0a146bb31945dd13e6f7ad35818f6842ec91ff53nd

3a5c8a7c39f03520463a70cf3f90091dc3a1eb32nd#include <sys/types.h>

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include <unistd.h>

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include <sys/stat.h>

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include <popt.h>

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include <security/pam_modules.h>

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "util/util.h"

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "util/sss_krb5.h"

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "util/user_info_msg.h"

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "util/child_common.h"

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "providers/dp_backend.h"

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "providers/krb5/krb5_auth.h"

0a146bb31945dd13e6f7ad35818f6842ec91ff53nd#include "providers/krb5/krb5_utils.h"

#include "sss_cli.h"

#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"

struct krb5_req {

krb5_context ctx;

krb5_principal princ;

char* name;

krb5_creds *creds;

krb5_get_init_creds_opt *options;

struct pam_data *pd;

char *realm;

char *ccname;

char *keytab;

bool validate;

bool send_pac;

bool use_enterprise_princ;

char *fast_ccname;

const char *upn;

uid_t uid;

gid_t gid;

};

static krb5_context krb5_error_ctx;

#define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)

static krb5_error_code get_changepw_options(krb5_context ctx,

krb5_get_init_creds_opt **_options)

{

krb5_get_init_creds_opt *options;

krb5_error_code kerr;

kerr = sss_krb5_get_init_creds_opt_alloc(ctx, &options);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

return kerr;

}

sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);

krb5_get_init_creds_opt_set_forwardable(options, 0);

krb5_get_init_creds_opt_set_proxiable(options, 0);

krb5_get_init_creds_opt_set_renew_life(options, 0);

krb5_get_init_creds_opt_set_tkt_life(options, 5*60);

*_options = options;

return 0;

}

static errno_t sss_send_pac(krb5_authdata **pac_authdata)

{

struct sss_cli_req_data sss_data;

int ret;

int errnop;

sss_data.len = pac_authdata[0]->length;

sss_data.data = pac_authdata[0]->contents;

ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,

NULL, NULL, &errnop);

if (ret != NSS_STATUS_SUCCESS || errnop != 0) {

DEBUG(SSSDBG_OP_FAILURE, ("sss_pac_make_request failed [%d][%d].\n",

ret, errnop));

return EIO;

}

return EOK;

}

static void sss_krb5_expire_callback_func(krb5_context context, void *data,

krb5_timestamp password_expiration,

krb5_timestamp account_expiration,

krb5_boolean is_last_req)

{

int ret;

uint32_t *blob;

long exp_time;

struct krb5_req *kr = talloc_get_type(data, struct krb5_req);

if (password_expiration == 0) {

return;

}

exp_time = password_expiration - time(NULL);

if (exp_time < 0 || exp_time > UINT32_MAX) {

DEBUG(1, ("Time to expire out of range.\n"));

return;

}

DEBUG(SSSDBG_TRACE_INTERNAL, ("exp_time: [%d]\n", exp_time));

blob = talloc_array(kr->pd, uint32_t, 2);

if (blob == NULL) {

DEBUG(1, ("talloc_size failed.\n"));

return;

}

blob[0] = SSS_PAM_USER_INFO_EXPIRE_WARN;

blob[1] = (uint32_t) exp_time;

ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t),

(uint8_t *) blob);

if (ret != EOK) {

DEBUG(1, ("pam_add_response failed.\n"));

}

return;

}

#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER

typedef int (*checker)(int c);

static inline checker pick_checker(int format)

{

switch (format) {

case KRB5_RESPONDER_OTP_FORMAT_DECIMAL:

return isdigit;

case KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:

return isxdigit;

case KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:

return isalnum;

}

return NULL;

}

static int token_pin_destructor(char *mem)

{

safezero(mem, strlen(mem));

return 0;

}

static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,

const krb5_responder_otp_tokeninfo *ti,

const char *pwd, size_t len,

char **out_token, char **out_pin)

{

char *token = NULL, *pin = NULL;

checker check = NULL;

int i;

if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {

return ENOTSUP;

}

if (ti->challenge != NULL) {

return ENOTSUP;

}

/* This is a non-sensical value. */

if (ti->length == 0) {

return EPROTO;

