xref: /freebsd/lib/libpam/modules/pam_ksu/pam_ksu.c (revision b52b9d56d4e96089873a75f9e29062eec19fabba) 
1 /*-
2  * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 #include <sys/cdefs.h>
27 __FBSDID("$FreeBSD$");
28 
29 #include <sys/param.h>
30 #include <errno.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <unistd.h>
35 
36 #include <krb5.h>
37 
38 #define PAM_SM_AUTH
39 #define PAM_SM_CRED
40 #include <security/pam_appl.h>
41 #include <security/pam_modules.h>
42 #include <security/pam_mod_misc.h>
43 
44 static const char superuser[] = "root";
45 
46 static long	get_su_principal(krb5_context, const char *, const char *,
47 		    char **, krb5_principal *);
48 static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
49 		    krb5_principal);
50 
51 PAM_EXTERN int
52 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
53     int argc __unused, const char *argv[] __unused)
54 {
55 	krb5_context	 context;
56 	krb5_principal	 su_principal;
57 	const char	*user, *ruser;
58 	char		*su_principal_name;
59 	long		 rv;
60 	int		 pamret;
61 
62 	pamret = pam_get_user(pamh, &user, NULL);
63 	if (pamret != PAM_SUCCESS)
64 		return (pamret);
65 	PAM_LOG("Got user: %s", user);
66 	pamret = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
67 	if (pamret != PAM_SUCCESS)
68 		return (pamret);
69 	PAM_LOG("Got ruser: %s", ruser);
70 	rv = krb5_init_context(&context);
71 	if (rv != 0) {
72 		PAM_LOG("krb5_init_context failed: %s",
73 			krb5_get_err_text(context, rv));
74 		return (PAM_SERVICE_ERR);
75 	}
76 	rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
77 	if (rv != 0)
78 		return (PAM_AUTH_ERR);
79 	PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
80 	rv = krb5_kuserok(context, su_principal, user);
81 	pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
82 	free(su_principal_name);
83 	krb5_free_principal(context, su_principal);
84 	krb5_free_context(context);
85 	return (pamret);
86 }
87 
88 PAM_EXTERN int
89 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
90     int ac __unused, const char *av[] __unused)
91 {
92 
93 	return (PAM_SUCCESS);
94 }
95 
96 /* Authenticate using Kerberos 5.
97  *   pamh              -- The PAM handle.
98  *   context           -- An initialized krb5_context.
99  *   su_principal_name -- The target principal name, used only for password prompts.
100  *              If NULL, the password prompts will not include a principal
101  *              name.
102  *   su_principal      -- The target krb5_principal.
103  * Note that a valid keytab in the default location with a host entry
104  * must be available, and that the PAM application must have sufficient
105  * privileges to access it.
106  * Returns PAM_SUCCESS if authentication was successful, or an appropriate
107  * PAM error code if it was not.
108  */
109 static int
110 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
111     krb5_principal su_principal)
112 {
113 	krb5_creds	 creds;
114 	krb5_get_init_creds_opt gic_opt;
115 	krb5_verify_init_creds_opt vic_opt;
116 	const char	*pass;
117 	char		*prompt;
118 	long		 rv;
119 	int		 pamret;
120 
121 	prompt = NULL;
122 	krb5_get_init_creds_opt_init(&gic_opt);
123 	krb5_verify_init_creds_opt_init(&vic_opt);
124 	if (su_principal_name != NULL)
125 		(void)asprintf(&prompt, "Password for %s:", su_principal_name);
126 	else
127 		(void)asprintf(&prompt, "Password:");
128 	if (prompt == NULL)
129 		return (PAM_BUF_ERR);
130 	pass = NULL;
131 	(void)pam_get_item(pamh, PAM_AUTHTOK, (const void **)&pass);
132 	free(prompt);
133 	if (pass == NULL) {
134 		pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
135 		if (pamret != PAM_SUCCESS)
136 			return (pamret);
137 	}
138 	rv = krb5_get_init_creds_password(context, &creds, su_principal,
139 	    pass, NULL, NULL, 0, NULL, &gic_opt);
140 	if (rv != 0) {
141 		PAM_LOG("krb5_get_init_creds_password: %s",
142 			krb5_get_err_text(context, rv));
143 		return (PAM_AUTH_ERR);
144 	}
145 	krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
146 	rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
147 	    &vic_opt);
148 	krb5_free_cred_contents(context, &creds);
149 	if (rv != 0) {
150 		PAM_LOG("krb5_verify_init_creds: %s",
151 		       krb5_get_err_text(context, rv));
152 		return (PAM_AUTH_ERR);
153 	}
154 	return (PAM_SUCCESS);
155 }
156 
157 /* Determine the target principal given the current user and the target user.
