2 * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by the Kungliga Tekniska
20 * Högskolan and its contributors.
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 /* This code is extremely ugly, and would probably be better off
40 beeing completely rewritten */
53 #include <sys/types.h>
56 #define PAM_SM_SESSION
57 #include <security/pam_appl.h>
58 #include <security/pam_modules.h>
60 #include <netinet/in.h>
65 cleanup(pam_handle_t
*pamh
, void *data
, int error_code
)
67 if(error_code
!= PAM_SUCCESS
)
74 doit(pam_handle_t
*pamh
, char *name
, char *inst
, char *pwd
, char *tkt
)
79 pam_set_data(pamh
, "KRBTKFILE", strdup(tkt
), cleanup
);
80 krb_set_tkt_string(tkt
);
82 krb_get_lrealm(realm
, 1);
83 ret
= krb_verify_user(name
, inst
, realm
, pwd
, 1, NULL
);
84 memset(pwd
, 0, strlen(pwd
));
89 return PAM_USER_UNKNOWN
;
93 return PAM_AUTHINFO_UNAVAIL
;
100 auth_login(pam_handle_t
*pamh
, int flags
, char *user
, struct pam_conv
*conv
)
103 struct pam_message msg
, *pmsg
;
104 struct pam_response
*resp
;
108 msg
.msg_style
= PAM_PROMPT_ECHO_OFF
;
109 snprintf(prompt
, sizeof(prompt
), "%s's Password: ", user
);
112 ret
= conv
->conv(1, (const struct pam_message
**)&pmsg
,
113 &resp
, conv
->appdata_ptr
);
114 if(ret
!= PAM_SUCCESS
)
119 struct passwd
*pw
= getpwnam(user
);
122 snprintf(tkt
, sizeof(tkt
),
123 "%s%u", TKT_ROOT
, (unsigned)pw
->pw_uid
);
124 ret
= doit(pamh
, user
, "", resp
->resp
, tkt
);
125 if(ret
== PAM_SUCCESS
)
126 chown(tkt
, pw
->pw_uid
, pw
->pw_gid
);
128 ret
= PAM_USER_UNKNOWN
;
129 memset(resp
->resp
, 0, strlen(resp
->resp
));
137 auth_su(pam_handle_t
*pamh
, int flags
, char *user
, struct pam_conv
*conv
)
141 struct pam_message msg
, *pmsg
;
142 struct pam_response
*resp
;
147 ret
= pam_get_user(pamh
, &user
, "login: ");
148 if(ret
!= PAM_SUCCESS
)
151 pw
= getpwuid(getuid());
152 if(strcmp(user
, "root") == 0){
153 strcpy_truncate(pr
.name
, pw
->pw_name
, sizeof(pr
.name
));
154 strcpy_truncate(pr
.instance
, "root", sizeof(pr
.instance
));
156 strcpy_truncate(pr
.name
, user
, sizeof(pr
.name
));
160 msg
.msg_style
= PAM_PROMPT_ECHO_OFF
;
161 snprintf(prompt
, sizeof(prompt
), "%s's Password: ", krb_unparse_name(&pr
));
164 ret
= conv
->conv(1, (const struct pam_message
**)&pmsg
,
165 &resp
, conv
->appdata_ptr
);
166 if(ret
!= PAM_SUCCESS
)
172 snprintf(tkt
, sizeof(tkt
),"%s_%s_to_%s",
173 TKT_ROOT
, pw
->pw_name
, user
);
174 ret
= doit(pamh
, pr
.name
, pr
.instance
, resp
->resp
, tkt
);
175 if(ret
== PAM_SUCCESS
)
176 chown(tkt
, pw
->pw_uid
, pw
->pw_gid
);
177 memset(resp
->resp
, 0, strlen(resp
->resp
));
185 pam_sm_authenticate(pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)
189 struct pam_conv
*conv
;
190 ret
= pam_get_user(pamh
, &user
, "login: ");
191 if(ret
!= PAM_SUCCESS
)
194 ret
= pam_get_item(pamh
, PAM_CONV
, (void*)&conv
);
195 if(ret
!= PAM_SUCCESS
)
199 if(getuid() != geteuid())
200 return auth_su(pamh
, flags
, user
, conv
);
202 return auth_login(pamh
, flags
, user
, conv
);
206 pam_sm_setcred(pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)
213 pam_sm_open_session(pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)
216 pam_get_data(pamh
, "KRBTKFILE", (const void**)&tkt
);
217 setenv("KRBTKFILE", tkt
, 1);
227 pam_sm_close_session(pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)