xref: /titanic_50/usr/src/cmd/ssh/sshd/auth-pam.c (revision 69b3e10436272b0970d58743de375d0dd61046ce)
1 /*
2  * Copyright (c) 2000 Damien Miller.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 /*
25  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
26  * Use is subject to license terms.
27  */
28 
29 #include "includes.h"
30 
31 #ifdef USE_PAM
32 #include "xmalloc.h"
33 #include "log.h"
34 #include "auth.h"
35 #include "auth-options.h"
36 #include "auth-pam.h"
37 #include "buffer.h"
38 #include "servconf.h"
39 #include "canohost.h"
40 #include "compat.h"
41 #include "misc.h"
42 #include "sshlogin.h"
43 #include "ssh-gss.h"
44 
45 #include <security/pam_appl.h>
46 
47 extern char *__progname;
48 
49 extern u_int utmp_len;
50 extern ServerOptions options;
51 
52 extern Authmethod method_kbdint;
53 
54 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
55 
56 #define NEW_AUTHTOK_MSG \
57 	"Warning: Your password has expired, please change it now."
58 
59 /* PAM conversation for non-interactive userauth methods */
60 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
61 	struct pam_response **resp, void *appdata_ptr);
62 
63 static void do_pam_cleanup_proc(void *context);
64 
65 static char *get_method_name(Authctxt *authctxt);
66 
67 /* PAM conversation for non-interactive userauth methods */
68 static struct pam_conv conv = {
69 	(int (*)())do_pam_conversation,
70 	NULL
71 };
72 static char *__pam_msg = NULL;
73 
74 static
75 char *
76 get_method_name(Authctxt *authctxt)
77 {
78 	if (!authctxt)
79 		return "(unknown)";
80 
81 	if (!compat20)
82 		return (authctxt->v1_auth_name) ? authctxt->v1_auth_name :
83 						  "(sshv1-unknown)";
84 
85 	if (!authctxt->method || !authctxt->method->name)
86 			return "(sshv2-unknown)";
87 
88 	return authctxt->method->name;
89 }
90 
91 const
92 char *
93 derive_pam_svc_name(Authmethod *method)
94 {
95 	if (compat20 && method) {
96 		char *method_name = method->name;
97 
98 		if (!method_name)
99 			fatal("Userauth method unknown while starting PAM");
100 
101 		/* For SSHv2 we use "sshd-<userauth name> */
102 		if (strcmp(method_name, "none") == 0) {
103 			return "sshd-none";
104 		}
105 		if (strcmp(method_name, "password") == 0) {
106 			return "sshd-password";
107 		}
108 		if (strcmp(method_name, "keyboard-interactive") == 0) {
109 			/* "keyboard-interactive" is too long, shorten it */
110 			return "sshd-kbdint";
111 		}
112 		if (strcmp(method_name, "publickey") == 0) {
113 			/* "publickey" is too long, shorten it */
114 			return "sshd-pubkey";
115 		}
116 		if (strcmp(method_name, "hostbased") == 0) {
117 			/* "hostbased" can't really be shortened... */
118 			return "sshd-hostbased";
119 		}
120 		if (strncmp(method_name, "gss", 3) == 0) {
121 			/* "gss" is too short, elongate it */
122 			return "sshd-gssapi";
123 		}
124 	}
125 
126 	return "sshd-v1"; /* SSHv1 doesn't get to be so cool */
127 }
128 
129 void
130 new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
131 {
132 	int		retval;
133 	pam_handle_t	*pamh;
134 	const char	*rhost, *svc;
135 	char		*user = NULL;
136 	pam_stuff	*pam;
137 
138 	if (authctxt == NULL)
139 		fatal("Internal error during userauth");
140 
141 	if (compat20 && authctxt->method == NULL)
142 		fatal("Userauth method unknown while starting PAM");
143 
144 	/* PAM service selected here */
145 	svc = derive_pam_svc_name(authctxt->method);
146 	debug2("Starting PAM service %s for method %s", svc,
147 		get_method_name(authctxt));
148 
149 	if (authctxt->user != NULL)
150 		user = authctxt->user;
151 
152 	/* Cleanup previous PAM state */
153 	if (authctxt->pam != NULL) {
154 		fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
155 		do_pam_cleanup_proc(authctxt->pam);
156 	}
157 
158 	pam = xmalloc(sizeof(pam_stuff));
159 	(void) memset(pam, 0, sizeof(pam_stuff));
160 
161 	/*
162 	 * pam->last_pam_retval has to be and is considered
163 	 * along with pam->state.
