10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53391Ssemery * Common Development and Distribution License (the "License").
63391Ssemery * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*8991SPeter.Shoults@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #include <security/pam_appl.h>
270Sstevel@tonic-gate #include <pwd.h>
280Sstevel@tonic-gate #include <string.h>
290Sstevel@tonic-gate #include <stdlib.h>
300Sstevel@tonic-gate #include <malloc.h>
310Sstevel@tonic-gate #include <unistd.h>
320Sstevel@tonic-gate #include <ctype.h>
330Sstevel@tonic-gate #include <syslog.h>
34781Sgtb #include <errno.h>
350Sstevel@tonic-gate
360Sstevel@tonic-gate #include "utils.h"
370Sstevel@tonic-gate
380Sstevel@tonic-gate extern const char *error_message(long);
390Sstevel@tonic-gate
400Sstevel@tonic-gate /* ******************************************************************** */
410Sstevel@tonic-gate /* */
420Sstevel@tonic-gate /* Utilities Functions */
430Sstevel@tonic-gate /* */
440Sstevel@tonic-gate /* ******************************************************************** */
450Sstevel@tonic-gate
460Sstevel@tonic-gate /*
470Sstevel@tonic-gate * get_pw_uid():
480Sstevel@tonic-gate * To get the uid from the passwd entry for specified user
490Sstevel@tonic-gate * It returns 0 if the user can't be found, otherwise returns 1.
500Sstevel@tonic-gate */
510Sstevel@tonic-gate int
get_pw_uid(char * user,uid_t * uid)520Sstevel@tonic-gate get_pw_uid(char *user, uid_t *uid)
530Sstevel@tonic-gate {
540Sstevel@tonic-gate struct passwd sp;
550Sstevel@tonic-gate char buffer[1024];
560Sstevel@tonic-gate
570Sstevel@tonic-gate if (getpwnam_r(user, &sp, buffer, sizeof (buffer)) == NULL) {
580Sstevel@tonic-gate return (0);
590Sstevel@tonic-gate }
600Sstevel@tonic-gate
610Sstevel@tonic-gate *uid = sp.pw_uid;
620Sstevel@tonic-gate
630Sstevel@tonic-gate return (1);
640Sstevel@tonic-gate }
650Sstevel@tonic-gate
660Sstevel@tonic-gate /*
670Sstevel@tonic-gate * get_pw_gid():
680Sstevel@tonic-gate * To get the gid from the passwd entry for specified user
690Sstevel@tonic-gate * It returns 0 if the user can't be found, otherwise returns 1.
700Sstevel@tonic-gate */
710Sstevel@tonic-gate int
get_pw_gid(char * user,gid_t * gid)720Sstevel@tonic-gate get_pw_gid(char *user, gid_t *gid)
730Sstevel@tonic-gate {
740Sstevel@tonic-gate struct passwd sp;
750Sstevel@tonic-gate char buffer[1024];
760Sstevel@tonic-gate
770Sstevel@tonic-gate if (getpwnam_r(user, &sp, buffer, sizeof (buffer)) == NULL) {
780Sstevel@tonic-gate return (0);
790Sstevel@tonic-gate }
800Sstevel@tonic-gate
810Sstevel@tonic-gate *gid = sp.pw_gid;
820Sstevel@tonic-gate
830Sstevel@tonic-gate return (1);
840Sstevel@tonic-gate }
850Sstevel@tonic-gate
860Sstevel@tonic-gate
870Sstevel@tonic-gate /*
880Sstevel@tonic-gate * get_kmd_kuser():
890Sstevel@tonic-gate * To get the kerberos user name for the specified user.
900Sstevel@tonic-gate * Assumes that the kuser string is allocated. It will be
910Sstevel@tonic-gate * overwritten. This saves us having to deal will allocating
920Sstevel@tonic-gate * and freeing the kuser string.
930Sstevel@tonic-gate *
940Sstevel@tonic-gate * RFC 1510 does not mention how to handle mixed case domainnames
950Sstevel@tonic-gate * while constructing client principals. So we will follow the same
960Sstevel@tonic-gate * procedure as for server principals and lowercase the domainname.
