2 * This pam_krb5 module contains code that is:
3 * Copyright (c) Derrick J. Brashear, 1996. All rights reserved.
4 * Copyright (c) Frank Cusack, 1999-2001. All rights reserved.
5 * Copyright (c) Jacques A. Vidrine, 2000-2001. All rights reserved.
6 * Copyright (c) Nicolas Williams, 2001. All rights reserved.
7 * Copyright (c) Perot Systems Corporation, 2001. All rights reserved.
8 * Copyright (c) Mark R V Murray, 2001. All rights reserved.
9 * Copyright (c) Networks Associates Technology, Inc., 2002-2005.
10 * All rights reserved.
12 * Portions of this software were developed for the FreeBSD Project by
13 * ThinkSec AS and NAI Labs, the Security Research Division of Network
14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
15 * ("CBOSS"), as part of the DARPA CHATS research program.
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notices, and the entire permission notice in its entirety,
22 * including the disclaimer of warranties.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
26 * 3. The name of the author may not be used to endorse or promote
27 * products derived from this software without specific prior
30 * ALTERNATIVELY, this product may be distributed under the terms of
31 * the GNU Public License, in which case the provisions of the GPL are
32 * required INSTEAD OF the above restrictions. (This clause is
33 * necessary due to a potential bad interaction between the GPL and
34 * the restrictions contained in a BSD-style copyright.)
36 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
37 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
38 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
39 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
40 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
41 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
42 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
53 #include <sys/types.h>
68 #define PAM_SM_ACCOUNT
69 #define PAM_SM_PASSWORD
71 #include <security/pam_appl.h>
72 #include <security/pam_modules.h>
73 #include <security/pam_mod_misc.h>
74 #include <security/openpam.h>
76 #define COMPAT_HEIMDAL
77 /* #define COMPAT_MIT */
79 static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int);
80 static void cleanup_cache(pam_handle_t *, void *, int);
81 static const char *compat_princ_component(krb5_context, krb5_principal, int);
82 static void compat_free_data_contents(krb5_context, krb5_data *);
84 #define USER_PROMPT "Username: "
85 #define PASSWORD_PROMPT "Password:"
86 #define NEW_PASSWORD_PROMPT "New Password:"
88 #define PAM_OPT_CCACHE "ccache"
89 #define PAM_OPT_DEBUG "debug"
90 #define PAM_OPT_FORWARDABLE "forwardable"
91 #define PAM_OPT_NO_CCACHE "no_ccache"
92 #define PAM_OPT_NO_USER_CHECK "no_user_check"
93 #define PAM_OPT_REUSE_CCACHE "reuse_ccache"
94 #define PAM_OPT_NO_USER_CHECK "no_user_check"
96 #define PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...) \
98 const char *krb5msg = krb5_get_error_message(ctx, rv); \
99 PAM_LOG(fmt ": %s", ##__VA_ARGS__, krb5msg); \
100 krb5_free_error_message(ctx, krb5msg); \
104 * authentication management
107 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
108 int argc __unused, const char *argv[] __unused)
110 krb5_error_code krbret;
111 krb5_context pam_context;
113 krb5_principal princ;
115 krb5_get_init_creds_opt *opts;
118 const void *ccache_data;
119 const char *user, *pass;
120 const void *sourceuser, *service;
121 char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
123 retval = pam_get_user(pamh, &user, USER_PROMPT);
124 if (retval != PAM_SUCCESS)
127 PAM_LOG("Got user: %s", user);
129 retval = pam_get_item(pamh, PAM_RUSER, &sourceuser);
130 if (retval != PAM_SUCCESS)
133 PAM_LOG("Got ruser: %s", (const char *)sourceuser);
136 pam_get_item(pamh, PAM_SERVICE, &service);
