1 /* 2 * Copyright (c) 2000 Damien Miller. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 26 * Use is subject to license terms. 27 */ 28 29 #include "includes.h" 30 31 #ifdef USE_PAM 32 #include "xmalloc.h" 33 #include "log.h" 34 #include "auth.h" 35 #include "auth-options.h" 36 #include "auth-pam.h" 37 #include "buffer.h" 38 #include "servconf.h" 39 #include "canohost.h" 40 #include "compat.h" 41 #include "misc.h" 42 #include "sshlogin.h" 43 #include "ssh-gss.h" 44 45 #include <security/pam_appl.h> 46 47 extern char *__progname; 48 49 extern u_int utmp_len; 50 extern ServerOptions options; 51 52 extern Authmethod method_kbdint; 53 54 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); 55 56 #define NEW_AUTHTOK_MSG \ 57 "Warning: Your password has expired, please change it now." 58 59 /* PAM conversation for non-interactive userauth methods */ 60 static int do_pam_conversation(int num_msg, const struct pam_message **msg, 61 struct pam_response **resp, void *appdata_ptr); 62 63 static void do_pam_cleanup_proc(void *context); 64 65 static char *get_method_name(Authctxt *authctxt); 66 67 /* PAM conversation for non-interactive userauth methods */ 68 static struct pam_conv conv = { 69 (int (*)())do_pam_conversation, 70 NULL 71 }; 72 static char *__pam_msg = NULL; 73 74 static 75 char * 76 get_method_name(Authctxt *authctxt) 77 { 78 if (!authctxt) 79 return "(unknown)"; 80 81 if (!compat20) 82 return (authctxt->v1_auth_name) ? authctxt->v1_auth_name : 83 "(sshv1-unknown)"; 84 85 if (!authctxt->method || !authctxt->method->name) 86 return "(sshv2-unknown)"; 87 88 return authctxt->method->name; 89 } 90 91 const 92 char * 93 derive_pam_svc_name(Authmethod *method) 94 { 95 if (compat20 && method) { 96 char *method_name = method->name; 97 98 if (!method_name) 99 fatal("Userauth method unknown while starting PAM"); 100 101 /* For SSHv2 we use "sshd-<userauth name> */ 102 if (strcmp(method_name, "none") == 0) { 103 return "sshd-none"; 104 } 105 if (strcmp(method_name, "password") == 0) { 106 return "sshd-password"; 107 } 108 if (strcmp(method_name, "keyboard-interactive") == 0) { 109 /* "keyboard-interactive" is too long, shorten it */ 110 return "sshd-kbdint"; 111 } 112 if (strcmp(method_name, "publickey") == 0) { 113 /* "publickey" is too long, shorten it */ 114 return "sshd-pubkey"; 115 } 116 if (strcmp(method_name, "hostbased") == 0) { 117 /* "hostbased" can't really be shortened... */ 118 return "sshd-hostbased"; 119 } 120 if (strncmp(method_name, "gss", 3) == 0) { 121 /* "gss" is too short, elongate it */ 122 return "sshd-gssapi"; 123 } 124 } 125 126 return "sshd-v1"; /* SSHv1 doesn't get to be so cool */ 127 } 128 129 void 130 new_start_pam(Authctxt *authctxt, struct pam_conv *conv) 131 { 132 int retval; 133 pam_handle_t *pamh; 134 const char *rhost, *svc; 135 char *user = NULL; 136 pam_stuff *pam; 137 138 if (authctxt == NULL) 139 fatal("Internal error during userauth"); 140 141 if (compat20 && authctxt->method == NULL) 142 fatal("Userauth method unknown while starting PAM"); 143 144 /* PAM service selected here */ 145 svc = derive_pam_svc_name(authctxt->method); 146 debug2("Starting PAM service %s for method %s", svc, 147 get_method_name(authctxt)); 148 149 if (authctxt->user != NULL) 150 user = authctxt->user; 151 152 /* Cleanup previous PAM state */ 153 if (authctxt->pam != NULL) { 154 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam); 155 do_pam_cleanup_proc(authctxt->pam); 156 } 157 158 pam = xmalloc(sizeof(pam_stuff)); 159 (void) memset(pam, 0, sizeof(pam_stuff)); 160 161 /* 162 * pam->last_pam_retval has to be and is considered 163 * along with pam->state. 164 * 165 * pam->state = 0; -> no PAM auth, account, etc, work 166 * done yet. (Set by memset() above.) 167 * 168 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at 169 * this point. 