summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/lib/auth/pam/pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/auth/pam/pam.c')
-rw-r--r--crypto/heimdal/lib/auth/pam/pam.c80
1 files changed, 49 insertions, 31 deletions
diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c
index 1a385e0..c207756 100644
--- a/crypto/heimdal/lib/auth/pam/pam.c
+++ b/crypto/heimdal/lib/auth/pam/pam.c
@@ -33,7 +33,7 @@
#ifdef HAVE_CONFIG_H
#include<config.h>
-RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $");
+RCSID("$Id: pam.c,v 1.26 2000/10/04 20:22:15 bg Exp $");
#endif
#include <stdio.h>
@@ -60,12 +60,12 @@ RCSID("$Id: pam.c,v 1.24 2000/02/18 14:33:06 bg Exp $");
#endif
static void
-log_error(int level, const char *format, ...)
+psyslog(int level, const char *format, ...)
{
va_list args;
va_start(args, format);
openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(level | LOG_AUTH, format, args);
+ vsyslog(level, format, args);
va_end(args);
closelog();
}
@@ -115,7 +115,7 @@ parse_ctrl(int argc, const char **argv)
break;
if (j >= KRB4_CTRLS)
- log_error(LOG_ALERT, "unrecognized option [%s]", *argv);
+ psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
else
ctrl_flags |= krb4_args[j].flag;
}
@@ -128,13 +128,13 @@ pdeb(const char *format, ...)
if (ctrl_off(KRB4_DEBUG))
return;
va_start(args, format);
- openlog("pam_krb4", LOG_PID, LOG_AUTH);
- vsyslog(LOG_DEBUG | LOG_AUTH, format, args);
+ openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
+ vsyslog(LOG_DEBUG, format, args);
va_end(args);
closelog();
}
-#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid())
+#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
static void
set_tkt_string(uid_t uid)
@@ -182,9 +182,14 @@ verify_pass(pam_handle_t *pamh,
old_euid = geteuid();
setreuid(0, 0);
ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
- if (setreuid(old_ruid, old_euid) != 0)
+ pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
+ name, inst, realm, krb_verify,
+ krb_get_err_text(ret));
+ setreuid(old_ruid, old_euid);
+ if (getuid() != old_ruid || geteuid() != old_euid)
{
- log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+ psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+ old_ruid, old_euid, __LINE__);
exit(1);
}
@@ -220,7 +225,7 @@ krb4_auth(pam_handle_t *pamh,
ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
if (ret != PAM_SUCCESS)
{
- log_error(LOG_ERR , "pam_get_item returned error to get-password");
+ psyslog(LOG_ERR , "pam_get_item returned error to get-password");
return ret;
}
else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
@@ -271,6 +276,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
struct passwd *pw;
uid_t uid = -1;
const char *name, *inst;
+ char realm[REALM_SZ];
+ realm[0] = 0;
parse_ctrl(argc, argv);
ENTRY("pam_sm_authenticate");
@@ -316,11 +323,9 @@ pam_sm_authenticate(pam_handle_t *pamh,
*/
if (ret == PAM_SUCCESS && inst[0] != 0)
{
- char realm[REALM_SZ];
uid_t old_euid = geteuid();
uid_t old_ruid = getuid();
- realm[0] = 0;
setreuid(0, 0); /* To read ticket file. */
if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
ret = PAM_SERVICE_ERR;
@@ -334,28 +339,44 @@ pam_sm_authenticate(pam_handle_t *pamh,
if (ret != PAM_SUCCESS)
{
dest_tkt(); /* Passwd known, ok to kill ticket. */
- log_error(LOG_NOTICE,
- "%s.%s@%s is not allowed to log in as %s",
- name, inst, realm, user);
+ psyslog(LOG_NOTICE,
+ "%s.%s@%s is not allowed to log in as %s",
+ name, inst, realm, user);
}
- if (setreuid(old_ruid, old_euid) != 0)
+ setreuid(old_ruid, old_euid);
+ if (getuid() != old_ruid || geteuid() != old_euid)
{
- log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+ psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
+ old_ruid, old_euid, __LINE__);
exit(1);
}
}
if (ret == PAM_SUCCESS)
- chown(tkt_string(), uid, -1);
-
- /* Sun dtlogin unlock screen does not call any other pam_* funcs. */
- if (ret == PAM_SUCCESS
- && ctrl_on(KRB4_REAFSLOG)
- && k_hasafs()
- && (pw = getpwnam(user)) != 0)
- krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir);
+ {
+ psyslog(LOG_INFO,
+ "%s.%s@%s authenticated as user %s",
+ name, inst, realm, user);
+ if (chown(tkt_string(), uid, -1) == -1)
+ {
+ dest_tkt();
+ psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
+ exit(1);
+ }
+ }
+ /*
+ * Kludge alert!!! Sun dtlogin unlock screen fails to call
+ * pam_setcred(3) with PAM_REFRESH_CRED after a successful
+ * authentication attempt, sic.
+ *
+ * This hack is designed as a workaround to that problem.
+ */
+ if (ctrl_on(KRB4_REAFSLOG))
+ if (ret == PAM_SUCCESS)
+ pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
+
return ret;
}
@@ -364,14 +385,13 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
parse_ctrl(argc, argv);
ENTRY("pam_sm_setcred");
- pdeb("flags = 0x%x", flags);
switch (flags & ~PAM_SILENT) {
case 0:
case PAM_ESTABLISH_CRED:
if (k_hasafs())
k_setpag();
- /* Fill PAG with credentials below. */
+ /* Fall through, fill PAG with credentials below. */
case PAM_REINITIALIZE_CRED:
case PAM_REFRESH_CRED:
if (k_hasafs())
@@ -393,7 +413,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
k_unlog();
break;
default:
- log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+ psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
break;
}
@@ -417,9 +437,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
ENTRY("pam_sm_close_session");
/* This isn't really kosher, but it's handy. */
- dest_tkt();
- if (k_hasafs())
- k_unlog();
+ pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
return PAM_SUCCESS;
}
OpenPOWER on IntegriCloud