mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-30 15:38:06 +01:00
444 lines
11 KiB
C
444 lines
11 KiB
C
/*
|
|
* Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include<config.h>
|
|
RCSID("$Id: pam.c,v 1.22.2.2 2000/10/13 15:41:09 assar Exp $");
|
|
#endif
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <pwd.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <syslog.h>
|
|
|
|
#include <security/pam_appl.h>
|
|
#include <security/pam_modules.h>
|
|
#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */
|
|
#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
|
|
#endif
|
|
|
|
#include <netinet/in.h>
|
|
#include <krb.h>
|
|
#include <kafs.h>
|
|
|
|
#if 0
|
|
/* Debugging PAM modules is a royal pain, truss helps. */
|
|
#define DEBUG(msg) (access(msg " at line", __LINE__))
|
|
#endif
|
|
|
|
static void
|
|
psyslog(int level, const char *format, ...)
|
|
{
|
|
va_list args;
|
|
va_start(args, format);
|
|
openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
|
|
vsyslog(level, format, args);
|
|
va_end(args);
|
|
closelog();
|
|
}
|
|
|
|
enum {
|
|
KRB4_DEBUG,
|
|
KRB4_USE_FIRST_PASS,
|
|
KRB4_TRY_FIRST_PASS,
|
|
KRB4_IGNORE_ROOT,
|
|
KRB4_NO_VERIFY,
|
|
KRB4_REAFSLOG,
|
|
KRB4_CTRLS /* Number of ctrl arguments defined. */
|
|
};
|
|
|
|
#define KRB4_DEFAULTS 0
|
|
|
|
static int ctrl_flags = KRB4_DEFAULTS;
|
|
#define ctrl_on(x) (krb4_args[x].flag & ctrl_flags)
|
|
#define ctrl_off(x) (!ctrl_on(x))
|
|
|
|
typedef struct
|
|
{
|
|
const char *token;
|
|
unsigned int flag;
|
|
} krb4_ctrls_t;
|
|
|
|
static krb4_ctrls_t krb4_args[KRB4_CTRLS] =
|
|
{
|
|
/* KRB4_DEBUG */ { "debug", 0x01 },
|
|
/* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 },
|
|
/* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 },
|
|
/* KRB4_IGNORE_ROOT */ { "ignore_root", 0x08 },
|
|
/* KRB4_NO_VERIFY */ { "no_verify", 0x10 },
|
|
/* KRB4_REAFSLOG */ { "reafslog", 0x20 },
|
|
};
|
|
|
|
static void
|
|
parse_ctrl(int argc, const char **argv)
|
|
{
|
|
int i, j;
|
|
|
|
ctrl_flags = KRB4_DEFAULTS;
|
|
for (i = 0; i < argc; i++)
|
|
{
|
|
for (j = 0; j < KRB4_CTRLS; j++)
|
|
if (strcmp(argv[i], krb4_args[j].token) == 0)
|
|
break;
|
|
|
|
if (j >= KRB4_CTRLS)
|
|
psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
|
|
else
|
|
ctrl_flags |= krb4_args[j].flag;
|
|
}
|
|
}
|
|
|
|
static void
|
|
pdeb(const char *format, ...)
|
|
{
|
|
va_list args;
|
|
if (ctrl_off(KRB4_DEBUG))
|
|
return;
|
|
va_start(args, format);
|
|
openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
|
|
vsyslog(LOG_DEBUG, format, args);
|
|
va_end(args);
|
|
closelog();
|
|
}
|
|
|
|
#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
|
|
|
|
static void
|
|
set_tkt_string(uid_t uid)
|
|
{
|
|
char buf[128];
|
|
|
|
snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid);
|
|
krb_set_tkt_string(buf);
|
|
|
|
#if 0
|
|
/* pam_set_data+pam_get_data are not guaranteed to work, grr. */
|
|
pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup);
|
|
if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS)
|
|
{
|
|
pam_putenv(pamh, var);
|
|
}
|
|
#endif
|
|
|
|
/* We don't want to inherit this variable.
