search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
comm: add -Wall
[unleashed.git] / usr / src / lib / pam_modules / krb5 / krb5_authenticate.c
blob1fa11db17bcaa69f43d11d1a49ce0c4db47b74b4
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 #include <security/pam_appl.h>
27 #include <security/pam_modules.h>
28 #include <security/pam_impl.h>
29 #include <string.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <sys/types.h>
33 #include <sys/stat.h>
34 #include <pwd.h>
35 #include <syslog.h>
36 #include <libintl.h>
37 #include <k5-int.h>
38 #include "profile/prof_int.h"
39 #include <netdb.h>
40 #include <ctype.h>
41 #include "utils.h"
42 #include "krb5_repository.h"
43
44 #define KRB5_DEFAULT_OPTIONS 0
45
46 int forwardable_flag = 0;
47 int renewable_flag = 0;
48 int proxiable_flag = 0;
49 int no_address_flag = 0;
50 profile_options_boolean config_option[] = {
51 { "forwardable", &forwardable_flag, 0 },
52 { "renewable", &renewable_flag, 0 },
53 { "proxiable", &proxiable_flag, 0 },
54 { "no_addresses", &no_address_flag, 0 },
55 { NULL, NULL, 0 }
56 };
57 char *renew_timeval;
58 char *life_timeval;
59 profile_option_strings config_times[] = {
60 { "max_life", &life_timeval, 0 },
61 { "max_renewable_life", &renew_timeval, 0 },
62 { NULL, NULL, 0 }
63 };
64 char *realmdef[] = { "realms", NULL, NULL, NULL };
65 char *appdef[] = { "appdefaults", "kinit", NULL };
66
67 #define krb_realm (*(realmdef + 1))
68
69 int attempt_krb5_auth(pam_handle_t *, krb5_module_data_t *, char *,
70 char **, boolean_t);
71 void krb5_cleanup(pam_handle_t *, void *, int);
72
73 extern errcode_t profile_get_options_boolean();
74 extern errcode_t profile_get_options_string();
75 extern int krb5_verifypw(char *, char *, int);
76 extern krb5_error_code krb5_verify_init_creds(krb5_context,
77 krb5_creds *, krb5_principal, krb5_keytab, krb5_ccache *,
78 krb5_verify_init_creds_opt *);
79 extern krb5_error_code __krb5_get_init_creds_password(krb5_context,
80 krb5_creds *, krb5_principal, char *, krb5_prompter_fct, void *,
81 krb5_deltat, char *, krb5_get_init_creds_opt *,
82 krb5_kdc_rep **);
83
84 /*
85 * pam_sm_authenticate - Authenticate user
86 */
87 int
88 pam_sm_authenticate(
89 pam_handle_t *pamh,
90 int flags,
91 int argc,
92 const char **argv)
93 {
94 char *user = NULL;
95 int err;
96 int result = PAM_AUTH_ERR;
97 /* pam.conf options */
98 int debug = 0;
99 int warn = 1;
100 /* return an error on password expire */
101 int err_on_exp = 0;
102 int i;
103 char *password = NULL;
104 uid_t pw_uid;
105 krb5_module_data_t *kmd = NULL;
106 krb5_repository_data_t *krb5_data = NULL;
107 pam_repository_t *rep_data = NULL;
108 boolean_t do_pkinit = FALSE;
109
110 for (i = 0; i < argc; i++) {
111 if (strcmp(argv[i], "debug") == 0) {
112 debug = 1;
113 } else if (strcmp(argv[i], "nowarn") == 0) {
114 warn = 0;
115 } else if (strcmp(argv[i], "err_on_exp") == 0) {
116 err_on_exp = 1;
117 } else if (strcmp(argv[i], "pkinit") == 0) {
118 do_pkinit = TRUE;
119 } else {
120 __pam_log(LOG_AUTH | LOG_ERR,
121 "PAM-KRB5 (auth) unrecognized option %s", argv[i]);
122 }
123 }
124 if (flags & PAM_SILENT) warn = 0;
125
126 if (debug)
127 __pam_log(LOG_AUTH | LOG_DEBUG,
128 "PAM-KRB5 (auth): pam_sm_authenticate flags=%d",
129 flags);
130
131 /*
132 * pam_get_data could fail if we are being called for the first time
133 * or if the module is not found, PAM_NO_MODULE_DATA is not an error
134 */
135 err = pam_get_data(pamh, KRB5_DATA, (const void**)&kmd);
136 if (!(err == PAM_SUCCESS || err == PAM_NO_MODULE_DATA))
137 return (PAM_SYSTEM_ERR);
138
139 /*
140 * If pam_krb5 was stacked higher in the auth stack and did PKINIT
141 * preauth sucessfully then this instance is a fallback to password
142 * based preauth and should just return PAM_IGNORE.
