pam_ksu.c revision 1.2.34.1
1 /* $NetBSD: pam_ksu.c,v 1.2.34.1 2009/05/13 19:18:35 jym Exp $ */ 2 3 /*- 4 * Copyright (c) 2002 Jacques A. Vidrine <nectar (at) FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); 31 #else 32 __RCSID("$NetBSD: pam_ksu.c,v 1.2.34.1 2009/05/13 19:18:35 jym Exp $"); 33 #endif 34 35 #include <sys/param.h> 36 #include <errno.h> 37 #include <stdio.h> 38 #include <stdlib.h> 39 #include <string.h> 40 #include <unistd.h> 41 42 #include <krb5/krb5.h> 43 44 #define PAM_SM_AUTH 45 #define PAM_SM_CRED 46 #include <security/pam_appl.h> 47 #include <security/pam_modules.h> 48 #include <security/pam_mod_misc.h> 49 50 static const char superuser[] = "root"; 51 52 #define PASSWORD_PROMPT "%s's password:" 53 54 static long get_su_principal(krb5_context, const char *, const char *, 55 char **, krb5_principal *); 56 static int auth_krb5(pam_handle_t *, krb5_context, const char *, 57 krb5_principal); 58 59 PAM_EXTERN int 60 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 61 int argc __unused, const char *argv[] __unused) 62 { 63 krb5_context context; 64 krb5_principal su_principal; 65 const char *user; 66 const void *ruser; 67 char *su_principal_name; 68 long rv; 69 int pamret; 70 71 pamret = pam_get_user(pamh, &user, NULL); 72 if (pamret != PAM_SUCCESS) 73 return (pamret); 74 PAM_LOG("Got user: %s", user); 75 pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 76 if (pamret != PAM_SUCCESS) 77 return (pamret); 78 PAM_LOG("Got ruser: %s", (const char *)ruser); 79 rv = krb5_init_context(&context); 80 if (rv != 0) { 81 PAM_LOG("krb5_init_context failed: %s", 82 krb5_get_err_text(context, rv)); 83 return (PAM_SERVICE_ERR); 84 } 85 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 86 if (rv != 0) 87 return (PAM_AUTH_ERR); 88 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 89 rv = krb5_kuserok(context, su_principal, user); 90 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 91 free(su_principal_name); 92 krb5_free_principal(context, su_principal); 93 krb5_free_context(context); 94 return (pamret); 95 } 96 97 PAM_EXTERN int 98 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 99 int ac __unused, const char *av[] __unused) 100 { 101 102 return (PAM_SUCCESS); 103 } 104 105 /* Authenticate using Kerberos 5. 106 * pamh -- The PAM handle. 107 * context -- An initialized krb5_context. 108 * su_principal_name -- The target principal name, used only for password prompts. 109 * If NULL, the password prompts will not include a principal 110 * name. 111 * su_principal -- The target krb5_principal. 112 * Note that a valid keytab in the default location with a host entry 113 * must be available, and that the PAM application must have sufficient 114 * privileges to access it. 115 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 116 * PAM error code if it was not. 117 */ 118 static int 119 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 120 krb5_principal su_principal) 121 { 122 krb5_creds creds; 123 krb5_get_init_creds_opt gic_opt; 124 krb5_verify_init_creds_opt vic_opt; 125 const char *pass; 126 char prompt[80]; 127 long rv; 128 int pamret; 129 130 krb5_get_init_creds_opt_init(&gic_opt); 131 krb5_verify_init_creds_opt_init(&vic_opt); 132 if (su_principal_name != NULL) 133 (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, 134 su_principal_name); 135 else 136 (void)snprintf(prompt, sizeof(prompt), "Password:"); 137 if (prompt == NULL) 138 return (PAM_BUF_ERR); 139 pass = NULL; 140 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 141 if (pamret != PAM_SUCCESS) 142 return (pamret); 143 rv = krb5_get_init_creds_password(context, &creds, su_principal, 144 pass, NULL, NULL, 0, NULL, &gic_opt); 145 if (rv != 0) { 146 PAM_LOG("krb5_get_init_creds_password: %s", 147 krb5_get_err_text(context, rv)); 148 return (PAM_AUTH_ERR); 149 } 150 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 151 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 152 &vic_opt); 153 krb5_free_cred_contents(context, &creds); 154 if (rv != 0) { 155 PAM_LOG("krb5_verify_init_creds: %s", 156 krb5_get_err_text(context, rv)); 157 return (PAM_AUTH_ERR); 158 } 159 return (PAM_SUCCESS); 160 } 161 162 /* Determine the target principal given the current user and the target user. 163 * context -- An initialized krb5_context. 