2 * This pam_krb5 module contains code that is:
3 * Copyright (c) Derrick J. Brashear, 1996. All rights reserved.
4 * Copyright (c) Frank Cusack, 1999-2001. All rights reserved.
5 * Copyright (c) Jacques A. Vidrine, 2000-2001. All rights reserved.
6 * Copyright (c) Nicolas Williams, 2001. All rights reserved.
7 * Copyright (c) Perot Systems Corporation, 2001. All rights reserved.
8 * Copyright (c) Mark R V Murray, 2001. All rights reserved.
9 * Copyright (c) Networks Associates Technology, Inc., 2002-2005.
10 * All rights reserved.
12 * Portions of this software were developed for the FreeBSD Project by
13 * ThinkSec AS and NAI Labs, the Security Research Division of Network
14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
15 * ("CBOSS"), as part of the DARPA CHATS research program.
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notices, and the entire permission notice in its entirety,
22 * including the disclaimer of warranties.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
26 * 3. The name of the author may not be used to endorse or promote
27 * products derived from this software without specific prior
30 * ALTERNATIVELY, this product may be distributed under the terms of
31 * the GNU Public License, in which case the provisions of the GPL are
32 * required INSTEAD OF the above restrictions. (This clause is
33 * necessary due to a potential bad interaction between the GPL and
34 * the restrictions contained in a BSD-style copyright.)
36 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
37 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
38 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
39 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
40 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
41 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
42 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 #include <sys/cdefs.h>
51 __FBSDID("$FreeBSD$");
53 #include <sys/types.h>
68 #define PAM_SM_ACCOUNT
69 #define PAM_SM_PASSWORD
71 #include <security/pam_appl.h>
72 #include <security/pam_modules.h>
73 #include <security/pam_mod_misc.h>
74 #include <security/openpam.h>
76 #define COMPAT_HEIMDAL
77 /* #define COMPAT_MIT */
79 static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int);
80 static void cleanup_cache(pam_handle_t *, void *, int);
81 static const char *compat_princ_component(krb5_context, krb5_principal, int);
82 static void compat_free_data_contents(krb5_context, krb5_data *);
84 #define USER_PROMPT "Username: "
85 #define PASSWORD_PROMPT "Password:"
86 #define NEW_PASSWORD_PROMPT "New Password:"
88 #define PAM_OPT_CCACHE "ccache"
89 #define PAM_OPT_DEBUG "debug"
90 #define PAM_OPT_FORWARDABLE "forwardable"
91 #define PAM_OPT_NO_CCACHE "no_ccache"
92 #define PAM_OPT_REUSE_CCACHE "reuse_ccache"
95 * authentication management
98 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
99 int argc __unused, const char *argv[] __unused)
101 krb5_error_code krbret;
102 krb5_context pam_context;
104 krb5_principal princ;
106 krb5_get_init_creds_opt opts;
109 const void *ccache_data;
110 const char *user, *pass;
111 const void *sourceuser, *service;
112 char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
114 retval = pam_get_user(pamh, &user, USER_PROMPT);
115 if (retval != PAM_SUCCESS)
118 PAM_LOG("Got user: %s", user);
120 retval = pam_get_item(pamh, PAM_RUSER, &sourceuser);
121 if (retval != PAM_SUCCESS)
124 PAM_LOG("Got ruser: %s", (const char *)sourceuser);
127 pam_get_item(pamh, PAM_SERVICE, &service);
131 PAM_LOG("Got service: %s", (const char *)service);
133 krbret = krb5_init_context(&pam_context);
