pam_ksu.c revision 1.6.10.1
1 1.6.10.1 tls /* $NetBSD: pam_ksu.c,v 1.6.10.1 2014/08/20 00:02:19 tls Exp $ */ 2 1.2 christos 3 1.1 christos /*- 4 1.1 christos * Copyright (c) 2002 Jacques A. Vidrine <nectar (at) FreeBSD.org> 5 1.1 christos * All rights reserved. 6 1.1 christos * 7 1.1 christos * Redistribution and use in source and binary forms, with or without 8 1.1 christos * modification, are permitted provided that the following conditions 9 1.1 christos * are met: 10 1.1 christos * 1. Redistributions of source code must retain the above copyright 11 1.1 christos * notice, this list of conditions and the following disclaimer. 12 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 christos * notice, this list of conditions and the following disclaimer in the 14 1.1 christos * documentation and/or other materials provided with the distribution. 15 1.1 christos * 16 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 1.1 christos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 1.1 christos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 1.1 christos * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 1.1 christos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 1.1 christos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 1.1 christos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 1.1 christos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 1.1 christos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 1.1 christos * SUCH DAMAGE. 27 1.1 christos */ 28 1.1 christos #include <sys/cdefs.h> 29 1.2 christos #ifdef __FreeBSD__ 30 1.1 christos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); 31 1.2 christos #else 32 1.6.10.1 tls __RCSID("$NetBSD: pam_ksu.c,v 1.6.10.1 2014/08/20 00:02:19 tls Exp $"); 33 1.2 christos #endif 34 1.1 christos 35 1.1 christos #include <sys/param.h> 36 1.1 christos #include <errno.h> 37 1.1 christos #include <stdio.h> 38 1.1 christos #include <stdlib.h> 39 1.1 christos #include <string.h> 40 1.1 christos #include <unistd.h> 41 1.1 christos 42 1.2 christos #include <krb5/krb5.h> 43 1.1 christos 44 1.1 christos #define PAM_SM_AUTH 45 1.1 christos #define PAM_SM_CRED 46 1.1 christos #include <security/pam_appl.h> 47 1.1 christos #include <security/pam_modules.h> 48 1.1 christos #include <security/pam_mod_misc.h> 49 1.1 christos 50 1.1 christos static const char superuser[] = "root"; 51 1.1 christos 52 1.3 christos #define PASSWORD_PROMPT "%s's password:" 53 1.3 christos 54 1.5 christos static void log_krb5(krb5_context, krb5_error_code, const char *, ...) 55 1.5 christos __printflike(3, 4); 56 1.6.10.1 tls static krb5_error_code get_su_principal(krb5_context, const char *, 57 1.6.10.1 tls const char *, char **, krb5_principal *); 58 1.1 christos static int auth_krb5(pam_handle_t *, krb5_context, const char *, 59 1.1 christos krb5_principal); 60 1.1 christos 61 1.1 christos PAM_EXTERN int 62 1.1 christos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 63 1.1 christos int argc __unused, const char *argv[] __unused) 64 1.1 christos { 65 1.1 christos krb5_context context; 66 1.1 christos krb5_principal su_principal; 67 1.1 christos const char *user; 68 1.1 christos const void *ruser; 69 1.1 christos char *su_principal_name; 70 1.6.10.1 tls krb5_error_code rv; 71 1.1 christos int pamret; 72 1.1 christos 73 1.1 christos pamret = pam_get_user(pamh, &user, NULL); 74 1.1 christos if (pamret != PAM_SUCCESS) 75 1.1 christos return (pamret); 76 1.1 christos PAM_LOG("Got user: %s", user); 77 1.1 christos pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 78 1.1 christos if (pamret != PAM_SUCCESS) 79 1.1 christos return (pamret); 80 1.1 christos PAM_LOG("Got ruser: %s", (const char *)ruser); 81 1.1 christos rv = krb5_init_context(&context); 82 1.1 christos if (rv != 0) { 83 1.5 christos log_krb5(context, rv, "krb5_init_context failed"); 84 1.1 christos return (PAM_SERVICE_ERR); 85 1.1 christos } 86 1.1 christos rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 87 1.1 christos if (rv != 0) 88 1.1 christos return (PAM_AUTH_ERR); 89 1.1 christos PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 90 1.1 christos rv = krb5_kuserok(context, su_principal, user); 91 1.1 christos pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 92 1.1 christos free(su_principal_name); 93 1.1 christos krb5_free_principal(context, su_principal); 94 1.1 christos krb5_free_context(context); 95 1.1 christos return (pamret); 96 1.1 christos } 97 1.1 christos 98 1.1 christos PAM_EXTERN int 99 1.1 christos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 100 1.1 christos int ac __unused, const char *av[] __unused) 101 1.1 christos { 102 1.1 christos 103 1.1 christos return (PAM_SUCCESS); 104 1.1 christos } 105 1.1 christos 106 1.1 christos /* Authenticate using Kerberos 5. 