164 	 *
165 	 * pam->state = 0; -> no PAM auth, account, etc, work
166 	 * done yet.  (Set by memset() above.)
167 	 *
168 	 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at
169 	 * this point.
170 	 *
171 	 * See finish_userauth_do_pam() below.
172 	 */
173 	pam->authctxt = authctxt;
174 	pam->last_pam_retval = PAM_SUCCESS;
175 
176 	authctxt->pam = pam;
177 
178 	/* Free any previously stored text/error PAM prompts */
179 	if (__pam_msg) {
180 		xfree(__pam_msg);
181 		__pam_msg = NULL;
182 	}
183 
184 	if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) {
185 		fatal("PAM initialization failed during %s userauth",
186 			get_method_name(authctxt));
187 	}
188 
189 	fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc,
190 			  (void *) authctxt->pam);
191 
192 	rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
193 	if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
194 		(void) pam_end(pamh, retval);
195 		fatal("Could not set PAM_RHOST item during %s userauth",
196 			get_method_name(authctxt));
197 	}
198 
199 	if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) {
200 		(void) pam_end(pamh, retval);
201 		fatal("Could not set PAM_TTY item during %s userauth",
202 			get_method_name(authctxt));
203 	}
204 
205 	if (authctxt->cuser != NULL)
206 		if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) {
207 			(void) pam_end(pamh, retval);
208 			fatal("Could not set PAM_AUSER item during %s userauth",
209 				get_method_name(authctxt));
210 		}
211 
212 	authctxt->pam->h = pamh;
213 }
214 
215 /*
216  * To be called from userauth methods, directly (as in keyboard-interactive) or
217  * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth().
218  *
219  * The caller is responsible for calling new_start_pam() first.
220  *
221  * PAM state is not cleaned up here on error.  This is left to subsequent calls
222  * to new_start_pam() or to the cleanup function upon authentication error.
223  */
224 int
225 finish_userauth_do_pam(Authctxt *authctxt)
226 {
227 	int retval;
228 	char *user, *method;
229 
230 	/* Various checks; fail gracefully */
231 	if (authctxt == NULL || authctxt->pam == NULL)
232 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
233 
234 	if (compat20) {
235 		if (authctxt->method == NULL || authctxt->method->name == NULL)
236 			return PAM_SYSTEM_ERR;	/* shouldn't happen */
237 		method = authctxt->method->name;
238 	} else if ((method = authctxt->v1_auth_name) == NULL)
239 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
240 
241 	if (AUTHPAM_DONE(authctxt))
242 		return PAM_SYSTEM_ERR;	/* shouldn't happen */
243 
244 	if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) {
245 		retval = pam_acct_mgmt(authctxt->pam->h, 0);
246 		authctxt->pam->last_pam_retval = retval;
247 		if (retval == PAM_NEW_AUTHTOK_REQD) {
248 			userauth_force_kbdint();
249 			return retval;
250 		}
251 		if (retval != PAM_SUCCESS)
252 			return retval;
253 		authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT;
254 	}
255 
256 	/*
257 	 * Handle PAM_USER change, if any.
258 	 *
259 	 * We do this before pam_open_session() because we need the PAM_USER's
260 	 * UID for:
261 	 *
262 	 * a) PermitRootLogin checking
263 	 * b) to get at the lastlog entry before pam_open_session() updates it.
264 	 */
265 	retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user);
266 	if (retval != PAM_SUCCESS) {
267 		fatal("PAM failure: pam_get_item(PAM_USER) "
268 		      "returned %d: %.200s", retval,
269 		      PAM_STRERROR(authctxt->pam->h, retval));
270 	}
271 
272 	if (user == NULL || *user == '\0') {
273 		debug("PAM set NULL PAM_USER");
274 		return PAM_PERM_DENIED;
275 	}
276 
277 	if (strcmp(user, authctxt->user) != 0) {
278 		log("PAM changed the SSH username");
279 		pwfree(&authctxt->pw);
280 		authctxt->pw = getpwnamallow(user);
281 		authctxt->valid = (authctxt->pw != NULL);
282 		xfree(authctxt->user);
283 		authctxt->user = xstrdup(user);
284 	}
285 
286 	if (!authctxt->valid) {
287 		debug2("PAM set PAM_USER to unknown user");
288 		/*
289 		 * Return success, userauth_finish() will catch
290 		 * this and send back a failure message.
