xref: /freebsd/lib/libpam/modules/pam_krb5/pam_krb5.c (revision 6780ab54325a71e7e70112b11657973edde8655e)
1 /*-
2  * This pam_krb5 module contains code that is:
3  *   Copyright (c) Derrick J. Brashear, 1996. All rights reserved.
4  *   Copyright (c) Frank Cusack, 1999-2001. All rights reserved.
5  *   Copyright (c) Jacques A. Vidrine, 2000-2001. All rights reserved.
6  *   Copyright (c) Nicolas Williams, 2001. All rights reserved.
7  *   Copyright (c) Perot Systems Corporation, 2001. All rights reserved.
8  *   Copyright (c) Mark R V Murray, 2001.  All rights reserved.
9  *   Copyright (c) Networks Associates Technology, Inc., 2002.
10  *       All rights reserved.
11  *
12  * Portions of this software were developed for the FreeBSD Project by
13  * ThinkSec AS and NAI Labs, the Security Research Division of Network
14  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
15  * ("CBOSS"), as part of the DARPA CHATS research program.
16  *
17  * Redistribution and use in source and binary forms, with or without
18  * modification, are permitted provided that the following conditions
19  * are met:
20  * 1. Redistributions of source code must retain the above copyright
21  *    notices, and the entire permission notice in its entirety,
22  *    including the disclaimer of warranties.
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following disclaimer in the
25  *    documentation and/or other materials provided with the distribution.
26  * 3. The name of the author may not be used to endorse or promote
27  *    products derived from this software without specific prior
28  *    written permission.
29  *
30  * ALTERNATIVELY, this product may be distributed under the terms of
31  * the GNU Public License, in which case the provisions of the GPL are
32  * required INSTEAD OF the above restrictions.  (This clause is
33  * necessary due to a potential bad interaction between the GPL and
34  * the restrictions contained in a BSD-style copyright.)
35  *
36  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
37  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
38  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
39  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
40  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
41  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
42  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46  * OF THE POSSIBILITY OF SUCH DAMAGE.
47  *
48  */
49 
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
52 
53 #include <sys/types.h>
54 #include <sys/stat.h>
55 #include <errno.h>
56 #include <limits.h>
57 #include <pwd.h>
58 #include <stdio.h>
59 #include <stdlib.h>
60 #include <string.h>
61 #include <syslog.h>
62 #include <unistd.h>
63 
64 #include <krb5.h>
65 #include <com_err.h>
66 
67 #define	PAM_SM_AUTH
68 #define	PAM_SM_ACCOUNT
69 #define	PAM_SM_PASSWORD
70 
71 #include <security/pam_appl.h>
72 #include <security/pam_modules.h>
73 #include <security/pam_mod_misc.h>
74 
75 #define	COMPAT_HEIMDAL
76 /* #define	COMPAT_MIT */
77 
78 static int	verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int);
79 static void	cleanup_cache(pam_handle_t *, void *, int);
80 static const	char *compat_princ_component(krb5_context, krb5_principal, int);
81 static void	compat_free_data_contents(krb5_context, krb5_data *);
82 
83 #define USER_PROMPT		"Username: "
84 #define PASSWORD_PROMPT		"Password:"
85 #define NEW_PASSWORD_PROMPT	"New Password:"
86 
87 enum {
88 	PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
89 	PAM_OPT_CCACHE,
90 	PAM_OPT_FORWARDABLE,
91 	PAM_OPT_NO_CCACHE,
92 	PAM_OPT_REUSE_CCACHE
93 };
94 
