1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 5 * Authors: Doug Rabson <dfr@rabson.org> 6 * Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #include <sys/cdefs.h> 31 #include <sys/param.h> 32 #include <sys/stat.h> 33 #include <sys/linker.h> 34 #include <sys/module.h> 35 #include <sys/queue.h> 36 #include <sys/socket.h> 37 #include <sys/sysctl.h> 38 #include <sys/syslog.h> 39 #include <ctype.h> 40 #include <dirent.h> 41 #include <err.h> 42 #include <errno.h> 43 #ifndef WITHOUT_KERBEROS 44 #include <krb5.h> 45 #endif 46 #include <netdb.h> 47 #include <pwd.h> 48 #include <signal.h> 49 #include <stdarg.h> 50 #include <stdio.h> 51 #include <stdlib.h> 52 #include <string.h> 53 #include <unistd.h> 54 #include <arpa/inet.h> 55 #include <netinet/in.h> 56 #include <gssapi/gssapi.h> 57 #include <rpc/rpc.h> 58 #include <rpc/rpc_com.h> 59 60 #include "gssd.h" 61 62 #ifndef _PATH_GSS_MECH 63 #define _PATH_GSS_MECH "/etc/gss/mech" 64 #endif 65 #ifndef _PATH_GSSDSOCK 66 #define _PATH_GSSDSOCK "/var/run/gssd.sock" 67 #endif 68 #define GSSD_CREDENTIAL_CACHE_FILE "/tmp/krb5cc_gssd" 69 70 struct gss_resource { 71 LIST_ENTRY(gss_resource) gr_link; 72 uint64_t gr_id; /* identifier exported to kernel */ 73 void* gr_res; /* GSS-API resource pointer */ 74 }; 75 LIST_HEAD(gss_resource_list, gss_resource) gss_resources; 76 int gss_resource_count; 77 uint32_t gss_next_id; 78 uint32_t gss_start_time; 79 int debug_level; 80 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1]; 81 static char pref_realm[1024]; 82 static int verbose; 83 static int hostbased_initiator_cred; 84 #ifndef WITHOUT_KERBEROS 85 /* 1.2.752.43.13.14 */ 86 static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc = 87 {6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"}; 88 static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = 89 &gss_krb5_set_allowable_enctypes_x_desc; 90 static gss_OID_desc gss_krb5_mech_oid_x_desc = 91 {9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; 92 static gss_OID GSS_KRB5_MECH_OID_X = 93 &gss_krb5_mech_oid_x_desc; 94 #endif 95 96 static void gssd_load_mech(void); 97 static int find_ccache_file(const char *, uid_t, char *); 98 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *); 99 static void gssd_verbose_out(const char *, ...); 100 #ifndef WITHOUT_KERBEROS 101 static krb5_error_code gssd_get_cc_from_keytab(const char *); 102 static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *); 103 #endif 104 void gssd_terminate(int); 105 106 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp); 107 extern int gssd_syscall(char *path); 108 109 int 110 main(int argc, char **argv) 111 { 112 /* 113 * We provide an RPC service on a local-domain socket. The 114 * kernel's GSS-API code will pass what it can't handle 115 * directly to us. 116 */ 117 struct sockaddr_un sun; 118 int fd, oldmask, ch, debug, jailed; 119 SVCXPRT *xprt; 120 size_t jailed_size; 121 122 /* 123 * Initialize the credential cache file name substring and the 124 * search directory list. 125 */ 126 strlcpy(ccfile_substring, "krb5cc_", sizeof(ccfile_substring)); 127 ccfile_dirlist[0] = '\0'; 128 pref_realm[0] = '\0'; 129 debug = 0; 130 verbose = 0; 131 while ((ch = getopt(argc, argv, "dhvs:c:r:")) != -1) { 132 switch (ch) { 133 case 'd': 134 debug_level++; 135 break; 136 case 'h': 137 #ifndef WITHOUT_KERBEROS 138 /* 139 * Enable use of a host based initiator credential 140 * in the default keytab file. 141 */ 142 hostbased_initiator_cred = 1; 143 #else 144 errx(1, "This option not available when built" 145 " without MK_KERBEROS\n"); 146 #endif 147 break; 148 case 'v': 149 verbose = 1; 150 break; 151 case 's': 152 #ifndef WITHOUT_KERBEROS 153 /* 154 * Set the directory search list. This enables use of 155 * find_ccache_file() to search the directories for a 156 * suitable credentials cache file. 157 */ 158 strlcpy(ccfile_dirlist, optarg, sizeof(ccfile_dirlist)); 159 #else 160 errx(1, "This option not available when built" 161 " without MK_KERBEROS\n"); 162 #endif 163 break; 164 case 'c': 165 /* 166 * Specify a non-default credential cache file 167 * substring. 