diff options
author | Tom Yu <tlyu@mit.edu> | 2007-03-30 03:08:33 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2007-03-30 03:08:33 +0000 |
commit | 057bbcd99fd1dc9451decea422509a6f2fd7b926 (patch) | |
tree | 348d826b7db52bac97b2eaa4dbc2b11de45a638b | |
parent | 62cea8439af886214e3278d97030edf41bffdf4f (diff) | |
download | krb5-057bbcd99fd1dc9451decea422509a6f2fd7b926.zip krb5-057bbcd99fd1dc9451decea422509a6f2fd7b926.tar.gz krb5-057bbcd99fd1dc9451decea422509a6f2fd7b926.tar.bz2 |
pull up r19221 from trunk
r19221@cathode-dark-space: jaltman | 2007-03-13 02:35:13 -0400
ticket: new
subject: KFW: Vista Integrated Logon
component: windows
On Windows Vista the GINA architecture was removed. As a side
effect the support for the Logon Event Handlers was also removed.
The KFW Integrated Logon functionality relies on the "Logon"
event handler to migrate the user's tickets from a secure FILE:
ccache to an API: ccache so that the tickets will be available
to NetIDMgr and all other Kerberos applications.
This functionality is especially important on Vista for
accounts that are members of the Administrators group because
the User Account Control (UAC) restricts access to the session
keys of all tickets in the MSLSA ccache. The only way for
tickets to be made available to MIT Kerberos applications is
by obtaining them within the Network Provider and pushing them
into the Logon Session.
This patch replaces the missing Logon Event Handler support
with a new exported function "LogonEventHandler" which adheres
to the rundll32.exe specifications. The "LogonEventHandler"
function accepts as input the name of a FILE ccache and moves
the contents into an API: ccache and then deletes the FILE
ccache.
In order for this to work the FILE ccache must be owned by
the account that was used to logon to the current session.
The NPLogonNotify() function must therefore lookup the SID
for the active account, assign an appropriate DACL to the
ccache file, and change the owner. In addition, when Vista
is in use a LogonScript must be constructed that will perform
the call to rundll32.exe.
Other changes include altering the prototype of
KFW_copy_ccache_system_file to accept a filename instead of
the LogonID. This improves the abstraction and allows the
filename to be computed once and passed into multiple
functions from NPLogonNotify().
Many debugging calls were added to assist with implementation.
#define DEBUG 1 at the top of kfwcommon.c when you wish to
build with debugging that generates entries in the Windows
Application Event Viewer.
It is important to note that Integrated Logon attempts to
logon the username within the default realm within the
krb5.ini file using the provided password. This is so
a local machine account name matching the default realm
can obtain Kerberos tickets by synchronizing the password.
ticket: 5469
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19334 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/windows/kfwlogon/kfwcommon.c | 127 | ||||
-rw-r--r-- | src/windows/kfwlogon/kfwlogon.c | 221 | ||||
-rw-r--r-- | src/windows/kfwlogon/kfwlogon.def | 2 | ||||
-rw-r--r-- | src/windows/kfwlogon/kfwlogon.h | 6 |
4 files changed, 323 insertions, 33 deletions
diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c index 14beef9..a3b02ee 100644 --- a/src/windows/kfwlogon/kfwcommon.c +++ b/src/windows/kfwlogon/kfwcommon.c @@ -1,5 +1,6 @@ /*
Copyright 2005,2006 by the Massachusetts Institute of Technology
+Copyright 2007 by Secure Endpoints Inc.
All rights reserved.
