1/* $NetBSD: pam_ksu.c,v 1.11 2023/09/07 11:27:57 riastradh Exp $ */ 2 3/*- 4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28#include <sys/cdefs.h> 29#ifdef __FreeBSD__ 30__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); 31#else 32__RCSID("$NetBSD: pam_ksu.c,v 1.11 2023/09/07 11:27:57 riastradh Exp $"); 33#endif 34 35#include <sys/param.h> 36#include <errno.h> 37#include <stdio.h> 38#include <stdlib.h> 39#include <string.h> 40#include <unistd.h> 41 42#include <krb5/krb5.h> 43 44#define PAM_SM_AUTH 45#define PAM_SM_CRED 46#include <security/pam_appl.h> 47#include <security/pam_modules.h> 48#include <security/pam_mod_misc.h> 49 50static const char superuser[] = "root"; 51 52#define PASSWORD_PROMPT "%s's password:" 53 54static void log_krb5(krb5_context, krb5_error_code, const char *, ...) 55 __printflike(3, 4); 56static krb5_error_code get_su_principal(krb5_context, const char *, 57 const char *, char **, krb5_principal *); 58static int auth_krb5(pam_handle_t *, krb5_context, const char *, 59 krb5_principal); 60 61PAM_EXTERN int 62pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 63 int argc __unused, const char *argv[] __unused) 64{ 65 krb5_boolean allow_homedir; 66 krb5_context context; 67 krb5_principal su_principal; 68 const char *user; 69 const void *ruser; 70 char *su_principal_name; 71 krb5_error_code rv; 72 int pamret; 73 74 pamret = pam_get_user(pamh, &user, NULL); 75 if (pamret != PAM_SUCCESS) 76 return (pamret); 77 PAM_LOG("Got user: %s", user); 78 pamret = pam_get_item(pamh, PAM_RUSER, &ruser); 79 if (pamret != PAM_SUCCESS) 80 return (pamret); 81 PAM_LOG("Got ruser: %s", (const char *)ruser); 82 allow_homedir = krb5_set_home_dir_access(NULL, FALSE); 83 rv = krb5_init_context(&context); 84 if (rv != 0) { 85 log_krb5(context, rv, "krb5_init_context failed"); 86 pamret = PAM_SERVICE_ERR; 87 goto out; 88 } 89 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal); 90 if (rv != 0) { 91 pamret = PAM_AUTH_ERR; 92 goto out; 93 } 94 PAM_LOG("kuserok: %s -> %s", su_principal_name, user); 95 (void)krb5_set_home_dir_access(NULL, TRUE); /* ~user/.k5login */ 96 rv = krb5_kuserok(context, su_principal, user); 97 (void)krb5_set_home_dir_access(NULL, FALSE); 98 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; 99 free(su_principal_name); 100 krb5_free_principal(context, su_principal); 101 krb5_free_context(context); 102out: (void)krb5_set_home_dir_access(NULL, allow_homedir); 103 return (pamret); 104} 105 106PAM_EXTERN int 107pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 108 int ac __unused, const char *av[] __unused) 109{ 110 111 return (PAM_SUCCESS); 112} 113 114/* Authenticate using Kerberos 5. 115 * pamh -- The PAM handle. 116 * context -- An initialized krb5_context. 117 * su_principal_name -- The target principal name, used only for password prompts. 118 * If NULL, the password prompts will not include a principal 119 * name. 120 * su_principal -- The target krb5_principal. 121 * Note that a valid keytab in the default location with a host entry 122 * must be available, and that the PAM application must have sufficient 123 * privileges to access it. 124 * Returns PAM_SUCCESS if authentication was successful, or an appropriate 125 * PAM error code if it was not. 126 */ 127static int 128auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name, 129 krb5_principal su_principal) 130{ 131 krb5_creds creds; 132 krb5_get_init_creds_opt *gic_opt; 133 krb5_verify_init_creds_opt vic_opt; 134 const char *pass; 135 char prompt[80]; 136 krb5_error_code rv; 137 int pamret; 138 139 rv = krb5_get_init_creds_opt_alloc(context, &gic_opt); 140 if (rv != 0) { 141 log_krb5(context, rv, "krb5_get_init_creds_opt_alloc"); 142 return (PAM_SERVICE_ERR); 143 } 144 krb5_verify_init_creds_opt_init(&vic_opt); 145 if (su_principal_name != NULL) 146 (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT, 147 su_principal_name); 148 else 149 (void)snprintf(prompt, sizeof(prompt), "Password:"); 150 pass = NULL; 151 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 152 if (pamret != PAM_SUCCESS) 153 return (pamret); 154 rv = krb5_get_init_creds_password(context, &creds, su_principal, 155 pass, NULL, NULL, 0, NULL, gic_opt); 156 if (rv != 0) { 157 log_krb5(context, rv, "krb5_get_init_creds_password"); 158 return (PAM_AUTH_ERR); 159 } 160 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1); 161 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, 162 &vic_opt); 163 krb5_free_cred_contents(context, &creds); 164 if (rv != 0) { 165 log_krb5(context, rv, "krb5_verify_init_creds"); 166 return (PAM_AUTH_ERR); 167 } 168 return (PAM_SUCCESS); 169} 170 171static void 172log_krb5(krb5_context ctx, krb5_error_code err, const char *fmt, ...) 