pam_ksu.c revision 1.9.28.1
1 /* $NetBSD: pam_ksu.c,v 1.9.28.1 2023/06/21 22:07:06 martin Exp $ */ 2 3 /*- 4 * Copyright (c) 2002 Jacques A. Vidrine <nectar (at) FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); 31 #else 32 __RCSID("$NetBSD: pam_ksu.c,v 1.9.28.1 2023/06/21 22:07:06 martin Exp $"); 33 #endif 34 35 #include <sys/param.h> 36 #include <errno.h> 37 #include <stdio.h> 38 #include <stdlib.h> 39 #include <string.h> 40 #include <unistd.h> 41 42 #include <krb5/krb5.h> 43 44 #define PAM_SM_AUTH 45 #define PAM_SM_CRED 46 #include <security/pam_appl.h> 47 #include <security/pam_modules.h> 48 #include <security/pam_mod_misc.h> 49 50 static const char superuser[] = "root"; 51 52 #define PASSWORD_PROMPT "%s's password:" 53 54 static void log_krb5(krb5_context, krb5_error_code, const char *, ...) 55 __printflike(3, 4); 56 static krb5_error_code get_su_principal(krb5_context, const char *, 57 const char *, char **, krb5_principal *); 58 static int auth_krb5(pam_handle_t *, krb5_context, const char *, 59 krb5_principal); 60 61 PAM_EXTERN int 62 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 63 int argc __unused, const char *argv[] __unused) 64 { 65 krb5_boolean allow_homedir; 66 krb5_context context; 67 krb5_principal su_principal; 68 const char *user; 69 const void *ruser; 70 char *su_principal_name; 71 krb5_error_code rv; 72 int pamret; 73 74 pamret = pam_get_user(pamh, &user, NULL); 75 if (pamret != PAM_SUCCESS) 76 return (pamret); 77 PAM_LOG("Got user: %s", user); 78 pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 79 if (pamret != PAM_SUCCESS) 80 return (pamret); 81 PAM_LOG("Got ruser: %s", (const char *)ruser); 82 allow_homedir = krb5_set_home_dir_access(NULL, FALSE); 83 rv = krb5_init_context(&context); 84 if (rv != 0) { 85 log_krb5(context, rv, "krb5_init_context failed"); 86 pamret = PAM_SERVICE_ERR; 87 goto out; 88 } 89 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 90 if (rv != 0) { 91 pamret = PAM_AUTH_ERR; 92 goto out; 93 } 94 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 95 rv = krb5_kuserok(context, su_principal, user); 96 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 97 free(su_principal_name); 98 krb5_free_principal(context, su_principal); 99 krb5_free_context(context); 100 out: (void)krb5_set_home_dir_access(NULL, allow_homedir); 101 return (pamret); 102 } 103 104 PAM_EXTERN int 105 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 106 int ac __unused, const char *av[] __unused) 107 { 108 109 return (PAM_SUCCESS); 110 } 111 112 /* Authenticate using Kerberos 5. 113 * pamh -- The PAM handle. 114 * context -- An initialized krb5_context. 115 * su_principal_name -- The target principal name, used only for password prompts. 116 * If NULL, the password prompts will not include a principal 117 * name. 118 * su_principal -- The target krb5_principal. 119 * Note that a valid keytab in the default location with a host entry 120 * must be available, and that the PAM application must have sufficient 121 * privileges to access it. 122 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 123 * PAM error code if it was not. 124 */ 125 static int 126 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 127 krb5_principal su_principal) 128 { 129 krb5_creds creds; 130 krb5_get_init_creds_opt *gic_opt; 131 krb5_verify_init_creds_opt vic_opt; 132 const char *pass; 133 char prompt[80]; 134 krb5_error_code rv; 135 int pamret; 136 137 rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 138 if (rv != 0) { 139 log_krb5(context, rv, "krb5_get_init_creds_opt_alloc"); 140 return (PAM_SERVICE_ERR); 141 } 142 krb5_verify_init_creds_opt_init(&vic_opt); 143 if (su_principal_name != NULL) 144 (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, 145 su_principal_name); 146 else 147 (void)snprintf(prompt, sizeof(prompt), "Password:"); 148 pass = NULL; 149 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 150 if (pamret != PAM_SUCCESS) 151 return (pamret); 152 rv = krb5_get_init_creds_password(context, &creds, su_principal, 153 pass, NULL, NULL, 0, NULL, gic_opt); 154 if (rv != 0) { 155 log_krb5(context, rv, "krb5_get_init_creds_password"); 156 return (PAM_AUTH_ERR); 157 } 158 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 159 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 160 &vic_opt); 161 krb5_free_cred_contents(context, &creds); 162 if (rv != 0) { 163 log_krb5(context, rv, "krb5_verify_init_creds"); 164 return (PAM_AUTH_ERR); 165 } 166 return (PAM_SUCCESS); 167 } 168 169 static void 170 log_krb5(krb5_context ctx, krb5_error_code err, const char *fmt, ...) 