2 * Copyright (c) 1999-2005, 2007-2008, 2010-2013
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
17 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20 * Sponsored in part by the Defense Advanced Research Projects
21 * Agency (DARPA) and Air Force Research Laboratory, Air Force
22 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
27 #include <sys/types.h>
36 #endif /* STDC_HEADERS */
39 #endif /* HAVE_STRING_H */
42 #endif /* HAVE_STRING_H */
45 #endif /* HAVE_UNISTD_H */
53 #include "sudo_auth.h"
56 # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
57 # define krb5_free_data_contents(c, d) krb5_data_free(d)
59 # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
62 #ifndef HAVE_KRB5_VERIFY_USER
63 static int verify_krb_v5_tgt(krb5_context, krb5_creds *, char *);
65 static struct _sudo_krb5_data {
66 krb5_context sudo_context;
69 } sudo_krb5_data = { NULL, NULL, NULL };
70 typedef struct _sudo_krb5_data *sudo_krb5_datap;
72 #ifdef SUDO_KRB5_INSTANCE
73 static const char *sudo_krb5_instance = SUDO_KRB5_INSTANCE;
75 static const char *sudo_krb5_instance = NULL;
78 #ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
79 static krb5_error_code
80 krb5_get_init_creds_opt_alloc(krb5_context context,
81 krb5_get_init_creds_opt **opts)
83 *opts = emalloc(sizeof(krb5_get_init_creds_opt));
84 krb5_get_init_creds_opt_init(*opts);
89 krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opts)
96 sudo_krb5_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
98 static char *krb5_prompt;
99 debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
101 if (krb5_prompt == NULL) {
102 krb5_context sudo_context;
103 krb5_principal princ;
105 krb5_error_code error;
107 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
108 princ = ((sudo_krb5_datap) auth->data)->princ;
111 * Really, we need to tell the caller not to prompt for password. The
112 * API does not currently provide this unless the auth is standalone.
114 if ((error = krb5_unparse_name(sudo_context, princ, &pname))) {
116 N_("%s: unable to convert principal to string ('%s'): %s"),
117 auth->name, pw->pw_name, error_message(error));
118 debug_return_int(AUTH_FAILURE);
121 /* Only rewrite prompt if user didn't specify their own. */
122 /*if (!strcmp(prompt, PASSPROMPT)) { */
123 easprintf(&krb5_prompt, "Password for %s: ", pname);
127 *promptp = krb5_prompt;
129 debug_return_int(AUTH_SUCCESS);
133 sudo_krb5_init(struct passwd *pw, sudo_auth *auth)
135 krb5_context sudo_context;
136 krb5_error_code error;
137 char cache_name[64], *pname = pw->pw_name;
138 debug_decl(sudo_krb5_init, SUDO_DEBUG_AUTH)
140 auth->data = (void *) &sudo_krb5_data; /* Stash all our data here */
142 if (sudo_krb5_instance != NULL) {
143 easprintf(&pname, "%s%s%s", pw->pw_name,
144 sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance);
147 #ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
148 error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
150 error = krb5_init_context(&(sudo_krb5_data.sudo_context));
154 sudo_context = sudo_krb5_data.sudo_context;
156 error = krb5_parse_name(sudo_context, pname, &(sudo_krb5_data.princ));
159 N_("%s: unable to parse '%s': %s"), auth->name, pname,
160 error_message(error));
164 (void) snprintf(cache_name, sizeof(cache_name), "MEMORY:sudocc_%ld",
166 if ((error = krb5_cc_resolve(sudo_context, cache_name,
167 &(sudo_krb5_data.ccache)))) {
169 N_("%s: unable to resolve credential cache: %s"), auth->name,
170 error_message(error));
175 if (sudo_krb5_instance != NULL)
177 debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
180 #ifdef HAVE_KRB5_VERIFY_USER
182 sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
184 krb5_context sudo_context;
185 krb5_principal princ;
187 krb5_error_code error;
188 debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
190 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
191 princ = ((sudo_krb5_datap) auth->data)->princ;
