2 * rlm_krb5.c module to authenticate against krb5
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000,2006 The FreeRADIUS server project
21 * Copyright 2000 Nathan Neulinger <nneul@umr.edu>
22 * Copyright 2000 Alan DeKok <aland@ox.org>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
35 typedef struct rlm_krb5_t {
37 const char *service_princ;
38 krb5_context *context;
41 static const CONF_PARSER module_config[] = {
42 { "keytab", PW_TYPE_STRING_PTR,
43 offsetof(rlm_krb5_t,keytab), NULL, NULL },
44 { "service_principal", PW_TYPE_STRING_PTR,
45 offsetof(rlm_krb5_t,service_princ), NULL, NULL },
46 { NULL, -1, 0, NULL, NULL }
50 static int verify_krb5_tgt(krb5_context context, rlm_krb5_t *instance,
51 const char *user, krb5_ccache ccache)
56 krb5_keyblock *keyblock = 0;
58 krb5_auth_context auth_context = NULL;
60 /* arbitrary 64-byte limit on service names; I've never seen a
61 service name this long, and hope never to. -srl */
62 char service[64] = "host";
63 char *servername = NULL;
65 if (instance->service_princ != NULL) {
66 servername = strchr(instance->service_princ, '/');
67 if (servername != NULL) {
71 strlcpy(service,instance->service_princ,sizeof(service));
72 service[sizeof(service)-1] = '\0';
74 if (servername != NULL) {
80 memset(&packet, 0, sizeof packet);
81 if ((r = krb5_sname_to_principal(context, servername, service,
82 KRB5_NT_SRV_HST, &princ)))
84 radlog(L_DBG, "rlm_krb5: [%s] krb5_sname_to_principal failed: %s",
85 user, error_message(r));
86 return RLM_MODULE_REJECT;
89 strlcpy(phost, krb5_princ_component(c, princ, 1)->data, BUFSIZ);
90 phost[BUFSIZ - 1] = '\0';
93 * Do we have host/<host> keys?
94 * (use default/configured keytab, kvno IGNORE_VNO to get the
95 * first match, and enctype is currently ignored anyhow.)
97 if ((r = krb5_kt_read_service_key(context, instance->keytab, princ, 0,
98 ENCTYPE_DES_CBC_MD5, &keyblock)))
100 /* Keytab or service key does not exist */
101 radlog(L_DBG, "rlm_krb5: verify_krb_v5_tgt: host key not found : %s",
103 return RLM_MODULE_OK;
106 krb5_free_keyblock(context, keyblock);
108 /* Talk to the kdc and construct the ticket. */
109 r = krb5_mk_req(context, &auth_context, 0, service, phost, NULL,
112 krb5_auth_con_free(context, auth_context);
113 auth_context = NULL; /* setup for rd_req */
117 radlog(L_DBG, "rlm_krb5: [%s] krb5_mk_req() failed: %s",
118 user, error_message(r));
119 r = RLM_MODULE_REJECT;
123 if (instance->keytab != NULL) {
124 r = krb5_kt_resolve(context, instance->keytab, &keytab);
127 if (instance->keytab == NULL || r) {
128 r = krb5_kt_default(context, &keytab);
131 /* Hmm? The keytab was just fine a second ago! */
133 radlog(L_AUTH, "rlm_krb5: [%s] krb5_kt_resolve failed: %s",
134 user, error_message(r));
135 r = RLM_MODULE_REJECT;
139 /* Try to use the ticket. */
140 r = krb5_rd_req(context, &auth_context, &packet, princ,
143 krb5_auth_con_free(context, auth_context);
145 krb5_kt_close(context, keytab);
148 radlog(L_AUTH, "rlm_krb5: [%s] krb5_rd_req() failed: %s",
149 user, error_message(r));
150 r = RLM_MODULE_REJECT;
157 krb5_free_data_contents(context, &packet);
163 static int krb5_instantiate(CONF_SECTION *conf, void **instance)
167 krb5_context *context;
169 data = rad_malloc(sizeof(*data));
171 memset(data, 0, sizeof(*data));
173 if (cf_section_parse(conf, data, module_config) < 0) {
178 context = data->context = rad_malloc(sizeof(*context));
180 if ((r = krb5_init_context(context)) ) {
181 radlog(L_AUTH, "rlm_krb5: krb5_init failed: %s",
186 radlog(L_AUTH, "rlm_krb5: krb5_init ok");
194 static int krb5_detach(void *instance)
196 free(((rlm_krb5_t *)instance)->context);
201 /* validate userid/passwd */
204 static int krb5_auth(void *instance, REQUEST *request)
208 krb5_data tgtname = {
215 char cache_name[L_tmpnam + 8];
217 krb5_context context = *((rlm_krb5_t *)instance)->context; /* copy data */
218 const char *user, *pass;
221 * We can only authenticate user requests which HAVE
222 * a User-Name attribute.
224 if (!request->username) {
225 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Name\" is required for authentication.");
226 return RLM_MODULE_INVALID;
230 * We can only authenticate user requests which HAVE
231 * a User-Password attribute.
