17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 53bfb48feSsemery * Common Development and Distribution License (the "License"). 63bfb48feSsemery * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22*8ce3ffdfSPeter Shoults * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #include <libintl.h> 277c478bd9Sstevel@tonic-gate #include <security/pam_appl.h> 287c478bd9Sstevel@tonic-gate #include <security/pam_modules.h> 297c478bd9Sstevel@tonic-gate #include <string.h> 307c478bd9Sstevel@tonic-gate #include <stdio.h> 317c478bd9Sstevel@tonic-gate #include <stdlib.h> 327c478bd9Sstevel@tonic-gate #include <sys/types.h> 337c478bd9Sstevel@tonic-gate #include <pwd.h> 347c478bd9Sstevel@tonic-gate #include <syslog.h> 357c478bd9Sstevel@tonic-gate #include <libintl.h> 36d80035c5Sps #include <k5-int.h> 377c478bd9Sstevel@tonic-gate #include <netdb.h> 387c478bd9Sstevel@tonic-gate #include <unistd.h> 397c478bd9Sstevel@tonic-gate #include <sys/stat.h> 407c478bd9Sstevel@tonic-gate #include <fcntl.h> 41505d05c7Sgtb #include <errno.h> 427c478bd9Sstevel@tonic-gate #include <com_err.h> 437c478bd9Sstevel@tonic-gate 447c478bd9Sstevel@tonic-gate #include "utils.h" 457c478bd9Sstevel@tonic-gate #include "krb5_repository.h" 467c478bd9Sstevel@tonic-gate 477c478bd9Sstevel@tonic-gate #define PAMTXD "SUNW_OST_SYSOSPAM" 487c478bd9Sstevel@tonic-gate #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 497c478bd9Sstevel@tonic-gate 507c478bd9Sstevel@tonic-gate extern void krb5_cleanup(pam_handle_t *, void *, int); 517c478bd9Sstevel@tonic-gate 527c478bd9Sstevel@tonic-gate static int attempt_refresh_cred(krb5_module_data_t *, char *, int); 537c478bd9Sstevel@tonic-gate static int attempt_delete_initcred(krb5_module_data_t *); 547c478bd9Sstevel@tonic-gate static krb5_error_code krb5_renew_tgt(krb5_module_data_t *, krb5_principal, 557c478bd9Sstevel@tonic-gate krb5_principal, int); 567c478bd9Sstevel@tonic-gate 577c478bd9Sstevel@tonic-gate extern uint_t kwarn_add_warning(char *, int); 587c478bd9Sstevel@tonic-gate extern uint_t kwarn_del_warning(char *); 597c478bd9Sstevel@tonic-gate 607c478bd9Sstevel@tonic-gate /* 617c478bd9Sstevel@tonic-gate * pam_sm_setcred 627c478bd9Sstevel@tonic-gate */ 637c478bd9Sstevel@tonic-gate int 647c478bd9Sstevel@tonic-gate pam_sm_setcred( 657c478bd9Sstevel@tonic-gate pam_handle_t *pamh, 667c478bd9Sstevel@tonic-gate int flags, 677c478bd9Sstevel@tonic-gate int argc, 687c478bd9Sstevel@tonic-gate const char **argv) 697c478bd9Sstevel@tonic-gate { 707c478bd9Sstevel@tonic-gate int i; 717c478bd9Sstevel@tonic-gate int err = 0; 727c478bd9Sstevel@tonic-gate int debug = 0; 737c478bd9Sstevel@tonic-gate krb5_module_data_t *kmd = NULL; 743bfb48feSsemery char *user = NULL; 757c478bd9Sstevel@tonic-gate krb5_repository_data_t *krb5_data = NULL; 767c478bd9Sstevel@tonic-gate pam_repository_t *rep_data = NULL; 777c478bd9Sstevel@tonic-gate 787c478bd9Sstevel@tonic-gate for (i = 0; i < argc; i++) { 797c478bd9Sstevel@tonic-gate if (strcasecmp(argv[i], "debug") == 0) 807c478bd9Sstevel@tonic-gate debug = 1; 817c478bd9Sstevel@tonic-gate else if (strcasecmp(argv[i], "nowarn") == 0) 827c478bd9Sstevel@tonic-gate flags = flags | PAM_SILENT; 837c478bd9Sstevel@tonic-gate } 847c478bd9Sstevel@tonic-gate 857c478bd9Sstevel@tonic-gate if (debug) 863bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 877c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): start: nowarn = %d, flags = 0x%x", 887c478bd9Sstevel@tonic-gate flags & PAM_SILENT ? 1 : 0, flags); 897c478bd9Sstevel@tonic-gate 907c478bd9Sstevel@tonic-gate /* make sure flags are valid */ 917c478bd9Sstevel@tonic-gate if (flags && 927c478bd9Sstevel@tonic-gate !