170 * 171 * See finish_userauth_do_pam() below. 172 */ 173 pam->authctxt = authctxt; 174 pam->last_pam_retval = PAM_SUCCESS; 175 176 authctxt->pam = pam; 177 178 /* Free any previously stored text/error PAM prompts */ 179 if (__pam_msg) { 180 xfree(__pam_msg); 181 __pam_msg = NULL; 182 } 183 184 if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) { 185 fatal("PAM initialization failed during %s userauth", 186 get_method_name(authctxt)); 187 } 188 189 fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc, 190 (void *) authctxt->pam); 191 192 rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping); 193 if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) { 194 (void) pam_end(pamh, retval); 195 fatal("Could not set PAM_RHOST item during %s userauth", 196 get_method_name(authctxt)); 197 } 198 199 if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) { 200 (void) pam_end(pamh, retval); 201 fatal("Could not set PAM_TTY item during %s userauth", 202 get_method_name(authctxt)); 203 } 204 205 if (authctxt->cuser != NULL) 206 if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) { 207 (void) pam_end(pamh, retval); 208 fatal("Could not set PAM_AUSER item during %s userauth", 209 get_method_name(authctxt)); 210 } 211 212 authctxt->pam->h = pamh; 213 } 214 215 /* 216 * To be called from userauth methods, directly (as in keyboard-interactive) or 217 * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth(). 218 * 219 * The caller is responsible for calling new_start_pam() first. 220 * 221 * PAM state is not cleaned up here on error. This is left to subsequent calls 222 * to new_start_pam() or to the cleanup function upon authentication error. 223 */ 224 int 225 finish_userauth_do_pam(Authctxt *authctxt) 226 { 227 int retval; 228 char *user, *method; 229 230 /* Various checks; fail gracefully */ 231 if (authctxt == NULL || authctxt->pam == NULL) 232 return PAM_SYSTEM_ERR; /* shouldn't happen */ 233 234 if (compat20) { 235 if (authctxt->method == NULL || authctxt->method->name == NULL) 236 return PAM_SYSTEM_ERR; /* shouldn't happen */ 237 method = authctxt->method->name; 238 } else if ((method = authctxt->v1_auth_name) == NULL) 239 return PAM_SYSTEM_ERR; /* shouldn't happen */ 240 241 if (AUTHPAM_DONE(authctxt)) 242 return PAM_SYSTEM_ERR; /* shouldn't happen */ 243 244 if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) { 245 retval = pam_acct_mgmt(authctxt->pam->h, 0); 246 authctxt->pam->last_pam_retval = retval; 247 if (retval == PAM_NEW_AUTHTOK_REQD) { 248 userauth_force_kbdint(); 249 return retval; 250 } 251 if (retval != PAM_SUCCESS) 252 return retval; 253 authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT; 254 } 255 256 /* 257 * Handle PAM_USER change, if any. 258 * 259 * We do this before pam_open_session() because we need the PAM_USER's 260 * UID for: 261 * 262 * a) PermitRootLogin checking 263 * b) to get at the lastlog entry before pam_open_session() updates it. 264 */ 265 retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user); 266 if (retval != PAM_SUCCESS) { 267 fatal("PAM failure: pam_get_item(PAM_USER) " 268 "returned %d: %.200s", retval, 269 PAM_STRERROR(authctxt->pam->h, retval)); 270 } 271 272 if (user == NULL || *user == '\0') { 273 debug("PAM set NULL PAM_USER"); 274 return PAM_PERM_DENIED; 275 } 276 277 if (strcmp(user, authctxt->user) != 0) { 278 log("PAM changed the SSH username"); 279 pwfree(&authctxt->pw); 280 authctxt->pw = getpwnamallow(user); 281 authctxt->valid = (authctxt->pw != NULL); 282 xfree(authctxt->user); 283 authctxt->user = xstrdup(user); 284 } 285 286 if (!authctxt->valid) { 287 debug2("PAM set PAM_USER to unknown user"); 288 /* 289 * Return success, userauth_finish() will catch 290 * this and send back a failure message. 