xref: /titanic_41/usr/src/cmd/ssh/sshd/auth-pam.c (revision 1816cb7076d3ec8a78ef9ac9f895574e13c43645)
1 /*
2  * Copyright (c) 2000 Damien Miller.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 /*
25  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
26  * Use is subject to license terms.
27  */
28 
29 #include "includes.h"
30 
31 #ifdef USE_PAM
32 #include "xmalloc.h"
33 #include "log.h"
34 #include "auth.h"
35 #include "auth-options.h"
36 #include "auth-pam.h"
37 #include "servconf.h"
38 #include "canohost.h"
39 #include "compat.h"
40 #include "misc.h"
41 #include "sshlogin.h"
42 #include "ssh-gss.h"
43 
44 #include <security/pam_appl.h>
45 
46 extern char *__progname;
47 
48 extern u_int utmp_len;
49 extern ServerOptions options;
50 
51 extern Authmethod method_kbdint;
52 
53 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
54 
55 #define NEW_AUTHTOK_MSG \
56 	"Warning: Your password has expired, please change it now."
57 
58 /* PAM conversation for non-interactive userauth methods */
59 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
60 	struct pam_response **resp, void *appdata_ptr);
61 
62 static void do_pam_cleanup_proc(void *context);
63 
64 static char *get_method_name(Authctxt *authctxt);
65 
66 /* PAM conversation for non-interactive userauth methods */
67 static struct pam_conv conv = {
68 	(int (*)())do_pam_conversation,
69 	NULL
70 };
71 static char *__pam_msg = NULL;
72 
73 static
74 char *
75 get_method_name(Authctxt *authctxt)
76 {
77 	if (!authctxt)
78 		return "(unknown)";
79 
80 	if (!compat20)
81 		return (authctxt->v1_auth_name) ? authctxt->v1_auth_name :
82 						  "(sshv1-unknown)";
83 
84 	if (!authctxt->method || !authctxt->method->name)
85 			return "(sshv2-unknown)";
86 
87 	return authctxt->method->name;
88 }
89 
90 const
91 char *
92 derive_pam_svc_name(Authmethod *method)
93 {
94 	if (compat20 && method) {
95 		char *method_name = method->name;
96 
97 		if (!method_name)
98 			fatal("Userauth method unknown while starting PAM");
99 
100 		/* For SSHv2 we use "sshd-<userauth name> */
101 		if (strcmp(method_name, "none") == 0) {
102 			return "sshd-none";
103 		}
104 		if (strcmp(method_name, "password") == 0) {
105 			return "sshd-password";
106 		}
107 		if (strcmp(method_name, "keyboard-interactive") == 0) {
108 			/* "keyboard-interactive" is too long, shorten it */
109 			return "sshd-kbdint";
110 		}
111 		if (strcmp(method_name, "publickey") == 0) {
112 			/* "publickey" is too long, shorten it */
113 			return "sshd-pubkey";
114 		}
115 		if (strcmp(method_name, "hostbased") == 0) {
116 			/* "hostbased" can't really be shortened... */
117 			return "sshd-hostbased";
118 		}
119 		if (strncmp(method_name, "gss", 3) == 0) {
120 			/* "gss" is too short, elongate it */
121 			return "sshd-gssapi";
122 		}
123 	}
124 
125 	return "sshd-v1"; /* SSHv1 doesn't get to be so cool */
126 }
127 
128 void
129 new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
130 {
131 	int		retval;
132 	pam_handle_t	*pamh;
133 	const char	*rhost, *svc;
134 	char		*user = NULL;
135 	pam_stuff	*pam;
136 
137 	if (authctxt == NULL)
138 		fatal("Internal error during userauth");
139 
140 	if (compat20 && authctxt->method == NULL)
141 		fatal("Userauth method unknown while starting PAM");
142 
143 	/* PAM service selected here */
144 	svc = derive_pam_svc_name(authctxt->method);
145 	debug2("Starting PAM service %s for method %s", svc,
146 		get_method_name(authctxt));
147 
148 	if (authctxt->user != NULL)
149 		user = authctxt->user;
150 
151 	/* Cleanup previous PAM state */
152 	if (authctxt->pam != NULL) {
153 		fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
154 		do_pam_cleanup_proc(authctxt->pam);
155 	}
156 
157 	pam = xmalloc(sizeof(pam_stuff));
158 	(void) memset(pam, 0, sizeof(pam_stuff));
159 
160 	/*
161 	 * pam->last_pam_retval has to be and is considered
162 	 * along with pam->state.