291 		 */
292 		return PAM_SUCCESS;
293 	}
294 
295 	/* Check PermitRootLogin semantics */
296 	if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method))
297 		return PAM_PERM_DENIED;
298 
299 	if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) {
300 		retval = pam_setcred(authctxt->pam->h,
301 				     PAM_ESTABLISH_CRED);
302 		authctxt->pam->last_pam_retval = retval;
303 		if (retval != PAM_SUCCESS)
304 			return retval;
305 		authctxt->pam->state |= PAM_S_DONE_SETCRED;
306 
307 #ifdef GSSAPI
308 		/*
309 		 * Store GSS-API delegated creds after pam_setcred(), which may
310 		 * have set the current credential store.
311 		 */
312 		ssh_gssapi_storecreds(NULL, authctxt);
313 #endif /* GSSAPI */
314 	}
315 
316 	/*
317 	 * On Solaris pam_unix_session.so updates the lastlog, but does
318 	 * not converse a PAM_TEXT_INFO message about it.  So we need to
319 	 * fetch the lastlog entry here and save it for use later.
320 	 */
321 	authctxt->last_login_time =
322 		get_last_login_time(authctxt->pw->pw_uid,
323 			authctxt->pw->pw_name,
324 			authctxt->last_login_host,
325 			sizeof(authctxt->last_login_host));
326 
327 	if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) {
328 		retval = pam_open_session(authctxt->pam->h, 0);
329 		authctxt->pam->last_pam_retval = retval;
330 		if (retval != PAM_SUCCESS)
331 			return retval;
332 		authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION;
333 	}
334 
335 	/*
336 	 * All PAM work done successfully.
337 	 *
338 	 * PAM handle stays around so we can call pam_close_session() on
339 	 * it later.
340 	 */
341 	return PAM_SUCCESS;
342 }
343 
344 /*
345  * PAM conversation function for non-interactive userauth methods that
346  * really cannot do any prompting.  Password userauth and CHANGEREQ can
347  * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid
348  * conversation (and if they do and nonetheless some module tries to
349  * converse, then password userauth / CHANGEREQ MUST fail).
350  *
351  * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled
352  * away and shown to the user later.
353  *
354  * Keyboard-interactive userauth has its own much more interesting
355  * conversation function.
356  *
357  */
358 static int
359 do_pam_conversation(int num_msg, const struct pam_message **msg,
360 	struct pam_response **resp, void *appdata_ptr)
361 {
362 	struct pam_response *reply;
363 	int count;
364 
365 	/* PAM will free this later */
366 	reply = xmalloc(num_msg * sizeof(*reply));
367 
368 	(void) memset(reply, 0, num_msg * sizeof(*reply));
369 
370 	for (count = 0; count < num_msg; count++) {
371 		/*
372 		 * We can't use stdio yet, queue messages for
373 		 * printing later
374 		 */
375 		switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
376 		case PAM_PROMPT_ECHO_ON:
377 			xfree(reply);
378 			return PAM_CONV_ERR;
379 		case PAM_PROMPT_ECHO_OFF:
380 			xfree(reply);
381 			return PAM_CONV_ERR;
382 			break;
383 		case PAM_ERROR_MSG:
384 		case PAM_TEXT_INFO:
385 			if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
386 				message_cat(&__pam_msg,
387 				    PAM_MSG_MEMBER(msg, count, msg));
388 			}
389 			reply[count].resp = xstrdup("");
390 			reply[count].resp_retcode = PAM_SUCCESS;
391 			break;
392 		default:
393 			xfree(reply);
394 			return PAM_CONV_ERR;
395 		}
396 	}
397 
398 	*resp = reply;
399 
400 	return PAM_SUCCESS;
401 }
402 
403 /* Called at exit to cleanly shutdown PAM */
404 static void
405 do_pam_cleanup_proc(void *context)
406 {
407 	int pam_retval;
408 	pam_stuff *pam = (pam_stuff *) context;
409 
410 	if (pam == NULL)
411 		return;
412 
413 	if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
414 		pam->authctxt->pam_retval = pam->last_pam_retval;
415 		pam->authctxt->pam = NULL;
416 		pam->authctxt = NULL;
417 	}
418 
419 	if (pam->h == NULL)
420 		return;
421 
422 	/*
423 	 * We're in fatal_cleanup() or not in userauth or without a
424 	 * channel -- can't converse now, too bad.
