usr/src/lib/pam_modules/krb5/krb5_authenticate.c

root/usr/src/lib/pam_modules/krb5/krb5_authenticate.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 *
 * Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
 */

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <syslog.h>
#include <libintl.h>
#include <k5-int.h>
#include "profile/prof_int.h"
#include <netdb.h>
#include <ctype.h>
#include "utils.h"
#include "krb5_repository.h"

#define KRB5_DEFAULT_OPTIONS 0

int forwardable_flag = 0;
int renewable_flag = 0;
int proxiable_flag = 0;
int no_address_flag = 0;
profile_options_boolean config_option[] = {
        { "forwardable", &forwardable_flag, 0 },
        { "renewable",  &renewable_flag, 0 },
        { "proxiable", &proxiable_flag, 0 },
        { "no_addresses", &no_address_flag, 0 },
        { NULL, NULL, 0 }
};
char *renew_timeval;
char *life_timeval;
profile_option_strings config_times[] = {
        { "max_life", &life_timeval, 0 },
        { "max_renewable_life",  &renew_timeval, 0 },
        { NULL, NULL, 0 }
};
char *realmdef[] = { "realms", NULL, NULL, NULL };
char *appdef[] = { "appdefaults", "kinit", NULL };

#define krb_realm (*(realmdef + 1))

int     attempt_krb5_auth(pam_handle_t *, krb5_module_data_t *, const char *,
        char **, boolean_t);
void    krb5_cleanup(pam_handle_t *, void *, int);

extern errcode_t profile_get_options_boolean();
extern errcode_t profile_get_options_string();
extern int krb5_verifypw(char *, char *, int);
extern krb5_error_code krb5_verify_init_creds(krb5_context,
                krb5_creds *, krb5_principal, krb5_keytab, krb5_ccache *,
                krb5_verify_init_creds_opt *);
extern krb5_error_code __krb5_get_init_creds_password(krb5_context,
                krb5_creds *, krb5_principal, char *, krb5_prompter_fct, void *,
                krb5_deltat, char *, krb5_get_init_creds_opt *,
                krb5_kdc_rep **);

/*
 * pam_sm_authenticate          - Authenticate user
 */
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
        const char *user = NULL;
        int err;
        int result = PAM_AUTH_ERR;
        /* pam.conf options */
        int debug = 0;
        int warn = 1;
        /* return an error on password expire */
        int err_on_exp = 0;
        int i;
        char *password = NULL;
        uid_t pw_uid;
        krb5_module_data_t *kmd = NULL;
        krb5_repository_data_t *krb5_data = NULL;
        const pam_repository_t *rep_data = NULL;
        boolean_t do_pkinit = FALSE;

        for (i = 0; i < argc; i++) {
                if (strcmp(argv[i], "debug") == 0) {
                        debug = 1;
                } else if (strcmp(argv[i], "nowarn") == 0) {
                        warn = 0;
                } else if (strcmp(argv[i], "err_on_exp") == 0) {
                        err_on_exp = 1;
                } else if (strcmp(argv[i], "pkinit") == 0) {
                        do_pkinit = TRUE;
                } else {
                        __pam_log(LOG_AUTH | LOG_ERR,
                            "PAM-KRB5 (auth) unrecognized option %s", argv[i]);
                }
        }
        if (flags & PAM_SILENT) warn = 0;

        if (debug)
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): pam_sm_authenticate flags=%d",
                    flags);

        /*
         * pam_get_data could fail if we are being called for the first time
         * or if the module is not found, PAM_NO_MODULE_DATA is not an error
         */
        err = pam_get_data(pamh, KRB5_DATA, (const void **)&kmd);
        if (!(err == PAM_SUCCESS || err == PAM_NO_MODULE_DATA))
                return (PAM_SYSTEM_ERR);

