xref: /titanic_50/usr/src/cmd/ssh/sshd/auth-pam.c (revision 24da5b34f49324ed742a340010ed5bd3d4e06625)
1 /*
2  * Copyright (c) 2000 Damien Miller.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 /*
25  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
26  * Use is subject to license terms.
27  */
28 
29 #include "includes.h"
30 
31 #ifdef USE_PAM
32 #include "xmalloc.h"
33 #include "log.h"
34 #include "auth.h"
35 #include "auth-options.h"
36 #include "auth-pam.h"
37 #include "servconf.h"
38 #include "canohost.h"
39 #include "compat.h"
40 #include "misc.h"
41 #include "sshlogin.h"
42 #include "monitor_wrap.h"
43 
44 #include <security/pam_appl.h>
45 
46 extern char *__progname;
47 
48 extern int use_privsep;
49 
50 extern u_int utmp_len;
51 extern ServerOptions options;
52 
53 extern Authmethod method_kbdint;
54 
55 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
56 
57 #pragma ident	"%Z%%M%	%I%	%E% SMI"
58 
59 #define NEW_AUTHTOK_MSG \
60 	"Warning: Your password has expired, please change it now."
61 #define NEW_AUTHTOK_MSG_PRIVSEP \
62 	"Your password has expired, the session cannot proceed."
63 
64 /* PAM conversation for non-interactive userauth methods */
65 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
66 	struct pam_response **resp, void *appdata_ptr);
67 
68 static void do_pam_cleanup_proc(void *context);
69 
70 static char *get_method_name(Authctxt *authctxt);
71 
72 /* PAM conversation for non-interactive userauth methods */
73 static struct pam_conv conv = {
74 	(int (*)())do_pam_conversation,
75 	NULL
76 };
77 static char *__pam_msg = NULL;
78 
79 static
80 char *
81 get_method_name(Authctxt *authctxt)
82 {
83 	if (!authctxt)
84 		return "(unknown)";
85 
86 	if (!compat20)
87 		return (authctxt->v1_auth_name) ? authctxt->v1_auth_name :
88 						  "(sshv1-unknown)";
89 
90 	if (!authctxt->method || !authctxt->method->name)
91 			return "(sshv2-unknown)";
92 
93 	return authctxt->method->name;
94 }
95 
96 const
97 char *
98 derive_pam_svc_name(Authmethod *method)
99 {
100 	if (compat20 && method) {
101 		char *method_name = method->name;
102 
103 		if (!method_name)
104 			fatal("Userauth method unknown while starting PAM");
105 
106 		/* For SSHv2 we use "sshd-<userauth name> */
107 		if (strcmp(method_name, "none") == 0) {
108 			return "sshd-none";
109 		}
110 		if (strcmp(method_name, "password") == 0) {
111 			return "sshd-password";
112 		}
113 		if (strcmp(method_name, "keyboard-interactive") == 0) {
114 			/* "keyboard-interactive" is too long, shorten it */
115 			return "sshd-kbdint";
116 		}
117 		if (strcmp(method_name, "publickey") == 0) {
118 			/* "publickey" is too long, shorten it */
119 			return "sshd-pubkey";
120 		}
121 		if (strcmp(method_name, "hostbased") == 0) {
122 			/* "hostbased" can't really be shortened... */
123 			return "sshd-hostbased";
124 		}
125 		if (strncmp(method_name, "gss", 3) == 0) {
126 			/* "gss" is too short, elongate it */
127 			return "sshd-gssapi";
128 		}
129 	}
130 
131 	return "sshd-v1"; /* SSHv1 doesn't get to be so cool */
132 }
133 
134 void
135 new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
136 {
137 	int		retval;
138 	pam_handle_t	*pamh;
139 	const char	*rhost, *svc;
140 	char		*user = NULL;
141 	pam_stuff	*pam;
142 
143 	if (authctxt == NULL)
144 		fatal("Internal error during userauth");
145 
146 	if (compat20 && authctxt->method == NULL)
147 		fatal("Userauth method unknown while starting PAM");
148 
149 	/* PAM service selected here */
150 	svc = derive_pam_svc_name(authctxt->method);
151 	debug2("Starting PAM service %s for method %s", svc,
152 		get_method_name(authctxt));
153 
154 	if (authctxt->user != NULL)
155 		user = authctxt->user;
156 
157 	/* Cleanup previous PAM state */
158 	if (authctxt->pam != NULL) {
159 		fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
160 		do_pam_cleanup_proc(authctxt->pam);
161 	}
162 
163 	pam = xmalloc(sizeof(pam_stuff));
164 	(void) memset(pam, 0, sizeof(pam_stuff));
165 
166 	/*
167 	 * pam->last_pam_retval has to be and is considered
168 	 * along with pam->state.
