xref: /illumos-gate/usr/src/lib/pam_modules/krb5/krb5_password.c (revision 4e93fb0f6383eaac21897dcdae56b87118131e4d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <kadm5/admin.h>
29 #include <krb5.h>
30 
31 #include <security/pam_appl.h>
32 #include <security/pam_modules.h>
33 #include <security/pam_impl.h>
34 #include <syslog.h>
35 #include <string.h>
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <sys/types.h>
39 #include <pwd.h>
40 #include <libintl.h>
41 #include <netdb.h>
42 #include "utils.h"
43 #include "krb5_repository.h"
44 
45 extern int attempt_krb5_auth(krb5_module_data_t *, char *, char **,
46 			boolean_t);
47 extern int krb5_verifypw(char *, char *, int);
48 
49 static void display_msg(pam_handle_t *, int, char *);
50 static void display_msgs(pam_handle_t *, int, int,
51 		char msgs[][PAM_MAX_MSG_SIZE]);
52 static int krb5_changepw(pam_handle_t *, char *, char *, char *, int);
53 
54 /*
55  * set_ccname()
56  *
57  * set KRB5CCNAME shell var
58  */
59 static void
60 set_ccname(
61 	pam_handle_t *pamh,
62 	krb5_module_data_t *kmd,
63 	int login_result,
64 	int debug)
65 {
66 	int result;
67 
68 	if (debug)
69 		__pam_log(LOG_AUTH | LOG_DEBUG,
70 		    "PAM-KRB5 (password): password: finalize"
71 		    " ccname env, login_result =%d, env ='%s'",
72 		    login_result, kmd->env ? kmd->env : "<null>");
73 
74 	if (kmd->env) {
75 
76 		if (login_result == PAM_SUCCESS) {
77 				/*
78 				 * Put ccname into the pamh so that login
79 				 * apps can pick this up when they run
80 				 * pam_getenvlist().
81 				 */
82 			if ((result = pam_putenv(pamh, kmd->env))
83 			    != PAM_SUCCESS) {
84 				/* should not happen but... */
85 				__pam_log(LOG_AUTH | LOG_ERR,
86 					    "PAM-KRB5 (password):"
87 					    " pam_putenv failed: result: %d",
88 				    result);
89 				goto cleanupccname;
90 			}
91 		} else {
92 		cleanupccname:
93 				/* for lack of a Solaris unputenv() */
94 			krb5_unsetenv(KRB5_ENV_CCNAME);
95 			free(kmd->env);
96 			kmd->env = NULL;
97 		}
98 	}
99 }
100 
101 /*
102  * get_set_creds()
103  *
104  * do a krb5 login to get and set krb5 creds (needed after a pw change
105  * on pw expire on login)
106  */
107 static void
108 get_set_creds(
109 	pam_handle_t *pamh,
110 	krb5_module_data_t *kmd,
111 	char *user,
112 	char *newpass,
113 	int debug)
114 {
115 	int login_result;
116 
117 	if (!kmd || kmd->age_status != PAM_NEW_AUTHTOK_REQD)
118 		return;
119 
120 	/*
121 	 * if pw has expired, get/set krb5 creds ala auth mod
122 	 *
123 	 * pwchange verified user sufficiently, so don't request strict
124 	 * tgt verification (will cause rcache perm issues possibly anyways)
125 	 */
126 	login_result = attempt_krb5_auth(kmd, user, &newpass, 0);
127 	if (debug)
128 		__pam_log(LOG_AUTH | LOG_DEBUG,
129 		    "PAM-KRB5 (password): get_set_creds: login_result= %d",
130 		    login_result);
131 	/*
132 	 * the krb5 login should not fail, but if so,
133 	 * warn the user they have to kinit(1)
134 	 */
135 	if (login_result != PAM_SUCCESS) {
136 		display_msg(pamh, PAM_TEXT_INFO,
137 			    dgettext(TEXT_DOMAIN,
138 				    "Warning: "
139 				    "Could not cache Kerberos"
140 				    " credentials, please run "
141 				    "kinit(1) or re-login\n"));
142 	}
143 	set_ccname(pamh, kmd, login_result, debug);
144 }
145 /*
146  * This is the PAM Kerberos Password Change module
147  *
148  */
149 
150 int
151 pam_sm_chauthtok(
152 	pam_handle_t		*pamh,
153 	int			flags,
154 	int			argc,
155 	const char		**argv)