        /*
         * If pam_krb5 was stacked higher in the auth stack and did PKINIT
         * preauth sucessfully then this instance is a fallback to password
         * based preauth and should just return PAM_IGNORE.
         *
         * The else clause is handled further down.
         */
        if (kmd != NULL) {
                if (++(kmd->auth_calls) > 2) {
                        /*
                         * pam_krb5 has been stacked > 2 times in the auth
                         * stack.  Clear out the current kmd and proceed as if
                         * this is the first time pam_krb5 auth has been called.
                         */
                        if (debug) {
                                __pam_log(LOG_AUTH | LOG_DEBUG,
                                    "PAM-KRB5 (auth): stacked more than"
                                    " two times, clearing kmd");
                        }
                        /* clear out/free current kmd */
                        err = pam_set_data(pamh, KRB5_DATA, NULL, NULL);
                        if (err != PAM_SUCCESS) {
                                krb5_cleanup(pamh, kmd, err);
                                result = err;
                                goto out;
                        }
                        kmd = NULL;
                } else if (kmd->auth_calls == 2 &&
                    kmd->auth_status == PAM_SUCCESS) {
                        /*
                         * The previous instance of pam_krb5 succeeded and this
                         * instance was a fall back in case it didn't succeed so
                         * return ignore.
                         */
                        if (debug) {
                                __pam_log(LOG_AUTH | LOG_DEBUG,
                                    "PAM-KRB5 (auth): PKINIT succeeded "
                                    "earlier so returning PAM_IGNORE");
                        }
                        return (PAM_IGNORE);
                }
        }

        (void) pam_get_item(pamh, PAM_USER, (const void **)&user);

        if (user == NULL || *user == '\0') {
                if (do_pkinit) {
                        /*
                         * If doing PKINIT it is okay to prompt for the user
                         * name.
                         */
                        if ((err = pam_get_user(pamh, &user,
                            NULL)) != PAM_SUCCESS) {
                                if (debug) {
                                        __pam_log(LOG_AUTH | LOG_DEBUG,
                                            "PAM-KRB5 (auth): get user failed: "
                                            "%s", pam_strerror(pamh, err));
                                }
                                return (err);
                        }
                } else {
                        if (debug)
                                __pam_log(LOG_AUTH | LOG_DEBUG,
                                    "PAM-KRB5 (auth): user empty or null");
                        return (PAM_USER_UNKNOWN);
                }
        }

        /* make sure a password entry exists for this user */
        if (!get_pw_uid(user, &pw_uid))
                return (PAM_USER_UNKNOWN);

        if (kmd == NULL) {
                kmd = calloc(1, sizeof (krb5_module_data_t));
                if (kmd == NULL) {
                        result = PAM_BUF_ERR;
                        goto out;
                }

                err = pam_set_data(pamh, KRB5_DATA, kmd, &krb5_cleanup);
                if (err != PAM_SUCCESS) {
                        free(kmd);
                        result = err;
                        goto out;
                }
        }

        if (!kmd->env) {
                char buffer[512];

                if (snprintf(buffer, sizeof (buffer),
                    "%s=FILE:/tmp/krb5cc_%d",
                    KRB5_ENV_CCNAME, (int)pw_uid) >= sizeof (buffer)) {
                        result = PAM_SYSTEM_ERR;
                        goto out;
                }

                /* we MUST copy this to the heap for the putenv to work! */
                kmd->env = strdup(buffer);
                if (!kmd->env) {
                        result = PAM_BUF_ERR;
                        goto out;
                } else {
                        if (putenv(kmd->env)) {
                                result = PAM_SYSTEM_ERR;
                                goto out;
                        }
                }
        }

        if (kmd->user != NULL)
                free(kmd->user);
        if ((kmd->user = strdup(user)) == NULL) {
                result = PAM_BUF_ERR;
                goto out;
        }

        kmd->auth_status = PAM_AUTH_ERR;
        kmd->debug = debug;
        kmd->warn = warn;
        kmd->err_on_exp = err_on_exp;
        kmd->ccache = NULL;
        kmd->kcontext = NULL;
        kmd->password = NULL;
        kmd->age_status = PAM_SUCCESS;
        (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
        kmd->auth_calls = 1;
        kmd->preauth_type = do_pkinit ? KRB_PKINIT : KRB_PASSWD;

