search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / lib / libpam / modules / pam_ksu / pam_ksu.c
blobe5999bb618e2316bec4cee22e5eb5d3f853b880c
1 /* $NetBSD: pam_ksu.c,v 1.2 2004/12/12 08:18:46 christos Exp $ */
2
3 /*-
4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28 #include <sys/cdefs.h>
29 #ifdef __FreeBSD__
30 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $");
31 #else
32 __RCSID("$NetBSD: pam_ksu.c,v 1.2 2004/12/12 08:18:46 christos Exp $");
33 #endif
34
35 #include <sys/param.h>
36 #include <errno.h>
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <unistd.h>
41
42 #include <krb5/krb5.h>
43
44 #define PAM_SM_AUTH
45 #define PAM_SM_CRED
46 #include <security/pam_appl.h>
47 #include <security/pam_modules.h>
48 #include <security/pam_mod_misc.h>
49
50 static const char superuser[] = "root";
51
52 #define PASSWORD_PROMPT "%s's password:"
53
54 static long get_su_principal(krb5_context, const char *, const char *,
55 char **, krb5_principal *);
56 static int auth_krb5(pam_handle_t *, krb5_context, const char *,
57 krb5_principal);
58
59 PAM_EXTERN int
60 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
61 int argc __unused, const char *argv[] __unused)
62 {
63 krb5_context context;
64 krb5_principal su_principal;
65 const char *user;
66 const void *ruser;
67 char *su_principal_name;
68 long rv;
69 int pamret;
70
71 pamret = pam_get_user(pamh, &user, NULL);
72 if (pamret != PAM_SUCCESS)
73 return (pamret);
74 PAM_LOG("Got user: %s", user);
75 pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
76 if (pamret != PAM_SUCCESS)
77 return (pamret);
78 PAM_LOG("Got ruser: %s", (const char *)ruser);
79 rv = krb5_init_context(&context);
80 if (rv != 0) {
81 PAM_LOG("krb5_init_context failed: %s",
82 krb5_get_err_text(context, rv));
83 return (PAM_SERVICE_ERR);
84 }
85 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
86 if (rv != 0)
87 return (PAM_AUTH_ERR);
88 PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
89 rv = krb5_kuserok(context, su_principal, user);
90 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
91 free(su_principal_name);
92 krb5_free_principal(context, su_principal);
93 krb5_free_context(context);
94 return (pamret);
95 }
96
97 PAM_EXTERN int
98 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
99 int ac __unused, const char *av[] __unused)
100 {
101
102 return (PAM_SUCCESS);
103 }
104
105 /* Authenticate using Kerberos 5.
106 * pamh -- The PAM handle.
107 * context -- An initialized krb5_context.
108 * su_principal_name -- The target principal name, used only for password prompts.
109 * If NULL, the password prompts will not include a principal
110 * name.
111 * su_principal -- The target krb5_principal.
112 * Note that a valid keytab in the default location with a host entry
113 * must be available, and that the PAM application must have sufficient
114 * privileges to access it.
115 * Returns PAM_SUCCESS if authentication was successful, or an appropriate
116 * PAM error code if it was not.
117 */
118 static int
119 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
120 krb5_principal su_principal)
121 {
122 krb5_creds creds;
123 krb5_get_init_creds_opt gic_opt;
124 krb5_verify_init_creds_opt vic_opt;
125 const char *pass;
126 char prompt[80];
127 long rv;
128 int pamret;
129
130 krb5_get_init_creds_opt_init(&gic_opt);
131 krb5_verify_init_creds_opt_init(&vic_opt);
132 if (su_principal_name != NULL)
133 (void)snprintf(prompt, sizeof(prompt), PASSWORD_PROMPT,
134 su_principal_name);
135 else
136 (void)snprintf(prompt, sizeof(prompt), "Password:");
137 if (prompt == NULL)
138 return (PAM_BUF_ERR);
139 pass = NULL;
140 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
141 if (pamret != PAM_SUCCESS)
142 return (pamret);
143 rv = krb5_get_init_creds_password(context, &creds, su_principal,
144 pass, NULL, NULL, 0, NULL, &gic_opt);
145 if (rv != 0) {
146 PAM_LOG("krb5_get_init_creds_password: %s",
147 krb5_get_err_text(context, rv));
148 return (PAM_AUTH_ERR);
149 }
150 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
151 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
152 &vic_opt);
153 krb5_free_cred_contents(context, &creds);
154 if (rv != 0) {
155 PAM_LOG("krb5_verify_init_creds: %s",
156 krb5_get_err_text(context, rv));
157 return (PAM_AUTH_ERR);
158 }
159 return (PAM_SUCCESS);
160 }
161
162 /* Determine the target principal given the current user and the target user.
