10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*3391Ssemery * Common Development and Distribution License (the "License"). 6*3391Ssemery * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 22*3391Ssemery * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 240Sstevel@tonic-gate */ 250Sstevel@tonic-gate 260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 270Sstevel@tonic-gate 280Sstevel@tonic-gate #include <security/pam_appl.h> 290Sstevel@tonic-gate #include <pwd.h> 300Sstevel@tonic-gate #include <string.h> 310Sstevel@tonic-gate #include <stdlib.h> 320Sstevel@tonic-gate #include <malloc.h> 330Sstevel@tonic-gate #include <unistd.h> 340Sstevel@tonic-gate #include <ctype.h> 350Sstevel@tonic-gate #include <syslog.h> 36781Sgtb #include <errno.h> 370Sstevel@tonic-gate 380Sstevel@tonic-gate #include "utils.h" 390Sstevel@tonic-gate 400Sstevel@tonic-gate extern const char *error_message(long); 410Sstevel@tonic-gate 420Sstevel@tonic-gate /* ******************************************************************** */ 430Sstevel@tonic-gate /* */ 440Sstevel@tonic-gate /* Utilities Functions */ 450Sstevel@tonic-gate /* */ 460Sstevel@tonic-gate /* ******************************************************************** */ 470Sstevel@tonic-gate 480Sstevel@tonic-gate /* 490Sstevel@tonic-gate * get_pw_uid(): 500Sstevel@tonic-gate * To get the uid from the passwd entry for specified user 510Sstevel@tonic-gate * It returns 0 if the user can't be found, otherwise returns 1. 520Sstevel@tonic-gate */ 530Sstevel@tonic-gate int 540Sstevel@tonic-gate get_pw_uid(char *user, uid_t *uid) 550Sstevel@tonic-gate { 560Sstevel@tonic-gate struct passwd sp; 570Sstevel@tonic-gate char buffer[1024]; 580Sstevel@tonic-gate 590Sstevel@tonic-gate if (getpwnam_r(user, &sp, buffer, sizeof (buffer)) == NULL) { 600Sstevel@tonic-gate return (0); 610Sstevel@tonic-gate } 620Sstevel@tonic-gate 630Sstevel@tonic-gate *uid = sp.pw_uid; 640Sstevel@tonic-gate 650Sstevel@tonic-gate return (1); 660Sstevel@tonic-gate } 670Sstevel@tonic-gate 680Sstevel@tonic-gate /* 690Sstevel@tonic-gate * get_pw_gid(): 700Sstevel@tonic-gate * To get the gid from the passwd entry for specified user 710Sstevel@tonic-gate * It returns 0 if the user can't be found, otherwise returns 1. 720Sstevel@tonic-gate */ 730Sstevel@tonic-gate int 740Sstevel@tonic-gate get_pw_gid(char *user, gid_t *gid) 750Sstevel@tonic-gate { 760Sstevel@tonic-gate struct passwd sp; 770Sstevel@tonic-gate char buffer[1024]; 780Sstevel@tonic-gate 790Sstevel@tonic-gate if (getpwnam_r(user, &sp, buffer, sizeof (buffer)) == NULL) { 800Sstevel@tonic-gate return (0); 810Sstevel@tonic-gate } 820Sstevel@tonic-gate 830Sstevel@tonic-gate *gid = sp.pw_gid; 840Sstevel@tonic-gate 850Sstevel@tonic-gate return (1); 860Sstevel@tonic-gate } 870Sstevel@tonic-gate 880Sstevel@tonic-gate 890Sstevel@tonic-gate /* 900Sstevel@tonic-gate * get_kmd_kuser(): 910Sstevel@tonic-gate * To get the kerberos user name for the specified user. 920Sstevel@tonic-gate * Assumes that the kuser string is allocated. It will be 930Sstevel@tonic-gate * overwritten. This saves us having to deal will allocating 940Sstevel@tonic-gate * and freeing the kuser string. 