        /*
         * For apps that already did krb5 auth exchange...
         * Now that we've created the kmd structure, we can
         * return SUCCESS.  'kmd' may be needed later by other
         * PAM functions, thats why we wait until this point to
         * return.
         */
        (void) pam_get_item(pamh, PAM_REPOSITORY, (const void **)&rep_data);

        if (rep_data != NULL) {
                if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) {
                        if (debug)
                                __pam_log(LOG_AUTH | LOG_DEBUG,
                                    "PAM-KRB5 (auth): wrong"
                                    "repository found (%s), returning "
                                    "PAM_IGNORE", rep_data->type);
                        return (PAM_IGNORE);
                }
                if (rep_data->scope_len == sizeof (krb5_repository_data_t)) {
                        krb5_data = (krb5_repository_data_t *)rep_data->scope;

                        if (krb5_data->flags ==
                            SUNW_PAM_KRB5_ALREADY_AUTHENTICATED &&
                            krb5_data->principal != NULL &&
                            strlen(krb5_data->principal)) {
                                if (debug)
                                        __pam_log(LOG_AUTH | LOG_DEBUG,
                                            "PAM-KRB5 (auth): Principal "
                                            "%s already authenticated",
                                            krb5_data->principal);
                                kmd->auth_status = PAM_SUCCESS;
                                return (PAM_SUCCESS);
                        }
                }
        }

        /*
         * if root key exists in the keytab, it's a random key so no
         * need to prompt for pw and we just return IGNORE.
         *
         * note we don't need to force a prompt for pw as authtok_get
         * is required to be stacked above this module.
         */
        if ((strcmp(user, ROOT_UNAME) == 0) &&
            key_in_keytab(user, debug)) {
                if (debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): "
                            "key for '%s' in keytab, returning IGNORE", user);
                result = PAM_IGNORE;
                goto out;
        }

        (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password);

        result = attempt_krb5_auth(pamh, kmd, user, &password, 1);

out:
        if (kmd) {
                if (debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): pam_sm_auth finalize"
                            " ccname env, result =%d, env ='%s',"
                            " age = %d, status = %d",
                            result, kmd->env ? kmd->env : "<null>",
                            kmd->age_status, kmd->auth_status);

                if (kmd->env &&
                    !(kmd->age_status == PAM_NEW_AUTHTOK_REQD &&
                    kmd->auth_status == PAM_SUCCESS)) {


                        if (result == PAM_SUCCESS) {
                                /*
                                 * Put ccname into the pamh so that login
                                 * apps can pick this up when they run
                                 * pam_getenvlist().
                                 */
                                if ((result = pam_putenv(pamh, kmd->env))
                                    != PAM_SUCCESS) {
                                        /* should not happen but... */
                                        __pam_log(LOG_AUTH | LOG_ERR,
                                            "PAM-KRB5 (auth):"
                                            " pam_putenv failed: result: %d",
                                            result);
                                        goto cleanupccname;
                                }
                        } else {
                        cleanupccname:
                                /* for lack of a Solaris unputenv() */
                                krb5_unsetenv(KRB5_ENV_CCNAME);
                                free(kmd->env);
                                kmd->env = NULL;
                        }
                }
                kmd->auth_status = result;
        }

        if (debug)
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): end: %s", pam_strerror(pamh, result));

        return (result);
}

static krb5_error_code
pam_krb5_prompter(krb5_context ctx, void *data, const char *name,
    const char *banner, int num_prompts, krb5_prompt prompts[])
{
        krb5_error_code rc = KRB5_LIBOS_CANTREADPWD;
        pam_handle_t *pamh = (pam_handle_t *)data;
        const struct pam_conv   *pam_convp;
        struct pam_message *msgs = NULL;
        struct pam_response *ret_respp = NULL;
        int i;
        krb5_prompt_type *prompt_type = krb5_get_prompt_types(ctx);
        char tmpbuf[PAM_MAX_MSG_SIZE];

        if (prompts) {
                assert(num_prompts > 0);
        }
        /*
         * Because this function should never be used for password prompts,
         * disallow password prompts.
         */
        for (i = 0; i < num_prompts; i++) {
                switch (prompt_type[i]) {
                case KRB5_PROMPT_TYPE_PASSWORD:
                case KRB5_PROMPT_TYPE_NEW_PASSWORD:
                case KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:
                        return (rc);
                }
        }