107 1.1 christos * pamh -- The PAM handle. 108 1.1 christos * context -- An initialized krb5_context. 109 1.1 christos * su_principal_name -- The target principal name, used only for password prompts. 110 1.1 christos * If NULL, the password prompts will not include a principal 111 1.1 christos * name. 112 1.1 christos * su_principal -- The target krb5_principal. 113 1.1 christos * Note that a valid keytab in the default location with a host entry 114 1.1 christos * must be available, and that the PAM application must have sufficient 115 1.1 christos * privileges to access it. 116 1.1 christos * Returns PAM_SUCCESS if authentication was successful, or an appropriate 117 1.1 christos * PAM error code if it was not. 118 1.1 christos */ 119 1.1 christos static int 120 1.1 christos auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 121 1.1 christos krb5_principal su_principal) 122 1.1 christos { 123 1.1 christos krb5_creds creds; 124 1.4 elric krb5_get_init_creds_opt *gic_opt; 125 1.1 christos krb5_verify_init_creds_opt vic_opt; 126 1.1 christos const char *pass; 127 1.3 christos char prompt[80]; 128 1.6.10.1 tls krb5_error_code rv; 129 1.1 christos int pamret; 130 1.1 christos 131 1.4 elric rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 132 1.4 elric if (rv != 0) { 133 1.5 christos log_krb5(context, rv, "krb5_get_init_creds_opt_alloc"); 134 1.4 elric return (PAM_SERVICE_ERR); 135 1.4 elric } 136 1.1 christos krb5_verify_init_creds_opt_init(&vic_opt); 137 1.1 christos if (su_principal_name != NULL) 138 1.3 christos (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, 139 1.3 christos su_principal_name); 140 1.1 christos else 141 1.3 christos (void)snprintf(prompt, sizeof(prompt), "Password:"); 142 1.1 christos pass = NULL; 143 1.1 christos pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 144 1.1 christos if (pamret != PAM_SUCCESS) 145 1.1 christos return (pamret); 146 1.1 christos rv = krb5_get_init_creds_password(context, &creds, su_principal, 147 1.4 elric pass, NULL, NULL, 0, NULL, gic_opt); 148 1.1 christos if (rv != 0) { 149 1.5 christos log_krb5(context, rv, "krb5_get_init_creds_password"); 150 1.1 christos return (PAM_AUTH_ERR); 151 1.1 christos } 152 1.1 christos krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 153 1.1 christos rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 154 1.1 christos &vic_opt); 155 1.1 christos krb5_free_cred_contents(context, &creds); 156 1.1 christos if (rv != 0) { 157 1.5 christos log_krb5(context, rv, "krb5_verify_init_creds"); 158 1.1 christos return (PAM_AUTH_ERR); 159 1.1 christos } 160 1.1 christos return (PAM_SUCCESS); 161 1.1 christos } 162 1.1 christos 163 1.4 elric static void 164 1.5 christos log_krb5(krb5_context ctx, krb5_error_code err, const char *fmt, ...) 165 1.4 elric { 166 1.5 christos char b1[1024], b2[1024]; 167 1.5 christos const char *errtxt; 168 1.5 christos va_list ap; 169 1.4 elric 170 1.5 christos va_start(ap, fmt); 171 1.5 christos vsnprintf(b1, sizeof(b1), fmt, ap); 172 1.5 christos va_end(ap); 173 1.5 christos if (ctx) 174 1.5 christos errtxt = krb5_get_error_message(ctx, err); 175 1.5 christos else 176 1.5 christos errtxt = NULL; 177 1.4 elric if (errtxt != NULL) { 178 1.6.10.1 tls snprintf(b2, sizeof(b2), "%s", errtxt); 179 1.4 elric krb5_free_error_message(ctx, errtxt); 180 1.4 elric } else { 181 1.6.10.1 tls snprintf(b2, sizeof(b2), "unknown %d", (int)err); 182 1.4 elric } 183 1.6.10.1 tls PAM_LOG("%s (%s)", b1, b2); 184 1.4 elric } 185 1.4 elric 186 1.1 christos /* Determine the target principal given the current user and the target user. 187 1.1 christos * context -- An initialized krb5_context. 188 1.1 christos * target_user -- The target username. 189 1.1 christos * current_user -- The current username. 190 1.1 christos * su_principal_name -- (out) The target principal name. 191 1.1 christos * su_principal -- (out) The target krb5_principal. 