From eb2a40dee9e8b7a40a5ca6c6ee5a4690d01524ad Mon Sep 17 00:00:00 2001 From: "fredrik@DOLDA2000.COM" Date: Fri, 4 Mar 2005 19:39:21 +0000 Subject: [PATCH] Incremental commit. git-svn-id: svn+ssh://svn.dolda2000.com/srv/svn/repos/src/utils@174 959494ce-11ee-0310-bf91-de5d638817bd --- pam_krb5auto.c | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 130 insertions(+), 4 deletions(-) diff --git a/pam_krb5auto.c b/pam_krb5auto.c index 54dce9d..ac53d66 100644 --- a/pam_krb5auto.c +++ b/pam_krb5auto.c @@ -5,6 +5,8 @@ #include #include #include +#include +#include #define PAM_SM_AUTH @@ -18,6 +20,8 @@ struct options char *instance; char *keytab; int debug; + int forwardable; + int renewable; }; struct data @@ -25,6 +29,9 @@ struct data krb5_context ctx; krb5_ccache cc; krb5_principal me; + krb5_creds initcreds; + int hascreds; + uid_t uid; }; static void log(int prio, char *format, ...) @@ -52,6 +59,10 @@ static struct options *parseopts(int argc, const char **argv) opts->instance = strdup(argv[i] + 9); if(!strncmp(argv[i], "keytab=", 7)) opts->keytab = strdup(argv[i] + 7); + if(!strncmp(argv[i], "renew=", 6)) + opts->renewable = atoi(argv[i] + 6); + if(!strcmp(argv[i], "forwardable")) + opts->forwardable = 1; if(!strcmp(argv[i], "debug")) opts->debug = 1; } @@ -71,6 +82,10 @@ static void freeopts(struct options *opts) static void freedata(struct data *data) { + if(data->hascreds) + krb5_free_cred_contents(data->ctx, &data->initcreds); + if(data->cc != NULL) + krb5_cc_close(data->ctx, data->cc); if(data->me != NULL) krb5_free_principal(data->ctx, data->me); if(data->ctx != NULL) @@ -89,6 +104,7 @@ static struct data *getdata(pam_handle_t *pamh, struct options *opts) struct data *data; char buf[1024]; const char *user, *instance; + struct passwd *pwent; data = NULL; pam_get_data(pamh, "krb5auto-data", (const void **)&data); @@ -97,12 +113,24 @@ static struct data *getdata(pam_handle_t *pamh, struct options *opts) log(LOG_DEBUG, "creating new instance"); data = malloc(sizeof(*data)); memset(data, 0, sizeof(*data)); + pam_get_user(pamh, &user, NULL); + if(user == NULL) { + log(LOG_ERR, "could not get user name"); + freedata(data); + return(NULL); + } + errno = 0; + if((pwent = getpwnam(user)) == NULL) { + log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno)); + freedata(data); + return(NULL); + } + data->uid = pwent->pw_uid; if((ret = krb5_init_context(&data->ctx)) != 0) { log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret)); freedata(data); return(NULL); } - pam_get_user(pamh, &user, NULL); if(opts->instance) instance = opts->instance; else @@ -121,12 +149,106 @@ static struct data *getdata(pam_handle_t *pamh, struct options *opts) return(data); } -static void savecreds(struct options *opts, struct data *data) +static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data) { + int ret, fd; + krb5_keytab kt; + krb5_get_init_creds_opt icopts; + char buf[1024], *ccname, *filename; + + krb5_get_init_creds_opt_init(&icopts); + kt = NULL; + + if(opts->keytab) { + if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) { + log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret)); + ret = PAM_SERVICE_ERR; + goto out; + } + if(opts->debug) + log(LOG_DEBUG, "using keytab `%s'", opts->keytab); + } + krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable); + krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable); + if(data->hascreds) { + krb5_free_cred_contents(data->ctx, &data->initcreds); + data->hascreds = 0; + } + if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) { + log(LOG_ERR, "could not get credentials: %s", error_message(ret)); + ret = PAM_SERVICE_ERR; + goto out; + } + data->hascreds = 1; + if(opts->debug) + log(LOG_DEBUG, "got creds successfully"); + snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid); + ccname = buf + sizeof("KRB5CCNAME="); + filename = ccname + sizeof("FILE:"); + if((fd = mkstemp(filename)) < 0) { + log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno)); + ret = PAM_SERVICE_ERR; + goto out; + } + close(fd); + if(opts->debug) + log(LOG_DEBUG, "created ccache `%s'", filename); + if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) { + log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret)); + unlink(filename); + ret = PAM_SERVICE_ERR; + goto out; + } + if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) { + log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret)); + unlink(filename); + ret = PAM_SERVICE_ERR; + goto out; + } + if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) { + log(LOG_ERR, "could not store credentials: %s", error_message(ret)); + unlink(filename); + ret = PAM_SERVICE_ERR; + goto out; + } + pam_putenv(pamh, strdup(buf)); + if(opts->debug) + log(LOG_DEBUG, "successfully initialized ccache"); + ret = PAM_SUCCESS; + + out: + if(kt != NULL) + krb5_kt_close(data->ctx, kt); + return(ret); +} + +static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data) +{ + if(opts->debug) + log(LOG_DEBUG, "deleting credentials"); + if(data->hascreds) { + krb5_free_cred_contents(data->ctx, &data->initcreds); + data->hascreds = 0; + if(opts->debug) + log(LOG_DEBUG, "freed internal creds"); + } + if(data->cc != NULL) { + krb5_cc_destroy(data->ctx, data->cc); + data->cc = NULL; + if(opts->debug) + log(LOG_DEBUG, "destroyed ccache"); + } + return(PAM_SUCCESS); } PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct options *opts; + + opts = parseopts(argc, argv); + if(opts->debug) + log(LOG_DEBUG, "pam_sm_authenticate called"); + freeopts(opts); return(PAM_IGNORE); } @@ -134,6 +256,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const cha { struct options *opts; struct data *data; + int ret; opts = parseopts(argc, argv); data = getdata(pamh, opts); @@ -141,11 +264,14 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const cha log(LOG_ERR, "could not get data, erroring out"); return(PAM_SERVICE_ERR); } + ret = PAM_SERVICE_ERR; if(flags & PAM_ESTABLISH_CRED) { - savecreds(opts, data); + ret = savecreds(pamh, opts, data); + } else if(flags & PAM_DELETE_CRED) { + ret = delcreds(pamh, opts, data); } freeopts(opts); - return(PAM_IGNORE); + return(ret); } /* -- 2.11.0