(flags & PAM_ESTABLISH_CRED) && 937c478bd9Sstevel@tonic-gate !(flags & PAM_REINITIALIZE_CRED) && 947c478bd9Sstevel@tonic-gate !(flags & PAM_REFRESH_CRED) && 957c478bd9Sstevel@tonic-gate !(flags & PAM_DELETE_CRED) && 967c478bd9Sstevel@tonic-gate !(flags & PAM_SILENT)) { 973bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR, 984a7ceb24Sjjj "PAM-KRB5 (setcred): illegal flag %d", flags); 997c478bd9Sstevel@tonic-gate err = PAM_SYSTEM_ERR; 1007c478bd9Sstevel@tonic-gate goto out; 1017c478bd9Sstevel@tonic-gate } 1027c478bd9Sstevel@tonic-gate 1033bfb48feSsemery (void) pam_get_item(pamh, PAM_USER, (void**) &user); 1047c478bd9Sstevel@tonic-gate 1053bfb48feSsemery if (user == NULL || *user == '\0') 1063bfb48feSsemery return (PAM_USER_UNKNOWN); 1077c478bd9Sstevel@tonic-gate 1087c478bd9Sstevel@tonic-gate if (pam_get_data(pamh, KRB5_DATA, (const void**)&kmd) != PAM_SUCCESS) { 1097c478bd9Sstevel@tonic-gate if (debug) { 1103bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 1117c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): kmd get failed, kmd=0x%p", 1127c478bd9Sstevel@tonic-gate kmd); 1137c478bd9Sstevel@tonic-gate } 1147c478bd9Sstevel@tonic-gate 1157c478bd9Sstevel@tonic-gate /* 1167c478bd9Sstevel@tonic-gate * User doesn't need to authenticate for PAM_REFRESH_CRED 1177c478bd9Sstevel@tonic-gate * or for PAM_DELETE_CRED 1187c478bd9Sstevel@tonic-gate */ 1197c478bd9Sstevel@tonic-gate if (flags & (PAM_REFRESH_CRED|PAM_DELETE_CRED)) { 1203bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 1214a7ceb24Sjjj "PAM-KRB5 (setcred): inst kmd structure"); 1227c478bd9Sstevel@tonic-gate 1237c478bd9Sstevel@tonic-gate kmd = calloc(1, sizeof (krb5_module_data_t)); 1247c478bd9Sstevel@tonic-gate 12547fc6f3cSsemery if (kmd == NULL) 12647fc6f3cSsemery return (PAM_BUF_ERR); 12747fc6f3cSsemery 12847fc6f3cSsemery 12947fc6f3cSsemery /* 13047fc6f3cSsemery * Need to initialize auth_status here to 13147fc6f3cSsemery * PAM_AUTHINFO_UNAVAIL else there is a false positive 13247fc6f3cSsemery * of PAM_SUCCESS. 13347fc6f3cSsemery */ 13447fc6f3cSsemery kmd->auth_status = PAM_AUTHINFO_UNAVAIL; 1357c478bd9Sstevel@tonic-gate 1367c478bd9Sstevel@tonic-gate if ((err = pam_set_data(pamh, KRB5_DATA, 1374a7ceb24Sjjj kmd, &krb5_cleanup)) != PAM_SUCCESS) { 1387c478bd9Sstevel@tonic-gate free(kmd); 1397c478bd9Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 1407c478bd9Sstevel@tonic-gate } 1417c478bd9Sstevel@tonic-gate } else { 1423441f6a1Ssemery /* 1433441f6a1Ssemery * This could mean that we are not the account authority 1443441f6a1Ssemery * for the authenticated user. Therefore we should 1453441f6a1Ssemery * return PAM_IGNORE in order to not affect the 1463441f6a1Ssemery * login process of said user. 1473441f6a1Ssemery */ 1483441f6a1Ssemery err = PAM_IGNORE; 1493441f6a1Ssemery goto out; 1507c478bd9Sstevel@tonic-gate } 1517c478bd9Sstevel@tonic-gate 1527c478bd9Sstevel@tonic-gate } else { /* pam_get_data success */ 1537c478bd9Sstevel@tonic-gate if (kmd == NULL) { 1547c478bd9Sstevel@tonic-gate if (debug) { 1553bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 1567c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): kmd structure" 1577c478bd9Sstevel@tonic-gate " gotten but is NULL for user %s", user); 1587c478bd9Sstevel@tonic-gate } 15947fc6f3cSsemery err = PAM_SYSTEM_ERR; 1607c478bd9Sstevel@tonic-gate goto out; 1617c478bd9Sstevel@tonic-gate } 1627c478bd9Sstevel@tonic-gate 1637c478bd9Sstevel@tonic-gate if (debug) 1643bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 1657c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): kmd auth_status: %s", 1667c478bd9Sstevel@tonic-gate