CoCalc -- kerb5.c

GitHub Repository: sudo-project/sudo
Path: blob/main/plugins/sudoers/auth/kerb5.c
¹⁵³² views
1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 1999-2005, 2007-2008, 2010-2015
5
 *	Todd C. Miller <[email protected]>
6
 *
7
 * Permission to use, copy, modify, and distribute this software for any
8
 * purpose with or without fee is hereby granted, provided that the above
9
 * copyright notice and this permission notice appear in all copies.
10
 *
11
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
 *
19
 * Sponsored in part by the Defense Advanced Research Projects
20
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
22
 */
23

24
#include <config.h>
25

26
#ifdef HAVE_KERB5
27

28
#include <sys/types.h>
29
#include <stdio.h>
30
#include <stdlib.h>
31
#include <string.h>
32
#include <unistd.h>
33
#include <pwd.h>
34
#include <krb5.h>
35
#ifdef HAVE_HEIMDAL
36
#include <com_err.h>
37
#endif
38

39
#include <sudoers.h>
40
#include "sudo_auth.h"
41

42
#ifdef HAVE_HEIMDAL
43
# define extract_name(c, p)		krb5_principal_get_comp_string(c, p, 1)
44
# define krb5_free_data_contents(c, d)	krb5_data_free(d)
45
#else
46
# define extract_name(c, p)		(krb5_princ_component(c, p, 1)->data)
47
#endif
48

49
#ifndef HAVE_KRB5_VERIFY_USER
50
static int verify_krb_v5_tgt(const struct sudoers_context *, krb5_context,
51
    krb5_creds *, const char *);
52
#endif
53
static struct _sudo_krb5_data {
54
    krb5_context	sudo_context;
55
    krb5_principal	princ;
56
    krb5_ccache		ccache;
57
} sudo_krb5_data = { NULL, NULL, NULL };
58
typedef struct _sudo_krb5_data *sudo_krb5_datap;
59

60
#ifdef SUDO_KRB5_INSTANCE
61
static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
62
#else
63
static const char *sudo_krb5_instance = NULL;
64
#endif
65

66
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
67
static krb5_error_code
68
krb5_get_init_creds_opt_alloc(krb5_context context,
69
    krb5_get_init_creds_opt **opts)
70
{
71
    *opts = malloc(sizeof(krb5_get_init_creds_opt));
72
    if (*opts == NULL)
73
	return KRB5_CC_NOMEM;
74
    krb5_get_init_creds_opt_init(*opts);
75
    return 0;
76
}
77

78
static void
79
krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
80
{
81
    free(opts);
82
}
83
#endif
84

85
int
86
sudo_krb5_setup(const struct sudoers_context *ctx, struct passwd *pw,
87
    char **promptp, sudo_auth *auth)
88
{
89
    static char	*krb5_prompt;
90
    debug_decl(sudo_krb5_init, SUDOERS_DEBUG_AUTH);
91

92
    /* Don't override the prompt if the user specified their own. */
93
    if (strcmp(*promptp, PASSPROMPT) != 0) {
94
        debug_return_int(AUTH_SUCCESS);
95
    }
96

97
    if (krb5_prompt == NULL) {
98
	krb5_context	sudo_context;
99
	krb5_principal	princ;
100
	char		*pname;
101
	krb5_error_code	error;
102

103
	sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
104
	princ = ((sudo_krb5_datap) auth->data)->princ;
105

106
	/*
107
	 * Really, we need to tell the caller not to prompt for password. The
108
	 * API does not currently provide this unless the auth is standalone.
109
	 */
110
	if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
111
	    log_warningx(ctx, 0,
112
		N_("%s: unable to convert principal to string ('%s'): %s"),
113
		auth->name, pw->pw_name, error_message(error));
114
	    debug_return_int(AUTH_FAILURE);
115
	}
116

