krb5_migrate_authenticate.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <krb5.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <syslog.h>
#include <libintl.h>
#define KRB5_AUTOMIGRATE_DATA "SUNW-KRB5-AUTOMIGRATE-DATA"
int pam_status);
/*
* pam_sm_authenticate - Authenticate a host-based client service
* principal to kadmind in order to permit the creation of a new user
* principal in the client's default realm.
*/
{
/*
 * NOTE(review): this listing is incomplete -- the function signature, the
 * cleanup: label, and most of the pam_get_item()/krb5/kadm5 calls are
 * missing; only their message strings and control flow survive. The
 * comments below describe only what the surviving lines show.
 *
 * Outcome: on every path the function returns PAM_IGNORE (see the end),
 * so this module never decides authentication by itself; it only tries to
 * create a Kerberos principal for the PAM user as a side effect. Whether
 * the lookup/creation is permitted depends on the kadmin ACL of the host
 * service principal used for the kadm5 connection (see the KADM5_AUTH_GET
 * and KADM5_AUTH_ADD cases below).
 */
int err, i;
/* pam.conf options */
int debug = 0;
int quiet = 0;
int expire_pw = 0;
/* krb5-specific defines */
kadm5_ret_t retval = 0;
char *svcprincstr = NULL;
char *userprincstr = NULL;
int strlength = 0;
char *kadmin_princ = NULL;
long mask = 0;
/*
 * Parse the module options from pam.conf. Each recognized option sets one
 * flag; anything else is reported as unrecognized. The option-name
 * comparisons are missing from this listing.
 */
for (i = 0; i < argc; i++) {
debug = 1;
quiet = 1;
expire_pw = 1;
} else {
"PAM-KRB5-AUTOMIGRATE (auth): unrecognized "
"option %s"),
argv[i]);
}
}
/* PAM_SILENT from the application also suppresses the user-visible message. */
if (flags & PAM_SILENT)
quiet = 1;
if (err != PAM_SUCCESS) {
goto cleanup;
}
/*
 * Check that the user name is not NULL or empty.
 */
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): "
"user empty or null"));
goto cleanup;
}
/*
 * Obtain the authentication token (user password) and reject an empty
 * one; the call that fetches it is missing from this listing.
 */
if (err != PAM_SUCCESS) {
goto cleanup;
}
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): "
"authentication token is empty or null"));
goto cleanup;
}
/*
 * Initialize the krb5 context and look up the default realm (per the
 * error messages below); the calls themselves are missing here.
 */
"PAM-KRB5-AUTOMIGRATE (auth): Error initializing "
"krb5: %s"),
goto cleanup;
}
"PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining "
"default krb5 realm"));
goto cleanup;
}
/*
 * Build the host-based service principal for the realm and its string
 * form (kadmin_princ -> svcprinc -> svcprincstr); the call lines are
 * missing, only their argument tails and error messages remain.
 */
&kadmin_princ)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while obtaining "
"host based service name for realm %s\n"), def_realm);
goto cleanup;
}
&svcprinc)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while creating "
"krb5 host service principal: %s"),
goto cleanup;
}
&svcprincstr)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
"unparsing principal name: %s"),
goto cleanup;
}
/*
 * Initialize the kadm5 connection using the default keytab
 *
 * NOTE(review): the "¶ms," line below appears to be a mis-decoded
 * "&params," (an HTML &para; entity swallowed the "&pa"); it must be
 * restored before this compiles.
 */
¶ms,
&handle);
if (retval) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
"doing kadm5_init_with_skey: %s"),
goto cleanup;
}
/*
 * The RPCSEC_GSS connection has been established; let's check to see
 * if the corresponding user principal exists in the KDC database.
 * If not, let's create a new one.
 */
&userprinc)) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
"parsing user principal name: %s"),
goto cleanup;
}
/*
 * retval here is the result of the kadm5_get_principal call (missing
 * from the listing). NOTE(review): every failure other than
 * KADM5_AUTH_GET -- not only KADM5_UNK_PRINC, but any default-case error
 * such as a connection problem -- falls through to the create attempt.
 */
if (retval) {
switch (retval) {
case KADM5_AUTH_GET:
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): %s does "
"not have the GET privilege "
"for kadm5_get_principal: %s"),
break;
case KADM5_UNK_PRINC:
default:
break;
}
/*
 * We will try to add this principal anyway; continue on.
 */
} else {
/*
 * Principal already exists in the KDC database, quit now
 */
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): Principal %s "
"already exists in Kerberos KDC database"),
goto cleanup;
}
/* Fill in the principal field of the kadm5 record to be created. */
&(kadm5_userprinc.principal))) {
"PAM-KRB5-AUTOMIGRATE (auth): Error while "
"parsing user principal name: %s"),
goto cleanup;
}
/*
 * expire_pw option: body missing from this listing -- presumably sets a
 * password-expiry field on kadm5_userprinc and extends mask; confirm
 * against the full source.
 */
if (expire_pw) {
}
mask |= KADM5_PRINCIPAL;
/*
 * retval here is the result of the kadm5_create_principal call (missing
 * from the listing). Any failure ends the migration attempt.
 */
if (retval) {
switch (retval) {
case KADM5_AUTH_ADD:
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): %s does "
"not have the ADD privilege "
"for kadm5_create_principal: %s"),
break;
default:
/*
 * NOTE(review): the two adjacent literals concatenate to
 * "Generic errorwhile doing ..." -- a trailing space is missing
 * from the first one.
 */
"PAM-KRB5-AUTOMIGRATE (auth): Generic error"
"while doing kadm5_create_principal: %s"),
break;
}
goto cleanup;
}
/*
 * Success, the new user principal has been added!
 */
/* User-visible notice unless the quiet option or PAM_SILENT is set. */
if (!quiet) {
"automatically migrated to the Kerberos realm %s\n"),
}
if (debug)
"PAM-KRB5-AUTOMIGRATE (auth): User %s "
"has been added to the Kerberos KDC database"),
/*
 * Since this is a new krb5 principal, do a pam_set_data()
 * for possible use by the acct_mgmt routine of pam_krb5(5)
 */
(const void **)&userdata) == PAM_SUCCESS) {
/*
 * We created a princ in a previous run on the same handle and
 * it must have been for a different PAM_USER / princ name,
 * otherwise we couldn't succeed here, unless that princ
 * got deleted. (The handling of the stale data is missing
 * from this listing.)
 */
}
/* krb5_migrate_cleanup frees the data when the handle is torn down. */
krb5_migrate_cleanup) != PAM_SUCCESS) {
}
/*
 * Common exit path (the cleanup: label itself is missing from this
 * listing). Each guarded line frees one resource; the free calls are
 * missing.
 *
 * NOTE(review): kadm5_destroy() runs on every exit, including the
 * goto cleanup paths taken before kadm5_init_with_skey above -- confirm
 * that handle starts out NULL and that kadm5_destroy tolerates it.
 */
if (service)
if (kadmin_princ)
if (svcprincstr)
if (userprincstr)
if (def_realm)
(void) kadm5_destroy((void *)handle);
/* Always PAM_IGNORE: success or failure here never affects the PAM stack result. */
return (PAM_IGNORE);
}
/*ARGSUSED*/
static void
}
/*ARGSUSED*/
int
{
return (PAM_IGNORE);
}