pam_strerror(pamh, kmd->auth_status)); 1677c478bd9Sstevel@tonic-gate 1687c478bd9Sstevel@tonic-gate /* 1697c478bd9Sstevel@tonic-gate * pam_auth has set status to ignore, so we also return ignore 1707c478bd9Sstevel@tonic-gate */ 1717c478bd9Sstevel@tonic-gate if (kmd->auth_status == PAM_IGNORE) { 1727c478bd9Sstevel@tonic-gate err = PAM_IGNORE; 1737c478bd9Sstevel@tonic-gate goto out; 1747c478bd9Sstevel@tonic-gate } 1757c478bd9Sstevel@tonic-gate } 1767c478bd9Sstevel@tonic-gate 1777c478bd9Sstevel@tonic-gate kmd->debug = debug; 1787c478bd9Sstevel@tonic-gate 1797c478bd9Sstevel@tonic-gate /* 1807c478bd9Sstevel@tonic-gate * User must have passed pam_authenticate() 1817c478bd9Sstevel@tonic-gate * in order to use PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED 1827c478bd9Sstevel@tonic-gate */ 1837c478bd9Sstevel@tonic-gate if ((flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED)) && 1847c478bd9Sstevel@tonic-gate (kmd->auth_status != PAM_SUCCESS)) { 1857c478bd9Sstevel@tonic-gate if (kmd->debug) 1863bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 1877c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): unable to " 1887c478bd9Sstevel@tonic-gate "setcreds, not authenticated!"); 1897c478bd9Sstevel@tonic-gate return (PAM_CRED_UNAVAIL); 1907c478bd9Sstevel@tonic-gate } 1917c478bd9Sstevel@tonic-gate 1927c478bd9Sstevel@tonic-gate /* 1937c478bd9Sstevel@tonic-gate * We cannot assume that kmd->kcontext being non-NULL 1947c478bd9Sstevel@tonic-gate * means it is valid. Other pam_krb5 mods may have 1957c478bd9Sstevel@tonic-gate * freed it but not reset it to NULL. 1967c478bd9Sstevel@tonic-gate * Log a message when debugging to track down memory 1977c478bd9Sstevel@tonic-gate * leaks. 1987c478bd9Sstevel@tonic-gate */ 1997c478bd9Sstevel@tonic-gate if (kmd->kcontext != NULL && kmd->debug) 2003bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 2014a7ceb24Sjjj "PAM-KRB5 (setcred): kcontext != NULL, " 2024a7ceb24Sjjj "possible memory leak."); 2037c478bd9Sstevel@tonic-gate 2043bfb48feSsemery /* 2053bfb48feSsemery * Use the authenticated and validated user, if applicable. 2063bfb48feSsemery */ 2073bfb48feSsemery if (kmd->user != NULL) 2083bfb48feSsemery user = kmd->user; 2093bfb48feSsemery 2107c478bd9Sstevel@tonic-gate /* 2117c478bd9Sstevel@tonic-gate * If auth was short-circuited we will not have anything to 2127c478bd9Sstevel@tonic-gate * renew, so just return here. 2137c478bd9Sstevel@tonic-gate */ 2143bfb48feSsemery (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); 2153bfb48feSsemery 2167c478bd9Sstevel@tonic-gate if (rep_data != NULL) { 2177c478bd9Sstevel@tonic-gate if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { 2187c478bd9Sstevel@tonic-gate if (debug) 2193bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 2204a7ceb24Sjjj "PAM-KRB5 (setcred): wrong" 2214a7ceb24Sjjj "repository found (%s), returning " 2224a7ceb24Sjjj "PAM_IGNORE", rep_data->type); 2237c478bd9Sstevel@tonic-gate return (PAM_IGNORE); 2247c478bd9Sstevel@tonic-gate } 2257c478bd9Sstevel@tonic-gate if (rep_data->scope_len == sizeof (krb5_repository_data_t)) { 2267c478bd9Sstevel@tonic-gate krb5_data = (krb5_repository_data_t *)rep_data->scope; 2277c478bd9Sstevel@tonic-gate 2287c478bd9Sstevel@tonic-gate if (krb5_data->flags == 2294a7ceb24Sjjj SUNW_PAM_KRB5_ALREADY_AUTHENTICATED && 2304a7ceb24Sjjj krb5_data->principal != NULL && 2314a7ceb24Sjjj strlen(krb5_data->principal)) { 2327c478bd9Sstevel@tonic-gate if (debug) 2333bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 2344a7ceb24Sjjj "PAM-KRB5 (setcred): " 2354a7ceb24Sjjj "Principal %s already " 2364a7ceb24Sjjj "authenticated, " 2374a7ceb24Sjjj "cannot setcred", 2384a7ceb24Sjjj krb5_data->principal); 2397c478bd9Sstevel@tonic-gate return (PAM_SUCCESS); 2407c478bd9Sstevel@tonic-gate } 2417c478bd9Sstevel@tonic-gate } 2427c478bd9Sstevel@tonic-gate } 2437c478bd9Sstevel@tonic-gate 2447c478bd9Sstevel@tonic-gate if (flags & PAM_REINITIALIZE_CRED) 2457c478bd9Sstevel@tonic-gate err = attempt_refresh_cred(kmd, user, PAM_REINITIALIZE_CRED); 2467c478bd9Sstevel@tonic-gate else if (flags & PAM_REFRESH_CRED) 2477c478bd9Sstevel@tonic-gate err = attempt_refresh_cred(kmd, user, PAM_REFRESH_CRED); 2487c478bd9Sstevel@tonic-gate else if (flags & PAM_DELETE_CRED) 2497c478bd9Sstevel@tonic-gate err = attempt_delete_initcred(kmd); 2507c478bd9Sstevel@tonic-gate else { 2517c478bd9Sstevel@tonic-gate /* 2527c478bd9Sstevel@tonic-gate * Default case: PAM_ESTABLISH_CRED 2537c478bd9Sstevel@tonic-gate */ 2547c478bd9Sstevel@tonic-gate err = attempt_refresh_cred(kmd, user, PAM_ESTABLISH_CRED); 2557c478bd9Sstevel@tonic-gate } 2567c478bd9Sstevel@tonic-gate 2573bfb48feSsemery if (err != PAM_SUCCESS) 2583bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR, 2597c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): pam_setcred failed " 2607c478bd9Sstevel@tonic-gate "for %s (%s).", user, pam_strerror(pamh, err)); 2617c478bd9Sstevel@tonic-gate 2627c478bd9Sstevel@tonic-gate out: 2637c478bd9Sstevel@tonic-gate if (kmd && kmd->kcontext) { 2647c478bd9Sstevel@tonic-gate /* 2657c478bd9Sstevel@tonic-gate * free 'kcontext' field if it is allocated, 2667c478bd9Sstevel@tonic-gate * kcontext is local to the operation being performed 2677c478bd9Sstevel@tonic-gate * not considered global to the entire pam module. 2687c478bd9Sstevel@tonic-gate */ 2697c478bd9Sstevel@tonic-gate krb5_free_context(kmd->kcontext); 2707c478bd9Sstevel@tonic-gate kmd->kcontext = NULL; 2717c478bd9Sstevel@tonic-gate } 2727c478bd9Sstevel@tonic-gate 2737c478bd9Sstevel@tonic-gate /* 2747c478bd9Sstevel@tonic-gate * 'kmd' is not freed here, it is handled in krb5_cleanup 2757c478bd9Sstevel@tonic-gate */ 2767c478bd9Sstevel@tonic-gate if (debug) 2773bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 2787c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): end: %s", 2797c478bd9Sstevel@tonic-gate pam_strerror(pamh, err)); 2807c478bd9Sstevel@tonic-gate return (err); 2817c478bd9Sstevel@tonic-gate } 2827c478bd9Sstevel@tonic-gate 2837c478bd9Sstevel@tonic-gate static int 2847c478bd9Sstevel@tonic-gate attempt_refresh_cred( 2857c478bd9Sstevel@tonic-gate krb5_module_data_t *kmd, 2867c478bd9Sstevel@tonic-gate char *user, 2877c478bd9Sstevel@tonic-gate int flag) 2887c478bd9Sstevel@tonic-gate { 2897c478bd9Sstevel@tonic-gate krb5_principal me; 2907c478bd9Sstevel@tonic-gate krb5_principal server; 2917c478bd9Sstevel@tonic-gate krb5_error_code code; 2927c478bd9Sstevel@tonic-gate char kuser[2*MAXHOSTNAMELEN]; 2937c478bd9Sstevel@tonic-gate krb5_data tgtname = { 2947c478bd9Sstevel@tonic-gate 0, 2957c478bd9Sstevel@tonic-gate KRB5_TGS_NAME_SIZE, 2967c478bd9Sstevel@tonic-gate KRB5_TGS_NAME 2977c478bd9Sstevel@tonic-gate }; 2987c478bd9Sstevel@tonic-gate 2997c478bd9Sstevel@tonic-gate /* Create a new context here. */ 300*8ce3ffdfSPeter Shoults if (krb5_init_secure_context(&kmd->kcontext) != 0) { 3017c478bd9Sstevel@tonic-gate if (kmd->debug) 3023bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 3037c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): unable to " 3047c478bd9Sstevel@tonic-gate "initialize krb5 context"); 3057c478bd9Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 3067c478bd9Sstevel@tonic-gate } 3077c478bd9Sstevel@tonic-gate 3087c478bd9Sstevel@tonic-gate if (krb5_cc_default(kmd->kcontext, &kmd->ccache) != 