2 * pam_krb5auto - Gets initial credentials non-interactively
3 * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31 #include <security/pam_modules.h>
33 #define DEF_INSTANCE "autologin"
56 static void log(int prio, char *format, ...)
61 va_start(args, format);
62 snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
63 vsyslog(prio, buf, args);
67 static struct options *parseopts(int argc, const char **argv)
72 opts = malloc(sizeof(*opts));
73 memset(opts, 0, sizeof(*opts));
74 for(i = 0; i < argc; i++) {
75 if(!strncmp(argv[i], "realm=", 6))
76 opts->realm = strdup(argv[i] + 6);
77 if(!strncmp(argv[i], "instance=", 9))
78 opts->instance = strdup(argv[i] + 9);
79 if(!strncmp(argv[i], "keytab=", 7))
80 opts->keytab = strdup(argv[i] + 7);
81 if(!strncmp(argv[i], "renew=", 6))
82 opts->renewable = atoi(argv[i] + 6);
83 if(!strcmp(argv[i], "forwardable"))
84 opts->forwardable = 1;
85 if(!strcmp(argv[i], "debug"))
91 static void freeopts(struct options *opts)
93 if(opts->realm != NULL)
95 if(opts->instance != NULL)
97 if(opts->keytab != NULL)
102 static void freedata(struct data *data)
105 krb5_free_cred_contents(data->ctx, &data->initcreds);
107 krb5_cc_close(data->ctx, data->cc);
109 krb5_free_principal(data->ctx, data->me);
110 if(data->ctx != NULL)
111 krb5_free_context(data->ctx);
115 static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
120 static struct data *getdata(pam_handle_t *pamh, struct options *opts)
125 const char *user, *instance;
126 struct passwd *pwent;
129 pam_get_data(pamh, "krb5auto-data", (const void **)&data);
132 log(LOG_DEBUG, "creating new instance");
133 data = malloc(sizeof(*data));
134 memset(data, 0, sizeof(*data));
135 pam_get_user(pamh, &user, NULL);
137 log(LOG_ERR, "could not get user name");
142 if((pwent = getpwnam(user)) == NULL) {
143 log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
147 data->uid = pwent->pw_uid;
148 data->gid = pwent->pw_gid;
149 if((ret = krb5_init_context(&data->ctx)) != 0) {
150 log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
155 instance = opts->instance;
157 instance = DEF_INSTANCE;
159 snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
161 snprintf(buf, sizeof(buf), "%s/%s", user, instance);
162 if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
163 log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
167 pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
172 static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
176 krb5_get_init_creds_opt icopts;
177 char buf[1024], *ccname, *filename;
179 krb5_get_init_creds_opt_init(&icopts);
183 if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
184 log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
185 ret = PAM_SERVICE_ERR;
189 log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
191 krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
192 krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
194 krb5_free_cred_contents(data->ctx, &data->initcreds);
197 if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
198 log(LOG_ERR, "could not get credentials: %s", error_message(ret));
199 ret = PAM_SERVICE_ERR;
204 log(LOG_DEBUG, "got creds successfully");
205 snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
206 ccname = buf + sizeof("KRB5CCNAME=") - 1;
207 filename = ccname + sizeof("FILE:") - 1;
208 if((fd = mkstemp(filename)) < 0) {
209 log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
210 ret = PAM_SERVICE_ERR;
215 log(LOG_DEBUG, "created ccache `%s'", filename);
216 if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
217 log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
219 ret = PAM_SERVICE_ERR;
222 if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
223 log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
225 ret = PAM_SERVICE_ERR;
228 if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
229 log(LOG_ERR, "could not store credentials: %s", error_message(ret));
231 ret = PAM_SERVICE_ERR;
234 chown(filename, data->uid, data->gid);
235 pam_putenv(pamh, strdup(buf));
237 log(LOG_DEBUG, "successfully initialized ccache");
242 krb5_kt_close(data->ctx, kt);
246 static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
249 log(LOG_DEBUG, "deleting credentials");
251 krb5_free_cred_contents(data->ctx, &data->initcreds);
254 log(LOG_DEBUG, "freed internal creds");
256 if(data->cc != NULL) {
257 krb5_cc_destroy(data->ctx, data->cc);
260 log(LOG_DEBUG, "destroyed ccache");
265 PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
267 struct options *opts;
269 opts = parseopts(argc, argv);
271 log(LOG_DEBUG, "pam_sm_authenticate called");
276 PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
278 struct options *opts;
282 opts = parseopts(argc, argv);
284 log(LOG_DEBUG, "pam_sm_setcred called");
285 data = getdata(pamh, opts);
287 log(LOG_ERR, "could not get data, erroring out");
288 return(PAM_SERVICE_ERR);
290 ret = PAM_SERVICE_ERR;
291 if(flags & PAM_ESTABLISH_CRED) {
292 ret = savecreds(pamh, opts, data);
293 } else if(flags & PAM_DELETE_CRED) {
294 ret = delcreds(pamh, opts, data);
302 * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"