143 *
144 * The else clause is handled further down.
145 */
146 if (kmd != NULL) {
147 if (++(kmd->auth_calls) > 2) {
148 /*
149 * pam_krb5 has been stacked > 2 times in the auth
150 * stack. Clear out the current kmd and proceed as if
151 * this is the first time pam_krb5 auth has been called.
152 */
153 if (debug) {
154 __pam_log(LOG_AUTH | LOG_DEBUG,
155 "PAM-KRB5 (auth): stacked more than"
156 " two times, clearing kmd");
157 }
158 /* clear out/free current kmd */
159 err = pam_set_data(pamh, KRB5_DATA, NULL, NULL);
160 if (err != PAM_SUCCESS) {
161 krb5_cleanup(pamh, kmd, err);
162 result = err;
163 goto out;
164 }
165 kmd = NULL;
166 } else if (kmd->auth_calls == 2 &&
167 kmd->auth_status == PAM_SUCCESS) {
168 /*
169 * The previous instance of pam_krb5 succeeded and this
170 * instance was a fall back in case it didn't succeed so
171 * return ignore.
172 */
173 if (debug) {
174 __pam_log(LOG_AUTH | LOG_DEBUG,
175 "PAM-KRB5 (auth): PKINIT succeeded "
176 "earlier so returning PAM_IGNORE");
177 }
178 return (PAM_IGNORE);
179 }
180 }
181
182 (void) pam_get_item(pamh, PAM_USER, (void**) &user);
183
184 if (user == NULL || *user == '\0') {
185 if (do_pkinit) {
186 /*
187 * If doing PKINIT it is okay to prompt for the user
188 * name.
189 */
190 if ((err = pam_get_user(pamh, &user, NULL)) !=
191 PAM_SUCCESS) {
192 if (debug) {
193 __pam_log(LOG_AUTH | LOG_DEBUG,
194 "PAM-KRB5 (auth): get user failed: "
195 "%s", pam_strerror(pamh, err));
196 }
197 return (err);
198 }
199 } else {
200 if (debug)
201 __pam_log(LOG_AUTH | LOG_DEBUG,
202 "PAM-KRB5 (auth): user empty or null");
203 return (PAM_USER_UNKNOWN);
204 }
205 }
206
207 /* make sure a password entry exists for this user */
208 if (!get_pw_uid(user, &pw_uid))
209 return (PAM_USER_UNKNOWN);
210
211 if (kmd == NULL) {
212 kmd = calloc(1, sizeof (krb5_module_data_t));
213 if (kmd == NULL) {
214 result = PAM_BUF_ERR;
215 goto out;
216 }
217
218 err = pam_set_data(pamh, KRB5_DATA, kmd, &krb5_cleanup);
219 if (err != PAM_SUCCESS) {
220 free(kmd);
221 result = err;
222 goto out;
223 }
224 }
225
226 if (!kmd->env) {
227 char buffer[512];
228
229 if (snprintf(buffer, sizeof (buffer),
230 "%s=FILE:/tmp/krb5cc_%d",
231 KRB5_ENV_CCNAME, (int)pw_uid) >= sizeof (buffer)) {
232 result = PAM_SYSTEM_ERR;
233 goto out;
234 }
235
236 /* we MUST copy this to the heap for the putenv to work! */
237 kmd->env = strdup(buffer);
238 if (!kmd->env) {
239 result = PAM_BUF_ERR;
240 goto out;
241 } else {
242 if (putenv(kmd->env)) {
243 result = PAM_SYSTEM_ERR;
244 goto out;
245 }
246 }
247 }
248
249 free(kmd->user);
250 if ((kmd->user = strdup(user)) == NULL) {
251 result = PAM_BUF_ERR;
252 goto out;
253 }
254
255 kmd->auth_status = PAM_AUTH_ERR;
256 kmd->debug = debug;
257 kmd->warn = warn;
258 kmd->err_on_exp = err_on_exp;
259 kmd->ccache = NULL;
260 kmd->kcontext = NULL;
261 kmd->password = NULL;
262 kmd->age_status = PAM_SUCCESS;
263 (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
264 kmd->auth_calls = 1;
265 kmd->preauth_type = do_pkinit ? KRB_PKINIT : KRB_PASSWD;
266
267 /*
268 * For apps that already did krb5 auth exchange...