950Sstevel@tonic-gate * 960Sstevel@tonic-gate * RFC 1510 does not mention how to handle mixed case domainnames 970Sstevel@tonic-gate * while constructing client principals. So we will follow the same 980Sstevel@tonic-gate * procedure as for server principals and lowercase the domainname. 990Sstevel@tonic-gate * 1000Sstevel@tonic-gate * Returns: 1010Sstevel@tonic-gate * PAM_BUF_ERR - if there is an error from krb5_sname_to_principal(), 1020Sstevel@tonic-gate * or krb5_unparse_name() 1030Sstevel@tonic-gate * 0 - if there was no error 1040Sstevel@tonic-gate */ 1050Sstevel@tonic-gate int 1060Sstevel@tonic-gate get_kmd_kuser(krb5_context kcontext, const char *user, char *kuser, int length) 1070Sstevel@tonic-gate { 1080Sstevel@tonic-gate if (strcmp(user, ROOT_UNAME) == 0) { 1090Sstevel@tonic-gate krb5_principal princ; 1100Sstevel@tonic-gate char *name, *princname, *lasts; 1110Sstevel@tonic-gate 1120Sstevel@tonic-gate if (krb5_sname_to_principal(kcontext, NULL, ROOT_UNAME, 1130Sstevel@tonic-gate KRB5_NT_SRV_HST, &princ)) { 1140Sstevel@tonic-gate return (PAM_BUF_ERR); 1150Sstevel@tonic-gate } 1160Sstevel@tonic-gate if (krb5_unparse_name(kcontext, princ, &princname)) { 1170Sstevel@tonic-gate krb5_free_principal(kcontext, princ); 1180Sstevel@tonic-gate return (PAM_BUF_ERR); 1190Sstevel@tonic-gate } 1200Sstevel@tonic-gate /* just interested in princ name before the @REALM part */ 1210Sstevel@tonic-gate if ((name = strtok_r(princname, "@", &lasts)) == NULL) { 1220Sstevel@tonic-gate krb5_free_principal(kcontext, princ); 1230Sstevel@tonic-gate free(princname); 1240Sstevel@tonic-gate return (PAM_BUF_ERR); 1250Sstevel@tonic-gate } 1260Sstevel@tonic-gate if (strlcpy(kuser, name, length) >= length) { 1270Sstevel@tonic-gate krb5_free_principal(kcontext, princ); 1280Sstevel@tonic-gate free(princname); 1290Sstevel@tonic-gate return (PAM_BUF_ERR); 1300Sstevel@tonic-gate } 1310Sstevel@tonic-gate krb5_free_principal(kcontext, princ); 1320Sstevel@tonic-gate free(princname); 1330Sstevel@tonic-gate } else { 1340Sstevel@tonic-gate if (strlcpy(kuser, user, length) >= length) { 1350Sstevel@tonic-gate return (PAM_BUF_ERR); 1360Sstevel@tonic-gate } 1370Sstevel@tonic-gate } 1380Sstevel@tonic-gate return (0); 1390Sstevel@tonic-gate } 1400Sstevel@tonic-gate 1410Sstevel@tonic-gate /* 1420Sstevel@tonic-gate * return true (1) if the user's key is in the (default) keytab 1430Sstevel@tonic-gate */ 1440Sstevel@tonic-gate int 1450Sstevel@tonic-gate key_in_keytab(const char *user, int debug) 1460Sstevel@tonic-gate { 1470Sstevel@tonic-gate krb5_keytab kt_handle; 1480Sstevel@tonic-gate krb5_keytab_entry kt_ent; 1490Sstevel@tonic-gate char *whoami = "key_in_keytab"; 1500Sstevel@tonic-gate krb5_error_code retval = 0; 1510Sstevel@tonic-gate krb5_error_code code = 0; 1520Sstevel@tonic-gate krb5_context kcontext = NULL; 1530Sstevel@tonic-gate krb5_principal princ = NULL; 1540Sstevel@tonic-gate char kuser[2*MAXHOSTNAMELEN]; 1550Sstevel@tonic-gate 1560Sstevel@tonic-gate 1570Sstevel@tonic-gate if (debug) 158*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 1590Sstevel@tonic-gate "PAM-KRB5 (%s): start for user '%s'", 1600Sstevel@tonic-gate whoami, user ? user : "<null>"); 1610Sstevel@tonic-gate 1620Sstevel@tonic-gate if (!user) 1630Sstevel@tonic-gate return (retval); 1640Sstevel@tonic-gate 1650Sstevel@tonic-gate /* need to free context with krb5_free_context */ 1660Sstevel@tonic-gate if (code = krb5_init_context(&kcontext)) { 