192 1.1 christos * When the target user is `root', the target principal will be a `root 193 1.1 christos * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 194 1.1 christos * will simply be the current user's default principal name. Note that 195 1.1 christos * in any case, if KRB5CCNAME is set and a credentials cache exists, the 196 1.1 christos * principal name found there will be the `starting point', rather than 197 1.1 christos * the ruser parameter. 198 1.1 christos * 199 1.1 christos * Returns 0 for success, or a com_err error code on failure. 200 1.1 christos */ 201 1.6.10.1 tls static krb5_error_code 202 1.1 christos get_su_principal(krb5_context context, const char *target_user, const char *current_user, 203 1.1 christos char **su_principal_name, krb5_principal *su_principal) 204 1.1 christos { 205 1.1 christos krb5_principal default_principal; 206 1.1 christos krb5_ccache ccache; 207 1.1 christos char *principal_name, *ccname, *p; 208 1.6.10.1 tls krb5_error_code rv; 209 1.1 christos uid_t euid, ruid; 210 1.1 christos 211 1.1 christos *su_principal = NULL; 212 1.1 christos default_principal = NULL; 213 1.1 christos /* Unless KRB5CCNAME was explicitly set, we won't really be able 214 1.1 christos * to look at the credentials cache since krb5_cc_default will 215 1.1 christos * look at getuid(). 216 1.1 christos */ 217 1.1 christos ruid = getuid(); 218 1.1 christos euid = geteuid(); 219 1.1 christos rv = seteuid(ruid); 220 1.1 christos if (rv != 0) 221 1.1 christos return (errno); 222 1.1 christos p = getenv("KRB5CCNAME"); 223 1.1 christos if (p != NULL) 224 1.1 christos ccname = strdup(p); 225 1.1 christos else 226 1.1 christos (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 227 1.1 christos if (ccname == NULL) 228 1.1 christos return (errno); 229 1.1 christos rv = krb5_cc_resolve(context, ccname, &ccache); 230 1.1 christos free(ccname); 231 1.1 christos if (rv == 0) { 232 1.1 christos rv = krb5_cc_get_principal(context, ccache, &default_principal); 233 1.1 christos krb5_cc_close(context, ccache); 234 1.1 christos if (rv != 0) 235 1.1 christos default_principal = NULL; /* just to be safe */ 236 1.1 christos } 237 1.1 christos rv = seteuid(euid); 238 1.1 christos if (rv != 0) 239 1.1 christos return (errno); 240 1.1 christos if (default_principal == NULL) { 241 1.1 christos rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 242 1.1 christos if (rv != 0) { 243 1.1 christos PAM_LOG("Could not determine default principal name."); 244 1.1 christos return (rv); 245 1.1 christos } 246 1.1 christos } 247 1.1 christos /* Now that we have some principal, if the target account is 248 1.1 christos * `root', then transform it into a `root' instance, e.g. 249 1.1 christos * `user (at) REA.LM' -> `user/root@REA.LM'. 250 1.1 christos */ 251 1.1 christos rv = krb5_unparse_name(context, default_principal, &principal_name); 252 1.1 christos krb5_free_principal(context, default_principal); 253 1.1 christos if (rv != 0) { 254 1.5 christos log_krb5(context, rv, "krb5_unparse_name"); 255 1.1 christos return (rv); 256 1.1 christos } 257 1.1 christos PAM_LOG("Default principal name: %s", principal_name); 258 1.1 christos if (strcmp(target_user, superuser) == 0) { 259 1.1 christos p = strrchr(principal_name, '@'); 260 1.1 christos if (p == NULL) { 261 1.1 christos PAM_LOG("malformed principal name `%s'", principal_name); 262 1.1 christos free(principal_name); 263 1.1 christos return (rv); 264 1.1 christos } 265 1.1 christos *p++ = '\0'; 266 1.1 christos *su_principal_name = NULL; 267 1.1 christos (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 268 1.1 christos free(principal_name); 269 1.1 christos } else 270 1.1 christos *su_principal_name = principal_name; 271 1.1 christos 272 1.1 christos if (*su_principal_name == NULL) 273 1.1 christos return (errno); 274 1.1 christos rv = krb5_parse_name(context, *su_principal_name, &default_principal); 275 1.1 christos if (rv != 0) { 276 1.5 christos log_krb5(context, rv, "krb5_parse_name `%s'", 277 1.5 christos *su_principal_name); 278 1.1 christos return (rv); 279 1.1 christos } 280 1.1 christos PAM_LOG("Target principal name: %s", *su_principal_name); 281 1.1 christos *su_principal = default_principal; 282 1.1 christos return (0); 283 1.1 christos } 284 1.1 christos 285 1.1 christos PAM_MODULE_ENTRY("pam_ksu"); 286
Indexes created Tue Oct 14 15:09:51 GMT 2025