10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 53641Ssemery * Common Development and Distribution License (the "License"). 63641Ssemery * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 22*11262SRajagopal.Andra@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 240Sstevel@tonic-gate */ 250Sstevel@tonic-gate 260Sstevel@tonic-gate 270Sstevel@tonic-gate #include <stdlib.h> 280Sstevel@tonic-gate #include <syslog.h> 290Sstevel@tonic-gate #include <errno.h> 300Sstevel@tonic-gate #include <string.h> 310Sstevel@tonic-gate #include <rpc/rpc.h> 320Sstevel@tonic-gate #include <unistd.h> 330Sstevel@tonic-gate #include <assert.h> 340Sstevel@tonic-gate #include <stdarg.h> 350Sstevel@tonic-gate #include <sys/types.h> 360Sstevel@tonic-gate #include <sys/wait.h> 370Sstevel@tonic-gate #include <limits.h> 384405Sjjj #include <signal.h> 394405Sjjj #include <pthread.h> 404405Sjjj #include <synch.h> 410Sstevel@tonic-gate 420Sstevel@tonic-gate #include <rpcsvc/nis.h> 430Sstevel@tonic-gate #include <rpcsvc/nispasswd.h> 440Sstevel@tonic-gate #include <rpcsvc/yppasswd.h> 450Sstevel@tonic-gate #include <rpcsvc/ypclnt.h> 460Sstevel@tonic-gate #include <rpc/key_prot.h> 470Sstevel@tonic-gate #include <rpc/rpc.h> 480Sstevel@tonic-gate #include <nfs/nfs.h> 490Sstevel@tonic-gate #include <nfs/nfssys.h> 500Sstevel@tonic-gate #include <nss_dbdefs.h> 510Sstevel@tonic-gate #include <nsswitch.h> 520Sstevel@tonic-gate #include <rpcsvc/nis_dhext.h> 530Sstevel@tonic-gate 540Sstevel@tonic-gate #include <security/pam_appl.h> 550Sstevel@tonic-gate #include <security/pam_modules.h> 560Sstevel@tonic-gate #include <security/pam_impl.h> 570Sstevel@tonic-gate 580Sstevel@tonic-gate #include <libintl.h> 590Sstevel@tonic-gate 600Sstevel@tonic-gate #include <sys/mman.h> 610Sstevel@tonic-gate 620Sstevel@tonic-gate #include <passwdutil.h> 630Sstevel@tonic-gate 640Sstevel@tonic-gate #include "key_call_uid.h" 657422SJohn.Sonnenschein@Sun.COM #include <shadow.h> 660Sstevel@tonic-gate 670Sstevel@tonic-gate extern int _nfssys(int, void *); 680Sstevel@tonic-gate 690Sstevel@tonic-gate /* 700Sstevel@tonic-gate * int msg(pamh, ...) 710Sstevel@tonic-gate * 720Sstevel@tonic-gate * display message to the user 730Sstevel@tonic-gate */ 740Sstevel@tonic-gate /*PRINTFLIKE2*/ 754405Sjjj static int 760Sstevel@tonic-gate msg(pam_handle_t *pamh, char *fmt, ...) 770Sstevel@tonic-gate { 780Sstevel@tonic-gate va_list ap; 790Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; 800Sstevel@tonic-gate 810Sstevel@tonic-gate va_start(ap, fmt); 820Sstevel@tonic-gate (void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap); 830Sstevel@tonic-gate va_end(ap); 840Sstevel@tonic-gate 850Sstevel@tonic-gate return (__pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL)); 860Sstevel@tonic-gate } 870Sstevel@tonic-gate 880Sstevel@tonic-gate 890Sstevel@tonic-gate /* 900Sstevel@tonic-gate * Get the secret key for the given netname, key length, and algorithm 910Sstevel@tonic-gate * type and send it to keyserv if the given pw decrypts it. Update the 920Sstevel@tonic-gate * following counter args as necessary: get_seckey_cnt, good_pw_cnt, and 930Sstevel@tonic-gate * set_seckey_cnt. 940Sstevel@tonic-gate * 950Sstevel@tonic-gate * Returns 0 on malloc failure, else 1. 