2 * Redistribution and use in source and binary forms, with or without
3 * modification, are permitted provided that the following conditions are met:
4 * * Redistributions of source code must retain the above copyright
5 * notice, this list of conditions and the following disclaimer.
6 * * Redistributions in binary form must reproduce the above copyright
7 * notice, this list of conditions and the following disclaimer in the
8 * documentation and/or other materials provided with the distribution.
9 * * Neither the name of the <organization> nor the
10 * names of its contributors may be used to endorse or promote products
11 * derived from this software without specific prior written permission.
13 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
14 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 * ARE DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
17 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
18 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
19 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
20 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
22 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 * Copyright (c) 2020, Felix Dörre
25 * All rights reserved.
28 #include <sys/dsl_crypt.h>
29 #include <sys/byteorder.h>
34 #include <sys/zio_crypt.h>
35 #include <openssl/evp.h>
38 #define PAM_SM_PASSWORD
39 #define PAM_SM_SESSION
40 #include <security/pam_modules.h>
42 #if defined(__linux__)
43 #include <security/pam_ext.h>
44 #define MAP_FLAGS MAP_PRIVATE | MAP_ANONYMOUS
45 #elif defined(__FreeBSD__)
46 #include <security/pam_appl.h>
48 pam_syslog(pam_handle_t
*pamh
, int loglevel
, const char *fmt
, ...)
52 vsyslog(loglevel
, fmt
, args
);
55 #define MAP_FLAGS MAP_PRIVATE | MAP_ANON | MAP_NOCORE
68 static const char PASSWORD_VAR_NAME
[] = "pam_zfs_key_authtok";
70 static libzfs_handle_t
*g_zfs
;
72 static void destroy_pw(pam_handle_t
*pamh
, void *data
, int errcode
);
74 typedef int (*mlock_func_t
) (const void *, size_t);
82 * Try to mlock(2) or munlock(2) addr while handling EAGAIN by retrying ten
83 * times and sleeping 10 milliseconds in between for a total of 0.1
84 * seconds. lock_func must point to either mlock(2) or munlock(2).
87 try_lock(mlock_func_t lock_func
, const void *addr
, size_t len
)
91 useconds_t sleep_dur
= 10 * 1000;
93 if ((err
= (*lock_func
)(addr
, len
)) != EAGAIN
) {
96 for (int i
= retries
; i
> 0; --i
) {
97 (void) usleep(sleep_dur
);
98 if ((err
= (*lock_func
)(addr
, len
)) != EAGAIN
) {
106 static pw_password_t
*
107 alloc_pw_size(size_t len
)
109 pw_password_t
*pw
= malloc(sizeof (pw_password_t
));
115 * We use mmap(2) rather than malloc(3) since later on we mlock(2) the
116 * memory region. Since mlock(2) and munlock(2) operate on whole memory
117 * pages we should allocate a whole page here as mmap(2) does. Further
118 * this ensures that the addresses passed to mlock(2) an munlock(2) are
119 * on a page boundary as suggested by FreeBSD and required by some
120 * other implementations. Finally we avoid inadvertently munlocking
121 * memory mlocked by an concurrently running instance of us.