140 PAM_LOG("Got service: %s", (const char *)service);
142 krbret = krb5_init_context(&pam_context);
144 PAM_VERBOSE_ERROR("Kerberos 5 error");
145 return (PAM_SERVICE_ERR);
148 PAM_LOG("Context initialised");
150 krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
151 if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
152 PAM_VERBOSE_ERROR("Kerberos 5 error");
153 retval = PAM_SERVICE_ERR;
157 PAM_LOG("Done krb5_cc_register()");
159 /* Get principal name */
160 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
161 asprintf(&principal, "%s/%s", (const char *)sourceuser, user);
163 principal = strdup(user);
165 PAM_LOG("Created principal: %s", principal);
167 krbret = krb5_parse_name(pam_context, principal, &princ);
170 PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()");
171 PAM_VERBOSE_ERROR("Kerberos 5 error");
172 retval = PAM_SERVICE_ERR;
176 PAM_LOG("Done krb5_parse_name()");
178 /* Now convert the principal name into something human readable */
180 krbret = krb5_unparse_name(pam_context, princ, &princ_name);
182 PAM_LOG_KRB5_ERR(pam_context, krbret,
183 "Error krb5_unparse_name()");
184 PAM_VERBOSE_ERROR("Kerberos 5 error");
185 retval = PAM_SERVICE_ERR;
189 PAM_LOG("Got principal: %s", princ_name);
192 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
193 if (retval != PAM_SUCCESS)
196 PAM_LOG("Got password");
198 if (openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
199 PAM_LOG("Skipping local user check");
202 /* Verify the local user exists (AFTER getting the password) */
203 if (strchr(user, '@')) {
204 /* get a local account name for this principal */
205 krbret = krb5_aname_to_localname(pam_context, princ,
206 sizeof(luser), luser);
208 PAM_VERBOSE_ERROR("Kerberos 5 error");
209 PAM_LOG_KRB5_ERR(pam_context, krbret,
210 "Error krb5_aname_to_localname()");
211 retval = PAM_USER_UNKNOWN;
215 retval = pam_set_item(pamh, PAM_USER, luser);
216 if (retval != PAM_SUCCESS)
219 PAM_LOG("PAM_USER Redone");
222 if (!openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK)) {
223 pwd = getpwnam(user);
225 retval = PAM_USER_UNKNOWN;
230 PAM_LOG("Done getpwnam()");
233 /* Initialize credentials request options. */
234 krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
236 PAM_LOG_KRB5_ERR(pam_context, krbret,
237 "Error krb5_get_init_creds_opt_alloc()");
238 PAM_VERBOSE_ERROR("Kerberos 5 error");
239 retval = PAM_SERVICE_ERR;
242 krb5_get_init_creds_opt_set_default_flags(pam_context,
243 service, NULL, opts);
245 if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
246 krb5_get_init_creds_opt_set_forwardable(opts, 1);
248 PAM_LOG("Credential options initialised");
251 memset(&creds, 0, sizeof(krb5_creds));
252 krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
253 pass, NULL, pamh, 0, NULL, opts);
254 krb5_get_init_creds_opt_free(pam_context, opts);
256 PAM_VERBOSE_ERROR("Kerberos 5 error");
257 PAM_LOG_KRB5_ERR(pam_context, krbret,
258 "Error krb5_get_init_creds_password()");
259 retval = PAM_AUTH_ERR;
265 /* Generate a temporary cache */
266 krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache);
268 PAM_VERBOSE_ERROR("Kerberos 5 error");
269 PAM_LOG_KRB5_ERR(pam_context, krbret,
270 "Error krb5_cc_new_unique()");
271 retval = PAM_SERVICE_ERR;
274 krbret = krb5_cc_initialize(pam_context, ccache, princ);
276 PAM_VERBOSE_ERROR("Kerberos 5 error");
277 PAM_LOG_KRB5_ERR(pam_context, krbret,
278 "Error krb5_cc_initialize()");
279 retval = PAM_SERVICE_ERR;
282 krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
284 PAM_VERBOSE_ERROR("Kerberos 5 error");
285 PAM_LOG_KRB5_ERR(pam_context, krbret,
286 "Error krb5_cc_store_cred()");
287 krb5_cc_destroy(pam_context, ccache);
288 retval = PAM_SERVICE_ERR;
292 PAM_LOG("Credentials stashed");
295 if ((srvdup = strdup(service)) == NULL) {
