[utils.git] / pam_krb5auto.c

/*
 *  pam_krb5auto - Gets initial credentials non-interactively
 *  Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
 *  
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *  
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdarg.h>
#include <malloc.h>
#include <krb5.h>
#include <pwd.h>
#include <errno.h>

#define PAM_SM_AUTH

#include <security/pam_modules.h>

#define DEF_INSTANCE "autologin"

struct options
{
    char *realm;
    char *instance;
    char *keytab;
    int debug;
    int forwardable;
    int renewable;
};

struct data
{
    krb5_context ctx;
    krb5_ccache cc;
    krb5_principal me;
    krb5_creds initcreds;
    int hascreds;
    uid_t uid;
    gid_t gid;
};

static void log(int prio, char *format, ...)
{
    va_list args;
    char buf[1024];
    
    va_start(args, format);
    snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
    vsyslog(prio, buf, args);
    va_end(args);
}

static struct options *parseopts(int argc, const char **argv)
{
    int i;
    struct options *opts;
    const char *p;
    int unit;
    
    opts = malloc(sizeof(*opts));
    memset(opts, 0, sizeof(*opts));
    for(i = 0; i < argc; i++) {
	if(!strncmp(argv[i], "realm=", 6))
	    opts->realm = strdup(argv[i] + 6);
	if(!strncmp(argv[i], "instance=", 9))
	    opts->instance = strdup(argv[i] + 9);
	if(!strncmp(argv[i], "keytab=", 7))
	    opts->keytab = strdup(argv[i] + 7);
	if(!strncmp(argv[i], "renew=", 6)) {
	    p = argv[i] + strlen(argv[i]) - 1;
	    unit = 1;
	    if((*p >= 'a') && (*p <= 'z')) {
		if(*p == 'm')
		    unit = 60;
		else if(*p == 'h')
		    unit = 3600;
		else if(*p == 'd')
		    unit = 86400;
		else
		    unit = 1;
	    }
	    opts->renewable = atoi(argv[i] + 6) * unit;
	}
	if(!strcmp(argv[i], "forwardable"))
	    opts->forwardable = 1;
	if(!strcmp(argv[i], "debug"))
	    opts->debug = 1;
    }
    return(opts);
}

static void freeopts(struct options *opts)
{
    if(opts->realm != NULL)
	free(opts->realm);
    if(opts->instance != NULL)
	free(opts->instance);
    if(opts->keytab != NULL)
	free(opts->keytab);
    free(opts);
}

static void freedata(struct data *data)
{
    if(data->hascreds)
	krb5_free_cred_contents(data->ctx, &data->initcreds);
    if(data->cc != NULL)
	krb5_cc_close(data->ctx, data->cc);
    if(data->me != NULL)
	krb5_free_principal(data->ctx, data->me);
    if(data->ctx != NULL)
	krb5_free_context(data->ctx);
    free(data);
}

static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
{
    freedata(data);
}

static struct data *getdata(pam_handle_t *pamh, struct options *opts)
{
    int ret;
    struct data *data;
    char buf[1024];
    const char *user, *instance;
    struct passwd *pwent;
    
    data = NULL;
    pam_get_data(pamh, "krb5auto-data", (const void **)&data);
    if(data == NULL) {
	if(opts->debug)
	    log(LOG_DEBUG, "creating new instance");
	data = malloc(sizeof(*data));
	memset(data, 0, sizeof(*data));
	pam_get_user(pamh, &user, NULL);
	if(user == NULL) {
	    log(LOG_ERR, "could not get user name");
	    freedata(data);
	    return(NULL);
	}
	errno = 0;
	if((pwent = getpwnam(user)) == NULL) {
	    log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
	    freedata(data);
	    return(NULL);
	}
	data->uid = pwent->pw_uid;
	data->gid = pwent->pw_gid;
	if((ret = krb5_init_context(&data->ctx)) != 0) {
	    log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
	    freedata(data);
	    return(NULL);
	}
	if(opts->instance)
	    instance = opts->instance;
	else
	    instance = DEF_INSTANCE;
	if(opts->realm)
	    snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
	else
	    snprintf(buf, sizeof(buf), "%s/%s", user, instance);
	if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
	    log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
	    freedata(data);
	    return(NULL);
	}
	pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
    }
    return(data);
}

static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
    int ret, fd;
    krb5_keytab kt;
    krb5_get_init_creds_opt icopts;
    char buf[1024], *ccname, *filename;
    
