usr/src/lib/pam_modules/krb5/utils.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25
  26 #include <security/pam_appl.h>
  27 #include <pwd.h>
  28 #include <string.h>
  29 #include <stdlib.h>
  30 #include <malloc.h>
  31 #include <unistd.h>
  32 #include <ctype.h>
  33 #include <syslog.h>
  34 #include <errno.h>
  35
  36 #include "utils.h"
  37
  38 extern const char *error_message(long);
  39
  40 /* ******************************************************************** */
  41 /*                                                                      */
  42 /*              Utilities Functions                                     */
  43 /*                                                                      */
  44 /* ******************************************************************** */
  45
  46 /*
  47  * get_pw_uid():
  48  *      To get the uid from the passwd entry for specified user
  49  *      It returns 0 if the user can't be found, otherwise returns 1.
  50  */
  51 int
  52 get_pw_uid(char *user, uid_t *uid)
  53 {
  54         struct passwd sp;
  55         char buffer[1024];
  56
  57         if (getpwnam_r(user, &sp, buffer, sizeof (buffer)) == NULL) {
  58                 return (0);
  59         }
  60
  61         *uid = sp.pw_uid;
  62
  63         return (1);
  64 }
  65
  66 /*
  67  * get_pw_gid():
  68  *      To get the gid from the passwd entry for specified user
  69  *      It returns 0 if the user can't be found, otherwise returns 1.
  70  */
  71 int
  72 get_pw_gid(char *user, gid_t *gid)
  73 {
  74         struct passwd sp;
  75         char buffer[1024];
  76
  77         if (getpwnam_r(user, &sp, buffer, sizeof (buffer)) == NULL) {
  78                 return (0);
  79         }
  80
  81         *gid = sp.pw_gid;
  82
  83         return (1);
  84 }
  85
  86
  87 /*
  88  * get_kmd_kuser():
  89  *      To get the kerberos user name for the specified user.
  90  *      Assumes that the kuser string is allocated.  It will be
  91  *      overwritten.  This saves us having to deal will allocating
  92  *      and freeing the kuser string.
  93  *
  94  * RFC 1510 does not mention how to handle mixed case domainnames
  95  * while constructing client principals. So we will follow the same
  96  * procedure as for server principals and lowercase the domainname.
  97  *
  98  * Returns:
  99  *      PAM_BUF_ERR     - if there is an error from krb5_sname_to_principal(),
 100  *                        or krb5_unparse_name()
 101  *      0               - if there was no error
 102  */
 103 int
 104 get_kmd_kuser(krb5_context kcontext, const char *user, char *kuser, int length)
 105 {
 106         if (strcmp(user, ROOT_UNAME) == 0) {
 107                 krb5_principal princ;
 108                 char *name, *princname, *lasts;
 109
 110                 if (krb5_sname_to_principal(kcontext, NULL, ROOT_UNAME,
 111                         KRB5_NT_SRV_HST, &princ)) {
 112                         return (PAM_BUF_ERR);
 113                 }
 114                 if (krb5_unparse_name(kcontext, princ, &princname)) {
 115                         krb5_free_principal(kcontext, princ);
 116                         return (PAM_BUF_ERR);
 117                 }
 118                 /* just interested in princ name before the @REALM part */
 119                 if ((name = strtok_r(princname, "@", &lasts)) == NULL) {
 120                         krb5_free_principal(kcontext, princ);
 121                         free(princname);
 122                         return (PAM_BUF_ERR);
 123                 }
 124                 if (strlcpy(kuser, name, length) >= length) {
 125                         krb5_free_principal(kcontext, princ);
 126                         free(princname);
 127                         return (PAM_BUF_ERR);
 128                 }
 129                 krb5_free_principal(kcontext, princ);
 130                 free(princname);
 131         } else {
 132                 if (strlcpy(kuser, user, length) >= length) {
 133                         return (PAM_BUF_ERR);
 134                 }
 135         }
 136         return (0);
 137 }
 138
 139 /*
 140  * return true (1) if the user's key is in the (default) keytab
 141  */
 142 int
 143 key_in_keytab(const char *user, int debug)