        if (pam_get_item(pamh, PAM_CONV, (const void **)&pam_convp) !=
            PAM_SUCCESS) {
                return (rc);
        }
        if (pam_convp == NULL) {
                return (rc);
        }

        msgs = (struct pam_message *)calloc(num_prompts,
            sizeof (struct pam_message));
        if (msgs == NULL) {
                return (rc);
        }
        (void) memset(msgs, 0, sizeof (struct pam_message) * num_prompts);

        for (i = 0; i < num_prompts; i++) {
                /* convert krb prompt style to PAM style */
                if (prompts[i].hidden) {
                        msgs[i].msg_style = PAM_PROMPT_ECHO_OFF;
                } else {
                        msgs[i].msg_style = PAM_PROMPT_ECHO_ON;
                }
                /*
                 * krb expects the prompting function to append ": " to the
                 * prompt string.
                 */
                if (snprintf(tmpbuf, sizeof (tmpbuf), "%s: ",
                    prompts[i].prompt) < 0) {
                        goto cleanup;
                }
                msgs[i].msg = strdup(tmpbuf);
                if (msgs[i].msg == NULL) {
                        goto cleanup;
                }
        }

        /*
         * Call PAM conv function to display the prompt.
         */

        if ((pam_convp->conv)(num_prompts, (const struct pam_message **)&msgs,
            &ret_respp, pam_convp->appdata_ptr) == PAM_SUCCESS) {
                for (i = 0; i < num_prompts; i++) {
                        /* convert PAM response to krb prompt reply format */
                        assert(prompts[i].reply->data != NULL);
                        assert(ret_respp[i].resp != NULL);

                        if (strlcpy(prompts[i].reply->data,
                            ret_respp[i].resp, prompts[i].reply->length) >=
                            prompts[i].reply->length) {
                                char errmsg[1][PAM_MAX_MSG_SIZE];

                                (void) snprintf(errmsg[0], PAM_MAX_MSG_SIZE,
                                    "%s", dgettext(TEXT_DOMAIN,
                                    "Reply too long: "));
                                (void) __pam_display_msg(pamh, PAM_ERROR_MSG,
                                    1, errmsg, NULL);
                                goto cleanup;
                        } else {
                                char *retp;

                                /*
                                 * newline must be replaced with \0 terminator
                                 */
                                retp = strchr(prompts[i].reply->data, '\n');
                                if (retp != NULL)
                                        *retp = '\0';
                                /* NULL terminator should not be counted */
                                prompts[i].reply->length =
                                    strlen(prompts[i].reply->data);
                        }
                }
                rc = 0;
        }

cleanup:
        for (i = 0; i < num_prompts; i++) {
                if (msgs[i].msg) {
                        free(msgs[i].msg);
                }
                if (ret_respp[i].resp) {
                        /* 0 out sensitive data before free() */
                        (void) memset(ret_respp[i].resp, 0,
                            strlen(ret_respp[i].resp));
                        free(ret_respp[i].resp);
                }
        }
        free(msgs);
        free(ret_respp);
        return (rc);
}

int
attempt_krb5_auth(
        pam_handle_t *pamh,
        krb5_module_data_t      *kmd,
        const char      *user,
        char            **krb5_pass,
        boolean_t       verify_tik)
{
        krb5_principal  me = NULL, clientp = NULL;
        krb5_principal  server = NULL, serverp = NULL;
        krb5_creds      *my_creds;
        krb5_timestamp  now;
        krb5_error_code code = 0;
        char            kuser[2*MAXHOSTNAMELEN];
        krb5_deltat     lifetime;
        krb5_deltat     rlife;
        krb5_deltat     krb5_max_duration;
        int             options = KRB5_DEFAULT_OPTIONS;
        krb5_data tgtname = {
                0,
                KRB5_TGS_NAME_SIZE,
                KRB5_TGS_NAME
        };
        krb5_get_init_creds_opt *opts = NULL;
        krb5_kdc_rep *as_reply = NULL;
        /*
         * "result" should not be assigned PAM_SUCCESS unless
         * authentication has succeeded and there are no other errors.
         *
         * "code" is sometimes used for PAM codes, sometimes for krb5
         * codes.  Be careful.
         */
        int result = PAM_AUTH_ERR;

        if (kmd->debug)
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): attempt_krb5_auth: start: user='%s'",
                    user ? user : "<null>");

