1 /*- 2 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 #include <sys/cdefs.h> 27 __FBSDID("$FreeBSD$"); 28 29 #include <sys/param.h> 30 #include <errno.h> 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <string.h> 34 #include <unistd.h> 35 36 #include <krb5.h> 37 38 #define PAM_SM_AUTH 39 #define PAM_SM_CRED 40 #include <security/pam_appl.h> 41 #include <security/pam_modules.h> 42 #include <security/pam_mod_misc.h> 43 44 static const char superuser[] = "root"; 45 46 static long get_su_principal(krb5_context, const char *, const char *, 47 char **, krb5_principal *); 48 static int auth_krb5(pam_handle_t *, krb5_context, const char *, 49 krb5_principal); 50 51 PAM_EXTERN int 52 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 53 int argc __unused, const char *argv[] __unused) 54 { 55 krb5_context context; 56 krb5_principal su_principal; 57 const char *user, *ruser; 58 char *su_principal_name; 59 long rv; 60 int pamret; 61 62 pamret = pam_get_user(pamh, &user, NULL); 63 if (pamret != PAM_SUCCESS) 64 return (pamret); 65 PAM_LOG("Got user: %s", user); 66 pamret = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser); 67 if (pamret != PAM_SUCCESS) 68 return (pamret); 69 PAM_LOG("Got ruser: %s", ruser); 70 rv = krb5_init_context(&context); 71 if (rv != 0) { 72 PAM_LOG("krb5_init_context failed: %s", 73 krb5_get_err_text(context, rv)); 74 return (PAM_SERVICE_ERR); 75 } 76 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 77 if (rv != 0) 78 return (PAM_AUTH_ERR); 79 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 80 rv = krb5_kuserok(context, su_principal, user); 81 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 82 free(su_principal_name); 83 krb5_free_principal(context, su_principal); 84 krb5_free_context(context); 85 return (pamret); 86 } 87 88 PAM_EXTERN int 89 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 90 int ac __unused, const char *av[] __unused) 91 { 92 93 return (PAM_SUCCESS); 94 } 95 96 /* Authenticate using Kerberos 5. 97 * pamh -- The PAM handle. 98 * context -- An initialized krb5_context. 99 * su_principal_name -- The target principal name, used only for password prompts. 100 * If NULL, the password prompts will not include a principal 101 * name. 102 * su_principal -- The target krb5_principal. 103 * Note that a valid keytab in the default location with a host entry 104 * must be available, and that the PAM application must have sufficient 105 * privileges to access it. 106 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 107 * PAM error code if it was not. 108 */ 109 static int 110 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 111 krb5_principal su_principal) 112 { 113 krb5_creds creds; 114 krb5_get_init_creds_opt gic_opt; 115 krb5_verify_init_creds_opt vic_opt; 116 const char *pass; 117 char *prompt; 118 long rv; 119 int pamret; 120 121 prompt = NULL; 122 krb5_get_init_creds_opt_init(&gic_opt); 123 krb5_verify_init_creds_opt_init(&vic_opt); 124 if (su_principal_name != NULL) 125 (void)asprintf(&prompt, "Password for %s:", su_principal_name); 126 else 127 (void)asprintf(&prompt, "Password:"); 128 if (prompt == NULL) 129 return (PAM_BUF_ERR); 130 pass = NULL; 131 (void)pam_get_item(pamh, PAM_AUTHTOK, (const void **)&pass); 132 free(prompt); 133 if (pass == NULL) { 134 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 135 if (pamret != PAM_SUCCESS) 136 return (pamret); 137 } 138 rv = krb5_get_init_creds_password(context, &creds, su_principal, 139 pass, NULL, NULL, 0, NULL, &gic_opt); 140 if (rv != 0) { 141 PAM_LOG("krb5_get_init_creds_password: %s", 142 krb5_get_err_text(context, rv)); 143 return (PAM_AUTH_ERR); 144 } 145 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 146 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 147 &vic_opt); 148 krb5_free_cred_contents(context, &creds); 149 if (rv != 0) { 150 PAM_LOG("krb5_verify_init_creds: %s", 151 krb5_get_err_text(context, rv)); 152 return (PAM_AUTH_ERR); 153 } 154 return (PAM_SUCCESS); 155 } 156 157 /* Determine the target principal given the current user and the target user. 158 * context -- An initialized krb5_context. 159 * target_user -- The target username. 160 * current_user -- The current username. 161 * su_principal_name -- (out) The target principal name. 162 * su_principal -- (out) The target krb5_principal. 163 * When the target user is `root', the target principal will be a `root 164 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 165 * will simply be the current user's default principal name. Note that 166 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 167 * principal name found there will be the `starting point', rather than 168 * the ruser parameter. 169 * 170 * Returns 0 for success, or a com_err error code on failure. 171 */ 172 static long 173 get_su_principal(krb5_context context, const char *target_user, const char *current_user, 174 char **su_principal_name, krb5_principal *su_principal) 175 { 176 krb5_principal default_principal; 177 krb5_ccache ccache; 178 char *principal_name, *ccname, *p; 179 long rv; 180 uid_t euid, ruid; 181 182 *su_principal = NULL; 183 default_principal = NULL; 184 /* Unless KRB5CCNAME was explicitly set, we won't really be able 185 * to look at the credentials cache since krb5_cc_default will 186 * look at getuid(). 187 */ 188 ruid = getuid(); 189 euid = geteuid(); 190 rv = seteuid(ruid); 191 if (rv != 0) 192 return (errno); 193 p = getenv("KRB5CCNAME"); 194 if (p != NULL) 195 ccname = strdup(p); 196 else 197 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 198 if (ccname == NULL) 199 return (errno); 200 rv = krb5_cc_resolve(context, ccname, &ccache); 201 free(ccname); 202 if (rv == 0) { 203 rv = krb5_cc_get_principal(context, ccache, &default_principal); 204 krb5_cc_close(context, ccache); 205 if (rv != 0) 206 default_principal = NULL; /* just to be safe */ 207 } 208 rv = seteuid(euid); 209 if (rv != 0) 210 return (errno); 211 if (default_principal == NULL) { 212 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 213 if (rv != 0) { 214 PAM_LOG("Could not determine default principal name."); 215 return (rv); 216 } 217 } 218 /* Now that we have some principal, if the target account is 219 * `root', then transform it into a `root' instance, e.g. 220 * `user@REA.LM' -> `user/root@REA.LM'. 221 */ 222 rv = krb5_unparse_name(context, default_principal, &principal_name); 223 krb5_free_principal(context, default_principal); 224 if (rv != 0) { 225 PAM_LOG("krb5_unparse_name: %s", 226 krb5_get_err_text(context, rv)); 227 return (rv); 228 } 229 PAM_LOG("Default principal name: %s", principal_name); 230 if (strcmp(target_user, superuser) == 0) { 231 p = strrchr(principal_name, '@'); 232 if (p == NULL) { 233 PAM_LOG("malformed principal name `%s'", principal_name); 234 free(principal_name); 235 return (rv); 236 } 237 *p++ = '\0'; 238 *su_principal_name = NULL; 239 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 240 free(principal_name); 241 } else 242 *su_principal_name = principal_name; 243 244 if (*su_principal_name == NULL) 245 return (errno); 246 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 247 if (rv != 0) { 248 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, 249 krb5_get_err_text(context, rv)); 250 free(*su_principal_name); 251 return (rv); 252 } 253 PAM_LOG("Target principal name: %s", *su_principal_name); 254 *su_principal = default_principal; 255 return (0); 256 } 257 258 PAM_MODULE_ENTRY("pam_ksu"); 259