1 | /* |
2 | * pam_krb5auto - Gets initial credentials non-interactively | |
3 | * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com) | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License as published by | |
7 | * the Free Software Foundation; either version 2 of the License, or | |
8 | * (at your option) any later version. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, | |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
13 | * GNU General Public License for more details. | |
14 | * | |
15 | * You should have received a copy of the GNU General Public License | |
16 | * along with this program; if not, write to the Free Software | |
17 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
18 | */ | |
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <pwd.h>
#include <syslog.h>
#include <unistd.h>
#include <krb5.h>

#define PAM_SM_AUTH

#include <security/pam_modules.h>

/* Principal instance used when the module gets no instance= argument;
 * getdata() builds the principal as "<user>/<instance>[@<realm>]". */
#define DEF_INSTANCE "autologin"

/*
 * Module arguments from the PAM configuration line, as parsed by
 * parseopts() and released by freeopts(). String members are strdup'd
 * copies (NULL when the argument was not given); the ints are flags
 * or values with 0 meaning "not given".
 */
struct options
{
    char *realm;        /* realm=...    appended as "@realm" to the principal name */
    char *instance;     /* instance=... principal instance, DEF_INSTANCE when NULL */
    char *keytab;       /* keytab=...   keytab to fetch initial creds from; NULL = library default */
    int debug;          /* "debug"      emit LOG_DEBUG progress messages via syslog */
    int forwardable;    /* "forwardable" request forwardable initial credentials */
    int renewable;      /* renew=N      renewable lifetime passed to krb5_get_init_creds_opt_set_renew_life */
};
44 | ||
/*
 * Per-PAM-handle state, stored with pam_set_data() under "krb5auto-data"
 * by getdata() and released by cleanupdata()/freedata(). All krb5 objects
 * below are owned by this struct and must be freed before ctx.
 */
struct data
{
    krb5_context ctx;       /* library context from krb5_init_context */
    krb5_ccache cc;         /* credentials cache written by savecreds, NULL when none */
    krb5_principal me;      /* principal "<user>/<instance>[@<realm>]" credentials are obtained for */
    krb5_creds initcreds;   /* in-memory initial credentials; only valid when hascreds != 0 */
    int hascreds;           /* non-zero once initcreds holds credentials that need krb5_free_cred_contents */
    uid_t uid;              /* uid/gid of the PAM user (from getpwnam), the cache file is chowned to them */
    gid_t gid;
};
55 | ||
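/*
 * Writes one syslog record, prefixed with the module name and the pid so
 * records from different PAM sessions can be told apart.
 *
 * prio   - syslog priority (LOG_DEBUG, LOG_ERR, LOG_CRIT, ...)
 * format - printf-style format; the variadic arguments belong to it
 *
 * If the prefixed format does not fit in the local buffer the record is
 * logged without the prefix, rather than through a format string that was
 * cut off in the middle of a conversion specification.
 */
#ifdef __GNUC__
__attribute__((format(printf, 2, 3)))
#endif
static void log(int prio, const char *format, ...)
{
    va_list args;
    char buf[1024];
    int n;

    /* getpid() returns pid_t; cast so the argument matches %i exactly */
    n = snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", (int)getpid(), format);
    va_start(args, format);
    if(n < 0 || (size_t)n >= sizeof(buf))
        vsyslog(prio, format, args);
    else
        vsyslog(prio, buf, args);
    va_end(args);
}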
66 | ||
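/*
 * Parses the module arguments from the PAM configuration line.
 *
 * Recognised arguments: realm=R, instance=I, keytab=PATH, renew=SECONDS,
 * forwardable and debug. Unknown arguments are ignored. If a string
 * argument is given more than once the last one wins (earlier copies are
 * freed instead of leaked).
 *
 * argc/argv - the argument vector PAM hands to pam_sm_*
 *
 * Returns a heap-allocated options struct the caller releases with
 * freeopts(), or NULL when memory could not be allocated.
 */
static struct options *parseopts(int argc, const char **argv)
{
    int i;
    struct options *opts;

    /* calloc leaves every option unset (NULL / 0) */
    opts = calloc(1, sizeof(*opts));
    if(opts == NULL)
        return(NULL);
    for(i = 0; i < argc; i++) {
        const char *arg = argv[i];

        if(!strncmp(arg, "realm=", 6)) {
            free(opts->realm);
            if((opts->realm = strdup(arg + 6)) == NULL)
                goto fail;
        } else if(!strncmp(arg, "instance=", 9)) {
            free(opts->instance);
            if((opts->instance = strdup(arg + 9)) == NULL)
                goto fail;
        } else if(!strncmp(arg, "keytab=", 7)) {
            free(opts->keytab);
            if((opts->keytab = strdup(arg + 7)) == NULL)
                goto fail;
        } else if(!strncmp(arg, "renew=", 6)) {
            /* strtol: same result as atoi for sane input, no UB on overflow */
            opts->renewable = (int)strtol(arg + 6, NULL, 10);
        } else if(!strcmp(arg, "forwardable")) {
            opts->forwardable = 1;
        } else if(!strcmp(arg, "debug")) {
            opts->debug = 1;
        }
    }
    return(opts);

fail:
    /* free(NULL) is a no-op, so unset members need no guard */
    free(opts->realm);
    free(opts->instance);
    free(opts->keytab);
    free(opts);
    return(NULL);
}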
90 | ||
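/*
 * Releases an options struct returned by parseopts(). NULL is accepted and
 * ignored so error paths can free unconditionally.
 */
static void freeopts(struct options *opts)
{
    if(opts == NULL)
        return;
    /* free(NULL) is a no-op, so the members need no individual guards */
    free(opts->realm);
    free(opts->instance);
    free(opts->keytab);
    free(opts);
}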
101 | ||
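/*
 * Releases a per-handle data struct and every krb5 object it owns, in
 * dependency order: the credentials, the cache handle and the principal
 * all take data->ctx, so the context is freed last. NULL is accepted and
 * ignored.
 *
 * The cache handle is closed, not destroyed, so the cache file is expected
 * to survive (delcreds() is the place that removes it).
 */
static void freedata(struct data *data)
{
    if(data == NULL)
        return;
    if(data->hascreds)
        krb5_free_cred_contents(data->ctx, &data->initcreds);
    if(data->cc != NULL)
        krb5_cc_close(data->ctx, data->cc);
    if(data->me != NULL)
        krb5_free_principal(data->ctx, data->me);
    if(data->ctx != NULL)
        krb5_free_context(data->ctx);
    free(data);
}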
114 | ||
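/*
 * pam_set_data() cleanup callback; PAM invokes it when the handle is
 * destroyed or the "krb5auto-data" item is replaced.
 *
 * The data parameter is void * so the function has exactly the callback
 * type PAM expects: calling a function through a pointer to a different
 * function type is undefined behaviour. pamh and error_status are part of
 * the callback contract and unused here.
 */
static void cleanupdata(pam_handle_t *pamh, void *data, int error_status)
{
    (void)pamh;
    (void)error_status;
    freedata(data);
}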
119 | ||
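/*
 * Returns the per-handle state for this module, creating it and registering
 * it with pam_set_data() on first use.
 *
 * On creation it looks up the PAM user in the passwd database (for the uid
 * and gid the credentials cache is later chowned to), creates a krb5
 * context and parses the principal "<user>/<instance>[@<realm>]", where
 * instance defaults to DEF_INSTANCE and realm is omitted unless realm= was
 * given.
 *
 * pamh - the PAM handle
 * opts - parsed module options (instance, realm, debug are read)
 *
 * Returns the data struct, owned by the PAM handle and released through
 * cleanupdata(), or NULL after logging the reason.
 */
static struct data *getdata(pam_handle_t *pamh, struct options *opts)
{
    int ret;
    struct data *data;
    char buf[1024];
    const char *user, *instance;
    struct passwd *pwent;

    data = NULL;
    /* A failure here just means "nothing stored yet": create it below. */
    pam_get_data(pamh, "krb5auto-data", (const void **)&data);
    if(data != NULL)
        return(data);

    if(opts->debug)
        log(LOG_DEBUG, "creating new instance");
    data = calloc(1, sizeof(*data));
    if(data == NULL) {
        log(LOG_CRIT, "out of memory");
        return(NULL);
    }
    /* pam_get_user may fail without writing user; never read it uninitialised */
    user = NULL;
    if(pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') {
        log(LOG_ERR, "could not get user name");
        freedata(data);
        return(NULL);
    }
    /*
     * The user name becomes the first component of a principal name below.
     * '/', '@' and the '\' escape have structural meaning there, so a name
     * containing them could select a different principal; refuse it.
     */
    if(strpbrk(user, "/@\\") != NULL) {
        log(LOG_ERR, "user name `%s' contains characters not allowed in a principal", user);
        freedata(data);
        return(NULL);
    }
    /* getpwnam leaves errno untouched for "no such user" */
    errno = 0;
    if((pwent = getpwnam(user)) == NULL) {
        log(LOG_ERR, "could not get user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
        freedata(data);
        return(NULL);
    }
    data->uid = pwent->pw_uid;
    data->gid = pwent->pw_gid;
    if((ret = krb5_init_context(&data->ctx)) != 0) {
        log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
        freedata(data);
        return(NULL);
    }
    instance = (opts->instance != NULL)?opts->instance:DEF_INSTANCE;
    if(opts->realm != NULL)
        ret = snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
    else
        ret = snprintf(buf, sizeof(buf), "%s/%s", user, instance);
    /* a truncated name would silently denote some other principal */
    if(ret < 0 || (size_t)ret >= sizeof(buf)) {
        log(LOG_ERR, "principal name for `%s' is too long", user);
        freedata(data);
        return(NULL);
    }
    if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
        log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
        freedata(data);
        return(NULL);
    }
    /* From here the PAM handle owns data and frees it through cleanupdata. */
    if(pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata) != PAM_SUCCESS) {
        log(LOG_ERR, "could not store module data in the PAM handle");
        freedata(data);
        return(NULL);
    }
    return(data);
}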
171 | ||
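/*
 * Obtains initial credentials for data->me from the keytab (opts->keytab,
 * or the library default when unset), writes them to a fresh FILE:
 * credentials cache under /tmp owned by the user, and exports KRB5CCNAME
 * into the PAM environment.
 *
 * pamh - the PAM handle (receives KRB5CCNAME)
 * opts - keytab, forwardable, renewable and debug are read
 * data - per-handle state; on success data->initcreds/hascreds and
 *        data->cc are filled in (any earlier cache handle is closed first)
 *
 * Returns PAM_SUCCESS, or PAM_SERVICE_ERR after logging the failure. On
 * failure the temporary cache file is removed and data->cc is untouched.
 *
 * NOTE(review): the file name is reserved with mkstemp (created 0600 on
 * glibc) and the krb5 library then reopens it by name. Should the library
 * re-create the file on initialize, the reservation protects only the
 * name, not the inode - confirm against the krb5 implementation in use.
 */
static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
    int ret, fd;
    krb5_keytab kt;
    krb5_ccache cc;
    krb5_get_init_creds_opt icopts;
    char buf[1024], *ccname, *filename, *env;

    krb5_get_init_creds_opt_init(&icopts);
    kt = NULL;
    cc = NULL;

    if(opts->keytab != NULL) {
        if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
            log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
            ret = PAM_SERVICE_ERR;
            goto out;
        }
        if(opts->debug)
            log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
    }
    krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
    krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);

    /* A second PAM_ESTABLISH_CRED replaces whatever the first one obtained. */
    if(data->hascreds) {
        krb5_free_cred_contents(data->ctx, &data->initcreds);
        data->hascreds = 0;
    }
    if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
        log(LOG_ERR, "could not get credentials: %s", error_message(ret));
        ret = PAM_SERVICE_ERR;
        goto out;
    }
    data->hascreds = 1;
    if(opts->debug)
        log(LOG_DEBUG, "got creds successfully");

    /*
     * buf holds the whole "KRB5CCNAME=FILE:/tmp/..." string; ccname and
     * filename point into it past the "KRB5CCNAME=" and "FILE:" prefixes,
     * so mkstemp's rewrite of the XXXXXX is seen through all three.
     */
    snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%lu_XXXXXX", (unsigned long)data->uid);
    ccname = buf + sizeof("KRB5CCNAME=") - 1;
    filename = ccname + sizeof("FILE:") - 1;
    if((fd = mkstemp(filename)) < 0) {
        log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
        ret = PAM_SERVICE_ERR;
        goto out;
    }
    close(fd);
    if(opts->debug)
        log(LOG_DEBUG, "created ccache `%s'", filename);

    /* Resolve into a local so a failed resolve cannot leave garbage in data->cc. */
    if((ret = krb5_cc_resolve(data->ctx, ccname, &cc)) != 0) {
        log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
        ret = PAM_SERVICE_ERR;
        goto out_unlink;
    }
    if((ret = krb5_cc_initialize(data->ctx, cc, data->me)) != 0) {
        log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
        ret = PAM_SERVICE_ERR;
        goto out_unlink;
    }
    if((ret = krb5_cc_store_cred(data->ctx, cc, &data->initcreds)) != 0) {
        log(LOG_ERR, "could not store credentials: %s", error_message(ret));
        ret = PAM_SERVICE_ERR;
        goto out_unlink;
    }
    /* The cache was written by us; a cache the user cannot read is useless, so a failed chown is an error. */
    if(chown(filename, data->uid, data->gid) < 0) {
        log(LOG_ERR, "could not chown ccache `%s' to %lu:%lu: %s", filename, (unsigned long)data->uid, (unsigned long)data->gid, strerror(errno));
        ret = PAM_SERVICE_ERR;
        goto out_unlink;
    }
    /*
     * NOTE(review): Linux-PAM's pam_putenv copies name_value, which would
     * make this strdup a leak; it is kept because an implementation that
     * keeps the pointer would otherwise dangle - confirm and drop the copy
     * if copying is guaranteed for every supported PAM.
     */
    env = strdup(buf);
    if(env == NULL || pam_putenv(pamh, env) != PAM_SUCCESS) {
        log(LOG_ERR, "could not export KRB5CCNAME to the PAM environment");
        free(env);
        ret = PAM_SERVICE_ERR;
        goto out_unlink;
    }
    /* Hand the cache to the per-handle state; delcreds destroys it later. */
    if(data->cc != NULL)
        krb5_cc_close(data->ctx, data->cc);
    data->cc = cc;
    cc = NULL;
    if(opts->debug)
        log(LOG_DEBUG, "successfully initialized ccache");
    ret = PAM_SUCCESS;
    goto out;

out_unlink:
    if(cc != NULL)
        krb5_cc_close(data->ctx, cc);
    unlink(filename);
out:
    if(kt != NULL)
        krb5_kt_close(data->ctx, kt);
    return(ret);
}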
245 | ||
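/*
 * Drops the credentials obtained by savecreds(): the in-memory copy and
 * the credentials cache it was written to. Calling it when nothing was
 * established is harmless.
 *
 * pamh - unused (part of the internal calling convention)
 * opts - debug is read
 * data - per-handle state; hascreds is cleared and cc set to NULL
 *
 * Returns PAM_SUCCESS, or PAM_SERVICE_ERR if the cache could not be
 * destroyed, since that leaves a credential file on disk; the failure is
 * logged either way.
 */
static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
    int ret = PAM_SUCCESS;

    (void)pamh;
    if(opts->debug)
        log(LOG_DEBUG, "deleting credentials");
    if(data->hascreds) {
        krb5_free_cred_contents(data->ctx, &data->initcreds);
        data->hascreds = 0;
        if(opts->debug)
            log(LOG_DEBUG, "freed internal creds");
    }
    if(data->cc != NULL) {
        /* destroy rather than close: the cache file must go away too */
        int kret = krb5_cc_destroy(data->ctx, data->cc);

        /* the handle is invalid after destroy whether or not it succeeded */
        data->cc = NULL;
        if(kret != 0) {
            log(LOG_ERR, "could not destroy ccache, credentials may remain on disk: %s", error_message(kret));
            ret = PAM_SERVICE_ERR;
        } else if(opts->debug) {
            log(LOG_DEBUG, "destroyed ccache");
        }
    }
    return(ret);
}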
264 | ||
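/*
 * Authentication entry point. This module never authenticates anybody -
 * it only hands out credentials in pam_sm_setcred - so it returns
 * PAM_IGNORE and lets the rest of the stack decide. The arguments are
 * parsed only so that "debug" is honoured.
 */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct options *opts;

    (void)pamh;
    (void)flags;
    opts = parseopts(argc, argv);
    if(opts != NULL) {
        if(opts->debug)
            log(LOG_DEBUG, "pam_sm_authenticate called");
        freeopts(opts);
    }
    return(PAM_IGNORE);
}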
275 | ||
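/*
 * Credential entry point. PAM_ESTABLISH_CRED obtains credentials from the
 * keytab and sets up a credentials cache (savecreds); PAM_DELETE_CRED
 * removes them again (delcreds). Other flag values (PAM_REINITIALIZE_CRED,
 * PAM_REFRESH_CRED) are not implemented and yield PAM_SERVICE_ERR, now
 * logged rather than failing silently.
 *
 * Returns the result of savecreds/delcreds, PAM_BUF_ERR when the options
 * could not be allocated, or PAM_SERVICE_ERR when the per-handle state
 * could not be created. The options are freed on every path.
 */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct options *opts;
    struct data *data;
    int ret;

    opts = parseopts(argc, argv);
    if(opts == NULL) {
        log(LOG_CRIT, "out of memory parsing module options");
        return(PAM_BUF_ERR);
    }
    if(opts->debug)
        log(LOG_DEBUG, "pam_sm_setcred called");
    ret = PAM_SERVICE_ERR;
    data = getdata(pamh, opts);
    if(data == NULL) {
        log(LOG_ERR, "could not get data, erroring out");
        goto out;   /* opts was leaked on this path before */
    }
    if(flags & PAM_ESTABLISH_CRED) {
        ret = savecreds(pamh, opts, data);
    } else if(flags & PAM_DELETE_CRED) {
        ret = delcreds(pamh, opts, data);
    } else {
        log(LOG_ERR, "unsupported setcred flags 0x%x", (unsigned)flags);
    }
out:
    freeopts(opts);
    return(ret);
}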
299 | |
300 | /* | |
301 | * Local Variables: | |
4aa1b80b | 302 | * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5" |
303 | * End: |
304 | */ |