krb5_child.c revision fa3cdcff460d555f4a4905fb0a2d96be564fc599
/*
SSSD
Kerberos 5 Backend Module -- tgt_req and changepw child
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2009-2010 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <unistd.h>
#include <popt.h>
#include <security/pam_modules.h>
#include "util/sss_krb5.h"
#include "util/user_info_msg.h"
#include "util/child_common.h"
#include "providers/dp_backend.h"
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
#include "sss_cli.h"
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
struct krb5_req {
char* name;
char *realm;
char *ccname;
char *keytab;
bool validate;
bool send_pac;
bool use_enterprise_princ;
char *fast_ccname;
const char *upn;
};
static krb5_context krb5_error_ctx;
{
if (kerr != 0) {
return kerr;
}
return 0;
}
{
struct sss_cli_req_data sss_data;
int ret;
int errnop;
return EIO;
}
return EOK;
}
{
int ret;
long exp_time;
if (password_expiration == 0) {
return;
}
return;
}
return;
}
}
return;
}
/*
* TODO: These features generally would requires a significant refactoring
* of SSSD and MIT krb5 doesn't support them anyway. They are listed here
* simply as a reminder of things that might become future feature potential.
*
* 1. tokeninfo selection
* 2. challenge
* 4. interactive otp format correction
* 5. nextOTP
*
*/
typedef int (*checker)(int c);
{
switch (format) {
return isdigit;
return isxdigit;
return isalnum;
}
return NULL;
}
static int token_pin_destructor(char *mem)
{
return 0;
}
const krb5_responder_otp_tokeninfo *ti,
{
int i;
return ENOTSUP;
}
return ENOTSUP;
}
/* This is a non-sensical value. */
return EPROTO;
}
/* ASSUMPTION: authtok has one of the following formats:
* 1. TokenValue
* 2. PIN+TokenValue
*/
return ENOMEM;
}
/* If the server desires a separate pin, we will split it.
* ASSUMPTION: Format of authtok is PIN+TokenValue. */
return ENOTSUP;
}
return EMSGSIZE;
}
/* Copy the PIN from the front of the value. */
return ENOMEM;
}
/* Remove the PIN from the front of the token value. */
} else {
return EMSGSIZE;
}
}
} else {
return EMSGSIZE;
}
}
} else {
return ENOMEM;
}
}
/* If check is set, we need to verify the contents of the token. */
return EBADMSG;
}
}
return 0;
}
{
/* Either an error, or nothing to do. */
return ret;
}
/* No tokeninfos? Absurd! */
goto done;
}
/* Validate our assumptions about the contents of authtok. */
goto done;
/* Find the first supported tokeninfo which matches our authtoken. */
break;
}
switch (ret) {
case EBADMSG:
case EMSGSIZE:
case ENOTSUP:
case EPROTO:
break;
default:
goto done;
}
}
("No tokeninfos found which match our credentials.\n"));
goto done;
}
/* Don't let SSSD cache the OTP authtok since it is single-use. */
goto done;
}
}
/* Respond with the appropriate answer. */
done:
return ret;
}
void *data,
{
return EINVAL;
}
}
#endif
{
int ret;
if (num_prompts != 0) {
return KRB5_LIBOS_CANTREADPWD;
}
return EOK;
}
}
return EOK;
}
krb5_creds **_cred)
{
return ENOMEM;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
done:
if (kerr != 0) {
}
} else {
}
return kerr;
}
static krb5_error_code
{
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
} else {
}
if (kerr != 0) {
goto done;
}
#ifdef HAVE_KRB5_DIRCACHE
if (kerr != 0) {
goto done;
}
#endif /* HAVE_KRB5_DIRCACHE */
if (kerr != 0) {
goto done;
}
done:
return kerr;
}
{
char *cc_file_name;
int fd = -1;
char *dummy;
char *tmp_ccname;
} else {
}
if (cc_file_name[0] != '/') {
return EINVAL;
}
return ENOMEM;
}
if (tmp_ccname == NULL) {
goto done;
}
if (tmp_ccname == NULL) {
goto done;
}
if (fd == -1) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (fd != -1) {
fd = -1;
}
if (kerr != 0) {
goto done;
}
if (fd == -1) {
goto done;
}
}
if (kerr == -1) {
}
done:
}
if (fd != -1) {
}
return kerr;
}
#ifdef HAVE_KRB5_DIRCACHE
static errno_t
{
if (ret == -1) {
/* Failing the mkdir is only OK if the directory already
* exists AND it is owned by the same user and group and
* has the correct permissions.
