#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <krb5.h>
#include <com_err.h>
#ifdef MK_MITKRB5
#include <k5-int.h>
#endif
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
#include <security/openpam.h>
#define COMPAT_HEIMDAL
static int verify_krb_v5_tgt_begin(krb5_context, char *, int,
const char **, krb5_principal *, char[static BUFSIZ]);
static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int,
const char *, krb5_principal, char[static BUFSIZ]);
static void verify_krb_v5_tgt_cleanup(krb5_context, int,
const char *, krb5_principal, char[static BUFSIZ]);
static void cleanup_cache(pam_handle_t *, void *, int);
static const char *compat_princ_component(krb5_context, krb5_principal, int);
static void compat_free_data_contents(krb5_context, krb5_data *);
#define USER_PROMPT "Username: "
#define PASSWORD_PROMPT "Password:"
#define NEW_PASSWORD_PROMPT "New Password:"
#define PAM_OPT_CCACHE "ccache"
#define PAM_OPT_DEBUG "debug"
#define PAM_OPT_FORWARDABLE "forwardable"
#define PAM_OPT_NO_CCACHE "no_ccache"
#define PAM_OPT_NO_USER_CHECK "no_user_check"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
#define PAM_OPT_NO_USER_CHECK "no_user_check"
#define PAM_OPT_ALLOW_KDC_SPOOF "allow_kdc_spoof"
#define PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...) \
do { \
const char *krb5msg = krb5_get_error_message(ctx, rv); \
PAM_LOG(fmt ": %s", ##__VA_ARGS__, krb5msg); \
krb5_free_error_message(ctx, krb5msg); \
} while (0)
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
krb5_error_code krbret;
krb5_context krbctx;
int debug;
const char *auth_service;
krb5_principal auth_princ;
char auth_phost[BUFSIZ];
krb5_creds creds;
krb5_principal princ;
krb5_ccache ccache;
krb5_get_init_creds_opt *opts;
struct passwd *pwd;
int retval;
const void *ccache_data;
const char *user, *pass;
const void *sourceuser, *service;
char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
retval = pam_get_user(pamh, &user, USER_PROMPT);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got user: %s", user);
retval = pam_get_item(pamh, PAM_RUSER, &sourceuser);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got ruser: %s", (const char *)sourceuser);
service = NULL;
pam_get_item(pamh, PAM_SERVICE, &service);
if (service == NULL)
service = "unknown";
PAM_LOG("Got service: %s", (const char *)service);
if ((srvdup = strdup(service)) == NULL) {
retval = PAM_BUF_ERR;
goto cleanup6;
}
krbret = krb5_init_context(&krbctx);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup5;
}
PAM_LOG("Context initialised");
debug = openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0;
krbret = verify_krb_v5_tgt_begin(krbctx, srvdup, debug,
&auth_service, &auth_princ, auth_phost);
if (krbret != 0) {
if (!openpam_get_option(pamh, PAM_OPT_ALLOW_KDC_SPOOF)) {
retval = PAM_SERVICE_ERR;
goto cleanup4;
}
}
krbret = krb5_cc_register(krbctx, &krb5_mcc_ops, FALSE);
if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
PAM_LOG("Done krb5_cc_register()");
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
asprintf(&principal, "%s/%s", (const char *)sourceuser, user);
else
principal = strdup(user);
PAM_LOG("Created principal: %s", principal);
krbret = krb5_parse_name(krbctx, principal, &princ);
free(principal);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_parse_name()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
PAM_LOG("Done krb5_parse_name()");
princ_name = NULL;
krbret = krb5_unparse_name(krbctx, princ, &princ_name);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_unparse_name()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Got principal: %s", princ_name);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
goto cleanup2;
PAM_LOG("Got password");
if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
PAM_LOG("Skipping local user check");
else {
if (strchr(user, '@')) {
krbret = krb5_aname_to_localname(krbctx, princ,
sizeof(luser), luser);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_aname_to_localname()");
