Annotation of embedaddon/sudo/plugins/sudoers/auth/kerb5.c, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (c) 1999-2005, 2007-2008, 2010-2011
3: * Todd C. Miller <Todd.Miller@courtesan.com>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
17: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19: *
20: * Sponsored in part by the Defense Advanced Research Projects
21: * Agency (DARPA) and Air Force Research Laboratory, Air Force
22: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23: */
24:
25: #include <config.h>
26:
27: #include <sys/types.h>
28: #include <sys/param.h>
29: #include <stdio.h>
30: #ifdef STDC_HEADERS
31: # include <stdlib.h>
32: # include <stddef.h>
33: #else
34: # ifdef HAVE_STDLIB_H
35: # include <stdlib.h>
36: # endif
37: #endif /* STDC_HEADERS */
38: #ifdef HAVE_STRING_H
39: # include <string.h>
40: #endif /* HAVE_STRING_H */
41: #ifdef HAVE_STRINGS_H
42: # include <strings.h>
43: #endif /* HAVE_STRING_H */
44: #ifdef HAVE_UNISTD_H
45: # include <unistd.h>
46: #endif /* HAVE_UNISTD_H */
47: #include <pwd.h>
48: #include <krb5.h>
49: #ifdef HAVE_HEIMDAL
50: #include <com_err.h>
51: #endif
52:
53: #include "sudoers.h"
54: #include "sudo_auth.h"
55:
56: #ifdef HAVE_HEIMDAL
57: # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
58: # define krb5_free_data_contents(c, d) krb5_data_free(d)
59: #else
60: # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
61: #endif
62:
63: #ifndef HAVE_KRB5_VERIFY_USER
64: static int verify_krb_v5_tgt(krb5_context, krb5_creds *, char *);
65: #endif
66: static struct _sudo_krb5_data {
67: krb5_context sudo_context;
68: krb5_principal princ;
69: krb5_ccache ccache;
70: } sudo_krb5_data = { NULL, NULL, NULL };
71: typedef struct _sudo_krb5_data *sudo_krb5_datap;
72:
73: #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
74: static krb5_error_code
75: krb5_get_init_creds_opt_alloc(krb5_context context,
76: krb5_get_init_creds_opt **opts)
77: {
78: *opts = emalloc(sizeof(krb5_get_init_creds_opt));
79: krb5_get_init_creds_opt_init(*opts);
80: return 0;
81: }
82:
83: static void
84: krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
85: {
86: free(opts);
87: }
88: #endif
89:
90: int
91: kerb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
92: {
93: static char *krb5_prompt;
94:
95: if (krb5_prompt == NULL) {
96: krb5_context sudo_context;
97: krb5_principal princ;
98: char *pname;
99: krb5_error_code error;
100:
101: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
102: princ = ((sudo_krb5_datap) auth->data)->princ;
103:
104: /*
105: * Really, we need to tell the caller not to prompt for password. The
106: * API does not currently provide this unless the auth is standalone.
107: */
108: if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
109: log_error(NO_EXIT|NO_MAIL,
110: _("%s: unable to unparse princ ('%s'): %s"), auth->name,
111: pw->pw_name, error_message(error));
112: return AUTH_FAILURE;
113: }
114:
115: /* Only rewrite prompt if user didn't specify their own. */
116: /*if (!strcmp(prompt, PASSPROMPT)) { */
117: easprintf(&krb5_prompt, "Password for %s: ", pname);
118: /*}*/
119: free(pname);
120: }
121: *promptp = krb5_prompt;
122:
123: return AUTH_SUCCESS;
124: }
125:
126: int
127: kerb5_init(struct passwd *pw, sudo_auth *auth)
128: {
129: krb5_context sudo_context;
130: krb5_ccache ccache;
131: krb5_principal princ;
132: krb5_error_code error;
133: char cache_name[64];
134:
135: auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
136:
137: #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
138: error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
139: #else
140: error = krb5_init_context(&(sudo_krb5_data.sudo_context));
141: #endif
142: if (error)
143: return AUTH_FAILURE;
144: sudo_context = sudo_krb5_data.sudo_context;
145:
146: if ((error = krb5_parse_name(sudo_context, pw->pw_name,
147: &(sudo_krb5_data.princ)))) {
148: log_error(NO_EXIT|NO_MAIL,
149: _("%s: unable to parse '%s': %s"), auth->name, pw->pw_name,
150: error_message(error));
151: return AUTH_FAILURE;
152: }
153: princ = sudo_krb5_data.princ;
154:
155: (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
156: (long) getpid());
157: if ((error = krb5_cc_resolve(sudo_context, cache_name,
158: &(sudo_krb5_data.ccache)))) {
159: log_error(NO_EXIT|NO_MAIL,
160: _("%s: unable to resolve ccache: %s"), auth->name,
161: error_message(error));
162: return AUTH_FAILURE;
163: }
164: ccache = sudo_krb5_data.ccache;
165:
166: return AUTH_SUCCESS;
167: }
168:
169: #ifdef HAVE_KRB5_VERIFY_USER
170: int
171: kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
172: {
173: krb5_context sudo_context;
174: krb5_principal princ;
175: krb5_ccache ccache;
