source/web_server/pam.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    PAM Password checking
   4    Copyright (C) Andrew Tridgell 1992-2001
   5    Copyright (C) John H Terpsta 1999-2001
   6    Copyright (C) Andrew Bartlett 2001
   7    Copyright (C) Jeremy Allison 2001
   8    Copyright (C) Simo Sorce 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 2 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 /*
  26  * This module provides PAM based functions for validation of
  27  * username/password pairs.
  28  * Note: This module is a stripped down version of pampass.c of samba 3
  29  *       It has been adapted to perform only pam auth checks and code has
  30  *       been shaped out to meet samba4 coding stile
  31  */
  32
  33 #include "includes.h"
  34
  35 #ifdef HAVE_SECURITY_PAM_APPL_H
  36
  37 /*******************************************************************
  38  * Handle PAM authentication
  39  *      - Access, Authentication, Session, Password
  40  *   Note: See PAM Documentation and refer to local system PAM implementation
  41  *   which determines what actions/limitations/allowances become affected.
  42  *********************************************************************/
  43
  44 #include <security/pam_appl.h>
  45
  46 /*
  47  * Structure used to communicate between the conversation function
  48  * and the server_login/change password functions.
  49  */
  50
  51 struct smb_pam_userdata {
  52         const char *PAM_username;
  53         const char *PAM_password;
  54 };
  55
  56 typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
  57
  58 /*******************************************************************
  59  PAM error handler.
  60  *********************************************************************/
  61
  62 static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
  63 {
  64
  65         if( pam_error != PAM_SUCCESS) {
  66                 DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
  67                                 msg, pam_strerror(pamh, pam_error)));
  68
  69                 return False;
  70         }
  71         return True;
  72 }
  73
  74 /*******************************************************************
  75  This function is a sanity check, to make sure that we NEVER report
  76  failure as sucess.
  77 *********************************************************************/
  78
  79 static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
  80                                             const char *msg, int dbglvl,
  81                                             NTSTATUS *nt_status)
  82 {
  83         *nt_status = pam_to_nt_status(pam_error);
  84
  85         if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
  86                 return True;
  87
  88         if (NT_STATUS_IS_OK(*nt_status)) {
  89                 /* Complain LOUDLY */
  90                 DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
  91 error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
  92                 *nt_status = NT_STATUS_LOGON_FAILURE;
  93         }
  94         return False;
  95 }
  96
  97 /*
  98  * PAM conversation function
  99  * Here we assume (for now, at least) that echo on means login name, and
 100  * echo off means password.
 101  */
 102
 103 static int smb_pam_conv(int num_msg,
 104                     const struct pam_message **msg,
 105                     struct pam_response **resp,
 106                     void *appdata_ptr)
 107 {
 108         int replies = 0;
 109         struct pam_response *reply = NULL;
 110         struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
 111
 112         *resp = NULL;
 113
 114         if (num_msg <= 0)
 115                 return PAM_CONV_ERR;
 116
 117         /*
 118          * Apparantly HPUX has a buggy PAM that doesn't support the
 119          * appdata_ptr. Fail if this is the case. JRA.
 120          */
 121
 122         if (udp == NULL) {
 123                 DEBUG(0,("smb_pam_conv: PAM on this system is broken - appdata_ptr == NULL !\n"));
 124                 return PAM_CONV_ERR;
 125         }
 126
 127         reply = malloc_array_p(struct pam_response, num_msg);
 128         if (!reply)
 129                 return PAM_CONV_ERR;
 130
 131         memset(reply, '\0', sizeof(struct pam_response) * num_msg);
 132
 133         for (replies = 0; replies < num_msg; replies++) {
 134                 switch (msg[replies]->msg_style) {
 135                         case PAM_PROMPT_ECHO_ON:
 136                                 reply[replies].resp_retcode = PAM_SUCCESS;
 137                                 reply[replies].resp = strdup(udp->PAM_username);
 138                                 /* PAM frees resp */
 139                                 break;
 140
 141                         case PAM_PROMPT_ECHO_OFF:
 142                                 reply[replies].resp_retcode = PAM_SUCCESS;
 143                                 reply[replies].resp = strdup(udp->PAM_password);
 144                                 /* PAM frees resp */
 145                                 break;
 146
 147                         case PAM_TEXT_INFO:
 148                                 /* fall through */
 149
 150                         case PAM_ERROR_MSG:
 151                                 /* ignore it... */
 152                                 reply[replies].resp_retcode = PAM_SUCCESS;
 153                                 reply[replies].resp = NULL;
 154                                 break;
 155
 156                         default:
 157                                 /* Must be an error of some sort... */
 158                                 if (reply)
 159                                         free(reply);
 160                                 return PAM_CONV_ERR;
 161                 }
 162         }
 163         if (reply)
 164                 *resp = reply;
 165         return PAM_SUCCESS;
