1 /* 2 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 26 * Use is subject to license terms. 27 */ 28 29 #include "includes.h" 30 31 #ifdef GSSAPI 32 33 #pragma ident "%Z%%M% %I% %E% SMI" 34 35 #include "includes.h" 36 #include "ssh.h" 37 #include "ssh2.h" 38 #include "xmalloc.h" 39 #include "buffer.h" 40 #include "bufaux.h" 41 #include "packet.h" 42 #include "compat.h" 43 #include <openssl/evp.h> 44 #include "cipher.h" 45 #include "kex.h" 46 #include "auth.h" 47 #include "log.h" 48 #include "channels.h" 49 #include "session.h" 50 #include "dispatch.h" 51 #include "servconf.h" 52 #include "uidswap.h" 53 #include "compat.h" 54 #include <pwd.h> 55 56 #include "ssh-gss.h" 57 58 extern char **environ; 59 60 extern ServerOptions options; 61 extern uchar_t *session_id2; 62 extern int session_id2_len; 63 64 Gssctxt *xxx_gssctxt; 65 66 void 67 ssh_gssapi_server_kex_hook(Kex *kex, char **proposal) 68 { 69 gss_OID_set mechs = GSS_C_NULL_OID_SET; 70 71 if (kex == NULL || !kex->server) 72 fatal("INTERNAL ERROR (%s)", __func__); 73 74 ssh_gssapi_server_mechs(&mechs); 75 ssh_gssapi_modify_kex(kex, mechs, proposal); 76 } 77 78 void 79 ssh_gssapi_server_mechs(gss_OID_set *mechs) 80 { 81 static gss_OID_set supported = GSS_C_NULL_OID_SET; 82 gss_OID_set s, acquired, indicated = GSS_C_NULL_OID_SET; 83 gss_cred_id_t creds; 84 OM_uint32 maj, min; 85 int i; 86 87 if (!mechs) { 88 (void) gss_release_oid_set(&min, &supported); 89 return; 90 } 91 92 if (supported != GSS_C_NULL_OID_SET) { 93 *mechs = supported; 94 return; 95 } 96 97 *mechs = GSS_C_NULL_OID_SET; 98 99 maj = gss_create_empty_oid_set(&min, &s); 100 if (GSS_ERROR(maj)) { 101 debug("Could not allocate GSS-API resources (%s)", 102 ssh_gssapi_last_error(NULL, &maj, &min)); 103 return; 104 } 105 106 maj = gss_indicate_mechs(&min, &indicated); 107 if (GSS_ERROR(maj)) { 108 debug("No GSS-API mechanisms are installed"); 109 return; 110 } 111 112 maj = gss_acquire_cred(&min, GSS_C_NO_NAME, 0, indicated, 113 GSS_C_ACCEPT, &creds, &acquired, NULL); 114 115 if (GSS_ERROR(maj)) 116 debug("Failed to acquire GSS-API credentials for any " 117 "mechanisms (%s)", ssh_gssapi_last_error(NULL, &maj, &min)); 118 119 (void) gss_release_oid_set(&min, &indicated); 120 (void) gss_release_cred(&min, &creds); 121 122 if (acquired == GSS_C_NULL_OID_SET || acquired->count == 0) 123 return; 124 125 for (i = 0; i < acquired->count; i++) { 126 if (ssh_gssapi_is_spnego(&acquired->elements[i])) 127 continue; 128 129 maj = gss_add_oid_set_member(&min, &acquired->elements[i], &s); 130 if (GSS_ERROR(maj)) { 131 debug("Could not allocate GSS-API resources (%s)", 132 ssh_gssapi_last_error(NULL, &maj, &min)); 133 return; 134 } 135 } 136 (void) gss_release_oid_set(&min, &acquired); 137 138 if (s->count) { 139 supported = s; 140 *mechs = s; 141 } 142 } 143 144 /* 145 * Wrapper around accept_sec_context. Requires that the context contains: 146 * 147 * oid 148 * credentials (from ssh_gssapi_acquire_cred) 149 */ 150 /* Priviledged */ 151 OM_uint32 152 ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_t recv_tok, 153 gss_buffer_t send_tok) 154 { 155 /* 156 * Acquiring a cred for the ctx->desired_mech for GSS_C_NO_NAME 157 * may well be probably better than using GSS_C_NO_CREDENTIAL 158 * and then checking that ctx->desired_mech agrees with 159 * ctx->actual_mech... 160 */ 161 ctx->major = gss_accept_sec_context(&ctx->minor, &ctx->context, 