0) { 3093bfb48feSsemery return (PAM_SYSTEM_ERR); 3107c478bd9Sstevel@tonic-gate } 3117c478bd9Sstevel@tonic-gate 3127c478bd9Sstevel@tonic-gate if ((code = get_kmd_kuser(kmd->kcontext, (const char *)user, kuser, 3134a7ceb24Sjjj 2*MAXHOSTNAMELEN)) != 0) { 3147c478bd9Sstevel@tonic-gate return (code); 3157c478bd9Sstevel@tonic-gate } 3167c478bd9Sstevel@tonic-gate 3177c478bd9Sstevel@tonic-gate if (krb5_parse_name(kmd->kcontext, kuser, &me) != 0) { 3183bfb48feSsemery return (PAM_SYSTEM_ERR); 3197c478bd9Sstevel@tonic-gate } 3207c478bd9Sstevel@tonic-gate 3217c478bd9Sstevel@tonic-gate if (code = krb5_build_principal_ext(kmd->kcontext, &server, 3224a7ceb24Sjjj krb5_princ_realm(kmd->kcontext, me)->length, 3234a7ceb24Sjjj krb5_princ_realm(kmd->kcontext, me)->data, 3244a7ceb24Sjjj tgtname.length, tgtname.data, 3254a7ceb24Sjjj krb5_princ_realm(kmd->kcontext, me)->length, 3264a7ceb24Sjjj krb5_princ_realm(kmd->kcontext, me)->data, 0)) { 3273bfb48feSsemery krb5_free_principal(kmd->kcontext, me); 3283bfb48feSsemery return (PAM_SYSTEM_ERR); 3297c478bd9Sstevel@tonic-gate } 3307c478bd9Sstevel@tonic-gate 3317c478bd9Sstevel@tonic-gate code = krb5_renew_tgt(kmd, me, server, flag); 3327c478bd9Sstevel@tonic-gate 3333bfb48feSsemery krb5_free_principal(kmd->kcontext, server); 3343bfb48feSsemery krb5_free_principal(kmd->kcontext, me); 3357c478bd9Sstevel@tonic-gate 3367c478bd9Sstevel@tonic-gate if (code) { 3373bfb48feSsemery if (kmd->debug) 3383bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 3394a7ceb24Sjjj "PAM-KRB5(setcred): krb5_renew_tgt() " 3404a7ceb24Sjjj "failed: %s", error_message((errcode_t)code)); 3417c478bd9Sstevel@tonic-gate return (PAM_CRED_ERR); 3427c478bd9Sstevel@tonic-gate } else { 3437c478bd9Sstevel@tonic-gate return (PAM_SUCCESS); 3447c478bd9Sstevel@tonic-gate } 3457c478bd9Sstevel@tonic-gate } 3467c478bd9Sstevel@tonic-gate 3477c478bd9Sstevel@tonic-gate /* 3487c478bd9Sstevel@tonic-gate * This code will update the credential matching "server" in the user's 3497c478bd9Sstevel@tonic-gate * credential cache. The flag may be set to one of: 3506ff38bdbSPeter Shoults * PAM_REINITIALIZE_CRED/PAM_ESTABLISH_CRED - If we have new credentials then 3516ff38bdbSPeter Shoults * create a new cred cache with these credentials else return failure. 35247fc6f3cSsemery * PAM_REFRESH_CRED - If we have new credentials then create a new cred cache 35347fc6f3cSsemery * with these credentials else attempt to renew the credentials. 35447fc6f3cSsemery * 3556ff38bdbSPeter Shoults * Note for any of the flags that if a new credential does exist from the 3566ff38bdbSPeter Shoults * previous auth pass then this will overwrite any existing credentials in the 3576ff38bdbSPeter Shoults * credential cache. 3587c478bd9Sstevel@tonic-gate */ 3597c478bd9Sstevel@tonic-gate static krb5_error_code 3607c478bd9Sstevel@tonic-gate krb5_renew_tgt( 3617c478bd9Sstevel@tonic-gate krb5_module_data_t *kmd, 3627c478bd9Sstevel@tonic-gate krb5_principal me, 3637c478bd9Sstevel@tonic-gate krb5_principal server, 3647c478bd9Sstevel@tonic-gate int flag) 3657c478bd9Sstevel@tonic-gate { 3667c478bd9Sstevel@tonic-gate krb5_error_code retval; 3677c478bd9Sstevel@tonic-gate krb5_creds creds; 3681dac1dbeSgtb krb5_creds *renewed_cred = NULL; 3697c478bd9Sstevel@tonic-gate char *client_name = NULL; 3706ff38bdbSPeter Shoults char *username = NULL; 3717c478bd9Sstevel@tonic-gate 3727c478bd9Sstevel@tonic-gate #define my_creds (kmd->initcreds) 3737c478bd9Sstevel@tonic-gate 3747c478bd9Sstevel@tonic-gate if ((flag != PAM_REFRESH_CRED) && 3754a7ceb24Sjjj (flag != PAM_REINITIALIZE_CRED) && 3764a7ceb24Sjjj (flag != PAM_ESTABLISH_CRED)) 