pam.c revision 55682
1/* 2 * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* This code is extremely ugly, and would probably be better off 35 beeing completely rewritten */ 36 37 38#ifdef HAVE_CONFIG_H 39#include<config.h> 40RCSID("$Id: pam.c,v 1.22 1999/12/02 16:58:37 joda Exp $"); 41#endif 42 43#include <stdio.h> 44#include <stdlib.h> 45#include <string.h> 46#include <pwd.h> 47#include <unistd.h> 48#include <sys/types.h> 49 50#define PAM_SM_AUTH 51#define PAM_SM_SESSION 52#include <security/pam_appl.h> 53#include <security/pam_modules.h> 54 55#include <netinet/in.h> 56#include <krb.h> 57#include <kafs.h> 58 59static int 60cleanup(pam_handle_t *pamh, void *data, int error_code) 61{ 62 if(error_code != PAM_SUCCESS) 63 dest_tkt(); 64 free(data); 65 return PAM_SUCCESS; 66} 67 68static int 69doit(pam_handle_t *pamh, char *name, char *inst, char *pwd, char *tkt) 70{ 71 char realm[REALM_SZ]; 72 int ret; 73 74 pam_set_data(pamh, "KRBTKFILE", strdup(tkt), cleanup); 75 krb_set_tkt_string(tkt); 76 77 krb_get_lrealm(realm, 1); 78 ret = krb_verify_user(name, inst, realm, pwd, KRB_VERIFY_SECURE, NULL); 79 memset(pwd, 0, strlen(pwd)); 80 switch(ret){ 81 case KSUCCESS: 82 return PAM_SUCCESS; 83 case KDC_PR_UNKNOWN: 84 return PAM_USER_UNKNOWN; 85 case SKDC_CANT: 86 case SKDC_RETRY: 87 case RD_AP_TIME: 88 return PAM_AUTHINFO_UNAVAIL; 89 default: 90 return PAM_AUTH_ERR; 91 } 92} 93 94static int 95auth_login(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) 96{ 97 int ret; 98 struct pam_message msg, *pmsg; 99 struct pam_response *resp; 100 char prompt[128]; 101 102 pmsg = &msg; 103 msg.msg_style = PAM_PROMPT_ECHO_OFF; 104 snprintf(prompt, sizeof(prompt), "%s's Password: ", user); 105 msg.msg = prompt; 106 107 ret = conv->conv(1, (const struct pam_message**)&pmsg, 108 &resp, conv->appdata_ptr); 109 if(ret != PAM_SUCCESS) 110 return ret; 111 112 { 113 char tkt[1024]; 114 struct passwd *pw = getpwnam(user); 115 116 if(pw){ 117 snprintf(tkt, sizeof(tkt), 118 "%s%u", TKT_ROOT, (unsigned)pw->pw_uid); 119 ret = doit(pamh, user, "", resp->resp, tkt); 120 if(ret == PAM_SUCCESS) 121 chown(tkt, pw->pw_uid, pw->pw_gid); 122 }else 123 ret = PAM_USER_UNKNOWN; 124 memset(resp->resp, 0, strlen(resp->resp)); 125 free(resp->resp); 126 free(resp); 127 } 128 return ret; 129} 130 131static int 132auth_su(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) 133{ 134 int ret; 135 struct passwd *pw; 136 struct pam_message msg, *pmsg; 137 struct pam_response *resp; 138 char prompt[128]; 139 krb_principal pr; 140 141 pr.realm[0] = 0; 142 ret = pam_get_user(pamh, &user, "login: "); 143 if(ret != PAM_SUCCESS) 144 return ret; 145 146 pw = getpwuid(getuid()); 147 if(strcmp(user, "root") == 0){ 148 strlcpy(pr.name, pw->pw_name, sizeof(pr.name)); 149 strlcpy(pr.instance, "root", sizeof(pr.instance)); 150 }else{ 151 strlcpy(pr.name, user, sizeof(pr.name)); 152 pr.instance[0] = 0; 153 } 154 pmsg = &msg; 155 msg.msg_style = PAM_PROMPT_ECHO_OFF; 156 snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&pr)); 157 msg.msg = prompt; 158 159 ret = conv->conv(1, (const struct pam_message**)&pmsg, 160 &resp, conv->appdata_ptr); 161 if(ret != PAM_SUCCESS) 162 return ret; 163 164 { 165 char tkt[1024]; 166 167 snprintf(tkt, sizeof(tkt),"%s_%s_to_%s", 168 TKT_ROOT, pw->pw_name, user); 169 ret = doit(pamh, pr.name, pr.instance, resp->resp, tkt); 170 if(ret == PAM_SUCCESS) 171 chown(tkt, pw->pw_uid, pw->pw_gid); 172 memset(resp->resp, 0, strlen(resp->resp)); 173 free(resp->resp); 174 free(resp); 175 } 176 return ret; 177} 178 179int 180pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) 181{ 182 char *user; 183 int ret; 184 struct pam_conv *conv; 185 ret = pam_get_user(pamh, &user, "login: "); 186 if(ret != PAM_SUCCESS) 187 return ret; 188 189 ret = pam_get_item(pamh, PAM_CONV, (void*)&conv); 190 if(ret != PAM_SUCCESS) 191 return ret; 192 193 194 if(getuid() != geteuid()) 195 return auth_su(pamh, flags, user, conv); 196 else 197 return auth_login(pamh, flags, user, conv); 198} 199 200int 201pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) 202{ 203 return PAM_SUCCESS; 204} 205 206 207int 208pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) 209{ 210 char *tkt, *var; 211 void *user; 212 const char *homedir = NULL; 213 214 if(pam_get_item (pamh, PAM_USER, &user) == PAM_SUCCESS) { 215 struct passwd *pwd; 216 217 pwd = getpwnam ((char *)user); 218 if (pwd != NULL) 219 homedir = pwd->pw_dir; 220 } 221 222 pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt); 223 var = malloc(strlen("KRBTKFILE=") + strlen(tkt) + 1); 224 strcpy(var, "KRBTKFILE="); 225 strcat(var, tkt); 226 putenv(var); 227 pam_putenv(pamh, var); 228 if(k_hasafs()){ 229 k_setpag(); 230 krb_afslog_home(0, 0, homedir); 231 } 232 return PAM_SUCCESS; 233} 234 235 236int 237pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) 238{ 239 dest_tkt(); 240 if(k_hasafs()) 241 k_unlog(); 242 return PAM_SUCCESS; 243} 244