From f0e522c78d5f23d3e470502a814de773c779a69f Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Tue, 13 Mar 2007 06:35:13 +0000 Subject: [PATCH] KFW: Vista Integrated Logon On Windows Vista the GINA architecture was removed. As a side effect the support for the Logon Event Handlers was also removed. The KFW Integrated Logon functionality relies on the "Logon" event handler to migrate the user's tickets from a secure FILE: ccache to an API: ccache so that the tickets will be available to NetIDMgr and all other Kerberos applications. This functionality is especially important on Vista for accounts that are members of the Administrators group because the User Account Control (UAC) restricts access to the session keys of all tickets in the MSLSA ccache. The only way for tickets to be made available to MIT Kerberos applications is by obtaining them within the Network Provider and pushing them into the Logon Session. This patch replaces the missing Logon Event Handler support with a new exported function "LogonEventHandler" which adheres to the rundll32.exe specifications. The "LogonEventHandler" function accepts as input the name of a FILE ccache and moves the contents into an API: ccache and then deletes the FILE ccache. In order for this to work the FILE ccache must be owned by the account that was used to logon to the current session. The NPLogonNotify() function must therefore lookup the SID for the active account, assign an appropriate DACL to the ccache file, and change the owner. In addition, when Vista is in use a LogonScript must be constructed that will perform the call to rundll32.exe. Other changes include altering the prototype of KFW_copy_ccache_system_file to accept a filename instead of the LogonID. This improves the abstraction and allows the filename to be computed once and passed into multiple functions from NPLogonNotify(). Many debugging calls were added to assist with implementation. #define DEBUG 1 at the top of kfwcommon.c when you wish to build with debugging that generates entries in the Windows Application Event Viewer. It is important to note that Integrated Logon attempts to logon the username within the default realm within the krb5.ini file using the provided password. This is so a local machine account name matching the default realm can obtain Kerberos tickets by synchronizing the password. ticket: new component: windows git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19221 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/kfwlogon/kfwcommon.c | 127 ++++++++++++++--- src/windows/kfwlogon/kfwlogon.c | 221 ++++++++++++++++++++++++++++-- src/windows/kfwlogon/kfwlogon.def | 2 + src/windows/kfwlogon/kfwlogon.h | 6 +- 4 files changed, 323 insertions(+), 33 deletions(-) diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c index 14beef966..a3b02eeab 100644 --- a/src/windows/kfwlogon/kfwcommon.c +++ b/src/windows/kfwlogon/kfwcommon.c @@ -1,5 +1,6 @@ /* Copyright 2005,2006 by the Massachusetts Institute of Technology +Copyright 2007 by Secure Endpoints Inc. All rights reserved. @@ -778,6 +779,8 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) return 1; } + DebugEvent0("KFW_set_ccache_dacl"); + /* Get System SID */ if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) { DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError()); @@ -833,7 +836,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) ccacheACL, NULL)) { gle = GetLastError(); - DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle); + DebugEvent("SetNamedSecurityInfo DACL (1) failed: GLE = 0x%lX", gle); if (gle != ERROR_NO_TOKEN) ret = 1; } @@ -844,7 +847,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) NULL, NULL)) { gle = GetLastError(); - DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle); + DebugEvent("SetNamedSecurityInfo OWNER (2) failed: GLE = 0x%lX", gle); if (gle != ERROR_NO_TOKEN) ret = 1; } @@ -856,7 +859,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) ccacheACL, NULL)) { gle = GetLastError(); - DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle); + DebugEvent("SetNamedSecurityInfo DACL (3) failed: GLE = 0x%lX", gle); if (gle != ERROR_NO_TOKEN) ret = 1; } @@ -872,6 +875,102 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) return