summaryrefslogtreecommitdiffstats
path: root/crypto/kerberosIV/lib/auth/pam/pam.c
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/kerberosIV/lib/auth/pam/pam.c')
-rw-r--r--crypto/kerberosIV/lib/auth/pam/pam.c443
1 files changed, 0 insertions, 443 deletions
diff --git a/crypto/kerberosIV/lib/auth/pam/pam.c b/crypto/kerberosIV/lib/auth/pam/pam.c
deleted file mode 100644
index 22dfc74..0000000
--- a/crypto/kerberosIV/lib/auth/pam/pam.c
+++ /dev/null
@@ -1,443 +0,0 @@
-/*
- * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include<config.h>
-RCSID("$Id: pam.c,v 1.22.2.2 2000/10/13 15:41:09 assar Exp $");
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <pwd.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <syslog.h>
-
-#include <security/pam_appl.h>
-#include <security/pam_modules.h>
-#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */
-#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
-#endif
-
-#include <netinet/in.h>
-#include <krb.h>
-#include <kafs.h>
-
-#if 0
-/* Debugging PAM modules is a royal pain, truss helps. */
-#define DEBUG(msg) (access(msg " at line", __LINE__))
-#endif
-
-static void
-psyslog(int level, const char *format, ...)
-{
- va_list args;
- va_start(args, format);
- openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(level, format, args);
- va_end(args);
- closelog();
-}
-
-enum {
- KRB4_DEBUG,
- KRB4_USE_FIRST_PASS,
- KRB4_TRY_FIRST_PASS,
- KRB4_IGNORE_ROOT,
- KRB4_NO_VERIFY,
- KRB4_REAFSLOG,
- KRB4_CTRLS /* Number of ctrl arguments defined. */
-};
-
-#define KRB4_DEFAULTS 0
-
-static int ctrl_flags = KRB4_DEFAULTS;
-#define ctrl_on(x) (krb4_args[x].flag & ctrl_flags)
-#define ctrl_off(x) (!ctrl_on(x))
-
-typedef struct
-{
- const char *token;
- unsigned int flag;
-} krb4_ctrls_t;
-
-static krb4_ctrls_t krb4_args[KRB4_CTRLS] =
-{
- /* KRB4_DEBUG */ { "debug", 0x01 },
- /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 },
- /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 },
- /* KRB4_IGNORE_ROOT */ { "ignore_root", 0x08 },
- /* KRB4_NO_VERIFY */ { "no_verify", 0x10 },
- /* KRB4_REAFSLOG */ { "reafslog", 0x20 },
-};
-
-static void
-parse_ctrl(int argc, const char **argv)
-{
- int i, j;
-
- ctrl_flags = KRB4_DEFAULTS;
- for (i = 0; i < argc; i++)
- {
- for (j = 0; j < KRB4_CTRLS; j++)
- if (strcmp(argv[i], krb4_args[j].token) == 0)
- break;
-
- if (j >= KRB4_CTRLS)
- psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
- else
- ctrl_flags |= krb4_args[j].flag;
- }
-}
-
-static void
-pdeb(const char *format, ...)
-{
- va_list args;
- if (ctrl_off(KRB4_DEBUG))
- return;
- va_start(args, format);
- openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(LOG_DEBUG, format, args);
- va_end(args);
- closelog();
-}
-
-#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
-
-static void
-set_tkt_string(uid_t uid)
-{
- char buf[128];
-
- snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid);
- krb_set_tkt_string(buf);
-
-#if 0
- /* pam_set_data+pam_get_data are not guaranteed to work, grr. */
- pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup);
- if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS)
- {
- pam_putenv(pamh, var);
- }
-#endif
-
- /* We don't want to inherit this variable.
- * If we still do, it must have a sane value. */
- if (getenv("KRBTKFILE") != 0)
- {
- char *var = malloc(sizeof(buf));
- snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string());
- putenv(var);
- /* free(var); XXX */
- }
-}
-
-static int
-verify_pass(pam_handle_t *pamh,
- const char *name,
- const char *inst,
- const char *pass)
-{
- char realm[REALM_SZ];
- int ret, krb_verify, old_euid, old_ruid;
-
- krb_get_lrealm(realm, 1);
- if (ctrl_on(KRB4_NO_VERIFY))
- krb_verify = KRB_VERIFY_SECURE_FAIL;
- else
- krb_verify = KRB_VERIFY_SECURE;
- old_ruid = getuid();
- old_euid = geteuid();
- setreuid(0, 0);
- ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
- pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
- name, inst, realm, krb_verify,
- krb_get_err_text(ret));
- setreuid(old_ruid, old_euid);
- if (getuid() != old_ruid || geteuid() != old_euid)
- {
- psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
- old_ruid, old_euid, __LINE__);
- exit(1);
- }
-
- switch(ret) {
- case KSUCCESS:
- return PAM_SUCCESS;
- case KDC_PR_UNKNOWN:
- return PAM_USER_UNKNOWN;
- case SKDC_CANT:
- case SKDC_RETRY:
- case RD_AP_TIME:
- return PAM_AUTHINFO_UNAVAIL;
- default:
- return PAM_AUTH_ERR;
- }
-}
-
-static int
-krb4_auth(pam_handle_t *pamh,
- int flags,
- const char *name,
- const char *inst,
- struct pam_conv *conv)
-{
- struct pam_response *resp;
- char prompt[128];
- struct pam_message msg, *pmsg = &msg;
- int ret;
-
- if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS))
- {
- char *pass = 0;
- ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
- if (ret != PAM_SUCCESS)
- {
- psyslog(LOG_ERR , "pam_get_item returned error to get-password");
- return ret;
- }
- else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
- return PAM_SUCCESS;
- else if (ctrl_on(KRB4_USE_FIRST_PASS))
- return PAM_AUTHTOK_RECOVERY_ERR; /* Wrong password! */
- else
- /* We tried the first password but it didn't work, cont. */;
- }
-
- msg.msg_style = PAM_PROMPT_ECHO_OFF;
- if (*inst == 0)
- snprintf(prompt, sizeof(prompt), "%s's Password: ", name);
- else
- snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst);
- msg.msg = prompt;
-
- ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
- if (ret != PAM_SUCCESS)
- return ret;
-
- ret = verify_pass(pamh, name, inst, resp->resp);
- if (ret == PAM_SUCCESS)
- {
- memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */
- free(resp->resp);
- free(resp);
- }
- else
- {
- pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */
- /* free(resp->resp); XXX */
- /* free(resp); XXX */
- }
-
- return ret;
-}
-
-int
-pam_sm_authenticate(pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv)
-{
- char *user;
- int ret;
- struct pam_conv *conv;
- struct passwd *pw;
- uid_t uid = -1;
- const char *name, *inst;
- char realm[REALM_SZ];
- realm[0] = 0;
-
- parse_ctrl(argc, argv);
- ENTRY("pam_sm_authenticate");
-
- ret = pam_get_user(pamh, &user, "login: ");
- if (ret != PAM_SUCCESS)
- return ret;
-
- if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0)
- return PAM_AUTHINFO_UNAVAIL;
-
- ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
- if (ret != PAM_SUCCESS)
- return ret;
-
- pw = getpwnam(user);
- if (pw != 0)
- {
- uid = pw->pw_uid;
- set_tkt_string(uid);
- }
-
- if (strcmp(user, "root") == 0 && getuid() != 0)
- {
- pw = getpwuid(getuid());
- if (pw != 0)
- {
- name = strdup(pw->pw_name);
- inst = "root";
- }
- }
- else
- {
- name = user;
- inst = "";
- }
-
- ret = krb4_auth(pamh, flags, name, inst, conv);
-
- /*
- * The realm was lost inside krb_verify_user() so we can't simply do
- * a krb_kuserok() when inst != "".
- */
- if (ret == PAM_SUCCESS && inst[0] != 0)
- {
- uid_t old_euid = geteuid();
- uid_t old_ruid = getuid();
-
- setreuid(0, 0); /* To read ticket file. */
- if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
- ret = PAM_SERVICE_ERR;
- else if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
- {
- setreuid(0, uid); /* To read ~/.klogin. */
- if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
- ret = PAM_PERM_DENIED;
- }
-
- if (ret != PAM_SUCCESS)
- {
- dest_tkt(); /* Passwd known, ok to kill ticket. */
- psyslog(LOG_NOTICE,
- "%s.%s@%s is not allowed to log in as %s",
- name, inst, realm, user);
- }
-
- setreuid(old_ruid, old_euid);
- if (getuid() != old_ruid || geteuid() != old_euid)
- {
- psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
- old_ruid, old_euid, __LINE__);
- exit(1);
- }
- }
-
- if (ret == PAM_SUCCESS)
- {
- psyslog(LOG_INFO,
- "%s.%s@%s authenticated as user %s",
- name, inst, realm, user);
- if (chown(tkt_string(), uid, -1) == -1)
- {
- dest_tkt();
- psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
- exit(1);
- }
- }
-
- /*
- * Kludge alert!!! Sun dtlogin unlock screen fails to call
- * pam_setcred(3) with PAM_REFRESH_CRED after a successful
- * authentication attempt, sic.
- *
- * This hack is designed as a workaround to that problem.
- */
- if (ctrl_on(KRB4_REAFSLOG))
- if (ret == PAM_SUCCESS)
- pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
-
- return ret;
-}
-
-int
-pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- parse_ctrl(argc, argv);
- ENTRY("pam_sm_setcred");
-
- switch (flags & ~PAM_SILENT) {
- case 0:
- case PAM_ESTABLISH_CRED:
- if (k_hasafs())
- k_setpag();
- /* Fall through, fill PAG with credentials below. */
- case PAM_REINITIALIZE_CRED:
- case PAM_REFRESH_CRED:
- if (k_hasafs())
- {
- void *user = 0;
-
- if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
- {
- struct passwd *pw = getpwnam((char *)user);
- if (pw != 0)
- krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
- pw->pw_uid, pw->pw_dir);
- }
- }
- break;
- case PAM_DELETE_CRED:
- dest_tkt();
- if (k_hasafs())
- k_unlog();
- break;
- default:
- psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
- break;
- }
-
- return PAM_SUCCESS;
-}
-
-int
-pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- parse_ctrl(argc, argv);
- ENTRY("pam_sm_open_session");
-
- return PAM_SUCCESS;
-}
-
-
-int
-pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
-{
- parse_ctrl(argc, argv);
- ENTRY("pam_sm_close_session");
-
- /* This isn't really kosher, but it's handy. */
- pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
-
- return PAM_SUCCESS;
-}
OpenPOWER on IntegriCloud