void dfs_unlogin(void)
{
error_status_t err;
int err2;
unsigned char dce_errstr[dce_c_error_string_len];
sec_login_purge_context(my_dce_sec_context, &err);
if (err != error_status_ok )
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE purge login context failed for server instance %d: %s\n",
getpid(), dce_errstr));
}
}
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
sec_passwd_rec_t pwr;
sec_login_handle_t lhdl;
boolean32 rstpwd;
sec_login_auth_src_t asrc;
error_status_t status;
FILE *fd;
/* easy case */
if (pw->pw_passwd && pw->pw_passwd[0] && pw->pw_passwd[1] &&
!strcmp (pw->pw_passwd,(char *) crypt (pass,pw->pw_passwd))) return pw;
/* try DCE password cache file */
if (fd = fopen (PASSWD_OVERRIDE,"r")) {
char *usr = cpystr (pw->pw_name);
while ((pw = fgetpwent (fd)) && strcmp (usr,pw->pw_name));
fclose (fd); /* finished with cache file */
/* validate cached password */
if (pw && pw->pw_passwd && pw->pw_passwd[0] && pw->pw_passwd[1] &&
!strcmp (pw->pw_passwd,(char *) crypt (pass,pw->pw_passwd))) {
fs_give ((void **) &usr);
return pw;
}
if (!pw) pw = getpwnam (usr);
fs_give ((void **) &usr);
}
if (pw) { /* try S-L-O-W DCE... */
sec_login_setup_identity ((unsigned_char_p_t) pw->pw_name,
sec_login_no_flags,&lhdl,&status);
if (status == error_status_ok) {
pwr.key.tagged_union.plain = (idl_char *) pass;
pwr.key.key_type = sec_passwd_plain;
pwr.pepper = NIL;
pwr.version_number = sec_passwd_c_version_none;
/* validate password with login context */
sec_login_validate_identity (lhdl,&pwr,&rstpwd,&asrc,&status);
if (!rstpwd && (asrc == sec_login_auth_src_network) &&
(status == error_status_ok)) {
sec_login_purge_context (&lhdl,&status);
if (status == error_status_ok) return pw;
}
}
}
return NIL; /* password validation failed */
}
/**
* @brief
* Removes the dce login context in case of fork fail
* or child finishes its task.
*
* @return - Error code
* @retval -1 Failure
* @retval 0 Success
*
*/
int
remove_context()
{
error_status_t st;
if (have_login_context) {
sec_login_purge_context(&lcon, &st);
if (st != error_status_ok) {
dce_error_inq_text(st, err_string, &inq_st);
fprintf(stderr,
"Error purging DCE login context for %s - cache not destroyed\n",
username, err_string);
return (-1);
}
have_login_context = 0;
}
return (0);
}
/*******************************************************************
check on a DCE/DFS authentication
********************************************************************/
static BOOL dfs_auth(char *this_user,char *password)
{
error_status_t err;
int err2;
int prterr;
boolean32 password_reset;
sec_passwd_rec_t my_dce_password;
sec_login_auth_src_t auth_src = sec_login_auth_src_network;
unsigned char dce_errstr[dce_c_error_string_len];
/*
* We only go for a DCE login context if the given password
* matches that stored in the local password file..
* Assumes local passwd file is kept in sync w/ DCE RGY!
