2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
5 * Authors: Doug Rabson <dfr@rabson.org>
6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/param.h>
32 #include <sys/linker.h>
33 #include <sys/module.h>
34 #include <sys/queue.h>
35 #include <sys/socket.h>
36 #include <sys/sysctl.h>
37 #include <sys/syslog.h>
42 #ifndef WITHOUT_KERBEROS
53 #include <arpa/inet.h>
54 #include <netinet/in.h>
55 #include <gssapi/gssapi.h>
57 #include <rpc/rpc_com.h>
61 #ifndef _PATH_GSS_MECH
62 #define _PATH_GSS_MECH "/etc/gss/mech"
64 #ifndef _PATH_GSSDSOCK
65 #define _PATH_GSSDSOCK "/var/run/gssd.sock"
67 #define GSSD_CREDENTIAL_CACHE_FILE "/tmp/krb5cc_gssd"
70 LIST_ENTRY(gss_resource) gr_link;
71 uint64_t gr_id; /* identifier exported to kernel */
72 void* gr_res; /* GSS-API resource pointer */
74 LIST_HEAD(gss_resource_list, gss_resource) gss_resources;
75 int gss_resource_count;
77 uint32_t gss_start_time;
79 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
80 static char pref_realm[1024];
82 static int hostbased_initiator_cred;
83 #ifndef WITHOUT_KERBEROS
84 /* 1.2.752.43.13.14 */
85 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
86 {6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
87 static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
88 &gss_krb5_set_allowable_enctypes_x_desc;
89 static gss_OID_desc gss_krb5_mech_oid_x_desc =
90 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
91 static gss_OID GSS_KRB5_MECH_OID_X =
92 &gss_krb5_mech_oid_x_desc;
95 static void gssd_load_mech(void);
96 static int find_ccache_file(const char *, uid_t, char *);
97 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
98 static void gssd_verbose_out(const char *, ...);
99 #ifndef WITHOUT_KERBEROS
100 static krb5_error_code gssd_get_cc_from_keytab(const char *);
101 static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *);
103 void gssd_terminate(int);
105 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
106 extern int gssd_syscall(char *path);
109 main(int argc, char **argv)
112 * We provide an RPC service on a local-domain socket. The
113 * kernel's GSS-API code will pass what it can't handle
116 struct sockaddr_un sun;
117 int fd, oldmask, ch, debug, jailed;
122 * Initialize the credential cache file name substring and the
123 * search directory list.
125 strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring));
126 ccfile_dirlist[0] = '\0';
127 pref_realm[0] = '\0';
130 while ((ch = getopt(argc, argv, "dhvs:c:r:")) != -1) {
136 #ifndef WITHOUT_KERBEROS
138 * Enable use of a host based initiator credential
139 * in the default keytab file.
141 hostbased_initiator_cred = 1;
143 errx(1, "This option not available when built"
144 " without MK_KERBEROS\n");
151 #ifndef WITHOUT_KERBEROS
153 * Set the directory search list. This enables use of
154 * find_ccache_file() to search the directories for a
155 * suitable credentials cache file.
157 strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist));
159 errx(1, "This option not available when built"
160 " without MK_KERBEROS\n");
165 * Specify a non-default credential cache file
168 strlcpy(ccfile_substring, optarg,
169 sizeof(ccfile_substring));
173 * Set the preferred realm for the credential cache tgt.