168 */ 169 strlcpy(ccfile_substring, optarg, 170 sizeof(ccfile_substring)); 171 break; 172 case 'r': 173 /* 174 * Set the preferred realm for the credential cache tgt. 175 */ 176 strlcpy(pref_realm, optarg, sizeof(pref_realm)); 177 break; 178 default: 179 fprintf(stderr, 180 "usage: %s [-d] [-s dir-list] [-c file-substring]" 181 " [-r preferred-realm]\n", argv[0]); 182 exit(1); 183 break; 184 } 185 } 186 187 gssd_load_mech(); 188 189 if (!debug_level) { 190 if (daemon(0, 0) != 0) 191 err(1, "Can't daemonize"); 192 signal(SIGINT, SIG_IGN); 193 signal(SIGQUIT, SIG_IGN); 194 signal(SIGHUP, SIG_IGN); 195 } 196 signal(SIGTERM, gssd_terminate); 197 signal(SIGPIPE, gssd_terminate); 198 199 memset(&sun, 0, sizeof sun); 200 sun.sun_family = AF_LOCAL; 201 unlink(_PATH_GSSDSOCK); 202 strcpy(sun.sun_path, _PATH_GSSDSOCK); 203 sun.sun_len = SUN_LEN(&sun); 204 fd = socket(AF_LOCAL, SOCK_STREAM, 0); 205 if (fd < 0) { 206 if (debug_level == 0) { 207 syslog(LOG_ERR, "Can't create local gssd socket"); 208 exit(1); 209 } 210 err(1, "Can't create local gssd socket"); 211 } 212 oldmask = umask(S_IXUSR|S_IRWXG|S_IRWXO); 213 if (bind(fd, (struct sockaddr *) &sun, sun.sun_len) < 0) { 214 if (debug_level == 0) { 215 syslog(LOG_ERR, "Can't bind local gssd socket"); 216 exit(1); 217 } 218 err(1, "Can't bind local gssd socket"); 219 } 220 umask(oldmask); 221 if (listen(fd, SOMAXCONN) < 0) { 222 if (debug_level == 0) { 223 syslog(LOG_ERR, "Can't listen on local gssd socket"); 224 exit(1); 225 } 226 err(1, "Can't listen on local gssd socket"); 227 } 228 xprt = svc_vc_create(fd, RPC_MAXDATASIZE, RPC_MAXDATASIZE); 229 if (!xprt) { 230 if (debug_level == 0) { 231 syslog(LOG_ERR, 232 "Can't create transport for local gssd socket"); 233 exit(1); 234 } 235 err(1, "Can't create transport for local gssd socket"); 236 } 237 if (!svc_reg(xprt, GSSD, GSSDVERS, gssd_1, NULL)) { 238 if (debug_level == 0) { 239 syslog(LOG_ERR, 240 "Can't register service for local gssd socket"); 241 exit(1); 242 } 243 err(1, "Can't register service for local gssd socket"); 244 } 245 246 LIST_INIT(&gss_resources); 247 gss_next_id = 1; 248 gss_start_time = time(0); 249 250 if (gssd_syscall(_PATH_GSSDSOCK) < 0) { 251 jailed = 0; 252 if (errno == EPERM) { 253 jailed_size = sizeof(jailed); 254 sysctlbyname("security.jail.jailed", &jailed, 255 &jailed_size, NULL, 0); 256 } 257 if (debug_level == 0) { 258 if (jailed != 0) 259 syslog(LOG_ERR, "Cannot start gssd." 260 " allow.nfsd must be configured"); 261 else 262 syslog(LOG_ERR, "Cannot start gssd"); 263 exit(1); 264 } 265 if (jailed != 0) 266 err(1, "Cannot start gssd." 267 " allow.nfsd must be configured"); 268 else 269 err(1, "Cannot start gssd"); 270 } 271 svc_run(); 272 gssd_syscall(""); 273 274 return (0); 275 } 276 277 static void 278 gssd_load_mech(void) 279 { 280 FILE *fp; 281 char buf[256]; 282 char *p; 283 char *name, *oid, *lib, *kobj; 284 285 fp = fopen(_PATH_GSS_MECH, "r"); 286 if (!fp) 287 return; 288 289 while (fgets(buf, sizeof(buf), fp)) { 290 if (*buf == '#') 291 continue; 292 p = buf; 293 name = strsep(&p, "\t\n "); 294 if (p) while (isspace(*p)) p++; 295 oid = strsep(&p, "\t\n "); 296 if (p) while (isspace(*p)) p++; 297 lib = strsep(&p, "\t\n "); 298 if (p) while (isspace(*p)) p++; 299 kobj = strsep(&p, "\t\n "); 300 if (!name || !oid || !lib || !kobj) 301 continue; 302 303 if (strcmp(kobj, "-")) { 304 /* 305 * Attempt to load the kernel module if its 306 * not already present. 307 */ 308 if (modfind(kobj) < 0) { 309 if (kldload(kobj) < 0) { 310 fprintf(stderr, 311 "%s: can't find or load kernel module %s for %s\n", 312 getprogname(), kobj, name); 313 } 314 } 315 } 316 } 317 fclose(fp); 318 } 319 320 static void * 321 gssd_find_resource(uint64_t id) 322 { 323 struct gss_resource *gr; 324 325 if (!id) 326 return (NULL); 327 328 LIST_FOREACH(gr, &gss_resources, gr_link) 329 if (gr->gr_id == id) 330 return (gr->gr_res); 331 332 return (NULL); 333 } 334 335 static uint64_t 336 gssd_make_resource(void *res) 337 { 338 struct gss_resource *gr; 339 340 if (!res) 341 return (0); 342 343 gr = malloc(sizeof(struct gss_resource)); 344 if (!gr) 345 return (0); 346 gr->gr_id = (gss_next_id++) + ((uint64_t) gss_start_time << 32); 347 gr->gr_res = res; 348 LIST_INSERT_HEAD(&gss_resources, gr, gr_link); 349 gss_resource_count++; 350 if (debug_level > 1) 351 printf("%d resources allocated\n", gss_resource_count); 352 353 return (gr->gr_id); 354 } 355 356 static void 357 gssd_delete_resource(uint64_t id) 358 { 359 struct gss_resource *gr; 360 361 LIST_FOREACH(gr, &gss_resources, gr_link) { 362 if (gr->gr_id == id) { 363 LIST_REMOVE(gr, gr_link); 364 free(gr); 365 gss_resource_count--; 366 if (debug_level > 1) 367 printf("%d resources allocated\n", 368 gss_resource_count); 369 return; 370 } 371 } 372 } 373 374 static void 375 gssd_verbose_out(const char *fmt, ...) 376 { 377 va_list ap; 378 379 if (verbose != 0) { 380 va_start(ap, fmt); 381 if (debug_level == 0) 382 vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap); 383 else 384 vfprintf(stderr, fmt, ap); 385 va_end(ap); 386 } 387 } 388 389 bool_t 390 gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp) 391 { 392 393 gssd_verbose_out("gssd_null: done\n"); 394 return (TRUE); 395 } 396 397 bool_t 398 gssd_init_sec_context_1_svc(init_sec_context_args *argp, init_sec_context_res *result, struct svc_req *rqstp) 399 { 400 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 401 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 402 gss_name_t name = GSS_C_NO_NAME; 403 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 404 int gotone, gotcred; 405 OM_uint32 min_stat; 406 #ifndef WITHOUT_KERBEROS 407 gss_buffer_desc principal_desc; 408 char enctype[sizeof(uint32_t)]; 409 int key_enctype; 410 OM_uint32 maj_stat; 411 #endif 412 413 memset(result, 0, sizeof(*result)); 414 if (hostbased_initiator_cred != 0 && argp->cred != 0 && 415 argp->uid == 0) { 416 /* 417 * These credentials are for a host based initiator name 418 * in a keytab file, which should now have credentials 419 * in /tmp/krb5cc_gssd, because gss_acquire_cred() did 420 * the equivalent of "kinit -k". 