169 	 *
170 	 * pam->state = 0; -> no PAM auth, account, etc, work
171 	 * done yet.  (Set by memset() above.)
172 	 *
173 	 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at
174 	 * this point.
175 	 *
176 	 * See finish_userauth_do_pam() below.
177 	 */
178 	pam->authctxt = authctxt;
179 	pam->last_pam_retval = PAM_SUCCESS;
180 
181 	authctxt->pam = pam;
182 
183 	/* Free any previously stored text/error PAM prompts */
184 	if (__pam_msg) {
185 		xfree(__pam_msg);
186 		__pam_msg = NULL;
187 	}
188 
189 	if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) {
190 		fatal("PAM initialization failed during %s userauth",
191 			get_method_name(authctxt));
192 	}
193 
194 	fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc,
195 			  (void *) authctxt->pam);
196 
197 	rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
198 	if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
199 		(void) pam_end(pamh, retval);
200 		fatal("Could not set PAM_RHOST item during %s userauth",
201 			get_method_name(authctxt));
202 	}
203 
204 	if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) {
205 		(void) pam_end(pamh, retval);
206 		fatal("Could not set PAM_TTY item during %s userauth",
207 			get_method_name(authctxt));
208 	}
209 
210 	if (authctxt->cuser != NULL)
211 		if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) {
212 			(void) pam_end(pamh, retval);
213 			fatal("Could not set PAM_AUSER item during %s userauth",
214 				get_method_name(authctxt));
215 		}
216 
217 	authctxt->pam->h = pamh;
218 }
219 
220 /*
221  * To be called from userauth methods, directly (as in keyboard-interactive) or
222  * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth().
223  *
224  * The caller is responsible for calling new_start_pam() first.
225  *
226  * PAM state is not cleaned up here on error.  This is left to subsequent calls
227  * to new_start_pam() or to the cleanup function upon authentication error.
228  */
229 int
230 finish_userauth_do_pam(Authctxt *authctxt)
231 {
232 	int retval;
233 	char *user, *method;
234 
235 	/* Various checks; fail gracefully */
236 	if (authctxt == NULL || authctxt->pam == NULL)
237 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
238 
239 	if (compat20) {
240 		if (authctxt->method == NULL || authctxt->method->name == NULL)
241 			return PAM_SYSTEM_ERR;	/* shouldn't happen */
242 		method = authctxt->method->name;
243 	} else if ((method = authctxt->v1_auth_name) == NULL)
244 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
245 
246 	if (AUTHPAM_DONE(authctxt))
247 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
248 
249 	if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) {
250 		retval = pam_acct_mgmt(authctxt->pam->h, 0);
251 		authctxt->pam->last_pam_retval = retval;
252 		if (retval == PAM_NEW_AUTHTOK_REQD) {
253 			userauth_force_kbdint();
254 			return retval;
255 		}
256 		if (retval != PAM_SUCCESS)
257 			return retval;
258 		authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT;
259 	}
260 
261 	/*
262 	 * Handle PAM_USER change, if any.
263 	 *
264 	 * We do this before pam_open_session() because we need the PAM_USER's
265 	 * UID for:
266 	 *
267 	 * a) PermitRootLogin checking
268 	 * b) to get at the lastlog entry before pam_open_session() updates it.
269 	 */
270 	retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user);
271 	if (retval != PAM_SUCCESS) {
272 		fatal("PAM failure: pam_get_item(PAM_USER) "
273 		      "returned %d: %.200s", retval,
274 		      PAM_STRERROR(authctxt->pam->h, retval));
275 	}
276 
277 	if (user == NULL || *user == '\0') {
278 		debug("PAM set NULL PAM_USER");
279 		return PAM_PERM_DENIED;
280 	}
281 
282 	if (strcmp(user, authctxt->user) != 0) {
283 		log("PAM changed the SSH username");
284 		pwfree(&authctxt->pw);
285 		authctxt->pw = PRIVSEP(getpwnamallow(user));
286 		authctxt->valid = (authctxt->pw != NULL);
287 		xfree(authctxt->user);
288 		authctxt->user = xstrdup(user);
289 	}
290 
291 	if (!authctxt->valid) {
292 		debug2("PAM set PAM_USER to unknown user");
293 		/*
294 		 * Return success, userauth_finish() will catch
295 		 * this and send back a failure message.
