diff options
Diffstat (limited to 'crypto/kerberosIV/lib/auth/pam')
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/Makefile.am | 3 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/Makefile.in | 87 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/README | 25 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/pam.c | 443 | ||||
-rw-r--r-- | crypto/kerberosIV/lib/auth/pam/pam.conf.add | 81 |
5 files changed, 0 insertions, 639 deletions
diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.am b/crypto/kerberosIV/lib/auth/pam/Makefile.am deleted file mode 100644 index abde2d9..0000000 --- a/crypto/kerberosIV/lib/auth/pam/Makefile.am +++ /dev/null @@ -1,3 +0,0 @@ -# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ - -include $(top_srcdir)/Makefile.am.common diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.in b/crypto/kerberosIV/lib/auth/pam/Makefile.in deleted file mode 100644 index 4369532..0000000 --- a/crypto/kerberosIV/lib/auth/pam/Makefile.in +++ /dev/null @@ -1,87 +0,0 @@ -# -# $Id: Makefile.in,v 1.25.2.2 2000/12/07 16:44:11 assar Exp $ -# - -SHELL = /bin/sh - -srcdir = @srcdir@ -VPATH = @srcdir@ - -CC = @CC@ -LINK = @LINK@ -AR = ar -RANLIB = @RANLIB@ -DEFS = @DEFS@ -CFLAGS = @CFLAGS@ $(WFLAGS) -WFLAGS = @WFLAGS@ - -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -MKINSTALLDIRS = @top_srcdir@/mkinstalldirs - -prefix = @prefix@ -exec_prefix = @exec_prefix@ -libdir = @libdir@ - -PICFLAGS = @REAL_PICFLAGS@ -LDSHARED = @LDSHARED@ -SHLIBEXT = @REAL_SHLIBEXT@ -LD_FLAGS = @REAL_LD_FLAGS@ - -LIB_res_search = @LIB_res_search@ -LIB_dn_expand = @LIB_dn_expand@ - -@lib_deps_yes@LIB_DEPS = ../../kafs/libkafs_pic.a \ -@lib_deps_yes@ ../../krb/libkrb_pic.a ../../des/libdes_pic.a \ -@lib_deps_yes@ $(LIB_res_search) $(LIB_dn_expand) -lpam -lc -@lib_deps_no@LIB_DEPS = - -LIBNAME = pam_krb4 -LIB = $(LIBNAME).$(SHLIBEXT) - -SOURCES = pam.c - -OBJECTS = pam.o - -all: $(LIB) - -Wall: - make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" - -.c.o: - $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< - -install: all - $(MKINSTALLDIRS) $(DESTDIR)$(libdir) - -if test "$(LIB)" != ""; then \ - $(INSTALL_DATA) $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -uninstall: - -if test "$(LIB)" != ""; then \ - rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ - fi - -TAGS: $(SOURCES) - etags $(SOURCES) - -check: - -clean: - rm -f $(LIB) *.o - -mostlyclean: clean - -distclean: clean - rm -f Makefile *.tab.c *~ - -realclean: distclean - rm -f TAGS - -$(OBJECTS): ../../../include/config.h - -$(LIB): $(OBJECTS) - rm -f $@ - $(LDSHARED) -Wl,-Bsymbolic -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS) - -.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/pam/README b/crypto/kerberosIV/lib/auth/pam/README deleted file mode 100644 index 2c45a53..0000000 --- a/crypto/kerberosIV/lib/auth/pam/README +++ /dev/null @@ -1,25 +0,0 @@ - -PAM ---- - -The PAM module was written more out of curiosity that anything else. It -has not been updated for quite a while, but it seems to mostly work on -both Linux and Solaris. - -To use this module you should: - - * Make sure `pam_krb4.so' is available in `/usr/athena/lib'. You - might actually want it on local disk, so `/lib/security' might be a - better place if `/usr/athena' is not local. - - * Look at `pam.conf.add' for examples of what to add to - `/etc/pam.conf'. - -There is currently no support for changing kerberos passwords. Use -kpasswd instead. - -See also Derrick J Brashear's `<shadow@dementia.org>' Kerberos PAM -module at -<ftp://ftp.dementia.org/pub/pam>. It has a lot more features, and it is -also more in line with other PAM modules. - diff --git a/crypto/kerberosIV/lib/auth/pam/pam.c b/crypto/kerberosIV/lib/auth/pam/pam.c deleted file mode 100644 index 22dfc74..0000000 --- a/crypto/kerberosIV/lib/auth/pam/pam.c +++ /dev/null @@ -1,443 +0,0 @@ -/* - * Copyright (c) 1995 - 2000 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#ifdef HAVE_CONFIG_H -#include<config.h> -RCSID("$Id: pam.c,v 1.22.2.2 2000/10/13 15:41:09 assar Exp $"); -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <pwd.h> -#include <unistd.h> -#include <sys/types.h> -#include <syslog.h> - -#include <security/pam_appl.h> -#include <security/pam_modules.h> -#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */ -#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR -#endif - -#include <netinet/in.h> -#include <krb.h> -#include <kafs.h> - -#if 0 -/* Debugging PAM modules is a royal pain, truss helps. */ -#define DEBUG(msg) (access(msg " at line", __LINE__)) -#endif - -static void -psyslog(int level, const char *format, ...) -{ - va_list args; - va_start(args, format); - openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(level, format, args); - va_end(args); - closelog(); -} - -enum { - KRB4_DEBUG, - KRB4_USE_FIRST_PASS, - KRB4_TRY_FIRST_PASS, - KRB4_IGNORE_ROOT, - KRB4_NO_VERIFY, - KRB4_REAFSLOG, - KRB4_CTRLS /* Number of ctrl arguments defined. */ -}; - -#define KRB4_DEFAULTS 0 - -static int ctrl_flags = KRB4_DEFAULTS; -#define ctrl_on(x) (krb4_args[x].flag & ctrl_flags) -#define ctrl_off(x) (!ctrl_on(x)) - -typedef struct -{ - const char *token; - unsigned int flag; -} krb4_ctrls_t; - -static krb4_ctrls_t krb4_args[KRB4_CTRLS] = -{ - /* KRB4_DEBUG */ { "debug", 0x01 }, - /* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 }, - /* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 }, - /* KRB4_IGNORE_ROOT */ { "ignore_root", 0x08 }, - /* KRB4_NO_VERIFY */ { "no_verify", 0x10 }, - /* KRB4_REAFSLOG */ { "reafslog", 0x20 }, -}; - -static void -parse_ctrl(int argc, const char **argv) -{ - int i, j; - - ctrl_flags = KRB4_DEFAULTS; - for (i = 0; i < argc; i++) - { - for (j = 0; j < KRB4_CTRLS; j++) - if (strcmp(argv[i], krb4_args[j].token) == 0) - break; - - if (j >= KRB4_CTRLS) - psyslog(LOG_ALERT, "unrecognized option [%s]", *argv); - else - ctrl_flags |= krb4_args[j].flag; - } -} - -static void -pdeb(const char *format, ...) -{ - va_list args; - if (ctrl_off(KRB4_DEBUG)) - return; - va_start(args, format); - openlog("pam_krb4", LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(LOG_DEBUG, format, args); - va_end(args); - closelog(); -} - -#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid()) - -static void -set_tkt_string(uid_t uid) -{ - char buf[128]; - - snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid); - krb_set_tkt_string(buf); - -#if 0 - /* pam_set_data+pam_get_data are not guaranteed to work, grr. */ - pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup); - if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS) - { - pam_putenv(pamh, var); - } -#endif - - /* We don't want to inherit this variable. - * If we still do, it must have a sane value. */ - if (getenv("KRBTKFILE") != 0) - { - char *var = malloc(sizeof(buf)); - snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string()); - putenv(var); - /* free(var); XXX */ - } -} - -static int -verify_pass(pam_handle_t *pamh, - const char *name, - const char *inst, - const char *pass) -{ - char realm[REALM_SZ]; - int ret, krb_verify, old_euid, old_ruid; - - krb_get_lrealm(realm, 1); - if (ctrl_on(KRB4_NO_VERIFY)) - krb_verify = KRB_VERIFY_SECURE_FAIL; - else - krb_verify = KRB_VERIFY_SECURE; - old_ruid = getuid(); - old_euid = geteuid(); - setreuid(0, 0); - ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL); - pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s", - name, inst, realm, krb_verify, - krb_get_err_text(ret)); - setreuid(old_ruid, old_euid); - if (getuid() != old_ruid || geteuid() != old_euid) - { - psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", - old_ruid, old_euid, __LINE__); - exit(1); - } - - switch(ret) { - case KSUCCESS: - return PAM_SUCCESS; - case KDC_PR_UNKNOWN: - return PAM_USER_UNKNOWN; - case SKDC_CANT: - case SKDC_RETRY: - case RD_AP_TIME: - return PAM_AUTHINFO_UNAVAIL; - default: - return PAM_AUTH_ERR; - } -} - -static int -krb4_auth(pam_handle_t *pamh, - int flags, - const char *name, - const char *inst, - struct