1 /* 2 * Copyright (c) 2000 Damien Miller. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 26 * Use is subject to license terms. 27 */ 28 29 #include "includes.h" 30 31 #ifdef USE_PAM 32 #include "xmalloc.h" 33 #include "log.h" 34 #include "auth.h" 35 #include "auth-options.h" 36 #include "auth-pam.h" 37 #include "servconf.h" 38 #include "canohost.h" 39 #include "compat.h" 40 #include "misc.h" 41 #include "sshlogin.h" 42 #include "monitor_wrap.h" 43 44 #include <security/pam_appl.h> 45 46 extern char *__progname; 47 48 extern int use_privsep; 49 50 extern u_int utmp_len; 51 extern ServerOptions options; 52 53 extern Authmethod method_kbdint; 54 55 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); 56 57 #pragma ident "%Z%%M% %I% %E% SMI" 58 59 #define NEW_AUTHTOK_MSG \ 60 "Warning: Your password has expired, please change it now." 61 #define NEW_AUTHTOK_MSG_PRIVSEP \ 62 "Your password has expired, the session cannot proceed." 63 64 /* PAM conversation for non-interactive userauth methods */ 65 static int do_pam_conversation(int num_msg, const struct pam_message **msg, 66 struct pam_response **resp, void *appdata_ptr); 67 68 static void do_pam_cleanup_proc(void *context); 69 70 static char *get_method_name(Authctxt *authctxt); 71 72 /* PAM conversation for non-interactive userauth methods */ 73 static struct pam_conv conv = { 74 (int (*)())do_pam_conversation, 75 NULL 76 }; 77 static char *__pam_msg = NULL; 78 79 static 80 char * 81 get_method_name(Authctxt *authctxt) 82 { 83 if (!authctxt) 84 return "(unknown)"; 85 86 if (!compat20) 87 return (authctxt->v1_auth_name) ? authctxt->v1_auth_name : 88 "(sshv1-unknown)"; 89 90 if (!authctxt->method || !authctxt->method->name) 91 return "(sshv2-unknown)"; 92 93 return authctxt->method->name; 94 } 95 96 const 97 char * 98 derive_pam_svc_name(Authmethod *method) 99 { 100 if (compat20 && method) { 101 char *method_name = method->name; 102 103 if (!method_name) 104 fatal("Userauth method unknown while starting PAM"); 105 106 /* For SSHv2 we use "sshd-<userauth name> */ 107 if (strcmp(method_name, "none") == 0) { 108 return "sshd-none"; 109 } 110 if (strcmp(method_name, "password") == 0) { 111 return "sshd-password"; 112 } 113 if (strcmp(method_name, "keyboard-interactive") == 0) { 114 /* "keyboard-interactive" is too long, shorten it */ 115 return "sshd-kbdint"; 116 } 117 if (strcmp(method_name, "publickey") == 0) { 118 /* "publickey" is too long, shorten it */ 119 return "sshd-pubkey"; 120 } 121 if (strcmp(method_name, "hostbased") == 0) { 122 /* "hostbased" can't really be shortened... */ 123 return "sshd-hostbased"; 124 } 125 if (strncmp(method_name, "gss", 3) == 0) { 126 /* "gss" is too short, elongate it */ 127 return "sshd-gssapi"; 128 } 129 } 130 131 return "sshd-v1"; /* SSHv1 doesn't get to be so cool */ 132 } 133 134 void 135 new_start_pam(Authctxt *authctxt, struct pam_conv *conv) 136 { 137 int retval; 138 pam_handle_t *pamh; 139 const char *rhost, *svc; 140 char *user = NULL; 141 pam_stuff *pam; 142 143 if (authctxt == NULL) 144 fatal("Internal error during userauth"); 145 146 if (compat20 && authctxt->method == NULL) 147 fatal("Userauth method unknown while starting PAM"); 148 149 /* PAM service selected here */ 150 svc = derive_pam_svc_name(authctxt->method); 151 debug2("Starting PAM service %s for method %s", svc, 152 get_method_name(authctxt)); 153 154 if (authctxt->user != NULL) 155 user = authctxt->user; 156 157 /* Cleanup previous PAM state */ 158 if (authctxt->pam != NULL) { 159 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam); 160 do_pam_cleanup_proc(authctxt->pam); 161 } 162 163 pam = xmalloc(sizeof(pam_stuff)); 164 (void) memset(pam, 0, sizeof(pam_stuff)); 165 166 /* 167 * pam->last_pam_retval has to be and is considered 168 * along with pam->state. 169 * 170 * pam->state = 0; -> no PAM auth, account, etc, work 171 * done yet. (Set by memset() above.) 