123 pw
->value
= mmap(NULL
, pw
->len
, PROT_READ
| PROT_WRITE
, MAP_FLAGS
,
126 if (pw
->value
== MAP_FAILED
) {
130 if (try_lock(mlock
, pw
->value
, pw
->len
) != 0) {
131 (void) munmap(pw
->value
, pw
->len
);
138 static pw_password_t
*
139 alloc_pw_string(const char *source
)
141 size_t len
= strlen(source
) + 1;
142 pw_password_t
*pw
= alloc_pw_size(len
);
147 memcpy(pw
->value
, source
, pw
->len
);
152 pw_free(pw_password_t
*pw
)
154 bzero(pw
->value
, pw
->len
);
155 if (try_lock(munlock
, pw
->value
, pw
->len
) == 0) {
156 (void) munmap(pw
->value
, pw
->len
);
161 static pw_password_t
*
162 pw_fetch(pam_handle_t
*pamh
)
165 if (pam_get_authtok(pamh
, PAM_AUTHTOK
, &token
, NULL
) != PAM_SUCCESS
) {
166 pam_syslog(pamh
, LOG_ERR
,
167 "couldn't get password from PAM stack");
171 pam_syslog(pamh
, LOG_ERR
,
172 "token from PAM stack is null");
175 return (alloc_pw_string(token
));
178 static const pw_password_t
*
179 pw_fetch_lazy(pam_handle_t
*pamh
)
181 pw_password_t
*pw
= pw_fetch(pamh
);
185 int ret
= pam_set_data(pamh
, PASSWORD_VAR_NAME
, pw
, destroy_pw
);
186 if (ret
!= PAM_SUCCESS
) {
188 pam_syslog(pamh
, LOG_ERR
, "pam_set_data failed");
194 static const pw_password_t
*
195 pw_get(pam_handle_t
*pamh
)
197 const pw_password_t
*authtok
= NULL
;
198 int ret
= pam_get_data(pamh
, PASSWORD_VAR_NAME
,
199 (const void**)(&authtok
));
200 if (ret
== PAM_SUCCESS
)
202 if (ret
== PAM_NO_MODULE_DATA
)
203 return (pw_fetch_lazy(pamh
));
204 pam_syslog(pamh
, LOG_ERR
, "password not available");
209 pw_clear(pam_handle_t
*pamh
)
211 int ret
= pam_set_data(pamh
, PASSWORD_VAR_NAME
, NULL
, NULL
);
212 if (ret
!= PAM_SUCCESS
) {
213 pam_syslog(pamh
, LOG_ERR
, "clearing password failed");
220 destroy_pw(pam_handle_t
*pamh
, void *data
, int errcode
)
222 (void) pamh
, (void) errcode
;
225 pw_free((pw_password_t
*)data
);
230 pam_zfs_init(pam_handle_t
*pamh
)
233 if ((g_zfs
= libzfs_init()) == NULL
) {
235 pam_syslog(pamh
, LOG_ERR
, "Zfs initialization error: %s",
236 libzfs_error_init(error
));
247 static pw_password_t
*
248 prepare_passphrase(pam_handle_t
*pamh
, zfs_handle_t
*ds
,
249 const char *passphrase
, nvlist_t
*nvlist
)
251 pw_password_t
*key
= alloc_pw_size(WRAPPING_KEY_LEN
);
257 if (nvlist
!= NULL
) {
258 int fd
= open("/dev/urandom", O_RDONLY
);
264 char *buf
= (char *)&salt
;
265 size_t bytes
= sizeof (uint64_t);
266 while (bytes_read
< bytes
) {
267 ssize_t len
= read(fd
, buf
+ bytes_read
, bytes
278 if (nvlist_add_uint64(nvlist
,
279 zfs_prop_to_name(ZFS_PROP_PBKDF2_SALT
), salt
)) {
280 pam_syslog(pamh
, LOG_ERR
,
281 "failed to add salt to nvlist");
285 iters
= DEFAULT_PBKDF2_ITERATIONS
;
286 if (nvlist_add_uint64(nvlist
, zfs_prop_to_name(
287 ZFS_PROP_PBKDF2_ITERS
), iters
)) {
288 pam_syslog(pamh
, LOG_ERR
,
289 "failed to add iters to nvlist");
294 salt
= zfs_prop_get_int(ds
