2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Volker Lendecke 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #ifdef WITH_FAKE_KASERVER
28 #include <afs/venus.h>
29 #include <asm/unistd.h>
30 #include <openssl/des.h>
36 uint32 BeginTimestamp;
40 static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
41 const struct ClearToken *ct)
46 DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
49 base64_ticket = base64_encode_data_blob(ticket);
50 if (base64_ticket == NULL)
53 base64_key = base64_encode_data_blob(key);
54 if (base64_key == NULL) {
59 asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
60 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
61 ct->EndTimestamp, base64_ticket);
63 DEBUG(10, ("Got ticket string:\n%s\n", result));
71 /* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
72 * ViceId set, this should be set by the caller. */
74 static BOOL afs_createtoken(const char *username, const char *cell,
75 DATA_BLOB *ticket, struct ClearToken *ct)
78 char *p = clear_ticket;
83 des_key_schedule key_schedule;
88 if (!secrets_fetch_afs_key(cell, &key)) {
89 DEBUG(1, ("Could not fetch AFS service key\n"));
93 ct->AuthHandle = key.kvno;
95 /* Build the ticket. This is going to be encrypted, so in our
96 way we fill in ct while we still have the unencrypted
105 /* "Alice", the client username */
106 strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
108 strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
110 strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
113 /* Alice's network layer address. At least Openafs-1.2.10
114 ignores this, so we fill in a dummy value here. */
118 /* We need to create a session key */
119 generate_random_buffer(p, 8);
121 /* Our client code needs the the key in the clear, it does not
122 know the server-key ... */
123 memcpy(ct->HandShakeKey, p, 8);
127 /* This is a kerberos 4 life time. The life time is expressed
128 * in units of 5 minute intervals up to 38400 seconds, after
129 * that a table is used up to lifetime 0xBF. Values between
130 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
131 * infinite time that never expire.
133 * So here we cheat and use the infinite time */
137 /* Ticket creation time */
140 ct->BeginTimestamp = now;
142 ct->EndTimestamp = now + (255*60*5);
143 if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
144 ct->BeginTimestamp += 1; /* Lifetime must be even */
148 /* And here comes Bob's name and instance, in this case the
150 strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
152 strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
155 /* And zero-pad to a multiple of 8 bytes */
156 len = PTR_DIFF(p, clear_ticket);
158 uint32 extra_space = 8-(len & 7);
159 memset(p, 0, extra_space);
162 len = PTR_DIFF(p, clear_ticket);
164 des_key_sched((const_des_cblock *)key.key, key_schedule);
165 des_pcbc_encrypt(clear_ticket, clear_ticket,
166 len, key_schedule, (C_Block *)key.key, 1);
170 *ticket = data_blob(clear_ticket, len);
175 char *afs_createtoken_str(const char *username, const char *cell)
178 struct ClearToken ct;
181 if (!afs_createtoken(username, cell, &ticket, &ct))
184 result = afs_encode_token(cell, ticket, &ct);
186 data_blob_free(&ticket);
192 This routine takes a radical approach completely bypassing the
193 Kerberos idea of security and using AFS simply as an intelligent
194 file backend. Samba has persuaded itself somehow that the user is
195 actually correctly identified and then we create a ticket that the
196 AFS server hopefully accepts using its KeyFile that the admin has
197 kindly stored to our secrets.tdb.
199 Thanks to the book "Network Security -- PRIVATE Communication in a
200 PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
201 Kerberos 4 tickets are not really hard to construct.
203 For the comments "Alice" is the User to be auth'ed, and "Bob" is the
206 BOOL afs_login(connection_struct *conn)
209 pstring afs_username;
214 struct ClearToken ct;
216 pstrcpy(afs_username, lp_afs_username_map());
217 standard_sub_conn(conn, afs_username, sizeof(afs_username));
219 /* The pts command always generates completely lower-case user
221 strlower_m(afs_username);
223 cell = strchr(afs_username, '@');
226 DEBUG(1, ("AFS username doesn't contain a @, "
227 "could not find cell\n"));
234 DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
235 afs_username, cell));
237 if (!afs_createtoken(afs_username, cell, &ticket, &ct))
240 /* For which Unix-UID do we want to set the token? */
241 ct.ViceId = getuid();
243 ticket_str = afs_encode_token(cell, ticket, &ct);
245 result = afs_settoken_str(ticket_str);
247 SAFE_FREE(ticket_str);
249 data_blob_free(&ticket);
256 BOOL afs_login(connection_struct *conn)
261 char *afs_createtoken_str(const char *username, const char *cell)
266 #endif /* WITH_FAKE_KASERVER */
git.samba.org / amitay / samba.git / blob