1 | /** @file
|
---|
2 | *
|
---|
3 | * VirtualBox External Authentication Library:
|
---|
4 | * Linux PAM Authentication.
|
---|
5 | */
|
---|
6 |
|
---|
7 | /*
|
---|
8 | * Copyright (C) 2006-2020 Oracle Corporation
|
---|
9 | *
|
---|
10 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
11 | * available from http://www.virtualbox.org. This file is free software;
|
---|
12 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
13 | * General Public License (GPL) as published by the Free Software
|
---|
14 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
15 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
16 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
17 | */
|
---|
18 |
|
---|
19 |
|
---|
20 | /* The PAM service name.
|
---|
21 | *
|
---|
22 | * The service name is the name of a file in the /etc/pam.d which contains
|
---|
23 | * authentication rules. It is possible to use an existing service
|
---|
24 | * name, like "login" for example. But if different set of rules
|
---|
25 | * is required, one can create a new file /etc/pam.d/vrdpauth
|
---|
26 | * specially for VRDP authentication. Note that the name of the
|
---|
27 | * service must be lowercase. See PAM documentation for details.
|
---|
28 | *
|
---|
29 | * The Auth module takes the PAM service name from the
|
---|
30 | * environment variable VBOX_AUTH_PAM_SERVICE. If the variable
|
---|
31 | * is not specified, then the 'login' PAM service is used.
|
---|
32 | */
|
---|
33 | #define VBOX_AUTH_PAM_SERVICE_NAME_ENV_OLD "VRDP_AUTH_PAM_SERVICE"
|
---|
34 | #define VBOX_AUTH_PAM_SERVICE_NAME_ENV "VBOX_AUTH_PAM_SERVICE"
|
---|
35 | #define VBOX_AUTH_PAM_DEFAULT_SERVICE_NAME "login"
|
---|
36 |
|
---|
37 |
|
---|
38 | /* The debug log file name.
|
---|
39 | *
|
---|
40 | * If defined, debug messages will be written to the file specified in the
|
---|
41 | * VBOX_AUTH_DEBUG_FILENAME (or deprecated VRDP_AUTH_DEBUG_FILENAME) environment
|
---|
42 | * variable:
|
---|
43 | *
|
---|
44 | * export VBOX_AUTH_DEBUG_FILENAME=pam.log
|
---|
45 | *
|
---|
46 | * The above will cause writing to the pam.log.
|
---|
47 | */
|
---|
48 | #define VBOX_AUTH_DEBUG_FILENAME_ENV_OLD "VRDP_AUTH_DEBUG_FILENAME"
|
---|
49 | #define VBOX_AUTH_DEBUG_FILENAME_ENV "VBOX_AUTH_DEBUG_FILENAME"
|
---|
50 |
|
---|
51 |
|
---|
52 | /* Dynamic loading of the PAM library.
|
---|
53 | *
|
---|
54 | * If defined, the libpam.so is loaded dynamically.
|
---|
55 | * Enabled by default since it is often required,
|
---|
56 | * and does not harm.
