svn commit: r245089 - stable/9/usr.sbin/gssd
Rick Macklem
rmacklem at FreeBSD.org
Sun Jan 6 01:41:15 UTC 2013
Author: rmacklem
Date: Sun Jan 6 01:41:14 2013
New Revision: 245089
URL: http://svnweb.freebsd.org/changeset/base/245089
Log:
MFC: r244604, r244638, r245014
It was reported via email that some sshds create kerberos
credential cache files with names other than /tmp/krb5cc_<uid>.
The gssd daemon does not know how to find these credential caches.
This patch implements a new option "-s" that does a search for
credential cache files, using roughly the same algorithm as the
gssd daemon for Linux uses. The gssd behaviour is only changed
if the new "-s" option is specified.
Modified:
stable/9/usr.sbin/gssd/Makefile
stable/9/usr.sbin/gssd/gssd.c
Directory Properties:
stable/9/usr.sbin/gssd/ (props changed)
Modified: stable/9/usr.sbin/gssd/Makefile
==============================================================================
--- stable/9/usr.sbin/gssd/Makefile Sun Jan 6 01:17:58 2013 (r245088)
+++ stable/9/usr.sbin/gssd/Makefile Sun Jan 6 01:41:14 2013 (r245089)
@@ -1,5 +1,7 @@
# $FreeBSD$
+.include <bsd.own.mk>
+
PROG= gssd
MAN= gssd.8
SRCS= gssd.c gssd.h gssd_svc.c gssd_xdr.c gssd_prot.c
@@ -9,6 +11,12 @@ WARNS?= 1
DPADD= ${LIBGSSAPI}
LDADD= -lgssapi
+.if ${MK_KERBEROS_SUPPORT} != "no"
+DPADD+= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
+LDADD+= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto
+.else
+CFLAGS+= -DWITHOUT_KERBEROS
+.endif
CLEANFILES= gssd_svc.c gssd.h
Modified: stable/9/usr.sbin/gssd/gssd.c
==============================================================================
--- stable/9/usr.sbin/gssd/gssd.c Sun Jan 6 01:17:58 2013 (r245088)
+++ stable/9/usr.sbin/gssd/gssd.c Sun Jan 6 01:41:14 2013 (r245089)
@@ -35,7 +35,11 @@ __FBSDID("$FreeBSD$");
#include <sys/queue.h>
#include <sys/syslog.h>
#include <ctype.h>
+#include <dirent.h>
#include <err.h>
+#ifndef WITHOUT_KERBEROS
+#include <krb5.h>
+#endif
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
@@ -64,8 +68,12 @@ int gss_resource_count;
uint32_t gss_next_id;
uint32_t gss_start_time;
int debug_level;
+static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
+static char pref_realm[1024];
static void gssd_load_mech(void);
+static int find_ccache_file(const char *, uid_t, char *);
+static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
extern int gssd_syscall(char *path);
@@ -82,14 +90,50 @@ main(int argc, char **argv)
int fd, oldmask, ch, debug;
SVCXPRT *xprt;
+ /*
+ * Initialize the credential cache file name substring and the
+ * search directory list.
+ */
+ strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring));
+ ccfile_dirlist[0] = '\0';
+ pref_realm[0] = '\0';
debug = 0;
- while ((ch = getopt(argc, argv, "d")) != -1) {
+ while ((ch = getopt(argc, argv, "ds:c:r:")) != -1) {
switch (ch) {
case 'd':
debug_level++;
break;
+ case 's':
+#ifndef WITHOUT_KERBEROS
+ /*
+ * Set the directory search list. This enables use of
+ * find_ccache_file() to search the directories for a
+ * suitable credentials cache file.
+ */
+ strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist));
+#else
+ errx(1, "This option not available when built"
+ " without MK_KERBEROS\n");
+#endif
+ break;
+ case 'c':
+ /*
+ * Specify a non-default credential cache file
+ * substring.
+ */
+ strlcpy(ccfile_substring, optarg,
+ sizeof(ccfile_substring));
+ break;
+ case 'r':
+ /*
+ * Set the preferred realm for the credential cache tgt.
+ */
+ strlcpy(pref_realm, optarg, sizeof(pref_realm));
+ break;
default:
- fprintf(stderr, "usage: %s [-d]\n", argv[0]);
+ fprintf(stderr,
+ "usage: %s [-d] [-s dir-list] [-c file-substring]"
+ " [-r preferred-realm]\n", argv[0]);
exit(1);
break;
}
@@ -267,13 +311,52 @@ gssd_init_sec_context_1_svc(init_sec_con
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_name_t name = GSS_C_NO_NAME;
- char ccname[strlen("FILE:/tmp/krb5cc_") + 6 + 1];
+ char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
+ int gotone;
- snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
- (int) argp->uid);
+ memset(result, 0, sizeof(*result));
+ if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
+ /*
+ * For the "-s" case and no credentials provided as an
+ * argument, search the directory list for an appropriate
+ * credential cache file. If the search fails, return failure.