171 { 172 char b1[1024], b2[1024]; 173 const char *errtxt; 174 va_list ap; 175 176 va_start(ap, fmt); 177 vsnprintf(b1, sizeof(b1), fmt, ap); 178 va_end(ap); 179 if (ctx) 180 errtxt = krb5_get_error_message(ctx, err); 181 else 182 errtxt = NULL; 183 if (errtxt != NULL) { 184 snprintf(b2, sizeof(b2), "%s", errtxt); 185 krb5_free_error_message(ctx, errtxt); 186 } else { 187 snprintf(b2, sizeof(b2), "unknown %d", (int)err); 188 } 189 PAM_LOG("%s (%s)", b1, b2); 190 } 191 192 /* Determine the target principal given the current user and the target user. 193 * context -- An initialized krb5_context. 194 * target_user -- The target username. 195 * current_user -- The current username. 196 * su_principal_name -- (out) The target principal name. 197 * su_principal -- (out) The target krb5_principal. 198 * When the target user is `root', the target principal will be a `root 199 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 200 * will simply be the current user's default principal name. Note that 201 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 202 * principal name found there will be the `starting point', rather than 203 * the ruser parameter. 204 * 205 * Returns 0 for success, or a com_err error code on failure. 206 */ 207 static krb5_error_code 208 get_su_principal(krb5_context context, const char *target_user, const char *current_user, 209 char **su_principal_name, krb5_principal *su_principal) 210 { 211 krb5_principal default_principal; 212 krb5_ccache ccache; 213 char *principal_name, *ccname, *p; 214 krb5_error_code rv; 215 uid_t euid, ruid; 216 217 *su_principal = NULL; 218 default_principal = NULL; 219 /* Unless KRB5CCNAME was explicitly set, we won't really be able 220 * to look at the credentials cache since krb5_cc_default will 221 * look at getuid(). 222 */ 223 ruid = getuid(); 224 euid = geteuid(); 225 rv = seteuid(ruid); 226 if (rv != 0) 227 return (errno); 228 p = getenv("KRB5CCNAME"); 229 if (p != NULL) 230 ccname = strdup(p); 231 else 232 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 233 if (ccname == NULL) 234 return (errno); 235 rv = krb5_cc_resolve(context, ccname, &ccache); 236 free(ccname); 237 if (rv == 0) { 238 rv = krb5_cc_get_principal(context, ccache, &default_principal); 239 krb5_cc_close(context, ccache); 240 if (rv != 0) 241 default_principal = NULL; /* just to be safe */ 242 } 243 rv = seteuid(euid); 244 if (rv != 0) 245 return (errno); 246 if (default_principal == NULL) { 247 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 248 if (rv != 0) { 249 PAM_LOG("Could not determine default principal name."); 250 return (rv); 251 } 252 } 253 /* Now that we have some principal, if the target account is 254 * `root', then transform it into a `root' instance, e.g. 255 * `user (at) REA.LM' -> `user/root@REA.LM'. 256 */ 257 rv = krb5_unparse_name(context, default_principal, &principal_name); 258 krb5_free_principal(context, default_principal); 259 if (rv != 0) { 260 log_krb5(context, rv, "krb5_unparse_name"); 261 return (rv); 262 } 263 PAM_LOG("Default principal name: %s", principal_name); 264 if (strcmp(target_user, superuser) == 0) { 265 p = strrchr(principal_name, '@'); 266 if (p == NULL) { 267 PAM_LOG("malformed principal name `%s'", principal_name); 268 free(principal_name); 269 return (rv); 270 } 271 *p++ = '\0'; 272 *su_principal_name = NULL; 273 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 274 free(principal_name); 275 } else 276 *su_principal_name = principal_name; 277 278 if (*su_principal_name == NULL) 279 return (errno); 280 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 281 if (rv != 0) { 282 log_krb5(context, rv, "krb5_parse_name `%s'", 283 *su_principal_name); 284 return (rv); 285 } 286 PAM_LOG("Target principal name: %s", *su_principal_name); 287 *su_principal = default_principal; 288 return (0); 289 } 290 291 PAM_MODULE_ENTRY("pam_ksu"); 292
Indexes created Tue Oct 14 01:09:49 GMT 2025