2 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/
3 * Authors: Doug Rabson <dfr@rabson.org>
4 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/param.h>
33 #include <sys/linker.h>
34 #include <sys/module.h>
35 #include <sys/queue.h>
36 #include <sys/syslog.h>
40 #ifndef WITHOUT_KERBEROS
48 #include <gssapi/gssapi.h>
50 #include <rpc/rpc_com.h>
54 #ifndef _PATH_GSS_MECH
55 #define _PATH_GSS_MECH "/etc/gss/mech"
57 #ifndef _PATH_GSSDSOCK
58 #define _PATH_GSSDSOCK "/var/run/gssd.sock"
62 LIST_ENTRY(gss_resource) gr_link;
63 uint64_t gr_id; /* indentifier exported to kernel */
64 void* gr_res; /* GSS-API resource pointer */
66 LIST_HEAD(gss_resource_list, gss_resource) gss_resources;
67 int gss_resource_count;
69 uint32_t gss_start_time;
71 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
72 static char pref_realm[1024];
74 static void gssd_load_mech(void);
75 static int find_ccache_file(const char *, uid_t, char *);
76 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
78 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
79 extern int gssd_syscall(char *path);
82 main(int argc, char **argv)
85 * We provide an RPC service on a local-domain socket. The
86 * kernel's GSS-API code will pass what it can't handle
89 struct sockaddr_un sun;
90 int fd, oldmask, ch, debug;
94 * Initialize the credential cache file name substring and the
95 * search directory list.
97 strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring));
98 ccfile_dirlist[0] = '\0';
101 while ((ch = getopt(argc, argv, "ds:c:r:")) != -1) {
107 #ifndef WITHOUT_KERBEROS
109 * Set the directory search list. This enables use of
110 * find_ccache_file() to search the directories for a
111 * suitable credentials cache file.
113 strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist));
115 errx(1, "This option not available when built"
116 " without MK_KERBEROS\n");
121 * Specify a non-default credential cache file
124 strlcpy(ccfile_substring, optarg,
125 sizeof(ccfile_substring));
129 * Set the preferred realm for the credential cache tgt.
131 strlcpy(pref_realm, optarg, sizeof(pref_realm));
135 "usage: %s [-d] [-s dir-list] [-c file-substring]"
136 " [-r preferred-realm]\n", argv[0]);
147 memset(&sun, 0, sizeof sun);
148 sun.sun_family = AF_LOCAL;
149 unlink(_PATH_GSSDSOCK);
150 strcpy(sun.sun_path, _PATH_GSSDSOCK);
151 sun.sun_len = SUN_LEN(&sun);
152 fd = socket(AF_LOCAL, SOCK_STREAM, 0);
154 if (debug_level == 0) {
155 syslog(LOG_ERR, "Can't create local gssd socket");
158 err(1, "Can't create local gssd socket");
160 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
161 if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) {
162 if (debug_level == 0) {
163 syslog(LOG_ERR, "Can't bind local gssd socket");
166 err(1, "Can't bind local gssd socket");
169 if (listen(fd, SOMAXCONN) < 0) {
170 if (debug_level == 0) {
171 syslog(LOG_ERR, "Can't listen on local gssd socket");
174 err(1, "Can't listen on local gssd socket");
176 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE);
178 if (debug_level == 0) {
180 "Can't create transport for local gssd socket");
183 err(1, "Can't create transport for local gssd socket");
185 if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) {
186 if (debug_level == 0) {
188 "Can't register service for local gssd socket");
191 err(1, "Can't register service for local gssd socket");
194 LIST_INIT(&gss_resources);
196 gss_start_time = time(0);
198 gssd_syscall(_PATH_GSSDSOCK);
210 char *name, *oid, *lib, *kobj;
212 fp = fopen(_PATH_GSS_MECH, "r");
216 while (fgets(buf, sizeof(buf), fp)) {
220 name = strsep(&p, "\t\n ");
221 if (p) while (isspace(*p)) p++;
222 oid = strsep(&p, "\t\n ");
223 if (p) while (isspace(*p)) p++;
224 lib = strsep(&p, "\t\n ");
225 if (p) while (isspace(*p)) p++;
226 kobj = strsep(&p, "\t\n ");
227 if (!name || !oid || !lib || !kobj)
230 if (strcmp(kobj, "-")) {
232 * Attempt to load the kernel module if its
233 * not already present.