135 PAM_VERBOSE_ERROR("Kerberos 5 error");
136 return (PAM_SERVICE_ERR);
139 PAM_LOG("Context initialised");
141 krb5_get_init_creds_opt_init(&opts);
143 if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
144 krb5_get_init_creds_opt_set_forwardable(&opts, 1);
146 PAM_LOG("Credentials initialised");
148 krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
149 if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
150 PAM_VERBOSE_ERROR("Kerberos 5 error");
151 retval = PAM_SERVICE_ERR;
155 PAM_LOG("Done krb5_cc_register()");
157 /* Get principal name */
158 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
159 asprintf(&principal, "%s/%s", (const char *)sourceuser, user);
161 principal = strdup(user);
163 PAM_LOG("Created principal: %s", principal);
165 krbret = krb5_parse_name(pam_context, principal, &princ);
168 PAM_LOG("Error krb5_parse_name(): %s",
169 krb5_get_err_text(pam_context, krbret));
170 PAM_VERBOSE_ERROR("Kerberos 5 error");
171 retval = PAM_SERVICE_ERR;
175 PAM_LOG("Done krb5_parse_name()");
177 /* Now convert the principal name into something human readable */
179 krbret = krb5_unparse_name(pam_context, princ, &princ_name);
181 PAM_LOG("Error krb5_unparse_name(): %s",
182 krb5_get_err_text(pam_context, krbret));
183 PAM_VERBOSE_ERROR("Kerberos 5 error");
184 retval = PAM_SERVICE_ERR;
188 PAM_LOG("Got principal: %s", princ_name);
191 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
192 if (retval != PAM_SUCCESS)
195 PAM_LOG("Got password");
197 /* Verify the local user exists (AFTER getting the password) */
198 if (strchr(user, '@')) {
199 /* get a local account name for this principal */
200 krbret = krb5_aname_to_localname(pam_context, princ,
201 sizeof(luser), luser);
203 PAM_VERBOSE_ERROR("Kerberos 5 error");
204 PAM_LOG("Error krb5_aname_to_localname(): %s",
205 krb5_get_err_text(pam_context, krbret));
206 retval = PAM_USER_UNKNOWN;
210 retval = pam_set_item(pamh, PAM_USER, luser);
211 if (retval != PAM_SUCCESS)
214 PAM_LOG("PAM_USER Redone");
217 pwd = getpwnam(user);
219 retval = PAM_USER_UNKNOWN;
223 PAM_LOG("Done getpwnam()");
226 memset(&creds, 0, sizeof(krb5_creds));
227 krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
228 pass, NULL, pamh, 0, NULL, &opts);
230 PAM_VERBOSE_ERROR("Kerberos 5 error");
231 PAM_LOG("Error krb5_get_init_creds_password(): %s",
232 krb5_get_err_text(pam_context, krbret));
233 retval = PAM_AUTH_ERR;
239 /* Generate a temporary cache */
240 krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache);
242 PAM_VERBOSE_ERROR("Kerberos 5 error");
243 PAM_LOG("Error krb5_cc_gen_new(): %s",
244 krb5_get_err_text(pam_context, krbret));
245 retval = PAM_SERVICE_ERR;
248 krbret = krb5_cc_initialize(pam_context, ccache, princ);
250 PAM_VERBOSE_ERROR("Kerberos 5 error");
251 PAM_LOG("Error krb5_cc_initialize(): %s",
252 krb5_get_err_text(pam_context, krbret));
253 retval = PAM_SERVICE_ERR;
256 krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
258 PAM_VERBOSE_ERROR("Kerberos 5 error");
259 PAM_LOG("Error krb5_cc_store_cred(): %s",
260 krb5_get_err_text(pam_context, krbret));
261 krb5_cc_destroy(pam_context, ccache);
262 retval = PAM_SERVICE_ERR;
266 PAM_LOG("Credentials stashed");
269 if ((srvdup = strdup(service)) == NULL) {
270 retval = PAM_BUF_ERR;
273 krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
274 openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0);
277 PAM_VERBOSE_ERROR("Kerberos 5 error");
278 krb5_cc_destroy(pam_context, ccache);
279 retval = PAM_AUTH_ERR;
283 PAM_LOG("Credentials stash verified");
285 retval = pam_get_data(pamh, "ccache", &ccache_data);
