diff options
Diffstat (limited to 'crypto/heimdal/lib/auth/pam')
-rw-r--r-- | crypto/heimdal/lib/auth/pam/Makefile.am | 3 | ||||
-rw-r--r-- | crypto/heimdal/lib/auth/pam/Makefile.in | 491 | ||||
-rw-r--r-- | crypto/heimdal/lib/auth/pam/pam.c | 243 | ||||
-rw-r--r-- | crypto/heimdal/lib/auth/pam/pam.conf.add | 76 |
4 files changed, 813 insertions, 0 deletions
diff --git a/crypto/heimdal/lib/auth/pam/Makefile.am b/crypto/heimdal/lib/auth/pam/Makefile.am new file mode 100644 index 0000000..abde2d9 --- /dev/null +++ b/crypto/heimdal/lib/auth/pam/Makefile.am @@ -0,0 +1,3 @@ +# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ + +include $(top_srcdir)/Makefile.am.common diff --git a/crypto/heimdal/lib/auth/pam/Makefile.in b/crypto/heimdal/lib/auth/pam/Makefile.in new file mode 100644 index 0000000..37f8d22 --- /dev/null +++ b/crypto/heimdal/lib/auth/pam/Makefile.in @@ -0,0 +1,491 @@ +# Makefile.in generated automatically by automake 1.4 from Makefile.am + +# Copyright (C) 1994, 1995-8, 1999 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ + + +# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $ + + +# $Id: Makefile.am.common,v 1.13 1999/11/01 03:19:58 assar Exp $ + + +SHELL = @SHELL@ + +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +VPATH = @srcdir@ +prefix = @prefix@ +exec_prefix = @exec_prefix@ + +bindir = @bindir@ +sbindir = @sbindir@ +libexecdir = @libexecdir@ +datadir = @datadir@ +sysconfdir = @sysconfdir@ +sharedstatedir = @sharedstatedir@ +localstatedir = @localstatedir@ +libdir = @libdir@ +infodir = @infodir@ +mandir = @mandir@ +includedir = @includedir@ +oldincludedir = /usr/include + +DESTDIR = + +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ + +top_builddir = ../../.. + +ACLOCAL = @ACLOCAL@ +AUTOCONF = @AUTOCONF@ +AUTOMAKE = @AUTOMAKE@ +AUTOHEADER = @AUTOHEADER@ + +INSTALL = @INSTALL@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ $(AM_INSTALL_PROGRAM_FLAGS) +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +transform = @program_transform_name@ + +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +host_alias = @host_alias@ +host_triplet = @host@ +AFS_EXTRA_LD = @AFS_EXTRA_LD@ +AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AWK = @AWK@ +CANONICAL_HOST = @CANONICAL_HOST@ +CATMAN = @CATMAN@ +CATMANEXT = @CATMANEXT@ +CC = @CC@ +DBLIB = @DBLIB@ +EXEEXT = @EXEEXT@ +EXTRA_LIB45 = @EXTRA_LIB45@ +GROFF = @GROFF@ +INCLUDE_ = @INCLUDE_@ +LD = @LD@ +LEX = @LEX@ +LIBOBJS = @LIBOBJS@ +LIBTOOL = @LIBTOOL@ +LIB_ = @LIB_@ +LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ +LIB_kdb = @LIB_kdb@ +LIB_otp = @LIB_otp@ +LIB_roken = @LIB_roken@ +LIB_security = @LIB_security@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MAKE_X_PROGS_BIN_PROGS = @MAKE_X_PROGS_BIN_PROGS@ +MAKE_X_PROGS_BIN_SCRPTS = @MAKE_X_PROGS_BIN_SCRPTS@ +MAKE_X_PROGS_LIBEXEC_PROGS = @MAKE_X_PROGS_LIBEXEC_PROGS@ +NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@ +NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@ +NM = @NM@ +NROFF = @NROFF@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +RANLIB = @RANLIB@ +VERSION = @VERSION@ +VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ +WFLAGS = @WFLAGS@ +WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ +WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ +YACC = @YACC@ + +AUTOMAKE_OPTIONS = foreign no-dependencies + +SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x + +INCLUDES = -I$(top_builddir)/include + +AM_CFLAGS = $(WFLAGS) + +COMPILE_ET = $(top_builddir)/lib/com_err/compile_et + +buildinclude = $(top_builddir)/include + +LIB_XauReadAuth = @LIB_XauReadAuth@ +LIB_crypt = @LIB_crypt@ +LIB_dbm_firstkey = @LIB_dbm_firstkey@ +LIB_dbopen = @LIB_dbopen@ +LIB_dlopen = @LIB_dlopen@ +LIB_dn_expand = @LIB_dn_expand@ +LIB_el_init = @LIB_el_init@ +LIB_getattr = @LIB_getattr@ +LIB_gethostbyname = @LIB_gethostbyname@ +LIB_getpwent_r = @LIB_getpwent_r@ +LIB_getpwnam_r = @LIB_getpwnam_r@ +LIB_getsockopt = @LIB_getsockopt@ +LIB_logout = @LIB_logout@ +LIB_logwtmp = @LIB_logwtmp@ +LIB_odm_initialize = @LIB_odm_initialize@ +LIB_readline = @LIB_readline@ +LIB_res_search = @LIB_res_search@ +LIB_setpcred = @LIB_setpcred@ +LIB_setsockopt = @LIB_setsockopt@ +LIB_socket = @LIB_socket@ +LIB_syslog = @LIB_syslog@ +LIB_tgetent = @LIB_tgetent@ + +HESIODLIB = @HESIODLIB@ +HESIODINCLUDE = @HESIODINCLUDE@ +INCLUDE_hesiod = @INCLUDE_hesiod@ +LIB_hesiod = @LIB_hesiod@ + +INCLUDE_krb4 = @INCLUDE_krb4@ +LIB_krb4 = @LIB_krb4@ + +INCLUDE_readline = @INCLUDE_readline@ + +LEXLIB = @LEXLIB@ + +cat1dir = $(mandir)/cat1 +cat3dir = $(mandir)/cat3 +cat5dir = $(mandir)/cat5 +cat8dir = $(mandir)/cat8 + +MANRX = \(.*\)\.\([0-9]\) +CATSUFFIX = @CATSUFFIX@ + +NROFF_MAN = groff -mandoc -Tascii + +@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) + +@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la $(top_builddir)/lib/asn1/libasn1.la +@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la + +CHECK_LOCAL = $(PROGRAMS) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = ../../../include/config.h +CONFIG_CLEAN_FILES = +CFLAGS = @CFLAGS@ +COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ +DIST_COMMON = Makefile.am Makefile.in + + +DISTFILES = $(DIST_COMMON) $(SOURCES) $(HEADERS) $(TEXINFOS) $(EXTRA_DIST) + +TAR = tar +GZIP_ENV = --best +all: all-redirect +.SUFFIXES: +.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x +$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common + cd $(top_srcdir) && $(AUTOMAKE) --foreign lib/auth/pam/Makefile + +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + cd $(top_builddir) \ + && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status + +tags: TAGS +TAGS: + + +distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir) + +subdir = lib/auth/pam + +distdir: $(DISTFILES) + @for file in $(DISTFILES); do \ + d=$(srcdir); \ + if test -d $$d/$$file; then \ + cp -pr $$/$$file $(distdir)/$$file; \ + else \ + test -f $(distdir)/$$file \ + || ln $$d/$$file $(distdir)/$$file 2> /dev/null \ + || cp -p $$d/$$file $(distdir)/$$file || :; \ + fi; \ + done + $(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook +info-am: +info: info-am +dvi-am: +dvi: dvi-am +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-local +check: check-am +installcheck-am: +installcheck: installcheck-am +install-exec-am: + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-exec-hook +install-exec: install-exec-am + +install-data-am: install-data-local +install-data: install-data-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am +install: install-am +uninstall-am: +uninstall: uninstall-am +all-am: Makefile all-local +all-redirect: all-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) AM_INSTALL_PROGRAM_FLAGS=-s install +installdirs: + + +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -rm -f Makefile $(CONFIG_CLEAN_FILES) + -rm -f config.cache config.log stamp-h stamp-h[0-9]* + +maintainer-clean-generic: +mostlyclean-am: mostlyclean-generic + +mostlyclean: mostlyclean-am + +clean-am: clean-generic mostlyclean-am + +clean: clean-am + +distclean-am: distclean-generic clean-am + -rm -f libtool + +distclean: distclean-am + +maintainer-clean-am: maintainer-clean-generic distclean-am + @echo "This command is intended for maintainers to use;" + @echo "it deletes files that may require special tools to rebuild." + +maintainer-clean: maintainer-clean-am + +.PHONY: tags distdir info-am info dvi-am dvi check-local check check-am \ +installcheck-am installcheck install-exec-am install-exec \ +install-data-local install-data-am install-data install-am install \ +uninstall-am uninstall all-local all-redirect all-am all installdirs \ +mostlyclean-generic distclean-generic clean-generic \ +maintainer-clean-generic clean mostlyclean distclean maintainer-clean + + +install-suid-programs: + @foo='$(bin_SUIDS)'; \ + for file in $$foo; do \ + x=$(DESTDIR)$(bindir)/$$file; \ + if chown 0:0 $$x && chmod u+s $$x; then :; else \ + chmod 0 $$x; fi; done + +install-exec-hook: install-suid-programs + +install-build-headers:: $(include_HEADERS) $(build_HEADERZ) + @foo='$(include_HEADERS) $(build_HEADERZ)'; \ + for f in $$foo; do \ + f=`basename $$f`; \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " cp $$file $(buildinclude)/$$f"; \ + cp $$file $(buildinclude)/$$f; \ + fi ; \ + done + +all-local: install-build-headers +#NROFF_MAN = nroff -man +.1.cat1: + $(NROFF_MAN) $< > $@ +.3.cat3: + $(NROFF_MAN) $< > $@ +.5.cat5: + $(NROFF_MAN) $< > $@ +.8.cat8: + $(NROFF_MAN) $< > $@ + +dist-cat1-mans: + @foo='$(man1_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.1) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat3-mans: + @foo='$(man3_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.3) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat5-mans: + @foo='$(man5_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.5) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat8-mans: + @foo='$(man8_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.8) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans + +install-cat1-mans: + @ext=1;\ + foo='$(man1_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.1) foo="$$foo $$i";; \ + esac; done; \ + if test "$$foo"; then \ + $(mkinstalldirs) $(DESTDIR)$(cat1dir); \ + for x in $$foo; do \ + f=`echo $$x | sed 's/\.[^.]*$$/.cat1/'`; \ + if test -f "$(srcdir)/$$f"; then \ + b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ + echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX)";\ + $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat1dir)/$$b.$(CATSUFFIX);\ + fi; \ + done ;\ + fi + +install-cat3-mans: + @ext=3;\ + foo='$(man3_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.3) foo="$$foo $$i";; \ + esac; done; \ + if test "$$foo"; then \ + $(mkinstalldirs) $(DESTDIR)$(cat3dir); \ + for x in $$foo; do \ + f=`echo $$x | sed 's/\.[^.]*$$/.cat3/'`; \ + if test -f "$(srcdir)/$$f"; then \ + b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ + echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX)";\ + $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat3dir)/$$b.$(CATSUFFIX);\ + fi; \ + done ;\ + fi + +install-cat5-mans: + @ext=5;\ + foo='$(man5_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.5) foo="$$foo $$i";; \ + esac; done; \ + if test "$$foo"; then \ + $(mkinstalldirs) $(DESTDIR)$(cat5dir); \ + for x in $$foo; do \ + f=`echo $$x | sed 's/\.[^.]*$$/.cat5/'`; \ + if test -f "$(srcdir)/$$f"; then \ + b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ + echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX)";\ + $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat5dir)/$$b.$(CATSUFFIX);\ + fi; \ + done ;\ + fi + +install-cat8-mans: + @ext=8;\ + foo='$(man8_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.8) foo="$$foo $$i";; \ + esac; done; \ + if test "$$foo"; then \ + $(mkinstalldirs) $(DESTDIR)$(cat8dir); \ + for x in $$foo; do \ + f=`echo $$x | sed 's/\.[^.]*$$/.cat8/'`; \ + if test -f "$(srcdir)/$$f"; then \ + b=`echo $$x | sed 's!$(MANRX)!\1!'`; \ + echo "$(INSTALL_DATA) $(srcdir)/$$f $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX)";\ + $(INSTALL_DATA) $(srcdir)/$$g $(DESTDIR)$(cat8dir)/$$b.$(CATSUFFIX);\ + fi; \ + done ;\ + fi + +install-cat-mans: install-cat1-mans install-cat3-mans install-cat5-mans install-cat8-mans + +install-data-local: install-cat-mans + +.et.h: + $(COMPILE_ET) $< +.et.c: + $(COMPILE_ET) $< + +.x.c: + @cmp -s $< $@ 2> /dev/null || cp $< $@ + +check-local:: + @foo='$(CHECK_LOCAL)'; \ + if test "$$foo"; then \ + failed=0; all=0; \ + for i in $$foo; do \ + all=`expr $$all + 1`; \ + if ./$$i --version > /dev/null 2>&1; then \ + echo "PASS: $$i"; \ + else \ + echo "FAIL: $$i"; \ + failed=`expr $$failed + 1`; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="$$failed of $$all tests failed"; \ + fi; \ + dashes=`echo "$$banner" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + fi + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/crypto/heimdal/lib/auth/pam/pam.c b/crypto/heimdal/lib/auth/pam/pam.c new file mode 100644 index 0000000..d919bf8 --- /dev/null +++ b/crypto/heimdal/lib/auth/pam/pam.c @@ -0,0 +1,243 @@ +/* + * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* This code is extremely ugly, and would probably be better off + beeing completely rewritten */ + + +#ifdef HAVE_CONFIG_H +#include<config.h> +RCSID("$Id: pam.c,v 1.22 1999/12/02 16:58:37 joda Exp $"); +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <pwd.h> +#include <unistd.h> +#include <sys/types.h> + +#define PAM_SM_AUTH +#define PAM_SM_SESSION +#include <security/pam_appl.h> +#include <security/pam_modules.h> + +#include <netinet/in.h> +#include <krb.h> +#include <kafs.h> + +static int +cleanup(pam_handle_t *pamh, void *data, int error_code) +{ + if(error_code != PAM_SUCCESS) + dest_tkt(); + free(data); + return PAM_SUCCESS; +} + +static int +doit(pam_handle_t *pamh, char *name, char *inst, char *pwd, char *tkt) +{ + char realm[REALM_SZ]; + int ret; + + pam_set_data(pamh, "KRBTKFILE", strdup(tkt), cleanup); + krb_set_tkt_string(tkt); + + krb_get_lrealm(realm, 1); + ret = krb_verify_user(name, inst, realm, pwd, KRB_VERIFY_SECURE, NULL); + memset(pwd, 0, strlen(pwd)); + switch(ret){ + case KSUCCESS: + return PAM_SUCCESS; + case KDC_PR_UNKNOWN: + return PAM_USER_UNKNOWN; + case SKDC_CANT: + case SKDC_RETRY: + case RD_AP_TIME: + return PAM_AUTHINFO_UNAVAIL; + default: + return PAM_AUTH_ERR; + } +} + +static int +auth_login(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) +{ + int ret; + struct pam_message msg, *pmsg; + struct pam_response *resp; + char prompt[128]; + + pmsg = &msg; + msg.msg_style = PAM_PROMPT_ECHO_OFF; + snprintf(prompt, sizeof(prompt), "%s's Password: ", user); + msg.msg = prompt; + + ret = conv->conv(1, (const struct pam_message**)&pmsg, + &resp, conv->appdata_ptr); + if(ret != PAM_SUCCESS) + return ret; + + { + char tkt[1024]; + struct passwd *pw = getpwnam(user); + + if(pw){ + snprintf(tkt, sizeof(tkt), + "%s%u", TKT_ROOT, (unsigned)pw->pw_uid); + ret = doit(pamh, user, "", resp->resp, tkt); + if(ret == PAM_SUCCESS) + chown(tkt, pw->pw_uid, pw->pw_gid); + }else + ret = PAM_USER_UNKNOWN; + memset(resp->resp, 0, strlen(resp->resp)); + free(resp->resp); + free(resp); + } + return ret; +} + +static int +auth_su(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) +{ + int ret; + struct passwd *pw; + struct pam_message msg, *pmsg; + struct pam_response *resp; + char prompt[128]; + krb_principal pr; + + pr.realm[0] = 0; + ret = pam_get_user(pamh, &user, "login: "); + if(ret != PAM_SUCCESS) + return ret; + + pw = getpwuid(getuid()); + if(strcmp(user, "root") == 0){ + strlcpy(pr.name, pw->pw_name, sizeof(pr.name)); + strlcpy(pr.instance, "root", sizeof(pr.instance)); + }else{ + strlcpy(pr.name, user, sizeof(pr.name)); + pr.instance[0] = 0; + } + pmsg = &msg; + msg.msg_style = PAM_PROMPT_ECHO_OFF; + snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&pr)); + msg.msg = prompt; + + ret = conv->conv(1, (const struct pam_message**)&pmsg, + &resp, conv->appdata_ptr); + if(ret != PAM_SUCCESS) + return ret; + + { + char tkt[1024]; + + snprintf(tkt, sizeof(tkt),"%s_%s_to_%s", + TKT_ROOT, pw->pw_name, user); + ret = doit(pamh, pr.name, pr.instance, resp->resp, tkt); + if(ret == PAM_SUCCESS) + chown(tkt, pw->pw_uid, pw->pw_gid); + memset(resp->resp, 0, strlen(resp->resp)); + free(resp->resp); + free(resp); + } + return ret; +} + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + char *user; + int ret; + struct pam_conv *conv; + ret = pam_get_user(pamh, &user, "login: "); + if(ret != PAM_SUCCESS) + return ret; + + ret = pam_get_item(pamh, PAM_CONV, (void*)&conv); + if(ret != PAM_SUCCESS) + return ret; + + + if(getuid() != geteuid()) + return auth_su(pamh, flags, user, conv); + else + return