296 		 */
297 		return PAM_SUCCESS;
298 	}
299 
300 	/* Check PermitRootLogin semantics */
301 	if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method))
302 		return PAM_PERM_DENIED;
303 
304 	if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) {
305 		retval = pam_setcred(authctxt->pam->h,
306 				     PAM_ESTABLISH_CRED);
307 		authctxt->pam->last_pam_retval = retval;
308 		if (retval != PAM_SUCCESS)
309 			return retval;
310 		authctxt->pam->state |= PAM_S_DONE_SETCRED;
311 
312 #ifdef GSSAPI
313 		/*
314 		 * Store GSS-API delegated creds after pam_setcred(), which may
315 		 * have set the current credential store.
316 		 */
317 		ssh_gssapi_storecreds(NULL, authctxt);
318 #endif /* GSSAPI */
319 	}
320 
321 	/*
322 	 * On Solaris pam_unix_session.so updates the lastlog, but does
323 	 * not converse a PAM_TEXT_INFO message about it.  So we need to
324 	 * fetch the lastlog entry here and save it for use later.
325 	 */
326 	authctxt->last_login_time =
327 		get_last_login_time(authctxt->pw->pw_uid,
328 			authctxt->pw->pw_name,
329 			authctxt->last_login_host,
330 			sizeof(authctxt->last_login_host));
331 
332 	if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) {
333 		retval = pam_open_session(authctxt->pam->h, 0);
334 		authctxt->pam->last_pam_retval = retval;
335 		if (retval != PAM_SUCCESS)
336 			return retval;
337 		authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION;
338 	}
339 
340 	/*
341 	 * All PAM work done successfully.
342 	 *
343 	 * PAM handle stays around so we can call pam_close_session() on
344 	 * it later.
345 	 */
346 	return PAM_SUCCESS;
347 }
348 
349 /*
350  * PAM conversation function for non-interactive userauth methods that
351  * really cannot do any prompting.  Password userauth and CHANGEREQ can
352  * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid
353  * conversation (and if they do and nonetheless some module tries to
354  * converse, then password userauth / CHANGEREQ MUST fail).
355  *
356  * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled
357  * away and shown to the user later.
358  *
359  * Keyboard-interactive userauth has its own much more interesting
360  * conversation function.
361  *
362  */
363 static int
364 do_pam_conversation(int num_msg, const struct pam_message **msg,
365 	struct pam_response **resp, void *appdata_ptr)
366 {
367 	struct pam_response *reply;
368 	int count;
369 
370 	/* PAM will free this later */
371 	reply = xmalloc(num_msg * sizeof(*reply));
372 
373 	(void) memset(reply, 0, num_msg * sizeof(*reply));
374 
375 	for (count = 0; count < num_msg; count++) {
376 		/*
377 		 * We can't use stdio yet, queue messages for
378 		 * printing later
379 		 */
380 		switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
381 		case PAM_PROMPT_ECHO_ON:
382 			xfree(reply);
383 			return PAM_CONV_ERR;
384 		case PAM_PROMPT_ECHO_OFF:
385 			xfree(reply);
386 			return PAM_CONV_ERR;
387 			break;
388 		case PAM_ERROR_MSG:
389 		case PAM_TEXT_INFO:
390 			if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
391 				message_cat(&__pam_msg,
392 				    PAM_MSG_MEMBER(msg, count, msg));
393 			}
394 			reply[count].resp = xstrdup("");
395 			reply[count].resp_retcode = PAM_SUCCESS;
396 			break;
397 		default:
398 			xfree(reply);
399 			return PAM_CONV_ERR;
400 		}
401 	}
402 
403 	*resp = reply;
404 
405 	return PAM_SUCCESS;
406 }
407 
408 /* Called at exit to cleanly shutdown PAM */
409 static void
410 do_pam_cleanup_proc(void *context)
411 {
412 	int pam_retval;
413 	pam_stuff *pam = (pam_stuff *) context;
414 
415 	if (pam == NULL)
416 		return;
417 
418 	if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
419 		pam->authctxt->pam_retval = pam->last_pam_retval;
420 		pam->authctxt->pam = NULL;
421 		pam->authctxt = NULL;
422 	}
423 
424 	if (pam->h == NULL)
425 		return;
426 
427 	/*
428 	 * We're in fatal_cleanup() or not in userauth or without a
429 	 * channel -- can't converse now, too bad.