|
---|
57 | */
|
---|
58 | #define VBOX_AUTH_USE_PAM_DLLOAD
|
---|
59 |
|
---|
60 |
|
---|
61 | #ifdef VBOX_AUTH_USE_PAM_DLLOAD
|
---|
62 | /* The name of the PAM library */
|
---|
63 | # ifdef RT_OS_SOLARIS
|
---|
64 | # define PAM_LIB_NAME "libpam.so.1"
|
---|
65 | # elif defined(RT_OS_FREEBSD)
|
---|
66 | # define PAM_LIB_NAME "libpam.so"
|
---|
67 | # else
|
---|
68 | # define PAM_LIB_NAME "libpam.so.0"
|
---|
69 | # endif
|
---|
70 | #endif /* VBOX_AUTH_USE_PAM_DLLOAD */
|
---|
71 |
|
---|
72 |
|
---|
73 | #include <stdio.h>
|
---|
74 | #include <stdlib.h>
|
---|
75 | #include <stdarg.h>
|
---|
76 | #include <string.h>
|
---|
77 | #ifndef RT_OS_FREEBSD
|
---|
78 | # include <malloc.h>
|
---|
79 | #endif
|
---|
80 |
|
---|
81 | #include <security/pam_appl.h>
|
---|
82 |
|
---|
83 | #include <VBox/VBoxAuth.h>
|
---|
84 |
|
---|
85 | #ifdef VBOX_AUTH_USE_PAM_DLLOAD
|
---|
86 | #include <dlfcn.h>
|
---|
87 |
|
---|
88 | static int (*fn_pam_start)(const char *service_name,
|
---|
89 | const char *user,
|
---|
90 | const struct pam_conv *pam_conversation,
|
---|
91 | pam_handle_t **pamh);
|
---|
92 | static int (*fn_pam_authenticate)(pam_handle_t *pamh, int flags);
|
---|
93 | static int (*fn_pam_acct_mgmt)(pam_handle_t *pamh, int flags);
|
---|
94 | static int (*fn_pam_end)(pam_handle_t *pamh, int pam_status);
|
---|
95 | static const char * (*fn_pam_strerror)(pam_handle_t *pamh, int errnum);
|
---|
96 | #else
|
---|
97 | #define fn_pam_start pam_start
|
---|
98 | #define fn_pam_authenticate pam_authenticate
|
---|
99 | #define fn_pam_acct_mgmt pam_acct_mgmt
|
---|
100 | #define fn_pam_end pam_end
|
---|
101 | #define fn_pam_strerror pam_strerror
|
---|
102 | #endif /* VBOX_AUTH_USE_PAM_DLLOAD */
|
---|
103 |
|
---|
104 | static void debug_printf(const char *fmt, ...)
|
---|
105 | {
|
---|
106 | #if defined(VBOX_AUTH_DEBUG_FILENAME_ENV) || defined(VBOX_AUTH_DEBUG_FILENAME_ENV_OLD)
|
---|
107 | va_list va;
|
---|
108 |
|
---|
109 | char buffer[1024];
|
---|
110 |
|
---|
111 | const char *filename = NULL;
|
---|
112 |
|
---|
113 | va_start(va, fmt);
|
---|
114 |
|
---|
115 | #if defined(VBOX_AUTH_DEBUG_FILENAME_ENV)
|
---|
116 | filename = getenv (VBOX_AUTH_DEBUG_FILENAME_ENV);
|
---|
117 | #endif /* VBOX_AUTH_DEBUG_FILENAME_ENV */
|
---|
118 |
|
---|
119 | #if defined(VBOX_AUTH_DEBUG_FILENAME_ENV_OLD)
|
---|
120 | if (filename == NULL)
|
---|
121 | {
|
---|
122 | filename = getenv (VBOX_AUTH_DEBUG_FILENAME_ENV_OLD);
|
---|
123 | }
|
---|
124 | #endif /* VBOX_AUTH_DEBUG_FILENAME_ENV_OLD */
|
---|
125 |
|
---|
126 | if (filename)
|
---|
127 | {
|
---|
128 | FILE *f;
|
---|
129 |
|
---|
130 | vsnprintf (buffer, sizeof (buffer), fmt, va);
|
---|
131 |
|
---|
132 | f = fopen (filename, "ab");
|
---|
133 | if (f != NULL)
|
---|
134 | {
|
---|