@@ -778,6 +779,8 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) return 1;
}
+ DebugEvent0("KFW_set_ccache_dacl");
+
/* Get System SID */
if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) {
DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError());
@@ -833,7 +836,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) ccacheACL,
NULL)) {
gle = GetLastError();
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);
+ DebugEvent("SetNamedSecurityInfo DACL (1) failed: GLE = 0x%lX", gle);
if (gle != ERROR_NO_TOKEN)
ret = 1;
}
@@ -844,7 +847,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) NULL,
NULL)) {
gle = GetLastError();
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);
+ DebugEvent("SetNamedSecurityInfo OWNER (2) failed: GLE = 0x%lX", gle);
if (gle != ERROR_NO_TOKEN)
ret = 1;
}
@@ -856,7 +859,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) ccacheACL,
NULL)) {
gle = GetLastError();
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);
+ DebugEvent("SetNamedSecurityInfo DACL (3) failed: GLE = 0x%lX", gle);
if (gle != ERROR_NO_TOKEN)
ret = 1;
}
@@ -872,6 +875,102 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) return ret;
}
+int KFW_set_ccache_dacl_with_user_sid(char *filename, PSID pUserSID)
+{
+ // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
+ PSID pSystemSID = NULL;
+ DWORD SystemSIDlength = 0, UserSIDlength = 0;
+ PACL ccacheACL = NULL;
+ DWORD ccacheACLlength = 0;
+ DWORD retLen;
+ DWORD gle;
+ int ret = 0;
+
+ if (!filename) {
+ DebugEvent0("KFW_set_ccache_dacl_with_user_sid - invalid parms");
+ return 1;
+ }
+
+ DebugEvent0("KFW_set_ccache_dacl_with_user_sid");
+
+ /* Get System SID */
+ if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) {
+ DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError());
+ ret = 1;
+ goto cleanup;
+ }
+
+ /* Create ACL */
+ SystemSIDlength = GetLengthSid(pSystemSID);
+ ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+ + SystemSIDlength - sizeof(DWORD);
+
+ if (pUserSID) {
+ UserSIDlength = GetLengthSid(pUserSID);
+
+ ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength
+ - sizeof(DWORD);
+ }
+
+ ccacheACL = (PACL) LocalAlloc(LPTR, ccacheACLlength);
+ if (!ccacheACL) {
+ DebugEvent("KFW_set_ccache_dacl - LocalAlloc GLE = 0x%x", GetLastError());
+ ret = 1;
+ goto cleanup;
+ }
+
+ InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pSystemSID);
+ if (pUserSID) {
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pUserSID);
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ gle = GetLastError();
+ DebugEvent("SetNamedSecurityInfo DACL (4) failed: GLE = 0x%lX", gle);
+ if (gle != ERROR_NO_TOKEN)
+ ret = 1;
+ }
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ pUserSID,
+ NULL,
+ NULL,
+ NULL)) {
+ gle = GetLastError();
+ DebugEvent("SetNamedSecurityInfo OWNER (5) failed: GLE = 0x%lX", gle);
+ if (gle != ERROR_NO_TOKEN)
+ ret = 1;
+ }
+ } else {
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ gle = GetLastError();
+ DebugEvent("SetNamedSecurityInfo DACL (6) failed: GLE = 0x%lX", gle);
+ if (gle != ERROR_NO_TOKEN)
+ ret = 1;
+ }
+ }
+
+ cleanup:
+ if (pSystemSID)
+ LocalFree(pSystemSID);
+ if (ccacheACL)
+ LocalFree(ccacheACL);
+ return ret;
+}
+
int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
{
int retval = 0;
@@ -894,9 +993,8 @@ int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int siz }
void
-KFW_copy_cache_to_system_file(char * user, char * szLogonId)
+KFW_copy_cache_to_system_file(char * user, char * filename)
{
- char filename[MAX_PATH] = "";
DWORD count;
char cachename[MAX_PATH + 8] = "FILE:";
krb5_context ctx = 0;
@@ -906,24 +1004,11 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId) krb5_ccache ncc = 0;
PSECURITY_ATTRIBUTES pSA = NULL;
- if (!pkrb5_init_context || !user || !szLogonId)
+ if (!pkrb5_init_context || !user || !filename)
return;
- count = GetEnvironmentVariable("TEMP", filename, sizeof(filename));
- if ( count > sizeof(filename) || count == 0 ) {
- GetWindowsDirectory(filename, sizeof(filename));
- }
-
- DebugEvent0(filename);
- if ( strlen(filename) + strlen(szLogonId) + 2 > sizeof(filename) ) {
- DebugEvent0("filename buffer too small");
- return;
- }
-
- strcat(filename, "\\");
- strcat(filename, szLogonId);
-
- strcat(cachename, filename);
+ strncat(cachename, filename, sizeof(cachename));
+ cachename[sizeof(cachename)-1] = '\0';
DebugEvent("KFW_Logon_Event - ccache %s", cachename);
diff --git a/src/windows/kfwlogon/kfwlogon.c b/src/windows/kfwlogon/kfwlogon.c index 6dcd998..3974a2c 100644 --- a/src/windows/kfwlogon/kfwlogon.c +++ b/src/windows/kfwlogon/kfwlogon.c @@ -1,5 +1,6 @@ /*
Copyright 2005,2006 by the Massachusetts Institute of Technology
+Copyright 2007 by Secure Endpoints Inc.
