krb5_acct_mgmt.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <krb5.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <syslog.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <libintl.h>
#include <netdb.h>
#include "utils.h"
#include <shadow.h>
#include "krb5_repository.h"
#define KRB5_AUTOMIGRATE_DATA "SUNW-KRB5-AUTOMIGRATE-DATA"
/*
* pam_sm_acct_mgmt main account managment routine.
*/
static int
char *princ_str,
char *password,
int debug)
{
krb5_principal princ = 0;
char admin_realm[1024];
char *cpw_service;
void *server_handle;
return (PAM_SYSTEM_ERR);
}
2*MAXHOSTNAMELEN)) != 0) {
return (code);
}
if (code != 0) {
return (PAM_SYSTEM_ERR);
}
if (debug)
"PAM-KRB5 (acct): fetch_princ_entry: pwlen=0");
return (PAM_AUTH_ERR);
}
(void) strlcpy(admin_realm,
sizeof (admin_realm));
"PAM-KRB5 (acct): unable to get host based "
"service name for realm '%s'"),
return (PAM_SYSTEM_ERR);
}
if (code != 0) {
if (debug)
"PAM-KRB5 (acct): fetch_princ_entry: "
"init_with_pw failed: code = %d", code);
return ((code == KADM5_BAD_PASSWORD) ?
}
if (debug)
"PAM-KRB5 (acct): fetch_princ_entry: "
"non-RPCSEC_GSS chpw server, can't get "
"princ entry");
(void) kadm5_destroy(server_handle);
return (PAM_SYSTEM_ERR);
}
if (code != 0) {
(void) kadm5_destroy(server_handle);
return ((code == KADM5_UNK_PRINC) ?
}
(void) kadm5_destroy(server_handle);
"PAM-KRB5 (acct): krb5_timeofday fail: code=%d"),
code);
return (PAM_SYSTEM_ERR);
}
(void) kadm5_destroy(server_handle);
return (PAM_SUCCESS);
}
/*
* exp_warn
*
* warn the user if her pw is set to expire
*
* We use the kadm protocol and chpw svc to fetch the user's KDC db
* entry. The user's default perms on the KDC db should allow this.
* Note since the SEAM kadm API uses rpcsec_gss (which is diff from
* what MS and MIT 1.2 and before uses), this probably only works
* with a SEAM KDC.
*/
static int
char *user,
char *password,
int debug)
{
int err;
if (debug)
"PAM-KRB5 (acct): exp_warn start: user = '%s'",
goto out;
}
if (debug)
"PAM-KRB5 (acct): exp_warn: fetch_pr failed %d",
err);
goto out;
}
if (debug)
"PAM-KRB5 (acct): exp_warn: fetch_princ success:"
" princ exp=%ld pw_exp = %ld, now =%ld, days=%ld",
prent.pw_expiration > 0
: 0);
/* warn user if principal's pw is set to expire */
if (prent.pw_expiration > 0) {
if (days <= 0)
sizeof (messages[0]),
"Your Kerberos password will expire within 24 hours.\n"));
else if (days == 1)
sizeof (messages[0]),
"Your Kerberos password will expire in 1 day.\n"));
else
sizeof (messages[0]),
"Your Kerberos password will expire in %d days.\n"),
(int)days);
}
/* things went smooth */
err = PAM_SUCCESS;
out:
if (debug)
"PAM-KRB5 (acct): exp_warn end: err = %d", err);
return (err);
}
/*
* pam_krb5 acct_mgmt
*
* we do
* - check if pw expired (flag set in auth)
* - warn user if pw is set to expire
*
* notes
* - we require the auth module to have already run (sets module data)
* - we don't worry about an expired princ cuz if that's the case,
* auth would have failed
*/
int
int flags,
int argc,
const char **argv)
{
int err;
int i;
for (i = 0; i < argc; i++) {
debug = 1;
nowarn = 1;
} else {
"PAM-KRB5 (acct): illegal option %s",
argv[i]);
}
}
if (debug)
"PAM-KRB5 (acct): debug=%d, nowarn=%d",
/*
* If the repository is not ours,
* return PAM_IGNORE.
*/
if (debug)
"repository found (%s), returning "
return (PAM_IGNORE);
}
}
/* get user name */
!= PAM_SUCCESS) {
"PAM-KRB5 (acct):"
" get user failed: err=%d"),
err);
goto out;
}
goto out;
}
/* get pam_krb5_migrate specific data */
(const void **)&userdata);
if (err != PAM_SUCCESS) {
if (debug)
"PAM-KRB5 (acct): "
"no module data for KRB5_AUTOMIGRATE_DATA"));
} else {
/*
* We try and reauthenticate, since this user has a
* newly created krb5 principal via the pam_krb5_migrate
* auth module. That way, this new user will have fresh
* creds (assuming pam_sm_authenticate() succeeds).
*/
(const char **)argv);
else
if (debug)
"PAM-KRB5 (acct): PAM_USER %s"
"does not match user %s from pam_get_data()"),
}
/* get krb5 module data */
!= PAM_SUCCESS) {
if (err == PAM_NO_MODULE_DATA) {
/*
* pam_auth never called (possible config
* error; no pam_krb5 auth entry in pam.conf)
* or
* auth module returned before module data
* was instantiated (normal for auth 'acceptor')
*/
if (debug)
"PAM-KRB5 (acct): no module data");
err = PAM_IGNORE;
goto out;
} else {
"PAM-KRB5 (acct): get module"
" data failed: err=%d"),
err);
}
goto out;
}
/*
* auth mod set status to ignore, most likely cuz root key is
* in keytab, so skip other checks and return ignore
*/
if (debug)
"PAM-KRB5 (acct): kmd auth_status is IGNORE");
err = PAM_IGNORE;
goto out;
}
/*
* age_status will be set to PAM_NEW_AUTHTOK_REQD in pam_krb5's
*/
if (!nowarn) {
"Your Kerberos password has expired.\n"));
}
goto out;
}
/* if we fail, let it slide, it's only a warning brah */
}
/* everything a-ok */
err = PAM_SUCCESS;
out:
if (debug)
return (err);
}