    krb5_get_init_creds_opt_init(&icopts);
    kt = NULL;
    
    if(opts->keytab) {
	if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
	    log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
	    ret = PAM_SERVICE_ERR;
	    goto out;
	}
	if(opts->debug)
	    log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
    }
    krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
    krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
    if(data->hascreds) {
	krb5_free_cred_contents(data->ctx, &data->initcreds);
	data->hascreds = 0;
    }
    if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
	log(LOG_ERR, "could not get credentials: %s", error_message(ret));
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    data->hascreds = 1;
    if(opts->debug)
	log(LOG_DEBUG, "got creds successfully");
    snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
    ccname = buf + sizeof("KRB5CCNAME=") - 1;
    filename = ccname + sizeof("FILE:") - 1;
    if((fd = mkstemp(filename)) < 0) {
	log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    close(fd);
    if(opts->debug)
	log(LOG_DEBUG, "created ccache `%s'", filename);
    if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
	log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
	unlink(filename);
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
	log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
	unlink(filename);
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
	log(LOG_ERR, "could not store credentials: %s", error_message(ret));
	unlink(filename);
	ret = PAM_SERVICE_ERR;
	goto out;
    }
    chown(filename, data->uid, data->gid);
    pam_putenv(pamh, strdup(buf));
    if(opts->debug)
	log(LOG_DEBUG, "successfully initialized ccache");
    ret = PAM_SUCCESS;
    
 out:
    if(kt != NULL)
	krb5_kt_close(data->ctx, kt);
    return(ret);
}

static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
{
    if(opts->debug)
	log(LOG_DEBUG, "deleting credentials");
    if(data->hascreds) {
	krb5_free_cred_contents(data->ctx, &data->initcreds);
	data->hascreds = 0;
	if(opts->debug)
	    log(LOG_DEBUG, "freed internal creds");
    }
    if(data->cc != NULL) {
	krb5_cc_destroy(data->ctx, data->cc);
	data->cc = NULL;
	if(opts->debug)
	    log(LOG_DEBUG, "destroyed ccache");
    }
    return(PAM_SUCCESS);
}

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct options *opts;
    
    opts = parseopts(argc, argv);
    if(opts->debug)
	log(LOG_DEBUG, "pam_sm_authenticate called");
    freeopts(opts);
    return(PAM_IGNORE);
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    struct options *opts;
    struct data *data;
    int ret;
    
    opts = parseopts(argc, argv);
    if(opts->debug)
	log(LOG_DEBUG, "pam_sm_setcred called");
    data = getdata(pamh, opts);
    if(data == NULL) {
	log(LOG_ERR, "could not get data, erroring out");
	return(PAM_SERVICE_ERR);
    }
    ret = PAM_SERVICE_ERR;
    if(flags & PAM_ESTABLISH_CRED) {
	ret = savecreds(pamh, opts, data);
    } else if(flags & PAM_DELETE_CRED) {
	ret = delcreds(pamh, opts, data);
    }
    freeopts(opts);
    return(ret);
}