 144 {
 145         krb5_keytab kt_handle;
 146         krb5_keytab_entry kt_ent;
 147         char *whoami = "key_in_keytab";
 148         krb5_error_code retval = 0;
 149         krb5_error_code code = 0;
 150         krb5_context kcontext = NULL;
 151         krb5_principal  princ = NULL;
 152         char            kuser[2*MAXHOSTNAMELEN];
 153
 154
 155         if (debug)
 156                 __pam_log(LOG_AUTH | LOG_DEBUG,
 157                     "PAM-KRB5 (%s): start for user '%s'",
 158                                     whoami, user ? user : "<null>");
 159
 160         if (!user)
 161                 return (retval);
 162
 163         /* need to free context with krb5_free_context */
 164         if (code = krb5_init_secure_context(&kcontext)) {
 165                 if (debug)
 166                         __pam_log(LOG_AUTH | LOG_DEBUG,
 167                             "PAM-KRB5 (%s): Error initializing "
 168                             "krb5: %s", whoami,
 169                             error_message(code));
 170                 return (retval);
 171         }
 172
 173         if ((code = get_kmd_kuser(kcontext, (const char *)user, kuser,
 174                 2*MAXHOSTNAMELEN)) != 0) {
 175                 goto out;
 176         }
 177
 178         /* need to free princ with krb5_free_principal */
 179         if ((code = krb5_parse_name(kcontext, kuser, &princ)) != 0) {
 180                 if (debug)
 181                         __pam_log(LOG_AUTH | LOG_DEBUG,
 182                             "PAM-KRB5 (%s): can't parse name (%s)",
 183                                     whoami, error_message(code));
 184                 goto out;
 185         }
 186
 187         /* need to close keytab handle with krb5_kt_close */
 188         if ((code = krb5_kt_default(kcontext, &kt_handle))) {
 189                 if (debug)
 190                         __pam_log(LOG_AUTH | LOG_DEBUG,
 191                             "PAM-KRB5 (%s): krb5_kt_default failed (%s)",
 192                             whoami, error_message(code));
 193                 goto out;
 194         }
 195
 196         code = krb5_kt_get_entry(kcontext, kt_handle, princ, 0, 0, &kt_ent);
 197         if (code != 0) {
 198                 if (code == ENOENT) {
 199                                 if (debug)
 200                                         __pam_log(LOG_AUTH | LOG_DEBUG,
 201                                             "PAM-KRB5 (%s): "
 202                                             "Keytab does not exist",
 203                                             whoami);
 204                 } else if (code == KRB5_KT_NOTFOUND) {
 205                                 if (debug)
 206                                         __pam_log(LOG_AUTH | LOG_DEBUG,
 207                                             "PAM-KRB5 (%s): "
 208                                             "No entry for principal "
 209                                             "'%s' exists in keytab",
 210                                             whoami, kuser);
 211                 } else {
 212                                 if (debug)
 213                                         __pam_log(LOG_AUTH | LOG_DEBUG,
 214                                             "PAM-KRB5 (%s): "
 215                                             "krb5_kt_get_entry failed (%s)",
 216                                             whoami, error_message(code));
 217                 }
 218         } else { /* Key found in keytab, return success */
 219                         (void) krb5_kt_free_entry(kcontext, &kt_ent);
 220                         if (debug)
 221                                 __pam_log(LOG_AUTH | LOG_DEBUG,
 222                                     "PAM-KRB5 (%s): "
 223                                     "keytab entry for '%s' found",
 224                                     whoami, user);
 225                         retval = 1;
 226         }
 227
 228         (void) krb5_kt_close(kcontext, kt_handle);
 229 out:
 230         if (princ && kcontext)
 231                 krb5_free_principal(kcontext, princ);
 232
 233         if (kcontext)
 234                 krb5_free_context(kcontext);
 235
 236         return (retval);
 237 }