163 	 *
164 	 * pam->state = 0; -> no PAM auth, account, etc, work
165 	 * done yet.  (Set by memset() above.)
166 	 *
167 	 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at
168 	 * this point.
169 	 *
170 	 * See finish_userauth_do_pam() below.
171 	 */
172 	pam->authctxt = authctxt;
173 	pam->last_pam_retval = PAM_SUCCESS;
174 
175 	authctxt->pam = pam;
176 
177 	/* Free any previously stored text/error PAM prompts */
178 	if (__pam_msg) {
179 		xfree(__pam_msg);
180 		__pam_msg = NULL;
181 	}
182 
183 	if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) {
184 		fatal("PAM initialization failed during %s userauth",
185 			get_method_name(authctxt));
186 	}
187 
188 	fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc,
189 			  (void *) authctxt->pam);
190 
191 	rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
192 	if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
193 		(void) pam_end(pamh, retval);
194 		fatal("Could not set PAM_RHOST item during %s userauth",
195 			get_method_name(authctxt));
196 	}
197 
198 	if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) {
199 		(void) pam_end(pamh, retval);
200 		fatal("Could not set PAM_TTY item during %s userauth",
201 			get_method_name(authctxt));
202 	}
203 
204 	if (authctxt->cuser != NULL)
205 		if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) {
206 			(void) pam_end(pamh, retval);
207 			fatal("Could not set PAM_AUSER item during %s userauth",
208 				get_method_name(authctxt));
209 		}
210 
211 	authctxt->pam->h = pamh;
212 }
213 
214 /*
215  * To be called from userauth methods, directly (as in keyboard-interactive) or
216  * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth().
217  *
218  * The caller is responsible for calling new_start_pam() first.
219  *
220  * PAM state is not cleaned up here on error.  This is left to subsequent calls
221  * to new_start_pam() or to the cleanup function upon authentication error.
222  */
223 int
224 finish_userauth_do_pam(Authctxt *authctxt)
225 {
226 	int retval;
227 	char *user, *method;
228 
229 	/* Various checks; fail gracefully */
230 	if (authctxt == NULL || authctxt->pam == NULL)
231 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
232 
233 	if (compat20) {
234 		if (authctxt->method == NULL || authctxt->method->name == NULL)
235 			return PAM_SYSTEM_ERR;	/* shouldn't happen */
236 		method = authctxt->method->name;
237 	} else if ((method = authctxt->v1_auth_name) == NULL)
238 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
239 
240 	if (AUTHPAM_DONE(authctxt))
241 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
242 
243 	if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) {
244 		retval = pam_acct_mgmt(authctxt->pam->h, 0);
245 		authctxt->pam->last_pam_retval = retval;
246 		if (retval == PAM_NEW_AUTHTOK_REQD) {
247 			userauth_force_kbdint();
248 			return retval;
249 		}
250 		if (retval != PAM_SUCCESS)
251 			return retval;
252 		authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT;
253 	}
254 
255 	/*
256 	 * Handle PAM_USER change, if any.
257 	 *
258 	 * We do this before pam_open_session() because we need the PAM_USER's
259 	 * UID for:
260 	 *
261 	 * a) PermitRootLogin checking
262 	 * b) to get at the lastlog entry before pam_open_session() updates it.
263 	 */
264 	retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user);
265 	if (retval != PAM_SUCCESS) {
266 		fatal("PAM failure: pam_get_item(PAM_USER) "
267 		      "returned %d: %.200s", retval,
268 		      PAM_STRERROR(authctxt->pam->h, retval));
269 	}
270 
271 	if (user == NULL || *user == '\0') {
272 		debug("PAM set NULL PAM_USER");
273 		return PAM_PERM_DENIED;
274 	}
275 
276 	if (strcmp(user, authctxt->user) != 0) {
277 		log("PAM changed the SSH username");
278 		pwfree(&authctxt->pw);
279 		authctxt->pw = getpwnamallow(user);
280 		authctxt->valid = (authctxt->pw != NULL);
281 		xfree(authctxt->user);
282 		authctxt->user = xstrdup(user);
283 	}
284 
285 	if (!authctxt->valid) {
286 		debug2("PAM set PAM_USER to unknown user");
287 		/*
288 		 * Return success, userauth_finish() will catch
289 		 * this and send back a failure message.