}

if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {

/* ASSUMPTION: authtok has one of the following formats:

token = talloc_strndup(mem_ctx, pwd, len);

if (token == NULL) {

return ENOMEM;

}

talloc_set_destructor(token, token_pin_destructor);

if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {

/* If the server desires a separate pin, we will split it.

if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {

if (ti->length < 1) {

talloc_free(token);

return ENOTSUP;

}

if (ti->length >= len) {

talloc_free(token);

return EMSGSIZE;

}

/* Copy the PIN from the front of the value. */

pin = talloc_strndup(NULL, pwd, len - ti->length);

if (pin == NULL) {

talloc_free(token);

return ENOMEM;

}

talloc_set_destructor(pin, token_pin_destructor);

/* Remove the PIN from the front of the token value. */

memmove(token, token + len - ti->length, ti->length + 1);

check = pick_checker(ti->format);

} else {

if (ti->length > 0 && ti->length > len) {

talloc_free(token);

return EMSGSIZE;

}

}

} else {

if (ti->length > 0 && ti->length != len) {

talloc_free(token);

return EMSGSIZE;

}

check = pick_checker(ti->format);

}

} else {

pin = talloc_strndup(mem_ctx, pwd, len);

if (pin == NULL) {

return ENOMEM;

}

talloc_set_destructor(pin, token_pin_destructor);

}

/* If check is set, we need to verify the contents of the token. */

for (i = 0; check != NULL && token[i] != '\0'; i++) {

if (!check(token[i])) {

talloc_free(token);

talloc_free(pin);

return EBADMSG;

}

}

*out_token = token;

*out_pin = pin;

return 0;

}

static krb5_error_code answer_otp(krb5_context ctx,

struct krb5_req *kr,

krb5_responder_context rctx)

{

krb5_responder_otp_challenge *chl;

char *token = NULL, *pin = NULL;

const char *pwd = NULL;

krb5_error_code ret;

size_t i, len;

ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl);

if (ret != EOK || chl == NULL) {

/* Either an error, or nothing to do. */

return ret;

}

if (chl->tokeninfo == NULL || chl->tokeninfo[0] == NULL) {

/* No tokeninfos? Absurd! */

ret = EINVAL;

goto done;

}

/* Validate our assumptions about the contents of authtok. */

ret = sss_authtok_get_password(kr->pd->authtok, &pwd, &len);

if (ret != EOK)

goto done;

/* Find the first supported tokeninfo which matches our authtoken. */

for (i = 0; chl->tokeninfo[i] != NULL; i++) {

ret = tokeninfo_matches(kr, chl->tokeninfo[i], pwd, len, &token, &pin);

if (ret == EOK) {

break;

}

switch (ret) {

case EBADMSG:

case EMSGSIZE:

case ENOTSUP:

case EPROTO:

break;

default:

goto done;

}

}

if (chl->tokeninfo[i] == NULL) {

DEBUG(SSSDBG_CRIT_FAILURE,

("No tokeninfos found which match our credentials.\n"));

ret = EOK;

goto done;

}

if (chl->tokeninfo[i]->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {

/* Don't let SSSD cache the OTP authtok since it is single-use. */

ret = pam_add_response(kr->pd, SSS_OTP, 0, NULL);

if (ret != EOK) {

DEBUG(1, ("pam_add_response failed.\n"));

goto done;

}

}

/* Respond with the appropriate answer. */

ret = krb5_responder_otp_set_answer(ctx, rctx, i, token, pin);

done:

talloc_free(token);

talloc_free(pin);

krb5_responder_otp_challenge_free(ctx, rctx, chl);

return ret;

}

static krb5_error_code sss_krb5_responder(krb5_context ctx,

void *data,

krb5_responder_context rctx)

{

struct krb5_req *kr = talloc_get_type(data, struct krb5_req);

if (kr == NULL) {

return EINVAL;

}

return answer_otp(ctx, kr, rctx);

}

#endif

static krb5_error_code sss_krb5_prompter(krb5_context context, void *data,

const char *name, const char *banner,

int num_prompts, krb5_prompt prompts[])

{

int ret;

struct krb5_req *kr = talloc_get_type(data, struct krb5_req);

if (num_prompts != 0) {

DEBUG(1, ("Cannot handle password prompts.\n"));

return KRB5_LIBOS_CANTREADPWD;

