authorAndrew Bartlett <abartlet@samba.org>2001-11-11 10:42:07 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-11-11 10:42:07 +0000
commit7de42a4faf74678c35b2013200466e75b1430524 (patch)
tree3a64d84033aa6deb8208e6b0b000bf0f633ae143
parent5d152d24a39386a7b595f9fc157d86dff38c39dc (diff)
Remove built-in support for clear-text kerberos authentication.
This should remove some confusion from the ./configure, but does not affect the 'real' kerberos support currently residing in smbd/sesssetup.c. This code is vulnerable to a spoofed KDC, and is best replaced by --with-pam and the pam_krb5 module. This module includes measures to prevent such spoofing. Andrew Bartlett (This used to be commit 3235880b41ee5dd5ef171195489fb9254f5d89b0)
-rw-r--r--source3/auth/pass_check.c126
-rw-r--r--source3/configure.in43
-rw-r--r--source3/passdb/pass_check.c126
3 files changed, 16 insertions, 279 deletions
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 44b3b9a237..77839e4bb0 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -26,7 +26,7 @@
/* these are kept here to keep the string_combinations function simple */
static fstring this_user;
-#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH))
+#if !defined(WITH_PAM)
static fstring this_salt;
static fstring this_crypted;
#endif
@@ -370,122 +370,6 @@ void dfs_unlogin(void)
}
#endif
-#ifdef KRB5_AUTH
-
-#include <krb5.h>
-
-/*******************************************************************
-check on Kerberos authentication
-********************************************************************/
-static BOOL krb5_auth(char *user, char *password)
-{
- krb5_data tgtname = {
- 0,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME
- };
- krb5_context kcontext;
- krb5_principal kprinc;
- krb5_principal server;
- krb5_creds kcreds;
- int options = 0;
- krb5_address **addrs = (krb5_address **) 0;
- krb5_preauthtype *preauth = NULL;
- krb5_keytab keytab = NULL;
- krb5_timestamp now;
- krb5_ccache ccache = NULL;
- int retval;
- char *name;
-
- if (retval = krb5_init_context(&kcontext))
- {
- return (False);
- }
-
- if (retval = krb5_timeofday(kcontext, &now))
- {
- return (False);
- }
-
- if (retval = krb5_cc_default(kcontext, &ccache))
- {
- return (False);
- }
-
- if (retval = krb5_parse_name(kcontext, user, &kprinc))
- {
- return (False);
- }
-
- ZERO_STRUCT(kcreds);
-
- kcreds.client = kprinc;
-
- if ((retval = krb5_build_principal_ext(kcontext, &server,
- krb5_princ_realm(kcontext,
- kprinc)->
- length,
- krb5_princ_realm(kcontext,
- kprinc)->data,
- tgtname.length, tgtname.data,
- krb5_princ_realm(kcontext,
- kprinc)->
- length,
- krb5_princ_realm(kcontext,
- kprinc)->data,
- 0)))
- {
- return (False);
- }
-
- kcreds.server = server;
-
- retval = krb5_get_in_tkt_with_password(kcontext,
- options,
- addrs,
- NULL,
- preauth,
- password, 0, &kcreds, 0);
-
- if (retval)
- {
- return (False);
- }
-
- return (True);
-}
-#endif /* KRB5_AUTH */
-
-#ifdef KRB4_AUTH
-#include <krb.h>
-
-/*******************************************************************
-check on Kerberos authentication
-********************************************************************/
-static BOOL krb4_auth(char *user, char *password)
-{
- char realm[REALM_SZ];
- char tkfile[MAXPATHLEN];
-
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- {
- (void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1);
- }
-
- (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d",
- (int)sys_getpid());
-
- krb_set_tkt_string(tkfile);
- if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS)
- {
- unlink(tkfile);
- return 1;
- }
- unlink(tkfile);
- return 0;
-}
-#endif /* KRB4_AUTH */
-
#ifdef LINUX_BIGCRYPT
/****************************************************************************
an enhanced crypt for Linux to handle password longer than 8 characters
@@ -602,10 +486,6 @@ static NTSTATUS password_check(char *password)
{
#ifdef WITH_PAM
return smb_pam_passcheck(this_user, password);
-#elif defined(KRB5_AUTH)
- return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK;
-#elif defined(KRB4_AUTH)
- return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK;
#else
BOOL ret;
@@ -729,7 +609,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
if (((!*password) || (!pwlen)) && !lp_null_passwords())
return NT_STATUS_LOGON_FAILURE;
-#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)
+#if defined(WITH_PAM)
/*
* If we're using PAM we want to short-circuit all the
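Review bot: The new guard `#if defined(WITH_PAM)` mixes spellings with `#ifdef WITH_PAM` in password_check (the hunk at -602 in this file) and with `#if !defined(WITH_PAM)` around the salt/crypted statics at line 26, so three guards on the same single macro now read three different ways. With only one macro left after this commit, `#ifdef WITH_PAM` here and `#ifndef WITH_PAM` at line 26 would be the simpler consistent form, and the trailing `#endif /* defined(WITH_PAM) */` in the next hunk would then read `#endif /* WITH_PAM */`. pass_check begins and ends outside this hunk, so I cannot see whether the short-circuit block has other exits that this guard change affects. The same point applies to the identical hunks in source3/passdb/pass_check.c, whose index line matches this file's and which therefore appears to be a verbatim copy; keeping two copies of the authentication path in sync by hand is itself worth a comment in one of them.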
@@ -834,7 +714,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
}
}
-#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */
+#endif /* defined(WITH_PAM) */
/* try it as it came to us */
nt_status = password_check(password);
diff --git a/source3/configure.in b/source3/configure.in
index 134b7ec6af..39a0a97c6e 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -1542,10 +1542,10 @@ AC_ARG_WITH(smbwrapper,
)
#################################################
-# check for the AFS filesystem
-AC_MSG_CHECKING(whether to use AFS)
+# check for AFS clear-text auth support
+AC_MSG_CHECKING(whether to use AFS clear-text auth)
AC_ARG_WITH(afs,
-[ --with-afs Include AFS support (default=no) ],
+[ --with-afs Include AFS clear-text auth support (default=no) ],
[ case "$withval" in
yes)
AC_MSG_RESULT(yes)
@@ -1560,10 +1560,10 @@ AC_ARG_WITH(afs,
#################################################
-# check for the DFS auth system
-AC_MSG_CHECKING(whether to use DFS auth)
+# check for the DFS clear-text auth system
+AC_MSG_CHECKING(whether to use DFS clear-text auth)
AC_ARG_WITH(dfs,
-[ --with-dce-dfs Include DCE/DFS support (default=no)],
+[ --with-dce-dfs Include DCE/DFS clear-text auth support (default=no)],
[ case "$withval" in
yes)
AC_MSG_RESULT(yes)
@@ -1576,41 +1576,18 @@ AC_ARG_WITH(dfs,
AC_MSG_RESULT(no)
)
-#################################################
-# check for Kerberos IV auth system
-AC_MSG_CHECKING(whether to use Kerberos IV)
-AC_ARG_WITH(krb4,
-[ --with-krb4=base-dir Include Kerberos IV support (default=no)],
-[ case "$withval" in
- yes)
- AC_MSG_RESULT(yes)
- AC_DEFINE(KRB4_AUTH)
- LIBS="$LIBS -lkrb -ldes"
- CFLAGS="$CFLAGS -I$withval/include"
- LDFLAGS="$LDFLAGS -L$withval/lib"
- AC_DEFINE_UNQUOTED(KRB4_DIR, ${withval})
- ;;
- *)
- AC_MSG_RESULT(no)
- ;;
- esac ],
- AC_MSG_RESULT(no)
-)
-
-
#################################################
# check for location of Kerberos 5 install
AC_MSG_CHECKING(for kerberos 5 install path)
AC_ARG_WITH(krb5,
-[ --with-krb5=base-dir Include Kerberos 5 support (default=no)],
+[ --with-krb5=base-dir Locate Kerberos 5 support (default=/usr)],
[ case "$withval" in
no)
AC_MSG_RESULT(no)
;;
*)
AC_MSG_RESULT(yes)
- AC_DEFINE(KRB5_AUTH)
LIBS="$LIBS -lkrb5"
CFLAGS="$CFLAGS -I$withval/include"
LDFLAGS="$LDFLAGS -L$withval/lib"
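Review bot: The new help text advertises `(default=/usr)`, but nothing in this hunk substitutes /usr: a bare `--with-krb5` sets `withval=yes`, which falls into the `*)` branch and yields `-Iyes/include` and `-Lyes/lib`, unless a default is assigned somewhere outside the hunk. Mapping the bare form explicitly at the top of the `*)` branch, `test "x$withval" = xyes && withval=/usr`, before the CFLAGS/LDFLAGS lines would make the code match the documentation. With `AC_DEFINE(KRB5_AUTH)` removed this option now only adds the library and include/lib paths, which matches the commit message, so a comment above AC_ARG_WITH such as `# locates libkrb5 only; no clear-text KDC authentication is enabled here` would stop readers from expecting the old behaviour. The AC_ARG_WITH(krb5, ...) block continues past the end of the hunk.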
@@ -1680,11 +1657,11 @@ AC_ARG_WITH(smbmount,
#################################################
-# check for a PAM password database
+# check for a PAM clear-text auth, accounts, password and session support
with_pam_for_crypt=no
-AC_MSG_CHECKING(whether to use PAM password database)
+AC_MSG_CHECKING(whether to use PAM)
AC_ARG_WITH(pam,
-[ --with-pam Include PAM password database support (default=no)],
+[ --with-pam Include PAM support (default=no)],
[ case "$withval" in
yes)
AC_MSG_RESULT(yes)
diff --git a/source3/passdb/pass_check.c b/source3/passdb/pass_check.c
index 44b3b9a237..77839e4bb0 100644
--- a/source3/passdb/pass_check.c
+++ b/source3/passdb/pass_check.c
@@ -26,7 +26,7 @@
/* these are kept here to keep the string_combinations function simple */
static fstring this_user;
-#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH))
+#if !defined(WITH_PAM)
static fstring this_salt;
static fstring this_crypted;
#endif
@@ -370,122 +370,6 @@ void dfs_unlogin(void)
}
#endif
-#ifdef KRB5_AUTH
-
-#include <krb5.h>
-
-/*******************************************************************
-check on Kerberos authentication
-********************************************************************/
-static BOOL krb5_auth(char *user, char *password)
-{
- krb5_data tgtname = {
- 0,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME
- };
- krb5_context kcontext;
- krb5_principal kprinc;
- krb5_principal server;
- krb5_creds kcreds;
- int options = 0;
- krb5_address **addrs = (krb5_address **) 0;
- krb5_preauthtype *preauth = NULL;
- krb5_keytab keytab = NULL;
- krb5_timestamp now;
- krb5_ccache ccache = NULL;
- int retval;
- char *name;
-
- if (retval = krb5_init_context(&kcontext))
- {
- return (False);
- }
-
- if (retval = krb5_timeofday(kcontext, &now))
- {
- return (False);
- }
-
- if (retval = krb5_cc_default(kcontext, &ccache))
- {
- return (False);
- }
-
- if (retval = krb5_parse_name(kcontext, user, &kprinc))
- {
- return (False);
- }
-
- ZERO_STRUCT(kcreds);
-
- kcreds.client = kprinc;
-
- if ((retval = krb5_build_principal_ext(kcontext, &server,
- krb5_princ_realm(kcontext,
- kprinc)->
- length,
- krb5_princ_realm(kcontext,
- kprinc)->data,
- tgtname.length, tgtname.data,
- krb5_princ_realm(kcontext,
- kprinc)->
- length,
- krb5_princ_realm(kcontext,
- kprinc)->data,
- 0)))
- {
- return (False);
- }
-
- kcreds.server = server;
-
- retval = krb5_get_in_tkt_with_password(kcontext,
- options,
- addrs,
- NULL,
- preauth,
- password, 0, &kcreds, 0);
-
- if (retval)
- {
- return (False);
- }
-
- return (True);
-}
-#endif /* KRB5_AUTH */
-
-#ifdef KRB4_AUTH
-#include <krb.h>
-
-/*******************************************************************
-check on Kerberos authentication
-********************************************************************/
-static BOOL krb4_auth(char *user, char *password)
-{
- char realm[REALM_SZ];
- char tkfile[MAXPATHLEN];
-
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- {
- (void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1);
- }
-
- (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d",
- (int)sys_getpid());
-
- krb_set_tkt_string(tkfile);
- if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS)
- {
- unlink(tkfile);
- return 1;
- }
- unlink(tkfile);
- return 0;
-}
-#endif /* KRB4_AUTH */
-
#ifdef LINUX_BIGCRYPT
/****************************************************************************
an enhanced crypt for Linux to handle password longer than 8 characters
@@ -602,10 +486,6 @@ static NTSTATUS password_check(char *password)
{
#ifdef WITH_PAM
return smb_pam_passcheck(this_user, password);
-#elif defined(KRB5_AUTH)
- return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK;
-#elif defined(KRB4_AUTH)
- return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK;
#else
BOOL ret;
@@ -729,7 +609,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
if (((!*password) || (!pwlen)) && !lp_null_passwords())
return NT_STATUS_LOGON_FAILURE;
-#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)
+#if defined(WITH_PAM)
/*
* If we're using PAM we want to short-circuit all the
@@ -834,7 +714,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
}
}
-#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */
+#endif /* defined(WITH_PAM) */
/* try it as it came to us */
nt_status = password_check(password);