[utils.git] / pam_krb5auto.c

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdarg.h>
#include <malloc.h>
#include <krb5.h>
#include <pwd.h>
#include <errno.h>

#define PAM_SM_AUTH

#include <security/pam_modules.h>

#define DEF_INSTANCE "autologin"

struct options
{
    char *realm;
    char *instance;
    char *keytab;
    int debug;
    int forwardable;
    int renewable;
};

struct data
{
    krb5_context ctx;
    krb5_ccache cc;
    krb5_principal me;
    krb5_creds initcreds;
    int hascreds;
    uid_t uid;
};

static void log(int prio, char *format, ...)
{
    va_list args;
    char buf[1024];
    
    va_start(args, format);
    snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
    vsyslog(prio, buf, args);
    va_end(args);
}

static struct options *parseopts(int argc, const char **argv)
{
    int i;
    struct options *opts;
    
    opts = malloc(sizeof(*opts));
    memset(opts, 0, sizeof(*opts));
    for(i = 0; i < argc; i++) {
	if(!strncmp(argv[i], "realm=", 6))
	    opts->realm = strdup(argv[i] + 6);
	if(!strncmp(argv[i], "instance=", 9))
	    opts->instance = strdup(argv[i] + 9);
	if(!strncmp(argv[i], "keytab=", 7))
	    opts->keytab = strdup(argv[i] + 7);
	if(!strncmp(argv[i], "renew=", 6))
	    opts->renewable = atoi(argv[i] + 6);
	if(!strcmp(argv[i], "forwardable"))
	    opts->forwardable = 1;
	if(!strcmp(argv[i], "debug"))
	    opts->debug = 1;
    }
    return(opts);
}

static void freeopts(struct options *opts)
{
    if(opts->realm != NULL)
	free(opts->realm);
    if(opts->instance != NULL)
	free(opts->instance);
    if(opts->keytab != NULL)
	free(opts->keytab);
    free(opts);
}

static void freedata(struct data *data)
{
    if(data->hascreds)
	krb5_free_cred_contents(data->ctx, &data->initcreds);
    if(data->cc != NULL)
	krb5_cc_close(data->ctx, data->cc);
    if(data->me != NULL)
	krb5_free_principal(data->ctx, data->me);
    if(data->ctx != NULL)
	krb5_free_context(data->ctx);
    free(data);
}

static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
{
    freedata(data);
}

static struct data *getdata(pam_handle_t *pamh, struct options *opts)
{
    int ret;
    struct data *data;
    char buf[1024];
    const char *user, *instance;
    struct passwd *pwent;
    
    data = NULL;
    pam_get_data(pamh, "krb5auto-data", (const void **)&data);
    if(data == NULL) {
	if(opts->debug)
	    log(LOG_DEBUG, "creating new instance");
	data = malloc(sizeof(*data));
	memset(data, 0, sizeof(*data));
	pam_get_user(pamh, &user, NULL);
	if(user == NULL) {
	    log(LOG_ERR, "could not get user name");
	    freedata(data);
	    return(NULL);
	}
	errno = 0;
	if((pwent = getpwnam(user)) == NULL) {
	    log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
	    freedata(data);
	    return(NULL);
	}
	data->uid = pwent->pw_uid;
	if((ret = krb5_init_context(&data->ctx)) != 0) {
	    log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
	    freedata(data);
	    return(NULL);
	}
	if(opts->instance)
	    instance = opts->instance;
	else
	    instance = DEF_INSTANCE;
	if(opts->realm)
	    snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
	else
	    snprintf(buf, sizeof(buf), "%s/%s", user, instance);
	if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
	    log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
	    freedata(data);
	    return(NULL);
	}
	pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
    }
    return(data);
}

static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
    int ret, fd;
    krb5_keytab kt;
    krb5_get_init_creds_opt icopts;
    char buf[1024], *ccname, *filename;
    
    krb5_get_init_creds_opt_init(&icopts);
    kt = NULL;
    
