache
, &creds
.client
)) {
printf("Keberos V5: failure on principal (%d)\r\n",
krb5_free_host_realm(realms
);
if (r
= krb5_get_credentials(krb5_kdc_default_options
, ccache
, &creds
)) {
printf("Keberos V5: failure on credentials(%d)\r\n",r
);
krb5_free_host_realm(realms
);
r
= krb5_mk_req_extended(0, &ksum
, &creds
.times
,
krb5_kdc_default_options
,
ccache
, &creds
, 0, &auth
);
krb5_free_host_realm(realms
);
printf("Keberos V5: mk_req failed\r\n");
if (!Data(KRB_NAME
, (void *)UserNameRequested
, -1)) {
printf("Not enough room for user name\r\n");
if (!Data(KRB_AUTH
, auth
.data
, auth
.length
)) {
printf("Not enough room for authentication data\r\n");
/*
 * Session-key exchange, taken only when the credential's key type is DES:
 * a key schedule is built from creds.keyblock.contents, the DES random
 * generator is seeded from that same key material, a new random key is
 * generated into session_key, passed through des_ecb_encrypt() under the
 * schedule (last argument 1, presumably encrypt mode), and the result is
 * sent to the peer as KRB_NEWKEY.
 * Single DES has a 56-bit key and is long obsolete; treat this exchange
 * as legacy rather than as real confidentiality protection.
 * NOTE(review): the return value of Data(KRB_NEWKEY, ...) is ignored,
 * unlike the KRB_NAME and KRB_AUTH sends -- confirm that is intended.
 */
if (creds
.keyblock
.keytype
== KEYTYPE_DES
) {
des_key_sched(creds
.keyblock
.contents
, krb_sched
);
des_set_random_generator_seed(creds
.keyblock
.contents
);
des_new_random_key(session_key
);
des_ecb_encrypt(session_key
, enckey
, krb_sched
, 1);
Data(KRB_NEWKEY
, (void *)enckey
, sizeof(enckey
));
printf("Sent Kerberos V5 credentials to server\r\n");
kerberos5_is(ap
, data
, cnt
)
static char *realm
= NULL
;
/*
 * NOTE(review): data and cnt presumably come from the peer's
 * suboption. strncpy() leaves user unterminated when it copies cnt bytes
 * without meeting a NUL, and no clamp of cnt to the size of user is
 * visible in this fragment -- confirm that a bound check and an explicit
 * terminator surround this call.
 */
strncpy(user
, data
, cnt
);
auth
.data
= (char *)data
;
if (!(hp
= gethostbyname(LocalHostName
))) {
printf("Cannot resolve local host name\r\n");
Data(KRB_REJECT
, "Unknown local hostname.", -1);
auth_finished(ap
, AUTH_REJECT
);
if (!realm
&& (krb5_get_default_realm(&realm
))) {
printf("Could not get defualt realm\r\n");
Data(KRB_REJECT
, "Could not get default realm.", -1);
auth_finished(ap
, AUTH_REJECT
);
if ((name
= malloc(strlen(hp
->h_name
)+1)) == NULL
) {
printf("Out of memory for hostname in Kerberos V5\r\n");
Data(KRB_REJECT
, "Out of memory.", -1);
auth_finished(ap
, AUTH_REJECT
);
srvdata
[0].length
= strlen(realm
);
srvdata
[1].data
= "rcmd";
srvdata
[2].length
= p2
- name
;
krb5_free_tkt_authent(authdat
);
if (r
= krb5_rd_req_simple(&auth
, server
, 0, &authdat
)) {
/*
 * Builds the rejection text, sends it to the peer as KRB_REJECT and
 * prints it locally.
 * NOTE(review): strcpy()/strcat() are unbounded and the size of errbuf is
 * not visible here -- confirm it can hold the prefix plus the longest
 * error_message() string, or use a bounded formatter.
 */
(void) strcpy(errbuf
, "Read req failed: ");
(void) strcat(errbuf
, error_message(r
));
Data(KRB_REJECT
, errbuf
, -1);
printf("%s\r\n", errbuf
);
if (krb5_unparse_name(authdat
->ticket
->enc_part2
->client
,
Data(KRB_ACCEPT
, name
, name
? -1 : 0);
printf("Kerberos5 accepting him as ``%s''\r\n",
auth_finished(ap
, AUTH_USER
);
if (authdat
&& authdat
->ticket
->enc_part2
->session
->keytype
des_key_sched(authdat
->ticket
->enc_part2
->session
des_ecb_encrypt(data
, session_key
, sched
, 0);
encrypt_session_key(&skey
, 1);
printf("Unknown Kerberos option %d\r\n", data
[-1]);
kerberos5_reply(ap
, data
, cnt
)
printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
printf("[ Kerberos V5 refuses authentication ]\r\n");
printf("[ Kerberos V5 accepts you as %.*s ]\n", cnt
, data
);
/*
 * NOTE(review): this format string has no conversion specifications, so
 * the cnt and data arguments are evaluated and then ignored; they can be
 * dropped.
 */
printf("[ Kerberos V5 accepts you ]\n", cnt
, data
);
encrypt_session_key(&skey
, 0);
auth_finished(ap
, AUTH_USER
);
printf("Unknown Kerberos option %d\r\n", data
[-1]);
kerberos5_status(ap
, name
, level
)
krb5_kuserok(authdat
->ticket
->enc_part2
->client
, UserNameRequested
))
strcpy(name
, UserNameRequested
);
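/*
 * BUMP advances buf to the terminating NUL of the string it points at,
 * decrementing len once per byte skipped; it stops early if len runs out,
 * so it cannot walk past the space len accounts for.
 * ADDC stores one byte c at buf, advances buf and decrements len; it does
 * nothing once len has reached zero.
 * Both macros evaluate buf and len more than once, so pass plain lvalues.
 * Each is wrapped in do { } while (0) so a use followed by ';' is exactly
 * one statement (safe under an unbraced if/else or for).
 * The original ADDC had an unbalanced ')' after --(len) and could not
 * expand to valid code.
 */
#define BUMP(buf, len)		do { while ((len) > 0 && *(buf)) { ++(buf); --(len); } } while (0)
#define ADDC(buf, len, c)	do { if ((len) > 0) { *(buf)++ = (c); --(len); } } while (0)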
kerberos5_printsub(data
, cnt
, buf
, buflen
)
unsigned char *data
, *buf
;
/*
 * NOTE(review): the terminator is written at index buflen-1
 * unconditionally; a buflen of 0 would index before buf -- confirm that
 * callers never pass 0.
 */
buf
[buflen
-1] = '\0'; /* make sure its NULL terminated */
case KRB_NAME
: /* Name to authenticate for */
strncpy(buf
, " NAME ", buflen
);
case KRB_REJECT
: /* Rejected (reason might follow) */
strncpy(buf
, " REJECT ", buflen
);
case KRB_ACCEPT
: /* Accepted (name might follow) */
strncpy(buf
, " ACCEPT ", buflen
);
for (i
= 4; i
< cnt
; i
++)
ADDC(buf
, buflen
, data
[i
]);
case KRB_AUTH
: /* Authentication data follows */
strncpy(buf
, " AUTH", buflen
);
case KRB_NEWKEY
: /* A new session key follows */
strncpy(buf
, " NEWKEY", buflen
);
/*
 * data is declared unsigned char, so " %d (unknown)" expands to at most
 * 14 characters plus the terminator.
 * NOTE(review): the size of lbuf is not visible here -- confirm it is at
 * least 15 bytes, or use a bounded formatter. The strncpy() into buf
 * does not terminate when lbuf is buflen bytes or longer.
 */
sprintf(lbuf
, " %d (unknown)", data
[3]);
strncpy(buf
, lbuf
, buflen
);
for (i
= 4; i
< cnt
; i
++) {
sprintf(lbuf
, " %d", data
[i
]);
strncpy(buf
, lbuf
, buflen
);