Skip to content

Commit

Permalink
pam: add pam_sss_gss module for gssapi authentication
Browse files Browse the repository at this point in the history 
:feature: New PAM module `pam_sss_gss` for authentication using GSSAPI
:packaging: Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page
:config: Added `pam_gssapi_services` to list PAM services
  that can authenticate using GSSAPI
  • Loading branch information
@pbrezina
pbrezina committed Oct 27, 2020
1 parent a213fb8 commit bc06fa6
Show file tree
Hide file tree
Showing 13 changed files with 1,274 additions and 3 deletions.
33 changes: 32 additions & 1 deletion Makefile.am
View file
Expand Up @@ -1585,12 +1585,14 @@ sssd_pam_SOURCES = \
src/responder/pam/pamsrv_cmd.c \
src/responder/pam/pamsrv_p11.c \
src/responder/pam/pamsrv_dp.c \
src/responder/pam/pamsrv_gssapi.c \
src/responder/pam/pam_prompting_config.c \
src/sss_client/pam_sss_prompt_config.c \
src/responder/pam/pam_helpers.c \
$(SSSD_RESPONDER_OBJ)
sssd_pam_CFLAGS = \
$(AM_CFLAGS) \
$(GSSAPI_KRB5_CFLAGS) \
$(NULL)
sssd_pam_LDADD = \
$(LIBADD_DL) \
Expand All @@ -1599,6 +1601,7 @@ sssd_pam_LDADD = \
$(SELINUX_LIBS) \
$(PAM_LIBS) \
$(SYSTEMD_DAEMON_LIBS) \
$(GSSAPI_KRB5_LIBS) \
libsss_certmap.la \
$(SSSD_INTERNAL_LTLIBS) \
libsss_iface.la \
Expand Down Expand Up @@ -2708,6 +2711,7 @@ pam_srv_tests_SOURCES = \
src/sss_client/pam_message.c \
src/responder/pam/pamsrv_cmd.c \
src/responder/pam/pamsrv_p11.c \
src/responder/pam/pamsrv_gssapi.c \
src/responder/pam/pam_helpers.c \
src/responder/pam/pamsrv_dp.c \
src/responder/pam/pam_LOCAL_domain.c \
Expand All @@ -2719,6 +2723,7 @@ pam_srv_tests_CFLAGS = \
-I$(abs_builddir)/src \
$(AM_CFLAGS) \
$(CMOCKA_CFLAGS) \
$(GSSAPI_KRB5_CFLAGS) \
$(NULL)
pam_srv_tests_LDFLAGS = \
-Wl,-wrap,sss_packet_get_body \
Expand All @@ -2734,6 +2739,7 @@ pam_srv_tests_LDADD = \
$(SSSD_LIBS) \
$(SSSD_INTERNAL_LTLIBS) \
$(SYSTEMD_DAEMON_LIBS) \
$(GSSAPI_KRB5_LIBS) \
libsss_test_common.la \
libsss_idmap.la \
libsss_certmap.la \
Expand Down Expand Up @@ -4145,6 +4151,28 @@ pam_sss_la_LDFLAGS = \
-avoid-version \
-Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports

pamlib_LTLIBRARIES += pam_sss_gss.la
pam_sss_gss_la_SOURCES = \
src/sss_client/pam_sss_gss.c \
src/sss_client/common.c \
$(NULL)

pam_sss_gss_la_CFLAGS = \
$(AM_CFLAGS) \
$(GSSAPI_KRB5_CFLAGS) \
$(NULL)

pam_sss_gss_la_LIBADD = \
$(CLIENT_LIBS) \
$(PAM_LIBS) \
$(GSSAPI_KRB5_LIBS) \
$(NULL)

pam_sss_gss_la_LDFLAGS = \
-module \
-avoid-version \
-Wl,--version-script,$(srcdir)/src/sss_client/pam_sss_gss.exports

if BUILD_SUDO

libsss_sudo_la_SOURCES = \
Expand Down Expand Up @@ -4183,7 +4211,10 @@ endif

dist_noinst_DATA += \
src/sss_client/sss_nss.exports \
src/sss_client/sss_pam.exports
src/sss_client/sss_pam.exports \
src/sss_client/pam_sss_gss.exports \
$(NULL)

if BUILD_SUDO
dist_noinst_DATA += src/sss_client/sss_sudo.exports
endif
Expand Down
1 change: 1 addition & 0 deletions configure.ac
View file
Expand Up @@ -181,6 +181,7 @@ m4_include([src/external/libldb.m4])
m4_include([src/external/libdhash.m4])
m4_include([src/external/libcollection.m4])
m4_include([src/external/libini_config.m4])
m4_include([src/external/libgssapi_krb5.m4])
m4_include([src/external/pam.m4])
m4_include([src/external/ldap.m4])
m4_include([src/external/libpcre.m4])
Expand Down
2 changes: 2 additions & 0 deletions contrib/sssd.spec.in
View file
Expand Up @@ -1166,6 +1166,7 @@ done
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
/%{_lib}/libnss_sss.so.2
/%{_lib}/security/pam_sss.so
/%{_lib}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%if (0%{?with_cifs_utils_plugin} == 1)
Expand All @@ -1178,6 +1179,7 @@ done
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*

