Commit | Line | Data |
---|---|---|
dc647f87 | 1 | #include <stdlib.h> |
2febc19a | 2 | #include <stdio.h> |
dc647f87 | 3 | #include <unistd.h> |
2febc19a DC |
4 | #include <string.h> |
5 | #include <stdarg.h> | |
6 | #include <malloc.h> | |
dc647f87 | 7 | #include <krb5.h> |
eb2a40de DC |
8 | #include <pwd.h> |
9 | #include <errno.h> | |
dc647f87 DC |
10 | |
11 | #define PAM_SM_AUTH | |
12 | ||
13 | #include <security/pam_modules.h> | |
14 | ||
2febc19a DC |
15 | #define DEF_INSTANCE "autologin" |
16 | ||
17 | struct options | |
18 | { | |
19 | char *realm; | |
20 | char *instance; | |
21 | char *keytab; | |
22 | int debug; | |
eb2a40de DC |
23 | int forwardable; |
24 | int renewable; | |
2febc19a DC |
25 | }; |
26 | ||
27 | struct data | |
28 | { | |
29 | krb5_context ctx; | |
30 | krb5_ccache cc; | |
31 | krb5_principal me; | |
eb2a40de DC |
32 | krb5_creds initcreds; |
33 | int hascreds; | |
34 | uid_t uid; | |
e1427cb7 | 35 | gid_t gid; |
2febc19a DC |
36 | }; |
37 | ||
38 | static void log(int prio, char *format, ...) | |
39 | { | |
40 | va_list args; | |
41 | char buf[1024]; | |
42 | ||
43 | va_start(args, format); | |
44 | snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format); | |
45 | vsyslog(prio, buf, args); | |
46 | va_end(args); | |
47 | } | |
48 | ||
49 | static struct options *parseopts(int argc, const char **argv) | |
50 | { | |
51 | int i; | |
52 | struct options *opts; | |
53 | ||
54 | opts = malloc(sizeof(*opts)); | |
55 | memset(opts, 0, sizeof(*opts)); | |
56 | for(i = 0; i < argc; i++) { | |
57 | if(!strncmp(argv[i], "realm=", 6)) | |
58 | opts->realm = strdup(argv[i] + 6); | |
59 | if(!strncmp(argv[i], "instance=", 9)) | |
60 | opts->instance = strdup(argv[i] + 9); | |
61 | if(!strncmp(argv[i], "keytab=", 7)) | |
62 | opts->keytab = strdup(argv[i] + 7); | |
eb2a40de DC |
63 | if(!strncmp(argv[i], "renew=", 6)) |
64 | opts->renewable = atoi(argv[i] + 6); | |
65 | if(!strcmp(argv[i], "forwardable")) | |
66 | opts->forwardable = 1; | |
2febc19a DC |
67 | if(!strcmp(argv[i], "debug")) |
68 | opts->debug = 1; | |
69 | } | |
70 | return(opts); | |
71 | } | |
72 | ||
73 | static void freeopts(struct options *opts) | |
74 | { | |
75 | if(opts->realm != NULL) | |
76 | free(opts->realm); | |
77 | if(opts->instance != NULL) | |
78 | free(opts->instance); | |
79 | if(opts->keytab != NULL) | |
80 | free(opts->keytab); | |
81 | free(opts); | |
82 | } | |
83 | ||
84 | static void freedata(struct data *data) | |
85 | { | |
eb2a40de DC |
86 | if(data->hascreds) |
87 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
88 | if(data->cc != NULL) | |
89 | krb5_cc_close(data->ctx, data->cc); | |
2febc19a DC |
90 | if(data->me != NULL) |
91 | krb5_free_principal(data->ctx, data->me); | |
92 | if(data->ctx != NULL) | |
93 | krb5_free_context(data->ctx); | |
94 | free(data); | |
95 | } | |
96 | ||
97 | static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status) | |
98 | { | |
99 | freedata(data); | |
100 | } | |
101 | ||
102 | static struct data *getdata(pam_handle_t *pamh, struct options *opts) | |
103 | { | |
104 | int ret; | |
105 | struct data *data; | |
106 | char buf[1024]; | |
107 | const char *user, *instance; | |
eb2a40de | 108 | struct passwd *pwent; |
2febc19a DC |
109 | |
110 | data = NULL; | |
111 | pam_get_data(pamh, "krb5auto-data", (const void **)&data); | |
112 | if(data == NULL) { | |
113 | if(opts->debug) | |
114 | log(LOG_DEBUG, "creating new instance"); | |
115 | data = malloc(sizeof(*data)); | |
116 | memset(data, 0, sizeof(*data)); | |
eb2a40de DC |
117 | pam_get_user(pamh, &user, NULL); |
118 | if(user == NULL) { | |
119 | log(LOG_ERR, "could not get user name"); | |
120 | freedata(data); | |
121 | return(NULL); | |
122 | } | |
123 | errno = 0; | |
124 | if((pwent = getpwnam(user)) == NULL) { | |
125 | log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno)); | |
126 | freedata(data); | |
127 | return(NULL); | |
128 | } | |
129 | data->uid = pwent->pw_uid; | |
e1427cb7 | 130 | data->gid = pwent->pw_gid; |
2febc19a DC |
131 | if((ret = krb5_init_context(&data->ctx)) != 0) { |
132 | log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret)); | |
133 | freedata(data); | |
134 | return(NULL); | |
135 | } | |
2febc19a DC |
136 | if(opts->instance) |
137 | instance = opts->instance; | |
138 | else | |
139 | instance = DEF_INSTANCE; | |
140 | if(opts->realm) | |
141 | snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm); | |
142 | else | |
143 | snprintf(buf, sizeof(buf), "%s/%s", user, instance); | |
144 | if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) { | |
145 | log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret)); | |
146 | freedata(data); | |
147 | return(NULL); | |
148 | } | |
149 | pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata); | |
150 | } | |
151 | return(data); | |
