NetBSD/lib/libpam/modules/pam_afslog/pam_afslog.c

/*	$NetBSD: pam_afslog.c,v 1.2 2006/01/20 16:51:15 christos Exp $	*/

/*-
 * Copyright 2005 Tyler C. Sarna <tsarna@netbsd.org>
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Tyler C. Sarna
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Neither the name of The NetBSD Foundation nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#include <sys/cdefs.h>

__RCSID("$NetBSD: pam_afslog.c,v 1.2 2006/01/20 16:51:15 christos Exp $");

#include <krb5/krb5.h>
#include <krb5/kafs.h>

#define PAM_SM_AUTH
#define PAM_SM_CRED
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	return PAM_IGNORE;
}

PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags,
    int argc __unused, const char *argv[] __unused)
{
	krb5_context ctx;
	krb5_ccache ccache;
	krb5_principal principal;
	krb5_error_code kret;
	const void *service = NULL;
	const char *ccname = NULL;
	int do_afslog = 0, ret = PAM_SUCCESS;
					        
	pam_get_item(pamh, PAM_SERVICE, &service);
	if (service == NULL)
		service = "pam_afslog";

	kret = krb5_init_context(&ctx);
	if (kret != 0) {
		PAM_LOG("Error: krb5_init_context() failed");
		ret = PAM_SERVICE_ERR;
	} else {
		ccname = pam_getenv(pamh, "KRB5CCNAME");
		if (ccname)
			kret = krb5_cc_resolve(ctx, ccname, &ccache);
		else
			kret = krb5_cc_default(ctx, &ccache);
		if (kret != 0) {
			PAM_LOG("Error: failed to open ccache");
			ret = PAM_SERVICE_ERR;
		} else {
			kret = krb5_cc_get_principal(ctx, ccache, &principal);
			if (kret != 0) {
				PAM_LOG("Error: krb5_cc_get_principal() failed");
				ret = PAM_SERVICE_ERR;
			} else {
				krb5_appdefault_boolean(ctx,
					(const char *)service,
					krb5_principal_get_realm(
						ctx, principal),
					"afslog", FALSE, &do_afslog);

				/* silently bail if not enabled */
	
				if (do_afslog && k_hasafs()) {
					switch (flags & ~PAM_SILENT) {
					case 0:
					case PAM_ESTABLISH_CRED:
						k_setpag();
				
						/* FALLTHROUGH */
	
					case PAM_REINITIALIZE_CRED:
					case PAM_REFRESH_CRED:
						krb5_afslog(ctx, ccache,
							NULL, NULL);
						break;

					case PAM_DELETE_CRED:
						k_unlog();
						break;
					}
				}

				krb5_free_principal(ctx, principal);
			}

			krb5_cc_close(ctx, ccache);
		}

		krb5_free_context(ctx);
	}
	
	return ret;
}

PAM_MODULE_ENTRY("pam_afslog");
Declare what we services provide, otherwise pam assumes that we provide everything and this breaks static linking. 2006-01-20 19:51:15 +03:00			`/* $NetBSD: pam_afslog.c,v 1.2 2006/01/20 16:51:15 christos Exp $ */`
pam_afslog is used in conjunction with pam_krb5 to obtain AFS tokens and create a PAG if necessary. Especially important for home directories on AFS. 2005-09-21 18:19:08 +04:00
			`/*-`
			`* Copyright 2005 Tyler C. Sarna <tsarna@netbsd.org>`
			`*`
			`* This code is derived from software contributed to The NetBSD Foundation`
			`* by Tyler C. Sarna`
			`*`
			`* Redistribution and use in source and binary forms, with or without`
			`* modification, are permitted provided that the following conditions`
			`* are met:`
			`* 1. Redistributions of source code must retain the above copyright`
			`* notice, this list of conditions and the following disclaimer.`
			`* 2. Neither the name of The NetBSD Foundation nor the names of its`
			`* contributors may be used to endorse or promote products derived`
			`* from this software without specific prior written permission.`
			`*`
			`* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS`
			* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
			`* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR`
			`* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS`
			`* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR`
			`* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF`
			`* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS`
			`* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN`
			`* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
			`* POSSIBILITY OF SUCH DAMAGE.`
			`*/`