172 * 173 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at 174 * this point. 175 * 176 * See finish_userauth_do_pam() below. 177 */ 178 pam->authctxt = authctxt; 179 pam->last_pam_retval = PAM_SUCCESS; 180 181 authctxt->pam = pam; 182 183 /* Free any previously stored text/error PAM prompts */ 184 if (__pam_msg) { 185 xfree(__pam_msg); 186 __pam_msg = NULL; 187 } 188 189 if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) { 190 fatal("PAM initialization failed during %s userauth", 191 get_method_name(authctxt)); 192 } 193 194 fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc, 195 (void *) authctxt->pam); 196 197 rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping); 198 if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) { 199 (void) pam_end(pamh, retval); 200 fatal("Could not set PAM_RHOST item during %s userauth", 201 get_method_name(authctxt)); 202 } 203 204 if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) { 205 (void) pam_end(pamh, retval); 206 fatal("Could not set PAM_TTY item during %s userauth", 207 get_method_name(authctxt)); 208 } 209 210 if (authctxt->cuser != NULL) 211 if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) { 212 (void) pam_end(pamh, retval); 213 fatal("Could not set PAM_AUSER item during %s userauth", 214 get_method_name(authctxt)); 215 } 216 217 authctxt->pam->h = pamh; 218 } 219 220 /* 221 * To be called from userauth methods, directly (as in keyboard-interactive) or 222 * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth(). 223 * 224 * The caller is responsible for calling new_start_pam() first. 225 * 226 * PAM state is not cleaned up here on error. This is left to subsequent calls 227 * to new_start_pam() or to the cleanup function upon authentication error. 228 */ 229 int 230 finish_userauth_do_pam(Authctxt *authctxt) 231 { 232 int retval; 233 char *user, *method; 234 235 /* Various checks; fail gracefully */ 236 if (authctxt == NULL || authctxt->pam == NULL) 237 return PAM_SYSTEM_ERR; /* shouldn't happen */ 238 239 if (compat20) { 240 if (authctxt->method == NULL || authctxt->method->name == NULL) 241 return PAM_SYSTEM_ERR; /* shouldn't happen */ 242 method = authctxt->method->name; 243 } else if ((method = authctxt->v1_auth_name) == NULL) 244 return PAM_SYSTEM_ERR; /* shouldn't happen */ 245 246 if (AUTHPAM_DONE(authctxt)) 247 return PAM_SYSTEM_ERR; /* shouldn't happen */ 248 249 if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) { 250 retval = pam_acct_mgmt(authctxt->pam->h, 0); 251 authctxt->pam->last_pam_retval = retval; 252 if (retval == PAM_NEW_AUTHTOK_REQD) { 253 userauth_force_kbdint(); 254 return retval; 255 } 256 if (retval != PAM_SUCCESS) 257 return retval; 258 authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT; 259 } 260 261 /* 262 * Handle PAM_USER change, if any. 263 * 264 * We do this before pam_open_session() because we need the PAM_USER's 265 * UID for: 266 * 267 * a) PermitRootLogin checking 268 * b) to get at the lastlog entry before pam_open_session() updates it. 269 */ 270 retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user); 271 if (retval != PAM_SUCCESS) { 272 fatal("PAM failure: pam_get_item(PAM_USER) " 273 "returned %d: %.200s", retval, 274 PAM_STRERROR(authctxt->pam->h, retval)); 275 } 276 277 if (user == NULL || *user == '\0') { 278 debug("PAM set NULL PAM_USER"); 279 return PAM_PERM_DENIED; 280 } 281 282 if (strcmp(user, authctxt->user) != 0) { 283 log("PAM changed the SSH username"); 284 pwfree(&authctxt->pw); 285 authctxt->pw = PRIVSEP(getpwnamallow(user)); 286 authctxt->valid = (authctxt->pw != NULL); 287 xfree(authctxt->user); 288 authctxt->user = xstrdup(user); 289 } 290 291 if (!authctxt->valid) { 292 debug2("PAM set PAM_USER to unknown user"); 293 /* 294 * Return success, userauth_finish() will catch 295 * this and send back a failure message. 