2 * rlm_krb5.c module to authenticate against krb5
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2000 The FreeRADIUS server project
21 * Copyright 2000 Nathan Neulinger <nneul@umr.edu>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
26 static const char rcsid[] = "$Id$";
29 #include "libradius.h"
42 typedef struct rlm_krb5_t {
44 const char *service_princ;
45 krb5_context *context;
48 static CONF_PARSER module_config[] = {
49 { "keytab", PW_TYPE_STRING_PTR,
50 offsetof(rlm_krb5_t,keytab), NULL, NULL },
51 { "service_principal", PW_TYPE_STRING_PTR,
52 offsetof(rlm_krb5_t,service_princ), NULL, NULL },
53 { NULL, -1, 0, NULL, NULL }
57 static int verify_krb5_tgt(krb5_context context, rlm_krb5_t *instance,
58 const char *user, krb5_ccache ccache)
63 krb5_keyblock *keyblock = 0;
65 krb5_auth_context auth_context = NULL;
67 /* arbitrary 64-byte limit on service names; I've never seen a
68 service name this long, and hope never to. -srl */
69 char service[64] = "host";
70 char *servername = NULL;
72 if (instance->service_princ != NULL) {
73 servername = strchr(instance->service_princ, '/');
74 if (servername != NULL) {
78 strncpy(service,instance->service_princ,sizeof(service));
79 service[sizeof(service)-1] = '\0';
81 if (servername != NULL) {
87 memset(&packet, 0, sizeof packet);
88 if ((r = krb5_sname_to_principal(context, servername, service,
89 KRB5_NT_SRV_HST, &princ)))
91 radlog(L_DBG, "rlm_krb5: [%s] krb5_sname_to_principal failed: %s",
92 user, error_message(r));
93 return RLM_MODULE_REJECT;
96 strncpy(phost, krb5_princ_component(c, princ, 1)->data, BUFSIZ);
97 phost[BUFSIZ - 1] = '\0';
100 * Do we have host/<host> keys?
101 * (use default/configured keytab, kvno IGNORE_VNO to get the
102 * first match, and enctype is currently ignored anyhow.)
104 if ((r = krb5_kt_read_service_key(context, instance->keytab, princ, 0,
105 ENCTYPE_DES_CBC_MD5, &keyblock)))
107 /* Keytab or service key does not exist */
108 radlog(L_DBG, "rlm_krb5: verify_krb_v5_tgt: host key not found : %s",
110 return RLM_MODULE_OK;
113 krb5_free_keyblock(context, keyblock);
115 /* Talk to the kdc and construct the ticket. */
116 r = krb5_mk_req(context, &auth_context, 0, service, phost, NULL,
119 krb5_auth_con_free(context, auth_context);
120 auth_context = NULL; /* setup for rd_req */
124 radlog(L_DBG, "rlm_krb5: [%s] krb5_mk_req() failed: %s",
125 user, error_message(r));
126 r = RLM_MODULE_REJECT;
130 if (instance->keytab != NULL) {
131 r = krb5_kt_resolve(context, instance->keytab, &keytab);
134 if (instance->keytab == NULL || r) {
135 r = krb5_kt_default(context, &keytab);
138 /* Hmm? The keytab was just fine a second ago! */
140 radlog(L_AUTH, "rlm_krb5: [%s] krb5_kt_resolve failed: %s",
141 user, error_message(r));
142 r = RLM_MODULE_REJECT;
146 /* Try to use the ticket. */
147 r = krb5_rd_req(context, &auth_context, &packet, princ,
150 krb5_auth_con_free(context, auth_context);
152 krb5_kt_close(context, keytab);
155 radlog(L_AUTH, "rlm_krb5: [%s] krb5_rd_req() failed: %s",
156 user, error_message(r));
157 r = RLM_MODULE_REJECT;
164 krb5_free_data_contents(context, &packet);
170 static int krb5_instantiate(CONF_SECTION *conf, void **instance)
174 krb5_context *context;
176 data = rad_malloc(sizeof(*data));
178 memset(data, 0, sizeof(*data));
180 if (cf_section_parse(conf, data, module_config) < 0) {
185 context = data->context = rad_malloc(sizeof(*context));
187 if ((r = krb5_init_context(context)) ) {
188 radlog(L_AUTH, "rlm_krb5: krb5_init failed: %s",
193 radlog(L_AUTH, "rlm_krb5: krb5_init ok");
201 static int krb5_detach(void *instance)
203 free(((rlm_krb5_t *)instance)->context);
208 /* validate userid/passwd */
211 static int krb5_auth(void *instance, REQUEST *request)
215 krb5_data tgtname = {
222 char cache_name[L_tmpnam + 8];
224 krb5_context context = *((rlm_krb5_t *)instance)->context; /* copy data */
225 const char *user, *pass;
228 * We can only authenticate user requests which HAVE
229 * a User-Name attribute.
231 if (!request->username) {
232 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Name\" is required for authentication.");
233 return RLM_MODULE_INVALID;
237 * We can only authenticate user requests which HAVE
238 * a User-Password attribute.