, ZFS_PROP_PBKDF2_SALT
);
295 iters
= zfs_prop_get_int(ds
, ZFS_PROP_PBKDF2_ITERS
);
299 if (!PKCS5_PBKDF2_HMAC_SHA1((char *)passphrase
,
300 strlen(passphrase
), (uint8_t *)&salt
,
301 sizeof (uint64_t), iters
, WRAPPING_KEY_LEN
,
302 (uint8_t *)key
->value
)) {
303 pam_syslog(pamh
, LOG_ERR
, "pbkdf failed");
311 is_key_loaded(pam_handle_t
*pamh
, const char *ds_name
)
313 zfs_handle_t
*ds
= zfs_open(g_zfs
, ds_name
, ZFS_TYPE_FILESYSTEM
);
315 pam_syslog(pamh
, LOG_ERR
, "dataset %s not found", ds_name
);
318 int keystatus
= zfs_prop_get_int(ds
, ZFS_PROP_KEYSTATUS
);
320 return (keystatus
!= ZFS_KEYSTATUS_UNAVAILABLE
);
324 change_key(pam_handle_t
*pamh
, const char *ds_name
,
325 const char *passphrase
)
327 zfs_handle_t
*ds
= zfs_open(g_zfs
, ds_name
, ZFS_TYPE_FILESYSTEM
);
329 pam_syslog(pamh
, LOG_ERR
, "dataset %s not found", ds_name
);
332 nvlist_t
*nvlist
= fnvlist_alloc();
333 pw_password_t
*key
= prepare_passphrase(pamh
, ds
, passphrase
, nvlist
);
339 if (nvlist_add_string(nvlist
,
340 zfs_prop_to_name(ZFS_PROP_KEYLOCATION
),
342 pam_syslog(pamh
, LOG_ERR
, "nvlist_add failed for keylocation");
348 if (nvlist_add_uint64(nvlist
,
349 zfs_prop_to_name(ZFS_PROP_KEYFORMAT
),
350 ZFS_KEYFORMAT_PASSPHRASE
)) {
351 pam_syslog(pamh
, LOG_ERR
, "nvlist_add failed for keyformat");
357 int ret
= lzc_change_key(ds_name
, DCP_CMD_NEW_KEY
, nvlist
,
358 (uint8_t *)key
->value
, WRAPPING_KEY_LEN
);
361 pam_syslog(pamh
, LOG_ERR
, "change_key failed: %d", ret
);
372 decrypt_mount(pam_handle_t
*pamh
, const char *ds_name
,
373 const char *passphrase
)
375 zfs_handle_t
*ds
= zfs_open(g_zfs
, ds_name
, ZFS_TYPE_FILESYSTEM
);
377 pam_syslog(pamh
, LOG_ERR
, "dataset %s not found", ds_name
);
380 pw_password_t
*key
= prepare_passphrase(pamh
, ds
, passphrase
, NULL
);
385 int ret
= lzc_load_key(ds_name
, B_FALSE
, (uint8_t *)key
->value
,
389 pam_syslog(pamh
, LOG_ERR
, "load_key failed: %d", ret
);
393 ret
= zfs_mount(ds
, NULL
, 0);
395 pam_syslog(pamh
, LOG_ERR
, "mount failed: %d", ret
);
404 unmount_unload(pam_handle_t
*pamh
, const char *ds_name
)
406 zfs_handle_t
*ds
= zfs_open(g_zfs
, ds_name
, ZFS_TYPE_FILESYSTEM
);
408 pam_syslog(pamh
, LOG_ERR
, "dataset %s not found", ds_name
);
411 int ret
= zfs_unmount(ds
, NULL
, 0);
413 pam_syslog(pamh
, LOG_ERR
, "zfs_unmount failed with: %d", ret
);
418 ret
= lzc_unload_key(ds_name
);
420 pam_syslog(pamh
, LOG_ERR
, "unload_key failed with: %d", ret
);
434 const char *username
;
435 int unmount_and_unload
;
439 zfs_key_config_load(pam_handle_t
*pamh
, zfs_key_config_t
*config
,
440 int argc
, const char **argv
)
442 config
->homes_prefix
= strdup("rpool/home");
443 if (config
->homes_prefix
== NULL
) {
444 pam_syslog(pamh
, LOG_ERR
, "strdup failure");
447 config
->runstatedir
= strdup(RUNSTATEDIR
"/pam_zfs_key");
448 if (config
->runstatedir
