17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53bfb48feSsemery * Common Development and Distribution License (the "License").
63bfb48feSsemery * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
215ad42b1bSSurya Prakki
227c478bd9Sstevel@tonic-gate /*
23b0c1f5b7SWill Fiveash * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
247c478bd9Sstevel@tonic-gate * Use is subject to license terms.
257c478bd9Sstevel@tonic-gate */
267c478bd9Sstevel@tonic-gate
277c478bd9Sstevel@tonic-gate #include <libintl.h>
287c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
297c478bd9Sstevel@tonic-gate #include <security/pam_modules.h>
307c478bd9Sstevel@tonic-gate #include <string.h>
317c478bd9Sstevel@tonic-gate #include <stdio.h>
327c478bd9Sstevel@tonic-gate #include <stdlib.h>
337c478bd9Sstevel@tonic-gate #include <sys/types.h>
347c478bd9Sstevel@tonic-gate #include <pwd.h>
357c478bd9Sstevel@tonic-gate #include <syslog.h>
367c478bd9Sstevel@tonic-gate #include <libintl.h>
37d80035c5Sps #include <k5-int.h>
387c478bd9Sstevel@tonic-gate #include <netdb.h>
397c478bd9Sstevel@tonic-gate #include <unistd.h>
407c478bd9Sstevel@tonic-gate #include <sys/stat.h>
417c478bd9Sstevel@tonic-gate #include <fcntl.h>
42505d05c7Sgtb #include <errno.h>
437c478bd9Sstevel@tonic-gate #include <com_err.h>
447c478bd9Sstevel@tonic-gate
457c478bd9Sstevel@tonic-gate #include "utils.h"
467c478bd9Sstevel@tonic-gate #include "krb5_repository.h"
477c478bd9Sstevel@tonic-gate
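/* Text domain used for localized PAM messages. */
#define PAMTXD "SUNW_OST_SYSOSPAM"
/*
 * Default ticket lifetime in seconds (10 hours).  Parenthesized so the
 * macro behaves as a single value when it appears as the right operand of
 * '/' or '%' (60*60*10 unparenthesized would associate wrongly there).
 */
#define KRB5_DEFAULT_LIFE (60*60*10) /* 10 hours */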
507c478bd9Sstevel@tonic-gate
517c478bd9Sstevel@tonic-gate extern void krb5_cleanup(pam_handle_t *, void *, int);
527c478bd9Sstevel@tonic-gate
537c478bd9Sstevel@tonic-gate static int attempt_refresh_cred(krb5_module_data_t *, char *, int);
547c478bd9Sstevel@tonic-gate static int attempt_delete_initcred(krb5_module_data_t *);
557c478bd9Sstevel@tonic-gate static krb5_error_code krb5_renew_tgt(krb5_module_data_t *, krb5_principal,
567c478bd9Sstevel@tonic-gate krb5_principal, int);
577c478bd9Sstevel@tonic-gate
587c478bd9Sstevel@tonic-gate extern uint_t kwarn_add_warning(char *, int);
597c478bd9Sstevel@tonic-gate extern uint_t kwarn_del_warning(char *);
607c478bd9Sstevel@tonic-gate
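/*
 * pam_sm_setcred
 *
 * PAM "set credentials" entry point of the Kerberos module.  The
 * operation is selected by 'flags':
 *
 *   PAM_ESTABLISH_CRED (also the default when no operation bit is set)
 *   PAM_REINITIALIZE_CRED
 *	Require that pam_sm_authenticate() succeeded on this handle
 *	(kmd->auth_status == PAM_SUCCESS); the credentials it obtained
 *	are written to the credential cache by attempt_refresh_cred().
 *   PAM_REFRESH_CRED
 *	No authentication required.  attempt_refresh_cred() stores new
 *	credentials if the auth pass produced any, else renews the ones
 *	already in the cache.
 *   PAM_DELETE_CRED
 *	No authentication required.  attempt_delete_initcred() releases
 *	the in-memory copy of the initial credentials.
 *
 * Module options: "debug" (verbose syslog output) and "nowarn" (adds
 * PAM_SILENT to flags).
 *
 * Returns a PAM status code.  PAM_IGNORE is returned whenever this module
 * must not influence the outcome for the user: no module data on the
 * handle for an ESTABLISH/REINITIALIZE call (we are not the account
 * authority), pam_sm_authenticate() recorded PAM_IGNORE, or the
 * PAM_REPOSITORY item names a different repository.
 *
 * Every exit taken after the module data lookup goes through 'out', so
 * the per-operation krb5 context is released and the end-of-call debug
 * line is logged on all paths.  Previously three paths (not
 * authenticated, foreign repository, principal already authenticated)
 * returned directly and skipped both.
 */
int
pam_sm_setcred(
	pam_handle_t *pamh,
	int flags,
	int argc,
	const char **argv)
{
	int i;
	int err = 0;
	int debug = 0;
	krb5_module_data_t *kmd = NULL;
	char *user = NULL;
	krb5_repository_data_t *krb5_data = NULL;
	pam_repository_t *rep_data = NULL;

	for (i = 0; i < argc; i++) {
		if (strcasecmp(argv[i], "debug") == 0)
			debug = 1;
		else if (strcasecmp(argv[i], "nowarn") == 0)
			flags = flags | PAM_SILENT;
	}

	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): start: nowarn = %d, flags = 0x%x",
		    flags & PAM_SILENT ? 1 : 0, flags);

	/*
	 * make sure flags are valid: a non-zero value must carry at least
	 * one credential operation bit or PAM_SILENT.
	 */
	if (flags &&
	    !(flags & PAM_ESTABLISH_CRED) &&
	    !(flags & PAM_REINITIALIZE_CRED) &&
	    !(flags & PAM_REFRESH_CRED) &&
	    !(flags & PAM_DELETE_CRED) &&
	    !(flags & PAM_SILENT)) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "PAM-KRB5 (setcred): illegal flag %d", flags);
		err = PAM_SYSTEM_ERR;
		goto out;
	}

	(void) pam_get_item(pamh, PAM_USER, (void**) &user);

	if (user == NULL || *user == '\0') {
		err = PAM_USER_UNKNOWN;
		goto out;
	}

	if (pam_get_data(pamh, KRB5_DATA, (const void**)&kmd) != PAM_SUCCESS) {
		if (debug) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): kmd get failed, kmd=0x%p",
			    kmd);
		}

		/*
		 * User doesn't need to authenticate for PAM_REFRESH_CRED
		 * or for PAM_DELETE_CRED, so attach fresh module data to
		 * the handle for those operations.
		 */
		if (flags & (PAM_REFRESH_CRED|PAM_DELETE_CRED)) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): inst kmd structure");

			kmd = calloc(1, sizeof (krb5_module_data_t));

			if (kmd == NULL) {
				err = PAM_BUF_ERR;
				goto out;
			}

			/*
			 * Need to initialize auth_status here to
			 * PAM_AUTHINFO_UNAVAIL else there is a false positive
			 * of PAM_SUCCESS (calloc() leaves the field zeroed).
			 */
			kmd->auth_status = PAM_AUTHINFO_UNAVAIL;

			if ((err = pam_set_data(pamh, KRB5_DATA,
			    kmd, &krb5_cleanup)) != PAM_SUCCESS) {
				/*
				 * Not attached to the handle, so krb5_cleanup
				 * will never see it: release it here and make
				 * sure 'out' does not touch it.
				 */
				free(kmd);
				kmd = NULL;
				err = PAM_SYSTEM_ERR;
				goto out;
			}
		} else {
			/*
			 * This could mean that we are not the account authority
			 * for the authenticated user. Therefore we should
			 * return PAM_IGNORE in order to not affect the
			 * login process of said user.
			 */
			err = PAM_IGNORE;
			goto out;
		}

	} else { /* pam_get_data success */
		if (kmd == NULL) {
			if (debug) {
				__pam_log(LOG_AUTH | LOG_DEBUG,
				    "PAM-KRB5 (setcred): kmd structure"
				    " gotten but is NULL for user %s", user);
			}
			err = PAM_SYSTEM_ERR;
			goto out;
		}

		if (debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): kmd auth_status: %s",
			    pam_strerror(pamh, kmd->auth_status));

		/*
		 * pam_auth has set status to ignore, so we also return ignore
		 */
		if (kmd->auth_status == PAM_IGNORE) {
			err = PAM_IGNORE;
			goto out;
		}
	}

	kmd->debug = debug;

	/*
	 * User must have passed pam_authenticate()
	 * in order to use PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED
	 */
	if ((flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED)) &&
	    (kmd->auth_status != PAM_SUCCESS)) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): unable to "
			    "setcreds, not authenticated!");
		err = PAM_CRED_UNAVAIL;
		goto out;
	}

	/*
	 * We cannot assume that kmd->kcontext being non-NULL
	 * means it is valid. Other pam_krb5 mods may have
	 * freed it but not reset it to NULL.
	 * Log a message when debugging to track down memory
	 * leaks.  Note that 'out' below frees a non-NULL kcontext
	 * regardless (pre-existing behaviour); if the pointer really
	 * were dangling that would be a double free.
	 * NOTE(review): confirm the authenticate path NULLs kcontext
	 * after freeing it.
	 */
	if (kmd->kcontext != NULL && kmd->debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): kcontext != NULL, "
		    "possible memory leak.");

	/*
	 * Use the authenticated and validated user, if applicable.
	 */
	if (kmd->user != NULL)
		user = kmd->user;

	/*
	 * If auth was short-circuited we will not have anything to
	 * renew, so just return here.
	 */
	(void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data);

	if (rep_data != NULL) {
		if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) {
			if (debug)
				__pam_log(LOG_AUTH | LOG_DEBUG,
				    "PAM-KRB5 (setcred): wrong"
				    "repository found (%s), returning "
				    "PAM_IGNORE", rep_data->type);
			err = PAM_IGNORE;
			goto out;
		}
		/*
		 * Only interpret the opaque scope payload when its length
		 * is exactly that of krb5_repository_data_t.
		 */
		if (rep_data->scope_len == sizeof (krb5_repository_data_t)) {
			krb5_data = (krb5_repository_data_t *)rep_data->scope;

			if (krb5_data->flags ==
			    SUNW_PAM_KRB5_ALREADY_AUTHENTICATED &&
			    krb5_data->principal != NULL &&
			    strlen(krb5_data->principal)) {
				if (debug)
					__pam_log(LOG_AUTH | LOG_DEBUG,
					    "PAM-KRB5 (setcred): "
					    "Principal %s already "
					    "authenticated, "
					    "cannot setcred",
					    krb5_data->principal);
				err = PAM_SUCCESS;
				goto out;
			}
		}
	}

	if (flags & PAM_REINITIALIZE_CRED)
		err = attempt_refresh_cred(kmd, user, PAM_REINITIALIZE_CRED);
	else if (flags & PAM_REFRESH_CRED)
		err = attempt_refresh_cred(kmd, user, PAM_REFRESH_CRED);
	else if (flags & PAM_DELETE_CRED)
		err = attempt_delete_initcred(kmd);
	else {
		/*
		 * Default case: PAM_ESTABLISH_CRED
		 */
		err = attempt_refresh_cred(kmd, user, PAM_ESTABLISH_CRED);
	}

	if (err != PAM_SUCCESS)
		__pam_log(LOG_AUTH | LOG_ERR,
		    "PAM-KRB5 (setcred): pam_setcred failed "
		    "for %s (%s).", user, pam_strerror(pamh, err));

out:
	if (kmd && kmd->kcontext) {
		/*
		 * free 'kcontext' field if it is allocated,
		 * kcontext is local to the operation being performed
		 * not considered global to the entire pam module.
		 */
		krb5_free_context(kmd->kcontext);
		kmd->kcontext = NULL;
	}

	/*
	 * 'kmd' is not freed here, it is handled in krb5_cleanup
	 */
	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): end: %s",
		    pam_strerror(pamh, err));
	return (err);
}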
2837c478bd9Sstevel@tonic-gate
/*
 * attempt_refresh_cred
 *
 * Build the client principal for 'user' and the TGS principal of that
 * client's realm, then let krb5_renew_tgt() store or renew the ticket-
 * granting ticket in the default credential cache according to 'flag'
 * (PAM_ESTABLISH_CRED, PAM_REINITIALIZE_CRED or PAM_REFRESH_CRED).
 *
 * A new krb5 context is created in kmd->kcontext for this operation; the
 * caller (pam_sm_setcred) releases it.  kmd->ccache is opened here with
 * krb5_cc_default() and is not closed by this function.
 * NOTE(review): whether krb5_cleanup() closes kmd->ccache is not visible
 * here; if nothing does, the cache handle leaks when the context goes.
 *
 * Returns PAM_SUCCESS; PAM_CRED_ERR when krb5_renew_tgt() fails;
 * PAM_SYSTEM_ERR for context, cache or principal construction failures;
 * or the non-zero value of get_kmd_kuser() passed through unchanged.
 */
static int
attempt_refresh_cred(
	krb5_module_data_t *kmd,
	char *user,
	int flag)
{
	krb5_principal client;
	krb5_principal tgs;
	krb5_data *realm;
	krb5_error_code ret;
	char kuser[2*MAXHOSTNAMELEN];
	krb5_data tgtname = {
		0,
		KRB5_TGS_NAME_SIZE,
		KRB5_TGS_NAME
	};

	/* One context per setcred operation. */
	if (krb5_init_secure_context(&kmd->kcontext) != 0) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): unable to "
			    "initialize krb5 context");
		return (PAM_SYSTEM_ERR);
	}

	if (krb5_cc_default(kmd->kcontext, &kmd->ccache) != 0)
		return (PAM_SYSTEM_ERR);

	/* Expand the PAM user name into a full principal name string. */
	ret = get_kmd_kuser(kmd->kcontext, (const char *)user, kuser,
	    sizeof (kuser));
	if (ret != 0)
		return (ret);

	if (krb5_parse_name(kmd->kcontext, kuser, &client) != 0)
		return (PAM_SYSTEM_ERR);

	/* krbtgt/REALM@REALM, with REALM taken from the client principal. */
	realm = krb5_princ_realm(kmd->kcontext, client);
	ret = krb5_build_principal_ext(kmd->kcontext, &tgs,
	    realm->length, realm->data,
	    tgtname.length, tgtname.data,
	    realm->length, realm->data, 0);
	if (ret != 0) {
		krb5_free_principal(kmd->kcontext, client);
		return (PAM_SYSTEM_ERR);
	}

	ret = krb5_renew_tgt(kmd, client, tgs, flag);

	krb5_free_principal(kmd->kcontext, tgs);
	krb5_free_principal(kmd->kcontext, client);

	if (ret == 0)
		return (PAM_SUCCESS);

	if (kmd->debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5(setcred): krb5_renew_tgt() "
		    "failed: %s", error_message((errcode_t)ret));
	return (PAM_CRED_ERR);
}
3477c478bd9Sstevel@tonic-gate
/*
 * krb5_renew_tgt
 *
 * This code will update the credential matching "server" (the TGS
 * principal built by the caller) in the user's credential cache
 * kmd->ccache.  The flag may be set to one of:
 * PAM_REINITIALIZE_CRED/PAM_ESTABLISH_CRED - If we have new credentials
 * (kmd->auth_status == PAM_SUCCESS) then create a new cred cache with
 * these credentials else return failure.
 * PAM_REFRESH_CRED - If we have new credentials then create a new cred
 * cache with these credentials else attempt to renew the credentials
 * already in the cache.
 *
 * Note for any of the flags that if a new credential does exist from the
 * previous auth pass then this will overwrite any existing credentials in
 * the credential cache.
 *
 * On success, when the cache is FILE: based, the cache file is chown()ed
 * to the local user derived from 'me', and the ticket-expiry warning for
 * that principal is re-registered with ktkt_warnd.
 *
 * Returns 0 on success; otherwise a krb5_error_code, or an errno value
 * (ENOMEM) from the KRB5CCNAME export below.  The caller maps any
 * non-zero value to PAM_CRED_ERR.
 */
static krb5_error_code
krb5_renew_tgt(
	krb5_module_data_t *kmd,
	krb5_principal me,
	krb5_principal server,
	int flag)
{
	krb5_error_code retval;
	krb5_creds creds;
	krb5_creds *renewed_cred = NULL;
	char *client_name = NULL;
	char *username = NULL;

/*
 * The credentials obtained by pam_sm_authenticate() and kept in the
 * module data.  The macro is never #undef'd, so it stays visible to the
 * rest of this file.
 */
#define my_creds (kmd->initcreds)

	if ((flag != PAM_REFRESH_CRED) &&
	    (flag != PAM_REINITIALIZE_CRED) &&
	    (flag != PAM_ESTABLISH_CRED))
		return (KRB5KRB_ERR_GENERIC);

	/* this is needed only for the ktkt_warnd (and the chown below) */
	if ((retval = krb5_unparse_name(kmd->kcontext, me, &client_name)) != 0)
		return (retval);

	(void) memset(&creds, 0, sizeof (krb5_creds));
	if ((retval = krb5_copy_principal(kmd->kcontext,
	    server, &creds.server))) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): krb5_copy_principal "
			    "failed: %s",
			    error_message((errcode_t)retval));
		goto cleanup_creds;
	}

	/*
	 * obtain ticket & session key: ask the cache which client
	 * principal it holds.  'retval' deliberately keeps this result;
	 * the branch below uses it to decide whether a renew is possible.
	 * creds.client comes from the cache while 'me' comes from the PAM
	 * user; the two are never compared here.
	 */
	retval = krb5_cc_get_principal(kmd->kcontext,
	    kmd->ccache, &creds.client);
	if (retval && (kmd->debug))
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): User not in cred "
		    "cache (%s)", error_message((errcode_t)retval));

	/*
	 * We got here either with the ESTABLISH | REINIT | REFRESH flag and
	 * auth_status returns SUCCESS or REFRESH and auth_status failure.
	 *
	 * Rules:
	 * - If the prior auth pass was successful then store the new
	 *   credentials in the cache, regardless of which flag.
	 *
	 * - Else if REFRESH flag is used and there are no new
	 *   credentials then attempt to refresh the existing credentials.
	 *
	 * - Note, refresh will not work if "R" flag is not set in
	 *   original credential. We don't want to 2nd guess the
	 *   intention of the person who created the existing credential.
	 */
	if (kmd->auth_status == PAM_SUCCESS) {
		/*
		 * Create a fresh ccache, and store the credentials
		 * we got from pam_authenticate().  The earlier result of
		 * krb5_cc_get_principal() is discarded here; from now on
		 * 'retval' reflects the initialize/store outcome only.
		 */
		if ((retval = krb5_cc_initialize(kmd->kcontext,
		    kmd->ccache, me)) != 0) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): krb5_cc_initialize "
			    "failed: %s",
			    error_message((errcode_t)retval));
		} else if ((retval = krb5_cc_store_cred(kmd->kcontext,
		    kmd->ccache, &my_creds)) != 0) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): krb5_cc_store_cred "
			    "failed: %s",
			    error_message((errcode_t)retval));
		}
	} else if ((retval == 0) && (flag & PAM_REFRESH_CRED)) {
		/*
		 * Unauthenticated refresh of a cache that already names a
		 * client principal.  If we only wanted to refresh the creds
		 * but failed due to expiration, lack of "R" flag, or other
		 * problems, return an error.
		 */
		if (retval = krb5_get_credentials_renew(kmd->kcontext,
		    0, kmd->ccache, &creds, &renewed_cred)) {
			if (kmd->debug) {
				__pam_log(LOG_AUTH | LOG_DEBUG,
				    "PAM-KRB5 (setcred): "
				    "krb5_get_credentials"
				    "_renew(update) failed: %s",
				    error_message((errcode_t)retval));
			}
		}
	} else {
		/*
		 * We failed to get the user's credentials.
		 * This might be due to permission error on the cache,
		 * or maybe we are looking in the wrong cache file!
		 * 'retval' is the krb5_cc_get_principal() error and is
		 * returned as-is.
		 */
		__pam_log(LOG_AUTH | LOG_ERR,
		    "PAM-KRB5 (setcred): Cannot find creds"
		    " for %s (%s)",
		    client_name ? client_name : "(unknown)",
		    error_message((errcode_t)retval));
	}

cleanup_creds:

	if ((retval == 0) && (client_name != NULL)) {
		/*
		 * Credential update was successful!
		 *
		 * We now chown the ccache to the appropriate uid/gid
		 * combination, if its a FILE based ccache.  kmd->env, when
		 * set, is the complete "KRB5CCNAME=<type>:<path>" string
		 * handed to putenv() (see below), hence strstr() rather than
		 * a prefix test.
		 * NOTE(review): strstr() also accepts "FILE:" occurring later
		 * inside a non-FILE cache name; a strncmp() against
		 * "KRB5CCNAME=FILE:" would be the stricter check.
		 */
		if (!kmd->env || strstr(kmd->env, "FILE:")) {
			uid_t uuid;
			gid_t ugid;
			char *tmpname = NULL;
			char *filepath = NULL;

			/*
			 * Local account name = principal name with the
			 * "@REALM" suffix cut off at the first '@'.  'me'
			 * was built from the PAM user by get_kmd_kuser(),
			 * so this undoes that mapping rather than applying
			 * auth_to_local style rules.
			 */
			username = strdup(client_name);
			if (username == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "PAM-KRB5 (setcred): Out of memory");
				retval = KRB5KRB_ERR_GENERIC;
				goto error;
			}
			if ((tmpname = strchr(username, '@')))
				*tmpname = '\0';

			if (get_pw_uid(username, &uuid) == 0 ||
			    get_pw_gid(username, &ugid) == 0) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "PAM-KRB5 (setcred): Unable to "
				    "find matching uid/gid pair for user `%s'",
				    username);
				retval = KRB5KRB_ERR_GENERIC;
				goto error;
			}

			/*
			 * No cache name was exported by an earlier pass:
			 * publish the conventional FILE:/tmp/krb5cc_<uid>.
			 * NOTE(review): kmd->ccache was resolved by
			 * krb5_cc_default() in attempt_refresh_cred() before
			 * this variable existed, so the path chown()ed below
			 * is the conventional name and not necessarily the
			 * cache that was just written; confirm against the
			 * authenticate path, which presumably always sets
			 * kmd->env.
			 */
			if (!kmd->env) {
				char buffer[512];

				if (snprintf(buffer, sizeof (buffer),
				    "%s=FILE:/tmp/krb5cc_%d", KRB5_ENV_CCNAME,
				    (int)uuid) >= sizeof (buffer)) {
					retval = KRB5KRB_ERR_GENERIC;
					goto error;
				}

				/*
				 * We MUST copy this to the heap for the putenv
				 * to work!  putenv() keeps a reference to the
				 * string instead of copying it, so it has to
				 * outlive this stack frame.
				 */
				kmd->env = strdup(buffer);
				if (!kmd->env) {
					retval = ENOMEM;
					goto error;
				} else {
					if (putenv(kmd->env)) {
						retval = ENOMEM;
						goto error;
					}
				}
			}

			/*
			 * kmd->env has the form KRB5CCNAME=FILE:<path>, so
			 * the first ':' is the one terminating the "FILE"
			 * type tag and the path begins right after it.
			 */

			filepath = strchr(kmd->env, ':');

			/*
			 * Now check if first char after ":" is null char
			 */
			if (filepath[1] == '\0') {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "PAM-KRB5 (setcred): Invalid pathname "
				    "for credential cache of user `%s'",
				    username);
				retval = KRB5KRB_ERR_GENERIC;
				goto error;
			}
			/*
			 * chown() follows symbolic links and the default
			 * cache lives in world-writable /tmp, so a link
			 * planted at that path would redirect the ownership
			 * change to its target.
			 * NOTE(review): the cache file itself is created by
			 * libkrb5, and whether a planted link survives that
			 * creation is not visible here; fchown() on a
			 * descriptor from the cache, or lchown(), would close
			 * the gap.  A failed chown is only logged at debug
			 * level and does not fail the call, which can leave a
			 * cache the user is unable to read.
			 */
			if (chown(filepath+1, uuid, ugid)) {
				if (kmd->debug)
					__pam_log(LOG_AUTH | LOG_DEBUG,
					    "PAM-KRB5 (setcred): chown to user "
					    "`%s' failed for FILE=%s",
					    username, filepath);
			}
		}
	}

error:
	if (retval == 0) {
		krb5_timestamp endtime;

		/*
		 * renewed_cred is only set on the refresh path; otherwise
		 * the warning uses the end time of the stored initcreds.
		 */
		if (renewed_cred && renewed_cred->times.endtime != 0)
			endtime = renewed_cred->times.endtime;
		else
			endtime = my_creds.times.endtime;

		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): delete/add warning");

		/*
		 * Re-register the expiry warning with ktkt_warnd.  Either
		 * call failing is logged at NOTICE but is not an error for
		 * the credential update itself.
		 */
		if (kwarn_del_warning(client_name) != 0) {
			__pam_log(LOG_AUTH | LOG_NOTICE,
			    "PAM-KRB5 (setcred): kwarn_del_warning"
			    " failed: ktkt_warnd(8) down?");
		}

		if (kwarn_add_warning(client_name, endtime) != 0) {
			__pam_log(LOG_AUTH | LOG_NOTICE,
			    "PAM-KRB5 (setcred): kwarn_add_warning"
			    " failed: ktkt_warnd(8) down?");
		}
	}

	if (renewed_cred != NULL)
		krb5_free_creds(kmd->kcontext, renewed_cred);

	if (client_name != NULL)
		free(client_name);

	if (username)
		free(username);

	krb5_free_cred_contents(kmd->kcontext, &creds);

	return (retval);
}
5947c478bd9Sstevel@tonic-gate
/*
 * attempt_delete_initcred
 *
 * Release the in-memory copy of the user's initial credentials
 * (kmd->initcreds) for this session and mark the module data as no
 * longer authenticated.  Only the module data is touched: the on-disk
 * credential cache is left as it is and no kwarn_del_warning() is
 * issued, so PAM_DELETE_CRED here is not a kdestroy.
 *
 * kmd->kcontext may be NULL on this path, as pam_sm_setcred() creates a
 * context only for the refresh/establish operations; the krb5 free
 * routines are assumed to tolerate that.  NOTE(review): confirm.
 *
 * Always returns PAM_SUCCESS, including when kmd is NULL.
 */
static int
attempt_delete_initcred(krb5_module_data_t *kmd)
{
	if (kmd != NULL) {
		if (kmd->debug) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): deleting user's "
			    "credentials (initcreds)");
		}
		krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
		/* zero the struct so a later free sees empty fields */
		(void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
		kmd->auth_status = PAM_AUTHINFO_UNAVAIL;
	}
	return (PAM_SUCCESS);
}