Create an info file.
[utils.git] / pam_krb5auto.c
CommitLineData
7ccba695
DC
1/*
2 * pam_krb5auto - Gets initial credentials non-interactively
3 * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18*/
dc647f87 19#include <stdlib.h>
2febc19a 20#include <stdio.h>
dc647f87 21#include <unistd.h>
2febc19a
DC
22#include <string.h>
23#include <stdarg.h>
24#include <malloc.h>
dc647f87 25#include <krb5.h>
eb2a40de
DC
26#include <pwd.h>
27#include <errno.h>
dc647f87
DC
28
29#define PAM_SM_AUTH
30
31#include <security/pam_modules.h>
32
2febc19a
DC
33#define DEF_INSTANCE "autologin"
34
35struct options
36{
37 char *realm;
38 char *instance;
39 char *keytab;
40 int debug;
eb2a40de
DC
41 int forwardable;
42 int renewable;
2febc19a
DC
43};
44
45struct data
46{
47 krb5_context ctx;
48 krb5_ccache cc;
49 krb5_principal me;
eb2a40de
DC
50 krb5_creds initcreds;
51 int hascreds;
52 uid_t uid;
e1427cb7 53 gid_t gid;
2febc19a
DC
54};
55
56static void log(int prio, char *format, ...)
57{
58 va_list args;
59 char buf[1024];
60
61 va_start(args, format);
62 snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
63 vsyslog(prio, buf, args);
64 va_end(args);
65}
66
67static struct options *parseopts(int argc, const char **argv)
68{
69 int i;
70 struct options *opts;
7dc0e19e
DC
71 const char *p;
72 int unit;
2febc19a
DC
73
74 opts = malloc(sizeof(*opts));
75 memset(opts, 0, sizeof(*opts));
76 for(i = 0; i < argc; i++) {
77 if(!strncmp(argv[i], "realm=", 6))
78 opts->realm = strdup(argv[i] + 6);
79 if(!strncmp(argv[i], "instance=", 9))
80 opts->instance = strdup(argv[i] + 9);
81 if(!strncmp(argv[i], "keytab=", 7))
82 opts->keytab = strdup(argv[i] + 7);
7dc0e19e
DC
83 if(!strncmp(argv[i], "renew=", 6)) {
84 p = argv[i] + strlen(argv[i]) - 1;
85 unit = 1;
86 if((*p >= 'a') && (*p <= 'z')) {
87 if(*p == 'm')
88 unit = 60;
89 else if(*p == 'h')
90 unit = 3600;
91 else if(*p == 'd')
92 unit = 86400;
93 else
94 unit = 1;
95 }
96 opts->renewable = atoi(argv[i] + 6) * unit;
97 }
eb2a40de
DC
98 if(!strcmp(argv[i], "forwardable"))
99 opts->forwardable = 1;
2febc19a
DC
100 if(!strcmp(argv[i], "debug"))
101 opts->debug = 1;
102 }
103 return(opts);
104}
105
106static void freeopts(struct options *opts)
107{
108 if(opts->realm != NULL)
109 free(opts->realm);
110 if(opts->instance != NULL)
111 free(opts->instance);
112 if(opts->keytab != NULL)
113 free(opts->keytab);
114 free(opts);
115}
116
117static void freedata(struct data *data)
118{
eb2a40de
DC
119 if(data->hascreds)
120 krb5_free_cred_contents(data->ctx, &data->initcreds);
121 if(data->cc != NULL)
122 krb5_cc_close(data->ctx, data->cc);
2febc19a
DC
123 if(data->me != NULL)
124 krb5_free_principal(data->ctx, data->me);
125 if(data->ctx != NULL)
126 krb5_free_context(data->ctx);
127 free(data);
128}
129
130static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
131{
132 freedata(data);
133}
134
135static struct data *getdata(pam_handle_t *pamh, struct options *opts)
136{
137 int ret;
138 struct data *data;
139 char buf[1024];
140 const char *user, *instance;
eb2a40de 141 struct passwd *pwent;
2febc19a
DC
142
143 data = NULL;
144 pam_get_data(pamh, "krb5auto-data", (const void **)&data);
145 if(data == NULL) {
146 if(opts->debug)
147 log(LOG_DEBUG, "creating new instance");
148 data = malloc(sizeof(*data));
149 memset(data, 0, sizeof(*data));
eb2a40de
DC
150 pam_get_user(pamh, &user, NULL);
151 if(user == NULL) {
152 log(LOG_ERR, "could not get user name");
153 freedata(data);
154 return(NULL);
155 }
156 errno = 0;
157 if((pwent = getpwnam(user)) == NULL) {
158 log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
159 freedata(data);
160 return(NULL);
161 }
162 data->uid = pwent->pw_uid;
e1427cb7 163 data->gid = pwent->pw_gid;
2febc19a
DC
164 if((ret = krb5_init_context(&data->ctx)) != 0) {
165 log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
166 freedata(data);
167 return(NULL);
168 }
2febc19a
DC
169 if(opts->instance)
170 instance = opts->instance;
171 else
172 instance = DEF_INSTANCE;
173 if(opts->realm)
174 snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
175 else
176 snprintf(buf, sizeof(buf), "%s/%s", user, instance);
177 if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
