1 /* $NetBSD: pam_afslog.c,v 1.2 2006/01/20 16:51:15 christos Exp $ */
2
3 /*-
4 * Copyright 2005 Tyler C. Sarna <tsarna@netbsd.org>
5 *
6 * This code is derived from software contributed to The NetBSD Foundation
7 * by Tyler C. Sarna
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Neither the name of The NetBSD Foundation nor the names of its
15 * contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
19 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
22 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <sys/cdefs.h>
32
33 __RCSID("$NetBSD: pam_afslog.c,v 1.2 2006/01/20 16:51:15 christos Exp $");
34
35 #include <krb5/krb5.h>
36 #include <krb5/kafs.h>
37
38 #define PAM_SM_AUTH
39 #define PAM_SM_CRED
40 #include <security/pam_appl.h>
41 #include <security/pam_modules.h>
42 #include <security/pam_mod_misc.h>
43
/*
 * pam_sm_authenticate - PAM "auth" entry point.
 *
 * This module does no authentication of its own; all of its work happens
 * in pam_sm_setcred() once a Kerberos credential cache exists.  Returning
 * PAM_IGNORE keeps this entry from counting for or against the result of
 * the auth stack, so it can be listed there purely so setcred gets called.
 *
 * All parameters are unused.  Always returns PAM_IGNORE.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	(void)pamh;	/* not marked __unused in the signature; silence -Wunused-parameter */

	return PAM_IGNORE;
}
50
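/*
 * pam_sm_setcred - obtain, refresh or drop AFS tokens for the session.
 *
 * The work is opt-in: it only happens when the krb5.conf [appdefaults]
 * boolean "afslog" is true for the PAM service name / the principal's
 * realm (default FALSE) and an AFS client is present (k_hasafs()).
 * The Kerberos credentials come from the ccache named by KRB5CCNAME in
 * the PAM environment (as exported by e.g. pam_krb5), else the default
 * ccache.
 *
 * Action by "flags" (PAM_SILENT is masked off first):
 *   0 / PAM_ESTABLISH_CRED              - new PAG, then afslog
 *   PAM_REINITIALIZE_CRED / PAM_REFRESH_CRED - afslog into the current PAG
 *   PAM_DELETE_CRED                     - k_unlog()
 *   anything else                       - no-op
 *
 * Returns PAM_SUCCESS, or PAM_SERVICE_ERR if the Kerberos context or the
 * ccache (including its client principal) cannot be opened.
 *
 * NOTE(review): a session with no Kerberos ccache at all fails
 * krb5_cc_get_principal() and therefore gets PAM_SERVICE_ERR rather than
 * the "silent bail" the enabled-check below gives; that is only harmless
 * if this module is stacked as "optional" -- confirm against pam.conf.
 * The same structure means PAM_DELETE_CRED never reaches k_unlog() if the
 * ccache has already been destroyed by an earlier module in the stack.
 *
 * The results of k_setpag(), krb5_afslog() and k_unlog() are ignored:
 * token handling is deliberately best-effort and never fails the login.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags,
    int argc __unused, const char *argv[] __unused)
{
	krb5_context ctx;
	krb5_ccache ccache;
	krb5_principal principal;
	krb5_error_code kret;
	const void *service = NULL;
	const char *ccname = NULL;
	int do_afslog = 0, ret = PAM_SUCCESS;

	/*
	 * The PAM service name is the [appdefaults] section consulted
	 * below; fall back to the module's own name if PAM has none.
	 * (The pam_get_item() result is not needed: a failure leaves
	 * "service" NULL and takes the fallback.)
	 */
	pam_get_item(pamh, PAM_SERVICE, &service);
	if (service == NULL)
		service = "pam_afslog";

	kret = krb5_init_context(&ctx);
	if (kret != 0) {
		PAM_LOG("Error: krb5_init_context() failed");
		return PAM_SERVICE_ERR;
	}

	/* Prefer the ccache the auth stack exported into the PAM env. */
	ccname = pam_getenv(pamh, "KRB5CCNAME");
	if (ccname != NULL)
		kret = krb5_cc_resolve(ctx, ccname, &ccache);
	else
		kret = krb5_cc_default(ctx, &ccache);
	if (kret != 0) {
		PAM_LOG("Error: failed to open ccache");
		ret = PAM_SERVICE_ERR;
		goto out_ctx;
	}

	/* The client principal supplies the realm for the appdefaults lookup. */
	kret = krb5_cc_get_principal(ctx, ccache, &principal);
	if (kret != 0) {
		PAM_LOG("Error: krb5_cc_get_principal() failed");
		ret = PAM_SERVICE_ERR;
		goto out_cc;
	}

	krb5_appdefault_boolean(ctx, (const char *)service,
	    krb5_principal_get_realm(ctx, principal),
	    "afslog", FALSE, &do_afslog);

	/* Silently bail if not enabled for this service/realm or no AFS client. */
	if (do_afslog && k_hasafs()) {
		switch (flags & ~PAM_SILENT) {
		case 0:
		case PAM_ESTABLISH_CRED:
			/*
			 * Create the PAG before obtaining tokens so they
			 * are attached to this session rather than to
			 * whatever PAG the caller already had.
			 */
			k_setpag();

			/* FALLTHROUGH */

		case PAM_REINITIALIZE_CRED:
		case PAM_REFRESH_CRED:
			krb5_afslog(ctx, ccache, NULL, NULL);
			break;

		case PAM_DELETE_CRED:
			k_unlog();
			break;

		default:
			/* Unknown/unsupported flag combination: nothing to do. */
			break;
		}
	}

	krb5_free_principal(ctx, principal);
out_cc:
	krb5_cc_close(ctx, ccache);
out_ctx:
	krb5_free_context(ctx);

	return ret;
}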
125
/* Register this module with OpenPAM under the name "pam_afslog". */
PAM_MODULE_ENTRY("pam_afslog");
127