retval = PAM_USER_UNKNOWN;
goto cleanup2;
}
retval = pam_set_item(pamh, PAM_USER, luser);
if (retval != PAM_SUCCESS)
goto cleanup2;
PAM_LOG("PAM_USER Redone");
}
if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
pwd = getpwnam(user);
if (pwd == NULL) {
retval = PAM_USER_UNKNOWN;
goto cleanup2;
}
}
PAM_LOG("Done getpwnam()");
}
krbret = krb5_get_init_creds_opt_alloc(krbctx, &opts);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_get_init_creds_opt_alloc()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
krb5_get_init_creds_opt_set_default_flags(krbctx,
service, NULL, opts);
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
krb5_get_init_creds_opt_set_forwardable(opts, 1);
PAM_LOG("Credential options initialised");
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(krbctx, &creds, princ,
pass, NULL, pamh, 0, NULL, opts);
krb5_get_init_creds_opt_free(krbctx, opts);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_get_init_creds_password()");
retval = PAM_AUTH_ERR;
goto cleanup2;
}
PAM_LOG("Got TGT");
krbret = krb5_cc_new_unique(krbctx, krb5_cc_type_memory, NULL, &ccache);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_new_unique()");
retval = PAM_SERVICE_ERR;
goto cleanup;
}
krbret = krb5_cc_initialize(krbctx, ccache, princ);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_initialize()");
retval = PAM_SERVICE_ERR;
goto cleanup;
}
krbret = krb5_cc_store_cred(krbctx, ccache, &creds);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_store_cred()");
krb5_cc_destroy(krbctx, ccache);
retval = PAM_SERVICE_ERR;
goto cleanup;
}
PAM_LOG("Credentials stashed");
krbret = verify_krb_v5_tgt(krbctx, ccache, srvdup,
debug,
auth_service, auth_princ, auth_phost);
free(srvdup);
srvdup = NULL;
if (krbret == -1) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
krb5_cc_destroy(krbctx, ccache);
retval = PAM_AUTH_ERR;
goto cleanup;
}
PAM_LOG("Credentials stash verified");
retval = pam_get_data(pamh, "ccache", &ccache_data);
if (retval == PAM_SUCCESS) {
krb5_cc_destroy(krbctx, ccache);
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_AUTH_ERR;
goto cleanup;
}
PAM_LOG("Credentials stash not pre-existing");
asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(krbctx,
ccache), krb5_cc_get_name(krbctx, ccache));
if (ccache_name == NULL) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_BUF_ERR;
goto cleanup;
}
retval = pam_set_data(pamh, "ccache", ccache_name, cleanup_cache);
if (retval != 0) {
krb5_cc_destroy(krbctx, ccache);
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup;
}
PAM_LOG("Credentials stash saved");
cleanup:
krb5_free_cred_contents(krbctx, &creds);
PAM_LOG("Done cleanup");
cleanup2:
krb5_free_principal(krbctx, princ);
if (princ_name)
free(princ_name);
PAM_LOG("Done cleanup2");
cleanup3:
krb5_free_context(krbctx);
PAM_LOG("Done cleanup3");
cleanup4:
verify_krb_v5_tgt_cleanup(krbctx, debug,
auth_service, auth_princ, auth_phost);
PAM_LOG("Done cleanup4");
cleanup5:
if (srvdup != NULL)
free(srvdup);
PAM_LOG("Done cleanup5");
cleanup6:
if (retval != PAM_SUCCESS)
PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
PAM_LOG("Done cleanup6");
return (retval);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc __unused, const char *argv[] __unused)
{
#ifdef _FREEFALL_CONFIG
return (PAM_SUCCESS);
#else
krb5_error_code krbret;
krb5_context krbctx;
krb5_principal princ;
krb5_creds creds;
krb5_ccache ccache_temp, ccache_perm;
krb5_cc_cursor cursor;
struct passwd *pwd = NULL;
int retval;
const char *cache_name, *q;
const void *user;
const void *cache_data;
char *cache_name_buf = NULL, *p;
uid_t euid;
gid_t egid;
if (flags & PAM_DELETE_CRED)
return (PAM_SUCCESS);
if (flags & PAM_REFRESH_CRED)
return (PAM_SUCCESS);
if (flags & PAM_REINITIALIZE_CRED)
return (PAM_SUCCESS);
if (!(flags & PAM_ESTABLISH_CRED))
return (PAM_SERVICE_ERR);
if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