269 * Now that we've created the kmd structure, we can
270 * return SUCCESS. 'kmd' may be needed later by other
271 * PAM functions, thats why we wait until this point to
272 * return.
273 */
274 (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data);
275
276 if (rep_data != NULL) {
277 if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) {
278 if (debug)
279 __pam_log(LOG_AUTH | LOG_DEBUG,
280 "PAM-KRB5 (auth): wrong"
281 "repository found (%s), returning "
282 "PAM_IGNORE", rep_data->type);
283 return (PAM_IGNORE);
284 }
285 if (rep_data->scope_len == sizeof (krb5_repository_data_t)) {
286 krb5_data = (krb5_repository_data_t *)rep_data->scope;
287
288 if (krb5_data->flags ==
289 SUNW_PAM_KRB5_ALREADY_AUTHENTICATED &&
290 krb5_data->principal != NULL &&
291 strlen(krb5_data->principal)) {
292 if (debug)
293 __pam_log(LOG_AUTH | LOG_DEBUG,
294 "PAM-KRB5 (auth): Principal "
295 "%s already authenticated",
296 krb5_data->principal);
297 kmd->auth_status = PAM_SUCCESS;
298 return (PAM_SUCCESS);
299 }
300 }
301 }
302
303 /*
304 * if root key exists in the keytab, it's a random key so no
305 * need to prompt for pw and we just return IGNORE.
306 *
307 * note we don't need to force a prompt for pw as authtok_get
308 * is required to be stacked above this module.
309 */
310 if ((strcmp(user, ROOT_UNAME) == 0) &&
311 key_in_keytab(user, debug)) {
312 if (debug)
313 __pam_log(LOG_AUTH | LOG_DEBUG,
314 "PAM-KRB5 (auth): "
315 "key for '%s' in keytab, returning IGNORE", user);
316 result = PAM_IGNORE;
317 goto out;
318 }
319
320 (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&password);
321
322 result = attempt_krb5_auth(pamh, kmd, user, &password, 1);
323
324 out:
325 if (kmd) {
326 if (debug)
327 __pam_log(LOG_AUTH | LOG_DEBUG,
328 "PAM-KRB5 (auth): pam_sm_auth finalize"
329 " ccname env, result =%d, env ='%s',"
330 " age = %d, status = %d",
331 result, kmd->env ? kmd->env : "<null>",
332 kmd->age_status, kmd->auth_status);
333
334 if (kmd->env &&
335 !(kmd->age_status == PAM_NEW_AUTHTOK_REQD &&
336 kmd->auth_status == PAM_SUCCESS)) {
337
338
339 if (result == PAM_SUCCESS) {
340 /*
341 * Put ccname into the pamh so that login
342 * apps can pick this up when they run
343 * pam_getenvlist().
344 */
345 if ((result = pam_putenv(pamh, kmd->env))
346 != PAM_SUCCESS) {
347 /* should not happen but... */
348 __pam_log(LOG_AUTH | LOG_ERR,
349 "PAM-KRB5 (auth):"
350 " pam_putenv failed: result: %d",
351 result);
352 goto cleanupccname;
353 }
354 } else {
355 cleanupccname:
356 /* for lack of a Solaris unputenv() */
357 krb5_unsetenv(KRB5_ENV_CCNAME);
358 free(kmd->env);
359 kmd->env = NULL;
360 }
361 }
362 kmd->auth_status = result;
363 }
364
365 if (debug)
366 __pam_log(LOG_AUTH | LOG_DEBUG,
367 "PAM-KRB5 (auth): end: %s", pam_strerror(pamh, result));
368
369 return (result);
370 }
371
372 static krb5_error_code
373 pam_krb5_prompter(
374 krb5_context ctx,
375 void *data,
376 /* ARGSUSED1 */
377 const char *name,
378 const char *banner,
379 int num_prompts,
380 krb5_prompt prompts[])
381 {
382 krb5_error_code rc = KRB5_LIBOS_CANTREADPWD;
383 pam_handle_t *pamh = (pam_handle_t *)data;
384 struct pam_conv *pam_convp;
385 struct pam_message *msgs = NULL;
386 struct pam_response *ret_respp = NULL;
387 int i;
388 krb5_prompt_type *prompt_type = krb5_get_prompt_types(ctx);
389 char tmpbuf[PAM_MAX_MSG_SIZE];
390
391 if (prompts) {
392 assert(num_prompts > 0);
393 }
394 /*
395 * Because this function should never be used for password prompts,
396 * disallow password prompts.
