xref: /titanic_41/usr/src/cmd/ssh/sshd/gss-serv.c (revision 2a8d6eba033e4713ab12b61178f0513f1f075482)
1 /*
2  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 /*
25  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
26  * Use is subject to license terms.
27  */
28 
29 #include "includes.h"
30 
31 #ifdef GSSAPI
32 
33 #pragma ident	"%Z%%M%	%I%	%E% SMI"
34 
35 #include "includes.h"
36 #include "ssh.h"
37 #include "ssh2.h"
38 #include "xmalloc.h"
39 #include "buffer.h"
40 #include "bufaux.h"
41 #include "packet.h"
42 #include "compat.h"
43 #include <openssl/evp.h>
44 #include "cipher.h"
45 #include "kex.h"
46 #include "auth.h"
47 #include "log.h"
48 #include "channels.h"
49 #include "session.h"
50 #include "dispatch.h"
51 #include "servconf.h"
52 #include "uidswap.h"
53 #include "compat.h"
54 #include <pwd.h>
55 
56 #include "ssh-gss.h"
57 
58 extern char **environ;
59 
60 extern ServerOptions options;
61 extern uchar_t *session_id2;
62 extern int session_id2_len;
63 
64 Gssctxt	*xxx_gssctxt;
65 
66 void
67 ssh_gssapi_server_kex_hook(Kex *kex, char **proposal)
68 {
69 	gss_OID_set mechs = GSS_C_NULL_OID_SET;
70 
71 	if (kex == NULL || !kex->server)
72 		fatal("INTERNAL ERROR (%s)", __func__);
73 
74 	ssh_gssapi_server_mechs(&mechs);
75 	ssh_gssapi_modify_kex(kex, mechs, proposal);
76 }
77 
78 void
79 ssh_gssapi_server_mechs(gss_OID_set *mechs)
80 {
81 	static gss_OID_set	supported = GSS_C_NULL_OID_SET;
82 	gss_OID_set	s, acquired, indicated = GSS_C_NULL_OID_SET;
83 	gss_cred_id_t	creds;
84 	OM_uint32	maj, min;
85 	int		i;
86 
87 	if (!mechs) {
88 		(void) gss_release_oid_set(&min, &supported);
89 		return;
90 	}
91 
92 	if (supported != GSS_C_NULL_OID_SET) {
93 		*mechs = supported;
94 		return;
95 	}
96 
97 	*mechs = GSS_C_NULL_OID_SET;
98 
99 	maj = gss_create_empty_oid_set(&min, &s);
100 	if (GSS_ERROR(maj)) {
101 		debug("Could not allocate GSS-API resources (%s)",
102 		    ssh_gssapi_last_error(NULL, &maj, &min));
103 		return;
104 	}
105 
106 	maj = gss_indicate_mechs(&min, &indicated);
107 	if (GSS_ERROR(maj)) {
108 		debug("No GSS-API mechanisms are installed");
109 		return;
110 	}
111 
112 	maj = gss_acquire_cred(&min, GSS_C_NO_NAME, 0, indicated,
113 	    GSS_C_ACCEPT, &creds, &acquired, NULL);
114 
115 	if (GSS_ERROR(maj))
116 		debug("Failed to acquire GSS-API credentials for any "
117 		    "mechanisms (%s)", ssh_gssapi_last_error(NULL, &maj, &min));
118 
119 	(void) gss_release_oid_set(&min, &indicated);
120 	(void) gss_release_cred(&min, &creds);
121 
122 	if (acquired == GSS_C_NULL_OID_SET || acquired->count == 0)
123 		return;
124 
125 	for (i = 0; i < acquired->count; i++) {
126 		if (ssh_gssapi_is_spnego(&acquired->elements[i]))
127 			continue;
128 
129 		maj = gss_add_oid_set_member(&min, &acquired->elements[i], &s);
130 		if (GSS_ERROR(maj)) {
131 			debug("Could not allocate GSS-API resources (%s)",
132 			    ssh_gssapi_last_error(NULL, &maj, &min));
133 			return;
134 		}
135 	}
136 	(void) gss_release_oid_set(&min, &acquired);
137 
138 	if (s->count) {
139 		supported = s;
140 		*mechs = s;
141 	}
142 }
143 
144 /*
145  * Wrapper around accept_sec_context. Requires that the context contains:
146  *
147  *    oid
148  *    credentials	(from ssh_gssapi_acquire_cred)
149  */
150 /* Priviledged */
151 OM_uint32
152 ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_t recv_tok,
153     gss_buffer_t send_tok)
154 {
155 	/*
156 	 * Acquiring a cred for the ctx->desired_mech for GSS_C_NO_NAME
157 	 * may well be probably better than using GSS_C_NO_CREDENTIAL
158 	 * and then checking that ctx->desired_mech agrees with
159 	 * ctx->actual_mech...