291 */ 292 return PAM_SUCCESS; 293 } 294 295 /* Check PermitRootLogin semantics */ 296 if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) 297 return PAM_PERM_DENIED; 298 299 if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) { 300 retval = pam_setcred(authctxt->pam->h, 301 PAM_ESTABLISH_CRED); 302 authctxt->pam->last_pam_retval = retval; 303 if (retval != PAM_SUCCESS) 304 return retval; 305 authctxt->pam->state |= PAM_S_DONE_SETCRED; 306 307 #ifdef GSSAPI 308 /* 309 * Store GSS-API delegated creds after pam_setcred(), which may 310 * have set the current credential store. 311 */ 312 ssh_gssapi_storecreds(NULL, authctxt); 313 #endif /* GSSAPI */ 314 } 315 316 /* 317 * On Solaris pam_unix_session.so updates the lastlog, but does 318 * not converse a PAM_TEXT_INFO message about it. So we need to 319 * fetch the lastlog entry here and save it for use later. 320 */ 321 authctxt->last_login_time = 322 get_last_login_time(authctxt->pw->pw_uid, 323 authctxt->pw->pw_name, 324 authctxt->last_login_host, 325 sizeof(authctxt->last_login_host)); 326 327 if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) { 328 retval = pam_open_session(authctxt->pam->h, 0); 329 authctxt->pam->last_pam_retval = retval; 330 if (retval != PAM_SUCCESS) 331 return retval; 332 authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION; 333 } 334 335 /* 336 * All PAM work done successfully. 337 * 338 * PAM handle stays around so we can call pam_close_session() on 339 * it later. 340 */ 341 return PAM_SUCCESS; 342 } 343 344 /* 345 * PAM conversation function for non-interactive userauth methods that 346 * really cannot do any prompting. Password userauth and CHANGEREQ can 347 * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid 348 * conversation (and if they do and nonetheless some module tries to 349 * converse, then password userauth / CHANGEREQ MUST fail). 350 * 351 * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled 352 * away and shown to the user later. 353 * 354 * Keyboard-interactive userauth has its own much more interesting 355 * conversation function. 356 * 357 */ 358 static int 359 do_pam_conversation(int num_msg, const struct pam_message **msg, 360 struct pam_response **resp, void *appdata_ptr) 361 { 362 struct pam_response *reply; 363 int count; 364 365 /* PAM will free this later */ 366 reply = xmalloc(num_msg * sizeof(*reply)); 367 368 (void) memset(reply, 0, num_msg * sizeof(*reply)); 369 370 for (count = 0; count < num_msg; count++) { 371 /* 372 * We can't use stdio yet, queue messages for 373 * printing later 374 */ 375 switch(PAM_MSG_MEMBER(msg, count, msg_style)) { 376 case PAM_PROMPT_ECHO_ON: 377 xfree(reply); 378 return PAM_CONV_ERR; 379 case PAM_PROMPT_ECHO_OFF: 380 xfree(reply); 381 return PAM_CONV_ERR; 382 break; 383 case PAM_ERROR_MSG: 384 case PAM_TEXT_INFO: 385 if (PAM_MSG_MEMBER(msg, count, msg) != NULL) { 386 message_cat(&__pam_msg, 387 PAM_MSG_MEMBER(msg, count, msg)); 388 } 389 reply[count].resp = xstrdup(""); 390 reply[count].resp_retcode = PAM_SUCCESS; 391 break; 392 default: 393 xfree(reply); 394 return PAM_CONV_ERR; 395 } 396 } 397 398 *resp = reply; 399 400 return PAM_SUCCESS; 401 } 402 403 /* Called at exit to cleanly shutdown PAM */ 404 static void 405 do_pam_cleanup_proc(void *context) 406 { 407 int pam_retval; 408 pam_stuff *pam = (pam_stuff *) context; 409 410 if (pam == NULL) 411 return; 412 413 if (pam->authctxt != NULL && pam->authctxt->pam == pam) { 414 pam->authctxt->pam_retval = pam->last_pam_retval; 415 pam->authctxt->pam = NULL; 416 pam->authctxt = NULL; 417 } 418 419 if (pam->h == NULL) 420 return; 421 422 /* 423 * We're in fatal_cleanup() or not in userauth or without a 424 * channel -- can't converse now, too bad. 425 */ 426 pam_retval = pam_set_item(pam->h, PAM_CONV, NULL); 427 if (pam_retval != PAM_SUCCESS) { 428 log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s", 429 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 430 goto cleanup; 