        /* need to free context with krb5_free_context */
        if (code = krb5_init_secure_context(&kmd->kcontext)) {
                __pam_log(LOG_AUTH | LOG_ERR,
                    "PAM-KRB5 (auth): Error initializing "
                    "krb5: %s",
                    error_message(code));
                return (PAM_SYSTEM_ERR);
        }

        if ((code = get_kmd_kuser(kmd->kcontext, user, kuser,
            2 * MAXHOSTNAMELEN)) != 0) {
                /* get_kmd_kuser returns proper PAM error statuses */
                return (code);
        }

        if ((code = krb5_parse_name(kmd->kcontext, kuser, &me)) != 0) {
                krb5_free_context(kmd->kcontext);
                kmd->kcontext = NULL;
                return (PAM_SYSTEM_ERR);
        }

        /* call krb5_free_cred_contents() on error */
        my_creds = &kmd->initcreds;

        if ((code =
            krb5_copy_principal(kmd->kcontext, me, &my_creds->client))) {
                result = PAM_SYSTEM_ERR;
                goto out_err;
        }
        clientp = my_creds->client;

        if (code = krb5_build_principal_ext(kmd->kcontext, &server,
            krb5_princ_realm(kmd->kcontext, me)->length,
            krb5_princ_realm(kmd->kcontext, me)->data,
            tgtname.length, tgtname.data,
            krb5_princ_realm(kmd->kcontext, me)->length,
            krb5_princ_realm(kmd->kcontext, me)->data, 0)) {
                __pam_log(LOG_AUTH | LOG_ERR,
                    "PAM-KRB5 (auth): attempt_krb5_auth: "
                    "krb5_build_princ_ext failed: %s",
                    error_message(code));
                result = PAM_SYSTEM_ERR;
                goto out;
        }

        if (code = krb5_copy_principal(kmd->kcontext, server,
            &my_creds->server)) {
                result = PAM_SYSTEM_ERR;
                goto out_err;
        }
        serverp = my_creds->server;

        if (code = krb5_timeofday(kmd->kcontext, &now)) {
                __pam_log(LOG_AUTH | LOG_ERR,
                    "PAM-KRB5 (auth): attempt_krb5_auth: "
                    "krb5_timeofday failed: %s",
                    error_message(code));
                result = PAM_SYSTEM_ERR;
                goto out;
        }

        /*
         * set the values for lifetime and rlife to be the maximum
         * possible
         */
        krb5_max_duration = KRB5_KDB_EXPIRATION - now - 60*60;
        lifetime = krb5_max_duration;
        rlife = krb5_max_duration;

        /*
         * Let us get the values for various options
         * from Kerberos configuration file
         */

        krb_realm = krb5_princ_realm(kmd->kcontext, me)->data;
        profile_get_options_boolean(kmd->kcontext->profile,
            realmdef, config_option);
        profile_get_options_boolean(kmd->kcontext->profile,
            appdef, config_option);
        profile_get_options_string(kmd->kcontext->profile,
            realmdef, config_times);
        profile_get_options_string(kmd->kcontext->profile,
            appdef, config_times);

        if (renew_timeval) {
                code = krb5_string_to_deltat(renew_timeval, &rlife);
                if (code != 0 || rlife == 0 || rlife > krb5_max_duration) {
                        __pam_log(LOG_AUTH | LOG_ERR,
                            "PAM-KRB5 (auth): Bad max_renewable_life "
                            " value '%s' in Kerberos config file",
                            renew_timeval);
                        result = PAM_SYSTEM_ERR;
                        goto out;
                }
        }
        if (life_timeval) {
                code = krb5_string_to_deltat(life_timeval, &lifetime);
                if (code != 0 || lifetime == 0 ||
                    lifetime > krb5_max_duration) {
                        __pam_log(LOG_AUTH | LOG_ERR,
                            "lifetime value '%s' in Kerberos config file",
                            life_timeval);
                        result = PAM_SYSTEM_ERR;
                        goto out;
                }
        }
        /*  start timer when request gets to KDC */
        my_creds->times.starttime = 0;
        my_creds->times.endtime = now + lifetime;

