Annotation of embedaddon/sudo/plugins/sudoers/auth/kerb5.c, revision 1.1.1.3
1.1 misho 1: /*
1.1.1.3 ! misho 2: * Copyright (c) 1999-2005, 2007-2008, 2010-2013
1.1 misho 3: * Todd C. Miller <Todd.Miller@courtesan.com>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
17: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19: *
20: * Sponsored in part by the Defense Advanced Research Projects
21: * Agency (DARPA) and Air Force Research Laboratory, Air Force
22: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23: */
24:
25: #include <config.h>
26:
27: #include <sys/types.h>
28: #include <stdio.h>
29: #ifdef STDC_HEADERS
30: # include <stdlib.h>
31: # include <stddef.h>
32: #else
33: # ifdef HAVE_STDLIB_H
34: # include <stdlib.h>
35: # endif
36: #endif /* STDC_HEADERS */
37: #ifdef HAVE_STRING_H
38: # include <string.h>
39: #endif /* HAVE_STRING_H */
40: #ifdef HAVE_STRINGS_H
41: # include <strings.h>
42: #endif /* HAVE_STRING_H */
43: #ifdef HAVE_UNISTD_H
44: # include <unistd.h>
45: #endif /* HAVE_UNISTD_H */
46: #include <pwd.h>
47: #include <krb5.h>
48: #ifdef HAVE_HEIMDAL
49: #include <com_err.h>
50: #endif
51:
52: #include "sudoers.h"
53: #include "sudo_auth.h"
54:
55: #ifdef HAVE_HEIMDAL
56: # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
57: # define krb5_free_data_contents(c, d) krb5_data_free(d)
58: #else
59: # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
60: #endif
61:
62: #ifndef HAVE_KRB5_VERIFY_USER
63: static int verify_krb_v5_tgt(krb5_context, krb5_creds *, char *);
64: #endif
65: static struct _sudo_krb5_data {
66: krb5_context sudo_context;
67: krb5_principal princ;
68: krb5_ccache ccache;
69: } sudo_krb5_data = { NULL, NULL, NULL };
70: typedef struct _sudo_krb5_data *sudo_krb5_datap;
71:
1.1.1.2 misho 72: #ifdef SUDO_KRB5_INSTANCE
73: static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
74: #else
75: static const char *sudo_krb5_instance = NULL;
76: #endif
77:
1.1 misho 78: #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
79: static krb5_error_code
80: krb5_get_init_creds_opt_alloc(krb5_context context,
81: krb5_get_init_creds_opt **opts)
82: {
83: *opts = emalloc(sizeof(krb5_get_init_creds_opt));
84: krb5_get_init_creds_opt_init(*opts);
85: return 0;
86: }
87:
88: static void
89: krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
90: {
91: free(opts);
92: }
93: #endif
94:
95: int
1.1.1.2 misho 96: sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
1.1 misho 97: {
98: static char *krb5_prompt;
1.1.1.2 misho 99: debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
1.1 misho 100:
101: if (krb5_prompt == NULL) {
102: krb5_context sudo_context;
103: krb5_principal princ;
104: char *pname;
105: krb5_error_code error;
106:
107: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
108: princ = ((sudo_krb5_datap) auth->data)->princ;
109:
110: /*
111: * Really, we need to tell the caller not to prompt for password. The
112: * API does not currently provide this unless the auth is standalone.
113: */
114: if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
1.1.1.3 ! misho 115: log_warning(NO_MAIL,
! 116: N_("%s: unable to convert principal to string ('%s'): %s"),
! 117: auth->name, pw->pw_name, error_message(error));
1.1.1.2 misho 118: debug_return_int(AUTH_FAILURE);
1.1 misho 119: }
120:
121: /* Only rewrite prompt if user didn't specify their own. */
122: /*if (!strcmp(prompt, PASSPROMPT)) { */
123: easprintf(&krb5_prompt, "Password for %s: ", pname);
124: /*}*/
125: free(pname);
126: }
127: *promptp = krb5_prompt;
128:
1.1.1.2 misho 129: debug_return_int(AUTH_SUCCESS);
1.1 misho 130: }
131:
132: int
1.1.1.2 misho 133: sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
1.1 misho 134: {
135: krb5_context sudo_context;
136: krb5_error_code error;
1.1.1.2 misho 137: char cache_name[64], *pname = pw->pw_name;
138: debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
1.1 misho 139:
140: auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
141:
1.1.1.2 misho 142: if (sudo_krb5_instance != NULL) {
143: easprintf(&pname, "%s%s%s", pw->pw_name,
144: sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
145: }
146:
1.1 misho 147: #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
148: error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
149: #else
150: error = krb5_init_context(&(sudo_krb5_data.sudo_context));
151: #endif
152: if (error)
1.1.1.2 misho 153: goto done;
1.1 misho 154: sudo_context = sudo_krb5_data.sudo_context;
155:
1.1.1.2 misho 156: error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
157: if (error) {
1.1.1.3 ! misho 158: log_warning(NO_MAIL,
! 159: N_("%s: unable to parse '%s': %s"), auth->name, pname,
1.1 misho 160: error_message(error));
1.1.1.2 misho 161: goto done;
1.1 misho 162: }
163:
164: (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
165: (long) getpid());
166: if ((error = krb5_cc_resolve(sudo_context, cache_name,
167: &(sudo_krb5_data.ccache)))) {
1.1.1.3 ! misho 168: log_warning(NO_MAIL,
! 169: N_("%s: unable to resolve credential cache: %s"), auth->name,
1.1 misho 170: error_message(error));
1.1.1.2 misho 171: goto done;
1.1 misho 172: }
173:
1.1.1.2 misho 174: done:
175: if (sudo_krb5_instance != NULL)
176: efree(pname);
177: debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
1.1 misho 178: }
179:
180: #ifdef HAVE_KRB5_VERIFY_USER
181: int
1.1.1.2 misho 182: sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
1.1 misho 183: {
184: krb5_context sudo_context;