return (PAM_SUCCESS);
PAM_LOG("Establishing credentials");
retval = pam_get_item(pamh, PAM_USER, &user);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got user: %s", (const char *)user);
krbret = krb5_init_context(&krbctx);
if (krbret != 0) {
PAM_LOG("Error krb5_init_context() failed");
return (PAM_SERVICE_ERR);
}
PAM_LOG("Context initialised");
euid = geteuid();
egid = getegid();
PAM_LOG("Got euid, egid: %d %d", euid, egid);
retval = pam_get_data(pamh, "ccache", &cache_data);
if (retval != PAM_SUCCESS) {
retval = PAM_CRED_UNAVAIL;
goto cleanup3;
}
krbret = krb5_cc_resolve(krbctx, cache_data, &ccache_temp);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_resolve(\"%s\")", (const char *)cache_data);
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
pwd = getpwnam(user);
if (pwd == NULL) {
retval = PAM_USER_UNKNOWN;
goto cleanup3;
}
PAM_LOG("Done getpwnam()");
if (setegid(pwd->pw_gid)) {
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
if (seteuid(pwd->pw_uid)) {
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
PAM_LOG("Done setegid() & seteuid()");
cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE);
if (cache_name == NULL) {
asprintf(&cache_name_buf, "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
cache_name = cache_name_buf;
}
p = calloc(PATH_MAX + 16, sizeof(char));
q = cache_name;
if (p == NULL) {
PAM_LOG("Error malloc(): failure");
retval = PAM_BUF_ERR;
goto cleanup3;
}
cache_name = p;
while (*q) {
if (*q == '%') {
q++;
if (*q == 'u') {
sprintf(p, "%d", pwd->pw_uid);
p += strlen(p);
}
else if (*q == 'p') {
sprintf(p, "%d", getpid());
p += strlen(p);
}
else {
*p++ = '%';
q--;
}
q++;
}
else {
*p++ = *q++;
}
}
PAM_LOG("Got cache_name: %s", cache_name);
krbret = krb5_cc_get_principal(krbctx, ccache_temp, &princ);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_get_principal()");
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
krbret = krb5_cc_resolve(krbctx, cache_name, &ccache_perm);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_resolve()");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
krbret = krb5_cc_initialize(krbctx, ccache_perm, princ);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_initialize()");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Cache initialised");
krbret = krb5_cc_start_seq_get(krbctx, ccache_temp, &cursor);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_start_seq_get()");
krb5_cc_destroy(krbctx, ccache_perm);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Prepared for iteration");
while (krb5_cc_next_cred(krbctx, ccache_temp, &cursor, &creds) == 0) {
krbret = krb5_cc_store_cred(krbctx, ccache_perm, &creds);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_store_cred()");
krb5_cc_destroy(krbctx, ccache_perm);
krb5_free_cred_contents(krbctx, &creds);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
krb5_free_cred_contents(krbctx, &creds);
PAM_LOG("Iteration");
}
krb5_cc_end_seq_get(krbctx, ccache_temp, &cursor);
PAM_LOG("Done iterating");
if (strstr(cache_name, "FILE:") == cache_name) {
if (chown(&cache_name[5], pwd->pw_uid, pwd->pw_gid) == -1) {
PAM_LOG("Error chown(): %s", strerror(errno));
krb5_cc_destroy(krbctx, ccache_perm);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Done chown()");
if (chmod(&cache_name[5], (S_IRUSR | S_IWUSR)) == -1) {
PAM_LOG("Error chmod(): %s", strerror(errno));
krb5_cc_destroy(krbctx, ccache_perm);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Done chmod()");
}
krb5_cc_close(krbctx, ccache_perm);
PAM_LOG("Cache closed");
retval = pam_setenv(pamh, "KRB5CCNAME", cache_name, 1);
if (retval != PAM_SUCCESS) {
PAM_LOG("Error pam_setenv(): %s", pam_strerror(pamh, retval));
krb5_cc_destroy(krbctx, ccache_perm);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Environment done: KRB5CCNAME=%s", cache_name);
cleanup2:
krb5_free_principal(krbctx, princ);
PAM_LOG("Done cleanup2");
cleanup3:
krb5_free_context(krbctx);
PAM_LOG("Done cleanup3");