296 retval = PAM_BUF_ERR;
299 krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
300 openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0);
303 PAM_VERBOSE_ERROR("Kerberos 5 error");
304 krb5_cc_destroy(pam_context, ccache);
305 retval = PAM_AUTH_ERR;
309 PAM_LOG("Credentials stash verified");
311 retval = pam_get_data(pamh, "ccache", &ccache_data);
312 if (retval == PAM_SUCCESS) {
313 krb5_cc_destroy(pam_context, ccache);
314 PAM_VERBOSE_ERROR("Kerberos 5 error");
315 retval = PAM_AUTH_ERR;
319 PAM_LOG("Credentials stash not pre-existing");
321 asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(pam_context,
322 ccache), krb5_cc_get_name(pam_context, ccache));
323 if (ccache_name == NULL) {
324 PAM_VERBOSE_ERROR("Kerberos 5 error");
325 retval = PAM_BUF_ERR;
328 retval = pam_set_data(pamh, "ccache", ccache_name, cleanup_cache);
330 krb5_cc_destroy(pam_context, ccache);
331 PAM_VERBOSE_ERROR("Kerberos 5 error");
332 retval = PAM_SERVICE_ERR;
336 PAM_LOG("Credentials stash saved");
339 krb5_free_cred_contents(pam_context, &creds);
340 PAM_LOG("Done cleanup");
342 krb5_free_principal(pam_context, princ);
345 PAM_LOG("Done cleanup2");
348 krb5_free_context(pam_context);
350 PAM_LOG("Done cleanup3");
352 if (retval != PAM_SUCCESS)
353 PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
359 pam_sm_setcred(pam_handle_t *pamh, int flags,
360 int argc __unused, const char *argv[] __unused)
362 #ifdef _FREEFALL_CONFIG
363 return (PAM_SUCCESS);
366 krb5_error_code krbret;
367 krb5_context pam_context;
368 krb5_principal princ;
370 krb5_ccache ccache_temp, ccache_perm;
371 krb5_cc_cursor cursor;
372 struct passwd *pwd = NULL;
374 const char *cache_name, *q;
376 const void *cache_data;
377 char *cache_name_buf = NULL, *p;
382 if (flags & PAM_DELETE_CRED)
383 return (PAM_SUCCESS);
385 if (flags & PAM_REFRESH_CRED)
386 return (PAM_SUCCESS);
388 if (flags & PAM_REINITIALIZE_CRED)
389 return (PAM_SUCCESS);
391 if (!(flags & PAM_ESTABLISH_CRED))
392 return (PAM_SERVICE_ERR);
394 /* If a persistent cache isn't desired, stop now. */
395 if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE) ||
396 openpam_get_option(pamh, PAM_OPT_NO_USER_CHECK))
397 return (PAM_SUCCESS);
399 PAM_LOG("Establishing credentials");
402 retval = pam_get_item(pamh, PAM_USER, &user);
403 if (retval != PAM_SUCCESS)
406 PAM_LOG("Got user: %s", (const char *)user);
408 krbret = krb5_init_context(&pam_context);
410 PAM_LOG("Error krb5_init_context() failed");
411 return (PAM_SERVICE_ERR);
414 PAM_LOG("Context initialised");
416 euid = geteuid(); /* Usually 0 */
419 PAM_LOG("Got euid, egid: %d %d", euid, egid);
421 /* Retrieve the temporary cache */
422 retval = pam_get_data(pamh, "ccache", &cache_data);
423 if (retval != PAM_SUCCESS) {
424 retval = PAM_CRED_UNAVAIL;
427 krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
429 PAM_LOG_KRB5_ERR(pam_context, krbret,
430 "Error krb5_cc_resolve(\"%s\")", (const char *)cache_data);
431 retval = PAM_SERVICE_ERR;
435 /* Get the uid. This should exist. */
436 pwd = getpwnam(user);
438 retval = PAM_USER_UNKNOWN;
442 PAM_LOG("Done getpwnam()");
444 /* Avoid following a symlink as root */
445 if (setegid(pwd->pw_gid)) {
446 retval = PAM_SERVICE_ERR;
449 if (seteuid(pwd->pw_uid)) {
450 retval = PAM_SERVICE_ERR;
454 PAM_LOG("Done setegid() & seteuid()");
456 /* Get the cache name */
457 cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE);
458 if (cache_name == NULL) {
459 asprintf(&cache_name_buf, "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
460 cache_name = cache_name_buf;
463 p = calloc(PATH_MAX + 16, sizeof(char));
467 PAM_LOG("Error malloc(): failure");
468 retval = PAM_BUF_ERR;
473 /* convert %u and %p */
478 sprintf(p, "%d", pwd->pw_uid);
481 else if (*q == 'p') {
482 sprintf(p, "%d", getpid());
