1 /* $NetBSD: pam_ksu.c,v 1.9 2014/02/27 18:09:38 joerg Exp $ */ 2 3 /*- 4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 #include <sys/cdefs.h> 29 #ifdef __FreeBSD__ 30 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); 31 #else 32 __RCSID("$NetBSD: pam_ksu.c,v 1.9 2014/02/27 18:09:38 joerg Exp $"); 33 #endif 34 35 #include <sys/param.h> 36 #include <errno.h> 37 #include <stdio.h> 38 #include <stdlib.h> 39 #include <string.h> 40 #include <unistd.h> 41 42 #include <krb5/krb5.h> 43 44 #define PAM_SM_AUTH 45 #define PAM_SM_CRED 46 #include <security/pam_appl.h> 47 #include <security/pam_modules.h> 48 #include <security/pam_mod_misc.h> 49 50 static const char superuser[] = "root"; 51 52 #define PASSWORD_PROMPT "%s's password:" 53 54 static void log_krb5(krb5_context, krb5_error_code, const char *, ...) 55 __printflike(3, 4); 56 static krb5_error_code get_su_principal(krb5_context, const char *, 57 const char *, char **, krb5_principal *); 58 static int auth_krb5(pam_handle_t *, krb5_context, const char *, 59 krb5_principal); 60 61 PAM_EXTERN int 62 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 63 int argc __unused, const char *argv[] __unused) 64 { 65 krb5_context context; 66 krb5_principal su_principal; 67 const char *user; 68 const void *ruser; 69 char *su_principal_name; 70 krb5_error_code rv; 71 int pamret; 72 73 pamret = pam_get_user(pamh, &user, NULL); 74 if (pamret != PAM_SUCCESS) 75 return (pamret); 76 PAM_LOG("Got user: %s", user); 77 pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 78 if (pamret != PAM_SUCCESS) 79 return (pamret); 80 PAM_LOG("Got ruser: %s", (const char *)ruser); 81 rv = krb5_init_context(&context); 82 if (rv != 0) { 83 log_krb5(context, rv, "krb5_init_context failed"); 84 return (PAM_SERVICE_ERR); 85 } 86 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 87 if (rv != 0) 88 return (PAM_AUTH_ERR); 89 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 90 rv = krb5_kuserok(context, su_principal, user); 91 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 92 free(su_principal_name); 93 krb5_free_principal(context, su_principal); 94 krb5_free_context(context); 95 return (pamret); 96 } 97 98 PAM_EXTERN int 99 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 100 int ac __unused, const char *av[] __unused) 101 { 102 103 return (PAM_SUCCESS); 104 } 105 106 /* Authenticate using Kerberos 5. 107 * pamh -- The PAM handle. 108 * context -- An initialized krb5_context. 109 * su_principal_name -- The target principal name, used only for password prompts. 110 * If NULL, the password prompts will not include a principal 111 * name. 112 * su_principal -- The target krb5_principal. 113 * Note that a valid keytab in the default location with a host entry 114 * must be available, and that the PAM application must have sufficient 115 * privileges to access it. 116 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 117 * PAM error code if it was not. 118 */ 119 static int 120 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 121 krb5_principal su_principal) 122 { 123 krb5_creds creds; 124 krb5_get_init_creds_opt *gic_opt; 125 krb5_verify_init_creds_opt vic_opt; 126 const char *pass; 127 char prompt[80]; 128 krb5_error_code rv; 129 int pamret; 130 131 rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 132 if (rv != 0) { 133 log_krb5(context, rv, "krb5_get_init_creds_opt_alloc"); 134 return (PAM_SERVICE_ERR); 135 } 136 krb5_verify_init_creds_opt_init(&vic_opt); 137 if (su_principal_name != NULL) 138 (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, 139 su_principal_name); 140 else 141 (void)snprintf(prompt, sizeof(prompt), "Password:"); 142 pass = NULL; 143 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 144 if (pamret != PAM_SUCCESS) 145 return (pamret); 146 rv = krb5_get_init_creds_password(context, &creds, su_principal, 147 pass, NULL, NULL, 0, NULL, gic_opt); 148 if (rv != 0) { 149 log_krb5(context, rv, "krb5_get_init_creds_password"); 150 return (PAM_AUTH_ERR); 151 } 152 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 153 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 154 &vic_opt); 155 krb5_free_cred_contents(context, &creds); 156 if (rv != 0) { 157 log_krb5(context, rv, "krb5_verify_init_creds"); 158 return (PAM_AUTH_ERR); 159 } 160 return (PAM_SUCCESS); 161 } 162 163 static void 164 log_krb5(krb5_context ctx, krb5_error_code err, const char *fmt, ...) 