95 static struct opttab other_options[] = {
96 	{ "auth_as_self",	PAM_OPT_AUTH_AS_SELF },
97 	{ "ccache",		PAM_OPT_CCACHE },
98 	{ "forwardable",	PAM_OPT_FORWARDABLE },
99 	{ "no_ccache",		PAM_OPT_NO_CCACHE },
100 	{ "reuse_ccache",	PAM_OPT_REUSE_CCACHE },
101 	{ NULL, 0 }
102 };
103 
104 /*
105  * authentication management
106  */
107 PAM_EXTERN int
108 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
109     int argc, const char *argv[])
110 {
111 	krb5_error_code krbret;
112 	krb5_context pam_context;
113 	krb5_creds creds;
114 	krb5_principal princ;
115 	krb5_ccache ccache;
116 	krb5_get_init_creds_opt opts;
117 	struct options options;
118 	struct passwd *pwd;
119 	int retval;
120 	const char *sourceuser, *user, *pass, *service;
121 	char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
122 
123 	pam_std_option(&options, other_options, argc, argv);
124 
125 	PAM_LOG("Options processed");
126 
127 	retval = pam_get_user(pamh, &user, USER_PROMPT);
128 	if (retval != PAM_SUCCESS)
129 		return (retval);
130 
131 	PAM_LOG("Got user: %s", user);
132 
133 	retval = pam_get_item(pamh, PAM_RUSER, (const void **)&sourceuser);
134 	if (retval != PAM_SUCCESS)
135 		return (retval);
136 
137 	PAM_LOG("Got ruser: %s", sourceuser);
138 
139 	service = NULL;
140 	pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
141 	if (service == NULL)
142 		service = "unknown";
143 
144 	PAM_LOG("Got service: %s", service);
145 
146 	krbret = krb5_init_context(&pam_context);
147 	if (krbret != 0) {
148 		PAM_VERBOSE_ERROR("Kerberos 5 error");
149 		return (PAM_SERVICE_ERR);
150 	}
151 
152 	PAM_LOG("Context initialised");
153 
154 	krb5_get_init_creds_opt_init(&opts);
155 
156 	if (pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL))
157 		krb5_get_init_creds_opt_set_forwardable(&opts, 1);
158 
159 	PAM_LOG("Credentials initialised");
160 
161 	krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
162 	if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
163 		PAM_VERBOSE_ERROR("Kerberos 5 error");
164 		retval = PAM_SERVICE_ERR;
165 		goto cleanup3;
166 	}
167 
168 	PAM_LOG("Done krb5_cc_register()");
169 
170 	/* Get principal name */
171 	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
172 		asprintf(&principal, "%s/%s", sourceuser, user);
173 	else
174 		principal = strdup(user);
175 
176 	PAM_LOG("Created principal: %s", principal);
177 
178 	krbret = krb5_parse_name(pam_context, principal, &princ);
179 	free(principal);
180 	if (krbret != 0) {
181 		PAM_LOG("Error krb5_parse_name(): %s",
182 		    krb5_get_err_text(pam_context, krbret));
183 		PAM_VERBOSE_ERROR("Kerberos 5 error");
184 		retval = PAM_SERVICE_ERR;
185 		goto cleanup3;
186 	}
187 
188 	PAM_LOG("Done krb5_parse_name()");
189 
190 	/* Now convert the principal name into something human readable */
191 	princ_name = NULL;
192 	krbret = krb5_unparse_name(pam_context, princ, &princ_name);
193 	if (krbret != 0) {
194 		PAM_LOG("Error krb5_unparse_name(): %s",
195 		    krb5_get_err_text(pam_context, krbret));
196 		PAM_VERBOSE_ERROR("Kerberos 5 error");
197 		retval = PAM_SERVICE_ERR;
198 		goto cleanup2;
199 	}
200 
201 	PAM_LOG("Got principal: %s", princ_name);
202 
203 	/* Get password */
204 	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
205 	if (retval != PAM_SUCCESS)
206 		goto cleanup2;
207 
208 	PAM_LOG("Got password");
209 
210 	/* Verify the local user exists (AFTER getting the password) */
211 	if (strchr(user, '@')) {
212 		/* get a local account name for this principal */
213 		krbret = krb5_aname_to_localname(pam_context, princ,
214 		    sizeof(luser), luser);
215 		if (krbret != 0) {
