Home | History | Annotate | Line # | Download | only in pam_ksu
      1 /*	$NetBSD: pam_ksu.c,v 1.11 2023/09/07 11:27:57 riastradh Exp $	*/
      2 
      3 /*-
      4  * Copyright (c) 2002 Jacques A. Vidrine <nectar (at) FreeBSD.org>
      5  * All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  * 1. Redistributions of source code must retain the above copyright
     11  *    notice, this list of conditions and the following disclaimer.
     12  * 2. Redistributions in binary form must reproduce the above copyright
     13  *    notice, this list of conditions and the following disclaimer in the
     14  *    documentation and/or other materials provided with the distribution.
     15  *
     16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
     17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     26  * SUCH DAMAGE.
     27  */
     28 #include <sys/cdefs.h>
     29 #ifdef __FreeBSD__
     30 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $");
     31 #else
     32 __RCSID("$NetBSD: pam_ksu.c,v 1.11 2023/09/07 11:27:57 riastradh Exp $");
     33 #endif
     34 
     35 #include <sys/param.h>
     36 #include <errno.h>
     37 #include <stdio.h>
     38 #include <stdlib.h>
     39 #include <string.h>
     40 #include <unistd.h>
     41 
     42 #include <krb5/krb5.h>
     43 
     44 #define PAM_SM_AUTH
     45 #define PAM_SM_CRED
     46 #include <security/pam_appl.h>
     47 #include <security/pam_modules.h>
     48 #include <security/pam_mod_misc.h>
     49 
     50 static const char superuser[] = "root";
     51 
     52 #define PASSWORD_PROMPT	"%s's password:"
     53 
     54 static void	log_krb5(krb5_context, krb5_error_code, const char *, ...)
     55     __printflike(3, 4);
     56 static krb5_error_code	get_su_principal(krb5_context, const char *,
     57     const char *, char **, krb5_principal *);
     58 static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
     59 		    krb5_principal);
     60 
     61 PAM_EXTERN int
     62 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
     63     int argc __unused, const char *argv[] __unused)
     64 {
     65 	krb5_boolean	 allow_homedir;
     66 	krb5_context	 context;
     67 	krb5_principal	 su_principal;
     68 	const char	*user;
     69 	const void	*ruser;
     70 	char		*su_principal_name;
     71 	krb5_error_code	 rv;
     72 	int		 pamret;
     73 
     74 	pamret = pam_get_user(pamh, &user, NULL);
     75 	if (pamret != PAM_SUCCESS)
     76 		return (pamret);
     77 	PAM_LOG("Got user: %s", user);
     78 	pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
     79 	if (pamret != PAM_SUCCESS)
     80 		return (pamret);
     81 	PAM_LOG("Got ruser: %s", (const char *)ruser);
     82 	allow_homedir = krb5_set_home_dir_access(NULL, FALSE);
     83 	rv = krb5_init_context(&context);
     84 	if (rv != 0) {
     85 		log_krb5(context, rv, "krb5_init_context failed");
     86 		pamret = PAM_SERVICE_ERR;
     87 		goto out;
     88 	}
     89 	rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
     90 	if (rv != 0) {
     91 		pamret = PAM_AUTH_ERR;
     92 		goto out;
     93 	}
     94 	PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
     95 	(void)krb5_set_home_dir_access(NULL, TRUE); /* ~user/.k5login */
     96 	rv = krb5_kuserok(context, su_principal, user);
     97 	(void)krb5_set_home_dir_access(NULL, FALSE);
     98 	pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
     99 	free(su_principal_name);
    100 	krb5_free_principal(context, su_principal);
    101 	krb5_free_context(context);
    102 out:	(void)krb5_set_home_dir_access(NULL, allow_homedir);
    103 	return (pamret);
    104 }
    105 
    106 PAM_EXTERN int
    107 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
    108     int ac __unused, const char *av[] __unused)
    109 {
    110 
    111 	return (PAM_SUCCESS);
    112 }
    113 
    114 /* Authenticate using Kerberos 5.
    115  *   pamh              -- The PAM handle.
    116  *   context           -- An initialized krb5_context.
    117  *   su_principal_name -- The target principal name, used only for password prompts.
    118  *              If NULL, the password prompts will not include a principal
    119  *              name.
    120  *   su_principal      -- The target krb5_principal.
    121  * Note that a valid keytab in the default location with a host entry
    122  * must be available, and that the PAM application must have sufficient
    123  * privileges to access it.
    124  * Returns PAM_SUCCESS if authentication was successful, or an appropriate
    125  * PAM error code if it was not.
    126  */
    127 static int
    128 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
    129     krb5_principal su_principal)
    130 {
    131 	krb5_creds	 creds;
    132 	krb5_get_init_creds_opt *gic_opt;
    133 	krb5_verify_init_creds_opt vic_opt;
    134 	const char	*pass;
    135 	char		 prompt[80];
    136 	krb5_error_code	 rv;
    137 	int		 pamret;
    138 
    139 	rv = krb5_get_init_creds_opt_alloc(context, &gic_opt);
    140 	if (rv != 0) {
    141 		log_krb5(context, rv, "krb5_get_init_creds_opt_alloc");
    142 		return (PAM_SERVICE_ERR);
    143 	}
    144 	krb5_verify_init_creds_opt_init(&vic_opt);
    145 	if (su_principal_name != NULL)
    146 		(void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT,
    147 		    su_principal_name);
    148 	else
    149 		(void)snprintf(prompt, sizeof(prompt), "Password:");
    150 	pass = NULL;
    151 	pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
    152 	if (pamret != PAM_SUCCESS)
    153 		return (pamret);
    154 	rv = krb5_get_init_creds_password(context, &creds, su_principal,
    155 	    pass, NULL, NULL, 0, NULL, gic_opt);
    156 	if (rv != 0) {
    157 		log_krb5(context, rv, "krb5_get_init_creds_password");
    158 		return (PAM_AUTH_ERR);
    159 	}
    160 	krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
    161 	rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
    162 	    &vic_opt);
    163 	krb5_free_cred_contents(context, &creds);
    164 	if (rv != 0) {
    165 		log_krb5(context, rv, "krb5_verify_init_creds");
    166 		return (PAM_AUTH_ERR);
    167 	}
    168 	return (PAM_SUCCESS);
    169 }
    170 
    171 static void
    172 log_krb5(krb5_context ctx, krb5_error_code err, const char *fmt, ...)
