2 * Copyright (c) 1999, 2000 Andrew J. Korty
4 * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
7 * Portions of this software were developed for the FreeBSD Project by
8 * ThinkSec AS and NAI Labs, the Security Research Division of Network
9 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
10 * ("CBOSS"), as part of the DARPA CHATS research program.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. The name of the author may not be used to endorse or promote
21 * products derived from this software without specific prior written
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * $Id: pam_ssh.c,v 1.23 2001/08/20 01:44:02 akorty Exp $
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.28.2.4 2002/07/12 09:24:56 des Exp $");
42 #include <sys/param.h>
55 #define PAM_SM_SESSION
57 #include <security/pam_appl.h>
58 #include <security/pam_modules.h>
59 #include <security/pam_mod_misc.h>
61 #include <openssl/dsa.h>
62 #include <openssl/evp.h>
71 PAM_OPT_KEYFILES = PAM_OPT_STD_MAX
74 static struct opttab other_options[] = {
75 { "keyfiles", PAM_OPT_KEYFILES },
79 static void key_cleanup(pam_handle_t *, void *, int);
80 static void ssh_cleanup(pam_handle_t *, void *, int);
83 * Generic cleanup function for OpenSSH "Key" type.
87 key_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
95 * Generic PAM cleanup function for this module.
99 ssh_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
107 * Authenticate a user's key by trying to decrypt it with the password
108 * provided. The key and its comment are then stored for later
109 * retrieval by the session phase. An increasing index is embedded in
110 * the PAM variable names so this function may be called multiple times
115 auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
116 const struct passwd *user, const char *pass, struct options *options)
118 char *comment; /* private key comment */
119 char *data_name; /* PAM state */
120 static int key_idx = 0; /* for saved keys */
121 Key *key; /* user's key */
122 char *path; /* to key files */
123 int retval; /* from calls */
125 /* locate the user's private key file */
127 if (!asprintf(&path, "%s/%s", dir, file)) {
129 return (PAM_SERVICE_ERR);
132 /* Try to decrypt the private key with the passphrase provided. If
133 success, the user is authenticated. */
136 if ((retval = openpam_borrow_cred(pamh, user)) != PAM_SUCCESS)
138 key = key_load_private(path, pass, &comment);
139 openpam_restore_cred(pamh);
142 comment = strdup(file);
145 return (PAM_AUTH_ERR);
148 /* save the key and comment to pass to ssh-agent in the session
151 if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
154 return (PAM_SERVICE_ERR);
156 retval = pam_set_data(pamh, data_name, key, key_cleanup);
158 if (retval != PAM_SUCCESS) {
163 if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
166 return (PAM_SERVICE_ERR);
168 retval = pam_set_data(pamh, data_name, comment, ssh_cleanup);
170 if (retval != PAM_SUCCESS) {
176 return (PAM_SUCCESS);
181 * Add the keys stored by auth_via_key() to the agent connected to the
186 add_keys(pam_handle_t *pamh, struct options *options)
188 AuthenticationConnection *ac; /* connection to ssh-agent */
189 char *comment; /* private key comment */
190 char *data_name; /* PAM state */
191 int final; /* final return value */
192 int key_idx; /* for saved keys */
193 Key *key; /* user's private key */
194 int retval; /* from calls */
197 * Connect to the agent.
199 * XXX Because ssh_get_authentication_connection() gets the
200 * XXX agent parameters from the environment, we have to
201 * XXX temporarily replace the environment with the PAM
202 * XXX environment list. This is a hack.
