Annotation of embedaddon/sudo/plugins/sudoers/auth/kerb5.c, revision 1.1.1.2
1.1 misho 1: /*
1.1.1.2 ! misho 2: * Copyright (c) 1999-2005, 2007-2008, 2010-2012
1.1 misho 3: * Todd C. Miller <Todd.Miller@courtesan.com>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
17: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19: *
20: * Sponsored in part by the Defense Advanced Research Projects
21: * Agency (DARPA) and Air Force Research Laboratory, Air Force
22: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23: */
24:
25: #include <config.h>
26:
27: #include <sys/types.h>
28: #include <sys/param.h>
29: #include <stdio.h>
30: #ifdef STDC_HEADERS
31: # include <stdlib.h>
32: # include <stddef.h>
33: #else
34: # ifdef HAVE_STDLIB_H
35: # include <stdlib.h>
36: # endif
37: #endif /* STDC_HEADERS */
38: #ifdef HAVE_STRING_H
39: # include <string.h>
40: #endif /* HAVE_STRING_H */
41: #ifdef HAVE_STRINGS_H
42: # include <strings.h>
43: #endif /* HAVE_STRING_H */
44: #ifdef HAVE_UNISTD_H
45: # include <unistd.h>
46: #endif /* HAVE_UNISTD_H */
47: #include <pwd.h>
48: #include <krb5.h>
49: #ifdef HAVE_HEIMDAL
50: #include <com_err.h>
51: #endif
52:
53: #include "sudoers.h"
54: #include "sudo_auth.h"
55:
56: #ifdef HAVE_HEIMDAL
57: # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
58: # define krb5_free_data_contents(c, d) krb5_data_free(d)
59: #else
60: # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
61: #endif
62:
63: #ifndef HAVE_KRB5_VERIFY_USER
64: static int verify_krb_v5_tgt(krb5_context, krb5_creds *, char *);
65: #endif
66: static struct _sudo_krb5_data {
67: krb5_context sudo_context;
68: krb5_principal princ;
69: krb5_ccache ccache;
70: } sudo_krb5_data = { NULL, NULL, NULL };
71: typedef struct _sudo_krb5_data *sudo_krb5_datap;
72:
1.1.1.2 ! misho 73: #ifdef SUDO_KRB5_INSTANCE
! 74: static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
! 75: #else
! 76: static const char *sudo_krb5_instance = NULL;
! 77: #endif
! 78:
1.1 misho 79: #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
80: static krb5_error_code
81: krb5_get_init_creds_opt_alloc(krb5_context context,
82: krb5_get_init_creds_opt **opts)
83: {
84: *opts = emalloc(sizeof(krb5_get_init_creds_opt));
85: krb5_get_init_creds_opt_init(*opts);
86: return 0;
87: }
88:
89: static void
90: krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
91: {
92: free(opts);
93: }
94: #endif
95:
96: int
1.1.1.2 ! misho 97: sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
1.1 misho 98: {
99: static char *krb5_prompt;
1.1.1.2 ! misho 100: debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
1.1 misho 101:
102: if (krb5_prompt == NULL) {
103: krb5_context sudo_context;
104: krb5_principal princ;
105: char *pname;
106: krb5_error_code error;
107:
108: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
109: princ = ((sudo_krb5_datap) auth->data)->princ;
110:
111: /*
112: * Really, we need to tell the caller not to prompt for password. The
113: * API does not currently provide this unless the auth is standalone.