175 strlcpy(pref_realm, optarg, sizeof(pref_realm));
179 "usage: %s [-d] [-s dir-list] [-c file-substring]"
180 " [-r preferred-realm]\n", argv[0]);
189 if (daemon(0, 0) != 0)
190 err(1, "Can't daemonize");
191 signal(SIGINT, SIG_IGN);
192 signal(SIGQUIT, SIG_IGN);
193 signal(SIGHUP, SIG_IGN);
195 signal(SIGTERM, gssd_terminate);
196 signal(SIGPIPE, gssd_terminate);
198 memset(&sun, 0, sizeof sun);
199 sun.sun_family = AF_LOCAL;
200 unlink(_PATH_GSSDSOCK);
201 strcpy(sun.sun_path, _PATH_GSSDSOCK);
202 sun.sun_len = SUN_LEN(&sun);
203 fd = socket(AF_LOCAL, SOCK_STREAM, 0);
205 if (debug_level == 0) {
206 syslog(LOG_ERR, "Can't create local gssd socket");
209 err(1, "Can't create local gssd socket");
211 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
212 if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) {
213 if (debug_level == 0) {
214 syslog(LOG_ERR, "Can't bind local gssd socket");
217 err(1, "Can't bind local gssd socket");
220 if (listen(fd, SOMAXCONN) < 0) {
221 if (debug_level == 0) {
222 syslog(LOG_ERR, "Can't listen on local gssd socket");
225 err(1, "Can't listen on local gssd socket");
227 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE);
229 if (debug_level == 0) {
231 "Can't create transport for local gssd socket");
234 err(1, "Can't create transport for local gssd socket");
236 if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) {
237 if (debug_level == 0) {
239 "Can't register service for local gssd socket");
242 err(1, "Can't register service for local gssd socket");
245 LIST_INIT(&gss_resources);
247 gss_start_time = time(0);
249 if (gssd_syscall(_PATH_GSSDSOCK) < 0) {
251 if (errno == EPERM) {
252 jailed_size = sizeof(jailed);
253 sysctlbyname("security.jail.jailed", &jailed,
254 &jailed_size, NULL, 0);
256 if (debug_level == 0) {
258 syslog(LOG_ERR, "Cannot start gssd."
259 " allow.nfsd must be configured");
261 syslog(LOG_ERR, "Cannot start gssd");
265 err(1, "Cannot start gssd."
266 " allow.nfsd must be configured");
268 err(1, "Cannot start gssd");
282 char *name, *oid, *lib, *kobj;
284 fp = fopen(_PATH_GSS_MECH, "r");
288 while (fgets(buf, sizeof(buf), fp)) {
292 name = strsep(&p, "\t\n ");
293 if (p) while (isspace(*p)) p++;
294 oid = strsep(&p, "\t\n ");
295 if (p) while (isspace(*p)) p++;
296 lib = strsep(&p, "\t\n ");
297 if (p) while (isspace(*p)) p++;
298 kobj = strsep(&p, "\t\n ");
299 if (!name || !oid || !lib || !kobj)
302 if (strcmp(kobj, "-")) {
304 * Attempt to load the kernel module if its
305 * not already present.
307 if (modfind(kobj) < 0) {
308 if (kldload(kobj) < 0) {
310 "%s: can't find or load kernel module %s for %s\n",
311 getprogname(), kobj, name);
320 gssd_find_resource(uint64_t id)
322 struct gss_resource *gr;
327 LIST_FOREACH(gr, &gss_resources, gr_link)
335 gssd_make_resource(void *res)
337 struct gss_resource *gr;
342 gr = malloc(sizeof(struct gss_resource));
345 gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32);
347 LIST_INSERT_HEAD(&gss_resources, gr, gr_link);
348 gss_resource_count++;
350 printf("%d resources allocated\n", gss_resource_count);
356 gssd_delete_resource(uint64_t id)
358 struct gss_resource *gr;
360 LIST_FOREACH(gr, &gss_resources, gr_link) {
361 if (gr->gr_id == id) {
362 LIST_REMOVE(gr, gr_link);
364 gss_resource_count--;
366 printf("%d resources allocated\n",
374 gssd_verbose_out(const char *fmt, ...)
380 if (debug_level == 0)
381 vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap);
383 vfprintf(stderr, fmt, ap);
389 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp)
392 gssd_verbose_out("gssd_null: done\n");
397 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp)
399 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
400 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
401 gss_name_t name = GSS_C_NO_NAME;
402 char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
405 #ifndef WITHOUT_KERBEROS
406 gss_buffer_desc principal_desc;
407 char enctype[sizeof(uint32_t)];
412 memset(result, 0, sizeof(*result));
413 if (hostbased_initiator_cred != 0 && argp->cred != 0 &&
416 * These credentials are for a host based initiator name
417 * in a keytab file, which should now have credentials
418 * in /tmp/krb5cc_gssd, because gss_acquire_cred() did
419 * the equivalent of "kinit -k".
