17c478bd9Sstevel@tonic-gate /*
2fe598cdcSmp * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
37c478bd9Sstevel@tonic-gate * Use is subject to license terms.
47c478bd9Sstevel@tonic-gate */
57c478bd9Sstevel@tonic-gate
67c478bd9Sstevel@tonic-gate /*
77c478bd9Sstevel@tonic-gate * usr/src/cmd/cmd-inet/usr.bin/telnet/kerberos5.c
87c478bd9Sstevel@tonic-gate *
97c478bd9Sstevel@tonic-gate * Copyright (c) 1991, 1993
107c478bd9Sstevel@tonic-gate * The Regents of the University of California. All rights reserved.
117c478bd9Sstevel@tonic-gate *
127c478bd9Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without
137c478bd9Sstevel@tonic-gate * modification, are permitted provided that the following conditions
147c478bd9Sstevel@tonic-gate * are met:
157c478bd9Sstevel@tonic-gate * 1. Redistributions of source code must retain the above copyright
167c478bd9Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer.
177c478bd9Sstevel@tonic-gate * 2. Redistributions in binary form must reproduce the above copyright
187c478bd9Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in the
197c478bd9Sstevel@tonic-gate * documentation and/or other materials provided with the distribution.
207c478bd9Sstevel@tonic-gate * 3. All advertising materials mentioning features or use of this software
217c478bd9Sstevel@tonic-gate * must display the following acknowledgement:
227c478bd9Sstevel@tonic-gate * This product includes software developed by the University of
237c478bd9Sstevel@tonic-gate * California, Berkeley and its contributors.
247c478bd9Sstevel@tonic-gate * 4. Neither the name of the University nor the names of its contributors
257c478bd9Sstevel@tonic-gate * may be used to endorse or promote products derived from this software
267c478bd9Sstevel@tonic-gate * without specific prior written permission.
277c478bd9Sstevel@tonic-gate *
287c478bd9Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
297c478bd9Sstevel@tonic-gate * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
307c478bd9Sstevel@tonic-gate * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
317c478bd9Sstevel@tonic-gate * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
327c478bd9Sstevel@tonic-gate * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
337c478bd9Sstevel@tonic-gate * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
347c478bd9Sstevel@tonic-gate * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
357c478bd9Sstevel@tonic-gate * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
367c478bd9Sstevel@tonic-gate * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
377c478bd9Sstevel@tonic-gate * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
387c478bd9Sstevel@tonic-gate * SUCH DAMAGE.
397c478bd9Sstevel@tonic-gate */
407c478bd9Sstevel@tonic-gate
417c478bd9Sstevel@tonic-gate /* based on @(#)kerberos5.c 8.1 (Berkeley) 6/4/93 */
427c478bd9Sstevel@tonic-gate
437c478bd9Sstevel@tonic-gate /*
447c478bd9Sstevel@tonic-gate * Copyright (C) 1990 by the Massachusetts Institute of Technology
457c478bd9Sstevel@tonic-gate *
467c478bd9Sstevel@tonic-gate * Export of this software from the United States of America may
477c478bd9Sstevel@tonic-gate * require a specific license from the United States Government.
487c478bd9Sstevel@tonic-gate * It is the responsibility of any person or organization contemplating
497c478bd9Sstevel@tonic-gate * export to obtain such a license before exporting.
507c478bd9Sstevel@tonic-gate *
517c478bd9Sstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
527c478bd9Sstevel@tonic-gate * distribute this software and its documentation for any purpose and
537c478bd9Sstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
547c478bd9Sstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
557c478bd9Sstevel@tonic-gate * this permission notice appear in supporting documentation, and that
567c478bd9Sstevel@tonic-gate * the name of M.I.T. not be used in advertising or publicity pertaining
577c478bd9Sstevel@tonic-gate * to distribution of the software without specific, written prior
587c478bd9Sstevel@tonic-gate * permission. Furthermore if you modify this software you must label
597c478bd9Sstevel@tonic-gate * your software as modified software and not distribute it in such a
607c478bd9Sstevel@tonic-gate * fashion that it might be confused with the original M.I.T. software.
617c478bd9Sstevel@tonic-gate * M.I.T. makes no representations about the suitability of
627c478bd9Sstevel@tonic-gate * this software for any purpose. It is provided "as is" without express
637c478bd9Sstevel@tonic-gate * or implied warranty.
647c478bd9Sstevel@tonic-gate */
657c478bd9Sstevel@tonic-gate
667c478bd9Sstevel@tonic-gate
677c478bd9Sstevel@tonic-gate #include <arpa/telnet.h>
687c478bd9Sstevel@tonic-gate #include <stdio.h>
697c478bd9Sstevel@tonic-gate #include <ctype.h>
707c478bd9Sstevel@tonic-gate #include <syslog.h>
717c478bd9Sstevel@tonic-gate #include <stdlib.h>
727c478bd9Sstevel@tonic-gate
737c478bd9Sstevel@tonic-gate /* the following are from the kerberos tree */
747c478bd9Sstevel@tonic-gate #include <k5-int.h>
757c478bd9Sstevel@tonic-gate #include <com_err.h>