160 	 */
161 	ctx->major = gss_accept_sec_context(&ctx->minor, &ctx->context,
162 	    GSS_C_NO_CREDENTIAL, recv_tok, GSS_C_NO_CHANNEL_BINDINGS,
163 	    &ctx->src_name, &ctx->actual_mech, send_tok, &ctx->flags,
164 	    NULL, &ctx->deleg_creds);
165 
166 	if (GSS_ERROR(ctx->major))
167 		ssh_gssapi_error(ctx, "accepting security context");
168 
169 	if (ctx->major == GSS_S_CONTINUE_NEEDED && send_tok->length == 0)
170 		fatal("Zero length GSS context token output when "
171 		    "continue needed");
172 	else if (GSS_ERROR(ctx->major) && send_tok->length == 0)
173 		debug2("Zero length GSS context error token output");
174 
175 	if (ctx->major == GSS_S_COMPLETE &&
176 	    ctx->desired_mech != GSS_C_NULL_OID &&
177 	    (ctx->desired_mech->length != ctx->actual_mech->length ||
178 	    memcmp(ctx->desired_mech->elements, ctx->actual_mech->elements,
179 	    ctx->desired_mech->length) != 0)) {
180 
181 		gss_OID_set supported;
182 		OM_uint32 min;
183 		int present = 0;
184 
185 		debug("The client did not use the GSS-API mechanism it "
186 		    "asked for");
187 
188 		/* Let it slide as long as the mech is supported */
189 		ssh_gssapi_server_mechs(&supported);
190 		if (supported != GSS_C_NULL_OID_SET) {
191 			(void) gss_test_oid_set_member(&min, ctx->actual_mech,
192 			    supported, &present);
193 		}
194 		if (!present)
195 			ctx->major = GSS_S_BAD_MECH;
196 	}
197 
198 	if (ctx->deleg_creds)
199 		debug("Received delegated GSS credentials");
200 
201 	if (ctx->major == GSS_S_COMPLETE) {
202 		ctx->major = gss_inquire_context(&ctx->minor, ctx->context,
203 		    NULL, &ctx->dst_name, NULL, NULL, NULL, NULL,
204 		    &ctx->established);
205 
206 		if (GSS_ERROR(ctx->major)) {
207 			ssh_gssapi_error(ctx,
208 			    "inquiring established sec context");
209 			return (ctx->major);
210 		}
211 
212 		xxx_gssctxt = ctx;
213 	}
214 
215 	return (ctx->major);
216 }
217 
218 
219 /* As user - called through fatal cleanup hook */
220 void
221 ssh_gssapi_cleanup_creds(Gssctxt *ctx)
222 {
223 #ifdef HAVE_GSS_STORE_CRED
224 	/* pam_setcred() will take care of this */
225 	return;
226 #else
227 	return;
228 /* #error "Portability broken in cleanup of stored creds" */
229 #endif /* HAVE_GSS_STORE_CRED */
230 }
231 
232 void
233 ssh_gssapi_storecreds(Gssctxt *ctx, Authctxt *authctxt)
234 {
235 #ifdef USE_PAM
236 	char **penv, **tmp_env;
237 #endif /* USE_PAM */
238 
239 	if (authctxt == NULL) {
240 		error("Missing context while storing GSS-API credentials");
241 		return;
242 	}
243 
244 	if (ctx == NULL && xxx_gssctxt == NULL)
245 		return;
246 
247 	if (ctx == NULL)
248 		ctx = xxx_gssctxt;
249 
250 	if (!options.gss_cleanup_creds ||
251 	    ctx->deleg_creds == GSS_C_NO_CREDENTIAL) {
252 		debug3("Not storing delegated GSS credentials"
253 		    " (none delegated)");
254 		return;
255 	}
256 
257 	if (!authctxt->valid || authctxt->pw == NULL) {
258 		debug3("Not storing delegated GSS credentials"
259 		    " for invalid user");
260 		return;
261 	}
262 
263 	debug("Storing delegated GSS-API credentials");
264 
265 	/*
266 	 * The GSS-API has a flaw in that it does not provide a
267 	 * mechanism by which delegated credentials can be made
268 	 * available for acquisition by GSS_Acquire_cred() et. al.;
269 	 * gss_store_cred() is the proposed GSS-API extension for
270 	 * generically storing delegated credentials.
271 	 *
272 	 * gss_store_cred() does not speak to how credential stores are
273 	 * referenced.  Generically this may be done by switching to the
274 	 * user context of the user in whose default credential store we
275 	 * wish to place delegated credentials.  But environment
276 	 * variables could conceivably affect the choice of credential
277 	 * store as well, and perhaps in a mechanism-specific manner.
