Commit | Line | Data |
---|---|---|
dc647f87 | 1 | #include <stdlib.h> |
2febc19a | 2 | #include <stdio.h> |
dc647f87 | 3 | #include <unistd.h> |
2febc19a DC |
4 | #include <string.h> |
5 | #include <stdarg.h> | |
6 | #include <malloc.h> | |
dc647f87 | 7 | #include <krb5.h> |
eb2a40de DC |
8 | #include <pwd.h> |
9 | #include <errno.h> | |
dc647f87 DC |
10 | |
11 | #define PAM_SM_AUTH | |
12 | ||
13 | #include <security/pam_modules.h> | |
14 | ||
2febc19a DC |
15 | #define DEF_INSTANCE "autologin" |
16 | ||
17 | struct options | |
18 | { | |
19 | char *realm; | |
20 | char *instance; | |
21 | char *keytab; | |
22 | int debug; | |
eb2a40de DC |
23 | int forwardable; |
24 | int renewable; | |
2febc19a DC |
25 | }; |
26 | ||
27 | struct data | |
28 | { | |
29 | krb5_context ctx; | |
30 | krb5_ccache cc; | |
31 | krb5_principal me; | |
eb2a40de DC |
32 | krb5_creds initcreds; |
33 | int hascreds; | |
34 | uid_t uid; | |
2febc19a DC |
35 | }; |
36 | ||
37 | static void log(int prio, char *format, ...) | |
38 | { | |
39 | va_list args; | |
40 | char buf[1024]; | |
41 | ||
42 | va_start(args, format); | |
43 | snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format); | |
44 | vsyslog(prio, buf, args); | |
45 | va_end(args); | |
46 | } | |
47 | ||
48 | static struct options *parseopts(int argc, const char **argv) | |
49 | { | |
50 | int i; | |
51 | struct options *opts; | |
52 | ||
53 | opts = malloc(sizeof(*opts)); | |
54 | memset(opts, 0, sizeof(*opts)); | |
55 | for(i = 0; i < argc; i++) { | |
56 | if(!strncmp(argv[i], "realm=", 6)) | |
57 | opts->realm = strdup(argv[i] + 6); | |
58 | if(!strncmp(argv[i], "instance=", 9)) | |
59 | opts->instance = strdup(argv[i] + 9); | |
60 | if(!strncmp(argv[i], "keytab=", 7)) | |
61 | opts->keytab = strdup(argv[i] + 7); | |
eb2a40de DC |
62 | if(!strncmp(argv[i], "renew=", 6)) |
63 | opts->renewable = atoi(argv[i] + 6); | |
64 | if(!strcmp(argv[i], "forwardable")) | |
65 | opts->forwardable = 1; | |
2febc19a DC |
66 | if(!strcmp(argv[i], "debug")) |
67 | opts->debug = 1; | |
68 | } | |
69 | return(opts); | |
70 | } | |
71 | ||
72 | static void freeopts(struct options *opts) | |
73 | { | |
74 | if(opts->realm != NULL) | |
75 | free(opts->realm); | |
76 | if(opts->instance != NULL) | |
77 | free(opts->instance); | |
78 | if(opts->keytab != NULL) | |
79 | free(opts->keytab); | |
80 | free(opts); | |
81 | } | |
82 | ||
83 | static void freedata(struct data *data) | |
84 | { | |
eb2a40de DC |
85 | if(data->hascreds) |
86 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
87 | if(data->cc != NULL) | |
88 | krb5_cc_close(data->ctx, data->cc); | |
2febc19a DC |
89 | if(data->me != NULL) |
90 | krb5_free_principal(data->ctx, data->me); | |
91 | if(data->ctx != NULL) | |
92 | krb5_free_context(data->ctx); | |
93 | free(data); | |
94 | } | |
95 | ||
96 | static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status) | |
97 | { | |
98 | freedata(data); | |
99 | } | |
100 | ||
101 | static struct data *getdata(pam_handle_t *pamh, struct options *opts) | |
102 | { | |
103 | int ret; | |
104 | struct data *data; | |
105 | char buf[1024]; | |
106 | const char *user, *instance; | |
eb2a40de | 107 | struct passwd *pwent; |
2febc19a DC |
108 | |
109 | data = NULL; | |
110 | pam_get_data(pamh, "krb5auto-data", (const void **)&data); | |
111 | if(data == NULL) { | |
112 | if(opts->debug) | |
113 | log(LOG_DEBUG, "creating new instance"); | |
114 | data = malloc(sizeof(*data)); | |
115 | memset(data, 0, sizeof(*data)); | |
eb2a40de DC |
116 | pam_get_user(pamh, &user, NULL); |
117 | if(user == NULL) { | |
118 | log(LOG_ERR, "could not get user name"); | |
119 | freedata(data); | |
120 | return(NULL); | |
121 | } | |
122 | errno = 0; | |
123 | if((pwent = getpwnam(user)) == NULL) { | |
124 | log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno)); | |
125 | freedata(data); | |
126 | return(NULL); | |
127 | } | |
128 | data->uid = pwent->pw_uid; | |
2febc19a DC |
129 | if((ret = krb5_init_context(&data->ctx)) != 0) { |
130 | log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret)); | |
131 | freedata(data); | |
132 | return(NULL); | |
133 | } | |
2febc19a DC |
134 | if(opts->instance) |
135 | instance = opts->instance; | |
136 | else | |
137 | instance = DEF_INSTANCE; | |
138 | if(opts->realm) | |
139 | snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm); | |
140 | else | |
141 | snprintf(buf, sizeof(buf), "%s/%s", user, instance); | |
142 | if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) { | |
143 | log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret)); | |
144 | freedata(data); | |
145 | return(NULL); | |
146 | } | |
147 | pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata); | |
148 | } | |
149 | return(data); | |