%files -n libsss_sudo
Expand Down
8 changes: 8 additions & 0 deletions src/external/libgssapi_krb5.m4
View file
@@ -0,0 +1,8 @@
AC_SUBST(GSSAPI_KRB5_CFLAGS)
AC_SUBST(GSSAPI_KRB5_LIBS)

PKG_CHECK_MODULES(GSSAPI_KRB5,
krb5-gssapi,
,
AC_MSG_ERROR("Please install krb5-devel")
)
4 changes: 2 additions & 2 deletions src/man/Makefile.am
View file
Expand Up @@ -69,8 +69,8 @@ man_MANS = \
sssd.8 sssd.conf.5 sssd-ldap.5 sssd-ldap-attributes.5 \
sssd-krb5.5 sssd-simple.5 sss-certmap.5 \
sssd_krb5_locator_plugin.8 \
pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \
sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
pam_sss.8 pam_sss_gss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 \
sss_seed.8 sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \
$(NULL)

if BUILD_LOCAL_PROVIDER
Expand Down
160 changes: 160 additions & 0 deletions src/man/pam_sss_gss.8.xml
View file
@@ -0,0 +1,160 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="include/upstream.xml" />

<refmeta>
<refentrytitle>pam_sss_gss</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>

<refnamediv id='name'>
<refname>pam_sss_gss</refname>
<refpurpose>PAM module for SSSD GSSAPI authentication</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis'>
<cmdsynopsis>
<command>pam_sss_gss.so</command>
<arg choice='opt'>
<replaceable>debug</replaceable>
</arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
<command>pam_sss_gss.so</command> authenticates user
over GSSAPI in cooperation with SSSD.
</para>
<para>
This module will try to authenticate the user using host@hostname
service ticket (which translates to host/hostname@REALM Kerberos
principal). If the ticket is already present in the Kerberos
credentials cache or if user's ticket granting ticket can be used
to get the correct service ticket then the user will be
authenticated.
</para>
<para>
SSSD is used to provide correct service name that should be used
for validation (host@hostname where hostname is determined from
user's domain) and later to validate the user's credentials.
</para>
<para>
To enable GSSAPI authentication in SSSD, set
<option>pam_gssapi_services</option> option in [pam] or domain
section of sssd.conf. The service credentials need to be stored
in SSSD's keytab (it is already present if you use ipa or ad
provider). The keytab location can be set with
<option>krb5_keytab</option> option. See
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> and
<citerefentry>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> for more details on these options.
</para>
</refsect1>

<refsect1 id='options'>
<title>OPTIONS</title>
<variablelist remap='IP'>
<varlistentry>
<term>
<option>debug</option>
</term>
<listitem>
<para>Print debugging information.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1 id='module_types_provides'>
<title>MODULE TYPES PROVIDED</title>
<para>Only the <option>auth</option> module type is provided.</para>
</refsect1>

<refsect1 id="return_values">
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
<term>PAM_SUCCESS</term>
<listitem>
<para>
The PAM operation finished successfully.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_USER_UNKNOWN</term>
<listitem>
<para>
The user is not known to the authentication service or
the GSSAPI authentication is not supported.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_AUTH_ERR</term>
<listitem>
<para>
Authentication failure.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_AUTHINFO_UNAVAIL</term>
<listitem>
<para>
Unable to access the authentication information.
This might be due to a network or hardware failure.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PAM_SYSTEM_ERR</term>
<listitem>
<para>
A system error occurred. The SSSD log files may contain
additional information about the error.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1 id='examples'>
<title>EXAMPLES</title>
<para>
The main use case is to provide password-less authentication in
sudo but without the need to disable authentication completely.
To achieve this, first enable GSSAPI authentication for sudo in
sssd.conf:
</para>
<programlisting>
[domain/MYDOMAIN]
pam_gssapi_services = sudo, sudo-i
</programlisting>
<para>
And then enable the module in desired PAM stack
(e.g. /etc/pam.d/sudo and /etc/pam.d/sudo-i).
</para>
<programlisting>
...
auth sufficient pam_sss_gss.so
...
</programlisting>
</refsect1>

<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />

</refentry>
</reference>
4 changes: 4 additions & 0 deletions src/responder/pam/pamsrv.h
View file
Expand Up @@ -144,4 +144,8 @@ errno_t pam_eval_prompting_config(struct pam_ctx *pctx, struct pam_data *pd);

enum pam_initgroups_scheme pam_initgroups_string_to_enum(const char *str);
const char *pam_initgroup_enum_to_string(enum pam_initgroups_scheme scheme);

int pam_cmd_gssapi_init(struct cli_ctx *cli_ctx);
int pam_cmd_gssapi_sec_ctx(struct cli_ctx *cctx);

#endif /* __PAMSRV_H__ */
2 changes: 2 additions & 0 deletions src/responder/pam/pamsrv_cmd.c
View file
Expand Up @@ -2401,6 +2401,8 @@ struct sss_cmd_table *get_pam_cmds(void)
{SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
{SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
{SSS_PAM_PREAUTH, pam_cmd_preauth},
{SSS_GSSAPI_INIT, pam_cmd_gssapi_init},
{SSS_GSSAPI_SEC_CTX, pam_cmd_gssapi_sec_ctx},
{SSS_CLI_NULL, NULL}
};

Expand Down

0 comments on commit bc06fa6

Please sign in to comment.