X-Git-Url: http://dolda2000.com/gitweb/?p=utils.git;a=blobdiff_plain;f=pam_krb5auto.c;h=3ca6bf447b0b55b73f2850c2337467801617b0a0;hp=cf1e5e758ae44a05b72f18ec2e39679281fd17a9;hb=f7bd9b51138dbccb7cc2fd27f07ef66d5d2d79cf;hpb=dc647f87d4a534c14cc08972a25541da44dd49dc

diff --git a/pam_krb5auto.c b/pam_krb5auto.c
index cf1e5e7..3ca6bf4 100644
--- a/pam_krb5auto.c
+++ b/pam_krb5auto.c
@@ -1,14 +1,320 @@
+/*
+ *  pam_krb5auto - Gets initial credentials non-interactively
+ *  Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+*/
 #include <stdlib.h>
+#include <stdio.h>
 #include <unistd.h>
+#include <string.h>
+#include <stdarg.h>
+#include <malloc.h>
+#include <syslog.h>
 #include <krb5.h>
+#include <pwd.h>
+#include <errno.h>
 
 #define PAM_SM_AUTH
 
 #include <security/pam_modules.h>
 
+#define DEF_INSTANCE "autologin"
+
+struct options
+{
+    char *realm;
+    char *instance;
+    char *keytab;
+    int debug;
+    int forwardable;
+    int renewable;
+};
+
+struct data
+{
+    krb5_context ctx;
+    krb5_ccache cc;
+    krb5_principal me;
+    krb5_creds initcreds;
+    int hascreds;
+    uid_t uid;
+    gid_t gid;
+};
+
+static void log(int prio, char *format, ...)
+{
+    va_list args;
+    char buf[1024];
+    
+    va_start(args, format);
+    snprintf(buf, sizeof(buf), "pam_krb5auto[%i]: %s", getpid(), format);
+    vsyslog(prio, buf, args);
+    va_end(args);
+}
+
+static struct options *parseopts(int argc, const char **argv)
+{
+    int i;
+    struct options *opts;
+    const char *p;
+    int unit;
+    
+    opts = malloc(sizeof(*opts));
+    memset(opts, 0, sizeof(*opts));
+    for(i = 0; i < argc; i++) {
+	if(!strncmp(argv[i], "realm=", 6))
+	    opts->realm = strdup(argv[i] + 6);
+	if(!strncmp(argv[i], "instance=", 9))
+	    opts->instance = strdup(argv[i] + 9);
+	if(!strncmp(argv[i], "keytab=", 7))
+	    opts->keytab = strdup(argv[i] + 7);
+	if(!strncmp(argv[i], "renew=", 6)) {
+	    p = argv[i] + strlen(argv[i]) - 1;
+	    unit = 1;
+	    if((*p >= 'a') && (*p <= 'z')) {
+		if(*p == 'm')
+		    unit = 60;
+		else if(*p == 'h')
+		    unit = 3600;
+		else if(*p == 'd')
+		    unit = 86400;
+		else
+		    unit = 1;
+	    }
+	    opts->renewable = atoi(argv[i] + 6) * unit;
+	}
+	if(!strcmp(argv[i], "forwardable"))
+	    opts->forwardable = 1;
+	if(!strcmp(argv[i], "debug"))
+	    opts->debug = 1;
+    }
+    return(opts);
+}
+
+static void freeopts(struct options *opts)
+{
+    if(opts->realm != NULL)
+	free(opts->realm);
+    if(opts->instance != NULL)
+	free(opts->instance);
+    if(opts->keytab != NULL)
+	free(opts->keytab);
+    free(opts);
+}
+
+static void freedata(struct data *data)
+{
+    if(data->hascreds)
+	krb5_free_cred_contents(data->ctx, &data->initcreds);
+    if(data->cc != NULL)
+	krb5_cc_close(data->ctx, data->cc);
+    if(data->me != NULL)
+	krb5_free_principal(data->ctx, data->me);
+    if(data->ctx != NULL)
+	krb5_free_context(data->ctx);
+    free(data);
+}
+
+static void cleanupdata(pam_handle_t *pamh, struct data *data, int error_status)
+{
+    freedata(data);
+}
+
+static struct data *getdata(pam_handle_t *pamh, struct options *opts)
+{
+    int ret;
+    struct data *data;
+    char buf[1024];
+    const char *user, *instance;
+    struct passwd *pwent;
+    
+    data = NULL;
+    pam_get_data(pamh, "krb5auto-data", (const void **)&data);
+    if(data == NULL) {
+	if(opts->debug)
+	    log(LOG_DEBUG, "creating new instance");
+	data = malloc(sizeof(*data));
+	memset(data, 0, sizeof(*data));
+	pam_get_user(pamh, &user, NULL);
+	if(user == NULL) {
+	    log(LOG_ERR, "could not get user name");
+	    freedata(data);
+	    return(NULL);
+	}
+	errno = 0;
+	if((pwent = getpwnam(user)) == NULL) {
+	    log(LOG_ERR, "could not user information for `%s': %s", user, (errno == 0)?"user not found":strerror(errno));
+	    freedata(data);
+	    return(NULL);
+	}
+	data->uid = pwent->pw_uid;
+	data->gid = pwent->pw_gid;
+	if((ret = krb5_init_context(&data->ctx)) != 0) {
+	    log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
+	    freedata(data);
+	    return(NULL);
+	}
+	if(opts->instance)
+	    instance = opts->instance;
+	else
+	    instance = DEF_INSTANCE;
+	if(opts->realm)
+	    snprintf(buf, sizeof(buf), "%s/%s@%s", user, instance, opts->realm);
+	else
+	    snprintf(buf, sizeof(buf), "%s/%s", user, instance);