pam_conv *conv) -{ - struct pam_response *resp; - char prompt[128]; - struct pam_message msg, *pmsg = &msg; - int ret; - - if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS)) - { - char *pass = 0; - ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); - if (ret != PAM_SUCCESS) - { - psyslog(LOG_ERR , "pam_get_item returned error to get-password"); - return ret; - } - else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS) - return PAM_SUCCESS; - else if (ctrl_on(KRB4_USE_FIRST_PASS)) - return PAM_AUTHTOK_RECOVERY_ERR; /* Wrong password! */ - else - /* We tried the first password but it didn't work, cont. */; - } - - msg.msg_style = PAM_PROMPT_ECHO_OFF; - if (*inst == 0) - snprintf(prompt, sizeof(prompt), "%s's Password: ", name); - else - snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst); - msg.msg = prompt; - - ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr); - if (ret != PAM_SUCCESS) - return ret; - - ret = verify_pass(pamh, name, inst, resp->resp); - if (ret == PAM_SUCCESS) - { - memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */ - free(resp->resp); - free(resp); - } - else - { - pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */ - /* free(resp->resp); XXX */ - /* free(resp); XXX */ - } - - return ret; -} - -int -pam_sm_authenticate(pam_handle_t *pamh, - int flags, - int argc, - const char **argv) -{ - char *user; - int ret; - struct pam_conv *conv; - struct passwd *pw; - uid_t uid = -1; - const char *name, *inst; - char realm[REALM_SZ]; - realm[0] = 0; - - parse_ctrl(argc, argv); - ENTRY("pam_sm_authenticate"); - - ret = pam_get_user(pamh, &user, "login: "); - if (ret != PAM_SUCCESS) - return ret; - - if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0) - return PAM_AUTHINFO_UNAVAIL; - - ret = pam_get_item(pamh, PAM_CONV, (void*)&conv); - if (ret != PAM_SUCCESS) - return ret; - - pw = getpwnam(user); - if (pw != 0) - { - uid = pw->pw_uid; - set_tkt_string(uid); - } - - if (strcmp(user, "root") == 0 && getuid() != 0) - { - pw = getpwuid(getuid()); - if (pw != 0) - { - name = strdup(pw->pw_name); - inst = "root"; - } - } - else - { - name = user; - inst = ""; - } - - ret = krb4_auth(pamh, flags, name, inst, conv); - - /* - * The realm was lost inside krb_verify_user() so we can't simply do - * a krb_kuserok() when inst != "". - */ - if (ret == PAM_SUCCESS && inst[0] != 0) - { - uid_t old_euid = geteuid(); - uid_t old_ruid = getuid(); - - setreuid(0, 0); /* To read ticket file. */ - if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS) - ret = PAM_SERVICE_ERR; - else if (krb_kuserok(name, inst, realm, user) != KSUCCESS) - { - setreuid(0, uid); /* To read ~/.klogin. */ - if (krb_kuserok(name, inst, realm, user) != KSUCCESS) - ret = PAM_PERM_DENIED; - } - - if (ret != PAM_SUCCESS) - { - dest_tkt(); /* Passwd known, ok to kill ticket. */ - psyslog(LOG_NOTICE, - "%s.%s@%s is not allowed to log in as %s", - name, inst, realm, user); - } - - setreuid(old_ruid, old_euid); - if (getuid() != old_ruid || geteuid() != old_euid) - { - psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", - old_ruid, old_euid, __LINE__); - exit(1); - } - } - - if (ret == PAM_SUCCESS) - { - psyslog(LOG_INFO, - "%s.%s@%s authenticated as user %s", - name, inst, realm, user); - if (chown(tkt_string(), uid, -1) == -1) - { - dest_tkt(); - psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid); - exit(1); - } - } - - /* - * Kludge alert!!! Sun dtlogin unlock screen fails to call - * pam_setcred(3) with PAM_REFRESH_CRED after a successful - * authentication attempt, sic. - * - * This hack is designed as a workaround to that problem. - */ - if (ctrl_on(KRB4_REAFSLOG)) - if (ret == PAM_SUCCESS) - pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv); - - return ret; -} - -int -pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_setcred"); - - switch (flags & ~PAM_SILENT) { - case 0: - case PAM_ESTABLISH_CRED: - if (k_hasafs()) - k_setpag(); - /* Fall through, fill PAG with credentials below. */ - case PAM_REINITIALIZE_CRED: - case PAM_REFRESH_CRED: - if (k_hasafs()) - { - void *user = 0; - - if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS) - { - struct passwd *pw = getpwnam((char *)user); - if (pw != 0) - krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, - pw->pw_uid, pw->pw_dir); - } - } - break; - case PAM_DELETE_CRED: - dest_tkt(); - if (k_hasafs()) - k_unlog(); - break; - default: - psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); - break; - } - - return PAM_SUCCESS; -} - -int -pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_open_session"); - - return PAM_SUCCESS; -} - - -int -pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv) -{ - parse_ctrl(argc, argv); - ENTRY("pam_sm_close_session"); - - /* This isn't really kosher, but it's handy. */ - pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv); - - return PAM_SUCCESS; -} diff --git a/crypto/kerberosIV/lib/auth/pam/pam.conf.add b/crypto/kerberosIV/lib/auth/pam/pam.conf.add deleted file mode 100644 index 64a4915..0000000 --- a/crypto/kerberosIV/lib/auth/pam/pam.conf.add +++ /dev/null @@ -1,81 +0,0 @@ -To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch: - ---- /etc/pam.conf.DIST Mon Jul 20 15:37:46 1998 -+++ /etc/pam.conf Tue Feb 15 19:39:12 2000 -@@ -4,15 +4,19 @@ - # - # Authentication management - # -+login auth sufficient /usr/athena/lib/pam_krb4.so - login auth required /usr/lib/security/pam_unix.so.1 - login auth required /usr/lib/security/pam_dial_auth.so.1 - # - rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 - rlogin auth required /usr/lib/security/pam_unix.so.1 - # -+dtlogin auth sufficient /usr/athena/lib/pam_krb4.so - dtlogin auth required /usr/lib/security/pam_unix.so.1 - # - rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 -+# Reafslog is for dtlogin lock display -+other auth sufficient /usr/athena/lib/pam_krb4.so reafslog - other auth required /usr/lib/security/pam_unix.so.1 - # - # Account management -@@ -24,6 +28,8 @@ - # - # Session management - # -+dtlogin session required /usr/athena/lib/pam_krb4.so -+login session required /usr/athena/lib/pam_krb4.so - other session required /usr/lib/security/pam_unix.so.1 - # - # Password management ---------------------------------------------------------------------------- -To enable PAM in /bin/login and xdm under Red Hat 6.1 apply these patches: - ---- /etc/pam.d/login~ Thu Jul 8 00:14:02 1999 -+++ /etc/pam.d/login Mon Aug 30 14:33:12 1999 -@@ -1,9 +1,12 @@ - #%PAM-1.0 -+# Updated to work with kerberos -+auth sufficient /lib/security/pam_krb4.so - auth required /lib/security/pam_securetty.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so nullok use_authtok shadow -+session required /lib/security/pam_krb4.so - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so ---- /etc/pam.d/xdm~ Mon Jun 14 17:39:05 1999 -+++ /etc/pam.d/xdm Mon Aug 30 14:54:51 1999 -@@ -1,8 +1,10 @@ - #%PAM-1.0 -+auth sufficient /lib/security/pam_krb4.so - auth required /lib/security/pam_pwdb.so shadow nullok - auth required /lib/security/pam_nologin.so - account required /lib/security/pam_pwdb.so - password required /lib/security/pam_cracklib.so - password required /lib/security/pam_pwdb.so shadow nullok use_authtok -+session required /lib/security/pam_krb4.so - session required /lib/security/pam_pwdb.so - session optional /lib/security/pam_console.so --------------------------------------------------------------------------- - -This stuff may work under some other system. - -# To get this to work, you will have to add entries to /etc/pam.conf -# -# To make login kerberos-aware, you might change pam.conf to look -# like: - -# login authorization -login auth sufficient /lib/security/pam_krb4.so -login auth required /lib/security/pam_securetty.so -login auth required /lib/security/pam_unix_auth.so -login account required /lib/security/pam_unix_acct.so -login password required /lib/security/pam_unix_passwd.so -login session required /lib/security/pam_krb4.so -login session required /lib/security/pam_unix_session.so |