421 snprintf(ccname, sizeof(ccname), "FILE:%s",
422 GSSD_CREDENTIAL_CACHE_FILE);
423 } else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
425 * For the "-s" case and no credentials provided as an
426 * argument, search the directory list for an appropriate
427 * credential cache file. If the search fails, return failure.
432 cp2 = strchr(cp, ':');
435 gotone = find_ccache_file(cp, argp->uid, ccname);
441 } while (cp != NULL && *cp != '\0');
443 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
444 gssd_verbose_out("gssd_init_sec_context: -s no"
445 " credential cache file found for uid=%d\n",
451 * If there wasn't a "-s" option or the credentials have
452 * been provided as an argument, do it the old way.
453 * When credentials are provided, the uid should be root.
455 if (argp->cred != 0 && argp->uid != 0) {
456 if (debug_level == 0)
457 syslog(LOG_ERR, "gss_init_sec_context:"
458 " cred for non-root");
460 fprintf(stderr, "gss_init_sec_context:"
461 " cred for non-root\n");
463 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
466 setenv("KRB5CCNAME", ccname, TRUE);
469 cred = gssd_find_resource(argp->cred);
471 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
472 gssd_verbose_out("gssd_init_sec_context: cred"
473 " resource not found\n");
478 ctx = gssd_find_resource(argp->ctx);
480 result->major_status = GSS_S_CONTEXT_EXPIRED;
481 gssd_verbose_out("gssd_init_sec_context: context"
482 " resource not found\n");
487 name = gssd_find_resource(argp->name);
489 result->major_status = GSS_S_BAD_NAME;
490 gssd_verbose_out("gssd_init_sec_context: name"
491 " resource not found\n");
497 result->major_status = gss_init_sec_context(&result->minor_status,
498 cred, &ctx, name, argp->mech_type,
499 argp->req_flags, argp->time_req, argp->input_chan_bindings,
500 &argp->input_token, &result->actual_mech_type,
501 &result->output_token, &result->ret_flags, &result->time_rec);
502 gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d"
503 " uid=%d\n", (unsigned int)result->major_status,
504 (int)result->minor_status, (int)argp->uid);
506 gss_release_cred(&min_stat, &cred);
508 if (result->major_status == GSS_S_COMPLETE
509 || result->major_status == GSS_S_CONTINUE_NEEDED) {
511 result->ctx = argp->ctx;
513 result->ctx = gssd_make_resource(ctx);
520 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp)
522 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
523 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
525 gss_cred_id_t delegated_cred_handle;
527 memset(result, 0, sizeof(*result));
529 ctx = gssd_find_resource(argp->ctx);
531 result->major_status = GSS_S_CONTEXT_EXPIRED;
532 gssd_verbose_out("gssd_accept_sec_context: ctx"
533 " resource not found\n");
538 cred = gssd_find_resource(argp->cred);
540 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
541 gssd_verbose_out("gssd_accept_sec_context: cred"
542 " resource not found\n");
547 memset(result, 0, sizeof(*result));
548 result->major_status = gss_accept_sec_context(&result->minor_status,
549 &ctx, cred, &argp->input_token, argp->input_chan_bindings,
550 &src_name, &result->mech_type, &result->output_token,
551 &result->ret_flags, &result->time_rec,
552 &delegated_cred_handle);
553 gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n",
554 (unsigned int)result->major_status, (int)result->minor_status);
556 if (result->major_status == GSS_S_COMPLETE
557 || result->major_status == GSS_S_CONTINUE_NEEDED) {
559 result->ctx = argp->ctx;
561 result->ctx = gssd_make_resource(ctx);
562 result->src_name = gssd_make_resource(src_name);
563 result->delegated_cred_handle =
564 gssd_make_resource(delegated_cred_handle);