114: */
115: if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
1.1.1.2 ! misho 116: log_error(NO_MAIL,
1.1 misho 117: _("%s: unable to unparse princ ('%s'): %s"), auth->name,
118: pw->pw_name, error_message(error));
1.1.1.2 ! misho 119: debug_return_int(AUTH_FAILURE);
1.1 misho 120: }
121:
122: /* Only rewrite prompt if user didn't specify their own. */
123: /*if (!strcmp(prompt, PASSPROMPT)) { */
124: easprintf(&krb5_prompt, "Password for %s: ", pname);
125: /*}*/
126: free(pname);
127: }
128: *promptp = krb5_prompt;
129:
1.1.1.2 ! misho 130: debug_return_int(AUTH_SUCCESS);
1.1 misho 131: }
132:
133: int
1.1.1.2 ! misho 134: sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
1.1 misho 135: {
136: krb5_context sudo_context;
137: krb5_error_code error;
1.1.1.2 ! misho 138: char cache_name[64], *pname = pw->pw_name;
! 139: debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
1.1 misho 140:
141: auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
142:
1.1.1.2 ! misho 143: if (sudo_krb5_instance != NULL) {
! 144: easprintf(&pname, "%s%s%s", pw->pw_name,
! 145: sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
! 146: }
! 147:
1.1 misho 148: #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
149: error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
150: #else
151: error = krb5_init_context(&(sudo_krb5_data.sudo_context));
152: #endif
153: if (error)
1.1.1.2 ! misho 154: goto done;
1.1 misho 155: sudo_context = sudo_krb5_data.sudo_context;
156:
1.1.1.2 ! misho 157: error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
! 158: if (error) {
! 159: log_error(NO_MAIL,
! 160: _("%s: unable to parse '%s': %s"), auth->name, pname,
1.1 misho 161: error_message(error));
1.1.1.2 ! misho 162: goto done;
1.1 misho 163: }
164:
165: (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
166: (long) getpid());
167: if ((error = krb5_cc_resolve(sudo_context, cache_name,
168: &(sudo_krb5_data.ccache)))) {
1.1.1.2 ! misho 169: log_error(NO_MAIL,
1.1 misho 170: _("%s: unable to resolve ccache: %s"), auth->name,
171: error_message(error));
1.1.1.2 ! misho 172: goto done;
1.1 misho 173: }
174:
1.1.1.2 ! misho 175: done:
! 176: if (sudo_krb5_instance != NULL)
! 177: efree(pname);
! 178: debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
1.1 misho 179: }
180:
181: #ifdef HAVE_KRB5_VERIFY_USER
182: int
1.1.1.2 ! misho 183: sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
1.1 misho 184: {
185: krb5_context sudo_context;
186: krb5_principal princ;
187: krb5_ccache ccache;
188: krb5_error_code error;
1.1.1.2 ! misho 189: debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
1.1 misho 190:
191: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
192: princ = ((sudo_krb5_datap) auth->data)->princ;
193: ccache = ((sudo_krb5_datap) auth->data)->ccache;
194:
195: error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
1.1.1.2 ! misho 196: debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
1.1 misho 197: }
198: #else
199: int
1.1.1.2 ! misho 200: sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
1.1 misho 201: {
202: krb5_context sudo_context;
203: krb5_principal princ;
204: krb5_creds credbuf, *creds = NULL;
205: krb5_ccache ccache;
206: krb5_error_code error;
207: krb5_get_init_creds_opt *opts = NULL;
1.1.1.2 ! misho 208: debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
1.1 misho 209:
210: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
211: princ = ((sudo_krb5_datap) auth->data)->princ;
212: ccache = ((sudo_krb5_datap) auth->data)->ccache;
213:
214: /* Set default flags based on the local config file. */
215: error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
216: if (error) {
1.1.1.2 ! misho 217: log_error(NO_MAIL,
1.1 misho 218: _("%s: unable to allocate options: %s"), auth->name,
219: error_message(error));
220: goto done;
221: }
222: #ifdef HAVE_HEIMDAL
223: krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