216 			PAM_VERBOSE_ERROR("Kerberos 5 error");
217 			PAM_LOG("Error krb5_aname_to_localname(): %s",
218 			    krb5_get_err_text(pam_context, krbret));
219 			retval = PAM_USER_UNKNOWN;
220 			goto cleanup2;
221 		}
222 
223 		retval = pam_set_item(pamh, PAM_USER, luser);
224 		if (retval != PAM_SUCCESS)
225 			goto cleanup2;
226 
227 		retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
228 		if (retval != PAM_SUCCESS)
229 			goto cleanup2;
230 
231 		PAM_LOG("PAM_USER Redone");
232 	}
233 
234 	pwd = getpwnam(user);
235 	if (pwd == NULL) {
236 		retval = PAM_USER_UNKNOWN;
237 		goto cleanup2;
238 	}
239 
240 	PAM_LOG("Done getpwnam()");
241 
242 	/* Get a TGT */
243 	memset(&creds, 0, sizeof(krb5_creds));
244 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
245 	    pass, NULL, pamh, 0, NULL, &opts);
246 	if (krbret != 0) {
247 		PAM_VERBOSE_ERROR("Kerberos 5 error");
248 		PAM_LOG("Error krb5_get_init_creds_password(): %s",
249 		    krb5_get_err_text(pam_context, krbret));
250 		retval = PAM_AUTH_ERR;
251 		goto cleanup2;
252 	}
253 
254 	PAM_LOG("Got TGT");
255 
256 	/* Generate a temporary cache */
257 	krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache);
258 	if (krbret != 0) {
259 		PAM_VERBOSE_ERROR("Kerberos 5 error");
260 		PAM_LOG("Error krb5_cc_gen_new(): %s",
261 		    krb5_get_err_text(pam_context, krbret));
262 		retval = PAM_SERVICE_ERR;
263 		goto cleanup;
264 	}
265 	krbret = krb5_cc_initialize(pam_context, ccache, princ);
266 	if (krbret != 0) {
267 		PAM_VERBOSE_ERROR("Kerberos 5 error");
268 		PAM_LOG("Error krb5_cc_initialize(): %s",
269 		    krb5_get_err_text(pam_context, krbret));
270 		retval = PAM_SERVICE_ERR;
271 		goto cleanup;
272 	}
273 	krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
274 	if (krbret != 0) {
275 		PAM_VERBOSE_ERROR("Kerberos 5 error");
276 		PAM_LOG("Error krb5_cc_store_cred(): %s",
277 		    krb5_get_err_text(pam_context, krbret));
278 		krb5_cc_destroy(pam_context, ccache);
279 		retval = PAM_SERVICE_ERR;
280 		goto cleanup;
281 	}
282 
283 	PAM_LOG("Credentials stashed");
284 
285 	/* Verify them */
286 	if ((srvdup = strdup(service)) == NULL) {
287 		retval = PAM_BUF_ERR;
288 		goto cleanup;
289 	}
290 	krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
291 	    pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL));
292 	free(srvdup);
293 	if (krbret == -1) {
294 		PAM_VERBOSE_ERROR("Kerberos 5 error");
295 		krb5_cc_destroy(pam_context, ccache);
296 		retval = PAM_AUTH_ERR;
297 		goto cleanup;
298 	}
299 
300 	PAM_LOG("Credentials stash verified");
301 
302 	retval = pam_get_data(pamh, "ccache", (const void **)&ccache_name);
303 	if (retval == PAM_SUCCESS) {
304 		krb5_cc_destroy(pam_context, ccache);
305 		PAM_VERBOSE_ERROR("Kerberos 5 error");
306 		retval = PAM_AUTH_ERR;
307 		goto cleanup;
308 	}
309 
310 	PAM_LOG("Credentials stash not pre-existing");
311 
312 	asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(pam_context,
313 		ccache), krb5_cc_get_name(pam_context, ccache));
314 	if (ccache_name == NULL) {
315 		PAM_VERBOSE_ERROR("Kerberos 5 error");
316 		retval = PAM_BUF_ERR;
317 		goto cleanup;
318 	}
319 	retval = pam_set_data(pamh, "ccache", ccache_name, cleanup_cache);
320 	if (retval != 0) {
321 		krb5_cc_destroy(pam_context, ccache);
322 		PAM_VERBOSE_ERROR("Kerberos 5 error");
323 		retval = PAM_SERVICE_ERR;
324 		goto cleanup;
325 	}
326 
327 	PAM_LOG("Credentials stash saved");
328 
329 cleanup:
330 	krb5_free_cred_contents(pam_context, &creds);
331 	PAM_LOG("Done cleanup");
332 cleanup2:
333 	krb5_free_principal(pam_context, princ);
334 	PAM_LOG("Done cleanup2");
