2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Volker Lendecke 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #ifdef WITH_FAKE_KASERVER
28 #include <afs/venus.h>
29 #include <asm/unistd.h>
30 #include <openssl/des.h>
36 uint32 BeginTimestamp;
40 static char *afs_encode_token(const char *cell, const DATA_BLOB ticket,
41 const struct ClearToken *ct)
46 DATA_BLOB key = data_blob(ct->HandShakeKey, 8);
49 base64_ticket = base64_encode_data_blob(ticket);
50 if (base64_ticket == NULL)
53 base64_key = base64_encode_data_blob(key);
54 if (base64_key == NULL) {
59 asprintf(&result, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell,
60 ct->AuthHandle, base64_key, ct->ViceId, ct->BeginTimestamp,
61 ct->EndTimestamp, base64_ticket);
63 DEBUG(10, ("Got ticket string:\n%s\n", result));
71 /* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
72 * ViceId set, this should be set by the caller. */
74 static BOOL afs_createtoken(const char *username, const char *cell,
75 DATA_BLOB *ticket, struct ClearToken *ct)
78 char *p = clear_ticket;
83 des_key_schedule key_schedule;
88 if (!secrets_fetch_afs_key(cell, &key)) {
89 DEBUG(1, ("Could not fetch AFS service key\n"));
93 ct->AuthHandle = key.kvno;
95 /* Build the ticket. This is going to be encrypted, so in our
96 way we fill in ct while we still have the unencrypted
105 /* "Alice", the client username */
106 strncpy(p, username, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
108 strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
110 strncpy(p, cell, sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
113 /* Alice's network layer address. At least Openafs-1.2.10
114 ignores this, so we fill in a dummy value here. */
118 /* We need to create a session key */
119 generate_random_buffer(p, 8);
121 /* Our client code needs the the key in the clear, it does not
122 know the server-key ... */
123 memcpy(ct->HandShakeKey, p, 8);
127 /* Ticket lifetime. We fake everything here, so go as long as
128 possible. This is in 5-minute intervals, so 255 is 21 hours
133 /* Ticket creation time */
136 ct->BeginTimestamp = now;
138 ct->EndTimestamp = now + (255*60*5);
139 if (((ct->EndTimestamp - ct->BeginTimestamp) & 1) == 1) {
140 ct->BeginTimestamp += 1; /* Lifetime must be even */
144 /* And here comes Bob's name and instance, in this case the
146 strncpy(p, "afs", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
148 strncpy(p, "", sizeof(clear_ticket)-PTR_DIFF(p,clear_ticket)-1);
151 /* And zero-pad to a multiple of 8 bytes */
152 len = PTR_DIFF(p, clear_ticket);
154 uint32 extra_space = 8-(len & 7);
155 memset(p, 0, extra_space);
158 len = PTR_DIFF(p, clear_ticket);
160 des_key_sched((const_des_cblock *)key.key, key_schedule);
161 des_pcbc_encrypt(clear_ticket, clear_ticket,
162 len, key_schedule, (C_Block *)key.key, 1);
166 *ticket = data_blob(clear_ticket, len);
171 char *afs_createtoken_str(const char *username, const char *cell)
174 struct ClearToken ct;
177 if (!afs_createtoken(username, cell, &ticket, &ct))
180 result = afs_encode_token(cell, ticket, &ct);
182 data_blob_free(&ticket);
188 This routine takes a radical approach completely bypassing the
189 Kerberos idea of security and using AFS simply as an intelligent
190 file backend. Samba has persuaded itself somehow that the user is
191 actually correctly identified and then we create a ticket that the
192 AFS server hopefully accepts using its KeyFile that the admin has
193 kindly stored to our secrets.tdb.
195 Thanks to the book "Network Security -- PRIVATE Communication in a
196 PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
197 Kerberos 4 tickets are not really hard to construct.
199 For the comments "Alice" is the User to be auth'ed, and "Bob" is the
202 BOOL afs_login(connection_struct *conn)
205 pstring afs_username;
210 struct ClearToken ct;
212 pstrcpy(afs_username, lp_afs_username_map());
213 standard_sub_conn(conn, afs_username, sizeof(afs_username));
215 /* The pts command always generates completely lower-case user
217 strlower_m(afs_username);
219 cell = strchr(afs_username, '@');
222 DEBUG(1, ("AFS username doesn't contain a @, "
223 "could not find cell\n"));
230 DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
231 afs_username, cell));
233 if (!afs_createtoken(afs_username, cell, &ticket, &ct))
236 /* For which Unix-UID do we want to set the token? */
237 ct.ViceId = getuid();
239 ticket_str = afs_encode_token(cell, ticket, &ct);
241 result = afs_settoken_str(ticket_str);
243 SAFE_FREE(ticket_str);
245 data_blob_free(&ticket);
252 BOOL afs_login(connection_struct *conn)
257 char *afs_createtoken_str(const char *username, const char *cell)
262 #endif /* WITH_FAKE_KASERVER */