571 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp)
573 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
576 result->major_status = gss_delete_sec_context(
577 &result->minor_status, &ctx, &result->output_token);
578 gssd_delete_resource(argp->ctx);
580 result->major_status = GSS_S_COMPLETE;
581 result->minor_status = 0;
583 gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n",
584 (unsigned int)result->major_status, (int)result->minor_status);
590 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp)
592 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
595 result->major_status = gss_export_sec_context(
596 &result->minor_status, &ctx,
597 &result->interprocess_token);
598 result->format = KGSS_HEIMDAL_1_1;
599 gssd_delete_resource(argp->ctx);
601 result->major_status = GSS_S_FAILURE;
602 result->minor_status = 0;
603 result->interprocess_token.length = 0;
604 result->interprocess_token.value = NULL;
606 gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n",
607 (unsigned int)result->major_status, (int)result->minor_status);
613 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp)
617 result->major_status = gss_import_name(&result->minor_status,
618 &argp->input_name_buffer, argp->input_name_type, &name);
619 gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n",
620 (unsigned int)result->major_status, (int)result->minor_status);
622 if (result->major_status == GSS_S_COMPLETE)
623 result->output_name = gssd_make_resource(name);
625 result->output_name = 0;
631 * If the name is a numeric IP host address, do a DNS lookup on it and
632 * return the DNS name in a malloc'd string.
635 gssd_conv_ip_to_dns(int len, char *name)
637 struct sockaddr_in sin;
638 struct sockaddr_in6 sin6;
643 retcp = mem_alloc(NI_MAXHOST);
644 memcpy(retcp, name, len);
646 if (inet_pton(AF_INET, retcp, &sin.sin_addr) != 0) {
647 sin.sin_family = AF_INET;
648 sin.sin_len = sizeof(sin);
650 if (getnameinfo((struct sockaddr *)&sin,
651 sizeof(sin), retcp, NI_MAXHOST,
652 NULL, 0, NI_NAMEREQD) != 0) {
653 mem_free(retcp, NI_MAXHOST);
656 } else if (inet_pton(AF_INET6, retcp, &sin6.sin6_addr) != 0) {
657 sin6.sin6_family = AF_INET6;
658 sin6.sin6_len = sizeof(sin6);
660 if (getnameinfo((struct sockaddr *)&sin6,
661 sizeof(sin6), retcp, NI_MAXHOST,
662 NULL, 0, NI_NAMEREQD) != 0) {
663 mem_free(retcp, NI_MAXHOST);
667 mem_free(retcp, NI_MAXHOST);
670 gssd_verbose_out("gssd_conv_ip_to_dns: %s\n", retcp);
676 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp)
678 gss_name_t name = gssd_find_resource(argp->input_name);
679 gss_name_t output_name;
681 memset(result, 0, sizeof(*result));
683 result->major_status = GSS_S_BAD_NAME;
687 result->major_status = gss_canonicalize_name(&result->minor_status,
688 name, argp->mech_type, &output_name);
689 gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n",
690 (unsigned int)result->major_status, (int)result->minor_status);
692 if (result->major_status == GSS_S_COMPLETE)
693 result->output_name = gssd_make_resource(output_name);
695 result->output_name = 0;
701 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp)
703 gss_name_t name = gssd_find_resource(argp->input_name);
705 memset(result, 0, sizeof(*result));
707 result->major_status = GSS_S_BAD_NAME;
708 gssd_verbose_out("gssd_export_name: name resource not found\n");
712 result->major_status = gss_export_name(&result->minor_status,
713 name, &result->exported_name);
714 gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n",
715 (unsigned int)result->major_status, (int)result->minor_status);
721 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp)
723 gss_name_t name = gssd_find_resource(argp->input_name);