162 GSS_C_NO_CREDENTIAL, recv_tok, GSS_C_NO_CHANNEL_BINDINGS, 163 &ctx->src_name, &ctx->actual_mech, send_tok, &ctx->flags, 164 NULL, &ctx->deleg_creds); 165 166 if (GSS_ERROR(ctx->major)) 167 ssh_gssapi_error(ctx, "accepting security context"); 168 169 if (ctx->major == GSS_S_CONTINUE_NEEDED && send_tok->length == 0) 170 fatal("Zero length GSS context token output when " 171 "continue needed"); 172 else if (GSS_ERROR(ctx->major) && send_tok->length == 0) 173 debug2("Zero length GSS context error token output"); 174 175 if (ctx->major == GSS_S_COMPLETE && 176 ctx->desired_mech != GSS_C_NULL_OID && 177 (ctx->desired_mech->length != ctx->actual_mech->length || 178 memcmp(ctx->desired_mech->elements, ctx->actual_mech->elements, 179 ctx->desired_mech->length) != 0)) { 180 181 gss_OID_set supported; 182 OM_uint32 min; 183 int present = 0; 184 185 debug("The client did not use the GSS-API mechanism it " 186 "asked for"); 187 188 /* Let it slide as long as the mech is supported */ 189 ssh_gssapi_server_mechs(&supported); 190 if (supported != GSS_C_NULL_OID_SET) { 191 (void) gss_test_oid_set_member(&min, ctx->actual_mech, 192 supported, &present); 193 } 194 if (!present) 195 ctx->major = GSS_S_BAD_MECH; 196 } 197 198 if (ctx->deleg_creds) 199 debug("Received delegated GSS credentials"); 200 201 if (ctx->major == GSS_S_COMPLETE) { 202 ctx->major = gss_inquire_context(&ctx->minor, ctx->context, 203 NULL, &ctx->dst_name, NULL, NULL, NULL, NULL, 204 &ctx->established); 205 206 if (GSS_ERROR(ctx->major)) { 207 ssh_gssapi_error(ctx, 208 "inquiring established sec context"); 209 return (ctx->major); 210 } 211 212 xxx_gssctxt = ctx; 213 } 214 215 return (ctx->major); 216 } 217 218 219 /* As user - called through fatal cleanup hook */ 220 void 221 ssh_gssapi_cleanup_creds(Gssctxt *ctx) 222 { 223 #ifdef HAVE_GSS_STORE_CRED 224 /* pam_setcred() will take care of this */ 225 return; 226 #else 227 return; 228 /* #error "Portability broken in cleanup of stored creds" */ 229 #endif /* HAVE_GSS_STORE_CRED */ 230 } 231 232 void 233 ssh_gssapi_storecreds(Gssctxt *ctx, Authctxt *authctxt) 234 { 235 #ifdef USE_PAM 236 char **penv, **tmp_env; 237 #endif /* USE_PAM */ 238 239 if (authctxt == NULL) { 240 error("Missing context while storing GSS-API credentials"); 241 return; 242 } 243 244 if (ctx == NULL && xxx_gssctxt == NULL) 245 return; 246 247 if (ctx == NULL) 248 ctx = xxx_gssctxt; 249 250 if (!options.gss_cleanup_creds || 251 ctx->deleg_creds == GSS_C_NO_CREDENTIAL) { 252 debug3("Not storing delegated GSS credentials" 253 " (none delegated)"); 254 return; 255 } 256 257 if (!authctxt->valid || authctxt->pw == NULL) { 258 debug3("Not storing delegated GSS credentials" 259 " for invalid user"); 260 return; 261 } 262 263 debug("Storing delegated GSS-API credentials"); 264 265 /* 266 * The GSS-API has a flaw in that it does not provide a 267 * mechanism by which delegated credentials can be made 268 * available for acquisition by GSS_Acquire_cred() et. al.; 269 * gss_store_cred() is the proposed GSS-API extension for 270 * generically storing delegated credentials. 271 * 272 * gss_store_cred() does not speak to how credential stores are 273 * referenced. Generically this may be done by switching to the 274 * user context of the user in whose default credential store we 275 * wish to place delegated credentials. But environment 276 * variables could conceivably affect the choice of credential 277 * store as well, and perhaps in a mechanism-specific manner. 