*/
/* Fix for original (broken) code from Brett Wooldridge <*****@*****.**> */
if (dcelogin_atmost_once)
return (False);
/* This can be ifdefed as the DCE check below is stricter... */
#ifndef NO_CRYPT
if ( strcmp((char *)crypt(password,this_salt),this_crypted) )
return (False);
#endif
if (sec_login_setup_identity(
(unsigned char *)this_user,
sec_login_no_flags,
&my_dce_sec_context,
&err) == 0)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
this_user,dce_errstr));
return(False);
}
my_dce_password.version_number = sec_passwd_c_version_none;
my_dce_password.pepper = NULL;
my_dce_password.key.key_type = sec_passwd_plain;
my_dce_password.key.tagged_union.plain = (idl_char *)password;
if (sec_login_valid_and_cert_ident(my_dce_sec_context,
&my_dce_password,
&password_reset,
&auth_src,
&err) == 0 )
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
this_user,dce_errstr));
return(False);
}
sec_login_set_context(my_dce_sec_context, &err);
if (err != error_status_ok )
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n",
this_user,dce_errstr));
sec_login_purge_context(my_dce_sec_context, &err);
return(False);
}
else
{
DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
this_user, getpid()));
}
dcelogin_atmost_once = 1;
return (True);
}
int
sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback)
{
struct passwd temp_pw;
sec_passwd_rec_t password_rec;
sec_login_handle_t login_context;
boolean32 reset_passwd;
sec_login_auth_src_t auth_src;
error_status_t status;
debug_decl(sudo_dce_verify, SUDOERS_DEBUG_AUTH)
/*
* Create the local context of the DCE principal necessary
* to perform authenticated network operations. The network
* identity set up by this operation cannot be used until it
* is validated via sec_login_validate_identity().
*/
if (sec_login_setup_identity((unsigned_char_p_t) pw->pw_name,
sec_login_no_flags, &login_context, &status)) {
if (check_dce_status(status, "sec_login_setup_identity(1):"))
debug_return_int(AUTH_FAILURE);
password_rec.key.key_type = sec_passwd_plain;
password_rec.key.tagged_union.plain = (idl_char *) plain_pw;
password_rec.pepper = NULL;
password_rec.version_number = sec_passwd_c_version_none;
/* Validate the login context with the password */
if (sec_login_validate_identity(login_context, &password_rec,
&reset_passwd, &auth_src, &status)) {
if (check_dce_status(status, "sec_login_validate_identity(1):"))
debug_return_int(AUTH_FAILURE);
/*
* Certify that the DCE Security Server used to set
* up and validate a login context is legitimate. Makes
* sure that we didn't get spoofed by another DCE server.
*/
if (!sec_login_certify_identity(login_context, &status)) {
sudo_printf(SUDO_CONV_ERROR_MSG,
"Whoa! Bogus authentication server!\n");
(void) check_dce_status(status,"sec_login_certify_identity(1):");
debug_return_int(AUTH_FAILURE);
}
if (check_dce_status(status, "sec_login_certify_identity(2):"))
debug_return_int(AUTH_FAILURE);
/*
* Sets the network credentials to those specified
* by the now validated login context.
*/
sec_login_set_context(login_context, &status);
if (check_dce_status(status, "sec_login_set_context:"))
debug_return_int(AUTH_FAILURE);
/*
* Oops, your credentials were no good. Possibly
* caused by clock times out of adjustment between
* DCE client and DCE security server...
*/
if (auth_src != sec_login_auth_src_network) {
sudo_printf(SUDO_CONV_ERROR_MSG,
"You have no network credentials.\n");
debug_return_int(AUTH_FAILURE);
}
/* Check if the password has aged and is thus no good */
if (reset_passwd) {
sudo_printf(SUDO_CONV_ERROR_MSG,
"Your DCE password needs resetting.\n");
debug_return_int(AUTH_FAILURE);
}
/*
* We should be a valid user by this point. Pull the
* user's password structure from the DCE security
* server just to make sure. If we get it with no
* problems, then we really are legitimate...
*/
sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw,
&status);
if (check_dce_status(status, "sec_login_get_pwent:"))
debug_return_int(AUTH_FAILURE);
/*
* If we get to here, then the pwent above properly fetched
* the password structure from the DCE registry, so the user
* must be valid. We don't really care what the user's
* registry password is, just that the user could be
* validated. In fact, if we tried to compare the local
* password to the DCE entry at this point, the operation
* would fail if the hidden password feature is turned on,
* because the password field would contain an asterisk.