176: krb5_error_code error;
177:
178: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
179: princ = ((sudo_krb5_datap) auth->data)->princ;
180: ccache = ((sudo_krb5_datap) auth->data)->ccache;
181:
182: error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
183: return error ? AUTH_FAILURE : AUTH_SUCCESS;
184: }
185: #else
186: int
187: kerb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
188: {
189: krb5_context sudo_context;
190: krb5_principal princ;
191: krb5_creds credbuf, *creds = NULL;
192: krb5_ccache ccache;
193: krb5_error_code error;
194: krb5_get_init_creds_opt *opts = NULL;
195:
196: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
197: princ = ((sudo_krb5_datap) auth->data)->princ;
198: ccache = ((sudo_krb5_datap) auth->data)->ccache;
199:
200: /* Set default flags based on the local config file. */
201: error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
202: if (error) {
203: log_error(NO_EXIT|NO_MAIL,
204: _("%s: unable to allocate options: %s"), auth->name,
205: error_message(error));
206: goto done;
207: }
208: #ifdef HAVE_HEIMDAL
209: krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
210: krb5_principal_get_realm(sudo_context, princ), opts);
211: #endif
212:
213: /* Note that we always obtain a new TGT to verify the user */
214: if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
215: pass, krb5_prompter_posix,
216: NULL, 0, NULL, opts))) {
217: /* Don't print error if just a bad password */
218: if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
219: log_error(NO_EXIT|NO_MAIL,
220: _("%s: unable to get credentials: %s"), auth->name,
221: error_message(error));
222: goto done;
223: }
224: creds = &credbuf;
225:
226: /* Verify the TGT to prevent spoof attacks. */
227: if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
228: goto done;
229:
230: /* Store cred in cred cache. */
231: if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
232: log_error(NO_EXIT|NO_MAIL,
233: _("%s: unable to initialize ccache: %s"), auth->name,
234: error_message(error));
235: } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
236: log_error(NO_EXIT|NO_MAIL,
237: _("%s: unable to store cred in ccache: %s"), auth->name,
238: error_message(error));
239: }
240:
241: done:
242: if (opts) {
243: #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
244: krb5_get_init_creds_opt_free(sudo_context, opts);
245: #else
246: krb5_get_init_creds_opt_free(opts);
247: #endif
248: }
249: if (creds)
250: krb5_free_cred_contents(sudo_context, creds);
251: return error ? AUTH_FAILURE : AUTH_SUCCESS;
252: }
253: #endif
254:
255: int
256: kerb5_cleanup(struct passwd *pw, sudo_auth *auth)
257: {
258: krb5_context sudo_context;
259: krb5_principal princ;
260: krb5_ccache ccache;
261:
262: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
263: princ = ((sudo_krb5_datap) auth->data)->princ;
264: ccache = ((sudo_krb5_datap) auth->data)->ccache;
265:
266: if (sudo_context) {
267: if (ccache)
268: krb5_cc_destroy(sudo_context, ccache);
269: if (princ)
270: krb5_free_principal(sudo_context, princ);
271: krb5_free_context(sudo_context);
272: }
273:
274: return AUTH_SUCCESS;
275: }
276:
277: #ifndef HAVE_KRB5_VERIFY_USER
278: /*
279: * Verify the Kerberos ticket-granting ticket just retrieved for the
280: * user. If the Kerberos server doesn't respond, assume the user is
281: * trying to fake us out (since we DID just get a TGT from what is
282: * supposedly our KDC).
283: *
284: * Returns 0 for successful authentication, non-zero for failure.
285: */
286: static int
287: verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
288: {
289: krb5_error_code error;
290: krb5_principal server;
291: krb5_verify_init_creds_opt vopt;
292:
293: /*
294: * Get the server principal for the local host.
295: * (Use defaults of "host" and canonicalized local name.)
296: */
297: if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
298: KRB5_NT_SRV_HST, &server))) {
299: log_error(NO_EXIT|NO_MAIL,
300: _("%s: unable to get host principal: %s"), auth_name,
301: error_message(error));
302: return -1;
303: }
304:
305: /* Initialize verify opts and set secure mode */
306: krb5_verify_init_creds_opt_init(&vopt);
307: krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
308:
309: /* verify the Kerberos ticket-granting ticket we just retrieved */
310: error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
311: NULL, &vopt);
312: krb5_free_principal(sudo_context, server);
313: if (error)
314: log_error(NO_EXIT|NO_MAIL,
315: _("%s: Cannot verify TGT! Possible attack!: %s"),
316: auth_name, error_message(error));
317: return error;
318: }
319: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>