All rights reserved.
@@ -25,6 +26,7 @@ SOFTWARE. #include "kfwlogon.h"
#include <io.h>
+#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
@@ -107,6 +109,75 @@ UnicodeStringToANSI(UNICODE_STRING uInputString, LPSTR lpszOutputString, int nOu } // UnicodeStringToANSI
+static BOOL
+is_windows_vista(void)
+{
+ static BOOL fChecked = FALSE;
+ static BOOL fIsWinVista = FALSE;
+
+ if (!fChecked)
+ {
+ OSVERSIONINFO Version;
+
+ memset (&Version, 0x00, sizeof(Version));
+ Version.dwOSVersionInfoSize = sizeof(Version);
+
+ if (GetVersionEx (&Version))
+ {
+ if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+ Version.dwMajorVersion >= 6)
+ fIsWinVista = TRUE;
+ }
+ fChecked = TRUE;
+ }
+
+ return fIsWinVista;
+}
+
+/* Construct a Logon Script that will cause the LogonEventHandler to be executed
+ * under in the logon session
+ */
+VOID
+ConfigureLogonScript(LPWSTR *lpLogonScript, char * filename) {
+ DWORD dwLogonScriptLen;
+ LPWSTR lpScript;
+ LPSTR lpTemp;
+
+ if (!lpLogonScript)
+ return;
+ *lpLogonScript = NULL;
+
+ if (!filename)
+ return;
+
+ dwLogonScriptLen = strlen("rundll32.exe kfwlogon.dll,LogonEventHandler ") + strlen(filename) + 1;
+ lpTemp = (LPSTR) malloc(dwLogonScriptLen);
+ if (!lpTemp)
+ return;
+
+ _snprintf(lpTemp, dwLogonScriptLen,
+ "rundll32.exe kfwlogon.dll,LogonEventHandler %s",
+ filename);
+
+ SetLastError(0);
+ dwLogonScriptLen = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpTemp, strlen(lpTemp), NULL, 0);
+ DebugEvent("ConfigureLogonScript %s requires %d bytes gle=0x%x", lpTemp, dwLogonScriptLen, GetLastError());
+
+ lpScript = LocalAlloc(LMEM_ZEROINIT, dwLogonScriptLen * 2);
+ if (lpScript) {
+ if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpTemp, strlen(lpTemp),
+ lpScript, 2 * dwLogonScriptLen))
+ *lpLogonScript = lpScript;
+ else {
+ DebugEvent("ConfigureLogonScript - MultiByteToWideChar failed gle = 0x%x", GetLastError());
+ LocalFree(lpScript);
+ }
+ } else {
+ DebugEvent("LocalAlloc failed gle=0x%x", GetLastError());
+ }
+ free(lpTemp);
+}
+
DWORD APIENTRY NPLogonNotify(
PLUID lpLogonId,
LPCWSTR lpAuthentInfoType,
@@ -117,10 +188,9 @@ DWORD APIENTRY NPLogonNotify( LPVOID StationHandle,
LPWSTR *lpLogonScript)
{
- char uname[MAX_USERNAME_LENGTH]="";
- char password[MAX_PASSWORD_LENGTH]="";
- char logonDomain[MAX_DOMAIN_LENGTH]="";
- char szLogonId[128] = "";
+ char uname[MAX_USERNAME_LENGTH+1]="";
+ char password[MAX_PASSWORD_LENGTH+1]="";
+ char logonDomain[MAX_DOMAIN_LENGTH+1]="";
MSV1_0_INTERACTIVE_LOGON *IL;
@@ -187,8 +257,86 @@ DWORD APIENTRY NPLogonNotify( * for this user
*/
if (!code) {
- sprintf(szLogonId,"kfwlogon-%d.%d",lpLogonId->HighPart, lpLogonId->LowPart);
- KFW_copy_cache_to_system_file(uname, szLogonId);
+ char filename[MAX_PATH+1] = "";
+ char acctname[MAX_USERNAME_LENGTH+MAX_DOMAIN_LENGTH+3]="";
+ PSID pUserSid = NULL;
+ LPTSTR pReferencedDomainName = NULL;
+ DWORD dwSidLen = 0, dwDomainLen = 0, count;
