Commit | Line | Data |
---|---|---|
7ccba695 DC |
1 | /* |
2 | * pam_krb5auto - Gets initial credentials non-interactively | |
3 | * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com) | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License as published by | |
7 | * the Free Software Foundation; either version 2 of the License, or | |
8 | * (at your option) any later version. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, | |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
13 | * GNU General Public License for more details. | |
14 | * | |
15 | * You should have received a copy of the GNU General Public License | |
16 | * along with this program; if not, write to the Free Software | |
17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
18 | */ | |
dc647f87 | 19 | #include <stdlib.h> |
2febc19a | 20 | #include <stdio.h> |
dc647f87 | 21 | #include <unistd.h> |
2febc19a DC |
22 | #include <string.h> |
23 | #include <stdarg.h> | |
24 | #include <malloc.h> | |
dc647f87 | 25 | #include <krb5.h> |
eb2a40de DC |
26 | #include <pwd.h> |
27 | #include <errno.h> | |
dc647f87 DC |
28 | |
29 | #define PAM_SM_AUTH | |
30 | ||
31 | #include <security/pam_modules.h> | |
32 | ||
2febc19a DC |
33 | #define DEF_INSTANCE "autologin" |
34 | ||
35 | struct options | |
36 | { | |
37 | char *realm; | |
38 | char *instance; | |
39 | char *keytab; | |
40 | int debug; | |
eb2a40de DC |
41 | int forwardable; |
42 | int renewable; | |
2febc19a DC |
43 | }; |
44 | ||
45 | struct data | |
46 | { | |
47 | krb5_context ctx; | |
48 | krb5_ccache cc; | |
49 | krb5_principal me; | |
eb2a40de DC |
50 | krb5_creds initcreds; |
51 | int hascreds; | |
52 | uid_t uid; | |
e1427cb7 | 53 | gid_t gid; |
2febc19a DC |
54 | }; |
55 | ||
56 | static void log(int prio, char *format, ...) | |
57 | { | |
58 | va_list args; | |
59 | char buf[1024]; | |
60 | ||
61 | va_start(args, format); | |
62 | snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format); | |
63 | vsyslog(prio, buf, args); | |
64 | va_end(args); | |
65 | } | |
66 | ||
67 | static struct options *parseopts(int argc, const char **argv) | |
68 | { | |
69 | int i; | |
70 | struct options *opts; | |
7dc0e19e DC |
71 | const char *p; |
72 | int unit; | |
2febc19a DC |
73 | |
74 | opts = malloc(sizeof(*opts)); | |
75 | memset(opts, 0, sizeof(*opts)); | |
76 | for(i = 0; i < argc; i++) { | |
77 | if(!strncmp(argv[i], "realm=", 6)) | |
78 | opts->realm = strdup(argv[i] + 6); | |
79 | if(!strncmp(argv[i], "instance=", 9)) | |
80 | opts->instance = strdup(argv[i] + 9); | |
81 | if(!strncmp(argv[i], "keytab=", 7)) | |
82 | opts->keytab = strdup(argv[i] + 7); | |
7dc0e19e DC |
83 | if(!strncmp(argv[i], "renew=", 6)) { |
84 | p = argv[i] + strlen(argv[i]) - 1; | |
85 | unit = 1; | |
86 | if((*p >= 'a') && (*p <= 'z')) { | |
87 | if(*p == 'm') | |
88 | unit = 60; | |
89 | else if(*p == 'h') | |
90 | unit = 3600; | |
91 | else if(*p == 'd') | |
92 | unit = 86400; | |
93 | else | |
94 | unit = 1; | |
95 | } | |
96 | opts->renewable = atoi(argv[i] + 6) * unit; | |
97 | } | |
eb2a40de DC |
98 | if(!strcmp(argv[i], "forwardable")) |
99 | opts->forwardable = 1; | |
2febc19a DC |
100 | if(!strcmp(argv[i], "debug")) |
101 | opts->debug = 1; | |
102 | } | |
103 | return(opts); | |
104 | } | |
105 | ||
106 | static void freeopts(struct options *opts) | |
107 | { | |
108 | if(opts->realm != NULL) | |
109 | free(opts->realm); | |
110 | if(opts->instance != NULL) | |
111 | free(opts->instance); | |
112 | if(opts->keytab != NULL) | |
113 | free(opts->keytab); | |
114 | free(opts); | |
115 | } | |
116 | ||
117 | static void freedata(struct data *data) | |