/*
 * Local Variables:
 * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
 * End:
 */
Commit	Line	Data
	1	/*
	2	* pam_krb5auto - Gets initial credentials non-interactively
	3	* Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License as published by
	7	* the Free Software Foundation; either version 2 of the License, or
	8	* (at your option) any later version.
	9	*
	10	* This program is distributed in the hope that it will be useful,
	11	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	12	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	13	* GNU General Public License for more details.
	14	*
	15	* You should have received a copy of the GNU General Public License
	16	* along with this program; if not, write to the Free Software
	17	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	18	*/
	19	#include <stdlib.h>
	20	#include <stdio.h>
	21	#include <unistd.h>
	22	#include <string.h>
	23	#include <stdarg.h>
	24	#include <malloc.h>
	25	#include <krb5.h>
	26	#include <pwd.h>
	27	#include <errno.h>
	28
	29	#define PAM_SM_AUTH
	30
	31	#include <security/pam_modules.h>
	32
	33	#define DEF_INSTANCE "autologin"
	34
	35	struct options
	36	{
	37	char *realm;
	38	char *instance;
	39	char *keytab;
	40	int debug;
	41	int forwardable;
	42	int renewable;
	43	};
	44
	45	struct data
	46	{
	47	krb5_context ctx;
	48	krb5_ccache cc;
	49	krb5_principal me;
	50	krb5_creds initcreds;
	51	int hascreds;
	52	uid_t uid;
	53	gid_t gid;
	54	};
	55
	56	static void log(int prio, char *format, ...)
	57	{
	58	va_list args;
	59	char buf[1024];
	60
	61	va_start(args, format);
	62	snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
	63	vsyslog(prio, buf, args);
	64	va_end(args);
	65	}
	66
	67	static struct options parseopts(int argc, const char *argv)
	68	{
	69	int i;
	70	struct options *opts;
	71	const char *p;
	72	int unit;
	73
	74	opts = malloc(sizeof(*opts));
	75	memset(opts, 0, sizeof(*opts));
	76	for(i = 0; i < argc; i++) {
	77	if(!strncmp(argv[i], "realm=", 6))
	78	opts->realm = strdup(argv[i] + 6);
	79	if(!strncmp(argv[i], "instance=", 9))
	80	opts->instance = strdup(argv[i] + 9);
	81	if(!strncmp(argv[i], "keytab=", 7))
	82	opts->keytab = strdup(argv[i] + 7);
	83	if(!strncmp(argv[i], "renew=", 6)) {
	84	p = argv[i] + strlen(argv[i]) - 1;
	85	unit = 1;
	86	if((p >= 'a') && (p <= 'z')) {
	87	if(*p == 'm')
	88	unit = 60;
	89	else if(*p == 'h')
	90	unit = 3600;
	91	else if(*p == 'd')
	92	unit = 86400;
	93	else
	94	unit = 1;
	95	}
	96	opts->renewable = atoi(argv[i] + 6) * unit;
	97	}
	98	if(!strcmp(argv[i], "forwardable"))
	99	opts->forwardable = 1;
	100	if(!strcmp(argv[i], "debug"))
	101	opts->debug = 1;
	102	}
	103	return(opts);
	104	}
	105
	106	static void freeopts(struct options *opts)
	107	{
	108	if(opts->realm != NULL)
	109	free(opts->realm);
	110	if(opts->instance != NULL)
	111	free(opts->instance);
	112	if(opts->keytab != NULL)
	113	free(opts->keytab);
	114	free(opts);
	115	}
	116
	117	static void freedata(struct data *data)
	118	{
	119	if(data->hascreds)
	120	krb5_free_cred_contents(data->ctx, &data->initcreds);
	121	if(data->cc != NULL)
	122	krb5_cc_close(data->ctx, data->cc);
	123	if(data->me != NULL)
	124	krb5_free_principal(data->ctx, data->me);
	125	if(data->ctx != NULL)
	126	krb5_free_context(data->ctx);
	127	free(data);
	128	}
	129
	130	static void cleanupdata(pam_handle_t pamh, struct data data, int error_status)
	131	{
	132	freedata(data);
	133	}
	134
	135	static struct data getdata(pam_handle_t pamh, struct options *opts)
	136	{
	137	int ret;
	138	struct data *data;
	139	char buf[1024];
	140	const char user, instance;
	141	struct passwd *pwent;
	142
	143	data = NULL;
	144	pam_get_data(pamh, "krb5auto-data", (const void **)&data);
	145	if(data == NULL) {
	146	if(opts->debug)
	147	log(LOG_DEBUG, "creating new instance");
	148	data = malloc(sizeof(*data));
	149	memset(data, 0, sizeof(*data));
	150	pam_get_user(pamh, &user, NULL);
	151	if(user == NULL) {
	152	log(LOG_ERR, "could not get user name");
	153	freedata(data);
	154	return(NULL);
	155	}
	156	errno = 0;
	157	if((pwent = getpwnam(user)) == NULL) {
	158	log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
	159	freedata(data);
	160	return(NULL);
	161	}
	162	data->uid = pwent->pw_uid;
	163	data->gid = pwent->pw_gid;
	164	if((ret = krb5_init_context(&data->ctx)) != 0) {
	165	log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
	166	freedata(data);
	167	return(NULL);
	168	}
	169	if(opts->instance)
	170	instance = opts->instance;