+ SID_NAME_USE eUse;
+
+ if (_snprintf(acctname, sizeof(acctname), "%s\\%s", logonDomain, uname) < 0) {
+ code = -1;
+ goto cleanup;
+ }
+
+ count = GetEnvironmentVariable("TEMP", filename, sizeof(filename));
+ if ( count > sizeof(filename) || count == 0 ) {
+ GetWindowsDirectory(filename, sizeof(filename));
+ }
+
+ if (_snprintf(filename, sizeof(filename), "%s\\kfwlogon-%d.%d",
+ filename, lpLogonId->HighPart, lpLogonId->LowPart) < 0)
+ {
+ code = -1;
+ goto cleanup;
+ }
+
+ KFW_copy_cache_to_system_file(uname, filename);
+
+ /* Need to determine the SID */
+
+ /* First get the size of the required buffers */
+ LookupAccountName (NULL,
+ acctname,
+ pUserSid,
+ &dwSidLen,
+ pReferencedDomainName,
+ &dwDomainLen,
+ &eUse);
+ if(dwSidLen){
+ pUserSid = (PSID) malloc (dwSidLen);
+ memset(pUserSid,0,dwSidLen);
+ }
+
+ if(dwDomainLen){
+ pReferencedDomainName = (LPTSTR) malloc (dwDomainLen * sizeof(TCHAR));
+ memset(pReferencedDomainName,0,dwDomainLen * sizeof(TCHAR));
+ }
+
+ //Now get the SID and the domain name
+ if (pUserSid && LookupAccountName( NULL,
+ acctname,
+ pUserSid,
+ &dwSidLen,
+ pReferencedDomainName,
+ &dwDomainLen,
+ &eUse))
+ {
+ DebugEvent("LookupAccountName obtained user %s sid in domain %s", acctname, pReferencedDomainName);
+ code = KFW_set_ccache_dacl_with_user_sid(filename, pUserSid);
+
+ /* If we are on Vista, setup a LogonScript
+ * that will execute the LogonEventHandler entry point via rundll32.exe
+ */
+ if (is_windows_vista()) {
+ ConfigureLogonScript(lpLogonScript, filename);
+ if (*lpLogonScript)
+ DebugEvent("LogonScript \"%s\"", *lpLogonScript);
+ else
+ DebugEvent0("No Logon Script");
+
+ }
+ } else {
+ DebugEvent0("LookupAccountName failed");
+ DeleteFile(filename);
+ code = -1;
+ }
+
+ cleanup:
+ if (pUserSid)
+ free(pUserSid);
+ if (pReferencedDomainName)
+ free(pReferencedDomainName);
}
KFW_destroy_tickets_for_principal(uname);
@@ -202,8 +350,7 @@ DWORD APIENTRY NPLogonNotify( h = RegisterEventSource(NULL, KFW_LOGON_EVENT_NAME);
ptbuf[0] = msg;
- ReportEvent(h, EVENTLOG_WARNING_TYPE, 0, 1008, NULL,
- 1, 0, ptbuf, NULL);
+ ReportEvent(h, EVENTLOG_WARNING_TYPE, 0, 1008, NULL, 1, 0, ptbuf, NULL);
DeregisterEventSource(h);
SetLastError(code);
}
@@ -312,7 +459,7 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo ) LogonId = pLogonSessionData->LogonId;
DebugEvent("KFW_Logon_Event - LogonId(%d,%d)", LogonId.HighPart, LogonId.LowPart);
- sprintf(szLogonId,"kfwlogon-%d.%d",LogonId.HighPart, LogonId.LowPart);
+ _snprintf(szLogonId, sizeof(szLogonId), "kfwlogon-%d.%d",LogonId.HighPart, LogonId.LowPart);
LsaFreeReturnBuffer( pLogonSessionData );
} else {
DebugEvent0("KFW_Logon_Event - Unable to determine LogonId");
@@ -365,7 +512,7 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo ) return;
}
- sprintf(commandline, "kfwcpcc.exe \"%s\"", newfilename);
+ _snprintf(commandline, sizeof(commandline), "kfwcpcc.exe \"%s\"", newfilename);