ret; } +int KFW_set_ccache_dacl_with_user_sid(char *filename, PSID pUserSID) +{ + // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY; + PSID pSystemSID = NULL; + DWORD SystemSIDlength = 0, UserSIDlength = 0; + PACL ccacheACL = NULL; + DWORD ccacheACLlength = 0; + DWORD retLen; + DWORD gle; + int ret = 0; + + if (!filename) { + DebugEvent0("KFW_set_ccache_dacl_with_user_sid - invalid parms"); + return 1; + } + + DebugEvent0("KFW_set_ccache_dacl_with_user_sid"); + + /* Get System SID */ + if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) { + DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError()); + ret = 1; + goto cleanup; + } + + /* Create ACL */ + SystemSIDlength = GetLengthSid(pSystemSID); + ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + + SystemSIDlength - sizeof(DWORD); + + if (pUserSID) { + UserSIDlength = GetLengthSid(pUserSID); + + ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength + - sizeof(DWORD); + } + + ccacheACL = (PACL) LocalAlloc(LPTR, ccacheACLlength); + if (!ccacheACL) { + DebugEvent("KFW_set_ccache_dacl - LocalAlloc GLE = 0x%x", GetLastError()); + ret = 1; + goto cleanup; + } + + InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION); + AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0, + STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, + pSystemSID); + if (pUserSID) { + AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0, + STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, + pUserSID); + if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT, + DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, + NULL, + NULL, + ccacheACL, + NULL)) { + gle = GetLastError(); + DebugEvent("SetNamedSecurityInfo DACL (4) failed: GLE = 0x%lX", gle); + if (gle != ERROR_NO_TOKEN) + ret = 1; + } + if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT, + OWNER_SECURITY_INFORMATION, + pUserSID, + NULL, + NULL, + NULL)) { + gle = GetLastError(); + DebugEvent("SetNamedSecurityInfo OWNER (5) failed: GLE = 0x%lX", gle); + if (gle != ERROR_NO_TOKEN) + ret = 1; + } + } else { + if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT, + DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, + NULL, + NULL, + ccacheACL, + NULL)) { + gle = GetLastError(); + DebugEvent("SetNamedSecurityInfo DACL (6) failed: GLE = 0x%lX", gle); + if (gle != ERROR_NO_TOKEN) + ret = 1; + } + } + + cleanup: + if (pSystemSID) + LocalFree(pSystemSID); + if (ccacheACL) + LocalFree(ccacheACL); + return ret; +} + int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size) { int retval = 0; @@ -894,9 +993,8 @@ int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int siz } void -KFW_copy_cache_to_system_file(char * user, char * szLogonId) +KFW_copy_cache_to_system_file(char * user, char * filename) { - char filename[MAX_PATH] = ""; DWORD count; char cachename[MAX_PATH + 8] = "FILE:"; krb5_context ctx = 0; @@ -906,24 +1004,11 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId) krb5_ccache ncc = 0; PSECURITY_ATTRIBUTES pSA = NULL; - if (!pkrb5_init_context || !user || !szLogonId) + if (!pkrb5_init_context || !user || !filename) return; - count = GetEnvironmentVariable("TEMP", filename, sizeof(filename)); - if ( count > sizeof(filename) || count == 0 ) { - GetWindowsDirectory(filename, sizeof(filename)); - } - - DebugEvent0(filename); - if ( strlen(filename) + strlen(szLogonId) + 2 > sizeof(filename) ) { - DebugEvent0("filename buffer too small"); - return; - } - - strcat(filename, "\\"); - strcat(filename, szLogonId); - - strcat(cachename, filename); + strncat(cachename, filename, sizeof(cachename)); + cachename[sizeof(cachename)-1] = '\0'; DebugEvent("KFW_Logon_Event - ccache %s", cachename); diff --git a/src/windows/kfwlogon/kfwlogon.c b/src/windows/kfwlogon/kfwlogon.c index 6dcd99870..3974a2ca7 100644 --- a/src/windows/kfwlogon/kfwlogon.c +++ b/src/windows/kfwlogon/kfwlogon.c @@ -1,5 +1,6 @@ /* Copyright 2005,2006 by the Massachusetts Institute of Technology +Copyright 2007 by Secure Endpoints Inc. All rights reserved. @@ -25,6 +26,7 @@ SOFTWARE. #include "kfwlogon.h" #include +#include #include #include #include @@ -107,6 +109,75 @@ UnicodeStringToANSI(UNICODE_STRING uInputString, LPSTR lpszOutputString, int nOu } // UnicodeStringToANSI +static BOOL +is_windows_vista(void) +{ + static BOOL fChecked = FALSE; + static BOOL fIsWinVista = FALSE; + + if (!fChecked) + { + OSVERSIONINFO Version; + + memset (&Version, 0x00, sizeof(Version)); + Version.dwOSVersionInfoSize = sizeof(Version); + + if (GetVersionEx (&Version)) + { + if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && + Version.dwMajorVersion >= 6) + fIsWinVista = TRUE; + } + fChecked = TRUE; + } + + return fIsWinVista; +} + +/* Construct a Logon Script that will cause the LogonEventHandler to be executed + * under in the logon session + */ +VOID +ConfigureLogonScript(LPWSTR *lpLogonScript, char * filename) { + DWORD dwLogonScriptLen; + LPWSTR lpScript; + LPSTR lpTemp; + + if (!lpLogonScript) + return; + *lpLogonScript = NULL; + + if (!filename) + return; + + dwLogonScriptLen = strlen("rundll32.exe kfwlogon.dll,LogonEventHandler ") + strlen(filename) + 1; + lpTemp = (LPSTR) malloc(dwLogonScriptLen); + if (!lpTemp) + return; + + _snprintf(lpTemp, dwLogonScriptLen, + "rundll32.exe kfwlogon.dll,LogonEventHandler %s", + filename); + + SetLastError(0); + dwLogonScriptLen = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpTemp, strlen(lpTemp), NULL, 0); + DebugEvent("ConfigureLogonScript %s requires %d bytes gle=0x%x", lpTemp, dwLogonScriptLen, GetLastError()); + + lpScript = LocalAlloc(LMEM_ZEROINIT, dwLogonScriptLen * 2); + if (lpScript) { + if (MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, lpTemp, strlen(lpTemp), + lpScript, 2 * dwLogonScriptLen)) + *lpLogonScript = lpScript; + else { + DebugEvent("ConfigureLogonScript - MultiByteToWideChar failed gle = 0x%x", GetLastError()); + LocalFree(lpScript); + } + } else { + DebugEvent("LocalAlloc failed gle=0x%x", GetLastError()); + } + free(lpTemp); +} + DWORD APIENTRY NPLogonNotify( PLUID lpLogonId, LPCWSTR lpAuthentInfoType, @@ -117,10 +188,9 @@ DWORD APIENTRY NPLogonNotify( LPVOID StationHandle, LPWSTR *lpLogonScript) { - char uname[MAX_USERNAME_LENGTH]=""; - char password[MAX_PASSWORD_LENGTH]=""; - char logonDomain[MAX_DOMAIN_LENGTH]=""; - char szLogonId[128] = ""; + char uname[MAX_USERNAME_LENGTH+1]=""; + char password[MAX_PASSWORD_LENGTH+1]=""; + char logonDomain[MAX_DOMAIN_LENGTH+1]=""; MSV1_0_INTERACTIVE_LOGON *IL; @@ -187,8 +257,86 @@ DWORD APIENTRY NPLogonNotify( * for this user */ if (!code) { - sprintf(szLogonId,"kfwlogon-%d.%d",lpLogonId->HighPart, lpLogonId->LowPart); - KFW_copy_cache_to_system_file(uname, szLogonId); + char filename[MAX_PATH+1] = ""; + char acctname[MAX_USERNAME_LENGTH+MAX_DOMAIN_LENGTH+3]=""; + PSID pUserSid = NULL; + LPTSTR pReferencedDomainName = NULL; + DWORD dwSidLen = 0, dwDomainLen = 0, count; + SID_NAME_USE eUse; + + if (_snprintf(acctname, sizeof(acctname), "%s\\%s", logonDomain, uname) < 0) { + code = -1; + goto cleanup; + } + + count = GetEnvironmentVariable("TEMP", filename, sizeof(filename)); + if ( count > sizeof(filename) || count == 0 ) { + GetWindowsDirectory(filename, sizeof(filename)); + } + + if (_snprintf(filename, sizeof(filename), "%s\\kfwlogon-%d.%d", + filename, lpLogonId->HighPart, lpLogonId->LowPart) < 0) + { + code = -1; + goto cleanup; + } + + KFW_copy_cache_to_system_file(uname, filename); + + /* Need to determine the SID */ + + /* First get the size of the required buffers */ + LookupAccountName (NULL, + acctname, + pUserSid, + &dwSidLen, + pReferencedDomainName, + &dwDomainLen, + &eUse); + if(dwSidLen){ + pUserSid = (PSID) malloc (dwSidLen); + memset(pUserSid,0,dwSidLen); + } + + if(dwDomainLen){ + pReferencedDomainName = (LPTSTR) malloc (dwDomainLen * sizeof(TCHAR)); + memset(pReferencedDomainName,0,dwDomainLen * sizeof(TCHAR)); + } + + //Now get the SID and the domain name + if (pUserSid && LookupAccountName( NULL, + acctname, + pUserSid, + &dwSidLen, + pReferencedDomainName, + &dwDomainLen, + &eUse)) + { + DebugEvent("LookupAccountName obtained user %s sid in domain %s", acctname, pReferencedDomainName); + code = KFW_set_ccache_dacl_with_user_sid(filename, pUserSid); + + /* If we are on Vista, setup a LogonScript + * that will execute the LogonEventHandler entry point via rundll32.exe + */ + if (is_windows_vista()) { + ConfigureLogonScript(lpLogonScript, filename); + if (*lpLogonScript) + DebugEvent("LogonScript \"%s\"", *lpLogonScript); + else + DebugEvent0("No Logon Script"); + + } + } else { + DebugEvent0("LookupAccountName failed"); + DeleteFile(filename); + code = -1; + } + + cleanup: + if (pUserSid) + free(pUserSid); + if (pReferencedDomainName) + free(pReferencedDomainName); } KFW_destroy_tickets_for_principal(uname); @@ -202,8 +350,7 @@ DWORD APIENTRY NPLogonNotify( h = RegisterEventSource(NULL, KFW_LOGON_EVENT_NAME); ptbuf[0] = msg; - ReportEvent(h, EVENTLOG_WARNING_TYPE, 0, 1008, NULL, - 1, 0, ptbuf, NULL); + ReportEvent(h, EVENTLOG_WARNING_TYPE, 0, 1008, NULL, 1, 0, ptbuf, NULL); DeregisterEventSource(h); SetLastError(code); } @@ -312,7 +459,7 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo ) LogonId = pLogonSessionData->LogonId; DebugEvent("KFW_Logon_Event - LogonId(%d,%d)", LogonId.HighPart, LogonId.LowPart); - sprintf(szLogonId,"kfwlogon-%d.%d",LogonId.HighPart, LogonId.LowPart); + _snprintf(szLogonId, sizeof(szLogonId), "kfwlogon-%d.%d",LogonId.HighPart, LogonId.LowPart); LsaFreeReturnBuffer( pLogonSessionData ); } else { DebugEvent0("KFW_Logon_Event - Unable to determine LogonId"); @@ -365,7 +512,7 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo ) return; } - sprintf(commandline, "kfwcpcc.exe \"%s\"", newfilename); + _snprintf(commandline, sizeof(commandline), "kfwcpcc.exe \"%s\"", newfilename); GetStartupInfo(&startupinfo); if (CreateProcessAsUser( pInfo->hToken, @@ -390,8 +537,60 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo ) DebugEvent0("KFW_Logon_Event - CreateProcessFailed"); } - DeleteFile(filename); + DeleteFile(newfilename); DebugEvent0("KFW_Logon_Event - End"); } + +/* Documentation on the use of RunDll32 entrypoints can be found + * at http://support.microsoft.com/kb/164787 + */ +void CALLBACK +LogonEventHandlerA(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) +{ + HANDLE hf = NULL; + char commandline[MAX_PATH+256] = ""; + STARTUPINFO startupinfo; + PROCESS_INFORMATION procinfo; + + DebugEvent0("LogonEventHandler - Start"); + + /* Validate lpszCmdLine as a file */ + hf = CreateFile(lpszCmdLine, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, + FILE_ATTRIBUTE_NORMAL, NULL); + if (hf == INVALID_HANDLE_VALUE) { + DebugEvent0("LogonEventHandler - file cannot be opened"); + return; + } + CloseHandle(hf); + + + _snprintf(commandline, sizeof(commandline), "kfwcpcc.exe \"%s\"", lpszCmdLine); + + GetStartupInfo(&startupinfo); + if (CreateProcess( "kfwcpcc.exe", + commandline, + NULL, + NULL, + FALSE, + CREATE_NEW_PROCESS_GROUP | DETACHED_PROCESS, + NULL, + NULL, + &startupinfo, + &procinfo)) + { + DebugEvent("KFW_Logon_Event - CommandLine %s", commandline); + + WaitForSingleObject(procinfo.hProcess, 30000); + + CloseHandle(procinfo.hThread); + CloseHandle(procinfo.hProcess); + } else { + DebugEvent0("KFW_Logon_Event - CreateProcessFailed"); + } + + DeleteFile(lpszCmdLine); + + DebugEvent0("KFW_Logon_Event - End"); +} diff --git a/src/windows/kfwlogon/kfwlogon.def b/src/windows/kfwlogon/kfwlogon.def index 52af99090..05e5b3b1d 100644 --- a/src/windows/kfwlogon/kfwlogon.def +++ b/src/windows/kfwlogon/kfwlogon.def @@ -7,6 +7,8 @@ EXPORTS NPLogonNotify NPPasswordChangeNotify KFW_Logon_Event + LogonEventHandlerA + diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h index d3fa6709d..a542b81c3 100644 --- a/src/windows/kfwlogon/kfwlogon.h +++ b/src/windows/kfwlogon/kfwlogon.h @@ -1,6 +1,7 @@ /* Copyright 2005,2006 by the Massachusetts Institute of Technology +Copyright 2007 by Secure Endpoints Inc. All rights reserved. @@ -192,11 +193,14 @@ static BOOL WINAPI UnicodeStringToANSI(UNICODE_STRING uInputString, LPSTR lpszOu int KFW_is_available(void); int KFW_get_cred( char * username, char * password, int lifetime, char ** reasonP ); -void KFW_copy_cache_to_system_file(char * user, char * szLogonId); +void KFW_copy_cache_to_system_file(const char * user, const char * filename); int KFW_destroy_tickets_for_principal(char * user); int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken); +int KFW_set_ccache_dacl_with_user_sid(char *filename, PSID pUserSID); int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size); +void CALLBACK LogonEventHandlerA(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow); + #ifdef __cplusplus } #endif -- 2.26.2