421 */ 422 snprintf(ccname, sizeof(ccname), "FILE:%s", 423 GSSD_CREDENTIAL_CACHE_FILE); 424 } else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) { 425 /* 426 * For the "-s" case and no credentials provided as an 427 * argument, search the directory list for an appropriate 428 * credential cache file. If the search fails, return failure. 429 */ 430 gotone = 0; 431 cp = ccfile_dirlist; 432 do { 433 cp2 = strchr(cp, ':'); 434 if (cp2 != NULL) 435 *cp2 = '\0'; 436 gotone = find_ccache_file(cp, argp->uid, ccname); 437 if (gotone != 0) 438 break; 439 if (cp2 != NULL) 440 *cp2++ = ':'; 441 cp = cp2; 442 } while (cp != NULL && *cp != '\0'); 443 if (gotone == 0) { 444 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 445 gssd_verbose_out("gssd_init_sec_context: -s no" 446 " credential cache file found for uid=%d\n", 447 (int)argp->uid); 448 return (TRUE); 449 } 450 } else { 451 /* 452 * If there wasn't a "-s" option or the credentials have 453 * been provided as an argument, do it the old way. 454 * When credentials are provided, the uid should be root. 455 */ 456 if (argp->cred != 0 && argp->uid != 0) { 457 if (debug_level == 0) 458 syslog(LOG_ERR, "gss_init_sec_context:" 459 " cred for non-root"); 460 else 461 fprintf(stderr, "gss_init_sec_context:" 462 " cred for non-root\n"); 463 } 464 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 465 (int) argp->uid); 466 } 467 setenv("KRB5CCNAME", ccname, TRUE); 468 469 if (argp->cred) { 470 cred = gssd_find_resource(argp->cred); 471 if (!cred) { 472 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 473 gssd_verbose_out("gssd_init_sec_context: cred" 474 " resource not found\n"); 475 return (TRUE); 476 } 477 } 478 if (argp->ctx) { 479 ctx = gssd_find_resource(argp->ctx); 480 if (!ctx) { 481 result->major_status = GSS_S_CONTEXT_EXPIRED; 482 gssd_verbose_out("gssd_init_sec_context: context" 483 " resource not found\n"); 484 return (TRUE); 485 } 486 } 487 if (argp->name) { 488 name = gssd_find_resource(argp->name); 489 if (!name) { 490 result->major_status = GSS_S_BAD_NAME; 491 gssd_verbose_out("gssd_init_sec_context: name" 492 " resource not found\n"); 493 return (TRUE); 494 } 495 } 496 gotcred = 0; 497 498 result->major_status = gss_init_sec_context(&result->minor_status, 499 cred, &ctx, name, argp->mech_type, 500 argp->req_flags, argp->time_req, argp->input_chan_bindings, 501 &argp->input_token, &result->actual_mech_type, 502 &result->output_token, &result->ret_flags, &result->time_rec); 503 gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d" 504 " uid=%d\n", (unsigned int)result->major_status, 505 (int)result->minor_status, (int)argp->uid); 506 if (gotcred != 0) 507 gss_release_cred(&min_stat, &cred); 508 509 if (result->major_status == GSS_S_COMPLETE 510 || result->major_status == GSS_S_CONTINUE_NEEDED) { 511 if (argp->ctx) 512 result->ctx = argp->ctx; 513 else 514 result->ctx = gssd_make_resource(ctx); 515 } 516 517 return (TRUE); 518 } 519 520 bool_t 521 gssd_accept_sec_context_1_svc(accept_sec_context_args *argp, accept_sec_context_res *result, struct svc_req *rqstp) 522 { 523 gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; 524 gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; 525 gss_name_t src_name; 526 gss_cred_id_t delegated_cred_handle; 527 528 memset(result, 0, sizeof(*result)); 529 if (argp->ctx) { 530 ctx = gssd_find_resource(argp->ctx); 531 if (!ctx) { 532 result->major_status = GSS_S_CONTEXT_EXPIRED; 533 gssd_verbose_out("gssd_accept_sec_context: ctx" 534 " resource not found\n"); 535 return (TRUE); 536 } 537 } 538 if (argp->cred) { 539 cred = gssd_find_resource(argp->cred); 540 if (!cred) { 541 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 542 gssd_verbose_out("gssd_accept_sec_context: cred" 543 " resource not found\n"); 544 return (TRUE); 545 } 546 } 547 548 memset(result, 0, sizeof(*result)); 549 result->major_status = gss_accept_sec_context(&result->minor_status, 550 &ctx, cred, &argp->input_token, argp->input_chan_bindings, 551 &src_name, &result->mech_type, &result->output_token, 552 &result->ret_flags, &result->time_rec, 553 &delegated_cred_handle); 554 gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n", 555 (unsigned int)result->major_status, (int)result->minor_status); 