2 * Copyright (c) 2002 Networks Associates Technology, Inc.
5 * This software was developed for the FreeBSD Project by ThinkSec AS and
6 * NAI Labs, the Security Research Division of Network Associates, Inc.
7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 * DARPA CHATS research program.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
37 #if defined(HAVE_SECURITY_PAM_APPL_H)
38 #include <security/pam_appl.h>
39 #elif defined (HAVE_PAM_PAM_APPL_H)
40 #include <pam/pam_appl.h>
49 #include "monitor_wrap.h"
56 #include "auth-options.h"
58 extern ServerOptions options;
59 extern Buffer loginmsg;
62 #ifdef USE_POSIX_THREADS
65 * Avoid namespace clash when *not* using pthreads for systems *with*
66 * pthreads, which unconditionally define pthread_t via sys/types.h
69 typedef pthread_t sp_pthread_t;
71 typedef pid_t sp_pthread_t;
75 sp_pthread_t pam_thread;
81 static void sshpam_free_ctx(void *);
82 static struct pam_ctxt *cleanup_ctxt;
84 #ifndef USE_POSIX_THREADS
86 * Simulate threads with processes.
89 static int sshpam_thread_status = -1;
90 static mysig_t sshpam_oldsig;
93 sshpam_sigchld_handler(int sig)
95 if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) == -1)
96 return; /* couldn't wait for process */
97 if (WIFSIGNALED(sshpam_thread_status) &&
98 WTERMSIG(sshpam_thread_status) == SIGTERM)
99 return; /* terminated by pthread_cancel */
100 if (!WIFEXITED(sshpam_thread_status))
101 fatal("PAM: authentication thread exited unexpectedly");
102 if (WEXITSTATUS(sshpam_thread_status) != 0)
103 fatal("PAM: authentication thread exited uncleanly");
107 pthread_exit(void *value __unused)
113 pthread_create(sp_pthread_t *thread, const void *attr __unused,
114 void *(*thread_start)(void *), void *arg)
118 switch ((pid = fork())) {
120 error("fork(): %s", strerror(errno));
127 sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
133 pthread_cancel(sp_pthread_t thread)
135 return (kill(thread, SIGTERM));
139 pthread_join(sp_pthread_t thread, void **value __unused)
143 if (sshpam_thread_status != -1)
144 return (sshpam_thread_status);
145 signal(SIGCHLD, sshpam_oldsig);
146 waitpid(thread, &status, 0);
152 static pam_handle_t *sshpam_handle = NULL;
153 static int sshpam_err = 0;
154 static int sshpam_authenticated = 0;
155 static int sshpam_new_authtok_reqd = 0;
156 static int sshpam_session_open = 0;
157 static int sshpam_cred_established = 0;
158 static int sshpam_account_status = -1;
159 static char **sshpam_env = NULL;
161 /* Some PAM implementations don't implement this */
162 #ifndef HAVE_PAM_GETENVLIST
164 pam_getenvlist(pam_handle_t *pamh)
167 * XXX - If necessary, we can still support envrionment passing
168 * for platforms without pam_getenvlist by searching for known
169 * env vars (e.g. KRB5CCNAME) from the PAM environment.
