1 /* 2 * Copyright (c) 2000 Damien Miller. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 26 * Use is subject to license terms. 27 */ 28 29 #include "includes.h" 30 31 #ifdef USE_PAM 32 #include "xmalloc.h" 33 #include "log.h" 34 #include "auth.h" 35 #include "auth-options.h" 36 #include "auth-pam.h" 37 #include "servconf.h" 38 #include "canohost.h" 39 #include "compat.h" 40 #include "misc.h" 41 #include "sshlogin.h" 42 #include "ssh-gss.h" 43 44 #include <security/pam_appl.h> 45 46 extern char *__progname; 47 48 extern u_int utmp_len; 49 extern ServerOptions options; 50 51 extern Authmethod method_kbdint; 52 53 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); 54 55 #define NEW_AUTHTOK_MSG \ 56 "Warning: Your password has expired, please change it now." 57 58 /* PAM conversation for non-interactive userauth methods */ 59 static int do_pam_conversation(int num_msg, const struct pam_message **msg, 60 struct pam_response **resp, void *appdata_ptr); 61 62 static void do_pam_cleanup_proc(void *context); 63 64 static char *get_method_name(Authctxt *authctxt); 65 66 /* PAM conversation for non-interactive userauth methods */ 67 static struct pam_conv conv = { 68 (int (*)())do_pam_conversation, 69 NULL 70 }; 71 static char *__pam_msg = NULL; 72 73 static 74 char * 75 get_method_name(Authctxt *authctxt) 76 { 77 if (!authctxt) 78 return "(unknown)"; 79 80 if (!compat20) 81 return (authctxt->v1_auth_name) ? authctxt->v1_auth_name : 82 "(sshv1-unknown)"; 83 84 if (!authctxt->method || !authctxt->method->name) 85 return "(sshv2-unknown)"; 86 87 return authctxt->method->name; 88 } 89 90 const 91 char * 92 derive_pam_svc_name(Authmethod *method) 93 { 94 if (compat20 && method) { 95 char *method_name = method->name; 96 97 if (!method_name) 98 fatal("Userauth method unknown while starting PAM"); 99 100 /* For SSHv2 we use "sshd-<userauth name> */ 101 if (strcmp(method_name, "none") == 0) { 102 return "sshd-none"; 103 } 104 if (strcmp(method_name, "password") == 0) { 105 return "sshd-password"; 106 } 107 if (strcmp(method_name, "keyboard-interactive") == 0) { 108 /* "keyboard-interactive" is too long, shorten it */ 109 return "sshd-kbdint"; 110 } 111 if (strcmp(method_name, "publickey") == 0) { 112 /* "publickey" is too long, shorten it */ 113 return "sshd-pubkey"; 114 } 115 if (strcmp(method_name, "hostbased") == 0) { 116 /* "hostbased" can't really be shortened... */ 117 return "sshd-hostbased"; 118 } 119 if (strncmp(method_name, "gss", 3) == 0) { 120 /* "gss" is too short, elongate it */ 121 return "sshd-gssapi"; 122 } 123 } 124 125 return "sshd-v1"; /* SSHv1 doesn't get to be so cool */ 126 } 127 128 void 129 new_start_pam(Authctxt *authctxt, struct pam_conv *conv) 130 { 131 int retval; 132 pam_handle_t *pamh; 133 const char *rhost, *svc; 134 char *user = NULL; 135 pam_stuff *pam; 136 137 if (authctxt == NULL) 138 fatal("Internal error during userauth"); 139 140 if (compat20 && authctxt->method == NULL) 141 fatal("Userauth method unknown while starting PAM"); 142 143 /* PAM service selected here */ 144 svc = derive_pam_svc_name(authctxt->method); 145 debug2("Starting PAM service %s for method %s", svc, 146 get_method_name(authctxt)); 147 148 if (authctxt->user != NULL) 149 user = authctxt->user; 150 151 /* Cleanup previous PAM state */ 152 if (authctxt->pam != NULL) { 153 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam); 154 do_pam_cleanup_proc(authctxt->pam); 155 } 156 157 pam = xmalloc(sizeof(pam_stuff)); 158 (void) memset(pam, 0, sizeof(pam_stuff)); 159 160 /* 161 * pam->last_pam_retval has to be and is considered 162 * along with pam->state. 163 * 164 * pam->state = 0; -> no PAM auth, account, etc, work 165 * done yet. (Set by memset() above.) 166 * 167 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at 168 * this point. 169 * 170 * See finish_userauth_do_pam() below. 