        if (options & KDC_OPT_RENEWABLE) {
                my_creds->times.renew_till = now + rlife;
        } else
                my_creds->times.renew_till = 0;

        code = krb5_get_init_creds_opt_alloc(kmd->kcontext, &opts);
        if (code != 0) {
                __pam_log(LOG_AUTH | LOG_ERR,
                    "Error allocating gic opts: %s",
                    error_message(code));
                result = PAM_SYSTEM_ERR;
                goto out;
        }

        krb5_get_init_creds_opt_set_tkt_life(opts, lifetime);

        if (proxiable_flag) {           /* Set in config file */
                if (kmd->debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): Proxiable tickets "
                            "requested");
                krb5_get_init_creds_opt_set_proxiable(opts, TRUE);
        }
        if (forwardable_flag) {
                if (kmd->debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): Forwardable tickets "
                            "requested");
                krb5_get_init_creds_opt_set_forwardable(opts, TRUE);
        }
        if (renewable_flag) {
                if (kmd->debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): Renewable tickets "
                            "requested");
                krb5_get_init_creds_opt_set_renew_life(opts, rlife);
        }
        if (no_address_flag) {
                if (kmd->debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): Addressless tickets "
                            "requested");
                krb5_get_init_creds_opt_set_address_list(opts, NULL);
        }

        /*
         * mech_krb5 interprets empty passwords as NULL passwords and tries to
         * read a password from stdin. Since we are in pam this is bad and
         * should not be allowed.
         *
         * Note, the logic now is that if the preauth_type is PKINIT then
         * provide a proper PAMcentric prompt function that the underlying
         * PKINIT preauth plugin will use to prompt for the PIN.
         */
        if (kmd->preauth_type == KRB_PKINIT) {
                /*
                 * Do PKINIT preauth
                 *
                 * Note: we want to limit preauth types to just those for PKINIT
                 * but krb5_get_init_creds() doesn't support that at this point.
                 * Instead we rely on pam_krb5_prompter() to limit prompts to
                 * non-password types.  So all we can do here is set the preauth
                 * list so krb5_get_init_creds() will try that first.
                 */
                krb5_preauthtype pk_pa_list[] = {
                        KRB5_PADATA_PK_AS_REQ,
                        KRB5_PADATA_PK_AS_REQ_OLD
                };
                krb5_get_init_creds_opt_set_preauth_list(opts, pk_pa_list, 2);

                if (*krb5_pass == NULL || strlen(*krb5_pass) != 0) {
                        if (*krb5_pass != NULL) {
                                /* treat the krb5_pass as a PIN */
                                code = krb5_get_init_creds_opt_set_pa(
                                    kmd->kcontext, opts, "PIN", *krb5_pass);
                        }

                        if (!code) {
                                code = __krb5_get_init_creds_password(
                                    kmd->kcontext,
                                    my_creds,
                                    me,
                                    NULL, /* clear text passwd */
                                    pam_krb5_prompter, /* prompter */
                                    pamh, /* prompter data */
                                    0, /* start time */
                                    NULL, /* defaults to krbtgt@REALM */
                                    opts,
                                    &as_reply);
                        }
                } else {
                        /* invalid PIN */
                        code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
                }
        } else {
                /*
                 * Do password based preauths
                 *
                 * See earlier PKINIT comment.  We are doing something similar
                 * here but we do not pass in a prompter (we assume
                 * pam_authtok_get has already prompted for that).
                 */
                if (*krb5_pass == NULL || strlen(*krb5_pass) == 0) {
                        code = KRB5KRB_AP_ERR_BAD_INTEGRITY;
                } else {
                        krb5_preauthtype pk_pa_list[] = {
                                KRB5_PADATA_ENC_TIMESTAMP
                        };

