+/*
+ * pam_krb5auto - Gets initial credentials non-interactively
+ * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdarg.h>
#include <malloc.h>
+#include <syslog.h>
#include <krb5.h>
+#include <pwd.h>
+#include <errno.h>
#define PAM_SM_AUTH
char *instance;
char *keytab;
int debug;
+ int forwardable;
+ int renewable;
};
struct data
krb5_context ctx;
krb5_ccache cc;
krb5_principal me;
+ krb5_creds initcreds;
+ int hascreds;
+ uid_t uid;
+ gid_t gid;
};
static void log(int prio, char *format, ...)
{
int i;
struct options *opts;
+ const char *p;
+ int unit;
opts = malloc(sizeof(*opts));
memset(opts, 0, sizeof(*opts));
opts->instance = strdup(argv[i] + 9);
if(!strncmp(argv[i], "keytab=", 7))
opts->keytab = strdup(argv[i] + 7);
+ if(!strncmp(argv[i], "renew=", 6)) {
+ p = argv[i] + strlen(argv[i]) - 1;
+ unit = 1;
+ if((*p >= 'a') && (*p <= 'z')) {
+ if(*p == 'm')
+ unit = 60;
+ else if(*p == 'h')
+ unit = 3600;
+ else if(*p == 'd')
+ unit = 86400;
+ else
+ unit = 1;
+ }
+ opts->renewable = atoi(argv[i] + 6) * unit;
+ }
+ if(!strcmp(argv[i], "forwardable"))
+ opts->forwardable = 1;
if(!strcmp(argv[i], "debug"))
opts->debug = 1;
}
static void freedata(struct data *data)
{
+ if(data->hascreds)
+ krb5_free_cred_contents(data->ctx, &data->initcreds);
+ if(data->cc != NULL)
+ krb5_cc_close(data->ctx, data->cc);
if(data->me != NULL)
krb5_free_principal(data->ctx, data->me);
if(data->ctx != NULL)
struct data *data;
char buf[1024];
const char *user, *instance;
+ struct passwd *pwent;
data = NULL;
pam_get_data(pamh, "krb5auto-data", (const void **)&data);
log(LOG_DEBUG, "creating new instance");
data = malloc(sizeof(*data));
memset(data, 0, sizeof(*data));
+ pam_get_user(pamh, &user, NULL);
+ if(user == NULL) {
+ log(LOG_ERR, "could not get user name");
+ freedata(data);
+ return(NULL);
+ }
+ errno = 0;
+ if((pwent = getpwnam(user)) == NULL) {
+ log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
+ freedata(data);
+ return(NULL);
+ }
+ data->uid = pwent->pw_uid;
+ data->gid = pwent->pw_gid;
if((ret = krb5_init_context(&data->ctx)) != 0) {
log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
freedata(data);
return(NULL);
}
- pam_get_user(pamh, &user, NULL);
if(opts->instance)
instance = opts->instance;
else
return(data);
}
-static void savecreds(struct options *opts, struct data *data)
+static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
+ int ret, fd;
+ krb5_keytab kt;
+ krb5_get_init_creds_opt icopts;
+ char buf[1024], *ccname, *filename;
+
+ krb5_get_init_creds_opt_init(&icopts);
+ kt = NULL;
+
+ if(opts->keytab) {
+ if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
+ log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+ if(opts->debug)
+ log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
+ }
+ krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
+ krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
+ if(data->hascreds) {
+ krb5_free_cred_contents(data->ctx, &data->initcreds);
+ data->hascreds = 0;
+ }
+ if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
+ log(LOG_ERR, "could not get credentials: %s", error_message(ret));
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+ data->hascreds = 1;
+ if(opts->debug)
+ log(LOG_DEBUG, "got creds successfully");
+ snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
+ ccname = buf + sizeof("KRB5CCNAME=") - 1;
+ filename = ccname + sizeof("FILE:") - 1;
+ if((fd = mkstemp(filename)) < 0) {
+ log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+ close(fd);
+ if(opts->debug)
+ log(LOG_DEBUG, "created ccache `%s'", filename);
+ if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
+ log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
+ unlink(filename);
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+ if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
+ log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
+ unlink(filename);
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+ if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
+ log(LOG_ERR, "could not store credentials: %s", error_message(ret));
+ unlink(filename);
+ ret = PAM_SERVICE_ERR;
+ goto out;
+ }
+ chown(filename, data->uid, data->gid);
+ pam_putenv(pamh, strdup(buf));
+ if(opts->debug)
+ log(LOG_DEBUG, "successfully initialized ccache");
+ ret = PAM_SUCCESS;
+
+ out:
+ if(kt != NULL)
+ krb5_kt_close(data->ctx, kt);
+ return(ret);
+}
+
+static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
+{
+ if(opts->debug)
+ log(LOG_DEBUG, "deleting credentials");
+ if(data->hascreds) {
+ krb5_free_cred_contents(data->ctx, &data->initcreds);
+ data->hascreds = 0;
+ if(opts->debug)
+ log(LOG_DEBUG, "freed internal creds");
+ }
+ if(data->cc != NULL) {
+ krb5_cc_destroy(data->ctx, data->cc);
+ data->cc = NULL;
+ if(opts->debug)
+ log(LOG_DEBUG, "destroyed ccache");
+ }
+ return(PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
+ struct options *opts;
+
+ opts = parseopts(argc, argv);
+ if(opts->debug)
+ log(LOG_DEBUG, "pam_sm_authenticate called");
+ freeopts(opts);
return(PAM_IGNORE);
}
{
struct options *opts;
struct data *data;
+ int ret;
opts = parseopts(argc, argv);
+ if(opts->debug)
+ log(LOG_DEBUG, "pam_sm_setcred called");
data = getdata(pamh, opts);
if(data == NULL) {
log(LOG_ERR, "could not get data, erroring out");
return(PAM_SERVICE_ERR);
}
+ ret = PAM_SERVICE_ERR;
if(flags & PAM_ESTABLISH_CRED) {
- savecreds(opts, data);
+ ret = savecreds(pamh, opts, data);
+ } else if(flags & PAM_DELETE_CRED) {
+ ret = delcreds(pamh, opts, data);
}
freeopts(opts);
- return(PAM_IGNORE);
+ return(ret);
}
/*
* Local Variables:
- * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c"
+ * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
* End:
*/