205 extern char **environ;
209 if ((environ = pam_getenvlist(pamh)) == NULL) {
212 return (PAM_BUF_ERR);
214 ac = ssh_get_authentication_connection();
215 for (evp = environ; *evp; evp++)
222 return (PAM_SESSION_ERR);
225 /* hand off each private key to the agent */
228 for (key_idx = 0; ; key_idx++) {
229 if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
231 ssh_close_authentication_connection(ac);
232 return (PAM_SERVICE_ERR);
234 retval = pam_get_data(pamh, data_name, (const void **)&key);
236 if (retval != PAM_SUCCESS)
238 if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
240 ssh_close_authentication_connection(ac);
241 return (PAM_SERVICE_ERR);
243 retval = pam_get_data(pamh, data_name,
244 (const void **)&comment);
246 if (retval != PAM_SUCCESS)
248 retval = ssh_add_identity(ac, key, comment);
252 ssh_close_authentication_connection(ac);
254 return (final ? PAM_SUCCESS : PAM_SESSION_ERR);
259 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
260 int argc __unused, const char *argv[] __unused)
262 struct options options;
263 int authenticated; /* user authenticated? */
264 char *dotdir; /* .ssh dir name */
265 char *file; /* current key file */
266 char *kfspec; /* list of key files to add */
268 const char *pass; /* passphrase */
269 const struct passwd *pwent; /* user's passwd entry */
270 struct passwd *pwent_keep; /* our own copy */
271 int retval; /* from calls */
272 const char *user; /* username */
274 pam_std_option(&options, other_options, argc, argv);
276 if (!pam_test_option(&options, PAM_OPT_KEYFILES, &kfspec)) {
277 kfspec = DEF_KEYFILES;
280 if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
282 if (user == NULL || (pwent = getpwnam(user)) == NULL ||
283 pwent->pw_dir == NULL || pwent->pw_dir[0] == '\0')
284 return (PAM_AUTH_ERR);
286 /* pass prompt message to application and receive passphrase */
288 retval = pam_get_pass(pamh, &pass, NEED_PASSPHRASE, &options);
289 if (retval != PAM_SUCCESS)
292 OpenSSL_add_all_algorithms(); /* required for DSA */
294 /* any key will authenticate us, but if we can decrypt all of the
295 specified keys, we'll do so here so we can cache them in the
298 if (!asprintf(&dotdir, "%s/%s", pwent->pw_dir, SSH_CLIENT_DIR)) {
300 return (PAM_SERVICE_ERR);
303 keyfiles = strdup(kfspec);
304 for (file = strtok(keyfiles, SEP_KEYFILES); file;
305 file = strtok(NULL, SEP_KEYFILES))
306 if (auth_via_key(pamh, file, dotdir, pwent, pass, &options) ==
312 return (PAM_AUTH_ERR);
314 /* copy the passwd entry (in case successive calls are made) and
315 save it for the session phase */
317 if (!(pwent_keep = malloc(sizeof *pwent))) {
319 return (PAM_SERVICE_ERR);
321 (void) memcpy(pwent_keep, pwent, sizeof *pwent_keep);
322 if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
323 ssh_cleanup)) != PAM_SUCCESS) {
328 return (PAM_SUCCESS);
333 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
334 int argc __unused, const char *argv[] __unused)
337 return (PAM_SUCCESS);
342 pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
343 int argc __unused, const char *argv[] __unused)
345 struct options options;
346 char *agent_socket; /* agent socket */
347 char *env_end; /* end of env */
348 FILE *env_read; /* env data source */
349 char env_string[BUFSIZ]; /* environment string */
350 char *env_value; /* envariable value */
351 int env_write; /* env file descriptor */
352 char hname[MAXHOSTNAMELEN]; /* local hostname */
353 int no_link; /* link per-agent file? */
354 char *per_agent; /* to store env */
355 char *per_session; /* per-session filename */
356 char *agent_pid; /* agent pid */
357 const struct passwd *pwent; /* user's passwd entry */
358 int retval; /* from calls */
359 int start_agent; /* start agent? */
360 const char *tty; /* tty or display name */
362 pam_std_option(&options, other_options, argc, argv);
364 /* dump output of ssh-agent in ~/.ssh */
365 if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
366 (const void **)&pwent)) != PAM_SUCCESS)
370 * Use reference counts to limit agents to one per user per host.
372 * Technique: Create an environment file containing
373 * information about the agent. Only one file is created, but
374 * it may be given many names. One name is given for the
375 * agent itself, agent-<host>. Another name is given for each
376 * session, agent-<host>-<display> or agent-<host>-<tty>. We
377 * delete the per-session filename on session close, and when
378 * the link count goes to unity on the per-agent file, we
379 * delete the file and kill the agent.