176 pam_password_change_required(int reqd)
178 sshpam_new_authtok_reqd = reqd;
180 no_port_forwarding_flag |= 2;
181 no_agent_forwarding_flag |= 2;
182 no_x11_forwarding_flag |= 2;
184 no_port_forwarding_flag &= ~2;
185 no_agent_forwarding_flag &= ~2;
186 no_x11_forwarding_flag &= ~2;
190 /* Import regular and PAM environment from subprocess */
192 import_environments(Buffer *b)
198 /* Import variables set by do_pam_account */
199 sshpam_account_status = buffer_get_int(b);
200 pam_password_change_required(buffer_get_int(b));
202 /* Import environment from subprocess */
203 num_env = buffer_get_int(b);
204 sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
205 debug3("PAM: num env strings %d", num_env);
206 for(i = 0; i < num_env; i++)
207 sshpam_env[i] = buffer_get_string(b, NULL);
209 sshpam_env[num_env] = NULL;
211 /* Import PAM environment from subprocess */
212 num_env = buffer_get_int(b);
213 debug("PAM: num PAM env strings %d", num_env);
214 for(i = 0; i < num_env; i++) {
215 env = buffer_get_string(b, NULL);
217 #ifdef HAVE_PAM_PUTENV
218 /* Errors are not fatal here */
219 if ((err = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) {
220 error("PAM: pam_putenv: %s",
221 pam_strerror(sshpam_handle, sshpam_err));
228 * Conversation function for authentication thread.
231 sshpam_thread_conv(int n, const struct pam_message **msg,
232 struct pam_response **resp, void *data)
235 struct pam_ctxt *ctxt;
236 struct pam_response *reply;
242 if (n <= 0 || n > PAM_MAX_NUM_MSG)
243 return (PAM_CONV_ERR);
245 if ((reply = malloc(n * sizeof(*reply))) == NULL)
246 return (PAM_CONV_ERR);
247 memset(reply, 0, n * sizeof(*reply));
249 buffer_init(&buffer);
250 for (i = 0; i < n; ++i) {
251 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
252 case PAM_PROMPT_ECHO_OFF:
253 buffer_put_cstring(&buffer,
254 PAM_MSG_MEMBER(msg, i, msg));
255 if (ssh_msg_send(ctxt->pam_csock,
256 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
258 if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
260 if (buffer_get_char(&buffer) != PAM_AUTHTOK)
262 reply[i].resp = buffer_get_string(&buffer, NULL);
264 case PAM_PROMPT_ECHO_ON:
265 buffer_put_cstring(&buffer,
266 PAM_MSG_MEMBER(msg, i, msg));
267 if (ssh_msg_send(ctxt->pam_csock,
268 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
270 if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
272 if (buffer_get_char(&buffer) != PAM_AUTHTOK)
274 reply[i].resp = buffer_get_string(&buffer, NULL);
277 buffer_put_cstring(&buffer,
278 PAM_MSG_MEMBER(msg, i, msg));
279 if (ssh_msg_send(ctxt->pam_csock,
280 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
284 buffer_put_cstring(&buffer,
285 PAM_MSG_MEMBER(msg, i, msg));
286 if (ssh_msg_send(ctxt->pam_csock,
287 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
293 buffer_clear(&buffer);
295 buffer_free(&buffer);
297 return (PAM_SUCCESS);
300 for(i = 0; i < n; i++) {
301 if (reply[i].resp != NULL)
302 xfree(reply[i].resp);
305 buffer_free(&buffer);
306 return (PAM_CONV_ERR);
310 * Authentication thread.
