PR/35968: Jukka Salmi: add option to pam_krb5(8) to request renewable tickets
parent
935d2b1c7f
commit
476933786a
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: pam_krb5.8,v 1.6 2005/02/28 10:32:13 wiz Exp $
|
||||
.\" $NetBSD: pam_krb5.8,v 1.7 2007/03/10 17:47:21 christos Exp $
|
||||
.\" $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.6 2001/11/24 23:41:32 dd Exp $
|
||||
.Dd February 27, 2005
|
||||
.Dt PAM_KRB5 8
|
||||
@ -80,6 +80,11 @@ This option is similar to the
|
||||
.Cm use_first_pass
|
||||
option, except that if the previously obtained password fails, the
|
||||
user is prompted for another password.
|
||||
.It Cm renewable Ns = Ns Ar timeperiod
|
||||
Obtain renewanle Kerberos credentials for the user.
|
||||
The renewable time can be specified, or it defaults to one month.
|
||||
Since spaces are not allowed in the pam configuration time, underscores
|
||||
are used to form parseable times (eg. 1_month).
|
||||
.It Cm forwardable
|
||||
Obtain forwardable Kerberos credentials for the user.
|
||||
.It Cm no_ccache
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: pam_krb5.c,v 1.18 2006/11/03 18:55:40 christos Exp $ */
|
||||
/* $NetBSD: pam_krb5.c,v 1.19 2007/03/10 17:47:21 christos Exp $ */
|
||||
|
||||
/*-
|
||||
* This pam_krb5 module contains code that is:
|
||||
@ -53,7 +53,7 @@
|
||||
#ifdef __FreeBSD__
|
||||
__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $");
|
||||
#else
|
||||
__RCSID("$NetBSD: pam_krb5.c,v 1.18 2006/11/03 18:55:40 christos Exp $");
|
||||
__RCSID("$NetBSD: pam_krb5.c,v 1.19 2007/03/10 17:47:21 christos Exp $");
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -69,6 +69,7 @@ __RCSID("$NetBSD: pam_krb5.c,v 1.18 2006/11/03 18:55:40 christos Exp $");
|
||||
|
||||
#include <krb5/krb5.h>
|
||||
#include <krb5/com_err.h>
|
||||
#include <krb5/parse_time.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
@ -94,6 +95,7 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
|
||||
#define PAM_OPT_CCACHE "ccache"
|
||||
#define PAM_OPT_DEBUG "debug"
|
||||
#define PAM_OPT_FORWARDABLE "forwardable"
|
||||
#define PAM_OPT_RENEWABLE "renewable"
|
||||
#define PAM_OPT_NO_CCACHE "no_ccache"
|
||||
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
|
||||
|
||||
@ -118,6 +120,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
|
||||
char password_prompt[80];
|
||||
char pwbuf[1024];
|
||||
const char *rtime;
|
||||
|
||||
princ_name = NULL;
|
||||
retval = pam_get_user(pamh, &user, USER_PROMPT);
|
||||
@ -152,6 +155,25 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
|
||||
krb5_get_init_creds_opt_set_forwardable(&opts, 1);
|
||||
|
||||
if ((rtime = openpam_get_option(pamh, PAM_OPT_RENEWABLE)) != NULL) {
|
||||
krb5_deltat renew;
|
||||
char rbuf[80], *rp;
|
||||
|
||||
if (*rtime) {
|
||||
(void)strlcpy(rbuf, rtime, sizeof(rbuf));
|
||||
rtime = rbuf;
|
||||
for (rp = rbuf; *rp; rp++)
|
||||
if (*rp == '_')
|
||||
rp[-1] = ' ';
|
||||
}
|
||||
else
|
||||
rtime = "1 month";
|
||||
renew = parse_time(rtime, "s");
|
||||
krb5_get_init_creds_opt_set_renew_life(&opts, renew);
|
||||
}
|
||||
|
||||
|
||||
|
||||
PAM_LOG("Credentials initialised");
|
||||
|
||||
krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
|
||||
|
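Review bot: The underscore-to-space loop in the new `renewable` block of pam_sm_authenticate stores through `rp[-1]` instead of `*rp`, so the character before each underscore is overwritten while the underscore stays, and a value that begins with `_` causes a one-byte write in front of `rbuf` on the stack. The assignment should be `*rp = ' ';`, which is also what lets the documented `1_month` form reach `parse_time` as `1 month`. The value returned by `parse_time` goes straight into `krb5_get_init_creds_opt_set_renew_life`; assuming it reports an unparsable string with a negative result (worth confirming against the Heimdal header), that case should be logged with `PAM_LOG` and the renew lifetime left unset. The `strlcpy` return value is discarded as well, so an option value longer than `sizeof(rbuf) - 1` is silently truncated before parsing. The function body starts and continues outside these hunks.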