Annotation of embedaddon/sudo/plugins/sudoers/auth/kerb5.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (c) 1999-2005, 2007-2008, 2010-2011
! 3: * Todd C. Miller <Todd.Miller@courtesan.com>
! 4: *
! 5: * Permission to use, copy, modify, and distribute this software for any
! 6: * purpose with or without fee is hereby granted, provided that the above
! 7: * copyright notice and this permission notice appear in all copies.
! 8: *
! 9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 16: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
! 17: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
! 18: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 19: *
! 20: * Sponsored in part by the Defense Advanced Research Projects
! 21: * Agency (DARPA) and Air Force Research Laboratory, Air Force
! 22: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
! 23: */
! 24:
! 25: #include <config.h>
! 26:
! 27: #include <sys/types.h>
! 28: #include <sys/param.h>
! 29: #include <stdio.h>
! 30: #ifdef STDC_HEADERS
! 31: # include <stdlib.h>
! 32: # include <stddef.h>
! 33: #else
! 34: # ifdef HAVE_STDLIB_H
! 35: # include <stdlib.h>
! 36: # endif
! 37: #endif /* STDC_HEADERS */
! 38: #ifdef HAVE_STRING_H
! 39: # include <string.h>
! 40: #endif /* HAVE_STRING_H */
! 41: #ifdef HAVE_STRINGS_H
! 42: # include <strings.h>
! 43: #endif /* HAVE_STRING_H */
! 44: #ifdef HAVE_UNISTD_H
! 45: # include <unistd.h>
! 46: #endif /* HAVE_UNISTD_H */
! 47: #include <pwd.h>
! 48: #include <krb5.h>
! 49: #ifdef HAVE_HEIMDAL
! 50: #include <com_err.h>
! 51: #endif
! 52:
! 53: #include "sudoers.h"
! 54: #include "sudo_auth.h"
! 55:
! 56: #ifdef HAVE_HEIMDAL
! 57: # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
! 58: # define krb5_free_data_contents(c, d) krb5_data_free(d)
! 59: #else
! 60: # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
! 61: #endif
! 62:
! 63: #ifndef HAVE_KRB5_VERIFY_USER
! 64: static int verify_krb_v5_tgt(krb5_context, krb5_creds *, char *);
! 65: #endif
! 66: static struct _sudo_krb5_data {
! 67: krb5_context sudo_context;
! 68: krb5_principal princ;
! 69: krb5_ccache ccache;
! 70: } sudo_krb5_data = { NULL, NULL, NULL };
! 71: typedef struct _sudo_krb5_data *sudo_krb5_datap;
! 72:
! 73: #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
! 74: static krb5_error_code
! 75: krb5_get_init_creds_opt_alloc(krb5_context context,
! 76: krb5_get_init_creds_opt **opts)
! 77: {
! 78: *opts = emalloc(sizeof(krb5_get_init_creds_opt));
! 79: krb5_get_init_creds_opt_init(*opts);
! 80: return 0;
! 81: }
! 82:
! 83: static void
! 84: krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
! 85: {
! 86: free(opts);
! 87: }
! 88: #endif
! 89:
! 90: int
! 91: kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
! 92: {
! 93: static char *krb5_prompt;
! 94:
! 95: if (krb5_prompt == NULL) {
! 96: krb5_context sudo_context;
! 97: krb5_principal princ;
! 98: char *pname;
! 99: krb5_error_code error;
! 100:
! 101: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
! 102: princ = ((sudo_krb5_datap) auth->data)->princ;
! 103:
! 104: /*
! 105: * Really, we need to tell the caller not to prompt for password. The
! 106: * API does not currently provide this unless the auth is standalone.
! 107: */
! 108: if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
! 109: log_error(NO_EXIT|NO_MAIL,
! 110: _("%s: unable to unparse princ ('%s'): %s"), auth->name,
! 111: pw->pw_name, error_message(error));
! 112: return AUTH_FAILURE;
! 113: }
! 114:
! 115: /* Only rewrite prompt if user didn't specify their own. */
! 116: /*if (!strcmp(prompt, PASSPROMPT)) { */
! 117: easprintf(&krb5_prompt, "Password for %s: ", pname);
! 118: /*}*/
! 119: free(pname);
! 120: }
! 121: *promptp = krb5_prompt;
! 122:
! 123: return AUTH_SUCCESS;
! 124: }
! 125:
! 126: int
! 127: kerb5_init(struct passwd *pw, sudo_auth *auth)
! 128: {
! 129: krb5_context sudo_context;
! 130: krb5_ccache ccache;
! 131: krb5_principal princ;
! 132: krb5_error_code error;
! 133: char cache_name[64];
! 134:
! 135: auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
! 136:
! 137: #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
! 138: error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
! 139: #else
! 140: error = krb5_init_context(&(sudo_krb5_data.sudo_context));
! 141: #endif
! 142: if (error)
! 143: return AUTH_FAILURE;
! 144: sudo_context = sudo_krb5_data.sudo_context;
! 145:
! 146: if ((error = krb5_parse_name(sudo_context, pw->pw_name,
! 147: &(sudo_krb5_data.princ)))) {
! 148: log_error(NO_EXIT|NO_MAIL,
! 149: _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
! 150: error_message(error));
! 151: return AUTH_FAILURE;
! 152: }
! 153: princ = sudo_krb5_data.princ;
! 154:
! 155: (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
! 156: (long) getpid());
! 157: if ((error = krb5_cc_resolve(sudo_context, cache_name,
! 158: &(sudo_krb5_data.ccache)))) {
! 159: log_error(NO_EXIT|NO_MAIL,
! 160: _("%s: unable to resolve ccache: %s"), auth->name,
! 161: error_message(error));
! 162: return AUTH_FAILURE;
! 163: }
! 164: ccache = sudo_krb5_data.ccache;
! 165:
! 166: return AUTH_SUCCESS;
! 167: }
! 168:
! 169: #ifdef HAVE_KRB5_VERIFY_USER
! 170: int
! 171: kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
! 172: {
! 173: krb5_context sudo_context;
! 174: krb5_principal princ;
! 175: krb5_ccache ccache;
! 176: krb5_error_code error;
! 177:
! 178: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
! 179: princ = ((sudo_krb5_datap) auth->data)->princ;
! 180: ccache = ((sudo_krb5_datap) auth->data)->ccache;
! 181:
! 182: error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
! 183: return error ? AUTH_FAILURE : AUTH_SUCCESS;
! 184: }
! 185: #else
! 186: int
! 187: kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
! 188: {
! 189: krb5_context sudo_context;
! 190: krb5_principal princ;
! 191: krb5_creds credbuf, *creds = NULL;
! 192: krb5_ccache ccache;
! 193: krb5_error_code error;
! 194: krb5_get_init_creds_opt *opts = NULL;
! 195:
! 196: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
! 197: princ = ((sudo_krb5_datap) auth->data)->princ;
! 198: ccache = ((sudo_krb5_datap) auth->data)->ccache;
! 199:
! 200: /* Set default flags based on the local config file. */
! 201: error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
! 202: if (error) {
! 203: log_error(NO_EXIT|NO_MAIL,
! 204: _("%s: unable to allocate options: %s"), auth->name,
! 205: error_message(error));
! 206: goto done;
! 207: }
! 208: #ifdef HAVE_HEIMDAL
! 209: krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
! 210: krb5_principal_get_realm(sudo_context, princ), opts);
! 211: #endif
! 212:
! 213: /* Note that we always obtain a new TGT to verify the user */
! 214: if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
! 215: pass, krb5_prompter_posix,
! 216: NULL, 0, NULL, opts))) {
! 217: /* Don't print error if just a bad password */
! 218: if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
! 219: log_error(NO_EXIT|NO_MAIL,
! 220: _("%s: unable to get credentials: %s"), auth->name,
! 221: error_message(error));
! 222: goto done;
! 223: }
! 224: creds = &credbuf;
! 225:
! 226: /* Verify the TGT to prevent spoof attacks. */
! 227: if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
! 228: goto done;
! 229:
! 230: /* Store cred in cred cache. */
! 231: if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
! 232: log_error(NO_EXIT|NO_MAIL,
! 233: _("%s: unable to initialize ccache: %s"), auth->name,
! 234: error_message(error));
! 235: } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
! 236: log_error(NO_EXIT|NO_MAIL,
! 237: _("%s: unable to store cred in ccache: %s"), auth->name,
! 238: error_message(error));
! 239: }
! 240:
! 241: done:
! 242: if (opts) {
! 243: #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
! 244: krb5_get_init_creds_opt_free(sudo_context, opts);
! 245: #else
! 246: krb5_get_init_creds_opt_free(opts);
! 247: #endif
! 248: }
! 249: if (creds)
! 250: krb5_free_cred_contents(sudo_context, creds);
! 251: return error ? AUTH_FAILURE : AUTH_SUCCESS;
! 252: }
! 253: #endif
! 254:
! 255: int
! 256: kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
! 257: {
! 258: krb5_context sudo_context;
! 259: krb5_principal princ;
! 260: krb5_ccache ccache;
! 261:
! 262: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
! 263: princ = ((sudo_krb5_datap) auth->data)->princ;
! 264: ccache = ((sudo_krb5_datap) auth->data)->ccache;
! 265:
! 266: if (sudo_context) {
! 267: if (ccache)
! 268: krb5_cc_destroy(sudo_context, ccache);
! 269: if (princ)
! 270: krb5_free_principal(sudo_context, princ);
! 271: krb5_free_context(sudo_context);
! 272: }
! 273:
! 274: return AUTH_SUCCESS;
! 275: }
! 276:
! 277: #ifndef HAVE_KRB5_VERIFY_USER
! 278: /*
! 279: * Verify the Kerberos ticket-granting ticket just retrieved for the
! 280: * user. If the Kerberos server doesn't respond, assume the user is
! 281: * trying to fake us out (since we DID just get a TGT from what is
! 282: * supposedly our KDC).
! 283: *
! 284: * Returns 0 for successful authentication, non-zero for failure.
! 285: */
! 286: static int
! 287: verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
! 288: {
! 289: krb5_error_code error;
! 290: krb5_principal server;
! 291: krb5_verify_init_creds_opt vopt;
! 292:
! 293: /*
! 294: * Get the server principal for the local host.
! 295: * (Use defaults of "host" and canonicalized local name.)
! 296: */
! 297: if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
! 298: KRB5_NT_SRV_HST, &server))) {
! 299: log_error(NO_EXIT|NO_MAIL,
! 300: _("%s: unable to get host principal: %s"), auth_name,
! 301: error_message(error));
! 302: return -1;
! 303: }
! 304:
! 305: /* Initialize verify opts and set secure mode */
! 306: krb5_verify_init_creds_opt_init(&vopt);
! 307: krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
! 308:
! 309: /* verify the Kerberos ticket-granting ticket we just retrieved */
! 310: error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
! 311: NULL, &vopt);
! 312: krb5_free_principal(sudo_context, server);
! 313: if (error)
! 314: log_error(NO_EXIT|NO_MAIL,
! 315: _("%s: Cannot verify TGT! Possible attack!: %s"),
! 316: auth_name, error_message(error));
! 317: return error;
! 318: }
! 319: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>