Added debug message.
[utils.git] / pam_krb5auto.c
CommitLineData
dc647f87 1#include <stdlib.h>
2febc19a 2#include <stdio.h>
dc647f87 3#include <unistd.h>
2febc19a
DC
4#include <string.h>
5#include <stdarg.h>
6#include <malloc.h>
dc647f87 7#include <krb5.h>
eb2a40de
DC
8#include <pwd.h>
9#include <errno.h>
dc647f87
DC
10
11#define PAM_SM_AUTH
12
13#include <security/pam_modules.h>
14
2febc19a
DC
15#define DEF_INSTANCE "autologin"
16
17struct options
18{
19 char *realm;
20 char *instance;
21 char *keytab;
22 int debug;
eb2a40de
DC
23 int forwardable;
24 int renewable;
2febc19a
DC
25};
26
27struct data
28{
29 krb5_context ctx;
30 krb5_ccache cc;
31 krb5_principal me;
eb2a40de
DC
32 krb5_creds initcreds;
33 int hascreds;
34 uid_t uid;
2febc19a
DC
35};
36
37static void log(int prio, char *format, ...)
38{
39 va_list args;
40 char buf[1024];
41
42 va_start(args, format);
43 snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
44 vsyslog(prio, buf, args);
45 va_end(args);
46}
47
48static struct options *parseopts(int argc, const char **argv)
49{
50 int i;
51 struct options *opts;
52
53 opts = malloc(sizeof(*opts));
54 memset(opts, 0, sizeof(*opts));
55 for(i = 0; i < argc; i++) {
56 if(!strncmp(argv[i], "realm=", 6))
57 opts->realm = strdup(argv[i] + 6);
58 if(!strncmp(argv[i], "instance=", 9))
59 opts->instance = strdup(argv[i] + 9);
60 if(!strncmp(argv[i], "keytab=", 7))
61 opts->keytab = strdup(argv[i] + 7);
eb2a40de
DC
62 if(!strncmp(argv[i], "renew=", 6))
63 opts->renewable = atoi(argv[i] + 6);
64 if(!strcmp(argv[i], "forwardable"))
65 opts->forwardable = 1;
2febc19a
DC
66 if(!strcmp(argv[i], "debug"))
67 opts->debug = 1;
68 }
69 return(opts);
70}
71
72static void freeopts(struct options *opts)
73{
74 if(opts->realm != NULL)
75 free(opts->realm);
76 if(opts->instance != NULL)
77 free(opts->instance);
78 if(opts->keytab != NULL)
79 free(opts->keytab);
80 free(opts);
81}
82
83static void freedata(struct data *data)
84{
eb2a40de
DC
85 if(data->hascreds)
86 krb5_free_cred_contents(data->ctx, &data->initcreds);
87 if(data->cc != NULL)
88 krb5_cc_close(data->ctx, data->cc);
2febc19a
DC
89 if(data->me != NULL)
90 krb5_free_principal(data->ctx, data->me);
91 if(data->ctx != NULL)
92 krb5_free_context(data->ctx);
93 free(data);
94}
95
96static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
97{
98 freedata(data);
99}
100
101static struct data *getdata(pam_handle_t *pamh, struct options *opts)
102{
103 int ret;
104 struct data *data;
105 char buf[1024];
106 const char *user, *instance;
eb2a40de 107 struct passwd *pwent;
2febc19a
DC
108
109 data = NULL;
110 pam_get_data(pamh, "krb5auto-data", (const void **)&data);
111 if(data == NULL) {
112 if(opts->debug)
113 log(LOG_DEBUG, "creating new instance");
114 data = malloc(sizeof(*data));
115 memset(data, 0, sizeof(*data));
eb2a40de
DC
116 pam_get_user(pamh, &user, NULL);
117 if(user == NULL) {
118 log(LOG_ERR, "could not get user name");
119 freedata(data);
120 return(NULL);
121 }
122 errno = 0;
123 if((pwent = getpwnam(user)) == NULL) {
124 log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
125 freedata(data);
126 return(NULL);
127 }
128 data->uid = pwent->pw_uid;
2febc19a
DC
129 if((ret = krb5_init_context(&data->ctx)) != 0) {
130 log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
131 freedata(data);
132 return(NULL);
133 }
2febc19a
DC
134 if(opts->instance)
135 instance = opts->instance;
136 else
137 instance = DEF_INSTANCE;
138 if(opts->realm)
139 snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
140 else
141 snprintf(buf, sizeof(buf), "%s/%s", user, instance);
142 if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
143 log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
144 freedata(data);
145 return(NULL);
146 }
147 pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
148 }
149 return(data);
150}
151