135 | fprintf (f, "%s", buffer);
|
---|
136 | fclose (f);
|
---|
137 | }
|
---|
138 | }
|
---|
139 |
|
---|
140 | va_end (va);
|
---|
141 | #endif /* VBOX_AUTH_DEBUG_FILENAME_ENV || VBOX_AUTH_DEBUG_FILENAME_ENV_OLD */
|
---|
142 | }
|
---|
143 |
|
---|
144 | #ifdef VBOX_AUTH_USE_PAM_DLLOAD
|
---|
145 |
|
---|
146 | static void *gpvLibPam = NULL;
|
---|
147 |
|
---|
148 | typedef struct _SymMap
|
---|
149 | {
|
---|
150 | void **ppfn;
|
---|
151 | const char *pszName;
|
---|
152 | } SymMap;
|
---|
153 |
|
---|
154 | static SymMap symmap[] =
|
---|
155 | {
|
---|
156 | { (void **)&fn_pam_start, "pam_start" },
|
---|
157 | { (void **)&fn_pam_authenticate, "pam_authenticate" },
|
---|
158 | { (void **)&fn_pam_acct_mgmt, "pam_acct_mgmt" },
|
---|
159 | { (void **)&fn_pam_end, "pam_end" },
|
---|
160 | { (void **)&fn_pam_strerror, "pam_strerror" },
|
---|
161 | { NULL, NULL }
|
---|
162 | };
|
---|
163 |
|
---|
164 | static int auth_pam_init(void)
|
---|
165 | {
|
---|
166 | SymMap *iter;
|
---|
167 |
|
---|
168 | gpvLibPam = dlopen(PAM_LIB_NAME, RTLD_LAZY | RTLD_GLOBAL);
|
---|
169 |
|
---|
170 | if (!gpvLibPam)
|
---|
171 | {
|
---|
172 | debug_printf("auth_pam_init: dlopen %s failed\n", PAM_LIB_NAME);
|
---|
173 | return PAM_SYSTEM_ERR;
|
---|
174 | }
|
---|
175 |
|
---|
176 | iter = &symmap[0];
|
---|
177 |
|
---|
178 | while (iter->pszName != NULL)
|
---|
179 | {
|
---|
180 | void *pv = dlsym (gpvLibPam, iter->pszName);
|
---|
181 |
|
---|
182 | if (pv == NULL)
|
---|
183 | {
|
---|
184 | debug_printf("auth_pam_init: dlsym %s failed\n", iter->pszName);
|
---|
185 |
|
---|
186 | dlclose(gpvLibPam);
|
---|
187 | gpvLibPam = NULL;
|
---|
188 |
|
---|
189 | return PAM_SYSTEM_ERR;
|
---|
190 | }
|
---|
191 |
|
---|
192 | *iter->ppfn = pv;
|
---|
193 |
|
---|
194 | iter++;
|
---|
195 | }
|
---|
196 |
|
---|
197 | return PAM_SUCCESS;
|
---|
198 | }
|
---|
199 |
|
---|
200 | static void auth_pam_close(void)
|
---|
201 | {
|
---|
202 | if (gpvLibPam)
|
---|
203 | {
|
---|
204 | dlclose(gpvLibPam);
|
---|
205 | gpvLibPam = NULL;
|
---|
206 | }
|
---|
207 |
|
---|
208 | return;
|
---|
209 | }
|
---|
210 | #else
|
---|
211 | static int auth_pam_init(void)
|
---|
212 | {
|
---|
213 | return PAM_SUCCESS;
|
---|
214 | }
|
---|
215 |
|
---|
216 | static void auth_pam_close(void)
|
---|
217 | {
|
---|
218 | return;
|
---|
219 | }
|
---|
220 | #endif /* VBOX_AUTH_USE_PAM_DLLOAD */
|
---|
221 |
|
---|
222 | static const char *auth_get_pam_service (void)
|
---|
223 | {
|
---|
224 | const char *service = getenv (VBOX_AUTH_PAM_SERVICE_NAME_ENV);
|
---|
225 |
|
---|
226 | if (service == NULL)
|
---|
227 | {
|
---|
228 | service = getenv (VBOX_AUTH_PAM_SERVICE_NAME_ENV_OLD);
|
---|
229 |
|
---|
230 | if (service == NULL)
|
---|
231 | {
|
---|
232 | service = VBOX_AUTH_PAM_DEFAULT_SERVICE_NAME;