 166 }
 167
 168 /***************************************************************************
 169  Allocate a pam_conv struct.
 170 ****************************************************************************/
 171
 172 static struct pam_conv *smb_setup_pam_conv(TALLOC_CTX *ctx,
 173                                            smb_pam_conv_fn smb_pam_conv_fnptr,
 174                                            const char *username, const char *password)
 175 {
 176         struct pam_conv *pconv;
 177         struct smb_pam_userdata *udp;
 178
 179         pconv = talloc(ctx, struct pam_conv);
 180         if (pconv == NULL)
 181                 return NULL;
 182
 183         udp = talloc(ctx, struct smb_pam_userdata);
 184         if (udp == NULL)
 185                 return NULL;
 186
 187         udp->PAM_username = username;
 188         udp->PAM_password = password;
 189
 190         pconv->conv = smb_pam_conv_fnptr;
 191         pconv->appdata_ptr = (void *)udp;
 192
 193         return pconv;
 194 }
 195
 196 /*
 197  * PAM Closing out cleanup handler
 198  */
 199
 200 static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
 201 {
 202         int pam_error;
 203
 204         if( pamh != NULL ) {
 205                 pam_error = pam_end(pamh, 0);
 206                 if(smb_pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
 207                         DEBUG(4, ("smb_pam_end: PAM: PAM_END OK.\n"));
 208                         return True;
 209                 }
 210         }
 211         DEBUG(2,("smb_pam_end: PAM: not initialised"));
 212         return False;
 213 }
 214
 215 /*
 216  * Start PAM authentication for specified account
 217  */
 218
 219 static BOOL smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
 220 {
 221         int pam_error;
 222         const char *our_rhost;
 223
 224         if (user == NULL || rhost == NULL || pconv == NULL) {
 225                 return False;
 226         }
 227
 228         *pamh = (pam_handle_t *)NULL;
 229
 230         DEBUG(4,("smb_pam_start: PAM: Init user: %s\n", user));
 231
 232         pam_error = pam_start("samba", user, pconv, pamh);
 233         if( !smb_pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
 234                 *pamh = (pam_handle_t *)NULL;
 235                 return False;
 236         }
 237
 238 #ifdef PAM_RHOST
 239         DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
 240         pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
 241         if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
 242                 smb_pam_end(*pamh, pconv);
 243                 *pamh = (pam_handle_t *)NULL;
 244                 return False;
 245         }
 246 #endif
 247 #ifdef PAM_TTY
 248         DEBUG(4,("smb_pam_start: PAM: setting tty\n"));
 249         pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
 250         if (!smb_pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
 251                 smb_pam_end(*pamh, pconv);
 252                 *pamh = (pam_handle_t *)NULL;
 253                 return False;
 254         }
 255 #endif
 256         DEBUG(4,("smb_pam_start: PAM: Init passed for user: %s\n", user));
 257         return True;
 258 }
 259
 260 /*
 261  * PAM Authentication Handler
 262  */
 263 static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
 264 {
 265         int pam_error;
 266         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 267
 268         /*
 269          * To enable debugging set in /etc/pam.d/samba:
 270          *      auth required /lib/security/pam_pwdb.so nullok shadow audit
 271          */
 272
 273         DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
 274         pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
 275         switch( pam_error ){
 276                 case PAM_AUTH_ERR:
 277                         DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user));
 278                         break;
 279                 case PAM_CRED_INSUFFICIENT:
 280                         DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
 281                         break;
 282                 case PAM_AUTHINFO_UNAVAIL:
 283                         DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
 284                         break;
 285                 case PAM_USER_UNKNOWN:
 286                         DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
 287                         break;
 288                 case PAM_MAXTRIES:
 289                         DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
 290                         break;
 291                 case PAM_ABORT:
 292                         DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
 293                         break;
 294                 case PAM_SUCCESS:
 295                         DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
 296                         break;
 297                 default:
 298                         DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
 299                         break;
 300         }
 301
 302         smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
 303         return nt_status;
 304 }
 305
 306 /*
 307  * PAM Password Validation Suite
 308  */
 309
 310 NTSTATUS unix_passcheck(TALLOC_CTX *ctx, const char *client, const char *username, const char *password)
 311 {
 312         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 313         pam_handle_t *pamh = NULL;
 314         struct pam_conv *pconv = NULL;
 315
 316         if ((pconv = smb_setup_pam_conv(ctx, smb_pam_conv, username, password)) == NULL)
 317                 return nt_status;
 318
 319         if (!smb_pam_start(&pamh, username, client, pconv)) {
 320                 talloc_free(pconv);
 321                 return nt_status;
 322         }
 323
 324         if (!NT_STATUS_IS_OK(nt_status = smb_pam_auth(pamh, username))) {
 325                 DEBUG(0, ("smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User %s !\n", username));
 326         }
 327
 328         smb_pam_end(pamh, pconv);
 329         talloc_free(pconv);
 330
 331         return nt_status;
 332 }
 333
 334 #else
 335
 336 NTSTATUS unix_passcheck(TALLOC_CTX *ctx, const char *client, const char *username, const char *password)
 337 {
 338         return NT_STATUS_LOGON_FAILURE;
 339 }
 340
 341 #endif /* WITH_PAM */