290 		 */
291 		return PAM_SUCCESS;
292 	}
293 
294 	/* Check PermitRootLogin semantics */
295 	if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method))
296 		return PAM_PERM_DENIED;
297 
298 	if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) {
299 		retval = pam_setcred(authctxt->pam->h,
300 				     PAM_ESTABLISH_CRED);
301 		authctxt->pam->last_pam_retval = retval;
302 		if (retval != PAM_SUCCESS)
303 			return retval;
304 		authctxt->pam->state |= PAM_S_DONE_SETCRED;
305 
306 #ifdef GSSAPI
307 		/*
308 		 * Store GSS-API delegated creds after pam_setcred(), which may
309 		 * have set the current credential store.
310 		 */
311 		ssh_gssapi_storecreds(NULL, authctxt);
312 #endif /* GSSAPI */
313 	}
314 
315 	/*
316 	 * On Solaris pam_unix_session.so updates the lastlog, but does
317 	 * not converse a PAM_TEXT_INFO message about it.  So we need to
318 	 * fetch the lastlog entry here and save it for use later.
319 	 */
320 	authctxt->last_login_time =
321 		get_last_login_time(authctxt->pw->pw_uid,
322 			authctxt->pw->pw_name,
323 			authctxt->last_login_host,
324 			sizeof(authctxt->last_login_host));
325 
326 	if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) {
327 		retval = pam_open_session(authctxt->pam->h, 0);
328 		authctxt->pam->last_pam_retval = retval;
329 		if (retval != PAM_SUCCESS)
330 			return retval;
331 		authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION;
332 	}
333 
334 	/*
335 	 * All PAM work done successfully.
336 	 *
337 	 * PAM handle stays around so we can call pam_close_session() on
338 	 * it later.
339 	 */
340 	return PAM_SUCCESS;
341 }
342 
343 /*
344  * PAM conversation function for non-interactive userauth methods that
345  * really cannot do any prompting.  Password userauth and CHANGEREQ can
346  * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid
347  * conversation (and if they do and nonetheless some module tries to
348  * converse, then password userauth / CHANGEREQ MUST fail).
349  *
350  * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled
351  * away and shown to the user later.
352  *
353  * Keyboard-interactive userauth has its own much more interesting
354  * conversation function.
355  *
356  */
357 static int
358 do_pam_conversation(int num_msg, const struct pam_message **msg,
359 	struct pam_response **resp, void *appdata_ptr)
360 {
361 	struct pam_response *reply;
362 	int count;
363 
364 	/* PAM will free this later */
365 	reply = xmalloc(num_msg * sizeof(*reply));
366 
367 	(void) memset(reply, 0, num_msg * sizeof(*reply));
368 
369 	for (count = 0; count < num_msg; count++) {
370 		/*
371 		 * We can't use stdio yet, queue messages for
372 		 * printing later
373 		 */
374 		switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
375 		case PAM_PROMPT_ECHO_ON:
376 			xfree(reply);
377 			return PAM_CONV_ERR;
378 		case PAM_PROMPT_ECHO_OFF:
379 			xfree(reply);
380 			return PAM_CONV_ERR;
381 			break;
382 		case PAM_ERROR_MSG:
383 		case PAM_TEXT_INFO:
384 			if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
385 				message_cat(&__pam_msg,
386 				    PAM_MSG_MEMBER(msg, count, msg));
387 			}
388 			reply[count].resp = xstrdup("");
389 			reply[count].resp_retcode = PAM_SUCCESS;
390 			break;
391 		default:
392 			xfree(reply);
393 			return PAM_CONV_ERR;
394 		}
395 	}
396 
397 	*resp = reply;
398 
399 	return PAM_SUCCESS;
400 }
401 
402 /* Called at exit to cleanly shutdown PAM */
403 static void
404 do_pam_cleanup_proc(void *context)
405 {
406 	int pam_retval;
407 	pam_stuff *pam = (pam_stuff *) context;
408 
409 	if (pam == NULL)
410 		return;
411 
412 	if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
413 		pam->authctxt->pam_retval = pam->last_pam_retval;
414 		pam->authctxt->pam = NULL;
415 		pam->authctxt = NULL;
416 	}
417 
418 	if (pam->h == NULL)
419 		return;
420 
421 	/*
422 	 * We're in fatal_cleanup() or not in userauth or without a
423 	 * channel -- can't converse now, too bad.