382 /* the per-agent file contains just the hostname */
384 (void) gethostname(hname, sizeof hname);
385 if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname)
388 return (PAM_SERVICE_ERR);
391 /* save the per-agent filename in case we want to delete it on
394 if ((retval = pam_set_data(pamh, "ssh_agent_env_agent", per_agent,
395 ssh_cleanup)) != PAM_SUCCESS) {
400 /* take on the user's privileges for writing files and starting the
403 if ((retval = openpam_borrow_cred(pamh, pwent)) != PAM_SUCCESS)
406 /* Try to create the per-agent file or open it for reading if it
407 exists. If we can't do either, we won't try to link a
408 per-session filename later. Start the agent if we can't open
409 the file for reading. */
411 env_write = no_link = 0;
413 if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY,
414 S_IRUSR)) < 0 && !(env_read = fopen(per_agent, "r")))
418 openpam_restore_cred(pamh);
421 env_read = popen(SSH_AGENT, "r");
422 openpam_restore_cred(pamh);
424 PAM_LOG( "%s: %m", SSH_AGENT);
426 (void) close(env_write);
427 return (PAM_SESSION_ERR);
431 /* save environment for application with pam_putenv() */
434 while (fgets(env_string, sizeof env_string, env_read)) {
436 /* parse environment definitions */
439 (void) write(env_write, env_string,
441 if (!(env_value = strchr(env_string, '=')) ||
442 !(env_end = strchr(env_value, ';')))
446 /* pass to the application */
448 if (!((retval = pam_putenv(pamh, env_string)) ==
451 (void) pclose(env_read);
453 (void) fclose(env_read);
455 (void) close(env_write);
458 return (PAM_SERVICE_ERR);
463 /* save the agent socket so we can connect to it and add
464 the keys as well as the PID so we can kill the agent on
467 if (strcmp(&env_string[strlen(env_string) -
468 strlen(ENV_SOCKET_SUFFIX)], ENV_SOCKET_SUFFIX) == 0 &&
469 !(agent_socket = strdup(env_value))) {
472 (void) pclose(env_read);
474 (void) fclose(env_read);
476 (void) close(env_write);
479 return (PAM_SERVICE_ERR);
480 } else if (strcmp(&env_string[strlen(env_string) -
481 strlen(ENV_PID_SUFFIX)], ENV_PID_SUFFIX) == 0 &&
482 ((agent_pid = strdup(env_value)) == NULL ||
483 (retval = pam_set_data(pamh, "ssh_agent_pid",
484 agent_pid, ssh_cleanup)) != PAM_SUCCESS)) {
486 (void) pclose(env_read);
488 (void) fclose(env_read);
490 (void) close(env_write);
500 (void) close(env_write);
503 switch (retval = pclose(env_read)) {
505 PAM_LOG( "%s: %m", SSH_AGENT);
508 return (PAM_SESSION_ERR);
512 PAM_LOG( "cannot execute %s",
516 return (PAM_SESSION_ERR);
518 PAM_LOG( "%s exited %s %d",
519 SSH_AGENT, WIFSIGNALED(retval) ? "on signal" :
520 "with status", WIFSIGNALED(retval) ?
521 WTERMSIG(retval) : WEXITSTATUS(retval));
524 return (PAM_SESSION_ERR);
527 (void) fclose(env_read);
530 return (PAM_SESSION_ERR);
532 if (start_agent && (retval = add_keys(pamh, &options))
537 /* if we couldn't access the per-agent file, don't link a
538 per-session filename to it */
541 return (PAM_SUCCESS);
543 /* the per-session file contains the display name or tty name as
544 well as the hostname */
546 if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
549 if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir,
552 return (PAM_SERVICE_ERR);
555 /* save the per-session filename so we can delete it on session
558 if ((retval = pam_set_data(pamh, "ssh_agent_env_session",
559 per_session, ssh_cleanup)) != PAM_SUCCESS) {
564 (void) unlink(per_session); /* remove cruft */
565 (void) link(per_agent, per_session);
567 return (PAM_SUCCESS);
572 pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
573 int argc __unused, const char *argv[] __unused)
575 struct options options;
576 const char *env_file; /* ssh-agent environment */
577 pid_t pid; /* ssh-agent process id */
578 int retval; /* from calls */
579 const char *ssh_agent_pid; /* ssh-agent pid string */
580 struct stat sb; /* to check st_nlink */
582 pam_std_option(&options, other_options, argc, argv);
584 if ((retval = pam_get_data(pamh, "ssh_agent_env_session",
585 (const void **)&env_file)) == PAM_SUCCESS && env_file)
586 (void) unlink(env_file);
588 /* Retrieve per-agent filename and check link count. If it's
589 greater than unity, other sessions are still using this
592 if ((retval = pam_get_data(pamh, "ssh_agent_env_agent",
593 (const void **)&env_file)) == PAM_SUCCESS && env_file &&
594 stat(env_file, &sb) == 0) {
596 return (PAM_SUCCESS);
597 (void) unlink(env_file);
600 /* retrieve the agent's process id */
602 if ((retval = pam_get_data(pamh, "ssh_agent_pid",
603 (const void **)&ssh_agent_pid)) != PAM_SUCCESS)
606 /* Kill the agent. SSH's ssh-agent does not have a -k option, so
609 pid = atoi(ssh_agent_pid);
611 return (PAM_SESSION_ERR);
612 if (kill(pid, SIGTERM) != 0) {
613 PAM_LOG( "%s: %m", ssh_agent_pid);
614 return (PAM_SESSION_ERR);
617 return (PAM_SUCCESS);
620 PAM_MODULE_ENTRY(MODULE_NAME);