235 if (modfind(kobj) < 0) {
236 if (kldload(kobj) < 0) {
238 "%s: can't find or load kernel module %s for %s\n",
239 getprogname(), kobj, name);
248 gssd_find_resource(uint64_t id)
250 struct gss_resource *gr;
255 LIST_FOREACH(gr, &gss_resources, gr_link)
263 gssd_make_resource(void *res)
265 struct gss_resource *gr;
270 gr = malloc(sizeof(struct gss_resource));
273 gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32);
275 LIST_INSERT_HEAD(&gss_resources, gr, gr_link);
276 gss_resource_count++;
278 printf("%d resources allocated\n", gss_resource_count);
284 gssd_delete_resource(uint64_t id)
286 struct gss_resource *gr;
288 LIST_FOREACH(gr, &gss_resources, gr_link) {
289 if (gr->gr_id == id) {
290 LIST_REMOVE(gr, gr_link);
292 gss_resource_count--;
294 printf("%d resources allocated\n",
302 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp)
309 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp)
311 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
312 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
313 gss_name_t name = GSS_C_NO_NAME;
314 char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
317 memset(result, 0, sizeof(*result));
318 if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
320 * For the "-s" case and no credentials provided as an
321 * argument, search the directory list for an appropriate
322 * credential cache file. If the search fails, return failure.
327 cp2 = strchr(cp, ':');
330 gotone = find_ccache_file(cp, argp->uid, ccname);
336 } while (cp != NULL && *cp != '\0');
338 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
343 * If there wasn't a "-s" option or the credentials have
344 * been provided as an argument, do it the old way.
345 * When credentials are provided, the uid should be root.
347 if (argp->cred != 0 && argp->uid != 0) {
348 if (debug_level == 0)
349 syslog(LOG_ERR, "gss_init_sec_context:"
350 " cred for non-root");
352 fprintf(stderr, "gss_init_sec_context:"
353 " cred for non-root\n");
355 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
358 setenv("KRB5CCNAME", ccname, TRUE);
361 cred = gssd_find_resource(argp->cred);
363 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
368 ctx = gssd_find_resource(argp->ctx);
370 result->major_status = GSS_S_CONTEXT_EXPIRED;
375 name = gssd_find_resource(argp->name);
377 result->major_status = GSS_S_BAD_NAME;
382 result->major_status = gss_init_sec_context(&result->minor_status,
383 cred, &ctx, name, argp->mech_type,
384 argp->req_flags, argp->time_req, argp->input_chan_bindings,
385 &argp->input_token, &result->actual_mech_type,
386 &result->output_token, &result->ret_flags, &result->time_rec);
388 if (result->major_status == GSS_S_COMPLETE
389 || result->major_status == GSS_S_CONTINUE_NEEDED) {
391 result->ctx = argp->ctx;
393 result->ctx = gssd_make_resource(ctx);
400 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp)
402 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
403 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
405 gss_cred_id_t delegated_cred_handle;
407 memset(result, 0, sizeof(*result));
409 ctx = gssd_find_resource(argp->ctx);
411 result->major_status = GSS_S_CONTEXT_EXPIRED;
416 cred = gssd_find_resource(argp->cred);
418 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
423 memset(result, 0, sizeof(*result));
424 result->major_status = gss_accept_sec_context(&result->minor_status,
425 &ctx, cred, &argp->input_token, argp->input_chan_bindings,
426 &src_name, &result->mech_type, &result->output_token,
427 &result->ret_flags, &result->time_rec,
428 &delegated_cred_handle);
430 if (result->major_status == GSS_S_COMPLETE
431 || result->major_status == GSS_S_CONTINUE_NEEDED) {
433 result->ctx = argp->ctx;
435 result->ctx = gssd_make_resource(ctx);
436 result->src_name = gssd_make_resource(src_name);
437 result->delegated_cred_handle =
438 gssd_make_resource(delegated_cred_handle);
445 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp)
447 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
450 result->major_status = gss_delete_sec_context(
451 &result->minor_status, &ctx, &result->output_token);
452 gssd_delete_resource(argp->ctx);
454 result->major_status = GSS_S_COMPLETE;
455 result->minor_status = 0;
462 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp)
464 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx);
467 result->major_status = gss_export_sec_context(
468 &result->minor_status, &ctx,
469 &result->interprocess_token);
470 result->format = KGSS_HEIMDAL_1_1;
471 gssd_delete_resource(argp->ctx);
473 result->major_status = GSS_S_FAILURE;
474 result->minor_status = 0;
475 result->interprocess_token.length = 0;
476 result->interprocess_token.value = NULL;
483 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp)
487 result->major_status = gss_import_name(&result->minor_status,
488 &argp->input_name_buffer, argp->input_name_type, &name);
490 if (result->major_status == GSS_S_COMPLETE)
491 result->output_name = gssd_make_resource(name);
493 result->output_name = 0;
499 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp)
501 gss_name_t name = gssd_find_resource(argp->input_name);
502 gss_name_t output_name;
504 memset(result, 0, sizeof(*result));
506 result->major_status = GSS_S_BAD_NAME;
510 result->major_status = gss_canonicalize_name(&result->minor_status,
511 name, argp->mech_type, &output_name);
513 if (result->major_status == GSS_S_COMPLETE)
514 result->output_name = gssd_make_resource(output_name);
516 result->output_name = 0;
522 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp)
524 gss_name_t name = gssd_find_resource(argp->input_name);
526 memset(result, 0, sizeof(*result));
