1/*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <sys/param.h>
30#include <errno.h>
31#include <stdio.h>
32#include <stdlib.h>
33#include <string.h>
34#include <unistd.h>
35
36#include <krb5.h>
37
38#define PAM_SM_AUTH
39#define PAM_SM_CRED
40#include <security/pam_appl.h>
41#include <security/pam_modules.h>
42#include <security/pam_mod_misc.h>
43
44static const char superuser[] = "root";
45
46static long	get_su_principal(krb5_context, const char *, const char *,
47		    char **, krb5_principal *);
48static int	auth_krb5(pam_handle_t *, krb5_context, const char *,
49		    krb5_principal);
50
51PAM_EXTERN int
52pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
53    int argc __unused, const char *argv[] __unused)
54{
55	krb5_context	 context;
56	krb5_principal	 su_principal;
57	const char	*user;
58	const void	*ruser;
59	char		*su_principal_name;
60	long		 rv;
61	int		 pamret;
62
63	pamret = pam_get_user(pamh, &user, NULL);
64	if (pamret != PAM_SUCCESS)
65		return (pamret);
66	PAM_LOG("Got user: %s", user);
67	pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
68	if (pamret != PAM_SUCCESS)
69		return (pamret);
70	PAM_LOG("Got ruser: %s", (const char *)ruser);
71	rv = krb5_init_context(&context);
72	if (rv != 0) {
73		const char *msg = krb5_get_error_message(context, rv);
74		PAM_LOG("krb5_init_context failed: %s", msg);
75		krb5_free_error_message(context, msg);
76		return (PAM_SERVICE_ERR);
77	}
78	rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
79	if (rv != 0)
80		return (PAM_AUTH_ERR);
81	PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
82	rv = krb5_kuserok(context, su_principal, user);
83	pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
84	free(su_principal_name);
85	krb5_free_principal(context, su_principal);
86	krb5_free_context(context);
87	return (pamret);
88}
89
90PAM_EXTERN int
91pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
92    int ac __unused, const char *av[] __unused)
93{
94
95	return (PAM_SUCCESS);
96}
97
98/* Authenticate using Kerberos 5.
99 *   pamh              -- The PAM handle.
100 *   context           -- An initialized krb5_context.
101 *   su_principal_name -- The target principal name, used only for password prompts.
102 *              If NULL, the password prompts will not include a principal
103 *              name.
104 *   su_principal      -- The target krb5_principal.
105 * Note that a valid keytab in the default location with a host entry
106 * must be available, and that the PAM application must have sufficient
107 * privileges to access it.
108 * Returns PAM_SUCCESS if authentication was successful, or an appropriate
109 * PAM error code if it was not.
110 */
111static int
112auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
113    krb5_principal su_principal)
114{
115	krb5_creds	 creds;
116	krb5_get_init_creds_opt *gic_opt;
117	krb5_verify_init_creds_opt vic_opt;
118	const char	*pass;
119	char		*prompt;
120	long		 rv;
121	int		 pamret;
122
123	prompt = NULL;
124	krb5_verify_init_creds_opt_init(&vic_opt);
125	if (su_principal_name != NULL)
126		(void)asprintf(&prompt, "Password for %s:", su_principal_name);
127	else
128		(void)asprintf(&prompt, "Password:");
129	if (prompt == NULL)
130		return (PAM_BUF_ERR);
131	pass = NULL;
132	pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
133	free(prompt);
134	if (pamret != PAM_SUCCESS)
135		return (pamret);
136	rv = krb5_get_init_creds_opt_alloc(context, &gic_opt);
137	if (rv != 0) {
138		const char *msg = krb5_get_error_message(context, rv);
139		PAM_LOG("krb5_get_init_creds_opt_alloc: %s", msg);
140		krb5_free_error_message(context, msg);
141		return (PAM_AUTH_ERR);
142	}
143	rv = krb5_get_init_creds_password(context, &creds, su_principal,
144	    pass, NULL, NULL, 0, NULL, gic_opt);
145	krb5_get_init_creds_opt_free(context, gic_opt);
146	if (rv != 0) {
147		const char *msg = krb5_get_error_message(context, rv);
148		PAM_LOG("krb5_get_init_creds_password: %s", msg);
149		krb5_free_error_message(context, msg);
150		return (PAM_AUTH_ERR);
151	}
152	krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
153	rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
154	    &vic_opt);
155	krb5_free_cred_contents(context, &creds);
156	if (rv != 0) {
157		const char *msg = krb5_get_error_message(context, rv);
158		PAM_LOG("krb5_verify_init_creds: %s", msg);
159		krb5_free_error_message(context, msg);
160		return (PAM_AUTH_ERR);
161	}
162	return (PAM_SUCCESS);
163}
164
165/* Determine the target principal given the current user and the target user.