163 * context -- An initialized krb5_context.
164 * target_user -- The target username.
165 * current_user -- The current username.
166 * su_principal_name -- (out) The target principal name.
167 * su_principal -- (out) The target krb5_principal.
168 * When the target user is `root', the target principal will be a `root
169 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal
170 * will simply be the current user's default principal name. Note that
171 * in any case, if KRB5CCNAME is set and a credentials cache exists, the
172 * principal name found there will be the `starting point', rather than
173 * the ruser parameter.
174 *
175 * Returns 0 for success, or a com_err error code on failure.
176 */
177 static long
178 get_su_principal(krb5_context context, const char *target_user, const char *current_user,
179 char **su_principal_name, krb5_principal *su_principal)
180 {
181 krb5_principal default_principal;
182 krb5_ccache ccache;
183 char *principal_name, *ccname, *p;
184 long rv;
185 uid_t euid, ruid;
186
187 *su_principal = NULL;
188 default_principal = NULL;
189 /* Unless KRB5CCNAME was explicitly set, we won't really be able
190 * to look at the credentials cache since krb5_cc_default will
191 * look at getuid().
192 */
193 ruid = getuid();
194 euid = geteuid();
195 rv = seteuid(ruid);
196 if (rv != 0)
197 return (errno);
198 p = getenv("KRB5CCNAME");
199 if (p != NULL)
200 ccname = strdup(p);
201 else
202 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
203 if (ccname == NULL)
204 return (errno);
205 rv = krb5_cc_resolve(context, ccname, &ccache);
206 free(ccname);
207 if (rv == 0) {
208 rv = krb5_cc_get_principal(context, ccache, &default_principal);
209 krb5_cc_close(context, ccache);
210 if (rv != 0)
211 default_principal = NULL; /* just to be safe */
212 }
213 rv = seteuid(euid);
214 if (rv != 0)
215 return (errno);
216 if (default_principal == NULL) {
217 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
218 if (rv != 0) {
219 PAM_LOG("Could not determine default principal name.");
220 return (rv);
221 }
222 }
223 /* Now that we have some principal, if the target account is
224 * `root', then transform it into a `root' instance, e.g.
225 * `user@REA.LM' -> `user/root@REA.LM'.
226 */
227 rv = krb5_unparse_name(context, default_principal, &principal_name);
228 krb5_free_principal(context, default_principal);
229 if (rv != 0) {
230 PAM_LOG("krb5_unparse_name: %s",
231 krb5_get_err_text(context, rv));
232 return (rv);
233 }
234 PAM_LOG("Default principal name: %s", principal_name);
235 if (strcmp(target_user, superuser) == 0) {
236 p = strrchr(principal_name, '@');
237 if (p == NULL) {
238 PAM_LOG("malformed principal name `%s'", principal_name);
239 free(principal_name);
240 return (rv);
241 }
242 *p++ = '\0';
243 *su_principal_name = NULL;
244 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
245 free(principal_name);
246 } else
247 *su_principal_name = principal_name;
248
249 if (*su_principal_name == NULL)
250 return (errno);
251 rv = krb5_parse_name(context, *su_principal_name, &default_principal);
252 if (rv != 0) {
253 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name,
254 krb5_get_err_text(context, rv));
255 free(*su_principal_name);
256 return (rv);
257 }
258 PAM_LOG("Target principal name: %s", *su_principal_name);
259 *su_principal = default_principal;
260 return (0);
261 }
262
263 PAM_MODULE_ENTRY("pam_ksu");
NetBSD on the FriendlyARM MINI2440