156 {
157 
158 	char			*user;
159 	int			err, result = PAM_AUTHTOK_ERR;
160 	char			*newpass = NULL;
161 	char			*oldpass = NULL;
162 	int			i;
163 	int			debug = 0;
164 	uid_t			pw_uid;
165 	krb5_module_data_t	*kmd = NULL;
166 	pam_repository_t	*rep_data = NULL;
167 
168 	for (i = 0; i < argc; i++) {
169 		if (strcmp(argv[i], "debug") == 0)
170 			debug = 1;
171 		else
172 			__pam_log(LOG_AUTH | LOG_ERR,
173 				    "PAM-KRB5 (password): illegal option %s",
174 			    argv[i]);
175 	}
176 
177 	if (debug)
178 		__pam_log(LOG_AUTH | LOG_DEBUG,
179 		    "PAM-KRB5 (password): start: flags = %x",
180 		    flags);
181 
182 	(void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data);
183 
184 	if (rep_data != NULL) {
185 		if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) {
186 			if (debug)
187 				__pam_log(LOG_AUTH | LOG_DEBUG,
188 					"PAM-KRB5 (auth): wrong"
189 					"repository found (%s), returning "
190 					"PAM_IGNORE", rep_data->type);
191 			return (PAM_IGNORE);
192 		}
193 	}
194 
195 	if (flags & PAM_PRELIM_CHECK) {
196 		/* Nothing to do here */
197 		if (debug)
198 			__pam_log(LOG_AUTH | LOG_DEBUG,
199 			    "PAM-KRB5 (password): prelim check");
200 		return (PAM_IGNORE);
201 	}
202 
203 	/* make sure PAM framework is telling us to update passwords */
204 	if (!(flags & PAM_UPDATE_AUTHTOK)) {
205 		__pam_log(LOG_AUTH | LOG_ERR,
206 			"PAM-KRB5 (password): bad flags: %d",
207 			flags);
208 		return (PAM_SYSTEM_ERR);
209 	}
210 
211 
212 	if ((err = pam_get_data(pamh, KRB5_DATA, (const void **)&kmd))
213 	    != PAM_SUCCESS) {
214 		if (debug)
215 			__pam_log(LOG_AUTH | LOG_DEBUG,
216 			    "PAM-KRB5 (password): get mod data failed %d",
217 			    err);
218 		kmd = NULL;
219 	}
220 
221 	if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) {
222 		/* let's make sure we know the krb5 pw has expired */
223 
224 		if (debug)
225 			__pam_log(LOG_AUTH | LOG_DEBUG,
226 			    "PAM-KRB5 (password): kmd age status %d",
227 			    kmd ? kmd->age_status : -99);
228 
229 		if (!kmd || kmd->age_status != PAM_NEW_AUTHTOK_REQD)
230 			return (PAM_IGNORE);
231 	}
232 
233 	(void) pam_get_item(pamh, PAM_USER, (void **)&user);
234 
235 	if (user == NULL || *user == '\0') {
236 		__pam_log(LOG_AUTH | LOG_ERR,
237 			"PAM-KRB5 (password): username is empty");
238 		return (PAM_USER_UNKNOWN);
239 	}
240 
241 	if (!get_pw_uid(user, &pw_uid)) {
242 		__pam_log(LOG_AUTH | LOG_ERR,
243 		    "PAM-KRB5 (password): can't get uid for %s", user);
244 		return (PAM_USER_UNKNOWN);
245 	}
246 
247 	/*
248 	 * if root key exists in the keytab, it's a random key so no
249 	 * need to prompt for pw and we just return IGNORE
250 	 */
251 	if ((strcmp(user, ROOT_UNAME) == 0) &&
252 	    key_in_keytab(user, debug)) {
253 		if (debug)
254 			__pam_log(LOG_AUTH | LOG_DEBUG,
255 			    "PAM-KRB5 (password): "
256 			    "key for '%s' in keytab, returning IGNORE", user);
257 		result = PAM_IGNORE;
258 		goto out;
259 	}
260 
261 	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&newpass);
262 
263 	if (newpass == NULL)
264 		return (PAM_SYSTEM_ERR);
265 
266 	(void) pam_get_item(pamh, PAM_OLDAUTHTOK, (void **)&oldpass);
267 
268 	if (oldpass == NULL)
269 		return (PAM_SYSTEM_ERR);
270 
271 	result = krb5_verifypw(user, oldpass, debug);
272 	if (debug)
273 		__pam_log(LOG_AUTH | LOG_DEBUG,
274 			"PAM-KRB5 (password): verifypw %d", result);
275 
276 	/*
277 	 * If it's a bad password or general failure, we are done.