397 */
398 for (i = 0; i < num_prompts; i++) {
399 switch (prompt_type[i]) {
400 case KRB5_PROMPT_TYPE_PASSWORD:
401 case KRB5_PROMPT_TYPE_NEW_PASSWORD:
402 case KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:
403 return (rc);
404 }
405 }
406
407 if (pam_get_item(pamh, PAM_CONV, (void **)&pam_convp) != PAM_SUCCESS) {
408 return (rc);
409 }
410 if (pam_convp == NULL) {
411 return (rc);
412 }
413
414 msgs = (struct pam_message *)calloc(num_prompts,
415 sizeof (struct pam_message));
416 if (msgs == NULL) {
417 return (rc);
418 }
419 (void) memset(msgs, 0, sizeof (struct pam_message) * num_prompts);
420
421 for (i = 0; i < num_prompts; i++) {
422 /* convert krb prompt style to PAM style */
423 if (prompts[i].hidden) {
424 msgs[i].msg_style = PAM_PROMPT_ECHO_OFF;
425 } else {
426 msgs[i].msg_style = PAM_PROMPT_ECHO_ON;
427 }
428 /*
429 * krb expects the prompting function to append ": " to the
430 * prompt string.
431 */
432 if (snprintf(tmpbuf, sizeof (tmpbuf), "%s: ",
433 prompts[i].prompt) < 0) {
434 goto cleanup;
435 }
436 msgs[i].msg = strdup(tmpbuf);
437 if (msgs[i].msg == NULL) {
438 goto cleanup;
439 }
440 }
441
442 /*
443 * Call PAM conv function to display the prompt.
444 */
445
446 if ((pam_convp->conv)(num_prompts, &msgs, &ret_respp,
447 pam_convp->appdata_ptr) == PAM_SUCCESS) {
448 for (i = 0; i < num_prompts; i++) {
449 /* convert PAM response to krb prompt reply format */
450 assert(prompts[i].reply->data != NULL);
451 assert(ret_respp[i].resp != NULL);
452
453 if (strlcpy(prompts[i].reply->data,
454 ret_respp[i].resp, prompts[i].reply->length) >=
455 prompts[i].reply->length) {
456 char errmsg[1][PAM_MAX_MSG_SIZE];
457
458 (void) snprintf(errmsg[0], PAM_MAX_MSG_SIZE,
459 "%s", dgettext(TEXT_DOMAIN,
460 "Reply too long: "));
461 (void) __pam_display_msg(pamh, PAM_ERROR_MSG,
462 1, errmsg, NULL);
463 goto cleanup;
464 } else {
465 char *retp;
466
467 /*
468 * newline must be replaced with \0 terminator
469 */
470 retp = strchr(prompts[i].reply->data, '\n');
471 if (retp != NULL)
472 *retp = '\0';
473 /* NULL terminator should not be counted */
474 prompts[i].reply->length =
475 strlen(prompts[i].reply->data);
476 }
477 }
478 rc = 0;
479 }
480
481 cleanup:
482 for (i = 0; i < num_prompts; i++) {
483 if (msgs[i].msg) {
484 free(msgs[i].msg);
485 }
486 if (ret_respp[i].resp) {
487 /* 0 out sensitive data before free() */
488 (void) memset(ret_respp[i].resp, 0,
489 strlen(ret_respp[i].resp));
490 free(ret_respp[i].resp);
491 }
492 }
493 free(msgs);
494 free(ret_respp);
495 return (rc);
496 }
497
498 int
499 attempt_krb5_auth(
500 pam_handle_t *pamh,
501 krb5_module_data_t *kmd,
502 char *user,
503 char **krb5_pass,
504 boolean_t verify_tik)
505 {
506 krb5_principal me = NULL, clientp = NULL;
507 krb5_principal server = NULL, serverp = NULL;
508 krb5_creds *my_creds;
509 krb5_timestamp now;
510 krb5_error_code code = 0;
511 char kuser[2*MAXHOSTNAMELEN];
512 krb5_deltat lifetime;
513 krb5_deltat rlife;
514 krb5_deltat krb5_max_duration;
515 int options = KRB5_DEFAULT_OPTIONS;
516 krb5_data tgtname = {
517 0,
518 KRB5_TGS_NAME_SIZE,
519 KRB5_TGS_NAME
520 };
521 krb5_get_init_creds_opt *opts = NULL;
522 krb5_kdc_rep *as_reply = NULL;
523 /*
524 * "result" should not be assigned PAM_SUCCESS unless
525 * authentication has succeeded and there are no other errors.