165 { 166 char b1[1024], b2[1024]; 167 const char *errtxt; 168 va_list ap; 169 170 va_start(ap, fmt); 171 vsnprintf(b1, sizeof(b1), fmt, ap); 172 va_end(ap); 173 if (ctx) 174 errtxt = krb5_get_error_message(ctx, err); 175 else 176 errtxt = NULL; 177 if (errtxt != NULL) { 178 snprintf(b2, sizeof(b2), "%s", errtxt); 179 krb5_free_error_message(ctx, errtxt); 180 } else { 181 snprintf(b2, sizeof(b2), "unknown %d", (int)err); 182 } 183 PAM_LOG("%s (%s)", b1, b2); 184 } 185 186 /* Determine the target principal given the current user and the target user. 187 * context -- An initialized krb5_context. 188 * target_user -- The target username. 189 * current_user -- The current username. 190 * su_principal_name -- (out) The target principal name. 191 * su_principal -- (out) The target krb5_principal. 192 * When the target user is `root', the target principal will be a `root 193 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 194 * will simply be the current user's default principal name. Note that 195 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 196 * principal name found there will be the `starting point', rather than 197 * the ruser parameter. 198 * 199 * Returns 0 for success, or a com_err error code on failure. 200 */ 201 static krb5_error_code 202 get_su_principal(krb5_context context, const char *target_user, const char *current_user, 203 char **su_principal_name, krb5_principal *su_principal) 204 { 205 krb5_principal default_principal; 206 krb5_ccache ccache; 207 char *principal_name, *ccname, *p; 208 krb5_error_code rv; 209 uid_t euid, ruid; 210 211 *su_principal = NULL; 212 default_principal = NULL; 213 /* Unless KRB5CCNAME was explicitly set, we won't really be able 214 * to look at the credentials cache since krb5_cc_default will 215 * look at getuid(). 216 */ 217 ruid = getuid(); 218 euid = geteuid(); 219 rv = seteuid(ruid); 220 if (rv != 0) 221 return (errno); 222 p = getenv("KRB5CCNAME"); 223 if (p != NULL) 224 ccname = strdup(p); 225 else 226 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 227 if (ccname == NULL) 228 return (errno); 229 rv = krb5_cc_resolve(context, ccname, &ccache); 230 free(ccname); 231 if (rv == 0) { 232 rv = krb5_cc_get_principal(context, ccache, &default_principal); 233 krb5_cc_close(context, ccache); 234 if (rv != 0) 235 default_principal = NULL; /* just to be safe */ 236 } 237 rv = seteuid(euid); 238 if (rv != 0) 239 return (errno); 240 if (default_principal == NULL) { 241 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 242 if (rv != 0) { 243 PAM_LOG("Could not determine default principal name."); 244 return (rv); 245 } 246 } 247 /* Now that we have some principal, if the target account is 248 * `root', then transform it into a `root' instance, e.g. 249 * `user@REA.LM' -> `user/root@REA.LM'. 250 */ 251 rv = krb5_unparse_name(context, default_principal, &principal_name); 252 krb5_free_principal(context, default_principal); 253 if (rv != 0) { 254 log_krb5(context, rv, "krb5_unparse_name"); 255 return (rv); 256 } 257 PAM_LOG("Default principal name: %s", principal_name); 258 if (strcmp(target_user, superuser) == 0) { 259 p = strrchr(principal_name, '@'); 260 if (p == NULL) { 261 PAM_LOG("malformed principal name `%s'", principal_name); 262 free(principal_name); 263 return (rv); 264 } 265 *p++ = '\0'; 266 *su_principal_name = NULL; 267 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 268 free(principal_name); 269 } else 270 *su_principal_name = principal_name; 271 272 if (*su_principal_name == NULL) 273 return (errno); 274 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 275 if (rv != 0) { 276 log_krb5(context, rv, "krb5_parse_name `%s'", 277 *su_principal_name); 278 return (rv); 279 } 280 PAM_LOG("Target principal name: %s", *su_principal_name); 281 *su_principal = default_principal; 282 return (0); 283 } 284 285 PAM_MODULE_ENTRY("pam_ksu"); 286