767c478bd9Sstevel@tonic-gate #include <netdb.h>
777c478bd9Sstevel@tonic-gate #include <profile/prof_int.h>
787c478bd9Sstevel@tonic-gate #include <sys/param.h>
797c478bd9Sstevel@tonic-gate #include "externs.h"
807c478bd9Sstevel@tonic-gate
817c478bd9Sstevel@tonic-gate extern char *RemoteHostName;
827c478bd9Sstevel@tonic-gate extern boolean_t auth_debug_mode;
837c478bd9Sstevel@tonic-gate extern int net;
847c478bd9Sstevel@tonic-gate
85ef2b2792Smp #define ACCEPTED_ENCTYPE(a) \
86ef2b2792Smp (a == ENCTYPE_DES_CBC_CRC || a == ENCTYPE_DES_CBC_MD5)
877c478bd9Sstevel@tonic-gate /* for comapatibility with non-Solaris KDC's, this has to be big enough */
887c478bd9Sstevel@tonic-gate #define KERBEROS_BUFSIZ 8192
897c478bd9Sstevel@tonic-gate
907c478bd9Sstevel@tonic-gate int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
917c478bd9Sstevel@tonic-gate static void kerberos5_forward(Authenticator *);
927c478bd9Sstevel@tonic-gate
937c478bd9Sstevel@tonic-gate static unsigned char str_data[KERBEROS_BUFSIZ] = { IAC, SB,
947c478bd9Sstevel@tonic-gate TELOPT_AUTHENTICATION, 0, AUTHTYPE_KERBEROS_V5, };
957c478bd9Sstevel@tonic-gate static char *appdef[] = { "appdefaults", "telnet", NULL };
967c478bd9Sstevel@tonic-gate static char *realmdef[] = { "realms", NULL, "telnet", NULL };
977c478bd9Sstevel@tonic-gate
987c478bd9Sstevel@tonic-gate static krb5_auth_context auth_context = 0;
997c478bd9Sstevel@tonic-gate
1007c478bd9Sstevel@tonic-gate static krb5_data auth; /* telnetd gets session key from here */
1017c478bd9Sstevel@tonic-gate static krb5_ticket *ticket = NULL;
1027c478bd9Sstevel@tonic-gate /* telnet matches the AP_REQ and AP_REP with this */
1037c478bd9Sstevel@tonic-gate
1047c478bd9Sstevel@tonic-gate static krb5_keyblock *session_key = 0;
1057c478bd9Sstevel@tonic-gate char *telnet_krb5_realm = NULL;
1067c478bd9Sstevel@tonic-gate
1077c478bd9Sstevel@tonic-gate /*
1087c478bd9Sstevel@tonic-gate * Change the kerberos realm
1097c478bd9Sstevel@tonic-gate */
1107c478bd9Sstevel@tonic-gate void
set_krb5_realm(char * name)1117c478bd9Sstevel@tonic-gate set_krb5_realm(char *name)
1127c478bd9Sstevel@tonic-gate {
1137c478bd9Sstevel@tonic-gate if (name == NULL) {
1147c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("Could not set Kerberos realm, "
1157c478bd9Sstevel@tonic-gate "no realm provided.\n"));
1167c478bd9Sstevel@tonic-gate return;
1177c478bd9Sstevel@tonic-gate }
1187c478bd9Sstevel@tonic-gate
1197c478bd9Sstevel@tonic-gate if (telnet_krb5_realm)
1207c478bd9Sstevel@tonic-gate free(telnet_krb5_realm);
1217c478bd9Sstevel@tonic-gate
1227c478bd9Sstevel@tonic-gate telnet_krb5_realm = (char *)strdup(name);
1237c478bd9Sstevel@tonic-gate
1247c478bd9Sstevel@tonic-gate if (telnet_krb5_realm == NULL)
1257c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext(
1267c478bd9Sstevel@tonic-gate "Could not set Kerberos realm, malloc failed\n"));
1277c478bd9Sstevel@tonic-gate }
1287c478bd9Sstevel@tonic-gate
1297c478bd9Sstevel@tonic-gate #define RETURN_NOMEM { errno = ENOMEM; return (-1); }
1307c478bd9Sstevel@tonic-gate
1317c478bd9Sstevel@tonic-gate static int
krb5_send_data(Authenticator * ap,int type,krb5_pointer d,int c)1327c478bd9Sstevel@tonic-gate krb5_send_data(Authenticator *ap, int type, krb5_pointer d, int c)
1337c478bd9Sstevel@tonic-gate {
1347c478bd9Sstevel@tonic-gate /* the first 3 bytes are control chars */
1357c478bd9Sstevel@tonic-gate unsigned char *p = str_data + 4;
1367c478bd9Sstevel@tonic-gate unsigned char *cd = (unsigned char *)d;
1377c478bd9Sstevel@tonic-gate /* spaceleft is incremented whenever p is decremented */
1387c478bd9Sstevel@tonic-gate size_t spaceleft = sizeof (str_data) - 4;
1397c478bd9Sstevel@tonic-gate
1407c478bd9Sstevel@tonic-gate if (c == -1)
1417c478bd9Sstevel@tonic-gate c = strlen((char *)cd);
1427c478bd9Sstevel@tonic-gate
1437c478bd9Sstevel@tonic-gate if (auth_debug_mode) {
1447c478bd9Sstevel@tonic-gate (void) printf("%s:%d: [%d] (%d)",
1457c478bd9Sstevel@tonic-gate str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
1467c478bd9Sstevel@tonic-gate str_data[3], type, c);
1477c478bd9Sstevel@tonic-gate printd(d, c);
1487c478bd9Sstevel@tonic-gate (void) printf("\r\n");
1497c478bd9Sstevel@tonic-gate }
1507c478bd9Sstevel@tonic-gate
1517c478bd9Sstevel@tonic-gate if (spaceleft < 3)
1527c478bd9Sstevel@tonic-gate RETURN_NOMEM;
1537c478bd9Sstevel@tonic-gate *p++ = ap->type;
1547c478bd9Sstevel@tonic-gate *p++ = ap->way;
1557c478bd9Sstevel@tonic-gate *p++ = type;
1567c478bd9Sstevel@tonic-gate spaceleft -= 3;
1577c478bd9Sstevel@tonic-gate
1587c478bd9Sstevel@tonic-gate while (c-- > 0) {
1597c478bd9Sstevel@tonic-gate if (spaceleft < 2)
1607c478bd9Sstevel@tonic-gate RETURN_NOMEM;
1617c478bd9Sstevel@tonic-gate if ((*p++ = *cd++) == IAC) {
1627c478bd9Sstevel@tonic-gate *p++ = IAC;
1637c478bd9Sstevel@tonic-gate spaceleft -= 2;
1647c478bd9Sstevel@tonic-gate }
1657c478bd9Sstevel@tonic-gate }
1667c478bd9Sstevel@tonic-gate
1677c478bd9Sstevel@tonic-gate if (spaceleft < 2)
1687c478bd9Sstevel@tonic-gate RETURN_NOMEM;
1697c478bd9Sstevel@tonic-gate *p++ = IAC;
1707c478bd9Sstevel@tonic-gate *p++ = SE;
1717c478bd9Sstevel@tonic-gate if (str_data[3] == TELQUAL_IS)