726 result->major_status = gss_release_name(&result->minor_status,
728 gssd_delete_resource(argp->input_name);
730 result->major_status = GSS_S_COMPLETE;
731 result->minor_status = 0;
733 gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n",
734 (unsigned int)result->major_status, (int)result->minor_status);
740 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp)
742 gss_name_t name = gssd_find_resource(argp->pname);
744 char buf[1024], *bufp;
745 struct passwd pwd, *pw;
748 static size_t buflen_hint = 1024;
750 memset(result, 0, sizeof(*result));
752 result->major_status =
753 gss_pname_to_uid(&result->minor_status,
754 name, argp->mech, &uid);
755 if (result->major_status == GSS_S_COMPLETE) {
757 buflen = buflen_hint;
761 if (buflen > sizeof(buf))
762 bufp = malloc(buflen);
765 error = getpwuid_r(uid, &pwd, bufp, buflen,
769 if (buflen > sizeof(buf))
772 if (buflen > buflen_hint)
773 buflen_hint = buflen;
778 result->gid = pw->pw_gid;
779 getgrouplist(pw->pw_name, pw->pw_gid,
781 result->gidlist.gidlist_len = len;
782 result->gidlist.gidlist_val =
783 mem_alloc(len * sizeof(int));
784 memcpy(result->gidlist.gidlist_val, groups,
786 gssd_verbose_out("gssd_pname_to_uid: mapped"
787 " to uid=%d, gid=%d\n", (int)result->uid,
791 result->gidlist.gidlist_len = 0;
792 result->gidlist.gidlist_val = NULL;
793 gssd_verbose_out("gssd_pname_to_uid: mapped"
794 " to uid=%d, but no groups\n",
797 if (bufp != NULL && buflen > sizeof(buf))
800 gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x"
801 " minor=%d\n", (unsigned int)result->major_status,
802 (int)result->minor_status);
804 result->major_status = GSS_S_BAD_NAME;
805 result->minor_status = 0;
806 gssd_verbose_out("gssd_pname_to_uid: no name\n");
813 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp)
815 gss_name_t desired_name = GSS_C_NO_NAME;
817 char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
819 #ifndef WITHOUT_KERBEROS
820 gss_buffer_desc namebuf;
822 krb5_error_code kret;
825 memset(result, 0, sizeof(*result));
826 if (argp->desired_name) {
827 desired_name = gssd_find_resource(argp->desired_name);
829 result->major_status = GSS_S_BAD_NAME;
830 gssd_verbose_out("gssd_acquire_cred: no desired name"
836 #ifndef WITHOUT_KERBEROS
837 if (hostbased_initiator_cred != 0 && argp->desired_name != 0 &&
838 argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) {
839 /* This is a host based initiator name in the keytab file. */
840 snprintf(ccname, sizeof(ccname), "FILE:%s",
841 GSSD_CREDENTIAL_CACHE_FILE);
842 setenv("KRB5CCNAME", ccname, TRUE);
843 result->major_status = gss_display_name(&result->minor_status,
844 desired_name, &namebuf, NULL);
845 gssd_verbose_out("gssd_acquire_cred: desired name for host "
846 "based initiator cred major=0x%x minor=%d\n",
847 (unsigned int)result->major_status,
848 (int)result->minor_status);
849 if (result->major_status != GSS_S_COMPLETE)
851 if (namebuf.length > PATH_MAX + 5) {
852 result->minor_status = 0;
853 result->major_status = GSS_S_FAILURE;
856 memcpy(ccname, namebuf.value, namebuf.length);
857 ccname[namebuf.length] = '\0';
858 if ((cp = strchr(ccname, '@')) != NULL)
860 kret = gssd_get_cc_from_keytab(ccname);
861 gssd_verbose_out("gssd_acquire_cred: using keytab entry for "
862 "%s, kerberos ret=%d\n", ccname, (int)kret);
863 gss_release_buffer(&minstat, &namebuf);
865 result->minor_status = kret;
866 result->major_status = GSS_S_FAILURE;
870 #endif /* !WITHOUT_KERBEROS */
871 if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
873 * For the "-s" case and no name provided as an
874 * argument, search the directory list for an appropriate
875 * credential cache file. If the search fails, return failure.
