1/*	$NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $	*/
2
3/*-
4 * Copyright 2005 Tyler C. Sarna <tsarna@netbsd.org>
5 *
6 * This code is derived from software contributed to The NetBSD Foundation
7 * by Tyler C. Sarna
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Neither the name of The NetBSD Foundation nor the names of its
15 *    contributors may be used to endorse or promote products derived
16 *    from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
19 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
22 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31#include <sys/cdefs.h>
32
33__RCSID("$NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $");
34
35#include <krb5/krb5.h>
36#include <krb5/kafs.h>
37
38#define PAM_SM_AUTH
39#define PAM_SM_CRED
40#include <security/pam_appl.h>
41#include <security/pam_modules.h>
42#include <security/pam_mod_misc.h>
43
44PAM_EXTERN int
45pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
46    int argc __unused, const char *argv[] __unused)
47{
48	return PAM_IGNORE;
49}
50
51PAM_EXTERN int
52pam_sm_setcred(pam_handle_t *pamh, int flags,
53    int argc __unused, const char *argv[] __unused)
54{
55	krb5_context ctx;
56	krb5_ccache ccache;
57	krb5_principal principal;
58	krb5_error_code kret;
59	const void *service = NULL;
60	const char *ccname = NULL;
61	int do_afslog = 0, ret = PAM_SUCCESS;
62
63	pam_get_item(pamh, PAM_SERVICE, &service);
64	if (service == NULL)
65		service = "pam_afslog";
66
67	kret = krb5_init_context(&ctx);
68	if (kret != 0) {
69		PAM_LOG("Error: krb5_init_context() failed");
70		ret = PAM_SERVICE_ERR;
71	} else {
72		ccname = pam_getenv(pamh, "KRB5CCNAME");
73		if (ccname)
74			kret = krb5_cc_resolve(ctx, ccname, &ccache);
75		else
76			kret = krb5_cc_default(ctx, &ccache);
77		if (kret != 0) {
78			PAM_LOG("Error: failed to open ccache");
79			ret = PAM_SERVICE_ERR;
80		} else {
81			kret = krb5_cc_get_principal(ctx, ccache, &principal);
82			if (kret != 0) {
83				PAM_LOG("Error: krb5_cc_get_principal() failed");
84				ret = PAM_SERVICE_ERR;
85			} else {
86				krb5_appdefault_boolean(ctx,
87					(const char *)service,
88					krb5_principal_get_realm(
89						ctx, principal),
90					"afslog", FALSE, &do_afslog);
91
92				/* silently bail if not enabled */
93
94				if (do_afslog && k_hasafs()) {
95					switch (flags & ~PAM_SILENT) {
96					case 0:
97					case PAM_ESTABLISH_CRED:
98						k_setpag();
99
100						/* FALLTHROUGH */
101
102					case PAM_REINITIALIZE_CRED:
103					case PAM_REFRESH_CRED:
104						krb5_afslog(ctx, ccache,
105							NULL, NULL);
106						break;
107
108					case PAM_DELETE_CRED:
109						k_unlog();
110						break;
111					}
112				}
113
114				krb5_free_principal(ctx, principal);
115			}
116
117			krb5_cc_close(ctx, ccache);
118		}
119
120		krb5_free_context(ctx);
121	}
122
123	return ret;
124}
125
126PAM_MODULE_ENTRY("pam_afslog");
127