313 sshpam_thread(void *ctxtp)
315 struct pam_ctxt *ctxt = ctxtp;
317 struct pam_conv sshpam_conv;
318 #ifndef USE_POSIX_THREADS
319 extern char **environ;
322 const char *pam_user;
324 pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user);
325 setproctitle("%s [pam]", pam_user);
329 sshpam_conv.conv = sshpam_thread_conv;
330 sshpam_conv.appdata_ptr = ctxt;
332 buffer_init(&buffer);
333 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
334 (const void *)&sshpam_conv);
335 if (sshpam_err != PAM_SUCCESS)
337 sshpam_err = pam_authenticate(sshpam_handle, 0);
338 if (sshpam_err != PAM_SUCCESS)
342 if (!do_pam_account())
344 if (sshpam_new_authtok_reqd) {
345 sshpam_err = pam_chauthtok(sshpam_handle,
346 PAM_CHANGE_EXPIRED_AUTHTOK);
347 if (sshpam_err != PAM_SUCCESS)
349 pam_password_change_required(0);
353 buffer_put_cstring(&buffer, "OK");
355 #ifndef USE_POSIX_THREADS
356 /* Export variables set by do_pam_account */
357 buffer_put_int(&buffer, sshpam_account_status);
358 buffer_put_int(&buffer, sshpam_new_authtok_reqd);
360 /* Export any environment strings set in child */
361 for(i = 0; environ[i] != NULL; i++)
363 buffer_put_int(&buffer, i);
364 for(i = 0; environ[i] != NULL; i++)
365 buffer_put_cstring(&buffer, environ[i]);
367 /* Export any environment strings set by PAM in child */
368 env_from_pam = pam_getenvlist(sshpam_handle);
369 for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
371 buffer_put_int(&buffer, i);
372 for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
373 buffer_put_cstring(&buffer, env_from_pam[i]);
374 #endif /* USE_POSIX_THREADS */
376 /* XXX - can't do much about an error here */
377 ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
378 buffer_free(&buffer);
382 buffer_put_cstring(&buffer,
383 pam_strerror(sshpam_handle, sshpam_err));
384 /* XXX - can't do much about an error here */
385 ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
386 buffer_free(&buffer);
389 return (NULL); /* Avoid warning for non-pthread case */
393 sshpam_thread_cleanup(void)
395 struct pam_ctxt *ctxt = cleanup_ctxt;
397 if (ctxt != NULL && ctxt->pam_thread != 0) {
398 pthread_cancel(ctxt->pam_thread);
399 pthread_join(ctxt->pam_thread, NULL);
400 close(ctxt->pam_psock);
401 close(ctxt->pam_csock);
402 memset(ctxt, 0, sizeof(*ctxt));
408 sshpam_null_conv(int n, const struct pam_message **msg,
409 struct pam_response **resp, void *data)
411 return (PAM_CONV_ERR);
414 static struct pam_conv null_conv = { sshpam_null_conv, NULL };
419 debug("PAM: cleanup");
420 if (sshpam_handle == NULL)
422 pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
423 if (sshpam_cred_established) {
424 pam_setcred(sshpam_handle, PAM_DELETE_CRED);
425 sshpam_cred_established = 0;
427 if (sshpam_session_open) {
428 pam_close_session(sshpam_handle, PAM_SILENT);
429 sshpam_session_open = 0;
431 sshpam_authenticated = sshpam_new_authtok_reqd = 0;
432 pam_end(sshpam_handle, sshpam_err);
433 sshpam_handle = NULL;
437 sshpam_init(const char *user)
439 extern u_int utmp_len;
440 extern char *__progname;
441 const char *pam_rhost, *pam_user;
443 if (sshpam_handle != NULL) {
444 /* We already have a PAM context; check if the user matches */
445 sshpam_err = pam_get_item(sshpam_handle,
446 PAM_USER, (const void **)&pam_user);
447 if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
449 pam_end(sshpam_handle, sshpam_err);
450 sshpam_handle = NULL;