970Sstevel@tonic-gate *
980Sstevel@tonic-gate * Returns:
990Sstevel@tonic-gate * PAM_BUF_ERR - if there is an error from krb5_sname_to_principal(),
1000Sstevel@tonic-gate * or krb5_unparse_name()
1010Sstevel@tonic-gate * 0 - if there was no error
1020Sstevel@tonic-gate */
1030Sstevel@tonic-gate int
get_kmd_kuser(krb5_context kcontext,const char * user,char * kuser,int length)1040Sstevel@tonic-gate get_kmd_kuser(krb5_context kcontext, const char *user, char *kuser, int length)
1050Sstevel@tonic-gate {
1060Sstevel@tonic-gate if (strcmp(user, ROOT_UNAME) == 0) {
1070Sstevel@tonic-gate krb5_principal princ;
1080Sstevel@tonic-gate char *name, *princname, *lasts;
1090Sstevel@tonic-gate
1100Sstevel@tonic-gate if (krb5_sname_to_principal(kcontext, NULL, ROOT_UNAME,
1110Sstevel@tonic-gate KRB5_NT_SRV_HST, &princ)) {
1120Sstevel@tonic-gate return (PAM_BUF_ERR);
1130Sstevel@tonic-gate }
1140Sstevel@tonic-gate if (krb5_unparse_name(kcontext, princ, &princname)) {
1150Sstevel@tonic-gate krb5_free_principal(kcontext, princ);
1160Sstevel@tonic-gate return (PAM_BUF_ERR);
1170Sstevel@tonic-gate }
1180Sstevel@tonic-gate /* just interested in princ name before the @REALM part */
1190Sstevel@tonic-gate if ((name = strtok_r(princname, "@", &lasts)) == NULL) {
1200Sstevel@tonic-gate krb5_free_principal(kcontext, princ);
1210Sstevel@tonic-gate free(princname);
1220Sstevel@tonic-gate return (PAM_BUF_ERR);
1230Sstevel@tonic-gate }
1240Sstevel@tonic-gate if (strlcpy(kuser, name, length) >= length) {
1250Sstevel@tonic-gate krb5_free_principal(kcontext, princ);
1260Sstevel@tonic-gate free(princname);
1270Sstevel@tonic-gate return (PAM_BUF_ERR);
1280Sstevel@tonic-gate }
1290Sstevel@tonic-gate krb5_free_principal(kcontext, princ);
1300Sstevel@tonic-gate free(princname);
1310Sstevel@tonic-gate } else {
1320Sstevel@tonic-gate if (strlcpy(kuser, user, length) >= length) {
1330Sstevel@tonic-gate return (PAM_BUF_ERR);
1340Sstevel@tonic-gate }
1350Sstevel@tonic-gate }
1360Sstevel@tonic-gate return (0);
1370Sstevel@tonic-gate }
1380Sstevel@tonic-gate
1390Sstevel@tonic-gate /*
1400Sstevel@tonic-gate * return true (1) if the user's key is in the (default) keytab
1410Sstevel@tonic-gate */
1420Sstevel@tonic-gate int
key_in_keytab(const char * user,int debug)1430Sstevel@tonic-gate key_in_keytab(const char *user, int debug)
1440Sstevel@tonic-gate {
1450Sstevel@tonic-gate krb5_keytab kt_handle;
1460Sstevel@tonic-gate krb5_keytab_entry kt_ent;
1470Sstevel@tonic-gate char *whoami = "key_in_keytab";
1480Sstevel@tonic-gate krb5_error_code retval = 0;
1490Sstevel@tonic-gate krb5_error_code code = 0;
1500Sstevel@tonic-gate krb5_context kcontext = NULL;
1510Sstevel@tonic-gate krb5_principal princ = NULL;
1520Sstevel@tonic-gate char kuser[2*MAXHOSTNAMELEN];
1530Sstevel@tonic-gate
1540Sstevel@tonic-gate
1550Sstevel@tonic-gate if (debug)
1563391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
1570Sstevel@tonic-gate "PAM-KRB5 (%s): start for user '%s'",
1580Sstevel@tonic-gate whoami, user ? user : "<null>");
1590Sstevel@tonic-gate
1600Sstevel@tonic-gate if (!user)
1610Sstevel@tonic-gate return (retval);
1620Sstevel@tonic-gate
1630Sstevel@tonic-gate /* need to free context with krb5_free_context */
164*8991SPeter.Shoults@Sun.COM if (code = krb5_init_secure_context(&kcontext)) {
1650Sstevel@tonic-gate if (debug)