* Also go ahead and destroy the user's DCE login context
* before we leave here (and don't bother checking the
* status), in order to clean up credentials files in
* /opt/dcelocal/var/security/creds. By doing this, we are
* assuming that the user will not need DCE authentication
* later in the program, only local authentication. If this
* is not true, then the login_context will have to be
* returned to the calling program, and the context purged
* somewhere later in the program.
*/
sec_login_purge_context(&login_context, &status);
debug_return_int(AUTH_SUCCESS);
} else {
if(check_dce_status(status, "sec_login_validate_identity(2):"))
debug_return_int(AUTH_FAILURE);
sec_login_purge_context(&login_context, &status);
if(check_dce_status(status, "sec_login_purge_context:"))
debug_return_int(AUTH_FAILURE);
}
}
(void) check_dce_status(status, "sec_login_setup_identity(2):");
debug_return_int(AUTH_FAILURE);
}
/*
* pam_sm_setcred
*/
int
pam_sm_setcred(
pam_handle_t *pamh,
int flags,
int argc,
const char **argv)
{
int debug = 0;
int warn = 1;
int i;
dce_module_data_t *dsd;
error_status_t st;
int err;
for (i = 0; i < argc; i++) {
if (strcmp(argv[i], "debug") == 0)
debug = 1;
if (strcmp(argv[i], "nowarn") == 0)
warn = 0;
}
if (flags & PAM_SILENT) warn = 0;
if (debug)
syslog(LOG_DEBUG, "DCE pam_setcred");
if (pam_get_data(pamh, DCE_DATA, (void**)&dsd) != PAM_SUCCESS ||
dsd == NULL) {
if (flags & PAM_DELETE_CRED) {
sec_login_handle_t context;
/* attempt to get current context and purge */
sec_login_get_current_context(&context, &st);
if (st == error_status_ok) {
sec_login_purge_context(&context, &st);
}
return (st == error_status_ok ? PAM_SUCCESS :
PAM_CRED_UNAVAIL);
}
if (warn) do_cred_warn(pamh);
return (PAM_IGNORE); /* since pam_auth was never called */
}
if (dsd->auth_status != PAM_SUCCESS)
return (dsd->auth_status);
if (flags & PAM_DELETE_CRED) {
(void) sec_login_purge_context(dsd->login_context, &st);
if (debug) {
dce_error_string_t text;
syslog(LOG_DEBUG,
"PAM: DCE sec_login_purge_context: %s",
get_dce_error_message(st, text));
}
} else {
if (dsd->auth_src == sec_login_auth_src_local) {
/* we can't set_context on locally authenticated */
/* contexts */
st = sec_login_s_auth_local;
} else {
(void) sec_login_set_context(dsd->login_context, &st);
}
if (debug) {
dce_error_string_t text;
syslog(LOG_DEBUG, "PAM: DCE sec_login_set_context: %s",
get_dce_error_message(st, text));
}
}
/* might want an option to return success even if set_context failed */
if (st == error_status_ok) {
return (PAM_SUCCESS);
} else {
if (warn) do_cred_warn(pamh);
if (debug) syslog(LOG_DEBUG,
"Can't set user login context");
return (PAM_CRED_ERR);
}
}
/*******************************************************************
check on a DCE/DFS authentication
********************************************************************/
static BOOL dfs_auth(char *user, char *password)
{
error_status_t err;
int err2;
int prterr;
signed32 expire_time, current_time;
boolean32 password_reset;
struct passwd *pw;
sec_passwd_rec_t passwd_rec;
sec_login_auth_src_t auth_src = sec_login_auth_src_network;
unsigned char dce_errstr[dce_c_error_string_len];
gid_t egid;
if (dcelogin_atmost_once)
return (False);
#ifdef HAVE_CRYPT
/*
* We only go for a DCE login context if the given password
* matches that stored in the local password file..
* Assumes local passwd file is kept in sync w/ DCE RGY!