425 	 */
426 	pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
427 	if (pam_retval != PAM_SUCCESS) {
428 		log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
429 			pam_retval, PAM_STRERROR(pam->h, pam_retval));
430 		goto cleanup;
431 	}
432 
433 	if (pam->state & PAM_S_DONE_OPEN_SESSION) {
434 		pam_retval = pam_close_session(pam->h, 0);
435 		if (pam_retval != PAM_SUCCESS)
436 			log("Cannot close PAM session[%d]: %.200s",
437 			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
438 	}
439 
440 	if (pam->state & PAM_S_DONE_SETCRED) {
441 		pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
442 		if (pam_retval != PAM_SUCCESS)
443 			debug("Cannot delete credentials[%d]: %.200s",
444 			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
445 	}
446 
447 cleanup:
448 
449 	/* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
450 	if (pam->last_pam_retval != PAM_SUCCESS)
451 		pam_retval = pam_end(pam->h, pam->last_pam_retval);
452 	else if (pam_retval != PAM_SUCCESS)
453 		pam_retval = pam_end(pam->h, pam_retval);
454 	else
455 		pam_retval = pam_end(pam->h, PAM_ABORT);
456 
457 	if (pam_retval != PAM_SUCCESS)
458 		log("Cannot release PAM authentication[%d]: %.200s",
459 		    pam_retval, PAM_STRERROR(pam->h, pam_retval));
460 
461 	xfree(pam);
462 }
463 
464 /* Attempt password authentation using PAM */
465 int
466 auth_pam_password(Authctxt *authctxt, const char *password)
467 {
468 	int retval;
469 
470 	/* Ensure we have a fresh PAM handle / state */
471 	new_start_pam(authctxt, &conv);
472 
473 	retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password);
474 	if (retval != PAM_SUCCESS) {
475 		authctxt->pam->last_pam_retval = retval;
476 		return 1;
477 	}
478 
479 	retval = pam_authenticate(authctxt->pam->h,
480 			options.permit_empty_passwd ?  0 :
481 			PAM_DISALLOW_NULL_AUTHTOK);
482 
483 	if (retval != PAM_SUCCESS) {
484 		authctxt->pam->last_pam_retval = retval;
485 		return 0;
486 	}
487 
488 	if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS)
489 		return 0;
490 
491 	if (authctxt->method)
492 		authctxt->method->authenticated = 1;	/* SSHv2 */
493 
494 	return 1;
495 }
496 
497 int
498 do_pam_non_initial_userauth(Authctxt *authctxt)
499 {
500 	new_start_pam(authctxt, NULL);
501 	return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS);
502 }
503 
504 /* Cleanly shutdown PAM */
505 void finish_pam(Authctxt *authctxt)
506 {
507 	fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
508 	do_pam_cleanup_proc(authctxt->pam);
509 }
510 
511 static
512 char **
513 find_env(char **env, char *var)
514 {
515 	char **p;
516 	int len;
517 
518 	if (strchr(var, '=') == NULL)
519 		len = strlen(var);
520 	else
521 		len = (strchr(var, '=') - var) + 1;
522 
523 	for ( p = env ; p != NULL && *p != NULL ; p++ ) {
524 		if (strncmp(*p, var, len) == 0)
525 			return (p);
526 	}
527 
528 	return (NULL);
529 }
530 
531 /* Return list of PAM environment strings */
532 char **
533 fetch_pam_environment(Authctxt *authctxt)
534 {
535 #ifdef HAVE_PAM_GETENVLIST
536 	char	**penv;
537 
538 	if (authctxt == NULL || authctxt->pam == NULL ||
539 	    authctxt->pam->h == NULL)
540 		return (NULL);
541 
542 	penv = pam_getenvlist(authctxt->pam->h);
543 
544 	return (penv);
545 #else /* HAVE_PAM_GETENVLIST */
546 	return(NULL);
547 #endif /* HAVE_PAM_GETENVLIST */
548 }
549 
550 void free_pam_environment(char **env)
551 {
552 	int i;
553 
554 	if (env != NULL) {
555 		for (i = 0; env[i] != NULL; i++)
556 			xfree(env[i]);
557 	}
558 
559 	xfree(env);
560 }
561 
562 /* Print any messages that have been generated during authentication */
563 /* or account checking to stderr */
564 void print_pam_messages(void)
565 {
566 	if (__pam_msg != NULL)
567 		(void) fputs(__pam_msg, stderr);
568 }
569 
570 /* Append a message to buffer */
571 void message_cat(char **p, const char *a)
572 {
573 	char *cp;
574 	size_t new_len;
575 
576 	new_len = strlen(a);
577 
578 	if (*p) {
579 		size_t len = strlen(*p);
580 
581 		*p = xrealloc(*p, new_len + len + 2);
582 		cp = *p + len;
583 	} else
584 		*p = cp = xmalloc(new_len + 2);
585 
586 	(void) memcpy(cp, a, new_len);
587 	cp[new_len] = '\n';
588 	cp[new_len + 1] = '\0';
589 }
590 
591 #endif /* USE_PAM */
592