3774a7ceb24Sjjj return (KRB5KRB_ERR_GENERIC); 3787c478bd9Sstevel@tonic-gate 3797c478bd9Sstevel@tonic-gate /* this is needed only for the ktkt_warnd */ 3803bfb48feSsemery if ((retval = krb5_unparse_name(kmd->kcontext, me, &client_name)) != 0) 3813bfb48feSsemery return (retval); 3827c478bd9Sstevel@tonic-gate 3831dac1dbeSgtb (void) memset(&creds, 0, sizeof (krb5_creds)); 3847c478bd9Sstevel@tonic-gate if ((retval = krb5_copy_principal(kmd->kcontext, 3854a7ceb24Sjjj server, &creds.server))) { 3867c478bd9Sstevel@tonic-gate if (kmd->debug) 3873bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 3884a7ceb24Sjjj "PAM-KRB5 (setcred): krb5_copy_principal " 3894a7ceb24Sjjj "failed: %s", 3904a7ceb24Sjjj error_message((errcode_t)retval)); 3917c478bd9Sstevel@tonic-gate goto cleanup_creds; 3927c478bd9Sstevel@tonic-gate } 3937c478bd9Sstevel@tonic-gate 3947c478bd9Sstevel@tonic-gate /* obtain ticket & session key */ 3957c478bd9Sstevel@tonic-gate retval = krb5_cc_get_principal(kmd->kcontext, 3964a7ceb24Sjjj kmd->ccache, &creds.client); 3977c478bd9Sstevel@tonic-gate if (retval && (kmd->debug)) 3983bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 3994a7ceb24Sjjj "PAM-KRB5 (setcred): User not in cred " 4004a7ceb24Sjjj "cache (%s)", error_message((errcode_t)retval)); 4017c478bd9Sstevel@tonic-gate 4026ff38bdbSPeter Shoults /* 4036ff38bdbSPeter Shoults * We got here either with the ESTABLISH | REINIT | REFRESH flag and 4046ff38bdbSPeter Shoults * auth_status returns SUCCESS or REFRESH and auth_status failure. 4056ff38bdbSPeter Shoults * 4066ff38bdbSPeter Shoults * Rules: 4076ff38bdbSPeter Shoults * - If the prior auth pass was successful then store the new 4086ff38bdbSPeter Shoults * credentials in the cache, regardless of which flag. 4096ff38bdbSPeter Shoults * 4106ff38bdbSPeter Shoults * - Else if REFRESH flag is used and there are no new 4116ff38bdbSPeter Shoults * credentials then attempt to refresh the existing credentials. 4126ff38bdbSPeter Shoults * 4136ff38bdbSPeter Shoults * - Note, refresh will not work if "R" flag is not set in 4146ff38bdbSPeter Shoults * original credential. We don't want to 2nd guess the 4156ff38bdbSPeter Shoults * intention of the person who created the existing credential. 4166ff38bdbSPeter Shoults */ 4176ff38bdbSPeter Shoults if (kmd->auth_status == PAM_SUCCESS) { 4187c478bd9Sstevel@tonic-gate /* 4197c478bd9Sstevel@tonic-gate * Create a fresh ccache, and store the credentials 4207c478bd9Sstevel@tonic-gate * we got from pam_authenticate() 4217c478bd9Sstevel@tonic-gate */ 4227c478bd9Sstevel@tonic-gate if ((retval = krb5_cc_initialize(kmd->kcontext, 4234a7ceb24Sjjj kmd->ccache, me)) != 0) { 4243bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 4254a7ceb24Sjjj "PAM-KRB5 (setcred): krb5_cc_initialize " 4264a7ceb24Sjjj "failed: %s", 4274a7ceb24Sjjj error_message((errcode_t)retval)); 4287c478bd9Sstevel@tonic-gate } else if ((retval = krb5_cc_store_cred(kmd->kcontext, 4294a7ceb24Sjjj kmd->ccache, &my_creds)) != 0) { 4303bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 4314a7ceb24Sjjj "PAM-KRB5 (setcred): krb5_cc_store_cred " 4324a7ceb24Sjjj "failed: %s", 4334a7ceb24Sjjj error_message((errcode_t)retval)); 4347c478bd9Sstevel@tonic-gate } 4356ff38bdbSPeter Shoults } else if ((retval == 0) && (flag & PAM_REFRESH_CRED)) { 4366ff38bdbSPeter Shoults /* 4376ff38bdbSPeter Shoults * If we only wanted to refresh the creds but failed 4386ff38bdbSPeter Shoults * due to expiration, lack of "R" flag, or other 4396ff38bdbSPeter Shoults * problems, return an error. 