526 *
527 * "code" is sometimes used for PAM codes, sometimes for krb5
528 * codes. Be careful.
529 */
530 int result = PAM_AUTH_ERR;
531
532 if (kmd->debug)
533 __pam_log(LOG_AUTH | LOG_DEBUG,
534 "PAM-KRB5 (auth): attempt_krb5_auth: start: user='%s'",
535 user ? user : "<null>");
536
537 /* need to free context with krb5_free_context */
538 if (code = krb5_init_secure_context(&kmd->kcontext)) {
539 __pam_log(LOG_AUTH | LOG_ERR,
540 "PAM-KRB5 (auth): Error initializing "
541 "krb5: %s",
542 error_message(code));
543 return (PAM_SYSTEM_ERR);
544 }
545
546 if ((code = get_kmd_kuser(kmd->kcontext, (const char *)user, kuser,
547 2*MAXHOSTNAMELEN)) != 0) {
548 /* get_kmd_kuser returns proper PAM error statuses */
549 return (code);
550 }
551
552 if ((code = krb5_parse_name(kmd->kcontext, kuser, &me)) != 0) {
553 krb5_free_context(kmd->kcontext);
554 kmd->kcontext = NULL;
555 return (PAM_SYSTEM_ERR);
556 }
557
558 /* call krb5_free_cred_contents() on error */
559 my_creds = &kmd->initcreds;
560
561 if ((code =
562 krb5_copy_principal(kmd->kcontext, me, &my_creds->client))) {
563 result = PAM_SYSTEM_ERR;
564 goto out_err;
565 }
566 clientp = my_creds->client;
567
568 if (code = krb5_build_principal_ext(kmd->kcontext, &server,
569 krb5_princ_realm(kmd->kcontext, me)->length,
570 krb5_princ_realm(kmd->kcontext, me)->data,
571 tgtname.length, tgtname.data,
572 krb5_princ_realm(kmd->kcontext, me)->length,
573 krb5_princ_realm(kmd->kcontext, me)->data, 0)) {
574 __pam_log(LOG_AUTH | LOG_ERR,
575 "PAM-KRB5 (auth): attempt_krb5_auth: "
576 "krb5_build_princ_ext failed: %s",
577 error_message(code));
578 result = PAM_SYSTEM_ERR;
579 goto out;
580 }
581
582 if (code = krb5_copy_principal(kmd->kcontext, server,
583 &my_creds->server)) {
584 result = PAM_SYSTEM_ERR;
585 goto out_err;
586 }
587 serverp = my_creds->server;
588
589 if (code = krb5_timeofday(kmd->kcontext, &now)) {
590 __pam_log(LOG_AUTH | LOG_ERR,
591 "PAM-KRB5 (auth): attempt_krb5_auth: "
592 "krb5_timeofday failed: %s",
593 error_message(code));
594 result = PAM_SYSTEM_ERR;
595 goto out;
596 }
597
598 /*
599 * set the values for lifetime and rlife to be the maximum
600 * possible
601 */
602 krb5_max_duration = KRB5_KDB_EXPIRATION - now - 60*60;
603 lifetime = krb5_max_duration;
604 rlife = krb5_max_duration;
605
606 /*
607 * Let us get the values for various options
608 * from Kerberos configuration file
609 */
610
611 krb_realm = krb5_princ_realm(kmd->kcontext, me)->data;
612 profile_get_options_boolean(kmd->kcontext->profile,
613 realmdef, config_option);
614 profile_get_options_boolean(kmd->kcontext->profile,
615 appdef, config_option);
616 profile_get_options_string(kmd->kcontext->profile,
617 realmdef, config_times);
618 profile_get_options_string(kmd->kcontext->profile,
619 appdef, config_times);
620
621 if (renew_timeval) {
622 code = krb5_string_to_deltat(renew_timeval, &rlife);
623 if (code != 0 || rlife == 0 || rlife > krb5_max_duration) {
624 __pam_log(LOG_AUTH | LOG_ERR,
625 "PAM-KRB5 (auth): Bad max_renewable_life "
626 " value '%s' in Kerberos config file",
627 renew_timeval);
628 result = PAM_SYSTEM_ERR;
629 goto out;
630 }
631 }
632 if (life_timeval) {
633 code = krb5_string_to_deltat(life_timeval, &lifetime);
634 if (code != 0 || lifetime == 0 ||
635 lifetime > krb5_max_duration) {
636 __pam_log(LOG_AUTH | LOG_ERR,