960Sstevel@tonic-gate */ 970Sstevel@tonic-gate static int 980Sstevel@tonic-gate get_and_set_seckey( 990Sstevel@tonic-gate pam_handle_t *pamh, /* in */ 1000Sstevel@tonic-gate const char *netname, /* in */ 1010Sstevel@tonic-gate keylen_t keylen, /* in */ 1020Sstevel@tonic-gate algtype_t algtype, /* in */ 1030Sstevel@tonic-gate const char *pw, /* in */ 1040Sstevel@tonic-gate uid_t uid, /* in */ 1050Sstevel@tonic-gate gid_t gid, /* in */ 1060Sstevel@tonic-gate int *get_seckey_cnt, /* out */ 1070Sstevel@tonic-gate int *good_pw_cnt, /* out */ 1080Sstevel@tonic-gate int *set_seckey_cnt, /* out */ 1090Sstevel@tonic-gate int flags, /* in */ 1100Sstevel@tonic-gate int debug) /* in */ 1110Sstevel@tonic-gate { 1120Sstevel@tonic-gate char *skey; 1130Sstevel@tonic-gate int skeylen; 1140Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; 1150Sstevel@tonic-gate 1160Sstevel@tonic-gate skeylen = BITS2NIBBLES(keylen) + 1; 1170Sstevel@tonic-gate 1180Sstevel@tonic-gate if ((skey = malloc(skeylen)) == NULL) { 1190Sstevel@tonic-gate return (0); 1200Sstevel@tonic-gate } 1210Sstevel@tonic-gate 1220Sstevel@tonic-gate if (getsecretkey_g(netname, keylen, algtype, skey, skeylen, pw)) { 1230Sstevel@tonic-gate (*get_seckey_cnt)++; 1240Sstevel@tonic-gate 1250Sstevel@tonic-gate if (skey[0]) { 1260Sstevel@tonic-gate /* password does decrypt secret key */ 1270Sstevel@tonic-gate (*good_pw_cnt)++; 1280Sstevel@tonic-gate if (key_setnet_g_uid(netname, skey, keylen, NULL, 0, 1294405Sjjj algtype, uid, gid) >= 0) { 1300Sstevel@tonic-gate (*set_seckey_cnt)++; 1310Sstevel@tonic-gate } else { 1320Sstevel@tonic-gate if (debug) 1330Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: " 1344405Sjjj "get_and_set_seckey: could not " 1354405Sjjj "set secret key for keytype " 1364405Sjjj "%d-%d", keylen, algtype); 1370Sstevel@tonic-gate } 1380Sstevel@tonic-gate } else { 1390Sstevel@tonic-gate if (pamh && !(flags & PAM_SILENT)) { 1400Sstevel@tonic-gate (void) snprintf(messages[0], 1410Sstevel@tonic-gate sizeof (messages[0]), 1420Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 1434405Sjjj "Password does not " 1444405Sjjj "decrypt secret key (type = %d-%d) " 1454405Sjjj "for '%s'."), keylen, algtype, netname); 1460Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, 1474405Sjjj messages, NULL); 1480Sstevel@tonic-gate } 1490Sstevel@tonic-gate } 1500Sstevel@tonic-gate } else { 1510Sstevel@tonic-gate if (debug) 1520Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: get_and_set_seckey: " 1534405Sjjj "could not get secret key for keytype %d-%d", 1544405Sjjj keylen, algtype); 1550Sstevel@tonic-gate } 1560Sstevel@tonic-gate 1570Sstevel@tonic-gate free(skey); 1580Sstevel@tonic-gate 1590Sstevel@tonic-gate return (1); 1600Sstevel@tonic-gate } 1610Sstevel@tonic-gate 1620Sstevel@tonic-gate /* 1630Sstevel@tonic-gate * int establish_key(pamh, flags, debug, netname) 1640Sstevel@tonic-gate * 1655945Ssdussud * This routine establishes the Secure RPC Credentials for the 1660Sstevel@tonic-gate * user specified in PAM_USER, using the password in PAM_AUTHTOK. 