1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/param.h> 32 #include <errno.h> 33 #include <stdio.h> 34 #include <stdlib.h> 35 #include <string.h> 36 #include <unistd.h> 37 38 #include <krb5.h> 39 40 #define PAM_SM_AUTH 41 #define PAM_SM_CRED 42 #include <security/pam_appl.h> 43 #include <security/pam_modules.h> 44 #include <security/pam_mod_misc.h> 45 46 static const char superuser[] = "root"; 47 48 static long get_su_principal(krb5_context, const char *, const char *, 49 char **, krb5_principal *); 50 static int auth_krb5(pam_handle_t *, krb5_context, const char *, 51 krb5_principal); 52 53 PAM_EXTERN int 54 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 55 int argc __unused, const char *argv[] __unused) 56 { 57 krb5_context context; 58 krb5_principal su_principal; 59 const char *user; 60 const void *ruser; 61 char *su_principal_name; 62 long rv; 63 int pamret; 64 65 pamret = pam_get_user(pamh, &user, NULL); 66 if (pamret != PAM_SUCCESS) 67 return (pamret); 68 PAM_LOG("Got user: %s", user); 69 pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 70 if (pamret != PAM_SUCCESS) 71 return (pamret); 72 PAM_LOG("Got ruser: %s", (const char *)ruser); 73 rv = krb5_init_context(&context); 74 if (rv != 0) { 75 const char *msg = krb5_get_error_message(context, rv); 76 PAM_LOG("krb5_init_context failed: %s", msg); 77 krb5_free_error_message(context, msg); 78 return (PAM_SERVICE_ERR); 79 } 80 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 81 if (rv != 0) 82 return (PAM_AUTH_ERR); 83 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 84 rv = krb5_kuserok(context, su_principal, user); 85 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 86 free(su_principal_name); 87 krb5_free_principal(context, su_principal); 88 krb5_free_context(context); 89 return (pamret); 90 } 91 92 PAM_EXTERN int 93 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 94 int ac __unused, const char *av[] __unused) 95 { 96 97 return (PAM_SUCCESS); 98 } 99 100 /* Authenticate using Kerberos 5. 101 * pamh -- The PAM handle. 102 * context -- An initialized krb5_context. 103 * su_principal_name -- The target principal name, used only for password prompts. 104 * If NULL, the password prompts will not include a principal 105 * name. 106 * su_principal -- The target krb5_principal. 107 * Note that a valid keytab in the default location with a host entry 108 * must be available, and that the PAM application must have sufficient 109 * privileges to access it. 110 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 111 * PAM error code if it was not. 112 */ 113 static int 114 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 115 krb5_principal su_principal) 116 { 117 krb5_creds creds; 118 krb5_get_init_creds_opt *gic_opt; 119 krb5_verify_init_creds_opt vic_opt; 120 const char *pass; 121 char *prompt; 122 long rv; 123 int pamret; 124 125 prompt = NULL; 126 krb5_verify_init_creds_opt_init(&vic_opt); 127 if (su_principal_name != NULL) 128 (void)asprintf(&prompt, "Password for %s:", su_principal_name); 129 else 130 (void)asprintf(&prompt, "Password:"); 131 if (prompt == NULL) 132 return (PAM_BUF_ERR); 133 pass = NULL; 134 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 135 free(prompt); 136 if (pamret != PAM_SUCCESS) 137 return (pamret); 138 rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 139 if (rv != 0) { 140 const char *msg = krb5_get_error_message(context, rv); 141 PAM_LOG("krb5_get_init_creds_opt_alloc: %s", msg); 142 krb5_free_error_message(context, msg); 143 return (PAM_AUTH_ERR); 144 } 145 rv = krb5_get_init_creds_password(context, &creds, su_principal, 146 pass, NULL, NULL, 0, NULL, gic_opt); 147 krb5_get_init_creds_opt_free(context, gic_opt); 148 if (rv != 0) { 149 const char *msg = krb5_get_error_message(context, rv); 150 PAM_LOG("krb5_get_init_creds_password: %s", msg); 151 krb5_free_error_message(context, msg); 152 return (PAM_AUTH_ERR); 153 } 154 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 155 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 156 &vic_opt); 157 krb5_free_cred_contents(context, &creds); 158 if (rv != 0) { 159 const char *msg = krb5_get_error_message(context, rv); 160 PAM_LOG("krb5_verify_init_creds: %s", msg); 161 krb5_free_error_message(context, msg); 162 return (PAM_AUTH_ERR); 163 } 164 return (PAM_SUCCESS); 165 } 166 167 /* Determine the target principal given the current user and the target user. 168 * context -- An initialized krb5_context. 