1/* 2 * Copyright (c) 1999-2005, 2007-2008, 2010 3 * Todd C. Miller <Todd.Miller@courtesan.com> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 17 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 18 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 19 * 20 * Sponsored in part by the Defense Advanced Research Projects 21 * Agency (DARPA) and Air Force Research Laboratory, Air Force 22 * Materiel Command, USAF, under agreement number F39502-99-1-0512. 23 */ 24 25#include <config.h> 26 27#include <sys/types.h> 28#include <sys/param.h> 29#include <stdio.h> 30#ifdef STDC_HEADERS 31# include <stdlib.h> 32# include <stddef.h> 33#else 34# ifdef HAVE_STDLIB_H 35# include <stdlib.h> 36# endif 37#endif /* STDC_HEADERS */ 38#ifdef HAVE_STRING_H 39# include <string.h> 40#endif /* HAVE_STRING_H */ 41#ifdef HAVE_STRINGS_H 42# include <strings.h> 43#endif /* HAVE_STRING_H */ 44#ifdef HAVE_UNISTD_H 45# include <unistd.h> 46#endif /* HAVE_UNISTD_H */ 47#include <pwd.h> 48#include <krb5.h> 49#ifdef HAVE_HEIMDAL 50#include <com_err.h> 51#endif 52 53#include "sudo.h" 54#include "sudo_auth.h" 55 56#ifdef HAVE_HEIMDAL 57# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) 58# define krb5_free_data_contents(c, d) krb5_data_free(d) 59#else 60# define extract_name(c, p) (krb5_princ_component(c, p, 1)->data) 61#endif 62 63#ifndef HAVE_KRB5_VERIFY_USER 64static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *)); 65#endif 66static struct _sudo_krb5_data { 67 krb5_context sudo_context; 68 krb5_principal princ; 69 krb5_ccache ccache; 70} sudo_krb5_data = { NULL, NULL, NULL }; 71typedef struct _sudo_krb5_data *sudo_krb5_datap; 72 73#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC 74static krb5_error_code 75krb5_get_init_creds_opt_alloc(context, opts) 76 krb5_context context; 77 krb5_get_init_creds_opt **opts; 78{ 79 *opts = emalloc(sizeof(krb5_get_init_creds_opt)); 80 krb5_get_init_creds_opt_init(*opts); 81 return 0; 82} 83 84static void 85krb5_get_init_creds_opt_free(opts) 86 krb5_get_init_creds_opt *opts; 87{ 88 free(opts); 89} 90#endif 91 92int 93kerb5_setup(pw, promptp, auth) 94 struct passwd *pw; 95 char **promptp; 96 sudo_auth *auth; 97{ 98 static char *krb5_prompt; 99 100 if (krb5_prompt == NULL) { 101 krb5_context sudo_context; 102 krb5_principal princ; 103 char *pname; 104 krb5_error_code error; 105 106 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; 107 princ = ((sudo_krb5_datap) auth->data)->princ; 108 109 /* 110 * Really, we need to tell the caller not to prompt for password. The 111 * API does not currently provide this unless the auth is standalone. 112 */ 113 if ((error = krb5_unparse_name(sudo_context, princ, &pname))) { 114 log_error(NO_MAIL, 115 "%s: unable to unparse princ ('%s'): %s", auth->name, 116 pw->pw_name, error_message(error)); 117 return AUTH_FAILURE; 118 } 119 120 /* Only rewrite prompt if user didn't specify their own. */ 121 /*if (!strcmp(prompt, PASSPROMPT)) { */ 122 easprintf(&krb5_prompt, "Password for %s: ", pname); 123 /*}*/ 124 free(pname); 125 } 126 *promptp = krb5_prompt; 127 128 return AUTH_SUCCESS; 129} 130 131int 132kerb5_init(pw, auth) 133 struct passwd *pw; 134 sudo_auth *auth; 135{ 136 krb5_context sudo_context; 137 krb5_ccache ccache; 138 krb5_principal princ; 139 krb5_error_code error; 140 char cache_name[64]; 141 142 auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */ 143 144#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT 145 error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context)); 146#else 147 error = krb5_init_context(&(sudo_krb5_data.sudo_context)); 148#endif 149 if (error) 150 return AUTH_FAILURE; 151 sudo_context = sudo_krb5_data.sudo_context; 152 153 if ((error = krb5_parse_name(sudo_context, pw->pw_name, 154 &(sudo_krb5_data.princ)))) { 155 log_error(NO_MAIL, 156 "%s: unable to parse '%s': %s", auth->name, pw->pw_name, 157 error_message(error)); 158 return AUTH_FAILURE; 159 } 160 princ = sudo_krb5_data.princ; 161 162 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld", 163 (long) getpid()); 164 if ((error = krb5_cc_resolve(sudo_context, cache_name, 165 &(sudo_krb5_data.ccache)))) { 166 log_error(NO_MAIL, 167 "%s: unable to resolve ccache: %s", auth->name, 168 error_message(error)); 169 return AUTH_FAILURE; 170 } 171 ccache = sudo_krb5_data.ccache; 172 173 return AUTH_SUCCESS; 174} 175 176#ifdef HAVE_KRB5_VERIFY_USER 177int 178kerb5_verify(pw, pass, auth) 179 struct passwd *pw; 180 char *pass; 181 sudo_auth *auth; 182{ 183 krb5_context sudo_context; 184 krb5_principal princ; 185 krb5_ccache ccache; 186 