- extend PAM support to ksu: perform account and session management for the target user
- pull up and merge James Leddy's changes to also set PAM_RHOST in
    PAM-aware network-facing services
This commit is contained in:
Nalin Dahyabhai 2009-04-23 22:43:26 +00:00
parent d3b2b69619
commit 5ebd815122
3 changed files with 218 additions and 23 deletions


@ -28,7 +28,15 @@ is pretty much always going to be there. At run-time, login's behavior
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
false in the [login] section of /etc/krb5.conf.
When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
Modify ksu so that it performs account and session management for the
target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
section of /etc/krb5.conf.
When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
--- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500
+++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400
@ -76,7 +84,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
#ifdef KERBEROS
#if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
@@ -1151,11 +1148,49 @@ void doit(f, fromp)
@@ -1151,11 +1148,50 @@ void doit(f, fromp)
goto signout_please;
}
@ -88,6 +96,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ 0,
+ locuser,
+ "",
+ hostname,
+ do_encrypt ?
+ EKSHELL_PAM_SERVICE :
+ KSHELL_PAM_SERVICE) != 0) {
@ -126,7 +135,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
/* Log access to account */
pwd = (struct passwd *) getpwnam(locuser);
if (pwd && (pwd->pw_uid == 0)) {
@@ -1195,7 +1230,7 @@ void doit(f, fromp)
@@ -1195,7 +1231,7 @@ void doit(f, fromp)
(void) write(2, "", 1);
@ -135,7 +144,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (port&&(pipe(pv) < 0)) {
error("Can't make pipe.\n");
goto signout_please;
@@ -1507,6 +1542,15 @@ void doit(f, fromp)
@@ -1507,6 +1543,15 @@ void doit(f, fromp)
environ = envinit;
@ -215,13 +224,14 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
#ifdef KRB5_GET_TICKETS
{"krb5_get_tickets", &login_krb5_get_tickets},
#endif
@@ -1292,6 +1294,18 @@ int main(argc, argv)
@@ -1292,6 +1300,19 @@ int main(argc, argv)
if (!unix_needs_passwd())
break;
+#ifdef USE_PAM
+ if (login_use_pam) {
+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
+ hostname,
+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
+ break;
+ } else {
@ -234,14 +244,14 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
/* we have several sets of code:
1) get v5 tickets alone -DKRB5_GET_TICKETS
2) get v4 tickets alone [** don't! only get them *with* v5 **]
@@ -1406,6 +1420,24 @@ int main(argc, argv)
@@ -1406,6 +1427,24 @@ int main(argc, argv)
/* committed to login -- turn off timeout */
(void) alarm((u_int) 0);
+#ifdef USE_PAM
+ if (login_use_pam) {
+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
+ ttyname(STDIN_FILENO)) != 0) {
+ hostname, ttyname(STDIN_FILENO)) != 0) {
+ printf("Login incorrect\n");
+ sleepexit(1);
+ }
@ -259,7 +269,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
/*
* If valid so far and root is logging in, see if root logins on
* this terminal are permitted.
@@ -1446,6 +1478,21 @@ int main(argc, argv)
@@ -1446,6 +1487,21 @@ int main(argc, argv)
sleepexit(0);
}
#endif
@ -281,7 +291,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (chdir(pwd->pw_dir) < 0) {
printf("No directory %s!\n", pwd->pw_dir);
@@ -1792,6 +1839,11 @@ int main(argc, argv)
@@ -1792,6 +1846,11 @@ int main(argc, argv)
}
#endif /* KRB5_GET_TICKETS */
@ -295,11 +305,11 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (pwd->pw_uid == 0)
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
+++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400
@@ -0,0 +1,414 @@
@@ -0,0 +1,424 @@
+/*
+ * src/appl/bsd/pam.c
+ *
+ * Copyright 2007 Red Hat, Inc.
+ * Copyright 2007,2009 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@ -332,6 +342,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ * Convenience wrappers for using PAM.
+ */
+
+#include "autoconf.h"
+#ifdef USE_PAM
+#include <sys/types.h>
+#include <stdio.h>
@ -549,6 +560,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+appl_pam_start(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty)
+{
+ static int exit_handler_registered;
@ -577,6 +589,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ ret = pam_start(service, login_username,
+ &appl_pam_conv, &appl_pamh);
+ if (ret == 0) {
+ if (hostname != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
+#endif
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
+ }
+ if (tty != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
@ -602,11 +620,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+appl_pam_authenticate(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty)
+{
+ int ret;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, tty);
+ non_interactive_password, hostname, tty);
+ if (ret == 0) {
+ ret = pam_authenticate(appl_pamh, 0);
+ }
@ -616,12 +635,13 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty)
+{
+ int ret;
+ appl_pam_pwchange_required = 0;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, tty);
+ non_interactive_password, hostname, tty);
+ if (ret == 0) {
+#ifdef DEBUG
+ printf("Calling pam_acct_mgmt().\n");
@ -712,11 +732,11 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+#endif
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
+++ krb5-1.6.1/src/appl/bsd/pam.h 2007-06-22 14:27:05.000000000 -0400
@@ -0,0 +1,61 @@
@@ -0,0 +1,63 @@
+/*
+ * src/appl/bsd/pam.h
+ *
+ * Copyright 2007 Red Hat, Inc.
+ * Copyright 2007,2009 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@ -761,10 +781,12 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+int appl_pam_authenticate(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty);
+int appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *tty);
+int appl_pam_requires_chauthtok(void);
+int appl_pam_chauthtok(void);
@ -825,7 +847,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
#include <grp.h>
#include <setjmp.h>
#ifndef POSIX_SETJMP
@@ -803,6 +807,16 @@
@@ -803,6 +806,21 @@
}
#endif /* KRB5_KRB4_COMPAT */
@ -833,16 +855,21 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ if (appl_pam_enabled(kcontext, "ftpd")) {
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
+ pw->pw_name, "",
+ hostname,
+ FTP_PAM_SERVICE) != 0) {
+ reply(530, "Login incorrect.");
+ return;
+ }
+ if (appl_pam_requires_chauthtok()) {
+ reply(530, "Password change required.");
+ return;
+ }
+ }
+#endif
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
strncat(buf, "; Access denied.",
sizeof(buf) - strlen(buf) - 1);
@@ -903,6 +916,10 @@ end_login()
@@ -903,6 +921,10 @@ end_login()
(void) krb5_seteuid((uid_t)0);
if (logged_in)
pty_logwtmp(ttyline, "", "");
@ -853,7 +880,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
if (have_creds) {
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
@@ -1073,9 +1090,17 @@ pass(passwd)
@@ -1073,9 +1095,18 @@ pass(passwd)
* kpass fails and the user has no local password
* kpass fails and the provided password doesn't match pw
*/
@ -865,6 +892,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ appl_pam_enabled(kcontext, "ftpd") ?
+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
+ pw->pw_name, passwd,
+ hostname,
+ FTP_PAM_SERVICE) != 0) :
+#endif
+ (!kpass(pw->pw_name, passwd) &&
@ -874,7 +902,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
pw = NULL;
sleep(5);
if (++login_attempts >= 3) {
@@ -1092,6 +1117,17 @@ pass(passwd)
@@ -1092,6 +1123,22 @@ pass(passwd)
}
login_attempts = 0; /* this time successful */
@ -882,17 +910,22 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ if (appl_pam_enabled(kcontext, "ftpd")) {
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
+ pw->pw_name, passwd,
+ hostname,
+ FTP_PAM_SERVICE) != 0) {
+ reply(530, "Login incorrect.");
+ return;
+ }
+ if (appl_pam_requires_chauthtok()) {
+ reply(530, "Password change required.");
+ return;
+ }
+ }
+#endif
+
login(passwd, 0);
return;
}
@@ -1110,6 +1146,18 @@ login(passwd, logincode)
@@ -1110,6 +1157,18 @@ login(passwd, logincode)
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
#endif
}
@ -911,7 +944,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
(void) krb5_setegid((gid_t)pw->pw_gid);
(void) initgroups(pw->pw_name, pw->pw_gid);
@@ -2125,6 +2173,10 @@ dologout(status)
@@ -2125,6 +2194,10 @@ dologout(status)
dest_tkt();
#endif
}
@ -955,7 +988,7 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
INSTALL_STRIP=
--- krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
+++ krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
@@ -1823,3 +1823,82 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
@@ -1823,3 +1823,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
@ -975,6 +1008,8 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
+ withftppamservice="$withval",withftppamservice=gssftp)
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
+ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
@ -1025,6 +1060,8 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
+ [Define to the name of the PAM service name to be used by ftpd.])
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
+ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
@ -1038,3 +1075,151 @@ When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff -up krb5-1.6.1/src/clients/ksu/Makefile.in krb5-1.6.1/src/clients/ksu/Makefile.in
--- krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-21 15:07:16.000000000 -0400
+++ krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-23 13:47:36.000000000 -0400
@@ -15,6 +15,7 @@ SRCS = \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/../../appl/bsd/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -23,13 +24,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: $(srcdir)/../../appl/bsd/pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
--- krb5-1.6.3/src/clients/ksu/main.c 2006-08-15 15:27:08.000000000 -0400
+++ krb5-1.6.3/src/clients/ksu/main.c 2009-04-23 18:39:03.000000000 -0400
@@ -25,6 +25,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
#include "ksu.h"
#include "adm_proto.h"
#include <sys/types.h>
@@ -32,6 +33,11 @@
#include <signal.h>
#include <grp.h>
+#ifdef USE_PAM
+#include "../../appl/bsd/pam.h"
+int force_fork = 0;
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -791,7 +797,24 @@
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
+
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -799,6 +822,33 @@
exit(1);
}else{
statusp = 1;
+
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Opened PAM session.\n");
+ }
+#endif
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Initialized PAM credentials.\n");
+ }
+#endif
+ }
+#endif
+
switch ((child_pid = fork())) {
default:
if (auth_debug){
@@ -822,15 +872,34 @@
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_setenv() != 0) {
+ fprintf(stderr, "Error setting up environment for %s.\n",
+ target_user);
+ exit (1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Set up PAM environment.\n");
+ }
+#endif
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s", params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}
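Review bot: In the `case 0:` child branch the failure paths after fork() still call `exit (1)` (after appl_pam_setenv() fails and after execv() fails), while pam.c registers a process exit handler (see the `exit_handler_registered` static in appl_pam_start), so a failing child runs that handler against its copy of the parent's PAM handle while the parent still owns the open session; if the handler ends the session or deletes credentials, session modules with system-wide effects would see that happen twice or too early. Since the parent already does the sweep_up and exits with the child's status, the child should leave with `_exit (1);` on both paths so only the parent runs atexit handlers. Separately, nothing in this hunk closes the PAM session or deletes the credentials set up before the fork once waitpid() returns; I assume the exit handler covers that, but a comment at `exit (statusp);` saying `/* PAM session/credentials are torn down by the atexit handler registered in pam.c */` would save the next reader the search. The enclosing block in main() begins before this hunk.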


@ -44,6 +44,7 @@ Source25: krb5-trunk-manpaths.txt
Source26: gssftp.pamd
Source27: kshell.pamd
Source28: ekshell.pamd
Source29: ksu.pamd
Patch3: krb5-1.3-netkit-rsh.patch
Patch4: krb5-1.3-rlogind-environ.patch
@ -227,6 +228,12 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog
* Thu Apr 23 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-104
- extend PAM support to ksu: perform account and session management for the
target user
- pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware
network-facing services
* Tue Apr 21 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-103
- fix a typo in a ksu error message (Marek Mahut)
- "rev" works the way the test suite expects now, so don't disable tests
@ -1587,7 +1594,7 @@ done
# PAM configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
for pam in kshell ekshell gssftp ; do
for pam in kshell ekshell gssftp ksu ; do
install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \
$RPM_BUILD_ROOT/etc/pam.d/$pam
done

ksu.pamd Normal file

@ -0,0 +1,3 @@
#%PAM-1.0
account include su
session include su
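Review bot: The new ksu PAM stack has no comment explaining why it carries only `account` and `session` lines and no `auth` stack, which anyone auditing /etc/pam.d will wonder about. The omission is deliberate as far as the patched main.c shows (it only calls appl_pam_acct_mgmt, appl_pam_session_open and appl_pam_cred_init, never appl_pam_authenticate, because ksu authenticates with Kerberos itself), but the file should say so. Suggest adding after the `#%PAM-1.0` line: `# ksu authenticates the caller with Kerberos; only account and session management for the target user are delegated to PAM.` It would also be worth a second comment noting that `include su` means any account-stage restrictions in the su stack now apply to ksu's target user too.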