528 result->major_status = GSS_S_BAD_NAME;
532 result->major_status = gss_export_name(&result->minor_status,
533 name, &result->exported_name);
539 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp)
541 gss_name_t name = gssd_find_resource(argp->input_name);
544 result->major_status = gss_release_name(&result->minor_status,
546 gssd_delete_resource(argp->input_name);
548 result->major_status = GSS_S_COMPLETE;
549 result->minor_status = 0;
556 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp)
558 gss_name_t name = gssd_find_resource(argp->pname);
561 struct passwd pwd, *pw;
563 memset(result, 0, sizeof(*result));
565 result->major_status =
566 gss_pname_to_uid(&result->minor_status,
567 name, argp->mech, &uid);
568 if (result->major_status == GSS_S_COMPLETE) {
570 getpwuid_r(uid, &pwd, buf, sizeof(buf), &pw);
574 result->gid = pw->pw_gid;
575 getgrouplist(pw->pw_name, pw->pw_gid,
577 result->gidlist.gidlist_len = len;
578 result->gidlist.gidlist_val =
579 mem_alloc(len * sizeof(int));
580 memcpy(result->gidlist.gidlist_val, groups,
584 result->gidlist.gidlist_len = 0;
585 result->gidlist.gidlist_val = NULL;
589 result->major_status = GSS_S_BAD_NAME;
590 result->minor_status = 0;
597 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp)
599 gss_name_t desired_name = GSS_C_NO_NAME;
601 char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
604 memset(result, 0, sizeof(*result));
605 if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
607 * For the "-s" case and no name provided as an
608 * argument, search the directory list for an appropriate
609 * credential cache file. If the search fails, return failure.
614 cp2 = strchr(cp, ':');
617 gotone = find_ccache_file(cp, argp->uid, ccname);
623 } while (cp != NULL && *cp != '\0');
625 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
630 * If there wasn't a "-s" option or the name has
631 * been provided as an argument, do it the old way.
632 * When a name is provided, it will normally exist in the
633 * default keytab file and the uid will be root.
635 if (argp->desired_name != 0 && argp->uid != 0) {
636 if (debug_level == 0)
637 syslog(LOG_ERR, "gss_acquire_cred:"
638 " principal_name for non-root");
640 fprintf(stderr, "gss_acquire_cred:"
641 " principal_name for non-root\n");
643 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
646 setenv("KRB5CCNAME", ccname, TRUE);
648 if (argp->desired_name) {
649 desired_name = gssd_find_resource(argp->desired_name);
651 result->major_status = GSS_S_BAD_NAME;
656 result->major_status = gss_acquire_cred(&result->minor_status,
657 desired_name, argp->time_req, argp->desired_mechs,
658 argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
660 if (result->major_status == GSS_S_COMPLETE)
661 result->output_cred = gssd_make_resource(cred);
663 result->output_cred = 0;
669 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp)
671 gss_cred_id_t cred = gssd_find_resource(argp->cred);
673 memset(result, 0, sizeof(*result));
675 result->major_status = GSS_S_CREDENTIALS_EXPIRED;
679 result->major_status = gss_set_cred_option(&result->minor_status,
680 &cred, argp->option_name, &argp->option_value);
686 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp)
688 gss_cred_id_t cred = gssd_find_resource(argp->cred);
691 result->major_status = gss_release_cred(&result->minor_status,
693 gssd_delete_resource(argp->cred);
695 result->major_status = GSS_S_COMPLETE;
696 result->minor_status = 0;
703 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp)
706 result->message_context = argp->message_context;
707 result->major_status = gss_display_status(&result->minor_status,
708 argp->status_value, argp->status_type, argp->mech_type,
709 &result->message_context, &result->status_string);
715 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result)
718 * We don't use XDR to free the results - anything which was
719 * allocated came from GSS-API. We use xdr_result to figure
724 if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) {
725 init_sec_context_res *p = (init_sec_context_res *) result;
726 gss_release_buffer(&junk, &p->output_token);
727 } else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) {
728 accept_sec_context_res *p = (accept_sec_context_res *) result;
729 gss_release_buffer(&junk, &p->output_token);
730 } else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) {
731 delete_sec_context_res *p = (delete_sec_context_res *) result;
732 gss_release_buffer(&junk, &p->output_token);
733 } else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) {
734 export_sec_context_res *p = (export_sec_context_res *) result;
735 if (p->interprocess_token.length)
736 memset(p->interprocess_token.value, 0,
737 p->interprocess_token.length);
738 gss_release_buffer(&junk, &p->interprocess_token);
739 } else if (xdr_result == (xdrproc_t) xdr_export_name_res) {
740 export_name_res *p = (export_name_res *) result;
741 gss_release_buffer(&junk, &p->exported_name);
742 } else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) {
743 acquire_cred_res *p = (acquire_cred_res *) result;
744 gss_release_oid_set(&junk, &p->actual_mechs);
745 } else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) {
746 pname_to_uid_res *p = (pname_to_uid_res *) result;
747 if (p->gidlist.gidlist_val)
748 free(p->gidlist.gidlist_val);
749 } else if (xdr_result == (xdrproc_t) xdr_display_status_res) {
750 display_status_res *p = (display_status_res *) result;
751 gss_release_buffer(&junk, &p->status_string);
758 * Search a directory for the most likely candidate to be used as the
759 * credential cache for a uid. If successful, return 1 and fill the
760 * file's path id into "rpath". Otherwise, return 0.
