/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <krb5.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <syslog.h>
#include <libintl.h>
int pam_status);
/*
* pam_sm_authenticate - Authenticate a host-based client service
* principal to kadmind in order to permit the creation of a new user
* principal in the client's default realm.
*/
{
int err, i;
/* pam.conf options */
int debug = 0;
int quiet = 0;
int expire_pw = 0;
/* krb5-specific defines */
int strlength = 0;
long mask = 0;
for (i = 0; i < argc; i++) {
debug = 1;
quiet = 1;
expire_pw = 1;
} else {
"PAM-KRB5-AUTOMIGRATE (auth): unrecognized "
"option %s", argv[i]);
}
}
if (flags & PAM_SILENT)
quiet = 1;
if (err != PAM_SUCCESS) {
goto cleanup;
}
/*
* Check if user name is *not* NULL
*/
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): user empty or null");
goto cleanup;
}
/*
* Can't tolerate memory failure later on. Get a copy
* before any work is done.
*/
"PAM-KRB5-AUTOMIGRATE (auth): Out of memory");
goto cleanup;
}
/*
* Grok the user password
*/
if (err != PAM_SUCCESS) {
goto cleanup;
}
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): "
"authentication token is empty or null");
goto cleanup;
}
/*
*/
"PAM-KRB5-AUTOMIGRATE (auth): Error initializing "
goto cleanup;
}
"PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining "
"default krb5 realm");
goto cleanup;
}
&kadmin_princ)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining "
"host based service name for realm %s\n", def_realm);
goto cleanup;
}
"PAM-KRB5-AUTOMIGRATE (auth): Error while creating "
"krb5 host service principal: %s",
goto cleanup;
}
&svcprincstr)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
goto cleanup;
}
/*
* Initialize the kadm5 connection using the default keytab
*/
if (retval) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
goto cleanup;
}
/*
* The RPCSEC_GSS connection has been established; Lets check to see
* if the corresponding user principal exists in the KDC database.
* If not, lets create a new one.
*/
goto cleanup;
&userprinc)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
"parsing user principal name: %s",
goto cleanup;
}
if (retval) {
switch (retval) {
case KADM5_AUTH_GET:
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): %s does "
"not have the GET privilege "
"for kadm5_get_principal: %s",
break;
case KADM5_UNK_PRINC:
default:
break;
}
/*
* We will try & add this principal anyways, continue on ...
*/
} else {
/*
* Principal already exists in the KDC database, quit now
*/
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): Principal %s "
"already exists in Kerberos KDC database",
goto cleanup;
}
&(kadm5_userprinc.principal))) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
"parsing user principal name: %s",
goto cleanup;
}
if (expire_pw) {
/*
* The local system time could actually be later than the
* system time of the KDC we are authenticating to. We expire
* assured that it is expired on this login, not the next.
*/
}
mask |= KADM5_PRINCIPAL;
if (retval) {
switch (retval) {
case KADM5_AUTH_ADD:
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): %s does "
"not have the ADD privilege "
"for kadm5_create_principal: %s",
break;
default:
"PAM-KRB5-AUTOMIGRATE (auth): Generic error"
"while doing kadm5_create_principal: %s",
break;
}
goto cleanup;
}
/*
* Success, new user principal has been added !
*/
if (!quiet) {
"automatically migrated to the Kerberos realm %s\n"),
}
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): User %s "
"has been added to the Kerberos KDC database",
/*
* Since this is a new krb5 principal, do a pam_set_data()
* for possible use by the acct_mgmt routine of pam_krb5(5)
*/
(const void **)&olduserdata) == PAM_SUCCESS) {
/*
* We created a princ in a previous run on the same handle and
* it must have been for a different PAM_USER / princ name,
* otherwise we couldn't succeed here, unless that princ
* got deleted.
*/
if (olduserdata != NULL)
}
krb5_migrate_cleanup) != PAM_SUCCESS) {
}
if (service)
if (kadmin_princ)
if (svcprincstr)
if (userprincstr)
if (def_realm)
(void) kadm5_destroy((void *)handle);
return (PAM_IGNORE);
}
/*ARGSUSED*/
static void
}
/*ARGSUSED*/
int
{
return (PAM_IGNORE);
}