Home | History | Annotate | Line # | Download | only in pam_ksu
pam_ksu.c revision 1.1.1.1
      1 /*-
      2  * Copyright (c) 2002 Jacques A. Vidrine <nectar (at) FreeBSD.org>
      3  * All rights reserved.
      4  *
      5  * Redistribution and use in source and binary forms, with or without
      6  * modification, are permitted provided that the following conditions
      7  * are met:
      8  * 1. Redistributions of source code must retain the above copyright
      9  *    notice, this list of conditions and the following disclaimer.
     10  * 2. Redistributions in binary form must reproduce the above copyright
     11  *    notice, this list of conditions and the following disclaimer in the
     12  *    documentation and/or other materials provided with the distribution.
     13  *
     14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
     15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     24  * SUCH DAMAGE.
     25  */
     26 #include <sys/cdefs.h>
     27 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $");
     28 
     29 #include <sys/param.h>
     30 #include <errno.h>
     31 #include <stdio.h>
     32 #include <stdlib.h>
     33 #include <string.h>
     34 #include <unistd.h>
     35 
     36 #include <krb5.h>
     37 
     38 #define PAM_SM_AUTH
     39 #define PAM_SM_CRED
     40 #include <security/pam_appl.h>
     41 #include <security/pam_modules.h>
     42 #include <security/pam_mod_misc.h>
     43 
     44 static const char superuser[] = "root";
     45 
     46 static long	get_su_principal(krb5_context, const char *, const char *,
     47 		    char **, krb5_principal *);
     48 static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
     49 		    krb5_principal);
     50 
     51 PAM_EXTERN int
     52 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
     53     int argc __unused, const char *argv[] __unused)
     54 {
     55 	krb5_context	 context;
     56 	krb5_principal	 su_principal;
     57 	const char	*user;
     58 	const void	*ruser;
     59 	char		*su_principal_name;
     60 	long		 rv;
     61 	int		 pamret;
     62 
     63 	pamret = pam_get_user(pamh, &user, NULL);
     64 	if (pamret != PAM_SUCCESS)
     65 		return (pamret);
     66 	PAM_LOG("Got user: %s", user);
     67 	pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
     68 	if (pamret != PAM_SUCCESS)
     69 		return (pamret);
     70 	PAM_LOG("Got ruser: %s", (const char *)ruser);
     71 	rv = krb5_init_context(&context);
     72 	if (rv != 0) {
     73 		PAM_LOG("krb5_init_context failed: %s",
     74 			krb5_get_err_text(context, rv));
     75 		return (PAM_SERVICE_ERR);
     76 	}
     77 	rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
     78 	if (rv != 0)
     79 		return (PAM_AUTH_ERR);
     80 	PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
     81 	rv = krb5_kuserok(context, su_principal, user);
     82 	pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
     83 	free(su_principal_name);
     84 	krb5_free_principal(context, su_principal);
     85 	krb5_free_context(context);
     86 	return (pamret);
     87 }
     88 
     89 PAM_EXTERN int
     90 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
     91     int ac __unused, const char *av[] __unused)
     92 {
     93 
     94 	return (PAM_SUCCESS);
     95 }
     96 
     97 /* Authenticate using Kerberos 5.
     98  *   pamh              -- The PAM handle.
     99  *   context           -- An initialized krb5_context.
    100  *   su_principal_name -- The target principal name, used only for password prompts.
    101  *              If NULL, the password prompts will not include a principal
    102  *              name.
    103  *   su_principal      -- The target krb5_principal.
    104  * Note that a valid keytab in the default location with a host entry
    105  * must be available, and that the PAM application must have sufficient
    106  * privileges to access it.
    107  * Returns PAM_SUCCESS if authentication was successful, or an appropriate
    108  * PAM error code if it was not.
    109  */
    110 static int
    111 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
    112     krb5_principal su_principal)
    113 {
    114 	krb5_creds	 creds;
    115 	krb5_get_init_creds_opt gic_opt;
    116 	krb5_verify_init_creds_opt vic_opt;
    117 	const char	*pass;
    118 	char		*prompt;
    119 	long		 rv;
    120 	int		 pamret;
    121 
    122 	prompt = NULL;
    123 	krb5_get_init_creds_opt_init(&gic_opt);
    124 	krb5_verify_init_creds_opt_init(&vic_opt);
    125 	if (su_principal_name != NULL)
    126 		(void)asprintf(&prompt, "Password for %s:", su_principal_name);
    127 	else
    128 		(void)asprintf(&prompt, "Password:");
    129 	if (prompt == NULL)
    130 		return (PAM_BUF_ERR);
    131 	pass = NULL;
    132 	pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
    133 	free(prompt);
    134 	if (pamret != PAM_SUCCESS)
    135 		return (pamret);
    136 	rv = krb5_get_init_creds_password(context, &creds, su_principal,
    137 	    pass, NULL, NULL, 0, NULL, &gic_opt);
    138 	if (rv != 0) {
    139 		PAM_LOG("krb5_get_init_creds_password: %s",
    140 			krb5_get_err_text(context, rv));
    141 		return (PAM_AUTH_ERR);
    142 	}
    143 	krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
    144 	rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
    145 	    &vic_opt);
    146 	krb5_free_cred_contents(context, &creds);
    147 	if (rv != 0) {
    148 		PAM_LOG("krb5_verify_init_creds: %s",
    149 		       krb5_get_err_text(context, rv));
    150 		return (PAM_AUTH_ERR);
    151 	}
    152 	return (PAM_SUCCESS);
    153 }
    154 
    155 /* Determine the target principal given the current user and the target user.
