/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
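 */

#include <libintl.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <pwd.h>
#include <syslog.h>
#include <libintl.h>	/* duplicate of the include above; harmless */
#include <k5-int.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <com_err.h>

#include "utils.h"
#include "krb5_repository.h"

/*
 * Neither constant is referenced in the part of this file shown here;
 * PAMTXD is presumably the message text domain (verify against callers).
 * KRB5_DEFAULT_LIFE is parenthesised so it stays a single value when it
 * is used inside a larger expression.
 */
#define	PAMTXD			"SUNW_OST_SYSOSPAM"
#define	KRB5_DEFAULT_LIFE	(60*60*10)	/* 10 hours, in seconds */

/* Destructor registered with pam_set_data() for the KRB5_DATA item. */
extern void krb5_cleanup(pam_handle_t *, void *, int);

/* Local helpers; their contracts are documented at the definitions. */
static int attempt_refresh_cred(krb5_module_data_t *, char *, int);
static int attempt_delete_initcred(krb5_module_data_t *);
static krb5_error_code krb5_renew_tgt(krb5_module_data_t *, krb5_principal,
    krb5_principal, int);

/*
 * ktkt_warnd(1M) interface: register / remove a ticket-expiry warning for
 * a client principal name.
 */
extern uint_t kwarn_add_warning(char *, int);
extern uint_t kwarn_del_warning(char *);

/*
 * pam_sm_setcred
 */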
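/*
 * pam_sm_setcred
 *
 * pam_setcred(3PAM) entry point of the pam_krb5 module.  Module options:
 * "debug" enables LOG_DEBUG tracing, "nowarn" folds PAM_SILENT into flags.
 * The per-handle krb5_module_data_t stored under KRB5_DATA by the
 * authentication pass drives everything:
 *   - absent: PAM_REFRESH_CRED / PAM_DELETE_CRED get a fresh, unauthenticated
 *     kmd (auth_status = PAM_AUTHINFO_UNAVAIL) installed with krb5_cleanup
 *     as destructor; any other request returns PAM_IGNORE;
 *   - present with auth_status == PAM_IGNORE: PAM_IGNORE;
 *   - PAM_ESTABLISH_CRED / PAM_REINITIALIZE_CRED additionally require
 *     auth_status == PAM_SUCCESS, otherwise PAM_CRED_UNAVAIL.
 * A PAM_REPOSITORY item of another type yields PAM_IGNORE; a krb5 repository
 * marked SUNW_PAM_KRB5_ALREADY_AUTHENTICATED yields PAM_SUCCESS without
 * touching any cache.  Flags with no credential bit set (0, or PAM_SILENT
 * alone) are handled as PAM_ESTABLISH_CRED.
 *
 * The krb5 context the helpers leave in kmd->kcontext is released at the
 * "out:" label.  The early returns in the body do not reach that label;
 * this function has created no context at those points.  kmd itself is
 * owned by the PAM handle and freed by krb5_cleanup().
 *
 * Returns a PAM_* status.
 */
int
pam_sm_setcred(
	pam_handle_t *pamh,
	int flags,
	int argc,
	const char **argv)
{
	int i;
	int err = 0;
	int debug = 0;
	krb5_module_data_t *kmd = NULL;
	char *user = NULL;
	krb5_repository_data_t *krb5_data = NULL;
	pam_repository_t *rep_data = NULL;

	for (i = 0; i < argc; i++) {
		if (strcasecmp(argv[i], "debug") == 0)
			debug = 1;
		else if (strcasecmp(argv[i], "nowarn") == 0)
			flags |= PAM_SILENT;
	}

	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): start: nowarn = %d, flags = 0x%x",
		    flags & PAM_SILENT ? 1 : 0, flags);

	/* make sure flags are valid: any non-zero value must carry a known bit */
	if (flags &&
	    !(flags & PAM_ESTABLISH_CRED) &&
	    !(flags & PAM_REINITIALIZE_CRED) &&
	    !(flags & PAM_REFRESH_CRED) &&
	    !(flags & PAM_DELETE_CRED) &&
	    !(flags & PAM_SILENT)) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "PAM-KRB5 (setcred): illegal flag %d", flags);
		err = PAM_SYSTEM_ERR;
		goto out;
	}

	(void) pam_get_item(pamh, PAM_USER, (void**) &user);

	if (user == NULL || *user == '\0')
		return (PAM_USER_UNKNOWN);

	if (pam_get_data(pamh, KRB5_DATA, (const void**)&kmd) != PAM_SUCCESS) {
		if (debug) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): kmd get failed, kmd=0x%p",
			    kmd);
		}

		/*
		 * User doesn't need to authenticate for PAM_REFRESH_CRED
		 * or for PAM_DELETE_CRED
		 */
		if (flags & (PAM_REFRESH_CRED|PAM_DELETE_CRED)) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): inst kmd structure");

			kmd = calloc(1, sizeof (krb5_module_data_t));

			if (kmd == NULL)
				return (PAM_BUF_ERR);

			/*
			 * Need to initialize auth_status here to
			 * PAM_AUTHINFO_UNAVAIL else there is a false positive
			 * of PAM_SUCCESS (calloc leaves it 0 == PAM_SUCCESS).
			 */
			kmd->auth_status = PAM_AUTHINFO_UNAVAIL;

			/*
			 * From here on the PAM handle owns kmd; only the
			 * failure path below frees it ourselves.
			 */
			if ((err = pam_set_data(pamh, KRB5_DATA,
			    kmd, &krb5_cleanup)) != PAM_SUCCESS) {
				free(kmd);
				return (PAM_SYSTEM_ERR);
			}
		} else {
			/*
			 * This could mean that we are not the account authority
			 * for the authenticated user. Therefore we should
			 * return PAM_IGNORE in order to not affect the
			 * login process of said user.
			 */
			err = PAM_IGNORE;
			goto out;
		}

	} else { /* pam_get_data success */
		if (kmd == NULL) {
			if (debug) {
				__pam_log(LOG_AUTH | LOG_DEBUG,
				    "PAM-KRB5 (setcred): kmd structure"
				    " gotten but is NULL for user %s", user);
			}
			err = PAM_SYSTEM_ERR;
			goto out;
		}

		if (debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): kmd auth_status: %s",
			    pam_strerror(pamh, kmd->auth_status));

		/*
		 * pam_auth has set status to ignore, so we also return ignore
		 */
		if (kmd->auth_status == PAM_IGNORE) {
			err = PAM_IGNORE;
			goto out;
		}
	}

	kmd->debug = debug;

	/*
	 * User must have passed pam_authenticate()
	 * in order to use PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED
	 */
	if ((flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED)) &&
	    (kmd->auth_status != PAM_SUCCESS)) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): unable to "
			    "setcreds, not authenticated!");
		return (PAM_CRED_UNAVAIL);
	}

	/*
	 * We cannot assume that kmd->kcontext being non-NULL
	 * means it is valid. Other pam_krb5 mods may have
	 * freed it but not reset it to NULL.
	 * Log a message when debugging to track down memory
	 * leaks.
	 */
	if (kmd->kcontext != NULL && kmd->debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): kcontext != NULL, "
		    "possible memory leak.");

	/*
	 * Use the authenticated and validated user, if applicable.
	 */
	if (kmd->user != NULL)
		user = kmd->user;

	/*
	 * If auth was short-circuited we will not have anything to
	 * renew, so just return here.
	 */
	(void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data);

	if (rep_data != NULL) {
		if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) {
			/* literal fixed: it used to read "wrongrepository" */
			if (debug)
				__pam_log(LOG_AUTH | LOG_DEBUG,
				    "PAM-KRB5 (setcred): wrong "
				    "repository found (%s), returning "
				    "PAM_IGNORE", rep_data->type);
			return (PAM_IGNORE);
		}
		/* only trust the scope payload when its size matches ours */
		if (rep_data->scope_len == sizeof (krb5_repository_data_t)) {
			krb5_data = (krb5_repository_data_t *)rep_data->scope;

			if (krb5_data->flags ==
			    SUNW_PAM_KRB5_ALREADY_AUTHENTICATED &&
			    krb5_data->principal != NULL &&
			    strlen(krb5_data->principal)) {
				if (debug)
					__pam_log(LOG_AUTH | LOG_DEBUG,
					    "PAM-KRB5 (setcred): "
					    "Principal %s already "
					    "authenticated, "
					    "cannot setcred",
					    krb5_data->principal);
				return (PAM_SUCCESS);
			}
		}
	}

	if (flags & PAM_REINITIALIZE_CRED)
		err = attempt_refresh_cred(kmd, user, PAM_REINITIALIZE_CRED);
	else if (flags & PAM_REFRESH_CRED)
		err = attempt_refresh_cred(kmd, user, PAM_REFRESH_CRED);
	else if (flags & PAM_DELETE_CRED)
		err = attempt_delete_initcred(kmd);
	else {
		/*
		 * Default case: PAM_ESTABLISH_CRED
		 */
		err = attempt_refresh_cred(kmd, user, PAM_ESTABLISH_CRED);
	}

	if (err != PAM_SUCCESS)
		__pam_log(LOG_AUTH | LOG_ERR,
		    "PAM-KRB5 (setcred): pam_setcred failed "
		    "for %s (%s).", user, pam_strerror(pamh, err));

out:
	if (kmd && kmd->kcontext) {
		/*
		 * free 'kcontext' field if it is allocated,
		 * kcontext is local to the operation being performed
		 * not considered global to the entire pam module.
		 */
		krb5_free_context(kmd->kcontext);
		kmd->kcontext = NULL;
	}

	/*
	 * 'kmd' is not freed here, it is handled in krb5_cleanup
	 */
	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): end: %s",
		    pam_strerror(pamh, err));
	return (err);
}

/*
 * attempt_refresh_cred
 *
 * Set up everything krb5_renew_tgt() needs for "user" and call it with
 * "flag" (one of PAM_ESTABLISH_CRED, PAM_REINITIALIZE_CRED,
 * PAM_REFRESH_CRED): a secure krb5 context in kmd->kcontext, the default
 * ccache in kmd->ccache, the client principal derived by get_kmd_kuser(),
 * and the TGS principal KRB5_TGS_NAME/<realm>@<realm>.
 *
 * kmd->kcontext is deliberately left allocated on return; pam_sm_setcred()
 * frees it at its "out:" label.  Both principals are freed here.
 *
 * Returns PAM_SUCCESS, PAM_SYSTEM_ERR when context/ccache/principal set-up
 * fails, PAM_CRED_ERR when krb5_renew_tgt() fails, or the status returned
 * by get_kmd_kuser() (assumed to be a PAM_* code, as it is passed straight
 * through to PAM — verify against utils.c).
 */
static int
attempt_refresh_cred(
	krb5_module_data_t *kmd,
	char *user,
	int flag)
{
	krb5_principal me;
	krb5_principal server;
	krb5_error_code code;
	krb5_data *realm;
	char kuser[2*MAXHOSTNAMELEN];
	krb5_data tgtname = {
		0,
		KRB5_TGS_NAME_SIZE,
		KRB5_TGS_NAME
	};

	/* Create a new context here. */
	if (krb5_init_secure_context(&kmd->kcontext) != 0) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): unable to "
			    "initialize krb5 context");
		return (PAM_SYSTEM_ERR);
	}

	if (krb5_cc_default(kmd->kcontext, &kmd->ccache) != 0) {
		return (PAM_SYSTEM_ERR);
	}

	if ((code = get_kmd_kuser(kmd->kcontext, (const char *)user, kuser,
	    sizeof (kuser))) != 0) {
		return (code);
	}

	if (krb5_parse_name(kmd->kcontext, kuser, &me) != 0) {
		return (PAM_SYSTEM_ERR);
	}

	/* server = krbtgt/<realm of me>@<realm of me> */
	realm = krb5_princ_realm(kmd->kcontext, me);
	if ((code = krb5_build_principal_ext(kmd->kcontext, &server,
	    realm->length, realm->data,
	    tgtname.length, tgtname.data,
	    realm->length, realm->data, 0)) != 0) {
		krb5_free_principal(kmd->kcontext, me);
		return (PAM_SYSTEM_ERR);
	}

	code = krb5_renew_tgt(kmd, me, server, flag);

	krb5_free_principal(kmd->kcontext, server);
	krb5_free_principal(kmd->kcontext, me);

	if (code != 0) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5(setcred): krb5_renew_tgt() "
			    "failed: %s", error_message((errcode_t)code));
		return (PAM_CRED_ERR);
	}
	return (PAM_SUCCESS);
}

/*
 * This code will update the credential matching "server" in the user's
 * credential cache.  The flag may be set to one of:
 * PAM_REINITIALIZE_CRED/PAM_ESTABLISH_CRED - If we have new credentials then
 * create a new cred cache with these credentials else return failure.
 * PAM_REFRESH_CRED - If we have new credentials then create a new cred cache
 * with these credentials else attempt to renew the credentials.
 *
 * Note for any of the flags that if a new credential does exist from the
 * previous auth pass then this will overwrite any existing credentials in the
 * credential cache.
 *
 * Inputs: kmd (context, ccache, initcreds from the auth pass, auth_status,
 * env = the KRB5CCNAME setting or NULL), "me" = client principal, "server" =
 * TGS principal, "flag" as above.  On success, for a FILE ccache, the cache
 * file is handed over to the uid/gid of the principal's first component and
 * a ticket-expiry warning is (re)registered with ktkt_warnd.  When kmd->env
 * is NULL a "KRB5CCNAME=FILE:/tmp/krb5cc_<uid>" string is allocated into
 * kmd->env and put into the environment (kmd->env keeps owning it, as
 * putenv(3C) requires).
 *
 * Returns 0 on success, else a krb5_error_code (or errno value such as
 * ENOMEM, which share the com_err code space).  "retval" is reused for
 * every step, so on exit it always names the last failure.
 */
static krb5_error_code
krb5_renew_tgt(
	krb5_module_data_t *kmd,
	krb5_principal me,
	krb5_principal server,
	int flag)
{
	krb5_error_code retval;
	krb5_creds creds;
	krb5_creds *renewed_cred = NULL;
	char *client_name = NULL;
	char *username = NULL;	/* declared here: "goto error" below frees it */

	if ((flag != PAM_REFRESH_CRED) &&
	    (flag != PAM_REINITIALIZE_CRED) &&
	    (flag != PAM_ESTABLISH_CRED))
		return (KRB5KRB_ERR_GENERIC);

	/* this is needed only for the ktkt_warnd */
	if ((retval = krb5_unparse_name(kmd->kcontext, me, &client_name)) != 0)
		return (retval);

	(void) memset(&creds, 0, sizeof (krb5_creds));
	if ((retval = krb5_copy_principal(kmd->kcontext,
	    server, &creds.server)) != 0) {
		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): krb5_copy_principal "
			    "failed: %s",
			    error_message((errcode_t)retval));
		goto cleanup_creds;
	}

	/* obtain ticket & session key */
	retval = krb5_cc_get_principal(kmd->kcontext,
	    kmd->ccache, &creds.client);
	if (retval && (kmd->debug))
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): User not in cred "
		    "cache (%s)", error_message((errcode_t)retval));

	/*
	 * We got here either with the ESTABLISH | REINIT | REFRESH flag and
	 * auth_status returns SUCCESS or REFRESH and auth_status failure.
	 *
	 * Rules:
	 *   - If the prior auth pass was successful then store the new
	 *     credentials in the cache, regardless of which flag.
	 *
	 *   - Else if REFRESH flag is used and there are no new
	 *     credentials then attempt to refresh the existing credentials.
	 *
	 *   - Note, refresh will not work if "R" flag is not set in
	 *     original credential. We don't want to 2nd guess the
	 *     intention of the person who created the existing credential.
	 */
	if (kmd->auth_status == PAM_SUCCESS) {
		/*
		 * Create a fresh ccache, and store the credentials
		 * we got from pam_authenticate()
		 */
		if ((retval = krb5_cc_initialize(kmd->kcontext,
		    kmd->ccache, me)) != 0) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): krb5_cc_initialize "
			    "failed: %s",
			    error_message((errcode_t)retval));
		} else if ((retval = krb5_cc_store_cred(kmd->kcontext,
		    kmd->ccache, &kmd->initcreds)) != 0) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): krb5_cc_store_cred "
			    "failed: %s",
			    error_message((errcode_t)retval));
		}
	} else if ((retval == 0) && (flag & PAM_REFRESH_CRED)) {
		/*
		 * If we only wanted to refresh the creds but failed
		 * due to expiration, lack of "R" flag, or other
		 * problems, return an error.
		 */
		if ((retval = krb5_get_credentials_renew(kmd->kcontext,
		    0, kmd->ccache, &creds, &renewed_cred)) != 0) {
			if (kmd->debug) {
				__pam_log(LOG_AUTH | LOG_DEBUG,
				    "PAM-KRB5 (setcred): "
				    "krb5_get_credentials"
				    "_renew(update) failed: %s",
				    error_message((errcode_t)retval));
			}
		}
	} else {
		/*
		 * We failed to get the user's credentials.
		 * This might be due to permission error on the cache,
		 * or maybe we are looking in the wrong cache file!
		 */
		__pam_log(LOG_AUTH | LOG_ERR,
		    "PAM-KRB5 (setcred): Cannot find creds"
		    " for %s (%s)",
		    client_name ? client_name : "(unknown)",
		    error_message((errcode_t)retval));
	}

cleanup_creds:

	if ((retval == 0) && (client_name != NULL)) {
		/*
		 * Credential update was successful!
		 *
		 * We now chown the ccache to the appropriate uid/gid
		 * combination, if its a FILE based ccache.
		 */
		if (!kmd->env || strstr(kmd->env, "FILE:")) {
			uid_t uuid;
			gid_t ugid;
			char *tmpname = NULL;
			char *filepath = NULL;
			int fd = -1;
			struct stat st;

			/* local account name = principal with "@REALM" cut off */
			username = strdup(client_name);
			if (username == NULL) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "PAM-KRB5 (setcred): Out of memory");
				retval = KRB5KRB_ERR_GENERIC;
				goto error;
			}
			if ((tmpname = strchr(username, '@')) != NULL)
				*tmpname = '\0';

			/* get_pw_uid/get_pw_gid return 0 on failure */
			if (get_pw_uid(username, &uuid) == 0 ||
			    get_pw_gid(username, &ugid) == 0) {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "PAM-KRB5 (setcred): Unable to "
				    "find matching uid/gid pair for user `%s'",
				    username);
				retval = KRB5KRB_ERR_GENERIC;
				goto error;
			}

			if (!kmd->env) {
				char buffer[512];
				int n;

				n = snprintf(buffer, sizeof (buffer),
				    "%s=FILE:/tmp/krb5cc_%d", KRB5_ENV_CCNAME,
				    (int)uuid);
				if (n < 0 || (size_t)n >= sizeof (buffer)) {
					retval = KRB5KRB_ERR_GENERIC;
					goto error;
				}

				/*
				 * We MUST copy this to the heap for the putenv
				 * to work!
				 */
				kmd->env = strdup(buffer);
				if (!kmd->env) {
					retval = ENOMEM;
					goto error;
				}
				if (putenv(kmd->env)) {
					retval = ENOMEM;
					goto error;
				}
			}

			/*
			 * We know at this point that kmd->env must start
			 * with the literal string "FILE:".  Set filepath
			 * character string to point to ":"
			 */
			filepath = strchr(kmd->env, ':');

			/*
			 * Now check if first char after ":" is null char
			 * (the NULL check is belt and braces: "FILE:" was
			 * found above, so a ':' exists).
			 */
			if (filepath == NULL || filepath[1] == '\0') {
				__pam_log(LOG_AUTH | LOG_ERR,
				    "PAM-KRB5 (setcred): Invalid pathname "
				    "for credential cache of user `%s'",
				    username);
				retval = KRB5KRB_ERR_GENERIC;
				goto error;
			}

			/*
			 * Hand the cache file to its owner.  chown(2) on the
			 * path would follow a symbolic link, and the default
			 * cache lives in the shared /tmp directory, so open
			 * the name without following links, insist on a
			 * regular file, and fchown(2) the descriptor.  As
			 * before, failure is best-effort and only logged when
			 * debugging.
			 */
			fd = open(filepath + 1,
			    O_RDWR | O_NOFOLLOW | O_NONBLOCK);
			if (fd < 0 || fstat(fd, &st) != 0 ||
			    !S_ISREG(st.st_mode) ||
			    fchown(fd, uuid, ugid) != 0) {
				if (kmd->debug)
					__pam_log(LOG_AUTH | LOG_DEBUG,
					    "PAM-KRB5 (setcred): chown to user "
					    "`%s' failed for FILE=%s",
					    username, filepath);
			}
			if (fd >= 0)
				(void) close(fd);
		}
	}

error:
	if (retval == 0) {
		krb5_timestamp endtime;

		/* warn about the renewed ticket if we got one, else the new */
		if (renewed_cred && renewed_cred->times.endtime != 0)
			endtime = renewed_cred->times.endtime;
		else
			endtime = kmd->initcreds.times.endtime;

		if (kmd->debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "PAM-KRB5 (setcred): delete/add warning");

		if (kwarn_del_warning(client_name) != 0) {
			__pam_log(LOG_AUTH | LOG_NOTICE,
			    "PAM-KRB5 (setcred): kwarn_del_warning"
			    " failed: ktkt_warnd(1M) down?");
		}

		if (kwarn_add_warning(client_name, endtime) != 0) {
			__pam_log(LOG_AUTH | LOG_NOTICE,
			    "PAM-KRB5 (setcred): kwarn_add_warning"
			    " failed: ktkt_warnd(1M) down?");
		}
	}

	if (renewed_cred != NULL)
		krb5_free_creds(kmd->kcontext, renewed_cred);

	free(client_name);
	free(username);

	krb5_free_cred_contents(kmd->kcontext, &creds);

	return (retval);
}

/*
 * Delete the user's credentials for this session
 *
 * Releases and zeroes kmd->initcreds (the credentials kept from the
 * authentication pass) and resets auth_status to PAM_AUTHINFO_UNAVAIL so a
 * later PAM_ESTABLISH_CRED cannot reuse them.  The credential cache itself
 * is not touched.  Called from the PAM_DELETE_CRED path, where
 * kmd->kcontext may still be NULL — NOTE(review): this relies on
 * krb5_free_cred_contents() tolerating a NULL context; confirm.
 *
 * Always returns PAM_SUCCESS (also for a NULL kmd).
 */
static int
attempt_delete_initcred(krb5_module_data_t *kmd)
{
	if (kmd == NULL)
		return (PAM_SUCCESS);

	if (kmd->debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "PAM-KRB5 (setcred): deleting user's "
		    "credentials (initcreds)");
	}
	krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
	(void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
	kmd->auth_status = PAM_AUTHINFO_UNAVAIL;
	return (PAM_SUCCESS);
}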