118 | { | |
eb2a40de DC |
119 | if(data->hascreds) |
120 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
121 | if(data->cc != NULL) | |
122 | krb5_cc_close(data->ctx, data->cc); | |
2febc19a DC |
123 | if(data->me != NULL) |
124 | krb5_free_principal(data->ctx, data->me); | |
125 | if(data->ctx != NULL) | |
126 | krb5_free_context(data->ctx); | |
127 | free(data); | |
128 | } | |
129 | ||
130 | static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status) | |
131 | { | |
132 | freedata(data); | |
133 | } | |
134 | ||
135 | static struct data *getdata(pam_handle_t *pamh, struct options *opts) | |
136 | { | |
137 | int ret; | |
138 | struct data *data; | |
139 | char buf[1024]; | |
140 | const char *user, *instance; | |
eb2a40de | 141 | struct passwd *pwent; |
2febc19a DC |
142 | |
143 | data = NULL; | |
144 | pam_get_data(pamh, "krb5auto-data", (const void **)&data); | |
145 | if(data == NULL) { | |
146 | if(opts->debug) | |
147 | log(LOG_DEBUG, "creating new instance"); | |
148 | data = malloc(sizeof(*data)); | |
149 | memset(data, 0, sizeof(*data)); | |
eb2a40de DC |
150 | pam_get_user(pamh, &user, NULL); |
151 | if(user == NULL) { | |
152 | log(LOG_ERR, "could not get user name"); | |
153 | freedata(data); | |
154 | return(NULL); | |
155 | } | |
156 | errno = 0; | |
157 | if((pwent = getpwnam(user)) == NULL) { | |
158 | log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno)); | |
159 | freedata(data); | |
160 | return(NULL); | |
161 | } | |
162 | data->uid = pwent->pw_uid; | |
e1427cb7 | 163 | data->gid = pwent->pw_gid; |
2febc19a DC |
164 | if((ret = krb5_init_context(&data->ctx)) != 0) { |
165 | log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret)); | |
166 | freedata(data); | |
167 | return(NULL); | |
168 | } | |
2febc19a DC |
169 | if(opts->instance) |
170 | instance = opts->instance; | |
171 | else | |
172 | instance = DEF_INSTANCE; | |
173 | if(opts->realm) | |
174 | snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm); | |
175 | else | |
176 | snprintf(buf, sizeof(buf), "%s/%s", user, instance); | |
177 | if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) { | |
178 | log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret)); | |
179 | freedata(data); | |
180 | return(NULL); | |
181 | } | |
182 | pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata); | |
183 | } | |
184 | return(data); | |
185 | } | |
186 | ||
eb2a40de | 187 | static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data) |
2febc19a | 188 | { |
eb2a40de DC |
189 | int ret, fd; |
190 | krb5_keytab kt; | |
191 | krb5_get_init_creds_opt icopts; | |
192 | char buf[1024], *ccname, *filename; | |
193 | ||
194 | krb5_get_init_creds_opt_init(&icopts); | |
195 | kt = NULL; | |
196 | ||
197 | if(opts->keytab) { | |
198 | if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) { | |
199 | log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret)); | |
200 | ret = PAM_SERVICE_ERR; | |
201 | goto out; | |
202 | } | |
203 | if(opts->debug) | |
204 | log(LOG_DEBUG, "using keytab `%s'", opts->keytab); | |
205 | } | |
206 | krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable); | |
207 | krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable); | |
208 | if(data->hascreds) { | |
209 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
210 | data->hascreds = 0; | |
211 | } | |
212 | if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) { | |
213 | log(LOG_ERR, "could not get credentials: %s", error_message(ret)); | |
214 | ret = PAM_SERVICE_ERR; | |
215 | goto out; | |
216 | } | |
217 | data->hascreds = 1; | |