1670Sstevel@tonic-gate * 1685945Ssdussud * Establishing RPC credentials is considered a "helper" function for the PAM 1695945Ssdussud * stack so we should only return failures or PAM_IGNORE. Returning PAM_SUCCESS 1705945Ssdussud * may short circuit the stack and circumvent later critical checks. 1715945Ssdussud * 172*11262SRajagopal.Andra@Sun.COM * we are called from pam_sm_setcred: 173*11262SRajagopal.Andra@Sun.COM * 1. if we are root (uid == 0), we do nothing and return 174*11262SRajagopal.Andra@Sun.COM * PAM_IGNORE. 175*11262SRajagopal.Andra@Sun.COM * 2. else, we try to establish credentials. 1760Sstevel@tonic-gate * 177*11262SRajagopal.Andra@Sun.COM * We return framework errors as appropriate such as PAM_USER_UNKNOWN, 178*11262SRajagopal.Andra@Sun.COM * PAM_BUF_ERR, PAM_PERM_DENIED. 1795945Ssdussud * 180*11262SRajagopal.Andra@Sun.COM * If we succeed in establishing credentials we return PAM_IGNORE. 1810Sstevel@tonic-gate * 182*11262SRajagopal.Andra@Sun.COM * If we fail to establish credentials then we return: 183*11262SRajagopal.Andra@Sun.COM * - PAM_SERVICE_ERR (credentials needed) or PAM_SYSTEM_ERR 184*11262SRajagopal.Andra@Sun.COM * (credentials not needed) if netname could not be created; 185*11262SRajagopal.Andra@Sun.COM * - PAM_AUTH_ERR (credentials needed) or PAM_IGNORE (credentials 186*11262SRajagopal.Andra@Sun.COM * not needed) if no credentials were retrieved; 187*11262SRajagopal.Andra@Sun.COM * - PAM_AUTH_ERR if the password didn't decrypt the cred; 188*11262SRajagopal.Andra@Sun.COM * - PAM_SYSTEM_ERR if the cred's could not be stored. 1890Sstevel@tonic-gate * 1900Sstevel@tonic-gate * This routine returns the user's netname in "netname". 1910Sstevel@tonic-gate * 1920Sstevel@tonic-gate * All tools--but the PAM stack--currently use getpass() to obtain 1930Sstevel@tonic-gate * the user's secure RPC password. We must make sure we don't use more than 1940Sstevel@tonic-gate * the first des_block (eight) characters of whatever is handed down to us. 1950Sstevel@tonic-gate * Therefore, we use a local variable "short_pass" to hold those 8 char's. 1960Sstevel@tonic-gate */ 1974405Sjjj static int 198*11262SRajagopal.Andra@Sun.COM establish_key(pam_handle_t *pamh, int flags, int debug, char *netname) 1990Sstevel@tonic-gate { 2000Sstevel@tonic-gate char *user; 2010Sstevel@tonic-gate char *passwd; 2020Sstevel@tonic-gate char short_pass[sizeof (des_block)+1], *short_passp; 2030Sstevel@tonic-gate int result; 2040Sstevel@tonic-gate uid_t uid; 2050Sstevel@tonic-gate gid_t gid; 2060Sstevel@tonic-gate int err; 2070Sstevel@tonic-gate 2080Sstevel@tonic-gate struct passwd pw; /* Needed to obtain uid */ 2090Sstevel@tonic-gate char *scratch; 2100Sstevel@tonic-gate int scratchlen; 2110Sstevel@tonic-gate 2120Sstevel@tonic-gate mechanism_t **mechs; 2130Sstevel@tonic-gate mechanism_t **mpp; 2140Sstevel@tonic-gate int get_seckey_cnt = 0; 