* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
/* SCCS identification string kept in the object file (not referenced by the code). */
static char sccsid[] = "@(#)kerberos.c 8.1 (Berkeley) 6/4/93";
* Copyright (C) 1990 by the Massachusetts Institute of Technology
* Export of this software from the United States of America is assumed
* to require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
#include <des.h> /* BSD wont include this in krb.h, so we do it here */
/*
 * Prototypes for the local checksum helper and for the Kerberos V4 library
 * entry points this file calls.  P() is presumably the usual pre-ANSI
 * prototype wrapper (defined elsewhere); every call site below passes the
 * arguments in this order.
 */
int kerberos4_cksum P((unsigned char *, int));
int krb_mk_req P((KTEXT, char *, char *, char *, u_long));
int krb_rd_req P((KTEXT, char *, char *, u_long, AUTH_DAT *, char *));
int krb_kntoln P((AUTH_DAT *, char *));
int krb_get_cred P((char *, char *, char *, CREDENTIALS *));
int krb_get_lrealm P((char *, int));
int kuserok P((AUTH_DAT *, char *));
/*
 * Pre-built "IAC SB TELOPT_AUTHENTICATION ..." suboption buffers.  str_data[3]
 * is later set to TELQUAL_IS or TELQUAL_REPLY depending on which side we are,
 * and the message body is appended from str_data + 4 before net_write().
 * NOTE(review): both initializers are cut off in this extraction; the
 * remaining elements and the closing "};" are not visible here.
 */
static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
/*
 * Kerberos V4 message types carried inside the TELOPT_AUTHENTICATION
 * suboption: passed as the second argument of Data() and matched on in
 * kerberos4_printsub().
 */
#define KRB_AUTH 0 /* Authentication data follows */
#define KRB_REJECT 1 /* Rejected (reason might follow) */
#define KRB_ACCEPT 2 /* Accepted */
#define KRB_CHALLENGE 3 /* Challenge for mutual auth. */
#define KRB_RESPONSE 4 /* Response for mutual auth. */
/* Service part of the principal the ticket is requested for (krb_mk_req) and verified against (krb_rd_req). */
#define KRB_SERVICE_NAME "rcmd"
/*
 * Principal name printed on the rejection path in kerberos4_is().
 * NOTE(review): kerberos4_status() takes a parameter also called "name",
 * which shadows this array inside that function.
 */
static char name[ANAME_SZ];
/* Ticket data filled in by krb_rd_req() in kerberos4_is() and consulted by kuserok(). */
static AUTH_DAT adat = { 0 };
/*
 * NOTE(review): the enclosing function header and several statements were
 * dropped by the extraction; only the lines below survive.  From them, this is
 * the body that appends a payload to the str_data suboption and sends it with
 * net_write().  The callers (e.g. the KRB_AUTH send path, which prints "Not
 * enough room for authentication data" on a false return) treat the return
 * value as a room check, so a size test presumably exists in the lines not
 * shown; it is worth confirming that it bounds the worst case of the copy loop
 * below, where every payload byte is IAC and is doubled, plus the suboption
 * terminator, against sizeof(str_data).
 */
unsigned char *p = str_data + 4;	/* write cursor: past IAC SB TELOPT_AUTHENTICATION and the TELQUAL byte */
unsigned char *cd = (unsigned char *)d;	/* payload to be escaped and appended */
printf("%s:%d: [%d] (%d)",
	str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
/* Copy one payload byte; Telnet requires an IAC inside data to be doubled
 * (the doubling statement itself is not in the visible lines). */
if ((*p++ = *cd++) == IAC)
/* Trace the outgoing suboption (from the option byte on) when we are the IS side. */
if (str_data[3] == TELQUAL_IS)
	printsub('>', &str_data[2], p - (&str_data[2]));
return(net_write(str_data, p - str_data));
/*
 * kerberos4_init - select the suboption qualifier for the side we are on.
 * NOTE(review): parameter declarations, braces and return statements were
 * dropped by the extraction; only these statements survive.  Presumably when
 * "server" is set we answer with TELQUAL_REPLY and probe KEYFILE for
 * readability as a go/no-go test (the FILE is not used otherwise; its fclose
 * is not in the visible lines), and otherwise we send TELQUAL_IS.
 */
kerberos4_init(ap, server)
	str_data[3] = TELQUAL_REPLY;
	if ((fp = fopen(KEYFILE, "r")) == NULL)
	str_data[3] = TELQUAL_IS;
/*
 * Optional destination realm override.  dest_realm stays NULL unless set
 * elsewhere; when non-NULL it takes precedence over the realm derived from
 * the remote host name in the send path below.
 */
char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
int dst_realm_sz = REALM_SZ;
/*
 * NOTE(review): the function header, braces, return statements and the
 * conditions around several of the diagnostic printf calls were dropped by
 * the extraction; only these statements survive.  They form the client-side
 * send path: derive the service instance from the remote host name, pick a
 * realm, obtain a ticket with krb_mk_req(), send the user name, then send
 * the ticket as a KRB_AUTH message via Data().
 */
printf("[ Trying KERBEROS4 ... ]\n");
/* Nothing to authenticate as without a user name. */
if (!UserNameRequested) {
	printf("Kerberos V4: no user name supplied\r\n");
bzero(instance, sizeof(instance));
/* krb_get_phost() may return NULL (the code tests for it).  The copy is
 * bounded and then explicitly NUL-terminated, since strncpy() leaves the
 * buffer unterminated when the source fills it. */
if (realm = krb_get_phost(RemoteHostName))
	strncpy(instance, realm, sizeof(instance));
instance[sizeof(instance)-1] = '\0';
/* An explicit dest_realm overrides the realm derived from the host name. */
realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
/* A non-zero r is a Kerberos library error code; krb_err_txt[] maps it to text. */
if (r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L)) {
	printf("mk_req failed: %s\r\n", krb_err_txt[r]);
if (r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred)) {
	printf("get_cred failed: %s\r\n", krb_err_txt[r]);
/* The user name goes first, in its own suboption. */
if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
	printf("Not enough room for user name\r\n");
printf("Sent %d bytes of authentication data\r\n", auth.length);
/* Then the raw ticket bytes; Data() reports a false result when they do not fit. */
if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
	printf("Not enough room for authentication data\r\n");
/* Debug trace of what was sent (checksum and hex dump). */
printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
printd(auth.dat, auth.length);
printf("Sent Kerberos V4 credentials to server\r\n");
/*
 * kerberos4_is - server side: handle one KRB_* message received from the
 * client (cnt bytes at data).
 * NOTE(review): parameter declarations, the switch on the message type,
 * braces and return statements were dropped by the extraction; the surviving
 * statements are grouped below by the case they appear to belong to.  The
 * data[-1] in the final printf shows the type byte was consumed by an
 * increment before these lines.
 */
kerberos4_is(ap, data, cnt)
/* Presumably the KRB_AUTH case: a local realm is needed before a ticket can be verified. */
if (krb_get_lrealm(realm, 1) != KSUCCESS) {
	Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
	auth_finished(ap, AUTH_REJECT);
	printf("No local realm\r\n");
/*
 * NOTE(review): cnt peer-supplied bytes are copied into auth.dat (declared
 * elsewhere; a fixed-size buffer) with no check against sizeof(auth.dat)
 * visible in these lines.  Unless the caller bounds cnt, an oversized
 * KRB_AUTH message would overrun it.  A guard before the copy, e.g.
 *   if (cnt > sizeof(auth.dat)) { reject as above; return; }
 * closes that, if it is not already present in a line not shown.
 */
bcopy((void *)data, (void *)auth.dat, auth.length = cnt);
/* Debug trace of what was received (checksum and hex dump). */
printf("Got %d bytes of authentication data\r\n", cnt);
printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
printd(auth.dat, auth.length);
/* "*" instance: presumably lets krb_rd_req() accept the ticket for any instance of the service. */
instance[0] = '*'; instance[1] = 0;
if (r = krb_rd_req(&auth, KRB_SERVICE_NAME, instance, 0, &adat, "")) {
	printf("Kerberos failed him as %s\r\n", name);
	/* The library's error text is returned to the (still unauthenticated) peer as the reject reason. */
	Data(ap, KRB_REJECT, (void *)krb_err_txt[r], -1);
	auth_finished(ap, AUTH_REJECT);
/* Authorization: the ticket principal must be allowed to act as
 * UserNameRequested; kuserok() returns 0 on success. */
if (UserNameRequested && !kuserok(&adat, UserNameRequested))
	Data(ap, KRB_ACCEPT, (void *)0, 0);
/* Tail of the reject sent in the else branch; presumably Data(ap, KRB_REJECT, ...) whose first line is missing. */
(void *)"user is not authorized", -1);
auth_finished(ap, AUTH_USER);
/* Presumably the KRB_CHALLENGE case: an empty response is sent here; the
 * encrypted-response handling is not in the visible lines. */
Data(ap, KRB_RESPONSE, (void *)0, 0);
/* default: unrecognised message type -> reject with no reason text. */
printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
/*
 * kerberos4_reply - client side: handle one KRB_* reply from the server.
 * NOTE(review): parameter declarations, the switch on the message type,
 * braces and return statements were dropped by the extraction.
 */
kerberos4_reply(ap, data, cnt)
/* Presumably the KRB_REJECT case.  "%.*s" takes a length argument (not in the
 * visible lines) that bounds how much of the server-supplied reason is
 * printed; the bytes themselves are still echoed to the terminal unfiltered. */
printf("[ Kerberos V4 refuses authentication because %.*s ]\r\n",
printf("[ Kerberos V4 refuses authentication ]\r\n");
/* Presumably the KRB_ACCEPT case. */
printf("[ Kerberos V4 accepts you ]\n");
/* With mutual authentication negotiated, challenge the server before
 * treating the session as authenticated. */
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
	/* Send over the encrypted challenge.  NOTE(review): the encryption
	 * step is not in the visible lines; the call here has an empty body. */
	Data(ap, KRB_CHALLENGE, (void *)0, 0);
auth_finished(ap, AUTH_USER);
/* Presumably the KRB_RESPONSE case, when the server's answer does not verify. */
printf("[ Kerberos V4 challenge failed!!! ]\r\n");
/* default: unrecognised message type (data[-1] is the consumed type byte). */
printf("Unknown Kerberos option %d\r\n", data[-1]);
/*
 * kerberos4_status - report the authentication level reached and hand the
 * accepted user name back to the caller in "name".
 * NOTE(review): parameter declarations, braces and return statements were
 * dropped by the extraction.  The copy into name is an unbounded strcpy():
 * the caller's buffer size is not passed in, and UserNameRequested originates
 * from the peer.  If it is not bounded where it is set, this overruns name;
 * once the size is made available, a sized copy such as
 *   snprintf(name, <caller's buffer size>, "%s", UserNameRequested);
 * would close that.  Also note that this parameter shadows the file-scope
 * "name" array.
 */
kerberos4_status(ap, name, level)
/* Same authorization test as in kerberos4_is(): kuserok() returns 0 when
 * the ticket principal may act as UserNameRequested. */
if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
	strcpy(name, UserNameRequested);
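/*
 * Helpers for kerberos4_printsub().
 *
 * BUMP(buf, len): advance buf past the NUL-terminated text just written and
 * shrink the remaining length to match.  The loop also stops when len reaches
 * 0, so a buffer that was filled without a terminator cannot walk the cursor
 * past the end of the output area and drive len negative (a negative len would
 * later be handed to strncpy() as a huge size_t).
 *
 * ADDC(buf, len, c): append one byte only if room remains, then shrink len.
 *
 * Both expand to a single statement (do { } while (0)) so they are safe after
 * an unbraced "if"/"else" and always take the trailing ';'.
 */
#define BUMP(buf, len) do { while ((len) > 0 && *(buf)) { ++(buf); --(len); } } while (0)
#define ADDC(buf, len, c) do { if ((len) > 0) { *(buf)++ = (c); --(len); } } while (0)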
/*
 * kerberos4_printsub - render a Kerberos V4 authentication suboption (cnt
 * bytes at data, type byte at data[3]) as text into buf, which holds buflen
 * bytes, for the protocol trace.
 * NOTE(review): the declarations of cnt/buflen, the switch on data[3], the
 * BUMP() calls, braces and "break"s were dropped by the extraction.  The only
 * NUL terminator written is the one placed at buf[buflen-1] up front; a
 * strncpy() whose source fills the remaining room, or an ADDC() that consumes
 * the last byte, overwrites it, and no re-termination is visible at the end.
 * Writing the terminator again before returning (using the original pointer
 * and length) would keep the output safe to print regardless of truncation.
 */
kerberos4_printsub(data, cnt, buf, buflen)
unsigned char *data, *buf;
buf[buflen-1] = '\0'; /* make sure it's NUL terminated */
case KRB_REJECT: /* Rejected (reason might follow) */
	strncpy((char *)buf, " REJECT ", buflen);
case KRB_ACCEPT: /* Accepted (name might follow) */
	strncpy((char *)buf, " ACCEPT ", buflen);
	/* Append the trailing bytes (reason or name) one at a time; ADDC stops
	 * once buflen reaches 0. */
	for (i = 4; i < cnt; i++)
		ADDC(buf, buflen, data[i]);
case KRB_AUTH: /* Authentication data follows */
	strncpy((char *)buf, " AUTH", buflen);
/* KRB_CHALLENGE and KRB_RESPONSE cases (labels not in the visible lines). */
	strncpy((char *)buf, " CHALLENGE", buflen);
	strncpy((char *)buf, " RESPONSE", buflen);
/* default: unknown type, dump the bytes numerically.  lbuf is a local
 * scratch buffer declared in a line not shown. */
	sprintf(lbuf, " %d (unknown)", data[3]);
	strncpy((char *)buf, lbuf, buflen);
	for (i = 4; i < cnt; i++) {
		sprintf(lbuf, " %d", data[i]);
		strncpy((char *)buf, lbuf, buflen);
* A comment is probably needed here for those not
* well versed in the "C" language. Yes, this is
* supposed to be a "switch" with the body of the
* "switch" being a "while" statement. The whole
* purpose of the switch is to allow us to jump into
* the middle of the while() loop, and then not have
* to do any more switch()s.
* Some compilers will spit out a warning message
* about the loop not being entered at the top.