335 cleanup3:
336 	if (princ_name)
337 		free(princ_name);
338 
339 	krb5_free_context(pam_context);
340 
341 	PAM_LOG("Done cleanup3");
342 
343 	if (retval != PAM_SUCCESS)
344 		PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
345 
346 	return (retval);
347 }
348 
349 PAM_EXTERN int
350 pam_sm_setcred(pam_handle_t *pamh, int flags,
351     int argc, const char *argv[])
352 {
353 
354 	krb5_error_code krbret;
355 	krb5_context pam_context;
356 	krb5_principal princ;
357 	krb5_creds creds;
358 	krb5_ccache ccache_temp, ccache_perm;
359 	krb5_cc_cursor cursor;
360 	struct options options;
361 	struct passwd *pwd = NULL;
362 	int retval;
363 	char *user;
364 	char *cache_name, *cache_env_name, *p, *q;
365 
366 	uid_t euid;
367 	gid_t egid;
368 
369 	pam_std_option(&options, other_options, argc, argv);
370 
371 	PAM_LOG("Options processed");
372 
373 	if (flags & PAM_DELETE_CRED)
374 		return (PAM_SUCCESS);
375 
376 	if (flags & PAM_REFRESH_CRED)
377 		return (PAM_SUCCESS);
378 
379 	if (flags & PAM_REINITIALIZE_CRED)
380 		return (PAM_SUCCESS);
381 
382 	if (!(flags & PAM_ESTABLISH_CRED))
383 		return (PAM_SERVICE_ERR);
384 
385 	PAM_LOG("Establishing credentials");
386 
387 	/* Get username */
388 	retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
389 	if (retval != PAM_SUCCESS)
390 		return (retval);
391 
392 	PAM_LOG("Got user: %s", user);
393 
394 	krbret = krb5_init_context(&pam_context);
395 	if (krbret != 0) {
396 		PAM_LOG("Error krb5_init_context() failed");
397 		return (PAM_SERVICE_ERR);
398 	}
399 
400 	PAM_LOG("Context initialised");
401 
402 	euid = geteuid();	/* Usually 0 */
403 	egid = getegid();
404 
405 	PAM_LOG("Got euid, egid: %d %d", euid, egid);
406 
407 	/* Retrieve the temporary cache */
408 	retval = pam_get_data(pamh, "ccache", (const void **)&cache_name);
409 	if (retval != PAM_SUCCESS) {
410 		retval = PAM_CRED_UNAVAIL;
411 		goto cleanup3;
412 	}
413 	krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_temp);
414 	if (krbret != 0) {
415 		PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", cache_name,
416 		    krb5_get_err_text(pam_context, krbret));
417 		retval = PAM_SERVICE_ERR;
418 		goto cleanup3;
419 	}
420 
421 	/* Get the uid. This should exist. */
422 	pwd = getpwnam(user);
423 	if (pwd == NULL) {
424 		retval = PAM_USER_UNKNOWN;
425 		goto cleanup3;
426 	}
427 
428 	PAM_LOG("Done getpwnam()");
429 
430 	/* Avoid following a symlink as root */
431 	if (setegid(pwd->pw_gid)) {
432 		retval = PAM_SERVICE_ERR;
433 		goto cleanup3;
434 	}
435 	if (seteuid(pwd->pw_uid)) {
436 		retval = PAM_SERVICE_ERR;
437 		goto cleanup3;
438 	}
439 
440 	PAM_LOG("Done setegid() & seteuid()");
441 
442 	/* Get the cache name */
443 	cache_name = NULL;
444 	pam_test_option(&options, PAM_OPT_CCACHE, &cache_name);
445 	if (cache_name == NULL)
446 		asprintf(&cache_name, "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
447 
448 	p = calloc(PATH_MAX + 16, sizeof(char));
449 	q = cache_name;
450 
451 	if (p == NULL) {
452 		PAM_LOG("Error malloc(): failure");
453 		retval = PAM_BUF_ERR;
454 		goto cleanup3;
455 	}
456 	cache_name = p;
457 
458 	/* convert %u and %p */
459 	while (*q) {
460 		if (*q == '%') {
461 			q++;
462 			if (*q == 'u') {
463 				sprintf(p, "%d", pwd->pw_uid);
464 				p += strlen(p);
465 			}
466 			else if (*q == 'p') {
467 				sprintf(p, "%d", getpid());
468 				p += strlen(p);
469 			}
470 			else {
471 				/* Not a special token */
472 				*p++ = '%';
473 				q--;
474 			}
475 			q++;
476 		}
477 		else {
478 			*p++ = *q++;
479 		}
480 	}
481 
482 	PAM_LOG("Got cache_name: %s", cache_name);
483 
484 	/* Initialize the new ccache */