*/
if (strcmp((char *)crypt(password, this_salt), this_crypted))
{
return (False);
}
#endif
sec_login_get_current_context(&my_dce_sec_context, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
return (False);
}
sec_login_certify_identity(my_dce_sec_context, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
return (False);
}
sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
return (False);
}
time(¤t_time);
if (expire_time < (current_time + 60))
{
struct passwd *pw;
sec_passwd_rec_t *key;
sec_login_get_pwent(my_dce_sec_context,
(sec_login_passwd_t *) & pw, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
return (False);
}
sec_login_refresh_identity(my_dce_sec_context, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't refresh identity. %s\n",
dce_errstr));
return (False);
}
sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
(unsigned char *)pw->pw_name,
sec_c_key_version_none,
(void **)&key, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get key for %s. %s\n",
pw->pw_name, dce_errstr));
return (False);
}
sec_login_valid_and_cert_ident(my_dce_sec_context, key,
&password_reset, &auth_src,
&err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,
("DCE can't validate and certify identity for %s. %s\n",
pw->pw_name, dce_errstr));
}
sec_key_mgmt_free_key(key, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't free key.\n", dce_errstr));
}
}
if (sec_login_setup_identity((unsigned char *)user,
sec_login_no_flags,
&my_dce_sec_context, &err) == 0)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
user, dce_errstr));
return (False);
}
sec_login_get_pwent(my_dce_sec_context,
(sec_login_passwd_t *) & pw, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
return (False);
}
sec_login_purge_context(&my_dce_sec_context, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr));
return (False);
}
/*
* NB. I'd like to change these to call something like change_to_user()
* instead but currently we don't have a connection
* context to become the correct user. This is already
* fairly platform specific code however, so I think
* this should be ok. I have added code to go
* back to being root on error though. JRA.
*/
egid = getegid();
set_effective_gid(pw->pw_gid);
set_effective_uid(pw->pw_uid);
if (sec_login_setup_identity((unsigned char *)user,
sec_login_no_flags,
&my_dce_sec_context, &err) == 0)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
user, dce_errstr));
goto err;
}
sec_login_get_pwent(my_dce_sec_context,
(sec_login_passwd_t *) & pw, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
goto err;
}
passwd_rec.version_number = sec_passwd_c_version_none;
passwd_rec.pepper = NULL;
passwd_rec.key.key_type = sec_passwd_plain;
passwd_rec.key.tagged_union.plain = (idl_char *) password;
sec_login_validate_identity(my_dce_sec_context,
&passwd_rec, &password_reset,
&auth_src, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,
("DCE Identity Validation failed for principal %s: %s\n",
user, dce_errstr));
goto err;
}
sec_login_certify_identity(my_dce_sec_context, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr));
goto err;
}
if (auth_src != sec_login_auth_src_network)
{
DEBUG(0, ("DCE context has no network credentials.\n"));
}
sec_login_set_context(my_dce_sec_context, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,
("DCE login failed for principal %s, cant set context: %s\n",
user, dce_errstr));
sec_login_purge_context(&my_dce_sec_context, &err);
goto err;
}
sec_login_get_pwent(my_dce_sec_context,
(sec_login_passwd_t *) & pw, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
goto err;
}
DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n",
user, sys_getpid()));
DEBUG(3, ("DCE principal: %s\n"
" uid: %d\n"
" gid: %d\n",
pw->pw_name, pw->pw_uid, pw->pw_gid));
DEBUG(3, (" info: %s\n"
" dir: %s\n"
" shell: %s\n",
pw->pw_gecos, pw->pw_dir, pw->pw_shell));
sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
if (err != error_status_ok)
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
goto err;
}
set_effective_uid(0);
set_effective_gid(0);
DEBUG(0,
("DCE context expires: %s", asctime(localtime(&expire_time))));
dcelogin_atmost_once = 1;
return (True);
err:
/* Go back to root, JRA. */
set_effective_uid(0);
set_effective_gid(egid);
return (False);
}