173{ 174 char b1[1024], b2[1024]; 175 const char *errtxt; 176 va_list ap; 177 178 va_start(ap, fmt); 179 vsnprintf(b1, sizeof(b1), fmt, ap); 180 va_end(ap); 181 if (ctx) 182 errtxt = krb5_get_error_message(ctx, err); 183 else 184 errtxt = NULL; 185 if (errtxt != NULL) { 186 snprintf(b2, sizeof(b2), "%s", errtxt); 187 krb5_free_error_message(ctx, errtxt); 188 } else { 189 snprintf(b2, sizeof(b2), "unknown %d", (int)err); 190 } 191 PAM_LOG("%s (%s)", b1, b2); 192} 193 194/* Determine the target principal given the current user and the target user. 195 * context -- An initialized krb5_context. 196 * target_user -- The target username. 197 * current_user -- The current username. 198 * su_principal_name -- (out) The target principal name. 199 * su_principal -- (out) The target krb5_principal. 200 * When the target user is `root', the target principal will be a `root 201 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal 202 * will simply be the current user's default principal name. Note that 203 * in any case, if KRB5CCNAME is set and a credentials cache exists, the 204 * principal name found there will be the `starting point', rather than 205 * the ruser parameter. 206 * 207 * Returns 0 for success, or a com_err error code on failure. 208 */ 209static krb5_error_code 210get_su_principal(krb5_context context, const char *target_user, const char *current_user, 211 char **su_principal_name, krb5_principal *su_principal) 212{ 213 krb5_principal default_principal; 214 krb5_ccache ccache; 215 char *principal_name, *ccname, *p; 216 krb5_error_code rv; 217 uid_t euid, ruid; 218 219 *su_principal = NULL; 220 default_principal = NULL; 221 /* Unless KRB5CCNAME was explicitly set, we won't really be able 222 * to look at the credentials cache since krb5_cc_default will 223 * look at getuid(). 224 */ 225 ruid = getuid(); 226 euid = geteuid(); 227 rv = seteuid(ruid); 228 if (rv != 0) 229 return (errno); 230 p = getenv("KRB5CCNAME"); 231 if (p != NULL) 232 ccname = strdup(p); 233 else 234 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid); 235 if (ccname == NULL) 236 return (errno); 237 rv = krb5_cc_resolve(context, ccname, &ccache); 238 free(ccname); 239 if (rv == 0) { 240 rv = krb5_cc_get_principal(context, ccache, &default_principal); 241 krb5_cc_close(context, ccache); 242 if (rv != 0) 243 default_principal = NULL; /* just to be safe */ 244 } 245 rv = seteuid(euid); 246 if (rv != 0) 247 return (errno); 248 if (default_principal == NULL) { 249 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL); 250 if (rv != 0) { 251 PAM_LOG("Could not determine default principal name."); 252 return (rv); 253 } 254 } 255 /* Now that we have some principal, if the target account is 256 * `root', then transform it into a `root' instance, e.g. 257 * `user@REA.LM' -> `user/root@REA.LM'. 258 */ 259 rv = krb5_unparse_name(context, default_principal, &principal_name); 260 krb5_free_principal(context, default_principal); 261 if (rv != 0) { 262 log_krb5(context, rv, "krb5_unparse_name"); 263 return (rv); 264 } 265 PAM_LOG("Default principal name: %s", principal_name); 266 if (strcmp(target_user, superuser) == 0) { 267 p = strrchr(principal_name, '@'); 268 if (p == NULL) { 269 PAM_LOG("malformed principal name `%s'", principal_name); 270 free(principal_name); 271 return (rv); 272 } 273 *p++ = '\0'; 274 *su_principal_name = NULL; 275 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p); 276 free(principal_name); 277 } else 278 *su_principal_name = principal_name; 279 280 if (*su_principal_name == NULL) 281 return (errno); 282 rv = krb5_parse_name(context, *su_principal_name, &default_principal); 283 if (rv != 0) { 284 log_krb5(context, rv, "krb5_parse_name `%s'", 285 *su_principal_name); 286 return (rv); 287 } 288 PAM_LOG("Target principal name: %s", *su_principal_name); 289 *su_principal = default_principal; 290 return (0); 291} 292 293PAM_MODULE_ENTRY("pam_ksu"); 294