GetStartupInfo(&startupinfo);
if (CreateProcessAsUser( pInfo->hToken,
@@ -390,8 +537,60 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo ) DebugEvent0("KFW_Logon_Event - CreateProcessFailed");
}
- DeleteFile(filename);
+ DeleteFile(newfilename);
DebugEvent0("KFW_Logon_Event - End");
}
+
+/* Documentation on the use of RunDll32 entrypoints can be found
+ * at http://support.microsoft.com/kb/164787
+ */
+void CALLBACK
+LogonEventHandlerA(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
+{
+ HANDLE hf = NULL;
+ char commandline[MAX_PATH+256] = "";
+ STARTUPINFO startupinfo;
+ PROCESS_INFORMATION procinfo;
+
+ DebugEvent0("LogonEventHandler - Start");
+
+ /* Validate lpszCmdLine as a file */
+ hf = CreateFile(lpszCmdLine, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL, NULL);
+ if (hf == INVALID_HANDLE_VALUE) {
+ DebugEvent0("LogonEventHandler - file cannot be opened");
+ return;
+ }
+ CloseHandle(hf);
+
+
+ _snprintf(commandline, sizeof(commandline), "kfwcpcc.exe \"%s\"", lpszCmdLine);
+
+ GetStartupInfo(&startupinfo);
+ if (CreateProcess( "kfwcpcc.exe",
+ commandline,
+ NULL,
+ NULL,
+ FALSE,
+ CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS,
+ NULL,
+ NULL,
+ &startupinfo,
+ &procinfo))
+ {
+ DebugEvent("KFW_Logon_Event - CommandLine %s", commandline);
+
+ WaitForSingleObject(procinfo.hProcess, 30000);
+
+ CloseHandle(procinfo.hThread);
+ CloseHandle(procinfo.hProcess);
+ } else {
+ DebugEvent0("KFW_Logon_Event - CreateProcessFailed");
+ }
+
+ DeleteFile(lpszCmdLine);
+
+ DebugEvent0("KFW_Logon_Event - End");
+}
diff --git a/src/windows/kfwlogon/kfwlogon.def b/src/windows/kfwlogon/kfwlogon.def index 52af990..05e5b3b 100644 --- a/src/windows/kfwlogon/kfwlogon.def +++ b/src/windows/kfwlogon/kfwlogon.def @@ -7,6 +7,8 @@ EXPORTS NPLogonNotify
NPPasswordChangeNotify
KFW_Logon_Event
+ LogonEventHandlerA
+
diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h index d3fa670..a542b81 100644 --- a/src/windows/kfwlogon/kfwlogon.h +++ b/src/windows/kfwlogon/kfwlogon.h @@ -1,6 +1,7 @@ /*
Copyright 2005,2006 by the Massachusetts Institute of Technology
+Copyright 2007 by Secure Endpoints Inc.
All rights reserved.
@@ -192,11 +193,14 @@ static BOOL WINAPI UnicodeStringToANSI(UNICODE_STRING uInputString, LPSTR lpszOu int KFW_is_available(void);
int KFW_get_cred( char * username, char * password, int lifetime, char ** reasonP );
-void KFW_copy_cache_to_system_file(char * user, char * szLogonId);
+void KFW_copy_cache_to_system_file(const char * user, const char * filename);
int KFW_destroy_tickets_for_principal(char * user);
int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken);
+int KFW_set_ccache_dacl_with_user_sid(char *filename, PSID pUserSID);
int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size);
+void CALLBACK LogonEventHandlerA(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
+
#ifdef __cplusplus
}
#endif
|