278 	 */
279 	if (result != 0) {
280 		if (result == 2)
281 			display_msg(pamh, PAM_ERROR_MSG, dgettext(TEXT_DOMAIN,
282 				"Old Kerberos password incorrect\n"));
283 		return (PAM_AUTHTOK_ERR);
284 	}
285 
286 	result = krb5_changepw(pamh, user, oldpass, newpass, debug);
287 	if (result == PAM_SUCCESS) {
288 		display_msg(pamh, PAM_TEXT_INFO, dgettext(TEXT_DOMAIN,
289 		    "Kerberos password successfully changed\n"));
290 
291 		get_set_creds(pamh, kmd, user, newpass, debug);
292 	}
293 
294 out:
295 	if (debug)
296 		__pam_log(LOG_AUTH | LOG_DEBUG,
297 			"PAM-KRB5 (password): out: returns %d",
298 		    result);
299 
300 	return (result);
301 }
302 
303 int
304 krb5_verifypw(
305 	char 	*princ_str,
306 	char	*old_password,
307 	int debug)
308 {
309 	kadm5_ret_t		code;
310 	krb5_principal 		princ = 0;
311 	char 			admin_realm[1024];
312 	char			kprinc[2*MAXHOSTNAMELEN];
313 	char			*cpw_service;
314 	void 			*server_handle;
315 	krb5_context		context;
316 	kadm5_config_params	params;
317 
318 	(void) memset((char *)&params, 0, sizeof (params));
319 
320 	if (code = krb5_init_context(&context)) {
321 		return (6);
322 	}
323 
324 	if ((code = get_kmd_kuser(context, (const char *)princ_str, kprinc,
325 		2*MAXHOSTNAMELEN)) != 0) {
326 		return (code);
327 	}
328 
329 	/* Need to get a krb5_principal struct */
330 
331 	code = krb5_parse_name(context, kprinc, &princ);
332 
333 	if (code != 0)
334 		return (6);
335 
336 	if (strlen(old_password) == 0) {
337 		krb5_free_principal(context, princ);
338 		return (5);
339 	}
340 
341 	(void) strlcpy(admin_realm,
342 		    krb5_princ_realm(context, princ)->data,
343 		    sizeof (admin_realm));
344 
345 	params.mask |= KADM5_CONFIG_REALM;
346 	params.realm = admin_realm;
347 
348 
349 	if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) {
350 		__pam_log(LOG_AUTH | LOG_ERR,
351 			"PAM-KRB5 (password): unable to get host based "
352 			"service name for realm %s\n",
353 			admin_realm);
354 		krb5_free_principal(context, princ);
355 		return (3);
356 	}
357 
358 	code = kadm5_init_with_password(kprinc, old_password, cpw_service,
359 					&params, KADM5_STRUCT_VERSION,
360 					KADM5_API_VERSION_2, &server_handle);
361 	if (code != 0) {
362 		if (debug)
363 			__pam_log(LOG_AUTH | LOG_DEBUG,
364 			    "PAM-KRB5: krb5_verifypw: init_with_pw"
365 			    " failed: (%s)", error_message(code));
366 		krb5_free_principal(context, princ);
367 		return ((code == KADM5_BAD_PASSWORD) ? 2 : 3);
368 	}
369 
370 	krb5_free_principal(context, princ);
371 
372 	(void) kadm5_destroy(server_handle);
373 
374 	return (0);
375 }
376 
377 /*
378  * Function: krb5_changepw
379  *
380  * Purpose: Initialize and call lower level routines to change a password
381  *
382  * Arguments:
383  *
384  *	princ_str	principal name to use, optional
385  *	old_password 	old password
386  *	new_password  	new password
387  *
388  * Returns:
389  *                      exit status of PAM_SUCCESS for success
390  *			else returns PAM failure
391  *
392  * Requires:
393  *	Passwords cannot be more than 255 characters long.
394  *
395  * Modifies:
396  *
397  * Changes the principal's password.