|
|
* If we still do, it must have a sane value. */
|
|
if (getenv("KRBTKFILE") != 0)
|
|
{
|
|
char *var = malloc(sizeof(buf));
|
|
snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string());
|
|
putenv(var);
|
|
/* free(var); XXX */
|
|
}
|
|
}
|
|
|
|
static int
|
|
verify_pass(pam_handle_t *pamh,
|
|
const char *name,
|
|
const char *inst,
|
|
const char *pass)
|
|
{
|
|
char realm[REALM_SZ];
|
|
int ret, krb_verify, old_euid, old_ruid;
|
|
|
|
krb_get_lrealm(realm, 1);
|
|
if (ctrl_on(KRB4_NO_VERIFY))
|
|
krb_verify = KRB_VERIFY_SECURE_FAIL;
|
|
else
|
|
krb_verify = KRB_VERIFY_SECURE;
|
|
old_ruid = getuid();
|
|
old_euid = geteuid();
|
|
setreuid(0, 0);
|
|
ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
|
|
pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
|
|
name, inst, realm, krb_verify,
|
|
krb_get_err_text(ret));
|
|
setreuid(old_ruid, old_euid);
|
|
if (getuid() != old_ruid || geteuid() != old_euid)
|
|
{
|
|
psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
|
|
old_ruid, old_euid, __LINE__);
|
|
exit(1);
|
|
}
|
|
|
|
switch(ret) {
|
|
case KSUCCESS:
|
|
return PAM_SUCCESS;
|
|
case KDC_PR_UNKNOWN:
|
|
return PAM_USER_UNKNOWN;
|
|
case SKDC_CANT:
|
|
case SKDC_RETRY:
|
|
case RD_AP_TIME:
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
default:
|
|
return PAM_AUTH_ERR;
|
|
}
|
|
}
|
|
|
|
static int
|
|
krb4_auth(pam_handle_t *pamh,
|
|
int flags,
|
|
const char *name,
|
|
const char *inst,
|
|
struct pam_conv *conv)
|
|
{
|
|
struct pam_response *resp;
|
|
char prompt[128];
|
|
struct pam_message msg, *pmsg = &msg;
|
|
int ret;
|
|
|
|
if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS))
|
|
{
|
|
char *pass = 0;
|
|
ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
|
|
if (ret != PAM_SUCCESS)
|
|
{
|
|
psyslog(LOG_ERR , "pam_get_item returned error to get-password");
|
|
return ret;
|
|
}
|
|
else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
|
|
return PAM_SUCCESS;
|
|
else if (ctrl_on(KRB4_USE_FIRST_PASS))
|
|
return PAM_AUTHTOK_RECOVERY_ERR; /* Wrong password! */
|
|
else
|
|
/* We tried the first password but it didn't work, cont. */;
|
|
}
|
|
|
|
msg.msg_style = PAM_PROMPT_ECHO_OFF;
|
|
if (*inst == 0)
|
|
snprintf(prompt, sizeof(prompt), "%s's Password: ", name);
|
|
else
|
|
snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst);
|
|
msg.msg = prompt;
|
|
|
|
ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
|
|
if (ret != PAM_SUCCESS)
|
|
return ret;
|
|
|
|
ret = verify_pass(pamh, name, inst, resp->resp);
|
|
if (ret == PAM_SUCCESS)
|
|
{
|
|
memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */
|
|
free(resp->resp);
|
|
free(resp);
|
|
}
|
|
else
|
|
{
|
|
pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */
|
|
/* free(resp->resp); XXX */
|
|
/* free(resp); XXX */
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
pam_sm_authenticate(pam_handle_t *pamh,
|
|
int flags,
|
|
int argc,
|
|
const char **argv)
|
|
{
|
|
char *user;
|
|
int ret;
|
|
struct pam_conv *conv;
|
|
struct passwd *pw;
|
|
uid_t uid = -1;
|
|
const char *name, *inst;
|
|
char realm[REALM_SZ];
|
|
realm[0] = 0;
|
|
|
|
parse_ctrl(argc, argv);
|
|
ENTRY("pam_sm_authenticate");
|
|
|
|
ret = pam_get_user(pamh, &user, "login: ");
|
|
if (ret != PAM_SUCCESS)
|
|
return ret;
|
|
|
|
if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0)
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
|
|
ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
|
|
if (ret != PAM_SUCCESS)
|
|
return ret;
|
|
|
|
pw = getpwnam(user);
|
|
if (pw != 0)
|
|
{
|
|
uid = pw->pw_uid;
|
|
set_tkt_string(uid);
|
|
}
|
|
|
|
if (strcmp(user, "root") == 0 && getuid() != 0)
|
|
{
|
|
pw = getpwuid(getuid());
|
|
if (pw != 0)
|
|
{
|
|
name = strdup(pw->pw_name);
|
|
inst = "root";
|
|
}
|
|
}
|
|
else
|
|
{
|
|
name = user;
|
|
inst = "";
|
|
}
|
|
|
|
ret = krb4_auth(pamh, flags, name, inst, conv);
|
|
|
|
/*
|
|
* The realm was lost inside krb_verify_user() so we can't simply do
|
|
* a krb_kuserok() when inst != "".
