gnu/services/kerberos.scm

   1 ;;; GNU Guix --- Functional package management for GNU
   2 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
   3 ;;;
   4 ;;; This file is part of GNU Guix.
   5 ;;;
   6 ;;; GNU Guix is free software; you can redistribute it and/or modify it
   7 ;;; under the terms of the GNU General Public License as published by
   8 ;;; the Free Software Foundation; either version 3 of the License, or (at
   9 ;;; your option) any later version.
  10 ;;;
  11 ;;; GNU Guix is distributed in the hope that it will be useful, but
  12 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
  13 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14 ;;; GNU General Public License for more details.
  15 ;;;
  16 ;;; You should have received a copy of the GNU General Public License
  17 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
  18
  19 (define-module (gnu services kerberos)
  20   #:use-module (gnu services)
  21   #:use-module (gnu services configuration)
  22   #:use-module (gnu system pam)
  23   #:use-module (guix gexp)
  24   #:use-module (guix records)
  25   #:use-module (srfi srfi-1)
  26   #:use-module (srfi srfi-34)
  27   #:use-module (srfi srfi-35)
  28   #:use-module (ice-9 match)
  29   #:export (pam-krb5-configuration
  30             pam-krb5-configuration?
  31             pam-krb5-service-type
  32
  33             krb5-realm
  34             krb5-realm?
  35
  36             krb5-configuration
  37             krb5-configuration?
  38             krb5-service-type))
  39
  40 \f
  41
  42 (define unset-field (list 'unset-field))
  43
  44 (define (predicate/unset pred)
  45   (lambda (x) (or (eq? x unset-field) (pred x))))
  46
  47 (define string/unset? (predicate/unset string?))
  48 (define boolean/unset? (predicate/unset boolean?))
  49 (define integer/unset? (predicate/unset integer?))
  50
  51 (define (uglify-field-name field-name)
  52   "Return FIELD-NAME with all instances of '-' replaced by '_' and any
  53 trailing '?' removed."
  54   (let ((str (symbol->string field-name)))
  55     (string-join (string-split (if (string-suffix? "?" str)
  56                                    (substring str 0 (1- (string-length str)))
  57                                    str)
  58                                #\-)
  59                  "_")))
  60
  61 (define (serialize-field* field-name val)
  62   (format #t "~a = ~a\n" (uglify-field-name field-name) val))
  63
  64 (define (serialize-string/unset field-name val)
  65   (unless (eq? val unset-field)
  66       (serialize-field* field-name val)))
  67
  68 (define (serialize-integer/unset field-name val)
  69   (unless (eq? val unset-field)
  70       (serialize-field* field-name val)))
  71
  72 (define (serialize-boolean/unset field-name val)
  73   (unless (eq? val unset-field)
  74       (serialize-field* field-name
  75                         (if val "true" "false"))))
  76
  77
  78 ;; An end-point is an address such as "192.168.0.1"
  79 ;; or an address port pair ("foobar.example.com" . 109)
  80 (define (end-point? val)
  81   (match val
  82     ((? string?) #t)
  83     (((? string?) . (? integer?)) #t)
  84     (_ #f)))
  85
  86 (define (serialize-end-point field-name val)
  87   (serialize-field* field-name
  88                     (match val
  89                       ((host . port)
  90                        ;; The [] are needed in the case of IPv6 addresses
  91                        (format #f "[~a]:~a" host port))
  92                       (host
  93                        (format #f "~a" host)))))
  94
  95 (define (serialize-space-separated-string-list/unset field-name val)
  96   (unless (eq? val unset-field)
  97       (serialize-field* field-name (string-join val " "))))
  98
  99 (define space-separated-string-list/unset?
 100   (predicate/unset space-separated-string-list?))
 101
 102 (define comma-separated-integer-list/unset?