278 * 279 * SUNW -- On Solaris the euid selects the current credential 280 * store, but PAM modules could select alternate stores by 281 * setting, for example, KRB5CCNAME, so we also use the PAM 282 * environment temporarily. 283 */ 284 285 #ifdef HAVE_GSS_STORE_CRED 286 #ifdef USE_PAM 287 /* 288 * PAM may have set mechanism-specific variables (e.g., 289 * KRB5CCNAME). fetch_pam_environment() protects against LD_* 290 * and other environment variables. 291 */ 292 penv = fetch_pam_environment(authctxt); 293 tmp_env = environ; 294 environ = penv; 295 #endif /* USE_PAM */ 296 if (authctxt->pw->pw_uid != geteuid()) { 297 temporarily_use_uid(authctxt->pw); 298 ctx->major = gss_store_cred(&ctx->minor, ctx->deleg_creds, 299 GSS_C_INITIATE, GSS_C_NULL_OID, 0, ctx->default_creds, 300 NULL, NULL); 301 restore_uid(); 302 } else { 303 /* only when logging in as the privileged user used by sshd */ 304 ctx->major = gss_store_cred(&ctx->minor, ctx->deleg_creds, 305 GSS_C_INITIATE, GSS_C_NULL_OID, 0, ctx->default_creds, 306 NULL, NULL); 307 } 308 #ifdef USE_PAM 309 environ = tmp_env; 310 free_pam_environment(penv); 311 #endif /* USE_PAM */ 312 if (GSS_ERROR(ctx->major)) 313 ssh_gssapi_error(ctx, "storing delegated credentials"); 314 315 #else 316 #ifdef KRB5_GSS 317 #error "MIT/Heimdal krb5-specific code missing in ssh_gssapi_storecreds()" 318 if (ssh_gssapi_is_krb5(ctx->mech)) 319 ssh_gssapi_krb5_storecreds(ctx); 320 #endif /* KRB5_GSS */ 321 #ifdef GSI_GSS 322 #error "GSI krb5-specific code missing in ssh_gssapi_storecreds()" 323 if (ssh_gssapi_is_gsi(ctx->mech)) 324 ssh_gssapi_krb5_storecreds(ctx); 325 #endif /* GSI_GSS */ 326 /* #error "Mechanism-specific code missing in ssh_gssapi_storecreds()" */ 327 return; 328 #endif /* HAVE_GSS_STORE_CRED */ 329 } 330 331 void 332 ssh_gssapi_do_child(Gssctxt *ctx, char ***envp, uint_t *envsizep) 333 { 334 /* 335 * MIT/Heimdal/GSI specific code goes here. 336 * 337 * On Solaris there's nothing to do here as the GSS store and 338 * related environment variables are to be set by PAM, if at all 339 * (no environment variables are needed to address the default 340 * credential store -- the euid does that). 341 */ 342 #ifdef KRB5_GSS 343 #error "MIT/Heimdal krb5-specific code missing in ssh_gssapi_storecreds()" 344 #endif /* KRB5_GSS */ 345 #ifdef GSI_GSS 346 #error "GSI krb5-specific code missing in ssh_gssapi_storecreds()" 347 #endif /* GSI_GSS */ 348 } 349 350 int 351 ssh_gssapi_userok(Gssctxt *ctx, char *user) 352 { 353 if (ctx == NULL) { 354 debug3("INTERNAL ERROR: %s", __func__); 355 return (0); 356 } 357 358 if (user == NULL || *user == '\0') 359 return (0); 360 361 #ifdef HAVE___GSS_USEROK 362 { 363 int user_ok = 0; 364 365 ctx->major = __gss_userok(&ctx->minor, ctx->src_name, user, 366 &user_ok); 367 if (GSS_ERROR(ctx->major)) { 368 debug2("__GSS_userok() failed"); 369 return (0); 370 } 371 372 if (user_ok) 373 return (1); 374 375 /* fall through */ 376 } 377 #else 378 #ifdef GSSAPI_SIMPLE_USEROK 379 { 380 /* Mechanism-generic */ 381 OM_uint32 min; 382 gss_buffer_desc buf, ename1, ename2; 383 gss_name_t iname, cname; 384 int eql; 385 386 buf.value = user; 387 buf.length = strlen(user); 388 ctx->major = gss_import_name(&ctx->minor, &buf, 389 GSS_C_NULL_OID, &iname); 390 if (GSS_ERROR(ctx->major)) { 391 