*/
errno = 0;
if (ret == -1) {
return EIO;
}
("The directory %s is owned by %d/%d, expected %d/%d\n",
return EACCES;
}
("The directory %s has wrong permissions %o, expected 0700\n",
return EACCES;
}
} else {
return ret;
}
}
return EOK;
}
static krb5_error_code
{
const char *dirname;
return EIO;
}
goto done;
}
if (dirname[0] == ':') {
/* Cache name in the form of DIR::filepath represents a single
* ccache in a collection that we are trying to reuse.
*/
if (kerr != 0) {
goto done;
}
} else if (dirname[0] == '/') {
/* An absolute path denotes that krb5_child should create a new
* ccache. We can afford to just call mkdir(dirname) because we
* only want the last component to be created.
*/
if (kerr) {
("Cannot create directory %s\n", dirname));
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
} else {
("Wrong residual format for DIR in ccache %s\n", ccname));
return EIO;
}
if (kerr != 0) {
goto done;
}
done:
}
return kerr;
}
#endif /* HAVE_KRB5_DIRCACHE */
static krb5_error_code
{
enum sss_krb5_cc_type cctype;
switch (cctype) {
case SSS_KRB5_TYPE_FILE:
#ifdef HAVE_KRB5_DIRCACHE
case SSS_KRB5_TYPE_DIR:
#endif /* HAVE_KRB5_DIRCACHE */
default:
return EINVAL;
}
return EINVAL; /* Should never get here */
}
struct response_data *resp_list,
{
size_t p = 0;
struct response_data *pdr;
/* A buffer with the following structure must be created:
* int32_t status of the request (required)
* message (zero or more)
*
* A message consists of:
* int32_t type of the message
* int32_t length of the following data
* uint8_t[len] data
*/
}
if (!buf) {
return ENOMEM;
}
}
*_len = p;
return EOK;
}
{
int ret;
return ERR_INTERNAL;
}
return ENOMEM;
}
return ret;
}
{
int ret;
return ret;
}
errno = 0;
if (written == -1) {
return ret;
}
("Write error, wrote [%d] bytes, expected [%d]\n",
return EOK;
}
return EOK;
}
{
int ret;
int64_t t[4];
unsigned int upn_len = 0;
goto done;
}
if (kerr != 0) {
goto done;
}
goto done;
}
done:
return ret;
}
{
bool realm_entry_found = false;
if (kerr != 0) {
return kerr;
}
if (kerr != 0) {
return kerr;
}
/* We look for the first entry from our realm or take the last one */
if (validation_princ != NULL) {
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
}
("Found keytab entry with the realm of the credential.\n"));
realm_entry_found = true;
break;
}
}
if (!realm_entry_found) {
("Keytab entry with the realm of the credential not found "
"in keytab. Using the last entry.\n"));
}
/* Close the keytab here. Even though we're using cursors, the file
* handle is stored in the krb5_keytab structure, and it gets
* overwritten when the verify_init_creds() call below creates its own
* cursor, creating a leak. */
if (kerr != 0) {
"not verifying TGT.\n"));
goto done;
}
/* check if we got any errors from krb5_kt_next_entry */
goto done;
}
/* Get the principal to which the key belongs, for logging purposes. */
if (kerr != 0) {
"not verifying TGT.\n"));
goto done;
}
&validation_ccache, &opt);
if (kerr == 0) {
principal));
} else {
"for [%s].\n", principal));
goto done;
}
/* Try to find and send the PAC to the PAC responder.
* Failures are not critical. */
if (kerr != 0) {
"membership for user with principal [%s] " \
kerr = 0;
goto done;
}
if (kerr != 0) {
"membership for user with principal [%s] " \
kerr = 0;
}
}
done:
if (validation_ccache != NULL) {
}
}
if (validation_princ != NULL) {
}
}
return kerr;
}
{
int canonicalize = 0;
char *tmp_str;
canonicalize = 1;
}
}
char *ccname)
{
krb5_error_code kerr = 0;
&options);
if (kerr != 0) {
return kerr;
}
/* Use the updated principal in the creds in case canonicalized */
if (kerr != 0) {
goto done;
}
kerr = 0;
done:
return kerr;
}
const char *ccname)
{
char *tmp_ccname = NULL;
char *ret_ccname = NULL;
if (kerr != 0) {
return NULL;
}
if (kerr != 0) {
return NULL;
}
if (kerr !=0) {
goto done;
}
if (ret_ccname == NULL) {
}
done:
if (kerr != 0) {
}
}
return ret_ccname;
}
const char *password)
{
const char *realm_name;
int realm_length;
char *cc_name;
kr);
if (kerr != 0) {
}
("Attempting kinit for realm [%s]\n",realm_name));
sss_krb5_prompter, kr, 0,
if (kerr != 0) {
return kerr;
}
if (kerr != 0) {
return kerr;
}
} else {
}
/* We drop root privileges which were needed to read the keytab file
* for the validation of the credentials or for FAST here to run the
* ccache I/O operations with user privileges. */
if (kerr != 0) {
return kerr;
}
}
/* If kr->ccname is cache collection (DIR:/...), we want to work
* directly with file ccache (DIR::/...), but cache collection
* should be returned back to back end.