    173 {
    174 	char b1[1024], b2[1024];
    175 	const char *errtxt;
    176 	va_list ap;
    177 
    178 	va_start(ap, fmt);
    179 	vsnprintf(b1, sizeof(b1), fmt, ap);
    180 	va_end(ap);
    181 	if (ctx)
    182 		errtxt = krb5_get_error_message(ctx, err);
    183 	else
    184 		errtxt = NULL;
    185 	if (errtxt != NULL) {
    186 		snprintf(b2, sizeof(b2), "%s", errtxt);
    187 		krb5_free_error_message(ctx, errtxt);
    188 	} else {
    189 		snprintf(b2, sizeof(b2), "unknown %d", (int)err);
    190 	}
    191 	PAM_LOG("%s (%s)", b1, b2);
    192 }
    193 
    194 /* Determine the target principal given the current user and the target user.
    195  *   context           -- An initialized krb5_context.
    196  *   target_user       -- The target username.
    197  *   current_user      -- The current username.
    198  *   su_principal_name -- (out) The target principal name.
    199  *   su_principal      -- (out) The target krb5_principal.
    200  * When the target user is `root', the target principal will be a `root
    201  * instance', e.g. `luser/root@REA.LM'.  Otherwise, the target principal
    202  * will simply be the current user's default principal name.  Note that
    203  * in any case, if KRB5CCNAME is set and a credentials cache exists, the
    204  * principal name found there will be the `starting point', rather than
    205  * the ruser parameter.
    206  *
    207  * Returns 0 for success, or a com_err error code on failure.
    208  */
    209 static krb5_error_code
    210 get_su_principal(krb5_context context, const char *target_user, const char *current_user,
    211     char **su_principal_name, krb5_principal *su_principal)
    212 {
    213 	krb5_principal	 default_principal;
    214 	krb5_ccache	 ccache;
    215 	char		*principal_name, *ccname, *p;
    216 	krb5_error_code	 rv;
    217 	uid_t		 euid, ruid;
    218 
    219 	*su_principal = NULL;
    220 	default_principal = NULL;
    221 	/* Unless KRB5CCNAME was explicitly set, we won't really be able
    222 	 * to look at the credentials cache since krb5_cc_default will
    223 	 * look at getuid().
    224 	 */
    225 	ruid = getuid();
    226 	euid = geteuid();
    227 	rv = seteuid(ruid);
    228 	if (rv != 0)
    229 		return (errno);
    230 	p = getenv("KRB5CCNAME");
    231 	if (p != NULL)
    232 		ccname = strdup(p);
    233 	else
    234 		(void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
    235 	if (ccname == NULL)
    236 		return (errno);
    237 	rv = krb5_cc_resolve(context, ccname, &ccache);
    238 	free(ccname);
    239 	if (rv == 0) {
    240 		rv = krb5_cc_get_principal(context, ccache, &default_principal);
    241 		krb5_cc_close(context, ccache);
    242 		if (rv != 0)
    243 			default_principal = NULL; /* just to be safe */
    244 	}
    245 	rv = seteuid(euid);
    246 	if (rv != 0)
    247 		return (errno);
    248 	if (default_principal == NULL) {
    249 		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
    250 		if (rv != 0) {
    251 			PAM_LOG("Could not determine default principal name.");
    252 			return (rv);
    253 		}
    254 	}
    255 	/* Now that we have some principal, if the target account is
    256 	 * `root', then transform it into a `root' instance, e.g.
    257 	 * `user (at) REA.LM' -> `user/root@REA.LM'.
    258 	 */
    259 	rv = krb5_unparse_name(context, default_principal, &principal_name);
    260 	krb5_free_principal(context, default_principal);
    261 	if (rv != 0) {
    262 		log_krb5(context, rv, "krb5_unparse_name");
    263 		return (rv);
    264 	}
    265 	PAM_LOG("Default principal name: %s", principal_name);
    266 	if (strcmp(target_user, superuser) == 0) {
    267 		p = strrchr(principal_name, '@');
    268 		if (p == NULL) {
    269 			PAM_LOG("malformed principal name `%s'", principal_name);
    270 			free(principal_name);
    271 			return (rv);
    272 		}
    273 		*p++ = '\0';
    274 		*su_principal_name = NULL;
    275 		(void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
    276 		free(principal_name);
    277 	} else
    278 		*su_principal_name = principal_name;
    279 
    280 	if (*su_principal_name == NULL)
    281 		return (errno);
    282 	rv = krb5_parse_name(context, *su_principal_name, &default_principal);
    283 	if (rv != 0) {
    284 		log_krb5(context, rv, "krb5_parse_name `%s'",
    285 		    *su_principal_name);
    286 		return (rv);
    287 	}
    288 	PAM_LOG("Target principal name: %s", *su_principal_name);
    289 	*su_principal = default_principal;
    290 	return (0);
    291 }
    292 
    293 PAM_MODULE_ENTRY("pam_ksu");
    294