4406ff38bdbSPeter Shoults */ 4416ff38bdbSPeter Shoults if (retval = krb5_get_credentials_renew(kmd->kcontext, 4426ff38bdbSPeter Shoults 0, kmd->ccache, &creds, &renewed_cred)) { 4436ff38bdbSPeter Shoults if (kmd->debug) { 4446ff38bdbSPeter Shoults __pam_log(LOG_AUTH | LOG_DEBUG, 4456ff38bdbSPeter Shoults "PAM-KRB5 (setcred): " 4466ff38bdbSPeter Shoults "krb5_get_credentials" 4476ff38bdbSPeter Shoults "_renew(update) failed: %s", 4486ff38bdbSPeter Shoults error_message((errcode_t)retval)); 4496ff38bdbSPeter Shoults } 4506ff38bdbSPeter Shoults } 4516ff38bdbSPeter Shoults } else { 4527c478bd9Sstevel@tonic-gate /* 4537c478bd9Sstevel@tonic-gate * We failed to get the user's credentials. 4547c478bd9Sstevel@tonic-gate * This might be due to permission error on the cache, 4557c478bd9Sstevel@tonic-gate * or maybe we are looking in the wrong cache file! 4567c478bd9Sstevel@tonic-gate */ 4573bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR, 4584a7ceb24Sjjj "PAM-KRB5 (setcred): Cannot find creds" 4594a7ceb24Sjjj " for %s (%s)", 4604a7ceb24Sjjj client_name ? client_name : "(unknown)", 4614a7ceb24Sjjj error_message((errcode_t)retval)); 4627c478bd9Sstevel@tonic-gate } 4637c478bd9Sstevel@tonic-gate 4647c478bd9Sstevel@tonic-gate cleanup_creds: 4657c478bd9Sstevel@tonic-gate 4667c478bd9Sstevel@tonic-gate if ((retval == 0) && (client_name != NULL)) { 4677c478bd9Sstevel@tonic-gate /* 4687c478bd9Sstevel@tonic-gate * Credential update was successful! 4697c478bd9Sstevel@tonic-gate * 4707c478bd9Sstevel@tonic-gate * We now chown the ccache to the appropriate uid/gid 4717c478bd9Sstevel@tonic-gate * combination, if its a FILE based ccache. 4727c478bd9Sstevel@tonic-gate */ 473d80035c5Sps if (!kmd->env || strstr(kmd->env, "FILE:")) { 4747c478bd9Sstevel@tonic-gate uid_t uuid; 4757c478bd9Sstevel@tonic-gate gid_t ugid; 4766ff38bdbSPeter Shoults char *tmpname = NULL; 4777c478bd9Sstevel@tonic-gate char *filepath = NULL; 4787c478bd9Sstevel@tonic-gate 4797c478bd9Sstevel@tonic-gate username = strdup(client_name); 4804a7ceb24Sjjj if (username == NULL) { 4814a7ceb24Sjjj __pam_log(LOG_AUTH | LOG_ERR, 4824a7ceb24Sjjj "PAM-KRB5 (setcred): Out of memory"); 4834a7ceb24Sjjj retval = KRB5KRB_ERR_GENERIC; 4844a7ceb24Sjjj goto error; 4854a7ceb24Sjjj } 4867c478bd9Sstevel@tonic-gate if ((tmpname = strchr(username, '@'))) 4877c478bd9Sstevel@tonic-gate *tmpname = '\0'; 4887c478bd9Sstevel@tonic-gate 4897c478bd9Sstevel@tonic-gate if (get_pw_uid(username, &uuid) == 0 || 4907c478bd9Sstevel@tonic-gate get_pw_gid(username, &ugid) == 0) { 4913bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR, 4923bfb48feSsemery "PAM-KRB5 (setcred): Unable to " 4937c478bd9Sstevel@tonic-gate "find matching uid/gid pair for user `%s'", 4947c478bd9Sstevel@tonic-gate username); 4951dac1dbeSgtb retval = KRB5KRB_ERR_GENERIC; 4961dac1dbeSgtb goto error; 4977c478bd9Sstevel@tonic-gate } 498d80035c5Sps 499d80035c5Sps if (!kmd->env) { 500d80035c5Sps char buffer[512]; 501d80035c5Sps 502d80035c5Sps if (snprintf(buffer, sizeof (buffer), 503d80035c5Sps "%s=FILE:/tmp/krb5cc_%d", KRB5_ENV_CCNAME, 504d80035c5Sps (int)uuid) >= sizeof (buffer)) { 505d80035c5Sps retval = KRB5KRB_ERR_GENERIC; 506d80035c5Sps goto error; 507d80035c5Sps } 508d80035c5Sps 509d80035c5Sps /* 510d80035c5Sps * We MUST copy this to the heap for the putenv 511d80035c5Sps * to work! 512d80035c5Sps */ 513d80035c5Sps kmd->env = strdup(buffer); 514d80035c5Sps if (!kmd->env) { 515d80035c5Sps retval = ENOMEM; 516d80035c5Sps goto error; 517d80035c5Sps } else { 518d80035c5Sps if (putenv(kmd->env)) { 519d80035c5Sps retval = ENOMEM; 520d80035c5Sps goto error; 521d80035c5Sps } 522d80035c5Sps } 523d80035c5Sps } 524d80035c5Sps 5256ff38bdbSPeter Shoults /* 5266ff38bdbSPeter Shoults * We know