Added the GPL notice.
[utils.git] / pam_krb5auto.c
CommitLineData
dc647f87 1#include <stdlib.h>
2febc19a 2#include <stdio.h>
dc647f87 3#include <unistd.h>
2febc19a
DC
4#include <string.h>
5#include <stdarg.h>
6#include <malloc.h>
dc647f87 7#include <krb5.h>
eb2a40de
DC
8#include <pwd.h>
9#include <errno.h>
dc647f87
DC
10
11#define PAM_SM_AUTH
12
13#include <security/pam_modules.h>
14
2febc19a
DC
15#define DEF_INSTANCE "autologin"
16
17struct options
18{
19 char *realm;
20 char *instance;
21 char *keytab;
22 int debug;
eb2a40de
DC
23 int forwardable;
24 int renewable;
2febc19a
DC
25};
26
27struct data
28{
29 krb5_context ctx;
30 krb5_ccache cc;
31 krb5_principal me;
eb2a40de
DC
32 krb5_creds initcreds;
33 int hascreds;
34 uid_t uid;
e1427cb7 35 gid_t gid;
2febc19a
DC
36};
37
38static void log(int prio, char *format, ...)
39{
40 va_list args;
41 char buf[1024];
42
43 va_start(args, format);
44 snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
45 vsyslog(prio, buf, args);
46 va_end(args);
47}
48
49static struct options *parseopts(int argc, const char **argv)
50{
51 int i;
52 struct options *opts;
53
54 opts = malloc(sizeof(*opts));
55 memset(opts, 0, sizeof(*opts));
56 for(i = 0; i < argc; i++) {
57 if(!strncmp(argv[i], "realm=", 6))
58 opts->realm = strdup(argv[i] + 6);
59 if(!strncmp(argv[i], "instance=", 9))
60 opts->instance = strdup(argv[i] + 9);
61 if(!strncmp(argv[i], "keytab=", 7))
62 opts->keytab = strdup(argv[i] + 7);
eb2a40de
DC
63 if(!strncmp(argv[i], "renew=", 6))
64 opts->renewable = atoi(argv[i] + 6);
65 if(!strcmp(argv[i], "forwardable"))
66 opts->forwardable = 1;
2febc19a
DC
67 if(!strcmp(argv[i], "debug"))
68 opts->debug = 1;
69 }
70 return(opts);
71}
72
73static void freeopts(struct options *opts)
74{
75 if(opts->realm != NULL)
76 free(opts->realm);
77 if(opts->instance != NULL)
78 free(opts->instance);
79 if(opts->keytab != NULL)
80 free(opts->keytab);
81 free(opts);
82}
83
84static void freedata(struct data *data)
85{
eb2a40de
DC
86 if(data->hascreds)
87 krb5_free_cred_contents(data->ctx, &data->initcreds);
88 if(data->cc != NULL)
89 krb5_cc_close(data->ctx, data->cc);
2febc19a
DC
90 if(data->me != NULL)
91 krb5_free_principal(data->ctx, data->me);
92 if(data->ctx != NULL)
93 krb5_free_context(data->ctx);
94 free(data);
95}
96
97static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
98{
99 freedata(data);
100}
101
102static struct data *getdata(pam_handle_t *pamh, struct options *opts)
103{
104 int ret;
105 struct data *data;
106 char buf[1024];
107 const char *user, *instance;
eb2a40de 108 struct passwd *pwent;
2febc19a
DC
109
110 data = NULL;
111 pam_get_data(pamh, "krb5auto-data", (const void **)&data);
112 if(data == NULL) {
113 if(opts->debug)
114 log(LOG_DEBUG, "creating new instance");
115 data = malloc(sizeof(*data));
116 memset(data, 0, sizeof(*data));
eb2a40de
DC
117 pam_get_user(pamh, &user, NULL);
118 if(user == NULL) {
119 log(LOG_ERR, "could not get user name");
120 freedata(data);
121 return(NULL);
122 }
123 errno = 0;
124 if((pwent = getpwnam(user)) == NULL) {
125 log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
126 freedata(data);
127 return(NULL);
128 }
129 data->uid = pwent->pw_uid;
e1427cb7 130 data->gid = pwent->pw_gid;
2febc19a
DC
131 if((ret = krb5_init_context(&data->ctx)) != 0) {
132 log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
133 freedata(data);
134 return(NULL);
135 }
2febc19a
DC
136 if(opts->instance)
137 instance = opts->instance;
138 else
139 instance = DEF_INSTANCE;
140 if(opts->realm)
141 snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
142 else
143 snprintf(buf, sizeof(buf), "%s/%s", user, instance);
144 if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
145 log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
146 freedata(data);
147 return(NULL);
148 }
149 pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
150 }
151 return(data);
152}
153