*/
}
/* Use the updated principal in the creds in case canonicalized */
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
}
kerr = 0;
done:
return kerr;
}
{
switch (kerr) {
case 0:
return ERR_OK;
case KRB5_LIBOS_CANTREADPWD:
return ERR_NO_CREDS;
case KRB5_KDC_UNREACH:
return ERR_NETWORK_IO;
case KRB5KDC_ERR_KEY_EXP:
return ERR_CREDS_EXPIRED;
return ERR_AUTH_FAILED;
case KRB5_PREAUTH_FAILED:
return ERR_CREDS_INVALID;
default:
return ERR_INTERNAL;
}
}
{
int ret;
krb5_error_code kerr = 0;
const char *newpassword = NULL;
int result_code = -1;
char *user_error_message = NULL;
const char *realm_name;
int realm_length;
return ERR_NO_CREDS;
}
if (!prelim) {
/* We do not need a password expiration warning here. */
}
if (kerr != 0) {
return kerr;
}
("Attempting kinit for realm [%s]\n",realm_name));
if (kerr != 0) {
return kerr;
}
if (prelim) {
("Initial authentication for change password operation "
"successful.\n"));
return EOK;
}
return ERR_NO_CREDS;
}
if (kerr == KRB5_KDC_UNREACH) {
return ERR_NETWORK_IO;
}
if (kerr != 0 || result_code != 0) {
if (kerr != 0) {
}
if (result_code_string.length > 0) {
if (user_error_message == NULL) {
}
}
if (result_string.length > 0) {
if (user_error_message == NULL) {
}
}
if (user_error_message != NULL) {
&user_resp_len, &user_resp);
} else {
}
}
}
return ERR_CHPASS_FAILED;
}
if (kerr == 0) {
}
return map_krb5_error(kerr);
}
{
int ret;
switch (ret) {
return ERR_INVALID_CRED_TYPE;
}
return ERR_NO_CREDS;
}
if (kerr != KRB5KDC_ERR_KEY_EXP) {
if (kerr == 0) {
}
goto done;
}
/* If the password is expired the KDC will always return
KRB5KDC_ERR_KEY_EXP regardless if the supplied password is correct or
not. In general the password can still be used to get a changepw ticket.
So we validate the password by trying to get a changepw ticket. */
if (kerr != 0) {
}
if (kerr != 0) {
return kerr;
}
sss_krb5_prompter, kr, 0,
if (kerr == 0) {
} else {
}
done:
return ret;
}
{
/* krb5_kuserok tries to verify that kr->pd->user is a locally known
* account, so we have to unset _SSS_LOOPS to make getpwnam() work. */
if (unsetenv("_SSS_LOOPS") != 0) {
"krb5_kuserok will most certainly fail.\n"));
}
if (kerr != 0) {
"krb5_kuserok may fail.\n"));
}
if (access_allowed) {
return EOK;
}
return ERR_AUTH_DENIED;
}
{
const char *ccname;
int ret;
("Unsupported authtok type for TGT renewal [%d].\n",
return ERR_INVALID_CRED_TYPE;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
} else {
}
/* We drop root privileges which were needed to read the keytab file
* for the validation of the credentials or for FAST here to run the
* ccache I/O operations with user privileges. */
if (kerr != 0) {
goto done;
}
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr != 0) {
}
done:
}
return map_krb5_error(kerr);
}
{
if (kerr != 0) {
} else {
}
return map_krb5_error(kerr);
}
{
if ((*p + auth_token_length) > size) {
return EINVAL;
}
switch (auth_token_type) {
case SSS_AUTHTOK_TYPE_EMPTY:
break;
break;
case SSS_AUTHTOK_TYPE_CCFILE:
break;
default:
return EINVAL;
}
*p += auth_token_length;
}
return ret;
}
{
size_t p = 0;
return ENOMEM;
}
p += len;
("cmd [%d] uid [%llu] gid [%llu] validate [%s] "
"enterprise principal [%s] offline [%s] UPN [%s]\n",
p += len;
p += len;
if (ret) {
return ret;
}
} else {
}
if (ret) {
return ret;
}
} else {
}
p += len;
} else {
}
return EOK;
}
{
}
}
return EOK;
}
{
if (krberr != 0) {
goto done;
}
if (krberr != 0) {
krberr = 0;
goto done;
}
krberr = 0;
done:
}
return krberr;
}
const char *primary,