2150Sstevel@tonic-gate int set_seckey_cnt = 0; 2160Sstevel@tonic-gate int good_pw_cnt = 0; 2170Sstevel@tonic-gate int valid_mech_cnt = 0; 2180Sstevel@tonic-gate 2190Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_USER, (void **)&user); 2200Sstevel@tonic-gate 2210Sstevel@tonic-gate if (user == NULL || *user == '\0') { 2220Sstevel@tonic-gate if (debug) 2230Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: user NULL or empty"); 2240Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 2250Sstevel@tonic-gate } 2260Sstevel@tonic-gate 2270Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&passwd); 2280Sstevel@tonic-gate 2290Sstevel@tonic-gate scratchlen = sysconf(_SC_GETPW_R_SIZE_MAX); 2300Sstevel@tonic-gate if ((scratch = malloc(scratchlen)) == NULL) 2310Sstevel@tonic-gate return (PAM_BUF_ERR); 2320Sstevel@tonic-gate 2330Sstevel@tonic-gate if (getpwnam_r(user, &pw, scratch, scratchlen) == NULL) { 2340Sstevel@tonic-gate result = PAM_USER_UNKNOWN; 2350Sstevel@tonic-gate goto out; 2360Sstevel@tonic-gate } 2370Sstevel@tonic-gate 2380Sstevel@tonic-gate uid = pw.pw_uid; 2390Sstevel@tonic-gate gid = pw.pw_gid; 2400Sstevel@tonic-gate 2410Sstevel@tonic-gate /* 2420Sstevel@tonic-gate * We don't set credentials when root logs in. 2430Sstevel@tonic-gate */ 244*11262SRajagopal.Andra@Sun.COM if (uid == 0) { 2450Sstevel@tonic-gate result = PAM_IGNORE; 2460Sstevel@tonic-gate goto out; 2470Sstevel@tonic-gate } 2480Sstevel@tonic-gate 249*11262SRajagopal.Andra@Sun.COM err = user2netname(netname, uid, NULL); 2500Sstevel@tonic-gate 2510Sstevel@tonic-gate if (err != 1) { 2520Sstevel@tonic-gate if (debug) 2530Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: user2netname failed"); 2540Sstevel@tonic-gate result = PAM_SYSTEM_ERR; 2550Sstevel@tonic-gate goto out; 2560Sstevel@tonic-gate } 2570Sstevel@tonic-gate 2580Sstevel@tonic-gate /* passwd can be NULL (no passwd or su as root) */ 2590Sstevel@tonic-gate if (passwd) { 2600Sstevel@tonic-gate (void) strlcpy(short_pass, passwd, sizeof (short_pass)); 2610Sstevel@tonic-gate short_passp = short_pass; 2620Sstevel@tonic-gate } else 2630Sstevel@tonic-gate short_passp = NULL; 2640Sstevel@tonic-gate 2650Sstevel@tonic-gate if (mechs = __nis_get_mechanisms(FALSE)) { 2660Sstevel@tonic-gate 2670Sstevel@tonic-gate for (mpp = mechs; *mpp; mpp++) { 2680Sstevel@tonic-gate mechanism_t *mp = *mpp; 2690Sstevel@tonic-gate 2700Sstevel@tonic-gate if (AUTH_DES_COMPAT_CHK(mp)) 2710Sstevel@tonic-gate break; /* fall through to AUTH_DES below */ 2720Sstevel@tonic-gate 2730Sstevel@tonic-gate if (!VALID_MECH_ENTRY(mp)) 2740Sstevel@tonic-gate continue; 2750Sstevel@tonic-gate 2760Sstevel@tonic-gate if (debug) 2770Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: trying " 2784405Sjjj "key type = %d-%d", mp->keylen, 2794405Sjjj mp->algtype); 2800Sstevel@tonic-gate valid_mech_cnt++; 2810Sstevel@tonic-gate if (!get_and_set_seckey(pamh, netname, mp->keylen, 2824405Sjjj mp->algtype, short_passp, uid, gid, 2834405Sjjj &get_seckey_cnt, &good_pw_cnt, &set_seckey_cnt, 284*11262SRajagopal.Andra@Sun.COM flags, debug)) { 2850Sstevel@tonic-gate result = PAM_BUF_ERR; 2860Sstevel@tonic-gate goto out; 2870Sstevel@tonic-gate } 2880Sstevel@tonic-gate } 2890Sstevel@tonic-gate __nis_release_mechanisms(mechs); 2900Sstevel@tonic-gate /* fall through to AUTH_DES below */ 2910Sstevel@tonic-gate } else { 2920Sstevel@tonic-gate /* 293*11262SRajagopal.Andra@Sun.COM * No usable mechs found in security congifuration file thus 2940Sstevel@tonic-gate * fallback to AUTH_DES compat. 