158  *   context           -- An initialized krb5_context.
159  *   target_user       -- The target username.
160  *   current_user      -- The current username.
161  *   su_principal_name -- (out) The target principal name.
162  *   su_principal      -- (out) The target krb5_principal.
163  * When the target user is `root', the target principal will be a `root
164  * instance', e.g. `luser/root@REA.LM'.  Otherwise, the target principal
165  * will simply be the current user's default principal name.  Note that
166  * in any case, if KRB5CCNAME is set and a credentials cache exists, the
167  * principal name found there will be the `starting point', rather than
168  * the ruser parameter.
169  *
170  * Returns 0 for success, or a com_err error code on failure.
171  */
172 static long
173 get_su_principal(krb5_context context, const char *target_user, const char *current_user,
174     char **su_principal_name, krb5_principal *su_principal)
175 {
176 	krb5_principal	 default_principal;
177 	krb5_ccache	 ccache;
178 	char		*principal_name, *ccname, *p;
179 	long		 rv;
180 	uid_t		 euid, ruid;
181 
182 	*su_principal = NULL;
183 	default_principal = NULL;
184 	/* Unless KRB5CCNAME was explicitly set, we won't really be able
185 	 * to look at the credentials cache since krb5_cc_default will
186 	 * look at getuid().
187 	 */
188 	ruid = getuid();
189 	euid = geteuid();
190 	rv = seteuid(ruid);
191 	if (rv != 0)
192 		return (errno);
193 	p = getenv("KRB5CCNAME");
194 	if (p != NULL)
195 		ccname = strdup(p);
196 	else
197 		(void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
198 	if (ccname == NULL)
199 		return (errno);
200 	rv = krb5_cc_resolve(context, ccname, &ccache);
201 	free(ccname);
202 	if (rv == 0) {
203 		rv = krb5_cc_get_principal(context, ccache, &default_principal);
204 		krb5_cc_close(context, ccache);
205 		if (rv != 0)
206 			default_principal = NULL; /* just to be safe */
207 	}
208 	rv = seteuid(euid);
209 	if (rv != 0)
210 		return (errno);
211 	if (default_principal == NULL) {
212 		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
213 		if (rv != 0) {
214 			PAM_LOG("Could not determine default principal name.");
215 			return (rv);
216 		}
217 	}
218 	/* Now that we have some principal, if the target account is
219 	 * `root', then transform it into a `root' instance, e.g.
220 	 * `user@REA.LM' -> `user/root@REA.LM'.
221 	 */
222 	rv = krb5_unparse_name(context, default_principal, &principal_name);
223 	krb5_free_principal(context, default_principal);
224 	if (rv != 0) {
225 		PAM_LOG("krb5_unparse_name: %s",
226 		    krb5_get_err_text(context, rv));
227 		return (rv);
228 	}
229 	PAM_LOG("Default principal name: %s", principal_name);
230 	if (strcmp(target_user, superuser) == 0) {
231 		p = strrchr(principal_name, '@');
232 		if (p == NULL) {
233 			PAM_LOG("malformed principal name `%s'", principal_name);
234 			free(principal_name);
235 			return (rv);
236 		}
237 		*p++ = '\0';
238 		*su_principal_name = NULL;
239 		(void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
240 		free(principal_name);
241 	} else
242 		*su_principal_name = principal_name;
243 
244 	if (*su_principal_name == NULL)
245 		return (errno);
246 	rv = krb5_parse_name(context, *su_principal_name, &default_principal);
247 	if (rv != 0) {
248 		PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name,
249 		    krb5_get_err_text(context, rv));
250 		free(*su_principal_name);
251 		return (rv);
252 	}
253 	PAM_LOG("Target principal name: %s", *su_principal_name);
254 	*su_principal = default_principal;
255 	return (0);
256 }
257