452 debug("PAM: initializing for \"%s\"", user);
454 pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
455 if (sshpam_err != PAM_SUCCESS) {
456 pam_end(sshpam_handle, sshpam_err);
457 sshpam_handle = NULL;
460 pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
461 debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
462 sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
463 if (sshpam_err != PAM_SUCCESS) {
464 pam_end(sshpam_handle, sshpam_err);
465 sshpam_handle = NULL;
468 #ifdef PAM_TTY_KLUDGE
470 * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
471 * sshd doesn't set the tty until too late in the auth process and
472 * may not even set one (for tty-less connections)
474 debug("PAM: setting PAM_TTY to \"ssh\"");
475 sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
476 if (sshpam_err != PAM_SUCCESS) {
477 pam_end(sshpam_handle, sshpam_err);
478 sshpam_handle = NULL;
486 sshpam_init_ctx(Authctxt *authctxt)
488 struct pam_ctxt *ctxt;
491 /* Refuse to start if we don't have PAM enabled */
492 if (!options.use_pam)
496 if (sshpam_init(authctxt->user) == -1) {
497 error("PAM: initialization failed");
501 ctxt = xmalloc(sizeof *ctxt);
502 memset(ctxt, 0, sizeof(*ctxt));
504 /* Start the authentication thread */
505 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
506 error("PAM: failed create sockets: %s", strerror(errno));
510 ctxt->pam_psock = socks[0];
511 ctxt->pam_csock = socks[1];
512 if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
513 error("PAM: failed to start authentication thread: %s",
525 sshpam_query(void *ctx, char **name, char **info,
526 u_int *num, char ***prompts, u_int **echo_on)
529 struct pam_ctxt *ctxt = ctx;
535 buffer_init(&buffer);
538 *prompts = xmalloc(sizeof(char *));
541 *echo_on = xmalloc(sizeof(u_int));
542 while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
543 type = buffer_get_char(&buffer);
544 msg = buffer_get_string(&buffer, NULL);
546 case PAM_PROMPT_ECHO_ON:
547 case PAM_PROMPT_ECHO_OFF:
549 len = plen + strlen(msg) + 1;
550 **prompts = xrealloc(**prompts, len);
551 plen += snprintf(**prompts + plen, len, "%s", msg);
552 **echo_on = (type == PAM_PROMPT_ECHO_ON);
557 /* accumulate messages */
558 len = plen + strlen(msg) + 2;
559 **prompts = xrealloc(**prompts, len);
560 plen += snprintf(**prompts + plen, len, "%s\n", msg);
565 if (**prompts != NULL) {
566 /* drain any accumulated messages */
567 debug("PAM: %s", **prompts);
568 buffer_append(&loginmsg, **prompts,
573 if (type == PAM_SUCCESS) {
574 import_environments(&buffer);
581 error("PAM: %s", msg);
594 /* XXX - see also comment in auth-chall.c:verify_response */
596 sshpam_respond(void *ctx, u_int num, char **resp)
599 struct pam_ctxt *ctxt = ctx;
601 debug2("PAM: %s", __func__);
602 switch (ctxt->pam_done) {
604 sshpam_authenticated = 1;
612 error("PAM: expected one response, got %u", num);
615 buffer_init(&buffer);
616 buffer_put_cstring(&buffer, *resp);
617 if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
618 buffer_free(&buffer);
621 buffer_free(&buffer);
626 sshpam_free_ctx(void *ctxtp)
628 struct pam_ctxt *ctxt = ctxtp;
630 sshpam_thread_cleanup();
633 * We don't call sshpam_cleanup() here because we may need the PAM
634 * handle at a later stage, e.g. when setting up a session. It's
635 * still on the cleanup list, so pam_end() *will* be called before
636 * the server process terminates.
