lib/libpam/modules/pam_afslog/pam_afslog.c

   1 /*      $NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $    */
   2
   3 /*-
   4  * Copyright 2005 Tyler C. Sarna <tsarna@netbsd.org>
   5  *
   6  * This code is derived from software contributed to The NetBSD Foundation
   7  * by Tyler C. Sarna
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Neither the name of The NetBSD Foundation nor the names of its
  15  *    contributors may be used to endorse or promote products derived
  16  *    from this software without specific prior written permission.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
  19  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  20  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  21  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  22  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  23  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  24  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  25  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  26  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  27  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  28  * POSSIBILITY OF SUCH DAMAGE.
  29  */
  30
  31 #include <sys/cdefs.h>
  32
  33 __RCSID("$NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $");
  34
  35 #include <krb5/krb5.h>
  36 #include <krb5/kafs.h>
  37
  38 #define PAM_SM_AUTH
  39 #define PAM_SM_CRED
  40 #include <security/pam_appl.h>
  41 #include <security/pam_modules.h>
  42 #include <security/pam_mod_misc.h>
  43
  44 PAM_EXTERN int
  45 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
  46     int argc __unused, const char *argv[] __unused)
  47 {
  48         return PAM_IGNORE;
  49 }
  50
  51 PAM_EXTERN int
  52 pam_sm_setcred(pam_handle_t *pamh, int flags,
  53     int argc __unused, const char *argv[] __unused)
  54 {
  55         krb5_context ctx;
  56         krb5_ccache ccache;
  57         krb5_principal principal;
  58         krb5_error_code kret;
  59         const void *service = NULL;
  60         const char *ccname = NULL;
  61         int do_afslog = 0, ret = PAM_SUCCESS;
  62
  63         pam_get_item(pamh, PAM_SERVICE, &service);
  64         if (service == NULL)
  65                 service = "pam_afslog";
  66
  67         kret = krb5_init_context(&ctx);
  68         if (kret != 0) {
  69                 PAM_LOG("Error: krb5_init_context() failed");
  70                 ret = PAM_SERVICE_ERR;
  71         } else {
  72                 ccname = pam_getenv(pamh, "KRB5CCNAME");
  73                 if (ccname)
  74                         kret = krb5_cc_resolve(ctx, ccname, &ccache);
  75                 else
  76                         kret = krb5_cc_default(ctx, &ccache);
  77                 if (kret != 0) {
  78                         PAM_LOG("Error: failed to open ccache");
  79                         ret = PAM_SERVICE_ERR;
  80                 } else {
  81                         kret = krb5_cc_get_principal(ctx, ccache, &principal);
  82                         if (kret != 0) {
  83                                 PAM_LOG("Error: krb5_cc_get_principal() failed");
  84                                 ret = PAM_SERVICE_ERR;
  85                         } else {
  86                                 krb5_appdefault_boolean(ctx,
  87                                         (const char *)service,
  88                                         krb5_principal_get_realm(
  89                                                 ctx, principal),
  90                                         "afslog", FALSE, &do_afslog);
  91
  92                                 /* silently bail if not enabled */
  93
  94                                 if (do_afslog && k_hasafs()) {
  95                                         switch (flags & ~PAM_SILENT) {
  96                                         case 0:
  97                                         case PAM_ESTABLISH_CRED:
  98                                                 k_setpag();
  99
 100                                                 /* FALLTHROUGH */
 101
 102                                         case PAM_REINITIALIZE_CRED:
 103                                         case PAM_REFRESH_CRED:
 104                                                 krb5_afslog(ctx, ccache,
 105                                                         NULL, NULL);
 106                                                 break;
 107
 108                                         case PAM_DELETE_CRED:
 109                                                 k_unlog();
 110                                                 break;
 111                                         }
 112                                 }
 113
 114                                 krb5_free_principal(ctx, principal);
 115                         }
 116
 117                         krb5_cc_close(ctx, ccache);
 118                 }
 119
 120                 krb5_free_context(ctx);
 121         }
 122
 123         return ret;
 124 }
 125
 126 PAM_MODULE_ENTRY("pam_afslog");