240 if (!request->password) {
241 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication.");
242 return RLM_MODULE_INVALID;
246 * Ensure that we're being passed a plain-text password,
247 * and not anything else.
249 if (request->password->attribute != PW_PASSWORD) {
250 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
251 return RLM_MODULE_INVALID;
257 user = request->username->strvalue;
258 pass = request->password->strvalue;
260 /* Generate a unique cache_name */
261 memset(cache_name, 0, sizeof(cache_name));
262 strcpy(cache_name, "MEMORY:");
263 (void) tmpnam(&cache_name[7]);
265 if ((r = krb5_cc_resolve(context, cache_name, &ccache))) {
266 radlog(L_AUTH, "rlm_krb5: [%s] krb5_cc_resolve(): %s",
267 user, error_message(r));
268 return RLM_MODULE_REJECT;
272 * Actually perform the authentication
274 memset((char *)&kcreds, 0, sizeof(kcreds));
276 if ( (r = krb5_parse_name(context, user, &kcreds.client)) ) {
277 radlog(L_AUTH, "rlm_krb5: [%s] krb5_parse_name failed: %s",
278 user, error_message(r));
279 return RLM_MODULE_REJECT;
282 if ((r = krb5_cc_initialize(context, ccache, kcreds.client))) {
283 radlog(L_AUTH, "rlm_krb5: [%s] krb5_cc_initialize(): %s",
284 user, error_message(r));
285 return RLM_MODULE_REJECT;
289 * MIT krb5 verification
291 if ( (r = krb5_build_principal_ext(context, &kcreds.server,
292 krb5_princ_realm(context, kcreds.client)->length,
293 krb5_princ_realm(context, kcreds.client)->data,
296 krb5_princ_realm(context, kcreds.client)->length,
297 krb5_princ_realm(context, kcreds.client)->data,
299 radlog(L_AUTH, "rlm_krb5: [%s] krb5_build_principal_ext failed: %s",
300 user, error_message(r));
301 krb5_cc_destroy(context, ccache);
302 return RLM_MODULE_REJECT;
305 if ( (r = krb5_get_in_tkt_with_password(context,
306 0, NULL, NULL, NULL, pass, ccache, &kcreds, 0)) ) {
307 radlog(L_AUTH, "rlm_krb5: [%s] krb5_g_i_t_w_p failed: %s",
308 user, error_message(r));
309 krb5_free_cred_contents(context, &kcreds);
310 krb5_cc_destroy(context, ccache);
311 return RLM_MODULE_REJECT;
313 /* Now verify the KDC's identity. */
314 r = verify_krb5_tgt(context, (rlm_krb5_t *)instance, user, ccache);
315 krb5_free_cred_contents(context, &kcreds);
316 krb5_cc_destroy(context, ccache);
320 return RLM_MODULE_REJECT;
323 #else /* HEIMDAL_KRB5 */
325 /* validate user/pass, heimdal krb5 way */
326 static int krb5_auth(void *instance, REQUEST *request)
331 krb5_principal userP;
333 krb5_context context = *((rlm_krb5_t *)instance)->context; /* copy data */
334 const char *user, *pass;
337 * We can only authenticate user requests which HAVE
338 * a User-Name attribute.
340 if (!request->username) {
341 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Name\" is required for authentication.");
342 return RLM_MODULE_INVALID;
346 * We can only authenticate user requests which HAVE
347 * a User-Password attribute.
349 if (!request->password) {
350 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication.");
351 return RLM_MODULE_INVALID;
355 * Ensure that we're being passed a plain-text password,
356 * and not anything else.
358 if (request->password->attribute != PW_PASSWORD) {
359 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
360 return RLM_MODULE_INVALID;
366 user = request->username->strvalue;
367 pass = request->password->strvalue;
369 if ( (r = krb5_parse_name(context, user, &userP)) ) {
370 radlog(L_AUTH, "rlm_krb5: [%s] krb5_parse_name failed: %s",
371 user, error_message(r));
372 return RLM_MODULE_REJECT;
376 * Heimdal krb5 verification
378 radlog(L_AUTH, "rlm_krb5: Parsed name is: %s@%s\n",
379 *userP->name.name_string.val,
382 krb5_cc_default(context, &id);
384 ret = krb5_verify_user(context,
390 return RLM_MODULE_OK;
392 radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
394 *userP->name.name_string.val,
397 return RLM_MODULE_REJECT;
400 #endif /* HEIMDAL_KRB5 */
402 module_t rlm_krb5 = {
404 RLM_TYPE_THREAD_UNSAFE, /* type: not thread safe */
405 NULL, /* initialize */
406 krb5_instantiate, /* instantiation */
408 krb5_auth, /* authenticate */
409 NULL, /* authorize */
410 NULL, /* pre-accounting */
411 NULL, /* accounting */
412 NULL, /* checksimul */
413 NULL, /* pre-proxy */
414 NULL, /* post-proxy */
417 krb5_detach, /* detach */