2950Sstevel@tonic-gate */ 2960Sstevel@tonic-gate if (debug) 2970Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: no valid mechs " 2984405Sjjj "found. Trying AUTH_DES."); 2990Sstevel@tonic-gate } 3000Sstevel@tonic-gate 3010Sstevel@tonic-gate /* 302*11262SRajagopal.Andra@Sun.COM * We always perform AUTH_DES for the benefit of services like NFS 303*11262SRajagopal.Andra@Sun.COM * that may depend on the classic des 192bit key being set. 3040Sstevel@tonic-gate */ 3050Sstevel@tonic-gate if (!get_and_set_seckey(pamh, netname, AUTH_DES_KEYLEN, 3060Sstevel@tonic-gate AUTH_DES_ALGTYPE, short_passp, uid, gid, &get_seckey_cnt, 307*11262SRajagopal.Andra@Sun.COM &good_pw_cnt, &set_seckey_cnt, flags, debug)) { 3080Sstevel@tonic-gate result = PAM_BUF_ERR; 3090Sstevel@tonic-gate goto out; 3100Sstevel@tonic-gate } 3110Sstevel@tonic-gate 3120Sstevel@tonic-gate if (debug) { 3130Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: mech key totals:\n"); 3140Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d valid mechanism(s)", 3154405Sjjj valid_mech_cnt); 3160Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d secret key(s) retrieved", 3174405Sjjj get_seckey_cnt); 3180Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d passwd decrypt successes", 3194405Sjjj good_pw_cnt); 3200Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d secret key(s) set", 3214405Sjjj set_seckey_cnt); 3220Sstevel@tonic-gate } 3230Sstevel@tonic-gate 3240Sstevel@tonic-gate if (get_seckey_cnt == 0) { /* No credentials */ 325*11262SRajagopal.Andra@Sun.COM result = PAM_IGNORE; 3260Sstevel@tonic-gate goto out; 3270Sstevel@tonic-gate } 3280Sstevel@tonic-gate 3290Sstevel@tonic-gate if (good_pw_cnt == 0) { /* wrong password */ 3305945Ssdussud result = PAM_AUTH_ERR; 3310Sstevel@tonic-gate goto out; 3320Sstevel@tonic-gate } 3330Sstevel@tonic-gate 3340Sstevel@tonic-gate if (set_seckey_cnt == 0) { 3355945Ssdussud result = PAM_SYSTEM_ERR; 3360Sstevel@tonic-gate goto out; 3370Sstevel@tonic-gate } 338*11262SRajagopal.Andra@Sun.COM /* Credentials have been successfully established, return PAM_IGNORE */ 3390Sstevel@tonic-gate result = PAM_IGNORE; 3400Sstevel@tonic-gate out: 3415945Ssdussud /* 3425945Ssdussud * If we are authenticating we attempt to establish credentials 3435945Ssdussud * where appropriate. Failure to do so is only an error if we 3445945Ssdussud * definitely needed them. Thus always return PAM_IGNORE 3455945Ssdussud * if we are authenticating and credentials were not needed. 