485 	krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
486 	if (krbret != 0) {
487 		PAM_LOG("Error krb5_cc_get_principal(): %s",
488 		    krb5_get_err_text(pam_context, krbret));
489 		retval = PAM_SERVICE_ERR;
490 		goto cleanup3;
491 	}
492 	krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
493 	if (krbret != 0) {
494 		PAM_LOG("Error krb5_cc_resolve(): %s",
495 		    krb5_get_err_text(pam_context, krbret));
496 		retval = PAM_SERVICE_ERR;
497 		goto cleanup2;
498 	}
499 	krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
500 	if (krbret != 0) {
501 		PAM_LOG("Error krb5_cc_initialize(): %s",
502 		    krb5_get_err_text(pam_context, krbret));
503 		retval = PAM_SERVICE_ERR;
504 		goto cleanup2;
505 	}
506 
507 	PAM_LOG("Cache initialised");
508 
509 	/* Prepare for iteration over creds */
510 	krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
511 	if (krbret != 0) {
512 		PAM_LOG("Error krb5_cc_start_seq_get(): %s",
513 		    krb5_get_err_text(pam_context, krbret));
514 		krb5_cc_destroy(pam_context, ccache_perm);
515 		retval = PAM_SERVICE_ERR;
516 		goto cleanup2;
517 	}
518 
519 	PAM_LOG("Prepared for iteration");
520 
521 	/* Copy the creds (should be two of them) */
522 	while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp,
523 				&cursor, &creds) == 0)) {
524 		krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
525 		if (krbret != 0) {
526 			PAM_LOG("Error krb5_cc_store_cred(): %s",
527 			    krb5_get_err_text(pam_context, krbret));
528 			krb5_cc_destroy(pam_context, ccache_perm);
529 			krb5_free_cred_contents(pam_context, &creds);
530 			retval = PAM_SERVICE_ERR;
531 			goto cleanup2;
532 		}
533 		krb5_free_cred_contents(pam_context, &creds);
534 		PAM_LOG("Iteration");
535 	}
536 	krb5_cc_end_seq_get(pam_context, ccache_temp, &cursor);
537 
538 	PAM_LOG("Done iterating");
539 
540 	if (strstr(cache_name, "FILE:") == cache_name) {
541 		if (chown(&cache_name[5], pwd->pw_uid, pwd->pw_gid) == -1) {
542 			PAM_LOG("Error chown(): %s", strerror(errno));
543 			krb5_cc_destroy(pam_context, ccache_perm);
544 			retval = PAM_SERVICE_ERR;
545 			goto cleanup2;
546 		}
547 		PAM_LOG("Done chown()");
548 
549 		if (chmod(&cache_name[5], (S_IRUSR | S_IWUSR)) == -1) {
550 			PAM_LOG("Error chmod(): %s", strerror(errno));
551 			krb5_cc_destroy(pam_context, ccache_perm);
552 			retval = PAM_SERVICE_ERR;
553 			goto cleanup2;
554 		}
555 		PAM_LOG("Done chmod()");
556 	}
557 
558 	krb5_cc_close(pam_context, ccache_perm);
559 
560 	PAM_LOG("Cache closed");
561 
562 	cache_env_name = malloc(strlen(cache_name) + 12);
563 	if (!cache_env_name) {
564 		PAM_LOG("Error malloc(): failure");
565 		krb5_cc_destroy(pam_context, ccache_perm);
566 		retval = PAM_BUF_ERR;
567 		goto cleanup2;
568 	}
569 
570 	sprintf(cache_env_name, "KRB5CCNAME=%s", cache_name);
571 	if ((retval = pam_putenv(pamh, cache_env_name)) != 0) {
572 		PAM_LOG("Error pam_putenv(): %s", pam_strerror(pamh, retval));
573 		krb5_cc_destroy(pam_context, ccache_perm);
574 		retval = PAM_SERVICE_ERR;
575 		goto cleanup2;
576 	}
577 
578 	PAM_LOG("Environment done: KRB5CCNAME=%s", cache_name);
579 
580 cleanup2:
581 	krb5_free_principal(pam_context, princ);
582 	PAM_LOG("Done cleanup2");
583 cleanup3:
584 	krb5_free_context(pam_context);
585 	PAM_LOG("Done cleanup3");
586 
587 	seteuid(euid);
588 	setegid(egid);
589 
590 	PAM_LOG("Done seteuid() & setegid()");
591 
592 	return (retval);
593 }
594 
595 /*
596  * account management
597  */
598 PAM_EXTERN int
599 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
600     int argc, const char *argv[])
601 {