|
---|
233 | }
|
---|
234 | }
|
---|
235 |
|
---|
236 | debug_printf ("Using PAM service: %s\n", service);
|
---|
237 |
|
---|
238 | return service;
|
---|
239 | }
|
---|
240 |
|
---|
241 | typedef struct _PamContext
|
---|
242 | {
|
---|
243 | char *pszUser;
|
---|
244 | char *pszPassword;
|
---|
245 | } PamContext;
|
---|
246 |
|
---|
247 | static int conv (int num_msg, const struct pam_message **msg,
|
---|
248 | struct pam_response **resp, void *appdata_ptr)
|
---|
249 | {
|
---|
250 | int i;
|
---|
251 | struct pam_response *r;
|
---|
252 |
|
---|
253 | PamContext *ctx = (PamContext *)appdata_ptr;
|
---|
254 |
|
---|
255 | if (ctx == NULL)
|
---|
256 | {
|
---|
257 | debug_printf("conv: ctx is NULL\n");
|
---|
258 | return PAM_CONV_ERR;
|
---|
259 | }
|
---|
260 |
|
---|
261 | debug_printf("conv: num %d u[%s] p[%d]\n", num_msg, ctx->pszUser, ctx->pszPassword? strlen (ctx->pszPassword): 0);
|
---|
262 |
|
---|
263 | r = (struct pam_response *) calloc (num_msg, sizeof (struct pam_response));
|
---|
264 |
|
---|
265 | if (r == NULL)
|
---|
266 | {
|
---|
267 | return PAM_CONV_ERR;
|
---|
268 | }
|
---|
269 |
|
---|
270 | for (i = 0; i < num_msg; i++)
|
---|
271 | {
|
---|
272 | r[i].resp_retcode = 0;
|
---|
273 |
|
---|
274 | if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF)
|
---|
275 | {
|
---|
276 | r[i].resp = strdup (ctx->pszPassword);
|
---|
277 | debug_printf("conv: %d returning password [%d]\n", i, r[i].resp? strlen (r[i].resp): 0);
|
---|
278 | }
|
---|
279 | else if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON)
|
---|
280 | {
|
---|
281 | r[i].resp = strdup (ctx->pszUser);
|
---|
282 | debug_printf("conv: %d returning name [%s]\n", i, r[i].resp);
|
---|
283 | }
|
---|
284 | else
|
---|
285 | {
|
---|
286 | debug_printf("conv: %d style %d: [%s]\n", i, msg[i]->msg_style, msg[i]->msg? msg[i]->msg: "(null)");
|
---|
287 | r[i].resp = NULL;
|
---|
288 | }
|
---|
289 | }
|
---|
290 |
|
---|
291 | *resp = r;
|
---|
292 | return PAM_SUCCESS;
|
---|
293 | }
|
---|
294 |
|
---|
295 | /* The entry point must be visible. */
|
---|
296 | #if defined(_MSC_VER) || defined(__OS2__)
|
---|
297 | # define DECLEXPORT(type) __declspec(dllexport) type
|
---|
298 | #else
|
---|
299 | # ifdef VBOX_HAVE_VISIBILITY_HIDDEN
|
---|
300 | # define DECLEXPORT(type) __attribute__((visibility("default"))) type
|
---|
301 | # else
|
---|
302 | # define DECLEXPORT(type) type
|
---|
303 | # endif
|
---|
304 | #endif
|
---|
305 |
|
---|
306 | /* prototype to prevent gcc warning */
|
---|
307 | DECLEXPORT(AUTHENTRY3) AuthEntry;
|
---|
308 |
|
---|
309 | DECLEXPORT(AuthResult) AUTHCALL AuthEntry(const char *pszCaller,
|
---|
310 | PAUTHUUID pUuid,
|
---|
311 | AuthGuestJudgement guestJudgement,
|
---|
312 | const char *pszUser,
|