+	if((ret = krb5_parse_name(data->ctx, buf, &data->me)) != 0) {
+	    log(LOG_ERR, "could not parse principal name `%s': %s", buf, error_message(ret));
+	    freedata(data);
+	    return(NULL);
+	}
+	pam_set_data(pamh, "krb5auto-data", data, (void (*)(pam_handle_t *, void *, int))cleanupdata);
+    }
+    return(data);
+}
+
+static int savecreds(pam_handle_t *pamh, struct options *opts, struct data *data)
+{
+    int ret, fd;
+    krb5_keytab kt;
+    krb5_get_init_creds_opt icopts;
+    char buf[1024], *ccname, *filename;
+    
+    krb5_get_init_creds_opt_init(&icopts);
+    kt = NULL;
+    
+    if(opts->keytab) {
+	if((ret = krb5_kt_resolve(data->ctx, opts->keytab, &kt)) != 0) {
+	    log(LOG_ERR, "could not resolve keytab `%s': %s", opts->keytab, error_message(ret));
+	    ret = PAM_SERVICE_ERR;
+	    goto out;
+	}
+	if(opts->debug)
+	    log(LOG_DEBUG, "using keytab `%s'", opts->keytab);
+    }
+    krb5_get_init_creds_opt_set_forwardable(&icopts, opts->forwardable);
+    krb5_get_init_creds_opt_set_renew_life(&icopts, opts->renewable);
+    if(data->hascreds) {
+	krb5_free_cred_contents(data->ctx, &data->initcreds);
+	data->hascreds = 0;
+    }
+    if((ret = krb5_get_init_creds_keytab(data->ctx, &data->initcreds, data->me, kt, 0, NULL, &icopts)) != 0) {
+	log(LOG_ERR, "could not get credentials: %s", error_message(ret));
+	ret = PAM_SERVICE_ERR;
+	goto out;
+    }
+    data->hascreds = 1;
+    if(opts->debug)
+	log(LOG_DEBUG, "got creds successfully");
+    snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
+    ccname = buf + sizeof("KRB5CCNAME=") - 1;
+    filename = ccname + sizeof("FILE:") - 1;
+    if((fd = mkstemp(filename)) < 0) {
+	log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
+	ret = PAM_SERVICE_ERR;
+	goto out;
+    }
+    close(fd);
+    if(opts->debug)
+	log(LOG_DEBUG, "created ccache `%s'", filename);
+    if((ret = krb5_cc_resolve(data->ctx, ccname, &data->cc)) != 0) {
+	log(LOG_ERR, "could not resolve ccache `%s': %s", ccname, error_message(ret));
+	unlink(filename);
+	ret = PAM_SERVICE_ERR;
+	goto out;
+    }
+    if((ret = krb5_cc_initialize(data->ctx, data->cc, data->me)) != 0) {
+	log(LOG_ERR, "could not initialize credentials cache `%s': %s", ccname, error_message(ret));
+	unlink(filename);
+	ret = PAM_SERVICE_ERR;
+	goto out;
+    }
+    if((ret = krb5_cc_store_cred(data->ctx, data->cc, &data->initcreds)) != 0) {
+	log(LOG_ERR, "could not store credentials: %s", error_message(ret));
+	unlink(filename);
+	ret = PAM_SERVICE_ERR;
+	goto out;
+    }
+    chown(filename, data->uid, data->gid);
+    pam_putenv(pamh, strdup(buf));
+    if(opts->debug)
+	log(LOG_DEBUG, "successfully initialized ccache");
+    ret = PAM_SUCCESS;
+    
+ out:
+    if(kt != NULL)
+	krb5_kt_close(data->ctx, kt);
+    return(ret);
+}
+
+static int delcreds(pam_handle_t *pamh, struct options *opts, struct data *data)
+{
+    if(opts->debug)
+	log(LOG_DEBUG, "deleting credentials");
+    if(data->hascreds) {
+	krb5_free_cred_contents(data->ctx, &data->initcreds);
+	data->hascreds = 0;
+	if(opts->debug)
+	    log(LOG_DEBUG, "freed internal creds");
+    }
+    if(data->cc != NULL) {
+	krb5_cc_destroy(data->ctx, data->cc);
+	data->cc = NULL;
+	if(opts->debug)
+	    log(LOG_DEBUG, "destroyed ccache");
+    }
+    return(PAM_SUCCESS);
+}
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+    struct options *opts;
+    
+    opts = parseopts(argc, argv);
+    if(opts->debug)
+	log(LOG_DEBUG, "pam_sm_authenticate called");
+    freeopts(opts);
+    return(PAM_IGNORE);
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+    struct options *opts;
+    struct data *data;
+    int ret;
+    
+    opts = parseopts(argc, argv);
+    if(opts->debug)
+	log(LOG_DEBUG, "pam_sm_setcred called");
+    data = getdata(pamh, opts);
+    if(data == NULL) {
+	log(LOG_ERR, "could not get data, erroring out");
+	return(PAM_SERVICE_ERR);
+    }
+    ret = PAM_SERVICE_ERR;
+    if(flags & PAM_ESTABLISH_CRED) {
+	ret = savecreds(pamh, opts, data);
+    } else if(flags & PAM_DELETE_CRED) {
+	ret = delcreds(pamh, opts, data);
+    }
+    freeopts(opts);
+    return(ret);
+}
 
 /*
  * Local Variables:
- * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c"
+ * compile-command: "gcc -Wall -g --shared -fPIC -o pam_krb5auto.so pam_krb5auto.c -lkrb5"
  * End:
  */