/** * @brief * renews the login context after certain time * * @param[in] lcon - structure handle for sec_login * * @return - time_t * @retval retry_time(now + SHORT_TIME) - refresh failure * validation failure * @retval refresh_time Success * */ time_t do_refresh(sec_login_handle_t lcon) { error_status_t st; time_t now = time(NULL); time_t retry_time = now + SHORT_TIME; boolean32 reset_passwd; sec_login_auth_src_t auth_src; if (!sec_login_refresh_identity(lcon, &st)) { /* fail refresh */ if (st == error_status_ok) { fprintf(stderr, "sec_login_refresh_identity fail - reason??\n"); } else { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "identity refresh fail - %s\n", err_string); } return retry_time; } else { /* refresh successful, try to validate */ fill_pwdrec((char*)&tmp_passwd[0], &pwdrec); if (!sec_login_validate_identity(lcon, &pwdrec, &reset_passwd, &auth_src, &st)) { /* fail validate */ if (st == error_status_ok) { fprintf(stderr, "sec_login_validate_identity fail - reason??\n"); } else { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "validate refresh fail - %s\n", err_string); } return retry_time; } else { /* refreshed and validated */ /* verify login_context is from trusted security server */ /* needed for error_status_ok from sec_login_get_expiration */ if (!sec_login_certify_identity(lcon, &st)) { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "failed certification of login_context for %s - %s\n", username, err_string); } } } return (compute_refresh_time(lcon)); }
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[]) { sec_passwd_rec_t pwr; sec_login_handle_t lhdl; boolean32 rstpwd; sec_login_auth_src_t asrc; error_status_t status; FILE *fd; /* easy case */ if (pw->pw_passwd && pw->pw_passwd[0] && pw->pw_passwd[1] && !strcmp (pw->pw_passwd,(char *) crypt (pass,pw->pw_passwd))) return pw; /* try DCE password cache file */ if (fd = fopen (PASSWD_OVERRIDE,"r")) { char *usr = cpystr (pw->pw_name); while ((pw = fgetpwent (fd)) && strcmp (usr,pw->pw_name)); fclose (fd); /* finished with cache file */ /* validate cached password */ if (pw && pw->pw_passwd && pw->pw_passwd[0] && pw->pw_passwd[1] && !strcmp (pw->pw_passwd,(char *) crypt (pass,pw->pw_passwd))) { fs_give ((void **) &usr); return pw; } if (!pw) pw = getpwnam (usr); fs_give ((void **) &usr); } if (pw) { /* try S-L-O-W DCE... */ sec_login_setup_identity ((unsigned_char_p_t) pw->pw_name, sec_login_no_flags,&lhdl,&status); if (status == error_status_ok) { pwr.key.tagged_union.plain = (idl_char *) pass; pwr.key.key_type = sec_passwd_plain; pwr.pepper = NIL; pwr.version_number = sec_passwd_c_version_none; /* validate password with login context */ sec_login_validate_identity (lhdl,&pwr,&rstpwd,&asrc,&status); if (!rstpwd && (asrc == sec_login_auth_src_network) && (status == error_status_ok)) { sec_login_purge_context (&lhdl,&status); if (status == error_status_ok) return pw; } } } return NIL; /* password validation failed */ }
int sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_conv_callback *callback) { struct passwd temp_pw; sec_passwd_rec_t password_rec; sec_login_handle_t login_context; boolean32 reset_passwd; sec_login_auth_src_t auth_src; error_status_t status; debug_decl(sudo_dce_verify, SUDOERS_DEBUG_AUTH) /* * Create the local context of the DCE principal necessary * to perform authenticated network operations. The network * identity set up by this operation cannot be used until it * is validated via sec_login_validate_identity(). */ if (sec_login_setup_identity((unsigned_char_p_t) pw->pw_name, sec_login_no_flags, &login_context, &status)) { if (check_dce_status(status, "sec_login_setup_identity(1):")) debug_return_int(AUTH_FAILURE); password_rec.key.key_type = sec_passwd_plain; password_rec.key.tagged_union.plain = (idl_char *) plain_pw; password_rec.pepper = NULL; password_rec.version_number = sec_passwd_c_version_none; /* Validate the login context with the password */ if (sec_login_validate_identity(login_context, &password_rec, &reset_passwd, &auth_src, &status)) { if (check_dce_status(status, "sec_login_validate_identity(1):")) debug_return_int(AUTH_FAILURE); /* * Certify that the DCE Security Server used to set * up and validate a login context is legitimate. Makes * sure that we didn't get spoofed by another DCE server. */ if (!sec_login_certify_identity(login_context, &status)) { sudo_printf(SUDO_CONV_ERROR_MSG, "Whoa! Bogus authentication server!