* Copyright (c) 1991 The Regents of the University of California.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
static char sccsid
[] = "@(#)kerberos5.c 5.2 (Berkeley) 3/22/91";
* Copyright (C) 1990 by the Massachusetts Institute of Technology
* Export of this software from the United States of America is assumed
* to require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
#include <krb5/libos-proto.h>
static unsigned char str_data
[1024] = { IAC
, SB
, TELOPT_AUTHENTICATION
, 0,
static unsigned char str_name
[1024] = { IAC
, SB
, TELOPT_AUTHENTICATION
,
#define KRB_AUTH 0 /* Authentication data follows */
#define KRB_REJECT 1 /* Rejected (reason might follow) */
#define KRB_ACCEPT 2 /* Accepted */
#define KRB_CHALLANGE 3 /* Challange for mutual auth. */
#define KRB_RESPONSE 4 /* Response for mutual auth. */
/* telnetd gets session key from here */
static krb5_tkt_authent
*authdat
= NULL
;
unsigned char *p
= str_data
+ 4;
unsigned char *cd
= (unsigned char *)d
;
printf("%s:%d: [%d] (%d)",
str_data
[3] == TELQUAL_IS
? ">>>IS" : ">>>REPLY",
if ((*p
++ = *cd
++) == IAC
)
if (str_data
[3] == TELQUAL_IS
)
printsub('>', &str_data
[2], p
- &str_data
[2]);
return(net_write(str_data
, p
- str_data
));
kerberos5_init(ap
, server
)
str_data
[3] = TELQUAL_REPLY
;
str_data
[3] = TELQUAL_IS
;
krb5_octet sum
[CRC32_CKSUM_LENGTH
];
krb5_creds creds
; /* telnet gets session key from here */
extern krb5_flags krb5_kdc_default_options
;
ksum
.checksum_type
= CKSUMTYPE_CRC32
;
ksum
.length
= sizeof(sum
);
bzero((void *)sum
, sizeof(sum
));
if (!UserNameRequested
) {
printf("Kerberos V5: no user name supplied\r\n");
if (r
= krb5_cc_default(&ccache
)) {
printf("Kerberos V5: could not get default ccache\r\n");
if ((name
= malloc(strlen(RemoteHostName
)+1)) == NULL
) {
printf("Out of memory for hostname in Kerberos V5\r\n");
if (r
= krb5_get_host_realm(RemoteHostName
, &realms
)) {
printf("Kerberos V5: no realm for %s\r\n", RemoteHostName
);
srvdata
[0].data
= realms
[0];
srvdata
[0].length
= strlen(realms
[0]);
srvdata
[1].data
= "rcmd";
srvdata
[2].length
= p2
- name
;
bzero((char *)&creds
, sizeof(creds
));
creds
.server
= (krb5_principal
)server
;
if (r
= krb5_cc_get_principal(ccache
, &creds
.client
)) {
printf("Keberos V5: failure on principal (%d)\r\n",
krb5_free_host_realm(realms
);
if (r
= krb5_get_credentials(krb5_kdc_default_options
, ccache
, &creds
)) {
printf("Keberos V5: failure on credentials(%d)\r\n",r
);
krb5_free_host_realm(realms
);
r
= krb5_mk_req_extended(0, &ksum
, &creds
.times
,
krb5_kdc_default_options
,
ccache
, &creds
, 0, &auth
);
krb5_free_host_realm(realms
);
printf("Keberos V5: mk_req failed\r\n");
if (!auth_sendname(UserNameRequested
, strlen(UserNameRequested
))) {
printf("Not enough room for user name\r\n");
if (!Data(ap
, KRB_AUTH
, auth
.data
, auth
.length
)) {
printf("Not enough room for authentication data\r\n");
* If we are doing mutual authentication, get set up to send
* the challange, and verify it when the response comes back.