== NULL
) {
449 pam_syslog(pamh
, LOG_ERR
, "strdup failure");
450 free(config
->homes_prefix
);
454 if (pam_get_user(pamh
, &name
, NULL
) != PAM_SUCCESS
) {
455 pam_syslog(pamh
, LOG_ERR
,
456 "couldn't get username from PAM stack");
457 free(config
->runstatedir
);
458 free(config
->homes_prefix
);
461 struct passwd
*entry
= getpwnam(name
);
463 free(config
->runstatedir
);
464 free(config
->homes_prefix
);
467 config
->uid
= entry
->pw_uid
;
468 config
->username
= name
;
469 config
->unmount_and_unload
= 1;
470 config
->dsname
= NULL
;
471 config
->homedir
= NULL
;
472 for (int c
= 0; c
< argc
; c
++) {
473 if (strncmp(argv
[c
], "homes=", 6) == 0) {
474 free(config
->homes_prefix
);
475 config
->homes_prefix
= strdup(argv
[c
] + 6);
476 } else if (strncmp(argv
[c
], "runstatedir=", 12) == 0) {
477 free(config
->runstatedir
);
478 config
->runstatedir
= strdup(argv
[c
] + 12);
479 } else if (strcmp(argv
[c
], "nounmount") == 0) {
480 config
->unmount_and_unload
= 0;
481 } else if (strcmp(argv
[c
], "prop_mountpoint") == 0) {
482 config
->homedir
= strdup(entry
->pw_dir
);
489 zfs_key_config_free(zfs_key_config_t
*config
)
491 free(config
->homes_prefix
);
492 free(config
->runstatedir
);
493 free(config
->homedir
);
494 free(config
->dsname
);
498 find_dsname_by_prop_value(zfs_handle_t
*zhp
, void *data
)
500 zfs_type_t type
= zfs_get_type(zhp
);
501 zfs_key_config_t
*target
= data
;
502 char mountpoint
[ZFS_MAXPROPLEN
];
504 /* Skip any datasets whose type does not match */
505 if ((type
& ZFS_TYPE_FILESYSTEM
) == 0) {
510 /* Skip any datasets whose mountpoint does not match */
511 (void) zfs_prop_get(zhp
, ZFS_PROP_MOUNTPOINT
, mountpoint
,
512 sizeof (mountpoint
), NULL
, NULL
, 0, B_FALSE
);
513 if (strcmp(target
->homedir
, mountpoint
) != 0) {
518 target
->dsname
= strdup(zfs_get_name(zhp
));
524 zfs_key_config_get_dataset(zfs_key_config_t
*config
)
526 if (config
->homedir
!= NULL
&&
527 config
->homes_prefix
!= NULL
) {
528 zfs_handle_t
*zhp
= zfs_open(g_zfs
, config
->homes_prefix
,
529 ZFS_TYPE_FILESYSTEM
);
531 pam_syslog(NULL
, LOG_ERR
, "dataset %s not found",
532 config
->homes_prefix
);
537 (void) zfs_iter_filesystems(zhp
, find_dsname_by_prop_value
,
540 char *dsname
= config
->dsname
;
541 config
->dsname
= NULL
;
545 size_t len
= ZFS_MAX_DATASET_NAME_LEN
;
546 size_t total_len
= strlen(config
->homes_prefix
) + 1
547 + strlen(config
->username
);
548 if (total_len
> len
) {
551 char *ret
= malloc(len
+ 1);
556 strcat(ret
, config
->homes_prefix
);
558 strcat(ret
, config
->username
);
563 zfs_key_config_modify_session_counter(pam_handle_t
*pamh
,
564 zfs_key_config_t
*config
, int delta
)
566 const char *runtime_path
= config
->runstatedir
;
567 if (mkdir(runtime_path
, S_IRWXU
) != 0 && errno
!= EEXIST
) {
568 pam_syslog(pamh
, LOG_ERR
, "Can't create runtime path: %d",
