1 /*
2 * Copyright (c) 2000 Damien Miller. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24 /*
25 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
26 */
27
28 #include "includes.h"
29
30 #ifdef USE_PAM
31 #include "xmalloc.h"
32 #include "log.h"
33 #include "auth.h"
34 #include "auth-options.h"
35 #include "auth-pam.h"
36 #include "buffer.h"
37 #include "servconf.h"
38 #include "canohost.h"
39 #include "compat.h"
40 #include "misc.h"
41 #include "sshlogin.h"
42 #include "ssh-gss.h"
43
44 #include <security/pam_appl.h>
45
46 extern char *__progname;
47
48 extern u_int utmp_len;
49 extern ServerOptions options;
50
51 extern Authmethod method_kbdint;
52
53 RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $");
54
55 #define NEW_AUTHTOK_MSG \
56 "Warning: Your password has expired, please change it now."
57
58 /* PAM conversation for non-interactive userauth methods */
59 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
60 struct pam_response **resp, void *appdata_ptr);
61
62 static void do_pam_cleanup_proc(void *context);
63
64 static char *get_method_name(Authctxt *authctxt);
65
66 /* PAM conversation for non-interactive userauth methods */
67 static struct pam_conv conv = {
68 (int (*)())do_pam_conversation,
69 NULL
70 };
71 static char *__pam_msg = NULL;
72
73 static
74 char *
75 get_method_name(Authctxt *authctxt)
76 {
77 if (!authctxt)
78 return "(unknown)";
79
80 if (!compat20)
81 return (authctxt->v1_auth_name) ? authctxt->v1_auth_name :
82 "(sshv1-unknown)";
83
84 if (!authctxt->method || !authctxt->method->name)
85 return "(sshv2-unknown)";
86
87 return authctxt->method->name;
88 }
89
90 char *
91 derive_pam_service_name(Authmethod *method)
92 {
93 char *svcname = xmalloc(BUFSIZ);
94
95 /*
96 * If PamServiceName is set we use that for everything, including
97 * SSHv1
98 */
99 if (options.pam_service_name != NULL) {
100 (void) strlcpy(svcname, options.pam_service_name, BUFSIZ);
101 return (svcname);
102 }
103
104 if (compat20 && method) {
105 char *method_name = method->name;
106
107 if (!method_name)
108 fatal("Userauth method unknown while starting PAM");
109
110 /*
111 * For SSHv2 we use "sshd-<userauth name>
112 * The "sshd" prefix can be changed via the PAMServicePrefix
113 * sshd_config option.
114 */
115 if (strcmp(method_name, "none") == 0) {
116 snprintf(svcname, BUFSIZ, "%s-none",
117 options.pam_service_prefix);
118 }
119 if (strcmp(method_name, "password") == 0) {
120 snprintf(svcname, BUFSIZ, "%s-password",
121 options.pam_service_prefix);
122 }
123 if (strcmp(method_name, "keyboard-interactive") == 0) {
124 /* "keyboard-interactive" is too long, shorten it */
125 snprintf(svcname, BUFSIZ, "%s-kbdint",
126 options.pam_service_prefix);
127 }
128 if (strcmp(method_name, "publickey") == 0) {
129 /* "publickey" is too long, shorten it */
130 snprintf(svcname, BUFSIZ, "%s-pubkey",
131 options.pam_service_prefix);
132 }
133 if (strcmp(method_name, "hostbased") == 0) {
134 /* "hostbased" can't really be shortened... */
135 snprintf(svcname, BUFSIZ, "%s-hostbased",
136 options.pam_service_prefix);
137 }
138 if (strncmp(method_name, "gss", 3) == 0) {
139 /* "gss" is too short, elongate it */