+ */
+ gotone = 0;
+ cp = ccfile_dirlist;
+ do {
+ cp2 = strchr(cp, ':');
+ if (cp2 != NULL)
+ *cp2 = '\0';
+ gotone = find_ccache_file(cp, argp->uid, ccname);
+ if (gotone != 0)
+ break;
+ if (cp2 != NULL)
+ *cp2++ = ':';
+ cp = cp2;
+ } while (cp != NULL && *cp != '\0');
+ if (gotone == 0) {
+ result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ return (TRUE);
+ }
+ } else {
+ /*
+ * If there wasn't a "-s" option or the credentials have
+ * been provided as an argument, do it the old way.
+ * When credentials are provided, the uid should be root.
+ */
+ if (argp->cred != 0 && argp->uid != 0) {
+ if (debug_level == 0)
+ syslog(LOG_ERR, "gss_init_sec_context:"
+ " cred for non-root");
+ else
+ fprintf(stderr, "gss_init_sec_context:"
+ " cred for non-root\n");
+ }
+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
+ (int) argp->uid);
+ }
setenv("KRB5CCNAME", ccname, TRUE);
- memset(result, 0, sizeof(*result));
if (argp->cred) {
cred = gssd_find_resource(argp->cred);
if (!cred) {
@@ -296,7 +379,6 @@ gssd_init_sec_context_1_svc(init_sec_con
}
}
- memset(result, 0, sizeof(*result));
result->major_status = gss_init_sec_context(&result->minor_status,
cred, &ctx, name, argp->mech_type,
argp->req_flags, argp->time_req, argp->input_chan_bindings,
@@ -516,13 +598,53 @@ gssd_acquire_cred_1_svc(acquire_cred_arg
{
gss_name_t desired_name = GSS_C_NO_NAME;
gss_cred_id_t cred;
- char ccname[strlen("FILE:/tmp/krb5cc_") + 6 + 1];
+ char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
+ int gotone;
- snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
- (int) argp->uid);
+ memset(result, 0, sizeof(*result));
+ if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
+ /*
+ * For the "-s" case and no name provided as an
+ * argument, search the directory list for an appropriate
+ * credential cache file. If the search fails, return failure.
+ */
+ gotone = 0;
+ cp = ccfile_dirlist;
+ do {
+ cp2 = strchr(cp, ':');
+ if (cp2 != NULL)
+ *cp2 = '\0';
+ gotone = find_ccache_file(cp, argp->uid, ccname);
+ if (gotone != 0)
+ break;
+ if (cp2 != NULL)
+ *cp2++ = ':';
+ cp = cp2;
+ } while (cp != NULL && *cp != '\0');
+ if (gotone == 0) {
+ result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ return (TRUE);
+ }
+ } else {
+ /*
+ * If there wasn't a "-s" option or the name has
+ * been provided as an argument, do it the old way.
+ * When a name is provided, it will normally exist in the
+ * default keytab file and the uid will be root.
+ */
+ if (argp->desired_name != 0 && argp->uid != 0) {
+ if (debug_level == 0)
+ syslog(LOG_ERR, "gss_acquire_cred:"
+ " principal_name for non-root");
+ else
+ fprintf(stderr, "gss_acquire_cred:"
+ " principal_name for non-root\n");
+ }
+ snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
+ (int) argp->uid);
+ }
setenv("KRB5CCNAME", ccname, TRUE);
- memset(result, 0, sizeof(*result));
if (argp->desired_name) {
desired_name = gssd_find_resource(argp->desired_name);
if (!desired_name) {
@@ -631,3 +753,176 @@ gssd_1_freeresult(SVCXPRT *transp, xdrpr
return (TRUE);
}
+
+/*
+ * Search a directory for the most likely candidate to be used as the
+ * credential cache for a uid. If successful, return 1 and fill the
+ * file's path id into "rpath". Otherwise, return 0.