171 */ 172 pam->authctxt = authctxt; 173 pam->last_pam_retval = PAM_SUCCESS; 174 175 authctxt->pam = pam; 176 177 /* Free any previously stored text/error PAM prompts */ 178 if (__pam_msg) { 179 xfree(__pam_msg); 180 __pam_msg = NULL; 181 } 182 183 if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) { 184 fatal("PAM initialization failed during %s userauth", 185 get_method_name(authctxt)); 186 } 187 188 fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc, 189 (void *) authctxt->pam); 190 191 rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping); 192 if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) { 193 (void) pam_end(pamh, retval); 194 fatal("Could not set PAM_RHOST item during %s userauth", 195 get_method_name(authctxt)); 196 } 197 198 if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) { 199 (void) pam_end(pamh, retval); 200 fatal("Could not set PAM_TTY item during %s userauth", 201 get_method_name(authctxt)); 202 } 203 204 if (authctxt->cuser != NULL) 205 if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) { 206 (void) pam_end(pamh, retval); 207 fatal("Could not set PAM_AUSER item during %s userauth", 208 get_method_name(authctxt)); 209 } 210 211 authctxt->pam->h = pamh; 212 } 213 214 /* 215 * To be called from userauth methods, directly (as in keyboard-interactive) or 216 * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth(). 217 * 218 * The caller is responsible for calling new_start_pam() first. 219 * 220 * PAM state is not cleaned up here on error. This is left to subsequent calls 221 * to new_start_pam() or to the cleanup function upon authentication error. 222 */ 223 int 224 finish_userauth_do_pam(Authctxt *authctxt) 225 { 226 int retval; 227 char *user, *method; 228 229 /* Various checks; fail gracefully */ 230 if (authctxt == NULL || authctxt->pam == NULL) 231 return PAM_SYSTEM_ERR; /* shouldn't happen */ 232 233 if (compat20) { 234 if (authctxt->method == NULL || authctxt->method->name == NULL) 235 return PAM_SYSTEM_ERR; /* shouldn't happen */ 236 method = authctxt->method->name; 237 } else if ((method = authctxt->v1_auth_name) == NULL) 238 return PAM_SYSTEM_ERR; /* shouldn't happen */ 239 240 if (AUTHPAM_DONE(authctxt)) 241 return PAM_SYSTEM_ERR; /* shouldn't happen */ 242 243 if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) { 244 retval = pam_acct_mgmt(authctxt->pam->h, 0); 245 authctxt->pam->last_pam_retval = retval; 246 if (retval == PAM_NEW_AUTHTOK_REQD) { 247 userauth_force_kbdint(); 248 return retval; 249 } 250 if (retval != PAM_SUCCESS) 251 return retval; 252 authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT; 253 } 254 255 /* 256 * Handle PAM_USER change, if any. 257 * 258 * We do this before pam_open_session() because we need the PAM_USER's 259 * UID for: 260 * 261 * a) PermitRootLogin checking 262 * b) to get at the lastlog entry before pam_open_session() updates it. 263 */ 264 retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user); 265 if (retval != PAM_SUCCESS) { 266 fatal("PAM failure: pam_get_item(PAM_USER) " 267 "returned %d: %.200s", retval, 268 PAM_STRERROR(authctxt->pam->h, retval)); 269 } 270 271 if (user == NULL || *user == '\0') { 272 debug("PAM set NULL PAM_USER"); 273 return PAM_PERM_DENIED; 274 } 275 276 if (strcmp(user, authctxt->user) != 0) { 277 log("PAM changed the SSH username"); 278 pwfree(&authctxt->pw); 279 authctxt->pw = getpwnamallow(user); 280 authctxt->valid = (authctxt->pw != NULL); 281 xfree(authctxt->user); 282 authctxt->user = xstrdup(user); 283 } 284 285 if (!authctxt->valid) { 286 debug2("PAM set PAM_USER to unknown user"); 287 /* 288 * Return success, userauth_finish() will catch 289 * this and send back a failure message. 