\n"); (void) check_dce_status(status,"sec_login_certify_identity(1):"); debug_return_int(AUTH_FAILURE); } if (check_dce_status(status, "sec_login_certify_identity(2):")) debug_return_int(AUTH_FAILURE); /* * Sets the network credentials to those specified * by the now validated login context. */ sec_login_set_context(login_context, &status); if (check_dce_status(status, "sec_login_set_context:")) debug_return_int(AUTH_FAILURE); /* * Oops, your credentials were no good. Possibly * caused by clock times out of adjustment between * DCE client and DCE security server... */ if (auth_src != sec_login_auth_src_network) { sudo_printf(SUDO_CONV_ERROR_MSG, "You have no network credentials.\n"); debug_return_int(AUTH_FAILURE); } /* Check if the password has aged and is thus no good */ if (reset_passwd) { sudo_printf(SUDO_CONV_ERROR_MSG, "Your DCE password needs resetting.\n"); debug_return_int(AUTH_FAILURE); } /* * We should be a valid user by this point. Pull the * user's password structure from the DCE security * server just to make sure. If we get it with no * problems, then we really are legitimate... */ sec_login_get_pwent(login_context, (sec_login_passwd_t) &temp_pw, &status); if (check_dce_status(status, "sec_login_get_pwent:")) debug_return_int(AUTH_FAILURE); /* * If we get to here, then the pwent above properly fetched * the password structure from the DCE registry, so the user * must be valid. We don't really care what the user's * registry password is, just that the user could be * validated. In fact, if we tried to compare the local * password to the DCE entry at this point, the operation * would fail if the hidden password feature is turned on, * because the password field would contain an asterisk. * Also go ahead and destroy the user's DCE login context * before we leave here (and don't bother checking the * status), in order to clean up credentials files in * /opt/dcelocal/var/security/creds. By doing this, we are * assuming that the user will not need DCE authentication * later in the program, only local authentication. If this * is not true, then the login_context will have to be * returned to the calling program, and the context purged * somewhere later in the program. */ sec_login_purge_context(&login_context, &status); debug_return_int(AUTH_SUCCESS); } else { if(check_dce_status(status, "sec_login_validate_identity(2):")) debug_return_int(AUTH_FAILURE); sec_login_purge_context(&login_context, &status); if(check_dce_status(status, "sec_login_purge_context:")) debug_return_int(AUTH_FAILURE); } } (void) check_dce_status(status, "sec_login_setup_identity(2):"); debug_return_int(AUTH_FAILURE); }
/** * @brief * establishes the dce login context by validating the security credentials * username and password. * * @param[in] username - username for validation * * @return - Error code * @retval 253 - sec_login_setup_identity was not successful * 254 - the validate call did not return success * @retval 0 Success * */ int establish_login_context(char *username) { error_status_t st; sec_login_auth_src_t auth_src; boolean32 reset_passwd; if (sec_login_setup_identity((unsigned_char_p_t)username, sec_login_no_flags, &lcon, &st)) { /* now validate the login context information */ fill_pwdrec((char*)&tmp_passwd[0], &pwdrec); if (sec_login_validate_identity(lcon, &pwdrec, &reset_passwd, &auth_src, &st)) { /* verify login_context is from trusted security server */ if (!sec_login_certify_identity(lcon, &st)) { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "Didn't certify login_context for %s - %s\n", username, err_string); } /* notify user if password valid period expired */ if (reset_passwd) { fprintf(stderr, "Password must be changed for %s\n", username); } /* authentication frm netwrk security server or local host? */ if (auth_src == sec_login_auth_src_local) { fprintf(stderr, "Credential source for %s is local registry\n", username); } if (auth_src == sec_login_auth_src_overridden) { fprintf(stderr, "Credential source for %s is overridden\n", username); } /* finally, set this context as the current context */ /* DCE cache files created upon success on this step*/ sec_login_set_context(lcon, &st); if (st != error_status_ok) { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "Couldn't set context for %s - %s\n", username, err_string); } /* end of sequece (validate, certify, set context) */ } else { /* the validate call did not return success */ if (st != error_status_ok) { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "Unable to validate security context for %s - %s\n", username, err_string); } else { fprintf(stderr, "sec_login_validate_identity failed - reason??\n"); } return (254); } } else { /* sec_login_setup_identity was not successful */ if (st != error_status_ok) { dce_error_inq_text(st, err_string, &inq_st); fprintf(stderr, "Unable to setup login entry for %s because %s\n", username, err_string); } else { fprintf(stderr, "sec_login_setup_identity failed - reason??\n"); } return (253); } return (0); }
