From 22209cf03e0be5375295c4e8c7b5251b7a6f4fc1 Mon Sep 17 00:00:00 2001 From: reyk Date: Tue, 22 Apr 2014 11:06:22 +0000 Subject: [PATCH] Remove the kerberos login methods. --- libexec/login_krb5/login_krb5.8 | 112 ---------------- libexec/login_krb5/login_krb5.c | 230 -------------------------------- 2 files changed, 342 deletions(-) delete mode 100644 libexec/login_krb5/login_krb5.8 delete mode 100644 libexec/login_krb5/login_krb5.c diff --git a/libexec/login_krb5/login_krb5.8 b/libexec/login_krb5/login_krb5.8 deleted file mode 100644 index 6c4a6a1458f..00000000000 --- a/libexec/login_krb5/login_krb5.8 +++ /dev/null @@ -1,112 +0,0 @@ -.\" $OpenBSD: login_krb5.8,v 1.18 2012/06/01 01:43:19 dlg Exp $ -.\" -.\" Copyright (c) 2000 Todd C. Miller -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 1 2012 $ -.Dt LOGIN_KRB5 8 -.Os -.Sh NAME -.Nm login_krb5 -.Nd provide KerberosV authentication type -.Sh SYNOPSIS -.Nm login_krb5 -.Bk -words -.Op Fl s Ar service -.Op Fl v Ar login Ns = Ns Li yes Ns | Ns Li no -.Op Fl v Ar notickets Ns = Ns Li yes Ns | Ns Li no -.Op Fl v Ar invokinguser Ns = Ns Ar user -.Ar user -.Op Ar class -.Ek -.Sh DESCRIPTION -The -.Nm -utility implements the KerberosV authentication mechanism. -It is called by -.Xr login 1 , -.Xr su 1 , -.Xr ftpd 8 , -and others to authenticate the -.Ar user -with KerberosV. -.Pp -The -.Ar user -argument is the user's name to be authenticated. -.Pp -The -.Ar service -argument specifies which protocol to use with the -invoking program. -The allowed protocols are -.Em login , -.Em challenge , -and -.Em response . -(The -.Em challenge -protocol is silently ignored but will report success as KerberosV -authentication is not challenge-response based). -.Pp -If -.Ar invokinguser -is set and the -.Ar user -argument is root, the principal -invokinguser/root will be used for authentication. -.Pp -If the -.Ar notickets -argument is equal to -.Dq no , -the default value, and the -.Ar login -argument is equal to -.Dq yes , -then the ticket will be saved in a credentials cache. -.Pp -The -.Ar class -argument is ignored for compatibility with other login scripts. -.Pp -.Nm -will prompt the user for a password and report back to the -invoking program whether or not the authentication was -successful. -.Sh LOGIN.CONF VARIABLES -The -.Nm -utility uses the following krb5-specific -.Pa /etc/login.conf -variables: -.Bl -column "krb5-noverify" "bool" "Description" -.It Sy Name Ta Sy Type Ta Sy Description -.It krb5-noverify Ta bool Ta -Failure to verify credentials against a local key is not considered a fatal -error. -.El -.Sh FILES -.Bl -tag -compact -width xetcxloginxconfxx -.It Pa /etc/login.conf -login configuration database -.El -.Sh SEE ALSO -.Xr login 1 , -.Xr passwd 1 , -.Xr su 1 , -.Xr login.conf 5 , -.Xr ftpd 8 , -.Xr kerberos 8 , -.Xr login_krb5-or-pwd 8 diff --git a/libexec/login_krb5/login_krb5.c b/libexec/login_krb5/login_krb5.c deleted file mode 100644 index 6f8f2835a7c..00000000000 --- a/libexec/login_krb5/login_krb5.c +++ /dev/null @@ -1,230 +0,0 @@ -/* $OpenBSD: login_krb5.c,v 1.27 2013/06/21 13:35:26 ajacoutot Exp $ */ - -/*- - * Copyright (c) 2001, 2002 Hans Insulander . - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "common.h" - -#include - -krb5_error_code ret; -krb5_context context; -krb5_ccache ccache; -krb5_principal princ; - -char *__progname; - -static void -krb5_syslog(krb5_context context, int level, krb5_error_code code, char *fmt, ...) -{ - va_list ap; - char buf[256]; - const char *s = krb5_get_error_message(context, code); - - va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), fmt, ap); - va_end(ap); - syslog(level, "%s: %s", buf, s); - krb5_free_error_message(context, s); -} - -static void -store_tickets(struct passwd *pwd, int ticket_newfiles, int ticket_store, - int token_install) -{ - char cc_file[MAXPATHLEN]; - krb5_ccache ccache_store; -#ifdef KRB524 - int get_krb4_ticket = 0; - char