| /* |
| * Copyright (c) 1999-2005, 2007-2008, 2010 |
| * Todd C. Miller <Todd.Miller@courtesan.com> |
| * |
| * Permission to use, copy, modify, and distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
| * copyright notice and this permission notice appear in all copies. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR |
| * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF |
| * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| * |
| * Sponsored in part by the Defense Advanced Research Projects |
| * Agency (DARPA) and Air Force Research Laboratory, Air Force |
| * Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| */ |
| |
| #include <config.h> |
| |
| #include <sys/types.h> |
| #include <sys/param.h> |
| #include <stdio.h> |
| #ifdef STDC_HEADERS |
| # include <stdlib.h> |
| # include <stddef.h> |
| #else |
| # ifdef HAVE_STDLIB_H |
| # include <stdlib.h> |
| # endif |
| #endif /* STDC_HEADERS */ |
| #ifdef HAVE_STRING_H |
| # include <string.h> |
| #endif /* HAVE_STRING_H */ |
| #ifdef HAVE_STRINGS_H |
| # include <strings.h> |
| #endif /* HAVE_STRING_H */ |
| #ifdef HAVE_UNISTD_H |
| # include <unistd.h> |
| #endif /* HAVE_UNISTD_H */ |
| #include <pwd.h> |
| #include <krb5.h> |
| #ifdef HAVE_HEIMDAL |
| #include <com_err.h> |
| #endif |
| |
| #include "sudo.h" |
| #include "sudo_auth.h" |
| |
| #ifdef HAVE_HEIMDAL |
| # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) |
| # define krb5_free_data_contents(c, d) krb5_data_free(d) |
| #else |
| # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data) |
| #endif |
| |
| #ifndef HAVE_KRB5_VERIFY_USER |
| static int verify_krb_v5_tgt __P((krb5_context, krb5_creds *, char *)); |
| #endif |
| static struct _sudo_krb5_data { |
| krb5_context sudo_context; |
| krb5_principal princ; |
| krb5_ccache ccache; |
| } sudo_krb5_data = { NULL, NULL, NULL }; |
| typedef struct _sudo_krb5_data *sudo_krb5_datap; |
| |
| #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC |
| static krb5_error_code |
| krb5_get_init_creds_opt_alloc(context, opts) |
| krb5_context context; |
| krb5_get_init_creds_opt **opts; |
| { |
| *opts = emalloc(sizeof(krb5_get_init_creds_opt)); |
| krb5_get_init_creds_opt_init(*opts); |
| return 0; |
| } |
| |
| static void |
| krb5_get_init_creds_opt_free(opts) |
| krb5_get_init_creds_opt *opts; |
| { |
| free(opts); |
| } |
| #endif |
| |
| int |
| kerb5_init(pw, promptp, auth) |
| struct passwd *pw; |
| char **promptp; |
| sudo_auth *auth; |
| { |
| krb5_context sudo_context; |
| krb5_ccache ccache; |
| krb5_principal princ; |
| krb5_error_code error; |
| char cache_name[64]; |
| char *pname; |
| |
| auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */ |
| |
| #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT |
| error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context)); |
| #else |
| error = krb5_init_context(&(sudo_krb5_data.sudo_context)); |
| #endif |
| if (error) |
| return(AUTH_FAILURE); |
| sudo_context = sudo_krb5_data.sudo_context; |
| |
| if ((error = krb5_parse_name(sudo_context, pw->pw_name, |
| &(sudo_krb5_data.princ)))) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to parse '%s': %s", auth->name, pw->pw_name, |
| error_message(error)); |
| return(AUTH_FAILURE); |
| } |
| princ = sudo_krb5_data.princ; |
| |
| /* |
| * Really, we need to tell the caller not to prompt for password. |
| * The API does not currently provide this unless the auth is standalone. |
| */ |
| #if 1 |
| if ((error = krb5_unparse_name(sudo_context, princ, &pname))) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to unparse princ ('%s'): %s", auth->name, |
| pw->pw_name, error_message(error)); |
| return(AUTH_FAILURE); |
| } |
| |
| /* Only rewrite prompt if user didn't specify their own. */ |
| /*if (!strcmp(prompt, PASSPROMPT)) { */ |
| easprintf(promptp, "Password for %s: ", pname); |
| /*}*/ |
| free(pname); |
| #endif |
| |
| (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld", |
| (long) getpid()); |
| if ((error = krb5_cc_resolve(sudo_context, cache_name, |
| &(sudo_krb5_data.ccache)))) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to resolve ccache: %s", auth->name, |
| error_message(error)); |
| return(AUTH_FAILURE); |
| } |
| ccache = sudo_krb5_data.ccache; |
| |
| return(AUTH_SUCCESS); |
| } |
| |
| #ifdef HAVE_KRB5_VERIFY_USER |
| int |
| kerb5_verify(pw, pass, auth) |
| struct passwd *pw; |
| char *pass; |
| sudo_auth *auth; |
| { |
| krb5_context sudo_context; |
| krb5_principal princ; |
| krb5_ccache ccache; |
| krb5_error_code error; |
| |
| sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; |
| princ = ((sudo_krb5_datap) auth->data)->princ; |
| ccache = ((sudo_krb5_datap) auth->data)->ccache; |
| |
| error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL); |
| return (error ? AUTH_FAILURE : AUTH_SUCCESS); |
| } |
| #else |
| int |
| kerb5_verify(pw, pass, auth) |
| struct passwd *pw; |
| char *pass; |
| sudo_auth *auth; |
| { |
| krb5_context sudo_context; |
| krb5_principal princ; |
| krb5_creds credbuf, *creds = NULL; |
| krb5_ccache ccache; |
| krb5_error_code error; |
| krb5_get_init_creds_opt *opts = NULL; |
| |
| sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; |
| princ = ((sudo_krb5_datap) auth->data)->princ; |
| ccache = ((sudo_krb5_datap) auth->data)->ccache; |
| |
| /* Set default flags based on the local config file. */ |
| error = krb5_get_init_creds_opt_alloc(sudo_context, &opts); |
| if (error) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to allocate options: %s", auth->name, |
| error_message(error)); |
| goto done; |
| } |
| #ifdef HAVE_HEIMDAL |
| krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL, |
| krb5_principal_get_realm(sudo_context, princ), opts); |
| #endif |
| |
| /* Note that we always obtain a new TGT to verify the user */ |
| if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ, |
| pass, krb5_prompter_posix, |
| NULL, 0, NULL, opts))) { |
| /* Don't print error if just a bad password */ |
| if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY) |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to get credentials: %s", auth->name, |
| error_message(error)); |
| goto done; |
| } |
| creds = &credbuf; |
| |
| /* Verify the TGT to prevent spoof attacks. */ |
| if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name))) |
| goto done; |
| |
| /* Store cred in cred cache. */ |
| if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to initialize ccache: %s", auth->name, |
| error_message(error)); |
| } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to store cred in ccache: %s", auth->name, |
| error_message(error)); |
| } |
| |
| done: |
| if (opts) { |
| #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS |
| krb5_get_init_creds_opt_free(sudo_context, opts); |
| #else |
| krb5_get_init_creds_opt_free(opts); |
| #endif |
| } |
| if (creds) |
| krb5_free_cred_contents(sudo_context, creds); |
| return (error ? AUTH_FAILURE : AUTH_SUCCESS); |
| } |
| #endif |
| |
| int |
| kerb5_cleanup(pw, auth) |
| struct passwd *pw; |
| sudo_auth *auth; |
| { |
| krb5_context sudo_context; |
| krb5_principal princ; |
| krb5_ccache ccache; |
| |
| sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context; |
| princ = ((sudo_krb5_datap) auth->data)->princ; |
| ccache = ((sudo_krb5_datap) auth->data)->ccache; |
| |
| if (sudo_context) { |
| if (ccache) |
| krb5_cc_destroy(sudo_context, ccache); |
| if (princ) |
| krb5_free_principal(sudo_context, princ); |
| krb5_free_context(sudo_context); |
| } |
| |
| return(AUTH_SUCCESS); |
| } |
| |
| #ifndef HAVE_KRB5_VERIFY_USER |
| /* |
| * Verify the Kerberos ticket-granting ticket just retrieved for the |
| * user. If the Kerberos server doesn't respond, assume the user is |
| * trying to fake us out (since we DID just get a TGT from what is |
| * supposedly our KDC). |
| * |
| * Returns 0 for successful authentication, non-zero for failure. |
| */ |
| static int |
| verify_krb_v5_tgt(sudo_context, cred, auth_name) |
| krb5_context sudo_context; |
| krb5_creds *cred; |
| char *auth_name; /* For error reporting */ |
| { |
| krb5_error_code error; |
| krb5_principal server; |
| krb5_verify_init_creds_opt vopt; |
| |
| /* |
| * Get the server principal for the local host. |
| * (Use defaults of "host" and canonicalized local name.) |
| */ |
| if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL, |
| KRB5_NT_SRV_HST, &server))) { |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: unable to get host principal: %s", auth_name, |
| error_message(error)); |
| return(-1); |
| } |
| |
| /* Initialize verify opts and set secure mode */ |
| krb5_verify_init_creds_opt_init(&vopt); |
| krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1); |
| |
| /* verify the Kerberos ticket-granting ticket we just retrieved */ |
| error = krb5_verify_init_creds(sudo_context, cred, server, NULL, |
| NULL, &vopt); |
| krb5_free_principal(sudo_context, server); |
| if (error) |
| log_error(NO_EXIT|NO_MAIL, |
| "%s: Cannot verify TGT! Possible attack!: %s", auth_name, |
| error_message(error)); |
| return(error); |
| } |
| #endif |