290 */ 291 return PAM_SUCCESS; 292 } 293 294 /* Check PermitRootLogin semantics */ 295 if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) 296 return PAM_PERM_DENIED; 297 298 if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) { 299 retval = pam_setcred(authctxt->pam->h, 300 PAM_ESTABLISH_CRED); 301 authctxt->pam->last_pam_retval = retval; 302 if (retval != PAM_SUCCESS) 303 return retval; 304 authctxt->pam->state |= PAM_S_DONE_SETCRED; 305 306 #ifdef GSSAPI 307 /* 308 * Store GSS-API delegated creds after pam_setcred(), which may 309 * have set the current credential store. 310 */ 311 ssh_gssapi_storecreds(NULL, authctxt); 312 #endif /* GSSAPI */ 313 } 314 315 /* 316 * On Solaris pam_unix_session.so updates the lastlog, but does 317 * not converse a PAM_TEXT_INFO message about it. So we need to 318 * fetch the lastlog entry here and save it for use later. 319 */ 320 authctxt->last_login_time = 321 get_last_login_time(authctxt->pw->pw_uid, 322 authctxt->pw->pw_name, 323 authctxt->last_login_host, 324 sizeof(authctxt->last_login_host)); 325 326 if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) { 327 retval = pam_open_session(authctxt->pam->h, 0); 328 authctxt->pam->last_pam_retval = retval; 329 if (retval != PAM_SUCCESS) 330 return retval; 331 authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION; 332 } 333 334 /* 335 * All PAM work done successfully. 336 * 337 * PAM handle stays around so we can call pam_close_session() on 338 * it later. 339 */ 340 return PAM_SUCCESS; 341 } 342 343 /* 344 * PAM conversation function for non-interactive userauth methods that 345 * really cannot do any prompting. Password userauth and CHANGEREQ can 346 * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid 347 * conversation (and if they do and nonetheless some module tries to 348 * converse, then password userauth / CHANGEREQ MUST fail). 349 * 350 * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled 351 * away and shown to the user later. 352 * 353 * Keyboard-interactive userauth has its own much more interesting 354 * conversation function. 355 * 356 */ 357 static int 358 do_pam_conversation(int num_msg, const struct pam_message **msg, 359 struct pam_response **resp, void *appdata_ptr) 360 { 361 struct pam_response *reply; 362 int count; 363 364 /* PAM will free this later */ 365 reply = xmalloc(num_msg * sizeof(*reply)); 366 367 (void) memset(reply, 0, num_msg * sizeof(*reply)); 368 369 for (count = 0; count < num_msg; count++) { 370 /* 371 * We can't use stdio yet, queue messages for 372 * printing later 373 */ 374 switch(PAM_MSG_MEMBER(msg, count, msg_style)) { 375 case PAM_PROMPT_ECHO_ON: 376 xfree(reply); 377 return PAM_CONV_ERR; 378 case PAM_PROMPT_ECHO_OFF: 379 xfree(reply); 380 return PAM_CONV_ERR; 381 break; 382 case PAM_ERROR_MSG: 383 case PAM_TEXT_INFO: 384 if (PAM_MSG_MEMBER(msg, count, msg) != NULL) { 385 message_cat(&__pam_msg, 386 PAM_MSG_MEMBER(msg, count, msg)); 387 } 388 reply[count].resp = xstrdup(""); 389 reply[count].resp_retcode = PAM_SUCCESS; 390 break; 391 default: 392 xfree(reply); 393 return PAM_CONV_ERR; 394 } 395 } 396 397 *resp = reply; 398 399 return PAM_SUCCESS; 400 } 401 402 /* Called at exit to cleanly shutdown PAM */ 403 static void 404 do_pam_cleanup_proc(void *context) 405 { 406 int pam_retval; 407 pam_stuff *pam = (pam_stuff *) context; 408 409 if (pam == NULL) 410 return; 411 412 if (pam->authctxt != NULL && pam->authctxt->pam == pam) { 413 pam->authctxt->pam_retval = pam->last_pam_retval; 414 pam->authctxt->pam = NULL; 415 pam->authctxt = NULL; 416 } 417 418 if (pam->h == NULL) 419 return; 420 421 /* 422 * We're in fatal_cleanup() or not in userauth or without a 423 * channel -- can't converse now, too bad. 424 */ 425 pam_retval = pam_set_item(pam->h, PAM_CONV, NULL); 426 if (pam_retval != PAM_SUCCESS) { 427 log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s", 428 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 429 goto cleanup; 430 } 