166 *   context           -- An initialized krb5_context.
167 *   target_user       -- The target username.
168 *   current_user      -- The current username.
169 *   su_principal_name -- (out) The target principal name.
170 *   su_principal      -- (out) The target krb5_principal.
171 * When the target user is `root', the target principal will be a `root
172 * instance', e.g. `luser/root@REA.LM'.  Otherwise, the target principal
173 * will simply be the current user's default principal name.  Note that
174 * in any case, if KRB5CCNAME is set and a credentials cache exists, the
175 * principal name found there will be the `starting point', rather than
176 * the ruser parameter.
177 *
178 * Returns 0 for success, or a com_err error code on failure.
179 */
180static long
181get_su_principal(krb5_context context, const char *target_user, const char *current_user,
182    char **su_principal_name, krb5_principal *su_principal)
183{
184	krb5_principal	 default_principal;
185	krb5_ccache	 ccache;
186	char		*principal_name, *ccname, *p;
187	long		 rv;
188	uid_t		 euid, ruid;
189
190	*su_principal = NULL;
191	default_principal = NULL;
192	/* Unless KRB5CCNAME was explicitly set, we won't really be able
193	 * to look at the credentials cache since krb5_cc_default will
194	 * look at getuid().
195	 */
196	ruid = getuid();
197	euid = geteuid();
198	rv = seteuid(ruid);
199	if (rv != 0)
200		return (errno);
201	p = getenv("KRB5CCNAME");
202	if (p != NULL)
203		ccname = strdup(p);
204	else
205		(void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
206	if (ccname == NULL)
207		return (errno);
208	rv = krb5_cc_resolve(context, ccname, &ccache);
209	free(ccname);
210	if (rv == 0) {
211		rv = krb5_cc_get_principal(context, ccache, &default_principal);
212		krb5_cc_close(context, ccache);
213		if (rv != 0)
214			default_principal = NULL; /* just to be safe */
215	}
216	rv = seteuid(euid);
217	if (rv != 0)
218		return (errno);
219	if (default_principal == NULL) {
220		rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
221		if (rv != 0) {
222			PAM_LOG("Could not determine default principal name.");
223			return (rv);
224		}
225	}
226	/* Now that we have some principal, if the target account is
227	 * `root', then transform it into a `root' instance, e.g.
228	 * `user@REA.LM' -> `user/root@REA.LM'.
229	 */
230	rv = krb5_unparse_name(context, default_principal, &principal_name);
231	krb5_free_principal(context, default_principal);
232	if (rv != 0) {
233		const char *msg = krb5_get_error_message(context, rv);
234		PAM_LOG("krb5_unparse_name: %s", msg);
235		krb5_free_error_message(context, msg);
236		return (rv);
237	}
238	PAM_LOG("Default principal name: %s", principal_name);
239	if (strcmp(target_user, superuser) == 0) {
240		p = strrchr(principal_name, '@');
241		if (p == NULL) {
242			PAM_LOG("malformed principal name `%s'", principal_name);
243			free(principal_name);
244			return (rv);
245		}
246		*p++ = '\0';
247		*su_principal_name = NULL;
248		(void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
249		free(principal_name);
250	} else
251		*su_principal_name = principal_name;
252
253	if (*su_principal_name == NULL)
254		return (errno);
255	rv = krb5_parse_name(context, *su_principal_name, &default_principal);
256	if (rv != 0) {
257		const char *msg = krb5_get_error_message(context, rv);
258		PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, msg);
259		krb5_free_error_message(context, msg);
260		free(*su_principal_name);
261		return (rv);
262	}
263	PAM_LOG("Target principal name: %s", *su_principal_name);
264	*su_principal = default_principal;
265	return (0);
266}
267
268PAM_MODULE_ENTRY("pam_ksu");
269