1727c478bd9Sstevel@tonic-gate printsub('>', &str_data[2], p - &str_data[2]);
1737c478bd9Sstevel@tonic-gate return (net_write(str_data, p - str_data));
1747c478bd9Sstevel@tonic-gate }
1757c478bd9Sstevel@tonic-gate
1767c478bd9Sstevel@tonic-gate krb5_context telnet_context = 0;
1777c478bd9Sstevel@tonic-gate
1787c478bd9Sstevel@tonic-gate /* ARGSUSED */
1797c478bd9Sstevel@tonic-gate int
kerberos5_init(Authenticator * ap)1807c478bd9Sstevel@tonic-gate kerberos5_init(Authenticator *ap)
1817c478bd9Sstevel@tonic-gate {
1827c478bd9Sstevel@tonic-gate krb5_error_code retval;
1837c478bd9Sstevel@tonic-gate
1847c478bd9Sstevel@tonic-gate str_data[3] = TELQUAL_IS;
1857c478bd9Sstevel@tonic-gate if (krb5auth_flag && (telnet_context == 0)) {
1867c478bd9Sstevel@tonic-gate retval = krb5_init_context(&telnet_context);
1877c478bd9Sstevel@tonic-gate if (retval)
1887c478bd9Sstevel@tonic-gate return (0);
1897c478bd9Sstevel@tonic-gate }
1907c478bd9Sstevel@tonic-gate return (1);
1917c478bd9Sstevel@tonic-gate }
1927c478bd9Sstevel@tonic-gate
1937c478bd9Sstevel@tonic-gate int
kerberos5_send(Authenticator * ap)1947c478bd9Sstevel@tonic-gate kerberos5_send(Authenticator *ap)
1957c478bd9Sstevel@tonic-gate {
1967c478bd9Sstevel@tonic-gate krb5_error_code retval;
1977c478bd9Sstevel@tonic-gate krb5_ccache ccache;
1987c478bd9Sstevel@tonic-gate krb5_creds creds; /* telnet gets session key from here */
1997c478bd9Sstevel@tonic-gate krb5_creds *new_creds = 0;
2007c478bd9Sstevel@tonic-gate int ap_opts;
2017c478bd9Sstevel@tonic-gate char type_check[2];
2027c478bd9Sstevel@tonic-gate krb5_data check_data;
2037c478bd9Sstevel@tonic-gate
2047c478bd9Sstevel@tonic-gate krb5_keyblock *newkey = 0;
2057c478bd9Sstevel@tonic-gate
206ef2b2792Smp int i;
207ef2b2792Smp krb5_enctype *ktypes;
208ef2b2792Smp
2097c478bd9Sstevel@tonic-gate if (!UserNameRequested) {
2107c478bd9Sstevel@tonic-gate if (auth_debug_mode)
2117c478bd9Sstevel@tonic-gate (void) printf(gettext("telnet: Kerberos V5: "
2127c478bd9Sstevel@tonic-gate "no user name supplied\r\n"));
2137c478bd9Sstevel@tonic-gate return (0);
2147c478bd9Sstevel@tonic-gate }
2157c478bd9Sstevel@tonic-gate
2167c478bd9Sstevel@tonic-gate if ((retval = krb5_cc_default(telnet_context, &ccache))) {
2177c478bd9Sstevel@tonic-gate if (auth_debug_mode)
2187c478bd9Sstevel@tonic-gate (void) printf(gettext("telnet: Kerberos V5: "
2197c478bd9Sstevel@tonic-gate "could not get default ccache\r\n"));
2207c478bd9Sstevel@tonic-gate return (0);
2217c478bd9Sstevel@tonic-gate }
2227c478bd9Sstevel@tonic-gate
2237c478bd9Sstevel@tonic-gate (void) memset((char *)&creds, 0, sizeof (creds));
224fe598cdcSmp if (auth_debug_mode)
225fe598cdcSmp printf("telnet: calling krb5_sname_to_principal\n");
2267c478bd9Sstevel@tonic-gate if ((retval = krb5_sname_to_principal(telnet_context, RemoteHostName,
2277c478bd9Sstevel@tonic-gate "host", KRB5_NT_SRV_HST, &creds.server))) {
2287c478bd9Sstevel@tonic-gate if (auth_debug_mode)
2297c478bd9Sstevel@tonic-gate (void) printf(gettext("telnet: Kerberos V5: error "
2307c478bd9Sstevel@tonic-gate "while constructing service name: %s\r\n"),
2317c478bd9Sstevel@tonic-gate error_message(retval));
2327c478bd9Sstevel@tonic-gate return (0);
2337c478bd9Sstevel@tonic-gate }
234fe598cdcSmp if (auth_debug_mode)
235fe598cdcSmp printf("telnet: done calling krb5_sname_to_principal\n");
2367c478bd9Sstevel@tonic-gate
2377c478bd9Sstevel@tonic-gate if (telnet_krb5_realm != NULL) {
2387c478bd9Sstevel@tonic-gate krb5_data rdata;
2397c478bd9Sstevel@tonic-gate
240fe598cdcSmp rdata.magic = 0;
2417c478bd9Sstevel@tonic-gate rdata.length = strlen(telnet_krb5_realm);
2427c478bd9Sstevel@tonic-gate rdata.data = (char *)malloc(rdata.length + 1);
2437c478bd9Sstevel@tonic-gate if (rdata.data == NULL) {
2447c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext("malloc failed\n"));
2457c478bd9Sstevel@tonic-gate return (0);
2467c478bd9Sstevel@tonic-gate }
2477c478bd9Sstevel@tonic-gate (void) strcpy(rdata.data, telnet_krb5_realm);
2487c478bd9Sstevel@tonic-gate krb5_princ_set_realm(telnet_context, creds.server, &rdata);
2497c478bd9Sstevel@tonic-gate if (auth_debug_mode)
2507c478bd9Sstevel@tonic-gate (void) printf(gettext(
2517c478bd9Sstevel@tonic-gate "telnet: Kerberos V5: set kerberos realm to %s\r\n"),
2527c478bd9Sstevel@tonic-gate telnet_krb5_realm);
2537c478bd9Sstevel@tonic-gate }
2547c478bd9Sstevel@tonic-gate
2557c478bd9Sstevel@tonic-gate if ((retval = krb5_cc_get_principal(telnet_context, ccache,
256*95c74518SToomas Soome &creds.client)) != 0) {
2577c478bd9Sstevel@tonic-gate if (auth_debug_mode) {
2587c478bd9Sstevel@tonic-gate (void) printf(gettext(
2597c478bd9Sstevel@tonic-gate "telnet: Kerberos V5: failure on principal "
2607c478bd9Sstevel@tonic-gate "(%s)\r\n"), error_message(retval));
2617c478bd9Sstevel@tonic-gate }
2627c478bd9Sstevel@tonic-gate krb5_free_cred_contents(telnet_context, &creds);
2637c478bd9Sstevel@tonic-gate return (0);
2647c478bd9Sstevel@tonic-gate }
265ef2b2792Smp /*
266ef2b2792Smp * Check to to confirm that at least one of the supported
267ef2b2792Smp * encryption types (des-cbc-md5, des-cbc-crc is available. If
268ef2b2792Smp * one is available then use it to obtain credentials.