140 snprintf(svcname, BUFSIZ, "%s-gssapi",
141 options.pam_service_prefix);
142 }
143 return svcname;
144 } else {
145 /* SSHv1 doesn't get to be so cool */
146 snprintf(svcname, BUFSIZ, "%s-v1",
147 options.pam_service_prefix);
148 }
149 return svcname;
150 }
151
152 void
153 new_start_pam(Authctxt *authctxt, struct pam_conv *conv)
154 {
155 int retval;
156 pam_handle_t *pamh;
157 const char *rhost;
158 char *svc;
159 char *user = NULL;
160 pam_stuff *pam;
161
162 if (authctxt == NULL)
163 fatal("Internal error during userauth");
164
165 if (compat20 && authctxt->method == NULL)
166 fatal("Userauth method unknown while starting PAM");
167
168 /* PAM service selected here */
169 svc = derive_pam_service_name(authctxt->method);
170 debug2("Starting PAM service %s for method %s", svc,
171 get_method_name(authctxt));
172
173 if (authctxt->user != NULL)
174 user = authctxt->user;
175
176 /* Cleanup previous PAM state */
177 if (authctxt->pam != NULL) {
178 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
179 do_pam_cleanup_proc(authctxt->pam);
180 }
181
182 pam = xmalloc(sizeof(pam_stuff));
183 (void) memset(pam, 0, sizeof(pam_stuff));
184
185 /*
186 * pam->last_pam_retval has to be and is considered
187 * along with pam->state.
188 *
189 * pam->state = 0; -> no PAM auth, account, etc, work
190 * done yet. (Set by memset() above.)
191 *
192 * pam->last_pam_retval = PAM_SUCCESS; -> meaningless at
193 * this point.
194 *
195 * See finish_userauth_do_pam() below.
196 */
197 pam->authctxt = authctxt;
198 pam->last_pam_retval = PAM_SUCCESS;
199
200 authctxt->pam = pam;
201
202 /* Free any previously stored text/error PAM prompts */
203 if (__pam_msg) {
204 xfree(__pam_msg);
205 __pam_msg = NULL;
206 }
207
208 if ((retval = pam_start(svc, user, conv, &pamh)) != PAM_SUCCESS) {
209 fatal("PAM initialization failed during %s userauth",
210 get_method_name(authctxt));
211 }
212
213 free(svc);
214
215 fatal_add_cleanup((void (*)(void *)) &do_pam_cleanup_proc,
216 (void *) authctxt->pam);
217
218 rhost = get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping);
219 if ((retval = pam_set_item(pamh, PAM_RHOST, rhost)) != PAM_SUCCESS) {
220 (void) pam_end(pamh, retval);
221 fatal("Could not set PAM_RHOST item during %s userauth",
222 get_method_name(authctxt));
223 }
224
225 if ((retval = pam_set_item(pamh, PAM_TTY, "sshd")) != PAM_SUCCESS) {
226 (void) pam_end(pamh, retval);
227 fatal("Could not set PAM_TTY item during %s userauth",
228 get_method_name(authctxt));
229 }
230
231 if (authctxt->cuser != NULL)
232 if ((retval = pam_set_item(pamh, PAM_AUSER, authctxt->cuser)) != PAM_SUCCESS) {
233 (void) pam_end(pamh, retval);
234 fatal("Could not set PAM_AUSER item during %s userauth",
235 get_method_name(authctxt));
236 }
237
238 authctxt->pam->h = pamh;
239 }
240
241 /*
242 * To be called from userauth methods, directly (as in keyboard-interactive) or
243 * indirectly (from auth_pam_password() or from do_pam_non_initial_userauth().
244 *
245 * The caller is responsible for calling new_start_pam() first.
246 *
247 * PAM state is not cleaned up here on error. This is left to subsequent calls
248 * to new_start_pam() or to the cleanup function upon authentication error.