|
|
*/
|
|
if (ret == PAM_SUCCESS && inst[0] != 0)
|
|
{
|
|
uid_t old_euid = geteuid();
|
|
uid_t old_ruid = getuid();
|
|
|
|
setreuid(0, 0); /* To read ticket file. */
|
|
if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
|
|
ret = PAM_SERVICE_ERR;
|
|
else if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
|
|
{
|
|
setreuid(0, uid); /* To read ~/.klogin. */
|
|
if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
|
|
ret = PAM_PERM_DENIED;
|
|
}
|
|
|
|
if (ret != PAM_SUCCESS)
|
|
{
|
|
dest_tkt(); /* Passwd known, ok to kill ticket. */
|
|
psyslog(LOG_NOTICE,
|
|
"%s.%s@%s is not allowed to log in as %s",
|
|
name, inst, realm, user);
|
|
}
|
|
|
|
setreuid(old_ruid, old_euid);
|
|
if (getuid() != old_ruid || geteuid() != old_euid)
|
|
{
|
|
psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
|
|
old_ruid, old_euid, __LINE__);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
if (ret == PAM_SUCCESS)
|
|
{
|
|
psyslog(LOG_INFO,
|
|
"%s.%s@%s authenticated as user %s",
|
|
name, inst, realm, user);
|
|
if (chown(tkt_string(), uid, -1) == -1)
|
|
{
|
|
dest_tkt();
|
|
psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Kludge alert!!! Sun dtlogin unlock screen fails to call
|
|
* pam_setcred(3) with PAM_REFRESH_CRED after a successful
|
|
* authentication attempt, sic.
|
|
*
|
|
* This hack is designed as a workaround to that problem.
|
|
*/
|
|
if (ctrl_on(KRB4_REAFSLOG))
|
|
if (ret == PAM_SUCCESS)
|
|
pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
|
|
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
{
|
|
parse_ctrl(argc, argv);
|
|
ENTRY("pam_sm_setcred");
|
|
|
|
switch (flags & ~PAM_SILENT) {
|
|
case 0:
|
|
case PAM_ESTABLISH_CRED:
|
|
if (k_hasafs())
|
|
k_setpag();
|
|
/* Fall through, fill PAG with credentials below. */
|
|
case PAM_REINITIALIZE_CRED:
|
|
case PAM_REFRESH_CRED:
|
|
if (k_hasafs())
|
|
{
|
|
void *user = 0;
|
|
|
|
if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
|
|
{
|
|
struct passwd *pw = getpwnam((char *)user);
|
|
if (pw != 0)
|
|
krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
|
|
pw->pw_uid, pw->pw_dir);
|
|
}
|
|
}
|
|
break;
|
|
case PAM_DELETE_CRED:
|
|
dest_tkt();
|
|
if (k_hasafs())
|
|
k_unlog();
|
|
break;
|
|
default:
|
|
psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
|
|
break;
|
|
}
|
|
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
int
|
|
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
|
{
|
|
parse_ctrl(argc, argv);
|
|
ENTRY("pam_sm_open_session");
|
|
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
|
|
int
|
|
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
|
|
{
|
|
parse_ctrl(argc, argv);
|
|
ENTRY("pam_sm_close_session");
|
|
|
|
/* This isn't really kosher, but it's handy. */
|
|
pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
|
|
|
|
return PAM_SUCCESS;
|
|
}
|