269ef2b2792Smp */
270ef2b2792Smp
271ef2b2792Smp if ((retval = krb5_get_tgs_ktypes(telnet_context, creds.server,
272ef2b2792Smp &ktypes))) {
273ef2b2792Smp if (auth_debug_mode) {
274ef2b2792Smp (void) printf(gettext(
275ef2b2792Smp "telnet: Kerberos V5: could not determine "
276ef2b2792Smp "TGS encryption types "
277ef2b2792Smp "(see default_tgs_enctypes in krb5.conf) "
278ef2b2792Smp "(%s)\r\n"), error_message(retval));
279ef2b2792Smp }
280ef2b2792Smp krb5_free_cred_contents(telnet_context, &creds);
281ef2b2792Smp return (0);
282ef2b2792Smp }
283ef2b2792Smp
284ef2b2792Smp for (i = 0; ktypes[i]; i++) {
285ef2b2792Smp if (ACCEPTED_ENCTYPE(ktypes[i]))
286ef2b2792Smp break;
287ef2b2792Smp }
288ef2b2792Smp
289ef2b2792Smp if (ktypes[i] == 0) {
290ef2b2792Smp if (auth_debug_mode) {
291ef2b2792Smp (void) printf(gettext(
292ef2b2792Smp "telnet: Kerberos V5: "
293ef2b2792Smp "failure on encryption types. "
294ef2b2792Smp "Cannot find des-cbc-md5 or des-cbc-crc "
295ef2b2792Smp "in list of TGS encryption types "
296ef2b2792Smp "(see default_tgs_enctypes in krb5.conf)\n"));
297ef2b2792Smp }
298ef2b2792Smp krb5_free_cred_contents(telnet_context, &creds);
299ef2b2792Smp return (0);
300ef2b2792Smp }
3017c478bd9Sstevel@tonic-gate
302ef2b2792Smp creds.keyblock.enctype = ktypes[i];
3037c478bd9Sstevel@tonic-gate if ((retval = krb5_get_credentials(telnet_context, 0,
3047c478bd9Sstevel@tonic-gate ccache, &creds, &new_creds))) {
3057c478bd9Sstevel@tonic-gate if (auth_debug_mode) {
3067c478bd9Sstevel@tonic-gate (void) printf(gettext(
3077c478bd9Sstevel@tonic-gate "telnet: Kerberos V5: failure on credentials "
3087c478bd9Sstevel@tonic-gate "(%s)\r\n"), error_message(retval));
3097c478bd9Sstevel@tonic-gate }
3107c478bd9Sstevel@tonic-gate krb5_free_cred_contents(telnet_context, &creds);
3117c478bd9Sstevel@tonic-gate return (0);
3127c478bd9Sstevel@tonic-gate }
3137c478bd9Sstevel@tonic-gate
3147c478bd9Sstevel@tonic-gate ap_opts = ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
3157c478bd9Sstevel@tonic-gate AP_OPTS_MUTUAL_REQUIRED : 0;
3167c478bd9Sstevel@tonic-gate
3177c478bd9Sstevel@tonic-gate ap_opts |= AP_OPTS_USE_SUBKEY;
3187c478bd9Sstevel@tonic-gate
3197c478bd9Sstevel@tonic-gate if (auth_context) {
3207c478bd9Sstevel@tonic-gate krb5_auth_con_free(telnet_context, auth_context);
3217c478bd9Sstevel@tonic-gate auth_context = 0;
3227c478bd9Sstevel@tonic-gate }
3237c478bd9Sstevel@tonic-gate if ((retval = krb5_auth_con_init(telnet_context, &auth_context))) {
3247c478bd9Sstevel@tonic-gate if (auth_debug_mode) {
3257c478bd9Sstevel@tonic-gate (void) printf(gettext(
3267c478bd9Sstevel@tonic-gate "Kerberos V5: failed to init auth_context "
3277c478bd9Sstevel@tonic-gate "(%s)\r\n"), error_message(retval));
3287c478bd9Sstevel@tonic-gate }
3297c478bd9Sstevel@tonic-gate return (0);
3307c478bd9Sstevel@tonic-gate }
3317c478bd9Sstevel@tonic-gate
3327c478bd9Sstevel@tonic-gate krb5_auth_con_setflags(telnet_context, auth_context,
3337c478bd9Sstevel@tonic-gate KRB5_AUTH_CONTEXT_RET_TIME);
3347c478bd9Sstevel@tonic-gate
3357c478bd9Sstevel@tonic-gate type_check[0] = ap->type;
3367c478bd9Sstevel@tonic-gate type_check[1] = ap->way;
3377c478bd9Sstevel@tonic-gate check_data.magic = KV5M_DATA;
3387c478bd9Sstevel@tonic-gate check_data.length = 2;
3397c478bd9Sstevel@tonic-gate check_data.data = (char *)&type_check;
3407c478bd9Sstevel@tonic-gate
3417c478bd9Sstevel@tonic-gate retval = krb5_mk_req_extended(telnet_context, &auth_context, ap_opts,
3427c478bd9Sstevel@tonic-gate &check_data, new_creds, &auth);
3437c478bd9Sstevel@tonic-gate
3447c478bd9Sstevel@tonic-gate krb5_auth_con_getlocalsubkey(telnet_context, auth_context, &newkey);
3457c478bd9Sstevel@tonic-gate if (session_key) {
3467c478bd9Sstevel@tonic-gate krb5_free_keyblock(telnet_context, session_key);
3477c478bd9Sstevel@tonic-gate session_key = 0;
3487c478bd9Sstevel@tonic-gate }
3497c478bd9Sstevel@tonic-gate
3507c478bd9Sstevel@tonic-gate if (newkey) {
3517c478bd9Sstevel@tonic-gate /*
3527c478bd9Sstevel@tonic-gate * keep the key in our private storage, but don't use it
3537c478bd9Sstevel@tonic-gate * yet---see kerberos5_reply() below
3547c478bd9Sstevel@tonic-gate */
355ef2b2792Smp if (!(ACCEPTED_ENCTYPE(newkey->enctype))) {
356ef2b2792Smp if (!(ACCEPTED_ENCTYPE(new_creds->keyblock.enctype)))
3577c478bd9Sstevel@tonic-gate /* use the session key in credentials instead */
3587c478bd9Sstevel@tonic-gate krb5_copy_keyblock(telnet_context,
3597c478bd9Sstevel@tonic-gate &new_creds->keyblock, &session_key);
