Diffstat (limited to 'lib')
-rw-r--r--lib/libpam/modules/pam_krb5/README4
-rw-r--r--lib/libpam/modules/pam_krb5/compat_heimdal.c12
-rw-r--r--lib/libpam/modules/pam_krb5/pam_krb5.h2
-rw-r--r--lib/libpam/modules/pam_krb5/pam_krb5_auth.c70
4 files changed, 24 insertions, 64 deletions
diff --git a/lib/libpam/modules/pam_krb5/README b/lib/libpam/modules/pam_krb5/README
index ee97421..fa9a19a 100644
--- a/lib/libpam/modules/pam_krb5/README
+++ b/lib/libpam/modules/pam_krb5/README
@@ -36,8 +36,8 @@ dtlogin on Solaris doesn't support xrealm logins (probably a good thing).
III. PAM notes/open issues
auth module:
-When is pam_sm_setcred() ever called with flags other than PAM_ESTABLISH_CRED
-or PAM_DELETE_CRED?
+When is pam_sm_setcred() ever called with flags other than PAM_ESTABLISH_CRED?
+It would be fairly easy to support PAM_DELETE_CRED.
acct module:
I believe this to be complete.
diff --git a/lib/libpam/modules/pam_krb5/compat_heimdal.c b/lib/libpam/modules/pam_krb5/compat_heimdal.c
index fb4e102..926b533 100644
--- a/lib/libpam/modules/pam_krb5/compat_heimdal.c
+++ b/lib/libpam/modules/pam_krb5/compat_heimdal.c
@@ -28,17 +28,9 @@ compat_free_data_contents(krb5_context context, krb5_data *data)
krb5_xfree(data->data);
}
-krb5_error_code
-compat_cc_next_cred(krb5_context context, const krb5_ccache id,
- krb5_cc_cursor *cursor, krb5_creds *creds)
-{
- return krb5_cc_next_cred(context, id, creds, cursor);
-}
-
-
static krb5_error_code
-heimdal_pam_prompter(krb5_context context, void *data, const char *banner, int
- num_prompts, krb5_prompt prompts[])
+heimdal_pam_prompter(krb5_context context, void *data, const char *name,
+ const char *banner, int num_prompts, krb5_prompt prompts[])
{
int pam_prompts = num_prompts;
int pamret, i;
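Review bot: The new `name` parameter of heimdal_pam_prompter is not referenced in the visible part of its body; the body continues outside the hunk, and if it stays unused there, a `(void)name; /* present only to match krb5_prompter_fct */` would document why the argument exists and keep -Wunused-parameter quiet. Deleting compat_cc_next_cred also removes the one place that adapted the cursor/creds argument order of krb5_cc_next_cred, so the direct caller in pam_krb5_auth.c now depends on the Heimdal build in use taking (cursor, creds); a comment on the prompter or in the header noting the Heimdal version this was verified against would make that assumption visible.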
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.h b/lib/libpam/modules/pam_krb5/pam_krb5.h
index ff02373..d14c62e 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.h
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.h
@@ -13,8 +13,6 @@ krb5_prompter_fct pam_prompter;
const char *compat_princ_component(krb5_context, krb5_principal, int);
void compat_free_data_contents(krb5_context, krb5_data *);
-krb5_error_code compat_cc_next_cred(krb5_context, const krb5_ccache,
- krb5_cc_cursor *, krb5_creds *);
#ifndef ENCTYPE_DES_CBC_MD5
#define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5_auth.c b/lib/libpam/modules/pam_krb5/pam_krb5_auth.c
index fd4270b..00d6ab7 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5_auth.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5_auth.c
@@ -48,14 +48,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
int pamret, i;
const char *name;
- char *source_princ = NULL;
char *princ_name = NULL;
char *pass = NULL, *service = NULL;
char *prompt = NULL;
char cache_name[L_tmpnam + 8];
char lname[64]; /* local acct name */
struct passwd *pw;
- uid_t ruid;
int debug = 0, try_first_pass = 0, use_first_pass = 0;
int forwardable = 0, reuse_ccache = 0, no_ccache = 0;
@@ -110,24 +108,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
}
/* Get principal name */
- /* This case is for use mainly by su.
- If non-root is authenticating as "root", use "source_user/root". */
- if (!strcmp(name, "root") && (ruid = getuid()) != 0) {
- pw = getpwuid(ruid);
- if (pw != NULL)
- source_princ = (char *)malloc(strlen(pw->pw_name) + 6);
- if (source_princ)
- sprintf(source_princ, "%s/root", pw->pw_name);
- } else {
- source_princ = strdup(name);
- }
- if (!source_princ) {
- DLOG("malloc()", "failure");
- pamret = PAM_BUF_ERR;
- goto cleanup2;
- }
-
- if ((krbret = krb5_parse_name(pam_context, source_princ, &princ)) != 0) {
+ if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) {
DLOG("krb5_parse_name()", error_message(krbret));
pamret = PAM_SERVICE_ERR;
goto cleanup3;
@@ -173,9 +154,15 @@ get_pass:
(void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
}
- /* get a local account name for this principal */
- if ((krbret = krb5_aname_to_localname(pam_context, princ,
- sizeof(lname), lname)) == 0) {
+ /* Verify the local user exists (AFTER getting the password) */
+ if (strchr(name, '@')) {
+ /* get a local account name for this principal */
+ if ((krbret = krb5_aname_to_localname(pam_context, princ,
+ sizeof(lname), lname)) != 0) {
+ DLOG("krb5_aname_to_localname()", error_message(krbret));
+ pamret = PAM_USER_UNKNOWN;
+ goto cleanup2;
+ }
DLOG("changing PAM_USER to", lname);
if ((pamret = pam_set_item(pamh, PAM_USER, lname)) != 0) {
DLOG("pam_set_item()", pam_strerror(pamh, pamret));
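Review bot: The comment `/* Verify the local user exists (AFTER getting the password) */` now heads the strchr block, which maps a fully qualified principal to a local account name, while the getpwnam() check it actually describes sits after the block (in the next hunk). Keep that comment next to the getpwnam() call and give this block its own, e.g. `/* PAM_USER looks like a full principal: map it to a local account, else PAM_USER_UNKNOWN */`. The strchr test treats any '@' as the realm separator, so a principal with an escaped '@' in a component also takes this path and is left to krb5_aname_to_localname to sort out; that is fine if intended but worth a word in the comment.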
@@ -188,12 +175,7 @@ get_pass:
pamret = PAM_SERVICE_ERR;
goto cleanup2;
}
- } else {
- DLOG("krb5_aname_to_localname()", error_message(krbret));
- /* Not an error. */
}
-
- /* Verify the local user exists (AFTER getting the password) */
pw = getpwnam(name);
if (!pw) {
DLOG("getpwnam()", lname);
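Review bot: `DLOG("getpwnam()", lname)` on the last line logs lname, but with this change lname is only written inside the strchr(name, '@') branch, so for a plain user name the failure path prints an uninitialized 64-byte stack buffer; log the value that was looked up, `DLOG("getpwnam()", name);`. Conversely, when that branch did run, PAM_USER was changed to lname but the lookup here still uses `name`; unless name is refreshed between the two (the lines in between are outside this hunk), `getpwnam("user@REALM")` cannot succeed and the mapped lname should be used instead. pam_sm_authenticate continues outside the hunk.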
@@ -264,8 +246,6 @@ cleanup3:
free(prompt);
if (princ_name)
free(princ_name);
- if (source_princ)
- free(source_princ);
krb5_free_context(pam_context);
DLOG("exit", pamret ? "failure" : "success");
@@ -306,7 +286,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
if (flags == PAM_REINITIALIZE_CRED)
return PAM_SUCCESS; /* XXX Incorrect behavior */
- if (flags != PAM_ESTABLISH_CRED && flags != PAM_DELETE_CRED)
+ if (flags != PAM_ESTABLISH_CRED)
return PAM_SERVICE_ERR;
for (i = 0; i < argc; i++) {
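Review bot: `if (flags != PAM_ESTABLISH_CRED)` compares the whole flags word, so a caller that ORs in PAM_SILENT is rejected with PAM_SERVICE_ERR; mask it first, `if ((flags & ~PAM_SILENT) != PAM_ESTABLISH_CRED)`, and the PAM_REINITIALIZE_CRED equality test two lines up has the same problem. Dropping PAM_DELETE_CRED also means an application that calls pam_setcred(PAM_DELETE_CRED) at logout now gets PAM_SERVICE_ERR and the credential cache created under PAM_ESTABLISH_CRED stays on disk; the README hunk records this as open, so a comment here should point at it, e.g. `/* PAM_DELETE_CRED is not handled yet (see README); the ccache outlives the session */`.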
@@ -341,9 +321,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
/* Retrieve the cache name */
if ((pamret = pam_get_data(pamh, "ccache", (const void **) &ccache_temp))
!= 0) {
- /* User did not use krb5 to login */
- DLOG("ccache", "not found");
- pamret = PAM_SUCCESS;
+ DLOG("pam_get_data()", pam_strerror(pamh, pamret));
+ pamret = PAM_CRED_UNAVAIL;
goto cleanup3;
}
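Review bot: The dropped comment `/* User did not use krb5 to login */` was the only explanation of this branch and it still applies: the "ccache" data item is presumably stored by this module's pam_sm_authenticate, so its absence means no Kerberos authentication took place, which is the reason PAM_CRED_UNAVAIL is now the right return instead of PAM_SUCCESS. Keep that rationale in place, e.g. `/* No ccache data: the user did not authenticate through pam_krb5 */`.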
@@ -409,13 +388,6 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
}
}
- if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm))
- != 0) {
- DLOG("krb5_cc_resolve()", error_message(krbret));
- pamret = PAM_SERVICE_ERR;
- goto cleanup3;
- }
- if (flags == PAM_ESTABLISH_CRED) {
/* Initialize the new ccache */
if ((krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ))
!= 0) {
@@ -423,6 +395,12 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
pamret = PAM_SERVICE_ERR;
goto cleanup3;
}
+ if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm))
+ != 0) {
+ DLOG("krb5_cc_resolve()", error_message(krbret));
+ pamret = PAM_SERVICE_ERR;
+ goto cleanup2;
+ }
if ((krbret = krb5_cc_initialize(pam_context, ccache_perm, princ)) != 0) {
DLOG("krb5_cc_initialize()", error_message(krbret));
pamret = PAM_SERVICE_ERR;
@@ -439,7 +417,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
}
/* Copy the creds (should be two of them) */
- while ((krbret = compat_cc_next_cred(pam_context, ccache_temp,
+ while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp,
&cursor, &creds) == 0)) {
if ((krbret = krb5_cc_store_cred(pam_context, ccache_perm,
&creds)) != 0) {
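Review bot: The loop condition `while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, &cursor, &creds) == 0))` binds `== 0` inside the assignment, so krbret becomes 1 on each success and 0 when iteration stops, and the Kerberos error code (KRB5_CC_END versus a real failure) is lost; any post-loop check on krbret outside this hunk cannot tell the two apart. Move the parenthesis: `while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, &cursor, &creds)) == 0) {`. The compat_cc_next_cred wrapper deleted in compat_heimdal.c swapped the cursor and creds arguments, so this direct call now assumes the Heimdal in use takes (cursor, creds); with the older order the mismatch would surface only as an incompatible-pointer-type warning, not an error. pam_sm_setcred continues outside the hunk.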
@@ -484,14 +462,6 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
pamret = PAM_SERVICE_ERR;
goto cleanup2;
}
- } else {
- /* flag == PAM_DELETE_CRED */
- if ((krbret = krb5_cc_destroy(pam_context, ccache_perm)) != 0) {
- /* log error, but otherwise ignore it */
- DLOG("krb5_cc_destroy()", error_message(krbret));
- }
- goto cleanup3;
- }
cleanup2:
krb5_free_principal(pam_context, princ);