			`#include <sys/cdefs.h>`

Declare what we services provide, otherwise pam assumes that we provide everything and this breaks static linking. 2006-01-20 19:51:15 +03:00			`__RCSID("$NetBSD: pam_afslog.c,v 1.2 2006/01/20 16:51:15 christos Exp $");`
pam_afslog is used in conjunction with pam_krb5 to obtain AFS tokens and create a PAG if necessary. Especially important for home directories on AFS. 2005-09-21 18:19:08 +04:00
			`#include <krb5/krb5.h>`
			`#include <krb5/kafs.h>`

Declare what we services provide, otherwise pam assumes that we provide everything and this breaks static linking. 2006-01-20 19:51:15 +03:00			`#define PAM_SM_AUTH`
			`#define PAM_SM_CRED`
pam_afslog is used in conjunction with pam_krb5 to obtain AFS tokens and create a PAG if necessary. Especially important for home directories on AFS. 2005-09-21 18:19:08 +04:00			`#include <security/pam_appl.h>`
			`#include <security/pam_modules.h>`
			`#include <security/pam_mod_misc.h>`

			`PAM_EXTERN int`
			`pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,`
			`int argc __unused, const char *argv[] __unused)`
			`{`
			`return PAM_IGNORE;`
			`}`

			`PAM_EXTERN int`
			`pam_sm_setcred(pam_handle_t *pamh, int flags,`
			`int argc __unused, const char *argv[] __unused)`
			`{`
			`krb5_context ctx;`
			`krb5_ccache ccache;`
			`krb5_principal principal;`
			`krb5_error_code kret;`
			`const void *service = NULL;`
			`const char *ccname = NULL;`
			`int do_afslog = 0, ret = PAM_SUCCESS;`

			`pam_get_item(pamh, PAM_SERVICE, &service);`
			`if (service == NULL)`
			`service = "pam_afslog";`

			`kret = krb5_init_context(&ctx);`
			`if (kret != 0) {`
			`PAM_LOG("Error: krb5_init_context() failed");`
			`ret = PAM_SERVICE_ERR;`
			`} else {`
			`ccname = pam_getenv(pamh, "KRB5CCNAME");`
			`if (ccname)`
			`kret = krb5_cc_resolve(ctx, ccname, &ccache);`
			`else`
			`kret = krb5_cc_default(ctx, &ccache);`
			`if (kret != 0) {`
			`PAM_LOG("Error: failed to open ccache");`
			`ret = PAM_SERVICE_ERR;`
			`} else {`
			`kret = krb5_cc_get_principal(ctx, ccache, &principal);`
			`if (kret != 0) {`
			`PAM_LOG("Error: krb5_cc_get_principal() failed");`
			`ret = PAM_SERVICE_ERR;`
			`} else {`
			`krb5_appdefault_boolean(ctx,`
			`(const char *)service,`
			`krb5_principal_get_realm(`
			`ctx, principal),`
			`"afslog", FALSE, &do_afslog);`

			`/* silently bail if not enabled */`

			`if (do_afslog && k_hasafs()) {`
			`switch (flags & ~PAM_SILENT) {`
			`case 0:`
			`case PAM_ESTABLISH_CRED:`
			`k_setpag();`

			`/* FALLTHROUGH */`

			`case PAM_REINITIALIZE_CRED:`
			`case PAM_REFRESH_CRED:`
			`krb5_afslog(ctx, ccache,`
			`NULL, NULL);`
			`break;`

			`case PAM_DELETE_CRED:`
			`k_unlog();`
			`break;`
			`}`
			`}`

			`krb5_free_principal(ctx, principal);`
			`}`

			`krb5_cc_close(ctx, ccache);`
			`}`

			`krb5_free_context(ctx);`
			`}`

			`return ret;`
			`}`

			`PAM_MODULE_ENTRY("pam_afslog");`