556 557 if (result->major_status == GSS_S_COMPLETE 558 || result->major_status == GSS_S_CONTINUE_NEEDED) { 559 if (argp->ctx) 560 result->ctx = argp->ctx; 561 else 562 result->ctx = gssd_make_resource(ctx); 563 result->src_name = gssd_make_resource(src_name); 564 result->delegated_cred_handle = 565 gssd_make_resource(delegated_cred_handle); 566 } 567 568 return (TRUE); 569 } 570 571 bool_t 572 gssd_delete_sec_context_1_svc(delete_sec_context_args *argp, delete_sec_context_res *result, struct svc_req *rqstp) 573 { 574 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 575 576 if (ctx) { 577 result->major_status = gss_delete_sec_context( 578 &result->minor_status, &ctx, &result->output_token); 579 gssd_delete_resource(argp->ctx); 580 } else { 581 result->major_status = GSS_S_COMPLETE; 582 result->minor_status = 0; 583 } 584 gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n", 585 (unsigned int)result->major_status, (int)result->minor_status); 586 587 return (TRUE); 588 } 589 590 bool_t 591 gssd_export_sec_context_1_svc(export_sec_context_args *argp, export_sec_context_res *result, struct svc_req *rqstp) 592 { 593 gss_ctx_id_t ctx = gssd_find_resource(argp->ctx); 594 595 if (ctx) { 596 result->major_status = gss_export_sec_context( 597 &result->minor_status, &ctx, 598 &result->interprocess_token); 599 result->format = KGSS_HEIMDAL_1_1; 600 gssd_delete_resource(argp->ctx); 601 } else { 602 result->major_status = GSS_S_FAILURE; 603 result->minor_status = 0; 604 result->interprocess_token.length = 0; 605 result->interprocess_token.value = NULL; 606 } 607 gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n", 608 (unsigned int)result->major_status, (int)result->minor_status); 609 610 return (TRUE); 611 } 612 613 bool_t 614 gssd_import_name_1_svc(import_name_args *argp, import_name_res *result, struct svc_req *rqstp) 615 { 616 gss_name_t name; 617 618 result->major_status = gss_import_name(&result->minor_status, 619 &argp->input_name_buffer, argp->input_name_type, &name); 620 gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n", 621 (unsigned int)result->major_status, (int)result->minor_status); 622 623 if (result->major_status == GSS_S_COMPLETE) 624 result->output_name = gssd_make_resource(name); 625 else 626 result->output_name = 0; 627 628 return (TRUE); 629 } 630 631 /* 632 * If the name is a numeric IP host address, do a DNS lookup on it and 633 * return the DNS name in a malloc'd string. 634 */ 635 static char * 636 gssd_conv_ip_to_dns(int len, char *name) 637 { 638 struct sockaddr_in sin; 639 struct sockaddr_in6 sin6; 640 char *retcp; 641 642 retcp = NULL; 643 if (len > 0) { 644 retcp = mem_alloc(NI_MAXHOST); 645 memcpy(retcp, name, len); 646 retcp[len] = '\0'; 647 if (inet_pton(AF_INET, retcp, &sin.sin_addr) != 0) { 648 sin.sin_family = AF_INET; 649 sin.sin_len = sizeof(sin); 650 sin.sin_port = 0; 651 if (getnameinfo((struct sockaddr *)&sin, 652 sizeof(sin), retcp, NI_MAXHOST, 653 NULL, 0, NI_NAMEREQD) != 0) { 654 mem_free(retcp, NI_MAXHOST); 655 return (NULL); 656 } 657 } else if (inet_pton(AF_INET6, retcp, &sin6.sin6_addr) != 0) { 658 sin6.sin6_family = AF_INET6; 659 sin6.sin6_len = sizeof(sin6); 660 sin6.sin6_port = 0; 661 if (getnameinfo((struct sockaddr *)&sin6, 662 sizeof(sin6), retcp, NI_MAXHOST, 663 NULL, 0, NI_NAMEREQD) != 0) { 664 mem_free(retcp, NI_MAXHOST); 665 return (NULL); 666 } 667 } else { 668 mem_free(retcp, NI_MAXHOST); 669 return (NULL); 670 } 671 gssd_verbose_out("gssd_conv_ip_to_dns: %s\n", retcp); 672 } 673 return (retcp); 674 } 675 676 bool_t 677 gssd_canonicalize_name_1_svc(canonicalize_name_args *argp, canonicalize_name_res *result, struct svc_req *rqstp) 678 { 679 gss_name_t name = gssd_find_resource(argp->input_name); 680 gss_name_t output_name; 681 682 memset(result, 0, sizeof(*result)); 683 if (!name) { 684 result->major_status = GSS_S_BAD_NAME; 685 return (TRUE); 686 } 687 688 result->major_status = gss_canonicalize_name(&result->minor_status, 689 name, argp->mech_type, &output_name); 690 gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n", 691 (unsigned int)result->major_status, (int)result->minor_status); 692 693 if (result->major_status == GSS_S_COMPLETE) 694 result->output_name = gssd_make_resource(output_name); 695 else 696 result->output_name = 0; 697 698 return (TRUE); 699 } 700 701 bool_t 702 gssd_export_name_1_svc(export_name_args *argp, export_name_res *result, struct svc_req *rqstp) 703 { 704 gss_name_t name = gssd_find_resource(argp->input_name); 705 706 memset(result, 0, sizeof(*result)); 707 if (!name) { 708 result->major_status = GSS_S_BAD_NAME; 709 gssd_verbose_out("gssd_export_name: name resource not found\n"); 710 return (TRUE); 711 } 712 713 result->major_status = gss_export_name(&result->minor_status, 714 name, &result->exported_name); 715 gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n", 716 (unsigned int)result->major_status, (int)result->minor_status); 717 718 return (TRUE); 719 } 720 721 bool_t 722 gssd_release_name_1_svc(release_name_args *argp, release_name_res *result, struct svc_req *rqstp) 723 { 724 gss_name_t name = gssd_find_resource(argp->input_name); 725 726 if (name) { 727 result->major_status = gss_release_name(&result->minor_status, 728 &name); 729 gssd_delete_resource(argp->input_name); 730 } else { 731 result->major_status = GSS_S_COMPLETE; 732 result->minor_status = 0; 733 } 734 gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n", 735 (unsigned int)result->major_status, (int)result->minor_status); 736 737 return (TRUE); 738 } 739 740 bool_t 741 gssd_pname_to_uid_1_svc(pname_to_uid_args *argp, pname_to_uid_res *result, struct svc_req *rqstp) 742 { 743 gss_name_t name = gssd_find_resource(argp->pname); 744 uid_t uid; 745 char buf[1024], *bufp; 746 struct passwd pwd, *pw; 747 size_t buflen; 748 int error; 749 static size_t buflen_hint = 1024; 750 751 memset(result, 0, sizeof(*result)); 752 if (name) { 753 result->major_status = 754 gss_pname_to_uid(&result->minor_status, 755 name, argp->mech, &uid); 756 if (result->major_status == GSS_S_COMPLETE) { 757 result->uid = uid; 758 buflen = buflen_hint; 759 for (;;) { 760 pw = NULL; 761 bufp = buf; 762 if (buflen > sizeof(buf)) 763 bufp = malloc(buflen); 764 if (bufp == NULL) 765 break; 766 error = getpwuid_r(uid, &pwd, bufp, buflen, 767 &pw); 768 if (error != ERANGE) 769 break; 770 if (buflen > sizeof(buf)) 771 free(bufp); 772 buflen += 1024; 773 if (buflen > buflen_hint) 774 buflen_hint = buflen; 775 } 776 if (pw) { 777 int len = NGROUPS; 778 int groups[NGROUPS]; 779 result->gid = pw->pw_gid; 780 getgrouplist(pw->pw_name, pw->pw_gid, 781 groups, &len); 782 result->gidlist.gidlist_len = len; 783 result->gidlist.gidlist_val = 784 mem_alloc(len * sizeof(int)); 785 memcpy(result->gidlist.gidlist_val, groups, 786 len * sizeof(int)); 787 gssd_verbose_out("gssd_pname_to_uid: mapped" 788 " to uid=%d, gid=%d\n", (int)result->uid, 789 (int)result->gid); 790 } else { 791 result->gid = 65534; 792 result->gidlist.gidlist_len = 0; 793 result->gidlist.gidlist_val = NULL; 794 gssd_verbose_out("gssd_pname_to_uid: mapped" 795 " to uid=%d, but no groups\n", 796 (int)result->uid); 797 } 798 if (bufp != NULL && buflen > sizeof(buf)) 799 free(bufp); 800 } else 801 gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x" 802 " minor=%d\n", (unsigned int)result->major_status, 803 (int)result->minor_status); 804 } else { 805 result->major_status = GSS_S_BAD_NAME; 806 result->minor_status = 0; 807 gssd_verbose_out("gssd_pname_to_uid: no name\n"); 808 } 809 810 return (TRUE); 811 } 812 813 bool_t 814 gssd_acquire_cred_1_svc(acquire_cred_args *argp, acquire_cred_res *result, struct svc_req *rqstp) 815 { 816 gss_name_t desired_name = GSS_C_NO_NAME; 817 gss_cred_id_t cred; 818 char ccname[PATH_MAX + 5 + 1], *cp, *cp2; 819 int gotone; 820 #ifndef WITHOUT_KERBEROS 821 gss_buffer_desc namebuf; 822 uint32_t minstat; 823 krb5_error_code kret; 824 #endif 825 826 memset(result, 0, sizeof(*result)); 827 if (argp->desired_name) { 828 desired_name = gssd_find_resource(argp->desired_name); 829 if (!desired_name) { 830 result->major_status = GSS_S_BAD_NAME; 831 gssd_verbose_out("gssd_acquire_cred: no desired name" 832 " found\n"); 833 return (TRUE); 834 } 835 } 836 837 #ifndef WITHOUT_KERBEROS 838 if (hostbased_initiator_cred != 0 && argp->desired_name != 0 && 839 argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) { 840 /* This is a host based initiator name in the keytab file. */ 841 snprintf(ccname, sizeof(ccname), "FILE:%s", 842 GSSD_CREDENTIAL_CACHE_FILE); 843 setenv("KRB5CCNAME", ccname, TRUE); 844 result->major_status = gss_display_name(&result->minor_status, 845 desired_name, &namebuf, NULL); 846 gssd_verbose_out("gssd_acquire_cred: desired name for host " 847 "based initiator cred major=0x%x minor=%d\n", 848 (unsigned int)result->major_status, 849 (int)result->minor_status); 850 if (result->major_status != GSS_S_COMPLETE) 851 return (TRUE); 852 if (namebuf.length > PATH_MAX + 5) { 853 result->minor_status = 0; 854 result->major_status = GSS_S_FAILURE; 855 return (TRUE); 856 } 857 memcpy(ccname, namebuf.value, namebuf.length); 858 ccname[namebuf.length] = '\0'; 859 if ((cp = strchr(ccname, '@')) != NULL) 860 *cp = '/'; 861 kret = gssd_get_cc_from_keytab(ccname); 862 gssd_verbose_out("gssd_acquire_cred: using keytab entry for " 863 "%s, kerberos ret=%d\n", ccname, (int)kret); 864 gss_release_buffer(&minstat, &namebuf); 865 if (kret != 0) { 866 result->minor_status = kret; 867 result->major_status = GSS_S_FAILURE; 868 return (TRUE); 869 } 870 } else 871 #endif /* !WITHOUT_KERBEROS */ 872 if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) { 873 /* 874 * For the "-s" case and no name provided as an 875 * argument, search the directory list for an appropriate 876 * credential cache file. If the search fails, return failure. 