249 */
250 int
251 finish_userauth_do_pam(Authctxt *authctxt)
252 {
253 int retval;
254 char *user, *method;
255
256 /* Various checks; fail gracefully */
257 if (authctxt == NULL || authctxt->pam == NULL)
258 return PAM_SYSTEM_ERR; /* shouldn't happen */
259
260 if (compat20) {
261 if (authctxt->method == NULL || authctxt->method->name == NULL)
262 return PAM_SYSTEM_ERR; /* shouldn't happen */
263 method = authctxt->method->name;
264 } else if ((method = authctxt->v1_auth_name) == NULL)
265 return PAM_SYSTEM_ERR; /* shouldn't happen */
266
267 if (AUTHPAM_DONE(authctxt))
268 return PAM_SYSTEM_ERR; /* shouldn't happen */
269
270 if (!(authctxt->pam->state & PAM_S_DONE_ACCT_MGMT)) {
271 retval = pam_acct_mgmt(authctxt->pam->h, 0);
272 authctxt->pam->last_pam_retval = retval;
273 if (retval == PAM_NEW_AUTHTOK_REQD) {
274 userauth_force_kbdint();
275 return retval;
276 }
277 if (retval != PAM_SUCCESS)
278 return retval;
279 authctxt->pam->state |= PAM_S_DONE_ACCT_MGMT;
280 }
281
282 /*
283 * Handle PAM_USER change, if any.
284 *
285 * We do this before pam_open_session() because we need the PAM_USER's
286 * UID for:
287 *
288 * a) PermitRootLogin checking
289 * b) to get at the lastlog entry before pam_open_session() updates it.
290 */
291 retval = pam_get_item(authctxt->pam->h, PAM_USER, (void **) &user);
292 if (retval != PAM_SUCCESS) {
293 fatal("PAM failure: pam_get_item(PAM_USER) "
294 "returned %d: %.200s", retval,
295 PAM_STRERROR(authctxt->pam->h, retval));
296 }
297
298 if (user == NULL || *user == '\0') {
299 debug("PAM set NULL PAM_USER");
300 return PAM_PERM_DENIED;
301 }
302
303 if (strcmp(user, authctxt->user) != 0) {
304 log("PAM changed the SSH username");
305 pwfree(&authctxt->pw);
306 authctxt->pw = getpwnamallow(user);
307 authctxt->valid = (authctxt->pw != NULL);
308 xfree(authctxt->user);
309 authctxt->user = xstrdup(user);
310 }
311
312 if (!authctxt->valid) {
313 debug2("PAM set PAM_USER to unknown user");
314 /*
315 * Return success, userauth_finish() will catch
316 * this and send back a failure message.
317 */
318 return PAM_SUCCESS;
319 }
320
321 /* Check PermitRootLogin semantics */
322 if (authctxt->pw->pw_uid == 0 && !auth_root_allowed(method))
323 return PAM_PERM_DENIED;
324
325 if (!(authctxt->pam->state & PAM_S_DONE_SETCRED)) {
326 retval = pam_setcred(authctxt->pam->h,
327 PAM_ESTABLISH_CRED);
328 authctxt->pam->last_pam_retval = retval;
329 if (retval != PAM_SUCCESS)
330 return retval;
331 authctxt->pam->state |= PAM_S_DONE_SETCRED;
332
333 #ifdef GSSAPI
334 /*
335 * Store GSS-API delegated creds after pam_setcred(), which may
336 * have set the current credential store.
337 */
338 ssh_gssapi_storecreds(NULL, authctxt);
339 #endif /* GSSAPI */
340 }
341
342 /*
343 * On Solaris pam_unix_session.so updates the lastlog, but does
344 * not converse a PAM_TEXT_INFO message about it. So we need to
345 * fetch the lastlog entry here and save it for use later.
346 */
347 authctxt->last_login_time =
348 get_last_login_time(authctxt->pw->pw_uid,
349 authctxt->pw->pw_name,
350 authctxt->last_login_host,
351 sizeof(authctxt->last_login_host));
352
353 if (!(authctxt->pam->state & PAM_S_DONE_OPEN_SESSION)) {
354 retval = pam_open_session(authctxt->pam->h, 0);
355 authctxt->pam->last_pam_retval = retval;
356 if (retval != PAM_SUCCESS)
357 return retval;
358 authctxt->pam->state |= PAM_S_DONE_OPEN_SESSION;
359 }
360
361 /*
362 * All PAM work done successfully.