640 KbdintDevice sshpam_device = {
648 KbdintDevice mm_sshpam_device = {
657 * This replaces auth-pam.c
660 start_pam(const char *user)
662 if (!options.use_pam)
663 fatal("PAM: initialisation requested when UsePAM=no");
665 if (sshpam_init(user) == -1)
666 fatal("PAM: initialisation failed");
678 if (sshpam_account_status != -1)
679 return (sshpam_account_status);
681 sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
682 debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err);
684 if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
685 sshpam_account_status = 0;
686 return (sshpam_account_status);
689 if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
690 pam_password_change_required(1);
692 sshpam_account_status = 1;
693 return (sshpam_account_status);
697 do_pam_set_tty(const char *tty)
700 debug("PAM: setting PAM_TTY to \"%s\"", tty);
701 sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
702 if (sshpam_err != PAM_SUCCESS)
703 fatal("PAM: failed to set PAM_TTY: %s",
704 pam_strerror(sshpam_handle, sshpam_err));
709 do_pam_setcred(int init)
711 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
712 (const void *)&null_conv);
713 if (sshpam_err != PAM_SUCCESS)
714 fatal("PAM: failed to set PAM_CONV: %s",
715 pam_strerror(sshpam_handle, sshpam_err));
717 debug("PAM: establishing credentials");
718 sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
720 debug("PAM: reinitializing credentials");
721 sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
723 if (sshpam_err == PAM_SUCCESS) {
724 sshpam_cred_established = 1;
727 if (sshpam_authenticated)
728 fatal("PAM: pam_setcred(): %s",
729 pam_strerror(sshpam_handle, sshpam_err));
731 debug("PAM: pam_setcred(): %s",
732 pam_strerror(sshpam_handle, sshpam_err));
736 is_pam_password_change_required(void)
738 return (sshpam_new_authtok_reqd);
742 pam_tty_conv(int n, const struct pam_message **msg,
743 struct pam_response **resp, void *data)
745 char input[PAM_MAX_MSG_SIZE];
746 struct pam_response *reply;
751 if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
752 return (PAM_CONV_ERR);
754 if ((reply = malloc(n * sizeof(*reply))) == NULL)
755 return (PAM_CONV_ERR);
756 memset(reply, 0, n * sizeof(*reply));
758 for (i = 0; i < n; ++i) {
759 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
760 case PAM_PROMPT_ECHO_OFF:
762 read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
764 reply[i].resp_retcode = PAM_SUCCESS;
766 case PAM_PROMPT_ECHO_ON:
767 fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
768 fgets(input, sizeof input, stdin);
769 reply[i].resp = xstrdup(input);
770 reply[i].resp_retcode = PAM_SUCCESS;
774 fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
775 reply[i].resp_retcode = PAM_SUCCESS;
782 return (PAM_SUCCESS);
785 for(i = 0; i < n; i++) {
786 if (reply[i].resp != NULL)
787 xfree(reply[i].resp);
790 return (PAM_CONV_ERR);
793 static struct pam_conv tty_conv = { pam_tty_conv, NULL };
796 * XXX this should be done in the authentication phase, but ssh1 doesn't
800 do_pam_chauthtok(void)
803 fatal("Password expired (unable to change with privsep)");
804 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
805 (const void *)&tty_conv);
806 if (sshpam_err != PAM_SUCCESS)
807 fatal("PAM: failed to set PAM_CONV: %s",
808 pam_strerror(sshpam_handle, sshpam_err));
809 debug("PAM: changing password");
810 sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
811 if (sshpam_err != PAM_SUCCESS)
812 fatal("PAM: pam_chauthtok(): %s",
813 pam_strerror(sshpam_handle, sshpam_err));
819 sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
820 (const void *)&tty_conv);
821 if (sshpam_err != PAM_SUCCESS)
822 fatal("PAM: failed to set PAM_CONV: %s",
823 pam_strerror(sshpam_handle, sshpam_err));
824 sshpam_err = pam_open_session(sshpam_handle, 0);
825 if (sshpam_err != PAM_SUCCESS)
826 fatal("PAM: pam_open_session(): %s",
827 pam_strerror(sshpam_handle, sshpam_err));
828 sshpam_session_open = 1;
832 * Set a PAM environment string. We need to do this so that the session
833 * modules can handle things like Kerberos/GSI credentials that appear
834 * during the ssh authentication process.
837 do_pam_putenv(char *name, char *value)
840 #ifdef HAVE_PAM_PUTENV
844 len = strlen(name) + strlen(value) + 2;
845 compound = xmalloc(len);
847 snprintf(compound, len, "%s=%s", name, value);
848 ret = pam_putenv(sshpam_handle, compound);
856 print_pam_messages(void)
862 fetch_pam_child_environment(void)
868 fetch_pam_environment(void)
870 return (pam_getenvlist(sshpam_handle));
874 free_pam_environment(char **env)
881 for (envp = env; *envp; envp++)