296 */ 297 return PAM_SUCCESS; 298 } 299 300 /* Check PermitRootLogin semantics */ 301 if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) 302 return PAM_PERM_DENIED; 303 304 if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) { 305 retval = pam_setcred(authctxt->pam->h, 306 PAM_ESTABLISH_CRED); 307 authctxt->pam->last_pam_retval = retval; 308 if (retval != PAM_SUCCESS) 309 return retval; 310 authctxt->pam->state |= PAM_S_DONE_SETCRED; 311 312 #ifdef GSSAPI 313 /* 314 * Store GSS-API delegated creds after pam_setcred(), which may 315 * have set the current credential store. 316 */ 317 ssh_gssapi_storecreds(NULL, authctxt); 318 #endif /* GSSAPI */ 319 } 320 321 /* 322 * On Solaris pam_unix_session.so updates the lastlog, but does 323 * not converse a PAM_TEXT_INFO message about it. So we need to 324 * fetch the lastlog entry here and save it for use later. 325 */ 326 authctxt->last_login_time = 327 get_last_login_time(authctxt->pw->pw_uid, 328 authctxt->pw->pw_name, 329 authctxt->last_login_host, 330 sizeof(authctxt->last_login_host)); 331 332 if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) { 333 retval = pam_open_session(authctxt->pam->h, 0); 334 authctxt->pam->last_pam_retval = retval; 335 if (retval != PAM_SUCCESS) 336 return retval; 337 authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION; 338 } 339 340 /* 341 * All PAM work done successfully. 342 * 343 * PAM handle stays around so we can call pam_close_session() on 344 * it later. 345 */ 346 return PAM_SUCCESS; 347 } 348 349 /* 350 * PAM conversation function for non-interactive userauth methods that 351 * really cannot do any prompting. Password userauth and CHANGEREQ can 352 * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid 353 * conversation (and if they do and nonetheless some module tries to 354 * converse, then password userauth / CHANGEREQ MUST fail). 355 * 356 * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled 357 * away and shown to the user later. 358 * 359 * Keyboard-interactive userauth has its own much more interesting 360 * conversation function. 361 * 362 */ 363 static int 364 do_pam_conversation(int num_msg, const struct pam_message **msg, 365 struct pam_response **resp, void *appdata_ptr) 366 { 367 struct pam_response *reply; 368 int count; 369 370 /* PAM will free this later */ 371 reply = xmalloc(num_msg * sizeof(*reply)); 372 373 (void) memset(reply, 0, num_msg * sizeof(*reply)); 374 375 for (count = 0; count < num_msg; count++) { 376 /* 377 * We can't use stdio yet, queue messages for 378 * printing later 379 */ 380 switch(PAM_MSG_MEMBER(msg, count, msg_style)) { 381 case PAM_PROMPT_ECHO_ON: 382 xfree(reply); 383 return PAM_CONV_ERR; 384 case PAM_PROMPT_ECHO_OFF: 385 xfree(reply); 386 return PAM_CONV_ERR; 387 break; 388 case PAM_ERROR_MSG: 389 case PAM_TEXT_INFO: 390 if (PAM_MSG_MEMBER(msg, count, msg) != NULL) { 391 message_cat(&__pam_msg, 392 PAM_MSG_MEMBER(msg, count, msg)); 393 } 394 reply[count].resp = xstrdup(""); 395 reply[count].resp_retcode = PAM_SUCCESS; 396 break; 397 default: 398 xfree(reply); 399 return PAM_CONV_ERR; 400 } 401 } 402 403 *resp = reply; 404 405 return PAM_SUCCESS; 406 } 407 408 /* Called at exit to cleanly shutdown PAM */ 409 static void 410 do_pam_cleanup_proc(void *context) 411 { 412 int pam_retval; 413 pam_stuff *pam = (pam_stuff *) context; 414 415 if (pam == NULL) 416 return; 417 418 if (pam->authctxt != NULL && pam->authctxt->pam == pam) { 419 pam->authctxt->pam_retval = pam->last_pam_retval; 420 pam->authctxt->pam = NULL; 421 pam->authctxt = NULL; 422 } 423 424 if (pam->h == NULL) 425 return; 426 427 /* 428 * We're in fatal_cleanup() or not in userauth or without a 429 * channel -- can't converse now, too bad. 430 */ 431 pam_retval = pam_set_item(pam->h, PAM_CONV, NULL); 432 if (pam_retval != PAM_SUCCESS) { 433 