From 7de42a4faf74678c35b2013200466e75b1430524 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 10:42:07 +0000 Subject: Remove built-in support for clear-text kerberos authentication. This should remove some confusion from the ./configure, but does not affect the 'real' kerberos support currently residing in smbd/sesssetup.c. This code is vunerable to a spoofed KDC, and is best replaced by --with-pam and the pam_krb5 module. This module includes measures to prevent such spoofing. Andrew Bartlett (This used to be commit 3235880b41ee5dd5ef171195489fb9254f5d89b0) --- source3/auth/pass_check.c | 126 ++------------------------------------------ source3/configure.in | 43 ++++----------- source3/passdb/pass_check.c | 126 ++------------------------------------------ 3 files changed, 16 insertions(+), 279 deletions(-) diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index 44b3b9a237..77839e4bb0 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c @@ -26,7 +26,7 @@ /* these are kept here to keep the string_combinations function simple */ static fstring this_user; -#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)) +#if !defined(WITH_PAM) static fstring this_salt; static fstring this_crypted; #endif 
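Review bot: The hunk at line 26 of source3/auth/pass_check.c is applied byte-for-byte again to source3/passdb/pass_check.c, and both file headers carry the same blob ids 44b3b9a237..77839e4bb0, so the tree appears to hold two identical copies of this file and every authentication fix has to land twice. Until one copy is removed, a later change to password_check() or pass_check() in one copy will silently miss the other, which is the kind of drift that leaves an unpatched credential path behind. A comment at the top of each copy such as `/* NOTE: duplicated as source3/passdb/pass_check.c -- keep both copies in sync */` would at least make the duplication visible to the next editor. The preamble does not say which copy the build actually compiles, so this may be a transitional state; if so it is worth recording where the canonical copy lives.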
@@ -370,122 +370,6 @@ void dfs_unlogin(void) } #endif -#ifdef KRB5_AUTH - -#include - -/******************************************************************* -check on Kerberos authentication -********************************************************************/ -static BOOL krb5_auth(char *user, char *password) -{ - krb5_data tgtname = { - 0, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME - }; - krb5_context kcontext; - krb5_principal kprinc; - krb5_principal server; - krb5_creds kcreds; - int options = 0; - krb5_address **addrs = (krb5_address **) 0; - krb5_preauthtype *preauth = NULL; - krb5_keytab keytab = NULL; - krb5_timestamp now; - krb5_ccache ccache = NULL; - int retval; - char *name; - - if (retval = krb5_init_context(&kcontext)) - { - return (False); - } - - if (retval = krb5_timeofday(kcontext, &now)) - { - return (False); - } - - if (retval = krb5_cc_default(kcontext, &ccache)) - { - return (False); - } - - if (retval = krb5_parse_name(kcontext, user, &kprinc)) - { - return (False); - } - - ZERO_STRUCT(kcreds); - - kcreds.client = kprinc; - - if ((retval = krb5_build_principal_ext(kcontext, &server, - krb5_princ_realm(kcontext, - kprinc)-> - length, - krb5_princ_realm(kcontext, - kprinc)->data, - tgtname.length, tgtname.data, - krb5_princ_realm(kcontext, - kprinc)-> - length, - krb5_princ_realm(kcontext, - kprinc)->data, - 0))) - { - return (False); - } - - kcreds.server = server; - - retval = krb5_get_in_tkt_with_password(kcontext, - options, - addrs, - NULL, - preauth, - password, 0, &kcreds, 0); - - if (retval) - { - return (False); - } - - return (True); -} -#endif /* KRB5_AUTH */ - -#ifdef KRB4_AUTH -#include - -/******************************************************************* -check on Kerberos authentication -********************************************************************/ -static BOOL krb4_auth(char *user, char *password) -{ - char realm[REALM_SZ]; - char tkfile[MAXPATHLEN]; - - if (krb_get_lrealm(realm, 1) != KSUCCESS) - { - 
(void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1); - } - - (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", - (int)sys_getpid()); - - krb_set_tkt_string(tkfile); - if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS) - { - unlink(tkfile); - return 1; - } - unlink(tkfile); - return 0; -} -#endif /* KRB4_AUTH */ - #ifdef LINUX_BIGCRYPT /**************************************************************************** an enhanced crypt for Linux to handle password longer than 8 characters @@ -602,10 +486,6 @@ static NTSTATUS password_check(char *password) { #ifdef WITH_PAM return smb_pam_passcheck(this_user, password); -#elif defined(KRB5_AUTH) - return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; -#elif defined(KRB4_AUTH) - return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; #else BOOL ret; @@ -729,7 +609,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return NT_STATUS_LOGON_FAILURE; -#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) +#if defined(WITH_PAM) /* * If we're using PAM we want to short-circuit all the @@ -834,7 +714,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, } } -#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */ +#endif /* defined(WITH_PAM) */ /* try it as it came to us */ nt_status = password_check(password); diff --git a/source3/configure.in b/source3/configure.in index 134b7ec6af..39a0a97c6e 100644 --- a/source3/configure.in +++ b/source3/configure.in 
@@ -1542,10 +1542,10 @@ AC_ARG_WITH(smbwrapper, ) ################################################# -# check for the AFS filesystem -AC_MSG_CHECKING(whether to use AFS) +# check for AFS clear-text auth support +AC_MSG_CHECKING(whether to use AFS clear-text auth) AC_ARG_WITH(afs, -[ --with-afs Include AFS support (default=no) ], +[ --with-afs Include AFS clear-text auth support (default=no) ], [ case "$withval" in yes) AC_MSG_RESULT(yes) @@ -1560,10 +1560,10 @@ AC_ARG_WITH(afs, ################################################# -# check for the DFS auth system -AC_MSG_CHECKING(whether to use DFS auth) +# check for the DFS clear-text auth system +AC_MSG_CHECKING(whether to use DFS clear-text auth) AC_ARG_WITH(dfs, -[ --with-dce-dfs Include DCE/DFS support (default=no)], +[ --with-dce-dfs Include DCE/DFS clear-text auth support (default=no)], [ case "$withval" in yes) AC_MSG_RESULT(yes) @@ -1576,41 +1576,18 @@ AC_ARG_WITH(dfs, AC_MSG_RESULT(no) ) -################################################# -# check for Kerberos IV auth system -AC_MSG_CHECKING(whether to use Kerberos IV) -AC_ARG_WITH(krb4, -[ --with-krb4=base-dir Include Kerberos IV support (default=no)], -[ case "$withval" in - yes) - AC_MSG_RESULT(yes) - AC_DEFINE(KRB4_AUTH) - LIBS="$LIBS -lkrb -ldes" - CFLAGS="$CFLAGS -I$withval/include" - LDFLAGS="$LDFLAGS -L$withval/lib" - AC_DEFINE_UNQUOTED(KRB4_DIR, ${withval}) - ;; - *) - AC_MSG_RESULT(no) - ;; - esac ], - AC_MSG_RESULT(no) -) - - ################################################# # check for location of Kerberos 5 install AC_MSG_CHECKING(for kerberos 5 install path) AC_ARG_WITH(krb5, -[ --with-krb5=base-dir Include Kerberos 5 support (default=no)], +[ --with-krb5=base-dir Locate Kerberos 5 support (default=/usr)], [ case "$withval" in no) AC_MSG_RESULT(no) ;; *) AC_MSG_RESULT(yes) - AC_DEFINE(KRB5_AUTH) LIBS="$LIBS -lkrb5" CFLAGS="$CFLAGS -I$withval/include" LDFLAGS="$LDFLAGS -L$withval/lib" 
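Review bot: The new `--with-krb5` help string claims `(default=/usr)`, but nothing in the hunk establishes that default: the case statement handles only `no)` and `*)`, the `*)` branch uses `$withval` verbatim for `-I$withval/include` and `-L$withval/lib`, and the action taken when the option is absent lies outside the hunk, so unless that fallback supplies /usr the help text is misleading. With `AC_DEFINE(KRB5_AUTH)` removed the option now only adds `-lkrb5` and search paths, and the help line should say what that still enables (presumably the smbd/sesssetup.c support the commit message refers to), e.g. `[ --with-krb5=base-dir Locate Kerberos 5 install for session setup (default=no)],` if the fallback does not in fact set /usr. The `*)` branch also accepts a bare `--with-krb5`, which passes `yes` as the base dir and yields `-Iyes/include`; that behaviour predates this commit but is worth a `yes)` case now that the option is being re-documented.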
@@ -1680,11 +1657,11 @@ AC_ARG_WITH(smbmount, ################################################# -# check for a PAM password database +# check for a PAM clear-text auth, accounts, password and session support with_pam_for_crypt=no -AC_MSG_CHECKING(whether to use PAM password database) +AC_MSG_CHECKING(whether to use PAM) AC_ARG_WITH(pam, -[ --with-pam Include PAM password database support (default=no)], +[ --with-pam Include PAM support (default=no)], [ case "$withval" in yes) AC_MSG_RESULT(yes) diff --git a/source3/passdb/pass_check.c b/source3/passdb/pass_check.c index 44b3b9a237..77839e4bb0 100644 --- a/source3/passdb/pass_check.c +++ b/source3/passdb/pass_check.c @@ -26,7 +26,7 @@ /* these are kept here to keep the string_combinations function simple */ static fstring this_user; -#if !(defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH)) +#if !defined(WITH_PAM) static fstring this_salt; static fstring this_crypted; #endif 
@@ -370,122 +370,6 @@ void dfs_unlogin(void) } #endif -#ifdef KRB5_AUTH - -#include - -/******************************************************************* -check on Kerberos authentication -********************************************************************/ -static BOOL krb5_auth(char *user, char *password) -{ - krb5_data tgtname = { - 0, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME - }; - krb5_context kcontext; - krb5_principal kprinc; - krb5_principal server; - krb5_creds kcreds; - int options = 0; - krb5_address **addrs = (krb5_address **) 0; - krb5_preauthtype *preauth = NULL; - krb5_keytab keytab = NULL; - krb5_timestamp now; - krb5_ccache ccache = NULL; - int retval; - char *name; - - if (retval = krb5_init_context(&kcontext)) - { - return (False); - } - - if (retval = krb5_timeofday(kcontext, &now)) - { - return (False); - } - - if (retval = krb5_cc_default(kcontext, &ccache)) - { - return (False); - } - - if (retval = krb5_parse_name(kcontext, user, &kprinc)) - { - return (False); - } - - ZERO_STRUCT(kcreds); - - kcreds.client = kprinc; - - if ((retval = krb5_build_principal_ext(kcontext, &server, - krb5_princ_realm(kcontext, - kprinc)-> - length, - krb5_princ_realm(kcontext, - kprinc)->data, - tgtname.length, tgtname.data, - krb5_princ_realm(kcontext, - kprinc)-> - length, - krb5_princ_realm(kcontext, - kprinc)->data, - 0))) - { - return (False); - } - - kcreds.server = server; - - retval = krb5_get_in_tkt_with_password(kcontext, - options, - addrs, - NULL, - preauth, - password, 0, &kcreds, 0); - - if (retval) - { - return (False); - } - - return (True); -} -#endif /* KRB5_AUTH */ - -#ifdef KRB4_AUTH -#include - -/******************************************************************* -check on Kerberos authentication -********************************************************************/ -static BOOL krb4_auth(char *user, char *password) -{ - char realm[REALM_SZ]; - char tkfile[MAXPATHLEN]; - - if (krb_get_lrealm(realm, 1) != KSUCCESS) - { - 
(void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1); - } - - (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", - (int)sys_getpid()); - - krb_set_tkt_string(tkfile); - if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS) - { - unlink(tkfile); - return 1; - } - unlink(tkfile); - return 0; -} -#endif /* KRB4_AUTH */ - #ifdef LINUX_BIGCRYPT /**************************************************************************** an enhanced crypt for Linux to handle password longer than 8 characters @@ -602,10 +486,6 @@ static NTSTATUS password_check(char *password) { #ifdef WITH_PAM return smb_pam_passcheck(this_user, password); -#elif defined(KRB5_AUTH) - return krb5_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; -#elif defined(KRB4_AUTH) - return krb4_auth(this_user, password) ? NT_STATUS_WRONG_PASSWORD : NT_STATUS_OK; #else BOOL ret; @@ -729,7 +609,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, if (((!*password) || (!pwlen)) && !lp_null_passwords()) return NT_STATUS_LOGON_FAILURE; -#if defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) +#if defined(WITH_PAM) /* * If we're using PAM we want to short-circuit all the @@ -834,7 +714,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password, } } -#endif /* defined(WITH_PAM) || defined(KRB4_AUTH) || defined(KRB5_AUTH) */ +#endif /* defined(WITH_PAM) */ /* try it as it came to us */ nt_status = password_check(password); -- cgit