}

if (banner == NULL || *banner == '\0') {

DEBUG(5, ("Prompter called with empty banner, nothing to do.\n"));

return EOK;

}

DEBUG(SSSDBG_FUNC_DATA, ("Prompter called with [%s].\n", banner));

ret = pam_add_response(kr->pd, SSS_PAM_TEXT_MSG, strlen(banner)+1,

(const uint8_t *) banner);

if (ret != EOK) {

DEBUG(1, ("pam_add_response failed.\n"));

}

return EOK;

}

static krb5_error_code create_empty_cred(krb5_context ctx, krb5_principal princ,

krb5_creds **_cred)

{

krb5_error_code kerr;

krb5_creds *cred = NULL;

krb5_data *krb5_realm;

cred = calloc(sizeof(krb5_creds), 1);

if (cred == NULL) {

DEBUG(1, ("calloc failed.\n"));

return ENOMEM;

}

kerr = krb5_copy_principal(ctx, princ, &cred->client);

if (kerr != 0) {

DEBUG(1, ("krb5_copy_principal failed.\n"));

goto done;

}

krb5_realm = krb5_princ_realm(ctx, princ);

kerr = krb5_build_principal_ext(ctx, &cred->server,

krb5_realm->length, krb5_realm->data,

KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,

krb5_realm->length, krb5_realm->data, 0);

if (kerr != 0) {

DEBUG(1, ("krb5_build_principal_ext failed.\n"));

goto done;

}

DEBUG(SSSDBG_TRACE_INTERNAL, ("Created empty krb5_creds.\n"));

done:

if (kerr != 0) {

if (cred != NULL && cred->client != NULL) {

krb5_free_principal(ctx, cred->client);

}

free(cred);

} else {

*_cred = cred;

}

return kerr;

}

#ifdef HAVE_KRB5_CC_COLLECTION

static bool need_switch_to_principal(krb5_context ctx, krb5_principal princ)

{

krb5_error_code kerr;

krb5_ccache default_cc = NULL;

krb5_principal default_princ = NULL;

char *default_full_name = NULL;

char *full_name = NULL;

bool ret = false;

kerr = krb5_cc_default(ctx, &default_cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);

goto done;

}

kerr = krb5_cc_get_principal(ctx, default_cc, &default_princ);

if (kerr == KRB5_FCC_NOFILE) {

/* There is not any default cache. */

ret = true;

goto done;

} else if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);

goto done;

}

kerr = krb5_unparse_name(ctx, default_princ, &default_full_name);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);

goto done;

}

kerr = krb5_unparse_name(ctx, princ, &full_name);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_TRACE_INTERNAL, kerr);

goto done;

}

DEBUG(SSSDBG_FUNC_DATA,

("Comparing default principal [%s] and new principal [%s].\n",

default_full_name, full_name));

if (0 == strcmp(default_full_name, full_name)) {

ret = true;

}

done:

if (default_cc != NULL) {

kerr = krb5_cc_close(ctx, default_cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

}

/* all functions can be safely called with NULL. */

krb5_free_principal(ctx, default_princ);

krb5_free_unparsed_name(ctx, default_full_name);

krb5_free_unparsed_name(ctx, full_name);

return ret;

}

#endif /* HAVE_KRB5_CC_COLLECTION */

static krb5_error_code

store_creds_in_ccache(krb5_context ctx, krb5_principal princ,

krb5_ccache cc, krb5_creds *creds)

{

krb5_error_code kerr;

krb5_creds *l_cred;

kerr = krb5_cc_initialize(ctx, cc, princ);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

if (creds == NULL) {

kerr = create_empty_cred(ctx, princ, &l_cred);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

} else {

l_cred = creds;

}

kerr = krb5_cc_store_cred(ctx, cc, l_cred);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

#ifdef HAVE_KRB5_CC_COLLECTION

if (need_switch_to_principal(ctx, princ)) {

kerr = krb5_cc_switch(ctx, cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

}

#endif /* HAVE_KRB5_CC_COLLECTION */

kerr = krb5_cc_close(ctx, cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

done:

return kerr;

}

static krb5_error_code create_ccache_file(krb5_context ctx,

krb5_principal princ,

char *ccname, krb5_creds *creds)