3607c478bd9Sstevel@tonic-gate } else
3617c478bd9Sstevel@tonic-gate krb5_copy_keyblock(telnet_context,
3627c478bd9Sstevel@tonic-gate newkey, &session_key);
3637c478bd9Sstevel@tonic-gate
3647c478bd9Sstevel@tonic-gate krb5_free_keyblock(telnet_context, newkey);
3657c478bd9Sstevel@tonic-gate }
3667c478bd9Sstevel@tonic-gate
3677c478bd9Sstevel@tonic-gate krb5_free_cred_contents(telnet_context, &creds);
3687c478bd9Sstevel@tonic-gate krb5_free_creds(telnet_context, new_creds);
3697c478bd9Sstevel@tonic-gate
3707c478bd9Sstevel@tonic-gate if (retval) {
3717c478bd9Sstevel@tonic-gate if (auth_debug_mode)
3727c478bd9Sstevel@tonic-gate (void) printf(gettext(
3737c478bd9Sstevel@tonic-gate "telnet: Kerberos V5: mk_req failed (%s)\r\n"),
3747c478bd9Sstevel@tonic-gate error_message(retval));
3757c478bd9Sstevel@tonic-gate return (0);
3767c478bd9Sstevel@tonic-gate }
3777c478bd9Sstevel@tonic-gate
3787c478bd9Sstevel@tonic-gate if ((auth_sendname((uchar_t *)UserNameRequested,
379*95c74518SToomas Soome strlen(UserNameRequested))) == 0) {
3807c478bd9Sstevel@tonic-gate if (auth_debug_mode)
3817c478bd9Sstevel@tonic-gate (void) printf(gettext(
3827c478bd9Sstevel@tonic-gate "telnet: Not enough room for user name\r\n"));
3837c478bd9Sstevel@tonic-gate return (0);
3847c478bd9Sstevel@tonic-gate }
3857c478bd9Sstevel@tonic-gate retval = krb5_send_data(ap, KRB_AUTH, auth.data, auth.length);
3867c478bd9Sstevel@tonic-gate if (auth_debug_mode && retval) {
3877c478bd9Sstevel@tonic-gate (void) printf(gettext(
3887c478bd9Sstevel@tonic-gate "telnet: Sent Kerberos V5 credentials to server\r\n"));
3897c478bd9Sstevel@tonic-gate } else if (auth_debug_mode) {
3907c478bd9Sstevel@tonic-gate (void) printf(gettext(
3917c478bd9Sstevel@tonic-gate "telnet: Not enough room for authentication data\r\n"));
3927c478bd9Sstevel@tonic-gate return (0);
3937c478bd9Sstevel@tonic-gate }
3947c478bd9Sstevel@tonic-gate return (1);
3957c478bd9Sstevel@tonic-gate }
3967c478bd9Sstevel@tonic-gate
3977c478bd9Sstevel@tonic-gate void
kerberos5_reply(Authenticator * ap,unsigned char * data,int cnt)3987c478bd9Sstevel@tonic-gate kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
3997c478bd9Sstevel@tonic-gate {
4007c478bd9Sstevel@tonic-gate Session_Key skey;
4017c478bd9Sstevel@tonic-gate static boolean_t mutual_complete = B_FALSE;
4027c478bd9Sstevel@tonic-gate
4037c478bd9Sstevel@tonic-gate if (cnt-- < 1)
4047c478bd9Sstevel@tonic-gate return;
4057c478bd9Sstevel@tonic-gate switch (*data++) {
4067c478bd9Sstevel@tonic-gate case KRB_REJECT:
4077c478bd9Sstevel@tonic-gate if (cnt > 0)
4087c478bd9Sstevel@tonic-gate (void) printf(gettext(
4097c478bd9Sstevel@tonic-gate "[ Kerberos V5 refuses authentication because "
4107c478bd9Sstevel@tonic-gate "%.*s ]\r\n"), cnt, data);
4117c478bd9Sstevel@tonic-gate else
4127c478bd9Sstevel@tonic-gate (void) printf(gettext(
4137c478bd9Sstevel@tonic-gate "[ Kerberos V5 refuses authentication ]\r\n"));
4147c478bd9Sstevel@tonic-gate auth_send_retry();
4157c478bd9Sstevel@tonic-gate return;
4167c478bd9Sstevel@tonic-gate case KRB_ACCEPT:
4177c478bd9Sstevel@tonic-gate if (!mutual_complete) {
4187c478bd9Sstevel@tonic-gate if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
4197c478bd9Sstevel@tonic-gate (void) printf(gettext(
4207c478bd9Sstevel@tonic-gate "[ Kerberos V5 accepted you, but didn't "
4217c478bd9Sstevel@tonic-gate "provide mutual authentication! ]\r\n"));
4227c478bd9Sstevel@tonic-gate auth_send_retry();
4237c478bd9Sstevel@tonic-gate return;
4247c478bd9Sstevel@tonic-gate }
4257c478bd9Sstevel@tonic-gate
4267c478bd9Sstevel@tonic-gate if (session_key) {
4277c478bd9Sstevel@tonic-gate skey.type = SK_DES;
4287c478bd9Sstevel@tonic-gate skey.length = 8;
4297c478bd9Sstevel@tonic-gate skey.data = session_key->contents;
4307c478bd9Sstevel@tonic-gate encrypt_session_key(&skey);
4317c478bd9Sstevel@tonic-gate }
4327c478bd9Sstevel@tonic-gate }
4337c478bd9Sstevel@tonic-gate if (cnt)
4347c478bd9Sstevel@tonic-gate (void) printf(gettext(
4357c478bd9Sstevel@tonic-gate "[ Kerberos V5 accepts you as ``%.*s'' ]\r\n"),
4367c478bd9Sstevel@tonic-gate cnt, data);
4377c478bd9Sstevel@tonic-gate else
4387c478bd9Sstevel@tonic-gate (void) printf(gettext(
4397c478bd9Sstevel@tonic-gate "[ Kerberos V5 accepts you ]\r\n"));
4407c478bd9Sstevel@tonic-gate auth_finished(ap, AUTH_USER);
4417c478bd9Sstevel@tonic-gate
4427c478bd9Sstevel@tonic-gate if (forward_flags & OPTS_FORWARD_CREDS)
4437c478bd9Sstevel@tonic-gate kerberos5_forward(ap);
4447c478bd9Sstevel@tonic-gate
4457c478bd9Sstevel@tonic-gate break;