krb4_ticket_file[MAXPATHLEN]; -#endif - - if (ticket_newfiles) - snprintf(cc_file, sizeof(cc_file), "FILE:/tmp/krb5cc_%d", - pwd->pw_uid); - else - snprintf(cc_file, sizeof(cc_file), "%s", - krb5_cc_default_name(context)); - - if (ticket_store) { - ret = krb5_cc_resolve(context, cc_file, &ccache_store); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, - "krb5_cc_resolve"); - exit(1); - } - - ret = krb5_cc_copy_cache(context, ccache, ccache_store); - if (ret != 0) - krb5_syslog(context, LOG_ERR, ret, - "krb5_cc_copy_cache"); - - chown(krb5_cc_get_name(context, ccache_store), - pwd->pw_uid, pwd->pw_gid); - - fprintf(back, BI_SETENV " KRB5CCNAME %s:%s\n", - krb5_cc_get_type(context, ccache_store), - krb5_cc_get_name(context, ccache_store)); - -#ifdef KRB524 - get_krb4_ticket = krb5_config_get_bool_default (context, - NULL, get_krb4_ticket, "libdefaults", - "krb4_get_tickets", NULL); - if (get_krb4_ticket) { - CREDENTIALS c; - krb5_creds cred; - krb5_cc_cursor cursor; - - ret = krb5_cc_start_seq_get(context, ccache, &cursor); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, - "start seq"); - exit(1); - } - - ret = krb5_cc_next_cred(context, ccache, - &cursor, &cred); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, - "next cred"); - exit(1); - } - - ret = krb5_cc_end_seq_get(context, ccache, - &cursor); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, - "end seq"); - exit(1); - } - - ret = krb524_convert_creds_kdc_ccache(context, ccache, - &cred, &c); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, - "convert"); - } else { - snprintf(krb4_ticket_file, - sizeof(krb4_ticket_file), - "%s%d", TKT_ROOT, pwd->pw_uid); - krb_set_tkt_string(krb4_ticket_file); - tf_setup(&c, c.pname, c.pinst); - chown(krb4_ticket_file, - pwd->pw_uid, pwd->pw_gid); - } - } -#endif - } - - /* Need to chown the ticket file */ -#ifdef KRB524 - if (get_krb4_ticket) - fprintf(back, BI_SETENV " KRBTKFILE %s\n", - krb4_ticket_file); -#endif -} - -int -krb5_login(char *username, char *invokinguser, char *password, int login, - int tickets, char *class) -{ - login_cap_t *lc; - int return_code = AUTH_FAILED; - int noverify = 0; - - if (username == NULL || password == NULL) - return (AUTH_FAILED); - - if (strcmp(__progname, "krb5-or-pwd") == 0 && - strcmp(username,"root") == 0 && invokinguser[0] == '\0') - return (AUTH_FAILED); - - lc = login_getclass(class); - if (lc != NULL) - noverify = login_getcapbool(lc, "krb5-noverify", noverify); - - ret = krb5_init_context(&context); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, "krb5_init_context"); - exit(1); - } - - ret = krb5_cc_new_unique(context, krb5_mcc_ops.prefix, NULL, &ccache); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, "krb5_cc_new_unique"); - exit(1); - } - - if (strcmp(username, "root") == 0 && invokinguser[0] != '\0') { - char *tmp; - - ret = asprintf(&tmp, "%s/root", invokinguser); - if (ret == -1) { - krb5_syslog(context, LOG_ERR, ret, "asprintf"); - exit(1); - } - ret = krb5_parse_name(context, tmp, &princ); - free(tmp); - } else - ret = krb5_parse_name(context, username, &princ); - if (ret != 0) { - krb5_syslog(context, LOG_ERR, ret, "krb5_parse_name"); - exit(1); - } - - ret = krb5_verify_user_lrealm(context, princ, ccache, - password, !noverify, NULL); - - switch (ret) { - case 0: { - struct passwd *pwd; - - pwd = getpwnam(username); - if (pwd == NULL) { - krb5_syslog(context, LOG_ERR, ret, - "%s: no such user", username); - return (AUTH_FAILED); - } - fprintf(back, BI_AUTH "\n"); - store_tickets(pwd, login && tickets, login && tickets, login); - return_code = AUTH_OK; - break; - } - case KRB5KRB_AP_ERR_MODIFIED: - /* XXX syslog here? */ - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - break; - default: - krb5_syslog(context, LOG_ERR, ret, "verify"); - break; - } - - krb5_free_principal(context, princ); - krb5_cc_close(context, ccache); - krb5_free_context(context); - - return (return_code); -} -- 2.20.1