krb5_error_code error; 187 188 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; 189 princ = ((sudo_krb5_datap) auth->data)->princ; 190 ccache = ((sudo_krb5_datap) auth->data)->ccache; 191 192 error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL); 193 return error ? AUTH_FAILURE : AUTH_SUCCESS; 194} 195#else 196int 197kerb5_verify(pw, pass, auth) 198 struct passwd *pw; 199 char *pass; 200 sudo_auth *auth; 201{ 202 krb5_context sudo_context; 203 krb5_principal princ; 204 krb5_creds credbuf, *creds = NULL; 205 krb5_ccache ccache; 206 krb5_error_code error; 207 krb5_get_init_creds_opt *opts = NULL; 208 209 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; 210 princ = ((sudo_krb5_datap) auth->data)->princ; 211 ccache = ((sudo_krb5_datap) auth->data)->ccache; 212 213 /* Set default flags based on the local config file. */ 214 error = krb5_get_init_creds_opt_alloc(sudo_context, &opts); 215 if (error) { 216 log_error(NO_MAIL, 217 "%s: unable to allocate options: %s", auth->name, 218 error_message(error)); 219 goto done; 220 } 221#ifdef HAVE_HEIMDAL 222 krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL, 223 krb5_principal_get_realm(sudo_context, princ), opts); 224#endif 225 226 /* Note that we always obtain a new TGT to verify the user */ 227 if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ, 228 pass, krb5_prompter_posix, 229 NULL, 0, NULL, opts))) { 230 /* Don't print error if just a bad password */ 231 if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY) 232 log_error(NO_MAIL, 233 "%s: unable to get credentials: %s", auth->name, 234 error_message(error)); 235 goto done; 236 } 237 creds = &credbuf; 238 239 /* Verify the TGT to prevent spoof attacks. */ 240 if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name))) 241 goto done; 242 243 /* Store cred in cred cache. */ 244 if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) { 245 log_error(NO_MAIL, 246 "%s: unable to initialize ccache: %s", auth->name, 247 error_message(error)); 248 } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) { 249 log_error(NO_MAIL, 250 "%s: unable to store cred in ccache: %s", auth->name, 251 error_message(error)); 252 } 253 254done: 255 if (opts) { 256#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS 257 krb5_get_init_creds_opt_free(sudo_context, opts); 258#else 259 krb5_get_init_creds_opt_free(opts); 260#endif 261 } 262 if (creds) 263 krb5_free_cred_contents(sudo_context, creds); 264 return error ? AUTH_FAILURE : AUTH_SUCCESS; 265} 266#endif 267 268int 269kerb5_cleanup(pw, auth) 270 struct passwd *pw; 271 sudo_auth *auth; 272{ 273 krb5_context sudo_context; 274 krb5_principal princ; 275 krb5_ccache ccache; 276 277 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; 278 princ = ((sudo_krb5_datap) auth->data)->princ; 279 ccache = ((sudo_krb5_datap) auth->data)->ccache; 280 281 if (sudo_context) { 282 if (ccache) 283 krb5_cc_destroy(sudo_context, ccache); 284 if (princ) 285 krb5_free_principal(sudo_context, princ); 286 krb5_free_context(sudo_context); 287 } 288 289 return AUTH_SUCCESS; 290} 291 292#ifndef HAVE_KRB5_VERIFY_USER 293/* 294 * Verify the Kerberos ticket-granting ticket just retrieved for the 295 * user. If the Kerberos server doesn't respond, assume the user is 296 * trying to fake us out (since we DID just get a TGT from what is 297 * supposedly our KDC). 298 * 299 * Returns 0 for successful authentication, non-zero for failure. 300 */ 301static int 302verify_krb_v5_tgt(sudo_context, cred, auth_name) 303 krb5_context sudo_context; 304 krb5_creds *cred; 305 char *auth_name; /* For error reporting */ 306{ 307 krb5_error_code error; 308 krb5_principal server; 309 krb5_verify_init_creds_opt vopt; 310 311 /* 312 * Get the server principal for the local host. 313 * (Use defaults of "host" and canonicalized local name.) 314 */ 315 if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL, 316 KRB5_NT_SRV_HST, &server))) { 317 log_error(NO_MAIL, 318 "%s: unable to get host principal: %s", auth_name, 319 error_message(error)); 320 return -1; 321 } 322 323 /* Initialize verify opts and set secure mode */ 324 krb5_verify_init_creds_opt_init(&vopt); 325 krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1); 326 327 /* verify the Kerberos ticket-granting ticket we just retrieved */ 328 error = krb5_verify_init_creds(sudo_context, cred, server, NULL, 329 NULL, &vopt); 330 krb5_free_principal(sudo_context, server); 331 if (error) 332 log_error(NO_MAIL, 333 "%s: Cannot verify TGT! Possible attack!: %s", auth_name, 334 error_message(error)); 335 return error; 336} 337#endif 338