637 "lifetime value '%s' in Kerberos config file",
638 life_timeval);
639 result = PAM_SYSTEM_ERR;
640 goto out;
641 }
642 }
643 /* start timer when request gets to KDC */
644 my_creds->times.starttime = 0;
645 my_creds->times.endtime = now + lifetime;
646
647 if (options & KDC_OPT_RENEWABLE) {
648 my_creds->times.renew_till = now + rlife;
649 } else
650 my_creds->times.renew_till = 0;
651
652 code = krb5_get_init_creds_opt_alloc(kmd->kcontext, &opts);
653 if (code != 0) {
654 __pam_log(LOG_AUTH | LOG_ERR,
655 "Error allocating gic opts: %s",
656 error_message(code));
657 result = PAM_SYSTEM_ERR;
658 goto out;
659 }
660
661 krb5_get_init_creds_opt_set_tkt_life(opts, lifetime);
662
663 if (proxiable_flag) { /* Set in config file */
664 if (kmd->debug)
665 __pam_log(LOG_AUTH | LOG_DEBUG,
666 "PAM-KRB5 (auth): Proxiable tickets "
667 "requested");
668 krb5_get_init_creds_opt_set_proxiable(opts, TRUE);
669 }
670 if (forwardable_flag) {
671 if (kmd->debug)
672 __pam_log(LOG_AUTH | LOG_DEBUG,
673 "PAM-KRB5 (auth): Forwardable tickets "
674 "requested");
675 krb5_get_init_creds_opt_set_forwardable(opts, TRUE);
676 }
677 if (renewable_flag) {
678 if (kmd->debug)
679 __pam_log(LOG_AUTH | LOG_DEBUG,
680 "PAM-KRB5 (auth): Renewable tickets "
681 "requested");
682 krb5_get_init_creds_opt_set_renew_life(opts, rlife);
683 }
684 if (no_address_flag) {
685 if (kmd->debug)
686 __pam_log(LOG_AUTH | LOG_DEBUG,
687 "PAM-KRB5 (auth): Addressless tickets "
688 "requested");
689 krb5_get_init_creds_opt_set_address_list(opts, NULL);
690 }
691
692 /*
693 * mech_krb5 interprets empty passwords as NULL passwords and tries to
694 * read a password from stdin. Since we are in pam this is bad and
695 * should not be allowed.
696 *
697 * Note, the logic now is that if the preauth_type is PKINIT then
698 * provide a proper PAMcentric prompt function that the underlying
699 * PKINIT preauth plugin will use to prompt for the PIN.
700 */
701 if (kmd->preauth_type == KRB_PKINIT) {
702 /*
703 * Do PKINIT preauth
704 *
705 * Note: we want to limit preauth types to just those for PKINIT
706 * but krb5_get_init_creds() doesn't support that at this point.
707 * Instead we rely on pam_krb5_prompter() to limit prompts to
708 * non-password types. So all we can do here is set the preauth
709 * list so krb5_get_init_creds() will try that first.
710 */
711 krb5_preauthtype pk_pa_list[] = {
712 KRB5_PADATA_PK_AS_REQ,
713 KRB5_PADATA_PK_AS_REQ_OLD
714 };
715 krb5_get_init_creds_opt_set_preauth_list(opts, pk_pa_list, 2);
716
717 if (*krb5_pass == NULL || strlen(*krb5_pass) != 0) {
718 if (*krb5_pass != NULL) {
719 /* treat the krb5_pass as a PIN */
720 code = krb5_get_init_creds_opt_set_pa(
721 kmd->kcontext, opts, "PIN", *krb5_pass);
722 }
723
724 if (!code) {
725 code = __krb5_get_init_creds_password(
726 kmd->kcontext,
727 my_creds,
728 me,
729 NULL, /* clear text passwd */
730 pam_krb5_prompter, /* prompter */
731 pamh, /* prompter data */
732 0, /* start time */
733 NULL, /* defaults to krbtgt@REALM */
734 opts,
735 &as_reply);
736 }
737 } else {
738 /* invalid PIN */
739 code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
740 }
741 } else {
742 /*
743 * Do password based preauths
744 *
745 * See earlier PKINIT comment. We are doing something similar
746 * here but we do not pass in a prompter (we assume
747 * pam_authtok_get has already prompted for that).