880 cp2 = strchr(cp, ':');
883 gotone = find_ccache_file(cp, argp->uid, ccname);
889 } while (cp != NULL && *cp != '\0');
891 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
892 gssd_verbose_out("gssd_acquire_cred: no cred cache"
896 setenv("KRB5CCNAME", ccname, TRUE);
899 * If there wasn't a "-s" option or the name has
900 * been provided as an argument, do it the old way.
901 * When a name is provided, it will normally exist in the
902 * default keytab file and the uid will be root.
904 if (argp->desired_name != 0 && argp->uid != 0) {
905 if (debug_level == 0)
906 syslog(LOG_ERR, "gss_acquire_cred:"
907 " principal_name for non-root");
909 fprintf(stderr, "gss_acquire_cred:"
910 " principal_name for non-root\n");
912 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
914 setenv("KRB5CCNAME", ccname, TRUE);
917 result->major_status = gss_acquire_cred(&result->minor_status,
918 desired_name, argp->time_req, argp->desired_mechs,
919 argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
920 gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n",
921 (unsigned int)result->major_status, (int)result->minor_status);
923 if (result->major_status == GSS_S_COMPLETE)
924 result->output_cred = gssd_make_resource(cred);
926 result->output_cred = 0;
932 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp)
934 gss_cred_id_t cred = gssd_find_resource(argp->cred);
936 memset(result, 0, sizeof(*result));
938 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
939 gssd_verbose_out("gssd_set_cred: no credentials\n");
943 result->major_status = gss_set_cred_option(&result->minor_status,
944 &cred, argp->option_name, &argp->option_value);
945 gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n",
946 (unsigned int)result->major_status, (int)result->minor_status);
952 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp)
954 gss_cred_id_t cred = gssd_find_resource(argp->cred);
957 result->major_status = gss_release_cred(&result->minor_status,
959 gssd_delete_resource(argp->cred);
961 result->major_status = GSS_S_COMPLETE;
962 result->minor_status = 0;
964 gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n",
965 (unsigned int)result->major_status, (int)result->minor_status);
971 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp)
974 result->message_context = argp->message_context;
975 result->major_status = gss_display_status(&result->minor_status,
976 argp->status_value, argp->status_type, argp->mech_type,
977 &result->message_context, &result->status_string);
978 gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n",
979 (unsigned int)result->major_status, (int)result->minor_status);
985 gssd_ip_to_dns_1_svc(ip_to_dns_args *argp, ip_to_dns_res *result, struct svc_req *rqstp)
989 memset(result, 0, sizeof(*result));
990 /* Check to see if the name is actually an IP address. */
991 host = gssd_conv_ip_to_dns(argp->ip_addr.ip_addr_len,
992 argp->ip_addr.ip_addr_val);
994 result->major_status = GSS_S_COMPLETE;
995 result->dns_name.dns_name_len = strlen(host);
996 result->dns_name.dns_name_val = host;
999 result->major_status = GSS_S_FAILURE;
1004 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result)
1007 * We don't use XDR to free the results - anything which was
1008 * allocated came from GSS-API. We use xdr_result to figure
1013 if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) {
1014 init_sec_context_res *p = (init_sec_context_res *) result;
1015 gss_release_buffer(&junk, &p->output_token);
1016 } else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) {
1017 accept_sec_context_res *p = (accept_sec_context_res *) result;
1018 gss_release_buffer(&junk, &p->output_token);
1019 } else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) {
1020 delete_sec_context_res *p = (delete_sec_context_res *) result;
1021 gss_release_buffer(&junk, &p->output_token);
1022 } else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) {
1023 export_sec_context_res *p = (export_sec_context_res *) result;
1024 if (p->interprocess_token.length)
1025 memset(p->interprocess_token.value, 0,
1026 p->interprocess_token.length);
1027 gss_release_buffer(&junk, &p->interprocess_token);
1028 } else if (xdr_result == (xdrproc_t) xdr_export_name_res) {
1029 export_name_res *p = (export_name_res *) result;
1030 gss_release_buffer(&junk, &p->exported_name);
1031 } else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) {
1032 acquire_cred_res *p = (acquire_cred_res *) result;
1033 gss_release_oid_set(&junk, &p->actual_mechs);
1034 } else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) {
1035 pname_to_uid_res *p = (pname_to_uid_res *) result;
1036 if (p->gidlist.gidlist_val)
1037 free(p->gidlist.gidlist_val);
1038 } else if (xdr_result == (xdrproc_t) xdr_display_status_res) {
1039 display_status_res *p = (display_status_res *) result;
1040 gss_release_buffer(&junk, &p->status_string);
1047 * Search a directory for the most likely candidate to be used as the
1048 * credential cache for a uid. If successful, return 1 and fill the
1049 * file's path id into "rpath". Otherwise, return 0.