1663391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
1670Sstevel@tonic-gate "PAM-KRB5 (%s): Error initializing "
1680Sstevel@tonic-gate "krb5: %s", whoami,
1690Sstevel@tonic-gate error_message(code));
1700Sstevel@tonic-gate return (retval);
1710Sstevel@tonic-gate }
1720Sstevel@tonic-gate
1730Sstevel@tonic-gate if ((code = get_kmd_kuser(kcontext, (const char *)user, kuser,
1740Sstevel@tonic-gate 2*MAXHOSTNAMELEN)) != 0) {
1750Sstevel@tonic-gate goto out;
1760Sstevel@tonic-gate }
1770Sstevel@tonic-gate
1780Sstevel@tonic-gate /* need to free princ with krb5_free_principal */
1790Sstevel@tonic-gate if ((code = krb5_parse_name(kcontext, kuser, &princ)) != 0) {
1800Sstevel@tonic-gate if (debug)
1813391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
1820Sstevel@tonic-gate "PAM-KRB5 (%s): can't parse name (%s)",
1830Sstevel@tonic-gate whoami, error_message(code));
1840Sstevel@tonic-gate goto out;
1850Sstevel@tonic-gate }
1860Sstevel@tonic-gate
1870Sstevel@tonic-gate /* need to close keytab handle with krb5_kt_close */
1880Sstevel@tonic-gate if ((code = krb5_kt_default(kcontext, &kt_handle))) {
1890Sstevel@tonic-gate if (debug)
1903391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
1910Sstevel@tonic-gate "PAM-KRB5 (%s): krb5_kt_default failed (%s)",
1920Sstevel@tonic-gate whoami, error_message(code));
1930Sstevel@tonic-gate goto out;
1940Sstevel@tonic-gate }
1950Sstevel@tonic-gate
1960Sstevel@tonic-gate code = krb5_kt_get_entry(kcontext, kt_handle, princ, 0, 0, &kt_ent);
1970Sstevel@tonic-gate if (code != 0) {
1980Sstevel@tonic-gate if (code == ENOENT) {
1990Sstevel@tonic-gate if (debug)
2003391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
2010Sstevel@tonic-gate "PAM-KRB5 (%s): "
2020Sstevel@tonic-gate "Keytab does not exist",
2030Sstevel@tonic-gate whoami);
2040Sstevel@tonic-gate } else if (code == KRB5_KT_NOTFOUND) {
2050Sstevel@tonic-gate if (debug)
2063391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
2070Sstevel@tonic-gate "PAM-KRB5 (%s): "
2080Sstevel@tonic-gate "No entry for principal "
2090Sstevel@tonic-gate "'%s' exists in keytab",
2100Sstevel@tonic-gate whoami, kuser);
2110Sstevel@tonic-gate } else {
2120Sstevel@tonic-gate if (debug)
2133391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
2140Sstevel@tonic-gate "PAM-KRB5 (%s): "
2150Sstevel@tonic-gate "krb5_kt_get_entry failed (%s)",
2160Sstevel@tonic-gate whoami, error_message(code));
2170Sstevel@tonic-gate }
2180Sstevel@tonic-gate } else { /* Key found in keytab, return success */
2190Sstevel@tonic-gate (void) krb5_kt_free_entry(kcontext, &kt_ent);
2200Sstevel@tonic-gate if (debug)
2213391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG,
2220Sstevel@tonic-gate "PAM-KRB5 (%s): "
2230Sstevel@tonic-gate "keytab entry for '%s' found",
2240Sstevel@tonic-gate whoami, user);
2250Sstevel@tonic-gate retval = 1;
2260Sstevel@tonic-gate }
2270Sstevel@tonic-gate
2280Sstevel@tonic-gate (void) krb5_kt_close(kcontext, kt_handle);
2290Sstevel@tonic-gate out:
2300Sstevel@tonic-gate if (princ && kcontext)
2310Sstevel@tonic-gate krb5_free_principal(kcontext, princ);
2320Sstevel@tonic-gate
2330Sstevel@tonic-gate if (kcontext)
2340Sstevel@tonic-gate krb5_free_context(kcontext);
2350Sstevel@tonic-gate
2360Sstevel@tonic-gate return (retval);
2370Sstevel@tonic-gate }
238