278 	 *
279 	 * SUNW -- On Solaris the euid selects the current credential
280 	 * store, but PAM modules could select alternate stores by
281 	 * setting, for example, KRB5CCNAME, so we also use the PAM
282 	 * environment temporarily.
283 	 */
284 
285 #ifdef HAVE_GSS_STORE_CRED
286 #ifdef USE_PAM
287 	/*
288 	 * PAM may have set mechanism-specific variables (e.g.,
289 	 * KRB5CCNAME).  fetch_pam_environment() protects against LD_*
290 	 * and other environment variables.
291 	 */
292 	penv = fetch_pam_environment(authctxt);
293 	tmp_env = environ;
294 	environ = penv;
295 #endif /* USE_PAM */
296 	if (authctxt->pw->pw_uid != geteuid()) {
297 		temporarily_use_uid(authctxt->pw);
298 		ctx->major = gss_store_cred(&ctx->minor, ctx->deleg_creds,
299 		    GSS_C_INITIATE, GSS_C_NULL_OID, 0, ctx->default_creds,
300 		    NULL, NULL);
301 		restore_uid();
302 	} else {
303 		/* only when logging in as the privileged user used by sshd */
304 		ctx->major = gss_store_cred(&ctx->minor, ctx->deleg_creds,
305 		    GSS_C_INITIATE, GSS_C_NULL_OID, 0, ctx->default_creds,
306 		    NULL, NULL);
307 	}
308 #ifdef USE_PAM
309 	environ = tmp_env;
310 	free_pam_environment(penv);
311 #endif /* USE_PAM */
312 	if (GSS_ERROR(ctx->major))
313 		ssh_gssapi_error(ctx, "storing delegated credentials");
314 
315 #else
316 #ifdef KRB5_GSS
317 #error "MIT/Heimdal krb5-specific code missing in ssh_gssapi_storecreds()"
318 	if (ssh_gssapi_is_krb5(ctx->mech))
319 		ssh_gssapi_krb5_storecreds(ctx);
320 #endif /* KRB5_GSS */
321 #ifdef GSI_GSS
322 #error "GSI krb5-specific code missing in ssh_gssapi_storecreds()"
323 	if (ssh_gssapi_is_gsi(ctx->mech))
324 		ssh_gssapi_krb5_storecreds(ctx);
325 #endif /* GSI_GSS */
326 /* #error "Mechanism-specific code missing in ssh_gssapi_storecreds()" */
327 	return;
328 #endif /* HAVE_GSS_STORE_CRED */
329 }
330 
331 void
332 ssh_gssapi_do_child(Gssctxt *ctx, char ***envp, uint_t *envsizep)
333 {
334 	/*
335 	 * MIT/Heimdal/GSI specific code goes here.
336 	 *
337 	 * On Solaris there's nothing to do here as the GSS store and
338 	 * related environment variables are to be set by PAM, if at all
339 	 * (no environment variables are needed to address the default
340 	 * credential store -- the euid does that).
341 	 */
342 #ifdef KRB5_GSS
343 #error "MIT/Heimdal krb5-specific code missing in ssh_gssapi_storecreds()"
344 #endif /* KRB5_GSS */
345 #ifdef GSI_GSS
346 #error "GSI krb5-specific code missing in ssh_gssapi_storecreds()"
347 #endif /* GSI_GSS */
348 }
349 
350 int
351 ssh_gssapi_userok(Gssctxt *ctx, char *user)
352 {
353 	if (ctx == NULL) {
354 		debug3("INTERNAL ERROR: %s", __func__);
355 		return (0);
356 	}
357 
358 	if (user == NULL || *user == '\0')
359 		return (0);
360 
361 #ifdef HAVE___GSS_USEROK
362 	{
363 		int user_ok = 0;
364 
365 		ctx->major = __gss_userok(&ctx->minor, ctx->src_name, user,
366 		    &user_ok);
367 		if (GSS_ERROR(ctx->major)) {
368 			debug2("__GSS_userok() failed");
369 			return (0);
370 		}
371 
372 		if (user_ok)
373 			return (1);
374 
375 		/* fall through */
376 	}
377 #else
378 #ifdef GSSAPI_SIMPLE_USEROK
379 	{
380 		/* Mechanism-generic */
381 		OM_uint32	min;
382 		gss_buffer_desc	buf, ename1, ename2;
383 		gss_name_t	iname, cname;
384 		int		eql;
385 
386 		buf.value = user;
387 		buf.length = strlen(user);
388 		ctx->major = gss_import_name(&ctx->minor, &buf,
389 		    GSS_C_NULL_OID, &iname);
390 		if (GSS_ERROR(ctx->major)) {
391 			ssh_gssapi_error(ctx,
392 			    "importing name for authorizing initiator");