363 *
364 * PAM handle stays around so we can call pam_close_session() on
365 * it later.
366 */
367 return PAM_SUCCESS;
368 }
369
370 /*
371 * PAM conversation function for non-interactive userauth methods that
372 * really cannot do any prompting. Password userauth and CHANGEREQ can
373 * always set the PAM_AUTHTOK and PAM_OLDAUTHTOK items to avoid
374 * conversation (and if they do and nonetheless some module tries to
375 * converse, then password userauth / CHANGEREQ MUST fail).
376 *
377 * Except, PAM_TEXT_INFO and PAM_ERROR_MSG prompts can be squirelled
378 * away and shown to the user later.
379 *
380 * Keyboard-interactive userauth has its own much more interesting
381 * conversation function.
382 *
383 */
384 static int
385 do_pam_conversation(int num_msg, const struct pam_message **msg,
386 struct pam_response **resp, void *appdata_ptr)
387 {
388 struct pam_response *reply;
389 int count;
390
391 /* PAM will free this later */
392 reply = xmalloc(num_msg * sizeof(*reply));
393
394 (void) memset(reply, 0, num_msg * sizeof(*reply));
395
396 for (count = 0; count < num_msg; count++) {
397 /*
398 * We can't use stdio yet, queue messages for
399 * printing later
400 */
401 switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
402 case PAM_PROMPT_ECHO_ON:
403 xfree(reply);
404 return PAM_CONV_ERR;
405 case PAM_PROMPT_ECHO_OFF:
406 xfree(reply);
407 return PAM_CONV_ERR;
408 break;
409 case PAM_ERROR_MSG:
410 case PAM_TEXT_INFO:
411 if (PAM_MSG_MEMBER(msg, count, msg) != NULL) {
412 message_cat(&__pam_msg,
413 PAM_MSG_MEMBER(msg, count, msg));
414 }
415 reply[count].resp = xstrdup("");
416 reply[count].resp_retcode = PAM_SUCCESS;
417 break;
418 default:
419 xfree(reply);
420 return PAM_CONV_ERR;
421 }
422 }
423
424 *resp = reply;
425
426 return PAM_SUCCESS;
427 }
428
429 /* Called at exit to cleanly shutdown PAM */
430 static void
431 do_pam_cleanup_proc(void *context)
432 {
433 int pam_retval;
434 pam_stuff *pam = (pam_stuff *) context;
435
436 if (pam == NULL)
437 return;
438
439 if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
440 pam->authctxt->pam_retval = pam->last_pam_retval;
441 pam->authctxt->pam = NULL;
442 pam->authctxt = NULL;
443 }
444
445 if (pam->h == NULL)
446 return;
447
448 /*
449 * We're in fatal_cleanup() or not in userauth or without a
450 * channel -- can't converse now, too bad.