150 | } | |
151 | ||
eb2a40de | 152 | static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data) |
2febc19a | 153 | { |
eb2a40de DC |
154 | int ret, fd; |
155 | krb5_keytab kt; | |
156 | krb5_get_init_creds_opt icopts; | |
157 | char buf[1024], *ccname, *filename; | |
158 | ||
159 | krb5_get_init_creds_opt_init(&icopts); | |
160 | kt = NULL; | |
161 | ||
162 | if(opts->keytab) { | |
163 | if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) { | |
164 | log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret)); | |
165 | ret = PAM_SERVICE_ERR; | |
166 | goto out; | |
167 | } | |
168 | if(opts->debug) | |
169 | log(LOG_DEBUG, "using keytab `%s'", opts->keytab); | |
170 | } | |
171 | krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable); | |
172 | krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable); | |
173 | if(data->hascreds) { | |
174 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
175 | data->hascreds = 0; | |
176 | } | |
177 | if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) { | |
178 | log(LOG_ERR, "could not get credentials: %s", error_message(ret)); | |
179 | ret = PAM_SERVICE_ERR; | |
180 | goto out; | |
181 | } | |
182 | data->hascreds = 1; | |
183 | if(opts->debug) | |
184 | log(LOG_DEBUG, "got creds successfully"); | |
185 | snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid); | |
186 | ccname = buf + sizeof("KRB5CCNAME="); | |
187 | filename = ccname + sizeof("FILE:"); | |
188 | if((fd = mkstemp(filename)) < 0) { | |
189 | log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno)); | |
190 | ret = PAM_SERVICE_ERR; | |
191 | goto out; | |
192 | } | |
193 | close(fd); | |
194 | if(opts->debug) | |
195 | log(LOG_DEBUG, "created ccache `%s'", filename); | |
196 | if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) { | |
197 | log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret)); | |
198 | unlink(filename); | |
199 | ret = PAM_SERVICE_ERR; | |
200 | goto out; | |
201 | } | |
202 | if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) { | |
203 | log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret)); | |
204 | unlink(filename); | |
205 | ret = PAM_SERVICE_ERR; | |
206 | goto out; | |
207 | } | |
208 | if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) { | |
209 | log(LOG_ERR, "could not store credentials: %s", error_message(ret)); | |
210 | unlink(filename); | |
211 | ret = PAM_SERVICE_ERR; | |
212 | goto out; | |
213 | } | |
214 | pam_putenv(pamh, strdup(buf)); | |
215 | if(opts->debug) | |
216 | log(LOG_DEBUG, "successfully initialized ccache"); | |
217 | ret = PAM_SUCCESS; | |
218 | ||
219 | out: | |
220 | if(kt != NULL) | |
221 | krb5_kt_close(data->ctx, kt); | |
222 | return(ret); | |
223 | } | |
224 | ||
225 | static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data) | |
226 | { | |
227 | if(opts->debug) | |
228 | log(LOG_DEBUG, "deleting credentials"); | |
229 | if(data->hascreds) { | |
230 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
231 | data->hascreds = 0; | |
232 | if(opts->debug) | |
233 | log(LOG_DEBUG, "freed internal creds"); | |
234 | } | |
235 | if(data->cc != NULL) { | |
236 | krb5_cc_destroy(data->ctx, data->cc); | |
237 | data->cc = NULL; | |
238 | if(opts->debug) | |
239 | log(LOG_DEBUG, "destroyed ccache"); | |
240 | } | |
241 | return(PAM_SUCCESS); | |
2febc19a DC |
242 | } |
243 | ||
244 | PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) | |
245 | { | |
eb2a40de DC |
246 | struct options *opts; |
247 | ||
248 | opts = parseopts(argc, argv); | |
249 | if(opts->debug) | |
250 | log(LOG_DEBUG, "pam_sm_authenticate called"); | |
251 | freeopts(opts); | |
2febc19a DC |
252 | return(PAM_IGNORE); |
253 | } | |
254 | ||
255 | PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) | |
256 | { | |
257 | struct options *opts; | |
258 | struct data *data; | |
eb2a40de | 259 | int ret; |
2febc19a DC |
260 | |
261 | opts = parseopts(argc, argv); | |
4fb861a5 DC |
262 | if(opts->debug) |
263 | log(LOG_DEBUG, "pam_sm_setcred called"); | |
2febc19a DC |
264 | data = getdata(pamh, opts); |
265 | if(data == NULL) { | |
266 | log(LOG_ERR, "could not get data, erroring out"); | |
267 | return(PAM_SERVICE_ERR); | |
268 | } | |
eb2a40de | 269 | ret = PAM_SERVICE_ERR; |
2febc19a | 270 | if(flags & PAM_ESTABLISH_CRED) { |
eb2a40de DC |
271 | ret = savecreds(pamh, opts, data); |
272 | } else if(flags & PAM_DELETE_CRED) { | |
273 | ret = delcreds(pamh, opts, data); | |
2febc19a DC |
274 | } |
275 | freeopts(opts); | |
eb2a40de | 276 | return(ret); |
2febc19a | 277 | } |
dc647f87 DC |
278 | |
279 | /* | |
280 | * Local Variables: | |
4aa1b80b | 281 | * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5" |
dc647f87 DC |
282 | * End: |
283 | */ |