4467c478bd9Sstevel@tonic-gate case KRB_RESPONSE:
4477c478bd9Sstevel@tonic-gate if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
4487c478bd9Sstevel@tonic-gate /* the rest of the reply should contain a krb_ap_rep */
4497c478bd9Sstevel@tonic-gate krb5_ap_rep_enc_part *reply;
4507c478bd9Sstevel@tonic-gate krb5_data inbuf;
4517c478bd9Sstevel@tonic-gate krb5_error_code retval;
4527c478bd9Sstevel@tonic-gate
4537c478bd9Sstevel@tonic-gate inbuf.length = cnt;
4547c478bd9Sstevel@tonic-gate inbuf.data = (char *)data;
4557c478bd9Sstevel@tonic-gate
4567c478bd9Sstevel@tonic-gate retval = krb5_rd_rep(telnet_context, auth_context,
4577c478bd9Sstevel@tonic-gate &inbuf, &reply);
4587c478bd9Sstevel@tonic-gate if (retval) {
4597c478bd9Sstevel@tonic-gate (void) printf(gettext(
4607c478bd9Sstevel@tonic-gate "[ Mutual authentication failed: "
4617c478bd9Sstevel@tonic-gate "%s ]\r\n"), error_message(retval));
4627c478bd9Sstevel@tonic-gate auth_send_retry();
4637c478bd9Sstevel@tonic-gate return;
4647c478bd9Sstevel@tonic-gate }
4657c478bd9Sstevel@tonic-gate krb5_free_ap_rep_enc_part(telnet_context, reply);
4667c478bd9Sstevel@tonic-gate
4677c478bd9Sstevel@tonic-gate if (session_key) {
4687c478bd9Sstevel@tonic-gate skey.type = SK_DES;
4697c478bd9Sstevel@tonic-gate skey.length = 8;
4707c478bd9Sstevel@tonic-gate skey.data = session_key->contents;
4717c478bd9Sstevel@tonic-gate encrypt_session_key(&skey);
4727c478bd9Sstevel@tonic-gate }
4737c478bd9Sstevel@tonic-gate mutual_complete = B_TRUE;
4747c478bd9Sstevel@tonic-gate }
4757c478bd9Sstevel@tonic-gate return;
4767c478bd9Sstevel@tonic-gate case KRB_FORWARD_ACCEPT:
4777c478bd9Sstevel@tonic-gate (void) printf(gettext(
4787c478bd9Sstevel@tonic-gate "[ Kerberos V5 accepted forwarded credentials ]\r\n"));
4797c478bd9Sstevel@tonic-gate return;
4807c478bd9Sstevel@tonic-gate case KRB_FORWARD_REJECT:
4817c478bd9Sstevel@tonic-gate (void) printf(gettext(
4827c478bd9Sstevel@tonic-gate "[ Kerberos V5 refuses forwarded credentials because "
4837c478bd9Sstevel@tonic-gate "%.*s ]\r\n"), cnt, data);
4847c478bd9Sstevel@tonic-gate return;
4857c478bd9Sstevel@tonic-gate default:
4867c478bd9Sstevel@tonic-gate if (auth_debug_mode)
4877c478bd9Sstevel@tonic-gate (void) printf(gettext(
4887c478bd9Sstevel@tonic-gate "Unknown Kerberos option %d\r\n"), data[-1]);
4897c478bd9Sstevel@tonic-gate return;
4907c478bd9Sstevel@tonic-gate }
4917c478bd9Sstevel@tonic-gate }
4927c478bd9Sstevel@tonic-gate
4937c478bd9Sstevel@tonic-gate /* ARGSUSED */
4947c478bd9Sstevel@tonic-gate int
kerberos5_status(Authenticator * ap,char * name,int level)4957c478bd9Sstevel@tonic-gate kerberos5_status(Authenticator *ap, char *name, int level)
4967c478bd9Sstevel@tonic-gate {
4977c478bd9Sstevel@tonic-gate if (level < AUTH_USER)
4987c478bd9Sstevel@tonic-gate return (level);
4997c478bd9Sstevel@tonic-gate
5007c478bd9Sstevel@tonic-gate if (UserNameRequested && krb5_kuserok(telnet_context,
5017c478bd9Sstevel@tonic-gate ticket->enc_part2->client, UserNameRequested)) {
5027c478bd9Sstevel@tonic-gate
5037c478bd9Sstevel@tonic-gate /* the name buffer comes from telnetd/telnetd{-ktd}.c */
5047c478bd9Sstevel@tonic-gate (void) strncpy(name, UserNameRequested, MAXNAMELEN);
5057c478bd9Sstevel@tonic-gate name[MAXNAMELEN-1] = '\0';
5067c478bd9Sstevel@tonic-gate return (AUTH_VALID);
5077c478bd9Sstevel@tonic-gate } else
5087c478bd9Sstevel@tonic-gate return (AUTH_USER);
5097c478bd9Sstevel@tonic-gate }
5107c478bd9Sstevel@tonic-gate
5117c478bd9Sstevel@tonic-gate #define BUMP(buf, len) while (*(buf)) {++(buf), --(len); }
5127c478bd9Sstevel@tonic-gate #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len); }
5137c478bd9Sstevel@tonic-gate
5147c478bd9Sstevel@tonic-gate /*
5157c478bd9Sstevel@tonic-gate * Used with the set opt command to print suboptions
5167c478bd9Sstevel@tonic-gate */
5177c478bd9Sstevel@tonic-gate void
kerberos5_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)5187c478bd9Sstevel@tonic-gate kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
5197c478bd9Sstevel@tonic-gate {
5207c478bd9Sstevel@tonic-gate char lbuf[AUTH_LBUF_BUFSIZ];
5217c478bd9Sstevel@tonic-gate register int i;
5227c478bd9Sstevel@tonic-gate
5237c478bd9Sstevel@tonic-gate buf[buflen-1] = '\0'; /* make sure its NULL terminated */
5247c478bd9Sstevel@tonic-gate buflen -= 1;
5257c478bd9Sstevel@tonic-gate
5267c478bd9Sstevel@tonic-gate switch (data[3]) {
5277c478bd9Sstevel@tonic-gate case KRB_REJECT: /* Rejected (reason might follow) */
