2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * @brief Authenticate users, retrieving their TGT from a Kerberos V5 TDC.
22 * @copyright 2000,2006,2012-2013 The FreeRADIUS server project
23 * @copyright 2013 Arran Cudbard-Bell <a.cudbardb@freeradius.org>
24 * @copyright 2000 Nathan Neulinger <nneul@umr.edu>
25 * @copyright 2000 Alan DeKok <aland@ox.org>
29 #include <freeradius-devel/radiusd.h>
30 #include <freeradius-devel/modules.h>
31 #include <freeradius-devel/rad_assert.h>
34 static const CONF_PARSER module_config[] = {
35 { "keytab", PW_TYPE_STRING_PTR, offsetof(rlm_krb5_t, keytabname), NULL, NULL },
36 { "service_principal", PW_TYPE_STRING_PTR, offsetof(rlm_krb5_t,service_princ), NULL, NULL },
37 { NULL, -1, 0, NULL, NULL }
40 static int krb5_detach(void *instance)
42 rlm_krb5_t *inst = instance;
45 talloc_free(inst->vic_options);
47 if (inst->gic_options) {
48 krb5_get_init_creds_opt_free(inst->context, inst->gic_options);
52 krb5_free_principal(inst->context, inst->server);
56 /* Don't free hostname, it's just a pointer into service_princ */
57 talloc_free(inst->service);
60 krb5_free_context(inst->context);
62 #ifdef KRB5_IS_THREAD_SAFE
63 fr_connection_pool_delete(inst->pool);
69 static int krb5_instantiate(CONF_SECTION *conf, void *instance)
71 rlm_krb5_t *inst = instance;
75 char keytab_name[200];
80 DEBUG("Using Heimdal Kerberos library");
82 DEBUG("Using MIT Kerberos library");
85 #ifndef KRB5_IS_THREAD_SAFE
86 if (!krb5_is_thread_safe()) {
87 DEBUGI("libkrb5 is not threadsafe, recompile it, and the server with thread support enabled");
88 WDEBUG("rlm_krb5 will run in single threaded mode, performance may be degraded");
90 WDEBUG("Build time libkrb5 was not threadsafe, but run time library claims to be");
91 WDEBUG("Reconfigure and recompile rlm_krb5 to enable thread support");
94 inst->xlat_name = cf_section_name2(conf);
95 if (!inst->xlat_name) {
96 inst->xlat_name = cf_section_name1(conf);
99 ret = krb5_init_context(&inst->context);
101 ERROR("rlm_krb5 (%s): context initialisation failed: %s", inst->xlat_name,
102 rlm_krb5_error(NULL, ret));
108 * Split service principal into service and host components
109 * they're needed to build the server principal in MIT,
110 * and to set the validation service in Heimdal.
112 if (inst->service_princ) {
114 /* Service principal appears to contain a host component */
115 inst->hostname = strchr(inst->service_princ, '/');
116 if (inst->hostname) {
117 len = (inst->hostname - inst->service_princ);
120 len = strlen(inst->service_princ);
124 inst->service = talloc_array(inst, char, (len + 1));
125 strlcpy(inst->service, inst->service_princ, len + 1);
130 if (inst->hostname) {
131 DEBUG("rlm_krb5 (%s): Ignoring hostname component of service principal \"%s\", not "
132 "needed/supported by Heimdal", inst->xlat_name, inst->hostname);
137 * Convert the service principal string to a krb5 principal.
139 ret = krb5_sname_to_principal(inst->context, inst->hostname, inst->service, KRB5_NT_SRV_HST, &(inst->server));
141 ERROR("rlm_krb5 (%s): Failed parsing service principal: %s", inst->xlat_name,
142 rlm_krb5_error(inst->context, ret));
147 ret = krb5_unparse_name(inst->context, inst->server, &princ_name);
150 ERROR("rlm_krb5 (%s): Failed constructing service principal string: %s", inst->xlat_name,
151 rlm_krb5_error(inst->context, ret));
157 * Not necessarily the same as the config item
159 DEBUG("rlm_krb5 (%s): Using service principal \"%s\"", inst->xlat_name, princ_name);
161 krb5_free_unparsed_name(inst->context, princ_name);
164 * Setup options for getting credentials and verifying them
167 /* For some reason the 'init' version of this function is deprecated */
168 ret = krb5_get_init_creds_opt_alloc(inst->context, &(inst->gic_options));
170 ERROR("rlm_krb5 (%s): Couldn't allocated inital credential options: %s", inst->xlat_name,
171 rlm_krb5_error(inst->context, ret));
177 * Perform basic checks on the keytab
179 ret = inst->keytabname ?