430 	 */
431 	pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
432 	if (pam_retval != PAM_SUCCESS) {
433 		log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
434 			pam_retval, PAM_STRERROR(pam->h, pam_retval));
435 		goto cleanup;
436 	}
437 
438 	if (pam->state & PAM_S_DONE_OPEN_SESSION) {
439 		pam_retval = pam_close_session(pam->h, 0);
440 		if (pam_retval != PAM_SUCCESS)
441 			log("Cannot close PAM session[%d]: %.200s",
442 			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
443 	}
444 
445 	if (pam->state & PAM_S_DONE_SETCRED) {
446 		pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
447 		if (pam_retval != PAM_SUCCESS)
448 			debug("Cannot delete credentials[%d]: %.200s",
449 			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
450 	}
451 
452 cleanup:
453 
454 	/* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
455 	if (pam->last_pam_retval != PAM_SUCCESS)
456 		pam_retval = pam_end(pam->h, pam->last_pam_retval);
457 	else if (pam_retval != PAM_SUCCESS)
458 		pam_retval = pam_end(pam->h, pam_retval);
459 	else
460 		pam_retval = pam_end(pam->h, PAM_ABORT);
461 
462 	if (pam_retval != PAM_SUCCESS)
463 		log("Cannot release PAM authentication[%d]: %.200s",
464 		    pam_retval, PAM_STRERROR(pam->h, pam_retval));
465 
466 	xfree(pam);
467 }
468 
469 /* Attempt password authentation using PAM */
470 int
471 auth_pam_password(Authctxt *authctxt, const char *password)
472 {
473 	int retval;
474 
475 	/* Ensure we have a fresh PAM handle / state */
476 	new_start_pam(authctxt, &conv);
477 
478 	retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password);
479 	if (retval != PAM_SUCCESS)
480 		return 1;
481 
482 	retval = pam_authenticate(authctxt->pam->h,
483 			options.permit_empty_passwd ?  0 :
484 			PAM_DISALLOW_NULL_AUTHTOK);
485 
486 	if (retval != PAM_SUCCESS)
487 		return 0;
488 
489 	if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS)
490 		return 0;
491 
492 	if (authctxt->method)
493 		authctxt->method->authenticated = 1;	/* SSHv2 */
494 
495 	return 1;
496 }
497 
498 int
499 do_pam_non_initial_userauth(Authctxt *authctxt)
500 {
501 	new_start_pam(authctxt, NULL);
502 	return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS);
503 }
504 
505 /* Cleanly shutdown PAM */
506 void finish_pam(Authctxt *authctxt)
507 {
508 	fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
509 	do_pam_cleanup_proc(authctxt->pam);
510 }
511 
512 static
513 char **
514 find_env(char **env, char *var)
515 {
516 	char **p;
517 	int len;
518 
519 	if (strchr(var, '=') == NULL)
520 		len = strlen(var);
521 	else
522 		len = (strchr(var, '=') - var) + 1;
523 
524 	for ( p = env ; p != NULL && *p != NULL ; p++ ) {
525 		if (strncmp(*p, var, len) == 0)
526 			return (p);
527 	}
528 
529 	return (NULL);
530 }
531 
532 /* Return list of PAM environment strings */
533 char **
534 fetch_pam_environment(Authctxt *authctxt)
535 {
536 #ifdef HAVE_PAM_GETENVLIST
537 	char	**penv;
538 
539 	if (authctxt == NULL || authctxt->pam == NULL ||
540 	    authctxt->pam->h == NULL)
541 		return (NULL);
542 
543 	penv = pam_getenvlist(authctxt->pam->h);
544 
545 	return (penv);
546 #else /* HAVE_PAM_GETENVLIST */
547 	return(NULL);
548 #endif /* HAVE_PAM_GETENVLIST */
549 }
550 
551 void free_pam_environment(char **env)
552 {
553 	int i;
554 
555 	if (env != NULL) {
556 		for (i = 0; env[i] != NULL; i++)
557 			xfree(env[i]);
558 	}
559 
560 	xfree(env);
561 }
562 
563 /* Print any messages that have been generated during authentication */
564 /* or account checking to stderr */
565 void print_pam_messages(void)
566 {
567 	if (__pam_msg != NULL)
568 		(void) fputs(__pam_msg, stderr);
569 }
570 
571 /* Append a message to buffer */
572 void message_cat(char **p, const char *a)
573 {
574 	char *cp;
575 	size_t new_len;
576 
577 	new_len = strlen(a);
578 
579 	if (*p) {
580 		size_t len = strlen(*p);
581 
582 		*p = xrealloc(*p, new_len + len + 2);
583 		cp = *p + len;
584 	} else
585 		*p = cp = xmalloc(new_len + 2);
586 
587 	(void) memcpy(cp, a, new_len);
588 	cp[new_len] = '\n';
589 	cp[new_len + 1] = '\0';
590 }
591 
592 #endif /* USE_PAM */
593