{

krb5_error_code kerr;

krb5_ccache tmp_cc = NULL;

char *cc_file_name;

int fd = -1;

size_t ccname_len;

char *dummy;

char *tmp_ccname;

TALLOC_CTX *tmp_ctx = NULL;

mode_t old_umask;

DEBUG(SSSDBG_FUNC_DATA, ("Creating ccache at [%s]\n", ccname));

if (strncmp(ccname, "FILE:", 5) == 0) {

cc_file_name = ccname + 5;

} else {

cc_file_name = ccname;

}

if (cc_file_name[0] != '/') {

DEBUG(1, ("Ccache filename is not an absolute path.\n"));

return EINVAL;

}

tmp_ctx = talloc_new(tmp_ctx);

if (tmp_ctx == NULL) {

DEBUG(1, ("talloc_new failed.\n"));

return ENOMEM;

}

dummy = strrchr(cc_file_name, '/');

tmp_ccname = talloc_strndup(tmp_ctx, cc_file_name,

(size_t) (dummy-cc_file_name));

if (tmp_ccname == NULL) {

DEBUG(1, ("talloc_strdup failed.\n"));

kerr = ENOMEM;

goto done;

}

tmp_ccname = talloc_asprintf_append(tmp_ccname, "/.krb5cc_dummy_XXXXXX");

if (tmp_ccname == NULL) {

kerr = ENOMEM;

goto done;

}

old_umask = umask(077);

fd = mkstemp(tmp_ccname);

umask(old_umask);

if (fd == -1) {

kerr = errno;

DEBUG(SSSDBG_CRIT_FAILURE,

("mkstemp failed [%d][%s].\n", kerr, strerror(kerr)));

goto done;

}

kerr = krb5_cc_resolve(ctx, tmp_ccname, &tmp_cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

goto done;

}

kerr = store_creds_in_ccache(ctx, princ, tmp_cc, creds);

if (fd != -1) {

close(fd);

fd = -1;

}

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

goto done;

}

ccname_len = strlen(cc_file_name);

if (ccname_len >= 6 && strcmp(cc_file_name + (ccname_len - 6), "XXXXXX") == 0) {

fd = mkstemp(cc_file_name);

if (fd == -1) {

kerr = errno;

DEBUG(SSSDBG_CRIT_FAILURE,

("mkstemp failed [%d][%s].\n", kerr, strerror(kerr)));

goto done;

}

}

kerr = rename(tmp_ccname, cc_file_name);

if (kerr == -1) {

kerr = errno;

DEBUG(1, ("rename failed [%d][%s].\n", kerr, strerror(kerr)));

}

DEBUG(SSSDBG_TRACE_LIBS, ("Created ccache file: [%s]\n", ccname));

done:

if (kerr != 0 && tmp_cc != NULL) {

krb5_cc_destroy(ctx, tmp_cc);

}

if (fd != -1) {

close(fd);

}

talloc_free(tmp_ctx);

return kerr;

}

#ifdef HAVE_KRB5_CC_COLLECTION

static errno_t

create_ccdir(const char *dirname, uid_t uid, gid_t gid)

{

mode_t old_umask;

struct stat statbuf;

errno_t ret;

old_umask = umask(0000);

ret = mkdir(dirname, 0700);

umask(old_umask);

if (ret == -1) {

/* Failing the mkdir is only OK if the directory already

ret = errno;

if (ret == EEXIST) {

errno = 0;

ret = stat(dirname, &statbuf);

if (ret == -1) {

ret = errno;

DEBUG(SSSDBG_CRIT_FAILURE,

("stat failed [%d]: %s\n", ret, strerror(ret)));

return EIO;

}

if (statbuf.st_uid != uid || statbuf.st_gid != gid) {

DEBUG(SSSDBG_CRIT_FAILURE,

("The directory %s is owned by %d/%d, expected %d/%d\n",

dirname, statbuf.st_uid, statbuf.st_gid, uid, gid));

return EACCES;

}

if ((statbuf.st_mode & ~S_IFMT) != 0700) {

DEBUG(SSSDBG_CRIT_FAILURE,

("The directory %s has wrong permissions %o, expected 0700\n",

dirname, (statbuf.st_mode & ~S_IFMT)));

return EACCES;

}

} else {

DEBUG(SSSDBG_CRIT_FAILURE, ("mkdir [%s] failed [%d]: %s\n",

dirname, ret, strerror(ret)));

return ret;