877 */ 878 gotone = 0; 879 cp = ccfile_dirlist; 880 do { 881 cp2 = strchr(cp, ':'); 882 if (cp2 != NULL) 883 *cp2 = '\0'; 884 gotone = find_ccache_file(cp, argp->uid, ccname); 885 if (gotone != 0) 886 break; 887 if (cp2 != NULL) 888 *cp2++ = ':'; 889 cp = cp2; 890 } while (cp != NULL && *cp != '\0'); 891 if (gotone == 0) { 892 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 893 gssd_verbose_out("gssd_acquire_cred: no cred cache" 894 " file found\n"); 895 return (TRUE); 896 } 897 setenv("KRB5CCNAME", ccname, TRUE); 898 } else { 899 /* 900 * If there wasn't a "-s" option or the name has 901 * been provided as an argument, do it the old way. 902 * When a name is provided, it will normally exist in the 903 * default keytab file and the uid will be root. 904 */ 905 if (argp->desired_name != 0 && argp->uid != 0) { 906 if (debug_level == 0) 907 syslog(LOG_ERR, "gss_acquire_cred:" 908 " principal_name for non-root"); 909 else 910 fprintf(stderr, "gss_acquire_cred:" 911 " principal_name for non-root\n"); 912 } 913 snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d", 914 (int) argp->uid); 915 setenv("KRB5CCNAME", ccname, TRUE); 916 } 917 918 result->major_status = gss_acquire_cred(&result->minor_status, 919 desired_name, argp->time_req, argp->desired_mechs, 920 argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec); 921 gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n", 922 (unsigned int)result->major_status, (int)result->minor_status); 923 924 if (result->major_status == GSS_S_COMPLETE) 925 result->output_cred = gssd_make_resource(cred); 926 else 927 result->output_cred = 0; 928 929 return (TRUE); 930 } 931 932 bool_t 933 gssd_set_cred_option_1_svc(set_cred_option_args *argp, set_cred_option_res *result, struct svc_req *rqstp) 934 { 935 gss_cred_id_t cred = gssd_find_resource(argp->cred); 936 937 memset(result, 0, sizeof(*result)); 938 if (!cred) { 939 result->major_status = GSS_S_CREDENTIALS_EXPIRED; 940 gssd_verbose_out("gssd_set_cred: no credentials\n"); 941 return (TRUE); 942 } 943 944 result->major_status = gss_set_cred_option(&result->minor_status, 945 &cred, argp->option_name, &argp->option_value); 946 gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n", 947 (unsigned int)result->major_status, (int)result->minor_status); 948 949 return (TRUE); 950 } 951 952 bool_t 953 gssd_release_cred_1_svc(release_cred_args *argp, release_cred_res *result, struct svc_req *rqstp) 954 { 955 gss_cred_id_t cred = gssd_find_resource(argp->cred); 956 957 if (cred) { 958 result->major_status = gss_release_cred(&result->minor_status, 959 &cred); 960 gssd_delete_resource(argp->cred); 961 } else { 962 result->major_status = GSS_S_COMPLETE; 963 result->minor_status = 0; 964 } 965 gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n", 966 (unsigned int)result->major_status, (int)result->minor_status); 967 968 return (TRUE); 969 } 970 971 bool_t 972 gssd_display_status_1_svc(display_status_args *argp, display_status_res *result, struct svc_req *rqstp) 973 { 974 975 result->message_context = argp->message_context; 976 result->major_status = gss_display_status(&result->minor_status, 977 argp->status_value, argp->status_type, argp->mech_type, 978 &result->message_context, &result->status_string); 979 gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n", 980 (unsigned int)result->major_status, (int)result->minor_status); 981 982 return (TRUE); 983 } 984 985 bool_t 986 gssd_ip_to_dns_1_svc(ip_to_dns_args *argp, ip_to_dns_res *result, struct svc_req *rqstp) 987 { 988 char *host; 989 990 memset(result, 0, sizeof(*result)); 991 /* Check to see if the name is actually an IP address. */ 992 host = gssd_conv_ip_to_dns(argp->ip_addr.ip_addr_len, 993 argp->ip_addr.ip_addr_val); 994 if (host != NULL) { 995 result->major_status = GSS_S_COMPLETE; 996 result->dns_name.dns_name_len = strlen(host); 997 result->dns_name.dns_name_val = host; 998 return (TRUE); 999 } 1000 result->major_status = GSS_S_FAILURE; 1001 return (TRUE); 1002 } 1003 1004 int 1005 gssd_1_freeresult(SVCXPRT *transp, xdrproc_t xdr_result, caddr_t result) 1006 { 1007 /* 1008 * We don't use XDR to free the results - anything which was 1009 * allocated came from GSS-API. We use xdr_result to figure 1010 * out what to do. 1011 */ 1012 OM_uint32 junk; 1013 1014 if (xdr_result == (xdrproc_t) xdr_init_sec_context_res) { 1015 init_sec_context_res *p = (init_sec_context_res *) result; 1016 gss_release_buffer(&junk, &p->output_token); 1017 } else if (xdr_result == (xdrproc_t) xdr_accept_sec_context_res) { 1018 accept_sec_context_res *p = (accept_sec_context_res *) result; 1019 gss_release_buffer(&junk, &p->output_token); 