lib/auth/pam/pam.c

   1 /*
   2  * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. All advertising materials mentioning features or use of this software
  18  *    must display the following acknowledgement:
  19  *      This product includes software developed by the Kungliga Tekniska
  20  *      Högskolan and its contributors.
  21  *
  22  * 4. Neither the name of the Institute nor the names of its contributors
  23  *    may be used to endorse or promote products derived from this software
  24  *    without specific prior written permission.
  25  *
  26  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  36  * SUCH DAMAGE.
  37  */
  38
  39 /* This code is extremely ugly, and would probably be better off
  40    beeing completely rewritten */
  41
  42
  43 #ifdef HAVE_CONFIG_H
  44 #include<config.h>
  45 RCSID("$Id$");
  46 #endif
  47
  48 #include <stdio.h>
  49 #include <stdlib.h>
  50 #include <string.h>
  51 #include <pwd.h>
  52 #include <unistd.h>
  53 #include <sys/types.h>
  54
  55 #define PAM_SM_AUTH
  56 #define PAM_SM_SESSION
  57 #include <security/pam_appl.h>
  58 #include <security/pam_modules.h>
  59
  60 #include <netinet/in.h>
  61 #include <krb.h>
  62 #include <kafs.h>
  63
  64 static int
  65 cleanup(pam_handle_t *pamh, void *data, int error_code)
  66 {
  67     if(error_code != PAM_SUCCESS)
  68         dest_tkt();
  69     free(data);
  70     return PAM_SUCCESS;
  71 }
  72
  73 static int
  74 doit(pam_handle_t *pamh, char *name, char *inst, char *pwd, char *tkt)
  75 {
  76     char realm[REALM_SZ];
  77     int ret;
  78
  79     pam_set_data(pamh, "KRBTKFILE", strdup(tkt), cleanup);
  80     krb_set_tkt_string(tkt);
  81
  82     krb_get_lrealm(realm, 1);
  83     ret = krb_verify_user(name, inst, realm, pwd, 1, NULL);
  84     memset(pwd, 0, strlen(pwd));
  85     switch(ret){
  86     case KSUCCESS:
  87         return PAM_SUCCESS;
  88     case KDC_PR_UNKNOWN:
  89         return PAM_USER_UNKNOWN;
  90     case SKDC_CANT:
  91     case SKDC_RETRY:
  92     case RD_AP_TIME:
  93         return PAM_AUTHINFO_UNAVAIL;
  94     default:
  95         return PAM_AUTH_ERR;
  96     }
  97 }
  98
  99 static int
 100 auth_login(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv)
 101 {
 102     int ret;
 103     struct pam_message msg, *pmsg;
 104     struct pam_response *resp;
 105     char prompt[128];
 106
 107     pmsg = &msg;
 108     msg.msg_style = PAM_PROMPT_ECHO_OFF;
 109     snprintf(prompt, sizeof(prompt), "%s's Password: ", user);
 110     msg.msg = prompt;
 111
 112     ret = conv->conv(1, (const struct pam_message**)&pmsg,
 113                      &resp, conv->appdata_ptr);
 114     if(ret != PAM_SUCCESS)
 115         return ret;
 116
 117     {
 118         char tkt[1024];
 119         struct passwd *pw = getpwnam(user);
 120
 121         if(pw){
 122             snprintf(tkt, sizeof(tkt),
 123                      "%s%u", TKT_ROOT, (unsigned)pw->pw_uid);
 124             ret = doit(pamh, user, "", resp->resp, tkt);
 125             if(ret == PAM_SUCCESS)
 126                 chown(tkt, pw->pw_uid, pw->pw_gid);
 127         }else
 128             ret = PAM_USER_UNKNOWN;
 129         memset(resp->resp, 0, strlen(resp->resp));
 130         free(resp->resp);
 131         free(resp);
 132     }
 133     return ret;
 134 }
 135
 136 static int
 137 auth_su(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv)
 138 {
 139     int ret;
 140     struct passwd *pw;
 141     struct pam_message msg, *pmsg;
 142     struct pam_response *resp;
 143     char prompt[128];
 144     krb_principal pr;
 145
 146     pr.realm[0] = 0;
 147     ret = pam_get_user(pamh, &user, "login: ");
 148     if(ret != PAM_SUCCESS)
 149         return ret;
 150
 151     pw = getpwuid(getuid());
 152     if(strcmp(user, "root") == 0){
 153         strcpy_truncate(pr.name, pw->pw_name, sizeof(pr.name));
 154         strcpy_truncate(pr.instance, "root", sizeof(pr.instance));
 155     }else{
 156         strcpy_truncate(pr.name, user, sizeof(pr.name));
 157         pr.instance[0] = 0;
 158     }
 159     pmsg = &msg;
 160     msg.msg_style = PAM_PROMPT_ECHO_OFF;
 161     snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&pr));
 162     msg.msg = prompt;
 163
 164     ret = conv->conv(1, (const struct pam_message**)&pmsg,
 165                      &resp, conv->appdata_ptr);
 166     if(ret != PAM_SUCCESS)
 167         return ret;
 168
 169     {
 170         char tkt[1024];
 171
 172         snprintf(tkt, sizeof(tkt),"%s_%s_to_%s",
 173                  TKT_ROOT, pw->pw_name, user);
 174         ret = doit(pamh, pr.name, pr.instance, resp->resp, tkt);
 175         if(ret == PAM_SUCCESS)
 176             chown(tkt, pw->pw_uid, pw->pw_gid);
 177         memset(resp->resp, 0, strlen(resp->resp));
 178         free(resp->resp);
 179         free(resp);
 180     }
 181     return ret;
 182 }
 183
 184 int
 185 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 186 {
 187     char *user;
 188     int ret;
 189     struct pam_conv *conv;
 190     ret = pam_get_user(pamh, &user, "login: ");
 191     if(ret != PAM_SUCCESS)
 192         return ret;
 193
 194     ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
 195     if(ret != PAM_SUCCESS)
 196         return ret;
 197
 198
 199     if(getuid() != geteuid())
 200         return auth_su(pamh, flags, user, conv);
 201     else
 202         return auth_login(pamh, flags, user, conv);
 203 }
 204
 205 int
 206 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
 207 {
 208     return PAM_SUCCESS;
 209 }
 210
 211
 212 int
 213 pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 214 {
 215     char *tkt;
 216     pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt);
 217     setenv("KRBTKFILE", tkt, 1);
 218     if(k_hasafs()){
 219         k_setpag();
 220         krb_afslog(0, 0);
 221     }
 222     return PAM_SUCCESS;
 223 }
 224
 225
 226 int
 227 pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 228 {
 229     dest_tkt();
 230     if(k_hasafs())
 231         k_unlog();
 232     return PAM_SUCCESS;
 233 }