3465945Ssdussud */ 3470Sstevel@tonic-gate free(scratch); 3480Sstevel@tonic-gate 3490Sstevel@tonic-gate (void) memset(short_pass, '\0', sizeof (short_pass)); 3500Sstevel@tonic-gate 3510Sstevel@tonic-gate return (result); 3520Sstevel@tonic-gate } 3530Sstevel@tonic-gate 354*11262SRajagopal.Andra@Sun.COM /*ARGSUSED*/ 3550Sstevel@tonic-gate int 3560Sstevel@tonic-gate pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) 3570Sstevel@tonic-gate { 358*11262SRajagopal.Andra@Sun.COM return (PAM_IGNORE); 3590Sstevel@tonic-gate } 3600Sstevel@tonic-gate 3614405Sjjj 3624405Sjjj typedef struct argres { 3634405Sjjj uid_t uid; 3644405Sjjj int result; 3654405Sjjj } argres_t; 3664405Sjjj 3674405Sjjj /* 3684405Sjjj * Revoke NFS DES credentials. 3694405Sjjj * NFS may not be installed so we need to deal with SIGSYS 3704405Sjjj * when we call _nfssys(); we thus call _nfssys() in a seperate thread that 3714405Sjjj * is created specifically for this call. The thread specific signalmask 3724405Sjjj * is set to ignore SIGSYS. After the call to _nfssys(), the thread 3734405Sjjj * ceases to exist. 3744405Sjjj */ 3754405Sjjj static void * 3764405Sjjj revoke_nfs_cred(void *ap) 3774405Sjjj { 3784405Sjjj struct nfs_revauth_args nra; 3794405Sjjj sigset_t isigset; 3804405Sjjj argres_t *argres = (argres_t *)ap; 3814405Sjjj 3824405Sjjj nra.authtype = AUTH_DES; 3834405Sjjj nra.uid = argres->uid; 3844405Sjjj 3854405Sjjj (void) sigemptyset(&isigset); 3864405Sjjj (void) sigaddset(&isigset, SIGSYS); 3874405Sjjj 3884405Sjjj if (pthread_sigmask(SIG_BLOCK, &isigset, NULL) == 0) { 3894405Sjjj argres->result = _nfssys(NFS_REVAUTH, &nra); 3904405Sjjj if (argres->result < 0 && errno == ENOSYS) { 3914405Sjjj argres->result = 0; 3924405Sjjj } 3934405Sjjj } else { 3944405Sjjj argres->result = -1; 3954405Sjjj } 3964405Sjjj return (NULL); 3974405Sjjj } 3984405Sjjj 3994405Sjjj static int 4000Sstevel@tonic-gate remove_key(pam_handle_t *pamh, int flags, int debug) 4010Sstevel@tonic-gate { 4020Sstevel@tonic-gate int result; 4030Sstevel@tonic-gate char *uname; 4040Sstevel@tonic-gate attrlist attr_pw[2]; 4050Sstevel@tonic-gate struct pam_repository *auth_rep = NULL; 4060Sstevel@tonic-gate pwu_repository_t *pwu_rep; 4070Sstevel@tonic-gate uid_t uid; 4080Sstevel@tonic-gate gid_t gid; 4094405Sjjj argres_t argres; 4104405Sjjj thread_t tid; 4110Sstevel@tonic-gate 4120Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_USER, (void **)&uname); 4130Sstevel@tonic-gate if (uname == NULL || *uname == NULL) { 4140Sstevel@tonic-gate if (debug) 4150Sstevel@tonic-gate syslog(LOG_DEBUG, 4160Sstevel@tonic-gate "pam_dhkeys: user NULL or empty in remove_key()"); 4170Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 4180Sstevel@tonic-gate } 4190Sstevel@tonic-gate 4200Sstevel@tonic-gate if (strcmp(uname, "root") == 0) { 4210Sstevel@tonic-gate if ((flags & PAM_SILENT) == 0) { 4220Sstevel@tonic-gate char msg[3][PAM_MAX_MSG_SIZE]; 4230Sstevel@tonic-gate (void) snprintf(msg[0], sizeof (msg[0]), 4240Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 4254405Sjjj "removing root credentials would" 4264405Sjjj " break the rpc services that")); 4270Sstevel@tonic-gate (void) snprintf(msg[1], sizeof (msg[1]), 