const char *realm,
const char *keytab_name,
char **fast_ccname)
{
char *ccname;
char *server_name;
goto done;
}
goto done;
}
if (keytab_name != NULL) {
} else {
}
if (kerr) {
("Failed to read keytab file [%s]: %s\n",
goto done;
}
if (kerr != 0) {
("find_principal_in_keytab failed for principal %s@%s.\n",
goto done;
}
if (server_name == NULL) {
goto done;
}
if (kerr != 0) {
goto done;
}
if (kerr == 0) {
goto done;
}
}
if (kerr != 0) {
goto done;
}
kerr = 0;
done:
if (client_princ != NULL) {
}
if (server_princ != NULL) {
}
if (kerr == 0) {
}
}
return kerr;
}
{
errno = 0;
if (len == -1) {
return ret;
}
}
return ret;
}
{
char *fast_principal_realm;
char *fast_principal;
char *tmp_str;
if (tmp_str) {
if (kerr) {
return kerr;
}
&tmp_str);
if (kerr) {
return kerr;
}
if (!fast_principal) {
return KRB5KRB_ERR_GENERIC;
}
if (!fast_principal_realm) {
return ENOMEM;
}
} else {
}
if (kerr != 0) {
return kerr;
}
kr->fast_ccname);
if (kerr != 0) {
"failed.\n"));
return kerr;
}
if (demand) {
if (kerr != 0) {
"failed.\n"));
return kerr;
}
}
return EOK;
}
{
char *lifetime_str;
char *use_fast_str;
int parse_flags;
("Cannot read [%s] from environment.\n", SSSD_KRB5_REALM));
}
if (kerr != 0) {
return kerr;
}
/* Set the global error context */
if (debug_level & SSSDBG_TRACE_ALL) {
if (kerr) {
return EIO;
}
}
/* Enterprise principals require that a default realm is available. To
* make SSSD more robust in the case that the default realm option is
* missing in krb5.conf or to allow SSSD to work with multiple unconnected
* realms (e.g. AD domains without trust between them) the default realm
* will be set explicitly. */
if (kr->use_enterprise_princ) {
if (kerr != 0) {
}
}
if (kerr != 0) {
return kerr;
}
if (kerr != 0) {
return kerr;
}
return ENOMEM;
}
if (kerr != 0) {
return kerr;
}
if (kerr != 0) {
return kerr;
}
#endif
/* A prompter is used to catch messages about when a password will
* expired. The library shall not use the prompter to ask for a new password
* but shall return KRB5KDC_ERR_KEY_EXP. */
#endif
if (lifetime_str == NULL) {
} else {
if (kerr != 0) {
lifetime_str));
return kerr;
}
}
if (lifetime_str == NULL) {
} else {
if (kerr != 0) {
lifetime_str));
return kerr;
}
}
if (!offline) {
} else {
("Unsupported value [%s] for krb5_use_fast.\n",
use_fast_str));
return EINVAL;
}
}
/* TODO: set options, e.g.
* krb5_get_init_creds_opt_set_forwardable
* krb5_get_init_creds_opt_set_proxiable
* krb5_get_init_creds_opt_set_etype_list
* krb5_get_init_creds_opt_set_address_list
* krb5_get_init_creds_opt_set_preauth_list
* krb5_get_init_creds_opt_set_salt
* krb5_get_init_creds_opt_set_change_password_prompt
* krb5_get_init_creds_opt_set_pa
*/
return kerr;
}
{
int opt;
int debug_fd = -1;
struct poptOption long_options[] = {
_("Debug level"), NULL},
_("Add debug timestamps"), NULL},
_("Show timestamps with microseconds"), NULL},
_("An open file descriptor for the debug logs"), NULL},
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
switch(opt) {
default:
_exit(-1);
}
}
exit(-1);
}
if (!debug_prg_name) {
goto done;
}
if (debug_fd != -1) {
}
}
goto done;
}
goto done;
}
case SSS_PAM_AUTHENTICATE:
/* If we are offline, we need to create an empty ccache file */
if (offline) {
} else {
}
break;
case SSS_PAM_CHAUTHTOK:
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
break;
case SSS_PAM_ACCT_MGMT:
break;
case SSS_CMD_RENEW:
if (offline) {
goto done;
}
break;
default:
goto done;
}
}
done:
exit(0);
} else {
exit(-1);
}
}