X-Git-Url: http://dolda2000.com/gitweb/?p=utils.git;a=blobdiff_plain;f=pam_krb5auto.c;h=3ca6bf447b0b55b73f2850c2337467801617b0a0;hp=54dce9d56823aa741f4afc08d920731624144c25;hb=f7bd9b51138dbccb7cc2fd27f07ef66d5d2d79cf;hpb=4aa1b80bc056898a8fce3b181ce3bd3f6a2e3938 diff --git a/pam_krb5auto.c b/pam_krb5auto.c index 54dce9d..3ca6bf4 100644 --- a/pam_krb5auto.c +++ b/pam_krb5auto.c @@ -1,10 +1,31 @@ +/* + * pam_krb5auto - Gets initial credentials non-interactively + * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +*/ #include #include #include #include #include #include +#include #include +#include +#include #define PAM_SM_AUTH @@ -18,6 +39,8 @@ struct options char *instance; char *keytab; int debug; + int forwardable; + int renewable; }; struct data @@ -25,6 +48,10 @@ struct data krb5_context ctx; krb5_ccache cc; krb5_principal me; + krb5_creds initcreds; + int hascreds; + uid_t uid; + gid_t gid; }; static void log(int prio, char *format, ...) @@ -42,6 +69,8 @@ static struct options *parseopts(int argc, const char **argv) { int i; struct options *opts; + const char *p; + int unit; opts = malloc(sizeof(*opts)); memset(opts, 0, sizeof(*opts)); @@ -52,6 +81,23 @@ static struct options *parseopts(int argc, const char **argv) opts->instance = strdup(argv[i] + 9); if(!strncmp(argv[i], "keytab=", 7)) opts->keytab = strdup(argv[i] + 7); + if(!strncmp(argv[i], "renew=", 6)) { + p = argv[i] + strlen(argv[i]) - 1; + unit = 1; + if((*p >= 'a') && (*p <= 'z')) { + if(*p == 'm') + unit = 60; + else if(*p == 'h') + unit = 3600; + else if(*p == 'd') + unit = 86400; + else + unit = 1; + } + opts->renewable = atoi(argv[i] + 6) * unit; + } + if(!strcmp(argv[i], "forwardable")) + opts->forwardable = 1; if(!strcmp(argv[i], "debug")) opts->debug = 1; } @@ -71,6 +117,10 @@ static void freeopts(struct options *opts) static void freedata(struct data *data) { + if(data->hascreds) + krb5_free_cred_contents(data->ctx, &data->initcreds); + if(data->cc != NULL) + krb5_cc_close(data->ctx, data->cc); if(data->me != NULL) krb5_free_principal(data->ctx, data->me); if(data->ctx != NULL) @@ -89,6 +139,7 @@ static struct data *getdata(pam_handle_t *pamh, struct options *opts) struct data *data; char buf[1024]; const char *user, *instance; + struct passwd *pwent; data = NULL; pam_get_data(pamh, "krb5auto-data", (const void **)&data); @@ -97,12 +148,25 @@ static struct data *getdata(pam_handle_t *pamh, struct options *opts) log(LOG_DEBUG, "creating new instance"); data = malloc(sizeof(*data)); memset(data, 0, sizeof(*data)); + pam_get_user(pamh, &user, NULL); + if(user == NULL) { + log(LOG_ERR, "could not get user name"); + freedata(data); + return(NULL); + } + errno = 0; + if((pwent = getpwnam(user)) == NULL) { + log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno)); + freedata(data); + return(NULL); + } + data->uid = pwent->pw_uid; + data->gid = pwent->pw_gid; if((ret = krb5_init_context(&data->ctx)) != 0) { log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret)); freedata(data); return(NULL); } - pam_get_user(pamh, &user, NULL); if(opts->instance) instance = opts->instance; else @@ -121,12 +185,107 @@ static struct data *getdata(pam_handle_t *pamh, struct options *opts) return(data); } -static void savecreds(struct options *opts, struct data *data) +static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data) { + int ret, fd; + krb5_keytab kt; + krb5_get_init_creds_opt icopts; + char buf[1024], *ccname, *filename; + + krb5_get_init_creds_opt_init(&icopts); + kt = NULL; + + if(opts->keytab) { + if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) { + log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret)); + ret = PAM_SERVICE_ERR; + goto out; + } + if(opts->debug) + log(LOG_DEBUG, "using keytab `%s'", opts->keytab); + } + krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable); + krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable); + if(data->hascreds) { + krb5_free_cred_contents(data->ctx, &data->initcreds); + data->hascreds = 0; + } + if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) { + log(LOG_ERR, "could not get credentials: %s", error_message(ret)); + ret = PAM_SERVICE_ERR; + goto out; + } + data->hascreds = 1; + if(opts->debug) + log(LOG_DEBUG, "got creds successfully"); + snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid); + ccname = buf + sizeof("KRB5CCNAME=") - 1; + filename = ccname + sizeof("FILE:") - 1; + if((fd = mkstemp(filename)) < 0) { + log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno)); + ret = PAM_SERVICE_ERR; + goto out; + } + close(fd); + if(opts->debug) + log(LOG_DEBUG, "created ccache `%s'", filename); + if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) { + log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret)); + unlink(filename); + ret = PAM_SERVICE_ERR; + goto out; + } + if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) { + log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret)); + unlink(filename); + ret = PAM_SERVICE_ERR; + goto out; + } + if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) { + log(LOG_ERR, "could not store credentials: %s", error_message(ret)); + unlink(filename); + ret = PAM_SERVICE_ERR; + goto out; + } + chown(filename, data->uid, data->gid); + pam_putenv(pamh, strdup(buf)); + if(opts->debug) + log(LOG_DEBUG, "successfully initialized ccache"); + ret = PAM_SUCCESS; + + out: + if(kt != NULL) + krb5_kt_close(data->ctx, kt); + return(ret); +} + +static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data) +{ + if(opts->debug) + log(LOG_DEBUG, "deleting credentials"); + if(data->hascreds) { + krb5_free_cred_contents(data->ctx, &data->initcreds); + data->hascreds = 0; + if(opts->debug) + log(LOG_DEBUG, "freed internal creds"); + } + if(data->cc != NULL) { + krb5_cc_destroy(data->ctx, data->cc); + data->cc = NULL; + if(opts->debug) + log(LOG_DEBUG, "destroyed ccache"); + } + return(PAM_SUCCESS); } PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct options *opts; + + opts = parseopts(argc, argv); + if(opts->debug) + log(LOG_DEBUG, "pam_sm_authenticate called"); + freeopts(opts); return(PAM_IGNORE); } @@ -134,18 +293,24 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const cha { struct options *opts; struct data *data; + int ret; opts = parseopts(argc, argv); + if(opts->debug) + log(LOG_DEBUG, "pam_sm_setcred called"); data = getdata(pamh, opts); if(data == NULL) { log(LOG_ERR, "could not get data, erroring out"); return(PAM_SERVICE_ERR); } + ret = PAM_SERVICE_ERR; if(flags & PAM_ESTABLISH_CRED) { - savecreds(opts, data); + ret = savecreds(pamh, opts, data); + } else if(flags & PAM_DELETE_CRED) { + ret = delcreds(pamh, opts, data); } freeopts(opts); - return(PAM_IGNORE); + return(ret); } /*