180 krb5_kt_resolve(inst->context, inst->keytabname, &keytab) :
181 krb5_kt_default(inst->context, &keytab);
183 ERROR("rlm_krb5 (%s): Resolving keytab failed: %s", inst->xlat_name,
184 rlm_krb5_error(inst->context, ret));
189 ret = krb5_kt_get_name(inst->context, keytab, keytab_name, sizeof(keytab_name));
190 krb5_kt_close(inst->context, keytab);
192 ERROR("rlm_krb5 (%s): Can't retrieve keytab name: %s", inst->xlat_name,
193 rlm_krb5_error(inst->context, ret));
198 DEBUG("rlm_krb5 (%s): Using keytab \"%s\"", inst->xlat_name, keytab_name);
200 MEM(inst->vic_options = talloc_zero(inst, krb5_verify_init_creds_opt));
201 krb5_verify_init_creds_opt_init(inst->vic_options);
204 #ifdef KRB5_IS_THREAD_SAFE
206 * Initialize the socket pool.
208 inst->pool = fr_connection_pool_init(conf, inst, mod_conn_create, NULL, mod_conn_delete, NULL);
213 inst->conn = mod_conn_create(inst);
221 /** Common function for transforming a User-Name string into a principal.
223 * @param[out] client Where to write the client principal.
224 * @param[in] request Current request.
225 * @param[in] context Kerberos context.
227 static rlm_rcode_t krb5_parse_user(krb5_principal *client, REQUEST *request, krb5_context context)
233 * We can only authenticate user requests which HAVE
234 * a User-Name attribute.
236 if (!request->username) {
237 REDEBUG("Attribute \"User-Name\" is required for authentication");
239 return RLM_MODULE_INVALID;
243 * We can only authenticate user requests which HAVE
244 * a User-Password attribute.
246 if (!request->password) {
247 REDEBUG("Attribute \"User-Password\" is required for authentication");
249 return RLM_MODULE_INVALID;
253 * Ensure that we're being passed a plain-text password,
254 * and not anything else.
256 if (request->password->da->attr != PW_USER_PASSWORD) {
257 REDEBUG("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".",
258 request->password->da->name);
260 return RLM_MODULE_INVALID;
263 ret = krb5_parse_name(context, request->username->vp_strvalue, client);
265 REDEBUG("Failed parsing username as principal: %s", rlm_krb5_error(context, ret));
267 return RLM_MODULE_FAIL;
270 krb5_unparse_name(context, *client, &princ_name);
271 RDEBUG("Using client principal \"%s\"", princ_name);
275 krb5_free_unparsed_name(context, princ_name);
277 return RLM_MODULE_OK;
283 * Validate user/pass (Heimdal)
285 static rlm_rcode_t krb5_auth(void *instance, REQUEST *request)
287 rlm_krb5_t *inst = instance;
291 rlm_krb5_handle_t *conn;
293 krb5_principal client;
295 #ifdef KRB5_IS_THREAD_SAFE
296 conn = fr_connection_get(inst->pool);
298 REDEBUG("All krb5 contexts are in use");
300 return RLM_MODULE_FAIL;
307 * Zero out local storage
309 memset(&client, 0, sizeof(client));
311 rcode = krb5_parse_user(&client, request, conn->context);
312 if (rcode != RLM_MODULE_OK) goto cleanup;
315 * Verify the user, using the options we set in instantiate
317 ret = krb5_verify_user_opt(conn->context, client, request->password->vp_strvalue, &conn->options);
320 case KRB5_LIBOS_BADPWDMATCH:
321 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
322 REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
323 rcode = RLM_MODULE_REJECT;
326 case KRB5KDC_ERR_KEY_EXP:
327 case KRB5KDC_ERR_CLIENT_REVOKED:
328 case KRB5KDC_ERR_SERVICE_REVOKED:
329 REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
330 rcode = RLM_MODULE_USERLOCK;
333 case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
334 RDEBUG("User not found: %s (%i)", ret, rlm_krb5_error(conn->context, ret));
335 rcode = RLM_MODULE_NOTFOUND;
338 REDEBUG("Error verifying credentials (%i): %s", ret, rlm_krb5_error(conn->context, ret));
339 rcode = RLM_MODULE_FAIL;
348 krb5_free_principal(conn->context, client);
351 #ifdef KRB5_IS_THREAD_SAFE
352 fr_connection_release(inst->pool, conn);
357 #else /* HEIMDAL_KRB5 */
360 * Validate userid/passwd (MIT)
362 static rlm_rcode_t krb5_auth(void *instance, REQUEST *request)
364 rlm_krb5_t *inst = instance;
368 rlm_krb5_handle_t *conn;
370 krb5_principal client;
371 krb5_creds init_creds;
372 char *password; /* compiler warnings */
374 rad_assert(inst->context);
376 #ifdef KRB5_IS_THREAD_SAFE
377 conn = fr_connection_get(inst->pool);
379 REDEBUG("All krb5 contexts are in use");
381 return RLM_MODULE_FAIL;
388 * Zero out local storage
390 memset(&client, 0, sizeof(client));
391 memset(&init_creds, 0, sizeof(init_creds));
394 * Check we have all the required VPs, and convert the username
397 rcode = krb5_parse_user(&client, request, conn->context);
398 if (rcode != RLM_MODULE_OK) goto cleanup;
401 * Retrieve the TGT from the TGS/KDC and check we can decrypt it.
403 memcpy(&password, &request->password->vp_strvalue, sizeof(password));
404 ret = krb5_get_init_creds_password(conn->context, &init_creds, client, password,
405 NULL, NULL, 0, NULL, inst->gic_options);
409 case KRB5_LIBOS_BADPWDMATCH:
410 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
411 REDEBUG("Provided password was incorrect (%i): %s", ret, rlm_krb5_error(conn->context, ret));
412 rcode = RLM_MODULE_REJECT;
415 case KRB5KDC_ERR_KEY_EXP:
416 case KRB5KDC_ERR_CLIENT_REVOKED:
417 case KRB5KDC_ERR_SERVICE_REVOKED:
418 REDEBUG("Account has been locked out (%i): %s", ret, rlm_krb5_error(conn->context, ret));
419 rcode = RLM_MODULE_USERLOCK;
422 case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
423 REDEBUG("User not found (%i): %s", ret, rlm_krb5_error(conn->context, ret));
424 rcode = RLM_MODULE_NOTFOUND;
428 REDEBUG("Error retrieving or verifying credentials (%i): %s", ret,
429 rlm_krb5_error(conn->context, ret));
430 rcode = RLM_MODULE_FAIL;
437 RDEBUG("Successfully retrieved and decrypted TGT");
439 ret = krb5_verify_init_creds(conn->context, &init_creds, inst->server, conn->keytab, NULL, inst->vic_options);
444 krb5_free_principal(conn->context, client);
446 krb5_free_cred_contents(conn->context, &init_creds);
448 #ifdef KRB5_IS_THREAD_SAFE
449 fr_connection_release(inst->pool, conn);
454 #endif /* MIT_KRB5 */
456 module_t rlm_krb5 = {
459 RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE
460 #ifdef KRB5_IS_THREAD_SAFE
461 | RLM_TYPE_THREAD_SAFE
466 krb5_instantiate, /* instantiation */
467 krb5_detach, /* detach */
469 krb5_auth, /* authenticate */
470 NULL, /* authorize */
471 NULL, /* pre-accounting */
472 NULL, /* accounting */
473 NULL, /* checksimul */
474 NULL, /* pre-proxy */
475 NULL, /* post-proxy */