572 if (chown(runtime_path
, 0, 0) != 0) {
573 pam_syslog(pamh
, LOG_ERR
, "Can't chown runtime path: %d",
577 if (chmod(runtime_path
, S_IRWXU
) != 0) {
578 pam_syslog(pamh
, LOG_ERR
, "Can't chmod runtime path: %d",
582 size_t runtime_path_len
= strlen(runtime_path
);
583 size_t counter_path_len
= runtime_path_len
+ 1 + 10;
584 char *counter_path
= malloc(counter_path_len
+ 1);
589 strcat(counter_path
, runtime_path
);
590 snprintf(counter_path
+ runtime_path_len
, counter_path_len
, "/%d",
592 const int fd
= open(counter_path
,
593 O_RDWR
| O_CLOEXEC
| O_CREAT
| O_NOFOLLOW
,
597 pam_syslog(pamh
, LOG_ERR
, "Can't open counter file: %d", errno
);
600 if (flock(fd
, LOCK_EX
) != 0) {
601 pam_syslog(pamh
, LOG_ERR
, "Can't lock counter file: %d", errno
);
607 int remaining
= sizeof (counter
) - 1;
609 counter
[sizeof (counter
) - 1] = 0;
610 while (remaining
> 0 && (ret
= read(fd
, pos
, remaining
)) > 0) {
615 long int counter_value
= strtol(counter
, NULL
, 10);
616 counter_value
+= delta
;
617 if (counter_value
< 0) {
620 lseek(fd
, 0, SEEK_SET
);
621 if (ftruncate(fd
, 0) != 0) {
622 pam_syslog(pamh
, LOG_ERR
, "Can't truncate counter file: %d",
627 snprintf(counter
, sizeof (counter
), "%ld", counter_value
);
628 remaining
= strlen(counter
);
630 while (remaining
> 0 && (ret
= write(fd
, pos
, remaining
)) > 0) {
635 return (counter_value
);
638 __attribute__((visibility("default")))
640 pam_sm_authenticate(pam_handle_t
*pamh
, int flags
,
641 int argc
, const char **argv
)
643 (void) flags
, (void) argc
, (void) argv
;
645 if (pw_fetch_lazy(pamh
) == NULL
) {
646 return (PAM_AUTH_ERR
);
649 return (PAM_SUCCESS
);
652 __attribute__((visibility("default")))
654 pam_sm_setcred(pam_handle_t
*pamh
, int flags
,
655 int argc
, const char **argv
)
657 (void) pamh
, (void) flags
, (void) argc
, (void) argv
;
658 return (PAM_SUCCESS
);
661 __attribute__((visibility("default")))
663 pam_sm_chauthtok(pam_handle_t
*pamh
, int flags
,
664 int argc
, const char **argv
)
666 if (geteuid() != 0) {
667 pam_syslog(pamh
, LOG_ERR
,
668 "Cannot zfs_mount when not being root.");
669 return (PAM_PERM_DENIED
);
671 zfs_key_config_t config
;
672 if (zfs_key_config_load(pamh
, &config
, argc
, argv
) == -1) {
673 return (PAM_SERVICE_ERR
);
675 if (config
.uid
< 1000) {
676 zfs_key_config_free(&config
);
677 return (PAM_SUCCESS
);
680 if (pam_zfs_init(pamh
) != 0) {
681 zfs_key_config_free(&config
);
682 return (PAM_SERVICE_ERR
);
684 char *dataset
= zfs_key_config_get_dataset(&config
);
687 zfs_key_config_free(&config
);
688 return (PAM_SERVICE_ERR
);
690 int key_loaded
= is_key_loaded(pamh
, dataset
);
691 if (key_loaded
== -1) {
694 zfs_key_config_free(&config
);
695 return (PAM_SERVICE_ERR
);
700 pam_syslog(pamh
, LOG_ERR
,
701 "key not loaded, returning try_again");
702 zfs_key_config_free(&config
);
703 return (PAM_PERM_DENIED