169 * target_user -- The target username. 170 * current_user -- The current username. 171 * su_principal_name -- (out) The target principal name. 172 * su_principal -- (out) The target krb5_principal. 173 * When the target user is `root', the target principal will be a `root 174 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 175 * will simply be the current user's default principal name. Note that 176 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 177 * principal name found there will be the `starting point', rather than 178 * the ruser parameter. 179 * 180 * Returns 0 for success, or a com_err error code on failure. 181 */ 182 static long 183 get_su_principal(krb5_context context, const char *target_user, const char *current_user, 184 char **su_principal_name, krb5_principal *su_principal) 185 { 186 krb5_principal default_principal; 187 krb5_ccache ccache; 188 char *principal_name, *ccname, *p; 189 long rv; 190 uid_t euid, ruid; 191 192 *su_principal = NULL; 193 default_principal = NULL; 194 /* Unless KRB5CCNAME was explicitly set, we won't really be able 195 * to look at the credentials cache since krb5_cc_default will 196 * look at getuid(). 197 */ 198 ruid = getuid(); 199 euid = geteuid(); 200 rv = seteuid(ruid); 201 if (rv != 0) 202 return (errno); 203 p = getenv("KRB5CCNAME"); 204 if (p != NULL) 205 ccname = strdup(p); 206 else 207 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 208 if (ccname == NULL) 209 return (errno); 210 rv = krb5_cc_resolve(context, ccname, &ccache); 211 free(ccname); 212 if (rv == 0) { 213 rv = krb5_cc_get_principal(context, ccache, &default_principal); 214 krb5_cc_close(context, ccache); 215 if (rv != 0) 216 default_principal = NULL; /* just to be safe */ 217 } 218 rv = seteuid(euid); 219 if (rv != 0) 220 return (errno); 221 if (default_principal == NULL) { 222 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 223 if (rv != 0) { 224 PAM_LOG("Could not determine default principal name."); 225 return (rv); 226 } 227 } 228 /* Now that we have some principal, if the target account is 229 * `root', then transform it into a `root' instance, e.g. 230 * `user@REA.LM' -> `user/root@REA.LM'. 231 */ 232 rv = krb5_unparse_name(context, default_principal, &principal_name); 233 krb5_free_principal(context, default_principal); 234 if (rv != 0) { 235 const char *msg = krb5_get_error_message(context, rv); 236 PAM_LOG("krb5_unparse_name: %s", msg); 237 krb5_free_error_message(context, msg); 238 return (rv); 239 } 240 PAM_LOG("Default principal name: %s", principal_name); 241 if (strcmp(target_user, superuser) == 0) { 242 p = strrchr(principal_name, '@'); 243 if (p == NULL) { 244 PAM_LOG("malformed principal name `%s'", principal_name); 245 free(principal_name); 246 return (rv); 247 } 248 *p++ = '\0'; 249 *su_principal_name = NULL; 250 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 251 free(principal_name); 252 } else 253 *su_principal_name = principal_name; 254 255 if (*su_principal_name == NULL) 256 return (errno); 257 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 258 if (rv != 0) { 259 const char *msg = krb5_get_error_message(context, rv); 260 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, msg); 261 krb5_free_error_message(context, msg); 262 free(*su_principal_name); 263 return (rv); 264 } 265 PAM_LOG("Target principal name: %s", *su_principal_name); 266 *su_principal = default_principal; 267 return (0); 268 } 269 270 PAM_MODULE_ENTRY("pam_ksu"); 271