    if(opts->keytab) {
	if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
	    log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
	    ret = PAM_SERVICE_ERR;
	    goto out;
	}
	if(opts->debug)
	    log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
    }
    krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
    krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
    if(data->hascreds) {
	krb5_free_cred_contents(data->ctx, &data->initcreds);
	data->hascreds = 0;
    }
    if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
	log(LOG_ERR, "could not get credentials: %s", error_message(ret));
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    data->hascreds = 1;
    if(opts->debug)
	log(LOG_DEBUG, "got creds successfully");
    snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
    ccname = buf + sizeof("KRB5CCNAME=");
    filename = ccname + sizeof("FILE:");
    if((fd = mkstemp(filename)) < 0) {
	log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    close(fd);
    if(opts->debug)
	log(LOG_DEBUG, "created ccache `%s'", filename);
    if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
	log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
	unlink(filename);
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
	log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
	unlink(filename);
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
	log(LOG_ERR, "could not store credentials: %s", error_message(ret));
	unlink(filename);
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    pam_putenv(pamh, strdup(buf));
    if(opts->debug)
	log(LOG_DEBUG, "successfully initialized ccache");
    ret = PAM_SUCCESS;
    
 out:
    if(kt != NULL)
	krb5_kt_close(data->ctx, kt);
    return(ret);
}

static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
    if(opts->debug)
	log(LOG_DEBUG, "deleting credentials");
    if(data->hascreds) {
	krb5_free_cred_contents(data->ctx, &data->initcreds);
	data->hascreds = 0;
	if(opts->debug)
	    log(LOG_DEBUG, "freed internal creds");
    }
    if(data->cc != NULL) {
	krb5_cc_destroy(data->ctx, data->cc);
	data->cc = NULL;
	if(opts->debug)
	    log(LOG_DEBUG, "destroyed ccache");
    }
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct options *opts;
    
    opts = parseopts(argc, argv);
    if(opts->debug)
	log(LOG_DEBUG, "pam_sm_authenticate called");
    freeopts(opts);
    return(PAM_IGNORE);
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct options *opts;
    struct data *data;
    int ret;
    
    opts = parseopts(argc, argv);
    data = getdata(pamh, opts);
    if(data == NULL) {
	log(LOG_ERR, "could not get data, erroring out");
	return(PAM_SERVICE_ERR);
    }
    ret = PAM_SERVICE_ERR;
    if(flags & PAM_ESTABLISH_CRED) {
	ret = savecreds(pamh, opts, data);
    } else if(flags & PAM_DELETE_CRED) {
	ret = delcreds(pamh, opts, data);
    }
    freeopts(opts);
    return(ret);
}

