pam_ksu.c revision 1.2.34.1
1 1.2.34.1 jym /* $NetBSD: pam_ksu.c,v 1.2.34.1 2009/05/13 19:18:35 jym Exp $ */ 2 1.2 christos 3 1.1 christos /*- 4 1.1 christos * Copyright (c) 2002 Jacques A. Vidrine <nectar (at) FreeBSD.org> 5 1.1 christos * All rights reserved. 6 1.1 christos * 7 1.1 christos * Redistribution and use in source and binary forms, with or without 8 1.1 christos * modification, are permitted provided that the following conditions 9 1.1 christos * are met: 10 1.1 christos * 1. Redistributions of source code must retain the above copyright 11 1.1 christos * notice, this list of conditions and the following disclaimer. 12 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 christos * notice, this list of conditions and the following disclaimer in the 14 1.1 christos * documentation and/or other materials provided with the distribution. 15 1.1 christos * 16 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 1.1 christos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 1.1 christos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 1.1 christos * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 1.1 christos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 1.1 christos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 1.1 christos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 1.1 christos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 1.1 christos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 1.1 christos * SUCH DAMAGE. 27 1.1 christos */ 28 1.1 christos #include <sys/cdefs.h> 29 1.2 christos #ifdef __FreeBSD__ 30 1.1 christos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); 31 1.2 christos #else 32 1.2.34.1 jym __RCSID("$NetBSD: pam_ksu.c,v 1.2.34.1 2009/05/13 19:18:35 jym Exp $"); 33 1.2 christos #endif 34 1.1 christos 35 1.1 christos #include <sys/param.h> 36 1.1 christos #include <errno.h> 37 1.1 christos #include <stdio.h> 38 1.1 christos #include <stdlib.h> 39 1.1 christos #include <string.h> 40 1.1 christos #include <unistd.h> 41 1.1 christos 42 1.2 christos #include <krb5/krb5.h> 43 1.1 christos 44 1.1 christos #define PAM_SM_AUTH 45 1.1 christos #define PAM_SM_CRED 46 1.1 christos #include <security/pam_appl.h> 47 1.1 christos #include <security/pam_modules.h> 48 1.1 christos #include <security/pam_mod_misc.h> 49 1.1 christos 50 1.1 christos static const char superuser[] = "root"; 51 1.1 christos 52 1.2.34.1 jym #define PASSWORD_PROMPT "%s's password:" 53 1.2.34.1 jym 54 1.1 christos static long get_su_principal(krb5_context, const char *, const char *, 55 1.1 christos char **, krb5_principal *); 56 1.1 christos static int auth_krb5(pam_handle_t *, krb5_context, const char *, 57 1.1 christos krb5_principal); 58 1.1 christos 59 1.1 christos PAM_EXTERN int 60 1.1 christos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 61 1.1 christos int argc __unused, const char *argv[] __unused) 62 1.1 christos { 63 1.1 christos krb5_context context; 64 1.1 christos krb5_principal su_principal; 65 1.1 christos const char *user; 66 1.1 christos const void *ruser; 67 1.1 christos char *su_principal_name; 68 1.1 christos long rv; 69 1.1 christos int pamret; 70 1.1 christos 71 1.1 christos pamret = pam_get_user(pamh, &user, NULL); 72 1.1 christos if (pamret != PAM_SUCCESS) 73 1.1 christos return (pamret); 74 1.1 christos PAM_LOG("Got user: %s", user); 75 1.1 christos pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 76 1.1 christos if (pamret != PAM_SUCCESS) 77 1.1 christos return (pamret); 78 1.1 christos PAM_LOG("Got ruser: %s", (const char *)ruser); 79 1.1 christos rv = krb5_init_context(&context); 80 1.1 christos if (rv != 0) { 81 1.1 christos PAM_LOG("krb5_init_context failed: %s", 82 1.1 christos krb5_get_err_text(context, rv)); 83 1.1 christos return (PAM_SERVICE_ERR); 84 1.1 christos } 85 1.1 christos rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 86 1.1 christos if (rv != 0) 87 1.1 christos return (PAM_AUTH_ERR); 88 1.1 christos PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 89 1.1 christos rv = krb5_kuserok(context, su_principal, user); 