/******************************************************************* check on a DCE/DFS authentication ********************************************************************/ static BOOL dfs_auth(char *user, char *password) { error_status_t err; int err2; int prterr; signed32 expire_time, current_time; boolean32 password_reset; struct passwd *pw; sec_passwd_rec_t passwd_rec; sec_login_auth_src_t auth_src = sec_login_auth_src_network; unsigned char dce_errstr[dce_c_error_string_len]; gid_t egid; if (dcelogin_atmost_once) return (False); #ifdef HAVE_CRYPT /* * We only go for a DCE login context if the given password * matches that stored in the local password file.. * Assumes local passwd file is kept in sync w/ DCE RGY! */ if (strcmp((char *)crypt(password, this_salt), this_crypted)) { return (False); } #endif sec_login_get_current_context(&my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); return (False); } sec_login_certify_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); return (False); } sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); return (False); } time(¤t_time); if (expire_time < (current_time + 60)) { struct passwd *pw; sec_passwd_rec_t *key; sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); return (False); } sec_login_refresh_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't refresh identity. %s\n", dce_errstr)); return (False); } sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, (unsigned char *)pw->pw_name, sec_c_key_version_none, (void **)&key, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get key for %s. %s\n", pw->pw_name, dce_errstr)); return (False); } sec_login_valid_and_cert_ident(my_dce_sec_context, key, &password_reset, &auth_src, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't validate and certify identity for %s. %s\n", pw->pw_name, dce_errstr)); } sec_key_mgmt_free_key(key, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't free key.\n", dce_errstr)); } } if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, &my_dce_sec_context, &err) == 0) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", user, dce_errstr)); return (False); } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); return (False); } sec_login_purge_context(&my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr)); return (False); } /* * NB. I'd like to change these to call something like change_to_user() * instead but currently we don't have a connection * context to become the correct user. This is already * fairly platform specific code however, so I think * this should be ok. I have added code to go * back to being root on error though. JRA. */ egid = getegid(); set_effective_gid(pw->pw_gid); set_effective_uid(pw->pw_uid); if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, &my_dce_sec_context, &err) == 0) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", user, dce_errstr)); goto err; } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); goto err; } passwd_rec.version_number = sec_passwd_c_version_none; passwd_rec.pepper = NULL; passwd_rec.key.key_type = sec_passwd_plain; passwd_rec.key.tagged_union.plain = (idl_char *) password; sec_login_validate_identity(my_dce_sec_context, &passwd_rec, &password_reset, &auth_src, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE Identity Validation failed for principal %s: %s\n", user, dce_errstr)); goto err; } sec_login_certify_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr)); goto err; } if (auth_src != sec_login_auth_src_network) { DEBUG(0, ("DCE context has no network credentials.\n")); } sec_login_set_context(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE login failed for principal %s, cant set context: %s\n", user, dce_errstr)); sec_login_purge_context(&my_dce_sec_context, &err); goto err; } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); goto err; } DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n", user, sys_getpid())); DEBUG(3, ("DCE principal: %s\n" " uid: %d\n" " gid: %d\n", pw->pw_name, pw->pw_uid, pw->pw_gid)); DEBUG(3, (" info: %s\n" " dir: %s\n" " shell: %s\n", pw->pw_gecos, pw->pw_dir, pw->pw_shell)); sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); goto err; } set_effective_uid(0); set_effective_gid(0); DEBUG(0, ("DCE context expires: %s", asctime(localtime(&expire_time)))); dcelogin_atmost_once = 1; return (True); err: /* Go back to root, JRA. */ set_effective_uid(0); set_effective_gid(egid); return (False); }