5287c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " REJECT ", buflen);
5297c478bd9Sstevel@tonic-gate goto common;
5307c478bd9Sstevel@tonic-gate
5317c478bd9Sstevel@tonic-gate case KRB_ACCEPT: /* Accepted (name might follow) */
5327c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " ACCEPT ", buflen);
5337c478bd9Sstevel@tonic-gate common:
5347c478bd9Sstevel@tonic-gate BUMP(buf, buflen);
5357c478bd9Sstevel@tonic-gate if (cnt <= 4)
5367c478bd9Sstevel@tonic-gate break;
5377c478bd9Sstevel@tonic-gate ADDC(buf, buflen, '"');
5387c478bd9Sstevel@tonic-gate for (i = 4; i < cnt; i++)
5397c478bd9Sstevel@tonic-gate ADDC(buf, buflen, data[i]);
5407c478bd9Sstevel@tonic-gate ADDC(buf, buflen, '"');
5417c478bd9Sstevel@tonic-gate ADDC(buf, buflen, '\0');
5427c478bd9Sstevel@tonic-gate break;
5437c478bd9Sstevel@tonic-gate
5447c478bd9Sstevel@tonic-gate case KRB_AUTH: /* Authentication data follows */
5457c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " AUTH", buflen);
5467c478bd9Sstevel@tonic-gate goto common2;
5477c478bd9Sstevel@tonic-gate
5487c478bd9Sstevel@tonic-gate case KRB_RESPONSE:
5497c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " RESPONSE", buflen);
5507c478bd9Sstevel@tonic-gate goto common2;
5517c478bd9Sstevel@tonic-gate
5527c478bd9Sstevel@tonic-gate case KRB_FORWARD: /* Forwarded credentials follow */
5537c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " FORWARD", buflen);
5547c478bd9Sstevel@tonic-gate goto common2;
5557c478bd9Sstevel@tonic-gate
5567c478bd9Sstevel@tonic-gate case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
5577c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
5587c478bd9Sstevel@tonic-gate goto common2;
5597c478bd9Sstevel@tonic-gate
5607c478bd9Sstevel@tonic-gate case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
5617c478bd9Sstevel@tonic-gate /* (reason might follow) */
5627c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, " FORWARD_REJECT", buflen);
5637c478bd9Sstevel@tonic-gate goto common2;
5647c478bd9Sstevel@tonic-gate
5657c478bd9Sstevel@tonic-gate default:
5667c478bd9Sstevel@tonic-gate (void) snprintf(lbuf, AUTH_LBUF_BUFSIZ,
5677c478bd9Sstevel@tonic-gate gettext(" %d (unknown)"),
5687c478bd9Sstevel@tonic-gate data[3]);
5697c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, lbuf, buflen);
5707c478bd9Sstevel@tonic-gate common2:
5717c478bd9Sstevel@tonic-gate BUMP(buf, buflen);
5727c478bd9Sstevel@tonic-gate for (i = 4; i < cnt; i++) {
5737c478bd9Sstevel@tonic-gate (void) snprintf(lbuf, AUTH_LBUF_BUFSIZ, " %d", data[i]);
5747c478bd9Sstevel@tonic-gate (void) strncpy((char *)buf, lbuf, buflen);
5757c478bd9Sstevel@tonic-gate BUMP(buf, buflen);
5767c478bd9Sstevel@tonic-gate }
5777c478bd9Sstevel@tonic-gate break;
5787c478bd9Sstevel@tonic-gate }
5797c478bd9Sstevel@tonic-gate }
5807c478bd9Sstevel@tonic-gate
5817c478bd9Sstevel@tonic-gate void
krb5_profile_get_options(char * host,char * realm,profile_options_boolean * optionsp)5827c478bd9Sstevel@tonic-gate krb5_profile_get_options(char *host, char *realm,
5837c478bd9Sstevel@tonic-gate profile_options_boolean *optionsp)
5847c478bd9Sstevel@tonic-gate {
5857c478bd9Sstevel@tonic-gate char **realms = NULL;
5867c478bd9Sstevel@tonic-gate krb5_error_code err = 0;
5877c478bd9Sstevel@tonic-gate
5887c478bd9Sstevel@tonic-gate if (!telnet_context) {
5897c478bd9Sstevel@tonic-gate err = krb5_init_context(&telnet_context);
5907c478bd9Sstevel@tonic-gate if (err) {
5917c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext(
5927c478bd9Sstevel@tonic-gate "Error initializing Kerberos 5 library: %s\n"),
5937c478bd9Sstevel@tonic-gate error_message(err));
5947c478bd9Sstevel@tonic-gate return;
5957c478bd9Sstevel@tonic-gate }
5967c478bd9Sstevel@tonic-gate }
5977c478bd9Sstevel@tonic-gate
5987c478bd9Sstevel@tonic-gate if ((realmdef[1] = realm) == NULL) {
5997c478bd9Sstevel@tonic-gate err = krb5_get_host_realm(telnet_context, host, &realms);
6007c478bd9Sstevel@tonic-gate if (err) {
6017c478bd9Sstevel@tonic-gate (void) fprintf(stderr, gettext(
6027c478bd9Sstevel@tonic-gate "Error getting Kerberos 5 realms for: %s (%s)\n"),
6037c478bd9Sstevel@tonic-gate host, error_message(err));
6047c478bd9Sstevel@tonic-gate return;
6057c478bd9Sstevel@tonic-gate }
6067c478bd9Sstevel@tonic-gate realmdef[1] = realms[0];
6077c478bd9Sstevel@tonic-gate }
6087c478bd9Sstevel@tonic-gate
6097c478bd9Sstevel@tonic-gate profile_get_options_boolean(telnet_context->profile,
6107c478bd9Sstevel@tonic-gate realmdef, optionsp);
6117c478bd9Sstevel@tonic-gate profile_get_options_boolean(telnet_context->profile,