233 if (!request->password) {
234 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication.");
235 return RLM_MODULE_INVALID;
239 * Ensure that we're being passed a plain-text password,
240 * and not anything else.
242 if (request->password->attribute != PW_USER_PASSWORD) {
243 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
244 return RLM_MODULE_INVALID;
250 user = request->username->vp_strvalue;
251 pass = request->password->vp_strvalue;
253 /* Generate a unique cache_name */
254 memset(cache_name, 0, sizeof(cache_name));
255 strcpy(cache_name, "MEMORY:");
256 (void) tmpnam(&cache_name[7]);
258 if ((r = krb5_cc_resolve(context, cache_name, &ccache))) {
259 radlog(L_AUTH, "rlm_krb5: [%s] krb5_cc_resolve(): %s",
260 user, error_message(r));
261 return RLM_MODULE_REJECT;
265 * Actually perform the authentication
267 memset((char *)&kcreds, 0, sizeof(kcreds));
269 if ( (r = krb5_parse_name(context, user, &kcreds.client)) ) {
270 radlog(L_AUTH, "rlm_krb5: [%s] krb5_parse_name failed: %s",
271 user, error_message(r));
272 return RLM_MODULE_REJECT;
275 if ((r = krb5_cc_initialize(context, ccache, kcreds.client))) {
276 radlog(L_AUTH, "rlm_krb5: [%s] krb5_cc_initialize(): %s",
277 user, error_message(r));
278 return RLM_MODULE_REJECT;
282 * MIT krb5 verification
284 if ( (r = krb5_build_principal_ext(context, &kcreds.server,
285 krb5_princ_realm(context, kcreds.client)->length,
286 krb5_princ_realm(context, kcreds.client)->data,
289 krb5_princ_realm(context, kcreds.client)->length,
290 krb5_princ_realm(context, kcreds.client)->data,
292 radlog(L_AUTH, "rlm_krb5: [%s] krb5_build_principal_ext failed: %s",
293 user, error_message(r));
294 krb5_cc_destroy(context, ccache);
295 return RLM_MODULE_REJECT;
298 if ( (r = krb5_get_in_tkt_with_password(context,
299 0, NULL, NULL, NULL, pass, ccache, &kcreds, 0)) ) {
300 radlog(L_AUTH, "rlm_krb5: [%s] krb5_g_i_t_w_p failed: %s",
301 user, error_message(r));
302 krb5_free_cred_contents(context, &kcreds);
303 krb5_cc_destroy(context, ccache);
304 return RLM_MODULE_REJECT;
306 /* Now verify the KDC's identity. */
307 r = verify_krb5_tgt(context, (rlm_krb5_t *)instance, user, ccache);
308 krb5_free_cred_contents(context, &kcreds);
309 krb5_cc_destroy(context, ccache);
313 return RLM_MODULE_REJECT;
316 #else /* HEIMDAL_KRB5 */
318 /* validate user/pass, heimdal krb5 way */
319 static int krb5_auth(void *instance, REQUEST *request)
324 krb5_principal userP;
326 krb5_context context = *((rlm_krb5_t *)instance)->context; /* copy data */
327 const char *user, *pass;
330 * We can only authenticate user requests which HAVE
331 * a User-Name attribute.
333 if (!request->username) {
334 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Name\" is required for authentication.");
335 return RLM_MODULE_INVALID;
339 * We can only authenticate user requests which HAVE
340 * a User-Password attribute.
342 if (!request->password) {
343 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication.");
344 return RLM_MODULE_INVALID;
348 * Ensure that we're being passed a plain-text password,
349 * and not anything else.
351 if (request->password->attribute != PW_USER_PASSWORD) {
352 radlog(L_AUTH, "rlm_krb5: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
353 return RLM_MODULE_INVALID;
359 user = request->username->vp_strvalue;
360 pass = request->password->vp_strvalue;
362 if ( (r = krb5_parse_name(context, user, &userP)) ) {
363 radlog(L_AUTH, "rlm_krb5: [%s] krb5_parse_name failed: %s",
364 user, error_message(r));
365 return RLM_MODULE_REJECT;
369 * Heimdal krb5 verification
371 radlog(L_AUTH, "rlm_krb5: Parsed name is: %s@%s\n",
372 *userP->name.name_string.val,
375 krb5_cc_default(context, &id);
377 ret = krb5_verify_user(context,
383 return RLM_MODULE_OK;
385 radlog(L_AUTH, "rlm_krb5: failed verify_user: %s (%s@%s )",
387 *userP->name.name_string.val,
390 return RLM_MODULE_REJECT;
393 #endif /* HEIMDAL_KRB5 */
395 module_t rlm_krb5 = {
398 RLM_TYPE_THREAD_UNSAFE, /* type: not thread safe */
399 krb5_instantiate, /* instantiation */
400 krb5_detach, /* detach */
402 krb5_auth, /* authenticate */
403 NULL, /* authorize */
404 NULL, /* pre-accounting */
405 NULL, /* accounting */
406 NULL, /* checksimul */
407 NULL, /* pre-proxy */
408 NULL, /* post-proxy */