}

}

return EOK;

}

static krb5_error_code

create_ccache_in_dir(uid_t uid, gid_t gid,

krb5_context ctx,

krb5_principal princ,

char *ccname, krb5_creds *creds)

{

krb5_error_code kerr;

krb5_ccache tmp_cc = NULL;

const char *dirname;

DEBUG(SSSDBG_FUNC_DATA, ("Creating ccache at [%s]\n", ccname));

dirname = sss_krb5_residual_check_type(ccname, SSS_KRB5_TYPE_DIR);

if (dirname == NULL) {

return EIO;

}

if (dirname[0] == ':') {

/* Cache name in the form of DIR::filepath represents a single

kerr = krb5_cc_resolve(ctx, ccname, &tmp_cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

} else if (dirname[0] == '/') {

/* An absolute path denotes that krb5_child should create a new

kerr = create_ccdir(dirname, uid, gid);

if (kerr) {

DEBUG(SSSDBG_OP_FAILURE,

("Cannot create directory %s\n", dirname));

goto done;

}

kerr = krb5_cc_set_default_name(ctx, ccname);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

kerr = krb5_cc_new_unique(ctx, "DIR", NULL, &tmp_cc);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

} else {

DEBUG(SSSDBG_CRIT_FAILURE,

("Wrong residual format for DIR in ccache %s\n", ccname));

return EIO;

}

kerr = store_creds_in_ccache(ctx, princ, tmp_cc, creds);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_OP_FAILURE, kerr);

goto done;

}

done:

if (kerr != 0 && tmp_cc != NULL) {

krb5_cc_destroy(ctx, tmp_cc);

}

return kerr;

}

#endif /* HAVE_KRB5_CC_COLLECTION */

static krb5_error_code

create_ccache(uid_t uid, gid_t gid, krb5_context ctx,

krb5_principal princ, char *ccname, krb5_creds *creds)

{

enum sss_krb5_cc_type cctype;

cctype = sss_krb5_get_type(ccname);

switch (cctype) {

case SSS_KRB5_TYPE_FILE:

return create_ccache_file(ctx, princ, ccname, creds);

#ifdef HAVE_KRB5_CC_COLLECTION

case SSS_KRB5_TYPE_DIR:

return create_ccache_in_dir(uid, gid, ctx, princ, ccname, creds);

#endif /* HAVE_KRB5_CC_COLLECTION */

default:

DEBUG(SSSDBG_CRIT_FAILURE, ("Unknown cache type\n"));

return EINVAL;

}

return EINVAL; /* Should never get here */

}

static errno_t pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error,

struct response_data *resp_list,

uint8_t **_buf, size_t *_len)

{

uint8_t *buf;

size_t size = 0;

size_t p = 0;

struct response_data *pdr;

/* A buffer with the following structure must be created:

size = sizeof(int32_t);

for (pdr = resp_list; pdr != NULL; pdr = pdr->next) {

size += 2*sizeof(int32_t) + pdr->len;

}

buf = talloc_array(mem_ctx, uint8_t, size);

if (!buf) {

DEBUG(1, ("Insufficient memory to create message.\n"));

return ENOMEM;

}

SAFEALIGN_SET_INT32(&buf[p], error, &p);

for (pdr = resp_list; pdr != NULL; pdr = pdr->next) {

SAFEALIGN_SET_INT32(&buf[p], pdr->type, &p);

SAFEALIGN_SET_INT32(&buf[p], pdr->len, &p);

safealign_memcpy(&buf[p], pdr->data, pdr->len, &p);

}

DEBUG(SSSDBG_TRACE_INTERNAL, ("response packet size: [%d]\n", p));

*_buf = buf;

*_len = p;

return EOK;

}

static errno_t k5c_attach_ccname_msg(struct krb5_req *kr)

{

char *msg = NULL;

int ret;

if (kr->ccname == NULL) {

DEBUG(1, ("Error obtaining ccname.\n"));

return ERR_INTERNAL;

}

msg = talloc_asprintf(kr, "%s=%s",CCACHE_ENV_NAME, kr->ccname);

if (msg == NULL) {

DEBUG(1, ("talloc_asprintf failed.\n"));

return ENOMEM;