602 	krb5_error_code krbret;
603 	krb5_context pam_context;
604 	krb5_ccache ccache;
605 	krb5_principal princ;
606 	struct options options;
607 	int retval;
608 	const char *user, *ccache_name;
609 
610 	pam_std_option(&options, other_options, argc, argv);
611 
612 	PAM_LOG("Options processed");
613 
614 	retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
615 	if (retval != PAM_SUCCESS)
616 		return (retval);
617 
618 	PAM_LOG("Got user: %s", user);
619 
620 	retval = pam_get_data(pamh, "ccache", (const void **)&ccache_name);
621 	if (retval != PAM_SUCCESS)
622 		return (PAM_SUCCESS);
623 
624 	PAM_LOG("Got credentials");
625 
626 	krbret = krb5_init_context(&pam_context);
627 	if (krbret != 0) {
628 		PAM_LOG("Error krb5_init_context() failed");
629 		return (PAM_PERM_DENIED);
630 	}
631 
632 	PAM_LOG("Context initialised");
633 
634 	krbret = krb5_cc_resolve(pam_context, ccache_name, &ccache);
635 	if (krbret != 0) {
636 		PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", ccache_name,
637 		    krb5_get_err_text(pam_context, krbret));
638 		krb5_free_context(pam_context);
639 		return (PAM_PERM_DENIED);
640 	}
641 
642 	PAM_LOG("Got ccache %s", ccache_name);
643 
644 
645 	krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
646 	if (krbret != 0) {
647 		PAM_LOG("Error krb5_cc_get_principal(): %s",
648 		    krb5_get_err_text(pam_context, krbret));
649 		retval = PAM_PERM_DENIED;;
650 		goto cleanup;
651 	}
652 
653 	PAM_LOG("Got principal");
654 
655 	if (krb5_kuserok(pam_context, princ, user))
656 		retval = PAM_SUCCESS;
657 	else
658 		retval = PAM_PERM_DENIED;
659 	krb5_free_principal(pam_context, princ);
660 
661 	PAM_LOG("Done kuserok()");
662 
663 cleanup:
664 	krb5_free_context(pam_context);
665 	PAM_LOG("Done cleanup");
666 
667 	return (retval);
668 
669 }
670 
671 /*
672  * password management
673  */
674 PAM_EXTERN int
675 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
676     int argc, const char *argv[])
677 {
678 	krb5_error_code krbret;
679 	krb5_context pam_context;
680 	krb5_creds creds;
681 	krb5_principal princ;
682 	krb5_get_init_creds_opt opts;
683 	krb5_data result_code_string, result_string;
684 	struct options options;
685 	int result_code, retval;
686 	const char *user, *pass;
687 	char *princ_name, *passdup;
688 
689 	pam_std_option(&options, other_options, argc, argv);
690 
691 	PAM_LOG("Options processed");
692 
693 	if (!(flags & PAM_UPDATE_AUTHTOK))
694 		return (PAM_AUTHTOK_ERR);
695 
696 	retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
697 	if (retval != PAM_SUCCESS)
698 		return (retval);
699 
700 	PAM_LOG("Got user: %s", user);
701 
702 	krbret = krb5_init_context(&pam_context);
703 	if (krbret != 0) {
704 		PAM_LOG("Error krb5_init_context() failed");
705 		return (PAM_SERVICE_ERR);
706 	}
707 
708 	PAM_LOG("Context initialised");
709 
710 	krb5_get_init_creds_opt_init(&opts);
711 
712 	PAM_LOG("Credentials options initialised");
713 
714 	/* Get principal name */
715 	krbret = krb5_parse_name(pam_context, user, &princ);
716 	if (krbret != 0) {
717 		PAM_LOG("Error krb5_parse_name(): %s",
718 		    krb5_get_err_text(pam_context, krbret));
719 		retval = PAM_USER_UNKNOWN;
720 		goto cleanup3;
721 	}
722 
723 	/* Now convert the principal name into something human readable */
724 	princ_name = NULL;
725 	krbret = krb5_unparse_name(pam_context, princ, &princ_name);
726 	if (krbret != 0) {
727 		PAM_LOG("Error krb5_unparse_name(): %s",
728 		    krb5_get_err_text(pam_context, krbret));
729 		retval = PAM_SERVICE_ERR;
730 		goto cleanup2;
731 	}
732 
733 	PAM_LOG("Got principal: %s", princ_name);
734 
735 	/* Get password */