224: krb5_principal_get_realm(sudo_context, princ), opts);
225: #endif
226:
227: /* Note that we always obtain a new TGT to verify the user */
228: if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
229: pass, krb5_prompter_posix,
230: NULL, 0, NULL, opts))) {
231: /* Don't print error if just a bad password */
232: if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
1.1.1.2 ! misho 233: log_error(NO_MAIL,
1.1 misho 234: _("%s: unable to get credentials: %s"), auth->name,
235: error_message(error));
236: goto done;
237: }
238: creds = &credbuf;
239:
240: /* Verify the TGT to prevent spoof attacks. */
241: if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
242: goto done;
243:
244: /* Store cred in cred cache. */
245: if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
1.1.1.2 ! misho 246: log_error(NO_MAIL,
1.1 misho 247: _("%s: unable to initialize ccache: %s"), auth->name,
248: error_message(error));
249: } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
1.1.1.2 ! misho 250: log_error(NO_MAIL,
1.1 misho 251: _("%s: unable to store cred in ccache: %s"), auth->name,
252: error_message(error));
253: }
254:
255: done:
256: if (opts) {
257: #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
258: krb5_get_init_creds_opt_free(sudo_context, opts);
259: #else
260: krb5_get_init_creds_opt_free(opts);
261: #endif
262: }
263: if (creds)
264: krb5_free_cred_contents(sudo_context, creds);
1.1.1.2 ! misho 265: debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
1.1 misho 266: }
267: #endif
268:
269: int
1.1.1.2 ! misho 270: sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth)
1.1 misho 271: {
272: krb5_context sudo_context;
273: krb5_principal princ;
274: krb5_ccache ccache;
1.1.1.2 ! misho 275: debug_decl(sudo_krb5_cleanup, SUDO_DEBUG_AUTH)
1.1 misho 276:
277: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
278: princ = ((sudo_krb5_datap) auth->data)->princ;
279: ccache = ((sudo_krb5_datap) auth->data)->ccache;
280:
281: if (sudo_context) {
282: if (ccache)
283: krb5_cc_destroy(sudo_context, ccache);
284: if (princ)
285: krb5_free_principal(sudo_context, princ);
286: krb5_free_context(sudo_context);
287: }
288:
1.1.1.2 ! misho 289: debug_return_int(AUTH_SUCCESS);
1.1 misho 290: }
291:
292: #ifndef HAVE_KRB5_VERIFY_USER
293: /*
294: * Verify the Kerberos ticket-granting ticket just retrieved for the
295: * user. If the Kerberos server doesn't respond, assume the user is
296: * trying to fake us out (since we DID just get a TGT from what is
297: * supposedly our KDC).
298: *
299: * Returns 0 for successful authentication, non-zero for failure.
300: */
301: static int
302: verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
303: {
304: krb5_error_code error;
305: krb5_principal server;
306: krb5_verify_init_creds_opt vopt;
1.1.1.2 ! misho 307: debug_decl(verify_krb_v5_tgt, SUDO_DEBUG_AUTH)
1.1 misho 308:
309: /*
310: * Get the server principal for the local host.
311: * (Use defaults of "host" and canonicalized local name.)
312: */
313: if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
314: KRB5_NT_SRV_HST, &server))) {
1.1.1.2 ! misho 315: log_error(NO_MAIL,
1.1 misho 316: _("%s: unable to get host principal: %s"), auth_name,
317: error_message(error));
1.1.1.2 ! misho 318: debug_return_int(-1);
1.1 misho 319: }
320:
321: /* Initialize verify opts and set secure mode */
322: krb5_verify_init_creds_opt_init(&vopt);
323: krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
324:
325: /* verify the Kerberos ticket-granting ticket we just retrieved */
326: error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
327: NULL, &vopt);
328: krb5_free_principal(sudo_context, server);
329: if (error)
1.1.1.2 ! misho 330: log_error(NO_MAIL,
1.1 misho 331: _("%s: Cannot verify TGT! Possible attack!: %s"),
332: auth_name, error_message(error));
1.1.1.2 ! misho 333: debug_return_int(error);
1.1 misho 334: }
335: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>