1020 } else if (xdr_result == (xdrproc_t) xdr_delete_sec_context_res) { 1021 delete_sec_context_res *p = (delete_sec_context_res *) result; 1022 gss_release_buffer(&junk, &p->output_token); 1023 } else if (xdr_result == (xdrproc_t) xdr_export_sec_context_res) { 1024 export_sec_context_res *p = (export_sec_context_res *) result; 1025 if (p->interprocess_token.length) 1026 memset(p->interprocess_token.value, 0, 1027 p->interprocess_token.length); 1028 gss_release_buffer(&junk, &p->interprocess_token); 1029 } else if (xdr_result == (xdrproc_t) xdr_export_name_res) { 1030 export_name_res *p = (export_name_res *) result; 1031 gss_release_buffer(&junk, &p->exported_name); 1032 } else if (xdr_result == (xdrproc_t) xdr_acquire_cred_res) { 1033 acquire_cred_res *p = (acquire_cred_res *) result; 1034 gss_release_oid_set(&junk, &p->actual_mechs); 1035 } else if (xdr_result == (xdrproc_t) xdr_pname_to_uid_res) { 1036 pname_to_uid_res *p = (pname_to_uid_res *) result; 1037 if (p->gidlist.gidlist_val) 1038 free(p->gidlist.gidlist_val); 1039 } else if (xdr_result == (xdrproc_t) xdr_display_status_res) { 1040 display_status_res *p = (display_status_res *) result; 1041 gss_release_buffer(&junk, &p->status_string); 1042 } 1043 1044 return (TRUE); 1045 } 1046 1047 /* 1048 * Search a directory for the most likely candidate to be used as the 1049 * credential cache for a uid. If successful, return 1 and fill the 1050 * file's path id into "rpath". Otherwise, return 0. 1051 */ 1052 static int 1053 find_ccache_file(const char *dirpath, uid_t uid, char *rpath) 1054 { 1055 DIR *dirp; 1056 struct dirent *dp; 1057 struct stat sb; 1058 time_t exptime, oexptime; 1059 int gotone, len, rating, orating; 1060 char namepath[PATH_MAX + 5 + 1]; 1061 char retpath[PATH_MAX + 5 + 1]; 1062 1063 dirp = opendir(dirpath); 1064 if (dirp == NULL) 1065 return (0); 1066 gotone = 0; 1067 orating = 0; 1068 oexptime = 0; 1069 while ((dp = readdir(dirp)) != NULL) { 1070 len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath, 1071 dp->d_name); 1072 if (len < sizeof(namepath) && 1073 (hostbased_initiator_cred == 0 || strcmp(namepath, 1074 GSSD_CREDENTIAL_CACHE_FILE) != 0) && 1075 strstr(dp->d_name, ccfile_substring) != NULL && 1076 lstat(namepath, &sb) >= 0 && 1077 sb.st_uid == uid && 1078 S_ISREG(sb.st_mode)) { 1079 len = snprintf(namepath, sizeof(namepath), "FILE:%s/%s", 1080 dirpath, dp->d_name); 1081 if (len < sizeof(namepath) && 1082 is_a_valid_tgt_cache(namepath, uid, &rating, 1083 &exptime) != 0) { 1084 if (gotone == 0 || rating > orating || 1085 (rating == orating && exptime > oexptime)) { 1086 orating = rating; 1087 oexptime = exptime; 1088 strcpy(retpath, namepath); 1089 gotone = 1; 1090 } 1091 } 1092 } 1093 } 1094 closedir(dirp); 1095 if (gotone != 0) { 1096 strcpy(rpath, retpath); 1097 return (1); 1098 } 1099 return (0); 1100 } 1101 1102 /* 1103 * Try to determine if the file is a valid tgt cache file. 1104 * Check that the file has a valid tgt for a principal. 1105 * If it does, return 1, otherwise return 0. 1106 * It also returns a "rating" and the expiry time for the TGT, when found. 1107 * This "rating" is higher based on heuristics that make it more 1108 * likely to be the correct credential cache file to use. It can 1109 * be used by the caller, along with expiry time, to select from 1110 * multiple credential cache files. 1111 */ 1112 static int 1113 is_a_valid_tgt_cache(const char *filepath, uid_t uid, int *retrating, 1114 time_t *retexptime) 1115 { 1116 #ifndef WITHOUT_KERBEROS 1117 krb5_context context; 1118 krb5_principal princ; 1119 krb5_ccache ccache; 1120 krb5_error_code retval; 1121 krb5_cc_cursor curse; 1122 krb5_creds krbcred; 1123 int gotone, orating, rating, ret; 1124 struct passwd *pw; 1125 char *cp, *cp2, *pname; 1126 time_t exptime; 1127 1128 /* Find a likely name for the uid principal. */ 1129 pw = getpwuid(uid); 1130 1131 /* 1132 * Do a bunch of krb5 library stuff to try and determine if 1133 * this file is a credentials cache with an appropriate TGT 1134 * in it. 1135 */ 1136 retval = krb5_init_context(&context); 1137 if (retval != 0) 1138 return (0); 1139 retval = krb5_cc_resolve(context, filepath, &ccache); 1140 if (retval != 0) { 1141 krb5_free_context(context); 1142 return (0); 1143 } 1144 ret = 0; 1145 orating = 0; 1146 exptime = 0; 1147 retval = krb5_cc_start_seq_get(context, ccache, &curse); 1148 if (retval == 0) { 1149 while ((retval = krb5_cc_next_cred(context, ccache, &curse, 1150 &krbcred)) == 0) { 1151 gotone = 0; 1152 rating = 0; 1153 retval = krb5_unparse_name(context, krbcred.server, 1154 &pname); 1155 if (retval == 0) { 1156 cp = strchr(pname, '/'); 1157 if (cp != NULL) { 1158 *cp++ = '\0'; 1159 if (strcmp(pname, "krbtgt") == 0 && 1160 krbcred.times.endtime > time(NULL) 1161 ) { 1162 gotone = 1; 1163 /* 1164 * Test to see