eb2a40de 152static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
2febc19a 153{
eb2a40de
DC
154 int ret, fd;
155 krb5_keytab kt;
156 krb5_get_init_creds_opt icopts;
157 char buf[1024], *ccname, *filename;
158
159 krb5_get_init_creds_opt_init(&icopts);
160 kt = NULL;
161
162 if(opts->keytab) {
163 if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
164 log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
165 ret = PAM_SERVICE_ERR;
166 goto out;
167 }
168 if(opts->debug)
169 log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
170 }
171 krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
172 krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
173 if(data->hascreds) {
174 krb5_free_cred_contents(data->ctx, &data->initcreds);
175 data->hascreds = 0;
176 }
177 if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
178 log(LOG_ERR, "could not get credentials: %s", error_message(ret));
179 ret = PAM_SERVICE_ERR;
180 goto out;
181 }
182 data->hascreds = 1;
183 if(opts->debug)
184 log(LOG_DEBUG, "got creds successfully");
185 snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
186 ccname = buf + sizeof("KRB5CCNAME=");
187 filename = ccname + sizeof("FILE:");
188 if((fd = mkstemp(filename)) < 0) {
189 log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
190 ret = PAM_SERVICE_ERR;
191 goto out;
192 }
193 close(fd);
194 if(opts->debug)
195 log(LOG_DEBUG, "created ccache `%s'", filename);
196 if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
197 log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
198 unlink(filename);
199 ret = PAM_SERVICE_ERR;
200 goto out;
201 }
202 if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
203 log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
204 unlink(filename);
205 ret = PAM_SERVICE_ERR;
206 goto out;
207 }
208 if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
209 log(LOG_ERR, "could not store credentials: %s", error_message(ret));
210 unlink(filename);
211 ret = PAM_SERVICE_ERR;
212 goto out;
213 }
214 pam_putenv(pamh, strdup(buf));
215 if(opts->debug)
216 log(LOG_DEBUG, "successfully initialized ccache");
217 ret = PAM_SUCCESS;
218
219 out:
220 if(kt != NULL)
221 krb5_kt_close(data->ctx, kt);
222 return(ret);
223}
224
225static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
226{
227 if(opts->debug)
228 log(LOG_DEBUG, "deleting credentials");
229 if(data->hascreds) {
230 krb5_free_cred_contents(data->ctx, &data->initcreds);
231 data->hascreds = 0;
232 if(opts->debug)
233 log(LOG_DEBUG, "freed internal creds");
234 }
235 if(data->cc != NULL) {
236 krb5_cc_destroy(data->ctx, data->cc);
237 data->cc = NULL;
238 if(opts->debug)
239 log(LOG_DEBUG, "destroyed ccache");
240 }
241 return(PAM_SUCCESS);
2febc19a
DC
242}
243
244PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
245{
eb2a40de
DC
246 struct options *opts;
247
248 opts = parseopts(argc, argv);
249 if(opts->debug)
250 log(LOG_DEBUG, "pam_sm_authenticate called");
251 freeopts(opts);
2febc19a
DC
252 return(PAM_IGNORE);
253}
254
255PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
256{
257 struct options *opts;
258 struct data *data;
eb2a40de 259 int ret;
2febc19a
DC
260
261 opts = parseopts(argc, argv);
4fb861a5
DC
262 if(opts->debug)
263 log(LOG_DEBUG, "pam_sm_setcred called");
2febc19a
DC
264 data = getdata(pamh, opts);
265 if(data == NULL) {
266 log(LOG_ERR, "could not get data, erroring out");
267 return(PAM_SERVICE_ERR);
268 }
eb2a40de 269 ret = PAM_SERVICE_ERR;
2febc19a 270 if(flags & PAM_ESTABLISH_CRED) {
eb2a40de
DC
271 ret = savecreds(pamh, opts, data);
272 } else if(flags & PAM_DELETE_CRED) {
273 ret = delcreds(pamh, opts, data);
2febc19a
DC
274 }
275 freeopts(opts);
eb2a40de 276 return(ret);
2febc19a 277}
dc647f87
DC
278
279/*
280 * Local Variables:
4aa1b80b 281 * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
dc647f87
DC
282 * End:
283 */