                        krb5_get_init_creds_opt_set_preauth_list(opts,
                            pk_pa_list, 1);

                        /*
                         * We call our own private version of gic_pwd, because
                         * we need more information, such as password/account
                         * expiration, that is found in the as_reply.  The
                         * "prompter" interface is not granular enough for PAM
                         * to make use of.
                         */
                        code = __krb5_get_init_creds_password(kmd->kcontext,
                            my_creds,
                            me,
                            *krb5_pass, /* clear text passwd */
                            NULL,       /* prompter */
                            NULL,       /* data */
                            0,          /* start time */
                            NULL,       /* defaults to krbtgt@REALM */
                            opts,
                            &as_reply);
                }
        }

        if (kmd->debug)
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): attempt_krb5_auth: "
                    "krb5_get_init_creds_password returns: %s",
                    code == 0 ? "SUCCESS" : error_message(code));

        switch (code) {
        case 0:
                /* got a tgt, let's verify it */
                if (verify_tik) {
                        krb5_verify_init_creds_opt vopts;

                        krb5_principal sp = NULL;
                        char kt_name[MAX_KEYTAB_NAME_LEN];
                        char *fqdn;

                        krb5_verify_init_creds_opt_init(&vopts);

                        code = krb5_verify_init_creds(kmd->kcontext,
                            my_creds,
                            NULL,       /* defaults to host/localhost@REALM */
                            NULL,
                            NULL,
                            &vopts);

                        if (code) {
                                result = PAM_SYSTEM_ERR;

                                /*
                                 * Give a better error message when the
                                 * keytable entry isn't found or the keytab
                                 * file cannot be found.
                                 */
                                if (krb5_sname_to_principal(kmd->kcontext, NULL,
                                    NULL, KRB5_NT_SRV_HST, &sp))
                                        fqdn = "<fqdn>";
                                else
                                        fqdn = sp->data[1].data;

                                if (krb5_kt_default_name(kmd->kcontext, kt_name,
                                    sizeof (kt_name)))
                                        (void) strlcpy(kt_name,
                                            "default keytab",
                                            sizeof (kt_name));

                                switch (code) {
                                case KRB5_KT_NOTFOUND:
                                        __pam_log(LOG_AUTH | LOG_ERR,
                                            "PAM-KRB5 (auth): "
                                            "krb5_verify_init_creds failed:"
                                            " Key table entry \"host/%s\""
                                            " not found in %s",
                                            fqdn, kt_name);
                                        break;
                                case ENOENT:
                                        __pam_log(LOG_AUTH | LOG_ERR,
                                            "PAM-KRB5 (auth): "
                                            "krb5_verify_init_creds failed:"
                                            " Keytab file \"%s\""
                                            " does not exist.\n",
                                            kt_name);
                                        break;
                                default:
                                        __pam_log(LOG_AUTH | LOG_ERR,
                                            "PAM-KRB5 (auth): "
                                            "krb5_verify_init_creds failed:"
                                            " %s",
                                            error_message(code));
                                        break;
                                }

                                if (sp)
                                        krb5_free_principal(kmd->kcontext, sp);
                        }
                }

                if (code == 0)
                        kmd->expiration = as_reply->enc_part2->key_exp;

                break;

        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
                /*
                 * Since this principal is not part of the local
                 * Kerberos realm, we just return PAM_USER_UNKNOWN.
                 */
                result = PAM_USER_UNKNOWN;

                if (kmd->debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): attempt_krb5_auth:"
                            " User is not part of the local Kerberos"
                            " realm: %s", error_message(code));
                break;

        case KRB5KDC_ERR_PREAUTH_FAILED:
        case KRB5KRB_AP_ERR_BAD_INTEGRITY:
                /*
                 * We could be trying the password from a previous
                 * pam authentication module, but we don't want to
                 * generate an error if the unix password is different
                 * than the Kerberos password...
                 */
                break;