286 if (retval == PAM_SUCCESS) {
287 krb5_cc_destroy(pam_context, ccache);
288 PAM_VERBOSE_ERROR("Kerberos 5 error");
289 retval = PAM_AUTH_ERR;
293 PAM_LOG("Credentials stash not pre-existing");
295 asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(pam_context,
296 ccache), krb5_cc_get_name(pam_context, ccache));
297 if (ccache_name == NULL) {
298 PAM_VERBOSE_ERROR("Kerberos 5 error");
299 retval = PAM_BUF_ERR;
302 retval = pam_set_data(pamh, "ccache", ccache_name, cleanup_cache);
304 krb5_cc_destroy(pam_context, ccache);
305 PAM_VERBOSE_ERROR("Kerberos 5 error");
306 retval = PAM_SERVICE_ERR;
310 PAM_LOG("Credentials stash saved");
313 krb5_free_cred_contents(pam_context, &creds);
314 PAM_LOG("Done cleanup");
316 krb5_free_principal(pam_context, princ);
317 PAM_LOG("Done cleanup2");
322 krb5_free_context(pam_context);
324 PAM_LOG("Done cleanup3");
326 if (retval != PAM_SUCCESS)
327 PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
333 pam_sm_setcred(pam_handle_t *pamh, int flags,
334 int argc __unused, const char *argv[] __unused)
336 #ifdef _FREEFALL_CONFIG
337 return (PAM_SUCCESS);
340 krb5_error_code krbret;
341 krb5_context pam_context;
342 krb5_principal princ;
344 krb5_ccache ccache_temp, ccache_perm;
345 krb5_cc_cursor cursor;
346 struct passwd *pwd = NULL;
348 const char *cache_name, *q;
350 const void *cache_data;
351 char *cache_name_buf = NULL, *p;
356 if (flags & PAM_DELETE_CRED)
357 return (PAM_SUCCESS);
359 if (flags & PAM_REFRESH_CRED)
360 return (PAM_SUCCESS);
362 if (flags & PAM_REINITIALIZE_CRED)
363 return (PAM_SUCCESS);
365 if (!(flags & PAM_ESTABLISH_CRED))
366 return (PAM_SERVICE_ERR);
368 /* If a persistent cache isn't desired, stop now. */
369 if (openpam_get_option(pamh, PAM_OPT_NO_CCACHE))
370 return (PAM_SUCCESS);
372 PAM_LOG("Establishing credentials");
375 retval = pam_get_item(pamh, PAM_USER, &user);
376 if (retval != PAM_SUCCESS)
379 PAM_LOG("Got user: %s", (const char *)user);
381 krbret = krb5_init_context(&pam_context);
383 PAM_LOG("Error krb5_init_context() failed");
384 return (PAM_SERVICE_ERR);
387 PAM_LOG("Context initialised");
389 euid = geteuid(); /* Usually 0 */
392 PAM_LOG("Got euid, egid: %d %d", euid, egid);
394 /* Retrieve the temporary cache */
395 retval = pam_get_data(pamh, "ccache", &cache_data);
396 if (retval != PAM_SUCCESS) {
397 retval = PAM_CRED_UNAVAIL;
400 krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
402 PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data,
403 krb5_get_err_text(pam_context, krbret));
404 retval = PAM_SERVICE_ERR;
408 /* Get the uid. This should exist. */
409 pwd = getpwnam(user);
411 retval = PAM_USER_UNKNOWN;
415 PAM_LOG("Done getpwnam()");
417 /* Avoid following a symlink as root */
418 if (setegid(pwd->pw_gid)) {
419 retval = PAM_SERVICE_ERR;
422 if (seteuid(pwd->pw_uid)) {
423 retval = PAM_SERVICE_ERR;
427 PAM_LOG("Done setegid() & seteuid()");
429 /* Get the cache name */
430 cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE);
431 if (cache_name == NULL) {
432 asprintf(&cache_name_buf, "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
433 cache_name = cache_name_buf;
436 p = calloc(PATH_MAX + 16, sizeof(char));
440 PAM_LOG("Error malloc(): failure");
441 retval = PAM_BUF_ERR;
446 /* convert %u and %p */
451 sprintf(p, "%d", pwd->pw_uid);
454 else if (*q == 'p') {
455 sprintf(p, "%d", getpid());
459 /* Not a special token */
470 PAM_LOG("Got cache_name: %s", cache_name);
472 /* Initialize the new ccache */
473 krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
475 PAM_LOG("Error krb5_cc_get_principal(): %s",
476 krb5_get_err_text(pam_context, krbret));