218 | if(opts->debug) | |
219 | log(LOG_DEBUG, "got creds successfully"); | |
220 | snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid); | |
32601c6b DC |
221 | ccname = buf + sizeof("KRB5CCNAME=") - 1; |
222 | filename = ccname + sizeof("FILE:") - 1; | |
eb2a40de DC |
223 | if((fd = mkstemp(filename)) < 0) { |
224 | log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno)); | |
225 | ret = PAM_SERVICE_ERR; | |
226 | goto out; | |
227 | } | |
228 | close(fd); | |
229 | if(opts->debug) | |
230 | log(LOG_DEBUG, "created ccache `%s'", filename); | |
231 | if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) { | |
232 | log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret)); | |
233 | unlink(filename); | |
234 | ret = PAM_SERVICE_ERR; | |
235 | goto out; | |
236 | } | |
237 | if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) { | |
238 | log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret)); | |
239 | unlink(filename); | |
240 | ret = PAM_SERVICE_ERR; | |
241 | goto out; | |
242 | } | |
243 | if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) { | |
244 | log(LOG_ERR, "could not store credentials: %s", error_message(ret)); | |
245 | unlink(filename); | |
246 | ret = PAM_SERVICE_ERR; | |
247 | goto out; | |
248 | } | |
e1427cb7 | 249 | chown(filename, data->uid, data->gid); |
eb2a40de DC |
250 | pam_putenv(pamh, strdup(buf)); |
251 | if(opts->debug) | |
252 | log(LOG_DEBUG, "successfully initialized ccache"); | |
253 | ret = PAM_SUCCESS; | |
254 | ||
255 | out: | |
256 | if(kt != NULL) | |
257 | krb5_kt_close(data->ctx, kt); | |
258 | return(ret); | |
259 | } | |
260 | ||
261 | static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data) | |
262 | { | |
263 | if(opts->debug) | |
264 | log(LOG_DEBUG, "deleting credentials"); | |
265 | if(data->hascreds) { | |
266 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
267 | data->hascreds = 0; | |
268 | if(opts->debug) | |
269 | log(LOG_DEBUG, "freed internal creds"); | |
270 | } | |
271 | if(data->cc != NULL) { | |
272 | krb5_cc_destroy(data->ctx, data->cc); | |
273 | data->cc = NULL; | |
274 | if(opts->debug) | |
275 | log(LOG_DEBUG, "destroyed ccache"); | |
276 | } | |
277 | return(PAM_SUCCESS); | |
2febc19a DC |
278 | } |
279 | ||
280 | PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) | |
281 | { | |
eb2a40de DC |
282 | struct options *opts; |
283 | ||
284 | opts = parseopts(argc, argv); | |
285 | if(opts->debug) | |
286 | log(LOG_DEBUG, "pam_sm_authenticate called"); | |
287 | freeopts(opts); | |
2febc19a DC |
288 | return(PAM_IGNORE); |
289 | } | |
290 | ||
291 | PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) | |
292 | { | |
293 | struct options *opts; | |
294 | struct data *data; | |
eb2a40de | 295 | int ret; |
2febc19a DC |
296 | |
297 | opts = parseopts(argc, argv); | |
4fb861a5 DC |
298 | if(opts->debug) |
299 | log(LOG_DEBUG, "pam_sm_setcred called"); | |
2febc19a DC |
300 | data = getdata(pamh, opts); |
301 | if(data == NULL) { | |
302 | log(LOG_ERR, "could not get data, erroring out"); | |
303 | return(PAM_SERVICE_ERR); | |
304 | } | |
eb2a40de | 305 | ret = PAM_SERVICE_ERR; |
2febc19a | 306 | if(flags & PAM_ESTABLISH_CRED) { |
eb2a40de DC |
307 | ret = savecreds(pamh, opts, data); |
308 | } else if(flags & PAM_DELETE_CRED) { | |
309 | ret = delcreds(pamh, opts, data); | |
2febc19a DC |
310 | } |
311 | freeopts(opts); | |
eb2a40de | 312 | return(ret); |
2febc19a | 313 | } |
dc647f87 DC |
314 | |
315 | /* | |
316 | * Local Variables: | |
4aa1b80b | 317 | * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5" |
dc647f87 DC |
318 | * End: |
319 | */ |