1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/param.h> 30 #include <errno.h> 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <string.h> 34 #include <unistd.h> 35 36 #include <krb5.h> 37 38 #define PAM_SM_AUTH 39 #define PAM_SM_CRED 40 #include <security/pam_appl.h> 41 #include <security/pam_modules.h> 42 #include <security/pam_mod_misc.h> 43 44 static const char superuser[] = "root"; 45 46 static long get_su_principal(krb5_context, const char *, const char *, 47 char **, krb5_principal *); 48 static int auth_krb5(pam_handle_t *, krb5_context, const char *, 49 krb5_principal); 50 51 #ifdef MK_MITKRB5 52 /* For MIT KRB5 only. */ 53 54 /* 55 * XXX This entire module will need to be rewritten when heimdal 56 * XXX compatidibility is no longer needed. 57 */ 58 #define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_" 59 #define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT 60 61 typedef char *heim_general_string; 62 typedef heim_general_string Realm; 63 typedef Realm krb5_realm; 64 typedef const char *krb5_const_realm; 65 66 static krb5_error_code 67 krb5_make_principal(krb5_context context, krb5_principal *principal, 68 krb5_const_realm realm, ...) 69 { 70 krb5_realm temp_realm = NULL; 71 krb5_error_code rc; 72 va_list ap; 73 74 if (realm == NULL) { 75 if ((rc = krb5_get_default_realm(context, &temp_realm))) 76 return (rc); 77 realm=temp_realm; 78 } 79 va_start(ap, realm); 80 81 rc = krb5_build_principal_alloc_va(context, principal, strlen(realm), 82 realm, ap); 83 va_end(ap); 84 if (temp_realm) 85 free(temp_realm); 86 return (rc); 87 } 88 #endif 89 90 PAM_EXTERN int 91 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 92 int argc __unused, const char *argv[] __unused) 93 { 94 krb5_context context; 95 krb5_principal su_principal; 96 const char *user; 97 const void *ruser; 98 char *su_principal_name; 99 long rv; 100 int pamret; 101 102 pamret = pam_get_user(pamh, &user, NULL); 103 if (pamret != PAM_SUCCESS) 104 return (pamret); 105 PAM_LOG("Got user: %s", user); 106 pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 107 if (pamret != PAM_SUCCESS) 108 return (pamret); 109 PAM_LOG("Got ruser: %s", (const char *)ruser); 110 rv = krb5_init_context(&context); 111 if (rv != 0) { 112 const char *msg = krb5_get_error_message(context, rv); 113 PAM_LOG("krb5_init_context failed: %s", msg); 114 krb5_free_error_message(context, msg); 115 return (PAM_SERVICE_ERR); 116 } 117 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 118 if (rv != 0) 119 return (PAM_AUTH_ERR); 120 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 121 rv = krb5_kuserok(context, su_principal, user); 122 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 123 free(su_principal_name); 124 krb5_free_principal(context, su_principal); 125 krb5_free_context(context); 126 return (pamret); 127 } 128 129 PAM_EXTERN int 130 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 131 int ac __unused, const char *av[] __unused) 132 { 133 134 return (PAM_SUCCESS); 135 } 136 137 /* Authenticate using Kerberos 5. 138 * pamh -- The PAM handle. 139 * context -- An initialized krb5_context. 140 * su_principal_name -- The target principal name, used only for password prompts. 141 * If NULL, the password prompts will not include a principal 142 * name. 143 * su_principal -- The target krb5_principal. 144 * Note that a valid keytab in the default location with a host entry 145 * must be available, and that the PAM application must have sufficient 146 * privileges to access it. 147 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 148 * PAM error code if it was not. 149 */ 150 static int 151 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 152 krb5_principal su_principal) 153 { 154 krb5_creds creds; 155 krb5_get_init_creds_opt *gic_opt; 156 krb5_verify_init_creds_opt vic_opt; 157 const char *pass; 158 char *prompt; 159 long rv; 160 int pamret; 161 162 prompt = NULL; 163 krb5_verify_init_creds_opt_init(&vic_opt); 164 if (su_principal_name != NULL) 165 (void)asprintf(&prompt, "Password for %s:", su_principal_name); 166 else 167 (void)asprintf(&prompt, "Password:"); 168 if (prompt == NULL) 169 return (PAM_BUF_ERR); 170 pass = NULL; 171 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 172 free(prompt); 173 if (pamret != PAM_SUCCESS) 174 return (pamret); 175 rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 176 if (rv != 0) { 177 const char *msg = krb5_get_error_message(context, rv); 178 PAM_LOG("krb5_get_init_creds_opt_alloc: %s", msg); 179 krb5_free_error_message(context, msg); 180 return (PAM_AUTH_ERR); 181 } 182 rv = krb5_get_init_creds_password(context, &creds, su_principal, 183 pass, NULL, NULL, 0, NULL, gic_opt); 184 krb5_get_init_creds_opt_free(context, gic_opt); 185 if (rv != 0) { 186 const char *msg = krb5_get_error_message(context, rv); 187 PAM_LOG("krb5_get_init_creds_password: %s", msg); 188 krb5_free_error_message(context, msg); 189 return (PAM_AUTH_ERR); 190 } 191 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 192 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 193 &vic_opt); 194 krb5_free_cred_contents(context, &creds); 195 if (rv != 0) { 196 const char *msg = krb5_get_error_message(context, rv); 197 PAM_LOG("krb5_verify_init_creds: %s", msg); 198 krb5_free_error_message(context, msg); 199 return (PAM_AUTH_ERR); 200 } 201 return (PAM_SUCCESS); 202 } 203 204 /* Determine the target principal given the current user and the target user. 205 * context -- An initialized krb5_context. 206 * target_user -- The target username. 207 * current_user -- The current username. 208 * su_principal_name -- (out) The target principal name. 209 * su_principal -- (out) The target krb5_principal. 210 * When the target user is `root', the target principal will be a `root 211 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 212 * will simply be the current user's default principal name. Note that 213 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 214 * principal name found there will be the `starting point', rather than 215 * the ruser parameter. 216 * 217 * Returns 0 for success, or a com_err error code on failure. 218 */ 219 static long 220 get_su_principal(krb5_context context, const char *target_user, const char *current_user, 221 char **su_principal_name, krb5_principal *su_principal) 222 { 223 krb5_principal default_principal; 224 krb5_ccache ccache; 225 char *principal_name, *ccname, *p; 226 long rv; 227 uid_t euid, ruid; 228 229 *su_principal = NULL; 230 default_principal = NULL; 231 /* Unless KRB5CCNAME was explicitly set, we won't really be able 232 * to look at the credentials cache since krb5_cc_default will 233 * look at getuid(). 234 */ 235 ruid = getuid(); 236 euid = geteuid(); 237 rv = seteuid(ruid); 238 if (rv != 0) 239 return (errno); 240 p = getenv("KRB5CCNAME"); 241 if (p != NULL) 242 ccname = strdup(p); 243 else 244 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 245 if (ccname == NULL) 246 return (errno); 247 rv = krb5_cc_resolve(context, ccname, &ccache); 248 free(ccname); 249 if (rv == 0) { 250 rv = krb5_cc_get_principal(context, ccache, &default_principal); 251 krb5_cc_close(context, ccache); 252 if (rv != 0) 253 default_principal = NULL; /* just to be safe */ 254 } 255 rv = seteuid(euid); 256 if (rv != 0) 257 return (errno); 258 if (default_principal == NULL) { 259 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 260 if (rv != 0) { 261 PAM_LOG("Could not determine default principal name."); 262 return (rv); 263 } 264 } 265 /* Now that we have some principal, if the target account is 266 * `root', then transform it into a `root' instance, e.g. 267 * `user@REA.LM' -> `user/root@REA.LM'. 268 */ 269 rv = krb5_unparse_name(context, default_principal, &principal_name); 270 krb5_free_principal(context, default_principal); 271 if (rv != 0) { 272 const char *msg = krb5_get_error_message(context, rv); 273 PAM_LOG("krb5_unparse_name: %s", msg); 274 krb5_free_error_message(context, msg); 275 return (rv); 276 } 277 PAM_LOG("Default principal name: %s", principal_name); 278 if (strcmp(target_user, superuser) == 0) { 279 p = strrchr(principal_name, '@'); 280 if (p == NULL) { 281 PAM_LOG("malformed principal name `%s'", principal_name); 282 free(principal_name); 283 return (rv); 284 } 285 *p++ = '\0'; 286 *su_principal_name = NULL; 287 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 288 free(principal_name); 289 } else 290 *su_principal_name = principal_name; 291 292 if (*su_principal_name == NULL) 293 return (errno); 294 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 295 if (rv != 0) { 296 const char *msg = krb5_get_error_message(context, rv); 297 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, msg); 298 krb5_free_error_message(context, msg); 299 free(*su_principal_name); 300 return (rv); 301 } 302 PAM_LOG("Target principal name: %s", *su_principal_name); 303 *su_principal = default_principal; 304 return (0); 305 } 306 307 PAM_MODULE_ENTRY("pam_ksu"); 308