+ */
+static int
+find_ccache_file(const char *dirpath, uid_t uid, char *rpath)
+{
+ DIR *dirp;
+ struct dirent *dp;
+ struct stat sb;
+ time_t exptime, oexptime;
+ int gotone, len, rating, orating;
+ char namepath[PATH_MAX + 5 + 1];
+ char retpath[PATH_MAX + 5 + 1];
+
+ dirp = opendir(dirpath);
+ if (dirp == NULL)
+ return (0);
+ gotone = 0;
+ orating = 0;
+ oexptime = 0;
+ while ((dp = readdir(dirp)) != NULL) {
+ len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath,
+ dp->d_name);
+ if (len < sizeof(namepath) &&
+ strstr(dp->d_name, ccfile_substring) != NULL &&
+ lstat(namepath, &sb) >= 0 &&
+ sb.st_uid == uid &&
+ S_ISREG(sb.st_mode)) {
+ len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s",
+ dirpath, dp->d_name);
+ if (len < sizeof(namepath) &&
+ is_a_valid_tgt_cache(namepath, uid, &rating,
+ &exptime) != 0) {
+ if (gotone == 0 || rating > orating ||
+ (rating == orating && exptime > oexptime)) {
+ orating = rating;
+ oexptime = exptime;
+ strcpy(retpath, namepath);
+ gotone = 1;
+ }
+ }
+ }
+ }
+ closedir(dirp);
+ if (gotone != 0) {
+ strcpy(rpath, retpath);
+ return (1);
+ }
+ return (0);
+}
+
+/*
+ * Try to determine if the file is a valid tgt cache file.
+ * Check that the file has a valid tgt for a principal.
+ * If it does, return 1, otherwise return 0.
+ * It also returns a "rating" and the expiry time for the TGT, when found.
+ * This "rating" is higher based on heuristics that make it more
+ * likely to be the correct credential cache file to use. It can
+ * be used by the caller, along with expiry time, to select from
+ * multiple credential cache files.
+ */
+static int
+is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
+ time_t *retexptime)
+{
+#ifndef WITHOUT_KERBEROS
+ krb5_context context;
+ krb5_principal princ;
+ krb5_ccache ccache;
+ krb5_error_code retval;
+ krb5_cc_cursor curse;
+ krb5_creds krbcred;
+ int gotone, orating, rating, ret;
+ struct passwd *pw;
+ char *cp, *cp2, *pname;
+ time_t exptime;
+
+ /* Find a likely name for the uid principal. */
+ pw = getpwuid(uid);
+
+ /*
+ * Do a bunch of krb5 library stuff to try and determine if
+ * this file is a credentials cache with an appropriate TGT
+ * in it.
+ */
+ retval = krb5_init_context(&context);
+ if (retval != 0)
+ return (0);
+ retval = krb5_cc_resolve(context, filepath, &ccache);
+ if (retval != 0) {
+ krb5_free_context(context);
+ return (0);
+ }
+ ret = 0;
+ orating = 0;
+ exptime = 0;
+ retval = krb5_cc_start_seq_get(context, ccache, &curse);
+ if (retval == 0) {
+ while ((retval = krb5_cc_next_cred(context, ccache, &curse,
+ &krbcred)) == 0) {
+ gotone = 0;
+ rating = 0;
+ retval = krb5_unparse_name(context, krbcred.server,
+ &pname);
+ if (retval == 0) {
+ cp = strchr(pname, '/');
+ if (cp != NULL) {
+ *cp++ = '\0';
+ if (strcmp(pname, "krbtgt") == 0 &&
+ krbcred.times.endtime > time(NULL)
+ ) {
+ gotone = 1;
+ /*
+ * Test to see if this is a
+ * tgt for cross-realm auth.
+ * Rate it higher, if it is not.
+ */
+ cp2 = strchr(cp, '@');
+ if (cp2 != NULL) {
+ *cp2++ = '\0';
+ if (strcmp(cp, cp2) ==
+ 0)
+ rating++;
+ }
+ }
+ }
+ free(pname);
+ }
+ if (gotone != 0) {
+ retval = krb5_unparse_name(context,
+ krbcred.client, &pname);
+ if (retval == 0) {
+ cp = strchr(pname, '@');
+ if (cp != NULL) {
+ *cp++ = '\0';
+ if (pw != NULL && strcmp(pname,
+ pw->pw_name) == 0)
+ rating++;
+ if (strchr(pname, '/') == NULL)
+ rating++;
+ if (pref_realm[0] != '\0' &&
+ strcmp(cp, pref_realm) == 0)
+ rating++;
+ }
+ }
+ free(pname);
+ if (rating > orating) {
+ orating = rating;
+ exptime = krbcred.times.endtime;
+ } else if (rating == orating &&
+ krbcred.times.endtime > exptime)
+ exptime = krbcred.times.endtime;
+ ret = 1;
+ }
+ krb5_free_cred_contents(context, &krbcred);
+ }
+ krb5_cc_end_seq_get(context, ccache, &curse);
+ }
+ krb5_cc_close(context, ccache);
+ krb5_free_context(context);
+ if (ret != 0) {
+ *retrating = orating;
+ *retexptime = exptime;
+ }
+ return (ret);
+#else /* WITHOUT_KERBEROS */
+ return (0);
+#endif /* !WITHOUT_KERBEROS */
+}
+
More information about the svn-src-stable-9
mailing list