 103   (predicate/unset (lambda (val)
 104                      (and (list? val)
 105                           (and-map (lambda (x) (integer? x))
 106                                    val)))))
 107
 108 (define (serialize-comma-separated-integer-list/unset field-name val)
 109   (unless (eq? val unset-field)
 110       (serialize-field* field-name
 111                        (string-drop ; Drop the leading comma
 112                         (fold
 113                          (lambda (i prev)
 114                            (string-append prev "," (number->string i)))
 115                          "" val) 1))))
 116
 117 (define file-name? (predicate/unset
 118                     (lambda (val)
 119                       (string-prefix? "/" val))))
 120
 121 (define (serialize-file-name field-name val)
 122   (unless (eq? val unset-field)
 123     (serialize-string field-name val)))
 124
 125 (define (non-negative-integer? val)
 126   (and (exact-integer? val) (not (negative? val))))
 127
 128 (define (serialize-non-negative-integer/unset field-name val)
 129   (unless (eq? val unset-field)
 130     (serialize-field* field-name val)))
 131
 132 (define (free-form-fields? val)
 133   (match val
 134     (() #t)
 135     ((((? symbol?) . (? string)) . val) (free-form-fields? val))
 136     (_ #f)))
 137
 138 (define (serialize-free-form-fields field-name val)
 139   (for-each (match-lambda ((k . v) (serialize-field* k v))) val))
 140
 141 (define non-negative-integer/unset? (predicate/unset non-negative-integer?))
 142
 143 (define (realm-list? val)
 144   (and (list? val)
 145        (and-map (lambda (x) (krb5-realm? x)) val)))
 146
 147 (define (serialize-realm-list field-name val)
 148   (format #t "\n[~a]\n" field-name)
 149   (for-each (lambda (realm)
 150               (format #t "\n~a = {\n" (krb5-realm-name realm))
 151               (for-each (lambda (field)
 152                           (unless (eq? 'name (configuration-field-name field))
 153                             ((configuration-field-serializer field)
 154                              (configuration-field-name field)
 155                              ((configuration-field-getter field)
 156                               realm)))) krb5-realm-fields)
 157
 158               (format #t "}\n")) val))
 159
 160 \f
 161
 162 ;; For a more detailed explanation of these fields see man 5 krb5.conf
 163 (define-configuration krb5-realm
 164   (name
 165    (string/unset unset-field)
 166    "The name of the realm.")
 167
 168   (kdc
 169    (end-point unset-field)
 170    "The host and port on which the realm's Key Distribution Server listens.")
 171
 172   (admin-server
 173    (string/unset unset-field)
 174    "The Host running the administration server for the realm.")
 175
 176   (master-kdc
 177    (string/unset unset-field)
 178    "If an attempt to get credentials fails because of an invalid password,
 179 the client software will attempt to contact the master KDC.")
 180
 181   (kpasswd-server
 182    (string/unset unset-field)
 183    "The server where password changes are performed.")
 184
 185   (auth-to-local
 186    (free-form-fields '())
 187    "Rules to map between principals and local users.")
 188
 189   (auth-to-local-names
 190    (free-form-fields '())
 191    "Explicit mappings between principal names and local user names.")
 192
 193   (http-anchors
 194    (free-form-fields '())
 195    "Useful only when http proxy is used to access KDC or KPASSWD.")
 196
 197   ;; The following are useful only for working with V4 services
 198   (default-domain
 199     (string/unset unset-field)
 200     "The domain used to expand host names when translating Kerberos 4 service
 201 principals to Kerberos 5 principals")
 202
 203   (v4-instance-convert
 204    (free-form-fields '())
 205    "Exceptions to the default-domain mapping rule.")
 206
 207   (v4-realm
 208    (string/unset unset-field)
 209    "Used  when the V4 realm name and the V5 realm name are not the same, but
 210 still share the same principal names and passwords"))
 211
 212
 213
 214 ;; For a more detailed explanation of these fields see man 5 krb5.conf
 215 (define-configuration krb5-configuration
 216   (allow-weak-crypto?
 217    (boolean/unset unset-field)
 218    "If true, permits access to services which only offer weak encryption.")
 219
 220   (ap-req-checksum-type
 221    (non-negative-integer/unset unset-field)
 222    "The type of the AP-REQ checksum.")