1670Sstevel@tonic-gate if (debug) 168*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 1690Sstevel@tonic-gate "PAM-KRB5 (%s): Error initializing " 1700Sstevel@tonic-gate "krb5: %s", whoami, 1710Sstevel@tonic-gate error_message(code)); 1720Sstevel@tonic-gate return (retval); 1730Sstevel@tonic-gate } 1740Sstevel@tonic-gate 1750Sstevel@tonic-gate if ((code = get_kmd_kuser(kcontext, (const char *)user, kuser, 1760Sstevel@tonic-gate 2*MAXHOSTNAMELEN)) != 0) { 1770Sstevel@tonic-gate goto out; 1780Sstevel@tonic-gate } 1790Sstevel@tonic-gate 1800Sstevel@tonic-gate /* need to free princ with krb5_free_principal */ 1810Sstevel@tonic-gate if ((code = krb5_parse_name(kcontext, kuser, &princ)) != 0) { 1820Sstevel@tonic-gate if (debug) 183*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 1840Sstevel@tonic-gate "PAM-KRB5 (%s): can't parse name (%s)", 1850Sstevel@tonic-gate whoami, error_message(code)); 1860Sstevel@tonic-gate goto out; 1870Sstevel@tonic-gate } 1880Sstevel@tonic-gate 1890Sstevel@tonic-gate /* need to close keytab handle with krb5_kt_close */ 1900Sstevel@tonic-gate if ((code = krb5_kt_default(kcontext, &kt_handle))) { 1910Sstevel@tonic-gate if (debug) 192*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 1930Sstevel@tonic-gate "PAM-KRB5 (%s): krb5_kt_default failed (%s)", 1940Sstevel@tonic-gate whoami, error_message(code)); 1950Sstevel@tonic-gate goto out; 1960Sstevel@tonic-gate } 1970Sstevel@tonic-gate 1980Sstevel@tonic-gate code = krb5_kt_get_entry(kcontext, kt_handle, princ, 0, 0, &kt_ent); 1990Sstevel@tonic-gate if (code != 0) { 2000Sstevel@tonic-gate if (code == ENOENT) { 2010Sstevel@tonic-gate if (debug) 202*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 2030Sstevel@tonic-gate "PAM-KRB5 (%s): " 2040Sstevel@tonic-gate "Keytab does not exist", 2050Sstevel@tonic-gate whoami); 2060Sstevel@tonic-gate } else if (code == KRB5_KT_NOTFOUND) { 2070Sstevel@tonic-gate if (debug) 208*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 2090Sstevel@tonic-gate "PAM-KRB5 (%s): " 2100Sstevel@tonic-gate "No entry for principal " 2110Sstevel@tonic-gate "'%s' exists in keytab", 2120Sstevel@tonic-gate whoami, kuser); 2130Sstevel@tonic-gate } else { 2140Sstevel@tonic-gate if (debug) 215*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 2160Sstevel@tonic-gate "PAM-KRB5 (%s): " 2170Sstevel@tonic-gate "krb5_kt_get_entry failed (%s)", 2180Sstevel@tonic-gate whoami, error_message(code)); 2190Sstevel@tonic-gate } 2200Sstevel@tonic-gate } else { /* Key found in keytab, return success */ 2210Sstevel@tonic-gate (void) krb5_kt_free_entry(kcontext, &kt_ent); 2220Sstevel@tonic-gate if (debug) 223*3391Ssemery __pam_log(LOG_AUTH | LOG_DEBUG, 2240Sstevel@tonic-gate "PAM-KRB5 (%s): " 2250Sstevel@tonic-gate "keytab entry for '%s' found", 2260Sstevel@tonic-gate whoami, user); 2270Sstevel@tonic-gate retval = 1; 2280Sstevel@tonic-gate } 2290Sstevel@tonic-gate 2300Sstevel@tonic-gate (void) krb5_kt_close(kcontext, kt_handle); 2310Sstevel@tonic-gate out: 2320Sstevel@tonic-gate if (princ && kcontext) 2330Sstevel@tonic-gate krb5_free_principal(kcontext, princ); 2340Sstevel@tonic-gate 2350Sstevel@tonic-gate if (kcontext) 2360Sstevel@tonic-gate krb5_free_context(kcontext); 2370Sstevel@tonic-gate 2380Sstevel@tonic-gate return (retval); 2390Sstevel@tonic-gate } 240