log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s", 434 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 435 goto cleanup; 436 } 437 438 if (pam->state & PAM_S_DONE_OPEN_SESSION) { 439 pam_retval = pam_close_session(pam->h, 0); 440 if (pam_retval != PAM_SUCCESS) 441 log("Cannot close PAM session[%d]: %.200s", 442 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 443 } 444 445 if (pam->state & PAM_S_DONE_SETCRED) { 446 pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED); 447 if (pam_retval != PAM_SUCCESS) 448 debug("Cannot delete credentials[%d]: %.200s", 449 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 450 } 451 452 cleanup: 453 454 /* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */ 455 if (pam->last_pam_retval != PAM_SUCCESS) 456 pam_retval = pam_end(pam->h, pam->last_pam_retval); 457 else if (pam_retval != PAM_SUCCESS) 458 pam_retval = pam_end(pam->h, pam_retval); 459 else 460 pam_retval = pam_end(pam->h, PAM_ABORT); 461 462 if (pam_retval != PAM_SUCCESS) 463 log("Cannot release PAM authentication[%d]: %.200s", 464 pam_retval, PAM_STRERROR(pam->h, pam_retval)); 465 466 xfree(pam); 467 } 468 469 /* Attempt password authentation using PAM */ 470 int 471 auth_pam_password(Authctxt *authctxt, const char *password) 472 { 473 int retval; 474 475 /* Ensure we have a fresh PAM handle / state */ 476 new_start_pam(authctxt, &conv); 477 478 retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password); 479 if (retval != PAM_SUCCESS) 480 return 1; 481 482 retval = pam_authenticate(authctxt->pam->h, 483 options.permit_empty_passwd ? 0 : 484 PAM_DISALLOW_NULL_AUTHTOK); 485 486 if (retval != PAM_SUCCESS) 487 return 0; 488 489 if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS) 490 return 0; 491 492 if (authctxt->method) 493 authctxt->method->authenticated = 1; /* SSHv2 */ 494 495 return 1; 496 } 497 498 int 499 do_pam_non_initial_userauth(Authctxt *authctxt) 500 { 501 new_start_pam(authctxt, NULL); 502 return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS); 503 } 504 505 /* Cleanly shutdown PAM */ 506 void finish_pam(Authctxt *authctxt) 507 { 508 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam); 509 do_pam_cleanup_proc(authctxt->pam); 510 } 511 512 static 513 char ** 514 find_env(char **env, char *var) 515 { 516 char **p; 517 int len; 518 519 if (strchr(var, '=') == NULL) 520 len = strlen(var); 521 else 522 len = (strchr(var, '=') - var) + 1; 523 524 for ( p = env ; p != NULL && *p != NULL ; p++ ) { 525 if (strncmp(*p, var, len) == 0) 526 return (p); 527 } 528 529 return (NULL); 530 } 531 532 /* Return list of PAM environment strings */ 533 char ** 534 fetch_pam_environment(Authctxt *authctxt) 535 { 536 #ifdef HAVE_PAM_GETENVLIST 537 char **penv; 538 539 if (authctxt == NULL || authctxt->pam == NULL || 540 authctxt->pam->h == NULL) 541 return (NULL); 542 543 penv = pam_getenvlist(authctxt->pam->h); 544 545 return (penv); 546 #else /* HAVE_PAM_GETENVLIST */ 547 return(NULL); 548 #endif /* HAVE_PAM_GETENVLIST */ 549 } 550 551 void free_pam_environment(char **env) 552 { 553 int i; 554 555 if (env != NULL) { 556 for (i = 0; env[i] != NULL; i++) 557 xfree(env[i]); 558 } 559 560 xfree(env); 561 } 562 563 /* Print any messages that have been generated during authentication */ 564 /* or account checking to stderr */ 565 void print_pam_messages(void) 566 { 567 if (__pam_msg != NULL) 568 (void) fputs(__pam_msg, stderr); 569 } 570 571 /* Append a message to buffer */ 572 void message_cat(char **p, const char *a) 573 { 574 char *cp; 575 size_t new_len; 576 577 new_len = strlen(a); 578 579 if (*p) { 580 size_t len = strlen(*p); 581 582 *p = xrealloc(*p, new_len + len + 2); 583 cp = *p + len; 584 } else 585 *p = cp = xmalloc(new_len + 2); 586 587 (void) memcpy(cp, a, new_len); 588 cp[new_len] = '\n'; 589 cp[new_len + 1] = '\0'; 590 } 591 592 #endif /* USE_PAM */ 593