6127c478bd9Sstevel@tonic-gate appdef, optionsp);
6137c478bd9Sstevel@tonic-gate }
6147c478bd9Sstevel@tonic-gate
6157c478bd9Sstevel@tonic-gate static void
kerberos5_forward(Authenticator * ap)6167c478bd9Sstevel@tonic-gate kerberos5_forward(Authenticator *ap)
6177c478bd9Sstevel@tonic-gate {
6187c478bd9Sstevel@tonic-gate krb5_error_code retval;
6197c478bd9Sstevel@tonic-gate krb5_ccache ccache;
6207c478bd9Sstevel@tonic-gate krb5_principal client = 0;
6217c478bd9Sstevel@tonic-gate krb5_principal server = 0;
6227c478bd9Sstevel@tonic-gate krb5_data forw_creds;
6237c478bd9Sstevel@tonic-gate
6247c478bd9Sstevel@tonic-gate forw_creds.data = 0;
6257c478bd9Sstevel@tonic-gate
6267c478bd9Sstevel@tonic-gate if ((retval = krb5_cc_default(telnet_context, &ccache))) {
6277c478bd9Sstevel@tonic-gate if (auth_debug_mode)
6287c478bd9Sstevel@tonic-gate (void) printf(gettext(
6297c478bd9Sstevel@tonic-gate "Kerberos V5: could not get default ccache - %s\r\n"),
6307c478bd9Sstevel@tonic-gate error_message(retval));
6317c478bd9Sstevel@tonic-gate return;
6327c478bd9Sstevel@tonic-gate }
6337c478bd9Sstevel@tonic-gate
6347c478bd9Sstevel@tonic-gate retval = krb5_cc_get_principal(telnet_context, ccache, &client);
6357c478bd9Sstevel@tonic-gate if (retval) {
6367c478bd9Sstevel@tonic-gate if (auth_debug_mode)
6377c478bd9Sstevel@tonic-gate (void) printf(gettext(
6387c478bd9Sstevel@tonic-gate "Kerberos V5: could not get default "
6397c478bd9Sstevel@tonic-gate "principal - %s\r\n"), error_message(retval));
6407c478bd9Sstevel@tonic-gate goto cleanup;
6417c478bd9Sstevel@tonic-gate }
6427c478bd9Sstevel@tonic-gate
6437c478bd9Sstevel@tonic-gate retval = krb5_sname_to_principal(telnet_context, RemoteHostName,
6447c478bd9Sstevel@tonic-gate "host", KRB5_NT_SRV_HST, &server);
6457c478bd9Sstevel@tonic-gate if (retval) {
6467c478bd9Sstevel@tonic-gate if (auth_debug_mode)
6477c478bd9Sstevel@tonic-gate (void) printf(gettext(
6487c478bd9Sstevel@tonic-gate "Kerberos V5: could not make server "
6497c478bd9Sstevel@tonic-gate "principal - %s\r\n"), error_message(retval));
6507c478bd9Sstevel@tonic-gate goto cleanup;
6517c478bd9Sstevel@tonic-gate }
6527c478bd9Sstevel@tonic-gate
6537c478bd9Sstevel@tonic-gate retval = krb5_auth_con_genaddrs(telnet_context, auth_context, net,
6547c478bd9Sstevel@tonic-gate KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
6557c478bd9Sstevel@tonic-gate if (retval) {
6567c478bd9Sstevel@tonic-gate if (auth_debug_mode)
6577c478bd9Sstevel@tonic-gate (void) printf(gettext(
6587c478bd9Sstevel@tonic-gate "Kerberos V5: could not gen local full "
6597c478bd9Sstevel@tonic-gate "address - %s\r\n"), error_message(retval));
6607c478bd9Sstevel@tonic-gate goto cleanup;
6617c478bd9Sstevel@tonic-gate }
6627c478bd9Sstevel@tonic-gate
6637c478bd9Sstevel@tonic-gate retval = krb5_fwd_tgt_creds(telnet_context, auth_context, 0, client,
6647c478bd9Sstevel@tonic-gate server, ccache, forward_flags & OPTS_FORWARDABLE_CREDS,
6657c478bd9Sstevel@tonic-gate &forw_creds);
6667c478bd9Sstevel@tonic-gate if (retval) {
6677c478bd9Sstevel@tonic-gate if (auth_debug_mode)
6687c478bd9Sstevel@tonic-gate (void) printf(gettext(
6697c478bd9Sstevel@tonic-gate "Kerberos V5: error getting forwarded "
6707c478bd9Sstevel@tonic-gate "creds - %s\r\n"), error_message(retval));
6717c478bd9Sstevel@tonic-gate goto cleanup;
6727c478bd9Sstevel@tonic-gate }
6737c478bd9Sstevel@tonic-gate
6747c478bd9Sstevel@tonic-gate /* Send forwarded credentials */
6757c478bd9Sstevel@tonic-gate if (!krb5_send_data(ap, KRB_FORWARD, forw_creds.data,
6767c478bd9Sstevel@tonic-gate forw_creds.length)) {
6777c478bd9Sstevel@tonic-gate if (auth_debug_mode)
6787c478bd9Sstevel@tonic-gate (void) printf(gettext(
6797c478bd9Sstevel@tonic-gate "Not enough room for authentication data\r\n"));
6807c478bd9Sstevel@tonic-gate } else if (auth_debug_mode)
6817c478bd9Sstevel@tonic-gate (void) printf(gettext(
6827c478bd9Sstevel@tonic-gate "Forwarded local Kerberos V5 credentials to server\r\n"));
6837c478bd9Sstevel@tonic-gate cleanup:
6847c478bd9Sstevel@tonic-gate if (client)
6857c478bd9Sstevel@tonic-gate krb5_free_principal(telnet_context, client);
6867c478bd9Sstevel@tonic-gate if (server)
6877c478bd9Sstevel@tonic-gate krb5_free_principal(telnet_context, server);
6887c478bd9Sstevel@tonic-gate if (forw_creds.data)
6897c478bd9Sstevel@tonic-gate free(forw_creds.data);
6907c478bd9Sstevel@tonic-gate /* LINTED */
6917c478bd9Sstevel@tonic-gate krb5_cc_close(telnet_context, ccache);
6927c478bd9Sstevel@tonic-gate }
693