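/* $NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $ */

/*-
 * Copyright 2005 Tyler C. Sarna <tsarna@netbsd.org>
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Tyler C. Sarna
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Neither the name of The NetBSD Foundation nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>

__RCSID("$NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $");

#include <krb5/krb5.h>
#include <krb5/kafs.h>

#define PAM_SM_AUTH
#define PAM_SM_CRED
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

/*
 * Authentication hook.  This module performs no authentication of its own
 * and always answers PAM_IGNORE, so it never contributes to the auth
 * verdict of the stack; all of its work happens in pam_sm_setcred().
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	return PAM_IGNORE;
}

/*
 * Credential hook: obtain or discard AFS tokens from the Kerberos
 * credential cache.
 *
 * The cache is the one named by KRB5CCNAME in the PAM environment, or the
 * library default when that variable is absent.  The work is only done when
 * the "afslog" appdefault is true for the PAM service name and the realm of
 * the cache's principal (default FALSE), and k_hasafs() reports AFS.
 *
 * flags (ignoring PAM_SILENT):
 *   0, PAM_ESTABLISH_CRED                    k_setpag(), then krb5_afslog()
 *   PAM_REINITIALIZE_CRED, PAM_REFRESH_CRED  krb5_afslog() only
 *   PAM_DELETE_CRED                          k_unlog()
 *
 * Returns PAM_SERVICE_ERR when the Kerberos context, the credential cache
 * or its principal cannot be obtained, PAM_SUCCESS otherwise.  Failures of
 * the AFS calls themselves are logged but do not change the return value,
 * so a missing token never fails the stack.
 *
 * NOTE(review): KRB5CCNAME is used as found in the PAM environment with no
 * validation here; presumably an earlier Kerberos module in the stack sets
 * it -- confirm for each service that uses this module.
 *
 * NOTE(review): PAM_DELETE_CRED reaches k_unlog() only after the cache has
 * been opened and its principal read.  If the cache is already gone when
 * this module runs, the function returns PAM_SERVICE_ERR and the tokens are
 * left in place -- check module ordering in the stack.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags,
    int argc __unused, const char *argv[] __unused)
{
	krb5_context ctx;
	krb5_ccache ccache;
	krb5_principal principal;
	krb5_error_code kret;
	const void *service = NULL;
	const char *ccname = NULL;
	int do_afslog = 0, ret = PAM_SUCCESS;

	/* The service name selects the appdefaults section; fall back to ours. */
	pam_get_item(pamh, PAM_SERVICE, &service);
	if (service == NULL)
		service = "pam_afslog";

	kret = krb5_init_context(&ctx);
	if (kret != 0) {
		PAM_LOG("Error: krb5_init_context() failed");
		return PAM_SERVICE_ERR;
	}

	ccname = pam_getenv(pamh, "KRB5CCNAME");
	if (ccname)
		kret = krb5_cc_resolve(ctx, ccname, &ccache);
	else
		kret = krb5_cc_default(ctx, &ccache);
	if (kret != 0) {
		PAM_LOG("Error: failed to open ccache");
		ret = PAM_SERVICE_ERR;
		goto out_ctx;
	}

	kret = krb5_cc_get_principal(ctx, ccache, &principal);
	if (kret != 0) {
		PAM_LOG("Error: krb5_cc_get_principal() failed");
		ret = PAM_SERVICE_ERR;
		goto out_ccache;
	}

	krb5_appdefault_boolean(ctx, (const char *)service,
	    krb5_principal_get_realm(ctx, principal),
	    "afslog", FALSE, &do_afslog);

	/* silently bail if not enabled */
	if (do_afslog && k_hasafs()) {
		switch (flags & ~PAM_SILENT) {
		case 0:
		case PAM_ESTABLISH_CRED:
			/*
			 * NOTE(review): when k_setpag() fails the token is
			 * still requested below, so it is not isolated in a
			 * fresh PAG -- confirm that is acceptable.
			 */
			if (k_setpag() != 0) {
				PAM_LOG("Error: k_setpag() failed");
			}

			/* FALLTHROUGH */

		case PAM_REINITIALIZE_CRED:
		case PAM_REFRESH_CRED:
			kret = krb5_afslog(ctx, ccache, NULL, NULL);
			if (kret != 0) {
				PAM_LOG("Error: krb5_afslog() failed");
			}
			break;

		case PAM_DELETE_CRED:
			if (k_unlog() != 0) {
				PAM_LOG("Error: k_unlog() failed");
			}
			break;

		default:
			/* Unknown flag combination: nothing to do. */
			break;
		}
	}

	krb5_free_principal(ctx, principal);

out_ccache:
	krb5_cc_close(ctx, ccache);

out_ctx:
	krb5_free_context(ctx);

	return ret;
}

PAM_MODULE_ENTRY("pam_afslog");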