477 retval = PAM_SERVICE_ERR;
480 krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
482 PAM_LOG("Error krb5_cc_resolve(): %s",
483 krb5_get_err_text(pam_context, krbret));
484 retval = PAM_SERVICE_ERR;
487 krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
489 PAM_LOG("Error krb5_cc_initialize(): %s",
490 krb5_get_err_text(pam_context, krbret));
491 retval = PAM_SERVICE_ERR;
495 PAM_LOG("Cache initialised");
497 /* Prepare for iteration over creds */
498 krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
500 PAM_LOG("Error krb5_cc_start_seq_get(): %s",
501 krb5_get_err_text(pam_context, krbret));
502 krb5_cc_destroy(pam_context, ccache_perm);
503 retval = PAM_SERVICE_ERR;
507 PAM_LOG("Prepared for iteration");
509 /* Copy the creds (should be two of them) */
510 while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp,
511 &cursor, &creds) == 0)) {
512 krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
514 PAM_LOG("Error krb5_cc_store_cred(): %s",
515 krb5_get_err_text(pam_context, krbret));
516 krb5_cc_destroy(pam_context, ccache_perm);
517 krb5_free_cred_contents(pam_context, &creds);
518 retval = PAM_SERVICE_ERR;
521 krb5_free_cred_contents(pam_context, &creds);
522 PAM_LOG("Iteration");
524 krb5_cc_end_seq_get(pam_context, ccache_temp, &cursor);
526 PAM_LOG("Done iterating");
528 if (strstr(cache_name, "FILE:") == cache_name) {
529 if (chown(&cache_name[5], pwd->pw_uid, pwd->pw_gid) == -1) {
530 PAM_LOG("Error chown(): %s", strerror(errno));
531 krb5_cc_destroy(pam_context, ccache_perm);
532 retval = PAM_SERVICE_ERR;
535 PAM_LOG("Done chown()");
537 if (chmod(&cache_name[5], (S_IRUSR | S_IWUSR)) == -1) {
538 PAM_LOG("Error chmod(): %s", strerror(errno));
539 krb5_cc_destroy(pam_context, ccache_perm);
540 retval = PAM_SERVICE_ERR;
543 PAM_LOG("Done chmod()");
546 krb5_cc_close(pam_context, ccache_perm);
548 PAM_LOG("Cache closed");
550 retval = pam_setenv(pamh, "KRB5CCNAME", cache_name, 1);
551 if (retval != PAM_SUCCESS) {
552 PAM_LOG("Error pam_setenv(): %s", pam_strerror(pamh, retval));
553 krb5_cc_destroy(pam_context, ccache_perm);
554 retval = PAM_SERVICE_ERR;
558 PAM_LOG("Environment done: KRB5CCNAME=%s", cache_name);
561 krb5_free_principal(pam_context, princ);
562 PAM_LOG("Done cleanup2");
564 krb5_free_context(pam_context);
565 PAM_LOG("Done cleanup3");
570 PAM_LOG("Done seteuid() & setegid()");
572 if (cache_name_buf != NULL)
573 free(cache_name_buf);
583 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
584 int argc __unused, const char *argv[] __unused)
586 krb5_error_code krbret;
587 krb5_context pam_context;
589 krb5_principal princ;
592 const void *ccache_name;
594 retval = pam_get_item(pamh, PAM_USER, &user);
595 if (retval != PAM_SUCCESS)
598 PAM_LOG("Got user: %s", (const char *)user);
600 retval = pam_get_data(pamh, "ccache", &ccache_name);
601 if (retval != PAM_SUCCESS)
602 return (PAM_SUCCESS);
604 PAM_LOG("Got credentials");
606 krbret = krb5_init_context(&pam_context);
608 PAM_LOG("Error krb5_init_context() failed");
609 return (PAM_PERM_DENIED);
612 PAM_LOG("Context initialised");
614 krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
616 PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name,
617 krb5_get_err_text(pam_context, krbret));
618 krb5_free_context(pam_context);
619 return (PAM_PERM_DENIED);
622 PAM_LOG("Got ccache %s", (const char *)ccache_name);
625 krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
627 PAM_LOG("Error krb5_cc_get_principal(): %s",
628 krb5_get_err_text(pam_context, krbret));
629 retval = PAM_PERM_DENIED;;
633 PAM_LOG("Got principal");