748 */
749 if (*krb5_pass == NULL || strlen(*krb5_pass) == 0) {
750 code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
751 } else {
752 krb5_preauthtype pk_pa_list[] = {
753 KRB5_PADATA_ENC_TIMESTAMP
754 };
755
756 krb5_get_init_creds_opt_set_preauth_list(opts,
757 pk_pa_list, 1);
758
759 /*
760 * We call our own private version of gic_pwd, because
761 * we need more information, such as password/account
762 * expiration, that is found in the as_reply. The
763 * "prompter" interface is not granular enough for PAM
764 * to make use of.
765 */
766 code = __krb5_get_init_creds_password(kmd->kcontext,
767 my_creds,
768 me,
769 *krb5_pass, /* clear text passwd */
770 NULL, /* prompter */
771 NULL, /* data */
772 0, /* start time */
773 NULL, /* defaults to krbtgt@REALM */
774 opts,
775 &as_reply);
776 }
777 }
778
779 if (kmd->debug)
780 __pam_log(LOG_AUTH | LOG_DEBUG,
781 "PAM-KRB5 (auth): attempt_krb5_auth: "
782 "krb5_get_init_creds_password returns: %s",
783 code == 0 ? "SUCCESS" : error_message(code));
784
785 switch (code) {
786 case 0:
787 /* got a tgt, let's verify it */
788 if (verify_tik) {
789 krb5_verify_init_creds_opt vopts;
790
791 krb5_principal sp = NULL;
792 char kt_name[MAX_KEYTAB_NAME_LEN];
793 char *fqdn;
794
795 krb5_verify_init_creds_opt_init(&vopts);
796
797 code = krb5_verify_init_creds(kmd->kcontext,
798 my_creds,
799 NULL, /* defaults to host/localhost@REALM */
800 NULL,
801 NULL,
802 &vopts);
803
804 if (code) {
805 result = PAM_SYSTEM_ERR;
806
807 /*
808 * Give a better error message when the
809 * keytable entry isn't found or the keytab
810 * file cannot be found.
811 */
812 if (krb5_sname_to_principal(kmd->kcontext, NULL,
813 NULL, KRB5_NT_SRV_HST, &sp))
814 fqdn = "<fqdn>";
815 else
816 fqdn = sp->data[1].data;
817
818 if (krb5_kt_default_name(kmd->kcontext, kt_name,
819 sizeof (kt_name)))
820 (void) strlcpy(kt_name,
821 "default keytab",
822 sizeof (kt_name));
823
824 switch (code) {
825 case KRB5_KT_NOTFOUND:
826 __pam_log(LOG_AUTH | LOG_ERR,
827 "PAM-KRB5 (auth): "
828 "krb5_verify_init_creds failed:"
829 " Key table entry \"host/%s\""
830 " not found in %s",
831 fqdn, kt_name);
832 break;
833 case ENOENT:
834 __pam_log(LOG_AUTH | LOG_ERR,
835 "PAM-KRB5 (auth): "
836 "krb5_verify_init_creds failed:"
837 " Keytab file \"%s\""
838 " does not exist.\n",
839 kt_name);
840 break;
841 default:
842 __pam_log(LOG_AUTH | LOG_ERR,
843 "PAM-KRB5 (auth): "
844 "krb5_verify_init_creds failed:"
845 " %s",
846 error_message(code));
847 break;
848 }
849
850 if (sp)
851 krb5_free_principal(kmd->kcontext, sp);
852 }
853 }
854
855 if (code == 0)
856 kmd->expiration = as_reply->enc_part2->key_exp;
857
858 break;
859
860 case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
861 /*
862 * Since this principal is not part of the local
863 * Kerberos realm, we just return PAM_USER_UNKNOWN.
864 */
865 result = PAM_USER_UNKNOWN;
866
867 if (kmd->debug)
868 __pam_log(LOG_AUTH | LOG_DEBUG,
869 "PAM-KRB5 (auth): attempt_krb5_auth:"
870 " User is not part of the local Kerberos"
871 " realm: %s", error_message(code));
872 break;
873
874 case KRB5KDC_ERR_PREAUTH_FAILED:
875 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
876 /*
877 * We could be trying the password from a previous
878 * pam authentication module, but we don't want to
879 * generate an error if the unix password is different
880 * than the Kerberos password...
881 */
882 break;
883
884 case KRB5KDC_ERR_KEY_EXP:
885 if (!kmd->err_on_exp) {
886 /*
887 * Request a tik for changepw service and it will tell
888 * us if pw is good or not. If PKINIT is being done it
889 * is possible that *krb5_pass may be NULL so check for
890 * that. If that is the case this function will return
891 * an error.