---|
313 | const char *pszPassword,
|
---|
314 | const char *pszDomain,
|
---|
315 | int fLogon,
|
---|
316 | unsigned clientId)
|
---|
317 | {
|
---|
318 | AuthResult result = AuthResultAccessDenied;
|
---|
319 | int rc;
|
---|
320 | PamContext ctx;
|
---|
321 | struct pam_conv pam_conversation;
|
---|
322 | pam_handle_t *pam_handle = NULL;
|
---|
323 |
|
---|
324 | (void)pszCaller;
|
---|
325 | (void)pUuid;
|
---|
326 | (void)guestJudgement;
|
---|
327 | (void)clientId;
|
---|
328 |
|
---|
329 | /* Only process logon requests. */
|
---|
330 | if (!fLogon)
|
---|
331 | return result; /* Return value is ignored by the caller. */
|
---|
332 |
|
---|
333 | debug_printf("u[%s], d[%s], p[%d]\n", pszUser, pszDomain, pszPassword ? strlen(pszPassword) : 0);
|
---|
334 |
|
---|
335 | ctx.pszUser = (char *)pszUser;
|
---|
336 | ctx.pszPassword = (char *)pszPassword;
|
---|
337 |
|
---|
338 | pam_conversation.conv = conv;
|
---|
339 | pam_conversation.appdata_ptr = &ctx;
|
---|
340 |
|
---|
341 | rc = auth_pam_init ();
|
---|
342 |
|
---|
343 | if (rc == PAM_SUCCESS)
|
---|
344 | {
|
---|
345 | debug_printf("init ok\n");
|
---|
346 |
|
---|
347 | rc = fn_pam_start(auth_get_pam_service (), pszUser, &pam_conversation, &pam_handle);
|
---|
348 |
|
---|
349 | if (rc == PAM_SUCCESS)
|
---|
350 | {
|
---|
351 | debug_printf("start ok\n");
|
---|
352 |
|
---|
353 | rc = fn_pam_authenticate(pam_handle, 0);
|
---|
354 |
|
---|
355 | if (rc == PAM_SUCCESS)
|
---|
356 | {
|
---|
357 | debug_printf("auth ok\n");
|
---|
358 |
|
---|
359 | rc = fn_pam_acct_mgmt(pam_handle, 0);
|
---|
360 | if (rc == PAM_AUTHINFO_UNAVAIL
|
---|
361 | &&
|
---|
362 | getenv("VBOX_PAM_ALLOW_INACTIVE") != NULL)
|
---|
363 | {
|
---|
364 | debug_printf("PAM_AUTHINFO_UNAVAIL\n");
|
---|
365 | rc = PAM_SUCCESS;
|
---|
366 | }
|
---|
367 |
|
---|
368 | if (rc == PAM_SUCCESS)
|
---|
369 | {
|
---|
370 | debug_printf("access granted\n");
|
---|
371 |
|
---|
372 | result = AuthResultAccessGranted;
|
---|
373 | }
|
---|
374 | else
|
---|
375 | {
|
---|
376 | debug_printf("pam_acct_mgmt failed %d. %s\n", rc, fn_pam_strerror (pam_handle, rc));
|
---|
377 | }
|
---|
378 | }
|
---|
379 | else
|
---|
380 | {
|
---|
381 | debug_printf("pam_authenticate failed %d. %s\n", rc, fn_pam_strerror (pam_handle, rc));
|
---|
382 | }
|
---|
383 |
|
---|
384 | fn_pam_end(pam_handle, rc);
|
---|
385 | }
|
---|
386 | else
|
---|
387 | {
|
---|
388 | debug_printf("pam_start failed %d\n", rc);
|
---|
389 | }
|
---|
390 |
|
---|
391 | auth_pam_close ();
|
---|
392 |
|
---|
393 | debug_printf("auth_pam_close completed\n");
|
---|
394 | }
|
---|
395 | else
|
---|
396 | {
|
---|
397 | debug_printf("auth_pam_init failed %d\n", rc);
|
---|
398 | }
|
---|
399 |
|
---|
400 | return result;
|
---|
401 | }
|
---|
402 |
|
---|