4280Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 4294405Sjjj "use secure rpc on this host!")); 4300Sstevel@tonic-gate (void) snprintf(msg[2], sizeof (msg[2]), 4310Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 4324405Sjjj "root may use keylogout -f to do" 4334405Sjjj " this (at your own risk)!")); 4340Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 3, 4350Sstevel@tonic-gate msg, NULL); 4360Sstevel@tonic-gate } 4370Sstevel@tonic-gate return (PAM_PERM_DENIED); 4380Sstevel@tonic-gate } 4390Sstevel@tonic-gate 4400Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep); 4410Sstevel@tonic-gate if (auth_rep != NULL) { 4420Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) 4430Sstevel@tonic-gate return (PAM_BUF_ERR); 4440Sstevel@tonic-gate pwu_rep->type = auth_rep->type; 4450Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope; 4460Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len; 4470Sstevel@tonic-gate } else 4480Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP; 4490Sstevel@tonic-gate 4500Sstevel@tonic-gate /* Retrieve user's uid/gid from the password repository */ 4510Sstevel@tonic-gate attr_pw[0].type = ATTR_UID; attr_pw[0].next = &attr_pw[1]; 4520Sstevel@tonic-gate attr_pw[1].type = ATTR_GID; attr_pw[1].next = NULL; 4530Sstevel@tonic-gate 4540Sstevel@tonic-gate result = __get_authtoken_attr(uname, pwu_rep, attr_pw); 4550Sstevel@tonic-gate 4560Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 4570Sstevel@tonic-gate free(pwu_rep); 4580Sstevel@tonic-gate 4590Sstevel@tonic-gate if (result == PWU_NOT_FOUND) 4600Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 4610Sstevel@tonic-gate if (result == PWU_DENIED) 4620Sstevel@tonic-gate return (PAM_PERM_DENIED); 4630Sstevel@tonic-gate if (result != PWU_SUCCESS) 4640Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 4650Sstevel@tonic-gate 4660Sstevel@tonic-gate uid = (uid_t)attr_pw[0].data.val_i; 4670Sstevel@tonic-gate gid = (gid_t)attr_pw[1].data.val_i; 4680Sstevel@tonic-gate 4690Sstevel@tonic-gate (void) key_removesecret_g_uid(uid, gid); 4700Sstevel@tonic-gate 4714405Sjjj argres.uid = uid; 4724405Sjjj argres.result = -1; 4730Sstevel@tonic-gate 4744405Sjjj if (pthread_create(&tid, NULL, revoke_nfs_cred, (void *)&argres) == 0) 4754405Sjjj (void) pthread_join(tid, NULL); 4764405Sjjj 4774405Sjjj if (argres.result < 0) { 4780Sstevel@tonic-gate if ((flags & PAM_SILENT) == 0) { 4790Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 4804405Sjjj "Warning: NFS credentials not destroyed")); 4810Sstevel@tonic-gate } 4820Sstevel@tonic-gate return (PAM_AUTH_ERR); 4830Sstevel@tonic-gate } 4840Sstevel@tonic-gate 4850Sstevel@tonic-gate return (PAM_IGNORE); 4860Sstevel@tonic-gate } 4870Sstevel@tonic-gate 4880Sstevel@tonic-gate int 4890Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) 4900Sstevel@tonic-gate { 4910Sstevel@tonic-gate int i; 4920Sstevel@tonic-gate int debug = 0; 4930Sstevel@tonic-gate int result; 4940Sstevel@tonic-gate char netname[MAXNETNAMELEN + 1]; 4950Sstevel@tonic-gate 4960Sstevel@tonic-gate for (i = 0; i < argc; i++) { 4970Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0) 4980Sstevel@tonic-gate debug = 1; 4990Sstevel@tonic-gate else if (strcmp(argv[i], "nowarn") == 0) 5000Sstevel@tonic-gate flags |= PAM_SILENT; 5010Sstevel@tonic-gate } 5020Sstevel@tonic-gate 5030Sstevel@tonic-gate /* Check for invalid flags */ 5040Sstevel@tonic-gate if (flags && (flags & PAM_ESTABLISH_CRED) == 0 && 5054405Sjjj (flags & PAM_REINITIALIZE_CRED) == 0 && 5064405Sjjj (flags & PAM_REFRESH_CRED) == 0 && 5074405Sjjj (flags & PAM_DELETE_CRED) == 0 && 5084405Sjjj (flags & PAM_SILENT) == 0) { 5090Sstevel@tonic-gate syslog(LOG_ERR, "pam_dhkeys: pam_setcred: illegal flags %d", 5104405Sjjj flags); 5110Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 5120Sstevel@tonic-gate } 5130Sstevel@tonic-gate 5140Sstevel@tonic-gate 5150Sstevel@tonic-gate if ((flags & PAM_REINITIALIZE_CRED) || (flags & PAM_REFRESH_CRED)) { 5160Sstevel@tonic-gate /* doesn't apply to UNIX */ 5170Sstevel@tonic-gate if (debug) 5180Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: cred reinit/refresh " 5190Sstevel@tonic-gate "ignored\n"); 5200Sstevel@tonic-gate return (PAM_IGNORE); 5210Sstevel@tonic-gate } 5220Sstevel@tonic-gate 5230Sstevel@tonic-gate if (flags & PAM_DELETE_CRED) { 5240Sstevel@tonic-gate if (debug) 5250Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: removing creds\n"); 5260Sstevel@tonic-gate result = remove_key(pamh, flags, debug); 5270Sstevel@tonic-gate } else { 528*11262SRajagopal.Andra@Sun.COM result = establish_key(pamh, flags, debug, netname); 5290Sstevel@tonic-gate /* Some diagnostics */ 5300Sstevel@tonic-gate if ((flags & PAM_SILENT) == 0) { 5310Sstevel@tonic-gate if (result == PAM_AUTH_ERR) 5320Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 5330Sstevel@tonic-gate "Password does not decrypt any secret " 5340Sstevel@tonic-gate "keys for %s."), netname); 5350Sstevel@tonic-gate else if (result == PAM_SYSTEM_ERR && netname[0]) 5360Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 5370Sstevel@tonic-gate "Could not set secret key(s) for %s. " 5380Sstevel@tonic-gate "The key server may be down."), netname); 5390Sstevel@tonic-gate } 5400Sstevel@tonic-gate 5410Sstevel@tonic-gate /* Not having credentials set is not an error... */ 5420Sstevel@tonic-gate result = PAM_IGNORE; 5430Sstevel@tonic-gate } 5440Sstevel@tonic-gate 5450Sstevel@tonic-gate return (result); 5460Sstevel@tonic-gate } 5470Sstevel@tonic-gate 5480Sstevel@tonic-gate /*ARGSUSED*/ 5490Sstevel@tonic-gate void 5500Sstevel@tonic-gate rpc_cleanup(pam_handle_t *pamh, void *data, int pam_status) 5510Sstevel@tonic-gate { 5520Sstevel@tonic-gate if (data) { 5530Sstevel@tonic-gate (void) memset(data, 0, strlen(data)); 5540Sstevel@tonic-gate free(data); 5550Sstevel@tonic-gate } 5560Sstevel@tonic-gate } 5570Sstevel@tonic-gate 558*11262SRajagopal.Andra@Sun.COM /*ARGSUSED*/ 5590Sstevel@tonic-gate int 5600Sstevel@tonic-gate pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) 5610Sstevel@tonic-gate { 562*11262SRajagopal.Andra@Sun.COM return (PAM_IGNORE); 5630Sstevel@tonic-gate } 564