185: krb5_principal princ;
186: krb5_ccache ccache;
187: krb5_error_code error;
1.1.1.2 misho 188: debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
1.1 misho 189:
190: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
191: princ = ((sudo_krb5_datap) auth->data)->princ;
192: ccache = ((sudo_krb5_datap) auth->data)->ccache;
193:
194: error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
1.1.1.2 misho 195: debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
1.1 misho 196: }
197: #else
198: int
1.1.1.2 misho 199: sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
1.1 misho 200: {
201: krb5_context sudo_context;
202: krb5_principal princ;
203: krb5_creds credbuf, *creds = NULL;
204: krb5_ccache ccache;
205: krb5_error_code error;
206: krb5_get_init_creds_opt *opts = NULL;
1.1.1.2 misho 207: debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
1.1 misho 208:
209: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
210: princ = ((sudo_krb5_datap) auth->data)->princ;
211: ccache = ((sudo_krb5_datap) auth->data)->ccache;
212:
213: /* Set default flags based on the local config file. */
214: error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
215: if (error) {
1.1.1.3 ! misho 216: log_warning(NO_MAIL,
! 217: N_("%s: unable to allocate options: %s"), auth->name,
1.1 misho 218: error_message(error));
219: goto done;
220: }
221: #ifdef HAVE_HEIMDAL
222: krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
223: krb5_principal_get_realm(sudo_context, princ), opts);
224: #endif
225:
226: /* Note that we always obtain a new TGT to verify the user */
227: if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
228: pass, krb5_prompter_posix,
229: NULL, 0, NULL, opts))) {
230: /* Don't print error if just a bad password */
231: if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
1.1.1.3 ! misho 232: log_warning(NO_MAIL,
! 233: N_("%s: unable to get credentials: %s"), auth->name,
1.1 misho 234: error_message(error));
235: goto done;
236: }
237: creds = &credbuf;
238:
239: /* Verify the TGT to prevent spoof attacks. */
240: if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
241: goto done;
242:
1.1.1.3 ! misho 243: /* Store credential in cache. */
1.1 misho 244: if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
1.1.1.3 ! misho 245: log_warning(NO_MAIL,
! 246: N_("%s: unable to initialize credential cache: %s"),
! 247: auth->name, error_message(error));
1.1 misho 248: } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
1.1.1.3 ! misho 249: log_warning(NO_MAIL,
! 250: N_("%s: unable to store credential in cache: %s"),
! 251: auth->name, error_message(error));
1.1 misho 252: }
253:
254: done:
255: if (opts) {
256: #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
257: krb5_get_init_creds_opt_free(sudo_context, opts);
258: #else
259: krb5_get_init_creds_opt_free(opts);
260: #endif
261: }
262: if (creds)
263: krb5_free_cred_contents(sudo_context, creds);
1.1.1.2 misho 264: debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
1.1 misho 265: }
266: #endif
267:
268: int
1.1.1.2 misho 269: sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth)
1.1 misho 270: {
271: krb5_context sudo_context;
272: krb5_principal princ;
273: krb5_ccache ccache;
1.1.1.2 misho 274: debug_decl(sudo_krb5_cleanup, SUDO_DEBUG_AUTH)
1.1 misho 275:
276: sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
277: princ = ((sudo_krb5_datap) auth->data)->princ;
278: ccache = ((sudo_krb5_datap) auth->data)->ccache;
279:
280: if (sudo_context) {
281: if (ccache)
282: krb5_cc_destroy(sudo_context, ccache);
283: if (princ)
284: krb5_free_principal(sudo_context, princ);
285: krb5_free_context(sudo_context);
286: }
287:
1.1.1.2 misho 288: debug_return_int(AUTH_SUCCESS);
1.1 misho 289: }
290:
291: #ifndef HAVE_KRB5_VERIFY_USER
292: /*
293: * Verify the Kerberos ticket-granting ticket just retrieved for the
294: * user. If the Kerberos server doesn't respond, assume the user is
295: * trying to fake us out (since we DID just get a TGT from what is
296: * supposedly our KDC).
297: *
298: * Returns 0 for successful authentication, non-zero for failure.
299: */
300: static int
301: verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
302: {
303: krb5_error_code error;
304: krb5_principal server;
305: krb5_verify_init_creds_opt vopt;
1.1.1.2 misho 306: debug_decl(verify_krb_v5_tgt, SUDO_DEBUG_AUTH)
1.1 misho 307:
308: /*
309: * Get the server principal for the local host.
310: * (Use defaults of "host" and canonicalized local name.)
311: */
312: if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
313: KRB5_NT_SRV_HST, &server))) {
1.1.1.3 ! misho 314: log_warning(NO_MAIL,
! 315: N_("%s: unable to get host principal: %s"), auth_name,
1.1 misho 316: error_message(error));
1.1.1.2 misho 317: debug_return_int(-1);
1.1 misho 318: }
319:
320: /* Initialize verify opts and set secure mode */
321: krb5_verify_init_creds_opt_init(&vopt);
322: krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
323:
324: /* verify the Kerberos ticket-granting ticket we just retrieved */
325: error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
326: NULL, &vopt);
327: krb5_free_principal(sudo_context, server);
328: if (error)
1.1.1.3 ! misho 329: log_warning(NO_MAIL,
! 330: N_("%s: Cannot verify TGT! Possible attack!: %s"),
1.1 misho 331: auth_name, error_message(error));
1.1.1.2 misho 332: debug_return_int(error);
1.1 misho 333: }
334: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>