164 * target_user -- The target username. 165 * current_user -- The current username. 166 * su_principal_name -- (out) The target principal name. 167 * su_principal -- (out) The target krb5_principal. 168 * When the target user is `root', the target principal will be a `root 169 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 170 * will simply be the current user's default principal name. Note that 171 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 172 * principal name found there will be the `starting point', rather than 173 * the ruser parameter. 174 * 175 * Returns 0 for success, or a com_err error code on failure. 176 */ 177 static long 178 get_su_principal(krb5_context context, const char *target_user, const char *current_user, 179 char **su_principal_name, krb5_principal *su_principal) 180 { 181 krb5_principal default_principal; 182 krb5_ccache ccache; 183 char *principal_name, *ccname, *p; 184 long rv; 185 uid_t euid, ruid; 186 187 *su_principal = NULL; 188 default_principal = NULL; 189 /* Unless KRB5CCNAME was explicitly set, we won't really be able 190 * to look at the credentials cache since krb5_cc_default will 191 * look at getuid(). 192 */ 193 ruid = getuid(); 194 euid = geteuid(); 195 rv = seteuid(ruid); 196 if (rv != 0) 197 return (errno); 198 p = getenv("KRB5CCNAME"); 199 if (p != NULL) 200 ccname = strdup(p); 201 else 202 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 203 if (ccname == NULL) 204 return (errno); 205 rv = krb5_cc_resolve(context, ccname, &ccache); 206 free(ccname); 207 if (rv == 0) { 208 rv = krb5_cc_get_principal(context, ccache, &default_principal); 209 krb5_cc_close(context, ccache); 210 if (rv != 0) 211 default_principal = NULL; /* just to be safe */ 212 } 213 rv = seteuid(euid); 214 if (rv != 0) 215 return (errno); 216 if (default_principal == NULL) { 217 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 218 if (rv != 0) { 219 PAM_LOG("Could not determine default principal name."); 220 return (rv); 221 } 222 } 223 /* Now that we have some principal, if the target account is 224 * `root', then transform it into a `root' instance, e.g. 225 * `user (at) REA.LM' -> `user/root@REA.LM'. 226 */ 227 rv = krb5_unparse_name(context, default_principal, &principal_name); 228 krb5_free_principal(context, default_principal); 229 if (rv != 0) { 230 PAM_LOG("krb5_unparse_name: %s", 231 krb5_get_err_text(context, rv)); 232 return (rv); 233 } 234 PAM_LOG("Default principal name: %s", principal_name); 235 if (strcmp(target_user, superuser) == 0) { 236 p = strrchr(principal_name, '@'); 237 if (p == NULL) { 238 PAM_LOG("malformed principal name `%s'", principal_name); 239 free(principal_name); 240 return (rv); 241 } 242 *p++ = '\0'; 243 *su_principal_name = NULL; 244 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 245 free(principal_name); 246 } else 247 *su_principal_name = principal_name; 248 249 if (*su_principal_name == NULL) 250 return (errno); 251 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 252 if (rv != 0) { 253 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, 254 krb5_get_err_text(context, rv)); 255 free(*su_principal_name); 256 return (rv); 257 } 258 PAM_LOG("Target principal name: %s", *su_principal_name); 259 *su_principal = default_principal; 260 return (0); 261 } 262 263 PAM_MODULE_ENTRY("pam_ksu"); 264
Indexes created Tue Oct 14 01:09:49 GMT 2025