seteuid(euid);
setegid(egid);
PAM_LOG("Done seteuid() & setegid()");
if (cache_name_buf != NULL)
free(cache_name_buf);
return (retval);
#endif
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
krb5_error_code krbret;
krb5_context krbctx;
krb5_ccache ccache;
krb5_principal princ;
int retval;
const void *user;
const void *ccache_name;
retval = pam_get_item(pamh, PAM_USER, &user);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got user: %s", (const char *)user);
retval = pam_get_data(pamh, "ccache", &ccache_name);
if (retval != PAM_SUCCESS)
return (PAM_SUCCESS);
PAM_LOG("Got credentials");
krbret = krb5_init_context(&krbctx);
if (krbret != 0) {
PAM_LOG("Error krb5_init_context() failed");
return (PAM_PERM_DENIED);
}
PAM_LOG("Context initialised");
krbret = krb5_cc_resolve(krbctx, (const char *)ccache_name, &ccache);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name);
krb5_free_context(krbctx);
return (PAM_PERM_DENIED);
}
PAM_LOG("Got ccache %s", (const char *)ccache_name);
krbret = krb5_cc_get_principal(krbctx, ccache, &princ);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_cc_get_principal()");
retval = PAM_PERM_DENIED;
goto cleanup;
}
PAM_LOG("Got principal");
if (krb5_kuserok(krbctx, princ, (const char *)user))
retval = PAM_SUCCESS;
else
retval = PAM_PERM_DENIED;
krb5_free_principal(krbctx, princ);
PAM_LOG("Done kuserok()");
cleanup:
krb5_free_context(krbctx);
PAM_LOG("Done cleanup");
return (retval);
}
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
int argc __unused, const char *argv[] __unused)
{
krb5_error_code krbret;
krb5_context krbctx;
krb5_creds creds;
krb5_principal princ;
krb5_get_init_creds_opt *opts;
krb5_data result_code_string, result_string;
int result_code, retval;
const char *pass;
const void *user;
char *princ_name, *passdup;
if (!(flags & PAM_UPDATE_AUTHTOK))
return (PAM_AUTHTOK_ERR);
retval = pam_get_item(pamh, PAM_USER, &user);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got user: %s", (const char *)user);
krbret = krb5_init_context(&krbctx);
if (krbret != 0) {
PAM_LOG("Error krb5_init_context() failed");
return (PAM_SERVICE_ERR);
}
PAM_LOG("Context initialised");
krbret = krb5_parse_name(krbctx, (const char *)user, &princ);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_parse_name()");
retval = PAM_USER_UNKNOWN;
goto cleanup3;
}
princ_name = NULL;
krbret = krb5_unparse_name(krbctx, princ, &princ_name);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_unparse_name()");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Got principal: %s", princ_name);
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
goto cleanup2;
PAM_LOG("Got password");
krbret = krb5_get_init_creds_opt_alloc(krbctx, &opts);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_get_init_creds_opt_alloc()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Credentials options initialised");
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(krbctx, &creds, princ,
pass, NULL, pamh, 0, "kadmin/changepw", opts);
krb5_get_init_creds_opt_free(krbctx, opts);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_get_init_creds_password()");
retval = PAM_AUTH_ERR;
goto cleanup2;
}
PAM_LOG("Credentials established");
for (;;) {
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
if (retval != PAM_TRY_AGAIN)
break;
pam_error(pamh, "Mismatch; try again, EOF to quit.");
}
if (retval != PAM_SUCCESS)
goto cleanup;
PAM_LOG("Got new password");
if ((passdup = strdup(pass)) == NULL) {
retval = PAM_BUF_ERR;
goto cleanup;
}
krbret = krb5_set_password(krbctx, &creds, passdup, NULL,
&result_code, &result_code_string, &result_string);
free(passdup);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(krbctx, krbret,
"Error krb5_change_password()");
retval = PAM_AUTHTOK_ERR;
goto cleanup;
}
if (result_code) {
PAM_LOG("Error krb5_change_password(): (result_code)");
retval = PAM_AUTHTOK_ERR;
goto cleanup;
}
PAM_LOG("Password changed");
if (result_string.data)