        case KRB5KDC_ERR_KEY_EXP:
                if (!kmd->err_on_exp) {
                        /*
                         * Request a tik for changepw service and it will tell
                         * us if pw is good or not. If PKINIT is being done it
                         * is possible that *krb5_pass may be NULL so check for
                         * that.  If that is the case this function will return
                         * an error.
                         */
                        if (*krb5_pass != NULL) {
                                code = krb5_verifypw(kuser, *krb5_pass,
                                    kmd->debug);
                                if (kmd->debug) {
                                        __pam_log(LOG_AUTH | LOG_DEBUG,
                                            "PAM-KRB5 (auth): "
                                            "attempt_krb5_auth: "
                                            "verifypw %d", code);
                                }
                                if (code == 0) {
                                        /*
                                         * pw is good, set age status for
                                         * acct_mgmt.
                                         */
                                        kmd->age_status = PAM_NEW_AUTHTOK_REQD;
                                }
                        }

                }
                break;

        default:
                result = PAM_SYSTEM_ERR;
                if (kmd->debug)
                        __pam_log(LOG_AUTH | LOG_DEBUG,
                            "PAM-KRB5 (auth): error %d - %s",
                            code, error_message(code));
                break;
        }

        if (code == 0) {
                /*
                 * success for the entered pw or PKINIT succeeded.
                 *
                 * we can't rely on the pw in PAM_AUTHTOK
                 * to be the (correct) krb5 one so
                 * store krb5 pw in module data for
                 * use in acct_mgmt.  Note that *krb5_pass may be NULL if we're
                 * doing PKINIT.
                 */
                if (*krb5_pass != NULL &&
                    !(kmd->password = strdup(*krb5_pass))) {
                        __pam_log(LOG_AUTH | LOG_ERR,
                            "Cannot strdup password");
                        result = PAM_BUF_ERR;
                        goto out_err;
                }

                result = PAM_SUCCESS;
                goto out;
        }

out_err:
        /* jump (or reach) here if error and cred cache has been init */

        if (kmd->debug)
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): clearing initcreds in "
                    "pam_authenticate()");

        krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
        (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));

out:
        if (server)
                krb5_free_principal(kmd->kcontext, server);
        if (me)
                krb5_free_principal(kmd->kcontext, me);
        if (as_reply)
                krb5_free_kdc_rep(kmd->kcontext, as_reply);

        /*
         * clientp or serverp could be NULL in certain error cases in this
         * function.  mycreds->[client|server] could also be NULL in case
         * of error in this function, see out_err above.  The pointers clientp
         * and serverp reference the input argument in my_creds for
         * get_init_creds and must be freed if the input argument does not
         * match the output argument, which occurs during a successful call
         * to get_init_creds.
         */
        if (clientp && my_creds->client && clientp != my_creds->client)
                krb5_free_principal(kmd->kcontext, clientp);
        if (serverp && my_creds->server && serverp != my_creds->server)
                krb5_free_principal(kmd->kcontext, serverp);

        if (kmd->kcontext) {
                krb5_free_context(kmd->kcontext);
                kmd->kcontext = NULL;
        }
        if (opts)
                krb5_get_init_creds_opt_free(kmd->kcontext, opts);

        if (kmd->debug)
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): attempt_krb5_auth returning %d",
                    result);

        return (kmd->auth_status = result);
}

/*ARGSUSED*/
void
krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status)
{
        krb5_module_data_t *kmd = (krb5_module_data_t *)data;

        if (kmd == NULL)
                return;

        if (kmd->debug) {
                __pam_log(LOG_AUTH | LOG_DEBUG,
                    "PAM-KRB5 (auth): krb5_cleanup auth_status = %d",
                    kmd->auth_status);
        }

        /*
         * Apps could be calling pam_end here, so we should always clean
         * up regardless of success or failure here.
         */
        if (kmd->ccache)
                (void) krb5_cc_close(kmd->kcontext, kmd->ccache);

        if (kmd->password) {
                (void) memset(kmd->password, 0, strlen(kmd->password));
                free(kmd->password);
        }

        if (kmd->user)
                free(kmd->user);

        if (kmd->env)
                free(kmd->env);

        krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
        (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));

        free(kmd);
}
Illumos