736 	retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
737 	if (retval != PAM_SUCCESS)
738 		goto cleanup2;
739 
740 	PAM_LOG("Got password");
741 
742 	memset(&creds, 0, sizeof(krb5_creds));
743 	krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
744 	    pass, NULL, pamh, 0, "kadmin/changepw", &opts);
745 	if (krbret != 0) {
746 		PAM_LOG("Error krb5_get_init_creds_password()",
747 		    krb5_get_err_text(pam_context, krbret));
748 		retval = PAM_AUTH_ERR;
749 		goto cleanup2;
750 	}
751 
752 	PAM_LOG("Credentials established");
753 
754 	/* Now get the new password */
755 	for (;;) {
756 		retval = pam_get_authtok(pamh,
757 		    PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
758 		if (retval != PAM_TRY_AGAIN)
759 			break;
760 		pam_error(pamh, "Mismatch; try again, EOF to quit.");
761 	}
762 	if (retval != PAM_SUCCESS)
763 		goto cleanup;
764 
765 	PAM_LOG("Got new password");
766 
767 	/* Change it */
768 	if ((passdup = strdup(pass)) == NULL) {
769 		retval = PAM_BUF_ERR;
770 		goto cleanup;
771 	}
772 	krbret = krb5_change_password(pam_context, &creds, passdup,
773 	    &result_code, &result_code_string, &result_string);
774 	free(passdup);
775 	if (krbret != 0) {
776 		PAM_LOG("Error krb5_change_password(): %s",
777 		    krb5_get_err_text(pam_context, krbret));
778 		retval = PAM_AUTHTOK_ERR;
779 		goto cleanup;
780 	}
781 	if (result_code) {
782 		PAM_LOG("Error krb5_change_password(): (result_code)");
783 		retval = PAM_AUTHTOK_ERR;
784 		goto cleanup;
785 	}
786 
787 	PAM_LOG("Password changed");
788 
789 	if (result_string.data)
790 		free(result_string.data);
791 	if (result_code_string.data)
792 		free(result_code_string.data);
793 
794 cleanup:
795 	krb5_free_cred_contents(pam_context, &creds);
796 	PAM_LOG("Done cleanup");
797 cleanup2:
798 	krb5_free_principal(pam_context, princ);
799 	PAM_LOG("Done cleanup2");
800 cleanup3:
801 	if (princ_name)
802 		free(princ_name);
803 
804 	krb5_free_context(pam_context);
805 
806 	PAM_LOG("Done cleanup3");
807 
808 	return (retval);
809 }
810 
811 PAM_MODULE_ENTRY("pam_krb5");
812 
813 /*
814  * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
815  * Modified by Sam Hartman <hartmans@mit.edu> to support PAM services
816  * for Debian.
817  *
818  * Verify the Kerberos ticket-granting ticket just retrieved for the
819  * user.  If the Kerberos server doesn't respond, assume the user is
820  * trying to fake us out (since we DID just get a TGT from what is
821  * supposedly our KDC).  If the host/<host> service is unknown (i.e.,
822  * the local keytab doesn't have it), and we cannot find another
823  * service we do have, let her in.
824  *
825  * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
826  */
827 static int
828 verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
829     char *pam_service, int debug)
830 {
831 	krb5_error_code retval;
832 	krb5_principal princ;
833 	krb5_keyblock *keyblock;
834 	krb5_data packet;
835 	krb5_auth_context auth_context;
836 	char phost[BUFSIZ];
837 	const char *services[3], **service;
838 
839 	packet.data = 0;
840 
841 	/* If possible we want to try and verify the ticket we have
842 	 * received against a keytab.  We will try multiple service
843 	 * principals, including at least the host principal and the PAM
844 	 * service principal.  The host principal is preferred because access
845 	 * to that key is generally sufficient to compromise root, while the
846 	 * service key for this PAM service may be less carefully guarded.
847 	 * It is important to check the keytab first before the KDC so we do
848 	 * not get spoofed by a fake KDC.