}

ret = pam_add_response(kr->pd, SSS_PAM_ENV_ITEM,

strlen(msg) + 1, (uint8_t *)msg);

talloc_zfree(msg);

return ret;

}

static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error)

{

size_t written;

uint8_t *buf;

size_t len;

int ret;

ret = pack_response_packet(kr, error, kr->pd->resp_list, &buf, &len);

if (ret != EOK) {

DEBUG(1, ("pack_response_packet failed.\n"));

return ret;

}

errno = 0;

written = sss_atomic_write_s(fd, buf, len);

if (written == -1) {

ret = errno;

DEBUG(SSSDBG_CRIT_FAILURE,

("write failed [%d][%s].\n", ret, strerror(ret)));

return ret;

}

if (written != len) {

DEBUG(SSSDBG_CRIT_FAILURE,

("Write error, wrote [%d] bytes, expected [%d]\n",

written, len));

return EOK;

}

DEBUG(SSSDBG_TRACE_ALL, ("Response sent.\n"));

return EOK;

}

static errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)

{

int ret;

int64_t t[4];

krb5_error_code kerr;

char *upn = NULL;

unsigned int upn_len = 0;

t[0] = (int64_t) kr->creds->times.authtime;

t[1] = (int64_t) kr->creds->times.starttime;

t[2] = (int64_t) kr->creds->times.endtime;

t[3] = (int64_t) kr->creds->times.renew_till;

ret = pam_add_response(kr->pd, SSS_KRB5_INFO_TGT_LIFETIME,

4*sizeof(int64_t), (uint8_t *) t);

if (ret != EOK) {

DEBUG(1, ("pack_response_packet failed.\n"));

goto done;

}

kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);

if (kerr != 0) {

DEBUG(SSSDBG_OP_FAILURE, ("krb5_unparse_name failed.\n"));

goto done;

}

ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,

(uint8_t *) upn);

krb5_free_unparsed_name(kr->ctx, upn);

if (ret != EOK) {

DEBUG(1, ("pack_response_packet failed.\n"));

goto done;

}

done:

return ret;

}

static krb5_error_code validate_tgt(struct krb5_req *kr)

{

krb5_error_code kerr;

krb5_error_code kt_err;

char *principal = NULL;

krb5_keytab keytab;

krb5_kt_cursor cursor;

krb5_keytab_entry entry;

krb5_verify_init_creds_opt opt;

krb5_principal validation_princ = NULL;

bool realm_entry_found = false;

krb5_ccache validation_ccache = NULL;

krb5_authdata **pac_authdata = NULL;

memset(&keytab, 0, sizeof(keytab));

kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);

if (kerr != 0) {

DEBUG(SSSDBG_CRIT_FAILURE, ("error resolving keytab [%s], " \

"not verifying TGT.\n", kr->keytab));

return kerr;

}

memset(&cursor, 0, sizeof(cursor));

kerr = krb5_kt_start_seq_get(kr->ctx, keytab, &cursor);

if (kerr != 0) {

DEBUG(SSSDBG_CRIT_FAILURE, ("error reading keytab [%s], " \

"not verifying TGT.\n", kr->keytab));

return kerr;

}

/* We look for the first entry from our realm or take the last one */

memset(&entry, 0, sizeof(entry));

while ((kt_err = krb5_kt_next_entry(kr->ctx, keytab, &entry, &cursor)) == 0) {

if (validation_princ != NULL) {

krb5_free_principal(kr->ctx, validation_princ);

validation_princ = NULL;

}

kerr = krb5_copy_principal(kr->ctx, entry.principal,

&validation_princ);

if (kerr != 0) {

DEBUG(SSSDBG_CRIT_FAILURE, ("krb5_copy_principal failed.\n"));

goto done;

}

kerr = sss_krb5_free_keytab_entry_contents(kr->ctx, &entry);

if (kerr != 0) {

DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to free keytab entry.\n"));

}

memset(&entry, 0, sizeof(entry));

if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) {

DEBUG(SSSDBG_TRACE_INTERNAL,

("Found keytab entry with the realm of the credential.\n"));

realm_entry_found = true;

break;

}

}

if (!realm_entry_found) {

DEBUG(SSSDBG_TRACE_INTERNAL,

("Keytab entry with the realm of the credential not found "