635 if (krb5_kuserok(pam_context, princ, (const char *)user))
636 retval = PAM_SUCCESS;
638 retval = PAM_PERM_DENIED;
639 krb5_free_principal(pam_context, princ);
641 PAM_LOG("Done kuserok()");
644 krb5_free_context(pam_context);
645 PAM_LOG("Done cleanup");
652 * password management
655 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
656 int argc __unused, const char *argv[] __unused)
658 krb5_error_code krbret;
659 krb5_context pam_context;
661 krb5_principal princ;
662 krb5_get_init_creds_opt opts;
663 krb5_data result_code_string, result_string;
664 int result_code, retval;
667 char *princ_name, *passdup;
669 if (!(flags & PAM_UPDATE_AUTHTOK))
670 return (PAM_AUTHTOK_ERR);
672 retval = pam_get_item(pamh, PAM_USER, &user);
673 if (retval != PAM_SUCCESS)
676 PAM_LOG("Got user: %s", (const char *)user);
678 krbret = krb5_init_context(&pam_context);
680 PAM_LOG("Error krb5_init_context() failed");
681 return (PAM_SERVICE_ERR);
684 PAM_LOG("Context initialised");
686 krb5_get_init_creds_opt_init(&opts);
688 PAM_LOG("Credentials options initialised");
690 /* Get principal name */
691 krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
693 PAM_LOG("Error krb5_parse_name(): %s",
694 krb5_get_err_text(pam_context, krbret));
695 retval = PAM_USER_UNKNOWN;
699 /* Now convert the principal name into something human readable */
701 krbret = krb5_unparse_name(pam_context, princ, &princ_name);
703 PAM_LOG("Error krb5_unparse_name(): %s",
704 krb5_get_err_text(pam_context, krbret));
705 retval = PAM_SERVICE_ERR;
709 PAM_LOG("Got principal: %s", princ_name);
712 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
713 if (retval != PAM_SUCCESS)
716 PAM_LOG("Got password");
718 memset(&creds, 0, sizeof(krb5_creds));
719 krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
720 pass, NULL, pamh, 0, "kadmin/changepw", &opts);
722 PAM_LOG("Error krb5_get_init_creds_password(): %s",
723 krb5_get_err_text(pam_context, krbret));
724 retval = PAM_AUTH_ERR;
728 PAM_LOG("Credentials established");
730 /* Now get the new password */
732 retval = pam_get_authtok(pamh,
733 PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
734 if (retval != PAM_TRY_AGAIN)
736 pam_error(pamh, "Mismatch; try again, EOF to quit.");
738 if (retval != PAM_SUCCESS)
741 PAM_LOG("Got new password");
744 if ((passdup = strdup(pass)) == NULL) {
745 retval = PAM_BUF_ERR;
748 krbret = krb5_change_password(pam_context, &creds, passdup,
749 &result_code, &result_code_string, &result_string);
752 PAM_LOG("Error krb5_change_password(): %s",
753 krb5_get_err_text(pam_context, krbret));
754 retval = PAM_AUTHTOK_ERR;
758 PAM_LOG("Error krb5_change_password(): (result_code)");
759 retval = PAM_AUTHTOK_ERR;
763 PAM_LOG("Password changed");
765 if (result_string.data)
766 free(result_string.data);
767 if (result_code_string.data)
768 free(result_code_string.data);
771 krb5_free_cred_contents(pam_context, &creds);
772 PAM_LOG("Done cleanup");
774 krb5_free_principal(pam_context, princ);
775 PAM_LOG("Done cleanup2");
780 krb5_free_context(pam_context);
782 PAM_LOG("Done cleanup3");
787 PAM_MODULE_ENTRY("pam_krb5");
790 * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
791 * Modified by Sam Hartman <hartmans@mit.edu> to support PAM services
794 * Verify the Kerberos ticket-granting ticket just retrieved for the
795 * user. If the Kerberos server doesn't respond, assume the user is
796 * trying to fake us out (since we DID just get a TGT from what is
797 * supposedly our KDC). If the host/<host> service is unknown (i.e.,
798 * the local keytab doesn't have it), and we cannot find another
799 * service we do have, let her in.