849 	 */
850 	services[0] = "host";
851 	services[1] = pam_service;
852 	services[2] = NULL;
853 	keyblock = 0;
854 	retval = -1;
855 	for (service = &services[0]; *service != NULL; service++) {
856 		retval = krb5_sname_to_principal(context, NULL, *service,
857 		    KRB5_NT_SRV_HST, &princ);
858 		if (retval != 0) {
859 			if (debug)
860 				syslog(LOG_DEBUG,
861 				    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
862 				    "krb5_sname_to_principal()",
863 				    krb5_get_err_text(context, retval));
864 			return -1;
865 		}
866 
867 		/* Extract the name directly. */
868 		strncpy(phost, compat_princ_component(context, princ, 1),
869 		    BUFSIZ);
870 		phost[BUFSIZ - 1] = '\0';
871 
872 		/*
873 		 * Do we have service/<host> keys?
874 		 * (use default/configured keytab, kvno IGNORE_VNO to get the
875 		 * first match, and ignore enctype.)
876 		 */
877 		retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
878 		    &keyblock);
879 		if (retval != 0)
880 			continue;
881 		break;
882 	}
883 	if (retval != 0) {	/* failed to find key */
884 		/* Keytab or service key does not exist */
885 		if (debug)
886 			syslog(LOG_DEBUG,
887 			    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
888 			    "krb5_kt_read_service_key()",
889 			    krb5_get_err_text(context, retval));
890 		retval = 0;
891 		goto cleanup;
892 	}
893 	if (keyblock)
894 		krb5_free_keyblock(context, keyblock);
895 
896 	/* Talk to the kdc and construct the ticket. */
897 	auth_context = NULL;
898 	retval = krb5_mk_req(context, &auth_context, 0, *service, phost,
899 		NULL, ccache, &packet);
900 	if (auth_context) {
901 		krb5_auth_con_free(context, auth_context);
902 		auth_context = NULL;	/* setup for rd_req */
903 	}
904 	if (retval) {
905 		if (debug)
906 			syslog(LOG_DEBUG,
907 			    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
908 			    "krb5_mk_req()",
909 			    krb5_get_err_text(context, retval));
910 		retval = -1;
911 		goto cleanup;
912 	}
913 
914 	/* Try to use the ticket. */
915 	retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
916 	    NULL, NULL);
917 	if (retval) {
918 		if (debug)
919 			syslog(LOG_DEBUG,
920 			    "pam_krb5: verify_krb_v5_tgt(): %s: %s",
921 			    "krb5_rd_req()",
922 			    krb5_get_err_text(context, retval));
923 		retval = -1;
924 	}
925 	else
926 		retval = 1;
927 
928 cleanup:
929 	if (packet.data)
930 		compat_free_data_contents(context, &packet);
931 	krb5_free_principal(context, princ);
932 	return retval;
933 }
934 
935 /* Free the memory for cache_name. Called by pam_end() */
936 static void
937 cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused)
938 {
939 	krb5_context pam_context;
940 	krb5_ccache ccache;
941 	krb5_error_code krbret;
942 
943 	if (krb5_init_context(&pam_context))
944 		return;
945 
946 	krbret = krb5_cc_resolve(pam_context, data, &ccache);
947 	if (krbret == 0)
948 		krb5_cc_destroy(pam_context, ccache);
949 	krb5_free_context(pam_context);
950 	free(data);
951 }
952 
953 #ifdef COMPAT_HEIMDAL
954 #ifdef COMPAT_MIT
955 #error This cannot be MIT and Heimdal compatible!
956 #endif
957 #endif
958 
959 #ifndef COMPAT_HEIMDAL
960 #ifndef COMPAT_MIT
961 #error One of COMPAT_MIT and COMPAT_HEIMDAL must be specified!
962 #endif
963 #endif
964 
965 #ifdef COMPAT_HEIMDAL
966 static const char *
967 compat_princ_component(krb5_context context __unused, krb5_principal princ, int n)
968 {
969 	return princ->name.name_string.val[n];
970 }
971 
972 static void
973 compat_free_data_contents(krb5_context context __unused, krb5_data * data)
974 {
975 	krb5_xfree(data->data);
976 }
977 #endif
978 
979 #ifdef COMPAT_MIT
980 static const char *
981 compat_princ_component(krb5_context context, krb5_principal princ, int n)
982 {
983 	return krb5_princ_component(context, princ, n)->data;
984 }
985 
986 static void
987 compat_free_data_contents(krb5_context context, krb5_data * data)
988 {
989 	krb5_free_data_contents(context, data);
990 }
991 #endif
992