393 			goto failed_simple_userok;
394 		}
395 
396 		ctx->major = gss_canonicalize_name(&ctx->minor, iname,
397 		    ctx->actual_mech, &cname);
398 		(void) gss_release_name(&min, &iname);
399 		if (GSS_ERROR(ctx->major)) {
400 			ssh_gssapi_error(ctx, "canonicalizing name");
401 			goto failed_simple_userok;
402 		}
403 
404 		ctx->major = gss_export_name(&ctx->minor, cname, &ename1);
405 		(void) gss_release_name(&min, &cname);
406 		if (GSS_ERROR(ctx->major)) {
407 			ssh_gssapi_error(ctx, "exporting name");
408 			goto failed_simple_userok;
409 		}
410 
411 		ctx->major = gss_export_name(&ctx->minor, ctx->src_name,
412 		    &ename2);
413 		if (GSS_ERROR(ctx->major)) {
414 			ssh_gssapi_error(ctx,
415 			    "exporting client principal name");
416 			(void) gss_release_buffer(&min, &ename1);
417 			goto failed_simple_userok;
418 		}
419 
420 		eql = (ename1.length == ename2.length &&
421 		    memcmp(ename1.value, ename2.value, ename1.length) == 0);
422 
423 		(void) gss_release_buffer(&min, &ename1);
424 		(void) gss_release_buffer(&min, &ename2);
425 
426 		if (eql)
427 			return (1);
428 		/* fall through */
429 	}
430 failed_simple_userok:
431 #endif /* GSSAPI_SIMPLE_USEROK */
432 #ifdef HAVE_GSSCRED_API
433 	{
434 		/* Mechanism-generic, Solaris-specific */
435 		OM_uint32	 maj;
436 		uid_t		 uid;
437 		struct passwd	*pw;
438 
439 		maj = gsscred_name_to_unix_cred(ctx->src_name,
440 		    ctx->actual_mech, &uid, NULL, NULL, NULL);
441 
442 		if (GSS_ERROR(maj))
443 			goto failed_simple_gsscred_userok;
444 
445 		if ((pw = getpwnam(user)) == NULL)
446 			goto failed_simple_gsscred_userok;
447 
448 		if (pw->pw_uid == uid)
449 			return (1);
450 		/* fall through */
451 	}
452 
453 failed_simple_gsscred_userok:
454 #endif /* HAVE_GSSCRED_API */
455 #ifdef KRB5_GSS
456 	if (ssh_gssapi_is_krb5(ctx->mech))
457 		if (ssh_gssapi_krb5_userok(ctx->src_name, user))
458 			return (1);
459 #endif /* KRB5_GSS */
460 #ifdef GSI_GSS
461 	if (ssh_gssapi_is_gsi(ctx->mech))
462 		if (ssh_gssapi_gsi_userok(ctx->src_name, user))
463 			return (1);
464 #endif /* GSI_GSS */
465 #endif /* HAVE___GSS_USEROK */
466 
467 	/* default to not authorized */
468 	return (0);
469 }
470 
471 char *
472 ssh_gssapi_localname(Gssctxt *ctx)
473 {
474 	if (ctx == NULL) {
475 		debug3("INTERNAL ERROR: %s", __func__);
476 		return (NULL);
477 	}
478 
479 	debug2("Mapping initiator GSS-API principal to local username");
480 #ifdef HAVE_GSSCRED_API
481 	{
482 		/* Mechanism-generic, Solaris-specific */
483 		OM_uint32	 maj;
484 		uid_t		 uid;
485 		struct passwd	*pw;
486 
487 		if (ctx->src_name == GSS_C_NO_NAME)
488 			goto failed_gsscred_localname;
489 
490 		maj = gsscred_name_to_unix_cred(ctx->src_name,
491 		    ctx->actual_mech, &uid, NULL, NULL, NULL);
492 
493 		if (GSS_ERROR(maj))
494 			goto failed_gsscred_localname;
495 
496 		if ((pw = getpwuid(uid)) == NULL)
497 			goto failed_gsscred_localname;
498 
499 		debug2("Mapped the initiator to: %s", pw->pw_name);
500 		return (xstrdup(pw->pw_name));
501 	}
502 failed_gsscred_localname:
503 #endif /* HAVE_GSSCRED_API */
504 #ifdef KRB5_GSS
505 #error "ssh_gssapi_krb5_localname() not implemented"
506 	if (ssh_gssapi_is_krb5(ctx->mech))
507 		return (ssh_gssapi_krb5_localname(ctx->src_name));
508 #endif /* KRB5_GSS */
509 #ifdef GSI_GSS
510 #error "ssh_gssapi_gsi_localname() not implemented"
511 	if (ssh_gssapi_is_gsi(ctx->mech))
512 		return (ssh_gssapi_gsi_localname(ctx->src_name));
513 #endif /* GSI_GSS */
514 	return (NULL);
515 }
516 #endif /* GSSAPI */
517