152 | } | |
153 | ||
eb2a40de | 154 | static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data) |
2febc19a | 155 | { |
eb2a40de DC |
156 | int ret, fd; |
157 | krb5_keytab kt; | |
158 | krb5_get_init_creds_opt icopts; | |
159 | char buf[1024], *ccname, *filename; | |
160 | ||
161 | krb5_get_init_creds_opt_init(&icopts); | |
162 | kt = NULL; | |
163 | ||
164 | if(opts->keytab) { | |
165 | if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) { | |
166 | log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret)); | |
167 | ret = PAM_SERVICE_ERR; | |
168 | goto out; | |
169 | } | |
170 | if(opts->debug) | |
171 | log(LOG_DEBUG, "using keytab `%s'", opts->keytab); | |
172 | } | |
173 | krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable); | |
174 | krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable); | |
175 | if(data->hascreds) { | |
176 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
177 | data->hascreds = 0; | |
178 | } | |
179 | if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) { | |
180 | log(LOG_ERR, "could not get credentials: %s", error_message(ret)); | |
181 | ret = PAM_SERVICE_ERR; | |
182 | goto out; | |
183 | } | |
184 | data->hascreds = 1; | |
185 | if(opts->debug) | |
186 | log(LOG_DEBUG, "got creds successfully"); | |
187 | snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid); | |
32601c6b DC |
188 | ccname = buf + sizeof("KRB5CCNAME=") - 1; |
189 | filename = ccname + sizeof("FILE:") - 1; | |
eb2a40de DC |
190 | if((fd = mkstemp(filename)) < 0) { |
191 | log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno)); | |
192 | ret = PAM_SERVICE_ERR; | |
193 | goto out; | |
194 | } | |
195 | close(fd); | |
196 | if(opts->debug) | |
197 | log(LOG_DEBUG, "created ccache `%s'", filename); | |
198 | if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) { | |
199 | log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret)); | |
200 | unlink(filename); | |
201 | ret = PAM_SERVICE_ERR; | |
202 | goto out; | |
203 | } | |
204 | if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) { | |
205 | log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret)); | |
206 | unlink(filename); | |
207 | ret = PAM_SERVICE_ERR; | |
208 | goto out; | |
209 | } | |
210 | if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) { | |
211 | log(LOG_ERR, "could not store credentials: %s", error_message(ret)); | |
212 | unlink(filename); | |
213 | ret = PAM_SERVICE_ERR; | |
214 | goto out; | |
215 | } | |
e1427cb7 | 216 | chown(filename, data->uid, data->gid); |
eb2a40de DC |
217 | pam_putenv(pamh, strdup(buf)); |
218 | if(opts->debug) | |
219 | log(LOG_DEBUG, "successfully initialized ccache"); | |
220 | ret = PAM_SUCCESS; | |
221 | ||
222 | out: | |
223 | if(kt != NULL) | |
224 | krb5_kt_close(data->ctx, kt); | |
225 | return(ret); | |
226 | } | |
227 | ||
228 | static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data) | |
229 | { | |
230 | if(opts->debug) | |
231 | log(LOG_DEBUG, "deleting credentials"); | |
232 | if(data->hascreds) { | |
233 | krb5_free_cred_contents(data->ctx, &data->initcreds); | |
234 | data->hascreds = 0; | |
235 | if(opts->debug) | |
236 | log(LOG_DEBUG, "freed internal creds"); | |
237 | } | |
238 | if(data->cc != NULL) { | |
239 | krb5_cc_destroy(data->ctx, data->cc); | |
240 | data->cc = NULL; | |
241 | if(opts->debug) | |
242 | log(LOG_DEBUG, "destroyed ccache"); | |
243 | } | |
244 | return(PAM_SUCCESS); | |
2febc19a DC |
245 | } |
246 | ||
247 | PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) | |
248 | { | |
eb2a40de DC |
249 | struct options *opts; |
250 | ||
251 | opts = parseopts(argc, argv); | |
252 | if(opts->debug) | |
253 | log(LOG_DEBUG, "pam_sm_authenticate called"); | |
254 | freeopts(opts); | |
2febc19a DC |
255 | return(PAM_IGNORE); |
256 | } | |
257 | ||
258 | PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) | |
259 | { | |
260 | struct options *opts; | |
261 | struct data *data; | |
eb2a40de | 262 | int ret; |
2febc19a DC |
263 | |
264 | opts = parseopts(argc, argv); | |
4fb861a5 DC |
265 | if(opts->debug) |
266 | log(LOG_DEBUG, "pam_sm_setcred called"); | |
2febc19a DC |
267 | data = getdata(pamh, opts); |
268 | if(data == NULL) { | |
269 | log(LOG_ERR, "could not get data, erroring out"); | |
270 | return(PAM_SERVICE_ERR); | |
271 | } | |
eb2a40de | 272 | ret = PAM_SERVICE_ERR; |
2febc19a | 273 | if(flags & PAM_ESTABLISH_CRED) { |
eb2a40de DC |
274 | ret = savecreds(pamh, opts, data); |
275 | } else if(flags & PAM_DELETE_CRED) { | |
276 | ret = delcreds(pamh, opts, data); | |
2febc19a DC |
277 | } |
278 | freeopts(opts); | |
eb2a40de | 279 | return(ret); |
2febc19a | 280 | } |
dc647f87 DC |
281 | |
282 | /* | |
283 | * Local Variables: | |
4aa1b80b | 284 | * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5" |
dc647f87 DC |
285 | * End: |
286 | */ |