"in keytab. Using the last entry.\n"));

}

/* Close the keytab here. Even though we're using cursors, the file

kerr = krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);

if (kerr != 0) {

DEBUG(SSSDBG_CRIT_FAILURE, ("krb5_kt_end_seq_get failed, " \

"not verifying TGT.\n"));

goto done;

}

/* check if we got any errors from krb5_kt_next_entry */

if (kt_err != 0 && kt_err != KRB5_KT_END) {

DEBUG(SSSDBG_CRIT_FAILURE, ("error reading keytab [%s], " \

"not verifying TGT.\n", kr->keytab));

goto done;

}

/* Get the principal to which the key belongs, for logging purposes. */

principal = NULL;

kerr = krb5_unparse_name(kr->ctx, validation_princ, &principal);

if (kerr != 0) {

DEBUG(SSSDBG_CRIT_FAILURE, ("internal error parsing principal name, "

"not verifying TGT.\n"));

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

goto done;

}

krb5_verify_init_creds_opt_init(&opt);

kerr = krb5_verify_init_creds(kr->ctx, kr->creds, validation_princ, keytab,

&validation_ccache, &opt);

if (kerr == 0) {

DEBUG(SSSDBG_TRACE_FUNC, ("TGT verified using key for [%s].\n",

principal));

} else {

DEBUG(SSSDBG_CRIT_FAILURE ,("TGT failed verification using key " \

"for [%s].\n", principal));

goto done;

}

/* Try to find and send the PAC to the PAC responder.

if (kr->send_pac) {

kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,

kr->creds->client, keytab, &pac_authdata);

if (kerr != 0) {

DEBUG(SSSDBG_OP_FAILURE, ("sss_extract_and_send_pac failed, group " \

"membership for user with principal [%s] " \

"might not be correct.\n", kr->name));

kerr = 0;

goto done;

}

kerr = sss_send_pac(pac_authdata);

krb5_free_authdata(kr->ctx, pac_authdata);

if (kerr != 0) {

DEBUG(SSSDBG_OP_FAILURE, ("sss_send_pac failed, group " \

"membership for user with principal [%s] " \

"might not be correct.\n", kr->name));

kerr = 0;

}

}

done:

if (validation_ccache != NULL) {

krb5_cc_destroy(kr->ctx, validation_ccache);

}

if (krb5_kt_close(kr->ctx, keytab) != 0) {

DEBUG(SSSDBG_MINOR_FAILURE, ("krb5_kt_close failed"));

}

if (validation_princ != NULL) {

krb5_free_principal(kr->ctx, validation_princ);

}

if (principal != NULL) {

sss_krb5_free_unparsed_name(kr->ctx, principal);

}

return kerr;

}

static void krb5_set_canonicalize(krb5_get_init_creds_opt *opts)

{

int canonicalize = 0;

char *tmp_str;

tmp_str = getenv(SSSD_KRB5_CANONICALIZE);

if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {

canonicalize = 1;

}

DEBUG(SSSDBG_CONF_SETTINGS, ("%s is set to [%s]\n",

SSSD_KRB5_CANONICALIZE, tmp_str ? tmp_str : "not set"));

sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);

}

static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,

krb5_principal princ,

krb5_keytab keytab,

char *ccname)

{

krb5_error_code kerr = 0;

krb5_creds creds;

krb5_get_init_creds_opt options;

memset(&creds, 0, sizeof(creds));

memset(&options, 0, sizeof(options));

krb5_get_init_creds_opt_set_address_list(&options, NULL);

krb5_get_init_creds_opt_set_forwardable(&options, 0);

krb5_get_init_creds_opt_set_proxiable(&options, 0);

krb5_set_canonicalize(&options);

kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,

&options);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

return kerr;

}

/* Use the updated principal in the creds in case canonicalized */

kerr = create_ccache_file(ctx, creds.client, ccname, &creds);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

goto done;

}

kerr = 0;

done:

krb5_free_cred_contents(ctx, &creds);

return kerr;

}

static krb5_error_code get_and_save_tgt(struct krb5_req *kr,

const char *password)

{

const char *realm_name;

int realm_length;

krb5_error_code kerr;

char *cc_name;

krb5_principal principal;

kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,

sss_krb5_expire_callback_func,

kr);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

DEBUG(1, ("Failed to set expire callback, continue without.\n"));