892 */
893 if (*krb5_pass != NULL) {
894 code = krb5_verifypw(kuser, *krb5_pass,
895 kmd->debug);
896 if (kmd->debug) {
897 __pam_log(LOG_AUTH | LOG_DEBUG,
898 "PAM-KRB5 (auth): "
899 "attempt_krb5_auth: "
900 "verifypw %d", code);
901 }
902 if (code == 0) {
903 /*
904 * pw is good, set age status for
905 * acct_mgmt.
906 */
907 kmd->age_status = PAM_NEW_AUTHTOK_REQD;
908 }
909 }
910
911 }
912 break;
913
914 default:
915 result = PAM_SYSTEM_ERR;
916 if (kmd->debug)
917 __pam_log(LOG_AUTH | LOG_DEBUG,
918 "PAM-KRB5 (auth): error %d - %s",
919 code, error_message(code));
920 break;
921 }
922
923 if (code == 0) {
924 /*
925 * success for the entered pw or PKINIT succeeded.
926 *
927 * we can't rely on the pw in PAM_AUTHTOK
928 * to be the (correct) krb5 one so
929 * store krb5 pw in module data for
930 * use in acct_mgmt. Note that *krb5_pass may be NULL if we're
931 * doing PKINIT.
932 */
933 if (*krb5_pass != NULL &&
934 !(kmd->password = strdup(*krb5_pass))) {
935 __pam_log(LOG_AUTH | LOG_ERR,
936 "Cannot strdup password");
937 result = PAM_BUF_ERR;
938 goto out_err;
939 }
940
941 result = PAM_SUCCESS;
942 goto out;
943 }
944
945 out_err:
946 /* jump (or reach) here if error and cred cache has been init */
947
948 if (kmd->debug)
949 __pam_log(LOG_AUTH | LOG_DEBUG,
950 "PAM-KRB5 (auth): clearing initcreds in "
951 "pam_authenticate()");
952
953 krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
954 (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
955
956 out:
957 if (server)
958 krb5_free_principal(kmd->kcontext, server);
959 if (me)
960 krb5_free_principal(kmd->kcontext, me);
961 if (as_reply)
962 krb5_free_kdc_rep(kmd->kcontext, as_reply);
963
964 /*
965 * clientp or serverp could be NULL in certain error cases in this
966 * function. mycreds->[client|server] could also be NULL in case
967 * of error in this function, see out_err above. The pointers clientp
968 * and serverp reference the input argument in my_creds for
969 * get_init_creds and must be freed if the input argument does not
970 * match the output argument, which occurs during a successful call
971 * to get_init_creds.
972 */
973 if (clientp && my_creds->client && clientp != my_creds->client)
974 krb5_free_principal(kmd->kcontext, clientp);
975 if (serverp && my_creds->server && serverp != my_creds->server)
976 krb5_free_principal(kmd->kcontext, serverp);
977
978 if (kmd->kcontext) {
979 krb5_free_context(kmd->kcontext);
980 kmd->kcontext = NULL;
981 }
982 if (opts)
983 krb5_get_init_creds_opt_free(kmd->kcontext, opts);
984
985 if (kmd->debug)
986 __pam_log(LOG_AUTH | LOG_DEBUG,
987 "PAM-KRB5 (auth): attempt_krb5_auth returning %d",
988 result);
989
990 return (kmd->auth_status = result);
991 }
992
993 /*ARGSUSED*/
994 void
995 krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status)
996 {
997 krb5_module_data_t *kmd = (krb5_module_data_t *)data;
998
999 if (kmd == NULL)
1000 return;
1001
1002 if (kmd->debug) {
1003 __pam_log(LOG_AUTH | LOG_DEBUG,
1004 "PAM-KRB5 (auth): krb5_cleanup auth_status = %d",
1005 kmd->auth_status);
1006 }
1007
1008 /*
1009 * Apps could be calling pam_end here, so we should always clean
1010 * up regardless of success or failure here.
1011 */
1012 if (kmd->ccache)
1013 (void) krb5_cc_close(kmd->kcontext, kmd->ccache);
1014
1015 if (kmd->password) {
1016 (void) memset(kmd->password, 0, strlen(kmd->password));
1017 free(kmd->password);
1018 }
1019
1020 free(kmd->user);
1021
1022 free(kmd->env);
1023
1024 krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
1025 (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
1026
1027 free(kmd);
1028 }
Unleashed OS