if (((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_MUTUAL
)
&& (creds
.keyblock
.keytype
== KEYTYPE_DES
)) {
des_key_sched(creds
.keyblock
.contents
, sched
);
des_set_random_generator_seed(creds
.keyblock
.contents
);
des_new_random_key(challange
);
des_ecb_encrypt(challange
, session_key
, sched
, 1);
* Increment the challange by 1, and encrypt it for
for (i
= 7; i
>= 0; --i
) {
x
= (unsigned int)challange
[i
] + 1;
challange
[i
] = x
; /* ignore overflow */
if (x
< 256) /* if no overflow, all done */
des_ecb_encrypt(challange
, challange
, sched
, 1);
printf("Sent Kerberos V5 credentials to server\r\n");
kerberos5_is(ap
, data
, cnt
)
static char *realm
= NULL
;
auth
.data
= (char *)data
;
if (!(hp
= gethostbyname(LocalHostName
))) {
printf("Cannot resolve local host name\r\n");
Data(ap
, KRB_REJECT
, "Unknown local hostname.", -1);
auth_finished(ap
, AUTH_REJECT
);
if (!realm
&& (krb5_get_default_realm(&realm
))) {
printf("Could not get defualt realm\r\n");
Data(ap
, KRB_REJECT
, "Could not get default realm.", -1);
auth_finished(ap
, AUTH_REJECT
);
if ((name
= malloc(strlen(hp
->h_name
)+1)) == NULL
) {
printf("Out of memory for hostname in Kerberos V5\r\n");
Data(ap
, KRB_REJECT
, "Out of memory.", -1);
auth_finished(ap
, AUTH_REJECT
);
srvdata
[0].length
= strlen(realm
);
srvdata
[1].data
= "rcmd";
srvdata
[2].length
= p2
- name
;
krb5_free_tkt_authent(authdat
);
if (r
= krb5_rd_req_simple(&auth
, server
, 0, &authdat
)) {
(void) strcpy(errbuf
, "Read req failed: ");
(void) strcat(errbuf
, error_message(r
));
Data(ap
, KRB_REJECT
, errbuf
, -1);
printf("%s\r\n", errbuf
);
if (krb5_unparse_name(authdat
->ticket
->enc_part2
->client
,
Data(ap
, KRB_ACCEPT
, name
, name
? -1 : 0);
printf("Kerberos5 accepting him as ``%s''\r\n",
auth_finished(ap
, AUTH_USER
);
if (authdat
->ticket
->enc_part2
->session
->keytype
!= KEYTYPE_DES
)
bcopy((void *)authdat
->ticket
->enc_part2
->session
->contents
,
(void *)session_key
, sizeof(Block
));
if (!VALIDKEY(session_key
)) {
* We don't have a valid session key, so just
* send back a response with an empty session
Data(ap
, KRB_RESPONSE
, (void *)0, 0);
des_key_sched(session_key
, sched
);
bcopy((void *)data
, (void *)datablock
, sizeof(Block
));
* Take the received encrypted challange, and encrypt
* it again to get a unique session_key for the
des_ecb_encrypt(datablock
, session_key
, sched
, 1);
encrypt_session_key(&skey
, 1);
* Now decrypt the received encrypted challange,
* increment by one, re-encrypt it and send it back.
des_ecb_encrypt(datablock
, challange
, sched
, 0);
for (r
= 7; r
>= 0; r
++) {
t
= (unsigned int)challange
[r
] + 1;
challange
[r
] = t
; /* ignore overflow */
if (t
< 256) /* if no overflow, all done */
des_ecb_encrypt(challange
, challange
, sched
, 1);
Data(ap
, KRB_RESPONSE
, (void *)challange
, sizeof(challange
));
printf("Unknown Kerberos option %d\r\n", data
[-1]);
Data(ap
, KRB_REJECT
, 0, 0);
kerberos5_reply(ap
, data
, cnt
)
printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
printf("[ Kerberos V5 refuses authentication ]\r\n");
printf("[ Kerberos V5 accepts you ]\n", cnt
, data
);
if ((ap
->way
& AUTH_HOW_MASK
) == AUTH_HOW_MUTUAL
) {
* Send over the encrypted challange.
Data(ap
, KRB_CHALLANGE
, (void *)session_key
,
des_ecb_encrypt(session_key
, session_key
, sched
, 1);
encrypt_session_key(&skey
, 0);
auth_finished(ap
, AUTH_USER
);
* Verify that the response to the challange is correct.
if ((cnt
!= sizeof(Block
)) ||
(0 != memcmp((void *)data
, (void *)challange
,
printf("[ Kerberos V5 challange failed!!! ]\r\n");
printf("[ Kerberos V5 challange successful ]\r\n");
auth_finished(ap
, AUTH_USER
);
printf("Unknown Kerberos option %d\r\n", data
[-1]);
kerberos5_status(ap
, name
, level
)
krb5_kuserok(authdat
->ticket
->enc_part2
->client
, UserNameRequested
))
strcpy(name
, UserNameRequested
);
#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len));}
kerberos5_printsub(data
, cnt
, buf
, buflen
)
unsigned char *data
, *buf
;
buf
[buflen
-1] = '\0'; /* make sure its NULL terminated */
case KRB_REJECT
: /* Rejected (reason might follow) */
strncpy((char *)buf
, " REJECT ", buflen
);
case KRB_ACCEPT
: /* Accepted (name might follow) */
strncpy((char *)buf
, " ACCEPT ", buflen
);
for (i
= 4; i
< cnt
; i
++)
ADDC(buf
, buflen
, data
[i
]);
case KRB_AUTH
: /* Authentication data follows */
strncpy((char *)buf
, " AUTH", buflen
);
strncpy((char *)buf
, " CHALLANGE", buflen
);
strncpy((char *)buf
, " RESPONSE", buflen
);
sprintf(lbuf
, " %d (unknown)", data
[3]);
strncpy((char *)buf
, lbuf
, buflen
);
for (i
= 4; i
< cnt
; i
++) {
sprintf(lbuf
, " %d", data
[i
]);
strncpy((char *)buf
, lbuf
, buflen
);