431 } 432 433 if (pam->state & PAM_S_DONE_OPEN_SESSION) { 434 pam_retval = pam_close_session(pam->h, 0); 435 if (pam_retval != PAM_SUCCESS) 436 log("Cannot close PAM session[%d]: %.200s", 437 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 438 } 439 440 if (pam->state & PAM_S_DONE_SETCRED) { 441 pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED); 442 if (pam_retval != PAM_SUCCESS) 443 debug("Cannot delete credentials[%d]: %.200s", 444 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 445 } 446 447 cleanup: 448 449 /* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */ 450 if (pam->last_pam_retval != PAM_SUCCESS) 451 pam_retval = pam_end(pam->h, pam->last_pam_retval); 452 else if (pam_retval != PAM_SUCCESS) 453 pam_retval = pam_end(pam->h, pam_retval); 454 else 455 pam_retval = pam_end(pam->h, PAM_ABORT); 456 457 if (pam_retval != PAM_SUCCESS) 458 log("Cannot release PAM authentication[%d]: %.200s", 459 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 460 461 xfree(pam); 462 } 463 464 /* Attempt password authentation using PAM */ 465 int 466 auth_pam_password(Authctxt *authctxt, const char *password) 467 { 468 int retval; 469 470 /* Ensure we have a fresh PAM handle / state */ 471 new_start_pam(authctxt, &conv); 472 473 retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password); 474 if (retval != PAM_SUCCESS) { 475 authctxt->pam->last_pam_retval = retval; 476 return 1; 477 } 478 479 retval = pam_authenticate(authctxt->pam->h, 480 options.permit_empty_passwd ? 0 : 481 PAM_DISALLOW_NULL_AUTHTOK); 482 483 if (retval != PAM_SUCCESS) { 484 authctxt->pam->last_pam_retval = retval; 485 return 0; 486 } 487 488 if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS) 489 return 0; 490 491 if (authctxt->method) 492 authctxt->method->authenticated = 1; /* SSHv2 */ 493 494 return 1; 495 } 496 497 int 498 do_pam_non_initial_userauth(Authctxt *authctxt) 499 { 500 new_start_pam(authctxt, NULL); 501 return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS); 502 } 503 504 /* Cleanly shutdown PAM */ 505 void finish_pam(Authctxt *authctxt) 506 { 507 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam); 508 do_pam_cleanup_proc(authctxt->pam); 509 } 510 511 static 512 char ** 513 find_env(char **env, char *var) 514 { 515 char **p; 516 int len; 517 518 if (strchr(var, '=') == NULL) 519 len = strlen(var); 520 else 521 len = (strchr(var, '=') - var) + 1; 522 523 for ( p = env ; p != NULL && *p != NULL ; p++ ) { 524 if (strncmp(*p, var, len) == 0) 525 return (p); 526 } 527 528 return (NULL); 529 } 530 531 /* Return list of PAM environment strings */ 532 char ** 533 fetch_pam_environment(Authctxt *authctxt) 534 { 535 #ifdef HAVE_PAM_GETENVLIST 536 char **penv; 537 538 if (authctxt == NULL || authctxt->pam == NULL || 539 authctxt->pam->h == NULL) 540 return (NULL); 541 542 penv = pam_getenvlist(authctxt->pam->h); 543 544 return (penv); 545 #else /* HAVE_PAM_GETENVLIST */ 546 return(NULL); 547 #endif /* HAVE_PAM_GETENVLIST */ 548 } 549 550 void free_pam_environment(char **env) 551 { 552 int i; 553 554 if (env != NULL) { 555 for (i = 0; env[i] != NULL; i++) 556 xfree(env[i]); 557 } 558 559 xfree(env); 560 } 561 562 /* Print any messages that have been generated during authentication */ 563 /* or account checking to stderr */ 564 void print_pam_messages(void) 565 { 566 if (__pam_msg != NULL) 567 (void) fputs(__pam_msg, stderr); 568 } 569 570 /* Append a message to buffer */ 571 void message_cat(char **p, const char *a) 572 { 573 char *cp; 574 size_t new_len; 575 576 new_len = strlen(a); 577 578 if (*p) { 579 size_t len = strlen(*p); 580 581 *p = xrealloc(*p, new_len + len + 2); 582 cp = *p + len; 583 } else 584 *p = cp = xmalloc(new_len + 2); 585 586 (void) memcpy(cp, a, new_len); 587 cp[new_len] = '\n'; 588 cp[new_len + 1] = '\0'; 589 } 590 591 #endif /* USE_PAM */ 592