	171	else
	172	instance = DEF_INSTANCE;
	173	if(opts->realm)
	174	snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
	175	else
	176	snprintf(buf, sizeof(buf), "%s/%s", user, instance);
	177	if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
	178	log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
	179	freedata(data);
	180	return(NULL);
	181	}
	182	pam_set_data(pamh, "krb5auto-data", data, (void ()(pam_handle_t , void *, int))cleanupdata);
	183	}
	184	return(data);
	185	}
	186
	187	static int savecreds(pam_handle_t pamh, struct options opts, struct data *data)
	188	{
	189	int ret, fd;
	190	krb5_keytab kt;
	191	krb5_get_init_creds_opt icopts;
	192	char buf[1024], ccname, filename;
	193
	194	krb5_get_init_creds_opt_init(&icopts);
	195	kt = NULL;
	196
	197	if(opts->keytab) {
	198	if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
	199	log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
	200	ret = PAM_SERVICE_ERR;
	201	goto out;
	202	}
	203	if(opts->debug)
	204	log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
	205	}
	206	krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
	207	krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
	208	if(data->hascreds) {
	209	krb5_free_cred_contents(data->ctx, &data->initcreds);
	210	data->hascreds = 0;
	211	}
	212	if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
	213	log(LOG_ERR, "could not get credentials: %s", error_message(ret));
	214	ret = PAM_SERVICE_ERR;
	215	goto out;
	216	}
	217	data->hascreds = 1;
	218	if(opts->debug)
	219	log(LOG_DEBUG, "got creds successfully");
	220	snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
	221	ccname = buf + sizeof("KRB5CCNAME=") - 1;
	222	filename = ccname + sizeof("FILE:") - 1;
	223	if((fd = mkstemp(filename)) < 0) {
	224	log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
	225	ret = PAM_SERVICE_ERR;
	226	goto out;
	227	}
	228	close(fd);
	229	if(opts->debug)
	230	log(LOG_DEBUG, "created ccache `%s'", filename);
	231	if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
	232	log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
	233	unlink(filename);
	234	ret = PAM_SERVICE_ERR;
	235	goto out;
	236	}
	237	if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
	238	log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
	239	unlink(filename);
	240	ret = PAM_SERVICE_ERR;
	241	goto out;
	242	}
	243	if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
	244	log(LOG_ERR, "could not store credentials: %s", error_message(ret));
	245	unlink(filename);
	246	ret = PAM_SERVICE_ERR;
	247	goto out;
	248	}
	249	chown(filename, data->uid, data->gid);
	250	pam_putenv(pamh, strdup(buf));
	251	if(opts->debug)
	252	log(LOG_DEBUG, "successfully initialized ccache");
	253	ret = PAM_SUCCESS;
	254
	255	out:
	256	if(kt != NULL)
	257	krb5_kt_close(data->ctx, kt);
	258	return(ret);
	259	}
	260
	261	static int delcreds(pam_handle_t pamh, struct options opts, struct data *data)
	262	{
	263	if(opts->debug)
	264	log(LOG_DEBUG, "deleting credentials");
	265	if(data->hascreds) {
	266	krb5_free_cred_contents(data->ctx, &data->initcreds);
	267	data->hascreds = 0;
	268	if(opts->debug)
	269	log(LOG_DEBUG, "freed internal creds");
	270	}
	271	if(data->cc != NULL) {
	272	krb5_cc_destroy(data->ctx, data->cc);
	273	data->cc = NULL;
	274	if(opts->debug)
	275	log(LOG_DEBUG, "destroyed ccache");
	276	}
	277	return(PAM_SUCCESS);
	278	}
	279
	280	PAM_EXTERN int pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char *argv)
	281	{
	282	struct options *opts;
	283
	284	opts = parseopts(argc, argv);
	285	if(opts->debug)
	286	log(LOG_DEBUG, "pam_sm_authenticate called");
	287	freeopts(opts);
	288	return(PAM_IGNORE);
	289	}
	290
	291	PAM_EXTERN int pam_sm_setcred(pam_handle_t pamh, int flags, int argc, const char *argv)
	292	{
	293	struct options *opts;
	294	struct data *data;
	295	int ret;
	296
	297	opts = parseopts(argc, argv);
	298	if(opts->debug)
	299	log(LOG_DEBUG, "pam_sm_setcred called");
	300	data = getdata(pamh, opts);
	301	if(data == NULL) {
	302	log(LOG_ERR, "could not get data, erroring out");
	303	return(PAM_SERVICE_ERR);
	304	}
	305	ret = PAM_SERVICE_ERR;
	306	if(flags & PAM_ESTABLISH_CRED) {
	307	ret = savecreds(pamh, opts, data);
	308	} else if(flags & PAM_DELETE_CRED) {
	309	ret = delcreds(pamh, opts, data);
	310	}
	311	freeopts(opts);
	312	return(ret);
	313	}
	314
	315	/*
	316	* Local Variables:
	317	* compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
	318	* End:
	319	*/