free(result_string.data);
if (result_code_string.data)
free(result_code_string.data);
cleanup:
krb5_free_cred_contents(krbctx, &creds);
PAM_LOG("Done cleanup");
cleanup2:
krb5_free_principal(krbctx, princ);
if (princ_name)
free(princ_name);
PAM_LOG("Done cleanup2");
cleanup3:
krb5_free_context(krbctx);
PAM_LOG("Done cleanup3");
return (retval);
}
PAM_MODULE_ENTRY("pam_krb5");
static int
verify_krb_v5_tgt_begin(krb5_context context, char *pam_service, int debug,
const char **servicep, krb5_principal *princp __unused, char phost[static BUFSIZ])
{
krb5_error_code retval;
krb5_principal princ;
krb5_keyblock *keyblock;
const char *services[3], **service;
*servicep = NULL;
if (debug)
openlog("pam_krb5", LOG_PID, LOG_AUTHPRIV);
services[0] = "host";
services[1] = pam_service;
services[2] = NULL;
keyblock = NULL;
retval = -1;
for (service = &services[0]; *service != NULL; service++) {
retval = krb5_sname_to_principal(context, NULL, *service,
KRB5_NT_SRV_HST, &princ);
if (retval != 0) {
if (debug) {
const char *msg = krb5_get_error_message(
context, retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_sname_to_principal()", msg);
krb5_free_error_message(context, msg);
}
return -1;
}
strncpy(phost, compat_princ_component(context, princ, 1),
BUFSIZ);
phost[BUFSIZ - 1] = '\0';
retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
&keyblock);
if (retval != 0)
continue;
break;
}
if (keyblock)
krb5_free_keyblock(context, keyblock);
return (retval);
}
static int
verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
char *pam_service __unused, int debug,
const char *service, krb5_principal princ, char phost[static BUFSIZ])
{
krb5_error_code retval;
krb5_auth_context auth_context = NULL;
krb5_data packet;
if (service == NULL)
return (0);
packet.data = 0;
auth_context = NULL;
retval = krb5_mk_req(context, &auth_context, 0, service, phost,
NULL, ccache, &packet);
if (auth_context) {
krb5_auth_con_free(context, auth_context);
auth_context = NULL;
}
if (retval) {
if (debug) {
const char *msg = krb5_get_error_message(context,
retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_mk_req()", msg);
krb5_free_error_message(context, msg);
}
retval = -1;
goto cleanup;
}
retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
NULL, NULL);
if (retval) {
if (debug) {
const char *msg = krb5_get_error_message(context,
retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_rd_req()", msg);
krb5_free_error_message(context, msg);
}
retval = -1;
}
else
retval = 1;
cleanup:
if (packet.data)
compat_free_data_contents(context, &packet);
return (retval);
}
static void
verify_krb_v5_tgt_cleanup(krb5_context context, int debug,
const char *service, krb5_principal princ, char phost[static BUFSIZ] __unused)
{
if (service)
krb5_free_principal(context, princ);
if (debug)
closelog();
}
static void
cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused)
{
krb5_context krbctx;
krb5_ccache ccache;
krb5_error_code krbret;
if (krb5_init_context(&krbctx))
return;
krbret = krb5_cc_resolve(krbctx, data, &ccache);
if (krbret == 0)
krb5_cc_destroy(krbctx, ccache);
krb5_free_context(krbctx);
free(data);
}
#ifdef COMPAT_HEIMDAL
#ifdef COMPAT_MIT
#error This cannot be MIT and Heimdal compatible!
#endif
#endif
#ifndef COMPAT_HEIMDAL
#ifndef COMPAT_MIT
#error One of COMPAT_MIT and COMPAT_HEIMDAL must be specified!
#endif
#endif
#ifdef COMPAT_HEIMDAL
static const char *
compat_princ_component(krb5_context context __unused, krb5_principal princ, int n)
{
return princ->name.name_string.val[n];
}
static void
compat_free_data_contents(krb5_context context __unused, krb5_data * data)
{
krb5_xfree(data->data);
}
#endif
#ifdef COMPAT_MIT
static const char *
compat_princ_component(krb5_context context, krb5_principal princ, int n)
{
return krb5_princ_component(context, princ, n)->data;
}
static void
compat_free_data_contents(krb5_context context, krb5_data * data)
{
krb5_free_data_contents(context, data);
}
#endif