if this is a 1165 * tgt for cross-realm auth. 1166 * Rate it higher, if it is not. 1167 */ 1168 cp2 = strchr(cp, '@'); 1169 if (cp2 != NULL) { 1170 *cp2++ = '\0'; 1171 if (strcmp(cp, cp2) == 1172 0) 1173 rating++; 1174 } 1175 } 1176 } 1177 free(pname); 1178 } 1179 if (gotone != 0) { 1180 retval = krb5_unparse_name(context, 1181 krbcred.client, &pname); 1182 if (retval == 0) { 1183 cp = strchr(pname, '@'); 1184 if (cp != NULL) { 1185 *cp++ = '\0'; 1186 if (pw != NULL && strcmp(pname, 1187 pw->pw_name) == 0) 1188 rating++; 1189 if (strchr(pname, '/') == NULL) 1190 rating++; 1191 if (pref_realm[0] != '\0' && 1192 strcmp(cp, pref_realm) == 0) 1193 rating++; 1194 } 1195 } 1196 free(pname); 1197 if (rating > orating) { 1198 orating = rating; 1199 exptime = krbcred.times.endtime; 1200 } else if (rating == orating && 1201 krbcred.times.endtime > exptime) 1202 exptime = krbcred.times.endtime; 1203 ret = 1; 1204 } 1205 krb5_free_cred_contents(context, &krbcred); 1206 } 1207 krb5_cc_end_seq_get(context, ccache, &curse); 1208 } 1209 krb5_cc_close(context, ccache); 1210 krb5_free_context(context); 1211 if (ret != 0) { 1212 *retrating = orating; 1213 *retexptime = exptime; 1214 } 1215 return (ret); 1216 #else /* WITHOUT_KERBEROS */ 1217 return (0); 1218 #endif /* !WITHOUT_KERBEROS */ 1219 } 1220 1221 #ifndef WITHOUT_KERBEROS 1222 /* 1223 * This function attempts to do essentially a "kinit -k" for the principal 1224 * name provided as the argument, so that there will be a TGT in the 1225 * credential cache. 1226 */ 1227 static krb5_error_code 1228 gssd_get_cc_from_keytab(const char *name) 1229 { 1230 krb5_error_code ret, opt_ret, princ_ret, cc_ret, kt_ret, cred_ret; 1231 krb5_context context; 1232 krb5_principal principal; 1233 krb5_keytab kt; 1234 krb5_creds cred; 1235 krb5_get_init_creds_opt *opt; 1236 krb5_deltat start_time = 0; 1237 krb5_ccache ccache; 1238 1239 ret = krb5_init_context(&context); 1240 if (ret != 0) 1241 return (ret); 1242 opt_ret = cc_ret = kt_ret = cred_ret = 1; /* anything non-zero */ 1243 princ_ret = ret = krb5_parse_name(context, name, &principal); 1244 if (ret == 0) 1245 opt_ret = ret = krb5_get_init_creds_opt_alloc(context, &opt); 1246 if (ret == 0) 1247 cc_ret = ret = krb5_cc_default(context, &ccache); 1248 if (ret == 0) 1249 ret = krb5_cc_initialize(context, ccache, principal); 1250 if (ret == 0) { 1251 krb5_get_init_creds_opt_set_default_flags(context, "gssd", 1252 krb5_principal_get_realm(context, principal), opt); 1253 kt_ret = ret = krb5_kt_default(context, &kt); 1254 } 1255 if (ret == 0) 1256 cred_ret = ret = krb5_get_init_creds_keytab(context, &cred, 1257 principal, kt, start_time, NULL, opt); 1258 if (ret == 0) 1259 ret = krb5_cc_store_cred(context, ccache, &cred); 1260 if (kt_ret == 0) 1261 krb5_kt_close(context, kt); 1262 if (cc_ret == 0) 1263 krb5_cc_close(context, ccache); 1264 if (opt_ret == 0) 1265 krb5_get_init_creds_opt_free(context, opt); 1266 if (princ_ret == 0) 1267 krb5_free_principal(context, principal); 1268 if (cred_ret == 0) 1269 krb5_free_cred_contents(context, &cred); 1270 krb5_free_context(context); 1271 return (ret); 1272 } 1273 1274 /* 1275 * Acquire a gss credential for a uid. 1276 */ 1277 static OM_uint32 1278 gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp) 1279 { 1280 gss_buffer_desc principal_desc; 1281 gss_name_t name; 1282 OM_uint32 maj_stat, min_stat; 1283 gss_OID_set mechlist; 1284 struct passwd *pw; 1285 1286 pw = getpwuid(uid); 1287 if (pw == NULL) { 1288 *min_statp = 0; 1289 return (GSS_S_FAILURE); 1290 } 1291 1292 /* 1293 * The mechanism must be set to KerberosV for acquisition 1294 * of credentials to work reliably. 1295 */ 1296 maj_stat = gss_create_empty_oid_set(min_statp, &mechlist); 1297 if (maj_stat != GSS_S_COMPLETE) 1298 return (maj_stat); 1299 maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X, 1300 &mechlist); 1301 if (maj_stat != GSS_S_COMPLETE) { 1302 gss_release_oid_set(&min_stat, &mechlist); 1303 return (maj_stat); 1304 } 1305 1306 principal_desc.value = (void *)pw->pw_name; 1307 principal_desc.length = strlen(pw->pw_name); 1308 maj_stat = gss_import_name(min_statp, &principal_desc, 1309 GSS_C_NT_USER_NAME, &name); 1310 if (maj_stat != GSS_S_COMPLETE) { 1311 gss_release_oid_set(&min_stat, &mechlist); 1312 return (maj_stat); 1313 } 1314 /* Acquire the credentials. */ 1315 maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist, 1316 GSS_C_INITIATE, credp, NULL, NULL); 1317 gss_release_name(&min_stat, &name); 1318 gss_release_oid_set(&min_stat, &mechlist); 1319 return (maj_stat); 1320 } 1321 #endif /* !WITHOUT_KERBEROS */ 1322 1323 void gssd_terminate(int sig __unused) 1324 { 1325 1326 #ifndef WITHOUT_KERBEROS 1327 if (hostbased_initiator_cred != 0) 1328 unlink(GSSD_CREDENTIAL_CACHE_FILE); 1329 #endif 1330 gssd_syscall(""); 1331 exit(0); 1332 } 1333 1334