auth_login(pamh, flags, user, conv); +} + +int +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return PAM_SUCCESS; +} + + +int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + char *tkt, *var; + void *user; + const char *homedir = NULL; + + if(pam_get_item (pamh, PAM_USER, &user) == PAM_SUCCESS) { + struct passwd *pwd; + + pwd = getpwnam ((char *)user); + if (pwd != NULL) + homedir = pwd->pw_dir; + } + + pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt); + var = malloc(strlen("KRBTKFILE=") + strlen(tkt) + 1); + strcpy(var, "KRBTKFILE="); + strcat(var, tkt); + putenv(var); + pam_putenv(pamh, var); + if(k_hasafs()){ + k_setpag(); + krb_afslog_home(0, 0, homedir); + } + return PAM_SUCCESS; +} + + +int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + dest_tkt(); + if(k_hasafs()) + k_unlog(); + return PAM_SUCCESS; +} diff --git a/crypto/heimdal/lib/auth/pam/pam.conf.add b/crypto/heimdal/lib/auth/pam/pam.conf.add new file mode 100644 index 0000000..42497d2 --- /dev/null +++ b/crypto/heimdal/lib/auth/pam/pam.conf.add @@ -0,0 +1,76 @@ +To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch: + +--- /etc/pam.conf.DIST Mon Jul 20 15:37:46 1998 ++++ /etc/pam.conf Tue Nov 30 18:47:22 1999 +@@ -4,12 +4,14 @@ + # + # Authentication management + # ++login auth sufficient /usr/athena/lib/pam_krb4.so + login auth required /usr/lib/security/pam_unix.so.1 + login auth required /usr/lib/security/pam_dial_auth.so.1 + # + rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 + rlogin auth required /usr/lib/security/pam_unix.so.1 + # ++dtlogin auth sufficient /usr/athena/lib/pam_krb4.so + dtlogin auth required /usr/lib/security/pam_unix.so.1 + # + rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 +@@ -24,6 +26,8 @@ + # + # Session management + # ++dtlogin session required /usr/athena/lib/pam_krb4.so ++login session required /usr/athena/lib/pam_krb4.so + other session required /usr/lib/security/pam_unix.so.1 + # + # Password management +--------------------------------------------------------------------------- +To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches: + +--- /etc/pam.d/login~ Thu Jul 8 00:14:02 1999 ++++ /etc/pam.d/login Mon Aug 30 14:33:12 1999 +@@ -1,9 +1,12 @@ + #%PAM-1.0 ++# Updated to work with kerberos ++auth sufficient /lib/security/pam_krb4.so + auth required /lib/security/pam_securetty.so + auth required /lib/security/pam_pwdb.so shadow nullok + auth required /lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password required /lib/security/pam_pwdb.so nullok use_authtok shadow ++session required /lib/security/pam_krb4.so + session required /lib/security/pam_pwdb.so + session optional /lib/security/pam_console.so +--- /etc/pam.d/xdm~ Mon Jun 14 17:39:05 1999 ++++ /etc/pam.d/xdm Mon Aug 30 14:54:51 1999 +@@ -1,8 +1,10 @@ + #%PAM-1.0 ++auth sufficient /lib/security/pam_krb4.so + auth required /lib/security/pam_pwdb.so shadow nullok + auth required /lib/security/pam_nologin.so + account required /lib/security/pam_pwdb.so + password required /lib/security/pam_cracklib.so + password required /lib/security/pam_pwdb.so shadow nullok use_authtok ++session required /lib/security/pam_krb4.so + session required /lib/security/pam_pwdb.so + session optional /lib/security/pam_console.so +-------------------------------------------------------------------------- + +This stuff may work under some other system. + +# To get this to work, you will have to add entries to /etc/pam.conf +# +# To make login kerberos-aware, you might change pam.conf to look +# like: + +# login authorization +login auth sufficient /lib/security/pam_krb4.so +login auth required /lib/security/pam_securetty.so +login auth required /lib/security/pam_unix_auth.so +login account required /lib/security/pam_unix_acct.so +login password required /lib/security/pam_unix_passwd.so +login session required /lib/security/pam_krb4.so +login session required /lib/security/pam_unix_session.so |