451 */
452 pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
453 if (pam_retval != PAM_SUCCESS) {
454 log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
455 pam_retval, PAM_STRERROR(pam->h, pam_retval));
456 goto cleanup;
457 }
458
459 if (pam->state & PAM_S_DONE_OPEN_SESSION) {
460 pam_retval = pam_close_session(pam->h, 0);
461 if (pam_retval != PAM_SUCCESS)
462 log("Cannot close PAM session[%d]: %.200s",
463 pam_retval, PAM_STRERROR(pam->h, pam_retval));
464 }
465
466 if (pam->state & PAM_S_DONE_SETCRED) {
467 pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
468 if (pam_retval != PAM_SUCCESS)
469 debug("Cannot delete credentials[%d]: %.200s",
470 pam_retval, PAM_STRERROR(pam->h, pam_retval));
471 }
472
473 cleanup:
474
475 /* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
476 if (pam->last_pam_retval != PAM_SUCCESS)
477 pam_retval = pam_end(pam->h, pam->last_pam_retval);
478 else if (pam_retval != PAM_SUCCESS)
479 pam_retval = pam_end(pam->h, pam_retval);
480 else
481 pam_retval = pam_end(pam->h, PAM_ABORT);
482
483 if (pam_retval != PAM_SUCCESS)
484 log("Cannot release PAM authentication[%d]: %.200s",
485 pam_retval, PAM_STRERROR(pam->h, pam_retval));
486
487 xfree(pam);
488 }
489
490 /* Attempt password authentation using PAM */
491 int
492 auth_pam_password(Authctxt *authctxt, const char *password)
493 {
494 int retval;
495
496 /* Ensure we have a fresh PAM handle / state */
497 new_start_pam(authctxt, &conv);
498
499 retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password);
500 if (retval != PAM_SUCCESS) {
501 authctxt->pam->last_pam_retval = retval;
502 return 1;
503 }
504
505 retval = pam_authenticate(authctxt->pam->h,
506 options.permit_empty_passwd ? 0 :
507 PAM_DISALLOW_NULL_AUTHTOK);
508
509 if (retval != PAM_SUCCESS) {
510 authctxt->pam->last_pam_retval = retval;
511 return 0;
512 }
513
514 if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS)
515 return 0;
516
517 if (authctxt->method)
518 authctxt->method->authenticated = 1; /* SSHv2 */
519
520 return 1;
521 }
522
523 int
524 do_pam_non_initial_userauth(Authctxt *authctxt)
525 {
526 new_start_pam(authctxt, NULL);
527 return (finish_userauth_do_pam(authctxt) == PAM_SUCCESS);
528 }
529
530 /* Cleanly shutdown PAM */
531 void finish_pam(Authctxt *authctxt)
532 {
533 fatal_remove_cleanup(&do_pam_cleanup_proc, authctxt->pam);
534 do_pam_cleanup_proc(authctxt->pam);
535 }
536
537 static
538 char **
539 find_env(char **env, char *var)
540 {
541 char **p;
542 int len;
543
544 if (strchr(var, '=') == NULL)
545 len = strlen(var);
546 else
547 len = (strchr(var, '=') - var) + 1;
548
549 for ( p = env ; p != NULL && *p != NULL ; p++ ) {
550 if (strncmp(*p, var, len) == 0)
551 return (p);
552 }
553
554 return (NULL);
555 }
556
557 /* Return list of PAM environment strings */
558 char **
559 fetch_pam_environment(Authctxt *authctxt)
560 {
561 #ifdef HAVE_PAM_GETENVLIST
562 char **penv;
563
564 if (authctxt == NULL || authctxt->pam == NULL ||
565 authctxt->pam->h == NULL)
566 return (NULL);
567
568 penv = pam_getenvlist(authctxt->pam->h);
569
570 return (penv);
571 #else /* HAVE_PAM_GETENVLIST */
572 return(NULL);
573 #endif /* HAVE_PAM_GETENVLIST */
574 }
575
576 void free_pam_environment(char **env)
577 {
578 int i;
579
580 if (env != NULL) {
581 for (i = 0; env[i] != NULL; i++)
582 xfree(env[i]);
583 }
584
585 xfree(env);
586 }
587
588 /* Print any messages that have been generated during authentication */
589 /* or account checking to stderr */
590 void print_pam_messages(void)
591 {
592 if (__pam_msg != NULL)
593 (void) fputs(__pam_msg, stderr);
594 }
595
596 /* Append a message to buffer */
597 void message_cat(char **p, const char *a)
598 {
599 char *cp;
600 size_t new_len;
601
602 new_len = strlen(a);
603
604 if (*p) {
605 size_t len = strlen(*p);
606
607 *p = xrealloc(*p, new_len + len + 2);
608 cp = *p + len;
609 } else
610 *p = cp = xmalloc(new_len + 2);
611
612 (void) memcpy(cp, a, new_len);
613 cp[new_len] = '\n';
614 cp[new_len + 1] = '\0';
615 }
616
617 #endif /* USE_PAM */