117
	if (asprintf(&krb5_prompt, "Password for %s: ", pname) == -1) {
118
	    log_warningx(ctx, 0, N_("unable to allocate memory"));
119
	    free(pname);
120
	    debug_return_int(AUTH_ERROR);
121
	}
122
	free(pname);
123
    }
124
    *promptp = krb5_prompt;
125

126
    debug_return_int(AUTH_SUCCESS);
127
}
128

129
int
130
sudo_krb5_init(const struct sudoers_context *ctx, struct passwd *pw,
131
    sudo_auth *auth)
132
{
133
    krb5_context	sudo_context;
134
    krb5_error_code 	error;
135
    char		cache_name[64], *pname = pw->pw_name;
136
    debug_decl(sudo_krb5_init, SUDOERS_DEBUG_AUTH);
137

138
    /* Only initialize once. */
139
    if (auth->data != NULL)
140
	debug_return_int(AUTH_SUCCESS);
141

142
    if (sudo_krb5_instance != NULL) {
143
	int len = asprintf(&pname, "%s%s%s", pw->pw_name,
144
	    sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
145
	if (len == -1) {
146
	    log_warningx(ctx, 0, N_("unable to allocate memory"));
147
	    debug_return_int(AUTH_ERROR);
148
	}
149
    }
150

151
#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
152
    error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
153
#else
154
    error = krb5_init_context(&(sudo_krb5_data.sudo_context));
155
#endif
156
    if (error)
157
	goto done;
158
    sudo_context = sudo_krb5_data.sudo_context;
159

160
    error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
161
    if (error) {
162
	log_warningx(ctx, 0, N_("%s: unable to parse '%s': %s"), auth->name,
163
	    pname, error_message(error));
164
	goto done;
165
    }
166

167
    (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
168
		    (long) getpid());
169
    if ((error = krb5_cc_resolve(sudo_context, cache_name,
170
	&(sudo_krb5_data.ccache)))) {
171
	log_warningx(ctx, 0, N_("%s: unable to resolve credential cache: %s"),
172
	    auth->name, error_message(error));
173
	goto done;
174
    }
175

176
    auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
177

178
done:
179
    if (sudo_krb5_instance != NULL)
180
	free(pname);
181
    debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
182
}
183

184
#ifdef HAVE_KRB5_VERIFY_USER
185
int
186
sudo_krb5_verify(const struct sudoers_context *ctx, struct passwd *pw,
187
    const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
188
{
189
    krb5_context	sudo_context;
190
    krb5_principal	princ;
191
    krb5_ccache		ccache;
192
    krb5_error_code	error;
193
    debug_decl(sudo_krb5_verify, SUDOERS_DEBUG_AUTH);
194

195
    sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
196
    princ = ((sudo_krb5_datap) auth->data)->princ;
197
    ccache = ((sudo_krb5_datap) auth->data)->ccache;
198

199
    error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
200
    debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
201
}
202
#else
203
int
204
sudo_krb5_verify(const struct sudoers_context *ctx, struct passwd *pw,
205
    const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
206
{
207
    krb5_context	sudo_context;
208
    krb5_principal	princ;
209
    krb5_creds		credbuf, *creds = NULL;
210
    krb5_ccache		ccache;
211
    krb5_error_code	error;
212
    krb5_get_init_creds_opt *opts = NULL;
213
    debug_decl(sudo_krb5_verify, SUDOERS_DEBUG_AUTH);
214

215
    sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
216
    princ = ((sudo_krb5_datap) auth->data)->princ;
217
    ccache = ((sudo_krb5_datap) auth->data)->ccache;
218

219
    /* Set default flags based on the local config file. */
220
    error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
221
    if (error) {
222
	log_warningx(ctx, 0, N_("%s: unable to allocate options: %s"),
223
	    auth->name, error_message(error));
224
	goto done;
225
    }
226
#ifdef HAVE_HEIMDAL
227
    krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
228
	krb5_principal_get_realm(sudo_context, princ), opts);
229
#endif
230