eb2a40de 154static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
2febc19a 155{
eb2a40de
DC
156 int ret, fd;
157 krb5_keytab kt;
158 krb5_get_init_creds_opt icopts;
159 char buf[1024], *ccname, *filename;
160
161 krb5_get_init_creds_opt_init(&icopts);
162 kt = NULL;
163
164 if(opts->keytab) {
165 if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
166 log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
167 ret = PAM_SERVICE_ERR;
168 goto out;
169 }
170 if(opts->debug)
171 log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
172 }
173 krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
174 krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
175 if(data->hascreds) {
176 krb5_free_cred_contents(data->ctx, &data->initcreds);
177 data->hascreds = 0;
178 }
179 if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
180 log(LOG_ERR, "could not get credentials: %s", error_message(ret));
181 ret = PAM_SERVICE_ERR;
182 goto out;
183 }
184 data->hascreds = 1;
185 if(opts->debug)
186 log(LOG_DEBUG, "got creds successfully");
187 snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
32601c6b
DC
188 ccname = buf + sizeof("KRB5CCNAME=") - 1;
189 filename = ccname + sizeof("FILE:") - 1;
eb2a40de
DC
190 if((fd = mkstemp(filename)) < 0) {
191 log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
192 ret = PAM_SERVICE_ERR;
193 goto out;
194 }
195 close(fd);
196 if(opts->debug)
197 log(LOG_DEBUG, "created ccache `%s'", filename);
198 if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
199 log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
200 unlink(filename);
201 ret = PAM_SERVICE_ERR;
202 goto out;
203 }
204 if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
205 log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
206 unlink(filename);
207 ret = PAM_SERVICE_ERR;
208 goto out;
209 }
210 if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
211 log(LOG_ERR, "could not store credentials: %s", error_message(ret));
212 unlink(filename);
213 ret = PAM_SERVICE_ERR;
214 goto out;
215 }
e1427cb7 216 chown(filename, data->uid, data->gid);
eb2a40de
DC
217 pam_putenv(pamh, strdup(buf));
218 if(opts->debug)
219 log(LOG_DEBUG, "successfully initialized ccache");
220 ret = PAM_SUCCESS;
221
222 out:
223 if(kt != NULL)
224 krb5_kt_close(data->ctx, kt);
225 return(ret);
226}
227
228static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
229{
230 if(opts->debug)
231 log(LOG_DEBUG, "deleting credentials");
232 if(data->hascreds) {
233 krb5_free_cred_contents(data->ctx, &data->initcreds);
234 data->hascreds = 0;
235 if(opts->debug)
236 log(LOG_DEBUG, "freed internal creds");
237 }
238 if(data->cc != NULL) {
239 krb5_cc_destroy(data->ctx, data->cc);
240 data->cc = NULL;
241 if(opts->debug)
242 log(LOG_DEBUG, "destroyed ccache");
243 }
244 return(PAM_SUCCESS);
2febc19a
DC
245}
246
247PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
248{
eb2a40de
DC
249 struct options *opts;
250
251 opts = parseopts(argc, argv);
252 if(opts->debug)
253 log(LOG_DEBUG, "pam_sm_authenticate called");
254 freeopts(opts);
2febc19a
DC
255 return(PAM_IGNORE);
256}
257
258PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
259{
260 struct options *opts;
261 struct data *data;
eb2a40de 262 int ret;
2febc19a
DC
263
264 opts = parseopts(argc, argv);
4fb861a5
DC
265 if(opts->debug)
266 log(LOG_DEBUG, "pam_sm_setcred called");
2febc19a
DC
267 data = getdata(pamh, opts);
268 if(data == NULL) {
269 log(LOG_ERR, "could not get data, erroring out");
270 return(PAM_SERVICE_ERR);
271 }
eb2a40de 272 ret = PAM_SERVICE_ERR;
2febc19a 273 if(flags & PAM_ESTABLISH_CRED) {
eb2a40de
DC
274 ret = savecreds(pamh, opts, data);
275 } else if(flags & PAM_DELETE_CRED) {
276 ret = delcreds(pamh, opts, data);
2febc19a
DC
277 }
278 freeopts(opts);
eb2a40de 279 return(ret);
2febc19a 280}
dc647f87
DC
281
282/*
283 * Local Variables:
4aa1b80b 284 * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
dc647f87
DC
285 * End:
286 */