192 ccache = ((sudo_krb5_datap) auth->data)->ccache;
194 error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
195 debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
199 sudo_krb5_verify(struct passwd *pw, char *pass, sudo_auth *auth)
201 krb5_context sudo_context;
202 krb5_principal princ;
203 krb5_creds credbuf, *creds = NULL;
205 krb5_error_code error;
206 krb5_get_init_creds_opt *opts = NULL;
207 debug_decl(sudo_krb5_verify, SUDO_DEBUG_AUTH)
209 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
210 princ = ((sudo_krb5_datap) auth->data)->princ;
211 ccache = ((sudo_krb5_datap) auth->data)->ccache;
213 /* Set default flags based on the local config file. */
214 error = krb5_get_init_creds_opt_alloc(sudo_context, &opts);
217 N_("%s: unable to allocate options: %s"), auth->name,
218 error_message(error));
222 krb5_get_init_creds_opt_set_default_flags(sudo_context, NULL,
223 krb5_principal_get_realm(sudo_context, princ), opts);
226 /* Note that we always obtain a new TGT to verify the user */
227 if ((error = krb5_get_init_creds_password(sudo_context, &credbuf, princ,
228 pass, krb5_prompter_posix,
229 NULL, 0, NULL, opts))) {
230 /* Don't print error if just a bad password */
231 if (error != KRB5KRB_AP_ERR_BAD_INTEGRITY)
233 N_("%s: unable to get credentials: %s"), auth->name,
234 error_message(error));
239 /* Verify the TGT to prevent spoof attacks. */
240 if ((error = verify_krb_v5_tgt(sudo_context, creds, auth->name)))
243 /* Store credential in cache. */
244 if ((error = krb5_cc_initialize(sudo_context, ccache, princ))) {
246 N_("%s: unable to initialize credential cache: %s"),
247 auth->name, error_message(error));
248 } else if ((error = krb5_cc_store_cred(sudo_context, ccache, creds))) {
250 N_("%s: unable to store credential in cache: %s"),
251 auth->name, error_message(error));
256 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS
257 krb5_get_init_creds_opt_free(sudo_context, opts);
259 krb5_get_init_creds_opt_free(opts);
263 krb5_free_cred_contents(sudo_context, creds);
264 debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
269 sudo_krb5_cleanup(struct passwd *pw, sudo_auth *auth)
271 krb5_context sudo_context;
272 krb5_principal princ;
274 debug_decl(sudo_krb5_cleanup, SUDO_DEBUG_AUTH)
276 sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
277 princ = ((sudo_krb5_datap) auth->data)->princ;
278 ccache = ((sudo_krb5_datap) auth->data)->ccache;
282 krb5_cc_destroy(sudo_context, ccache);
284 krb5_free_principal(sudo_context, princ);
285 krb5_free_context(sudo_context);
288 debug_return_int(AUTH_SUCCESS);
291 #ifndef HAVE_KRB5_VERIFY_USER
293 * Verify the Kerberos ticket-granting ticket just retrieved for the
294 * user. If the Kerberos server doesn't respond, assume the user is
295 * trying to fake us out (since we DID just get a TGT from what is
296 * supposedly our KDC).
298 * Returns 0 for successful authentication, non-zero for failure.
301 verify_krb_v5_tgt(krb5_context sudo_context, krb5_creds *cred, char *auth_name)
303 krb5_error_code error;
304 krb5_principal server;
305 krb5_verify_init_creds_opt vopt;
306 debug_decl(verify_krb_v5_tgt, SUDO_DEBUG_AUTH)
309 * Get the server principal for the local host.
310 * (Use defaults of "host" and canonicalized local name.)
312 if ((error = krb5_sname_to_principal(sudo_context, NULL, NULL,
313 KRB5_NT_SRV_HST, &server))) {
315 N_("%s: unable to get host principal: %s"), auth_name,
316 error_message(error));
317 debug_return_int(-1);
320 /* Initialize verify opts and set secure mode */
321 krb5_verify_init_creds_opt_init(&vopt);
322 krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
324 /* verify the Kerberos ticket-granting ticket we just retrieved */
325 error = krb5_verify_init_creds(sudo_context, cred, server, NULL,
327 krb5_free_principal(sudo_context, server);
330 N_("%s: Cannot verify TGT! Possible attack!: %s"),
331 auth_name, error_message(error));
332 debug_return_int(error);