486 /* Not a special token */
497 PAM_LOG("Got cache_name: %s", cache_name);
499 /* Initialize the new ccache */
500 krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
502 PAM_LOG_KRB5_ERR(pam_context, krbret,
503 "Error krb5_cc_get_principal()");
504 retval = PAM_SERVICE_ERR;
507 krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
509 PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()");
510 retval = PAM_SERVICE_ERR;
513 krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
515 PAM_LOG_KRB5_ERR(pam_context, krbret,
516 "Error krb5_cc_initialize()");
517 retval = PAM_SERVICE_ERR;
521 PAM_LOG("Cache initialised");
523 /* Prepare for iteration over creds */
524 krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
526 PAM_LOG_KRB5_ERR(pam_context, krbret,
527 "Error krb5_cc_start_seq_get()");
528 krb5_cc_destroy(pam_context, ccache_perm);
529 retval = PAM_SERVICE_ERR;
533 PAM_LOG("Prepared for iteration");
535 /* Copy the creds (should be two of them) */
536 while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp,
537 &cursor, &creds) == 0)) {
538 krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
540 PAM_LOG_KRB5_ERR(pam_context, krbret,
541 "Error krb5_cc_store_cred()");
542 krb5_cc_destroy(pam_context, ccache_perm);
543 krb5_free_cred_contents(pam_context, &creds);
544 retval = PAM_SERVICE_ERR;
547 krb5_free_cred_contents(pam_context, &creds);
548 PAM_LOG("Iteration");
550 krb5_cc_end_seq_get(pam_context, ccache_temp, &cursor);
552 PAM_LOG("Done iterating");
554 if (strstr(cache_name, "FILE:") == cache_name) {
555 if (chown(&cache_name[5], pwd->pw_uid, pwd->pw_gid) == -1) {
556 PAM_LOG("Error chown(): %s", strerror(errno));
557 krb5_cc_destroy(pam_context, ccache_perm);
558 retval = PAM_SERVICE_ERR;
561 PAM_LOG("Done chown()");
563 if (chmod(&cache_name[5], (S_IRUSR | S_IWUSR)) == -1) {
564 PAM_LOG("Error chmod(): %s", strerror(errno));
565 krb5_cc_destroy(pam_context, ccache_perm);
566 retval = PAM_SERVICE_ERR;
569 PAM_LOG("Done chmod()");
572 krb5_cc_close(pam_context, ccache_perm);
574 PAM_LOG("Cache closed");
576 retval = pam_setenv(pamh, "KRB5CCNAME", cache_name, 1);
577 if (retval != PAM_SUCCESS) {
578 PAM_LOG("Error pam_setenv(): %s", pam_strerror(pamh, retval));
579 krb5_cc_destroy(pam_context, ccache_perm);
580 retval = PAM_SERVICE_ERR;
584 PAM_LOG("Environment done: KRB5CCNAME=%s", cache_name);
587 krb5_free_principal(pam_context, princ);
588 PAM_LOG("Done cleanup2");
590 krb5_free_context(pam_context);
591 PAM_LOG("Done cleanup3");
596 PAM_LOG("Done seteuid() & setegid()");
598 if (cache_name_buf != NULL)
599 free(cache_name_buf);
609 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
610 int argc __unused, const char *argv[] __unused)
612 krb5_error_code krbret;
613 krb5_context pam_context;
615 krb5_principal princ;
618 const void *ccache_name;
620 retval = pam_get_item(pamh, PAM_USER, &user);
621 if (retval != PAM_SUCCESS)
624 PAM_LOG("Got user: %s", (const char *)user);
626 retval = pam_get_data(pamh, "ccache", &ccache_name);
627 if (retval != PAM_SUCCESS)
628 return (PAM_SUCCESS);
630 PAM_LOG("Got credentials");
632 krbret = krb5_init_context(&pam_context);
634 PAM_LOG("Error krb5_init_context() failed");
635 return (PAM_PERM_DENIED);
638 PAM_LOG("Context initialised");
640 krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
642 PAM_LOG_KRB5_ERR(pam_context, krbret,
643 "Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name);
644 krb5_free_context(pam_context);
645 return (PAM_PERM_DENIED);
648 PAM_LOG("Got ccache %s", (const char *)ccache_name);
651 krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
653 PAM_LOG_KRB5_ERR(pam_context, krbret,
654 "Error krb5_cc_get_principal()");
655 retval = PAM_PERM_DENIED;
659 PAM_LOG("Got principal");
661 if (krb5_kuserok(pam_context, princ, (const char *)user))