at this point that kmd->env must start 5276ff38bdbSPeter Shoults * with the literal string "FILE:". Set filepath 5286ff38bdbSPeter Shoults * character string to point to ":" 5296ff38bdbSPeter Shoults */ 5306ff38bdbSPeter Shoults 5316ff38bdbSPeter Shoults filepath = strchr(kmd->env, ':'); 5326ff38bdbSPeter Shoults 5336ff38bdbSPeter Shoults /* 5346ff38bdbSPeter Shoults * Now check if first char after ":" is null char 5356ff38bdbSPeter Shoults */ 5366ff38bdbSPeter Shoults if (filepath[1] == '\0') { 5373bfb48feSsemery __pam_log(LOG_AUTH | LOG_ERR, 5384a7ceb24Sjjj "PAM-KRB5 (setcred): Invalid pathname " 5394a7ceb24Sjjj "for credential cache of user `%s'", 5404a7ceb24Sjjj username); 5411dac1dbeSgtb retval = KRB5KRB_ERR_GENERIC; 5421dac1dbeSgtb goto error; 5437c478bd9Sstevel@tonic-gate } 5447c478bd9Sstevel@tonic-gate if (chown(filepath+1, uuid, ugid)) { 5457c478bd9Sstevel@tonic-gate if (kmd->debug) 5463bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 5477c478bd9Sstevel@tonic-gate "PAM-KRB5 (setcred): chown to user " 5487c478bd9Sstevel@tonic-gate "`%s' failed for FILE=%s", 5497c478bd9Sstevel@tonic-gate username, filepath); 5507c478bd9Sstevel@tonic-gate } 5517c478bd9Sstevel@tonic-gate } 5521dac1dbeSgtb } 5537c478bd9Sstevel@tonic-gate 5541dac1dbeSgtb error: 5551dac1dbeSgtb if (retval == 0) { 5561dac1dbeSgtb krb5_timestamp endtime; 5571dac1dbeSgtb 5581dac1dbeSgtb if (renewed_cred && renewed_cred->times.endtime != 0) 5591dac1dbeSgtb endtime = renewed_cred->times.endtime; 5601dac1dbeSgtb else 5611dac1dbeSgtb endtime = my_creds.times.endtime; 5621dac1dbeSgtb 5631dac1dbeSgtb if (kmd->debug) 5641dac1dbeSgtb __pam_log(LOG_AUTH | LOG_DEBUG, 5654a7ceb24Sjjj "PAM-KRB5 (setcred): delete/add warning"); 5661dac1dbeSgtb 5671dac1dbeSgtb kwarn_del_warning(client_name); 5681dac1dbeSgtb if (kwarn_add_warning(client_name, endtime) != 0) { 5691dac1dbeSgtb __pam_log(LOG_AUTH | LOG_NOTICE, 5704a7ceb24Sjjj "PAM-KRB5 (setcred): kwarn_add_warning" 5714a7ceb24Sjjj " failed: ktkt_warnd(1M) down?"); 5727c478bd9Sstevel@tonic-gate } 5737c478bd9Sstevel@tonic-gate } 5741dac1dbeSgtb 5751dac1dbeSgtb if (renewed_cred != NULL) 5761dac1dbeSgtb krb5_free_creds(kmd->kcontext, renewed_cred); 5771dac1dbeSgtb 5787c478bd9Sstevel@tonic-gate if (client_name != NULL) 5797c478bd9Sstevel@tonic-gate free(client_name); 5807c478bd9Sstevel@tonic-gate 5816ff38bdbSPeter Shoults if (username) 5826ff38bdbSPeter Shoults free(username); 5836ff38bdbSPeter Shoults 5847c478bd9Sstevel@tonic-gate krb5_free_cred_contents(kmd->kcontext, &creds); 5857c478bd9Sstevel@tonic-gate 5867c478bd9Sstevel@tonic-gate return (retval); 5877c478bd9Sstevel@tonic-gate } 5887c478bd9Sstevel@tonic-gate 5897c478bd9Sstevel@tonic-gate /* 5907c478bd9Sstevel@tonic-gate * Delete the user's credentials for this session 5917c478bd9Sstevel@tonic-gate */ 5927c478bd9Sstevel@tonic-gate static int 5937c478bd9Sstevel@tonic-gate attempt_delete_initcred(krb5_module_data_t *kmd) 5947c478bd9Sstevel@tonic-gate { 5957c478bd9Sstevel@tonic-gate if (kmd == NULL) 5963bfb48feSsemery return (PAM_SUCCESS); 5977c478bd9Sstevel@tonic-gate 5987c478bd9Sstevel@tonic-gate if (kmd->debug) { 5993bfb48feSsemery __pam_log(LOG_AUTH | LOG_DEBUG, 6004a7ceb24Sjjj "PAM-KRB5 (setcred): deleting user's " 6014a7ceb24Sjjj "credentials (initcreds)"); 6027c478bd9Sstevel@tonic-gate } 6037c478bd9Sstevel@tonic-gate krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds); 6047c478bd9Sstevel@tonic-gate (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds)); 6057c478bd9Sstevel@tonic-gate kmd->auth_status = PAM_AUTHINFO_UNAVAIL; 6063bfb48feSsemery return (PAM_SUCCESS); 6077c478bd9Sstevel@tonic-gate } 608