431 432 if (pam->state & PAM_S_DONE_OPEN_SESSION) { 433 pam_retval = pam_close_session(pam->h, 0); 434 if (pam_retval != PAM_SUCCESS) 435 log("Cannot close PAM session[%d]: %.200s", 436 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 437 } 438 439 if (pam->state & PAM_S_DONE_SETCRED) { 440 pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED); 441 if (pam_retval != PAM_SUCCESS) 442 debug("Cannot delete credentials[%d]: %.200s", 443 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 444 } 445 446 cleanup: 447 448 /* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */ 449 if (pam->last_pam_retval != PAM_SUCCESS) 450 pam_retval = pam_end(pam->h, pam->last_pam_retval); 451 else if (pam_retval != PAM_SUCCESS) 452 pam_retval = pam_end(pam->h, pam_retval); 453 else 454 pam_retval = pam_end(pam->h, PAM_ABORT); 455 456 if (pam_retval != PAM_SUCCESS) 457 log("Cannot release PAM authentication[%d]: %.200s", 458 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 459 460 xfree(pam); 461 } 462 463 /* Attempt password authentation using PAM */ 464 int 465 auth_pam_password(Authctxt *authctxt, const char *password) 466 { 467 int retval; 468 469 /* Ensure we have a fresh PAM handle / state */ 470 new_start_pam(authctxt, &conv); 471 472 retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password); 473 if (retval != PAM_SUCCESS) { 474 authctxt->pam->last_pam_retval = retval; 475 return 1; 476 } 477 478 retval = pam_authenticate(authctxt->pam->h, 479 options.permit_empty_passwd ? 0 : 480 PAM_DISALLOW_NULL_AUTHTOK); 481 482 if (retval != PAM_SUCCESS) { 483 authctxt->pam->last_pam_retval = retval; 484 return 0; 485 } 486 487 if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS) 488 return 0; 489 490 if (authctxt->method) 491 authctxt->method->authenticated = 1; /* SSHv2 */ 492 493 return 1; 494 } 495 496 int 497 do_pam_non_initial_userauth(Authctxt *authctxt) 498 { 499 new_start_pam(authctxt, NULL); 500 return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS); 501 } 502 503 /* Cleanly shutdown PAM */ 504 void finish_pam(Authctxt *authctxt) 505 { 506 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam); 507 do_pam_cleanup_proc(authctxt->pam); 508 } 509 510 static 511 char ** 512 find_env(char **env, char *var) 513 { 514 char **p; 515 int len; 516 517 if (strchr(var, '=') == NULL) 518 len = strlen(var); 519 else 520 len = (strchr(var, '=') - var) + 1; 521 522 for ( p = env ; p != NULL && *p != NULL ; p++ ) { 523 if (strncmp(*p, var, len) == 0) 524 return (p); 525 } 526 527 return (NULL); 528 } 529 530 /* Return list of PAM environment strings */ 531 char ** 532 fetch_pam_environment(Authctxt *authctxt) 533 { 534 #ifdef HAVE_PAM_GETENVLIST 535 char **penv; 536 537 if (authctxt == NULL || authctxt->pam == NULL || 538 authctxt->pam->h == NULL) 539 return (NULL); 540 541 penv = pam_getenvlist(authctxt->pam->h); 542 543 return (penv); 544 #else /* HAVE_PAM_GETENVLIST */ 545 return(NULL); 546 #endif /* HAVE_PAM_GETENVLIST */ 547 } 548 549 void free_pam_environment(char **env) 550 { 551 int i; 552 553 if (env != NULL) { 554 for (i = 0; env[i] != NULL; i++) 555 xfree(env[i]); 556 } 557 558 xfree(env); 559 } 560 561 /* Print any messages that have been generated during authentication */ 562 /* or account checking to stderr */ 563 void print_pam_messages(void) 564 { 565 if (__pam_msg != NULL) 566 (void) fputs(__pam_msg, stderr); 567 } 568 569 /* Append a message to buffer */ 570 void message_cat(char **p, const char *a) 571 { 572 char *cp; 573 size_t new_len; 574 575 new_len = strlen(a); 576 577 if (*p) { 578 size_t len = strlen(*p); 579 580 *p = xrealloc(*p, new_len + len + 2); 581 cp = *p + len; 582 } else 583 *p = cp = xmalloc(new_len + 2); 584 585 (void) memcpy(cp, a, new_len); 586 cp[new_len] = '\n'; 587 cp[new_len + 1] = '\0'; 588 } 589 590 #endif /* USE_PAM */ 591