398  *
399  */
400 static int
401 krb5_changepw(
402 	pam_handle_t *pamh,
403 	char *princ_str,
404 	char *old_password,
405 	char *new_password,
406 	int debug)
407 {
408 	kadm5_ret_t		code;
409 	krb5_principal 		princ = 0;
410 	char 			msg_ret[1024], admin_realm[1024];
411 	char			kprinc[2*MAXHOSTNAMELEN];
412 	char			*cpw_service;
413 	void 			*server_handle;
414 	krb5_context		context;
415 	kadm5_config_params	params;
416 
417 	(void) memset((char *)&params, 0, sizeof (params));
418 
419 	if (krb5_init_context(&context) != 0)
420 		return (PAM_SYSTEM_ERR);
421 
422 	if ((code = get_kmd_kuser(context, (const char *)princ_str, kprinc,
423 		2*MAXHOSTNAMELEN)) != 0) {
424 		return (code);
425 	}
426 
427 	/* Need to get a krb5_principal struct */
428 
429 	code = krb5_parse_name(context, kprinc, &princ);
430 	if (code != 0)
431 		return (PAM_SYSTEM_ERR);
432 
433 	if (strlen(old_password) == 0) {
434 		krb5_free_principal(context, princ);
435 		return (PAM_AUTHTOK_ERR);
436 	}
437 
438 	(void) snprintf(admin_realm, sizeof (admin_realm), "%s",
439 		krb5_princ_realm(context, princ)->data);
440 	params.mask |= KADM5_CONFIG_REALM;
441 	params.realm = admin_realm;
442 
443 
444 	if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) {
445 		__pam_log(LOG_AUTH | LOG_ERR,
446 				"PAM-KRB5 (password):unable to get host based "
447 				"service name for realm %s\n",
448 			admin_realm);
449 		return (PAM_SYSTEM_ERR);
450 	}
451 
452 	code = kadm5_init_with_password(kprinc, old_password, cpw_service,
453 					&params, KADM5_STRUCT_VERSION,
454 					KADM5_API_VERSION_2, &server_handle);
455 	free(cpw_service);
456 	if (code != 0) {
457 		if (debug)
458 			__pam_log(LOG_AUTH | LOG_DEBUG,
459 			    "PAM-KRB5 (password): changepw: "
460 			    "init_with_pw failed:  (%s)", error_message(code));
461 		krb5_free_principal(context, princ);
462 		return ((code == KADM5_BAD_PASSWORD) ?
463 			PAM_AUTHTOK_ERR : PAM_SYSTEM_ERR);
464 	}
465 
466 	code = kadm5_chpass_principal_util(server_handle, princ,
467 					new_password,
468 					NULL /* don't need pw back */,
469 					msg_ret,
470 					sizeof (msg_ret));
471 
472 	if (code) {
473 		char msgs[2][PAM_MAX_MSG_SIZE];
474 
475 		(void) snprintf(msgs[0], PAM_MAX_MSG_SIZE, "%s",
476 			dgettext(TEXT_DOMAIN,
477 				"Kerberos password not changed: "));
478 		(void) snprintf(msgs[1], PAM_MAX_MSG_SIZE, "%s", msg_ret);
479 
480 		display_msgs(pamh, PAM_ERROR_MSG, 2, msgs);
481 	}
482 
483 	krb5_free_principal(context, princ);
484 
485 	(void) kadm5_destroy(server_handle);
486 
487 	if (debug)
488 		__pam_log(LOG_AUTH | LOG_DEBUG,
489 		    "PAM-KRB5 (password): changepw: end %d", code);
490 
491 	if (code != 0)
492 		return (PAM_AUTHTOK_ERR);
493 
494 	return (PAM_SUCCESS);
495 }
496 
497 static void
498 display_msgs(pam_handle_t *pamh,
499 	int msg_style, int nmsg, char msgs[][PAM_MAX_MSG_SIZE])
500 {
501 	(void) __pam_display_msg(pamh, msg_style, nmsg, msgs, NULL);
502 }
503 
504 
505 static void
506 display_msg(pam_handle_t *pamh, int msg_style, char *msg)
507 {
508 	char pam_msg[1][PAM_MAX_MSG_SIZE];
509 
510 	(void) snprintf(pam_msg[0], PAM_MAX_MSG_SIZE, "%s", msg);
511 	display_msgs(pamh, msg_style, 1, pam_msg);
512 }
513