1 | /*- |
2 | * Copyright (c) 2003 Networks Associates Technology, Inc. | |
09e61f6c | 3 | * Copyright (c) 2004-2011 Dag-Erling Smørgrav |
4 | * All rights reserved. |
5 | * | |
6 | * This software was developed for the FreeBSD Project by ThinkSec AS and | |
7 | * NAI Labs, the Security Research Division of Network Associates, Inc. | |
8 | * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the | |
9 | * DARPA CHATS research program. | |
10 | * | |
11 | * Redistribution and use in source and binary forms, with or without | |
12 | * modification, are permitted provided that the following conditions | |
13 | * are met: | |
14 | * 1. Redistributions of source code must retain the above copyright | |
15 | * notice, this list of conditions and the following disclaimer. | |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in the | |
18 | * documentation and/or other materials provided with the distribution. | |
19 | * 3. The name of the author may not be used to endorse or promote | |
20 | * products derived from this software without specific prior written | |
21 | * permission. | |
22 | * | |
23 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
24 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
33 | * SUCH DAMAGE. | |
34 | * | |
09e61f6c | 35 | * $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.49 2011/11/20 15:18:49 des Exp $ |
36 | */ |
37 | ||
38 | #include <sys/param.h> | |
39 | #include <sys/wait.h> | |
40 | ||
41 | #include <errno.h> | |
42 | #include <fcntl.h> | |
43 | #include <paths.h> | |
44 | #include <pwd.h> | |
45 | #include <signal.h> | |
46 | #include <stdio.h> | |
47 | #include <string.h> | |
48 | #include <unistd.h> | |
49 | ||
50 | #define PAM_SM_AUTH | |
51 | #define PAM_SM_SESSION | |
52 | ||
53 | #include <security/pam_appl.h> | |
54 | #include <security/pam_modules.h> | |
55 | #include <security/openpam.h> | |
56 | ||
57 | #include <openssl/evp.h> | |
58 | ||
fc401d71 | 59 | #include "buffer.h" |
60 | #include "key.h" |
61 | #include "authfd.h" | |
62 | #include "authfile.h" | |
63 | ||
/*
 * Compatibility shim: only the constrained variant of the OpenSSH agent
 * client call is used here, with both constraint arguments left at 0.
 */
#define ssh_add_identity(auth, key, comment) \
	ssh_add_identity_constrained(auth, key, comment, 0, 0)

/*
 * Process environment.  pam_ssh_add_keys_to_agent() temporarily replaces
 * it with the PAM environment and restores it before returning.
 */
extern char **environ;
68 | ||
/*
 * A private key loaded by pam_ssh_load_key(), stored as PAM module data
 * (named after its key file) between pam_sm_authenticate() and
 * pam_sm_open_session(), and released by pam_ssh_free_key().
 */
struct pam_ssh_key {
	Key *key;	/* owned; released with key_free() */
	char *comment;	/* owned; released with free() */
};
73 | ||
/* prompt handed to pam_get_authtok() when a passphrase must be asked for */
static const char *pam_ssh_prompt = "SSH passphrase: ";
/* PAM data name set once at least one key has been loaded */
static const char *pam_ssh_have_keys = "pam_ssh_have_keys";

/*
 * Key files tried relative to the user's home directory.  The same strings
 * double as the PAM data names under which loaded keys are stored.
 */
static const char *pam_ssh_keyfiles[] = {
	".ssh/identity",	/* SSH1 RSA key */
	".ssh/id_rsa",		/* SSH2 RSA key */
	".ssh/id_dsa",		/* SSH2 DSA key */
	".ssh/id_ecdsa",	/* SSH2 ECDSA key */
	NULL
};

/* absolute path: the agent is execve()'d, never resolved through PATH */
static const char *pam_ssh_agent = "/usr/bin/ssh-agent";
/* "-s" asks for Bourne-shell style output, which pam_ssh_process_agent_output() parses */
static const char *pam_ssh_agent_argv[] = { "ssh_agent", "-s", NULL };
/* the agent is started with an empty environment */
static char *const pam_ssh_agent_envp[] = { NULL };
88 | ||
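/*
 * Attempts to load a private key from the specified file in the specified
 * directory, using the specified passphrase.  If successful, returns a
 * struct pam_ssh_key containing the key and its comment; the caller owns
 * the result and releases it with pam_ssh_free_key().
 *
 * dir         directory the key file lives in (the user's home)
 * kfn         key file name relative to dir
 * passphrase  passphrase to try; must not be NULL
 * nullok      non-zero if an unencrypted key may be accepted, and then
 *             only together with an empty passphrase
 *
 * Returns NULL if the path does not fit in PATH_MAX, the key cannot be
 * loaded, the key is unencrypted and nullok does not permit it, or
 * memory runs out.
 */
static struct pam_ssh_key *
pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase,
    int nullok)
{
	struct pam_ssh_key *psk;
	char fn[PATH_MAX];
	char *comment;
	Key *key;
	int len;

	/*
	 * snprintf() returns the length the full path would have had.  A
	 * value equal to sizeof(fn) already means the terminating NUL did
	 * not fit, so the truncation check is >=, not >; a negative value
	 * is an encoding error.
	 */
	len = snprintf(fn, sizeof(fn), "%s/%s", dir, kfn);
	if (len < 0 || (size_t)len >= sizeof(fn))
		return (NULL);
	comment = NULL;
	/*
	 * If the key is unencrypted, OpenSSL ignores the passphrase, so
	 * it will seem like the user typed in the right one.  This allows
	 * a user to circumvent nullok by providing a dummy passphrase.
	 * Verify that the key really *is* encrypted by trying to load it
	 * with an empty passphrase, and if the key is not encrypted,
	 * accept only an empty passphrase.
	 */
	key = key_load_private(fn, NULL, &comment);
	if (key != NULL && !(*passphrase == '\0' && nullok)) {
		/* unencrypted key rejected: the comment was allocated too */
		key_free(key);
		free(comment);
		return (NULL);
	}
	if (key == NULL)
		key = key_load_private(fn, passphrase, &comment);
	if (key == NULL) {
		openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn);
		return (NULL);
	}

	openpam_log(PAM_LOG_DEBUG, "loaded '%s' from %s", comment, fn);
	if ((psk = malloc(sizeof(*psk))) == NULL) {
		key_free(key);
		free(comment);
		return (NULL);
	}
	psk->key = key;
	psk->comment = comment;
	return (psk);
}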
136 | ||
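/*
 * Wipes a private key and frees the associated resources.
 *
 * PAM data cleanup callback, registered with pam_set_data() in
 * pam_sm_authenticate() and invoked by the PAM library with the stored
 * struct pam_ssh_key.
 *
 * pamh     PAM handle (unused)
 * data     the struct pam_ssh_key to release; NULL is a no-op
 * pam_err  status supplied by the PAM library (unused)
 */
static void
pam_ssh_free_key(pam_handle_t *pamh __unused,
    void *data, int pam_err __unused)
{
	struct pam_ssh_key *psk = data;

	/* a NULL entry has nothing to release; do not dereference it */
	if (psk == NULL)
		return;
	key_free(psk->key);
	free(psk->comment);
	free(psk);
}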
151 | ||
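/*
 * Authentication entry point: obtains the passphrase (reusing a token an
 * earlier module supplied, or prompting), tries to decrypt each of the
 * user's key files with it, and stores every key that loaded as PAM data
 * for pam_sm_open_session() to hand to the agent.
 *
 * Options read: "nullok" (accept an unencrypted key with an empty
 * passphrase) and "try_first_pass" (if a pre-existing token unlocked
 * nothing, prompt once for a fresh one and try again).
 *
 * Returns PAM_SUCCESS if at least one key was loaded and stored,
 * PAM_USER_UNKNOWN for an unknown user, PAM_AUTH_ERR for a missing home
 * directory or when no key could be loaded, or the error reported by
 * pam_get_user(), pam_get_authtok() or openpam_borrow_cred().
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	const char **kfn, *passphrase, *user;
	const void *item;
	struct passwd *pwd;
	struct pam_ssh_key *psk;
	int nkeys, nullok, pam_err, pass;

	nullok = (openpam_get_option(pamh, "nullok") != NULL);

	/* PEM is not loaded by default */
	OpenSSL_add_all_algorithms();

	/* get user name and home directory */
	pam_err = pam_get_user(pamh, &user, NULL);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);
	pwd = getpwnam(user);
	if (pwd == NULL)
		return (PAM_USER_UNKNOWN);
	if (pwd->pw_dir == NULL)
		return (PAM_AUTH_ERR);

	nkeys = 0;
	/* remember whether a token from an earlier module is already there */
	pass = (pam_get_item(pamh, PAM_AUTHTOK, &item) == PAM_SUCCESS &&
	    item != NULL);
load_keys:
	/* get passphrase */
	pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
	    &passphrase, pam_ssh_prompt);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);

	/* switch to user credentials */
	pam_err = openpam_borrow_cred(pamh, pwd);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);

	/* try to load keys from all keyfiles we know of */
	for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
		psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok);
		if (psk == NULL)
			continue;
		/*
		 * Count only keys that were actually stored: if
		 * pam_set_data() fails the key would never reach the agent
		 * and would leak, so release it instead of reporting a key
		 * that does not exist.
		 */
		if (pam_set_data(pamh, *kfn, psk, pam_ssh_free_key) !=
		    PAM_SUCCESS) {
			openpam_log(PAM_LOG_DEBUG,
			    "failed to store key from %s", *kfn);
			pam_ssh_free_key(pamh, psk, PAM_SYSTEM_ERR);
			continue;
		}
		++nkeys;
	}

	/* switch back to arbitrator credentials */
	openpam_restore_cred(pamh);

	/*
	 * If we tried an old token and didn't get anything, and
	 * try_first_pass was specified, try again after prompting the
	 * user for a new passphrase.
	 */
	if (nkeys == 0 && pass == 1 &&
	    openpam_get_option(pamh, "try_first_pass") != NULL) {
		pam_set_item(pamh, PAM_AUTHTOK, NULL);
		pass = 0;
		goto load_keys;
	}

	/* no keys? */
	if (nkeys == 0)
		return (PAM_AUTH_ERR);

	/* marker for pam_sm_open_session() that there is work to do */
	pam_set_data(pamh, pam_ssh_have_keys, NULL, NULL);
	return (PAM_SUCCESS);
}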
223 | ||
/*
 * Credential entry point.  This module keeps no credentials of its own,
 * so there is nothing to establish or delete; it always succeeds.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	int rv = PAM_SUCCESS;

	return (rv);
}
231 | ||
/*
 * Parses ssh-agent's output.
 *
 * Every line of the form SSH_<rest>=<value>; (the shell-style output
 * produced by "ssh-agent -s") is stored in the PAM environment as that
 * variable; lines of any other shape are skipped.  Reads until EOF and
 * leaves the stream open for the caller to close.
 */
static void
pam_ssh_process_agent_output(pam_handle_t *pamh, FILE *f)
{
	char *line, *name, *value, *eq, *semi;
	size_t len, rest;

	while ((line = fgetln(f, &len)) != NULL) {
		/* only SSH_* assignments are of interest */
		if (len < 4 || strncmp(line, "SSH_", 4) != 0)
			continue;

		/* the name ends at the first '=' */
		eq = memchr(line, '=', len);
		if (eq == NULL)
			continue;
		*eq = '\0';
		name = line;

		/* the value ends at the first ';' after the '=' */
		value = eq + 1;
		rest = len - (size_t)(value - line);
		semi = memchr(value, ';', rest);
		if (semi == NULL)
			continue;
		*semi = '\0';

		/* store key-value pair in environment */
		openpam_log(PAM_LOG_DEBUG, "got %s: %s", name, value);
		pam_setenv(pamh, name, value, 1);
	}
}
266 | ||
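/*
 * Starts an ssh agent and stores the environment variables derived from
 * its output.
 *
 * The agent is forked with the caller's effective credentials (the
 * user's, since pam_sm_open_session() calls openpam_borrow_cred() first),
 * stdin on /dev/null, stdout and stderr on a pipe back to us, every other
 * descriptor closed and an empty environment.  Without -d, ssh-agent
 * prints its variables and exits while the agent proper keeps running
 * detached, so the process we forked is reaped here once its output has
 * been read.
 *
 * Returns PAM_SUCCESS, or PAM_SYSTEM_ERR if the pipe, fork or fdopen()
 * fails.  A child that fails to drop privileges exits without running the
 * agent; a non-zero agent exit status is logged but not treated as an
 * error, as before.
 */
static int
pam_ssh_start_agent(pam_handle_t *pamh)
{
	int agent_pipe[2];
	int status;
	pid_t pid, reaped;
	FILE *f;

	/* get a pipe which we will use to read the agent's output */
	if (pipe(agent_pipe) == -1)
		return (PAM_SYSTEM_ERR);

	/* start the agent */
	openpam_log(PAM_LOG_DEBUG, "starting an ssh agent");
	pid = fork();
	if (pid == (pid_t)-1) {
		/* failed */
		close(agent_pipe[0]);
		close(agent_pipe[1]);
		return (PAM_SYSTEM_ERR);
	}
	if (pid == 0) {
		int fd;

		/*
		 * child: drop privs, close fds and start agent.  If the
		 * privilege drop fails, do not exec the agent: it would
		 * inherit the real/saved ids of the calling process.
		 */
		if (setgid(getegid()) == -1 || setuid(geteuid()) == -1)
			_exit(127);
		close(STDIN_FILENO);
		open(_PATH_DEVNULL, O_RDONLY);
		dup2(agent_pipe[1], STDOUT_FILENO);
		dup2(agent_pipe[1], STDERR_FILENO);
		for (fd = 3; fd < getdtablesize(); ++fd)
			close(fd);
		execve(pam_ssh_agent,
		    __DECONST(char * const *, pam_ssh_agent_argv),
		    pam_ssh_agent_envp);
		_exit(127);
	}

	/* parent */
	close(agent_pipe[1]);
	if ((f = fdopen(agent_pipe[0], "r")) == NULL) {
		/* neither leak the read end nor leave a zombie behind */
		close(agent_pipe[0]);
		do {
			reaped = waitpid(pid, &status, 0);
		} while (reaped == -1 && errno == EINTR);
		return (PAM_SYSTEM_ERR);
	}
	pam_ssh_process_agent_output(pamh, f);
	fclose(f);

	/*
	 * EOF on the pipe means the forked process has finished writing;
	 * reap it so it does not linger as a zombie for the whole session.
	 * ECHILD simply means SIGCHLD is ignored in this process and the
	 * kernel has already reaped it.
	 */
	do {
		reaped = waitpid(pid, &status, 0);
	} while (reaped == -1 && errno == EINTR);
	if (reaped == pid && (!WIFEXITED(status) || WEXITSTATUS(status) != 0))
		openpam_log(PAM_LOG_DEBUG, "ssh agent did not exit cleanly");

	return (PAM_SUCCESS);
}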
318 | ||
/*
 * Adds previously stored keys to a running agent.
 *
 * The process environment is swapped for the PAM environment (which holds
 * the SSH_* variables pam_ssh_process_agent_output() stored) for the
 * duration of the call, presumably so that the agent connection can be
 * located through it, and is restored before returning.  Every key stored
 * under a pam_ssh_keyfiles name is offered to the agent and then wiped
 * from the PAM data whether or not the agent accepted it.
 *
 * Returns PAM_SYSTEM_ERR if the PAM environment could not be obtained or
 * no agent connection could be made, PAM_SUCCESS otherwise, even when
 * individual keys were rejected.
 */
static int
pam_ssh_add_keys_to_agent(pam_handle_t *pamh)
{
	AuthenticationConnection *ac;
	const struct pam_ssh_key *psk;
	const char **kfn;
	const void *item;
	char **saved_environ, **env;
	int rv;

	/* switch to PAM environment */
	saved_environ = environ;
	environ = pam_getenvlist(pamh);
	if (environ == NULL) {
		environ = saved_environ;
		return (PAM_SYSTEM_ERR);
	}

	/* get a connection to the agent */
	ac = ssh_get_authentication_connection();
	if (ac == NULL) {
		openpam_log(PAM_LOG_DEBUG, "failed to connect to the agent");
		rv = PAM_SYSTEM_ERR;
	} else {
		/* look for keys to add to it */
		for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) {
			if (pam_get_data(pamh, *kfn, &item) != PAM_SUCCESS ||
			    item == NULL)
				continue;
			psk = item;
			if (ssh_add_identity(ac, psk->key, psk->comment))
				openpam_log(PAM_LOG_DEBUG,
				    "added %s to ssh agent", psk->comment);
			else
				openpam_log(PAM_LOG_DEBUG, "failed "
				    "to add %s to ssh agent", psk->comment);
			/* we won't need the key again, so wipe it */
			pam_set_data(pamh, *kfn, NULL, NULL);
		}
		rv = PAM_SUCCESS;
		/* disconnect from agent */
		ssh_close_authentication_connection(ac);
	}

	/* switch back to original environment */
	for (env = environ; *env != NULL; ++env)
		free(*env);
	free(environ);
	environ = saved_environ;

	return (rv);
}
375 | ||
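/*
 * Session entry point: starts an ssh agent for the user and hands it the
 * keys pam_sm_authenticate() loaded.  Nothing is done unless keys were
 * loaded (the pam_ssh_have_keys marker is present) or the "want_agent"
 * option asks for an agent regardless.
 *
 * Runs with the user's credentials (openpam_borrow_cred()) while the agent
 * is started and fed; they are restored on every exit path.
 *
 * Returns PAM_USER_UNKNOWN for an unknown user, the error reported by
 * pam_get_user(), openpam_borrow_cred() or pam_ssh_start_agent(), and
 * PAM_SUCCESS otherwise.  A failure to add keys is logged but does not
 * fail the session.
 */
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	struct passwd *pwd;
	const char *user;
	const void *data;
	int pam_err;

	/* no keys, no work */
	if (pam_get_data(pamh, pam_ssh_have_keys, &data) != PAM_SUCCESS &&
	    openpam_get_option(pamh, "want_agent") == NULL)
		return (PAM_SUCCESS);

	/* switch to user credentials */
	pam_err = pam_get_user(pamh, &user, NULL);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);
	pwd = getpwnam(user);
	if (pwd == NULL)
		return (PAM_USER_UNKNOWN);
	pam_err = openpam_borrow_cred(pamh, pwd);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);

	/* start the agent */
	pam_err = pam_ssh_start_agent(pamh);
	if (pam_err != PAM_SUCCESS) {
		openpam_restore_cred(pamh);
		return (pam_err);
	}

	/*
	 * we have an agent, see if we can add any keys to it; a failure
	 * here is deliberately not fatal (the session still gets its
	 * agent), but it should not pass in silence either
	 */
	pam_err = pam_ssh_add_keys_to_agent(pamh);
	if (pam_err != PAM_SUCCESS)
		openpam_log(PAM_LOG_DEBUG,
		    "failed to add keys to the ssh agent: %s",
		    pam_strerror(pamh, pam_err));

	openpam_restore_cred(pamh);
	return (PAM_SUCCESS);
}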
417 | ||
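/*
 * Session close entry point: terminates the agent started by
 * pam_sm_open_session(), identified by SSH_AGENT_PID in the PAM
 * environment.
 *
 * The pid is parsed strictly: it must be a complete, in-range decimal
 * number greater than 1.  kill() interprets 0 and negative values as
 * process groups (and -1 as "every process we may signal"), so a
 * malformed or tampered value must never reach it.
 *
 * Returns PAM_SUCCESS if there is no agent or it was signalled,
 * PAM_SESSION_ERR for a malformed pid, and PAM_SYSTEM_ERR if kill() or
 * waitpid() fails (ECHILD is tolerated: the agent need not be a child of
 * this process).
 */
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	const char *ssh_agent_pid;
	char *end;
	long lpid;
	int status;
	pid_t pid;

	if ((ssh_agent_pid = pam_getenv(pamh, "SSH_AGENT_PID")) == NULL) {
		openpam_log(PAM_LOG_DEBUG, "no ssh agent");
		return (PAM_SUCCESS);
	}
	errno = 0;
	lpid = strtol(ssh_agent_pid, &end, 10);
	pid = (pid_t)lpid;
	/* empty, trailing garbage, out of range for long or pid_t, or not a real pid */
	if (*ssh_agent_pid == '\0' || *end != '\0' || errno == ERANGE ||
	    (long)pid != lpid || lpid <= 1) {
		openpam_log(PAM_LOG_DEBUG, "invalid ssh agent pid");
		return (PAM_SESSION_ERR);
	}
	openpam_log(PAM_LOG_DEBUG, "killing ssh agent %d", (int)pid);
	if (kill(pid, SIGTERM) == -1 ||
	    (waitpid(pid, &status, 0) == -1 && errno != ECHILD))
		return (PAM_SYSTEM_ERR);
	return (PAM_SUCCESS);
}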
442 | ||
/* OpenPAM module entry declaration (<security/openpam.h>) for this module */
PAM_MODULE_ENTRY("pam_ssh");