ssh_gssapi_error(ctx, 392 "importing name for authorizing initiator"); 393 goto failed_simple_userok; 394 } 395 396 ctx->major = gss_canonicalize_name(&ctx->minor, iname, 397 ctx->actual_mech, &cname); 398 (void) gss_release_name(&min, &iname); 399 if (GSS_ERROR(ctx->major)) { 400 ssh_gssapi_error(ctx, "canonicalizing name"); 401 goto failed_simple_userok; 402 } 403 404 ctx->major = gss_export_name(&ctx->minor, cname, &ename1); 405 (void) gss_release_name(&min, &cname); 406 if (GSS_ERROR(ctx->major)) { 407 ssh_gssapi_error(ctx, "exporting name"); 408 goto failed_simple_userok; 409 } 410 411 ctx->major = gss_export_name(&ctx->minor, ctx->src_name, 412 &ename2); 413 if (GSS_ERROR(ctx->major)) { 414 ssh_gssapi_error(ctx, 415 "exporting client principal name"); 416 (void) gss_release_buffer(&min, &ename1); 417 goto failed_simple_userok; 418 } 419 420 eql = (ename1.length == ename2.length && 421 memcmp(ename1.value, ename2.value, ename1.length) == 0); 422 423 (void) gss_release_buffer(&min, &ename1); 424 (void) gss_release_buffer(&min, &ename2); 425 426 if (eql) 427 return (1); 428 /* fall through */ 429 } 430 failed_simple_userok: 431 #endif /* GSSAPI_SIMPLE_USEROK */ 432 #ifdef HAVE_GSSCRED_API 433 { 434 /* Mechanism-generic, Solaris-specific */ 435 OM_uint32 maj; 436 uid_t uid; 437 struct passwd *pw; 438 439 maj = gsscred_name_to_unix_cred(ctx->src_name, 440 ctx->actual_mech, &uid, NULL, NULL, NULL); 441 442 if (GSS_ERROR(maj)) 443 goto failed_simple_gsscred_userok; 444 445 if ((pw = getpwnam(user)) == NULL) 446 goto failed_simple_gsscred_userok; 447 448 if (pw->pw_uid == uid) 449 return (1); 450 /* fall through */ 451 } 452 453 failed_simple_gsscred_userok: 454 #endif /* HAVE_GSSCRED_API */ 455 #ifdef KRB5_GSS 456 if (ssh_gssapi_is_krb5(ctx->mech)) 457 if (ssh_gssapi_krb5_userok(ctx->src_name, user)) 458 return (1); 459 #endif /* KRB5_GSS */ 460 #ifdef GSI_GSS 461 if (ssh_gssapi_is_gsi(ctx->mech)) 462 if (ssh_gssapi_gsi_userok(ctx->src_name, user)) 463 return (1); 464 #endif /* GSI_GSS */ 465 #endif /* HAVE___GSS_USEROK */ 466 467 /* default to not authorized */ 468 return (0); 469 } 470 471 char * 472 ssh_gssapi_localname(Gssctxt *ctx) 473 { 474 if (ctx == NULL) { 475 debug3("INTERNAL ERROR: %s", __func__); 476 return (NULL); 477 } 478 479 debug2("Mapping initiator GSS-API principal to local username"); 480 #ifdef HAVE_GSSCRED_API 481 { 482 /* Mechanism-generic, Solaris-specific */ 483 OM_uint32 maj; 484 uid_t uid; 485 struct passwd *pw; 486 487 if (ctx->src_name == GSS_C_NO_NAME) 488 goto failed_gsscred_localname; 489 490 maj = gsscred_name_to_unix_cred(ctx->src_name, 491 ctx->actual_mech, &uid, NULL, NULL, NULL); 492 493 if (GSS_ERROR(maj)) 494 goto failed_gsscred_localname; 495 496 if ((pw = getpwuid(uid)) == NULL) 497 goto failed_gsscred_localname; 498 499 debug2("Mapped the initiator to: %s", pw->pw_name); 500 return (xstrdup(pw->pw_name)); 501 } 502 failed_gsscred_localname: 503 #endif /* HAVE_GSSCRED_API */ 504 #ifdef KRB5_GSS 505 #error "ssh_gssapi_krb5_localname() not implemented" 506 if (ssh_gssapi_is_krb5(ctx->mech)) 507 return (ssh_gssapi_krb5_localname(ctx->src_name)); 508 #endif /* KRB5_GSS */ 509 #ifdef GSI_GSS 510 #error "ssh_gssapi_gsi_localname() not implemented" 511 if (ssh_gssapi_is_gsi(ctx->mech)) 512 return (ssh_gssapi_gsi_localname(ctx->src_name)); 513 #endif /* GSI_GSS */ 514 return (NULL); 515 } 516 #endif /* GSSAPI */ 517