90 1.1 christos pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 91 1.1 christos free(su_principal_name); 92 1.1 christos krb5_free_principal(context, su_principal); 93 1.1 christos krb5_free_context(context); 94 1.1 christos return (pamret); 95 1.1 christos } 96 1.1 christos 97 1.1 christos PAM_EXTERN int 98 1.1 christos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 99 1.1 christos int ac __unused, const char *av[] __unused) 100 1.1 christos { 101 1.1 christos 102 1.1 christos return (PAM_SUCCESS); 103 1.1 christos } 104 1.1 christos 105 1.1 christos /* Authenticate using Kerberos 5. 106 1.1 christos * pamh -- The PAM handle. 107 1.1 christos * context -- An initialized krb5_context. 108 1.1 christos * su_principal_name -- The target principal name, used only for password prompts. 109 1.1 christos * If NULL, the password prompts will not include a principal 110 1.1 christos * name. 111 1.1 christos * su_principal -- The target krb5_principal. 112 1.1 christos * Note that a valid keytab in the default location with a host entry 113 1.1 christos * must be available, and that the PAM application must have sufficient 114 1.1 christos * privileges to access it. 115 1.1 christos * Returns PAM_SUCCESS if authentication was successful, or an appropriate 116 1.1 christos * PAM error code if it was not. 117 1.1 christos */ 118 1.1 christos static int 119 1.1 christos auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 120 1.1 christos krb5_principal su_principal) 121 1.1 christos { 122 1.1 christos krb5_creds creds; 123 1.1 christos krb5_get_init_creds_opt gic_opt; 124 1.1 christos krb5_verify_init_creds_opt vic_opt; 125 1.1 christos const char *pass; 126 1.2.34.1 jym char prompt[80]; 127 1.1 christos long rv; 128 1.1 christos int pamret; 129 1.1 christos 130 1.1 christos krb5_get_init_creds_opt_init(&gic_opt); 131 1.1 christos krb5_verify_init_creds_opt_init(&vic_opt); 132 1.1 christos if (su_principal_name != NULL) 133 1.2.34.1 jym (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, 134 1.2.34.1 jym su_principal_name); 135 1.1 christos else 136 1.2.34.1 jym (void)snprintf(prompt, sizeof(prompt), "Password:"); 137 1.1 christos if (prompt == NULL) 138 1.1 christos return (PAM_BUF_ERR); 139 1.1 christos pass = NULL; 140 1.1 christos pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 141 1.1 christos if (pamret != PAM_SUCCESS) 142 1.1 christos return (pamret); 143 1.1 christos rv = krb5_get_init_creds_password(context, &creds, su_principal, 144 1.1 christos pass, NULL, NULL, 0, NULL, &gic_opt); 145 1.1 christos if (rv != 0) { 146 1.1 christos PAM_LOG("krb5_get_init_creds_password: %s", 147 1.1 christos krb5_get_err_text(context, rv)); 148 1.1 christos return (PAM_AUTH_ERR); 149 1.1 christos } 150 1.1 christos krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 151 1.1 christos rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 152 1.1 christos &vic_opt); 153 1.1 christos krb5_free_cred_contents(context, &creds); 154 1.1 christos if (rv != 0) { 155 1.1 christos PAM_LOG("krb5_verify_init_creds: %s", 156 1.1 christos krb5_get_err_text(context, rv)); 157 1.1 christos return (PAM_AUTH_ERR); 158 1.1 christos } 159 1.1 christos return (PAM_SUCCESS); 160 1.1 christos } 161 1.1 christos 162 1.1 christos /* Determine the target principal given the current user and the target user. 163 1.1 christos * context -- An initialized krb5_context. 164 1.1 christos * target_user -- The target username. 165 1.1 christos * current_user -- The current username. 166 1.1 christos * su_principal_name -- (out) The target principal name. 167 1.1 christos * su_principal -- (out) The target krb5_principal. 168 1.1 christos * When the target user is `root', the target principal will be a `root 169 1.1 christos * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 170 1.1 christos * will simply be the current user's default principal name. Note that 171 1.1 christos * in any case, if KRB5CCNAME is set and a credentials cache exists, the 172 1.1 christos * principal name found there will be the `starting point', rather than 173 1.1 christos * the ruser parameter. 