/*
 * Local Variables:
 * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
 * End:
 */
Commit	Line	Data
dc647f87	1	#include <stdlib.h>
2febc19a	2	#include <stdio.h>
dc647f87	3	#include <unistd.h>
2febc19a DC	4	#include <string.h>
	5	#include <stdarg.h>
	6	#include <malloc.h>
dc647f87	7	#include <krb5.h>
eb2a40de DC	8	#include <pwd.h>
eb2a40de DC	9	#include <errno.h>
dc647f87 DC	10
	11	#define PAM_SM_AUTH
	12
	13	#include <security/pam_modules.h>
	14
2febc19a DC	15	#define DEF_INSTANCE "autologin"
	16
	17	struct options
	18	{
	19	char *realm;
	20	char *instance;
	21	char *keytab;
	22	int debug;
eb2a40de DC	23	int forwardable;
eb2a40de DC	24	int renewable;
2febc19a DC	25	};
	26
	27	struct data
	28	{
	29	krb5_context ctx;
	30	krb5_ccache cc;
	31	krb5_principal me;
eb2a40de DC	32	krb5_creds initcreds;
	33	int hascreds;
	34	uid_t uid;
2febc19a DC	35	};
	36
	37	static void log(int prio, char *format, ...)
	38	{
	39	va_list args;
	40	char buf[1024];
	41
	42	va_start(args, format);
	43	snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
	44	vsyslog(prio, buf, args);
	45	va_end(args);
	46	}
	47
	48	static struct options parseopts(int argc, const char *argv)
	49	{
	50	int i;
	51	struct options *opts;
	52
	53	opts = malloc(sizeof(*opts));
	54	memset(opts, 0, sizeof(*opts));
	55	for(i = 0; i < argc; i++) {
	56	if(!strncmp(argv[i], "realm=", 6))
	57	opts->realm = strdup(argv[i] + 6);
	58	if(!strncmp(argv[i], "instance=", 9))
	59	opts->instance = strdup(argv[i] + 9);
	60	if(!strncmp(argv[i], "keytab=", 7))
	61	opts->keytab = strdup(argv[i] + 7);
eb2a40de DC	62	if(!strncmp(argv[i], "renew=", 6))
	63	opts->renewable = atoi(argv[i] + 6);
	64	if(!strcmp(argv[i], "forwardable"))
	65	opts->forwardable = 1;
2febc19a DC	66	if(!strcmp(argv[i], "debug"))
	67	opts->debug = 1;
	68	}
	69	return(opts);
	70	}
	71
	72	static void freeopts(struct options *opts)
	73	{
	74	if(opts->realm != NULL)
	75	free(opts->realm);
	76	if(opts->instance != NULL)
	77	free(opts->instance);
	78	if(opts->keytab != NULL)
	79	free(opts->keytab);
	80	free(opts);
	81	}
	82
	83	static void freedata(struct data *data)
	84	{
eb2a40de DC	85	if(data->hascreds)
	86	krb5_free_cred_contents(data->ctx, &data->initcreds);
	87	if(data->cc != NULL)
	88	krb5_cc_close(data->ctx, data->cc);
2febc19a DC	89	if(data->me != NULL)
	90	krb5_free_principal(data->ctx, data->me);
	91	if(data->ctx != NULL)
	92	krb5_free_context(data->ctx);
	93	free(data);
	94	}
	95
	96	static void cleanupdata(pam_handle_t pamh, struct data data, int error_status)
	97	{
	98	freedata(data);
	99	}
	100
	101	static struct data getdata(pam_handle_t pamh, struct options *opts)
	102	{
	103	int ret;
	104	struct data *data;
	105	char buf[1024];
	106	const char user, instance;
eb2a40de	107	struct passwd *pwent;
2febc19a DC	108
	109	data = NULL;
	110	pam_get_data(pamh, "krb5auto-data", (const void **)&data);
	111	if(data == NULL) {
	112	if(opts->debug)
	113	log(LOG_DEBUG, "creating new instance");
	114	data = malloc(sizeof(*data));
	115	memset(data, 0, sizeof(*data));
eb2a40de DC	116	pam_get_user(pamh, &user, NULL);
	117	if(user == NULL) {
	118	log(LOG_ERR, "could not get user name");
	119	freedata(data);
	120	return(NULL);
	121	}
	122	errno = 0;
	123	if((pwent = getpwnam(user)) == NULL) {
	124	log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
	125	freedata(data);
	126	return(NULL);
	127	}
	128	data->uid = pwent->pw_uid;
2febc19a DC	129	if((ret = krb5_init_context(&data->ctx)) != 0) {
	130	log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
	131	freedata(data);
	132	return(NULL);
	133	}
2febc19a DC	134	if(opts->instance)
	135	instance = opts->instance;
	136	else
	137	instance = DEF_INSTANCE;
	138	if(opts->realm)
	139	snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
	140	else
	141	snprintf(buf, sizeof(buf), "%s/%s", user, instance);
	142	if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
	143	log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
	144	freedata(data);
	145	return(NULL);
	146	}
	147	pam_set_data(pamh, "krb5auto-data", data, (void ()(pam_handle_t , void *, int))cleanupdata);