}

sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);

DEBUG(SSSDBG_TRACE_FUNC,

("Attempting kinit for realm [%s]\n",realm_name));

kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,

discard_const(password),

sss_krb5_prompter, kr, 0,

NULL, kr->options);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

return kerr;

}

if (kr->validate) {

kerr = validate_tgt(kr);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

return kerr;

}

} else {

DEBUG(SSSDBG_CONF_SETTINGS, ("TGT validation is disabled.\n"));

}

if (kr->validate || kr->fast_ccname != NULL) {

/* We drop root privileges which were needed to read the keytab file

kerr = become_user(kr->uid, kr->gid);

if (kerr != 0) {

DEBUG(1, ("become_user failed.\n"));

return kerr;

}

}

principal = kr->creds ? kr->creds->client : kr->princ;

/* If kr->ccname is cache collection (DIR:/...), we want to work

cc_name = sss_get_ccache_name_for_principal(kr->pd, kr->ctx, principal,

kr->ccname);

if (cc_name == NULL) {

cc_name = kr->ccname;

}

/* Use the updated principal in the creds in case canonicalized */

kerr = create_ccache(kr->uid, kr->gid, kr->ctx,

principal, cc_name, kr->creds);

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

goto done;

}

kerr = add_ticket_times_and_upn_to_response(kr);

if (kerr != 0) {

DEBUG(1, ("add_ticket_times_and_upn_to_response failed.\n"));

}

kerr = 0;

done:

krb5_free_cred_contents(kr->ctx, kr->creds);

return kerr;

}

static errno_t map_krb5_error(krb5_error_code kerr)

{

if (kerr != 0) {

KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);

}

switch (kerr) {

case 0:

return ERR_OK;

case KRB5_LIBOS_CANTREADPWD:

return ERR_NO_CREDS;

case KRB5_KDC_UNREACH:

return ERR_NETWORK_IO;

case KRB5KDC_ERR_KEY_EXP:

return ERR_CREDS_EXPIRED;

case KRB5KRB_AP_ERR_BAD_INTEGRITY:

return ERR_AUTH_FAILED;

case KRB5_PREAUTH_FAILED:

case KRB5KDC_ERR_PREAUTH_FAILED:

return ERR_CREDS_INVALID;

default:

return ERR_INTERNAL;

}

}

static errno_t changepw_child(struct krb5_req *kr, bool prelim)

{

int ret;

krb5_error_code kerr = 0;

const char *password = NULL;

const char *newpassword = NULL;

int result_code = -1;

krb5_data result_code_string;

krb5_data result_string;

char *user_error_message = NULL;

size_t user_resp_len;

uint8_t *user_resp;

krb5_prompter_fct prompter = NULL;

const char *realm_name;

int realm_length;

krb5_get_init_creds_opt *chagepw_options;

size_t msg_len;

uint8_t *msg;

DEBUG(SSSDBG_TRACE_LIBS, ("Password change operation\n"));

ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);

if (ret != EOK) {

DEBUG(1, ("Failed to fetch current password [%d] %s.\n",

ret, strerror(ret)));

return ERR_NO_CREDS;

}

if (!prelim) {

/* We do not need a password expiration warning here. */

prompter = sss_krb5_prompter;

}

kerr = get_changepw_options(kr->ctx, &chagepw_options);

if (kerr != 0) {

DEBUG(SSSDBG_OP_FAILURE, ("get_changepw_options failed.\n"));

return kerr;

}

sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);

DEBUG(SSSDBG_TRACE_FUNC,

("Attempting kinit for realm [%s]\n",realm_name));

kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,

discard_const(password),

prompter, kr, 0,

SSSD_KRB5_CHANGEPW_PRINCIPAL,

chagepw_options);

sss_krb5_get_init_creds_opt_free(kr->ctx, chagepw_options);

if (kerr != 0) {

ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",

&msg_len, &msg);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE,

("pack_user_info_chpass_error failed.\n"));

} else {

ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len,

msg);

if (ret != EOK) {

DEBUG(SSSDBG_CRIT_FAILURE,

("pam_add_response failed.\n"));

}

}

return kerr;

}

sss_authtok_set_empty(kr->pd->authtok);

if (prelim) {