174 1.1 christos * 175 1.1 christos * Returns 0 for success, or a com_err error code on failure. 176 1.1 christos */ 177 1.1 christos static long 178 1.1 christos get_su_principal(krb5_context context, const char *target_user, const char *current_user, 179 1.1 christos char **su_principal_name, krb5_principal *su_principal) 180 1.1 christos { 181 1.1 christos krb5_principal default_principal; 182 1.1 christos krb5_ccache ccache; 183 1.1 christos char *principal_name, *ccname, *p; 184 1.1 christos long rv; 185 1.1 christos uid_t euid, ruid; 186 1.1 christos 187 1.1 christos *su_principal = NULL; 188 1.1 christos default_principal = NULL; 189 1.1 christos /* Unless KRB5CCNAME was explicitly set, we won't really be able 190 1.1 christos * to look at the credentials cache since krb5_cc_default will 191 1.1 christos * look at getuid(). 192 1.1 christos */ 193 1.1 christos ruid = getuid(); 194 1.1 christos euid = geteuid(); 195 1.1 christos rv = seteuid(ruid); 196 1.1 christos if (rv != 0) 197 1.1 christos return (errno); 198 1.1 christos p = getenv("KRB5CCNAME"); 199 1.1 christos if (p != NULL) 200 1.1 christos ccname = strdup(p); 201 1.1 christos else 202 1.1 christos (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 203 1.1 christos if (ccname == NULL) 204 1.1 christos return (errno); 205 1.1 christos rv = krb5_cc_resolve(context, ccname, &ccache); 206 1.1 christos free(ccname); 207 1.1 christos if (rv == 0) { 208 1.1 christos rv = krb5_cc_get_principal(context, ccache, &default_principal); 209 1.1 christos krb5_cc_close(context, ccache); 210 1.1 christos if (rv != 0) 211 1.1 christos default_principal = NULL; /* just to be safe */ 212 1.1 christos } 213 1.1 christos rv = seteuid(euid); 214 1.1 christos if (rv != 0) 215 1.1 christos return (errno); 216 1.1 christos if (default_principal == NULL) { 217 1.1 christos rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 218 1.1 christos if (rv != 0) { 219 1.1 christos PAM_LOG("Could not determine default principal name."); 220 1.1 christos return (rv); 221 1.1 christos } 222 1.1 christos } 223 1.1 christos /* Now that we have some principal, if the target account is 224 1.1 christos * `root', then transform it into a `root' instance, e.g. 225 1.1 christos * `user (at) REA.LM' -> `user/root@REA.LM'. 226 1.1 christos */ 227 1.1 christos rv = krb5_unparse_name(context, default_principal, &principal_name); 228 1.1 christos krb5_free_principal(context, default_principal); 229 1.1 christos if (rv != 0) { 230 1.1 christos PAM_LOG("krb5_unparse_name: %s", 231 1.1 christos krb5_get_err_text(context, rv)); 232 1.1 christos return (rv); 233 1.1 christos } 234 1.1 christos PAM_LOG("Default principal name: %s", principal_name); 235 1.1 christos if (strcmp(target_user, superuser) == 0) { 236 1.1 christos p = strrchr(principal_name, '@'); 237 1.1 christos if (p == NULL) { 238 1.1 christos PAM_LOG("malformed principal name `%s'", principal_name); 239 1.1 christos free(principal_name); 240 1.1 christos return (rv); 241 1.1 christos } 242 1.1 christos *p++ = '\0'; 243 1.1 christos *su_principal_name = NULL; 244 1.1 christos (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 245 1.1 christos free(principal_name); 246 1.1 christos } else 247 1.1 christos *su_principal_name = principal_name; 248 1.1 christos 249 1.1 christos if (*su_principal_name == NULL) 250 1.1 christos return (errno); 251 1.1 christos rv = krb5_parse_name(context, *su_principal_name, &default_principal); 252 1.1 christos if (rv != 0) { 253 1.1 christos PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, 254 1.1 christos krb5_get_err_text(context, rv)); 255 1.1 christos free(*su_principal_name); 256 1.1 christos return (rv); 257 1.1 christos } 258 1.1 christos PAM_LOG("Target principal name: %s", *su_principal_name); 259 1.1 christos *su_principal = default_principal; 260 1.1 christos return (0); 261 1.1 christos } 262 1.1 christos 263 1.1 christos PAM_MODULE_ENTRY("pam_ksu"); 264
Indexes created Tue Oct 14 11:09:46 GMT 2025