801 * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
805 verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
806 char *pam_service, int debug)
808 krb5_error_code retval;
809 krb5_principal princ;
810 krb5_keyblock *keyblock;
812 krb5_auth_context auth_context;
814 const char *services[3], **service;
818 /* If possible we want to try and verify the ticket we have
819 * received against a keytab. We will try multiple service
820 * principals, including at least the host principal and the PAM
821 * service principal. The host principal is preferred because access
822 * to that key is generally sufficient to compromise root, while the
823 * service key for this PAM service may be less carefully guarded.
824 * It is important to check the keytab first before the KDC so we do
825 * not get spoofed by a fake KDC.
827 services[0] = "host";
828 services[1] = pam_service;
832 for (service = &services[0]; *service != NULL; service++) {
833 retval = krb5_sname_to_principal(context, NULL, *service,
834 KRB5_NT_SRV_HST, &princ);
838 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
839 "krb5_sname_to_principal()",
840 krb5_get_err_text(context, retval));
844 /* Extract the name directly. */
845 strncpy(phost, compat_princ_component(context, princ, 1),
847 phost[BUFSIZ - 1] = '\0';
850 * Do we have service/<host> keys?
851 * (use default/configured keytab, kvno IGNORE_VNO to get the
852 * first match, and ignore enctype.)
854 retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
860 if (retval != 0) { /* failed to find key */
861 /* Keytab or service key does not exist */
864 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
865 "krb5_kt_read_service_key()",
866 krb5_get_err_text(context, retval));
871 krb5_free_keyblock(context, keyblock);
873 /* Talk to the kdc and construct the ticket. */
875 retval = krb5_mk_req(context, &auth_context, 0, *service, phost,
876 NULL, ccache, &packet);
878 krb5_auth_con_free(context, auth_context);
879 auth_context = NULL; /* setup for rd_req */
884 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
886 krb5_get_err_text(context, retval));
891 /* Try to use the ticket. */
892 retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
897 "pam_krb5: verify_krb_v5_tgt(): %s: %s",
899 krb5_get_err_text(context, retval));
907 compat_free_data_contents(context, &packet);
908 krb5_free_principal(context, princ);
912 /* Free the memory for cache_name. Called by pam_end() */
915 cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused)
917 krb5_context pam_context;
919 krb5_error_code krbret;
921 if (krb5_init_context(&pam_context))
924 krbret = krb5_cc_resolve(pam_context, data, &ccache);
926 krb5_cc_destroy(pam_context, ccache);
927 krb5_free_context(pam_context);
931 #ifdef COMPAT_HEIMDAL
933 #error This cannot be MIT and Heimdal compatible!
937 #ifndef COMPAT_HEIMDAL
939 #error One of COMPAT_MIT and COMPAT_HEIMDAL must be specified!
943 #ifdef COMPAT_HEIMDAL
946 compat_princ_component(krb5_context context __unused, krb5_principal princ, int n)
948 return princ->name.name_string.val[n];
953 compat_free_data_contents(krb5_context context __unused, krb5_data * data)
955 krb5_xfree(data->data);
961 compat_princ_component(krb5_context context, krb5_principal princ, int n)
963 return krb5_princ_component(context, princ, n)->data;
967 compat_free_data_contents(krb5_context context, krb5_data * data)
969 krb5_free_data_contents(context, data);