 223
 224   (canonicalize?
 225    (boolean/unset unset-field)
 226    "Should principals in initial ticket requests be canonicalized?")
 227
 228   (ccache-type
 229    (non-negative-integer/unset unset-field)
 230    "The format of the credential cache type.")
 231
 232   (clockskew
 233    (non-negative-integer/unset unset-field)
 234    "Maximum allowable clock skew in seconds (default 300).")
 235
 236   (default-ccache-name
 237     (file-name unset-field)
 238     "The name of the default credential cache.")
 239
 240   (default-client-keytab-name
 241     (file-name unset-field)
 242     "The name of the default keytab for client credentials.")
 243
 244   (default-keytab-name
 245     (file-name unset-field)
 246     "The name of the default keytab file.")
 247
 248   (default-realm
 249     (string/unset unset-field)
 250     "The realm to be accessed if not explicitly specified by clients.")
 251
 252   (default-tgs-enctypes
 253     (free-form-fields '())
 254     "Session key encryption types when making TGS-REQ requests.")
 255
 256   (default-tkt-enctypes
 257     (free-form-fields '())
 258     "Session key encryption types when making AS-REQ requests.")
 259
 260   (dns-canonicalize-hostname?
 261    (boolean/unset  unset-field)
 262    "Whether name lookups will be used to canonicalize host names for use in
 263 service principal names.")
 264
 265   (dns-lookup-kdc?
 266    (boolean/unset unset-field)
 267  "Should DNS SRV records should be used to locate the KDCs and other servers
 268 not appearing in the realm specification")
 269
 270   (err-fmt
 271    (string/unset unset-field)
 272    "Custom error message formatting. If not #f error messages will be formatted
 273 by substituting a normal error message for %M and an error code for %C in the
 274 value.")
 275
 276   (forwardable?
 277    (boolean/unset unset-field)
 278    "Should initial tickets be forwardable by default?")
 279
 280   (ignore-acceptor-hostname?
 281    (boolean/unset unset-field)
 282    "When accepting GSSAPI or krb5 security contexts for host-based service
 283 principals, ignore any hostname passed by the calling application, and allow
 284 clients to authenticate to any service principal in the keytab matching the
 285 service name and realm name.")
 286
 287   (k5login-authoritative?
 288    (boolean/unset unset-field)
 289    "If this flag is true, principals must be listed in a local user's k5login
 290 file to be granted login access, if a ~/.k5login file exists.")
 291
 292   (k5login-directory
 293    (string/unset unset-field)
 294    "If not #f, the library will look for a local user's @file{k5login} file
 295 within the named directory (instead of the user's home directory), with a
 296 file name corresponding to the local user name.")
 297
 298   (kcm-mach-service
 299    (string/unset unset-field)
 300    "The name of the bootstrap service used to contact the KCM daemon for the
 301 KCM credential cache type.")
 302
 303   (kcm-socket
 304    (file-name unset-field)
 305  "Path to the Unix domain socket used to access the KCM daemon for the KCM
 306 credential cache type.")
 307
 308   (kdc-default-options
 309    (non-negative-integer/unset unset-field)
 310    "Default KDC options (logored for multiple values) when requesting initial
 311 tickets.")
 312
 313   (kdc-timesync
 314    (non-negative-integer/unset unset-field)
 315    "Attempt to compensate for clock skew between the KDC and client.")
 316
 317   (kdc-req-checksum-type
 318    (non-negative-integer/unset unset-field)
 319    "The type of checksum to use for the KDC requests. Relevant only for DES
 320 keys")
 321
 322   (noaddresses?
 323    (boolean/unset unset-field)
 324    "If true, initial ticket requests will not be made with address restrictions.
 325 This enables their use across NATs.")
 326
 327   (permitted-enctypes
 328    (space-separated-string-list/unset unset-field)
 329    "All encryption types that are permitted for use in session key encryption.")
 330
 331   (plugin-base-dir
 332    (file-name unset-field)
 333    "The directory where krb5 plugins are located.")