662 retval = PAM_SUCCESS;
664 retval = PAM_PERM_DENIED;
665 krb5_free_principal(pam_context, princ);
667 PAM_LOG("Done kuserok()");
670 krb5_free_context(pam_context);
671 PAM_LOG("Done cleanup");
678 * password management
681 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
682 int argc __unused, const char *argv[] __unused)
684 krb5_error_code krbret;
685 krb5_context pam_context;
687 krb5_principal princ;
688 krb5_get_init_creds_opt *opts;
689 krb5_data result_code_string, result_string;
690 int result_code, retval;
693 char *princ_name, *passdup;
695 if (!(flags & PAM_UPDATE_AUTHTOK))
696 return (PAM_AUTHTOK_ERR);
698 retval = pam_get_item(pamh, PAM_USER, &user);
699 if (retval != PAM_SUCCESS)
702 PAM_LOG("Got user: %s", (const char *)user);
704 krbret = krb5_init_context(&pam_context);
706 PAM_LOG("Error krb5_init_context() failed");
707 return (PAM_SERVICE_ERR);
710 PAM_LOG("Context initialised");
712 /* Get principal name */
713 krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
715 PAM_LOG_KRB5_ERR(pam_context, krbret,
716 "Error krb5_parse_name()");
717 retval = PAM_USER_UNKNOWN;
721 /* Now convert the principal name into something human readable */
723 krbret = krb5_unparse_name(pam_context, princ, &princ_name);
725 PAM_LOG_KRB5_ERR(pam_context, krbret,
726 "Error krb5_unparse_name()");
727 retval = PAM_SERVICE_ERR;
731 PAM_LOG("Got principal: %s", princ_name);
734 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
735 if (retval != PAM_SUCCESS)
738 PAM_LOG("Got password");
740 /* Initialize credentials request options. */
741 krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
743 PAM_LOG_KRB5_ERR(pam_context, krbret,
744 "Error krb5_get_init_creds_opt_alloc()");
745 PAM_VERBOSE_ERROR("Kerberos 5 error");
746 retval = PAM_SERVICE_ERR;
750 PAM_LOG("Credentials options initialised");
752 memset(&creds, 0, sizeof(krb5_creds));
753 krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
754 pass, NULL, pamh, 0, "kadmin/changepw", opts);
755 krb5_get_init_creds_opt_free(pam_context, opts);
757 PAM_LOG_KRB5_ERR(pam_context, krbret,
758 "Error krb5_get_init_creds_password()");
759 retval = PAM_AUTH_ERR;
763 PAM_LOG("Credentials established");
765 /* Now get the new password */
767 retval = pam_get_authtok(pamh,
768 PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
769 if (retval != PAM_TRY_AGAIN)
771 pam_error(pamh, "Mismatch; try again, EOF to quit.");
773 if (retval != PAM_SUCCESS)
776 PAM_LOG("Got new password");
779 if ((passdup = strdup(pass)) == NULL) {
780 retval = PAM_BUF_ERR;
783 krbret = krb5_set_password(pam_context, &creds, passdup, NULL,
784 &result_code, &result_code_string, &result_string);
787 PAM_LOG_KRB5_ERR(pam_context, krbret,
788 "Error krb5_change_password()");
789 retval = PAM_AUTHTOK_ERR;
793 PAM_LOG("Error krb5_change_password(): (result_code)");
794 retval = PAM_AUTHTOK_ERR;
798 PAM_LOG("Password changed");
800 if (result_string.data)
801 free(result_string.data);
802 if (result_code_string.data)
803 free(result_code_string.data);
806 krb5_free_cred_contents(pam_context, &creds);
807 PAM_LOG("Done cleanup");
809 krb5_free_principal(pam_context, princ);
812 PAM_LOG("Done cleanup2");
815 krb5_free_context(pam_context);
817 PAM_LOG("Done cleanup3");
822 PAM_MODULE_ENTRY("pam_krb5");
825 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
826 * Modified by Sam Hartman <hartmans@mit.edu> to support PAM services
829 * Verify the Kerberos ticket-granting ticket just retrieved for the
830 * user. If the Kerberos server doesn't respond, assume the user is
831 * trying to fake us out (since we DID just get a TGT from what is
832 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
833 * the local keytab doesn't have it), and we cannot find another
834 * service we do have, let her in.