    156  *   context           -- An initialized krb5_context.
    157  *   target_user       -- The target username.
    158  *   current_user      -- The current username.
    159  *   su_principal_name -- (out) The target principal name.
    160  *   su_principal      -- (out) The target krb5_principal.
    161  * When the target user is `root', the target principal will be a `root
    162  * instance', e.g. `luser/root@REA.LM'.  Otherwise, the target principal
    163  * will simply be the current user's default principal name.  Note that
    164  * in any case, if KRB5CCNAME is set and a credentials cache exists, the
    165  * principal name found there will be the `starting point', rather than
    166  * the ruser parameter.
    167  *
    168  * Returns 0 for success, or a com_err error code on failure.
    169  */
    170 static long
    171 get_su_principal(krb5_context context, const char *target_user, const char *current_user,
    172     char **su_principal_name, krb5_principal *su_principal)
    173 {
    174 	krb5_principal	 default_principal;
    175 	krb5_ccache	 ccache;
    176 	char		*principal_name, *ccname, *p;
    177 	long		 rv;
    178 	uid_t		 euid, ruid;
    179 
    180 	*su_principal = NULL;
    181 	default_principal = NULL;
    182 	/* Unless KRB5CCNAME was explicitly set, we won't really be able
    183 	 * to look at the credentials cache since krb5_cc_default will
    184 	 * look at getuid().
    185 	 */
    186 	ruid = getuid();
    187 	euid = geteuid();
    188 	rv = seteuid(ruid);
    189 	if (rv != 0)
    190 		return (errno);
    191 	p = getenv("KRB5CCNAME");
    192 	if (p != NULL)
    193 		ccname = strdup(p);
    194 	else
    195 		(void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
    196 	if (ccname == NULL)
    197 		return (errno);
    198 	rv = krb5_cc_resolve(context, ccname, &ccache);
    199 	free(ccname);
    200 	if (rv == 0) {
    201 		rv = krb5_cc_get_principal(context, ccache, &default_principal);
    202 		krb5_cc_close(context, ccache);
    203 		if (rv != 0)
    204 			default_principal = NULL; /* just to be safe */
    205 	}
    206 	rv = seteuid(euid);
    207 	if (rv != 0)
    208 		return (errno);
    209 	if (default_principal == NULL) {
    210 		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
    211 		if (rv != 0) {
    212 			PAM_LOG("Could not determine default principal name.");
    213 			return (rv);
    214 		}
    215 	}
    216 	/* Now that we have some principal, if the target account is
    217 	 * `root', then transform it into a `root' instance, e.g.
    218 	 * `user (at) REA.LM' -> `user/root@REA.LM'.
    219 	 */
    220 	rv = krb5_unparse_name(context, default_principal, &principal_name);
    221 	krb5_free_principal(context, default_principal);
    222 	if (rv != 0) {
    223 		PAM_LOG("krb5_unparse_name: %s",
    224 		    krb5_get_err_text(context, rv));
    225 		return (rv);
    226 	}
    227 	PAM_LOG("Default principal name: %s", principal_name);
    228 	if (strcmp(target_user, superuser) == 0) {
    229 		p = strrchr(principal_name, '@');
    230 		if (p == NULL) {
    231 			PAM_LOG("malformed principal name `%s'", principal_name);
    232 			free(principal_name);
    233 			return (rv);
    234 		}
    235 		*p++ = '\0';
    236 		*su_principal_name = NULL;
    237 		(void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
    238 		free(principal_name);
    239 	} else
    240 		*su_principal_name = principal_name;
    241 
    242 	if (*su_principal_name == NULL)
    243 		return (errno);
    244 	rv = krb5_parse_name(context, *su_principal_name, &default_principal);
    245 	if (rv != 0) {
    246 		PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name,
    247 		    krb5_get_err_text(context, rv));
    248 		free(*su_principal_name);
    249 		return (rv);
    250 	}
    251 	PAM_LOG("Target principal name: %s", *su_principal_name);
    252 	*su_principal = default_principal;
    253 	return (0);
    254 }
    255 
    256 PAM_MODULE_ENTRY("pam_ksu");
    257