PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets

2007-03-10 17:47:21 +00:00 · 2007-03-10 17:47:21 +00:00 · 476933786a
parent 935d2b1c7f
commit 476933786a
2 changed files with 30 additions and 3 deletions
--- a/lib/libpam/modules/pam_krb5/pam_krb5.8
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.8
@ -1,4 +1,4 @@
-.\" $NetBSD: pam_krb5.8,v 1.6 2005/02/28 10:32:13 wiz Exp $
+.\" $NetBSD: pam_krb5.8,v 1.7 2007/03/10 17:47:21 christos Exp $
 .\" $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.6 2001/11/24 23:41:32 dd Exp $
 .Dd February 27, 2005
 .Dt PAM_KRB5 8
@ -80,6 +80,11 @@ This option is similar to the
 .Cm use_first_pass
 option, except that if the previously obtained password fails, the
 user is prompted for another password.
+.It Cm renewable Ns = Ns Ar timeperiod
+Obtain renewanle Kerberos credentials for the user.
+The renewable time can be specified, or it defaults to one month.
+Since spaces are not allowed in the pam configuration time, underscores
+are used to form parseable times (eg.  1_month).
 .It Cm forwardable
 Obtain forwardable Kerberos credentials for the user.
 .It Cm no_ccache
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@ -1,4 +1,4 @@
-/*	$NetBSD: pam_krb5.c,v 1.18 2006/11/03 18:55:40 christos Exp $	*/
+/*	$NetBSD: pam_krb5.c,v 1.19 2007/03/10 17:47:21 christos Exp $	*/

 /*-
 * This pam_krb5 module contains code that is:
@ -53,7 +53,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $");
 #else
-__RCSID("$NetBSD: pam_krb5.c,v 1.18 2006/11/03 18:55:40 christos Exp $");
+__RCSID("$NetBSD: pam_krb5.c,v 1.19 2007/03/10 17:47:21 christos Exp $");
 #endif

 #include <sys/types.h>
@ -69,6 +69,7 @@ __RCSID("$NetBSD: pam_krb5.c,v 1.18 2006/11/03 18:55:40 christos Exp $");

 #include <krb5/krb5.h>
 #include <krb5/com_err.h>
+#include <krb5/parse_time.h>

 #define	PAM_SM_AUTH
 #define	PAM_SM_ACCOUNT
@ -94,6 +95,7 @@ static void	compat_free_data_contents(krb5_context, krb5_data *);
 #define PAM_OPT_CCACHE		"ccache"
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
+#define PAM_OPT_RENEWABLE	"renewable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"

@ -118,6 +120,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
 	char password_prompt[80];
 	char pwbuf[1024];
+	const char *rtime;

 	princ_name = NULL;
 	retval = pam_get_user(pamh, &user, USER_PROMPT);
@ -152,6 +155,25 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
 		krb5_get_init_creds_opt_set_forwardable(&opts, 1);

+	if ((rtime = openpam_get_option(pamh, PAM_OPT_RENEWABLE)) != NULL) {
+		krb5_deltat renew;
+		char rbuf[80], *rp;
+
+		if (*rtime) {
+			(void)strlcpy(rbuf, rtime, sizeof(rbuf));
+			rtime = rbuf;
+			for (rp = rbuf; *rp; rp++)
+				if (*rp == '_')
+					rp[-1] = ' ';
+		}
+		else
+			rtime = "1 month";
+		renew = parse_time(rtime, "s");
+		krb5_get_init_creds_opt_set_renew_life(&opts, renew);
+	}
+
+
+
 	PAM_LOG("Credentials initialised");

 	krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);