836 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
840 verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
841 char *pam_service, int debug)
843 krb5_error_code retval;
844 krb5_principal princ;
845 krb5_keyblock *keyblock;
847 krb5_auth_context auth_context;
849 const char *services[3], **service;
853 /* If possible we want to try and verify the ticket we have
854 * received against a keytab. We will try multiple service
855 * principals, including at least the host principal and the PAM
856 * service principal. The host principal is preferred because access
857 * to that key is generally sufficient to compromise root, while the
858 * service key for this PAM service may be less carefully guarded.
859 * It is important to check the keytab first before the KDC so we do
860 * not get spoofed by a fake KDC.
862 services[0] = "host";
863 services[1] = pam_service;
867 for (service = &services[0]; *service != NULL; service++) {
868 retval = krb5_sname_to_principal(context, NULL, *service,
869 KRB5_NT_SRV_HST, &princ);
872 const char *msg = krb5_get_error_message(
875 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
876 "krb5_sname_to_principal()", msg);
877 krb5_free_error_message(context, msg);
882 /* Extract the name directly. */
883 strncpy(phost, compat_princ_component(context, princ, 1),
885 phost[BUFSIZ - 1] = '\0';
888 * Do we have service/<host> keys?
889 * (use default/configured keytab, kvno IGNORE_VNO to get the
890 * first match, and ignore enctype.)
892 retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
898 if (retval != 0) { /* failed to find key */
899 /* Keytab or service key does not exist */
901 const char *msg = krb5_get_error_message(context,
904 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
905 "krb5_kt_read_service_key()", msg);
906 krb5_free_error_message(context, msg);
912 krb5_free_keyblock(context, keyblock);
914 /* Talk to the kdc and construct the ticket. */
916 retval = krb5_mk_req(context, &auth_context, 0, *service, phost,
917 NULL, ccache, &packet);
919 krb5_auth_con_free(context, auth_context);
920 auth_context = NULL; /* setup for rd_req */
924 const char *msg = krb5_get_error_message(context,
927 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
928 "krb5_mk_req()", msg);
929 krb5_free_error_message(context, msg);
935 /* Try to use the ticket. */
936 retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
940 const char *msg = krb5_get_error_message(context,
943 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
944 "krb5_rd_req()", msg);
945 krb5_free_error_message(context, msg);
954 compat_free_data_contents(context, &packet);
955 krb5_free_principal(context, princ);
959 /* Free the memory for cache_name. Called by pam_end() */
962 cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused)
964 krb5_context pam_context;
966 krb5_error_code krbret;
968 if (krb5_init_context(&pam_context))
971 krbret = krb5_cc_resolve(pam_context, data, &ccache);
973 krb5_cc_destroy(pam_context, ccache);
974 krb5_free_context(pam_context);
978 #ifdef COMPAT_HEIMDAL
980 #error This cannot be MIT and Heimdal compatible!
984 #ifndef COMPAT_HEIMDAL
986 #error One of COMPAT_MIT and COMPAT_HEIMDAL must be specified!
990 #ifdef COMPAT_HEIMDAL
993 compat_princ_component(krb5_context context __unused, krb5_principal princ, int n)
995 return princ->name.name_string.val[n];
1000 compat_free_data_contents(krb5_context context __unused, krb5_data * data)
1002 krb5_xfree(data->data);
1008 compat_princ_component(krb5_context context, krb5_principal princ, int n)
1010 return krb5_princ_component(context, princ, n)->data;
1014 compat_free_data_contents(krb5_context context, krb5_data * data)
1016 krb5_free_data_contents(context, data);