);
707 if ((flags
& PAM_UPDATE_AUTHTOK
) != 0) {
708 const pw_password_t
*token
= pw_get(pamh
);
710 zfs_key_config_free(&config
);
711 return (PAM_SERVICE_ERR
);
713 if (pam_zfs_init(pamh
) != 0) {
714 zfs_key_config_free(&config
);
715 return (PAM_SERVICE_ERR
);
717 char *dataset
= zfs_key_config_get_dataset(&config
);
720 zfs_key_config_free(&config
);
721 return (PAM_SERVICE_ERR
);
723 if (change_key(pamh
, dataset
, token
->value
) == -1) {
726 zfs_key_config_free(&config
);
727 return (PAM_SERVICE_ERR
);
731 zfs_key_config_free(&config
);
732 if (pw_clear(pamh
) == -1) {
733 return (PAM_SERVICE_ERR
);
736 zfs_key_config_free(&config
);
738 return (PAM_SUCCESS
);
742 pam_sm_open_session(pam_handle_t
*pamh
, int flags
,
743 int argc
, const char **argv
)
747 if (geteuid() != 0) {
748 pam_syslog(pamh
, LOG_ERR
,
749 "Cannot zfs_mount when not being root.");
750 return (PAM_SUCCESS
);
752 zfs_key_config_t config
;
753 zfs_key_config_load(pamh
, &config
, argc
, argv
);
754 if (config
.uid
< 1000) {
755 zfs_key_config_free(&config
);
756 return (PAM_SUCCESS
);
759 int counter
= zfs_key_config_modify_session_counter(pamh
, &config
, 1);
761 zfs_key_config_free(&config
);
762 return (PAM_SUCCESS
);
765 const pw_password_t
*token
= pw_get(pamh
);
767 zfs_key_config_free(&config
);
768 return (PAM_SESSION_ERR
);
770 if (pam_zfs_init(pamh
) != 0) {
771 zfs_key_config_free(&config
);
772 return (PAM_SERVICE_ERR
);
774 char *dataset
= zfs_key_config_get_dataset(&config
);
777 zfs_key_config_free(&config
);
778 return (PAM_SERVICE_ERR
);
780 if (decrypt_mount(pamh
, dataset
, token
->value
) == -1) {
783 zfs_key_config_free(&config
);
784 return (PAM_SERVICE_ERR
);
788 zfs_key_config_free(&config
);
789 if (pw_clear(pamh
) == -1) {
790 return (PAM_SERVICE_ERR
);
792 return (PAM_SUCCESS
);
796 __attribute__((visibility("default")))
798 pam_sm_close_session(pam_handle_t
*pamh
, int flags
,
799 int argc
, const char **argv
)
803 if (geteuid() != 0) {
804 pam_syslog(pamh
, LOG_ERR
,
805 "Cannot zfs_mount when not being root.");
806 return (PAM_SUCCESS
);
808 zfs_key_config_t config
;
809 zfs_key_config_load(pamh
, &config
, argc
, argv
);
810 if (config
.uid
< 1000) {
811 zfs_key_config_free(&config
);
812 return (PAM_SUCCESS
);
815 int counter
= zfs_key_config_modify_session_counter(pamh
, &config
, -1);
817 zfs_key_config_free(&config
);
818 return (PAM_SUCCESS
);
821 if (config
.unmount_and_unload
) {
822 if (pam_zfs_init(pamh
) != 0) {
823 zfs_key_config_free(&config
);
824 return (PAM_SERVICE_ERR
);
826 char *dataset
= zfs_key_config_get_dataset(&config
);
829 zfs_key_config_free(&config
);
830 return (PAM_SESSION_ERR
);
832 if (unmount_unload(pamh
, dataset
) == -1) {
835 zfs_key_config_free(&config
);
836 return (PAM_SESSION_ERR
);
842 zfs_key_config_free(&config
);
843 return (PAM_SUCCESS
);