	148	}
	149	return(data);
	150	}
	151
eb2a40de	152	static int savecreds(pam_handle_t pamh, struct options opts, struct data *data)
2febc19a	153	{
eb2a40de DC	154	int ret, fd;
	155	krb5_keytab kt;
	156	krb5_get_init_creds_opt icopts;
	157	char buf[1024], ccname, filename;
	158
	159	krb5_get_init_creds_opt_init(&icopts);
	160	kt = NULL;
	161
	162	if(opts->keytab) {
	163	if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
	164	log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
	165	ret = PAM_SERVICE_ERR;
	166	goto out;
	167	}
	168	if(opts->debug)
	169	log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
	170	}
	171	krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
	172	krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
	173	if(data->hascreds) {
	174	krb5_free_cred_contents(data->ctx, &data->initcreds);
	175	data->hascreds = 0;
	176	}
	177	if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
	178	log(LOG_ERR, "could not get credentials: %s", error_message(ret));
	179	ret = PAM_SERVICE_ERR;
	180	goto out;
	181	}
	182	data->hascreds = 1;
	183	if(opts->debug)
	184	log(LOG_DEBUG, "got creds successfully");
	185	snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
	186	ccname = buf + sizeof("KRB5CCNAME=");
	187	filename = ccname + sizeof("FILE:");
	188	if((fd = mkstemp(filename)) < 0) {
	189	log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
	190	ret = PAM_SERVICE_ERR;
	191	goto out;
	192	}
	193	close(fd);
	194	if(opts->debug)
	195	log(LOG_DEBUG, "created ccache `%s'", filename);
	196	if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
	197	log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
	198	unlink(filename);
	199	ret = PAM_SERVICE_ERR;
	200	goto out;
	201	}
	202	if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
	203	log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
	204	unlink(filename);
	205	ret = PAM_SERVICE_ERR;
	206	goto out;
	207	}
	208	if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
	209	log(LOG_ERR, "could not store credentials: %s", error_message(ret));
	210	unlink(filename);
	211	ret = PAM_SERVICE_ERR;
	212	goto out;
	213	}
	214	pam_putenv(pamh, strdup(buf));
	215	if(opts->debug)
	216	log(LOG_DEBUG, "successfully initialized ccache");
	217	ret = PAM_SUCCESS;
218
219	out:
220	if(kt != NULL)
221	krb5_kt_close(data->ctx, kt);
222	return(ret);
223	}
224
225	static int delcreds(pam_handle_t pamh, struct options opts, struct data *data)
226	{
227	if(opts->debug)
228	log(LOG_DEBUG, "deleting credentials");
229	if(data->hascreds) {
230	krb5_free_cred_contents(data->ctx, &data->initcreds);
231	data->hascreds = 0;
232	if(opts->debug)
233	log(LOG_DEBUG, "freed internal creds");
234	}
235	if(data->cc != NULL) {
236	krb5_cc_destroy(data->ctx, data->cc);
237	data->cc = NULL;
238	if(opts->debug)
239	log(LOG_DEBUG, "destroyed ccache");
240	}
241	return(PAM_SUCCESS);
2febc19a DC	242	}
	243
	244	PAM_EXTERN int pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char *argv)
	245	{
eb2a40de DC	246	struct options *opts;
	247
	248	opts = parseopts(argc, argv);
	249	if(opts->debug)
	250	log(LOG_DEBUG, "pam_sm_authenticate called");
	251	freeopts(opts);
2febc19a DC	252	return(PAM_IGNORE);
	253	}
	254
	255	PAM_EXTERN int pam_sm_setcred(pam_handle_t pamh, int flags, int argc, const char *argv)
	256	{
	257	struct options *opts;
	258	struct data *data;
eb2a40de	259	int ret;
2febc19a DC	260
	261	opts = parseopts(argc, argv);
	262	data = getdata(pamh, opts);
	263	if(data == NULL) {
	264	log(LOG_ERR, "could not get data, erroring out");
	265	return(PAM_SERVICE_ERR);
	266	}
eb2a40de	267	ret = PAM_SERVICE_ERR;
2febc19a	268	if(flags & PAM_ESTABLISH_CRED) {
eb2a40de DC	269	ret = savecreds(pamh, opts, data);
	270	} else if(flags & PAM_DELETE_CRED) {
	271	ret = delcreds(pamh, opts, data);
2febc19a DC	272	}
2febc19a DC	273	freeopts(opts);
eb2a40de	274	return(ret);
2febc19a	275	}
dc647f87 DC	276
	277	/*
	278	* Local Variables:
4aa1b80b	279	* compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
dc647f87 DC	280	* End:
dc647f87 DC	281	*/