1052 find_ccache_file(const char *dirpath, uid_t uid, char *rpath)
1057 time_t exptime, oexptime;
1058 int gotone, len, rating, orating;
1059 char namepath[PATH_MAX + 5 + 1];
1060 char retpath[PATH_MAX + 5 + 1];
1062 dirp = opendir(dirpath);
1068 while ((dp = readdir(dirp)) != NULL) {
1069 len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath,
1071 if (len < sizeof(namepath) &&
1072 (hostbased_initiator_cred == 0 || strcmp(namepath,
1073 GSSD_CREDENTIAL_CACHE_FILE) != 0) &&
1074 strstr(dp->d_name, ccfile_substring) != NULL &&
1075 lstat(namepath, &sb) >= 0 &&
1077 S_ISREG(sb.st_mode)) {
1078 len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s",
1079 dirpath, dp->d_name);
1080 if (len < sizeof(namepath) &&
1081 is_a_valid_tgt_cache(namepath, uid, &rating,
1083 if (gotone == 0 || rating > orating ||
1084 (rating == orating && exptime > oexptime)) {
1087 strcpy(retpath, namepath);
1095 strcpy(rpath, retpath);
1102 * Try to determine if the file is a valid tgt cache file.
1103 * Check that the file has a valid tgt for a principal.
1104 * If it does, return 1, otherwise return 0.
1105 * It also returns a "rating" and the expiry time for the TGT, when found.
1106 * This "rating" is higher based on heuristics that make it more
1107 * likely to be the correct credential cache file to use. It can
1108 * be used by the caller, along with expiry time, to select from
1109 * multiple credential cache files.
1112 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
1115 #ifndef WITHOUT_KERBEROS
1116 krb5_context context;
1117 krb5_principal princ;
1119 krb5_error_code retval;
1120 krb5_cc_cursor curse;
1122 int gotone, orating, rating, ret;
1124 char *cp, *cp2, *pname;
1127 /* Find a likely name for the uid principal. */
1131 * Do a bunch of krb5 library stuff to try and determine if
1132 * this file is a credentials cache with an appropriate TGT
1135 retval = krb5_init_context(&context);
1138 retval = krb5_cc_resolve(context, filepath, &ccache);
1140 krb5_free_context(context);
1146 retval = krb5_cc_start_seq_get(context, ccache, &curse);
1148 while ((retval = krb5_cc_next_cred(context, ccache, &curse,
1152 retval = krb5_unparse_name(context, krbcred.server,
1155 cp = strchr(pname, '/');
1158 if (strcmp(pname, "krbtgt") == 0 &&
1159 krbcred.times.endtime > time(NULL)
1163 * Test to see if this is a
1164 * tgt for cross-realm auth.
1165 * Rate it higher, if it is not.