178 log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
179 freedata(data);
180 return(NULL);
181 }
182 pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
183 }
184 return(data);
185}
186
eb2a40de 187static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
2febc19a 188{
eb2a40de
DC
189 int ret, fd;
190 krb5_keytab kt;
191 krb5_get_init_creds_opt icopts;
192 char buf[1024], *ccname, *filename;
193
194 krb5_get_init_creds_opt_init(&icopts);
195 kt = NULL;
196
197 if(opts->keytab) {
198 if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
199 log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
200 ret = PAM_SERVICE_ERR;
201 goto out;
202 }
203 if(opts->debug)
204 log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
205 }
206 krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
207 krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
208 if(data->hascreds) {
209 krb5_free_cred_contents(data->ctx, &data->initcreds);
210 data->hascreds = 0;
211 }
212 if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
213 log(LOG_ERR, "could not get credentials: %s", error_message(ret));
214 ret = PAM_SERVICE_ERR;
215 goto out;
216 }
217 data->hascreds = 1;
218 if(opts->debug)
219 log(LOG_DEBUG, "got creds successfully");
220 snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
32601c6b
DC
221 ccname = buf + sizeof("KRB5CCNAME=") - 1;
222 filename = ccname + sizeof("FILE:") - 1;
eb2a40de
DC
223 if((fd = mkstemp(filename)) < 0) {
224 log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
225 ret = PAM_SERVICE_ERR;
226 goto out;
227 }
228 close(fd);
229 if(opts->debug)
230 log(LOG_DEBUG, "created ccache `%s'", filename);
231 if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
232 log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
233 unlink(filename);
234 ret = PAM_SERVICE_ERR;
235 goto out;
236 }
237 if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
238 log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
239 unlink(filename);
240 ret = PAM_SERVICE_ERR;
241 goto out;
242 }
243 if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
244 log(LOG_ERR, "could not store credentials: %s", error_message(ret));
245 unlink(filename);
246 ret = PAM_SERVICE_ERR;
247 goto out;
248 }
e1427cb7 249 chown(filename, data->uid, data->gid);
eb2a40de
DC
250 pam_putenv(pamh, strdup(buf));
251 if(opts->debug)
252 log(LOG_DEBUG, "successfully initialized ccache");
253 ret = PAM_SUCCESS;
254
255 out:
256 if(kt != NULL)
257 krb5_kt_close(data->ctx, kt);
258 return(ret);
259}
260
261static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
262{
263 if(opts->debug)
264 log(LOG_DEBUG, "deleting credentials");
265 if(data->hascreds) {
266 krb5_free_cred_contents(data->ctx, &data->initcreds);
267 data->hascreds = 0;
268 if(opts->debug)
269 log(LOG_DEBUG, "freed internal creds");
270 }
271 if(data->cc != NULL) {
272 krb5_cc_destroy(data->ctx, data->cc);
273 data->cc = NULL;
274 if(opts->debug)
275 log(LOG_DEBUG, "destroyed ccache");
276 }
277 return(PAM_SUCCESS);
2febc19a
DC
278}
279
280PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
281{
eb2a40de
DC
282 struct options *opts;
283
284 opts = parseopts(argc, argv);
285 if(opts->debug)
286 log(LOG_DEBUG, "pam_sm_authenticate called");
287 freeopts(opts);
2febc19a
DC
288 return(PAM_IGNORE);
289}
290
291PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
292{
293 struct options *opts;
294 struct data *data;
eb2a40de 295 int ret;
2febc19a
DC
296
297 opts = parseopts(argc, argv);
4fb861a5
DC
298 if(opts->debug)
299 log(LOG_DEBUG, "pam_sm_setcred called");
2febc19a
DC
300 data = getdata(pamh, opts);
301 if(data == NULL) {
302 log(LOG_ERR, "could not get data, erroring out");
303 return(PAM_SERVICE_ERR);
304 }
eb2a40de 305 ret = PAM_SERVICE_ERR;
2febc19a 306 if(flags & PAM_ESTABLISH_CRED) {
eb2a40de
DC
307 ret = savecreds(pamh, opts, data);
308 } else if(flags & PAM_DELETE_CRED) {
309 ret = delcreds(pamh, opts, data);
2febc19a
DC
310 }
311 freeopts(opts);
eb2a40de 312 return(ret);
2febc19a 313}
dc647f87
DC
314
315/*
316 * Local Variables:
4aa1b80b 317 * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
dc647f87
DC
318 * End:
319 */