 334
 335   (preferred-preauth-types
 336    (comma-separated-integer-list/unset unset-field)
 337    "The preferred pre-authentication types which the client will attempt before
 338 others.")
 339
 340   (proxiable?
 341    (boolean/unset unset-field)
 342    "Should initial tickets be proxiable by default?")
 343
 344   (rdns?
 345    (boolean/unset unset-field)
 346    "Should reverse DNS lookup be used in addition to forward name lookup to
 347 canonicalize host names for use in service principal names.")
 348
 349   (realm-try-domains
 350    (integer/unset unset-field)
 351    "Should a host's domain components should be used to determine the Kerberos
 352 realm of the host.")
 353
 354   (renew-lifetime
 355    (non-negative-integer/unset unset-field)
 356    "The default renewable lifetime for initial ticket requests.")
 357
 358   (safe-checksum-type
 359    (non-negative-integer/unset unset-field)
 360    "The type of checksum to use for the KRB-SAFE requests.")
 361
 362   (ticket-lifetime
 363    (non-negative-integer/unset unset-field)
 364    "The default lifetime for initial ticket requests.")
 365
 366   (udp-preference-limit
 367    (non-negative-integer/unset unset-field)
 368    "When sending messages to the KDC, the library will try using TCP
 369 before UDP if the size of the message greater than this limit.")
 370
 371   (verify-ap-rereq-nofail?
 372    (boolean/unset unset-field)
 373  "If true, then attempts to verify initial credentials will fail if the client
 374 machine does not have a keytab.")
 375
 376   (realms
 377    (realm-list '())
 378    "The list of realms which clients may access."))
 379
 380
 381 (define (krb5-configuration-file config)
 382   "Create a Kerberos 5 configuration file based on CONFIG"
 383   (mixed-text-file "krb5.conf"
 384                    "[libdefaults]\n\n"
 385                    (with-output-to-string
 386                      (lambda ()
 387                        (serialize-configuration config
 388                                                 krb5-configuration-fields)))))
 389
 390 (define (krb5-etc-service config)
 391   (list `("krb5.conf" ,(krb5-configuration-file config))))
 392
 393
 394 (define krb5-service-type
 395   (service-type (name 'krb5)
 396                 (extensions
 397                  (list (service-extension etc-service-type
 398                                           krb5-etc-service)))))
 399
 400
 401 \f
 402
 403 (define-record-type* <pam-krb5-configuration>
 404   pam-krb5-configuration  make-pam-krb5-configuration
 405   pam-krb5-configuration?
 406   (pam-krb5               pam-krb5-configuration-pam-krb5
 407                           (default pam-krb5))
 408   (minimum-uid            pam-krb5-configuration-minimum-uid
 409                           (default 1000)))
 410
 411 (define (pam-krb5-pam-service config)
 412   "Return a PAM service for Kerberos authentication."
 413   (lambda (pam)
 414     (define pam-krb5-module
 415       #~(string-append #$(pam-krb5-configuration-pam-krb5 config)
 416                        "/lib/security/pam_krb5.so"))
 417
 418     (let ((pam-krb5-sufficient
 419            (pam-entry
 420             (control "sufficient")
 421             (module pam-krb5-module)
 422             (arguments
 423              (list
 424               (format #f "minimum_uid=~a"
 425                       (pam-krb5-configuration-minimum-uid config)))))))
 426       (pam-service
 427        (inherit pam)
 428        (auth (cons* pam-krb5-sufficient
 429                     (pam-service-auth pam)))
 430        (session (cons* pam-krb5-sufficient
 431                        (pam-service-session pam)))
 432        (account (cons* pam-krb5-sufficient
 433                        (pam-service-account pam)))))))
 434
 435 (define (pam-krb5-pam-services config)
 436   (list (pam-krb5-pam-service config)))
 437
 438 (define pam-krb5-service-type
 439   (service-type (name 'pam-krb5)
 440                 (extensions
 441                  (list
 442                   (service-extension pam-root-service-type
 443                                      pam-krb5-pam-services)))))