1167 cp2 = strchr(cp, '@');
1170 if (strcmp(cp, cp2) ==
1179 retval = krb5_unparse_name(context,
1180 krbcred.client, &pname);
1182 cp = strchr(pname, '@');
1185 if (pw != NULL && strcmp(pname,
1188 if (strchr(pname, '/') == NULL)
1190 if (pref_realm[0] != '\0' &&
1191 strcmp(cp, pref_realm) == 0)
1196 if (rating > orating) {
1198 exptime = krbcred.times.endtime;
1199 } else if (rating == orating &&
1200 krbcred.times.endtime > exptime)
1201 exptime = krbcred.times.endtime;
1204 krb5_free_cred_contents(context, &krbcred);
1206 krb5_cc_end_seq_get(context, ccache, &curse);
1208 krb5_cc_close(context, ccache);
1209 krb5_free_context(context);
1211 *retrating = orating;
1212 *retexptime = exptime;
1215 #else /* WITHOUT_KERBEROS */
1217 #endif /* !WITHOUT_KERBEROS */
1220 #ifndef WITHOUT_KERBEROS
1222 * This function attempts to do essentially a "kinit -k" for the principal
1223 * name provided as the argument, so that there will be a TGT in the
1226 static krb5_error_code
1227 gssd_get_cc_from_keytab(const char *name)
1229 krb5_error_code ret, opt_ret, princ_ret, cc_ret, kt_ret, cred_ret;
1230 krb5_context context;
1231 krb5_principal principal;
1234 krb5_get_init_creds_opt *opt;
1235 krb5_deltat start_time = 0;
1238 ret = krb5_init_context(&context);
1241 opt_ret = cc_ret = kt_ret = cred_ret = 1; /* anything non-zero */
1242 princ_ret = ret = krb5_parse_name(context, name, &principal);
1244 opt_ret = ret = krb5_get_init_creds_opt_alloc(context, &opt);
1246 cc_ret = ret = krb5_cc_default(context, &ccache);
1248 ret = krb5_cc_initialize(context, ccache, principal);
1250 krb5_get_init_creds_opt_set_default_flags(context, "gssd",
1251 krb5_principal_get_realm(context, principal), opt);
1252 kt_ret = ret = krb5_kt_default(context, &kt);
1255 cred_ret = ret = krb5_get_init_creds_keytab(context, &cred,
1256 principal, kt, start_time, NULL, opt);
1258 ret = krb5_cc_store_cred(context, ccache, &cred);
1260 krb5_kt_close(context, kt);
1262 krb5_cc_close(context, ccache);
1264 krb5_get_init_creds_opt_free(context, opt);
1266 krb5_free_principal(context, principal);
1268 krb5_free_cred_contents(context, &cred);
1269 krb5_free_context(context);
1274 * Acquire a gss credential for a uid.
1277 gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp)
1279 gss_buffer_desc principal_desc;
1281 OM_uint32 maj_stat, min_stat;
1282 gss_OID_set mechlist;
1288 return (GSS_S_FAILURE);
1292 * The mechanism must be set to KerberosV for acquisition
1293 * of credentials to work reliably.
1295 maj_stat = gss_create_empty_oid_set(min_statp, &mechlist);
1296 if (maj_stat != GSS_S_COMPLETE)
1298 maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X,
1300 if (maj_stat != GSS_S_COMPLETE) {
1301 gss_release_oid_set(&min_stat, &mechlist);
1305 principal_desc.value = (void *)pw->pw_name;
1306 principal_desc.length = strlen(pw->pw_name);
1307 maj_stat = gss_import_name(min_statp, &principal_desc,
1308 GSS_C_NT_USER_NAME, &name);
1309 if (maj_stat != GSS_S_COMPLETE) {
1310 gss_release_oid_set(&min_stat, &mechlist);
1313 /* Acquire the credentials. */
1314 maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist,
1315 GSS_C_INITIATE, credp, NULL, NULL);
1316 gss_release_name(&min_stat, &name);
1317 gss_release_oid_set(&min_stat, &mechlist);
1320 #endif /* !WITHOUT_KERBEROS */
1322 void gssd_terminate(int sig __unused)
1325 #ifndef WITHOUT_KERBEROS
1326 if (hostbased_initiator_cred != 0)
1327 unlink(GSSD_CREDENTIAL_CACHE_FILE);