231
    /* Note that we always obtain a new TGT to verify the user */
232
    if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
233
					     pass, krb5_prompter_posix,
234
					     NULL, 0, NULL, opts))) {
235
	/* Don't print error if just a bad password */
236
	if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY) {
237
	    log_warningx(ctx, 0, N_("%s: unable to get credentials: %s"),
238
		auth->name, error_message(error));
239
	}
240
	goto done;
241
    }
242
    creds = &credbuf;
243

244
    /* Verify the TGT to prevent spoof attacks. */
245
    if ((error = verify_krb_v5_tgt(ctx, sudo_context, creds, auth->name)))
246
	goto done;
247

248
    /* Store credential in cache. */
249
    if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
250
	log_warningx(ctx, 0, N_("%s: unable to initialize credential cache: %s"),
251
	    auth->name, error_message(error));
252
    } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
253
	log_warningx(ctx, 0, N_("%s: unable to store credential in cache: %s"),
254
	    auth->name, error_message(error));
255
    }
256

257
done:
258
    if (opts) {
259
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
260
	krb5_get_init_creds_opt_free(sudo_context, opts);
261
#else
262
	krb5_get_init_creds_opt_free(opts);
263
#endif
264
    }
265
    if (creds)
266
	krb5_free_cred_contents(sudo_context, creds);
267
    debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
268
}
269
#endif
270

271
int
272
sudo_krb5_cleanup(const struct sudoers_context *ctx, struct passwd *pw,
273
    sudo_auth *auth, bool force)
274
{
275
    krb5_context	sudo_context;
276
    krb5_principal	princ;
277
    krb5_ccache		ccache;
278
    debug_decl(sudo_krb5_cleanup, SUDOERS_DEBUG_AUTH);
279

280
    sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
281
    princ = ((sudo_krb5_datap) auth->data)->princ;
282
    ccache = ((sudo_krb5_datap) auth->data)->ccache;
283

284
    if (sudo_context) {
285
	if (ccache)
286
	    krb5_cc_destroy(sudo_context, ccache);
287
	if (princ)
288
	    krb5_free_principal(sudo_context, princ);
289
	krb5_free_context(sudo_context);
290
    }
291

292
    debug_return_int(AUTH_SUCCESS);
293
}
294

295
#ifndef HAVE_KRB5_VERIFY_USER
296
/*
297
 * Verify the Kerberos ticket-granting ticket just retrieved for the
298
 * user.  If the Kerberos server doesn't respond, assume the user is
299
 * trying to fake us out (since we DID just get a TGT from what is
300
 * supposedly our KDC).
301
 *
302
 * Returns 0 for successful authentication, non-zero for failure.
303
 */
304
static int
305
verify_krb_v5_tgt(const struct sudoers_context *ctx, krb5_context sudo_context,
306
    krb5_creds *cred, const char *auth_name)
307
{
308
    krb5_error_code	error;
309
    krb5_principal	server;
310
    krb5_verify_init_creds_opt vopt;
311
    debug_decl(verify_krb_v5_tgt, SUDOERS_DEBUG_AUTH);
312

313
    /*
314
     * Get the server principal for the local host.
315
     * (Use defaults of "host" and canonicalized local name.)
316
     */
317
    if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
318
					KRB5_NT_SRV_HST, &server))) {
319
	log_warningx(ctx, 0, N_("%s: unable to get host principal: %s"),
320
	    auth_name, error_message(error));
321
	debug_return_int(-1);
322
    }
323

324
    /* Initialize verify opts and set secure mode */
325
    krb5_verify_init_creds_opt_init(&vopt);
326
    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
327

328
    /* verify the Kerberos ticket-granting ticket we just retrieved */
329
    error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
330
				   NULL, &vopt);
331
    krb5_free_principal(sudo_context, server);
332
    if (error) {
333
	log_warningx(ctx, 0, N_("%s: Cannot verify TGT! Possible attack!: %s"),
334
	    auth_name, error_message(error));
335
    }
336
    debug_return_int(error);
337
}
338
#endif
339

340
#endif /* HAVE_KERB5 */
341

342
Product

Resources

Company