424 	 */
425 	pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
426 	if (pam_retval != PAM_SUCCESS) {
427 		log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
428 			pam_retval, PAM_STRERROR(pam->h, pam_retval));
429 		goto cleanup;
430 	}
431 
432 	if (pam->state & PAM_S_DONE_OPEN_SESSION) {
433 		pam_retval = pam_close_session(pam->h, 0);
434 		if (pam_retval != PAM_SUCCESS)
435 			log("Cannot close PAM session[%d]: %.200s",
436 			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
437 	}
438 
439 	if (pam->state & PAM_S_DONE_SETCRED) {
440 		pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
441 		if (pam_retval != PAM_SUCCESS)
442 			debug("Cannot delete credentials[%d]: %.200s",
443 			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
444 	}
445 
446 cleanup:
447 
448 	/* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
449 	if (pam->last_pam_retval != PAM_SUCCESS)
450 		pam_retval = pam_end(pam->h, pam->last_pam_retval);
451 	else if (pam_retval != PAM_SUCCESS)
452 		pam_retval = pam_end(pam->h, pam_retval);
453 	else
454 		pam_retval = pam_end(pam->h, PAM_ABORT);
455 
456 	if (pam_retval != PAM_SUCCESS)
457 		log("Cannot release PAM authentication[%d]: %.200s",
458 		    pam_retval, PAM_STRERROR(pam->h, pam_retval));
459 
460 	xfree(pam);
461 }
462 
463 /* Attempt password authentation using PAM */
464 int
465 auth_pam_password(Authctxt *authctxt, const char *password)
466 {
467 	int retval;
468 
469 	/* Ensure we have a fresh PAM handle / state */
470 	new_start_pam(authctxt, &conv);
471 
472 	retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password);
473 	if (retval != PAM_SUCCESS) {
474 		authctxt->pam->last_pam_retval = retval;
475 		return 1;
476 	}
477 
478 	retval = pam_authenticate(authctxt->pam->h,
479 			options.permit_empty_passwd ?  0 :
480 			PAM_DISALLOW_NULL_AUTHTOK);
481 
482 	if (retval != PAM_SUCCESS) {
483 		authctxt->pam->last_pam_retval = retval;
484 		return 0;
485 	}
486 
487 	if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS)
488 		return 0;
489 
490 	if (authctxt->method)
491 		authctxt->method->authenticated = 1;	/* SSHv2 */
492 
493 	return 1;
494 }
495 
496 int
497 do_pam_non_initial_userauth(Authctxt *authctxt)
498 {
499 	new_start_pam(authctxt, NULL);
500 	return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS);
501 }
502 
503 /* Cleanly shutdown PAM */
504 void finish_pam(Authctxt *authctxt)
505 {
506 	fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
507 	do_pam_cleanup_proc(authctxt->pam);
508 }
509 
510 static
511 char **
512 find_env(char **env, char *var)
513 {
514 	char **p;
515 	int len;
516 
517 	if (strchr(var, '=') == NULL)
518 		len = strlen(var);
519 	else
520 		len = (strchr(var, '=') - var) + 1;
521 
522 	for ( p = env ; p != NULL && *p != NULL ; p++ ) {
523 		if (strncmp(*p, var, len) == 0)
524 			return (p);
525 	}
526 
527 	return (NULL);
528 }
529 
530 /* Return list of PAM environment strings */
531 char **
532 fetch_pam_environment(Authctxt *authctxt)
533 {
534 #ifdef HAVE_PAM_GETENVLIST
535 	char	**penv;
536 
537 	if (authctxt == NULL || authctxt->pam == NULL ||
538 	    authctxt->pam->h == NULL)
539 		return (NULL);
540 
541 	penv = pam_getenvlist(authctxt->pam->h);
542 
543 	return (penv);
544 #else /* HAVE_PAM_GETENVLIST */
545 	return(NULL);
546 #endif /* HAVE_PAM_GETENVLIST */
547 }
548 
549 void free_pam_environment(char **env)
550 {
551 	int i;
552 
553 	if (env != NULL) {
554 		for (i = 0; env[i] != NULL; i++)
555 			xfree(env[i]);
556 	}
557 
558 	xfree(env);
559 }
560 
561 /* Print any messages that have been generated during authentication */
562 /* or account checking to stderr */
563 void print_pam_messages(void)
564 {
565 	if (__pam_msg != NULL)
566 		(void) fputs(__pam_msg, stderr);
567 }
568 
569 /* Append a message to buffer */
570 void message_cat(char **p, const char *a)
571 {
572 	char *cp;
573 	size_t new_len;
574 
575 	new_len = strlen(a);
576 
577 	if (*p) {
578 		size_t len = strlen(*p);
579 
580 		*p = xrealloc(*p, new_len + len + 2);
581 		cp = *p + len;
582 	} else
583 		*p = cp = xmalloc(new_len + 2);
584 
585 	(void) memcpy(cp, a, new_len);
586 	cp[new_len] = '\n';
587 	cp[new_len + 1] = '\0';
588 }
589 
590 #endif /* USE_PAM */
591