763 find_ccache_file(const char *dirpath, uid_t uid, char *rpath)
768 time_t exptime, oexptime;
769 int gotone, len, rating, orating;
770 char namepath[PATH_MAX + 5 + 1];
771 char retpath[PATH_MAX + 5 + 1];
773 dirp = opendir(dirpath);
779 while ((dp = readdir(dirp)) != NULL) {
780 len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath,
782 if (len < sizeof(namepath) &&
783 strstr(dp->d_name, ccfile_substring) != NULL &&
784 lstat(namepath, &sb) >= 0 &&
786 S_ISREG(sb.st_mode)) {
787 len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s",
788 dirpath, dp->d_name);
789 if (len < sizeof(namepath) &&
790 is_a_valid_tgt_cache(namepath, uid, &rating,
792 if (gotone == 0 || rating > orating ||
793 (rating == orating && exptime > oexptime)) {
796 strcpy(retpath, namepath);
804 strcpy(rpath, retpath);
811 * Try to determine if the file is a valid tgt cache file.
812 * Check that the file has a valid tgt for a principal.
813 * If it does, return 1, otherwise return 0.
814 * It also returns a "rating" and the expiry time for the TGT, when found.
815 * This "rating" is higher based on heuristics that make it more
816 * likely to be the correct credential cache file to use. It can
817 * be used by the caller, along with expiry time, to select from
818 * multiple credential cache files.
821 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating,
824 #ifndef WITHOUT_KERBEROS
825 krb5_context context;
826 krb5_principal princ;
828 krb5_error_code retval;
829 krb5_cc_cursor curse;
831 int gotone, orating, rating, ret;
833 char *cp, *cp2, *pname;
836 /* Find a likely name for the uid principal. */
840 * Do a bunch of krb5 library stuff to try and determine if
841 * this file is a credentials cache with an appropriate TGT
844 retval = krb5_init_context(&context);
847 retval = krb5_cc_resolve(context, filepath, &ccache);
849 krb5_free_context(context);
855 retval = krb5_cc_start_seq_get(context, ccache, &curse);
857 while ((retval = krb5_cc_next_cred(context, ccache, &curse,
861 retval = krb5_unparse_name(context, krbcred.server,
864 cp = strchr(pname, '/');
867 if (strcmp(pname, "krbtgt") == 0 &&
868 krbcred.times.endtime > time(NULL)
872 * Test to see if this is a
873 * tgt for cross-realm auth.
874 * Rate it higher, if it is not.
876 cp2 = strchr(cp, '@');
879 if (strcmp(cp, cp2) ==
888 retval = krb5_unparse_name(context,
889 krbcred.client, &pname);
891 cp = strchr(pname, '@');
894 if (pw != NULL && strcmp(pname,
897 if (strchr(pname, '/') == NULL)
899 if (pref_realm[0] != '\0' &&
900 strcmp(cp, pref_realm) == 0)
905 if (rating > orating) {
907 exptime = krbcred.times.endtime;
908 } else if (rating == orating &&
909 krbcred.times.endtime > exptime)
910 exptime = krbcred.times.endtime;
913 krb5_free_cred_contents(context, &krbcred);
915 krb5_cc_end_seq_get(context, ccache, &curse);
917 krb5_cc_close(context, ccache);
918 krb5_free_context(context);
920 *retrating = orating;
921 *retexptime = exptime;
924 #else /* WITHOUT_KERBEROS */
926 #endif /* !WITHOUT_KERBEROS */